Final Changes for 1.3.1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@47 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -1,29 +1,12 @@
-Changes since 1.2.13
+Changes since 1.3.0
+
+1. Corrected policy handling for "all z CONTINUE" policies.
+2. Corrected problems with "-" as LOGLEVEL in the policy file.
+3. Added /etc/shorewall/rfc1918 file for defining the behavior of the
+   'norfc1918' interface option.
+4. Avoided forwarding rules between zones on the same interface when 'multi'
+   isn't specified on that interface.
 
-1. Changed all file versions to 1.3
-
-2. Changed the rules file and firewall file to implement the new forwarding
-   and redirection syntax.
-   
-3. Removed the sample rules from the rules file -- the quickstart samples
-   should provide those sample rules.
-   
-4. Added a silent Auth reject rule to common.def.
-
-5. Changed the handling of the nat table to have a separate chain for each
-   source zone.
-   
-6. Removed the code that tested each rules column for "none" -- this was never
-   documented and was there to support the brain-dead parameterized samples.
-   
-7. Reworked the chain structure in the filter table so that each interface has
-   its own input and forward chain.
-   
-8. Added logic to allow a subzone to be excluded from a DNAT or REDIRECT rule.
-
-9. Removed white list capability
-
-10. Added 'filterping' interface option.
 
 
 

Shorewall/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of 
 #       Shoreline Firewall.
 
-VERSION=1.3.0
+VERSION=1.3.1
 
 usage() # $1 = exit status
 {
@@ -103,6 +103,8 @@ restore_file /etc/shorewall/blacklist
 
 restore_file /etc/shorewall/whitelist
 
+restore_file /etc/shorewall/rfc1918
+
 restore_file /etc/shorewall/version
 
 oldversion="`cat /etc/shorewall/version`"

Shorewall/firewall

@@ -1964,15 +1964,18 @@ policy_rules() # $1 = chain to add rules to
     	run_iptables -A $1 -j common
 	target=reject
 	;;
+    CONTINUE)
+        target=
+	;;
     *)
-	fatal_error "Invalid policy ($policy) for $1 to $2"
+	fatal_error "Invalid policy ($policy) for $1"
 	;;
 
     esac
 
     [ $# -eq 3 ] && [ "x${3}" != "x-" ] && run_iptables -A $1 -j LOG $LOGPARMS \
-	--log-prefix "Shorewall:$chain:$policy:" --log-level $3
-    run_iptables -A $1 -j $target
+	--log-prefix "Shorewall:${1}:${2}:" --log-level $3
+    [ -n "$target" ] && run_iptables -A $1 -j $target
 }
 
 ################################################################################
@@ -2000,17 +2003,7 @@ default_policy() # $1 = client $2 = server
 
 	echo "   Policy $policy for $1 to $2 using chain $chain1"
 
-	if [ "$policy" = CONTINUE ]; then
-	    ####################################################################
-	    # The policy is CONTINUE -- simply add any logging and syn flood
-	    # jump rules to the canonical chain
-	    #
-	    [ -n "$loglevel" ] && run_iptables -A $chain -j LOG $LOGPARMS \
-	        --log-prefix "Shorewall:$chain:$policy:" --log-level $loglevel
-	    [ -n "$synparams" ] && \
-	        enable_syn_flood_protection $chain $chain1
-
-	elif [ "$chain" = "$chain1" ]; then
+	if [ "$chain" = "$chain1" ]; then
 	    ####################################################################
 	    # The policy chain is the canonical chain; add policy rule to it
 	    # The syn flood jump has already been added if required.
@@ -2019,14 +2012,13 @@ default_policy() # $1 = client $2 = server
 	else
 	    ####################################################################
 	    # Policy chain is different; add a rule to jump from the canonical
-	    # chain to the policy chain and optionally, insert a jump to the
-	    # policy chain's syn flood chain.
+	    # chain to the policy chain (unless the policy is CONTINUE) and
+	    # optionally, insert a jump to the policy chain's syn flood chain.
 	    #
 	    run_iptables -A $chain -j $chain1
 
 	    [ -n "$synparams" ] && \
 	        enable_syn_flood_protection $chain $chain1
-
 	fi
     }
 
