From 74219e2e3a80fbbeea39d1ef428ec14f44401e5c Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 15 Mar 2004 18:55:13 +0000 Subject: [PATCH] Bridging Changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1194 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/firewall | 284 +++++++++++++++++++++++++++++--------- Shorewall2/hosts | 15 +- Shorewall2/interfaces | 23 ++- Shorewall2/maclist | 5 +- Shorewall2/routestopped | 10 +- Shorewall2/shorewall.conf | 13 ++ 6 files changed, 276 insertions(+), 74 deletions(-) diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 0fb91993b..ef4c0cef9 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -99,6 +99,8 @@ report () { # $* = message # run_iptables() { + [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev + if ! iptables $@ ; then [ -z "$stopping" ] && { stop_firewall; exit 2; } fi 
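Review bot: The added `rm -f $TMP_DIR/physdev` in run_iptables can never affect the rule being added on the next line, because any `$(match_*)` substitutions in this call's arguments were expanded before the function body started; it only re-arms the flag for the next rule. That ordering is the whole reason the line is here and is easy to misread as "clear before building this rule", so it deserves a comment such as `# The $(match_*) expansions in our arguments have already run and may have left the physdev flag behind; clear it so the next rule can emit "-m physdev" again.` Callers that build rules with `$(match_*)` but bypass run_iptables (`addnatrule`, `do_iptables`, `qt iptables -D`, plain `iptables`) presumably do not get this reset and need their own; the patch adds one in addnatjump/addrulejump but I could not confirm the others from here.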
@@ -423,6 +425,84 @@ first_chains() #$1 = interface echo ${c}_fwd ${c}_in } +# +# Horrible hack to work around an iptables bug +# +physdev_echo() +{ + if [ -f $TMP_DIR/physdev ]; then + echo $@ + else + echo -m physdev $@ + > $TMP_DIR/physdev + fi +} + +# +# We allow hosts to be specified by IP address or by physdev. These two functions +# are used to produce the proper match in a netfilter rule. +# +match_source_hosts() +{ + if [ -n "$BRIDGING" ]; then + case $1 in + *:*) + physdev_echo "--physdev-in ${1%:*} -s ${1#*:}" + ;; + *.*.*.*) + echo -s $1 + ;; + *) + physdev_echo "--physdev-in $1" + ;; + esac + else + echo -s $1 + fi +} + +match_dest_hosts() +{ + if [ -n "$BRIDGING" ]; then + case $1 in + *:*) + physdev_echo "--physdev-out ${1%:*} -d ${1#*:}" + ;; + *.*.*.*) + echo -d $1 + ;; + *) + physdev_echo "--physdev-out $1" + ;; + esac + else + echo -d $1 + fi +} +# +# Similarly, the source or destination in a rule can be qualified by a device name. If +# the device is defined in /etc/shorewall/interfaces then a normal interface match is +# generated (-i or -o); otherwise, a physdev match is generated. +# +match_source_dev() +{ + if [ -n "$BRIDGING" ]; then + list_search $1 $all_interfaces && echo -i $1 || physdev_echo "--physdev-in $1" + else + echo -i $1 + fi +} + +match_dest_dev() +{ + if [ -n "$BRIDGING" ]; then + list_search $1 $all_interfaces && echo -o $1 || physdev_echo "--physdev-out $1" + else + echo -o $1 + fi +} + +# # # Find hosts in a given zone # @@ -436,7 +516,7 @@ find_hosts() # $1 = host zone while read z hosts options; do if [ "x$(expand $z)" = "x$1" ]; then expandv hosts - interface=${hosts%:*} + interface=${hosts%%:*} addresses=${hosts#*:} for address in $(separate_list $addresses); do echo $interface:$address 
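Review bot: The `Horrible hack to work around an iptables bug` header on physdev_echo does not say what the bug is or what the `$TMP_DIR/physdev` flag means, and the four match_* helpers below depend on that contract. I would replace it with `# iptables appears to reject "-m physdev" more than once in a rule, but a rule may need both --physdev-in and --physdev-out (see activate_rules).`, `# $TMP_DIR/physdev is a per-rule flag: the first physdev_echo in a rule creates it and emits "-m physdev"; later ones only emit their option. run_iptables removes it after the rule.` and `# It is a file rather than a variable because callers invoke us inside $(...) and a subshell cannot hand state back.` The last point is inferred from the `$(match_source_hosts ...)` call sites later in the patch, so confirm it before committing the wording.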
@@ -459,6 +539,18 @@ determine_interfaces() { done } +# +# Determine if an interface has a given option +# +interface_has_option() # $1 = interface, #2 = option +{ + local options + + eval options=\$$(chain_base $1)_options + + list_search $2 $options +} + # # Determine the defined hosts in each zone and generate report # @@ -471,8 +563,7 @@ determine_hosts() { eval interfaces=\$${zone}_interfaces for interface in $interfaces; do - eval options=\$$(chain_base $interface)_options - if list_search detectnets $options; then + if interface_has_option $interface detectnets; then subnets=$(get_routed_subnets $interface) else subnets=0.0.0.0/0 @@ -612,7 +703,8 @@ validate_hosts_file() { r="$z $hosts $options" validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" - interface=${hosts%:*} + interface=${hosts%%:*} + iface=$(chain_base $interface) list_search $interface $all_interfaces || \ startup_error "Unknown interface ($interface) in record \"$r\"" @@ -620,6 +712,21 @@ validate_hosts_file() { hosts=${hosts#*:} for host in $(separate_list $hosts); do + [ -n "$BRIDGING" ] && case $host in + *:*) + eval ${iface}_is_bridge=Yes + list_search ${host%:*} $all_interfaces && \ + startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" + ;; + *.*.*.*) + ;; + *) + eval ${iface}_is_bridge=Yes + list_search $host $all_interfaces && \ + startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" + ;; + esac + for option in $(separate_list $options); do case $option in maclist|-) @@ -838,7 +945,7 @@ find_hosts_by_option() # $1 = option expandv options if list_search $1 $(separate_list $options); then expandv hosts - interface=${hosts%:*} + interface=${hosts%%:*} addresses=${hosts#*:} for address in $(separate_list $addresses); do echo $interface:$address 
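Review bot: The new comment on interface_has_option reads `# $1 = interface, #2 = option`; the second parameter should be written `$2`. The function also returns list_search's exit status rather than printing anything, which is how both callers use it; a line `# Returns true (0) when $2 appears in the interface's option list` would make that explicit since the name could be read as an echo-style helper like the match_* functions.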
@@ -847,8 +954,7 @@ find_hosts_by_option() # $1 = option done < $TMP_DIR/hosts for interface in $all_interfaces; do - eval options=\$$(chain_base $interface)_options - list_search $1 $options && \ + interface_has_option $interface $option && \ echo ${interface}:0.0.0.0/0 done } @@ -984,7 +1090,7 @@ disable_ipv6() { ip6tables -P INPUT DROP ip6tables -P OUTPUT DROP else - error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system has no ip6tables" + error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables" fi } @@ -1049,12 +1155,35 @@ stop_firewall() { strip_file routestopped - while read interface host; do - expandv interface host + while read interface host options; do + expandv interface host options [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 for h in $(separate_list $host); do hosts="$hosts $interface:$h" done + + routeback= + + if [ -n $options ]; then + for option in $(separate_list $options); do + case $option in + routeback) + if [ -n "$routeback" ]; then + error_message "Warning: Duplicate option ignored: routeback" + else + routeback=Yes + for h in $(separate_list $host); do + iptables -A FORWARD -i $interface -s $h -o $interface -d $h -j ACCEPT + done + fi + ;; + *) + error_message "Warning: Unknown option ignored: $option" + ;; + esac + done + fi + done < $TMP_DIR/routestopped for host in $hosts; do @@ -1065,7 +1194,7 @@ stop_firewall() { iptables -A OUTPUT -o $interface -d $subnet -j ACCEPT for host1 in $hosts; do - iptables -A FORWARD -i $interface -s $subnet -o ${host1%:*} -d ${host1#*:} -j ACCEPT + [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -s $subnet -o ${host1%:*} -d ${host1#*:} -j ACCEPT done done 
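Review bot: `interface_has_option $interface $option` in find_hosts_by_option tests the wrong variable: the option this function was given is `$1` (the removed line used `list_search $1 $options`, and the loop earlier in the same function still uses `$1`), while `option` is not assigned anywhere visible in the hunk, so the interface loop would test whatever `option` last held. It should read `interface_has_option $interface $1 && \`. This holds unless `option` is set from `$1` earlier in the function, outside the hunk, which I cannot see from here.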
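Review bot: `if [ -n $options ]; then` in stop_firewall guards nothing: when `options` is empty the test collapses to `[ -n ]`, a one-argument test that is true, so the quotes are needed — `if [ -n "$options" ]; then`. It is harmless today only because the `for` over an empty list does nothing, but the next person to add work inside the `if` will be surprised. The enclosing stop_firewall body starts and ends outside this hunk.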
@@ -1077,6 +1206,10 @@ stop_firewall() { iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT [ -z "$ADMINISABSENTMINDED" ] && \ iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT + # + # This might be a bridge + # + iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT done setup_forwarding @@ -1415,7 +1548,7 @@ setup_mac_lists() { maclist_interfaces= for hosts in $maclist_hosts; do - interface=${hosts%:*} + interface=${hosts%%:*} if ! list_search $interface $maclist_interfaces; then\ if [ -z "$maclist_interfaces" ]; then maclist_interfaces=$interface @@ -1447,6 +1580,17 @@ setup_mac_lists() { while read interface mac addresses; do expandv interface mac addresses + physdev_part= + + if [ -n "$BRIDGING" ]; then + case $interface in + *:*) + physdev_part="-m physdev --physdev-in ${interface#*:}" + interface=${interface%:*} + ;; + esac + fi + chain=$(mac_chain $interface) if ! havechain $chain ; then @@ -1456,10 +1600,10 @@ setup_mac_lists() { macpart=$(mac_match $mac) if [ -z "$addresses" ]; then - run_iptables -A $chain $macpart -j RETURN + run_iptables -A $chain $macpart $physdev_part -j RETURN else for address in $(separate_list $addresses) ; do - run_iptables2 -A $chain $macpart -s $address -j RETURN + run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN done fi done < $TMP_DIR/maclist @@ -1494,10 +1638,10 @@ setup_mac_lists() { # Generate jumps from the input and forward chains # for hosts in $maclist_hosts; do - interface=${hosts%:*} + interface=${hosts%%:*} hosts=${hosts#*:} for chain in $(first_chains $interface) ; do - run_iptables -A $chain -s $hosts -m state --state NEW \ + run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \ -j $(mac_chain $interface) done done 
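Review bot: The new DHCP FORWARD rule in stop_firewall is added for every dhcp interface with no `$BRIDGING` or `_is_bridge` check, whereas the matching rule added in add_common_rules later in this patch is gated on both; in the stopped state this accepts UDP 67:68 forwarded back out the same interface on ordinary routed interfaces as well. If the hosts-file data behind `_is_bridge` is not available on the stop path, at least gate on the global option, `[ -n "$BRIDGING" ] && iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT`, and let the comment say why the finer check is not possible here rather than `This might be a bridge`. Whether BRIDGING is initialised before stop_firewall runs is not visible in this hunk.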
@@ -1692,11 +1836,11 @@ process_tc_rule() chain=tcout ;; *) - if ! list_search $source $all_interfaces; then + if [ -z "$BRIDGING" ] && ! list_search $source $all_interfaces; then fatal_error "Unknown interface $source in rule \"$rule\"" fi - r="-i $source " + r="$(select_source_dev) $source " ;; esac fi @@ -1852,7 +1996,7 @@ process_accounting_rule() { case $source in *:*) - rule="-s ${source#*:} -i ${source%:*}" + rule="-s ${source#*:} $(match_source_dev ${source%:*})" ;; *.*.*.*) rule="-s $source" @@ -1860,13 +2004,13 @@ process_accounting_rule() { -|all|any) ;; *) - [ -n "$source" ] && rule="-i $source" + [ -n "$source" ] && rule="$(match_source_dev $source)" ;; esac [ -n "$dest" ] && case $dest in *:*) - rule="$rule -d ${dest#*:} -o ${dest%:*}" + rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})" ;; *.*.*.*) rule="$rule -d $dest" @@ -1874,7 +2018,7 @@ process_accounting_rule() { -|all|any) ;; *) - rule="$rule -o $dest" + rule="$rule $(match_dest_dev $dest)" ;; esac @@ -1959,7 +2103,6 @@ setup_accounting() # $1 = Name of accounting file } - # # Check the configuration # @@ -2113,7 +2256,7 @@ add_an_action() -) ;; *:*) - cli="-i ${client%:*} -s ${client#*:}" + cli="$(match_source_dev ${client%:*}) -s ${client#*:}" ;; *.*.*) cli="-s $client" @@ -2122,7 +2265,7 @@ add_an_action() cli=$(mac_match $client) ;; *) - [ -n "$client" ] && cli="-i $client" + [ -n "$client" ] && cli="$(match_source_dev $client)" ;; esac @@ -2141,7 +2284,7 @@ add_an_action() fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" ;; *) - [ -n "$server" ] && dest_interface="-o $server" + [ -n "$server" ] && dest_interface="$(match_dest_dev $server)" ;; esac 
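Review bot: `r="$(select_source_dev) $source "` in process_tc_rule calls a function this patch does not define and passes it no argument; every other hunk uses `match_source_dev` with the device as `$1`, so this should read `r="$(match_source_dev $source) "`. If select_source_dev does exist elsewhere in the file it is not visible here, but the missing argument would still be wrong. Also worth a one-line comment on the relaxed check above it: with BRIDGING set an unknown `$source` is accepted on purpose so that match_source_dev can turn it into a physdev match.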
@@ -2321,7 +2464,7 @@ process_action() # $1 = action for client in $(separate_list ${clients:=-}); do for server in $(separate_list ${servers:=-}); do # - # add_a_rule() modifies these so we must set their values each time + # add_an_action() modifies these so we must set their values each time # port=${ports:=-} cport=${cports:=-} @@ -2673,7 +2816,7 @@ add_nat_rule() { for z in $(separate_list $excludezones); do eval hosts=\$${z}_hosts for host in $hosts; do - addnatrule $chain -s ${host#*:} -j RETURN + addnatrule $chain $(match_source_hosts ${host#*:}) -j RETURN done done @@ -2723,7 +2866,7 @@ add_nat_rule() { error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\"" [ $COMMAND = check ] || addnatrule $(snat_chain $dest) \ - -s ${source_host#*:} $proto $sports $multiport \ + $(match_source_hosts ${source_host#*:}) $proto $sports $multiport \ -d $serv $dports -j SNAT --to-source $snat done fi @@ -2784,7 +2927,7 @@ add_a_rule() -) ;; *:*) - cli="-i ${client%:*} -s ${client#*:}" + cli="$(match_source_dev ${client%:*}) -s ${client#*:}" ;; *.*.*) cli="-s $client" @@ -2793,7 +2936,7 @@ add_a_rule() cli=$(mac_match $client) ;; *) - [ -n "$client" ] && cli="-i $client" + [ -n "$client" ] && cli="$(match_source_dev $client)" ;; esac @@ -2812,7 +2955,7 @@ add_a_rule() fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" ;; *) - [ -n "$server" ] && dest_interface="-o $server" + [ -n "$server" ] && dest_interface="$(match_dest_dev $server)" ;; esac @@ -2879,7 +3022,7 @@ add_a_rule() # Complain if the rule is really a policy case $logtarget in - ACCEPT|DROP|REJECT) + ACCEPT|DROP|REJECT|CONTINUE) if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then error_message "Warning -- Rule \"$rule\" is a POLICY" error_message " -- and should be moved to the policy file" 
@@ -3371,7 +3514,7 @@ process_tos_rule() { # # Assume that this is a device name # - src="-i $src" + src="$(match_source_dev $src)" ;; esac @@ -4441,6 +4584,11 @@ add_common_rules() { echo "Adding rules for DHCP" for interface in $interfaces; do + if [ -n "$BRIDGING" ]; then + eval is_bridge=\$$(chain_base $interface)_is_bridge + [ -n "$is_bridge" ] && \ + iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT + fi run_iptables -A $(input_chain $interface) -p udp --dport 67:68 -j ACCEPT run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT done @@ -4698,8 +4846,11 @@ activate_rules() shift shift - havenatchain $destchain && \ + if havenatchain $destchain ; then run_iptables -t nat -A $sourcechain $@ -j $destchain + elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then + rm -f #TMP_DIR/physdev + fi } # @@ -4716,6 +4867,8 @@ activate_rules() eval run_iptables -t nat -I $sourcechain \ \$${sourcechain}_rule $@ -j $destchain eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\) + elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then + rm -f $TMP_DIR/physdev fi } @@ -4726,7 +4879,7 @@ activate_rules() addnatjump POSTROUTING nat_out for interface in $all_interfaces; do - addnatjump PREROUTING $(input_chain $interface) -i $interface + addnatjump PREROUTING $(input_chain $interface) -i $interface addnatjump POSTROUTING $(output_chain $interface) -o $interface done 
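Review bot: The bridge DHCP rule added in add_common_rules calls `iptables` directly while the two rules immediately after it go through `run_iptables`, so a failure of this rule (for instance a kernel without physdev/bridge support) is silently ignored instead of stopping the firewall as run_iptables does; use `run_iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT`. A short comment that `_is_bridge` is set by validate_hosts_file when a hosts entry names a port would also help, since the `eval` otherwise looks like it reads an interface option.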
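Review bot: `rm -f #TMP_DIR/physdev` in addnatjump has `#` where `$` was meant, so everything after `rm -f` is a comment and the flag file is never removed (`rm -f` with no operand exits quietly). The stale flag then makes the next physdev_echo omit `-m physdev` from a rule that does go through run_iptables, which is exactly the failure this branch exists to prevent; addrulejump two hunks below spells the same line correctly. Change it to `rm -f $TMP_DIR/physdev`.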
@@ -4754,28 +4907,31 @@ activate_rules() need_broadcast= for host in $source_hosts; do - interface=${host%:*} + interface=${host%%:*} subnet=${host#*:} - run_iptables -A OUTPUT -o $interface -d $subnet -j $chain1 + run_iptables -A OUTPUT -o $interface $(match_dest_hosts $subnet) -j $chain1 # # Add jumps from the builtin chains for DNAT and SNAT rules # - addrulejump PREROUTING $(dnat_chain $zone) -i $interface -s $subnet - addrulejump POSTROUTING $(snat_chain $zone) -o $interface -d $subnet + addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $subnet) + addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $subnet) - run_iptables -A $(input_chain $interface) -s $subnet -j $chain2 + run_iptables -A $(input_chain $interface) $(match_source_hosts $subnet) -j $chain2 [ -n "$complex" ] && \ - run_iptables -A $(forward_chain $interface) -s $subnet -j $frwd_chain + run_iptables -A $(forward_chain $interface) $(match_source_hosts $subnet) -j $frwd_chain - if [ "$subnet" != 0.0.0.0/0 ]; then - if ! list_search $interface $need_broadcast ; then - eval options=\$$(chain_base $interface)_options - list_search detectnets $options && need_broadcast="$need_broadcast $interface" - fi - fi + case $subnet in + *.*.*.*) + if [ "$subnet" != 0.0.0.0/0 ]; then + if ! list_search $interface $need_broadcast ; then + interface_has_option $interface detectnets && need_broadcast="$need_broadcast $interface" + fi + fi + ;; + esac done 
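Review bot: The new `*.*.*.*)` arm in activate_rules wraps two nested `if`s around a single statement, which reads harder than the code it replaces; the two conditions can be joined, `if [ "$subnet" != 0.0.0.0/0 ] && ! list_search $interface $need_broadcast; then`, followed by the one `interface_has_option ... && need_broadcast=...` line and `fi`. A comment on the `case` saying that a bare port name (no dots) never contributes to `need_broadcast` would explain why the pattern is there at all. The enclosing loop starts outside the hunk.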
@@ -4804,29 +4960,29 @@ activate_rules() if [ -n "$complex" ]; then for host1 in $dest_hosts; do - interface1=${host1%:*} + interface1=${host1%%:*} subnet1=${host1#*:} if [ $(list_count1 $source_hosts) -eq 1 -a "$source_hosts" = "$host1" ]; then if list_search $host1 $routeback; then - run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain + run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $subnet1) -j $chain fi else - run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain + run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $subnet1) -j $chain fi done else for host in $source_hosts; do - interface=${host%:*} + interface=${host%%:*} subnet=${host#*:} chain1=$(forward_chain $interface) for host1 in $dest_hosts; do - interface1=${host1%:*} + interface1=${host1%%:*} subnet1=${host1#*:} if [ "$host" != "$host1" ] || list_search $host $routeback; then - run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain + run_iptables -A $chain1 $(match_source_hosts $subnet) -o $interface1 $(match_dest_hosts $subnet1) -j $chain fi done done @@ -5178,11 +5334,11 @@ add_to_zone() # $1 = [:] $2 = zone fi for h in $dest_hosts; do - iface=${h%:*} + iface=${h%%:*} hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -I $source_chain $rulenum -s $host -o $iface -d $hosts -j $chain + do_iptables -I $source_chain $rulenum -s $host -o $iface $(match_dest_hosts $hosts) -j $chain rulenum=$(($rulenum + 1)) fi done @@ -5205,7 +5361,7 @@ add_to_zone() # $1 = [:] $2 = zone eval source_hosts=\"\$${z1}_hosts\" for h in $source_hosts; do - iface=${h%:*} + iface=${h%%:*} hosts=${h#*:} base=$(chain_base $iface) 
@@ -5221,7 +5377,7 @@ add_to_zone() # $1 = [:] $2 = zone fi if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -I $(forward_chain $iface) $rulenum -s $hosts -o $interface -d $host -j $chain + do_iptables -I $(forward_chain $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host -j $chain rulenum=$(($rulenum + 1)) fi @@ -5328,11 +5484,11 @@ delete_from_zone() # $1 = [:] $2 = zone eval dest_hosts=\"\$${z2}_hosts\" for h in $dest_hosts $delhost; do - iface=${h%:*} + iface=${h%%:*} hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $source_chain -s $host -o $iface -d $hosts -j $chain + qt iptables -D $source_chain -s $host -o $iface $(match_source_hosts $hosts) -j $chain fi done fi @@ -5343,11 +5499,11 @@ delete_from_zone() # $1 = [:] $2 = zone eval source_hosts=\"\$${z1}_hosts\" for h in $source_hosts; do - iface=${h%:*} + iface=${h%%:*} hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $(forward_chain $iface) -s $hosts -o $interface -d $host -j $chain + qt iptables -D $(forward_chain $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain fi done fi @@ -5463,6 +5619,7 @@ do_initialize() { USEDACTIONS= SMURF_LOG_LEVEL= DISABLE_IPV6= + BRIDGING= stopping= have_mutex= @@ -5613,6 +5770,7 @@ do_initialize() { ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED) BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) + BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz" # @@ -5629,6 +5787,8 @@ do_initialize() { if [ $(encodeaddr $temp) != 192.168.1.1 ]; then startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall" fi + + rm -f $TMP_DIR/physdev } # diff --git a/Shorewall2/hosts b/Shorewall2/hosts index 129e5431b..ef641d0a7 100644 
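Review bot: In delete_from_zone the rule removed from `$source_chain` is now built with `$(match_source_hosts $hosts)`, which yields `-s ...`, while the rule add_to_zone inserts into the same chain uses `$(match_dest_hosts $hosts)` (`-d ...`); the `-D` will therefore not match what `-I` added and the rule is left behind. It should read `qt iptables -D $source_chain -s $host -o $iface $(match_dest_hosts $hosts) -j $chain`. Both deletions here also go through `qt iptables` rather than run_iptables, so the physdev flag left behind by the `$(match_*)` expansion is presumably not cleared afterwards; the enclosing function body continues outside the hunk.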
--- a/Shorewall2/hosts
+++ b/Shorewall2/hosts
@@ -12,21 +12,28 @@
 #
 # ZONE - The name of a zone defined in /etc/shorewall/zones
 #
-# HOST(S) - The name of an interface followed by a colon (":") and
+# HOST(S) - The name of an interface defined in the
+# /etc/shorewall/interfaces file followed by a colon (":") and
 # a comma-separated list whose elements are either:
 #
 # a) The IP address of a host
 # b) A subnetwork in the form
 # /
-#
-# The interface must be defined in the
-# /etc/shorewall/interfaces file.
+# c) A physical port name; only allowed when the
+# interface names a bridge created by the
+# brctl addbr command. This port must not
+# be defined in /etc/shorewall/interfaces and may
+# optionally followed by a colon (":") and a
+# host or network IP.
+# See http://www.shorewall.net/Bridge.html for details.
 #
 # Examples:
 #
 # eth1:192.168.1.3
 # eth2:192.168.2.0/24
 # eth3:192.168.2.0/24,192.168.3.1
+# br0:eth4
+# br0:eth0:192.168.1.16/28
 #
 # OPTIONS - A comma-separated list of options. Currently-defined
 # options are:
diff --git a/Shorewall2/interfaces b/Shorewall2/interfaces
index 9d25a0f1f..575286e03 100644
--- a/Shorewall2/interfaces
+++ b/Shorewall2/interfaces
@@ -46,10 +46,19 @@
 # OPTIONS A comma-separated list of options including the
 # following:
 #
-# dhcp - interface is managed by DHCP or used by
-# a DHCP server running on the firewall or
-# you have a static IP but are on a LAN
-# segment with lots of Laptop DHCP clients.
+# dhcp - Specify this option when any of
+# the following are true:
+# 1. the interface gets its IP address
+# via DHCP
+# 2. the interface is used by
+# a DHCP server running on the firewall
+# 3. you have a static IP but are on a LAN
+# segment with lots of Laptop DHCP
+# clients.
+# 4. the interface is a bridge with
+# a DHCP server on one port and DHCP
+# clients on another port.
+#
 # norfc1918 - This interface should not receive
 # any packets whose source is in one
 # of the ranges reserved by RFC 1918
@@ -58,6 +67,7 @@
 # enabled in shorewall.conf, packets
 # whose destination addresses are
 # reserved by RFC 1918 are also rejected.
+#
 # routefilter - turn on kernel route filtering for this
 # interface (anti-spoofing measure). This
 # option can also be enabled globally in
@@ -65,12 +75,14 @@
 # . . blacklist - Check packets arriving on this interface
 # against the /etc/shorewall/blacklist
 # file.
+#
 # maclist - Connection requests from this interface
 # are compared against the contents of
 # /etc/shorewall/maclist. If this option
 # is specified, the interface must be
 # an ethernet NIC and must be up before
 # Shorewall is started.
+#
 # tcpflags - Packets arriving on this interface are
 # checked for certain illegal combinations
 # of TCP flags. Packets found to have
@@ -79,6 +91,7 @@
 # TCP_FLAGS_DISPOSITION after having been
 # logged according to the setting of
 # TCP_FLAGS_LOG_LEVEL.
+#
 # proxyarp -
 # Sets
 # /proc/sys/net/ipv4/conf//proxy_arp.
@@ -127,7 +140,7 @@
 # hosts routed through the interface.
 #
 # WARNING: DO NOT SET THE detectnets OPTION ON YOUR
-# INTERNET INTERFACE!
+# INTERNET INTERFACE.
 #
 # The order in which you list the options is not
 # significant but the list should have no embedded white
diff --git a/Shorewall2/maclist b/Shorewall2/maclist
index e26c3bf42..3374fd83c 100644
--- a/Shorewall2/maclist
+++ b/Shorewall2/maclist
@@ -5,7 +5,10 @@
 #
 # Columns are:
 #
-# INTERFACE Network interface to a host
+# INTERFACE Network interface to a host. If the interface
+# names a bridge, it may be optionally followed by
+# a colon (":") and a physical port name (e.g.,
+# br0:eth4).
 #
 # MAC MAC address of the host -- you do not need to use
 # the Shorewall format for MAC addresses here
diff --git a/Shorewall2/routestopped b/Shorewall2/routestopped
index 40d0f4d29..8d5a0b41c 100644
--- a/Shorewall2/routestopped
+++ b/Shorewall2/routestopped
@@ -14,12 +14,18 @@
 # HOST(S) - (Optional) Comma-separated list of IP/subnet
 # If left empty or supplied as "-",
 # 0.0.0.0/0 is assumed.
+# OPTIONS - (Optional) A comma-separated list of
+# options. The currently-supported options are:
+#
+# routeback - Set up a rule to ACCEPT traffic from
+# these hosts back to themselves.
 #
 # Example:
 #
-# INTERFACE HOST(S)
+# INTERFACE HOST(S) OPTIONS
 # eth2 192.168.1.0/24
 # eth0 192.0.2.44
+# br0 - routeback
 ##############################################################################
-#INTERFACE HOST(S)
+#INTERFACE HOST(S) OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf
index 1e0bd1755..9af188321 100755
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
@@ -524,6 +524,18 @@ MODULE_SUFFIX=
 # firewall system. This requires that you have ip6tables installed.
 DISABLE_IPV6=Yes
+
+#
+# BRIDGING
+#
+# If you wish to control traffic through a bridge (see http://bridge.sf.net),
+# then set BRIDGING=Yes. Your kernel must have the physdev match option
+# enabled; that option is available through Patch-O-Matic for 2.4 kernels and
+# is included as a standard part of the 2.6 series kernels. If not
+# specified or specified as empty (BRIDGING="") then "No" is assumed.
+#
+
+BRIDGING=No
 ################################################################################
 # P A C K E T D I S P O S I T I O N
 ################################################################################
@@ -534,6 +546,7 @@ DISABLE_IPV6=Yes
 # Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
 # DROP is assumed.
 #
+
 BLACKLIST_DISPOSITION=DROP
 #