Add dropInvalid builtin action

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1430 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/action.Drop

@@ -8,6 +8,7 @@
 #                       	        	PORT    PORT(S)		LIMIT	GROUP
 RejectAuth
 dropBcast
+dropInvalid
 DropSMB
 DropUPnP
 dropNotSyn

Shorewall2/action.Reject

@@ -8,6 +8,7 @@
 #                       	        	PORT    PORT(S)		LIMIT	GROUP
 RejectAuth
 dropBcast
+dropInvalid
 RejectSMB
 DropUPnP
 dropNotSyn

Shorewall2/actions.std

@@ -9,7 +9,9 @@
 #    rejNonSyn          #Silently Reject Non-syn TCP packets
 #    logNonSyn          #Log Non-syn TCP packets with disposition LOG
 #    dLogNonSyn         #Log Non-syn TCP packets with disposition DROP
-#    rLogNonSyn          #Log Non-syn TCP packets with disposition REJECT
+#    rLogNonSyn         #Log Non-syn TCP packets with disposition REJECT
+#    dropInvalid	#Silently Drop packets that are in the INVALID
+#                       #conntrack state.
 #
 # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
 # shorewall.conf. If that option isn't specified then 'info' is used.

Shorewall2/changelog.txt

@@ -1,40 +1,10 @@
-Changes since 2.0.2
+Changes since 2.0.3
 
-1) Remove restore files; don't generate them for non-statechanging
-   commands.
 
-2) Restore file now loads kernel modules.
+1) Fix security vulnerability involving temporary files/directories.
 
-3) Minor tweaks to the restore mechanism.
+2) Hack security fix so that it works under Slackware.
 
-4) Allow "!" in accounting rules.
+3) Correct mktempfile() for case where mktemp isn't installed.
 
-5) Backport bug fixes from stable (/var/lib/shorewall existence and
-   null common action).
-
-6) Add lots of overhead to [re]start in order to catch typing errors.
-
-7) Correct reporting of installation directory in install.sh.
-
-8) Load kernel modules before detecting capabilities.
-
-9) Added the 'rejectNonSyn' standard built-in action.
-
-10) Merged Tuomo Soini's patch to the install script.
-
-11) Correct brain-cramp in module loading fix (8 above).
-
-12) Add 'key' to sample tunnel file.
-
-13) Allow multiple saved configurations.
-
-14) Add %attr spec to /etc/init.d/shorewall in the .spec file.
-
-15) Fix rules that have bridge ports in both SOURCE and DEST. Update
-    comments in the rules file WRT "all" in SOURCE or DEST.
-
-16) Pass INVALID icmp packets through the blacklisting chains.
-
-17) Fix bogus code in procerss_tc_rule()
-
-18) Fix security vulnerability involving temporary files/directories.
+4) Implement 'dropInvalid' builtin action.

Shorewall2/firewall

@@ -1046,15 +1046,6 @@ find_interface_address() # $1 = interface
     echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
 }
 
-#
-# Find interface addresses--returns the set of addresses assigned to the passed
-# device
-#
-find_interface_addresses() # $1 = interface
-{
-    ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
-}
-
 #
 # Find interfaces that have the passed option specified
 #
@@ -2743,7 +2734,7 @@ createactionchain() # $1 = chain name
 
 process_actions1() {
 	
-    ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn"
+    ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid"
     USEDACTIONS=
 
     strip_file actions
@@ -2917,6 +2908,9 @@ process_actions2() {
 	    dLogNotSyn)
 		log_action dLogNotSyn DROP		
 		;;
+	    dropInvalid)
+		[ "COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP
+		;;
 	    *)
 		f=action.$xaction
 		fn=$(find_file $f)

Shorewall2/functions

@@ -374,10 +374,10 @@ mktempfile() {
 		mktemp -p $1 shorewall.XXXXXX
 		;;
 	    None)
-		mkdir $1/shorewall-$$ && echo $1/shorewall-$$
+		> $1/shorewall-$$ && echo $1/shorewall-$$
 		;;
 	    *)
-		echo "   ERROR:Internal error in mktempfile"
+		echo "   ERROR:Internal error in mktempfile" >&2
 		;;
 	esac
     else
@@ -393,7 +393,7 @@ mktempfile() {
 		> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
 		;;
 	    *)
-		echo "   ERROR:Internal error in mktempfile"
+		echo "   ERROR:Internal error in mktempfile" >&2
 		;;
 	esac
     fi
@@ -407,17 +407,17 @@ mktempdir() {
     [ -z "$MKTEMP" ] && find_mktemp   
      
     case "$MKTEMP" in
-	BSD)
-	    mktemp -d /tmp/shorewall.XXXXXX
-	    ;;
 	STD)
 	    mktemp -td shorewall.XXXXXX
 	    ;;
-	None)
-	    mkdir /tmp/shorewall-$$ && echo /tmp/shorewall-$$
+	None|BSD)
+	    #
+	    # Not all versions of the BSD mktemp support the -d option under Linux
+	    #
+	    mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
 	    ;;
 	*)
-	    echo "   ERROR:Internal error in mktempdir"
+	    echo "   ERROR:Internal error in mktempdir" >&2
 	    ;;
 	esac
 }	
@@ -767,3 +767,11 @@ find_interface_by_address() {
     [ -n "$dev" ] && echo $dev
 }
 
+#
+# Find interface addresses--returns the set of addresses assigned to the passed
+# device
+#
+find_interface_addresses() # $1 = interface
+{
+    ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
+}

