Beta 1 is now available for testing.

----------------------------------------------------------------------------
I. P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) Previously /var/log/shorewall*-init.log was created in the wrong
   Selinux context. The rpm's have been modified to correct that issue.

2) An issue with params processing on RHEL6 has been corrected. The
   problem manifested as the following type of warning:

   WARNING: Param line (export OLDPWD) ignored at
   /usr/share/shorewall/Shorewall/Config.pm line 2993.

----------------------------------------------------------------------------
I I. K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1) On systems running Upstart, shorewall-init cannot reliably secure the
   firewall before interfaces are brought up.

----------------------------------------------------------------------------
I I I. N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) When TC_ENABLED=Simple, ACK packets are now placed in the highest
   priority class. An ACK packet is a TCP packet with the ACK flag set and
   no data payload.

   Rationale: Entries in /etc/shorewall[6]/tcpri affect both incoming and
   outgoing connections. If a particular application, SMTP for example, is
   placed in priority class 3, then outgoing ACK packets for incoming email
   were previously placed in priority class 3 as well. This could have the
   effect of slowing down incoming mail when the goal was to give outgoing
   mail a lower priority. By unconditionally placing ACK packets in
   priority class 1, this issue is avoided.

2) Up to this point, the Perl-based rules compiler has not accepted ICMP
   type lists. This is in contrast to the shell-based compiler which did
   support such lists. Support for ICMP (and ICMPv6) type lists has now
   been restored.
3) A Shorewall user has contributed a macro for Puppet.

4) Beginning with this release, it is possible to install Shorewall and
   Shorewall6 in an arbitrary location. The simplest form of this
   capability is the BASE environmental variable. When set, it causes
   Shorewall to be installed relative to a specified directory. For
   example:

       BASE=/usr/local/ ./install.sh

   will install Shorewall's components in

       /usr/local/etc/shorewall/
       /usr/local/sbin/
       /usr/local/share/shorewall/
       /usr/local/share/man/
       /usr/local/var/lib

   When run as root, the necessary files are installed in /etc/default,
   /etc/init.d/ etc. When run as non-root, /etc is not modified.

   There are several restrictions and considerations:

   a) Shorewall and Shorewall6 must be installed in the same BASE
      directory.

   b) When Shorewall Init is used, /etc/default/shorewall-init
      (/etc/sysconfig/shorewall-init) must set four additional variables:

          ETC   - name of the BASE /etc directory
          SBIN  - name of the BASE /sbin directory
          SHARE - name of the BASE /usr/share directory
          VAR   - name of the BASE /var directory

      If BASE=/usr/local/ then

          ETC=/usr/local/etc/
          SBIN=/usr/local/sbin/
          SHARE=/usr/local/share/
          VAR=/usr/local/var/lib/

   c) The CONFIG_PATH variable (if set) in shorewall.conf and
      shorewall6.conf must be adjusted accordingly. If BASE=/usr/local/
      then the Shorewall CONFIG_PATH would be:

          CONFIG_PATH=/usr/local/etc/shorewall:/usr/local/share/shorewall

      and for Shorewall6, it would be

          CONFIG_PATH=/usr/local/etc/shorewall6:/usr/local/share
          /shorewall6:/usr/local/share/shorewall/ (folded)

   The ETC, SBIN, SHARE and VAR variables may also be passed to install.sh
   (in addition to the existing MANDIR variable). When passed together
   with BASE, they override BASE if the value is an absolute path name
   (begins with '/'); otherwise, they are appended to BASE. If BASE is not
   passed, then their values must be absolute path names.
Thank you for testing,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
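As an added example (not part of the announcement and not Shorewall's own install.sh), the following Python models the BASE/ETC/SBIN/SHARE/VAR rules from item 4 so the resulting install directories and CONFIG_PATH values can be checked before the installer is run. The function names and the use of os.path.join are this example's assumptions.

```python
import os
from typing import Dict, Optional

# Default locations relative to BASE, as listed in item 4 of the announcement.
DEFAULT_DIRS = {
    "ETC": "etc/",
    "SBIN": "sbin/",
    "SHARE": "share/",
    "VAR": "var/lib/",
}


def resolve_install_dirs(base: Optional[str], overrides: Dict[str, str]) -> Dict[str, str]:
    """Return the effective ETC/SBIN/SHARE/VAR directories for install.sh.

    With BASE set: an absolute override (leading '/') replaces the BASE-relative
    default, a relative override is appended to BASE.
    Without BASE: every variable must be supplied and must be absolute.
    (Hypothetical helper; it mirrors the rules stated in the announcement.)
    """
    result = {}
    for name, default in DEFAULT_DIRS.items():
        value = overrides.get(name)
        if base is None:
            if value is None:
                raise ValueError(f"{name} must be given when BASE is not set")
            if not value.startswith("/"):
                raise ValueError(f"{name}={value!r} must be absolute when BASE is not set")
            result[name] = value
        elif value is None:
            result[name] = os.path.join(base, default)
        elif value.startswith("/"):
            result[name] = value
        else:
            result[name] = os.path.join(base, value)
    return result


def config_path(dirs: Dict[str, str], product: str) -> str:
    """Build the CONFIG_PATH value from item 4c for 'shorewall' or 'shorewall6'.

    Shorewall6 additionally searches the shared IPv4 directory, which is why
    its path ends with .../share/shorewall/ in the announcement.
    """
    parts = [os.path.join(dirs["ETC"], product), os.path.join(dirs["SHARE"], product)]
    if product == "shorewall6":
        parts.append(os.path.join(dirs["SHARE"], "shorewall/"))
    return ":".join(parts)
```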
Tom

If params contains:

NULL

and rules contains:

ACCEPT net:eth0$NULL lan tcp 22

The following error message is produced:

ERROR: Unknown destination zone (OLDPWD) : /etc/shorewallER/rules (line 15)

If NULL is set to a value or the line removed and the rules file changed
accordingly the error does not occur, but the following message is produced:

WARNING: Param line (export OLDPWD) ignored

Steven.
On 3/14/11 4:16 PM, Steven Jan Springl wrote:
> Tom
>
> If params contains:
>
> NULL
>
> and rules contains:
>
> ACCEPT net:eth0$NULL lan tcp 22
>
> The following error message is produced:
>
> ERROR: Unknown destination zone (OLDPWD) : /etc/shorewallER/rules (line 15)
>
> If NULL is set to a value or the line removed and the rules file changed
> accordingly the error does not occur, but the following message is produced:
>
> WARNING: Param line (export OLDPWD) ignored

Thanks, Steven.

I've already been working on a similar problem; please apply the attached 3
patches and see if things improve.

-Tom
On 3/14/11 4:30 PM, Tom Eastep wrote:
> On 3/14/11 4:16 PM, Steven Jan Springl wrote:
>> Tom
>>
>> If params contains:
>>
>> NULL
>>
>> and rules contains:
>>
>> ACCEPT net:eth0$NULL lan tcp 22
>>
>> The following error message is produced:
>>
>> ERROR: Unknown destination zone (OLDPWD) : /etc/shorewallER/rules (line 15)
>>
>> If NULL is set to a value or the line removed and the rules file changed
>> accordingly the error does not occur, but the following message is produced:
>>
>> WARNING: Param line (export OLDPWD) ignored
>
> Thanks, Steven.
>
> I've already been working on a similar problem; please apply the
> attached 3 patches and see if things improve.

And if you still have problems, please send me the output of
'shorewall trace check 2>&1'.

Thanks,
-Tom
On Monday 14 March 2011 23:30:25 Tom Eastep wrote:
> On 3/14/11 4:16 PM, Steven Jan Springl wrote:
> > Tom
> >
> > If params contains:
> >
> > NULL
> >
> > and rules contains:
> >
> > ACCEPT net:eth0$NULL lan tcp 22
> >
> > The following error message is produced:
> >
> > ERROR: Unknown destination zone (OLDPWD) : /etc/shorewallER/rules (line
> > 15)
> >
> > If NULL is set to a value or the line removed and the rules file changed
> > accordingly the error does not occur, but the following message is
> > produced:
> >
> > WARNING: Param line (export OLDPWD) ignored
>
> Thanks, Steven.
>
> I've already been working on a similar problem; please apply the
> attached 3 patches and see if things improve.
>
> -Tom

Tom

The first patch was already applied.
I have applied the other 2 patches; they seem to have fixed the issue. Thanks.

Steven.
On 3/14/11 4:48 PM, Steven Jan Springl wrote:
>
> The first patch was already applied.
> I have applied the other 2 patches, they seem to have fixed the issue. Thanks.
>

Thanks, Steven

-Tom
Tom

Rule:

ACCEPT net lan icmp ,

produces the following error messages:

iptables v1.4.10: Invalid ICMP type `-j'

ERROR: Command "/usr/local/sbin/iptables -A net2lan -p 1 --icmp-type -j ACCEPT" Failed

Steven.
On 3/14/11 5:04 PM, Steven Jan Springl wrote:
> Tom
>
> Rule:
>
> ACCEPT net lan icmp ,
>
> produces the following error messages:
>
> iptables v1.4.10: Invalid ICMP type `-j'
>
> ERROR: Command "/usr/local/sbin/iptables -A net2lan -p 1 --icmp-type -j
> ACCEPT" Failed

The attached patch should fix this.

Thanks, Steven

-Tom
On Tuesday 15 March 2011 00:18:33 Tom Eastep wrote:
> On 3/14/11 5:04 PM, Steven Jan Springl wrote:
> > Tom
> >
> > Rule:
> >
> > ACCEPT net lan icmp ,
> >
> > produces the following error messages:
> >
> > iptables v1.4.10: Invalid ICMP type `-j'
> >
> > ERROR: Command "/usr/local/sbin/iptables -A net2lan -p 1 --icmp-type -j
> > ACCEPT" Failed
>
> The attached patch should fix this.
>
> Thanks, Steven
>
> -Tom

Tom

Confirmed, the patch fixes the issue. Thanks.

Steven.
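An added example, not Shorewall's compiler code and not the patch discussed above, showing the kind of check the failing rule needs: a parser for a comma-separated ICMP type list that rejects the empty element left by a trailing comma before any --icmp-type option is built, so iptables never sees `--icmp-type -j`. Numeric type[/code] entries only and one iptables argument list per type are this example's assumptions.

```python
import re
from typing import List

# type[/code], numeric only (this example's assumption; symbolic names such as
# echo-request are not handled here).
ICMP_ENTRY = re.compile(r"^(\d{1,3})(?:/(\d{1,3}))?$")


def parse_icmp_type_list(spec: str) -> List[str]:
    """Split a comma-separated ICMP type list and validate every element.

    Returns entries normalised as 'type' or 'type/code'. An empty spec or '-'
    means 'any ICMP'. An empty element, such as the one left by the trailing
    comma in 'ACCEPT net lan icmp ,', raises ValueError so that no bare
    '--icmp-type' is ever handed to iptables.
    """
    spec = spec.strip()
    if spec in ("", "-"):
        return []
    entries = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError(f"empty element in ICMP type list {spec!r}")
        match = ICMP_ENTRY.match(item)
        if not match:
            raise ValueError(f"invalid ICMP type {item!r}")
        icmp_type, icmp_code = int(match.group(1)), match.group(2)
        if icmp_type > 255 or (icmp_code is not None and int(icmp_code) > 255):
            raise ValueError(f"ICMP type/code out of range in {item!r}")
        entries.append(str(icmp_type) if icmp_code is None else f"{icmp_type}/{int(icmp_code)}")
    return entries


def icmp_rule_args(chain: str, target: str, spec: str) -> List[List[str]]:
    """Expand one rule into iptables argument lists, one per ICMP type.

    Assumed layout: '-p icmp --icmp-type T -j TARGET' per element; the chain
    name is whatever the caller's zone pair maps to (net2lan in the thread).
    """
    types = parse_icmp_type_list(spec)
    base = ["iptables", "-A", chain, "-p", "icmp"]
    if not types:
        return [base + ["-j", target]]
    return [base + ["--icmp-type", t, "-j", target] for t in types]
```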
Tom

A few minor issues with shorewall.conf parameter TC_PRIOMAP.

If a value has a decimal point:

TC_PRIOMAP="2.1 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

The following error messages are produced:

Illegal "priomap" element
ERROR: Command "tc qdisc add dev eth0 root handle 1: prio bands 3 priomap 1.1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1" Failed

-------------------------------------------------------------------------------------------------------------------------------

If a value is negative:

TC_PRIOMAP="-1 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

The following error messages are produced:

"priomap" element is out of bands
ERROR: Command "tc qdisc add dev eth0 root handle 1: prio bands 3 priomap -2 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1" Failed

-------------------------------------------------------------------------------------------------------------------------------

If the closing " is missing:

TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2

The following error messages are produced:

"priomap" element is out of bands
ERROR: Command "tc qdisc add dev eth0 root handle 1: prio bands 3 priomap -1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1" Failed

Steven.
On 3/16/11 3:31 PM, Steven Jan Springl wrote:
> Tom
>
> A few minor issues with shorewall.conf parameter TC_PRIOMAP.
>
> If a value has a decimal point:
>
> TC_PRIOMAP="2.1 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
>
> The following error messages are produced:
>
> Illegal "priomap" element
> ERROR: Command "tc qdisc add dev eth0 root handle 1: prio bands 3 priomap 1.1
> 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1" Failed
>
> -------------------------------------------------------------------------------------------------------------------------------
>
> If a value is negative:
>
> TC_PRIOMAP="-1 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
>
> The following error messages are produced:
>
> "priomap" element is out of bands
> ERROR: Command "tc qdisc add dev eth0 root handle 1: prio bands 3 priomap -2 2
> 2 2 1 2 0 0 1 1 1 1 1 1 1 1" Failed
>
> -------------------------------------------------------------------------------------------------------------------------------
>
> If the closing " is missing:
>
> TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2
>
> The following error messages are produced:
>
> "priomap" element is out of bands
> ERROR: Command "tc qdisc add dev eth0 root handle 1: prio bands 3 priomap -1 2
> 2 2 1 2 0 0 1 1 1 1 1 1 1 1" Failed

Steven,

I couldn't reproduce the last problem -- I kept getting

/etc/shorewall/shorewall.conf: 63: Syntax error: Unterminated quoted string

But the attached patch corrects the other two.

Thanks!
-Tom
On Wednesday 16 March 2011 23:40:13 Tom Eastep wrote:
> On 3/16/11 3:31 PM, Steven Jan Springl wrote:
> > Tom
> >
> > A few minor issues with shorewall.conf parameter TC_PRIOMAP.
> >
> > If a value has a decimal point:
> >
> > TC_PRIOMAP="2.1 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
> >
> > The following error messages are produced:
> >
> > Illegal "priomap" element
> > ERROR: Command "tc qdisc add dev eth0 root handle 1: prio bands 3 priomap
> > 1.1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1" Failed
> >
> > -------------------------------------------------------------------------------------------------------------------------------
> >
> > If a value is negative:
> >
> > TC_PRIOMAP="-1 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
> >
> > The following error messages are produced:
> >
> > "priomap" element is out of bands
> > ERROR: Command "tc qdisc add dev eth0 root handle 1: prio bands 3 priomap
> > -2 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1" Failed
> >
> > -------------------------------------------------------------------------------------------------------------------------------
> >
> > If the closing " is missing:
> >
> > TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2
> >
> > The following error messages are produced:
> >
> > "priomap" element is out of bands
> > ERROR: Command "tc qdisc add dev eth0 root handle 1: prio bands 3 priomap
> > -1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1" Failed
>
> Steven,
>
> I couldn't reproduce the last problem -- I kept getting
>
> /etc/shorewall/shorewall.conf: 63: Syntax error: Unterminated quoted string
>
> But the attached patch corrects the other two.
>
> Thanks!
> -Tom

Tom

I can confirm the patch fixes the first two issues.
It also fixes the third issue. I now get the following Shorewall message which
I am happy with:

ERROR: Invalid TC_PRIOMAP entry ("2)

Thanks.

Steven.
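An added example, not the patch Tom attached: a TC_PRIOMAP validator in Python that applies the checks this exchange calls for (integer entries, a 1-based class no higher than the number of bands, balanced quotes) before the tc command is assembled, so a bad setting fails at compile time with the entry named rather than as a failed tc command. The 16-entry length, three bands and the 1-based to 0-based translation are inferred from the commands quoted above; the function names are this example's own.

```python
import re
from typing import List

PRIOMAP_LEN = 16  # the prio qdisc maps 16 TOS/priority values to bands


def parse_tc_priomap(value: str, bands: int = 3) -> List[int]:
    """Validate a TC_PRIOMAP setting and return the 0-based priomap for tc.

    TC_PRIOMAP lists Shorewall classes (1..bands); 'tc ... prio bands N priomap'
    wants band indexes 0..N-1, so each entry is checked and then decremented.
    A ValueError names the offending entry, so the mistake is reported before
    tc is run instead of surfacing as a failed tc command.
    """
    # Strip one balanced pair of double quotes. An unterminated quote is left in
    # place and then rejected as part of the first entry, e.g. '"2'.
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    entries = value.split()
    if len(entries) != PRIOMAP_LEN:
        raise ValueError(f"TC_PRIOMAP must have {PRIOMAP_LEN} entries, got {len(entries)}")
    priomap = []
    for entry in entries:
        # Positive integers only: this rejects '2.1', '-1' and '"2'.
        if not re.fullmatch(r"[1-9]\d*", entry):
            raise ValueError(f"Invalid TC_PRIOMAP entry ({entry})")
        cls = int(entry)
        if cls > bands:
            raise ValueError(f"TC_PRIOMAP entry {entry} exceeds the number of bands ({bands})")
        priomap.append(cls - 1)
    return priomap


def tc_prio_command(dev: str, value: str, bands: int = 3) -> List[str]:
    """Assemble the root prio qdisc command quoted in the thread (assumed
    layout: 'tc qdisc add dev DEV root handle 1: prio bands N priomap ...')."""
    priomap = parse_tc_priomap(value, bands)
    return ["tc", "qdisc", "add", "dev", dev, "root", "handle", "1:",
            "prio", "bands", str(bands), "priomap", *map(str, priomap)]
```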
On 3/16/11 5:04 PM, Steven Jan Springl wrote:
>
> I can confirm the patch fixes the first two issues.
> It also fixes the third issue. I now get the following Shorewall message which
> I am happy with:
>
> ERROR: Invalid TC_PRIOMAP entry ("2)
>

Thanks, Steven

-Tom
Tom

In tcfilters, if an icmp type/code is specified:

eth0:33 77.77.77.77/7 2.2.0.0 icmp 3/4

The following error messages are produced:

Illegal "match"
ERROR: Command "tc filter add dev eth0 protocol ip parent 1:0 prio 10 u32 ht 0x006:0 match icmp type 3/4 0xff flowid 1:33" Failed

Steven.
On 3/17/11 3:46 PM, Steven Jan Springl wrote:
> Tom
>
> In tcfilters, if an icmp type/code is specified:
>
> eth0:33 77.77.77.77/7 2.2.0.0 icmp 3/4
>
> The following error messages are produced:
>
> Illegal "match"
> ERROR: Command "tc filter add dev eth0 protocol ip parent 1:0 prio 10 u32 ht
> 0x006:0 match icmp type 3/4 0xff flowid 1:33" Failed

Steven,

Sorry to be slow getting back to you -- lots of work right now.

Please try the attached patch.

Thanks,
-Tom
On Friday 18 March 2011 19:41:25 Tom Eastep wrote:
> On 3/17/11 3:46 PM, Steven Jan Springl wrote:
> > Tom
> >
> > In tcfilters, if an icmp type/code is specified:
> >
> > eth0:33 77.77.77.77/7 2.2.0.0 icmp 3/4
> >
> > The following error messages are produced:
> >
> > Illegal "match"
> > ERROR: Command "tc filter add dev eth0 protocol ip parent 1:0 prio 10 u32
> > ht 0x006:0 match icmp type 3/4 0xff flowid 1:33" Failed
>
> Steven,
>
> Sorry to be slow getting back to you -- lots of work right now.
>
> Please try the attached patch.
>
> Thanks,
> -Tom

Tom

The patch fixes the problem. Thanks.

Steven.
On 3/18/11 4:01 PM, Steven Jan Springl wrote:
> The patch fixes the problem. Thanks.

Thanks, Steven

-Tom