RC 1 is now available for testing.

Problems corrected:

1)  The obsolete PKTTYPE option has been removed from shorewall.conf
    and the associated manpage.

2)  The iptables 1.4.11 release produces an error when negative numbers
    are specified for IPMARK mask values. Shorewall now converts such
    numbers to their 32-bit hex equivalent.

3)  Previously, before /etc/shorewall6/params was processed, the
    IPv4 Shorewall libraries (/usr/share/shorewall/lib.*) were
    loaded rather than the IPv6 versions (/usr/share/shorewall6/lib.*).
    Now, the correct libraries are loaded.

Note the change of keywords (filter->sfilter and FILTER->SFILTER) in
this item from Beta 5.

4)  Network developers have discovered an exploit that allows hosts to
    poke holes in a firewall. The known ways to protect against the
    exploit are:

    a)  rt_filter (Shorewall's routefilter). Only applicable to IPv4
        and can't be used with some multi-ISP configurations.

    b)  Insert a DROP rule that prevents hairpinning (routeback). The
        rule must be inserted before any ESTABLISHED,RELATED firewall
        rules. This approach is not appropriate for bridges and other
        cases, where the 'routeback' option is specified or implied.

    For non-routeback interfaces, Shorewall and Shorewall6 will insert
    a hairpin rule, provided that the routefilter option is not
    specified. The rule will dispose of hairpins according to the
    setting of two new options in shorewall.conf and shorewall6.conf:

    SFILTER_LOG_LEVEL
        Specifies the logging level; default is 'info'. To omit
        logging, specify SFILTER_LOG_LEVEL=none.

    SFILTER_DISPOSITION
        Specifies the disposition. Default is DROP and the possible
        values are DROP, A_DROP, REJECT and A_REJECT.

    To deal with bridges and other routeback interfaces, there is now
    an 'sfilter' option in /etc/shorewall/interfaces and
    /etc/shorewall6/interfaces.

    The value of the 'sfilter' option is a list of network addresses
    enclosed in parentheses. Where only a single address is listed,
    the parentheses may be omitted. When a packet from a
    source-filtered address is received on the interface, it is
    disposed of based on the new SFILTER_ options described above.

    For a bridge or other routeback interface, you should list all of
    your other local networks (those networks not attached to the
    bridge) in the bridge's sfilter list.

    Example:

        My DMZ is 2001:470:b:227::40/124

        My local interface (br1) is a bridge.

        In /etc/shorewall6/interfaces, I have:

        #ZONE INTERFACE BROADCAST OPTIONS
        loc   br1       -         sfilter=2001:470:b:227::40/124
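
    The following is an added illustration, not Shorewall's own code: a
    small Python evaluator that walks constructed packets through the
    decisions item 4 describes (the hairpin rule on non-routeback
    interfaces, the 'sfilter' list on routeback interfaces, and the
    SFILTER_DISPOSITION / SFILTER_LOG_LEVEL settings), using the bridge and
    DMZ addresses from the example above. The class names, the packet
    fields, the log-line format and the other interface 'eth1' are
    assumptions made for the illustration.

```python
"""Walk-through of the sfilter / hairpin decision (added example, not Shorewall code).

Assumptions: interface, config and packet layouts below are invented for the
illustration; the log-line format is likewise assumed, not Shorewall's.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    routeback: bool = False                       # bridges imply routeback
    sfilter: list = field(default_factory=list)   # networks from sfilter=(...)
    routefilter: bool = False                     # routefilter option (IPv4 only)


@dataclass
class Config:
    sfilter_disposition: str = "DROP"             # DROP, A_DROP, REJECT, A_REJECT
    sfilter_log_level: str = "info"               # 'none' suppresses logging
    interfaces: dict = field(default_factory=dict)


@dataclass
class Packet:
    in_if: str
    out_if: str                  # interface chosen by the routing decision
    src: str
    established: bool = False    # conntrack ESTABLISHED/RELATED state


VALID_DISPOSITIONS = {"DROP", "A_DROP", "REJECT", "A_REJECT"}


def sfilter_verdict(cfg, pkt):
    """Return (verdict, log_line_or_None) for a forwarded packet.

    The hairpin and sfilter checks run before the ESTABLISHED,RELATED
    shortcut, which is the ordering item 4 b) calls for: a spoofed packet
    must not be let through by the state match.
    """
    if cfg.sfilter_disposition not in VALID_DISPOSITIONS:
        raise ValueError(f"bad SFILTER_DISPOSITION {cfg.sfilter_disposition!r}")
    iface = cfg.interfaces[pkt.in_if]
    reason = None

    # Non-routeback interface without routefilter: a packet routed back out
    # the interface it arrived on is a hairpin.
    if not iface.routeback and not iface.routefilter and pkt.in_if == pkt.out_if:
        reason = "hairpin"

    # Any interface with an sfilter list: the source must not belong to one
    # of the listed (other local) networks.
    if reason is None and iface.sfilter:
        src = ipaddress.ip_address(pkt.src)
        for net in iface.sfilter:
            if src in ipaddress.ip_network(net, strict=False):
                reason = f"source in sfilter net {net}"
                break

    if reason is not None:
        log = None
        if cfg.sfilter_log_level.lower() != "none":
            # Assumed log-line shape, for illustration only.
            log = (f"Shorewall:sfilter:{cfg.sfilter_disposition}: IN={pkt.in_if} "
                   f"OUT={pkt.out_if} SRC={pkt.src} ({reason})")
        return cfg.sfilter_disposition, log
    if pkt.established:
        return "ACCEPT", None
    return "CONTINUE", None      # fall through to the ordinary zone rules


def demo():
    """Constructed packets against the release note's bridge/DMZ example."""
    cfg = Config(interfaces={
        "br1": Interface("br1", routeback=True, sfilter=["2001:470:b:227::40/124"]),
        "eth1": Interface("eth1"),                # assumed non-routeback interface
    })
    packets = [
        Packet("br1", "eth1", "2001:470:b:227::42", established=True),  # DMZ source on the bridge
        Packet("br1", "eth1", "2001:db8:1::10"),                        # legitimate bridge host
        Packet("eth1", "eth1", "2001:db8:2::5", established=True),      # hairpin on eth1
        Packet("eth1", "br1", "2001:db8:2::5", established=True),       # ordinary forwarded reply
    ]
    return [sfilter_verdict(cfg, p)[0] for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

    The first and third constructed packets are disposed of by the new
    SFILTER_DISPOSITION even though they carry an ESTABLISHED state, which is
    why the rule has to sit ahead of the ESTABLISHED,RELATED rules.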

New Features:

1)  The Shorewall and Shorewall6 configuration files (including the
    samples) are now annotated with documentation from the associated
    manpage.

    The installers for these two packages support a -p (plain)
    option that installs unannotated versions of the packages. Both
    versions are available in the configfiles directory within the
    tarball.

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel