Shorewall users - Oct 2013 - Shorewall 4.5.21.2

Shorewall 4.5.21.2 is now available for download.

Problems Corrected:

1)  Previously, the AutoBL action would fail if the kernel and iptables
    did not support the Recent Match ''--reap'' option. A new
REAP_OPTION
    capability has been added to work around this issue.

2)  The Shorewall-core installer no longer reports an error from
''cp''
    stating that it could not stat the shorewallrc file.

3)  When a non-root user attempts to execute ''version -a'', the
CLI no
    longer attempts to get the version of the compiled
    firewall. Previously, the command issued the following diagnostic
    when run by non-root:

    	 /sbin/shorewall: /var/lib/shorewall/firewall: Permission denied

4)  Shorewall no longer uses ''fgrep'' thus allowing for use on
systems
    without that utility. All uses of ''fgrep'' have been
replaced by
    ''grep -F''.

5)  Placing |<mark> in the ACTION column of the tcrules file no longer
    raises a fatal compilation error.

6)  Support has been added to the Shorewall-core configure scripts and
    installer for Ubuntu Raring.

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk

On Mon, 21 Oct 2013 10:11:24 -0700
Tom Eastep <teastep@shorewall.net> wrote:
> Shorewall 4.5.21.2 is now available for download.
> 
> Problems Corrected:
> 
> <snip>
> 
> Thank you for using Shorewall,
> -Tom
  Thanks for this great app and all the work you put into it Tom!


  JB

-- 
Help spread the word! Learn about Jury Nullification! Help take back our country
from our corrupt: judicial system, police system and government!  www.fija.org


------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk

On 10/24/2013 9:53 AM, Wayne S wrote:
> I would like to log to multiple outputs, one to log file, second to
> PCAP file using NFLOG in ulogd.
> 
> I noticed some developer discussions in the past and followed some 
> possible ways to do this in policy: For example, I changed the
> policy:
> 
> net    all   DROP     $LOG to net    all   DROP:N2LOG
> 
> actions ~~~~~~ N2LOG     inline
> 
> action.N2LOG ~~~~~~~~~ Drop NFLOG(1,0,1) NFLOG(2,0,1)
> 
> I noticed that DROP  $LOG will insert the Drop chain before the log, 
> which filters a lot of cruft. However, I have to manually add it if I
> use DROP:N2LOG.
That''s correct. ''DROP'' in the POLICY column is the
same as ''DROP:Drop'',
since ''Drop'' is the default action for a DROP
policy.
> 
> Is this the correct way to go about this?
Yes.
> It seems to be working. I tried putting the N2LOG action in the log
> level, but that did not work (or macro). I was not clear on log level
> option.
I should add a ''shorewall-logging'' manpage. In the meantime,
see
http://www.shorewall.net/shorewall_logging.html
> The reason for inline is so the log tag is loc2fw instead an
> N2LOG chain. Is there another way to control the prefix without using
> inline?
''inline'' is certainly the most convenient. But within an
action, the
@chain and @disposition variables, together with the LOGPREFIX setting,
are used to form the log prefix. So if you include this in the action body:

	?set @chain @caller

then the logging will be correct. Note that you don''t really gain
anything by doing that; with that directive in the action body, each
invocation of N2LOG will generate a separate chain. So you may as well
just use ''inline''.
> 
> Also, I noticed that the manual says NFLOG(,0,1) will default to
> group 1 but in the ulogd stack it seems to go to group 0, also just
> NFLOG defaults to group 0. I''m running arch linux kernel
> 3.11.5-1-ARCH and ulogd Version 2.0.2 at the moment. With Arch,
> though, the moment can change often.
I''ll correct the documentation.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk

I would like to log to multiple outputs, one to log file, second to PCAP file
using NFLOG in ulogd.

I noticed some developer discussions in the past and followed some possible ways
to do this in policy:
For example, I changed the policy:

net    all   DROP     $LOG
to
net    all   DROP:N2LOG

actions
~~~~~~
N2LOG     inline

action.N2LOG
~~~~~~~~~
Drop
NFLOG(1,0,1)
NFLOG(2,0,1)

I noticed that DROP  $LOG will insert the Drop chain before the log, which
filters a lot of cruft.
However, I have to manually add it if I use DROP:N2LOG.

Is this the correct way to go about this? It seems to be working. I tried
putting the N2LOG action in the log level, but that did not work (or macro). I
was not clear on log level option. The reason for inline is so the log tag is
loc2fw instead an N2LOG chain. Is there another way to control the prefix
without using inline?

