Apply Juergen Kreileder's patch for logging

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1957 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-02-13 16:24:51 +00:00
parent 426f6b0f4a
commit 3c3377d39d
4 changed files with 34 additions and 16 deletions

View File

@ -6,16 +6,13 @@
#
# allowBcast #Silently Allow Broadcast/multicast
# dropBcast #Silently Drop Broadcast/multicast
# dropNonSyn #Silently Drop Non-syn TCP packets
# rejNonSyn #Silently Reject Non-syn TCP packets
# dropNotSyn #Silently Drop Non-syn TCP packets
# rejNotSyn #Silently Reject Non-syn TCP packets
# dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state.
# allowInvalid #Accept packets that are in the INVALID
# #conntrack state.
#
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used.
#
#ACTION
DropSMB #Silently Drops Microsoft SMB Traffic

View File

@ -4,6 +4,8 @@ Changes in 2.2.1
2) Simon Matter's patch for umask.
3) Apply Juergen Kreileder's patch for logging.
Changes since 2.0.3
1) Fix security vulnerability involving temporary files/directories.

View File

@ -3533,8 +3533,8 @@ process_actions3() {
;;
*)
if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
fi
;;
esac
@ -3548,7 +3548,7 @@ process_actions3() {
;;
*)
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
;;
esac
@ -3565,8 +3565,8 @@ process_actions3() {
;;
*)
if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
fi
;;
esac
@ -3580,7 +3580,7 @@ process_actions3() {
;;
*)
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address
;;
esac
@ -3594,35 +3594,35 @@ process_actions3() {
if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn
log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP
fi
;;
dropNotSyn)
if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn
log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP
fi
;;
rejNotSyn)
if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn
log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
fi
;;
dropInvalid)
if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID
log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID
run_iptables -A $xchain -m state --state INVALID -j DROP
fi
;;
allowInvalid)
if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowInvalid $2 "" "$xtag" -A -m state --state INVALID
log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
fi
;;

View File

@ -9,6 +9,25 @@ Problems corrected in version 2.2.1
2) Shorewall previously used root's default umask which could cause
files in /var/lib/shorewall to be world-readable. Shorewall now uses
umask 0177.
3) In log messages produced by logging a built-in action, the packet
disposition was displayed incorrectly.
Example:
rejNotSyn:ULOG all all tcp
produces the log message:
Feb 12 23:57:08 server Shorewall:rejNotSyn:ULOG: ...
rather than
Feb 12 23:57:08 server Shorewall:rejNotSyn:REJECT: ...
3) The comments regarding built-in actions in
/usr/share/shorewall/actions.std have been corrected.
-----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0 to Shorewall 2.2: