Changes for 1.3.6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@179 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Lrp/etc/init.d/shorewall

@@ -192,12 +192,15 @@ run_tc() {
 ################################################################################
 createchain() # $1 = chain name, $2 = If non-null, don't create default rules
 {
+    local target
+
     run_iptables -N $1
 
     if [ $# -eq 1 ]; then
 	state="ESTABLISHED"
 	[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
 	run_iptables -A $1 -m state --state $state -j ACCEPT
+	run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn
     fi
 
     eval ${1}_exists=Yes
@@ -1236,7 +1239,7 @@ setup_proxy_arp() {
     interfaces=`find_interfaces_by_option proxyarp`
 
     for interface in $interfaces; do
-	if qt echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp; then
+	if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then
 	    echo "   Enabled proxy ARP on $interface"
         else
 	    error_message "Warning: Unable to enable proxy ARP on $interface"
@@ -2713,11 +2716,19 @@ initialize_netfilter () {
 	run_iptables -A FORWARD -p tcp \
 	    --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
+    
+    createchain newnotsyn no
+    run_user_exit newnotsyn
+    [ -n "$LOGNEWNOTSYN" ] && \
+	run_iptables -A newnotsyn -j LOG \
+	--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
+    run_iptables -A newnotsyn -j DROP	
+
     createchain icmpdef no
     createchain common	no
     createchain reject	no
     createchain dynamic no
-    
+	    
     if [ -f /var/lib/shorewall/save ]; then
 	echo "Restoring dynamic rules..."
 
@@ -3388,6 +3399,7 @@ do_initialize() {
     DETECT_DNAT_IPADDRS=
     MERGE_HOSTS=
     MUTEX_TIMEOUT=
+    LOGNEWNOTSYN=
     stopping=
     have_mutex=
     masq_seq=1

Lrp/etc/shorewall/interfaces

@@ -35,7 +35,9 @@
 #			following:
 #
 #			dhcp	     - interface is managed by DHCP or used by
-#                                      a DHCP server running on the firewall.
+#                                      a DHCP server running on the firewall or
+#				       you have a static IP but are on a LAN
+#				       segment with lots of Laptop DHCP clients.
 #			noping	     - icmp echo-request (ping) packets
 #				       addressed to the firewall should
 #				       be ignored on this interface
@@ -65,7 +67,9 @@
 #				       addresses and you want to be able to
 #				       route between them.
 #			routefilter  - turn on kernel route filtering for this
-#				       interface (anti-spoofing measure).
+#				       interface (anti-spoofing measure). This
+#                                      option can also be enabled globally in
+#				       the /etc/shorewall/shorewall.conf file.
 #			dropunclean  - Logs and drops mangled/invalid packets
 #
 #			logunclean   - Logs mangled/invalid packets but does

Lrp/etc/shorewall/masq

@@ -57,7 +57,7 @@
 #
 #		  You add a router to your local network to connect subnet
 #		  192.168.1.0/24 which you also want to masquerade. You then
-#		  add the following entry to this file:
+#		  add a second entry for eth0 to this file:
 #
 #			eth0	192.168.1.0/24
 #
@@ -76,6 +76,9 @@
 #
 #			eth0	192.168.1.0/24	206.124.146.176
 #
+#		  This would normally be done when you have a static external
+#		  IP address since it makes the processing of outgoing 
+#		  packets somewhat faster.
 ##############################################################################
 #INTERFACE	        SUBNET		ADDRESS
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Lrp/etc/shorewall/policy

@@ -35,7 +35,7 @@
 #	As shipped, the default policies are:
 #
 #	a) All connections from the local network to the internet are allowed
-#	b) All connections from the network are ignored but logged at syslog
+#	b) All connections from the internet are ignored but logged at syslog
 #	   level KERNEL.INFO.
 #	d) All other connection requests are rejected and logged at level
 #	   KERNEL.INFO.

