forked from extern/shorewall_code
Update for Shorewall 2.2.1
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1960 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
464ad6019d
commit
198207c84c
@ -6,16 +6,13 @@
|
||||
#
|
||||
# allowBcast #Silently Allow Broadcast/multicast
|
||||
# dropBcast #Silently Drop Broadcast/multicast
|
||||
# dropNonSyn #Silently Drop Non-syn TCP packets
|
||||
# rejNonSyn #Silently Reject Non-syn TCP packets
|
||||
# dropNotSyn #Silently Drop Non-syn TCP packets
|
||||
# rejNotSyn #Silently Reject Non-syn TCP packets
|
||||
# dropInvalid #Silently Drop packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
# allowInvalid #Accept packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
#
|
||||
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
|
||||
# shorewall.conf. If that option isn't specified then 'info' is used.
|
||||
#
|
||||
#ACTION
|
||||
|
||||
DropSMB #Silently Drops Microsoft SMB Traffic
|
||||
|
||||
@ -3533,8 +3533,8 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
if [ -n "$xlevel" ]; then
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -3548,7 +3548,7 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3565,8 +3565,8 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
if [ -n "$xlevel" ]; then
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -3580,7 +3580,7 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3594,35 +3594,35 @@ process_actions3() {
|
||||
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn
|
||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||
fi
|
||||
;;
|
||||
dropNotSyn)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn
|
||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||
fi
|
||||
;;
|
||||
rejNotSyn)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||
log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn
|
||||
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
|
||||
fi
|
||||
;;
|
||||
dropInvalid)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID
|
||||
log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID
|
||||
run_iptables -A $xchain -m state --state INVALID -j DROP
|
||||
fi
|
||||
;;
|
||||
allowInvalid)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain allowInvalid $2 "" "$xtag" -A -m state --state INVALID
|
||||
log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID
|
||||
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
|
||||
fi
|
||||
;;
|
||||
@ -7065,6 +7065,9 @@ do_initialize() {
|
||||
|
||||
export LC_ALL=C
|
||||
|
||||
# Make sure umask is sane
|
||||
umask 177
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
|
||||
#
|
||||
# Establish termination function
|
||||
|
||||
@ -1 +1 @@
|
||||
2.2.0
|
||||
2.2.1
|
||||
|
||||
@ -6,16 +6,13 @@
|
||||
#
|
||||
# allowBcast #Silently Allow Broadcast/multicast
|
||||
# dropBcast #Silently Drop Broadcast/multicast
|
||||
# dropNonSyn #Silently Drop Non-syn TCP packets
|
||||
# rejNonSyn #Silently Reject Non-syn TCP packets
|
||||
# dropNotSyn #Silently Drop Non-syn TCP packets
|
||||
# rejNotSyn #Silently Reject Non-syn TCP packets
|
||||
# dropInvalid #Silently Drop packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
# allowInvalid #Accept packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
#
|
||||
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
|
||||
# shorewall.conf. If that option isn't specified then 'info' is used.
|
||||
#
|
||||
#ACTION
|
||||
|
||||
DropSMB #Silently Drops Microsoft SMB Traffic
|
||||
|
||||
@ -4,6 +4,8 @@ Changes in 2.2.1
|
||||
|
||||
2) Simon Matter's patch for umask.
|
||||
|
||||
3) Apply Juergen Kreileder's patch for logging.
|
||||
|
||||
Changes since 2.0.3
|
||||
|
||||
1) Fix security vulnerability involving temporary files/directories.
|
||||
|
||||
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=2.2.0
|
||||
VERSION=2.2.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
||||
@ -3533,8 +3533,8 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
if [ -n "$xlevel" ]; then
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -3548,7 +3548,7 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3565,8 +3565,8 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
if [ -n "$xlevel" ]; then
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -3580,7 +3580,7 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3594,35 +3594,35 @@ process_actions3() {
|
||||
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn
|
||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||
fi
|
||||
;;
|
||||
dropNotSyn)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn
|
||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||
fi
|
||||
;;
|
||||
rejNotSyn)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||
log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn
|
||||
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
|
||||
fi
|
||||
;;
|
||||
dropInvalid)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID
|
||||
log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID
|
||||
run_iptables -A $xchain -m state --state INVALID -j DROP
|
||||
fi
|
||||
;;
|
||||
allowInvalid)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain allowInvalid $2 "" "$xtag" -A -m state --state INVALID
|
||||
log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID
|
||||
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
|
||||
fi
|
||||
;;
|
||||
|
||||
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
|
||||
VERSION=2.2.0
|
||||
VERSION=2.2.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
||||
@ -9,6 +9,28 @@ Problems corrected in version 2.2.1
|
||||
2) Shorewall previously used root's default umask which could cause
|
||||
files in /var/lib/shorewall to be world-readable. Shorewall now uses
|
||||
umask 0177.
|
||||
|
||||
3) In log messages produced by logging a built-in action, the packet
|
||||
disposition was displayed incorrectly.
|
||||
|
||||
Example:
|
||||
|
||||
rejNotSyn:ULOG all all tcp
|
||||
|
||||
produces the log message:
|
||||
|
||||
Feb 12 23:57:08 server Shorewall:rejNotSyn:ULOG: ...
|
||||
|
||||
rather than
|
||||
|
||||
Feb 12 23:57:08 server Shorewall:rejNotSyn:REJECT: ...
|
||||
|
||||
3) The comments regarding built-in actions in
|
||||
/usr/share/shorewall/actions.std have been corrected.
|
||||
|
||||
4) The /etc/shorewall/policy file in the LRP package was missing the
|
||||
'all->all' policy.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Issues when migrating from Shorewall 2.0 to Shorewall 2.2:
|
||||
|
||||
|
||||
@ -49,8 +49,10 @@ STARTUP_ENABLED=No
|
||||
# specify a log level of ULOG (must be all caps). Rather than log its
|
||||
# messages to syslogd, Shorewall will direct netfilter to log the messages
|
||||
# via the ULOG target which will send them to a process called 'ulogd'.
|
||||
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
|
||||
# configured to log all Shorewall message to their own log file
|
||||
# ulogd is available with most Linux distributions (although it probably isn't
|
||||
# installed by default). Ulogd is also available from
|
||||
# http://www.gnumonks.org/projects/ulogd and can be configured to log all
|
||||
# Shorewall message to their own log file
|
||||
################################################################################
|
||||
#
|
||||
# LOG FILE LOCATION
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 2.2.0
|
||||
%define version 2.2.1
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -138,6 +138,8 @@ fi
|
||||
|
||||
%changelog
|
||||
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.1-1
|
||||
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.0-1
|
||||
* Mon Jan 17 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.0-0RC5
|
||||
|
||||
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=2.2.0
|
||||
VERSION=2.2.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
||||
Loading…
Reference in New Issue
Block a user