Add AUTOHELPER option
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
a5824dc2d4
commit
50bd1d6398
@ -12,11 +12,11 @@ FORMAT 2
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
|
||||
?IF ( __CT_TARGET && $HELPERS && __AMANDA_HELPER )
|
||||
?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
|
||||
PARAM - - udp 10080 ; helper=amanda
|
||||
?ELSE
|
||||
?else
|
||||
PARAM - - udp 10080
|
||||
?ENDIF
|
||||
?endif
|
||||
|
||||
PARAM - - tcp 10080
|
||||
#
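Review bot: The rewritten guard `?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )` drops the `$HELPERS` term the old line had, so with AUTOHELPERS=No the `; helper=amanda` suffix is now emitted whenever the __AMANDA_HELPER capability is true, and nothing in this macro records that HELPERS no longer takes part in the decision. Whether the capability already reflects a HELPERS-filtered module list cannot be seen from here; the `%helpers_enabled` copy in get_configuration suggests it might, but that code lies in another hunk, so this is inferred. A one-line comment above the guard would make the contract explicit: `# helper= is attached here only when AUTOHELPERS=No; with Yes the conntrack file assigns the helper instead.` The same change, and the same missing comment, appear in the FTP, IRC, PPTP, SANE, SIP, SMB, SMBBI, SNMP and TFTP hunks below.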
|
||||
|
@ -8,8 +8,8 @@
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
?IF $BLACKLIST_LOGLEVEL
|
||||
?if $BLACKLIST_LOGLEVEL
|
||||
blacklog
|
||||
?ELSE
|
||||
?else
|
||||
$BLACKLIST_DISPOSITION
|
||||
?ENDIF
|
||||
?endif
|
||||
|
@ -9,8 +9,8 @@
|
||||
FORMAT 2
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
?IF ( __CT_TARGET && $HELPERS && __FTP_HELPER )
|
||||
?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER )
|
||||
PARAM - - tcp 21 ; helper=ftp
|
||||
?ELSE
|
||||
?else
|
||||
PARAM - - tcp 21
|
||||
?ENDIF
|
||||
?endif
|
||||
|
@ -10,8 +10,8 @@ FORMAT 2
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
|
||||
?IF ( __CT_TARGET && $HELPERS && __IRC_HELPER )
|
||||
?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER )
|
||||
PARAM - - tcp 6667 ; helper=irc
|
||||
?ELSE
|
||||
?else
|
||||
PARAM - - tcp 6667
|
||||
?ENDIF
|
||||
?endif
|
||||
|
@ -12,8 +12,8 @@
|
||||
PARAM - - 47
|
||||
PARAM DEST SOURCE 47
|
||||
|
||||
?IF ( __CT_TARGET && $HELPERS && __PPTP_HELPER )
|
||||
?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
|
||||
PARAM - - tcp 1723 ; helper=pptp
|
||||
?ELSE
|
||||
?else
|
||||
PARAM - - tcp 1723
|
||||
?ENDIF
|
||||
?endif
|
||||
|
@ -10,11 +10,11 @@ FORMAT 2
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
|
||||
?IF ( __CT_TARGET && $HELPERS && __SANE_HELPER )
|
||||
?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
|
||||
PARAM - - tcp 6566 ; helper=sane
|
||||
?ELSE
|
||||
?else
|
||||
PARAM - - tcp 6566
|
||||
?ENDIF
|
||||
?endif
|
||||
|
||||
#
|
||||
# Kernels 2.6.23+ has nf_conntrack_sane module which will handle
|
||||
|
@ -10,8 +10,8 @@ FORMAT 2
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
|
||||
?IF ( __CT_TARGET && $HELPERS && __SIP_HELPER )
|
||||
?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER )
|
||||
PARAM - - udp 5060 ; helper=sip
|
||||
?ELSE
|
||||
?else
|
||||
PARAM - - udp 5060
|
||||
?ENDIF
|
||||
?endif
|
||||
|
@ -15,12 +15,12 @@ FORMAT 2
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - udp 135,445
|
||||
|
||||
?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER )
|
||||
?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
|
||||
PARAM - - udp 137 ; helper=netbios-ns
|
||||
PARAM - - udp 138:139
|
||||
?ELSE
|
||||
?else
|
||||
PARAM - - udp 137:139
|
||||
?ENDIF
|
||||
?endif
|
||||
|
||||
PARAM - - udp 1024: 137
|
||||
PARAM - - tcp 135,139,445
|
||||
|
@ -15,23 +15,23 @@ FORMAT 2
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - udp 135,445
|
||||
|
||||
?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER )
|
||||
?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
|
||||
PARAM - - udp 137 ; helper=netbios-ns
|
||||
PARAM - - udp 138:139
|
||||
?ELSE
|
||||
?else
|
||||
PARAM - - udp 137:139
|
||||
?ENDIF
|
||||
?endif
|
||||
|
||||
PARAM - - udp 1024: 137
|
||||
PARAM - - tcp 135,139,445
|
||||
PARAM DEST SOURCE udp 135,445
|
||||
|
||||
?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER )
|
||||
?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
|
||||
PARAM DEST SOURCE udp 137 ; helper=netbios-ns
|
||||
PARAM DEST SOURCE udp 138:139
|
||||
?ELSE
|
||||
?else
|
||||
PARAM DEST SOURCE udp 137:139
|
||||
?ENDIF
|
||||
?endif
|
||||
|
||||
PARAM DEST SOURCE udp 1024: 137
|
||||
PARAM DEST SOURCE tcp 135,139,445
|
||||
|
@ -10,11 +10,11 @@ FORMAT 2
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
|
||||
?IF ( __CT_TARGET && $HELPERS && __SNMP_HELPER )
|
||||
?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
|
||||
PARAM - - udp 161 ; helper=snmp
|
||||
PARAM - - udp 162
|
||||
?ELSE
|
||||
?else
|
||||
PARAM - - udp 161:162
|
||||
?ENDIF
|
||||
?endif
|
||||
|
||||
PARAM - - tcp 161
|
||||
|
@ -12,8 +12,8 @@ FORMAT 2
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
|
||||
?IF ( __CT_TARGET && $HELPERS && __TFTP_HELPER )
|
||||
?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
|
||||
PARAM - - udp 69 ; helper=tftp
|
||||
?ELSE
|
||||
?else
|
||||
PARAM - - udp 69
|
||||
?ENDIF
|
||||
?endif
|
||||
|
@ -730,6 +730,7 @@ sub initialize( $;$ ) {
|
||||
LEGACY_FASTSTART => undef,
|
||||
USE_PHYSICAL_NAMES => undef,
|
||||
HELPERS => undef,
|
||||
AUTOHELPERS => undef,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@ -4524,6 +4525,7 @@ sub get_configuration( $$$ ) {
|
||||
default_yes_no 'LEGACY_FASTSTART' , 'Yes';
|
||||
default_yes_no 'USE_PHYSICAL_NAMES' , '';
|
||||
default_yes_no 'IPSET_WARNINGS' , 'Yes';
|
||||
default_yes_no 'AUTOHELPERS' , 'Yes';
|
||||
|
||||
if ( supplied $config{HELPERS} ) {
|
||||
my %helpers_temp = %helpers_enabled;
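Review bot: `default_yes_no 'AUTOHELPERS' , 'Yes';` is added without a comment, and Yes is the opposite of what the AUTOHELPERS text in this commit recommends for kernel 3.5 and later, so a reader of get_configuration cannot tell why that default was chosen. I would put `# Yes keeps the pre-4.5.8 behaviour (conntrack emits CT:helper rules for every helper port); the macros attach helper= per rule only when this is No.` above the line. The line also sits directly before the `if ( supplied $config{HELPERS} )` block, yet the macros now test `! $AUTOHELPERS` rather than `$HELPERS`, so the relationship between the two options deserves a sentence there as well. The body of get_configuration continues outside the hunk.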
|
||||
|
@ -116,6 +116,8 @@ ADMINISABSENTMINDED=Yes
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
@ -127,6 +127,8 @@ ADMINISABSENTMINDED=Yes
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
@ -125,6 +125,8 @@ ADMINISABSENTMINDED=Yes
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
@ -128,6 +128,8 @@ ADMINISABSENTMINDED=Yes
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
@ -7,7 +7,7 @@
|
||||
FORMAT 2
|
||||
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
|
||||
# PORT(S) PORT(S) GROUP
|
||||
?IF __CT_TARGET
|
||||
?IF $AUTOHELPERS && __CT_TARGET
|
||||
|
||||
?IF __AMANDA_HELPER
|
||||
CT:helper:amanda all - udp 10080
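Review bot: The new guard `?IF $AUTOHELPERS && __CT_TARGET` ties the CT:helper rules that follow to an option whose shipped default is Yes, so on a default install every connection to a helper port from any source (`all -`) still has a helper attached — the blanket assignment that the AUTOHELPERS description added by this commit recommends turning off on kernel 3.5 and later. A comment in the file would spare an administrator a trip to conf(5): `# Emitted only when AUTOHELPERS=Yes; with AUTOHELPERS=No the macros attach helpers per rule instead.` The matching `?ENDIF`, and the nested `?IF __AMANDA_HELPER` blocks, end outside the hunk, so their pairing cannot be checked here. The sample configurations in this commit also ship AUTOHELPERS=Yes without a comment; the same sentence would fit there.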
|
||||
|
@ -116,6 +116,8 @@ ADMINISABSENTMINDED=Yes
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
@ -96,7 +96,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -106,7 +106,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -116,7 +116,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -126,7 +126,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -299,6 +299,49 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.8. When set to <option>Yes</option>
|
||||
(the default), the generated ruleset will automatically associate
|
||||
helpers with applications that require them (FTP, IRC, etc.). When
|
||||
configuring your firewall on systems running kernel 3.5 or later, it
|
||||
is recommended that you:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Set AUTOHELPERS=No.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Either:</para>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para>Modify <ulink
|
||||
url="shorewall-conntrack.html">shorewall-conntrack</ulink>
|
||||
(5) to only apply helpers where they are required; or</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Specify the appropriate helper in the HELPER column in
|
||||
<ulink url="shorewall-rules.html">shorewall-rules</ulink>
|
||||
(5).</para>
|
||||
|
||||
<note>
|
||||
<para>The macros for those applications requiring a helper
|
||||
automatically specify the appropriate HELPER where
|
||||
required.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
@ -482,7 +525,7 @@
|
||||
</itemizedlist>
|
||||
|
||||
<blockquote>
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<para>If CONFIG_PATH is not given or if it is set to the empty
|
||||
value then the contents of /usr/share/shorewall/configpath are
|
||||
@ -739,8 +782,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</itemizedlist>
|
||||
|
||||
<para>When HELPERS is specified on a system running Kernel 3.5.0 or
|
||||
later, automatic association of helpers to connections is disabled.
|
||||
</para>
|
||||
later, automatic association of helpers to connections is
|
||||
disabled.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -889,7 +932,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<blockquote>
|
||||
<para>If this variable is not set or is given an empty value
|
||||
@ -1099,7 +1142,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<blockquote>
|
||||
<para>For example, using the default LOGFORMAT, the log prefix for
|
||||
@ -1116,7 +1159,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
control your firewall after you enable this option.</para>
|
||||
</important>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<caution>
|
||||
<para>Do not use this option if the resulting log messages will
|
||||
@ -1780,7 +1823,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
role="bold">"</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
@ -82,7 +82,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -92,7 +92,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -102,7 +102,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -112,7 +112,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -228,6 +228,49 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.8. When set to <option>Yes</option>
|
||||
(the default), the generated ruleset will automatically associate
|
||||
helpers with applications that require them (FTP, IRC, etc.). When
|
||||
configuring your firewall on systems running kernel 3.5 or later, it
|
||||
is recommended that you:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Set AUTOHELPERS=No.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Either:</para>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para>Modify <ulink
|
||||
url="shorewall-conntrack.html">shorewall6-conntrack</ulink>
|
||||
(5) to only apply helpers where they are required; or</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Specify the appropriate helper in the HELPER column in
|
||||
<ulink url="shorewall6-rules.html">shorewall6-rules</ulink>
|
||||
(5).</para>
|
||||
|
||||
<note>
|
||||
<para>The macros for those applications requiring a helper
|
||||
automatically specify the appropriate HELPER where
|
||||
required.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
@ -648,8 +691,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</itemizedlist>
|
||||
|
||||
<para>When HELPERS is specified on a system running Kernel 3.5.0 or
|
||||
later, automatic association of helpers to connections is disabled.
|
||||
</para>
|
||||
later, automatic association of helpers to connections is
|
||||
disabled.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -962,7 +1005,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<blockquote>
|
||||
<para>For example, using the default LOGFORMAT, the log prefix for
|
||||
@ -979,7 +1022,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
control your firewall after you enable this option.</para>
|
||||
</important>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<caution>
|
||||
<para>Do not use this option if the resulting log messages will
|
||||
@ -1578,7 +1621,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
role="bold">"</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|