From e940f5018e26dbccdfe5ff31b1ddb06dc61581ba Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 18 May 2011 08:30:01 -0700 Subject: [PATCH] Implement whitelisting. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Misc.pm | 24 +++++++++++----- Shorewall/changelog.txt | 2 ++ Shorewall/releasenotes.txt | 7 ++++- docs/Documentation_Index.xml | 6 ++-- docs/blacklisting_support.xml | 46 ++++++++++++++++++------------ manpages/shorewall-blacklist.xml | 8 +++++- manpages6/shorewall6-blacklist.xml | 8 +++++- 7 files changed, 70 insertions(+), 31 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index f3dda3f2e..f14701529 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -247,9 +247,19 @@ sub setup_blacklist() { $options = 'src' if $options eq '-'; - my ( $to, $from ) = ( 0, 0 ); + my ( $to, $from, $whitelist ) = ( 0, 0, 0 ); - for ( split /,/, $options ) { + my @options = split_list $options, 'option'; + + for ( @options ) { + $whitelist++ if $_ eq 'whitelist'; + } + + warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1; + + my $tgt = $whitelist ? 'RETURN' : $target; + + for ( @options ) { if ( $_ =~ /^(?:from|src)$/ ) { if ( $from++ ) { warning_message "Duplicate 'src' ignored"; @@ -262,9 +272,9 @@ sub setup_blacklist() { $networks, '', '' , - $target , + $tgt , '' , - $target , + $tgt , '' ); } else { warning_message '"src" entry ignored because there are no "blacklist in" zones'; @@ -282,15 +292,15 @@ sub setup_blacklist() { '', $networks, '' , - $target , + $tgt , '' , - $target , + $tgt , '' ); } else { warning_message '"dst" entry ignored because there are no "blacklist out" zones'; } } - } else { + } elsif ( $_ ne 'whitelist' ) { fatal_error "Invalid blacklist option($_)"; } } diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 7c6ba705f..7d53e7790 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt 
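Review bot: In the first Misc.pm hunk, an entry whose OPTIONS column is just `whitelist` silently generates no rule at all: the `$options = 'src' if $options eq '-'` default does not fire, neither `src` nor `dst` ends up in @options, and the new `elsif ( $_ ne 'whitelist' )` branch at the end of the loop only suppresses the fatal_error, so the host is never exempted and the blacklist entries that follow still match it even though the user believes it is whitelisted. Since `src` is already the documented default for `-`, apply the same default when every option is `whitelist` — after the counting loop add `push @options, 'src' if $whitelist == @options;` — or reject the bare option with a fatal_error so the misconfiguration is visible at compile time. The `my $tgt = $whitelist ? 'RETURN' : $target;` line would also benefit from a comment making the semantics explicit, e.g. `# RETURN only leaves the blacklist chain: a whitelisted packet skips the entries that follow in this file but is still subject to the rest of the ruleset`. setup_blacklist() begins before and continues after this hunk, and the matching `dst` branch lies outside it, so the same check presumably applies there.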
@@ -8,6 +8,8 @@ Changes in Shorewall 4.4.20 Beta 2 4) Implemented NFLOG accounting action. +5) Implement 'whitelist' option. + Changes in Shorewall 4.4.20 Beta 1 1) Apply Togan's patch for installation flexibility. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index f75eface1..0aaacf425 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -51,7 +51,12 @@ All bug fixes from 4.4.19.1 - 4.4.19.4. 3) An NFLOG 'ACTION' has been added to the accounting file to allow sending matching packets (or the leading part of them) to backend - accounting daemons via a netlink socket. + accounting daemons via a netlink socket. + +4) A 'whitelist' option has been added to the blacklist file. When + 'whitelist' is specified, packets/connections matching the entry + are not matched against the entries which follow. No logging of + whitelisted packets/connections is performed. ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml index dc12edcfb..c8e2126d1 100644 --- a/docs/Documentation_Index.xml +++ b/docs/Documentation_Index.xml @@ -124,7 +124,7 @@ Blacklisting + url="blacklisting_support.htm">Blacklisting/Whitelisting Masquerading @@ -265,8 +265,8 @@ Port Forwarding - White List - Creation + White + List Creation diff --git a/docs/blacklisting_support.xml b/docs/blacklisting_support.xml index 0ef13ac94..ca761f5da 100644 --- a/docs/blacklisting_support.xml +++ b/docs/blacklisting_support.xml @@ -5,7 +5,7 @@ - Shorewall Blacklisting Support + Shorewall Blacklisting/Whitelisting Support @@ -22,6 +22,8 @@ 2010 + 2011 + Thomas M. Eastep 
@@ -66,10 +68,10 @@ - Only the source address is checked against - the blacklists. Blacklists only stop blacklisted hosts from - connecting to you — they do not stop you or your users from connecting - to blacklisted hosts . + By default, only the source address is + checked against the blacklists. Blacklists only stop + blacklisted hosts from connecting to you — they do not stop you or your + users from connecting to blacklisted hosts . @@ -106,36 +108,31 @@ You specify whether you want packets from blacklisted hosts dropped or rejected using the BLACKLIST_DISPOSITION setting in /etc/shorewall/shorewall.conf. + url="manpages/shorewall.conf.html">shorewall.conf(5). You specify whether you want packets from blacklisted hosts logged and at what syslog level using the BLACKLIST_LOGLEVEL setting in /etc/shorewall/shorewall.conf. + url="manpages/shorewall.conf.html">shorewall.conf(5). You list the IP addresses/subnets that you wish to blacklist in /etc/shorewall/blacklist. - You may also specify PROTOCOL and Port numbers/Service names in the - blacklist file. + url="manpages/shorewall-blacklist.html">shorewall-blacklist + (5). You may also specify PROTOCOL and Port numbers/Service names in + the blacklist file. You specify the interfaces whose incoming packets you want checked against the blacklist using the blacklist option in /etc/shorewall/interfaces. - - - - The black list is refreshed from - /etc/shorewall/blacklist by the shorewall - refresh command. + url="manpages/shorewall-interfaces.html">shorewall-interfaces(5) + (shorewall-zones(5) + in Shorewall 4.4.12 and later). @@ -176,6 +173,19 @@ ipset -B Blacklist 206.124.146.177 -b SMTP This will blacklist SMTP traffic from host 206.124.146.177. +
+ Static Whitelisting + + Beginning with Shorewall 4.4.20, you can create + whitelist entries in the blacklist file. + Connections/packets matching a whitelist entry are not matched against the + entries in the blacklist file that follow. Whitelist entries are created + using the whitelist option (OPTIONS + column). See shorewall-blacklist + (5). +
+
Dynamic Blacklisting diff --git a/manpages/shorewall-blacklist.xml b/manpages/shorewall-blacklist.xml index 89512525f..b455cc00c 100644 --- a/manpages/shorewall-blacklist.xml +++ b/manpages/shorewall-blacklist.xml @@ -78,7 +78,7 @@ OPTIONS (Optional - Added in 4.4.12) - - {-|{dst|src}[,...]} + {-|{dst|src|whitelist}[,...]} If specified, indicates whether traffic @@ -122,6 +122,12 @@ + + In Shorewall 4.4.20, the whitelist option was added. When whitelist is specified, packets/connections + that match the entry are not matched against the remaining entries + in the file. diff --git a/manpages6/shorewall6-blacklist.xml b/manpages6/shorewall6-blacklist.xml index 421fad3fc..ac8a79ca5 100644 --- a/manpages6/shorewall6-blacklist.xml +++ b/manpages6/shorewall6-blacklist.xml @@ -78,7 +78,7 @@ OPTIONS (Optional - Added in 4.4.12) - - {-|{dst|src}[,...]} + {-|{dst|src|whitelist}[,...]} If specified, indicates whether traffic @@ -122,6 +122,12 @@ + + In Shorewall 4.4.20, the whitelist option was added. When whitelist is specified, packets/connections + that match the entry are not matched against the remaining entries + in the file.