Lrp/etc/shorewall/rfc1918

@@ -29,7 +29,7 @@
 #
 #	http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
 #
-# The program was contributed by Andy Wiggen
+# The program was contributed by Andy Wiggin
 #
 0.0.0.0/7		logdrop		# Reserved
 2.0.0.0/8		logdrop		# Reserved

Lrp/etc/shorewall/shorewall.conf

@@ -9,26 +9,36 @@
 #  (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
 ##############################################################################
 #
+# NAME OF THE FIREWALL ZONE
+#
 # Name of the firewall zone -- if not set or if set to an empty string, "fw"
 # is assumed.
 #
 FW=fw
 
 
+#
+# SUBSYSTEM LOCK FILE
+#
 # Set this to the name of the lock file expected by your init scripts. For
 # RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
 # should be /var/state/shorewall. If your init scripts don't use lock files,
-# set -this to "".
+# set this to "".
 #
 
 SUBSYSLOCK=/var/run/shorewall
 
+#
+# SHOREWALL TEMPORARY STATE DIRECTORY
+#
 # This is the directory where the firewall maintains state information while
 # it is running
 #
 
 STATEDIR=/tmp/shorewall
 
+#
+# ALLOW RELATED CONNECTIONS
 #
 # Set this to "yes" or "Yes" if you want to accept all connection requests
 # that are related to already established connections. For example, you want
@@ -39,6 +49,8 @@ STATEDIR=/tmp/shorewall
 
 ALLOWRELATED=yes
 
+#
+# KERNEL MODULE DIRECTORY
 #
 # If your netfilter kernel modules are in a directory other than
 # /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
@@ -46,6 +58,8 @@ ALLOWRELATED=yes
 
 MODULESDIR=
 
+#
+# LOG RATE LIMITING
 #
 # The next two variables can be used to control the amount of log output
 # generated. LOGRATE is expressed as a number followed by an optional
@@ -54,22 +68,35 @@ MODULESDIR=
 # maximum initial burst size that will be logged. If set empty, the default
 # value of 5 will be used.
 #
+# Example:
+#
+#	LOGRATE=10/minute
+#	LOGBURST=5
+#
 # If BOTH variables are set empty then logging will not be rate-limited.
 #
 
 LOGRATE=
 LOGBURST=
 
-
+#
+# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
 #
 # This variable determines the level at which Mangled/Invalid packets are logged
 # under the 'dropunclean' interface option. If you set this variable to an
 # empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
 # silently.
 #
+# The value of this variable also determines the level at which Mangled/Invalid
+# packets are logged under the 'logunclean' interface option. If the variable
+# is empty, these packets will still be logged at the 'info' level.
+#
 
 LOGUNCLEAN=info
 
+#
+# LOG FILE LOCATION
+#
 # This variable tells the /sbin/shorewall program where to look for Shorewall
 # log messages. If not set or set to an empty string (e.g., LOGFILE="") then
 # /var/log/messages is assumed.
@@ -83,7 +110,7 @@ LOGUNCLEAN=info
 LOGFILE=/var/log/messages
 
 #
-# Enable nat support.
+# ENABLE NAT SUPPORT
 #
 # You probally want yes here. Only gateways not doing NAT in any form, like
 # SNAT,DNAT masquerading, port forwading etc. should say "no" here.
@@ -91,7 +118,7 @@ LOGFILE=/var/log/messages
 NAT_ENABLED=Yes
 
 #
-# Enable mangle support.
+# ENABLE MANGLE SUPPORT
 #
 # If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
 # and will not initialize the mangle table when starting or stopping
@@ -101,7 +128,7 @@ NAT_ENABLED=Yes
 MANGLE_ENABLED=Yes
 
 #
-# Enable IP Forwarding
+# ENABLE IP FORWARDING
 #
 # If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
 # say "Off" or "off", packet forwarding will be disabled. You would only want
@@ -113,26 +140,27 @@ MANGLE_ENABLED=Yes
 # enable nor disable packet forwarding.
 #
 IP_FORWARDING=On
+
 #
-# Automatically add IP Aliases
+# AUTOMATICALLY ADD NAT IP ADDRESSES
 #
-# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
+# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
 # for each NAT external address that you give in /etc/shorewall/nat. If you say
 # "No" or "no", you must add these aliases youself.
 #
 ADD_IP_ALIASES=Yes
 
 #
-# Automatically add SNAT Aliases
+# AUTOMATICALLY ADD SNAT IP ADDRESSES
 #
-# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
+# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
 # for each SNAT external address that you give in /etc/shorewall/masq. If you say
 # "No" or "no", you must add these aliases youself.
 #
 ADD_SNAT_ALIASES=No
 
