From f7ea7cdd419bba04cd8dcc33cc36481dc5b51ee2 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 26 Jul 2003 16:44:38 +0000
Subject: [PATCH] Snapshot 1.4.6_20030726
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@678 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
Shorewall/changelog.txt | 55 ++++----------------------------------
Shorewall/fallback.sh | 2 +-
Shorewall/firewall | 50 +++++++++++++++++++++-------------
Shorewall/install.sh | 2 +-
Shorewall/releasenotes.txt | 20 ++++++++++++--
Shorewall/shorewall | 6 ++---
Shorewall/shorewall.spec | 4 ++-
Shorewall/uninstall.sh | 2 +-
Shorewall/zones | 5 ++++
9 files changed, 69 insertions(+), 77 deletions(-)
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index aebaf9266..1b8791d28 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,53 +1,8 @@ -Changes since 1.4.5 +Changes since 1.4.6 -1) Worked around RH7.3 "service" anomaly. +1) Added Smart Blacklisting. -2) Implemented 'newnotsyn' interface option. +2) Move determine_capabilities call to do_initialize to ensure that + MANGLE_ENABLED is set before it is tested. -3) Document range in masq ADDRESS column and suppress ADD_SNAT_ALIASES - behavior in that case. - -4) Enable ADD_SNAT_ALIASES=Yes for SNAT ranges. - -5) Allow Shorewall to add aliases to other than the first subnet on an - interface. - -6) Add support for load-balancing. - -7) Toned down the disclaimer for the 'check' command. - -8) Implemented support for the Connection Tracking Match extension in - iptables 1.2.8/Kernel 2.4.21. - -9) Removed the NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration - parameters and replaced them with code that detects these - capabilities. - -10) Added the SHOREWALL_SHELL configuraiton parameter. - -11) Fixed capability reporting (thanks to Simon Matter). - -12) Correct the implementation of destination IP list in DNAT[-] rules. - -13) Check for shells whose arithmetic support is broken. - -14) Moved IP Address manipulation functions to - /usr/share/shorewall/functions. - -15. Added ipcalc command. - -16. Fixed handling of destination DNS names containing a "-" - -17. Make ip_range() smarter. - -18. Added /sbin/shorewall iprange command. - -19. Fixed handling of excluded zone processing in DNAT and REDIRECT - rules (re-added the protocol to the rule). Fixed parsing of exclude - zones. - -20. Display policy chain along with policy in 'check' command. - -21. Support Linux 2.6 compressed modules. - -22. Don't display DHCP message when there are no DHCP interface. +3) Fixed MAC address handling in the SOURCE column of tcrules. diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh index bae84ca68..2ed23c2e8 100755 --- a/Shorewall/fallback.sh +++ b/Shorewall/fallback.sh 
@@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=1.4.6 +VERSION=1.4.6-20030726 usage() # $1 = exit status { diff --git a/Shorewall/firewall b/Shorewall/firewall index a0f59f113..a93bf2b0c 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -996,9 +996,9 @@ stop_firewall() { delete_proxy_arp [ -n "$CLEAR_TC" ] && delete_tc - setpolicy INPUT DROP - setpolicy OUTPUT DROP - setpolicy FORWARD DROP + for chain in INPUT OUTPUT FORWARD; do + setpolicy $chain DROP + done deleteallchains @@ -1564,7 +1564,7 @@ process_tc_rule() r="-s $source " ;; ~*) - r=`mac_match $source` + r="`mac_match $source` " ;; $FW) chain=tcout @@ -3463,22 +3463,36 @@ initialize_netfilter () { echo $all_interfaces > $STATEDIR/interfaces - if [ -f /var/lib/shorewall/save ]; then + if [ -f /var/lib/shorewall/save -o -f /var/lib/shorewall/savedyn ]; then echo "Restoring dynamic rules..." + + if [ -f /var/lib/shorewall/savedyn ]; then + while read target ignore1 ignore2 address rest; do + case $target in + DROP|reject) + chains=`dynamic_chains_by_address $address` + + for chain in ${chains:-dynamic}; do + run_iptables2 -I $chain -s $address -j $target + done + ;; + *) + ;; + esac + done < /var/lib/shorewall/savedyn + fi - while read target ignore1 ignore2 address rest; do - case $target in - DROP|reject) - chains=`dynamic_chains_by_address $address` - - for chain in ${chains:-dynamic}; do - run_iptables2 -I $chain -s $address -j $target - done - ;; - *) - ;; - esac - done < /var/lib/shorewall/save + if [ -f /var/lib/shorewall/save ]; then + while read target ignore1 ignore2 address rest; do + case $target in + DROP|reject) + run_iptables2 -A dynamic -s $address -j $target + ;; + *) + ;; + esac + done < /var/lib/shorewall/save + fi fi echo "Creating Interface Chains..." diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 8cc393dff..94231684a 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh 
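Review bot: In the `~*)` arm of process_tc_rule the output of `mac_match $source` is used unchecked; if mac_match rejects or cannot parse the value and prints nothing (its body is not visible here, so this is an assumption), `r` becomes a lone space and the tcrule is emitted with no source match at all, so a classification meant for one MAC would apply to every packet. Keep the new trailing-space form but validate the result, e.g. `r="`mac_match $source` "` followed by `[ "$r" != " " ] || fatal_error "Invalid MAC address ($source)"`, using the script's existing fatal_error helper. process_tc_rule begins and ends outside the hunk.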
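Review bot: The restore block in initialize_netfilter replays the legacy /var/lib/shorewall/save file on every start for as long as it exists, but save_dynamic_blacklist in this same commit writes only savedyn and never removes or renames the legacy file, so an address that was later un-blacklisted and saved would be re-added from the stale file at each restart. Once the legacy loop has run, retire the file, e.g. `rm -f /var/lib/shorewall/save` after its `done`, or rename it so it is replayed only once. Both new loops also use `read` without `-r` and pass `$address` unquoted to run_iptables2; since the file is iptables output rather than user input this is mostly harmless, but `while read -r target ignore1 ignore2 address rest; do` costs nothing. initialize_netfilter continues past the end of the hunk.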
@@ -54,7 +54,7 @@ # /etc/rc.d/rc.local file is modified to start the firewall. # -VERSION=1.4.6 +VERSION=1.4.6-20030726 usage() # $1 = exit status { diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index f23567cd9..aa16b933a 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,6 +1,13 @@ This is a minor release of Shorewall. -Problems Corrected: +Problems Corrected since version 1.4.6: + +1) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was + being tested before it was set. + +2) Corrected handling of MAC addresses in the SOURCE column of the + tcrules file. Previously, these addresses resulted in an invalid + iptables command. None. @@ -8,7 +15,11 @@ Migration Issues: 1) Once you have installed this version of Shorewall, you must restart Shorewall before you may use the 'drop', 'reject', 'allow' - or 'save' commands. + or 'save' commands. + +2) To maintain strict compatibility with previous versions, current + uses of "shorewall drop" and "shorewall reject" should be replaced + with "shorewall dropall" and "shorewall rejectall". New Features: @@ -16,3 +27,8 @@ New Features: defined in /etc/shorewall/interfaces. The 'drop' and 'reject' commands use the routing table to determine which of these chains is to be used for blacklisting the specified IP address(es). + + Two new commands ('dropall' and 'rejectall') have been introduced + that do what 'drop' and 'reject' used to do; namely, when an address + is blacklisted using these new commands, it will be blacklisted on + all of your firewall's interfaces. diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 5a6d200a7..a3d01eae3 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall 
@@ -535,14 +535,14 @@ load_all_interfaces() { # save_dynamic_blacklist() { - [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall + [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall load_all_interfaces - > /var/lib/shorewall/save + > /var/lib/shorewall/savedyn for interface in $all_interfaces; do - if ! iptables -L `dynamic_chain $interface` >> /var/lib/shorewall/save; then + if ! iptables -L `dynamic_chain $interface` >> /var/lib/shorewall/savedyn; then echo "Error Saving the Dynamic Rules" return fi diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 4f22e88b5..0b66e0862 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 1.4.6 +%define version 1.4.6_20030726 %define release 1 %define prefix /usr @@ -105,6 +105,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Sat Jul 26 2003 Tom Eastep +- Changed version to 1.4.6_20030726-1 * Sat Jul 19 2003 Tom Eastep - Changed version to 1.4.6-1 * Mon Jul 14 2003 Tom Eastep diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index 16e4cb057..6a7eb654f 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=1.4.6 +VERSION=1.4.6-20030726 usage() # $1 = exit status { diff --git a/Shorewall/zones b/Shorewall/zones index 4f3cdcd6f..993080b5e 100644 --- a/Shorewall/zones +++ b/Shorewall/zones @@ -7,6 +7,11 @@ # DISPLAY Display name of the zone # COMMENTS Comments about the zone # +# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR +# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts. +# +# See http://www.shorewall.net/Documentation.htm#Nested +# #ZONE DISPLAY COMMENTS net Net Internet loc Local Local networks
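Review bot: `iptables -L` in save_dynamic_blacklist runs without `-n`, so the saved `source` column is whatever iptables prints after reverse lookup — a hostname, or `anywhere` for 0.0.0.0/0 — and the restore loop in `firewall` feeds that field straight back as `-s $address`, which re-resolves names at boot (possibly to a different address, or failing before DNS is reachable). Save numeric output instead: `if ! iptables -n -L `dynamic_chain $interface` >> /var/lib/shorewall/savedyn; then`. The failure branch also prints "Error Saving the Dynamic Rules" but then `return`s the status of that echo (0), so a caller cannot tell the save was partial; `return 1` would surface it. The function's closing lines are outside the hunk.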