Beta 1 is now available for testing.

New features include:

1) Entries in the rules file (both Shorewall and Shorewall6) may now
   contain zone lists in the SOURCE and DEST column. A zone list is a
   comma-separated list of zone names where each name appears in the
   zones file. A zone list may be optionally followed by a plus sign
   ("+") to indicate that the rule should apply to intra-zone traffic
   as well as to inter-zone traffic.

   Zone lists behave like 'all' and 'any' with respect to Optimization 1.
   If the rule matches the applicable policy for a given (source zone,
   dest zone), then the rule will be suppressed for that pair of zones
   unless overridden by the '!' suffix on the target in the ACTION
   column (e.g., ACCEPT!, DROP!:info, etc.).

   Additionally, 'any', 'all' and zone lists may be qualified in the
   same way as a single zone. Examples:

       fw,dmz:90.90.191.120/29
       all:+blacklist

   The 'all' and 'any' keywords now support exclusion in the form of a
   comma-separated list of excluded zones. Examples:

       all!fw          (same as all-).
       any+!dmz,loc    (All zones except 'dmz' and 'loc' and include
                        intra-zone rules).

2) An IPSEC column has been added to the accounting file, allowing you
   to segregate IPSEC traffic from non-IPSEC traffic. See 'man
   shorewall-accounting' (man shorewall6-accounting) for details.

   With this change, there are now three trees of accounting chains:

   - The one rooted in the 'accounting' chain.

   - The one rooted in the 'accipsecin' chain. This tree handles traffic
     that has been decrypted on the firewall. Rules in this tree cannot
     specify an interface name in the DEST column.

   - The one rooted in the 'accipsecout' chain. This tree handles
     traffic that will be encrypted on the firewall. Rules in this tree
     cannot specify an interface name in the SOURCE column.

   In reality, when there are bridges defined in the configuration,
   there is a fourth tree rooted in the 'accountout' chain. That chain
   handles traffic that originates on the firewall (both IPSEC and
   non-IPSEC).

   This change also implements a couple of new warnings:

   - WARNING: Adding rule to unreferenced accounting chain <name>

     The first reference to user-defined accounting chain <name> is not
     a JUMP or COUNT from an already-defined chain.

   - WARNING: Accounting chain <name> has no references

     The named chain contains accounting rules but no JUMP or COUNT
     specifies that chain as the target.

Thank you for testing,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Sell apps to millions through the Intel(R) Atom(Tm) Developer Program
Be part of this innovative community and reach millions of netbook users
worldwide. Take advantage of special opportunities to increase revenue and
speed time-to-market. Join now, and jumpstart your future.
http://p.sf.net/sfu/intel-atom-d2d
Tom

Using my test config that works with Shorewall 4.4.12, issuing a
shorewall start produces the following error:

    Optimizing Ruleset...
    ERROR: Internal error in Shorewall::Chains::delete_jumps at /usr/share/shorewall/Shorewall/Chains.pm line 1088

If you need any further details, please let me know.

Steven.
On 8/23/10 12:53 PM, Steven Jan Springl wrote:
> Tom
>
> Using my test config that works with Shorewall 4.4.12,
> issuing a shorewall start produces the following error:
>
> Optimizing Ruleset...
> ERROR: Internal error in Shorewall::Chains::delete_jumps
> at /usr/share/shorewall/Shorewall/Chains.pm line 1088
>
> If you need any further details, please let me know.

Probably the best thing is to tar up your config along with a
capabilities file and send it to me personally.

Thanks, Steven
-Tom
On 8/23/10 1:14 PM, Tom Eastep wrote:
> On 8/23/10 12:53 PM, Steven Jan Springl wrote:
>> Tom
>>
>> Using my test config that works with Shorewall 4.4.12,
>> issuing a shorewall start produces the following error:
>>
>> Optimizing Ruleset...
>> ERROR: Internal error in Shorewall::Chains::delete_jumps
>> at /usr/share/shorewall/Shorewall/Chains.pm line 1088
>>
>> If you need any further details, please let me know.
>
> Probably the best thing is to tar up your config along with a
> capabilities file and send it to me personally.

Please give 160ad231df0f84739a3b15b00f420c2f6c7847e8 a try.

I added an assertion in 4.4.13 Beta 1 and it caught a couple of existing
bugs.

-Tom
On Monday 23 August 2010 23:16:18 Tom Eastep wrote:
> On 8/23/10 1:14 PM, Tom Eastep wrote:
> > On 8/23/10 12:53 PM, Steven Jan Springl wrote:
> >> Tom
> >>
> >> Using my test config that works with Shorewall 4.4.12,
> >> issuing a shorewall start produces the following error:
> >>
> >> Optimizing Ruleset...
> >> ERROR: Internal error in Shorewall::Chains::delete_jumps
> >> at /usr/share/shorewall/Shorewall/Chains.pm line 1088
> >>
> >> If you need any further details, please let me know.
> >
> > Probably the best thing is to tar up your config along with a
> > capabilities file and send it to me personally.
>
> Please give 160ad231df0f84739a3b15b00f420c2f6c7847e8 a try.
>
> I added an assertion in 4.4.13 Beta 1 and it caught a couple of existing
> bugs.
>
> -Tom

Tom

That's fixed it. Thanks.

Steven.
Tom

The attached config contains just 2 rules.
The first rule correctly generates the following iptables rules:

    -A fw2dmz -p tcp -m tcp --dport 23 -j ACCEPT
    -A lan2dmz -p tcp -m tcp --dport 23 -j ACCEPT

However, the second rule generates the following iptables rules:

    -A dmz2dmz -p tcp -m tcp --dport 25 -j ACCEPT
    -A dmz2dmz -j ACCEPT

Is this correct?

Steven.
On 8/23/10 4:08 PM, Steven Jan Springl wrote:
> Tom
>
> The attached config contains just 2 rules.
> The first rule correctly generates the following iptables rules:
>
> -A fw2dmz -p tcp -m tcp --dport 23 -j ACCEPT
> -A lan2dmz -p tcp -m tcp --dport 23 -j ACCEPT
>
> However, the second rule generates the following iptables rules:
>
> -A dmz2dmz -p tcp -m tcp --dport 25 -j ACCEPT
> -A dmz2dmz -j ACCEPT
>
> Is this correct?

The second iptables rule is generated by the implicit dmz->dmz ACCEPT
policy. However, your second rule should have generated no iptables
rules since you specified 'all' rather than 'all+'.

I'll take a look.

Thanks, Steven
-Tom
On 8/23/10 4:18 PM, Tom Eastep wrote:
> On 8/23/10 4:08 PM, Steven Jan Springl wrote:
>> Tom
>>
>> The attached config contains just 2 rules.
>> The first rule correctly generates the following iptables rules:
>>
>> -A fw2dmz -p tcp -m tcp --dport 23 -j ACCEPT
>> -A lan2dmz -p tcp -m tcp --dport 23 -j ACCEPT
>>
>> However, the second rule generates the following iptables rules:
>>
>> -A dmz2dmz -p tcp -m tcp --dport 25 -j ACCEPT
>> -A dmz2dmz -j ACCEPT
>>
>> Is this correct?
>
> The second iptables rule is generated by the implicit dmz->dmz ACCEPT
> policy. However, your second rule should have generated no iptables
> rules since you specified 'all' rather than 'all+'.
>
> I'll take a look.

Commit d74af30368026d4c6c0647bde93e6e35f019bd73 correctly suppresses
intra-zone rule generation when exclusion results in a single zone.

Thanks again, Steven.

-Tom
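The zone-list, exclusion and "+" syntax from the Beta 1 announcement, together with the 'all' versus 'all+' case reported above, worked through as an added example (constructed for this thread, not Shorewall's own code): a small parser for the SOURCE/DEST column and the expansion into zone pairs with both suppressions the announcement describes. The zone table, the policies and the treatment of 'any' as identical to 'all' are assumptions.

```python
import re

# Constructed zone table (assumption): three zones; the firewall zone is "fw".
ZONES = ["fw", "lan", "dmz"]
FW_ZONE = "fw"

def parse_zone_spec(spec, zones=ZONES):
    """Parse one SOURCE/DEST entry -> (zones, is_wildcard, wants_intra, qualifier).
    Accepts zone, zone1,zone2, all, any, all-, all+, all!z1,z2, any+!z, each with
    an optional ':qualifier' (address, interface, ipset) passed through unparsed.
    'any' is treated exactly like 'all' (assumption made for this example)."""
    zone_part, _, qualifier = spec.partition(":")
    m = re.fullmatch(r"(all|any|[\w,]+?)([+-]?)(?:!([\w,]+))?", zone_part)
    if not m:
        raise ValueError(f"bad zone spec: {spec!r}")
    names, suffix, excl = m.groups()
    wildcard = names in ("all", "any") or "," in names
    if names in ("all", "any"):
        selected = set(zones) - ({FW_ZONE} if suffix == "-" else set())
    else:
        selected = set(names.split(","))
    excluded = set(excl.split(",")) if excl else set()
    unknown = (selected | excluded) - set(zones)
    if unknown:
        raise ValueError(f"unknown zone(s): {sorted(unknown)}")
    return selected - excluded, wildcard, suffix == "+", qualifier or None

def expand_rule(action, source, dest, policies):
    """Return the sorted (source zone, dest zone) pairs a rule is emitted for:
    a wildcard (all/any/list) without '+' contributes no intra-zone pair, and a
    pair whose policy equals the action is dropped unless ACTION ends in '!'."""
    src, src_wild, src_plus, _ = parse_zone_spec(source)
    dst, dst_wild, dst_plus, _ = parse_zone_spec(dest)
    target = action.split(":")[0]            # drop a log level such as ':info'
    force = target.endswith("!")
    target = target.rstrip("!")
    pairs = []
    for s in sorted(src):
        for d in sorted(dst):
            if s == d and ((src_wild and not src_plus) or (dst_wild and not dst_plus)):
                continue                     # intra-zone traffic not requested
            if not force and policies.get((s, d)) == target:
                continue                     # would only duplicate the policy
            pairs.append((s, d))
    return pairs

# Constructed policies (assumption) modelling the report: dmz already reaches fw
# and lan by policy, so "ACCEPT dmz all" adds nothing and "all+" adds dmz->dmz.
POLICIES = {("dmz", "fw"): "ACCEPT", ("dmz", "lan"): "ACCEPT"}
```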
On Tuesday 24 August 2010 00:33:51 Tom Eastep wrote:
> On 8/23/10 4:18 PM, Tom Eastep wrote:
> > On 8/23/10 4:08 PM, Steven Jan Springl wrote:
> >> Tom
> >>
> >> The attached config contains just 2 rules.
> >> The first rule correctly generates the following iptables rules:
> >>
> >> -A fw2dmz -p tcp -m tcp --dport 23 -j ACCEPT
> >> -A lan2dmz -p tcp -m tcp --dport 23 -j ACCEPT
> >>
> >> However, the second rule generates the following iptables rules:
> >>
> >> -A dmz2dmz -p tcp -m tcp --dport 25 -j ACCEPT
> >> -A dmz2dmz -j ACCEPT
> >>
> >> Is this correct?
> >
> > The second iptables rule is generated by the implicit dmz->dmz ACCEPT
> > policy. However, your second rule should have generated no iptables
> > rules since you specified 'all' rather than 'all+'.
> >
> > I'll take a look.
>
> Commit d74af30368026d4c6c0647bde93e6e35f019bd73 correctly suppresses
> intra-zone rule generation when exclusion results in a single zone.
>

Tom

Thank you.

Steven.
On 8/23/10 4:53 PM, Steven Jan Springl wrote:
> On Tuesday 24 August 2010 00:33:51 Tom Eastep wrote:
>> On 8/23/10 4:18 PM, Tom Eastep wrote:
>>> On 8/23/10 4:08 PM, Steven Jan Springl wrote:
>>>> Tom
>>>>
>>>> The attached config contains just 2 rules.
>>>> The first rule correctly generates the following iptables rules:
>>>>
>>>> -A fw2dmz -p tcp -m tcp --dport 23 -j ACCEPT
>>>> -A lan2dmz -p tcp -m tcp --dport 23 -j ACCEPT
>>>>
>>>> However, the second rule generates the following iptables rules:
>>>>
>>>> -A dmz2dmz -p tcp -m tcp --dport 25 -j ACCEPT
>>>> -A dmz2dmz -j ACCEPT
>>>>
>>>> Is this correct?
>>>
>>> The second iptables rule is generated by the implicit dmz->dmz ACCEPT
>>> policy. However, your second rule should have generated no iptables
>>> rules since you specified 'all' rather than 'all+'.
>>>
>>> I'll take a look.
>>
>> Commit d74af30368026d4c6c0647bde93e6e35f019bd73 correctly suppresses
>> intra-zone rule generation when exclusion results in a single zone.
>>
>
> Tom
>
> Thank you.

Unfortunately, that change caused zone lists to lose their wildcard
properties. Fixed by 383e7928079d5a8f93d2f9c4ce85c042e39d7a94.

-Tom
Tom

With rule entry:

    ACCEPT dmz:eth1,lan all

and interface entry:

    dmz eth1

Shorewall produces the following message:

    ERROR: Unknow Interface (eth1,fw)

If the interface entry is changed to:

    dmz eth+

then Shorewall accepts it.

If the interface entry is changed to:

    dmz eth+ - optional

then the following message is produced:

    /var/lib/shorewall/.restart: line 1562: SW_ETH1,FW_IS_USABLE=: command not found

Steven.
On 8/24/10 12:58 PM, Steven Jan Springl wrote:
> Tom
>
> With rule entry:
>
> ACCEPT dmz:eth1,lan all
>
> and interface entry:
>
> dmz eth1
>
> Shorewall produces the following message:
>
> ERROR: Unknow Interface (eth1,fw)

Which is appropriate. The correct syntax is dmz,lan:eth1.

> If the interface entry is changed to:
>
> dmz eth+
>
> then Shorewall accepts it.
>
> If the interface entry is changed to:
>
> dmz eth+ - optional
>
> then the following message is produced:
>
> /var/lib/shorewall/.restart: line 1562: SW_ETH1,FW_IS_USABLE=: command not
> found

That's not good.

-Tom