forked from extern/shorewall_code
NONE Policy; Allow Intrazone connections; no bounce rules
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@510 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
fbca287dab
commit
5be79ecde7
@ -1,66 +1,7 @@
|
|||||||
Changes since 1.3.14
|
Changes since 1.4.0
|
||||||
|
|
||||||
1. All versions changed to 1.4.
|
1. Implement NONE policy.
|
||||||
|
|
||||||
2. Rework of error message generation to make the 'firewall' script
|
2. Never create rules for <iface>:<subnet> to itself.
|
||||||
smaller.
|
|
||||||
|
|
||||||
3. Deimplemented MERGE_HOSTS=No.
|
3. Always allow intrazone traffic.
|
||||||
|
|
||||||
4. Generate error for <dev>:<integer> name in interfaces file.
|
|
||||||
|
|
||||||
5. Deimplement old ping handling.
|
|
||||||
|
|
||||||
6. Deimplement 'routestopped' interface/hosts option.
|
|
||||||
|
|
||||||
7. Strip comments from potentially large files while the firewall is
|
|
||||||
still up and running during 'restart'.
|
|
||||||
|
|
||||||
8. Disallow the old port forwarding/redirection syntax.
|
|
||||||
|
|
||||||
9. Reorganize shorewall.conf.
|
|
||||||
|
|
||||||
10. Added support for LOG target.
|
|
||||||
|
|
||||||
11. Move firewall and version (one more time....)
|
|
||||||
|
|
||||||
12. Add late DNS reply rule to the common chain.
|
|
||||||
|
|
||||||
12. Corrected rule number calculation problem in 'shorewall add' command
|
|
||||||
processing.
|
|
||||||
|
|
||||||
13. Update Documentation for 1.4
|
|
||||||
|
|
||||||
14. Remove icmp.def file.
|
|
||||||
|
|
||||||
15. Added CONTINUE rule target.
|
|
||||||
|
|
||||||
16. Added Andrew Zhoglo's fix for logunclean.
|
|
||||||
|
|
||||||
17. Removed 'multi' option.
|
|
||||||
|
|
||||||
18. Support 802.11b devices with maclist.
|
|
||||||
|
|
||||||
19. Don't detect loopback simply by name.
|
|
||||||
|
|
||||||
20. Removed trailing white space from all files.
|
|
||||||
|
|
||||||
21. Improved parsing of comma-separated lists.
|
|
||||||
|
|
||||||
22. Add ECN Removal support
|
|
||||||
|
|
||||||
23. Add TCP ports 445 and 139 to the common silent list.
|
|
||||||
|
|
||||||
24. Remove 'check' command support.
|
|
||||||
|
|
||||||
25. Restore 'check' command support.
|
|
||||||
|
|
||||||
26. Remove unused function find_interface_broadcasts()
|
|
||||||
|
|
||||||
27. Remove stale comments in the params file.
|
|
||||||
|
|
||||||
28. Silently drop INVALID state packets
|
|
||||||
|
|
||||||
29. Ignore the 'default' route when detecting masq'd networks.
|
|
||||||
|
|
||||||
30. REALLY process the params file first now (honest).
|
|
||||||
|
@ -672,6 +672,7 @@ validate_policy()
|
|||||||
print_policy() # $1 = source zone, $2 = destination zone
|
print_policy() # $1 = source zone, $2 = destination zone
|
||||||
{
|
{
|
||||||
[ $command != check ] || \
|
[ $command != check ] || \
|
||||||
|
[ $1 = $2 ] || \
|
||||||
[ $1 = all ] || \
|
[ $1 = all ] || \
|
||||||
[ $2 = all ] || \
|
[ $2 = all ] || \
|
||||||
echo " Policy for $1 to $2 is $policy"
|
echo " Policy for $1 to $2 is $policy"
|
||||||
@ -708,7 +709,7 @@ validate_policy()
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
case $policy in
|
case $policy in
|
||||||
ACCEPT|REJECT|DROP|CONTINUE)
|
ACCEPT|REJECT|DROP|CONTINUE|NONE)
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
startup_error "Invalid policy $policy"
|
startup_error "Invalid policy $policy"
|
||||||
@ -717,8 +718,8 @@ validate_policy()
|
|||||||
|
|
||||||
chain=${client}2${server}
|
chain=${client}2${server}
|
||||||
|
|
||||||
[ "x$chain" = "x${FW}2${FW}" ] && \
|
[ "$client" != "$server" ] || [ -n "$serverwild" ] || \
|
||||||
startup_error "fw->fw policy not allowed: $policy"
|
startup_error "Intra-zone policies not allowed: $client $server $policy"
|
||||||
|
|
||||||
if is_policy_chain $chain ; then
|
if is_policy_chain $chain ; then
|
||||||
startup_error "Duplicate policy $policy"
|
startup_error "Duplicate policy $policy"
|
||||||
@ -728,7 +729,7 @@ validate_policy()
|
|||||||
|
|
||||||
chain=${client}2${server}
|
chain=${client}2${server}
|
||||||
|
|
||||||
all_policy_chains="$all_policy_chains $chain"
|
[ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
|
||||||
|
|
||||||
eval ${chain}_is_policy=Yes
|
eval ${chain}_is_policy=Yes
|
||||||
eval ${chain}_policy=$policy
|
eval ${chain}_policy=$policy
|
||||||
@ -743,6 +744,7 @@ validate_policy()
|
|||||||
|
|
||||||
if [ -z "$pc" ]; then
|
if [ -z "$pc" ]; then
|
||||||
eval ${zone}2${zone1}_policychain=$chain
|
eval ${zone}2${zone1}_policychain=$chain
|
||||||
|
eval ${zone}2${zone1}_policy=$policy
|
||||||
print_policy $zone $zone1
|
print_policy $zone $zone1
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
@ -753,6 +755,7 @@ validate_policy()
|
|||||||
|
|
||||||
if [ -z "$pc" ]; then
|
if [ -z "$pc" ]; then
|
||||||
eval ${zone}2${server}_policychain=$chain
|
eval ${zone}2${server}_policychain=$chain
|
||||||
|
eval ${zone}2${server}_policy=$policy
|
||||||
print_policy $zone $server
|
print_policy $zone $server
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
@ -763,6 +766,7 @@ validate_policy()
|
|||||||
|
|
||||||
if [ -z "$pc" ]; then
|
if [ -z "$pc" ]; then
|
||||||
eval ${client}2${zone}_policychain=$chain
|
eval ${client}2${zone}_policychain=$chain
|
||||||
|
eval ${client}2${zone}_policy=$policy
|
||||||
print_policy $client $zone
|
print_policy $client $zone
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
@ -2151,7 +2155,7 @@ process_rule() # $1 = target
|
|||||||
else
|
else
|
||||||
serverport=
|
serverport=
|
||||||
[ -z "$serverzone" -o -z "$servers" ] && \
|
[ -z "$serverzone" -o -z "$servers" ] && \
|
||||||
startup_error "Empty destination zone or qualifier: rule \"$rule\""
|
fatal_error "Empty destination zone or qualifier: rule \"$rule\""
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -2165,6 +2169,11 @@ process_rule() # $1 = target
|
|||||||
|
|
||||||
chain=${source}2${dest}
|
chain=${source}2${dest}
|
||||||
|
|
||||||
|
eval policy=${chain}_policy
|
||||||
