mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-10 23:58:14 +01:00
ADMINISABSENTMINDED Option
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@681 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
617c0d311e
commit
4c08cc4780
@ -12,3 +12,5 @@ Changes since 1.4.6
|
||||
5) Removed some undocumented/braindead code from setup_masq()
|
||||
|
||||
6) Don't allow 'stop' when startup is disabled
|
||||
|
||||
7) Added ADMINISABSENTMINDED option.
|
||||
|
@ -996,11 +996,25 @@ stop_firewall() {
|
||||
delete_proxy_arp
|
||||
[ -n "$CLEAR_TC" ] && delete_tc
|
||||
|
||||
for chain in INPUT OUTPUT FORWARD; do
|
||||
setpolicy $chain DROP
|
||||
done
|
||||
if [ -z "$ADMINISABSENTMINDED" ]; then
|
||||
for chain in INPUT OUTPUT FORWARD; do
|
||||
setpolicy $chain DROP
|
||||
done
|
||||
|
||||
deleteallchains
|
||||
deleteallchains
|
||||
else
|
||||
for chain in INPUT FORWARD; do
|
||||
setpolicy $chain DROP
|
||||
done
|
||||
|
||||
setpolicy OUTPUT ACCEPT
|
||||
|
||||
deleteallchains
|
||||
|
||||
for chain in INPUT FORWARD; do
|
||||
setcontinue $chain
|
||||
done
|
||||
fi
|
||||
|
||||
hosts=
|
||||
|
||||
@ -1018,7 +1032,8 @@ stop_firewall() {
|
||||
interface=${host%:*}
|
||||
subnet=${host#*:}
|
||||
iptables -A INPUT -i $interface -s $subnet -j ACCEPT
|
||||
iptables -A OUTPUT -o $interface -d $subnet -j ACCEPT
|
||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||
iptables -A OUTPUT -o $interface -d $subnet -j ACCEPT
|
||||
|
||||
for host1 in $hosts; do
|
||||
[ "$host" != "$host1" ] && \
|
||||
@ -1028,11 +1043,13 @@ stop_firewall() {
|
||||
done
|
||||
|
||||
iptables -A INPUT -i lo -j ACCEPT
|
||||
iptables -A OUTPUT -o lo -j ACCEPT
|
||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||
iptables -A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
for interface in `find_interfaces_by_option dhcp`; do
|
||||
iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
|
||||
iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
|
||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||
iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
|
||||
done
|
||||
|
||||
case "$IP_FORWARDING" in
|
||||
@ -4582,6 +4599,7 @@ do_initialize() {
|
||||
VERSION_FILE=
|
||||
LOGFORMAT=
|
||||
LOGRULENUMBERS=
|
||||
ADMINISABSENTMINDED=
|
||||
|
||||
stopping=
|
||||
have_mutex=
|
||||
@ -4730,6 +4748,7 @@ do_initialize() {
|
||||
else
|
||||
LOGFORMAT="Shorewall:%s:%s:"
|
||||
fi
|
||||
ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED`
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
|
@ -38,3 +38,42 @@ New Features:
|
||||
/etc/shorewall/startup_disabled exists. This prevents people from
|
||||
shooting themselves in the foot prior to having configured
|
||||
Shorewall.
|
||||
|
||||
4) A new option "ADMINISABSENTMINDED" has been added to
|
||||
/etc/shorewall/shorewall.conf. This option has a default value of
|
||||
"No" in which case Shorewall's 'stopped' state continues as it has
|
||||
been; namely, in the stopped state only traffic to/from hosts listed
|
||||
in /etc/shorewall/routestopped is accepted.
|
||||
|
||||
With ADMINISABSENTMINDED=Yes, in addition to traffic to/from the
|
||||
hosts listed in /etc/shorewall/routestopped, Shorewall will allow:
|
||||
|
||||
a) All traffic originating from the firewall itself; and
|
||||
b) All traffic that is part of or related to an already-existing
|
||||
connection.
|
||||
|
||||
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
|
||||
entered through an ssh session will not kill the session.
|
||||
|
||||
Note though that it is still possible for people to shoot themselves
|
||||
in the foot.
|
||||
|
||||
Example:
|
||||
|
||||
/etc/shorewall/nat:
|
||||
|
||||
206.124.146.178 eth0:0 192.168.1.5
|
||||
|
||||
/etc/shorewall/rules:
|
||||
|
||||
ACCEPT net loc:192.168.1.5 tcp 22
|
||||
ACCEPT loc fw tcp 22
|
||||
|
||||
I ssh into 206.124.146.178 which establishes an SSH connection with
|
||||
192.168.1.5. I then create a second SSH connection from that
|
||||
computer to the firewall and confidently type "shorewall
|
||||
stop". As part of stopping, Shorewall removes eth0:0 which kills my
|
||||
SSH connection to 192.168.1.5!!!
|
||||
|
||||
|
||||
|
||||
|
@ -434,6 +434,35 @@ MUTEX_TIMEOUT=60
|
||||
|
||||
NEWNOTSYN=No
|
||||
|
||||
#
|
||||
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
|
||||
#
|
||||
# Normally, when a "shorewall stop" command is issued or an error occurs during
|
||||
# the execution of another shorewall command, Shorewall puts the firewall into
|
||||
# a state where only traffic to/from the hosts listed in
|
||||
# /etc/shorewall/routestopped is accepted.
|
||||
#
|
||||
# When performing remote administration on a Shorewall firewall, it is
|
||||
# therefore recommended that the IP address of the computer being used for
|
||||
# administration be added to the firewall's /etc/shorewall/routestopped file.
|
||||
#
|
||||
# Some administrators have a hard time remembering to do this with the result
|
||||
# that they get to drive across town in the middle of the night to restart
|
||||
# a remote firewall (or worse, they have to get someone out of bed to drive
|
||||
# across town to restart a very remote firewall).
|
||||
#
|
||||
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
|
||||
# when the firewall enters the 'stopped' state:
|
||||
#
|
||||
# All traffic that is part of or related to established connections is still
|
||||
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
|
||||
# to and from hosts listed in /etc/shorewall/routestopped.
|
||||
#
|
||||
# If this variable is not set or it is set to the null value then
|
||||
# ADMINISABSENTMINDED=No is assumed.
|
||||
#
|
||||
ADMINISABSENTMINDED=No
|
||||
|
||||
################################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
################################################################################
|
||||
|
Loading…
Reference in New Issue
Block a user