NONE Policy; Allow Intrazone connections; no bounce rules
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@510 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
fbca287dab
commit
5be79ecde7
@ -1,66 +1,7 @@
|
||||
Changes since 1.3.14
|
||||
Changes since 1.4.0
|
||||
|
||||
1. All versions changed to 1.4.
|
||||
1. Implement NONE policy.
|
||||
|
||||
2. Rework of error message generation to make the 'firewall' script
|
||||
smaller.
|
||||
2. Never create rules for <iface>:<subnet> to itself.
|
||||
|
||||
3. Deimplemented MERGE_HOSTS=No.
|
||||
|
||||
4. Generate error for <dev>:<integer> name in interfaces file.
|
||||
|
||||
5. Deimplement old ping handling.
|
||||
|
||||
6. Deimplement 'routestopped' interface/hosts option.
|
||||
|
||||
7. Strip comments from potentially large files while the firewall is
|
||||
still up and running during 'restart'.
|
||||
|
||||
8. Disallow the old port forwarding/redirection syntax.
|
||||
|
||||
9. Reorganize shorewall.conf.
|
||||
|
||||
10. Added support for LOG target.
|
||||
|
||||
11. Move firewall and version (one more time....)
|
||||
|
||||
12. Add late DNS reply rule to the common chain.
|
||||
|
||||
12. Corrected rule number calculation problem in 'shorewall add' command
|
||||
processing.
|
||||
|
||||
13. Update Documentation for 1.4
|
||||
|
||||
14. Remove icmp.def file.
|
||||
|
||||
15. Added CONTINUE rule target.
|
||||
|
||||
16. Added Andrew Zhoglo's fix for logunclean.
|
||||
|
||||
17. Removed 'multi' option.
|
||||
|
||||
18. Support 802.11b devices with maclist.
|
||||
|
||||
19. Don't detect loopback simply by name.
|
||||
|
||||
20. Removed trailing white space from all files.
|
||||
|
||||
21. Improved parsing of comma-separated lists.
|
||||
|
||||
22. Add ECN Removal support
|
||||
|
||||
23. Add TCP ports 445 and 139 to the common silent list.
|
||||
|
||||
24. Remove 'check' command support.
|
||||
|
||||
25. Restore 'check' command support.
|
||||
|
||||
26. Remove unused function find_interface_broadcasts()
|
||||
|
||||
27. Remove stale comments in the params file.
|
||||
|
||||
28. Silently drop INVALID state packets
|
||||
|
||||
29. Ignore the 'default' route when detecting masq'd networks.
|
||||
|
||||
30. REALLY process the params file first now (honest).
|
||||
3. Always allow intrazone traffic.
|
||||
|
@ -672,6 +672,7 @@ validate_policy()
|
||||
print_policy() # $1 = source zone, $2 = destination zone
|
||||
{
|
||||
[ $command != check ] || \
|
||||
[ $1 = $2 ] || \
|
||||
[ $1 = all ] || \
|
||||
[ $2 = all ] || \
|
||||
echo " Policy for $1 to $2 is $policy"
|
||||
@ -708,7 +709,7 @@ validate_policy()
|
||||
esac
|
||||
|
||||
case $policy in
|
||||
ACCEPT|REJECT|DROP|CONTINUE)
|
||||
ACCEPT|REJECT|DROP|CONTINUE|NONE)
|
||||
;;
|
||||
*)
|
||||
startup_error "Invalid policy $policy"
|
||||
@ -717,8 +718,8 @@ validate_policy()
|
||||
|
||||
chain=${client}2${server}
|
||||
|
||||
[ "x$chain" = "x${FW}2${FW}" ] && \
|
||||
startup_error "fw->fw policy not allowed: $policy"
|
||||
[ "$client" != "$server" ] || [ -n "$serverwild" ] || \
|
||||
startup_error "Intra-zone policies not allowed: $client $server $policy"
|
||||
|
||||
if is_policy_chain $chain ; then
|
||||
startup_error "Duplicate policy $policy"
|
||||
@ -728,7 +729,7 @@ validate_policy()
|
||||
|
||||
chain=${client}2${server}
|
||||
|
||||
all_policy_chains="$all_policy_chains $chain"
|
||||
[ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
|
||||
|
||||
eval ${chain}_is_policy=Yes
|
||||
eval ${chain}_policy=$policy
|
||||
@ -743,6 +744,7 @@ validate_policy()
|
||||
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${zone}2${zone1}_policychain=$chain
|
||||
eval ${zone}2${zone1}_policy=$policy
|
||||
print_policy $zone $zone1
|
||||
fi
|
||||
done
|
||||
@ -753,6 +755,7 @@ validate_policy()
|
||||
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${zone}2${server}_policychain=$chain
|
||||
eval ${zone}2${server}_policy=$policy
|
||||
print_policy $zone $server
|
||||
fi
|
||||
done
|
||||
@ -763,6 +766,7 @@ validate_policy()
|
||||
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${client}2${zone}_policychain=$chain
|
||||
eval ${client}2${zone}_policy=$policy
|
||||
print_policy $client $zone
|
||||
fi
|
||||
done
|
||||
@ -2151,7 +2155,7 @@ process_rule() # $1 = target
|
||||
else
|
||||
serverport=
|
||||
[ -z "$serverzone" -o -z "$servers" ] && \
|
||||
startup_error "Empty destination zone or qualifier: rule \"$rule\""
|
||||
fatal_error "Empty destination zone or qualifier: rule \"$rule\""
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -2165,6 +2169,11 @@ process_rule() # $1 = target
|
||||
|
||||
chain=${source}2${dest}
|
||||
|
||||
eval policy=${chain}_policy
|
||||
|
||||
[ $policy = NONE ] && \
|
||||
fatal_error "Rules may not override a NONE policy: rule \"$rule\""
|
||||
|
||||
[ $command = check ] || ensurechain $chain
|
||||
|
||||
if [ "x$chain" = x${FW}2${FW} ]; then
|
||||
@ -2176,6 +2185,8 @@ process_rule() # $1 = target
|
||||
return
|
||||
;;
|
||||
esac
|
||||
elif [ "$source" = "$dest" ]; then
|
||||
fatal_error "Intra-zone rules are not allowed: rule \"$rule\""
|
||||
else
|
||||
[ $command = check ] || ensurechain $chain
|
||||
fi
|
||||
@ -3670,41 +3681,34 @@ activate_rules()
|
||||
done
|
||||
|
||||
for zone1 in $zones; do
|
||||
|
||||
eval policy=\$${zone}2${zone1}_policy
|
||||
|
||||
[ "$policy" = NONE ] && continue
|
||||
|
||||
eval dest_hosts=\$${zone1}_hosts
|
||||
|
||||
if [ $zone = $zone1 ]; then
|
||||
chain=${zone}2${zone}
|
||||
havechain $chain || chain=ACCEPT
|
||||
else
|
||||
chain="`rules_chain $zone $zone1`"
|
||||
fi
|
||||
|
||||
eval policy_chain=
|
||||
|
||||
echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
|
||||
|
||||
if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then
|
||||
have_canonical=Yes
|
||||
else
|
||||
have_canonical=
|
||||
fi
|
||||
|
||||
for host in $source_hosts; do
|
||||
interface=${host%:*}
|
||||
subnet=${host#*:}
|
||||
chain1=`forward_chain $interface`
|
||||
|
||||
if [ -n "$have_canonical" ]; then
|
||||
bounce=yes
|
||||
else
|
||||
case $interface in
|
||||
*+*)
|
||||
bounce=yes
|
||||
;;
|
||||
*)
|
||||
bounce=
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
for host1 in $dest_hosts; do
|
||||
interface1=${host1%:*}
|
||||
subnet1=${host1#*:}
|
||||
|
||||
if [ $interface != $interface1 -o -n "$bounce" ]; then
|
||||
if [ "$host" != "$host1" ]; then
|
||||
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
|
||||
fi
|
||||
done
|
||||
|
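Review bot: The NONE-policy guard added in process_rule never fires, because `eval policy=${chain}_policy` assigns the literal variable name (e.g. `loc2net_policy`) to `policy` rather than its value; the dollar sign must be escaped, as the same commit already does in activate_rules with `eval policy=\$${zone}2${zone1}_policy`. As written, a rule for a zone pair whose policy is NONE passes the check, `ensurechain` presumably creates its chain, and activate_rules then skips the jump into that chain via `[ "$policy" = NONE ] && continue`, so the rule is silently dead instead of being rejected at startup as the new fatal_error intends. The two lines should read `eval policy=\$${chain}_policy` and `[ "$policy" = NONE ] && \`, quoting `$policy` so that a chain with no policy value set (if that can occur) yields a false test rather than a `[ = NONE ]` syntax error once the variable is actually dereferenced. process_rule starts and ends outside the hunk.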
@ -1,10 +1,17 @@
|
||||
#
|
||||
# Shorewall 1.4 - /etc/shorewall/hosts
|
||||
#
|
||||
# WARNING: 90% of Shorewall users don't need to add entries to this
|
||||
# file and 80% of those who try to add such entries get it
|
||||
# wrong. Unless you are ABSOLUTELY SURE that you need entries
|
||||
# in this file, don't touch it!
|
||||
# THERE ARE TWO CASES WHERE YOU NEED THIS FILE:
|
||||
#
|
||||
# 1) YOU HAVE MULTIPLE NETWORKS IN THE SAME ZONE CONNECTED TO
|
||||
# A SINGLE INTERFACE AND YOU WANT THE SHOREWALL BOX TO ROUTE
|
||||
# BETWEEN THESE NETWORKS.
|
||||
#
|
||||
# 2) YOU HAVE MORE THAN ONE ZONE CONNECTED THROUGH A SINGLE
|
||||
# INTERFACE.
|
||||
#
|
||||
# IF YOU DON'T HAVE EITHER OF THESE SITUATIONS THEN DON'T TOUCH
|
||||
# THIS FILE.
|
||||
#
|
||||
# This file is used to define zones in terms of subnets and/or
|
||||
# individual IP addresses. Most simple setups don't need to
|
||||
|
@ -1,94 +1,19 @@
|
||||
This is a major release of Shorewall.
|
||||
This is a minor release of Shorewall.
|
||||
|
||||
Function from 1.3 that has been omitted from this version includes:
|
||||
This release introduces incompatibilities with prior releases. See
|
||||
http://www.shorewall.net/upgrade_issues.htm.
|
||||
|
||||
1) The MERGE_HOSTS variable in shorewall.conf is no longer
|
||||
supported. Shorewall 1.4 behavior is the same as 1.3 with
|
||||
MERGE_HOSTS=Yes.
|
||||
Changes are:
|
||||
|
||||
2) Interface names of the form <device>:<integer> in
|
||||
/etc/shorewall/interfaces now generate an error.
|
||||
a) There is now a new NONE policy specifiable in
|
||||
/etc/shorewall/policy. This policy will cause Shorewall to assume that
|
||||
there will never be any traffic between the source and destination
|
||||
zones.
|
||||
|
||||
3) Shorewall 1.4 implements behavior consistent with
|
||||
OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error
|
||||
at startup as will specification of the 'noping' or 'filterping'
|
||||
interface options.
|
||||
|
||||
4) The 'routestopped' option in the /etc/shorewall/interfaces and
|
||||
/etc/shorewall/hosts files is no longer supported and will generate
|
||||
an error at startup if specified.
|
||||
|
||||
5) The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
|
||||
accepted.
|
||||
|
||||
6) The ALLOWRELATED variable in shorewall.conf is no longer
|
||||
supported. Shorewall 1.4 behavior is the same as 1.3 with
|
||||
ALLOWRELATED=Yes.
|
||||
|
||||
7) The 'multi' interface option is no longer supported. Shorewall will
|
||||
generate rules for sending packets back out the same interface
|
||||
that they arrived on in two cases:
|
||||
|
||||
a) There is an _explicit_ policy for the source zone to the
|
||||
destination zone. An explicit policy names both zones and does not
|
||||
use the 'all' reserved word.
|
||||
|
||||
b) There are one or more rules for traffic for the source zone to
|
||||
or from the destination zone including rules that use the 'all'
|
||||
reserved word. Exception: If the source and the destination are
|
||||
the same zone then the rule must be explicit - it must name the zone
|
||||
in both the SOURCE and DESTINATION columns.
|
||||
|
||||
Changes for 1.4 include:
|
||||
|
||||
1) shorewall.conf has been completely reorganized into logical
|
||||
sections.
|
||||
|
||||
2) LOG is now a valid action for a rule (/etc/shorewall/rules).
|
||||
|
||||
3) The firewall script and version file are now installed in
|
||||
/usr/share/shorewall.
|
||||
|
||||
4. Late arriving DNS replies are now silently dropped in the common
|
||||
chain by default.
|
||||
|
||||
5) In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
|
||||
longer unconditionally accepts outbound ICMP packets. So if you want
|
||||
to 'ping' from the firewall, you will need the appropriate rule or
|
||||
policy.
|
||||
|
||||
6) CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
|
||||
|
||||
7) 802.11b devices with names of the form wlan<n> now support the
|
||||
'maclist' option.
|
||||
|
||||
8) IMPORTANT: Shorewall now REQUIRES the iproute package ('ip'
|
||||
utility).
|
||||
|
||||
9) Explicit Congestion Notification (ECN - RFC 3168) may now be turned
|
||||
off on a host or network basis using the new /etc/shorewall/ecn
|
||||
file. To use this facility:
|
||||
|
||||
a) You must be running kernel 2.4.20
|
||||
b) You must have applied the patch in
|
||||
http://www.shorewall/net/pub/shorewall/ecn/patch.
|
||||
c) You must have iptables 1.2.7a installed.
|
||||
|
||||
10) The /etc/shorewall/params file is now processed first so that
|
||||
variables may be used in the /etc/shorewall/shorewall.conf file.
|
||||
|
||||
11) Packets with state INVALID are now silently dropped.
|
||||
|
||||
12) Shorewall now gives a more helpful diagnostic when the 'ipchains'
|
||||
compatibility kernel module is loaded and a 'shorewall start'
|
||||
command is issued.
|
||||
|
||||
13) The SHARED_DIR variable has been removed from shorewall.conf. This
|
||||
variable was for use by package maintainers and was not documented
|
||||
for general use.
|
||||
|
||||
14) Shorewall now ignores 'default' routes when detecting masq'd
|
||||
networks.
|
||||
b) Shorewall no longer creates rules to govern traffic from an
|
||||
interface:subnet to itself.
|
||||
|
||||
c) Intra-zone traffic is always accepted now (exception is (b)
|
||||
above).. Intrazone policies and rules are no longer allowed.
|
||||
|
||||
|
||||
|