Shorewall devel - Apr 2007 - Shorewall-3.9.2

I''ve uploaded 3.9.2.

ftp://shorewall.net/pub/shorewall/development/3.9/shorewall-3.9.2/

With 3.9.1, I tried managing the Development branch just like it was a
stable branch; patches, known_problems.txt updated with patch instructions, etc.

Given the volume of problems being found in this early code, the amount of
work that this approach generated was just too much. So I''m going to
start
issuing frequent full 3.9 releases and the known_problems.txt file will just
refer the reader to the appropriate SVN revision where the problem is fixed.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote:
> I''ve uploaded 3.9.2.
Please disregard this announcement -- it was premature.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Tuesday 17 April 2007 18:53, Tom Eastep wrote:
> Tom Eastep wrote:
> > I''ve uploaded 3.9.2.
>
> Please disregard this announcement -- it was premature.
>
> -Tom
Tom

I am putting the final touches to a patch to Chains.pm for 3.9.2. Should I 
hold off submitting for the moment.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> On Tuesday 17 April 2007 18:53, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> I''ve uploaded 3.9.2.
>> Please disregard this announcement -- it was premature.
>>
>> -Tom
> Tom
> 
> I am putting the final touches to a patch to Chains.pm for 3.9.2. Should I 
> hold off submitting for the moment.
The ''real'' 3.9.2 is now available. So please check your patch
against that
version, Steven.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Hello,

  In the documentation it is writen that Shorewall
  doesn''t support multi-network bridges.

  Is it a limitation in the kernel, in iptable or
  in Shorewall?

  Is there a plan to support it?

  Here is our problem:  Our provider route us 2
  class B and 3 class C.  We want to put a bridge
  as a frontend from our provider''s router and
  ours.

  For the moment we use FreeBSD and ipfw.  These
  are very old versions.  It supports multi-net
  bridge but we want to use a firewall on Linux
  and something that we already know as Shorewall.

  Thank you for your help.


Yves



----- Message d''origine ----- 
De : "Tom Eastep" <teastep@shorewall.net>
À : "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Envoyé : 17 avril 2007 15:18
Objet : Re: [Shorewall-users] Please Disregard Shorewall-3.9.2 announcement

> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/

--------------------------------------------------------------------------------

> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
> 


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Yves Bélanger wrote:
>   Hello,
> 
>   In the documentation it is writen that Shorewall
>   doesn''t support multi-network bridges.
> 
What document are you referring to?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

I''ve uploaded 3.9.2 (again).

ftp://shorewall.net/pub/shorewall/development/3.9/shorewall-3.9.2/

If you downloaded earlier, please check the md5 sums to be sure that you
have the correct code:

576291efa43130004f5f16c5193b1267  shorewall-3.9.2-1.noarch.rpm
9da962081651ee8002812f258171906d  shorewall-3.9.2.tar.bz2
7cc712fd031ce895f2f84255fb124af4  shorewall-3.9.2.tgz
60a60338e63dc2e643fdcaf5e040f67f  shorewall-docs-html-3.9.2.tar.bz2
aa78c4bc6eef2c4c8b6677c0b42e49cb  shorewall-docs-html-3.9.2.tgz
b1fe621dbf44cabba94cff0e24aca233  shorewall-docs-xml-3.9.2.tar.bz2
790a5e1d75d5ebe3ac9b8c7b36b00307  shorewall-docs-xml-3.9.2.tgz
e14330cd52e71d46ecb940d45732ab8f  shorewall-lite-3.9.2-1.noarch.rpm
0ffda3cb7dd41f5066828b606e593ce8  shorewall-lite-3.9.2.tar.bz2
41c5d7ed239826f8050400f49dd637bc  shorewall-lite-3.9.2.tgz
2562447ab9b439ef495cebdb05645f69  shorewall-perl-3.9.2-1.noarch.rpm
1aeef18372e8ff8b719e1e54733d7b30  shorewall-perl-3.9.2.tar.bz2
567c5db6a41f4063e50cd070e95dac77  shorewall-perl-3.9.2.tgz
250abc86c8342130f210fc53176969c4  shorewall-shell-3.9.2-1.noarch.rpm
baf716742aab0cfc45798167290a6a78  shorewall-shell-3.9.2.tar.bz2
806dad236c4db0058dae6ac7110e4743  shorewall-shell-3.9.2.tgz

With 3.9.1, I tried managing the Development branch just like it was a
stable branch; patches, known_problems.txt updated with patch instructions, etc.

