Shorewall devel - Dec 2007 - Shorewall 4.1.2 resent (without a mangled release notes extract)

Shorewall 4.1.2 is now available for testing.

http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.2/
ftp://ftp1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.2/

Problems corrected in Shorewall 4.1.2.

1)  If any of the following files was missing, a harmless Perl warning
    was issued:

       accounting
       maclist
       masq
       nat
       netmap
       rfc1918
       routestopped
       tunnels

    This problem was experienced mostly by Debian users and users of
    Debian derivatives such as Ubuntu.

2)  The iptables utility doesn''t retry operations that fail due to
    resource shortage. Beginning with this release, Shorewall reruns
    iptables when such a failure occurs.

3)  Previously, Shorewall-perl did not accept log levels in upper case
    (e.g., INFO). Log levels are treated in a case-insensitive manner
    by Shorewall-perl.

4)  The column headers in macro files were not aligned. This has been
    corrected, along with some inaccuracies in the macro.template file.

5)  The shorewall.conf files in the Samples did not contain some
    recently-defined options. They are now up to date.

6)  The names of the Jabber macros were shuffled. They are now named
    correctly.

Other changes in Shorewall 4.1.2.

1)  Shorewall 4.1.2 contains enhanced operational logging capabilities
    through a set of related enhancements to Shorewall-common and
    Shorewall-perl. The enhancements are not supported by
    Shorewall-shell nor are they supported by Shorewall-lite except
    when the script is compiled using Shorewall-perl.

    a)  The STARTUP_LOG option in /etc/shorewall/shorewall.conf gives
        the name of the Shorewall operational log. The log will be
        created if it does not exist.

    b)  The LOG_VERBOSITY option in /etc/shorewall/shorewall.conf gives
        the verbosity at which logging will occur. It uses the same
        value range as VERBOSITY:

	-1    Do not log
	0     Almost quiet
	1     Only major steps
	2     Verbose

    c)  An absolute VERBOSITY may be specified on the command line
        using the -v option followed by -1,0,1 or 2.

	Example:

		shorewall -v2 check

    d)  The /etc/init.d/shorewall script supplied with the
        shorewall.net packages sets ''-v0'' as the default. This
may be
        overridden with the OPTIONS setting in /etc/defaults/shorewall or
        /etc/sysconfig/shorewall.

    Logging occurs on both Shorewall-perl and the generated script when
    the following commands are issued:

	start
	restart
	refresh

    Messages in the log are always timestamped.

    This change implemented two new options to the Shorewall-perl
    compiler (/usr/share/shorewall-perl/compiler.pl).

	     --log=<logfile>
	     --log_verbosity={-1|0-2}

    The --log option is ignored when --log_verbosity is not supplied or
    is supplied with value -1.

    To avoid a proliferation of parameters to
    Shorewall::Compiler::compile(), that function has been changed to
    use named parameters. Parameter names are:

	 object          Object file. If omitted or '''', the
			 configuration is syntax checked.
	 directory       Directory. If omitted or '''', configuration
			 files are located using
			 CONFIG_PATH. Otherwise, the directory named by
			 this parameter is searched first.
	 verbosity       Verbosity; range -1 to 2
	 timestamp       0|1 -- timestamp messages.
	 debug           0|1 -- include stack trace in warning/error
			 messages.
	 export          0|1 -- compile for export.
	 chains          List of chains to be reloaded by ''refresh''.
	 log             File to log compiler messages to.
	 log_verbosity   Log Verbosity; range -1 to 2.

    Those parameters that are supplied must have defined values.

    Defaults are:

	     object		'''' (''check'' command)
	     directory		''''
	     verbosity		1
	     timestamp		0
	     debug		0
	     export		0
	     chains		''''
	     log		''''
	     log_verbosity	-1
	

    Example:

    use lib ''/usr/share/shorewall-perl/'';
    use Shorewall::Compiler;

    compiler( object        => ''/root/firewall'',
              log           => ''/root/compile.log'',
	      log_verbosity => 2 );

2)  Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
    mark values < 256 to be assigned in the OUTPUT chain. This has been
    changed so that only high mark values may be assigned
    there. Packet marking rules for traffic shaping of packets
    originating on the firewall must be coded in the POSTROUTING table.

