From 6403f4959dc6aef2f6bf71fdb1d33098194ae38c Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 24 Jan 2013 15:42:01 -0800 Subject: [PATCH] Implement UNTRACKED SECTION Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 8 +++ Shorewall/Perl/Shorewall/Config.pm | 24 +++++++- Shorewall/Perl/Shorewall/Rules.pm | 54 +++++++++++------- Shorewall/Samples/Universal/rules | 2 + Shorewall/Samples/Universal/shorewall.conf | 4 ++ Shorewall/Samples/one-interface/rules | 2 + .../Samples/one-interface/shorewall.conf | 4 ++ Shorewall/Samples/three-interfaces/rules | 2 + .../Samples/three-interfaces/shorewall.conf | 4 ++ Shorewall/Samples/two-interfaces/rules | 2 + .../Samples/two-interfaces/shorewall.conf | 4 ++ Shorewall/configfiles/rules | 2 + Shorewall/configfiles/shorewall.conf | 4 ++ Shorewall/manpages/shorewall.conf.xml | 56 +++++++++++++++++++ Shorewall6/Samples6/Universal/shorewall6.conf | 4 ++ .../Samples6/one-interface/shorewall6.conf | 4 ++ .../Samples6/three-interfaces/shorewall6.conf | 4 ++ .../Samples6/two-interfaces/shorewall6.conf | 4 ++ Shorewall6/configfiles/rules | 2 + Shorewall6/configfiles/shorewall6.conf | 4 ++ Shorewall6/manpages/shorewall6.conf.xml | 56 +++++++++++++++++++ 21 files changed, 229 insertions(+), 21 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index fff416752..26e75c625 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -132,6 +132,7 @@ our %EXPORT_TAGS = ( blacklist_chain related_chain invalid_chain + untracked_chain zone_forward_chain use_forward_chain input_chain @@ -1637,6 +1638,13 @@ sub invalid_chain($$) { '_' . &rules_chain(@_); } +# +# Name of the untracked chain between an ordered pair of zones +# +sub untracked_chain($$) { + '&' . &rules_chain(@_); +} + # # Create the base for a chain involving the passed interface -- we make this a function so it will be # easy to change the mapping should the need ever arrive. 
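Review bot: The `'&'` literal in the new `untracked_chain` is duplicated as the UNTRACKED entry of `%statetable` in the Rules.pm hunk, where `substr( $chainref->{name}, 0, 1 ) eq $char` relies on it to recognise the aux chain, and neither file says the two literals must agree or that the prefix must stay distinct from the `'+'` and `'_'` used by related_chain and invalid_chain. I would add above the sub: `# The '&' prefix must match the UNTRACKED entry of %statetable in Rules.pm and stay distinct from the '+' (related) and '_' (invalid) prefixes`. `&` is also a shell metacharacter, so if any code path writes chain names into shell commands rather than iptables-restore input (I can't see that from here) the name would need quoting there.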
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 4a7ae9bd5..930c65805 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -663,7 +663,6 @@ sub initialize( $;$$) { LOGALLNEW => undef, BLACKLIST_LOGLEVEL => undef, RELATED_LOG_LEVEL => undef, - INVALID_LOG_LEVEL => undef, RFC1918_LOG_LEVEL => undef, MACLIST_LOG_LEVEL => undef, TCP_FLAGS_LOG_LEVEL => undef, @@ -673,6 +672,8 @@ sub initialize( $;$$) { STARTUP_LOG => undef, SFILTER_LOG_LEVEL => undef, RPFILTER_LOG_LEVEL => undef, + INVALID_LOG_LEVEL => undef, + UNTRACKED_LOG_LEVEL => undef, # # Location of Files # @@ -784,6 +785,7 @@ sub initialize( $;$$) { RPFILTER_DISPOSITION => undef, RELATED_DISPOSITION => undef, INVALID_DISPOSITION => undef, + UNTRACKED_DISPOSITION => undef, # # Mark Geometry # @@ -5227,6 +5229,7 @@ sub get_configuration( $$$$ ) { default_log_level 'RFC1918_LOG_LEVEL', ''; default_log_level 'RELATED_LOG_LEVEL', ''; default_log_level 'INVALID_LOG_LEVEL', ''; + default_log_level 'UNTRACKED_LOG_LEVEL', ''; warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL}; 
@@ -5300,12 +5303,29 @@ sub get_configuration( $$$$ ) { fatal_error "Invalid value ($config{INVALID_DISPOSITION}) for INVALID_DISPOSITION" } - require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/; + require_capability 'AUDIT_TARGET' , "INVALID_DISPOSITION=$val", 's' if $val =~ /^A_/; } else { $config{INVALID_DISPOSITION} = 'CONTINUE'; $globals{INVALID_TARGET} = ''; } + if ( $val = $config{UNTRACKED_DISPOSITION} ) { + if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) { + $globals{UNTRACKED_TARGET} = $val; + } elsif ( $val eq 'REJECT' ) { + $globals{UNTRACKED_TARGET} = 'reject'; + } elsif ( $val eq 'A_REJECT' ) { + $globals{UNTRACKED_TARGET} = $val; + } else { + fatal_error "Invalid value ($config{UNTRACKED_DISPOSITION}) for UNTRACKED_DISPOSITION" + } + + require_capability 'AUDIT_TARGET' , "UNTRACKED_DISPOSITION=$val", 's' if $val =~ /^A_/; + } else { + $config{UNTRACKED_DISPOSITION} = 'CONTINUE'; + $globals{UNTRACKED_TARGET} = ''; + } + if ( $val = $config{MACLIST_TABLE} ) { if ( $val eq 'mangle' ) { fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/; diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 91aa509ee..c2af9ae51 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -62,14 +62,15 @@ our %sections; our $section; -use constant { NULL_SECTION => 0, - BLACKLIST_SECTION => 1, - ALL_SECTION => 2, - ESTABLISHED_SECTION => 4, - RELATED_SECTION => 8, - INVALID_SECTION => 16, - NEW_SECTION => 32, - DEFAULTACTION_SECTION => 64 }; +use constant { NULL_SECTION => 0x00, + BLACKLIST_SECTION => 0x01, + ALL_SECTION => 0x02, + ESTABLISHED_SECTION => 0x04, + RELATED_SECTION => 0x08, + INVALID_SECTION => 0x10, + UNTRACKED_SECTION => 0x20, + NEW_SECTION => 0x40, + DEFAULTACTION_SECTION => 0x80 }; # # These are the sections that may appear in a section header # 
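Review bot: An explicit `UNTRACKED_DISPOSITION=CONTINUE` ends in `fatal_error "Invalid value (CONTINUE) for UNTRACKED_DISPOSITION"`, because the new block only reaches the `else` that sets CONTINUE when the value is empty and none of the inner branches accept the literal `CONTINUE` — yet every sample shorewall.conf and shorewall6.conf in this same commit sets exactly that. Unless the config reader normalises CONTINUE to an empty string before this point (nothing visible does), add a branch before the `else`: `} elsif ( $val eq 'CONTINUE' ) {` / `$globals{UNTRACKED_TARGET} = '';`. The head of the INVALID_DISPOSITION block is outside the hunk, so I can't tell whether it has the same gap; the two blocks should be made to agree.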
@@ -77,6 +78,7 @@ our %section_map = ( ALL => ALL_SECTION, ESTABLISHED => ESTABLISHED_SECTION, RELATED => RELATED_SECTION, INVALID => INVALID_SECTION, + UNTRACKED => UNTRACKED_SECTION, NEW => NEW_SECTION ); our @policy_chains; @@ -173,6 +175,7 @@ sub initialize( $ ) { ESTABLISHED => 0, RELATED => 0, INVALID => 0, + UNTRACKED => 0, NEW => 0 ); # @@ -848,20 +851,24 @@ sub finish_chain_section ($$$) { my $related_target = $globals{RELATED_TARGET}; my $invalid_level = $config{INVALID_LOG_LEVEL}; my $invalid_target = $globals{INVALID_TARGET}; + my $untracked_level = $config{UNTRACKED_LOG_LEVEL}; + my $untracked_target = $globals{UNTRACKED_TARGET}; my $save_comment = push_comment; my %state; - my %statetable = ( RELATED => [ '+', $related_level, $related_target ] , - INVALID => [ '_', $invalid_level, $invalid_target ] ); + my %statetable = ( RELATED => [ '+', $related_level, $related_target ] , + INVALID => [ '_', $invalid_level, $invalid_target ] , + UNTRACKED => [ '&', $untracked_level, $untracked_target ] , + ); $state{$_} = 1 for split ',', $state; - for ( qw/ESTABLISHED RELATED INVALID/ ) { + for ( qw/ESTABLISHED RELATED INVALID UNTRACKED/ ) { delete $state{$_} if $chain1ref->{sections}{$_}; } $chain1ref->{sections}{$_} = 1 for keys %state; - for ( qw( RELATED INVALID ) ) { + for ( qw( RELATED INVALID UNTRACKED ) ) { if ( $state{$_} ) { my ( $char, $level, $target ) = @{$statetable{$_}}; my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char; @@ -951,6 +958,8 @@ sub ensure_rules_chain( $ ) unless ( $chainref->{referenced} ) { if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) { + finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID,UNTRACKED'; + } elsif ( $section == UNTRACKED_SECTION ) { finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID'; } elsif ( $section == INVALID_SECTION ) { finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED'; 
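Review bot: UNTRACKED is a state only the conntrack match (`-m conntrack --ctstate`) understands; the legacy `-m state --state` match rejects it, so any rule this hunk now generates for the UNTRACKED entry of `%statetable` would fail at load time on a system without conntrack match. I can't see `state_imatch` from here; if it can fall back to `-m state`, the UNTRACKED handling should be gated by a capability check, in the way the Config.pm hunk gates `A_*` dispositions with `require_capability 'AUDIT_TARGET'`, rather than failing at `iptables-restore` time. finish_chain_section's body continues past the end of the hunk, so I can't confirm whether it emits anything when no `&` chain, level or target exists.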
@@ -978,6 +987,8 @@ sub finish_section ( $ ) { $function = \&related_chain; } elsif ( $section == INVALID_SECTION ) { $function = \&invalid_chain; + } elsif ( $section == UNTRACKED_SECTION ) { + $function = \&untracked_chain; } else { $function = \&rules_chain; } @@ -2299,7 +2310,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { # # Handle rules in the BLACKLIST, RELATED and INVALID sections # - if ( $section & ( BLACKLIST_SECTION | RELATED_SECTION | INVALID_SECTION ) ) { + if ( $section & ( BLACKLIST_SECTION | RELATED_SECTION | INVALID_SECTION | UNTRACKED_SECTION ) ) { my $auxchain; my $auxref; @@ -2307,6 +2318,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { $auxchain = blacklist_chain( ${sourcezone}, ${destzone} ); } elsif ( $section == INVALID_SECTION ) { $auxchain = invalid_chain( ${sourcezone}, ${destzone} ); + } elsif ( $section == UNTRACKED_SECTION ) { + $auxchain = related_chain( ${sourcezone}, ${destzone} ); } else { $auxchain = related_chain( ${sourcezone}, ${destzone} ); } @@ -2323,6 +2336,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { $auxref->{blacklistsection} = 1; } elsif ( $section == INVALID_SECTION ) { @state = state_imatch( 'INVALID' ); + } elsif ( $section == UNTRACKED_SECTION ) { + @state = state_imatch( 'UNTRACKED' ); } else { @state = state_imatch 'RELATED'; }; @@ -2412,7 +2427,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { do_headers( $headers ) , do_condition( $condition , $chain ) , ); - } elsif ( $section & ( INVALID_SECTION | RELATED_SECTION ) ) { + } elsif ( $section & ( INVALID_SECTION | RELATED_SECTION | UNTRACKED_SECTION ) ) { $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , 
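Review bot: The new `elsif ( $section == UNTRACKED_SECTION )` branch in process_rule1 sets `$auxchain = related_chain( ${sourcezone}, ${destzone} )`, which is identical to the `else` branch right below it, so UNTRACKED-section rules land in the `+` (RELATED) aux chain while finish_section and the `%statetable` entry in the earlier hunk expect them in the `&` chain from `untracked_chain` — a function this commit exports but never calls. A rule carrying the `state_imatch( 'UNTRACKED' )` match added further down presumably never matches inside a chain reached via the RELATED jump, so the whole UNTRACKED section would be silently dead and its traffic would fall through to UNTRACKED_DISPOSITION and the NEW section. The fix is the one line `$auxchain = untracked_chain( ${sourcezone}, ${destzone} );`. process_rule1 starts and ends outside the hunks.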
@@ -2588,12 +2603,13 @@ sub process_section ($) { finish_section 'ESTABLISHED'; } elsif ( $sect eq 'INVALID' ) { @sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 ); - finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' ); + finish_section ( 'ESTABLISHED,RELATED' ); + } elsif ( $sect eq 'UNTRACKED' ) { + @sections{'ALL','ESTABLISHED','RELATED', 'INVALID' } = ( 1, 1, 1, 1 ); + finish_section ( 'ESTABLISHED,RELATED, INVALID' ); } elsif ( $sect eq 'NEW' ) { - @sections{'ALL','ESTABLISHED','RELATED','INVALID','NEW'} = ( 1, 1, 1, 1, 1 ); - finish_section ( ( $section == RELATED_SECTION ) ? 'RELATED,INVALID' : - ( $section == INVALID_SECTION ) ? 'INVALID' : - 'ESTABLISHED,RELATED,INVALID' ); + @sections{'ALL','ESTABLISHED','RELATED','INVALID','UNTRACKED', 'NEW'} = ( 1, 1, 1, 1, 1, 1 ); + finish_section ( 'ESTABLISHED,RELATED,INVALID' ); } $section = $section_map{$sect}; diff --git a/Shorewall/Samples/Universal/rules b/Shorewall/Samples/Universal/rules index dd191d2cf..99baa901a 100644 --- a/Shorewall/Samples/Universal/rules +++ b/Shorewall/Samples/Universal/rules @@ -12,6 +12,8 @@ #SECTION ALL #SECTION ESTABLISHED #SECTION RELATED +#SECTION INVALID +#SECTION UNTRACKED SECTION NEW Invalid(DROP) net $FW tcp SSH(ACCEPT) net $FW diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf index 30e3fc77d..a69ef3295 100644 --- a/Shorewall/Samples/Universal/shorewall.conf +++ b/Shorewall/Samples/Universal/shorewall.conf @@ -53,6 +53,8 @@ STARTUP_LOG=/var/log/shorewall-init.log TCP_FLAGS_LOG_LEVEL=info +UNTRACKED_LOG_LEVEL= + ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### 
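Review bot: In the new `UNTRACKED` branch of process_section the string handed to finish_section is `'ESTABLISHED,RELATED, INVALID'` with a space before INVALID; finish_chain_section in the earlier hunk does `$state{$_} = 1 for split ',', $state` and then tests `$state{INVALID}`, so the key becomes `' INVALID'`, the INVALID handling is skipped and a bogus `' INVALID'` key is recorded in `{sections}` (assuming finish_section passes the string through unchanged, which I can't see from here). The `NEW` branch's list `'ESTABLISHED,RELATED,INVALID'` also omits UNTRACKED, whereas ensure_rules_chain in the same file passes `'ESTABLISHED,RELATED,INVALID,UNTRACKED'` for the NEW/DEFAULTACTION case, so rules chains that already existed before `SECTION NEW` would be finished without the UNTRACKED state. I would change the two calls to `finish_section ( 'ESTABLISHED,RELATED,INVALID' );` and `finish_section ( 'ESTABLISHED,RELATED,INVALID,UNTRACKED' );` respectively.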
@@ -240,6 +242,8 @@ SFILTER_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP +UNTRACKED_DISPOSITION=CONTINUE + ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ diff --git a/Shorewall/Samples/one-interface/rules b/Shorewall/Samples/one-interface/rules index e83cac99b..59eae5691 100644 --- a/Shorewall/Samples/one-interface/rules +++ b/Shorewall/Samples/one-interface/rules @@ -16,6 +16,8 @@ #SECTION ALL #SECTION ESTABLISHED #SECTION RELATED +#SECTION INVALID +#SECTION UNTRACKED SECTION NEW # Drop packets in the INVALID state diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf index e9df443c9..b3c9581dd 100644 --- a/Shorewall/Samples/one-interface/shorewall.conf +++ b/Shorewall/Samples/one-interface/shorewall.conf @@ -64,6 +64,8 @@ STARTUP_LOG=/var/log/shorewall-init.log TCP_FLAGS_LOG_LEVEL=info +UNTRACKED_LOG_LEVEL= + ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### @@ -251,6 +253,8 @@ SFILTER_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP +UNTRACKED_DISPOSITION=CONTINUE + ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ diff --git a/Shorewall/Samples/three-interfaces/rules b/Shorewall/Samples/three-interfaces/rules index 33d5ca927..002a7dea0 100644 --- a/Shorewall/Samples/three-interfaces/rules +++ b/Shorewall/Samples/three-interfaces/rules @@ -16,6 +16,8 @@ #SECTION ALL #SECTION ESTABLISHED #SECTION RELATED +#SECTION INVALID +#SECTION UNTRACKED SECTION NEW # Don't allow connection pickup from the net 
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf index afde9972a..ffb0c07b6 100644 --- a/Shorewall/Samples/three-interfaces/shorewall.conf +++ b/Shorewall/Samples/three-interfaces/shorewall.conf @@ -62,6 +62,8 @@ STARTUP_LOG=/var/log/shorewall-init.log TCP_FLAGS_LOG_LEVEL=info +UNTRACKED_LOG_LEVEL= + ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### @@ -249,6 +251,8 @@ SFILTER_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP +UNTRACKED_DISPOSITION=CONTINUE + ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ diff --git a/Shorewall/Samples/two-interfaces/rules b/Shorewall/Samples/two-interfaces/rules index 2aefcc815..0eab21390 100644 --- a/Shorewall/Samples/two-interfaces/rules +++ b/Shorewall/Samples/two-interfaces/rules @@ -16,6 +16,8 @@ #SECTION ALL #SECTION ESTABLISHED #SECTION RELATED +#SECTION INVALID +#SECTION UNTRACKED SECTION NEW # Don't allow connection pickup from the net diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index a0502918f..c65eb818d 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf @@ -65,6 +65,8 @@ STARTUP_LOG=/var/log/shorewall-init.log TCP_FLAGS_LOG_LEVEL=info +UNTRACKED_LOG_LEVEL= + ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### 
@@ -252,6 +254,8 @@ SFILTER_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP +UNTRACKED_DISPOSITION=CONTINUE + ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ diff --git a/Shorewall/configfiles/rules b/Shorewall/configfiles/rules index 688dd5071..2ae67a390 100644 --- a/Shorewall/configfiles/rules +++ b/Shorewall/configfiles/rules @@ -12,4 +12,6 @@ #SECTION ALL #SECTION ESTABLISHED #SECTION RELATED +#SECTION INVALID +#SECTION UNTRACKED SECTION NEW diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 2c0ec4692..a325b8648 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -53,6 +53,8 @@ STARTUP_LOG=/var/log/shorewall-init.log TCP_FLAGS_LOG_LEVEL=info +UNTRACKED_LOG_LEVEL= + ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### @@ -240,6 +242,8 @@ SFILTER_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP +UNTRACKED_DISPOSITION=CONTINUE + ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index efaee8096..cb27963b6 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml 
@@ -942,6 +942,34 @@ net all DROP infothen the chain name is 'net2all' + + INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE] + + + Added in Shorewall 4.5.13. Shorewall has traditionally passed + INVALID packets through the NEW section of shorewall-rules (5). When a + packet in INVALID state fails to match any rule in the INVALID + section, the packet is disposed of based on this setting. The + default value is CONTINUE for compatibility with earlier + versions. + + + + + INVALID_LOG_LEVEL=log-level + + + Added in Shorewall 4.5.13. Packets in the INVALID state that + do not match any rule in the INVALID section of shorewall-rules (5) are + logged at this level. The default value is empty which means no + logging is performed. + + + IP=[pathname] @@ -2439,6 +2467,34 @@ LOG:info:,bar net fw + + UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE] + + + Added in Shorewall 4.5.13. Shorewall has traditionally passed + UNTRACKED packets through the NEW section of shorewall-rules (5). When a + packet in UNTRACKED state fails to match any rule in the UNTRACKED + section, the packet is disposed of based on this setting. The + default value is CONTINUE for compatibility with earlier + versions. + + + + + UNTRACKED_LOG_LEVEL=log-level + + + Added in Shorewall 4.5.13. Packets in the UNTRACKED state that + do not match any rule in the UNTRACKED section of shorewall-rules (5) are logged at + this level. The default value is empty which means no logging is + performed. + + + USE_DEFAULT_RT=[Yes|No] diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf index 13b89547e..2183d92db 100644 --- a/Shorewall6/Samples6/Universal/shorewall6.conf +++ b/Shorewall6/Samples6/Universal/shorewall6.conf 
@@ -52,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log TCP_FLAGS_LOG_LEVEL=info +UNTRACKED_LOG_LEVEL= + ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### @@ -213,6 +215,8 @@ SMURF_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP +UNTRACKED_DISPOSITION=CONTINUE + ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf index 9e4e1f31f..6d44bad8a 100644 --- a/Shorewall6/Samples6/one-interface/shorewall6.conf +++ b/Shorewall6/Samples6/one-interface/shorewall6.conf @@ -52,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log TCP_FLAGS_LOG_LEVEL=info +UNTRACKED_LOG_LEVEL= + ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### @@ -213,6 +215,8 @@ SMURF_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP +UNTRACKED_DISPOSITION=CONTINUE + ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf index 7ccd5bbeb..df6a9e909 100644 --- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf 
@@ -52,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log TCP_FLAGS_LOG_LEVEL=info +UNTRACKED_LOG_LEVEL= + ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### @@ -213,6 +215,8 @@ SMURF_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP +UNTRACKED_DISPOSITION=CONTINUE + ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf index 9c691f931..e1a3a175c 100644 --- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf @@ -52,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log TCP_FLAGS_LOG_LEVEL=info +UNTRACKED_LOG_LEVEL= + ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### @@ -213,6 +215,8 @@ SMURF_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP +UNTRACKED_DISPOSITION=CONTINUE + ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ diff --git a/Shorewall6/configfiles/rules b/Shorewall6/configfiles/rules index 243ecfc4e..207dead3f 100644 --- a/Shorewall6/configfiles/rules +++ b/Shorewall6/configfiles/rules @@ -12,4 +12,6 @@ #SECTION ALL #SECTION ESTABLISHED #SECTION RELATED +#SECTION INVALID +#SECTION UNTRACKED SECTION NEW diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf index 3bde1ff60..134a790ae 100644 --- a/Shorewall6/configfiles/shorewall6.conf 
+++ b/Shorewall6/configfiles/shorewall6.conf @@ -52,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log TCP_FLAGS_LOG_LEVEL=info +UNTRACKED_LOG_LEVEL= + ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### @@ -213,6 +215,8 @@ SMURF_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP +UNTRACKED_DISPOSITION=CONTINUE + ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index a0a044ef1..73cbf722e 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -818,6 +818,34 @@ net all DROP infothen the chain name is 'net2all' + + INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE] + + + Added in Shorewall 4.5.13. Shorewall has traditionally passed + INVALID packets through the NEW section of shorewall-rules (5). When a + packet in INVALID state fails to match any rule in the INVALID + section, the packet is disposed of based on this setting. The + default value is CONTINUE for compatibility with earlier + versions. + + + + + INVALID_LOG_LEVEL=log-level + + + Added in Shorewall 4.5.13. Packets in the INVALID state that + do not match any rule in the INVALID section of shorewall-rules (5) are + logged at this level. The default value is empty which means no + logging is performed. + + + IP=[pathname] 
@@ -2113,6 +2141,34 @@ LOG:info:,bar net fw + + UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE] + + + Added in Shorewall 4.5.13. Shorewall has traditionally passed + UNTRACKED packets through the NEW section of shorewall6-rules (5). When a + packet in UNTRACKED state fails to match any rule in the UNTRACKED + section, the packet is disposed of based on this setting. The + default value is CONTINUE for compatibility with earlier + versions. + + + + + UNTRACKED_LOG_LEVEL=log-level + + + Added in Shorewall 4.5.13. Packets in the UNTRACKED state that + do not match any rule in the UNTRACKED section of shorewall-rules (5) are + logged at this level. The default value is empty which means no + logging is performed. + + + USE_DEFAULT_RT=[Yes|No]