extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-05-31 06:55:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Implement new Blacklisting Scheme

Browse Source
This commit is contained in:
Tom Eastep 2010-09-16 09:40:28 -07:00
parent 3c1cff0794
commit a8c9fc1859
9 changed files with 265 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

119
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -213,16 +213,19 @@ sub add_rule_pair( $$$$ ) {
sub setup_blacklist() { sub setup_blacklist() {
my $hosts = find_hosts_by_option 'blacklist'; my $zones = find_zones_by_option 'blacklist', 'in';
my $zones1 = find_zones_by_option 'blacklist', 'out';
my $chainref; my $chainref;
my $chainref1;
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' }; my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition; my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
# #
# We go ahead and generate the blacklist chain and jump to it, even if it turns out to be empty. That is necessary # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
# for 'refresh' to work properly. # for 'refresh' to work properly.
# #
if ( @$hosts ) { if ( @$zones || @$zones1 ) {
$chainref = dont_delete new_standard_chain 'blacklst'; $chainref = dont_delete new_standard_chain 'blacklst' if @$zones;
$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;
if ( defined $level && $level ne '' ) { if ( defined $level && $level ne '' ) {
my $logchainref = new_standard_chain 'blacklog'; my $logchainref = new_standard_chain 'blacklog';
@ -246,8 +249,8 @@ sub setup_blacklist() {
while ( read_a_line ) { while ( read_a_line ) {
if ( $first_entry ) { if ( $first_entry ) {
unless ( @$hosts ) { unless ( @$zones || @$zones1 ) {
warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' interfaces); warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' zones);
close_file; close_file;
last BLACKLIST; last BLACKLIST;
} }
@ -255,46 +258,64 @@ sub setup_blacklist() {
$first_entry = 0; $first_entry = 0;
} }
my ( $networks, $protocol, $ports ) = split_line 1, 3, 'blacklist file'; my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
expand_rule( $options = 'src' if $options eq '-';
$chainref ,
NO_RESTRICT , my ( $to, $from ) = ( 0, 0 );
do_proto( $protocol , $ports, '' ) ,
$networks , for ( split /,/, $options ) {
'' , if ( $_ =~ /^(?:from|src)$/ ) {
'' , if ( $from++ ) {
$target , warning_message "Duplicate 'src' ignored";
'' , } else {
$disposition , if ( @$zones ) {
'' ); expand_rule(
$chainref ,
NO_RESTRICT ,
do_proto( $protocol , $ports, '' ) ,
$networks,
'',
'' ,
$target ,
'' ,
$target ,
'' );
} else {
warning_message 'Blacklist entry ignored because there are no "blacklist in" zones';
}
}
} elsif ( $_ =~ /^(?:dst|to)$/ ) {
if ( $to++ ) {
warning_message "Duplicate 'dst' ignored";
} else {
if ( @$zones1 ) {
expand_rule(
$chainref1 ,
NO_RESTRICT ,
do_proto( $protocol , $ports, '' ) ,
'',
$networks,
'' ,
$target ,
'' ,
$target ,
'' );
} else {
warning_message 'Blacklist entry ignored because there are no "blacklist out" zones';
}
}
} else {
fatal_error "Invalid blacklist option($_)";
}
}
progress_message " \"$currentline\" added to blacklist"; progress_message " \"$currentline\" added to blacklist";
} }
warning_message q(There are interfaces or hosts with the 'blacklist' option but the 'blacklist' file is empty) if $first_entry && @$hosts; warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty) if $first_entry && @$zones;
} elsif ( @$hosts ) { } elsif ( @$zones || @$zones1 ) {
warning_message q(There are interfaces or hosts with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size); warning_message q(There are interfaces or zones with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
}
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
for my $hostref ( @$hosts ) {
my $interface = $hostref->[0];
my $ipsec = $hostref->[1];
my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
my $network = $hostref->[2];
my $source = match_source_net $network;
my $target = source_exclusion( $hostref->[3], $chainref );
for my $chain ( first_chains $interface ) {
add_jump $filter_table->{$chain} , $target, 0, "${source}${state}${policy}";
}
set_interface_option $interface, 'use_input_chain', 1;
set_interface_option $interface, 'use_forward_chain', 1;
progress_message " Blacklisting enabled on ${interface}:${network}";
} }
} }
} }
@ -1851,7 +1872,20 @@ sub generate_matrix() {
# #
my $frwd_ref = new_standard_chain zone_forward_chain( $zone ); my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
add_jump( $frwd_ref, $filter_table->{blacklst}, 0 ) if $zoneref->{options}{in}{blacklist}; if ( $zoneref->{options}{in}{blacklist} ) {
my $blackref = $filter_table->{blacklst};
add_jump $frwd_ref , $blackref, 0, $state;
add_jump ensure_filter_chain( rules_chain( $zone, firewall_zone ), 1 ) , $blackref , 0, $state, 0, 0;
}
if ( $zoneref->{options}{out}{blacklist} ) {
my $blackref = $filter_table->{blackout};
add_jump ensure_filter_chain( rules_chain( firewall_zone, $zone ), 1 ) , $blackref , 0, $state, 0, 0;
for my $zone1 ( @zones ) {
add_jump( ensure_filter_chain( rules_chain( $zone1, $zone ), 1 ), $blackref, 0, $state, 0, 0 ) unless $zone eq $zone1;
}
}
if ( have_ipsec ) { if ( have_ipsec ) {
# #
@ -2039,6 +2073,7 @@ sub generate_matrix() {
my $interfacechainref = $filter_table->{input_chain $interface}; my $interfacechainref = $filter_table->{input_chain $interface};
my $interfacematch = ''; my $interfacematch = '';
my $use_input; my $use_input;
my $blacklist = $zoneref->{options}{in}{blacklist};
if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) { if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
$inputchainref = $interfacechainref; $inputchainref = $interfacechainref;