3)  Previously, Shorewall did not range-check the value of the
    VERBOSITY option in shorewall.conf. Beginning with Shorewall 4.1.2:

    a) A VERBOSITY setting outside the range -1 through 2 is rejected.
    b) After the -v and -q options are applied, the resulting value is
       adjusted to fall within the range -1 through 2.

4)  The tcdevices file has been extended to include an OPTIONS
    column. Currently only a single option is defined.

    classify   When specified, you must use explicit CLASSIFY tcrules
	       to classify traffic by class. Shorewall will not create
               any CLASSIFY rules to classify traffic by mark value.

    The ''classify'' option should be specified when you want to
do all
    classification using CLASSIFY tcrules. Because CLASSIFY is not a
    terminating target, every packet passes through all CLASSIFY
    rules. ''classify'' can prevent packets from having to pass
through
    useless additional rules.

    Example:

    /etc/shorewall/tcdevices

	#INTERFACE	IN-BANDWITH	OUT-BANDWIDTH	OPTIONS
	$EXT_IF		1300kbit	384kbit		classify

    /etc/shorewall/tcclasses

	#INTERFACE MARK	RATE	  CEIL	    PRIORITY OPTIONS
	$EXT_IF	   10	5*full/10 full	    1	     tcp-ack,tos-minimize-delay
	$EXT_IF	   20	2*full/10 6*full/10 2	     default
	$EXT_IF	   30	2*full/10 6*full/10 3

    /etc/shorewall/tcrules

	#MARK	SOURCE		DEST	PROTO	PORT(S)	SOURCE
	#                                               PORT(S)
	1:110	192.168.0.0/22	$EXT_IF
	1:130	206.124.146.177 $EXT_IF	tcp     -       873

    This example shows my own simple traffic shaping configuration. I
    have three classes; one for traffic from our local network, one for
    rsync from the master shorewall.net server, and one for all other
    DMZ traffic. I use CLASSIFY rules to assign traffic to the first
    and third class and let the rest default to the second class.

5)  COMMENT lines are now supported in macro bodies by Shorewall-perl
    and are ignored by the Shorewall-shell compiler. The standard
    macros (with the exception of macro.Drop and macro.Reject) have
    been modified to include a COMMENT line describing the macro.

    COMMENT lines in macros work slightly differently from COMMENT
    lines in other files. COMMENT lines in macros are ignored if
    COMMENT support is not available or if there was a COMMENT in use
    when the top-level macro was invoked. This allows the
    following:

	/usr/share/shorewall/macro.SSH:

	    #ACTION SOURCE  PROTO   DEST    SOURCE  RATE    USER/
	    #                       PORT(S) PORT(S) LIMIT   GROUP
	    COMMENT SSH
	    PARAM   -       -       tcp     22

	/etc/shorewall/rules:

	    COMMENT Allow SSH from home
	    SSH/ALLOW     net:$MYIP	$FW
	    COMMENT

	The comment line in macro.SSH will not override the
	COMMENT line in the rules file and the generated rule will show

		/* Allow SSH from home */

	when displayed through the Shorewall show and dump commands.


Thank you for testing,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key





-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

On Friday 07 December 2007 00:26, Tom Eastep wrote:
> Shorewall 4.1.2 is now available for testing.
Tom

Rule:
	ACCEPT:NFLOG(1,2,3)  lan  brd  tcp  22

when compile with shorewall-perl generates the following iptables rule:

A lan2brd -p 6 --dport 22 -j NFLOG --NFLOG-GROUP 1 --NFLOG-RANGE 
2 --NFLOG-THRESHOLD 3 --nflog-prefix "Shorewall:lan2brd:ACCEPT:" 

which produces the following error message:

iptables-restore v1.4.0rc1: Unknown arg `--NFLOG-GROUP''

Steven.

-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

Steven Jan Springl wrote:
> On Friday 07 December 2007 00:26, Tom Eastep wrote:
>> Shorewall 4.1.2 is now available for testing.
Hi Steven,

Do you have a test suite you''re running this through, or do you just
test this on your own firewall?

-- 
Paul
<http://paul.gear.dyndns.org>
-- 
Did you know?  Many viruses specifically target Microsoft Outlook and
Outlook Express.  You can help to keep your computer free of viruses by
using one of the more secure alternatives from <http://mozilla.org>.