Given the volume of problems being found in this early code, the amount of
work that this approach generated was just too much. So I''m going to
start
issuing frequent full 3.9 releases and the known_problems.txt file will just
refer the reader to the appropriate SVN revision where the problem is fixed.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key





-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

http://www.shorewall.net/NewBridge.html

  Sorry if I even badly read the book...

============================There are a several key differences in this setup
and a normal Shorewall configuration:

  a.. The Shorewall system (the Bridge/Firewall) has only a single IP address
even though it has two ethernet interfaces! The IP address is configured on the
bridge itself, rather than on either of the network cards.

  b.. The systems connected to the LAN are configured with the router''s
IP address (192.168.1.254 in the above diagram) as their default gateway.

  c.. traceroute doesn''t detect the Bridge/Firewall as an intermediate
router.

  d.. If the router runs a DHCP server, the hosts connected to the LAN can use
that server without having dhcrelay running on the Bridge/Firewall.

Warning
Inserting a bridge/firewall between a router and a set of local hosts only works
if those local hosts form a single IP network. In the above diagram, all of the
hosts in the loc zone are in the 192.168.1.0/24 network. If the router is
routing between several local networks through the same physical interface
(there are multiple IP networks sharing the same LAN), then inserting a
bridge/firewall between the router and the local LAN won''t work.

There are other possibilities here -- there could be a hub or switch between the
router and the Bridge/Firewall and there could be other systems connected to
that switch. All of the systems on the local side of the router would still be
configured with IP addresses in 192.168.1.0/24 as shown below.

============================
. . .                            
             . . .               
   Yves Belanger, ift.a.u.     : 
   Administrateur de systèmes  : 
                               : 
   Darius Technologies         : 
             . . .               
                                 

----- Message d''origine ----- 
De : "Tom Eastep" <teastep@shorewall.net>
À : "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Cc : <belanger@dariustech.qc.ca>
Envoyé : 17 avril 2007 15:50
Objet : Re: [Shorewall-users] Multi-network bridge



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Yves Bélanger wrote:
>  
>   http://www.shorewall.net/NewBridge.html
>  

It''s a consequence of the way that IP over LANs interacts with the
bridge.


ROUTER<-------->BRIDGE/FW<----->(hosts in 10.0.0.0/8 and in
192.168.1.0/24)

When a host in 10.0.0.0/8 sends a request to a host in 192.168.1.0/24, both
the request and the reply traverse the bridge twice, once in one direction
and once in the other. This might actually work using the new bridging
technique -- it can''t possibly work using physdev (or at least
firewalling
becomes impossible using physdev).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Tuesday 17 April 2007 21:02, Tom Eastep wrote:
> I''ve uploaded 3.9.2 (again).
Tom

Testing of 3.9.2 has shown the following problems:

If a rule specifies a source or destination port of 0 for TCP or UDP it is 
ignored.

The test for the presence of a source or destination port if the protocol is 
not specified also ignores port 0.

A patch to fix these problems is attached. The patch also adds a check for the 
presence of source or destinations ports if the protocol is not TCP, UDP or 
ICMP.

