Changes for 1.3.6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@179 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-08-06 20:30:45 +00:00
parent 0e9e5a4241
commit f8832018d2
9 changed files with 92 additions and 28 deletions

View File

@ -192,12 +192,15 @@ run_tc() {
################################################################################
createchain() # $1 = chain name, $2 = If non-null, don't create default rules
{
local target
run_iptables -N $1
if [ $# -eq 1 ]; then
state="ESTABLISHED"
[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
run_iptables -A $1 -m state --state $state -j ACCEPT
run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn
fi
eval ${1}_exists=Yes
@ -1236,7 +1239,7 @@ setup_proxy_arp() {
interfaces=`find_interfaces_by_option proxyarp`
for interface in $interfaces; do
if qt echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp; then
if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then
echo " Enabled proxy ARP on $interface"
else
error_message "Warning: Unable to enable proxy ARP on $interface"
@ -2713,6 +2716,14 @@ initialize_netfilter () {
run_iptables -A FORWARD -p tcp \
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
createchain newnotsyn no
run_user_exit newnotsyn
[ -n "$LOGNEWNOTSYN" ] && \
run_iptables -A newnotsyn -j LOG \
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
run_iptables -A newnotsyn -j DROP
createchain icmpdef no
createchain common no
createchain reject no
@ -3388,6 +3399,7 @@ do_initialize() {
DETECT_DNAT_IPADDRS=
MERGE_HOSTS=
MUTEX_TIMEOUT=
LOGNEWNOTSYN=
stopping=
have_mutex=
masq_seq=1

View File

@ -35,7 +35,9 @@
# following:
#
# dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall.
# a DHCP server running on the firewall or
# you have a static IP but are on a LAN
# segment with lots of Laptop DHCP clients.
# noping - icmp echo-request (ping) packets
# addressed to the firewall should
# be ignored on this interface
@ -65,7 +67,9 @@
# addresses and you want to be able to
# route between them.
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure).
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
# dropunclean - Logs and drops mangled/invalid packets
#
# logunclean - Logs mangled/invalid packets but does

View File

@ -57,7 +57,7 @@
#
# You add a router to your local network to connect subnet
# 192.168.1.0/24 which you also want to masquerade. You then
# add the following entry to this file:
# add a second entry for eth0 to this file:
#
# eth0 192.168.1.0/24
#
@ -76,6 +76,9 @@
#
# eth0 192.168.1.0/24 206.124.146.176
#
# This would normally be done when you have a static external
# IP address since it makes the processing of outgoing
# packets somewhat faster.
##############################################################################
#INTERFACE SUBNET ADDRESS
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

View File

@ -35,7 +35,7 @@
# As shipped, the default policies are:
#
# a) All connections from the local network to the internet are allowed
# b) All connections from the network are ignored but logged at syslog
# b) All connections from the internet are ignored but logged at syslog
# level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.

View File

@ -29,7 +29,7 @@
#
# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
#
# The program was contributed by Andy Wiggen
# The program was contributed by Andy Wiggin
#
0.0.0.0/7 logdrop # Reserved
2.0.0.0/8 logdrop # Reserved

