New IPSEC Options

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1554 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-08-18 22:29:09 +00:00
parent 8ba1724c0d
commit 16487eb51a
11 changed files with 312 additions and 38 deletions

View File

@ -46,3 +46,5 @@ Changes since 2.0.3
21) Apply policy to interface/host options.
22) Fix policy and maclist.
23) Implement additional IPSEC options for zones and masq entries.

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=2.1.4
VERSION=2.1.5
usage() # $1 = exit status
{
@ -85,6 +85,8 @@ restore_file /etc/shorewall/policy
restore_file /etc/shorewall/interfaces
restore_file /etc/shorewall/ipsec
restore_file /etc/shorewall/hosts
restore_file /etc/shorewall/rules

View File

@ -613,11 +613,12 @@ match_ipsec_in() # $1 = zone, $2 = host
{
eval local is_ipsec=\$${1}_is_ipsec
eval local hosts=\"\$${1}_ipsec_hosts\"
eval local options=\"\$${1}_ipsec_options\"
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
echo "-m policy --pol ipsec --dir in"
echo "-m policy --pol ipsec --dir in $options"
elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir in"
echo "-m policy --pol none --dir in $options"
fi
}
@ -628,11 +629,12 @@ match_ipsec_out() # $1 = zone, $2 = host
{
eval local is_ipsec=\$${1}_is_ipsec
eval local hosts=\"\$${1}_ipsec_hosts\"
eval local options=\"\$${1}_ipsec_options\"
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
echo "-m policy --pol ipsec --dir out"
echo "-m policy --pol ipsec --dir out $options"
elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir out"
echo "-m policy --pol none --dir out $options"
fi
}
@ -1454,6 +1456,7 @@ setup_tunnels() # $1 = name of tunnels file
local inchain
local outchain
setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones
{
local kind=$2 noah=
@ -1485,7 +1488,21 @@ setup_tunnels() # $1 = name of tunnels file
run_iptables -A $inchain -p udp -s $1 --dport 4500 $options
fi
for z in $(separate_list $3); do
for z in $3; do
case $z in
*:ipsec)
z=${z%:*}
eval ${z}_is_ipsec=Yes
;;
*:ipsec\(*)
do_options
eval ${z}_is_ipsec=Yes
;;
*:mixed\(*)
do_options
;;
esac
if validate_zone $z; then
addrule ${FW}2${z} -p udp --dport 500 $options
if [ $kind = ipsec ]; then
@ -1495,8 +1512,7 @@ setup_tunnels() # $1 = name of tunnels file
addrule ${z}2${FW} -p udp --dport 4500 $options
fi
else
error_message "Warning: Invalid gateway zone ($z)" \
" -- Tunnel \"$tunnel\" may encounter keying problems"
fatal_error ": Invalid gateway zone ($z) -- Tunnel \"$tunnel\""
fi
done
@ -1632,6 +1648,64 @@ setup_tunnels() # $1 = name of tunnels file
done < $TMP_DIR/tunnels
}
setup_ipsec() {
do_options() {
local option newoptions=
options=$(separate_list $options)
for option in $options; do
case $option in
reqid=*)
newoptions="$newoptions --reqid ${option#*=}"
;;
spi=*)
newoptions="$newoptions --spi ${option#*=}"
;;
proto=*)
newoptions="$newoptions --proto ${option#*=}"
;;
mode=*)
newoptions="$newoptions --mode ${option#*=}"
;;
tunnel-src=*)
newoptions="$newoptions --tunnel-src ${option#*=}"
;;
tunnel-dst=*)
newoptions="$newoptions --tunnel-dst ${option#*=}"
;;
*)
fatal_error "Invalid option \"$option\" for zone $zone"
;;
esac
done
eval ${zone}_ipsec_options=\"${newoptions# }\"
}
strip_file ipsec $1
while read zone ipsec options; do
expandv zone ipsec options
validate_zone1 $zone || fatal_error "Unknown zone: $zone"
case $ipsec in
-|No|no)
;;
Yes|yes)
eval ${zone}_is_ipsec=Yes
;;
*)
fatal_error "Invalid IPSEC column value: $ipsec"
;;
esac
do_options
done < $TMP_DIR/ipsec
}
#
# Setup Proxy ARP
#
@ -2424,6 +2498,12 @@ check_config() {
display_list "Zones:" $zones
ipsecfile=$(find_file ipsec)
[ -f $ipsecfile ] && \
echo "Validating ipsec file..." && \
setup_ipsec $ipsecfile
echo "Validating interfaces file..."
validate_interfaces_file
@ -4496,6 +4576,38 @@ get_routed_networks() # $1 = interface name
#
setup_masq()
{
do_ipsec_options() {
local options=$(separate_list $ipsec) option
policy ="-m policy --pol ipsec --dir out"
options=$(separate_list $options)
for option in $options; do
case $option in
reqid=*)
policy="$policy --reqid ${option#*=}"
;;
spi=*)
policy="$policy --spi ${option#*=}"
;;
proto=*)
policy="$policy --proto ${option#*=}"
;;
mode=*)
policy="$policy --mode ${option#*=}"
;;
tunnel-src=*)
policy="$policy --tunnel-src ${option#*=}"
;;
tunnel-dst=*)
policy="$policy --tunnel-dst ${option#*=}"
;;
*)
fatal_error "Invalid IPSEC option \"$option\""
;;
esac
done
}
setup_one() {
local add_snat_aliases=$ADD_SNAT_ALIASES, pre_nat= policy=
@ -4513,9 +4625,7 @@ setup_masq()
policy="-m policy --pol none --dir out"
;;
*)
[ -n "$ipsec" ] && \
fatal_error "Invalid value in IPSEC column: $ipsec"
[ -n "$POLICY_MATCH" ] && policy="-m policy --pol none --dir out"
[ -n "$ipsec" ] && do_ipsec_options || [ -n "$POLICY_MATCH" ] && policy="-m policy --pol none --dir out"
;;
esac
@ -5985,6 +6095,10 @@ define_firewall() # $1 = Command (Start or Restart)
[ -f $tunnels ] && \
echo "Processing $tunnels..." && setup_tunnels $tunnels
ipsecfile=$(find_file ipsec)
[ -f $ipsecfile ] && \
echo "Processing $ipsecfile..." && setup_ipsec $ipsecfile
maclist_hosts=$(find_hosts_by_option maclist)
[ -n "$maclist_hosts" ] && setup_mac_lists
@ -6118,11 +6232,12 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
[ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone"
eval is_ipsec=\$${zone}_is_ipsec
eval options=\"\$${zone}_ipsec_options\"
if [ -n "$is_ipsec" ]; then
[ -n "$POLICY_MATCH" ] || startup_error "Your kernel and/or iptables lacks policy match support"
policyin="-m policy --pol ipsec --dir in"
policyout="-m policy --pol ipsec --dir out"
policyin="-m policy --pol ipsec --dir in $options"
policyout="-m policy --pol ipsec --dir out $options"
elif [ -n "$POLICY_MATCH" ]; then
policyin="-m policy --pol none --dir in"
policyout="-m policy --pol none --dir out"

