RC 1 is now available for testing.

Problems corrected:

1) The obsolete PKTTYPE option has been removed from shorewall.conf and the associated manpage.

2) The iptables 1.4.11 release produces an error when negative numbers are specified for IPMARK mask values. Shorewall now converts such numbers to their 32-bit hex equivalent.

3) Previously, before /etc/shorewall6/params was processed, the IPv4 Shorewall libraries (/usr/share/shorewall/lib.*) were loaded rather than the IPv6 versions (/usr/share/shorewall6/lib.*). Now, the correct libraries are loaded.

Note the change of keywords (filter->sfilter and FILTER->SFILTER) in this item from Beta 5.

4) Network developers have discovered an exploit that allows hosts to poke holes in a firewall. The known ways to protect against the exploit are:

   a) rt_filter (Shorewall's routefilter). Only applicable to IPv4 and can't be used with some multi-ISP configurations.

   b) Insert a DROP rule that prevents hairpinning (routeback). The rule must be inserted before any ESTABLISHED,RELATED firewall rules. This approach is not appropriate for bridges and other cases, where the 'routeback' option is specified or implied.

   For non-routeback interfaces, Shorewall and Shorewall6 will insert a hairpin rule, provided that the routefilter option is not specified. The rule will dispose of hairpins according to the setting of two new options in shorewall.conf and shorewall6.conf:

   SFILTER_LOG_LEVEL
      Specifies the logging level; default is 'info'. To omit logging, specify FILTER_LOG_LEVEL=none.

   SFILTER_DISPOSITION
      Specifies the disposition. Default is DROP and the possible values are DROP, A_DROP, REJECT and A_REJECT.

   To deal with bridges and other routeback interfaces, there is now an 'sfilter' option in /shorewall/interfaces and /etc/shorewall6/interfaces. The value of the 'sfilter' option is a list of network addresses enclosed in parentheses. Where only a single address is listed, the parentheses may be omitted.
   When a packet from a source-filtered address is received on the interface, it is disposed of based on the new SFILTER_ options described above.

   For a bridge or other routeback interface, you should list all of your other local networks (those networks not attached to the bridge) in the bridge's sfilter list.

   Example:

      My DMZ is 2001:470:b:227::40/124
      My local interface (br1) is a bridge.

      In /etc/shorewall6/interfaces, I have:

      #ZONE   INTERFACE   BROADCAST   OPTIONS
      loc     br1         -           sfilter=2001:470:b:227::40/124

New Features:

1) The Shorewall and Shorewall6 configuration files (including the samples) are now annotated with documentation from the associated manpage. The installers for these two packages support a -p (plain) option that installs unannotated versions of the packages. Both versions are available in the configfiles directory within the tarball.

Thank you for testing,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
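As an added illustration (not Shorewall's own code, which is Perl), the following Python models the sfilter semantics described in the announcement: it parses interfaces entries in the layout shown above, including the parenthesised multi-network form, and decides a packet's fate from its ingress interface, its source address and SFILTER_DISPOSITION. The sample entries, the eth1 interface, the 2001:db8:1::/64 prefix and the "CONTINUE" label are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample in the /etc/shorewall6/interfaces layout shown above
# (ZONE INTERFACE BROADCAST OPTIONS); the 2001:db8:1::/64 prefix is made up.
INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     br1         -           routeback,sfilter=(2001:470:b:227::40/124,2001:db8:1::/64)
dmz     eth1        -           sfilter=2001:db8:1::/64
"""

# Values SFILTER_DISPOSITION may take according to the release notes.
VALID_DISPOSITIONS = {"DROP", "A_DROP", "REJECT", "A_REJECT"}

def parse_sfilter(interfaces_text):
    """Return {interface: [networks]} from each entry's sfilter= option.
    The list is parenthesised and comma separated; the parentheses may be
    omitted when only one network is listed."""
    result = {}
    for line in interfaces_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        iface, options = fields[1], fields[3]
        # OPTIONS is comma separated, but the sfilter list itself contains
        # commas, so match the parenthesised form before the bare form.
        m = re.search(r"sfilter=(?:\(([^)]*)\)|([^,]+))", options)
        if not m:
            continue
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        result[iface] = [ipaddress.ip_network(n.strip(), strict=False)
                         for n in raw.split(",") if n.strip()]
    return result

def dispose(sfilter_map, in_iface, src, disposition="DROP"):
    """Fate of a packet received on in_iface with source address src.
    A source inside the interface's sfilter list gets SFILTER_DISPOSITION;
    "CONTINUE" is this example's label (not a Shorewall keyword) for
    "not matched, evaluate the remaining rules"."""
    if disposition not in VALID_DISPOSITIONS:
        raise ValueError("bad SFILTER_DISPOSITION: %s" % disposition)
    addr = ipaddress.ip_address(src)
    for net in sfilter_map.get(in_iface, []):
        if addr.version == net.version and addr in net:
            return disposition
    return "CONTINUE"
```

With the sample above, a packet arriving on br1 claiming a DMZ source (2001:470:b:227::42) is disposed of as spoofed, while the same address arriving on eth1, which has no such entry, falls through to the remaining rules.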
Tom

AUDIT needs to be added to %builtin_target in Chains.pm to prevent AUDIT being allowed in the ACTION column of the accounting file.

Steven.
On Tuesday 31 May 2011 23:14:46 Steven Jan Springl wrote:
> Tom
>
> AUDIT needs to be added to %builtin_target in Chains.pm to prevent AUDIT
> being allowed in the ACTION column of the accounting file.
>
> Steven.

Tom

DNETMAP also needs to be added.

Steven.
On 05/31/2011 03:36 PM, Steven Jan Springl wrote:
> On Tuesday 31 May 2011 23:14:46 Steven Jan Springl wrote:
>> AUDIT needs to be added to %builtin_target in Chains.pm to prevent AUDIT
>> being allowed in the ACTION column of the accounting file.
> DNETMAP also needs to be added.

Thanks, Steven

I've added both.

-Tom
On 05/31/2011 02:06 AM, Tom Eastep wrote:
> RC 1 is now available for testing.

Seems like the Samples6/zones file needs correcting again. The previous patch I sent corrects the issue.

Thanks
Togan
On 05/31/2011 11:49 PM, Togan Muftuoglu wrote:
> On 05/31/2011 02:06 AM, Tom Eastep wrote:
>> RC 1 is now available for testing.
>
> Seems like the Samples6/zones file needs correcting again. The previous
> patch I sent corrects the issue.

Applied and pushed.

Thanks,
-Tom
On 05/30/2011 05:06 PM, Tom Eastep wrote:

The release notes state that:

> h) There are audited versions of the standard Default Actions named ADrop
>    and AReject. Note that these audit everything that they do so you will
>    probably want to make your own copies and modify them to only audit the
>    packets that you care about.

The actions have been renamed to A_Drop and A_Reject respectively.

-Tom
Tom

Specifying BLACKLIST_DISPOSITION=A_DROP generates the following iptables rule:

   -A blacklog -j AUDIT -type a_drop

Which produces the following iptables-restore error:

   iptables-restore v1.4.11: Bad action type value "a_drop"

Steven.
On 06/04/2011 07:25 AM, Steven Jan Springl wrote:
> Specifying BLACKLIST_DISPOSITION=A_DROP generates the following iptables
> rule:
>
>    -A blacklog -j AUDIT -type a_drop
>
> Which produces the following iptables-restore error:
>
>    iptables-restore v1.4.11: Bad action type value "a_drop"

The attached patch seems to correct the problem. It only occurred when BLACKLIST_LOG_LEVEL was set to a logging value.

-Tom
On Saturday 04 June 2011 15:42:55 Tom Eastep wrote:
> On 06/04/2011 07:25 AM, Steven Jan Springl wrote:
> > Specifying BLACKLIST_DISPOSITION=A_DROP generates the following
> > iptables rule:
> >
> >    -A blacklog -j AUDIT -type a_drop
> >
> > Which produces the following iptables-restore error:
> >
> >    iptables-restore v1.4.11: Bad action type value "a_drop"
>
> The attached patch seems to correct the problem. It only occurred when
> BLACKLIST_LOG_LEVEL was set to a logging value.
>
> -Tom

Tom

Confirmed, that's fixed it.

Steven.
On 06/04/2011 07:58 AM, Steven Jan Springl wrote:
> On Saturday 04 June 2011 15:42:55 Tom Eastep wrote:
> Confirmed, that's fixed it.

Thanks, Steven

Here's another patch that corrects the handling of the 'audit' option in the blacklist file.

-Tom
On Saturday 04 June 2011 16:44:23 Tom Eastep wrote:
> On 06/04/2011 07:58 AM, Steven Jan Springl wrote:
> > On Saturday 04 June 2011 15:42:55 Tom Eastep wrote:
> >
> > Confirmed, that's fixed it.
>
> Thanks, Steven
>
> Here's another patch that corrects the handling of the 'audit' option in
> the blacklist file.
>
> -Tom

Tom

Patch applied. Thanks.

Steven.
On 06/04/2011 09:06 AM, Steven Jan Springl wrote:
> Patch applied. Thanks.

Please let me know when you are finished with your RC1 testing.

Thanks,
-Tom