From 4c08cc4780f21d4f3b502efda262ed68d527e937 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 29 Jul 2003 23:04:04 +0000 Subject: [PATCH] ADMINISABSENTMINDED Option git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@681 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 2 ++ Shorewall/firewall | 33 +++++++++++++++++++++++++------- Shorewall/releasenotes.txt | 39 ++++++++++++++++++++++++++++++++++++++ Shorewall/shorewall.conf | 29 ++++++++++++++++++++++++++++ 4 files changed, 96 insertions(+), 7 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index c9f7098ac..8230b7b2d 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -12,3 +12,5 @@ Changes since 1.4.6 5) Removed some undocumented/braindead code from setup_masq() 6) Don't allow 'stop' when startup is disabled + +7) Added ADMINISABSENTMINDED option. diff --git a/Shorewall/firewall b/Shorewall/firewall index 60371f0d8..7eb45986e 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -996,11 +996,25 @@ stop_firewall() { delete_proxy_arp [ -n "$CLEAR_TC" ] && delete_tc - for chain in INPUT OUTPUT FORWARD; do - setpolicy $chain DROP - done + if [ -z "$ADMINISABSENTMINDED" ]; then + for chain in INPUT OUTPUT FORWARD; do + setpolicy $chain DROP + done - deleteallchains + deleteallchains + else + for chain in INPUT FORWARD; do + setpolicy $chain DROP + done + + setpolicy OUTPUT ACCEPT + + deleteallchains + + for chain in INPUT FORWARD; do + setcontinue $chain + done + fi hosts= @@ -1018,7 +1032,8 @@ stop_firewall() { interface=${host%:*} subnet=${host#*:} iptables -A INPUT -i $interface -s $subnet -j ACCEPT - iptables -A OUTPUT -o $interface -d $subnet -j ACCEPT + [ -z "$ADMINISABSENTMINDED" ] && \ + iptables -A OUTPUT -o $interface -d $subnet -j ACCEPT for host1 in $hosts; do [ "$host" != "$host1" ] && \ 
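Review bot: The two branches of the new `if [ -z "$ADMINISABSENTMINDED" ]` block in stop_firewall repeat the INPUT/FORWARD DROP loop and the `deleteallchains` call; only the OUTPUT policy and the trailing `setcontinue` loop differ, so the conditional can be narrowed to those two points and the shared steps written once. The behaviour that actually widens the stopped state lives in `setcontinue`, which is outside this hunk and, going by the release notes, appears to install an established/related accept; because it is called for FORWARD as well as INPUT, every in-flight connection forwarded through the firewall outlives `shorewall stop`, not only the administrator's own session, and that deserves a comment at the `else` such as `# ADMINISABSENTMINDED: OUTPUT stays open and established/related traffic (including forwarded) continues, so a remote 'stop' does not cut the admin off`. stop_firewall starts before and continues after this hunk.
```shell
    [ -n "$CLEAR_TC" ] && delete_tc

    for chain in INPUT FORWARD; do
        setpolicy $chain DROP
    done

    if [ -z "$ADMINISABSENTMINDED" ]; then
        setpolicy OUTPUT DROP
    else
        # ADMINISABSENTMINDED: the firewall's own output stays open and
        # established/related traffic (including forwarded) continues
        setpolicy OUTPUT ACCEPT
    fi

    deleteallchains

    if [ -n "$ADMINISABSENTMINDED" ]; then
        for chain in INPUT FORWARD; do
            setcontinue $chain
        done
    fi

    # … unchanged: hosts= and the routestopped rules …
```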
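Review bot: Skipping the `iptables -A OUTPUT -o $interface -d $subnet -j ACCEPT` rule under ADMINISABSENTMINDED is only correct because the OUTPUT policy was set to ACCEPT some thirty lines earlier in stop_firewall, and nothing at this site records that dependency; the same guarded pattern recurs for the `lo` and dhcp OUTPUT rules in the next hunk (@@ -1028,11 +1043,13 @@). A one-line comment before the first guarded rule would tie the two together: `# OUTPUT policy is ACCEPT under ADMINISABSENTMINDED, so per-host OUTPUT rules are not needed`. If the policy is ever changed back to DROP in that mode, these rules would need to return as well. The loop over `$hosts` and stop_firewall itself continue outside the hunk.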
@@ -1028,11 +1043,13 @@ stop_firewall() { done iptables -A INPUT -i lo -j ACCEPT - iptables -A OUTPUT -o lo -j ACCEPT + [ -z "$ADMINISABSENTMINDED" ] && \ + iptables -A OUTPUT -o lo -j ACCEPT for interface in `find_interfaces_by_option dhcp`; do iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT - iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT + [ -z "$ADMINISABSENTMINDED" ] && \ + iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT done case "$IP_FORWARDING" in @@ -4582,6 +4599,7 @@ do_initialize() { VERSION_FILE= LOGFORMAT= LOGRULENUMBERS= + ADMINISABSENTMINDED= stopping= have_mutex= @@ -4730,6 +4748,7 @@ do_initialize() { else LOGFORMAT="Shorewall:%s:%s:" fi + ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED` # # Strip the files that we use often # diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 54a03f1e3..7b36ddd42 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
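Review bot: In do_initialize, `$ADMINISABSENTMINDED` is passed unquoted to `added_param_value_no`, so a value containing whitespace read from shorewall.conf is word-split before the helper sees it; if the helper is meant to validate the raw value, quoting it, `ADMINISABSENTMINDED=\`added_param_value_no ADMINISABSENTMINDED "$ADMINISABSENTMINDED"\``, keeps it intact. The rest of the script tests the result only with `[ -z "$ADMINISABSENTMINDED" ]`, so any non-empty value enables the relaxed stopped state; whether the helper returns the empty string for `No` (which is what keeps the default fail-closed) is not visible here and is worth a comment next to the assignment, e.g. `# empty => No (default, stopped state stays fully restricted); non-empty => Yes`. do_initialize begins before and continues after this hunk.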
@@ -38,3 +38,42 @@ New Features: /etc/shorewall/startup_disabled exists. This prevents people from shooting themselves in the foot prior to having configured Shorewall. + +4) A new option "ADMINISABSENTMINDED" has been added to + /etc/shorewall/shorewall.conf. This option has a default value of + "No" in which case Shorewall's 'stopped' state continues as it has + been; namely, in the stopped state only traffic to/from hosts listed + in /etc/shorewall/routestopped is accepted. + + With ADMINISABSENTMINDED=Yes, in addition to traffic to/from the + hosts listed in /etc/shorewall/routestopped, Shorewall will allow: + + a) All traffic originating from the firewall itself; and + b) All traffic that is part of or related to an already-existing + connection. + + In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" + entered through an ssh session will not kill the session. + + Note though that it is still possible for people to shoot themselves + in the foot. + + Example: + + /etc/shorewall/nat: + + 206.124.146.178 eth0:0 192.168.1.5 + + /etc/shorewall/rules: + + ACCEPT net loc:192.168.1.5 tcp 22 + ACCEPT loc fw tcp 22 + + I ssh into 206.124.146.178 which establishes an SSH connection with + 192.168.1.5. I then create a second SSH connection from that + computer to the firewall and confidently type "shorewall + stop". As part of stopping, Shorewall removes eth0:0 which kills my + SSH connection to 192.168.1.5!!! + + + diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index 6aa0a2f8e..6970e65a1 100755 --- a/Shorewall/shorewall.conf +++ b/Shorewall/shorewall.conf 
@@ -434,6 +434,35 @@ MUTEX_TIMEOUT=60 NEWNOTSYN=No +# +# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT +# +# Normally, when a "shorewall stop" command is issued or an error occurs during +# the execution of another shorewall command, Shorewall puts the firewall into +# a state where only traffic to/from the hosts listed in +# /etc/shorewall/routestopped is accepted. +# +# When performing remote administration on a Shorewall firewall, it is +# therefore recommended that the IP address of the computer being used for +# administration be added to the firewall's /etc/shorewall/routestopped file. +# +# Some administrators have a hard time remembering to do this with the result +# that they get to drive across town in the middle of the night to restart +# a remote firewall (or worse, they have to get someone out of bed to drive +# across town to restart a very remote firewall). +# +# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting, +# when the firewall enters the 'stopped' state: +# +# All traffic that is part of or related to established connections is still +# allowed and all OUTPUT traffic is allowed. This is in addition to traffic +# to and from hosts listed in /etc/shorewall/routestopped. +# +# If this variable is not set or it is set to the null value then +# ADMINISABSENTMINDED=No is assumed. +# +ADMINISABSENTMINDED=No + ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################
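Review bot: The new comment block states that established/related traffic and all OUTPUT traffic remain allowed, but it does not say that this covers connections forwarded through the firewall and not only the administrator's session with the firewall itself; the firewall script calls `setcontinue` for FORWARD as well as INPUT, so if that installs the established/related accept the release notes describe, a stopped firewall with ADMINISABSENTMINDED=Yes keeps every in-flight connection between zones alive. A sentence after the "All traffic that is part of..." paragraph, such as `# Note that this includes connections being forwarded through the firewall, not only connections to the firewall itself.`, would let administrators weigh that before enabling the option. It would also help to name the accepted values (`Yes`/`No`) alongside the sentence about the null value, since the script treats the helper's normalised result as a simple empty/non-empty test.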