Shorewall users - Dec 2012 - Shorewall 4.5.10 RC 1

RC 1 is now available for testing.

Problems Corrected since Beta 3:

1)  In Beta 3, if a rule with a SWITCH that included the chain name did
    not survive optimization, then ''echo'' would issue an error
when
    trying to initialize the corresponding Netfilter condition.

New/Changed Features since Beta 3:

1)  The compiler allows overriding the setting of ''inline'' on
the
    Shorewall standard actions within
    /etc/shorewall[6]/actions. Beware, however, that some of them
    don''t work when in-lined so the compiler will ignore the
''inline''
    option with a warning for those actions:

    	    Broadcast
	    DropSmurfs
	    Invalid
	    NonSyn
	    RST
	    TCPFlags

2)  In SWITCH columns, the name of the current Netfilter chain
    will be substituted for ''@0'' and ''@{0}''.

    Example (using alternative rule column specification):

    #ACTION 	   SOURCE      	    DEST   ...
    NFLOG	   net		    fw	   ; switch:@{0}_logall

    The name of the switch will be ''net2fw_logall''.

    Note 1: Non-alphanumeric characters other than ''_'' and
''-'' will be
    deleted from the chain name before substitution.

    Note 2: The chain name substituted is the one to which the rule is
    initially added. The rule may end up in a different chain due to
    optimization.

14) Optimization level 16 now suppresses duplicate rules in chains from
    all tables (it previously only suppressed duplicates in the
''raw''
    table).

    Non-adjacent rules containing ''mark'',
''connmark'', ''dscp'', ''ecn'',
    ''set'', ''tos'' or ''u32''
matches are not suppressed:

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
DESIGN Expert tips on starting your parallel project right.
http://goparallel.sourceforge.net/

> Thank you for testing,
I''ll be able to do a bit of testing after Tuesday.

------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
DESIGN Expert tips on starting your parallel project right.
http://goparallel.sourceforge.net/

On 12/2/12 3:37 PM, Mr Dash Four wrote:
> 
>> Thank you for testing,
> I''ll be able to do a bit of testing after Tuesday.
Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
DESIGN Expert tips on starting your parallel project right.
http://goparallel.sourceforge.net/

Tom

In the attached config. rule:

self(:)  all  all  udp  900

produces the following messages:

Use of uninitialized value $target in pattern match (m//) at 
/usr/share/shorewall/Shorewall/Rules.pm line 1146, <$currentfile> line 4.

Use of uninitialized value $target in concatenation (.) or string at 
/usr/share/shorewall/Shorewall/Rules.pm line 1148, <$currentfile> line 4.

Steven.


------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

On 12/4/12 1:03 PM, Steven Jan Springl wrote:
> In the attached config. rule:
> 
> self(:)  all  all  udp  900
> 
> produces the following messages:
> 
> Use of uninitialized value $target in pattern match (m//) at 
> /usr/share/shorewall/Shorewall/Rules.pm line 1146, <$currentfile>
line 4.
> 
> Use of uninitialized value $target in concatenation (.) or string at 
> /usr/share/shorewall/Shorewall/Rules.pm line 1148, <$currentfile>
line 4.
> 
The attached patch seems to resolve the issue.

Thanks Steven,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

On Wednesday 05 Dec 2012 04:08:37 Tom Eastep wrote:
> On 12/4/12 1:03 PM, Steven Jan Springl wrote:
> > In the attached config. rule:
> > 
> > self(:)  all  all  udp  900
> > 
> > produces the following messages:
> > 
> > Use of uninitialized value $target in pattern match (m//) at
> > /usr/share/shorewall/Shorewall/Rules.pm line 1146,
<$currentfile> line 4.
> > 
> > Use of uninitialized value $target in concatenation (.) or string at
> > /usr/share/shorewall/Shorewall/Rules.pm line 1148,
<$currentfile> line 4.
> 
> The attached patch seems to resolve the issue.
> 
> Thanks Steven,
> -Tom
Tom

Confirmed, the patch fixes the issue.

Thanks.

Steven.

