Add dropInvalid builtin action

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1430 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-07-01 14:12:29 +00:00
parent c469e62bbe
commit 0fea583005
7 changed files with 37 additions and 204 deletions

@ -8,6 +8,7 @@
# PORT PORT(S) LIMIT GROUP
RejectAuth
dropBcast
dropInvalid
DropSMB
DropUPnP
dropNotSyn

@ -8,6 +8,7 @@
# PORT PORT(S) LIMIT GROUP
RejectAuth
dropBcast
dropInvalid
RejectSMB
DropUPnP
dropNotSyn

@ -10,6 +10,8 @@
# logNonSyn #Log Non-syn TCP packets with disposition LOG
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
# dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state.
#
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used.

@ -1,40 +1,10 @@
Changes since 2.0.2
Changes since 2.0.3
1) Remove restore files; don't generate them for non-statechanging
commands.
2) Restore file now loads kernel modules.
1) Fix security vulnerability involving temporary files/directories.
3) Minor tweaks to the restore mechanism.
2) Hack security fix so that it works under Slackware.
4) Allow "!" in accounting rules.
3) Correct mktempfile() for case where mktemp isn't installed.
5) Backport bug fixes from stable (/var/lib/shorewall existence and
null common action).
6) Add lots of overhead to [re]start in order to catch typing errors.
7) Correct reporting of installation directory in install.sh.
8) Load kernel modules before detecting capabilities.
9) Added the 'rejectNonSyn' standard built-in action.
10) Merged Tuomo Soini's patch to the install script.
11) Correct brain-cramp in module loading fix (8 above).
12) Add 'key' to sample tunnel file.
13) Allow multiple saved configurations.
14) Add %attr spec to /etc/init.d/shorewall in the .spec file.
15) Fix rules that have bridge ports in both SOURCE and DEST. Update
comments in the rules file WRT "all" in SOURCE or DEST.
16) Pass INVALID icmp packets through the blacklisting chains.
17) Fix bogus code in procerss_tc_rule()
18) Fix security vulnerability involving temporary files/directories.
4) Implement 'dropInvalid' builtin action.

@ -1046,15 +1046,6 @@ find_interface_address() # $1 = interface
echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
}
#
# Find interface addresses--returns the set of addresses assigned to the passed
# device
#
find_interface_addresses() # $1 = interface
{
ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
}
#
# Find interfaces that have the passed option specified
#
@ -2743,7 +2734,7 @@ createactionchain() # $1 = chain name
process_actions1() {
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn"
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid"
USEDACTIONS=
strip_file actions
@ -2917,6 +2908,9 @@ process_actions2() {
dLogNotSyn)
log_action dLogNotSyn DROP
;;
dropInvalid)
[ "COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP
;;
*)
f=action.$xaction
fn=$(find_file $f)
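Review bot: the guard on the new dropInvalid case, `[ "COMMAND" != check ]`, compares the literal string COMMAND rather than the variable `$COMMAND`, so the test is always true and `run_iptables -A dropInvalid -m state --state INVALID -j DROP` is executed even when the command is `check`, defeating the guard's evident purpose of skipping rule insertion in check mode. It should read `[ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP`.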

@ -374,10 +374,10 @@ mktempfile() {
mktemp -p $1 shorewall.XXXXXX
;;
None)
mkdir $1/shorewall-$$ && echo $1/shorewall-$$
> $1/shorewall-$$ && echo $1/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempfile"
echo " ERROR:Internal error in mktempfile" >&2
;;
esac
else
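Review bot: the None branch now creates the temporary file with `> $1/shorewall-$$`, but a plain redirect succeeds even when a file or symlink with that predictable name already exists, so unlike `mkdir` it does not fail closed, and a pre-existing symlink would be followed. Given that this commit's changelog entry describes a temporary-file vulnerability fix, consider wrapping the redirect in `set -C` (noclobber) or testing `[ ! -e $1/shorewall-$$ ]` first so that an existing path makes the call fail rather than being overwritten. Sending the "Internal error" messages to stderr is the right change: callers capture this function's stdout as the file name, so an error string on stdout would previously have been used as a path.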
@ -393,7 +393,7 @@ mktempfile() {
> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempfile"
echo " ERROR:Internal error in mktempfile" >&2
;;
esac
fi
@ -407,17 +407,17 @@ mktempdir() {
[ -z "$MKTEMP" ] && find_mktemp
case "$MKTEMP" in
BSD)
mktemp -d /tmp/shorewall.XXXXXX
;;
STD)
mktemp -td shorewall.XXXXXX
;;
None)
mkdir /tmp/shorewall-$$ && echo /tmp/shorewall-$$
None|BSD)
#
# Not all versions of the BSD mktemp support the -d option under Linux
#
mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempdir"
echo " ERROR:Internal error in mktempdir" >&2
;;
esac
}
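Review bot: `mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$` leaves a window between creation and chmod during which the directory carries whatever mode the current umask yields; `mkdir -m 700 /tmp/shorewall-$$` (or a preceding `umask 077`) creates it with mode 700 in one step. Folding BSD into the None branch is justified by the comment about `-d`, but it means `mktemp -d` is no longer used on any BSD-style system and the name is always the predictable shorewall-$$ form; at least `mkdir` fails if the path already exists, which is the fail-closed behaviour wanted here, so the `&&` chain must not be loosened.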
@ -767,3 +767,11 @@ find_interface_by_address() {
[ -n "$dev" ] && echo $dev
}
#
# Find interface addresses--returns the set of addresses assigned to the passed
# device
#
find_interface_addresses() # $1 = interface
{
ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
}

@ -1,49 +1,6 @@
Shorewall 2.0.3
Shorewall 2.0.4-Beta1
----------------------------------------------------------------------
Problems Corrected since 2.0.2
1) The 'firewall' script is not purging temporary restore files in
/var/lib/shorewall. These files have names of the form
"restore-nnnnn".
2) The /var/lib/shorewall/restore script did not load the kernel
modules specified in /etc/shorewall/modules.
3) Specifying a null common action in /etc/shorewall/actions (e.g.,
:REJECT) results in a startup error.
4) If /var/lib/shorewall does not exist, shorewall start fails.
5) DNAT rules with a dynamic source zone don't work properly. When
used, these rules cause the rule to be checked against ALL input,
not just input from the designated zone.
6) The install.sh script reported installing some files in
/etc/shorewall when the files were actually installed in
/usr/share/shorewall.
7) Shorewall checks netfilter capabilities before loading kernel
modules. Hence if kernel module autoloading isn't enabled, the
capabilities will be misdetected.
8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
9) The file /etc/init.d/shorewall now gets proper ownership when the
RPM is built by a non-root user.
10) Rules that specify bridge ports in both the SOURCE and DEST
columns no longer cause "shorewall start" to fail.
11) Comments in the rules file have been added to advise users that
"all" in the SOURCE or DEST column does not affect intra-zone
traffic.
12) With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now
passed through the blacklisting chains. Without this change, it is
not possible to blacklist hosts that are mounting certain types of
ICMP-based DOS attacks.
Problems Corrected since 2.0.3
1) A non-empty DEST entry in /etc/shorewall/tcrules will generate an
@ -53,113 +10,13 @@ Problems Corrected since 2.0.3
handles temporary files and directories has been corrected.
-----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
Issues when migrating from Shorewall 2.0.3 to Shorewall 2.0.4:
1) The 'dropNonSyn' standard builtin action has been replaced with the
'dropNotSyn' standard builtin action. The old name can still be used
but will generate a warning.
None.
-----------------------------------------------------------------------
New Features:
1) Shorewall now supports multiple saved configurations.
a) The default saved configuration (restore script) in
/var/lib/shorewall is now specified using the RESTOREFILE option
in shorewall.conf. If this variable isn't set then to maitain
backward compatibility, 'restore' is assumed.
The value of RESTOREFILE must be a simple file name; no slashes
("/") may be included.
b) The "save" command has been extended to be able to specify the
name of a saved configuration.
shorewall save [ <file name> ]
The current state is saved to /var/lib/shorewall/<file name>. If
no <file name> is given, the configuration is saved to
the file determined by the RESTOREFILE setting.
c) The "restore" command has been extended to be able to specify
the name of a saved configuration:
shorewall restore [ <file name> ]
The firewall state is restored from /var/lib/shorewall/<file
name>. If no <file name> is given, the firewall state is
restored from the file determined by the RESTOREFILE setting.
c) The "forget" command has changed. Previously, the command
unconditionally removed the /var/lib/shorewall/save file which
records the current dynamic blacklist. The "forget" command now
leaves that file alone.
Also, the "forget" command has been extended to be able to
specify the name of a saved configuration:
shorewall forget [ <file name> ]
The file /var/lib/shorewall/<file name> is removed. If no <file
name> is given, the file determined by the RESTOREFILE setting
is removed.
d) The "shorewall -f start" command restores the state from the
file determined by the RESTOREFILE setting.
2) "!" is now allowed in accounting rules.
3) Interface names appearing within the configuration are now
verified. Interface names must match the name of an entry in
/etc/shorewall/interfaces (or if bridging is enabled, they must
match the name of an entry in /etc/shorewall/interfaces or the name
of a bridge port appearing in /etc/shorewall/hosts).
4) A new 'rejNotSyn' built-in standard action has been added. This
action responds to "New not SYN" packets with an RST.
The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
action. The old name will be accepted until the next major release
of Shorewall but will generate a warning.
Several new logging actions involving "New not SYN" packets have
been added:
logNewNotSyn -- logs the packet with disposition = LOG
dLogNewNotSyn -- logs the packet with disposition = DROP
rLogNewNotSyn -- logs the packet with disposition = REJECT
The packets are logged at the log level specified in the
LOGNEWNOTSYN option in shorewall.conf. If than option is empty or
not specified, then 'info' is assumed.
Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
A: To simulate the behavior of NEWNOTSYN=No:
a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
b) Create /etc/shorewall/action.NoNewNotSyn containing:
dLogNotSyn
dropNotSyn
c) Early in your rules file, place:
NoNewNotSyn all all tcp
B: Drop 'New not SYN' packets from the net only. Don't log them.
a) Early in your rules file, place:
dropNotSyn net all tcp
5) Slackware users no longer have to modify the install.sh script
before installation. Tuomo Soini has provided a change that allows
the INIT and FIREWALL variables to be specified outside the script
as in:
DEST=/etc/rc.d INIT=rc.firewall ./install.sh
1) ICMP packets that are in the INVALID state are now dropped by the
Reject and Drop default actions. They do so using the new
'dropInvalid' builtin action.
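Review bot: the new item 1 under New Features says that ICMP packets in the INVALID state are dropped via dropInvalid, but the rule behind that action (`-m state --state INVALID -j DROP`, with no protocol match) drops every INVALID packet regardless of protocol, and actions.std documents it as "Silently Drop packets that are in the INVALID conntrack state". Either reword the release note to say that all INVALID-state packets are now dropped by the Drop and Reject default actions, or add a protocol match to the rule if only ICMP is intended; as written the two descriptions disagree.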