More 1.3.14 Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@456 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-02-19 23:52:03 +00:00
parent 84ed075e10
commit 6cabdfae5d
8 changed files with 106 additions and 110 deletions


@ -31,4 +31,13 @@ Changes since 1.3.14
13. Update Documentation for 1.4
13. Remove icmp.def file.
14. Remove icmp.def file.
15. Added CONTINUE rule target.
16. Added Andrew Zhoglo's fix for logunclean.
17. Removed 'multi' option.
18. Support 802.11b devices with maclist.


@ -310,7 +310,7 @@ havenatchain() # $1 = name of chain
}
#
# Ensure that a chain exists (create it if it doesn't)
# Ensure that a nat chain exists (create it if it doesn't)
#
ensurenatchain() # $1 = chain name
{
@ -493,7 +493,7 @@ determine_interfaces() {
for zone in $zones; do
interfaces=`find_interfaces $zone`
interfaces=`echo $interfaces` # Remove extra trash
eval ${zone}_interfaces="\$interfaces"
eval ${zone}_interfaces=\"\$interfaces\"
done
}
@ -585,7 +585,7 @@ validate_interfaces_file() {
for option in $options; do
case $option in
dhcp|norfc1918|multi|tcpflags)
dhcp|norfc1918|tcpflags)
;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
;;
@ -728,10 +728,6 @@ validate_rule() {
[ -n "$port" ] && dports="--icmp-type $port"
state=""
;;
related|RELATED)
proto=
state="-m state --state RELATED"
;;
*)
state=
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
@ -754,6 +750,12 @@ validate_rule() {
startup_error "Server port may not be specified in an ACCEPT rule;"\
"rule: \"$rule\""
;;
CONTINUE)
target=RETURN
[ -n "$servport" ] && \
startup_error "Server port may not be specified in a CONTINUE rule;"\
"rule: \"$rule\""
;;
LOG)
[ -n "$servport" ] && \
startup_error "Server port may not be specified in an LOG rule;"\
@ -956,7 +958,7 @@ validate_rules() # $1 = name of rules file
expandv clients servers protocol ports cports address
case "$target" in
ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*|LOG*)
ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*|LOG*|CONTINUE*)
rule="`echo $target $clients $servers $protocol $ports $cports $address`"
validate_rule
;;
@ -1261,8 +1263,10 @@ stop_firewall() {
while read interface host; do
expandv interface host
[ "x$host" = "x-" ] && host=
hosts="$hosts $interface:${host:-0.0.0.0/0}"
[ "x$host" = "x-" ] && host=0.0.0.0/0
for h in `separate_list $host`; do
hosts="$hosts $interface:$h"
done
done < $TMP_DIR/routestopped
for host in $hosts; do
@ -1553,10 +1557,10 @@ setup_mac_lists() {
#
for interface in $maclist_interfaces; do
case $interface in
eth*)
eth*|wlan*)
;;
*)
fatal_error "MAC verification is only supported on ethernet devices: $interface"
fatal_error "MAC verification is only supported on ethernet and 802.11b devices: $interface"
;;
esac
@ -2156,10 +2160,6 @@ add_a_rule()
fatal_error "Port number not allowed with \"all\"; rule: \"$rule\""
proto=
;;
related|RELATED)
proto=
state="-m state --state RELATED"
;;
*)
state=
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
@ -2443,9 +2443,9 @@ process_rules() # $1 = name of rules file
}
while read xtarget xclients xservers xprotocol xports xcports xaddress; do
case "$xtarget" in
case "${xtarget%:*}" in
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*|LOG|LOG:*)
ACCEPT|DROP|REJECT|DNAT|DNAT|DNAT-|REDIRECT|LOG|CONTINUE)
expandv xclients xservers xprotocol xports xcports xaddress
if [ "x$xclients" = xall ]; then
@ -3049,19 +3049,6 @@ setup_masq()
done < $TMP_DIR/masq
}
#
# Setup Intrazone chain if appropriate
#
setup_intrazone() # $1 = zone
{
eval hosts=\$${1}_hosts
if [ "$hosts" != "${hosts% *}" ] || \
have_interfaces_in_zone_with_option $1 multi
then
ensurechain ${1}2${1}
fi
}
#
# Add a record to the blacklst chain
#
@ -3498,10 +3485,10 @@ add_common_rules() {
if [ -n "$LOGUNCLEAN" ]; then
if [ "$LOGUNCLEAN" = ULOG ]; then
logoptions="-j ULOG $LOGPARAMS --ulog-prefix Shorewall:badpkt:DROP:"
logoptions="-j ULOG $LOGPARMS --ulog-prefix Shorewall:badpkt:DROP:"
logoptions="$logoptions --log-ip-options"
else
logoptions="-j LOG $LOGPARAMS --log-prefix Shorewall:badpkt:DROP:"
logoptions="-j LOG $LOGPARMS --log-prefix Shorewall:badpkt:DROP:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
fi
@ -3530,10 +3517,10 @@ add_common_rules() {
[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
if [ "$LOGUNCLEAN" = ULOG ]; then
logoptions="-j ULOG $LOGPARAMS --ulog-prefix Shorewall:logpkt:LOG:"
logoptions="-j ULOG $LOGPARMS --ulog-prefix Shorewall:logpkt:LOG:"
logoptions="$logoptions --log-ip-options"
else
logoptions="-j LOG $LOGPARAMS --log-prefix Shorewall:logpkt:LOG:"
logoptions="-j LOG $LOGPARMS --log-prefix Shorewall:logpkt:LOG:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
fi
@ -3776,11 +3763,11 @@ apply_policy_rules() {
fi
done
#
# Add policy rules to canonical chains
#
for zone in $FW $zones; do
setup_intrazone $zone
for zone1 in $FW $zones; do
chain=${zone}2${zone1}
if havechain $chain; then
@ -3845,8 +3832,6 @@ activate_rules()
addnatjump POSTROUTING `output_chain $interface` -o $interface
done
multi_interfaces=`find_interfaces_by_option multi`
> ${STATEDIR}/chains
> ${STATEDIR}/zones
@ -3896,14 +3881,14 @@ activate_rules()
chain1=`forward_chain $interface`
if [ -n "$have_canonical" ]; then
multi=yes
bounce=yes
else
case $interface in
*+*)
multi=yes
bounce=yes
;;
*)
list_search $interface $multi_interfaces && multi=yes || multi=
bounce=
;;
esac
fi
@ -3912,9 +3897,8 @@ activate_rules()
interface1=${host1%:*}
subnet1=${host1#*:}
if [ $interface != $interface1 -o -n "$multi" ]; then
run_iptables -A $chain1 -s $subnet \
-o $interface1 -d $subnet1 -j $chain
if [ $interface != $interface1 -o -n "$bounce" ]; then
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
fi
done
done
@ -4053,6 +4037,8 @@ check_config() {
validate_hosts_file
validate_bounce_file
echo "Determining Hosts in Zones..."
determine_interfaces
@ -4204,7 +4190,19 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
#
# If the zone passed in the command has a dnat chain then insert a rule in
# the nat table PREROUTING chain to jump to that chain when the source
# matches the new host(s)
# matches the new host(s)#
# Setup Intrazone chain if appropriate
#
setup_intrazone() # $1 = zone
{
eval hosts=\$${1}_hosts
if have_interfaces_in_zone_with_option $1 multi; then
ensurechain ${1}2${1}
fi
}
#
chain=${zone}_dnat
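Review bot: The `setup_intrazone` definition at the end of this section has been pasted into the middle of a comment block rather than at top level: the line `# matches the new host(s)#` is the old comment with the new text glued onto it, and the function body now sits immediately before `chain=${zone}_dnat`, inside what the hunk header identifies as add_to_zone, whose start lies outside the hunk. Its only visible caller, the `setup_intrazone $zone` line in apply_policy_rules, is removed by this same commit, and the test it still performs, `have_interfaces_in_zone_with_option $1 multi`, keys on the 'multi' interface option that this commit deletes from validate_interfaces_file, so as far as these hunks show the function can never create a chain and is never called. Unless something in the unseen part of add_to_zone invokes it, drop the pasted lines from `# Setup Intrazone chain if appropriate` through the closing `}` and the stray `#` that follows, and restore the comment line to `# matches the new host(s)`. Leaving an orphaned function that silently tests a removed option is the kind of leftover that later gets "fixed" into real behaviour by mistake.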


@ -1,45 +1,22 @@
#
# Shorewall 1.4 - /etc/shorewall/hosts
# Shorewall 1.4 - /etc/shorewall/bounce
#
# WARNING: 90% of Shorewall users don't need to add entries to this
# file and 80% of those who try to add such entries get it
# wrong. Unless you are ABSOLUTELY SURE that you need entries
# in this file, don't touch it!
# Normally, Shorewall assumes that the firewall/gateway will not be
# routing requests back out the same interface that they came in on.
# If you have such requirements, they should be defined here.
#
# This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to
# (should not) place anything in this file. Note that if you
# assign one or more interfaces to a zone in /etc/shorewall/interfaces,
# the hosts/networks that you define for the zone in the file will be
# IN ADDITION to those interfaces.
# Columns are:
#
# ZONE - The name of a zone defined in /etc/shorewall/zones
# INTERFACE The name of an interfaces defined
# in /etc/shorewall/interfaces
#
# HOST(S) - The name of an interface followed by a colon (":") and
# either:
# SOURCE The name of a zone followed by a
# colon (":") and the address of a
# host or subnet.
#
# a) The IP address of a host
# b) A subnetwork in CIDR format
# (<subnet-address>/<mask width>)
#
# The interface must be defined in the
# /etc/shorewall/interfaces file.
# DESTINATION The name of a zone followed by a
# colon and the address of a host
# or subnet.
#
# Examples:
#
# eth1:192.168.1.3
# eth2:192.168.2.0/24
#
# OPTIONS - A comma-separated list of options. Currently-defined
# options are:
#
# maclist - Connection requests from these hosts
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
#
#ZONE HOST(S) OPTIONS
#INTERFACE SOURCE DESTINATION
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE


@ -54,9 +54,6 @@
# enabled in shorewall.conf, packets
# whose destination addresses are
# reserved by RFC 1918 are also rejected.
# multi - This interface has multiple IP
# addresses and you want to be able to
# route between them.
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in


@ -1,6 +1,6 @@
This is a major release of Shorewall.
Function from 1.3 that has been omitted from this version include:
Function from 1.3 that has been omitted from this version includes:
1) The MERGE_HOSTS variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with
@ -25,6 +25,20 @@ Function from 1.3 that has been omitted from this version include:
supported. Shorewall 1.4 behavior is the same as 1.3 with
ALLOWRELATED=Yes.
7. The 'multi' interface option is no longer supported. Shorewall will
generate rules for sending packets back out the same interface
that they arrived on in two cases:
a) There is an _explicit_ policy for the source zone to the
destination zone. An explicit policy names both zones and does not
use the 'all' reserved word.
b) There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all'
reserved word. Exception: If the source and the destination are
the same zone then the rule must be explicit - it must name the zone
in both the SOURCE and DESTINATION columns.
Changes for 1.4 include:
1. shorewall.conf has been completely reorganized into logical
@ -38,9 +52,16 @@ Changes for 1.4 include:
4. Late arriving DNS replies are now silently dropped in the common
chain by default.
5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall 2.0 no
5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or
policy.
policy.
6. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
7. 802.11b devices with names of the form wlan<n> now support the
'maclist' option.


@ -12,7 +12,7 @@
# INTERFACE - Interface through which host(s) communicate with
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# addresses. If left empty or supplied as "-",
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
#
# Example:


@ -30,18 +30,25 @@
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
# The source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case) as a log level.\
# This will log to the ULOG target and sent to a separate log
# through use of ulogd
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
@ -106,10 +113,8 @@
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# "all" or "related". If "related", the remainder of the
# entry must be omitted and connection requests that are
# related to existing requests will be accepted.
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port


@ -212,17 +212,6 @@ MODULESDIR=
#
FW=fw
# ALLOW RELATED CONNECTIONS
#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want
# to accept FTP data connections. If you say "no" here, then to accept
# these connections between particular zones or hosts, you must include
# explicit "related" rules in /etc/shorewall/rules.
#
ALLOWRELATED=yes
#
# ENABLE NAT SUPPORT
#