Changes for 1.3.8

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@239 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-09-16 17:02:08 +00:00
parent 87890954b7
commit da993d8c10
9 changed files with 229 additions and 115 deletions


@ -4,16 +4,40 @@
# /etc/shorewall/blacklist # /etc/shorewall/blacklist
# #
# This file contains a list of IP addresses, MAC addresses and/or subnetworks. # This file contains a list of IP addresses, MAC addresses and/or subnetworks.
#
# Columns are:
#
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
#
# MAC addresses must be prefixed with "~" and use "-"
# as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# PROTOCOL - Optional. If specified, must be a protocol number
# or a protocol name from /etc/protocols.
#
# PORTS - Optional. May only be specified if the protocol
# is TCP (6) or UDP (17). A comma-separated list
# of port numbers or service names from /etc/services.
#
# When a packet arrives on in interface that has the 'blacklist' option # When a packet arrives on in interface that has the 'blacklist' option
# specified, its source IP address is checked against this file and disposed of # specified, its source IP address is checked against this file and disposed of
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in # according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
# /etc/shorewall/shorewall.conf # /etc/shorewall/shorewall.conf
# #
# MAC addresses must be prefixed with "~" and use "-" as a separator. # If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked.
#
# Example:
#
# To block DNS queries from address 192.0.2.126:
#
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
# #
# Example: ~00-A0-C9-15-39-78
############################################################################### ###############################################################################
#ADDRESS/SUBNET #ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,26 +1,19 @@
Changes since 1.3.6 Changes since 1.3.7
1. Comments in the common.def file have been updated. 1. Correct rules file handling bug introduced in 1.3.7.
2. icmp.def deimplemented 2. Correct handling of DNAT rule where source is $FW
3. FORWARDPING implemented. 3. Reverse order of RFC 1918 and DHCP filtering
4. Made MULTIPORT work with iptables 1.2.7 4. "shorewall refresh" fix for FORWARDPING=Yes
5. Corrected ADD_SNAT_ALIASES 5. Replace tab with space in blacklist output.
6. Work around iptables 1.2.7 protocol match bug.
7. Remove themes from documentation and web site.
8. Comments in the interfaces file improved.
9. Typo in the policy file corrected.
10. Loopback class A added to rfc1918.
6. Added NEWNOTSYN option
7. Assume 'multi' if canonical chain exists.
8. Add PROTOCOL and PORT columns to blacklist file


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.3.7c VERSION=1.3.8
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -70,6 +70,14 @@ list_search() # $1 = element to search for , $2-$n = list
return 1 return 1
} }
###############################################################################
# Function to count list elements #
###############################################################################
list_count() {
local temp=`separate_list $1`
echo $temp | wc -w
}
############################################################################### ###############################################################################
# Mutual exclusion -- These functions are jackets for the mutual exclusion # # Mutual exclusion -- These functions are jackets for the mutual exclusion #
@ -200,6 +208,7 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules
state="ESTABLISHED" state="ESTABLISHED"
[ -n "$ALLOWRELATED" ] && state="$state,RELATED" [ -n "$ALLOWRELATED" ] && state="$state,RELATED"
run_iptables -A $1 -m state --state $state -j ACCEPT run_iptables -A $1 -m state --state $state -j ACCEPT
[ -z "$NEWNOTSYN" ] && \
run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn
fi fi
@ -1771,14 +1780,6 @@ add_a_rule()
################################################################################ ################################################################################
process_rule() { process_rule() {
# Function to count list elements
list_count() {
local temp=`separate_list $1`
echo $temp | wc -w
}
# Function Body -- isolate log level # Function Body -- isolate log level
if [ "$target" = "${target%:*}" ]; then if [ "$target" = "${target%:*}" ]; then
@ -2396,6 +2397,10 @@ setup_masq()
interface="${interface%:*}" interface="${interface%:*}"
fi fi
if ! list_search $interface $all_interfaces; then
fatal_error "Error: Unknown interface $interface"
fi
if [ "$subnet" = "${subnet%!*}" ]; then if [ "$subnet" = "${subnet%!*}" ]; then
nomasq= nomasq=
else else
@ -2496,15 +2501,34 @@ setup_intrazone() # $1 = zone
ensurechain ${1}2${1} ensurechain ${1}2${1}
fi fi
} }
###############################################################################
# Add a record to the blacklst chain #
# #
# $source = address match #
# $proto = protocol selector #
# $dport = destination port selector #
###############################################################################
add_blacklist_rule() {
[ -n "$BLACKLIST_LOGLEVEL" ] && \
run_iptables -A blacklst $source $proto $dport -j \
LOG $LOGPARMS --log-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
--log-level $BLACKLIST_LOGLEVEL
run_iptables -A blacklst $source $proto $dport -j $disposition
}
############################################################################### ###############################################################################
# Process a record from the blacklist file # # Process a record from the blacklist file #
# # # #
# $subnet = address/subnet # # $subnet = address/subnet #
# $protocol = Protocol Number/Name #
# $port = Port Number/Name #
############################################################################### ###############################################################################
process_blacklist_rec() { process_blacklist_rec() {
local source local source
local addr local addr
local proto
local dport
for addr in `separate_list $subnet`; do for addr in `separate_list $subnet`; do
case $addr in case $addr in
@ -2517,11 +2541,52 @@ process_blacklist_rec() {
;; ;;
esac esac
[ -n "$BLACKLIST_LOGLEVEL" ] && \ if [ -n "$protocol" ]; then
run_iptables -A blacklst $source -j LOG $LOGPARMS --log-prefix \ proto=" -p $protocol "
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
--log-level $BLACKLIST_LOGLEVEL case $protocol in
run_iptables -A blacklst $source -j $disposition tcp|TCP|6|udp|UDP|17)
if [ -n "$ports" ]; then
if [ -n "$MULTIPORT" -a \
"$ports" != "${ports%,*}" -a \
"$ports" = "${ports%:*}" -a \
`list_count $ports` -le 15 ]
then
dport="-m multiport --dports $ports"
add_blacklist_rule
else
for dport in `separate_list $ports`; do
dport="--dport $dport"
add_blacklist_rule
done
fi
else
add_blacklist_rule
fi
;;
icmp|ICMP|0)
if [ -n "$ports" ]; then
for dport in `separate_list $ports`; do
dport="--icmp-type $dport"
add_blacklist_rule
done
else
add_blacklist_rule
fi
;;
*)
add_blacklist_rule
;;
esac
else
add_blacklist_rule
fi
if [ -n "$ports" ]; then
addr="$addr $protocol $ports"
elif [ -n "$protocol" ]; then
addr="$addr $protocol"
fi
echo " $addr added to Black List" echo " $addr added to Black List"
done done
@ -2552,8 +2617,8 @@ setup_blacklist() {
[ "$disposition" = REJECT ] && disposition=reject [ "$disposition" = REJECT ] && disposition=reject
while read subnet; do while read subnet protocol ports; do
expandv subnet expandv subnet protocol ports
process_blacklist_rec process_blacklist_rec
done < $TMP_DIR/blacklist done < $TMP_DIR/blacklist
@ -2576,8 +2641,8 @@ refresh_blacklist() {
run_iptables -F blacklst run_iptables -F blacklst
while read subnet; do while read subnet protocol ports; do
expandv subnet expandv subnet protocol ports
process_blacklist_rec process_blacklist_rec
done < $TMP_DIR/blacklist done < $TMP_DIR/blacklist
fi fi
@ -2726,12 +2791,14 @@ initialize_netfilter () {
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no createchain newnotsyn no
run_user_exit newnotsyn run_user_exit newnotsyn
[ -n "$LOGNEWNOTSYN" ] && \ [ -n "$LOGNEWNOTSYN" ] && \
run_iptables -A newnotsyn -j LOG \ run_iptables -A newnotsyn -j LOG \
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN --log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
run_iptables -A newnotsyn -j DROP run_iptables -A newnotsyn -j DROP
fi
createchain icmpdef no createchain icmpdef no
createchain common no createchain common no
@ -2762,6 +2829,42 @@ initialize_netfilter () {
done done
} }
################################################################################
# Build the common chain -- called during [re]start and refresh #
################################################################################
build_common_chain() {
###########################################################################
# PING
#
[ -n "$FORWARDPING" ] && \
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
############################################################################
# Common ICMP rules
#
run_user_exit icmpdef
############################################################################
# Common rules in each chain
#
common=`find_file common`
if [ -f $common ]; then
. $common
else
. `find_file common.def`
fi
###########################################################################
# New Not Syn Stuff
#
if [ -n "$NEWNOTSYN" ]; then
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
fi
###########################################################################
# BROADCASTS
#
drop_broadcasts `find_broadcasts`
}
################################################################################ ################################################################################
# Construct zone-independent rules # # Construct zone-independent rules #
################################################################################ ################################################################################
@ -2825,29 +2928,9 @@ add_common_rules() {
echo " $interface" echo " $interface"
done done
fi fi
###########################################################################
# PING
#
[ -n "$FORWARDPING" ] && \
run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT
############################################################################
# Common ICMP rules
#
run_user_exit icmpdef
############################################################################
# Common rules in each chain
#
common=`find_file common`
if [ -f $common ]; then build_common_chain
. $common
else
. `find_file common.def`
fi
###########################################################################
# BROADCASTS
#
drop_broadcasts `find_broadcasts`
########################################################################### ###########################################################################
# DHCP # DHCP
# #
@ -3108,11 +3191,20 @@ activate_rules()
chain="`rules_chain $zone $zone1`" chain="`rules_chain $zone $zone1`"
if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then
have_canonical=Yes
else
have_canonical=
fi
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
subnet=${host#*:} subnet=${host#*:}
chain1=`forward_chain $interface` chain1=`forward_chain $interface`
if [ -n "$have_canonical" ]; then
multi=yes
else
case $interface in case $interface in
*+*) *+*)
multi=yes multi=yes
@ -3121,6 +3213,7 @@ activate_rules()
list_search $interface $multi_interfaces && multi=yes || multi= list_search $interface $multi_interfaces && multi=yes || multi=
;; ;;
esac esac
fi
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
interface1=${host1%:*} interface1=${host1%:*}
@ -3303,25 +3396,8 @@ refresh_firewall()
run_iptables -F common run_iptables -F common
echo "Adding Common Rules" echo "Adding Common Rules"
###########################################################################
# PING
#
[ -n "$FORWARDPING" ] && \
run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT
############################################################################
# Common rules in each chain
#
common=`find_file common`
if [ -f $common ]; then build_common_chain
. $common
else
. `find_file common.def`
fi
###########################################################################
# BROADCASTS
#
drop_broadcasts `find_broadcasts`
########################################################################### ###########################################################################
# Blacklist # Blacklist
@ -3416,6 +3492,7 @@ do_initialize() {
DETECT_DNAT_IPADDRS= DETECT_DNAT_IPADDRS=
MERGE_HOSTS= MERGE_HOSTS=
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
NEWNOTSYN=
LOGNEWNOTSYN= LOGNEWNOTSYN=
FORWARDPING= FORWARDPING=
stopping= stopping=
@ -3495,6 +3572,7 @@ do_initialize() {
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS` DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS` MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING` FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
} }
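Review bot: In the new `case $protocol in` of process_blacklist_rec (hunk at -2517), the ICMP arm is written `icmp|ICMP|0)`, but protocol number 0 is IP in /etc/protocols; ICMP is 1, so a blacklist entry that uses the numeric protocol `1` falls through to the `*)` arm, where `$ports` is never consulted and the address is blocked for all ICMP instead of the listed types (the same silent discard happens for any non-tcp/udp/icmp protocol given with PORTS, and for PORTS given with no PROTOCOL in the `else` branch). The fix is to correct the arm to `icmp|ICMP|1)` and make the two fall-through paths fail loudly rather than widen the match unnoticed, e.g. `[ -n "$ports" ] && fatal_error "Error: PORTS requires PROTOCOL tcp, udp or icmp: $addr $protocol $ports"` before `add_blacklist_rule` in the `*)` arm and in the `else` branch. That would also bring the code into line with the blacklist file header, which says PORTS is only valid for TCP and UDP — either the header or the ICMP arm should be reconciled. The enclosing function's closing brace lies outside this hunk.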
################################################################################ ################################################################################


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.3.7c VERSION=1.3.8
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -3,22 +3,20 @@ fixes.
New features include: New features include:
1) The 'icmp.def' file is now empty! The rules in that file were 1. A NEWNOTSYN option has been added to shorewall.conf. This option
required in ipchains firewalls but are not required in Shorewall. determines whether Shorewall accepts TCP packets which are not part
Users who have ALLOWRELATED=No in shorewall.conf should see the of an established connection and that are not 'SYN' packets (SYN
Upgrade Issues. flag on and ACK flag off).
2) A 'FORWARDPING' option has been added to shorewall.conf. The effect
of setting this variable to Yes is the same as the effect of adding
an ACCEPT rule for ICMP echo-request in
/etc/shorewall/icmpdef. Users who have such a rule in icmpdef are
encouraged to switch to FORWARDPING=Yes.
3) The loopback CLASS A Network (127.0.0.0/8) has been added to the
rfc1918 file.
4) Shorewall now works with iptables 1.2.7.
5) The documentation and Web site no longer use FrontPage themes.
I would like to thank John Distler for his valuable input regarding TCP
SYN and ICMP treatment in Shorewall. That input has led to marked
improvement in Shorewall in the last two releases.
2. The need for the 'multi' option to communicate between zones za and
zb on the same interface is removed in the case where the chain
'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
a. There is a policy for za to zb.
b. There is at least one rule for za to zb.
3. The /etc/shorewall/blacklist file now contains three columns. In
addition to the SUBNET/ADDRESS column, there are optional PROTOCOL
and PORT columns to block only certain applications from the
blacklisted addresses.


@ -339,6 +339,8 @@ MUTEX_TIMEOUT=60
# #
# LOGGING 'New not SYN' rejects # LOGGING 'New not SYN' rejects
# #
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST # When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection, # flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged, # it will be rejected by the firewall. If you want these rejects logged,
@ -357,4 +359,21 @@ LOGNEWNOTSYN=
FORWARDPING=Yes FORWARDPING=Yes
#
# NEWNOTSYN
#
# If this variable is set to "No" or "no", then When a TCP packet that does
# not have the SYN flag set and the ACK and RST flags clear then unless the
# packet is part of an established connection, it will be dropped by the
# firewall
#
# If this variable is set to "Yes" or "yes" then such packets will not be
# dropped but will pass through the normal rule processing.
#
# Users with a High-availability setup with two firewall's and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes.
NEWNOTSYN=No
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE
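Review bot: The new NEWNOTSYN comment block understates what `Yes` does: it says such packets "will pass through the normal rule processing", but the matching change in the firewall script appends `run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT` and the RST equivalent to the `common` chain whenever NEWNOTSYN is set. If `common` is traversed before a policy DROP/REJECT, as its placement in add_common_rules suggests, then any ACK- or RST-flagged TCP segment that matches no rule is accepted rather than dropped, i.e. the firewall becomes effectively stateless for mid-stream TCP (ACK scans and injected segments get through). I would add to the comment: `# NOTE: with NEWNOTSYN=Yes, TCP packets carrying ACK or RST that match no rule are ACCEPTed in the common chain instead of being dropped by policy; enable only where HA failover or asymmetric routing requires it.` The wording `then When a TCP packet` and `two firewall's` in the same block should also be tidied.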


@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.3.7c %define version 1.3.8
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -76,6 +76,8 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Mon Sep 16 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.8
* Mon Sep 02 2002 Tom Eastep <tom@shorewall.net> * Mon Sep 02 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.7c - Changed version to 1.3.7c
* Mon Aug 26 2002 Tom Eastep <tom@shorewall.net> * Mon Aug 26 2002 Tom Eastep <tom@shorewall.net>


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.7c VERSION=1.3.8
usage() # $1 = exit status usage() # $1 = exit status
{ {