forked from extern/shorewall_code
565 lines
21 KiB
Plaintext
565 lines
21 KiB
Plaintext
Shorewall 4.3.10
|
|
|
|
Shorewall 4.3 is the development thread for Shorewall 4.4 which will be
|
|
released late in 2009.
|
|
|
|
----------------------------------------------------------------------------
|
|
R E L E A S E 4 . 3 H I G H L I G H T S
|
|
----------------------------------------------------------------------------
|
|
|
|
1) Support for Shorewall-shell has been discontinued. Shorewall-perl
|
|
has been combined with Shorewall-common to produce a single
|
|
Shorewall package.
|
|
|
|
2) The Shorewall documentation and man pages have been purged of
|
|
information about earlier Shorewall releases. The documentation
|
|
describes only the behavior of Shorewall 4.3 and later versions.
|
|
|
|
3) The interfaces file OPTIONs have been extended to largely remove the
|
|
need for the hosts file.
|
|
|
|
4) It is now possible to define PREROUTING and OUTPUT marking rules
|
|
that cause new connections to use the same provider as an existing
|
|
connection of the same kind.
|
|
|
|
5) Dynamic Zone support is once again available for IPv4; ipset support is
|
|
required in your kernel and in iptables.
|
|
|
|
6) A new AUTOMAKE option has been added to shorewall.conf and
|
|
shorewall6.conf. Setting this option will allow Shorewall to skip
|
|
the compilation phase during start/restart if no configuration
|
|
changes have occurred since the last start/restart.
|
|
|
|
7) The LIMIT:BURST column in /etc/shorewall/policy
|
|
(/etc/shorewall6/policy) and the RATE LIMIT column in
|
|
/etc/shorewall/rules (/etc/shorewall6/rules) may now be used to
|
|
limit on a per source IP or per destination IP basis.
|
|
|
|
8) Support for per-IP traffic shaping classes has been added.
|
|
|
|
----------------------------------------------------------------------------
|
|
M I G R A T I O N I S S U E S
|
|
----------------------------------------------------------------------------
|
|
|
|
1) The 'shorewall stop', 'shorewall clear', 'shorewall6 stop' and
|
|
'shorewall6 clear' commands no longer read the 'routestopped'
|
|
file. The 'routestopped' file used is the one that was present at
|
|
the last 'start', 'restart' or 'restore' command.
|
|
|
|
2) The old macro parameter syntax (e.g., SSH/ACCEPT) is now deprecated
|
|
in favor of the new syntax (e.g., SSH(ACCEPT)). The 4.3 documentation
|
|
uses the new syntax exclusively, although the old syntax
|
|
continues to be supported.
|
|
|
|
3) Support for the SAME target in /etc/shorewall/masq and
|
|
/etc/shorewall/rules has been removed, following the removal of the
|
|
underlying support in the Linux kernel.
|
|
|
|
4) Supplying an interface name in the SOURCE column of
|
|
/etc/shorewall/masq is now deprecated. Entering the name of an
|
|
interface there will result in a compile-time warning:
|
|
|
|
WARNING: Using an interface as the masq SOURCE requires the
|
|
interface to be up and configured when Shorewall
|
|
starts/restarts
|
|
|
|
To avoid this warning, replace interface names by the corresponding
|
|
network addresses (e.g., 192.168.144.0/24).
|
|
|
|
----------------------------------------------------------------------------
|
|
P R O B L E M S C O R R E C T E D I N 4 . 3 . 10
|
|
----------------------------------------------------------------------------
|
|
|
|
1. When Shorewall could not determine the MAC address of of a gateway
|
|
router where multiple providers are configured through the same
|
|
interface, invalid iptables-restore input was generated. This
|
|
resulted in an error message similar to the following:
|
|
|
|
iptables-restore v1.3.5: Bad mac address `-j'
|
|
|
|
2. Previously, Shorewall has treated traffic shaping class IDs as
|
|
decimal numbers (or pairs of decimal numbers). That worked fine
|
|
until IPMARK was implemented. IPMARK requires Shorewall to generate
|
|
class Ids in numeric sequence. In 4.3.9, that didn't work correctly
|
|
because Shorewall was generating the sequence "..8,9,10,11..." when
|
|
the correct sequence was "...8,9,a,b,...". Shorewall now treats
|
|
class IDs as hex, like 'tc' and 'iptables' do.
