mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 06:38:53 +01:00
Add DNS Name support; remove startup_disabled on uninstall
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@255 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
b709e18fd1
commit
f2b2e84808
@ -1,19 +1,12 @@
|
||||
Changes since 1.3.7
|
||||
Changes since 1.3.8
|
||||
|
||||
1. Correct rules file handling bug introduced in 1.3.7.
|
||||
1. DNAT rules that remap a port but leave the IP address unchanged are
|
||||
now handled properly.
|
||||
|
||||
2. Correct handling of DNAT rule where source is $FW
|
||||
2. The use of shell variables in the LOG LEVEL or SYNPARMS columns of
|
||||
the policy file now works correctly.
|
||||
|
||||
3. Reverse order of RFC 1918 and DHCP filtering
|
||||
|
||||
4. "shorewall refresh" fix for FORWARDPING=Yes
|
||||
|
||||
5. Replace tab with space in blacklist output.
|
||||
|
||||
6. Added NEWNOTSYN option
|
||||
|
||||
7. Assume 'multi' if canonical chain exists.
|
||||
|
||||
8. Add PROTOCOL and PORT columns to blacklist file
|
||||
3. Added support for /etc/shorewall/startup_disabled.
|
||||
|
||||
4. Added support for DNS names in config files.
|
||||
|
||||
|
@ -609,10 +609,13 @@ validate_rule() {
|
||||
[ -n "$client" ] && case "$client" in
|
||||
-)
|
||||
;;
|
||||
*:*)
|
||||
cli="-i ${client%:*} -s ${client#*:}"
|
||||
;;
|
||||
~*)
|
||||
cli=`mac_match $client`
|
||||
;;
|
||||
[0-9]*|![0-9]*)
|
||||
*.*.*)
|
||||
#
|
||||
# IP Address, address or subnet
|
||||
#
|
||||
@ -632,7 +635,7 @@ validate_rule() {
|
||||
-)
|
||||
serv=
|
||||
;;
|
||||
[0-9]*|![0-9]*)
|
||||
*.*.*)
|
||||
serv=$server
|
||||
;;
|
||||
~*)
|
||||
@ -1381,7 +1384,7 @@ process_tc_rule()
|
||||
|
||||
if [ "x$source" != "x-" ]; then
|
||||
case $source in
|
||||
[0-9]*)
|
||||
*.*.*)
|
||||
r="-s $source "
|
||||
;;
|
||||
~*)
|
||||
@ -1624,18 +1627,17 @@ add_a_rule()
|
||||
[ -n "$client" ] && case "$client" in
|
||||
-)
|
||||
;;
|
||||
[0-9]*|![0-9]*)
|
||||
*:*)
|
||||
cli="-i ${client%:*} -s ${client#*:}"
|
||||
;;
|
||||
*.*.*)
|
||||
cli="-s $client"
|
||||
;;
|
||||
~*)
|
||||
cli=`mac_match $client`
|
||||
;;
|
||||
*)
|
||||
if [ "$client" != "${client%:*}" ]; then
|
||||
cli="-i ${client%:*} -s ${client#*:}"
|
||||
else
|
||||
cli="-i $client"
|
||||
fi
|
||||
cli="-i $client"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -1647,7 +1649,7 @@ add_a_rule()
|
||||
-)
|
||||
serv=
|
||||
;;
|
||||
[0-9]*|![0-9]*)
|
||||
*.*.*)
|
||||
serv=$server
|
||||
;;
|
||||
*)
|
||||
@ -1741,7 +1743,11 @@ add_a_rule()
|
||||
|
||||
# A specific server or server port given
|
||||
|
||||
[ -n "$addr" -a "$addr" != "$serv" ] && add_nat_rule
|
||||
if [ -n "$addr" -a "$addr" != "$serv" ]; then
|
||||
add_nat_rule
|
||||
elif [ -n "$servport" -a "$servport" != "$port" ]; then
|
||||
add_nat_rule
|
||||
fi
|
||||
|
||||
serv="${serv:+-d $serv}"
|
||||
|
||||
@ -1967,7 +1973,7 @@ process_tos_rule() {
|
||||
fi
|
||||
|
||||
[ -n "$src" ] && case "$src" in
|
||||
[0-9]*|![0-9]*)
|
||||
*.*.*)
|
||||
#
|
||||
# IP Address or subnet
|
||||
#
|
||||
@ -2010,7 +2016,7 @@ process_tos_rule() {
|
||||
fi
|
||||
|
||||
[ -n "$dst" ] && case "$dst" in
|
||||
[0-9]*|![0-9]*)
|
||||
*.*.*)
|
||||
#
|
||||
# IP Address or subnet
|
||||
#
|
||||
@ -2416,7 +2422,7 @@ setup_masq()
|
||||
iface=
|
||||
|
||||
case $subnet in
|
||||
[0-9]*|![0-9]*)
|
||||
*.*.*)
|
||||
source="$subnet"
|
||||
subnet="-s $subnet"
|
||||
;;
|
||||
@ -2783,12 +2789,17 @@ initialize_netfilter () {
|
||||
setpolicy INPUT DROP
|
||||
setpolicy OUTPUT DROP
|
||||
setpolicy FORWARD DROP
|
||||
|
||||
|
||||
deleteallchains
|
||||
|
||||
