Final Changes for 1.3.1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@47 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-06-01 00:28:18 +00:00
parent ed339d65bf
commit 16d50cb974
9 changed files with 73 additions and 113 deletions

View File

@ -1,30 +1,13 @@
Changes since 1.2.13
Changes since 1.3.0
1. Changed all file versions to 1.3
1. Corrected policy handling for "all z CONTINUE" policies.
2. Corrected problems with "-" as LOGLEVEL in the policy file.
3. Added /etc/shorewall/rfc1918 file for defining the behavior of the
'norfc1918' interface option.
4. Avoided forwarding rules between zones on the same interface when 'multi'
isn't specified on that interface.
2. Changed the rules file and firewall file to implement the new forwarding
and redirection syntax.
3. Removed the sample rules from the rules file -- the quickstart samples
should provide those sample rules.
4. Added a silent Auth reject rule to common.def.
5. Changed the handling of the nat table to have a separate chain for each
source zone.
6. Removed the code that tested each rules column for "none" -- this was never
documented and was there to support the brain-dead parameterized samples.
7. Reworked the chain structure in the filter table so that each interface has
its own input and forward chain.
8. Added logic to allow a subzone to be excluded from a DNAT or REDIRECT rule.
9. Removed white list capability
10. Added 'filterping' interface option.

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.3.0
VERSION=1.3.1
usage() # $1 = exit status
{
@ -103,6 +103,8 @@ restore_file /etc/shorewall/blacklist
restore_file /etc/shorewall/whitelist
restore_file /etc/shorewall/rfc1918
restore_file /etc/shorewall/version
oldversion="`cat /etc/shorewall/version`"

View File

@ -1964,15 +1964,18 @@ policy_rules() # $1 = chain to add rules to
run_iptables -A $1 -j common
target=reject
;;
CONTINUE)
target=
;;
*)
fatal_error "Invalid policy ($policy) for $1 to $2"
fatal_error "Invalid policy ($policy) for $1"
;;
esac
[ $# -eq 3 ] && [ "x${3}" != "x-" ] && run_iptables -A $1 -j LOG $LOGPARMS \
--log-prefix "Shorewall:$chain:$policy:" --log-level $3
run_iptables -A $1 -j $target
--log-prefix "Shorewall:${1}:${2}:" --log-level $3
[ -n "$target" ] && run_iptables -A $1 -j $target
}
################################################################################
@ -2000,17 +2003,7 @@ default_policy() # $1 = client $2 = server
echo " Policy $policy for $1 to $2 using chain $chain1"
if [ "$policy" = CONTINUE ]; then
####################################################################
# The policy is CONTINUE -- simply add any logging and syn flood
# jump rules to the canonical chain
#
[ -n "$loglevel" ] && run_iptables -A $chain -j LOG $LOGPARMS \
--log-prefix "Shorewall:$chain:$policy:" --log-level $loglevel
[ -n "$synparams" ] && \
enable_syn_flood_protection $chain $chain1
elif [ "$chain" = "$chain1" ]; then
if [ "$chain" = "$chain1" ]; then
####################################################################
# The policy chain is the canonical chain; add policy rule to it
# The syn flood jump has already been added if required.
@ -2019,14 +2012,13 @@ default_policy() # $1 = client $2 = server
else
####################################################################
# Policy chain is different; add a rule to jump from the canonical
# chain to the policy chain and optionally, insert a jump to the
# policy chain's syn flood chain.
# chain to the policy chain (unless the policy is CONTINUE) and
# optionally, insert a jump to the policy chain's syn flood chain.
#
run_iptables -A $chain -j $chain1
[ -n "$synparams" ] && \
enable_syn_flood_protection $chain $chain1
fi
}
@ -2071,6 +2063,9 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
while read client server policy loglevel synparams; do
expandv client server policy loglevelsynparams
[ "x$loglevel" = "x-" ] && loglevel=
case "$client" in
all|ALL)
if [ "$server" = "$3" -o "$server" = "all" ]; then
@ -2110,15 +2105,14 @@ rules_chain() # $1 = source zone, $2 = destination zone
case "$client" in
all|ALL)
if [ "$server" = "$2" -o "$server" = "all" ]; then
echo all2${server}
echo all2${server}
return
fi
;;
*)
if [ "$client" = "$1" ] && \
[ "$server" = "all" -o "$server" = "$2" ]; then
echo ${client}2${server}
return
if [ "$client" = "$1" -a "$server" = "all" ]; then
echo ${client}2${server}
return
fi
;;
esac
@ -2535,12 +2529,7 @@ add_common_rules() {
strip_file rfc1918
disp="LOG --log-prefix "Shorewall:rfc1918:DROP:" --log-level info"
########################################################################
# Since the limited broadcast address falls into 240.0.0.0/4 which we
# filter, we must make a special case. Also, we drop the autoconfig
# class B but don't log since too many folks on cable/dsl screw up
# their Windows Networking config and end up with an autoconfiged IP.
#
createchain rfc1918 no
createchain logdrop no
@ -2651,34 +2640,25 @@ apply_policy_rules() {
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams
if havechain $chain; then
[ -n "$synparams" ] && enable_syn_flood_protection $chain $chain
elif [ "$client" = "all" -o "$server" = "all" ]; then
[ -n "$synparams" ] && \
run_iptables -I $chain 2 -p tcp --syn -j @$chain
else
#
# A wild-card rule. Create the chain and add policy
# rules if the policy isn't CONTINUE
#
createchain $chain
# rules
#
# We must include the ESTABLISHED and RELATED state
# rule here to account for replys and reverse
# related sessions associated with sessions going
# in the other direction
#
if [ "$policy" != CONTINUE ]; then
policy_rules $chain $policy $loglevel
[ -n "$synparams" ] && \
[ $policy = ACCEPT ] && \
run_iptables -I $chain 2 -p tcp --syn -j @$chain
fi
else
#
# This policy chain is also a canonical chain -- create it
#
createchain $chain
[ "$client" = "all" -o "$server" = "all" ] && \
policy_rules $chain $policy $loglevel
[ -n "$synparams" ] && \
[ $policy = ACCEPT ] && \
[ $policy = ACCEPT -o $policy = CONTINUE ] && \
run_iptables -I $chain 2 -p tcp --syn -j @$chain
fi
@ -2731,23 +2711,20 @@ activate_rules() {
interface=${host%:*}
subnet=${host#*:}
chain1=`forward_chain $interface`
list_search $interface $multi_interfaces && multi=yes || multi=
for host1 in $dest_hosts; do
interface1=${host1%:*}
subnet1=${host1#*:}
if [ $interface != $interface1 -o \
"x$subnet" != "x$subnet1" -o \
-n "$multi" ]; then
if [ $interface != $interface1 -o -n "$multi" ]; then
run_iptables -A $chain1 -s $subnet \
-o $interface1 -d $subnet1 -j $chain
fi
done
done
done
done
for interface in $all_interfaces; do