-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

Steven Jan Springl wrote:
> On Friday 07 December 2007 00:26, Tom Eastep wrote:
>> Shorewall 4.1.2 is now available for testing.
> 
> Tom
> 
> Rule:
> 	ACCEPT:NFLOG(1,2,3)  lan  brd  tcp  22
> 
> when compile with shorewall-perl generates the following iptables rule:
> 
> A lan2brd -p 6 --dport 22 -j NFLOG --NFLOG-GROUP 1 --NFLOG-RANGE 
> 2 --NFLOG-THRESHOLD 3 --nflog-prefix "Shorewall:lan2brd:ACCEPT:" 
>
Drat -- I knew I should have retested after that last "can''t
fail"
one-line change....

Patch attached...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

On Friday 07 December 2007 04:38, Paul Gear wrote:
> Steven Jan Springl wrote:
> > On Friday 07 December 2007 00:26, Tom Eastep wrote:
> >> Shorewall 4.1.2 is now available for testing.
>
> Hi Steven,
>
> Do you have a test suite you''re running this through, or do you
just
> test this on your own firewall?
>
> --
> Paul
> <http://paul.gear.dyndns.org>
Paul

I have a PC just for Shorewall testing. It runs Debian Etch with the latest 
test versions on the kernel, iptables and Shorewall.

The Shorewall configuration that I use for testing is a
''nonesense''
configuration that generally contains entries that test the latest features 
only.

As it is not possible for me to test some of the features such as multiple 
providers, I limit my testing to trying to break Shorewall, rather than prove 
that features work.

I always start my testing by using the configuration from the previous test 
release.

I have attached my latest test configuration (it breaks Shorewall).

Steven.




-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

On Friday 07 December 2007 00:26, Tom Eastep wrote:
> Shorewall 4.1.2 is now available for testing.
Tom

shorewall.conf entry:

STARTUP_LOG=/var/log/sjs

produces the following error:

/sbin/shorewall: line 241: =2: command not found

Steven.

-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

Steven Jan Springl wrote:
> On Friday 07 December 2007 00:26, Tom Eastep wrote:
>> Shorewall 4.1.2 is now available for testing.
> 
> Tom
> 
> shorewall.conf entry:
> 
> STARTUP_LOG=/var/log/sjs
> 
> produces the following error:
> 
> /sbin/shorewall: line 241: =2: command not found
> 
Steven,

The error occurs only when STARTUP_LOG is specified without LOG_VERBOSITY.

Patch attached.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

On Friday 07 December 2007 00:26, Tom Eastep wrote:
> Shorewall 4.1.2 is now available for testing.
Tom

If LOG_VERBOSITY=2 is specified and STARTUP_LOG is not specified, 
the following messages are produced:

/var/lib/shorewall/.start: line 66: $STARTUP_LOG: ambiguous redirect
Starting Shorewall....
/var/lib/shorewall/.start: line 81: $STARTUP_LOG: ambiguous redirect
Initializing...
/var/lib/shorewall/.start: line 66: $STARTUP_LOG: ambiguous redirect
/var/lib/shorewall/.start: line 51: $STARTUP_LOG: ambiguous redirect
Processing /etc/shorewall/init ...
/var/lib/shorewall/.start: line 66: $STARTUP_LOG: ambiguous redirect
Setting up ARP filtering...
/var/lib/shorewall/.start: line 66: $STARTUP_LOG: ambiguous redirect
Setting up Route Filtering...
/var/lib/shorewall/.start: line 66: $STARTUP_LOG: ambiguous redirect
Setting up Martian Logging...
/var/lib/shorewall/.start: line 66: $STARTUP_LOG: ambiguous redirect
Setting up Accept Source Routing...
/var/lib/shorewall/.start: line 66: $STARTUP_LOG: ambiguous redirect
Setting up Proxy ARP...
/var/lib/shorewall/.start: line 66: $STARTUP_LOG: ambiguous redirect
Setting up Traffic Control...
/var/lib/shorewall/.start: line 66: $STARTUP_LOG: ambiguous redirect
Preparing iptables-restore input...
/var/lib/shorewall/.start: line 66: $STARTUP_LOG: ambiguous redirect
Running /usr/local/sbin/iptables-restore...
/var/lib/shorewall/.start: line 66: $STARTUP_LOG: ambiguous redirect
Processing /etc/shorewall/start ...
/var/lib/shorewall/.start: line 66: $STARTUP_LOG: ambiguous redirect
Processing /etc/shorewall/started ...
/var/lib/shorewall/.start: line 66: $STARTUP_LOG: ambiguous redirect
done.
/var/lib/shorewall/.start: line 81: $STARTUP_LOG: ambiguous redirect


Steven.

