Now that 1.3 is out, I thought it would be a good idea to tell you what my plans are for Shorewall and to solicit input from this list.

My focus for the next several minor releases will be to incorporate recent Netfilter enhancements into Shorewall. For example, this afternoon I have integrated support for the 'multiport' match facility.

I would like to defer the next minor release until the Documentation Group has had a chance to catch up. Along that line: Ron, Steve & all; what is happening with the documentation cleanup?

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep wrote:
> Now that 1.3 is out, I thought it would be a good idea to tell you what my
> plans are for Shorewall and to solicit input from this list.
>
> My focus for the next several minor releases will be to incorporate recent
> Netfilter enhancements into Shorewall. For example, this afternoon I have
> integrated support for the 'multiport' match facility.
>
> I would like to defer the next minor release until the Documentation
> Group has had a chance to catch up. Along that line: Ron, Steve & all;
> what is happening with the documentation cleanup?

Tom,

Here are some suggestions:

* Support for generating rules for multiple firewalls from a central
  location. This probably wouldn't require much - i haven't thought about
  it a lot yet - but i think there are a few little improvements that
  could be made that would make life easier for those of us with multiple
  firewalls.

* User space helpers: We could implement a user space program to pop up
  and ask whether an unknown connection should be accepted. I think this
  would make shorewall more valuable as a personal firewall, since you
  wouldn't have to keep going to syslog to look at denied connections.
  I haven't done any more thinking about it than that, but i think
  being able to monitor multiple firewalls and get realtime alerts on
  the desktop would be useful - something like Tiny Personal Firewall
  for Windows' alert dialog.

* Porting to other firewall engines: The only reason i suggest this is
  that i have to use non-Linux platforms at work (mainly HP-UX, but a bit
  of Solaris as well), and i would like to be able to use Shorewall on
  ipfilter.

That should keep you busy for a few days. :-)

On an unrelated topic, is anyone using CVS to access the source? When i try, i get this:

$ export CVSROOT=:pserver:anonymous@cvs.shorewall.net:/usr/local/cvs
$ cvs login
Logging in to :pserver:anonymous@cvs.shorewall.net:2401/usr/local/cvs
CVS password:
$ cvs checkout Shorewall
cvs server: Updating Shorewall
cvs server: failed to create lock directory for `/usr/local/cvs/Shorewall' (/usr/local/cvs/Shorewall/#cvs.lock): Permission denied
cvs server: failed to obtain dir lock in repository `/usr/local/cvs/Shorewall'
cvs [server aborted]: read lock failed - giving up

I think the problem is actually on your end, Tom, but i'm not positive.

Paul
http://paulgear.webhop.net
I have been swamped with work and so have just sent you the typo type errors I have found.

Ron, can you remind us of the status of the work you have been able to do to update the documentation and what your future plans are? Is there anything I or anyone else can do to help?

Are there new suggestions from anyone else? Please post them.

Thanks,

--
Steve Herber    herber@thing.com    work: 206-261-0307
Systems Engineer, AMCIS, UoW        home: 425-454-2399

On Sat, 1 Jun 2002, Tom Eastep wrote:
> Now that 1.3 is out, I thought it would be a good idea to tell you what my
> plans are for Shorewall and to solicit input from this list.
>
> My focus for the next several minor releases will be to incorporate recent
> Netfilter enhancements into Shorewall. For example, this afternoon I have
> integrated support for the 'multiport' match facility.
>
> I would like to defer the next minor release until the Documentation
> Group has had a chance to catch up. Along that line: Ron, Steve & all;
> what is happening with the documentation cleanup?
>
> -Tom
Thanks for the suggestions, Paul:

On Sun, 2 Jun 2002, Paul Gear wrote:

> Here are some suggestions:
>
> * Support for generating rules for multiple firewalls from a central
> location. This probably wouldn't require much - i haven't thought about
> it a lot yet - but i think there are a few little improvements that
> could be made that would make life easier for those of us with multiple
> firewalls.

There may be someone on the user's list that has some tools in this area already. I'm referring to the user for whom I provided the ability to rename the firewall zone. I'm going to have to have a better idea of what the requirements are before I can comment further.

> * User space helpers: We could implement a user space program to pop up
> and ask whether an unknown connection should be accepted. I think this
> would make shorewall more valuable as a personal firewall, since you
> wouldn't have to keep going to syslog to look at denied connections.

I'm not at all interested in such a thing:

a) It sounds like an open invitation for DOS.

b) I've never been particularly interested in Shorewall as a "personal firewall"; there are lots of those available and if that's what people want or need then that's what they should use.

c) The "shorewall monitor" facility contains all of the logic needed for a log monitoring facility already; A little hacking on what's already there would produce a "shorewall watchlog" command (or some such thing). Take a look at "shorewall monitor" and you'll see what I mean.

> I haven't done any more thinking about it than that, but i think
> being able to monitor multiple firewalls and get realtime alerts on
> the desktop would be useful - something like Tiny Personal Firewall
> for Windows' alert dialog.

How about forwarding Netfilter messages to a central site and using my proposed "watchlog" command?

> * Porting to other firewall engines: The only reason i suggest this is
> that i have to use non-Linux platforms at work (mainly HP-UX, but a bit
> of Solaris as well), and i would like to be able to use Shorewall on
> ipfilter.

I'm perfectly happy if someone who has access to those platforms wants to port Shorewall. My only access to either of them is remote and non-root so it's out of the question for me to do it (even if I were interested). Given that Shorewall wasn't designed to be multi-platform, there would need to first be a lot of structural changes to the code. If someone steps forward and wants to do such a port, I will work on those structural changes but not until then; those changes will slow down "start" and "restart" so there's no sense in doing them without any immediate need.

> On an unrelated topic, is anyone using CVS to access the source? When i try,
> i get this:
>
> $ export CVSROOT=:pserver:anonymous@cvs.shorewall.net:/usr/local/cvs
> $ cvs login
> Logging in to :pserver:anonymous@cvs.shorewall.net:2401/usr/local/cvs
> CVS password:
> $ cvs checkout Shorewall
> cvs server: Updating Shorewall
> cvs server: failed to create lock directory for `/usr/local/cvs/Shorewall'
> (/usr/local/cvs/Shorewall/#cvs.lock): Permission denied
> cvs server: failed to obtain dir lock in repository
> `/usr/local/cvs/Shorewall'
> cvs [server aborted]: read lock failed - giving up
>
> I think the problem is actually on your end, Tom, but i'm not positive.

Oops -- I had intentionally disallowed CVS access to the Shorewall project and forgot to reenable it. It should be available again now. If you want update access, you'll need to send me the password you want to use along with the hashed password you want.

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
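Tom's proposed "watchlog" command and the idea of forwarding Netfilter messages to a central site both come down to parsing the kernel log lines that Shorewall's logging rules produce. The following is an added example, not Shorewall's code and not from anyone on the list: it parses a few constructed syslog lines carrying Shorewall's `Shorewall:chain:disposition:` log prefix (the prefix layout and the alert threshold are assumptions here) and reports sources with repeated blocked connections, which is the kind of summary a log watcher would raise instead of making the user read syslog by hand.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from a real host). The
# "Shorewall:<chain>:<disposition>:" log prefix is Shorewall's convention
# and is assumed here; the last line is ordinary non-Netfilter noise.
SAMPLE_LOG = """\
Jun  2 14:53:10 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=4321 DPT=22 SYN
Jun  2 14:53:11 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=4322 DPT=23 SYN
Jun  2 14:53:12 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=4323 DPT=25 SYN
Jun  2 14:53:15 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 PROTO=UDP SPT=53 DPT=1025
Jun  2 14:53:20 gw kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= SRC=10.0.0.4 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=3456 DPT=22 SYN
Jun  2 14:53:21 gw sshd[412]: Accepted publickey for paul from 10.0.0.4
"""

LOG_RE = re.compile(r"kernel: Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")

def parse_line(line):
    """Return the chain, disposition and packet fields of a Shorewall log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Netfilter prints KEY=VALUE pairs plus bare flags such as SYN; keep only the pairs.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "src": fields.get("SRC"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }

def watch(log_text, threshold=3):
    """Return [(src, count, sorted dst ports)] for sources with at least
    `threshold` DROP/REJECT entries, busiest source first."""
    per_src = Counter()
    ports = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["disposition"] not in ("DROP", "REJECT"):
            continue  # accepted traffic and unrelated syslog lines are ignored
        per_src[ev["src"]] += 1
        ports.setdefault(ev["src"], set()).add(ev["dport"])
    return [(src, n, sorted(ports[src]))
            for src, n in per_src.most_common() if n >= threshold]

if __name__ == "__main__":
    for src, n, dports in watch(SAMPLE_LOG):
        print(f"ALERT {src}: {n} blocked connections to ports {dports}")
```

Feeding it lines from several firewalls forwarded to one syslog host gives the central view Tom describes; an event-driven variant would call `watch` on each batch as it arrives rather than on a whole file.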
Tom Eastep wrote:
> Thanks for the suggestions, Paul:
>
> On Sun, 2 Jun 2002, Paul Gear wrote:
>
> > Here are some suggestions:
> >
> > * Support for generating rules for multiple firewalls from a central
> > location. This probably wouldn't require much - i haven't thought about
> > it a lot yet - but i think there are a few little improvements that
> > could be made that would make life easier for those of us with multiple
> > firewalls.
>
> There may be someone on the user's list that has some tools in this area
> already. I'm referring to the user for whom I provided the ability to
> rename the firewall zone. I'm going to have to have a better idea of what
> the requirements are before I can comment further.

That was me. ;-) (Or did you remember that?)

When i actually get to working on this, i'll let you know what i think needs to be done. The new redirect syntax may have solved some of my problems.

> > * User space helpers: We could implement a user space program to pop up
> > and ask whether an unknown connection should be accepted. I think this
> > would make shorewall more valuable as a personal firewall, since you
> > wouldn't have to keep going to syslog to look at denied connections.
>
> I'm not at all interested in such a thing:
>
> a) It sounds like an open invitation for DOS.

Doesn't the netfilter user space code have a limit on the number of outstanding packets, after which it starts dropping them anyway? That would be sufficient to prevent DOS, wouldn't it? Only connections that do not already match a rule would be passed to user space.

> ...
> b) I've never been particularly interested in Shorewall as a "personal
> firewall"; there are lots of those available and if that's what people
> want or need then that's what they should use.

What personal firewalls are available for Linux?

> c) The "shorewall monitor" facility contains all of the logic needed for a
> log monitoring facility already; A little hacking on what's already there
> would produce a "shorewall watchlog" command (or some such thing). Take a
> look at "shorewall monitor" and you'll see what I mean.
>
> > I haven't done any more thinking about it than that, but i think
> > being able to monitor multiple firewalls and get realtime alerts on
> > the desktop would be useful - something like Tiny Personal Firewall
> > for Windows' alert dialog.
>
> How about forwarding Netfilter messages to a central site and using my
> proposed "watchlog" command?

I was thinking about something event-driven rather than polled.

> > * Porting to other firewall engines: The only reason i suggest this is
> > that i have to use non-Linux platforms at work (mainly HP-UX, but a bit
> > of Solaris as well), and i would like to be able to use Shorewall on
> > ipfilter.
>
> I'm perfectly happy if someone who has access to those platforms wants to
> port Shorewall. My only access to either of them is remote and non-root so
> it's out of the question for me to do it (even if I were interested).
> Given that Shorewall wasn't designed to be multi-platform, there would
> need to first be a lot of structural changes to the code. If someone steps
> forward and wants to do such a port, I will work on those structural
> changes but not until then; those changes will slow down "start" and
> "restart" so there's no sense in doing them without any immediate need.

I agree. That's about all i was looking for for now.

> > On an unrelated topic, is anyone using CVS to access the source? When i try,
> > i get this:
> > ...
> > I think the problem is actually on your end, Tom, but i'm not positive.
>
> Oops -- I had intentionally disallowed CVS access to the Shorewall project
> and forgot to reenable it. It should be available again now.

Much better - thanks.

> If you want
> update access, you'll need to send me the password you want to use along
> with the hashed password you want.

No need - anonymous is good enough for now.

Paul
http://paulgear.webhop.net
On Mon, 3 Jun 2002, Paul Gear wrote:

> That was me. ;-) (Or did you remember that?)

No, I honestly didn't.

> When i actually get to working on this, i'll let you know what i think
> needs to be done. The new redirect syntax may have solved some of my
> problems.
>
> > a) It sounds like an open invitation for DOS.
>
> Doesn't the netfilter user space code have a limit on the number of outstanding
> packets, after which it starts dropping them anyway? That would be sufficient to
> prevent DOS, wouldn't it? Only connections that do not already match a rule would
> be passed to user space.

Could be -- maybe I'd better research netfilter user space hooks more before I shoot my mouth off :-)

> > ...
> > b) I've never been particularly interested in Shorewall as a "personal
> > firewall"; there are lots of those available and if that's what people
> > want or need then that's what they should use.
>
> What personal firewalls are available for Linux?

RH 7.3, Mandrake 8.2 and SuSE 8.x claim to include them.

> > How about forwarding Netfilter messages to a central site and using my
> > proposed "watchlog" command?
>
> I was thinking about something event-driven rather than polled.

I'd rather base such a thing on the ULOG target then.

> > I'm perfectly happy if someone who has access to those platforms wants to
> > port Shorewall. My only access to either of them is remote and non-root so
> > it's out of the question for me to do it (even if I were interested).
> > Given that Shorewall wasn't designed to be multi-platform, there would
> > need to first be a lot of structural changes to the code. If someone steps
> > forward and wants to do such a port, I will work on those structural
> > changes but not until then; those changes will slow down "start" and
> > "restart" so there's no sense in doing them without any immediate need.
>
> I agree. That's about all i was looking for for now.

Ok.

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On 2 Jun 2002 at 14:53, Tom Eastep wrote:

> > What personal firewalls are available for Linux?
>
> RH 7.3, Mandrake 8.2 and SuSE 8.x claim to include them.

The SuSE Distro contains two firewalls, and neither is very easy to set up, as the documentation is sparse. There is constant yammering about them on the Suse-Security list. The SuSE presume a vastly greater knowledge about iptables than the target audience generally has, and the frequently offered suggestion is to go to Shorewall.

And this is where the (recently maligned) QSG really shines....

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/