|
|
||||||
|
[ $policy = NONE ] && \
|
||||||
|
fatal_error "Rules may not override a NONE policy: rule \"$rule\""
|
||||||
|
|
||||||
[ $command = check ] || ensurechain $chain
|
[ $command = check ] || ensurechain $chain
|
||||||
|
|
||||||
if [ "x$chain" = x${FW}2${FW} ]; then
|
if [ "x$chain" = x${FW}2${FW} ]; then
|
||||||
@ -2176,6 +2185,8 @@ process_rule() # $1 = target
|
|||||||
return
|
return
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
elif [ "$source" = "$dest" ]; then
|
||||||
|
fatal_error "Intra-zone rules are not allowed: rule \"$rule\""
|
||||||
else
|
else
|
||||||
[ $command = check ] || ensurechain $chain
|
[ $command = check ] || ensurechain $chain
|
||||||
fi
|
fi
|
||||||
@ -3670,41 +3681,34 @@ activate_rules()
|
|||||||
done
|
done
|
||||||
|
|
||||||
for zone1 in $zones; do
|
for zone1 in $zones; do
|
||||||
|
|
||||||
|
eval policy=\$${zone}2${zone1}_policy
|
||||||
|
|
||||||
|
[ "$policy" = NONE ] && continue
|
||||||
|
|
||||||
eval dest_hosts=\$${zone1}_hosts
|
eval dest_hosts=\$${zone1}_hosts
|
||||||
|
|
||||||
chain="`rules_chain $zone $zone1`"
|
if [ $zone = $zone1 ]; then
|
||||||
|
chain=${zone}2${zone}
|
||||||
|
havechain $chain || chain=ACCEPT
|
||||||
|
else
|
||||||
|
chain="`rules_chain $zone $zone1`"
|
||||||
|
fi
|
||||||
|
|
||||||
|
eval policy_chain=
|
||||||
|
|
||||||
echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
|
echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
|
||||||
|
|
||||||
if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then
|
|
||||||
have_canonical=Yes
|
|
||||||
else
|
|
||||||
have_canonical=
|
|
||||||
fi
|
|
||||||
|
|
||||||
for host in $source_hosts; do
|
for host in $source_hosts; do
|
||||||
interface=${host%:*}
|
interface=${host%:*}
|
||||||
subnet=${host#*:}
|
subnet=${host#*:}
|
||||||
chain1=`forward_chain $interface`
|
chain1=`forward_chain $interface`
|
||||||
|
|
||||||
if [ -n "$have_canonical" ]; then
|
|
||||||
bounce=yes
|
|
||||||
else
|
|
||||||
case $interface in
|
|
||||||
*+*)
|
|
||||||
bounce=yes
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
bounce=
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
fi
|
|
||||||
|
|
||||||
for host1 in $dest_hosts; do
|
for host1 in $dest_hosts; do
|
||||||
interface1=${host1%:*}
|
interface1=${host1%:*}
|
||||||
subnet1=${host1#*:}
|
subnet1=${host1#*:}
|
||||||
|
|
||||||
if [ $interface != $interface1 -o -n "$bounce" ]; then
|
if [ "$host" != "$host1" ]; then
|
||||||
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
|
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
@ -1,10 +1,17 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 1.4 - /etc/shorewall/hosts
|
# Shorewall 1.4 - /etc/shorewall/hosts
|
||||||
#
|
#
|
||||||
# WARNING: 90% of Shorewall users don't need to add entries to this
|
# THERE ARE TWO CASES WHERE YOU NEED THIS FILE:
|
||||||
# file and 80% of those who try to add such entries get it
|
#
|
||||||
# wrong. Unless you are ABSOLUTELY SURE that you need entries
|
# 1) YOU HAVE MULTIPLE NETWORKS IN THE SAME ZONE CONNECTED TO
|
||||||
# in this file, don't touch it!
|
# A SINGLE INTERFACE AND YOU WANT THE SHOREWALL BOX TO ROUTE
|
||||||
|
# BETWEEN THESE NETWORKS.
|
||||||
|
#
|
||||||
|
# 2) YOU HAVE MORE THAN ONE ZONE CONNECTED THROUGH A SINGLE
|
||||||
|
# INTERFACE.
|
||||||
|
#
|
||||||
|
# IF YOU DON'T HAVE EITHER OF THESE SITUATIONS THEN DON'T TOUCH
|
||||||
|
# THIS FILE.
|
||||||
#
|
#
|
||||||
# This file is used to define zones in terms of subnets and/or
|
# This file is used to define zones in terms of subnets and/or
|
||||||
# individual IP addresses. Most simple setups don't need to
|
# individual IP addresses. Most simple setups don't need to
|
||||||
|
@ -1,94 +1,19 @@
|
|||||||
This is a major release of Shorewall.
|
This is a minor release of Shorewall.
|
||||||
|
|
||||||
Function from 1.3 that has been omitted from this version includes:
|
This release introduces incompatibilities with prior releases. See
|
||||||
|
http://www.shorewall.net/upgrade_issues.htm.
|
||||||
|
|
||||||
1) The MERGE_HOSTS variable in shorewall.conf is no longer
|
Changes are:
|
||||||
supported. Shorewall 1.4 behavior is the same as 1.3 with
|
|
||||||
MERGE_HOSTS=Yes.
|
|
||||||
|
|
||||||
2) Interface names of the form <device>:<integer> in
|
a) There is now a new NONE policy specifiable in
|
||||||
/etc/shorewall/interfaces now generate an error.
|
/etc/shorewall/policy. This policy will cause Shorewall to assume that
|
||||||
|
there will never be any traffic between the source and destination
|
||||||
|
zones.
