diff --git a/Lrp/etc/shorewall/hosts b/Lrp/etc/shorewall/hosts
index 3a390cc58..24bb53a9d 100644
--- a/Lrp/etc/shorewall/hosts
+++ b/Lrp/etc/shorewall/hosts
@@ -1,10 +1,17 @@
 #
 # Shorewall 1.4 - /etc/shorewall/hosts
 #
-# WARNING: 90% of Shorewall users don't need to add entries to this
-# file and 80% of those who try to add such entries get it
-# wrong. Unless you are ABSOLUTELY SURE that you need entries
-# in this file, don't touch it!
+# THERE ARE TWO CASES WHERE YOU NEED THIS FILE:
+#
+# 1) YOU HAVE MULTIPLE NETWORKS IN THE SAME ZONE CONNECTED TO
+# A SINGLE INTERFACE AND YOU WANT THE SHOREWALL BOX TO ROUTE
+# BETWEEN THESE NETWORKS.
+#
+# 2) YOU HAVE MORE THAN ONE ZONE CONNECTED THROUGH A SINGLE
+# INTERFACE.
+#
+# IF YOU DON'T HAVE EITHER OF THESE SITUATIONS THEN DON'T TOUCH
+# THIS FILE.
 #
 # This file is used to define zones in terms of subnets and/or
 # individual IP addresses. Most simple setups don't need to
diff --git a/Lrp/etc/shorewall/policy b/Lrp/etc/shorewall/policy
index c90d1cdc1..e33ebfe7c 100644
--- a/Lrp/etc/shorewall/policy
+++ b/Lrp/etc/shorewall/policy
@@ -22,7 +22,26 @@
 # Shorewall will not start!
 #
 # POLICY Policy if no match from the rules file is found. Must
-# be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
+# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
+#
+# ACCEPT - Accept the connection
+# DROP - Ignore the connection request
+# REJECT - For TCP, send RST. For all other, send
+# "port unreachable" ICMP.
+# CONTINUE - Pass the connection request past
+# any other rules that it might also
+# match (where the source or destination
+# zone in those rules is a superset of
+# the SOURCE or DEST in this policy).
+# NONE - Assume that there will never be any
+# packets from this SOURCE
+# to this DEST. Shorewall will not set up
+# any infrastructure to handle such
+# packets and you may not have any rules
+# with this SOURCE and DEST in the
+# /etc/shorewall/rules file. If such a
+# packet _is_ received, the result is
+# undefined.
 #
 # LOG LEVEL If supplied, each connection handled under the default
 # POLICY is logged at that level. If not supplied, no
diff --git a/Lrp/etc/shorewall/rules b/Lrp/etc/shorewall/rules
index 53bae816c..e658a9e9f 100644
--- a/Lrp/etc/shorewall/rules
+++ b/Lrp/etc/shorewall/rules
@@ -15,7 +15,8 @@
 # Columns are:
 #
 #
-# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT
+# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE
+# or LOG.
 #
 # ACCEPT -- allow the connection request
 # DROP -- ignore the request
@@ -39,6 +40,7 @@
 # connection request will be passed
 # to the rules defined for that
 # (those) zone(s).
+# LOG -- Simply log the packet and continue.
 #
 # May optionally be followed by ":" and a syslog log
 # level (e.g, REJECT:info). This causes the packet to be
diff --git a/Lrp/usr/share/shorewall/firewall b/Lrp/usr/share/shorewall/firewall
index 03630b5fe..0fcfbb0d8 100755
--- a/Lrp/usr/share/shorewall/firewall
+++ b/Lrp/usr/share/shorewall/firewall
@@ -672,6 +672,7 @@ validate_policy() print_policy() # $1 = source zone, $2 = destination zone { [ $command != check ] || \ + [ $1 = $2 ] || \ [ $1 = all ] || \ [ $2 = all ] || \ echo " Policy for $1 to $2 is $policy" @@ -708,7 +709,7 @@ validate_policy() esac case $policy in - ACCEPT|REJECT|DROP|CONTINUE) + ACCEPT|REJECT|DROP|CONTINUE|NONE) ;; *) startup_error "Invalid policy $policy" @@ -728,7 +729,7 @@ validate_policy() chain=${client}2${server} - all_policy_chains="$all_policy_chains $chain" + [ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain" eval ${chain}_is_policy=Yes eval ${chain}_policy=$policy @@ -743,6 +744,7 @@ validate_policy() if [ -z "$pc" ]; then eval ${zone}2${zone1}_policychain=$chain + eval ${zone}2${zone1}_policy=$policy print_policy $zone $zone1 fi done @@ -753,6 +755,7 @@ validate_policy() if [ -z "$pc" ]; then eval ${zone}2${server}_policychain=$chain + eval ${zone}2${server}_policy=$policy print_policy $zone $server fi done @@ -763,6 +766,7 @@ validate_policy() if [ -z "$pc" ]; then eval ${client}2${zone}_policychain=$chain + eval ${client}2${zone}_policy=$policy print_policy $client $zone fi done @@ -1438,7 +1442,7 @@ delete_nat() { # setup_ecn() # $1 = file name { - local interfaces + local interfaces="" local hosts local h @@ -2151,7 +2155,7 @@ process_rule() # $1 = target else serverport= [ -z "$serverzone" -o -z "$servers" ] && \ - startup_error "Empty destination zone or qualifier: rule \"$rule\"" + fatal_error "Empty destination zone or qualifier: rule \"$rule\"" fi fi @@ -2165,6 +2169,11 @@ process_rule() # $1 = target chain=${source}2${dest} + eval policy=\$${chain}_policy + + [ $policy = NONE ] && \ + fatal_error "Rules may not override a NONE policy: rule \"$rule\"" + [ $command = check ] || ensurechain $chain if [ "x$chain" = x${FW}2${FW} ]; then 
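Review bot: The new `[ $policy = NONE ] && fatal_error ...` test in process_rule leaves `$policy` unquoted, so if `${chain}_policy` was never assigned for this source/dest pair the test degenerates to `[ = NONE ]`, which prints a test syntax error and silently skips the check instead of rejecting the rule; the sibling hunk at @@ -3670 already quotes the same comparison. Suggest `[ "$policy" = NONE ] && \` here, and the same quoting for `[ $policy = NONE ] || all_policy_chains=...` at @@ -728 for consistency. process_rule starts and ends outside this hunk, so I can't tell whether `policy` is declared local there or is the same global that validate_policy and print_policy read; a one-line comment above the eval would settle it, e.g. `# policy of the zone pair this rule targets, recorded by validate_policy`.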
@@ -2683,6 +2692,8 @@ rules_chain() # $1 = source zone, $2 = destination zone havechain $chain && { echo $chain; return; } + [ "$1" = "$2" ] && { echo ACCEPT; return; } + eval chain=\$${chain}_policychain [ -n "$chain" ] && { echo $chain; return; } @@ -3670,41 +3681,27 @@ activate_rules() done for zone1 in $zones; do + + eval policy=\$${zone}2${zone1}_policy + + [ "$policy" = NONE ] && continue + eval dest_hosts=\$${zone1}_hosts chain="`rules_chain $zone $zone1`" echo "$zone $zone1 $chain" >> ${STATEDIR}/chains - if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then - have_canonical=Yes - else - have_canonical= - fi - for host in $source_hosts; do interface=${host%:*} subnet=${host#*:} chain1=`forward_chain $interface` - if [ -n "$have_canonical" ]; then - bounce=yes - else - case $interface in - *+*) - bounce=yes - ;; - *) - bounce= - ;; - esac - fi - for host1 in $dest_hosts; do interface1=${host1%:*} subnet1=${host1#*:} - if [ $interface != $interface1 -o -n "$bounce" ]; then + if [ "$host" != "$host1" ]; then run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain fi done diff --git a/Lrp/usr/share/shorewall/version b/Lrp/usr/share/shorewall/version index 88c5fb891..347f5833e 100644 --- a/Lrp/usr/share/shorewall/version +++ b/Lrp/usr/share/shorewall/version @@ -1 +1 @@ -1.4.0 +1.4.1 diff --git a/Lrp/var/lib/lrpkg/shorwall.conf b/Lrp/var/lib/lrpkg/shorwall.conf index 4433a561f..4ccdb0c9f 100644 --- a/Lrp/var/lib/lrpkg/shorwall.conf +++ b/Lrp/var/lib/lrpkg/shorwall.conf @@ -16,6 +16,7 @@ /etc/shorewall/tos TOS Type of Service policy /etc/shorewall/blacklist Blacklist Blacklisted hosts /etc/shorewall/rfc1918 RFC1918 Defines 'norfc1918' interface option +/etc/shorewall/ecn ECN Disable ECN to hosts and networks /etc/shorewall/init Init Commands executed before [re]start /etc/shorewall/start Start Commands executed after [re]start /etc/shorewall/stop Stop Commands executed before stop 
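Review bot: The added `[ "$1" = "$2" ] && { echo ACCEPT; return; }` in rules_chain runs before the `${chain}_policychain` lookup, so intra-zone traffic that has no chain of its own resolves to ACCEPT even when a catch-all policy entry would otherwise cover that pair; only a pair whose chain already exists at the `havechain` line is unaffected. If that is the intended semantics, it deserves a comment at that line, e.g. `# intra-zone traffic is accepted unless a zone-specific chain exists; a catch-all policy does not apply`, and a matching sentence in /etc/shorewall/policy. I can't see from the hunk whether explicit same-zone policy chains are always created before rules_chain is called, so the ordering relative to `havechain` should be confirmed.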
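Review bot: The `[ "$policy" = NONE ] && continue` in activate_rules skips the zone pair before `rules_chain` and before the `echo ... >> ${STATEDIR}/chains` line, so a NONE pair gets neither a forward rule nor an entry in the chains state file, and packets for that pair fall through to whatever follows in `forward_chain $interface` — the outcome the policy-file text calls undefined. A comment at the `continue` stating that, e.g. `# NONE: no rule and no state entry for this pair; such traffic is handled by whatever follows in the interface forward chain`, would save the next reader a trip through rules_chain. Anything that reads ${STATEDIR}/chains should be checked for how it treats the now-missing pairs. Replacing the `have_canonical`/`bounce` logic with `[ "$host" != "$host1" ]` also means two distinct host entries on the same interface now get a forward rule between them; that matches case 1 in the new hosts-file header but is a behaviour change for existing hosts files and is worth noting in the release notes.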
diff --git a/Lrp/var/lib/lrpkg/shorwall.version b/Lrp/var/lib/lrpkg/shorwall.version
index 88c5fb891..347f5833e 100644
--- a/Lrp/var/lib/lrpkg/shorwall.version
+++ b/Lrp/var/lib/lrpkg/shorwall.version
@@ -1 +1 @@
-1.4.0
+1.4.1