From 1d650b41cd2ce897783cd7ea76f9cfc4b5fcb5bf Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 15 Sep 2010 15:24:58 -0700
Subject: [PATCH] Remove blacklisting by destination IP address support

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 4 --
 Shorewall/Perl/Shorewall/Rules.pm | 97 ++++++----------------------
 Shorewall/Perl/Shorewall/Zones.pm | 35 +++-------
 Shorewall/configfiles/blacklist | 2 +-
 Shorewall/releasenotes.txt | 43 +++---------
 Shorewall6/blacklist | 2 +-
 docs/blacklisting_support.xml | 23 -------
 manpages/shorewall-blacklist.xml | 56 -----------------
 manpages/shorewall-hosts.xml | 11 +---
 manpages/shorewall-interfaces.xml | 38 +----------
 manpages6/shorewall6-hosts.xml | 11 +---
 manpages6/shorewall6-interfaces.xml | 39 ++---------
 12 files changed, 48 insertions(+), 313 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 2c3426bbd..baa10ee9e 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -894,10 +894,6 @@ sub use_output_chain($$) {
 #
 return 1 if $nets > 1;
 #
- # Must also use the interface's chain if there is type-1 blacklisting on the interface
- #
- return 1 if $interfaceref->{options}{blacklist} & BL_IN;
- #
 # Don't need it if it isn't associated with any zone
 #
 return 0 unless $nets;
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index dc665aa4b..48124064f 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -213,19 +213,16 @@ sub add_rule_pair( $$$$ ) {
 sub setup_blacklist() {
- my $hosts = find_hosts_by_option1 'blacklist', BL_IN;
- my $hosts1 = find_hosts_by_option1 'blacklist', BL_OUT;
+ my $hosts = find_hosts_by_option 'blacklist';
 my $chainref;
- my $chainref1;
 my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
 my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
 #
- # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
+ # We go ahead and generate the blacklist chain and jump to it, even if it turns out to be empty. That is necessary
 # for 'refresh' to work properly.
 #
- if ( @$hosts || @$hosts1 ) {
- $chainref = dont_delete new_standard_chain 'blacklst' if @$hosts;
- $chainref1 = dont_delete new_standard_chain 'blackout' if @$hosts || @$hosts1;
+ if ( @$hosts ) {
+ $chainref = dont_delete new_standard_chain 'blacklst';
 if ( defined $level && $level ne '' ) {
 my $logchainref = new_standard_chain 'blacklog';
@@ -249,7 +246,7 @@ sub setup_blacklist() {
 while ( read_a_line ) {
 if ( $first_entry ) {
- unless ( @$hosts || @$hosts1 ) {
+ unless ( @$hosts ) {
 warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' interfaces);
 close_file;
 last BLACKLIST;
@@ -258,59 +255,25 @@ sub setup_blacklist() {
 $first_entry = 0;
 }
- my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
+ my ( $networks, $protocol, $ports ) = split_line 1, 3, 'blacklist file';
- $options = 'src' if $options eq '-';
-
- my ( $to, $from ) = ( 0, 0 );
-
- for ( split /,/, $options ) {
- if ( $_ =~ /^(?:from|src)$/ ) {
- if ( $from++ ) {
- warning_message "Duplicate 'src' ignored";
- } else {
- if ( @$hosts ) {
- expand_rule(
- $chainref ,
- NO_RESTRICT ,
- do_proto( $protocol , $ports, '' ) ,
- $networks,
- '',
- '' ,
- $target ,
- '' ,
- $target ,
- '' );
- } else {
- warning_message 'Blacklist entry ignored because there are no "blacklist=1" interfaces';
- }
- }
- } elsif ( $_ =~ /^(?:dst|to)$/ ) {
- if ( $to++ ) {
- warning_message "Duplicate 'dst' ignored";
- } else {
- expand_rule(
- $chainref1 ,
- NO_RESTRICT ,
- do_proto( $protocol , $ports, '' ) ,
- '',
- $networks,
- '' ,
- $target ,
- '' ,
- $target ,
- '' );
- }
- } else {
- fatal_error "Invalid blacklist option($_)";
- }
- }
+ expand_rule(
+ $chainref ,
+ NO_RESTRICT ,
+ do_proto( $protocol , $ports, '' ) ,
+ $networks ,
+ '' ,
+ '' ,
+ $target ,
+ '' ,
+ $disposition ,
+ '' );
 progress_message " \"$currentline\" added to blacklist";
 }
 warning_message q(There are interfaces or hosts with the 'blacklist' option but the 'blacklist' file is empty) if $first_entry && @$hosts;
- } elsif ( @$hosts || @$hosts1 ) {
+ } elsif ( @$hosts ) {
 warning_message q(There are interfaces or hosts with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
 }
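Review bot: The ninth argument of the new expand_rule call is `$disposition`, whereas the removed `src` branch passed `$target` in that position; if that parameter is the action label used for logging, the REJECT case now reads 'REJECT' instead of the internal 'reject' target, a change the commit message does not mention. If it is deliberate, a one-line comment such as `# log the configured disposition, not the internal 'reject' target` on the `$disposition ,` line would spare the next reader the archaeology; if not, restore `$target`. Separately, `split_line 1, 3` now treats a fourth column as excess, so a blacklist file still carrying the OPTIONS column from 4.4.12 presumably fails with split_line's generic too-many-columns error rather than a message naming the removed column — a targeted check before the split would make the upgrade failure self-explanatory. The enclosing while loop and setup_blacklist continue outside this hunk.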
@@ -331,24 +294,7 @@ sub setup_blacklist() {
 set_interface_option $interface, 'use_input_chain', 1;
 set_interface_option $interface, 'use_forward_chain', 1;
- progress_message " Type 1 blacklisting enabled on ${interface}:${network}";
- }
-
- if ( $chainref1 && @{$chainref1->{rules}} ) {
- for my $hostref ( @$hosts1 ) {
- my $interface = $hostref->[0];
- my $ipsec = $hostref->[1];
- my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
- my $network = $hostref->[2];
- my $source = match_source_net $network;
- my $target = source_exclusion( $hostref->[3], $chainref1 );
- add_jump $filter_table->{forward_chain $interface} , $target, 0, "${source}${state}${policy}";
- set_interface_option $interface, 'use_forward_chain', 1;
- progress_message " Type 2 blacklisting enabled on ${interface}:${network}";
- }
+ progress_message " Blacklisting enabled on ${interface}:${network}";
 }
 }
 }
@@ -1885,14 +1831,12 @@ sub generate_matrix() {
 my $fw = firewall_zone;
 my $notrackref = $raw_table->{notrack_chain $fw};
 my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
- my $blackout = $filter_table->{blackout};
 my @zones = off_firewall_zones;
 my @vservers = vserver_zones;
 my $interface_jumps_added = 0;
 our %input_jump_added = ();
 our %output_jump_added = ();
 our %forward_jump_added = ();
- my %needs_bl_jump = ();
 progress_message2 'Generating Rule Matrix...';
 #
@@ -2021,7 +1965,6 @@ sub generate_matrix() {
 my $ipsec_in_match = match_ipsec_in $zone , $hostref;
 my $ipsec_out_match = match_ipsec_out $zone , $hostref;
 my $exclusions = $hostref->{exclusions};
- my $blacklist = $blackout && $hostref->{options}{blacklist} & BL_IN;
 for my $net ( @{$hostref->{hosts}} ) {
 my $dest = match_dest_net $net;
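Review bot: In the @@ -1885 hunk of generate_matrix, `my $state = $config{BLACKLISTNEWONLY} ? ... : '';` survives although the only consumer of it visible in this patch, the `add_jump( ..., $state, 0, 0 ) for keys %needs_bl_jump;` line removed in the @@ -2301 hunk, is gone. Unless generate_matrix references `$state` somewhere outside these hunks, the declaration is now dead and should be dropped together with `$blackout` and `%needs_bl_jump`; an assigned-but-never-read lexical is not reported by `use warnings`, so it will not be caught later. The `${state}` in the removed Type 2 loop above belongs to setup_blacklist's own `$state`, not this one. generate_matrix starts and ends outside the hunks shown.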
@@ -2038,7 +1981,6 @@ sub generate_matrix() {
 $outputref = $interfacechainref;
 add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 $use_output = 1;
- $needs_bl_jump{output_chain $interface} = 1 if $blacklist;
 unless ( lc $net eq IPv6_LINKLOCAL ) {
 for my $vzone ( vserver_zones ) {
@@ -2301,7 +2243,6 @@ sub generate_matrix() {
 add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain;
 }
- add_jump( $filter_table->{$_}, $filter_table->{blackout} , 0 , $state , 0 , 0 ) for keys %needs_bl_jump;
 add_interface_jumps @interfaces unless $interface_jumps_added;
 my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 368bee1a2..a92571b45 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -41,8 +41,6 @@ our @EXPORT = qw( NOTHING
 IP
 BPORT
 IPSEC
- BL_IN
- BL_OUT
 determine_zones
 zone_report
@@ -98,12 +96,6 @@ use constant { NOTHING => 'NOTHING',
 IPSECMODE => 'tunnel|transport' };
 #
- # blacklist option values
- #
- use constant {
- BL_IN => 1 ,
- BL_OUT => 2 };
- #
 # Zone Table.
 #
 # @zones contains the ordered list of zones with sub-zones appearing before their parents.
@@ -239,7 +231,7 @@ sub initialize( $ ) {
 if ( $family == F_IPV4 ) {
 %validinterfaceoptions = (arp_filter => BINARY_IF_OPTION,
 arp_ignore => ENUM_IF_OPTION,
- blacklist => ENUM_IF_OPTION + IF_OPTION_HOST,
+ blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 bridge => SIMPLE_IF_OPTION,
 detectnets => OBSOLETE_IF_OPTION,
 dhcp => SIMPLE_IF_OPTION,
@@ -272,7 +264,7 @@ sub initialize( $ ) {
 sourceonly => 1,
 );
 } else {
- %validinterfaceoptions = ( blacklist => ENUM_IF_OPTION + IF_OPTION_HOST,
+ %validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 bridge => SIMPLE_IF_OPTION,
 dhcp => SIMPLE_IF_OPTION,
 maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
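Review bot: Reclassifying `blacklist` from ENUM_IF_OPTION to SIMPLE_IF_OPTION in the @@ -239 hunk (and the IPv6 table in @@ -272) means an interfaces file written against the earlier 4.4.13 syntax `blacklist=1` / `blacklist=2` will presumably be rejected by the generic option parser rather than silently treated as plain `blacklist`; whether that surfaces as a fatal error or a warning depends on the SIMPLE_IF_OPTION handling in process_interface, which is outside these hunks, and is worth confirming since the explicit value check is also removed from process_interface in this commit. The release-notes hunk only describes the OPTIONS column removal, so a sentence there stating that the `=value` form of the interface option is gone as well would make the upgrade path explicit. The `%validinterfaceoptions` initializers and sub initialize continue outside the hunk.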
@@ -653,8 +645,6 @@ sub add_group_to_zone($$$$$)
 $zoneref->{interfaces}{$interface} = 1;
- $options->{blacklist} ||= 0;
 my @newnetworks;
 my @exclusions = ();
 my $new = \@newnetworks;
@@ -919,7 +909,6 @@ sub process_interface( $$ ) {
 my %options;
 $options{port} = 1 if $port;
- $options{blacklist} = 0;
 my $hostoptionsref = {};
@@ -931,7 +920,7 @@ sub process_interface( $$ ) {
 if ( $options ne '-' ) {
- my %hostoptions = ( blacklist => 0, dynamic => 0 );
+ my %hostoptions = ( dynamic => 0 );
 for my $option (split_list1 $options, 'option' ) {
 next if $option eq '-';
@@ -974,11 +963,6 @@ sub process_interface( $$ ) {
 } else {
 $options{arp_ignore} = 1;
 }
- } elsif ( $option eq 'blacklist' ) {
- fatal_error "Duplicate blacklist option" if $options{blacklist};
- $value = BL_IN unless ( defined $value && $value ne '' );
- fatal_error "Invalid 'blacklist' value ( $value )" unless $value =~ /^[12]$/;
- $options{blacklist} = $value;
 } else {
 assert( 0 );
 }
@@ -1141,7 +1125,7 @@ sub validate_interfaces_file( $ ) {
 number => $nextinum ,
 root => $interface ,
 broadcasts => undef ,
- options => { blacklist => 0 } ,
+ options => {} ,
 zone => '',
 physical => 'lo',
 };
@@ -1680,11 +1664,11 @@ sub process_host( ) {
 }
 }
- my $optionsref = { blacklist => 0, dynamic => 0 };
+ my $optionsref = { dynamic => 0 };
 if ( $options ne '-' ) {
 my @options = split_list $options, 'option';
- my %options = ( blacklist => 0, dynamic => 0 );
+ my %options = ( dynamic => 0 );
 for my $option ( @options ) {
 if ( $option eq 'ipsec' ) {
@@ -1696,12 +1680,7 @@ sub process_host( ) {
 warning_message "The 'norfc1918' option is no longer supported"
 } elsif ( $validhostoptions{$option}) {
 fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
-
- if ( $option eq 'blacklist' ) {
- warning_message qq(The "blacklist" host option is no longer supported and will be ignored);
- } else {
- $options{$option} = 1;
- }
+ $options{$option} = 1;
 } else {
 fatal_error "Invalid option ($option)";
 }
diff --git a/Shorewall/configfiles/blacklist b/Shorewall/configfiles/blacklist
index 9bb785124..9e7722cb9 100644
--- a/Shorewall/configfiles/blacklist
+++ b/Shorewall/configfiles/blacklist
@@ -7,5 +7,5 @@
 # information.
 #
 ###############################################################################
-#ADDRESS/SUBNET PROTOCOL PORT OPTIONS
+#ADDRESS/SUBNET PROTOCOL PORT
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index c5d2c869c..b1159db02 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -187,33 +187,10 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES As part of this change, the tcrules file now accepts $FW in the DEST column for marking packets in the INPUT chain. -4) Blacklisting has undergone considerable change in this release. - - The OPTIONS column may now contain a comma-separated list of the - options 'src' and 'dst'. The 'src' keyword supercedes 'from' and - 'dst' supercedes 'to'. The old keywords are still supported but are - no longer documented. - - The 'blacklist' interface option may now have one of 2 values: - - 1 - Inbound blacklisting - 2 - Outbond blacklisting - - Inbound blacklisting is targeted for use on Internet-facing - interfaces. Incoming packets are passed against the blacklist - entries with the 'src' option (either explicitly or defaulted). - Traffic originating on the firewall is passed against the blacklist - entries with the 'dst' option. - - Outbound blacklisting is targeted for use on internal - interfaces. Packets arriving on these interfaces is passed against - the blacklist entries with the 'dst' option. - - Additionally, the 'blacklist' option in /etc/shorewall/hosts is no - longer supported and is ignored with a warning: - - WARNING: The "blacklist" host option is no longer supported - and will be ignored. +4) After a failed attempt to improve blacklisting by destination IP + address, I've decided to remove the OPTIONS column from the + blacklist files and take a fresh start at implementing this + feature in a later release. 5) There is now an OUT-BANDWIDTH column in /etc/shorewall/tcinterfaces. 
@@ -450,14 +427,10 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES where 'iface' is a capitalized interface name (e.g., ETH0) and 'provider' is the capitalized name of a provider. -15) The 'blacklist' option in /etc/shorewall/hosts - (/etc/shorewall6/hosts) is now ignored with a warning: - - WARNING: The "blacklist" host option is no longer supported and - will be ignored - - The option was originally implemented to handle post kernel-2.6.21 - bridges which are now handled completely in the interfaces file. +15) Support for the OPTIONS column in /etc/shorewall/blacklist + (/etc/shorewall6/blacklist) has been removed. Blacklisting by + destination IP address will be included in a later Shorewall + release. ---------------------------------------------------------------------------- V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S diff --git a/Shorewall6/blacklist b/Shorewall6/blacklist index 4edfd1505..6b519040e 100755 --- a/Shorewall6/blacklist +++ b/Shorewall6/blacklist @@ -7,4 +7,4 @@ # information. # ############################################################################### -#ADDRESS/SUBNET PROTOCOL PORT OPTIONS +#ADDRESS/SUBNET PROTOCOL PORT diff --git a/docs/blacklisting_support.xml b/docs/blacklisting_support.xml index f0710fe02..0ef13ac94 100644 --- a/docs/blacklisting_support.xml +++ b/docs/blacklisting_support.xml 
@@ -174,29 +174,6 @@ ipset -A Blacklist 206.124.146.177 ipset -B Blacklist 206.124.146.177 -b SMTP This will blacklist SMTP traffic from host 206.124.146.177. - - Beginning with Shoreall 4.4.13, outgoing blacklisting is also - supported. The "blacklist" setting in /etc/shorewall/interfaces - specifes whether an interface is an Internet-facing interface (value 1) or - an internal interface (value 2). Additionally, entries in - /etc/shorewall/blacklist can be specified as defining - the destination IP address rather than the source address. - - - - Traffic entering an Internet-facing interface is passed against - those blacklist entries that specify the source IP address. Traffic - originating on the firewall and leaving on an Interface-facing - interface is passed against the blacklist entries that specify the - destination IP address. - - - - Traffic entering an internal interface is passed against those - blacklist entries that specify the destination IP address. - -
diff --git a/manpages/shorewall-blacklist.xml b/manpages/shorewall-blacklist.xml index 02890cde0..ca5b1ef7f 100644 --- a/manpages/shorewall-blacklist.xml +++ b/manpages/shorewall-blacklist.xml @@ -72,62 +72,6 @@ from services(5). - - - OPTIONS (Optional - Added in 4.4.12) - - {-|{dst|src}[,...]} - - - If specified, indicates whether traffic - from ADDRESS/SUBNET (src) or traffic to - ADDRESS/SUBNET (dst) should be - blacklisted. The default is src. If - the ADDRESS/SUBNET column is empty, then this column has no effect - on the generated rule. - - - In Shorewall 4.4.12, blacklisting is still restricted to - traffic arriving on an interface that has the - 'blacklist' option set. So to block traffic from your local - network to an internet host, you must specify - on your internal interface in shorewall-interfaces - (5). - - - - Beginning with Shorewall 4.4.13, entries specifying - to are applied based on the - blacklist setting in shorewall-interfaces(5): - - - - Input blacklisting (default if no value given). Traffic - entering this interface are passed against the entries in - shorewall-blacklist(5) - that have the from option - (specified or defaulted). Traffic originating on the firewall - and leaving by this interface is passed against the entries in - shorewall-blacklist(5) - that have the to - option. - - - - Output blacklisting. Traffic entering on this interface - is passed against the entries in shorewall-blacklist(5) - that have the to - option. - - - - - diff --git a/manpages/shorewall-hosts.xml b/manpages/shorewall-hosts.xml index 3e7ac6cca..b9934e1ba 100644 --- a/manpages/shorewall-hosts.xml +++ b/manpages/shorewall-hosts.xml @@ -139,15 +139,8 @@ blacklist - This option only makes sense for ports on a bridge. As - of Shoreawall 4.4.13, ithe option is no longer supported and - is ignored with a warning: - -
- WARNING: The "blacklist" host - option is no longer supported and will be - ignored. -
+ This option only makes sense for ports on a bridge. + Check packets arriving on this port against the shorewall-blacklist(5) diff --git a/manpages/shorewall-interfaces.xml b/manpages/shorewall-interfaces.xml index 9c50ed7b9..14bb5c335 100644 --- a/manpages/shorewall-interfaces.xml +++ b/manpages/shorewall-interfaces.xml @@ -223,45 +223,13 @@ loc eth2 - - blacklist[=value] + blacklist Check packets arriving on this interface against the shorewall-blacklist(5) - file. The value may be specified when running Shorewall 4.4.13 - or later and can have a value in the range 1-2; entering no - value is equivalent to blacklist=1. - - - - Input blacklisting (default if no value given). This - setting is intended for Internet-facing interfaces. - - Traffic entering this interface is passed against - the entries in shorewall-blacklist(5) - that have the from option - (specified or defaulted). Traffic originating on the - firewall and leaving by this interface is passed against - the entries in shorewall-blacklist(5) - that have the to - option. - - - - Output blacklisting. This setting is intended for - internal interfaces. - - Forwarded traffic that entered through this - interface is passed against the entries in shorewall-blacklist(5) - that have the to - option. - - + url="shorewall6-blacklist.html">shorewall6-blacklist(5) + file.
diff --git a/manpages6/shorewall6-hosts.xml b/manpages6/shorewall6-hosts.xml index 88d6ded73..a748cda52 100644 --- a/manpages6/shorewall6-hosts.xml +++ b/manpages6/shorewall6-hosts.xml @@ -127,15 +127,8 @@ blacklist - This option only makes sense for ports on a bridge. As - of Shorewall 4.4.13, its is ignored with a warning - message: - -
- WARNING: The "blacklist" host - option is no longer supported and will be - ignored. -
+ This option only makes sense for ports on a + bridge. Check packets arriving on this port against the shorewall6-blacklist(5) diff --git a/manpages6/shorewall6-interfaces.xml b/manpages6/shorewall6-interfaces.xml index a60ce572b..69711b0d1 100644 --- a/manpages6/shorewall6-interfaces.xml +++ b/manpages6/shorewall6-interfaces.xml @@ -115,42 +115,13 @@ loc eth2 - - blacklist[=value] + blacklist - The value may be specified when running Shorewall 4.4.13 - or later and can have a value in the range 1-2. Specifying no - value is equivalent to blacklist=1. - - - - Input blacklisting (default if no value given). This - setting is intended for Internet-facing interfaces. - - Traffic entering this interface is passed against - the entries in shorewall6-blacklist(5) - that have the from option - (specified or defaulted). Traffic originating on the - firewall and leaving by this interface is passed against - the entries in shorewall6-blacklist(5) - that have the to - option. - - - - Output blacklisting. This setting is intended for - internal interfaces. - - Traffic entering on this interface is passed against - the entries in shorewall6-blacklist(5) - that have the to - option. - - + Check packets arriving on this interface against the + shorewall6-blacklist(5) + file.