mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-14 03:34:31 +01:00
Shorewall 2.2.3
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2027 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
9edbc16770
commit
b6f9065b93
@ -1,3 +1,17 @@
|
||||
Changes in 2.2.3
|
||||
|
||||
1) Added the 'continue' extension script.
|
||||
|
||||
2) Obey 'routestopped' rules during [re]start.
|
||||
|
||||
3) MACLIST_TTL added.
|
||||
|
||||
4) Fix ! in hosts file
|
||||
|
||||
5) Add QUEUE policy.
|
||||
|
||||
6) Fix routing output when advanced routing support not in kernel.
|
||||
|
||||
Changes in 2.2.2
|
||||
|
||||
1) The 'check' command disclaimer is toned down further and only
|
||||
|
6
STABLE2/continue
Normal file
6
STABLE2/continue
Normal file
@ -0,0 +1,6 @@
|
||||
############################################################################
|
||||
# Shorewall 2.2 -- /etc/shorewall/continue
|
||||
#
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# cleared any existing Netfilter rules and has enabled existing connections.
|
||||
#
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=2.2.2
|
||||
VERSION=2.2.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
192
STABLE2/firewall
192
STABLE2/firewall
@ -464,6 +464,11 @@ mac_chain() # $1 = interface
|
||||
echo $(chain_base $1)_mac
|
||||
}
|
||||
|
||||
macrecent_target() # $1 - interface
|
||||
{
|
||||
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
|
||||
}
|
||||
|
||||
#
|
||||
# Functions for creating dynamic zone rules
|
||||
#
|
||||
@ -1095,7 +1100,7 @@ validate_policy()
|
||||
esac
|
||||
|
||||
case $policy in
|
||||
ACCEPT|REJECT|DROP|CONTINUE)
|
||||
ACCEPT|REJECT|DROP|CONTINUE|QUEUE)
|
||||
;;
|
||||
NONE)
|
||||
[ "$client" = "$FW" -o "$server" = "$FW" ] && \
|
||||
@ -1390,6 +1395,58 @@ disable_ipv6_1() {
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Process the routestopped file either adding or deleting rules
|
||||
#
|
||||
|
||||
process_routestopped() # $1 = command
|
||||
{
|
||||
local hosts= interface host host1 options networks
|
||||
|
||||
while read interface host options; do
|
||||
expandv interface host options
|
||||
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
|
||||
for h in $(separate_list $host); do
|
||||
hosts="$hosts $interface:$h"
|
||||
done
|
||||
|
||||
routeback=
|
||||
|
||||
if [ -n "$options" ]; then
|
||||
for option in $(separate_list $options); do
|
||||
case $option in
|
||||
routeback)
|
||||
if [ -n "$routeback" ]; then
|
||||
error_message "Warning: Duplicate routestopped option ignored: routeback"
|
||||
else
|
||||
routeback=Yes
|
||||
for h in $(separate_list $host); do
|
||||
run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
|
||||
done
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
error_message "Warning: Unknown routestopped option ignored: $option"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
fi
|
||||
|
||||
done < $TMP_DIR/routestopped
|
||||
|
||||
for host in $hosts; do
|
||||
interface=${host%:*}
|
||||
networks=${host#*:}
|
||||
$IPTABLES $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||
run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||
|
||||
for host1 in $hosts; do
|
||||
[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Stop the Firewall
|
||||
#
|
||||
@ -1465,50 +1522,9 @@ stop_firewall() {
|
||||
|
||||
hosts=
|
||||
|
||||
strip_file routestopped
|
||||
[ -f $TMP_DIR/routestopped ] || strip_file routestopped
|
||||
|
||||
while read interface host options; do
|
||||
expandv interface host options
|
||||
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
|
||||
for h in $(separate_list $host); do
|
||||
hosts="$hosts $interface:$h"
|
||||
done
|
||||
|
||||
routeback=
|
||||
|
||||
if [ -n "$options" ]; then
|
||||
for option in $(separate_list $options); do
|
||||
case $option in
|
||||
routeback)
|
||||
if [ -n "$routeback" ]; then
|
||||
error_message "Warning: Duplicate option ignored: routeback"
|
||||
else
|
||||
routeback=Yes
|
||||
for h in $(separate_list $host); do
|
||||
$IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
|
||||
done
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
error_message "Warning: Unknown option ignored: $option"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
fi
|
||||
|
||||
done < $TMP_DIR/routestopped
|
||||
|
||||
for host in $hosts; do
|
||||
interface=${host%:*}
|
||||
networks=${host#*:}
|
||||
$IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||
$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||
|
||||
for host1 in $hosts; do
|
||||
[ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
|
||||
done
|
||||
done
|
||||
process_routestopped -A
|
||||
|
||||
$IPTABLES -A INPUT -i lo -j ACCEPT
|
||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||
@ -1989,6 +2005,7 @@ setup_mac_lists() {
|
||||
local addresses
|
||||
local address
|
||||
local chain
|
||||
local chain1
|
||||
local macpart
|
||||
local blob
|
||||
local hosts
|
||||
@ -2013,10 +2030,19 @@ setup_mac_lists() {
|
||||
|
||||
progress_message "Setting up MAC Verification on $maclist_interfaces..."
