Discussion:
[Shorewall-users] Shorewall 5.0.12 RC 1
Tom Eastep
2016-09-26 15:20:19 UTC
Shorewall 5.0.12 RC 1 is now available for testing.

Problems Corrected since Beta 2:

1) Recently, a case was observed where certain incoming packets had a
non-zero mark in the raw PREROUTING chain, causing them to be
misrouted. To guard against this issue, packet marks are now
cleared at the top of the PREROUTING and OUTPUT mangle chains.

New Features since Beta 2:

2) Distribution maintainers may now set a default pager via the
configure and configure.pl programs in Shorewall-core to set
DEFAULT_PAGER in the generated shorewallrc file. The
Shorewall-provided shorewallrc files for Debian currently specify
'less' for DEFAULT_PAGER. The other shorewallrc files do not
specify DEFAULT_PAGER.

If shorewall[6].conf does not specify PAGER then the DEFAULT_PAGER
setting is used.

3) The 'contiguous' option is now supported in TIME columns. When the
'timestop' value is smaller than the 'timestart' value, match this
as a single time period instead of distinct intervals.

Example:

weekdays=Mo&timestart=23:00&timestop=01:00

Will match Monday, for one hour from midnight to 1 a.m., and
then again for another hour from 23:00 onwards. If this is
unwanted, e.g. if you would like 'match for two hours from
Monday 23:00 onwards' you need to also specify the 'contiguous'
option in the example above.

See http://www.shorewall.org/configuration_file_basics.htm#TIME for
additional TIME column examples.

Thank you for testing,

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
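The TIME-column behaviour described in item 3 above, modelled in Python as an added example (this is not Shorewall's code and not part of the announcement). It mirrors the netfilter xt_time match that Shorewall translates the column into: an inclusive start/stop interval, a wrap-around interval when timestop is smaller than timestart, and the 'contiguous' rule that attributes the after-midnight half to the previous day before the weekday test. Supporting only the weekdays, timestart, timestop and contiguous elements is an assumption of this example, and the sample timestamps (Monday 2016-09-26, Tuesday 2016-09-27, Friday 2016-09-30) are constructed.

```python
"""Model of the TIME column semantics Shorewall hands to the netfilter
xt_time match: weekdays, timestart, timestop and the 'contiguous' flag.
Added example, not Shorewall code; other TIME elements (utc, monthdays,
datestart/datestop, ...) are deliberately left out (assumption)."""
from datetime import datetime, timedelta

# Index equals datetime.weekday(): Monday == 0 ... Sunday == 6.
_DAYS = ("mo", "tu", "we", "th", "fr", "sa", "su")


def _seconds_since_midnight(clock):
    """'hh:mm' or 'hh:mm:ss' -> seconds since midnight."""
    parts = [int(p) for p in clock.split(":")]
    parts += [0] * (3 - len(parts))
    hours, minutes, seconds = parts
    return hours * 3600 + minutes * 60 + seconds


def parse_time_column(spec):
    """Split 'elem&elem...' into a rule dict. Defaults mirror iptables:
    whole day (00:00:00-23:59:59), every weekday, not contiguous."""
    rule = {"weekdays": None, "timestart": 0, "timestop": 86399,
            "contiguous": False}
    for element in spec.split("&"):
        key, _, value = element.partition("=")
        if key == "weekdays":
            # Accept 'Mo' as well as 'Mon' by comparing the first two letters.
            rule["weekdays"] = {_DAYS.index(d[:2].lower())
                                for d in value.split(",")}
        elif key in ("timestart", "timestop"):
            rule[key] = _seconds_since_midnight(value)
        elif key == "contiguous":
            rule["contiguous"] = True
        else:
            raise ValueError("unsupported TIME element: %r" % element)
    return rule


def time_matches(spec, when):
    """True if a packet seen at 'when' (datetime or ISO string, local time)
    satisfies the TIME column 'spec'."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    rule = parse_time_column(spec)
    packet_time = when.hour * 3600 + when.minute * 60 + when.second
    start, stop = rule["timestart"], rule["timestop"]

    if start < stop:
        # Ordinary interval within one day; both ends inclusive.
        if packet_time < start or packet_time > stop:
            return False
    else:
        # timestop < timestart: the window wraps past midnight, so the
        # packet must fall at/after start OR at/before stop.
        if packet_time < start and packet_time > stop:
            return False
        # 'contiguous': a hit in the after-midnight half is attributed to
        # the previous calendar day before the weekday test, turning
        # "Mo 23:00-01:00" into two hours starting Monday 23:00.
        if rule["contiguous"] and packet_time <= stop:
            when = when - timedelta(days=1)

    if rule["weekdays"] is not None and when.weekday() not in rule["weekdays"]:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples: Monday 2016-09-26 and Tuesday 2016-09-27.
    samples = ["2016-09-26 00:30", "2016-09-26 12:00",
               "2016-09-26 23:30", "2016-09-27 00:30"]
    base = "weekdays=Mo&timestart=23:00&timestop=01:00"
    for spec in (base, base + "&contiguous"):
        print(spec)
        for sample in samples:
            print("  %s -> %s" % (sample, time_matches(spec, sample)))
```

Without 'contiguous' the rule fires on Monday 00:30 and Monday 23:30 but not on Tuesday 00:30; with 'contiguous' it fires on Monday 23:30 and Tuesday 00:30 but no longer on Monday 00:30, which is the two-hour window the announcement describes. Note that the stop time is inclusive to the second, so Tuesday 01:00:00 still matches while 01:00:01 does not.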
Bill Shirley
2016-09-26 19:16:59 UTC
Also will #1 break ping -m?
?COMMENT -network- pre-marked ping
SAVE($CONNMASK) $FW - icmp { state=NEW test=!0/$ND_PING_MASK }

Bill
Bill Shirley
2016-09-26 19:12:24 UTC
As for #1, will this break IPSEC since it traverses the PREROUTING twice?
?COMMENT -incoming- decrypt Memphis
MARK($MEM_VPN1_FWMARK/$CONNMASK):P $MEM_VPN1_IF:$MEM_VPN1_DST_IP $MEM_VPN1_SRC_IP esp
?COMMENT -incoming- esp return
CONTINUE:P - - esp { test=!0/$CONNMASK }
Now the packet has a mark that can be used the 2nd time thru PREROUTING.

Bill
Tom Eastep
2016-09-26 22:31:18 UTC
Post by Bill Shirley
As for #1, will this break IPSEC since it traverses the PREROUTING twice?
?COMMENT -incoming- decrypt Memphis
MARK($MEM_VPN1_FWMARK/$CONNMASK):P $MEM_VPN1_IF:$MEM_VPN1_DST_IP $MEM_VPN1_SRC_IP esp
?COMMENT -incoming- esp return
CONTINUE:P - - esp { test=!0/$CONNMASK }
Now the packet has a mark that can be used the 2nd time thru PREROUTING.
Okay -- I'll add a shorewall[6].conf option to enable the feature so
that only users who encounter the problem will need to set the option.

Thanks,
-Tom