This Beta completes implementation of the new features that I am planning for 4.4.21.

Problems Corrected:

1) The compiler now correctly rejects the DEFAULTS directive in the rules file and in macros.

2) An empty parameter list (e.g., DROP:Drop()) in the POLICY column of the policy file is now handled correctly.

3) The parameterized macros now correctly audit all rulings when :audit is specified. As part of this change, the Drop and Reject actions now accept two additional parameters:

   4th  The action to be applied to accepted ICMP packets.

        FIRST PARAMETER    DEFAULT
        -                  ACCEPT
        audit              A_ACCEPT

   5th  The action to be applied to UPnP (udp port 1900) and late DNS replies (udp source port 53).

        FIRST PARAMETER    DEFAULT
        -                  DROP
        audit              A_DROP

New Features:

1) The 'shorewall update' (and 'shorewall6 update') now updates shorewall.conf *before* validating the configuration.

2) Macros may now specify a default parameter value using the DEFAULT directive.

        DEFAULT <default>

   Example macro.Foo -- by default, accepts connections on fictitious tcp port 'foo'.

        DEFAULT ACCEPT
        PARAM   -   -   tcp   foo

3) Shorewall6 now supports ipsets. This support has been validated on Kernel 2.6.37 with xtables-addons 1.36.

   Unlike iptables, which has separate configurations for IPv4 and IPv6, ipset has a single configuration that handles both. This means that SAVE_IPSETS=Yes in shorewall.conf or shorewall6.conf won't work correctly. To work around this issue, Shorewall-init is now capable of restoring ipset contents during 'start' and saving them during 'stop'.

   To direct Shorewall-init to save/restore ipset contents, set the SAVE_IPSETS option in /etc/sysconfig/shorewall-init (/etc/default/shorewall-init on Debian and derivatives). The value of the option is a file name where the contents of the ipsets will be saved to and restored from. Shorewall-init will create any necessary directories during the first 'save' operation.

   If you configure Shorewall-init to save/restore ipsets, be sure to set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.

   As part of this change, Shorewall and Shorewall6 will only restore saved ipsets if SAVE_IPSETS=Yes in shorewall.conf (shorewall6.conf). It previously did so if any ipset rules were present in the configuration.

4) Shorewall6 now supports dynamic zones:

   1) The nets=dynamic option is allowed in /etc/shorewall6/interfaces
   2) The HOSTS column of /etc/shorewall6/hosts may now contain <interface>:dynamic.
   3) /sbin/shorewall6 now supports the 'add' and 'delete' commands.

Thank you for testing,

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense..
http://p.sf.net/sfu/splunk-d2d-c1
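To make the parameter rules in items 2 ("empty parameter list") and New Feature 2 (the DEFAULT directive) concrete, here is an added Python example. It is not Shorewall code (Shorewall's compiler is Perl) but a toy expander for a simplified macro format: each rule line has the ACTION column first, the literal PARAM in that column is replaced by the parameter given in the invocation, and an invocation written as "Foo" or "Foo()" falls back to the macro's DEFAULT. The macro texts, the invocation syntax and the decision to treat "no parameter and no DEFAULT" as an error are constructed assumptions of this example.

```python
import re

# Constructed sample macro, modelled on the macro.Foo example in the announcement.
MACRO_FOO = """\
# macro.Foo -- by default, accepts connections on fictitious tcp port 'foo'
DEFAULT ACCEPT
PARAM   -   -   tcp   foo
"""

# Constructed macro with no DEFAULT directive, so a parameter is mandatory.
MACRO_BAR = """\
PARAM   -   -   udp   1900
"""

# Invocation forms handled here (assumption): Name, Name() and Name(PARAM).
INVOCATION_RE = re.compile(r'^(?P<name>[A-Za-z0-9_]+)(?:\((?P<param>[^)]*)\))?$')


def parse_macro(text):
    """Return (default, rules): the DEFAULT value (or None) and the rule lines as column lists."""
    default = None
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if cols[0].upper() == 'DEFAULT':
            if len(cols) != 2:
                raise ValueError('DEFAULT takes exactly one argument')
            default = cols[1]
            continue
        rules.append(cols)
    return default, rules


def expand_macro(invocation, macro_text):
    """Expand a macro invocation into concrete rule lines, resolving PARAM."""
    m = INVOCATION_RE.match(invocation)
    if not m:
        raise ValueError(f'bad macro invocation: {invocation!r}')
    param = m.group('param')
    default, rules = parse_macro(macro_text)
    # 'Foo' and 'Foo()' both mean "no parameter supplied": use the DEFAULT if there is one.
    if not param:
        if default is None:
            raise ValueError(f'macro {m.group("name")} invoked without a parameter and has no DEFAULT')
        param = default
    expanded = []
    for cols in rules:
        action = param if cols[0] == 'PARAM' else cols[0]
        expanded.append([action] + cols[1:])
    return expanded


def expansion_error(invocation, macro_text):
    """Return the error message for an invocation that cannot be expanded, or None if it expands."""
    try:
        expand_macro(invocation, macro_text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    for call in ('Foo', 'Foo()', 'Foo(DROP)'):
        print(call, '->', expand_macro(call, MACRO_FOO))
    print('Bar ->', expansion_error('Bar', MACRO_BAR))
```

The point to take from the expander is that a default only changes what a bare invocation means; an explicit parameter such as Foo(DROP) always wins, so a macro that defaults to ACCEPT can still be invoked restrictively from the rules file.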
On Thu, 2011-06-23 at 15:10 -0700, Tom Eastep wrote:

> New Features:
>
> 1) The 'shorewall update' (and 'shorewall6 update') now updates
> shorewall.conf *before* validating the configuration.

I noticed this morning that while the update is occurring prior to configuration validation, the updated values are not being used in that validation. Corrected by the attached patch.

-Tom
Tom

If shorewall.conf contains the following:

    REJECT_DEFAULT="Reject()"

The following messages are produced:

    Use of uninitialized value within %Shorewall::Rules::targets in bitwise and (&) at /usr/share/shorewall/Shorewall/Rules.pm line 958.
    Use of uninitialized value within %Shorewall::Rules::targets in bitwise and (&) at /usr/share/shorewall/Shorewall/Rules.pm line 1455.

Steven.
On Jun 25, 2011, at 9:10 AM, Steven Jan Springl wrote:

> If shorewall.conf contains the following:
>
> REJECT_DEFAULT="Reject()"
>
> The following messages are produced:
>
> Use of uninitialized value within %Shorewall::Rules::targets in bitwise and
> (&) at /usr/share/shorewall/Shorewall/Rules.pm line 958.
>
> Use of uninitialized value within %Shorewall::Rules::targets in bitwise and
> (&) at /usr/share/shorewall/Shorewall/Rules.pm line 1455.

The attached patch will correct this.

Thanks, Steven

-Tom
On Saturday 25 June 2011 17:48:03 Tom Eastep wrote:

> On Jun 25, 2011, at 9:10 AM, Steven Jan Springl wrote:
> > If shorewall.conf contains the following:
> >
> > REJECT_DEFAULT="Reject()"
> >
> > The following messages are produced:
> >
> > Use of uninitialized value within %Shorewall::Rules::targets in bitwise
> > and (&) at /usr/share/shorewall/Shorewall/Rules.pm line 958.
> >
> > Use of uninitialized value within %Shorewall::Rules::targets in bitwise
> > and (&) at /usr/share/shorewall/Shorewall/Rules.pm line 1455.
>
> The attached patch will correct this.
>
> Thanks, Steven
> -Tom

Tom

Confirmed, the patch has fixed the issue. Thanks.

Steven.
On Jun 25, 2011, at 12:00 PM, Steven Jan Springl wrote:

> Confirmed, the patch has fixed the issue. Thanks.

Thanks, Steven

-Tom
Hello,

I currently have a Shorewall firewall running in my network connected to 5mbps ethernet. I need to set up another DSL connection as a backup in case the ethernet goes down so my users can get to a web based application. I have done multi-isp with Shorewall before with great success. However for this setup I want a separate firewall for the DSL connection so that the primary firewall is not a single point of failure for the terminal server application. I therefore configured a system with OpenWRT and am using shorewall-lite on it. I will have two dns entries for this, so it's a poor man's failover solution.

I have the OpenWRT system working, but there is one issue to hammer out. My main or primary firewall is the default gateway for all my systems. This is something I don't want to change. I am trying to do reverse masq so that I can leave my gateway setup as is on my systems in the internal network. I recall doing this years ago with Shorewall but cannot remember how I accomplished it.

Does anyone have any idea how this might be done? I thought it might be with source nat but after reading the documentation and trying a few things I have not been able to make it work.

Thanks in advance,
Simon

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
On Tue, 2011-06-28 at 07:21 -0400, Ryan on the Beach wrote:

> I have the OpenWRT system working, but there is one issue to hammer
> out. My main or primary firewall is the default gateway for all my
> systems. This is something I don't want to change. I am trying to do
> reverse masq so that I can leave my gateway setup as is on my
> systems in the internal network. I recall doing this years ago with
> Shorewall but cannot remember how I accomplished it.
>
> Does anyone have any idea how this might be done? I thought it might
> be with source nat but after reading the documentation and trying a
> few things I have not been able to make it work.

This requires:

* Detecting the failure of the primary firewall. This is done using the exchange of "I'm alive" messages and there are daemons for that.

* Upon failure, reconfigure the internal NIC's IP address (and optionally its MAC address) to match the primary's.

It doesn't really involve Shorewall.

-Tom
Hi Tom,

Thanks for taking the time to respond to my message.

> This requires:
>
> * Detecting the failure of the primary firewall. This is done
>   using the exchange of "I'm alive" messages and there are
>   daemons for that.
> * Upon failure, reconfigure the internal NIC's IP address (and
>   optionally its MAC address) to match the primary's.
>
> It doesn't really involve Shorewall.

I'm sorry. I don't think I articulated my problem very well. I used the word failover, but in fact it's just a bit of redundancy using a cheap DSL connection in case the ethernet goes offline. It's certainly an unsophisticated solution, and not introducing any type of real failover.

My network has two firewalls:

    10.0.1.1  Main Firewall connected to 5Mbps ethernet
    10.0.1.2  Secondary Firewall (OpenWRT) connected to DSL

I have separate external address space for both from separate ISPs. The web based application has an fqdn webapp.company.com which directs traffic through the main firewall. I will create an additional fqdn of webapp-backup.company.com that goes to the address space on the secondary firewall. If the main connection goes down the users will know to try the alternate backup url.

The problem is the web server uses 10.0.1.1 as its gateway. So my DNAT rule works, but of course the internal web server responds using its default gateway and can't respond to requests coming from the DSL. Therefore I would like to do reverse masq/nat/snat, where the incoming requests to webapp-backup.company.com appear to all come from 10.0.1.2, thereby allowing the internal web server to remain unchanged.

Simon
On Tue, 2011-06-28 at 12:04 -0400, Simon Ryan wrote:

> My network has two firewalls:
>
>     10.0.1.1  Main Firewall connected to 5Mbps ethernet
>     10.0.1.2  Secondary Firewall (OpenWRT) connected to DSL
>
> I have separate external address space for both from separate ISPs.
> The web based application has an fqdn webapp.company.com which
> directs traffic through the main firewall. I will create an
> additional fqdn of webapp-backup.company.com that goes to the address
> space on the secondary firewall. If the main connection goes down
> the users will know to try the alternate backup url.
>
> The problem is the web server uses 10.0.1.1 as its gateway. So my
> DNAT rule works, but of course the internal web server responds using
> its default gateway and can't respond to requests coming from the
> DSL. Therefore I would like to do reverse masq/nat/snat, where the
> incoming requests to webapp-backup.company.com appear to all come from
> 10.0.1.2, thereby allowing the internal web server to remain unchanged.

Hi Simon,

You need to SNAT traffic leaving the local interface of the OpenWRT firewall. That will force response packets back through that firewall. In /etc/shorewall/masq:

    <local interface>    0.0.0.0/0    10.0.1.2

Note that a side-effect of that approach is that all connections from remote clients appear to the server to have originated on the backup firewall.

-Tom
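The masq entry in the reply above, and the asymmetric-routing problem it solves, can be checked without a router. The Python below is an added example and not Shorewall's own code or compiler output: it parses a simplified /etc/shorewall/masq (INTERFACE, SOURCE, ADDRESS columns), prints the equivalent flat iptables POSTROUTING command (Shorewall itself uses per-interface chains, which this ignores), computes the source address a packet carries after the rule, and models the web server's reply routing: an on-link destination is reached directly, anything else goes to the default gateway 10.0.1.1. The interface name br-lan, the WAN address 203.0.113.5, the client address 198.51.100.7 and the masq file contents are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed masq file for the backup (OpenWRT) firewall. The first line is the entry
# from the reply above with the LAN interface filled in; the second is a plain
# MASQUERADE entry for comparison.
MASQ_FILE = """\
#INTERFACE   SOURCE        ADDRESS
br-lan       0.0.0.0/0     10.0.1.2
wan          10.0.1.0/24
"""

# Constructed interface addresses of the backup firewall (used for MASQUERADE).
IFACE_ADDRS = {'br-lan': '10.0.1.2', 'wan': '203.0.113.5'}


@dataclass
class MasqRule:
    interface: str                   # packets leaving this interface are rewritten
    source: ipaddress.IPv4Network    # only packets from this source range
    address: Optional[str]           # SNAT target; None means MASQUERADE


def parse_masq(text):
    """Parse the simplified masq format into MasqRule objects, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 2:
            raise ValueError(f'masq entry needs INTERFACE and SOURCE: {raw!r}')
        address = cols[2] if len(cols) > 2 and cols[2] != '-' else None
        rules.append(MasqRule(cols[0], ipaddress.ip_network(cols[1], strict=False), address))
    return rules


def iptables_command(rule):
    """Equivalent flat iptables rule (ignores Shorewall's per-interface chains)."""
    target = f'SNAT --to-source {rule.address}' if rule.address else 'MASQUERADE'
    return f'iptables -t nat -A POSTROUTING -o {rule.interface} -s {rule.source} -j {target}'


def snat_source(src_ip, out_interface, rules, iface_addrs=IFACE_ADDRS):
    """Source address a packet carries after leaving out_interface; first matching rule wins."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.interface == out_interface and ip in rule.source:
            return rule.address or iface_addrs[out_interface]
    return src_ip   # no rule matched: source unchanged


def reply_next_hop(reply_dst, server_net='10.0.1.0/24', default_gw='10.0.1.1'):
    """Where the web server sends its reply: directly if on-link, else to its default gateway."""
    if ipaddress.ip_address(reply_dst) in ipaddress.ip_network(server_net):
        return reply_dst
    return default_gw


if __name__ == '__main__':
    rules = parse_masq(MASQ_FILE)
    for r in rules:
        print(iptables_command(r))
    client = '198.51.100.7'
    seen_by_server = snat_source(client, 'br-lan', rules)
    print('server sees client as', seen_by_server, '-> reply goes to', reply_next_hop(seen_by_server))
    print('without SNAT the reply to', client, 'would go to', reply_next_hop(client))
```

Running it shows the two halves of the fix: with the SNAT entry the server sees 10.0.1.2 and answers it directly on the LAN, so the reply returns through the backup firewall; without it the server would send the reply for 198.51.100.7 to 10.0.1.1, out the primary link. The side-effect Tom notes is visible in the same output: the server's logs record 10.0.1.2 for every client that arrives via the DSL path.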