diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index d59040f24..c285174c1 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,19 +1,12 @@
-Changes since 1.3.7
+Changes since 1.3.8
-1. Correct rules file handling bug introduced in 1.3.7.
+1. DNAT rules that remap a port but leave the IP address unchanged are
+ now handled properly.
-2. Correct handling of DNAT rule where source is $FW
+2. The use of shell variables in the LOG LEVEL or SYNPARMS columns of
+ the policy file now works correctly.
-3. Reverse order of RFC 1918 and DHCP filtering
-
-4. "shorewall refresh" fix for FORWARDPING=Yes
-
-5. Replace tab with space in blacklist output.
-
-6. Added NEWNOTSYN option
-
-7. Assume 'multi' if canonical chain exists.
-
-8. Add PROTOCOL and PORT columns to blacklist file
+3. Added support for /etc/shorewall/startup_disabled.
+4. Added support for DNS names in config files.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index ad560d7df..b0c9add4d 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -609,10 +609,13 @@ validate_rule() {
 [ -n "$client" ] && case "$client" in
 -)
 ;;
+ *:*)
+ cli="-i ${client%:*} -s ${client#*:}"
+ ;;
 ~*)
 cli=`mac_match $client`
 ;;
- [0-9]*|![0-9]*)
+ *.*.*)
 #
 # IP Address, address or subnet
 #
@@ -632,7 +635,7 @@ validate_rule() {
 -)
 serv=
 ;;
- [0-9]*|![0-9]*)
+ *.*.*)
 serv=$server
 ;;
 ~*)
@@ -1381,7 +1384,7 @@ process_tc_rule()
 if [ "x$source" != "x-" ]; then
 case $source in
- [0-9]*)
+ *.*.*)
 r="-s $source "
 ;;
 ~*)
@@ -1624,18 +1627,17 @@ add_a_rule()
 [ -n "$client" ] && case "$client" in
 -)
 ;;
- [0-9]*|![0-9]*)
+ *:*)
+ cli="-i ${client%:*} -s ${client#*:}"
+ ;;
+ *.*.*)
 cli="-s $client"
 ;;
 ~*)
 cli=`mac_match $client`
 ;;
 *)
- if [ "$client" != "${client%:*}" ]; then
- cli="-i ${client%:*} -s ${client#*:}"
- else
- cli="-i $client"
- fi
+ cli="-i $client"
 ;;
 esac
@@ -1647,7 +1649,7 @@ add_a_rule()
 -)
 serv=
 ;;
- [0-9]*|![0-9]*)
+ *.*.*)
 serv=$server
 ;;
 *)
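Review bot: With `[0-9]*|![0-9]*)` replaced by `*.*.*)`, a SOURCE that is a DNS name with fewer than two dots (`fileserver.lan`, or a bare host name) no longer matches the address arm; in add_a_rule (hunk at 1624) it drops through to `*)` and becomes `cli="-i $client"`, an interface match that iptables does not reject and that no packet will ever satisfy, so an ACCEPT or DROP written against such a name silently does nothing. Presumably the two-dot requirement exists so that VLAN-style interface names such as `eth0.100` still land in the interface arm; that trade-off, and the consequence that one-dot host names are never resolved, should be stated at the pattern, e.g. `*.*.*) # IP, subnet or FQDN with at least two dots; keeps eth0.100-style ifaces in the interface arm, so one-dot host names are treated as interfaces`. The new `*:*)` arm also sits ahead of `~*)` in both validate_rule and add_a_rule, which is only safe while MAC values never contain a `:` (i.e. they are written with `-`, as `mac_match` presumably expects). The same pattern swap is made in the hunks at 632, 1381, 1647, 1967, 2010 and 2416; validate_rule's `*)` arm lies outside this hunk.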
@@ -1741,7 +1743,11 @@ add_a_rule()
 # A specific server or server port given
- [ -n "$addr" -a "$addr" != "$serv" ] && add_nat_rule
+ if [ -n "$addr" -a "$addr" != "$serv" ]; then
+ add_nat_rule
+ elif [ -n "$servport" -a "$servport" != "$port" ]; then
+ add_nat_rule
+ fi
 serv="${serv:+-d $serv}"
@@ -1967,7 +1973,7 @@ process_tos_rule() {
 fi
 [ -n "$src" ] && case "$src" in
- [0-9]*|![0-9]*)
+ *.*.*)
 #
 # IP Address or subnet
 #
@@ -2010,7 +2016,7 @@ process_tos_rule() {
 fi
 [ -n "$dst" ] && case "$dst" in
- [0-9]*|![0-9]*)
+ *.*.*)
 #
 # IP Address or subnet
 #
@@ -2416,7 +2422,7 @@ setup_masq()
 iface=
 case $subnet in
- [0-9]*|![0-9]*)
+ *.*.*)
 source="$subnet"
 subnet="-s $subnet"
 ;;
@@ -2783,12 +2789,17 @@ initialize_netfilter () {
 setpolicy INPUT DROP
 setpolicy OUTPUT DROP
 setpolicy FORWARD DROP
-
+
 deleteallchains
 setcontinue FORWARD
 setcontinue INPUT
 setcontinue OUTPUT
+ #
+ # Allow DNS lookups during startup for FQDNs
+ #
+ run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+ run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT
 [ -n "$CLAMPMSS" ] && \
 run_iptables -A FORWARD -p tcp \
@@ -3245,6 +3256,9 @@ activate_rules()
 run_iptables -D INPUT 1
 run_iptables -D OUTPUT 1
 run_iptables -D FORWARD 1
+
+ run_iptables -D OUTPUT -p udp --dport 53 -j ACCEPT
+ run_iptables -D FORWARD -p udp --dport 53 -j ACCEPT
 }
 ################################################################################
diff --git a/Shorewall/masq b/Shorewall/masq
index 69894ddbb..3b0edea3e 100755
--- a/Shorewall/masq
+++ b/Shorewall/masq
@@ -37,7 +37,9 @@
 # WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
 # the address given in this column is the primary
 # IP address for the interface in the INTERFACE
-# column.
+# column.
+#
+# This column may not contain a DNS Name.
 #
 # Example 1:
 #
diff --git a/Shorewall/nat b/Shorewall/nat
index db85e4114..7b6ba5b20 100755
--- a/Shorewall/nat
+++ b/Shorewall/nat
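Review bot: Both arms of the new `if`/`elif` in add_a_rule run the same `add_nat_rule`, so the test reads more clearly as one condition: `if [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then` / `add_nat_rule` / `fi`. A one-line comment saying why a port-only remap needs a NAT rule at all (the changelog item about DNAT rules that change the port but not the address) would spare the next reader the trip to the changelog, e.g. `# DNAT is needed when either the address or the port is being rewritten`. The rest of add_a_rule lies outside the hunk.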
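Review bot: The `-A FORWARD -p udp --dport 53 -j ACCEPT` added in initialize_netfilter does not serve the purpose the comment gives — iptables resolves the names in the config in its own process, and those queries leave via OUTPUT — while it does let any host push UDP/53 through the firewall unfiltered for the whole window until activate_rules deletes it (hunk at 3245). If forwarding client DNS during startup is intended, the comment should say so; if not, keep only the OUTPUT rule. The comment should also record what the feature implies for trust: names are resolved once, at this point, the rules keep whatever addresses the resolver returned then until the next restart, and a name that does not resolve (including one whose answer is truncated, since TCP/53 is not opened) presumably makes `run_iptables` fail and aborts the start — e.g. `# Names in the config are resolved ONCE, here, by iptables; a wrong or stale answer at start time stays in the rules until restart.` initialize_netfilter continues outside the hunk.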
@@ -14,10 +14,10 @@
 #
 # EXTERNAL External IP Address - this should NOT be the primary
 # IP address of the interface named in the next
-# column.
+# column and must not be a DNS Name.
 # INTERFACE Interface that we want to EXTERNAL address to appear
 # on
-# INTERNAL Internal Address
+# INTERNAL Internal Address (must not be a DNS Name).
 # ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
 # from all hosts. If No or no then NAT will be effective
 # only through the interface named in the INTERFACE
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 3a256ef7d..4021b1eb5 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -3,20 +3,10 @@
 fixes. New features include:
-1. A NEWNOTSYN option has been added to shorewall.conf. This option
- determines whether Shorewall accepts TCP packets which are not part
- of an established connection and that are not 'SYN' packets (SYN
- flag on and ACK flag off).
+1. DNS Names are now allowed in Shorewall config files.
+2. The connection SOURCE may now be qualified by both interface
+ and IP address in a Shorewall rule.
-2. The need for the 'multi' option to communicate between zones za and
- zb on the same interface is removed in the case where the chain
- 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
-
- a. There is a policy for za to zb.
- b. There is at least one rule for za to zb.
-
-3. The /etc/shorewall/blacklist file now contains three columns. In
- addition to the SUBNET/ADDRESS column, there are optional PROTOCOL
- and PORT columns to block only certain applications from the
- blacklisted addresses.
+3. Shorewall startup is now disabled after initial installation until
+ the file /etc/shorewall/shorewall_disabled is removed.
diff --git a/Shorewall/rules b/Shorewall/rules
index 00a3e3c51..39a81eb4d 100755
--- a/Shorewall/rules
+++ b/Shorewall/rules
@@ -71,6 +71,13 @@
 # subnet, host or interface by appending ":" and the
 # subnet, host or interface. See above.
 #
+# Restrictions:
+#
+# 1. MAC addresses are not allowed.
+# 2. In DNAT rules, only IP addresses are
+ allowed; no FQDNs or subnet addresses
+ are permitted.
+#
 # The port that the server is listening on may be
 # included and separated from the server's IP address by
 # ":". If omitted, the firewall will not modifiy the
diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec
index f1c6761d5..f089385a2 100644
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -63,6 +63,9 @@ if [ $1 = 0 ]; then
 elif [ -x /sbin/chkconfig ]; then
 /sbin/chkconfig --del shorewall
 fi
+
+ rm -f /etc/shorewall/startup_disabled
+
 fi
 %files
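Review bot: As this hunk reads, the two continuation lines under item 2 (`allowed; no FQDNs or subnet addresses` and `are permitted.`) carry no leading `#`, while every other added line does; if that is the committed text rather than an artifact of how the diff was captured, the rules file will try to parse those two lines as rules the next time the firewall starts. Every comment line in this file needs the marker: `#    allowed; no FQDNs or subnet addresses` / `#    are permitted.`.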
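Review bot: The flag file removed here, `/etc/shorewall/startup_disabled`, does not agree with the release notes in this same commit, which tell users to remove `/etc/shorewall/shorewall_disabled`; the changelog says `startup_disabled`, so the release notes are the odd one out, and a user who follows them would never get the firewall to start. The `rm -f` sits in the `[ $1 = 0 ]` branch (package being erased, not upgraded), which is the right place for cleanup; the side that creates the file is not in this diff, and it should create it only on first install (`$1 = 1`), since recreating it on an upgrade would leave a working firewall disabled at the next boot. The scriptlet this belongs to starts before the hunk.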