mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-09 01:04:06 +01:00
New IPSEC Options
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1554 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
8ba1724c0d
commit
16487eb51a
@ -46,3 +46,5 @@ Changes since 2.0.3
|
||||
21) Apply policy to interface/host options.
|
||||
|
||||
22) Fix policy and maclist.
|
||||
|
||||
23) Implement additional IPSEC options for zones and masq entries.
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=2.1.4
|
||||
VERSION=2.1.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -85,6 +85,8 @@ restore_file /etc/shorewall/policy
|
||||
|
||||
restore_file /etc/shorewall/interfaces
|
||||
|
||||
restore_file /etc/shorewall/ipsec
|
||||
|
||||
restore_file /etc/shorewall/hosts
|
||||
|
||||
restore_file /etc/shorewall/rules
|
||||
|
@ -613,11 +613,12 @@ match_ipsec_in() # $1 = zone, $2 = host
|
||||
{
|
||||
eval local is_ipsec=\$${1}_is_ipsec
|
||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||
eval local options=\"\$${1}_ipsec_options\"
|
||||
|
||||
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
|
||||
echo "-m policy --pol ipsec --dir in"
|
||||
echo "-m policy --pol ipsec --dir in $options"
|
||||
elif [ -n "$POLICY_MATCH" ]; then
|
||||
echo "-m policy --pol none --dir in"
|
||||
echo "-m policy --pol none --dir in $options"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -628,11 +629,12 @@ match_ipsec_out() # $1 = zone, $2 = host
|
||||
{
|
||||
eval local is_ipsec=\$${1}_is_ipsec
|
||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||
eval local options=\"\$${1}_ipsec_options\"
|
||||
|
||||
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
|
||||
echo "-m policy --pol ipsec --dir out"
|
||||
echo "-m policy --pol ipsec --dir out $options"
|
||||
elif [ -n "$POLICY_MATCH" ]; then
|
||||
echo "-m policy --pol none --dir out"
|
||||
echo "-m policy --pol none --dir out $options"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -1454,6 +1456,7 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
local inchain
|
||||
local outchain
|
||||
|
||||
|
||||
setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones
|
||||
{
|
||||
local kind=$2 noah=
|
||||
@ -1485,7 +1488,21 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
run_iptables -A $inchain -p udp -s $1 --dport 4500 $options
|
||||
fi
|
||||
|
||||
for z in $(separate_list $3); do
|
||||
for z in $3; do
|
||||
case $z in
|
||||
*:ipsec)
|
||||
z=${z%:*}
|
||||
eval ${z}_is_ipsec=Yes
|
||||
;;
|
||||
*:ipsec\(*)
|
||||
do_options
|
||||
eval ${z}_is_ipsec=Yes
|
||||
;;
|
||||
*:mixed\(*)
|
||||
do_options
|
||||
;;
|
||||
esac
|
||||
|
||||
if validate_zone $z; then
|
||||
addrule ${FW}2${z} -p udp --dport 500 $options
|
||||
if [ $kind = ipsec ]; then
|
||||
@ -1495,8 +1512,7 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
addrule ${z}2${FW} -p udp --dport 4500 $options
|
||||
fi
|
||||
else
|
||||
error_message "Warning: Invalid gateway zone ($z)" \
|
||||
" -- Tunnel \"$tunnel\" may encounter keying problems"
|
||||
fatal_error ": Invalid gateway zone ($z) -- Tunnel \"$tunnel\""
|
||||
fi
|
||||
done
|
||||
|
||||
@ -1632,6 +1648,64 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
done < $TMP_DIR/tunnels
|
||||
}
|
||||
|
||||
setup_ipsec() {
|
||||
|
||||
do_options() {
|
||||
local option newoptions=
|
||||
|
||||
options=$(separate_list $options)
|
||||
|
||||
for option in $options; do
|
||||
case $option in
|
||||
reqid=*)
|
||||
newoptions="$newoptions --reqid ${option#*=}"
|
||||
;;
|
||||
spi=*)
|
||||
newoptions="$newoptions --spi ${option#*=}"
|
||||
;;
|
||||
proto=*)
|
||||
newoptions="$newoptions --proto ${option#*=}"
|
||||
;;
|
||||
mode=*)
|
||||
newoptions="$newoptions --mode ${option#*=}"
|
||||
;;
|
||||
tunnel-src=*)
|
||||
newoptions="$newoptions --tunnel-src ${option#*=}"
|
||||
;;
|
||||
tunnel-dst=*)
|
||||
newoptions="$newoptions --tunnel-dst ${option#*=}"
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid option \"$option\" for zone $zone"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
eval ${zone}_ipsec_options=\"${newoptions# }\"
|
||||
}
|
||||
|
||||
strip_file ipsec $1
|
||||
|
||||
while read zone ipsec options; do
|
||||
expandv zone ipsec options
|
||||
|
||||
validate_zone1 $zone || fatal_error "Unknown zone: $zone"
|
||||
|
||||
case $ipsec in
|
||||
-|No|no)
|
||||
;;
|
||||
Yes|yes)
|
||||
eval ${zone}_is_ipsec=Yes
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid IPSEC column value: $ipsec"
|
||||
;;
|
||||
esac
|
||||
|
||||
do_options
|
||||
|
||||
done < $TMP_DIR/ipsec
|
||||
}
|
||||
|
||||
#
|
||||
# Setup Proxy ARP
|
||||
#
|
||||
@ -2424,6 +2498,12 @@ check_config() {
|
||||
|
||||
display_list "Zones:" $zones
|
||||
|
||||
ipsecfile=$(find_file ipsec)
|
||||
|
||||
[ -f $ipsecfile ] && \
|
||||
echo "Validating ipsec file..." && \
|
||||
setup_ipsec $ipsecfile
|
||||
|
||||
echo "Validating interfaces file..."
