After much deliberation, I have decided that I don't want to release the 
incomplete solution for Netfilter helpers that I had implemented in the 
Betas and RC1. I have rather decided that I will release the complete 
solution in this release rather than in 4.5.8 as I had originally 
planned. So I'm breaking with my usual practice and releasing 
new/changed features in this release candidate.

New/Changed Features since 4.5.7 RC 1:

1)  With the addition of the CT action to the /etc/shorewall[6]/notrack
     file, the name of the file does not accurately reflect the file's
     purpose. In this release, the name of the file has been changed to
     'conntrack'.

     Unless the 'sparse' installer option is enabled ('sparse' is the
     default on Debian and derivatives), the tarball installers will
     install 'conntrack' alongside an existing 'notrack'
     file. If the 'notrack' file is non-empty, a warning message is
     issued during compilation:

        WARNING: Non-empty notrack file (...);
                 please move its contents to the conntrack file

     This warning can be eliminated by removing the notrack file (if it
     has no entries), or by moving its entries to the conntrack file and
     removing the notrack file. Note that the conntrack file is always
     populated with rules (see enhancement 5).

     If the 'notrack' file exists and is empty, the first compilation
     will remove it with the warning:

         WARNING: Empty notrack file (...) removed

2)  Because of the potential for attackers to subvert Netfilter helpers
     like the one for FTP, the Netfilter team are in the process of
     eliminating the automatic association of helpers to connections. In
     the 3.5 kernel, it is possible to disable this automatic
     association, and the team have announced that automatic association
     will eventually be eliminated. While it is certainly more secure to
     add explicit rules that create these associations, for Shorewall to
     require users to add those rules would present a gross
     inconvenience during a Shorewall upgrade.

     To make Shorewall and kernel upgrades as smooth as possible,
     several new features have been added in this release:

     - Shorewall will automatically disable the kernel's automatic
       association of helpers to connections on kernel 3.5 and later.

     - An automatic association of helpers with connections that
       performs the same function as in the pre-3.5 kernels has been
       added. This automatic association is controlled by the new
       AUTOHELPERS shorewall.conf option which is set to 'Yes' by
       default.

     - A HELPERS column has been added to the /etc/shorewall/rules file.

       In the NEW section:

         When the ACTION is ACCEPT, DNAT or REDIRECT, the specified
         helper is automatically associated with the connection. HELPERS
         may be specified in action files, macros and in the rules file
         itself.

       In the RELATED section:

         The rule will only match related connections that have the
         named helper attached.

     - The standard Macros for applications requiring a helper (FTP,
       IRC, etc) have been modified to automatically specify the correct
       helper in the HELPER column.

     - HELPER is now a valid action in /etc/shorewall/rules. This action
       requires that a helper be present in the HELPER column and causes
       the specified helper to be associated with connections matching
       the rule. No destination zone should be specified in HELPER
       rules. HELPER rules allow specification of a helper for
       connections that are ACCEPTed by the applicable policy.

       Example:

        loc->net policy is ACCEPT.

        In /etc/shorewall/rules:

           FTP(HELPER)     loc  -

         or equivalently

           HELPER    loc     -      tcp      21 ; helper=ftp

     - The set of enabled helpers (either by AUTOHELPERS=Yes or by the
       HELPERS column) can be tailored using the new HELPERS option in
       shorewall.conf.

     By making AUTOHELPERS=Yes the default, users can upgrade their
     systems to a 3.5+ kernel without disrupting the operation of their
     firewalls. Beyond such upgrades, we suggest setting AUTOHELPERS=No
     and following one of two strategies:

     - Use the HELPERS column in the rules file to enable helpers as
       needed (preferred); or

     - Tailor the conntrack file to enable helpers on only those
       connections that are required.

     With either of these approaches, the list of available helpers can
     be trimmed using the HELPERS option, and rules can be added to the
     RELATED section of the rules file to further restrict the effect of
     helpers.

     The implementation of these new functions places conditional rules
     in the /etc/shorewall[6]/conntrack file. These rules are included
     conditionally based on the setting of AUTOHELPERS.

     Example:

        ?if $AUTOHELPERS && __CT_TARGET

        ?if __FTP_HELPER
        CT:helper:ftp   all     -       tcp     21
        ?endif
        ...
        ?endif

     __FTP_HELPER evaluates to false if the HELPERS setting is
     non-empty and 'ftp' is not listed in that setting.

     For example, if you only need FTP access from your 'loc' zone, then
     add this rule outside of the outer-most ?if....?endif shown above.

        CT:helper:ftp   loc     -       tcp     21
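     As an added illustration (not taken from this post or from the
     Shorewall distribution), the two AUTOHELPERS=No strategies above
     could look like this for a site that only needs FTP from 'loc' to
     'net'; the zone names and file excerpts are assumed:

```text
# /etc/shorewall/shorewall.conf (assumed excerpt)
AUTOHELPERS=No        # no blanket helper association on any connection
HELPERS=ftp           # trim the available helpers to ftp only

# /etc/shorewall/rules (assumed excerpt)
SECTION RELATED
# Only RELATED connections that carry the ftp helper (FTP data
# channels) match these two rules; related traffic from any other
# helper does not.
ACCEPT     net     loc     tcp     -      ; helper=ftp
ACCEPT     loc     net     tcp     -      ; helper=ftp
SECTION NEW
# Strategy 1: the FTP macro now fills in the helper itself, so the ftp
# helper is attached only to loc->net control connections on port 21.
FTP(ACCEPT)   loc     net

# /etc/shorewall/conntrack (assumed excerpt)
# Strategy 2, equivalent to the FTP(ACCEPT) rule above: attach the ftp
# helper from the conntrack file, placed outside the
# ?if $AUTOHELPERS ... ?endif block so it is active with AUTOHELPERS=No.
CT:helper:ftp   loc     -       tcp     21
```

     Use one of the two strategies, not both; the RELATED rules apply
     to either.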

     For an overview of Netfilter Helpers and Shorewall's support for
     dealing with them, see

        http://www.shorewall.net/Helpers.html.

     See

        https://home.regit.org/netfilter-en/secure-use-of-helpers/

     for additional information.

3)  Optimization level 4 now locates short chains (3 rules or less)
     that have a single reference and replaces that single reference with
     the rules themselves.

     Optimization level 8 now eliminates duplicate rules in the raw
     table.

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

