The Shorewall Team is pleased to announce the availability of Shorewall
4.5.4.

----------------------------------------------------------------------------
     I.  P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  This release includes all defect repairs from Shorewall 4.5.3.1.

2)  When EXPORTMODULES=No in shorewall.conf, the following errors were
    issued:

        /usr/share/shorewall/modules: line 19: ?INCLUDE: command not found
        /usr/share/shorewall/modules: line 23: ?INCLUDE: command not found
        /usr/share/shorewall/modules: line 27: ?INCLUDE: command not found
        /usr/share/shorewall/modules: line 31: ?INCLUDE: command not found
        /usr/share/shorewall/modules: line 35: ?INCLUDE: command not found
        /usr/share/shorewall/modules: line 39: ?INCLUDE: command not found

    These messages have been eliminated.

3)  If settings in the PACKET MARK LAYOUT section of shorewall.conf
    (shorewall6.conf) were empty, the 'update' command would previously
    set them to their default values. It now leaves them empty.

4)  Previously, Shorewall used 'unreachable' routes to null-route the
    RFC1918 subnets. This approach has two drawbacks:

    - It can cause problems for IPSEC in that it can cause packets to be
      rejected rather than encrypted and forwarded.

    - It can return 'host unreachable' ICMPs to other systems that
      attempt to route RFC1918 addresses through the firewall.

    To eliminate these problems, Shorewall now uses 'blackhole' routes.
    Such routes don't interfere with IPSEC and silently drop packets
    rather than return an ICMP.

5)  The 'default' routing table is now cleared if there are no 'fallback'
    providers.

----------------------------------------------------------------------------
       I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure the
    firewall before interfaces are brought up.

----------------------------------------------------------------------------
     I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  The TPROXY tcrules action introduced in Shorewall 4.4.7 was incomplete
    and required additional rules to be added in the 'start' or 'started'
    extension scripts. In this release, the TPROXY implementation has been
    changed and an additional DIVERT action has been created.

    Because the new TPROXY has a different set of parameters than the
    prior one, the tcrules file now supports two formats:

    FORMAT 1 - (default, deprecated)

        The TPROXY action allows three arguments, the first of which
        ('mark') is required.

    FORMAT 2

        The TPROXY action has two optional arguments; these are the second
        and third arguments to the format-1 TPROXY:

        port       -- the port on which the proxy is listening. While this
                      argument is optional, it will normally be supplied.

        ip address -- the address on which the proxy is listening.

    The file format is specified by a line like this:

        FORMAT {1|2}

    The Sample configurations have been updated to use FORMAT 2.

    The format-2 tcrules file also supports the DIVERT action. The DIVERT
    action directs matching packets to the local system if there is a
    transparent socket in the local system that matches the destination of
    the packet. DIVERT is used to redirect response packets from remote
    web servers back to the proxy process running on the firewall rather
    than being routed directly back to the client.

    Finally, the providers file supports a new 'tproxy' option. When
    'tproxy' is specified:

    - It must be the only OPTION given.

    - The MARK, DUPLICATE and GATEWAY columns must be empty.

    - The loopback device (lo) should be specified as the INTERFACE.

    The 'tproxy' option causes a reserved mark value to be associated with
    the provider and for its associated routing rule to have priority 1.

    Here is the TPROXY configuration at shorewall.net:

    interfaces:

        FORMAT 2
        #ZONE   INTERFACE   OPTIONS
        net     eth0        ...
        net     eth1        ...
        loc     eth2        ...
        -       lo          ignore

    tcrules:

        FORMAT 2
        #ACTION                     SOURCE  DEST  PROTO  DEST     SOURCE
        #                                                PORT(S)  PORT(S)
        DIVERT                      eth1    -     tcp    -        80
        DIVERT                      eth0    -     tcp    -        80
        TPROXY(3129,172.20.1.254)   eth2    -     tcp    80

    providers:

        #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS
        ...
        Squid   3       -     -          lo         -        tproxy

    /etc/squid3/squid.conf:

        ...
        http_port 172.20.1.254:3129 tproxy
        ...

2)  With some misgivings, this release adds support for the geoip match
    feature available in xtables-addons. Geoip allows matching of the
    source or destination IP address by ISO 3661 country codes. The
    Shorewall support requires xtables-addons 1.33 or later.

    The support is implemented in the form of extended syntax in the
    SOURCE and DEST columns of the rules file.

    To specify a single country code, add a caret prefix ('^').

        Example: ^A1

    To specify multiple country codes, enter them as a comma-separated
    list enclosed in square brackets ('[...]') with a caret prefix ('^').

        Example: ^[A1,A2]

    A listing of two-character country codes is available at
    http://www.shorewall.net/ISO-3661.html.

    Example rule - Drop email from Anonymous Proxies and Satellite
    Providers:

        #ACTION     SOURCE         DEST  PROTO  DEST
        #                                       PORT(S)
        DROP:info   net:^[A1,A2]   dmz   tcp    25

    The compiler determines the set of valid country codes by examining
    the geoip database, which is normally installed in
    /usr/share/xt_geoip/. There are two sub-directories at that location:

        BE - The big-endian database.
        LE - The little-endian database.

    To accommodate both big-endian and little-endian machines and to
    allow the database to be installed elsewhere, a GEOIPDIR option has
    been added in shorewall.conf and shorewall6.conf. The default setting
    is "/usr/share/xt_geoip/LE" since Shorewall is normally installed on
    little-endian machines.

3)  OPTIMIZE level 4 now performs an additional optimization. If the last
    rule in a chain is an unqualified jump to a simple target, then all
    immediately preceding rules with the same simple target are omitted.
    For example, consider this chain:

        -A fw-net -p udp --dport 67:68 -j ACCEPT
        -A fw-net -p udp --sport 1194 -j ACCEPT
        -A fw-net -p 41 -j ACCEPT
        -A fw-net -j ACCEPT

    Since all of the rules are jumps to the simple target ACCEPT, this
    chain is totally optimized away and jumps to 'fw-net' are replaced
    with jumps to ACCEPT.

    As part of this enhancement, when both OPTIMIZE level 1 and level 4
    are selected, the level 1 optimization step is skipped because it is
    now a limited subset of level 4.

4)  Tuomo Soini contributed a macro for MS SQL (macro.MSSQL).

Thank you for using Shorewall.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
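The geoip column syntax from item 2 of section III, as an added example that is not part of the announcement or of Shorewall's own compiler: it parses '^CC' and '^[CC,...]' specifications, validates the codes against a constructed stand-in for the GEOIPDIR code set, and emits the xtables-addons geoip match fragment. The function names and VALID_CODES are assumptions.

```python
import re

# Constructed stand-in for the country-code set that the compiler reads from
# the GEOIPDIR database. A1 (Anonymous Proxy) and A2 (Satellite Provider) are
# the xt_geoip pseudo-countries used in the release notes' example rule.
VALID_CODES = {"A1", "A2", "US", "DE", "FI"}

# '^CC' for a single code, '^[CC,CC,...]' for a list; codes are two characters.
GEOIP_RE = re.compile(r"^\^(?:([A-Z0-9]{2})|\[([A-Z0-9]{2}(?:,[A-Z0-9]{2})*)\])$")


def parse_geoip_spec(spec):
    """Return the country codes in a geoip spec, or None if spec is not one.

    Anything starting with '^' that does not follow the documented forms
    (e.g. '^[A1,]' or '^USA') raises ValueError, like a compile-time error,
    instead of silently producing a rule that matches nothing.
    """
    if not spec.startswith("^"):
        return None
    m = GEOIP_RE.match(spec)
    if m is None:
        raise ValueError(f"malformed geoip specification: {spec!r}")
    return [m.group(1)] if m.group(1) else m.group(2).split(",")


def geoip_match(column, direction, valid=VALID_CODES):
    """Translate a SOURCE ('src') or DEST ('dst') column into (zone, match).

    The match fragment uses the xtables-addons geoip syntax
    (-m geoip --src-cc / --dst-cc). A column with no geoip spec yields None
    as the fragment so ordinary address handling can take over.
    """
    zone, _, spec = column.partition(":")
    codes = parse_geoip_spec(spec)
    if codes is None:
        return zone, None
    unknown = sorted(c for c in codes if c not in valid)
    if unknown:
        raise ValueError(f"unknown country code(s): {','.join(unknown)}")
    flag = {"src": "--src-cc", "dst": "--dst-cc"}[direction]
    return zone, f"-m geoip {flag} {','.join(codes)}"
```

Running geoip_match("net:^[A1,A2]", "src") on the announcement's example rule returns ("net", "-m geoip --src-cc A1,A2").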
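The OPTIMIZE level 4 step from item 3 of section III, as an added example (not Shorewall's own Perl compiler code): it collapses the announcement's fw-net chain and rewrites the jumps that referenced it. The assumed definition of a "simple target" (a built-in target with no options) and the helper names are assumptions.

```python
import re

# Constructed chain copied from the OPTIMIZE level 4 description: every rule
# jumps to ACCEPT and the final rule is an unqualified jump to ACCEPT.
SAMPLE_CHAIN = [
    "-A fw-net -p udp --dport 67:68 -j ACCEPT",
    "-A fw-net -p udp --sport 1194 -j ACCEPT",
    "-A fw-net -p 41 -j ACCEPT",
    "-A fw-net -j ACCEPT",
]

# Assumption: a "simple target" is a built-in target given without options.
SIMPLE_TARGETS = {"ACCEPT", "DROP", "RETURN"}

RULE_RE = re.compile(r"^-A\s+(\S+)\s*(.*?)\s*-j\s+(\S+)(.*)$")


def parse_rule(rule):
    """Split an iptables-save style rule into (chain, matches, target, target_opts)."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unparsable rule: {rule!r}")
    chain, matches, target, opts = m.groups()
    return chain, matches.strip(), target, opts.strip()


def optimize_level4(rules):
    """Drop rules made redundant by a final unqualified jump to a simple target.
    Returns (kept_rules, replacement): replacement is the target that jumps to
    this chain can be rewritten to when the chain collapses to one rule."""
    if not rules:
        return [], None
    _, matches, target, opts = parse_rule(rules[-1])
    if matches or opts or target not in SIMPLE_TARGETS:
        return list(rules), None        # final rule is qualified or not simple
    kept = list(rules)
    # Walk backwards: each immediately preceding rule that jumps to the same
    # simple target is reached by the final rule anyway, so it is omitted.
    # The first rule with a different target ends the run.
    while len(kept) > 1:
        _, _, prev_target, prev_opts = parse_rule(kept[-2])
        if prev_target != target or prev_opts:
            break
        del kept[-2]
    return kept, (target if len(kept) == 1 else None)


def replace_jumps(rules, chain, target):
    """Rewrite '-j <chain>' to '-j <target>' in the callers of a collapsed chain."""
    pattern = re.compile(rf"(\s-j\s+){re.escape(chain)}(\s|$)")
    return [pattern.sub(rf"\g<1>{target}\2", r) for r in rules]
```

With a REJECT rule carrying --reject-with, or a preceding rule that jumps elsewhere, the walk stops and only the redundant tail is removed.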