diff --git a/Shorewall/action.template b/Shorewall/action.template
index b54419b65..2a4df614a 100644
--- a/Shorewall/action.template
+++ b/Shorewall/action.template
@@ -92,7 +92,7 @@
 # Otherwise, a separate rule will be generated for each
 # port.
 #
-# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
+# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
 # any source port is acceptable. Specified as a comma-
 # separated list of port names, port numbers or port
 # ranges.
@@ -126,6 +126,6 @@
 # place a similar limit in the TARGET column.
 #
 ######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
-# PORT PORT(S) DEST LIMIT
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE
+# PORT PORT(S) LIMIT
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 0e06751d8..7ca39c0e7 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,23 +1,4 @@
-Changes since 1.4.8
+Changes since 1.4.9
-1) Replace "Static NAT" with "One-to-one NAT".
+1) Implement destination list in masq file.
-2) Change SMB common rules to DROP.
-
-3) Change wording in release notes.
-
-4) Move ip_forward handling to a function.
-
-5) Change 'norfc1918' logging to log out of chains named 'rfc1918'.
-
-6) Reword the description of NEWNOTSYN in shorewall.conf.
-
-7) Added MODULE_SUFFIX option to shorewall.conf.
-
-8) Add /etc/shorewall/actions and /etc/shorewall/action.template
-
-9) Fix SNAT handling in DNAT rules.
-
-10) Change default to NEWNOTSYN=Yes
-
-11) Add rule to drop null source addressed ICMPs.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index f74af7606..c70c4f153 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -3735,7 +3735,7 @@ setup_masq()
 case $fullinterface in
 *:*:*) # Both alias name and subnet
- destnet="${fullinterface##*:}"
+ destnets="${fullinterface##*:}"
 fullinterface="${fullinterface%:*}"
 ;;
 *:*)
@@ -3743,17 +3743,17 @@ setup_masq()
 case ${fullinterface#*:} in
 *.*) # It's a subnet
- destnet="${fullinterface#*:}"
+ destnets="${fullinterface#*:}"
 fullinterface="${fullinterface%:*}"
 ;;
 *) #it's an alias name
- destnet="0.0.0.0/0"
+ destnets="0.0.0.0/0"
 ;;
 esac
 ;;
 *)
- destnet="0.0.0.0/0"
+ destnets="0.0.0.0/0"
 ;;
 esac
@@ -3770,7 +3770,6 @@ setup_masq()
 subnet="${subnet%!*}"
 fi
- chain=`masq_chain $interface`
 source="$subnet"
@@ -3799,33 +3798,68 @@ setup_masq()
 done
 fi
- destination=$destnet
+ destination=$destnets
- if [ -n "$nomasq" ]; then
- newchain=masq${masq_seq}
- createnatchain $newchain
+ chain=`masq_chain $interface`
- if [ -n "$subnet" ]; then
- for s in $subnet; do
- addnatrule $chain -d $destnet -s $s -j $newchain
+ case $destnets in
+ !*)
+ newchain=masq${masq_seq}
+ createnatchain $newchain
+ destnets=${destnets#!}
+
+ for destnet in $(separate_list $destnets); do
+ addnatrule $newchain -d $destnet -j RETURN
 done
- else
- addnatrule $chain -d $destnet -j $newchain
- fi
- masq_seq=$(($masq_seq + 1))
- chain=$newchain
- subnet=
- destnet=
+ if [ -n "$subnet" ]; then
+ for s in $subnet; do
+ addnatrule $chain -s $s -j $newchain
+ done
+ subnet=
+ else
+ addnatrule $chain -j $newchain
+ fi
- for addr in `separate_list $nomasq`; do
- addnatrule $chain -s $addr -j RETURN
- done
+ masq_seq=$(($masq_seq + 1))
+ chain=$newchain
+ destnets=0.0.0.0/0
- source="$source except $nomasq"
- else
- destnet="-d $destnet"
- fi
+ for addr in `separate_list $nomasq`; do
+ addnatrule $chain -s $addr -j RETURN
+ done
+ ;;
+ *)
+
+ if [ -n "$nomasq" ]; then
+ newchain=masq${masq_seq}
+ createnatchain $newchain
+
+ if [ -n "$subnet" ]; then
+ for s in $subnet; do
+ for destnet in $(separate_list $destnets); do
+ addnatrule $chain -d $destnet -s $s -j $newchain
+ done
+ done
+ else
+ for destnet in $(separate_list $destnets); do
+ addnatrule $chain -d $destnet -j $newchain
+ done
+ fi
+
+ masq_seq=$(($masq_seq + 1))
+ chain=$newchain
+ subnet=
+ destnets=0.0.0.0/0
+
+ for addr in `separate_list $nomasq`; do
+ addnatrule $chain -s $addr -j RETURN
+ done
+
+ source="$source except $nomasq"
+ fi
+ ;;
+ esac
 if [ -n "$addresses" ]; then
 temp=
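Review bot: The new `!*)` arm drops the source-exclusion summary that the `*)` arm keeps: both arms emit the `for addr in \`separate_list $nomasq\`` loop of `addnatrule $chain -s $addr -j RETURN` rules, but only the `*)` arm follows it with `source="$source except $nomasq"`, so the later `echo " To $destination from $source ..."` lines will not report the excluded addresses when the destination list is negated. Adding `[ -n "$nomasq" ] && source="$source except $nomasq"` after that loop in the `!*)` arm restores parity, which matters because that summary is what an operator reads to confirm which hosts bypass SNAT. Note also that `destination=$destnets` is captured before `destnets=${destnets#!}`, so the summary keeps the leading "!"; that looks intentional, but a one-line comment such as `# $destination keeps the "!" so the summary shows the list is negated` would make it clear. setup_masq begins and ends outside this hunk.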
@@ -3836,20 +3870,26 @@ setup_masq()
 if [ -n "$subnet" ]; then
 for s in $subnet; do
- if [ -n "$addresses" ]; then
- addnatrule $chain -s $s $destnet -j SNAT $temp
- echo " To $destination from $s through ${interface} using $addresses"
- else
- addnatrule $chain -s $s $destnet -j MASQUERADE
- echo " To $destination from $s through ${interface}"
- fi
+ for destnet in $(separate_list $destnets); do
+ if [ -n "$addresses" ]; then
+ addnatrule $chain -s $s -d $destnet -j SNAT $temp
+ echo " To $destination from $s through ${interface} using $addresses"
+ else
+ addnatrule $chain -s $s -d $destnet -j MASQUERADE
+ echo " To $destination from $s through ${interface}"
+ fi
+ done
 done
 elif [ -n "$address" ]; then
- addnatrule $chain $destnet -j SNAT $temp
- echo " To $destination from $source through ${interface} using $addresses"
+ for destnet in $(separate_list $destnets); do
+ addnatrule $chain -d $destnet -j SNAT $temp
+ echo " To $destination from $source through ${interface} using $addresses"
+ done
 else
- addnatrule $chain $destnet -j MASQUERADE
- echo " To $destination from $source through ${interface}"
+ for destnet in $(separate_list $destnets); do
+ addnatrule $chain -d $destnet -j MASQUERADE
+ echo " To $destination from $source through ${interface}"
+ done
 fi
 }
diff --git a/Shorewall/masq b/Shorewall/masq
index 2a1460afb..edffdce7d 100755
--- a/Shorewall/masq
+++ b/Shorewall/masq
@@ -18,7 +18,12 @@
 # PLACE IN YOUR SHOREWALL CONFIGURATION.
 #
 # This may be qualified by adding the character
-# ":" followed by a destination host or subnet.
+# ":" followed by a comma-separed list of
+# destination hosts or subnets. If this list begins with
+# "!" then masquerading will occur if and only if the
+# connection destination is NOT included in the list.
+# Otherwise, the masquerading will occur if and only if
+# the destination IS included in the list.
 #
 #
 # SUBNET -- Subnet that you wish to masquerade. You can specify this as
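Review bot: The summary `echo` lines were moved inside the new `for destnet in $(separate_list $destnets)` loops but still print `$destination` (the whole list), so in the plain case where `destnets` was not reset to `0.0.0.0/0` a list of N entries prints the same line N times while the rules emitted differ per entry. Either print the per-entry value so each line matches the rule it reports, e.g. `echo " To $destnet from $s through ${interface} using $addresses"` (and likewise in the other five echo lines), or move the echo back outside the loop. The unquoted `$(separate_list $destnets)` relies on word-splitting, which is consistent with the rest of this file but presumably means entries cannot contain whitespace. setup_masq's closing `}` is in the hunk but the function starts outside it.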
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 0ef99088c..4c9772fd7 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,24 +1,8 @@
 This is a minor release of Shorewall.
-Problems Corrected since version 1.4.8:
+Problems Corrected since version 1.4.9:
-1) There has been a low continuing level of confusion over the terms
- "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, all
- instances of "Static NAT" have been replaced with "One-to-one NAT"
- in the documentation and configuration files.
-
-2) The description of NEWNOTSYN in shorewall.conf has been reworded for
- clarity.
-
-3) Wild-card rules (those involving "all" as SOURCE or DEST) will no
- longer produce an error if they attempt to add a rule that would
- override a NONE policy. The logic for expanding these wild-card
- rules now simply skips those (SOURCE,DEST) pairs that have a NONE
- policy.
-
-4) DNAT rules that also specified SNAT now work reliably. Previously,
- there were cases where the SNAT specification was effectively
- ignored.
+None.
 Migration Issues:
@@ -26,79 +10,13 @@ None.
 New Features:
-1) The documentation has been completely rebased to Docbook XML. The
- documentation is now released as separate HTML and XML packages.
+1) The INTERFACE column in the /etc/shorewall/masq file may now
+ specify a destination list.
-2) To cut down on the number of "Why are these ports closed rather than
- stealthed?" questions, the SMB-related rules in
- /etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
+ Example:
-3) For easier identification, packets logged under the 'norfc1918'
- interface option are now logged out of chains named
- 'rfc1918'. Previously, such packets were logged under chains named
- 'logdrop'.
+ #INTERFACE SUBNET ADDRESS
+ eth0:192.0.2.3,192.0.2.16/28 eth1
-4) Distributors and developers seem to be regularly inventing new
- naming conventions for kernel modules. To avoid the need to change
- Shorewall code for each new convention, the MODULE_SUFFIX option has
- been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
- for module names in your particular distribution. If MODULE_SUFFIX
- is not set in shorewall.conf, Shorewall will use the list "o gz ko
- o.gz".
-
- To see what suffix is used by your distribution:
-
- ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-
- All of the files listed should have the same suffix (extension). Set
- MODULE_SUFFIX to that suffix.
-
- Examples:
-
- If all files end in ".kzo" then set MODULE_SUFFIX="kzo"
- If all files end in ".kz.o" then set MODULE_SUFFIX="kz.o"
-
-5) Support for user defined rule ACTIONS has been implemented through
- two new files:
-
- /etc/shorewall/actions - used to list the user-defined ACTIONS.
- /etc/shorewall/action.template - For each user defined , copy
- this file to
- /etc/shorewall/action. and
- add the appropriate rules for that
- .
- Once an has been defined, it may be used like any of the
- builtin ACTIONS (ACCEPT, DROP, etc.) in /etc/shorewall/rules.
-
- Example: You want an action that logs a packet at the 'info' level
- and accepts the connection.
-
- In /etc/shorewall/actions, you would add:
-
- LogAndAccept
-
- You would then copy /etc/shorewall/action.template to
- /etc/shorewall/action.LogAndAccept and in that file, you would add the two
- rules:
-
- LOG:info
- ACCEPT
-
-6) The default value for NEWNOTSYN in shorewall.conf is now "Yes"
- (non-syn TCP packets that are not part of an existing connection are
- filtered according to the rules and policies rather than being
- dropped). I have made this change for two reasons:
-
- a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
- any timeout during TCP session tear down results in the firewall
- dropping all of the retries.
-
- b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
- lots of confusing messages when a connection got "stuck". While I
- could have changed the default value of LOGNEWNOTSYN to suppress
- logging, I dislike defaults that silently throw away packets.
-
-7) The common.def file now contains an entry that silently drops ICMP
- packets with a null source address. Ad Koster reported a case where
- these were occuring frequently as a result of a broken system on his
- external network.
+ If the list begins with "!" then SNAT will occur only if the
+ destination IP address is NOT included in the list.
diff --git a/Shorewall/rfc1918 b/Shorewall/rfc1918
index 404e78cdf..ae9010d9c 100644
--- a/Shorewall/rfc1918
+++ b/Shorewall/rfc1918
@@ -46,7 +46,7 @@
 49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
 50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
 58.0.0.0/7 logdrop # Reserved
-70.0.0.0/7 logdrop # Reserved
+71.0.0.0/8 logdrop # Reserved
 72.0.0.0/5 logdrop # Reserved
 85.0.0.0/8 logdrop # Reserved
 86.0.0.0/7 logdrop # Reserved
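Review bot: Narrowing `70.0.0.0/7 logdrop` to `71.0.0.0/8 logdrop` silently stops logging and dropping 70.0.0.0/8 on interfaces with the norfc1918 option, yet the entry's comment still reads only `# Reserved` and neither the changelog.txt nor the releasenotes.txt hunks in this commit mention the change. Neighbouring entries record why and when they changed (`# JTC - Returned to IANA Mar 98`); the same here, e.g. `71.0.0.0/8 logdrop # Reserved - 70.0.0.0/8 removed <reason/date placeholder>`, plus a one-line changelog entry, would let operators who rely on this table know that a previously dropped /8 is now handed to the normal rules.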