Remove blacklisting by destination IP address support

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-09-15 15:24:58 -07:00
parent bea4ce4ca6
commit 1d650b41cd
12 changed files with 48 additions and 313 deletions


@ -894,10 +894,6 @@ sub use_output_chain($$) {
#
return 1 if $nets > 1;
#
# Must also use the interface's chain if there is type-1 blacklisting on the interface
#
return 1 if $interfaceref->{options}{blacklist} & BL_IN;
#
# Don't need it if it isn't associated with any zone
#
return 0 unless $nets;


@ -213,19 +213,16 @@ sub add_rule_pair( $$$$ ) {
sub setup_blacklist() {
my $hosts = find_hosts_by_option1 'blacklist', BL_IN;
my $hosts1 = find_hosts_by_option1 'blacklist', BL_OUT;
my $hosts = find_hosts_by_option 'blacklist';
my $chainref;
my $chainref1;
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
#
# We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
# We go ahead and generate the blacklist chain and jump to it, even if it turns out to be empty. That is necessary
# for 'refresh' to work properly.
#
if ( @$hosts || @$hosts1 ) {
$chainref = dont_delete new_standard_chain 'blacklst' if @$hosts;
$chainref1 = dont_delete new_standard_chain 'blackout' if @$hosts || @$hosts1;
if ( @$hosts ) {
$chainref = dont_delete new_standard_chain 'blacklst';
if ( defined $level && $level ne '' ) {
my $logchainref = new_standard_chain 'blacklog';
@ -249,7 +246,7 @@ sub setup_blacklist() {
while ( read_a_line ) {
if ( $first_entry ) {
unless ( @$hosts || @$hosts1 ) {
unless ( @$hosts ) {
warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' interfaces);
close_file;
last BLACKLIST;
@ -258,59 +255,25 @@ sub setup_blacklist() {
$first_entry = 0;
}
my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
my ( $networks, $protocol, $ports ) = split_line 1, 3, 'blacklist file';
$options = 'src' if $options eq '-';
my ( $to, $from ) = ( 0, 0 );
for ( split /,/, $options ) {
if ( $_ =~ /^(?:from|src)$/ ) {
if ( $from++ ) {
warning_message "Duplicate 'src' ignored";
} else {
if ( @$hosts ) {
expand_rule(
$chainref ,
NO_RESTRICT ,
do_proto( $protocol , $ports, '' ) ,
$networks,
'',
'' ,
$target ,
'' ,
$target ,
'' );
} else {
warning_message 'Blacklist entry ignored because there are no "blacklist=1" interfaces';
}
}
} elsif ( $_ =~ /^(?:dst|to)$/ ) {
if ( $to++ ) {
warning_message "Duplicate 'dst' ignored";
} else {
expand_rule(
$chainref1 ,
NO_RESTRICT ,
do_proto( $protocol , $ports, '' ) ,
'',
$networks,
'' ,
$target ,
'' ,
$target ,
'' );
}
} else {
fatal_error "Invalid blacklist option($_)";
}
}
expand_rule(
$chainref ,
NO_RESTRICT ,
do_proto( $protocol , $ports, '' ) ,
$networks ,
'' ,
'' ,
$target ,
'' ,
$disposition ,
'' );
progress_message " \"$currentline\" added to blacklist";
}
warning_message q(There are interfaces or hosts with the 'blacklist' option but the 'blacklist' file is empty) if $first_entry && @$hosts;
} elsif ( @$hosts || @$hosts1 ) {
} elsif ( @$hosts ) {
warning_message q(There are interfaces or hosts with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
}
@ -331,24 +294,7 @@ sub setup_blacklist() {
set_interface_option $interface, 'use_input_chain', 1;
set_interface_option $interface, 'use_forward_chain', 1;
progress_message " Type 1 blacklisting enabled on ${interface}:${network}";
}
if ( $chainref1 && @{$chainref1->{rules}} ) {
for my $hostref ( @$hosts1 ) {
my $interface = $hostref->[0];
my $ipsec = $hostref->[1];
my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
my $network = $hostref->[2];
my $source = match_source_net $network;
my $target = source_exclusion( $hostref->[3], $chainref1 );
add_jump $filter_table->{forward_chain $interface} , $target, 0, "${source}${state}${policy}";
set_interface_option $interface, 'use_forward_chain', 1;
progress_message " Type 2 blacklisting enabled on ${interface}:${network}";
}
progress_message " Blacklisting enabled on ${interface}:${network}";
}
}
}
@ -1885,14 +1831,12 @@ sub generate_matrix() {
my $fw = firewall_zone;
my $notrackref = $raw_table->{notrack_chain $fw};
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
my $blackout = $filter_table->{blackout};
my @zones = off_firewall_zones;
my @vservers = vserver_zones;
my $interface_jumps_added = 0;
our %input_jump_added = ();
our %output_jump_added = ();
our %forward_jump_added = ();
my %needs_bl_jump = ();
progress_message2 'Generating Rule Matrix...';
#
@ -2021,7 +1965,6 @@ sub generate_matrix() {
my $ipsec_in_match = match_ipsec_in $zone , $hostref;
my $ipsec_out_match = match_ipsec_out $zone , $hostref;
my $exclusions = $hostref->{exclusions};
my $blacklist = $blackout && $hostref->{options}{blacklist} & BL_IN;
for my $net ( @{$hostref->{hosts}} ) {
my $dest = match_dest_net $net;
@ -2038,7 +1981,6 @@ sub generate_matrix() {
$outputref = $interfacechainref;
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
$use_output = 1;
$needs_bl_jump{output_chain $interface} = 1 if $blacklist;
unless ( lc $net eq IPv6_LINKLOCAL ) {
for my $vzone ( vserver_zones ) {
@ -2301,7 +2243,6 @@ sub generate_matrix() {
add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain;
}
add_jump( $filter_table->{$_}, $filter_table->{blackout} , 0 , $state , 0 , 0 ) for keys %needs_bl_jump;
add_interface_jumps @interfaces unless $interface_jumps_added;
my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
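Review bot: The `split_line 1, 3, 'blacklist file'` call in the setup_blacklist hunk caps entries at three columns, so a 4.4.12-era blacklist file that still carries a `src`/`dst` OPTIONS value no longer parses the way it did, and whether that surfaces as a fatal error or as a silently dropped column depends on split_line, which is not visible here. A silently dropped `dst` would turn what the admin wrote as a destination block into a source block for the same address, a quiet change in what is filtered, so the fail-closed outcome is the one to confirm before release. I would record the intent beside the call: `# 4.4.12's OPTIONS (src|dst) column is gone; a 4th column must be rejected here, not ignored`. Separately, the log-disposition argument to expand_rule is now `$disposition` where the removed code passed `$target`; the two differ only when BLACKLIST_DISPOSITION is REJECT, which is presumably deliberate so that log entries read REJECT rather than reject, but a short comment would save the next reader the comparison. setup_blacklist's body continues beyond the hunk.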


@ -41,8 +41,6 @@ our @EXPORT = qw( NOTHING
IP
BPORT
IPSEC
BL_IN
BL_OUT
determine_zones
zone_report
@ -98,12 +96,6 @@ use constant { NOTHING => 'NOTHING',
IPSECMODE => 'tunnel|transport'
};
#
# blacklist option values
#
use constant {
BL_IN => 1 ,
BL_OUT => 2 };
#
# Zone Table.
#
# @zones contains the ordered list of zones with sub-zones appearing before their parents.
@ -239,7 +231,7 @@ sub initialize( $ ) {
if ( $family == F_IPV4 ) {
%validinterfaceoptions = (arp_filter => BINARY_IF_OPTION,
arp_ignore => ENUM_IF_OPTION,
blacklist => ENUM_IF_OPTION + IF_OPTION_HOST,
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
bridge => SIMPLE_IF_OPTION,
detectnets => OBSOLETE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION,
@ -272,7 +264,7 @@ sub initialize( $ ) {
sourceonly => 1,
);
} else {
%validinterfaceoptions = ( blacklist => ENUM_IF_OPTION + IF_OPTION_HOST,
%validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
bridge => SIMPLE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@ -653,8 +645,6 @@ sub add_group_to_zone($$$$$)
$zoneref->{interfaces}{$interface} = 1;
$options->{blacklist} ||= 0;
my @newnetworks;
my @exclusions = ();
my $new = \@newnetworks;
@ -919,7 +909,6 @@ sub process_interface( $$ ) {
my %options;
$options{port} = 1 if $port;
$options{blacklist} = 0;
my $hostoptionsref = {};
@ -931,7 +920,7 @@ sub process_interface( $$ ) {
if ( $options ne '-' ) {
my %hostoptions = ( blacklist => 0, dynamic => 0 );
my %hostoptions = ( dynamic => 0 );
for my $option (split_list1 $options, 'option' ) {
next if $option eq '-';
@ -974,11 +963,6 @@ sub process_interface( $$ ) {
} else {
$options{arp_ignore} = 1;
}
} elsif ( $option eq 'blacklist' ) {
fatal_error "Duplicate blacklist option" if $options{blacklist};
$value = BL_IN unless ( defined $value && $value ne '' );
fatal_error "Invalid 'blacklist' value ( $value )" unless $value =~ /^[12]$/;
$options{blacklist} = $value;
} else {
assert( 0 );
}
@ -1141,7 +1125,7 @@ sub validate_interfaces_file( $ ) {
number => $nextinum ,
root => $interface ,
broadcasts => undef ,
options => { blacklist => 0 } ,
options => {} ,
zone => '',
physical => 'lo',
};
@ -1680,11 +1664,11 @@ sub process_host( ) {
}
}
my $optionsref = { blacklist => 0, dynamic => 0 };
my $optionsref = { dynamic => 0 };
if ( $options ne '-' ) {
my @options = split_list $options, 'option';
my %options = ( blacklist => 0, dynamic => 0 );
my %options = ( dynamic => 0 );
for my $option ( @options ) {
if ( $option eq 'ipsec' ) {
@ -1696,12 +1680,7 @@ sub process_host( ) {
warning_message "The 'norfc1918' option is no longer supported"
} elsif ( $validhostoptions{$option}) {
fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
if ( $option eq 'blacklist' ) {
warning_message qq(The "blacklist" host option is no longer supported and will be ignored);
} else {
$options{$option} = 1;
}
$options{$option} = 1;
} else {
fatal_error "Invalid option ($option)";
}
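Review bot: The dedicated `blacklist` branch removed from process_interface carried its own `fatal_error "Duplicate blacklist option"` check; the option is now a SIMPLE_IF_OPTION, and whether that generic path still rejects `blacklist,blacklist` or just sets the flag twice is not visible in this hunk. If it does not check, the loss is one of input validation rather than of enforcement, since the resulting option value is the same either way, but it should be confirmed and either restored in the SIMPLE_IF_OPTION handler or noted there as tolerated. Also, `%options`, `%hostoptions` and the loopback interface's `options` hash no longer seed `blacklist => 0`, so any remaining reader that tests `$options{blacklist}` numerically (as the removed `& BL_IN` did) now sees undef; the readers visible in this commit were all removed, but a leftover one would warn under `use warnings` if the file enables it. process_interface starts and ends outside the hunk.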


@ -7,5 +7,5 @@
# information.
#
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT OPTIONS
#ADDRESS/SUBNET PROTOCOL PORT


@ -187,33 +187,10 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
As part of this change, the tcrules file now accepts $FW in the
DEST column for marking packets in the INPUT chain.
4) Blacklisting has undergone considerable change in this release.
The OPTIONS column may now contain a comma-separated list of the
options 'src' and 'dst'. The 'src' keyword supercedes 'from' and
'dst' supercedes 'to'. The old keywords are still supported but are
no longer documented.
The 'blacklist' interface option may now have one of 2 values:
1 - Inbound blacklisting
2 - Outbond blacklisting
Inbound blacklisting is targeted for use on Internet-facing
interfaces. Incoming packets are passed against the blacklist
entries with the 'src' option (either explicitly or defaulted).
Traffic originating on the firewall is passed against the blacklist
entries with the 'dst' option.
Outbound blacklisting is targeted for use on internal
interfaces. Packets arriving on these interfaces is passed against
the blacklist entries with the 'dst' option.
Additionally, the 'blacklist' option in /etc/shorewall/hosts is no
longer supported and is ignored with a warning:
WARNING: The "blacklist" host option is no longer supported
and will be ignored.
4) After a failed attempt to improve blacklisting by destination IP
address, I've decided to remove the OPTIONS column from the
blacklist files and take a fresh start at implementing this
feature in a later release.
5) There is now an OUT-BANDWIDTH column in
/etc/shorewall/tcinterfaces.
@ -450,14 +427,10 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
where 'iface' is a capitalized interface name (e.g., ETH0) and
'provider' is the capitalized name of a provider.
15) The 'blacklist' option in /etc/shorewall/hosts
(/etc/shorewall6/hosts) is now ignored with a warning:
WARNING: The "blacklist" host option is no longer supported and
will be ignored
The option was originally implemented to handle post kernel-2.6.21
bridges which are now handled completely in the interfaces file.
15) Support for the OPTIONS column in /etc/shorewall/blacklist
(/etc/shorewall6/blacklist) has been removed. Blacklisting by
destination IP address will be included in a later Shorewall
release.
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S


@ -7,4 +7,4 @@
# information.
#
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT OPTIONS
#ADDRESS/SUBNET PROTOCOL PORT


@ -174,29 +174,6 @@ ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
<para>Beginning with Shoreall 4.4.13, outgoing blacklisting is also
supported. The "blacklist" setting in <ulink
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
specifes whether an interface is an Internet-facing interface (value 1) or
an internal interface (value 2). Additionally, entries in
<filename>/etc/shorewall/blacklist</filename> can be specified as defining
the destination IP address rather than the source address.</para>
<itemizedlist>
<listitem>
<para>Traffic entering an Internet-facing interface is passed against
those blacklist entries that specify the source IP address. Traffic
originating on the firewall and leaving on an Interface-facing
interface is passed against the blacklist entries that specify the
destination IP address.</para>
</listitem>
<listitem>
<para>Traffic entering an internal interface is passed against those
blacklist entries that specify the destination IP address.</para>
</listitem>
</itemizedlist>
</section>
<section id="Dynamic">


@ -72,62 +72,6 @@
from services(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>OPTIONS (Optional - Added in 4.4.12) -
{-|{dst|src}[,...]}</term>
<listitem>
<para>If specified, indicates whether traffic
<emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
blacklisted. The default is <emphasis role="bold">src</emphasis>. If
the ADDRESS/SUBNET column is empty, then this column has no effect
on the generated rule.</para>
<note>
<para>In Shorewall 4.4.12, blacklisting is still restricted to
traffic <emphasis>arriving</emphasis> on an interface that has the
'blacklist' option set. So to block traffic from your local
network to an internet host, you must specify
<option>blacklist</option> on your internal interface in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para>
</note>
<note>
<para>Beginning with Shorewall 4.4.13, entries specifying
<emphasis role="bold">to</emphasis> are applied based on the
<emphasis role="bold">blacklist</emphasis> setting in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5):</para>
<orderedlist>
<listitem>
<para>Input blacklisting (default if no value given). Traffic
entering this interface are passed against the entries in
<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">from</emphasis> option
(specified or defaulted). Traffic originating on the firewall
and leaving by this interface is passed against the entries in
<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
<listitem>
<para>Output blacklisting. Traffic entering on this interface
is passed against the entries in <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
</orderedlist>
</note>
</listitem>
</varlistentry>
</variablelist>
<para></para>


@ -139,15 +139,8 @@
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>This option only makes sense for ports on a bridge. As
of Shoreawall 4.4.13, ithe option is no longer supported and
is ignored with a warning:</para>
<blockquote>
<para><emphasis role="bold">WARNING: The "blacklist" host
option is no longer supported and will be
ignored.</emphasis></para>
</blockquote>
<para>This option only makes sense for ports on a bridge.
</para>
<para>Check packets arriving on this port against the <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)


@ -223,45 +223,13 @@ loc eth2 -</programlisting>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">blacklist[=<replaceable>value</replaceable>]</emphasis></term>
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>Check packets arriving on this interface against the
<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
file. The value may be specified when running Shorewall 4.4.13
or later and can have a value in the range 1-2; entering no
value is equivalent to blacklist=1.</para>
<orderedlist>
<listitem>
<para>Input blacklisting (default if no value given). This
setting is intended for Internet-facing interfaces.</para>
<para>Traffic entering this interface is passed against
the entries in <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">from</emphasis> option
(specified or defaulted). Traffic originating on the
firewall and leaving by this interface is passed against
the entries in <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
<listitem>
<para>Output blacklisting. This setting is intended for
internal interfaces.</para>
<para>Forwarded traffic that entered through this
interface is passed against the entries in <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
</orderedlist>
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
file.</para>
</listitem>
</varlistentry>


@ -127,15 +127,8 @@
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>This option only makes sense for ports on a bridge. As
of Shorewall 4.4.13, its is ignored with a warning
message:</para>
<blockquote>
<para><emphasis role="bold">WARNING: The "blacklist" host
option is no longer supported and will be
ignored.</emphasis></para>
</blockquote>
<para>This option only makes sense for ports on a
bridge.</para>
<para>Check packets arriving on this port against the <ulink
url="shorewall-blacklist.html">shorewall6-blacklist</ulink>(5)


@ -115,42 +115,13 @@ loc eth2 -</programlisting>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">blacklist[=<replaceable>value</replaceable>]</emphasis></term>
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>The value may be specified when running Shorewall 4.4.13
or later and can have a value in the range 1-2. Specifying no
value is equivalent to blacklist=1.</para>
<orderedlist>
<listitem>
<para>Input blacklisting (default if no value given). This
setting is intended for Internet-facing interfaces.</para>
<para>Traffic entering this interface is passed against
the entries in <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
that have the <emphasis role="bold">from</emphasis> option
(specified or defaulted). Traffic originating on the
firewall and leaving by this interface is passed against
the entries in <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
<listitem>
<para>Output blacklisting. This setting is intended for
internal interfaces.</para>
<para>Traffic entering on this interface is passed against
the entries in <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
</orderedlist>
<para>Check packets arriving on this interface against the
<ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
file.</para>
</listitem>
</varlistentry>