Shorewall devel - Mar 2009 - Shorewall 4.3.7

Shorewall 4.3.7 is available for testing.

----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 3 . 7
----------------------------------------------------------------------------

1)  Klemens Rutz reported a problem that affects all Shorewall-perl 4.2
    and 4.3 versions.

    The problem:

    a) Only occurs when there are more than one non-firewall zone.
    b) Results in the following interface options not being applied to
      forwarded traffic.

        blacklist
        dhcp
        maclist (when MACLIST_TABLE=filter)
        norfc1918
        nosmurfs
        tcpflags

2)  Matt LaPlante reported a problem whereby a valid DNAT- rule was
    badly mis-handled.

    The rule:

       DNAT-    loc     net:1.2.3.4:2525        tcp     25

    The result:

     WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules
     (line 459)
     Can''t call method "inet_htoa" without a package or
object reference
       at /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150,
      <$currentfile> line 459.

3)  Previously, OPTIONS were not allowed with a bridge port in
    /etc/shorewall/interfaces. That oversight has been corrected and
    now the following OPTIONS are allowed:

        blacklist
        maclist
        norfc1918
        nosmurfs
        routeback
        tcpflags

----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 3 . 7
----------------------------------------------------------------------------

1)  The file /var/lib/shorewall/.restore has been renamed to
    /var/lib/shorewall/firewall. A similar change has been made in
    Shorewall6.

    When a successful start or restart is completed, the script that
    executed the command copies itself to to
    /var/lib/shorewall[6/firewall.

2)  Dynamic zone support is once again available for IPv4. This support
    is built on top of ipsets so you must have installed the
    xtable-addons.

    Dynamic zones are available when Shorewall-lite is used as well.

    Note that the dynamic zone support built into Shorewall provides no
    additional functionality over what is provided by simply defining a
    zone in terms of an ipset (see
    http://www1.shorewall.net/ipsets.html#Dynamic).

    You define a zone as having dynamic content in one of two ways:

    - By specifying nets=dynamic in the OPTIONS column of an entry for
      the zone in /etc/shorewall/interfaces; or

    - By specifying <interface>:dynamic in the HOST(S) column of an
      entry for the zone in /etc/shorewall/hosts.

    When there are any dynamic zones present in your configuration,
    Shorewall (Shorewall-lite) will:

    a) Execute the following commands during ''shorewall start''
or
    ''shorewall-lite start''.

           ipset -U :all: :all:
           ipset -U :all: :default:
           ipset -F
           ipset -X
           ipset -R < ${VARDIR}/ipsets.save

       where $VARDIR normally contains /var/lib/shorewall
       (/var/lib/shorewall-lite) but may be modified by
       /etc/shorewall/vardir (/etc/shorewall-lite/vardir).

    b) During ''start'', ''restart'' and
''restore'' processing, Shorewall
       will then attempt to create an ipset named <zone>_<interface>
       for each zone/interface pair that has been specified as
       dynamic. The type of ipset created is ''iphash'' so that
only
       individual IPv4 addresses may be added to the set.

    c) Execute the following commands during ''shorewall stop''
or
       ''shorewall-lite stop'':

           if ipset -S > ${VARDIR}/ipsets.tmp; then
              mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
           fi

    The ''shorewall add'' and ''shorewall
delete'' commands are supported
    with their original syntax:

           add <interface>[:<host-list>] ... <zone>

           delete <interface>[:<host-list>] ... <zone>

    In addition, the ''show dynamic'' command is added that
lists the
    dynamic content of a zone.

            show dynamic <zone>

    These commands are supported by shorewall-lite as well.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
easily build your RIAs with Flex Builder, the Eclipse(TM)based development
software that enables intelligent coding and step-through debugging.
Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com

Tom

Shorewall rule:

ACCEPT  lan:!192.168.20.1  fw  tcp 999

generates iptables rule:

-A  lan2fw  -p 6  --dport 999  -s ! 192.168.20.1  -j ACCEPT

with iptables 1.4.3.1 the following information message is produced:

Using intrapositioned negation (`--option ! this`) is deprecated in favour of 
extrapositioned (`! --option this`).

