Destination exclude list in masq file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1085 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-01-22 02:06:56 +00:00
parent c11a1f6b95
commit d362f734d9
6 changed files with 98 additions and 154 deletions


@ -92,7 +92,7 @@
# Otherwise, a separate rule will be generated for each # Otherwise, a separate rule will be generated for each
# port. # port.
# #
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, # SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma- # any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port # separated list of port names, port numbers or port
# ranges. # ranges.
@ -126,6 +126,6 @@
# place a similar limit in the TARGET column. # place a similar limit in the TARGET column.
# #
###################################################################################### ######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE #TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) DEST LIMIT # PORT PORT(S) LIMIT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
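Review bot: only the header line loses the ORIGINAL DEST column here; confirm that no description of ORIGINAL DEST remains in the column documentation above this header (the previous hunk shows the SOURCE PORT(S) description being renamed, but not whether an ORIGINAL DEST paragraph follows it), otherwise the comments will describe a column the header no longer has.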


@ -1,23 +1,4 @@
Changes since 1.4.8 Changes since 1.4.9
1) Replace "Static NAT" with "One-to-one NAT". 1) Implement destination list in masq file.
2) Change SMB common rules to DROP.
3) Change wording in release notes.
4) Move ip_forward handling to a function.
5) Change 'norfc1918' logging to log out of chains named 'rfc1918'.
6) Reword the description of NEWNOTSYN in shorewall.conf.
7) Added MODULE_SUFFIX option to shorewall.conf.
8) Add /etc/shorewall/actions and /etc/shorewall/action.template
9) Fix SNAT handling in DNAT rules.
10) Change default to NEWNOTSYN=Yes
11) Add rule to drop null source addressed ICMPs.
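Review bot: the new changelog entry "Implement destination list in masq file" omits the "!" exclusion form, which is the point of the commit ("Destination exclude list in masq file"); suggest wording it as "Implement destination list (optionally negated with a leading '!') in the INTERFACE column of the masq file" so the changelog matches the masq file comment and the release notes.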


@ -3735,7 +3735,7 @@ setup_masq()
case $fullinterface in case $fullinterface in
*:*:*) *:*:*)
# Both alias name and subnet # Both alias name and subnet
destnet="${fullinterface##*:}" destnets="${fullinterface##*:}"
fullinterface="${fullinterface%:*}" fullinterface="${fullinterface%:*}"
;; ;;
*:*) *:*)
@ -3743,17 +3743,17 @@ setup_masq()
case ${fullinterface#*:} in case ${fullinterface#*:} in
*.*) *.*)
# It's a subnet # It's a subnet
destnet="${fullinterface#*:}" destnets="${fullinterface#*:}"
fullinterface="${fullinterface%:*}" fullinterface="${fullinterface%:*}"
;; ;;
*) *)
#it's an alias name #it's an alias name
destnet="0.0.0.0/0" destnets="0.0.0.0/0"
;; ;;
esac esac
;; ;;
*) *)
destnet="0.0.0.0/0" destnets="0.0.0.0/0"
;; ;;
esac esac
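Review bot: the "*.*)" test that separates a destination list from an alias name predates this change and keys only on a dot in the text after the colon; now that the field may begin with "!", an entry such as "eth0:!somehost" (no dot) falls into the alias-name branch and silently becomes destnets="0.0.0.0/0" with the "!..." left in fullinterface. Consider matching "!*" alongside "*.*" so a negated list is always treated as a destination list, or rejecting it with fatal_error.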
@ -3770,7 +3770,6 @@ setup_masq()
subnet="${subnet%!*}" subnet="${subnet%!*}"
fi fi
chain=`masq_chain $interface`
source="$subnet" source="$subnet"
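Review bot: chain=`masq_chain $interface` is removed here and re-added after destination=$destnets in the next hunk; that is a pure move only if nothing between these two points (lines 3773 to 3799, not visible here) reads $chain, which is worth a quick check since the old code set it before the subnet handling.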
@ -3799,33 +3798,68 @@ setup_masq()
done done
fi fi
destination=$destnet destination=$destnets
if [ -n "$nomasq" ]; then chain=`masq_chain $interface`
newchain=masq${masq_seq}
createnatchain $newchain
if [ -n "$subnet" ]; then case $destnets in
for s in $subnet; do !*)
addnatrule $chain -d $destnet -s $s -j $newchain newchain=masq${masq_seq}
createnatchain $newchain
destnets=${destnets#!}
for destnet in $(separate_list $destnets); do
addnatrule $newchain -d $destnet -j RETURN
done done
else
addnatrule $chain -d $destnet -j $newchain
fi
masq_seq=$(($masq_seq + 1)) if [ -n "$subnet" ]; then
chain=$newchain for s in $subnet; do
subnet= addnatrule $chain -s $s -j $newchain
destnet= done
subnet=
else
addnatrule $chain -j $newchain
fi
for addr in `separate_list $nomasq`; do masq_seq=$(($masq_seq + 1))
addnatrule $chain -s $addr -j RETURN chain=$newchain
done destnets=0.0.0.0/0
source="$source except $nomasq" for addr in `separate_list $nomasq`; do
else addnatrule $chain -s $addr -j RETURN
destnet="-d $destnet" done
fi ;;
*)
if [ -n "$nomasq" ]; then
newchain=masq${masq_seq}
createnatchain $newchain
if [ -n "$subnet" ]; then
for s in $subnet; do
for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet -s $s -j $newchain
done
done
else
for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet -j $newchain
done
fi
masq_seq=$(($masq_seq + 1))
chain=$newchain
subnet=
destnets=0.0.0.0/0
for addr in `separate_list $nomasq`; do
addnatrule $chain -s $addr -j RETURN
done
source="$source except $nomasq"
fi
;;
esac
if [ -n "$addresses" ]; then if [ -n "$addresses" ]; then
temp= temp=
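Review bot: in the "!*)" branch, source="$source except $nomasq" is never set, so when SUBNET carries an exclusion the "To ... from $source through ..." messages for a negated destination list will not mention the excepted addresses, unlike the "*)" branch which does set it; wrap the nomasq RETURN loop in the same "if [ -n "$nomasq" ]" guard and append "except $nomasq" there as well. Two smaller points: destnets=${destnets#!} on a bare "!" leaves an empty list, in which case no RETURN rules are added and every destination is masqueraded, so an empty exclusion list should be a fatal_error rather than silently meaning "everything"; and the "!*)" branch always creates a new chain even when $nomasq is empty and there is only one subnet, which is correct but adds a chain the old code would not have needed. The rule ordering inside the new chain (destination RETURNs first, then the nomasq source RETURNs, then the SNAT/MASQUERADE rules added in the next hunk) is right.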
@ -3836,20 +3870,26 @@ setup_masq()
if [ -n "$subnet" ]; then if [ -n "$subnet" ]; then
for s in $subnet; do for s in $subnet; do
if [ -n "$addresses" ]; then for destnet in $(separate_list $destnets); do
addnatrule $chain -s $s $destnet -j SNAT $temp if [ -n "$addresses" ]; then
echo " To $destination from $s through ${interface} using $addresses" addnatrule $chain -s $s -d $destnet -j SNAT $temp
else echo " To $destination from $s through ${interface} using $addresses"
addnatrule $chain -s $s $destnet -j MASQUERADE else
echo " To $destination from $s through ${interface}" addnatrule $chain -s $s -d $destnet -j MASQUERADE
fi echo " To $destination from $s through ${interface}"
fi
done
done done
elif [ -n "$address" ]; then elif [ -n "$address" ]; then
addnatrule $chain $destnet -j SNAT $temp for destnet in $(separate_list $destnets); do
echo " To $destination from $source through ${interface} using $addresses" addnatrule $chain -d $destnet -j SNAT $temp
echo " To $destination from $source through ${interface} using $addresses"
done
else else
addnatrule $chain $destnet -j MASQUERADE for destnet in $(separate_list $destnets); do
echo " To $destination from $source through ${interface}" addnatrule $chain -d $destnet -j MASQUERADE
echo " To $destination from $source through ${interface}"
done
fi fi
} }
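Review bot: the "elif [ -n "$address" ]" test (unchanged context, but this hunk now loops inside it) checks a different variable from the "if [ -n "$addresses" ]" used in the subnet loop and from the $addresses printed in the echo two lines below; if $address is not set elsewhere in setup_masq, the SNAT branch is unreachable whenever SUBNET is empty and the connection falls through to MASQUERADE instead of using the configured address. Also, the "if [ -n "$addresses" ]" test now sits inside both the subnet and destnet loops; hoisting it outside would avoid re-evaluating it for every generated rule.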


@ -18,7 +18,12 @@
# PLACE IN YOUR SHOREWALL CONFIGURATION. # PLACE IN YOUR SHOREWALL CONFIGURATION.
# #
# This may be qualified by adding the character # This may be qualified by adding the character
# ":" followed by a destination host or subnet. # ":" followed by a comma-separed list of
# destination hosts or subnets. If this list begins with
# "!" then masquerading will occur if and only if the
# connection destination is NOT included in the list.
# Otherwise, the masquerading will occur if and only if
# the destination IS included in the list.
# #
# #
# SUBNET -- Subnet that you wish to masquerade. You can specify this as # SUBNET -- Subnet that you wish to masquerade. You can specify this as
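Review bot: typo in the new comment, "comma-separed" should be "comma-separated". It would also help to state the semantics in one line next to the syntax, e.g. "eth0:192.0.2.16/28 masquerades only connections to 192.0.2.16/28; eth0:!192.0.2.16/28 masquerades everything except connections to 192.0.2.16/28", since the "IS/NOT included" sentences are easy to misread.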


@ -1,24 +1,8 @@
This is a minor release of Shorewall. This is a minor release of Shorewall.
Problems Corrected since version 1.4.8: Problems Corrected since version 1.4.9:
1) There has been a low continuing level of confusion over the terms None.
"Source NAT" (SNAT) and "Static NAT". To avoid future confusion, all
instances of "Static NAT" have been replaced with "One-to-one NAT"
in the documentation and configuration files.
2) The description of NEWNOTSYN in shorewall.conf has been reworded for
clarity.
3) Wild-card rules (those involving "all" as SOURCE or DEST) will no
longer produce an error if they attempt to add a rule that would
override a NONE policy. The logic for expanding these wild-card
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
policy.
4) DNAT rules that also specified SNAT now work reliably. Previously,
there were cases where the SNAT specification was effectively
ignored.
Migration Issues: Migration Issues:
@ -26,79 +10,13 @@ None.
New Features: New Features:
1) The documentation has been completely rebased to Docbook XML. The 1) The INTERFACE column in the /etc/shorewall/masq file may now
documentation is now released as separate HTML and XML packages. specify a destination list.
2) To cut down on the number of "Why are these ports closed rather than Example:
stealthed?" questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
3) For easier identification, packets logged under the 'norfc1918' #INTERFACE SUBNET ADDRESS
interface option are now logged out of chains named eth0:192.0.2.3,192.0.2.16/28 eth1
'rfc1918'. Previously, such packets were logged under chains named
'logdrop'.
4) Distributors and developers seem to be regularly inventing new If the list begins with "!" then SNAT will occur only if the
naming conventions for kernel modules. To avoid the need to change destination IP address is NOT included in the list.
Shorewall code for each new convention, the MODULE_SUFFIX option has
been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
for module names in your particular distribution. If MODULE_SUFFIX
is not set in shorewall.conf, Shorewall will use the list "o gz ko
o.gz".
To see what suffix is used by your distribution:
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
All of the files listed should have the same suffix (extension). Set
MODULE_SUFFIX to that suffix.
Examples:
If all files end in ".kzo" then set MODULE_SUFFIX="kzo"
If all files end in ".kz.o" then set MODULE_SUFFIX="kz.o"
5) Support for user defined rule ACTIONS has been implemented through
two new files:
/etc/shorewall/actions - used to list the user-defined ACTIONS.
/etc/shorewall/action.template - For each user defined <action>, copy
this file to
/etc/shorewall/action.<action> and
add the appropriate rules for that
<action>.
Once an <action> has been defined, it may be used like any of the
builtin ACTIONS (ACCEPT, DROP, etc.) in /etc/shorewall/rules.
Example: You want an action that logs a packet at the 'info' level
and accepts the connection.
In /etc/shorewall/actions, you would add:
LogAndAccept
You would then copy /etc/shorewall/action.template to
/etc/shorewall/action.LogAndAccept and in that file, you would add the two
rules:
LOG:info
ACCEPT
6) The default value for NEWNOTSYN in shorewall.conf is now "Yes"
(non-syn TCP packets that are not part of an existing connection are
filtered according to the rules and policies rather than being
dropped). I have made this change for two reasons:
a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
any timeout during TCP session tear down results in the firewall
dropping all of the retries.
b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
lots of confusing messages when a connection got "stuck". While I
could have changed the default value of LOGNEWNOTSYN to suppress
logging, I dislike defaults that silently throw away packets.
7) The common.def file now contains an entry that silently drops ICMP
packets with a null source address. Ad Koster reported a case where
these were occuring frequently as a result of a broken system on his
external network.
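Review bot: the example shows only the inclusive form, while the sentence after it describes the "!" form that gives the commit its name; add a second example line such as "eth0:!192.0.2.3,192.0.2.16/28 eth1" so readers see where the "!" goes (before the first address, not before each one). The note says "SNAT will occur" whereas the masq file comment in this commit says "masquerading will occur"; pick one term, since in this file both MASQUERADE and SNAT rules are generated from the same column. It would also be worth one sentence on how a negated destination list combines with an "except" in the SUBNET column, as both are handled in the same code path.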


@ -46,7 +46,7 @@
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved 58.0.0.0/7 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved 71.0.0.0/8 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved 72.0.0.0/5 logdrop # Reserved
85.0.0.0/8 logdrop # Reserved 85.0.0.0/8 logdrop # Reserved
86.0.0.0/7 logdrop # Reserved 86.0.0.0/7 logdrop # Reserved
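Review bot: replacing 70.0.0.0/7 with 71.0.0.0/8 stops treating 70.0.0.0/8 as reserved, which changes what the "norfc1918" interface option logs and drops; this is unrelated to the masq feature and is not mentioned in changelog.txt or releasenotes.txt in this commit. Add an entry (presumably 70/8 was allocated by IANA in January 2004, which matches the commit date) so administrators know that sources in 70/8 are now accepted by firewalls using the rfc1918 file.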