1.4.10 RC2 and fixes for broadcast rejects, ratelimiting and CONTINUE rules
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1092 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
6891ed7d8e
commit
3a82d46762
@ -28,7 +28,7 @@
|
|||||||
# shown below. Simply run this script to revert to your prior version of
|
# shown below. Simply run this script to revert to your prior version of
|
||||||
# Shoreline Firewall.
|
# Shoreline Firewall.
|
||||||
|
|
||||||
VERSION=1.4.10-RC1
|
VERSION=1.4.10-RC2
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -2944,6 +2944,8 @@ process_rule() # $1 = target
|
|||||||
|
|
||||||
# Function Body - isolate rate limit
|
# Function Body - isolate rate limit
|
||||||
|
|
||||||
|
[ "x$ratelimit" = "x-" ] && ratelimit=
|
||||||
|
|
||||||
if [ -z "$ratelimit" ]; then
|
if [ -z "$ratelimit" ]; then
|
||||||
if [ "$target" != "${target%<*}" ]; then
|
if [ "$target" != "${target%<*}" ]; then
|
||||||
ratelimit="${target#*<}"
|
ratelimit="${target#*<}"
|
||||||
@ -2955,9 +2957,6 @@ process_rule() # $1 = target
|
|||||||
|
|
||||||
if [ -n "$ratelimit" ]; then
|
if [ -n "$ratelimit" ]; then
|
||||||
case $ratelimit in
|
case $ratelimit in
|
||||||
-)
|
|
||||||
ratelimit=
|
|
||||||
;;
|
|
||||||
*:*)
|
*:*)
|
||||||
ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
|
ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
|
||||||
;;
|
;;
|
||||||
@ -2995,7 +2994,11 @@ process_rule() # $1 = target
|
|||||||
case "$userset" in
|
case "$userset" in
|
||||||
*:*)
|
*:*)
|
||||||
case $target in
|
case $target in
|
||||||
ACCEPT|REJECT|DROP)
|
ACCEPT)
|
||||||
|
;;
|
||||||
|
REJECT|DROP)
|
||||||
|
[ -n "$ratelimit" ] && fatal_error \
|
||||||
|
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
fatal_error "<user>:<group> may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
|
fatal_error "<user>:<group> may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
|
||||||
@ -3021,9 +3024,13 @@ process_rule() # $1 = target
|
|||||||
target=`accept_chain $userset`
|
target=`accept_chain $userset`
|
||||||
;;
|
;;
|
||||||
DROP)
|
DROP)
|
||||||
|
[ -n "$ratelimit" ] && fatal_error \
|
||||||
|
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
|
||||||
target=`drop_chain $userset`
|
target=`drop_chain $userset`
|
||||||
;;
|
;;
|
||||||
REJECT)
|
REJECT)
|
||||||
|
[ -n "$ratelimit" ] && fatal_error \
|
||||||
|
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
|
||||||
target=`reject_chain $userset`
|
target=`reject_chain $userset`
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
@ -3039,8 +3046,15 @@ process_rule() # $1 = target
|
|||||||
ACCEPT|LOG)
|
ACCEPT|LOG)
|
||||||
;;
|
;;
|
||||||
REJECT)
|
REJECT)
|
||||||
|
[ -n "$ratelimit" ] && fatal_error \
|
||||||
|
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
|
||||||
target=reject
|
target=reject
|
||||||
;;
|
;;
|
||||||
|
CONTINUE)
|
||||||
|
[ -n "$ratelimit" ] && fatal_error \
|
||||||
|
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
|
||||||
|
target=RETURN
|
||||||
|
;;
|
||||||
DNAT)
|
DNAT)
|
||||||
target=ACCEPT
|
target=ACCEPT
|
||||||
address=${address:=detect}
|
address=${address:=detect}
|
||||||
@ -4433,6 +4447,19 @@ add_common_rules() {
|
|||||||
# Reject Rules
|
# Reject Rules
|
||||||
#
|
#
|
||||||
run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
|
run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
|
||||||
|
#
|
||||||
|
# Don't respond to broadcasts with an ICMP
|
||||||
|
#
|
||||||
|
qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
|
||||||
|
if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
|
||||||
|
run_iptables -A reject -d 255.255.255.255 -j DROP
|
||||||
|
run_iptables -A reject -d 224.0.0.0/4 -j DROP
|
||||||
|
|
||||||
|
for address in $(find_broadcasts) ; do
|
||||||
|
run_iptables -A reject -d $address -j DROP
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
run_iptables -A reject -p udp -j REJECT
|
run_iptables -A reject -p udp -j REJECT
|
||||||
#
|
#
|
||||||
# Not all versions of iptables support these so don't complain if they don't work
|
# Not all versions of iptables support these so don't complain if they don't work
|
||||||
|
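Review bot: In the add_common_rules hunk the fallback that drops 255.255.255.255, 224.0.0.0/4 and each find_broadcasts address is gated only on the multicast attempt, while the exit status of the preceding `qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP` is discarded; the code silently assumes both `--pkt-type` values succeed or fail together because they come from the same pkttype match. Either make that assumption explicit in the `# Don't respond to broadcasts with an ICMP` comment, or gate the fallback on both attempts, e.g. `if ! qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP || ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then`, which also covers the case where only the broadcast rule was refused. In process_rule (hunks @ -2995, @ -3021 and @ -3039) the same two-line guard `[ -n "$ratelimit" ] && fatal_error "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"` is now copied five times; a small helper such as `no_ratelimit() { [ -n "$ratelimit" ] && fatal_error "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"; }` called from each branch would keep the message and the rule in one place. Both process_rule and add_common_rules start and end outside these hunks.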
@ -54,7 +54,7 @@
|
|||||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=1.4.10-RC1
|
VERSION=1.4.10-RC2
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -9,6 +9,8 @@ Problems Corrected since version 1.4.9:
|
|||||||
during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are
|
during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are
|
||||||
specified in /etc/shorewall/shorewall.conf.
|
specified in /etc/shorewall/shorewall.conf.
|
||||||
|
|
||||||
|
3. Shorewall now tried to avoid sending an ICMP response to broadcasts.
|
||||||
|
|
||||||
Migration Issues:
|
Migration Issues:
|
||||||
|
|
||||||
None.
|
None.
|
||||||
@ -45,7 +47,7 @@ New Features:
|
|||||||
/etc/shorewall/interfaces. This option automatically taylors the
|
/etc/shorewall/interfaces. This option automatically taylors the
|
||||||
definition of the zone named in the ZONE column to include just
|
definition of the zone named in the ZONE column to include just
|
||||||
those hosts that have routes through the interface named in the
|
those hosts that have routes through the interface named in the
|
||||||
INTERFACE column. The named interface must be UP prior when
|
INTERFACE column. The named interface must be UP when
|
||||||
Shorewall is [re]started.
|
Shorewall is [re]started.
|
||||||
|
|
||||||
WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!
|
WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall
|
%define name shorewall
|
||||||
%define version 1.4.10
|
%define version 1.4.10
|
||||||
%define release 0RC1
|
%define release 0RC2
|
||||||
%define prefix /usr
|
%define prefix /usr
|
||||||
|
|
||||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||||
@ -109,8 +109,10 @@ fi
|
|||||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Jan 22 2004 Tom Eastep <tom@shorewall.net>
|
* Sat Jan 24 2004 Tom Eastep <tom@shorewall.net>
|
||||||
- Changed version to 1.4.10
|
- Changed version to 1.4.10-RC2
|
||||||
|
* Thu Jan 22 2004 Tom Eastep <tom@shorewall.net>
|
||||||
|
- Changed version to 1.4.10-RC1
|
||||||
* Tue Jan 13 2004 Tom Eastep <tom@shorewall.net>
|
* Tue Jan 13 2004 Tom Eastep <tom@shorewall.net>
|
||||||
- Changed version to 1.4.9
|
- Changed version to 1.4.9
|
||||||
* Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>
|
* Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Seattle Firewall
|
# shown below. Simply run this script to remove Seattle Firewall
|
||||||
|
|
||||||
VERSION=1.4.10-RC1
|
VERSION=1.4.10-RC2
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|