Beta 3 is now available for testing.

Changes since Beta 2:

1) Two defects associated with 'update -D' have been corrected.

   - shorewall.conf.bak is no longer deleted.
   - files that are not changed no longer have their mtime updated.

2) Support for arptables has been added to Shorewall and Shorewall Lite.

   - Both classic arptables and arptables_jf (fork maintained by Jay Fenlason) are supported.
   - There is now an ARPTABLES option in the shorewall.conf file to specify the path to the arptables binary.
   - An arprules file has been added to allow specification of arptables rules. See shorewall-arprules (5) for details.
   - A 'show arptables' command has been added to show the active arptables rules.
   - arptables rules are saved and restored by the save and restore commands if the new option SAVE_ARPTABLES is set to Yes in shorewall.conf.
   - arptables rules are displayed in the 'dump' command.

   As part of this change, a new capability ('Arptables JF') has been added. If you use a capabilities file, you should regenerate it after installing this version.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 01/04/2013 10:08 AM, Tom Eastep wrote:
> Beta 3 is now available for testing.
>
> Changes since Beta 2:
>
> 1) Two defects associated with 'update -D' have been corrected.
>
>    - shorewall.conf.bak is no longer deleted.
>    - files that are not changed no longer have their mtime updated.
>
> 2) Support for arptables has been added to Shorewall and Shorewall
>    Lite.

I recommend against testing this feature until I've posted a patch. MAC
address handling is pretty broken.

-Tom
On 01/04/2013 03:20 PM, Tom Eastep wrote:
> On 01/04/2013 10:08 AM, Tom Eastep wrote:
>> Beta 3 is now available for testing.
>>
>> Changes since Beta 2:
>>
>> 1) Two defects associated with 'update -D' have been corrected.
>>
>>    - shorewall.conf.bak is no longer deleted.
>>    - files that are not changed no longer have their mtime updated.
>>
>> 2) Support for arptables has been added to Shorewall and Shorewall
>>    Lite.
>
> I recommend against testing this feature until I've posted a patch. MAC
> address handling is pretty broken.
>

Attached is the patch.

-Tom
On 01/04/2013 03:51 PM, Tom Eastep wrote:
> On 01/04/2013 03:20 PM, Tom Eastep wrote:
>> On 01/04/2013 10:08 AM, Tom Eastep wrote:
>>> Beta 3 is now available for testing.
>>>
>>> Changes since Beta 2:
>>>
>>> 1) Two defects associated with 'update -D' have been corrected.
>>>
>>>    - shorewall.conf.bak is no longer deleted.
>>>    - files that are not changed no longer have their mtime updated.
>>>
>>> 2) Support for arptables has been added to Shorewall and Shorewall
>>>    Lite.
>>
>> I recommend against testing this feature until I've posted a patch. MAC
>> address handling is pretty broken.
>>
>
> Attached is the patch.

The attached patch is required by those who run arptables_jf.

-Tom
Tom

In the attached config, the arprule:

DROP eth0:192.168.0.0/24 eth1 1

produces the following error message:

Can't use string ("eth0") as a HASH ref while "strict refs" in use at /usr/share/shorewall/Shorewall/ARP.pm line 144, <$currentfile> line 9.

Note, ARP.patch is applied but not ARP1.patch.

Steven.
On 01/05/2013 04:44 AM, Steven Jan Springl wrote:
> In the attached config, the arprule:
>
> DROP eth0:192.168.0.0/24 eth1 1
>
> produces the following error message:
>
> Can't use string ("eth0") as a HASH ref while "strict refs" in use at
> /usr/share/shorewall/Shorewall/ARP.pm line 144, <$currentfile> line 9.
>
> Note, ARP.patch is applied but not ARP1.patch.

The attached patch corrects the problem and produces the expected error message.

Thanks Steven,
-Tom
On Saturday 05 Jan 2013 15:19:01 Tom Eastep wrote:
> On 01/05/2013 04:44 AM, Steven Jan Springl wrote:
> > In the attached config, the arprule:
> >
> > DROP eth0:192.168.0.0/24 eth1 1
> >
> > produces the following error message:
> >
> > Can't use string ("eth0") as a HASH ref while "strict refs" in use at
> > /usr/share/shorewall/Shorewall/ARP.pm line 144, <$currentfile> line 9.
> >
> > Note, ARP.patch is applied but not ARP1.patch.
>
> The attached patch corrects the problem and produces the expected error
> message.
>
> Thanks Steven,
> -Tom

Tom

Confirmed, the patch corrects the issue. Thanks.

Steven.
> Confirmed, the patch corrects the issue.
>

Thanks, Steven

-Tom
Tom

Arprules entry:

DROP eth0:!1.1.1.1 - 1

produces the following error:

ERROR: Invalid IP Address (!1.1.1.1) /etc/shorewall2A11/arprules (line 10)

------------------------------------------------------------------------

Arprules entry:

DROP eth0 - !1

generates the following arptables rule:

-A INPUT -i eth0 --opcode 1 -j DROP

which seems to ignore the '!' in the ARP OPCODE column.

Steven.
On 01/05/2013 07:48 AM, Steven Jan Springl wrote:
> Arprules entry:
>
> DROP eth0:!1.1.1.1 - 1
>
> produces the following error:
>
> ERROR: Invalid IP Address (!1.1.1.1) /etc/shorewall2A11/arprules (line 10)

Attached ARP3.patch corrects this problem.

> ------------------------------------------------------------------------
>
> Arprules entry:
>
> DROP eth0 - !1
>
> generates the following arptables rule:
>
> -A INPUT -i eth0 --opcode 1 -j DROP
>
> which seems to ignore the '!' in the ARP OPCODE column.
>

This problem was unique to 'arptables'; it worked correctly with 'arptables_jf'.

ARP4.patch attached.

Thanks, Steven

-Tom
On Saturday 05 Jan 2013 16:24:40 Tom Eastep wrote:
> On 01/05/2013 07:48 AM, Steven Jan Springl wrote:
> > Arprules entry:
> >
> > DROP eth0:!1.1.1.1 - 1
> >
> > produces the following error:
> >
> > ERROR: Invalid IP Address (!1.1.1.1) /etc/shorewall2A11/arprules (line
> > 10)
>
> Attached ARP3.patch corrects this problem.
>
> > ------------------------------------------------------------------------
> >
> > Arprules entry:
> >
> > DROP eth0 - !1
> >
> > generates the following arptables rule:
> >
> > -A INPUT -i eth0 --opcode 1 -j DROP
> >
> > which seems to ignore the '!' in the ARP OPCODE column.
>
> This problem was unique to 'arptables'; it worked correctly with
> 'arptables_jf'.
>
> ARP4.patch attached.
>
> Thanks, Steven
>
> -Tom

Tom

Confirmed, the patches have fixed both issues.

Note, there seems to be a bug in arptables.

Arprules entry:

DROP eth0 - !1

generates the arptables rule:

-A INPUT -i eth0 --opcode ! 1 -j DROP

Issuing arptables-save produces:

-A INPUT -j DROP -i eth0 --opcode 1

The "!" is missing.

I am using arptables v0.0.3.4 supplied with Debian Squeeze.

Steven.
Steven,

On 1/5/13 8:55 AM, Steven Jan Springl wrote:
> Confirmed, the patches have fixed both issues.

Thanks.

>
> Note, there seems to be a bug in arptables.
>
> Arprules entry:
>
> DROP eth0 - !1
>
> generates the arptables rule:
>
> -A INPUT -i eth0 --opcode ! 1 -j DROP
>
> Issuing arptables-save produces:
>
> -A INPUT -j DROP -i eth0 --opcode 1
>
> The "!" is missing.
>
> I am using arptables v0.0.3.4 supplied with Debian Squeeze.

It seems to be dropped while processing the -A command, as the -L command also shows no '!':

root@gateway:~# arptables -A foo -j RETURN --opcode ! 1
root@gateway:~# arptables -L foo -n -v
Chain foo (0 references)
-j RETURN -i * -o * --opcode 1 , pcnt=0 -- bcnt=0
root@gateway:~# arptables -V
arptables v0.0.3.4
root@gateway:~#

arptables_jf seems to work correctly:

[root@sami ~]# arptables -N foo
[root@sami ~]# arptables -A foo -j RETURN --arpop ! 1
[root@sami ~]# arptables -L foo -n -v
Chain foo (0 references)
pkts bytes target in out source-ip destination-ip source-hw destination-hw hlen op hrd pro
0 0 RETURN * * 0.0.0.0/0 0.0.0.0/0 00/00 00/00 any !0001 0000/0000 0000/0000
[root@sami ~]#

Are you submitting a Debian bug report?

Thanks,
-Tom
On Saturday 05 Jan 2013 19:44:41 Tom Eastep wrote:
> Steven,
>
> On 1/5/13 8:55 AM, Steven Jan Springl wrote:
> > Confirmed, the patches have fixed both issues.
>
> Thanks.
>
> > Note, there seems to be a bug in arptables.
> >
> > Arprules entry:
> >
> > DROP eth0 - !1
> >
> > generates the arptables rule:
> >
> > -A INPUT -i eth0 --opcode ! 1 -j DROP
> >
> > Issuing arptables-save produces:
> >
> > -A INPUT -j DROP -i eth0 --opcode 1
> >
> > The "!" is missing.
> >
> > I am using arptables v0.0.3.4 supplied with Debian Squeeze.
>
> It seems to be dropped while processing the -A command, as the -L
> command also shows no '!':
>
> root@gateway:~# arptables -A foo -j RETURN --opcode ! 1
> root@gateway:~# arptables -L foo -n -v
> Chain foo (0 references)
> -j RETURN -i * -o * --opcode 1 , pcnt=0 -- bcnt=0
> root@gateway:~# arptables -V
> arptables v0.0.3.4
> root@gateway:~#
>
> arptables_jf seems to work correctly:
>
> [root@sami ~]# arptables -N foo
> [root@sami ~]# arptables -A foo -j RETURN --arpop ! 1
> [root@sami ~]# arptables -L foo -n -v
> Chain foo (0 references)
> pkts bytes target in out source-ip destination-ip source-hw destination-hw hlen op hrd pro
> 0 0 RETURN * * 0.0.0.0/0 0.0.0.0/0 00/00 00/00 any !0001 0000/0000 0000/0000
> [root@sami ~]#
>
> Are you submitting a Debian bug report?
>
> Thanks,
> -Tom

Tom

I have submitted a bug report to the Netfilter team & a Debian bug report.

Steven.
On 01/05/2013 01:14 PM, Steven Jan Springl wrote:
>
> I have submitted a bug report to the Netfilter team & a Debian bug report.
>

Thanks Steven,

I've added a warning if opcode inversion is specified and arptables (as opposed to arptables_jf) is being used:

WARNING: arptables versions through 0.3.4 ignore '!' after '--opcode'

-Tom
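The arprules entries and arptables command lines traded in this thread (the '!' in the SOURCE address that ARP3.patch fixed, the '!' in the OPCODE column that ARP4.patch fixed, the --opcode vs --arpop spelling, and the warning above) are small enough to illustrate with an added example. The following is not Shorewall's own compiler (which is Perl, in Shorewall/ARP.pm); the INPUT/OUTPUT/FORWARD chain choice and the use of -s/-d for the address part are this example's assumptions.

```python
# Added example, not Shorewall's own code (its compiler is Perl, Shorewall/ARP.pm):
# turns arprules entries "ACTION SOURCE DEST OPCODE" into arptables arguments and
# flags the opcode-inversion problem from this thread. Chain choice and -s/-d use are assumptions.
import re
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")
OPCODE_WARNING = "WARNING: arptables versions through 0.3.4 ignore '!' after '--opcode'"

def parse_endpoint(spec):
    """'eth0', 'eth0:192.168.0.0/24' or 'eth0:!1.1.1.1' -> (iface, inverted, addr).
    The '!' is stripped before validating the address (the ARP3.patch defect)."""
    if spec == "-":
        return None, False, None
    iface, _, addr = spec.partition(":")
    if not iface:
        raise ValueError("interface required in %r" % spec)
    if not addr:
        return iface, False, None
    inverted = addr.startswith("!")
    addr = addr[1:] if inverted else addr
    if not IPV4.match(addr):
        raise ValueError("Invalid IP Address (%s)" % addr)
    return iface, inverted, addr

def parse_opcode(spec):
    """'1' -> (False, 1); '!1' -> (True, 1); '-' -> (False, None)."""
    if spec == "-":
        return False, None
    inverted = spec.startswith("!")
    value = spec[1:] if inverted else spec
    if not value.isdigit():
        raise ValueError("Invalid ARP opcode (%s)" % spec)
    return inverted, int(value)

def compile_arprule(line, jf=False):
    """Return (arptables arguments, warnings) for one arprules line.
    jf=True emits the arptables_jf spelling (--arpop), where '!' is honoured."""
    action, source, dest, opcode = line.split()
    s_if, s_inv, s_addr = parse_endpoint(source)
    d_if, d_inv, d_addr = parse_endpoint(dest)
    op_inv, op = parse_opcode(opcode)
    if s_if and d_if:
        chain = "FORWARD"       # assumption: both interfaces named -> FORWARD
    elif s_if or d_if:
        chain = "INPUT" if s_if else "OUTPUT"
    else:
        raise ValueError("SOURCE or DEST must name an interface")
    args, warnings = ["-A", chain], []
    if s_if:
        args += ["-i", s_if]
    if s_addr:
        args += ["-s"] + (["!"] if s_inv else []) + [s_addr]
    if d_if:
        args += ["-o", d_if]
    if d_addr:
        args += ["-d"] + (["!"] if d_inv else []) + [d_addr]
    if op is not None:
        args.append("--arpop" if jf else "--opcode")
        if op_inv:
            args.append("!")
            if not jf:  # classic arptables through 0.3.4 silently drops the '!'
                warnings.append(OPCODE_WARNING)
        args.append(str(op))
    args += ["-j", action]
    return " ".join(args), warnings
```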
> 2) Support for arptables has been added to Shorewall and Shorewall
>    Lite.
>
>    - Both classic arptables and arptables_jf (fork maintained by Jay
>      Fenlason) are supported.
>
>    - There is now an ARPTABLES option in the shorewall.conf file to
>      specify the path to the arptables binary.
>
>    - An arprules file has been added to allow specification of
>      arptables rules. See shorewall-arprules (5) for details.
>
>    - A 'show arptables' command has been added to show the active
>      arptables rules.
>
>    - arptables rules are saved and restored by the save and restore
>      commands if the new option SAVE_ARPTABLES is set to Yes in
>      shorewall.conf.
>
>    - arptables rules are displayed in the 'dump' command.
>
>    As part of this change, a new capability ('Arptables JF') has been
>    added. If you use a capabilities file, you should regenerate it
>    after installing this version.
>

A couple of things you may or may not be aware of:

1. The default policy for the core chains does not function properly (at least when the policy is DROP anyway), particularly if you have sub-chains. What I had to do in such instances is insert a "-j <policy>" statement at the end of each chain/sub-chain to fix this.

2. You probably need to manipulate the arp cache when the firewall is (re-)started since there may be changes in the rule set. This, as you probably know, is done with the "ip n ..." command, so it would be easy to deal with.

3. You may wish to create an additional file (something like the existing maclist) to manipulate the arp cache entries: the arp cache entries could be temporary as well as permanent. This adds, among other things, an extra security layer as well as preventing excessive arp traffic.

4. The loopback interface, when included in any arp rules, does not work properly.
On Saturday 05 Jan 2013 21:23:27 Tom Eastep wrote:
> On 01/05/2013 01:14 PM, Steven Jan Springl wrote:
> > I have submitted a bug report to the Netfilter team & a Debian bug
> > report.
>
> Thanks Steven,
>
> I've added a warning if opcode inversion is specified and arptables (as
> opposed to arptables_jf) is being used:
>
> WARNING: arptables versions through 0.3.4 ignore '!' after '--opcode'
>
> -Tom

Tom

I don't know if you have seen on the netfilter mailing list, a patch has been provided that corrects the opcode inversion issue and a new release will be made available later this week.

Steven.
On 01/07/2013 12:55 PM, Steven Jan Springl wrote:
> On Saturday 05 Jan 2013 21:23:27 Tom Eastep wrote:
>> On 01/05/2013 01:14 PM, Steven Jan Springl wrote:
>>> I have submitted a bug report to the Netfilter team & a Debian bug
>>> report.
>>
>> Thanks Steven,
>>
>> I've added a warning if opcode inversion is specified and arptables (as
>> opposed to arptables_jf) is being used:
>>
>> WARNING: arptables versions through 0.3.4 ignore '!' after '--opcode'
>>
>> -Tom
>
> Tom
>
> I don't know if you have seen on the netfilter mailing list, a patch has been
> provided that corrects the opcode inversion issue and a new release will be made
> available later this week.

Thanks, Steven!

-Tom