Add DNS Name support; remove startup_disabled on uninstall
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@255 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
b709e18fd1
commit
f2b2e84808
@ -1,19 +1,12 @@
|
|||||||
Changes since 1.3.7
|
Changes since 1.3.8
|
||||||
|
|
||||||
1. Correct rules file handling bug introduced in 1.3.7.
|
1. DNAT rules that remap a port but leave the IP address unchanged are
|
||||||
|
now handled properly.
|
||||||
|
|
||||||
2. Correct handling of DNAT rule where source is $FW
|
2. The use of shell variables in the LOG LEVEL or SYNPARMS columns of
|
||||||
|
the policy file now works correctly.
|
||||||
|
|
||||||
3. Reverse order of RFC 1918 and DHCP filtering
|
3. Added support for /etc/shorewall/startup_disabled.
|
||||||
|
|
||||||
4. "shorewall refresh" fix for FORWARDPING=Yes
|
|
||||||
|
|
||||||
5. Replace tab with space in blacklist output.
|
|
||||||
|
|
||||||
6. Added NEWNOTSYN option
|
|
||||||
|
|
||||||
7. Assume 'multi' if canonical chain exists.
|
|
||||||
|
|
||||||
8. Add PROTOCOL and PORT columns to blacklist file
|
|
||||||
|
|
||||||
|
4. Added support for DNS names in config files.
|
||||||
|
|
||||||
|
@ -609,10 +609,13 @@ validate_rule() {
|
|||||||
[ -n "$client" ] && case "$client" in
|
[ -n "$client" ] && case "$client" in
|
||||||
-)
|
-)
|
||||||
;;
|
;;
|
||||||
|
*:*)
|
||||||
|
cli="-i ${client%:*} -s ${client#*:}"
|
||||||
|
;;
|
||||||
~*)
|
~*)
|
||||||
cli=`mac_match $client`
|
cli=`mac_match $client`
|
||||||
;;
|
;;
|
||||||
[0-9]*|![0-9]*)
|
*.*.*)
|
||||||
#
|
#
|
||||||
# IP Address, address or subnet
|
# IP Address, address or subnet
|
||||||
#
|
#
|
||||||
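Review bot: The comment `# IP Address, address or subnet` under the new `*.*.*)` arm is stale now that this arm is the one meant to accept the DNS names this commit introduces; I would change it to `# IP address, subnet, or DNS name (needs at least two dots)`. The same untouched wording sits under the `*.*.*)` arms in the two process_tos_rule hunks. The parenthetical matters because the glob only matches tokens with two or more dots, so a two-label name such as `example.com` never reaches this arm. The `*)` fallback of this case statement and the rest of validate_rule lie outside the hunk.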
@ -632,7 +635,7 @@ validate_rule() {
|
|||||||
-)
|
-)
|
||||||
serv=
|
serv=
|
||||||
;;
|
;;
|
||||||
[0-9]*|![0-9]*)
|
*.*.*)
|
||||||
serv=$server
|
serv=$server
|
||||||
;;
|
;;
|
||||||
~*)
|
~*)
|
||||||
@ -1381,7 +1384,7 @@ process_tc_rule()
|
|||||||
|
|
||||||
if [ "x$source" != "x-" ]; then
|
if [ "x$source" != "x-" ]; then
|
||||||
case $source in
|
case $source in
|
||||||
[0-9]*)
|
*.*.*)
|
||||||
r="-s $source "
|
r="-s $source "
|
||||||
;;
|
;;
|
||||||
~*)
|
~*)
|
||||||
@ -1624,18 +1627,17 @@ add_a_rule()
|
|||||||
[ -n "$client" ] && case "$client" in
|
[ -n "$client" ] && case "$client" in
|
||||||
-)
|
-)
|
||||||
;;
|
;;
|
||||||
[0-9]*|![0-9]*)
|
*:*)
|
||||||
|
cli="-i ${client%:*} -s ${client#*:}"
|
||||||
|
;;
|
||||||
|
*.*.*)
|
||||||
cli="-s $client"
|
cli="-s $client"
|
||||||
;;
|
;;
|
||||||
~*)
|
~*)
|
||||||
cli=`mac_match $client`
|
cli=`mac_match $client`
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if [ "$client" != "${client%:*}" ]; then
|
|
||||||
cli="-i ${client%:*} -s ${client#*:}"
|
|
||||||
else
|
|
||||||
cli="-i $client"
|
cli="-i $client"
|
||||||
fi
|
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
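Review bot: A DNS name with fewer than two dots, e.g. `example.com`, does not match the new `*.*.*)` arm and falls through to `*)`, where it becomes `cli="-i $client"` — an interface match rather than the source-address match the user asked for, and iptables will then fail on an unknown interface. The two-dot requirement is presumably deliberate so that dotted interface names like `eth0.100` stay in the interface arm, so a looser `*.*)` glob is not the fix; the restriction should instead be stated where names are documented, and the interface arm could reject a token that contains a dot but is not a known interface. A comment above `*.*.*)` along the lines of `# IP address, subnet, or DNS name; names must carry at least two dots so that eth0.100-style interfaces are not mistaken for hosts` would make the intent visible to the next maintainer. add_a_rule begins before this hunk and continues after it.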
@ -1647,7 +1649,7 @@ add_a_rule()
|
|||||||
-)
|
-)
|
||||||
serv=
|
serv=
|
||||||
;;
|
;;
|
||||||
[0-9]*|![0-9]*)
|
*.*.*)
|
||||||
serv=$server
|
serv=$server
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
@ -1741,7 +1743,11 @@ add_a_rule()
|
|||||||
|
|
||||||
# A specific server or server port given
|
# A specific server or server port given
|
||||||
|
|
||||||
[ -n "$addr" -a "$addr" != "$serv" ] && add_nat_rule
|
if [ -n "$addr" -a "$addr" != "$serv" ]; then
|
||||||
|
add_nat_rule
|
||||||
|
elif [ -n "$servport" -a "$servport" != "$port" ]; then
|
||||||
|
add_nat_rule
|
||||||
|
fi
|
||||||
|
|
||||||
serv="${serv:+-d $serv}"
|
serv="${serv:+-d $serv}"
|
||||||
|
|
||||||
@ -1967,7 +1973,7 @@ process_tos_rule() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$src" ] && case "$src" in
|
[ -n "$src" ] && case "$src" in
|
||||||
[0-9]*|![0-9]*)
|
*.*.*)
|
||||||
#
|
#
|
||||||
# IP Address or subnet
|
# IP Address or subnet
|
||||||
#
|
#
|
||||||
@ -2010,7 +2016,7 @@ process_tos_rule() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$dst" ] && case "$dst" in
|
[ -n "$dst" ] && case "$dst" in
|
||||||
[0-9]*|![0-9]*)
|
*.*.*)
|
||||||
#
|
#
|
||||||
# IP Address or subnet
|
# IP Address or subnet
|
||||||
#
|
#
|
||||||
@ -2416,7 +2422,7 @@ setup_masq()
|
|||||||
iface=
|
iface=
|
||||||
|
|
||||||
case $subnet in
|
case $subnet in
|
||||||
[0-9]*|![0-9]*)
|
*.*.*)
|
||||||
source="$subnet"
|
source="$subnet"
|
||||||
subnet="-s $subnet"
|
subnet="-s $subnet"
|
||||||
;;
|
;;
|
||||||
@ -2789,6 +2795,11 @@ initialize_netfilter () {
|
|||||||
setcontinue FORWARD
|
setcontinue FORWARD
|
||||||
setcontinue INPUT
|
setcontinue INPUT
|
||||||
setcontinue OUTPUT
|
setcontinue OUTPUT
|
||||||
|
#
|
||||||
|
# Allow DNS lookups during startup for FQDNs
|
||||||
|
#
|
||||||
|
run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
|
||||||
|
run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT
|
||||||
|
|
||||||
[ -n "$CLAMPMSS" ] && \
|
[ -n "$CLAMPMSS" ] && \
|
||||||
run_iptables -A FORWARD -p tcp \
|
run_iptables -A FORWARD -p tcp \
|
||||||
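Review bot: The temporary `run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT` is wider than the stated purpose: the firewall's own resolver queries for names in its config leave through OUTPUT, so the FORWARD rule opens UDP/53 transit for every host behind the firewall for the whole startup window, before any zone policy is in place. Unless there is a forwarding dependency I cannot see from this hunk, I would keep only the OUTPUT line. Separately, iptables(8) warns that a hostname in a rule is resolved once, by an ordinary DNS query, when the rule is submitted, and that relying on a remotely resolved name is a bad idea: a spoofed or poisoned answer during startup is baked into the ruleset until the next restart, and a name with several A records expands into several rules. That trust caveat belongs in the rules-file documentation alongside the new DNS-name text, not only in `# Allow DNS lookups during startup for FQDNs`; if the resolver ever falls back to TCP for a large response, the UDP-only allowance would also not cover it. initialize_netfilter continues beyond this hunk on both sides.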
@ -3245,6 +3256,9 @@ activate_rules()
|
|||||||
run_iptables -D INPUT 1
|
run_iptables -D INPUT 1
|
||||||
run_iptables -D OUTPUT 1
|
run_iptables -D OUTPUT 1
|
||||||
run_iptables -D FORWARD 1
|
run_iptables -D FORWARD 1
|
||||||
|
|
||||||
|
run_iptables -D OUTPUT -p udp --dport 53 -j ACCEPT
|
||||||
|
run_iptables -D FORWARD -p udp --dport 53 -j ACCEPT
|
||||||
}
|
}
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
|
@ -39,6 +39,8 @@
|
|||||||
# IP address for the interface in the INTERFACE
|
# IP address for the interface in the INTERFACE
|
||||||
# column.
|
# column.
|
||||||
#
|
#
|
||||||
|
# This column may not contain a DNS Name.
|
||||||
|
#
|
||||||
# Example 1:
|
# Example 1:
|
||||||
#
|
#
|
||||||
# You have a simple masquerading setup where eth0 connects to
|
# You have a simple masquerading setup where eth0 connects to
|
||||||
|
@ -14,10 +14,10 @@
|
|||||||
#
|
#
|
||||||
# EXTERNAL External IP Address - this should NOT be the primary
|
# EXTERNAL External IP Address - this should NOT be the primary
|
||||||
# IP address of the interface named in the next
|
# IP address of the interface named in the next
|
||||||
# column.
|
# column and must not be a DNS Name.
|
||||||
# INTERFACE Interface that we want to EXTERNAL address to appear
|
# INTERFACE Interface that we want to EXTERNAL address to appear
|
||||||
# on
|
# on
|
||||||
# INTERNAL Internal Address
|
# INTERNAL Internal Address (must not be a DNS Name).
|
||||||
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
|
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
|
||||||
# from all hosts. If No or no then NAT will be effective
|
# from all hosts. If No or no then NAT will be effective
|
||||||
# only through the interface named in the INTERFACE
|
# only through the interface named in the INTERFACE
|
||||||
|
@ -3,20 +3,10 @@ fixes.
|
|||||||
|
|
||||||
New features include:
|
New features include:
|
||||||
|
|
||||||
1. A NEWNOTSYN option has been added to shorewall.conf. This option
|
1. DNS Names are now allowed in Shorewall config files.
|
||||||
determines whether Shorewall accepts TCP packets which are not part
|
|
||||||
of an established connection and that are not 'SYN' packets (SYN
|
|
||||||
flag on and ACK flag off).
|
|
||||||
|
|
||||||
|
2. The connection SOURCE may now be qualified by both interface
|
||||||
|
and IP address in a Shorewall rule.
|
||||||
|
|
||||||
2. The need for the 'multi' option to communicate between zones za and
|
3. Shorewall startup is now disabled after initial installation until
|
||||||
zb on the same interface is removed in the case where the chain
|
the file /etc/shorewall/shorewall_disabled is removed.
|
||||||
'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
|
|
||||||
|
|
||||||
a. There is a policy for za to zb.
|
|
||||||
b. There is at least one rule for za to zb.
|
|
||||||
|
|
||||||
3. The /etc/shorewall/blacklist file now contains three columns. In
|
|
||||||
addition to the SUBNET/ADDRESS column, there are optional PROTOCOL
|
|
||||||
and PORT columns to block only certain applications from the
|
|
||||||
blacklisted addresses.
|
|
||||||
|
@ -71,6 +71,13 @@
|
|||||||
# subnet, host or interface by appending ":" and the
|
# subnet, host or interface by appending ":" and the
|
||||||
# subnet, host or interface. See above.
|
# subnet, host or interface. See above.
|
||||||
#
|
#
|
||||||
|
# Restrictions:
|
||||||
|
#
|
||||||
|
# 1. MAC addresses are not allowed.
|
||||||
|
# 2. In DNAT rules, only IP addresses are
|
||||||
|
# allowed; no FQDNs or subnet addresses
|
||||||
|
# are permitted.
|
||||||
|
#
|
||||||
# The port that the server is listening on may be
|
# The port that the server is listening on may be
|
||||||
# included and separated from the server's IP address by
|
# included and separated from the server's IP address by
|
||||||
# ":". If omitted, the firewall will not modifiy the
|
# ":". If omitted, the firewall will not modifiy the
|
||||||
|
@ -63,6 +63,9 @@ if [ $1 = 0 ]; then
|
|||||||
elif [ -x /sbin/chkconfig ]; then
|
elif [ -x /sbin/chkconfig ]; then
|
||||||
/sbin/chkconfig --del shorewall
|
/sbin/chkconfig --del shorewall
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
rm -f /etc/shorewall/startup_disabled
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
%files
|
%files
|
||||||
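Review bot: The guard file removed here, `/etc/shorewall/startup_disabled`, matches the changelog entry in this commit, but the release-notes hunk in the same commit tells users to remove `/etc/shorewall/shorewall_disabled`; the two names cannot both be right, and since the spec and changelog agree, the release notes should read `startup_disabled`. A user following the release notes would delete a nonexistent file and be left with a firewall that never starts. Placing the `rm -f` inside the `if [ $1 = 0 ]` branch correctly limits it to a full erase rather than an upgrade; that scriptlet begins before the hunk.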
|