From 3a82d467629f3374b4971c87d2b5b51239d23b20 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 27 Jan 2004 21:16:07 +0000
Subject: [PATCH] 1.4.10 RC2 and fixes for broadcast rejects, ratelimiting and CONTINUE rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1092 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/fallback.sh | 2 +-
 Shorewall/firewall | 35 +++++++++++++++++++++++++++++++----
 Shorewall/install.sh | 2 +-
 Shorewall/releasenotes.txt | 4 +++-
 Shorewall/shorewall.spec | 8 +++++---
 Shorewall/uninstall.sh | 2 +-
 6 files changed, 42 insertions(+), 11 deletions(-)

diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh
index 5526b67b5..1886cb29d 100755
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
-VERSION=1.4.10-RC1
+VERSION=1.4.10-RC2
 usage() # $1 = exit status
 {
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 3bb2aee62..51580b8e2 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -2944,6 +2944,8 @@ process_rule() # $1 = target
 # Function Body - isolate rate limit
+ [ "x$ratelimit" = "x-" ] && ratelimit=
+
 if [ -z "$ratelimit" ]; then
 if [ "$target" != "${target%<*}" ]; then
 ratelimit="${target#*<}"
@@ -2955,9 +2957,6 @@ process_rule() # $1 = target
 if [ -n "$ratelimit" ]; then
 case $ratelimit in
- -)
- ratelimit=
- ;;
 *:*)
 ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
 ;;
@@ -2995,7 +2994,11 @@ process_rule() # $1 = target
 case "$userset" in
 *:*)
 case $target in
- ACCEPT|REJECT|DROP)
+ ACCEPT)
+ ;;
+ REJECT|DROP)
+ [ -n "$ratelimit" ] && fatal_error \
+ "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
 ;;
 *)
 fatal_error ": may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
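Review bot: The message `Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG` is written out verbatim in the new REJECT|DROP branch of the `case $target` at 2994, and again four more times in the hunks at 3021 (DROP and REJECT) and 3039 (REJECT and CONTINUE), so the list of permitted targets has five copies that will drift the first time a target is added or removed. A one-line helper defined alongside fatal_error, `ratelimit_error() { fatal_error "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"; }`, called from each branch as `[ -n "$ratelimit" ] && ratelimit_error`, keeps a single source of truth and also shortens each branch back to one line. The same helper would let a later change (for example allowing CONTINUE to be rate limited) be made in one place. process_rule starts and ends outside this hunk.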
@@ -3021,9 +3024,13 @@ process_rule() # $1 = target
 target=`accept_chain $userset`
 ;;
 DROP)
+ [ -n "$ratelimit" ] && fatal_error \
+ "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
 target=`drop_chain $userset`
 ;;
 REJECT)
+ [ -n "$ratelimit" ] && fatal_error \
+ "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
 target=`reject_chain $userset`
 ;;
 *)
@@ -3039,8 +3046,15 @@ process_rule() # $1 = target
 ACCEPT|LOG)
 ;;
 REJECT)
+ [ -n "$ratelimit" ] && fatal_error \
+ "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
 target=reject
 ;;
+ CONTINUE)
+ [ -n "$ratelimit" ] && fatal_error \
+ "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
+ target=RETURN
+ ;;
 DNAT)
 target=ACCEPT
 address=${address:=detect}
@@ -4433,6 +4447,19 @@ add_common_rules() {
 # Reject Rules
 #
 run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
+ #
+ # Don't respond to broadcasts with an ICMP
+ #
+ qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
+ if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
+ run_iptables -A reject -d 255.255.255.255 -j DROP
+ run_iptables -A reject -d 224.0.0.0/4 -j DROP
+ for address in $(find_broadcasts) ; do
+ run_iptables -A reject -d $address -j DROP
+ done
+ fi
+
 run_iptables -A reject -p udp -j REJECT
 #
 # Not all versions of iptables support these so don't complain if they don't work
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index aa50f97f2..20413ede4 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -54,7 +54,7 @@
 # /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.4.10-RC1
+VERSION=1.4.10-RC2
 usage() # $1 = exit status
 {
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 84edf91e7..b0baa324f 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
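Review bot: In the add_common_rules hunk at 4447 the address-based fallback is keyed only on the multicast pkttype rule, while the broadcast pkttype rule on the line before it is run through qt with its status discarded; if that first rule fails and the second succeeds, broadcast packets still fall through to the REJECT rules below and draw the ICMP reply the comment says this block prevents. Making the fallback depend on both attempts, `if ! qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP || ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then`, closes that gap; both matches presumably come from the same pkttype module and would fail together, but the code should not rely on that. `$address` in the find_broadcasts loop is unquoted, so `-d "$address"` would be the safer form if that function can ever emit an empty or multi-word item. A short comment such as `# pkttype match unavailable: fall back to explicit broadcast/multicast destinations` above the fallback body would make the two-path structure clear. add_common_rules continues outside this hunk.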
@@ -9,6 +9,8 @@ Problems Corrected since version 1.4.9:
 during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are specified in /etc/shorewall/shorewall.conf.
+3. Shorewall now tried to avoid sending an ICMP response to broadcasts.
+
 Migration Issues: None.
@@ -45,7 +47,7 @@ New Features:
 /etc/shorewall/interfaces. This option automatically taylors the definition of the zone named in the ZONE column to include just those hosts that have routes through the interface named in the
- INTERFACE column. The named interface must be UP prior when
+ INTERFACE column. The named interface must be UP when
 Shorewall is [re]started.
 WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!
diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec
index f5ca982b0..435b8a4e4 100644
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 1.4.10
-%define release 0RC1
+%define release 0RC2
 %define prefix /usr
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -109,8 +109,10 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
-* Tue Jan 22 2004 Tom Eastep
-- Changed version to 1.4.10
+* Sat Jan 24 2004 Tom Eastep
+- Changed version to 1.4.10-RC2
+* Thu Jan 22 2004 Tom Eastep
+- Changed version to 1.4.10-RC1
 * Tue Jan 13 2004 Tom Eastep
 - Changed version to 1.4.9
 * Mon Dec 29 2003 Tom Eastep
diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh
index 11ae4db87..80444c4ef 100755
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.4.10-RC1
+VERSION=1.4.10-RC2
 usage() # $1 = exit status
 {