The Shorewall team is pleased to announce the availability of Shorewall
4.5.7.
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) This release includes the defect repair from Shorewall 4.5.6.2.
2) The command 'shorewall enable pppX' could fail with the ip diagnostic

Error: either "to" is duplicate, or "weight" is a garbage.

Shorewall now generates the correct ip command.
3) Optimization level 4 could previously combine two rules that each
specified the 'policy' match, leading to this iptables-restore failure:

policy match: multiple elements but no --strict

The optimizer now avoids combining such rules.
While this is a long-standing defect in the optimizer, it was
exposed by changes in Shorewall 4.5.6.
4) There were several cases where hard-wired directory names appeared
in the tarball installers. These have been replaced with the
appropriate shorewallrc variables.
5) A defect in RHEL 6.3 and derivatives causes 'shorewall show
capabilities' to leave an empty ipset in the configuration. The
same defect can cause the Shorewall compiler to similarly leave an
empty ipset behind.
This Shorewall release has a workaround for this problem.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) A new 'rpfilter' interface option has been added. Setting this
option requires kernel 3.4.0 or later and iptables 1.4.14 or later.
This option is similar to routefilter but without its disadvantages:
- Works with both IPv4 and IPv6
- Uses packet marks when doing the reverse path lookup, so works with
all Multi-ISP configurations.
- Uses standard Netfilter/Shorewall log messages controlled by the
RPFILTER_LOG_LEVEL setting in shorewall.conf(5).
- Disposition and auditing may be controlled using the
RPFILTER_DISPOSITION option in shorewall.conf(5).
This feature adds a new 'RPFilter Match' capability; if you use a
capabilities file, you should regenerate it using this release.
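The fragments below are an added example written for this page, not configuration shipped by the Shorewall project: they show an interfaces file that swaps the older routefilter option for rpfilter on a two-interface firewall, together with the two new shorewall.conf settings. The interface names eth0/eth1, the zone names net/loc, the other interface options and the 'info' log level are assumptions.

```text
# /etc/shorewall/interfaces, BEFORE: routefilter is the sysctl-based
# check, IPv4-only, and does not work with all Multi-ISP setups.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        -           routefilter,tcpflags,nosmurfs
loc     eth1        -           dhcp

# /etc/shorewall/interfaces, AFTER: rpfilter (kernel >= 3.4.0 and
# iptables >= 1.4.14) covers IPv4 and IPv6 and honours the provider
# packet marks, so it can be used on every interface, including the
# internal one, to refuse packets whose source does not route back
# out the interface they arrived on.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        -           rpfilter,tcpflags,nosmurfs
loc     eth1        -           rpfilter,dhcp

# /etc/shorewall/shorewall.conf: log each spoofed packet at 'info'
# through the standard Shorewall log mechanism and drop it.  The
# disposition also selects auditing (the A_ variants), as described
# above, on kernels that support the AUDIT target.
RPFILTER_LOG_LEVEL=info
RPFILTER_DISPOSITION=DROP
```

Before relying on this, run 'shorewall show capabilities' on the target host and confirm that the 'RPFilter Match' capability is reported; if you compile against a saved capabilities file, regenerate it with this release first, otherwise the compiler will not know the match is available.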
2) Beginning with the 3.3 kernels, Netfilter supports a form of
accounting (nfacct) that is triggered by iptables rules but that
survives purging and/or reloading the Netfilter ruleset. Shorewall
support for this form of accounting is added in this release.
As of this writing, Fedora 17 has only partial support for this
feature. It is necessary to download and build the following:
- libnetfilter_acct
- nfacct
The following Fedora packages are also required:
- libnetlink and libnetlink-dev
- libmnl and libmnl-dev
The tarballs are available from the Netfilter download sites.
The nfacct utility can create, delete and display nfacct
objects. Each named object consists of a packet counter and a byte
counter. Packets matching those Netfilter rules that use the nfacct
match cause the packet and byte counts in the object named in the
match to be incremented.
To use nfacct with Shorewall, use the NFACCT target. See
shorewall-accounting(5) for details.
The 'shorewall show nfacct' command is a thin wrapper around the
'nfacct list' command and displays all objects.
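As an added example (not taken from the release notes or from the Shorewall sources), the accounting entries below count web traffic into and out of an Internet-facing interface with the new NFACCT target, so that the counters outlive a 'shorewall restart'. The interface name eth0, the object names web-in and web-out, and the exact nfacct command lines in the comments are assumptions; check them against shorewall-accounting(5) and the nfacct utility on your system.

```text
# /etc/shorewall/accounting
#
# Plain COUNT rules keep their totals in the iptables rules themselves
# and so reset to zero every time the ruleset is reloaded.  NFACCT
# increments a named kernel object instead, which survives reloads.
#
# Create the objects once with the nfacct utility before the first
# 'shorewall start' (assumed command syntax):
#     nfacct add web-in
#     nfacct add web-out
#
# web-in:  HTTP/HTTPS requests arriving on eth0 (destination port 80/443)
# web-out: the matching replies leaving eth0 (source port 80/443)
#ACTION           CHAIN   SOURCE   DEST    PROTO   DPORT    SPORT
NFACCT(web-in)    -       eth0     -       tcp     80,443
NFACCT(web-out)   -       -        eth0    tcp     -        80,443
```

To read the totals use 'shorewall show nfacct' (all objects) or the nfacct utility directly; the packet and byte counts keep growing across 'shorewall restart' and 'shorewall stop', which is exactly what you want for a billing or baseline counter but means you must reset them deliberately when you need a fresh measurement.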
3) With the addition of the CT action to the /etc/shorewall[6]/notrack
file, the name of the file no longer accurately reflects the file's
purpose. In this release, the file has been renamed 'conntrack'.
The tarball installers will install 'conntrack' alongside an
existing 'notrack' file. If the 'notrack' file is non-empty, a
warning message is issued during compilation:

WARNING: Non-empty notrack file (...);
please move its contents to the conntrack file

This warning can be eliminated by removing the notrack file (if it
has no entries), or by moving its entries to the conntrack file and
removing the notrack file. Note that the conntrack file is always
populated with rules (see enhancement 5).
If the 'notrack' file exists and is empty, the first compilation
will remove it with the warning:

WARNING: Empty notrack file (...) removed
4) 'all' is now accepted as a zone name in the SOURCE column of
shorewall-conntrack(5). As in the rules file, it means all zones.
5) Because of the potential for attackers to subvert Netfilter helpers
like the one for FTP, the Netfilter team are in the process of
eliminating the automatic association of helpers to connections. In
the 3.5 kernel, it is possible to disable this automatic
association, and the team have announced that automatic association
will eventually be eliminated. While it is certainly more secure to
add explicit rules that create these associations, for Shorewall to
require users to add those rules would present a gross
inconvenience during a Shorewall upgrade.
To make Shorewall and kernel upgrades as smooth as possible,
several new features have been added in this release:
- Shorewall will automatically disable the kernel's automatic
association of helpers to connections on kernel 3.5 and later.
- An automatic association of helpers with connections that
performs the same function as in the pre-3.5 kernels has been
added. This automatic association is controlled by the new
AUTOHELPERS shorewall.conf option, which is set to 'Yes' by
default.
- A HELPER column has been added to /etc/shorewall/rules.
In the NEW section:
When the ACTION is ACCEPT, DNAT or REDIRECT, the specified
helper is automatically associated with the connection. HELPER
may be specified in action files, macros and in the rules file
itself.
In the RELATED section:
The rule will only match related connections that have the
named helper attached.
- The standard Macros for applications requiring a helper (FTP,
IRC, etc) have been modified to automatically specify the correct
helper in the HELPER column.
- HELPER is now a valid action in /etc/shorewall/rules. This action
requires that a helper be present in the HELPER column and causes
the specified helper to be associated with connections matching
the rule. No destination zone should be specified in HELPER
rules. HELPER rules allow specification of a helper for
connections that are ACCEPTed by the applicable policy.
Example:
loc->net policy is ACCEPT.
In /etc/shorewall/rules:
FTP(HELPER) loc -
or equivalently
HELPER loc - tcp 21 ; helper=ftp
- The set of enabled helpers (either by AUTOHELPERS=Yes or by the
HELPER column) can be tailored using the new HELPERS option in
shorewall.conf.
By making AUTOHELPERS=Yes the default, users can upgrade their
systems to a 3.5+ kernel without disrupting the operation of their
firewalls. Beyond such upgrades, we suggest setting AUTOHELPERS=No
and following one of two strategies:
- Use the HELPER column in the rules file to enable helpers as
needed (preferred); or
- Tailor the conntrack file to enable helpers on only those
connections that require them.
With either of these approaches, the list of available helpers can
be trimmed using the HELPERS option, and rules can be added to the
RELATED section of the rules file to further restrict the effect of
helpers.
The implementation of these new functions places conditional rules
in the /etc/shorewall[6]/conntrack file. These rules are included
conditionally based on the setting of AUTOHELPERS.
Example:

?if $AUTOHELPERS && __CT_TARGET
    ?if __FTP_HELPER
    CT:helper:ftp all - tcp 21
    ?endif
    ...
?endif

__FTP_HELPER evaluates to false if the HELPERS setting is
non-empty and 'ftp' is not listed in that setting.
For example, if you only need FTP access from your 'loc' zone, then
add this rule outside of the outer-most ?if....?endif shown above:

CT:helper:ftp loc - tcp 21

For an overview of Netfilter Helpers and Shorewall's support for
dealing with them, see http://www.shorewall.net/Helpers.html.
See https://home.regit.org/netfilter-en/secure-use-of-helpers/
for additional information.
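The following is an added example, not part of the release notes or of any file shipped with Shorewall, of the preferred strategy above: AUTOHELPERS turned off, the enabled helpers trimmed to ftp, the helper attached only by the FTP macro on the control connection, and the RELATED section used so that only data channels the ftp helper itself expected are accepted. The zone names loc and net, the loc->net policy, and the assumption that clients in loc reach FTP servers on the Internet are mine.

```text
# /etc/shorewall/shorewall.conf
# Do not let the kernel (or Shorewall's replacement for the pre-3.5
# behaviour) attach helpers to every connection; load only the ftp
# helper and let the rules file decide which connections get it.
AUTOHELPERS=No
HELPERS=ftp

# /etc/shorewall/rules
#
# RELATED connections are checked before NEW ones.  Accept a RELATED
# connection only if the ftp helper created the expectation for it:
# loc->net covers passive-mode data channels, net->loc covers
# active-mode ones.  RELATED connections with no helper attached, or
# with a different one, do not match here and fall through to
# Shorewall's default handling of the RELATED section.
SECTION RELATED
ACCEPT   loc   net   ; helper=ftp
ACCEPT   net   loc   ; helper=ftp

SECTION NEW
# The FTP macro now carries helper=ftp in its HELPER column, so the
# helper is associated with these control connections only; an
# attacker cannot get it attached to an arbitrary TCP session even
# though loc->net is ACCEPTed by policy.
FTP(ACCEPT)   loc   net
```

Two things to verify after 'shorewall restart': 'shorewall show capabilities' should list the CT target (the conditional rules above depend on __CT_TARGET), and an FTP transfer from loc should still work in both active and passive mode, while a RELATED connection that carries no ftp helper no longer matches the two RELATED rules.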
6) To make the spelling of the AUTO* shorewall[6].conf options
consistent, the AUTO_COMMENT option has been renamed
AUTOCOMMENT. AUTO_COMMENT is still accepted as an
alias. 'shorewall[6] update' will rename the option in the updated
.conf file.
7) The CT:helper action in the /etc/shorewall[6]/conntrack file
(formerly the notrack file) lacked flexibility. To allow different
options to be specified for each helper, the syntax of the
CT:helper action has been redesigned.
CT:helper:<helper>[(<option>=<value>[,...])]
where <option> is one of:
- ctevents
- expevents
Example:
CT:helper:ftp(expevents=new)
See shorewall-conntrack (5) for details.
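As an added example covering the second strategy from enhancement 5 and the per-helper option syntax from enhancement 7 (it is not from the release notes or from Shorewall's own conntrack file), the entries below go in the renamed /etc/shorewall/conntrack file and work together with AUTOHELPERS=No and HELPERS=ftp,tftp in shorewall.conf. The zone name loc, the two server addresses (documentation prefix 192.0.2.0/24, standing in for real hosts) and the choice of expevents=new for the ftp helper are assumptions.

```text
# /etc/shorewall/conntrack   (this file was /etc/shorewall/notrack
# before this release; the generated ?if $AUTOHELPERS ... ?endif
# block stays in the file but is inert once AUTOHELPERS=No)
#
# Attach the ftp helper only to control connections from 'loc' to the
# single FTP server we use, instead of to every tcp/21 connection from
# every zone as the conditional CT:helper:ftp all rule would.  The
# option in parentheses is the new per-helper syntax: expevents=new
# makes the kernel report the data-channel expectations the helper
# creates, which is what you would feed to conntrackd or ulogd.
#ACTION                         SOURCE   DEST          PROTO   DPORT
CT:helper:ftp(expevents=new)    loc      192.0.2.10    tcp     21
#
# Each helper carries its own option list; here tftp needs none, and
# it too is limited to one server rather than all of udp/69.
CT:helper:tftp                  loc      192.0.2.11    udp     69
```

Every helper named in this file must also appear in the HELPERS option once that option is non-empty (here ftp and tftp); listing a helper in HELPERS that no rule uses only loads the module for nothing, while omitting one that a rule uses leaves that rule without its helper.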
8) The deprecated /etc/shorewall[6]/blacklist files are no longer
installed. Existing files are still processed by the compiler. Note
that blacklist files may be converted to equivalent blrules files
using 'shorewall[6] update -b'.
9) "?IF", "?ELSE", "?ELSEIF" and "?END" are now case-insensitive so,
for example, they can be entered as "?if", "?else", "?elseif" and
"?end".
10) Optimization level 4 now locates short chains (3 rules or less)
that have a single reference and replaces that single reference with
the rules themselves.
Optimization level 8 now eliminates duplicate rules in the raw
table.
Thank you for using Shorewall.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________