Deimplement original 'netnotsyn' handling
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2766 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
314b4ffd36
commit
2b6a9bb843
@ -8,6 +8,8 @@ Changes in 2.5.7
|
|||||||
|
|
||||||
4) Rename 'plain' to 'ipv4'
|
4) Rename 'plain' to 'ipv4'
|
||||||
|
|
||||||
|
5) Deimplement NEWNOTSYN
|
||||||
|
|
||||||
Changes in 2.5.6
|
Changes in 2.5.6
|
||||||
|
|
||||||
1) Finish install/fallback cleanup.
|
1) Finish install/fallback cleanup.
|
||||||
|
@ -243,8 +243,6 @@ finish_chain_section() # $1 = canonical chain $2 = state list
|
|||||||
[ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
|
[ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
|
||||||
|
|
||||||
if list_search RELATED $(separate_list $2) ; then
|
if list_search RELATED $(separate_list $2) ; then
|
||||||
[ -z "$NEWNOTSYN" ] && run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
|
|
||||||
|
|
||||||
if is_policy_chain $1 ; then
|
if is_policy_chain $1 ; then
|
||||||
if eval test -n \"\$${1}_synparams\" ; then
|
if eval test -n \"\$${1}_synparams\" ; then
|
||||||
if [ $SECTION = DONE ]; then
|
if [ $SECTION = DONE ]; then
|
||||||
@ -295,7 +293,7 @@ finish_section() # $1 = Section(s)
|
|||||||
# variable exists_${1} and set its value to Yes to indicate that the chain now
|
# variable exists_${1} and set its value to Yes to indicate that the chain now
|
||||||
# exists.
|
# exists.
|
||||||
#
|
#
|
||||||
createchain() # $1 = chain name, $2 = If "yes", create newnotsyn rule
|
createchain() # $1 = chain name, $2 = If "yes", do section-end processing
|
||||||
{
|
{
|
||||||
local c=$(chain_base $1)
|
local c=$(chain_base $1)
|
||||||
|
|
||||||
@ -310,9 +308,6 @@ createchain() # $1 = chain name, $2 = If "yes", create newnotsyn rule
|
|||||||
finish_chain_section $1 ESTABLISHED
|
finish_chain_section $1 ESTABLISHED
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
[ -z "$NEWNOTSYN" ] && \
|
|
||||||
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
eval exists_${c}=Yes
|
eval exists_${c}=Yes
|
||||||
@ -1167,7 +1162,7 @@ validate_interfaces_file() {
|
|||||||
case $option in
|
case $option in
|
||||||
-)
|
-)
|
||||||
;;
|
;;
|
||||||
dhcp|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
|
dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
|
||||||
;;
|
;;
|
||||||
norfc1918)
|
norfc1918)
|
||||||
addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)
|
addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)
|
||||||
@ -1483,7 +1478,7 @@ validate_hosts_file() {
|
|||||||
|
|
||||||
for option in $(separate_list $options) ; do
|
for option in $(separate_list $options) ; do
|
||||||
case $option in
|
case $option in
|
||||||
maclist|norfc1918|blacklist|tcpflags|nosmurfs|newnotsyn|-)
|
maclist|norfc1918|blacklist|tcpflags|nosmurfs|-)
|
||||||
;;
|
;;
|
||||||
ipsec)
|
ipsec)
|
||||||
[ -n "$POLICY_MATCH" ] || \
|
[ -n "$POLICY_MATCH" ] || \
|
||||||
@ -4546,7 +4541,7 @@ map_old_action() # $1 = Potential Old Action
|
|||||||
#
|
#
|
||||||
process_actions1() {
|
process_actions1() {
|
||||||
|
|
||||||
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
|
ACTIONS="dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
|
||||||
|
|
||||||
USEDACTIONS=
|
USEDACTIONS=
|
||||||
|
|
||||||
@ -4787,15 +4782,6 @@ process_actions3() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
dropNonSyn)
|
|
||||||
error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
|
|
||||||
|
|
||||||
if [ "$COMMAND" != check ]; then
|
|
||||||
[ -n "$xlevel" ] && \
|
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn
|
|
||||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
dropNotSyn)
|
dropNotSyn)
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
@ -7408,30 +7394,6 @@ initialize_netfilter () {
|
|||||||
|
|
||||||
[ -f $accounting_file ] && setup_accounting $accounting_file
|
[ -f $accounting_file ] && setup_accounting $accounting_file
|
||||||
|
|
||||||
if [ -z "$NEWNOTSYN" ]; then
|
|
||||||
createchain newnotsyn no
|
|
||||||
|
|
||||||
for host in $(find_hosts_by_option newnotsyn); do
|
|
||||||
ipsec=${host%^*}
|
|
||||||
host=${host#*^}
|
|
||||||
[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
|
|
||||||
interface=${host%%:*}
|
|
||||||
network=${host#*:}
|
|
||||||
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags ACK ACK -j ACCEPT
|
|
||||||
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags RST RST -j ACCEPT
|
|
||||||
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags FIN FIN -j ACCEPT
|
|
||||||
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -j RETURN
|
|
||||||
done
|
|
||||||
|
|
||||||
run_user_exit newnotsyn
|
|
||||||
|
|
||||||
if [ -n "$LOGNEWNOTSYN" ]; then
|
|
||||||
log_rule $LOGNEWNOTSYN newnotsyn DROP
|
|
||||||
fi
|
|
||||||
|
|
||||||
run_iptables -A newnotsyn -j DROP
|
|
||||||
fi
|
|
||||||
|
|
||||||
createchain reject no
|
createchain reject no
|
||||||
createchain dynamic no
|
createchain dynamic no
|
||||||
createchain smurfs no
|
createchain smurfs no
|
||||||
@ -8857,8 +8819,6 @@ do_initialize() {
|
|||||||
LOG_MARTIANS=
|
LOG_MARTIANS=
|
||||||
DETECT_DNAT_IPADDRS=
|
DETECT_DNAT_IPADDRS=
|
||||||
MUTEX_TIMEOUT=
|
MUTEX_TIMEOUT=
|
||||||
NEWNOTSYN=
|
|
||||||
LOGNEWNOTSYN=
|
|
||||||
FORWARDPING=
|
FORWARDPING=
|
||||||
MACLIST_DISPOSITION=
|
MACLIST_DISPOSITION=
|
||||||
MACLIST_LOG_LEVEL=
|
MACLIST_LOG_LEVEL=
|
||||||
@ -9017,8 +8977,6 @@ do_initialize() {
|
|||||||
[ -n "$FORWARDPING" ] && \
|
[ -n "$FORWARDPING" ] && \
|
||||||
startup_error "FORWARDPING=Yes is no longer supported"
|
startup_error "FORWARDPING=Yes is no longer supported"
|
||||||
|
|
||||||
NEWNOTSYN=$(added_param_value_yes NEWNOTSYN $NEWNOTSYN)
|
|
||||||
|
|
||||||
maclist_target=reject
|
maclist_target=reject
|
||||||
|
|
||||||
if [ -n "$MACLIST_DISPOSITION" ] ; then
|
if [ -n "$MACLIST_DISPOSITION" ] ; then
|
||||||
|
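Review bot: The migration text this commit adds to the release notes points users at the 'dropNonSyn' and 'rejNonSyn' built-in actions (and its example rule is `rejNonSyn:info net all tcp`), but the process_actions1 hunk removes dropNonSyn from ACTIONS, leaving only dropNotSyn and rejNotSyn, and the process_actions3 hunk deletes the dropNonSyn case whose own message said it had been replaced by dropNotSyn; rejNonSyn appears in neither list. A user following the notes after this commit would write rules naming actions the compiler no longer knows, so the notes should read `TCP new-not-syn packets may be blocked using the 'dropNotSyn' or 'rejNotSyn' built-in actions.` with the example `rejNotSyn:info net all tcp`. Separately, dropping the `NEWNOTSYN=` initialisation and the `added_param_value_yes NEWNOTSYN` line in do_initialize means a site that still has NEWNOTSYN=No in shorewall.conf (presumably sourced before this point, as the FORWARDPING check beside it implies) silently loses that drop; a check next to the FORWARDPING one, `case $NEWNOTSYN in [Nn]o) error_message "WARNING: NEWNOTSYN=No is no longer supported -- see the Migration Considerations in the release notes" ;; esac`, would make the change visible at startup without breaking configs that carry the former default NEWNOTSYN=Yes. process_actions1, process_actions3 and do_initialize all begin and end outside their hunks.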
@ -115,16 +115,6 @@
|
|||||||
# shorewall.conf. After logging, the
|
# shorewall.conf. After logging, the
|
||||||
# packets are dropped.
|
# packets are dropped.
|
||||||
#
|
#
|
||||||
# newnotsyn - TCP packets that don't have the SYN
|
|
||||||
# flag set and which are not part of an
|
|
||||||
# established connection will be accepted
|
|
||||||
# from these hosts, even if
|
|
||||||
# NEWNOTSYN=No has been specified in
|
|
||||||
# /etc/shorewall/shorewall.conf.
|
|
||||||
#
|
|
||||||
# This option has no effect if
|
|
||||||
# NEWNOTSYN=Yes.
|
|
||||||
#
|
|
||||||
# ipsec - The zone is accessed via a
|
# ipsec - The zone is accessed via a
|
||||||
# kernel 2.6 ipsec SA. Note that if the
|
# kernel 2.6 ipsec SA. Note that if the
|
||||||
# zone named in the ZONE column is
|
# zone named in the ZONE column is
|
||||||
|
@ -113,27 +113,6 @@
|
|||||||
# sub-networking as described at:
|
# sub-networking as described at:
|
||||||
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
||||||
#
|
#
|
||||||
# newnotsyn - TCP packets that don't have the SYN
|
|
||||||
# flag set and which are not part of an
|
|
||||||
# established connection will be accepted
|
|
||||||
# from this interface, even if
|
|
||||||
# NEWNOTSYN=No has been specified in
|
|
||||||
# /etc/shorewall/shorewall.conf. In other
|
|
||||||
# words, packets coming in on this
|
|
||||||
# interface are processed as if
|
|
||||||
# NEWNOTSYN=Yes had been specified in
|
|
||||||
# /etc/shorewall/shorewall.conf.
|
|
||||||
#
|
|
||||||
# This option has no effect if
|
|
||||||
# NEWNOTSYN=Yes.
|
|
||||||
#
|
|
||||||
# It is the opinion of the author that
|
|
||||||
# NEWNOTSYN=No creates more problems than
|
|
||||||
# it solves and I recommend against using
|
|
||||||
# that setting in shorewall.conf (hence
|
|
||||||
# making the use of the 'newnotsyn'
|
|
||||||
# interface option unnecessary).
|
|
||||||
#
|
|
||||||
# routeback - If specified, indicates that Shorewall
|
# routeback - If specified, indicates that Shorewall
|
||||||
# should include rules that allow
|
# should include rules that allow
|
||||||
# filtering traffic arriving on this
|
# filtering traffic arriving on this
|
||||||
|
@ -20,6 +20,11 @@ New Features in 2.5.7:
|
|||||||
"IPv4" and "IPV4" are synonyms for "ipv4". In addition, "IPSEC",
|
"IPv4" and "IPV4" are synonyms for "ipv4". In addition, "IPSEC",
|
||||||
"ipsec4" and "IPSEC4" are recognized synonyms for "ipsec".
|
"ipsec4" and "IPSEC4" are recognized synonyms for "ipsec".
|
||||||
|
|
||||||
|
3) The NEWNOTSYN and LOGNEWNOTSYN options in shorewall.conf have been
|
||||||
|
removed as have the 'newnotsyn' options in /etc/shorewall/interfaces
|
||||||
|
and /etc/shorewall/hosts. See the Migration Considerations for
|
||||||
|
instructions if you wish to block "new-not-syn" TCP packets.
|
||||||
|
|
||||||
Migration Considerations:
|
Migration Considerations:
|
||||||
|
|
||||||
1) The "monitor" command has been eliminated.
|
1) The "monitor" command has been eliminated.
|
||||||
@ -200,6 +205,23 @@ Migration Considerations:
|
|||||||
scripts like WonderShaper should see no change provided that
|
scripts like WonderShaper should see no change provided that
|
||||||
execute permission is placed on /etc/shorewall/tcstart.
|
execute permission is placed on /etc/shorewall/tcstart.
|
||||||
|
|
||||||
|
11) The NEWNOTSYN and LOGNEWNOTSYN options in shorewall.conf have been
|
||||||
|
removed as have the 'newnotsyn' options in /etc/shorewall/interfaces
|
||||||
|
and /etc/shorewall/hosts.
|
||||||
|
|
||||||
|
TCP new-not-syn packets may be blocked using the 'dropNonSyn' or
|
||||||
|
'rejNonSyn' built-in actions.
|
||||||
|
|
||||||
|
Example: Reject all new-not-syn packets from the net and log them at
|
||||||
|
the 'info' level.
|
||||||
|
|
||||||
|
#ACTION SOURCE DEST PROTO
|
||||||
|
SECTION NEW
|
||||||
|
rejNonSyn:info net all tcp
|
||||||
|
|
||||||
|
Note that the rule is added at the front of the NEW section of the
|
||||||
|
rules file.
|
||||||
|
|
||||||
New Features in Shorewall 2.5.*
|
New Features in Shorewall 2.5.*
|
||||||
|
|
||||||
1) Error and warning messages are made easier to spot by using
|
1) Error and warning messages are made easier to spot by using
|
||||||
|
@ -165,23 +165,6 @@ LOGALLNEW=
|
|||||||
|
|
||||||
BLACKLIST_LOGLEVEL=
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
#
|
|
||||||
# LOGGING 'New not SYN' rejects
|
|
||||||
#
|
|
||||||
# This variable only has an effect when NEWNOTSYN=No (see below).
|
|
||||||
#
|
|
||||||
# When a TCP packet that does not have the SYN flag set and the ACK and RST
|
|
||||||
# flags clear then unless the packet is part of an established connection,
|
|
||||||
# it will be rejected by the firewall. If you want these rejects logged,
|
|
||||||
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
|
|
||||||
#
|
|
||||||
# See the comment at the top of this section for a description of log levels
|
|
||||||
#
|
|
||||||
# Example: LOGNEWNOTSYN=debug
|
|
||||||
#
|
|
||||||
|
|
||||||
LOGNEWNOTSYN=info
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# MAC List Log Level
|
# MAC List Log Level
|
||||||
#
|
#
|
||||||
@ -558,52 +541,6 @@ DETECT_DNAT_IPADDRS=No
|
|||||||
|
|
||||||
MUTEX_TIMEOUT=60
|
MUTEX_TIMEOUT=60
|
||||||
|
|
||||||
#
|
|
||||||
# NEWNOTSYN
|
|
||||||
#
|
|
||||||
# TCP connections are established using the familiar three-way "handshake":
|
|
||||||
#
|
|
||||||
# CLIENT SERVER
|
|
||||||
#
|
|
||||||
# SYN-------------------->
|
|
||||||
# <------------------SYN,ACK
|
|
||||||
# ACK-------------------->
|
|
||||||
#
|
|
||||||
# The first packet in that exchange (packet with the SYN flag on and the ACK
|
|
||||||
# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
|
|
||||||
# A packet is said to be NEW if it is not part of or related to an already
|
|
||||||
# established connection.
|
|
||||||
#
|
|
||||||
# The NEWNOTSYN option determines the handling of non-SYN packets (those with
|
|
||||||
# SYN off or with ACK or RST on) that are not associated with an already
|
|
||||||
# established connection.
|
|
||||||
#
|
|
||||||
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
|
|
||||||
# part of an already established connection will be dropped by the
|
|
||||||
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
|
|
||||||
# logged before they are dropped.
|
|
||||||
#
|
|
||||||
# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
|
|
||||||
# dropped but will pass through the normal rule/policy processing.
|
|
||||||
#
|
|
||||||
# Users with a High-availability setup with two firewall's and one acting
|
|
||||||
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
|
|
||||||
# also need to select NEWNOTSYN=Yes.
|
|
||||||
#
|
|
||||||
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
|
|
||||||
# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
|
|
||||||
# network or host basis using the same option in /etc/shorewall/hosts.
|
|
||||||
#
|
|
||||||
# I find that NEWNOTSYN=No tends to result in lots of "stuck"
|
|
||||||
# connections because any network timeout during TCP session tear down
|
|
||||||
# results in retries being dropped (Netfilter has removed the
|
|
||||||
# connection from the conntrack table but the end-points haven't
|
|
||||||
# completed shutting down the connection). I therefore have chosen
|
|
||||||
# NEWNOTSYN=Yes as the default value.
|
|
||||||
#
|
|
||||||
|
|
||||||
NEWNOTSYN=Yes
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
|
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
|
||||||
#
|
#
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
# tcstart from tc4shorewall Version 0.5
|
# tcstart from tc4shorewall Version 0.5
|
||||||
# (c) 2005 Arne Bernin <arne@ucbering.de>
|
# (c) 2005 Arne Bernin <arne@ucbering.de>
|
||||||
|
# Modified by Tom Eastep for integration into the Shorewall distribution
|
||||||
# published under GPL Version 2
|
# published under GPL Version 2
|
||||||
|
|
||||||
created_tmp_dir=
|
created_tmp_dir=
|
||||||
@ -86,7 +87,7 @@ setup_traffic_shaping()
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# get given outbandwidth for device
|
# get given outbandwidth for device
|
||||||
get_outband_for_dev() {
|
get_outband_for_dev() {
|
||||||
local device inband outband
|
local device inband outband
|
||||||
while read device inband outband; do
|
while read device inband outband; do
|
||||||
|