From 624e2f2ef3224029f21dab72f8ddf76dd69cc0c1 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 6 Jul 2004 14:13:52 +0000
Subject: [PATCH] Fix nat table logging bugs

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1451 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 STABLE2/changelog.txt | 47 +----------
 STABLE2/fallback.sh | 2 +-
 STABLE2/firewall | 4 +-
 STABLE2/install.sh | 2 +-
 STABLE2/releasenotes.txt | 170 +--------------------------------------
 STABLE2/shorewall.spec | 2 +
 STABLE2/uninstall.sh | 2 +-
 7 files changed, 13 insertions(+), 216 deletions(-)

diff --git a/STABLE2/changelog.txt b/STABLE2/changelog.txt
index 3c17da196..6fcaba542 100644
--- a/STABLE2/changelog.txt
+++ b/STABLE2/changelog.txt
@@ -1,46 +1,3 @@
-Changes since 2.0.2
+Changes since 2.0.3c
 
-1) Remove restore files; don't generate them for non-statechanging
- commands.
-
-2) Restore file now loads kernel modules.
-
-3) Minor tweaks to the restore mechanism.
-
-4) Allow "!" in accounting rules.
-
-5) Backport bug fixes from stable (/var/lib/shorewall existence and
- null common action).
-
-6) Add lots of overhead to [re]start in order to catch typing errors.
-
-7) Correct reporting of installation directory in install.sh.
-
-8) Load kernel modules before detecting capabilities.
-
-9) Added the 'rejectNonSyn' standard built-in action.
-
-10) Merged Tuomo Soini's patch to the install script.
-
-11) Correct brain-cramp in module loading fix (8 above).
-
-12) Add 'key' to sample tunnel file.
-
-13) Allow multiple saved configurations.
-
-14) Add %attr spec to /etc/init.d/shorewall in the .spec file.
-
-15) Fix rules that have bridge ports in both SOURCE and DEST. Update
- comments in the rules file WRT "all" in SOURCE or DEST.
-
-16) Pass INVALID icmp packets through the blacklisting chains.
-
-17) Fix bogus code in process_tc_rule()
-
-18) Fix security vulnerability involving temporary files/directories.
-
-19) Hack security fix so that it works under Slackware.
-
-20) Fix mktempfile() where there is no mktemp utility.
-
-21) Hack security fix to correct "shorewall stop" problems.
+1) Fix DNAT logging with 'fw' as the source zone.
diff --git a/STABLE2/fallback.sh b/STABLE2/fallback.sh
index c8f7794fc..3a235a543 100755
--- a/STABLE2/fallback.sh
+++ b/STABLE2/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
-VERSION=2.0.3c
+VERSION=2.0.4
 usage() # $1 = exit status
 {
diff --git a/STABLE2/firewall b/STABLE2/firewall
index 50af7a829..41dc667f1 100755
--- a/STABLE2/firewall
+++ b/STABLE2/firewall
@@ -3068,7 +3068,7 @@ add_nat_rule() {
 else
 for adr in $(separate_list $addr); do
 if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \
+ log_rule_limit $loglevel OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \
 $(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports)
 fi
@@ -3099,7 +3099,7 @@ add_nat_rule() {
 done
 if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat
+ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -t nat
 fi
 addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
diff --git a/STABLE2/install.sh b/STABLE2/install.sh
index b05fbb775..ffc3fbd84 100755
--- a/STABLE2/install.sh
+++ b/STABLE2/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
-VERSION=2.0.3c
+VERSION=2.0.4
 usage() # $1 = exit status
 {
diff --git a/STABLE2/releasenotes.txt b/STABLE2/releasenotes.txt
index 7d132db74..cd89516ec 100644
--- a/STABLE2/releasenotes.txt
+++ b/STABLE2/releasenotes.txt
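Review bot: In the second hunk, `log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -t nat` still passes the chain name as an unquoted, unchecked expansion, which is the same failure mode the first hunk fixes: `$OUTPUT` was presumably unset, so it vanished from the argument list and every later positional parameter of log_rule_limit shifted left by one, producing the start failure the release note describes. If `$chain` can ever be empty at this point the same silent shift recurs, so either quote the positionals that may be empty (`log_rule_limit "$loglevel" "$chain" "$logtarget" "$ratelimit" "$logtag" -t nat`, assuming each holds a single word) or make log_rule_limit reject an empty chain argument up front. The `$(fix_bang …)` continuation in the first hunk must stay unquoted, since it relies on word splitting to hand iptables separate arguments. log_rule_limit is not in this diff so I cannot confirm its parameter order, and add_nat_rule begins and ends outside these hunks.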
@@ -1,172 +1,10 @@
-Shorewall 2.0.3b
+Shorewall 2.0.4
----------------------------------------------------------------------
-Problems Corrected since 2.0.2
-
-1) The 'firewall' script is not purging temporary restore files in
- /var/lib/shorewall. These files have names of the form
- "restore-nnnnn".
-
-2) The /var/lib/shorewall/restore script did not load the kernel
- modules specified in /etc/shorewall/modules.
-
-3) Specifying a null common action in /etc/shorewall/actions (e.g.,
- :REJECT) results in a startup error.
-
-4) If /var/lib/shorewall does not exist, shorewall start fails.
-
-5) DNAT rules with a dynamic source zone don't work properly. When
- used, these rules cause the rule to be checked against ALL input,
- not just input from the designated zone.
-
-6) The install.sh script reported installing some files in
- /etc/shorewall when the files were actually installed in
- /usr/share/shorewall.
-
-7) Shorewall checks netfilter capabilities before loading kernel
- modules. Hence if kernel module autoloading isn't enabled, the
- capabilities will be misdetected.
-
-8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
-
-9) The file /etc/init.d/shorewall now gets proper ownership when the
- RPM is built by a non-root user.
-
-10) Rules that specify bridge ports in both the SOURCE and DEST
- columns no longer cause "shorewall start" to fail.
-
-11) Comments in the rules file have been added to advise users that
- "all" in the SOURCE or DEST column does not affect intra-zone
- traffic.
-
-12) With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now
- passed through the blacklisting chains. Without this change, it is
- not possible to blacklist hosts that are mounting certain types of
- ICMP-based DOS attacks.
-
-Problems Corrected since 2.0.3
-
-1) A non-empty DEST entry in /etc/shorewall/tcrules will generate an
- error and Shorewall fails to start.
-
-2) A potential security vulnerablilty in the way that Shorewall
- handles temporary files and directories has been corrected.
-
-3) The security vulnerability fix failed under Slackware 9.1.
-
-4) The security vulnerability fix failed if mktemp was not installed.
-
-5) The security vulnerability fix causes error messages during
- "shorewall stop"
-
------------------------------------------------------------------------
-Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
-
-1) The 'dropNonSyn' standard builtin action has been replaced with the
- 'dropNotSyn' standard builtin action. The old name can still be used
- but will generate a warning.
-
------------------------------------------------------------------------
-New Features:
-
-1) Shorewall now supports multiple saved configurations.
-
- a) The default saved configuration (restore script) in
- /var/lib/shorewall is now specified using the RESTOREFILE option
- in shorewall.conf. If this variable isn't set then to maitain
- backward compatibility, 'restore' is assumed.
-
- The value of RESTOREFILE must be a simple file name; no slashes
- ("/") may be included.
-
- b) The "save" command has been extended to be able to specify the
- name of a saved configuration.
-
- shorewall save [ ]
-
- The current state is saved to /var/lib/shorewall/. If
- no is given, the configuration is saved to
- the file determined by the RESTOREFILE setting.
-
- c) The "restore" command has been extended to be able to specify
- the name of a saved configuration:
-
- shorewall restore [ ]
-
- The firewall state is restored from /var/lib/shorewall/. If no is given, the firewall state is
- restored from the file determined by the RESTOREFILE setting.
-
- c) The "forget" command has changed. Previously, the command
- unconditionally removed the /var/lib/shorewall/save file which
- records the current dynamic blacklist. The "forget" command now
- leaves that file alone.
-
- Also, the "forget" command has been extended to be able to
- specify the name of a saved configuration:
-
- shorewall forget [ ]
-
- The file /var/lib/shorewall/ is removed. If no is given, the file determined by the RESTOREFILE setting
- is removed.
-
- d) The "shorewall -f start" command restores the state from the
- file determined by the RESTOREFILE setting.
-
-2) "!" is now allowed in accounting rules.
-
-3) Interface names appearing within the configuration are now
- verified. Interface names must match the name of an entry in
- /etc/shorewall/interfaces (or if bridging is enabled, they must
- match the name of an entry in /etc/shorewall/interfaces or the name
- of a bridge port appearing in /etc/shorewall/hosts).
-
-4) A new 'rejNotSyn' built-in standard action has been added. This
- action responds to "New not SYN" packets with an RST.
-
- The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
- action. The old name will be accepted until the next major release
- of Shorewall but will generate a warning.
-
- Several new logging actions involving "New not SYN" packets have
- been added:
-
- logNewNotSyn -- logs the packet with disposition = LOG
- dLogNewNotSyn -- logs the packet with disposition = DROP
- rLogNewNotSyn -- logs the packet with disposition = REJECT
-
- The packets are logged at the log level specified in the
- LOGNEWNOTSYN option in shorewall.conf. If than option is empty or
- not specified, then 'info' is assumed.
-
- Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
-
- A: To simulate the behavior of NEWNOTSYN=No:
-
- a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
- b) Create /etc/shorewall/action.NoNewNotSyn containing:
-
- dLogNotSyn
- dropNotSyn
-
- c) Early in your rules file, place:
-
- NoNewNotSyn all all tcp
-
- B: Drop 'New not SYN' packets from the net only. Don't log them.
-
- a) Early in your rules file, place:
-
- dropNotSyn net all tcp
-
-5) Slackware users no longer have to modify the install.sh script
- before installation. Tuomo Soini has provided a change that allows
- the INIT and FIREWALL variables to be specified outside the script
- as in:
-
- DEST=/etc/rc.d INIT=rc.firewall ./install.sh
+Problems Corrected since 2.0.3c
+1) A DNAT rule with 'fw' as the source that specified logging caused
+ "shorewall start" to fail.
diff --git a/STABLE2/shorewall.spec b/STABLE2/shorewall.spec
index d2949df8d..e447027ab 100644
--- a/STABLE2/shorewall.spec
+++ b/STABLE2/shorewall.spec
@@ -141,6 +141,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
+* Tue Jul 06 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.0.4-1
 * Fri Jul 02 2004 Tom Eastep tom@shorewall.net
 - Updated to 2.0.3c-1
 * Wed Jun 30 2004 Tom Eastep tom@shorewall.net
diff --git a/STABLE2/uninstall.sh b/STABLE2/uninstall.sh
index 4c159f37c..a960edb15 100755
--- a/STABLE2/uninstall.sh
+++ b/STABLE2/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Seattle Firewall
-VERSION=2.0.3c
+VERSION=2.0.4
 usage() # $1 = exit status
 {