-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

Steven Jan Springl wrote:
> On Friday 07 December 2007 00:26, Tom Eastep wrote:
>> Shorewall 4.1.2 is now available for testing.
> 
> Tom
> 
> If LOG_VERBOSITY=2 is specified and STARTUP_LOG is not specified, 
> the following messages are produced:
> 
Steven,

Please try the attached patch. I got different symtoms than you did but
it''s
probably because we are using different shells.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

On Friday 07 December 2007 16:30, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Friday 07 December 2007 00:26, Tom Eastep wrote:
> >> Shorewall 4.1.2 is now available for testing.
> >
> > Tom
> >
> > If LOG_VERBOSITY=2 is specified and STARTUP_LOG is not specified,
> > the following messages are produced:
>
> Steven,
>
> Please try the attached patch. I got different symtoms than you did but
> it''s probably because we are using different shells.
>
> Thanks,
> -Tom
Tom

The patch works.

Steven.

-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

Steven Jan Springl wrote:
> On Friday 07 December 2007 16:30, Tom Eastep wrote:
>> Please try the attached patch. I got different symptoms than you did
but
>> it''s probably because we are using different shells.
> The patch works.
Thanks, Steven

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

On Friday 07 December 2007 00:26, Tom Eastep wrote:
> Shorewall 4.1.2 is now available for testing.
>
Tom

I am getting the following error from the Shorewall shell compiler:
 
Checking...
Initializing...
Determining Zones...
   IPv4 Zones: lan
   Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
/usr/share/shorewall-shell/lib.actions: line 646: [: eq: binary operator 
expected
   ERROR: Invalid TARGET in rule "COMMENT Auth      "


Steven.

-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

Steven Jan Springl wrote:
> On Friday 07 December 2007 00:26, Tom Eastep wrote:
>> Shorewall 4.1.2 is now available for testing.
>>
> Tom
> 
> I am getting the following error from the Shorewall shell compiler:
>  
> Checking...
> Initializing...
> Determining Zones...
>    IPv4 Zones: lan
>    Firewall Zone: fw
> Validating interfaces file...
> Validating hosts file...
> Pre-processing Actions...
>    Pre-processing /usr/share/shorewall/action.Drop...
> /usr/share/shorewall-shell/lib.actions: line 646: [: eq: binary operator 
> expected
>    ERROR: Invalid TARGET in rule "COMMENT Auth      "
Grrrr -- using Perl syntax in a shell program works poorly.

Patch attached,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

On Friday 07 December 2007 00:26, Tom Eastep wrote:
> Shorewall 4.1.2 is now available for testing.
Tom;

Nat entry:
	
	10.1.1.1  eth0:  192.168.12.1

When compiled with Shorewall-perl, 10.1.1.1 is added as an alias to eth0.
When compiled with Shorewall-shell it is not added as an alias.

Having read the shorewall-nat man page, I was not expecting the alias to be 
added.

ADD_IP_ALIASES=Yes is set in shorewall.conf

Steven.


-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

Steven Jan Springl wrote:
> On Friday 07 December 2007 00:26, Tom Eastep wrote:
>> Shorewall 4.1.2 is now available for testing.
> 
> Tom;
> 
> Nat entry:
> 	
> 	10.1.1.1  eth0:  192.168.12.1
> 
> When compiled with Shorewall-perl, 10.1.1.1 is added as an alias to eth0.
> When compiled with Shorewall-shell it is not added as an alias.
> 
> Having read the shorewall-nat man page, I was not expecting the alias to be
> added.
> 
> ADD_IP_ALIASES=Yes is set in shorewall.conf
This problem also occurs in 4.0.6. Patch attached.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php