Gerhard Wiesinger | 23 Jan 14:59 2015

Multiple Zones

Hello,

Is it possible to specify multiple zones or define virtual zones to get 
better readability?

e.g. the following config (all cannot be used because there are more than 
these 3 zones):
SSH(ACCEPT)     loc             $FW
SSH(ACCEPT)     loc             dmz
SSH(ACCEPT)     loc             net

# Should be written as:
SSH(ACCEPT)     loc             $FW,dmz,net

# Or virtual zone:
fw-dmz-net: $FW,dmz,net
SSH(ACCEPT)     loc             fw-dmz-net

# or subtract it (% means subtract, just for illustration):
SSH(ACCEPT)     loc             all%dmz2%dmz3

# so can look like for generating the whole n x m product:
SSH(ACCEPT)     loc,dmz4             all%dmz2%dmz3

Any plan to implement such a feature if it is not possible?

Thnx.

Ciao,
Gerhard

Gerhard Wiesinger | 23 Jan 14:29 2015

Double logs

Hello,

I'm having a problem that I get doubled logs:
Jan 23 14:22:05 fw kernel: [63639.395178] SW:net2fw: ....
Jan 23 14:22:05 fw kernel: SW:net2fw: ...

I have already read the Shorewall FAQ and logging documentation and debugged rsyslog.

It looks like 2 messages are generated:
1.) via kernel logging (=> also ends up in rsyslog via $ModLoad imklog)
2.) via syslog

I know I can filter out one of the messages in rsyslog. But I want to avoid 
the generation of the 2 messages.

And: ULOG is not an option due to IPv6.

Any ideas why 2 messages are generated and how to avoid it?

OS: Fedora 21 latest

Thank you.

Ciao,
Gerhard
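As an added example (not the poster's code or Shorewall's), the check below confirms the diagnosis before anything is filtered: it strips the kernel ring-buffer timestamp that imklog prepends, groups Shorewall log lines that are otherwise identical, and reports how many arrived on both paths. The log lines are constructed to match the shape quoted above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the doubled lines quoted in the post (not the poster's real log).
# Each SW: message appears once with the kernel ring-buffer timestamp "[secs.usecs]" (the imklog
# copy) and once without it (the copy that reached rsyslog through the syslog socket).
SAMPLE_LOG = """\
Jan 23 14:22:05 fw kernel: [63639.395178] SW:net2fw:DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=23
Jan 23 14:22:05 fw kernel: SW:net2fw:DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=23
Jan 23 14:22:06 fw kernel: [63640.102233] SW:net2fw:DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=UDP DPT=161
Jan 23 14:22:06 fw kernel: SW:net2fw:DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=UDP DPT=161
Jan 23 14:22:07 fw kernel: [63641.000001] SW:loc2net:ACCEPT: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.9 PROTO=TCP DPT=443
Jan 23 14:22:07 fw sshd[812]: Accepted publickey for admin from 10.0.0.5 port 50122
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<ring>\[ *\d+\.\d+\] )?(?P<msg>SW:.*)$"
)

def parse(line):
    """Split a Shorewall kernel log line into a path-independent key and the path that delivered it."""
    m = LINE_RE.match(line)
    if m is None:
        return None          # not a Shorewall netfilter log line
    return {"key": (m["ts"], m["host"], m["msg"]),
            "path": "imklog" if m["ring"] else "syslog"}

def group_by_message(text):
    """Map each normalised message to the set of delivery paths it was seen on."""
    paths = defaultdict(set)
    for line in text.splitlines():
        p = parse(line)
        if p is not None:
            paths[p["key"]].add(p["path"])
    return paths

def summarize(text):
    """Return (messages logged on both paths, messages logged once)."""
    groups = group_by_message(text)
    doubled = sum(1 for s in groups.values() if len(s) == 2)
    return doubled, len(groups) - doubled

if __name__ == "__main__":
    doubled, single = summarize(SAMPLE_LOG)
    print(f"{doubled} message(s) arrived via both imklog and syslog, {single} only once")
```

If every SW: message shows up on both paths, the duplication is in the log delivery, not in the netfilter rules themselves.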


Orlandinei Vujanski | 22 Jan 18:45 2015

block all IP addresses originating from the country of India

Good afternoon!
I need help.
I have to block all IP addresses originating from the country of India.
I already know the networks; there are approximately 500 networks.
If I put each of the networks in /etc/shorewall/rules, it will be very large and confusing.
How could I keep the networks in a separate file by country?
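As an added example (not the poster's code or Shorewall's), the helper below reads a per-country prefix file, collapses adjacent and nested prefixes so fewer rules are needed, checks whether a given address would be covered, and renders the result as rule lines. The file path, the sample prefixes and the ACTION/SOURCE/DEST column layout are assumptions for illustration.

```python
import ipaddress

# Constructed sample netblock file for one country. These are documentation prefixes
# (RFC 5737), not a real allocation list; a real file would hold the ~500 prefixes.
COUNTRY_FILE = """\
# /etc/shorewall/blocklists/india.txt  (hypothetical path)
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.0/26      # nested in the /24 above
192.0.2.0/24
"""

def load_prefixes(text):
    """Parse one prefix per line, ignoring blanks and '#' comments; reject malformed prefixes."""
    nets = []
    for raw in text.splitlines():
        field = raw.split("#", 1)[0].strip()
        if field:
            nets.append(ipaddress.ip_network(field, strict=True))  # strict: host bits must be zero
    return nets

def collapse(nets):
    """Merge adjacent prefixes and drop nested ones, so the firewall gets the minimum rule count."""
    return list(ipaddress.collapse_addresses(nets))

def covering(addr, nets):
    """Prefixes in nets that contain addr; empty if the address would not be blocked."""
    ip = ipaddress.ip_address(addr)
    return [n for n in nets if ip in n]

def render_rules(nets, zone="net", action="DROP"):
    """Render rule lines in an assumed blrules-style ACTION SOURCE DEST layout for a separate file."""
    return [f"{action}\t{zone}:{n.with_prefixlen}\tall" for n in nets]

if __name__ == "__main__":
    raw = load_prefixes(COUNTRY_FILE)
    merged = collapse(raw)
    print(f"{len(raw)} prefixes in file -> {len(merged)} rules after collapsing")
    print("\n".join(render_rules(merged)))
```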
Bill Shirley | 19 Jan 04:24 2015

ERROR: Invalid ACTION (RESTORE/0xff00) /etc/shorewall/mangle (line 36)

Setting up a new server with shorewall-4.6.5.3-1.fc21.noarch

Copied rules from old server (shorewall-4.5.15-1.fc19.noarch).
Moved tcrules -> mangle.
Ran 'shorewall check' and got:
Checking /etc/shorewall/mangle...
    ERROR: Invalid ACTION (RESTORE/0xff00) /etc/shorewall/mangle (line 36)

The mangle rule:
RESTORE/$CONNMASK:P -               -               all     -               - -       0/$CONNMASK

parms:
CONNMASK=0xff00

shorewall.conf:
TC_ENABLED=Internal
#TC_ENABLED=No
TC_EXPERT=Yes

TC_BITS=8
MASK_BITS=8
PROVIDER_OFFSET=24
PROVIDER_BITS=0
ZONE_BITS=5

The RESTORE action is in the mangle documentation so I'm thinking Shorewall is choking on the mask?

Thanks in advance for any help,
Bill

Bill Shirley | 19 Jan 03:40 2015

ERROR: SAVE rules are not allowed in the INPUT chain

I'm setting up a new server to be a backup of the production server.

Production is running Fedora 19: shorewall-4.5.15-1.fc19.noarch

New server is running Fedora 21: shorewall-4.6.5.3-1.fc21.noarch

I've copied over my Shorewall configuration files and when I run 'shorewall check' I get:
Checking /etc/shorewall/tcrules...
    ERROR: SAVE rules are not allowed in the INPUT chain /etc/shorewall/tcrules (line 198)

The relevant rules are:
?COMMENT -vpn- decrypted
SAVE/$CONNMASK                  $mem_net        $FW !esp    ; state=NEW test=$MEM_VPN1_FWMARK/$CONNMASK
SAVE/$CONNMASK                  $mem_net        $FW !esp    ; state=NEW test=$MEM_VPN2_FWMARK/$CONNMASK
SAVE/$CONNMASK                  $phx_net        $FW !esp    ; state=NEW test=$PHX_VPN_FWMARK/$CONNMASK
SAVE/$CONNMASK                  $sfn_net        $FW !esp    ; state=NEW test=$SFN_VPN1_FWMARK/$CONNMASK
SAVE/$CONNMASK                  $sfn_net        $FW !esp    ; state=NEW test=$SFN_VPN2_FWMARK/$CONNMASK

My question is: Why can't I do a SAVE in the INPUT chain?  Am I doing something stupid?

Bill

Tom Eastep | 16 Jan 19:51 2015

Shorewall 4.6.6

The Shorewall team is pleased to announce the availability of Shorewall
4.6.6.

Problems Corrected:

1)  This release includes defect repair from Shorewall 4.6.5.5 and
    earlier releases.

2)  Previously, a line beginning with 'shell' was interpreted as a
    shell script. Now, the line must begin with 'SHELL'
    (case-sensitive).

    Note that ?SHELL and BEGIN SHELL are still case-insensitive.

New Features:

1)  Previously, the firewall products (Shorewall, Shorewall6 and
    *-lite) specified "After=network.target" in their .service files.

    Beginning with this release, those products specify
    "After=network-online.target" like the service.214 files. This
    change is intended to delay firewall startup until after network
    initialization is complete.

2)  The 'TARPIT' target is now supported in the rules file. Using this
    target requires the appropriate support in your kernel and
    iptables. This feature implements a new "TARPIT Target" capability,
    so if you use a capabilities file, then you need to regenerate the
    file after installing this release.

    TARPIT captures and holds incoming TCP connections using no local
    per-connection resources.

    TARPIT only works with the PROTO column set to tcp (6), and is
    totally application agnostic. This module will answer a TCP request
    and play along like a listening server, but aside from sending an
    ACK or RST, no data is sent. Incoming packets are ignored and
    dropped. The attacker will terminate the session eventually. This
    module allows the initial packets of an attack to be captured by
    other software for inspection. In most cases this is sufficient to
    determine the nature of the attack.

    This offers similar functionality to LaBrea
    <http://www.hackbusters.net/LaBrea/> but does not require dedicated
    hardware or IPs. Any TCP port that you would normally DROP or
    REJECT can instead become a tarpit.

    The target accepts a single optional parameter:

        tarpit (default)

          This mode completes a connection with the attacker but limits
          the window size to 0, thus keeping the attacker waiting long
          periods of time. While he is maintaining state of the
          connection and trying to continue every 60-240 seconds, we
          keep none, so it is very lightweight. Attempts to close the
          connection are ignored, forcing the remote side to time out
          the connection in 12-24 minutes.

        honeypot

          This mode completes a connection with the attacker, but
          signals a normal window size, so that the remote side will
          attempt to send data, often with some very nasty exploit
          attempts. We can capture these packets for decoding and
          further analysis. The module does not send any data, so if
          the remote expects an application level response, the game
          is up.

        reset

          This mode is handy because we can send an inline RST
          (reset). It has no other function.

3)  A 'loopback' option has been added to the interfaces files to
    designate the interface as the loopback device. This option is
    assumed if the device's physical name is 'lo'. Only one
    interface may specify 'loopback'.

    If no interface has physical name 'lo' and no interface specifies
    the 'loopback' option, then the compiler implicitly defines an
    interface as follows:

        #ZONE	 INTERFACE	OPTIONS
        -	 lo		ignore,loopback

4)  The compiler now takes advantage of the iptables 'iface' match
    capability for identifying loopback traffic.

5)  The 'primary' provider option has been added as a synonym for
    'balance=1'. The rationale for this addition is that 'balance'
    seems inappropriate when only a single provider specifies that
    option. For example, if there are two providers and one specifies
    'fallback', then the other would specify 'primary' rather than
    'balance'.

6)  Two new Macros have been contributed:

    Zabbix - Tuomo Soini
    Tinc   - Răzvan Sandu

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Gerhard Wiesinger | 15 Jan 09:02 2015

Access to external service ip from internal subnet

Hello,

I've a project with the classic 3 zones: internet, internal net, DMZ.

Some public tcp services provided to the internet by DMZ services (e.g. 
mydomain.example.com) should be also available WITHOUT split DNS from 
the internal subnet. Therefore some forwards are configured from the 
firewall to the DMZ.

What's the best shorewall configuration to route traffic from the 
internal subnet with the public IP also to the DMZ service?
Any other preferred solution?

Reason is that for clients all the configuration (mydomain.example.com, 
certificates) are the same.

I hope my requirements are clear, if not just ask.

Thanx.

Ciao,
Gerhard

Artur Uszyński | 13 Jan 11:45 2015

Helper modules on Fedora 21

Hello.

Posting it just FYI.

Shorewall does not load some very needed modules on Fedora 21. This happens because
netfilter modules are compressed: file names end with .ko.xz instead of .ko, and
Shorewall looks only for *.ko files. I have created the bug report at
https://bugzilla.redhat.com/show_bug.cgi?id=1181504, because I think it is specific
to Fedora 21 only.

Regards.
-- 
Artur

Tom Eastep | 11 Jan 19:24 2015

Shorewall 4.6.5.5

This release adds Tuomo Soini's fix for Shorewall-init to 4.6.5.5.
Previously, the ifupdown scripts were looking in the wrong directory for
the firewall script.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep | 10 Jan 16:01 2015

Shorewall 4.6.5.4

Shorewall 4.6.5.4 is now available for download.

Problems corrected since 4.6.5.3:

1)  The '-c' option of the 'dump' and 'show routing' commands is now
    documented.

2)  The handling of the 'DIGEST' environmental variable has been
    corrected in the Shorewall installer. Previously, specifying that
    option would not correctly update the Chains module which led to a
    Perl compilation failure.

3)  Handling of ipset names in PORT columns has been
    corrected. Previously, such usage resulted in an invalid iptables
    rule being generated.

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Jan Lühr | 9 Jan 22:42 2015

Why is shorewall6 blocking ICMPv6 NS?

Hello folks,

I'm lost. For some reason, shorewall6 is blocking ICMPv6 Neighbor
Solicitation.

Shorewall6 itself is running on one VM host, connecting different
LXC-Containers using a bridge (br-guests).
NS between guests is blocked :-/.

Details:
https://gist.github.com/anonymous/a39bf4d5f6c71fa9bb02

Do you get what's wrong? I'm staring at the log without seeing anything
useful.

Thanks in advance,
yanosz