|
||||
#
|
||||
# Be sure that they are all ethernet interfaces
|
||||
# Create chains.
|
||||
#
|
||||
for interface in $maclist_interfaces; do
|
||||
createchain $(mac_chain $interface) no
|
||||
chain=$(mac_chain $interface)
|
||||
createchain $chain no
|
||||
|
||||
if [ -n "$MACLIST_TTL" ]; then
|
||||
chain1=$(macrecent_target $interface)
|
||||
createchain $chain1 no
|
||||
run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1
|
||||
run_iptables -A $chain1 -m recent --update --name $chain -j ACCEPT
|
||||
run_iptables -A $chain1 -m recent --set --name $chain -j ACCEPT
|
||||
fi
|
||||
done
|
||||
#
|
||||
# Process the maclist file producing the verification rules
|
||||
@ -2036,6 +2062,7 @@ setup_mac_lists() {
|
||||
fi
|
||||
|
||||
chain=$(mac_chain $interface)
|
||||
chain1=$(macrecent_target $interface)
|
||||
|
||||
if ! havechain $chain ; then
|
||||
fatal_error "No hosts on $interface have the maclist option specified"
|
||||
@ -2044,10 +2071,10 @@ setup_mac_lists() {
|
||||
macpart=$(mac_match $mac)
|
||||
|
||||
if [ -z "$addresses" ]; then
|
||||
run_iptables -A $chain $macpart $physdev_part -j RETURN
|
||||
run_iptables -A $chain $macpart $physdev_part -j $chain1
|
||||
else
|
||||
for address in $(separate_list $addresses) ; do
|
||||
run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
|
||||
run_iptables2 -A $chain $macpart -s $address $physdev_part -j $chain1
|
||||
done
|
||||
fi
|
||||
done < $TMP_DIR/maclist
|
||||
@ -2057,6 +2084,7 @@ setup_mac_lists() {
|
||||
#
|
||||
for interface in $maclist_interfaces; do
|
||||
chain=$(mac_chain $interface)
|
||||
chain1=$(macrecent_target $interface)
|
||||
|
||||
blob=$(ip link show $interface 2> /dev/null)
|
||||
|
||||
@ -2065,11 +2093,11 @@ setup_mac_lists() {
|
||||
|
||||
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
|
||||
if [ -n "$broadcast" ]; then
|
||||
run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN
|
||||
run_iptables -A $chain -s ${address%/*} -d $broadcast -j $chain1
|
||||
fi
|
||||
|
||||
run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
|
||||
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN
|
||||
run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1
|
||||
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j $chain1
|
||||
done
|
||||
|
||||
if [ -n "$MACLIST_LOG_LEVEL" ]; then
|
||||
@ -3462,14 +3490,14 @@ process_actions1() {
|
||||
[ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp"
|
||||
xaction=${xaction%:*}
|
||||
case $temp in
|
||||
ACCEPT|REJECT|DROP)
|
||||
ACCEPT|REJECT|DROP|QUEUE)
|
||||
eval ${temp}_common=$xaction
|
||||
if [ -n "$xaction" ] && ! list_search $xaction $USEDACTIONS; then
|
||||
USEDACTIONS="$USEDACTIONS $xaction"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
startup_error "Common Actions are only allowed for ACCEPT, DROP and REJECT"
|
||||
startup_error "Common Actions are only allowed for ACCEPT, DROP, REJECT and QUEUE"
|
||||
;;
|
||||
esac
|
||||
esac
|
||||
@ -4778,6 +4806,9 @@ policy_rules() # $1 = chain to add rules to
|
||||
[ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common
|
||||
target=reject
|
||||
;;
|
||||
QUEUE)
|
||||
[ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common
|
||||
;;
|
||||
CONTINUE)
|
||||
target=
|
||||
;;
|
||||
@ -4843,7 +4874,7 @@ default_policy() # $1 = client $2 = server
|
||||
# depends on the policy
|
||||
#
|
||||
case $policy in
|
||||
ACCEPT)
|
||||
ACCEPT|QUEUE)
|
||||
if [ -n "$synparams" ]; then
|
||||
#
|
||||
# To avoid double-counting SYN packets, enforce the policy
|
||||
@ -5589,6 +5620,7 @@ determine_capabilities() {
|
||||
POLICY_MATCH=
|
||||
PHYSDEV_MATCH=
|
||||
IPRANGE_MATCH=
|
||||
RECENT_MATCH=
|
||||
|
||||
qt $IPTABLES -N fooX1234
|
||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
@ -5597,7 +5629,7 @@ determine_capabilities() {
|
||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||
|
||||
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||
|
||||
if [ -n "$PKTTYPE" ]; then
|
||||
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
||||
