mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-23 19:21:21 +02:00
Apply Juergen Kreileder's patch for logging
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1957 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
426f6b0f4a
commit
3c3377d39d
@ -6,16 +6,13 @@
|
|||||||
#
|
#
|
||||||
# allowBcast #Silently Allow Broadcast/multicast
|
# allowBcast #Silently Allow Broadcast/multicast
|
||||||
# dropBcast #Silently Drop Broadcast/multicast
|
# dropBcast #Silently Drop Broadcast/multicast
|
||||||
# dropNonSyn #Silently Drop Non-syn TCP packets
|
# dropNotSyn #Silently Drop Non-syn TCP packets
|
||||||
# rejNonSyn #Silently Reject Non-syn TCP packets
|
# rejNotSyn #Silently Reject Non-syn TCP packets
|
||||||
# dropInvalid #Silently Drop packets that are in the INVALID
|
# dropInvalid #Silently Drop packets that are in the INVALID
|
||||||
# #conntrack state.
|
# #conntrack state.
|
||||||
# allowInvalid #Accept packets that are in the INVALID
|
# allowInvalid #Accept packets that are in the INVALID
|
||||||
# #conntrack state.
|
# #conntrack state.
|
||||||
#
|
#
|
||||||
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
|
|
||||||
# shorewall.conf. If that option isn't specified then 'info' is used.
|
|
||||||
#
|
|
||||||
#ACTION
|
#ACTION
|
||||||
|
|
||||||
DropSMB #Silently Drops Microsoft SMB Traffic
|
DropSMB #Silently Drops Microsoft SMB Traffic
|
||||||
|
|||||||
@ -4,6 +4,8 @@ Changes in 2.2.1
|
|||||||
|
|
||||||
2) Simon Matter's patch for umask.
|
2) Simon Matter's patch for umask.
|
||||||
|
|
||||||
|
3) Apply Juergen Kreileder's patch for logging.
|
||||||
|
|
||||||
Changes since 2.0.3
|
Changes since 2.0.3
|
||||||
|
|
||||||
1) Fix security vulnerability involving temporary files/directories.
|
1) Fix security vulnerability involving temporary files/directories.
|
||||||
|
|||||||
@ -3533,8 +3533,8 @@ process_actions3() {
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if [ -n "$xlevel" ]; then
|
if [ -n "$xlevel" ]; then
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
|
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
|
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -3548,7 +3548,7 @@ process_actions3() {
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address
|
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -3565,8 +3565,8 @@ process_actions3() {
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if [ -n "$xlevel" ]; then
|
if [ -n "$xlevel" ]; then
|
||||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
|
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
|
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -3580,7 +3580,7 @@ process_actions3() {
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address
|
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -3594,35 +3594,35 @@ process_actions3() {
|
|||||||
|
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn
|
log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn
|
||||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
dropNotSyn)
|
dropNotSyn)
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn
|
log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn
|
||||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
rejNotSyn)
|
rejNotSyn)
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn
|
log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn
|
||||||
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
|
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
dropInvalid)
|
dropInvalid)
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID
|
log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID
|
||||||
run_iptables -A $xchain -m state --state INVALID -j DROP
|
run_iptables -A $xchain -m state --state INVALID -j DROP
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
allowInvalid)
|
allowInvalid)
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain allowInvalid $2 "" "$xtag" -A -m state --state INVALID
|
log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID
|
||||||
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
|
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
|||||||
@ -9,6 +9,25 @@ Problems corrected in version 2.2.1
|
|||||||
2) Shorewall previously used root's default umask which could cause
|
2) Shorewall previously used root's default umask which could cause
|
||||||
files in /var/lib/shorewall to be world-readable. Shorewall now uses
|
files in /var/lib/shorewall to be world-readable. Shorewall now uses
|
||||||
umask 0177.
|
umask 0177.
|
||||||
|
|
||||||
|
3) In log messages produced by logging a built-in action, the packet
|
||||||
|
disposition was displayed incorrectly.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
rejNotSyn:ULOG all all tcp
|
||||||
|
|
||||||
|
produces the log message:
|
||||||
|
|
||||||
|
Feb 12 23:57:08 server Shorewall:rejNotSyn:ULOG: ...
|
||||||
|
|
||||||
|
rather than
|
||||||
|
|
||||||
|
Feb 12 23:57:08 server Shorewall:rejNotSyn:REJECT: ...
|
||||||
|
|
||||||
|
3) The comments regarding built-in actions in
|
||||||
|
/usr/share/shorewall/actions.std have been corrected.
|
||||||
|
|
||||||
-----------------------------------------------------------------------
|
-----------------------------------------------------------------------
|
||||||
Issues when migrating from Shorewall 2.0 to Shorewall 2.2:
|
Issues when migrating from Shorewall 2.0 to Shorewall 2.2:
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user