diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 64be1589b..63612e8a8 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,66 +1,7 @@
-Changes since 1.3.14
+Changes since 1.4.0
-1. All versions changed to 1.4.
+1. Implement NONE policy.
-2. Rework of error message generation to make the 'firewall' script
- smaller.
+2. Never create rules for : to itself.
-3. Deimplemented MERGE_HOSTS=No.
-
-4. Generate error for : name in interfaces file.
-
-5. Deimplement old ping handling.
-
-6. Deimplement 'routestopped' interface/hosts option.
-
-7. Strip comments from potentially large files while the firewall is
- still up and running during 'restart'.
-
-8. Disallow the old port forwarding/redirection syntax.
-
-9. Reorganize shorewall.conf.
-
-10. Added support for LOG target.
-
-11. Move firewall and version (one more time....)
-
-12. Add late DNS reply rule to the common chain.
-
-12. Corrected rule number calculation problem in 'shorewall add' command
- processing.
-
-13. Update Documentation for 1.4
-
-14. Remove icmp.def file.
-
-15. Added CONTINUE rule target.
-
-16. Added Andrew Zhoglo's fix for logunclean.
-
-17. Removed 'multi' option.
-
-18. Support 802.11b devices with maclist.
-
-19. Don't detect loopback simply by name.
-
-20. Removed trailing white space from all files.
-
-21. Improved parsing of comma-separated lists.
-
-22. Add ECN Removal support
-
-23. Add TCP ports 445 and 139 to the common silent list.
-
-24. Remove 'check' command support.
-
-25. Restore 'check' command support.
-
-26. Remove unused function find_interface_broadcasts()
-
-27. Remove stale comments in the params file.
-
-28. Silently drop INVALID state packets
-
-29. Ignore the 'default' route when detecting masq'd networks.
-
-30. REALLY process the params file first now (honest).
+3. Always allow intrazone traffic.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 03630b5fe..e2890f540 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -672,6 +672,7 @@ validate_policy()
 print_policy() # $1 = source zone, $2 = destination zone
 {
 [ $command != check ] || \
+ [ $1 = $2 ] || \
 [ $1 = all ] || \
 [ $2 = all ] || \
 echo " Policy for $1 to $2 is $policy"
@@ -708,7 +709,7 @@ validate_policy()
 esac
 case $policy in
- ACCEPT|REJECT|DROP|CONTINUE)
+ ACCEPT|REJECT|DROP|CONTINUE|NONE)
 ;;
 *)
 startup_error "Invalid policy $policy"
@@ -717,8 +718,8 @@ validate_policy()
 chain=${client}2${server}
- [ "x$chain" = "x${FW}2${FW}" ] && \
- startup_error "fw->fw policy not allowed: $policy"
+ [ "$client" != "$server" ] || [ -n "$serverwild" ] || \
+ startup_error "Intra-zone policies not allowed: $client $server $policy"
 if is_policy_chain $chain ; then
 startup_error "Duplicate policy $policy"
@@ -728,7 +729,7 @@ validate_policy()
 chain=${client}2${server}
- all_policy_chains="$all_policy_chains $chain"
+ [ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
 eval ${chain}_is_policy=Yes
 eval ${chain}_policy=$policy
@@ -743,6 +744,7 @@ validate_policy()
 if [ -z "$pc" ]; then
 eval ${zone}2${zone1}_policychain=$chain
+ eval ${zone}2${zone1}_policy=$policy
 print_policy $zone $zone1
 fi
 done
@@ -753,6 +755,7 @@ validate_policy()
 if [ -z "$pc" ]; then
 eval ${zone}2${server}_policychain=$chain
+ eval ${zone}2${server}_policy=$policy
 print_policy $zone $server
 fi
 done
@@ -763,6 +766,7 @@ validate_policy()
 if [ -z "$pc" ]; then
 eval ${client}2${zone}_policychain=$chain
+ eval ${client}2${zone}_policy=$policy
 print_policy $client $zone
 fi
 done
@@ -2151,7 +2155,7 @@ process_rule() # $1 = target
 else
 serverport=
 [ -z "$serverzone" -o -z "$servers" ] && \
- startup_error "Empty destination zone or qualifier: rule \"$rule\""
+ fatal_error "Empty destination zone or qualifier: rule \"$rule\""
 fi
 fi
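Review bot: The NONE policy is not limited to explicitly named zone pairs at the new `[ $policy = NONE ] || all_policy_chains=...` line, so a wildcard such as `all all NONE` passes validation and — if the three inheritance loops below apply to wildcard policies as their new `_policy=$policy` assignments suggest — every zone pair without its own policy is recorded as NONE, for which activate_rules later emits no forward rule at all; that traffic is then decided by whatever terminates the forward chain, which is outside this diff. Since NONE means "assume there is no such traffic", it should only be accepted when both zones are named: `[ $policy != NONE ] || [ "$client" != all -a -z "$serverwild" ] || startup_error "NONE policy requires explicit zones: $client $server"`, placed just before the `all_policy_chains` line (assuming `$serverwild` is the flag set for a wildcard server, as its use in the intra-zone check above implies). validate_policy begins before the first hunk shown and continues past this one.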
@@ -2165,6 +2169,11 @@ process_rule() # $1 = target
 chain=${source}2${dest}
+ eval policy=${chain}_policy
+
+ [ $policy = NONE ] && \
+ fatal_error "Rules may not override a NONE policy: rule \"$rule\""
+
 [ $command = check ] || ensurechain $chain
 if [ "x$chain" = x${FW}2${FW} ]; then
@@ -2176,6 +2185,8 @@ process_rule() # $1 = target
 return
 ;;
 esac
+ elif [ "$source" = "$dest" ]; then
+ fatal_error "Intra-zone rules are not allowed: rule \"$rule\""
 else
 [ $command = check ] || ensurechain $chain
 fi
@@ -3670,41 +3681,34 @@ activate_rules()
 done
 for zone1 in $zones; do
+
+ eval policy=\$${zone}2${zone1}_policy
+
+ [ "$policy" = NONE ] && continue
+
 eval dest_hosts=\$${zone1}_hosts
- chain="`rules_chain $zone $zone1`"
+ if [ $zone = $zone1 ]; then
+ chain=${zone}2${zone}
+ havechain $chain || chain=ACCEPT
+ else
+ chain="`rules_chain $zone $zone1`"
+ fi
+
+ eval policy_chain=
 echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
- if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then
- have_canonical=Yes
- else
- have_canonical=
- fi
-
 for host in $source_hosts; do
 interface=${host%:*}
 subnet=${host#*:}
 chain1=`forward_chain $interface`
- if [ -n "$have_canonical" ]; then
- bounce=yes
- else
- case $interface in
- *+*)
- bounce=yes
- ;;
- *)
- bounce=
- ;;
- esac
- fi
-
 for host1 in $dest_hosts; do
 interface1=${host1%:*}
 subnet1=${host1#*:}
- if [ $interface != $interface1 -o -n "$bounce" ]; then
+ if [ "$host" != "$host1" ]; then
 run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
 fi
 done
diff --git a/Shorewall/hosts b/Shorewall/hosts
index 3a390cc58..24bb53a9d 100644
--- a/Shorewall/hosts
+++ b/Shorewall/hosts
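Review bot: `eval policy=${chain}_policy` is missing the escaped dollar sign — it evaluates to something like `policy=net2fw_policy`, storing the variable's name rather than its value (compare `eval policy=\$${zone}2${zone1}_policy` in the activate_rules hunk below), so `[ $policy = NONE ]` can never be true and the new fatal_error is dead code. A rule written against a NONE pair is therefore accepted silently: `ensurechain` creates its chain on the next line, but activate_rules `continue`s past that pair, so nothing ever jumps to the chain and the rule has no effect, which is exactly the misconfiguration this check was meant to catch. It should read `eval policy=\$${chain}_policy` followed by `[ "$policy" = NONE ] && \`; the quotes matter because a pair that never received a `_policy` assignment leaves the variable empty, and unquoted that produces a test error on stderr instead of a clean false. process_rule begins and ends outside this hunk.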
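Review bot: The new `elif [ "$source" = "$dest" ]` rejection runs after `[ $command = check ] || ensurechain $chain` in the preceding hunk, so an intra-zone rule has already had its `${source}2${dest}` chain created before fatal_error fires; validation should come before the side effect. Moving it up beside the NONE check as `[ "$source" != "$dest" -o "$source" = "$FW" ] || fatal_error "Intra-zone rules are not allowed: rule \"$rule\""` keeps the `$FW` exemption, since the `if [ "x$chain" = x${FW}2${FW} ]` branch above intentionally still handles fw-to-fw rules. Whether fatal_error tears the partially built ruleset down afterwards is not visible here.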
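Review bot: `eval policy_chain=` is an `eval` of a plain assignment with nothing to expand; it reads like a leftover of the removed `have_canonical` bookkeeping and, as `policy_chain` is not used anywhere in the hunk, should be dropped or at least reduced to `policy_chain=`. The intra-zone branch also deserves a comment because it is the security-relevant change: with process_rule now rejecting intra-zone rules, `havechain ${zone}2${zone}` can only succeed if something outside this diff creates that chain, so in practice any two distinct interface:subnet entries of one zone — including two different interfaces — are joined by an unconditional, unlogged ACCEPT; something like `# intra-zone forwarding between distinct host entries is ACCEPTed outright unless a ${zone}2${zone} chain exists; NONE pairs get no forward rule at all` above the `if [ $zone = $zone1 ]` would make that explicit. Note too that the `continue` for NONE pairs skips the `echo ... >> ${STATEDIR}/chains` record, which any later consumer of that file (not visible here) may not expect. activate_rules begins and ends outside this hunk.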
@@ -1,10 +1,17 @@
 #
 # Shorewall 1.4 - /etc/shorewall/hosts
 #
-# WARNING: 90% of Shorewall users don't need to add entries to this
-# file and 80% of those who try to add such entries get it
-# wrong. Unless you are ABSOLUTELY SURE that you need entries
-# in this file, don't touch it!
+# THERE ARE TWO CASES WHERE YOU NEED THIS FILE:
+#
+# 1) YOU HAVE MULTIPLE NETWORKS IN THE SAME ZONE CONNECTED TO
+# A SINGLE INTERFACE AND YOU WANT THE SHOREWALL BOX TO ROUTE
+# BETWEEN THESE NETWORKS.
+#
+# 2) YOU HAVE MORE THAN ONE ZONE CONNECTED THROUGH A SINGLE
+# INTERFACE.
+#
+# IF YOU DON'T HAVE EITHER OF THESE SITUATIONS THEN DON'T TOUCH
+# THIS FILE.
 #
 # This file is used to define zones in terms of subnets and/or
 # individual IP addresses. Most simple setups don't need to
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index b6e048be7..fb6bad082 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
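Review bot: Case 1 tells the reader to list several networks of one zone when the box should route between them, but not what that now implies: per the activate_rules change in this same commit, forwarding between distinct entries of the same zone is ACCEPTed unconditionally, with no policy or rule involved. A line such as `# NOTE: TRAFFIC BETWEEN THE NETWORKS OF ONE ZONE IS ALWAYS ACCEPTED - USE SEPARATE ZONES IF IT MUST BE FILTERED.` under case 1 would state the security consequence before the user edits this file.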
@@ -1,94 +1,19 @@ -This is a major release of Shorewall. +This is a minor release of Shorewall. -Function from 1.3 that has been omitted from this version includes: +This release introduces incompatibilities with prior releases. See +http://www.shorewall.net/upgrade_issues.htm. -1) The MERGE_HOSTS variable in shorewall.conf is no longer - supported. Shorewall 1.4 behavior is the same as 1.3 with - MERGE_HOSTS=Yes. +Changes are: -2) Interface names of the form : in - /etc/shorewall/interfaces now generate an error. +a) There is now a new NONE policy specifiable in +/etc/shorewall/policy. This policy will cause Shorewall to assume that +there will never be any traffic between the source and destination +zones. -3) Shorewall 1.4 implements behavior consistent with - OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error - at startup as will specification of the 'noping' or 'filterping' - interface options. - -4) The 'routestopped' option in the /etc/shorewall/interfaces and - /etc/shorewall/hosts files is no longer supported and will generate - an error at startup if specified. - -5) The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer - accepted. - -6) The ALLOWRELATED variable in shorewall.conf is no longer - supported. Shorewall 1.4 behavior is the same as 1.3 with - ALLOWRELATED=Yes. - -7) The 'multi' interface option is no longer supported. Shorewall will - generate rules for sending packets back out the same interface - that they arrived on in two cases: - - a) There is an _explicit_ policy for the source zone to the - destination zone. An explicit policy names both zones and does not - use the 'all' reserved word. - - b) There are one or more rules for traffic for the source zone to - or from the destination zone including rules that use the 'all' - reserved word. Exception: If the source and the destination are - the same zone then the rule must be explicit - it must name the zone - in both the SOURCE and DESTINATION columns. 
- -Changes for 1.4 include: - -1) shorewall.conf has been completely reorganized into logical - sections. - -2) LOG is now a valid action for a rule (/etc/shorewall/rules). - -3) The firewall script and version file are now installed in - /usr/share/shorewall. - -4. Late arriving DNS replies are now silently dropped in the common - chain by default. - -5) In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no - longer unconditionally accepts outbound ICMP packets. So if you want - to 'ping' from the firewall, you will need the appropriate rule or - policy. - -6) CONTINUE is now a valid action for a rule (/etc/shorewall/rules). - -7) 802.11b devices with names of the form wlan now support the - 'maclist' option. - -8) IMPORTANT: Shorewall now REQUIRES the iproute package ('ip' - utility). - -9) Explicit Congestion Notification (ECN - RFC 3168) may now be turned - off on a host or network basis using the new /etc/shorewall/ecn - file. To use this facility: - - a) You must be running kernel 2.4.20 - b) You must have applied the patch in - http://www.shorewall/net/pub/shorewall/ecn/patch. - c) You must have iptables 1.2.7a installed. - -10) The /etc/shorewall/params file is now processed first so that - variables may be used in the /etc/shorewall/shorewall.conf file. - -11) Packets with state INVALID are now silently dropped. - -12) Shorewall now gives a more helpful diagnostic when the 'ipchains' - compatibility kernel module is loaded and a 'shorewall start' - command is issued. - -13) The SHARED_DIR variable has been removed from shorewall.conf. This - variable was for use by package maintainers and was not documented - for general use. - -14) Shorewall now ignores 'default' routes when detecting masq'd - networks. +b) Shorewall no longer creates rules to govern traffic from an +interface:subnet to itself. +c) Intra-zone traffic is always accepted now (exception is (b) + above).. Intrazone policies and rules are no longer allowed.