extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-05-19 07:31:00 +02:00
Code Issues Packages Projects Releases Wiki Activity

Apply policy to interface/host option rules

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1546 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-08-16 16:28:44 +00:00
parent e034b345ea
commit af8baff5cb
3 changed files with 58 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall2/changelog.txt
View File

@ -42,3 +42,5 @@ Changes since 2.0.3
19) Added IPSEC column to /etc/shorewall/masq. 19) Added IPSEC column to /etc/shorewall/masq.
20) No longer enforce source port 500 for ISAKMP. 20) No longer enforce source port 500 for ISAKMP.
21) Apply policy to interface/host options.

66
Shorewall2/firewall
View File

@ -1099,23 +1099,25 @@ find_interfaces_by_option() # $1 = option
# #
find_hosts_by_option() # $1 = option find_hosts_by_option() # $1 = option
{ {
local ignore hosts interface address addresses options local ignore hosts interface address addresses options ipsec= list
while read ignore hosts options; do while read ignore hosts options; do
expandv options expandv options
if list_search $1 $(separate_list $options); then list=$(separate_list $options)
if list_search $1 $list; then
list_search ipsec $list && ipsec=ipsec || ipsec=none
expandv hosts expandv hosts
interface=${hosts%%:*} interface=${hosts%%:*}
addresses=${hosts#*:} addresses=${hosts#*:}
for address in $(separate_list $addresses); do for address in $(separate_list $addresses); do
echo $interface:$address echo ${ipsec}^$interface:$address
done done
fi fi
done < $TMP_DIR/hosts done < $TMP_DIR/hosts
for interface in $ALL_INTERFACES; do for interface in $ALL_INTERFACES; do
interface_has_option $interface $1 && \ interface_has_option $interface $1 && \
echo ${interface}:0.0.0.0/0 echo none^${interface}:0.0.0.0/0
done done
} }
@ -1727,12 +1729,15 @@ setup_mac_lists() {
local macpart local macpart
local blob local blob
local hosts local hosts
local ipsec
local policy=
# #
# Generate the list of interfaces having MAC verification # Generate the list of interfaces having MAC verification
# #
maclist_interfaces= maclist_interfaces=
for hosts in $maclist_hosts; do for hosts in $maclist_hosts; do
hosts=${hosts#*^}
interface=${hosts%%:*} interface=${hosts%%:*}
if ! list_search $interface $maclist_interfaces; then\ if ! list_search $interface $maclist_interfaces; then\
if [ -z "$maclist_interfaces" ]; then if [ -z "$maclist_interfaces" ]; then
@ -1823,6 +1828,9 @@ setup_mac_lists() {
# Generate jumps from the input and forward chains # Generate jumps from the input and forward chains
# #
for hosts in $maclist_hosts; do for hosts in $maclist_hosts; do
ipsec=${hosst%^*}
hosts=${hosts#*^}
[ -n $POLICY_MATCH ] && policy="-m policy --pol $ipsec --dir in" || policy=
interface=${hosts%%:*} interface=${hosts%%:*}
hosts=${hosts#*:} hosts=${hosts#*:}
for chain in $(first_chains $interface) ; do for chain in $(first_chains $interface) ; do
@ -4854,6 +4862,7 @@ setup_blacklist() {
local hosts="$(find_hosts_by_option blacklist)" local hosts="$(find_hosts_by_option blacklist)"
local f=$(find_file blacklist) local f=$(find_file blacklist)
local disposition=$BLACKLIST_DISPOSITION local disposition=$BLACKLIST_DISPOSITION
local ipsec policy
if [ -n "$hosts" -a -f $f ]; then if [ -n "$hosts" -a -f $f ]; then
echo "Setting up Blacklisting..." echo "Setting up Blacklisting..."
@ -4865,11 +4874,14 @@ setup_blacklist() {
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state= [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
for host in $hosts; do for host in $hosts; do
ipsec=${host%^*}
host=${host#*^}
[ -n $POLICY_MATCH ] && policy="-m policy --pol $ipsec --dir in" || policy=
interface=${host%%:*} interface=${host%%:*}
network=${host#*:} network=${host#*:}
for chain in $(first_chains $interface); do for chain in $(first_chains $interface); do
run_iptables -A $chain $state $(match_source_hosts $network) -j blacklst run_iptables -A $chain $state $(match_source_hosts $network) $policy -j blacklst
done done
[ $network = 0/0.0.0.0 ] && network= || network=":$network" [ $network = 0/0.0.0.0 ] && network= || network=":$network"
@ -5191,17 +5203,19 @@ initialize_netfilter () {
run_iptables -A FORWARD -p tcp \ run_iptables -A FORWARD -p tcp \
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
if [ -z "$NEWNOTSYN" ]; then if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no createchain newnotsyn no
for host in $(find_hosts_by_option newnotsyn); do for host in $(find_hosts_by_option newnotsyn); do
