Quite a meaty release this...

> 1)  The /etc/shorewall/secmarks and /etc/shorewall6/secmarks files now
>      support the UNTRACKED state. See the manpages for details.
From the man page: "CHAIN:STATE (chain) -
{P|I|F|O|T}[:{N|I|U|NI|NU|NIU|NUI:E|ER}]". Could you add IU (or UI, if you
prefer) state as well?

> 2)  NFLOG has been documented for some time as a valid ACTION in the
>      rules files but support for that action was never implemented
>      until this release.
Works perfectly.

> 2)  The /etc/shorewall/conntrack and /etc/shorewall6/conntrack files
>      now support a DROP target.
> 
>      As part of this change, the handling of 'all' has been improved in
>      these files. When 'all' is specified in the SOURCE column, the
>      resulting rule is added directly to the PREROUTING and OUTPUT
>      chains. Additionally, 'all' may be qualified with network/host
>      addresses, ipsets, etc. Rules specifying $FW in the SOURCE column
>      are added directly to the OUTPUT chain.
> 
>      It is now possible to specify 'all-' in the SOURCE column which
>      causes the rule to be added directly in the PREROUTING chain.
> 
>      A consequence of this change is that 'all', 'all-' and '$FW' rules
>      will be processed after rules naming a specific zone.

> 3)  A SWITCH column has been added to the /etc/shorewall/conntrack and
>      /etc/shorewall/conntrack6 files.
I am unable to test this properly (see below).

> 4)  An AUDIT action has been added to the /etc/shorewall/rules and
>      /etc/shorewall6/rules.
rules
~~~~~
AUDIT(drop)

Gives me "ERROR: The AUDIT TARGET does not accept a parameter". Same goes if 
that is used in a macro.

> 6)  An additional format (3) has been added to the conntrack files. In
>      this format, zone names are not used in the SOURCE column; rather,
>      a suffix in the ACTION column determines which raw-table chain the
>      generated Netfilter rule will be placed in. See the manpages for
>      details.
Quite a lot of issues here:

1. http://www.shorewall.net/manpages/shorewall-conntrack.html is a dead link 
(Shorewall -> Documentation -> IPv4 man pages -> conntrack)

2. From the man pages for conntrack:

ACTION - {NOTRACK|CT:helper:name[(arg=val[,...])|CT:notrack}[:chain-designator]
    This column is only present when FORMAT = 2. Values other than
    NOTRACK or DROP require CT Target support in your iptables and kernel.

    *   NOTRACK or CT:notrack
        Disables connection tracking for this packet.

    *   DROP
        Added in Shorewall 4.5.10. Silently discard the packet.
[...]
    Beginning with Shorewall 4.5.10, when FORMAT = 3, this column can end with a
    colon followed by a chain-designator. The chain-designator can be one of the
    following:

    P        The rule is added to the raw table PREROUTING chain. This is the
             default if no chain-designator is present.
    O        The rule is added to the raw table OUTPUT chain.
    PO or OP The rule is added to the raw table PREROUTING and OUTPUT
             chains.

OK, so I assume that if FORMAT=3, ACTION column should NOT be present, right? 
If so, how do I use DROP or any other actions then? 

3. "DROP" is not included as being allowed in the ACTION column in the ACTION 
format specified in that man page (assuming that it is and the correct format 
is 
"{DROP|NOTRACK|CT:helper:name[(arg=val[,...])|CT:notrack}[:chain-designator]").

4. Moving on, and ignoring the above "FORMAT=2 only" text in the man page and 
also assuming that the correct format for "FORMAT 3" is to include the ACTION 
column with the format I specified in 3 above, including the "DROP" action:

conntrack
~~~~~~~~~
DROP:O :+baddies-set[dst]

Gives me "ERROR: Invalid notrack ACTION ( DROP:O )"

5. FORMAT 3 itself:

From the man page (conntrack):

[...]
"in FORMAT 3, the SOURCE column accepts no zone name; rather the ACTION column
allows a SUFFIX that determines the chain(s) that the generated rule will be
added to."
[...]
SOURCE (formats 1 and 2) - {zone[:interface][:address-list]|COMMENT}
[...]
SOURCE (format 3) - {-|[:interface][:address-list]}

Why can't you get rid of the ":chain-designator" from ACTION (FORMAT 3) and 
have the following in SOURCE instead:

{{zone|:chain-designator}[:interface][:address-list]|COMMENT}

Note the preceding ":" for the chain-designator - this could be any "special" 
character (not allowed to be used in zones definition), enabling you to make 
distinction between zone name and start of "chain-designator". That way, I 
could use something like the following for SOURCE, without involving any other 
columns, to specify the chain I wish to use:

1. :P:eth0:+baddies-set[src]
2. all-:eth0:+baddies-set[src]
3. :PO:eth0:10.0.0.0/8
4. all:eth0:10.0.0.0/8
5. COMMENT whatever

Why involve another column (ACTION) where the destination chain is to be 
determined when you can have everything in one place (the SOURCE column in this 
case)?

Finally, a suggestion (new feature): would it be possible to add a SWITCH column
to actions/macros?
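To make the proposed SOURCE syntax concrete, here is an added Python example (not Shorewall code and not part of this thread) that parses the five sample SOURCE values above into zone, chain-designator, interface and address-list, mapping 'all', 'all-' and '$FW' to the raw-table chains named in the release notes. The zone names in KNOWN_ZONES are assumed for the example; it also goes one step beyond the samples by keeping an IPv6 address-list intact despite its colons.

```python
# Proposed chain-designators (from the post) and the raw-table chains they name.
CHAIN_DESIGNATORS = {
    "P": ["PREROUTING"],
    "O": ["OUTPUT"],
    "PO": ["PREROUTING", "OUTPUT"],
    "OP": ["PREROUTING", "OUTPUT"],
}
# Hypothetical zone names, constructed for this example only.
KNOWN_ZONES = {"net", "loc", "dmz"}


def parse_source(field: str) -> dict:
    """Parse one SOURCE value of the proposed form
    {{zone|:chain-designator}[:interface][:address-list]|COMMENT ...}.
    'chains' is the list of raw-table chains the rule would be placed in,
    or None when a named zone leaves the dispatch to Shorewall's zone handling.
    """
    if field.startswith("COMMENT"):
        return {"comment": field[len("COMMENT"):].strip()}
    if field.startswith(":"):
        # A leading ':' cannot begin a zone name, so it unambiguously
        # introduces a chain-designator. Limit the split so an IPv6
        # address-list (which itself contains ':') survives intact.
        _, designator, *rest = field.split(":", 3)
        if designator not in CHAIN_DESIGNATORS:
            raise ValueError(f"unknown chain-designator {designator!r} in {field!r}")
        zone, chains = None, CHAIN_DESIGNATORS[designator]
    else:
        zone, *rest = field.split(":", 2)
        if zone == "all-":            # PREROUTING only, per the release notes
            chains = ["PREROUTING"]
        elif zone == "all":           # PREROUTING and OUTPUT, per the release notes
            chains = ["PREROUTING", "OUTPUT"]
        elif zone == "$FW":           # OUTPUT only, per the release notes
            chains = ["OUTPUT"]
        elif zone in KNOWN_ZONES:
            chains = None             # reached through the zone's own chains
        else:
            raise ValueError(f"unknown zone {zone!r} in {field!r}")
    interface = (rest[0] or None) if rest else None
    address_list = (rest[1] or None) if len(rest) > 1 else None
    return {"zone": zone, "chains": chains,
            "interface": interface, "address_list": address_list}
```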