 #
-# Enable Traffic Shaping
+# ENABLE TRAFFIC SHAPING
 #
 # If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
 # you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
@@ -142,7 +170,7 @@ ADD_SNAT_ALIASES=No
 TC_ENABLED=No
 
 #
-# Blacklisting
+# BLACKLIST DISPOSITION
 #
 # Set this variable to the action that you want to perform on packets from
 # Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
@@ -151,7 +179,7 @@ TC_ENABLED=No
 BLACKLIST_DISPOSITION=DROP
 
 #
-# Blacklist Logging
+# BLACKLIST LOG LEVEL
 #
 # Set this variable to the syslogd level that you want blacklist packets logged
 # (beward of DOS attacks resulting from such logging). If not set, no logging
@@ -160,7 +188,7 @@ BLACKLIST_DISPOSITION=DROP
 BLACKLIST_LOGLEVEL=
 
 #
-# MSS Clamping
+# MSS CLAMPING
 #
 # Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
 # option. This option is most commonly required when your internet
@@ -189,17 +217,19 @@ BLACKLIST_LOGLEVEL=
 CLAMPMSS=No
 
 #
-# Route Filtering
+# ROUTE FILTERING
 #
 # Set this variable to "Yes" or "yes" if you want kernel route filtering on all
 # interfaces (anti-spoofing measure).
 #
 # If this variable is not set or is set to the empty value, "No" is assumed.
+# In that case, you can still enable route filtering on individual interfaces
+# in the /etc/shorewall/interfaces file.
 
 ROUTE_FILTER=No
 
 #
-# NAT before RULES
+# NAT BEFORE RULES
 #
 # Shorewall has traditionally processed static NAT rules before port forwarding
 # rules. If you would like to reverse the order, set this variable to "No".
@@ -208,7 +238,7 @@ ROUTE_FILTER=No
 
 NAT_BEFORE_RULES=Yes
 
-# MULTIPORT
+# MULTIPORT support
 #
 # If your kernel includes the multiport match option
 # (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this
@@ -228,7 +258,7 @@ NAT_BEFORE_RULES=Yes
 
 MULTIPORT=No
 
-# DNAT IP Address Detection
+# DNAT IP ADDRESS DETECTION
 #
 # Normally when Shorewall encounters the following rule:
 #
@@ -259,7 +289,8 @@ MULTIPORT=No
 
 DETECT_DNAT_IPADDRS=No
 
-# Merge Hosts File
+#
+# MERGE HOSTS FILE
 #
 # The traditional behavior of the /etc/shorewall/hosts file has been that
 # if that file has ANY entry for a zone then the zone must be defined 
@@ -292,7 +323,7 @@ DETECT_DNAT_IPADDRS=No
 MERGE_HOSTS=Yes
 
 #
-# Mutex Timeout
+# MUTEX TIMEOUT
 #
 # The value of this variable determines the number of seconds that programs
 # will wait for exclusive access to the Shorewall lock file. After the number
@@ -306,4 +337,17 @@ MERGE_HOSTS=Yes
 
 MUTEX_TIMEOUT=60
 
+#
+# LOGGING 'New not SYN' rejects
+#
+# When a TCP packet that does not have the SYN flag set and the ACK and RST
+# flags clear then unless the packet is part of an established connection,
+# it will be rejected by the firewall. If you want these rejects logged, 
+# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
+#
+# Example: LOGNEWNOTSYN=debug
+
+
+LOGNEWNOTSYN=
+
 #LAST LINE -- DO NOT REMOVE

Lrp/etc/shorewall/tcrules

@@ -4,7 +4,7 @@
 # /etc/shorewall/tcrules
 #
 #	Entries in this file cause packets to be marked as a means of
-#	classifying them for traffic control.
+#	classifying them for traffic control or policy routing.
 #
 # Columns are:
 #

Lrp/sbin/shorewall

@@ -201,6 +201,7 @@ display_chains()
 	showchain rfc1918
 	showchain blacklst
 	showchain reject
+	showchain newnotsyn
 	for zone in $zones all; do
 	    showchain ${zone}2all
 	    showchain @${zone}2all

Lrp/var/lib/shorewall/version

@@ -1 +1 @@
-1.3.5a
+1.3.6