Shorewall 4.3.7 is available for testing.

----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 3 . 7
----------------------------------------------------------------------------

1) Klemens Rutz reported a problem that affects all Shorewall-perl 4.2 and
   4.3 versions. The problem:

   a) Only occurs when there is more than one non-firewall zone.

   b) Results in the following interface options not being applied to
      forwarded traffic.

          blacklist
          dhcp
          maclist (when MACLIST_TABLE=filter)
          norfc1918
          nosmurfs
          tcpflags

2) Matt LaPlante reported a problem whereby a valid DNAT- rule was badly
   mis-handled. The rule:

       DNAT-   loc   net:1.2.3.4:2525   tcp   25

   The result:

       WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules (line 459)
       Can't call method "inet_htoa" without a package or object reference at
       /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150, <$currentfile> line 459.

3) Previously, OPTIONS were not allowed with a bridge port in
   /etc/shorewall/interfaces. That oversight has been corrected and now the
   following OPTIONS are allowed:

          blacklist
          maclist
          norfc1918
          nosmurfs
          routeback
          tcpflags

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 3 . 7
----------------------------------------------------------------------------

1) The file /var/lib/shorewall/.restore has been renamed to
   /var/lib/shorewall/firewall. A similar change has been made in Shorewall6.
   When a successful start or restart is completed, the script that executed
   the command copies itself to /var/lib/shorewall[6]/firewall.

2) Dynamic zone support is once again available for IPv4. This support is
   built on top of ipsets so you must have installed the xtables-addons.
   Dynamic zones are available when Shorewall-lite is used as well.
   Note that the dynamic zone support built into Shorewall provides no
   additional functionality over what is provided by simply defining a zone
   in terms of an ipset (see http://www1.shorewall.net/ipsets.html#Dynamic).

   You define a zone as having dynamic content in one of two ways:

   - By specifying nets=dynamic in the OPTIONS column of an entry for the
     zone in /etc/shorewall/interfaces; or

   - By specifying <interface>:dynamic in the HOST(S) column of an entry
     for the zone in /etc/shorewall/hosts.

   When there are any dynamic zones present in your configuration, Shorewall
   (Shorewall-lite) will:

   a) Execute the following commands during 'shorewall start' or
      'shorewall-lite start'.

          ipset -U :all: :all:
          ipset -U :all: :default:
          ipset -F
          ipset -X
          ipset -R < ${VARDIR}/ipsets.save

      where $VARDIR normally contains /var/lib/shorewall
      (/var/lib/shorewall-lite) but may be modified by /etc/shorewall/vardir
      (/etc/shorewall-lite/vardir).

   b) During 'start', 'restart' and 'restore' processing, Shorewall will
      then attempt to create an ipset named <zone>_<interface> for each
      zone/interface pair that has been specified as dynamic. The type of
      ipset created is 'iphash' so that only individual IPv4 addresses may
      be added to the set.

   c) Execute the following commands during 'shorewall stop' or
      'shorewall-lite stop':

          if ipset -S > ${VARDIR}/ipsets.tmp; then
              mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
          fi

   The 'shorewall add' and 'shorewall delete' commands are supported with
   their original syntax:

       add <interface>[:<host-list>] ... <zone>
       delete <interface>[:<host-list>] ... <zone>

   In addition, the 'show dynamic' command is added that lists the dynamic
   content of a zone.

       show dynamic <zone>

   These commands are supported by shorewall-lite as well.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom

Shorewall rule:

    ACCEPT lan:!192.168.20.1 fw tcp 999

generates iptables rule:

    -A lan2fw -p 6 --dport 999 -s ! 192.168.20.1 -j ACCEPT

With iptables 1.4.3.1 the following information message is produced:

    Using intrapositioned negation (`--option ! this`) is deprecated in
    favour of extrapositioned (`! --option this`).

Note: This does not cause shorewall start to fail.

Changing the iptables rule to:

    -A lan2fw -p 6 --dport 999 ! -s 192.168.20.1 -j ACCEPT

resolves the issue.

The message is also produced when exclusion is used in the DEST or ORIGINAL
DEST columns.

The new rule format works with iptables 1.3.6 (debian etch). I don't have
anything older than this to try it on.

The same message is produced with shorewall6 when exclusion is used.

Note: there is a bug in iptables-save and ip6tables-save 1.4.3.1, rules are
saved in the deprecated format. The netfilter team have released a patch for
this.

Steven.
Steven Jan Springl wrote:
> Note: there is a bug in iptables-save and ip6tables-save 1.4.3.1, rules are
> saved in the deprecated format. The netfilter team have released a patch for
> this.

Thanks, Steven. I saw the patch on netfilter-devel this morning and assumed
that I had another task for the weekend :-)

-Tom
Tom

I have been doing some further testing of exclusion and I believe I have found
another iptables bug.

If you have the time, could you try a shorewall rule similar to the following:

    DNAT lan wan:1.2.3.4:2525 tcp 25 - !4.3.2.2

After issuing a shorewall start, /var/lib/shorewall/.iptables-restore-input
should contain the correct rules in the nat and filter tables for the above
rule.

If you issue an iptables-save, it should show the nat table with the correct
rule, but the entry in the filter table will be missing the "!".

If you can recreate this bug, I will report it to the netfilter team.

Steven.
Steven Jan Springl wrote:
> Tom
>
> I have been doing some further testing of exclusion and I believe I have found
> another iptables bug.
>
> If you have the time, could you try a shorewall rule similar to the following:
>
>     DNAT lan wan:1.2.3.4:2525 tcp 25 - !4.3.2.2
>
> After issuing a shorewall start, /var/lib/shorewall/.iptables-restore-input
> should contain the correct rules in the nat and filter tables for the above
> rule.
>
> If you issue an iptables-save, it should show the nat table with the correct
> rule, but the entry in the filter table will be missing the "!".
>
> If you can recreate this bug, I will report it to the netfilter team.

I've also reproduced the problem with iptables 1.4.2.

-Tom

> Steven.
>
> _______________________________________________
> Shorewall-devel mailing list
> Shorewall-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-devel
On Saturday 04 April 2009 20:41:19 Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > I have been doing some further testing of exclusion and I believe I have
> > found another iptables bug.
> >
> > If you have the time, could you try a shorewall rule similar to the
> > following:
> >
> >     DNAT lan wan:1.2.3.4:2525 tcp 25 - !4.3.2.2
> >
> > After issuing a shorewall start,
> > /var/lib/shorewall/.iptables-restore-input should contain the correct
> > rules in the nat and filter tables for the above rule.
> >
> > If you issue an iptables-save, it should show the nat table with the
> > correct rule, but the entry in the filter table will be missing the "!".
> >
> > If you can recreate this bug, I will report it to the netfilter team.
>
> I've also reproduced the problem with iptables 1.4.2.

Tom

Thanks, I have reported the bug.

Steven.
Tom

The netfilter team have released a patch for this issue. I have applied it and
it seems to fix the bug.

Steven.
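Both iptables problems raised in this thread (the deprecation warning for intrapositioned negation in Steven's first message, and iptables-save dropping the "!" from the filter-table rule in the DNAT exchange) are visible in plain rule text, so they can be checked mechanically. The script below is an added example written for this page; it is not code from Shorewall, from netfilter, or from anyone in the thread. It defines a `normalize_negation` filter that rewrites `-s ! 1.2.3.4` into `! -s 1.2.3.4`, and a `lost_negations` check that compares the rules handed to iptables-restore with what iptables-save reports and names every chain whose saved rules contain fewer "!" than were loaded. The two sample rule sets it writes are constructed for the example and only approximate what Shorewall's `.iptables-restore-input` would contain for `DNAT lan wan:1.2.3.4:2525 tcp 25 - !4.3.2.2`; the chain names `lan_dnat` and `lan2wan` are assumed, not taken from the thread.

```shell
#!/bin/sh
# Added example, not Shorewall's or netfilter's code: two checks on iptables
# rule text, driven by the problems reported in this thread.
#
#  1. normalize_negation - rewrite deprecated intrapositioned negation
#                          ("-s ! 1.2.3.4") into the extrapositioned form
#                          ("! -s 1.2.3.4") that iptables 1.4.3.1 wants.
#  2. lost_negations     - compare the rules fed to iptables-restore with what
#                          iptables-save reports, and name every chain whose
#                          saved rules carry fewer "!" than were loaded (the
#                          symptom of the iptables-save bug in the thread).
#
# The sample rule sets below are constructed for this example; they only
# approximate Shorewall's real restore input and are not copied from it.

# Move "!" in front of the option it negates: "<opt> ! <value>" -> "! <opt> <value>".
# Covers short options (-s, -d, -i, -o, -p) and long ones (--dport, --sport, ...).
# Rules that already use the extrapositioned form pass through unchanged.
normalize_negation() {
    sed -E 's/(^|[[:space:]])(-[A-Za-z]|--[A-Za-z0-9-]+)[[:space:]]+![[:space:]]+/\1! \2 /g'
}

# Count standalone "!" tokens per table/chain in file $1 (as loaded) and file
# $2 (as saved); print "table chain loaded=N saved=M" for chains that lost some.
# Assumes $1 is non-empty (the usual awk two-file FNR==NR idiom).
lost_negations() {
    awk '
        /^\*/ { table = substr($0, 2); next }      # "*nat", "*filter"
        /^-A / {
            n = 0
            for (i = 1; i <= NF; i++) if ($i == "!") n++
            key = table " " $2                     # $2 is the chain name
            if (FNR == NR) {
                loaded[key] += n
            } else {
                saved[key] += n
            }
        }
        END {
            for (k in loaded)
                if ((saved[k] + 0) < loaded[k])
                    print k, "loaded=" loaded[k], "saved=" (saved[k] + 0)
        }
    ' "$1" "$2" | sort
}

# Constructed sample for "DNAT lan wan:1.2.3.4:2525 tcp 25 - !4.3.2.2".
# $1/restore-input: what the firewall script would feed to iptables-restore
#   (extrapositioned "!" in both tables).
# $1/iptables-save.out: imitates buggy iptables-save 1.4.3.1 output; the nat
#   rule keeps its "!" (written in the deprecated intrapositioned form), the
#   filter rule has lost it entirely.
write_samples() {
    cat > "$1/restore-input" <<'EOF'
*nat
:lan_dnat - [0:0]
-A lan_dnat -p 6 --dport 25 ! -s 4.3.2.2 -j DNAT --to-destination 1.2.3.4:2525
COMMIT
*filter
:lan2wan - [0:0]
-A lan2wan -p 6 -d 1.2.3.4 --dport 2525 ! -s 4.3.2.2 -j ACCEPT
COMMIT
EOF
    cat > "$1/iptables-save.out" <<'EOF'
*nat
:lan_dnat - [0:0]
-A lan_dnat -s ! 4.3.2.2 -p tcp -m tcp --dport 25 -j DNAT --to-destination 1.2.3.4:2525
COMMIT
*filter
:lan2wan - [0:0]
-A lan2wan -s 4.3.2.2 -d 1.2.3.4/32 -p tcp -m tcp --dport 2525 -j ACCEPT
COMMIT
EOF
}

main() {
    tmp=$(mktemp -d) || exit 1
    write_samples "$tmp"
    echo "# chains whose saved rules lost a negation:"
    lost_negations "$tmp/restore-input" "$tmp/iptables-save.out"
    echo "# iptables-save output rewritten to extrapositioned negation:"
    normalize_negation < "$tmp/iptables-save.out"
    rm -rf "$tmp"
}

main "$@"
```

The `lost_negations` check matters more than the cosmetic warning: a filter rule that was written as "accept everything except 4.3.2.2" and comes back from iptables-save as `-s 4.3.2.2 ... -j ACCEPT` has inverted its meaning, so anyone who round-trips rules through iptables-save/iptables-restore (for example with a distribution's save-on-shutdown script) should count negations on both sides before trusting the saved copy.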
Tom

Shorewall rule:

    NONAT lan:eth0 :1.1.1.1 udp 555

produces the following message:

    Argument "FIREWALL" isn't numeric in numeric eq (==) at
    /usr/share/shorewall/Shorewall/Rules.pm line 1397, <$currentfile> line 26.

Steven.