Final Changes for 1.3.1
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@47 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
ed339d65bf
commit
16d50cb974
@ -1,30 +1,13 @@
|
||||
Changes since 1.2.13
|
||||
Changes since 1.3.0
|
||||
|
||||
1. Changed all file versions to 1.3
|
||||
1. Corrected policy handling for "all z CONTINUE" policies.
|
||||
2. Corrected problems with "-" as LOGLEVEL in the policy file.
|
||||
3. Added /etc/shorewall/rfc1918 file for defining the behavior of the
|
||||
'norfc1918' interface option.
|
||||
4. Avoided forwarding rules between zones on the same interface when 'multi'
|
||||
isn't specified on that interface.
|
||||
|
||||
2. Changed the rules file and firewall file to implement the new forwarding
|
||||
and redirection syntax.
|
||||
|
||||
3. Removed the sample rules from the rules file -- the quickstart samples
|
||||
should provide those sample rules.
|
||||
|
||||
4. Added a silent Auth reject rule to common.def.
|
||||
|
||||
5. Changed the handling of the nat table to have a separate chain for each
|
||||
source zone.
|
||||
|
||||
6. Removed the code that tested each rules column for "none" -- this was never
|
||||
documented and was there to support the brain-dead parameterized samples.
|
||||
|
||||
7. Reworked the chain structure in the filter table so that each interface has
|
||||
its own input and forward chain.
|
||||
|
||||
8. Added logic to allow a subzone to be excluded from a DNAT or REDIRECT rule.
|
||||
|
||||
9. Removed white list capability
|
||||
|
||||
10. Added 'filterping' interface option.
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.3.0
|
||||
VERSION=1.3.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -103,6 +103,8 @@ restore_file /etc/shorewall/blacklist
|
||||
|
||||
restore_file /etc/shorewall/whitelist
|
||||
|
||||
restore_file /etc/shorewall/rfc1918
|
||||
|
||||
restore_file /etc/shorewall/version
|
||||
|
||||
oldversion="`cat /etc/shorewall/version`"
|
||||
|
@ -1964,15 +1964,18 @@ policy_rules() # $1 = chain to add rules to
|
||||
run_iptables -A $1 -j common
|
||||
target=reject
|
||||
;;
|
||||
CONTINUE)
|
||||
target=
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid policy ($policy) for $1 to $2"
|
||||
fatal_error "Invalid policy ($policy) for $1"
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
[ $# -eq 3 ] && [ "x${3}" != "x-" ] && run_iptables -A $1 -j LOG $LOGPARMS \
|
||||
--log-prefix "Shorewall:$chain:$policy:" --log-level $3
|
||||
run_iptables -A $1 -j $target
|
||||
--log-prefix "Shorewall:${1}:${2}:" --log-level $3
|
||||
[ -n "$target" ] && run_iptables -A $1 -j $target
|
||||
}
|
||||
|
||||
################################################################################
|
||||
@ -2000,17 +2003,7 @@ default_policy() # $1 = client $2 = server
|
||||
|
||||
echo " Policy $policy for $1 to $2 using chain $chain1"
|
||||
|
||||
if [ "$policy" = CONTINUE ]; then
|
||||
####################################################################
|
||||
# The policy is CONTINUE -- simply add any logging and syn flood
|
||||
# jump rules to the canonical chain
|
||||
#
|
||||
[ -n "$loglevel" ] && run_iptables -A $chain -j LOG $LOGPARMS \
|
||||
--log-prefix "Shorewall:$chain:$policy:" --log-level $loglevel
|
||||
[ -n "$synparams" ] && \
|
||||
enable_syn_flood_protection $chain $chain1
|
||||
|
||||
elif [ "$chain" = "$chain1" ]; then
|
||||
if [ "$chain" = "$chain1" ]; then
|
||||
####################################################################
|
||||
# The policy chain is the canonical chain; add policy rule to it
|
||||
# The syn flood jump has already been added if required.
|
||||
@ -2019,14 +2012,13 @@ default_policy() # $1 = client $2 = server
|
||||
else
|
||||
####################################################################
|
||||
# Policy chain is different; add a rule to jump from the canonical
|
||||
# chain to the policy chain and optionally, insert a jump to the
|
||||
# policy chain's syn flood chain.
|
||||
# chain to the policy chain (unless the policy is CONTINUE) and
|
||||
# optionally, insert a jump to the policy chain's syn flood chain.
|
||||
#
|
||||
run_iptables -A $chain -j $chain1
|
||||
|
||||
[ -n "$synparams" ] && \
|
||||
enable_syn_flood_protection $chain $chain1
|
||||
|
||||
fi
|
||||
}
|
||||
|
||||
@ -2071,6 +2063,9 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
|
||||
|
||||
while read client server policy loglevel synparams; do
|
||||
expandv client server policy loglevelsynparams
|
||||
|
||||
[ "x$loglevel" = "x-" ] && loglevel=
|
||||
|
||||
case "$client" in
|
||||
all|ALL)
|
||||
if [ "$server" = "$3" -o "$server" = "all" ]; then
|
||||
@ -2110,15 +2105,14 @@ rules_chain() # $1 = source zone, $2 = destination zone
|
||||
case "$client" in
|
||||
all|ALL)
|
||||
if [ "$server" = "$2" -o "$server" = "all" ]; then
|
||||
echo all2${server}
|
||||
echo all2${server}
|
||||
return
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
if [ "$client" = "$1" ] && \
|
||||
[ "$server" = "all" -o "$server" = "$2" ]; then
|
||||
echo ${client}2${server}
|
||||
return
|
||||
if [ "$client" = "$1" -a "$server" = "all" ]; then
|
||||
echo ${client}2${server}
|
||||
return
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -2535,12 +2529,7 @@ add_common_rules() {
|
||||
strip_file rfc1918
|
||||
|
||||
disp="LOG --log-prefix "Shorewall:rfc1918:DROP:" --log-level info"
|
||||
########################################################################
|
||||
# Since the limited broadcast address falls into 240.0.0.0/4 which we
|
||||
# filter, we must make a special case. Also, we drop the autoconfig
|
||||
# class B but don't log since too many folks on cable/dsl screw up
|
||||
# their Windows Networking config and end up with an autoconfiged IP.
|
||||
#
|
||||
|
||||
createchain rfc1918 no
|
||||
|
||||
createchain logdrop no
|
||||
@ -2651,34 +2640,25 @@ apply_policy_rules() {
|
||||
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams
|
||||
|
||||
if havechain $chain; then
|
||||
[ -n "$synparams" ] && enable_syn_flood_protection $chain $chain
|
||||
elif [ "$client" = "all" -o "$server" = "all" ]; then
|
||||
[ -n "$synparams" ] && \
|
||||
run_iptables -I $chain 2 -p tcp --syn -j @$chain
|
||||
else
|
||||
#
|
||||
# A wild-card rule. Create the chain and add policy
|
||||
# rules if the policy isn't CONTINUE
|
||||
#
|
||||
createchain $chain
|
||||
# rules
|
||||
#
|
||||
# We must include the ESTABLISHED and RELATED state
|
||||
# rule here to account for replys and reverse
|
||||
# related sessions associated with sessions going
|
||||
# in the other direction
|
||||
#
|
||||
if [ "$policy" != CONTINUE ]; then
|
||||
policy_rules $chain $policy $loglevel
|
||||
|
||||
[ -n "$synparams" ] && \
|
||||
[ $policy = ACCEPT ] && \
|
||||
run_iptables -I $chain 2 -p tcp --syn -j @$chain
|
||||
fi
|
||||
else
|
||||
#
|
||||
# This policy chain is also a canonical chain -- create it
|
||||
#
|
||||
createchain $chain
|
||||
|
||||
[ "$client" = "all" -o "$server" = "all" ] && \
|
||||
policy_rules $chain $policy $loglevel
|
||||
|
||||
[ -n "$synparams" ] && \
|
||||
[ $policy = ACCEPT ] && \
|
||||
[ $policy = ACCEPT -o $policy = CONTINUE ] && \
|
||||
run_iptables -I $chain 2 -p tcp --syn -j @$chain
|
||||
fi
|
||||
|
||||
@ -2731,23 +2711,20 @@ activate_rules() {
|
||||
interface=${host%:*}
|
||||
subnet=${host#*:}
|
||||
chain1=`forward_chain $interface`
|
||||
|
||||
list_search $interface $multi_interfaces && multi=yes || multi=
|
||||
|
||||
|
||||
for host1 in $dest_hosts; do
|
||||
interface1=${host1%:*}
|
||||
subnet1=${host1#*:}
|
||||
|
||||
if [ $interface != $interface1 -o \
|
||||
"x$subnet" != "x$subnet1" -o \
|
||||
-n "$multi" ]; then
|
||||
|
||||
if [ $interface != $interface1 -o -n "$multi" ]; then
|
||||
run_iptables -A $chain1 -s $subnet \
|
||||
-o $interface1 -d $subnet1 -j $chain
|
||||
fi
|
||||
done
|
||||
|
||||
done
|
||||
done
|
||||
|
||||
done
|
||||
|
||||
for interface in $all_interfaces; do
|
||||
|
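Review bot: In the policy_rules hunk the function now ends with `[ -n "$target" ] && run_iptables -A $1 -j $target`, so for the CONTINUE case this commit adds (target empty) policy_rules exits with status 1 even though nothing went wrong; follow it with `return 0`, or write `[ -z "$target" ] || run_iptables -A $1 -j $target`, so the `[ ... ] && policy_rules $chain $policy $loglevel` chain in apply_policy_rules and any `set -e` handling (not visible here) do not see a spurious failure. policy_rules starts before the hunk. In the apply_policy_rules hunk, `[ $policy = ACCEPT -o $policy = CONTINUE ] && \` leaves $policy unquoted while the `"$policy" != CONTINUE` test a few lines earlier quotes it; `[ "$policy" = ACCEPT -o "$policy" = CONTINUE ] && \` keeps the two consistent. The complete_standard_chain context line `expandv client server policy loglevelsynparams` reads as a missing space before synparams; if the file really contains that rather than it being a rendering artifact, synparams is presumably never expanded in that loop and the later `[ -n "$synparams" ]` tests act on the raw column value.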
@ -54,7 +54,7 @@
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.3.0
|
||||
VERSION=1.3.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -423,6 +423,15 @@ if [ -f ${PREFIX}/etc/shorewall/whitelist ]; then
|
||||
rm -f ${PREFIX}/etc/shorewall/whitelist
|
||||
fi
|
||||
#
|
||||
# Install the rfc1918 file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/rfc1918 ]; then
|
||||
backup_file /etc/shorewall/rfc1918
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 rfc1918 ${PREFIX}/etc/shorewall/rfc1918
|
||||
echo -e "\nRFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918"
|
||||
fi
|
||||
#
|
||||
# Backup the version file
|
||||
#
|
||||
if [ -z "$PREFIX" ]; then
|
||||
|
@ -1,31 +1,15 @@
|
||||
This is a major release of Shorewall.
|
||||
This is a minor release of Shorewall.
|
||||
|
||||
In this release:
|
||||
|
||||
1. The rules syntax for port forwarding and port redirection has been
|
||||
simplified.
|
||||
|
||||
2. Compatibility has been maintained with version 1.2 configurations so
|
||||
that users may migrate their configuration at their convenience.
|
||||
|
||||
WARNING: Compatibility has NOT been maintained with the parameterized
|
||||
sample configurations which were withdrawn on 4/8/2002. Users
|
||||
still employing one of those samples must upgrade to the
|
||||
latest samples before running Shorewall 1.3 (Beta or Release).
|
||||
|
||||
3. You may now exclude zone A from a DNAT or REDIRECT rule that applies
|
||||
to zone B where zone A is a subzone of sone B.
|
||||
|
||||
4. The whitelist capability has been deimplemented. With recent changes
|
||||
to the firewall structure and change 3. above, white lists are now
|
||||
best implemented using zones as shown at:
|
||||
|
||||
http://www.shorewall.net/whitelisting_under_shorewall.htm
|
||||
|
||||
5. A 'filterping' interface option has been added to allow the
|
||||
rules and policy files to control the handling of ICMP echo-request
|
||||
(ping) requests that are addressed to the firewall.
|
||||
1. The handling of "all z CONTINUE" policies has been corrected. Use of
|
||||
these policies greatly simplifies whitelisting and other nested zone
|
||||
configuration.
|
||||
|
||||
2. Added an /etc/shorewall/rfc1918 configuration file for defining the
|
||||
behavior of the 'norfc1918' interface option.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -7,7 +7,7 @@
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# SUBNET The subnet
|
||||
# SUBNET The subnet (host addresses also allowed)
|
||||
# TARGET Where to send packets to/from this subnet
|
||||
# RETURN - let the packet be processed normally
|
||||
# DROP - silently drop the packet
|
||||
@ -24,3 +24,4 @@
|
||||
192.168.0.0/16 logdrop # RFC 1918
|
||||
172.16.0.0/12 logdrop # RFC 1918
|
||||
240.0.0.0/4 logdrop # Reserved
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
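Review bot: The `240.0.0.0/4 logdrop # Reserved` entry (which appears to be the line this hunk adds) also covers the limited broadcast address 255.255.255.255, and the comment this commit removes from add_common_rules in the firewall script says that address needed a special case precisely because it falls inside that range. Whether an earlier entry above line 24 returns 255.255.255.255 before this one matches is not visible here; without one, broadcast traffic such as DHCP on an interface using 'norfc1918' would be logged and dropped. Since the header now says host addresses are allowed, the matching order is what a user needs to place such an entry; if add_common_rules applies the table in file order, add `# Entries are tested in order; the first matching SUBNET decides.` to the header comment.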
@ -1,6 +1,6 @@
|
||||
%define name shorewall
|
||||
%define version 1.3
|
||||
%define release 0
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
@ -70,6 +70,7 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rfc1918
|
||||
%attr(0544,root,root) /sbin/shorewall
|
||||
%attr(0444,root,root) /etc/shorewall/functions
|
||||
/etc/shorewall/firewall
|
||||
@ -77,6 +78,9 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Fri May 31 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.1
|
||||
- Added the rfc1918 file
|
||||
* Wed May 29 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.0
|
||||
* Mon May 20 2002 Tom Eastep <tom@shorewall.net>
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=1.3.0
|
||||
VERSION=1.3.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -104,6 +104,7 @@ if [ -n "$VERSION" ]; then
|
||||
remove_file /etc/shorewall/modules-${VERSION}.bkout
|
||||
remove_file /etc/shorewall/blacklist-${VERSION}.bkout
|
||||
remove_file /etc/shorewall/whitelist-${VERSION}.bkout
|
||||
remove_file /etc/shorewall/rfc1918-${VERSION}.bkout
|
||||
fi
|
||||
|
||||
remove_file /etc/shorewall/firewall
|
||||
@ -144,6 +145,8 @@ remove_file /etc/shorewall/blacklist
|
||||
|
||||
remove_file /etc/shorewall/whitelist
|
||||
|
||||
remove_file /etc/shorewall/rfc1918
|
||||
|
||||
remove_file /etc/shorewall/shorewall.conf
|
||||
|
||||
remove_file /etc/shorewall/version
|
||||
|
@ -3,15 +3,12 @@
|
||||
#
|
||||
# This file determines your network zones. Columns are:
|
||||
#
|
||||
# ZONE Short name of the zone. If a sub-zone of a
|
||||
# previously-declared zone then it is
|
||||
# followed by a colon and the name of the
|
||||
# parent zone.
|
||||
# ZONE Short name of the zone
|
||||
# DISPLAY Display name of the zone
|
||||
# COMMENTS Comments about the zone
|
||||
#
|
||||
#ZONE[:PARENT] DISPLAY COMMENTS
|
||||
net Net Internet
|
||||
loc Local Local networks
|
||||
dmz DMZ Demilitarized zone
|
||||
#ZONE DISPLAY COMMENTS
|
||||
net Net Internet
|
||||
loc Local Local networks
|
||||
dmz DMZ Demilitarized zone
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
|