@ -5627,6 +5659,7 @@ report_capabilities() {
|
||||
report_capability "Policy Match" $POLICY_MATCH
|
||||
report_capability "Physdev Match" $PHYSDEV_MATCH
|
||||
report_capability "IP range Match" $IPRANGE_MATCH
|
||||
report_capability "Recent Match" $RECENT_MATCH
|
||||
}
|
||||
|
||||
#
|
||||
@ -5678,7 +5711,7 @@ initialize_netfilter () {
|
||||
run_user_exit init
|
||||
|
||||
#
|
||||
# The some files might be large so strip them while the firewall is still running
|
||||
# Some files might be large so strip them while the firewall is still running
|
||||
# (restart command). This reduces the length of time that the firewall isn't
|
||||
# accepting new connections.
|
||||
#
|
||||
@ -5721,6 +5754,16 @@ initialize_netfilter () {
|
||||
setcontinue INPUT
|
||||
setcontinue OUTPUT
|
||||
|
||||
run_user_exit continue
|
||||
|
||||
f=$(find_file routestopped)
|
||||
|
||||
echo "Processing $f ..."
|
||||
|
||||
strip_file routestopped $f
|
||||
|
||||
process_routestopped -A
|
||||
|
||||
[ -n "$DISABLE_IPV6" ] && disable_ipv6
|
||||
|
||||
#
|
||||
@ -5729,10 +5772,6 @@ initialize_netfilter () {
|
||||
run_iptables -A INPUT -i lo -j ACCEPT
|
||||
run_iptables -A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
accounting_file=$(find_file accounting)
|
||||
|
||||
[ -f $accounting_file ] && setup_accounting $accounting_file
|
||||
|
||||
#
|
||||
# Allow DNS lookups during startup for FQDNs
|
||||
#
|
||||
@ -5756,6 +5795,10 @@ initialize_netfilter () {
|
||||
run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
|
||||
fi
|
||||
|
||||
accounting_file=$(find_file accounting)
|
||||
|
||||
[ -f $accounting_file ] && setup_accounting $accounting_file
|
||||
|
||||
if [ -z "$NEWNOTSYN" ]; then
|
||||
createchain newnotsyn no
|
||||
|
||||
@ -6332,7 +6375,7 @@ activate_rules()
|
||||
shift
|
||||
|
||||
if havenatchain $destchain ; then
|
||||
run_iptables -t nat -A $sourcechain $@ -j $destchain
|
||||
run_iptables2 -t nat -A $sourcechain $@ -j $destchain
|
||||
else
|
||||
[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev
|
||||
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||
@ -6350,7 +6393,7 @@ activate_rules()
|
||||
shift
|
||||
|
||||
if havenatchain $destchain; then
|
||||
eval run_iptables -t nat -I $sourcechain \
|
||||
eval run_iptables2 -t nat -I $sourcechain \
|
||||
\$${sourcechain}_rule $@ -j $destchain
|
||||
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
|
||||
else
|
||||
@ -6358,7 +6401,7 @@ activate_rules()
|
||||
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||
|
||||
fi
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Add jumps to early SNAT chains
|
||||
@ -6410,7 +6453,7 @@ activate_rules()
|
||||
interface=${host%%:*}
|
||||
networks=${host#*:}
|
||||
|
||||
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||
run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||
done
|
||||
fi
|
||||
fi
|
||||
@ -6439,7 +6482,7 @@ activate_rules()
|
||||
interface=${host%%:*}
|
||||
networks=${host#*:}
|
||||
|
||||
run_iptables -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
|
||||
run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
|
||||
|
||||
#
|
||||
# Add jumps from the builtin chains for DNAT and SNAT rules
|
||||
@ -6447,10 +6490,10 @@ activate_rules()
|
||||
addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host)
|
||||
addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host)
|
||||
|
||||
run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
|
||||
run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
|
||||
|
||||
if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then
|
||||
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||
run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||
fi
|
||||
|
||||
case $networks in
|
||||
@ -6515,7 +6558,7 @@ activate_rules()
|
||||
# routeback was specified for this host group
|
||||
#
|
||||
if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then
|
||||
run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
|
||||
run_iptables2 -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
