mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-15 12:14:32 +01:00
Reformat the code in define_firewall()
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1251 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
a269ac1384
commit
429b6924de
@ -1,40 +1,4 @@
|
||||
Changes since 2.0.0
|
||||
Changes since 2.0.1
|
||||
|
||||
1) Eliminate Warning about Policy as rule when using actions.
|
||||
1) Reformat the code in define_firewall().
|
||||
|
||||
2) Add bridging Code.
|
||||
|
||||
3) Cleanup Warning elimination.
|
||||
|
||||
4) Add 'nobogons'
|
||||
|
||||
5) Add 'netmap'
|
||||
|
||||
6) Fix another <zone>_frwd problem.
|
||||
|
||||
7) Add -x option to /sbin/shorewall.
|
||||
|
||||
8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC.
|
||||
|
||||
9) Improve zone-definition checking.
|
||||
|
||||
10) Add additional options to hosts file
|
||||
|
||||
11) Replace 'subnet' with 'network' in the code
|
||||
|
||||
12) Fix item 10 above :-(
|
||||
|
||||
13) Replace good code with crap to satisfy 'ash'.
|
||||
|
||||
14) Fix if_match to only do wild-card matches on patterns ending in
|
||||
"+".
|
||||
|
||||
15) Tighten edits on bridge port names.
|
||||
|
||||
16) Make 'routeback' on interfaces work again.
|
||||
|
||||
17) Reduce useless intra-zone rules on bridges.
|
||||
|
||||
18) Make 'routeback' on hosts work again.
|
||||
|
||||
19) Fix display of ICMP packets.
|
||||
|
@ -5130,7 +5130,6 @@ activate_rules()
|
||||
done
|
||||
|
||||
for interface in $all_interfaces ; do
|
||||
|
||||
run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)
|
||||
run_iptables -A INPUT -i $interface -j $(input_chain $interface)
|
||||
addnatjump POSTROUTING $(masq_chain $interface) -o $interface
|
||||
@ -5196,83 +5195,42 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
echo "${1}ing Shorewall..."
|
||||
|
||||
verify_os_version
|
||||
|
||||
verify_ip
|
||||
|
||||
load_kernel_modules
|
||||
|
||||
echo "Initializing..."
|
||||
|
||||
initialize_netfilter
|
||||
|
||||
echo "Configuring Proxy ARP"
|
||||
|
||||
setup_proxy_arp
|
||||
|
||||
echo "Setting up NAT..."
|
||||
|
||||
setup_nat
|
||||
|
||||
echo "Setting up NETMAP..."
|
||||
|
||||
setup_netmap
|
||||
|
||||
echo "Adding Common Rules"
|
||||
|
||||
add_common_rules
|
||||
echo "Initializing..."; initialize_netfilter
|
||||
echo "Configuring Proxy ARP"; setup_proxy_arp
|
||||
echo "Setting up NAT..."; setup_nat
|
||||
echo "Setting up NETMAP..."; setup_netmap
|
||||
echo "Adding Common Rules"; add_common_rules
|
||||
|
||||
tunnels=$(find_file tunnels)
|
||||
|
||||
[ -f $tunnels ] && \
|
||||
echo "Processing $tunnels..." && setup_tunnels $tunnels
|
||||
|
||||
maclist_hosts=$(find_hosts_by_option maclist)
|
||||
[ -n "$maclist_hosts" ] && setup_mac_lists
|
||||
|
||||
if [ -n "$maclist_hosts" ] ; then
|
||||
setup_mac_lists
|
||||
fi
|
||||
|
||||
rules=$(find_file rules)
|
||||
|
||||
echo "Pre-processing Actions..."
|
||||
|
||||
process_actions1
|
||||
|
||||
echo "Processing $rules..."
|
||||
|
||||
process_rules
|
||||
|
||||
echo "Processing Actions..."
|
||||
|
||||
process_actions2
|
||||
|
||||
policy=$(find_file policy)
|
||||
|
||||
echo "Processing $policy..."
|
||||
|
||||
apply_policy_rules
|
||||
echo "Pre-processing Actions..."; process_actions1
|
||||
echo "Processing $rules..."; process_rules
|
||||
echo "Processing Actions..."; process_actions2
|
||||
echo "Processing $policy..."; apply_policy_rules
|
||||
|
||||
masq=$(find_file masq)
|
||||
|
||||
[ -f $masq ] && setup_masq $masq
|
||||
|
||||
tos=$(find_file tos)
|
||||
|
||||
[ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos
|
||||
|
||||
ecn=$(find_file ecn)
|
||||
|
||||
[ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
|
||||
|
||||
[ -n "$TC_ENABLED" ] && setup_tc
|
||||
|
||||
echo "Activating Rules..."
