Merge branch '5.1.12'

# Conflicts:
#	Shorewall/Perl/Shorewall/Config.pm
Tom Eastep 2018-02-09 17:16:12 -08:00
commit 12bbbbfa2a
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
26 changed files with 189 additions and 30 deletions


@ -0,0 +1,9 @@
#
# Shorewall -- /usr/share/shorewall/macro.Apcupsd
#
# This macro handles apcupsd traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - tcp 3551
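Review bot: The header comment says only "apcupsd traffic"; tcp 3551 is, to my knowledge, apcupsd's Network Information Server port, a status/event protocol without authentication of its own, so the macro should name the service and nudge users toward a narrow SOURCE. Suggested wording for the comment line: `# This macro handles apcupsd NIS (network information server) traffic; restrict SOURCE to the monitoring hosts that need UPS status.`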


@ -0,0 +1,16 @@
#
# Shorewall -- /usr/share/shorewall/macro.FreeIPA
#
# This macro handles FreeIPA server traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
DNS
HTTP
HTTPS
Kerberos
Kpasswd
LDAP
LDAPS
NTP
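Review bot: The macro opens all eight services unconditionally, although some of them only exist on an IPA server with the corresponding optional component — as far as I know `DNS` is needed only with the integrated BIND and `NTP` only when the server is also a time source — and `HTTP` and `LDAP` are the plaintext siblings of `HTTPS`/`LDAPS`. The header should say which entries are optional and that the macro is meant for a specific SOURCE (enrolled clients / admin network), e.g. `# DNS and NTP are only required when the IPA server provides those services; HTTP and LDAP are unencrypted.` Note also that `Kpasswd` is a macro introduced in this same commit, so this file cannot be dropped onto an older installation without it.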


@ -11,14 +11,20 @@
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - tcp 623 # RMCP PARAM - - tcp 623 # RMCP
PARAM - - udp 623 # RMCP
PARAM - - tcp 3668,3669 # Virtual Media, Secure (Dell) PARAM - - tcp 3668,3669 # Virtual Media, Secure (Dell)
PARAM - - tcp 5120,5123 # CD, floppy (Asus, Aten) PARAM - - tcp 5120,5122,5123 # CD,FD,HD (Asus, Aten)
PARAM - - tcp 5900,5901 # Remote Console (Aten, Dell) PARAM - - tcp 5900,5901 # Remote Console (Aten, Dell)
PARAM - - tcp 7578 # Remote Console (AMI) PARAM - - tcp 7578 # Remote Console (AMI)
PARAM - - tcp 3520 # Remote Console (Redfish) PARAM - - tcp 8889 # WS-MAN
PARAM - - udp 623 # RMCP
HTTP HTTP
HTTPS
SNMP
SSH # Serial over Lan
Telnet Telnet
SNMP
# TLS/secure ports
PARAM - - tcp 3520 # Remote Console (Redfish)
PARAM - - tcp 3669 # Virtual Media (Dell)
PARAM - - tcp 5124,5126,5127 # CD,FD,HD (AMI)
PARAM - - tcp 7582 # Remote Console (AMI)
HTTPS
SSH # Serial over Lan
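Review bot: On the new side tcp 3669 appears twice as far as the rendering shows: it stays in the `PARAM - - tcp 3668,3669 # Virtual Media, Secure (Dell)` line, which is printed as unchanged context, and it is listed again under `# TLS/secure ports` as `PARAM - - tcp 3669 # Virtual Media (Dell)`. If the point of the new section is to separate plaintext from TLS ports, the first line should become `PARAM - - tcp 3668 # Virtual Media (Dell)`; as written the second rule is redundant in the generated ruleset and blurs the split the comment announces. The split also makes it easy to misread the macro as "secure", while it still opens RMCP/IPMI on udp 623, Telnet, HTTP and SNMP, none of which are encrypted, so a header note that this macro belongs on a dedicated management zone and should not be applied from `net` would be worth adding. The macro header is outside the hunk.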


@ -0,0 +1,10 @@
#
# Shorewall -- /usr/share/shorewall/macro.Kpasswd
#
# This macro handles Kerberos "passwd" traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - tcp 464
PARAM - - udp 464


@ -0,0 +1,9 @@
#
# Shorewall -- /usr/share/shorewall/macro.RedisSecure
#
# This macro handles Redis Secure (SSL/TLS) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - tcp 6380
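Review bot: 6380 is only the customary port for a TLS-wrapped Redis (stunnel-style front ends and most tutorials), not a port the service owns, so a deployment that terminates TLS elsewhere will not be covered. The header comment should say so: `# This macro handles Redis Secure (SSL/TLS) traffic on the customary port 6380; adjust if your TLS front end listens elsewhere.`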


@ -0,0 +1,9 @@
#
# Shorewall -- /usr/share/shorewall/macro.Rwhois
#
# This macro handles Remote Who Is (rwhois) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - tcp 4321


@ -0,0 +1,9 @@
#
# Shorewall -- /usr/share/shorewall/macro.SSDP
#
# This macro handles SSDP (used by DLNA/UPnP) client traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - udp 1900
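Review bot: `PARAM - - udp 1900` with DEST `-` matches unicast udp/1900 to any host as well as the multicast discovery traffic (239.255.255.250) that SSDP is actually sent to, and udp/1900 is a well-known reflection/amplification vector. The header comment should warn that this macro is intended between internal zones and must not be used with `net` as SOURCE, e.g. `# SSDP responders are commonly abused for amplification; do not apply this macro with net as the SOURCE zone.`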


@ -0,0 +1,10 @@
#
# Shorewall -- /usr/share/shorewall/macro.SSDPserver
#
# This macro handles SSDP (used by DLNA/UPnP) server bidirectional traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - udp 1900
PARAM DEST SOURCE udp - 1900
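Review bot: The reverse rule `PARAM DEST SOURCE udp - 1900` matches on source port only, so any host in DEST can reach every UDP port on SOURCE just by sending from port 1900; it is not limited to replies to an M-SEARCH. That is presumably deliberate, since unicast replies to a multicast M-SEARCH are not tracked as RELATED by conntrack, but the header should say so instead of just "bidirectional", e.g. `# The second rule admits any UDP packet with source port 1900 from DEST, so use this macro only between trusted zones (e.g. loc).` Where the deployment allows it, a DPORT range such as `1024:65535` on the reverse rule would keep well-known services on SOURCE out of reach.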


@ -834,7 +834,7 @@ sub initialize( $;$$$) {
TC_SCRIPT => '', TC_SCRIPT => '',
EXPORT => 0, EXPORT => 0,
KLUDGEFREE => '', KLUDGEFREE => '',
VERSION => "5.1.12-Beta2", VERSION => "5.1.12",
CAPVERSION => 50112 , CAPVERSION => 50112 ,
BLACKLIST_LOG_TAG => '', BLACKLIST_LOG_TAG => '',
RELATED_LOG_TAG => '', RELATED_LOG_TAG => '',
@ -2412,6 +2412,10 @@ sub split_line2( $$;$$$ ) {
fatal_error "Only one set of double semicolons (';;') allowed on a line" if defined $rest; fatal_error "Only one set of double semicolons (';;') allowed on a line" if defined $rest;
$currline = $columns; $currline = $columns;
#
# Remove trailing white space
#
$currline =~ s/\s*$//;
$inline_matches = $pairs; $inline_matches = $pairs;
# #
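Review bot: The new `$currline =~ s/\s*$//;` carries only a what-comment, and since `split_line2` begins and ends outside the hunk it is not visible why trailing whitespace matters at this point, so the next maintainer cannot tell whether the line can be dropped. Presumably it removes whitespace left in front of the `;;` separator so the later column split does not yield a spurious empty field; if that is the reason, the comment should say so, e.g. `# Remove trailing white space (left behind when the ';;' inline matches were split off) so it cannot produce an empty trailing column`. `s/\s+\z//` would express the same intent without the always-matching `*` form, with identical effect on the generated rules.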


@ -183,7 +183,7 @@ IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes INLINE_MATCHES=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -194,7 +194,7 @@ IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes INLINE_MATCHES=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -191,7 +191,7 @@ IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes INLINE_MATCHES=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -194,7 +194,7 @@ IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes INLINE_MATCHES=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -170,7 +170,7 @@ IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes INLINE_MATCHES=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -171,7 +171,7 @@ IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes INLINE_MATCHES=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -170,7 +170,7 @@ IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes INLINE_MATCHES=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -170,7 +170,7 @@ IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes INLINE_MATCHES=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -107,7 +107,7 @@
requires an appropriate SA to exist. SAs may be created manually using requires an appropriate SA to exist. SAs may be created manually using
<command>setkey</command>(8) but most often, they are created by a <command>setkey</command>(8) but most often, they are created by a
cooperative process involving the ISAKMP protocol and a daemon included in cooperative process involving the ISAKMP protocol and a daemon included in
your IPSEC package (StrongSwan, LibreSwan, ipsec-tools/Racoon, etc.) . your IPsec package (StrongSwan, LibreSwan, ipsec-tools/Racoon, etc.) .
Incoming traffic is verified against the SPD to ensure that no unencrypted Incoming traffic is verified against the SPD to ensure that no unencrypted
traffic is accepted in violation of the administrator's policies.</para> traffic is accepted in violation of the administrator's policies.</para>
@ -227,7 +227,7 @@
<important> <important>
<para>This article provides guidance regarding configuring Shorewall to <para>This article provides guidance regarding configuring Shorewall to
use with IPSEC. For configuring IPSEC itself, consult your IPSEC use with IPsec. For configuring IPsec itself, consult your IPsec
product's documentation.</para> product's documentation.</para>
</important> </important>
</section> </section>
@ -681,4 +681,75 @@ ipip <emphasis role="bold">vpn</emphasis> 0.0.0.0/0</prog
the INPUT chain.</para> the INPUT chain.</para>
</important> </important>
</section> </section>
<section>
<title>Using SNAT to Force Traffic over an IPsec Tunnel</title>
<para>Cases can arise where you need to use an IPsec tunnel to access a
remote network, but you have no control over the associated security
polices. In such cases, the resulting tunnel is accessible from your
firewall but not from your local networks.</para>
<para>Let's take an example:</para>
<itemizedlist>
<listitem>
<para>Remote gateway 192.0.2.26</para>
</listitem>
<listitem>
<para>Remote subnet 172.22.4.0/24</para>
</listitem>
<listitem>
<para>Your public IP address is 192.0.2.199</para>
</listitem>
<listitem>
<para>Your Internet-facing interface is eth0</para>
</listitem>
<listitem>
<para>Your local network is 192.168.219.0/24</para>
</listitem>
<listitem>
<para>You want to access 172.22.4.0/24 from 192.168.219.0/24</para>
</listitem>
<listitem>
<para>The IPsec tunnel is configured between 172.22.4.0/24 and
192.0.2.199</para>
</listitem>
</itemizedlist>
<para>You need to configure as follows.</para>
<para>/etc/shorewall/zones:</para>
<programlisting>#ZONE TYPE OPTIONS
...
vpn ip # Note that the zone <emphasis role="bold">cannot</emphasis> be declared as type ipsec
...</programlisting>
<para>/etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE OPTIONS
net eth0 nets=(!172.22.4.0/24),... # You must exclude the remote network from the net zone</programlisting>
<para>/etc/shorewall/hosts:</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:172.22.4.0/24 mss=1380,destonly
vpn eth0:0.0.0.0/0 mss=1380,ipsec</programlisting>
<para>/etc/shorewall/snat:</para>
<programlisting>SNAT(192.0.2.199) 192.168.219.0/24 eth0:172.22.4.0/24</programlisting>
<para>/etc/shorewall/tunnels:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 192.0.2.26 vpn</programlisting>
</section>
</article> </article>


@ -1233,7 +1233,7 @@ gateway:~ #</programlisting>
those clients. See<link linkend="Openvpn"> Example 2</link> those clients. See<link linkend="Openvpn"> Example 2</link>
below.</para> below.</para>
<para>If you have an IPSEC gateway on your firewall, be sure to <para>If you have an IPsec gateway on your firewall, be sure to
arrange for ESP packets to be routed out of the same interface that arrange for ESP packets to be routed out of the same interface that
you have configured your keying daemon to use.</para> you have configured your keying daemon to use.</para>
</section> </section>


@ -1021,7 +1021,7 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
<section> <section>
<title>tunnels</title> <title>tunnels</title>
<para>Both address families define IPSEC tunnels:</para> <para>Both address families define IPsec tunnels:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsecnat {ZONE=net, GATEWAY=$ALL, GATEWAY_ZONE=vpn } ipsecnat {ZONE=net, GATEWAY=$ALL, GATEWAY_ZONE=vpn }


@ -43,7 +43,7 @@
<para>It is often the case that a system behind the firewall needs to be <para>It is often the case that a system behind the firewall needs to be
able to access a remote network through Virtual Private Networking (VPN). able to access a remote network through Virtual Private Networking (VPN).
The two most common means for doing this are IPSEC and PPTP. The basic The two most common means for doing this are IPsec and PPTP. The basic
setup is shown in the following diagram:</para> setup is shown in the following diagram:</para>
<graphic fileref="images/VPN.png"/> <graphic fileref="images/VPN.png"/>
@ -60,8 +60,8 @@
modules file, Shorewall (Lite) will attempt to load these modules when modules file, Shorewall (Lite) will attempt to load these modules when
Shorewall (Lite) is started.</para> Shorewall (Lite) is started.</para>
<para>If IPSEC is being used, you should configure IPSEC to use <para>If IPsec is being used, you should configure IPsec to use
<firstterm>NAT Traversal</firstterm> -- Under NAT traversal the IPSEC <firstterm>NAT Traversal</firstterm> -- Under NAT traversal the IPsec
packets (protocol 50 or 51) are encapsulated in UDP packets (normally with packets (protocol 50 or 51) are encapsulated in UDP packets (normally with
destination port 4500). Additionally, <firstterm>keep-alive destination port 4500). Additionally, <firstterm>keep-alive
messages</firstterm> are sent frequently so that NATing gateways between messages</firstterm> are sent frequently so that NATing gateways between
@ -69,10 +69,10 @@
way that I connect to the HP Intranet and it works flawlessly without way that I connect to the HP Intranet and it works flawlessly without
anything in Shorewall other than my ACCEPT loc-&gt;net policy. NAT anything in Shorewall other than my ACCEPT loc-&gt;net policy. NAT
traversal is available as a patch for Windows 2K and is a standard feature traversal is available as a patch for Windows 2K and is a standard feature
of Windows XP -- simply select "L2TP IPSec VPN" from the "Type of VPN" of Windows XP -- simply select "L2TP IPsec VPN" from the "Type of VPN"
pulldown.</para> pulldown.</para>
<para>Alternatively, if you have an IPSEC gateway behind your firewall <para>Alternatively, if you have an IPsec gateway behind your firewall
then you can try the following: only one system may connect to the remote then you can try the following: only one system may connect to the remote
gateway and there are firewall configuration requirements as gateway and there are firewall configuration requirements as
follows:</para> follows:</para>


@ -508,7 +508,7 @@ rc-update add bridge boot
packet arrived on and/or the bridge port that a packet will be sent over. packet arrived on and/or the bridge port that a packet will be sent over.
The latter has proved to be problematic because it requires that the The latter has proved to be problematic because it requires that the
evaluation of rules be deferred until the destination bridge port is evaluation of rules be deferred until the destination bridge port is
known. This deferral has the unfortunate side effect that it makes IPSEC known. This deferral has the unfortunate side effect that it makes IPsec
Netfilter filtration incompatible with bridges. To work around this Netfilter filtration incompatible with bridges. To work around this
problem, in kernel version 2.6.20 the Netfilter developers decided to problem, in kernel version 2.6.20 the Netfilter developers decided to
remove the deferred processing in two cases:</para> remove the deferred processing in two cases:</para>


@ -854,6 +854,12 @@ INLINE net $FW ; -m recent --rcheck 10 --hitcount 5 -
semicolons (";;"). If alternate input is present, the adjacent semicolons (";;"). If alternate input is present, the adjacent
semicolons should follow that input.</para> semicolons should follow that input.</para>
<caution>
<para>INLINE_MATCHES=Yes is deprecated and will no longer be
supported in Shorewall 5.2 and beyond. Use two adjacent semicolons
to introduce inline matches.</para>
</caution>
<para>Example from the masq file that spits outgoing SNAT between <para>Example from the masq file that spits outgoing SNAT between
two public IP addresses</para> two public IP addresses</para>


@ -242,7 +242,7 @@ IMAPS(ACCEPT) &lt;source&gt; &lt;destination&gt; # IMAP over SSL.</programlis
</section> </section>
<section id="IPSEC"> <section id="IPSEC">
<title>IPSEC</title> <title>IPsec</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> 50 ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> 50
@ -252,8 +252,8 @@ ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</e
ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis> 51 ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis> 51
ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis> udp 500</programlisting> ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis> udp 500</programlisting>
<para>Lots more information <ulink url="IPSEC.htm">here</ulink> and <ulink <para>Lots more information <ulink url="IPSEC-2.6.html">here</ulink> and
url="VPN.htm">here</ulink>.</para> <ulink url="VPN.htm">here</ulink>.</para>
</section> </section>
<section id="LDAP"> <section id="LDAP">


@ -176,7 +176,7 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para><ulink url="manpages/shorewall-tunnels.html">IPSEC, GRE, <para><ulink url="manpages/shorewall-tunnels.html">IPsec, GRE,
IPIP and OpenVPN Tunnels</ulink>.</para> IPIP and OpenVPN Tunnels</ulink>.</para>
</listitem> </listitem>


@ -277,7 +277,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>If your problem has anything to do with IPSEC, be sure that <para>If your problem has anything to do with IPsec, be sure that
the ipsec-tools package is installed.</para> the ipsec-tools package is installed.</para>
</listitem> </listitem>