Also, I noticed that the manual says NFLOG(,0,1) will default to group 1 but in
the ulogd stack it seems to go to group 0, also just NFLOG defaults to group 0.
I''m running arch linux kernel 3.11.5-1-ARCH and ulogd Version 2.0.2 at
the moment. With Arch, though, the moment can change often.

Here is the working ulogd stack:
/etc/ulogd.conf
~~~~~~~~~~~
[global]
logfile="/var/log/ulogd.log"
loglevel=5
rmem=131071
bufsize=300000

plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib/ulogd/ulogd_output_PCAP.so"

# shorewall logging packets
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# capture bad packets
stack=log2:NFLOG,base1:BASE,pcap1:PCAP

[log1]
group=1
#sync=1

[log2]
group=2

[emu1]
file=/var/log/ulogd.syslogemu

[pcap1]

----------
Wayne S



------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk

On 21/10/13 18:11, Tom Eastep wrote:
> Shorewall 4.5.21.2 is now available for download.
<snip/>

Tom,

I am sorry that I didn''t find time to test the beta. I
couldn''t find a
set of bz2''s to download, so assumed I would have to do a git clone - 
was that right?

Anyway, when the 4.5.21.2 bz2''s were distributed to the mirrors, I
tried
to install them...
> Problems Corrected:
<snip/>
> 6)  Support has been added to the Shorewall-core configure scripts and
>      installer for Ubuntu Raring.
I''m sorry to say the fix did not work on my ubuntu raring system.

core configure and install run ok. shorewall-4 install is ok too.

BUT shorewall-init install fails with the line:

   ERROR: Unknown BUILD environment (ubuntu)


As I explained before, /etc/os-release contains two lines relevant to 
the failure:

ID=ubuntu
ID_LIKE=debian

However, your script''s BUILD detection inner case section examines this
file for an "ID" line, but it does not have a specific case for the 
string "ubuntu". I simply edited my own copy, cloned the
"debian"
section and made it handle "ubuntu" the same way, then the install
worked.

I''m not sure what should be done for the best long-term solution. 
Perhaps you should test for "ID_LIKE" first, and use that value if it 
exists, then only fall back to the bare "ID" test if a value
wasn''t found?

Thanks for trying,

Brian


------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk

On 10/24/2013 2:31 PM, Wayne S wrote:
> Although this scheme works for policy and rules to generate multiple
> NFLOG groups, is there a way to do this with the log level as used in
> shorewall.conf parameters, such as RPFILTER_LOG_LEVEL?
No.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk

On 10/24/2013 10:36 AM, Brian Burch wrote:
> On 21/10/13 18:11, Tom Eastep wrote:
>> Shorewall 4.5.21.2 is now available for download.
> <snip/>
> 
> Tom,
> 
> I am sorry that I didn''t find time to test the beta. I
couldn''t find a
> set of bz2''s to download, so assumed I would have to do a git
clone -
> was that right?
> 
> Anyway, when the 4.5.21.2 bz2''s were distributed to the mirrors, I
tried
> to install them...
> 
>> Problems Corrected:
> <snip/>
>> 6)  Support has been added to the Shorewall-core configure scripts and
>>      installer for Ubuntu Raring.
> 
> I''m sorry to say the fix did not work on my ubuntu raring system.
> 
> core configure and install run ok. shorewall-4 install is ok too.
> 
> BUT shorewall-init install fails with the line:
> 
>    ERROR: Unknown BUILD environment (ubuntu)
> 
> 
> As I explained before, /etc/os-release contains two lines relevant to 
> the failure:
> 
> ID=ubuntu
> ID_LIKE=debian
> 
> However, your script''s BUILD detection inner case section examines
this
> file for an "ID" line, but it does not have a specific case for
the
> string "ubuntu". I simply edited my own copy, cloned the
"debian"
> section and made it handle "ubuntu" the same way, then the
install worked.
> 
> I''m not sure what should be done for the best long-term solution. 
> Perhaps you should test for "ID_LIKE" first, and use that value
if it
> exists, then only fall back to the bare "ID" test if a value
wasn''t found?
> 
You reported the problem against Shorewall-core, not against
Shorewall-init. I tested Shorewall-core''s configure/installer on a
Raring system and installed Shorewall after that.

For Shorewall-init, the following workaround is still available:

	BUILD=debian ./install.sh

I''ll fix Shorewall-init in the next release.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk

Although this scheme works for policy and rules to generate multiple
NFLOG groups, is there a way to do this with the log level as used in
shorewall.conf parameters, such as RPFILTER_LOG_LEVEL?

Thanks
Wayne S


