The Shorewall team is pleased to announce the availability of Shorewall
4.4.4.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 4
----------------------------------------------------------------------------
1) In some simple one-interface configurations, the following Perl
run-time error messages were issued:
Generating Rule Matrix...
Use of uninitialized value in concatenation (.) or string at
/usr/share/shorewall/Shorewall/Chains.pm line 649.
Use of uninitialized value in concatenation (.) or string at
/usr/share/shorewall/Shorewall/Chains.pm line 649.
Creating iptables-restore input...
2) The Shorewall operations log (specified by STARTUP_LOG) is now
secured 0600.
3) Previously, the compiler generated an incorrect test for interface
availability in the generated code for adding route rules. The
result was that the rules were always added, regardless of the
state of the provider's interface. Now, the rules are only added
when the interface is available.
4) When TC_WIDE_MARKS=Yes and class numbers are not explicitly
specified in /etc/shorewall/tcclasses, duplicate class numbers
result. A typical error message is:
ERROR: Command "tc class add dev eth3 parent 1:1 classid
1:1 htb rate 1024kbit ceil 100000kbit prio 1 quantum 1500"
Failed
Note that the class ID of the class being added is a duplicate of
the parent's class ID.
Also, when TC_WIDE_MARKS=Yes, values > 255 in the MARK column of
/etc/shorewall/tcclasses were rejected.
----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
None.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 4
----------------------------------------------------------------------------
1) The Shorewall packages now include a logrotate configuration file.
2) The limit of 15 entries in a port list has been relaxed in
/etc/shorewall/routestopped.
3) The following seemingly valid configuration produces a fatal
error reporting "Duplicate interface name (p+)":
/etc/shorewall/zones:
#ZONE TYPE
fw firewall
world ipv4
z1:world bport4
z2:world bport4
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
world br0 - bridge
world br1 - bridge
z1 br0:p+
z2 br1:p+
This error occurs because the Shorewall implementation requires
that each bridge port must have a unique name.
To work around this problem, a new 'physical' interface option has
been created. The above configuration may be defined using the
following in /etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
world br0 - bridge
world br1 - bridge
z1 br0:x+ - physical=p+
z2 br1:y+ - physical=p+
In this configuration, 'x+' is the logical name for ports p+ on
bridge br0 while 'y+' is the logical name for ports p+ on bridge
br1.
If you need to refer to a particular port on br1 (for example
p1023), you write it as y1023; Shorewall will translate that name
to p1023 when needed.
It is allowed to have a physical name ending in '+' with a logical
name that does not end with '+'. The reverse is not allowed; if the
logical name ends in '+' then the physical name must also end in
'+'.
This feature is not restricted to bridge ports. Beginning with this
release, the interface name in the INTERFACE column can be
considered a logical name for the interface, and the actual
interface name is specified using the 'physical' option. If no
'physical' option is present, then the physical name is assumed to
be the same as the logical name. As before, the logical interface
name is used throughout the rest of the configuration to refer to
the interface.
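The logical-to-physical name rules described in this item, as an added example that is not Shorewall's own code: a small Python model of the 'physical' option that parses the two interfaces files shown above (constructed here as strings), rejects the duplicate bridge-port case, enforces the '+' rule, and translates a logical port such as y1023 to p1023.

```python
class InterfaceError(ValueError):
    """Raised for definitions that Shorewall 4.4.4 would reject."""
# The working configuration from the release notes (constructed sample input)
FIXED_INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
world   br0         -           bridge
world   br1         -           bridge
z1      br0:x+      -           physical=p+
z2      br1:y+      -           physical=p+
"""

# The configuration that produced "Duplicate interface name (p+)"
DUPLICATE_INTERFACES = """\
world   br0         -           bridge
world   br1         -           bridge
z1      br0:p+
z2      br1:p+
"""

def parse_interfaces(text):
    """Return {logical: physical}, applying the 'physical=' and '+' rules."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if len(fields) < 2:
            continue                                # blank or comment-only line
        iface = fields[1]
        options = fields[3].split(",") if len(fields) > 3 else []
        # 'bridge:port' defines the port; the bridge itself has its own line
        logical = iface.split(":", 1)[1] if ":" in iface else iface
        physical = logical                          # default: same as logical
        for opt in options:
            if opt.startswith("physical="):
                physical = opt[len("physical="):]
        # a wildcard logical name requires a wildcard physical name
        if logical.endswith("+") and not physical.endswith("+"):
            raise InterfaceError("logical %s needs a '+' physical name" % logical)
        if logical in mapping:
            raise InterfaceError("Duplicate interface name (%s)" % logical)
        mapping[logical] = physical
    return mapping

def physical_name(mapping, name):
    """Translate a logical name to the physical name the generated rule matches."""
    if name in mapping:
        return mapping[name]
    for logical, physical in mapping.items():
        if logical.endswith("+") and name.startswith(logical[:-1]):
            return physical[:-1] + name[len(logical) - 1:]   # y1023 -> p1023
    raise InterfaceError("unknown interface %s" % name)
```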
4) Previously, Shorewall has used the character '2' to form the name
of chains involving zones and/or the word 'all' (e.g., fw2net,
all2all). When zone names are given numeric suffixes, these
generated names are hard to read (e.g., foo1232bar). To make these
names clearer, a ZONE2ZONE option has been added.
ZONE2ZONE has a default value of "2" but can also be given the
value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate
the two parts of the name with a hyphen (e.g., foo123-bar).
5) Only one instance of the following warning is now generated;
previously, one instance of a similar warning was generated for
each COMMENT encountered.
COMMENTs ignored -- require comment support in iptables/Netfilter
6) The shorewall and shorewall6 utilities now support a 'show
policies' command. Once Shorewall or Shorewall6 has been restarted
using a script generated by this version, the 'show policies'
command will list each pair of zones and give the applicable
policy. If the policy is enforced in a chain, the name of the chain
is given.
Example:
net => loc DROP using chain net2all
Note that implicit intrazone ACCEPT policies are not displayed for
zones associated with a single network where that network
doesn't specify 'routeback'.
7) The 'show' and 'dump' commands now support an '-l' option which
causes chain displays to include the rule number of each rule.
(Type 'iptables -h' and look for '--line-number')
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what''s new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july

On Saturday 21 November 2009 18:32:06 Tom Eastep wrote:
> ----------------------------------------------------------------------------
> N E W F E A T U R E S I N 4 . 4 . 4
> ----------------------------------------------------------------------------
>
> 2) The limit of 15 entries in a port list has been relaxed in
> /etc/shorewall/routestopped.

Tom

If I specify more than 15 ports in routestopped the following message is
produced:

ERROR: A port list in this file may only have up to 15 ports :
/etc/shorewall2/routestopped (line 12)

Steven.

Steven Jan Springl wrote:
> On Saturday 21 November 2009 18:32:06 Tom Eastep wrote:
>> ----------------------------------------------------------------------------
>> N E W F E A T U R E S I N 4 . 4 . 4
>> ----------------------------------------------------------------------------
>>
>> 2) The limit of 15 entries in a port list has been relaxed in
>> /etc/shorewall/routestopped.
>
> Tom
>
> If I specify more than 15 ports in routestopped the following message is
> produced:
>
> ERROR: A port list in this file may only have up to 15
> ports : /etc/shorewall2/routestopped (line 12)

Crap -- I changed all of the rule generation but neglected to remove the
test. Attached patch should fix it.

-Tom

On Saturday 21 November 2009 22:22:07 Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Saturday 21 November 2009 18:32:06 Tom Eastep wrote:
> >> ----------------------------------------------------------------------------
> >> N E W F E A T U R E S I N 4 . 4 . 4
> >> ----------------------------------------------------------------------------
> >>
> >> 2) The limit of 15 entries in a port list has been relaxed in
> >> /etc/shorewall/routestopped.
> >
> > Tom
> >
> > If I specify more than 15 ports in routestopped the following message is
> > produced:
> >
> > ERROR: A port list in this file may only have up to 15
> > ports : /etc/shorewall2/routestopped (line 12)
>
> Crap -- I changed all of the rule generation but neglected to remove the
> test. Attached patch should fix it.
>
> -Tom

Tom

That's fixed it. Thanks.

Steven.

Tom

Issuing a shorewall6 start produces the following message:

Undefined subroutine &Shorewall::Rules::match_source_interface called at
/usr/share/shorewall/Shorewall/Rules.pm line 2319.

Steven.

Steven Jan Springl wrote:
> Tom
>
> Issuing a shorewall6 start produces the following message:
>
> Undefined subroutine &Shorewall::Rules::match_source_interface called
> at /usr/share/shorewall/Shorewall/Rules.pm line 2319.

The trigger is the presence of a bridge, not IPv6. Patch attached.

-Tom

On Saturday 21 November 2009 23:30:56 Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > Issuing a shorewall6 start produces the following message:
> >
> > Undefined subroutine &Shorewall::Rules::match_source_interface called
> > at /usr/share/shorewall/Shorewall/Rules.pm line 2319.
>
> The trigger is the presence of a bridge, not IPv6. Patch attached.
>
> -Tom

Tom

That's worked. Thanks.

Steven.

On Saturday 21 November 2009 18:32:06 Tom Eastep wrote:
> 6) The shorewall and shorewall6 utilities now support a 'show
> policies' command.

Tom:

Command 'shorewall show policies' works,
but command 'shorewall6 show policies' is invalid.

Steven.

Steven Jan Springl wrote:
> On Saturday 21 November 2009 18:32:06 Tom Eastep wrote:
>
>> 6) The shorewall and shorewall6 utilities now support a 'show
>> policies' command.
>
> Tom:
>
> Command 'shorewall show policies' works,
> but command 'shorewall6 show policies' is invalid.

Wonder where I managed to lose that -- I had tested it on my own firewall.

Patch attached.

-Tom

On Monday 23 November 2009 21:48:23 Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Saturday 21 November 2009 18:32:06 Tom Eastep wrote:
> >> 6) The shorewall and shorewall6 utilities now support a 'show
> >> policies' command.
> >
> > Tom:
> >
> > Command 'shorewall show policies' works,
> > but command 'shorewall6 show policies' is invalid.
>
> Wonder where I managed to lose that -- I had tested it on my own firewall.
>
> Patch attached.
>
> -Tom

Tom

That's worked. Thanks.

Steven.

Steven Jan Springl wrote:
> That's worked. Thanks.

Thanks for testing, Steven!

-Tom