setcontinue FORWARD
|
||||
setcontinue INPUT
|
||||
setcontinue OUTPUT
|
||||
#
|
||||
# Allow DNS lookups during startup for FQDNs
|
||||
#
|
||||
run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
|
||||
run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT
|
||||
|
||||
[ -n "$CLAMPMSS" ] && \
|
||||
run_iptables -A FORWARD -p tcp \
|
||||
@ -3245,6 +3256,9 @@ activate_rules()
|
||||
run_iptables -D INPUT 1
|
||||
run_iptables -D OUTPUT 1
|
||||
run_iptables -D FORWARD 1
|
||||
|
||||
run_iptables -D OUTPUT -p udp --dport 53 -j ACCEPT
|
||||
run_iptables -D FORWARD -p udp --dport 53 -j ACCEPT
|
||||
}
|
||||
|
||||
################################################################################
|
||||
|
@ -37,7 +37,9 @@
|
||||
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
|
||||
# the address given in this column is the primary
|
||||
# IP address for the interface in the INTERFACE
|
||||
# column.
|
||||
# column.
|
||||
#
|
||||
# This column may not contain a DNS Name.
|
||||
#
|
||||
# Example 1:
|
||||
#
|
||||
|
@ -14,10 +14,10 @@
|
||||
#
|
||||
# EXTERNAL External IP Address - this should NOT be the primary
|
||||
# IP address of the interface named in the next
|
||||
# column.
|
||||
# column and must not be a DNS Name.
|
||||
# INTERFACE Interface that we want to EXTERNAL address to appear
|
||||
# on
|
||||
# INTERNAL Internal Address
|
||||
# INTERNAL Internal Address (must not be a DNS Name).
|
||||
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
|
||||
# from all hosts. If No or no then NAT will be effective
|
||||
# only through the interface named in the INTERFACE
|
||||
|
@ -3,20 +3,10 @@ fixes.
|
||||
|
||||
New features include:
|
||||
|
||||
1. A NEWNOTSYN option has been added to shorewall.conf. This option
|
||||
determines whether Shorewall accepts TCP packets which are not part
|
||||
of an established connection and that are not 'SYN' packets (SYN
|
||||
flag on and ACK flag off).
|
||||
1. DNS Names are now allowed in Shorewall config files.
|
||||
|
||||
2. The connection SOURCE may now be qualified by both interface
|
||||
and IP address in a Shorewall rule.
|
||||
|
||||
2. The need for the 'multi' option to communicate between zones za and
|
||||
zb on the same interface is removed in the case where the chain
|
||||
'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
|
||||
|
||||
a. There is a policy for za to zb.
|
||||
b. There is at least one rule for za to zb.
|
||||
|
||||
3. The /etc/shorewall/blacklist file now contains three columns. In
|
||||
addition to the SUBNET/ADDRESS column, there are optional PROTOCOL
|
||||
and PORT columns to block only certain applications from the
|
||||
blacklisted addresses.
|
||||
3. Shorewall startup is now disabled after initial installation until
|
||||
the file /etc/shorewall/shorewall_disabled is removed.
|
||||
|
@ -71,6 +71,13 @@
|
||||
# subnet, host or interface by appending ":" and the
|
||||
# subnet, host or interface. See above.
|
||||
#
|
||||
# Restrictions:
|
||||
#
|
||||
# 1. MAC addresses are not allowed.
|
||||
# 2. In DNAT rules, only IP addresses are
|
||||
# allowed; no FQDNs or subnet addresses
|
||||
# are permitted.
|
||||
#
|
||||
# The port that the server is listening on may be
|
||||
# included and separated from the server's IP address by
|
||||
# ":". If omitted, the firewall will not modifiy the
|
||||
|
@ -63,6 +63,9 @@ if [ $1 = 0 ]; then
|
||||
elif [ -x /sbin/chkconfig ]; then
|
||||
/sbin/chkconfig --del shorewall
|
||||
fi
|
||||
|
||||
rm -f /etc/shorewall/startup_disabled
|
||||
|
||||
fi
|
||||
|
||||
%files
|
||||
|
Loading…
Reference in New Issue
Block a user