Steven



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> On Tuesday 17 April 2007 21:02, Tom Eastep wrote:
>> I''ve uploaded 3.9.2 (again).
> Tom
> 
> Testing of 3.9.2 has shown the following problems:
> 
> If a rule specifies a source or destination port of 0 for TCP or UDP it is 
> ignored.
> 
> The test for the presence of a source or destination port if the protocol
is
> not specified also ignores port 0.
> 
> A patch to fix these problems is attached. The patch also adds a check for
the
> presence of source or destinations ports if the protocol is not TCP, UDP or
> ICMP.
Thanks, Steven.

Applied.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

The following rule:

ACCEPT  $FW  lan  tcp  22  -  -  -  10/15

The following iptables rule is generated:

-A fw2lan -p tcp --dport 22  -m owner--uid-owner 10/15 -j ACCEPT

The space between owner and --uid-owner is missing.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

If the following rule is defined:

ACCEPT  $FW  lan  tcp  22  -  -  -  0

The following iptables rule is generated:

-A fw2lan -p tcp --dport 22 -j ACCEPT

The -m owner is missing.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> The following rule:
> 
> ACCEPT  $FW  lan  tcp  22  -  -  -  10/15
> 
> The following iptables rule is generated:
> 
> -A fw2lan -p tcp --dport 22  -m owner--uid-owner 10/15 -j ACCEPT
> 
> The space between owner and --uid-owner is missing.
Thanks!

Fix commited to SVN in rev 5995.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> If the following rule is defined:
> 
> ACCEPT  $FW  lan  tcp  22  -  -  -  0
> 
> The following iptables rule is generated:
> 
> -A fw2lan -p tcp --dport 22 -j ACCEPT
> 
> The -m owner is missing.
Thanks. Fix commited to SVN in rev 5996.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Wednesday 18 April 2007 16:49, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > The following rule:
> >
> > ACCEPT  $FW  lan  tcp  22  -  -  -  10/15
> >
> > The following iptables rule is generated:
> >
> > -A fw2lan -p tcp --dport 22  -m owner--uid-owner 10/15 -j ACCEPT
> >
> > The space between owner and --uid-owner is missing.
>
> Thanks!
>
> Fix commited to SVN in rev 5995.
>
> -Tom
Tom

It works now.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Wednesday 18 April 2007 16:51, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > If the following rule is defined:
> >
> > ACCEPT  $FW  lan  tcp  22  -  -  -  0
> >
> > The following iptables rule is generated:
> >
> > -A fw2lan -p tcp --dport 22 -j ACCEPT
> >
> > The -m owner is missing.
>
> Thanks. Fix commited to SVN in rev 5996.
>
> -Tom
Tom

It works now,

However the following rule:

ACCEPT  lan:192.168.0.2  $FW  udp  0  0

produces the following iptables rule:

-A lan2fw -p udp -s 192.168.0.3 -j ACCEPT

both source and destination ports are missing.

Steven.  

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Hello,

  As I said, our provider gives us 2 class B and 3 class C
  networks.

  Here is the configuration we want to have:


    +-----+       ClassB1/24         +------------+
    |     |      +-----------+       |            |
    | ISP +------+ Shorewall +-------+  Backbone  |
    |     | .1   +-----------+  .254 |   Router   |
    +-----+                          |            |
                                     +------------+
                                       ClassB1/16
                                       ClassB2/16
                                       ClassC1/24
                                       ClassC2/24
                                       ClassC3/24

  So, there are no system on both sides with the same
  subnet except for ClassB1 that is used to route
  the other subnets.

  Will it work then?

  Thank you very much.

. . .
             . . .
   Yves Belanger, ift.a.u.     :
   Administrateur de systèmes  :
                               :
   Darius Technologies         :
             . . .


