Shorewall Issues when Upgrading from Debian Lenny to
SqueezeTomEastep2009Thomas M. EastepPermission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License.IntroductionDebian Lenny includes Shorewall version 4.0.15 while Squeeze will
soon include Shorewall 4.4. Because there are significant differences
between the two product versions, some users may experience upgrade
issues. This article outlines those issues and offers advice for dealing
with them.Although this article is targeted specifically at Lenny ->
Squeeze upgrades, it should be useful to any Shorewall-shell user
upgrading to Shorewall 4.4.x. Footnotes are used to flag areas where
non-Debian users may experience different results.Packaging DifferencesThe first key difference between Shorewall 4.0 and Shorewall 4.4 is
in the packagingMost distributions use a similar packaging structure. Note,
however, that the 'shorewall' package in Simon Mater's RPMs for
RedHat/Fedora/CentOS is like the Debian shorewall-common
package.. In Lenny, there are six Shorewall packages:shorewall-common — Contains the basic components needed to
create an IPv4 firewall.shorewall-shell — The legacy Shorewall configuration compiler
written in Bourne shell.shorewall — A transitional package that depends on
shorewall-common and shorewall-shell. Installing this package installs
both shorewall-common and shorewall-shell.shorewall-perl — A re-implementation of the Shorewall
configuration compiler in Perl. This compiler has many advantages over
the shell-based compiler:The compiler is much fasterThe compiler does a much better job of validating the
configuration, thus avoiding run-time errors.The compiler produces better and more consistent diagnostic
messages.The compiler produces a script that runs much faster and
that does not reject/drop connections during start/restart.shorewall-lite — A small package that can run scripts generated
by shorewall-shell or shorewall-perl. Allows centralized firewall
administration.shorewall-doc — Documentation.In Squeeze, there are five packages:shorewall — Contains everything needed to create an IPv4
firewall. It combines the former shorewall-common and shorewall-perl
packages.shorewall6 — Depends on shorewall. Adds those components needed
to create an IPv6 firewall.shorewall-lite — Same as in Lenny; only runs IPv4 firewall
scripts.shorewall6-lite — Similar to shorewall-lite, except that it only
runs IPv6 firewall scripts.shorewall-doc — Documentation.Do not purge the old packages (shorewall-common, shorewall-shell
and shorewall-perl) until after the new shorewall package has been
installed.The key change in Squeeze that may produce upgrade issues is that
Squeeze does not include the shell-based configuration compiler. As a
consequence, unless you are already using Shorewall-perl on Lenny, an
upgrade from Lenny to Squeeze will mean that you will be switching from
the old shell-based compiler to the new Perl-based compilerNote that Perl is a required package on Debian. If you are
running an embedded distribution which does not include Perl and it is
not feasible to install Perl on your firewall, then you should
consider installing Shorewall on another system in your network (may
be a Windows system running
Cygwin) and installing Shorewall-lite on your
firewall.. While the two compilers are highly compatible, there are
some differences. Those differences are detailed in the following
sections.Issues Most Likely to Cause Problems or Concernsshorewall.confAs always, when upgrading from one major release of Shorewall to
another, the installer will prompt you about replacing your existing
shorewall.conf with the updated one from the
package. Shorewall is designed with the assumption that users will never
replace shorewall.conf and retaining your existing file will always
produce upward-compatible behavior.That having been said, there are a few settings that you may have
in your shorewall.conf that will cause compilation warning or error
messages after the upgrade.BLACKLISTNEWONLYIf you have BLACKLISTNEWONLY=No together with
FASTACCEPT=Yes, you will receive this error:ERROR: BLACKLISTNEWONLY=No may not be
specified with FASTACCEPT=YesTo eliminate the error, reverse the setting of one of the
options.This combination never worked correctly in earlier
versions -- to duplicate the earlier behavior, you will want to
set BLACKLISTNEWONLY=Yes.BRIDGINGIf you have set this option to Yes, you will receive the
following error:ERROR: BRIDGING=Yes is not supported
by Shorewall 4.4.xYou should not be receiving this error if you are upgrading
from Lenny since BRIDGING=Yes did not work in that
