From cd555022bfd7525401b016837dee9b1d01b9f174 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 22 Oct 2002 18:07:52 +0000
Subject: [PATCH] Add MAC verification
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@306 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/fallback.sh | 2 +
 Shorewall/firewall | 104 ++++++++++++++++++++++++++++++++++++++-
 Shorewall/install.sh | 9 ++++
 Shorewall/interfaces | 5 ++
 Shorewall/shorewall.conf | 21 ++++++++
 Shorewall/shorewall.spec | 3 ++
 6 files changed, 143 insertions(+), 1 deletion(-)
diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh
index 75f123606..76fa4491f 100755
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@@ -101,6 +101,8 @@ restore_file /etc/shorewall/proxyarp
 restore_file /etc/shorewall/routestopped
+restore_file /etc/shorewall/maclist
+
 restore_file /etc/shorewall/masq
 restore_file /etc/shorewall/modules
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 804b3c191..39b60af8d 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -511,7 +511,7 @@ validate_interfaces_file() {
 case $option in
 dhcp|noping|filterping|routestopped|norfc1918|multi)
 ;;
- routefilter|dropunclean|logunclean|blacklist|proxyarp|-)
+ routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
 ;;
 *)
 error_message "Warning: Invalid option ($option) in record \"$r\""
@@ -925,6 +925,30 @@ find_broadcasts() {
 done < $TMP_DIR/interfaces
 }
+################################################################################
+# Find interface broadcast addresses #
+################################################################################
+find_interface_broadcasts() # $1 = Interface name
+{
+ while read z interface bcast options; do
+ expandv interface bcast
+ if [ "$interface" = "$1" ]; then
+ if [ "x$bcast" = "xdetect" ]; then
+ addr="`ip addr show $interface 2> /dev/null`"
+ if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
+ addr="`echo "$addr" | \
+ grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`"
+ echo $addr | cut -d' ' -f 1
+ fi
+ elif [ "x${bcast}" != "x-" ]; then
+ echo `separate_list $bcast`
+ fi
+
+ return
+ fi
+ done < $TMP_DIR/interfaces
+}
+
 ################################################################################
 # Find interface address--returns the first IP address assigned to the passed #
 # device #
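Review bot: With `detect`, only the first broadcast address is returned: the unquoted `echo $addr` collapses the multi-line sed output onto one line and `cut -d' ' -f 1` keeps just the first field, so an interface carrying several addresses has only one of its directed broadcasts emitted here, and the own-broadcast exemption that setup_mac_lists builds from this list misses the others. Quoting the echo keeps one address per line and lets cut act on each: `echo "$addr" | cut -d' ' -f 1`. The `z` and `options` fields read from the interfaces record are unused, which is fine for field alignment but deserves a comment such as `# z (zone) and options are read only to keep the fields aligned`.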
@@ -1276,6 +1300,57 @@ setup_proxy_arp() {
 done
 }
+###############################################################################
+# Set up MAC List Chains #
+###############################################################################
+setup_mac_lists() {
+
+ for interface in $maclist_interfaces; do
+ createchain ${interface}_mac no
+ done
+
+ strip_file maclist
+
+ while read interface mac address; do
+ chain=${interface}_mac
+
+ if ! havechain $chain ; then
+ error_message "Warning: $interface does not have the maclist option specified"
+ continue
+ fi
+
+ [ -n "$address" ] && addr_match="-s $address" || addr_match=
+
+ run_iptables -A ${interface}_mac `mac_match $mac` $addr_match -j RETURN
+ done < $TMP_DIR/maclist
+
+ if [ -n "$MACLIST_LOG_LEVEL" ]; then
+ logpart="-j LOG $LOGPARMS --log-level $MACLIST_LOG_LEVEL --log-prefix"
+ else
+ logpart=
+ fi
+
+ for interface in $maclist_interfaces; do
+ chain=${interface}_mac
+ #
+ # Must take care of our own broadcasts
+ #
+ source="-s `find_interface_address $interface`"
+
+ for address in `find_interface_broadcasts $interface` 255.255.255.255 ; do
+ run_iptables -A $chain $source -d $address -j RETURN
+ done
+
+ [ -n "$logpart" ] && \
+ run_iptables -A $chain $logpart "Shorewall:$chain:$MACLIST_DISPOSITION:"
+
+ run_iptables -A $chain -j $maclist_target
+
+ run_iptables -A `input_chain $interface` -m state --state NEW -j $chain
+ run_iptables -A `forward_chain $interface` -m state --state NEW -j $chain
+ done
+}
+
 ###############################################################################
 # Set up SYN flood protection #
 ###############################################################################
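Review bot: With MACLIST_DISPOSITION=ACCEPT the closing `run_iptables -A $chain -j $maclist_target` is a terminating ACCEPT inside a chain entered from the interface's input and forward chains, so a NEW connection from a device that is not in maclist is accepted outright and never reaches the rules the rules file appends to those chains afterwards, while a listed device's connection RETURNs into normal policy; the unlisted device ends up with more access than the listed one. If ACCEPT is meant as "log the mismatch and carry on", the chain should end in RETURN for that setting (in do_initialize: `DROP) maclist_target=DROP ;;` and `ACCEPT) maclist_target=RETURN ;;`), and if the bypass is intended shorewall.conf must say so. Separately, the LOG prefix `Shorewall:$chain:$MACLIST_DISPOSITION:` exceeds iptables' 29-character --log-prefix limit once the interface name is 8 characters or longer (`Shorewall:eth0.100_mac:REJECT:` is 30), which I expect makes the LOG rule fail on such interfaces, so the prefix needs shortening or truncating. `source` is also built from find_interface_address without checking that it returned anything, so an interface with no address yields a bare `-s` argument.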
@@ -3335,6 +3410,13 @@ define_firewall() # $1 = Command (Start or Restart)
 [ -f $tunnels ] && \
 echo "Processing $tunnels..." && setup_tunnels $tunnels
+ maclist_interfaces=`find_interfaces_by_option maclist`
+
+ if [ -n "$maclist_interfaces" ] ; then
+ echo "Setting up MAC Verification on $maclist_interfaces..."
+ setup_mac_lists
+ fi
+
 rules=`find_file rules`
 echo "Processing $rules..."
@@ -3882,6 +3964,8 @@ do_initialize() {
 NEWNOTSYN=
 LOGNEWNOTSYN=
 FORWARDPING=
+ MACLIST_DISPOSITION=
+ MACLIST_LOG_LEVEL=
 stopping=
 have_mutex=
 masq_seq=1
@@ -3961,6 +4045,24 @@ do_initialize() {
 MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
 FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
 NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
+
+ maclist_target=reject
+
+ if [ -n "$MACLIST_DISPOSITION" ] ; then
+ case $MACLIST_DISPOSITION in
+ REJECT)
+ ;;
+ ACCEPT|DROP)
+ maclist_target=$MACLIST_DISPOSITION
+ ;;
+ *)
+ startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
+ ;;
+ esac
+ else
+ MACLIST_DISPOSITION=REJECT
+ fi
+
 }
 ################################################################################
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index 615d82adf..b14387446 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -382,6 +382,15 @@ else
 echo -e "\nStopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
 fi
 #
+# Install the Mac List file
+#
+if [ -f ${PREFIX}/etc/shorewall/maclist ]; then
+ backup_file /etc/shorewall/maclist
+else
+ run_install -o $OWNER -g $GROUP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
+ echo -e "\nMAC list file installed as ${PREFIX}/etc/shorewall/maclist"
+fi
+#
 # Install the Masq file
 #
 if [ -f ${PREFIX}/etc/shorewall/masq ]; then
diff --git a/Shorewall/interfaces b/Shorewall/interfaces
index eb20f46cd..afef9b4f0 100644
--- a/Shorewall/interfaces
+++ b/Shorewall/interfaces
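Review bot: The new call path depends on every maclist interface being up and addressed (the interfaces file text says as much), but nothing here verifies it before `setup_mac_lists` runs: that function builds `-s \`find_interface_address $interface\`` per interface, so an interface with no address presumably produces a bare `-s`, and whether that surfaces as a clear startup error or a partially built chain depends on run_iptables, which is outside this hunk. Fail early with a named cause instead, e.g. just before the call: `for interface in $maclist_interfaces; do [ -n "\`find_interface_address $interface\`" ] || startup_error "maclist interface $interface has no IP address"; done`. Handing `$maclist_interfaces` to setup_mac_lists through a global rather than an argument matches the file's existing style, but a comment such as `# consumed by setup_mac_lists` above the assignment would make the coupling visible. define_firewall continues outside the hunk.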
@@ -81,6 +81,11 @@
 # . . blacklist - Check packets arriving on this interface
 # against the /etc/shorewall/blacklist
 # file.
+# maclist - Connection requests from this interface
+# are compared against the contents of
+# /etc/shorewall/maclist. If this option
+# is specified, the interface must be
+# up before Shorewall is started.
 # proxyarp -
 # Sets
 # /proc/sys/net/ipv4/conf//proxy_arp.
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index b6ffe4941..ba0fdb069 100755
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@@ -383,4 +383,25 @@ FORWARDPING=Yes
 NEWNOTSYN=No
+#
+# MAC List Disposition
+#
+# This variable determines the disposition of connection requests arriving
+# on interfaces that have the 'maclist' option and that are from a device
+# that is not listed for that interface in /etc/shorewall/maclist. Valid
+# values are ACCEPT, DROP and REJECT. If not specified or specified as
+# empty (MACLIST_DISPOSITION="") then REJECT is assumed
+
+MACLIST_DISPOSITION=REJECT
+
+#
+# MAC List Log Level
+#
+# Specifies the logging level for connection requests that fail MAC
+# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
+# such connection requests will not be logged.
+#
+
+MACLIST_LOG_LEVEL=info
+
 #LAST LINE -- DO NOT REMOVE
diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec
index bc9222cfd..b60bae197 100644
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -85,6 +85,7 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/params
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/maclist
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/masq
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/modules
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules
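Review bot: The new MACLIST_DISPOSITION commentary in shorewall.conf should state what MAC verification can and cannot do: the MAC matched is whatever the sending host puts in the frame, so any device on the segment can impersonate a listed one, and maclist is a convenience filter rather than authentication. It should also pin down where the check applies, which the firewall hunk shows (NEW connection requests arriving on a maclist interface, in both the input and forward paths), since "connection requests" alone leaves that open. Suggested addition after the valid-values sentence: `# Note: a MAC address is supplied by the sending host and is easily forged;` / `# maclist limits which devices are expected to use the interface, it does` / `# not authenticate them. The check applies to NEW connections only.`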
@@ -100,6 +101,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
+* Tue Oct 22 2002 Tom Eastep
+- Added maclist file
 * Tue Oct 15 2002 Tom Eastep
 - Changed version to 1.3.10
 - Replaced symlink with real file