NONE Policy; Allow Intrazone connections; no bounce rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@510 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-03-21 04:14:20 +00:00
parent fbca287dab
commit 5be79ecde7
4 changed files with 57 additions and 180 deletions

@ -1,66 +1,7 @@
Changes since 1.3.14 Changes since 1.4.0
1. All versions changed to 1.4. 1. Implement NONE policy.
2. Rework of error message generation to make the 'firewall' script 2. Never create rules for <iface>:<subnet> to itself.
smaller.
3. Deimplemented MERGE_HOSTS=No. 3. Always allow intrazone traffic.
4. Generate error for <dev>:<integer> name in interfaces file.
5. Deimplement old ping handling.
6. Deimplement 'routestopped' interface/hosts option.
7. Strip comments from potentially large files while the firewall is
still up and running during 'restart'.
8. Disallow the old port forwarding/redirection syntax.
9. Reorganize shorewall.conf.
10. Added support for LOG target.
11. Move firewall and version (one more time....)
12. Add late DNS reply rule to the common chain.
12. Corrected rule number calculation problem in 'shorewall add' command
processing.
13. Update Documentation for 1.4
14. Remove icmp.def file.
15. Added CONTINUE rule target.
16. Added Andrew Zhoglo's fix for logunclean.
17. Removed 'multi' option.
18. Support 802.11b devices with maclist.
19. Don't detect loopback simply by name.
20. Removed trailing white space from all files.
21. Improved parsing of comma-separated lists.
22. Add ECN Removal support
23. Add TCP ports 445 and 139 to the common silent list.
24. Remove 'check' command support.
25. Restore 'check' command support.
26. Remove unused function find_interface_broadcasts()
27. Remove stale comments in the params file.
28. Silently drop INVALID state packets
29. Ignore the 'default' route when detecting masq'd networks.
30. REALLY process the params file first now (honest).
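Review bot: the new "Changes since 1.4.0" list omits the user-visible incompatibility this commit introduces: explicit intra-zone entries in /etc/shorewall/policy and /etc/shorewall/rules now fail at startup ("Intra-zone policies not allowed", "Intra-zone rules are not allowed"), and rules for a source/destination pair under a NONE policy are rejected as well. Suggest adding a fourth entry along the lines of "4. Reject intra-zone policies and rules, and rules that override a NONE policy." so the changelog matches the release notes.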

@ -672,6 +672,7 @@ validate_policy()
print_policy() # $1 = source zone, $2 = destination zone print_policy() # $1 = source zone, $2 = destination zone
{ {
[ $command != check ] || \ [ $command != check ] || \
[ $1 = $2 ] || \
[ $1 = all ] || \ [ $1 = all ] || \
[ $2 = all ] || \ [ $2 = all ] || \
echo " Policy for $1 to $2 is $policy" echo " Policy for $1 to $2 is $policy"
@ -708,7 +709,7 @@ validate_policy()
esac esac
case $policy in case $policy in
ACCEPT|REJECT|DROP|CONTINUE) ACCEPT|REJECT|DROP|CONTINUE|NONE)
;; ;;
*) *)
startup_error "Invalid policy $policy" startup_error "Invalid policy $policy"
@ -717,8 +718,8 @@ validate_policy()
chain=${client}2${server} chain=${client}2${server}
[ "x$chain" = "x${FW}2${FW}" ] && \ [ "$client" != "$server" ] || [ -n "$serverwild" ] || \
startup_error "fw->fw policy not allowed: $policy" startup_error "Intra-zone policies not allowed: $client $server $policy"
if is_policy_chain $chain ; then if is_policy_chain $chain ; then
startup_error "Duplicate policy $policy" startup_error "Duplicate policy $policy"
@ -728,7 +729,7 @@ validate_policy()
chain=${client}2${server} chain=${client}2${server}
all_policy_chains="$all_policy_chains $chain" [ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
eval ${chain}_is_policy=Yes eval ${chain}_is_policy=Yes
eval ${chain}_policy=$policy eval ${chain}_policy=$policy
@ -743,6 +744,7 @@ validate_policy()
if [ -z "$pc" ]; then if [ -z "$pc" ]; then
eval ${zone}2${zone1}_policychain=$chain eval ${zone}2${zone1}_policychain=$chain
eval ${zone}2${zone1}_policy=$policy
print_policy $zone $zone1 print_policy $zone $zone1
fi fi
done done
@ -753,6 +755,7 @@ validate_policy()
if [ -z "$pc" ]; then if [ -z "$pc" ]; then
eval ${zone}2${server}_policychain=$chain eval ${zone}2${server}_policychain=$chain
eval ${zone}2${server}_policy=$policy
print_policy $zone $server print_policy $zone $server
fi fi
done done
@ -763,6 +766,7 @@ validate_policy()
if [ -z "$pc" ]; then if [ -z "$pc" ]; then
eval ${client}2${zone}_policychain=$chain eval ${client}2${zone}_policychain=$chain
eval ${client}2${zone}_policy=$policy
print_policy $client $zone print_policy $client $zone
fi fi
done done
@ -2151,7 +2155,7 @@ process_rule() # $1 = target
else else
serverport= serverport=
[ -z "$serverzone" -o -z "$servers" ] && \ [ -z "$serverzone" -o -z "$servers" ] && \
startup_error "Empty destination zone or qualifier: rule \"$rule\"" fatal_error "Empty destination zone or qualifier: rule \"$rule\""
fi fi
fi fi
@ -2165,6 +2169,11 @@ process_rule() # $1 = target
chain=${source}2${dest} chain=${source}2${dest}
eval policy=${chain}_policy
[ $policy = NONE ] && \
fatal_error "Rules may not override a NONE policy: rule \"$rule\""
[ $command = check ] || ensurechain $chain [ $command = check ] || ensurechain $chain
if [ "x$chain" = x${FW}2${FW} ]; then if [ "x$chain" = x${FW}2${FW} ]; then
@ -2176,6 +2185,8 @@ process_rule() # $1 = target
return return
;; ;;
esac esac
elif [ "$source" = "$dest" ]; then
fatal_error "Intra-zone rules are not allowed: rule \"$rule\""
else else
[ $command = check ] || ensurechain $chain [ $command = check ] || ensurechain $chain
fi fi
@ -3670,41 +3681,34 @@ activate_rules()
done done
for zone1 in $zones; do for zone1 in $zones; do
eval policy=\$${zone}2${zone1}_policy
[ "$policy" = NONE ] && continue
eval dest_hosts=\$${zone1}_hosts eval dest_hosts=\$${zone1}_hosts
chain="`rules_chain $zone $zone1`" if [ $zone = $zone1 ]; then
chain=${zone}2${zone}
havechain $chain || chain=ACCEPT
else
chain="`rules_chain $zone $zone1`"
fi
eval policy_chain=
echo "$zone $zone1 $chain" >> ${STATEDIR}/chains echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then
have_canonical=Yes
else
have_canonical=
fi
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
subnet=${host#*:} subnet=${host#*:}
chain1=`forward_chain $interface` chain1=`forward_chain $interface`
if [ -n "$have_canonical" ]; then
bounce=yes
else
case $interface in
*+*)
bounce=yes
;;
*)
bounce=
;;
esac
fi
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
interface1=${host1%:*} interface1=${host1%:*}
subnet1=${host1#*:} subnet1=${host1#*:}
if [ $interface != $interface1 -o -n "$bounce" ]; then if [ "$host" != "$host1" ]; then
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
fi fi
done done
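Review bot: `havechain $chain || chain=ACCEPT` sends same-zone traffic between distinct interface:subnet pairs straight to ACCEPT whenever no `${zone}2${zone}` chain exists, and with the `bounce` logic removed a forward rule is now emitted for every such pair, including pairs on the same interface. That is the behaviour the release notes describe, but it is the permissive default for multi-interface and multi-subnet zones and deserves a one-line comment at this point in the script saying so. Two smaller points: `eval policy_chain=` is an `eval` of a bare assignment, so a plain `policy_chain=` suffices if the variable is still used and the line can go if it is not; and `if [ $zone = $zone1 ]` should quote its operands the way the new `[ "$host" != "$host1" ]` test does.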

@ -1,10 +1,17 @@
# #
# Shorewall 1.4 - /etc/shorewall/hosts # Shorewall 1.4 - /etc/shorewall/hosts
# #
# WARNING: 90% of Shorewall users don't need to add entries to this # THERE ARE TWO CASES WHERE YOU NEED THIS FILE:
# file and 80% of those who try to add such entries get it #
# wrong. Unless you are ABSOLUTELY SURE that you need entries # 1) YOU HAVE MULTIPLE NETWORKS IN THE SAME ZONE CONNECTED TO
# in this file, don't touch it! # A SINGLE INTERFACE AND YOU WANT THE SHOREWALL BOX TO ROUTE
# BETWEEN THESE NETWORKS.
#
# 2) YOU HAVE MORE THAN ONE ZONE CONNECTED THROUGH A SINGLE
# INTERFACE.
#
# IF YOU DON'T HAVE EITHER OF THESE SITUATIONS THEN DON'T TOUCH
# THIS FILE.
# #
# This file is used to define zones in terms of subnets and/or # This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to # individual IP addresses. Most simple setups don't need to

@ -1,94 +1,19 @@
This is a major release of Shorewall. This is a minor release of Shorewall.
Function from 1.3 that has been omitted from this version includes: This release introduces incompatibilities with prior releases. See
http://www.shorewall.net/upgrade_issues.htm.
1) The MERGE_HOSTS variable in shorewall.conf is no longer Changes are:
supported. Shorewall 1.4 behavior is the same as 1.3 with
MERGE_HOSTS=Yes.
2) Interface names of the form <device>:<integer> in a) There is now a new NONE policy specifiable in
/etc/shorewall/interfaces now generate an error. /etc/shorewall/policy. This policy will cause Shorewall to assume that
there will never be any traffic between the source and destination
zones.
3) Shorewall 1.4 implements behavior consistent with b) Shorewall no longer creates rules to govern traffic from an
OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error interface:subnet to itself.
at startup as will specification of the 'noping' or 'filterping'
interface options.
4) The 'routestopped' option in the /etc/shorewall/interfaces and
/etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.
5) The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
accepted.
6) The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with
ALLOWRELATED=Yes.
7) The 'multi' interface option is no longer supported. Shorewall will
generate rules for sending packets back out the same interface
that they arrived on in two cases:
a) There is an _explicit_ policy for the source zone to the
destination zone. An explicit policy names both zones and does not
use the 'all' reserved word.
b) There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all'
reserved word. Exception: If the source and the destination are
the same zone then the rule must be explicit - it must name the zone
in both the SOURCE and DESTINATION columns.
Changes for 1.4 include:
1) shorewall.conf has been completely reorganized into logical
sections.
2) LOG is now a valid action for a rule (/etc/shorewall/rules).
3) The firewall script and version file are now installed in
/usr/share/shorewall.
4. Late arriving DNS replies are now silently dropped in the common
chain by default.
5) In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or
policy.
6) CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
7) 802.11b devices with names of the form wlan<n> now support the
'maclist' option.
8) IMPORTANT: Shorewall now REQUIRES the iproute package ('ip'
utility).
9) Explicit Congestion Notification (ECN - RFC 3168) may now be turned
off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:
a) You must be running kernel 2.4.20
b) You must have applied the patch in
http://www.shorewall/net/pub/shorewall/ecn/patch.
c) You must have iptables 1.2.7a installed.
10) The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.
11) Packets with state INVALID are now silently dropped.
12) Shorewall now gives a more helpful diagnostic when the 'ipchains'
compatibility kernel module is loaded and a 'shorewall start'
command is issued.
13) The SHARED_DIR variable has been removed from shorewall.conf. This
variable was for use by package maintainers and was not documented
for general use.
14) Shorewall now ignores 'default' routes when detecting masq'd
networks.
c) Intra-zone traffic is always accepted now (exception is (b)
above).. Intrazone policies and rules are no longer allowed.
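Review bot: the new item (c) ends with a doubled period ("above..") and reads more clearly as "the exception is (b) above". Item (a) should also say that rules naming a source/destination pair whose policy is NONE are now rejected at startup (the "Rules may not override a NONE policy" error added in process_rule), since that is an incompatibility the notes otherwise leave implicit; the opening line calling this a "minor release" sits awkwardly next to the sentence announcing incompatibilities, so consider dropping "minor".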