36
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -78,7 +78,7 @@ our @EXPORT = qw( NOTHING
compile_updown compile_updown
validate_hosts_file validate_hosts_file
find_hosts_by_option find_hosts_by_option
find_hosts_by_option1 find_zones_by_option
all_ipsets all_ipsets
have_ipsec have_ipsec
); );
@ -231,7 +231,7 @@ sub initialize( $ ) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
%validinterfaceoptions = (arp_filter => BINARY_IF_OPTION, %validinterfaceoptions = (arp_filter => BINARY_IF_OPTION,
arp_ignore => ENUM_IF_OPTION, arp_ignore => ENUM_IF_OPTION,
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST, blacklist => SIMPLE_IF_OPTION,
bridge => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION,
detectnets => OBSOLETE_IF_OPTION, detectnets => OBSOLETE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION,
@ -264,7 +264,7 @@ sub initialize( $ ) {
sourceonly => 1, sourceonly => 1,
); );
} else { } else {
%validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST, %validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION,
bridge => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST, maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@ -946,8 +946,16 @@ sub process_interface( $$ ) {
if ( $type == SIMPLE_IF_OPTION ) { if ( $type == SIMPLE_IF_OPTION ) {
fatal_error "Option $option does not take a value" if defined $value; fatal_error "Option $option does not take a value" if defined $value;
$options{$option} = 1; if ( $option eq 'blacklist' ) {
$hostoptions{$option} = 1 if $hostopt; if ( $zone ) {
$zoneref->{options}{in}{blacklist} = 1;
} else {
warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
}
} else {
$options{$option} = 1;
$hostoptions{$option} = 1 if $hostopt;
}
} elsif ( $type == BINARY_IF_OPTION ) { } elsif ( $type == BINARY_IF_OPTION ) {
$value = 1 unless defined $value; $value = 1 unless defined $value;
fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' ); fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
@ -1679,8 +1687,8 @@ sub process_host( ) {
$type = IPSEC; $type = IPSEC;
$zoneref->{options}{complex} = 1; $zoneref->{options}{complex} = 1;
$ipsec = 1; $ipsec = 1;
} elsif ( $option eq 'norfc1918' ) { } elsif ( $option =~ /^(?:norfc1918|blacklist)$/ ) {
warning_message "The 'norfc1918' option is no longer supported" warning_message "The '$option' host option is no longer supported"
} elsif ( $validhostoptions{$option}) { } elsif ( $validhostoptions{$option}) {
fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER ); fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
$options{$option} = 1; $options{$option} = 1;
@ -1786,18 +1794,18 @@ sub find_hosts_by_option( $ ) {
} }
# #
# This one returns a 4-tuple for each interface which the passed bit set in the passed option # Retruns a reference to a list of zones with the passed in/out option
# #
sub find_hosts_by_option1( $$ ) { sub find_zones_by_option( $$ ) {
my ($option, $bit ) = @_; my ($option, $in_out ) = @_;
my @hosts; my @zns;
for my $interface ( @interfaces ) { for my $zone ( @zones ) {
push @hosts, [ $interface, 'none', ALLIP , [] ] if $interfaces{$interface}{options}{$option} & $bit push @zns, $zone if $zones{$zone}{options}{$in_out}{$option};
} }
\@hosts; \@zns;
} }
sub all_ipsets() { sub all_ipsets() {

51
manpages/shorewall-blacklist.xml
View File

@ -72,6 +72,57 @@
from services(5).</para> from services(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>OPTIONS (Optional - Added in 4.4.12) -
{-|{dst|src}[,...]}</term>
<listitem>
<para>If specified, indicates whether traffic
<emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
blacklisted. The default is <emphasis role="bold">src</emphasis>. If
the ADDRESS/SUBNET column is empty, then this column has no effect
on the generated rule.</para>
<note>
<para>In Shorewall 4.4.12, the keywords from and to were used in
place of src and dst respectively. Blacklisting was still
restricted to traffic <emphasis>arriving</emphasis> on an
interface that has the 'blacklist' option set. So to block traffic
from your local network to an internet host, you had to specify
<option>blacklist</option> on your internal interface in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para>
</note>
<note>
<para>Beginning with Shorewall 4.4.13, entries are applied based
on the <emphasis role="bold">blacklist</emphasis> setting in
<ulink
url="shorewall-interfaces.html">shorewall-zones</ulink>(5):</para>
<orderedlist>
<listitem>
<para>'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic
from this zone is passed against the entries in <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">src</emphasis> option
(specified or defaulted).</para>
</listitem>
<listitem>
<para>'blacklist' in the OPTIONS or OUT_OPTIONS column.
Trafficto this zone is passed against the entries in <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">dst</emphasis>
option.</para>
</listitem>
</orderedlist>
</note>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para></para> <para></para>

11
manpages/shorewall-hosts.xml
View File

@ -139,8 +139,15 @@
<term><emphasis role="bold">blacklist</emphasis></term> <term><emphasis role="bold">blacklist</emphasis></term>
<listitem> <listitem>
<para>This option only makes sense for ports on a bridge. <para>This option only makes sense for ports on a bridge. As
</para> of Shoreawall 4.4.13, ithe option is no longer supported and
is ignored with a warning:</para>
<blockquote>
<para><emphasis role="bold">WARNING: The "blacklist" host
option is no longer supported and will be
ignored.</emphasis></para>
</blockquote>
<para>Check packets arriving on this port against the <ulink <para>Check packets arriving on this port against the <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5) url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)

23
manpages/shorewall-interfaces.xml
View File

@ -230,6 +230,29 @@ loc eth2 -</programlisting>
<ulink <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5) url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
file.</para> file.</para>
<para>Beginning with Shorewall 4.4.13:</para>
<itemizedlist>
<listitem>
<para>If a <replaceable>zone</replaceable> is given in the
ZONES column, then the behavior is as if <emphasis
role="bold">blacklist</emphasis> had been specified in the
IN_OPTIONS column of <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5).</para>
</listitem>
<listitem>
<para>Otherwise, the option is ignored with a
warning:</para>
<blockquote>
<para><emphasis role="bold">WARNING: The 'blacklist'
option is ignored on mult-zone
interfaces</emphasis></para>
</blockquote>
</listitem>
</itemizedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>

