Tom Eastep | 31 Mar 17:16 2016

Shorewall 5.0.7.2

Shorewall 5.0.7.2 is now available for download.

Problems Corrected:

1)  When using older versions of Perl, the following warnings were
    generated with 5.0.7 and 5.0.7.1.

    Found = in conditional, should be == at
       /usr/share/perl5/Shorewall/Chains.pm line 8630.
    Found = in conditional, should be == at
       /usr/share/perl5/Shorewall/Chains.pm line 8635.

    That has been corrected.

    (Tuomo Soini)

2)  Several typos in the manpages have been corrected (Roberto
    Sánchez).

3)  Previously, if an inline match was used in the last line of an
    action, then the inline match could also be applied to the jump to
    the action's chain. That has been corrected so that the jump to the
    chain contains the correct set of matches.

Thank you for using Shorewall,

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like

Eric Teeter | 30 Mar 19:29 2016

Question for list?

I have a question for all on this list.

I am planning to write a bash script to install Shorewall for myself. What I was wondering is whether anyone else would be interested, as I would release it under the same license as Shorewall.

I am going to start with Ubuntu 16.04 LTS as it will come out shortly. I will do Fedora, CentOS, then Debian as time permits.

It will be a basic setup running with two network cards (guessing that most people would be using this setup). I will add Webmin, ISC DHCP server, and BIND9 for a basic router; the installer will be asked whether they want them. It won't be bleeding edge; it will use the packages as supplied by the OS vendors, as this is easier to maintain.

Q1 Is there any interest in such a project?

Q2 Would someone help in maintaining this? I believe changes would happen when the different versions of the OSes come out, and maybe changes would have to be made.

If we ask Tom nicely, maybe he would put it on his web site, as I can't make promises for him.

Let me know if you have any questions.

Eric Teeter
Tom Eastep | 29 Mar 16:49 2016

Shorewall 5.0.7.1

5.0.7.1 is now available for download.

Problems Corrected:

1)  In 5.0.7, use of an inline match in a rule that generated multiple
    ip[6]tables rules caused only the first generated rule to contain
    the inline match.  That has been corrected.

2)  In 5.0.7, if ':R' was specified with the DIVERT action, an error
    message was erroneously generated. That has been corrected.

Thank you for using Shorewall,

-Tom

PS -- When using older versions of Perl, both 5.0.7 and 5.0.7.1 produce
Perl warnings during compilation. These warnings will be eliminated in
the next release, but they can be safely ignored in the meantime.

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep | 29 Mar 03:14 2016

Shorewall 5.0.7.1

Shorewall 5.0.7.1 is now available for download.

Problems Corrected:

1)  In 5.0.6.2 and 5.0.7, use of an inline match in a rule that
    generated multiple ip[6]tables rules caused only the first generated
    rule to contain the inline match.  That has been corrected.

2)  In 5.0.7, if ':R' was specified with the DIVERT action, an error
    message was erroneously generated. That has been corrected.

Thank you for using Shorewall,

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Thomas D. | 28 Mar 20:41 2016

Inline match broken since 5.0.6.2?

Hi,

got the following bug report on Gentoo:
https://bugs.gentoo.org/show_bug.cgi?id=578076

Copying from https://bugs.gentoo.org/show_bug.cgi?id=578076#c2:

> Seems like I am the lucky one, in the meantime I was able to track
> down the problem to an inline matching issue. This box has an older
> config migrated to Shorewall in the past. Following blacklist rule
> (blrules file) caused the trouble for version greater 5.0.6.1:
> 
> # Filter all packets that have RH0 headers
> DROP           all             all ; -m rt --rt-type 0
> 
> this generated until 5.0.6.1 a rule
> -A ~blacklist1 -m rt --rt-type 0 -j DROP
> which is referenced correctly, everything works as expected
> 
> version 5.0.6.2 and 5.0.7 generate new rules: a new chain fw-loc~
> appears which is populated with
> fw-loc~ -m rt --rt-type 0 -j DROP
> inline part present, so far, ok.
> 
> BUT ~blacklist1 is now populated with
> -A ~blacklist1 -j DROP
> which is missing the inline match, generating a blackhole rule, ipv6
> connectivity successfully terminated...
> 
> After a fair amount of cross-reading through the whole shorewall docs,
> because not in every place it's crystal clear how inline matches
> now have to be written down, I have updated the format of the
> blacklisting entry to the post-5.0.3 favored one to eliminate backward
> compatibility issues:
> 
> INLINE(DROP):info    all             all ;; -m rt --rt-type 0
> 
> Same result...

When you diff shorewall-5.0.6.1 against 5.0.6.2 you will notice

> --- /tmp/shorewall-5.0.6.1/work/Shorewall/Perl/Shorewall/Rules.pm	2016-03-09
20:18:18.000000000 +0100
> +++ /tmp/shorewall-5.0.6.2/work/Shorewall/Perl/Shorewall/Rules.pm	2016-03-16
22:11:41.000000000 +0100
>  <at>  <at>  -3427,6 +3427,10  <at>  <at> 
>  					   $wild ) ) {
>  			    $generated = 1;
>  			}
> +			#
> +			# Clear inline matches
> +			#
> +			set_inline_matches( '' );
>  		    }
>  		}
>  	    }
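Review bot: the added `set_inline_matches( '' );` call sits in the innermost block, right after the `$generated = 1;` branch and before the three closing braces, so the inline matches are cleared as soon as one ip[6]tables rule has been emitted for the entry; every further rule generated from the same entry then comes out without them, which is what the reporter sees when ~blacklist1 ends up holding a bare `-A ~blacklist1 -j DROP`. Move the reset to after the enclosing loop has produced all rules for the entry (or save the matches before the loop and restore them afterwards), and add a regression test with an inline-match rule that expands to more than one generated rule.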

The user confirmed the problem with latest shorewall-5.0.7.

-Thomas

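A defender-side check for the regression described in this thread, added here as an example (it is not part of the thread or of Shorewall): it parses iptables-save style output and flags DROP/REJECT rules that carry no match at all, which is what the lost inline match produced in ~blacklist1. The sample rulesets are constructed from the two outputs quoted above.

```python
"""Flag rules in a compiled ip[6]tables ruleset that terminate unconditionally.

Added example, not part of the thread above or of Shorewall.  The regression
turned `-A ~blacklist1 -m rt --rt-type 0 -j DROP` into `-A ~blacklist1 -j DROP`:
with the inline match gone, the blacklist chain dropped every packet reaching it.
"""
import shlex

TERMINATING = {"DROP", "REJECT"}
# Options that narrow which packets a rule applies to.  '-m comment' is
# excluded below because a comment annotates a rule without matching anything.
SELECTOR_OPTS = {"-p", "-s", "-d", "-i", "-o", "-m", "--protocol", "--source",
                 "--destination", "--in-interface", "--out-interface", "--match"}

def parse_rule(line):
    """Return (chain, option tokens, target) for an '-A chain ...' line, else None."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
    return tokens[1], tokens[2:], target

def has_selector(tokens):
    """True if the rule restricts the packets it applies to."""
    for i, tok in enumerate(tokens):
        if tok == "-m" and i + 1 < len(tokens) and tokens[i + 1] == "comment":
            continue
        if tok in SELECTOR_OPTS:
            return True
    return False

def unconditional_terminators(ruleset):
    """Return [(chain, target, line)] for rules that drop/reject everything."""
    findings = []
    for raw in ruleset.splitlines():
        line = raw.strip()
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, tokens, target = parsed
        if target in TERMINATING and not has_selector(tokens):
            findings.append((chain, target, line))
    return findings

# Constructed samples modelled on the two outputs quoted in the bug report.
RULES_5_0_6_1 = """\
*filter
-A ~blacklist1 -m rt --rt-type 0 -j DROP
-A fw-loc -j ~blacklist1
COMMIT
"""
RULES_5_0_6_2 = """\
*filter
-A fw-loc~ -m rt --rt-type 0 -j DROP
-A ~blacklist1 -j DROP
-A fw-loc -j ~blacklist1
COMMIT
"""
```

Run it over real `iptables-save` output after an upgrade; a chain whose last rule is deliberately an unconditional DROP (a policy chain) will also be reported, so review findings by chain name rather than treating every hit as a defect.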
jonetsu | 28 Mar 19:54 2016

L2TPv3 traffic control?

Hello,

Is there any provision within Shorewall to provide traffic control inside L2TPv3?

Thanks.

Paolo Prandini | 28 Mar 19:25 2016

Problem with clampmss

Sorry everybody, I ask for your precious advice again.
I am switching from shorewall 4.5.6 and kernel 2.6.18
to shorewall 5.0.6 and kernel 2.6.32-573
I used mss=1538 in the 'in options' of the zones file
and CLAMPMSS=yes to handle an IPSEC connection.
But with the new setup the same settings don't do anything
anymore! I checked it with wireshark, the settings in
SYN get through untouched, while previously the MSS got
changed to 1538.
The same connection with the old environment works correctly.
I would like to add I am using klips.
What can I do?
Thanks
Paolo

Paolo Prandini | 28 Mar 11:19 2016

Block icmp redirect

Hi, I allowed on my interface only:

Ping(ACCEPT)	net	all

but I get ICMP redirects anyway.
How can I block ICMP redirects?
Or maybe there is a shorewall.conf option?
Thanks a lot
Paolo

Tom Eastep | 27 Mar 01:10 2016

Shorewall 5.0.7

Shorewall 5.0.7 is now available for download.

Problems Corrected:

1)  This release includes defect repair from Shorewall 5.0.6.2.

2)  Previously, the compiler failed to catch invalid action/chain
    combinations which caused iptables-restore failures when such
    combinations were present in the configuration. That has been
    corrected.

3)  An issue involving nested inlined action and macro invocations has
    been resolved.

4)  The '&' (and) and '|' (or) symbols were previously ignored when
    the action was CONNMARK (mangle file). These symbols now work as
    documented.

5)  When 'DOCKER=Yes', 'check -r' would previously fail. The command
    now works correctly.

6)  Previously, the specified linklayer, overhead, mtu, mpu and tsize
    were not applied to ingress qdiscs that provide IN-BANDWIDTH
    limiting. That has been corrected so that these options also apply
    to inbound traffic.

    IMPORTANT: If you have specified linklayer, overhead, etc., then
    after this fix is installed, your inbound speed will be less than
    it was before the fix. You are advised to re-test and possibly
    adjust your IN-BANDWIDTH accordingly.

7)  The syntax which Shorewall previously used to define ingress
    filters is misinterpreted by the tc utility, with the result that
    rather than dropping packets exceeding the IN-BANDWIDTH, the filter
    instead reclassified them. That caused 'packet reclassify loop'
    errors during periods of high inbound traffic. The compiler now
    generates the options in the 'tc add filter' command in an order
    that tc handles correctly.

8)  If a log level was specified in one of the *_DEFAULT options,
    the compiler would previously raise a fatal error when applying the
    default action. That has been corrected.

New Features:

1)  Actions may now be used in the mangle file. To be used in the
    mangle file, an action must be declared in the actions file with
    the 'mangle' option. Actions with this option may only be used in
    the mangle file (or in other actions with the mangle option); they
    may not be used in the rules file. Mangle actions may be inlined
    using the 'inline' option in the actions file.

    A new template file (/usr/share/shorewall/action.mangletemplate) is
    included in the release for use in creating mangle actions.

2)  The 'check -r' command now uses the PAGER program unless the -d
    option is also specified. Additionally, when the compiler runs with
    'trace', the PAGER program is used unless -d is set.

3)  It is now possible to raise an error if a condition isn't met using
    the ?ERROR directive.

    	?ERROR <message>

    The text after ?ERROR is displayed in a standard Shorewall error
    message.

4)  Using the new ?ERROR directive, embedded Perl has been eliminated
    from a number of standard actions.

    Example from action.GlusterFS:

    ?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
        ?error Invalid value for Bricks (@1)
    ?elsif @2 !~ /^[01]$/
        ?error Invalid value for IB (@2)
    ?endif

    The above logic ensures that the first action parameter is a
    non-zero number <= 1024 and that the second parameter is either 0
    or 1. If 2000 is passed for the first parameter, the following
    error message is generated:

    ERROR: Invalid value for Bricks (2000)
      /usr/share/shorewall/action.GlusterFS (line 15)
      from /etc/shorewall/rules (line 45)

5)  Previously, inline matches were placed after column-generated
    matches in the generated rule. This meant that '-p' could not be
    used in inline matches. Beginning with this release, if the first
    non-blank character in an inline match is '+', then the remainder
    of the inline matches are placed at the front of the generated
    rule.

    There are a couple of restrictions:

    a. When -p is used  in an inline match and the PROTO column is
       supplied, then an error is generated unless the resolved
       contents of the column matches the protocol specified in the
       inline match. This means that only protocol numbers should
       appear in the inline match.

    b. Use of -i, -s, -o, or -d (or their long-form equivalents) in an
       inline match will result in a compilation error if the contents
       of the columns generates the same match.

6)  The TCPFlags action has been modified to use '+' in inline matches
    rather than embedded Perl with perl_action_tcp_handler() calls.

7)  A new 'audit' action option has been added. Such actions are
    expected to have at least two parameters; the first is a
    target and the second is either omitted or is 'audit'.
    Two existing standard actions (RST and NotSyn) have this
    characteristic and they have been converted to use the 'audit'
    option, eliminating embedded Perl within their bodies.

8)  Within an action body, if a parameter is omitted in a DEFAULTS
    statement, then the value of the corresponding action and Shorewall
    variables is '-', while if the parameter is specified as '-' in
    the parameter list, the value of the variables is '' if
    expanded before the DEFAULTS statement.

    Additionally, when an expression is evaluated, the value 0
    evaluates as false; so '?IF @n' and 'IF $n' both fail if the nth
    parameter is passed with value zero.

    To make testing of the presence of parameters more efficient and
    uniform, a new function has been added for use in ?IF and
    ?ELSEIF:

        ?IF [!] passed(<variable>)

    where <variable> is an action or Shorewall variable.

    'passed(@n)' and 'passed($n)' evaluate to true if the nth parameter
    is not empty and its contents are other than '-'. If '!' is
    present, the result is inverted.

    In this simple form, the expression is evaluated by the compiler
    without having to invoke the (expensive) Perl exec() function. The
    'passed' function may also be used in more complex expressions, but
    exec() will be invoked to evaluate those expressions.

9)  The MARK and CONNMARK targets are now available in the rules file,
    macros, and actions. Mark ranges are not currently supported with
    these targets.

Thank you for using Shorewall,

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
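A model of the '+' inline-match placement rule and its two restrictions from item 5 of the New Features above, added as an example (this is not Shorewall's compiler code). Columns are passed in as the iptables options they resolve to, a simplification I assume for illustration; how the compiler handles an inline '-p' that agrees with the PROTO column is not stated in the notes, and the model's choice is marked as an assumption in the code.

```python
"""Model of the '+' inline-match placement rule from the 5.0.7 release notes.

Added example, not Shorewall's own compiler code.  Enforces the documented
restrictions: (a) an inline '-p' must agree with the resolved PROTO column,
(b) -i/-s/-o/-d may not duplicate a match the columns already generate.
"""
import shlex

PROTO_NUMBERS = {"tcp": "6", "udp": "17", "icmp": "1", "ipv6-icmp": "58"}
LONG_FORM = {"--protocol": "-p", "--in-interface": "-i", "--source": "-s",
             "--out-interface": "-o", "--destination": "-d"}
ADDR_IFACE = {"-i", "-s", "-o", "-d"}

class CompileError(ValueError):
    """Where the compiler would report a fatal error."""

def resolve_columns(columns):
    """Return column options with a PROTO name resolved to its number."""
    return {k: PROTO_NUMBERS.get(v.lower(), v) if k == "-p" else v
            for k, v in columns.items()}

def assemble(columns, inline):
    """Build the argument list: column matches plus the inline match.

    With a leading '+', the inline tokens go in front of the column matches;
    otherwise they follow them, as in releases before 5.0.7.
    """
    col = resolve_columns(columns)
    text = inline.strip()
    front = text.startswith("+")
    tokens = shlex.split(text[1:] if front else text)
    for i, tok in enumerate(tokens):
        opt = LONG_FORM.get(tok, tok)
        if opt == "-p" and "-p" in col:
            if i + 1 >= len(tokens) or tokens[i + 1] != col["-p"]:
                raise CompileError(
                    f"inline -p conflicts with PROTO column ({col['-p']})")
            # Assumption: when the two agree, the column's -p is dropped so the
            # rule does not carry the option twice (the notes only say that an
            # error is raised when they differ).
            col = {k: v for k, v in col.items() if k != "-p"}
        elif opt in ADDR_IFACE and opt in col:
            raise CompileError(f"{opt} given both in a column and inline")
    column_opts = [x for k, v in col.items() for x in (k, v)]
    return tokens + column_opts if front else column_opts + tokens

def outcome(columns, inline):
    """Return the argument list, or the compiler error text, for one rule."""
    try:
        return assemble(columns, inline)
    except CompileError as exc:
        return f"ERROR: {exc}"
```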

Csányi Pál | 25 Mar 13:00 2016

find_interface_address: command not found

Hi,

I'm following http://www.shorewall.net/three-interface.htm

At header:
Example 1. You run a Web Server on DMZ Computer 2 and you want to
forward incoming TCP port 80 to that system

it is advised to Include the following in /etc/shorewall/params:
ETH0_IP=$(find_interface_address eth0)

I did so but when run 'shorewall check' I get:
# shorewall check
/etc/shorewall/params: line 28: find_interface_address: command not found

What can I do to solve this problem?

-- 
Best, Pali

Thorsten von Eicken | 23 Mar 17:05 2016

adding providers fails with RTNETLINK answers: Invalid argument

I'm trying to switch my configuration to a multi-ISP config but as soon
as I add a provider that generates a default route to the providers file
I get the following error when running shorewall restart:

...
Restarting Shorewall....
Initializing...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Adding Providers...
RTNETLINK answers: Invalid argument
   ERROR: Command "ip -4 route replace default scope global table 250
nexthop via 207.154.101.1 dev eth0.2 weight 1" Failed
Running /sbin/iptables-restore...

From what I can tell, the ip command doesn't accept "nexthop" in front
of the first route of a multi-route command. I'm wondering whether this
is a known problem and I need to upgrade some component. I'm running
linux 14.04 on an ARM box:

# cat /proc/version
Linux version 3.8.13.30 (root@odroid-wheezy) (gcc version 4.7.2 (Debian
4.7.2-5) ) #7 SMP PREEMPT Sun Mar 1 20:05:28 CET 2015
# shorewall version
4.5.21.6
# ip -V
ip utility, iproute2-ss131122
# dpkg -p iproute2
Package: iproute2
...
Origin: Ubuntu
Architecture: armhf
Version: 3.12.0-2
...

