Shorewall-2.0.6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1481 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Lrp2/usr/share/shorewall/action.Drop

@@ -8,6 +8,7 @@
 #                       	        	PORT    PORT(S)		LIMIT	GROUP
 RejectAuth
 dropBcast
+dropInvalid
 DropSMB
 DropUPnP
 dropNotSyn

Lrp2/usr/share/shorewall/action.Reject

@@ -8,6 +8,7 @@
 #                       	        	PORT    PORT(S)		LIMIT	GROUP
 RejectAuth
 dropBcast
+dropInvalid
 RejectSMB
 DropUPnP
 dropNotSyn

Lrp2/usr/share/shorewall/actions.std

@@ -10,6 +10,8 @@
 #    logNonSyn          #Log Non-syn TCP packets with disposition LOG
 #    dLogNonSyn         #Log Non-syn TCP packets with disposition DROP
 #    rLogNonSyn          #Log Non-syn TCP packets with disposition REJECT
+#    dropInvalid	#Silently Drop packets that are in the INVALID
+#                       #conntrack state.
 #
 # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
 # shorewall.conf. If that option isn't specified then 'info' is used.

Lrp2/usr/share/shorewall/firewall

@@ -670,15 +670,15 @@ determine_hosts() {
 		networks=0.0.0.0/0
 	    fi
 
-	    for networks in $networks; do
+	    for network in $networks; do
 		if [ -z "$hosts" ]; then
-		    hosts=$interface:$networks
+		    hosts=$interface:$network
 		else
-		    hosts="$hosts $interface:$networks"
+		    hosts="$hosts $interface:$network"
 		fi
 
 		if interface_has_option $interface routeback; then
-		    eval ${zone}_routeback=\"$interface:$networks \$${zone}_routeback\"
+		    eval ${zone}_routeback=\"$interface:$network \$${zone}_routeback\"
 		fi
 	    done
 	done
@@ -2790,7 +2790,7 @@ createactionchain() # $1 = chain name
 
 process_actions1() {
 	
-    ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn"
+    ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid"
     USEDACTIONS=
 
     strip_file actions
@@ -2908,6 +2908,13 @@ process_actions2() {
     log_action() {
 	[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
     }
+
+    drop_broadcasts() {
+	for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
+	    run_iptables -A dropBcast -d $address -j DROP
+	done
+    }
+
     #
     # Generate the transitive closure of $USEDACTIONS
     #
@@ -2933,14 +2940,16 @@ process_actions2() {
 	case $xaction in
 	    dropBcast)
 		if [ "$COMMAND" != check ]; then
-		    qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
+		    if [ -n "$PKTTYPE" ]; then
-		    if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
+			qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
-                        #
+			if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
-                        # No pkttype support -- do it the hard way
+			    #
-                        #
+			    # No pkttype support -- do it the hard way
-			for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
+			    #
-			    run_iptables -A dropBcast -d $address -j DROP
+			    drop_broadcasts
-			done
+			fi
+		    else
+			drop_broadcasts
 		    fi
 		fi
 		;;		
@@ -2964,6 +2973,9 @@ process_actions2() {
 	    dLogNotSyn)
 		log_action dLogNotSyn DROP		
 		;;
+	    dropInvalid)
+		[ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP
+		;;
 	    *)
 		f=action.$xaction
 		fn=$(find_file $f)
@@ -6053,6 +6065,7 @@ do_initialize() {
     DISABLE_IPV6=
     BRIDGING=
     DYNAMIC_ZONES=
+    PKTTYPE=
     RESTOREBASE=
     TMP_DIR=
 
@@ -6225,6 +6238,7 @@ do_initialize() {
     DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
     BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
     DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
+    PKTTYPE=$(added_param_value_yes PKTTYPE $PKTTYPE)
 
     #
     # Strip the files that we use often

Lrp2/usr/share/shorewall/version

@@ -1 +1 @@
-2.0.5
+2.0.6

Shorewall-docs2/Documentation.xml

@@ -1437,7 +1437,8 @@ DNAT      net       loc:192.168.1.3 tcp      ssh
               <listitem>
                 <para>(Shorewall 1.4.9 and later) - An action defined in the
                 <filename><ulink url="User_defined_Actions.html">/etc/shorewall/actions</ulink></filename>
-                file.</para>
+                or <filename>/usr/share/shorewall/actions.std</filename>
+                files.</para>
               </listitem>
             </varlistentry>
           </variablelist>
@@ -1461,6 +1462,24 @@ DNAT      net       loc:192.168.1.3 tcp      ssh
           Shorewall will issue a warning message and will truncate the prefix
           to 29 characters.</para>
 
