diff --git a/Shorewall2/actions.std b/Shorewall2/actions.std
index ccdc2eb4b..47779a38b 100644
--- a/Shorewall2/actions.std
+++ b/Shorewall2/actions.std
@@ -6,16 +6,13 @@
 #
 # allowBcast #Silently Allow Broadcast/multicast
 # dropBcast #Silently Drop Broadcast/multicast
-# dropNonSyn #Silently Drop Non-syn TCP packets
-# rejNonSyn #Silently Reject Non-syn TCP packets
+# dropNotSyn #Silently Drop Non-syn TCP packets
+# rejNotSyn #Silently Reject Non-syn TCP packets
 # dropInvalid #Silently Drop packets that are in the INVALID
 # #conntrack state.
 # allowInvalid #Accept packets that are in the INVALID
 # #conntrack state.
 #
-# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
-# shorewall.conf. If that option isn't specified then 'info' is used.
-#
 #ACTION
 DropSMB #Silently Drops Microsoft SMB Traffic
diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 4d57c02ed..6e8e52db2 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -4,6 +4,8 @@ Changes in 2.2.1
 2) Simon Matter's patch for umask.
+3) Apply Juergen Kreileder's patch for logging.
+
 Changes since 2.0.3
 1) Fix security vulnerability involving temporary files/directories.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 892a9aa76..4744bac36 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -3533,8 +3533,8 @@ process_actions3() {
 ;;
 *)
 if [ -n "$xlevel" ]; then
- log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
- log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
+ log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
+ log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
 fi
 ;;
 esac
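Review bot: The disposition handed to log_rule_limit is now a literal `DROP` that has to stay in step with the `-j DROP` target on the run_iptables line of the same case, which lies outside this hunk; the same literal-next-to-target pairing appears in the allowBcast, dropNonSyn/dropNotSyn, rejNotSyn, dropInvalid and allowInvalid cases of the later hunks. One assignment per case, e.g. `xdisposition=DROP` ahead of the `if [ -n "$xlevel" ]` test, used both as the log_rule_limit argument and as `-j $xdisposition`, would keep the logged verdict from drifting away from the installed rule the way it did with `$2`. The logged disposition is what an analyst reads when triaging these entries, so its agreement with the real target is the substance of this fix and worth locking in structurally. The enclosing case arm and process_actions3 itself both begin before the hunk.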
@@ -3548,7 +3548,7 @@ process_actions3() {
 ;;
 *)
 [ -n "$xlevel" ] && \
- log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address
+ log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
 ;;
 esac
@@ -3565,8 +3565,8 @@ process_actions3() {
 ;;
 *)
 if [ -n "$xlevel" ]; then
- log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
- log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
+ log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
+ log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
 fi
 ;;
 esac
@@ -3580,7 +3580,7 @@ process_actions3() {
 ;;
 *)
 [ -n "$xlevel" ] && \
- log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address
+ log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address
 ;;
 esac
@@ -3594,35 +3594,35 @@ process_actions3() {
 if [ "$COMMAND" != check ]; then
 [ -n "$xlevel" ] && \
- log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn
+ log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn
 run_iptables -A $xchain -p tcp ! --syn -j DROP
 fi
 ;;
 dropNotSyn)
 if [ "$COMMAND" != check ]; then
 [ -n "$xlevel" ] && \
- log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn
+ log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn
 run_iptables -A $xchain -p tcp ! --syn -j DROP
 fi
 ;;
 rejNotSyn)
 if [ "$COMMAND" != check ]; then
 [ -n "$xlevel" ] && \
- log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn
+ log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn
 run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
 fi
 ;;
 dropInvalid)
 if [ "$COMMAND" != check ]; then
 [ -n "$xlevel" ] && \
- log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID
+ log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID
 run_iptables -A $xchain -m state --state INVALID -j DROP
 fi
 ;;
 allowInvalid)
 if [ "$COMMAND" != check ]; then
 [ -n "$xlevel" ] && \
- log_rule_limit ${xlevel%\!} $xchain allowInvalid $2 "" "$xtag" -A -m state --state INVALID
+ log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID
 run_iptables -A $xchain -m state --state INVALID -j ACCEPT
 fi
 ;;
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 66e942969..587007529 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
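Review bot: The case arm whose log display name is dropNonSyn (its label sits before the hunk) has a body identical to the `dropNotSyn)` arm that follows it, yet this commit's actions.std comments now document only dropNotSyn and nothing in the script records why the older spelling is still accepted. A one-line comment on the label, `# dropNonSyn: earlier spelling of dropNotSyn, kept so existing rules files still load`, would capture the intent — that compatibility motive is inferred from the rename, so confirm it before committing to the wording. If the two are genuinely aliases, a combined `dropNonSyn|dropNotSyn)` arm with one body would also remove the duplicated DROP rule, though the log display name would then no longer tell the two spellings apart. The hunk begins inside that arm and process_actions3 continues past its last line.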
@@ -9,6 +9,25 @@ Problems corrected in version 2.2.1 2) Shorewall previously used root's default umask which could cause files in /var/lib/shorewall to be world-readable. Shorewall now uses umask 0177. + +3) In log messages produced by logging a built-in action, the packet + disposition was displayed incorrectly. + + Example: + + rejNotSyn:ULOG all all tcp + + produces the log message: + + Feb 12 23:57:08 server Shorewall:rejNotSyn:ULOG: ... + + rather than + + Feb 12 23:57:08 server Shorewall:rejNotSyn:REJECT: ... + +3) The comments regarding built-in actions in + /usr/share/shorewall/actions.std have been corrected. + ----------------------------------------------------------------------- Issues when migrating from Shorewall 2.0 to Shorewall 2.2: