4.5.4 Beta 3 is now available for testing. I apologize for the
back-to-back Betas but I guess it's better to find these problems during
the Beta period rather than later.

Problems corrected:

1)  This release includes all defect repairs from Shorewall 4.5.3.1.

2)  When EXPORTMODULES=No in shorewall.conf, the following errors were
    issued:

    /usr/share/shorewall/modules: line 19: ?INCLUDE: command not found
    /usr/share/shorewall/modules: line 23: ?INCLUDE: command not found
    /usr/share/shorewall/modules: line 27: ?INCLUDE: command not found
    /usr/share/shorewall/modules: line 31: ?INCLUDE: command not found
    /usr/share/shorewall/modules: line 35: ?INCLUDE: command not found
    /usr/share/shorewall/modules: line 39: ?INCLUDE: command not found

    These messages have been eliminated.

New Features:

Beta 1:

1)  The TPROXY tcrules action introduced in Shorewall 4.4.7 was
    incomplete and required additional rules to be added in the 'start'
    or 'started' extension scripts.

    In this release, the TPROXY implementation has been changed and an
    additional DIVERT action has been created. Because the new TPROXY
    has a different set of parameters than the prior one, the tcrules
    file now supports two formats:

    FORMAT 1 - (default, deprecated)

        The TPROXY action allows three arguments, the first of which
        ('mark') is required.

    FORMAT 2

        The TPROXY action has two optional arguments:

            port -- the port on which the proxy is listening. While
                    this argument is optional, it will normally be
                    supplied.

            ip address -- the address on which the proxy is listening.

    The file format is specified by a line like this:

        FORMAT {1|2}

    The Sample configurations have been updated to use FORMAT 2.

    The format-2 tcrules file also supports the DIVERT action. The
    DIVERT action directs matching packets to the local system if there
    is a transparent socket in the local system that matches the
    destination of the packet. DIVERT is used to redirect response
    packets from remote web servers back to the proxy process
    running on the firewall rather than being routed directly back to
    the client.

    Finally, the providers file supports a new 'tproxy' option. When
    'tproxy' is specified:

    - It must be the only OPTION given
    - The MARK, DUPLICATE and GATEWAY columns must be empty.
    - The loopback device (lo) should be specified as the INTERFACE.

    The 'tproxy' option causes a reserved mark value to be associated
    with the provider and for its associated routing rule to have
    priority 1.

    Here is the TPROXY configuration at shorewall.net:

    interfaces:

      FORMAT 2
      #ZONE     INTERFACE       OPTIONS
      -         lo              ignore

    tcrules:

      FORMAT 2
      #ACTION                   SOURCE  DEST    PROTO   DEST    SOURCE
      #                                                 PORT(S) PORT(S)
      DIVERT                    eth1    -       tcp     -       80
      DIVERT                    eth0    -       tcp     -       80
      TPROXY(3129,172.20.1.254) eth2    -       tcp     80

      Note: eth1 and eth0 are Internet interfaces and eth2 connects to
            the local LAN.

    providers:

      #NAME  NUMBER MARK DUPLICATE INTERFACE GATEWAY    OPTIONS
      ...
      Squid  3      -    -          lo       -          tproxy

    /etc/squid3/squid.conf:

        ...
        http_port 172.20.1.254:3129 tproxy
        ...
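    As an added illustration (not Shorewall code and not part of the
    original announcement), the following Python lints tcrules and
    providers entries against the constraints stated above: the FORMAT
    directive selecting TPROXY's argument list, DIVERT being a FORMAT 2
    action, and the 'tproxy' provider option needing to be the sole
    OPTION with MARK/DUPLICATE/GATEWAY empty and lo as INTERFACE. The
    "OK" samples are the shorewall.net configuration quoted above; the
    "BAD" samples are constructed. Shorewall's own compiler performs its
    own, more thorough checks; this only mirrors the rules in the notes.

```python
"""Lint Shorewall tcrules (FORMAT 1/2) and providers lines against the
rules stated in the 4.5.4 release notes.  Added example, not Shorewall's
own compiler code."""
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
ACTION = re.compile(r"^([A-Za-z_]+)(?:\((.*)\))?$")


def strip_comment(raw):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return raw.split("#", 1)[0].strip()


def parse_action(token):
    """'TPROXY(3129,172.20.1.254)' -> ('TPROXY', ['3129', '172.20.1.254']);
    a bare 'DIVERT' -> ('DIVERT', [])."""
    m = ACTION.match(token)
    if not m:
        raise ValueError(f"malformed ACTION: {token!r}")
    args = m.group(2)
    return m.group(1), ([] if args is None else [a.strip() for a in args.split(",")])


def lint_tcrules(text):
    """Return problems found in a tcrules body.
    FORMAT 1 (default): TPROXY takes up to three arguments, the first
    ('mark') required; DIVERT does not exist.
    FORMAT 2: TPROXY takes an optional port and IP address; DIVERT allowed."""
    fmt, problems = 1, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        if line.upper().startswith("FORMAT"):
            value = line.split()[-1]
            if value in ("1", "2"):
                fmt = int(value)
            else:
                problems.append(f"line {lineno}: FORMAT must be 1 or 2, got {value!r}")
            continue
        action, args = parse_action(line.split()[0])
        if action == "DIVERT":
            if fmt != 2:
                problems.append(f"line {lineno}: DIVERT requires FORMAT 2")
            if args:
                problems.append(f"line {lineno}: DIVERT takes no arguments")
        elif action == "TPROXY":
            if fmt == 1:
                if not args or not args[0]:
                    problems.append(f"line {lineno}: FORMAT 1 TPROXY requires a mark")
                elif len(args) > 3:
                    problems.append(f"line {lineno}: FORMAT 1 TPROXY takes at most three arguments")
            else:
                if len(args) > 2:
                    problems.append(f"line {lineno}: FORMAT 2 TPROXY takes at most a port and an address")
                if args and args[0] and not (args[0].isdigit() and 0 < int(args[0]) < 65536):
                    problems.append(f"line {lineno}: TPROXY port {args[0]!r} is not a valid port")
                if len(args) == 2 and args[1] and not IPV4.match(args[1]):
                    problems.append(f"line {lineno}: TPROXY address {args[1]!r} is not an IPv4 address")
    return problems


def lint_providers(text):
    """Check the constraints placed on the 'tproxy' provider option:
    sole OPTION, empty ('-') MARK/DUPLICATE/GATEWAY, INTERFACE lo."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        cols = line.split()
        if len(cols) < 7:
            problems.append(f"line {lineno}: expected 7 columns, found {len(cols)}")
            continue
        _name, _number, mark, dup, iface, gw, options = cols[:7]
        opts = options.split(",")
        if "tproxy" in opts:
            if len(opts) != 1:
                problems.append(f"line {lineno}: tproxy must be the only OPTION")
            for col, val in (("MARK", mark), ("DUPLICATE", dup), ("GATEWAY", gw)):
                if val != "-":
                    problems.append(f"line {lineno}: {col} must be empty ('-') with tproxy")
            if iface != "lo":
                problems.append(f"line {lineno}: INTERFACE should be lo with tproxy, found {iface}")
    return problems


# The tcrules and providers entries quoted in the release notes.
TCRULES_OK = """\
FORMAT 2
#ACTION                   SOURCE  DEST    PROTO   DEST    SOURCE
#                                                 PORT(S) PORT(S)
DIVERT                    eth1    -       tcp     -       80
DIVERT                    eth0    -       tcp     -       80
TPROXY(3129,172.20.1.254) eth2    -       tcp     80
"""
PROVIDERS_OK = """\
#NAME  NUMBER MARK DUPLICATE INTERFACE GATEWAY    OPTIONS
Squid  3      -    -          lo       -          tproxy
"""
# Constructed faulty inputs: DIVERT before the FORMAT line (so FORMAT 1
# still applies), an out-of-range proxy port, and a provider that sets
# MARK, uses eth0 and combines tproxy with another option.
TCRULES_BAD = """\
DIVERT                     eth1    -       tcp     -       80
FORMAT 2
TPROXY(99999,172.20.1.254) eth2    -       tcp     80
"""
PROVIDERS_BAD = """\
Squid  3      0x100 -         eth0     -          tproxy,loose
"""
```

    Running lint_tcrules(TCRULES_OK) and lint_providers(PROVIDERS_OK)
    returns empty lists; the constructed BAD inputs yield one message per
    violated constraint.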

Beta 3:

1)  With some misgivings, this release adds support for the geoip match
    feature available in xtables-addons. Geoip allows matching of the
    source or destination IP address by ISO 3661 country codes.

    The support is implemented in the form of extended syntax in the
    SOURCE and DEST columns of the rules file.

    To specify one or more country codes, list them as a
    comma-separated list preceded by a caret ('^').

    Example - Drop email from Anonymous Proxies and Satellite Providers:

    #ACTION        SOURCE               DEST    PROTO   DEST
    #                                                   PORT(S)
    DROP:info      net:^A1,A2           dmz     tcp     25

    A listing of two-character country codes is available at
    http://www.shorewall.net/ISO-3661.html.
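
    As an added illustration (not Shorewall code and not part of this
    announcement), the following Python parses the caret syntax described
    above out of the SOURCE and DEST columns of a rules line and renders
    the xtables-addons geoip match flags (--src-cc / --dst-cc) such a rule
    corresponds to. KNOWN_CODES is a constructed subset used only so the
    example can reject an unknown code; Shorewall itself relies on the
    xtables-addons geoip database, not on a hard-coded list.

```python
"""Parse the geoip country-code syntax (zone:^CC[,CC...]) that Beta 3 adds
to the SOURCE and DEST columns of the rules file.  Added example, not
Shorewall code."""
import re

# Constructed subset of two-character codes for the example only.
KNOWN_CODES = {"A1", "A2", "US", "DE", "FR", "CN", "RU"}
CODE_SHAPE = re.compile(r"^[A-Z0-9]{2}$")


def parse_endpoint(column):
    """Split a SOURCE/DEST column into (zone, countries).
    countries is None unless the column uses the caret form; an ordinary
    host/network qualifier after the colon is not interpreted here."""
    if ":" not in column:
        return column, None
    zone, _, spec = column.partition(":")
    if not spec.startswith("^"):
        return zone, None
    codes = [c for c in spec[1:].split(",") if c]
    if not codes:
        raise ValueError(f"{column!r}: caret given but no country codes")
    bad = [c for c in codes if not CODE_SHAPE.match(c) or c not in KNOWN_CODES]
    if bad:
        raise ValueError(f"{column!r}: unknown country code(s) {bad}")
    return zone, codes


def parse_rule(line):
    """Parse one rules-file line: ACTION SOURCE DEST [PROTO [DEST PORT(S)]]."""
    cols = line.split()
    if len(cols) < 3:
        raise ValueError(f"too few columns: {line!r}")
    action, source, dest = cols[:3]
    proto = cols[3] if len(cols) > 3 else "-"
    dport = cols[4] if len(cols) > 4 else "-"
    src_zone, src_cc = parse_endpoint(source)
    dst_zone, dst_cc = parse_endpoint(dest)
    return {"action": action, "source": src_zone, "source_countries": src_cc,
            "dest": dst_zone, "dest_countries": dst_cc,
            "proto": proto, "dport": dport}


def geoip_match(rule):
    """Render the xtables-addons geoip match arguments implied by a parsed
    rule, or '' when neither endpoint carries country codes."""
    flags = []
    if rule["source_countries"]:
        flags.append("--src-cc " + ",".join(rule["source_countries"]))
    if rule["dest_countries"]:
        flags.append("--dst-cc " + ",".join(rule["dest_countries"]))
    return "-m geoip " + " ".join(flags) if flags else ""


# The rule quoted in the release notes.
RULE_EXAMPLE = "DROP:info      net:^A1,A2           dmz     tcp     25"
```

    parse_rule(RULE_EXAMPLE) reports zone net with countries ['A1', 'A2']
    for SOURCE and zone dmz with no countries for DEST, and geoip_match()
    on that result gives "-m geoip --src-cc A1,A2".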

Thank you for testing,

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel