Changes for 1.3.8

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@239 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-09-16 17:02:08 +00:00
parent 87890954b7
commit da993d8c10
9 changed files with 229 additions and 115 deletions


@ -4,16 +4,40 @@
# /etc/shorewall/blacklist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
#
# Columns are:
#
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
#
# MAC addresses must be prefixed with "~" and use "-"
# as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# PROTOCOL - Optional. If specified, must be a protocol number
# or a protocol name from /etc/protocols.
#
# PORTS - Optional. May only be specified if the protocol
# is TCP (6) or UDP (17). A comma-separated list
# of port numbers or service names from /etc/services.
#
# When a packet arrives on in interface that has the 'blacklist' option
# specified, its source IP address is checked against this file and disposed of
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
# /etc/shorewall/shorewall.conf
#
# MAC addresses must be prefixed with "~" and use "-" as a separator.
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked.
#
# Example:
#
# To block DNS queries from address 192.0.2.126:
#
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
#
# Example: ~00-A0-C9-15-39-78
###############################################################################
#ADDRESS/SUBNET
#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
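Review bot: The PORTS description says the column may only be used with TCP (6) or UDP (17), but the firewall script in this same commit also consumes PORTS for icmp/ICMP/0 records, turning each value into an `--icmp-type` match in process_blacklist_rec. The comment should say so, e.g. `# PORTS - Optional. May only be specified if the protocol is TCP (6), UDP (17) or ICMP (0). For TCP/UDP a comma-separated list of port numbers or service names from /etc/services; for ICMP a comma-separated list of ICMP types.`. The column header line uses `PORT` while the description uses `PORTS`; pick one name so the header matches the field the script reads. The MAC-address sentence and the `~00-A0-C9-15-39-78` example also appear to be present twice in the resulting header; keeping only the copy inside the column list would read cleaner.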


@ -1,26 +1,19 @@
Changes since 1.3.6
Changes since 1.3.7
1. Comments in the common.def file have been updated.
1. Correct rules file handling bug introduced in 1.3.7.
2. icmp.def deimplemented
2. Correct handling of DNAT rule where source is $FW
3. FORWARDPING implemented.
3. Reverse order of RFC 1918 and DHCP filtering
4. Made MULTIPORT work with iptables 1.2.7
4. "shorewall refresh" fix for FORWARDPING=Yes
5. Corrected ADD_SNAT_ALIASES
6. Work around iptables 1.2.7 protocol match bug.
7. Remove themes from documentation and web site.
8. Comments in the interfaces file improved.
9. Typo in the policy file corrected.
10. Loopback class A added to rfc1918.
5. Replace tab with space in blacklist output.
6. Added NEWNOTSYN option
7. Assume 'multi' if canonical chain exists.
8. Add PROTOCOL and PORT columns to blacklist file


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.3.7c
VERSION=1.3.8
usage() # $1 = exit status
{


@ -70,6 +70,14 @@ list_search() # $1 = element to search for , $2-$n = list
return 1
}
###############################################################################
# Function to count list elements #
###############################################################################
list_count() {
local temp=`separate_list $1`
echo $temp | wc -w
}
###############################################################################
# Mutual exclusion -- These functions are jackets for the mutual exclusion #
@ -200,7 +208,8 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules
state="ESTABLISHED"
[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
run_iptables -A $1 -m state --state $state -j ACCEPT
run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn
[ -z "$NEWNOTSYN" ] && \
run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn
fi
eval ${1}_exists=Yes
@ -1771,14 +1780,6 @@ add_a_rule()
################################################################################
process_rule() {
# Function to count list elements
list_count() {
local temp=`separate_list $1`
echo $temp | wc -w
}
# Function Body -- isolate log level
if [ "$target" = "${target%:*}" ]; then
@ -2396,6 +2397,10 @@ setup_masq()
interface="${interface%:*}"
fi
if ! list_search $interface $all_interfaces; then
fatal_error "Error: Unknown interface $interface"
fi
if [ "$subnet" = "${subnet%!*}" ]; then
nomasq=
else
@ -2496,15 +2501,34 @@ setup_intrazone() # $1 = zone
ensurechain ${1}2${1}
fi
}
###############################################################################
# Add a record to the blacklst chain #
# #
# $source = address match #
# $proto = protocol selector #
# $dport = destination port selector #
###############################################################################
add_blacklist_rule() {
[ -n "$BLACKLIST_LOGLEVEL" ] && \
run_iptables -A blacklst $source $proto $dport -j \
LOG $LOGPARMS --log-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
--log-level $BLACKLIST_LOGLEVEL
run_iptables -A blacklst $source $proto $dport -j $disposition
}
###############################################################################
# Process a record from the blacklist file #
# #
# $subnet = address/subnet #
# $protocol = Protocol Number/Name #
# $port = Port Number/Name #
###############################################################################
process_blacklist_rec() {
local source
local addr
local proto
local dport
for addr in `separate_list $subnet`; do
case $addr in
@ -2517,13 +2541,54 @@ process_blacklist_rec() {
;;
esac
[ -n "$BLACKLIST_LOGLEVEL" ] && \
run_iptables -A blacklst $source -j LOG $LOGPARMS --log-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
--log-level $BLACKLIST_LOGLEVEL
run_iptables -A blacklst $source -j $disposition
if [ -n "$protocol" ]; then
proto=" -p $protocol "
echo " $addr added to Black List"
case $protocol in
tcp|TCP|6|udp|UDP|17)
if [ -n "$ports" ]; then
if [ -n "$MULTIPORT" -a \
"$ports" != "${ports%,*}" -a \
"$ports" = "${ports%:*}" -a \
`list_count $ports` -le 15 ]
then
dport="-m multiport --dports $ports"
add_blacklist_rule
else
for dport in `separate_list $ports`; do
dport="--dport $dport"
add_blacklist_rule
done
fi
else
add_blacklist_rule
fi
;;
icmp|ICMP|0)
if [ -n "$ports" ]; then
for dport in `separate_list $ports`; do
dport="--icmp-type $dport"
add_blacklist_rule
done
else
add_blacklist_rule
fi
;;
*)
add_blacklist_rule
;;
esac
else
add_blacklist_rule
fi
if [ -n "$ports" ]; then
addr="$addr $protocol $ports"
elif [ -n "$protocol" ]; then
addr="$addr $protocol"
fi
echo " $addr added to Black List"
done
}
@ -2552,8 +2617,8 @@ setup_blacklist() {
[ "$disposition" = REJECT ] && disposition=reject
while read subnet; do
expandv subnet
while read subnet protocol ports; do
expandv subnet protocol ports
process_blacklist_rec
done < $TMP_DIR/blacklist
@ -2576,8 +2641,8 @@ refresh_blacklist() {
run_iptables -F blacklst
while read subnet; do
expandv subnet
while read subnet protocol ports; do
expandv subnet protocol ports
process_blacklist_rec
done < $TMP_DIR/blacklist
fi
@ -2726,12 +2791,14 @@ initialize_netfilter () {
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
createchain newnotsyn no
run_user_exit newnotsyn
[ -n "$LOGNEWNOTSYN" ] && \
run_iptables -A newnotsyn -j LOG \
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
run_iptables -A newnotsyn -j DROP
if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no
run_user_exit newnotsyn
[ -n "$LOGNEWNOTSYN" ] && \
run_iptables -A newnotsyn -j LOG \
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
run_iptables -A newnotsyn -j DROP
fi
createchain icmpdef no
createchain common no
@ -2762,6 +2829,42 @@ initialize_netfilter () {
done
}
################################################################################
# Build the common chain -- called during [re]start and refresh #
################################################################################
build_common_chain() {
###########################################################################
# PING
#
[ -n "$FORWARDPING" ] && \
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
############################################################################
# Common ICMP rules
#
run_user_exit icmpdef
############################################################################
# Common rules in each chain
#
common=`find_file common`
if [ -f $common ]; then
. $common
else
. `find_file common.def`
fi
###########################################################################
# New Not Syn Stuff
#
if [ -n "$NEWNOTSYN" ]; then
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
fi
###########################################################################
# BROADCASTS
#
drop_broadcasts `find_broadcasts`
}
################################################################################
# Construct zone-independent rules #
################################################################################
@ -2825,37 +2928,17 @@ add_common_rules() {
echo " $interface"
done
fi
###########################################################################
# PING
#
[ -n "$FORWARDPING" ] && \
run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT
############################################################################
# Common ICMP rules
#
run_user_exit icmpdef
############################################################################
# Common rules in each chain
#
common=`find_file common`
if [ -f $common ]; then
. $common
else
. `find_file common.def`
fi
###########################################################################
# BROADCASTS
#
drop_broadcasts `find_broadcasts`
build_common_chain
###########################################################################
# DHCP
#
echo "Adding rules for DHCP"
for interface in `find_interfaces_by_option dhcp`; do
run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
done
###########################################################################
@ -3108,19 +3191,29 @@ activate_rules()
chain="`rules_chain $zone $zone1`"
if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then
have_canonical=Yes
else
have_canonical=
fi
for host in $source_hosts; do
interface=${host%:*}
subnet=${host#*:}
chain1=`forward_chain $interface`
case $interface in
*+*)
multi=yes
;;
*)
list_search $interface $multi_interfaces && multi=yes || multi=
;;
esac
if [ -n "$have_canonical" ]; then
multi=yes
else
case $interface in
*+*)
multi=yes
;;
*)
list_search $interface $multi_interfaces && multi=yes || multi=
;;
esac
fi
for host1 in $dest_hosts; do
interface1=${host1%:*}
@ -3303,25 +3396,8 @@ refresh_firewall()
run_iptables -F common
echo "Adding Common Rules"
###########################################################################
# PING
#
[ -n "$FORWARDPING" ] && \
run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT
############################################################################
# Common rules in each chain
#
common=`find_file common`
if [ -f $common ]; then
. $common
else
. `find_file common.def`
fi
###########################################################################
# BROADCASTS
#
drop_broadcasts `find_broadcasts`
build_common_chain
###########################################################################
# Blacklist
@ -3416,6 +3492,7 @@ do_initialize() {
DETECT_DNAT_IPADDRS=
MERGE_HOSTS=
MUTEX_TIMEOUT=
NEWNOTSYN=
LOGNEWNOTSYN=
FORWARDPING=
stopping=
@ -3495,6 +3572,7 @@ do_initialize() {
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
}
################################################################################
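Review bot: In process_blacklist_rec a PORTS value is silently ignored when PROTOCOL is neither TCP/UDP nor ICMP (the `*)` arm) and when PORTS is given without any PROTOCOL (the `else` after `esac`); in both cases add_blacklist_rule runs with an empty `$dport`, so the rule blocks the whole protocol or the whole address while the `echo " $addr added to Black List"` line still reports the ports as applied. I would reject such records instead, matching the fatal_error style used in setup_masq: `*) [ -n "$ports" ] && fatal_error "Error: PORTS may not be specified with protocol $protocol"` in the `*)` arm, and `[ -n "$ports" ] && fatal_error "Error: PORTS specified without PROTOCOL"` before the final add_blacklist_rule. process_blacklist_rec starts in the preceding hunk, so the `local` declarations and the `case $addr` that set `$source` are outside this one. Separately, build_common_chain's `[ -n "$NEWNOTSYN" ]` branch appends unconditional ACCEPTs for TCP packets with ACK or RST set to the common chain; a one-line comment there stating that this is the intended bypass for asymmetric routing/HA setups would make the security consequence of NEWNOTSYN=Yes visible where it takes effect.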


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.3.7c
VERSION=1.3.8
usage() # $1 = exit status
{


@ -3,22 +3,20 @@ fixes.
New features include:
1) The 'icmp.def' file is now empty! The rules in that file were
required in ipchains firewalls but are not required in Shorewall.
Users who have ALLOWRELATED=No in shorewall.conf should see the
Upgrade Issues.
2) A 'FORWARDPING' option has been added to shorewall.conf. The effect
of setting this variable to Yes is the same as the effect of adding
an ACCEPT rule for ICMP echo-request in
/etc/shorewall/icmpdef. Users who have such a rule in icmpdef are
encouraged to switch to FORWARDPING=Yes.
3) The loopback CLASS A Network (127.0.0.0/8) has been added to the
rfc1918 file.
4) Shorewall now works with iptables 1.2.7.
5) The documentation and Web site no longer use FrontPage themes.
I would like to thank John Distler for his valuable input regarding TCP
SYN and ICMP treatment in Shorewall. That input has led to marked
improvement in Shorewall in the last two releases.
1. A NEWNOTSYN option has been added to shorewall.conf. This option
determines whether Shorewall accepts TCP packets which are not part
of an established connection and that are not 'SYN' packets (SYN
flag on and ACK flag off).
2. The need for the 'multi' option to communicate between zones za and
zb on the same interface is removed in the case where the chain
'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
a. There is a policy for za to zb.
b. There is at least one rule for za to zb.
3. The /etc/shorewall/blacklist file now contains three columns. In
addition to the SUBNET/ADDRESS column, there are optional PROTOCOL
and PORT columns to block only certain applications from the
blacklisted addresses.


@ -339,6 +339,8 @@ MUTEX_TIMEOUT=60
#
# LOGGING 'New not SYN' rejects
#
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
@ -357,4 +359,21 @@ LOGNEWNOTSYN=
FORWARDPING=Yes
#
# NEWNOTSYN
#
# If this variable is set to "No" or "no", then When a TCP packet that does
# not have the SYN flag set and the ACK and RST flags clear then unless the
# packet is part of an established connection, it will be dropped by the
# firewall
#
# If this variable is set to "Yes" or "yes" then such packets will not be
# dropped but will pass through the normal rule processing.
#
# Users with a High-availability setup with two firewall's and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes.
NEWNOTSYN=No
#LAST LINE -- DO NOT REMOVE
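Review bot: The NEWNOTSYN description is garbled ("then When a TCP packet ... then unless") and understates what the Yes setting does: in the firewall script, NEWNOTSYN=Yes not only skips the newnotsyn chain but also appends ACCEPT rules for TCP packets with ACK or RST set to the common chain, which (if common is reached from the DROP/REJECT policy path, as its name suggests) means such packets are accepted rather than falling to the policy. I would reword the two paragraphs as `# If this variable is set to "No" or "no", a TCP packet that does not have the SYN flag set and has the ACK and RST flags clear is dropped by the firewall unless it is part of an established connection.` and `# If set to "Yes" or "yes", such packets are not dropped; TCP packets with ACK or RST set are additionally accepted in the common chain, so they are not rejected by a DROP/REJECT policy.`. The value is read by added_param_value_yes, so the accepted spellings should be stated to match what that helper recognises.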


@ -1,5 +1,5 @@
%define name shorewall
%define version 1.3.7c
%define version 1.3.8
%define release 1
%define prefix /usr
@ -76,6 +76,8 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Mon Sep 16 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.8
* Mon Sep 02 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.7c
* Mon Aug 26 2002 Tom Eastep <tom@shorewall.net>


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.7c
VERSION=1.3.8
usage() # $1 = exit status
{