Beta 1 is now available for testing.

----------------------------------------------------------------------------
     I.  P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  On older distributions where 'shorewall show capabilities' indicates
    'Connection Tracking Match: Not Available', harmless Perl diagnostics
    like the following could be issued:

      Use of uninitialized value $list in pattern match (m//) at
      /usr/share/shorewall/Shorewall/Config.pm line 1273, <$currentfile>
      line 14.
      Use of uninitialized value $list in split at
      /usr/share/shorewall/Shorewall/Config.pm line 1275, <$currentfile>
      line 14.

2)  On older distributions where 'shorewall show capabilities' indicates
    'Mangle FORWARD Chain: Not Available', entries in the ecn file
    generated the following Perl diagnostic:

      Use of uninitialized value in hash element at
      /usr/share/shorewall/Shorewall/Chains.pm line 1119.

----------------------------------------------------------------------------
     I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure the
    firewall before interfaces are brought up.

----------------------------------------------------------------------------
     I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  When 'shorewall update' or 'shorewall6 update' results in no change to
    the .conf file, a message is issued, the .bak file is removed and the
    command terminates without error.

2)  Support has been added for 'stateless NAT'. Stateless NAT is very
    similar to NETMAP but differs from it in a couple of ways:

    a.  It does not rely on connection tracking, but is rather
        implemented in the Netfilter raw table.

    b.  Both the source and destination address can be rewritten in all
        three raw table chains: PREROUTING, OUTPUT and POSTROUTING.

    When used together with stateful NAT, it allows a single router to
    handle a duplicate network address situation. Suppose that a VPN
    using interface tun0 is used to connect to another organization, and
    that both intranets have network 192.168.1.0/24. To allow the two
    organizations to communicate, they decide to use 172.20.1.0/24 to
    address the other's 192.168.1.0/24. The following four entries are
    required in /etc/shorewall/netmap:

      #TYPE     NET1              INTERFACE   NET2
      SNAT      192.168.1.0/24    tun0        172.20.1.0/24
      DNAT      172.20.1.0/24     tun0        192.168.1.0/24
      DNAT:T    172.20.1.0/24     tun0        192.168.1.0/24
      SNAT:P    192.168.1.0/24    tun0        172.20.1.0/24

    Stateless NAT entries differ from NETMAP entries in the TYPE column.
    For stateless entries, both the type of address translation (DNAT or
    SNAT) and the chain (O for OUTPUT, P for PREROUTING and T for
    POSTROUTING) are given.

Note: The release notes in the packages are abbreviated for some reason. So
please refer to this email or to the copy of the release notes on the web
site.

Thank you for testing,
-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
FREE DOWNLOAD - uberSVN with Social Coding for Subversion.
Subversion made easy with a complete admin console. Easy to use,
easy to manage, easy to install, easy to extend. Get a Free download
of the new open ALM Subversion platform now.
http://p.sf.net/sfu/wandisco-dev2dev
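The four netmap entries in the announcement above, traced through one router as an added example (constructed for this page; it is not part of the announcement and not Shorewall's code). The model applies the stateful SNAT/DNAT entries through a small conntrack table and the stateless SNAT:P/DNAT:T entries in the raw PREROUTING and rawpost POSTROUTING chains. It assumes the chain order raw PREROUTING, conntrack, nat PREROUTING, routing, nat POSTROUTING, rawpost POSTROUTING for a forwarded packet, ignores the OUTPUT chain, and uses an assumed LAN interface eth0 and assumed hosts 192.168.1.10 (local) and 192.168.1.20 (remote), none of which appear in the release notes.

```python
"""Walk a packet through the four netmap entries from the 4.4.23 Beta 1 notes.

Constructed model, not Shorewall code.  Assumed chain order for a forwarded
packet: raw PREROUTING -> conntrack -> nat PREROUTING -> routing
-> nat POSTROUTING -> rawpost POSTROUTING.  The OUTPUT chain ('O') is ignored.
"""
import ipaddress


def netmap(addr, net1, net2):
    """Rewrite ADDR from NET1 into NET2, keeping the host bits (as NETMAP does)."""
    a, n1, n2 = ipaddress.ip_address(addr), ipaddress.ip_network(net1), ipaddress.ip_network(net2)
    if a not in n1:
        return addr
    return str(ipaddress.ip_address(int(n2.network_address) | (int(a) & int(n1.hostmask))))


# The announcement's /etc/shorewall/netmap entries: (TYPE, NET1, INTERFACE, NET2)
ENTRIES = [
    ("SNAT",   "192.168.1.0/24", "tun0", "172.20.1.0/24"),
    ("DNAT",   "172.20.1.0/24",  "tun0", "192.168.1.0/24"),
    ("DNAT:T", "172.20.1.0/24",  "tun0", "192.168.1.0/24"),
    ("SNAT:P", "192.168.1.0/24", "tun0", "172.20.1.0/24"),
]


class Router:
    def __init__(self, entries):
        self.entries = entries
        self.reply_map = {}  # conntrack: expected reply tuple -> un-NATed (src, dst)

    def _apply(self, src, dst, iface, want):
        """Apply every entry whose TYPE is in WANT and whose INTERFACE is IFACE."""
        for typ, net1, itf, net2 in self.entries:
            if itf != iface or typ not in want:
                continue
            if typ.startswith("SNAT"):
                src = netmap(src, net1, net2)
            else:
                dst = netmap(dst, net1, net2)
        return src, dst

    def forward(self, src, dst, in_if, out_if):
        """Return the (src, dst) a packet carries when it leaves OUT_IF."""
        # raw PREROUTING: stateless entries on the incoming interface, before conntrack
        src, dst = self._apply(src, dst, in_if, ("SNAT:P", "DNAT:P"))
        if (src, dst) in self.reply_map:
            # conntrack recognises a reply and undoes the stateful NAT; nat table skipped
            src, dst = self.reply_map[(src, dst)]
        else:
            orig = (src, dst)
            # nat PREROUTING (stateful DNAT), routing, nat POSTROUTING (stateful SNAT)
            src, dst = self._apply(src, dst, in_if, ("DNAT",))
            src, dst = self._apply(src, dst, out_if, ("SNAT",))
            # conntrack records the NATed tuple; a reply must arrive as its reverse
            self.reply_map[(dst, src)] = (orig[1], orig[0])
        # rawpost POSTROUTING: stateless entries on the outgoing interface, after nat
        return self._apply(src, dst, out_if, ("SNAT:T", "DNAT:T"))


def demo():
    """Assumed hosts: local 192.168.1.10 and remote 192.168.1.20, each addressing the other as 172.20.1.x."""
    r = Router(ENTRIES)
    out = r.forward("192.168.1.10", "172.20.1.20", "eth0", "tun0")      # local initiates
    back = r.forward("192.168.1.20", "172.20.1.10", "tun0", "eth0")     # remote replies
    r2 = Router(ENTRIES)
    inbound = r2.forward("192.168.1.20", "172.20.1.10", "tun0", "eth0") # remote initiates
    reply = r2.forward("192.168.1.10", "172.20.1.20", "eth0", "tun0")   # local replies
    # Without the two stateless entries the remote's reply is not recognised as a
    # reply (conntrack expects src 172.20.1.20 but sees 192.168.1.20), so it is
    # NATed afresh and reaches 192.168.1.10 from an address on its own subnet.
    r3 = Router([e for e in ENTRIES if ":" not in e[0]])
    r3.forward("192.168.1.10", "172.20.1.20", "eth0", "tun0")
    broken = r3.forward("192.168.1.20", "172.20.1.10", "tun0", "eth0")
    return out, back, inbound, reply, broken


if __name__ == "__main__":
    for name, pkt in zip(("out", "back", "inbound", "reply", "broken"), demo()):
        print(f"{name:8s} src {pkt[0]:>14s} -> dst {pkt[1]}")
```

The `broken` case shows why the stateless half has to live in the raw tables rather than in nat: the remote side's reply arrives with source 192.168.1.20, and conntrack will only match it to the SNATed connection if SNAT:P has already rewritten that source to 172.20.1.20 before conntrack looks at the packet. Likewise DNAT:T runs after nat POSTROUTING, so the stateful SNAT's conntrack entry is keyed on 172.20.1.20, not on the 192.168.1.20 that actually goes out on tun0.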
Tom

In the attached minimal config. the zone entry:

  p5  ipsec

produces the following error message:

  ERROR: Internal error in Shorewall::Chains::delete_jumps
  at /usr/share/shorewall/Shorewall/Chains.pm line 1922

Steven.
On Mon, 2011-08-15 at 17:34 +0100, Steven Jan Springl wrote:
> In the attached minimal config. the zone entry:
>
>   p5  ipsec
>
> produces the following error message:
>
>   ERROR: Internal error in Shorewall::Chains::delete_jumps
>   at /usr/share/shorewall/Shorewall/Chains.pm line 1922

Steven,

The attached patch eliminates the problem.

Thanks,
-Tom
On Monday 15 August 2011 18:09:12 Tom Eastep wrote:
> On Mon, 2011-08-15 at 17:34 +0100, Steven Jan Springl wrote:
> > In the attached minimal config. the zone entry:
> >
> >   p5  ipsec
> >
> > produces the following error message:
> >
> >   ERROR: Internal error in Shorewall::Chains::delete_jumps
> >   at /usr/share/shorewall/Shorewall/Chains.pm line 1922
>
> Steven,
>
> The attached patch eliminates the problem.
>
> Thanks,
> -Tom

Tom

Confirmed, the patch fixes the issue.

Thanks.

Steven.
On Mon, 2011-08-15 at 18:44 +0100, Steven Jan Springl wrote:
> Confirmed, the patch fixes the issue.

Thanks, Steven

-Tom
Tom

After creating a new capabilities file, the following message is produced:

  WARNING: Unknown capability (QUOTA_MATCH) ignored : /etc/shorewall2/capabilities (line 58)

Steven.
On Mon, 2011-08-15 at 20:20 +0100, Steven Jan Springl wrote:
> After creating a new capabilities file, the following message is produced:
>
>   WARNING: Unknown capability (QUOTA_MATCH)
>   ignored : /etc/shorewall2/capabilities (line 58)

Steven,

I started implementing QUOTA support then thought better of it. The
attached patch backs out what got added.

Thanks,
-Tom
On Monday 15 August 2011 20:33:41 Tom Eastep wrote:
> On Mon, 2011-08-15 at 20:20 +0100, Steven Jan Springl wrote:
> > After creating a new capabilities file, the following message is
> > produced:
> >
> >   WARNING: Unknown capability (QUOTA_MATCH)
> >   ignored : /etc/shorewall2/capabilities (line 58)
>
> Steven,
>
> I started implementing QUOTA support then thought better of it. The
> attached patch backs out what got added.
>
> Thanks,
> -Tom

Tom

Confirmed, the patch fixes the problem.

Thanks.

Steven.
On Mon, 2011-08-15 at 23:16 +0100, Steven Jan Springl wrote:
> Confirmed, the patch fixes the problem.

Thanks, Steven

-Tom
Tom

On a system that does not have Rawpost Table support, the attached config.
produces the following messages:

  iptables: No chain/target/match by that name.

  ERROR: Command "/usr/local/sbin/iptables -A eth0_out -s 88.88.88.2 -d 192.168.2.0/24 -j RAWDNAT --to-dest 10.2.0.0/16" Failed

Steven.
On Tue, 2011-08-16 at 21:12 +0100, Steven Jan Springl wrote:
> On a system that does not have Rawpost Table support, the attached config.
> produces the following messages:
>
>   iptables: No chain/target/match by that name.
>
>   ERROR: Command "/usr/local/sbin/iptables -A eth0_out -s 88.88.88.2 -d
>   192.168.2.0/24 -j RAWDNAT --to-dest 10.2.0.0/16" Failed

Steven,

I had originally implemented Stateless NAT using a separate file. When I
decided to use a single file, I neglected to check the Rawpost capability
and to remove the function that processed the other file. The attached
patch corrects both oversights.

Thanks,
-Tom
On Tuesday 16 August 2011 22:09:21 Tom Eastep wrote:
> On Tue, 2011-08-16 at 21:12 +0100, Steven Jan Springl wrote:
> > On a system that does not have Rawpost Table support, the attached
> > config. produces the following messages:
> >
> >   iptables: No chain/target/match by that name.
> >
> >   ERROR: Command "/usr/local/sbin/iptables -A eth0_out -s 88.88.88.2 -d
> >   192.168.2.0/24 -j RAWDNAT --to-dest 10.2.0.0/16" Failed
>
> Steven,
>
> I had originally implemented Stateless NAT using a separate file. When I
> decided to use a single file, I neglected to check the Rawpost
> capability and to remove the function that processed the other file. The
> attached patch corrects both oversights.
>
> Thanks,
> -Tom

Tom

Confirmed, the patch corrects the issue.

Thanks.

Steven.
Tom

On a system that does have Rawpost Table support, the attached config works
with 'shorewall start' but a 'shorewall debug start' produces the following
error messages:

  iptables: Bad built-in chain name.

  ERROR: Command "/usr/local/sbin/iptables :POSTROUTING ACCEPT [0:0]" Failed

Steven.
On Aug 16, 2011, at 2:30 PM, Steven Jan Springl wrote:
> On a system that does have Rawpost Table support, the attached config works
> with 'shorewall start' but a 'shorewall debug start' produces the following
> error messages:
>
>   iptables: Bad built-in chain name.
>
>   ERROR: Command "/usr/local/sbin/iptables :POSTROUTING ACCEPT [0:0]" Failed

Good catch, Steven

The attached patch seems to fix it.

-Tom
On Wednesday 17 August 2011 00:16:29 Tom Eastep wrote:
> On Aug 16, 2011, at 2:30 PM, Steven Jan Springl wrote:
> > On a system that does have Rawpost Table support, the attached config
> > works with 'shorewall start' but a 'shorewall debug start' produces the
> > following error messages:
> >
> >   iptables: Bad built-in chain name.
> >
> >   ERROR: Command "/usr/local/sbin/iptables :POSTROUTING ACCEPT [0:0]"
> >   Failed
>
> Good catch, Steven
>
> The attached patch seems to fix it.
>
> -Tom

Tom

Confirmed, the patch fixes the issue.

Thanks.

Steven.
On Wed, 2011-08-17 at 12:20 +0100, Steven Jan Springl wrote:
> Confirmed, the patch fixes the issue.

Thanks, Steven

-Tom