releaseIf you are upgrading from a release using a kernel
earlier than 2.6.20, then BRIDGING=Yes did work correctly with
Shorewall-shell.. If you have a bridge configuration where you want
to control connections through the bridge, you will want to visit
http://www.shorewall.net/bridge-Shorewall-perl.htmlKernel 2.6.20 or later is required..DELAYBLACKLISTLOADIf you have set this option to Yes, you will receive the
following warning:WARNING: DELAYBLACKLIST=Yes is not
supported by Shorewall 4.4.xTo eliminate the warning, set DELAYBLACKLISTLOAD=No or
remove the setting altogether.DYNAMIC_ZONESIf you have set this option to Yes, you will receive the
following warning:WARNING: DYNAMIC_ZONES=Yes is not
supported by Shorewall 4.4.xTo eliminate the warning, set DYNAMIC_ZONES=No or remove the
setting altogether. See this
article to learn how to set up Dynamic Zones under
Shorewall 4.4.FWIf a setting for FW appears in your shorewall.conf file, you
will receive this warning:WARNING: Unknown configuration option
(FW) ignored.Remove the setting from the file and modify your
/etc/shorewall/zones file as described below.IPSECFILEIf you have specified IPSECFILE=ipsec or IPSECFILE= or if
you do not have a setting for IPSECFILE, then you will receive the
following error:ERROR: IPSECFILE=ipsec is not
supported by Shorewall 4.4.xTo eliminate the warning, you will need to:Set IPSECFILE=zonesModify your /etc/shorewall/zones
file as described below.PKTTYPEThe PKTTYPE option is ignored by Shorewall-perl.
Shorewall-perl will use Address type match if it is available;
otherwise, it will behave as if PKTTYPE=No had been
specified.RFC1918_LOG_LEVELIf you have specified any setting for this option, you will
receive the following warning:WARNING: RFC1918_LOG_LEVEL=value
ignored. The 'norfc1918' interface/host option is no longer
supported.To eliminate the warning, set RFC1918_LOG_LEVEL= or simply
remove the setting altogether.RFC1918_STRICTIf you have set this option to Yes, you will receive the
following warning:WARNING: RFC1918_STRICT=Yes is not
supported by Shorewall 4.4.xTo eliminate the warning, set RFC1918_STRICT=No or remove
the setting altogether.SAVE_IPSETSShorewall 4.4 will issue a warning if you set
SAVE_IPSETS=Yes in shorewall.conf:WARNING SAVE_IPSETS=Yes is not
supported by Shorewall 4.4.xTo eliminate this message, you will need to set
SAVE_IPSETS=No or remove the setting altogether.See below for additional
information regarding ipsets in Shorewall 4.4.SHOREWALL_COMPILERIf you have specified SHOREWALL_COMPILER=shell, you will
receive the following warning message:WARNING: SHOREWALL_COMPILER=shell
ignored. Shorewall-shell support has been removed in this
releaseTo eliminate the warning, set SHOREWALL_COMPILER=perl or
simply remove the setting altogether.USE_ACTIONSIf you have set this option to No, you will receive the
following warning:WARNING: USE_ACTIONS=No is not
supported by Shorewall 4.4.xTo eliminate the warning, set USE_ACTIONS=Yes or remove the
setting altogether./etc/shorewall/zonesIf the column headings in your /etc/shorewall/zones file look like
this:#ZONE DISPLAY COMMENTS
net Net The big bad net
loc Local The local LANthen you are using the original zones file format that has been
deprecated since Shorewall 3.0.You will need to convert to the new file format which has the
following headings:#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONSYou will need to add an entry for your firewall zone. The default
name for the firewall zone is 'fw' but may have been overriden using
the FW option in
shorewall.conf.#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewallThe remainder of your zones will have type 'ipv4' unless they are
mentioned in your /etc/shorewall/ipsec file (see below).#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4 # The big bad net
loc ipv4 # The local LAN/etc/shorewall/ipsecThis file is no longer used -- its specifications are now included
in /etc/shorewall/zones.Take this example:#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
ipsec1 Yes
ipsec2 NoThis would translate to the following entries in
/etc/shorewall/zones:#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
ipsec1 ipsec4
ipsec2 ipv4Any OPTIONS, IN OPTIONS and OUT OPTIONS should simply be copied
from /etc/shorewall/ipsec to
/etc/shorewall/zones./etc/shorewall/interfacesThe BROADCAST column is essentially unused in Squeeze. If it
contains anything except 'detect' or '-', then you will receive this
warningUsers whose kernel and/or iptables do not include Address Type
Match Support can continue to list broadcast addresses in this