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

> I''ll be able to do a bit of testing after Tuesday.
This is what I was able to find out so far:

1.

action.my_log
~~~~~~~~~~~~~
$1

rules
~~~~~
my_log(LOG:info(uid,tcp_options,ip_options,macdecode,tcp_sequence)):debug(uid,tcp_options,ip_options,macdecode,tcp_sequence)
$FW net

gets me "ERROR: Invalid ACTION (LOG:info(uid)"

2. 

action.my_log78901234567890
~~~~~~~~~~~~~~~~~~~~~~~~~~~
$1

3.

action.C_ACTION (inline)
~~~~~~~~~~~~~~~~~~~~~~~~
$1

rules
~~~~~
C_ACTION(dropBcast) $FW net
dropBcast $FW net


generates:

[...]
-A fw2net -j dropBcast -m comment --comment "C_ACTION"
-A fw2net -j dropBcast
[...]

Two issues here: 1. the above 2 statements are essentially the same, bar the
(auto-generated) comment (OPTIMIZE is set at 31); and 2. It would be nice if I
could disable the auto-generated comment by shorewall (new option in
"actions"?) and verify that OPTIMIZE works to remove the duplicate
statements in inline actions (that optimisation seems to work for normal
actions).

4. 

rules
~~~~~
my_log78901234567890(LOG:debug):info $FW net

gets me (note the extra space after "678") WARNING: Log Prefix
shortened to "Shorewall:my_log789012345678 "
and then generates a rule containing (again, note the extra space) ...
--log-prefix "Shorewall:my_log789012345678 "

5. 

rules
~~~~~
circ1(NonSyn) $FW net

gets me "ERROR: Invalid Action (NonSyn) in inline action" (circ1 is
indeed inlined) - isn''t that supposed to be (silently) ignored?

rules
~~~~~
circ1(RST) $FW net

gives no error, but the following rule is produced:
-A fw2net -p 6 --tcp-flags RST RST, -j DROP -m comment --comment
"circ1"

Is the comma after the second "RST" supposed to be there?

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

On 12/5/12 5:34 PM, Mr Dash Four wrote:
> 4. 
> 
> rules
> ~~~~~
> my_log78901234567890(LOG:debug):info $FW net
> 
> gets me (note the extra space after "678") WARNING: Log Prefix
shortened to "Shorewall:my_log789012345678 "
> and then generates a rule containing (again, note the extra space) ...
--log-prefix "Shorewall:my_log789012345678 "
> 
What is your LOGFORMAT setting? Does it end with a space character?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

> What is your LOGFORMAT setting? Does it end with a space character?
LOGFORMAT="Shorewall:%s:%s:"

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

On 12/05/2012 05:34 PM, Mr Dash Four wrote:
>
>> I''ll be able to do a bit of testing after Tuesday.
> This is what I was able to find out so far:
>
> 1.
>
> action.my_log
> ~~~~~~~~~~~~~
> $1
>
> rules
> ~~~~~
>
my_log(LOG:info(uid,tcp_options,ip_options,macdecode,tcp_sequence)):debug(uid,tcp_options,ip_options,macdecode,tcp_sequence)
$FW net
>
> gets me "ERROR: Invalid ACTION (LOG:info(uid)"
Patch PARAM.patch attached.
>
> 2.
>
> action.my_log78901234567890
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> $1
>
> 3.
>
> action.C_ACTION (inline)
> ~~~~~~~~~~~~~~~~~~~~~~~~
> $1
>
> rules
> ~~~~~
> C_ACTION(dropBcast) $FW net
> dropBcast $FW net
>
>
> generates:
>
> [...]
> -A fw2net -j dropBcast -m comment --comment "C_ACTION"
> -A fw2net -j dropBcast
> [...]
>
> Two issues here: 1. the above 2 statements are essentially the same, bar
the (auto-generated) comment (OPTIMIZE is set at 31); and 2. It would be nice if
I could disable the auto-generated comment by shorewall (new option in
"actions"?) and verify that OPTIMIZE works to remove the duplicate
statements in inline actions (that optimisation seems to work for normal
actions).
>
Number 1 will have to wait for 4.5.11.