------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk

Although this scheme works for policy and rules to generate multiple
NFLOG groups, is there a way to do this with the log level as used in
shorewall.conf parameters, such as RPFILTER_LOG_LEVEL?

Thanks
Wayne S


------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk

On 24/10/13 21:39, Tom Eastep wrote:
> On 10/24/2013 10:36 AM, Brian Burch wrote:
>> On 21/10/13 18:11, Tom Eastep wrote:
>>> Shorewall 4.5.21.2 is now available for download.
>> <snip/>
>>
>> Tom,
>>
>> I am sorry that I didn''t find time to test the beta. I
couldn''t find a
>> set of bz2''s to download, so assumed I would have to do a git
clone -
>> was that right?
>>
>> Anyway, when the 4.5.21.2 bz2''s were distributed to the
mirrors, I tried
>> to install them...
>>
>>> Problems Corrected:
>> <snip/>
>>> 6)  Support has been added to the Shorewall-core configure scripts
and
>>>       installer for Ubuntu Raring.
>>
>> I''m sorry to say the fix did not work on my ubuntu raring
system.
>>
>> core configure and install run ok. shorewall-4 install is ok too.
>>
>> BUT shorewall-init install fails with the line:
>>
>>     ERROR: Unknown BUILD environment (ubuntu)
>>
>>
>> As I explained before, /etc/os-release contains two lines relevant to
>> the failure:
>>
>> ID=ubuntu
>> ID_LIKE=debian
>>
>> However, your script''s BUILD detection inner case section
examines this
>> file for an "ID" line, but it does not have a specific case
for the
>> string "ubuntu". I simply edited my own copy, cloned the
"debian"
>> section and made it handle "ubuntu" the same way, then the
install worked.
>>
>> I''m not sure what should be done for the best long-term
solution.
>> Perhaps you should test for "ID_LIKE" first, and use that
value if it
>> exists, then only fall back to the bare "ID" test if a value
wasn''t found?
>>
>
> You reported the problem against Shorewall-core, not against
> Shorewall-init. I tested Shorewall-core''s configure/installer on a
> Raring system and installed Shorewall after that.
>
> For Shorewall-init, the following workaround is still available:
>
> 	BUILD=debian ./install.sh
>
> I''ll fix Shorewall-init in the next release.
>
> -Tom
Thanks Tom.

Sorry about my confusion between core and init, but even now I''m not 
entirely clear what is going on during my installation process.

I run the recommended sequence: core/configure, core/install, 
shorewall-4/install, shorewall-init/install.

1. the source for configure is identical in all three bz2''s
2. configure (I think) creates ./shorewallrc in the current directory.
3. configure does not create or update ~/.shorewallrc
4. .shorewallrc is created by shorewall-4/install
5. shorewall-init/configure does not determine the value to be used as 
$BUILD, so does not store it in ~/.shorewallrc or ./shorewallrc
6. shorewall-init/install dynamically determines the value to be used as 
$BUILD

This seems prone to user errors (i.e. me)... am I missing an important 
concept?

Brian
>
------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
from
> the latest Intel processors and coprocessors. See abstracts and register
>
>
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
>
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk

On 10/25/2013 2:28 AM, Brian Burch wrote:
> Thanks Tom.
> 
> Sorry about my confusion between core and init, but even now I''m
not
> entirely clear what is going on during my installation process.
> 
> I run the recommended sequence: core/configure, core/install, 
> shorewall-4/install, shorewall-init/install.
> 
> 1. the source for configure is identical in all three bz2''s
> 2. configure (I think) creates ./shorewallrc in the current directory.
> 3. configure does not create or update ~/.shorewallrc
shorewall-core install.sh does that. Note that there was a defect that
required that the installer be run twice to create that file; that was
correcteed in 4.5.21.2.
> 4. .shorewallrc is created by shorewall-4/install
No -- see above.
> 5. shorewall-init/configure does not determine the value to be used as 
> $BUILD, so does not store it in ~/.shorewallrc or ./shorewallrc
shorewall-init has no business modifying or creating a shorewallrc file.
> 6. shorewall-init/install dynamically determines the value to be used as 
> $BUILD
> 
And as I stated in my previous post, that is a bug.

I have created 4.5.21.3 which I will release shortly. Distribution
maintainers may ignore that dot release, as it only contains changes to
the tarball installers. Attached is a log file of an install from
scratch on a Ubuntu Raring system.

Regards,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk