The Shorewall Team is pleased to announce the availability of Shorewall 
4.5.4.

----------------------------------------------------------------------------
   I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  This release includes all defect repairs from Shorewall 4.5.3.1.

2)  When EXPORTMODULES=No in shorewall.conf, the following errors were
     issued:

     /usr/share/shorewall/modules: line 19: ?INCLUDE: command not found
     /usr/share/shorewall/modules: line 23: ?INCLUDE: command not found
     /usr/share/shorewall/modules: line 27: ?INCLUDE: command not found
     /usr/share/shorewall/modules: line 31: ?INCLUDE: command not found
     /usr/share/shorewall/modules: line 35: ?INCLUDE: command not found
     /usr/share/shorewall/modules: line 39: ?INCLUDE: command not found

     These messages have been eliminated.

3)  If the configuration settings in the PACKET MARK LAYOUT section of
     shorewall.conf (shorewall6.conf) had empty settings, the 'update'
     command would previously set them to their default settings. It now
     leaves them empty.

4)  Previously, Shorewall used 'unreachable' routes to null-route the
     RFC1918 subnets. This approach has two drawbacks:

     - It can cause problems for IPSEC in that it can cause packets to
       be rejected rather than encrypted and forwarded.

     - It can return 'host unreachable' ICMPs to other systems that
       attempt to route RFC1918 addresses through the firewall.

     To eliminate these problems, Shorewall now uses 'blackhole' routes.
     Such routes don't interfere with IPSEC and silently drop packets
     rather than return an ICMP.

5)  The 'default' routing table is now cleared if there are no
     'fallback' providers.

----------------------------------------------------------------------------
            I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
     the firewall before interfaces are brought up.

----------------------------------------------------------------------------
       I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  The TPROXY tcrules action introduced in Shorewall 4.4.7 was
     incomplete and required additional rules to be added in the 'start'
     or 'started' extension scripts.

     In this release, the TPROXY implementation has been changed and an
     additional DIVERT action has been created. Because the new TPROXY
     has a different set of parameters than the prior one, the tcrules
     file now supports two formats:

     FORMAT 1 - (default, deprecated)

         The TPROXY action allows three arguments, the first of which
         ('mark') is required.

     FORMAT 2

        The TPROXY action has two optional arguments; these are the
        second and third arguments to the format-1 TPROXY:

            port -- the port on which the proxy is listening. While
                    this argument is optional, it will normally be
                    supplied.

            ip address -- The address on which the proxy is listening.

     The file format is specified by a line like this:

        FORMAT {1|2}

     The Sample configurations have been updated to use FORMAT 2.

     The format-2 tcrules file also supports the DIVERT action. The
     DIVERT action directs matching packets to the local system if there
     is a transparent socket in the local system that matches the
     destination of the packet. DIVERT is used to redirect response
     packets from remote web servers back to the proxy process
     running on the firewall rather than being routed directly back to
     the client.

     Finally, the providers file supports a new 'tproxy' option. When
     'tproxy' is specified:

     - It must be the only OPTION given
     - The MARK, DUPLICATE and GATEWAY columns must be empty.
     - The loopback device (lo) should be specified as the INTERFACE.

     The 'tproxy' option causes a reserved mark value to be associated
     with the provider and for its associated routing rule to have
     priority 1.

     Here is the TPROXY configuration at shorewall.net:

     interfaces:

       FORMAT 2
       #ZONE    INTERFACE       OPTIONS
       net      eth0            ...
       net      eth1            ...
       loc      eth2            ...
       -        lo              ignore

     tcrules:

       FORMAT 2
       #ACTION                   SOURCE  DEST    PROTO   DEST    SOURCE
       #                                                 PORT(S) PORT(S)
       DIVERT                    eth1    -       tcp     -       80
       DIVERT                    eth0    -       tcp     -       80
       TPROXY(3129,172.20.1.254) eth2    -       tcp     80

     providers:

       #NAME  NUMBER MARK DUPLICATE INTERFACE GATEWAY   OPTIONS
       ...
       Squid  3     -    -          lo       -          tproxy

     /etc/squid3/squid.conf:

         ...
         http_port 172.20.1.254:3129 tproxy
         ...
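     As an added illustration (not part of the release notes or of the
     Shorewall compiler), a small Python checker that applies the three
     'tproxy' provider constraints listed above to a providers file. The
     column names follow the providers layout shown above; both sample
     files are constructed for the example, and the second one breaks
     three of the constraints on purpose.

```python
"""Check the 'tproxy' provider constraints from the release notes (added example)."""

# Column order of the providers file as shown in the release notes.
COLUMNS = ("name", "number", "mark", "duplicate", "interface", "gateway", "options")

# Constructed samples: the first mirrors the shorewall.net entry, the second
# deliberately violates three constraints (MARK set, wrong INTERFACE, extra option).
PROVIDERS_OK = """\
#NAME  NUMBER MARK DUPLICATE INTERFACE GATEWAY   OPTIONS
Squid  3      -    -         lo        -         tproxy
"""
PROVIDERS_BAD = """\
#NAME  NUMBER MARK  DUPLICATE INTERFACE GATEWAY   OPTIONS
Squid  3      0x100 -         eth0      -         tproxy,balance
"""

def parse_providers(text):
    """Turn each non-comment line into a dict keyed by COLUMNS; '-' marks an empty column."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        fields += ["-"] * (len(COLUMNS) - len(fields))   # omitted trailing columns are empty
        entries.append(dict(zip(COLUMNS, fields)))
    return entries

def tproxy_problems(entry):
    """Return the constraint violations for one provider; [] means it passes.

    Only providers whose OPTIONS include 'tproxy' are checked."""
    options = [o for o in entry["options"].split(",") if o and o != "-"]
    if "tproxy" not in options:
        return []
    problems = []
    if len(options) != 1:
        problems.append("tproxy must be the only OPTION")
    for col in ("mark", "duplicate", "gateway"):
        if entry[col] != "-":
            problems.append(f"{col.upper()} column must be empty")
    if entry["interface"] != "lo":
        problems.append("INTERFACE should be lo")
    return problems

def check_providers(text):
    """Map provider NAME -> list of problems for every provider in the file."""
    return {e["name"]: tproxy_problems(e) for e in parse_providers(text)}
```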

2)  With some misgivings, this release adds support for the geoip match
     feature available in xtables-addons. Geoip allows matching of the
     source or destination IP address by ISO 3661 country codes. The
     Shorewall support requires xtables-addons 1.33 or later.

     The support is implemented in the form of extended syntax in the
     SOURCE and DEST columns of the rules file.

     To specify a single country code, add a caret prefix ('^').

     Example: ^A1

     To specify multiple country codes, enter them as a
     comma-separated list enclosed in square brackets ('[...]') with a
     caret prefix ('^').

     Example: ^[A1,A2]

     A listing of two-character country codes is available at
     http://www.shorewall.net/ISO-3661.html.

     Example rule - Drop email from Anonymous Proxies and Satellite
                   Providers:

     #ACTION       SOURCE               DEST    PROTO   DEST
     #                                                  PORT(S)
     DROP:info     net:^[A1,A2]         dmz     tcp     25

     The compiler determines the set of valid country codes by examining
     the geoip database which is normally installed in
     /usr/share/xt_geoip/. There are two sub-directories at that
     location:

         BE - The big-endian database.
         LE - The little-endian database.

     To accommodate both big-endian and little-endian machines and
     to allow the database to be installed elsewhere, a GEOIPDIR option
     has been added in shorewall.conf and shorewall6.conf. The default
     setting is "/usr/share/xt_geoip/LE" since Shorewall is normally
     installed on little-endian machines.
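     As an added example (not code from the release notes or from the
     Shorewall compiler), a Python parser for the caret syntax described
     above that also rejects unknown codes, which is the compile-time
     check the compiler performs against the GEOIPDIR listing. The set of
     valid codes and the rules-file excerpt are constructed here; a real
     compile derives the set from the database directory.

```python
"""Parse the geoip (^XX / ^[XX,YY]) qualifier in rules SOURCE/DEST columns (added example)."""
import re

# Constructed stand-in for the code set the compiler derives from GEOIPDIR.
VALID_CODES = {"A1", "A2", "US", "DE"}

# ^XX or ^[XX,YY,...] with two-character codes (A1/A2 contain a digit).
CARET_RE = re.compile(r"^\^(?:\[([A-Z0-9]{2}(?:,[A-Z0-9]{2})*)\]|([A-Z0-9]{2}))$")

def parse_geoip_column(column, valid_codes=VALID_CODES):
    """Return (zone, codes) for a rules SOURCE or DEST column.

    'dmz'          -> ('dmz', [])          no qualifier
    'net:^A1'      -> ('net', ['A1'])      single code
    'net:^[A1,A2]' -> ('net', ['A1', 'A2'])
    A non-geoip qualifier such as 'loc:192.168.1.0/24' yields no codes.
    A malformed caret qualifier or an unknown code raises ValueError,
    standing in for the compiler's error."""
    zone, _, qualifier = column.partition(":")
    if not qualifier.startswith("^"):
        return zone, []
    m = CARET_RE.match(qualifier)
    if not m:
        raise ValueError(f"malformed geoip qualifier: {qualifier}")
    codes = (m.group(1) or m.group(2)).split(",")
    unknown = [c for c in codes if c not in valid_codes]
    if unknown:
        raise ValueError(f"unknown country code(s): {','.join(unknown)}")
    return zone, codes

# Constructed rules-file excerpt; the first rule is the one from the notes.
RULES = """\
#ACTION       SOURCE               DEST    PROTO   DEST
#                                                  PORT(S)
DROP:info     net:^[A1,A2]         dmz     tcp     25
ACCEPT        net:^US              dmz     tcp     443
ACCEPT        loc:192.168.1.0/24   net
"""

def geoip_rules(text):
    """List (action, source_codes, dest_codes) for every rule that uses geoip."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        action, source = fields[0], fields[1]
        dest = fields[2] if len(fields) > 2 else "-"
        _, src_codes = parse_geoip_column(source)
        _, dst_codes = parse_geoip_column(dest)
        if src_codes or dst_codes:
            found.append((action, src_codes, dst_codes))
    return found
```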

3)  OPTIMIZE level 4 now performs an additional optimization. If the
     last rule in a chain is an unqualified jump to a simple target,
     then all immediately preceding rules with the same simple target
     are omitted.

     For example, consider this chain:

        -A fw-net -p udp --dport 67:68 -j ACCEPT
        -A fw-net -p udp --sport 1194 -j ACCEPT
        -A fw-net -p 41 -j ACCEPT
        -A fw-net -j ACCEPT

     Since all of the rules are jumps to the simple target ACCEPT, this
     chain is totally optimized away and jumps to 'fw-net' are replaced
     with jumps to ACCEPT.

     As part of this enhancement, when both OPTIMIZE level 1 and level 4
     are selected, the level 1 optimization step is skipped because it
     is now a limited subset of level 4.
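     To make the level 4 step concrete, here is an added Python model of
     it (not the Shorewall compiler's Perl code): it trims a chain's
     trailing run of rules that jump to the same simple target as an
     unqualified final jump, drops any chain that collapses to that single
     jump, and rewrites jumps to such a chain. Which targets count as
     'simple' is an assumption here; the sample chains are constructed,
     the first being the fw-net example above.

```python
"""Model of the OPTIMIZE level 4 chain optimization described above (added example)."""
import re

# Assumption: targets with no options and that are not user chains count as simple.
SIMPLE_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN"}
RULE_RE = re.compile(r"^-A (\S+)(?: (.*?))? -j (\S+)$")

def parse_rule(rule):
    """'-A fw-net -p 41 -j ACCEPT' -> ('fw-net', '-p 41', 'ACCEPT'); matches may be ''."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    return m.group(1), m.group(2) or "", m.group(3)

def format_rule(chain, matches, target):
    return " ".join(p for p in ("-A", chain, matches, "-j", target) if p)

def optimize_level4(chains):
    """Apply the level-4 step to {chain_name: [rule strings]}.

    If a chain's last rule is an unqualified jump to a simple target, the
    immediately preceding rules jumping to that same target are omitted.
    A chain left with only the unqualified jump is removed entirely and
    every jump to it elsewhere is rewritten to jump to the target."""
    kept = {}
    collapsed = {}   # chain name -> simple target it reduced to
    for name, rules in chains.items():
        parsed = [parse_rule(r) for r in rules]
        if parsed and parsed[-1][1] == "" and parsed[-1][2] in SIMPLE_TARGETS:
            target = parsed[-1][2]
            while len(parsed) > 1 and parsed[-2][2] == target:
                del parsed[-2]          # redundant: the final jump catches it anyway
            if len(parsed) == 1:
                collapsed[name] = target
                continue
        kept[name] = parsed
    return {name: [format_rule(c, m, collapsed.get(t, t)) for c, m, t in parsed]
            for name, parsed in kept.items()}

# Constructed input: the fw-net chain from the notes, a caller of it, and a
# chain that is only partially trimmed because its targets differ.
EXAMPLE_CHAINS = {
    "fw-net": ["-A fw-net -p udp --dport 67:68 -j ACCEPT",
               "-A fw-net -p udp --sport 1194 -j ACCEPT",
               "-A fw-net -p 41 -j ACCEPT",
               "-A fw-net -j ACCEPT"],
    "OUTPUT": ["-A OUTPUT -o eth0 -j fw-net"],
    "net-fw": ["-A net-fw -p tcp --dport 22 -j ACCEPT",
               "-A net-fw -p icmp -j DROP",
               "-A net-fw -j DROP"],
}
```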

4)  Tuomo Soini contributed a macro for MS SQL (macro.MSSQL).

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
