Deimplement original 'netnotsyn' handling

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2766 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-10-01 15:55:41 +00:00
parent 314b4ffd36
commit 2b6a9bb843
7 changed files with 32 additions and 143 deletions

View File

@ -8,6 +8,8 @@ Changes in 2.5.7
4) Rename 'plain' to 'ipv4' 4) Rename 'plain' to 'ipv4'
5) Deimplement NEWNOTSYN
Changes in 2.5.6 Changes in 2.5.6
1) Finish install/fallback cleanup. 1) Finish install/fallback cleanup.

View File

@ -243,8 +243,6 @@ finish_chain_section() # $1 = canonical chain $2 = state list
[ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
if list_search RELATED $(separate_list $2) ; then if list_search RELATED $(separate_list $2) ; then
[ -z "$NEWNOTSYN" ] && run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
if is_policy_chain $1 ; then if is_policy_chain $1 ; then
if eval test -n \"\$${1}_synparams\" ; then if eval test -n \"\$${1}_synparams\" ; then
if [ $SECTION = DONE ]; then if [ $SECTION = DONE ]; then
@ -295,7 +293,7 @@ finish_section() # $1 = Section(s)
# variable exists_${1} and set its value to Yes to indicate that the chain now # variable exists_${1} and set its value to Yes to indicate that the chain now
# exists. # exists.
# #
createchain() # $1 = chain name, $2 = If "yes", create newnotsyn rule createchain() # $1 = chain name, $2 = If "yes", do section-end processing
{ {
local c=$(chain_base $1) local c=$(chain_base $1)
@ -310,9 +308,6 @@ createchain() # $1 = chain name, $2 = If "yes", create newnotsyn rule
finish_chain_section $1 ESTABLISHED finish_chain_section $1 ESTABLISHED
;; ;;
esac esac
[ -z "$NEWNOTSYN" ] && \
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
fi fi
eval exists_${c}=Yes eval exists_${c}=Yes
@ -1167,7 +1162,7 @@ validate_interfaces_file() {
case $option in case $option in
-) -)
;; ;;
dhcp|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-) dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
;; ;;
norfc1918) norfc1918)
addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1) addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)
@ -1483,7 +1478,7 @@ validate_hosts_file() {
for option in $(separate_list $options) ; do for option in $(separate_list $options) ; do
case $option in case $option in
maclist|norfc1918|blacklist|tcpflags|nosmurfs|newnotsyn|-) maclist|norfc1918|blacklist|tcpflags|nosmurfs|-)
;; ;;
ipsec) ipsec)
[ -n "$POLICY_MATCH" ] || \ [ -n "$POLICY_MATCH" ] || \
@ -4546,7 +4541,7 @@ map_old_action() # $1 = Potential Old Action
# #
process_actions1() { process_actions1() {
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP" ACTIONS="dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
USEDACTIONS= USEDACTIONS=
@ -4787,15 +4782,6 @@ process_actions3() {
fi fi
fi fi
;; ;;
dropNonSyn)
error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP
fi
;;
dropNotSyn) dropNotSyn)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
@ -7408,30 +7394,6 @@ initialize_netfilter () {
[ -f $accounting_file ] && setup_accounting $accounting_file [ -f $accounting_file ] && setup_accounting $accounting_file
if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no
for host in $(find_hosts_by_option newnotsyn); do
ipsec=${host%^*}
host=${host#*^}
[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
interface=${host%%:*}
network=${host#*:}
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags FIN FIN -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -j RETURN
done
run_user_exit newnotsyn
if [ -n "$LOGNEWNOTSYN" ]; then
log_rule $LOGNEWNOTSYN newnotsyn DROP
fi
run_iptables -A newnotsyn -j DROP
fi
createchain reject no createchain reject no
createchain dynamic no createchain dynamic no
createchain smurfs no createchain smurfs no
@ -8857,8 +8819,6 @@ do_initialize() {
LOG_MARTIANS= LOG_MARTIANS=
DETECT_DNAT_IPADDRS= DETECT_DNAT_IPADDRS=
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
NEWNOTSYN=
LOGNEWNOTSYN=
FORWARDPING= FORWARDPING=
MACLIST_DISPOSITION= MACLIST_DISPOSITION=
MACLIST_LOG_LEVEL= MACLIST_LOG_LEVEL=
@ -9017,8 +8977,6 @@ do_initialize() {
[ -n "$FORWARDPING" ] && \ [ -n "$FORWARDPING" ] && \
startup_error "FORWARDPING=Yes is no longer supported" startup_error "FORWARDPING=Yes is no longer supported"
NEWNOTSYN=$(added_param_value_yes NEWNOTSYN $NEWNOTSYN)
maclist_target=reject maclist_target=reject
if [ -n "$MACLIST_DISPOSITION" ] ; then if [ -n "$MACLIST_DISPOSITION" ] ; then

