forked from extern/shorewall_code
Add dropInvalid builtin action
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1430 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
c469e62bbe
commit
0fea583005
@ -8,6 +8,7 @@
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
RejectAuth
|
||||
dropBcast
|
||||
dropInvalid
|
||||
DropSMB
|
||||
DropUPnP
|
||||
dropNotSyn
|
||||
|
@ -8,6 +8,7 @@
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
RejectAuth
|
||||
dropBcast
|
||||
dropInvalid
|
||||
RejectSMB
|
||||
DropUPnP
|
||||
dropNotSyn
|
||||
|
@ -10,6 +10,8 @@
|
||||
# logNonSyn #Log Non-syn TCP packets with disposition LOG
|
||||
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
|
||||
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
|
||||
# dropInvalid #Silently Drop packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
#
|
||||
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
|
||||
# shorewall.conf. If that option isn't specified then 'info' is used.
|
||||
|
@ -1,40 +1,10 @@
|
||||
Changes since 2.0.2
|
||||
Changes since 2.0.3
|
||||
|
||||
1) Remove restore files; don't generate them for non-statechanging
|
||||
commands.
|
||||
|
||||
2) Restore file now loads kernel modules.
|
||||
1) Fix security vulnerability involving temporary files/directories.
|
||||
|
||||
3) Minor tweaks to the restore mechanism.
|
||||
2) Hack security fix so that it works under Slackware.
|
||||
|
||||
4) Allow "!" in accounting rules.
|
||||
3) Correct mktempfile() for case where mktemp isn't installed.
|
||||
|
||||
5) Backport bug fixes from stable (/var/lib/shorewall existence and
|
||||
null common action).
|
||||
|
||||
6) Add lots of overhead to [re]start in order to catch typing errors.
|
||||
|
||||
7) Correct reporting of installation directory in install.sh.
|
||||
|
||||
8) Load kernel modules before detecting capabilities.
|
||||
|
||||
9) Added the 'rejectNonSyn' standard built-in action.
|
||||
|
||||
10) Merged Tuomo Soini's patch to the install script.
|
||||
|
||||
11) Correct brain-cramp in module loading fix (8 above).
|
||||
|
||||
12) Add 'key' to sample tunnel file.
|
||||
|
||||
13) Allow multiple saved configurations.
|
||||
|
||||
14) Add %attr spec to /etc/init.d/shorewall in the .spec file.
|
||||
|
||||
15) Fix rules that have bridge ports in both SOURCE and DEST. Update
|
||||
comments in the rules file WRT "all" in SOURCE or DEST.
|
||||
|
||||
16) Pass INVALID icmp packets through the blacklisting chains.
|
||||
|
||||
17) Fix bogus code in procerss_tc_rule()
|
||||
|
||||
18) Fix security vulnerability involving temporary files/directories.
|
||||
4) Implement 'dropInvalid' builtin action.
|
||||
|
@ -1046,15 +1046,6 @@ find_interface_address() # $1 = interface
|
||||
echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
|
||||
}
|
||||
|
||||
#
|
||||
# Find interface addresses--returns the set of addresses assigned to the passed
|
||||
# device
|
||||
#
|
||||
find_interface_addresses() # $1 = interface
|
||||
{
|
||||
ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
|
||||
}
|
||||
|
||||
#
|
||||
# Find interfaces that have the passed option specified
|
||||
#
|
||||
@ -2743,7 +2734,7 @@ createactionchain() # $1 = chain name
|
||||
|
||||
process_actions1() {
|
||||
|
||||
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn"
|
||||
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid"
|
||||
USEDACTIONS=
|
||||
|
||||
strip_file actions
|
||||
@ -2917,6 +2908,9 @@ process_actions2() {
|
||||
dLogNotSyn)
|
||||
log_action dLogNotSyn DROP
|
||||
;;
|
||||
dropInvalid)
|
||||
[ "COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP
|
||||
;;
|
||||
*)
|
||||
f=action.$xaction
|
||||
fn=$(find_file $f)
|
||||
|
@ -374,10 +374,10 @@ mktempfile() {
|
||||
mktemp -p $1 shorewall.XXXXXX
|
||||
;;
|
||||
None)
|
||||
mkdir $1/shorewall-$$ && echo $1/shorewall-$$
|
||||
> $1/shorewall-$$ && echo $1/shorewall-$$
|
||||
;;
|
||||
*)
|
||||