column; no warning will be issued.:
WARNING: Shorewall no longer uses
broadcast addresses in rule generation when Address Type Match is
available
To eliminate the warning, replace the contents of the BROADCAST
column with '-' or 'detect'.The 'norfc1918' option has been removed. If you specify the
option, you will receive the following warning:
WARNING: Support for the norfc1918
interface option has been removed from Shorewall
To eliminate the warning, simply remove the 'norfc1918' option
from the OPTIONS list. You may wish to consider NULL_ROUTE_RFC1918=Yes
as a replacement (see shorewall.conf (5))./etc/shorewall/hostsThe 'norfc1918' option has been removed. If you specify the
option, you will receive the following warning:
WARNING: The 'norfc1918' option is no
longer supported
To eliminate the warning, simply remove the 'norfc1918' option
from the OPTIONS list. You may wish to consider NULL_ROUTE_RFC1918=Yes
as a replacement (see shorewall.conf (5))./etc/shorewall/policyShorewall 4.4 detects dead policy file entries that result when an
entry is masked by an earlier more general entry.Example:#SOURCE DEST POLICY LOG LEVEL
all all REJECT info
loc net ACCEPTShorewall-shell silently accepted the above even though the
loc->net policy is useless. Shorewall-perl generates a fatal
compilation error:
ERROR: Policy "loc net ACCEPT" duplicates
earlier policy "all all REJECT"
/etc/shorewall/masqThere is a long tradition of specifying an interface name in the
SOURCE column of this file. Given that masquerading/SNAT occurs in the
Netfilter POSTROUTING chain where an incoming interface may not be
specified, Shorewall must examine the main routing table during
shorewall start and shorewall
restart processing to determine those networks routed out of
the named interface and then add MASQUERADE/SNAT rules for traffic from
those networks. This requires that the named interface be up and
configured when Shorewall starts or restarts.This continues to be a frequent issue with VPN configurations
where the named interface isn't configured during boot.To emphasize this restriction, if an interface is named in the
SOURCE column of one or more entries, a single warning as follows is
issued:
WARNING: Using an interface as the masq
SOURCE requires the interface to be up and configured when Shorewall
starts/restarts
To suppress this warning, replace the interface name with the list
of networks that are routed out of the interface.Example.Existing entry:#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/
# GROUP
eth0 eth1Current routing configuration:gateway:~# ip route ls dev eth1
172.20.1.0/24 proto kernel scope link src 172.20.1.254
224.0.0.0/4 scope link
gateway:~#
Replacement entry:#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/
# GROUP
eth0 172.20.1.0/24Note that no entry is included for 224.0.0.0/4 since that is the
multicast IP range and there should never be any packets with a SOURCE
IP address in that network./etc/shorewall/rulesIf you include a destination zone in a 'nonat' rule, Shorewall
issues the following warning:
WARNING: Destination zone (zonename)
ignored.
Nonat rules include:
DNAT-REDIRECT-NONAT
To eliminate the warning, remove the DEST zone.Example.Before:#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
# PORT PORT(S) DEST LIMIT GROUP
NONAT loc net tcp 80After:#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
# PORT PORT(S) DEST LIMIT GROUP
NONAT loc - tcp 80/etc/shorewall/routestoppedThe 'critical' option is no longer needed and hence is no longer
supported. If you have critical hosts defined, you will receive this
warning:
WARNING: The 'critical' option is no
longer supported (or needed)
To suppress the warning, simply remove the option.Shorewall 4.4 also treats the routestopped
file differently from earlier releases. Previously, the
routestopped file was parsed during
shorewall stop processing so that changes made to the
file while Shorewall was running would be applied at the next
stop. This is no longer the case -- the
routestopped file is processed during compilation
just like the rest of the configuration files so that when
shorewall stop is issued, the firewall will pass
traffic based on the contents of the routestopped
file at the last start or
restart./etc/shorewall/tosThe /etc/shorewall/tos file now has
zone-independent SOURCE and DEST columns as do all other files except
the rules and policy files.The SOURCE column may be one of the following:[all:]<address>[,...][all:]<interface>[:<address>[,...]]$FW[:<address>[,...]]The DEST column may be one of the following:[all:]<address>[,...][all:]<interface>[:<address>[,...]]This is a permanent change. The old zone-based rules have never