|
|
|
|
3. Previously, when 'all' appeared in the SOURCE column of a DNAT-
|
|
rule, no rule was generated to redirect output from the firewall
|
|
itself.
|
|
|
|
----------------------------------------------------------------------------
|
|
K N O W N P R O B L E M S R E M A I N I N G
|
|
----------------------------------------------------------------------------
|
|
|
|
None.
|
|
|
|
----------------------------------------------------------------------------
|
|
N E W F E A T U R E S I N 4 . 3 . 10
|
|
----------------------------------------------------------------------------
|
|
|
|
1) The change that implemented IPMARK support in 4.3.9 resulted in a
|
|
lack of upward compatibility which could break some
|
|
configurations. The incompatibility stems from the way in which
|
|
Shorewall generates a TC class Id from a mark value.
|
|
|
|
- Prior to 4.3.9, the class number was constructed by concatinating
|
|
the either '1' or '10' with the mark value. '10' is used when
|
|
there are more than 10 devices defined in /etc/shorewall/tcdevices.
|
|
|
|
- In 4.3.9, the class number is constructed by shifting
|
|
the device number left by 10 bits and logically ORing the result
|
|
with the mark value.
|
|
|
|
- In 4.3.10, a new method is added; the mark value is logically
|
|
ORed with 0x4000.
|
|
|
|
The WIDE_TC_MARKS option in shorewall.conf selects which
|
|
construction to use. WIDE_TC_MARKS=No (the default) produces
|
|
pre-4.3.9 behavior. WIDE_TC_MARKS=Yes produces the new behavior.
|
|
|
|
In addition to determining the method of constructing class Ids,
|
|
WIDE_TC_MARKS=Yes provides for larger mark values for traffic
|
|
shaping. Traffic shaping marks may have values up to 16383 (0x3fff)
|
|
with WIDE_TC_MARKS=Yes. This means that when both WIDE_TC_MARKS=Yes and
|
|
HIGH_ROUTE_MARKS=Yes, routing marks (/etc/shorewall/providers MARK
|
|
column) must be >= 65536 (0x10000) and must be a multiple of 65536
|
|
(0x1000, 0x20000, 0x30000, ...).
|
|
|
|
2) In the 'shorewall compile' command, the filename '-' is now causes
|
|
the compiled script to be written to Standard Out. As a side
|
|
effect, the effective VERBOSITY is set to -1 (silent).
|
|
|
|
Examples:
|
|
|
|
shorewall compile -v-1 -- - # Compile the configuration in
|
|
# /etc/shorewall and send the
|
|
# output to STDOUT
|
|
shorewall compile -v-1 . - # Compile the configuration in the
|
|
# current working directory
|
|
# and send the output to STDOUT
|
|
|
|
Note that the '-v-1' suppresses the 'Compiling...' message normally
|
|
issued by /sbin/shorewall (/sbin/shorewall6) when a compilation
|
|
begins.
|
|
|
|
3) Supplying an interface name in the SOURCE column of
|
|
/etc/shorewall/masq is now deprecated. Entering the name of an
|
|
interface there will result in a compile-time warning.
|
|
|
|
----------------------------------------------------------------------------
|
|
N E W F E A T U R E S IN 4 . 3
|
|
----------------------------------------------------------------------------
|
|
|
|
1) The Shorewall packaging has been completely revamped in Shorewall
|
|
4.3.
|
|
|
|
The new packages are:
|
|
|
|
- Shorewall. Includes the former Shorewall-common and
|
|
Shorewall-perl packages. Includes everything needed
|
|
to create an IPv4 firewall.
|
|
|
|
- Shorewall6. Requires Shorewall. Adds the components necessary to
|
|
create an IPv6 firewall.
