Add OLD_PING_HANDLING option
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@406 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
3b29150cb2
commit
7fe133fe4a
@ -1,10 +1,5 @@
|
|||||||
Changes since 1.3.12
|
Changes since 1.3.13
|
||||||
|
|
||||||
1. Added 'DNAT-' target.
|
1. Fix 'shorewall add' bug.
|
||||||
|
|
||||||
2. Print policies in 'check' command.
|
|
||||||
|
|
||||||
3. Added CLEAR_TC option.
|
|
||||||
|
|
||||||
4. Added SHARED_DIR option.
|
|
||||||
|
|
||||||
|
2. Add OLD_PING_HANDLING option
|
||||||
|
@ -599,12 +599,16 @@ validate_interfaces_file() {
|
|||||||
|
|
||||||
for option in $options; do
|
for option in $options; do
|
||||||
case $option in
|
case $option in
|
||||||
dhcp|noping|filterping|routestopped|norfc1918|multi|tcpflags)
|
dhcp|routestopped|norfc1918|multi|tcpflags)
|
||||||
;;
|
;;
|
||||||
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
|
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
|
||||||
;;
|
;;
|
||||||
*)
|
noping|filterping)
|
||||||
error_message "Warning: Invalid option ($option) in record \"$r\""
|
[ -n "$OLD_PING_HANDLING" ] || \
|
||||||
|
startup_error "Option $option only allowed with old ping handling"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
error_message "Warning: Invalid option ($option) in record \"$r\""
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
@ -3350,11 +3354,14 @@ initialize_netfilter () {
|
|||||||
# Build the common chain -- called during [re]start and refresh
|
# Build the common chain -- called during [re]start and refresh
|
||||||
#
|
#
|
||||||
build_common_chain() {
|
build_common_chain() {
|
||||||
#
|
|
||||||
# PING
|
if [ -n "$OLD_PING_HANDLING" ]; then
|
||||||
#
|
#
|
||||||
[ -n "$FORWARDPING" ] && \
|
# PING
|
||||||
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
|
#
|
||||||
|
[ -n "$FORWARDPING" ] && \
|
||||||
|
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
|
||||||
|
fi
|
||||||
#
|
#
|
||||||
# Common ICMP rules
|
# Common ICMP rules
|
||||||
#
|
#
|
||||||
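Review bot: The `if [ -n "$OLD_PING_HANDLING" ]` guard around the icmpdef echo-request ACCEPT carries no comment saying what replaces it, so a reader has to find the release notes to learn that under the new handling echo-request is simply not special-cased in this shared chain. I would add above the `if`: `# Old handling: FORWARDPING accepts echo-request in the shared icmpdef chain. New handling adds no rule here; echo-request is governed by policy and rules, so FORWARDPING is ignored.` Note that a configuration with FORWARDPING=Yes that ends up under the new handling silently stops unconditionally accepting forwarded pings; that is fail-closed, but it is only documented in the release notes, not at the point of change. build_common_chain continues outside the hunk.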
@ -3907,23 +3914,25 @@ define_firewall() # $1 = Command (Start or Restart)
|
|||||||
|
|
||||||
process_rules $rules
|
process_rules $rules
|
||||||
|
|
||||||
echo "Setting up ICMP Echo handling..."
|
if [ -n "$OLD_PING_HANDLING" ]; then
|
||||||
|
echo "Setting up ICMP Echo handling..."
|
||||||
|
|
||||||
filterping_interfaces="`find_interfaces_by_option filterping`"
|
filterping_interfaces="`find_interfaces_by_option filterping`"
|
||||||
noping_interfaces="`find_interfaces_by_option noping`"
|
noping_interfaces="`find_interfaces_by_option noping`"
|
||||||
|
|
||||||
for interface in $all_interfaces; do
|
for interface in $all_interfaces; do
|
||||||
if ! list_search $interface $filterping_interfaces; then
|
if ! list_search $interface $filterping_interfaces; then
|
||||||
if list_search $interface $noping_interfaces; then
|
if list_search $interface $noping_interfaces; then
|
||||||
target=DROP
|
target=DROP
|
||||||
else
|
else
|
||||||
target=ACCEPT
|
target=ACCEPT
|
||||||
|
fi
|
||||||
|
|
||||||
|
run_iptables -A `input_chain $interface` \
|
||||||
|
-p icmp --icmp-type echo-request -j $target
|
||||||
fi
|
fi
|
||||||
|
done
|
||||||
run_iptables -A `input_chain $interface` \
|
fi
|
||||||
-p icmp --icmp-type echo-request -j $target
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
policy=`find_file policy`
|
policy=`find_file policy`
|
||||||
|
|
||||||
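Review bot: The block moved under `if [ -n "$OLD_PING_HANDLING" ]` is where the old behaviour accepted echo-request on every interface that lacked 'noping' or 'filterping'; with the option off nothing is emitted, so a zone with a DROP or REJECT policy toward the firewall now drops pings it previously answered. That is a fail-closed change and the release notes cover it, but the code should say so where the rule used to be; I would put `# Old handling only: per-interface echo-request rule (noping => DROP, otherwise ACCEPT). With OLD_PING_HANDLING=No no rule is added and echo-request is governed by policy and rules.` above the `if`. define_firewall begins and ends outside the hunk.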
@ -4471,6 +4480,7 @@ do_initialize() {
|
|||||||
TCP_FLAGS_LOG_LEVEL=
|
TCP_FLAGS_LOG_LEVEL=
|
||||||
RFC1918_LOG_LEVEL=
|
RFC1918_LOG_LEVEL=
|
||||||
MARK_IN_FORWARD_CHAIN=
|
MARK_IN_FORWARD_CHAIN=
|
||||||
|
OLD_PING_HANDLING=
|
||||||
SHARED_DIR=/usr/lib/shorewall
|
SHARED_DIR=/usr/lib/shorewall
|
||||||
FUNCTIONS=
|
FUNCTIONS=
|
||||||
VERSION_FILE=
|
VERSION_FILE=
|
||||||
@ -4596,7 +4606,7 @@ do_initialize() {
|
|||||||
else
|
else
|
||||||
CLEAR_TC=
|
CLEAR_TC=
|
||||||
fi
|
fi
|
||||||
|
OLD_PING_HANDLING=`added_param_value_yes OLD_PING_HANDLING $OLD_PING_HANDLING`
|
||||||
|
|
||||||
run_user_exit params
|
run_user_exit params
|
||||||
|
|
||||||
|
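Review bot: What OLD_PING_HANDLING means when shorewall.conf does not mention it at all — the case for every configuration upgraded from 1.3.12 — is decided entirely by added_param_value_yes, which is outside this hunk, and neither this code nor the release notes state it. If that helper defaults an absent parameter to Yes (as its name suggests; I cannot confirm from here), upgraded installs keep the old behaviour and only fresh installs with the shipped `OLD_PING_HANDLING=No` get the new one; if it does not, upgrades silently switch to policy-driven ping handling. A comment on the assignment would stop the guessing, e.g. `# Default when the line is absent from shorewall.conf comes from added_param_value_yes -- verify that pre-1.3.13 configs keep the old ping handling`. do_initialize begins and ends outside the hunk.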
@ -2,48 +2,14 @@ This is a minor release of Shorewall that has a couple of new features.
|
|||||||
|
|
||||||
New features include:
|
New features include:
|
||||||
|
|
||||||
1) A new 'DNAT-' action has been added for entries in the
|
1) An OLD_PING_HANDLING option has been added to shorewall.conf. When
|
||||||
/etc/shorewall/rules file. DNAT- is intended for advanced users who
|
set to Yes, Shorewall ping handling is as it has always been (see
|
||||||
wish to minimize the number of rules that connection requests must
|
http://www.shorewall.net/ping.html).
|
||||||
traverse.
|
|
||||||
|
|
||||||
A Shorewall DNAT rule actually generates two iptables rules: a
|
|
||||||
header rewriting rule in the 'nat' table and an ACCEPT rule in the
|
|
||||||
'filter' table. A DNAT- rule only generates the first of these
|
|
||||||
rules. This is handy when you have several DNAT rules that would
|
|
||||||
generate the same ACCEPT rule.
|
|
||||||
|
|
||||||
Here are three rules from my previous rules file:
|
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
|
||||||
|
policies just like any other connection request. The FORWARDPING
|
||||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
|
option in shorewall.conf is ignored and the 'noping' and
|
||||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
|
'filterping' options in /etc/shorewall/interfaces will generate an
|
||||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
|
error.
|
||||||
|
|
||||||
These three rules ended up generating _three_ copies of
|
|
||||||
|
|
||||||
ACCEPT net dmz:206.124.146.177 tcp smtp
|
|
||||||
|
|
||||||
By writing the rules this way, I end up with only one copy of the
|
|
||||||
ACCEPT rule.
|
|
||||||
|
|
||||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
|
|
||||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
|
|
||||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
|
|
||||||
|
|
||||||
2) The 'shorewall check' command now prints out the applicable policy
|
|
||||||
between each pair of zones.
|
|
||||||
|
|
||||||
3. A new CLEAR_TC option has been added to shorewall.conf. If this
|
|
||||||
option is set to 'No' then Shorewall won't clear the current
|
|
||||||
traffic control rules during [re]start. This setting is intended
|
|
||||||
for use by people that prefer to configure traffic shaping when
|
|
||||||
the network interfaces come up rather than when the firewall
|
|
||||||
is started. If that is what you want to do, set TC_ENABLED=Yes and
|
|
||||||
CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
|
|
||||||
way, your traffic shaping rules can still use the 'fwmark'
|
|
||||||
classifier based on packet marking defined in /etc/shorewall/tcrules.
|
|
||||||
|
|
||||||
4. A new SHARED_DIR variable has been added that allows distribution
|
|
||||||
packagers to easily move the shared directory (default
|
|
||||||
/usr/lib/shorewall). Users should never have a need to change the
|
|
||||||
value of this shorewall.conf setting.
|
|
||||||
|
@ -400,11 +400,21 @@ MUTEX_TIMEOUT=60
|
|||||||
|
|
||||||
LOGNEWNOTSYN=
|
LOGNEWNOTSYN=
|
||||||
|
|
||||||
|
#
|
||||||
|
# Old Ping Handling
|
||||||
|
#
|
||||||
|
# If this option is set to "Yes" then Shorewall will use its old ping handling
|
||||||
|
# facility including the FORWARDPING option below and the 'noping' and
|
||||||
|
# 'filterping' interface options. If this option is set to 'No' then ping
|
||||||
|
# is handled via policy and rules just like any other connection request.
|
||||||
|
#
|
||||||
|
OLD_PING_HANDLING=No
|
||||||
|
|
||||||
#
|
#
|
||||||
# Forward "Ping"
|
# Forward "Ping"
|
||||||
#
|
#
|
||||||
# If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are
|
# If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are
|
||||||
# forwarded by the firewall.
|
# forwarded by the firewall. This option is only used if OLD_PING_HANDLING=Yes
|
||||||
|
|
||||||
FORWARDPING=Yes
|
FORWARDPING=Yes
|
||||||
|
|
||||||
|
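Review bot: The new comment for OLD_PING_HANDLING explains the Yes and No behaviours but not that, with No, the 'noping' and 'filterping' interface options become a fatal startup error (validate_interfaces_file in the firewall script now calls startup_error for them), nor what applies when the line is simply missing from an older shorewall.conf. Since this file is where most users will first meet the option, I would extend the comment: `# With OLD_PING_HANDLING=No, the 'noping' and 'filterping' options in` / `# /etc/shorewall/interfaces are rejected at startup; remove them and express the` / `# desired ping behaviour with policy and rules instead.` The absent-line default should be stated too once confirmed against do_initialize.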