+          <para>Specifying a log level for a &#60;<emphasis>defined action</emphasis>&#62;
+          will log all invocations of the action. For example:</para>
+
+          <programlisting>AllowFTP:info          net        dmz</programlisting>
+
+          <para>will log all net-&#62;dmz traffic that has not been handled by
+          earlier rules. That&#39;s probably not what you want. If you want to
+          log the FTP connections that are actually accepted, you need to log
+          within the action itself. One way to do that would be to copy
+          <filename>/usr/share/shorewall/action.AllowFTP</filename> to
+          <filename class="directory">/etc/shorewall</filename> and modify the
+          copy as follows:</para>
+
+          <programlisting>#TARGET       SOURCE         DEST            PROTO   DEST    SOURCE          RATE    USER/
+#                                                    PORT    PORT(S)         LIMIT   GROUP
+ACCEPT<emphasis role="bold">:info</emphasis>   -              -               tcp     21
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+
           <para>The use of DNAT or REDIRECT requires that you have NAT enabled
           in your <ulink url="kernel.htm">kernel configuration</ulink>.</para>
         </listitem>

Shorewall-docs2/Documentation_Index.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-10</pubdate>
+    <pubdate>2004-07-16</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -329,6 +329,10 @@
       Firewall</ulink></para></listitem></itemizedlist></para>
     </listitem>
 
+    <listitem>
+      <para><ulink url="samba.htm">SMB</ulink></para>
+    </listitem>
+
     <listitem>
       <para><ulink url="starting_and_stopping_shorewall.htm">Starting/stopping
       the Firewall</ulink><itemizedlist><listitem><para>Description of all

Shorewall-docs2/Shorewall_Squid_Usage.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-07-13</pubdate>
+    <pubdate>2004-07-16</pubdate>
 
     <copyright>
       <year>2003-2004</year>
@@ -251,7 +251,7 @@ fi</command></programlisting>
               and add the following entry in <filename>/etc/shorewall/tcrules</filename>:</para>
 
               <programlisting>#MARK   SOURCE   DESTINATION    PROTOCOL    PORT
-202     eth2     0.0.0.0        tcp         80</programlisting>
+202     eth2     0.0.0.0/0      tcp         80</programlisting>
             </listitem>
 
             <listitem>
@@ -259,7 +259,7 @@ fi</command></programlisting>
               in <filename>/etc/shorewall/tcrules</filename>:</para>
 
               <programlisting>#MARK   SOURCE   DESTINATION    PROTOCOL    PORT
-202:P   eth2     0.0.0.0        tcp         80</programlisting>
+202:P   eth2     0.0.0.0/0      tcp         80</programlisting>
             </listitem>
           </orderedlist>
         </listitem>

Shorewall-docs2/shorewall_logging.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-06-28</pubdate>
+    <pubdate>2004-07-15</pubdate>
 
     <copyright>
       <year>2001 - 2004</year>
@@ -42,7 +42,7 @@
 
     <orderedlist>
       <listitem>
-        <para>The packet is part of an established commection. The packet is
+        <para>The packet is part of an established connecection. The packet is
         accepted and cannot be logged.</para>
       </listitem>
 
@@ -151,10 +151,6 @@
           <para>If you give, for example, kern.info it&#39;s own log
           destination then that destination will also receive all kernel
           messages of levels 5 (notice) through 0 (emerg).</para>
-
-          <destructorsynopsis>
-            <void />
-          </destructorsynopsis>
         </listitem>
 
         <listitem>

Shorewall-docs2/shorewall_quickstart_guide.xml

@@ -48,6 +48,14 @@
     <para>These guides provide step-by-step instructions for configuring
     Shorewall in common firewall setups.</para>
 
+    <section>
+      <title>If you already have a router.</title>
+
+      <para>If you already have a router on your premises and you simply want
+      to add a firewall between the router and your local system then you want
+      a <ulink url="quick_bridge.html">simple bridge configuration</ulink>.</para>
+    </section>
+
     <section>
       <title>If you have a <emphasis role="bold">single public IP address</emphasis></title>
 

Shorewall-docs2/shorewall_setup_guide.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-06-11</pubdate>
+    <pubdate>2004-07-15</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -246,8 +246,8 @@ all              all                 REJECT     info</programlisting>
 
       <listitem>
         <para>drop (ignore) all connection requests from the internet to your
-        firewall or local network and log a message at the info level (here is
+        firewall or local network and log a message at the info level (<ulink
-        a description of log levels).</para>
+        url="shorewall_logging.html">here is a description of log levels</ulink>).</para>
       </listitem>
 
       <listitem>