diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/action.Drop shorewall6-4.4.7/action.Drop
--- shorewall6-4.4.6/action.Drop	2010-01-14 08:36:22.000000000 -0800
+++ shorewall6-4.4.7/action.Drop	2010-02-11 07:29:41.000000000 -0800
@@ -22,7 +22,7 @@
 #
 # Reject 'auth'
 #
-Auth/REJECT
+Auth(REJECT)
 #
 # ACCEPT critical ICMP types
 #
@@ -35,7 +35,7 @@
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB/DROP
+SMB(DROP)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/action.Reject shorewall6-4.4.7/action.Reject
--- shorewall6-4.4.6/action.Reject	2010-01-14 08:36:22.000000000 -0800
+++ shorewall6-4.4.7/action.Reject	2010-02-11 07:29:41.000000000 -0800
@@ -18,7 +18,7 @@
 #
 # Don't log 'auth' -- REJECT
 #
-Auth/REJECT
+Auth(REJECT)
 #
 # ACCEPT critical ICMP types
 #
@@ -32,7 +32,7 @@
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB/REJECT
+SMB(REJECT)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/changelog.txt shorewall6-4.4.7/changelog.txt
--- shorewall6-4.4.6/changelog.txt	2010-01-14 08:38:22.000000000 -0800
+++ shorewall6-4.4.7/changelog.txt	2010-02-11 10:50:26.000000000 -0800
@@ -1,3 +1,27 @@
+Changes in Shorewall 4.4.7
+
+1) Backport optimization changes from 4.5.
+
+2) Backport two new options from 4.5.
+
+3) Backport TPROXY from 4.5
+
+4) Add TC_PRIOMAP to shorewall*.conf
+
+5) Implement LOAD_HELPERS_ONLY
+
+6) Avoid excessive module loading with LOAD_HELPERS_ONLY=Yes
+
+7) Fix case where MARK target is unavailable.
+
+8) Change default to ADD_IP_ALIASES=No
+
+9) Correct defects in generate_matrix().
+
+10) Fix and optimize 'nosmurfs'.
+
+11) Use 'OLD_HL_MATCH' to suppress use of 'flow' in Simple TC.
+
 Changes in Shorewall 4.4.6
 
 1) Fix for rp_filter and kernel 2.6.31.
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/fallback.sh shorewall6-4.4.7/fallback.sh
--- shorewall6-4.4.6/fallback.sh	2010-01-14 08:36:22.000000000 -0800
+++ shorewall6-4.4.7/fallback.sh	2010-02-11 07:29:41.000000000 -0800
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
 
-VERSION=4.4.6
+VERSION=4.4.7
 
 usage() # $1 = exit status
 {
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/helpers shorewall6-4.4.7/helpers
--- shorewall6-4.4.6/helpers	1969-12-31 16:00:00.000000000 -0800
+++ shorewall6-4.4.7/helpers	2010-02-11 07:29:41.000000000 -0800
@@ -0,0 +1,36 @@
+#
+# Shorewall6 version 4 - Helpers File
+#
+# /usr/share/shorewall6/helpers
+#
+# This file loads the modules that may be needed by the firewall.
+#
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
+#
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
+#
+###############################################################################
+#
+# Helpers
+#
+loadmodule nf_conntrack_amanda
+loadmodule nf_conntrack_ftp
+loadmodule nf_conntrack_h323
+loadmodule nf_conntrack_irc
+loadmodule nf_conntrack_netbios_ns
+loadmodule nf_conntrack_netbios_ns
+loadmodule nf_conntrack_netlink
+loadmodule nf_conntrack_pptp
+loadmodule nf_conntrack_proto_sctp
+loadmodule nf_conntrack_proto_udplite
+loadmodule nf_conntrack_sane
+loadmodule nf_conntrack_sip sip_direct_media=0
+loadmodule nf_conntrack_pptp
+loadmodule nf_conntrack_proto_gre
+loadmodule nf_conntrack_proto_sctp
+loadmodule nf_conntrack_sip
+loadmodule nf_conntrack_tftp
+loadmodule nf_conntrack_sane
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/install.sh shorewall6-4.4.7/install.sh
--- shorewall6-4.4.6/install.sh	2010-01-14 08:36:22.000000000 -0800
+++ shorewall6-4.4.7/install.sh	2010-02-11 07:29:41.000000000 -0800
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.6
+VERSION=4.4.7
 
 usage() # $1 = exit status
 {
@@ -362,6 +362,12 @@
 echo "Modules file installed as ${PREFIX}/usr/share/shorewall6/modules"
 
 #
+# Install the Module Helpers file
+#
+run_install $OWNERSHIP -m 0600 helpers ${PREFIX}/usr/share/shorewall6/helpers
+echo "Helper modules file installed as ${PREFIX}/usr/share/shorewall6/helpers"
+
+#
 # Install the TC Rules file
 #
 run_install $OWNERSHIP -m 0644 tcrules ${PREFIX}/usr/share/shorewall6/configfiles/tcrules
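Review bot: The new helpers file loads five modules twice and, despite its own header demanding dependency order, lists nf_conntrack_pptp (both times) before nf_conntrack_proto_gre; if pptp depends on the GRE tracker as it does in mainline kernels and loadmodule is insmod-based, both pptp attempts fail silently and the helper is never loaded. The duplicated nf_conntrack_sip line also undermines the release-note claim about sip_direct_media=0: the first line passes the parameter and the second passes nothing, so whichever attempt happens to succeed decides the setting. The header still says "copy it to /etc/shorewall" although this is the shorewall6 package; it should read `/etc/shorewall6`. Since every helper listed here is loaded unconditionally and each one lets conntrack open related connections, a short comment inviting users to trim the list in their /etc/shorewall6 copy would be worth adding, along with a comment recording the sip_direct_media trade-off next to the line that sets it. A deduplicated, dependency-ordered list follows.
```shell
# … unchanged: header comment, with /etc/shorewall corrected to /etc/shorewall6 …
#
# Helpers -- one line per module, dependencies listed first. Every helper
# loaded here can open 'related' connections; remove the ones you do not use.
#
loadmodule nf_conntrack_amanda
loadmodule nf_conntrack_ftp
loadmodule nf_conntrack_h323
loadmodule nf_conntrack_irc
loadmodule nf_conntrack_netbios_ns
loadmodule nf_conntrack_netlink
loadmodule nf_conntrack_proto_gre
loadmodule nf_conntrack_pptp
loadmodule nf_conntrack_proto_sctp
loadmodule nf_conntrack_proto_udplite
loadmodule nf_conntrack_sane
# sip_direct_media=0 is described in the 4.4.7 release notes as slightly less
# secure than the kernel default of 1; it is set to avoid common VoIP breakage.
loadmodule nf_conntrack_sip sip_direct_media=0
loadmodule nf_conntrack_tftp
```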
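Review bot: The helpers file is installed under /usr/share/shorewall6 with mode 0600, whereas the sibling share-tree template in the same hunk (tcrules) is installed 0644, and the share copy is the file the helpers header tells users to copy into /etc. If the intent is that only root ever reads the template this is harmless, but it is inconsistent with the rest of the share tree and will surprise a non-root `cp`; the consistent line would be `run_install $OWNERSHIP -m 0644 helpers ${PREFIX}/usr/share/shorewall6/helpers`. The mode of the modules file itself is not visible in this hunk, so I am assuming it follows the 0644 pattern.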
@@ -372,6 +378,26 @@
 fi
 
 #
+# Install the TC Interfaces file
+#
+run_install $OWNERSHIP -m 0644 tcinterfaces ${PREFIX}/usr/share/shorewall6/configfiles/tcinterfaces
+
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcinterfaces ]; then
+    run_install $OWNERSHIP -m 0600 tcinterfaces ${PREFIX}/etc/shorewall6/tcinterfaces
+    echo "TC Interfaces file installed as ${PREFIX}/etc/shorewall6/tcinterfaces"
+fi
+
+#
+# Install the TC Priority file
+#
+run_install $OWNERSHIP -m 0644 tcpri ${PREFIX}/usr/share/shorewall6/configfiles/tcpri
+
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcpri ]; then
+    run_install $OWNERSHIP -m 0600 tcpri ${PREFIX}/etc/shorewall6/tcpri
+    echo "TC Priority file installed as ${PREFIX}/etc/shorewall6/tcpri"
+fi
+
+#
 # Install the TOS file
 #
 run_install $OWNERSHIP -m 0644 tos ${PREFIX}/usr/share/shorewall6/configfiles/tos
@@ -693,4 +719,4 @@
 #
 # Report Success
 #
-echo "shorewall6-common Version $VERSION Installed"
+echo "shorewall6 Version $VERSION Installed"
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/lib.base shorewall6-4.4.7/lib.base
--- shorewall6-4.4.6/lib.base	2010-01-14 08:36:22.000000000 -0800
+++ shorewall6-4.4.7/lib.base	2010-02-11 07:29:41.000000000 -0800
@@ -32,7 +32,7 @@
 # by the compiler.
 #
 
-SHOREWALL_LIBVERSION=40406
+SHOREWALL_LIBVERSION=40407
 SHOREWALL_CAPVERSION=40407
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
@@ -302,7 +302,7 @@
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
     done
 
-    modules=$(find_file modules)
+    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
 	MODULES=$(lsmod | cut -d ' ' -f1)
@@ -723,6 +723,7 @@
     MARK=
     XMARK=
     EXMARK=
+    TPROXY_TARGET=
     MANGLE_FORWARD=
     COMMENTS=
     ADDRTYPE=
@@ -736,6 +737,7 @@
     GOTO_TARGET=
     IPMARK_TARGET=
     LOG_TARGET=Yes
+    FLOW_FILTER=
 
     chain=fooX$$
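Review bot: The two new existence tests use the deprecated `-a` conjunction and leave `${PREFIX}` unquoted, so a PREFIX containing whitespace splits the test and the subsequent run_install arguments; this mirrors the style already used elsewhere in install.sh, so it is a point of style rather than a regression. The portable form is `if [ -z "$CYGWIN" ] && [ ! -f "${PREFIX}/etc/shorewall6/tcinterfaces" ]; then` (and the same for tcpri). Note also that `! -f` skips the /etc copy when a directory or dangling symlink occupies the path, which is probably acceptable but worth a one-line comment.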
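Review bot: `[ -n "$LOAD_HELPERS_ONLY" ]` treats any non-empty value as enabled, including the literal `No` that the release notes in this same patch name as the default for existing users, so a shorewall6.conf line `LOAD_HELPERS_ONLY=No` would select the helpers file if the raw setting ever reaches this code. If the compiler always normalizes the option to `Yes`/empty before the generated script or shorecap sources lib.base this is fine, but that normalization is not visible here, and lib.base is also used by the command-line tools. A value test is safer: `case $LOAD_HELPERS_ONLY in [Yy][Ee][Ss]) modules=$(find_file helpers) ;; *) modules=$(find_file modules) ;; esac`. The `A && B || C` form also silently falls back to the modules file whenever `find_file helpers` returns non-zero, which may be intended but deserves a comment.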
@@ -746,6 +748,10 @@
 	exit 1
     fi
 
+    [ -n "$IP" ] || IP=$(which ip)
+
+    [ -n "$IP" -a -x "$IP" ] || IP=
+
     qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
 
     qt $IP6TABLES -F $chain
@@ -833,6 +839,7 @@
     qt $IP6TABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
     qt $IP6TABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
+    qt $IP6TABLES -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
     qt $IP6TABLES -t mangle -F $chain
     qt $IP6TABLES -t mangle -X $chain
     qt $IP6TABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
@@ -873,6 +880,8 @@
     qt $IP6TABLES -F $chain1
     qt $IP6TABLES -X $chain1
 
+    [ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+
     CAPVERSION=$SHOREWALL_CAPVERSION
     KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
@@ -934,6 +943,8 @@
 	report_capability "Goto Support" $GOTO_TARGET
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
+	report_capability "TPROXY Target" $TPROXY_TARGET
+	report_capability "FLOW Classifier" $FLOW_FILTER
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -991,6 +1002,8 @@
     report_capability1 GOTO_TARGET
     report_capability1 IPMARK_TARGET
     report_capability1 LOG_TARGET
+    report_capability1 TPROXY_TARGET
+    report_capability1 FLOW_FILTER
 
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/modules shorewall6-4.4.7/modules
--- shorewall6-4.4.6/modules	2010-01-14 08:36:22.000000000 -0800
+++ shorewall6-4.4.7/modules	2010-02-11 07:29:41.000000000 -0800
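Review bot: `IP=$(which ip)` resolves the ip binary through whatever PATH the capability probe inherits, and this code runs as root inside the firewall library; unless lib.base pins PATH earlier (not visible in this hunk), a writable directory on the caller's PATH lets an attacker-supplied `ip` be executed with root privileges during `show capabilities` or a start. `which` is also non-POSIX and on some implementations writes a "no ip in …" message to stdout, which the `-x` test on the next line happens to absorb. Prefer the builtin and keep the guard: `[ -n "$IP" ] || IP=$(command -v ip)` followed by `[ -n "$IP" ] && [ -x "$IP" ] || IP=`, and confirm PATH is set to a fixed value before determine_capabilities is entered.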
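Review bot: The flow-classifier probe runs `$IP filter add flow help`, but `filter` is a tc object rather than an ip object, so with standard iproute2 the ip command reports an unknown object and `grep -q ^Usage` never matches; FLOW_FILTER would then stay empty on every system, which is presumably not what the new "FLOW Classifier" capability report is meant to convey. If the library carries a TC variable as it does IP, the intended line is probably `[ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes`; I am inferring the existence of $TC, since it is not shown in this hunk. The release notes in this patch state that no safe way to detect flow support is known, so either this probe should be documented as best-effort or the capability should not be reported until the probe is verified on a system that has the classifier.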
@@ -56,6 +56,8 @@
 loadmodule xt_tcpmss
 loadmodule xt_TCPMSS
 loadmodule xt_time
+loadmodule xt_IPMARK
+loadmodule xt_TPROXY
 #
 # Helpers
 #
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/releasenotes.txt shorewall6-4.4.7/releasenotes.txt
--- shorewall6-4.4.6/releasenotes.txt	2010-01-14 08:38:22.000000000 -0800
+++ shorewall6-4.4.7/releasenotes.txt	2010-02-11 10:50:26.000000000 -0800
@@ -1,4 +1,4 @@
-Shorewall 4.4.6
+Shorewall 4.4.7
 ----------------------------------------------------------------------------
 R E L E A S E 4 . 4 H I G H L I G H T S
 ----------------------------------------------------------------------------
@@ -54,6 +54,10 @@
 13) A new simplified Traffic Shaping facility is now available.
 
+14) Additional ruleset optimization options are available.
+
+15) TPROXY support has been added.
+
 ----------------------------------------------------------------------------
 M I G R A T I O N I S S U E S
 ----------------------------------------------------------------------------
@@ -174,6 +178,146 @@ now, if the zone has :0.0.0.0/0 (even with exclusions), then it may have no additional members in /etc/shorewall/hosts. +13) ADD_IP_ALIASES=No is now the setting in the released shorewall.conf + and in all of the samples. This will not affect you during upgrade + unless you choose to replace your current shorewall.conf with the + one from the release (not recommended). + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 7 +---------------------------------------------------------------------------- + +1) The tcinterfaces and tcpri files are now installed by the + installer and are included in the rpm. + +2) An invalid octal number (e.g., 080) appearing in a port list + resulted in a perl error message. + + As part of this fix, both hex and octal numbers are now accepted + for protocol and port numbers. + +3) In 4.4.6, if a system: + + a) Had mangle table support. + b) Had a FORWARD chain in the mangle table. + c) Did not have MARK Target support. + + then 'shorewall start' would fail. + +4) Previously, the 'nosmurfs' option was ignored in IPv6 + compilations. As part of this fix, 'nosmurfs' handling when + SMURF_LOG_LEVEL is specified has been improved for both IPv4 and + IPv6. + +5) Previously, specifying a TYPE in /etc/shorewall/tcinterfaces would + cause start/restart to fail on systems lacking 'flow' classifier + support. While we currently know of no safe way to test for that + support, in Shorewall 4.4.7 we use other hints to surmise that the + installed toolset is likely to be too old to support 'flow' and + simply ignore the TYPE setting. In particular, RHEL5 and + derivatives no lonter experience a startup failure when TYPE is + specified. + +---------------------------------------------------------------------------- + K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- + +None. 
+ +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 7 +---------------------------------------------------------------------------- + +1) The OPTIMIZE option value is now a bit-map with each bit + controlling a separate set of optimizations. + + - The low-order bit (value 1) controls optimizations available in + earlier releases. We refer to this optimization as "optimization + 1". + + - The next bit (value 2) suppresses superfluous ACCEPT rules in a + policy chain that implements an ACCEPT policy. Any ACCEPT rules + that immediately preceed the final blanket ACCEPT rule in the + chain are now omitted. We refer to this optimization as + "optimization 2". + + - The next bit (value 4 or "optimization 4") enables the following + additional optimizations: + + a) Empty chains are optimized away. + b) Chains with one rule are optimized away. + c) If a built-in chain has a single rule that branches to a + second chain, then the rules from the second chain are moved + to the built-in chain and the target chain is omitted. + d) Chains with no references are deleted. + e) Accounting chains are subject to optimization if the new + OPTIMIZE_ACCOUNTING option is set to 'Yes' (default is 'No'). + f) If a chain ends with an unconditional branch to a second chain + (other than to 'reject'), then the branch is deleted from the + first chain and the rules from the second chain are appended + to it. + + The following chains are exempted from optimization 4: + + action chains (user-created). + accounting chains (unless OPTIMIZE_ACCOUNTING=Yes) + dynamic + forwardUPnP + logdrop + logreject + rules chains (those of the form zonea2zoneb or zonea-zoneb). + UPnP (nat table). + + To enable all possible optimizations, set OPTIMIZE to 7 (1 + 2 + + 4). + +2) Shorewall now combines identical logging chains. Previously, a + separate chain was created for each logging rule. 
+ +3) Beginning with Shorewall 4.4.7, accounting can be disabled by + setting ACCOUNTING=No in shorewall.conf. This allows you to keep a + set of accounting rules configured in /etc/shorewall/accounting and + to then enable and disable them by simply toggling the setting of + ACCOUNTING. + + Similarly, dynamic blacklisting can be disabled by setting + DYNAMIC_BLACKLIST=No. This saves a jump rule in the INPUT + and FORWARD filter chains.. + +4) Shorewall can now automatically assign mark values to providers in + cases where 'track' is specified (or TRACK_PROVIDERS=Yes) but + packet marking is otherwise not used for directing connections to a + particular provider. Simply specify '-' in the MARK column and + Shorewall will automatically assign a mark value. + +5) Support for TPROXY has been added. See + http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY. + +6) Traditionally, Shorewall has loaded all modules that could possibly + be needed twice; once in the compiler, and once when the generated + script is initialized. The latter can be a time-consuming process + on slow hardware. + + Beginning with 4.4.7, there is a LOAD_HELPERS_ONLY option in + shorewall.conf. For existing users, LOAD_HELPERS_ONLY=No is the + default. + + For new users that employ the sample configurations, + LOAD_HELPERS_ONLY=Yes will be the default. That setting causes only + a small subset of modules to be loaded; it is assumed that the + remaining modules will be autoloaded. Additionally, capability + detection in the compiler is deferred until each capability is + actually used. As a consequence, no modules are autoloaded + unnecessarily. + + Modules loaded when LOAD_HELPERS_ONLY=Yes are the protocol + helpers. These cannot be autoloaded. + + In addition, the nf_conntrack_sip module is loaded with + sip_direct_media=0. This setting is slightly less secure than + sip_direct_media=1, but it solves many VOIP problems that users + routinely encounter. 
+ ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 6 ---------------------------------------------------------------------------- @@ -192,12 +336,6 @@ omissions have been corrected. ---------------------------------------------------------------------------- - K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- - -None. - ----------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 4 . 6 ---------------------------------------------------------------------------- 
@@ -304,1194 +442,1196 @@ 4.4.3, this change should be transparent to most, if not all, users. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 4 . 0 + P R O B L E M S C O R R E C T E D I N 4 . 4 . 5 ---------------------------------------------------------------------------- -1) The Shorewall packaging has been completely revamped in Shorewall - 4.4. +1) The change which removed the 15 port limitation on + /etc/shorewall/routestopped was incomplete. The result was that if + more than 15 ports were listed, an error was generated. - The new packages are: +2) If any interfaces had the 'bridge' option specified, compilation + failed with the error: - - Shorewall. Includes the former Shorewall-common and - Shorewall-perl packages. Includes everything needed - to create an IPv4 firewall. + Undefined subroutine &Shorewall::Rules::match_source_interface called + at /usr/share/shorewall/Shorewall/Rules.pm line 2319. - Shorewall-shell is no longer available. +3) The compiler now flags port number 0 as an error in all + contexts. Previously, port 0 was allowed with the result that + invalid iptables-restore input could be generated in some cases. - - Shorewall6. Requires Shorewall. Adds the components necessary to - create an IPv6 firewall. +4) The 'show policies' command now works in Shorewall6 and + Shorewall6-lite. - - Shorewall-lite +5) Traffic shaping modules from /lib/modules//net/sched/ are + now correctly loaded. Previously, that directory was not + searched. Additionally, Shorewall6 now tries to load the cls_flow + module; previously, only Shorewall attempts to load that module. - May be installed on a firewall system to run - IPv4 firewall scripts generated by Shorewall. +6) The Shorewall6-lite shorecap program was previously including the + IPv4 base library rather than the IPv6 version. 
Also, Shorewall6 + capability detection was determing the availablity of the mangle + capability before it had determined if ip6tables was installed. - - Shorewall6-lite +7) The setting of MODULE_SUFFIX was previously ignored except when + compiling for export. - May be installed on a firewall system to run - IPv6 firewall scripts generated by Shorewall6. +8) Detection of the Enhanced Reject capability in the compiler was + broken for IPv4 compilations. -2) The interfaces file supports a new 'nets=' option. This option - allows you to restrict a zone's definition to particular networks - through an interface without having to use the hosts file. +9) The 'reload -c' command would ignore the setting of DONT_LOAD in + shorewall.conf. The 'reload' command without '-c' worked as + expected. - Example interfaces file: +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 5 +---------------------------------------------------------------------------- - #ZONE INTERFACE BROADCAST OPTIONS - loc eth3 detect dhcp,logmartians=1,routefilter=1,nets=172.20.1.0/24 - dmz eth4 detect logmartians=1,routefilter=1,nets=206.124.146.177 - net eth0 detect dhcp,blacklist,tcpflags,optional,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177) - net eth2 detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177) - loc tun+ detect nets=172.20.0.0/24 - #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +1) Shorewall now allows DNAT rules that change only the destination + port. - Note that when more than one network address is listed, the list - must be enclosed in parentheses. Notice also that exclusion may be - used. + Example: - The first entry in the above interfaces file is equivalent to the - following: + DNAT loc net::456 udp 234 - interfaces: + That rule will modify the destination port in UDP packets received + from the 'loc' zone from 456 to 234. 
Note that if the destination + is the firewall itself, then the destination port will be rewritten + but that no ACCEPT rule from the loc zone to the $FW zone will have + been created to handle the request. So such rules should probably + exclude the firewall's IP addresses in the ORIGINAL DEST column. - #ZONE INTERFACE BROADCAST OPTIONS - - eth0 detect dhcp,logmartians=1,routefilter=1 +2) Systems that do not log Netfilter messages locally can now set + LOGFILE=/dev/null in shorewall.conf. - hosts: +3) The 'shorewall show connections' and 'shorewall dump' commands now + display the current number of connections and the max supported + connections. - #ZONE HOST(S) OPTIONS - loc $INT_IF:192.20.1.0/24 broadcast + Example: - Note that the 'broadcast' option is automatically assumed and need - not be explicitly specified. + shorewall show connections + Shorewall 4.5.0 Connections (62 out of 65536) at gateway - Sat ... -3) Some websites run applications that require multiple connections - from a client browser. Where multiple 'balanced' providers are - configured, this can lead to problems when some of the connections - are routed through one provider and some through another. + In that case, there were 62 current connections out of a maximum + number supported of 65536. - To work around this issue, the SAME target has been added to - /etc/shorewall/tcrules. SAME may be used in the PREROUTING and - OUTPUT chains. When used in PREROUTING, it causes matching - connections from an individual local system to all use the same - provider. +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 4 +---------------------------------------------------------------------------- - For example: +1) In some simple one-interface configurations, the following Perl + run-time error messages were issued: - SAME:P 192.168.1.0/24 - tcp 80,443 + Generating Rule Matrix... + Use of uninitialized value in concatenation (.) 
or string at + /usr/share/shorewall/Shorewall/Chains.pm line 649. + Use of uninitialized value in concatenation (.) or string at + /usr/share/shorewall/Shorewall/Chains.pm line 649. + Creating iptables-restore input... - If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or - 443 and it has sent a packet on either of those ports in the last - five minutes then the new connection will use the same provider as - the connection over which that last packet was sent. +2) The Shorewall operations log (specified by STARTUP_LOG) is now + secured 0600. - When used in the OUTPUT chain, it causes all matching connections - to an individual remote system to use the same provider. +3) Previously, the compiler generated an incorrect test for interface + availability in the generated code for adding route rules. The + result was that the rules were always added, regardless of the + state of the provider's interface. Now, the rules are only added + when the interface is available. - For example: +4) When TC_WIDE_MARKS=Yes and class numbers are not explicitly + specified in /etc/shorewall/tcclasses, duplicate class numbers + result. A typical error message is: - SAME $FW - tcp 80,443 + ERROR: Command "tc class add dev eth3 parent 1:1 classid + 1:1 htb rate 1024kbit ceil 100000kbit prio 1 quantum 1500" + Failed - If the firewall attempts a connection on TCP port 80 or - 443 and it has sent a packet on either of those ports in the last - five minutes to the same remote system then the new connection will - use the same provider as the connection over which that last packet - was sent. + Note that the class ID of the class being added is a duplicate of + the parent's class ID. - Important note: SAME only works with providers that have the - 'track' option specified in /etc/shorewall/providers. + Also, when TC_WIDE_MARKS=Yes, values > 255 in the MARK column of + /etc/shorewall/tcclasses were rejected. 
-4) The file /var/lib/shorewall/.restore has been renamed to - /var/lib/shorewall/firewall. A similar change has been made in - Shorewall6. +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 4 +---------------------------------------------------------------------------- - When a successful start or restart is completed, the script that - executed the command copies itself to - /var/lib/shorewall[6]/firewall. +1) The Shorewall packages now include a logrotate configuration file. - As always, /var/lib/shorewall[6] is the default directory which may - be overridden using the /etc/shorewall[6]/vardir file. +2) The limit of 15 entries in a port list has been relaxed in + /etc/shorewall/routestopped. -5) Dynamic zone support is once again available for IPv4. This support - is built on top of ipsets so you must have the xtables-addons - installed on the firewall system. +3) The following seemingly valid configuration produces a fatal + error reporting "Duplicate interface name (p+)" - See http://www.shorewall.net/Dynamic.html for information about - this feature and for instructions for installing xtables-addons on - your firewall. + /etc/shorewall/zones: - Dynamic zones are available when Shorewall-lite is used as well. + #ZONE TYPE + fw firewall + world ipv4 + z1:world bport4 + z2:world bport4 - You define a zone as having dynamic content in one of two ways: + /etc/shorewall/interfaces: - - By specifying nets=dynamic in the OPTIONS column of an entry for - the zone in /etc/shorewall/interfaces; or + #ZONE INTERFACE BROADCAST OPTIONS + world br0 - bridge + world br1 - bridge + z1 br0:p+ + z2 br1:p+ - - By specifying :dynamic in the HOST(S) column of an - entry for the zone in /etc/shorewall/hosts. + This error occurs because the Shorewall implementation requires + that each bridge port must have a unique name. 
- When there are any dynamic zones present in your configuration, - Shorewall (Shorewall-lite) will: + To work around this problem, a new 'physical' interface option has + been created. The above configuration may be defined using the + following in /etc/shorewall/interfaces: - a) Execute the following commands during 'shorewall start' or - 'shorewall-lite start'. + #ZONE INTERFACE BROADCAST OPTIONS + world br0 - bridge + world br1 - bridge + z1 br0:x+ - physical=p+ + z2 br1:y+ - physical=p+ - ipset -U :all: :all: - ipset -U :all: :default: - ipset -F - ipset -X - ipset -R < ${VARDIR}/ipsets.save + In this configuration, 'x+' is the logical name for ports p+ on + bridge br0 while 'y+' is the logical name for ports p+ on bridge + br1. - where $VARDIR normally contains /var/lib/shorewall - (/var/lib/shorewall-lite) but may be modified by - /etc/shorewall/vardir (/etc/shorewall-lite/vardir). + If you need to refer to a particular port on br1 (for example + p1023), you write it as y1023; Shorewall will translate that name + to p1023 when needed. - b) During 'start', 'restart' and 'restore' processing, Shorewall - will attempt to create an ipset named _ - for each zone/interface pair that has been specified as - dynamic. The type of ipset created is 'iphash' so that only - individual IPv4 addresses may be added to the set. + It is allowed to have a physical name ending in '+' with a logical + name that does not end with '+'. The reverse is not allowed; if the + logical name ends in '+' then the physical name must also end in + '+'. - c) Execute the following commands during 'shorewall stop' or - 'shorewall-lite stop': - - if ipset -S > ${VARDIR}/ipsets.tmp; then - mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save - fi + This feature is not restricted to bridge ports. Beginning with this + release, the interface name in the INTERFACE column can be + considered a logical name for the interface, and the actual + interface name is specified using the 'physical' option. 
If no + 'physical' option is present, then the physical name is assumed to + be the same as the logical name. As before, the logical interface + name is used throughout the rest of the configuration to refer to + the interface. - The 'shorewall add' and 'shorewall delete' commands are supported - with their original syntax: +4) Previously, Shorewall has used the character '2' to form the name + of chains involving zones and/or the word 'all' (e.g., fw2net, + all2all). When zones names are given numeric suffixes, these + generated names are hard to read (e.g., foo1232bar). To make these + names clearer, a ZONE2ZONE option has been added. - add [:] ... + ZONE2ZONE has a default value of "2" but can also be given the + value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate + the two parts of the name with a hyphen (e.g., foo123-bar). - delete [:] ... +5) Only one instance of the following warning is now generated; + previously, one instance of a similar warning was generated for + each COMMENT encountered. - In addition, the 'show dynamic' command is added that lists the dynamic - content of a zone. + COMMENTs ignored -- require comment support in iptables/Netfilter - show dynamic +6) The shorewall and shorewall6 utilities now support a 'show + policies' command. Once Shorewall or Shorewall6 has been restarted + using a script generated by this version, the 'show policies' + command will list each pair of zones and give the applicable + policy. If the policy is enforced in a chain, the name of the chain + is given. - These commands are supported by shorewall-lite as well. + Example: -6) The generated program now attempts to detect all dynamic - information when it first starts. Dynamic information includes IP - addresses, default gateways, networks routed through an interface, - etc. If any of those steps fail, an error message is generated and - the state of the firewall is not changed. 
+ net => loc DROP using chain net2all -7) To improve the readability of configuration files, Shorewall now - allows leading white space in continuation lines when the continued - line ends in ":" or ",". + Note that implicit intrazone ACCEPT policies are not displayed for + zones associated with a single network where that network + doesn't specify 'routeback'. - Example (/etc/shorewall/rules): +7) The 'show' and 'dump' commands now support an '-l' option which + causes chain displays to include the rule number of each rule. - #ACTION SOURCE DEST PROTO DEST - # PORT(S) - ACCEPT net:\ - 206.124.146.177,\ - 206.124.146.178,\ - 206.124.146.180\ - dmz tcp 873 + (Type 'iptables -h' and look for '--line-number') - The leading white space on the lines that contain just an IP - address is ignored so the SOURCE column effectively contains - "net:206.124.146.177,206.124.147.178,206.124.146.180". +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 3 +---------------------------------------------------------------------------- -8) The generated script now uses iptables[6]-restore to instantiate - the Netfilter ruleset during processing of the 'stop' command. As a - consequence, the 'critical' option in /etc/shorewall/route_stopped - is no longer needed and will result in a warning. +1. Previously, if 'routeback' was specified in /etc/shorewall/routestopped: -9) A new AUTOMAKE option has been added to shorewall.conf and - shorewall6.conf. When set to 'Yes', this option causes new behavior - during processing of the 'start' and 'restart' commands; if no - files in /etc/shorewall/ (/etc/shorewall6) have changed since the last - 'start' or 'restart', then the compilation step is skipped and the - script used during the last 'start' or 'restart' is used to - start/restart the firewall. 
+ a) 'shorewall check' produced an internal error + b) The 'routeback' option didn't work - Note that if a is specified in the start/restart - command (e.g., "shorewall restart /etc/shorewall.new") then the - setting of AUTOMAKE is ignored. +2) If an alias IP address was added and RETAIN_ALIASES=No in + shorewall.conf, then a compiler internal error resulted. - Note that the 'make' utility must be installed on the firewall - system in order for AUTOMAKE=Yes to work correctly. +3) Previously, the generated script would try to detect the values + for all run-time variables (such as IP addresses), regardless of + what command was being executed. Now, this information is only + detected when it is needed. -10) The 'compile' command now allows you to omit the . When - you do that, the defaults to /var/lib/shorewall/firewall - (/var/lib/shorewall6/firewall) unless you have overridden VARDIR - using /etc/shorewall/vardir (/etc/shorewall6/vardir). +4) Nested zones where the parent zone was defined by a wildcard + interface (name ends with +) in /etc/shorewall/interfaces did + not work correctly in some cases. - When combined with AUTOMAKE=Yes, it allows the following: +5) IPv4 addresses embedded in IPv6 (e.g., ::192.168.1.5) were + incorrectly reported as invalid. - gateway:~ # shorewall compile - Compiling... - Shorewall configuration compiled to /root/shorewall/firewall - gateway:~ # - ... - gateway:~ # shorewall restart - Restarting Shorewall.... - done. - gateway:~ # +6) Under certain circumstances, optional providers were not detected + as being usable. - In other words, you can compile the current configuration then - install it at a later time. + Additionally, the messages issued when an optional provider was not + usable were confusing; the message intended to be issued when the + provider shared an interface ("WARNING: Gateway is not + reachable -- Provider () not Added") was being + issued when the provider did not share an interface. 
Similarly, the + message intended to be issued when the provider did not share an + interface ("WARNING: Interface is not usable -- + Provider () not Added") was being issued when the + provider did share an interface. -11) Thanks to I. Buijs, it is now possible to rate-limit connections by - source IP or destination IP. The LIMIT:BURST column in - /etc/shorewall/policy (/etc/shorewall6/policy) and the RATE LIMIT - column /etc/shorewall/rules (/etc/shorewall6/rules) have been - extended as follows: +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 3 +---------------------------------------------------------------------------- - [{s|d}:[[]:]]/{sec|min}[:] +1) On Debian systems, a default installation will now set + INITLOG=/dev/null in /etc/default/shorewall. In all configurations, + the default values for the log variables are changed to: - When s: is specified, the rate is per source IP address. - When d: is specified, the rate is per destination IP address. - The specifies the name of a hash table -- you get to choose - the name. If you don't specify a name, the name 'shorewall' is - assumed. Rules with the same name have their connection counts - aggregated and the individual rates are applied to the aggregate. + STARTUP_LOG=/var/log/shorewall-init.log + LOG_VERBOSITY=2 - Example: + The effect is much the same as the old defaults, with the exception + that: - ACCEPT net fw tcp 22 - - s:ssh:3/min + a) Start, stop, etc. commands issued through /sbin/shorewall + will be logged. + b) Logging will occur at maximum verbosity. + c) Log entries will be date/time stamped. - This will limit SSH connections from net->fw to 3 per minute. + On non-Debian systems, new installs will now log all Shorewall + commands to /var/log/shorewall-init.log. - ACCEPT net fw tcp 25 - - s:mail:3/min - ACCEPT net fw tcp 587 - - s:mail:3/min +2) A new TRACK_PROVIDERS option has been added in shorewall.conf. 
+ The value of this option becomes the default for the 'track' + provider option in /etc/shorewall/providers. - Since the same hash table name is used in both rules, the above is - equivalent to this single rule: +3) A new 'limit' option has been added to + /etc/shorewall/tcclasses. This option specifies the number of + packets that are allowed to be queued within the class. Packets + exceeding this limit are dropped. The default value is 127 which is + the value that earlier versions of Shorewall used. The option is + ignored with a warning if the 'pfifo' option has been specified. - ACCEPT net fw tcp 25,587 - - s:mail:3/min +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 +---------------------------------------------------------------------------- -12) Rules that specify a log level with a target other than LOG or NFLOG - are now implemented through a separate chain. While this may increase - the processing cost slightly for packets that match these rules, it - is expected to reduce the overall cost of such rules because each - packet that doesn't match the rules only has to be processed once - per rule rather than twice. +1) Detection of Persistent SNAT was broken in the rules compiler. - Example: +2) Initialization of the compiler's chain table was occurring before + shorewall.conf had been read and before the capabilities had been + determined. This could lead to incorrect rules and Perl runtime + errors. - /etc/shorewall/rules: +3) The 'shorewall check' command previously did not detect errors in + /etc/shorewall/routestopped. - REJECT:info loc net tcp 25 +4) In earlier versions, if a file with the same name as a built-in + action were present in the CONFIG_PATH, then the compiler would + process that file like it was an extension script. - This previously generated these two rules (long rules folded): + The compiler now ignores the presence of such files. 
- -A loc2net -p 6 --dport 25 -j LOG --log-level 6 - --log-prefix "Shorewall:loc2net:reject:" - -A loc2net -p 6 --dport 25 -j reject +5) Several configuration issues which previously produced an error or + warning are now handled differently. - It now generates these rules: + a) MAPOLDACTIONS=Yes and MAPOLDACTIONS= in shorewall.conf are now + handled as they were by the old shell-based compiler. That is, + they cause pre-3.0 built-in actions to be mapped automatically + to the corresponding macro invocation. - :log0 - [0:0] - ... - -A loc2net -p 6 --dport 25 -g log0 - ... - -A log0 -j LOG --log-level 6 - --log-prefix "Shorewall:loc2net:REJECT:" - -A log0 -j reject + b) SAVE_IPSETS=Yes no longer produces a fatal error -- it is now a + warning. - Notice that now there is only a single rule generated in the - 'loc2net' chain where before there were two. Packets for other than + c) DYNAMIC_ZONES=Yes no longer produces a fatal error -- it is now + a warning. - TCP port 25 had to be processed by both rules. + d) RFC1918_STRICT=Yes no longer produces a fatal error -- it is now + a warning. - Notice also that the new LOG rule reflects the original action - ("REJECT") rather than what Shorewall maps that to ("reject"). +6) Previously, it was not possible to specify an IP address range in + the ADDRESS column of /etc/shorewall/masq. Thanks go to Jessee + Shrieve for the patch. -13) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and - hence will now start successfully when running on that kernel. +7) The 'wait4ifup' script included for Debian compatibility now runs + correctly with no PATH. -14) Three new options (IP, TC and IPSET) have been added to - shorewall.conf and shorwall6.conf. These options specify the name - of the executable for the 'ip', 'tc' and 'ipset' utilities - respectively. +8) The new per-IP LIMIT feature now works with ancient iptables + releases (e.g., 1.3.5 as found on RHEL 5). 
This change required + testing for an additional capability which means that those who use + a capabilities file should regenerate that file after installing + 4.4.2. - If not specified, the default values are: +9) One unintended difference between Shorewall-shell and + Shorewall-perl was that Shorewall-perl did not support the MARK + column in action bodies. This has been corrected. - IP=ip - TC=tc - IPSET=ipset +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 2 +---------------------------------------------------------------------------- - In other words, the utilities will be located via the current PATH - setting. +1) Prior to this release, line continuation has taken precedence over + #-style comments. This prevented us from doing the following: -15) There has been a desire in the user community to limit traffic by - IP address using Shorewall traffic shaping. Heretofore, that has - required a very inefficient process: + ACCEPT net:206.124.146.176,\ #Gateway + 206.124.146.177,\ #Mail + 206.124.146.178\ #Server + ... + + Now, unless a line ends with '\', any trailing comment is stripped + off (including any white-space preceding the '#'). Then if the line + ends with '\', it is treated as a continuation line as normal. - a) Define a tcclass for each internal host (two, if shaping both in - and out). - b) Define a tcrule for each host to mark to classify the packets - accordingly. +2) Three new columns have been added to FORMAT-2 macro bodies. - Beginning with Shorewall 4.4, this process is made easier IF YOU - ARE WILLING TO INSTALL xtables-addons. The feature requires IPMARK - support in iptables[6] and your kernel. That support is available - in xtables-addons. + MARK + CONNLIMIT + TIME - Instructions for installing xtables-addons may be found at - http://www.shorewall.net/Dynamic.html#xtables-addons. 
+ These three columns correspond to the similar columns in + /etc/shorewall/rules and must be empty in macros invoked from an + action. - The new facility has two components: +3) Accounting chains may now have extension scripts. Simply place your + Perl script in the file /etc/shorewall/ and when the + accounting chain named is created, your script will be + invoked. - a) A new IPMARK MARKing command in /etc/shorewall/tcrules. - b) A new 'occurs' OPTION in /etc/shorewall/tcclasses. + As usual, the variable $chainref will contain a reference to the + chain's table entry. - The facility is currently only available with IPv4. +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 +---------------------------------------------------------------------------- - In a sense, the IPMARK target is more like an IPCLASSIFY target in - that the mark value is later interpreted as a class ID. A packet - mark is 32 bits wide; so is a class ID. The class occupies - the high-order 16 bits and the class occupies the low-order - 16 bits. So the class ID 1:4ff (remember that class IDs are always - in hex) is equivalent to a mark value of 0x104ff. Remember that - Shorewall uses the interface number as the number where the - first interface in tcdevices has number 1, the second has - number 2, and so on. +1) If ULOG was specified as the LOG LEVEL in the all->all policy, the + rules at the end of the INPUT and OUTPUT chains would still use the + LOG target rather than ULOG. - The IPMARK target assigns a mark to each matching packet based on - the either the source or destination IP address. By default, it - assigns a mark value equal to the low-order 8 bits of the source - address. +2) Using CONTINUE policies with a nested IPSEC zone was still broken + in some cases. 
- The syntax is as follows: +3) The setting of IP_FORWARDING has been change to Off in the + one-interface sample configuration since forwarding is typically + not required with only a single interface. - IPMARK[([{src|dst}][,[][,[][,[]]]])] +4) If MULTICAST=Yes in shorewall.conf, multicast traffic was + incorrectly exempted from ACCEPT policies. - Default values are: +5) Previously, the definition of a zone that specified "nets=" in + /etc/shorewall/interfaces could not be extended by entries in + /etc/shorewall/hosts. - src - = 0xFF - = 0x00 - = 0 +6) Previously, "nets=" could be specified in a multi-zone interface + definition ("-" in the ZONES column) in /etc/shorewall/zones. This + now raises a fatal compilation error. - 'src' and 'dst' specify whether the mark is to be based on the - source or destination address respectively. +7) MULTICAST=Yes generates an incorrect rule that limits its + effectiveness to a small part of the multicast address space. - The selected address is first shifted right by , then - LANDed with and then LORed with . The - argument is intended to be used primarily with IPv6 addresses. +8) Checking for zone membership has been tighened up. Previously, + a zone could contain :0.0.0.0/0 along with other hosts; + now, if the zone has :0.0.0.0/0 (even with exclusions), + then it may have no additional members in /etc/shorewall/hosts. - Example: +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 1 +---------------------------------------------------------------------------- - IPMARK(src,0xff,0x10100) +1) To replace the SAME keyword in /etc/shorewall/masq, support has + been added for 'persistent' SNAT. Persistent SNAT is required when + an address range is specified in the ADDRESS column and when you + want a client to always receive the same source/destination IP + pair. It replaces SAME: which was removed in Shorewall 4.4.0. 
- Destination IP address is 192.168.4.3 = 0xc0a80403 + To specify persistence, follow the address range with + ":persistent". - 0xc0a80403 >> 0 = 0xc0a80403 - 0xc0a80403 LAND 0xFF = 0x03 - 0x03 LOR 0x10100 = 0x10103 + Example: - So the mark value is 0x10103 which corresponds to class id - 1:103. + #INTERFACE SOURCE ADDRESS + eth0 0.0.0.0/0 206.124.146.177-206.124.146.179:persistent - It is important to realize that, while class IDs are composed of a - and a value, the set of values must be - unique. You must keep this in mind when deciding how to map IP - addresses to class IDs. + This feature requires Persistent SNAT support in your kernel and + iptables. - For example, suppose that your internal network is 192.168.1.0/29 - (host IP addresses 192.168.1.1 - 192.168.1.6). Your first notion - might be to use IPMARK(src,0xFF,0x10000) so as to produce class IDs - 1:1 through 1:6. But 1:1 is the class ID of the base HTB class on - interface 1. So you might chose instead to use - IPMARK(src,0xFF,0x10100) as shown in the example above so as to - avoid minor class 1. + If you use a capabilities file, you will need to create a new one + as a result of this feature. - The 'occurs' option in /etc/shorewall/tcclasses causes the class - definition to be replicated many times. The synax is: + WARNING: Linux kernels beginning with 2.6.29 include persistent + SNAT support. If your iptables supports persistent SNAT but your + kernel does not, there is no way for Shorewall to determine that + persistent SNAT isn't going to work. The kernel SNAT code blindly + accepts all SNAT flags without verifying them and returns them to + iptables when asked. - occurs= +2) A 'clean' target has been added to the Makefiles. It removes backup + files (*~ and .*~). - When 'occurs' is used: +3) The meaning of 'full' has been redefined when used in the context + of a traffic shaping sub-class. Previously, 'full' always meant the + OUT-BANDWIDTH of the device. 
In the case of a sub-class, however, + that definition is awkward to use because the sub-class is limited + by the parent class. - a) The associated device may not have the 'classify' option. - b) The class may not be the default class. - c) The class may not have any 'tos=' options (including - 'tcp-ack'). - d) The class should not specify a MARK value. Any MARK value - given is ignored with a warning. + Beginning with this release, 'full' in a sub-class definition + refers to the specified rate defined for the parent class. So + 'full' used in the RATE column refers to the parent class's RATE; + when used in the CEIL column, 'full' refers to the parent class's + CEIL. - The 'RATE' and 'CEIL' parameters apply to each instance of the - class. So the total RATE represented by an entry with 'occurs' will - be the listed RATE multiplied by the 'occurs' number. + As part of this change, the compiler now issues a warning if the + sum of the top-level classes' RATEs exceeds the OUT-BANDWIDTH of + the device. Similarly, a warning is issued if the sum of the RATEs + of a class's sub-classes exceeds the rate of the CLASS. - Example: +4) When 'nets=' or 'nets=(,,...) is specified in + /etc/shorewall/interfaces, multicast traffic will now be sent to + the zone along with limited broadcasts. - /etc/shorewall/tcdevices: +5) A flaw in the parsing logic for the zones file allowed most zone + types containing the character string 'ip' to be accepted as a + synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration). - #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH - eth0 100mbit 100mbit +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 0 +---------------------------------------------------------------------------- - /etc/shorewall/tcclasses: +1) The Shorewall packaging has been completely revamped in Shorewall + 4.4. 
- #DEVICE MARK RATE CEIL PRIORITY OPTIONS - eth0:101 - 1kbit 230kbit 4 occurs=6 + The new packages are: - The above defines 6 classes with class IDs 0x101-0x106. Each - class has a guaranteed rate of 1kbit/second and a ceiling of - 230kbit. + - Shorewall. Includes the former Shorewall-common and + Shorewall-perl packages. Includes everything needed + to create an IPv4 firewall. - /etc/shoreall/tcrules: + Shorewall-shell is no longer available. - #MARK SOURCE DEST - IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0 + - Shorewall6. Requires Shorewall. Adds the components necessary to + create an IPv6 firewall. - This change also altered the way in which Shorewall generates a - class number when none is given. + - Shorewall-lite - - Prior to this change, the class number was constructed by concatinating - the mark value with the either '1' or '10'. '10' was used when - there were more than 10 devices defined in /etc/shorewall/tcdevices. + May be installed on a firewall system to run + IPv4 firewall scripts generated by Shorewall. - - Beginning with this change, a new method is added; class numbers - are assigned sequentially beginning with 2. + - Shorewall6-lite - The WIDE_TC_MARKS option in shorewall.conf selects which - construction to use. WIDE_TC_MARKS=No (the default) produces - pre-4.4 behavior. WIDE_TC_MARKS=Yes produces the new behavior. + May be installed on a firewall system to run + IPv6 firewall scripts generated by Shorewall6. - In addition to determining the method of constructing class Ids, - WIDE_TC_MARKS=Yes provides for larger mark values for traffic - shaping. Traffic shaping marks may have values up to 16383 (0x3fff) - with WIDE_TC_MARKS=Yes. This means that when both WIDE_TC_MARKS=Yes and - HIGH_ROUTE_MARKS=Yes, routing marks (/etc/shorewall/providers MARK - column) must be >= 65536 (0x10000) and must be a multiple of 65536 - (0x1000, 0x20000, 0x30000, ...). +2) The interfaces file supports a new 'nets=' option. 
This option + allows you to restrict a zone's definition to particular networks + through an interface without having to use the hosts file. -16) In the 'shorewall compile' and 'shorewall6 compile' commands, the - filename '-' now causes the compiled script to be written to - Standard Out. As a side effect, the effective VERBOSITY is set to - -1 (silent). + Example interfaces file: - Examples: + #ZONE INTERFACE BROADCAST OPTIONS + loc eth3 detect dhcp,logmartians=1,routefilter=1,nets=172.20.1.0/24 + dmz eth4 detect logmartians=1,routefilter=1,nets=206.124.146.177 + net eth0 detect dhcp,blacklist,tcpflags,optional,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177) + net eth2 detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177) + loc tun+ detect nets=172.20.0.0/24 + #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - shorewall compile -- - # Compile the configuration in - # /etc/shorewall and send the - # output to STDOUT - shorewall compile . - # Compile the configuration in the - # current working directory - # and send the output to STDOUT + Note that when more than one network address is listed, the list + must be enclosed in parentheses. Notice also that exclusion may be + used. -17) Supplying an interface name in the SOURCE column of - /etc/shorewall/masq is now deprecated. Entering the name of an - interface there will result in a compile-time warning (see the - Migration Considerations above). + The first entry in the above interfaces file is equivalent to the + following: -18) Shorewall now supports nested HTB traffic shaping classes. The - nested classes within a class can borrow from their parent class in - the same way as the first level classes can borrow from the root - class. + interfaces: - To use nested classes, you must explicitly number your - classes. That does not imply that you must use the 'classify' - option. 
+ #ZONE INTERFACE BROADCAST OPTIONS + - eth0 detect dhcp,logmartians=1,routefilter=1 - Example: + hosts: - /etc/shorewall/tcdevices + #ZONE HOST(S) OPTIONS + loc $INT_IF:192.20.1.0/24 broadcast - #INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS - eth2 - 100mbps classify + Note that the 'broadcast' option is automatically assumed and need + not be explicitly specified. - /etc/shorewall/tcclasses +3) Some websites run applications that require multiple connections + from a client browser. Where multiple 'balanced' providers are + configured, this can lead to problems when some of the connections + are routed through one provider and some through another. - #INTERFACE MARK RATE CEIL PRIORITY OPTIONS - 1:10 - full/2 full 1 - 1:100 - 16mbit 20mbit 2 - 1:100:101 - 8mbit 20mbit 3 default - 1:100:102 - 8mbit 20mbit 3 - - /etc/shorewall/tcrules + To work around this issue, the SAME target has been added to + /etc/shorewall/tcrules. SAME may be used in the PREROUTING and + OUTPUT chains. When used in PREROUTING, it causes matching + connections from an individual local system to all use the same + provider. - #MARK SOURCE DEST - 1:102 0.0.0.0/0 eth2:172.20.1.107 - 1:10 206.124.146.177 eth2 - 1:10 172.20.1.254 eth2 + For example: - The above controls download for internal interface eth2. The - external interface has a download rate of 20mbit so we guarantee - that to class 1:100. 1:100 has two subclasses, each of which is - guaranteed half of their parent's bandwidth. + SAME:P 192.168.1.0/24 - tcp 80,443 - Local traffic (that coming from the firewall and from the DMZ - server) is placed in the effectively unrestricted class 1:10. The - default class is guaranteed half of the download capacity and my - work system (172.20.1.107) is guarandeed the other half. 
+ If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or + 443 and it has sent a packet on either of those ports in the last + five minutes then the new connection will use the same provider as + the connection over which that last packet was sent. -19) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing - discipline has been added. HFSC is claimed to be superior to the - "Hierarchical Token Bucket" queuing discipline where realtime - traffic such as VOIP is being used. + When used in the OUTPUT chain, it causes all matching connections + to an individual remote system to use the same provider. - An excellent overview of HFSC on Linux may be found at - http://linux-ip.net/articles/hfsc.en/. + For example: - To use HFSC, several changes need to be made to your traffic - shaping configuration: + SAME $FW - tcp 80,443 - - To use HFSC on an interface rather than HTB, specify the - 'hfsc' option in the OPTIONS column in the interfaces's - entry in /etc/shorewall/tcdevices. + If the firewall attempts a connection on TCP port 80 or + 443 and it has sent a packet on either of those ports in the last + five minutes to the same remote system then the new connection will + use the same provider as the connection over which that last packet + was sent. - - Modify the RATE colum for each 'leaf' class (class with no - parent class specified) defined for the interface. + Important note: SAME only works with providers that have the + 'track' option specified in /etc/shorewall/providers. - When using HFSC, the RATE column may specify 1, 2 or 3 - pieces of information separated by colons (":"). +4) The file /var/lib/shorewall/.restore has been renamed to + /var/lib/shorewall/firewall. A similar change has been made in + Shorewall6. - 1. The Guaranteed bandwidth (as always). - 2. The Maximum delay (DMAX) that the first queued packet - in the class should experience. The delay is expressed - in milliseconds and may be followed by 'ms' (e.g., - 10ms. 
Note that there may be no white space between the - number and 'ms'). - 3. The maximum transmission unit (UMAX) for this class of - traffic. If not specified, the MTU of the interface is - used. The length is specified in bytes and may be - followed by 'b' (e.g., 800b. Note that there may be no - white space between the number and 'b'). + When a successful start or restart is completed, the script that + executed the command copies itself to + /var/lib/shorewall[6]/firewall. - DMAX should be specified for each leaf class. The Shorewall - compiler will issue a warning if DMAX is omitted. + As always, /var/lib/shorewall[6] is the default directory which may + be overridden using the /etc/shorewall[6]/vardir file. - Example: +5) Dynamic zone support is once again available for IPv4. This support + is built on top of ipsets so you must have the xtables-addons + installed on the firewall system. - full/2:10ms:1500b + See http://www.shorewall.net/Dynamic.html for information about + this feature and for instructions for installing xtables-addons on + your firewall. - Guaranteed bandwidth is 1/2 of the devices - OUT-BANDWIDTH. Maximum delay is 10ms. Maximum packet - size is 1500 bytes. + Dynamic zones are available when Shorewall-lite is used as well. -20) Optional TOS and LENGTH fields have been added to the tcfilters - file. + You define a zone as having dynamic content in one of two ways: - The TOS field may contain any of the following: + - By specifying nets=dynamic in the OPTIONS column of an entry for + the zone in /etc/shorewall/interfaces; or - tos-minimize-delay - tos-maximuze-throughput - tos-maximize-reliability - tos-minimize-cost - tos-normal-service - Hex-number - Hex-number/Hex-number + - By specifying :dynamic in the HOST(S) column of an + entry for the zone in /etc/shorewall/hosts. - The hex numbers must have exactly two digits. 
+ When there are any dynamic zones present in your configuration, + Shorewall (Shorewall-lite) will: - The LENGTH value must be a numeric power of two between 32 and 8192 - inclusive. Packets with a total length that is strictly less that - the specified value will match the rule. + a) Execute the following commands during 'shorewall start' or + 'shorewall-lite start'. -21) Support for 'norfc1918' has been removed. See the Migration - Considerations above. + ipset -U :all: :all: + ipset -U :all: :default: + ipset -F + ipset -X + ipset -R < ${VARDIR}/ipsets.save -22) A 'upnpclient' option has been added to - /etc/shorewall/interfaces. This option is intended for laptop users - who always run Shorewall on their system yet need to run - UPnP-enabled client apps such as Transmission (BitTorrent client). + where $VARDIR normally contains /var/lib/shorewall + (/var/lib/shorewall-lite) but may be modified by + /etc/shorewall/vardir (/etc/shorewall-lite/vardir). - The option causes Shorewall to detect the default gateway through - the interface and to accept UDP packets from that gateway. Note - that, like all aspects of UPnP, this is a security hole so use this - option at your own risk. + b) During 'start', 'restart' and 'restore' processing, Shorewall + will attempt to create an ipset named _ + for each zone/interface pair that has been specified as + dynamic. The type of ipset created is 'iphash' so that only + individual IPv4 addresses may be added to the set. -23) 'iptrace' and 'noiptrace' commands have been added to both - /sbin/shorewall and /sbin/shorewall6. + c) Execute the following commands during 'shorewall stop' or + 'shorewall-lite stop': - These are low-level debugging commands that cause - iptables/ip6tables TRACE log messages to be generated. See 'man - iptables' and 'man ip6tables' for details. 
+ if ipset -S > ${VARDIR}/ipsets.tmp; then + mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save + fi - The syntax for the commands is: + The 'shorewall add' and 'shorewall delete' commands are supported + with their original syntax: - iptrace - noiptrace + add [:] ... - iptrace starts the trace; noiptrace turns it off. + delete [:] ... - The match expression must be an expression that is legal in both - the raw table OUTPUT and PREROUTING chains. + In addition, the 'show dynamic' command is added that lists the dynamic + content of a zone. - Examaple: + show dynamic - To trace all packets destinted for IP address 206.124.146.176: + These commands are supported by shorewall-lite as well. - shorewall iptrace -d 206.124.146.176 +6) The generated program now attempts to detect all dynamic + information when it first starts. Dynamic information includes IP + addresses, default gateways, networks routed through an interface, + etc. If any of those steps fail, an error message is generated and + the state of the firewall is not changed. - To turn that trace off: +7) To improve the readability of configuration files, Shorewall now + allows leading white space in continuation lines when the continued + line ends in ":" or ",". - shorewall noiptrace -d 206.124.146.176 + Example (/etc/shorewall/rules): -24) A USER/GROUP column has been added to /etc/shorewall/masq. The - column works similarly to USER/GROUP columns in other Shorewall - configuration files. Only locally-generated traffic is matched. + #ACTION SOURCE DEST PROTO DEST + # PORT(S) + ACCEPT net:\ + 206.124.146.177,\ + 206.124.146.178,\ + 206.124.146.180\ + dmz tcp 873 -25) A new extension script, 'lib.private' has been added. This file is - intended to include declarations of shell functions that will be - called by the other run-time extension scripts. 
+ The leading white space on the lines that contain just an IP + address is ignored so the SOURCE column effectively contains + "net:206.124.146.177,206.124.147.178,206.124.146.180". -26) Paul Gear has contributed the following macros: +8) The generated script now uses iptables[6]-restore to instantiate + the Netfilter ruleset during processing of the 'stop' command. As a + consequence, the 'critical' option in /etc/shorewall/route_stopped + is no longer needed and will result in a warning. - macro.Webcache (originally named macro.DG) - macro.IPPbrd - macro.NTPbi - macro.RIPbi - macro.mDNS +9) A new AUTOMAKE option has been added to shorewall.conf and + shorewall6.conf. When set to 'Yes', this option causes new behavior + during processing of the 'start' and 'restart' commands; if no + files in /etc/shorewall/ (/etc/shorewall6) have changed since the last + 'start' or 'restart', then the compilation step is skipped and the + script used during the last 'start' or 'restart' is used to + start/restart the firewall. -27) The default value of DISABLE_IPV6 has been changed from 'Yes' to - 'No' in all sample shorewall.conf files. Shorewall6 should be - installed to restrict IPv6 traffic. + Note that if a is specified in the start/restart + command (e.g., "shorewall restart /etc/shorewall.new") then the + setting of AUTOMAKE is ignored. - As part of this change, the ip6tables program in the directory - specified by the IPTABLES setting will be used to disable IPv6. If - the iptables utility is discovered using the PATH setting, then - ip6tables in the same directory as the discovered iptables will be - used. + Note that the 'make' utility must be installed on the firewall + system in order for AUTOMAKE=Yes to work correctly. -28) A 'flow=' option has been added to the - /etc/shorewall/tcclasses OPTIONS column. +10) The 'compile' command now allows you to omit the . 
When + you do that, the defaults to /var/lib/shorewall/firewall + (/var/lib/shorewall6/firewall) unless you have overridden VARDIR + using /etc/shorewall/vardir (/etc/shorewall6/vardir). - Shorewall attaches an SFQ queuing discipline to each leaf HTB - and HFSC class. SFQ ensures that each flow gets equal access to the - interface. The default definition of a flow corresponds roughly to - a Netfilter connection. So if one internal system is running - BitTorrent, for example, it can have lots of 'flows' and can thus - take up a larger share of the bandwidth than a system having only a - single active connection. The flow classifier (module cls_flow) - works around this by letting you define what a 'flow' is. + When combined with AUTOMAKE=Yes, it allows the following: - The clasifier must be used carefully or it can block off all - traffic on an interface! + gateway:~ # shorewall compile + Compiling... + Shorewall configuration compiled to /root/shorewall/firewall + gateway:~ # + ... + gateway:~ # shorewall restart + Restarting Shorewall.... + done. + gateway:~ # - The flow option can be specified for an HTB or HFSC leaf class (one - that has no sub-classes). We recommend that you use the following: + In other words, you can compile the current configuration then + install it at a later time. - Shaping internet-bound traffic: flow=nfct-src - Shaping traffic bound for your local net: flow=dst +11) Thanks to I. Buijs, it is now possible to rate-limit connections by + source IP or destination IP. The LIMIT:BURST column in + /etc/shorewall/policy (/etc/shorewall6/policy) and the RATE LIMIT + column /etc/shorewall/rules (/etc/shorewall6/rules) have been + extended as follows: - These will cause a 'flow' to consists of the traffic to/from each - internal system. + [{s|d}:[[]:]]/{sec|min}[:] - When more than one key is give, they must be enclosed in - parenthesis and separated by commas. + When s: is specified, the rate is per source IP address. 
+ When d: is specified, the rate is per destination IP address. + The specifies the name of a hash table -- you get to choose + the name. If you don't specify a name, the name 'shorewall' is + assumed. Rules with the same name have their connection counts + aggregated and the individual rates are applied to the aggregate. - To see a list of the possible flow keys, run this command: + Example: - tc filter add flow help + ACCEPT net fw tcp 22 - - s:ssh:3/min - Those that begin with "nfct-" are Netfilter connection tracking - fields. As shown above, we recommend flow=nfct-src; that means that - we want to use the source IP address before SNAT as the key. + This will limit SSH connections from net->fw to 3 per minute. - Note: Shorewall cannot determine ahead of time if the flow - classifier is available in your kernel (especially if it was built - into the kernel as opposed to being loaded as a - module). Consequently, you should check ahead of time to ensure - that both your kernel and 'tc' utility support the feature. + ACCEPT net fw tcp 25 - - s:mail:3/min + ACCEPT net fw tcp 587 - - s:mail:3/min - You can test the 'tc' utility by typing (as root): + Since the same hash table name is used in both rules, the above is + equivalent to this single rule: - tc filter add flow help + ACCEPT net fw tcp 25,587 - - s:mail:3/min - If flow is supported, you will see: +12) Rules that specify a log level with a target other than LOG or NFLOG + are now implemented through a separate chain. While this may increase + the processing cost slightly for packets that match these rules, it + is expected to reduce the overall cost of such rules because each + packet that doesn't match the rules only has to be processed once + per rule rather than twice. - Usage: ... flow ... + Example: - [mapping mode]: map key KEY [ OPS ] ... - [hashing mode]: hash keys KEY-LIST ... + /etc/shorewall/rules: - ... 
+ REJECT:info loc net tcp 25 - If flow is not supported, you will see: + This previously generated these two rules (long rules folded): - Unknown filter "flow", hence option "help" is unparsable - - If your kernel supports module autoloading, just type (as root): + -A loc2net -p 6 --dport 25 -j LOG --log-level 6 + --log-prefix "Shorewall:loc2net:reject:" + -A loc2net -p 6 --dport 25 -j reject - modprobe cls_flow + It now generates these rules: - If 'flow' is supported, no output is produced; otherwise, you will - see: + :log0 - [0:0] + ... + -A loc2net -p 6 --dport 25 -g log0 + ... + -A log0 -j LOG --log-level 6 + --log-prefix "Shorewall:loc2net:REJECT:" + -A log0 -j reject - FATAL: Module cls_flow not found. - - If your kernel is not modularized or does not support module - autoloading, look at your kernel configuration (either - /proc/config.gz or the .config file in - /lib/modules//build/ + Notice that now there is only a single rule generated in the + 'loc2net' chain where before there were two. Packets for other than - If 'flow' is supported, you will see: + TCP port 25 had to be processed by both rules. - NET_CLS_FLOW=m + Notice also that the new LOG rule reflects the original action + ("REJECT") rather than what Shorewall maps that to ("reject"). - or +13) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and + hence will now start successfully when running on that kernel. - NET_CLS_FLOW=y +14) Three new options (IP, TC and IPSET) have been added to + shorewall.conf and shorwall6.conf. These options specify the name + of the executable for the 'ip', 'tc' and 'ipset' utilities + respectively. - For modularized kernels, Shorewall will attempt to load - /lib/modules//net/sched/cls_flow.ko by default. - ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 4 . 
1 ----------------------------------------------------------------------------- + If not specified, the default values are: -1) If ULOG was specified as the LOG LEVEL in the all->all policy, the - rules at the end of the INPUT and OUTPUT chains would still use the - LOG target rather than ULOG. + IP=ip + TC=tc + IPSET=ipset -2) Using CONTINUE policies with a nested IPSEC zone was still broken - in some cases. + In other words, the utilities will be located via the current PATH + setting. -3) The setting of IP_FORWARDING has been change to Off in the - one-interface sample configuration since forwarding is typically - not required with only a single interface. +15) There has been a desire in the user community to limit traffic by + IP address using Shorewall traffic shaping. Heretofore, that has + required a very inefficient process: -4) If MULTICAST=Yes in shorewall.conf, multicast traffic was - incorrectly exempted from ACCEPT policies. + a) Define a tcclass for each internal host (two, if shaping both in + and out). + b) Define a tcrule for each host to mark to classify the packets + accordingly. -5) Previously, the definition of a zone that specified "nets=" in - /etc/shorewall/interfaces could not be extended by entries in - /etc/shorewall/hosts. + Beginning with Shorewall 4.4, this process is made easier IF YOU + ARE WILLING TO INSTALL xtables-addons. The feature requires IPMARK + support in iptables[6] and your kernel. That support is available + in xtables-addons. -6) Previously, "nets=" could be specified in a multi-zone interface - definition ("-" in the ZONES column) in /etc/shorewall/zones. This - now raises a fatal compilation error. + Instructions for installing xtables-addons may be found at + http://www.shorewall.net/Dynamic.html#xtables-addons. -7) MULTICAST=Yes generates an incorrect rule that limits its - effectiveness to a small part of the multicast address space. 
+ The new facility has two components: -8) Checking for zone membership has been tighened up. Previously, - a zone could contain :0.0.0.0/0 along with other hosts; - now, if the zone has :0.0.0.0/0 (even with exclusions), - then it may have no additional members in /etc/shorewall/hosts. + a) A new IPMARK MARKing command in /etc/shorewall/tcrules. + b) A new 'occurs' OPTION in /etc/shorewall/tcclasses. ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 4 . 1 ----------------------------------------------------------------------------- + The facility is currently only available with IPv4. -1) To replace the SAME keyword in /etc/shorewall/masq, support has - been added for 'persistent' SNAT. Persistent SNAT is required when - an address range is specified in the ADDRESS column and when you - want a client to always receive the same source/destination IP - pair. It replaces SAME: which was removed in Shorewall 4.4.0. + In a sense, the IPMARK target is more like an IPCLASSIFY target in + that the mark value is later interpreted as a class ID. A packet + mark is 32 bits wide; so is a class ID. The class occupies + the high-order 16 bits and the class occupies the low-order + 16 bits. So the class ID 1:4ff (remember that class IDs are always + in hex) is equivalent to a mark value of 0x104ff. Remember that + Shorewall uses the interface number as the number where the + first interface in tcdevices has number 1, the second has + number 2, and so on. - To specify persistence, follow the address range with - ":persistent". + The IPMARK target assigns a mark to each matching packet based on + the either the source or destination IP address. By default, it + assigns a mark value equal to the low-order 8 bits of the source + address. 
- Example: + The syntax is as follows: - #INTERFACE SOURCE ADDRESS - eth0 0.0.0.0/0 206.124.146.177-206.124.146.179:persistent + IPMARK[([{src|dst}][,[][,[][,[]]]])] - This feature requires Persistent SNAT support in your kernel and - iptables. + Default values are: - If you use a capabilities file, you will need to create a new one - as a result of this feature. + src + = 0xFF + = 0x00 + = 0 - WARNING: Linux kernels beginning with 2.6.29 include persistent - SNAT support. If your iptables supports persistent SNAT but your - kernel does not, there is no way for Shorewall to determine that - persistent SNAT isn't going to work. The kernel SNAT code blindly - accepts all SNAT flags without verifying them and returns them to - iptables when asked. + 'src' and 'dst' specify whether the mark is to be based on the + source or destination address respectively. -2) A 'clean' target has been added to the Makefiles. It removes backup - files (*~ and .*~). + The selected address is first shifted right by , then + LANDed with and then LORed with . The + argument is intended to be used primarily with IPv6 addresses. -3) The meaning of 'full' has been redefined when used in the context - of a traffic shaping sub-class. Previously, 'full' always meant the - OUT-BANDWIDTH of the device. In the case of a sub-class, however, - that definition is awkward to use because the sub-class is limited - by the parent class. + Example: - Beginning with this release, 'full' in a sub-class definition - refers to the specified rate defined for the parent class. So - 'full' used in the RATE column refers to the parent class's RATE; - when used in the CEIL column, 'full' refers to the parent class's - CEIL. + IPMARK(src,0xff,0x10100) - As part of this change, the compiler now issues a warning if the - sum of the top-level classes' RATEs exceeds the OUT-BANDWIDTH of - the device. Similarly, a warning is issued if the sum of the RATEs - of a class's sub-classes exceeds the rate of the CLASS. 
+ Destination IP address is 192.168.4.3 = 0xc0a80403 -4) When 'nets=' or 'nets=(,,...) is specified in - /etc/shorewall/interfaces, multicast traffic will now be sent to - the zone along with limited broadcasts. + 0xc0a80403 >> 0 = 0xc0a80403 + 0xc0a80403 LAND 0xFF = 0x03 + 0x03 LOR 0x10100 = 0x10103 -5) A flaw in the parsing logic for the zones file allowed most zone - types containing the character string 'ip' to be accepted as a - synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration). + So the mark value is 0x10103 which corresponds to class id + 1:103. ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 ----------------------------------------------------------------------------- + It is important to realize that, while class IDs are composed of a + and a value, the set of values must be + unique. You must keep this in mind when deciding how to map IP + addresses to class IDs. -1) Detection of Persistent SNAT was broken in the rules compiler. + For example, suppose that your internal network is 192.168.1.0/29 + (host IP addresses 192.168.1.1 - 192.168.1.6). Your first notion + might be to use IPMARK(src,0xFF,0x10000) so as to produce class IDs + 1:1 through 1:6. But 1:1 is the class ID of the base HTB class on + interface 1. So you might chose instead to use + IPMARK(src,0xFF,0x10100) as shown in the example above so as to + avoid minor class 1. -2) Initialization of the compiler's chain table was occurring before - shorewall.conf had been read and before the capabilities had been - determined. This could lead to incorrect rules and Perl runtime - errors. + The 'occurs' option in /etc/shorewall/tcclasses causes the class + definition to be replicated many times. The synax is: -3) The 'shorewall check' command previously did not detect errors in - /etc/shorewall/routestopped. 
+ occurs= -4) In earlier versions, if a file with the same name as a built-in - action were present in the CONFIG_PATH, then the compiler would - process that file like it was an extension script. + When 'occurs' is used: - The compiler now ignores the presence of such files. + a) The associated device may not have the 'classify' option. + b) The class may not be the default class. + c) The class may not have any 'tos=' options (including + 'tcp-ack'). + d) The class should not specify a MARK value. Any MARK value + given is ignored with a warning. -5) Several configuration issues which previously produced an error or - warning are now handled differently. + The 'RATE' and 'CEIL' parameters apply to each instance of the + class. So the total RATE represented by an entry with 'occurs' will + be the listed RATE multiplied by the 'occurs' number. - a) MAPOLDACTIONS=Yes and MAPOLDACTIONS= in shorewall.conf are now - handled as they were by the old shell-based compiler. That is, - they cause pre-3.0 built-in actions to be mapped automatically - to the corresponding macro invocation. + Example: - b) SAVE_IPSETS=Yes no longer produces a fatal error -- it is now a - warning. + /etc/shorewall/tcdevices: - c) DYNAMIC_ZONES=Yes no longer produces a fatal error -- it is now - a warning. + #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH + eth0 100mbit 100mbit - d) RFC1918_STRICT=Yes no longer produces a fatal error -- it is now - a warning. + /etc/shorewall/tcclasses: -6) Previously, it was not possible to specify an IP address range in - the ADDRESS column of /etc/shorewall/masq. Thanks go to Jessee - Shrieve for the patch. + #DEVICE MARK RATE CEIL PRIORITY OPTIONS + eth0:101 - 1kbit 230kbit 4 occurs=6 -7) The 'wait4ifup' script included for Debian compatibility now runs - correctly with no PATH. + The above defines 6 classes with class IDs 0x101-0x106. Each + class has a guaranteed rate of 1kbit/second and a ceiling of + 230kbit. 
-8) The new per-IP LIMIT feature now works with ancient iptables - releases (e.g., 1.3.5 as found on RHEL 5). This change required - testing for an additional capability which means that those who use - a capabilities file should regenerate that file after installing - 4.4.2. + /etc/shoreall/tcrules: -9) One unintended difference between Shorewall-shell and - Shorewall-perl was that Shorewall-perl did not support the MARK - column in action bodies. This has been corrected. + #MARK SOURCE DEST + IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0 ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 4 . 2 ----------------------------------------------------------------------------- + This change also altered the way in which Shorewall generates a + class number when none is given. -1) Prior to this release, line continuation has taken precedence over - #-style comments. This prevented us from doing the following: + - Prior to this change, the class number was constructed by concatinating + the mark value with the either '1' or '10'. '10' was used when + there were more than 10 devices defined in /etc/shorewall/tcdevices. - ACCEPT net:206.124.146.176,\ #Gateway - 206.124.146.177,\ #Mail - 206.124.146.178\ #Server - ... - - Now, unless a line ends with '\', any trailing comment is stripped - off (including any white-space preceding the '#'). Then if the line - ends with '\', it is treated as a continuation line as normal. + - Beginning with this change, a new method is added; class numbers + are assigned sequentially beginning with 2. -2) Three new columns have been added to FORMAT-2 macro bodies. + The WIDE_TC_MARKS option in shorewall.conf selects which + construction to use. WIDE_TC_MARKS=No (the default) produces + pre-4.4 behavior. WIDE_TC_MARKS=Yes produces the new behavior. 
- MARK - CONNLIMIT - TIME + In addition to determining the method of constructing class Ids, + WIDE_TC_MARKS=Yes provides for larger mark values for traffic + shaping. Traffic shaping marks may have values up to 16383 (0x3fff) + with WIDE_TC_MARKS=Yes. This means that when both WIDE_TC_MARKS=Yes and + HIGH_ROUTE_MARKS=Yes, routing marks (/etc/shorewall/providers MARK + column) must be >= 65536 (0x10000) and must be a multiple of 65536 + (0x1000, 0x20000, 0x30000, ...). - These three columns correspond to the similar columns in - /etc/shorewall/rules and must be empty in macros invoked from an - action. +16) In the 'shorewall compile' and 'shorewall6 compile' commands, the + filename '-' now causes the compiled script to be written to + Standard Out. As a side effect, the effective VERBOSITY is set to + -1 (silent). -3) Accounting chains may now have extension scripts. Simply place your - Perl script in the file /etc/shorewall/ and when the - accounting chain named is created, your script will be - invoked. + Examples: - As usual, the variable $chainref will contain a reference to the - chain's table entry. + shorewall compile -- - # Compile the configuration in + # /etc/shorewall and send the + # output to STDOUT + shorewall compile . - # Compile the configuration in the + # current working directory + # and send the output to STDOUT ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 4 . 3 ----------------------------------------------------------------------------- +17) Supplying an interface name in the SOURCE column of + /etc/shorewall/masq is now deprecated. Entering the name of an + interface there will result in a compile-time warning (see the + Migration Considerations above). -1. Previously, if 'routeback' was specified in /etc/shorewall/routestopped: +18) Shorewall now supports nested HTB traffic shaping classes. 
The + nested classes within a class can borrow from their parent class in + the same way as the first level classes can borrow from the root + class. - a) 'shorewall check' produced an internal error - b) The 'routeback' option didn't work + To use nested classes, you must explicitly number your + classes. That does not imply that you must use the 'classify' + option. -2) If an alias IP address was added and RETAIN_ALIASES=No in - shorewall.conf, then a compiler internal error resulted. + Example: -3) Previously, the generated script would try to detect the values - for all run-time variables (such as IP addresses), regardless of - what command was being executed. Now, this information is only - detected when it is needed. + /etc/shorewall/tcdevices -4) Nested zones where the parent zone was defined by a wildcard - interface (name ends with +) in /etc/shorewall/interfaces did - not work correctly in some cases. + #INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS + eth2 - 100mbps classify -5) IPv4 addresses embedded in IPv6 (e.g., ::192.168.1.5) were - incorrectly reported as invalid. + /etc/shorewall/tcclasses -6) Under certain circumstances, optional providers were not detected - as being usable. + #INTERFACE MARK RATE CEIL PRIORITY OPTIONS + 1:10 - full/2 full 1 + 1:100 - 16mbit 20mbit 2 + 1:100:101 - 8mbit 20mbit 3 default + 1:100:102 - 8mbit 20mbit 3 + + /etc/shorewall/tcrules - Additionally, the messages issued when an optional provider was not - usable were confusing; the message intended to be issued when the - provider shared an interface ("WARNING: Gateway is not - reachable -- Provider () not Added") was being - issued when the provider did not share an interface. Similarly, the - message intended to be issued when the provider did not share an - interface ("WARNING: Interface is not usable -- - Provider () not Added") was being issued when the - provider did share an interface. 
+ #MARK SOURCE DEST + 1:102 0.0.0.0/0 eth2:172.20.1.107 + 1:10 206.124.146.177 eth2 + 1:10 172.20.1.254 eth2 ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 4 . 3 ----------------------------------------------------------------------------- + The above controls download for internal interface eth2. The + external interface has a download rate of 20mbit so we guarantee + that to class 1:100. 1:100 has two subclasses, each of which is + guaranteed half of their parent's bandwidth. -1) On Debian systems, a default installation will now set - INITLOG=/dev/null in /etc/default/shorewall. In all configurations, - the default values for the log variables are changed to: + Local traffic (that coming from the firewall and from the DMZ + server) is placed in the effectively unrestricted class 1:10. The + default class is guaranteed half of the download capacity and my + work system (172.20.1.107) is guarandeed the other half. - STARTUP_LOG=/var/log/shorewall-init.log - LOG_VERBOSITY=2 +19) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing + discipline has been added. HFSC is claimed to be superior to the + "Hierarchical Token Bucket" queuing discipline where realtime + traffic such as VOIP is being used. - The effect is much the same as the old defaults, with the exception - that: + An excellent overview of HFSC on Linux may be found at + http://linux-ip.net/articles/hfsc.en/. - a) Start, stop, etc. commands issued through /sbin/shorewall - will be logged. - b) Logging will occur at maximum verbosity. - c) Log entries will be date/time stamped. + To use HFSC, several changes need to be made to your traffic + shaping configuration: - On non-Debian systems, new installs will now log all Shorewall - commands to /var/log/shorewall-init.log. + - To use HFSC on an interface rather than HTB, specify the + 'hfsc' option in the OPTIONS column in the interfaces's + entry in /etc/shorewall/tcdevices. 
-2) A new TRACK_PROVIDERS option has been added in shorewall.conf. - The value of this option becomes the default for the 'track' - provider option in /etc/shorewall/providers. + - Modify the RATE colum for each 'leaf' class (class with no + parent class specified) defined for the interface. -3) A new 'limit' option has been added to - /etc/shorewall/tcclasses. This option specifies the number of - packets that are allowed to be queued within the class. Packets - exceeding this limit are dropped. The default value is 127 which is - the value that earlier versions of Shorewall used. The option is - ignored with a warning if the 'pfifo' option has been specified. ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 4 . 4 ----------------------------------------------------------------------------- + When using HFSC, the RATE column may specify 1, 2 or 3 + pieces of information separated by colons (":"). -1) In some simple one-interface configurations, the following Perl - run-time error messages were issued: + 1. The Guaranteed bandwidth (as always). + 2. The Maximum delay (DMAX) that the first queued packet + in the class should experience. The delay is expressed + in milliseconds and may be followed by 'ms' (e.g., + 10ms. Note that there may be no white space between the + number and 'ms'). + 3. The maximum transmission unit (UMAX) for this class of + traffic. If not specified, the MTU of the interface is + used. The length is specified in bytes and may be + followed by 'b' (e.g., 800b. Note that there may be no + white space between the number and 'b'). - Generating Rule Matrix... - Use of uninitialized value in concatenation (.) or string at - /usr/share/shorewall/Shorewall/Chains.pm line 649. - Use of uninitialized value in concatenation (.) or string at - /usr/share/shorewall/Shorewall/Chains.pm line 649. - Creating iptables-restore input... + DMAX should be specified for each leaf class. 
The Shorewall + compiler will issue a warning if DMAX is omitted. -2) The Shorewall operations log (specified by STARTUP_LOG) is now - secured 0600. + Example: -3) Previously, the compiler generated an incorrect test for interface - availability in the generated code for adding route rules. The - result was that the rules were always added, regardless of the - state of the provider's interface. Now, the rules are only added - when the interface is available. + full/2:10ms:1500b + + Guaranteed bandwidth is 1/2 of the devices + OUT-BANDWIDTH. Maximum delay is 10ms. Maximum packet + size is 1500 bytes. -4) When TC_WIDE_MARKS=Yes and class numbers are not explicitly - specified in /etc/shorewall/tcclasses, duplicate class numbers - result. A typical error message is: +20) Optional TOS and LENGTH fields have been added to the tcfilters + file. - ERROR: Command "tc class add dev eth3 parent 1:1 classid - 1:1 htb rate 1024kbit ceil 100000kbit prio 1 quantum 1500" - Failed + The TOS field may contain any of the following: - Note that the class ID of the class being added is a duplicate of - the parent's class ID. + tos-minimize-delay + tos-maximuze-throughput + tos-maximize-reliability + tos-minimize-cost + tos-normal-service + Hex-number + Hex-number/Hex-number - Also, when TC_WIDE_MARKS=Yes, values > 255 in the MARK column of - /etc/shorewall/tcclasses were rejected. + The hex numbers must have exactly two digits. ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 4 . 4 ----------------------------------------------------------------------------- + The LENGTH value must be a numeric power of two between 32 and 8192 + inclusive. Packets with a total length that is strictly less that + the specified value will match the rule. -1) The Shorewall packages now include a logrotate configuration file. +21) Support for 'norfc1918' has been removed. See the Migration + Considerations above. 
-2) The limit of 15 entries in a port list has been relaxed in - /etc/shorewall/routestopped. +22) A 'upnpclient' option has been added to + /etc/shorewall/interfaces. This option is intended for laptop users + who always run Shorewall on their system yet need to run + UPnP-enabled client apps such as Transmission (BitTorrent client). -3) The following seemingly valid configuration produces a fatal - error reporting "Duplicate interface name (p+)" + The option causes Shorewall to detect the default gateway through + the interface and to accept UDP packets from that gateway. Note + that, like all aspects of UPnP, this is a security hole so use this + option at your own risk. - /etc/shorewall/zones: +23) 'iptrace' and 'noiptrace' commands have been added to both + /sbin/shorewall and /sbin/shorewall6. - #ZONE TYPE - fw firewall - world ipv4 - z1:world bport4 - z2:world bport4 + These are low-level debugging commands that cause + iptables/ip6tables TRACE log messages to be generated. See 'man + iptables' and 'man ip6tables' for details. - /etc/shorewall/interfaces: + The syntax for the commands is: - #ZONE INTERFACE BROADCAST OPTIONS - world br0 - bridge - world br1 - bridge - z1 br0:p+ - z2 br1:p+ + iptrace + noiptrace - This error occurs because the Shorewall implementation requires - that each bridge port must have a unique name. + iptrace starts the trace; noiptrace turns it off. - To work around this problem, a new 'physical' interface option has - been created. The above configuration may be defined using the - following in /etc/shorewall/interfaces: + The match expression must be an expression that is legal in both + the raw table OUTPUT and PREROUTING chains. - #ZONE INTERFACE BROADCAST OPTIONS - world br0 - bridge - world br1 - bridge - z1 br0:x+ - physical=p+ - z2 br1:y+ - physical=p+ + Examaple: - In this configuration, 'x+' is the logical name for ports p+ on - bridge br0 while 'y+' is the logical name for ports p+ on bridge - br1. 
+ To trace all packets destinted for IP address 206.124.146.176: - If you need to refer to a particular port on br1 (for example - p1023), you write it as y1023; Shorewall will translate that name - to p1023 when needed. + shorewall iptrace -d 206.124.146.176 - It is allowed to have a physical name ending in '+' with a logical - name that does not end with '+'. The reverse is not allowed; if the - logical name ends in '+' then the physical name must also end in - '+'. + To turn that trace off: - This feature is not restricted to bridge ports. Beginning with this - release, the interface name in the INTERFACE column can be - considered a logical name for the interface, and the actual - interface name is specified using the 'physical' option. If no - 'physical' option is present, then the physical name is assumed to - be the same as the logical name. As before, the logical interface - name is used throughout the rest of the configuration to refer to - the interface. + shorewall noiptrace -d 206.124.146.176 -4) Previously, Shorewall has used the character '2' to form the name - of chains involving zones and/or the word 'all' (e.g., fw2net, - all2all). When zones names are given numeric suffixes, these - generated names are hard to read (e.g., foo1232bar). To make these - names clearer, a ZONE2ZONE option has been added. +24) A USER/GROUP column has been added to /etc/shorewall/masq. The + column works similarly to USER/GROUP columns in other Shorewall + configuration files. Only locally-generated traffic is matched. - ZONE2ZONE has a default value of "2" but can also be given the - value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate - the two parts of the name with a hyphen (e.g., foo123-bar). +25) A new extension script, 'lib.private' has been added. This file is + intended to include declarations of shell functions that will be + called by the other run-time extension scripts. 
-5) Only one instance of the following warning is now generated; - previously, one instance of a similar warning was generated for - each COMMENT encountered. +26) Paul Gear has contributed the following macros: - COMMENTs ignored -- require comment support in iptables/Netfilter + macro.Webcache (originally named macro.DG) + macro.IPPbrd + macro.NTPbi + macro.RIPbi + macro.mDNS -6) The shorewall and shorewall6 utilities now support a 'show - policies' command. Once Shorewall or Shorewall6 has been restarted - using a script generated by this version, the 'show policies' - command will list each pair of zones and give the applicable - policy. If the policy is enforced in a chain, the name of the chain - is given. +27) The default value of DISABLE_IPV6 has been changed from 'Yes' to + 'No' in all sample shorewall.conf files. Shorewall6 should be + installed to restrict IPv6 traffic. - Example: + As part of this change, the ip6tables program in the directory + specified by the IPTABLES setting will be used to disable IPv6. If + the iptables utility is discovered using the PATH setting, then + ip6tables in the same directory as the discovered iptables will be + used. - net => loc DROP using chain net2all +28) A 'flow=' option has been added to the + /etc/shorewall/tcclasses OPTIONS column. - Note that implicit intrazone ACCEPT policies are not displayed for - zones associated with a single network where that network - doesn't specify 'routeback'. + Shorewall attaches an SFQ queuing discipline to each leaf HTB + and HFSC class. SFQ ensures that each flow gets equal access to the + interface. The default definition of a flow corresponds roughly to + a Netfilter connection. So if one internal system is running + BitTorrent, for example, it can have lots of 'flows' and can thus + take up a larger share of the bandwidth than a system having only a + single active connection. The flow classifier (module cls_flow) + works around this by letting you define what a 'flow' is. 
-7) The 'show' and 'dump' commands now support an '-l' option which - causes chain displays to include the rule number of each rule. + The clasifier must be used carefully or it can block off all + traffic on an interface! - (Type 'iptables -h' and look for '--line-number') + The flow option can be specified for an HTB or HFSC leaf class (one + that has no sub-classes). We recommend that you use the following: ----------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 4 . 5 ----------------------------------------------------------------------------- + Shaping internet-bound traffic: flow=nfct-src + Shaping traffic bound for your local net: flow=dst -1) The change which removed the 15 port limitation on - /etc/shorewall/routestopped was incomplete. The result was that if - more than 15 ports were listed, an error was generated. + These will cause a 'flow' to consists of the traffic to/from each + internal system. -2) If any interfaces had the 'bridge' option specified, compilation - failed with the error: + When more than one key is give, they must be enclosed in + parenthesis and separated by commas. - Undefined subroutine &Shorewall::Rules::match_source_interface called - at /usr/share/shorewall/Shorewall/Rules.pm line 2319. + To see a list of the possible flow keys, run this command: -3) The compiler now flags port number 0 as an error in all - contexts. Previously, port 0 was allowed with the result that - invalid iptables-restore input could be generated in some cases. + tc filter add flow help -4) The 'show policies' command now works in Shorewall6 and - Shorewall6-lite. + Those that begin with "nfct-" are Netfilter connection tracking + fields. As shown above, we recommend flow=nfct-src; that means that + we want to use the source IP address before SNAT as the key. -5) Traffic shaping modules from /lib/modules//net/sched/ are - now correctly loaded. Previously, that directory was not - searched. 
Additionally, Shorewall6 now tries to load the cls_flow - module; previously, only Shorewall attempts to load that module. + Note: Shorewall cannot determine ahead of time if the flow + classifier is available in your kernel (especially if it was built + into the kernel as opposed to being loaded as a + module). Consequently, you should check ahead of time to ensure + that both your kernel and 'tc' utility support the feature. -6) The Shorewall6-lite shorecap program was previously including the - IPv4 base library rather than the IPv6 version. Also, Shorewall6 - capability detection was determing the availablity of the mangle - capability before it had determined if ip6tables was installed. + You can test the 'tc' utility by typing (as root): -7) The setting of MODULE_SUFFIX was previously ignored except when - compiling for export. + tc filter add flow help -8) Detection of the Enhanced Reject capability in the compiler was - broken for IPv4 compilations. + If flow is supported, you will see: -9) The 'reload -c' command would ignore the setting of DONT_LOAD in - shorewall.conf. The 'reload' command without '-c' worked as - expected. + Usage: ... flow ... ----------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 4 . 5 ----------------------------------------------------------------------------- + [mapping mode]: map key KEY [ OPS ] ... + [hashing mode]: hash keys KEY-LIST ... -1) Shorewall now allows DNAT rules that change only the destination - port. + ... - Example: + If flow is not supported, you will see: - DNAT loc net::456 udp 234 + Unknown filter "flow", hence option "help" is unparsable + + If your kernel supports module autoloading, just type (as root): - That rule will modify the destination port in UDP packets received - from the 'loc' zone from 456 to 234. 
Note that if the destination - is the firewall itself, then the destination port will be rewritten - but that no ACCEPT rule from the loc zone to the $FW zone will have - been created to handle the request. So such rules should probably - exclude the firewall's IP addresses in the ORIGINAL DEST column. + modprobe cls_flow -2) Systems that do not log Netfilter messages locally can now set - LOGFILE=/dev/null in shorewall.conf. + If 'flow' is supported, no output is produced; otherwise, you will + see: -3) The 'shorewall show connections' and 'shorewall dump' commands now - display the current number of connections and the max supported - connections. + FATAL: Module cls_flow not found. + + If your kernel is not modularized or does not support module + autoloading, look at your kernel configuration (either + /proc/config.gz or the .config file in + /lib/modules//build/ - Example: + If 'flow' is supported, you will see: - shorewall show connections - Shorewall 4.5.0 Connections (62 out of 65536) at gateway - Sat ... + NET_CLS_FLOW=m - In that case, there were 62 current connections out of a maximum - number supported of 65536. + or + + NET_CLS_FLOW=y + + For modularized kernels, Shorewall will attempt to load + /lib/modules//net/sched/cls_flow.ko by default. + diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/Samples6/one-interface/shorewall6.conf shorewall6-4.4.7/Samples6/one-interface/shorewall6.conf --- shorewall6-4.4.6/Samples6/one-interface/shorewall6.conf 2010-01-14 08:36:22.000000000 -0800 +++ shorewall6-4.4.7/Samples6/one-interface/shorewall6.conf 2010-02-11 07:29:41.000000000 -0800 @@ -99,6 +99,8 @@ TC_EXPERT=No +TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" + CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No 
@@ -143,7 +145,15 @@
 ZONE2ZONE=2
-###############################################################################
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+##############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/Samples6/three-interfaces/shorewall6.conf shorewall6-4.4.7/Samples6/three-interfaces/shorewall6.conf
--- shorewall6-4.4.6/Samples6/three-interfaces/shorewall6.conf 2010-01-14 08:36:22.000000000 -0800
+++ shorewall6-4.4.7/Samples6/three-interfaces/shorewall6.conf 2010-02-11 07:29:41.000000000 -0800
@@ -99,6 +99,8 @@
 TC_EXPERT=No
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
@@ -143,6 +145,14 @@
 ZONE2ZONE=2
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/Samples6/two-interfaces/shorewall6.conf shorewall6-4.4.7/Samples6/two-interfaces/shorewall6.conf
--- shorewall6-4.4.6/Samples6/two-interfaces/shorewall6.conf 2010-01-14 08:36:22.000000000 -0800
+++ shorewall6-4.4.7/Samples6/two-interfaces/shorewall6.conf 2010-02-11 07:29:41.000000000 -0800
@@ -99,6 +99,8 @@
 TC_EXPERT=No
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
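Review bot: The separator line re-added at the end of the one-interface hunk (`+#####…`) appears to be one character shorter than the line it replaces (`-#####…`), so that `-`/`+` pair is a purely cosmetic change and the one-interface sample now differs from the two- and three-interfaces samples, where the same separator is left untouched as context. Restoring the original line keeps the three sample files identical in layout and removes noise from future diffs. The samples also set `LOAD_HELPERS_ONLY=Yes` while the shipped shorewall6.conf sets `LOAD_HELPERS_ONLY=No`; if that difference is intentional, a one-line comment above the setting in the samples, e.g. `# Samples load only the helpers listed in /usr/share/shorewall6/helpers`, would tell users who copy a sample why it departs from the default.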
@@ -143,6 +145,14 @@
 ZONE2ZONE=2
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/shorewall6 shorewall6-4.4.7/shorewall6
--- shorewall6-4.4.6/shorewall6 2010-01-14 08:36:22.000000000 -0800
+++ shorewall6-4.4.7/shorewall6 2010-02-11 07:29:41.000000000 -0800
@@ -220,6 +220,20 @@
 fi
 ;;
 esac
+
+ case $LOAD_HELPERS_ONLY in
+ Yes|yes)
+ ;;
+ No|no)
+ LOAD_HELPERS_ONLY=
+ ;;
+ *)
+ if [ -n "$LOAD_HELPERS_ONLY" ]; then
+ echo " ERROR: Invalid LOAD_HELPERS_ONLY setting ($LOAD_HELPERS_ONLY)" >&2
+ exit 1
+ fi
+ ;;
+ esac
 }
 #
@@ -1330,6 +1344,7 @@
 USE_VERBOSITY=
 NOROUTES=
 PURGE=
+DEBUG=
 EXPORT=
 export TIMESTAMP=
 noroutes=
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/shorewall6.conf shorewall6-4.4.7/shorewall6.conf
--- shorewall6-4.4.6/shorewall6.conf 2010-01-14 08:36:22.000000000 -0800
+++ shorewall6-4.4.7/shorewall6.conf 2010-02-11 07:29:41.000000000 -0800
@@ -105,6 +105,8 @@
 TC_EXPERT=No
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=No
 MARK_IN_FORWARD_CHAIN=No
@@ -149,6 +151,14 @@
 ZONE2ZONE=2
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+LOAD_HELPERS_ONLY=No
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/shorewall6.spec shorewall6-4.4.7/shorewall6.spec
--- shorewall6-4.4.6/shorewall6.spec 2010-01-14 08:36:22.000000000 -0800
+++ shorewall6-4.4.7/shorewall6.spec 2010-02-11 07:29:41.000000000 -0800
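Review bot: The new `case $LOAD_HELPERS_ONLY in` block in the shorewall6 hunk normalises `No|no` to an empty string but leaves a `Yes|yes` value exactly as typed, so a lower-case `yes` passes validation here yet would not match a later `= Yes` comparison (the consumer of the variable is not visible in this hunk, so this is inferred from the asymmetry alone); canonicalising in the first arm, `Yes|yes) LOAD_HELPERS_ONLY=Yes ;;`, makes every accepted spelling equivalent downstream. The enclosing function begins before this hunk; only its closing `}` is visible as context. The second hunk only initialises `DEBUG=` alongside the other option variables and needs no change.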
@@ -1,5 +1,5 @@
 %define name shorewall6
-%define version 4.4.6
+%define version 4.4.7
 %define release 0base
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@@ -84,6 +84,7 @@
 %attr(0644,root,root) /usr/share/shorewall6/lib.cli
 %attr(0644,root,root) /usr/share/shorewall6/macro.*
 %attr(0644,root,root) /usr/share/shorewall6/modules
+%attr(0644,root,root) /usr/share/shorewall6/helpers
 %attr(0644,root,root) /usr/share/shorewall6/configpath
 %attr(0755,root,root) /usr/share/shorewall6/wait4ifup
@@ -95,6 +96,21 @@
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 %changelog
+* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0base
+* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC2
+* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC1
+* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta4
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta3
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta2
+- Added helpers file
+* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta1
 * Wed Jan 13 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.6-0base
 * Tue Jan 12 2010 Tom Eastep tom@shorewall.net
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/tcinterfaces shorewall6-4.4.7/tcinterfaces
--- shorewall6-4.4.6/tcinterfaces 1969-12-31 16:00:00.000000000 -0800
+++ shorewall6-4.4.7/tcinterfaces 2010-02-11 07:29:41.000000000 -0800
@@ -0,0 +1,11 @@
+#
+# Shorewall6 version 4 - Tcinterfaces File
+#
+# For information about entries in this file, type "man shorewall6-tcinterfaces"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#INTERFACE TYPE IN-BANDWIDTH
+
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/tcpri shorewall6-4.4.7/tcpri
--- shorewall6-4.4.6/tcpri 1969-12-31 16:00:00.000000000 -0800
+++ shorewall6-4.4.7/tcpri 2010-02-11 07:29:41.000000000 -0800
@@ -0,0 +1,13 @@
+#
+# Shorewall6 version 4 - Tcpri File
+#
+# For information about entries in this file, type "man shorewall6-tcpri"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#BAND PROTO PORT(S) ADDRESS IN-INTERFACE HELPER
+
+
+
diff -Naur -X /usr/local/bin/exclude.txt shorewall6-4.4.6/uninstall.sh shorewall6-4.4.7/uninstall.sh
--- shorewall6-4.4.6/uninstall.sh 2010-01-14 08:36:22.000000000 -0800
+++ shorewall6-4.4.7/uninstall.sh 2010-02-11 07:29:41.000000000 -0800
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.6
+VERSION=4.4.7
 usage() # $1 = exit status
 {