diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 418c708b9..5b9f9bf07 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -66,6 +66,7 @@ our %EXPORT_TAGS = ( NFQ CHAIN SET + AUDIT NO_RESTRICT PREROUTE_RESTRICT DESTIFACE_DISALLOW @@ -261,7 +262,8 @@ use constant { STANDARD => 1, #defined by Netfilter LOGRULE => 256, #'LOG','NFLOG' NFQ => 512, #'NFQUEUE' CHAIN => 1024, #Manual Chain - SET => 2048. #SET + SET => 2048, #SET + AUDIT => 4096, #A_ACCEPT, etc }; # # Valid Targets -- value is a combination of one or more of the above @@ -1510,11 +1512,17 @@ sub initialize_chain_table() %targets = ('ACCEPT' => STANDARD, 'ACCEPT+' => STANDARD + NONAT, 'ACCEPT!' => STANDARD, + 'A_ACCEPT' => STANDARD + AUDIT, + 'A_ACCEPT+' => STANDARD + NONAT + AUDIT, 'NONAT' => STANDARD + NONAT + NATONLY, 'DROP' => STANDARD, 'DROP!' => STANDARD, + 'A_DROP' => STANDARD + AUDIT, + 'A_DROP!' => STANDARD + AUDIT, 'REJECT' => STANDARD, 'REJECT!' => STANDARD, + 'A_REJECT' => STANDARD + AUDIT, + 'A_REJECT!' => STANDARD + AUDIT, 'DNAT' => NATRULE, 'DNAT-' => NATRULE + NATONLY, 'REDIRECT' => NATRULE + REDIRECT, diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index e4f8502a9..cdaded2a0 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -546,6 +546,7 @@ sub initialize( $ ) { MACLIST_DISPOSITION => undef, TCP_FLAGS_DISPOSITION => undef, BLACKLIST_DISPOSITION => undef, + SMURF_DISPOSITION => undef, # # Mark Geometry # @@ -3351,6 +3352,14 @@ sub get_configuration( $ ) { require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$val", 's' if $val =~ /^A_/; + default 'SMURF_DISPOSITION' , 'DROP'; + + unless ( ( $val = $config{SMURF_DISPOSITION} ) =~ /^(?:A_)?DROP$/ ) { + fatal_error q(SMURF_DISPOSITION must be 'DROP' or 'A_DROP'); + } + + require_capability 'AUDIT_TARGET', "SMURF_DISPOSITION=$val", 's' if $val =~ /^A_/; + default_log_level 'BLACKLIST_LOGLEVEL', ''; default_log_level 'MACLIST_LOG_LEVEL', ''; default_log_level 'TCP_FLAGS_LOG_LEVEL', ''; diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index f007b604e..cfa5262cb 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -203,9 +203,8 @@ sub setup_blacklist() { my $chainref; my $chainref1; my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' }; - my $audit = $disposition =~ s/^A_//; + my $audit = $disposition =~ /^A_/; my $target = $disposition eq 'REJECT' ? 'reject' : $disposition; - my $auditref; # # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary # for 'refresh' to work properly. @@ -214,7 +213,7 @@ sub setup_blacklist() { $chainref = dont_delete new_standard_chain 'blacklst' if @$zones; $chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1; - if ( $audit || ( defined $level && $level ne '' ) ) { + if ( defined $level && $level ne '' ) { my $logchainref = new_standard_chain 'blacklog'; log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' ); @@ -224,7 +223,10 @@ sub setup_blacklist() { add_jump $logchainref, $target, 1; $target = 'blacklog'; - } + } elsif ( $audit ) { + require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's'; + $target = verify_audit( $disposition ); + } } BLACKLIST: @@ -272,13 +274,7 @@ sub setup_blacklist() { } else { warning_message "Duplicate 'audit' option ignored" if $auditone > 1; - unless ( $auditref ) { - $auditref = new_standard_chain 'blackaud'; - add_rule $auditref, '-j AUDIT --type ' . lc $target; - add_jump $auditref, $target, 1; - } - - $tgt = 'blackaud'; + $tgt = verify_audit( 'A_' . $target ); } } @@ -501,10 +497,10 @@ sub add_common_rules() { $chainref = new_standard_chain 'smurfs'; - my $smurfdest; + my $smurfdest = $config{SMURF_DISPOSITION}; if ( defined $config{SMURF_LOG_LEVEL} && $config{SMURF_LOG_LEVEL} ne '' ) { - my $smurfref = new_chain( 'filter', $smurfdest = 'smurflog' ); + my $smurfref = new_chain( 'filter', 'smurflog' ); log_rule_limit( $config{SMURF_LOG_LEVEL}, $smurfref, @@ -514,9 +510,12 @@ sub