|
||||||
|
|
||||||
3) Shorewall 1.4 implements behavior consistent with
|
b) Shorewall no longer creates rules to govern traffic from an
|
||||||
OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error
|
interface:subnet to itself.
|
||||||
at startup as will specification of the 'noping' or 'filterping'
|
|
||||||
interface options.
|
|
||||||
|
|
||||||
4) The 'routestopped' option in the /etc/shorewall/interfaces and
|
|
||||||
/etc/shorewall/hosts files is no longer supported and will generate
|
|
||||||
an error at startup if specified.
|
|
||||||
|
|
||||||
5) The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
|
|
||||||
accepted.
|
|
||||||
|
|
||||||
6) The ALLOWRELATED variable in shorewall.conf is no longer
|
|
||||||
supported. Shorewall 1.4 behavior is the same as 1.3 with
|
|
||||||
ALLOWRELATED=Yes.
|
|
||||||
|
|
||||||
7) The 'multi' interface option is no longer supported. Shorewall will
|
|
||||||
generate rules for sending packets back out the same interface
|
|
||||||
that they arrived on in two cases:
|
|
||||||
|
|
||||||
a) There is an _explicit_ policy for the source zone to the
|
|
||||||
destination zone. An explicit policy names both zones and does not
|
|
||||||
use the 'all' reserved word.
|
|
||||||
|
|
||||||
b) There are one or more rules for traffic for the source zone to
|
|
||||||
or from the destination zone including rules that use the 'all'
|
|
||||||
reserved word. Exception: If the source and the destination are
|
|
||||||
the same zone then the rule must be explicit - it must name the zone
|
|
||||||
in both the SOURCE and DESTINATION columns.
|
|
||||||
|
|
||||||
Changes for 1.4 include:
|
|
||||||
|
|
||||||
1) shorewall.conf has been completely reorganized into logical
|
|
||||||
sections.
|
|
||||||
|
|
||||||
2) LOG is now a valid action for a rule (/etc/shorewall/rules).
|
|
||||||
|
|
||||||
3) The firewall script and version file are now installed in
|
|
||||||
/usr/share/shorewall.
|
|
||||||
|
|
||||||
4. Late arriving DNS replies are now silently dropped in the common
|
|
||||||
chain by default.
|
|
||||||
|
|
||||||
5) In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
|
|
||||||
longer unconditionally accepts outbound ICMP packets. So if you want
|
|
||||||
to 'ping' from the firewall, you will need the appropriate rule or
|
|
||||||
policy.
|
|
||||||
|
|
||||||
6) CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
|
|
||||||
|
|
||||||
7) 802.11b devices with names of the form wlan<n> now support the
|
|
||||||
'maclist' option.
|
|
||||||
|
|
||||||
8) IMPORTANT: Shorewall now REQUIRES the iproute package ('ip'
|
|
||||||
utility).
|
|
||||||
|
|
||||||
9) Explicit Congestion Notification (ECN - RFC 3168) may now be turned
|
|
||||||
off on a host or network basis using the new /etc/shorewall/ecn
|
|
||||||
file. To use this facility:
|
|
||||||
|
|
||||||
a) You must be running kernel 2.4.20
|
|
||||||
b) You must have applied the patch in
|
|
||||||
http://www.shorewall/net/pub/shorewall/ecn/patch.
|
|
||||||
c) You must have iptables 1.2.7a installed.
|
|
||||||
|
|
||||||
10) The /etc/shorewall/params file is now processed first so that
|
|
||||||
variables may be used in the /etc/shorewall/shorewall.conf file.
|
|
||||||
|
|
||||||
11) Packets with state INVALID are now silently dropped.
|
|
||||||
|
|
||||||
12) Shorewall now gives a more helpful diagnostic when the 'ipchains'
|
|
||||||
compatibility kernel module is loaded and a 'shorewall start'
|
|
||||||
command is issued.
|
|
||||||
|
|
||||||
13) The SHARED_DIR variable has been removed from shorewall.conf. This
|
|
||||||
variable was for use by package maintainers and was not documented
|
|
||||||
for general use.
|
|
||||||
|
|
||||||
14) Shorewall now ignores 'default' routes when detecting masq'd
|
|
||||||
networks.
|
|
||||||
|
|
||||||
|
c) Intra-zone traffic is always accepted now (exception is (b)
|
||||||
|
above).. Intrazone policies and rules are no longer allowed.
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user