Correct wording regarding connection tracking match
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1996 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
@ -5634,7 +5634,7 @@ initialize_netfilter () {
|
|||||||
|
|
||||||
|
|
||||||
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
|
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
|
||||||
startup_error "RFC1918_STRICT=Yes requires conntrack state match"
|
startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
|
||||||
|
|
||||||
echo "Determining Zones..."
|
echo "Determining Zones..."
|
||||||
|
|
||||||
|
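Review bot: The reworded message is still phrased differently from the sibling capability check in the same function, the PHYSDEV test that reads `startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"` (visible as context in the next shell hunk); for consistency I would write `startup_error "RFC1918_STRICT=Yes requires Connection Tracking Match support in your Kernel and iptables"`. This same hunk is repeated near the end of the page (the second `@ -5634,7 +5634,7 @@` hunk), and the shorewall.conf comment further down still says 'conntrack state' match, so if that file belongs to this change set its wording should be brought in line too. initialize_netfilter begins and ends outside the hunk.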
@ -21,6 +21,8 @@ Changes in 2.2.2
|
|||||||
|
|
||||||
9) Fix installer's handling of action.* files.
|
9) Fix installer's handling of action.* files.
|
||||||
|
|
||||||
|
10) Implement RFC1918_STRICT
|
||||||
|
|
||||||
Changes in 2.2.1
|
Changes in 2.2.1
|
||||||
|
|
||||||
1) Add examples to the zones and policy files.
|
1) Add examples to the zones and policy files.
|
||||||
|
@ -5632,6 +5632,10 @@ initialize_netfilter () {
|
|||||||
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
|
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
|
||||||
|
startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
|
||||||
|
|
||||||
echo "Determining Zones..."
|
echo "Determining Zones..."
|
||||||
|
|
||||||
determine_zones
|
determine_zones
|
||||||
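Review bot: The new check at the end of the hunk uses the binary `-a` operator inside `[ ]`, which POSIX marks obsolescent and linters flag, while the PHYSDEV check at the top of the hunk uses the plain `[ … ] || startup_error` form. I would write it as `[ -z "$RFC1918_STRICT" ] || [ -n "$CONNTRACK_MATCH" ] || startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"`, which is equivalent, matches the neighbouring style and drops the backslash continuation. Aborting startup here is the right behaviour, since the strict rules generated later in add_common_rules depend on `-m conntrack`. initialize_netfilter begins and ends outside the hunk.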
@ -5922,7 +5926,15 @@ add_common_rules() {
|
|||||||
|
|
||||||
run_iptables -A rfc1918 -j DROP
|
run_iptables -A rfc1918 -j DROP
|
||||||
|
|
||||||
if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
|
chain=norfc1918
|
||||||
|
|
||||||
|
if [ -n "$RFC1918_STRICT" ]; then
|
||||||
|
#
|
||||||
|
# We'll generate two chains - one for source and one for destination
|
||||||
|
#
|
||||||
|
chain=rfc1918d
|
||||||
|
createchain $chain no
|
||||||
|
elif [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
|
||||||
#
|
#
|
||||||
# Mangling is enabled but conntrack match isn't available --
|
# Mangling is enabled but conntrack match isn't available --
|
||||||
# create a chain in the mangle table to filter RFC1918 destination
|
# create a chain in the mangle table to filter RFC1918 destination
|
||||||
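Review bot: The comment above `chain=rfc1918d` says two chains are generated but does not explain why the mangle-table fallback in the `elif` can never apply in strict mode; a reader has to go find the check in initialize_netfilter. I would extend the comment to `# RFC1918_STRICT implies CONNTRACK_MATCH (enforced in initialize_netfilter), so the mangle fallback below is never needed here: source rules stay in norfc1918, destination rules go to rfc1918d`. The branch after `elif` continues outside the hunk, as does add_common_rules itself.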
@ -5941,8 +5953,13 @@ add_common_rules() {
|
|||||||
case $target in
|
case $target in
|
||||||
logdrop)
|
logdrop)
|
||||||
target=rfc1918
|
target=rfc1918
|
||||||
|
s_target=rfc1918
|
||||||
;;
|
;;
|
||||||
DROP|RETURN)
|
DROP)
|
||||||
|
s_target=DROP
|
||||||
|
;;
|
||||||
|
RETURN)
|
||||||
|
[ -n "$RFC1918_STRICT" ] && s_target=rfc1918d || s_target=RETURN
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
fatal_error "Invalid target ($target) for $networks"
|
fatal_error "Invalid target ($target) for $networks"
|
||||||
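Review bot: The new `RETURN)` arm relies on `[ … ] && s_target=rfc1918d || s_target=RETURN`, which reads as if/else but is only correct because an assignment cannot fail; a plain `if [ -n "$RFC1918_STRICT" ]; then s_target=rfc1918d; else s_target=RETURN; fi` says the same without the idiom. This arm is also the heart of strict mode and deserves a comment, e.g. `# Strict: a source-address RETURN jumps to the destination checks in rfc1918d instead of ending norfc1918 processing`. The case statement's selector and the enclosing loop start outside the hunk.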
@ -5950,13 +5967,13 @@ add_common_rules() {
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
for network in $(separate_list $networks); do
|
for network in $(separate_list $networks); do
|
||||||
run_iptables2 -A norfc1918 $(source_ip_range $network) -j $target
|
run_iptables2 -A norfc1918 $(source_ip_range $network) -j $s_target
|
||||||
|
|
||||||
if [ -n "$CONNTRACK_MATCH" ]; then
|
if [ -n "$CONNTRACK_MATCH" ]; then
|
||||||
#
|
#
|
||||||
# We have connection tracking match -- match on the original destination
|
# We have connection tracking match -- match on the original destination
|
||||||
#
|
#
|
||||||
run_iptables2 -A norfc1918 -m conntrack --ctorigdst $network -j $target
|
run_iptables2 -A $chain -m conntrack --ctorigdst $network -j $target
|
||||||
elif [ -n "$MANGLE_ENABLED" ]; then
|
elif [ -n "$MANGLE_ENABLED" ]; then
|
||||||
#
|
#
|
||||||
# No connection tracking match but we have mangling -- add a rule to
|
# No connection tracking match but we have mangling -- add a rule to
|
||||||
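Review bot: In strict mode the source rule on the `-j $s_target` line jumps to rfc1918d for a RETURN network, but nothing visible makes norfc1918 stop afterwards: when no destination rule in rfc1918d matches, the chain falls off its end and norfc1918 continues with the later source rules, so a packet from a RETURN network can still be caught by a broader logdrop entry further down the file (with the shipped defaults, 192.168.1.0/24 RETURN followed by 192.168.0.0/16 logdrop). Unless rfc1918d is terminated somewhere outside these hunks, I would add an explicit return right after the jump, `[ "$s_target" = rfc1918d ] && run_iptables2 -A norfc1918 $(source_ip_range $network) -j RETURN`, which keeps the traditional RETURN semantics for the source while still applying the destination checks. Quoting `"$network"` in both rule lines would also keep a malformed entry in the rfc1918 file from being glob-expanded. The while loop reading that file begins before the hunk.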
@ -5967,6 +5984,8 @@ add_common_rules() {
|
|||||||
done
|
done
|
||||||
done < $TMP_DIR/rfc1918
|
done < $TMP_DIR/rfc1918
|
||||||
|
|
||||||
|
[ -n "$RFC1918_STRICT" ] && run_iptables -A norfc1918 -j rfc1918d
|
||||||
|
|
||||||
for host in $hosts; do
|
for host in $hosts; do
|
||||||
ipsec=${host%^*}
|
ipsec=${host%^*}
|
||||||
host=${host#*^}
|
host=${host#*^}
|
||||||
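Review bot: The added `[ -n "$RFC1918_STRICT" ] && run_iptables -A norfc1918 -j rfc1918d` gives packets whose source matched no rule a pass through the destination checks, but nothing says so and the line sits after the file-reading loop where a reader would not expect more rules. I would put `# Strict: sources that matched no rule above still get the destination checks in rfc1918d` above it. add_common_rules continues outside the hunk.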
@ -7207,6 +7226,7 @@ do_initialize() {
|
|||||||
LOGTAGONLY=
|
LOGTAGONLY=
|
||||||
LOGALLNEW=
|
LOGALLNEW=
|
||||||
DROPINVALID=
|
DROPINVALID=
|
||||||
|
RFC1918_STRICT=
|
||||||
|
|
||||||
RESTOREBASE=
|
RESTOREBASE=
|
||||||
TMP_DIR=
|
TMP_DIR=
|
||||||
@ -7402,6 +7422,7 @@ do_initialize() {
|
|||||||
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
|
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
|
||||||
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
||||||
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
||||||
|
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
||||||
#
|
#
|
||||||
# Strip the files that we use often
|
# Strip the files that we use often
|
||||||
#
|
#
|
||||||
|
@ -45,6 +45,28 @@ New Features in version 2.2.2
|
|||||||
with "multiport match", a separate iptables rule will be generated
|
with "multiport match", a separate iptables rule will be generated
|
||||||
for each element in the list.
|
for each element in the list.
|
||||||
|
|
||||||
|
5) Traditionally, the RETURN target in the 'rfc1918' file has caused
|
||||||
|
'norfc1918' processing to cease for a packet if the packet's source
|
||||||
|
IP address matches the rule. Thus, if you have:
|
||||||
|
|
||||||
|
SUBNETS TARGET
|
||||||
|
192.168.1.0/24 RETURN
|
||||||
|
|
||||||
|
then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even
|
||||||
|
though you also have:
|
||||||
|
|
||||||
|
SUBNETS TARGET
|
||||||
|
10.0.0.0/8 logdrop
|
||||||
|
|
||||||
|
Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic
|
||||||
|
to be logged and dropped since while the packet's source matches the
|
||||||
|
RETURN rule, the packet's destination matches the 'logdrop' rule.
|
||||||
|
|
||||||
|
If not specified or specified as empty (e.g., RFC1918_STRICT="")
|
||||||
|
then RFC1918_STRICT=No is assumed.
|
||||||
|
|
||||||
|
WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables
|
||||||
|
support 'Connection Tracking' match.
|
||||||
-----------------------------------------------------------------------
|
-----------------------------------------------------------------------
|
||||||
Problems corrected in version 2.2.1
|
Problems corrected in version 2.2.1
|
||||||
|
|
||||||
|
@ -21,7 +21,24 @@
|
|||||||
# DROP - silently drop the packet
|
# DROP - silently drop the packet
|
||||||
# logdrop - log then drop
|
# logdrop - log then drop
|
||||||
#
|
#
|
||||||
###############################################################################
|
# By default, the RETURN target in the 'rfc1918' causes 'norfc1918'
|
||||||
|
# processing to cease for a packet if the packet's source IP address matches
|
||||||
|
# the rule. Thus, if you have:
|
||||||
|
#
|
||||||
|
# SUBNETS TARGET
|
||||||
|
# 192.168.1.0/24 RETURN
|
||||||
|
#
|
||||||
|
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
|
||||||
|
# also have:
|
||||||
|
#
|
||||||
|
# SUBNETS TARGET
|
||||||
|
# 10.0.0.0/8 logdrop
|
||||||
|
#
|
||||||
|
# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to be
|
||||||
|
# logged and dropped since while the packet's source matches the RETURN rule,
|
||||||
|
# the packet's destination matches the 'logdrop' rule.
|
||||||
|
#
|
||||||
|
################################################################################
|
||||||
#SUBNETS TARGET
|
#SUBNETS TARGET
|
||||||
172.16.0.0/12 logdrop # RFC 1918
|
172.16.0.0/12 logdrop # RFC 1918
|
||||||
192.168.0.0/16 logdrop # RFC 1918
|
192.168.0.0/16 logdrop # RFC 1918
|
||||||
|
@ -739,6 +739,35 @@ PKTTYPE=Yes
|
|||||||
# DROPINVALID=Yes is assumed.
|
# DROPINVALID=Yes is assumed.
|
||||||
|
|
||||||
DROPINVALID=No
|
DROPINVALID=No
|
||||||
|
|
||||||
|
#
|
||||||
|
# RFC 1918 BEHAVIOR
|
||||||
|
#
|
||||||
|
# Traditionally, the RETURN target in the 'rfc1918' file has caused 'norfc1918'
|
||||||
|
# processing to cease for a packet if the packet's source IP address matches
|
||||||
|
# the rule. Thus, if you have:
|
||||||
|
#
|
||||||
|
# SUBNETS TARGET
|
||||||
|
# 192.168.1.0/24 RETURN
|
||||||
|
#
|
||||||
|
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
|
||||||
|
# also have:
|
||||||
|
#
|
||||||
|
# SUBNETS TARGET
|
||||||
|
# 10.0.0.0/8 logdrop
|
||||||
|
#
|
||||||
|
# Setting RFC1918_STRICT=Yes will cause such traffic to be logged and dropped
|
||||||
|
# since while the packet's source matches the RETURN rule, the packet's
|
||||||
|
# destination matches the 'logdrop' rule.
|
||||||
|
#
|
||||||
|
# If not specified or specified as empty (e.g., RFC1918_STRICT="") then
|
||||||
|
# RFC1918_STRICT=No is assumed.
|
||||||
|
#
|
||||||
|
# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
|
||||||
|
# 'conntrack state' match.
|
||||||
|
|
||||||
|
RFC1918_STRICT=No
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
################################################################################
|
################################################################################
|
||||||
|
@ -2681,7 +2681,7 @@ eth0 eth1 206.124.146.176</programlisting>
|
|||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>RFC1918_STRICT=Yes requires that your kernel and iptables
|
<para>RFC1918_STRICT=Yes requires that your kernel and iptables
|
||||||
support 'conntrack state' match.</para>
|
support 'Connection Tracking' match.</para>
|
||||||
</warning>
|
</warning>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -3743,7 +3743,7 @@ all all tcp ftp-data - 8</programlisting
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Bogons" xreflabel="/etc/shorewall/rfc1918">
|
<section id="Bogons" xreflabel="/etc/shorewall/rfc1918">
|
||||||
<title>/usr/share//shorewall/bogons — Added in Version 2.0.1</title>
|
<title>/usr/share/shorewall/bogons — Added in Version 2.0.1</title>
|
||||||
|
|
||||||
<para>This file lists the subnets affected by the <link
|
<para>This file lists the subnets affected by the <link
|
||||||
linkend="Interfaces">nobogons interface option</link> and <link
|
linkend="Interfaces">nobogons interface option</link> and <link
|
||||||
|
@ -5634,7 +5634,7 @@ initialize_netfilter () {
|
|||||||
|
|
||||||
|
|
||||||
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
|
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
|
||||||
startup_error "RFC1918_STRICT=Yes requires conntrack state match"
|
startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
|
||||||
|
|
||||||
echo "Determining Zones..."
|
echo "Determining Zones..."
|
||||||
|
|
||||||
|
@ -66,7 +66,7 @@ New Features in version 2.2.2
|
|||||||
then RFC1918_STRICT=No is assumed.
|
then RFC1918_STRICT=No is assumed.
|
||||||
|
|
||||||
WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables
|
WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables
|
||||||
support 'conntrack state' match.
|
support 'Connection Tracking' match.
|
||||||
-----------------------------------------------------------------------
|
-----------------------------------------------------------------------
|
||||||
Problems corrected in version 2.2.1
|
Problems corrected in version 2.2.1
|
||||||
|
|
||||||
|