holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Allow bang range; relax OpenVPN source port restriction

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1621 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-09-13 22:16:15 +00:00
parent ec8e01d09c
commit 0a87d4db6a
3 changed files with 23 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall2/changelog.txt
View File

@ -79,3 +79,5 @@ Changes since 2.0.3
37) Fixed proxy arp flag setting for complex configurations. 37) Fixed proxy arp flag setting for complex configurations.
38) Added RETAIN_ALIASES option. 38) Added RETAIN_ALIASES option.
39) Relax OpenVPN source port restrictions.

18
Shorewall2/firewall
View File

@ -527,8 +527,15 @@ source_ip_range() # $1 = Address or Address Range
{ {
case $1 in case $1 in
*.*.*.*-*.*.*.*) *.*.*.*-*.*.*.*)
case $1 in
!*)
iprange_echo "! --src-range ${1#!}"
;;
*)
iprange_echo "--src-range $1" iprange_echo "--src-range $1"
;; ;;
esac
;;
*) *)
echo "-s $1" echo "-s $1"
;; ;;
@ -542,8 +549,15 @@ dest_ip_range() # $1 = Address or Address Range
{ {
case $1 in case $1 in
*.*.*.*-*.*.*.*) *.*.*.*-*.*.*.*)
case $1 in
!*)
iprange_echo "! --dst-range ${1#!}"
;;
*)
iprange_echo "--dst-range $1" iprange_echo "--dst-range $1"
;; ;;
esac
;;
*) *)
echo "-d $1" echo "-d $1"
;; ;;
@ -1608,8 +1622,8 @@ setup_tunnels() # $1 = name of tunnels file
;; ;;
esac esac
addrule $inchain -p udp $(source_ip_range $1) --sport $p --dport $p -j ACCEPT addrule $inchain -p udp $(source_ip_range $1) --dport $p -j ACCEPT
addrule $outchain -p udp $(dest_ip_range $1) --sport $p --dport $p -j ACCEPT addrule $outchain -p udp $(dest_ip_range $1) --dport $p -j ACCEPT
progress_message " OPENVPN tunnel to $1:$p defined." progress_message " OPENVPN tunnel to $1:$p defined."
} }

4
Shorewall2/releasenotes.txt
View File

@ -406,7 +406,9 @@ New Features:
changed. changed.
8) To improve interoperability, tunnels of type 'ipsec' no longer 8) To improve interoperability, tunnels of type 'ipsec' no longer
enforce the use of source port 500 for ISAKMP. enforce the use of source port 500 for ISAKMP and OpenVPN
tunnels no longer enforce use of the specified port as both the
source and destination ports.
9) A new 'allowBcast' builtin action has been added -- it silently 9) A new 'allowBcast' builtin action has been added -- it silently
allows broadcasts and multicasts. allows broadcasts and multicasts.