Shorewall-2.0.6
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1481 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
997c722946
commit
c053b240ca
@ -8,6 +8,7 @@
|
|||||||
# PORT PORT(S) LIMIT GROUP
|
# PORT PORT(S) LIMIT GROUP
|
||||||
RejectAuth
|
RejectAuth
|
||||||
dropBcast
|
dropBcast
|
||||||
|
dropInvalid
|
||||||
DropSMB
|
DropSMB
|
||||||
DropUPnP
|
DropUPnP
|
||||||
dropNotSyn
|
dropNotSyn
|
||||||
|
@ -8,6 +8,7 @@
|
|||||||
# PORT PORT(S) LIMIT GROUP
|
# PORT PORT(S) LIMIT GROUP
|
||||||
RejectAuth
|
RejectAuth
|
||||||
dropBcast
|
dropBcast
|
||||||
|
dropInvalid
|
||||||
RejectSMB
|
RejectSMB
|
||||||
DropUPnP
|
DropUPnP
|
||||||
dropNotSyn
|
dropNotSyn
|
||||||
|
@ -10,6 +10,8 @@
|
|||||||
# logNonSyn #Log Non-syn TCP packets with disposition LOG
|
# logNonSyn #Log Non-syn TCP packets with disposition LOG
|
||||||
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
|
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
|
||||||
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
|
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
|
||||||
|
# dropInvalid #Silently Drop packets that are in the INVALID
|
||||||
|
# #conntrack state.
|
||||||
#
|
#
|
||||||
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
|
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
|
||||||
# shorewall.conf. If that option isn't specified then 'info' is used.
|
# shorewall.conf. If that option isn't specified then 'info' is used.
|
||||||
|
@ -670,15 +670,15 @@ determine_hosts() {
|
|||||||
networks=0.0.0.0/0
|
networks=0.0.0.0/0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
for networks in $networks; do
|
for network in $networks; do
|
||||||
if [ -z "$hosts" ]; then
|
if [ -z "$hosts" ]; then
|
||||||
hosts=$interface:$networks
|
hosts=$interface:$network
|
||||||
else
|
else
|
||||||
hosts="$hosts $interface:$networks"
|
hosts="$hosts $interface:$network"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if interface_has_option $interface routeback; then
|
if interface_has_option $interface routeback; then
|
||||||
eval ${zone}_routeback=\"$interface:$networks \$${zone}_routeback\"
|
eval ${zone}_routeback=\"$interface:$network \$${zone}_routeback\"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
@ -2790,7 +2790,7 @@ createactionchain() # $1 = chain name
|
|||||||
|
|
||||||
process_actions1() {
|
process_actions1() {
|
||||||
|
|
||||||
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn"
|
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid"
|
||||||
USEDACTIONS=
|
USEDACTIONS=
|
||||||
|
|
||||||
strip_file actions
|
strip_file actions
|
||||||
@ -2908,6 +2908,13 @@ process_actions2() {
|
|||||||
log_action() {
|
log_action() {
|
||||||
[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
|
[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
|
||||||
}
|
}
|
||||||
|
|
||||||
|
drop_broadcasts() {
|
||||||
|
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
|
||||||
|
run_iptables -A dropBcast -d $address -j DROP
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Generate the transitive closure of $USEDACTIONS
|
# Generate the transitive closure of $USEDACTIONS
|
||||||
#
|
#
|
||||||
@ -2933,14 +2940,16 @@ process_actions2() {
|
|||||||
case $xaction in
|
case $xaction in
|
||||||
dropBcast)
|
dropBcast)
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
|
if [ -n "$PKTTYPE" ]; then
|
||||||
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
|
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
|
||||||
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
|
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
|
||||||
#
|
#
|
||||||
# No pkttype support -- do it the hard way
|
# No pkttype support -- do it the hard way
|
||||||
#
|
#
|
||||||
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
|
drop_broadcasts
|
||||||
run_iptables -A dropBcast -d $address -j DROP
|
fi
|
||||||
done
|
else
|
||||||
|
drop_broadcasts
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
@ -2964,6 +2973,9 @@ process_actions2() {
|
|||||||
dLogNotSyn)
|
dLogNotSyn)
|
||||||
log_action dLogNotSyn DROP
|
log_action dLogNotSyn DROP
|
||||||
;;
|
;;
|
||||||
|
dropInvalid)
|
||||||
|
[ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
f=action.$xaction
|
f=action.$xaction
|
||||||
fn=$(find_file $f)
|
fn=$(find_file $f)
|
||||||
@ -6053,6 +6065,7 @@ do_initialize() {
|
|||||||
DISABLE_IPV6=
|
DISABLE_IPV6=
|
||||||
BRIDGING=
|
BRIDGING=
|
||||||
DYNAMIC_ZONES=
|
DYNAMIC_ZONES=
|
||||||
|
PKTTYPE=
|
||||||
RESTOREBASE=
|
RESTOREBASE=
|
||||||
TMP_DIR=
|
TMP_DIR=
|
||||||
|
|
||||||
@ -6225,6 +6238,7 @@ do_initialize() {
|
|||||||
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
|
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
|
||||||
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
|
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
|
||||||
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
|
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
|
||||||
|
PKTTYPE=$(added_param_value_yes PKTTYPE $PKTTYPE)
|
||||||
|
|
||||||
#
|
#
|
||||||
# Strip the files that we use often
|
# Strip the files that we use often
|
||||||
|
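Review bot: In the dropBcast case (hunk `@ -2933,14 +2940,16 @@`) the exit status of the first probe, `qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP`, is discarded and only the multicast attempt decides whether drop_broadcasts runs, so the fallback rests on the assumption that both pkttype rules fail together when the match is unavailable; nothing on the new side checks that. Folding both attempts into the condition makes the fallback depend on either failure: `if ! qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP || ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then`, replacing the unconditional broadcast call and the existing `if ! qt ... multicast ...; then` line. The new helper drop_broadcasts (hunk `@ -2908,6 +2908,13 @@`) has no header comment; `# Fill the dropBcast chain with explicit DROP rules for each address from find_broadcasts plus 255.255.255.255 and 224.0.0.0/4 -- the fallback when pkttype matching is disabled (PKTTYPE) or unsupported` would explain why it sits next to the pkttype path, and it is worth noting there that $address is left set as a global, as in the loop it replaces. process_actions2, which encloses the dropBcast case, starts and ends outside the hunk.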
@ -1 +1 @@
|
|||||||
2.0.5
|
2.0.6
|
||||||
|
@ -1437,7 +1437,8 @@ DNAT net loc:192.168.1.3 tcp ssh
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>(Shorewall 1.4.9 and later) - An action defined in the
|
<para>(Shorewall 1.4.9 and later) - An action defined in the
|
||||||
<filename><ulink url="User_defined_Actions.html">/etc/shorewall/actions</ulink></filename>
|
<filename><ulink url="User_defined_Actions.html">/etc/shorewall/actions</ulink></filename>
|
||||||
file.</para>
|
or <filename>/usr/share/shorewall/actions.std</filename>
|
||||||
|
files.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
@ -1461,6 +1462,24 @@ DNAT net loc:192.168.1.3 tcp ssh
|
|||||||
Shorewall will issue a warning message and will truncate the prefix
|
Shorewall will issue a warning message and will truncate the prefix
|
||||||
to 29 characters.</para>
|
to 29 characters.</para>
|
||||||
|
|
||||||
|
<para>Specifying a log level for a <<emphasis>defined action</emphasis>>
|
||||||
|
will log all invocations of the action. For example:</para>
|
||||||
|
|
||||||
|
<programlisting>AllowFTP:info net dmz</programlisting>
|
||||||
|
|
||||||
|
<para>will log all net->dmz traffic that has not been handled by
|
||||||
|
earlier rules. That's probably not what you want. If you want to
|
||||||
|
log the FTP connections that are actually accepted, you need to log
|
||||||
|
within the action itself. One way to do that would be to copy
|
||||||
|
<filename>/usr/share/shorewall/action.AllowFTP</filename> to
|
||||||
|
<filename class="directory">/etc/shorewall</filename> and modify the
|
||||||
|
copy as follows:</para>
|
||||||
|
|
||||||
|
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
|
# PORT PORT(S) LIMIT GROUP
|
||||||
|
ACCEPT<emphasis role="bold">:info</emphasis> - - tcp 21
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
|
|
||||||
<para>The use of DNAT or REDIRECT requires that you have NAT enabled
|
<para>The use of DNAT or REDIRECT requires that you have NAT enabled
|
||||||
in your <ulink url="kernel.htm">kernel configuration</ulink>.</para>
|
in your <ulink url="kernel.htm">kernel configuration</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-07-10</pubdate>
|
<pubdate>2004-07-16</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
@ -329,6 +329,10 @@
|
|||||||
Firewall</ulink></para></listitem></itemizedlist></para>
|
Firewall</ulink></para></listitem></itemizedlist></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><ulink url="samba.htm">SMB</ulink></para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><ulink url="starting_and_stopping_shorewall.htm">Starting/stopping
|
<para><ulink url="starting_and_stopping_shorewall.htm">Starting/stopping
|
||||||
the Firewall</ulink><itemizedlist><listitem><para>Description of all
|
the Firewall</ulink><itemizedlist><listitem><para>Description of all
|
||||||
|
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-07-13</pubdate>
|
<pubdate>2004-07-16</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2003-2004</year>
|
<year>2003-2004</year>
|
||||||
@ -251,7 +251,7 @@ fi</command></programlisting>
|
|||||||
and add the following entry in <filename>/etc/shorewall/tcrules</filename>:</para>
|
and add the following entry in <filename>/etc/shorewall/tcrules</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT
|
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT
|
||||||
202 eth2 0.0.0.0 tcp 80</programlisting>
|
202 eth2 0.0.0.0/0 tcp 80</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -259,7 +259,7 @@ fi</command></programlisting>
|
|||||||
in <filename>/etc/shorewall/tcrules</filename>:</para>
|
in <filename>/etc/shorewall/tcrules</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT
|
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT
|
||||||
202:P eth2 0.0.0.0 tcp 80</programlisting>
|
202:P eth2 0.0.0.0/0 tcp 80</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-06-28</pubdate>
|
<pubdate>2004-07-15</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001 - 2004</year>
|
<year>2001 - 2004</year>
|
||||||
@ -42,7 +42,7 @@
|
|||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The packet is part of an established commection. The packet is
|
<para>The packet is part of an established connecection. The packet is
|
||||||
accepted and cannot be logged.</para>
|
accepted and cannot be logged.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -151,10 +151,6 @@
|
|||||||
<para>If you give, for example, kern.info it's own log
|
<para>If you give, for example, kern.info it's own log
|
||||||
destination then that destination will also receive all kernel
|
destination then that destination will also receive all kernel
|
||||||
messages of levels 5 (notice) through 0 (emerg).</para>
|
messages of levels 5 (notice) through 0 (emerg).</para>
|
||||||
|
|
||||||
<destructorsynopsis>
|
|
||||||
<void />
|
|
||||||
</destructorsynopsis>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
@ -48,6 +48,14 @@
|
|||||||
<para>These guides provide step-by-step instructions for configuring
|
<para>These guides provide step-by-step instructions for configuring
|
||||||
Shorewall in common firewall setups.</para>
|
Shorewall in common firewall setups.</para>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>If you already have a router.</title>
|
||||||
|
|
||||||
|
<para>If you already have a router on your premises and you simply want
|
||||||
|
to add a firewall between the router and your local system then you want
|
||||||
|
a <ulink url="quick_bridge.html">simple bridge configuration</ulink>.</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>If you have a <emphasis role="bold">single public IP address</emphasis></title>
|
<title>If you have a <emphasis role="bold">single public IP address</emphasis></title>
|
||||||
|
|
||||||
|
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-06-11</pubdate>
|
<pubdate>2004-07-15</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
@ -246,8 +246,8 @@ all all REJECT info</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>drop (ignore) all connection requests from the internet to your
|
<para>drop (ignore) all connection requests from the internet to your
|
||||||
firewall or local network and log a message at the info level (here is
|
firewall or local network and log a message at the info level (<ulink
|
||||||
a description of log levels).</para>
|
url="shorewall_logging.html">here is a description of log levels</ulink>).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|