worked right and this is a good time to replace them. We have tried to
make the new syntax cover the most common cases without requiring change
to existing files. In particular, it will handle the
tos file released with Shorewall 1.4 and
earlier.Extension ScriptsWith the shell-based compiler, all extension scripts were copied
into the compiled script and executed at run-time. In some cases, this
approach doesn't work with Shorewall Perl because (almost) the entire
rule set is built by the compiler. As a result, Shorewall-perl runs some
extension scripts at compile-time rather than at run-time. Because the
compiler is written in Perl, these extension scripts from earlier
versions will no longer work.The following table summarizes when the various extension scripts
are run:Compile-time (Must be written in
Perl)Run-timeEliminatedinitdoneclearcontinuemacloginitPer-chain (including those associated with
actions)startstartedstopstoppedtcclearCompile-time extension scripts are executed using the Perl 'eval
`cat <file>`' mechanism. Be sure that each script returns a 'true'
value; otherwise, the Shorewall-perl compiler will assume that the
script failed and will abort the compilation.When a script is invoked, the $chainref scalar variable will usually hold a
reference to a chain table entry.$chainref->{name} contains
the name of the chain$chainref->{table} holds
the table nameTo add a rule to the chain:add_rule $chainref,
the-ruleWherethe rule is a scalar argument
holding the rule text. Do not include "-A
chain-name"Example:add_rule $chainref, '-j ACCEPT';To insert a rule into the chain:insert_rule $chainref, rulenum,
the-ruleThe log_rule_limit function works like it does in the shell
compiler with three exceptions:You pass the chain reference rather than the name of the
chain.The commands are 'add' and 'insert' rather than '-A' and
'-I'.There is only a single "pass as-is to iptables" argument (so
you must quote that partExample: log_rule_limit
'info' ,
$chainref ,
$chainref->{name},
'DROP' ,
'', #Limit
'' , #Log tag
'add'
'-p tcp '; Here is an example of an actual initdone script used with
Shorewall 3.4:run_iptables -t mangle -I PREROUTING -p esp -j MARK --set-mark 0x50
run_iptables -t filter -I INPUT -p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT
run_iptables -t filter -I OUTPUT -p udp --sport 1701 -j ACCEPT
Here is the corresponding script used with Shorewall
4.4:use Shorewall::Chains;
insert_rule $mangle_table->{PREROUTING}, 1, "-p esp -j MARK --set-mark 0x50";
insert_rule $filter_table->{INPUT}, 1, "-p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT";
insert_rule $filter_table->{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";
1;The initdone script is unique because the $chainref variable is
not set before the script is called. The above script illustrates how
the $mangle_table, $filter_table, and $nat_table references can be used
to add or insert rules in arbitrary chains.IpsetsShorewall 4.4 insists that ipset names begin with a letter and be
composed of alphanumeric characters and underscores (_). When used in a
Shorewall configuration file, the name must be preceded by a plus sign
(+) as with the shell-based compiler.Shorewall 4.4 is out of the ipset load/reload business with the
exception of ipsets used for dynamic zones. With scripts generated by
Shorwall 4.4, the Netfilter rule set is never cleared. That means that
there is no opportunity for Shorewall to load/reload your ipsets since
that cannot be done while there are any current rules using
ipsets.So:Your ipsets must be loaded before Shorewall starts. You are
free to try to do that with the following code in
/etc/shorewall/init (it works for me; your mileage may
vary):if [ "$COMMAND" = start ]; then
ipset -U :all: :all:
ipset -U :all: :default:
ipset -F
ipset -X
ipset -R < /etc/shorewall/ipsets
fiThe file /etc/shorewall/ipsets will
normally be produced using the ipset -S command.
I have this in my /etc/shorewall/stop
file:if ipset -S > /etc/shorewall/ipsets.tmp; then
mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
fiThe above extension scripts will work most of the time but
will fail in a shorewall stop -
shorewall start sequence if you use ipsets in
your routestopped file (see below).Your ipsets may not be reloaded until Shorewall is stopped or
cleared.If you specify ipsets in your routestopped file then Shorewall
must be cleared in order to reload your ipsets.Additional Sources of InformationThe following articles provide additional information.Shorewall
Perl IncompatibilitiesUpgrade Issues