extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-18 15:46:55 +02:00
Code Issues Packages Projects Releases Wiki Activity

Slightly less horrible Hack to make the Tunnels file still work with the sectioned Rules file

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2569 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-08-27 14:50:33 +00:00
parent 2a55b70b32
commit 739db31efb
3 changed files with 43 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/changelog.txt
View File

@ -15,6 +15,8 @@ Changes in 2.5.3
7) Section the rules file. 7) Section the rules file.
8) Fixed tunnels/rules interaction problems.
Changes in 2.5.2 Changes in 2.5.2
1) Allow port lists in /etc/sorewall/accounting. 1) Allow port lists in /etc/sorewall/accounting.

59
Shorewall/firewall
View File

@ -2192,7 +2192,7 @@ setup_tunnels() # $1 = name of tunnels file
{ {
local inchain local inchain
local outchain local outchain
local options="-m state --state NEW,INVALID -j ACCEPT"
setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones
{ {
@ -2208,13 +2208,13 @@ setup_tunnels() # $1 = name of tunnels file
[ $kind = IPSEC ] && kind=ipsec [ $kind = IPSEC ] && kind=ipsec
options="-m state --state NEW -j ACCEPT"
addrule2 $inchain -p 50 $(source_ip_range $1) $options addrule2 $inchain -p 50 $(source_ip_range $1) -j ACCEPT
addrule2 $outchain -p 50 $(dest_ip_range $1) $options addrule2 $outchain -p 50 $(dest_ip_range $1) -j ACCEPT
if [ -z "$noah" ]; then if [ -z "$noah" ]; then
run_iptables -A $inchain -p 51 $(source_ip_range $1) $options run_iptables -A $inchain -p 51 $(source_ip_range $1) -j ACCEPT
run_iptables -A $outchain -p 51 $(dest_ip_range $1) $options run_iptables -A $outchain -p 51 $(dest_ip_range $1) -j ACCEPT
fi fi
run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
@ -2245,26 +2245,26 @@ setup_tunnels() # $1 = name of tunnels file
setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
{ {
addrule2 $inchain -p $3 $(source_ip_range $2) $options addrule2 $inchain -p $3 $(source_ip_range $2) -j ACCEPT
addrule2 $outchain -p $3 $(dest_ip_range $2) $options addrule2 $outchain -p $3 $(dest_ip_range $2) -j ACCEPT
progress_message " $1 tunnel to $2 defined." progress_message " $1 tunnel to $2 defined."
} }
setup_pptp_client() # $1 = gateway setup_pptp_client() # $1 = gateway
{ {
addrule2 $outchain -p 47 $(dest_ip_range $1) $options addrule2 $outchain -p 47 $(dest_ip_range $1) -j ACCEPT
addrule2 $inchain -p 47 $(source_ip_range $1) $options addrule2 $inchain -p 47 $(source_ip_range $1) -j ACCEPT
addrule2 $outchain -p tcp --dport 1723 $(dest_ip_range $1) $options addrule2 $outchain -p tcp --dport 1723 $(dest_ip_range $1) -j ACCEPT
progress_message " PPTP tunnel to $1 defined." progress_message " PPTP tunnel to $1 defined."
} }
setup_pptp_server() # $1 = gateway setup_pptp_server() # $1 = gateway
{ {
addrule2 $inchain -p 47 $(source_ip_range $1) $options addrule2 $inchain -p 47 $(source_ip_range $1) -j ACCEPT
addrule2 $outchain -p 47 $(dest_ip_range $1) $options addrule2 $outchain -p 47 $(dest_ip_range $1) -j ACCEPT
addrule2 $inchain -p tcp --dport 1723 $(source_ip_range $1) $options addrule2 $inchain -p tcp --dport 1723 $(source_ip_range $1) -j ACCEPT
progress_message " PPTP server defined." progress_message " PPTP server defined."
} }
@ -2285,8 +2285,8 @@ setup_tunnels() # $1 = name of tunnels file
;; ;;
esac esac
addrule2 $inchain -p $protocol $(source_ip_range $1) --dport $p $options addrule2 $inchain -p $protocol $(source_ip_range $1) --dport $p -j ACCEPT
addrule2 $outchain -p $protocol $(dest_ip_range $1) --dport $p $options addrule2 $outchain -p $protocol $(dest_ip_range $1) --dport $p -j ACCEPT
progress_message " OPENVPN tunnel to $1:$protocol:$p defined." progress_message " OPENVPN tunnel to $1:$protocol:$p defined."
} }
@ -2307,8 +2307,8 @@ setup_tunnels() # $1 = name of tunnels file