|
||||
|
||||
validate_interfaces_file
|
||||
@ -4496,6 +4576,38 @@ get_routed_networks() # $1 = interface name
|
||||
#
|
||||
setup_masq()
|
||||
{
|
||||
do_ipsec_options() {
|
||||
local options=$(separate_list $ipsec) option
|
||||
policy ="-m policy --pol ipsec --dir out"
|
||||
|
||||
options=$(separate_list $options)
|
||||
for option in $options; do
|
||||
case $option in
|
||||
reqid=*)
|
||||
policy="$policy --reqid ${option#*=}"
|
||||
;;
|
||||
spi=*)
|
||||
policy="$policy --spi ${option#*=}"
|
||||
;;
|
||||
proto=*)
|
||||
policy="$policy --proto ${option#*=}"
|
||||
;;
|
||||
mode=*)
|
||||
policy="$policy --mode ${option#*=}"
|
||||
;;
|
||||
tunnel-src=*)
|
||||
policy="$policy --tunnel-src ${option#*=}"
|
||||
;;
|
||||
tunnel-dst=*)
|
||||
policy="$policy --tunnel-dst ${option#*=}"
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid IPSEC option \"$option\""
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
setup_one() {
|
||||
local add_snat_aliases=$ADD_SNAT_ALIASES, pre_nat= policy=
|
||||
|
||||
@ -4513,9 +4625,7 @@ setup_masq()
|
||||
policy="-m policy --pol none --dir out"
|
||||
;;
|
||||
*)
|
||||
[ -n "$ipsec" ] && \
|
||||
fatal_error "Invalid value in IPSEC column: $ipsec"
|
||||
[ -n "$POLICY_MATCH" ] && policy="-m policy --pol none --dir out"
|
||||
[ -n "$ipsec" ] && do_ipsec_options || [ -n "$POLICY_MATCH" ] && policy="-m policy --pol none --dir out"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -5985,6 +6095,10 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
[ -f $tunnels ] && \
|
||||
echo "Processing $tunnels..." && setup_tunnels $tunnels
|
||||
|
||||
ipsecfile=$(find_file ipsec)
|
||||
[ -f $ipsecfile ] && \
|
||||
echo "Processing $ipsecfile..." && setup_ipsec $ipsecfile
|
||||
|
||||
maclist_hosts=$(find_hosts_by_option maclist)
|
||||
[ -n "$maclist_hosts" ] && setup_mac_lists
|
||||
|
||||
@ -6118,11 +6232,12 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
[ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone"
|
||||
|
||||
eval is_ipsec=\$${zone}_is_ipsec
|
||||
eval options=\"\$${zone}_ipsec_options\"
|
||||
|
||||
if [ -n "$is_ipsec" ]; then
|
||||
[ -n "$POLICY_MATCH" ] || startup_error "Your kernel and/or iptables lacks policy match support"
|
||||
policyin="-m policy --pol ipsec --dir in"
|
||||
policyout="-m policy --pol ipsec --dir out"
|
||||
policyin="-m policy --pol ipsec --dir in $options"
|
||||
policyout="-m policy --pol ipsec --dir out $options"
|
||||
elif [ -n "$POLICY_MATCH" ]; then
|
||||
policyin="-m policy --pol none --dir in"
|
||||
policyout="-m policy --pol none --dir out"
|
||||
|
@ -270,15 +270,7 @@ determine_zones()
|
||||
|
||||
for zone in $zones; do
|
||||
dsply=$(find_display $zone $TMP_DIR/zones)
|
||||
case $zone in
|
||||
*:ipsec)
|
||||
zone=${zone%:*}
|
||||
eval ${zone}_is_ipsec=Yes
|
||||
;;
|
||||
*)
|
||||
esac
|
||||
|
||||
[ ${#zone} -gt 5 ] && echo " Warning: Zone name longer than 5 characters: $zone" 2> /tmp/trace
|
||||
[ ${#zone} -gt 5 ] && echo " Warning: Zone name longer than 5 characters: $zone" >&2
|
||||
eval ${zone}_display=\$dsply
|
||||
newzones="$newzones $zone"
|
||||
done
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
|
||||
VERSION=2.1.4
|
||||
VERSION=2.1.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -247,6 +247,16 @@ else
|
||||
echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
|
||||
fi
|
||||
#
|
||||
# Install the ipsec file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/ipsec ]; then
|
||||
backup_file /etc/shorewall/ipsec
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
|
||||
echo
|
||||
echo "Ipsec file installed as ${PREFIX}/etc/shorewall/ipsec"
