Update for Shorewall 2.2.1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1960 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-02-15 23:53:34 +00:00
parent 464ad6019d
commit 198207c84c
12 changed files with 64 additions and 39 deletions


@ -6,16 +6,13 @@
# #
# allowBcast #Silently Allow Broadcast/multicast # allowBcast #Silently Allow Broadcast/multicast
# dropBcast #Silently Drop Broadcast/multicast # dropBcast #Silently Drop Broadcast/multicast
# dropNonSyn #Silently Drop Non-syn TCP packets # dropNotSyn #Silently Drop Non-syn TCP packets
# rejNonSyn #Silently Reject Non-syn TCP packets # rejNotSyn #Silently Reject Non-syn TCP packets
# dropInvalid #Silently Drop packets that are in the INVALID # dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state. # #conntrack state.
# allowInvalid #Accept packets that are in the INVALID # allowInvalid #Accept packets that are in the INVALID
# #conntrack state. # #conntrack state.
# #
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used.
#
#ACTION #ACTION
DropSMB #Silently Drops Microsoft SMB Traffic DropSMB #Silently Drops Microsoft SMB Traffic


@ -3533,8 +3533,8 @@ process_actions3() {
;; ;;
*) *)
if [ -n "$xlevel" ]; then if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
fi fi
;; ;;
esac esac
@ -3548,7 +3548,7 @@ process_actions3() {
;; ;;
*) *)
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
;; ;;
esac esac
@ -3565,8 +3565,8 @@ process_actions3() {
;; ;;
*) *)
if [ -n "$xlevel" ]; then if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
fi fi
;; ;;
esac esac
@ -3580,7 +3580,7 @@ process_actions3() {
;; ;;
*) *)
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address
;; ;;
esac esac
@ -3594,35 +3594,35 @@ process_actions3() {
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP run_iptables -A $xchain -p tcp ! --syn -j DROP
fi fi
;; ;;
dropNotSyn) dropNotSyn)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP run_iptables -A $xchain -p tcp ! --syn -j DROP
fi fi
;; ;;
rejNotSyn) rejNotSyn)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
fi fi
;; ;;
dropInvalid) dropInvalid)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID
run_iptables -A $xchain -m state --state INVALID -j DROP run_iptables -A $xchain -m state --state INVALID -j DROP
fi fi
;; ;;
allowInvalid) allowInvalid)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowInvalid $2 "" "$xtag" -A -m state --state INVALID log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID
run_iptables -A $xchain -m state --state INVALID -j ACCEPT run_iptables -A $xchain -m state --state INVALID -j ACCEPT
fi fi
;; ;;
@ -7065,6 +7065,9 @@ do_initialize() {
export LC_ALL=C export LC_ALL=C
# Make sure umask is sane
umask 177
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
# #
# Establish termination function # Establish termination function
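Review bot: The new `umask 177` near the top of do_initialize is justified only as "sane"; the comment should record the real reason so nobody relaxes it later, e.g. `# umask 177: state files written below (e.g. under /var/lib/shorewall) must not be group/world readable; 2.2.0 inherited root's umask`. Because the umask is process-wide, every file and directory created from this point on comes out 0600 — a later mkdir yields a directory with no execute bits and any saved script is non-executable — which is harmless while everything runs as root but worth noting if any output is meant to be read or executed by another user; those call sites are not visible from this hunk. The release notes in this commit write `umask 0177` while the code says `177`; the values are identical, but using the same spelling in the comment avoids a reader thinking they differ. do_initialize begins before this hunk.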


@ -1 +1 @@
2.2.0 2.2.1


@ -6,16 +6,13 @@
# #
# allowBcast #Silently Allow Broadcast/multicast # allowBcast #Silently Allow Broadcast/multicast
# dropBcast #Silently Drop Broadcast/multicast # dropBcast #Silently Drop Broadcast/multicast
# dropNonSyn #Silently Drop Non-syn TCP packets # dropNotSyn #Silently Drop Non-syn TCP packets
# rejNonSyn #Silently Reject Non-syn TCP packets # rejNotSyn #Silently Reject Non-syn TCP packets
# dropInvalid #Silently Drop packets that are in the INVALID # dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state. # #conntrack state.
# allowInvalid #Accept packets that are in the INVALID # allowInvalid #Accept packets that are in the INVALID
# #conntrack state. # #conntrack state.
# #
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used.
#
#ACTION #ACTION
DropSMB #Silently Drops Microsoft SMB Traffic DropSMB #Silently Drops Microsoft SMB Traffic


@ -4,6 +4,8 @@ Changes in 2.2.1
2) Simon Matter's patch for umask. 2) Simon Matter's patch for umask.
3) Apply Juergen Kreileder's patch for logging.
Changes since 2.0.3 Changes since 2.0.3
1) Fix security vulnerability involving temporary files/directories. 1) Fix security vulnerability involving temporary files/directories.


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=2.2.0 VERSION=2.2.1
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -3533,8 +3533,8 @@ process_actions3() {
;; ;;
*) *)
if [ -n "$xlevel" ]; then if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
fi fi
;; ;;
esac esac
@ -3548,7 +3548,7 @@ process_actions3() {
;; ;;
*) *)
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
;; ;;
esac esac
@ -3565,8 +3565,8 @@ process_actions3() {
;; ;;
*) *)
if [ -n "$xlevel" ]; then if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
fi fi
;; ;;
esac esac
@ -3580,7 +3580,7 @@ process_actions3() {
;; ;;
*) *)
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address
;; ;;
esac esac
@ -3594,35 +3594,35 @@ process_actions3() {
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP run_iptables -A $xchain -p tcp ! --syn -j DROP
fi fi
;; ;;
dropNotSyn) dropNotSyn)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP run_iptables -A $xchain -p tcp ! --syn -j DROP
fi fi
;; ;;
rejNotSyn) rejNotSyn)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
fi fi
;; ;;
dropInvalid) dropInvalid)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID
run_iptables -A $xchain -m state --state INVALID -j DROP run_iptables -A $xchain -m state --state INVALID -j DROP
fi fi
;; ;;
allowInvalid) allowInvalid)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowInvalid $2 "" "$xtag" -A -m state --state INVALID log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID
run_iptables -A $xchain -m state --state INVALID -j ACCEPT run_iptables -A $xchain -m state --state INVALID -j ACCEPT
fi fi
;; ;;
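Review bot: The dropNonSyn and dropNotSyn arms in the last hunk are byte-identical apart from the label handed to log_rule_limit, and nothing in the code says that dropNonSyn is the pre-2.2.1 spelling that actions.std in this same commit no longer documents. A comment on the dropNonSyn arm would stop the two from drifting or one being deleted by mistake: `# dropNonSyn: pre-2.2.1 spelling of dropNotSyn, kept so existing action files keep working`. If logging both under the canonical name is acceptable, the two arms could collapse to `dropNonSyn|dropNotSyn)` with `dropNotSyn` as the log label, at the cost of changing the log prefix for configurations still using the old name. The dropNonSyn case label and the enclosing process_actions3 lie outside the hunk.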


@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=2.2.0 VERSION=2.2.1
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -9,6 +9,28 @@ Problems corrected in version 2.2.1
2) Shorewall previously used root's default umask which could cause 2) Shorewall previously used root's default umask which could cause
files in /var/lib/shorewall to be world-readable. Shorewall now uses files in /var/lib/shorewall to be world-readable. Shorewall now uses
umask 0177. umask 0177.
3) In log messages produced by logging a built-in action, the packet
disposition was displayed incorrectly.
Example:
rejNotSyn:ULOG all all tcp
produces the log message:
Feb 12 23:57:08 server Shorewall:rejNotSyn:ULOG: ...
rather than
Feb 12 23:57:08 server Shorewall:rejNotSyn:REJECT: ...
3) The comments regarding built-in actions in
/usr/share/shorewall/actions.std have been corrected.
4) The /etc/shorewall/policy file in the LRP package was missing the
'all->all' policy.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0 to Shorewall 2.2: Issues when migrating from Shorewall 2.0 to Shorewall 2.2:


@ -49,8 +49,10 @@ STARTUP_ENABLED=No
# specify a log level of ULOG (must be all caps). Rather than log its # specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages # messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'. # via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be # ulogd is available with most Linux distributions (although it probably isn't
# configured to log all Shorewall message to their own log file # installed by default). Ulogd is also available from
# http://www.gnumonks.org/projects/ulogd and can be configured to log all
# Shorewall message to their own log file
################################################################################ ################################################################################
# #
# LOG FILE LOCATION # LOG FILE LOCATION


@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 2.2.0 %define version 2.2.1
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -138,6 +138,8 @@ fi
%changelog %changelog
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net * Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.1-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-1 - Updated to 2.2.0-1
* Mon Jan 17 2005 Tom Eastep tom@shorewall.net * Mon Jan 17 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC5 - Updated to 2.2.0-0RC5


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=2.2.0 VERSION=2.2.1
usage() # $1 = exit status usage() # $1 = exit status
{ {