----- Message d''origine ----- 
De : "Tom Eastep" <teastep@shorewall.net>
À : "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Envoyé : 17 avril 2007 16:16
Objet : Re: [Shorewall-users] Multi-network bridge

> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/

--------------------------------------------------------------------------------

> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
> 


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Yves Bélanger wrote:
>   Hello,
> 
>   As I said, our provider gives us 2 class B and 3 class C
>   networks.
> 
>   Here is the configuration we want to have:
> 
> 
>     +-----+       ClassB1/24         +------------+
>     |     |      +-----------+       |            |
>     | ISP +------+ Shorewall +-------+  Backbone  |
>     |     | .1   +-----------+  .254 |   Router   |
>     +-----+                          |            |
>                                      +------------+
>                                        ClassB1/16
>                                        ClassB2/16
>                                        ClassC1/24
>                                        ClassC2/24
>                                        ClassC3/24
> 
>   So, there are no system on both sides with the same
>   subnet except for ClassB1 that is used to route
>   the other subnets.
> 
>   Will it work then?
Yes, it should work.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

Both %dropInvalid and dropInvalid built in chains specify -j REJECT instead 
of  -j DROP.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> Both %dropInvalid and dropInvalid built in chains specify -j REJECT instead
> of  -j DROP.
> 
Thanks, Steven

Fix is in SVN rev 6005.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Just reading through this thread, it struck me that perhaps it would
be a good idea to write unit tests for Shorewall, especially with the
advent of the shorewall-perl version.  Perhaps it''d be a good idea to
specify what behavior is expected from each rule in a
machine-checkable way, so that it''s easy to verify that changes in one
area don''t affect other functions.  Test::Unit might be a good choice
for this.  I''d be interested in helping with this some after May is
over, when I''m on summer vacation.

Anyways, just a thought.  Let me know what you think.

Will

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Will Murnane wrote:
> Just reading through this thread, it struck me that perhaps it would
> be a good idea to write unit tests for Shorewall, especially with the
> advent of the shorewall-perl version.  Perhaps it''d be a good idea
to
> specify what behavior is expected from each rule in a
> machine-checkable way, so that it''s easy to verify that changes in
one
> area don''t affect other functions.
I agree, Will. I have gathered a set of configurations which I run new
versions of the compiler against (and compare the output) but my testing is
neither systematic nor complete.
> Test::Unit might be a good choice
> for this.  I''d be interested in helping with this some after May
is
> over, when I''m on summer vacation.
> 
>
I would welcome your help.

Thanks!
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

The following rule:

ACCEPT:warn  lan:~00-11-22-33-44-55  $FW  tcp  23

produces the following error:

Use of uninitialized value in concatenation (.) or string 
at /usr/share/shorewall-perl/Shorewall/Chains.pm line 857, <$currentfile> 
line 22.

I am using Chains.pm REV 6009.

Steven

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> The following rule:
> 
> ACCEPT:warn  lan:~00-11-22-33-44-55  $FW  tcp  23
> 
> produces the following error:
> 
> Use of uninitialized value in concatenation (.) or string 
> at /usr/share/shorewall-perl/Shorewall/Chains.pm line 857,
<$currentfile>
> line 22.
> 
> I am using Chains.pm REV 6009.
Fixed in REV 6010.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

The following rules:

CONTINUE  lan:192.168.0.0/24,!192.168.0.3  $FW  tcp  23
ACCEPT     lan:192.168.0.0/24			$FW  tcp  21

produces the following iptables rules:

-A lan2fw -p tcp --dport 23 -s 192.168.0.0/24 -j exc10
-A lan2fw -p tcp -dport 21 -j ACCEPT

-A exc10 -s 192.168.0.3 -j RETURN
-A exc10 -j RETURN


It appears to me that no matter what the source IP address is, the CONTINUE is 
not performed, as both iptables rules in the exc10 chain will return to the 
lan2fw chain.