View File

@ -270,15 +270,7 @@ determine_zones()
for zone in $zones; do
dsply=$(find_display $zone $TMP_DIR/zones)
case $zone in
*:ipsec)
zone=${zone%:*}
eval ${zone}_is_ipsec=Yes
;;
*)
esac
[ ${#zone} -gt 5 ] && echo " Warning: Zone name longer than 5 characters: $zone" 2> /tmp/trace
[ ${#zone} -gt 5 ] && echo " Warning: Zone name longer than 5 characters: $zone" >&2
eval ${zone}_display=\$dsply
newzones="$newzones $zone"
done

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=2.1.4
VERSION=2.1.5
usage() # $1 = exit status
{
@ -247,6 +247,16 @@ else
echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
fi
#
# Install the ipsec file
#
if [ -f ${PREFIX}/etc/shorewall/ipsec ]; then
backup_file /etc/shorewall/ipsec
else
run_install -o $OWNER -g $GROUP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
echo
echo "Ipsec file installed as ${PREFIX}/etc/shorewall/ipsec"
fi
#
# Install the hosts file
#
if [ -f ${PREFIX}/etc/shorewall/hosts ]; then

42
Shorewall2/ipsec Normal file
View File

@ -0,0 +1,42 @@
#
# Shorewall 2.1 - /etc/shorewall/ipsec
#
# This file defines the attributes of zones with respect to
# IPSEC. To use this file, you must be running a 2.6 kernel and
# both your kernel and iptables must include Policy Match Support.
#
# The columns are:
#
# ZONE The name of a zone defined in /etc/shorewall/zones. The
# $FW zone may not be listed.
#
# IPSEC Yes -- Communication with all zone hosts is encrypted
# ONLY No -- Communication with some zone hosts is encrypted.
# Encrypted hosts are designated using the 'ipsec'
# option in /etc/shorewall/hosts.
#
# OPTIONS A comma-separated list of options as follows:
# reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
# the SA.
#
# proto=ah|esp|ipcomp
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# Example:
# mode=transport,reqid=44
################################################################################
#ZONE IPSEC OPTIONS
# ONLY
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -110,6 +110,29 @@
# your kernel and iptables contain policy match
# support.
#
# Comma-separated list of options from the following.
# Only packets that will be encrypted via an SA that
# matches these options will have their source address
# changed.
#
# reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
# the SA.
#
# proto=ah|esp|ipcomp
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
#
# Example 1:
#
# You have a simple masquerading setup where eth0 connects to