|
|
|
|
- Shorewall-lite
|
|
|
|
May be installed on a firewall system to run
|
|
IPv4 firewall scripts generated by Shorewall.
|
|
|
|
- Shorewall6-lite
|
|
|
|
May be installed on a firewall system to run
|
|
IPv6 firewall scripts generated by Shorewall6.
|
|
|
|
2) The interfaces file supports a new 'nets=' option. This option
|
|
allows users to restrict a zone's definition to particular networks
|
|
through an interface without having to use the hosts file.
|
|
|
|
Example interfaces file:
|
|
|
|
#ZONE INTERFACE BROADCAST OPTIONS
|
|
loc eth3 detect dhcp,logmartians=1,routefilter=1,nets=172.20.1.0/24
|
|
dmz eth4 detect logmartians=1,routefilter=1,nets=206.124.146.177
|
|
net eth0 detect dhcp,blacklist,tcpflags,optional,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
|
|
net eth2 detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
|
|
loc tun+ detect nets=172.20.0.0/24
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
|
|
Note that when more than one network address is listed, the list
|
|
must be enclosed in parentheses. Notice also that exclusion may be
|
|
used.
|
|
|
|
The first entry in the above interfaces file is equivalent to the
|
|
following:
|
|
|
|
interfaces:
|
|
|
|
#ZONE INTERFACE BROADCAST OPTIONS
|
|
- eth0 detect dhcp,logmartians=1,routefilter=1
|
|
|
|
hosts:
|
|
|
|
#ZONE HOST(S) OPTIONS
|
|
loc $INT_IF:192.20.1.0/24 broadcast
|
|
|
|
Note that the 'broadcast' option is automatically assumed and need
|
|
not be explicitly specified.
|
|
|
|
3) Some websites run applications that require multiple connections
|
|
from a client browser. Where multiple 'balanced' providers are
|
|
configured, this can lead to problems when some of the connections
|
|
are routed through one provider and some through another.
|
|
|
|
To work around this issue, the SAME target has been added to
|
|
/etc/shorewall/tcrules. SAME may be used in the PREROUTING and
|
|
OUTPUT chains. When used in PREROUTING, it causes matching
|
|
connections from an individual local system to all use the same
|
|
provider.
|
|
|
|
For example:
|
|
|
|
SAME:P 192.168.1.0/24 - tcp 80,443
|
|
|
|
If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or
|
|
443 and it has sent a packet on either of those ports in the last
|
|
five minutes then the new connection will use the same provider as
|
|
the connection over which that last packet was sent.
|
|
|
|
When used in the OUTPUT chain, it causes all matching connections
|
|
to an individual remote system to all use the same provider.
|
|
|
|
For example:
|
|
|
|
SAME $FW - tcp 80,443
|
|
|
|
If the firewall attempts a connection on TCP port 80 or
|
|
443 and it has sent a packet on either of those ports in the last
|
|
five minutes to the same remote system then the new connection will
|
|
use the same provider as the connection over which that last packet
|
|
was sent.
|
|
|
|
Important note: SAME only works with providers that have the
|
|
'track' option specified in /etc/shorewall/providers.
|
|
|
|
4) The file /var/lib/shorewall/.restore has been renamed to
|
|
/var/lib/shorewall/firewall. A similar change has been made in
|
|
Shorewall6.
|
|
|
|
When a successful start or restart is completed, the script that
|
|
executed the command copies itself to to
|
|
/var/lib/shorewall[6]/firewall.
|
|
|
|
5) Dynamic zone support is once again available for IPv4. This support
|
|
is built on top of ipsets so you must have the xtables-addons
|
|
installed on the firewall system.
|
|
|
|
Dynamic zones are available when Shorewall-lite is used as well.
|
|
|
|
Note that the dynamic zone support built into Shorewall provides no
|
|
additional functionality over what is provided by simply defining a
|
|
zone in terms of an ipset (see
|
|
http://www1.shorewall.net/ipsets.html#Dynamic).