The policy file contains:

fw  all  ACCEPT:
all  all  DROP  warn

The zones file contains:

fw    firewall
lan   ipv4


Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

On Wed, Apr 18, 2007 at 02:11:54PM -0700, Tom Eastep
wrote:
> Will Murnane wrote:
> > Just reading through this thread, it struck me that perhaps it would
> > be a good idea to write unit tests for Shorewall, especially with the
> > advent of the shorewall-perl version.  Perhaps it''d be a good
idea to
> > specify what behavior is expected from each rule in a
> > machine-checkable way, so that it''s easy to verify that
changes in one
> > area don''t affect other functions.
> 
> I agree, Will. I have gathered a set of configurations which I run new
> versions of the compiler against (and compare the output) but my testing is
> neither systematic nor complete.
That much at least is easily improved - at least the systematic
part. In my past experiences with writing compiler-like things, I have
found a simple automatic diff-based testing mechanism to make an
excellent first cut - it may not be as precise as unit testing, but
it''s disgustingly easy and catches a lot of regressions, for a very
small expenditure of effort compared to any other methods of
testing. Quickly hacked-together implementation attached, running
inside the shorewall-perl source tree.

Stick all your test configurations in directories named t/*.t (I''ve
included the sample one-interface configuration here), and edit
shorewall.conf to set

CONFIG_PATH=${TEST_DIR}:${TEST_ROOT}/etc

rather than the default. Then run ./run-tests in t/. The first time it
sees a directory, it''ll save compiler.pl''s output as
firewall.baseline
and firewall.conf.baseline. Otherwise, it checks that the new output
matches the baseline, and fails with a diff if it doesn''t. If the
changes are expected, simply delete the relevant baseline and run it
again.

I did a few basic hacks to ignore changes to prog.*, lib.*, and
comments. It runs independently of shorewall itself - only the perl
compiler is under test here, so everything else is replaced with
stub files located in t/sharedir and t/etc.

(I spent less than 30 minutes on this, so it''s not very pretty, but
the point of this sort of testing is minimum-effort)


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Steven Jan Springl wrote:
> Tom
> 
> The following rules:
> 
> CONTINUE  lan:192.168.0.0/24,!192.168.0.3  $FW  tcp  23
That is actually an invalid rule -- the shell compiler flags it. The
valid rule would be:

CONTINUE  lan:192.168.0.0/24!192.168.0.3  $FW  tcp  23
> ACCEPT     lan:192.168.0.0/24			$FW  tcp  21
> 
> produces the following iptables rules:
> 
> -A lan2fw -p tcp --dport 23 -s 192.168.0.0/24 -j exc10
> -A lan2fw -p tcp -dport 21 -j ACCEPT
> 
> -A exc10 -s 192.168.0.3 -j RETURN
> -A exc10 -j RETURN
> 
> 
> It appears to me that no matter what the source IP address is, the CONTINUE
is
> not performed, as both iptables rules in the exc10 chain will return to the
> lan2fw chain.
The shorewall-shell compiler generates similar code. Neither compiler
can deal with exclusion in a CONTINUE rule :-(

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Andrew Suffield wrote:
> 
> (I spent less than 30 minutes on this, so it''s not very pretty,
but
> the point of this sort of testing is minimum-effort)
> 
Unfortunately, it will take me a lot longer than than to understand it.
I''ll try to get to it this weekend...

Thanks, Andrew...
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote:
> 
> That is actually an invalid rule -- the shell compiler flags it. The
> valid rule would be:
> 
> CONTINUE  lan:192.168.0.0/24!192.168.0.3  $FW  tcp  23
> 
> The shorewall-shell compiler generates similar code. Neither compiler
> can deal with exclusion in a CONTINUE rule :-(
And without new support from iptables (-j RETURN --level n), this rule
is not possible to implement. So I''ve added logic to generate a fatal
error on CONTINUE rules with non-trivial exclusion.

Change in rev 6014.

Thanks again, Steven

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom Eastep wrote:
> 
> Change in rev 6014.
> 
And updated in 6015.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

Rule:

NONAT  lan:192.168.0.3  $FW  tcp  10

produces iptables rule:

-A lan2fw -p tcp --dport 10 -s 192.168.0.3 -j NONAT

which generates the follow error message:

couldn''t load target ''NONAT''
:/lib/iptables/libipt_NONAT.so:  ..........


Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven Jan Springl wrote:
> Tom
> 
> Rule:
> 
> NONAT  lan:192.168.0.3  $FW  tcp  10
> 
> produces iptables rule:
> 
> -A lan2fw -p tcp --dport 10 -s 192.168.0.3 -j NONAT
> 
> which generates the follow error message:
> 
> couldn''t load target ''NONAT''
:/lib/iptables/libipt_NONAT.so:  ..........
Thanks, Steven

Fixed in REV 6023

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFGJ5fAO/MAbZfjDLIRAtAaAJ9NT9+Q/etKnFvIPi4v3iwf0Eet2gCeL/R9
PYmcXCf7ueIVHx0qyL+UUuY=QxPz
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

Rule:

SAME-  all  lan:192.168.0.3  tcp  80  -  84.45.199.1

produces iptables rules:

-A PREROUTING -i eth0 -j lan_dnat
-A OUTPUT -p tcp --dport 80 -d 84.45.199.1 -j SAME 192.168.0.3
-A lan_dnat -p tcp --dport 80 -d 84.45.199.1 -j SAME 192.168.0.3

which produces the error message:

iptables: SAME target: bad hook_mask 8


Changing ''all'' to ''all-'': 

SAME-  all-  lan:192.168.0.3  tcp  80  -  84.45.199.1

produces iptables rules:

-A PREROUTING -i eth0 -j lan_dnat
-A lan_dnat -p tcp --dport 80 -d 84.45.199.1 -j SAME 192.168.0.3

which does not produce any errors.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

Rule:

ACCEPT  none  $FW  icmp  8

produces error message:

ERROR: Unknown source zone (none) : .....

The problem also occurs if ''none'' is entered in the
''destination'' column.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

Rule:

ACCEPT  lan:192.168.0.3  $FW  tcp:syn  22

produces error message:

ERROR: SOURCE/DEST PORT(S) not allowed with PROTO tcp:syn

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven Jan Springl wrote:
> Tom
> 
> Rule:
> 
> ACCEPT  lan:192.168.0.3  $FW  tcp:syn  22
> 
> produces error message:
> 
> ERROR: SOURCE/DEST PORT(S) not allowed with PROTO tcp:syn
Fixed in rev 6024.

Thanks,
- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFGJ9vEO/MAbZfjDLIRAmKGAJ4/gE0L3qWO9G5UoG4sQDeSVFutUQCfcfV1
Kf9+4RxIgYXx4mkRKAkaj6c=TF4v
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven Jan Springl wrote:
> Tom
> 
> Rule:
> 
> SAME-  all  lan:192.168.0.3  tcp  80  -  84.45.199.1
> 
> produces iptables rules:
> 
> -A PREROUTING -i eth0 -j lan_dnat
> -A OUTPUT -p tcp --dport 80 -d 84.45.199.1 -j SAME 192.168.0.3
> -A lan_dnat -p tcp --dport 80 -d 84.45.199.1 -j SAME 192.168.0.3
> 
> which produces the error message:
> 
> iptables: SAME target: bad hook_mask 8
I''ve made this a Shorewall error rather than letting iptables-restore
catch it.

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFGJ9vuO/MAbZfjDLIRAimfAJ416Zkb0NgFluCvehNrJSOTRcVsLACght3t
rrLnGrhsQAkE06rSMBb9Azs=YioY
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven Jan Springl wrote:
> Tom
> 
> Rule:
> 
> ACCEPT  none  $FW  icmp  8
> 
> produces error message:
> 
> ERROR: Unknown source zone (none) : .....
> 
> The problem also occurs if ''none'' is entered in the
''destination'' column.
>
Fixed in 6025.