|
||||
fi
|
||||
#
|
||||
# Install the hosts file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/hosts ]; then
|
||||
|
42
Shorewall2/ipsec
Normal file
42
Shorewall2/ipsec
Normal file
@ -0,0 +1,42 @@
|
||||
#
|
||||
# Shorewall 2.1 - /etc/shorewall/ipsec
|
||||
#
|
||||
# This file defines the attributes of zones with respect to
|
||||
# IPSEC. To use this file, you must be running a 2.6 kernel and
|
||||
# both your kernel and iptables must include Policy Match Support.
|
||||
#
|
||||
# The columns are:
|
||||
#
|
||||
# ZONE The name of a zone defined in /etc/shorewall/zones. The
|
||||
# $FW zone may not be listed.
|
||||
#
|
||||
# IPSEC Yes -- Communication with all zone hosts is encrypted
|
||||
# ONLY No -- Communication with some zone hosts is encrypted.
|
||||
# Encrypted hosts are designated using the 'ipsec'
|
||||
# option in /etc/shorewall/hosts.
|
||||
#
|
||||
# OPTIONS A comma-separated list of options as follows:
|
||||
# reqid=<number> where <number> is specified
|
||||
# using setkey(8) using the 'unique:<number>
|
||||
# option for the SPD level.
|
||||
#
|
||||
# spi=<number> where <number> is the SPI of
|
||||
# the SA.
|
||||
#
|
||||
# proto=ah|esp|ipcomp
|
||||
#
|
||||
# mode=transport|tunnel
|
||||
#
|
||||
# tunnel-src=<address>[/<mask>] (only
|
||||
# available with mode=tunnel)
|
||||
#
|
||||
# tunnel-dst=<address>[/<mask>] (only
|
||||
# available with mode=tunnel)
|
||||
#
|
||||
# Example:
|
||||
# mode=transport,reqid=44
|
||||
################################################################################
|
||||
#ZONE IPSEC OPTIONS
|
||||
# ONLY
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -110,6 +110,29 @@
|
||||
# your kernel and iptables contain policy match
|
||||
# support.
|
||||
#
|
||||
# Comma-separated list of options from the following.
|
||||
# Only packets that will be encrypted via an SA that
|
||||
# matches these options will have their source address
|
||||
# changed.
|
||||
#
|
||||
# reqid=<number> where <number> is specified
|
||||
# using setkey(8) using the 'unique:<number>
|
||||
# option for the SPD level.
|
||||
#
|
||||
# spi=<number> where <number> is the SPI of
|
||||
# the SA.
|
||||
#
|
||||
# proto=ah|esp|ipcomp
|
||||
#
|
||||
# mode=transport|tunnel
|
||||
#
|
||||
# tunnel-src=<address>[/<mask>] (only
|
||||
# available with mode=tunnel)
|
||||
#
|
||||
# tunnel-dst=<address>[/<mask>] (only
|
||||
# available with mode=tunnel)
|
||||
#
|
||||
#
|
||||
# Example 1:
|
||||
#
|
||||
# You have a simple masquerading setup where eth0 connects to
|
||||
|
@ -230,8 +230,23 @@ New Features:
|
||||
IPSEC policy match patch from Patch-0-Matic-ng. That patch affects
|
||||
both your kernel and iptables.
|
||||
|
||||
This new Shorewall support is enabled through use of the 'ipsec'
|
||||
option in /etc/shorewall/hosts.
|
||||
There are two ways to specify that IPSEC is to be used when
|
||||
communicating with a set of hosts; both methods involve the new
|
||||
/etc/shorewall/ipsec file:
|
||||
|
||||
a) If encrypted communication is used with all hosts in a zone,
|
||||
then you can designate the zone as an "ipsec" zone by placing
|
||||
'Yes" in the IPSEC ONLY column in the /etc/shorewall/ipsec:
|
||||
|
||||
#ZONE IPSEC OPTIONS
|
||||
# ONLY
|
||||
vpn Yes
|
||||
|
||||
The hosts in the zone (if any) must be specified in
|
||||
/etc/shorewall/hosts but you do not need to specify the 'ipsec'
|
||||
option on the entries in that file (see below).
