diff --git a/Shorewall2/actions b/Shorewall2/actions index e6a8a6d3d..ebadc7b39 100644 --- a/Shorewall2/actions +++ b/Shorewall2/actions @@ -16,14 +16,6 @@ # respectively is enforced. If you specify ":DROP" or ":REJECT" # on more than one action then only the last such action will be # taken. -# -# If you remove the following INCLUDE, you will need to copy the -# definitions you need from the actions.std file into this one. -# -INCLUDE /etc/shorewall/actions.std -# -# Add your entries below here -# #ACTION #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index d17df85ea..65748eeac 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -40,3 +40,7 @@ Changes since 1.4.10 19) Added a comment to the rules file to aid users who are terminally stupid. 20) Only create the action chains that are actually used. + +21) Move actions.std and action.* files to /usr/share/shorewall. + +22) Added DISABLE_IPV6 option. diff --git a/Shorewall2/fallback.sh b/Shorewall2/fallback.sh index 6d099acd4..fe228a434 100755 --- a/Shorewall2/fallback.sh +++ b/Shorewall2/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=2.0.0-Beta1 +VERSION=2.0.0-Beta2 usage() # $1 = exit status { @@ -131,7 +131,7 @@ restore_file /etc/shorewall/actions.std restore_file /etc/shorewall/actions -for f in /etc/shorewall/action.*-${VERSION}.bkout; do +for f in /usr/share/shorewall/action.*-${VERSION}.bkout; do restore_file $(echo $f | sed "s/-${VERSION}.bkout//") done diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 8cf9395a0..17443990f 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall 
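Review bot: The context line `restore_file /etc/shorewall/actions.std` just above the changed loop still names the old location, while install.sh in this same commit installs actions.std under /usr/share/shorewall (and, if install_file_with_backup backs up next to the target, that is where the `.bkout` copy will be), so a fallback would leave the reverted actions.std at a path the new process_actions1 never reads; it should become `restore_file /usr/share/shorewall/actions.std`. The glob `/usr/share/shorewall/action.*-${VERSION}.bkout` is also passed through literally when nothing matches, so restore_file is then invoked on the pattern itself — a `[ -f "$f" ] || continue` as the first line of the loop body would avoid that. This loop is top-level script code, so no enclosing function is cut by the hunk.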
@@ -1012,6 +1012,12 @@ stop_firewall() { delete_proxy_arp [ -n "$CLEAR_TC" ] && delete_tc + if [ -n "$DISABLE_IPV6" ]; then + ip6tables -P FORWARD DROP + ip6tables -P INPUT DROP + ip6tables -P OUTPUT DROP + fi + if [ -z "$ADMINISABSENTMINDED" ]; then for chain in INPUT OUTPUT FORWARD; do setpolicy $chain DROP @@ -1105,6 +1111,10 @@ clear_firewall() { setpolicy FORWARD ACCEPT setpolicy OUTPUT ACCEPT + ip6tables -P INPUT ACCEPT 2> /dev/null + ip6tables -P OUTPUT ACCEPT 2> /dev/null + ip6tables -P FORWARD ACCEPT 2> /dev/null + run_user_exit clear logger "Shorewall Cleared" 
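Review bot: The three `ip6tables -P ... DROP` calls added to stop_firewall, and the identical block added to initialize_netfilter later in this diff, neither confirm that ip6tables is available nor look at its exit status, so on a host with DISABLE_IPV6=Yes where ip6tables is missing or fails the IPv6 policy the option promises is simply not applied and the script continues as if it were. Because the option exists precisely to guarantee IPv6 is blocked, the failure should be surfaced: in initialize_netfilter something like `ip6tables -P INPUT DROP || fatal_error "Unable to set IPv6 INPUT policy"` (fatal_error is the existing error path in this file), and in stop_firewall at least a diagnostic on stderr, since aborting a stop is probably not wanted. Note too that `-P DROP` only changes the chain default policy; any rules already loaded in the IPv6 chains keep matching, so on a host that had an IPv6 ACCEPT rule set the option does not actually block traffic — a short comment stating that limitation, or an explicit flush if blocking is the intent, would make the behaviour honest. Both stop_firewall and initialize_netfilter continue outside their hunks.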
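Review bot: The added `ip6tables -P ... ACCEPT 2> /dev/null` lines in clear_firewall run unconditionally, so `shorewall clear` opens the IPv6 default policies even on a system where DISABLE_IPV6 was never set and Shorewall never touched ip6tables, which may undo a policy the administrator configured by other means. The release notes in this diff describe that as intended, so if it stays the code should say so, e.g. `# Always reset IPv6 policies: "clear" must leave the box open even if DISABLE_IPV6 was set at the previous start, and the conf may have changed since`. Gating the block on `[ -n "$DISABLE_IPV6" ]` would respect an admin's own IPv6 setup but would leave IPv6 dropped if the option was turned off between start and clear, which is presumably why the unconditional form was chosen; that trade-off is worth a sentence in the comment. clear_firewall continues outside the hunk.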
@@ -2386,58 +2396,64 @@ process_actions1() { strip_file actions - while read xaction rest; do - [ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest" + strip_file actions.std /usr/share/shorewall/actions.std - case $xaction in - *:*) - temp=${xaction#*:} - xaction=${xaction%:*} - case $temp in - ACCEPT|REJECT|DROP) - eval ${temp}_common=$xaction - if ! list_search $xaction $USEDACTIONS; then - USEDACTIONS="$USEDACTIONS $xaction" - [ $command = check ] || createactionchain $xaction - fi - ;; - *) - fatal_error "Common Actions are only allowed for ACCEPT, DROP and REJECT" - ;; - esac - esac - - f=action.$xaction - fn=$(find_file $f) + for inputfile in actions.std actions; do + while read xaction rest; do + [ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest" - eval requiredby_${action}= - - if [ -f $fn ]; then - echo " Pre-processing $fn..." - strip_file $f $fn - while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do - expandv xtarget - temp="${xtarget%:*}" - case "${temp%<*}" in - ACCEPT|DROP|REJECT|LOG|QUEUE) - ;; - *) - if list_search $temp $ACTIONS; then - eval requiredby_${xaction}=\"\$requiredby_${xaction} $temp\" - else - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)" - fatal_error "Invalid TARGET in rule \"$rule\"" - fi - ;; - - esac - done < $TMP_DIR/$f - else - fatal_error "Missing Action File: $f" - fi - - ACTIONS="$ACTIONS $xaction" - done < $TMP_DIR/actions + case $xaction in + *:*) + temp=${xaction#*:} + xaction=${xaction%:*} + case $temp in + ACCEPT|REJECT|DROP) + eval ${temp}_common=$xaction + if ! list_search $xaction $USEDACTIONS; then + USEDACTIONS="$USEDACTIONS $xaction" + [ $command = check ] || createactionchain $xaction + fi + ;; + *) + fatal_error "Common Actions are only allowed for ACCEPT, DROP and REJECT" + ;; + esac + esac + + if ! 
list_search $xaction $ACTIONS; then + f=action.$xaction + fn=$(find_file $f) + + eval requiredby_${action}= + + if [ -f $fn ]; then + echo " Pre-processing $fn..." + strip_file $f $fn + while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do + expandv xtarget + temp="${xtarget%:*}" + case "${temp%<*}" in + ACCEPT|DROP|REJECT|LOG|QUEUE) + ;; + *) + if list_search $temp $ACTIONS; then + eval requiredby_${xaction}=\"\$requiredby_${xaction} $temp\" + else + rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)" + fatal_error "Invalid TARGET in rule \"$rule\"" + fi + ;; + + esac + done < $TMP_DIR/$f + else + fatal_error "Missing Action File: $f" + fi + + ACTIONS="$ACTIONS $xaction" + fi + done < $TMP_DIR/$inputfile + done } # # Generate the transitive closure of $USEDACTIONS (the actions directly referred to in rules and as common actions) then @@ -2508,7 +2524,7 @@ process_actions2() { # for xaction in $USEDACTIONS; do case $xaction in - dropNonSyn|dropBcasts) + dropNonSyn|dropBcast) ;; *) f=action.$xaction @@ -4278,6 +4294,12 @@ initialize_netfilter () { setcontinue INPUT setcontinue OUTPUT + if [ -n "$DISABLE_IPV6" ]; then + ip6tables -P FORWARD DROP + ip6tables -P INPUT DROP + ip6tables -P OUTPUT DROP + fi + # # Enable the Loopback interface for now # @@ -5441,6 +5463,7 @@ do_initialize() { ACTIONS= USEDACTIONS= SMURF_LOG_LEVEL= + DISABLE_IPV6= stopping= have_mutex= @@ -5590,6 +5613,7 @@ do_initialize() { fi ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED) BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) + DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz" # diff --git a/Shorewall2/functions b/Shorewall2/functions index 455168dfd..0ec1357d2 100755 --- a/Shorewall2/functions +++ b/Shorewall2/functions 
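Review bot: `strip_file actions.std /usr/share/shorewall/actions.std` hard-codes the location even though this commit extends find_file specifically so that files fall back to /usr/share/shorewall, so actions.std is the one file for which a $SHOREWALL_DIR or /etc/shorewall copy is ignored; if that is deliberate (to prevent a stale Beta1 /etc/shorewall/actions.std from shadowing the new one), a comment such as `# actions.std is always taken from /usr/share/shorewall; user additions and overrides go in /etc/shorewall/actions` should say so, otherwise use `strip_file actions.std $(find_file actions.std)` for consistency with the action.* lookups below. The new `if ! list_search $xaction $ACTIONS` guard silently skips a name that actions.std already defined, but the `:<policy>` handling above it still runs, which is what makes `Drop:DROP` in the user's file work — worth a one-line comment on the guard so nobody later "fixes" the ordering. `eval requiredby_${action}=` (carried over from the old code) refers to `$action` while everything around it uses `$xaction`, so the per-action list is never actually initialised; it appears harmless because the later `\$requiredby_${xaction}` expands empty when unset, but it reads as a typo for `${xaction}`.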
@@ -94,6 +94,10 @@ find_file() *) if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then echo $SHOREWALL_DIR/$1 + elif [ -f /etc/shorewall/$1 ]; then + echo /etc/shorewall/$1 + elif [ -f /usr/share/shorewall/$1 ]; then + echo /usr/share/shorewall/$1 else echo /etc/shorewall/$1 fi diff --git a/Shorewall2/install.sh b/Shorewall2/install.sh index 5b2ad5afe..612bb885f 100755 --- a/Shorewall2/install.sh +++ b/Shorewall2/install.sh @@ -54,7 +54,7 @@ # /etc/rc.d/rc.local file is modified to start the firewall. # -VERSION=2.0.0-Beta1 +VERSION=2.0.0-Beta2 usage() # $1 = exit status { @@ -503,7 +503,7 @@ fi # # Install the Standard Actions file # -install_file_with_backup actions.std ${PREFIX}/etc/shorewall/actions.std 0600 +install_file_with_backup actions.std ${PREFIX}/usr/share/shorewall/actions.std 0600 echo echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std" @@ -521,10 +521,10 @@ fi # Install the Action files # for f in action.* ; do - if [ -f ${PREFIX}/etc/shorewall/$f ]; then - backup_file /etc/shorewall/$f + if [ -f ${PREFIX}/usr/share/shorewall/$f ]; then + backup_file /usr/share/shorewall/$f else - run_install -o $OWNER -g $GROUP -m 0600 $f ${PREFIX}/etc/shorewall/$f + run_install -o $OWNER -g $GROUP -m 0600 $f ${PREFIX}/usr/share/shorewall/$f echo echo "Action ${f#*.} file installed as ${PREFIX}/etc/shorewall/$f" fi @@ -548,8 +548,9 @@ chmod 644 ${PREFIX}/usr/share/shorewall/version if [ -z "$PREFIX" ]; then rm -f /usr/share/shorewall/init - ln -s ${DEST}/firewall /usr/share/shorewall/init + ln -s ${DEST}/shorewall /usr/share/shorewall/init fi + # # Install the firewall script # diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index 9b28ed2c6..6f7a39d17 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 2.0.0-Beta1 +Shorewall 2.0.0-Beta2 ---------------------------------------------------------------------- Problems Corrected since prior version. 
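Review bot: The new three-level lookup order is not documented anywhere in the function, and it is now the mechanism by which a file in /etc/shorewall overrides a packaged one in /usr/share/shorewall, so the precedence deserves a comment above the `*)` arm, e.g. `# Search order: $SHOREWALL_DIR, then /etc/shorewall, then /usr/share/shorewall. The final else returns the /etc path even when the file is absent so callers can test it with -f.` The duplicated `echo /etc/shorewall/$1` in the first elif and the else is intentional for that precedence, but without the comment it looks like a leftover. Minor: `$1` and `$SHOREWALL_DIR` are unquoted and the test uses `-a`, matching the rest of the file but something ShellCheck will flag; `[ -n "$SHOREWALL_DIR" ] && [ -f "$SHOREWALL_DIR/$1" ]` is the safer form if the file is ever modernised. find_file continues outside the hunk.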
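Review bot: The status message two lines after the changed `install_file_with_backup` call still reads `echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"` although the file now goes to /usr/share/shorewall, and the same stale path appears in `echo "Action ${f#*.} file installed as ${PREFIX}/etc/shorewall/$f"` in the @@ -521 hunk; both should say `${PREFIX}/usr/share/shorewall/...`. More importantly, neither hunk removes the Beta1 copies at /etc/shorewall/actions.std and /etc/shorewall/action.*, and since find_file in this diff prefers /etc/shorewall over /usr/share/shorewall, an upgraded system will keep using the old action definitions and never see the ones shipped here unless some code outside these hunks cleans them up. In the @@ -521 hunk the existence test uses `${PREFIX}/usr/share/shorewall/$f` but `backup_file` receives the path without `${PREFIX}`, so a staged install backs up the live system's file rather than the staged one — this mirrors the old code, so it may be deliberate, but it is worth confirming.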
@@ -27,13 +27,14 @@ Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0: /etc/shorewall/common.def /etc/shorewall/common /etc/shorewall/icmpdef + /etc/shorewall/action.template The /etc/shorewall/action file now allows an action to be designated as the "common" action for a particular policy type by following the action name with ":" and the policy (DROP, REJECT or ACCEPT). - The file /etc/shorewall/actions.std has been added to define those + The file /usr/share/shorewall/actions.std has been added to define those actions that are released as part of Shorewall. In that file are two actions as follows: @@ -51,15 +52,20 @@ Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0: policies but does not specify such an action in the default configuration. - /etc/shorewall/actions contains an INCLUDE for - /etc/shorewall/actions.std. This causes a large number of actions to - be defined; in the current release: + The file /usr/share/shorewall/actions.std catalogs the standard + actions and is processed prior to /etc/shorewall/actions. This + causes a large number of actions to be defined. The files which + define these aactions are also located in /usr/share/shorewall as + is the he action template file (action.template). + + In the initial release, the following actions are defined: + + dropBcast #Silently Drops Broadcast Traffic + dropNonSyn #Silently Drop Non-syn TCP packets - DropBcast #Silently Drops Broadcast Traffic DropSMB #Silently Drops Microsoft SMB Traffic RejectSMB #Silently Reject Microsoft SMB Traffic DropUPnP #Silently Drop UPnP Probes - DropNonSyn #Silently Drop Non-syn TCP packets RejectAuth #Silently Reject Auth DropPing #Silently Drop Ping DropDNSrep #Silently Drop DNS Replies 
@@ -77,47 +83,38 @@ Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0: AllowTelnet #Allow Telnet Access (not recommended for use over the #Internet) AllowVNC #Allow VNC, Displays 0-9 + AllowVNCL #Allow access to VNC viewer in listen mode AllowNTP #Allow Network Time Protocol (ntpd) AllowRdate #Allow remote time (rdate). AllowNNTP #Allow network news (Usenet). AllowTrcrt #Allows Traceroute (20 hops) AllowSNMP #Allows SNMP (including traps) + AllowPCA #Allows PCAnywhere (tm). Drop:DROP #Common rules for DROP policy Reject:REJECT #Common Action for Reject policy - If you don't want to create all of the action chains, you can remove - the INCLUDE and only include those actions that you need. Here's my - /etc/shorewall/actions file: + if you want to redefine any of the Shorewall-defined actions, + simply copy the appropriate action file from /usr/share/shorewall + to /etc/shorewall and modify the copy as desired. Your modified + copy will be used rather than the original one in + /usr/share/shorewall. - DropBcast #Silently Drops Broadcast Traffic - DropSMB #Silently Drops Microsoft SMB Traffic - RejectSMB #Silently Reject Microsoft SMB Traffic - DropUPnP #Silently Drop UPnP Probes - DropNonSyn #Silently Drop Non-syn TCP packets - RejectAuth #Silently Reject Auth - DropPing #Silently Drop Ping - DropDNSrep #Silently Drop DNS Replies - AllowPing #Accept Ping + Note: The 'dropBcast' and 'dropNonSyn' actions are built into + Shorewall and may not be changed. - Mirrors #Accept traffic from Shorewall Mirrors - - MyDrop:DROP - MyReject:REJECT - - At any rate, if you have an existing /etc/shorewall/actions file, - then you MUST either add "INCLUDE /etc/shorewall/actions.std" to - that file or you must include the definitions similar to mine above - in your /etc/shorewall/actions file. + Beginning with version 2.0.0-Beta2, Shorewall will only create a + chain for those actions that are actually used. 
5) The /etc/shorewall directory no longer contains a 'users' file or a 'usersets' file. Similar functionality is now available using user-defined actions. - Now, action files created by copying /etc/shorewall/action.template - may now specify a USER and or GROUP name/id in the final column just - like in the rules file (see below). It is thus possible to create - actions that control traffic from a list of users and/or groups. + Now, action files created by copying + /usr/share/shorewall/action.template may now specify a USER and or + GROUP name/id in the final column just like in the rules file (see + below). It is thus possible to create actions that control traffic + from a list of users and/or groups. The last column in /etc/shorewall/rules is now labeled USER/GROUP and may contain: @@ -166,5 +163,16 @@ New Features: (e.g., "ipsec:noah"), then Shorewall will only create rules for ESP (protocol 50) and will not create rules for AH (protocol 51). +7) A new DISABLE_IPV6 option has been added to shorewall.conf. When + this option is set to "Yes", Shorewall will set the policy for the + IPv6 INPUT, OUTPUT and FORWARD chains to DROP during "shorewall + [re]start" and "shorewall stop". Regardless of the setting of this + variable, "shorewall clear" will silently attempt to set these + policies to ACCEPT. + + If this option is not set in your existing shorewall.conf then a + setting of DISABLE_IPV6=No is assumed in which case, Shorewall will + not touch any IPv6 settings except during "shorewall clear". + diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf index b8a38c80c..1e0bd1755 100755 --- a/Shorewall2/shorewall.conf +++ b/Shorewall2/shorewall.conf 
@@ -514,6 +514,16 @@ BLACKLISTNEWONLY=Yes MODULE_SUFFIX= +# +# DISABLE IPV6 +# +# Distributions (notably SuSE) are beginning to ship with IPV6 +# enabled. If you are not using IPV6, you are at risk of being +# exploited by users who do. Setting DISABLE_IPV6=Yes will cause +# Shorewall to disable IPV6 traffic to/from and through your +# firewall system. This requires that you have ip6tables installed. + +DISABLE_IPV6=Yes ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################ diff --git a/Shorewall2/shorewall.spec b/Shorewall2/shorewall.spec index cb140ab3d..ff018e3ec 100644 --- a/Shorewall2/shorewall.spec +++ b/Shorewall2/shorewall.spec @@ -72,8 +72,6 @@ fi %attr(0700,root,root) %dir /etc/shorewall %attr(0700,root,root) %dir /usr/share/shorewall %attr(0700,root,root) %dir /var/lib/shorewall -%attr(0600,root,root) /usr/share/shorewall/version -%attr(0600,root,root) /etc/shorewall/actions.std %attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf %attr(0600,root,root) %config(noreplace) /etc/shorewall/zones %attr(0600,root,root) %config(noreplace) /etc/shorewall/policy 
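Review bot: Shipping `DISABLE_IPV6=Yes` together with the comment's own caveat ("This requires that you have ip6tables installed") means a fresh install on a host without ip6tables will hit the unguarded `ip6tables -P` calls in the firewall script at every start and stop; either the script must tolerate a missing ip6tables or this comment should state what happens when it is absent. The phrase "disable IPV6 traffic to/from and through your firewall system" also overstates what the code does — it sets the default policy of the IPv6 filter INPUT, OUTPUT and FORWARD chains to DROP and leaves any existing IPv6 rules in place — so a more precise line would be `# Setting DISABLE_IPV6=Yes causes Shorewall to set the default policy of the IPv6 INPUT, OUTPUT and FORWARD chains to DROP during start/restart and stop; existing ip6tables rules are not touched.` Since the release notes say an unset option is treated as No, the comment might also mention that existing configurations keep the old behaviour until this line is added.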
@@ -98,40 +96,44 @@ fi %attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped %attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn %attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowAuth -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowDNS -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowFTP -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowIMAP -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowNNTP -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowNTP -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowPCA -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowPing -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowPOP3 -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowRdate -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowSMB -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowSMTP -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowSNMP -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowSSH -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowTelnet -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowTrcrt -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowVNC -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowVNCL* -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowWeb -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.Drop -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.DropDNSrep -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.DropPing -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.DropSMB -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.DropUPnP 
-%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.Reject -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.RejectAuth -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.RejectSMB -%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.template %attr(0600,root,root) %config(noreplace) /etc/shorewall/actions %attr(0544,root,root) /sbin/shorewall + +%attr(0600,root,root) /usr/share/shorewall/version +%attr(0600,root,root) /usr/share/shorewall/actions.std +%attr(0600,root,root) /usr/share/shorewall/action.AllowAuth +%attr(0600,root,root) /usr/share/shorewall/action.AllowDNS +%attr(0600,root,root) /usr/share/shorewall/action.AllowFTP +%attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP +%attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP +%attr(0600,root,root) /usr/share/shorewall/action.AllowNTP +%attr(0600,root,root) /usr/share/shorewall/action.AllowPCA +%attr(0600,root,root) /usr/share/shorewall/action.AllowPing +%attr(0600,root,root) /usr/share/shorewall/action.AllowPOP3 +%attr(0600,root,root) /usr/share/shorewall/action.AllowRdate +%attr(0600,root,root) /usr/share/shorewall/action.AllowSMB +%attr(0600,root,root) /usr/share/shorewall/action.AllowSMTP +%attr(0600,root,root) /usr/share/shorewall/action.AllowSNMP +%attr(0600,root,root) /usr/share/shorewall/action.AllowSSH +%attr(0600,root,root) /usr/share/shorewall/action.AllowTelnet +%attr(0600,root,root) /usr/share/shorewall/action.AllowTrcrt +%attr(0600,root,root) /usr/share/shorewall/action.AllowVNC +%attr(0600,root,root) /usr/share/shorewall/action.AllowVNCL +%attr(0600,root,root) /usr/share/shorewall/action.AllowWeb +%attr(0600,root,root) /usr/share/shorewall/action.Drop +%attr(0600,root,root) /usr/share/shorewall/action.DropDNSrep +%attr(0600,root,root) /usr/share/shorewall/action.DropPing +%attr(0600,root,root) /usr/share/shorewall/action.DropSMB +%attr(0600,root,root) /usr/share/shorewall/action.DropUPnP +%attr(0600,root,root) 
/usr/share/shorewall/action.Reject +%attr(0600,root,root) /usr/share/shorewall/action.RejectAuth +%attr(0600,root,root) /usr/share/shorewall/action.RejectSMB +%attr(0600,root,root) /usr/share/shorewall/action.template %attr(0444,root,root) /usr/share/shorewall/functions %attr(0544,root,root) /usr/share/shorewall/firewall %attr(0544,root,root) /usr/share/shorewall/help + %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog diff --git a/Shorewall2/uninstall.sh b/Shorewall2/uninstall.sh index 1a091a522..0483b4626 100755 --- a/Shorewall2/uninstall.sh +++ b/Shorewall2/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=2.0.0-Beta1 +VERSION=2.0.0-Beta2 usage() # $1 = exit status {