|
||||
fi
|
||||
done
|
||||
else
|
||||
@ -6530,7 +6573,7 @@ activate_rules()
|
||||
networks1=${host1#*:}
|
||||
|
||||
if [ "$host" != "$host1" ] || list_search $host $routeback; then
|
||||
run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
|
||||
run_iptables2 -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
|
||||
fi
|
||||
done
|
||||
done
|
||||
@ -6577,7 +6620,9 @@ activate_rules()
|
||||
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
run_iptables -D $chain -p udp --dport 53 -j ACCEPT
|
||||
done
|
||||
|
||||
|
||||
process_routestopped -D
|
||||
|
||||
if [ -n "$LOGALLNEW" ]; then
|
||||
for table in mangle nat filter; do
|
||||
case $table in
|
||||
@ -7240,6 +7285,7 @@ do_initialize() {
|
||||
LOGALLNEW=
|
||||
DROPINVALID=
|
||||
RFC1918_STRICT=
|
||||
MACLIST_TTL=
|
||||
|
||||
RESTOREBASE=
|
||||
TMP_DIR=
|
||||
@ -7436,6 +7482,12 @@ do_initialize() {
|
||||
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
||||
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
||||
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
||||
|
||||
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
|
||||
|
||||
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
|
||||
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
|
||||
fi
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
|
||||
VERSION=2.2.2
|
||||
VERSION=2.2.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -25,6 +25,8 @@
|
||||
# DROP - Ignore the connection request
|
||||
# REJECT - For TCP, send RST. For all other, send
|
||||
# "port unreachable" ICMP.
|
||||
# QUEUE - Send the request to a user-space
|
||||
# application using the QUEUE target.
|
||||
# CONTINUE - Pass the connection request past
|
||||
# any other rules that it might also
|
||||
# match (where the source or destination
|
||||
|
@ -1,4 +1,74 @@
|
||||
Shorewall 2.2.2
|
||||
Shorewall 2.2.3
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in version 2.2.3
|
||||
|
||||
1) If a zone is defined in /etc/shorewall/hosts using
|
||||
<interface>:!<network> in the HOSTS column then startup errors occur
|
||||
on "shorewall [re]start".
|
||||
|
||||
2) Previously, if "shorewall status" was run on a system whose kernel
|
||||
lacked advanced routing support (CONFIG_IP_ADVANCED_ROUTER), then
|
||||
no routing information was displayed.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
New Features in version 2.2.3
|
||||
|
||||
1) A new extension script "continue" has been added. This script is
|
||||
invoked after Shorewall has set the built-in filter chains'
|
||||
policy to DROP, deleted any existing Netfilter rules and user
|
||||
chains and has enabled existing connections.
|
||||
|
||||
It is useful for enabling certain communication while Shorewall is
|
||||
being [re]started. Be sure to delete any rules that you add here in
|
||||
your /etc/shorewall/start file.
|
||||
|
||||
2) There has been ongoing confusion about how the
|
||||
/etc/shorewall/routestopped file works. People understand how it
|
||||
works with the 'shorewall stop' command but when they read that
|
||||
'shorewall restart' is logically equivalent to 'shorewall stop'
|
||||
followed by 'shorewall start' then they erroneously conclude that
|
||||
/etc/shorewall/routestopped can be used to enable new connections
|
||||
during 'shorewall restart'. Up to now, it cannot -- that file is not
|
||||
processed during either 'shorewall start' or 'shorewall restart'.
|
||||
|
||||
Beginning with Shorewall version 2.2.3, /etc/shorewall/routestopped
|
||||
will be processed TWICE during 'shorewall start' and during
|
||||
'shorewall restart'. It will be processed early in the command
|
||||
execution to add rules allowing new connections while the command
|
||||
is running and it will be processed again when the
|
||||
command is complete to remove the rules added earlier.
|
||||
|
||||
The result of this change will be that during most of [re]start, new
|
||||
connections will be allowed in accordance with the contents of
|
||||
/etc/shorewall/routestopped.
