Shorewall 4.3.5 is now available for testing.

New Features in Shorewall 4.3.5

1) The Shorewall packaging has been completely revamped in Shorewall 4.4.
   The new packages are:

   - Shorewall. Includes the former Shorewall-common and Shorewall-perl
     packages. Includes everything needed to create an IPv4 firewall.

   - Shorewall6. Requires Shorewall. Adds the components necessary to
     create an IPv6 firewall.

   - Shorewall-lite. May be installed on a firewall system to run IPv4
     firewall scripts generated by Shorewall.

   - Shorewall6-lite. May be installed on a firewall system to run IPv6
     firewall scripts generated by Shorewall.

2) The interfaces file supports a new 'nets=' option. This option allows
   users to restrict a zone's definition to particular networks through an
   interface without having to use the hosts file.

   Example interfaces file:

   #ZONE   INTERFACE   BROADCAST   OPTIONS
   loc     eth3        detect      dhcp,logmartians=1,routefilter=1,nets=172.20.1.0/24
   dmz     eth4        detect      logmartians=1,routefilter=1,nets=206.124.146.177
   net     eth0        detect      dhcp,blacklist,tcpflags,optional,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
   net     eth2        detect      dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
   loc     tun+        detect      nets=172.20.0.0/24
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

   Note that when more than one network address is listed, the list must
   be enclosed in parentheses. Notice also that exclusion may be used.

   The first entry in the above interfaces file is equivalent to the
   following:

   interfaces:

   #ZONE   INTERFACE   BROADCAST   OPTIONS
   -       eth0        detect      dhcp,logmartians=1,routefilter=1

   hosts:

   #ZONE   HOST(S)                  OPTIONS
   loc     $INT_IF:192.20.1.0/24    broadcast

   Note that the 'broadcast' option is automatically assumed and need not
   be explicitly specified.

3) Some websites run applications that require multiple connections from
   a client browser. Where multiple 'balanced' providers are configured,
   this can lead to problems when some of the connections are routed
   through one provider and some through another.

   To work around this issue, the SAME target has been added to
   /etc/shorewall/tcrules. SAME may be used in the PREROUTING and OUTPUT
   chains.

   When used in PREROUTING, it causes matching connections from an
   individual local system to all use the same provider. For example:

   SAME:P   192.168.1.0/24   -   tcp   80,443

   If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or 443
   and it has sent a packet on either of those ports in the last five
   minutes, then the new connection will use the same provider as the
   connection over which that last packet was sent.

   When used in the OUTPUT chain, it causes all matching connections to an
   individual remote system to all use the same provider. For example:

   SAME   $FW   -   tcp   80,443

   If the firewall attempts a connection on TCP port 80 or 443 and it has
   sent a packet on either of those ports in the last five minutes to the
   same remote system, then the new connection will use the same provider
   as the connection over which that last packet was sent.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
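The nets= expansion described in point 2 of the announcement, as an added Python example that is not part of Tom's post or of Shorewall's own code. It parses interfaces-file entries (including the parenthesised list and the '!' form shown above) and, for a plain list of networks, emits the equivalent interfaces and hosts entries that the announcement writes out by hand. Two assumptions are this example's own: a leading '!' inside the parentheses negates the whole list, and the hosts entry uses the interface name where the announcement used the $INT_IF variable.

```python
"""Added example (not Shorewall's own code): decode the nets= option of a
Shorewall interfaces-file entry and, for a plain list of networks, produce the
equivalent interfaces + hosts entries that the announcement writes by hand.

Assumptions of this example: a leading '!' negates the whole list, and the
hosts entry uses the interface name where the announcement used $INT_IF.
"""
from typing import Dict, List, Optional

# Constructed sample: the interfaces file from the announcement.
SAMPLE_INTERFACES = """\
#ZONE INTERFACE BROADCAST OPTIONS
loc eth3 detect dhcp,logmartians=1,routefilter=1,nets=172.20.1.0/24
dmz eth4 detect logmartians=1,routefilter=1,nets=206.124.146.177
net eth0 detect dhcp,blacklist,tcpflags,optional,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
net eth2 detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
loc tun+ detect nets=172.20.0.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""


def split_options(options: str) -> List[str]:
    """Split the OPTIONS column on commas, except commas inside a
    parenthesised list such as nets=(a,b), which belong to one option."""
    parts: List[str] = []
    cur: List[str] = []
    depth = 0
    for ch in options:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in options: " + options)
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if depth != 0:
        raise ValueError("unbalanced '(' in options: " + options)
    parts.append("".join(cur))
    return [p for p in parts if p]


def parse_nets(value: str) -> Dict[str, object]:
    """Decode the value after nets=. More than one network must be enclosed in
    parentheses; a leading '!' marks the list as an exclusion (assumption: the
    zone is then every host on the interface except the listed networks)."""
    if value.startswith("("):
        if not value.endswith(")"):
            raise ValueError("missing ')' in nets=" + value)
        body = value[1:-1]
    else:
        if "," in value:
            raise ValueError("a list of networks must be parenthesised: nets=" + value)
        body = value
    exclude = body.startswith("!")
    if exclude:
        body = body[1:]
    networks = [n.strip() for n in body.split(",") if n.strip()]
    if not networks:
        raise ValueError("empty nets= list")
    return {"networks": networks, "exclude": exclude}


def parse_interface_entry(line: str) -> Dict[str, object]:
    """Split one interfaces-file entry into ZONE, INTERFACE, BROADCAST and
    OPTIONS, with nets= pulled out of OPTIONS and decoded."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("an interfaces entry needs at least ZONE and INTERFACE")
    zone, iface = fields[0], fields[1]
    broadcast = fields[2] if len(fields) > 2 else "-"
    raw_opts = fields[3] if len(fields) > 3 and fields[3] != "-" else ""
    nets: Optional[Dict[str, object]] = None
    other: List[str] = []
    for opt in split_options(raw_opts):
        if opt.startswith("nets="):
            nets = parse_nets(opt[len("nets="):])
        else:
            other.append(opt)
    return {"zone": zone, "interface": iface, "broadcast": broadcast,
            "options": other, "nets": nets}


def to_hosts_equivalent(line: str) -> Optional[Dict[str, str]]:
    """For an entry with a plain nets= list, return the equivalent pair: an
    interfaces line with ZONE '-' and nets= removed, plus a hosts line carrying
    the networks ('broadcast' written out, as the announcement does). None when
    there is no nets= or the list is an exclusion, which the hosts-file form
    shown on the page does not cover."""
    entry = parse_interface_entry(line)
    nets = entry["nets"]
    if nets is None or nets["exclude"]:
        return None
    opts = ",".join(entry["options"]) or "-"
    return {
        "interfaces": f"- {entry['interface']} {entry['broadcast']} {opts}",
        "hosts": f"{entry['zone']} {entry['interface']}:{','.join(nets['networks'])} broadcast",
    }


def convert_file(text: str) -> List[Dict[str, str]]:
    """Run to_hosts_equivalent over every non-comment line of a file."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        eq = to_hosts_equivalent(line)
        if eq is not None:
            out.append(eq)
    return out


if __name__ == "__main__":
    for eq in convert_file(SAMPLE_INTERFACES):
        print(eq["interfaces"], "  <->  ", eq["hosts"])
```

Running it over the announcement's file converts the three plain-list entries (eth3, eth4, tun+) and skips the two 'net' entries, whose '!' lists have no single-line hosts equivalent on the page. The comma-aware splitter is the part worth keeping: a naive split on ',' would break nets=(a,b) into a nets= option and a stray "b" option, which is exactly why the announcement requires the parentheses.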
On Wed, Feb 25, 2009 at 01:23:17PM -0800, Tom Eastep wrote:
> Shorewall 4.3.5 is now available for testing.
>
> New Features in Shorewall 4.3.5
>
> 1) The Shorewall packaging has been completely revamped in Shorewall
> 4.4.

So is it 4.3.5 or 4.4?

--
Len Sorensen
Lennart Sorensen wrote:
> On Wed, Feb 25, 2009 at 01:23:17PM -0800, Tom Eastep wrote:
>> Shorewall 4.3.5 is now available for testing.
>>
>> New Features in Shorewall 4.3.5
>>
>> 1) The Shorewall packaging has been completely revamped in Shorewall
>> 4.4.
>
> So is it 4.3.5 or 4.4?
>

It is 4.3.5, which will be released as 4.4 later this year. So the
documentation refers to 4.4 so I don't have to do a mass change to make
the final release.

-Tom
--
Tom Eastep, Shoreline, Washington, USA
http://shorewall.net
Tom

When /etc/shorewall/notrack contains the following:

lan:eth0   eth0:192.168.0.42   udp   999   1234

the shorewall compiler rejects it.

However, if the following exclusion is specified:

lan:eth0   eth0:!192.168.0.42   udp   999   1234

the shorewall compiler allows it, but the following invalid iptables rule
is generated (two -d parameters):

-A lan_notrk -p 17 --dport 999 --sport 1234 -i eth0 -d 192.168.0.5 -d ! 192.168.0.42 -j NOTRACK

Steven.
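A check for the defect Steven reports, as an added Python example that is not part of this thread or of Shorewall's own code: a lint that reads generated iptables rules and flags any single-use match option (-d, -s, -i, -p, -j and their long forms) that appears more than once, which is what iptables rejects in the quoted NOTRACK rule. The "corrected" sample rule in the block is a constructed illustration of a single negated destination match and is not output from any Shorewall release; what the extra "-d 192.168.0.5" in the original rule came from is not stated in the report, so the example does not try to reproduce the compiler.

```python
"""Added example (not Shorewall's own code): a lint for generated iptables
rules that reports a single-use match option appearing more than once, the
defect (two -d parameters) in the notrack rule quoted in this report.
The second SAMPLE_RULES entry is a constructed illustration of one negated
destination match, not the output of any Shorewall release."""
import shlex
from typing import Dict, List, Tuple

# Matches iptables accepts at most once per rule.  Negation may be written
# '-d ! addr' (the older form seen in the report) or '! -d addr'; in both the
# option token itself appears exactly once, so counting tokens finds repeats.
SINGLE_USE = {"-s", "--source", "-d", "--destination",
              "-i", "--in-interface", "-o", "--out-interface",
              "-p", "--protocol", "-j", "--jump"}

# Constructed sample input: the rule from the report and a corrected form.
SAMPLE_RULES = [
    "-A lan_notrk -p 17 --dport 999 --sport 1234 -i eth0 -d 192.168.0.5 -d ! 192.168.0.42 -j NOTRACK",
    "-A lan_notrk -p 17 --dport 999 --sport 1234 -i eth0 ! -d 192.168.0.42 -j NOTRACK",
]


def duplicated_options(rule: str) -> List[str]:
    """Return, sorted, the single-use options that occur more than once
    in one rule.  shlex.split keeps quoted arguments together, so a quoted
    value that happens to contain '-d' is not miscounted."""
    counts: Dict[str, int] = {}
    for tok in shlex.split(rule):
        if tok in SINGLE_USE:
            counts[tok] = counts.get(tok, 0) + 1
    return sorted(opt for opt, n in counts.items() if n > 1)


def lint_rules(rules: List[str]) -> List[Tuple[str, List[str]]]:
    """Pair each offending rule with the options it repeats; clean rules
    are omitted, so an empty list means the whole set passed."""
    findings: List[Tuple[str, List[str]]] = []
    for rule in rules:
        dups = duplicated_options(rule)
        if dups:
            findings.append((rule, dups))
    return findings


if __name__ == "__main__":
    for rule, dups in lint_rules(SAMPLE_RULES):
        print("repeated", ",".join(dups), "in:", rule)
```

Feeding the lint a saved ruleset (one rule per line, as produced by iptables-save or by a compiled firewall script) catches this class of compiler bug before the rules are loaded, rather than leaving it to iptables to refuse the rule at start-up.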
Steven Jan Springl wrote:
> Tom
>
> When /etc/shorewall/notrack contains the following:
>
> lan:eth0 eth0:192.168.0.42 udp 999 1234
>
> the shorewall compiler rejects it.
>
> However if the following exclusion is specified:
>
> lan:eth0 eth0:!192.168.0.42 udp 999 1234
>
> the shorewall compiler allows it, but the following invalid iptables rule is
> generated ( two -d parameters):
>
> -A lan_notrk -p 17 --dport 999 --sport 1234 -i eth0 -d 192.168.0.5 -d !
> 192.168.0.42 -j NOTRACK

Fixed in r9548.

-Tom
--
Tom Eastep, Shoreline, Washington, USA
http://shorewall.net