Implement whitelisting.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-05-18 08:30:01 -07:00
parent 8ec33cd6dd
commit e940f5018e
7 changed files with 70 additions and 31 deletions

View File

@ -247,9 +247,19 @@ sub setup_blacklist() {
$options = 'src' if $options eq '-'; $options = 'src' if $options eq '-';
my ( $to, $from ) = ( 0, 0 ); my ( $to, $from, $whitelist ) = ( 0, 0, 0 );
for ( split /,/, $options ) { my @options = split_list $options, 'option';
for ( @options ) {
$whitelist++ if $_ eq 'whitelist';
}
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
my $tgt = $whitelist ? 'RETURN' : $target;
for ( @options ) {
if ( $_ =~ /^(?:from|src)$/ ) { if ( $_ =~ /^(?:from|src)$/ ) {
if ( $from++ ) { if ( $from++ ) {
warning_message "Duplicate 'src' ignored"; warning_message "Duplicate 'src' ignored";
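Review bot: the separate pre-pass over @options that sets $whitelist (and hence $tgt) before the src/dst loop deserves a one-line comment explaining that it is deliberate: $tgt has to be fixed before the first src or dst rule is emitted, otherwise `src,whitelist` and `whitelist,src` would generate different rules. Without the comment the next reader is likely to fold it into the main loop as a "simplification". It would also help to note that RETURN leaves the blacklist chain, so a matching packet never reaches the entries below it or the chain's final disposition.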
@ -262,9 +272,9 @@ sub setup_blacklist() {
$networks, $networks,
'', '',
'' , '' ,
$target , $tgt ,
'' , '' ,
$target , $tgt ,
'' ); '' );
} else { } else {
warning_message '"src" entry ignored because there are no "blacklist in" zones'; warning_message '"src" entry ignored because there are no "blacklist in" zones';
@ -282,15 +292,15 @@ sub setup_blacklist() {
'', '',
$networks, $networks,
'' , '' ,
$target , $tgt ,
'' , '' ,
$target , $tgt ,
'' ); '' );
} else { } else {
warning_message '"dst" entry ignored because there are no "blacklist out" zones'; warning_message '"dst" entry ignored because there are no "blacklist out" zones';
} }
} }
} else { } elsif ( $_ ne 'whitelist' ) {
fatal_error "Invalid blacklist option($_)"; fatal_error "Invalid blacklist option($_)";
} }
} }
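Review bot: with `} elsif ( $_ ne 'whitelist' )` an OPTIONS column that reads only `whitelist` is accepted without complaint but emits no rule at all: the `$options = 'src' if $options eq '-'` default earlier in this function only fires on a literal `-`, and neither the src nor the dst branch runs for a bare `whitelist`. Either default to `src` when `whitelist` is the only option, or raise a warning_message that the entry was ignored, the way the src/dst branches already do for the "no blacklist zones" case.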

View File

@ -8,6 +8,8 @@ Changes in Shorewall 4.4.20 Beta 2
4) Implemented NFLOG accounting action. 4) Implemented NFLOG accounting action.
5) Implement 'whitelist' option.
Changes in Shorewall 4.4.20 Beta 1 Changes in Shorewall 4.4.20 Beta 1
1) Apply Togan's patch for installation flexibility. 1) Apply Togan's patch for installation flexibility.

View File

@ -51,7 +51,12 @@ All bug fixes from 4.4.19.1 - 4.4.19.4.
3) An NFLOG 'ACTION' has been added to the accounting file to allow 3) An NFLOG 'ACTION' has been added to the accounting file to allow
sending matching packets (or the leading part of them) to backend sending matching packets (or the leading part of them) to backend
accounting daemons via a netlink socket. accounting daemons via a netlink socket.
4) A 'whitelist' option has been added to the blacklist file. When
'whitelist' is specified, packets/connections matching the entry
are not matched against the entries which follow. No logging of
whitelisted packets/connections is performed.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S I V. R E L E A S E 4 . 4 H I G H L I G H T S

View File

@ -124,7 +124,7 @@
<row> <row>
<entry><ulink <entry><ulink
url="blacklisting_support.htm">Blacklisting</ulink></entry> url="blacklisting_support.htm">Blacklisting/Whitelisting</ulink></entry>
<entry><ulink <entry><ulink
url="two-interface.htm#SNAT">Masquerading</ulink></entry> url="two-interface.htm#SNAT">Masquerading</ulink></entry>
@ -265,8 +265,8 @@
<entry><ulink url="two-interface.htm#DNAT">Port <entry><ulink url="two-interface.htm#DNAT">Port
Forwarding</ulink></entry> Forwarding</ulink></entry>
<entry><ulink url="whitelisting_under_shorewall.htm">White List <entry><ulink url="blacklisting_support.htm#whitelisting">White
Creation</ulink></entry> List Creation</ulink></entry>
</row> </row>
<row> <row>
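Review bot: the index now points "White List Creation" at blacklisting_support.htm#whitelisting, but the page it used to point at, whitelisting_under_shorewall.htm, is not among the seven files touched by this commit, so the old article stays reachable by direct link with guidance that may now diverge from the new section. Either retire that page or add a pointer from it to the new section.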

View File

@ -5,7 +5,7 @@
<!--$Id$--> <!--$Id$-->
<articleinfo> <articleinfo>
<title>Shorewall Blacklisting Support</title> <title>Shorewall Blacklisting/Whitelisting Support</title>
<authorgroup> <authorgroup>
<author> <author>
@ -22,6 +22,8 @@
<year>2010</year> <year>2010</year>
<year>2011</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -66,10 +68,10 @@
</orderedlist> </orderedlist>
<important> <important>
<para><emphasis role="bold">Only the source address is checked against <para><emphasis role="bold">By default, only the source address is
the blacklists</emphasis>. Blacklists only stop blacklisted hosts from checked against the blacklists</emphasis>. Blacklists only stop
connecting to you — they do not stop you or your users from connecting blacklisted hosts from connecting to you — they do not stop you or your
to blacklisted hosts .</para> users from connecting to blacklisted hosts .</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -106,36 +108,31 @@
<listitem> <listitem>
<para>You specify whether you want packets from blacklisted hosts <para>You specify whether you want packets from blacklisted hosts
dropped or rejected using the BLACKLIST_DISPOSITION setting in <ulink dropped or rejected using the BLACKLIST_DISPOSITION setting in <ulink
url="manpages/shorewall.conf.html"><filename>/etc/shorewall/shorewall.conf</filename>.</ulink></para> url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
<para>You specify whether you want packets from blacklisted hosts <para>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
in <ulink in <ulink
url="manpages/shorewall.conf.html"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para> url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para>
</listitem> </listitem>
<listitem> <listitem>
<para>You list the IP addresses/subnets that you wish to blacklist in <para>You list the IP addresses/subnets that you wish to blacklist in
<ulink <ulink
url="manpages/shorewall-blacklist.html"><filename>/etc/shorewall/blacklist</filename></ulink>. url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
You may also specify PROTOCOL and Port numbers/Service names in the (5). You may also specify PROTOCOL and Port numbers/Service names in
blacklist file.</para> the blacklist file.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>You specify the interfaces whose incoming packets you want <para>You specify the interfaces whose incoming packets you want
checked against the blacklist using the <quote>blacklist</quote> checked against the blacklist using the <quote>blacklist</quote>
option in <ulink option in <ulink
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>.</para> url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
</listitem> (<ulink url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
in Shorewall 4.4.12 and later).</para>
<listitem>
<para>The black list is refreshed from
<filename>/etc/shorewall/blacklist</filename> by the <quote><ulink
url="starting_and_stopping_shorewall.htm"><command>shorewall
refresh</command></ulink></quote> command.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
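Review bot: the list item saying the black list is refreshed from the blacklist file by "shorewall refresh" is removed here and not re-added anywhere in the diff. If refresh still reloads the file (nothing in this commit suggests otherwise), that is a documentation regression; keep the item, ideally with the manpage-style shorewall-blacklist(5) reference the surrounding items were converted to.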
@ -176,6 +173,19 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para> <para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
</section> </section>
<section id="whitelisting">
<title>Static Whitelisting</title>
<para>Beginning with Shorewall 4.4.20, you can create
<firstterm>whitelist</firstterm> entries in the blacklist file.
Connections/packets matching a whitelist entry are not matched against the
entries in the blacklist file that follow. Whitelist entries are created
using the <emphasis role="bold">whitelist</emphasis> option (OPTIONS
column). See <ulink
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
(5).</para>
</section>
<section id="Dynamic"> <section id="Dynamic">
<title>Dynamic Blacklisting</title> <title>Dynamic Blacklisting</title>
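Review bot: the new "Static Whitelisting" section states the rule but leaves out the two things a reader needs in practice: that order in the file matters (a whitelist entry exempts traffic only from the entries below it, entries above it still apply), and that whitelisted traffic is not logged, which the release notes in this same commit state but this section does not. A two-line example would make the ordering concrete, e.g. a `192.0.2.10 - - whitelist` line placed above a `192.0.2.0/24 - - src` line, using the ADDRESS/SUBNET, PROTOCOL, PORT and OPTIONS columns the page already describes.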

View File

@ -78,7 +78,7 @@
<varlistentry> <varlistentry>
<term>OPTIONS (Optional - Added in 4.4.12) - <term>OPTIONS (Optional - Added in 4.4.12) -
{-|{dst|src}[,...]}</term> {-|{dst|src|whitelist}[,...]}</term>
<listitem> <listitem>
<para>If specified, indicates whether traffic <para>If specified, indicates whether traffic
@ -122,6 +122,12 @@
</listitem> </listitem>
</orderedlist> </orderedlist>
</note> </note>
<para>In Shorewall 4.4.20, the <emphasis
role="bold">whitelist</emphasis> option was added. When <emphasis
role="bold">whitelist</emphasis> is specified, packets/connections
that match the entry are not matched against the remaining entries
in the file.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
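Review bot: the added paragraph describes the whitelist option but not its interaction with the other options: whether `whitelist` alone is meaningful or must be combined with src and/or dst, that entry order in the file determines which later entries are bypassed, and that no logging is performed for whitelisted traffic (stated in the release notes but not here). The same additions apply to the shorewall6-blacklist(5) copy of this paragraph further down.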

View File

@ -78,7 +78,7 @@
<varlistentry> <varlistentry>
<term>OPTIONS (Optional - Added in 4.4.12) - <term>OPTIONS (Optional - Added in 4.4.12) -
{-|{dst|src}[,...]}</term> {-|{dst|src|whitelist}[,...]}</term>
<listitem> <listitem>
<para>If specified, indicates whether traffic <para>If specified, indicates whether traffic
@ -122,6 +122,12 @@
</listitem> </listitem>
</orderedlist> </orderedlist>
</note> </note>
<para>In Shorewall 4.4.20, the <emphasis
role="bold">whitelist</emphasis> option was added. When <emphasis
role="bold">whitelist</emphasis> is specified, packets/connections
that match the entry are not matched against the remaining entries
in the file.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>