extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-18 18:51:00 +01:00
Code Issues Packages Projects Releases Wiki Activity

Implement REDIRECT-

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@564 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-05-20 23:27:11 +00:00
parent 9aedaecf30
commit c15c93c7d1
4 changed files with 23 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Shorewall/changelog.txt
View File

@ -1,13 +1,4 @@
Changes since 1.4.2 Changes since 1.4.3a
1. The 'add' and 'delete' commands no longer leave behind a temporary 1. Implement REDIRECT-.
directory in /tmp.
2. Added support for 6to4 tunnels.
3. Added $LOGMARKER for fireparse support
4. Return more appropriate ICMP responses if the systems supports them.
5. Silently drop UDP 135 in common.def.

13
Shorewall/firewall
View File

@ -2123,6 +2123,17 @@ process_rule() # $1 = target
servers="$FW::$servers" servers="$FW::$servers"
fi fi
;; ;;
REDIRECT-)
target=ACCEPT
logtarget=REDIRECT
dnat_only=Yes
address=${address:=all}
if [ "x-" = "x$servers" ]; then
servers=$FW
else
servers="$FW::$servers"
fi
;;
esac esac
# Parse and validate source # Parse and validate source
@ -2263,7 +2274,7 @@ process_rules() # $1 = name of rules file
while read xtarget xclients xservers xprotocol xports xcports xaddress; do while read xtarget xclients xservers xprotocol xports xcports xaddress; do
case "${xtarget%:*}" in case "${xtarget%:*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT|DNAT-|REDIRECT|LOG|CONTINUE) ACCEPT|DROP|REJECT|DNAT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE)
expandv xclients xservers xprotocol xports xcports xaddress expandv xclients xservers xprotocol xports xcports xaddress
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then

34
Shorewall/releasenotes.txt
View File

@ -2,36 +2,10 @@ This is a minor release of Shorewall.
Problems Corrected: Problems Corrected:
1) There were several cases where Shorewall would fail to remove a
temporary directory from /tmp. These cases have been corrected.
2) The rules for allowing all traffic via the loopback interface have
been moved to before the rule that drops status=INVALID
packets. This insures that all loopback traffic is allowed even if
Netfilter connection tracking is confused.
New Features: New Features:
1) IPV6-IPV4 (6to4) tunnels are now supported in the 1) A REDIRECT- rule target has been added. This target behaves for
/etc/shorewall/tunnels file. REDIRECT in the same was as DNAT- does for DNAT in that the
Netfilter nat table REDIRECT rule is added but not the companion
filter table ACCEPT rule.
2) Shorewall can now be easily integrated with fireparse
(http://www.fireparse.com) by setting LOGMARKER="fp=" in
/etc/shorewall/shorewall.conf. Note: You may not use ULOG
with fireparse unless you modify fireparse.
3) If you are running iptables 1.2.7a and kernel 2.4.20, then
Shorewall will return reject replies as follows:
a) tcp - RST
b) udp - ICMP port unreachable
c) icmp - ICMP host unreachable
d) Otherwise - ICMP host prohibited
If you are running earlier software, Shorewall will follow it's
traditional convention:
a) tcp - RST
b) Otherwise - ICMP port unreachable
4) UDP Port 135 is now silently dropped in the common.def chain.

5
Shorewall/rules
View File

@ -31,6 +31,11 @@
# the companion ACCEPT rule. # the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local # REDIRECT -- Redirect the request to a local
# port on the firewall. # port on the firewall.
# REDIRECT-
# -- Advanced users only.
# Like REDIRET but only generates the
# REDIRECT iptables rule and not
# the companion ACCEPT rule.
# CONTINUE -- (For experts only). Do not process # CONTINUE -- (For experts only). Do not process
# any of the following rules for this # any of the following rules for this
# (source zone,destination zone). If # (source zone,destination zone). If