View File

@ -230,8 +230,23 @@ New Features:
IPSEC policy match patch from Patch-0-Matic-ng. That patch affects
both your kernel and iptables.
This new Shorewall support is enabled through use of the 'ipsec'
option in /etc/shorewall/hosts.
There are two ways to specify that IPSEC is to be used when
communicating with a set of hosts; both methods involve the new
/etc/shorewall/ipsec file:
a) If encrypted communication is used with all hosts in a zone,
then you can designate the zone as an "ipsec" zone by placing
'Yes" in the IPSEC ONLY column in the /etc/shorewall/ipsec:
#ZONE IPSEC OPTIONS
# ONLY
vpn Yes
The hosts in the zone (if any) must be specified in
/etc/shorewall/hosts but you do not need to specify the 'ipsec'
option on the entries in that file (see below).
Dynamic zones involving IPSEC must use that technique.
Example:
@ -249,10 +264,10 @@ New Features:
Under 2.6 Kernel with this new support:
/etc/shorewall/zones (note the change of order):
/etc/shorewall/zones:
vpn VPN Remote Network
net Net The big bad Internet
vpn VPN Remote Network
/etc/shorewall/interfaces:
@ -260,12 +275,83 @@ New Features:
/etc/shorewall/hosts:
vpn eth0:0.0.0.0/0 ipsec
vpn eth0:0.0.0.0/0
/etc/shorewall/ipsec
vpn Yes
b) If only part of the hosts in a zone require encrypted
communication, you may use of the new 'ipsec' option in
/etc/shorewall/hosts to designate those hosts.
Example:
Under 2.4 Kernel FreeS/Wan:
/etc/shorewall/zones:
net Net The big bad Internet
loc Local Extended local zone
/etc/shorewall/interfaces:
net eth0 ...
loc eth1 ...
loc ipsec0 ...
Under 2.6 Kernel with this new support:
/etc/shorewall/zones:
net Net The big bad Internet
vpn VPN Remote Network
/etc/shorewall/interfaces:
net eth0 ...
loc eth1 ...
/etc/shorewall/hosts:
vpn eth0:0.0.0.0/0 ipsec,...
Regardless of which technique you choose, you can specify
additional SA options for the zone in the /etc/shorewall/ipsec
entry.
The OPTIONS column specifies
The available options are:
reqid=<number> where <number> is specified using setkey(8) using
the 'unique:<number>' option for the SPD level.
spi=<number> where <number> is the SPI of the SA.
proto=ah|esp|ipcomp
mode=transport|tunnel
tunnel-src=<address>[/<mask>] (only available with mode=tunnel)
tunnel-dst=<address>[/<mask>] (only available with mode=tunnel)
Examples:
#ZONE IPSEC OPTIONS
# ONLY
vpn Yes mode=tunnel,proto=esp
loc No reqid=44,mode=transport
The /etc/shorewall/masq file has a new IPSEC column added. If you
specify Yes or yes in that column then the unencrypted packets will
have their source address changed. Otherwise, the unencrypted
packets will not have their source addresses changed.
packets will not have their source addresses changed. This column
may also contain a comma-separated list of the options specified
above in which case only those packets that will be encrypted
by an SA matching the given options will have their source address
changed.
8) To improve interoperability, tunnels of type 'ipsec' no longer
enforce the use of source port 500 for ISAKMP.

View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 2.1.4
%define version 2.1.5
%define release 1
%define prefix /usr
@ -62,6 +62,7 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ipsec
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
%attr(0600,root,root) %config(noreplace) /etc/shorewall/netmap
@ -127,6 +128,9 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Wed Aug 18 2004 Tom Eastep tom@shorewall.net
- Updated to 2.1.5-1
- Add /etc/shorewall/ipsec
* Sat Aug 14 2004 Tom Eastep tom@shorewall.net
- Updated to 2.1.4-1
* Sat Aug 07 2004 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=2.1.4
VERSION=2.1.5
usage() # $1 = exit status
{

View File

@ -4,8 +4,6 @@
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# If all hosts in the zone are accessed using kernel 2.6
# ipsec SAs then follow the zone name with ":ipsec".
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#