After much deliberation, I have decided that I don't want to release the incomplete solution for Netfilter helpers that I had implemented in the Betas and RC1. I have rather decided that I will release the complete solution in this release rather than in 4.5.8 as I had originally planned. So I'm breaking with my usual practice and releasing new/changed features in this release candidate.

New/Changed Features since 4.5.7 RC 1:

1) With the addition of the CT action to the /etc/shorewall[6]/notrack file, the name of the file does not accurately reflect the file's purpose. In this release, the name of the file has been changed to 'conntrack'.

   Unless the 'sparse' installer option is enabled ('sparse' is the default on Debian and derivatives), the tarball installers will install 'conntrack' alongside an existing 'notrack' file. If the 'notrack' file is non-empty, a warning message is issued during compilation:

       WARNING: Non-empty notrack file (...); please move its contents to the conntrack file

   This warning can be eliminated by removing the notrack file (if it has no entries), or by moving its entries to the conntrack file and removing the notrack file. Note that the conntrack file is always populated with rules (see enhancement 5).

   If the 'notrack' file exists and is empty, the first compilation will remove it with the warning:

       WARNING: Empty notrack file (...) removed

2) Because of the potential for attackers to subvert Netfilter helpers like the one for FTP, the Netfilter team are in the process of eliminating the automatic association of helpers to connections. In the 3.5 kernel, it is possible to disable this automatic association, and the team have announced that automatic association will eventually be eliminated. While it is certainly more secure to add explicit rules that create these associations, for Shorewall to require users to add those rules would present a gross inconvenience during a Shorewall upgrade.
   To make Shorewall and kernel upgrades as smooth as possible, several new features have been added in this release:

   - Shorewall will automatically disable the kernel's automatic association of helpers to connections on kernel 3.5 and later.

   - An automatic association of helpers with connections that performs the same function as in the pre-3.5 kernels has been added. This automatic association is controlled by the new AUTOHELPERS shorewall.conf option, which is set to 'Yes' by default.

   - A HELPERS column has been added to the /etc/shorewall/rules file.

     In the NEW section: When the ACTION is ACCEPT, DNAT or REDIRECT, the specified helper is automatically associated with the connection. HELPERS may be specified in action files, macros and in the rules file itself.

     In the RELATED section: The rule will only match related connections that have the named helper attached.

   - The standard Macros for applications requiring a helper (FTP, IRC, etc.) have been modified to automatically specify the correct helper in the HELPER column.

   - HELPER is now a valid action in /etc/shorewall/rules. This action requires that a helper be present in the HELPER column and causes the specified helper to be associated with connections matching the rule. No destination zone should be specified in HELPER rules. HELPER rules allow specification of a helper for connections that are ACCEPTed by the applicable policy.

     Example: loc->net policy is ACCEPT. In /etc/shorewall/rules:

         FTP(HELPER)   loc   -

     or equivalently

         HELPER   loc   -   tcp   21   ; helper=ftp

   - The set of enabled helpers (either by AUTOHELPERS=Yes or by the HELPERS column) can be tailored using the new HELPERS option in shorewall.conf.

   By making AUTOHELPERS=Yes the default, users can upgrade their systems to a 3.5+ kernel without disrupting the operation of their firewalls.
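   As an added illustration (not part of these release notes), the following fragments show how the HELPERS option, the HELPERS column and the RELATED section described above fit together once AUTOHELPERS is turned off. They assume zones named 'loc' and 'net', a loc->net ACCEPT policy, and that FTP from loc to net is the only traffic that needs a helper.

```text
# /etc/shorewall/shorewall.conf (excerpt, assumed configuration)
# No implicit helper association; helpers are attached only where a rule says so.
AUTOHELPERS=No
# Trim the set of usable helpers to the one actually needed.
HELPERS=ftp

# /etc/shorewall/rules (excerpt, assumed configuration)
SECTION RELATED
# Only related connections that the ftp helper itself attached are accepted here.
# Active-mode FTP data connections arrive from the server (net) to the client (loc);
# related connections carrying a different helper (or none) do not match this rule.
ACCEPT   net   loc   tcp   ; helper=ftp

SECTION NEW
# Attach the ftp helper only to FTP control connections from loc to net.
# With the updated FTP macro, 'FTP(ACCEPT) loc net' produces the same rule.
ACCEPT   loc   net   tcp   21   ; helper=ftp
```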
   Beyond such upgrades, we suggest setting AUTOHELPERS=No and following one of two strategies:

   - Use the HELPERS column in the rules file to enable helpers as needed (preferred); or

   - Tailor the conntrack file to enable helpers on only those connections that require them.

   With either of these approaches, the list of available helpers can be trimmed using the HELPERS option, and rules can be added to the RELATED section of the rules file to further restrict the effect of helpers.

   The implementation of these new functions places conditional rules in the /etc/shorewall[6]/conntrack file. These rules are included conditionally based on the setting of AUTOHELPERS. Example:

       ?if $AUTOHELPERS && __CT_TARGET
       ?if __FTP_HELPER
       CT:helper:ftp   all   -   tcp   21
       ?endif
       ...
       ?endif

   __FTP_HELPER evaluates to false if the HELPERS setting is non-empty and 'ftp' is not listed in that setting.

   For example, if you only need FTP access from your 'loc' zone, then add this rule outside of the outer-most ?if...?endif shown above:

       CT:helper:ftp   loc   -   tcp   21

   For an overview of Netfilter Helpers and Shorewall's support for dealing with them, see http://www.shorewall.net/Helpers.html. See https://home.regit.org/netfilter-en/secure-use-of-helpers/ for additional information.

3) Optimization level 4 now locates short chains (3 rules or less) that have a single reference and replaces that single reference with the rules themselves.

   Optimization level 8 now eliminates duplicate rules in the raw table.

Thank you for testing,

-Tom
--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep.
                       Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________