From 967629569bd26e3c38d4b6789fad17e7a5e3b712 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 1 Aug 2010 08:36:56 -0700 Subject: [PATCH] Taylor Universal config to work with Shorewall-init and streamline ruleset - Make interface 'all' optional and set REQUIRE_INTERFACE=Yes - Add COMPLETE option - Set FASTACCEPT in Universal samples - Reset SUBSYSLOCK in Universal samples Signed-off-by: Tom Eastep --- Samples/Universal/interfaces | 2 +- Samples/Universal/shorewall.conf | 8 +++--- Samples/one-interface/shorewall.conf | 2 ++ Samples/three-interfaces/shorewall.conf | 2 ++ Samples/two-interfaces/shorewall.conf | 2 ++ Samples6/Universal/interfaces | 1 + Samples6/Universal/shorewall6.conf | 10 +++++--- Samples6/one-interface/shorewall6.conf | 2 ++ Samples6/three-interfaces/shorewall6.conf | 2 ++ Samples6/two-interfaces/shorewall6.conf | 4 ++- Shorewall/Perl/Shorewall/Config.pm | 3 +++ Shorewall/Perl/Shorewall/Rules.pm | 8 +++--- Shorewall/changelog.txt | 2 ++ Shorewall/configfiles/shorewall.conf | 2 ++ Shorewall/releasenotes.txt | 19 +++++++++++++- Shorewall6/shorewall6.conf | 6 ++++- docs/Universal.xml | 10 ++++---- manpages/shorewall.conf.xml | 30 +++++++++++++++++++++++ manpages6/shorewall6.conf.xml | 30 +++++++++++++++++++++++ 19 files changed, 127 insertions(+), 18 deletions(-) diff --git a/Samples/Universal/interfaces b/Samples/Universal/interfaces index c0526e452..8d1fb2360 100644 --- a/Samples/Universal/interfaces +++ b/Samples/Universal/interfaces @@ -8,5 +8,5 @@ # ############################################################################### #ZONE INTERFACE BROADCAST OPTIONS +- lo - ignore net all - dhcp,physical=+,routeback - diff --git a/Samples/Universal/shorewall.conf b/Samples/Universal/shorewall.conf index 5e09a66fa..dba2b208b 100644 --- a/Samples/Universal/shorewall.conf +++ b/Samples/Universal/shorewall.conf 
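Review bot: The `net all - dhcp,physical=+,routeback` line in Samples/Universal/interfaces is left unchanged (it appears here as context), so the sample still does not flag the wildcard interface `optional`, even though the commit title says the 'all' interface is made optional, the docs/Universal.xml hunk shows `,routeback,optional`, and this commit sets REQUIRE_INTERFACE=Yes in the matching Samples/Universal/shorewall.conf. If REQUIRE_INTERFACE=Yes is meant to keep the firewall in its safe state under shorewall-init until an interface comes up, that presumably only applies to interfaces marked optional, so the line should read `net all - dhcp,physical=+,routeback,optional` (tab-separated as in the file). The Samples6/Universal/interfaces hunk on the same line as the two-interfaces hunk has the same gap.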
@@ -63,7 +63,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh -SUBSYSLOCK=/var/lock/subsys/shorewall +SUBSYSLOCK= MODULESDIR= @@ -148,7 +148,7 @@ SAVE_IPSETS=No MAPOLDACTIONS=No -FASTACCEPT=No +FASTACCEPT=Yes IMPLICIT_CONTINUE=No @@ -194,10 +194,12 @@ OPTIMIZE_ACCOUNTING=No LOAD_HELPERS_ONLY=No -REQUIRE_INTERFACE=No +REQUIRE_INTERFACE=Yes FORWARD_CLEAR_MARK=Yes +COMPLETE=Yes + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf index 6eef0c389..7b5846e99 100644 --- a/Samples/one-interface/shorewall.conf +++ b/Samples/one-interface/shorewall.conf @@ -209,6 +209,8 @@ REQUIRE_INTERFACE=No FORWARD_CLEAR_MARK=Yes +COMPLETE=No + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### diff --git a/Samples/three-interfaces/shorewall.conf b/Samples/three-interfaces/shorewall.conf index a9e66559e..f3007976d 100644 --- a/Samples/three-interfaces/shorewall.conf +++ b/Samples/three-interfaces/shorewall.conf @@ -209,6 +209,8 @@ REQUIRE_INTERFACE=No FORWARD_CLEAR_MARK=Yes +COMPLETE=No + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### diff --git a/Samples/two-interfaces/shorewall.conf b/Samples/two-interfaces/shorewall.conf index 87881a8e8..62cc166f3 100644 --- a/Samples/two-interfaces/shorewall.conf +++ b/Samples/two-interfaces/shorewall.conf 
@@ -216,6 +216,8 @@ REQUIRE_INTERFACE=No FORWARD_CLEAR_MARK=Yes +COMPLETE=No + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### diff --git a/Samples6/Universal/interfaces b/Samples6/Universal/interfaces index c0526e452..b9d6b3b3e 100644 --- a/Samples6/Universal/interfaces +++ b/Samples6/Universal/interfaces @@ -8,5 +8,6 @@ # ############################################################################### #ZONE INTERFACE BROADCAST OPTIONS +- lo - ignore net all - dhcp,physical=+,routeback diff --git a/Samples6/Universal/shorewall6.conf b/Samples6/Universal/shorewall6.conf index f4603705c..66badef6b 100644 --- a/Samples6/Universal/shorewall6.conf +++ b/Samples6/Universal/shorewall6.conf @@ -60,7 +60,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh -SUBSYSLOCK=/var/lock/subsys/shorewall +SUBSYSLOCK= MODULESDIR= @@ -113,7 +113,7 @@ BLACKLISTNEWONLY=Yes MODULE_SUFFIX=ko -FASTACCEPT=No +FASTACCEPT=Yes IMPLICIT_CONTINUE=No @@ -151,7 +151,11 @@ DYNAMIC_BLACKLIST=Yes LOAD_HELPERS_ONLY=No -FORWARD_CLEAR_MARK=yes +REQUIRE_INTERFACE=Yes + +FORWARD_CLEAR_MARK=Yes + +COMPLETE=Yes ############################################################################### # P A C K E T D I S P O S I T I O N diff --git a/Samples6/one-interface/shorewall6.conf b/Samples6/one-interface/shorewall6.conf index 0aa0c76c7..462f02533 100644 --- a/Samples6/one-interface/shorewall6.conf +++ b/Samples6/one-interface/shorewall6.conf @@ -157,6 +157,8 @@ REQUIRE_INTERFACE=No FORWARD_CLEAR_MARK=Yes +COMPLETE=No + ############################################################################## # P A C K E T D I S P O S I T I O N ############################################################################### 
diff --git a/Samples6/three-interfaces/shorewall6.conf b/Samples6/three-interfaces/shorewall6.conf index fdedf26c1..4b763d7d1 100644 --- a/Samples6/three-interfaces/shorewall6.conf +++ b/Samples6/three-interfaces/shorewall6.conf @@ -157,6 +157,8 @@ REQUIRE_INTERFACE=No FORWARD_CLEAR_MARK=Yes +COMPLETE=No + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### diff --git a/Samples6/two-interfaces/shorewall6.conf b/Samples6/two-interfaces/shorewall6.conf index c65b9fb2b..25f807bb0 100644 --- a/Samples6/two-interfaces/shorewall6.conf +++ b/Samples6/two-interfaces/shorewall6.conf @@ -1,6 +1,6 @@ ############################################################################### # -# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration. +# Shorewall version 4.4 - Sample shorewall.conf for one-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or @@ -157,6 +157,8 @@ REQUIRE_INTERFACE=No FORWARD_CLEAR_MARK=Yes +COMPLETE=No + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 18fbc2172..908630d24 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -466,6 +466,7 @@ sub initialize( $ ) { LOAD_HELPERS_ONLY => undef, REQUIRE_INTERFACE => undef, FORWARD_CLEAR_MARK => undef, + COMPLETE => undef, # # Packet Disposition # @@ -590,6 +591,7 @@ sub initialize( $ ) { LOAD_HELPERS_ONLY => undef, REQUIRE_INTERFACE => undef, FORWARD_CLEAR_MARK => undef, + COMPLETE => undef, # # Packet Disposition # 
@@ -3038,6 +3040,7 @@ sub get_configuration( $ ) { default_yes_no 'DYNAMIC_BLACKLIST' , 'Yes'; default_yes_no 'REQUIRE_INTERFACE' , ''; default_yes_no 'FORWARD_CLEAR_MARK' , have_capability 'MARK' ? 'Yes' : ''; + default_yes_no 'COMPLETE' , ''; require_capability 'MARK' , 'FOREWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK}; diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index d53128dda..3114d0663 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -2261,9 +2261,11 @@ sub generate_matrix() { nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] , filter=> [ qw/INPUT FORWARD OUTPUT/ ] ); - complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone , 'DROP'; - complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all', 'REJECT'; - complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all', 'REJECT'; + unless ( $config{COMPLETE} ) { + complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone , 'DROP'; + complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all', 'REJECT'; + complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all', 'REJECT'; + } if ( $config{LOGALLNEW} ) { for my $table qw/mangle nat filter/ { diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 9c2fbf240..9fbcc652b 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -14,6 +14,8 @@ Changes in Shorewall 4.4.12 7) Add Universal sample. +8) Add COMPLETE option. + Changes in Shorewall 4.4.11 1) Apply patch from Gabriel. diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 4ccd7c04e..f4d428978 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf 
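Review bot: The new `unless ( $config{COMPLETE} )` in generate_matrix omits the three complete_standard_chain calls, i.e. the catch-all DROP/REJECT rules for packets whose source or destination address is outside every zone, but nothing in the commit verifies the preconditions the release notes attach to that option: the Config.pm hunk at @@ -3038 only does `default_yes_no 'COMPLETE' , '';`, so a configuration that sets COMPLETE=Yes without an interface whose effective physical setting is '+' assigned to a zone (or with CONTINUE policies) silently loses the terminal rules and depends on whatever disposition the builtin chains otherwise end with. Consider a fatal_error (or at least a warning_message) here when COMPLETE is set and the interface data show no wildcard interface assigned to a zone, so that the assertion the option makes is checked rather than trusted. A comment on the guard would also help the next reader, e.g. `# COMPLETE=Yes asserts every host that can reach the firewall is in some zone; the catch-all rules are omitted`. generate_matrix starts and ends outside the hunk.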
@@ -198,6 +198,8 @@ REQUIRE_INTERFACE=No FORWARD_CLEAR_MARK=Yes +COMPLETE=No + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index fce32ee70..22d84d385 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,6 +1,6 @@ ---------------------------------------------------------------------------- S H O R E W A L L 4 . 4 . 1 2 - B E T A 3 + R C 1 ---------------------------------------------------------------------------- I. RELEASE 4.4 HIGHLIGHTS @@ -279,6 +279,23 @@ None. 3) The sample configurations now include a 'Universal' configuration that will start on any system and protect that system while allowing the system to forward traffic. + + As part of this change, several additional features were added: + + - You may now specify "physical=+" in the interfaces file. + - A 'COMPLETE' option is added to shorewall.conf and + shorewall6.conf. When you set this option to Yes, you are + asserting that the configuration is complete so that your set of + zones encompasses any hosts that can send or receive traffic + to/from/through the firewall. This causes Shorewall to omit the + rules that catch packets in which the source or destination IP + address is outside of any of your zones. Default is No. It is + recommended that this option only be set to Yes if: + + o You have defined an interface whose effective physical setting + is '+' + o That interface is assigned to a zone. + o You have no CONTINUE policies or rules. ---------------------------------------------------------------------------- V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S diff --git a/Shorewall6/shorewall6.conf b/Shorewall6/shorewall6.conf index 23234a4cc..6d0f63f57 100644 --- a/Shorewall6/shorewall6.conf +++ b/Shorewall6/shorewall6.conf 
@@ -151,7 +151,11 @@ DYNAMIC_BLACKLIST=Yes LOAD_HELPERS_ONLY=No -FORWARD_CLEAR_MARK=yes +REQUIRE_INTERFACE=No + +FORWARD_CLEAR_MARK=Yes + +COMPLETE=No ############################################################################### # P A C K E T D I S P O S I T I O N diff --git a/docs/Universal.xml b/docs/Universal.xml index 71f90a7f8..44a5daea1 100644 --- a/docs/Universal.xml +++ b/docs/Universal.xml @@ -308,7 +308,7 @@ ACCEPT net $FW tcp 143 the line that reads:
- net all DROP + net all DROP
to @@ -328,18 +328,18 @@ ACCEPT net $FW tcp 143 How do I prevent the firewall from forwarding connection requests? - Edit /etc/shorewall/interfaces, and change the line that - read: + Edit /etc/shorewall/interfaces, and remove the routeback option + from the interface. e.g., change the line that reads:
net all - dhcp,physical=+,routeback + role="bold">,routeback,optional
to
- net all - dhcp,physical=+ + net all - dhcp,physical=+,optional
Then at a root prompt, type: diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index 211fa6379..15ac94ca4 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml @@ -390,6 +390,36 @@ + + COMPLETE=[Yes|No] + + + Added in Shorewall 4.4.12. When you set this option to Yes, + you are asserting that the configuration is complete so that your + set of zones encompasses any hosts that can send or receive traffic + to/from/through the firewall. This causes Shorewall to omit the + rules that catch packets in which the source or destination IP + address is outside of any of your zones. Default is No. It is + recommended that this option only be set to Yes if: + + + + You have defined an interface whose effective physical + setting is '+'. + + + + That interface is assigned to a zone. + + + + You have no CONTINUE policies or rules. + + + + + CONFIG_PATH=[directory[:directory]...] diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml index d0a5bcab0..f16d26719 100644 --- a/manpages6/shorewall6.conf.xml +++ b/manpages6/shorewall6.conf.xml @@ -336,6 +336,36 @@ + + COMPLETE=[Yes|No] + + + Added in Shorewall6 4.4.12. When you set this option to Yes, + you are asserting that the configuration is complete so that your + set of zones encompasses any hosts that can send or receive traffic + to/from/through the firewall. This causes Shorewall6 to omit the + rules that catch packets in which the source or destination IP + address is outside of any of your zones. Default is No. It is + recommended that this option only be set to Yes if: + + + + You have defined an interface whose effective physical + setting is '+'. + + + + That interface is assigned to a zone. + + + + You have no CONTINUE policies or rules. + + + + + CONFIG_PATH=[directory[:directory]...]