Shorewall 1.4.3
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@556 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
72bb7e0a83
commit
8386b811ff
@ -54,6 +54,15 @@
|
||||
|
||||
LOGFILE=/var/log/messages
|
||||
|
||||
#
|
||||
# LOG MARKER
|
||||
#
|
||||
# Used to identify Shorewall log messages. If you are using fireparse, you must
|
||||
# set this to "fp=Shorewall:". You may not use the ULOG level with fireparse and
|
||||
# you must not embed white space in the LOGMARKER value.
|
||||
|
||||
LOGMARKER="Shorewall:"
|
||||
|
||||
#
|
||||
# LOG RATE LIMITING
|
||||
#
|
||||
|
@ -10,7 +10,7 @@
|
||||
# The columns are:
|
||||
#
|
||||
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
|
||||
# "gre", "pptpclient", "pptpserver" or "openvpn".
|
||||
# "gre", "6to4", "pptpclient", "pptpserver" or "openvpn".
|
||||
#
|
||||
# If type is "openvpn", it may optionally be followed
|
||||
# by ":" and the port number used by the tunnel. if no
|
||||
|
@ -134,6 +134,8 @@ get_config() {
|
||||
fi
|
||||
|
||||
[ -n "$FW" ] || FW=fw
|
||||
|
||||
[ -n "$LOGMARKER" ] || LOGMARKER="Shorewall:"
|
||||
}
|
||||
|
||||
#
|
||||
@ -259,9 +261,9 @@ packet_log() # $1 = number of messages
|
||||
|
||||
[ -n "$realtail" ] && options="-n$1"
|
||||
|
||||
grep 'Shorewall:\|ipt_unclean' $LOGFILE | \
|
||||
grep "${LOGMARKER}\|ipt_unclean" $LOGFILE | \
|
||||
sed s/" kernel:"// | \
|
||||
sed s/" $host Shorewall:"/" "/ | \
|
||||
sed s/" $host $LOGMARKER"/" "/ | \
|
||||
sed s/" $host kernel: ipt_unclean: "/" "/ | \
|
||||
sed 's/MAC=.*SRC=/SRC=/' | \
|
||||
tail $options
|
||||
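Review bot: `grep "${LOGMARKER}\|ipt_unclean" $LOGFILE` and the `sed s/" $host $LOGMARKER"/" "/` line below it interpolate LOGMARKER into a basic regular expression and into a `s/…/…/` pattern, so a marker containing `.`, `*`, `[`, `\` or `/` would match differently or break the sed script outright. The documented value `fp=Shorewall:` happens to be safe, but that constraint is not stated anywhere; either the LOGMARKER comment in shorewall.conf should say the value must not contain regex metacharacters or `/`, or the marker should be escaped once before it is used as a pattern. packet_log begins outside the hunk.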
@ -732,27 +734,27 @@ case "$1" in
|
||||
|
||||
timeout=30
|
||||
|
||||
if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then
|
||||
if [ `grep -c "$LOGMARKER" $LOGFILE ` -gt 0 ] ; then
|
||||
echo " HITS IP DATE"
|
||||
echo " ---- --------------- ------"
|
||||
grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn
|
||||
grep "$LOGMARKER" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn
|
||||
echo ""
|
||||
|
||||
echo " HITS IP PORT"
|
||||
echo " ---- --------------- -----"
|
||||
grep "Shorewall:" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
|
||||
grep "$LOGMARKER" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
|
||||
t
|
||||
s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn
|
||||
echo ""
|
||||
|
||||
echo " HITS DATE"
|
||||
echo " ---- ------"
|
||||
grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn
|
||||
grep "$LOGMARKER" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn
|
||||
echo ""
|
||||
|
||||
echo " HITS PORT SERVICE(S)"
|
||||
echo " ---- ----- ----------"
|
||||
grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
|
||||
grep '${LOGMARKER}.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
|
||||
while read count port ; do
|
||||
# List all services defined for the given port
|
||||
srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u`
|
||||
|
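Review bot: `grep '${LOGMARKER}.*DPT' $LOGFILE` uses single quotes, so `${LOGMARKER}` is never expanded and grep searches for the literal text `${LOGMARKER}.*DPT`; the HITS/PORT/SERVICE(S) table will be empty for every marker value, where the old `'Shorewall:.*DPT'` worked. The three other replacements in this hunk correctly use double quotes; this one should read `grep "${LOGMARKER}.*DPT" $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \`. The enclosing case arm continues outside the hunk.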
@ -95,7 +95,11 @@ error_message() # $* = Error Message
|
||||
fatal_error() # $* = Error Message
|
||||
{
|
||||
echo " Error: $@" >&2
|
||||
[ $command = check ] || stop_firewall
|
||||
if [ $command = check ]; then
|
||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||
else
|
||||
stop_firewall
|
||||
fi
|
||||
exit 2
|
||||
}
|
||||
|
||||
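Review bot: The new `if [ $command = check ]; then` leaves `$command` unquoted, so if fatal_error is reached before `command` has been assigned the test degenerates to `[ = check ]` and `[` reports an error rather than evaluating cleanly; `rm -rf $TMP_DIR` on the next line is unquoted as well. Suggest `if [ "$command" = check ]; then` and `[ -n "$TMP_DIR" ] && rm -rf "$TMP_DIR"`. The removed one-liner had the same quoting, so this is not new, but the rewrite is the natural place to fix it.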
@ -1130,6 +1134,9 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
gre|GRE)
|
||||
setup_one_other GRE $gateway 47
|
||||
;;
|
||||
6to4|6TO4)
|
||||
setup_one_other 6to4 $gateway 41
|
||||
;;
|
||||
pptpclient|PPTPCLIENT)
|
||||
setup_pptp_client $gateway
|
||||
;;
|
||||
@ -1316,7 +1323,7 @@ setup_mac_lists() {
|
||||
done
|
||||
|
||||
[ -n "$logpart" ] && \
|
||||
run_iptables -A $chain $logpart "Shorewall:$chain:$MACLIST_DISPOSITION:"
|
||||
run_iptables -A $chain $logpart "${LOGMARKER}$chain:$MACLIST_DISPOSITION:"
|
||||
|
||||
run_iptables -A $chain -j $maclist_target
|
||||
done
|
||||
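Review bot: `"${LOGMARKER}$chain:$MACLIST_DISPOSITION:"` lengthens every log prefix by whatever the marker adds over the old fixed `Shorewall:`; the iptables LOG target rejects a `--log-prefix` longer than 29 characters (the ULOG limit is a little larger, as I recall), and the fireparse value `fp=Shorewall:` documented in this commit is 13 characters, so a long chain name plus disposition can push a prefix over the limit and make `run_iptables` fail where it previously succeeded. The same applies to the prefix changes in add_a_rule, policy_rules, add_blacklist_rule, initialize_netfilter and add_common_rules. Worth either validating the longest resulting prefix once at startup or stating the length budget next to LOGMARKER in shorewall.conf. setup_mac_lists begins outside the hunk.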
@ -2015,11 +2022,11 @@ add_a_rule()
|
||||
if [ "$loglevel" = ULOG ]; then
|
||||
run_iptables2 -A $chain $proto $multiport \
|
||||
$state $cli $sports $serv $dports -j ULOG $LOGPARMS \
|
||||
--ulog-prefix "Shorewall:$chain:$logtarget:"
|
||||
--ulog-prefix "${LOGMARKER}$chain:$logtarget:"
|
||||
else
|
||||
run_iptables2 -A $chain $proto $multiport \
|
||||
$state $cli $sports $serv $dports -j LOG $LOGPARMS \
|
||||
--log-prefix "Shorewall:$chain:$logtarget:" \
|
||||
--log-prefix "${LOGMARKER}$chain:$logtarget:" \
|
||||
--log-level $loglevel
|
||||
fi
|
||||
fi
|
||||
@ -2042,11 +2049,11 @@ add_a_rule()
|
||||
if [ "$loglevel" = ULOG ]; then
|
||||
run_iptables2 -A $chain $proto $multiport \
|
||||
$dest_interface $state $cli $sports $dports -j ULOG \
|
||||
$LOGPARMS --ulog-prefix "Shorewall:$chain:$logtarget:"
|
||||
$LOGPARMS --ulog-prefix "${LOGMARKER}$chain:$logtarget:"
|
||||
else
|
||||
run_iptables2 -A $chain $proto $multiport \
|
||||
$dest_interface $state $cli $sports $dports -j LOG \
|
||||
$LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \
|
||||
$LOGPARMS --log-prefix "${LOGMARKER}$chain:$logtarget:" \
|
||||
--log-level $loglevel
|
||||
fi
|
||||
fi
|
||||
@ -2551,10 +2558,10 @@ policy_rules() # $1 = chain to add rules to
|
||||
if [ $# -eq 3 -a "x${3}" != "x-" ]; then
|
||||
if [ "$3" = ULOG ]; then
|
||||
run_iptables -A $1 -j ULOG $LOGPARMS \
|
||||
--ulog-prefix "Shorewall:${1}:${2}:"
|
||||
--ulog-prefix "${LOGMARKER}${1}:${2}:"
|
||||
else
|
||||
run_iptables -A $1 -j LOG $LOGPARMS \
|
||||
--log-prefix "Shorewall:${1}:${2}:" --log-level $3
|
||||
--log-prefix "${LOGMARKER}${1}:${2}:" --log-level $3
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -2878,11 +2885,11 @@ add_blacklist_rule() {
|
||||
if [ "$BLACKLIST_LOGLEVEL" = ULOG ]; then
|
||||
run_iptables2 -A blacklst $source $proto $dport -j \
|
||||
ULOG $LOGPARMS --ulog-prefix \
|
||||
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:"
|
||||
"${LOGMARKER}blacklst:$BLACKLIST_DISPOSITION:"
|
||||
else
|
||||
run_iptables2 -A blacklst $source $proto $dport -j \
|
||||
LOG $LOGPARMS --log-prefix \
|
||||
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
|
||||
"${LOGMARKER}blacklst:$BLACKLIST_DISPOSITION:" \
|
||||
--log-level $BLACKLIST_LOGLEVEL
|
||||
fi
|
||||
fi
|
||||
@ -3196,6 +3203,12 @@ initialize_netfilter () {
|
||||
setcontinue INPUT
|
||||
setcontinue OUTPUT
|
||||
|
||||
#
|
||||
# Enable the Loopback interface
|
||||
#
|
||||
run_iptables -A INPUT -i lo -j ACCEPT
|
||||
run_iptables -A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
#
|
||||
# Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
|
||||
#
|
||||
@ -3216,10 +3229,10 @@ initialize_netfilter () {
|
||||
if [ -n "$LOGNEWNOTSYN" ]; then
|
||||
if [ "$LOGNEWNOTSYN" = ULOG ]; then
|
||||
run_iptables -A newnotsyn -j ULOG $LOGPARMS \
|
||||
--ulog-prefix "Shorewall:newnotsyn:DROP:"
|
||||
--ulog-prefix "${LOGMARKER}newnotsyn:DROP:"
|
||||
else
|
||||
run_iptables -A newnotsyn -j LOG $LOGPARMS \
|
||||
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
|
||||
--log-prefix "${LOGMARKER}newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -3294,16 +3307,26 @@ add_common_rules() {
|
||||
logdisp() # $1 = Chain Name
|
||||
{
|
||||
if [ "$RFC1918_LOG_LEVEL" = ULOG ]; then
|
||||
echo "ULOG $LOGPARMS --ulog-prefix Shorewall:${1}:DROP:"
|
||||
echo "ULOG $LOGPARMS --ulog-prefix ${LOGMARKER}${1}:DROP:"
|
||||
else
|
||||
echo "LOG $LOGPARMS --log-prefix Shorewall:${1}:DROP: --log-level $RFC1918_LOG_LEVEL"
|
||||
echo "LOG $LOGPARMS --log-prefix ${LOGMARKER}${1}:DROP: --log-level $RFC1918_LOG_LEVEL"
|
||||
fi
|
||||
}
|
||||
#
|
||||
# Reject Rules
|
||||
#
|
||||
run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
|
||||
run_iptables -A reject -j REJECT
|
||||
run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
|
||||
run_iptables -A reject -p udp -j REJECT
|
||||
#
|
||||
# Not all versions of iptables support these so don't complain if they don't work
|
||||
#
|
||||
qt iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
|
||||
if ! qt iptables -A reject -j REJECT --reject-with icmp-host-prohibited; then
|
||||
#
|
||||
# In case the above doesn't work
|
||||
#
|
||||
run_iptables -A reject -j REJECT
|
||||
fi
|
||||
#
|
||||
# dropunclean rules
|
||||
#
|
||||
@ -3314,10 +3337,10 @@ add_common_rules() {
|
||||
|
||||
if [ -n "$LOGUNCLEAN" ]; then
|
||||
if [ "$LOGUNCLEAN" = ULOG ]; then
|
||||
logoptions="-j ULOG $LOGPARMS --ulog-prefix Shorewall:badpkt:DROP:"
|
||||
logoptions="-j ULOG $LOGPARMS --ulog-prefix ${LOGMARKER}badpkt:DROP:"
|
||||
logoptions="$logoptions --log-ip-options"
|
||||
else
|
||||
logoptions="-j LOG $LOGPARMS --log-prefix Shorewall:badpkt:DROP:"
|
||||
logoptions="-j LOG $LOGPARMS --log-prefix ${LOGMARKER}badpkt:DROP:"
|
||||
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
|
||||
fi
|
||||
|
||||
@ -3346,10 +3369,10 @@ add_common_rules() {
|
||||
[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
|
||||
|
||||
if [ "$LOGUNCLEAN" = ULOG ]; then
|
||||
logoptions="-j ULOG $LOGPARMS --ulog-prefix Shorewall:logpkt:LOG:"
|
||||
logoptions="-j ULOG $LOGPARMS --ulog-prefix ${LOGMARKER}logpkt:LOG:"
|
||||
logoptions="$logoptions --log-ip-options"
|
||||
else
|
||||
logoptions="-j LOG $LOGPARMS --log-prefix Shorewall:logpkt:LOG:"
|
||||
logoptions="-j LOG $LOGPARMS --log-prefix ${LOGMARKER}logpkt:LOG:"
|
||||
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
|
||||
fi
|
||||
|
||||
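Review bot: The context line just above the change, `[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info`, is missing the space between `-z` and the value, so `[` sees a single non-empty word and the test always succeeds, resetting LOGUNCLEAN to `info` whatever the user configured; within this hunk the new `${LOGMARKER}logpkt:LOG:` ULOG branch is therefore unreachable. It should read `[ -z "$LOGUNCLEAN" ] && LOGUNCLEAN=info`. add_common_rules continues outside the hunk.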
@ -3450,12 +3473,12 @@ add_common_rules() {
|
||||
|
||||
if [ "$TCP_FLAGS_LOG_LEVEL" = ULOG ]; then
|
||||
run_iptables -A logflags -j ULOG $LOGPARMS \
|
||||
--ulog-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \
|
||||
--ulog-prefix "${LOGMARKER}logflags:$TCP_FLAGS_DISPOSITION:" \
|
||||
--log-tcp-options --log-ip-options
|
||||
else
|
||||
run_iptables -A logflags -j LOG $LOGPARMS \
|
||||
--log-level $TCP_FLAGS_LOG_LEVEL \
|
||||
--log-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \
|
||||
--log-prefix "${LOGMARKER}logflags:$TCP_FLAGS_DISPOSITION:" \
|
||||
--log-tcp-options --log-ip-options
|
||||
fi
|
||||
case $TCP_FLAGS_DISPOSITION in
|
||||
@ -3494,12 +3517,6 @@ add_common_rules() {
|
||||
#
|
||||
setup_blacklist
|
||||
|
||||
#
|
||||
# Enable the Loopback interface
|
||||
#
|
||||
run_iptables -A INPUT -i lo -j ACCEPT
|
||||
run_iptables -A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
#
|
||||
# Route Filtering
|
||||
#
|
||||
@ -4101,6 +4118,8 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
fi
|
||||
done < ${STATEDIR}/chains
|
||||
|
||||
rm -rf $TMP_DIR
|
||||
|
||||
echo "$1 added to zone $2"
|
||||
}
|
||||
|
||||
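Review bot: The added `rm -rf $TMP_DIR` in add_to_zone (and the identical line added to delete_from_zone two hunks below) is unquoted and unguarded, unlike the `[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR` this same commit puts in fatal_error; with an empty TMP_DIR it runs `rm -rf` with no operand and prints an error, and a value containing a space would be split into several paths. Suggest `[ -n "$TMP_DIR" ] && rm -rf "$TMP_DIR"` in both places so the three cleanups behave the same way. add_to_zone begins outside the hunk.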
@ -4209,7 +4228,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
qt iptables -D OUTPUT -o $interface -d $host -j $chain
|
||||
else
|
||||
eval source_hosts=\"\$${z1}_hosts\"
|
||||
|
||||
|
||||
for h in $source_hosts; do
|
||||
iface=${h%:*}
|
||||
hosts=${h#*:}
|
||||
@ -4222,6 +4241,8 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
fi
|
||||
done < ${STATEDIR}/chains
|
||||
|
||||
rm -rf $TMP_DIR
|
||||
|
||||
echo "$1 removed from zone $2"
|
||||
}
|
||||
|
||||
@ -4323,6 +4344,7 @@ do_initialize() {
|
||||
SHARED_DIR=/usr/share/shorewall
|
||||
FUNCTIONS=
|
||||
VERSION_FILE=
|
||||
LOGMARKER=
|
||||
|
||||
stopping=
|
||||
have_mutex=
|
||||
@ -4449,6 +4471,8 @@ do_initialize() {
|
||||
CLEAR_TC=
|
||||
fi
|
||||
|
||||
[ -n "$LOGMARKER" ] || LOGMARKER="Shorewall:"
|
||||
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
|
@ -1 +1 @@
|
||||
1.4.2
|
||||
1.4.3
|
||||
|
@ -1 +1 @@
|
||||
1.4.2
|
||||
1.4.3
|
||||
|