|
|
|
|
You define a zone as having dynamic content in one of two ways:
|
|
|
|
- By specifying nets=dynamic in the OPTIONS column of an entry for
|
|
the zone in /etc/shorewall/interfaces; or
|
|
|
|
- By specifying <interface>:dynamic in the HOST(S) column of an
|
|
entry for the zone in /etc/shorewall/hosts.
|
|
|
|
When there are any dynamic zones present in your configuration,
|
|
Shorewall (Shorewall-lite) will:
|
|
|
|
a) Execute the following commands during 'shorewall start' or
|
|
'shorewall-lite start'.
|
|
|
|
ipset -U :all: :all:
|
|
ipset -U :all: :default:
|
|
ipset -F
|
|
ipset -X
|
|
ipset -R < ${VARDIR}/ipsets.save
|
|
|
|
where $VARDIR normally contains /var/lib/shorewall
|
|
(/var/lib/shorewall-lite) but may be modified by
|
|
/etc/shorewall/vardir (/etc/shorewall-lite/vardir).
|
|
|
|
|
|
b) During 'start', 'restart' and 'restore' processing, Shorewall
|
|
will then attempt to create an ipset named <zone>_<interface>
|
|
for each zone/interface pair that has been specified as
|
|
dynamic. The type of ipset created is 'iphash' so that only
|
|
individual IPv4 addresses may be added to the set.
|
|
|
|
c) Execute the following commands during 'shorewall stop' or
|
|
'shorewall-lite stop':
|
|
|
|
if ipset -S > ${VARDIR}/ipsets.tmp; then
|
|
mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
|
|
fi
|
|
|
|
The 'shorewall add' and 'shorewall delete' commands are supported
|
|
with their original syntax:
|
|
|
|
add <interface>[:<host-list>] ... <zone>
|
|
|
|
delete <interface>[:<host-list>] ... <zone>
|
|
|
|
In addition, the 'show dynamic' command is added that lists the dynamic
|
|
content of a zone.
|
|
|
|
show dynamic <zone>
|
|
|
|
These commands are supported by shorewall-lite as well.
|
|
|
|
6) The generated program now attempts to detect all dynamic
|
|
information when it first starts. If any of those steps fail, an
|
|
error message is generated and the state of the firewall is not
|
|
changed.
|
|
|
|
7) Shorewall will now attempt to detect a dynamic gateway by reading
|
|
the dhclient lease file for the interface
|
|
(/var/run/dhcp/dhclient-<if>.lease).
|
|
|
|
8) To improve readability of the configuration files, Shorewall now
|
|
allows leading white space in continuation lines when the continued
|
|
line ends in ":" or ",".
|
|
|
|
Example (/etc/shorewall/rules):
|
|
|
|
#ACTION SOURCE DEST PROTO DEST
|
|
# PORT(S)
|
|
ACCEPT net:\
|
|
206.124.146.177,\
|
|
206.124.146.178,\
|
|
206.124.146.180\
|
|
dmz tcp 873
|
|
|
|
The leading white space on the lines that contain just an IP
|
|
address is ignored so the SOURCE column effectively contains
|
|
"net:206.124.146.177,206.124.147.178,206.124.146.180".
|
|
|
|
9) The generated script now uses iptables[6]-restore to instantiate
|
|
the Netfilter ruleset during processing of the 'stop' command. As a
|
|
consequence, the 'critical' option in /etc/shorewall/route_stopped
|
|
is no longer needed and will result in a warning.
|
|
|
|
10) A new AUTOMAKE option has been added to shorewall.conf and
|
|
shorewall6.conf. When set to 'Yes', this option causes new behavior
|
|
during processing of the 'start' and 'restart' commands; if no
|
|
files in /etc/shorewall/ (/etc/shorewall6) have changed since the last
|
|
'start' or 'restart', then the compilation step is skipped and the
|
|
script used during the last 'start' or 'restart' is used to
|
|
start/restart the firewall.
|
|
|
|
Note that if a <directory> is specified in the start/restart
|
|
command (e.g., "shorewall restart /etc/shorewall.new") then the
|
|
setting of AUTOMAKE is ignored.
