diff --git a/STABLE/blacklist b/STABLE/blacklist index 5c7ce6d81..33df1518c 100644 --- a/STABLE/blacklist +++ b/STABLE/blacklist @@ -4,16 +4,40 @@ # /etc/shorewall/blacklist # # This file contains a list of IP addresses, MAC addresses and/or subnetworks. +# +# Columns are: +# +# ADDRESS/SUBNET - Host address, subnetwork or MAC address +# +# MAC addresses must be prefixed with "~" and use "-" +# as a separator. +# +# Example: ~00-A0-C9-15-39-78 +# +# PROTOCOL - Optional. If specified, must be a protocol number +# or a protocol name from /etc/protocols. +# +# PORTS - Optional. May only be specified if the protocol +# is TCP (6) or UDP (17). A comma-separated list +# of port numbers or service names from /etc/services. +# # When a packet arrives on in interface that has the 'blacklist' option # specified, its source IP address is checked against this file and disposed of # according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in # /etc/shorewall/shorewall.conf # -# MAC addresses must be prefixed with "~" and use "-" as a separator. +# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching +# the protocol (and one of the ports if PORTS supplied) are blocked. +# +# Example: +# +# To block DNS queries from address 192.0.2.126: +# +# ADDRESS/SUBNET PROTOCOL PORT +# 192.0.2.126 udp 53 # -# Example: ~00-A0-C9-15-39-78 ############################################################################### -#ADDRESS/SUBNET +#ADDRESS/SUBNET PROTOCOL PORT #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt index 9efc392c8..d59040f24 100644 --- a/STABLE/changelog.txt +++ b/STABLE/changelog.txt 
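Review bot: The column header `#ADDRESS/SUBNET PROTOCOL PORT` and the example header `ADDRESS/SUBNET PROTOCOL PORT` label the third column `PORT`, while the description above introduces it as `PORTS` and describes a comma-separated list; use `PORTS` in both headers so the file agrees with itself and with the variable name the firewall script reads. The `PORTS` paragraph also states it may only be given when the protocol is TCP or UDP, but the firewall script in this same patch additionally treats the column as a list of ICMP types when PROTOCOL is icmp; either document that here (`PORTS - ... For ICMP, a comma-separated list of ICMP types`) or leave it unsupported in the script so the documented restriction is the real one.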
@@ -1,26 +1,19 @@ -Changes since 1.3.6 +Changes since 1.3.7 -1. Comments in the common.def file have been updated. +1. Correct rules file handling bug introduced in 1.3.7. -2. icmp.def deimplemented +2. Correct handling of DNAT rule where source is $FW -3. FORWARDPING implemented. +3. Reverse order of RFC 1918 and DHCP filtering -4. Made MULTIPORT work with iptables 1.2.7 +4. "shorewall refresh" fix for FORWARDPING=Yes -5. Corrected ADD_SNAT_ALIASES - -6. Work around iptables 1.2.7 protocol match bug. - -7. Remove themes from documentation and web site. - -8. Comments in the interfaces file improved. - -9. Typo in the policy file corrected. - -10. Loopback class A added to rfc1918. +5. Replace tab with space in blacklist output. +6. Added NEWNOTSYN option +7. Assume 'multi' if canonical chain exists. +8. Add PROTOCOL and PORT columns to blacklist file diff --git a/STABLE/fallback.sh b/STABLE/fallback.sh index 1fcba5478..f76eb41a3 100755 --- a/STABLE/fallback.sh +++ b/STABLE/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=1.3.7c +VERSION=1.3.8 usage() # $1 = exit status { diff --git a/STABLE/firewall b/STABLE/firewall index beea3f772..e77d57d7c 100755 --- a/STABLE/firewall +++ b/STABLE/firewall @@ -70,6 +70,14 @@ list_search() # $1 = element to search for , $2-$n = list return 1 } +############################################################################### +# Function to count list elements # +############################################################################### +list_count() { + local temp=`separate_list $1` + + echo $temp | wc -w +} ############################################################################### # Mutual exclusion -- These functions are jackets for the mutual exclusion # 
@@ -200,7 +208,8 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules state="ESTABLISHED" [ -n "$ALLOWRELATED" ] && state="$state,RELATED" run_iptables -A $1 -m state --state $state -j ACCEPT - run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn + [ -z "$NEWNOTSYN" ] && \ + run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn fi eval ${1}_exists=Yes @@ -1771,14 +1780,6 @@ add_a_rule() ################################################################################ process_rule() { - # Function to count list elements - - list_count() { - local temp=`separate_list $1` - - echo $temp | wc -w - } - # Function Body -- isolate log level if [ "$target" = "${target%:*}" ]; then @@ -2396,6 +2397,10 @@ setup_masq() interface="${interface%:*}" fi + if ! list_search $interface $all_interfaces; then + fatal_error "Error: Unknown interface $interface" + fi + if [ "$subnet" = "${subnet%!*}" ]; then nomasq= else 
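Review bot: The new `list_search $interface $all_interfaces` check in setup_masq aborts with `Unknown interface` for any masq interface not literally present in `$all_interfaces`; if list_search compares whole strings (its body is outside this hunk) and the interfaces file uses a wildcard name such as `ppp+`, a masq entry for `ppp0` that worked in 1.3.7 now fails at start. Either accept an interface that is matched by a wildcard entry, or state in the masq file's comments that the INTERFACE column must repeat the spelling used in the interfaces file. The check runs after `interface="${interface%:*}"`, so aliases like `eth0:1` are still accepted as `eth0`, which is worth a short comment above the check. setup_masq starts and ends outside this hunk.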
@@ -2496,15 +2501,34 @@ setup_intrazone() # $1 = zone ensurechain ${1}2${1} fi } +############################################################################### +# Add a record to the blacklst chain # +# # +# $source = address match # +# $proto = protocol selector # +# $dport = destination port selector # +############################################################################### +add_blacklist_rule() { + [ -n "$BLACKLIST_LOGLEVEL" ] && \ + run_iptables -A blacklst $source $proto $dport -j \ + LOG $LOGPARMS --log-prefix \ + "Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \ + --log-level $BLACKLIST_LOGLEVEL + run_iptables -A blacklst $source $proto $dport -j $disposition +} ############################################################################### # Process a record from the blacklist file # # # # $subnet = address/subnet # +# $protocol = Protocol Number/Name # +# $port = Port Number/Name # ############################################################################### process_blacklist_rec() { local source local addr + local proto + local dport for addr in `separate_list $subnet`; do case $addr in 
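Review bot: The header of add_blacklist_rule lists `$source`, `$proto` and `$dport` but not `$disposition`, which the function reads as the target of its second rule, and the header of process_blacklist_rec documents `$port` while the code in the following hunk reads `$ports`. Add `# $disposition = target for blacklisted packets (DROP, or the reject chain)` to the first header and change the second line to `# $ports = Comma-separated port numbers/names (or ICMP types)`. A one-line note on add_blacklist_rule that the LOG rule is only emitted when BLACKLIST_LOGLEVEL is non-empty, so blacklisted traffic is dropped unlogged by default, would also help whoever tunes logging later. process_blacklist_rec continues past the end of this hunk.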
@@ -2516,14 +2540,55 @@ process_blacklist_rec() { source="-s $addr" ;; esac + + if [ -n "$protocol" ]; then + proto=" -p $protocol " - [ -n "$BLACKLIST_LOGLEVEL" ] && \ - run_iptables -A blacklst $source -j LOG $LOGPARMS --log-prefix \ - "Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \ - --log-level $BLACKLIST_LOGLEVEL - run_iptables -A blacklst $source -j $disposition + case $protocol in + tcp|TCP|6|udp|UDP|17) + if [ -n "$ports" ]; then + if [ -n "$MULTIPORT" -a \ + "$ports" != "${ports%,*}" -a \ + "$ports" = "${ports%:*}" -a \ + `list_count $ports` -le 15 ] + then + dport="-m multiport --dports $ports" + add_blacklist_rule + else + for dport in `separate_list $ports`; do + dport="--dport $dport" + add_blacklist_rule + done + fi + else + add_blacklist_rule + fi + ;; + icmp|ICMP|0) + if [ -n "$ports" ]; then + for dport in `separate_list $ports`; do + dport="--icmp-type $dport" + add_blacklist_rule + done + else + add_blacklist_rule + fi + ;; + *) + add_blacklist_rule + ;; + esac + else + add_blacklist_rule + fi - echo " $addr added to Black List" + if [ -n "$ports" ]; then + addr="$addr $protocol $ports" + elif [ -n "$protocol" ]; then + addr="$addr $protocol" + fi + + echo " $addr added to Black List" done } @@ -2552,8 +2617,8 @@ setup_blacklist() { [ "$disposition" = REJECT ] && disposition=reject - while read subnet; do - expandv subnet + while read subnet protocol ports; do + expandv subnet protocol ports process_blacklist_rec done < $TMP_DIR/blacklist @@ -2576,8 +2641,8 @@ refresh_blacklist() { run_iptables -F blacklst - while read subnet; do - expandv subnet + while read subnet protocol ports; do + expandv subnet protocol ports process_blacklist_rec done < $TMP_DIR/blacklist fi 
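Review bot: The `icmp|ICMP|0)` arm in process_blacklist_rec matches protocol number 0, but ICMP is protocol 1 in /etc/protocols; a blacklist line such as `192.0.2.1 1 8` therefore falls to the `*)` arm and its ICMP types are silently discarded, while protocol `0` is wrongly treated as ICMP. Change the arm to `icmp|ICMP|1)`. The `*)` arm also ignores a non-empty `$ports` for every other protocol without any diagnostic, which quietly widens a port-specific entry into a block of the whole protocol from that address; adding `[ -n "$ports" ] && fatal_error "Error: PORTS only allowed with TCP, UDP or ICMP: $subnet $protocol $ports"` before `add_blacklist_rule` in that arm would enforce the blacklist file's own documented restriction instead of silently reinterpreting the entry. process_blacklist_rec starts before this hunk.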
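Review bot: The `while read subnet protocol ports; do expandv subnet protocol ports; process_blacklist_rec; done < $TMP_DIR/blacklist` loop in setup_blacklist is now repeated verbatim in refresh_blacklist, so the next column added to the blacklist file has to be threaded through two places that can drift apart. A small helper that owns the column layout and is called from both would keep start and refresh parsing the file identically. `read -r` is also preferable here, since the file is parsed as plain whitespace-separated columns and a stray backslash should not be interpreted. Both functions start before their hunks.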
@@ -2726,12 +2791,14 @@ initialize_netfilter () { --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu - createchain newnotsyn no - run_user_exit newnotsyn - [ -n "$LOGNEWNOTSYN" ] && \ - run_iptables -A newnotsyn -j LOG \ - --log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN - run_iptables -A newnotsyn -j DROP + if [ -z "$NEWNOTSYN" ]; then + createchain newnotsyn no + run_user_exit newnotsyn + [ -n "$LOGNEWNOTSYN" ] && \ + run_iptables -A newnotsyn -j LOG \ + --log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN + run_iptables -A newnotsyn -j DROP + fi createchain icmpdef no createchain common no 
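Review bot: When NEWNOTSYN is non-empty, initialize_netfilter now skips `run_user_exit newnotsyn` and the LOGNEWNOTSYN rule without any message, so a site's existing /etc/shorewall/newnotsyn exit is silently ignored and any user-supplied rule that still jumps to `newnotsyn` will fail at iptables time because the chain is never created. A one-line warning when `find_file newnotsyn` resolves to an existing file (find_file is used that way in build_common_chain in this same patch), stating that the exit is ignored because NEWNOTSYN=Yes, would make the behaviour change visible at start time. initialize_netfilter starts and ends outside this hunk.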
@@ -2762,6 +2829,42 @@ initialize_netfilter () { done } +################################################################################ +# Build the common chain -- called during [re]start and refresh # +################################################################################ +build_common_chain() { + ########################################################################### + # PING + # + [ -n "$FORWARDPING" ] && \ + run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT + ############################################################################ + # Common ICMP rules + # + run_user_exit icmpdef + ############################################################################ + # Common rules in each chain + # + common=`find_file common` + + if [ -f $common ]; then + . $common + else + . `find_file common.def` + fi + ########################################################################### + # New Not Syn Stuff + # + if [ -n "$NEWNOTSYN" ]; then + run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT + run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT + fi + ########################################################################### + # BROADCASTS + # + drop_broadcasts `find_broadcasts` +} + ################################################################################ # Construct zone-independent rules # ################################################################################ 
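Review bot: With NEWNOTSYN set, build_common_chain appends `-p tcp --tcp-flags ACK ACK -j ACCEPT` and `-p tcp --tcp-flags RST RST -j ACCEPT` to `common`, which is presumably the chain a DROP/REJECT policy runs before its final action (its callers are not in this hunk); if so, every TCP segment carrying ACK or RST that no rule matched is accepted from every zone to every zone, not only the failover or asymmetric-routing traffic the release notes describe. That admits ACK/RST scans and stray unsolicited segments to hosts behind the firewall and contradicts the shorewall.conf text that such packets "pass through the normal rule processing". At minimum the block needs a comment stating the exposure, e.g. `# NEWNOTSYN=Yes: accept any ACK- or RST-flagged TCP segment that reaches a DROP/REJECT policy; stateless, applies to all zone pairs`, and the option's documentation should say the same. The PING rule has also moved from `common` to `icmpdef`, so a site whose own /etc/shorewall/common file does not reach icmpdef would lose FORWARDPING; a comment noting that dependency belongs here too. The function is complete within this hunk.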
@@ -2825,37 +2928,17 @@ add_common_rules() { echo " $interface" done fi - ########################################################################### - # PING - # - [ -n "$FORWARDPING" ] && \ - run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT - ############################################################################ - # Common ICMP rules - # - run_user_exit icmpdef - ############################################################################ - # Common rules in each chain - # - common=`find_file common` - if [ -f $common ]; then - . $common - else - . `find_file common.def` - fi - ########################################################################### - # BROADCASTS - # - drop_broadcasts `find_broadcasts` + build_common_chain + ########################################################################### # DHCP # echo "Adding rules for DHCP" for interface in `find_interfaces_by_option dhcp`; do - run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT - run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT + run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT + run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT done ########################################################################### @@ -3108,19 +3191,29 @@ activate_rules() chain="`rules_chain $zone $zone1`" + if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then + have_canonical=Yes + else + have_canonical= + fi + for host in $source_hosts; do interface=${host%:*} subnet=${host#*:} chain1=`forward_chain $interface` - case $interface in - *+*) - multi=yes - ;; - *) - list_search $interface $multi_interfaces && multi=yes || multi= - ;; - esac + if [ -n "$have_canonical" ]; then + multi=yes + else + case $interface in + *+*) + multi=yes + ;; + *) + list_search $interface $multi_interfaces && multi=yes || multi= + ;; + esac + fi for host1 in $dest_hosts; do interface1=${host1%:*} 
@@ -3303,25 +3396,8 @@ refresh_firewall() run_iptables -F common echo "Adding Common Rules" - ########################################################################### - # PING - # - [ -n "$FORWARDPING" ] && \ - run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT - ############################################################################ - # Common rules in each chain - # - common=`find_file common` - if [ -f $common ]; then - . $common - else - . `find_file common.def` - fi - ########################################################################### - # BROADCASTS - # - drop_broadcasts `find_broadcasts` + build_common_chain ########################################################################### # Blacklist @@ -3416,6 +3492,7 @@ do_initialize() { DETECT_DNAT_IPADDRS= MERGE_HOSTS= MUTEX_TIMEOUT= + NEWNOTSYN= LOGNEWNOTSYN= FORWARDPING= stopping= @@ -3495,6 +3572,7 @@ do_initialize() { DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS` MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS` FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING` + NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN` } ################################################################################ diff --git a/STABLE/install.sh b/STABLE/install.sh index 4ec6b57c0..f3c4f4616 100755 --- a/STABLE/install.sh +++ b/STABLE/install.sh @@ -54,7 +54,7 @@ # /etc/rc.d/rc.local file is modified to start the firewall. # -VERSION=1.3.7c +VERSION=1.3.8 usage() # $1 = exit status { diff --git a/STABLE/releasenotes.txt b/STABLE/releasenotes.txt index 11eb0c2e7..3a256ef7d 100644 --- a/STABLE/releasenotes.txt +++ b/STABLE/releasenotes.txt 
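Review bot: refresh_firewall now calls build_common_chain after flushing only `common`, but build_common_chain also appends the FORWARDPING echo-request ACCEPT to `icmpdef` and re-runs the icmpdef user exit, so unless icmpdef is flushed somewhere not shown, every `shorewall refresh` appends another copy of those rules to that chain. The code this hunk removes only wrote to `common`, so this is a new accumulation. Add `run_iptables -F icmpdef` beside `run_iptables -F common` so both chains are rebuilt from scratch on refresh. refresh_firewall starts before this hunk.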
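Review bot: The added NEWNOTSYN line in do_initialize uses added_param_value_yes, whereas the neighbouring FORWARDPING line uses added_param_value_no; if the _yes variant supplies Yes when the variable is absent (its body is not shown, but the naming suggests it), a shorewall.conf carried over from 1.3.7 without the new NEWNOTSYN setting silently gets the permissive behaviour, reversing the drop of new-not-SYN packets those installations had before upgrading. Neither shorewall.conf nor releasenotes.txt in this patch states what an unset NEWNOTSYN means. Either use `NEWNOTSYN=\`added_param_value_no NEWNOTSYN $NEWNOTSYN\`` so an unchanged configuration keeps the previous behaviour, or document in both files that a missing NEWNOTSYN is treated as Yes and flag it as an upgrade issue. do_initialize starts and ends outside this hunk.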
@@ -3,22 +3,20 @@ fixes. New features include: -1) The 'icmp.def' file is now empty! The rules in that file were - required in ipchains firewalls but are not required in Shorewall. - Users who have ALLOWRELATED=No in shorewall.conf should see the - Upgrade Issues. -2) A 'FORWARDPING' option has been added to shorewall.conf. The effect - of setting this variable to Yes is the same as the effect of adding - an ACCEPT rule for ICMP echo-request in - /etc/shorewall/icmpdef. Users who have such a rule in icmpdef are - encouraged to switch to FORWARDPING=Yes. -3) The loopback CLASS A Network (127.0.0.0/8) has been added to the - rfc1918 file. -4) Shorewall now works with iptables 1.2.7. -5) The documentation and Web site no longer use FrontPage themes. - -I would like to thank John Distler for his valuable input regarding TCP -SYN and ICMP treatment in Shorewall. That input has led to marked -improvement in Shorewall in the last two releases. +1. A NEWNOTSYN option has been added to shorewall.conf. This option + determines whether Shorewall accepts TCP packets which are not part + of an established connection and that are not 'SYN' packets (SYN + flag on and ACK flag off). +2. The need for the 'multi' option to communicate between zones za and + zb on the same interface is removed in the case where the chain + 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if: + + a. There is a policy for za to zb. + b. There is at least one rule for za to zb. + +3. The /etc/shorewall/blacklist file now contains three columns. In + addition to the SUBNET/ADDRESS column, there are optional PROTOCOL + and PORT columns to block only certain applications from the + blacklisted addresses. diff --git a/STABLE/shorewall.conf b/STABLE/shorewall.conf index adef919b5..8bb4fb236 100644 --- a/STABLE/shorewall.conf +++ b/STABLE/shorewall.conf 
@@ -339,6 +339,8 @@ MUTEX_TIMEOUT=60 # # LOGGING 'New not SYN' rejects # +# This variable only has an effect when NEWNOTSYN=No (see below). +# # When a TCP packet that does not have the SYN flag set and the ACK and RST # flags clear then unless the packet is part of an established connection, # it will be rejected by the firewall. If you want these rejects logged, @@ -357,4 +359,21 @@ LOGNEWNOTSYN= FORWARDPING=Yes +# +# NEWNOTSYN +# +# If this variable is set to "No" or "no", then When a TCP packet that does +# not have the SYN flag set and the ACK and RST flags clear then unless the +# packet is part of an established connection, it will be dropped by the +# firewall +# +# If this variable is set to "Yes" or "yes" then such packets will not be +# dropped but will pass through the normal rule processing. +# +# Users with a High-availability setup with two firewall's and one acting +# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may +# also need to select NEWNOTSYN=Yes. + +NEWNOTSYN=No + #LAST LINE -- DO NOT REMOVE diff --git a/STABLE/shorewall.spec b/STABLE/shorewall.spec index d7f30a79b..383d1f72c 100644 --- a/STABLE/shorewall.spec +++ b/STABLE/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 1.3.7c +%define version 1.3.8 %define release 1 %define prefix /usr @@ -76,6 +76,8 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Mon Sep 16 2002 Tom Eastep +- Changed version to 1.3.8 * Mon Sep 02 2002 Tom Eastep - Changed version to 1.3.7c * Mon Aug 26 2002 Tom Eastep diff --git a/STABLE/uninstall.sh b/STABLE/uninstall.sh index 826931c2f..cbe3edf56 100755 --- a/STABLE/uninstall.sh +++ b/STABLE/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=1.3.7c +VERSION=1.3.8 usage() # $1 = exit status {
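Review bot: The NEWNOTSYN paragraph's "then When a TCP packet that does not have the SYN flag set and the ACK and RST flags clear then unless the packet is part of an established connection, it will be dropped" doubles its "then" and leaves the flag condition ambiguous, and the Yes paragraph's claim that such packets "will pass through the normal rule processing" understates what the firewall script does with the option set: ACK- and RST-flagged TCP segments are accepted in the common chain, that is admitted even where a policy would drop them. Reword the No paragraph as one sentence (a TCP packet that is not a pure SYN and is not part of an established connection is dropped), and add a sentence to the Yes paragraph warning that the firewall then accepts ACK/RST-flagged TCP from every zone regardless of policy, so the option should only be enabled where failover or asymmetric routing requires it. The comment should also state what an unset NEWNOTSYN means, since the script assigns a default the file does not describe.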