Apply Juergen Kreileder's patch for logging

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1957 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-02-13 16:24:51 +00:00
parent 426f6b0f4a
commit 3c3377d39d
4 changed files with 34 additions and 16 deletions

View File

@ -6,16 +6,13 @@
# #
# allowBcast #Silently Allow Broadcast/multicast # allowBcast #Silently Allow Broadcast/multicast
# dropBcast #Silently Drop Broadcast/multicast # dropBcast #Silently Drop Broadcast/multicast
# dropNonSyn #Silently Drop Non-syn TCP packets # dropNotSyn #Silently Drop Non-syn TCP packets
# rejNonSyn #Silently Reject Non-syn TCP packets # rejNotSyn #Silently Reject Non-syn TCP packets
# dropInvalid #Silently Drop packets that are in the INVALID # dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state. # #conntrack state.
# allowInvalid #Accept packets that are in the INVALID # allowInvalid #Accept packets that are in the INVALID
# #conntrack state. # #conntrack state.
# #
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used.
#
#ACTION #ACTION
DropSMB #Silently Drops Microsoft SMB Traffic DropSMB #Silently Drops Microsoft SMB Traffic

View File

@ -4,6 +4,8 @@ Changes in 2.2.1
2) Simon Matter's patch for umask. 2) Simon Matter's patch for umask.
3) Apply Juergen Kreileder's patch for logging.
Changes since 2.0.3 Changes since 2.0.3
1) Fix security vulnerability involving temporary files/directories. 1) Fix security vulnerability involving temporary files/directories.

View File

@ -3533,8 +3533,8 @@ process_actions3() {
;; ;;
*) *)
if [ -n "$xlevel" ]; then if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
fi fi
;; ;;
esac esac
@ -3548,7 +3548,7 @@ process_actions3() {
;; ;;
*) *)
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
;; ;;
esac esac
@ -3565,8 +3565,8 @@ process_actions3() {
;; ;;
*) *)
if [ -n "$xlevel" ]; then if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
fi fi
;; ;;
esac esac
@ -3580,7 +3580,7 @@ process_actions3() {
;; ;;
*) *)
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address
;; ;;
esac esac
@ -3594,35 +3594,35 @@ process_actions3() {
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP run_iptables -A $xchain -p tcp ! --syn -j DROP
fi fi
;; ;;
dropNotSyn) dropNotSyn)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP run_iptables -A $xchain -p tcp ! --syn -j DROP
fi fi
;; ;;
rejNotSyn) rejNotSyn)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
fi fi
;; ;;
dropInvalid) dropInvalid)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID
run_iptables -A $xchain -m state --state INVALID -j DROP run_iptables -A $xchain -m state --state INVALID -j DROP
fi fi
;; ;;
allowInvalid) allowInvalid)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowInvalid $2 "" "$xtag" -A -m state --state INVALID log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID
run_iptables -A $xchain -m state --state INVALID -j ACCEPT run_iptables -A $xchain -m state --state INVALID -j ACCEPT
fi fi
;; ;;

View File

@ -9,6 +9,25 @@ Problems corrected in version 2.2.1
2) Shorewall previously used root's default umask which could cause 2) Shorewall previously used root's default umask which could cause
files in /var/lib/shorewall to be world-readable. Shorewall now uses files in /var/lib/shorewall to be world-readable. Shorewall now uses
umask 0177. umask 0177.
3) In log messages produced by logging a built-in action, the packet
disposition was displayed incorrectly.
Example:
rejNotSyn:ULOG all all tcp
produces the log message:
Feb 12 23:57:08 server Shorewall:rejNotSyn:ULOG: ...
rather than
Feb 12 23:57:08 server Shorewall:rejNotSyn:REJECT: ...
3) The comments regarding built-in actions in
/usr/share/shorewall/actions.std have been corrected.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0 to Shorewall 2.2: Issues when migrating from Shorewall 2.0 to Shorewall 2.2: