Implement whitelisting.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-05-18 08:30:01 -07:00
parent 8ec33cd6dd
commit e940f5018e
7 changed files with 70 additions and 31 deletions

View File

@ -247,9 +247,19 @@ sub setup_blacklist() {
$options = 'src' if $options eq '-'; $options = 'src' if $options eq '-';
my ( $to, $from ) = ( 0, 0 ); my ( $to, $from, $whitelist ) = ( 0, 0, 0 );
for ( split /,/, $options ) { my @options = split_list $options, 'option';
for ( @options ) {
$whitelist++ if $_ eq 'whitelist';
}
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
my $tgt = $whitelist ? 'RETURN' : $target;
for ( @options ) {
if ( $_ =~ /^(?:from|src)$/ ) { if ( $_ =~ /^(?:from|src)$/ ) {
if ( $from++ ) { if ( $from++ ) {
warning_message "Duplicate 'src' ignored"; warning_message "Duplicate 'src' ignored";
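Review bot: An OPTIONS value of just `whitelist` (no `src`/`dst`) yields no rule and no diagnostic. `$options = 'src' if $options eq '-'` only rewrites the bare `-`, so for `whitelist` alone `$from` and `$to` stay 0 and the main loop, which now lets the word through via `elsif ( $_ ne 'whitelist' )`, never reaches an expand_rule call for the entry; the line is silently dropped. Suggest applying the same default as for `-`, e.g. `push @options, 'src' unless grep { /^(?:from|src|to|dst)$/ } @options;` right after the duplicate check, or at least a warning_message. Also worth a one-line comment at `my $tgt = $whitelist ? 'RETURN' : $target;` that RETURN deliberately bypasses the `$target` log chain as well as the disposition, since that is the "no logging" behaviour the release note promises and nothing in the code says it is intentional.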
@ -262,9 +272,9 @@ sub setup_blacklist() {
$networks, $networks,
'', '',
'' , '' ,
$target , $tgt ,
'' , '' ,
$target , $tgt ,
'' ); '' );
} else { } else {
warning_message '"src" entry ignored because there are no "blacklist in" zones'; warning_message '"src" entry ignored because there are no "blacklist in" zones';
@ -282,15 +292,15 @@ sub setup_blacklist() {
'', '',
$networks, $networks,
'' , '' ,
$target , $tgt ,
'' , '' ,
$target , $tgt ,
'' ); '' );
} else { } else {
warning_message '"dst" entry ignored because there are no "blacklist out" zones'; warning_message '"dst" entry ignored because there are no "blacklist out" zones';
} }
} }
} else { } elsif ( $_ ne 'whitelist' ) {
fatal_error "Invalid blacklist option($_)"; fatal_error "Invalid blacklist option($_)";
} }
} }

View File

@ -8,6 +8,8 @@ Changes in Shorewall 4.4.20 Beta 2
4) Implemented NFLOG accounting action. 4) Implemented NFLOG accounting action.
5) Implement 'whitelist' option.
Changes in Shorewall 4.4.20 Beta 1 Changes in Shorewall 4.4.20 Beta 1
1) Apply Togan's patch for installation flexibility. 1) Apply Togan's patch for installation flexibility.

View File

@ -53,6 +53,11 @@ All bug fixes from 4.4.19.1 - 4.4.19.4.
sending matching packets (or the leading part of them) to backend sending matching packets (or the leading part of them) to backend
accounting daemons via a netlink socket. accounting daemons via a netlink socket.
4) A 'whitelist' option has been added to the blacklist file. When
'whitelist' is specified, packets/connections matching the entry
are not matched against the entries which follow. No logging of
whitelisted packets/connections is performed.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S I V. R E L E A S E 4 . 4 H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------

View File

@ -124,7 +124,7 @@
<row> <row>
<entry><ulink <entry><ulink
url="blacklisting_support.htm">Blacklisting</ulink></entry> url="blacklisting_support.htm">Blacklisting/Whitelisting</ulink></entry>
<entry><ulink <entry><ulink
url="two-interface.htm#SNAT">Masquerading</ulink></entry> url="two-interface.htm#SNAT">Masquerading</ulink></entry>
@ -265,8 +265,8 @@
<entry><ulink url="two-interface.htm#DNAT">Port <entry><ulink url="two-interface.htm#DNAT">Port
Forwarding</ulink></entry> Forwarding</ulink></entry>
<entry><ulink url="whitelisting_under_shorewall.htm">White List <entry><ulink url="blacklisting_support.htm#whitelisting">White
Creation</ulink></entry> List Creation</ulink></entry>
</row> </row>
<row> <row>
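Review bot: The "White List Creation" entry now points at blacklisting_support.htm#whitelisting and the link to whitelisting_under_shorewall.htm disappears from this table. If that page is not being retired, it loses its index entry here; either keep a second row for it or add a cross-reference to it from the new section, since "whitelist" in the blacklist file is a different mechanism from a whitelist-style policy setup.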

View File

@ -5,7 +5,7 @@
<!--$Id$--> <!--$Id$-->
<articleinfo> <articleinfo>
<title>Shorewall Blacklisting Support</title> <title>Shorewall Blacklisting/Whitelisting Support</title>
<authorgroup> <authorgroup>
<author> <author>
@ -22,6 +22,8 @@
<year>2010</year> <year>2010</year>
<year>2011</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -66,10 +68,10 @@
</orderedlist> </orderedlist>
<important> <important>
<para><emphasis role="bold">Only the source address is checked against <para><emphasis role="bold">By default, only the source address is
the blacklists</emphasis>. Blacklists only stop blacklisted hosts from checked against the blacklists</emphasis>. Blacklists only stop
connecting to you — they do not stop you or your users from connecting blacklisted hosts from connecting to you — they do not stop you or your
to blacklisted hosts .</para> users from connecting to blacklisted hosts .</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -106,36 +108,31 @@
<listitem> <listitem>
<para>You specify whether you want packets from blacklisted hosts <para>You specify whether you want packets from blacklisted hosts
dropped or rejected using the BLACKLIST_DISPOSITION setting in <ulink dropped or rejected using the BLACKLIST_DISPOSITION setting in <ulink
url="manpages/shorewall.conf.html"><filename>/etc/shorewall/shorewall.conf</filename>.</ulink></para> url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
<para>You specify whether you want packets from blacklisted hosts <para>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
in <ulink in <ulink
url="manpages/shorewall.conf.html"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para> url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para>
</listitem> </listitem>
<listitem> <listitem>
<para>You list the IP addresses/subnets that you wish to blacklist in <para>You list the IP addresses/subnets that you wish to blacklist in
<ulink <ulink
url="manpages/shorewall-blacklist.html"><filename>/etc/shorewall/blacklist</filename></ulink>. url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
You may also specify PROTOCOL and Port numbers/Service names in the (5). You may also specify PROTOCOL and Port numbers/Service names in
blacklist file.</para> the blacklist file.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>You specify the interfaces whose incoming packets you want <para>You specify the interfaces whose incoming packets you want
checked against the blacklist using the <quote>blacklist</quote> checked against the blacklist using the <quote>blacklist</quote>
option in <ulink option in <ulink
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>.</para> url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
</listitem> (<ulink url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
in Shorewall 4.4.12 and later).</para>
<listitem>
<para>The black list is refreshed from
<filename>/etc/shorewall/blacklist</filename> by the <quote><ulink
url="starting_and_stopping_shorewall.htm"><command>shorewall
refresh</command></ulink></quote> command.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
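Review bot: The list item describing the `shorewall refresh` command is dropped here, which is unrelated to whitelisting and is not mentioned in the changelog or release-notes hunks of this commit. If refresh still reloads the black list, keep the item; if the removal is deliberate, record it in the changelog. Minor: the "(5)" placement is inconsistent within the hunk, inside the ulink for shorewall.conf (`<filename>shorewall.conf</filename>(5).</ulink>`) but outside it for the other three entries (`</ulink>(5).`, `</ulink>\n(5).`); pick one form.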
@ -176,6 +173,19 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para> <para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
</section> </section>
<section id="whitelisting">
<title>Static Whitelisting</title>
<para>Beginning with Shorewall 4.4.20, you can create
<firstterm>whitelist</firstterm> entries in the blacklist file.
Connections/packets matching a whitelist entry are not matched against the
entries in the blacklist file that follow. Whitelist entries are created
using the <emphasis role="bold">whitelist</emphasis> option (OPTIONS
column). See <ulink
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
(5).</para>
</section>
<section id="Dynamic"> <section id="Dynamic">
<title>Dynamic Blacklisting</title> <title>Dynamic Blacklisting</title>
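Review bot: The new Static Whitelisting section should say explicitly that file order matters, i.e. a whitelist entry exempts traffic only from the entries placed after it, so it must appear above the blacklist entries it is meant to override, and that whitelisted packets are not logged (the release-notes hunk states this, this page does not). A one-line example in the file's column layout would make both points, e.g. a whitelist entry such as `10.0.0.0/8 - - whitelist` placed before the entries it overrides (addresses illustrative).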

View File

@ -78,7 +78,7 @@
<varlistentry> <varlistentry>
<term>OPTIONS (Optional - Added in 4.4.12) - <term>OPTIONS (Optional - Added in 4.4.12) -
{-|{dst|src}[,...]}</term> {-|{dst|src|whitelist}[,...]}</term>
<listitem> <listitem>
<para>If specified, indicates whether traffic <para>If specified, indicates whether traffic
@ -122,6 +122,12 @@
</listitem> </listitem>
</orderedlist> </orderedlist>
</note> </note>
<para>In Shorewall 4.4.20, the <emphasis
role="bold">whitelist</emphasis> option was added. When <emphasis
role="bold">whitelist</emphasis> is specified, packets/connections
that match the entry are not matched against the remaining entries
in the file.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
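Review bot: The man page text for `whitelist` omits two behaviours a user needs: whitelisted packets are not logged (stated in the release notes but not here), and the exemption applies only to entries that follow, so placement in the file matters. Suggest extending the added paragraph with both, and note that the OPTIONS term now lists `whitelist` while the opening "If specified, indicates whether traffic ..." sentence still describes only the `src`/`dst` meaning. The identical hunk in the next file (the IPv6 copy of this page) needs the same wording.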

View File

@ -78,7 +78,7 @@
<varlistentry> <varlistentry>
<term>OPTIONS (Optional - Added in 4.4.12) - <term>OPTIONS (Optional - Added in 4.4.12) -
{-|{dst|src}[,...]}</term> {-|{dst|src|whitelist}[,...]}</term>
<listitem> <listitem>
<para>If specified, indicates whether traffic <para>If specified, indicates whether traffic
@ -122,6 +122,12 @@
</listitem> </listitem>
</orderedlist> </orderedlist>
</note> </note>
<para>In Shorewall 4.4.20, the <emphasis
role="bold">whitelist</emphasis> option was added. When <emphasis
role="bold">whitelist</emphasis> is specified, packets/connections
that match the entry are not matched against the remaining entries
in the file.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>