Shorewall-2.0.6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1481 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-07-16 20:38:59 +00:00
parent 997c722946
commit c053b240ca
11 changed files with 73 additions and 28 deletions

View File

@ -8,6 +8,7 @@
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) LIMIT GROUP
RejectAuth RejectAuth
dropBcast dropBcast
dropInvalid
DropSMB DropSMB
DropUPnP DropUPnP
dropNotSyn dropNotSyn

View File

@ -8,6 +8,7 @@
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) LIMIT GROUP
RejectAuth RejectAuth
dropBcast dropBcast
dropInvalid
RejectSMB RejectSMB
DropUPnP DropUPnP
dropNotSyn dropNotSyn

View File

@ -10,6 +10,8 @@
# logNonSyn #Log Non-syn TCP packets with disposition LOG # logNonSyn #Log Non-syn TCP packets with disposition LOG
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP # dLogNonSyn #Log Non-syn TCP packets with disposition DROP
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT # rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
# dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state.
# #
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used. # shorewall.conf. If that option isn't specified then 'info' is used.

View File

@ -670,15 +670,15 @@ determine_hosts() {
networks=0.0.0.0/0 networks=0.0.0.0/0
fi fi
for networks in $networks; do for network in $networks; do
if [ -z "$hosts" ]; then if [ -z "$hosts" ]; then
hosts=$interface:$networks hosts=$interface:$network
else else
hosts="$hosts $interface:$networks" hosts="$hosts $interface:$network"
fi fi
if interface_has_option $interface routeback; then if interface_has_option $interface routeback; then
eval ${zone}_routeback=\"$interface:$networks \$${zone}_routeback\" eval ${zone}_routeback=\"$interface:$network \$${zone}_routeback\"
fi fi
done done
done done
@ -2790,7 +2790,7 @@ createactionchain() # $1 = chain name
process_actions1() { process_actions1() {
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn" ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid"
USEDACTIONS= USEDACTIONS=
strip_file actions strip_file actions
@ -2908,6 +2908,13 @@ process_actions2() {
log_action() { log_action() {
[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn [ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
} }
drop_broadcasts() {
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
run_iptables -A dropBcast -d $address -j DROP
done
}
# #
# Generate the transitive closure of $USEDACTIONS # Generate the transitive closure of $USEDACTIONS
# #
@ -2933,14 +2940,16 @@ process_actions2() {
case $xaction in case $xaction in
dropBcast) dropBcast)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
if [ -n "$PKTTYPE" ]; then
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
# #
# No pkttype support -- do it the hard way # No pkttype support -- do it the hard way
# #
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do drop_broadcasts
run_iptables -A dropBcast -d $address -j DROP fi
done else
drop_broadcasts
fi fi
fi fi
;; ;;
@ -2964,6 +2973,9 @@ process_actions2() {
dLogNotSyn) dLogNotSyn)
log_action dLogNotSyn DROP log_action dLogNotSyn DROP
;; ;;
dropInvalid)
[ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP
;;
*) *)
f=action.$xaction f=action.$xaction
fn=$(find_file $f) fn=$(find_file $f)
@ -6053,6 +6065,7 @@ do_initialize() {
DISABLE_IPV6= DISABLE_IPV6=
BRIDGING= BRIDGING=
DYNAMIC_ZONES= DYNAMIC_ZONES=
PKTTYPE=
RESTOREBASE= RESTOREBASE=
TMP_DIR= TMP_DIR=
@ -6225,6 +6238,7 @@ do_initialize() {
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
PKTTYPE=$(added_param_value_yes PKTTYPE $PKTTYPE)
# #
# Strip the files that we use often # Strip the files that we use often

