extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 01:37:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

Restore fw->fw redirection; Check for SPT=0 in SYN

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@367 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-12-14 15:44:26 +00:00
parent 6f5a5cf9c0
commit ede456adf6
1 changed files with 44 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
Shorewall/firewall
View File

@ -907,8 +907,14 @@ validate_rule() {
chain=${source}2${dest} chain=${source}2${dest}
if [ "x$chain" = x${FW}2${FW} ]; then if [ "x$chain" = x${FW}2${FW} ]; then
error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored" case $logtarget in
return REDIRECT)
;;
*)
error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored"
return
;;
esac
fi fi
# #
@ -2132,23 +2138,26 @@ add_a_rule()
add_nat_rule add_nat_rule
fi fi
serv="${serv:+-d $serv}" if [ $chain != ${FW}2${FW} ]; then
serv="${serv:+-d $serv}"
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
if [ "$loglevel" = ULOG ]; then if [ "$loglevel" = ULOG ]; then
run_iptables -A $chain $proto $multiport \ run_iptables -A $chain $proto $multiport \
$state $cli $sports $serv $dports -j ULOG $LOGPARMS \ $state $cli $sports $serv $dports -j ULOG $LOGPARMS \
--ulog-prefix "Shorewall:$chain:$logtarget:" \ --ulog-prefix "Shorewall:$chain:$logtarget:" \
else else
run_iptables -A $chain $proto $multiport \ run_iptables -A $chain $proto $multiport \
$state $cli $sports $serv $dports -j LOG $LOGPARMS \ $state $cli $sports $serv $dports -j LOG $LOGPARMS \
--log-prefix "Shorewall:$chain:$logtarget:" \ --log-prefix "Shorewall:$chain:$logtarget:" \
--log-level $loglevel --log-level $loglevel
fi
fi fi
fi
run_iptables -A $chain $proto $multiport $state $cli $sports \
$serv $dports -j $target run_iptables -A $chain $proto $multiport $state $cli $sports \
$serv $dports -j $target
fi
else else
# Destination is a simple zone # Destination is a simple zone
@ -2286,13 +2295,21 @@ process_rule() # $1 = target
chain=${source}2${dest} chain=${source}2${dest}
if [ "x$chain" = x${FW}2${FW} ]; then
error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored"
return
fi
ensurechain $chain ensurechain $chain
if [ "x$chain" = x${FW}2${FW} ]; then
case $logtarget in
REDIRECT)
;;
*)
error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored"
return
;;
esac
else
ensurechain $chain
fi
# Generate Netfilter rule(s) # Generate Netfilter rule(s)
if [ -n "$MULTIPORT" -a \ if [ -n "$MULTIPORT" -a \
@ -3500,6 +3517,12 @@ add_common_rules() {
run_iptables -A tcpflags -p tcp --tcp-flags ALL NONE $disposition run_iptables -A tcpflags -p tcp --tcp-flags ALL NONE $disposition
run_iptables -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST $disposition run_iptables -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST $disposition
run_iptables -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN $disposition run_iptables -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN $disposition
#
# A Shorewall user reported seeing outgoing SYN ACK packets with DPT=0
# That prompted me to add the following which will stop an incoming
# SYN with SPT=0
#
run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition
for interface in $interfaces; do for interface in $interfaces; do
for chain in `first_chains $interface`; do for chain in `first_chains $interface`; do