27
manpages/shorewall-zones.xml
View File

@ -200,6 +200,28 @@ c:a,b ipv4</programlisting>
<option>ipsec</option> zones.</para> <option>ipsec</option> zones.</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.13.</para>
<para>When specified in the IN_OPTIONS column, causes all
traffic from this zone to be passed against the <emphasis
role="bold">src</emphasis> entries in s<ulink
url="shorewall-blacklist.html">horewall-blacklist</ulink>(5).</para>
<para>When specified in the OUT_OPTIONS column, causes all
traffic to this zone to be passed against the <emphasis
role="bold">dst</emphasis> entries in s<ulink
url="shorewall-blacklist.html">horewall-blacklist</ulink>(5).</para>
<para>Specifying this option in the OPTIONS column is
equivalent to entering it in both of the IN_OPTIONS and
OUT_OPTIONS column.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">reqid=</emphasis><emphasis>number</emphasis></term> role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
@ -319,7 +341,8 @@ c:a,b ipv4</programlisting>
shorewall-nesting(8), shorewall-netmap(5), shorewall-params(5), shorewall-nesting(8), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5)</para> shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
shorewall-tunnels(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>

11
manpages6/shorewall6-hosts.xml
View File

@ -127,8 +127,15 @@
<term><emphasis role="bold">blacklist</emphasis></term> <term><emphasis role="bold">blacklist</emphasis></term>
<listitem> <listitem>
<para>This option only makes sense for ports on a <para>This option only makes sense for ports on a bridge. As
bridge.</para> of Shorewall 4.4.13, its is ignored with a warning
message:</para>
<blockquote>
<para><emphasis role="bold">WARNING: The "blacklist" host
option is no longer supported and will be
ignored.</emphasis></para>
</blockquote>
<para>Check packets arriving on this port against the <ulink <para>Check packets arriving on this port against the <ulink
url="shorewall-blacklist.html">shorewall6-blacklist</ulink>(5) url="shorewall-blacklist.html">shorewall6-blacklist</ulink>(5)

23
manpages6/shorewall6-interfaces.xml
View File

@ -122,6 +122,29 @@ loc eth2 -</programlisting>
<ulink <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5) url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
file.</para> file.</para>
<para>Beginning with Shorewall 4.4.13:</para>
<itemizedlist>
<listitem>
<para>If a <replaceable>zone</replaceable> is given in the
ZONES column, then the behavior is as if <emphasis
role="bold">blacklist</emphasis> had been specified in the
IN_OPTIONS column of <ulink
url="shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
</listitem>
<listitem>
<para>Otherwise, the option is ignored with a
warning:</para>
<blockquote>
<para><emphasis role="bold">WARNING: The 'blacklist'
option is ignored on mult-zone
interfaces</emphasis></para>
</blockquote>
</listitem>
</itemizedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>

30
manpages6/shorewall6-zones.xml
View File

@ -194,10 +194,32 @@ c:a,b ipv6</programlisting>
<listitem> <listitem>
<para>A comma-separated list of options. With the exception of the <para>A comma-separated list of options. With the exception of the
<option>mss</option> option, these only apply to TYPE <option>mss</option> and blacklist options, these only apply to TYPE
<option>ipsec</option> zones.</para> <option>ipsec</option> zones.</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.13.</para>
<para>When specified in the IN_OPTIONS column, causes all
traffic from this zone to be passed against the <emphasis
role="bold">src</emphasis> entries in s<ulink
url="shorewall6-blacklist.html">horewall6-blacklist</ulink>(5).</para>
<para>When specified in the OUT_OPTIONS column, causes all
traffic to this zone to be passed against the <emphasis
role="bold">dst</emphasis> entries in s<ulink
url="shorewall6-blacklist.html">horewall6-blacklist</ulink>(5).</para>
<para>Specifying this option in the OPTIONS column is
equivalent to entering it in both of the IN_OPTIONS and
OUT_OPTIONS column.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">reqid=</emphasis><emphasis>number</emphasis></term> role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
@ -315,8 +337,8 @@ c:a,b ipv6</programlisting>
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-nesting(8), shorewall6-params(5), shorewall6-maclist(5), shorewall6-nesting(8), shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tos(5), shorewall6-tunnels(5)</para> shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>