|
||||
|
||||
3) The performance of configurations with a large numbers of entries in
|
||||
/etc/shorewall/maclist can be improved by setting the new
|
||||
MACLIST_TTL variable in /etc/shorewall/shorewall.conf.
|
||||
|
||||
If your iptables and kernel support the "Recent Match" (see the
|
||||
output of "shorewall check" near the top), you can cache the results
|
||||
of a 'maclist' file lookup and thus reduce the overhead associated
|
||||
with MAC Verification.
|
||||
|
||||
When a new connection arrives from a 'maclist' interface, the packet
|
||||
passes through then list of entries for that interface in
|
||||
/etc/shorewall/maclist. If there is a match then the source IP
|
||||
address is added to the 'Recent' set for that interface. Subsequent
|
||||
connection attempts from that IP address occuring within
|
||||
$MACLIST_TTL seconds will be accepted without having to scan all
|
||||
of the entries. After $MACLIST_TTL from the first accepted
|
||||
connection request from an IP address, the next connection request
|
||||
from that IP address will be checked against the entire list.
|
||||
|
||||
If MACLIST_TTL is not specified or is specified as empty (e.g,
|
||||
MACLIST_TTL="" or is specified as zero then 'maclist' lookups
|
||||
will not be cached.
|
||||
|
||||
4) You can now specify QUEUE as a policy and you can designate a
|
||||
common action for QUEUE policies in /etc/shorewall/actions. This is
|
||||
useful for sending packets to something like Snort Inline.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in version 2.2.2
|
||||
|
@ -5,7 +5,8 @@
|
||||
# /etc/shorewall/routestopped
|
||||
#
|
||||
# This file is used to define the hosts that are accessible when the
|
||||
# firewall is stopped
|
||||
# firewall is stopped or when it is in the process of being
|
||||
# [re]started.
|
||||
#
|
||||
# Columns must be separated by white space and are:
|
||||
#
|
||||
|
@ -1014,17 +1014,24 @@ case "$1" in
|
||||
done
|
||||
done
|
||||
|
||||
echo
|
||||
echo "Routing Rules"
|
||||
echo
|
||||
ip rule ls
|
||||
ip rule ls | while read rule; do
|
||||
table=${rule##* }
|
||||
if [ -n "$(ip rule ls)" ]; then
|
||||
echo
|
||||
echo "Table $table:"
|
||||
echo "Routing Rules"
|
||||
echo
|
||||
ip route ls table $table
|
||||
done
|
||||
ip rule ls
|
||||
ip rule ls | while read rule; do
|
||||
table=${rule##* }
|
||||
echo
|
||||
echo "Table $table:"
|
||||
echo
|
||||
ip route ls table $table
|
||||
done
|
||||
else
|
||||
echo
|
||||
echo "Routing Table"
|
||||
echo
|
||||
ip route ls
|
||||
fi
|
||||
|
||||
echo
|
||||
echo "ARP"
|
||||
|
@ -768,6 +768,29 @@ DROPINVALID=No
|
||||
|
||||
RFC1918_STRICT=No
|
||||
|
||||
#
|
||||
# MACLIST caching
|
||||
#
|
||||
# If your iptables and kernel support the "Recent Match" (see the output of
|
||||
# "shorewall check" near the top), you can cache the results of a 'maclist'
|
||||
# file lookup and thus reduce the overhead associated with MAC Verification
|
||||
# (/etc/shorewall/maclist).
|
||||
#
|
||||
# When a new connection arrives from a 'maclist' interface, the packet passes
|
||||
# through then list of entries for that interface in /etc/shorewall/maclist. If
|
||||
# there is a match then the source IP address is added to the 'Recent' set for
|
||||
# that interface. Subsequent connection attempts from that IP address occuring
|
||||
# within $MACLIST_TTL seconds will be accepted without having to scan all of
|
||||
# the entries. After $MACLIST_TTL from the first accepted connection request,
|
||||
# the next connection request from that IP address will be checked against
|
||||
# the entire list.
|
||||
#
|
||||
# If MACLIST_TTL is not specified or is specified as empty (e.g,
|
||||
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
|
||||
# be cached.
|
||||
|
||||
MACLIST_TTL=
|
||||
|
||||
################################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
################################################################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 2.2.2
|
||||
%define version 2.2.3
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -137,6 +137,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
|
||||
|
||||
%changelog
|
||||
* Tue Apr 05 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.3-1
|
||||
* Mon Mar 07 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.2-1
|
||||
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=2.2.2
|
||||
VERSION=2.2.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user