diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 179563c1e..0bff4846b 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -15,3 +15,5 @@ Changes since 2.0.0
 7) Add -x option to /sbin/shorewall.
 8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC.
+
+9) Improve zone-definition checking.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index e98ff2606..6a627b773 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -587,6 +587,10 @@ determine_hosts() {
 for host in $hosts; do
 interface=${host%:*}
 if list_search $interface $interfaces; then
+ list_search $interface:0.0.0.0/0 $hosts && \
+ startup_error "Invalid zone definition for zone $zone"
+ list_search $interface:0/0 $hosts && \
+ startup_error "Invalid zone definition for zone $zone"
 eval ${zone}_is_complex=Yes
 else
 if [ -z "$interfaces" ]; then
@@ -616,6 +620,13 @@ validate_zone() # $1 = zone
 {
 list_search $1 $zones $FW
 }
+#
+# Ensure that the passed zone is defined in the zones file.
+#
+validate_zone1() # $1 = zone
+{
+ list_search $1 $zones
+}
 #
 # Validate the zone names and options in the interfaces file
@@ -701,7 +712,7 @@ validate_hosts_file() {
 while read z hosts options; do
 expandv z hosts options
 r="$z $hosts $options"
- validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
+ validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\""
 interface=${hosts%%:*}
 iface=$(chain_base $interface)
diff --git a/Shorewall2/hosts b/Shorewall2/hosts
index 8085dbeb0..12f9740d7 100644
--- a/Shorewall2/hosts
+++ b/Shorewall2/hosts
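Review bot: The startup_error message on the four added lines of the determine_hosts hunk names only the zone, so for a zone with several interfaces the administrator cannot tell which interface was rejected; include `$interface` in it, e.g. `startup_error "Invalid zone definition for zone $zone: interface $interface appears in both the interfaces and hosts files"`. The two lookups differ only in the spelling of the all-addresses host, so one guard would do: `list_search $interface:0.0.0.0/0 $hosts || list_search $interface:0/0 $hosts && startup_error ...`, with the `&&`/`||` precedence made explicit by braces. The check also trips only on the whole-interface forms, not on a subnet entry for the same interface, so a short comment stating that this is deliberate would stop the next reader from "fixing" it to match the broader release-notes wording. determine_hosts begins before and ends after this hunk.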
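Review bot: The name validate_zone1 and its header comment in the second firewall hunk do not say how it differs from validate_zone directly above it, which is that the list passed to list_search omits $FW and so the firewall zone is rejected; a reader of the call site cannot tell that from the name. Either give it a descriptive name or make the comment say so, e.g. `# Like validate_zone, but does not accept the firewall zone ($FW); for files in which the firewall zone is not a valid entry.` A rename would also have to touch the call changed in the validate_hosts_file hunk. The opening line of validate_zone is in the hunk header, outside the hunk proper.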
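Review bot: With the switch to validate_zone1 in the third firewall hunk, a hosts record that names the firewall zone now fails with the generic `Invalid zone ($z)` message, which is misleading because $FW is accepted by validate_zone everywhere else and the release notes present this as a distinct trap. A dedicated check before the validate_zone1 call would make the cause explicit: `[ "$z" = "$FW" ] && startup_error "The firewall zone ($FW) may not be used in a hosts record: \"$r\""`. validate_hosts_file starts before this hunk and continues past it.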
@@ -5,7 +5,11 @@
 # ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
 #
 # IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
-#
+#------------------------------------------------------------------------------
+# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
+# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
+# ZONE AND INTERFACE IN THIS FILE.
+#------------------------------------------------------------------------------
 # This file is used to define zones in terms of subnets and/or
 # individual IP addresses. Most simple setups don't need to
 # (should not) place anything in this file.
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 58ff127af..c89b705a6 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -72,4 +72,17 @@ New Features:
 shorewall -x status
 shorewall -x monitor [ ]
+4) Shorewall now traps two common zone definition errors:
+
+ - Including the firewall zone in a /etc/shorewall/hosts record.
+ - Defining a interface for a zone in both /etc/shorewall/interfaces
+ and /etc/shorewall/hosts.
+
+ In the second case, the following will appear during "shorewall
+ [re]start" or "shorewall check":
+
+ Determining Hosts in Zones...
+ ...
+ Error: Invalid zone definition for zone
+ Terminated