Shorewall 2.0

Tom Eastep

The information on this site applies only to 2.0.x releases of Shorewall. For older versions:
Copyright © 2001-2004 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2004-07-02


Table of Contents

Introduction to Shorewall
Glossary
What is Shorewall?
Getting Started with Shorewall
Looking for Information?
Running Shorewall on Mandrake® with a two-interface setup?
License
News
Shorewall 2.0.3c
Shorewall 2.0.3b
Shorewall 2.0.3a
Shorewall 2.0.3
Leaf
Donations

Introduction to Shorewall

Glossary

What is Shorewall?

The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables utility, configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.

Shorewall is not a daemon. Once Shorewall has configured Netfilter, its job is complete. After that, there is no Shorewall code running, although the /sbin/shorewall program can be used at any time to monitor the Netfilter firewall.

Getting Started with Shorewall

New to Shorewall? Start by selecting the QuickStart Guide that most closely matches your environment and follow the step by step instructions.

Looking for Information?

The Documentation Index is a good place to start as is the Quick Search in the frame above.

Running Shorewall on Mandrake® with a two-interface setup?

If so, the documentation on this site will not apply directly to your setup. If you want to use the documentation that you find here, you will want to consider uninstalling what you have and installing a setup that matches the documentation on this site. See the Two-interface QuickStart Guide for details.

Update: I've been informed by Mandrake Development that this problem has been corrected in Mandrake 10.0 Final (the problem still exists in the 10.0 Community release).

License

This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more detail.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".


News

7/02/2004 - Shorewall 2.0.3c

Problems Corrected:
  1. Error messages regarding $RESTOREBASE occur during shorewall stop
  2. If CLEAR_TC=Yes in shorewall.conf, shorewall stop fails without removing the lock file.

6/30/2004 - Shorewall 2.0.3b and Shorewall 1.4.10g

Problems Corrected:
  1. The security vulnerability fix released in Shorewall 2.0.3a failed under Slackware 9.1.
  2. The security vulnerability fix released in Shorewall 2.0.3a failed if mktemp was not installed.

6/28/2004 - Shorewall 2.0.3a and Shorewall 1.4.10f

Problems Corrected:
  1. Javier Fernández-Sanguino Peña has discovered an exploitable vulnerability in the way that Shorewall handles temporary files and directories. The vulnerability can allow a non-root user to cause arbitrary files on the system to be overwritten. LEAF Bering and Bering uClibc users are generally not at risk due to the fact that LEAF boxes do not typically allow logins by non-root users.
  2. (2.0.3a only) A non-empty DEST entry in /etc/shorewall/tcrules will generate an error and Shorewall fails to start.
Note: Slackware users may need the 'functions' file from CVS (STABLE/ project for 1.4.10f and STABLE2/ project for 2.0.3a) to prevent startup errors with these versions installed. These updated files are also available from the Errata (2.0, 1.4).
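
The temporary-file vulnerability fixed in 2.0.3a, and the 2.0.3b follow-up for systems without mktemp, both concern how a script running as root creates scratch space. The sketch below is an added example, not Shorewall's fix or code; the function names and the "example." prefix are assumptions.

```shell
#!/bin/sh
# Added example: private scratch space for a script that runs as root.
# Function names and the "example." prefix are hypothetical, not Shorewall's.
#
# Pattern to avoid: a fixed or PID-based name in a world-writable directory,
#   echo data > /tmp/example.$$
# The shell opens that path whether or not something already sits there.

# Fallback for systems without mktemp. mkdir is atomic and fails if the name
# is already taken (by a file, a directory or a symlink), so a pre-existing
# entry is skipped instead of being written through.
fallback_tmpdir() {
    base=${1:-/tmp}
    old_umask=$(umask)
    umask 077                      # directory is created mode 0700
    tries=0
    while [ "$tries" -lt 10 ]; do
        candidate="$base/example.$$.$tries"
        if mkdir "$candidate" 2>/dev/null; then
            umask "$old_umask"
            printf '%s\n' "$candidate"
            return 0
        fi
        tries=$((tries + 1))
    done
    umask "$old_umask"
    return 1                       # give up rather than reuse a taken name
}

# Preferred path: mktemp -d picks an unpredictable name and creates the
# directory mode 0700. Fall back only when mktemp is missing or fails.
safe_tmpdir() {
    base=${1:-/tmp}
    if command -v mktemp >/dev/null 2>&1; then
        mktemp -d "$base/example.XXXXXX" 2>/dev/null && return 0
    fi
    fallback_tmpdir "$base"
}

# Typical use:
#   work=$(safe_tmpdir) || exit 1
#   trap 'rm -rf "$work"' EXIT
#   some_command > "$work/output"   # files inside are private to the owner
```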

6/23/2004 - Shorewall 2.0.3

Problems Corrected:
  1. The 'firewall' script is not purging temporary restore files in /var/lib/shorewall. These files have names of the form "restore-nnnnn".
  2. The /var/lib/shorewall/restore script did not load the kernel modules specified in /etc/shorewall/modules.
  3. Specifying a null common action in /etc/shorewall/actions (e.g., :REJECT) results in a startup error.
  4. If /var/lib/shorewall does not exist, shorewall start fails.
  5. DNAT rules with a dynamic source zone don't work properly. When used, these rules cause the rule to be checked against ALL input, not just input from the designated zone.
  6. The install.sh script reported installing some files in /etc/shorewall when the files were actually installed in /usr/share/shorewall.
  7. Shorewall checks netfilter capabilities before loading kernel modules. Hence if kernel module autoloading isn't enabled, the capabilities will be misdetected.
  8. The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
  9. The file /etc/init.d/shorewall now gets proper ownership when the RPM is built by a non-root user.
  10. Rules that specify bridge ports in both the SOURCE and DEST columns no longer cause "shorewall start" to fail.
  11. Comments in the rules file have been added to advise users that "all" in the SOURCE or DEST column does not affect intra-zone traffic.
  12. With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now passed through the blacklisting chains. Without this change, it is not possible to blacklist hosts that are mounting certain types of ICMP-based DoS attacks.

Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
  1. The 'dropNonSyn' standard builtin action has been replaced with the 'dropNotSyn' standard builtin action. The old name can still be used but will generate a warning.

New Features:
  1. Shorewall now supports multiple saved configurations.
    1. The default saved configuration (restore script) in /var/lib/shorewall is now specified using the RESTOREFILE option in shorewall.conf. If this variable isn't set then to maintain backward compatibility, 'restore' is assumed.

      The value of RESTOREFILE must be a simple file name; no slashes ("/") may be included.
    2. The "save" command has been extended to be able to specify the name of a saved configuration.

                 shorewall save [ <file name> ]

      The current state is saved to /var/lib/shorewall/<file name>. If no <file name> is given, the configuration is saved to the file determined by the RESTOREFILE setting.
    3. The "restore" command has been extended to be able to specify the name of a saved configuration:

                shorewall restore [ <file name> ]

      The firewall state is restored from /var/lib/shorewall/<file name>. If no <file name> is given, the firewall state is restored from the file determined by the RESTOREFILE setting.
    4. The "forget" command has changed. Previously, the command unconditionally removed the /var/lib/shorewall/save file which records the current dynamic blacklist. The "forget" command now leaves that file alone.

      Also, the "forget" command has been extended to be able to specify the name of a saved configuration:

                    shorewall forget [ <file name> ]

      The file /var/lib/shorewall/<file name> is removed. If no <file name> is given, the file determined by the RESTOREFILE setting is removed.
    5. The "shorewall -f start" command restores the state from the file determined by the RESTOREFILE setting.
  2. "!" is now allowed in accounting rules.
  3. Interface names appearing within the configuration are now verified. Interface names must match the name of an entry in /etc/shorewall/interfaces (or if bridging is enabled, they must match the name of an entry in /etc/shorewall/interfaces or the name of a bridge port appearing in /etc/shorewall/hosts).
  4. A new 'rejNotSyn' built-in standard action has been added. This action responds to "New not SYN" packets with an RST.

    The 'dropNonSyn' action has been superseded by the new 'dropNotSyn' action. The old name will be accepted until the next major release of Shorewall but will generate a warning.

    Several new logging actions involving "New not SYN" packets have been added:

            logNewNotSyn  -- logs the packet with disposition = LOG
            dLogNewNotSyn -- logs the packet with disposition = DROP
            rLogNewNotSyn -- logs the packet with disposition = REJECT

    The packets are logged at the log level specified in the LOGNEWNOTSYN option in shorewall.conf. If that option is empty or not specified, then 'info' is assumed.

    Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
    1. To simulate the behavior of NEWNOTSYN=No:
      1. Add 'NoNewNotSyn' to /etc/shorewall/actions.
      2. Create /etc/shorewall/action.NoNewNotSyn containing:

                    dLogNotSyn
                    dropNotSyn

      3. Early in your rules file, place:

                 NoNewNotSyn   all   all     tcp

    2. Drop 'New not SYN' packets from the net only. Don't log them:
      1. Early in your rules file, place:

                 dropNotSyn    net        all   tcp

  5. Slackware users no longer have to modify the install.sh script before installation. Tuomo Soini has provided a change that allows the INIT and FIREWALL variables to be specified outside the script as in:

          DEST=/etc/rc.d INIT=rc.firewall ./install.sh


Leaf

LEAF is an open source project which provides a firewall/router on a floppy, CD or CF. Several LEAF distributions including Bering and Bering-uClibc use Shorewall as their Netfilter configuration tool.


Donations

Shorewall is free but if you try it and find it useful, please consider making a donation to the Alzheimer's Association or to the Starlight Children's Foundation.

Thanks