From e3584b67edcd041553fd4ef85c630f168ccbaaf5 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 17 Mar 2004 21:37:58 +0000 Subject: [PATCH] Log prefix; set routeback on brige ports git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1199 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/firewall | 101 +++++++++++++++++++++++++++++--------------- Shorewall2/rules | 48 ++++++++++++++++++--- 2 files changed, 108 insertions(+), 41 deletions(-) diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 115d7c945..9d8efecf3 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -696,7 +696,7 @@ validate_interfaces_file() { # Validate the zone names and options in the hosts file # validate_hosts_file() { - local z hosts options r interface host option + local z hosts options r interface host option options1 bridge while read z hosts options; do expandv z hosts options @@ -712,22 +712,32 @@ validate_hosts_file() { hosts=${hosts#*:} for host in $(separate_list $hosts); do + bridge= + [ -n "$BRIDGING" ] && case $host in *:*) - eval ${iface}_is_bridge=Yes + bridge=Yes list_search ${host%:*} $all_interfaces && \ startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" ;; *.*.*.*) ;; *) + bridge=Yes eval ${iface}_is_bridge=Yes list_search $host $all_interfaces && \ startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" ;; esac - for option in $(separate_list $options); do + options1=$(separate_list $options) + + if [ -n "$bridge" ]; then + eval ${iface}_is_bridge=Yes + list_search routeback $options1 || options1="$options1 routeback" + fi + + for option in $options1 ; do case $option in maclist|-) ;; 
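Review bot: The `eval ${iface}_is_bridge=Yes` kept in the `*)` arm of the case is now redundant, because the new `if [ -n "$bridge" ]` block after the `esac` makes the same assignment for both bridge arms; dropping it from the arm leaves one place that marks an interface as a bridge. The block also silently appends `routeback` to the port's options whenever the hosts entry did not list it, which affects how traffic arriving on that port may be sent back out of it, so a comment such as `# bridge ports always get routeback, whether or not the hosts entry lists it` above the `list_search routeback` line would record that this is deliberate rather than an accident. validate_hosts_file's body continues outside the hunk.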
@@ -1012,21 +1022,32 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi local disposition=$3 local rulenum= local limit="${4:-$LOGLIMIT}" + local dx=""; + local logprefix="${5:-$dx}" + logprefix="$logprefix " - shift;shift;shift;shift + shift;shift;shift;shift;shift + + + if [ -n "$LOGRULENUMBERS" ]; then eval rulenum=\$${chain}_logrules [ -z "$rulenum" ] && rulenum=1 - + + logprefixtemp="$(printf "$LOGFORMAT" $chain $rulenum $disposition)$logprefix" + if [ ${#logprefixtemp} -gt 29 ]; then + logprefixtemp="$(echo $logprefixtemp |cut -b -29)" + echo " Logprefix too LONG ! cutting it to 29 : $logprefixtemp" + fi + case $level in ULOG) - eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"' + eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$logprefixtemp"' ;; *) - eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \ - --log-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"' + eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"$logprefixtemp"' ;; esac 
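Review bot: `logprefix="$logprefix "` appends a space unconditionally, so rules with no LOG PREFIX column now log `Shorewall:fw2lan:ACCEPT: ` followed by the kernel's `IN=` text instead of the previous `Shorewall:fw2lan:ACCEPT:` with nothing between; every existing log line changes and the separator costs one of the 29 characters even when nothing follows it, which anything matching on the old prefix (log parsers, alerting filters) will notice. Folding the three new declaration lines into `local logprefix="${5:+$5 }"` adds the separator only when a prefix is actually given and keeps the old format for everything else. `logprefixtemp` is also the only variable in the function not declared `local`, so it leaks into the caller's scope; add `local logprefixtemp=` next to the other locals. The same prefix-building and `cut -b -29` truncation block is repeated in the else branch in the next hunk (`@@ -1038`), so it is worth extracting into one helper both branches call. The function body continues outside the hunk.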
@@ -1038,13 +1059,21 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi eval ${chain}_logrules=$rulenum else + + logprefixtemp="$(printf "$LOGFORMAT" $chain $disposition)$logprefix" + if [ ${#logprefixtemp} -gt 29 ]; then + logprefixtemp="$(echo $logprefixtemp |cut -b -29)" + echo " Logprefix too LONG ! cutting it to 29 : $logprefixtemp" + fi + + case $level in ULOG) - eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"' + eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$logprefixtemp"' ;; *) - eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \ - --log-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"' + + eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"$logprefixtemp"' ;; esac @@ -1062,7 +1091,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo shift;shift;shift - log_rule_limit $level $chain $disposition "$LOGLIMIT" $@ + log_rule_limit $level $chain $disposition "$LOGLIMIT" "$logprefix" $@ } # @@ -2331,7 +2360,7 @@ add_an_action() for serv1 in $(separate_list $serv); do for srv in $(ip_range $serv1); do if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \ + log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logprefix" $userandgroup \ $(fix_bang $proto $sports $multiport $cli -d $srv $dports) fi @@ -2341,7 +2370,7 @@ add_an_action() done else if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \ + log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logprefix" $userandgroup \ $(fix_bang $proto $sports $multiport $cli $dports) fi 
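Review bot: `log_rule` now forwards `"$logprefix"` to `log_rule_limit`, but nothing in the hunk reads it from its own arguments: the function still does `shift;shift;shift` and its header still documents only level, chain and disposition, so the value comes from whatever `logprefix` variable happens to be set in the caller's scope. Meanwhile the add_nat_rule hunk (`@@ -2787`) calls `log_rule $loglevel $chain $logtarget "$logprefix" -t nat`, passing the prefix as a fourth positional that this function would leave in `$@` and hand to iptables as a predicate; with an empty prefix the unquoted `$@` silently drops it, with a non-empty one iptables receives a stray word. Unless the part of `log_rule` above the hunk now consumes `$4`, the fix is `local logprefix=$4` alongside the other locals and `shift;shift;shift;shift` here. log_rule's declarations start outside the hunk.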
@@ -2373,7 +2402,8 @@ process_action() # $1 = action local cports="$7" local ratelimit="$8" local userspec="$9" - local rule="$(echo $target $clients $servers $protocol $ports $cports $ratelimit)" + local logprefix="${10}" + local rule="$(echo $target $clients $servers $protocol $ports $cports $ratelimit $logprefix)" local userandgroup= if [ -n "$ratelimit" ]; then @@ -2579,7 +2609,7 @@ process_actions1() { if [ -f $fn ]; then echo " Pre-processing $fn..." strip_file $f $fn - while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do + while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec xlogprefix; do expandv xtarget temp="${xtarget%:*}" case "${temp%<*}" in @@ -2589,7 +2619,7 @@ process_actions1() { if list_search $temp $ACTIONS; then eval requiredby_${xaction}=\"\$requiredby_${xaction} $temp\" else - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)" + rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xlogprefix)" fatal_error "Invalid TARGET in rule \"$rule\"" fi ;; @@ -2623,7 +2653,7 @@ process_actions2() { if [ "${ysourcezone}" != "${ydestzone}" ] ; then eval ypolicy=\$${ysourcezone}2${ydestzone}_policy if [ "$ypolicy" != NONE ] ; then - process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec + process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec $xlogprefix fi fi done @@ -2631,7 +2661,7 @@ process_actions2() { } do_it() { - expandv xclients xservers xprotocol xports xcports xratelimit xuserspec + expandv xclients xservers xprotocol xports xcports xratelimit xuserspec xlogprefix if [ "x$xclients" = xall ]; then xclients="$zones $FW" 
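Review bot: The variable list in the new `while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec xlogprefix; do` of process_actions1 still contains `$xuserspec` with a dollar sign, so it is expanded (to nothing, unless that variable holds a name) rather than naming a variable; `read` then has only eight names before `xlogprefix`, the USER/GROUP column lands in `xlogprefix`, and any real LOG PREFIX column is appended to it as the remainder of the line. That misreads the new column in action files exactly where it is being added, while `process_rules` (`@@ -3431`) gets the same list right. The same `$xuserspec` appears in the `@@ -2681` hunk of process_actions2; both lines should read `while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec xlogprefix; do`. The `$` predates this change, but the hunk touches the line and the added column makes the mis-assignment visible.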
@@ -2648,7 +2678,7 @@ process_actions2() { continue fi - process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec + process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xlogprefix } # @@ -2681,7 +2711,7 @@ process_actions2() { fn=$(find_file $f) echo "Processing $fn..." - while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do + while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec xlogprefix; do do_it done < $TMP_DIR/$f ;; @@ -2787,14 +2817,14 @@ add_nat_rule() { done if [ -n "$loglevel" ]; then - log_rule $loglevel $chain $logtarget -t nat + log_rule $loglevel $chain $logtarget "$logprefix" -t nat fi addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection else for adr in $(separate_list $addr); do if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" -t nat \ + log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" "$logprefix" -t nat \ $(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports) fi @@ -2825,7 +2855,7 @@ add_nat_rule() { done if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat + log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" -t nat fi addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection @@ -2833,7 +2863,7 @@ add_nat_rule() { for adr in $(separate_list $addr); do if [ -n "$loglevel" ]; then ensurenatchain $chain - log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" -t nat \ $(fix_bang $proto $cli $sports -d $adr $multiport $dports) fi 
@@ -3041,7 +3071,7 @@ add_a_rule() if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then for adr in $(separate_list $addr); do if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" -m conntrack --ctorigdst $adr \ $userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports) fi @@ -3050,7 +3080,7 @@ add_a_rule() done else if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" $userandgroup \ $(fix_bang $proto $sports $multiport $cli -d $srv $dports) fi @@ -3061,7 +3091,7 @@ add_a_rule() done else if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" $userandgroup \ $(fix_bang $proto $sports $multiport $cli $dports) fi @@ -3080,7 +3110,7 @@ add_a_rule() if [ $COMMAND != check ]; then if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" $userandgroup \ $(fix_bang $proto $multiport $dest_interface $cli $sports $dports) fi @@ -3114,8 +3144,9 @@ process_rule() # $1 = target local address="$7" local ratelimit="$8" local userspec="$9" + local logprefix="${10}" local userandgroup= - local rule="$(echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userspec)" + local rule="$(echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userspec $logprefix)" # Function Body - isolate rate limit 
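Review bot: `local logprefix="${10}"` in process_rule takes the LOG PREFIX column verbatim, and nothing in the hunk turns the `-` placeholder into an empty value; a rule written with `-` in that column (the convention the examples in rules use for the other optional columns) would, as far as the visible code goes, get a literal `-` in its log prefix. If the rest of process_rule does not already normalise it, `[ "$logprefix" = - ] && logprefix=` after the declaration keeps the column consistent with the others; the same applies to `local logprefix="${10}"` in process_action (`@@ -2373`). process_rule's body continues outside the hunk.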
@@ -3406,7 +3437,7 @@ process_rules() if [ "${ysourcezone}" != "${ydestzone}" ] ; then eval ypolicy=\$${ysourcezone}2${ydestzone}_policy if [ "$ypolicy" != NONE ] ; then - process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xlogprefix fi fi done @@ -3414,7 +3445,7 @@ process_rules() } do_it() { - expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec + expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec xlogprefix if [ "x$xclients" = xall ]; then xclients="$zones $FW" @@ -3431,10 +3462,10 @@ process_rules() continue fi - process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xlogprefix } - while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do + while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec xlogprefix; do temp="${xtarget%:*}" case "${temp%<*}" in ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) @@ -3449,7 +3480,7 @@ process_rules() do_it else - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" + rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xlogprefix)" fatal_error "Invalid Action in rule \"$rule\"" fi ;; diff --git a/Shorewall2/rules b/Shorewall2/rules index 3d4adb7c5..cb2f3b63e 100755 --- a/Shorewall2/rules +++ b/Shorewall2/rules @@ -208,7 +208,7 @@ # address is not altered. # # RATE LIMIT You may rate-limit the rule by placing a value in -# this colume: +# this column: # # /[:] # 
@@ -240,6 +240,29 @@ # !:kids #program must not be run by a member # #of the 'kids' group # +# +# LOGPREFIX You may add a specific log prefix to rules which are +# already logged (see the ACTIONS paragraph) by adding +# a word in this column. Spaces are not allowed, but +# underscores are. +# +# Examples: +# +# pingw # print Shorewall:fw2lan:ACCEPT:pingw +# mailo # print Shorewall:fw2lan:ACCEPT:mailo +# ma_ou # print Shorewall:fw2lan:ACCEPT:ma_ou +# +# +# The default log format is LOGFORMAT="Shorewall:%s:%s:" +# You might want to reduce it to something shorter to +# allow you longer logprefixes. (in shorewall.conf : +# LOGFORMAT="Sw:%s:%s:" or something similar) +# (the total lenght permitted by iptables is 29 chars.) +# Shorewall:fw2lan:ACCEPT is already 23 chars. +# +# +# +# # Example: Accept SMTP requests from the DMZ to the internet # # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL @@ -257,9 +280,9 @@ # to local system 192.168.1.3 with a limit of 3 per second and # a maximum burst of 10 # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# DNAT<3/sec:10> net loc:192.168.1.3 tcp http +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE +# # PORT PORT(S) DEST LIMIT +# DNAT net loc:192.168.1.3 tcp http - - <3/sec:10> # # Example: Redirect all locally-originating www connection requests to # port 3128 on the firewall (Squid running on the firewall 
@@ -283,7 +306,20 @@ # # PORT PORT(S) DEST # ACCEPT net:130.252.100.69,130.252.100.70 fw \ # tcp 22 +# +# Example: You want to explicitly log when a user named bob use https +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ LOG +# # PORT PORT(S) DEST LIMIT GROUP PREFIX +# ACCEPT:debug fw lan tcp 443 - - - bob hs_bob +# +# Example: You want to explicitly log outgoing pings +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ LOG +# # PORT PORT(S) DEST LIMIT GROUP PREFIX +# ACCEPT:debug fw lan icmp 8 - - - - p_out + + + #################################################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# PORT PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ LOG +# PORT PORT(S) DEST LIMIT GROUP PREFIX #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE