4.5.4 Beta 3 is now available for testing. I apologize for the back-to-back Betas but I guess it's better to find these problems during the Beta period rather than later.

Problems corrected:

1) This release includes all defect repairs from Shorewall 4.5.3.1.

2) When EXPORTMODULES=No in shorewall.conf, the following errors were issued:

   /usr/share/shorewall/modules: line 19: ?INCLUDE: command not found
   /usr/share/shorewall/modules: line 23: ?INCLUDE: command not found
   /usr/share/shorewall/modules: line 27: ?INCLUDE: command not found
   /usr/share/shorewall/modules: line 31: ?INCLUDE: command not found
   /usr/share/shorewall/modules: line 35: ?INCLUDE: command not found
   /usr/share/shorewall/modules: line 39: ?INCLUDE: command not found

   These messages have been eliminated.

New Features:

Beta 1:

1) The TPROXY tcrules action introduced in Shorewall 4.4.7 was incomplete and required additional rules to be added in the 'start' or 'started' extension scripts. In this release, the TPROXY implementation has been changed and an additional DIVERT action has been created.

   Because the new TPROXY has a different set of parameters than the prior one, the tcrules file now supports two formats:

   FORMAT 1 - (default, deprecated)

     The TPROXY action allows three arguments, the first of which ('mark') is required.

   FORMAT 2

     The TPROXY action has two optional arguments:

       port -- the port on which the proxy is listening. While this argument is optional, it will normally be supplied.

       ip address -- The address on which the proxy is listening.

   The file format is specified by a line like this:

     FORMAT {1|2}

   The Sample configurations have been updated to use FORMAT 2.

   The format-2 tcrules file also supports the DIVERT action. The DIVERT action directs matching packets to the local system if there is a transparent socket in the local system that matches the destination of the packet. DIVERT is used to redirect response packets from remote web servers back to the proxy process running on the firewall rather than being routed directly back to the client.

   Finally, the providers file supports a new 'tproxy' option. When 'tproxy' is specified:

   - It must be the only OPTION given
   - The MARK, DUPLICATE and GATEWAY columns must be empty.
   - The loopback device (lo) should be specified as the INTERFACE.

   The 'tproxy' option causes a reserved mark value to be associated with the provider and for its associated routing rule to have priority 1.

   Here is the TPROXY configuration at shorewall.net:

   interfaces:

     FORMAT 2
     #ZONE   INTERFACE   OPTIONS
     -       lo          ignore

   tcrules:

     FORMAT 2
     #ACTION                     SOURCE   DEST   PROTO   DEST      SOURCE
     #                                                   PORT(S)   PORT(S)
     DIVERT                      eth1     -      tcp     -         80
     DIVERT                      eth0     -      tcp     -         80
     TPROXY(3129,172.20.1.254)   eth2     -      tcp     80

   Note: eth1 and eth0 are Internet interfaces and eth2 connects to the local LAN.

   providers:

     #NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY   OPTIONS
     ...
     Squid   3        -      -           lo          -         tproxy

   /etc/squid3/squid.conf:

     ...
     http_port 172.20.1.254:3129 tproxy
     ...

Beta 3:

1) With some misgivings, this release adds support for the geoip match feature available in xtables-addons. Geoip allows matching of the source or destination IP address by ISO 3661 country codes.

   The support is implemented in the form of extended syntax in the SOURCE and DEST columns of the rules file. To specify one or more country codes, list them as a comma-separated list preceded by a caret ('^').

   Example - Drop email from Anonymous Proxies and Satellite Providers:

     #ACTION     SOURCE        DEST   PROTO   DEST
     #                                        PORT(S)
     DROP:info   net:^A1,A2    dmz    tcp     25

   A listing of two-character country codes is available at http://www.shorewall.net/ISO-3661.html.

Thank you for testing,
-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On Friday 18 May 2012 01:18:44 Tom Eastep wrote:
> Example - Drop email from Anonymous Proxies and Satellite Providers:
>
> #ACTION     SOURCE        DEST   PROTO   DEST
> #                                        PORT(S)
> DROP:info   net:^A1,A2    dmz    tcp     25
>

Tom

Specifying two country codes as in the above example produces the following error message:

ERROR: Unknown Host (A2) /etc/shorewall2/rules (line 182)

Steven.
On 05/19/2012 08:58 AM, Steven Jan Springl wrote:
> On Friday 18 May 2012 01:18:44 Tom Eastep wrote:
>
>> Example - Drop email from Anonymous Proxies and Satellite Providers:
>>
>> #ACTION     SOURCE        DEST   PROTO   DEST
>> #                                        PORT(S)
>> DROP:info   net:^A1,A2    dmz    tcp     25
>>
>
> Tom
>
> Specifying two country codes as in the above example produces the following
> error message:
>
> ERROR: Unknown Host (A2) /etc/shorewall2/rules (line 182)

<Tom hits forehead with palm>

Clearly the country list needs to be delimited. The attached patch allows a single country code to be entered as ^cc and a list as ^[cc,...].

-Tom
On 05/19/2012 09:23 AM, Tom Eastep wrote:
> On 05/19/2012 08:58 AM, Steven Jan Springl wrote:
>> On Friday 18 May 2012 01:18:44 Tom Eastep wrote:
>>
>>> Example - Drop email from Anonymous Proxies and Satellite Providers:
>>>
>>> #ACTION     SOURCE        DEST   PROTO   DEST
>>> #                                        PORT(S)
>>> DROP:info   net:^A1,A2    dmz    tcp     25
>>>
>>
>> Tom
>>
>> Specifying two country codes as in the above example produces the
>> following
>> error message:
>>
>> ERROR: Unknown Host (A2) /etc/shorewall2/rules (line 182)
>
> <Tom hits forehead with palm>
>
> Clearly the country list needs to be delimited. The attached patch
> allows a single country code to be entered as ^cc and a list as ^[cc,...].
>

Updated release notes text is:

2) With some misgivings, this release adds support for the geoip match feature available in xtables-addons. Geoip allows matching of the source or destination IP address by ISO 3661 country codes.

   The support is implemented in the form of extended syntax in the SOURCE and DEST columns.

   To specify a single country code, prefix it with a caret ('^') (e.g., ^A1).

   To specify multiple country codes, enter them as a comma-separated list enclosed in square brackets ('[...]') prefixed by a caret ('^') (e.g., ^[A1,A2]).

   Example - Drop email from Anonymous Proxies and Satellite Providers:

     #ACTION     SOURCE          DEST   PROTO   DEST
     #                                          PORT(S)
     DROP:info   net:^[A1,A2]    dmz    tcp     25

   A listing of two-character country codes is available at http://www.shorewall.net/ISO-3661.html.

-Tom
I'm not the owner of the main mail, but in your link about this theme the error replied by the author is the same as in the link.

This link does not have the same information as your last mail.

Thanks for your time, Tom. I joined this mailing list a few days ago and you are the man who knows everything!

Best regards.
Emiliano

Emiliano Vazquez | PcCentro S.R.L.
Callao 80 | CP 1022 | C.A.B.A.
Office: +54 (11) 4951-0203 / 4155
Celular: 15.6253.7165
Mail: emilianovazquez@gmail.com
Web: http://www.pccentro.com.ar

-----Original Message-----
From: Tom Eastep <teastep@shorewall.net>
Date: Sat, 19 May 2012 09:42:31
To: <shorewall-users@lists.sourceforge.net>
Reply-To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Subject: Re: [Shorewall-users] Shorewall 4.5.4 Beta 3
On 5/19/12 9:58 AM, emilianovazquez@gmail.com wrote:
> I'm not the owner of the main mail but in your link about this theme
> the error replied by the author is the same as is in the link.
>
> This link has not the same information of your last mail.
>

I know. As Steven reported, the syntax in the previous mail did not work; so I had to change it to include the [....].

> Thanks for your time tom. I'm in this mailing list a few day ago and
> you are the man who know everything!

You are very welcome.

-Tom
On Saturday 19 May 2012 17:42:31 Tom Eastep wrote:
> On 05/19/2012 09:23 AM, Tom Eastep wrote:
> > On 05/19/2012 08:58 AM, Steven Jan Springl wrote:
> >> On Friday 18 May 2012 01:18:44 Tom Eastep wrote:
> >>> Example - Drop email from Anonymous Proxies and Satellite Providers:
> >>>
> >>> #ACTION     SOURCE        DEST   PROTO   DEST
> >>> #                                        PORT(S)
> >>> DROP:info   net:^A1,A2    dmz    tcp     25
> >>
> >> Tom
> >>
> >> Specifying two country codes as in the above example produces the
> >> following
> >> error message:
> >>
> >> ERROR: Unknown Host (A2) /etc/shorewall2/rules (line 182)
> >
> > <Tom hits forehead with palm>
> >
> > Clearly the country list needs to be delimited. The attached patch
> > allows a single country code to be entered as ^cc and a list as
> > ^[cc,...].
>
> Updated release notes text is:
>
> 2) With some misgivings, this release adds support for the geoip match
> feature available in xtables-addons. Geoip allows matching of the
> source or destination IP address by ISO 3661 country codes.
>
> The support is implemented in the form of extended syntax in the
> SOURCE and DEST columns.
>
> To specify a single country code, prefix it with a caret ('^')
> (e.g., ^A1).
>
> To specify multiple country codes, enter them as a
> comma-separated list enclosed in square brackets ('[...]') prefixed
> by a caret ('^') (e.g., ^[A1,A2]).
>
> Example - Drop email from Anonymous Proxies and Satellite Providers:
>
> #ACTION     SOURCE          DEST   PROTO   DEST
> #                                          PORT(S)
> DROP:info   net:^[A1,A2]    dmz    tcp     25
>
> A listing of two-character country codes is available at
> http://www.shorewall.net/ISO-3661.html.
>
> -Tom

Tom

Confirmed, the patch corrects the issue.

Thanks.

Steven.
On 5/19/12 11:42 AM, Steven Jan Springl wrote:
>
> Confirmed, the patch corrects the issue.

Thanks, Steven.

-Tom
Tom

If more than 15 country codes are specified the following error is produced:

iptables v1.4.13: geoip: too many countries specified

ERROR: Command "/usr/local/sbin/iptables -A wan2lan -p 6 --dport 80 -m geoip --src-cc GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB -m geoip --dst-cc A2 -j ACCEPT" Failed

Steven.
On 5/19/12 12:14 PM, Steven Jan Springl wrote:
> If more than 15 country codes are specified the following error is produced:
>
> iptables v1.4.13: geoip: too many countries specified
>
> ERROR: Command "/usr/local/sbin/iptables -A wan2lan -p 6 --dport 80 -m geoip
> --src-cc GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB -m geoip --dst-cc A2
> -j ACCEPT" Failed

The attached patch corrects this issue and also improves the error message when an invalid or unknown CC is listed.

Thanks, Steven

-Tom
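An added example, not code from the Shorewall sources or from either of Tom's patches (which are attachments, not on this page), that models the two geoip problems in this thread: it parses the delimited ^cc / ^[cc,...] syntax from the updated release notes, rejecting the undelimited ^A1,A2 form that produced "Unknown Host (A2)", and keeps every iptables "-m geoip" match within the 15-code limit behind "too many countries specified". The two-character code pattern, the de-duplication of repeated codes, and the strategy of spreading a long list over separate rules are this example's own assumptions.

```python
import re

# Limit taken from the iptables error Steven reported: a 16th country code
# produced "geoip: too many countries specified".
MAX_CC_PER_MATCH = 15

# Constructed samples: the example rule's SOURCE column with the original
# Beta 3 spelling (rejected as "Unknown Host (A2)") and the delimited one.
BROKEN_SOURCE = "net:^A1,A2"
FIXED_SOURCE = "net:^[A1,A2]"

# Two-character codes; A1/A2 (anonymous proxy, satellite) are alphanumeric.
CC_RE = re.compile(r"^[A-Z0-9]{2}$")


def parse_geoip(host):
    """Parse '^CC' or '^[CC,CC,...]' into a list of codes; None if the host
    is not a geoip spec.  Malformed input, including the undelimited
    '^A1,A2' form, raises ValueError naming the offending token."""
    if not host.startswith("^"):
        return None
    body = host[1:]
    if body.startswith("["):
        if not body.endswith("]"):
            raise ValueError("unterminated country list: %s" % host)
        codes = body[1:-1].split(",")
    else:
        codes = [body]
    for cc in codes:
        if not CC_RE.match(cc):
            raise ValueError("invalid or unknown country code (%s)" % cc)
    # Collapse repeats (GB,GB,GB,...) so they do not consume match slots.
    return list(dict.fromkeys(codes))


def rejects(host):
    """True if parse_geoip refuses the spec (before/after check helper)."""
    try:
        parse_geoip(host)
    except ValueError:
        return True
    return False


def geoip_rules(chain, flag, column):
    """Build iptables argument lists for one 'zone:host' column; flag is
    '--src-cc' (SOURCE) or '--dst-cc' (DEST).  More than MAX_CC_PER_MATCH
    distinct codes are spread over separate rules so each '-m geoip' stays
    within the limit while the codes keep OR semantics.  This split is the
    example's own strategy, not the one in Tom's patch (not on the page)."""
    _zone, _, host = column.partition(":")
    codes = parse_geoip(host)
    if codes is None:
        return []
    rules = []
    for i in range(0, len(codes), MAX_CC_PER_MATCH):
        chunk = codes[i:i + MAX_CC_PER_MATCH]
        rules.append(["-A", chain, "-m", "geoip", flag, ",".join(chunk)])
    return rules
```

Note that chaining two "-m geoip --src-cc" matches inside one rule would AND them (the packet would have to match both), which is why a long list has to become several rules rather than several matches.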
On Saturday 19 May 2012 20:36:02 Tom Eastep wrote:
> On 5/19/12 12:14 PM, Steven Jan Springl wrote:
> > If more than 15 country codes are specified the following error is
> > produced:
> >
> > iptables v1.4.13: geoip: too many countries specified
> >
> > ERROR: Command "/usr/local/sbin/iptables -A wan2lan -p 6 --dport 80 -m
> > geoip --src-cc GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB,GB -m geoip
> > --dst-cc A2 -j ACCEPT" Failed
>
> The attached patch corrects this issue and also improves the error
> message when an invalid or unknown CC is listed.
>
> Thanks, Steven
>
> -Tom

Tom

Confirmed, the patch corrects the issue.

Thanks.

Steven.
On 5/19/12 1:01 PM, Steven Jan Springl wrote:
>
> Confirmed, the patch corrects the issue.
>

Thanks, Steven.

-Tom