add_common_rules() { '', 'add', '' ); + add_rule( $smurfref, '-j AUDIT --type drop' ) if $smurfdest eq 'A_DROP'; add_rule( $smurfref, '-j DROP' ); + + $smurfdest = 'smurflog'; } else { - $smurfdest = 'DROP'; + verify_audit( $smurfdest ) if $smurfdest eq 'A_DROP'; } if ( have_capability( 'ADDRTYPE' ) ) { @@ -629,34 +628,38 @@ sub add_common_rules() { if ( @$list ) { my $level = $config{TCP_FLAGS_LOG_LEVEL}; my $disposition = $config{TCP_FLAGS_DISPOSITION}; - my $audit = $disposition =~ s/^A_//; + my $audit = $disposition =~ /^A_/; progress_message2 "$doing TCP Flags filtering..."; $chainref = new_standard_chain 'tcpflags'; - if ( $audit || $level ) { + if ( $level ) { my $logflagsref = new_standard_chain 'logflags'; - if ( $level ) { - my $savelogparms = $globals{LOGPARMS}; + my $savelogparms = $globals{LOGPARMS}; - $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options "; + $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options "; - log_rule $level , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, ''; + log_rule $level , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, ''; + + $globals{LOGPARMS} = $savelogparms; - $globals{LOGPARMS} = $savelogparms; + if ( $audit ) { + $disposition =~ s/^A_//; + add_rule( $logflagsref, '-j AUDIT --type ' . lc $disposition ); } - add_rule( $logflagsref, '-j AUDIT --type ' . lc $disposition ) if $audit; - - if ( $config{TCP_FLAGS_DISPOSITION} eq 'REJECT' ) { + if ( $disposition eq 'REJECT' ) { add_rule $logflagsref , '-p 6 -j REJECT --reject-with tcp-reset'; } else { - add_rule $logflagsref , "-j $config{TCP_FLAGS_DISPOSITION}"; + add_rule $logflagsref , "-j $disposition"; } $disposition = 'logflags'; + } elsif ( $audit ) { + require_capability( 'AUDIT_TARGET', "TCP_FLAGS_DISPOSITION=$disposition", 's' ); + verify_audit( $disposition ); } add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags ALL FIN,URG,PSH '; diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index f9d9afd70..330970c80 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -48,6 +48,7 @@ our @EXPORT = qw( optimize_policy_chains process_actions process_rules + verify_audit ); our @EXPORT_OK = qw( initialize ); @@ -91,14 +92,6 @@ my %actions; # my %usedactions; -# -# Enumerate the AUDIT builtins -# -my %auditactions = ( A_ACCEPT => 1, - A_DROP => 1, - A_REJECT => 1 - ); - # # Policies for which AUDIT is allowed # @@ -169,9 +162,9 @@ sub initialize( $ ) { %usedactions = (); if ( $family == F_IPV4 ) { - @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit A_ACCEPT A_DROP A_REJECT/; + @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/; } else { - @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid A_ACCEPT A_DROP A_REJECT/; + @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/; } } @@ -451,9 +444,6 @@ sub process_policies() ACCEPT => undef, REJECT => undef, DROP => undef, - A_ACCEPT => undef, - A_DROP => undef, - A_REJECT => undef, CONTINUE => undef, QUEUE => undef, NFQUEUE => undef, @@ -1141,10 +1131,10 @@ sub require_audit($$) { return $action unless defined $audit and $audit ne ''; - fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit'; - my $target = 'A_' . $action; + fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit'; + require_capability 'AUDIT_TARGET', 'audit', 's'; my $ref = $filter_table->{$target}; @@ -1159,8 +1149,6 @@ sub require_audit($$) { } else { add_rule $ref , "-j $action"; } - - $usedactions{normalize_action_name $target} = $ref; } return $target; @@ -1342,36 +1330,6 @@ sub Limit( $$$$ ) { add_rule $chainref, '-j ACCEPT'; } -sub A_ACCEPT ( $$$ ) { - my ($chainref, $level, $tag) = @_; - - require_capability 'AUDIT_TARGET' , 'A_ACCEPT rules', ''; - - log_rule_limit $level, $chainref, $chainref->{name} , 'ACCEPT', '', $tag, 'add', '' if $level ne ''; - add_rule $chainref , '-j AUDIT --type accept'; - add_rule $chainref , '-j ACCEPT'; -} - -sub A_DROP ( $$$ ) { - my ($chainref, $level, $tag) = @_; - - require_capability 'AUDIT_TARGET' , 'A_DROP rules', ''; - - log_rule_limit $level, $chainref, $chainref->{name} , 'DROP', '', $tag, 'add', '' if $level ne ''; - add_rule $chainref , '-j AUDIT --type drop'; - add_rule $chainref , '-j DROP'; -} - -sub A_REJECT ( $$$ ) { - my ($chainref, $level, $tag) = @_; - - require_capability 'AUDIT_TARGET' , 'A_REJECT rules', ''; - - log_rule_limit $level, $chainref, $chainref->{name} , 'REJECT', '', $tag, 'add', '' if $level ne ''; - add_rule $chainref , '-j AUDIT --type reject'; - add_rule $chainref , '-j reject'; -} - my %builtinops = ( 'dropBcast' => \&dropBcast, 'allowBcast' => \&allowBcast, 'dropNotSyn' => \&dropNotSyn, @@ -1381,9 +1339,6 @@ my %builtinops = ( 'dropBcast' => \&dropBcast, 'allowinUPnP' => \&allowinUPnP, 'forwardUPnP' => \&forwardUPnP, 'Limit' => \&Limit, - 'A_ACCEPT' => \&A_ACCEPT, - 'A_DROP' => \&A_DROP, - 'A_REJECT' => \&A_REJECT ); # @@ -1641,6 +1596,32 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) { return $generated; } +sub verify_audit($) { + my ($target, $audit ) = @_; + + require_capability 'AUDIT_TARGET', "$target rules", ''; + + my $ref = $filter_table->{$target}; + + unless ( $ref ) { + $ref = new_chain 'filter', $target; + + my $action = $target; + + $action =~ s/^A_//; + + add_rule $ref, '-j AUDIT --type ' . lc $action; + + if ( $action eq 'REJECT' ) { + add_jump $ref , 'reject', 1; + } else { + add_rule $ref , "-j $action"; + } + } + + return $target; +} + # # Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion. @@ -2095,7 +2076,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) { $target , $loglevel , $log_action , - $serverport ? do_proto( $proto, '', '' ) : '' ); + $serverport ? do_proto( $proto, '', '' ) : '', + ); # # After NAT: # - the destination port will be the server port ($ports) -- we did that above @@ -2189,7 +2171,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) { $tgt, $loglevel , $log_action , - '' , + '', ); # # Possible optimization if the rule just generated was a simple jump to the nonat chain @@ -2226,6 +2208,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) { $rule .= "-m conntrack --ctorigdstport $origdstports " if have_capability( 'NEW_CONNTRACK_MATCH' ) && $origdstports; + verify_audit( $action ) if $actiontype & AUDIT; + expand_rule( ensure_chain( 'filter', $chain ) , $restriction , $rule , diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 0a21fe87f..45ce6bdf7 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -208,4 +208,6 @@ MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP +SMURF_DISPOSITION=DROP + #LAST LINE -- DO NOT REMOVE diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 5f5d9e7e1..434dfd470 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -113,12 +113,16 @@ All bug fixes from 4.4.19.1 - 4.4.19.4. MACLIST_TABLE=mangle TCP_FLAGS_DISPOSITION A_DROP or A_REJECT - e) An 'audit' option has been added to the + e) A SMURF_DISPOSITION option has been added to + shorewall.conf. The default value is DROP; if the option is set + to A_DROP, then dropped smurfs are audited. + + f) An 'audit' option has been added to the /etc/shorewall/blacklist file which causes the packets matching the entryto be audited. 'audit' may not be specified together with 'accept'. - f) With the exception of 'Limit', the builtin actions + g) With the exception of 'Limit', the builtin actions (dropBroadcast, rejNonSyn, etc.) now support an 'audit' parameter which causes all ACCEPT, DROP and REJECTs performed by the action to be audited. This allows creation of diff --git a/Shorewall6/shorewall6.conf b/Shorewall6/shorewall6.conf index b40967713..f63de5127 100644 --- a/Shorewall6/shorewall6.conf +++ b/Shorewall6/shorewall6.conf @@ -169,4 +169,6 @@ BLACKLIST_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP +SMURF_DISPOSITION=DROP + #LAST LINE -- DO NOT REMOVE