ipsec=${host%^*}
host=${host#*^}
[ -n $POLICY_MATCH ] && policy="-m policy --pol $ipsec --dir in" || policy=
interface=${host%%:*} interface=${host%%:*}
network=${host#*:} network=${host#*:}
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags ACK ACK -j ACCEPT run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags RST RST -j ACCEPT run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags FIN FIN -j ACCEPT run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags FIN FIN -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts ${host#*:}) -j RETURN run_iptables -A newnotsyn -i $interface $(match_source_hosts ${host#*:}) $policy -j RETURN
done done
run_user_exit newnotsyn run_user_exit newnotsyn
@ -5324,11 +5338,14 @@ add_common_rules() {
echo "Adding Anti-smurf Rules" echo "Adding Anti-smurf Rules"
for host in $hosts; do for host in $hosts; do
ipsec=${host%^*}
host=${host#*^}
[ -n $POLICY_MATCH ] && policy="-m policy --pol $ipsec --dir in" || policy=
interface=${host%%:*} interface=${host%%:*}
network=${host#*:} network=${host#*:}
for chain in $(first_chains $interface); do for chain in $(first_chains $interface); do
run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j smurfs run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) $policy -j smurfs
done done
done done
fi fi
@ -5341,14 +5358,22 @@ add_common_rules() {
echo "Adding rules for DHCP" echo "Adding rules for DHCP"
if [ -n "$POLICY_MATCH" ]; then
policyin="-m policy --dir in --pol none"
policyout="-m policy --dir out --pol none"
else
policyin=
policyout=
fi
for interface in $interfaces; do for interface in $interfaces; do
if [ -n "$BRIDGING" ]; then if [ -n "$BRIDGING" ]; then
eval is_bridge=\$$(chain_base $interface)_ports eval is_bridge=\$$(chain_base $interface)_ports
[ -n "$is_bridge" ] && \ [ -n "$is_bridge" ] && \
iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT
fi fi
run_iptables -A $(input_chain $interface) -p udp --dport 67:68 -j ACCEPT run_iptables -A $(input_chain $interface) -p udp --dport 67:68 $policyin -j ACCEPT
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 $policyout -j ACCEPT
done done
fi fi
# #
@ -5413,11 +5438,14 @@ add_common_rules() {
done < $TMP_DIR/rfc1918 done < $TMP_DIR/rfc1918
for host in $hosts; do for host in $hosts; do
ipsec=${host%^*}
host=${host#*^}
[ -n $POLICY_MATCH ] && policy="-m policy --pol $ipsec --dir in" || policy=
interface=${host%%:*} interface=${host%%:*}
networks=${host#*:} networks=${host#*:}
for chain in $(first_chains $interface); do for chain in $(first_chains $interface); do
run_iptables -A $chain -m state --state NEW $(match_source_hosts $networks) -j norfc1918 run_iptables -A $chain -m state --state NEW $(match_source_hosts $networks) $policy -j norfc1918
done done
[ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \ [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
@ -5459,6 +5487,9 @@ add_common_rules() {
done < $TMP_DIR/bogons done < $TMP_DIR/bogons
for host in $hosts; do for host in $hosts; do
ipsec=${host%^*}
host=${host#*^}
[ -n $POLICY_MATCH ] && policy="-m policy --pol $ipsec --dir in" || policy=
interface=${host%%:*} interface=${host%%:*}
network=${host#*:} network=${host#*:}
@ -5513,11 +5544,14 @@ add_common_rules() {
run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition
for host in $hosts; do for host in $hosts; do
ipsec=${host%^*}
host=${host#*^}
[ -n $POLICY_MATCH ] && policy="-m policy --pol $ipsec --dir in" || policy=
interface=${host%%:*} interface=${host%%:*}
network=${host#*:} network=${host#*:}
for chain in $(first_chains $interface); do for chain in $(first_chains $interface); do
run_iptables -A $chain -p tcp $(match_source_hosts $network) -j tcpflags run_iptables -A $chain -p tcp $(match_source_hosts $network) $policy -j tcpflags
done done
done done
fi fi

7
Shorewall2/releasenotes.txt
View File

@ -1,4 +1,4 @@
Shorewall 2.1.3 Shorewall 2.1.5
---------------------------------------------------------------------- ----------------------------------------------------------------------
Problems Corrected since 2.0.3 Problems Corrected since 2.0.3
@ -26,6 +26,11 @@ Problems Corrected since 2.1.0
iptables: No chain/target/match by that name iptables: No chain/target/match by that name
Problems Corrected since 2.1.4
1) Per-interface options like 'norfc1918' are not applied to requests
that have been unencrypted as a result of an entry in the SPD.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0 to Shorewall 2.1: Issues when migrating from Shorewall 2.0 to Shorewall 2.1: