On 9/17/10 9:10 AM, Tom Eastep wrote:
> Beta 6 is now available for testing. Pay close attention to the
> Blacklisting change in this release; static blacklisting is incompatible
> with blacklisting in Beta 5.
> 
> Problems corrected:
> 
> 1)  'shorewall clear' (and 'shorewall6 clear') now work again (broken
>     in Beta 5).
> 
> 2)  To work around an issue in Netfilter/iptables, Shorewall now uses
>     state match rather than conntrack match for UNTRACKED state
>     matching.
> 
> New Features:
> 
> 1)  Blacklisting has undergone considerable change in Shorewall 4.4.13.
> 
>     a) Blacklisting is now based on zones rather than on interfaces and
>        host groups.
> 
>     b) Near compatibility with earlier releases is maintained.
> 

I've found a case where interface-related filtering like 'nosmurfs' and
'dhcp' is done before incoming blacklist filtering.

gateway:/etc/shorewall# cat zones
fw              firewall
loc             ip                        #Local Zone
net             ipv4            blacklist #Internet
drct            ipv4:loc

gateway:/etc/shorewall# cat interfaces
#ZONE  INTERFACE  BROADCAST OPTIONS
drct   INT_IF     detect    nets=dynamic,physical=...
net    COM_IF     detect    dhcp,optional,nosmurfs,physical=...
...

gateway:/etc/shorewall# cat hosts
#ZONE   HOST(S)                                 OPTIONS
loc     INT_IF:0.0.0.0/0
loc     COM_IF:10.1.10.0/24

The 'net' and 'loc' zones share COM_IF.

The generated ruleset:

Shorewall 4.4.13-Beta6 Chain COM_IF_in at gateway - Fri Sep 17 16:24:08 PDT 2010

Counters reset Fri Sep 17 15:16:00 PDT 2010

Chain COM_IF_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1580  110K smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW,UNTRACKED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
    0     0 loc-dmz    all  --  *      *       10.1.10.0/24         70.90.191.124/31
    1    69 loc-fw     all  --  *      *       10.1.10.0/24         0.0.0.0/0
   98  6109 net-fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0


Chain net-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  102  6353 blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW,UNTRACKED

COM_IF_fwd is similar.

I'm not sure whether or not I'll be able to do anything about this in
the short term.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
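
The chain listing above makes the ordering problem visible only if you trace the jumps by hand. As an added example (not part of Tom's message and not Shorewall code), the script below parses `iptables -L -v -n` output and reports every rule a packet passing through `COM_IF_in` is evaluated against before the first jump into `blacklst`, plus the subset of those that are terminating targets. The embedded listing is the one quoted in this message with the mail line-wrapping undone; the function names (`parse_listing`, `targets_before`, `terminal_before`) are my own.

```python
"""Audit traversal order in an `iptables -L -v -n` listing: which rules does a
packet meet before it reaches a given chain (here Shorewall's `blacklst`)?"""

import re

# Constructed sample: the two chains quoted in the message, one rule per line.
SAMPLE = """\
Chain COM_IF_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1580  110K smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW,UNTRACKED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
    0     0 loc-dmz    all  --  *      *       10.1.10.0/24         70.90.191.124/31
    1    69 loc-fw     all  --  *      *       10.1.10.0/24         0.0.0.0/0
   98  6109 net-fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  102  6353 blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW,UNTRACKED
"""

# Built-in targets that stop evaluation of the current chain (or of the packet).
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}


def parse_listing(text):
    """Parse `iptables -L -v -n` output into {chain_name: [rule_dict, ...]}."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        fields = line.split()
        # Skip blank lines, the column header, and anything too short to be a rule.
        if current is None or not fields or fields[0] == "pkts" or len(fields) < 9:
            continue
        # Columns: pkts bytes target prot opt in out source destination [matches...]
        _pkts, _bytes, target, prot, _opt, in_if, out_if, src, dst = fields[:9]
        chains[current].append({
            "target": target, "prot": prot, "in": in_if, "out": out_if,
            "source": src, "destination": dst, "extra": " ".join(fields[9:]),
        })
    return chains


def targets_before(chains, start, goal):
    """Rules evaluated, in traversal order, before the first jump to `goal`
    for a packet entering chain `start`; None if `goal` is unreachable.
    User-defined chains are followed depth-first, as netfilter does."""
    seen = []

    def walk(chain):
        for rule in chains.get(chain, []):
            if rule["target"] == goal:
                return True
            seen.append(f"{chain}: {rule['target']} {rule['extra']}".rstrip())
            if rule["target"] not in TERMINAL and rule["target"] in chains:
                if walk(rule["target"]):
                    return True
        return False

    return seen if walk(start) else None


def terminal_before(chains, start, goal):
    """Only the terminating rules (ACCEPT/DROP/REJECT/RETURN) that can end
    evaluation before `goal` is ever consulted."""
    path = targets_before(chains, start, goal) or []
    return [r for r in path if r.split()[1] in TERMINAL]


if __name__ == "__main__":
    chains = parse_listing(SAMPLE)
    for r in targets_before(chains, "COM_IF_in", "blacklst"):
        print("before blacklst:", r)
    print("terminating before blacklst:", terminal_before(chains, "COM_IF_in", "blacklst"))
```

Run against the listing from this message it shows `smurfs`, the `dhcp` ACCEPT, `loc-dmz`, `loc-fw` and the jump to `net-fw` all preceding the `blacklst` jump, with the `udp dpts:67:68` ACCEPT as the one terminating rule that can end evaluation before the blacklist is consulted. Feeding it a live `iptables -L -v -n` dump is a quick way to confirm whether a given build orders the zone blacklist ahead of the interface options.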
