diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 16c7befaa..c2f66c034 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -22,3 +22,5 @@ Changes since 1.4.6
 10) Added support for Address Range Lists in /etc/shorewall/masq.
 11) Simplify ip_broadcast()
+
+12) Add 'arp_filter' interface option.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 7601c63d2..da79fa98b 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -597,7 +597,7 @@ validate_interfaces_file() {
 for option in $options; do
 case $option in
- dhcp|norfc1918|tcpflags|newnotsyn)
+ dhcp|norfc1918|tcpflags|newnotsyn|arp_filter)
 ;;
 routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
 ;;
@@ -3813,6 +3813,27 @@ add_common_rules() {
 done
 fi
 #
+ # ARP Filtering
+ #
+ for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
+ echo 0 > $f
+ done
+
+ interfaces=`find_interfaces_by_option arp_filter`
+
+ if [ -n "$interfaces" ]; then
+ echo "Setting up ARP Filtering..."
+ for interface in $interfaces; do
+ file=/proc/sys/net/ipv4/conf/$interface/arp_filter
+ if [ -f $file ]; then
+ echo 1 > $file
+ else
+ error_message \
+ "Warning: Cannot set ARP filtering on $interface"
+ fi
+ done
+ fi
+ #
 # Process Black List
 #
 setup_blacklist
@@ -3832,8 +3853,6 @@ add_common_rules() {
 if [ -n "$ROUTE_FILTER" ]; then
 echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
 else
- echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
-
 for interface in $interfaces; do
 file=/proc/sys/net/ipv4/conf/$interface/rp_filter
 if [ -f $file ]; then
diff --git a/Shorewall/interfaces b/Shorewall/interfaces
index 41c50e807..7cc373f74 100644
--- a/Shorewall/interfaces
+++ b/Shorewall/interfaces
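Review bot: The reset loop at the top of the new ARP block writes `0` to every `/proc/sys/net/ipv4/conf/*/arp_filter`, which on Linux takes in `all`, `default` and every interface the kernel knows about rather than only those listed in /etc/shorewall/interfaces, so an arp_filter value the administrator set by other means (sysctl.conf, for instance) is cleared on every start, even on hosts that never use an option the release notes in this commit describe as a testing aid. The loop also runs unguarded: on a kernel that exposes no arp_filter file the glob stays literal and `echo 0 > $f` fails with a redirection error, so the body should be `[ -f $f ] && echo 0 > $f`, and if the blanket reset is intended the `# ARP Filtering` comment should say so rather than leave the next reader to discover it. The block assigns `interfaces` from `find_interfaces_by_option arp_filter`, and the rp_filter loop later in add_common_rules iterates `$interfaces` as well, so correctness there depends on a reassignment between the two hunks that is outside this view and worth confirming. add_common_rules begins and ends outside the hunk.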
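Review bot: Removing `echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter` from the else branch means a host that was once started with ROUTE_FILTER=Yes keeps rp_filter enabled on `all` after the option is removed, unless something earlier in add_common_rules now resets every `conf/*/rp_filter` file the way the new arp_filter block does for its own sysctl; that earlier part of the function is outside this hunk and the changelog entry in this commit mentions only arp_filter, so either confirm that reset exists or keep the line. If it does exist, a short comment on the `else` line, `# conf/*/rp_filter were reset above`, would spare the next reader this question. Both the if/else and the for loop continue past the end of the hunk.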
@@ -103,6 +103,15 @@
 # This option has no effect if
 # NEWNOTSYN=Yes.
 #
+# arp_filter - If specified, this interface will only
+# respond to ARP who-has requests for IP
+# addresses configured on the interface.
+# If not specified, the interface can
+# respond to ARP who-has requests for
+# IP addresses on any of the firewall's
+# interface. The interface must be up
+# when Shorewall is started.
+#
 # The order in which you list the options is not
 # significant but the list should have no embedded white
 # space.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 6226509ac..0d42da727 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -115,4 +115,14 @@ New Features:
 If specified, the remote gateway is to be considered part of these zones.
+5) An 'arp_filter' option has been added to the
+ /etc/shorewall/interfaces file. This option causes
+ /proc/sys/net/ipv4/conf//arp_filter to be set with the
+ result that this interface will only answer ARP 'who-has' requests
+ from hosts that are routed out of that interface. Setting this
+ option facilitates testing of your firewall where multiple firewall
+ interfaces are connected to the same HUB/Switch (all interfaces
+ connected to the single HUB/Switch should have this option
+ specified). Note that using such a configuration in a production
+ environment is strongly recommended against.
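Review bot: The new comment says an arp_filter interface replies only to who-has requests "for IP addresses configured on the interface", while the release notes in the same commit say it replies only to requests "from hosts that are routed out of that interface"; those are different behaviours, and the release-notes wording is the one that matches how the kernel documents arp_filter as far as I can tell, so the comment here is likely to be read as a per-address filter it is not. I would rewrite the opening lines as `# arp_filter - If specified, this interface will only` / `# respond to ARP who-has requests when the kernel` / `# would route a reply to the requester out of it.` and keep the rest. The release notes hunk also prints the sysctl path as `/proc/sys/net/ipv4/conf//arp_filter`, with the interface name missing between the slashes.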