Add DNS Name support; remove startup_disabled on uninstall

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@255 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-09-24 23:13:36 +00:00
parent b709e18fd1
commit f2b2e84808
7 changed files with 56 additions and 47 deletions


@ -1,19 +1,12 @@
Changes since 1.3.7 Changes since 1.3.8
1. Correct rules file handling bug introduced in 1.3.7. 1. DNAT rules that remap a port but leave the IP address unchanged are
now handled properly.
2. Correct handling of DNAT rule where source is $FW 2. The use of shell variables in the LOG LEVEL or SYNPARMS columns of
the policy file now works correctly.
3. Reverse order of RFC 1918 and DHCP filtering 3. Added support for /etc/shorewall/startup_disabled.
4. "shorewall refresh" fix for FORWARDPING=Yes
5. Replace tab with space in blacklist output.
6. Added NEWNOTSYN option
7. Assume 'multi' if canonical chain exists.
8. Add PROTOCOL and PORT columns to blacklist file
4. Added support for DNS names in config files.


@ -609,10 +609,13 @@ validate_rule() {
[ -n "$client" ] && case "$client" in [ -n "$client" ] && case "$client" in
-) -)
;; ;;
*:*)
cli="-i ${client%:*} -s ${client#*:}"
;;
~*) ~*)
cli=`mac_match $client` cli=`mac_match $client`
;; ;;
[0-9]*|![0-9]*) *.*.*)
# #
# IP Address, address or subnet # IP Address, address or subnet
# #
@ -632,7 +635,7 @@ validate_rule() {
-) -)
serv= serv=
;; ;;
[0-9]*|![0-9]*) *.*.*)
serv=$server serv=$server
;; ;;
~*) ~*)
@ -1381,7 +1384,7 @@ process_tc_rule()
if [ "x$source" != "x-" ]; then if [ "x$source" != "x-" ]; then
case $source in case $source in
[0-9]*) *.*.*)
r="-s $source " r="-s $source "
;; ;;
~*) ~*)
@ -1624,18 +1627,17 @@ add_a_rule()
[ -n "$client" ] && case "$client" in [ -n "$client" ] && case "$client" in
-) -)
;; ;;
[0-9]*|![0-9]*) *:*)
cli="-i ${client%:*} -s ${client#*:}"
;;
*.*.*)
cli="-s $client" cli="-s $client"
;; ;;
~*) ~*)
cli=`mac_match $client` cli=`mac_match $client`
;; ;;
*) *)
if [ "$client" != "${client%:*}" ]; then cli="-i $client"
cli="-i ${client%:*} -s ${client#*:}"
else
cli="-i $client"
fi
;; ;;
esac esac
@ -1647,7 +1649,7 @@ add_a_rule()
-) -)
serv= serv=
;; ;;
[0-9]*|![0-9]*) *.*.*)
serv=$server serv=$server
;; ;;
*) *)
@ -1741,7 +1743,11 @@ add_a_rule()
# A specific server or server port given # A specific server or server port given
[ -n "$addr" -a "$addr" != "$serv" ] && add_nat_rule if [ -n "$addr" -a "$addr" != "$serv" ]; then
add_nat_rule
elif [ -n "$servport" -a "$servport" != "$port" ]; then
add_nat_rule
fi
serv="${serv:+-d $serv}" serv="${serv:+-d $serv}"
@ -1967,7 +1973,7 @@ process_tos_rule() {
fi fi
[ -n "$src" ] && case "$src" in [ -n "$src" ] && case "$src" in
[0-9]*|![0-9]*) *.*.*)
# #
# IP Address or subnet # IP Address or subnet
# #
@ -2010,7 +2016,7 @@ process_tos_rule() {
fi fi
[ -n "$dst" ] && case "$dst" in [ -n "$dst" ] && case "$dst" in
[0-9]*|![0-9]*) *.*.*)
# #
# IP Address or subnet # IP Address or subnet
# #
@ -2416,7 +2422,7 @@ setup_masq()
iface= iface=
case $subnet in case $subnet in
[0-9]*|![0-9]*) *.*.*)
source="$subnet" source="$subnet"
subnet="-s $subnet" subnet="-s $subnet"
;; ;;
@ -2783,12 +2789,17 @@ initialize_netfilter () {
setpolicy INPUT DROP setpolicy INPUT DROP
setpolicy OUTPUT DROP setpolicy OUTPUT DROP
setpolicy FORWARD DROP setpolicy FORWARD DROP
deleteallchains deleteallchains
setcontinue FORWARD setcontinue FORWARD
setcontinue INPUT setcontinue INPUT
setcontinue OUTPUT setcontinue OUTPUT
#
# Allow DNS lookups during startup for FQDNs
#
run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT
[ -n "$CLAMPMSS" ] && \ [ -n "$CLAMPMSS" ] && \
run_iptables -A FORWARD -p tcp \ run_iptables -A FORWARD -p tcp \
@ -3245,6 +3256,9 @@ activate_rules()
run_iptables -D INPUT 1 run_iptables -D INPUT 1
run_iptables -D OUTPUT 1 run_iptables -D OUTPUT 1
run_iptables -D FORWARD 1 run_iptables -D FORWARD 1
run_iptables -D OUTPUT -p udp --dport 53 -j ACCEPT
run_iptables -D FORWARD -p udp --dport 53 -j ACCEPT
} }
################################################################################ ################################################################################
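Review bot: The new `*.*.*)` arm only matches a value containing at least two dots, so a DNS name with a single label separator such as `gateway.lan` (or a bare hostname) never reaches it and falls through to `*)`, which in add_a_rule now does `cli="-i $client"` and silently treats the host entry as an interface name; the same `*.*.*)` discriminator is used in validate_rule, process_tc_rule, process_tos_rule and setup_masq, whose `*)` arms are outside the hunks and presumably behave alike. A stricter test (for example a `/`, a leading digit/`!` or an explicit resolution step before the case) would keep a mistyped or short name from becoming an interface match. The udp/53 ACCEPT rules added in initialize_netfilter also mean that every rule built from a name depends on whatever the resolver answers while the chain policies are still DROP and before the user's rules exist; if a name does not resolve at boot the iptables call presumably fails and the firewall does not come up, and the resolved addresses are fixed until the next restart. A comment at the first `*.*.*)` arm stating `# DNS names are resolved once, at startup, by iptables; they are never re-resolved` would make that trade-off visible to anyone reading the config files.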


@ -37,7 +37,9 @@
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if # WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
# the address given in this column is the primary # the address given in this column is the primary
# IP address for the interface in the INTERFACE # IP address for the interface in the INTERFACE
# column. # column.
#
# This column may not contain a DNS Name.
# #
# Example 1: # Example 1:
# #


@ -14,10 +14,10 @@
# #
# EXTERNAL External IP Address - this should NOT be the primary # EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next # IP address of the interface named in the next
# column. # column and must not be a DNS Name.
# INTERFACE Interface that we want to EXTERNAL address to appear # INTERFACE Interface that we want to EXTERNAL address to appear
# on # on
# INTERNAL Internal Address # INTERNAL Internal Address (must not be a DNS Name).
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective # ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
# from all hosts. If No or no then NAT will be effective # from all hosts. If No or no then NAT will be effective
# only through the interface named in the INTERFACE # only through the interface named in the INTERFACE


@ -3,20 +3,10 @@ fixes.
New features include: New features include:
1. A NEWNOTSYN option has been added to shorewall.conf. This option 1. DNS Names are now allowed in Shorewall config files.
determines whether Shorewall accepts TCP packets which are not part
of an established connection and that are not 'SYN' packets (SYN
flag on and ACK flag off).
2. The connection SOURCE may now be qualified by both interface
and IP address in a Shorewall rule.
2. The need for the 'multi' option to communicate between zones za and 3. Shorewall startup is now disabled after initial installation until
zb on the same interface is removed in the case where the chain the file /etc/shorewall/shorewall_disabled is removed.
'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
a. There is a policy for za to zb.
b. There is at least one rule for za to zb.
3. The /etc/shorewall/blacklist file now contains three columns. In
addition to the SUBNET/ADDRESS column, there are optional PROTOCOL
and PORT columns to block only certain applications from the
blacklisted addresses.


@ -71,6 +71,13 @@
# subnet, host or interface by appending ":" and the # subnet, host or interface by appending ":" and the
# subnet, host or interface. See above. # subnet, host or interface. See above.
# #
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
#
# The port that the server is listening on may be # The port that the server is listening on may be
# included and separated from the server's IP address by # included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the # ":". If omitted, the firewall will not modifiy the


@ -63,6 +63,9 @@ if [ $1 = 0 ]; then
elif [ -x /sbin/chkconfig ]; then elif [ -x /sbin/chkconfig ]; then
/sbin/chkconfig --del shorewall /sbin/chkconfig --del shorewall
fi fi
rm -f /etc/shorewall/startup_disabled
fi fi
%files %files
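Review bot: The file removed on uninstall, `/etc/shorewall/startup_disabled`, does not agree with the release notes in this same commit, which tell the user to remove `/etc/shorewall/shorewall_disabled`; one of the two names is wrong, and a user following the notes would leave the firewall disabled. The changelog entry uses `startup_disabled`, so the release notes text is the likely culprit, but the spec and the firewall script should be checked against each other since the script's test for that file is outside this hunk. A one-line comment above the `rm -f`, `# remove the install-time startup guard so a later reinstall starts clean`, would also document why a file the package never ships is deleted here.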