Update for 2.2.3

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2025 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-04-06 17:45:04 +00:00
parent 1b1d13b4aa
commit 05601aeb63
8 changed files with 175 additions and 81 deletions


@ -0,0 +1,6 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/continue
#
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing connections.
#


@ -25,6 +25,8 @@
# DROP - Ignore the connection request # DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other, send # REJECT - For TCP, send RST. For all other, send
# "port unreachable" ICMP. # "port unreachable" ICMP.
# QUEUE - Send the request to a user-space
# application using the QUEUE target.
# CONTINUE - Pass the connection request past # CONTINUE - Pass the connection request past
# any other rules that it might also # any other rules that it might also
# match (where the source or destination # match (where the source or destination


@ -5,7 +5,8 @@
# /etc/shorewall/routestopped # /etc/shorewall/routestopped
# #
# This file is used to define the hosts that are accessible when the # This file is used to define the hosts that are accessible when the
# firewall is stopped # firewall is stopped or when it is in the process of being
# [re]started.
# #
# Columns must be separated by white space and are: # Columns must be separated by white space and are:
# #


@ -760,6 +760,30 @@ DROPINVALID=No
# 'conntrack state' match. # 'conntrack state' match.
RFC1918_STRICT=No RFC1918_STRICT=No
#
# MACLIST caching
#
# If your iptables and kernel support the "Recent Match" (see the output of
# "shorewall check" near the top), you can cache the results of a 'maclist'
# file lookup and thus reduce the overhead associated with MAC Verification
# (/etc/shorewall/maclist).
#
# When a new connection arrives from a 'maclist' interface, the packet passes
# through then list of entries for that interface in /etc/shorewall/maclist. If
# there is a match then the source IP address is added to the 'Recent' set for
# that interface. Subsequent connection attempts from that IP address occuring
# within $MACLIST_TTL seconds will be accepted without having to scan all of
# the entries. After $MACLIST_TTL from the first accepted connection request,
# the next connection request from that IP address will be checked against
# the entire list.
#
# If MACLIST_TTL is not specified or is specified as empty (e.g,
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
# be cached.
MACLIST_TTL=
################################################################################ ################################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
################################################################################ ################################################################################
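Review bot: The new MACLIST_TTL commentary should spell out the security trade-off it introduces: the text says "the source IP address is added to the 'Recent' set", so for as long as an entry is live any host presenting that IP is accepted without its MAC being compared against /etc/shorewall/maclist, which is exactly the check maclist exists to perform. A sentence such as `# Note: cached entries are keyed by source IP address only; while an entry is live, a packet with that IP but a different MAC is NOT re-verified.` would make that clear to administrators choosing a TTL. The expiry description ("After $MACLIST_TTL from the first accepted connection request") also looks inconsistent with the caching rules added to the firewall script in this commit, which hit `-m recent --update` on every cached match; if I read the recent match correctly that refreshes the timestamp, so the window slides with traffic rather than running from the first connection. Minor wording: `then list` should be `the list`, `occuring` should be `occurring`, and the parenthesis opened at `(e.g,` is never closed.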


@ -1014,6 +1014,7 @@ case "$1" in
done done
done done
if [ -n "$(ip rule ls)" ]; then
echo echo
echo "Routing Rules" echo "Routing Rules"
echo echo
@ -1025,6 +1026,12 @@ case "$1" in
echo echo
ip route ls table $table ip route ls table $table
done done
else
echo
echo "Routing Table"
echo
ip route ls
fi
echo echo
echo "ARP" echo "ARP"


@ -464,6 +464,11 @@ mac_chain() # $1 = interface
echo $(chain_base $1)_mac echo $(chain_base $1)_mac
} }
macrecent_target() # $1 - interface
{
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
}
# #
# Functions for creating dynamic zone rules # Functions for creating dynamic zone rules
# #
@ -1095,7 +1100,7 @@ validate_policy()
esac esac
case $policy in case $policy in
ACCEPT|REJECT|DROP|CONTINUE) ACCEPT|REJECT|DROP|CONTINUE|QUEUE)
;; ;;
NONE) NONE)
[ "$client" = "$FW" -o "$server" = "$FW" ] && \ [ "$client" = "$FW" -o "$server" = "$FW" ] && \
@ -1390,6 +1395,58 @@ disable_ipv6_1() {
fi fi
} }
#
# Process the routestopped file either adding or deleting rules
#
process_routestopped() # $1 = command
{
local hosts= interface host host1 options networks
while read interface host options; do
expandv interface host options
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
for h in $(separate_list $host); do
hosts="$hosts $interface:$h"
done
routeback=
if [ -n "$options" ]; then
for option in $(separate_list $options); do
case $option in
routeback)
if [ -n "$routeback" ]; then
error_message "Warning: Duplicate routestopped option ignored: routeback"
else
routeback=Yes
for h in $(separate_list $host); do
run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
done
fi
;;
*)
error_message "Warning: Unknown routestopped option ignored: $option"
;;
esac
done
fi
done < $TMP_DIR/routestopped
for host in $hosts; do
interface=${host%:*}
networks=${host#*:}
$IPTABLES $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
for host1 in $hosts; do
[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
done
done
}
# #
# Stop the Firewall # Stop the Firewall
# #
@ -1465,50 +1522,9 @@ stop_firewall() {
hosts= hosts=
strip_file routestopped [ -f $TMP_DIR/routestopped ] || strip_file routestopped
while read interface host options; do process_routestopped -A
expandv interface host options
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
for h in $(separate_list $host); do
hosts="$hosts $interface:$h"
done
routeback=
if [ -n "$options" ]; then
for option in $(separate_list $options); do
case $option in
routeback)
if [ -n "$routeback" ]; then
error_message "Warning: Duplicate option ignored: routeback"
else
routeback=Yes
for h in $(separate_list $host); do
$IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
done
fi
;;
*)
error_message "Warning: Unknown option ignored: $option"
;;
esac
done
fi
done < $TMP_DIR/routestopped
for host in $hosts; do
interface=${host%:*}
networks=${host#*:}
$IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
for host1 in $hosts; do
[ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
done
done
$IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A INPUT -i lo -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \ [ -z "$ADMINISABSENTMINDED" ] && \
@ -1989,6 +2005,7 @@ setup_mac_lists() {
local addresses local addresses
local address local address
local chain local chain
local chain1
local macpart local macpart
local blob local blob
local hosts local hosts
@ -2013,10 +2030,19 @@ setup_mac_lists() {
progress_message "Setting up MAC Verification on $maclist_interfaces..." progress_message "Setting up MAC Verification on $maclist_interfaces..."
# #
# Be sure that they are all ethernet interfaces # Create chains.
# #
for interface in $maclist_interfaces; do for interface in $maclist_interfaces; do
createchain $(mac_chain $interface) no chain=$(mac_chain $interface)
createchain $chain no
if [ -n "$MACLIST_TTL" ]; then
chain1=$(macrecent_target $interface)
createchain $chain1 no
run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1
run_iptables -A $chain1 -m recent --update --name $chain -j ACCEPT
run_iptables -A $chain1 -m recent --set --name $chain -j ACCEPT
fi
done done
# #
# Process the maclist file producing the verification rules # Process the maclist file producing the verification rules
@ -2036,6 +2062,7 @@ setup_mac_lists() {
fi fi
chain=$(mac_chain $interface) chain=$(mac_chain $interface)
chain1=$(macrecent_target $interface)
if ! havechain $chain ; then if ! havechain $chain ; then
fatal_error "No hosts on $interface have the maclist option specified" fatal_error "No hosts on $interface have the maclist option specified"
@ -2044,10 +2071,10 @@ setup_mac_lists() {
macpart=$(mac_match $mac) macpart=$(mac_match $mac)
if [ -z "$addresses" ]; then if [ -z "$addresses" ]; then
run_iptables -A $chain $macpart $physdev_part -j RETURN run_iptables -A $chain $macpart $physdev_part -j $chain1
else else
for address in $(separate_list $addresses) ; do for address in $(separate_list $addresses) ; do
run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN run_iptables2 -A $chain $macpart -s $address $physdev_part -j $chain1
done done
fi fi
done < $TMP_DIR/maclist done < $TMP_DIR/maclist
@ -2057,6 +2084,7 @@ setup_mac_lists() {
# #
for interface in $maclist_interfaces; do for interface in $maclist_interfaces; do
chain=$(mac_chain $interface) chain=$(mac_chain $interface)
chain1=$(macrecent_target $interface)
blob=$(ip link show $interface 2> /dev/null) blob=$(ip link show $interface 2> /dev/null)
@ -2065,11 +2093,11 @@ setup_mac_lists() {
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
if [ -n "$broadcast" ]; then if [ -n "$broadcast" ]; then
run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN run_iptables -A $chain -s ${address%/*} -d $broadcast -j $chain1
fi fi
run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN run_iptables -A $chain -s $address -d 224.0.0.0/4 -j $chain1
done done
if [ -n "$MACLIST_LOG_LEVEL" ]; then if [ -n "$MACLIST_LOG_LEVEL" ]; then
@ -3462,14 +3490,14 @@ process_actions1() {
[ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp" [ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp"
xaction=${xaction%:*} xaction=${xaction%:*}
case $temp in case $temp in
ACCEPT|REJECT|DROP) ACCEPT|REJECT|DROP|QUEUE)
eval ${temp}_common=$xaction eval ${temp}_common=$xaction
if [ -n "$xaction" ] && ! list_search $xaction $USEDACTIONS; then if [ -n "$xaction" ] && ! list_search $xaction $USEDACTIONS; then
USEDACTIONS="$USEDACTIONS $xaction" USEDACTIONS="$USEDACTIONS $xaction"
fi fi
;; ;;
*) *)
startup_error "Common Actions are only allowed for ACCEPT, DROP and REJECT" startup_error "Common Actions are only allowed for ACCEPT, DROP, REJECT and QUEUE"
;; ;;
esac esac
esac esac
@ -4778,6 +4806,9 @@ policy_rules() # $1 = chain to add rules to
[ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common [ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common
target=reject target=reject
;; ;;
QUEUE)
[ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common
;;
CONTINUE) CONTINUE)
target= target=
;; ;;
@ -4843,7 +4874,7 @@ default_policy() # $1 = client $2 = server
# depends on the policy # depends on the policy
# #
case $policy in case $policy in
ACCEPT) ACCEPT|QUEUE)
if [ -n "$synparams" ]; then if [ -n "$synparams" ]; then
# #
# To avoid double-counting SYN packets, enforce the policy # To avoid double-counting SYN packets, enforce the policy
@ -5589,6 +5620,7 @@ determine_capabilities() {
POLICY_MATCH= POLICY_MATCH=
PHYSDEV_MATCH= PHYSDEV_MATCH=
IPRANGE_MATCH= IPRANGE_MATCH=
RECENT_MATCH=
qt $IPTABLES -N fooX1234 qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
@ -5597,7 +5629,7 @@ determine_capabilities() {
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
if [ -n "$PKTTYPE" ]; then if [ -n "$PKTTYPE" ]; then
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE= qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
@ -5627,6 +5659,7 @@ report_capabilities() {
report_capability "Policy Match" $POLICY_MATCH report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH
} }
# #
@ -5678,7 +5711,7 @@ initialize_netfilter () {
run_user_exit init run_user_exit init
# #
# The some files might be large so strip them while the firewall is still running # Some files might be large so strip them while the firewall is still running
# (restart command). This reduces the length of time that the firewall isn't # (restart command). This reduces the length of time that the firewall isn't
# accepting new connections. # accepting new connections.
# #
@ -5721,6 +5754,16 @@ initialize_netfilter () {
setcontinue INPUT setcontinue INPUT
setcontinue OUTPUT setcontinue OUTPUT
run_user_exit continue
f=$(find_file routestopped)
echo "Processing $f ..."
strip_file routestopped $f
process_routestopped -A
[ -n "$DISABLE_IPV6" ] && disable_ipv6 [ -n "$DISABLE_IPV6" ] && disable_ipv6
# #
@ -5729,10 +5772,6 @@ initialize_netfilter () {
run_iptables -A INPUT -i lo -j ACCEPT run_iptables -A INPUT -i lo -j ACCEPT
run_iptables -A OUTPUT -o lo -j ACCEPT run_iptables -A OUTPUT -o lo -j ACCEPT
accounting_file=$(find_file accounting)
[ -f $accounting_file ] && setup_accounting $accounting_file
# #
# Allow DNS lookups during startup for FQDNs # Allow DNS lookups during startup for FQDNs
# #
@ -5756,6 +5795,10 @@ initialize_netfilter () {
run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
fi fi
accounting_file=$(find_file accounting)
[ -f $accounting_file ] && setup_accounting $accounting_file
if [ -z "$NEWNOTSYN" ]; then if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no createchain newnotsyn no
@ -6332,7 +6375,7 @@ activate_rules()
shift shift
if havenatchain $destchain ; then if havenatchain $destchain ; then
run_iptables -t nat -A $sourcechain $@ -j $destchain run_iptables2 -t nat -A $sourcechain $@ -j $destchain
else else
[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
@ -6350,7 +6393,7 @@ activate_rules()
shift shift
if havenatchain $destchain; then if havenatchain $destchain; then
eval run_iptables -t nat -I $sourcechain \ eval run_iptables2 -t nat -I $sourcechain \
\$${sourcechain}_rule $@ -j $destchain \$${sourcechain}_rule $@ -j $destchain
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\) eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
else else
@ -6410,7 +6453,7 @@ activate_rules()
interface=${host%%:*} interface=${host%%:*}
networks=${host#*:} networks=${host#*:}
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
done done
fi fi
fi fi
@ -6439,7 +6482,7 @@ activate_rules()
interface=${host%%:*} interface=${host%%:*}
networks=${host#*:} networks=${host#*:}
run_iptables -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1 run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
# #
# Add jumps from the builtin chains for DNAT and SNAT rules # Add jumps from the builtin chains for DNAT and SNAT rules
@ -6447,10 +6490,10 @@ activate_rules()
addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host) addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host)
addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host)
run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2 run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
fi fi
case $networks in case $networks in
@ -6515,7 +6558,7 @@ activate_rules()
# routeback was specified for this host group # routeback was specified for this host group
# #
if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then
run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain run_iptables2 -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
fi fi
done done
else else
@ -6530,7 +6573,7 @@ activate_rules()
networks1=${host1#*:} networks1=${host1#*:}
if [ "$host" != "$host1" ] || list_search $host $routeback; then if [ "$host" != "$host1" ] || list_search $host $routeback; then
run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain run_iptables2 -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
fi fi
done done
done done
@ -6578,6 +6621,8 @@ activate_rules()
run_iptables -D $chain -p udp --dport 53 -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT
done done
process_routestopped -D
if [ -n "$LOGALLNEW" ]; then if [ -n "$LOGALLNEW" ]; then
for table in mangle nat filter; do for table in mangle nat filter; do
case $table in case $table in
@ -7240,6 +7285,7 @@ do_initialize() {
LOGALLNEW= LOGALLNEW=
DROPINVALID= DROPINVALID=
RFC1918_STRICT= RFC1918_STRICT=
MACLIST_TTL=
RESTOREBASE= RESTOREBASE=
TMP_DIR= TMP_DIR=
@ -7436,6 +7482,12 @@ do_initialize() {
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi
# #
# Strip the files that we use often # Strip the files that we use often
# #
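Review bot: With MACLIST_TTL set, a MAC-verified packet is now ACCEPTed where it used to be RETURNed: the maclist entries and the broadcast/multicast exemptions in setup_mac_lists jump to `$chain1` in place of the former `-j RETURN`, and `$chain1` is built from `-m recent --update --name $chain -j ACCEPT` and `-m recent --set --name $chain -j ACCEPT`, whereas `macrecent_target` yields the literal `RETURN` when caching is off. I cannot see the caller of the per-interface `_mac` chain from here, but if it relies on RETURN so that the remaining rules still run, enabling the cache lets every MAC-verified source skip all filtering after the maclist check; the two `$chain1` rules should presumably end in `-j RETURN`, which also keeps cached and uncached behaviour identical. Separately, in process_routestopped the INPUT rule is issued through bare `$IPTABLES` while the OUTPUT and FORWARD rules go through `run_iptables`, so a failure of that one rule (notably under `-D`, where a missing rule is a plausible error) is handled differently from its siblings; `run_iptables $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT` keeps them uniform. The `routeback`, `h` and `option` variables used in that function are also not declared `local` alongside the others, and leak into the caller.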


@ -1 +1 @@
2.2.2 2.2.3


@ -23,3 +23,5 @@
/etc/shorewall/stopped Stopped Commands executed after stop /etc/shorewall/stopped Stopped Commands executed after stop
/etc/shorewall/accounting Account Traffic Accounting Rules /etc/shorewall/accounting Account Traffic Accounting Rules
/etc/shorewall/actions Actions Define user actions /etc/shorewall/actions Actions Define user actions
/etc/shorewall/continue Continue Commands executed early in [re]start