Beta 1 is now available for testing.

1) Stateless NAT is now available in Shorewall6. See shorewall6-netmap(5) for details.

Thank you for testing,
-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________

------------------------------------------------------------------------------
BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
http://p.sf.net/sfu/rim-devcon-copy2
On Sunday 18 September 2011 14:31:28 Tom Eastep wrote:
> Beta 1 is now available for testing.
>
> 1) Stateless NAT is now available in Shorewall6. See
> shorewall6-netmap(5) for details.
>
> Thank you for testing,
> -Tom

Tom

Man page shorewall6-netmap refers to the last two columns as DEST PORT(S). Their description suggests that the first is destination port(s) and the second source port(s).

However, the following shorewall6 netmap entry:

DNAT:P 2001:4d48:ad51:24::/64 eth0 fd58:b443:dd9e:1::/64 - tcp 22 1000

generates the following ip6tables rule:

-A eth0_pre -p 6 --dport 1000 --sport 22 -d 2001:4d48:ad51:24::/64 -j RAWDNAT --to-dest fd58:b443:dd9e:1::/64

This seems to show the source port(s) column is first and destination port(s) second.

Steven.
Hello Tom - on my Centos 6.0 Linux I get this with Shorewall 4.4.24 beta 1:

Compiling...
Can't exec "/usr/share/shorewall/getparams": Permission denied at /usr/share/shorewall/Shorewall/Config.pm line 3258.
ERROR: Processing of /etc/shorewall/params failed

So I delete /etc/shorewall/params and it runs fine.

No problem on Centos 5.7

neal

On Sun, Sep 18, 2011 at 6:33 PM, Steven Jan Springl <steven@springl.ukfsn.org> wrote:
> On Sunday 18 September 2011 14:31:28 Tom Eastep wrote:
> > Beta 1 is now available for testing.
> >
> > 1) Stateless NAT is now available in Shorewall6. See
> > shorewall6-netmap(5) for details.
> >
> > Thank you for testing,
> > -Tom
>
> Tom
>
> Man page shorewall6-netmap refers to the last two columns as DEST PORT(S).
> Their description suggests that the first is destination port(s) and the
> second source port(s).
>
> However, the following shorewall6 netmap entry:
>
> DNAT:P 2001:4d48:ad51:24::/64 eth0 fd58:b443:dd9e:1::/64 - tcp 22 1000
>
> generates the following ip6tables rule:
>
> -A eth0_pre -p 6 --dport 1000 --sport 22 -d 2001:4d48:ad51:24::/64 -j
> RAWDNAT --to-dest fd58:b443:dd9e:1::/64
>
> This seems to show the source port(s) column is first and destination
> port(s) second.
>
> Steven.
>
> _______________________________________________
> Shorewall-devel mailing list
> Shorewall-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-devel

--
(\(\    That's odd. That's very odd.
(^.^)   Wouldn't you say that's very odd?
(")")
-------- When the going gets weird, the weird turn pro.
On Mon, 2011-09-19 at 07:28 -0400, Neal Thomsen wrote:
> Hello Tom - on my Centos 6.0 Linux I get this with Shorewall 4.4.24
> beta 1:
>
> Compiling...
> Can't exec "/usr/share/shorewall/getparams": Permission denied
> at /usr/share/shorewall/Shorewall/Config.pm line 3258.
> ERROR: Processing of /etc/shorewall/params failed
>
> So I delete /etc/shorewall/params and it runs fine.
>
> No problem on Centos 5.7

Neal,

That's an SELinux configuration issue. There are hints about how to correct it in the mailing list archives.

-Tom
On Sun, 2011-09-18 at 23:33 +0100, Steven Jan Springl wrote:
> Man page shorewall6-netmap refers to the last two columns as DEST PORT(S).
> Their description suggests that the first is destination port(s) and the
> second source port(s).
>
> However, the following shorewall6 netmap entry:
>
> DNAT:P 2001:4d48:ad51:24::/64 eth0 fd58:b443:dd9e:1::/64 - tcp 22 1000
>
> generates the following ip6tables rule:
>
> -A eth0_pre -p 6 --dport 1000 --sport 22 -d 2001:4d48:ad51:24::/64 -j
> RAWDNAT --to-dest fd58:b443:dd9e:1::/64
>
> This seems to show the source port(s) column is first and destination port(s)
> second.

Steven,

You're correct; the ports are being reversed in the code. The attached patch fixes the issue.

-Tom
Ooops. Sorry about that! Got it, found it, fixed it! I always forget to check SELinux!

neal

On Mon, Sep 19, 2011 at 9:09 AM, Tom Eastep <teastep@shorewall.net> wrote:
> On Mon, 2011-09-19 at 07:28 -0400, Neal Thomsen wrote:
> > Hello Tom - on my Centos 6.0 Linux I get this with Shorewall 4.4.24
> > beta 1:
> >
> > Compiling...
> > Can't exec "/usr/share/shorewall/getparams": Permission denied
> > at /usr/share/shorewall/Shorewall/Config.pm line 3258.
> > ERROR: Processing of /etc/shorewall/params failed
> >
> > So I delete /etc/shorewall/params and it runs fine.
> >
> > No problem on Centos 5.7
>
> Neal,
>
> That's an SELinux configuration issue. There are hints about how to
> correct it in the mailing list archives.
>
> -Tom
On Monday 19 September 2011 14:12:27 Tom Eastep wrote:
> On Sun, 2011-09-18 at 23:33 +0100, Steven Jan Springl wrote:
> > Man page shorewall6-netmap refers to the last two columns as DEST
> > PORT(S). Their description suggests that the first is destination port(s)
> > and the second source port(s).
> >
> > However, the following shorewall6 netmap entry:
> >
> > DNAT:P 2001:4d48:ad51:24::/64 eth0 fd58:b443:dd9e:1::/64 - tcp 22 1000
> >
> > generates the following ip6tables rule:
> >
> > -A eth0_pre -p 6 --dport 1000 --sport 22 -d 2001:4d48:ad51:24::/64 -j
> > RAWDNAT --to-dest fd58:b443:dd9e:1::/64
> >
> > This seems to show the source port(s) column is first and destination
> > port(s) second.
>
> Steven,
>
> You're correct; the ports are being reversed in the code. The attached
> patch fixes the issue.
>
> -Tom

Tom

Confirmed, the patch fixes the issue. Thanks.

Steven.
On Mon, 2011-09-19 at 16:37 +0100, Steven Jan Springl wrote:
> Confirmed, the patch fixes the issue.

Thanks, Steven

-Tom
Tom

Shorewall6 netmap entry:

DNAT:P 2001:4d48:ad51:24::/64 eth0 fd58:b443:dd9e:1::/64 - ipv6-icmp 128

Generates the following ip6tables rule:

-A eth0_pre -p 58 -d 2001:4d48:ad51:24::/64 -m icmpv6-type 128 -j RAWDNAT --to-dest fd58:b443:dd9e:1::/64

Which produces the following error message:

ip6tables-restore v1.4.12.1: Couldn't load match `icmpv6-type':No such file or directory

Steven.
On Sep 19, 2011, at 9:03 AM, Steven Jan Springl wrote:
> Shorewall6 netmap entry:
>
> DNAT:P 2001:4d48:ad51:24::/64 eth0 fd58:b443:dd9e:1::/64 - ipv6-icmp 128
>
> Generates the following ip6tables rule:
>
> -A eth0_pre -p 58 -d 2001:4d48:ad51:24::/64 -m icmpv6-type 128 -j
> RAWDNAT --to-dest fd58:b443:dd9e:1::/64
>
> Which produces the following error message:
>
> ip6tables-restore v1.4.12.1: Couldn't load match `icmpv6-type':No such file or
> directory

Steven,

The attached patch seems to correct this.

-Tom
On Monday 19 September 2011 18:05:37 Tom Eastep wrote:
> On Sep 19, 2011, at 9:03 AM, Steven Jan Springl wrote:
> > Shorewall6 netmap entry:
> >
> > DNAT:P 2001:4d48:ad51:24::/64 eth0 fd58:b443:dd9e:1::/64 - ipv6-icmp 128
> >
> > Generates the following ip6tables rule:
> >
> > -A eth0_pre -p 58 -d 2001:4d48:ad51:24::/64 -m icmpv6-type 128 -j
> > RAWDNAT --to-dest fd58:b443:dd9e:1::/64
> >
> > Which produces the following error message:
> >
> > ip6tables-restore v1.4.12.1: Couldn't load match `icmpv6-type':No such
> > file or directory
>
> Steven,
>
> The attached patch seems to correct this.
>
> -Tom

Tom

Confirmed. The patch corrects the issue. Thanks.

Steven.

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
On Sep 19, 2011, at 11:28 AM, Steven Jan Springl wrote:
> Confirmed. The patch corrects the issue.

Thanks, Steven

-Tom
Tom

Shorewall netmap entry:

DNAT:P 192.168.168.0/24 eth0 10.199.0.0/16 - icmp 8,3

Generates the following rule:

-A PREROUTING -p 1 --icmp-type 8,3 -d 192.168.168.0/24 -i eth0 -j RAWDNAT --to-dest 10.199.0.0/16

Which produces the following error message:

iptables-restore v1.4.12.1: Invalid ICMP type `8,3'

-------------------------------------------------------------------------------------------------------------------

Specifying a similar format shorewall6 netmap entry:

DNAT:P 2001:4d48:ad51:24::/64 eth0 fd58:b443:dd9e:1::/64 - icmp 129,128

Produces the following error message:

Undefined subroutine &Shorewall::Chains::list_split called at /usr/share/shorewall/Shorewall/Chains.pm line 3258, <$currentfile> line 11.

Steven.
On Sep 19, 2011, at 1:01 PM, Steven Jan Springl wrote:
> Shorewall netmap entry:
>
> DNAT:P 192.168.168.0/24 eth0 10.199.0.0/16 - icmp 8,3
>
> Generates the following rule:
>
> -A PREROUTING -p 1 --icmp-type 8,3 -d 192.168.168.0/24 -i eth0 -j
> RAWDNAT --to-dest 10.199.0.0/16
>
> Which produces the following error message:
>
> iptables-restore v1.4.12.1: Invalid ICMP type `8,3'
>
> -------------------------------------------------------------------------------------------------------------------
>
> Specifying a similar format shorewall6 netmap entry:
>
> DNAT:P 2001:4d48:ad51:24::/64 eth0 fd58:b443:dd9e:1::/64 - icmp 129,128
>
> Produces the following error message:
>
> Undefined subroutine &Shorewall::Chains::list_split called
> at /usr/share/shorewall/Shorewall/Chains.pm line 3258, <$currentfile> line
> 11.

Steven,

Both issues should be eliminated by the attached patch. I had not intended to allow icmp-type lists in that file but an existing bug prevented that restriction.

-Tom
On Monday 19 September 2011 21:25:20 Tom Eastep wrote:
> On Sep 19, 2011, at 1:01 PM, Steven Jan Springl wrote:
> > Shorewall netmap entry:
> >
> > DNAT:P 192.168.168.0/24 eth0 10.199.0.0/16 - icmp 8,3
> >
> > Generates the following rule:
> >
> > -A PREROUTING -p 1 --icmp-type 8,3 -d 192.168.168.0/24 -i eth0 -j
> > RAWDNAT --to-dest 10.199.0.0/16
> >
> > Which produces the following error message:
> >
> > iptables-restore v1.4.12.1: Invalid ICMP type `8,3'
> >
> > -------------------------------------------------------------------------
> >
> > Specifying a similar format shorewall6 netmap entry:
> >
> > DNAT:P 2001:4d48:ad51:24::/64 eth0 fd58:b443:dd9e:1::/64 - icmp 129,128
> >
> > Produces the following error message:
> >
> > Undefined subroutine &Shorewall::Chains::list_split called
> > at /usr/share/shorewall/Shorewall/Chains.pm line 3258, <$currentfile>
> > line 11.
>
> Steven,
>
> Both issues should be eliminated by the attached patch. I had not intended
> to allow icmp-type lists in that file but an existing bug prevented that
> restriction.
>
> -Tom

Tom

Confirmed, the patch fixes both issues. Thanks.

Steven.
On Sep 19, 2011, at 1:33 PM, Steven Jan Springl wrote:
> Confirmed, the patch fixes both issues.

Thanks, Steven

-Tom
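Both defects reported in this thread (the swapped DEST/SOURCE port columns in the tcp case, and the ICMP type handling in the icmp and ipv6-icmp cases) are of the same kind: the rule the compiler emits no longer says what the netmap row said. The script below is an added example, not Shorewall's own code or anything from the attached patches; it is a regression check that parses a netmap row and the rule emitted for it and lists every disagreement. It assumes the column order the man page describes (DEST PORT(S) before SOURCE PORT(S)), that a single ICMP type rather than a list is what the file accepts, as Tom states above, and that an ICMPv6 type is expressed in ip6tables with the real `--icmpv6-type` option rather than a `-m icmpv6-type` match. The sample rows and rules are the ones quoted in the thread, plus one constructed corrected rule for the tcp entry.

```python
"""Check that an iptables rule emitted for a Shorewall netmap row matches
the row's columns. Added example; not part of Shorewall."""

# Column layout of shorewall6-netmap(5) as read in the thread (assumption):
# TYPE  NET1  INTERFACE  NET2  NET3  PROTO  DEST PORT(S)  SOURCE PORT(S)
COLUMNS = ("type", "net1", "interface", "net2", "net3", "proto", "dport", "sport")

ICMP4 = {"icmp", "1"}
ICMP6 = {"ipv6-icmp", "icmpv6", "58"}


def parse_netmap_row(row):
    """Split a netmap row into named columns; missing trailing columns become '-'."""
    entry = dict(zip(COLUMNS, row.split()))
    for name in COLUMNS:
        entry.setdefault(name, "-")
    return entry


def parse_rule(rule):
    """Map each iptables option in a rule line to the argument that follows it."""
    tokens = rule.split()
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            opts[tok] = "" if nxt.startswith("-") else nxt
    return opts


def check(row, rule):
    """Return the list of mismatches between a netmap row and the emitted rule
    (an empty list means the rule says what the row says)."""
    entry = parse_netmap_row(row)
    opts = parse_rule(rule)
    problems = []
    proto, dport, sport = entry["proto"], entry["dport"], entry["sport"]

    if proto in ICMP4 | ICMP6:
        # For ICMP the DEST PORT(S) column carries one ICMP type; lists are rejected
        if "," in dport:
            problems.append("ICMP type list '%s' is not a single type" % dport)
        type_opt = "--icmp-type" if proto in ICMP4 else "--icmpv6-type"
        if opts.get("-m") == "icmpv6-type":
            problems.append("'-m icmpv6-type' is not a match module; "
                            "the type belongs in --icmpv6-type")
        if dport != "-" and opts.get(type_opt) != dport:
            problems.append("%s is %r but the row asks for type %r"
                            % (type_opt, opts.get(type_opt), dport))
        return problems

    # Non-ICMP: DEST PORT(S) must become --dport and SOURCE PORT(S) --sport
    for column, option in (("dport", "--dport"), ("sport", "--sport")):
        want, got = entry[column], opts.get(option)
        if want == "-":
            if got is not None:
                problems.append("%s %s emitted although the column is empty" % (option, got))
        elif got != want:
            problems.append("%s is %r but the row's column is %r" % (option, got, want))
    return problems


# Constructed samples: the rows and rules quoted in the thread, plus one corrected rule
ROW_TCP = "DNAT:P 2001:4d48:ad51:24::/64 eth0 fd58:b443:dd9e:1::/64 - tcp 22 1000"
RULE_TCP_BAD = ("-A eth0_pre -p 6 --dport 1000 --sport 22 -d 2001:4d48:ad51:24::/64 "
                "-j RAWDNAT --to-dest fd58:b443:dd9e:1::/64")
RULE_TCP_OK = ("-A eth0_pre -p 6 --dport 22 --sport 1000 -d 2001:4d48:ad51:24::/64 "
               "-j RAWDNAT --to-dest fd58:b443:dd9e:1::/64")
ROW_ICMP6 = "DNAT:P 2001:4d48:ad51:24::/64 eth0 fd58:b443:dd9e:1::/64 - ipv6-icmp 128"
RULE_ICMP6 = ("-A eth0_pre -p 58 -d 2001:4d48:ad51:24::/64 -m icmpv6-type 128 "
              "-j RAWDNAT --to-dest fd58:b443:dd9e:1::/64")
ROW_ICMP4 = "DNAT:P 192.168.168.0/24 eth0 10.199.0.0/16 - icmp 8,3"
RULE_ICMP4 = ("-A PREROUTING -p 1 --icmp-type 8,3 -d 192.168.168.0/24 -i eth0 "
              "-j RAWDNAT --to-dest 10.199.0.0/16")

if __name__ == "__main__":
    for row, rule in ((ROW_TCP, RULE_TCP_BAD), (ROW_TCP, RULE_TCP_OK),
                      (ROW_ICMP6, RULE_ICMP6), (ROW_ICMP4, RULE_ICMP4)):
        print(row)
        for line in check(row, rule) or ["ok"]:
            print("   ", line)
```

Run as-is it flags the reversed ports in the tcp rule, the bogus `-m icmpv6-type` match, and the `8,3` type list, and reports the corrected tcp rule as clean; the same comparison can be run over the output of `shorewall6 compile` for a real netmap file once the rule lines are paired with their rows.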