Thanks,
- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFGJ94pO/MAbZfjDLIRAudnAKCFYrgUyUBPYAEWgzNcP9BwTW/tqwCfULeu
oOqiWZiZbFS4ej5FgD6Z8uQ=F6zh
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

The following reserved zone names can be defined:

all      ipv4
none  ipv4

then you can define rules such as:

ACCEPT  lan  all:!192.168.0.3  icmp  8

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven Jan Springl wrote:
> Tom
> 
> The following reserved zone names can be defined:
> 
> all      ipv4
> none  ipv4
> 
> then you can define rules such as:
> 
> ACCEPT  lan  all:!192.168.0.3  icmp  8
>
Thanks, Steven.

Fixed in REV 6035

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFGKMrxO/MAbZfjDLIRAstEAKDD7n7QvCMQ7O8TwL85pnKdh7m6awCeIzE2
z30ADxKNWBQuSFxe32z4v1A=Uyuo
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

If zones contains (no firewall zone):

fw   ipv4
lan  ipv4

and rules contains:

ACCEPT  all                     lan   tcp  80
ACCEPT  lan:192.168.0.3  $FW  tcp  22

produces the following error messages:

Use of uninitialized value in string eq 
at /usr/share/shorewall-perl/Shorewall/Rules.pm line 946, <$currentfile>
line
1.

Use of uninitialized value in string eq 
at /usr/share/shorewall-perl/Shorewall/Rules.pm line 949, <$currentfile>
line
1.

Use of uninitialized value in string eq 
at /usr/share/shorewall-perl/Shorewall/Rules.pm line 946, <$currentfile>
line
1.

Use of uninitialized value in string eq 
at /usr/share/shorewall-perl/Shorewall/Rules.pm line 949, <$currentfile>
line
1.

   ERROR: Unknown destination zone (tcp) : /etc/shorewall/rules ( line 2 )

Rules.pm is rev 6034.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven Jan Springl wrote:
> Tom
> 
> If zones contains (no firewall zone):
> 
> fw   ipv4
> lan  ipv4
> 
> and rules contains:
> 
> ACCEPT  all                     lan   tcp  80
> ACCEPT  lan:192.168.0.3  $FW  tcp  22
> 
> produces the following error messages:
> 
> Use of uninitialized value in string eq 
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 946,
<$currentfile> line
> 1.
> 
> Use of uninitialized value in string eq 
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 949,
<$currentfile> line
> 1.
> 
> Use of uninitialized value in string eq 
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 946,
<$currentfile> line
> 1.
> 
> Use of uninitialized value in string eq 
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 949,
<$currentfile> line
> 1.
> 
>    ERROR: Unknown destination zone (tcp) : /etc/shorewall/rules ( line 2 )
Fixed in REV 6036.

Thanks, Steven

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFGKNUmO/MAbZfjDLIRAtDVAKCq6JwumD5T/TBIwB9LO5KCjOgNZACgoDXX
qBQewjef6jkWe0OvGpbUua8=UtIC
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Tom

Zones:

fw      firewall
fwln    ipv4

and rules:

ACCEPT  all  lan  tcp  80

produces the following error messages:

Use of uninitialized value in string ne 
at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1192, <$currentfile> 
line 1.

   ERROR: Unknown destination zone (lan) : /etc/shorewall/rules ( line 1 )

Rules.pm is rev 6034.

Steven.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven Jan Springl wrote:
> Tom
> 
> Zones:
> 
> fw      firewall
> fwln    ipv4
> 
> and rules:
> 
> ACCEPT  all  lan  tcp  80
> 
> produces the following error messages:
> 
> Use of uninitialized value in string ne 
> at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1192,
<$currentfile>
> line 1.
> 
>    ERROR: Unknown destination zone (lan) : /etc/shorewall/rules ( line 1 )
> 
> Rules.pm is rev 6034.
Thanks, Steven

Fixed in REV 6037.

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFGKO6mO/MAbZfjDLIRAkpoAJ4uTW+bO7WrZpHSKObICf5FAjvLHgCff+p4
xc2ftIQMek1TzMRJDZnsFCI=ju2O
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/