Shorewall2/releasenotes.txt

@@ -1,49 +1,6 @@
-Shorewall 2.0.3
+Shorewall 2.0.4-Beta1
 
 ----------------------------------------------------------------------
-Problems Corrected since 2.0.2
-
-1) The 'firewall' script is not purging temporary restore files in
-   /var/lib/shorewall. These files have names of the form
-   "restore-nnnnn".
-
-2) The /var/lib/shorewall/restore script did not load the kernel
-   modules specified in /etc/shorewall/modules.
-
-3) Specifying a null common action in /etc/shorewall/actions (e.g.,
-   :REJECT) results in a startup error.
-
-4) If /var/lib/shorewall does not exist, shorewall start fails.
-
-5) DNAT rules with a dynamic source zone don't work properly. When
-   used, these rules cause the rule to be checked against ALL input,
-   not just input from the designated zone.
-
-6) The install.sh script reported installing some files in
-   /etc/shorewall when the files were actually installed in
-   /usr/share/shorewall.
-
-7) Shorewall checks netfilter capabilities before loading kernel
-   modules. Hence if kernel module autoloading isn't enabled, the
-   capabilities will be misdetected.
-
-8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
-
-9) The file /etc/init.d/shorewall now gets proper ownership when the
-   RPM is built by a non-root user.
-
-10) Rules that specify bridge ports in both the SOURCE and DEST
-    columns no longer cause "shorewall start" to fail.
-
-11) Comments in the rules file have been added to advise users that
-    "all" in the SOURCE or DEST column does not affect intra-zone
-    traffic.
-
-12) With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now
-    passed through the blacklisting chains. Without this change, it is
-    not possible to blacklist hosts that are mounting certain types of
-    ICMP-based DOS attacks.
-
 Problems Corrected since 2.0.3
 
 1)  A non-empty DEST entry in /etc/shorewall/tcrules will generate an
@@ -53,113 +10,13 @@ Problems Corrected since 2.0.3
     handles temporary files and directories has been corrected.
 
 -----------------------------------------------------------------------
-Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
+Issues when migrating from Shorewall 2.0.3 to Shorewall 2.0.4:
 
-1) The 'dropNonSyn' standard builtin action has been replaced with the
-   'dropNotSyn' standard builtin action. The old name can still be used
-   but will generate a warning.
+None.
 
 -----------------------------------------------------------------------
 New Features:
 
-1) Shorewall now supports multiple saved configurations.
-
-   a) The default saved configuration (restore script) in
-      /var/lib/shorewall is now specified using the RESTOREFILE option
-      in shorewall.conf. If this variable isn't set then to maitain
-      backward compatibility, 'restore' is assumed.
-      
-      The value of RESTOREFILE must be a simple file name; no slashes
-      ("/") may be included.
-      
-   b)  The "save" command has been extended to be able to specify the
-      name of a saved configuration.
-
-	   shorewall save [ <file name> ]
-
-      The current state is saved to /var/lib/shorewall/<file name>. If
-      no <file name> is given, the configuration is saved to
-      the file determined by the RESTOREFILE setting.
-
-   c) The "restore" command has been extended to be able to specify 
-      the name of a saved configuration:
-
-	  shorewall restore [ <file name> ]
-
-      The firewall state is restored from /var/lib/shorewall/<file
-      name>. If no <file name> is given, the firewall state is
-      restored from the file determined by the RESTOREFILE setting.
-
-   c) The "forget" command has changed. Previously, the command
-      unconditionally removed the /var/lib/shorewall/save file which
-      records the current dynamic blacklist. The "forget" command now
-      leaves that file alone.
-
-      Also, the "forget" command has been extended to be able to
-      specify the name of a saved configuration:
-
-	      shorewall forget [ <file name> ]
-
-      The file /var/lib/shorewall/<file name> is removed. If no <file
-      name> is given, the file determined by the RESTOREFILE setting
-      is removed.
-
-   d) The "shorewall -f start" command restores the state from the
-      file determined by the RESTOREFILE setting. 
-
-2) "!" is now allowed in accounting rules.
-
-3) Interface names appearing within the configuration are now
-   verified. Interface names must match the name of an entry in
-   /etc/shorewall/interfaces (or if bridging is enabled, they must
-   match the name of an entry in /etc/shorewall/interfaces or the name
-   of a bridge port appearing in /etc/shorewall/hosts).
-
-4) A new 'rejNotSyn' built-in standard action has been added. This
-   action responds to "New not SYN" packets with an RST.
-
-   The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
-   action. The old name will be accepted until the next major release
-   of Shorewall but will generate a warning.
-
-   Several new logging actions involving "New not SYN" packets have
-   been added:
-
-	logNewNotSyn  -- logs the packet with disposition = LOG
-	dLogNewNotSyn -- logs the packet with disposition = DROP
-	rLogNewNotSyn -- logs the packet with disposition = REJECT
-
-   The packets are logged at the log level specified in the
-   LOGNEWNOTSYN option in shorewall.conf. If than option is empty or
-   not specified, then 'info' is assumed.
-
-   Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
-
-   A: To simulate the behavior of NEWNOTSYN=No:
-
-      a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
-      b) Create /etc/shorewall/action.NoNewNotSyn containing:
-
-	    dLogNotSyn
-	    dropNotSyn
-
-      c) Early in your rules file, place:
-
-	 NoNewNotSyn   all   all     tcp
-
-   B: Drop 'New not SYN' packets from the net only. Don't log them.
-
-      a) Early in your rules file, place:
-
-         dropNotSyn    net	  all	tcp
-
-5) Slackware users no longer have to modify the install.sh script
-   before installation. Tuomo Soini has provided a change that allows
-   the INIT and FIREWALL variables to be specified outside the script
-   as in:
-
-      DEST=/etc/rc.d INIT=rc.firewall ./install.sh
-
-
- 
-
+1)  ICMP packets that are in the INVALID state are now dropped by the
+    Reject and Drop default actions. They do so using the new 
+    'dropInvalid' builtin action.