From c053b240ca333c79344e1ec460fce88a0acbb940 Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 16 Jul 2004 20:38:59 +0000 Subject: [PATCH] Shorewall-2.0.6 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1481 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Lrp2/usr/share/shorewall/action.Drop | 1 + Lrp2/usr/share/shorewall/action.Reject | 1 + Lrp2/usr/share/shorewall/actions.std | 2 + Lrp2/usr/share/shorewall/firewall | 40 +++++++++++++------ Lrp2/usr/share/shorewall/version | 2 +- Shorewall-docs2/Documentation.xml | 21 +++++++++- Shorewall-docs2/Documentation_Index.xml | 6 ++- Shorewall-docs2/Shorewall_Squid_Usage.xml | 6 +-- Shorewall-docs2/shorewall_logging.xml | 8 +--- .../shorewall_quickstart_guide.xml | 8 ++++ Shorewall-docs2/shorewall_setup_guide.xml | 6 +-- 11 files changed, 73 insertions(+), 28 deletions(-) diff --git a/Lrp2/usr/share/shorewall/action.Drop b/Lrp2/usr/share/shorewall/action.Drop index 04feb4ce7..721a46126 100644 --- a/Lrp2/usr/share/shorewall/action.Drop +++ b/Lrp2/usr/share/shorewall/action.Drop @@ -8,6 +8,7 @@ # PORT PORT(S) LIMIT GROUP RejectAuth dropBcast +dropInvalid DropSMB DropUPnP dropNotSyn diff --git a/Lrp2/usr/share/shorewall/action.Reject b/Lrp2/usr/share/shorewall/action.Reject index 1799ecc6c..8cfd666ec 100644 --- a/Lrp2/usr/share/shorewall/action.Reject +++ b/Lrp2/usr/share/shorewall/action.Reject @@ -8,6 +8,7 @@ # PORT PORT(S) LIMIT GROUP RejectAuth dropBcast +dropInvalid RejectSMB DropUPnP dropNotSyn diff --git a/Lrp2/usr/share/shorewall/actions.std b/Lrp2/usr/share/shorewall/actions.std index b762d2730..99515bd83 100644 --- a/Lrp2/usr/share/shorewall/actions.std +++ b/Lrp2/usr/share/shorewall/actions.std @@ -10,6 +10,8 @@ # logNonSyn #Log Non-syn TCP packets with disposition LOG # dLogNonSyn #Log Non-syn TCP packets with disposition DROP # rLogNonSyn #Log Non-syn TCP packets with disposition REJECT +# dropInvalid #Silently Drop packets that are in the INVALID +# #conntrack state. # # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in # shorewall.conf. If that option isn't specified then 'info' is used. diff --git a/Lrp2/usr/share/shorewall/firewall b/Lrp2/usr/share/shorewall/firewall index fee1eb195..b3e1116a8 100755 --- a/Lrp2/usr/share/shorewall/firewall +++ b/Lrp2/usr/share/shorewall/firewall @@ -670,15 +670,15 @@ determine_hosts() { networks=0.0.0.0/0 fi - for networks in $networks; do + for network in $networks; do if [ -z "$hosts" ]; then - hosts=$interface:$networks + hosts=$interface:$network else - hosts="$hosts $interface:$networks" + hosts="$hosts $interface:$network" fi if interface_has_option $interface routeback; then - eval ${zone}_routeback=\"$interface:$networks \$${zone}_routeback\" + eval ${zone}_routeback=\"$interface:$network \$${zone}_routeback\" fi done done @@ -2790,7 +2790,7 @@ createactionchain() # $1 = chain name process_actions1() { - ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn" + ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid" USEDACTIONS= strip_file actions @@ -2908,6 +2908,13 @@ process_actions2() { log_action() { [ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn } + + drop_broadcasts() { + for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do + run_iptables -A dropBcast -d $address -j DROP + done + } + # # Generate the transitive closure of $USEDACTIONS # @@ -2933,14 +2940,16 @@ process_actions2() { case $xaction in dropBcast) if [ "$COMMAND" != check ]; then - qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP - if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then - # - # No pkttype support -- do it the hard way - # - for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do - run_iptables -A dropBcast -d $address -j DROP - done + if [ -n "$PKTTYPE" ]; then + qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP + if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then + # + # No pkttype support -- do it the hard way + # + drop_broadcasts + fi + else + drop_broadcasts fi fi ;; @@ -2964,6 +2973,9 @@ process_actions2() { dLogNotSyn) log_action dLogNotSyn DROP ;; + dropInvalid) + [ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP + ;; *) f=action.