Now that Shorewall 4.2 is transitioning into maintenance-only mode, it is time to start thinking about Shorewall 4.4.

Originally, I had planned for 4.4 to be the IPv6 release, but when IPv6 proved to be relatively easy and painless to add to 4.2, deferring it until 4.4 was no longer required.

Another idea I had was to split the traffic shaping and routing (providers) part of the product off into a separate product. I've made a couple of half-hearted attempts to begin that work, but I find myself very disinterested in continuing in that direction. The current product works well enough, and if someone else has the time and energy to build a routing and traffic shaping product, I'll be happy to do what I can to integrate with that product.

So the only plan that I have for 4.4 right now is to discontinue Shorewall-shell. That product is mature, and given that Shorewall 4.0 is part of Debian Lenny, we will be maintaining Shorewall 4.0/4.2 for the next couple of years at least.

Anyone have something on their wish list that we might want to add to 4.4?

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
Richard Neill wrote:

Let me start by saying thank you for a wonderful product.

> Anyone have something on their wish list that we might want to add to 4.4?

There's the existing GUI in the shape of Mandriva's drakfirewall and drakgw, which are based on shorewall and GTK-perl. They work pretty well, but lack sophistication.

Another idea: what about implementing a "shorewall helpme" command, which would check for all the common mistakes (often warned about in the FAQ)? This would essentially extend "shorewall check".

Lastly, I still contend that offering a friendly probing service would be useful - though I recall that this was shot down the last time I raised it, on the basis of too much bandwidth requirement.

Richard
On Sun, 2009-02-22 at 08:12 -0800, Tom Eastep wrote:
> So the only plan that I have for 4.4 right now is to discontinue
> Shorewall-shell.
...
> Anyone have something on their wish list that we might want to add to 4.4?

shorewall-lua?

perl is way too bloaty for small boxes. Even miniperl is at least 1MB. (The busybox shell is approx 64kb and must be there anyway.)

shorewall-lite is not practical in many situations. We send out preconfigured boxes with shorewall firewall. Many (most?) users don't know linux very well and many do not have a deep understanding of firewalling. Telling them to set up another linux box so they can generate a config for shorewall-lite is just not realistic.

a shorewall-lua would be just perfect. lua is 1/5 of the size of miniperl and is also faster.

thanks!

-nc
Richard Neill wrote:
> Let me start by saying thank you for a wonderful product.

You are most welcome.

>> Anyone have something on their wish list that we might want to add to 4.4?
>
> There's the existing GUI in the shape of Mandriva's drakfirewall and
> drakgw, which are based on shorewall and GTK-perl. They work pretty
> well, but lack sophistication.

The question of a GUI comes up each time that I send out one of these requests, and my answer is still the same. I have spent my entire 40-year career working in middleware and kernel programming. I have no GUI experience, and it is generally accepted that any developer's first GUI is guaranteed to be unusable. Plus, I have no interest in GUI development. So I'm going to have to leave that one to someone with the skills, time and interest to pursue it.

> Another idea: what about implementing a "shorewall helpme" command,
> which would check for all the common mistakes (often warned about in the
> FAQ)? This would essentially extend "shorewall check".

I'll have to give that one some thought. My initial reaction is that such a feature assumes that there is one 'right' way to configure a firewall and that a computer program can determine if a configuration is 'right'. I'm doubtful that either of those propositions is true.

> Lastly, I still contend that offering a friendly probing service would
> be useful - though I recall that this was shot down the last time I
> raised it, on the basis of too much bandwidth requirement.

That is still a good suggestion, but it has nothing to do with Shorewall 4.4 since it isn't something that would be part of the product.

Thanks Richard,
-Tom
On Mon, Feb 23, 2009 at 07:19:36AM -0800, Tom Eastep wrote:
> That is still a good suggestion but it has nothing to do with Shorewall
> 4.4 since it isn't something that would be part of the product.

How likely would it be that shorewall check could catch more errors than it currently does? I know some things it simply has no way to know if is right or wrong, but perhaps there is room for more checking than it currently does. Catching incorrect values would be nice in some cases. I guess a check for 'is config sane' is the idea. There is no way you could check for correctness.

--
Len Sorensen
Natanael Copa wrote:
> shorewall-lua?
>
> perl is way to bloaty for small boxes. Even miniperl is atleast 1MB.
> (the busybox shell is approx 64kb and must be there anyway)
> shorewall-lite is not practical in many sitauations. We send out
> preconfigured boxes with shorewall firewall. Many (most?) users dont
> know linux very well and many does not have a deep understanding in
> firewalling. Telling them to setup an another linux box so they can
> generate a config for shorewall-lite is just not realistic.

Note that it is not necessary to set up another Linux system -- Shorewall-perl runs fine on Windows under Cygwin. Installing Cygwin under Vista and getting everything to work properly is tricky, but it can be cookbooked so that anyone can do it.

> a shorewall-lua would be just perfect. lua is 1/5 of the size of
> miniperl and is also faster.

Shorewall-lua might be perfect for the embedded community, but I have no interest in spending another year and a half writing another rules compiler (that is what it took to become fluent in Perl and to develop Shorewall-perl -- remember that I have to do this in my spare time).

I might spend some time though investigating what it would take to get Shorewall-perl running natively under Windows. Would that be an acceptable solution?

-Tom
Lennart Sorensen wrote:
> On Mon, Feb 23, 2009 at 07:19:36AM -0800, Tom Eastep wrote:
>> That is still a good suggestion but it has nothing to do with Shorewall
>> 4.4 since it isn't something that would be part of the product.
>
> How likely would it be that shorewall check could catch more errors than
> it currently does? I know some things it simply has no way to know if
> is right or wrong, but perhaps there is room for more checking than it
> currently does. Catching incorrect values would be nice in some cases.
> I guess a check for 'is config sane' is the idea. There is no way you
> could check for correctness.

Shorewall-perl already does a lot of value checking. Have you found cases that it is missing?

-Tom
On Mon, 2009-02-23 at 07:44 -0800, Tom Eastep wrote:
> Natanael Copa wrote:
>
>> shorewall-lua?
>>
>> perl is way to bloaty for small boxes. Even miniperl is atleast 1MB.
>> (the busybox shell is approx 64kb and must be there anyway)
>> shorewall-lite is not practical in many sitauations. We send out
>> preconfigured boxes with shorewall firewall. Many (most?) users dont
>> know linux very well and many does not have a deep understanding in
>> firewalling. Telling them to setup an another linux box so they can
>> generate a config for shorewall-lite is just not realistic.
>
> Note that it is not necessary to set up another Linux system --
> Shorewall-perl runs fine on Windows under Cygwin. Installing Cygwin
> under Vista and getting everything to work properly is tricky but it can
> be cook booked so that anyone can do it.
>
>> a shorewall-lua would be just perfect. lua is 1/5 of the size of
>> miniperl and is also faster.
>
> Shorewall-lua might be perfect for the embedded community but I have no
> interest in spending another year and a half writing another rules
> compiler (that is what it took to become fluent in Perl and to develop
> Shorewall-perl -- remember that I have to do this in my spare time).

I have full understanding of and respect for that. I was just expressing a wish. :)

> I might spend some time though investigating what it would take to get
> Shorewall-perl running natively under windows. Would that be an
> acceptable solution?

Unfortunately no. Users are used to being able to log on to the web interface, do the change, and expect the change to happen there and then. Copying out the config to a Windows machine, needing to install a special application (perl/cygwin/shorewall), compiling and then copying the configs back will not work for us, unfortunately.

miniperl and more RAM is what we will have to do if we want to continue using shorewall, which might not be too bad.

Thanks!

-nc
Natanael Copa wrote:
> On Mon, 2009-02-23 at 07:44 -0800, Tom Eastep wrote:
>
>> I might spend some time though investigating what it would take to get
>> Shorewall-perl running natively under windows. Would that be an
>> acceptable solution?
>
> unfortunally no. users are used to be able to log on the webinterface do
> the change, and expect the change to happen there and then. Copying out
> config to a windows machine, need to install a special application
> (perl/cygwin/shorewall), compile and the copy configs back will not work
> for us, unfortunally.

I guess what I was thinking of was an application under Windows that would make all of the copying transparent.

> miniperl and more RAM is what we will have to do if we want continue use
> shorewall, which might not be too bad.

Let me know if you have problems with Shorewall-perl and miniperl -- I'll be happy to help in working around them.

-Tom
Tom Eastep wrote:
> Anyone have something on their wish list that we might want to add to 4.4?

I'd like to suggest the possibility of limiting the meaning of an interface in the interfaces file, so you could limit an interface to a certain network only. And another thing: when an interface is configured to some address this way, this same source address would be disabled on other interfaces by default. So that ingress and egress filtering would be done properly by netfilter.

I know this kind of configuration is not optimal for a one-machine-only firewall configuration, but it's very good for real firewall setups.

Another way to get this is to change the documentation for the two-interface and three-interface guides to prefer hosts over interfaces. But I'd really like to see this done in a more secure way, one way or another.

--
Tuomo Soini <tis@foobar.fi>   Foobar Linux services
+358 40 5240030               Foobar Oy <http://foobar.fi/>
On Mon, Feb 23, 2009 at 08:15:30AM -0800, Tom Eastep wrote:
> Shorewall-perl already does a lot of value checking. Have you found
> cases that it is missing?

Hmm, not sure. I will have to check if there are any in particular. I guess some values are hard to check since their allowed range depends on kernel and iptables versions in some cases. I will keep an eye out for any that it misses that should have been checked.

--
Len Sorensen
Tuomo Soini wrote:
> Tom Eastep wrote:
>
>> Anyone have something on their wish list that we might want to add to 4.4?
>
> I'd like to suggest possibility to limit meaning of interface on
> interfaces file so you could limit interface to certain network only.
> And other thing: when interface is configured to some address this way
> this same source address would be disabled on other interfaces by
> default. So that ingress and egress filtering would be done properly by
> netfilter.
>
> I know this kind of configuration is not optiomal for one machine only
> firewall configuration but it's very good for real firewall setups.
>
> Other way to get this is to change documentation for two interface and
> three interface guides to prefer hosts over interfaces. But I'd really
> like to see this done more secure way one way or another.

Doesn't simply setting the 'routefilter' option on the internal interfaces do this for you? We can certainly change the two- and three-interface samples to do that.

Currently, they set 'routefilter' on the 'net' interface, which is silly since that interface will have the default route.

-Tom
Tom Eastep wrote:
> Tuomo Soini wrote:
>> Tom Eastep wrote:
>>
>>> Anyone have something on their wish list that we might want to add to 4.4?
>> I'd like to suggest possibility to limit meaning of interface on
>> interfaces file so you could limit interface to certain network only.
>> And other thing: when interface is configured to some address this way
>> this same source address would be disabled on other interfaces by
>> default. So that ingress and egress filtering would be done properly by
>> netfilter.
>>
>> I know this kind of configuration is not optiomal for one machine only
>> firewall configuration but it's very good for real firewall setups.
>>
>> Other way to get this is to change documentation for two interface and
>> three interface guides to prefer hosts over interfaces. But I'd really
>> like to see this done more secure way one way or another.
>
> Doesn't simply setting the 'routefilter' option on the internal
> interfaces do this for you? We can certainly change the two- and
> three-interface samples to do that.
>
> Currently, they set 'routefilter' on the 'net' interface which is silly
> since that interface will have the default route.

Shorewall 4.3.5 and 4.3.6 have a nets=(...) option that does what Tuomo suggested above.

-Tom
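The exchange above is about two ways of tying a source network to an interface: explicit netfilter rules (what Tuomo asked for, and what the nets=(...) option expresses in the interfaces file) and the kernel's reverse-path filter (what 'routefilter' turns on). The following POSIX shell script is an added illustration of both mechanisms; it is not Shorewall's code and not how Shorewall generates its rules. It takes a constructed interface-to-network map (the interface names, networks and the chain name are assumptions) and prints the iptables commands that restrict each listed interface to its own networks, plus the per-interface rp_filter sysctl. It only prints, so it runs without root.

```shell
#!/bin/sh
# Added example, not Shorewall's code: turn an interface -> network map into
# netfilter anti-spoofing rules that restrict each interface to its own
# networks, plus the per-interface rp_filter sysctl that the 'routefilter'
# interface option enables. Everything is printed, nothing is applied.

# Constructed map for illustration (interface names and networks assumed):
# each entry is iface:net[,net...]. The external interface that carries the
# default route is deliberately absent, so it gets no restriction here.
IFACE_NETS="eth1:192.168.1.0/24,10.10.0.0/16 eth2:172.16.0.0/24"
CHAIN="antispoof"   # hypothetical chain name

# Emit iptables commands for the map in $1: on each listed interface, packets
# whose source lies inside one of that interface's networks return to the
# caller; anything else arriving on the interface is logged and dropped.
antispoof_rules() {
    map=$1
    echo "iptables -N $CHAIN"
    for entry in $map; do
        iface=${entry%%:*}
        nets=$(printf '%s' "${entry#*:}" | tr ',' ' ')
        for n in $nets; do
            echo "iptables -A $CHAIN -i $iface -s $n -j RETURN"
        done
        echo "iptables -A $CHAIN -i $iface -j LOG --log-prefix \"spoof:$iface \""
        echo "iptables -A $CHAIN -i $iface -j DROP"
    done
    # Hook the chain before everything else on both paths an incoming
    # packet can take (to the firewall itself, or forwarded through it).
    echo "iptables -I INPUT 1 -j $CHAIN"
    echo "iptables -I FORWARD 1 -j $CHAIN"
}

# Emit the reverse-path-filter sysctls for the interfaces in $1. rp_filter=1
# (strict) rejects a packet whose source would not be routed back out the
# interface it arrived on; it is route-based, so it complements rather than
# replaces the explicit rules above.
routefilter_sysctls() {
    for entry in $1; do
        iface=${entry%%:*}
        echo "sysctl -w net.ipv4.conf.$iface.rp_filter=1"
    done
}

# Number of commands a map produces; handy for sanity-checking the generator.
rule_count() {
    antispoof_rules "$1" | wc -l | tr -d ' '
}

antispoof_rules "$IFACE_NETS"
routefilter_sysctls "$IFACE_NETS"
```

Strict rp_filter (value 1) breaks asymmetric routing on multi-homed firewalls; if that applies, the explicit per-interface rules are the safer of the two mechanisms, and rp_filter can be set to 2 (loose) instead. Note also that neither mechanism says anything about traffic leaving the box; egress filtering of forwarded traffic needs matching rules with -o on the external interface.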
Tom Eastep wrote:
> Now that Shorewall 4.2 is transitioning into maintenance-only mode, it
> is time to start thinking about Shorewall 4.4.
>
> Originally, I had planned for 4.4 to be the IPv6 release but when IPv6
> proved to be relatively easy and painless to add to 4.2, deferring it
> until 4.4 was no longer required.
> ...
> Anyone have something on their wish list that we might want to add to 4.4?

You appear to have read my mind by starting to put dynamic zones back. :-)

Paul
Paul Gear wrote:
> Tom Eastep wrote:
>> Now that Shorewall 4.2 is transitioning into maintenance-only mode, it
>> is time to start thinking about Shorewall 4.4.
>>
>> Originally, I had planned for 4.4 to be the IPv6 release but when IPv6
>> proved to be relatively easy and painless to add to 4.2, deferring it
>> until 4.4 was no longer required.
>> ...
>> Anyone have something on their wish list that we might want to add to 4.4?
> You appear to have read my mind by starting to put dynamic zones back. :-)

Glad you like it. This implementation is based on ipsets, so it is much cleaner.

-Tom
Tom Eastep wrote:
> Paul Gear wrote:
>
>> Tom Eastep wrote:
>>
>>> Now that Shorewall 4.2 is transitioning into maintenance-only mode, it
>>> is time to start thinking about Shorewall 4.4.
>>>
>>> Originally, I had planned for 4.4 to be the IPv6 release but when IPv6
>>> proved to be relatively easy and painless to add to 4.2, deferring it
>>> until 4.4 was no longer required.
>>> ...
>>> Anyone have something on their wish list that we might want to add to 4.4?
>>
>> You appear to have read my mind by starting to put dynamic zones back. :-)
>
> Glad you like it. This implementation is based on ipsets so it is much
> cleaner.

So I take it we're going to have to resort to custom kernels for this? Are ipsets getting any closer to release with the mainline kernel?

Paul
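Tom's remark that the new dynamic zones are "based on ipsets" is the reason they are cleaner: the ruleset references a set once, and zone membership is changed by editing the set at runtime instead of regenerating rules. The POSIX shell script below is an added illustration of that pattern; it is not Shorewall's dynamic-zone implementation, and the set name, the addresses and the accept rules are assumptions. Because the addresses that get added to such a zone typically come from outside the firewall script (a web interface, a VPN hook), the example validates each one as a strict dotted quad before it is allowed anywhere near a command line. As in the earlier example, commands are printed rather than executed. The ipset syntax is the ipset 6 form that accompanies the in-kernel ipset; the out-of-tree ipset 4 of the time used "ipset -N name iphash" and "-m set --set".

```shell
#!/bin/sh
# Added example, not Shorewall's implementation: an ipset-backed dynamic zone.
# The set holds the zone's members; the rules reference the set once, so
# membership changes at runtime without reloading the ruleset. Commands are
# printed, not executed. Set name and addresses are assumptions.

ZONE_SET="dyn_vpn"   # hypothetical set name for the dynamic zone

# Strict IPv4 dotted-quad check, so that an address taken from a web form or
# a hook script cannot smuggle extra words into the ipset/iptables commands.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1            # split on dots into positional parameters
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# One-time setup: create the set (idempotently) and reference it from the
# rules. Members of the dynamic zone may reach SSH on the firewall and be
# forwarded; nothing about the set's contents appears in the rules.
dynzone_setup() {
    name=$1
    echo "ipset create $name hash:ip -exist"
    echo "iptables -A INPUT -m set --match-set $name src -p tcp --dport 22 -j ACCEPT"
    echo "iptables -A FORWARD -m set --match-set $name src -j ACCEPT"
}

# Runtime membership changes. Each returns 1 and prints nothing for an
# address that fails validation; -exist makes add/del idempotent.
dynzone_add() {
    valid_ipv4 "$2" || return 1
    echo "ipset add $1 $2 -exist"
}

dynzone_del() {
    valid_ipv4 "$2" || return 1
    echo "ipset del $1 $2 -exist"
}

dynzone_setup "$ZONE_SET"
dynzone_add "$ZONE_SET" 10.8.0.12
dynzone_del "$ZONE_SET" 10.8.0.12
```

The three rules in dynzone_setup are emitted once at firewall start; afterwards only ipset add/del runs, which is also what makes the approach cheap on the small boxes discussed earlier in the thread: no compiler, no reload, just a hash-table update in the kernel.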