|
||||
|
||||
activate_rules
|
||||
echo "Activating Rules..."; activate_rules
|
||||
|
||||
[ -n "$aliases_to_add" ] && \
|
||||
echo "Adding IP Addresses..." && \
|
||||
add_ip_aliases
|
||||
echo "Adding IP Addresses..." && add_ip_aliases
|
||||
|
||||
run_user_exit start
|
||||
|
||||
|
@ -1,100 +1,15 @@
|
||||
Shorewall 2.0.1
|
||||
Shorewall 2.0.2-Beta 1
|
||||
|
||||
----------------------------------------------------------------------
|
||||
Problems Corrected since 2.0.0
|
||||
Problems Corrected since 2.0.1
|
||||
|
||||
1) Using actions in the manner recommended in the documentation
|
||||
results in a Warning that the rule is a policy.
|
||||
|
||||
2) When a zone on a single interface is defined using
|
||||
/etc/shorewall/hosts, superfluous rules are generated in the
|
||||
<zone>_frwd chain.
|
||||
|
||||
3) Thanks to Sean Mathews, a long-standing problem with Proxy ARP and
|
||||
IPSEC has been corrected. Thanks Sean!!!
|
||||
|
||||
4) The "shorewall show log" and "shorewall logwatch" commands
|
||||
incorrectly displayed type 3 ICMP packets.
|
||||
None.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:
|
||||
|
||||
1) The function of 'norfc1918' is now split between that option and a
|
||||
new 'nobogons' option.
|
||||
|
||||
The rfc1918 file released with Shorewall now contains entries for
|
||||
only those three address ranges reserved by RFC 1918. A 'nobogons'
|
||||
interface option has been added which handles bogon source
|
||||
addresses (those which are reserved by the IANA, those reserved for
|
||||
DHCP auto-configuration and the class C test-net reserved for
|
||||
testing and documentation examples). This will allow users to
|
||||
perform RFC 1918 filtering without having to deal with out
|
||||
of date data from IANA. Those who are willing to update their
|
||||
/usr/share/shorewall/bogons file regularly can specify the
|
||||
'nobogons' option in addition to 'norfc1918'.
|
||||
|
||||
The level at which bogon packets are logged is specified in the new
|
||||
BOGON_LOG_LEVEL variable in shorewall.conf. If that option is not
|
||||
specified or is specified as empty (e.g, BOGON_LOG_LEVEL="") then
|
||||
bogon packets whose TARGET is 'logdrop' in
|
||||
/usr/share/shorewall/bogons are logged at the 'info' level.
|
||||
None.
|
||||
|
||||
New Features:
|
||||
|
||||
1) Support for Bridging Firewalls has been added. For details, see
|
||||
|
||||
http://shorewall.net/bridge.html
|
||||
|
||||
2) Support for NETMAP has been added. NETMAP allows NAT to be defined
|
||||
between two network:
|
||||
|
||||
a.b.c.1 -> x.y.z.1
|
||||
a.b.c.2 -> x.y.z.2
|
||||
a.b.c.3 -> x.y.z.3
|
||||
...
|
||||
|
||||
http://shorewall.net/netmap.html
|
||||
|
||||
3) The /sbin/shorewall program now accepts a "-x" option to cause
|
||||
iptables to print out the actual packet and byte counts rather than
|
||||
abbreviated counts such as "13MB".
|
||||
|
||||
Commands affected by this are:
|
||||
|
||||
shorewall -x show [ <chain>[ <chain> ...] ]
|
||||
shorewall -x show tos|mangle
|
||||
shorewall -x show nat
|
||||
shorewall -x status
|
||||
shorewall -x monitor [ <interval> ]
|
||||
|
||||
4) Shorewall now traps two common zone definition errors:
|
||||
|
||||
- Including the firewall zone in a /etc/shorewall/hosts record.
|
||||
- Defining an interface for a zone in both /etc/shorewall/interfaces
|
||||
and /etc/shorewall/hosts.
|
||||
|
||||
In the second case, the following will appear during "shorewall
|
||||
[re]start" or "shorewall check":
|
||||
|
||||
Determining Hosts in Zones...
|
||||
...
|
||||
Error: Invalid zone definition for zone <name of zone>
|
||||
Terminated
|
||||
|
||||
5) To support bridging, the following options have been added to
|
||||
entries in /etc/shorewall/hosts:
|
||||
|
||||
norfc1918
|
||||
nobogons
|
||||
blacklist
|
||||
tcpflags
|
||||
nosmurfs
|
||||
newnotsyn
|
||||
|
||||
With the exception of 'newnotsyn', these options are only
|
||||
useful when the entry refers to a bridge port.
|
||||
|
||||
Example:
|
||||
|
||||
#ZONE HOST(S) OPTIONS
|
||||
net br0:eth0 norfc1918,nobogons,blacklist,tcpflags,nosmurfs
|
||||
None.
|
||||
|
Loading…
Reference in New Issue
Block a user