Update config files and manpages for BLACKLISTSECTION

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-11-06 12:05:07 -08:00
parent b0103a51d5
commit da7516d401
21 changed files with 84 additions and 18 deletions


@ -110,6 +110,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=No
CLEAR_TC=Yes


@ -121,6 +121,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=No
CLEAR_TC=Yes


@ -119,6 +119,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=Yes
CLEAR_TC=Yes


@ -122,6 +122,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=Yes
CLEAR_TC=Yes


@ -9,7 +9,6 @@
###########################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
#SECTION BLACKLIST
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED


@ -105,6 +105,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=No
CLEAR_TC=Yes


@ -13,7 +13,6 @@
###########################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
#SECTION BLACKLIST
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED


@ -105,6 +105,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=No
CLEAR_TC=Yes


@ -13,7 +13,6 @@
###########################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
#SECTION BLACKLIST
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED


@ -105,6 +105,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=No
CLEAR_TC=Yes


@ -13,7 +13,6 @@
###########################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
#SECTION BLACKLIST
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED


@ -105,6 +105,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=No
CLEAR_TC=Yes


@ -1796,6 +1796,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
$bt =~ s/[-+!]$//;
my %functions = ( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
REDIRECT => sub () {
my $z = $actiontype & NATONLY ? '' : firewall_zone;
if ( $dest eq '-' ) {
@ -1806,8 +1807,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
$dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
}
} ,
REJECT => sub { $action = 'reject'; } ,
CONTINUE => sub { $action = 'RETURN'; } ,
WHITELIST => sub {
unless ( $blacklist ) {
if ( $config{BLACKLISTSECTION} ) {
@ -1817,8 +1821,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
}
}
$action = 'RETURN'; } ,
$action = 'RETURN';
} ,
COUNT => sub { $action = ''; } ,
LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
);
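Review bot: The %functions table now turns ACCEPT into 'RETURN' when $blacklist is set and makes WHITELIST always end in `$action = 'RETURN';`, but nothing in the hunk says why a packet is "accepted" by returning from the chain; a one-line comment above `my %functions = (` would spare the next reader a trip to the chain layout, e.g. `# Inside the blacklist chain ACCEPT and WHITELIST mean "exempt this packet from the remaining blacklist rules", which is a RETURN to the calling chain, not a terminal accept.` The WHITELIST closure's `unless ( $blacklist ) { if ( $config{BLACKLISTSECTION} ) {` branch is cut by the hunk boundary, so whether a WHITELIST outside the blacklist context with BLACKLISTSECTION=No is rejected or silently compiled as a plain RETURN is not visible here; if it is the latter, the rule's meaning changes without warning and a fatal_error would be the safer outcome. As a point of style, ACCEPT and REDIRECT carry an empty `sub()` prototype while REJECT, CONTINUE, WHITELIST, COUNT and LOG do not; the prototype has no effect on a closure invoked through a hash, so drop it for consistency. process_rule1 begins and ends outside these hunks.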


@ -0,0 +1,12 @@
#
# Shorewall version 5 - Blacklist Rules File
#
# For information about entries in this file, type "man shorewall-blrules"
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
######################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP


@ -110,6 +110,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=No
CLEAR_TC=Yes


@ -616,6 +616,16 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/blacklist ]; then
echo "Blacklist file installed as ${DESTDIR}/etc/shorewall/blacklist"
fi
#
# Install the blacklist rules file
#
run_install $OWNERSHIP -m 0644 configfiles/blrules ${DESTDIR}/usr/share/shorewall/configfiles
run_install $OWNERSHIP -m 0644 configfiles/blrules.annotated ${DESTDIR}/usr/share/shorewall/configfiles
if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/blrules ]; then
run_install $OWNERSHIP -m 0600 configfiles/blrules${suffix} ${DESTDIR}/etc/shorewall/blrules
echo "Blacklist rules file installed as ${DESTDIR}/etc/shorewall/blrules"
fi
#
# Install the findgw file
#
run_install $OWNERSHIP -m 0644 configfiles/findgw ${DESTDIR}/usr/share/shorewall/configfiles
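Review bot: The success message of the new blrules stanza differs between the two install scripts: here it reads `Blacklist rules file installed as ${DESTDIR}/etc/shorewall/blrules`, while the shorewall6 counterpart later in this commit says `Blrules file installed as ${DESTDIR}/etc/shorewall6/blrules`; pick one wording for both, e.g. `echo "Blacklist rules file installed as ${DESTDIR}/etc/shorewall6/blrules"`. The stanza otherwise mirrors the blacklist stanza above it, including the unquoted `${DESTDIR}` and the `-a` conjunction inside `[ ]` (obsolescent in POSIX test), which is acceptable for consistency with the rest of the script but worth keeping in mind if DESTDIR ever contains whitespace. The 0600 mode on the /etc copy matches the blacklist file's treatment and is the right choice for a file that will hold site-specific addresses. The enclosing script continues outside the hunk.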


@ -0,0 +1,11 @@
#
# Shorewall6 version 4 - Blacklist File
#
# For information about entries in this file, type "man shorewall6-blrules"
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###########################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
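Review bot: The header of this new file reads `# Shorewall6 version 4 - Blacklist File`, whereas the IPv4 file added in the same commit is titled `# Shorewall version 5 - Blacklist Rules File`; the two should name the file the same way, and "Blacklist File" is easily confused with the separate /etc/shorewall6/blacklist file that the install script handles just above the new stanza. Suggest `# Shorewall6 version 4 - Blacklist Rules File`, which also matches the manpage name shorewall6-blrules quoted two lines below. The version numbers differ as well (4 here, 5 in the IPv4 file); I cannot tell from this page which is right for this branch, but they presumably should agree.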


@ -105,6 +105,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=No
CLEAR_TC=No


@ -586,6 +586,16 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/blacklist ]; then
echo "Blacklist file installed as ${DESTDIR}/etc/shorewall6/blacklist"
fi
#
# Install the blacklist rules file
#
run_install $OWNERSHIP -m 0644 blrules ${DESTDIR}/usr/share/shorewall6/configfiles/
run_install $OWNERSHIP -m 0644 blrules.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/blrules ]; then
run_install $OWNERSHIP -m 0600 blrules${suffix} ${DESTDIR}/etc/shorewall6/blrules
echo "Blrules file installed as ${DESTDIR}/etc/shorewall6/blrules"
fi
#
# Install the Providers file
#
run_install $OWNERSHIP -m 0644 providers ${DESTDIR}/usr/share/shorewall6/configfiles/


@ -16,7 +16,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/blrules</command>
<command>/etc/shorewall/blrules</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -154,7 +154,7 @@
<para>the rest of the line will be attached as a comment to
the Netfilter rule(s) generated by the following entries. The
comment will appear delimited by "/* ... */" in the output of
"shorewall6 show &lt;chain&gt;". To stop the comment from
"shorewall show &lt;chain&gt;". To stop the comment from
being attached to further rules, simply include COMMENT on a
line by itself.</para>
</listitem>
@ -167,7 +167,7 @@
<para>The name of an <emphasis>action</emphasis> declared in
<ulink
url="shorewall-actions.html">shorewall-actions</ulink>(5) or
in /usr/share/shorewall6/actions.std.</para>
in /usr/share/shorewall/actions.std.</para>
</listitem>
</varlistentry>
@ -199,7 +199,7 @@
<para>If the <emphasis role="bold">ACTION</emphasis> names an
<emphasis>action</emphasis> declared in <ulink
url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
/usr/share/shorewall6/actions.std then:</para>
/usr/share/shorewall/actions.std then:</para>
<itemizedlist>
<listitem>
@ -234,7 +234,7 @@
</variablelist>
<para>For the remaining columns, see <ulink
url="shorewall6-rules.html">shorewall6-rules (5)</ulink>.</para>
url="shorewall-rules.html">shorewall-rules (5)</ulink>.</para>
</refsect1>
<refsect1>
@ -245,9 +245,9 @@
<term>Example 1:</term>
<listitem>
<para>Disallow SMTP from the local zone to the net zone.</para>
<para>Drop Teredo packets from the net.</para>
<programlisting>DROP loc net tcp 25</programlisting>
<programlisting>DROP net:[2001::/32] all</programlisting>
</listitem>
</varlistentry>
@ -255,10 +255,10 @@
<term>Example 2:</term>
<listitem>
<para>Don't subject packets from 192.0.2.0/24 to the remaining rules
in the file.</para>
<para>Don't subject packets from 2001:DB8::/64 to the remaining
rules in the file.</para>
<programlisting>WHITELIST net:192.0.2.0/24 all</programlisting>
<programlisting>WHITELIST net:[2001:DB8::/64] all</programlisting>
</listitem>
</varlistentry>
</variablelist>
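Review bot: After this change the page points at `/etc/shorewall/blrules`, `/usr/share/shorewall/actions.std` and shorewall-rules(5), yet its two examples become IPv6-only (`DROP net:[2001::/32] all`, `WHITELIST net:[2001:DB8::/64] all`, with the caption `Drop Teredo packets from the net.`), assuming the page prints the removed line before the added one as it does for the path change at the top of the section. One half of the section therefore contradicts the other: if this is the IPv4 manpage, the IPv4 examples `DROP loc net tcp 25` and `WHITELIST net:192.0.2.0/24 all` should survive; if it is the IPv6 page, the path and cross-reference edits are the ones going the wrong way. Since the WHITELIST example is what most readers will copy when exempting a source from blacklisting, an address family mismatch here is worth fixing before release.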


@ -29,7 +29,7 @@
<para>Rules in this file are applied depending on the setting of
BLACKLISTNEWONLY in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). If
url="shorewall.conf.html">shorewall6.conf</ulink>(5). If
BLACKLISTNEWONLY=No, then they are applied regardless of the connection
tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
connections in the NEW and INVALID states.</para>
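Review bot: The new line changes the link target to `shorewall.conf.html` but keeps the link text `shorewall6.conf`, so the rendered page names one file and links to another; make them agree with either `url="shorewall.conf.html">shorewall.conf</ulink>` for the IPv4 page or the unchanged `url="shorewall6.conf.html">shorewall6.conf</ulink>` for the IPv6 page. I cannot tell from this page which manpage the section belongs to. The paragraph continues past the hunk.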