|
|
|
|
Note that the 'make' utility must be installed on the firewall
|
|
system in order for AUTOMAKE=Yes to work correctly.
|
|
|
|
11) The 'compile' command now allows you to omit the <pathname>. When
|
|
you do that, the <pathname> defaults to /var/lib/shorewall/firewall
|
|
(/var/lib/shorewall6/firewall) unless you have overridden VARDIR
|
|
using /etc/shorewall/vardir (/etc/shorewall6/vardir).
|
|
|
|
When combined with AUTOMAKE=Yes, it allows the following:
|
|
|
|
gateway:~ # shorewall compile
|
|
Compiling...
|
|
Shorewall configuration compiled to /root/shorewall/firewall
|
|
gateway:~ #
|
|
...
|
|
gateway:~ # shorewall restart
|
|
Restarting Shorewall....
|
|
done.
|
|
gateway:~ #
|
|
|
|
In other words, you can compile the current configuration then
|
|
install it at a later time.
|
|
|
|
12) Thanks to I. Buijs, it is now possible to rate-limit connections by
|
|
source IP or destination IP. The LIMIT:BURST column in
|
|
/etc/shorewall/policy (/etc/shorewall6/policy) and the RATE LIMIT
|
|
column /etc/shorewall/rules (/etc/shorewall6/rules) have been
|
|
extended as follows:
|
|
|
|
[{s|d}:[[<name>]:]]<rate>/{sec|min}[:<burst>]
|
|
|
|
When s: is specified, the rate is per source IP address.
|
|
When d: is specified, the rate is per destination IP address.
|
|
The <name> specifies the name of a hash table -- you get to choose
|
|
the name. If you don't specify a name, the name 'shorewall' is
|
|
assumed. Rules with the same name have their connection counts
|
|
aggregated and the individual rates are applied to the aggregate.
|
|
|
|
Example:
|
|
|
|
ACCEPT net fw tcp 22 - - s:ssh:3/min
|
|
|
|
This will limit SSH connections from net->fw to 3 per minute.
|
|
|
|
ACCEPT net fw tcp 25 - - s:mail:3/min
|
|
ACCEPT net fw tcp 587 - - s:mail:3/min
|
|
|
|
Since the same hash table name is used in both rules, the above is
|
|
equivalent to this single rule:
|
|
|
|
ACCEPT net fw tcp 25,587 - - s:mail:3/min
|
|
|
|
13) Rules that specify a log level with a target other than LOG or NFLOG
|
|
are now implemented through a separate chain. While this may increase
|
|
the processing cost slightly for packets that match these rules, it
|
|
is expected to reduce the overall cost of such rules because each
|
|
packet that doesn't match the rules only has to be processed once
|
|
per rule rather than twice.
|
|
|
|
Example:
|
|
|
|
/etc/shorewall/rules:
|
|
|
|
REJECT:info loc net tcp 25
|
|
|
|
This previously generated these two rules (long rules folded):
|
|
|
|
-A loc2net -p 6 --dport 25 -j LOG --log-level 6
|
|
--log-prefix "Shorewall:loc2net:reject:"
|
|
-A loc2net -p 6 --dport 25 -j reject
|
|
|
|
It now generates these rules:
|
|
|
|
:log0 - [0:0]
|
|
...
|
|
-A loc2net -p 6 --dport 25 -g log0
|
|
...
|
|
-A log0 -j LOG --log-level 6
|
|
--log-prefix "Shorewall:loc2net:REJECT:"
|
|
-A log0 -p 6 --dport 25 -j reject
|
|
|
|
Notice that now there is only a single rule generated in the
|
|
'loc2net' chain where before there were two. Packets for other than
|
|
TCP port 25 had to be processed by both rules.
|
|
|
|
Notice also that the new LOG rule reflects the original action
|
|
("REJECT") rather than what Shorewall maps that to ("reject").
|
|
|
|
14) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and
|
|
hence will now start successfully when running on that kernel.
|
|
|
|
15) Three new options (IP, TC and IPSET) have been added to
|
|
shorewall.conf and shorwall6.conf. These options specify the name
|
|
of the executable for the 'ip', 'tc' and 'ipset' utilities
|
|
respectively.
