Shorewall 4.1.4 is available at:

http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.8/
ftp://ftp1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.8/

Problems corrected in Shorewall 4.1.4.

1) Previously, a value of 0 was ignored in the TEST column of tcrules and
   the MARK column of the rules files. Also, the default mask for entries
   in these columns has been changed from 0xFF to 0xFFFF for compatibility
   with Shorewall-shell.

2) The compilation date recorded in the firewall.conf file produced by
   Shorewall-perl was previously mangled.

3) The following situation would result in unexpected behavior.

   /etc/shorewall/zones:

   #ZONE   TYPE
   fw      firewall
   net     ipv4
   loc     ipv4
   dmz     ipv4

   /etc/shorewall/interfaces:

   #ZONE   INTERFACE   BROADCAST   OPTIONS
   net     ppp0
   loc     eth1
   loc     ppp+
   dmz     eth2

   /etc/shorewall/rules:

   #ACTION    SOURCE   DEST   PROTO   DEST
   #                                  PORT(S)
   ACCEPT     net      dmz    tcp     80
   REDIRECT   loc      3128   tcp     80

   The web server in the dmz (implied by the first rule) is inaccessible
   from the 'net' zone because the REDIRECT rule redirects all traffic
   arriving on 'ppp+' to local port 3128.

   Shorewall 4.1.4 includes a fix for this problem that also requires a
   configuration change. The basic problem with the above configuration
   is that 'net' is a sub-zone of 'loc' (since ppp0 is a subset of ppp+)
   but Shorewall isn't able to recognize that fact. By changing the
   /etc/shorewall/zones file to make the parent/child relationship
   explicit, Shorewall will now know that 'net' is a sub-zone of 'loc'.

   /etc/shorewall/zones:

   #ZONE     TYPE
   fw        firewall
   loc       ipv4
   net:loc   ipv4
   dmz       ipv4

   Be sure that there are no CONTINUE policies from net to another zone
   and that IMPLICIT_CONTINUE=No (to prevent implicit CONTINUE policies
   from 'net' to all other zones).

Other changes in Shorewall 4.1.4.

1) When installing on Cygwin, /etc/shorewall is no longer fully
   populated. Rather, only the shorewall.conf and params files are
   installed. As always, the full configuration file set is installed in
   /usr/share/shorewall/configfiles.

2) Specifying a destination zone in a NAT-only rule now generates a
   warning and the destination zone is ignored. NAT-only rules are:

   NONAT
   REDIRECT-
   DNAT-

3) The /etc/shorewall/masq and /etc/shorewall/nat file now accept a
   comma-separated list of interface names where before only a single
   interface name could be listed (Shorewall-perl only).

   This feature is not for beginners. It iterates over the list of
   interfaces, substituting each interface in place of the list and
   processing the resulting entry according to the semantics of earlier
   Shorewall versions. If you don't know where to use this, don't try.

   Example 1:

   /etc/shorewall/masq:

   #INTERFACE   SOURCE   ADDRESS
   eth0,eth1    eth2     1.2.3.4

   equivalent to:

   #INTERFACE   SOURCE   ADDRESS
   eth0         eth2     1.2.3.4
   eth1         eth2     1.2.3.4

   Example 2:

   /etc/shorewall/masq:

   #INTERFACE                  SOURCE   ADDRESS
   eth0,eth1::192.168.1.0/24   eth2     1.2.3.4

   equivalent to:

   #INTERFACE                  SOURCE   ADDRESS
   eth0::192.168.1.0/24        eth2     1.2.3.4
   eth1::192.168.1.0/24        eth2     1.2.3.4

   Example 3:

   /etc/shorewall/nat:

   #EXTERNAL         INTERFACE    INTERNAL
   206.124.146.178   eth0,wlan0   192.168.1.3

   equivalent to:

   #EXTERNAL         INTERFACE    INTERNAL
   206.124.146.178   eth0         192.168.1.3
   206.124.146.178   wlan0        192.168.1.3

4) Previously, the INTERFACE name used in the masq, nat and netmap files
   had to exactly match the name of an interface from the interfaces
   file. Beginning with Shorewall-perl 4.1.4, the interface may loosely
   match a wildcard entry in the interfaces file.

   Example:

   /etc/shorewall/interfaces:

   vpn   tun+

   /etc/shorewall/masq:

   tun1   192.168.4.0/24

5) Previously, Shorewall classified non-firewall zones as either 'simple'
   or 'complex'. Attributes of a zone which made it 'complex' included:

   - The zone was of type 'ipsec' or 'ipsec4' or it had a hosts entry
     with the 'ipsec' options.
   - The zone had OPTIONS, IN OPTIONS or OUT OPTIONS
   - The zone had more than one network on a given interface
   - The zone had a hosts file entry with an exclusion.
   - The zone had a hosts file entry specifying an ipset.

   The handling of 'simple' and 'complex' zones was different.

   - complex zones had their own 'forward' chain (named '<zone>_frwd').
   - complex zones with exclusions had their own 'input' and 'output'
     chains.

   Beginning with Shorewall-perl 4.1.4, all non-firewall zones will be
   treated as 'complex'. This will have the effect of one additional
   filter chain per zone but in most cases, the average number of filter
   rules traversed by a connection request will be reduced.

Happy Testing,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
On Friday 25 January 2008 22:00, Tom Eastep wrote:
> Shorewall 4.1.4 is available at:
>
> http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.8/
> ftp://ftp1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.8/
>

Tom

The above URL's are for the wrong release.

Steven.
Steven Jan Springl wrote:
> On Friday 25 January 2008 22:00, Tom Eastep wrote:
>> Shorewall 4.1.4 is available at:
>>
>> http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.8/
>> ftp://ftp1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.8/
>>
> Tom
> The above URL's are for the wrong release.

Sorry -- 4.0.8 is obviously at those URLs (I shouldn't try doing two
releases in one day). Try

http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.4
ftp://ftp1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.4

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom

The following erroneous nat file entry:

10.99.99.99 eth1,,eth0 192.168.22.1

produces the following errors:
Today 23:34:48

Tom

I will try again.

The following erroneous nat file entry:

10.99.99.99 eth1,,eth0 192.168.22.1

produces the following errors:

Use of uninitialized value in hash element at /usr/share/shorewall-perl/Shorewall/Zones.pm line 769, <$currentfile> line 11.
Use of uninitialized value in substr at /usr/share/shorewall-perl/Shorewall/Zones.pm line 777, <$currentfile> line 11.
Use of uninitialized value in concatenation (.) or string at /usr/share/shorewall-perl/Shorewall/Nat.pm line 379, <$currentfile> line 11.

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
Steven Jan Springl wrote:
> Today 23:34:48
>
> Tom
>
> I will try again.
>
> The following erroneous nat file entry:
>
> 10.99.99.99 eth1,,eth0 192.168.22.1
>
> produces the following errors:
>
> Use of uninitialized value in hash element
> at /usr/share/shorewall-perl/Shorewall/Zones.pm line 769, <$currentfile> line
> 11.
> Use of uninitialized value in substr
> at /usr/share/shorewall-perl/Shorewall/Zones.pm line 777, <$currentfile> line
> 11.
> Use of uninitialized value in concatenation (.) or string
> at /usr/share/shorewall-perl/Shorewall/Nat.pm line 379, <$currentfile> line
> 11.
>

The attached patch corrects this problem and a similar one in the masq file.

Thanks, Steven

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom

Erroneous masq file entry

br0::1.1.1.1,,2.2.2.2 192.168.0.4 detect

produces the following message:

Use of uninitialized value in substr at /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 94, <$currentfile> line 10.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Erroneous masq file entry
>
> br0::1.1.1.1,,2.2.2.2 192.168.0.4 detect
>
> produces the following message:
>
> Use of uninitialized value in substr
> at /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 94, <$currentfile>
> line 10.

I'm sure you can find as many of this type of problem as you are willing
to document. To eliminate them, I suppose I'll have to do what I did in
Shorewall-shell and write my own 'split' routine that checks for leading,
trailing and adjacent commas.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Fri, Jan 25, 2008 at 04:21:37PM -0800, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Erroneous masq file entry
> >
> > br0::1.1.1.1,,2.2.2.2 192.168.0.4 detect
> >
> > produces the following message:
> >
> > Use of uninitialized value in substr
> > at /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 94, <$currentfile>
> > line 10.
>
> I'm sure you can find as many of this type of problem as you are willing to
> document. To eliminate them, I suppose I'll have to do what I did in
> Shorewall-shell and write my own 'split' routine that checks for leading,
> trailing and adjacent commas.

grep {$_} split ',', $str
Andrew Suffield wrote:
> On Fri, Jan 25, 2008 at 04:21:37PM -0800, Tom Eastep wrote:
>> Steven Jan Springl wrote:
>>> Tom
>>>
>>> Erroneous masq file entry
>>>
>>> br0::1.1.1.1,,2.2.2.2 192.168.0.4 detect
>>>
>>> produces the following message:
>>>
>>> Use of uninitialized value in substr
>>> at /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 94, <$currentfile>
>>> line 10.
>> I'm sure you can find as many of this type of problem as you are willing to
>> document. To eliminate them, I suppose I'll have to do what I did in
>> Shorewall-shell and write my own 'split' routine that checks for leading,
>> trailing and adjacent commas.
>
> grep {$_} split ',', $str

I prefer to flag invalid lists rather than sanitize them. I've updated my
tree with a fix but it's large enough that it will have to wait until 4.1.5.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom

After applying rev. 8109, when the ecn file contains rule:

eth1 1.1.1.0/24,!,1.1.1.1

the following message is produced:

Use of uninitialized value in substr at /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 94.

Steven.
Steven Jan Springl wrote:
> Tom
>
> After applying rev. 8109, when the ecn file contains rule:
>
> eth1 1.1.1.0/24,!,1.1.1.1
>
> the following message is produced:
>
> Use of uninitialized value in substr
> at /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 94.

Steven,

Attached is a patch for this and a bit more.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
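The thread above touches three related pieces of Shorewall-perl list handling: the comma-separated INTERFACE list expansion and the wildcard interface match from the 4.1.4 announcement (items 3 and 4 under "Other changes"), and the malformed lists (`eth1,,eth0`, `br0::1.1.1.1,,2.2.2.2`, `1.1.1.0/24,!,1.1.1.1`) that fall through a plain `split` and surface later as "uninitialized value" warnings. The script below is an added illustration written for this page, not Shorewall's own code or Tom's patch. It implements the approach Tom says he prefers, rejecting an invalid list rather than sanitizing it the way `grep {$_} split ',', $str` would, and treating a bare `!` element as invalid is an assumption made here, not something the thread states. All function names are invented for the example.

```perl
#!/usr/bin/perl
# Added illustration, not Shorewall's own code: a strict comma-list splitter
# that flags leading, trailing and adjacent commas instead of sanitizing
# them, the masq/nat interface-list expansion from 4.1.4 item 3, and the
# wildcard interface match from item 4. Function names are invented here.
use strict;
use warnings;

# Split a comma-separated column value. Malformed forms such as "eth1,,eth0"
# or "1.1.1.1,,2.2.2.2" are rejected with a message naming the column,
# instead of yielding undef elements that later code trips over. Treating a
# bare "!" element as invalid is an assumption made for this example.
sub split_list {
    my ($str, $what) = @_;
    $what = 'list' unless defined $what;
    die "Invalid $what: empty list\n" if !defined $str || $str eq '';
    my @elements = split /,/, $str, -1;    # -1 keeps trailing empty fields
    for my $e (@elements) {
        die "Invalid $what ($str): empty element\n" if $e eq '';
        die "Invalid $what ($str): bare '!' element\n" if $e eq '!';
    }
    return @elements;
}

# Expand the INTERFACE column of a masq entry. "eth0,eth1::192.168.1.0/24"
# becomes ("eth0::192.168.1.0/24", "eth1::192.168.1.0/24"): everything after
# the first ':' is carried unchanged onto each interface, and a destination
# list after '::' is validated with the same strict rules.
sub expand_masq_interface {
    my ($column) = @_;
    my ($list, $rest) = split /:/, $column, 2;
    my @ifaces = split_list($list, 'interface list');
    if (defined $rest) {
        my (undef, $dests) = split /:/, $rest, 2;
        split_list($dests, 'destination list') if defined $dests;
    }
    my $suffix = defined $rest ? ":$rest" : '';
    return map { $_ . $suffix } @ifaces;
}

# The nat file INTERFACE column is a plain list: "eth0,wlan0" yields two
# entries that differ only in the interface.
sub expand_nat_entry {
    my ($external, $interfaces, $internal) = @_;
    return map { [ $external, $_, $internal ] }
        split_list($interfaces, 'interface list');
}

# Resolve an interface named in masq/nat against the interfaces-file names.
# An exact name wins; otherwise a trailing '+' entry matches by prefix
# ("tun1" matches "tun+"). Returns the matching entry, or undef.
sub find_interface {
    my ($name, @known) = @_;
    for my $k (@known) { return $k if $k eq $name }
    for my $k (@known) {
        next unless $k =~ /^(.*)\+$/;
        return $k if index($name, $1) == 0;
    }
    return;
}

unless (caller) {
    print "$_\n" for expand_masq_interface('eth0,eth1::192.168.1.0/24');
    print join(' ', @$_), "\n"
        for expand_nat_entry('206.124.146.178', 'eth0,wlan0', '192.168.1.3');

    # The malformed entries from the thread are rejected up front.
    for my $bad ('eth1,,eth0', 'eth0,', 'br0::1.1.1.1,,2.2.2.2') {
        eval { expand_masq_interface($bad); 1 } or print "rejected $bad: $@";
    }
    eval { split_list('1.1.1.0/24,!,1.1.1.1', 'host list'); 1 }
        or print "rejected: $@";

    # Wildcard match as in item 4: tun1 is accepted via the tun+ entry.
    my @interfaces = ('ppp0', 'eth1', 'tun+');
    printf "%s -> %s\n", $_, find_interface($_, @interfaces) || 'no match'
        for qw(tun1 eth1 eth2);
}
```

Run it with `perl` and no arguments to see the two expansions printed as lines, followed by one rejection message per malformed entry. The key design choice, as in Tom's reply, is that `split_list` dies on the first bad element with the offending column quoted, so a typo in masq or nat stops compilation at the line that caused it rather than producing a rule set that silently omits an interface.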
Tom

Whilst testing Shorewall with kernel 2.6.25-rc1, I have found the following changes to netfilter modules:

ipt_iprange is now called xt_iprange
ipt_owner is now called xt_owner

ipt_TOS has been merged with xt_DSCP
ipt_tos has been merged with xt_dscp

As expected, ipt_SAME has been removed.

Steven.
Steven Jan Springl wrote:
> Tom
>
> Whilst testing Shorewall with kernel 2.6.25-rc1, I have found the following
> changes to netfilter modules:
>
> ipt_iprange is now called xt_iprange
> ipt_owner is now called xt_owner
>
> ipt_TOS has been merged with xt_DSCP
> ipt_tos has been merged with xt_dscp
>
> As expected, ipt_SAME has been removed.

Thanks, Steven.

Attached is a patch to the modules file that should accommodate the name
changes.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key