View File

@ -9,26 +9,36 @@
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
##############################################################################
#
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
#
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set -this to "".
# set this to "".
#
SUBSYSLOCK=/var/run/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/tmp/shorewall
#
# ALLOW RELATED CONNECTIONS
#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want
@ -39,6 +49,8 @@ STATEDIR=/tmp/shorewall
ALLOWRELATED=yes
#
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
@ -46,6 +58,8 @@ ALLOWRELATED=yes
MODULESDIR=
#
# LOG RATE LIMITING
#
# The next two variables can be used to control the amount of log output
# generated. LOGRATE is expressed as a number followed by an optional
@ -54,22 +68,35 @@ MODULESDIR=
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# Example:
#
# LOGRATE=10/minute
# LOGBURST=5
#
# If BOTH variables are set empty then logging will not be rate-limited.
#
LOGRATE=
LOGBURST=
#
# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
#
# This variable determines the level at which Mangled/Invalid packets are logged
# under the 'dropunclean' interface option. If you set this variable to an
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
# silently.
#
# The value of this variable also determines the level at which Mangled/Invalid
# packets are logged under the 'logunclean' interface option. If the variable
# is empty, these packets will still be logged at the 'info' level.
#
LOGUNCLEAN=info
#
# LOG FILE LOCATION
#
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
@ -83,7 +110,7 @@ LOGUNCLEAN=info
LOGFILE=/var/log/messages
#
# Enable nat support.
# ENABLE NAT SUPPORT
#
# You probally want yes here. Only gateways not doing NAT in any form, like
# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
@ -91,7 +118,7 @@ LOGFILE=/var/log/messages
NAT_ENABLED=Yes
#
# Enable mangle support.
# ENABLE MANGLE SUPPORT
#
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
# and will not initialize the mangle table when starting or stopping
@ -101,7 +128,7 @@ NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
#
# Enable IP Forwarding
# ENABLE IP FORWARDING
#
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
# say "Off" or "off", packet forwarding will be disabled. You would only want
@ -113,26 +140,27 @@ MANGLE_ENABLED=Yes
# enable nor disable packet forwarding.
#
IP_FORWARDING=On
#
# Automatically add IP Aliases
# AUTOMATICALLY ADD NAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases youself.
#
ADD_IP_ALIASES=Yes
#
# Automatically add SNAT Aliases
# AUTOMATICALLY ADD SNAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases youself.
#
ADD_SNAT_ALIASES=No
#
# Enable Traffic Shaping
# ENABLE TRAFFIC SHAPING
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
@ -142,7 +170,7 @@ ADD_SNAT_ALIASES=No
TC_ENABLED=No
#
# Blacklisting
# BLACKLIST DISPOSITION
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
@ -151,7 +179,7 @@ TC_ENABLED=No
BLACKLIST_DISPOSITION=DROP
#
# Blacklist Logging
# BLACKLIST LOG LEVEL
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beward of DOS attacks resulting from such logging). If not set, no logging
@ -160,7 +188,7 @@ BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=
#
# MSS Clamping
# MSS CLAMPING
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
@ -189,17 +217,19 @@ BLACKLIST_LOGLEVEL=
CLAMPMSS=No
#
# Route Filtering
# ROUTE FILTERING
#
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces (anti-spoofing measure).
#
# If this variable is not set or is set to the empty value, "No" is assumed.
# In that case, you can still enable route filtering on individual interfaces
# in the /etc/shorewall/interfaces file.
ROUTE_FILTER=No
#
# NAT before RULES
# NAT BEFORE RULES
#
# Shorewall has traditionally processed static NAT rules before port forwarding
# rules. If you would like to reverse the order, set this variable to "No".
@ -208,7 +238,7 @@ ROUTE_FILTER=No
NAT_BEFORE_RULES=Yes
# MULTIPORT
# MULTIPORT support
#
# If your kernel includes the multiport match option
# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this
@ -228,7 +258,7 @@ NAT_BEFORE_RULES=Yes
MULTIPORT=No
# DNAT IP Address Detection
# DNAT IP ADDRESS DETECTION
#
# Normally when Shorewall encounters the following rule:
#
@ -259,7 +289,8 @@ MULTIPORT=No
DETECT_DNAT_IPADDRS=No
# Merge Hosts File
#
# MERGE HOSTS FILE
#
# The traditional behavior of the /etc/shorewall/hosts file has been that
# if that file has ANY entry for a zone then the zone must be defined
@ -292,7 +323,7 @@ DETECT_DNAT_IPADDRS=No
MERGE_HOSTS=Yes
#
# Mutex Timeout
# MUTEX TIMEOUT
#
# The value of this variable determines the number of seconds that programs
# will wait for exclusive access to the Shorewall lock file. After the number
@ -306,4 +337,17 @@ MERGE_HOSTS=Yes
MUTEX_TIMEOUT=60
#
# LOGGING 'New not SYN' rejects
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN=
#LAST LINE -- DO NOT REMOVE

View File

@ -4,7 +4,7 @@
# /etc/shorewall/tcrules
#
# Entries in this file cause packets to be marked as a means of
# classifying them for traffic control.
# classifying them for traffic control or policy routing.
#
# Columns are:
#

View File

@ -201,6 +201,7 @@ display_chains()
showchain rfc1918
showchain blacklst
showchain reject
showchain newnotsyn
for zone in $zones all; do
showchain ${zone}2all
showchain @${zone}2all

View File

@ -1 +1 @@
1.3.5a
1.3.6