|
|
|
|
If not specified, the default values are:
|
|
|
|
IP=ip
|
|
TC=tc
|
|
IPSET=ipset
|
|
|
|
In other words, the utilities will be located via the current PATH
|
|
setting.
|
|
|
|
16) There has been a desire in the user community to limit traffic by
|
|
IP address using Shorewall traffic shaping. Heretofore, that has
|
|
required a very inefficient process:
|
|
|
|
a) Define a tcclass for each internal host (two, if shaping both in
|
|
and out).
|
|
b) Define a tcrule for each host to mark to classify the packets
|
|
accordingly.
|
|
|
|
Beginning with Shorewall 4.3.9, this process is made easier IF YOU
|
|
ARE WILLING TO INSTALL xtables-addons. The feature requires IPMARK
|
|
support in iptables[6] and your kernel. That support is available
|
|
in xtables-addons.
|
|
|
|
The new facility has two components:
|
|
|
|
a) A new IPMARK MARKing command in /etc/shorewall/tcrules.
|
|
b) A new 'occurs' OPTION in /etc/shorewall/tcclasses.
|
|
|
|
The IPMARK target assigns a mark to each matching packet based on
|
|
the either the source or destination IP address. By default, it
|
|
assigns a mark value equal to the low-order 8 bits of the source
|
|
address.
|
|
|
|
The syntax is as follows:
|
|
|
|
IPMARK[([{src|dst}][,[<mask1>][,[<mask2>][,[<shift>]]]])]
|
|
|
|
Default values are:
|
|
|
|
src
|
|
<mask1> = 0xFF
|
|
<mask2> = 0x00
|
|
<shift> = 0
|
|
|
|
'src' and 'dst' specify whether the mark is to be based on the
|
|
source or destination address respectively.
|
|
|
|
The selected address is first LANDed with <mask1> then LORed with
|
|
<mask2>.
|
|
|
|
The result is then shifted <shift> bits to the right.
|
|
|
|
Example:
|
|
|
|
IPMARK(dst, 0XFF00, 0x8000,8)
|
|
|
|
Destination IP address is 192.168.4.3 = 0xc0a80403
|
|
|
|
0xc0a80403 LAND 0xFF00 = 0x0400
|
|
0x0400 LOR 0x80 = 0x8400
|
|
0x8400 >> 8 = 0x84
|
|
|
|
Mark = 0x84 = 132
|
|
|
|
The 'occurs' option causes the class definition to be replicated
|
|
many times. The synax is:
|
|
|
|
occurs=<number>
|
|
|
|
When 'occurs' is used:
|
|
|
|
a) The associated device may not have the 'classify' option.
|
|
b) The class may not be the default class.
|
|
c) The class may not have any 'tos=' options (including
|
|
'tcp-ack').
|
|
|
|
The 'RATE' and 'CEIL' parameters apply to each instance of the
|
|
class. So the total RATE represented by an entry with 'occurs' will
|
|
be the listed RATE multiplied by the 'occurs' number.
|
|
|
|
Example:
|
|
|
|
#DEVICE MARK RATE CEIL PRIORITY OPTIONS
|
|
eth0 100 1kbit 230kbit 4 occurs=32
|
|
|
|
The above defines 32 classes with MARK values 100-131. Each
|
|
class has a guaranteed rate of 1kbit/second.
|
|
|
|
As part of this change, the generation of class ids from mark
|
|
values has been changed. The class number is now
|
|
|
|
( <devnum> << 10 ) | <mask>
|
|
|
|
/sbin/shorewall has an 'encode' and 'decode' command to translate a
|
|
device number, mark pair to/from a classid:
|
|
|
|
encode <devnum> <mark>
|
|
decode <classnum>
|
|
|
|
Example:
|
|
|
|
$ shorewall decode 3172
|
|
Device = 3 Mark = 100
|
|
$ shorewall encode 3 100
|
|
Class number = 3172
|
|
$
|
|
|