From da7516d40129bbaea0fdd08ef71aa2a853fb2df4 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 6 Nov 2011 12:05:07 -0800 Subject: [PATCH] Update config files and manpages for BLACKLISTSECTION Signed-off-by: Tom Eastep --- Samples/Universal/shorewall.conf | 2 ++ Samples/one-interface/shorewall.conf | 2 ++ Samples/three-interfaces/shorewall.conf | 2 ++ Samples/two-interfaces/shorewall.conf | 2 ++ Samples6/Universal/rules | 1 - Samples6/Universal/shorewall6.conf | 2 ++ Samples6/one-interface/rules | 1 - Samples6/one-interface/shorewall6.conf | 2 ++ Samples6/three-interfaces/rules | 1 - Samples6/three-interfaces/shorewall6.conf | 2 ++ Samples6/two-interfaces/rules | 1 - Samples6/two-interfaces/shorewall6.conf | 2 ++ Shorewall/Perl/Shorewall/Rules.pm | 13 ++++++++++--- Shorewall/configfiles/blrules | 12 ++++++++++++ Shorewall/configfiles/shorewall.conf | 2 ++ Shorewall/install.sh | 10 ++++++++++ Shorewall6/configfiles/blrules | 11 +++++++++++ Shorewall6/configfiles/shorewall6.conf | 2 ++ Shorewall6/install.sh | 10 ++++++++++ manpages/shorewall-blrules.xml | 20 ++++++++++---------- manpages6/shorewall6-blrules.xml | 2 +- 21 files changed, 84 insertions(+), 18 deletions(-) create mode 100644 Shorewall/configfiles/blrules create mode 100644 Shorewall6/configfiles/blrules
diff --git a/Samples/Universal/shorewall.conf b/Samples/Universal/shorewall.conf
index 437f76d28..44093dbee 100644
--- a/Samples/Universal/shorewall.conf
+++ b/Samples/Universal/shorewall.conf
@@ -110,6 +110,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
 CLAMPMSS=No
 CLEAR_TC=Yes
diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf
index 25baa6d0a..b42faf0bb 100644
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -121,6 +121,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
 CLAMPMSS=No
 CLEAR_TC=Yes
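Review bot: `BLACKLISTSECTION=No` is added to every shorewall.conf and shorewall6.conf in this commit (here, the other Samples and Samples6 hunks, and the Shorewall/configfiles and Shorewall6/configfiles hunks), but the diffstat lists no change to the shorewall.conf(5) or shorewall6.conf(5) manpage source, so an administrator who finds the new line has nothing that says what it gates or what `Yes` would do. That text may arrive in a separate commit, but the sample files are what most users copy, and a setting with no entry in the conf manpage tends to stay at its shipped value unread. From the Rules.pm hunk the option appears to decide whether WHITELIST is accepted in a BLACKLIST section of the rules file or only in blrules; a sentence to that effect in shorewall.conf(5) would close the gap.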
diff --git a/Samples/three-interfaces/shorewall.conf b/Samples/three-interfaces/shorewall.conf
index 101c5b4aa..d89ab47cc 100644
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -119,6 +119,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
 CLAMPMSS=Yes
 CLEAR_TC=Yes
diff --git a/Samples/two-interfaces/shorewall.conf b/Samples/two-interfaces/shorewall.conf
index 6d85ed6ad..545a32e2c 100644
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -122,6 +122,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
 CLAMPMSS=Yes
 CLEAR_TC=Yes
diff --git a/Samples6/Universal/rules b/Samples6/Universal/rules
index 2967c1dcf..5ae7cfbad 100644
--- a/Samples6/Universal/rules
+++ b/Samples6/Universal/rules
@@ -9,7 +9,6 @@
 ###########################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
 # PORT PORT(S) DEST LIMIT GROUP
-#SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
diff --git a/Samples6/Universal/shorewall6.conf b/Samples6/Universal/shorewall6.conf
index a56f46e06..45de42211 100644
--- a/Samples6/Universal/shorewall6.conf
+++ b/Samples6/Universal/shorewall6.conf
@@ -105,6 +105,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
 CLAMPMSS=No
 CLEAR_TC=Yes
diff --git a/Samples6/one-interface/rules b/Samples6/one-interface/rules
index 0a391516b..e051f8e01 100644
--- a/Samples6/one-interface/rules
+++ b/Samples6/one-interface/rules
@@ -13,7 +13,6 @@
 ###########################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
 # PORT PORT(S) DEST LIMIT GROUP
-#SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
diff --git a/Samples6/one-interface/shorewall6.conf b/Samples6/one-interface/shorewall6.conf
index 23b4577e3..de7bb7be2 100644
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -105,6 +105,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
 CLAMPMSS=No
 CLEAR_TC=Yes
diff --git a/Samples6/three-interfaces/rules b/Samples6/three-interfaces/rules
index 9f8c2772f..a8a8d2979 100644
--- a/Samples6/three-interfaces/rules
+++ b/Samples6/three-interfaces/rules
@@ -13,7 +13,6 @@
 ###########################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
 # PORT PORT(S) DEST LIMIT GROUP
-#SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
diff --git a/Samples6/three-interfaces/shorewall6.conf b/Samples6/three-interfaces/shorewall6.conf
index 3b038757f..3c0394aac 100644
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -105,6 +105,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
 CLAMPMSS=No
 CLEAR_TC=Yes
diff --git a/Samples6/two-interfaces/rules b/Samples6/two-interfaces/rules
index 0a13822da..2e95245eb 100644
--- a/Samples6/two-interfaces/rules
+++ b/Samples6/two-interfaces/rules
@@ -13,7 +13,6 @@
 ###########################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
 # PORT PORT(S) DEST LIMIT GROUP
-#SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
diff --git a/Samples6/two-interfaces/shorewall6.conf b/Samples6/two-interfaces/shorewall6.conf
index f51ec661d..a2f1d5800 100644
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -105,6 +105,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
 CLAMPMSS=No
 CLEAR_TC=Yes
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 75a8110db..ab538e3f7 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1795,8 +1795,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 $bt =~ s/[-+!]$//;
- my %functions = (ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
- REDIRECT => sub () {
+ my %functions = ( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
+
+ REDIRECT => sub () {
 my $z = $actiontype & NATONLY ? '' : firewall_zone;
 if ( $dest eq '-' ) {
 $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
@@ -1806,8 +1807,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
 }
 } ,
+
 REJECT => sub { $action = 'reject'; } ,
+
 CONTINUE => sub { $action = 'RETURN'; } ,
+
 WHITELIST => sub {
 unless ( $blacklist ) {
 if ( $config{BLACKLISTSECTION} ) {
@@ -1817,8 +1821,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 }
 }
- $action = 'RETURN'; } ,
+ $action = 'RETURN';
+ } ,
+
 COUNT => sub { $action = ''; } ,
+
 LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
 );
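Review bot: `ACCEPT => sub() { $action = 'RETURN' if $blacklist; }` in the rebuilt `%functions` table means that, whenever `$blacklist` is set, an ACCEPT entry is compiled to a RETURN rather than an accept, which is exactly what the WHITELIST handler later produces with its own `$action = 'RETURN';`; the hunk does not say why the two are meant to coincide, and a blrules author is likely to expect ACCEPT to end processing of the packet. A one-line comment on that entry, `# blacklist context: ACCEPT only RETURNs from the blacklist chain, it does not accept the packet`, would make the intent explicit; presumably the point is that the regular rules still see the packet afterwards, but that follows from code outside this hunk. The `fatal_error` branches of the WHITELIST guard sit in the gap between the second and third hunks, so whether every non-blacklist use is rejected cannot be confirmed from here. `process_rule1` starts before the first hunk and continues past the last.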
diff --git a/Shorewall/configfiles/blrules b/Shorewall/configfiles/blrules
new file mode 100644
index 000000000..da2576927
--- /dev/null
+++ b/Shorewall/configfiles/blrules
@@ -0,0 +1,12 @@
+#
+# Shorewall version 5 - Blacklist Rules File
+#
+# For information about entries in this file, type "man shorewall-blrules"
+#
+# Please see http://shorewall.net/blacklisting_support.htm for additional
+# information.
+#
+######################################################################################################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
+# PORT PORT(S) DEST LIMIT GROUP
+
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index 8ff338023..6d624693d 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -110,6 +110,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
 CLAMPMSS=No
 CLEAR_TC=Yes
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index dc9db04a4..c87220ec4 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -616,6 +616,16 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/blacklist ]; then
 echo "Blacklist file installed as ${DESTDIR}/etc/shorewall/blacklist"
 fi
 #
+# Install the blacklist rules file
+#
+run_install $OWNERSHIP -m 0644 configfiles/blrules ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/blrules.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/blrules ]; then
+ run_install $OWNERSHIP -m 0600 configfiles/blrules${suffix} ${DESTDIR}/etc/shorewall/blrules
+ echo "Blacklist rules file installed as ${DESTDIR}/etc/shorewall/blrules"
+fi
+#
 # Install the findgw file
 #
 run_install $OWNERSHIP -m 0644 configfiles/findgw ${DESTDIR}/usr/share/shorewall/configfiles
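Review bot: The header of this new template and of its Shorewall6 twin disagree: `# Shorewall version 5 - Blacklist Rules File` here against `# Shorewall6 version 4 - Blacklist File` in Shorewall6/configfiles/blrules, and with the commit dated 2011 the "version 5" reads like a slip; the two files should carry the same release and the same title. Neither header tells an administrator that order matters, even though the shorewall-blrules manpage hunk in this commit describes WHITELIST as exempting a source from "the remaining rules in the file". A line above the column header such as `# Entries are processed in order; a WHITELIST entry exempts matching packets only from the entries that follow it` would put that ordering rule in the file administrators actually edit, where a WHITELIST placed after the entry it was meant to override would, on that description, have no effect.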
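Review bot: `run_install $OWNERSHIP -m 0644 configfiles/blrules.annotated ...` installs a file this commit does not add (the diffstat creates only `Shorewall/configfiles/blrules`), so unless the `.annotated` variant is generated before install.sh runs this line fails, and so does the `configfiles/blrules${suffix}` copy into /etc whenever `${suffix}` selects it; `${suffix}` is set outside the hunk, so I cannot tell from here. The same two references appear in the Shorewall6/install.sh hunk. If the file is produced by the build, a comment above the line, `# blrules.annotated is generated at build time, not checked in`, would spare the next reader the same question. The IPv6 script reports `Blrules file installed` where this one reports `Blacklist rules file installed`; the two messages should match.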
diff --git a/Shorewall6/configfiles/blrules b/Shorewall6/configfiles/blrules
new file mode 100644
index 000000000..cf3850aeb
--- /dev/null
+++ b/Shorewall6/configfiles/blrules
@@ -0,0 +1,11 @@
+#
+# Shorewall6 version 4 - Blacklist File
+#
+# For information about entries in this file, type "man shorewall6-blrules"
+#
+# Please see http://shorewall.net/blacklisting_support.htm for additional
+# information.
+#
+###########################################################################################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
+# PORT PORT(S) DEST LIMIT GROUP
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index 3b7314959..0d4966fb4 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -105,6 +105,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
 CLAMPMSS=No
 CLEAR_TC=No
diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh
index 983a24cc7..394c83b62 100755
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -586,6 +586,16 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/blacklist ]; then
 echo "Blacklist file installed as ${DESTDIR}/etc/shorewall6/blacklist"
 fi
 #
+# Install the blacklist rules file
+#
+run_install $OWNERSHIP -m 0644 blrules ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 blrules.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/blrules ]; then
+ run_install $OWNERSHIP -m 0600 blrules${suffix} ${DESTDIR}/etc/shorewall6/blrules
+ echo "Blrules file installed as ${DESTDIR}/etc/shorewall6/blrules"
+fi
+#
 # Install the Providers file
 #
 run_install $OWNERSHIP -m 0644 providers ${DESTDIR}/usr/share/shorewall6/configfiles/
diff --git a/manpages/shorewall-blrules.xml b/manpages/shorewall-blrules.xml
index 151f1dd6a..aae27ac33 100644
--- a/manpages/shorewall-blrules.xml
+++ b/manpages/shorewall-blrules.xml
@@ -16,7 +16,7 @@
- /etc/shorewall6/blrules
+ /etc/shorewall/blrules
@@ -154,7 +154,7 @@ the rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries. The comment will appear delimited by "/* ... */" in the output of
- "shorewall6 show <chain>". To stop the comment from
+ "shorewall show <chain>". To stop the comment from
 being attached to further rules, simply include COMMENT on a line by itself.
@@ -167,7 +167,7 @@ The name of an action declared in shorewall-actions(5) or
- in /usr/share/shorewall6/actions.std.
+ in /usr/share/shorewall/actions.std.
@@ -199,7 +199,7 @@ If the ACTION names an action declared in shorewall-actions(5) or in
- /usr/share/shorewall6/actions.std then:
+ /usr/share/shorewall/actions.std then:
@@ -234,7 +234,7 @@ For the remaining columns, see shorewall6-rules (5).
+ url="shorewall-rules.html">shorewall-rules (5).
@@ -245,9 +245,9 @@ Example 1:
- Disallow SMTP from the local zone to the net zone.
+ Drop Teredo packets from the net.
- DROP loc net tcp 25
+ DROP net:[2001::/32] all
@@ -255,10 +255,10 @@ Example 2:
- Don't subject packets from 192.0.2.0/24 to the remaining rules
- in the file.
+ Don't subject packets from 2001:DB8::/64 to the remaining
+ rules in the file.
- WHITELIST net:192.0.2.0/24 all
+ WHITELIST net:[2001:DB8::/64] all
diff --git a/manpages6/shorewall6-blrules.xml b/manpages6/shorewall6-blrules.xml
index b7ba4583b..c61c3cd24 100644
--- a/manpages6/shorewall6-blrules.xml
+++ b/manpages6/shorewall6-blrules.xml
@@ -29,7 +29,7 @@ Rules in this file are applied depending on the setting of BLACKLISTNEWONLY in shorewall6.conf(5). If
+ url="shorewall.conf.html">shorewall6.conf(5). If
 BLACKLISTNEWONLY=No, then they are applied regardless of the connection tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to connections in the NEW and INVALID states.