diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 8e5ca3761..50aef5944 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -50,3 +50,5 @@ Changes in 3.1.x.
 24) Apply Steven Springl's help patch.
 25) Fix 'allow/drop/reject' while Shorewall not running.
+
+26) Implement bi-directional macros.
diff --git a/Shorewall/compiler b/Shorewall/compiler
index 375d86600..4a72c5da0 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -4586,7 +4586,7 @@ __EOF__
 esac
 cat >&3 << __EOF__
-${INDENT} run_iptables -A $xchain -d \$address -j
+${INDENT} run_iptables -A $xchain -d \$address -j ACCEPT
 ${INDENT}done
 __EOF__
@@ -4711,9 +4711,12 @@ __EOF__
 if [ -n "$mclients" ]; then
 case $mclients in
- -)
+ -|SOURCE)
 mclients=${xclients}
 ;;
+ DEST)
+ mclients=${xservers}
+ ;;
 *)
 mclients=$(merge_macro_source_dest $mclients $xclients)
 ;;
@@ -4724,9 +4727,12 @@ __EOF__
 if [ -n "$mservers" ]; then
 case $mservers in
- -)
+ -|DEST)
 mservers=${xservers}
 ;;
+ SOURCE)
+ mservers=${xclients}
+ ;;
 *)
 mservers=$(merge_macro_source_dest $mservers $xservers)
 ;;
@@ -5766,9 +5772,12 @@ process_macro() # $1 = target
 if [ -n "$mclients" ]; then
 case $mclients in
- -)
+ -|SOURCE)
 mclients=${iclients}
 ;;
+ DEST)
+ mclients=${iservers}
+ ;;
 *)
 mclients=$(merge_macro_source_dest $mclients $iclients)
 ;;
@@ -5779,9 +5788,12 @@ process_macro() # $1 = target
 if [ -n "$mservers" ]; then
 case $mservers in
- -)
+ -|DEST)
 mservers=${iservers}
 ;;
+ SOURCE)
+ mservers=${iclients}
+ ;;
 *)
 mservers=$(merge_macro_source_dest $mservers $iservers)
 ;;
diff --git a/Shorewall/macro.SMBBI b/Shorewall/macro.SMBBI
new file mode 100644
index 000000000..68bbd6c04
--- /dev/null
+++ b/Shorewall/macro.SMBBI
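Review bot: The `ACCEPT` target added to the `run_iptables -A $xchain -d \$address -j` line inside the heredoc is a standalone correctness fix — without it the generated script would invoke run_iptables with `-j` and no jump target — and it has nothing to do with the bi-directional macro work, yet the changelog hunk records only `26) Implement bi-directional macros.`. A separate entry along the lines of `27) Fix missing ACCEPT target in generated $xchain address rule.` would let anyone auditing the generated firewall script find this fix later. The heredoc and the function it sits in begin and end outside the hunk, so I cannot tell from here which rule-generation path emits this line.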
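Review bot: The new SOURCE/DEST keyword handling is the same four-arm `case` repeated in this hunk and again in the hunks at -4724, -5766 and -5779, differing only in which of xclients/xservers or iclients/iservers is assigned, so any later adjustment (for instance rejecting a keyword placed in the wrong column, or logging the substitution) has to be made in four places. A small helper that resolves one macro column against the invoking rule's SOURCE and DEST would reduce each block to a single assignment, as sketched below. Note also that the match is on the bare words `SOURCE` and `DEST` with no escape, so an existing macro that happened to name a zone or host literally `SOURCE` or `DEST` in these columns would be silently reinterpreted; presumably no shipped macro does, but it is worth stating in the release notes that these are now reserved words. The enclosing `if`/`case` blocks continue past the end of each hunk.
```sh
# Resolve one column of a macro line against the invoking rule.
# $1 = value from the macro column, $2 = name of that column (SOURCE or DEST),
# $3 = SOURCE of the invoking rule, $4 = DEST of the invoking rule.
resolve_macro_column() {
    local same other

    if [ "$2" = SOURCE ]; then
        same=$3; other=$4
    else
        same=$4; other=$3
    fi

    case $1 in
        -|$2)
            echo "$same"
            ;;
        SOURCE|DEST)
            echo "$other"
            ;;
        *)
            merge_macro_source_dest $1 $same
            ;;
    esac
}

# … unchanged: surrounding rule expansion …
if [ -n "$mclients" ]; then
    mclients=$(resolve_macro_column $mclients SOURCE $xclients $xservers)
fi

if [ -n "$mservers" ]; then
    mservers=$(resolve_macro_column $mservers DEST $xclients $xservers)
fi
# … the process_macro() hunks use $iclients/$iservers in the same way …
```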
@@ -0,0 +1,23 @@
+#
+# Shorewall version 3.2 - SMB Bi-directional Macro
+#
+# /usr/share/shorewall/macro.SMBBI
+#
+# This macro handles Microsoft SMB traffic.
+#
+# Beware! This macro opens a lot of ports, and could possibly be used
+# to compromise your firewall if not used with care. You should only
+# allow SMB traffic between hosts you fully trust.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# PORT PORT(S) DEST LIMIT GROUP
+PARAM - - udp 135,445
+PARAM - - udp 137:139
+PARAM - - udp 1024: 137
+PARAM - - tcp 135,139,445
+PARAM DEST SOURCE udp 135,445
+PARAM DEST SOURCE udp 137:139
+PARAM DEST SOURCE udp 1024: 137
+PARAM DEST SOURCE tcp 135,139,445
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 7d1645692..aa9984ecb 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -37,7 +37,33 @@ Problems Corrected in 3.1.6
 Other changes in 3.1.6
-None.
+1) In macro files, you can now use the reserved words SOURCE and DEST
+ in the columns of the same names. When Shorewall expands the
+ macro, it will substitute the SOURCE from the macro invocation for
+ SOURCE and the DEST from the invocation for DEST. This allows you
+ to write macros that act in both directions (from source to destination
+ and from destination to source).
+
+ Example:
+
+ macro.FOO:
+
+ PARAM SOURCE DEST udp 500
+ PARAM DEST SOURCE udp 500
+
+ /etc/shorewall/rules:
+
+ FOO/ACCEPT fw net
+
+ Resulting rules:
+
+ ACCEPT fw net udp 500
+ ACCEPT net fw udp 500
+
+ This new feature has been used to implement the SMBBI macro.
+ SMBBI is the same as the SMB macro with the exception that
+ it passes SMB traffic in both directions whereas SMB only
+ passes that traffic in one direction.
 Migration Considerations:
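Review bot: The header comment declares `# Shorewall version 3.2 - SMB Bi-directional Macro` while the changelog and release notes in this same commit record the feature under 3.1.x / 3.1.6, so the shipped file will claim a release that the notes do not describe; align it with the release this actually ships in. Because the `DEST SOURCE` rows reverse the rule, a reader of the column header alone may not realise that, following the release-notes example, `SMBBI/ACCEPT fw net` lets hosts in `net` initiate SMB connections to the firewall rather than merely reply to it; a comment before the reversed rows such as `# The following rows are the reverse direction: they let the DEST side initiate SMB traffic to the SOURCE side, so the warning above applies to both ends.` would make the exposure explicit at the point of use. The `udp 1024: 137` rows carry the source-port qualifier in both directions, which looks consistent with the one-way set above them, though I cannot compare against macro.SMB from here.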