One-to-one NAT and updated common.def

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@790 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-30 14:42:01 +02:00 · 2003-11-24 19:08:43 +00:00
parent dbfc838988
commit 64bd2c9035
5 changed files with 29 additions and 148 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -1,40 +1,5 @@
-Changes since 1.4.7
+Changes since 1.4.8
-1) Applied patch from Tuomo Soini that fixes syntax error occuring with
+1) Replace "Static NAT" with "One-to-one NAT".
   some versions of 'ash'.
-2) Applied Andrew Zhoglo's patch that avoids using multiport match for
+2) Change SMB common rules to DROP.
   ICMP.
 3) Added support for QUEUE target.
 4) Fix error handling after "Unable to determine the routes..."
 5) Fix handling of LOGUNCLEAN
 6) Added BLACKLISTNEWONLY support.
 7) Correct optimization for 'complex' zones.
 8) Fix tcrules processing.
 9) Liberalize chain names used in the accounting file.
 10) Fix the fix for 'complex' zones (twice).
 11) Remove incorrect comment from shorewall.conf regarding Debian
    lockfiles.
 12) Change "_exists" suffix (including _nat_exists) to an "exists_"
    prefix to allow chain names beginning with a digit without
    lengthening the variable name.
 13) Applied and improved Eric Bowles's fix for route filtering.
 14) Corrected handling of /32 addresses with broadcast in maclist
    processing.
 15) Generate error for NONE policy where source or destination zone is
    the firewall itself.
 16) Fix 'routeback' for wildcard interfaces.
--- a/Shorewall/common.def
+++ b/Shorewall/common.def
@ -16,12 +16,12 @@ run_iptables -A common -p icmp -j icmpdef
 ############################################################################
 # NETBIOS chatter
 #
-run_iptables -A common -p udp --dport 135	  -j reject
+run_iptables -A common -p udp --dport 135	  -j DROP
-run_iptables -A common -p udp --dport 137:139     -j reject
+run_iptables -A common -p udp --dport 137:139     -j DROP
-run_iptables -A common -p udp --dport 445         -j reject
+run_iptables -A common -p udp --dport 445         -j DROP
-run_iptables -A common -p tcp --dport 139         -j reject
+run_iptables -A common -p tcp --dport 139         -j DROP
-run_iptables -A common -p tcp --dport 445         -j reject
+run_iptables -A common -p tcp --dport 445         -j DROP
-run_iptables -A common -p tcp --dport 135	  -j reject
+run_iptables -A common -p tcp --dport 135	  -j DROP
 ############################################################################
 # UPnP
 #
--- a/Shorewall/interfaces
+++ b/Shorewall/interfaces
@ -103,6 +103,11 @@
 #				       This option has no effect if 
 #				       NEWNOTSYN=Yes.
 #
 #			routeback    - If specified, indicates that Shorewall
 #				       should include rules that allow filtering
 #				       traffic arriving on this interface back
 #				       out that same interface.
 #
 #			arp_filter   - If specified, this interface will only
 #				       respond to ARP who-has requests for IP
 #				       addresses configured on the interface.
--- a/Shorewall/nat
+++ b/Shorewall/nat
@ -4,11 +4,12 @@
 #
 # /etc/shorewall/nat
 #
-#	This file is used to define static Network Address Translation (NAT).
+#	This file is used to define one-to-one Network Address Translation
 #	(NAT).
 #
 # WARNING: If all you want to do is simple port forwarding, do NOT use this
 #          file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
-#	   cases, Proxy ARP is a better solution that static NAT.
+#	   cases, Proxy ARP is a better solution that one-to-one NAT.
 #
 # Columns must be separated by white space and are:
 #
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -1,114 +1,24 @@
 This is a minor release of Shorewall.
-Problems Corrected since version 1.4.7:
+Problems Corrected since version 1.4.8:
-1) Tuomo Soini has supplied a correction to a problem that occurs using
+1) There has been a low level of confusion over the terms "Source NAT" (SNAT)
-   some versions of 'ash'. The symptom is that "shorewall start" fails
+   and "Static NAT". To avoid future confusion, all instances of "Static
-   with:
+   NAT" have been replaced with "One-to-one NAT" in the documentation and
-
+   configuration files.
   local: --limit: bad variable name
   iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so: 
   cannot open shared object file: No such file or directory
   Try `iptables -h' or 'iptables --help' for more information.