|
||||
|
||||
Dynamic zones involving IPSEC must use that technique.
|
||||
|
||||
Example:
|
||||
|
||||
@ -249,10 +264,10 @@ New Features:
|
||||
|
||||
Under 2.6 Kernel with this new support:
|
||||
|
||||
/etc/shorewall/zones (note the change of order):
|
||||
/etc/shorewall/zones:
|
||||
|
||||
vpn VPN Remote Network
|
||||
net Net The big bad Internet
|
||||
vpn VPN Remote Network
|
||||
|
||||
/etc/shorewall/interfaces:
|
||||
|
||||
@ -260,12 +275,83 @@ New Features:
|
||||
|
||||
/etc/shorewall/hosts:
|
||||
|
||||
vpn eth0:0.0.0.0/0 ipsec
|
||||
vpn eth0:0.0.0.0/0
|
||||
|
||||
/etc/shorewall/ipsec
|
||||
|
||||
vpn Yes
|
||||
|
||||
b) If only part of the hosts in a zone require encrypted
|
||||
communication, you may use of the new 'ipsec' option in
|
||||
/etc/shorewall/hosts to designate those hosts.
|
||||
|
||||
Example:
|
||||
|
||||
Under 2.4 Kernel FreeS/Wan:
|
||||
|
||||
/etc/shorewall/zones:
|
||||
|
||||
net Net The big bad Internet
|
||||
loc Local Extended local zone
|
||||
|
||||
/etc/shorewall/interfaces:
|
||||
|
||||
net eth0 ...
|
||||
loc eth1 ...
|
||||
loc ipsec0 ...
|
||||
|
||||
Under 2.6 Kernel with this new support:
|
||||
|
||||
/etc/shorewall/zones:
|
||||
|
||||
net Net The big bad Internet
|
||||
vpn VPN Remote Network
|
||||
|
||||
/etc/shorewall/interfaces:
|
||||
|
||||
net eth0 ...
|
||||
loc eth1 ...
|
||||
|
||||
/etc/shorewall/hosts:
|
||||
|
||||
vpn eth0:0.0.0.0/0 ipsec,...
|
||||
|
||||
Regardless of which technique you choose, you can specify
|
||||
additional SA options for the zone in the /etc/shorewall/ipsec
|
||||
entry.
|
||||
|
||||
The OPTIONS column specifies
|
||||
|
||||
The available options are:
|
||||
|
||||
reqid=<number> where <number> is specified using setkey(8) using
|
||||
the 'unique:<number>' option for the SPD level.
|
||||
|
||||
spi=<number> where <number> is the SPI of the SA.
|
||||
|
||||
proto=ah|esp|ipcomp
|
||||
|
||||
mode=transport|tunnel
|
||||
|
||||
tunnel-src=<address>[/<mask>] (only available with mode=tunnel)
|
||||
|
||||
tunnel-dst=<address>[/<mask>] (only available with mode=tunnel)
|
||||
|
||||
Examples:
|
||||
|
||||
#ZONE IPSEC OPTIONS
|
||||
# ONLY
|
||||
vpn Yes mode=tunnel,proto=esp
|
||||
loc No reqid=44,mode=transport
|
||||
|
||||
The /etc/shorewall/masq file has a new IPSEC column added. If you
|
||||
specify Yes or yes in that column then the unencrypted packets will
|
||||
have their source address changed. Otherwise, the unencrypted
|
||||
packets will not have their source addresses changed.
|
||||
packets will not have their source addresses changed. This column
|
||||
may also contain a comma-separated list of the options specified
|
||||
above in which case only those packets that will be encrypted
|
||||
by an SA matching the given options will have their source address
|
||||
changed.
|
||||
|
||||
8) To improve interoperability, tunnels of type 'ipsec' no longer
|
||||
enforce the use of source port 500 for ISAKMP.
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 2.1.4
|
||||
%define version 2.1.5
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -62,6 +62,7 @@ fi
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ipsec
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/netmap
|
||||
@ -127,6 +128,9 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Wed Aug 18 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.1.5-1
|
||||
- Add /etc/shorewall/ipsec
|
||||
* Sat Aug 14 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.1.4-1
|
||||
* Sat Aug 07 2004 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=2.1.4
|
||||
VERSION=2.1.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -4,8 +4,6 @@
|
||||
# This file determines your network zones. Columns are:
|
||||
#
|
||||
# ZONE Short name of the zone (5 Characters or less in length).
|
||||
# If all hosts in the zone are accessed using kernel 2.6
|
||||
# ipsec SAs then follow the zone name with ":ipsec".
|
||||
# DISPLAY Display name of the zone
|
||||
# COMMENTS Comments about the zone
|
||||
#
|
||||
|
Loading…
Reference in New Issue
Block a user