View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.3.0
VERSION=1.3.1
usage() # $1 = exit status
{
@ -423,6 +423,15 @@ if [ -f ${PREFIX}/etc/shorewall/whitelist ]; then
rm -f ${PREFIX}/etc/shorewall/whitelist
fi
#
# Install the rfc1918 file
#
if [ -f ${PREFIX}/etc/shorewall/rfc1918 ]; then
backup_file /etc/shorewall/rfc1918
else
run_install -o $OWNER -g $GROUP -m 0600 rfc1918 ${PREFIX}/etc/shorewall/rfc1918
echo -e "\nRFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918"
fi
#
# Backup the version file
#
if [ -z "$PREFIX" ]; then

View File

@ -1,31 +1,15 @@
This is a major release of Shorewall.
This is a minor release of Shorewall.
In this release:
1. The rules syntax for port forwarding and port redirection has been
simplified.
2. Compatibility has been maintained with version 1.2 configurations so
that users may migrate their configuration at their convenience.
WARNING: Compatibility has NOT been maintained with the parameterized
sample configurations which were withdrawn on 4/8/2002. Users
still employing one of those samples must upgrade to the
latest samples before running Shorewall 1.3 (Beta or Release).
3. You may now exclude zone A from a DNAT or REDIRECT rule that applies
to zone B where zone A is a subzone of sone B.
4. The whitelist capability has been deimplemented. With recent changes
to the firewall structure and change 3. above, white lists are now
best implemented using zones as shown at:
http://www.shorewall.net/whitelisting_under_shorewall.htm
5. A 'filterping' interface option has been added to allow the
rules and policy files to control the handling of ICMP echo-request
(ping) requests that are addressed to the firewall.
1. The handling of "all z CONTINUE" policies has been corrected. Use of
these policies greatly simplifies whitelisting and other nested zone
configuration.
2. Added an /etc/shorewall/rfc1918 configuration file for defining the
behavior of the 'norfc1918' interface option.

View File

@ -7,7 +7,7 @@
#
# Columns are:
#
# SUBNET The subnet
# SUBNET The subnet (host addresses also allowed)
# TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally
# DROP - silently drop the packet
@ -24,3 +24,4 @@
192.168.0.0/16 logdrop # RFC 1918
172.16.0.0/12 logdrop # RFC 1918
240.0.0.0/4 logdrop # Reserved
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -1,6 +1,6 @@
%define name shorewall
%define version 1.3
%define release 0
%define release 1
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -70,6 +70,7 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rfc1918
%attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /etc/shorewall/functions
/etc/shorewall/firewall
@ -77,6 +78,9 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Fri May 31 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.1
- Added the rfc1918 file
* Wed May 29 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.0
* Mon May 20 2002 Tom Eastep <tom@shorewall.net>

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.0
VERSION=1.3.1
usage() # $1 = exit status
{
@ -104,6 +104,7 @@ if [ -n "$VERSION" ]; then
remove_file /etc/shorewall/modules-${VERSION}.bkout
remove_file /etc/shorewall/blacklist-${VERSION}.bkout
remove_file /etc/shorewall/whitelist-${VERSION}.bkout
remove_file /etc/shorewall/rfc1918-${VERSION}.bkout
fi
remove_file /etc/shorewall/firewall
@ -144,6 +145,8 @@ remove_file /etc/shorewall/blacklist
remove_file /etc/shorewall/whitelist
remove_file /etc/shorewall/rfc1918
remove_file /etc/shorewall/shorewall.conf
remove_file /etc/shorewall/version

View File

@ -3,15 +3,12 @@
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone. If a sub-zone of a
# previously-declared zone then it is
# followed by a colon and the name of the
# parent zone.
# ZONE Short name of the zone
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
#ZONE[:PARENT] DISPLAY COMMENTS
net Net Internet
loc Local Local networks
dmz DMZ Demilitarized zone
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
dmz DMZ Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE