diff --git a/Shorewall2/action.Drop b/Shorewall2/action.Drop
index 04feb4ce7..721a46126 100644
--- a/Shorewall2/action.Drop
+++ b/Shorewall2/action.Drop
@@ -8,6 +8,7 @@
 # PORT PORT(S) LIMIT GROUP
 RejectAuth
 dropBcast
+dropInvalid
 DropSMB
 DropUPnP
 dropNotSyn
diff --git a/Shorewall2/action.Reject b/Shorewall2/action.Reject
index 1799ecc6c..8cfd666ec 100644
--- a/Shorewall2/action.Reject
+++ b/Shorewall2/action.Reject
@@ -8,6 +8,7 @@
 # PORT PORT(S) LIMIT GROUP
 RejectAuth
 dropBcast
+dropInvalid
 RejectSMB
 DropUPnP
 dropNotSyn
diff --git a/Shorewall2/actions.std b/Shorewall2/actions.std
index b762d2730..d2438703a 100644
--- a/Shorewall2/actions.std
+++ b/Shorewall2/actions.std
@@ -9,7 +9,9 @@
 # rejNonSyn #Silently Reject Non-syn TCP packets
 # logNonSyn #Log Non-syn TCP packets with disposition LOG
 # dLogNonSyn #Log Non-syn TCP packets with disposition DROP
-# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
+# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
+# dropInvalid #Silently Drop packets that are in the INVALID
+# #conntrack state.
 #
 # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
 # shorewall.conf. If that option isn't specified then 'info' is used.
diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index b4e536899..12f99c635 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
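Review bot: In both action.Drop and action.Reject the new `dropInvalid` line is placed after RejectAuth, so an INVALID-state packet that matches RejectAuth is answered with a REJECT (if RejectAuth sends one, as its name suggests) before the drop rule is ever reached. If the intent stated in the actions.std hunk ("Silently Drop packets that are in the INVALID conntrack state") is that INVALID packets are never answered, `dropInvalid` should be the first entry of both action files, ahead of RejectAuth, so that state is checked before any port-specific reject. The same ordering question applies to the action.Reject hunk.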
@@ -1,40 +1,10 @@ -Changes since 2.0.2 +Changes since 2.0.3 -1) Remove restore files; don't generate them for non-statechanging - commands. -2) Restore file now loads kernel modules. +1) Fix security vulnerability involving temporary files/directories. -3) Minor tweaks to the restore mechanism. +2) Hack security fix so that it works under Slackware. -4) Allow "!" in accounting rules. +3) Correct mktempfile() for case where mktemp isn't installed. -5) Backport bug fixes from stable (/var/lib/shorewall existence and - null common action). - -6) Add lots of overhead to [re]start in order to catch typing errors. - -7) Correct reporting of installation directory in install.sh. - -8) Load kernel modules before detecting capabilities. - -9) Added the 'rejectNonSyn' standard built-in action. - -10) Merged Tuomo Soini's patch to the install script. - -11) Correct brain-cramp in module loading fix (8 above). - -12) Add 'key' to sample tunnel file. - -13) Allow multiple saved configurations. - -14) Add %attr spec to /etc/init.d/shorewall in the .spec file. - -15) Fix rules that have bridge ports in both SOURCE and DEST. Update - comments in the rules file WRT "all" in SOURCE or DEST. - -16) Pass INVALID icmp packets through the blacklisting chains. - -17) Fix bogus code in procerss_tc_rule() - -18) Fix security vulnerability involving temporary files/directories. +4) Implement 'dropInvalid' builtin action. diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 746ae7d6c..60c2081ae 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -1046,15 +1046,6 @@ find_interface_address() # $1 = interface echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//' } -# -# Find interface addresses--returns the set of addresses assigned to the passed -# device -# -find_interface_addresses() # $1 = interface -{ - ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//' -} - # # Find interfaces that have the passed option specified # 
@@ -2743,7 +2734,7 @@ createactionchain() # $1 = chain name process_actions1() { - ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn" + ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid" USEDACTIONS= strip_file actions @@ -2917,6 +2908,9 @@ process_actions2() { dLogNotSyn) log_action dLogNotSyn DROP ;; + dropInvalid) + [ "COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP + ;; *) f=action.$xaction fn=$(find_file $f) diff --git a/Shorewall2/functions b/Shorewall2/functions index e8aa7d942..ba0b7c71e 100755 --- a/Shorewall2/functions +++ b/Shorewall2/functions @@ -374,10 +374,10 @@ mktempfile() { mktemp -p $1 shorewall.XXXXXX ;; None) - mkdir $1/shorewall-$$ && echo $1/shorewall-$$ + > $1/shorewall-$$ && echo $1/shorewall-$$ ;; *) - echo " ERROR:Internal error in mktempfile" + echo " ERROR:Internal error in mktempfile" >&2 ;; esac else @@ -393,7 +393,7 @@ mktempfile() { > /tmp/shorewall-$$ && echo /tmp/shorewall-$$ ;; *) - echo " ERROR:Internal error in mktempfile" + echo " ERROR:Internal error in mktempfile" >&2 ;; esac fi @@ -407,17 +407,17 @@ mktempdir() { [ -z "$MKTEMP" ] && find_mktemp case "$MKTEMP" in - BSD) - mktemp -d /tmp/shorewall.XXXXXX - ;; STD) mktemp -td shorewall.XXXXXX ;; - None) - mkdir /tmp/shorewall-$$ && echo /tmp/shorewall-$$ + None|BSD) + # + # Not all versions of the BSD mktemp support the -d option under Linux + # + mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$ ;; *) - echo " ERROR:Internal error in mktempdir" + echo " ERROR:Internal error in mktempdir" >&2 ;; esac } @@ -767,3 +767,11 @@ find_interface_by_address() { [ -n "$dev" ] && echo $dev } +# +# Find interface addresses--returns the set of addresses assigned to the passed +# device +# +find_interface_addresses() # $1 = interface +{ + ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//' +} 
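Review bot: The guard in the new `dropInvalid)` arm of process_actions2 tests the literal string rather than the variable — `[ "COMMAND" != check ]` is missing the `$` — so it is always true and run_iptables is executed even under `shorewall check`; it should read `[ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP`. Note also that the rule matches every protocol, whereas the releasenotes hunk later in this commit describes the feature as dropping ICMP packets in the INVALID state; either the release note should say "packets" (as actions.std already does) or the rule needs `-p icmp`. The enclosing case statement starts and ends outside the hunk, so I cannot tell whether the dropInvalid chain is created before this line runs.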
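Review bot: Replacing `mkdir` with `> $1/shorewall-$$` in mktempfile's None fallback fixes the file-vs-directory mix-up, but the plain redirection follows a pre-existing symlink or truncates an existing file at that PID-derived, predictable path, where mkdir would have failed; it also leaves the file with the umask-default mode, while the mktempdir fallback in this same commit explicitly sets 700. Doing the open under noclobber makes it fail instead of overwriting, and the mode can be tightened in the same step: `(set -C; > $1/shorewall-$$) && chmod 600 $1/shorewall-$$ && echo $1/shorewall-$$`. The same applies to the `/tmp/shorewall-$$` branch in the following mktempfile hunk. mktempfile's body begins and ends outside both hunks.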
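Review bot: In mktempdir's new `None|BSD)` arm, `mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$` leaves a window in which the directory exists with the umask-default mode before chmod runs; `mkdir -m 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$` creates it with the intended mode in one step and is POSIX. mkdir failing on an already-existing path is the right behaviour for a predictable name, so this should not become `mkdir -p`. The new comment explains why BSD shares the fallback; it would help to add that only the STD branch yields an unpredictable name, e.g. `# Only the STD branch gets a randomised name; the fallback relies on mkdir refusing an existing path.`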
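Review bot: find_interface_addresses arrives here unchanged from firewall, but as a helper in the shared functions file its unquoted `$1` in `ip -f inet addr show $1` deserves attention: an empty or unset argument is removed by word-splitting and ip then lists the addresses of every interface instead of failing, so a caller that passes an empty name silently gets the whole host's address set. Quoting it, `ip -f inet addr show "$1" | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'`, makes that case an error from ip rather than a misleading result; the header comment could state the contract with `# $1 must be a single interface name; an empty name is an error.`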
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index e987cbd4b..dfb23fd6f 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt 
@@ -1,49 +1,6 @@ -Shorewall 2.0.3 +Shorewall 2.0.4-Beta1 ---------------------------------------------------------------------- -Problems Corrected since 2.0.2 - -1) The 'firewall' script is not purging temporary restore files in - /var/lib/shorewall. These files have names of the form - "restore-nnnnn". - -2) The /var/lib/shorewall/restore script did not load the kernel - modules specified in /etc/shorewall/modules. - -3) Specifying a null common action in /etc/shorewall/actions (e.g., - :REJECT) results in a startup error. - -4) If /var/lib/shorewall does not exist, shorewall start fails. - -5) DNAT rules with a dynamic source zone don't work properly. When - used, these rules cause the rule to be checked against ALL input, - not just input from the designated zone. - -6) The install.sh script reported installing some files in - /etc/shorewall when the files were actually installed in - /usr/share/shorewall. - -7) Shorewall checks netfilter capabilities before loading kernel - modules. Hence if kernel module autoloading isn't enabled, the - capabilities will be misdetected. - -8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect. - -9) The file /etc/init.d/shorewall now gets proper ownership when the - RPM is built by a non-root user. - -10) Rules that specify bridge ports in both the SOURCE and DEST - columns no longer cause "shorewall start" to fail. - -11) Comments in the rules file have been added to advise users that - "all" in the SOURCE or DEST column does not affect intra-zone - traffic. - -12) With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now - passed through the blacklisting chains. Without this change, it is - not possible to blacklist hosts that are mounting certain types of - ICMP-based DOS attacks. - Problems Corrected since 2.0.3 1) A non-empty DEST entry in /etc/shorewall/tcrules will generate an 
@@ -53,113 +10,13 @@ Problems Corrected since 2.0.3 handles temporary files and directories has been corrected. ----------------------------------------------------------------------- -Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3: +Issues when migrating from Shorewall 2.0.3 to Shorewall 2.0.4: -1) The 'dropNonSyn' standard builtin action has been replaced with the - 'dropNotSyn' standard builtin action. The old name can still be used - but will generate a warning. +None. ----------------------------------------------------------------------- New Features: -1) Shorewall now supports multiple saved configurations. - - a) The default saved configuration (restore script) in - /var/lib/shorewall is now specified using the RESTOREFILE option - in shorewall.conf. If this variable isn't set then to maitain - backward compatibility, 'restore' is assumed. - - The value of RESTOREFILE must be a simple file name; no slashes - ("/") may be included. - - b) The "save" command has been extended to be able to specify the - name of a saved configuration. - - shorewall save [ ] - - The current state is saved to /var/lib/shorewall/. If - no is given, the configuration is saved to - the file determined by the RESTOREFILE setting. - - c) The "restore" command has been extended to be able to specify - the name of a saved configuration: - - shorewall restore [ ] - - The firewall state is restored from /var/lib/shorewall/. If no is given, the firewall state is - restored from the file determined by the RESTOREFILE setting. - - c) The "forget" command has changed. Previously, the command - unconditionally removed the /var/lib/shorewall/save file which - records the current dynamic blacklist. The "forget" command now - leaves that file alone. - - Also, the "forget" command has been extended to be able to - specify the name of a saved configuration: - - shorewall forget [ ] - - The file /var/lib/shorewall/ is removed. 
If no is given, the file determined by the RESTOREFILE setting - is removed. - - d) The "shorewall -f start" command restores the state from the - file determined by the RESTOREFILE setting. - -2) "!" is now allowed in accounting rules. - -3) Interface names appearing within the configuration are now - verified. Interface names must match the name of an entry in - /etc/shorewall/interfaces (or if bridging is enabled, they must - match the name of an entry in /etc/shorewall/interfaces or the name - of a bridge port appearing in /etc/shorewall/hosts). - -4) A new 'rejNotSyn' built-in standard action has been added. This - action responds to "New not SYN" packets with an RST. - - The 'dropNonSyn' action has been superceded by the new 'dropNotSyn' - action. The old name will be accepted until the next major release - of Shorewall but will generate a warning. - - Several new logging actions involving "New not SYN" packets have - been added: - - logNewNotSyn -- logs the packet with disposition = LOG - dLogNewNotSyn -- logs the packet with disposition = DROP - rLogNewNotSyn -- logs the packet with disposition = REJECT - - The packets are logged at the log level specified in the - LOGNEWNOTSYN option in shorewall.conf. If than option is empty or - not specified, then 'info' is assumed. - - Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf): - - A: To simulate the behavior of NEWNOTSYN=No: - - a) Add 'NoNewNotSyn' to /etc/shorewall/actions. - b) Create /etc/shorewall/action.NoNewNotSyn containing: - - dLogNotSyn - dropNotSyn - - c) Early in your rules file, place: - - NoNewNotSyn all all tcp - - B: Drop 'New not SYN' packets from the net only. Don't log them. - - a) Early in your rules file, place: - - dropNotSyn net all tcp - -5) Slackware users no longer have to modify the install.sh script - before installation. 
Tuomo Soini has provided a change that allows - the INIT and FIREWALL variables to be specified outside the script - as in: - - DEST=/etc/rc.d INIT=rc.firewall ./install.sh - - - - +1) ICMP packets that are in the INVALID state are now dropped by the + Reject and Drop default actions. They do so using the new + 'dropInvalid' builtin action.