For number 2, have you tried simply placing an empty COMMENT line as the 
first line of C_ACTION?
> 4.
>
> rules
> ~~~~~
> my_log78901234567890(LOG:debug):info $FW net
>
> gets me (note the extra space after "678") WARNING: Log Prefix
shortened to "Shorewall:my_log789012345678 "
> and then generates a rule containing (again, note the extra space) ...
--log-prefix "Shorewall:my_log789012345678 "
>
The space is there to separate the tag from the following
''IN='' in the
log message; without it, the log message reads 
...Shorewall:my_log7890123456789IN=eth0....
> 5.
>
> rules
> ~~~~~
> circ1(NonSyn) $FW net
>
> gets me "ERROR: Invalid Action (NonSyn) in inline action" (circ1
is indeed inlined) - isn''t that supposed to be (silently) ignored?
Looks like there is no target named ''nonSyn'' (note that the
standard
shorewall action is ''NotSyn'').
>
> rules
> ~~~~~
> circ1(RST) $FW net
>
> gives no error, but the following rule is produced:
> -A fw2net -p 6 --tcp-flags RST RST, -j DROP -m comment --comment
"circ1"
>
> Is the comma after the second "RST" supposed to be there?
Obviously not. COMMA.patch attached.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

On 12/06/2012 08:16 AM, Tom Eastep wrote:
> On 12/05/2012 05:34 PM, Mr Dash Four wrote:
>>
>>> I''ll be able to do a bit of testing after Tuesday.
>> This is what I was able to find out so far:
>>
>> 1.
>>
>> action.my_log
>> ~~~~~~~~~~~~~
>> $1
>>
>> rules
>> ~~~~~
>>
my_log(LOG:info(uid,tcp_options,ip_options,macdecode,tcp_sequence)):debug(uid,tcp_options,ip_options,macdecode,tcp_sequence)
>> $FW net
>>
>> gets me "ERROR: Invalid ACTION (LOG:info(uid)"
>
> Patch PARAM.patch attached.
My apologies -- that patch doesn''t apply cleanly against RC 1. Patch 
PARAM1.patch attached.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

> Patch PARAM.patch attached.
With the PARAM1.patch applied...

action.circ1
~~~~~~~~~~~~
$1 $2 $3

rules
~~~~~
circ1(LOG:info,$FW,net)

I get "ERROR: Unknown Interface (fw)"

Also:

actions
~~~~~~~
circ2 inline
circ3 inline

action.circ2
~~~~~~~~~~~~
circ3($1)

action.circ3
~~~~~~~~~~~~
$1

rules
~~~~~
circ2(LOG:info) $FW net

I get "ERROR: Invalid Action (circ2(LOG:info)) in inline action".
> For number 2, have you tried simply placing an empty COMMENT line as the
> first line of C_ACTION?
Yep, that does the trick.
> The space is there to separate the tag from the following
''IN='' in the
> log message; without it, the log message reads
> ...Shorewall:my_log7890123456789IN=eth0....
I get the same issue with NFLOG (in the form of --nflog-prefix
"Shorewall:log789012345678 ") where there is no such thing as
"IN=", at least not in 99% of all cases anyway.
> Looks like there is no target named ''nonSyn'' (note that
the standard
> shorewall action is ''NotSyn'').
Looks like I shouldn''t be relying on your shorewall announcements
(where you used "NonSyn") and should stick to reading the relevant man
pages instead. "NotSyn" works as expected though.
> Obviously not. COMMA.patch attached.
Works as expected this time.

