Beta 3 is now available for testing.

Problem Corrected since Beta 2:

1)  The set of helpers and protocols used in validating the CT:helpers
    action (shorewall-notrack (5)) and in the HELPER column of
    shorewall-tcrules has been corrected.

New Features since Beta 2:

1)  With the addition of the CT action to the /etc/shorewall[6]/notrack
    file, the name of the file does not accurately reflect the file's
    purpose. In this release, the name of the file has been changed to
    'conntrack'.

    Unless the 'sparse' installer option is enabled ('sparse' is the
    default on Debian and derivatives), the tarball installers will
    install 'conntrack' alongside an existing 'notrack'
    file. Where both files exist, a warning message is issued during
    compilation:

        WARNING: Both notrack and conntrack exist; conntrack ignored

    This warning can be eliminated by removing the notrack file (if it
    has no entries), or by moving its entries to the conntrack file and
    removing the notrack file. Note that the conntrack file is always
    populated with rules (see the next enhancement).

2)  'all' is now accepted as a zone name in the SOURCE column of
    shorewall-conntrack(5). As in the rules file, it means all zones.

3)  Because of the potential for attackers to subvert Netfilter helpers
    like the one for FTP, the Netfilter team are in the process of
    eliminating the automatic association of helpers to connections. In
    the 3.5 kernel, it is possible to disable this automatic
    association, and the team have announced that automatic association
    will eventually be eliminated. While it is certainly more secure to
    add explicit rules that create these associations, for Shorewall to
    require users to add those rules would present a gross
    inconvenience during a Shorewall upgrade.

    To make Shorewall and kernel upgrades as smooth as possible, a new
    HELPERS option has been added to shorewall[6].conf. When HELPERS is
    not specified (the default), all helpers are enabled. Shorewall
    generates rules in the iptables raw table that create the same
    associations as are created automatically today.

    You can restrict the set of helpers that Shorewall enables by
    listing their names in the HELPERS setting. See shorewall[6].conf
    (5) for details. Note that unless you are running kernel 3.5 or
    later and have disabled automatic associations, omitting helpers
    from the HELPERS list has no effect.

    In addition to specifying the set of helpers to be enabled, on 3.5
    and later kernels, the HELPERS option controls whether the helpers
    are automatically associated. So if you specify that only the FTP
    and IRC helpers are enabled, all other helpers will be disabled.

    The implementation of HELPERS places conditional rules in the
    /etc/shorewall[6]/conntrack file.

    Example:

       ?IF __FTP_HELPER
       CT:helper:ftp    all     -       tcp     21
       ?ENDIF

    __FTP_HELPER evaluates to false if the HELPERS setting is
    non-empty and 'ftp' is not listed in that setting.

    Users are encouraged to tailor the conntrack file and the HELPERS
    setting to meet their particular needs. This can be done
    before you upgrade to a 3.5 or later kernel.

    For example, if you only need FTP access from your 'loc' zone, then
    change the above rule to

       CT:helper:ftp    loc     -       tcp     21

    See:

       https://home.regit.org/netfilter-en/secure-use-of-helpers/

    for additional information.

    For an overview of Netfilter Helpers and Shorewall's support for
    dealing with them, see http://www.shorewall.net/Helpers.html.

4)  To make the spelling of the AUTO* shorewall[6].conf options
    consistent, the AUTO_COMMENT option has been renamed
    AUTOCOMMENT. AUTO_COMMENT is still accepted as an
    alias. 'shorewall[6] update' will rename the option in the updated
    .conf file.

5)  The CT:helper action in the /etc/shorewall[6]/conntrack file
    (formerly the notrack file) lacked flexibility. To allow different
    options to be specified for each helper, the syntax of the
    CT:helper action has been redesigned.

        CT:helper:<helper>[(<option>=<value>[,...])]

    where <option> is one of:

    - ctevents
    - expevents

    Example:

       CT:helper:ftp(expevents=new)

    See shorewall-conntrack (5) for details.

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
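Added example, not Shorewall's own code and not part of the announcement above: a small POSIX shell script that prints the explicit iptables raw-table CT rules that items 3 and 5 describe, so a reader can see what Shorewall's generated conntrack rules, the HELPERS gating and the per-helper options amount to at the netfilter level. The interface name eth1 standing in for the 'loc' zone, the helper list, the port numbers and the mapping of '-' to "all zones" are assumptions for illustration; nothing is applied to the running firewall, the commands are only printed.

```shell
#!/bin/sh
# Added example, not Shorewall code.  Prints (does not run) the iptables
# raw-table rules that make helper assignment explicit, the way Shorewall's
# generated conntrack rules do, gated by a HELPERS-style list.
#
# HELPERS: space-separated helper names to enable; empty means "all",
# mirroring the default HELPERS setting.  "ftp irc" is an assumed value.
HELPERS="${HELPERS-ftp irc}"

# helper_enabled NAME: succeeds when NAME is enabled, i.e. HELPERS is
# empty or NAME appears in it (the __<NAME>_HELPER rule from the notes).
helper_enabled() {
    [ -z "$HELPERS" ] && return 0
    for h in $HELPERS; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# ct_helper_rule HELPER IFACE PROTO PORT [CT options...]
# Prints one rule assigning HELPER to connections matching the given
# interface/protocol/port, or nothing if HELPER is not enabled.  IFACE "-"
# stands for "all zones" here (assumption) and omits the -i match.  Extra
# arguments are passed through as CT target options such as --expevents new,
# which is what CT:helper:ftp(expevents=new) in the conntrack file selects.
ct_helper_rule() {
    helper="$1" iface="$2" proto="$3" port="$4"
    shift 4
    helper_enabled "$helper" || return 0
    in=""
    [ "$iface" != "-" ] && in=" -i $iface"
    printf 'iptables -t raw -A PREROUTING%s -p %s --dport %s -j CT --helper %s%s\n' \
        "$in" "$proto" "$port" "$helper" "${1:+ $*}"
}

# generate_rules: the rule set for an assumed 'loc' zone on eth1.  The
# sysctl disables the kernel's automatic helper assignment (kernel 3.5 and
# later), which is what makes the explicit rules load-bearing; without it,
# omitting a helper from HELPERS changes nothing, as the notes say.
generate_rules() {
    echo 'sysctl -w net.netfilter.nf_conntrack_helper=0'
    ct_helper_rule ftp eth1 tcp 21 --expevents new
    ct_helper_rule irc eth1 tcp 6667
    ct_helper_rule sip -    udp 5060   # not in HELPERS above: prints nothing
}

generate_rules
# After applying such rules, 'conntrack -L | grep helper=' should show a
# helper only on flows these rules matched, not on every port-21 connection.
```

Running the script as-is prints the sysctl line plus the ftp and irc rules; setting HELPERS to the empty string in the environment reproduces the default "all helpers enabled" behaviour and the sip rule appears as well.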