[Shorewall-devel] Shorewall 4.6.6 Beta 2

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Beta 2 is now available for testing.

Problems Corrected since Beta 1:

1)  The -c option to the 'dump' and 'show routing' commands is now
    documented.

2)  The syntax of the 'show' command has been corrected in four
    manpages.

New Features since Beta 1:

1)  The 'TARPIT' target is now supported in the rules file. Using this
    target requires the appropriate support in your kernel and
    iptables. This feature implements a new "TARPIT Target" capability,
    so if you use a capabilities file, then you need to regenerate the
    file after installing this release.

    TARPIT captures and holds incoming TCP connections using no local
    per-connection resources.

    TARPIT only works with the PROTO column set to tcp (6), and is
    totally application agnostic. This module will answer a TCP request
    and play along like a listening server, but aside from  sending  an
    ACK or RST, no data is sent. Incoming packets are ignored and
    dropped. The attacker will terminate the session eventually. This
    module allows the initial packets of an attack to be captured by
    other software for inspection. In most cases this is sufficient to
    determine the nature of the attack.

    This offers similar functionality to LaBrea
    <http://www.hackbusters.net/LaBrea/> but does not require dedicated
    hardware or IPs. Any TCP port that you would normally DROP or
    REJECT can instead become a tarpit.

    The target accepts a single optional parameter:

    	tarpit (default)

	  This mode completes a connection with the attacker but limits
	  the window size to 0, thus keeping the attacker waiting long
	  periods of time. While he is maintaining state of the
	  connection and trying to continue every 60-240 seconds, we
	  keep none, so it is very lightweight. Attempts to close  the
	  connection are ignored, forcing the remote side to time out
	  the connection in 12-24 minutes.

        honeypot

	  This  mode completes a connection with the attacker, but
	  signals a normal window size, so that the remote side will
	  attempt to send data, often with some very nasty exploit
	  attempts. We can capture these packets for decoding and
	  further analysis. The module does not send any data, so if
	  the remote  expects an application level response, the game
	  is up.

        reset

          This mode is handy because we can send an inline RST
          (reset). It has no other function.

Thank you for testing,

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________