<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta content="HTML Tidy, see www.w3.org" name="generator">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<title>Shoreline Firewall (Shorewall) 2.0</title>
<base target="_self">
</head>
<body>
<div>
<h1>Shorewall 2.0</h1>
<span style="font-weight: bold;">Tom Eastep</span><br>
<br>
The information on this site applies only to 2.0.x releases of
Shorewall. For older versions:<br>
<ul>
<li>The 1.4 site is <a href="http://www.shorewall.net/1.4" target="_top">here</a>.</li>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3" target="_top">here</a>.</li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/" target="_top">here</a>.</li>
</ul>
Copyright © 2001-2004 Thomas M. Eastep<br>
<div>
<div class="legalnotice">
<p>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation;
with no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled “<span
class="quote"><a href="file:///vfat/Ursa/Shorewall/Shorewall-Website/GnuCopyright.htm"
target="_self">GNU Free Documentation License</a></span>”.</p>
</div>
</div>
<div>
<p class="pubdate">2004-07-02<br>
</p>
<hr style="width: 100%; height: 2px;"></div>
<h3>Table of Contents</h3>
<div style="margin-left: 40px;"><a href="#Intro">Introduction to Shorewall</a><br>
<div style="margin-left: 40px;"><a href="#Glossary">Glossary</a><br>
<a href="#WhatIs">What is Shorewall?</a><br>
<a href="#GettingStarted">Getting Started with Shorewall</a><br>
<a href="#Info">Looking for Information?</a><br>
<a href="#Mandrake">Running Shorewall on Mandrake® with a two-interface setup?</a><br>
<a href="#License">License</a><br>
</div>
<a href="#News">News</a><br>
<div style="margin-left: 40px;"><a href="#2_0_3c">Shorewall 2.0.3c</a><br>
<a href="#2_0_3b">Shorewall 2.0.3b</a><br>
<a href="#2_0_3a">Shorewall 2.0.3a</a><br>
<a href="#2_0_3">Shorewall 2.0.3</a><br>
</div>
<a href="#Leaf">Leaf</a><br>
<a href="#Donations">Donations</a><br>
</div>
<h2><a name="Intro"></a>Introduction to Shorewall</h2>
<h3><a name="Glossary"></a>Glossary</h3>
<ul>
<li><a href="http://www.netfilter.org" target="_top">Netfilter</a> - the
packet filter facility built into the 2.4 and later Linux kernels.</li>
<li>ipchains - the packet filter facility built into the 2.2
Linux kernels. Also the name of the utility program used to configure
and control that facility. Netfilter can be used in ipchains
compatibility mode.</li>
<li>iptables - the utility program used to configure and
control Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in ipchains
compatibility mode).</li>
</ul>
<h3><a name="WhatIs"></a>What is Shorewall?</h3>
<div style="margin-left: 40px;">The Shoreline Firewall, more
commonly known as "Shorewall", is a high-level tool for configuring
Netfilter. You describe your firewall/gateway requirements using
entries in a set of configuration files. Shorewall reads those
configuration files and, with the help of the iptables utility,
configures Netfilter to match your requirements. Shorewall can be used
on a dedicated firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system. Shorewall does not use Netfilter's
ipchains compatibility mode and can thus take advantage of Netfilter's
<a href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html"
target="_top">connection state tracking capabilities</a>.<br>
<br>
Shorewall is <span style="text-decoration: underline;">not</span> a
daemon. Once Shorewall has configured Netfilter, its job is complete.
After that, there is no Shorewall code running, although the
<a href="starting_and_stopping_shorewall.htm">/sbin/shorewall program
can be used at any time to monitor the Netfilter firewall</a>.<br>
</div>
<h3><a name="GettingStarted"></a>Getting Started with Shorewall</h3>
<div style="margin-left: 40px;">New to Shorewall? Start by
selecting the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
that most closely matches your environment and follow the step-by-step
instructions.<br>
</div>
<h3><a name="Info"></a>Looking for Information?</h3>
<div style="margin-left: 40px;">The <a href="Documentation_Index.html">Documentation
Index</a> is a good place to start, as is the Quick Search in the frame
above.</div>
<h3><a name="Mandrake"></a>Running Shorewall on Mandrake® with a
two-interface setup?</h3>
<div style="margin-left: 40px;">If so, the documentation on this
site will not apply directly to your setup. If you want to use the
documentation that you find here, you will want to consider
uninstalling what you have and installing a setup that matches the
documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br>
<br>
<span style="font-weight: bold;">Update: </span>I've been
informed by Mandrake Development that this problem has been corrected
in Mandrake 10.0 Final (the problem still exists in the 10.0 Community
release).<br>
</div>
<h3><a name="License"></a>License</h3>
<div style="margin-left: 40px;">This program is free software;
you can redistribute it and/or modify it under the terms of
<a href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software
Foundation.<br>
</div>
<p style="margin-left: 40px;">This program is distributed in the
hope that it will be useful, but WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more detail.</p>
<p style="margin-left: 40px;">You should have received a copy of
the GNU General Public License along with this program; if not, write
to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA
02139, USA</p>
<div style="margin-left: 40px;">Permission is granted to copy,
distribute and/or modify this document under the terms of the GNU Free
Documentation License, Version 1.2 or any later version published by
the Free Software Foundation; with no Invariant Sections, with no
Front-Cover, and with no Back-Cover Texts. A copy of the license is
included in the section entitled <a>"GNU Free Documentation
License"</a>.</div>
<hr style="width: 100%; height: 2px;">
<h2><a name="News"></a>News</h2>
<a name="2_0_3c"></a><span style="font-weight: bold;">7/02/2004 -
Shorewall 2.0.3c<br>
<br>
</span>Problems Corrected:<br>
<ol>
<li>Error messages regarding $RESTOREBASE occur during <span
class="bold"><b>shorewall stop</b></span>.</li>
<li>If CLEAR_TC=Yes in <tt class="filename">shorewall.conf</tt>, <span
class="bold"><b>shorewall stop</b></span> fails without removing the
lock file.</li>
</ol>
<br>
<a name="2_0_3b"></a><span style="font-weight: bold;">6/30/2004 -
Shorewall 2.0.3b and Shorewall 1.4.10g<br>
<br>
</span>Problems Corrected:<br>
<ol>
<li>The security vulnerability fix released in Shorewall 2.0.3a
failed under Slackware 9.1.</li>
<li>The security vulnerability fix released in Shorewall 2.0.3a
failed if mktemp was not installed.</li>
</ol>
<a name="2_0_3a"></a><span style="font-weight: bold;">6/28/2004 -
Shorewall 2.0.3a and Shorewall 1.4.10f<br>
<br>
</span>Problems Corrected:<br>
<ol>
<li>Javier Fernández-Sanguino Peña has discovered an exploitable
vulnerability in the way that Shorewall handles temporary files and
directories. The vulnerability can allow a non-root user to cause
arbitrary files on the system to be overwritten. LEAF Bering and Bering
uClibc users are generally not at risk because LEAF boxes do not
typically allow logins by non-root users.</li>
<li>(2.0.3a only) A non-empty DEST entry in /etc/shorewall/tcrules
will generate an error and Shorewall fails to start.</li>
</ol>
<div style="margin-left: 40px;">Note: Slackware users may need the
'functions' file from CVS (STABLE/ project for 1.4.10f and STABLE2/
project for 2.0.3a) to prevent startup errors with these versions
installed. These updated files are also available from the Errata (<a
href="errata.htm">2.0</a>, <a href="1.4/errata.htm">1.4</a>).<br>
<br>
</div>
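<div style="margin-left: 40px;">The 2.0.3a fix for the temporary-file problem above depended on mktemp, and 2.0.3b had to cope with systems where mktemp is missing. The shell function below is an added example, not Shorewall's own code: it creates a temporary file that an unprivileged local user cannot pre-create or point at another file, and falls back to the shell's noclobber mode when mktemp is absent. The function name, the SAFE_TMPFILE_NO_MKTEMP switch and the use of od on /dev/urandom are assumptions of this example.</div>

```shell
#!/bin/sh
# Added example, not Shorewall's own code: create a temporary file that an
# unprivileged local user cannot pre-create or point at another file, with a
# fallback for systems that have no mktemp (the case fixed in 2.0.3b).

umask 077   # every file created below is readable by its owner only

# safe_tmpfile DIR PREFIX
# Prints the path of a new, empty, owner-only regular file in DIR.
# Returns non-zero and prints nothing if no such file could be created.
# Set SAFE_TMPFILE_NO_MKTEMP=1 to force the fallback path (assumed name).
safe_tmpfile() {
    dir=$1
    prefix=$2

    # Preferred path: mktemp creates the file atomically (O_CREAT|O_EXCL),
    # so a name that already exists, symlink or not, is never reused.
    if [ -z "$SAFE_TMPFILE_NO_MKTEMP" ] && command -v mktemp >/dev/null 2>&1; then
        mktemp "$dir/$prefix.XXXXXX"
        return $?
    fi

    # Fallback: noclobber (set -C) makes '>' open with O_EXCL as well, so an
    # existing file or symlink at the chosen name fails the redirection
    # instead of truncating whatever it points to.
    tries=0
    while [ "$tries" -lt 100 ]; do
        tries=$((tries + 1))
        # $$ alone is guessable; mix in 32 random bits when /dev/urandom exists.
        if [ -r /dev/urandom ]; then
            suffix=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
        else
            suffix=$(date +%s)$tries
        fi
        name="$dir/$prefix.$$.$suffix"
        if ( set -C; : > "$name" ) 2>/dev/null; then
            # Re-check after creation: a regular file, not a symlink.
            if [ -f "$name" ] && [ ! -L "$name" ]; then
                printf '%s\n' "$name"
                return 0
            fi
            rm -f "$name"
        fi
    done
    return 1
}
```

Both paths leave the file with mode 0600 because of the umask; callers should still remove the file when done, which is the purge problem noted for 2.0.3 below.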
<a name="2_0_3"></a><span style="font-weight: bold;">6/23/2004 -
Shorewall 2.0.3<br>
<br>
</span>Problems Corrected:<br>
<ol>
<li>The 'firewall' script is not purging temporary restore files in
/var/lib/shorewall. These files have names of the form "restore-nnnnn".</li>
<li>The /var/lib/shorewall/restore script did not load the kernel
modules specified in /etc/shorewall/modules.</li>
<li>Specifying a null common action in /etc/shorewall/actions (e.g.,
:REJECT) results in a startup error.</li>
<li>If /var/lib/shorewall does not exist, shorewall start fails.</li>
<li>DNAT rules with a dynamic source zone don't work properly. When
used, these rules cause the rule to be checked against ALL input, not
just input from the designated zone.</li>
<li>The install.sh script reported installing some files in
/etc/shorewall when the files were actually installed in
/usr/share/shorewall.</li>
<li>Shorewall checks netfilter capabilities before loading kernel
modules. Hence if kernel module autoloading isn't enabled, the
capabilities will be misdetected.</li>
<li>The 'newnotsyn' option in /etc/shorewall/hosts has no effect.</li>
<li>The file /etc/init.d/shorewall now gets proper ownership when the
RPM is built by a non-root user.</li>
<li>Rules that specify bridge ports in both the SOURCE and DEST
columns no longer cause "shorewall start" to fail.</li>
<li>Comments in the rules file have been added to advise users that
"all" in the SOURCE or DEST column does not affect intra-zone traffic.</li>
<li>With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are
now passed through the blacklisting chains. Without this change, it is
not possible to blacklist hosts that are mounting certain types of
ICMP-based DOS attacks.</li>
</ol>
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:<br>
<ol>
<li>The 'dropNonSyn' standard builtin action has been replaced with
the 'dropNotSyn' standard builtin action. The old name can still be
used but will generate a warning.</li>
</ol>
New Features:<br>
<ol>
<li>Shorewall now supports multiple saved configurations.
<ol>
<li>The default saved configuration (restore script) in
/var/lib/shorewall is now specified using the RESTOREFILE option in
shorewall.conf. If this variable isn't set then, to maintain backward
compatibility, 'restore' is assumed.<br>
<br>
The value of RESTOREFILE must be a simple file name; no slashes ("/")
may be included.<br>
</li>
<li>The "save" command has been extended to be able to specify the
name of a saved configuration:<br>
<br>
<tt>shorewall save [ &lt;file name&gt; ]</tt><br>
<br>
The current state is saved to /var/lib/shorewall/&lt;file name&gt;. If
no &lt;file name&gt; is given, the configuration is saved to the file
determined by the RESTOREFILE setting.</li>
<li>The "restore" command has been extended to be able to specify
the name of a saved configuration:<br>
<br>
<tt>shorewall restore [ &lt;file name&gt; ]</tt><br>
<br>
The firewall state is restored from /var/lib/shorewall/&lt;file name&gt;.
If no &lt;file name&gt; is given, the firewall state is restored from
the file determined by the RESTOREFILE setting.</li>
<li>The "forget" command has changed. Previously, the command
unconditionally removed the /var/lib/shorewall/save file which records
the current dynamic blacklist. The "forget" command now leaves that
file alone.<br>
<br>
Also, the "forget" command has been extended to be able to specify the
name of a saved configuration:<br>
<br>
<tt>shorewall forget [ &lt;file name&gt; ]</tt><br>
<br>
The file /var/lib/shorewall/&lt;file name&gt; is removed. If no
&lt;file name&gt; is given, the file determined by the RESTOREFILE
setting is removed.</li>
<li>The "shorewall -f start" command restores the state from the
file determined by the RESTOREFILE setting.</li>
</ol>
</li>
<li>"!" is now allowed in accounting rules.</li>
<li>Interface names appearing within the configuration are now
verified. Interface names must match the name of an entry in
/etc/shorewall/interfaces (or if bridging is enabled, they must match
the name of an entry in /etc/shorewall/interfaces or the name of a
bridge port appearing in /etc/shorewall/hosts).</li>
<li>A new 'rejNotSyn' built-in standard action has been added. This
action responds to "New not SYN" packets with an RST.<br>
<br>
The 'dropNonSyn' action has been superseded by the new 'dropNotSyn'
action. The old name will be accepted until the next major release of
Shorewall but will generate a warning.<br>
<br>
Several new logging actions involving "New not SYN" packets have been
added:<br>
<br>
<tt>logNewNotSyn</tt> -- logs the packet with disposition = LOG<br>
<tt>dLogNewNotSyn</tt> -- logs the packet with disposition = DROP<br>
<tt>rLogNewNotSyn</tt> -- logs the packet with disposition = REJECT<br>
<br>
The packets are logged at the log level specified in the LOGNEWNOTSYN
option in shorewall.conf. If that option is empty or not specified,
then 'info' is assumed.<br>
<br>
Examples (in all cases, set NEWNOTSYN=Yes in shorewall.conf):
<ol>
<li>To simulate the behavior of NEWNOTSYN=No:
<ol>
<li>Add 'NoNewNotSyn' to /etc/shorewall/actions.</li>
<li>Create /etc/shorewall/action.NoNewNotSyn containing:<br>
<br>
<tt>dLogNotSyn</tt><br>
<tt>dropNotSyn</tt><br>
<br>
</li>
<li>Early in your rules file, place:<br>
<br>
<tt>NoNewNotSyn all all tcp</tt><br>
<br>
</li>
</ol>
</li>
<li>Drop 'New not SYN' packets from the net only. Don't log them:
<ol>
<li>Early in your rules file, place:<br>
<br>
<tt>dropNotSyn net all tcp</tt><br>
<br>
</li>
</ol>
</li>
</ol>
</li>
<li>Slackware users no longer have to modify the install.sh script
before installation. Tuomo Soini has provided a change that allows the
INIT and FIREWALL variables to be specified outside the script as in:<br>
<br>
<tt>DEST=/etc/rc.d INIT=rc.firewall ./install.sh</tt><br>
</li>
</ol>
<p><a href="News.htm">More News</a></p>
<hr style="width: 100%; height: 2px;">
<h2><a name="Leaf"></a>Leaf</h2>
<p><a href="http://leaf.sourceforge.net" target="_top"><img
alt="(Leaf Logo)" style="border: 0px solid ; height: 36px; width: 49px;"
src="images/leaflogo.gif" title=""></a> LEAF is an open source project
which provides a Firewall/router on a floppy, CD or CF. Several LEAF
distributions including Bering and Bering-uClibc use Shorewall as their
Netfilter configuration tool.<br>
</p>
<hr style="width: 100%; height: 2px;">
<h2><a name="Donations"></a>Donations</h2>
<p style="text-align: left;"><big><a href="http://www.alz.org"
target="_top"><img src="images/alz_logo2.gif" title=""
alt="(Alzheimer's Association Logo)"
style="border: 0px solid ; width: 300px; height: 60px;" align="left"></a></big></p>
<h2><big><a href="http://www.starlight.org" target="_top"><img
src="images/newlog.gif" title="" alt="(Starlight Foundation Logo)"
style="border: 0px solid ; width: 59px; height: 102px;" align="left"></a></big></h2>
<p style="text-align: left;"><big>Shorewall is free, but if you try it
and find it useful, please consider making a donation to the
<a href="http://www.alz.org/" target="_top">Alzheimer's Association</a>
or to the <a href="http://www.starlight.org" target="_top">Starlight
Children's Foundation</a>.<br>
</big></p>
<p style="text-align: left;"><big>Thanks<br>
</big></p>
</div>
</body>
</html>