Note: This does not cause shorewall start to fail.

Changing the iptables rule to:

-A  lan2fw  -p 6  --dport 999  ! -s 192.168.20.1  -j ACCEPT

resolves the issue.

The message is also produced when exclusion is used in the DEST or ORIGINAL 
DEST columns.

The new rule format works with iptables 1.3.6. (debian etch).
I don''t have anything older than this to try it on.

The same message is produced with shorewall6 when exclusion is used.

Note: there is a bug in iptables-save and ip6tables-save 1.4.3.1, rules are 
saved in the deprecated format. The netfilter team have released a patch for 
this.

Steven.   

------------------------------------------------------------------------------

Steven Jan Springl wrote:
> 
> Note: there is a bug in iptables-save and ip6tables-save 1.4.3.1, rules are
> saved in the deprecated format. The netfilter team have released a patch
for
> this.
Thanks, Steven.

I saw the patch on netfilter-devel this morning and assumed that I had
another task for the weekend :-)

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------

Tom

I have doing some further testing of exclusion and I believe I found another 
iptables bug.

If you have the time, could try a shorewall rule similar to the following:

DNAT  lan  wan:1.2.3.4:2525  tcp  25  -  !4.3.2.2

After issuing a shorewall start, /var/lib/shorewall/.iptables-restore-input 
should contain the correct rules in the nat and filter tables for the above 
rule.

If you issue an iptables-save, it should show the nat table with the correct 
rule, but the entry in the filter table will be missing the "!".

If you can recreate this bug, I will report it to the netfilter team.

Steven.

------------------------------------------------------------------------------

Steven Jan Springl wrote:
> Tom
> 
> I have doing some further testing of exclusion and I believe I found
another
> iptables bug.
> 
> If you have the time, could try a shorewall rule similar to the following:
> 
> DNAT  lan  wan:1.2.3.4:2525  tcp  25  -  !4.3.2.2
> 
> After issuing a shorewall start, /var/lib/shorewall/.iptables-restore-input
> should contain the correct rules in the nat and filter tables for the above
> rule.
> 
> If you issue an iptables-save, it should show the nat table with the
correct
> rule, but the entry in the filter table will be missing the "!".
> 
> If you can recreate this bug, I will report it to the netfilter team.
I''ve also reproduced the problem with iptables 1.4.2.

-Tom
>
> Steven.
>
>
------------------------------------------------------------------------------
> _______________________________________________
> Shorewall-devel mailing list
> Shorewall-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-devel

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------

On Saturday 04 April 2009 20:41:19 Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > I have doing some further testing of exclusion and I believe I found
> > another iptables bug.
> >
> > If you have the time, could try a shorewall rule similar to the
> > following:
> >
> > DNAT  lan  wan:1.2.3.4:2525  tcp  25  -  !4.3.2.2
> >
> > After issuing a shorewall start,
> > /var/lib/shorewall/.iptables-restore-input should contain the correct
> > rules in the nat and filter tables for the above rule.
> >
> > If you issue an iptables-save, it should show the nat table with the
> > correct rule, but the entry in the filter table will be missing the
"!".
> >
> > If you can recreate this bug, I will report it to the netfilter team.
>
> I''ve also reproduced the problem with iptables 1.4.2.
>
Tom

Thanks, I have reported the bug.

Steven.

------------------------------------------------------------------------------

Tom

The netfilter team have released a patch for this issue. I have applied it and 
it seems to fix the bug.

Steven.

------------------------------------------------------------------------------

Tom

Shorewall rule:

NONAT  lan:eth0  :1.1.1.1  udp  555

produces the following message:

Argument "FIREWALL" isn''t numeric in numeric eq (==) 
at /usr/share/shorewall/Shorewall/Rules.pm line 1397, <$currentfile> line
26.

Steven.



------------------------------------------------------------------------------