;; ;;
esac esac
addrule2 $inchain -p $protocol $(source_ip_range $1) --dport $p $options addrule2 $inchain -p $protocol $(source_ip_range $1) --dport $p -j ACCEPT
addrule2 $outchain -p $protocol $(dest_ip_range $1) --sport $p $options addrule2 $outchain -p $protocol $(dest_ip_range $1) --sport $p -j ACCEPT
progress_message " OPENVPN server tunnel from $1:$protocol:$p defined." progress_message " OPENVPN server tunnel from $1:$protocol:$p defined."
} }
@ -2329,8 +2329,8 @@ setup_tunnels() # $1 = name of tunnels file
;; ;;
esac esac
addrule2 $inchain -p $protocol $(source_ip_range $1) --dsport $p $options addrule2 $inchain -p $protocol $(source_ip_range $1) --dsport $p -j ACCEPT
addrule2 $outchain -p $protocol $(dest_ip_range $1) --dport $p $options addrule2 $outchain -p $protocol $(dest_ip_range $1) --dport $p -j ACCEPT
progress_message " OPENVPN client tunnel to $1:$protocol:$p defined." progress_message " OPENVPN client tunnel to $1:$protocol:$p defined."
} }
@ -2357,15 +2357,15 @@ setup_tunnels() # $1 = name of tunnels file
p=${p:+--dport $p} p=${p:+--dport $p}
addrule2 $inchain -p $protocol $(source_ip_range $1) $p $options addrule2 $inchain -p $protocol $(source_ip_range $1) $p -j ACCEPT
addrule2 $outchain -p $protocol $(dest_ip_range $1) $p $options addrule2 $outchain -p $protocol $(dest_ip_range $1) $p -j ACCEPT
for z in $(separate_list $3); do for z in $(separate_list $3); do
if validate_zone $z; then if validate_zone $z; then
addrule ${FW}2${z} -p $protocol $p $options addrule ${FW}2${z} -p $protocol $p -j ACCEPT
addrule ${z}2${FW} -p $protocol $p $options addrule ${z}2${FW} -p $protocol $p -j ACCEPT
else else
error_message "WARNING: Invalid gateway zone ($z)" \ error_message "Warning: Invalid gateway zone ($z)" \
" -- Tunnel \"$tunnel\" may encounter problems" " -- Tunnel \"$tunnel\" may encounter problems"
fi fi
done done
@ -8249,16 +8249,17 @@ define_firewall() # $1 = Command (Start or Restart)
setup_syn_flood_chains setup_syn_flood_chains
tunnels=$(find_file tunnels)
[ -f $tunnels ] && \
echo "Processing $tunnels..." && setup_tunnels $tunnels
setup_ipsec setup_ipsec
maclist_hosts=$(find_hosts_by_option maclist) maclist_hosts=$(find_hosts_by_option maclist)
[ -n "$maclist_hosts" ] && setup_mac_lists [ -n "$maclist_hosts" ] && setup_mac_lists
echo "Processing $(find_file rules)..."; process_rules echo "Processing $(find_file rules)..."; process_rules
tunnels=$(find_file tunnels)
[ -f $tunnels ] && \
echo "Processing $tunnels..." && setup_tunnels $tunnels
echo "Processing Actions..."; process_actions2 echo "Processing Actions..."; process_actions2
process_actions3 process_actions3
echo "Processing $(find_file policy)..."; apply_policy_rules echo "Processing $(find_file policy)..."; apply_policy_rules

10
Shorewall/releasenotes.txt
View File

@ -255,6 +255,16 @@ Migration Considerations:
8) The "shorewall forget" command now removes the dynamic blacklist 8) The "shorewall forget" command now removes the dynamic blacklist
save file (/var/lib/shorewall/save). save file (/var/lib/shorewall/save).
9) In previous versions of Shorewall, the rules generated by entries in
/etc/shorewall/tunnels preceded those rules generated by entries in
/etc/shorewall/rules. Beginning with this release, the entries
generated by entries in the tunnels file will appear *AFTER* the
rules generated by the rules file. This may cause you problems if
you have REJECT, DENY or CONTINUE rules in your rules file that
would cause the tunnel transport packets to not reach the rules that
ACCEPT them. See http://www.shorewall.net/VPNBasics.html for
information on the rules generated by entries in the tunnels file.
New Features in Shorewall 2.5.* New Features in Shorewall 2.5.*
1) Error and warning messages are made easier to spot by using 1) Error and warning messages are made easier to spot by using