From f56e907907a2de495a8ff9a9de214476b330655b Mon Sep 17 00:00:00 2001
From: teastep
Date: Thu, 4 Aug 2005 20:24:23 +0000
Subject: [PATCH] Correct typo in /etc/shorewall/policy; Allow "all+" in SOURCE/DEST in /etc/shorewall/rules to enable intra-zone traffic

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2454 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/firewall | 25 ++++++++++++++++++++-----
 Shorewall/policy | 2 +-
 Shorewall/releasenotes.txt | 13 ++++++++++++-
 Shorewall/rules | 25 +++++++++++++------------
 4 files changed, 46 insertions(+), 19 deletions(-)

diff --git a/Shorewall/firewall b/Shorewall/firewall
index f79bcc8bb..a538ccc09 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -5493,14 +5493,15 @@ process_rules() # $1 = "Yes" if the target is a macro.
 #
 # Process a rule where the source or destination is "all"
 #
- process_wildcard_rule() {
+ process_wildcard_rule() # $1 = Yes, if this is a macro, $2 = Yes if we want intrazone traffic
+ {
 local yclients yservers ysourcezone ydestzone ypolicy
 
 for yclients in $xclients; do
 for yservers in $xservers; do
 ysourcezone=${yclients%%:*}
 ydestzone=${yservers%%:*}
- if [ "${ysourcezone}" != "${ydestzone}" ] ; then
+ if [ "$2" = Yes -o "${ysourcezone}" != "${ydestzone}" ] ; then
 eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
 if [ "$ypolicy" != NONE ] ; then
 if [ "$1" = Yes ]; then
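Review bot: The new `"$2" = Yes` test lets the loop reach same-zone pairs, including `$FW` paired with itself, but the check on the following line still treats an empty `$ypolicy` (an unset `${ysourcezone}2${ydestzone}_policy` variable) as a policy to apply. Whether every intrazone pair has such a variable initialised is not visible in this hunk; if any can be unset, an `all+` rule would emit rules for a pair that has no policy and no declared chain. A guard such as `if [ -n "$ypolicy" -a "$ypolicy" != NONE ] ; then` makes the intent explicit, or the new header comment should state that intrazone policy variables are always set before process_rules runs. Note also that the caller passes `$intrazone` unquoted, so `$2` is simply absent when it is empty; that is fine for the test as written but deserves a word in the `# $2 = ...` comment. The body of process_wildcard_rule continues past the end of this hunk.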
@@ -5517,20 +5518,34 @@ process_rules() # $1 = "Yes" if the target is a macro.
 
 do_it() # $1 = "Yes" if the target is a macro.
 {
- expandv xprotocol xports xcports xaddress xratelimit xuserspec
+ expandv xprotocol xports xcports xaddress xratelimit xuserspec intrazone=
+
+ case $xclients in
+ all+)
+ xclients=all
+ intrazone=Yes
+ ;;
+ esac
+
+ case $xservers in
+ all+)
+ xservers=all
+ intrazone=Yes
+ ;;
+ esac
 
 if [ "x$xclients" = xall ]; then
 xclients="$ZONES $FW"
 if [ "x$xservers" = xall ]; then
 xservers="$ZONES $FW"
 fi
- process_wildcard_rule $1
+ process_wildcard_rule "$1" $intrazone
 return
 fi
 
 if [ "x$xservers" = xall ]; then
 xservers="$ZONES $FW"
- process_wildcard_rule "$1" $intrazone
+ process_wildcard_rule "$1" $intrazone
 return
 fi
 
diff --git a/Shorewall/policy b/Shorewall/policy
index 4a205a632..079634fcc 100644
--- a/Shorewall/policy
+++ b/Shorewall/policy
@@ -51,7 +51,7 @@
 # /etc/shorewall/actions (or
 # /usr/share/shorewall/actions.std) then that action
 # will be invoked before the policy named in this column
-# is inforced.
+# is enforced.
 #
 # The policy determined the default treatment of new
 # connection requests and may optionally be followed by
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 60c71b59b..6fb2ae4b2 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -157,6 +157,9 @@ Migration Considerations:
 upgrading to this release before "shorewall status" will show anything but "Unknown" for the state.
 
+8) The "shorewall forget" command now removes the dynamic blacklist
+ save file (/var/lib/shorewall/save).
+
 New Features in Shorewall 2.5.0
 
 1) Error and warning messages are made easier to spot by using
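Review bot: In the first added line of do_it, `intrazone=` appears on the same line as the `expandv` call, and the hunk counts (34 new lines, 20 insertions in the diffstat) are consistent with it being one line rather than a collapsed pair; if so, `intrazone=` is passed to expandv as a variable name instead of clearing the variable. What expandv does with an argument of that form depends on its definition, which is outside this hunk, so I cannot say from here whether the reset still takes effect. Because intrazone is not declared local in the visible lines and is set to Yes by the `all+` cases, a failed reset would let a previous rule's `all+` carry over and silently widen the next `all` rule to intrazone traffic. The safe form is two lines: `expandv xprotocol xports xcports xaddress xratelimit xuserspec` followed by `intrazone=` (and adding `intrazone` to do_it's `local` list if it has one). The remainder of do_it continues past the end of this hunk.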
@@ -298,5 +301,13 @@ New Features in Shorewall 2.5.0
 WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE INVOLVED IN PROXY ARP.
-
+7) In /etc/shorewall/rules, "all+" in the SOURCE or DEST column works
+ like "all" but also includes intrazone traffic. So the rule:
+ ACCEPT loc all+ tcp 22
+
+ would allow SSH traffic from loc->loc whereas
+
+ ACCEPT loc all tcp 22
+
+ does not.
diff --git a/Shorewall/rules b/Shorewall/rules
index f2b8edf30..64c4da6b9 100755
--- a/Shorewall/rules
+++ b/Shorewall/rules
@@ -112,20 +112,21 @@
 #
 # SOURCE Source hosts to which the rule applies. May be a zone
 # defined in /etc/shorewall/zones, $FW to indicate the
-# firewall itself, "all" or "none" If the ACTION is DNAT
-# or REDIRECT, sub-zones of the specified zone may be
-# excluded from the rule by following the zone name with
-# "!' and a comma-separated list of sub-zone names.
+# firewall itself, "all", "all+" or "none" If the ACTION
+# is DNAT or REDIRECT, sub-zones of the specified zone
+# may be excluded from the rule by following the zone
+# name with "!' and a comma-separated list of sub-zone
+# names.
 #
 # When "none" is used either in the SOURCE or DEST
 # column, the rule is ignored.
 #
 # When "all" is used either in the SOURCE or DEST column
-# intra-zone traffic is not affected. You must add
-# separate rules to handle that traffic.
+# intra-zone traffic is not affected. When "all+" is
+# used, intra-zone traffic is affected.
 #
-# Except when "all" is specified, clients may be further
-# restricted to a list of subnets and/or hosts by
+# Except when "all[+]" is specified, clients may be
+# further restricted to a list of subnets and/or hosts by
 # appending ":" and a comma-separated list of subnets
 # and/or hosts. Hosts may be specified by IP or MAC
 # address; mac addresses must begin with "~" and must use
@@ -166,16 +167,16 @@
 #
 # DEST Location of Server. May be a zone defined in
 # /etc/shorewall/zones, $FW to indicate the firewall
-# itself, "all" or "none".
+# itself, "all". "all+" or "none".
 #
 # When "none" is used either in the SOURCE or DEST
 # column, the rule is ignored.
 #
 # When "all" is used either in the SOURCE or DEST column
-# intra-zone traffic is not affected. You must add
-# separate rules to handle that traffic.
+# intra-zone traffic is not affected. When "all+" is
+# used, intra-zone traffic is affected.
 #
-# Except when "all" is specified, the server may be
+# Except when "all[+]" is specified, the server may be
 # further restricted to a particular subnet, host or
 # interface by appending ":" and the subnet, host or
 # interface. See above.
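Review bot: The first added DEST line, `# itself, "all". "all+" or "none".`, has a period where the list needs a comma, which reads as if "all+" started a new sentence. It should be `# itself, "all", "all+" or "none".`, matching the wording used for SOURCE in the previous hunk. Since this is the administrator-facing documentation for a keyword that widens a rule to intra-zone traffic, the two descriptions should be identical.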