diff --git a/Lrp2/usr/share/shorewall/action.Drop b/Lrp2/usr/share/shorewall/action.Drop
index 04feb4ce7..721a46126 100644
--- a/Lrp2/usr/share/shorewall/action.Drop
+++ b/Lrp2/usr/share/shorewall/action.Drop
@@ -8,6 +8,7 @@
 # PORT PORT(S) LIMIT GROUP
 RejectAuth
 dropBcast
+dropInvalid
 DropSMB
 DropUPnP
 dropNotSyn
diff --git a/Lrp2/usr/share/shorewall/action.Reject b/Lrp2/usr/share/shorewall/action.Reject
index 1799ecc6c..8cfd666ec 100644
--- a/Lrp2/usr/share/shorewall/action.Reject
+++ b/Lrp2/usr/share/shorewall/action.Reject
@@ -8,6 +8,7 @@
 # PORT PORT(S) LIMIT GROUP
 RejectAuth
 dropBcast
+dropInvalid
 RejectSMB
 DropUPnP
 dropNotSyn
diff --git a/Lrp2/usr/share/shorewall/actions.std b/Lrp2/usr/share/shorewall/actions.std
index b762d2730..99515bd83 100644
--- a/Lrp2/usr/share/shorewall/actions.std
+++ b/Lrp2/usr/share/shorewall/actions.std
@@ -10,6 +10,8 @@
 # logNonSyn #Log Non-syn TCP packets with disposition LOG
 # dLogNonSyn #Log Non-syn TCP packets with disposition DROP
 # rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
+# dropInvalid #Silently Drop packets that are in the INVALID
+# #conntrack state.
 #
 # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
 # shorewall.conf. If that option isn't specified then 'info' is used.
diff --git a/Lrp2/usr/share/shorewall/firewall b/Lrp2/usr/share/shorewall/firewall
index fee1eb195..b3e1116a8 100755
--- a/Lrp2/usr/share/shorewall/firewall
+++ b/Lrp2/usr/share/shorewall/firewall
@@ -670,15 +670,15 @@ determine_hosts() {
 networks=0.0.0.0/0
 fi
- for networks in $networks; do
+ for network in $networks; do
 if [ -z "$hosts" ]; then
- hosts=$interface:$networks
+ hosts=$interface:$network
 else
- hosts="$hosts $interface:$networks"
+ hosts="$hosts $interface:$network"
 fi
 if interface_has_option $interface routeback; then
- eval ${zone}_routeback=\"$interface:$networks \$${zone}_routeback\"
+ eval ${zone}_routeback=\"$interface:$network \$${zone}_routeback\"
 fi
 done
 done
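Review bot: Placing `dropInvalid` ahead of DropSMB in the default Drop action (and in action.Reject in the next hunk, implemented by the `dropInvalid)` case later in firewall) means INVALID-state packets are discarded before any logged rule can see them, so a log level on a DROP or REJECT policy presumably stops recording them. That is a visibility loss for anyone who watches the firewall log for conntrack trouble or scanning activity, and no hunk on this page adds a logging counterpart the way dLogNotSyn and rLogNotSyn exist for non-SYN packets. Either a `dLogInvalid`-style builtin or a comment next to the new line, `# INVALID packets are dropped here without logging -- they will not reach the policy log`, would make the trade-off explicit.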
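Review bot: The rename at `for network in $networks; do` stops the loop variable from clobbering the `$networks` list it iterates, but nothing in the code records why the two names must stay distinct, so the shadowing could come back in a later edit. A comment above the loop, `# do not reuse $networks as the loop variable -- it holds the list being iterated`, would preserve the intent; `network` and `hosts` remain shell globals here, as before. determine_hosts starts before this hunk.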
@@ -2790,7 +2790,7 @@ createactionchain() # $1 = chain name
 process_actions1() {
- ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn"
+ ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid"
 USEDACTIONS=
 strip_file actions
@@ -2908,6 +2908,13 @@ process_actions2() {
 log_action() {
 [ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
 }
+
+ drop_broadcasts() {
+ for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
+ run_iptables -A dropBcast -d $address -j DROP
+ done
+ }
+
 #
 # Generate the transitive closure of $USEDACTIONS
 #
@@ -2933,14 +2940,16 @@ process_actions2() {
 case $xaction in
 dropBcast)
 if [ "$COMMAND" != check ]; then
- qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
- if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
- #
- # No pkttype support -- do it the hard way
- #
- for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
- run_iptables -A dropBcast -d $address -j DROP
- done
+ if [ -n "$PKTTYPE" ]; then
+ qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
+ if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
+ #
+ # No pkttype support -- do it the hard way
+ #
+ drop_broadcasts
+ fi
+ else
+ drop_broadcasts
 fi
 fi
 ;;
@@ -2964,6 +2973,9 @@ process_actions2() {
 dLogNotSyn)
 log_action dLogNotSyn DROP
 ;;
+ dropInvalid)
+ [ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP
+ ;;
 *)
 f=action.$xaction
 fn=$(find_file $f)
@@ -6053,6 +6065,7 @@ do_initialize() {
 DISABLE_IPV6=
 BRIDGING=
 DYNAMIC_ZONES=
+ PKTTYPE=
 RESTOREBASE=
 TMP_DIR=
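Review bot: The builtin list in `ACTIONS=` now has to be kept in step by hand with the `case $xaction in` dispatch in process_actions2 and the comment block in actions.std, and dropInvalid was added to all three separately in this commit. A comment on this line, `# builtin actions -- keep in sync with the case in process_actions2 and actions.std`, would help the next person adding one. process_actions1 continues outside the hunk.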
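Review bot: `if [ -n "$PKTTYPE" ]` treats any non-empty value as enabled, which is only right if added_param_value_yes in the later do_initialize hunk maps a user's `PKTTYPE=No` to the empty string; if it echoes the value unchanged, No would still take the pkttype path. A comment on that line, `# empty when the user set PKTTYPE=No (see added_param_value_yes)`, or an explicit Yes/No case would pin the contract down. Inside the branch the broadcast rule's outcome is still discarded by qt and only a failed multicast rule triggers drop_broadcasts, so a system where the first insert fails and the second succeeds ends up with no broadcast drops; that predates this change but the restructuring keeps it. process_actions2 starts and ends outside the hunk.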
@@ -6225,6 +6238,7 @@ do_initialize() {
 DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
 BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
 DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
+ PKTTYPE=$(added_param_value_yes PKTTYPE $PKTTYPE)
 #
 # Strip the files that we use often
diff --git a/Lrp2/usr/share/shorewall/version b/Lrp2/usr/share/shorewall/version
index e01025862..157e54f3e 100644
--- a/Lrp2/usr/share/shorewall/version
+++ b/Lrp2/usr/share/shorewall/version
@@ -1 +1 @@
-2.0.5
+2.0.6
diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml
index 8bb87e2f1..f2f40624e 100644
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@@ -1437,7 +1437,8 @@ DNAT net loc:192.168.1.3 tcp ssh (Shorewall 1.4.9 and later) - An action defined in the /etc/shorewall/actions - file.
+ or /usr/share/shorewall/actions.std
+ files.
@@ -1461,6 +1462,24 @@ DNAT net loc:192.168.1.3 tcp ssh Shorewall will issue a warning message and will truncate the prefix to 29 characters.
+ Specifying a log level for a <defined action>
+ will log all invocations of the action. For example:
+
+ AllowFTP:info net dmz
+
+ will log all net->dmz traffic that has not been handled by
+ earlier rules. That's probably not what you want. If you want to
+ log the FTP connections that are actually accepted, you need to log
+ within the action itself. One way to do that would be to copy
+ /usr/share/shorewall/action.AllowFTP to
+ /etc/shorewall and modify the
+ copy as follows:
+
+ #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT:info - - tcp 21
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
 The use of DNAT or REDIRECT requires that you have NAT enabled in your kernel configuration.
diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml
index c85752400..9654c606c 100644
--- a/Shorewall-docs2/Documentation_Index.xml
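Review bot: `PKTTYPE` becomes a user-visible shorewall.conf option at this line, defaulting to Yes through added_param_value_yes, yet no hunk on this page adds it to shorewall.conf or to the documentation, so users cannot discover that setting it to No is presumably the way to avoid the pkttype match on kernels where it misbehaves. If those changes are in a separate commit a pointer in the commit message would do; otherwise shorewall.conf needs a `PKTTYPE=Yes` entry with a comment describing when to set No. do_initialize continues outside the hunk.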
+++ b/Shorewall-docs2/Documentation_Index.xml @@ -15,7 +15,7 @@ - 2004-07-10 + 2004-07-16 2001-2004 @@ -329,6 +329,10 @@ Firewall + + SMB + + Starting/stopping the FirewallDescription of all diff --git a/Shorewall-docs2/Shorewall_Squid_Usage.xml b/Shorewall-docs2/Shorewall_Squid_Usage.xml index 536bbc4ae..5fdb8809e 100644 --- a/Shorewall-docs2/Shorewall_Squid_Usage.xml +++ b/Shorewall-docs2/Shorewall_Squid_Usage.xml @@ -15,7 +15,7 @@ - 2004-07-13 + 2004-07-16 2003-2004 @@ -251,7 +251,7 @@ fi and add the following entry in /etc/shorewall/tcrules: #MARK SOURCE DESTINATION PROTOCOL PORT -202 eth2 0.0.0.0 tcp 80 +202 eth2 0.0.0.0/0 tcp 80 @@ -259,7 +259,7 @@ fi in /etc/shorewall/tcrules: #MARK SOURCE DESTINATION PROTOCOL PORT -202:P eth2 0.0.0.0 tcp 80 +202:P eth2 0.0.0.0/0 tcp 80 diff --git a/Shorewall-docs2/shorewall_logging.xml b/Shorewall-docs2/shorewall_logging.xml index 4015ca3a5..2aa2de5b5 100644 --- a/Shorewall-docs2/shorewall_logging.xml +++ b/Shorewall-docs2/shorewall_logging.xml @@ -15,7 +15,7 @@ - 2004-06-28 + 2004-07-15 2001 - 2004 @@ -42,7 +42,7 @@ - The packet is part of an established commection. The packet is + The packet is part of an established connecection. The packet is accepted and cannot be logged. @@ -151,10 +151,6 @@ If you give, for example, kern.info it's own log destination then that destination will also receive all kernel messages of levels 5 (notice) through 0 (emerg). - - - - diff --git a/Shorewall-docs2/shorewall_quickstart_guide.xml b/Shorewall-docs2/shorewall_quickstart_guide.xml index 4eed6300a..1194fe362 100644 --- a/Shorewall-docs2/shorewall_quickstart_guide.xml +++ b/Shorewall-docs2/shorewall_quickstart_guide.xml @@ -48,6 +48,14 @@ These guides provide step-by-step instructions for configuring Shorewall in common firewall setups. +
+ If you already have a router. + + If you already have a router on your premises and you simply want + to add a firewall between the router and your local system then you want + a simple bridge configuration. +
+
If you have a <emphasis role="bold">single public IP address</emphasis> diff --git a/Shorewall-docs2/shorewall_setup_guide.xml b/Shorewall-docs2/shorewall_setup_guide.xml index 5fdb0c8b3..0b0632793 100644 --- a/Shorewall-docs2/shorewall_setup_guide.xml +++ b/Shorewall-docs2/shorewall_setup_guide.xml @@ -15,7 +15,7 @@ - 2004-06-11 + 2004-07-15 2001-2004 @@ -246,8 +246,8 @@ all all REJECT info drop (ignore) all connection requests from the internet to your - firewall or local network and log a message at the info level (here is - a description of log levels). + firewall or local network and log a message at the info level (here is a description of log levels).