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

On 12/6/12 4:37 PM, "Mr Dash Four" <mr.dash.four@googlemail.com>
wrote:
>
>> Patch PARAM.patch attached.
>With the PARAM1.patch applied...
>
>action.circ1
>~~~~~~~~~~~~
>$1 $2 $3
>
>rules
>~~~~~
>circ1(LOG:info,$FW,net)
>
>I get "ERROR: Unknown Interface (fw)"
Not a defect -- Within the body of a non-inlined action, the SOURCE column
cannot include a zone name.
>
>Also:
>
>actions
>~~~~~~~
>circ2 inline
>circ3 inline
>
>action.circ2
>~~~~~~~~~~~~
>circ3($1)
>
>action.circ3
>~~~~~~~~~~~~
>$1
>
>rules
>~~~~~
>circ2(LOG:info) $FW net
>
>I get "ERROR: Invalid Action (circ2(LOG:info)) in inline action".
I''ll look into that one.
>
>> The space is there to separate the tag from the following
''IN='' in the
>> log message; without it, the log message reads
>> ...Shorewall:my_log7890123456789IN=eth0....
>I get the same issue with NFLOG (in the form of --nflog-prefix
>"Shorewall:log789012345678 ") where there is no such thing as
"IN=", at
>least not in 99% of all cases anyway.
The syslog emulator in ulogd2 places IN= in every message and faithfully
reproduces this awkward xt_LOG behavior; thus I''m not changing it.

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.





------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

> Not a defect -- Within the body of a non-inlined action, the SOURCE column
> cannot include a zone name.
Didn''t know that. Should I assume (and test) for destination zones
then?
>> I get the same issue with NFLOG (in the form of --nflog-prefix
>> "Shorewall:log789012345678 ") where there is no such thing as
"IN=", at
>> least not in 99% of all cases anyway.
> 
> The syslog emulator in ulogd2 places IN= in every message and faithfully
> reproduces this awkward xt_LOG behavior; thus I''m not changing it.
xt_LOG is not the only filter in ulogd2. In fact, it is one of about a dozen
others. The likelihood that NFLOg''s xt_LOG will be used instead of the
LOG target is slim-to-none.

Why is it so difficult for you to change this and account for the extra space
then?

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

On 12/6/12 6:43 PM, "Mr Dash Four" <mr.dash.four@googlemail.com>
wrote:
>
>
>> Not a defect -- Within the body of a non-inlined action, the SOURCE
>>column
>> cannot include a zone name.
>Didn''t know that. Should I assume (and test) for destination zones
then?
Only in non-inlined actions.
>
>>> I get the same issue with NFLOG (in the form of --nflog-prefix
>>> "Shorewall:log789012345678 ") where there is no such
thing as "IN=", at
>>> least not in 99% of all cases anyway.
>> 
>> The syslog emulator in ulogd2 places IN= in every message and
faithfully
>> reproduces this awkward xt_LOG behavior; thus I''m not changing
it.
>xt_LOG is not the only filter in ulogd2. In fact, it is one of about a
>dozen others. The likelihood that NFLOg''s xt_LOG will be used
instead of
>the LOG target is slim-to-none.
I use it! And I''m not going to break my own firewall.

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.





------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

On 12/6/12 5:50 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>>
>>Also:
>>
>>actions
>>~~~~~~~
>>circ2 inline
>>circ3 inline
>>
>>action.circ2
>>~~~~~~~~~~~~
>>circ3($1)
>>
>>action.circ3
>>~~~~~~~~~~~~
>>$1
>>
>>rules
>>~~~~~
>>circ2(LOG:info) $FW net
>>
>>I get "ERROR: Invalid Action (circ2(LOG:info)) in inline
action".
>
>I''ll look into that one.
Patch TARGET.patch attached

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.





------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

On 12/6/12 7:03 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>On 12/6/12 6:43 PM, "Mr Dash Four"
<mr.dash.four@googlemail.com> wrote:
>
>>
>>
>>> Not a defect -- Within the body of a non-inlined action, the SOURCE
>>>column
>>> cannot include a zone name.
>>Didn''t know that. Should I assume (and test) for destination
zones then?
>
>Only in non-inlined actions.
Check that -- in ANY action body, zones are not allowed. They are only
allowed in rules and in macro bodies.

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.





------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

> I use it! And I''m not going to break my own firewall.
>   
Where have I asked you to or insisted on "breaking your own firewall"?
If there is a bug in xt_LOG (or its corresponding ulogd2 filter module) 
then it should be fixed.


------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

>> Only in non-inlined actions.
>>     
>
> Check that -- in ANY action body, zones are not allowed. They are only
> allowed in rules and in macro bodies.
>   
Noted.

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d