$xaction fn=$(find_file $f) @@ -6053,6 +6065,7 @@ do_initialize() { DISABLE_IPV6= BRIDGING= DYNAMIC_ZONES= + PKTTYPE= RESTOREBASE= TMP_DIR= @@ -6225,6 +6238,7 @@ do_initialize() { DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) + PKTTYPE=$(added_param_value_yes PKTTYPE $PKTTYPE) # # Strip the files that we use often diff --git a/Lrp2/usr/share/shorewall/version b/Lrp2/usr/share/shorewall/version index e01025862..157e54f3e 100644 --- a/Lrp2/usr/share/shorewall/version +++ b/Lrp2/usr/share/shorewall/version @@ -1 +1 @@ -2.0.5 +2.0.6 diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml index 8bb87e2f1..f2f40624e 100644 --- a/Shorewall-docs2/Documentation.xml +++ b/Shorewall-docs2/Documentation.xml @@ -1437,7 +1437,8 @@ DNAT net loc:192.168.1.3 tcp ssh (Shorewall 1.4.9 and later) - An action defined in the /etc/shorewall/actions - file. + or /usr/share/shorewall/actions.std + files. @@ -1461,6 +1462,24 @@ DNAT net loc:192.168.1.3 tcp ssh Shorewall will issue a warning message and will truncate the prefix to 29 characters. + Specifying a log level for a <defined action> + will log all invocations of the action. For example: + + AllowFTP:info net dmz + + will log all net->dmz traffic that has not been handled by + earlier rules. That's probably not what you want. If you want to + log the FTP connections that are actually accepted, you need to log + within the action itself. One way to do that would be to copy + /usr/share/shorewall/action.AllowFTP to + /etc/shorewall and modify the + copy as follows: + + #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +ACCEPT:info - - tcp 21 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + The use of DNAT or REDIRECT requires that you have NAT enabled in your kernel configuration. diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml index c85752400..9654c606c 100644 --- a/Shorewall-docs2/Documentation_Index.xml +++ b/Shorewall-docs2/Documentation_Index.xml @@ -15,7 +15,7 @@ - 2004-07-10 + 2004-07-16 2001-2004 @@ -329,6 +329,10 @@ Firewall + + SMB + + Starting/stopping the FirewallDescription of all diff --git a/Shorewall-docs2/Shorewall_Squid_Usage.xml b/Shorewall-docs2/Shorewall_Squid_Usage.xml index 536bbc4ae..5fdb8809e 100644 --- a/Shorewall-docs2/Shorewall_Squid_Usage.xml +++ b/Shorewall-docs2/Shorewall_Squid_Usage.xml @@ -15,7 +15,7 @@ - 2004-07-13 + 2004-07-16 2003-2004 @@ -251,7 +251,7 @@ fi and add the following entry in /etc/shorewall/tcrules: #MARK SOURCE DESTINATION PROTOCOL PORT -202 eth2 0.0.0.0 tcp 80 +202 eth2 0.0.0.0/0 tcp 80 @@ -259,7 +259,7 @@ fi in /etc/shorewall/tcrules: #MARK SOURCE DESTINATION PROTOCOL PORT -202:P eth2 0.0.0.0 tcp 80 +202:P eth2 0.0.0.0/0 tcp 80 diff --git a/Shorewall-docs2/shorewall_logging.xml b/Shorewall-docs2/shorewall_logging.xml index 4015ca3a5..2aa2de5b5 100644 --- a/Shorewall-docs2/shorewall_logging.xml +++ b/Shorewall-docs2/shorewall_logging.xml @@ -15,7 +15,7 @@ - 2004-06-28 + 2004-07-15 2001 - 2004 @@ -42,7 +42,7 @@ - The packet is part of an established commection. The packet is + The packet is part of an established connecection. The packet is accepted and cannot be logged. @@ -151,10 +151,6 @@ If you give, for example, kern.info it's own log destination then that destination will also receive all kernel messages of levels 5 (notice) through 0 (emerg). - - - - diff --git a/Shorewall-docs2/shorewall_quickstart_guide.xml b/Shorewall-docs2/shorewall_quickstart_guide.xml index 4eed6300a..1194fe362 100644 --- a/Shorewall-docs2/shorewall_quickstart_guide.xml +++ b/Shorewall-docs2/shorewall_quickstart_guide.xml @@ -48,6 +48,14 @@ These guides provide step-by-step instructions for configuring Shorewall in common firewall setups. +
+ If you already have a router. + + If you already have a router on your premises and you simply want + to add a firewall between the router and your local system then you want + a simple bridge configuration. +
+
If you have a <emphasis role="bold">single public IP address</emphasis> diff --git a/Shorewall-docs2/shorewall_setup_guide.xml b/Shorewall-docs2/shorewall_setup_guide.xml index 5fdb0c8b3..0b0632793 100644 --- a/Shorewall-docs2/shorewall_setup_guide.xml +++ b/Shorewall-docs2/shorewall_setup_guide.xml @@ -15,7 +15,7 @@ - 2004-06-11 + 2004-07-15 2001-2004 @@ -246,8 +246,8 @@ all all REJECT info drop (ignore) all connection requests from the internet to your - firewall or local network and log a message at the info level (here is - a description of log levels). + firewall or local network and log a message at the info level (here is a description of log levels).