The Shorewall team is pleased to announce the availability of Shorewall
4.6.6.

Problems Corrected:

1)  This release includes defect repair from Shorewall 4.6.5.5 and
    earlier releases.

2)  Previously, a line beginning with 'shell' was interpreted as a
    shell script. Now, the line must begin with 'SHELL'
    (case-sensitive).

    Note that ?SHELL and BEGIN SHELL are still case-insensitive.

New Features:

1)  Previously, the firewall products (Shorewall, Shorewall6 and
    *-lite) specified "After=network.target" in their .service files.

    Beginning with this release, those products specify
    "After=network-online.target" like the service.214 files. This
    change is intended to delay firewall startup until after network
    initialization is complete.

2)  The 'TARPIT' target is now supported in the rules file. Using this
    target requires the appropriate support in your kernel and
    iptables. This feature implements a new "TARPIT Target" capability,
    so if you use a capabilities file, then you need to regenerate the
    file after installing this release.

    TARPIT captures and holds incoming TCP connections using no local
    per-connection resources.

    TARPIT only works with the PROTO column set to tcp (6), and is
    totally application agnostic. This module will answer a TCP request
    and play along like a listening server, but aside from sending an
    ACK or RST, no data is sent. Incoming packets are ignored and
    dropped. The attacker will terminate the session eventually. This
    module allows the initial packets of an attack to be captured by
    other software for inspection. In most cases this is sufficient to
    determine the nature of the attack.

    This offers similar functionality to LaBrea
    <http://www.hackbusters.net/LaBrea/> but does not require dedicated
    hardware or IPs. Any TCP port that you would normally DROP or
    REJECT can instead become a tarpit.

    The target accepts a single optional parameter:

        tarpit (default)

          This mode completes a connection with the attacker but limits
          the window size to 0, thus keeping the attacker waiting long
          periods of time. While he is maintaining state of the
          connection and trying to continue every 60-240 seconds, we
          keep none, so it is very lightweight. Attempts to close the
          connection are ignored, forcing the remote side to time out
          the connection in 12-24 minutes.

        honeypot

          This mode completes a connection with the attacker, but
          signals a normal window size, so that the remote side will
          attempt to send data, often with some very nasty exploit
          attempts. We can capture these packets for decoding and
          further analysis. The module does not send any data, so if
          the remote expects an application level response, the game
          is up.

        reset

          This mode is handy because we can send an inline RST
          (reset). It has no other function.
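    As an added illustration (not part of the announcement), here is a
    /etc/shorewall/rules fragment showing how a port that was previously
    dropped becomes a tarpit, with each of the three modes described
    above. The zone names 'net' and '$FW' and the port numbers are
    assumed for the example; the column layout is the standard rules
    file layout.

```text
#ACTION            SOURCE    DEST    PROTO   DPORT
# Before this release the only options for an unwanted port were
# DROP or REJECT (example port 23, constructed):
#DROP              net       $FW     tcp     23

# Same port as a tarpit. PROTO must be tcp; TARPIT does not apply to
# udp or any other protocol.
TARPIT             net       $FW     tcp     23

# 'honeypot' mode advertises a normal window so the peer sends its
# payload; pair it with packet capture on the firewall if you want to
# inspect what arrives.
TARPIT(honeypot)   net       $FW     tcp     1433

# 'reset' mode answers with an inline RST and nothing else.
TARPIT(reset)      net       $FW     tcp     3389
```

    Because TARPIT is a new "TARPIT Target" capability, a site that
    keeps a static capabilities file must regenerate it after upgrading
    (for example with `shorewall show -f capabilities`, redirected to
    the capabilities file, as documented in shorewall(8)); otherwise the
    compiler will not know that the kernel and iptables support the
    target.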

3)  A 'loopback' option has been added to the interfaces files to
    designate the interface as the loopback device. This option is
    assumed if the device's physical name is 'lo'. Only one
    interface may specify 'loopback'.

    If no interface has physical name 'lo' and no interface specifies
    the 'loopback' option, then the compiler implicitly defines an
    interface as follows:

        #ZONE    INTERFACE      OPTIONS
        -        lo             ignore,loopback

4)  The compiler now takes advantage of the iptables 'iface' match
    capability for identifying loopback traffic.

5)  The 'primary' provider option has been added as a synonym for
    'balance=1'. The rationale for this addition is that 'balance'
    seems inappropriate when only a single provider specifies that
    option. For example, if there are two providers and one specifies
    'fallback', then the other would specify 'primary' rather than
    'balance'.
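    As an added example (not from the announcement), this
    /etc/shorewall/providers fragment shows the two-provider case the
    text describes: one provider carries the default route and the other
    is used only when the first is down. Provider names, interfaces,
    gateway addresses and mark values are constructed for the example.

```text
#NAME   NUMBER  MARK    DUPLICATE  INTERFACE  GATEWAY        OPTIONS          COPY
# Normal default route: 'primary' reads better than 'balance=1' when
# no other provider takes part in load balancing.
ISP1    1       0x1     -          eth0       192.0.2.1      track,primary
# Used only as a fallback when ISP1's link or gateway is unavailable.
ISP2    2       0x2     -          eth1       198.51.100.1   track,fallback
```

    'primary' is purely a synonym for 'balance=1', so an existing
    configuration that already uses 'balance=1' compiles unchanged; the
    new spelling only changes what the file communicates to its reader.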

6)  Two new Macros have been contributed:

    Zabbix - Tuomo Soini
    Tinc   - Răzvan Sandu

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
