Tom Eastep | 18 Sep 21:15 2015

Shorewall 4.6.13.1

4.6.13.1 is now available for download.

Problems Corrected:

1)  Previously, the 'reset' command would fail if chain names were
    included. Now, the command succeeds, provided that all of the
    specified chains exist in the filter table.

2)  The TCP meta-connection is now supported by the Tinc macro and
    tunnel type. Previously, only the UDP data connection was
    supported.

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

SancheZZS . | 18 Sep 16:02 2015

Issue with Interface usable and providers

Hi all,

I get warnings during start shorewall

 * Starting shorewall ...
   WARNING: Interface id3 is not usable -- Provider ISP1 (1) not Started
   WARNING: Interface ppp0 is not usable -- Provider ISP2 (2) not Started
   WARNING: No Default route added (all 'balance' providers are down)

I don't understand what happens. Any advice is greatly appreciated.

# ls /proc/sys/net/ipv4/conf
all  default  eth0  eth0.13  eth0.15  eth0.16  eth0.17  eth0.18
eth0.19  id10  id11  id12  id13  id2  id3  id4  id5  id6  id7  id8
id9  lo  ppp0

# cat providers
#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
ISP1 1 1 - id3   2.2.2.9 track,balance=1
ISP2 2 2 - ppp0  8.8.4.8 track,balance=2

# cat interfaces
#ZONE           INTERFACE               OPTIONS
wan1    id3     wait=10,optional
wan2    ppp+    wait=10,dhcp,optional
offc   id5  dhcp
tech  eth0  dhcp
gb  id6  dhcp
www  id7  dhcp

Răzvan Sandu | 17 Sep 13:32 2015

[RFE] Please include tinc macro in stock shorewall package

Hello,

Please include tinc macro (macro.Tinc file) in stock shorewall package 
(under /usr/share/shorewall for IPv4 and the corresponding place for IPv6).

Tinc (http://www.tinc-vpn.org/) is a popular VPN solution, similar to 
OpenVPN, but mesh-capable. It uses standard port 655 on both TCP and UDP.

So, for the ease of use, please add the following macros in shorewall's kit:

#
# Shorewall version 4 - Tinc Macro
#
# /usr/share/shorewall/macro.Tinc
#
#       This macro handles tinc VPN traffic.
#
###############################################################################
?FORMAT 2
###############################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGIN  RATE    USER/
#                               PORT(S) PORT(S) DEST    LIMIT   GROUP
PARAM   -       -       udp     655
PARAM   -       -       tcp     655

Thanks a lot,
Răzvan

Attachment (razvan_sandu.vcf): text/x-vcard, 507 bytes

Wayne S | 16 Sep 03:13 2015

Ipset not save/restoring - Debian Jessie systemd

Not sure what has changed, but my shorewall will no longer start on power up because ipset is not restored. I
am running Debian Jessie with systemd. I have SAVE_IPSETS=Yes in shorewall.conf. This has been working
fine for quite a while on this system but now fails.

According to the documentation, shorewall needs to be stopped in order to save and restore the ipset.

Is anyone familiar with systemd to know how to make sure shorewall is stopped properly on reboot or poweroff?

Wayne

Hristo Benev | 14 Sep 19:53 2015

List of IPs

Hi,

I'm trying to get a list of IPs under a variable (zone).

I'm thinking of using hosts and zone.

Is that the best way, or is there another one?

The goal is to allow access on some ports for a geo-distributed monitoring system (multiple single IPs).

Thanks,

Hristo

Davide Marini | 14 Sep 11:50 2015

MACLIST option and dhcp server

Hi all,
my name is Davide Marini. I've been using Shorewall for a while, but this is 
the first time I'm writing on this ML.
This is my scenario: I'm using the MACLIST option, so I properly edited 
the necessary files (maclist, interfaces etc.) in order to make it 
work... and it's working flawlessly; the policy is DROP for packets with 
no IP/MAC binding.

Now, on the same machine where Shorewall is running, I also have a DHCP 
server for my LAN with DHCP reservations (the reservations are exactly the 
same IP/MAC pairs listed in the maclist file).
The devices have no fixed IP; they receive an IP from the DHCP server, and the 
ones with a reservation can pass traffic while the others are blocked.
This is important because it saves me from configuring every single device 
with a fixed IP; I can do everything remotely, I just need to know the 
MAC address.

The problem now is that the maclist option in Shorewall creates the blocking 
rule at the top of the INPUT chain, and this is blocking all DHCP 
requests from clients to my DHCP server (running on the same server 
machine), so even the clients in the maclist can't receive an IP address 
and they can't pass any traffic.
I tried to put some rules in the /etc/shorewall/rules file, but I can't 
put anything prior to the maclist rule (maybe there is a way I don't know).

At the moment I'm using a workaround: I edited the /etc/shorewall/start 
script file, putting in the right iptables rules to allow clients to talk 
with the DHCP server (INPUT accept UDP ports 67 and 68).
It is working... but I would prefer to use a more "standard" way to make 
it work... do you have any advice?
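A consistency check for the setup described in this post, added here as an example (not code from the post or from the Shorewall project): it parses a maclist file and the DHCP reservations and reports MACs present in one file but not the other, or reserved to an IP the maclist does not allow. The sample file contents are constructed, and ISC dhcpd.conf syntax for the reservations is an assumption.

```python
import re

# Constructed sample of /etc/shorewall/maclist (columns: DISPOSITION INTERFACE MAC IP ADDRESSES).
MACLIST = """\
#DISPOSITION  INTERFACE  MAC                IP ADDRESSES
ACCEPT        eth1       00:11:22:33:44:55  192.168.1.10
ACCEPT        eth1       00:11:22:33:44:66  192.168.1.11
ACCEPT        eth1       00:11:22:33:44:77
"""
# Constructed sample of the reservations, in ISC dhcpd.conf syntax (assumed DHCP server).
DHCPD_CONF = """\
host printer { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.1.10; }
host laptop  { hardware ethernet 00:11:22:33:44:66; fixed-address 192.168.1.12; }
host camera  { hardware ethernet 00:11:22:33:44:88; fixed-address 192.168.1.13; }
"""
HOST_RE = re.compile(r"host\s+\S+\s*\{[^}]*?hardware ethernet\s+([0-9a-fA-F:]+);"
                     r"[^}]*?fixed-address\s+([\d.]+);", re.S)

def parse_maclist(text):
    """MAC -> set of allowed IPs for ACCEPT entries (empty set when the IP column is omitted)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()          # drop comments, split columns
        if len(fields) >= 3 and fields[0].upper() == "ACCEPT":
            entries[fields[2].lower()] = set(fields[3].split(",")) if len(fields) > 3 else set()
    return entries

def parse_dhcpd(text):
    """MAC -> fixed address for every host block that carries a reservation."""
    return {mac.lower(): ip for mac, ip in HOST_RE.findall(text)}

def compare(maclist, reservations):
    """Sorted (mac, problem) pairs: every way the two files can drift apart."""
    issues = []
    for mac, ip in reservations.items():
        if mac not in maclist:
            issues.append((mac, "reserved in dhcpd but missing from maclist"))
        elif maclist[mac] and ip not in maclist[mac]:   # empty set means any IP is allowed
            issues.append((mac, f"dhcpd assigns {ip}, maclist allows {sorted(maclist[mac])}"))
    for mac in maclist.keys() - reservations.keys():
        issues.append((mac, "in maclist but has no dhcpd reservation"))
    return sorted(issues)
```

On the constructed samples the check reports three problems: a reservation whose address differs from the maclist entry, a maclist MAC with no reservation, and a reserved MAC the maclist does not know.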

Jeremy Baker | 11 Sep 21:35 2015

accounting rules

Is there a command to zero the counters in the accountin, accountout,
and accountfwd chains?
-- 
Jeremy Baker <jab <at> mbcs.ca>
GnuPGP fingerprint =
EE66 AC49 E008 E09A 7A2A  0195 50EF 580B EDBB 95B6

Michael Johannes | 9 Sep 05:14 2015

ie: (2)
=======================
The Christian reso'lutio'n to' find the wo'rld ugly and bad has made the wo'rld ugly and bad.
Hank Palinski
Tom Eastep | 8 Sep 21:17 2015

Shorewall 4.6.13

Shorewall 4.6.13 is now available for download.

Shorewall 4.6.13 is scheduled to be the last 4.6 release. In
the fall of this year, Shorewall 5.0.0 will be available - please see
http://www.shorewall.org/Shorewall-5.html for information about
preparing to migrate to Shorewall 5.

Problems Corrected:

1)  The 'rules' file manpages have been corrected regarding the packets
    that are processed by rules in the NEW section.

2)  Parsing of IPv6 address ranges has been corrected. Previously, use
    of ranges resulted in 'Invalid IPv6 Address' errors.

3)  The shorewall6-hosts man page has been corrected to show the
    proper contents of the HOST(S) column.

4)  Previously, INLINE statements in the mangle file were not
    recognized if a chain designator (:F, :P, etc.) followed
    INLINE(...). As a consequence, additional matches following a
    semicolon were interpreted as column/value pairs unless
    INLINE_MATCHES=Yes, resulting in compilation failure.

5)  Inline matches on IP[6]TABLE rules could be ignored if
    INLINE_MATCHES=No. They are now recognized.

6)  Specifying an action with a logging level in one of the _DEFAULT
    options in shorewall[6].conf (e.g., REJECT_DEFAULT=Reject:info)
    produced a compilation error:

      ERROR: Invalid value (:info) for first Reject parameter
             /usr/share/shorewall/action.Reject (line 52)

    That has been corrected. Note, however, that specifying logging
    with a default action tends to defeat one of the main purposes of
    default actions which is to suppress logging.

7)  Previously, it was necessary to set TC_EXPERT=Yes to have full
    access to the user mark in fw marks. That has been corrected so
    that any place that a mark or mask can be specified, both the TC
    mark and the User mark are accessible.

New Features:

1)  'update -t' now converts both the tcrules and tos files.

2)  'second' and 'minute' are now allowed in the LOGLIMIT
    specification in place of 'sec' and 'min' respectively.

3)  The 'update' command now converts additional deprecated option
    settings:

    - LOGRATE/LOGBURST are converted to the equivalent LOGLIMIT
      setting.

    - BLACKLISTNEWONLY is now converted to the equivalent BLACKLIST
      setting.

4)  Two settings now have more reasonable defaults if they don't appear
    in the .conf file being updated:

    - USE_DEFAULT_RT now defaults to No
    - EXPORTMODULES now defaults to No.

5)  When the 'update' command is converting a deprecated file, it now
    makes additional checks when it finds a target file (mangle,
    stoppedrules or blrules) to append the converted rules to:

    - If the file is in the directory $SHAREDIR/$product/configfiles/,
      the file is not opened.
    - If the file is in the directory
      $SHAREDIR/doc/$product/default-config/, the file is not opened.
    - If the file is not writable, the file is not opened.

    When the file isn't opened because of one of these checks, an
    attempt is made to create a new file in either the directory
    specified on the command line (if any) or in the first directory
    listed in the CONFIG_PATH setting.

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Bill Shirley | 8 Sep 21:10 2015

Shorewall6: Documentation

http://shorewall.net/manpages6/shorewall6-mangle.html
has TTL but Shorewall6 won't let you use it:
Checking /etc/shorewall6/mangle...
    ERROR: TTL is not supported in IPv6 - use HL instead /etc/shorewall6/mangle (line 29)

shorewall6 check works after changing TTL to HL.

HL is not documented though.

Thanks for all you do,
Bill

------------------------------------------------------------------------------
Vieri Di Paola | 8 Sep 15:05 2015

providers track option and rtrules

Hi,

My goal is to have 2 NICs associated with 2 providers for specific private IP address ranges (e.g. all traffic
to/from 10.215.224.0/20 should go through these two providers).
Another NIC allows access to the Internet and that should be the default route.
The other NIC, of course, is connected to the local network.

At the moment I don't want to load-balance outgoing connections. I understand that I can force outbound
connections with rtrules:

10.215.247.194          10.215.236.221          IBS             11000
-                       10.215.224.0/20         CAIB            11001

So connections from "lan" src 10.215.247.194 to destination 10.215.236.221 will imperatively go via IBS provider.
All other connections to 10.215.224.0/20 will go through CAIB provider.

Now, suppose "providers" contains the following:

CAIB    1       1       -       $IF_CAIB        $ADDR_GW_CAIB   loose,track
IBS     2       2       -       $IF_IBS         $ADDR_GW_IBS    loose,track

and the remote router behind IBS and CAIB decides to send a packet from 10.215.236.221 to 10.215.247.194
via the CAIB provider (new connection), then where will Shorewall reply?
If the "track" option is specified in "providers", then the packet will be MARKed with 1 in this case and I
guess that it should go back out via the CAIB provider DESPITE the rtrule shown above, right?

However, "shorewall show routing" displays among other things:

Routing Rules

0:      from all lookup local
1:      from all fwmark 0x200/0x200 lookup Tproxy
220:    from all lookup 220
999:    from all lookup main
10000:  from all fwmark 0x1/0xff lookup CAIB
10001:  from all fwmark 0x2/0xff lookup IBS
11000:  from 10.215.247.194 to 10.215.236.221 lookup IBS
11001:  from all to 10.215.224.0/20 lookup CAIB
32765:  from all lookup balance
32767:  from all lookup default

Furthermore, table "default" is empty and table "main" has:
default via 172.16.0.2 dev enp4s1

Note: 172.16.0.2 is my internet gateway.

Trying to initiate from 10.215.247.194 to 10.215.236.221 does not go out the IBS provider, probably
because we're reaching the "main" table and the default route to 172.16.0.2.
Likewise, any incoming CAIB connections will hit the default internet gateway in "main" before looking up
CAIB table.

Would moving "default via 172.16.0.2 dev enp4s1 metric 4" from "main" to "default" make sense?
If so, how can I do that?

I'm attaching a shorewall dump.

Thanks,

Vieri
Attachment (dump.gz): application/gzip, 43 KiB
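The rule walk this post reasons about, added here as an example (not code from the post or from the Shorewall project): it parses the "Routing Rules" listing quoted above and resolves a packet the way the kernel does, taking the first rule whose table actually holds a matching route, then repeats the lookup with main's default route moved into the "default" table as the post proposes. The contents of the CAIB and IBS tables (with placeholder gateways) and the other tables holding no matching route are assumptions; main's default route is the one quoted.

```python
import ipaddress
import re
# Rules exactly as printed by "shorewall show routing" in the post (already in priority order).
RULES_TEXT = """\
0:      from all lookup local
1:      from all fwmark 0x200/0x200 lookup Tproxy
220:    from all lookup 220
999:    from all lookup main
10000:  from all fwmark 0x1/0xff lookup CAIB
10001:  from all fwmark 0x2/0xff lookup IBS
11000:  from 10.215.247.194 to 10.215.236.221 lookup IBS
11001:  from all to 10.215.224.0/20 lookup CAIB
32765:  from all lookup balance
32767:  from all lookup default
"""
# Tables as "prefix rest" strings. Only main's default route is quoted in the post;
# the CAIB/IBS routes (placeholder gateways) are constructed, and tables absent here
# (local, Tproxy, 220, balance) are assumed to hold no route for the packets tried.
TABLES = {"main": ["0.0.0.0/0 via 172.16.0.2 dev enp4s1"], "default": [],
          "CAIB": ["10.215.224.0/20 via GW_CAIB dev IF_CAIB"], "IBS": ["10.215.224.0/20 via GW_IBS dev IF_IBS"]}
RULE_RE = re.compile(r"(\d+):\s+from (\S+)(?: to (\S+))?"
                     r"(?: fwmark (0x[0-9a-f]+)/(0x[0-9a-f]+))? lookup (\S+)")
def lookup(table, dst, tables):
    """Longest-prefix match within one table; None when it holds no route for dst."""
    best = None
    for route_str in tables.get(table, []):
        net = ipaddress.ip_network(route_str.split()[0])
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route_str)
    return best[1] if best else None

def route(src, dst, fwmark=0, tables=TABLES):
    """Kernel order: first rule (by priority) whose table answers wins -> (prio, table, route)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, rsrc, rdst, mark, mask, table in RULE_RE.findall(RULES_TEXT):
        if rsrc != "all" and src not in ipaddress.ip_network(rsrc):
            continue                          # 'from' selector does not match
        if rdst and dst not in ipaddress.ip_network(rdst):
            continue                          # 'to' selector does not match
        if mark and (fwmark & int(mask, 16)) != int(mark, 16):
            continue                          # fwmark/mask selector does not match
        if found := lookup(table, dst, tables):
            return int(prio), table, found    # a route in this table ends the walk
    return None
def with_default_moved(tables):
    """The change the post asks about: default route taken out of main, placed in 'default'."""
    moved = {k: [r for r in v if not r.startswith("0.0.0.0/0")] for k, v in tables.items()}
    moved["default"] = [r for r in tables["main"] if r.startswith("0.0.0.0/0")]
    return moved
```

With the default route in main, rule 999 answers every packet before rules 10000 to 11001 are reached; after the move, the same packet reaches rule 11000 (IBS), a track-marked reply with mark 1 reaches rule 10000 (CAIB), and Internet-bound traffic falls through to rule 32767.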