View File

@ -1 +1 @@
2.0.5 2.0.6

View File

@ -1437,7 +1437,8 @@ DNAT net loc:192.168.1.3 tcp ssh
<listitem> <listitem>
<para>(Shorewall 1.4.9 and later) - An action defined in the <para>(Shorewall 1.4.9 and later) - An action defined in the
<filename><ulink url="User_defined_Actions.html">/etc/shorewall/actions</ulink></filename> <filename><ulink url="User_defined_Actions.html">/etc/shorewall/actions</ulink></filename>
file.</para> or <filename>/usr/share/shorewall/actions.std</filename>
files.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@ -1461,6 +1462,24 @@ DNAT net loc:192.168.1.3 tcp ssh
Shorewall will issue a warning message and will truncate the prefix Shorewall will issue a warning message and will truncate the prefix
to 29 characters.</para> to 29 characters.</para>
<para>Specifying a log level for a &#60;<emphasis>defined action</emphasis>&#62;
will log all invocations of the action. For example:</para>
<programlisting>AllowFTP:info net dmz</programlisting>
<para>will log all net-&#62;dmz traffic that has not been handled by
earlier rules. That&#39;s probably not what you want. If you want to
log the FTP connections that are actually accepted, you need to log
within the action itself. One way to do that would be to copy
<filename>/usr/share/shorewall/action.AllowFTP</filename> to
<filename class="directory">/etc/shorewall</filename> and modify the
copy as follows:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT<emphasis role="bold">:info</emphasis> - - tcp 21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>The use of DNAT or REDIRECT requires that you have NAT enabled <para>The use of DNAT or REDIRECT requires that you have NAT enabled
in your <ulink url="kernel.htm">kernel configuration</ulink>.</para> in your <ulink url="kernel.htm">kernel configuration</ulink>.</para>
</listitem> </listitem>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-07-10</pubdate> <pubdate>2004-07-16</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -329,6 +329,10 @@
Firewall</ulink></para></listitem></itemizedlist></para> Firewall</ulink></para></listitem></itemizedlist></para>
</listitem> </listitem>
<listitem>
<para><ulink url="samba.htm">SMB</ulink></para>
</listitem>
<listitem> <listitem>
<para><ulink url="starting_and_stopping_shorewall.htm">Starting/stopping <para><ulink url="starting_and_stopping_shorewall.htm">Starting/stopping
the Firewall</ulink><itemizedlist><listitem><para>Description of all the Firewall</ulink><itemizedlist><listitem><para>Description of all

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-07-13</pubdate> <pubdate>2004-07-16</pubdate>
<copyright> <copyright>
<year>2003-2004</year> <year>2003-2004</year>
@ -251,7 +251,7 @@ fi</command></programlisting>
and add the following entry in <filename>/etc/shorewall/tcrules</filename>:</para> and add the following entry in <filename>/etc/shorewall/tcrules</filename>:</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT <programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT
202 eth2 0.0.0.0 tcp 80</programlisting> 202 eth2 0.0.0.0/0 tcp 80</programlisting>
</listitem> </listitem>
<listitem> <listitem>
@ -259,7 +259,7 @@ fi</command></programlisting>
in <filename>/etc/shorewall/tcrules</filename>:</para> in <filename>/etc/shorewall/tcrules</filename>:</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT <programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT
202:P eth2 0.0.0.0 tcp 80</programlisting> 202:P eth2 0.0.0.0/0 tcp 80</programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-06-28</pubdate> <pubdate>2004-07-15</pubdate>
<copyright> <copyright>
<year>2001 - 2004</year> <year>2001 - 2004</year>
@ -42,7 +42,7 @@
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>The packet is part of an established commection. The packet is <para>The packet is part of an established connecection. The packet is
accepted and cannot be logged.</para> accepted and cannot be logged.</para>
</listitem> </listitem>
@ -151,10 +151,6 @@
<para>If you give, for example, kern.info it&#39;s own log <para>If you give, for example, kern.info it&#39;s own log
destination then that destination will also receive all kernel destination then that destination will also receive all kernel
messages of levels 5 (notice) through 0 (emerg).</para> messages of levels 5 (notice) through 0 (emerg).</para>
<destructorsynopsis>
<void />
</destructorsynopsis>
</listitem> </listitem>
<listitem> <listitem>

View File

@ -48,6 +48,14 @@
<para>These guides provide step-by-step instructions for configuring <para>These guides provide step-by-step instructions for configuring
Shorewall in common firewall setups.</para> Shorewall in common firewall setups.</para>
<section>
<title>If you already have a router.</title>
<para>If you already have a router on your premises and you simply want
to add a firewall between the router and your local system then you want
a <ulink url="quick_bridge.html">simple bridge configuration</ulink>.</para>
</section>
<section> <section>
<title>If you have a <emphasis role="bold">single public IP address</emphasis></title> <title>If you have a <emphasis role="bold">single public IP address</emphasis></title>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-06-11</pubdate> <pubdate>2004-07-15</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -246,8 +246,8 @@ all all REJECT info</programlisting>
<listitem> <listitem>
<para>drop (ignore) all connection requests from the internet to your <para>drop (ignore) all connection requests from the internet to your
firewall or local network and log a message at the info level (here is firewall or local network and log a message at the info level (<ulink
a description of log levels).</para> url="shorewall_logging.html">here is a description of log levels</ulink>).</para>
</listitem> </listitem>
<listitem> <listitem>