ADMINISABSENTMINDED Option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@681 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-07-29 23:04:04 +00:00
parent 617c0d311e
commit 4c08cc4780
4 changed files with 96 additions and 7 deletions


@ -12,3 +12,5 @@ Changes since 1.4.6
5) Removed some undocumented/braindead code from setup_masq()
6) Don't allow 'stop' when startup is disabled
7) Added ADMINISABSENTMINDED option.


@ -996,11 +996,25 @@ stop_firewall() {
delete_proxy_arp
[ -n "$CLEAR_TC" ] && delete_tc
for chain in INPUT OUTPUT FORWARD; do
setpolicy $chain DROP
done
if [ -z "$ADMINISABSENTMINDED" ]; then
for chain in INPUT OUTPUT FORWARD; do
setpolicy $chain DROP
done
deleteallchains
deleteallchains
else
for chain in INPUT FORWARD; do
setpolicy $chain DROP
done
setpolicy OUTPUT ACCEPT
deleteallchains
for chain in INPUT FORWARD; do
setcontinue $chain
done
fi
hosts=
@ -1018,7 +1032,8 @@ stop_firewall() {
interface=${host%:*}
subnet=${host#*:}
iptables -A INPUT -i $interface -s $subnet -j ACCEPT
iptables -A OUTPUT -o $interface -d $subnet -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
iptables -A OUTPUT -o $interface -d $subnet -j ACCEPT
for host1 in $hosts; do
[ "$host" != "$host1" ] && \
@ -1028,11 +1043,13 @@ stop_firewall() {
done
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
iptables -A OUTPUT -o lo -j ACCEPT
for interface in `find_interfaces_by_option dhcp`; do
iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
done
case "$IP_FORWARDING" in
@ -4582,6 +4599,7 @@ do_initialize() {
VERSION_FILE=
LOGFORMAT=
LOGRULENUMBERS=
ADMINISABSENTMINDED=
stopping=
have_mutex=
@ -4730,6 +4748,7 @@ do_initialize() {
else
LOGFORMAT="Shorewall:%s:%s:"
fi
ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED`
#
# Strip the files that we use often
#
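Review bot: The new `else` branch in stop_firewall (the one entered when ADMINISABSENTMINDED is set) carries no comment explaining why INPUT and FORWARD are given `setcontinue` while OUTPUT gets an ACCEPT policy, so the stopped-state contract lives only in the release notes; a comment such as `# ADMINISABSENTMINDED: while stopped, keep the firewall's own outbound traffic and existing connections alive` above the `else` would tie the code to the documented behaviour (what `setcontinue` actually installs is not visible in this hunk, so the wording should be checked against it). The three later guards of the form `[ -z "$ADMINISABSENTMINDED" ] && \` followed by an `iptables -A OUTPUT ...` line return status 1 whenever the option is enabled; that is harmless as written, but should any of them become the last statement of a function or the script ever run under `set -e`, the non-zero status would surface, so `if [ -z "$ADMINISABSENTMINDED" ]; then iptables ...; fi` is the more robust shape. stop_firewall starts before the first hunk and continues past the last one, so the ordering between `setcontinue` on INPUT/FORWARD and the routestopped ACCEPT rules appended later in the function cannot be checked from this view.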


@ -38,3 +38,42 @@ New Features:
/etc/shorewall/startup_disabled exists. This prevents people from
shooting themselves in the foot prior to having configured
Shorewall.
4) A new option "ADMINISABSENTMINDED" has been added to
/etc/shorewall/shorewall.conf. This option has a default value of
"No" in which case Shorewall's 'stopped' state continues as it has
been; namely, in the stopped state only traffic to/from hosts listed
in /etc/shorewall/routestopped is accepted.
With ADMINISABSENTMINDED=Yes, in addition to traffic to/from the
hosts listed in /etc/shorewall/routestopped, Shorewall will allow:
a) All traffic originating from the firewall itself; and
b) All traffic that is part of or related to an already-existing
connection.
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
entered through an ssh session will not kill the session.
Note though that it is still possible for people to shoot themselves
in the foot.
Example:
/etc/shorewall/nat:
206.124.146.178 eth0:0 192.168.1.5
/etc/shorewall/rules:
ACCEPT net loc:192.168.1.5 tcp 22
ACCEPT loc fw tcp 22
I ssh into 206.124.146.178 which establishes an SSH connection with
192.168.1.5. I then create a second SSH connection from that
computer to the firewall and confidently type "shorewall
stop". As part of stopping, Shorewall removes eth0:0 which kills my
SSH connection to 192.168.1.5!!!


@ -434,6 +434,35 @@ MUTEX_TIMEOUT=60
NEWNOTSYN=No
#
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
#
# Normally, when a "shorewall stop" command is issued or an error occurs during
# the execution of another shorewall command, Shorewall puts the firewall into
# a state where only traffic to/from the hosts listed in
# /etc/shorewall/routestopped is accepted.
#
# When performing remote administration on a Shorewall firewall, it is
# therefore recommended that the IP address of the computer being used for
# administration be added to the firewall's /etc/shorewall/routestopped file.
#
# Some administrators have a hard time remembering to do this with the result
# that they get to drive across town in the middle of the night to restart
# a remote firewall (or worse, they have to get someone out of bed to drive
# across town to restart a very remote firewall).
#
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
# when the firewall enters the 'stopped' state:
#
# All traffic that is part of or related to established connections is still
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
# to and from hosts listed in /etc/shorewall/routestopped.
#
# If this variable is not set or it is set to the null value then
# ADMINISABSENTMINDED=No is assumed.
#
ADMINISABSENTMINDED=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################