 2) Andres Zhoglo has supplied a correction that avoids trying to use
   the multiport match iptables facility on ICMP rules.
   Example of rule that previously caused "shorewall start" to fail:
 	   ACCEPT      loc  $FW  icmp    0,8,11,12
 3) Previously, if the following error message was issued, Shorewall
   was left in an inconsistent state.
   Error: Unable to determine the routes through interface xxx
 4) Handling of the LOGUNCLEAN option in shorewall.conf has been
   corrected.
 5) In Shorewall 1.4.2, an optimization was added. This optimization
   involved creating a chain named "<zone>_frwd" for most zones
   defined using the /etc/shorewall/hosts file. It has since been
   discovered that in many cases these new chains contain redundant
   rules and that the "optimization" turns out to be less than
   optimal. The implementation has now been corrected.
 6) When the MARK value in a tcrules entry is followed by ":F" or ":P",
   the ":F" or ":P" was previously only applied to the first Netfilter
   rule generated by the entry. It is now applied to all entries.
 7) The original fix for item 5) above contained a bug which caused the
   "<zone>_frwd" chain to have too few rules. That has been corrected
   (twice).  
 8) An incorrect comment concerning Debian's use of the SYBSYSLOCK
   option has been removed from shorewall.conf.
 9) Previously, neither the 'routefilter' interface option nor the
   ROUTE_FILTER parameter were working properly. This has been
   corrected (thanks to Eric Bowles for his patch). The definition
   of the ROUTE_FILTER option has changed however. Previously,
   ROUTE_FILTER=Yes was documented as enabling route filtering on all
   interfaces (which didn't work). Beginning with this release, setting
   ROUTE_FILTER=Yes will enable route filtering of all interfaces
   brought up while Shorewall is started. As a consequence,
   ROUTE_FILTER=Yes can coexist with the use of the 'routefilter'
   option in the interfaces file.
 10) If MAC verification was enabled on an interface that had a /32
    address with a broadcast address then an error would occur during
    startup.
 11) The NONE policy's intended use is to suppress the generating of
    rules that can't possibly be traversed. This means that a policy of
    NONE is inappropriate where the source or destination zone is
    $FW. Shorewall now generates an error message if such a policy is
    given in /etc/shorewall/policy. Previously such a policy caused
    "shorewall start" to fail.
 12) The 'routeback' option was broken for wildcard interfaces (e.g.,
    "tun+"). This has been corrected so that 'routeback' now works as
    expected in this case.
 Migration Issues:
-1. The definition of the ROUTE_FILTER option in shorewall.conf has
+None.
   changed as described in item 9) above.
 New Features:
-1. A new QUEUE action has been introduced for rules. QUEUE allows you
+1) To cut down on the number of "Why are these ports closed rather than
-   to pass connection requests to a user-space filter such as ftwall
+   sealthed?" questions, the SMB-related rules in
-   (http://p2pwall.sourceforge.net). The ftwall program allows for
+   /etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
-   effective filtering of p2p applications such as Kazaa.
+ 
-
+
-   For example, to use ftwall to filter P2P clients in your 'loc' zone,
+
   you would add the following rules:
   QUEUE   loc	     net	tcp
   QUEUE   loc	     net	udp
   QUEUE   loc	     fw		udp
   You would normally want to place those three rules BEFORE any ACCEPT
   rules for loc->net or loc->fw udp or tcp.
   Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
   Shorewall will only pass connection requests (SYN packets) to user
   space. This is for compatibility with ftwall.
 2. A BLACKLISTNEWNONLY option has been added to shorewall.conf. When
   this option is set to "Yes", the blacklists (dynamic and static)
   are only consulted for new connection requests. When set to "No"
   (the default if the variable is not set), the blacklists are
   consulted on every packet.
   Setting this option to "No" allows blacklisting to stop existing
   connections from a newly blacklisted host but is more expensive in
   terms of packet processing time. This is especially true if the
   blacklists contain a large number of entries.
 3. Chain names used in the /etc/shorewall/accounting file may now begin
   with a digit ([0-9]) and may contain embedded dashes ("-").