From c36a7cd35bcc57533df144ed6b81b2c2af6083ab Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 15 Mar 2017 08:55:41 -0700
Subject: [PATCH 1/3] Correct typo in the Shorewall6 sample .conf files.
Signed-off-by: Tom Eastep
---
 Shorewall6/Samples6/Universal/shorewall6.conf | 2 +-
 Shorewall6/Samples6/one-interface/shorewall6.conf | 2 +-
 Shorewall6/Samples6/three-interfaces/shorewall6.conf | 2 +-
 Shorewall6/Samples6/two-interfaces/shorewall6.conf | 2 +-
 Shorewall6/configfiles/shorewall6.conf | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index c0c3ccb5f..76fe425ac 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -107,7 +107,7 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL:DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index 43f9e54d3..96734a606 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -108,7 +108,7 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL:DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index 88b5ec724..a64c02fe6 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -107,7 +107,7 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL:DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index 669fa3d6e..47cfb021b 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -107,7 +107,7 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL:DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index 2fd6e821e..1cc72fcfd 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -107,7 +107,7 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL:DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
From c3303067fc923948863a0878ddb6b9a8bcd2688d Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 15 Mar 2017 10:09:53 -0700
Subject: [PATCH 2/3] Correct all+ handling in the policy file
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Rules.pm | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 9010c5ddf..ee86dc078 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -747,22 +747,21 @@ sub process_a_policy1($$$$$$$) {
 if ( $serverwild ) {
 for my $zone ( @zonelist ) {
 for my $zone1 ( @zonelist ) {
- set_policy_chain rules_chain( ${zone}, ${zone1} ), $client, $server, $chainref, $policy, $intrazone;
+ set_policy_chain rules_chain( ${zone}, ${zone1} ), $zone, $zone1, $chainref, $policy, $intrazone;
 print_policy $zone, $zone1, $originalpolicy, $chain;
 }
 }
 } else {
 for my $zone ( all_zones ) {
- set_policy_chain rules_chain( ${zone}, ${server} ), $client, $server, $chainref, $policy, $intrazone;
+ set_policy_chain rules_chain( ${zone}, ${server} ), $zone, $server, $chainref, $policy, $intrazone;
 print_policy $zone, $server, $originalpolicy, $chain;
 }
 }
 } elsif ( $serverwild ) {
 for my $zone ( @zonelist ) {
- set_policy_chain rules_chain( ${client}, ${zone} ), $client, $server, $chainref, $policy, $intrazone;
+ set_policy_chain rules_chain( ${client}, ${zone} ), $client, $zone, $chainref, $policy, $intrazone;
 print_policy $client, $zone, $originalpolicy, $chain;
 }
-
 } else {
 print_policy $client, $server, $originalpolicy, $chain;
 }
From 31bd10ffdd88a4b5dc03c484c8ffc367b3be8c3f Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 15 Mar 2017 21:18:23 -0700
Subject: [PATCH 3/3] Correct two-interface sample snat file - s/92/192/
Signed-off-by: Tom Eastep
---
 Shorewall/Samples/two-interfaces/snat | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall/Samples/two-interfaces/snat b/Shorewall/Samples/two-interfaces/snat
index 905a258ad..3610b3c3a 100644
--- a/Shorewall/Samples/two-interfaces/snat
+++ b/Shorewall/Samples/two-interfaces/snat
@@ -20,4 +20,4 @@
 MASQUERADE 10.0.0.0/8,\
 169.254.0.0/16,\
 172.16.0.0/12,\
- 92.168.0.0/16 eth0
+ 192.168.0.0/16 eth0
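Review bot: In the Rules.pm hunk, the wildcard-client branch with a specific server loops over `all_zones`, while the two neighbouring branches loop over `@zonelist`. Since the loop variable is now passed to `set_policy_chain` as the source zone, the choice of list decides which concrete zone pairs receive the policy. How `@zonelist` is built is outside the hunk, so the difference may be deliberate, but it deserves a one-line comment, or a switch to `@zonelist` if it is not. A comment above the first call, such as `# pass the expanded zone names, not the wildcard $client/$server`, would also keep the three call sites from drifting back to the old arguments. process_a_policy1 begins and ends outside the hunk.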