Shorewall 4.4.20.2 is now available for download.

Problems Corrected:

1) Problem Corrected #1 from 4.4.19.4 was inadvertently omitted from 4.4.20. It is now included.

2) A defect introduced in 4.4.20 could cause the following failure at start/restart:

   ERROR: Command "tc qdisc add dev eth0 parent 1:11 handle 1: sfq quantum 12498 limit 127 perturb 10" failed

3) The 'sfilter' interface option introduced in 4.4.20 was only applied to forwarded traffic. Now it is also applied to traffic addressed to the firewall itself.

4) IPSEC traffic is now (correctly) excluded from sfilter.

5) Shorewall 4.4.20 could, under some circumstances, fail during iptables-restore with a message such as the following:

   iptables-restore v1.4.10: Couldn't load target `dsl0_fwd':/usr/lib/xtables/libipt_dsl0_fwd.so: cannot open shared object file: No such file or directory
   Error occurred at line: 113
   Try `iptables-restore -h' or 'iptables-restore --help' for more information.
   ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input

6) The following incorrect warning message has been eliminated:

   WARNING: sfilter is ineffective with FASTACCEPT=Yes

Thank you for using Shorewall,

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
EditLive Enterprise is the world's most technically advanced content authoring tool. Experience the power of Track Changes, Inline Image Editing and ensure content is compliant with Accessibility Checking. http://p.sf.net/sfu/ephox-dev2dev
> 3) The 'sfilter' interface option introduced in 4.4.20 was only
> applied to forwarded traffic. Now it is also applied to traffic
> addressed to the firewall itself.

From reading the (annotated version of) interfaces file what I cannot understand is the "it should list those local networks that are not routed out of the bridge or interface" bit. What does that mean exactly? Am I supposed to list the local network this interface belongs to or what? You are writing these annotated pages as if I have a PhD in computer networks & signalling ffs!

I also take it in 20.2 the sfilter option is now mandatory if I have specified routeback, is that the case? What happens if I do not specify it?
On Sat, 2011-06-11 at 00:16 +0100, Mr Dash Four wrote:
> > 3) The 'sfilter' interface option introduced in 4.4.20 was only
> > applied to forwarded traffic. Now it is also applied to traffic
> > addressed to the firewall itself.
> >
> From reading the (annotated version of) interfaces file what I cannot
> understand is the "it should list those local networks that are not
> routed out of the bridge or interface" bit. What does that mean exactly?
> Am I supposed to list the local network this interface belongs to or
> what? You are writing these annotated pages as if I have a PhD in computer
> networks & signalling ffs!

It is regrettable that you didn't stumble over that bit in 4.4.20.1 since, with the exception of the option name, it is identical to what was in that release (it was incorrectly listed as "filter" in 4.4.20.1).

teastep@sami:~/shorewall/build/4.4.20$ diff -au shorewall-4.4.20.1/configfiles/interfaces.annotated shorewall-4.4.20.2/configfiles/interfaces.annotated
--- shorewall-4.4.20.1/configfiles/interfaces.annotated	2011-06-06 16:12:23.000000000 -0700
+++ shorewall-4.4.20.2/configfiles/interfaces.annotated	2011-06-10 13:03:21.000000000 -0700
@@ -189,13 +189,6 @@
 # This option allows DHCP datagrams to enter and
 # leave the interface.
 #
-# filter=(net[,...])
-# Added in Shorewall 4.4.20. This option should be
-# used on bridges or other interfaces with the
-# routeback option. On these interfaces, it should
-# list those local networks that are not routed out
-# of the bridge or interface.
-#
 # logmartians[={0|1}]
 # Turn on kernel martian logging (logging of packets
 # with impossible source addresses. It is strongly
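Review bot: the block removed here reappears word for word under the name sfilter= in the next hunk, so this hunk is the first half of a rename of a misdocumented option rather than a removal, and the diff itself does not say so. Suggest a line in the release notes or the annotated file's change history stating that 4.4.20.1 documented the option under the wrong name "filter", so a reader comparing the two files does not conclude the option was dropped.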
@@ -354,6 +347,13 @@
 # This option can also be enabled globally in the
 # shorewall.conf(5) file.
 #
+# sfilter=(net[,...])
+# Added in Shorewall 4.4.20. This option should be
+# used on bridges or other interfaces with the
+# routeback option. On these interfaces, it should
+# list those local networks that are not routed out
+# of the bridge or interface.
+#
 # sourceroute[={0|1}]
 # If this option is not specified for an interface,
 # then source-routed packets will not be accepted
teastep@sami:~/shorewall/build/4.4.20$

>
> I also take it in 20.2 the sfilter option is now mandatory if I have
> specified routeback, is that the case? What happens if I do not specify it?
>

No. Please have a look at the revised text at http://www1.shorewall.net/manpages/shorewall-interfaces.html and see if it is clearer. The 'sfilter' option is only appropriate in cases where 'routeback' is required and 'routefilter' cannot be used.

-Tom
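Review bot: the added sfilter= text says where to use the option and what to list, but not what the option does to a packet whose source is outside the listed networks, which is exactly what the quoted question above could not work out from it. Suggest adding one sentence on the effect (the log lines later in this thread show such packets logged and dropped in a chain named sfilter, e.g. "Shorewall:sfilter:DROP:IN=eth0 ...") and one on scope, repeating the statement made in the reply under this diff that the option is only appropriate where 'routeback' is required and 'routefilter' cannot be used.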
>> I also take it in 20.2 the sfilter option is now mandatory if I have
>> specified routeback, is that the case? What happens if I do not specify it?
>>
>>
>
> No. Please have a look at the revised text at
> http://www1.shorewall.net/manpages/shorewall-interfaces.html and see if
> it is clearer. The 'sfilter' option is only appropriate in cases where
> 'routeback' is required and 'routefilter' cannot be used.
>

The revised text is much clearer (at least that is the case with me anyway). Thanks for pointing it out.
> Shorewall 4.4.20.2 is now available for download.
>
> Problems Corrected:
>
> 3) The 'sfilter' interface option introduced in 4.4.20 was only
> applied to forwarded traffic. Now it is also applied to traffic
> addressed to the firewall itself.

Hi Tom and everybody,

I'm having issues with 4.4.20.2 on some client configurations. It looks like all traffic is blocked on eth0 after upgrading from 4.4.20.1 to 4.4.20.2:

Shorewall:sfilter:DROP:IN=eth0 OUT= MAC=48:5b:39:79:ea:8b:00:14:38:ca:df:44:08:00 SRC=17.17.17.17 DST=192.168.4.148 LEN=132 TOS=0x10 PREC=0x00 TTL=51 ID=5442 DF PROTO=TCP SPT=27123 DPT=48281 WINDOW=501 RES=0x00 ACK PSH URGP=0
Shorewall:sfilter:DROP:IN=eth0 OUT= MAC=48:5b:39:79:ea:8b:00:14:38:ca:df:44:08:00 SRC=192.168.1.2 DST=192.168.4.148 LEN=64 TOS=0x10 PREC=0x00 TTL=62 ID=32542 DF PROTO=TCP SPT=35776 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
Shorewall:sfilter:DROP:IN=eth0 OUT= MAC=48:5b:39:79:ea:8b:00:14:38:ca:df:44:08:00 SRC=192.168.1.2 DST=192.168.4.148 LEN=136 TOS=0x00 PREC=0x00 TTL=62 ID=45324 PROTO=UDP SPT=53 DPT=45177 LEN=116

Here is the very simple config:

interfaces:
net     +       detect          dhcp,tcpflags,nosmurfs

zones:
fw      firewall
net

policy:
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

rules:
ACCEPT  net:192.168.0.0/16      fw      all
ACCEPT  net:17.17.17.17/28      fw      tcp     ssh,10000
ACCEPT  net:17.17.17.17/28      fw      icmp    echo-request
AllowICMPs      all     all

Could it be that the wildcard interface definition makes problems here?

Regards,
Simon
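The symptom in this report is easiest to see by parsing the sfilter log lines and checking each dropped source against the networks the rules file accepts. The following is an added example written for this page, not code from Shorewall or from the thread; it assumes the Shorewall log format shown above (Shorewall:chain:action: followed by Netfilter KEY=VALUE fields) and reuses the report's three log lines and rule sources as a constructed sample.

```python
import ipaddress
import re

# Constructed sample: the three log lines from the report above. OUT is empty
# because the packets were addressed to the firewall itself.
SAMPLE_LOG = """\
Shorewall:sfilter:DROP:IN=eth0 OUT= MAC=48:5b:39:79:ea:8b:00:14:38:ca:df:44:08:00 SRC=17.17.17.17 DST=192.168.4.148 LEN=132 TOS=0x10 PREC=0x00 TTL=51 ID=5442 DF PROTO=TCP SPT=27123 DPT=48281 WINDOW=501 RES=0x00 ACK PSH URGP=0
Shorewall:sfilter:DROP:IN=eth0 OUT= MAC=48:5b:39:79:ea:8b:00:14:38:ca:df:44:08:00 SRC=192.168.1.2 DST=192.168.4.148 LEN=64 TOS=0x10 PREC=0x00 TTL=62 ID=32542 DF PROTO=TCP SPT=35776 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
Shorewall:sfilter:DROP:IN=eth0 OUT= MAC=48:5b:39:79:ea:8b:00:14:38:ca:df:44:08:00 SRC=192.168.1.2 DST=192.168.4.148 LEN=136 TOS=0x00 PREC=0x00 TTL=62 ID=45324 PROTO=UDP SPT=53 DPT=45177 LEN=116
"""

# Source networks that the rules file in the report ACCEPTs towards the firewall.
ACCEPTED_SOURCES = [ipaddress.ip_network(n, strict=False)
                    for n in ("192.168.0.0/16", "17.17.17.17/28")]

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):(?P<fields>.*)$")


def parse_line(line):
    """Split a Shorewall log line into chain, action and KEY=VALUE fields.
    Bare tokens (DF, ACK, PSH) go under "flags"; a repeated key (LEN appears
    twice on UDP lines) keeps its first value. Returns None for other lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec.setdefault(key, value)
        else:
            rec["flags"].append(tok)
    return rec


def sfilter_drops(log_text):
    """Return the parsed records that the sfilter chain dropped."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records
            if r and r["chain"] == "sfilter" and r["action"] == "DROP"]


def explain(records):
    """Map each drop to (IN, SRC, PROTO, DPT, accepted_by_rules). True in the
    last slot means the rules file would have accepted that source, so sfilter
    discarded the packet before the rules were consulted: the symptom reported."""
    rows = []
    for r in records:
        src = ipaddress.ip_address(r["SRC"])
        accepted = any(src in net for net in ACCEPTED_SOURCES)
        rows.append((r["IN"], r["SRC"], r["PROTO"], r["DPT"], accepted))
    return rows
```

Running explain(sfilter_drops(SAMPLE_LOG)) marks all three drops as sources the rules accept, which is what makes the wildcard interface rather than the rules the thing to look at.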
On Tue, 2011-06-14 at 10:10 +0200, Simon Matter wrote:
>
> Could it be that the wildcard interface definition makes problems here?
>

I'll take a look. But adding the 'routeback' option to the interfaces entry is a workaround.

-Tom
On Tue, 2011-06-14 at 06:37 -0700, Tom Eastep wrote:
> On Tue, 2011-06-14 at 10:10 +0200, Simon Matter wrote:
> >
> > Could it be that the wildcard interface definition makes problems here?
> >
>
> I'll take a look. But adding the 'routeback' option to the interfaces
> entry is a workaround.
>

The attached patch exempts wildcard interfaces from sfilter.

-Tom
> On Tue, 2011-06-14 at 06:37 -0700, Tom Eastep wrote:
>> On Tue, 2011-06-14 at 10:10 +0200, Simon Matter wrote:
>>
>> >
>> > Could it be that the wildcard interface definition makes problems
>> here?
>> >
>>
>> I'll take a look. But adding the 'routeback' option to the interfaces
>> entry is a workaround.
>>
>
> The attached patch exempts wildcard interfaces from sfilter.

Hi Tom,

Thanks for the quick patch, I'll test it ASAP.

I understand that the wildcard "+" is caught here but how would a wildcard like "eth+" work in this case?

Thanks,
Simon
On Tue, 2011-06-14 at 15:52 +0200, Simon Matter wrote:
> > On Tue, 2011-06-14 at 06:37 -0700, Tom Eastep wrote:
> >> On Tue, 2011-06-14 at 10:10 +0200, Simon Matter wrote:
> >>
> >> >
> >> > Could it be that the wildcard interface definition makes problems
> >> here?
> >> >
> >>
> >> I'll take a look. But adding the 'routeback' option to the interfaces
> >> entry is a workaround.
> >>
> >
> > The attached patch exempts wildcard interfaces from sfilter.
>
> Hi Tom,
>
> Thanks for the quick patch, I'll test it ASAP.
>
> I understand that the wildcard "+" is caught here but how would a
> wildcard like "eth+" work in this case?

It works okay, although it generates a rule in the INPUT chain that I'm surprised is accepted by iptables/Netfilter. A second patch is forthcoming that eliminates that rule.

-Tom
On Tue, 2011-06-14 at 07:12 -0700, Tom Eastep wrote:
> On Tue, 2011-06-14 at 15:52 +0200, Simon Matter wrote:
> > I understand that the wildcard "+" is caught here but how would a
> > wildcard like "eth+" work in this case?
>
> It works okay, although it generates a rule in the INPUT chain that I'm
> surprised is accepted by iptables/Netfilter. A second patch is
> forthcoming that eliminates that rule.

Here is the second patch.

-Tom
> On Tue, 2011-06-14 at 07:12 -0700, Tom Eastep wrote:
>> On Tue, 2011-06-14 at 15:52 +0200, Simon Matter wrote:
>> > I understand that the wildcard "+" is caught here but how would a
>> > wildcard like "eth+" work in this case?
>>
>> It works okay, although it generates a rule in the INPUT chain that I'm
>> surprised is accepted by iptables/Netfilter. A second patch is
>> forthcoming that eliminates that rule.
>
> Here is the second patch.

Thanks Tom, all is working well now.

Simon
On Wed, 2011-06-15 at 15:28 +0200, Simon Matter wrote:
> > On Tue, 2011-06-14 at 07:12 -0700, Tom Eastep wrote:
> >> On Tue, 2011-06-14 at 15:52 +0200, Simon Matter wrote:
> >> > I understand that the wildcard "+" is caught here but how would a
> >> > wildcard like "eth+" work in this case?
> >>
> >> It works okay, although it generates a rule in the INPUT chain that I'm
> >> surprised is accepted by iptables/Netfilter. A second patch is
> >> forthcoming that eliminates that rule.
> >
> > Here is the second patch.
>
> Thanks Tom, all is working well now.

Thanks, Simon. I'll upload 4.4.20.3 shortly.

-Tom