Fix nat table logging bugs

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1451 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-07-06 14:13:52 +00:00
parent 5d7f769774
commit 624e2f2ef3
7 changed files with 13 additions and 216 deletions

View File

@ -1,46 +1,3 @@
Changes since 2.0.2
Changes since 2.0.3c
1) Remove restore files; don't generate them for non-statechanging
commands.
2) Restore file now loads kernel modules.
3) Minor tweaks to the restore mechanism.
4) Allow "!" in accounting rules.
5) Backport bug fixes from stable (/var/lib/shorewall existence and
null common action).
6) Add lots of overhead to [re]start in order to catch typing errors.
7) Correct reporting of installation directory in install.sh.
8) Load kernel modules before detecting capabilities.
9) Added the 'rejectNonSyn' standard built-in action.
10) Merged Tuomo Soini's patch to the install script.
11) Correct brain-cramp in module loading fix (8 above).
12) Add 'key' to sample tunnel file.
13) Allow multiple saved configurations.
14) Add %attr spec to /etc/init.d/shorewall in the .spec file.
15) Fix rules that have bridge ports in both SOURCE and DEST. Update
comments in the rules file WRT "all" in SOURCE or DEST.
16) Pass INVALID icmp packets through the blacklisting chains.
17) Fix bogus code in process_tc_rule()
18) Fix security vulnerability involving temporary files/directories.
19) Hack security fix so that it works under Slackware.
20) Fix mktempfile() where there is no mktemp utility.
21) Hack security fix to correct "shorewall stop" problems.
1) Fix DNAT logging with 'fw' as the source zone.

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=2.0.3c
VERSION=2.0.4
usage() # $1 = exit status
{

View File

@ -3068,7 +3068,7 @@ add_nat_rule() {
else
for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \
log_rule_limit $loglevel OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \
$(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports)
fi
@ -3099,7 +3099,7 @@ add_nat_rule() {
done
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -t nat
fi
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=2.0.3c
VERSION=2.0.4
usage() # $1 = exit status
{

View File

@ -1,172 +1,10 @@
Shorewall 2.0.3b
Shorewall 2.0.4
----------------------------------------------------------------------
Problems Corrected since 2.0.2
1) The 'firewall' script is not purging temporary restore files in
/var/lib/shorewall. These files have names of the form
"restore-nnnnn".
2) The /var/lib/shorewall/restore script did not load the kernel
modules specified in /etc/shorewall/modules.
3) Specifying a null common action in /etc/shorewall/actions (e.g.,
:REJECT) results in a startup error.
4) If /var/lib/shorewall does not exist, shorewall start fails.
5) DNAT rules with a dynamic source zone don't work properly. When
used, these rules cause the rule to be checked against ALL input,
not just input from the designated zone.
6) The install.sh script reported installing some files in
/etc/shorewall when the files were actually installed in
/usr/share/shorewall.
7) Shorewall checks netfilter capabilities before loading kernel
modules. Hence if kernel module autoloading isn't enabled, the
capabilities will be misdetected.
8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
9) The file /etc/init.d/shorewall now gets proper ownership when the
RPM is built by a non-root user.
10) Rules that specify bridge ports in both the SOURCE and DEST
columns no longer cause "shorewall start" to fail.
11) Comments in the rules file have been added to advise users that
"all" in the SOURCE or DEST column does not affect intra-zone
traffic.
12) With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now
passed through the blacklisting chains. Without this change, it is
not possible to blacklist hosts that are mounting certain types of
ICMP-based DOS attacks.
Problems Corrected since 2.0.3
1) A non-empty DEST entry in /etc/shorewall/tcrules will generate an
error and Shorewall fails to start.
2) A potential security vulnerablilty in the way that Shorewall
handles temporary files and directories has been corrected.
3) The security vulnerability fix failed under Slackware 9.1.
4) The security vulnerability fix failed if mktemp was not installed.
5) The security vulnerability fix causes error messages during
"shorewall stop"
-----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
1) The 'dropNonSyn' standard builtin action has been replaced with the
'dropNotSyn' standard builtin action. The old name can still be used
but will generate a warning.
-----------------------------------------------------------------------
New Features:
1) Shorewall now supports multiple saved configurations.
a) The default saved configuration (restore script) in
/var/lib/shorewall is now specified using the RESTOREFILE option
in shorewall.conf. If this variable isn't set then to maitain
backward compatibility, 'restore' is assumed.
The value of RESTOREFILE must be a simple file name; no slashes
("/") may be included.
b) The "save" command has been extended to be able to specify the
name of a saved configuration.
shorewall save [ <file name> ]
The current state is saved to /var/lib/shorewall/<file name>. If
no <file name> is given, the configuration is saved to
the file determined by the RESTOREFILE setting.
c) The "restore" command has been extended to be able to specify
the name of a saved configuration:
shorewall restore [ <file name> ]
The firewall state is restored from /var/lib/shorewall/<file
name>. If no <file name> is given, the firewall state is
restored from the file determined by the RESTOREFILE setting.
c) The "forget" command has changed. Previously, the command
unconditionally removed the /var/lib/shorewall/save file which
records the current dynamic blacklist. The "forget" command now
leaves that file alone.
Also, the "forget" command has been extended to be able to
specify the name of a saved configuration:
shorewall forget [ <file name> ]
The file /var/lib/shorewall/<file name> is removed. If no <file
name> is given, the file determined by the RESTOREFILE setting
is removed.
d) The "shorewall -f start" command restores the state from the
file determined by the RESTOREFILE setting.
2) "!" is now allowed in accounting rules.
3) Interface names appearing within the configuration are now
verified. Interface names must match the name of an entry in
/etc/shorewall/interfaces (or if bridging is enabled, they must
match the name of an entry in /etc/shorewall/interfaces or the name
of a bridge port appearing in /etc/shorewall/hosts).
4) A new 'rejNotSyn' built-in standard action has been added. This
action responds to "New not SYN" packets with an RST.
The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
action. The old name will be accepted until the next major release
of Shorewall but will generate a warning.
Several new logging actions involving "New not SYN" packets have
been added:
logNewNotSyn -- logs the packet with disposition = LOG
dLogNewNotSyn -- logs the packet with disposition = DROP
rLogNewNotSyn -- logs the packet with disposition = REJECT
The packets are logged at the log level specified in the
LOGNEWNOTSYN option in shorewall.conf. If than option is empty or
not specified, then 'info' is assumed.
Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
A: To simulate the behavior of NEWNOTSYN=No:
a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
b) Create /etc/shorewall/action.NoNewNotSyn containing:
dLogNotSyn
dropNotSyn
c) Early in your rules file, place:
NoNewNotSyn all all tcp
B: Drop 'New not SYN' packets from the net only. Don't log them.
a) Early in your rules file, place:
dropNotSyn net all tcp
5) Slackware users no longer have to modify the install.sh script
before installation. Tuomo Soini has provided a change that allows
the INIT and FIREWALL variables to be specified outside the script
as in:
DEST=/etc/rc.d INIT=rc.firewall ./install.sh
Problems Corrected since 2.0.3c
1) A DNAT rule with 'fw' as the source that specified logging caused
"shorewall start" to fail.

View File

@ -141,6 +141,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Tue Jul 06 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.4-1
* Fri Jul 02 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.3c-1
* Wed Jun 30 2004 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=2.0.3c
VERSION=2.0.4
usage() # $1 = exit status
{