View File

@ -115,16 +115,6 @@
# shorewall.conf. After logging, the # shorewall.conf. After logging, the
# packets are dropped. # packets are dropped.
# #
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from these hosts, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
# ipsec - The zone is accessed via a # ipsec - The zone is accessed via a
# kernel 2.6 ipsec SA. Note that if the # kernel 2.6 ipsec SA. Note that if the
# zone named in the ZONE column is # zone named in the ZONE column is

View File

@ -113,27 +113,6 @@
# sub-networking as described at: # sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
# #
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from this interface, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf. In other
# words, packets coming in on this
# interface are processed as if
# NEWNOTSYN=Yes had been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
# It is the opinion of the author that
# NEWNOTSYN=No creates more problems than
# it solves and I recommend against using
# that setting in shorewall.conf (hence
# making the use of the 'newnotsyn'
# interface option unnecessary).
#
# routeback - If specified, indicates that Shorewall # routeback - If specified, indicates that Shorewall
# should include rules that allow # should include rules that allow
# filtering traffic arriving on this # filtering traffic arriving on this

View File

@ -20,6 +20,11 @@ New Features in 2.5.7:
"IPv4" and "IPV4" are synonyms for "ipv4". In addition, "IPSEC", "IPv4" and "IPV4" are synonyms for "ipv4". In addition, "IPSEC",
"ipsec4" and "IPSEC4" are recognized synonyms for "ipsec". "ipsec4" and "IPSEC4" are recognized synonyms for "ipsec".
3) The NEWNOTSYN and LOGNEWNOTSYN options in shorewall.conf have been
removed as have the 'newnotsyn' options in /etc/shorewall/interfaces
and /etc/shorewall/hosts. See the Migration Considerations for
instructions if you wish to block "new-not-syn" TCP packets.
Migration Considerations: Migration Considerations:
1) The "monitor" command has been eliminated. 1) The "monitor" command has been eliminated.
@ -200,6 +205,23 @@ Migration Considerations:
scripts like WonderShaper should see no change provided that scripts like WonderShaper should see no change provided that
execute permission is placed on /etc/shorewall/tcstart. execute permission is placed on /etc/shorewall/tcstart.
11) The NEWNOTSYN and LOGNEWNOTSYN options in shorewall.conf have been
removed as have the 'newnotsyn' options in /etc/shorewall/interfaces
and /etc/shorewall/hosts.
TCP new-not-syn packets may be blocked using the 'dropNonSyn' or
'rejNonSyn' built-in actions.
Example: Reject all new-not-syn packets from the net and log them at
the 'info' level.
#ACTION SOURCE DEST PROTO
SECTION NEW
rejNonSyn:info net all tcp
Note that the rule is added at the front of the NEW section of the
rules file.
New Features in Shorewall 2.5.* New Features in Shorewall 2.5.*
1) Error and warning messages are made easier to spot by using 1) Error and warning messages are made easier to spot by using

View File

@ -165,23 +165,6 @@ LOGALLNEW=
BLACKLIST_LOGLEVEL= BLACKLIST_LOGLEVEL=
#
# LOGGING 'New not SYN' rejects
#
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# See the comment at the top of this section for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
#
LOGNEWNOTSYN=info
# #
# MAC List Log Level # MAC List Log Level
# #
@ -558,52 +541,6 @@ DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60 MUTEX_TIMEOUT=60
#
# NEWNOTSYN
#
# TCP connections are established using the familiar three-way "handshake":
#
# CLIENT SERVER
#
# SYN-------------------->
# <------------------SYN,ACK
# ACK-------------------->
#
# The first packet in that exchange (packet with the SYN flag on and the ACK
# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
# A packet is said to be NEW if it is not part of or related to an already
# established connection.
#
# The NEWNOTSYN option determines the handling of non-SYN packets (those with
# SYN off or with ACK or RST on) that are not associated with an already
# established connection.
#
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
# part of an already established connection will be dropped by the
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
# logged before they are dropped.
#
# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
# dropped but will pass through the normal rule/policy processing.
#
# Users with a High-availability setup with two firewall's and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes.
#
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
# network or host basis using the same option in /etc/shorewall/hosts.
#
# I find that NEWNOTSYN=No tends to result in lots of "stuck"
# connections because any network timeout during TCP session tear down
# results in retries being dropped (Netfilter has removed the
# connection from the conntrack table but the end-points haven't
# completed shutting down the connection). I therefore have chosen
# NEWNOTSYN=Yes as the default value.
#
NEWNOTSYN=Yes
# #
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT # FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
# #

View File

@ -2,6 +2,7 @@
# tcstart from tc4shorewall Version 0.5 # tcstart from tc4shorewall Version 0.5
# (c) 2005 Arne Bernin <arne@ucbering.de> # (c) 2005 Arne Bernin <arne@ucbering.de>
# Modified by Tom Eastep for integration into the Shorewall distribution
# published under GPL Version 2 # published under GPL Version 2
created_tmp_dir= created_tmp_dir=
@ -86,7 +87,7 @@ setup_traffic_shaping()
fi fi
} }
# get given outbandwidth for device # get given outbandwidth for device
get_outband_for_dev() { get_outband_for_dev() {
local device inband outband local device inband outband
while read device inband outband; do while read device inband outband; do