RC 1 is now available for testing.

Problems Corrected in RC 1:

1) The CT target in /etc/shorewall[6]/notrack now works with exclusion.

2) /sbin/shorewall6 is once again a file rather than a symbolic link. The latter proved difficult for rpm to cope with.

3) The 'show ipa' command now works; it was broken in one of the betas.

4) When providers were used in an IPv6 configuration, each time that Shorewall6 was started or restarted, entries as follows would be added to the IPv4 (!) routing rules:

       32767: from all lookup default

   One such entry would be added for each provider. Now, one such entry is added to the IPv6 routing rules, and only if that entry does not already exist.

New Features in RC 1:

1) A new option, USE_PHYSICAL_NAMES, has been added to shorewall.conf and shorewall6.conf.

   Normally, when the rules compiler creates a Netfilter chain that relates to an interface, the logical name of the interface is used as the base for the chain name. For example, if an interface has logical name OAKLAND and physical name eth0, then the primary chain for input arriving on that interface is normally 'OAKLAND_in'. When USE_PHYSICAL_NAMES=Yes, the name would be 'eth0_in'.

Thank you for testing,
-Tom

--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________

------------------------------------------------------------------------------
Write once. Port to many.
Get the SDK and tools to simplify cross-platform app development. Create
new or port existing apps to sell to consumers worldwide. Explore the
Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
http://p.sf.net/sfu/intel-appdev
Tom

If RELATED_DISPOSITION contains an invalid value, e.g.

    RELATED_DISPOSITION=Cat

the following incorrect error message is produced:

    ERROR: Invalid value (A_DROP) for MACLIST_DISPOSITION

Steven.
On 12/22/11 3:16 PM, Steven Jan Springl wrote:
>
> If RELATED_DISPOSITION contains an invalid value, e.g.
>
>     RELATED_DISPOSITION=Cat
>
> the following incorrect error message is produced:
>
>     ERROR: Invalid value (A_DROP) for MACLIST_DISPOSITION
>

Obvious patch attached. Thanks, Steven

-Tom
On Thursday 22 Dec 2011 23:48:49 Tom Eastep wrote:
> On 12/22/11 3:16 PM, Steven Jan Springl wrote:
> > If RELATED_DISPOSITION contains an invalid value, e.g.
> >
> >     RELATED_DISPOSITION=Cat
> >
> > the following incorrect error message is produced:
> >
> >     ERROR: Invalid value (A_DROP) for MACLIST_DISPOSITION
>
> Obvious patch attached.
>
> Thanks, Steven
>
> -Tom

Tom

Confirmed, the patch fixes the issue. Thanks.

Steven.
On 12/22/11 5:29 PM, Steven Jan Springl wrote:
>
> Confirmed, the patch fixes the issue.
>

Thanks, Steven

-Tom
Tom

Specifying the wrong protocol for a helper in notrack, e.g.

    CT:helper:ftp lan - udp 21

produces the following error messages:

    iptables: No chain/target/match by that name.
    ERROR: Command "/usr/local/sbin/iptables -A PREROUTING -p 17 --dport 21 -i eth0 -j CT --helper ftp" Failed

Steven
On 12/23/11 3:48 PM, Steven Jan Springl wrote:
> Specifying the wrong protocol for a helper in notrack, e.g.
>
>     CT:helper:ftp lan - udp 21
>
> produces the following error messages:
>
>     iptables: No chain/target/match by that name.
>     ERROR: Command "/usr/local/sbin/iptables -A PREROUTING -p 17 --dport 21 -i
>     eth0 -j CT --helper ftp" Failed
>

The attached patch applies to RC 2 -- not so sure about RC 1.

Thanks, Steven

-Tom
On Saturday 24 Dec 2011 01:35:09 Tom Eastep wrote:
> On 12/23/11 3:48 PM, Steven Jan Springl wrote:
> > Specifying the wrong protocol for a helper in notrack, e.g.
> >
> >     CT:helper:ftp lan - udp 21
> >
> > produces the following error messages:
> >
> >     iptables: No chain/target/match by that name.
> >     ERROR: Command "/usr/local/sbin/iptables -A PREROUTING -p 17 --dport 21
> >     -i eth0 -j CT --helper ftp" Failed
>
> The attached patch applies to RC 2 -- not so sure about RC 1.
>
> Thanks, Steven
>
> -Tom

Tom

I have applied the patch to RC2 and can confirm that it works.

-------------------------------------------------------------------------------

If an invalid helper is specified, e.g.

    CT:helper:cat lan - udp 21

the following error messages are produced:

    iptables: No chain/target/match by that name.
    ERROR: Command "/usr/local/sbin/iptables -A PREROUTING -p 6 --dport 21 -i eth0 -j CT --helper cat" Failed

Steven.
On Sat, 2011-12-24 at 14:21 +0000, Steven Jan Springl wrote:
>
> If an invalid helper is specified, e.g.
>
>     CT:helper:cat lan - udp 21
>
> the following error messages are produced:
>
>     iptables: No chain/target/match by that name.
>     ERROR: Command "/usr/local/sbin/iptables -A PREROUTING -p 6 --dport 21 -i eth0
>     -j CT --helper cat" Failed

Steven,

You should have received a warning:

    WARNING: Unrecognized helper cat

I chose to make that a warning rather than an error so that if a user wishes to specify a helper that Shorewall doesn't yet recognize, he or she won't be dead in the water.

Thoughts?

-Tom
On Sat, 2011-12-24 at 07:31 -0800, Tom Eastep wrote:
> On Sat, 2011-12-24 at 14:21 +0000, Steven Jan Springl wrote:
> >
> > If an invalid helper is specified, e.g.
> >
> >     CT:helper:cat lan - udp 21
> >
> > the following error messages are produced:
> >
> >     iptables: No chain/target/match by that name.
> >     ERROR: Command "/usr/local/sbin/iptables -A PREROUTING -p 6 --dport 21 -i eth0
> >     -j CT --helper cat" Failed
>
> Steven,
>
> You should have received a warning:
>
>     WARNING: Unrecognized helper (cat)
>
> I chose to make that a warning rather than an error so that if a user
> wishes to specify a helper that Shorewall doesn't yet recognize, he or
> she won't be dead in the water.
>
> Thoughts?

Also, after more careful study this morning, I have revised the %helpers table contents in Chains.pm to be as follows:

    %helpers = ( amanda     => TCP,
                 ftp        => TCP,
                 h323       => UDP,
                 irc        => TCP,
                 netbios_ns => UDP,
                 pptp       => TCP,
                 sane       => TCP,
                 sip        => UDP,
                 snmp       => UDP,
                 tftp       => UDP);

-Tom
On Saturday 24 Dec 2011 16:12:06 Tom Eastep wrote:
> On Sat, 2011-12-24 at 07:31 -0800, Tom Eastep wrote:
> > On Sat, 2011-12-24 at 14:21 +0000, Steven Jan Springl wrote:
> > > If an invalid helper is specified, e.g.
> > >
> > >     CT:helper:cat lan - udp 21
> > >
> > > the following error messages are produced:
> > >
> > >     iptables: No chain/target/match by that name.
> > >     ERROR: Command "/usr/local/sbin/iptables -A PREROUTING -p 6 --dport 21
> > >     -i eth0 -j CT --helper cat" Failed
> >
> > Steven,
> >
> > You should have received a warning:
> >
> >     WARNING: Unrecognized helper (cat)
> >
> > I chose to make that a warning rather than an error so that if a user
> > wishes to specify a helper that Shorewall doesn't yet recognize, he or
> > she won't be dead in the water.
> >
> > Thoughts?
>
> Also, after more careful study this morning, I have revised the %helpers
> table contents in Chains.pm to be as follows:
>
>     %helpers = ( amanda     => TCP,
>                  ftp        => TCP,
>                  h323       => UDP,
>                  irc        => TCP,
>                  netbios_ns => UDP,
>                  pptp       => TCP,
>                  sane       => TCP,
>                  sip        => UDP,
>                  snmp       => UDP,
>                  tftp       => UDP);
>
> -Tom

Tom

I did see the warning message.

The helpers table could be moved to a config file such as /usr/share/shorewall/CT_helpers. Users could simply add an entry if they need to.

Steven.
On Sat, 2011-12-24 at 16:20 +0000, Steven Jan Springl wrote:
>
> I did see the warning message.
>
> The helpers table could be moved to a config file such as
> /usr/share/shorewall/CT_helpers.
>
> Users could simply add an entry if they need to.

I've taken a look, and the most recently released helper is the one for Sane, whose copyright dates back to 2007. So I think that I'll just make this an error.

Note that even if I validate the name and protocol, there is no guarantee that the rule will load successfully; the only way that I could ensure that would be to create a detected capability for each of the helpers.

-Tom
On Sat, 2011-12-24 at 08:47 -0800, Tom Eastep wrote:
>
> I've taken a look, and the most recently released helper is the one for
> Sane, whose copyright dates back to 2007. So I think that I'll just make
> this an error. Note that even if I validate the name and protocol, there
> is no guarantee that the rule will load successfully; the only way that
> I could ensure that would be to create a detected capability for each of
> the helpers.

Here is the (hopefully) final patch against RC 2.

Thanks, Steven

-Tom
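The checks the thread converges on (an unrecognized helper and a helper paired with the wrong protocol both become compile-time errors rather than an iptables failure at load time), modelled as an added example. This is not Shorewall's code: the helper-to-protocol table is the revised %helpers table posted above, while the notrack column layout, the error wording and the shape of the emitted command (copied from the error output in this thread) are assumptions.

```python
import re

# Helper name -> the one protocol its conntrack helper is valid for
# (copied from the revised %helpers table Tom posted for Chains.pm).
HELPERS = {
    "amanda": "tcp", "ftp": "tcp", "h323": "udp", "irc": "tcp",
    "netbios_ns": "udp", "pptp": "tcp", "sane": "tcp", "sip": "udp",
    "snmp": "udp", "tftp": "udp",
}
PROTO_NUMBERS = {"tcp": 6, "udp": 17}  # the -p values seen in the thread

class NotrackError(ValueError):
    """An entry the compiler should reject before anything reaches iptables."""

def parse_ct_entry(line):
    """Split 'CT:helper:NAME SOURCE DEST PROTO DPORT' (column layout assumed
    from the thread's examples) into a dict of its fields."""
    fields = line.split()
    if len(fields) != 5:
        raise NotrackError(f"Expected 5 columns, found {len(fields)}: {line!r}")
    action, source, dest, proto, dport = fields
    match = re.fullmatch(r"CT:helper:(\w+)", action)
    if not match:
        raise NotrackError(f"Unsupported ACTION ({action})")
    return {"helper": match.group(1), "source": source, "dest": dest,
            "proto": proto.lower(), "dport": dport}

def validate_ct_entry(entry):
    """The two checks the thread settles on, both treated as errors: an
    unrecognized helper, and a known helper paired with the wrong protocol."""
    helper, proto = entry["helper"], entry["proto"]
    if helper not in HELPERS:
        raise NotrackError(f"Unrecognized helper ({helper})")
    if proto not in PROTO_NUMBERS:
        raise NotrackError(f"Invalid PROTO ({proto})")
    if HELPERS[helper] != proto:
        raise NotrackError(f"Helper {helper} requires "
                           f"{HELPERS[helper].upper()}, not {proto.upper()}")
    return entry

def compile_ct_rule(line, interface="eth0"):
    """Return ('OK', command) for a valid entry, mirroring the command shape in
    the thread's error output, or ('ERROR', message) so a bad entry fails at
    compile time instead of when iptables is run."""
    try:
        entry = validate_ct_entry(parse_ct_entry(line))
    except NotrackError as exc:
        return ("ERROR", str(exc))
    command = (f"/usr/local/sbin/iptables -A PREROUTING"
               f" -p {PROTO_NUMBERS[entry['proto']]} --dport {entry['dport']}"
               f" -i {interface} -j CT --helper {entry['helper']}")
    return ("OK", command)

# The three entries from the thread: valid, wrong protocol, unknown helper.
for sample in ("CT:helper:ftp lan - tcp 21", "CT:helper:ftp lan - udp 21",
               "CT:helper:cat lan - udp 21"):
    print(sample, "->", *compile_ct_rule(sample))
```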
On Dec 21, 2011 7:55 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>
> RC 1 is now available for testing.
>
> Problems Corrected in RC 1:
>
> 1) The CT target in /etc/shorewall[6]/notrack now works with exclusion.
>
> 2) /sbin/shorewall6 is once again a file rather than a symbolic
> link. The latter proved difficult for rpm to cope with.
>

Just wondering what the problem here was? If it's desirable to have it as a symlink, I can try and help fix the RPM issue.

Jonathan
On Sat, 2011-12-24 at 17:05 +0000, Jonathan Underwood wrote:
>
> On Dec 21, 2011 7:55 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
> >
> > 2) /sbin/shorewall6 is once again a file rather than a symbolic
> > link. The latter proved difficult for rpm to cope with.
> >
>
> Just wondering what the problem here was? If it's desirable to have it
> as a symlink, I can try and help fix the RPM issue.

Apparently, changing an existing file to a symbolic link in RPM isn't feasible, according to Tuomo Soini. I've reduced the size of the file to the point where having multiple copies under different names isn't an issue.

-Tom
On Dec 24, 2011 5:15 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>
> On Sat, 2011-12-24 at 17:05 +0000, Jonathan Underwood wrote:
> >
> > On Dec 21, 2011 7:55 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
> > >
> > > 2) /sbin/shorewall6 is once again a file rather than a symbolic
> > > link. The latter proved difficult for rpm to cope with.
> > >
> >
> > Just wondering what the problem here was? If it's desirable to have it
> > as a symlink, I can try and help fix the RPM issue.
>
> Apparently, changing an existing file to a symbolic link in RPM isn't
> feasible, according to Tuomo Soini. I've reduced the size of the file to
> the point where having multiple copies under different names isn't an
> issue.

Ah. That's true for directories, but should be possible for files afaik. But if it's a non-issue, I won't investigate further.
On Saturday 24 Dec 2011 16:55:55 Tom Eastep wrote:
> On Sat, 2011-12-24 at 08:47 -0800, Tom Eastep wrote:
> > I've taken a look, and the most recently released helper is the one for
> > Sane, whose copyright dates back to 2007. So I think that I'll just make
> > this an error. Note that even if I validate the name and protocol, there
> > is no guarantee that the rule will load successfully; the only way that
> > I could ensure that would be to create a detected capability for each of
> > the helpers.
>
> Here is the (hopefully) final patch against RC 2.
>
> Thanks, Steven
>
> -Tom

Tom

Confirmed, the patch corrects the issue. Thanks.

Steven.
On Dec 24, 2011, at 5:18 PM, Steven Jan Springl wrote:
>
> Confirmed, the patch corrects the issue.
>

Thanks, Steven

Merry Christmas,
-Tom