Beta 4 is now available for testing. Changes in this version include:

Problems Corrected:

1) Previously, when a device number was explicitly specified in
   /etc/shorewall/tcdevices, all unused numbers less than the one
   specified were unavailable for allocation to following entries that
   did not specify a number. Now, the compiler selects the lowest
   unallocated number when no device number is explicitly allocated.

2) Problem in Beta 3 that resulted in these failures:

     ERROR: Internal error in Shorewall::Chains::new_chain at /usr/share/shorewall/Shorewall/Chains.pm line 1200

     Use of uninitialized value in numeric gt (>) at /usr/share/shorewall/Shorewall/Chains.pm line 814.
     ERROR: Internal error in Shorewall::Chains::decrement_reference_count at /usr/share/shorewall/Shorewall/Chains.pm line 814

New Features:

1) There are audited versions of the standard Default Actions named ADrop
   and AReject. Note that these audit everything that they do, so you will
   probably want to make your own copies and modify them to only audit the
   packets that you care about.

2) Significant work has been done toward unifying the sources for
   /sbin/shorewall and /sbin/shorewall6. This work should be transparent
   to users, so please report any issues that you find with either program.

3) Shorewall and Shorewall6 no longer have a dependence on 'make'.

4) Up to this release, the behaviors of 'start -f' and 'restart -f' have
   been inconsistent. The 'start -f' command compares the modification
   times of /etc/shorewall[6] with /var/lib/shorewall[6]/restore, while
   'restart -f' compares with /var/lib/shorewall[6]/firewall. To make the
   two consistent, a new LEGACY_FASTSTART option has been added. The
   default value when the option isn't specified is LEGACY_FASTSTART=Yes,
   which preserves the old behavior. When LEGACY_FASTSTART=No, 'start -f'
   and 'restart -f' compare with /var/lib/shorewall[6]/firewall.

5) A '-c' (compile) option has been added to the 'restart' command in both
   Shorewall and Shorewall6. It overrides the setting of AUTOMAKE and
   unconditionally forces a recompilation of the configuration. When both
   -c and -f are specified, the result is determined by the option that
   appears last.

Thank you for testing,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security. With the
market-leading solution for virtual backup and recovery, you get blazing-fast,
flexible, and affordable data protection. Download your free trial now.
http://p.sf.net/sfu/quest-d2dcopy1
Tom

When the accounting file contains:

  SECTION PREROUTING
  ACCOUNT(net2lan,192.168.0.0/24)

the following message is produced:

  ERROR: Unknown accounting chain (accountpre) : /etc/shorewallA/accounting (line 14)

If the SECTION is changed to POSTROUTING the following message is produced:

  ERROR: Unknown accounting chain (accountpost) : /etc/shorewallA/accounting (line 14)

Steven.
On 5/24/11 12:41 PM, Steven Jan Springl wrote:
> When the accounting file contains:
>
>   SECTION PREROUTING
>   ACCOUNT(net2lan,192.168.0.0/24)
>
> the following message is produced:
>
>   ERROR: Unknown accounting chain (accountpre) : /etc/shorewallA/accounting (line 14)
>
> If the SECTION is changed to POSTROUTING the following message is produced:
>
>   ERROR: Unknown accounting chain (accountpost) : /etc/shorewallA/accounting (line 14)

Steven,

This should fix you up.

-Tom
On Tuesday 24 May 2011 21:42:25 Tom Eastep wrote:
> On 5/24/11 12:41 PM, Steven Jan Springl wrote:
> > When the accounting file contains:
> >
> >   SECTION PREROUTING
> >   ACCOUNT(net2lan,192.168.0.0/24)
> >
> > the following message is produced:
> >
> >   ERROR: Unknown accounting chain (accountpre) : /etc/shorewallA/accounting (line 14)
> >
> > If the SECTION is changed to POSTROUTING the following message is produced:
> >
> >   ERROR: Unknown accounting chain (accountpost) : /etc/shorewallA/accounting (line 14)
>
> Steven,
>
> This should fix you up.
>
> -Tom

Tom

Confirmed, that's fixed it. Thanks.

Steven.
On 5/24/11 2:18 PM, Steven Jan Springl wrote:
> Confirmed, that's fixed it. Thanks.

Thanks, Steven

If you are interested, there is an undocumented FAKE_AUDIT option in
shorewall.conf. If you set FAKE_AUDIT=Yes, you can test the AUDIT feature
without AUDIT_TARGET support in your iptables and kernel.

-Tom
> Thank you for testing,
> -Tom
>

I have just noticed that on all my blacklst and blackout jumps (in net2fw,
fw2net etc) I have this (using fw2net as an example, but it is the same for
net2fw etc):

  0     0 blackout   all  --  *      *       0.0.0.0/0    0.0.0.0/0    ctstate INVALID,NEW

This wasn't there before, I don't think! I looked at .start and the statement
which creates this is as follows:

  -A fw2net -m conntrack --ctstate NEW,INVALID -j blackout

Is this something recently introduced or have I messed things up somehow?
On 5/26/11 4:08 PM, Mr Dash Four wrote:
>
>> Thank you for testing,
>> -Tom
>>
> I have just noticed that on all my blacklst and blackout jumps (in
> net2fw, fw2net etc) I have this (using fw2net as an example, but it is
> the same for net2fw etc):
>
>   0     0 blackout   all  --  *      *       0.0.0.0/0    0.0.0.0/0    ctstate INVALID,NEW
>
> This wasn't there before, I don't think! I looked at .start and the
> statement which creates this is as follows:
>
>   -A fw2net -m conntrack --ctstate NEW,INVALID -j blackout
>
> Is this something recently introduced or have I messed things up somehow?

It was added when I added the in and out options to the blacklist file.

-Tom
> It was added when I added the in and out options to the blacklist file.
>

This is strange, because on two of my machines I did check (they have
4.4.19.4 installed) I do not have this! I only have it on the test harness and
one other machine on the dmz, so what could be wrong then?
On 5/26/11 4:24 PM, Mr Dash Four wrote:
>
>> It was added when I added the in and out options to the blacklist file.
>>
> This is strange, because on two of my machines I did check (they have
> 4.4.19.4 installed) I do not have this! I only have it on the test
> harness and one other machine on the dmz, so what could be wrong then?

You must be blacklisting 'out' traffic on the test machine.

-Tom
> You must be blacklisting 'out' traffic on the test machine.
>

Solved! This is what testing shorewall will get you - I have been testing the
A* actions and didn't want to bother myself with the blacklists, so I
commented out everything (my blacklist is practically empty as everything is
commented out), so I presume that is what causes it.
> Solved! This is what testing shorewall will get you - I have been
> testing the A* actions and didn't want to bother myself with the
> blacklists, so I commented out everything (my blacklist is practically
> empty as everything is commented out), so I presume that is what
> causes it.

Forgot to add - all new, internal A* actions work as expected (I also applied
the accounting patch), though I have designed (and customised) my own version,
which will be used when I build shorewall - in a similar fashion as I do with
the init script.
On 5/26/11 4:34 PM, Mr Dash Four wrote:
>
>> Solved! This is what testing shorewall will get you - I have been
>> testing the A* actions and didn't want to bother myself with the
>> blacklists, so I commented out everything (my blacklist is practically
>> empty as everything is commented out), so I presume that is what
>> causes it.
> Forgot to add - all new, internal A* actions work as expected (I also
> applied the accounting patch), though I have designed (and customised)
> my own version, which will be used when I build shorewall - in a similar
> fashion as I do with the init script.

Thanks. In Beta 5, the A* actions and macros will be named A_* (per your
request).

-Tom
> You must be blacklisting 'out' traffic on the test machine.
>

So, is this "ctstate INVALID,NEW" supposed to appear when I have 'out' traffic
blocked? Because I have this now in my blacklist:

  +whitelist - - whitelist,src,dst
  +test - - src,dst

and I am still getting the same thing - "ctstate INVALID,NEW"!

Also, when I have A_AUDIT/A_DROP (the new jumps) involved in the Drop and
Reject actions, the comments in those two chains are assumed from the first
use of these (AAllowICMPTypes and Auth from the default Drop and Reject
actions in my case), so I think you need to remove these as they are
misleading.
On 5/26/11 4:49 PM, Mr Dash Four wrote:
>
>> You must be blacklisting 'out' traffic on the test machine.
>>
> So, is this "ctstate INVALID,NEW" supposed to appear when I have 'out'
> traffic blocked? Because I have this now in my blacklist:
>
>   +whitelist - - whitelist,src,dst
>   +test - - src,dst
>
> and I am still getting the same thing - "ctstate INVALID,NEW"!

Right -- you have BLACKLISTNEWONLY=No, correct?

> Also, when I have A_AUDIT/A_DROP (the new jumps) involved in the Drop
> and Reject actions the comments in those two chains are assumed from the
> first use of these (AAllowICMPTypes and Auth from the default Drop and
> Reject actions in my case), so I think you need to remove these as they
> are misleading.

Yep.

-Tom
> Thanks.
>
> In Beta 5, the A* actions and macros will be named A_* (per your request).
>

Thanks, it is a bank holiday here this coming Monday, so I have planned a
major "test-and-upgrade" work on most of my machines, so I'll have plenty of
time to test things out.
> Right -- you have BLACKLISTNEWONLY=No, correct?
>

Nope, it is set to "Yes" - just checked.
On 5/26/11 4:54 PM, Mr Dash Four wrote:
>
>> Thanks.
>>
>> In Beta 5, the A* actions and macros will be named A_* (per your request).
>>
> Thanks, it is a bank holiday here this coming Monday, so I have planned
> a major "test-and-upgrade" work on most of my machines, so I'll have
> plenty of time to test things out.

Okay -- I'll try to get Beta 5 released tomorrow.

-Tom
On 5/26/11 4:57 PM, Mr Dash Four wrote:
>
>> Right -- you have BLACKLISTNEWONLY=No, correct?
>>
> Nope, it is set to "Yes" - just checked.

Sorry -- I had it backwards.

-Tom
> Sorry -- I had it backwards.
>

Ha, so that is what causes it then! Why the INVALID state as well though, why
not just "NEW"?
On 5/26/11 5:02 PM, Mr Dash Four wrote:
>
>> Sorry -- I had it backwards.
>>
> Ha, so that is what causes it then! Why the INVALID state as well
> though, why not just "NEW"?

So that crooks sending forged packets don't bypass your blacklist.

-Tom
> So that crooks sending forged packets don't bypass your blacklist.
>

Right, good thinking! I just read the man page for that option - this must
have been left unchecked since I first started using shorewall, because I am
going to set it as Yes - blacklisting to me makes sense on new connections
only, otherwise it will slow things down, particularly on low-end machines
(and I have plenty of those knocking around). Thanks for that!
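Tom's point about INVALID above, as an added example that is not part of the thread and not Shorewall or iptables code: a Python model of the blacklist jump `-m conntrack --ctstate NEW,INVALID -j blackout` next to a hypothetical NEW-only variant, run over a constructed conntrack table and blacklist (203.0.113.7, 198.51.100.20 and 192.168.0.10 are constructed sample addresses), showing that the NEW-only rule lets a forged packet belonging to no tracked connection skip the blacklist chain.

```python
"""Model of the Shorewall blacklist jump with BLACKLISTNEWONLY=Yes.

Added example, not Shorewall or iptables code.  Conntrack classification
is deliberately simplified: a packet on a tracked flow is ESTABLISHED, a
TCP SYN without ACK is NEW, and anything else (for example an ACK that
belongs to no tracked connection) is INVALID.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool  # TCP SYN flag set
    ack: bool  # TCP ACK flag set


def ctstate(pkt: Packet, conntrack: set) -> str:
    """Classify pkt the way the conntrack match would (simplified model)."""
    if frozenset((pkt.src, pkt.dst)) in conntrack:
        return "ESTABLISHED"
    if pkt.syn and not pkt.ack:
        return "NEW"
    return "INVALID"


def verdict(pkt: Packet, conntrack: set, blacklist: set, states: set) -> str:
    """Verdict of a zone chain whose first rule is
    `-m conntrack --ctstate <states> -j blackout`.

    The blackout chain drops packets from blacklisted sources.  A packet
    that is not sent there, or is not blacklisted, falls through to the
    rest of the chain, represented here by ACCEPT."""
    if ctstate(pkt, conntrack) in states and pkt.src in blacklist:
        return "DROP"
    return "ACCEPT"


# Constructed sample data: one blacklisted host, one tracked flow.
BLACKLIST = {"203.0.113.7"}
CONNTRACK = {frozenset(("192.168.0.10", "198.51.100.20"))}

SYN_FROM_BAD = Packet("203.0.113.7", "192.168.0.10", syn=True, ack=False)
FORGED_ACK = Packet("203.0.113.7", "192.168.0.10", syn=False, ack=True)
GOOD_REPLY = Packet("198.51.100.20", "192.168.0.10", syn=False, ack=True)

NEW_ONLY = {"NEW"}                 # hypothetical weaker rule
NEW_AND_INVALID = {"NEW", "INVALID"}  # what Shorewall generates


def compare() -> dict:
    """Verdict per packet as (NEW only, NEW+INVALID)."""
    return {
        name: (verdict(p, CONNTRACK, BLACKLIST, NEW_ONLY),
               verdict(p, CONNTRACK, BLACKLIST, NEW_AND_INVALID))
        for name, p in (("syn_from_bad", SYN_FROM_BAD),
                        ("forged_ack", FORGED_ACK),
                        ("good_reply", GOOD_REPLY))
    }


if __name__ == "__main__":
    for name, (new_only, both) in compare().items():
        print(f"{name:12s} NEW only: {new_only:6s} NEW,INVALID: {both}")
```

The forged ACK from the blacklisted host is ACCEPTed by the NEW-only rule and DROPped by the NEW,INVALID rule; the legitimate SYN is dropped by both and the established reply is touched by neither.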