Göran Höglund | 2 Jun 14:26 2014

Instagram

Hi List!
Does anyone have any suggestion on how to block users from using Instagram?

/Göran

Tom Eastep | 31 May 23:13 2014

Shorewall 4.6.0.3

4.6.0.3 is now available for download.

Problems Corrected:

1)  The Shorewall-init package now installs correctly on RHEL7.

2)  1:1 NAT is now enabled in IPv6.

3)  A subtle interaction between NAT and sub-zones is explained in
    shorewall-nat.

4)  The 'show filters' command now works with Simple TC.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


Tom Eastep | 27 May 01:26 2014

Shorewall 4.5.21.10

For those who are reluctant to upgrade to the new major release, I've
corrected a couple of problems in 4.5.21.

1)  The tarball installers now install .service files with mode 644
    rather than mode 600.

2)  Previously, 1:1 NAT was disabled in Shorewall6, even if IPv6 NAT was
    supported.

3)  The 'show filters' command now works with Simple TC and shows
    ingress filters in both Simple and Complex TC.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


Paolo | 26 May 13:54 2014

host


Hi list

I usually install Shorewall on stand-alone servers or on servers that act 
not only as such, but also as gateways for other boxes.
If I install a dedicated box as a firewall, I usually consider dedicated 
distros like IpCop, PFSense, ZeroShell, ... because they give me a distro 
that is already hardened and some tools like graphical reports that are very 
useful for monitoring activity.
Using Munin/Monitorix/... I can have the flexibility of Shorewall and the 
comfort of a visual monitoring system. I like this combination, so 
sometimes I ask myself, and now the list: if you are planning to 
install a box whose primary activity is firewalling (usual 
NET/LAN/DMZ/WLAN config), which distro do you consider/prefer?
Any particular packages and/or advice for configuration?

Thanks, P.

Lee Brown | 24 May 20:18 2014

Re: shorewall show filters not working

On Fri, May 23, 2014 at 9:19 AM, Tom Eastep <teastep <at> shorewall.net> wrote:
> On 5/22/2014 7:35 PM, Lee Brown wrote:
>> Hi list,
>>
>> I recently installed shorewall 4.5.21.9 on Centos6.5 (2.6.32) on metal
>> and another install of 4.6.0 on Slackware 14.1 (3.10.17) in a KVM under
>> it.  I notice that on both these systems shorewall show filters iterates
>> the devices but provides no output.  I believe the 'tc' tool may have
>> changed behaviour.
>>
>> I can see tc filters being added via 'tc monitor', but a 'tc show
>> filters dev eth0' produces no output.  'tc show filters dev eth0 root'
>> provides some output and if you know all the parent ids, 'tc show
>> filters dev eth0 parent xxx:' gets output.
>>
>> From the slack KVM, I've included a tar of the /etc/shorewall directory,
>> which includes a file called dump.txt which is the output from shorewall
>> dump, plus a file called console to illustrate the problem.  It's very
>> small.
>>
>> I used no filters on my previous systems which were Centos5.9 (2.6.18),
>> so I've no basis for when this may have been introduced.
>
> It looks to me as though 'tc filter ls' is broken. The manpage only
> shows 'tc filter show' as a valid command (where 'ls' is a synonym for
> 'show'). 'tc filter show [ parent ] root' works as you have observed,
> but 'tc filter show parent 1' does not, even though there are filters
> defined for qdisc 1. Similarly 'tc filter show parent ffff' doesn't
> work, even though 'ffff' is equivalent to 'root'.
>
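As an added illustration of the workaround Lee describes (this is not code from the thread or from Shorewall): a helper that reads the text `tc qdisc show dev X` and `tc class show dev X` print, collects every qdisc handle and class id, and builds the per-parent `tc filter show ... parent H:` commands that still produce output when the bare `tc filter show dev X` prints nothing. The sample tc output, the device name and the `0:` handling are my assumptions; the helper does not change tc's behaviour, it only enumerates the parents for you.

```python
import re

# Handle as tc prints it: "qdisc htb 1: root ...", "qdisc ingress ffff: parent ffff:fff1 ...".
QDISC_RE = re.compile(r"^qdisc\s+\S+\s+([0-9a-f]*:)\s")
# Class id as tc prints it: "class htb 1:10 parent 1:1 ...", "class mq :1 root".
CLASS_RE = re.compile(r"^class\s+\S+\s+([0-9a-f]*:[0-9a-f]*)\s")


def parse_handles(qdisc_output, class_output):
    """Collect qdisc handles and class ids, in order, without duplicates.

    Assumption: a qdisc handle of '0:' means no handle was assigned (as with
    the default mq/pfifo_fast root qdisc), so it is skipped because there is
    nothing to name in a 'parent' argument.
    """
    handles = []
    for regex, output in ((QDISC_RE, qdisc_output), (CLASS_RE, class_output)):
        for line in output.splitlines():
            m = regex.match(line.strip())
            if m and m.group(1) != "0:" and m.group(1) not in handles:
                handles.append(m.group(1))
    return handles


def filter_commands(dev, handles):
    """The 'tc filter show' invocations to run instead of a bare 'tc filter show dev DEV'."""
    commands = [["tc", "filter", "show", "dev", dev, "root"]]
    commands += [["tc", "filter", "show", "dev", dev, "parent", h] for h in handles]
    return commands


def show_all_filters(dev):
    """Run the commands on a live system (needs the tc binary; not used offline)."""
    import subprocess
    qdisc = subprocess.run(["tc", "qdisc", "show", "dev", dev],
                           capture_output=True, text=True, check=True).stdout
    classes = subprocess.run(["tc", "class", "show", "dev", dev],
                             capture_output=True, text=True, check=True).stdout
    for cmd in filter_commands(dev, parse_handles(qdisc, classes)):
        out = subprocess.run(cmd, capture_output=True, text=True).stdout
        print("# " + " ".join(cmd))
        print(out, end="")


# Constructed sample output, shaped like an htb setup with an ingress qdisc.
QDISC_SAMPLE = """\
qdisc htb 1: root refcnt 2 r2q 10 default 12 direct_packets_stat 0
qdisc sfq 10: parent 1:10 limit 127p quantum 1514b
qdisc ingress ffff: parent ffff:fff1 ----------------
"""
CLASS_SAMPLE = """\
class htb 1:1 root rate 10000Kbit ceil 10000Kbit burst 1600b cburst 1600b
class htb 1:10 parent 1:1 leaf 10: prio 1 rate 5000Kbit ceil 10000Kbit burst 1600b cburst 1600b
class htb 1:12 parent 1:1 prio 3 rate 1000Kbit ceil 10000Kbit burst 1600b cburst 1600b
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; use show_all_filters("eth0") on a host.
    for cmd in filter_commands("eth0", parse_handles(QDISC_SAMPLE, CLASS_SAMPLE)):
        print(" ".join(cmd))
```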

Tom Eastep | 24 May 17:15 2014

Re: 6to4 with Charter.com

On 5/24/2014 2:36 AM, Louis Lagendijk wrote:
> On Fri, 2014-05-23 at 17:30 -0700, Tom Eastep wrote:
>> On 5/23/2014 3:59 PM, Tom Eastep wrote:
>>
>>> A couple of things:
>>>
>>> a) That script was written 6 years ago before the distributions had much
>>> support for IPv6. I certainly wouldn't use it today and will remove
>>> mention of it as soon as I have a moment. You really should be using
>>> your distribution's configuration tools to configure the tunnel.
>>>
>>> b) You need to give some thought to how you are going to use the /32.
>>> Your current configuration is totally unusable (the same /32 is defined
>>> on eth0 and eth1). Unless the two interfaces connect to the same
>>> network, you must subnet such that the networks on eth0 and eth1 are
>>> disjoint.
> Charter offers 6rd, where the V6 address is appended to the 6rd prefix,
> effectively giving the OP a single /64 address. I recommend that the OP
> read up on 6rd.

Thanks, Louis.

Eric: Here's a Debian Howto:

   http://servernetworktech.com/2012/11/charter-ipv6/

But before you go there, in the material you sent previously, we see:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2602:100:6153:810d:1::1/32 scope global

Orion Poplawski | 19 May 21:00 2014

Support for RHEL7

I'm trying to build the shorewall EPEL package for RHEL7 and getting:

+ pushd shorewall-init-4.6.0
~/build/BUILD/shorewall-4.6.0/shorewall-init-4.6.0 ~/build/BUILD/shorewall-4.6.0
+ ./configure vendor=redhat SYSTEMD=/usr/lib/systemd/system SBINDIR=/usr/sbin
INFO: Creating a redhat-specific installation -  Mon May 19 18:24:23 UTC 2014
HOST=redhat
PREFIX=/usr
SHAREDIR=${PREFIX}/share
LIBEXECDIR=${PREFIX}/libexec
PERLLIBDIR=/usr/share/perl5/vendor_perl
CONFDIR=/etc
SBINDIR=/usr/sbin
MANDIR=${SHAREDIR}/man
INITDIR=/etc/rc.d/init.d
INITSOURCE=init.fedora.sh
INITFILE=$PRODUCT
AUXINITSOURCE=
AUXINITFILE=
SYSTEMD=/usr/lib/systemd/system
SERVICEFILE=                      	
SYSCONFFILE=sysconfig
SYSCONFDIR=/etc/sysconfig/
SPARSE=
ANNOTATED=
VARLIB=/var/lib
VARDIR=${VARLIB}/$PRODUCT
+ DESTDIR=/builddir/build/BUILDROOT/shorewall-4.6.0-1.el7.noarch
+ ./install.sh
ERROR: Unknown BUILD environment (rhel)

Victor Galino | 19 May 11:22 2014

Shorewall Asterisk SIP Calls Stop at 30 minutes


Hello

I configured Shorewall for an Asterisk server.

I needed to add to /etc/shorewall/start:

rmmod nf_nat_sip &> /dev/null
rmmod nf_conntrack_sip &> /dev/null


And works fine.

The only problem I detect is that when I have a call established, at the 30-minute mark the call drops and I need to make another call.

The configuration is on CentOS 6.5 Final with kernel 2.6.32-431.17.1, Shorewall 4.5.4.

I am sending the parts of the shorewall dump related to the modules and nf_conntrack; I understand it is something generic with TCP connections or nf_conntrack (netfilter).

Thanks in advance
Regards
Victor



/proc

   /proc/version = Linux version 2.6.32-431.17.1.el6.x86_64 (mockbuild <at> c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Wed May 7 23:32:49 UTC 2014
   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/arp_ignore = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 0
   /proc/sys/net/ipv4/conf/all/log_martians = 0
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/arp_ignore = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 0
   /proc/sys/net/ipv4/conf/default/log_martians = 1
   /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/log_martians = 1
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 0
   /proc/sys/net/ipv4/conf/lo/log_martians = 1
   /proc/sys/net/ipv4/conf/tun3/proxy_arp = 0
   /proc/sys/net/ipv4/conf/tun3/arp_filter = 0
   /proc/sys/net/ipv4/conf/tun3/arp_ignore = 0
   /proc/sys/net/ipv4/conf/tun3/rp_filter = 0
   /proc/sys/net/ipv4/conf/tun3/log_martians = 1



Modules

ip_set                 30977  1 xt_set
iptable_filter          2793  1
iptable_mangle          3349  1
iptable_nat             6158  0
iptable_raw             2264  0
ip_tables              17831  4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
ipt_addrtype            2153  5
ipt_ah                  1247  0
ipt_CLUSTERIP           6796  0
ipt_ecn                 1507  0
ipt_ECN                 1955  0
ipt_LOG                 5845  9
ipt_MASQUERADE          2466  0
ipt_NETMAP              1832  0
ipt_REDIRECT            1840  0
ipt_REJECT              2351  4
ipt_ULOG               10765  0
nf_conntrack           79758  32 xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_conntrack_snmp,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_proto_udplite,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_broadcast,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_amanda     2979  1 nf_nat_amanda
nf_conntrack_broadcast     1471  2 nf_conntrack_snmp,nf_conntrack_netbios_ns
nf_conntrack_ftp       12913  1 nf_nat_ftp
nf_conntrack_h323      67696  1 nf_nat_h323
nf_conntrack_ipv4       9506  16 iptable_nat,nf_nat
nf_conntrack_irc        5530  1 nf_nat_irc
nf_conntrack_netbios_ns     1323  0
nf_conntrack_netlink    17392  0
nf_conntrack_pptp      12166  1 nf_nat_pptp
nf_conntrack_proto_gre     7003  1 nf_conntrack_pptp
nf_conntrack_proto_sctp    12482  0
nf_conntrack_proto_udplite     3348  0
nf_conntrack_sane       5716  0
nf_conntrack_snmp       1651  1 nf_nat_snmp_basic
nf_conntrack_tftp       4878  1 nf_nat_tftp
nf_defrag_ipv4          1483  2 xt_TPROXY,nf_conntrack_ipv4
nf_defrag_ipv6         11156  1 xt_TPROXY
nf_nat                 22759  11 ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,iptable_nat
nf_nat_amanda           1277  0
nf_nat_ftp              3507  0
nf_nat_h323             8830  0
nf_nat_irc              1883  0
nf_nat_pptp             4653  0
nf_nat_proto_gre        3028  1 nf_nat_pptp
nf_nat_snmp_basic       8553  0
nf_nat_tftp              987  0
nf_tproxy_core          1332  1 xt_TPROXY,[permanent]
xt_AUDIT                3064  0
xt_CLASSIFY             1069  0
xt_comment              1034  9
xt_connlimit            3238  0
xt_connmark             1347  0
xt_CONNMARK             1507  0
xt_conntrack            2776  13
xt_dccp                 2215  0
xt_dscp                 1831  0
xt_DSCP                 2279  0
xt_hashlimit            9685  0
xt_helper               1497  0
xt_iprange              2312  0
xt_length               1322  0
xt_limit                2118  0
xt_mac                  1118  0
xt_mark                 1057  0
xt_MARK                 1057  1
xt_multiport            2700  2
xt_NFLOG                1195  0
xt_NFQUEUE              2213  0
xt_owner                1252  0
xt_physdev              1741  0
xt_pkttype              1194  0
xt_policy               2616  0
xt_realm                1060  0
xt_recent               7932  0
xt_set                  4032  0
xt_state                1492  0
xt_statistic            1524  0
xt_tcpmss               1607  0
xt_time                 2183  0
xt_TPROXY               9249  0



Shorewall has detected the following iptables/netfilter capabilities:
   NAT (NAT_ENABLED): Available
   Packet Mangling (MANGLE_ENABLED): Available
   Multi-port Match (MULTIPORT): Available
   Extended Multi-port Match (XMULIPORT): Available
   Connection Tracking Match (CONNTRACK_MATCH): Available
   Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
   Packet Type Match (USEPKTTYPE): Available
   Policy Match (POLICY_MATCH): Available
   Physdev Match (PHYSDEV_MATCH): Available
   Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
   Packet length Match (LENGTH_MATCH): Available
   IP range Match(IPRANGE_MATCH): Available
   Recent Match (RECENT_MATCH): Available
   Owner Match (OWNER_MATCH): Available
   Owner Name Match (OWNER_NAME_MATCH): Available
   CONNMARK Target (CONNMARK): Available
   Extended CONNMARK Target (XCONNMARK): Available
   Connmark Match (CONNMARK_MATCH): Available
   Extended Connmark Match (XCONNMARK_MATCH): Available
   Raw Table (RAW_TABLE): Available
   Rawpost Table (RAWPOST_TABLE): Not available
   IPP2P Match (IPP2P_MATCH): Not available
   CLASSIFY Target (CLASSIFY_TARGET): Available
   Extended REJECT (ENHANCED_REJECT): Available
   Repeat match (KLUDGEFREE): Available
   MARK Target (MARK): Available
   Extended MARK Target (XMARK): Available
   Extended MARK Target 2 (EXMARK): Available
   Mangle FORWARD Chain (MANGLE_FORWARD): Available
   Comments (COMMENTS): Available
   Address Type Match (ADDRTYPE): Available
   TCPMSS Match (TCPMSS_MATCH): Available
   Hashlimit Match (HASHLIMIT_MATCH): Available
   NFQUEUE Target (NFQUEUE_TARGET): Available
   Realm Match (REALM_MATCH): Available
   Helper Match (HELPER_MATCH): Available
   Connlimit Match (CONNLIMIT_MATCH): Available
   Time Match (TIME_MATCH): Available
   Goto Support (GOTO_TARGET): Available
   LOGMARK Target (LOGMARK_TARGET): Not available
   IPMARK Target (IPMARK_TARGET): Not available
   LOG Target (LOG_TARGET): Available
   ULOG Target (ULOG_TARGET): Available
   NFLOG Target (NFLOG_TARGET): Available
   Persistent SNAT (PERSISTENT_SNAT): Available
   TPROXY Target (TPROXY_TARGET): Available
   FLOW Classifier (FLOW_FILTER): Available
   fwmark route mask (FWMARK_RT_MASK): Available
   Mark in any table (MARK_ANYWHERE): Available
   Header Match (HEADER_MATCH): Not available
   ACCOUNT Target (ACCOUNT_TARGET): Not available
   AUDIT Target (AUDIT_TARGET): Available
   ipset V5 (IPSET_V5): Not available
   Condition Match (CONDITION_MATCH): Not available
   Statistic Match (STATISTIC_MATCH): Available
   IMQ Target (IMQ_TARGET): Not available
   DSCP Match (DSCP_MATCH): Available
   DSCP Target (DSCP_TARGET): Available
   Geo IP match: Not available
   iptables -S (IPTABLES_S): Available
   Basic Filter (BASIC_FILTER): Available
   CT Target (CT_TARGET): Not available



Traffic Control

Device eth0:
qdisc mq 0: root
 Sent 1346296381 bytes 11623838 pkt (dropped 0, overlimits 0 requeues 7)
 rate 0bit 0pps backlog 0b 0p requeues 7

class mq :1 root
 Sent 842127610 bytes 5697988 pkt (dropped 0, overlimits 0 requeues 1)
 backlog 0b 0p requeues 1
class mq :2 root
 Sent 504168771 bytes 5925850 pkt (dropped 0, overlimits 0 requeues 6)
 backlog 0b 0p requeues 6

Device tun3:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 38445759 bytes 443154 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0



TC Filters

Device eth0:

Device tun3:






 
Tom Eastep | 15 May 22:13 2014

Shorewall 4.6.0

The Shorewall team is pleased to announce the availability of Shorewall
4.6.0.

----------------------------------------------------------------------------
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

This release includes all defect repair from releases up through
4.5.21.9.

1)  The tarball installers now install .service files with mode 644
    rather than mode 600.

----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  SECTION entries in the accounting and rules files now allow
    "SECTION" to be immediately preceded by "?" (e.g., ?SECTION). The
    new form is preferred and if any SECTION entries do not have the
    question mark, a warning is issued (see Migration Issues below).

2)  The default setting for ZONE2ZONE has been changed from '2' to '-'
    for increased readability when zone names contain '2'.

3)  The 'tcrules' file has been superseded by the 'mangle'
    file. Existing 'tcrules' files will still be processed, with the
    restriction that TPROXY is no longer supported in FORMAT 1.

    You can convert your tcrules file into the equivalent mangle file
    using the command:

       shorewall update -t

    See shorewall(8) and shorewall6(8) for important restrictions of
    the -t option.

4)  Prior to now, the ability to specify raw iptables matches has been
    tied to the INLINE action. Beginning with this release, the two can
    be separated by specifying INLINE_MATCHES=Yes.

    When INLINE_MATCHES=Yes, then inline matches may be specified after
    a semicolon in the following files:

      action files
      macros
      rules
      mangle
      masq

    Note that semicolons are not allowed in any other files. If you
    want to use the alternative input format in those files, then you
    must enclose the specifications in curly brackets ({...}). The -i
    option of the 'check' command will warn you of lines that need to
    be changed from using ";" to using "{...}".

5)  The 'conntrack', 'raw', 'mangle' and 'rules' files now support an
    IPTABLES (IP6TABLES) action. This action is similar to INLINE in
    that it allows arbitrary ip[6]tables matches to be specified after a
    semicolon (even when INLINE_MATCHES=No). It differs in that the
    parameter passed is an iptables target with target options.

    Example (rules file):

       #ACTION                          SOURCE  DEST    PROTO
       IPTABLES(TARPIT --honeypot)      net     pot

    If the particular target that you wish to use is unknown to
    Shorewall, you will get this error message:

       ERROR: Unknown TARGET (<target>)

    You can eliminate that error by adding your target as a builtin
    action in /etc/shorewall[6]/actions.

    As part of this change, the /etc/shorewall[6]/actions file options
    have been extended to allow you to specify the Netfilter table(s)
    where the target is accepted. When 'builtin' is specified, you can
    also include the following options:

         filter
         nat
         mangle
         raw

    If no table is given, 'filter' is assumed for backward
    compatibility.

6)  The 'tcpflags' option is now set by default. To disable the option,
    specify 'tcpflags=0' in the OPTIONS column of the interface file.

7)  You may now use ipset names (preceded by '+') in PORT columns,
    allowing you to take advantage of bitmap:port ipsets.

8)  The counter extensions to ipset matches have been
    implemented. See shorewall[6]-ipsets for details.

9)  DROP is now a valid action in the stoppedrules files. DROP occurs
    in the raw table PREROUTING chain which avoids conntrack entry
    creation.

10) A new BASIC_FILTERS option is now supported. When set to 'Yes',
    this option causes the compiler to generate basic TC filters from
    tcfilters entries rather than u32 filters.

    Basic filters are more straight-forward than u32 filters and, in
    later iptables/kernel versions, basic filters support ipset
    matches.  Please note that Shorewall cannot reliably detect whether
    your iptables/kernel support ipset matches, so an error-free
    compilation does not guarantee that the firewall will start
    successfully when ipset names are specified in tcfilters entries.

11) The update command now supports an -A option. This is intended to
    perform all available updates to the configuration and is currently
    equivalent to '-b -D -t'.

12) Beginning with this release, FORMAT-1 actions and macros are
    deprecated and a warning will be issued for each FORMAT-1 action
    or macro found. See the Migration Issues for further information.

13) To facilitate creation of ipsets with characteristics different
    from what Shorewall generates, the 'init' user exit is now executed
    before Shorewall creates ipsets that don't exist.

----------------------------------------------------------------------------
                  I V.  M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------

1)  If you are migrating from Shorewall 4.4.x or earlier, please see
    http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt

2)  Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir
    and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in
    favor of the VARDIR setting in shorewallrc.

        NOTE: While the name of the variable remains VARDIR, the
              meaning is slightly different. When set in shorewallrc,
              each product (shorewall-lite, and shorewall6-lite) will
              create a directory under the specified path name to
              hold state information.

              Example:

                  VARDIR=/opt/var/

                  The state directory for shorewall-lite will be
                  /opt/var/shorewall-lite/ and the directory for
                  shorewall6-lite will be /opt/var/shorewall6-lite.

              When VARDIR is set in /etc/shorewall[6]/vardir, the
              product will save its state directly in the specified
              directory.

    In Shorewall 4.5.8, a VARLIB variable was added to the shorewallrc
    file and the meaning of VARDIR is once again consistent. The
    default setting of VARDIR for a particular product is
    ${VARLIB}/$product. There is an entry of that form in the
    shorewallrc file. Because there is a single shorewallrc file for
    all installed products, the /etc/shorewall[6]-lite/vardir file
    provides the only means for overriding this default.

3)  Beginning with Shorewall 4.5.6, the tcrules file is processed if
    MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This
    allows actions like TTL and TPROXY to be used without enabling
    traffic shaping.

    If you have rules in your tcrules file that you only want processed
    when TC_ENABLED is other than 'No', then enclose them in

         ?IF $TC_ENABLED
         ...
         ?ENDIF

    If they are to be processed only if TC_ENABLED=Internal, then
    enclose them in

         ?IF TC_ENABLED eq 'Internal'
         ...
         ?ENDIF

4)  Beginning with Shorewall 4.5.7, the deprecated
    /etc/shorewall[6]/blacklist files are no longer installed. Existing
    files are still processed by the compiler. Note that blacklist
    files may be converted to equivalent blrules files using
    'shorewall[6] update -b'.

5)  In Shorewall 4.5.7, the /etc/shorewall[6]/notrack file was renamed
    /etc/shorewall[6]/conntrack. When upgrading to a release >= 4.5.7,
    the conntrack file will be installed along side of an existing
    notrack file. When both files exist, a compiler warning is
    generated:

       WARNING: Both notrack and conntrack exist; conntrack is ignored

    This warning may be eliminated by moving any entries in the notrack
    file to the conntrack file and removing the notrack file.

6)  In Shorewall 4.5.8, the /etc/shorewall[6]/routestopped files were
    deprecated in favor of new /etc/shorewall[6]/stoppedrules
    counterparts. The new files have much more familiar and
    straightforward semantics. Once a stoppedrules file is populated,
    the compiler will process that file and will ignore the
    corresponding routestopped file.

7)  In Shorewall 4.5.8, a new variable (VARLIB) was added to the
    shorewallrc file. This variable assumes the role formerly played by
    VARDIR, and VARDIR now designates the configuration directory for a
    particular product.

    This change should be transparent to all users:

    a) If VARDIR is set in an existing shorewallrc file and VARLIB is
       not, then VARLIB is set to ${VARDIR} and VARDIR is set to
       ${VARLIB}/${PRODUCT}.

    b) If VARLIB is set in a shorewallrc file and VARDIR is not, then
       VARDIR is set to ${VARLIB}/${PRODUCT}.

    The Shorewall-core installer will automatically update
    ~/.shorewallrc and save the original in ~/.shorewallrc.bak

8)  Previously, the macro.SNMP macro opened both UDP ports 161 and 162
    from SOURCE to DEST. This is against the usual practice of opening
    these ports in the opposite direction. Beginning with Shorewall
    4.5.8, the SNMP macro opens port 161 from SOURCE to DEST as before,
    and a new SNMPTrap macro is added that opens port 162 (from SOURCE
    to DEST).

9)  Beginning with Shorewall 4.5.11, ?FORMAT is preferred over FORMAT
    for specifying the format of records in these configuration files:

        action.* files
        conntrack
        interface
        macro.* files
        tcrules

    While deprecated, FORMAT (without the '?') is still supported.

    Also, ?COMMENT is preferred over COMMENT for attaching comments to
    generated netfilter rules in the following files.

        accounting
        action.* files
        blrules files
        conntrack
        masq
        nat
        rules
        secmarks
        tcrules
        tunnels

    When one of the deprecated forms is encountered, a warning message
    is issued.

    Examples:

       WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' -
                consider running 'shorewall update -D'.

       WARNING: 'COMMENT' is deprecated in favor of '?COMMENT' -
                consider running 'shorewall update -D'.

    As the warnings indicate, 'update -D' will traverse the CONFIG_PATH
    replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT
    directives respectively. The original version of modified files
    will be saved with a .bak suffix.

    During the update, .bak files are skipped as are files in
    ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6.

10) To allow finer-grained selection of the connection-tracking states
    that are passed through blacklists (both dynamic and static), a
    BLACKLIST option was added to shorewall.conf and shorewall6.conf in
    Shorewall 4.5.13.

    The BLACKLISTNEWONLY option was deprecated at that point. A
    'shorewall update' ( 'shorewall6 update' ) will replace the
    BLACKLISTNEWONLY option with the equivalent BLACKLIST option.

11) In Shorewall 4.5.14, the BLACKLIST_LOGLEVEL option was renamed
    BLACKLIST_LOG_LEVEL to be consistent with the other log-level
    option names. BLACKLIST_LOGLEVEL continues to be accepted as a
    synonym for BLACKLIST_LOG_LEVEL, but a 'shorewall update' or
    'shorewall6 update' command will replace BLACKLIST_LOGLEVEL with
    BLACKLIST_LOG_LEVEL in the new .conf file.

12) Beginning with Shorewall 4.6.0, the default setting for 'ZONE2ZONE'
    is '-' rather than '2'. If you prefer to keep your pre-4.6.0 chain
    names, then specify ZONE2ZONE=2 in shorewall[6].conf.

13) Beginning with Shorewall 4.6.0, section headers are now preceded by
    '?' (e.g., '?SECTION ...').  If your configuration contains any
    bare 'SECTION' entries, the following warning is issued:

      WARNING: 'SECTION' is deprecated in favor of '?SECTION' -
               consider running 'shorewall update -D' ...

    As mentioned in the message, running 'shorewall[6] update -D' will
    eliminate the warning.

14) Beginning with Shorewall 4.6.0, the 'tcrules' file has been
    superseded by the 'mangle' file. Existing 'tcrules' files will
    still be processed, with the restriction that TPROXY is no longer
    supported in FORMAT 1.

    If your 'tcrules' file has non-commentary entries, the following
    warning message is issued:

        WARNING: Non-empty tcrules file (...);
                 consider running 'shorewall update -t'

    See shorewall6(8) for limitations of 'update -t'.

15) The default value of LOAD_HELPERS_ONLY is now 'Yes'.

16) Beginning with Shorewall 4.5.0, FORMAT-1 actions and macros are
    deprecated and a warning will be issued for each FORMAT-1 action
    or macro found.

      WARNING: FORMAT-1 actions are deprecated and support will be
               dropped in a future release.

      WARNING: FORMAT-1 macros are deprecated and support will be
               dropped in a future release.

    To eliminate these warnings, add the following line before the
    first rule in the action or macro:

      ?FORMAT 2

    and adjust the columns appropriately.

    FORMAT-1 actions have the following columns:

      TARGET
      SOURCE
      DEST
      PROTO
      DEST PORT(S)
      SOURCE PORT(S)
      RATE/LIMIT
      USER/GROUP
      MARK

    while FORMAT-2 actions have these columns:

      TARGET
      SOURCE
      DEST
      PROTO
      DEST PORT(S)
      SOURCE PORT(S)
      ORIGINAL DEST
      RATE/LIMIT
      USER/GROUP
      MARK
      CONNLIMIT
      TIME
      HEADERS (Used in IPv6 only)
      CONDITION
      HELPER

    FORMAT-1 macros have the following columns:

      TARGET
      SOURCE
      DEST
      PROTO
      DEST PORT(S)
      SOURCE PORT(S)
      RATE/LIMIT
      USER/GROUP

    while FORMAT-2 macros have these columns:

      TARGET
      SOURCE
      DEST
      PROTO
      DEST PORT(S)
      SOURCE PORT(S)
      ORIGINAL DEST
      RATE/LIMIT
      USER/GROUP
      MARK
      CONNLIMIT
      TIME
      HEADERS (Used in IPv6 only)
      CONDITION
      HELPER

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
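
The column shift described in the FORMAT-1/FORMAT-2 item above, as an added example that is not Shorewall's own 'update' code: a small POSIX shell/awk filter that rewrites a FORMAT-1 macro or action body into the FORMAT-2 layout. It assumes plain whitespace-separated columns with '-' placeholders and no alternate '{column=value}' specifications. ORIGINAL DEST becomes the seventh column, so a '-' is inserted there in every rule that has more than six columns (RATE/LIMIT, USER/GROUP and, for actions, MARK all move one column to the right), while rules with six or fewer columns are left as they are because trailing columns may be omitted. Comment lines, blank lines and '?' directives pass through unchanged, and '?FORMAT 2' is emitted ahead of the first rule.

```shell
#!/bin/sh
# Added example (not Shorewall code): convert a FORMAT-1 macro/action body
# to FORMAT-2 column layout by inserting the ORIGINAL DEST placeholder.
# Assumption: whitespace-separated columns, '-' placeholders, no embedded
# spaces in a column and no '{col=value}' alternate column syntax.

format1_to_format2() {
    # FORMAT-1 lines on stdin, FORMAT-2 lines on stdout.
    printf '?FORMAT 2\n'
    awk '
        # comments, blank lines and ?directives pass through unchanged
        /^[ \t]*#/ || /^[ \t]*[?]/ || NF == 0 { print; next }
        # at most six columns (through SOURCE PORT(S)): nothing to shift,
        # ORIGINAL DEST is column seven and trailing columns may be omitted
        NF <= 6 { print; next }
        {
            # rebuild the rule with "-" inserted as the new seventh column
            out = $1
            for (i = 2; i <= 6; i++) out = out "\t" $i
            out = out "\t-"
            for (i = 7; i <= NF; i++) out = out "\t" $i
            print out
        }
    '
}

# Demonstration on a constructed FORMAT-1 macro body: an SSH-style rule
# that also carries a RATE/LIMIT value, which must move right by one column.
format1_to_format2 <<'EOF'
#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   RATE    USER
PARAM   -       -       tcp     22      -       3/min:5
EOF
```

The '#ACTION ...' column header comment is passed through as-is, so update it by hand to match the new layout; the filter only touches rule lines. Run the result through 'shorewall check' before putting it into service.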

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
Tadd M. Balfour | 13 May 23:46 2014

new to shorewall > need help with incorrect eth_wan link negotiation

I'm new to Shorewall, but not to Linux.

I've been brought on to a project where the Shorewall seems to be hindering the overall bandwidth out to the cloud.

The business has a 50M x 5M fiber circuit with TW Cable.

When they run a speed test from inside the LAN, they are getting horrible download speeds.  Less than 3MB!

The TW Level III Tech indicated that he felt that it was the Firewall that was causing the issues.

My job is to figure out if that is the case.

After poking around, I ran the following command:  /sbin/mii-tool -v eth_wan

and got these results:

eth_wan: negotiated 100baseTx-FD flow-control, link ok
  product info: vendor 00:50:43, model 11 rev 1
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control

That looks to me like it is negotiating only a 100 Megabit connection.

Is that correct?

What else can I do to see what is going on?

Here is some more info:

Linux firewall 3.2.1-gentoo-r2 #2 SMP Fri Sep 21 16:28:20 CDT 2012 x86_64 Intel(R) Atom(TM) CPU D525 @ 1.80GHz Genuine Intel GNU/Linux

I'm afraid to make any changes as I don't want to bring this entire business down, but I need to positively identify, if not resolve, the issue.

Can anyone kindly please advise?

Thanks!

Tadd in Austin, TX

emilianovazquez | 13 May 18:22 2014

TC fails when ppp is down

Hi guys!

In this scenario we have 2 dsl connections (ppp1 and ppp2) with tc filters enabled.

The files have everything and run ok! And ppp1 and ppp2 are fixed in file
/etc/ppp/peers/dsl-provider-eth1[2] with unit=1 and unit=2. This config makes eth1 always get the same
ppp number (ppp1) and eth2 likewise (ppp2).

The problem is when the machine gets rebooted and one dsl is down.

The error is about a misconfigured interface in /etc/shorewall/tcinterfaces and it never goes up.

Is there an "optional" like in /etc/shorewall/interfaces ???

I almost forgot! I'm running Ubuntu 12.04 64bits in a headless server.

Best regards!

Emiliano

Sent from my Personal BlackBerry (http://www.personal.com.ar/)
