Add DNS Name support; remove startup_disabled on uninstall

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@255 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-09-24 23:13:36 +00:00
parent b709e18fd1
commit f2b2e84808
7 changed files with 56 additions and 47 deletions


@ -1,19 +1,12 @@
Changes since 1.3.7
Changes since 1.3.8
1. Correct rules file handling bug introduced in 1.3.7.
1. DNAT rules that remap a port but leave the IP address unchanged are
now handled properly.
2. Correct handling of DNAT rule where source is $FW
2. The use of shell variables in the LOG LEVEL or SYNPARMS columns of
the policy file now works correctly.
3. Reverse order of RFC 1918 and DHCP filtering
4. "shorewall refresh" fix for FORWARDPING=Yes
5. Replace tab with space in blacklist output.
6. Added NEWNOTSYN option
7. Assume 'multi' if canonical chain exists.
8. Add PROTOCOL and PORT columns to blacklist file
3. Added support for /etc/shorewall/startup_disabled.
4. Added support for DNS names in config files.


@ -609,10 +609,13 @@ validate_rule() {
[ -n "$client" ] && case "$client" in
-)
;;
*:*)
cli="-i ${client%:*} -s ${client#*:}"
;;
~*)
cli=`mac_match $client`
;;
[0-9]*|![0-9]*)
*.*.*)
#
# IP Address, address or subnet
#
@ -632,7 +635,7 @@ validate_rule() {
-)
serv=
;;
[0-9]*|![0-9]*)
*.*.*)
serv=$server
;;
~*)
@ -1381,7 +1384,7 @@ process_tc_rule()
if [ "x$source" != "x-" ]; then
case $source in
[0-9]*)
*.*.*)
r="-s $source "
;;
~*)
@ -1624,18 +1627,17 @@ add_a_rule()
[ -n "$client" ] && case "$client" in
-)
;;
[0-9]*|![0-9]*)
*:*)
cli="-i ${client%:*} -s ${client#*:}"
;;
*.*.*)
cli="-s $client"
;;
~*)
cli=`mac_match $client`
;;
*)
if [ "$client" != "${client%:*}" ]; then
cli="-i ${client%:*} -s ${client#*:}"
else
cli="-i $client"
fi
cli="-i $client"
;;
esac
@ -1647,7 +1649,7 @@ add_a_rule()
-)
serv=
;;
[0-9]*|![0-9]*)
*.*.*)
serv=$server
;;
*)
@ -1741,7 +1743,11 @@ add_a_rule()
# A specific server or server port given
[ -n "$addr" -a "$addr" != "$serv" ] && add_nat_rule
if [ -n "$addr" -a "$addr" != "$serv" ]; then
add_nat_rule
elif [ -n "$servport" -a "$servport" != "$port" ]; then
add_nat_rule
fi
serv="${serv:+-d $serv}"
@ -1967,7 +1973,7 @@ process_tos_rule() {
fi
[ -n "$src" ] && case "$src" in
[0-9]*|![0-9]*)
*.*.*)
#
# IP Address or subnet
#
@ -2010,7 +2016,7 @@ process_tos_rule() {
fi
[ -n "$dst" ] && case "$dst" in
[0-9]*|![0-9]*)
*.*.*)
#
# IP Address or subnet
#
@ -2416,7 +2422,7 @@ setup_masq()
iface=
case $subnet in
[0-9]*|![0-9]*)
*.*.*)
source="$subnet"
subnet="-s $subnet"
;;
@ -2783,12 +2789,17 @@ initialize_netfilter () {
setpolicy INPUT DROP
setpolicy OUTPUT DROP
setpolicy FORWARD DROP
deleteallchains
setcontinue FORWARD
setcontinue INPUT
setcontinue OUTPUT
#
# Allow DNS lookups during startup for FQDNs
#
run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT
[ -n "$CLAMPMSS" ] && \
run_iptables -A FORWARD -p tcp \
@ -3245,6 +3256,9 @@ activate_rules()
run_iptables -D INPUT 1
run_iptables -D OUTPUT 1
run_iptables -D FORWARD 1
run_iptables -D OUTPUT -p udp --dport 53 -j ACCEPT
run_iptables -D FORWARD -p udp --dport 53 -j ACCEPT
}
################################################################################
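Review bot: The `*.*.*)` case arms introduced in validate_rule, process_tc_rule, add_a_rule, process_tos_rule and setup_masq only recognise a name with at least two dots, so a host such as `gw.example` or a single-label name falls through to the `*)` arm and, in add_a_rule, becomes `cli="-i $client"`, i.e. it is silently treated as an interface name rather than rejected. The name is also resolved once, when iptables parses the rule at startup, so a name that resolves to several addresses or whose answer changes later is not tracked and whatever the resolver returned at that moment is what ends up in the rule set; a comment at the first `*.*.*)` arm such as `# IP address, subnet or DNS name (resolved once, at startup, by iptables)` would make that visible to the reader. Separately, the two `run_iptables -A ... -p udp --dport 53 -j ACCEPT` lines added to initialize_netfilter admit forwarded UDP/53 from any interface to any destination while the rest of the rule set is still being built, and they are only deleted at the end of activate_rules; whether a failure in between leaves them in place depends on the error path, which is outside these hunks. The enclosing functions start and end outside every hunk shown.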


@ -37,7 +37,9 @@
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
# the address given in this column is the primary
# IP address for the interface in the INTERFACE
# column.
# column.
#
# This column may not contain a DNS Name.
#
# Example 1:
#


@ -14,10 +14,10 @@
#
# EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next
# column.
# column and must not be a DNS Name.
# INTERFACE Interface that we want to EXTERNAL address to appear
# on
# INTERNAL Internal Address
# INTERNAL Internal Address (must not be a DNS Name).
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
# from all hosts. If No or no then NAT will be effective
# only through the interface named in the INTERFACE


@ -3,20 +3,10 @@ fixes.
New features include:
1. A NEWNOTSYN option has been added to shorewall.conf. This option
determines whether Shorewall accepts TCP packets which are not part
of an established connection and that are not 'SYN' packets (SYN
flag on and ACK flag off).
1. DNS Names are now allowed in Shorewall config files.
2. The connection SOURCE may now be qualified by both interface
and IP address in a Shorewall rule.
2. The need for the 'multi' option to communicate between zones za and
zb on the same interface is removed in the case where the chain
'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
a. There is a policy for za to zb.
b. There is at least one rule for za to zb.
3. The /etc/shorewall/blacklist file now contains three columns. In
addition to the SUBNET/ADDRESS column, there are optional PROTOCOL
and PORT columns to block only certain applications from the
blacklisted addresses.
3. Shorewall startup is now disabled after initial installation until
the file /etc/shorewall/shorewall_disabled is removed.


@ -71,6 +71,13 @@
# subnet, host or interface by appending ":" and the
# subnet, host or interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the


@ -63,6 +63,9 @@ if [ $1 = 0 ]; then
elif [ -x /sbin/chkconfig ]; then
/sbin/chkconfig --del shorewall
fi
rm -f /etc/shorewall/startup_disabled
fi
%files