mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-23 19:21:21 +02:00
Apply Juergen Kreileder's patch for logging
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1957 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
426f6b0f4a
commit
3c3377d39d
@ -6,16 +6,13 @@
|
||||
#
|
||||
# allowBcast #Silently Allow Broadcast/multicast
|
||||
# dropBcast #Silently Drop Broadcast/multicast
|
||||
# dropNonSyn #Silently Drop Non-syn TCP packets
|
||||
# rejNonSyn #Silently Reject Non-syn TCP packets
|
||||
# dropNotSyn #Silently Drop Non-syn TCP packets
|
||||
# rejNotSyn #Silently Reject Non-syn TCP packets
|
||||
# dropInvalid #Silently Drop packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
# allowInvalid #Accept packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
#
|
||||
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
|
||||
# shorewall.conf. If that option isn't specified then 'info' is used.
|
||||
#
|
||||
#ACTION
|
||||
|
||||
DropSMB #Silently Drops Microsoft SMB Traffic
|
||||
|
||||
@ -4,6 +4,8 @@ Changes in 2.2.1
|
||||
|
||||
2) Simon Matter's patch for umask.
|
||||
|
||||
3) Apply Juergen Kreileder's patch for logging.
|
||||
|
||||
Changes since 2.0.3
|
||||
|
||||
1) Fix security vulnerability involving temporary files/directories.
|
||||
|
||||
@ -3533,8 +3533,8 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
if [ -n "$xlevel" ]; then
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -3548,7 +3548,7 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3565,8 +3565,8 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
if [ -n "$xlevel" ]; then
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -3580,7 +3580,7 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3594,35 +3594,35 @@ process_actions3() {
|
||||
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn
|
||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||
fi
|
||||
;;
|
||||
dropNotSyn)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn
|
||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||
fi
|
||||
;;
|
||||
rejNotSyn)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||
log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn
|
||||
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
|
||||
fi
|
||||
;;
|
||||
dropInvalid)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID
|
||||
log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID
|
||||
run_iptables -A $xchain -m state --state INVALID -j DROP
|
||||
fi
|
||||
;;
|
||||
allowInvalid)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain allowInvalid $2 "" "$xtag" -A -m state --state INVALID
|
||||
log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID
|
||||
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
|
||||
fi
|
||||
;;
|
||||
|
||||
@ -9,6 +9,25 @@ Problems corrected in version 2.2.1
|
||||
2) Shorewall previously used root's default umask which could cause
|
||||
files in /var/lib/shorewall to be world-readable. Shorewall now uses
|
||||
umask 0177.
|
||||
|
||||
3) In log messages produced by logging a built-in action, the packet
|
||||
disposition was displayed incorrectly.
|
||||
|
||||
Example:
|
||||
|
||||
rejNotSyn:ULOG all all tcp
|
||||
|
||||
produces the log message:
|
||||
|
||||
Feb 12 23:57:08 server Shorewall:rejNotSyn:ULOG: ...
|
||||
|
||||
rather than
|
||||
|
||||
Feb 12 23:57:08 server Shorewall:rejNotSyn:REJECT: ...
|
||||
|
||||
3) The comments regarding built-in actions in
|
||||
/usr/share/shorewall/actions.std have been corrected.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Issues when migrating from Shorewall 2.0 to Shorewall 2.2:
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user