Final Changes for 1.3.1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@47 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-06-01 00:28:18 +00:00
parent ed339d65bf
commit 16d50cb974
9 changed files with 73 additions and 113 deletions


@ -1,29 +1,12 @@
Changes since 1.2.13 Changes since 1.3.0
1. Corrected policy handling for "all z CONTINUE" policies.
2. Corrected problems with "-" as LOGLEVEL in the policy file.
3. Added /etc/shorewall/rfc1918 file for defining the behavior of the
'norfc1918' interface option.
4. Avoided forwarding rules between zones on the same interface when 'multi'
isn't specified on that interface.
1. Changed all file versions to 1.3
2. Changed the rules file and firewall file to implement the new forwarding
and redirection syntax.
3. Removed the sample rules from the rules file -- the quickstart samples
should provide those sample rules.
4. Added a silent Auth reject rule to common.def.
5. Changed the handling of the nat table to have a separate chain for each
source zone.
6. Removed the code that tested each rules column for "none" -- this was never
documented and was there to support the brain-dead parameterized samples.
7. Reworked the chain structure in the filter table so that each interface has
its own input and forward chain.
8. Added logic to allow a subzone to be excluded from a DNAT or REDIRECT rule.
9. Removed white list capability
10. Added 'filterping' interface option.


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.3.0 VERSION=1.3.1
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -103,6 +103,8 @@ restore_file /etc/shorewall/blacklist
restore_file /etc/shorewall/whitelist restore_file /etc/shorewall/whitelist
restore_file /etc/shorewall/rfc1918
restore_file /etc/shorewall/version restore_file /etc/shorewall/version
oldversion="`cat /etc/shorewall/version`" oldversion="`cat /etc/shorewall/version`"


@ -1964,15 +1964,18 @@ policy_rules() # $1 = chain to add rules to
run_iptables -A $1 -j common run_iptables -A $1 -j common
target=reject target=reject
;; ;;
CONTINUE)
target=
;;
*) *)
fatal_error "Invalid policy ($policy) for $1 to $2" fatal_error "Invalid policy ($policy) for $1"
;; ;;
esac esac
[ $# -eq 3 ] && [ "x${3}" != "x-" ] && run_iptables -A $1 -j LOG $LOGPARMS \ [ $# -eq 3 ] && [ "x${3}" != "x-" ] && run_iptables -A $1 -j LOG $LOGPARMS \
--log-prefix "Shorewall:$chain:$policy:" --log-level $3 --log-prefix "Shorewall:${1}:${2}:" --log-level $3
run_iptables -A $1 -j $target [ -n "$target" ] && run_iptables -A $1 -j $target
} }
################################################################################ ################################################################################
@ -2000,17 +2003,7 @@ default_policy() # $1 = client $2 = server
echo " Policy $policy for $1 to $2 using chain $chain1" echo " Policy $policy for $1 to $2 using chain $chain1"
if [ "$policy" = CONTINUE ]; then if [ "$chain" = "$chain1" ]; then
####################################################################
# The policy is CONTINUE -- simply add any logging and syn flood
# jump rules to the canonical chain
#
[ -n "$loglevel" ] && run_iptables -A $chain -j LOG $LOGPARMS \
--log-prefix "Shorewall:$chain:$policy:" --log-level $loglevel
[ -n "$synparams" ] && \
enable_syn_flood_protection $chain $chain1
elif [ "$chain" = "$chain1" ]; then
#################################################################### ####################################################################
# The policy chain is the canonical chain; add policy rule to it # The policy chain is the canonical chain; add policy rule to it
# The syn flood jump has already been added if required. # The syn flood jump has already been added if required.
@ -2019,14 +2012,13 @@ default_policy() # $1 = client $2 = server
else else
#################################################################### ####################################################################
# Policy chain is different; add a rule to jump from the canonical # Policy chain is different; add a rule to jump from the canonical
# chain to the policy chain and optionally, insert a jump to the # chain to the policy chain (unless the policy is CONTINUE) and
# policy chain's syn flood chain. # optionally, insert a jump to the policy chain's syn flood chain.
# #
run_iptables -A $chain -j $chain1 run_iptables -A $chain -j $chain1
[ -n "$synparams" ] && \ [ -n "$synparams" ] && \
enable_syn_flood_protection $chain $chain1 enable_syn_flood_protection $chain $chain1
fi fi
} }
@ -2071,6 +2063,9 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
while read client server policy loglevel synparams; do while read client server policy loglevel synparams; do
expandv client server policy loglevelsynparams expandv client server policy loglevelsynparams
[ "x$loglevel" = "x-" ] && loglevel=
case "$client" in case "$client" in
all|ALL) all|ALL)
if [ "$server" = "$3" -o "$server" = "all" ]; then if [ "$server" = "$3" -o "$server" = "all" ]; then
@ -2110,15 +2105,14 @@ rules_chain() # $1 = source zone, $2 = destination zone
case "$client" in case "$client" in
all|ALL) all|ALL)
if [ "$server" = "$2" -o "$server" = "all" ]; then if [ "$server" = "$2" -o "$server" = "all" ]; then
echo all2${server} echo all2${server}
return return
fi fi
;; ;;
*) *)
if [ "$client" = "$1" ] && \ if [ "$client" = "$1" -a "$server" = "all" ]; then
[ "$server" = "all" -o "$server" = "$2" ]; then echo ${client}2${server}
echo ${client}2${server} return
return
fi fi
;; ;;
esac esac
@ -2535,12 +2529,7 @@ add_common_rules() {
strip_file rfc1918 strip_file rfc1918
disp="LOG --log-prefix "Shorewall:rfc1918:DROP:" --log-level info" disp="LOG --log-prefix "Shorewall:rfc1918:DROP:" --log-level info"
########################################################################
# Since the limited broadcast address falls into 240.0.0.0/4 which we
# filter, we must make a special case. Also, we drop the autoconfig
# class B but don't log since too many folks on cable/dsl screw up
# their Windows Networking config and end up with an autoconfiged IP.
#
createchain rfc1918 no createchain rfc1918 no
createchain logdrop no createchain logdrop no
@ -2651,34 +2640,25 @@ apply_policy_rules() {
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams
if havechain $chain; then if havechain $chain; then
[ -n "$synparams" ] && enable_syn_flood_protection $chain $chain [ -n "$synparams" ] && \
elif [ "$client" = "all" -o "$server" = "all" ]; then run_iptables -I $chain 2 -p tcp --syn -j @$chain
else
# #
# A wild-card rule. Create the chain and add policy # A wild-card rule. Create the chain and add policy
# rules if the policy isn't CONTINUE # rules
#
createchain $chain
# #
# We must include the ESTABLISHED and RELATED state # We must include the ESTABLISHED and RELATED state
# rule here to account for replys and reverse # rule here to account for replys and reverse
# related sessions associated with sessions going # related sessions associated with sessions going
# in the other direction # in the other direction
# #
if [ "$policy" != CONTINUE ]; then
policy_rules $chain $policy $loglevel
[ -n "$synparams" ] && \
[ $policy = ACCEPT ] && \
run_iptables -I $chain 2 -p tcp --syn -j @$chain
fi
else
#
# This policy chain is also a canonical chain -- create it
#
createchain $chain createchain $chain
[ "$client" = "all" -o "$server" = "all" ] && \
policy_rules $chain $policy $loglevel
[ -n "$synparams" ] && \ [ -n "$synparams" ] && \
[ $policy = ACCEPT ] && \ [ $policy = ACCEPT -o $policy = CONTINUE ] && \
run_iptables -I $chain 2 -p tcp --syn -j @$chain run_iptables -I $chain 2 -p tcp --syn -j @$chain
fi fi
@ -2731,23 +2711,20 @@ activate_rules() {
interface=${host%:*} interface=${host%:*}
subnet=${host#*:} subnet=${host#*:}
chain1=`forward_chain $interface` chain1=`forward_chain $interface`
list_search $interface $multi_interfaces && multi=yes || multi= list_search $interface $multi_interfaces && multi=yes || multi=
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
interface1=${host1%:*} interface1=${host1%:*}
subnet1=${host1#*:} subnet1=${host1#*:}
if [ $interface != $interface1 -o \ if [ $interface != $interface1 -o -n "$multi" ]; then
"x$subnet" != "x$subnet1" -o \
-n "$multi" ]; then
run_iptables -A $chain1 -s $subnet \ run_iptables -A $chain1 -s $subnet \
-o $interface1 -d $subnet1 -j $chain -o $interface1 -d $subnet1 -j $chain
fi fi
done done
done done
done done
done done
for interface in $all_interfaces; do for interface in $all_interfaces; do
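Review bot: In the policy_rules hunk the new last statement `[ -n "$target" ] && run_iptables -A $1 -j $target` makes the function's exit status 1 whenever the policy is CONTINUE, because the failed test is the last command evaluated; the one caller visible in this diff (`[ "$client" = "all" -o "$server" = "all" ] && policy_rules $chain $policy $loglevel` in apply_policy_rules) discards that status, but any caller that checks it, or a later `set -e`, would treat every CONTINUE policy as a failure. Writing it as `if [ -n "$target" ]; then run_iptables -A $1 -j $target; fi` keeps the status tied to the iptables call; the LOG line just above has the same shape when `$3` is `-`, though that line is not new here. In the default_policy hunk the rewritten comment says the jump to the policy chain is added "unless the policy is CONTINUE", yet the `run_iptables -A $chain -j $chain1` below it is unconditional on the new side; if the intent is that a CONTINUE chain simply carries no terminating target and falls through, the comment should say that rather than describe a condition the code does not apply. policy_rules and default_policy both begin before their hunks, so their full bodies are not visible here.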


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.3.0 VERSION=1.3.1
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -423,6 +423,15 @@ if [ -f ${PREFIX}/etc/shorewall/whitelist ]; then
rm -f ${PREFIX}/etc/shorewall/whitelist rm -f ${PREFIX}/etc/shorewall/whitelist
fi fi
# #
# Install the rfc1918 file
#
if [ -f ${PREFIX}/etc/shorewall/rfc1918 ]; then
backup_file /etc/shorewall/rfc1918
else
run_install -o $OWNER -g $GROUP -m 0600 rfc1918 ${PREFIX}/etc/shorewall/rfc1918
echo -e "\nRFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918"
fi
#
# Backup the version file # Backup the version file
# #
if [ -z "$PREFIX" ]; then if [ -z "$PREFIX" ]; then
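Review bot: The new rfc1918 install block reports success with `echo -e "\nRFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918"`; `echo -e` is not portable across /bin/sh implementations (a POSIX echo prints the `-e` literally), so if this installer is meant to run under plain sh, `printf '\nRFC 1918 file installed as %s\n' "${PREFIX}/etc/shorewall/rfc1918"` is the safer form. The block also leaves `${PREFIX}` unquoted in the `[ -f ... ]` test and in the `run_install` target, matching the existing whitelist block above it, so a PREFIX containing whitespace breaks both; quoting them as `"${PREFIX}/etc/shorewall/rfc1918"` costs nothing. Installing the file with mode 0600 is consistent with the `%attr(0600,root,root)` entry the spec file adds in this same commit, so that part looks right. The enclosing script continues outside the hunk.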


@ -1,30 +1,14 @@
This is a major release of Shorewall. This is a minor release of Shorewall.
In this release: In this release:
1. The rules syntax for port forwarding and port redirection has been 1. The handling of "all z CONTINUE" policies has been corrected. Use of
simplified. these policies greatly simplifies whitelisting and other nested zone
configuration.
2. Added an /etc/shorewall/rfc1918 configuration file for defining the
behavior of the 'norfc1918' interface option.
2. Compatibility has been maintained with version 1.2 configurations so
that users may migrate their configuration at their convenience.
WARNING: Compatibility has NOT been maintained with the parameterized
sample configurations which were withdrawn on 4/8/2002. Users
still employing one of those samples must upgrade to the
latest samples before running Shorewall 1.3 (Beta or Release).
3. You may now exclude zone A from a DNAT or REDIRECT rule that applies
to zone B where zone A is a subzone of sone B.
4. The whitelist capability has been deimplemented. With recent changes
to the firewall structure and change 3. above, white lists are now
best implemented using zones as shown at:
http://www.shorewall.net/whitelisting_under_shorewall.htm
5. A 'filterping' interface option has been added to allow the
rules and policy files to control the handling of ICMP echo-request
(ping) requests that are addressed to the firewall.


@ -7,7 +7,7 @@
# #
# Columns are: # Columns are:
# #
# SUBNET The subnet # SUBNET The subnet (host addresses also allowed)
# TARGET Where to send packets to/from this subnet # TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally # RETURN - let the packet be processed normally
# DROP - silently drop the packet # DROP - silently drop the packet
@ -24,3 +24,4 @@
192.168.0.0/16 logdrop # RFC 1918 192.168.0.0/16 logdrop # RFC 1918
172.16.0.0/12 logdrop # RFC 1918 172.16.0.0/12 logdrop # RFC 1918
240.0.0.0/4 logdrop # Reserved 240.0.0.0/4 logdrop # Reserved
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 1.3 %define version 1.3
%define release 0 %define release 1
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -70,6 +70,7 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels %attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts %attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist %attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rfc1918
%attr(0544,root,root) /sbin/shorewall %attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /etc/shorewall/functions %attr(0444,root,root) /etc/shorewall/functions
/etc/shorewall/firewall /etc/shorewall/firewall
@ -77,6 +78,9 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Fri May 31 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.1
- Added the rfc1918 file
* Wed May 29 2002 Tom Eastep <tom@shorewall.net> * Wed May 29 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.0 - Changed version to 1.3.0
* Mon May 20 2002 Tom Eastep <tom@shorewall.net> * Mon May 20 2002 Tom Eastep <tom@shorewall.net>


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.0 VERSION=1.3.1
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -104,6 +104,7 @@ if [ -n "$VERSION" ]; then
remove_file /etc/shorewall/modules-${VERSION}.bkout remove_file /etc/shorewall/modules-${VERSION}.bkout
remove_file /etc/shorewall/blacklist-${VERSION}.bkout remove_file /etc/shorewall/blacklist-${VERSION}.bkout
remove_file /etc/shorewall/whitelist-${VERSION}.bkout remove_file /etc/shorewall/whitelist-${VERSION}.bkout
remove_file /etc/shorewall/rfc1918-${VERSION}.bkout
fi fi
remove_file /etc/shorewall/firewall remove_file /etc/shorewall/firewall
@ -144,6 +145,8 @@ remove_file /etc/shorewall/blacklist
remove_file /etc/shorewall/whitelist remove_file /etc/shorewall/whitelist
remove_file /etc/shorewall/rfc1918
remove_file /etc/shorewall/shorewall.conf remove_file /etc/shorewall/shorewall.conf
remove_file /etc/shorewall/version remove_file /etc/shorewall/version


@ -3,15 +3,12 @@
# #
# This file determines your network zones. Columns are: # This file determines your network zones. Columns are:
# #
# ZONE Short name of the zone. If a sub-zone of a # ZONE Short name of the zone
# previously-declared zone then it is
# followed by a colon and the name of the
# parent zone.
# DISPLAY Display name of the zone # DISPLAY Display name of the zone
# COMMENTS Comments about the zone # COMMENTS Comments about the zone
# #
#ZONE[:PARENT] DISPLAY COMMENTS #ZONE DISPLAY COMMENTS
net Net Internet net Net Internet
loc Local Local networks loc Local Local networks
dmz DMZ Demilitarized zone dmz DMZ Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE