Shorewall 2.3.0

-----------------------------------------------------------------------
Problems corrected in version 2.3.0

None.

-----------------------------------------------------------------------
New Features in version 2.3.0

1) Shorewall 2.3.0 supports the 'cmd-owner' option of the owner match
   facility in Netfilter. Like all owner match options, 'cmd-owner' may
   only be applied to traffic that originates on the firewall.

   The syntax of the USER/GROUP column in the following files has been
   extended:

      /etc/shorewall/accounting
      /etc/shorewall/rules
      /etc/shorewall/tcrules
      /usr/share/shorewall/action.template

   To specify a command, prefix the command name with "+".

   Examples:

      +mozilla-bin           #The program is named "mozilla-bin"
      joe+mozilla-bin        #The program is named "mozilla-bin" and
                             #is being run by user "joe"
      joe:users+mozilla-bin  #The program is named "mozilla-bin" and
                             #is being run by user "joe" with
                             #effective group "users".

   Note that this is not a particularly robust feature and I would
   never advertise it as a "Personal Firewall" equivalent. Using
   symbolic links, it's easy to alias command names to be anything you
   want.

2) Support has been added for ipsets
   (see http://people.netfilter.org/kadlec/ipset/).

   In most places where a host or network address may be used, you may
   also use the name of an ipset prefaced by "+".

      Example: "+Mirrors"

   The name of the set may be optionally followed by:

   a) a number from 1 to 6 enclosed in square brackets ([]) -- this
      number indicates the maximum number of ipset binding levels that
      are to be matched. Depending on the context where the ipset name
      is used, either all "src" or all "dst" matches will be used.

      Example: "+Mirrors[4]"

   b) a series of "src" and "dst" options separated by commas and
      enclosed in square brackets ([]). These will be passed directly
      to iptables in the generated --set clause. See the ipset
      documentation for details.

      Example: "+Mirrors[src,dst,src]"

   Note that "+Mirrors[4]" used in the SOURCE column of the rules file
   is equivalent to "+Mirrors[src,src,src,src]".

   To generate a negative match, prefix the "+" with "!" as in
   "!+Mirrors".

   Example 1: Blacklist all hosts in an ipset named "blacklist"

      /etc/shorewall/blacklist

      #ADDRESS/SUBNET         PROTOCOL        PORT
      +blacklist

   Example 2: Allow SSH from all hosts in an ipset named "sshok":

      /etc/shorewall/rules

      #ACTION      SOURCE      DEST     PROTO    DEST PORT(S)
      ACCEPT       +sshok      fw       tcp      22

   Shorewall can automatically manage the contents of your ipsets for
   you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf
   then "shorewall save" will save the contents of your ipsets. The
   file where the sets are saved is formed by taking the name where the
   Shorewall configuration is stored and appending "-ipsets". So if you
   enter the command "shorewall save standard" then your Shorewall
   configuration will be saved in /var/lib/shorewall/standard and your
   ipset contents will be saved in /var/lib/shorewall/standard-ipsets.

   Regardless of the setting of SAVE_IPSETS, the "shorewall -f start"
   and "shorewall restore" commands will restore the ipset contents
   corresponding to the Shorewall configuration restored provided that
   the saved Shorewall configuration specified exists.

   For example, "shorewall restore standard" would restore the ipset
   contents from /var/lib/shorewall/standard-ipsets provided that
   /var/lib/shorewall/standard exists and is executable and that
   /var/lib/shorewall/standard-ipsets exists and is executable.

   Also regardless of the setting of SAVE_IPSETS, the "shorewall forget"
   command will purge the saved ipset information (if any) associated
   with the saved shorewall configuration being removed.

   You can also associate ipset contents with Shorewall configuration
   directories using the following command:

      ipset -S > <config directory>/ipsets

   Example:

      ipset -S > /etc/shorewall/ipsets

   When you start or restart Shorewall (including using the 'try'
   command) from the configuration directory, your ipsets will be
   configured from the saved ipsets file. Once again, this behavior is
   independent of the setting of SAVE_IPSETS.

   Ipsets are well suited for large blacklists. You can maintain your
   blacklist using the 'ipset' utility without ever having to restart
   or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be
   sure to "shorewall save" after altering the blacklist ipset(s).

   Example /etc/shorewall/blacklist:

      #ADDRESS/SUBNET         PROTOCOL        PORT
      +Blacklist[src,dst]
      +Blacklistnets[src,dst]

   Create the blacklist ipsets using:

      ipset -N Blacklist iphash
      ipset -N Blacklistnets nethash

   Add entries:

      ipset -A Blacklist 206.124.146.177
      ipset -A Blacklistnets 206.124.146.0/24

   To allow entries for individual ports:

      ipset -N SMTP portmap --from 1 --to 31
      ipset -A SMTP 25

      ipset -A Blacklist 206.124.146.177
      ipset -B Blacklist 206.124.146.177 -b SMTP

   Now only port 25 will be blocked from 206.124.146.177.
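
   The "+set[...]" reference syntax from new feature 2, worked through
   as an added example (this is not Shorewall's own code). The function
   name ipset_clause, the treatment of a bare set name as one binding
   level, the restricted set-name character set and the placement of
   "!" before --set are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Expands a "+set" reference into the
# --set clause described above. DIRECTION (src or dst) is what the column
# implies: src for a SOURCE column, dst for a DEST column.
ipset_clause() (            # usage: ipset_clause REFERENCE DIRECTION
    ref=$1 dir=$2 neg= ref_in=$1
    fail() { echo "ipset_clause: $1: $ref_in" >&2; exit 1; }
    case $dir in src|dst) ;; *) fail "direction must be src or dst" ;; esac

    case $ref in '!'*) neg='! '; ref=${ref#?} ;; esac      # "!+name" negates
    case $ref in +?*) ref=${ref#?} ;; *) fail "not an ipset reference" ;; esac

    case $ref in                     # split "name[options]"
        *\[*\]) name=${ref%%\[*}; opts=${ref#*\[}; opts=${opts%\]} ;;
        *\[*|*\]*) fail "unbalanced brackets" ;;
        *) name=$ref; opts=1 ;;      # assumption: bare name = one level
    esac
    # Assumption: accept only conservative set names (letters, digits, _ and -)
    case $name in ''|*[!A-Za-z0-9_-]*) fail "bad set name" ;; esac

    case $opts in
        [1-6])                       # N binding levels, all in one direction
            flags=$dir; n=$opts
            while [ "$n" -gt 1 ]; do flags=$flags,$dir; n=$((n - 1)); done ;;
        *)                           # explicit list: only src/dst items allowed
            rest=$opts,
            while [ -n "$rest" ]; do
                item=${rest%%,*}; rest=${rest#*,}
                case $item in src|dst) ;; *) fail "bad option '$item'" ;; esac
            done
            flags=$opts ;;
    esac
    # Assumption: negation is written as "!" before --set
    echo "${neg}--set $name $flags"
)

# Constructed sample references, as they might appear in a SOURCE column
for r in '+Mirrors' '+Mirrors[4]' '+Mirrors[src,dst,src]' '!+Mirrors'; do
    printf '%-24s -> %s\n' "$r" "$(ipset_clause "$r" src)"
done
```

   References that fall outside the documented forms (a level count
   other than 1 to 6, an option other than "src" or "dst", a missing
   "+") are rejected with a non-zero exit status instead of being
   passed through.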