forked from extern/shorewall_code
Fix nat table logging bugs
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1451 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
5d7f769774
commit
624e2f2ef3
@ -1,46 +1,3 @@
|
||||
Changes since 2.0.2
|
||||
Changes since 2.0.3c
|
||||
|
||||
1) Remove restore files; don't generate them for non-statechanging
|
||||
commands.
|
||||
|
||||
2) Restore file now loads kernel modules.
|
||||
|
||||
3) Minor tweaks to the restore mechanism.
|
||||
|
||||
4) Allow "!" in accounting rules.
|
||||
|
||||
5) Backport bug fixes from stable (/var/lib/shorewall existence and
|
||||
null common action).
|
||||
|
||||
6) Add lots of overhead to [re]start in order to catch typing errors.
|
||||
|
||||
7) Correct reporting of installation directory in install.sh.
|
||||
|
||||
8) Load kernel modules before detecting capabilities.
|
||||
|
||||
9) Added the 'rejectNonSyn' standard built-in action.
|
||||
|
||||
10) Merged Tuomo Soini's patch to the install script.
|
||||
|
||||
11) Correct brain-cramp in module loading fix (8 above).
|
||||
|
||||
12) Add 'key' to sample tunnel file.
|
||||
|
||||
13) Allow multiple saved configurations.
|
||||
|
||||
14) Add %attr spec to /etc/init.d/shorewall in the .spec file.
|
||||
|
||||
15) Fix rules that have bridge ports in both SOURCE and DEST. Update
|
||||
comments in the rules file WRT "all" in SOURCE or DEST.
|
||||
|
||||
16) Pass INVALID icmp packets through the blacklisting chains.
|
||||
|
||||
17) Fix bogus code in process_tc_rule()
|
||||
|
||||
18) Fix security vulnerability involving temporary files/directories.
|
||||
|
||||
19) Hack security fix so that it works under Slackware.
|
||||
|
||||
20) Fix mktempfile() where there is no mktemp utility.
|
||||
|
||||
21) Hack security fix to correct "shorewall stop" problems.
|
||||
1) Fix DNAT logging with 'fw' as the source zone.
|
||||
|
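Review bot: the new changelog entry lists only the DNAT-with-'fw'-source fix, but this commit also adds the missing `"$logtag"` argument to the second log_rule_limit call in add_nat_rule, which affects logged DNAT rules for any source zone; the commit title says "logging bugs", so add a second item (e.g. "2) Pass the log tag when logging nat rules") so the changelog matches the code. Replacing the 2.0.2 to 2.0.3c history with a "Changes since 2.0.3c" section is consistent with the releasenotes.txt hunk in this commit.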
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=2.0.3c
|
||||
VERSION=2.0.4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
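Review bot: VERSION is hard-coded separately in this script, in the install script and in the uninstall script (all three bumped from 2.0.3c to 2.0.4 in this commit); a release that updates only two of the three would go unnoticed until a user ran the stale one, so consider generating the version string from a single place at install time, or at least documenting the three locations in a release checklist.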
@ -3068,7 +3068,7 @@ add_nat_rule() {
|
||||
else
|
||||
for adr in $(separate_list $addr); do
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \
|
||||
log_rule_limit $loglevel OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \
|
||||
$(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports)
|
||||
fi
|
||||
|
||||
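Review bot: the old call passed `$OUTPUT`, a shell variable that is not set anywhere in the visible code, so it expanded to nothing and every later argument to log_rule_limit shifted one position left (`$logtarget` became the chain, `"$ratelimit"` the target, and so on), which matches the "shorewall start" failure the release notes describe for logged DNAT rules with 'fw' as the source. Passing the literal chain name OUTPUT is the right fix; to stop the same class of bug from recurring silently, consider a guard at the top of log_rule_limit such as `[ -n "$2" ] || fatal_error "log_rule_limit: empty chain"` so an empty positional argument fails loudly instead of shifting the rest.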
@ -3099,7 +3099,7 @@ add_nat_rule() {
|
||||
done
|
||||
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat
|
||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -t nat
|
||||
fi
|
||||
|
||||
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
|
||||
|
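Review bot: the old call omitted `"$logtag"` between `"$ratelimit"` and `-t nat`, so log_rule_limit received `-t` as its log tag and `nat` as the first rule argument, misplacing the `-t nat` table option; the corrected call now matches the argument order used at the 3068 call site (`$loglevel $chain $logtarget "$ratelimit" "$logtag" -t nat`). Because the same six positional arguments are spelled out at each call site, a one-line comment above log_rule_limit documenting the parameter order (or a small wrapper such as log_nat_rule that fills in `-t nat`) would make the next omission easier to spot in review.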
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
|
||||
VERSION=2.0.3c
|
||||
VERSION=2.0.4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,172 +1,10 @@
|
||||
Shorewall 2.0.3b
|
||||
Shorewall 2.0.4
|
||||
|
||||
----------------------------------------------------------------------
|
||||
Problems Corrected since 2.0.2
|
||||
|
||||
1) The 'firewall' script is not purging temporary restore files in
|
||||
/var/lib/shorewall. These files have names of the form
|
||||
"restore-nnnnn".
|
||||
|
||||
2) The /var/lib/shorewall/restore script did not load the kernel
|
||||
modules specified in /etc/shorewall/modules.
|
||||
|
||||
3) Specifying a null common action in /etc/shorewall/actions (e.g.,
|
||||
:REJECT) results in a startup error.
|
||||
|
||||
4) If /var/lib/shorewall does not exist, shorewall start fails.
|
||||
|
||||
5) DNAT rules with a dynamic source zone don't work properly. When
|
||||
used, these rules cause the rule to be checked against ALL input,
|
||||
not just input from the designated zone.
|
||||
|
||||
6) The install.sh script reported installing some files in
|
||||
/etc/shorewall when the files were actually installed in
|
||||
/usr/share/shorewall.
|
||||
|
||||
7) Shorewall checks netfilter capabilities before loading kernel
|
||||
modules. Hence if kernel module autoloading isn't enabled, the
|
||||
capabilities will be misdetected.
|
||||
|
||||
8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
|
||||
|
||||
9) The file /etc/init.d/shorewall now gets proper ownership when the
|
||||
RPM is built by a non-root user.
|
||||
|
||||
10) Rules that specify bridge ports in both the SOURCE and DEST
|
||||
columns no longer cause "shorewall start" to fail.
|
||||
|
||||
11) Comments in the rules file have been added to advise users that
|
||||
"all" in the SOURCE or DEST column does not affect intra-zone
|
||||
traffic.
|
||||
|
||||
12) With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now
|
||||
passed through the blacklisting chains. Without this change, it is
|
||||
not possible to blacklist hosts that are mounting certain types of
|
||||
ICMP-based DOS attacks.
|
||||
|
||||
Problems Corrected since 2.0.3
|
||||
|
||||
1) A non-empty DEST entry in /etc/shorewall/tcrules will generate an
|
||||
error and Shorewall fails to start.
|
||||
|
||||
2) A potential security vulnerablilty in the way that Shorewall
|
||||
handles temporary files and directories has been corrected.
|
||||
|
||||
3) The security vulnerability fix failed under Slackware 9.1.
|
||||
|
||||
4) The security vulnerability fix failed if mktemp was not installed.
|
||||
|
||||
5) The security vulnerability fix causes error messages during
|
||||
"shorewall stop"
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
|
||||
|
||||
1) The 'dropNonSyn' standard builtin action has been replaced with the
|
||||
'dropNotSyn' standard builtin action. The old name can still be used
|
||||
but will generate a warning.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
New Features:
|
||||
|
||||
1) Shorewall now supports multiple saved configurations.
|
||||
|
||||
a) The default saved configuration (restore script) in
|
||||
/var/lib/shorewall is now specified using the RESTOREFILE option
|
||||
in shorewall.conf. If this variable isn't set then to maitain
|
||||
backward compatibility, 'restore' is assumed.
|
||||
|
||||
The value of RESTOREFILE must be a simple file name; no slashes
|
||||
("/") may be included.
|
||||
|
||||
b) The "save" command has been extended to be able to specify the
|
||||
name of a saved configuration.
|
||||
|
||||
shorewall save [ <file name> ]
|
||||
|
||||
The current state is saved to /var/lib/shorewall/<file name>. If
|
||||
no <file name> is given, the configuration is saved to
|
||||
the file determined by the RESTOREFILE setting.
|
||||
|
||||
c) The "restore" command has been extended to be able to specify
|
||||
the name of a saved configuration:
|
||||
|
||||
shorewall restore [ <file name> ]
|
||||
|
||||
The firewall state is restored from /var/lib/shorewall/<file
|
||||
name>. If no <file name> is given, the firewall state is
|
||||
restored from the file determined by the RESTOREFILE setting.
|
||||
|
||||
c) The "forget" command has changed. Previously, the command
|
||||
unconditionally removed the /var/lib/shorewall/save file which
|
||||
records the current dynamic blacklist. The "forget" command now
|
||||
leaves that file alone.
|
||||
|
||||
Also, the "forget" command has been extended to be able to
|
||||
specify the name of a saved configuration:
|
||||
|
||||
shorewall forget [ <file name> ]
|
||||
|
||||
The file /var/lib/shorewall/<file name> is removed. If no <file
|
||||
name> is given, the file determined by the RESTOREFILE setting
|
||||
is removed.
|
||||
|
||||
d) The "shorewall -f start" command restores the state from the
|
||||
file determined by the RESTOREFILE setting.
|
||||
|
||||
2) "!" is now allowed in accounting rules.
|
||||
|
||||
3) Interface names appearing within the configuration are now
|
||||
verified. Interface names must match the name of an entry in
|
||||
/etc/shorewall/interfaces (or if bridging is enabled, they must
|
||||
match the name of an entry in /etc/shorewall/interfaces or the name
|
||||
of a bridge port appearing in /etc/shorewall/hosts).
|
||||
|
||||
4) A new 'rejNotSyn' built-in standard action has been added. This
|
||||
action responds to "New not SYN" packets with an RST.
|
||||
|
||||
The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
|
||||
action. The old name will be accepted until the next major release
|
||||
of Shorewall but will generate a warning.
|
||||
|
||||
Several new logging actions involving "New not SYN" packets have
|
||||
been added:
|
||||
|
||||
logNewNotSyn -- logs the packet with disposition = LOG
|
||||
dLogNewNotSyn -- logs the packet with disposition = DROP
|
||||
rLogNewNotSyn -- logs the packet with disposition = REJECT
|
||||
|
||||
The packets are logged at the log level specified in the
|
||||
LOGNEWNOTSYN option in shorewall.conf. If than option is empty or
|
||||
not specified, then 'info' is assumed.
|
||||
|
||||
Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
|
||||
|
||||
A: To simulate the behavior of NEWNOTSYN=No:
|
||||
|
||||
a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
|
||||
b) Create /etc/shorewall/action.NoNewNotSyn containing:
|
||||
|
||||
dLogNotSyn
|
||||
dropNotSyn
|
||||
|
||||
c) Early in your rules file, place:
|
||||
|
||||
NoNewNotSyn all all tcp
|
||||
|
||||
B: Drop 'New not SYN' packets from the net only. Don't log them.
|
||||
|
||||
a) Early in your rules file, place:
|
||||
|
||||
dropNotSyn net all tcp
|
||||
|
||||
5) Slackware users no longer have to modify the install.sh script
|
||||
before installation. Tuomo Soini has provided a change that allows
|
||||
the INIT and FIREWALL variables to be specified outside the script
|
||||
as in:
|
||||
|
||||
DEST=/etc/rc.d INIT=rc.firewall ./install.sh
|
||||
Problems Corrected since 2.0.3c
|
||||
|
||||
1) A DNAT rule with 'fw' as the source that specified logging caused
|
||||
"shorewall start" to fail.
|
||||
|
||||
|
||||
|
||||
|
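Review bot: the new release notes carry only the one DNAT logging fix, yet the removed "Problems Corrected since 2.0.3" section described a temporary-file security vulnerability fix and its follow-ups (Slackware 9.1, missing mktemp, "shorewall stop" errors), and the removed migration section described the dropNonSyn to dropNotSyn rename; a user upgrading straight from 2.0.2 or 2.0.3 to 2.0.4 would no longer see either, so consider retaining those sections or adding a short "see the 2.0.3c release notes" pointer. The replacement text also appears to end with several blank lines, which can be trimmed.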
@ -141,6 +141,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Tue Jul 06 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.4-1
|
||||
* Fri Jul 02 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.3c-1
|
||||
* Wed Jun 30 2004 Tom Eastep tom@shorewall.net
|
||||
|
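Review bot: only the %changelog entry for 2.0.4-1 is added here; the Version and Release tags at the top of the spec are not in this diff, so confirm they were bumped to match 2.0.4-1, otherwise the built RPM will carry the 2.0.3c version while its changelog claims 2.0.4.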
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=2.0.3c
|
||||
VERSION=2.0.4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
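Review bot: the context comment directly above the version line still says "remove Seattle Firewall" while the fallback script's comment in this same commit says "Shoreline Firewall"; since this block is being touched for the version bump anyway, correct the comment to "Shoreline Firewall" in the same change.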