[Shorewall-users] Shorewall 2.3.0

Tom Eastep teastep at shorewall.net
Thu May 5 15:51:27 PDT 2005


WARNING: This is a development release and may be unstable

New Features in version 2.3.0

1) Shorewall 2.3.0 supports the 'cmd-owner' option of the owner match
   facility in Netfilter. Like all owner match options, 'cmd-owner' may
   only be applied to traffic that originates on the firewall.

   The syntax of the USER/GROUP column in the following files has been


   To specify a command, prefix the command name with "+".


	+mozilla-bin		#The program is named "mozilla-bin"
	joe+mozilla-bin		#The program is named "mozilla-bin" and
				#is being run by user "joe"
	joe:users+mozilla-bin	#The program is named "mozilla-bin" and
				#is being run by user "joe" with
				#effective group "users".
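   The following is an added example, not Shorewall's own code: it turns
   the USER/GROUP column forms shown above (user, user:group, each
   optionally followed by "+command") into the arguments of the iptables
   owner match. It assumes the option names --uid-owner, --gid-owner and
   --cmd-owner of the owner match of this era, and that the caller knows
   whether the rule's SOURCE is the firewall itself, since owner matching
   only works on locally generated traffic.

```python
# Added example (not Shorewall's own code): parse a Shorewall USER/GROUP
# entry and emit iptables owner-match arguments.  Assumed option names:
# --uid-owner, --gid-owner, --cmd-owner (iptables owner match of this era).
import re

# user, optional ":group", optional "+command"; any part may be absent.
_UG = re.compile(r"^(?P<user>[^:+]+)?(?::(?P<group>[^+]+))?(?:\+(?P<cmd>.+))?$")

# --cmd-owner is compared against the kernel's task comm field, which
# holds 15 characters plus a terminating NUL; a longer name never matches.
_COMM_MAX = 15


def parse_user_group(text):
    """Return (user, group, cmd); each is None when not given."""
    m = _UG.match(text.strip())
    if not m or not any(m.group(k) for k in ("user", "group", "cmd")):
        raise ValueError("bad USER/GROUP entry: %r" % text)
    cmd = m.group("cmd")
    if cmd is not None and len(cmd) > _COMM_MAX:
        raise ValueError("command name longer than %d characters cannot match: %r"
                         % (_COMM_MAX, cmd))
    return m.group("user"), m.group("group"), cmd


def is_valid_user_group(text):
    """True if parse_user_group() accepts the entry."""
    try:
        parse_user_group(text)
    except ValueError:
        return False
    return True


def owner_match(text, source_is_fw):
    """iptables arguments for one USER/GROUP entry.

    Returns None when the rule's SOURCE is not the firewall: owner match
    (including cmd-owner) only applies to traffic that originates on the
    firewall, so such a rule cannot carry a USER/GROUP restriction."""
    if not source_is_fw:
        return None
    user, group, cmd = parse_user_group(text)
    args = ["-m", "owner"]
    if user:
        args += ["--uid-owner", user]
    if group:
        args += ["--gid-owner", group]
    if cmd:
        args += ["--cmd-owner", cmd]
    return " ".join(args)


if __name__ == "__main__":
    for entry in ("+mozilla-bin", "joe+mozilla-bin", "joe:users+mozilla-bin"):
        print("%-24s -> %s" % (entry, owner_match(entry, True)))
```

   As the text says, this is a weak control: the command name is whatever
   the process reports, so the parser can check syntax and length but not
   that "mozilla-bin" really is Mozilla.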

   Note that this is not a particularly robust feature and I would
   never advertise it as a "Personal Firewall" equivalent. Using
   symbolic links, it's easy to alias command names to be anything you

2) Support has been added for ipsets
   (see http://people.netfilter.org/kadlec/ipset/).


   In most places where a host or network address may be used, you may
   also use the name of an ipset prefaced by "+".

	Example: "+Mirrors"

   The name of the set may optionally be followed by:

   a) a number from 1 to 6 enclosed in square brackets ([]) -- this
   number indicates the maximum number of ipset binding levels that
   are to be matched. Depending on the context where the ipset name
   is used, either all "src" or all "dst" matches will be used.

	Example: "+Mirrors[4]"

   b) a series of "src" and "dst" options separated by commas and
   enclosed in square brackets ([]). These will be passed directly
   to iptables in the generated --set clause. See the ipset
   documentation for details.

	Example: "+Mirrors[src,dst,src]"

   Note that "+Mirrors[4]" used in the SOURCE column of the rules
   file is equivalent to "+Mirrors[src,src,src,src]".

   To generate a negative match, prefix the "+" with "!" as in

   Example 1: Blacklist all hosts in an ipset named "blacklist"



   Example 2: Allow SSH from all hosts in an ipset named "sshok":


           ACCEPT	+sshok      fw	     tcp      22
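   The following is an added example, not Shorewall's own code: it parses
   the ipset references described above ("+Name", "+Name[n]",
   "+Name[src,dst,...]", and any of those prefixed with "!") into the
   arguments of the iptables "set" match, applying the rule that "[n]"
   expands to n copies of "src" or "dst" according to the column the
   reference appears in. It assumes the argument layout
   "-m set [!] --set NAME FLAGS" of the ipset patches of this era, and
   that SOURCE and DEST are the two column contexts.

```python
# Added example (not Shorewall's own code): translate Shorewall ipset
# references into iptables "set" match arguments.  Assumed layout:
# "-m set [!] --set NAME FLAGS" (ipset patches of this era).
import re

# optional "!", then "+", the set name, then an optional "[...]" suffix
_REF = re.compile(r"^(?P<neg>!)?\+(?P<name>[A-Za-z][\w-]*)(?:\[(?P<spec>[^\]]*)\])?$")

# Direction used for a bare name or a "[n]" level count, by column.
_COLUMN_DIR = {"SOURCE": "src", "DEST": "dst"}


def parse_ipset_ref(text, column):
    """Return (negated, set_name, [flags...]) for one ipset reference."""
    m = _REF.match(text.strip())
    if not m:
        raise ValueError("not an ipset reference: %r" % text)
    if column not in _COLUMN_DIR:
        raise ValueError("unknown column: %r" % column)
    default = _COLUMN_DIR[column]
    spec = m.group("spec")
    if spec is None:
        flags = [default]                    # "+Mirrors": one binding level
    elif spec.isdigit():
        levels = int(spec)                   # "+Mirrors[4]": n levels, all src or all dst
        if not 1 <= levels <= 6:
            raise ValueError("binding levels must be 1..6, got %d" % levels)
        flags = [default] * levels
    else:
        flags = [f.strip() for f in spec.split(",")]   # "+Mirrors[src,dst,src]"
        if not 1 <= len(flags) <= 6 or any(f not in ("src", "dst") for f in flags):
            raise ValueError("bad src/dst list: %r" % spec)
    return bool(m.group("neg")), m.group("name"), flags


def is_valid_ref(text, column):
    """True if parse_ipset_ref() accepts the reference."""
    try:
        parse_ipset_ref(text, column)
    except ValueError:
        return False
    return True


def set_match(text, column):
    """iptables match arguments for one ipset reference."""
    negated, name, flags = parse_ipset_ref(text, column)
    args = ["-m", "set"]
    if negated:
        args.append("!")                     # "!+blacklist": negative match
    args += ["--set", name, ",".join(flags)]
    return " ".join(args)


if __name__ == "__main__":
    # In "ACCEPT +sshok fw tcp 22" the reference sits in the SOURCE column.
    print(set_match("+sshok", "SOURCE"))
    print(set_match("+Mirrors[4]", "SOURCE"))
    print(set_match("+Mirrors[src,dst,src]", "DEST"))
    print(set_match("!+blacklist", "SOURCE"))
```

   The check that "+Mirrors[4]" in the SOURCE column produces the same
   match as "+Mirrors[src,src,src,src]" is the equivalence stated above;
   the same name in the DEST column produces four "dst" flags instead.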

   Shorewall can automatically manage the contents of your ipsets for
   you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf
   then:

   A) "shorewall save" will save the contents of your ipsets. The file
   where the sets are saved is formed by taking the name where the
   Shorewall configuration is stored and appending "-ipsets". So if you
   enter the command "shorewall save standard" then your Shorewall
   configuration will be saved in /var/lib/shorewall/standard and your
   ipset contents will be saved in /var/lib/shorewall/standard-ipsets.

   B) During "shorewall [re]start", shorewall will restore the ipset
   contents from the file specified in RESTOREFILE
   (shorewall.conf). Again "-ipsets" is appended so if you have
   RESTOREFILE=standard in shorewall.conf then your ipset contents will
   be restored from /var/lib/shorewall/standard-ipsets.

   Regardless of the setting of SAVE_IPSETS, the "shorewall -f start"
   and "shorewall restore" commands will restore the ipset contents
   corresponding to the Shorewall configuration restored, provided that
   the saved Shorewall configuration specified exists.

   For example, "shorewall restore standard" would restore the ipset
   contents from /var/lib/shorewall/standard-ipsets provided that
   /var/lib/shorewall/standard exists and is executable and that
   /var/lib/shorewall/standard-ipsets exists and is executable.

   Ipsets are well suited for large blacklists. You can maintain your
   blacklist using the 'ipset' utility without ever having to restart
   or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be
   sure to "shorewall save" after altering the blacklist ipset(s).

   Example /etc/shorewall/blacklist:


   Create the blacklist ipsets using:

	  ipset -N Blacklist iphash
	  ipset -N Blacklistnets nethash

   Add entries

       ipset -A Blacklist
       ipset -A Blacklistnets

   To allow entries for individual ports

       ipset -N SMTP portmap --from 1 --to 31
       ipset -A SMTP 25

       ipset -A Blacklist
       ipset -B Blacklist -b SMTP

   Now only port 25 will be blocked from

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