echo " ERROR:Internal error in mktempfile"
|
||||
echo " ERROR:Internal error in mktempfile" >&2
|
||||
;;
|
||||
esac
|
||||
else
|
||||
@ -393,7 +393,7 @@ mktempfile() {
|
||||
> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
|
||||
;;
|
||||
*)
|
||||
echo " ERROR:Internal error in mktempfile"
|
||||
echo " ERROR:Internal error in mktempfile" >&2
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
@ -407,17 +407,17 @@ mktempdir() {
|
||||
[ -z "$MKTEMP" ] && find_mktemp
|
||||
|
||||
case "$MKTEMP" in
|
||||
BSD)
|
||||
mktemp -d /tmp/shorewall.XXXXXX
|
||||
;;
|
||||
STD)
|
||||
mktemp -td shorewall.XXXXXX
|
||||
;;
|
||||
None)
|
||||
mkdir /tmp/shorewall-$$ && echo /tmp/shorewall-$$
|
||||
None|BSD)
|
||||
#
|
||||
# Not all versions of the BSD mktemp support the -d option under Linux
|
||||
#
|
||||
mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
|
||||
;;
|
||||
*)
|
||||
echo " ERROR:Internal error in mktempdir"
|
||||
echo " ERROR:Internal error in mktempdir" >&2
|
||||
;;
|
||||
esac
|
||||
}
|
||||
@ -767,3 +767,11 @@ find_interface_by_address() {
|
||||
[ -n "$dev" ] && echo $dev
|
||||
}
|
||||
|
||||
#
|
||||
# Find interface addresses--returns the set of addresses assigned to the passed
|
||||
# device
|
||||
#
|
||||
find_interface_addresses() # $1 = interface
|
||||
{
|
||||
ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
|
||||
}
|
||||
|
@ -1,49 +1,6 @@
|
||||
Shorewall 2.0.3
|
||||
Shorewall 2.0.4-Beta1
|
||||
|
||||
----------------------------------------------------------------------
|
||||
Problems Corrected since 2.0.2
|
||||
|
||||
1) The 'firewall' script is not purging temporary restore files in
|
||||
/var/lib/shorewall. These files have names of the form
|
||||
"restore-nnnnn".
|
||||
|
||||
2) The /var/lib/shorewall/restore script did not load the kernel
|
||||
modules specified in /etc/shorewall/modules.
|
||||
|
||||
3) Specifying a null common action in /etc/shorewall/actions (e.g.,
|
||||
:REJECT) results in a startup error.
|
||||
|
||||
4) If /var/lib/shorewall does not exist, shorewall start fails.
|
||||
|
||||
5) DNAT rules with a dynamic source zone don't work properly. When
|
||||
used, these rules cause the rule to be checked against ALL input,
|
||||
not just input from the designated zone.
|
||||
|
||||
6) The install.sh script reported installing some files in
|
||||
/etc/shorewall when the files were actually installed in
|
||||
/usr/share/shorewall.
|
||||
|
||||
7) Shorewall checks netfilter capabilities before loading kernel
|
||||
modules. Hence if kernel module autoloading isn't enabled, the
|
||||
capabilities will be misdetected.
|
||||
|
||||
8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
|
||||
|
||||
9) The file /etc/init.d/shorewall now gets proper ownership when the
|
||||
RPM is built by a non-root user.
|
||||
|
||||
10) Rules that specify bridge ports in both the SOURCE and DEST
|
||||
columns no longer cause "shorewall start" to fail.
|
||||
|
||||
11) Comments in the rules file have been added to advise users that
|
||||
"all" in the SOURCE or DEST column does not affect intra-zone
|
||||
traffic.
|
||||
|
||||
12) With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now
|
||||
passed through the blacklisting chains. Without this change, it is
|
||||
not possible to blacklist hosts that are mounting certain types of
|
||||
ICMP-based DOS attacks.
|
||||
|
||||
Problems Corrected since 2.0.3
|
||||
|
||||
1) A non-empty DEST entry in /etc/shorewall/tcrules will generate an
|
||||
@ -53,113 +10,13 @@ Problems Corrected since 2.0.3
|
||||
handles temporary files and directories has been corrected.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
|
||||
Issues when migrating from Shorewall 2.0.3 to Shorewall 2.0.4:
|
||||
|
||||
1) The 'dropNonSyn' standard builtin action has been replaced with the
|
||||
'dropNotSyn' standard builtin action. The old name can still be used
|
||||
but will generate a warning.
