From 573ff6ae57376f55ec886b0b86d412bb1eb9573f Mon Sep 17 00:00:00 2001
From: teastep
Date: Thu, 10 Mar 2005 23:53:50 +0000
Subject: [PATCH] Correct wording regarding connection tracking match
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1996 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Lrp2/usr/share/shorewall/firewall | 2 +-
 STABLE2/changelog.txt | 2 ++
 STABLE2/firewall | 29 +++++++++++++++++++++++++----
 STABLE2/releasenotes.txt | 22 ++++++++++++++++++++++
 STABLE2/rfc1918 | 19 ++++++++++++++++++-
 STABLE2/shorewall.conf | 29 +++++++++++++++++++++++++++++
 Shorewall-docs2/Documentation.xml | 4 ++--
 Shorewall2/firewall | 2 +-
 Shorewall2/releasenotes.txt | 2 +-
 9 files changed, 101 insertions(+), 10 deletions(-)
diff --git a/Lrp2/usr/share/shorewall/firewall b/Lrp2/usr/share/shorewall/firewall
index fa4ed164b..407844657 100755
--- a/Lrp2/usr/share/shorewall/firewall
+++ b/Lrp2/usr/share/shorewall/firewall
@@ -5634,7 +5634,7 @@ initialize_netfilter () {
 [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
- startup_error "RFC1918_STRICT=Yes requires conntrack state match"
+ startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
 echo "Determining Zones..."
diff --git a/STABLE2/changelog.txt b/STABLE2/changelog.txt
index 11663d81f..05da26df4 100644
--- a/STABLE2/changelog.txt
+++ b/STABLE2/changelog.txt
@@ -21,6 +21,8 @@ Changes in 2.2.2
 9) Fix installer's handling of action.* files.
+10) Implement RFC1918_STRICT
+
 Changes in 2.2.1
 1) Add examples to the zones and policy files.
diff --git a/STABLE2/firewall b/STABLE2/firewall
index 76c3b069f..407844657 100755
--- a/STABLE2/firewall
+++ b/STABLE2/firewall
@@ -5632,6 +5632,10 @@ initialize_netfilter () {
 [ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
 fi
+
+ [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
+ startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
+
 echo "Determining Zones..."
 determine_zones
@@ -5922,7 +5926,15 @@ add_common_rules() {
 run_iptables -A rfc1918 -j DROP
- if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
+ chain=norfc1918
+
+ if [ -n "$RFC1918_STRICT" ]; then
+ #
+ # We'll generate two chains - one for source and one for destination
+ #
+ chain=rfc1918d
+ createchain $chain no
+ elif [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
 #
 # Mangling is enabled but conntrack match isn't available --
 # create a chain in the mangle table to filter RFC1918 destination
@@ -5941,8 +5953,13 @@ add_common_rules() {
 case $target in
 logdrop)
 target=rfc1918
+ s_target=rfc1918
 ;;
- DROP|RETURN)
+ DROP)
+ s_target=DROP
+ ;;
+ RETURN)
+ [ -n "$RFC1918_STRICT" ] && s_target=rfc1918d || s_target=RETURN
 ;;
 *)
 fatal_error "Invalid target ($target) for $networks"
@@ -5950,13 +5967,13 @@ add_common_rules() {
 esac
 for network in $(separate_list $networks); do
- run_iptables2 -A norfc1918 $(source_ip_range $network) -j $target
+ run_iptables2 -A norfc1918 $(source_ip_range $network) -j $s_target
 if [ -n "$CONNTRACK_MATCH" ]; then
 #
 # We have connection tracking match -- match on the original destination
 #
- run_iptables2 -A norfc1918 -m conntrack --ctorigdst $network -j $target
+ run_iptables2 -A $chain -m conntrack --ctorigdst $network -j $target
 elif [ -n "$MANGLE_ENABLED" ]; then
 #
 # No connection tracking match but we have mangling -- add a rule to
@@ -5967,6 +5984,8 @@ add_common_rules() {
 done
 done < $TMP_DIR/rfc1918
+ [ -n "$RFC1918_STRICT" ] && run_iptables -A norfc1918 -j rfc1918d
+
 for host in $hosts; do
 ipsec=${host%^*}
 host=${host#*^}
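Review bot: In the `RETURN)` arm of the case statement, a source that matches a RETURN entry is now sent to rfc1918d (`s_target=rfc1918d`) instead of ending norfc1918 processing, and when none of the `--ctorigdst` rules in rfc1918d match the packet, that user chain falls off its end and control returns to norfc1918, where any later source entries (for example a broader logdrop covering the same range) are still evaluated against the packet. Unless something outside these hunks terminates norfc1918 for that source, RFC1918_STRICT=Yes therefore also changes the outcome for traffic from an exempted source to non-RFC1918 destinations, which goes beyond what the release-notes text describes. One way to keep the documented meaning is to emit a terminating rule right after the destination check in the `for network` loop, e.g. `[ "$s_target" = rfc1918d ] && run_iptables2 -A norfc1918 $(source_ip_range $network) -j RETURN` following the `-j $s_target` line. The @@ -5941 and @@ -5950 hunks of add_common_rules are the ones affected; the function body continues outside the hunks.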
@@ -7207,6 +7226,7 @@ do_initialize() {
 LOGTAGONLY=
 LOGALLNEW=
 DROPINVALID=
+ RFC1918_STRICT=
 RESTOREBASE=
 TMP_DIR=
@@ -7402,6 +7422,7 @@ do_initialize() {
 DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
 LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
 DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
+ RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
 #
 # Strip the files that we use often
 #
diff --git a/STABLE2/releasenotes.txt b/STABLE2/releasenotes.txt
index 09600e120..93f75a076 100644
--- a/STABLE2/releasenotes.txt
+++ b/STABLE2/releasenotes.txt
@@ -45,6 +45,28 @@ New Features in version 2.2.2
 with "multiport match", a separate iptables rule will be generated for each element in the list.
+5) Traditionally, the RETURN target in the 'rfc1918' file has caused
+ 'norfc1918' processing to cease for a packet if the packet's source
+ IP address matches the rule. Thus, if you have:
+
+ SUBNETS TARGET
+ 192.168.1.0/24 RETURN
+
+ then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even
+ though you also have:
+
+ SUBNETS TARGET
+ 10.0.0.0/8 logdrop
+
+ Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic
+ to be logged and dropped since while the packet's source matches the
+ RETURN rule, the packet's destination matches the 'logdrop' rule.
+
+ If not specified or specified as empty (e.g., RFC1918_STRICT="")
+ then RFC1918_STRICT=No is assumed.
+
+ WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables
+ support 'Connection Tracking' match.
 -----------------------------------------------------------------------
 Problems corrected in version 2.2.1
diff --git a/STABLE2/rfc1918 b/STABLE2/rfc1918
index 038525465..f93ff71e8 100644
--- a/STABLE2/rfc1918
+++ b/STABLE2/rfc1918
@@ -21,7 +21,24 @@
 # DROP - silently drop the packet
 # logdrop - log then drop
 #
-###############################################################################
+# By default, the RETURN target in the 'rfc1918' causes 'norfc1918'
+# processing to cease for a packet if the packet's source IP address matches
+# the rule. Thus, if you have:
+#
+# SUBNETS TARGET
+# 192.168.1.0/24 RETURN
+#
+# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
+# also have:
+#
+# SUBNETS TARGET
+# 10.0.0.0/8 logdrop
+#
+# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to be
+# logged and dropped since while the packet's source matches the RETURN rule,
+# the packet's destination matches the 'logdrop' rule.
+#
+################################################################################
 #SUBNETS TARGET
 172.16.0.0/12 logdrop # RFC 1918
 192.168.0.0/16 logdrop # RFC 1918
diff --git a/STABLE2/shorewall.conf b/STABLE2/shorewall.conf
index a92cb9d7c..563d878d2 100644
--- a/STABLE2/shorewall.conf
+++ b/STABLE2/shorewall.conf
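Review bot: The first added comment line drops a word: `# By default, the RETURN target in the 'rfc1918' causes 'norfc1918'` should read `# By default, the RETURN target in the 'rfc1918' file causes 'norfc1918'`. The same sentence is written with "file" in the releasenotes.txt and shorewall.conf hunks of this commit, so only this copy needs the fix.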
@@ -739,6 +739,35 @@ PKTTYPE=Yes
 # DROPINVALID=Yes is assumed.
 DROPINVALID=No
+
+ #
+ # RFC 1918 BEHAVIOR
+ #
+ # Traditionally, the RETURN target in the 'rfc1918' file has caused 'norfc1918'
+ # processing to cease for a packet if the packet's source IP address matches
+ # the rule. Thus, if you have:
+ #
+ # SUBNETS TARGET
+ # 192.168.1.0/24 RETURN
+ #
+ # then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
+ # also have:
+ #
+ # SUBNETS TARGET
+ # 10.0.0.0/8 logdrop
+ #
+ # Setting RFC1918_STRICT=Yes will cause such traffic to be logged and dropped
+ # since while the packet's source matches the RETURN rule, the packet's
+ # destination matches the 'logdrop' rule.
+ #
+ # If not specified or specified as empty (e.g., RFC1918_STRICT="") then
+ # RFC1918_STRICT=No is assumed.
+ #
+ # WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
+ # 'conntrack state' match.
+
+ RFC1918_STRICT=No
+
 ################################################################################
 # P A C K E T D I S P O S I T I O N
 ################################################################################
diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml
index 049b52879..acf2198c0 100644
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@@ -2681,7 +2681,7 @@ eth0 eth1 206.124.146.176
 RFC1918_STRICT=Yes requires that your kernel and iptables
- support 'conntrack state' match.
+ support 'Connection Tracking' match.
@@ -3743,7 +3743,7 @@ all all tcp ftp-data - 8
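Review bot: The new WARNING paragraph added to shorewall.conf still ends with `# 'conntrack state' match.`, although this commit's stated purpose is to replace that wording, and the Lrp2 firewall, the STABLE2 firewall startup_error, releasenotes.txt and Documentation.xml hunks all say 'Connection Tracking' match. Suggest `# 'Connection Tracking' match.` here so the configuration comment, the error message the user will actually see and the documentation agree on the name of the required iptables match.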
- /usr/share//shorewall/bogons — Added in Version 2.0.1
+ /usr/share/shorewall/bogons — Added in Version 2.0.1
 This file lists the subnets affected by the nobogons interface option and