Add AUTOHELPER option

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-08-12 07:25:11 -07:00
parent a5824dc2d4
commit 50bd1d6398
25 changed files with 165 additions and 57 deletions


@ -12,11 +12,11 @@ FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
?IF ( __CT_TARGET && $HELPERS && __AMANDA_HELPER )
?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
PARAM - - udp 10080 ; helper=amanda
?ELSE
?else
PARAM - - udp 10080
?ENDIF
?endif
PARAM - - tcp 10080
#
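Review bot: The `?else` branch now opens udp 10080 with no helper whenever AUTOHELPERS is left at its new default of Yes, so the helper has to come from elsewhere — from what the rest of this commit shows, the CT:helper rules emitted by the conntrack file. An admin who trims that file, as the new man-page text recommends, without also setting AUTOHELPERS=No silently loses the amanda helper and the data connections it expects. A one-line comment above the `?if` would make the dependency explicit: `# helper=amanda is bound here only when AUTOHELPERS=No; with AUTOHELPERS=Yes the association is expected to come from the conntrack file`. The same remark applies to the other macro files changed in this commit.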


@ -8,8 +8,8 @@
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
?IF $BLACKLIST_LOGLEVEL
?if $BLACKLIST_LOGLEVEL
blacklog
?ELSE
?else
$BLACKLIST_DISPOSITION
?ENDIF
?endif


@ -9,8 +9,8 @@
FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
?IF ( __CT_TARGET && $HELPERS && __FTP_HELPER )
?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER )
PARAM - - tcp 21 ; helper=ftp
?ELSE
?else
PARAM - - tcp 21
?ENDIF
?endif


@ -10,8 +10,8 @@ FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
?IF ( __CT_TARGET && $HELPERS && __IRC_HELPER )
?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER )
PARAM - - tcp 6667 ; helper=irc
?ELSE
?else
PARAM - - tcp 6667
?ENDIF
?endif


@ -12,8 +12,8 @@
PARAM - - 47
PARAM DEST SOURCE 47
?IF ( __CT_TARGET && $HELPERS && __PPTP_HELPER )
?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
PARAM - - tcp 1723 ; helper=pptp
?ELSE
?else
PARAM - - tcp 1723
?ENDIF
?endif


@ -10,11 +10,11 @@ FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
?IF ( __CT_TARGET && $HELPERS && __SANE_HELPER )
?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
PARAM - - tcp 6566 ; helper=sane
?ELSE
?else
PARAM - - tcp 6566
?ENDIF
?endif
#
# Kernels 2.6.23+ has nf_conntrack_sane module which will handle


@ -10,8 +10,8 @@ FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
?IF ( __CT_TARGET && $HELPERS && __SIP_HELPER )
?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER )
PARAM - - udp 5060 ; helper=sip
?ELSE
?else
PARAM - - udp 5060
?ENDIF
?endif


@ -15,12 +15,12 @@ FORMAT 2
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 135,445
?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER )
?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
PARAM - - udp 137 ; helper=netbios-ns
PARAM - - udp 138:139
?ELSE
?else
PARAM - - udp 137:139
?ENDIF
?endif
PARAM - - udp 1024: 137
PARAM - - tcp 135,139,445


@ -15,23 +15,23 @@ FORMAT 2
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 135,445
?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER )
?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
PARAM - - udp 137 ; helper=netbios-ns
PARAM - - udp 138:139
?ELSE
?else
PARAM - - udp 137:139
?ENDIF
?endif
PARAM - - udp 1024: 137
PARAM - - tcp 135,139,445
PARAM DEST SOURCE udp 135,445
?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER )
?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
PARAM DEST SOURCE udp 137 ; helper=netbios-ns
PARAM DEST SOURCE udp 138:139
?ELSE
?else
PARAM DEST SOURCE udp 137:139
?ENDIF
?endif
PARAM DEST SOURCE udp 1024: 137
PARAM DEST SOURCE tcp 135,139,445


@ -10,11 +10,11 @@ FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
?IF ( __CT_TARGET && $HELPERS && __SNMP_HELPER )
?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
PARAM - - udp 161 ; helper=snmp
PARAM - - udp 162
?ELSE
?else
PARAM - - udp 161:162
?ENDIF
?endif
PARAM - - tcp 161


@ -12,8 +12,8 @@ FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
?IF ( __CT_TARGET && $HELPERS && __TFTP_HELPER )
?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
PARAM - - udp 69 ; helper=tftp
?ELSE
?else
PARAM - - udp 69
?ENDIF
?endif


@ -730,6 +730,7 @@ sub initialize( $;$ ) {
LEGACY_FASTSTART => undef,
USE_PHYSICAL_NAMES => undef,
HELPERS => undef,
AUTOHELPERS => undef,
#
# Packet Disposition
#
@ -4524,6 +4525,7 @@ sub get_configuration( $$$ ) {
default_yes_no 'LEGACY_FASTSTART' , 'Yes';
default_yes_no 'USE_PHYSICAL_NAMES' , '';
default_yes_no 'IPSET_WARNINGS' , 'Yes';
default_yes_no 'AUTOHELPERS' , 'Yes';
if ( supplied $config{HELPERS} ) {
my %helpers_temp = %helpers_enabled;
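Review bot: `default_yes_no 'AUTOHELPERS' , 'Yes'` makes blanket helper association the default, which is the very setting the shorewall.conf(5) text added in this same commit advises against on kernel 3.5 or later; a fresh install therefore gets the less restrictive behaviour unless the admin happens to read that paragraph. The compiler cannot see the target kernel, so I would keep the default for compatibility but state the trade-off next to it: `# Yes keeps pre-4.5.8 behaviour (helpers bound to all zones via the conntrack file); the man page recommends No on kernel >= 3.5 with helpers bound explicitly in rules`. It may also be worth a compile-time warning when AUTOHELPERS=Yes and HELPERS is supplied, since the man page says the kernel's own automatic association is off in that combination — whether the CT rules emitted under AUTOHELPERS=Yes already cover it I cannot tell from this hunk. get_configuration() starts and ends outside the hunk.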


@ -116,6 +116,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes


@ -127,6 +127,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes


@ -125,6 +125,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes


@ -128,6 +128,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes


@ -7,7 +7,7 @@
FORMAT 2
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP
?IF __CT_TARGET
?IF $AUTOHELPERS && __CT_TARGET
?IF __AMANDA_HELPER
CT:helper:amanda all - udp 10080
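Review bot: `CT:helper:amanda all - udp 10080` binds the amanda helper for every source zone, untrusted ones included, whenever AUTOHELPERS=Yes; a conntrack helper parses connection payload and opens expectations from it, so `all` is the widest possible exposure and exactly what the new man-page text tells admins to narrow. A header comment in this file would make that visible where the admin edits: `# With AUTOHELPERS=Yes these rules bind each loaded helper to all zones; restrict SOURCE to the zones that need the helper, or set AUTOHELPERS=No and use the HELPER column in the rules file`. As a point of style, this hunk keeps `?IF` upper-case while the macro files in the same commit were switched to `?if`. The matching `?ENDIF` lies outside the hunk.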


@ -116,6 +116,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes


@ -96,7 +96,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -106,7 +106,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -116,7 +116,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -126,7 +126,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -299,6 +299,49 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.5.8. When set to <option>Yes</option>
(the default), the generated ruleset will automatically associate
helpers with applications that require them (FTP, IRC, etc.). When
configuring your firewall on systems running kernel 3.5 or later, it
is recommended that you:</para>
<orderedlist>
<listitem>
<para>Set AUTOHELPERS=No.</para>
</listitem>
<listitem>
<para>Either:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>Modify <ulink
url="shorewall-conntrack.html">shorewall-conntrack</ulink>
(5) to only apply helpers where they are required; or</para>
</listitem>
<listitem>
<para>Specify the appropriate helper in the HELPER column in
<ulink url="shorewall-rules.html">shorewall-rules</ulink>
(5).</para>
<note>
<para>The macros for those applications requiring a helper
automatically specify the appropriate HELPER where
required.</para>
</note>
</listitem>
</orderedlist>
</listitem>
</orderedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@ -482,7 +525,7 @@
</itemizedlist>
<blockquote>
<para/>
<para></para>
<para>If CONFIG_PATH is not given or if it is set to the empty
value then the contents of /usr/share/shorewall/configpath are
@ -739,8 +782,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</itemizedlist>
<para>When HELPERS is specified on a system running Kernel 3.5.0 or
later, automatic association of helpers to connections is disabled.
</para>
later, automatic association of helpers to connections is
disabled.</para>
</listitem>
</varlistentry>
@ -889,7 +932,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</varlistentry>
</variablelist>
<para/>
<para></para>
<blockquote>
<para>If this variable is not set or is given an empty value
@ -1099,7 +1142,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</itemizedlist>
<para/>
<para></para>
<blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for
@ -1116,7 +1159,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
control your firewall after you enable this option.</para>
</important>
<para/>
<para></para>
<caution>
<para>Do not use this option if the resulting log messages will
@ -1780,7 +1823,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">"</emphasis></term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>


@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes


@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes


@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes


@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes


@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes


@ -82,7 +82,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -92,7 +92,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -102,7 +102,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -112,7 +112,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -228,6 +228,49 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.5.8. When set to <option>Yes</option>
(the default), the generated ruleset will automatically associate
helpers with applications that require them (FTP, IRC, etc.). When
configuring your firewall on systems running kernel 3.5 or later, it
is recommended that you:</para>
<orderedlist>
<listitem>
<para>Set AUTOHELPERS=No.</para>
</listitem>
<listitem>
<para>Either:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>Modify <ulink
url="shorewall-conntrack.html">shorewall6-conntrack</ulink>
(5) to only apply helpers where they are required; or</para>
</listitem>
<listitem>
<para>Specify the appropriate helper in the HELPER column in
<ulink url="shorewall6-rules.html">shorewall6-rules</ulink>
(5).</para>
<note>
<para>The macros for those applications requiring a helper
automatically specify the appropriate HELPER where
required.</para>
</note>
</listitem>
</orderedlist>
</listitem>
</orderedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@ -648,8 +691,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</itemizedlist>
<para>When HELPERS is specified on a system running Kernel 3.5.0 or
later, automatic association of helpers to connections is disabled.
</para>
later, automatic association of helpers to connections is
disabled.</para>
</listitem>
</varlistentry>
@ -962,7 +1005,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</itemizedlist>
<para/>
<para></para>
<blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for
@ -979,7 +1022,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
control your firewall after you enable this option.</para>
</important>
<para/>
<para></para>
<caution>
<para>Do not use this option if the resulting log messages will
@ -1578,7 +1621,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">"</emphasis></term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>