|
||||
None.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
New Features:
|
||||
|
||||
1) Shorewall now supports multiple saved configurations.
|
||||
|
||||
a) The default saved configuration (restore script) in
|
||||
/var/lib/shorewall is now specified using the RESTOREFILE option
|
||||
in shorewall.conf. If this variable isn't set then to maitain
|
||||
backward compatibility, 'restore' is assumed.
|
||||
|
||||
The value of RESTOREFILE must be a simple file name; no slashes
|
||||
("/") may be included.
|
||||
|
||||
b) The "save" command has been extended to be able to specify the
|
||||
name of a saved configuration.
|
||||
|
||||
shorewall save [ <file name> ]
|
||||
|
||||
The current state is saved to /var/lib/shorewall/<file name>. If
|
||||
no <file name> is given, the configuration is saved to
|
||||
the file determined by the RESTOREFILE setting.
|
||||
|
||||
c) The "restore" command has been extended to be able to specify
|
||||
the name of a saved configuration:
|
||||
|
||||
shorewall restore [ <file name> ]
|
||||
|
||||
The firewall state is restored from /var/lib/shorewall/<file
|
||||
name>. If no <file name> is given, the firewall state is
|
||||
restored from the file determined by the RESTOREFILE setting.
|
||||
|
||||
c) The "forget" command has changed. Previously, the command
|
||||
unconditionally removed the /var/lib/shorewall/save file which
|
||||
records the current dynamic blacklist. The "forget" command now
|
||||
leaves that file alone.
|
||||
|
||||
Also, the "forget" command has been extended to be able to
|
||||
specify the name of a saved configuration:
|
||||
|
||||
shorewall forget [ <file name> ]
|
||||
|
||||
The file /var/lib/shorewall/<file name> is removed. If no <file
|
||||
name> is given, the file determined by the RESTOREFILE setting
|
||||
is removed.
|
||||
|
||||
d) The "shorewall -f start" command restores the state from the
|
||||
file determined by the RESTOREFILE setting.
|
||||
|
||||
2) "!" is now allowed in accounting rules.
|
||||
|
||||
3) Interface names appearing within the configuration are now
|
||||
verified. Interface names must match the name of an entry in
|
||||
/etc/shorewall/interfaces (or if bridging is enabled, they must
|
||||
match the name of an entry in /etc/shorewall/interfaces or the name
|
||||
of a bridge port appearing in /etc/shorewall/hosts).
|
||||
|
||||
4) A new 'rejNotSyn' built-in standard action has been added. This
|
||||
action responds to "New not SYN" packets with an RST.
|
||||
|
||||
The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
|
||||
action. The old name will be accepted until the next major release
|
||||
of Shorewall but will generate a warning.
|
||||
|
||||
Several new logging actions involving "New not SYN" packets have
|
||||
been added:
|
||||
|
||||
logNewNotSyn -- logs the packet with disposition = LOG
|
||||
dLogNewNotSyn -- logs the packet with disposition = DROP
|
||||
rLogNewNotSyn -- logs the packet with disposition = REJECT
|
||||
|
||||
The packets are logged at the log level specified in the
|
||||
LOGNEWNOTSYN option in shorewall.conf. If than option is empty or
|
||||
not specified, then 'info' is assumed.
|
||||
|
||||
Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
|
||||
|
||||
A: To simulate the behavior of NEWNOTSYN=No:
|
||||
|
||||
a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
|
||||
b) Create /etc/shorewall/action.NoNewNotSyn containing:
|
||||
|
||||
dLogNotSyn
|
||||
dropNotSyn
|
||||
|
||||
c) Early in your rules file, place:
|
||||
|
||||
NoNewNotSyn all all tcp
|
||||
|
||||
B: Drop 'New not SYN' packets from the net only. Don't log them.
|
||||
|
||||
a) Early in your rules file, place:
|
||||
|
||||
dropNotSyn net all tcp
|
||||
|
||||
5) Slackware users no longer have to modify the install.sh script
|
||||
before installation. Tuomo Soini has provided a change that allows
|
||||
the INIT and FIREWALL variables to be specified outside the script
|
||||
as in:
|
||||
|
||||
DEST=/etc/rc.d INIT=rc.firewall ./install.sh
|
||||
|
||||
|
||||
|
||||
|
||||
1) ICMP packets that are in the INVALID state are now dropped by the
|
||||
Reject and Drop default actions. They do so using the new
|
||||
'dropInvalid' builtin action.
|
||||
|
Loading…
Reference in New Issue
Block a user