Shorewall announce - May 2005 - Shorewall 2.3.0

http://shorewall.net/pub/shorewall/2.3/shorewall-2.3.0
ftp://shorewall.net/pub/shorewall/2.3/shorewall-2.3.0

WARNING: This is a development release and may be unstable

New Features in version 2.3.0

1) Shorewall 2.3.0 supports the ''cmd-owner'' option of the
owner match
   facility in Netfilter. Like all owner match options,
''cmd-owner'' may
   only be applied to traffic that originates on the firewall.

   The syntax of the USER/GROUP column in the following files has been
   extended:

	/etc/shorewall/accounting
	/etc/shorewall/rules
	/etc/shorewall/tcrules
	/usr/share/shorewall/action.template

   To specify a command, prefix the command name with "+".

   Examples:

	+mozilla-bin		#The program is named "mozilla-bin"
	joe+mozilla-bin		#The program is named "mozilla-bin" and
				#is being run by user "joe"
	joe:users+mozilla-bin	#The program is named "mozilla-bin" and
				#is being run by user "joe" with
				#effective group "users".

   Note that this is not a particularly robust feature and I would
   never advertise it as a "Personal Firewall" equivalent. Using
   symbolic links, it''s easy to alias command names to be anything you
   want.

2) Support has been added for ipsets
   (see http://people.netfilter.org/kadlec/ipset/).

   THIS FEATURE REQUIRES PATCHING YOUR KERNEL AND IPTABLES.

   In most places where an host or network address may be used, you may
   also use the name of an ipset prefaced by "+".

	Example: "+Mirrors"

   The name of the set may optionally followed by:

   a) a number from 1 to 6 enclosed in square brackets ([]) -- this
   number indicates the maximum number of ipset binding levels that
   are to be matched. Depending on the context where the ipset name
   is used, either all "src" or all "dst" matches will be
used.

	Example: "+Mirrors[4]"

   b) a series of "src" and "dst" options separated by
commas and
   enclosed in square brackets ([]). These will be passed directly
   to iptables in the generated --set clause. See the ipset
   documentation for details.

	Example: "+Mirrors[src,dst,src]"

   Note that "+Mirrors[4]" used in the SOURCE column of the rules
   file is equivalent to "+Mirrors[src,src,src,src]".

   To generate a negative match, prefix the "+" with "!" as
in
   "!+Mirrors".

   Example 1: Blacklist all hosts in an ipset named "blacklist"

	   /etc/shorewall/blacklist

	   #ADDRESS/SUBNET         PROTOCOL        PORT
	   +blacklist

   Example 2: Allow SSH from all hosts in an ipset named "sshok:

	   /etc/shorewall/rules

	   #ACTION      SOURCE      DEST     PROTO    DEST PORT(S)
           ACCEPT	+sshok      fw	     tcp      22

   Shorewall can automatically manage the contents of your ipsets for
   you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf
   then:

   A) "shorewall save" will save the contents of your ipsets. The file
   where the sets are saved is formed by taking the name where the
   Shorewall configuration is stored and appending "-ipsets". So if
you
   enter the command "shorewall save standard" then your Shorewall
   configuration will be saved in /var/lib/shorewall/standard and your
   ipset contents will be saved in /var/lib/shorewall/standard-ipsets.

   B) During "shorewall [re]start", shorewall will restore the ipset
   contents from the file specified in RESTOREFILE
   (shorewall.conf). Again "-ipsets" is appended so if you have
   RESTOREFILE=standard in shorewall.conf then your ipset contents will
   be restored from /var/lib/shorewall/standard-ipsets.

   Regardless of the setting of SAVE_IPSETS, the "shorewall -f start"
   and "shorewall start" commands will restore the ipset contents
   corresponding to the Shorewall configuration restored provided that
   the saved Shorewall configuration specified exists.

   For example, "shorewall restore standard" would restore the ipset
   contents from /var/lib/shorewall/standard-ipsets provided that
   /var/lib/shorewall/standard exists and is executable and that
   /var/lib/shorewall/standard-ipsets exists and is executable.

   Ipsets are well suited for large blacklists. You can maintain your
   blacklist using the ''ipset'' utility without ever having to
restart
   or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be
   sure to "shorewall save" after altering the blacklist ipset(s).

   Example /etc/shorewall/blacklist:

   #ADDRESS/SUBNET         PROTOCOL        PORT
   +Blacklist[2]
   +Blacklistnets[2]

   Create the blacklist ipsets using:

	  ipset -N Blacklist iphash
	  ipset -N Blacklistnets nethash

   Add entries

       ipset -A Blacklist 206.124.146.177
       ipset -A Blacklistnets 206.124.146.0/24

   To allow entries for individual ports

       ipset -N SMTP portmap --from 1 --to 31
       ipset -A SMTP 25

       ipset -A Blacklist 206.124.146.177
       ipset -B Blacklist 206.124.146.177 -b SMTP

   Now only port 25 will be blocked from 206.124.146.177.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> http://shorewall.net/pub/shorewall/2.3/shorewall-2.3.0
> ftp://shorewall.net/pub/shorewall/2.3/shorewall-2.3.0
> 
> WARNING: This is a development release and may be unstable
> 
> New Features in version 2.3.0
> 
> 1) Shorewall 2.3.0 supports the ''cmd-owner'' option of the
owner match
>    facility in Netfilter. Like all owner match options,
''cmd-owner'' may
>    only be applied to traffic that originates on the firewall.
...
> 2) Support has been added for ipsets
>    (see http://people.netfilter.org/kadlec/ipset/).
> 
>    THIS FEATURE REQUIRES PATCHING YOUR KERNEL AND IPTABLES.
> 
...

As a development release requiring kernel patching, I''m not going to 
make a Mandrake/Mandriva RPM for this one.

-- 
Jack at Monkeynoodle dot Org: It''s a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!

Jack Coates wrote:
> 
> As a development release requiring kernel patching, I''m not going
to
> make a Mandrake/Mandriva RPM for this one.
> 
I wouldn''t either.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Hi,

Seeing this I would suggest Shorewall come-up with
it''s own kind of distro which later can be extended
with snort or other complement packages.

What your comment Tom?

Regards
--- Tom Eastep <teastep@shorewall.net> wrote:
> Jack Coates wrote:
> 
> > 
> > As a development release requiring kernel
> patching, I''m not going to
> > make a Mandrake/Mandriva RPM for this one.
> > 
> 
> I wouldn''t either.
> 
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a
> sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \
> https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
>
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
> 

		
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - Find what you need with new enhanced search. 
http://info.mail.yahoo.com/mail_250

mynullvoid wrote:
> Hi,
> 
> Seeing this I would suggest Shorewall come-up with
> it''s own kind of distro which later can be extended
> with snort or other complement packages.
> 
> What your comment Tom?
I have no interest in creating a new package type. The tarball works with
any distribution and the .rpm that I produce will work on Mandrake and on
Redhat/Fedora if you are careful.

Finally, I don''t see any point in making the development releases
easier for
naive users to install. I provide those releases to allow people to help
test my bleeding edge code and newbies have absolutely no business
installing those versions anyway.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key