@@ -2071,6 +2063,9 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
 
     while read client server policy loglevel synparams; do
         expandv client server policy loglevelsynparams
+	
+	[ "x$loglevel" = "x-" ] && loglevel=
+
 	case "$client" in
 	all|ALL)
 	    if [ "$server" = "$3" -o "$server" = "all" ]; then
@@ -2115,8 +2110,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
 	    fi
 	    ;;
 	*)
-	    if  [ "$client" = "$1" ] && \
-		[ "$server" = "all" -o "$server" = "$2" ]; then
+	    if [ "$client" = "$1" -a "$server" = "all" ]; then
 		echo ${client}2${server}
 		return
 	    fi
@@ -2535,12 +2529,7 @@ add_common_rules() {
 	strip_file rfc1918
 
 	disp="LOG --log-prefix "Shorewall:rfc1918:DROP:" --log-level info"
-	########################################################################
-	# Since the limited broadcast address falls into 240.0.0.0/4 which we 
-	# filter, we must make a special case. Also, we drop the autoconfig
-	# class B but don't log since too many folks on cable/dsl screw up
-	# their Windows Networking config and end up with an autoconfiged IP.
-	#
+	
 	createchain rfc1918 no
 
 	createchain logdrop no
@@ -2651,34 +2640,25 @@ apply_policy_rules() {
 	[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams
 
 	if havechain $chain; then
-	    [ -n "$synparams" ] && enable_syn_flood_protection $chain $chain
-	elif [ "$client" = "all" -o "$server" = "all" ]; then
+	    [ -n "$synparams" ] && \
+	        run_iptables -I $chain 2 -p tcp --syn -j @$chain
+	else
 	    #
 	    # A wild-card rule. Create the chain and add policy
-	    # rules if the policy isn't CONTINUE
-	    #
-	    createchain $chain
+	    # rules
 	    #
 	    # We must include the ESTABLISHED and RELATED state
 	    # rule here to account for replys and reverse
 	    # related sessions associated with sessions going
 	    # in the other direction
 	    #
-	    if [ "$policy" != CONTINUE ]; then
+	    createchain $chain
+
+	    [ "$client" = "all" -o "$server" = "all" ] && \
 	        policy_rules $chain $policy $loglevel
 
 	    [ -n "$synparams" ] && \
-		    [ $policy = ACCEPT ] && \
-		    run_iptables -I $chain 2 -p tcp --syn -j @$chain
-	    fi
-	else
-	    #
-	    # This policy chain is also a canonical chain -- create it
-	    #
-	    createchain $chain
-
-	    [ -n "$synparams" ] && \
-		[ $policy = ACCEPT ] && \
+		[ $policy = ACCEPT -o $policy = CONTINUE ] && \
 		run_iptables -I $chain 2 -p tcp --syn -j @$chain
 	fi
 
@@ -2731,23 +2711,20 @@ activate_rules() {
 		interface=${host%:*}
 		subnet=${host#*:}
 		chain1=`forward_chain $interface`
+		
 		list_search $interface $multi_interfaces && multi=yes || multi=
 		
 		for host1 in $dest_hosts; do
 		    interface1=${host1%:*}
 		    subnet1=${host1#*:}
 
-		    if [ $interface != $interface1 -o \
-		         "x$subnet"  != "x$subnet1" -o \
-		          -n "$multi" ]; then
+		    if [ $interface != $interface1 -o -n "$multi" ]; then
 			run_iptables -A $chain1 -s $subnet \
 			    -o $interface1 -d $subnet1 -j $chain
 		    fi
 		done
-
 	    done
 	done
-
     done
 
     for interface in $all_interfaces; do

Shorewall/install.sh

@@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
 
-VERSION=1.3.0
+VERSION=1.3.1
 
 usage() # $1 = exit status
 {
@@ -423,6 +423,15 @@ if [ -f ${PREFIX}/etc/shorewall/whitelist ]; then
     rm -f ${PREFIX}/etc/shorewall/whitelist
 fi
 #
+# Install the rfc1918 file
+#
+if [ -f ${PREFIX}/etc/shorewall/rfc1918 ]; then
+    backup_file /etc/shorewall/rfc1918
+else
+    run_install -o $OWNER -g $GROUP -m 0600 rfc1918 ${PREFIX}/etc/shorewall/rfc1918
+    echo -e "\nRFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918"
+fi
+#
 # Backup the version file
 #
 if [ -z "$PREFIX" ]; then

Shorewall/releasenotes.txt

@@ -1,30 +1,14 @@
-This is a major release of Shorewall.
+This is a minor release of Shorewall.
 
 In this release:
 
-1. The rules syntax for port forwarding and port redirection has been 
-   simplified.
+1. The handling of "all z CONTINUE" policies has been corrected. Use of
+   these policies greatly simplifies whitelisting and other nested zone
+   configuration.
+   
+2. Added an /etc/shorewall/rfc1918 configuration file for defining the
+   behavior of the 'norfc1918' interface option.
 
-2. Compatibility has been maintained with version 1.2 configurations so
-   that users may migrate their configuration at their convenience.
-   
-WARNING: Compatibility has NOT been maintained with the parameterized
-         sample configurations which were withdrawn on 4/8/2002. Users
-	 still employing one of those samples must upgrade to the
-	 latest samples before running Shorewall 1.3 (Beta or Release).
-	 
-3. You may now exclude zone A from a DNAT or REDIRECT rule that applies
-   to zone B where zone A is a subzone of sone B.
-   
-4. The whitelist capability has been deimplemented. With recent changes
-   to the firewall structure and change 3. above, white lists are now
-   best implemented using zones as shown at:
-   
-   http://www.shorewall.net/whitelisting_under_shorewall.htm 
-	 
-5. A 'filterping' interface option has been added to allow the 
-   rules and policy files to control the handling of ICMP echo-request
-   (ping) requests that are addressed to the firewall.
 
 
 

Shorewall/rfc1918

@@ -7,7 +7,7 @@
 #
 # Columns are:
 #
-# 	SUBNET		The subnet
+# 	SUBNET		The subnet (host addresses also allowed)
 #	TARGET		Where to send packets to/from this subnet
 #			RETURN	- let the packet be processed normally
 #			DROP	- silently drop the packet
@@ -24,3 +24,4 @@
 192.168.0.0/16		logdrop		# RFC 1918
 172.16.0.0/12		logdrop		# RFC 1918
 240.0.0.0/4		logdrop		# Reserved
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 1.3
-%define release 0
+%define release 1
 %define prefix /usr
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -70,6 +70,7 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/rfc1918
 %attr(0544,root,root) /sbin/shorewall
 %attr(0444,root,root) /etc/shorewall/functions
 /etc/shorewall/firewall
@@ -77,6 +78,9 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Fri May 31 2002 Tom Eastep <tom@shorewall.net>
+- Changed version to 1.3.1
+- Added the rfc1918 file
 * Wed May 29 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.0
 * Mon May 20 2002 Tom Eastep <tom@shorewall.net>

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
 
-VERSION=1.3.0
+VERSION=1.3.1
 
 usage() # $1 = exit status
 {
@@ -104,6 +104,7 @@ if [ -n "$VERSION" ]; then
     remove_file /etc/shorewall/modules-${VERSION}.bkout
     remove_file /etc/shorewall/blacklist-${VERSION}.bkout
     remove_file /etc/shorewall/whitelist-${VERSION}.bkout
+    remove_file /etc/shorewall/rfc1918-${VERSION}.bkout
 fi
 
 remove_file /etc/shorewall/firewall
@@ -144,6 +145,8 @@ remove_file /etc/shorewall/blacklist
 
 remove_file /etc/shorewall/whitelist
 
+remove_file /etc/shorewall/rfc1918
+
 remove_file /etc/shorewall/shorewall.conf
 
 remove_file /etc/shorewall/version

Shorewall/zones

@@ -3,14 +3,11 @@
 #
 # This file determines your network zones. Columns are:
 #
-#	ZONE		Short name of the zone. If a sub-zone of a
-#			previously-declared zone then it is
-#			followed by a colon and the name of the
-#			parent zone.
+#	ZONE		Short name of the zone
 #	DISPLAY		Display name of the zone
 #	COMMENTS	Comments about the zone
 #
-#ZONE[:PARENT]	DISPLAY		COMMENTS
+#ZONE	DISPLAY		COMMENTS
 net	Net		Internet 
 loc	Local		Local networks
 dmz	DMZ		Demilitarized zone