holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Implement UNTRACKED SECTION

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-01-24 15:42:01 -08:00
parent 0ca93c1ac9
commit 6403f4959d
21 changed files with 229 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -132,6 +132,7 @@ our %EXPORT_TAGS = (
blacklist_chain blacklist_chain
related_chain related_chain
invalid_chain invalid_chain
untracked_chain
zone_forward_chain zone_forward_chain
use_forward_chain use_forward_chain
input_chain input_chain
@ -1637,6 +1638,13 @@ sub invalid_chain($$) {
'_' . &rules_chain(@_); '_' . &rules_chain(@_);
} }
#
# Name of the untracked chain between an ordered pair of zones
#
sub untracked_chain($$) {
'&' . &rules_chain(@_);
}
# #
# Create the base for a chain involving the passed interface -- we make this a function so it will be # Create the base for a chain involving the passed interface -- we make this a function so it will be
# easy to change the mapping should the need ever arrive. # easy to change the mapping should the need ever arrive.

24
Shorewall/Perl/Shorewall/Config.pm
View File

@ -663,7 +663,6 @@ sub initialize( $;$$) {
LOGALLNEW => undef, LOGALLNEW => undef,
BLACKLIST_LOGLEVEL => undef, BLACKLIST_LOGLEVEL => undef,
RELATED_LOG_LEVEL => undef, RELATED_LOG_LEVEL => undef,
INVALID_LOG_LEVEL => undef,
RFC1918_LOG_LEVEL => undef, RFC1918_LOG_LEVEL => undef,
MACLIST_LOG_LEVEL => undef, MACLIST_LOG_LEVEL => undef,
TCP_FLAGS_LOG_LEVEL => undef, TCP_FLAGS_LOG_LEVEL => undef,
@ -673,6 +672,8 @@ sub initialize( $;$$) {
STARTUP_LOG => undef, STARTUP_LOG => undef,
SFILTER_LOG_LEVEL => undef, SFILTER_LOG_LEVEL => undef,
RPFILTER_LOG_LEVEL => undef, RPFILTER_LOG_LEVEL => undef,
INVALID_LOG_LEVEL => undef,
UNTRACKED_LOG_LEVEL => undef,
# #
# Location of Files # Location of Files
# #
@ -784,6 +785,7 @@ sub initialize( $;$$) {
RPFILTER_DISPOSITION => undef, RPFILTER_DISPOSITION => undef,
RELATED_DISPOSITION => undef, RELATED_DISPOSITION => undef,
INVALID_DISPOSITION => undef, INVALID_DISPOSITION => undef,
UNTRACKED_DISPOSITION => undef,
# #
# Mark Geometry # Mark Geometry
# #
@ -5227,6 +5229,7 @@ sub get_configuration( $$$$ ) {
default_log_level 'RFC1918_LOG_LEVEL', ''; default_log_level 'RFC1918_LOG_LEVEL', '';
default_log_level 'RELATED_LOG_LEVEL', ''; default_log_level 'RELATED_LOG_LEVEL', '';
default_log_level 'INVALID_LOG_LEVEL', ''; default_log_level 'INVALID_LOG_LEVEL', '';
default_log_level 'UNTRACKED_LOG_LEVEL', '';
warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL}; warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
@ -5300,12 +5303,29 @@ sub get_configuration( $$$$ ) {
fatal_error "Invalid value ($config{INVALID_DISPOSITION}) for INVALID_DISPOSITION" fatal_error "Invalid value ($config{INVALID_DISPOSITION}) for INVALID_DISPOSITION"
} }
require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/; require_capability 'AUDIT_TARGET' , "INVALID_DISPOSITION=$val", 's' if $val =~ /^A_/;
} else { } else {
$config{INVALID_DISPOSITION} = 'CONTINUE'; $config{INVALID_DISPOSITION} = 'CONTINUE';
$globals{INVALID_TARGET} = ''; $globals{INVALID_TARGET} = '';
} }
if ( $val = $config{UNTRACKED_DISPOSITION} ) {
if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
$globals{UNTRACKED_TARGET} = $val;
} elsif ( $val eq 'REJECT' ) {
$globals{UNTRACKED_TARGET} = 'reject';
} elsif ( $val eq 'A_REJECT' ) {
$globals{UNTRACKED_TARGET} = $val;
} else {
fatal_error "Invalid value ($config{UNTRACKED_DISPOSITION}) for UNTRACKED_DISPOSITION"
}
require_capability 'AUDIT_TARGET' , "UNTRACKED_DISPOSITION=$val", 's' if $val =~ /^A_/;
} else {
$config{UNTRACKED_DISPOSITION} = 'CONTINUE';
$globals{UNTRACKED_TARGET} = '';
}
if ( $val = $config{MACLIST_TABLE} ) { if ( $val = $config{MACLIST_TABLE} ) {
if ( $val eq 'mangle' ) { if ( $val eq 'mangle' ) {
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/; fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;

54
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -62,14 +62,15 @@ our %sections;
our $section; our $section;
use constant { NULL_SECTION => 0, use constant { NULL_SECTION => 0x00,
BLACKLIST_SECTION => 1, BLACKLIST_SECTION => 0x01,
ALL_SECTION => 2, ALL_SECTION => 0x02,
ESTABLISHED_SECTION => 4, ESTABLISHED_SECTION => 0x04,
RELATED_SECTION => 8, RELATED_SECTION => 0x08,
INVALID_SECTION => 16, INVALID_SECTION => 0x10,
NEW_SECTION => 32, UNTRACKED_SECTION => 0x20,
DEFAULTACTION_SECTION => 64 }; NEW_SECTION => 0x40,
DEFAULTACTION_SECTION => 0x80 };
# #
# These are the sections that may appear in a section header # These are the sections that may appear in a section header
# #
@ -77,6 +78,7 @@ our %section_map = ( ALL => ALL_SECTION,
ESTABLISHED => ESTABLISHED_SECTION, ESTABLISHED => ESTABLISHED_SECTION,
RELATED => RELATED_SECTION, RELATED => RELATED_SECTION,
INVALID => INVALID_SECTION, INVALID => INVALID_SECTION,
UNTRACKED => UNTRACKED_SECTION,
NEW => NEW_SECTION ); NEW => NEW_SECTION );
our @policy_chains; our @policy_chains;
@ -173,6 +175,7 @@ sub initialize( $ ) {
ESTABLISHED => 0, ESTABLISHED => 0,
RELATED => 0, RELATED => 0,
INVALID => 0, INVALID => 0,
UNTRACKED => 0,
NEW => 0 NEW => 0
); );
# #
@ -848,20 +851,24 @@ sub finish_chain_section ($$$) {
my $related_target = $globals{RELATED_TARGET}; my $related_target = $globals{RELATED_TARGET};
my $invalid_level = $config{INVALID_LOG_LEVEL}; my $invalid_level = $config{INVALID_LOG_LEVEL};
my $invalid_target = $globals{INVALID_TARGET}; my $invalid_target = $globals{INVALID_TARGET};
my $untracked_level = $config{UNTRACKED_LOG_LEVEL};
my $untracked_target = $globals{UNTRACKED_TARGET};
my $save_comment = push_comment; my $save_comment = push_comment;
my %state; my %state;
my %statetable = ( RELATED => [ '+', $related_level, $related_target ] , my %statetable = ( RELATED => [ '+', $related_level, $related_target ] ,
INVALID => [ '_', $invalid_level, $invalid_target ] ); INVALID => [ '_', $invalid_level, $invalid_target ] ,
UNTRACKED => [ '&', $untracked_level, $untracked_target ] ,
);
$state{$_} = 1 for split ',', $state; $state{$_} = 1 for split ',', $state;
for ( qw/ESTABLISHED RELATED INVALID/ ) { for ( qw/ESTABLISHED RELATED INVALID UNTRACKED/ ) {
delete $state{$_} if $chain1ref->{sections}{$_}; delete $state{$_} if $chain1ref->{sections}{$_};
} }
$chain1ref->{sections}{$_} = 1 for keys %state; $chain1ref->{sections}{$_} = 1 for keys %state;
for ( qw( RELATED INVALID ) ) { for ( qw( RELATED INVALID UNTRACKED ) ) {
if ( $state{$_} ) { if ( $state{$_} ) {
my ( $char, $level, $target ) = @{$statetable{$_}}; my ( $char, $level, $target ) = @{$statetable{$_}};
my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char; my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
@ -951,6 +958,8 @@ sub ensure_rules_chain( $ )
unless ( $chainref->{referenced} ) { unless ( $chainref->{referenced} ) {
if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) { if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID,UNTRACKED';
} elsif ( $section == UNTRACKED_SECTION ) {
finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID'; finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID';
} elsif ( $section == INVALID_SECTION ) { } elsif ( $section == INVALID_SECTION ) {
finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED'; finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED';
@ -978,6 +987,8 @@ sub finish_section ( $ ) {
$function = \&related_chain; $function = \&related_chain;
} elsif ( $section == INVALID_SECTION ) { } elsif ( $section == INVALID_SECTION ) {
$function = \&invalid_chain; $function = \&invalid_chain;
} elsif ( $section == UNTRACKED_SECTION ) {
$function = \&untracked_chain;
} else { } else {
$function = \&rules_chain; $function = \&rules_chain;
} }
@ -2299,7 +2310,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
# #
# Handle rules in the BLACKLIST, RELATED and INVALID sections # Handle rules in the BLACKLIST, RELATED and INVALID sections
# #
if ( $section & ( BLACKLIST_SECTION | RELATED_SECTION | INVALID_SECTION ) ) { if ( $section & ( BLACKLIST_SECTION | RELATED_SECTION | INVALID_SECTION | UNTRACKED_SECTION ) ) {
my $auxchain; my $auxchain;
my $auxref; my $auxref;
@ -2307,6 +2318,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
$auxchain = blacklist_chain( ${sourcezone}, ${destzone} ); $auxchain = blacklist_chain( ${sourcezone}, ${destzone} );
} elsif ( $section == INVALID_SECTION ) { } elsif ( $section == INVALID_SECTION ) {
$auxchain = invalid_chain( ${sourcezone}, ${destzone} ); $auxchain = invalid_chain( ${sourcezone}, ${destzone} );
} elsif ( $section == UNTRACKED_SECTION ) {
$auxchain = related_chain( ${sourcezone}, ${destzone} );
} else { } else {
$auxchain = related_chain( ${sourcezone}, ${destzone} ); $auxchain = related_chain( ${sourcezone}, ${destzone} );
} }
@ -2323,6 +2336,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
$auxref->{blacklistsection} = 1; $auxref->{blacklistsection} = 1;
} elsif ( $section == INVALID_SECTION ) { } elsif ( $section == INVALID_SECTION ) {
@state = state_imatch( 'INVALID' ); @state = state_imatch( 'INVALID' );
} elsif ( $section == UNTRACKED_SECTION ) {
@state = state_imatch( 'UNTRACKED' );
} else { } else {
@state = state_imatch 'RELATED'; @state = state_imatch 'RELATED';
}; };
@ -2412,7 +2427,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
do_headers( $headers ) , do_headers( $headers ) ,
do_condition( $condition , $chain ) , do_condition( $condition , $chain ) ,
); );
} elsif ( $section & ( INVALID_SECTION | RELATED_SECTION ) ) { } elsif ( $section & ( INVALID_SECTION | RELATED_SECTION | UNTRACKED_SECTION ) ) {
$rule = join( '', $rule = join( '',
do_proto($proto, $ports, $sports), do_proto($proto, $ports, $sports),
do_ratelimit( $ratelimit, $basictarget ) , do_ratelimit( $ratelimit, $basictarget ) ,
@ -2588,12 +2603,13 @@ sub process_section ($) {
finish_section 'ESTABLISHED'; finish_section 'ESTABLISHED';
} elsif ( $sect eq 'INVALID' ) { } elsif ( $sect eq 'INVALID' ) {
@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 ); @sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' ); finish_section ( 'ESTABLISHED,RELATED' );
} elsif ( $sect eq 'UNTRACKED' ) {
@sections{'ALL','ESTABLISHED','RELATED', 'INVALID' } = ( 1, 1, 1, 1 );
finish_section ( 'ESTABLISHED,RELATED, INVALID' );
} elsif ( $sect eq 'NEW' ) { } elsif ( $sect eq 'NEW' ) {
@sections{'ALL','ESTABLISHED','RELATED','INVALID','NEW'} = ( 1, 1, 1, 1, 1 ); @sections{'ALL','ESTABLISHED','RELATED','INVALID','UNTRACKED', 'NEW'} = ( 1, 1, 1, 1, 1, 1 );
finish_section ( ( $section == RELATED_SECTION ) ? 'RELATED,INVALID' : finish_section ( 'ESTABLISHED,RELATED,INVALID' );
( $section == INVALID_SECTION ) ? 'INVALID' :
'ESTABLISHED,RELATED,INVALID' );
} }
$section = $section_map{$sect}; $section = $section_map{$sect};

2
Shorewall/Samples/Universal/rules
View File

@ -12,6 +12,8 @@
#SECTION ALL #SECTION ALL
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW SECTION NEW
Invalid(DROP) net $FW tcp Invalid(DROP) net $FW tcp
SSH(ACCEPT) net $FW SSH(ACCEPT) net $FW

4
Shorewall/Samples/Universal/shorewall.conf
View File

@ -53,6 +53,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@ -240,6 +242,8 @@ SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

2
Shorewall/Samples/one-interface/rules
View File

@ -16,6 +16,8 @@
#SECTION ALL #SECTION ALL
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW SECTION NEW
# Drop packets in the INVALID state # Drop packets in the INVALID state

4
Shorewall/Samples/one-interface/shorewall.conf
View File

@ -64,6 +64,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@ -251,6 +253,8 @@ SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

2
Shorewall/Samples/three-interfaces/rules
View File

@ -16,6 +16,8 @@
#SECTION ALL #SECTION ALL
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW SECTION NEW
# Don't allow connection pickup from the net # Don't allow connection pickup from the net

4
Shorewall/Samples/three-interfaces/shorewall.conf
View File

@ -62,6 +62,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@ -249,6 +251,8 @@ SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

2
Shorewall/Samples/two-interfaces/rules
View File

@ -16,6 +16,8 @@
#SECTION ALL #SECTION ALL
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW SECTION NEW
# Don't allow connection pickup from the net # Don't allow connection pickup from the net

4
Shorewall/Samples/two-interfaces/shorewall.conf
View File

@ -65,6 +65,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@ -252,6 +254,8 @@ SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

2
Shorewall/configfiles/rules
View File

@ -12,4 +12,6 @@
#SECTION ALL #SECTION ALL
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW SECTION NEW

4
Shorewall/configfiles/shorewall.conf
View File

@ -53,6 +53,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@ -240,6 +242,8 @@ SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

56
Shorewall/manpages/shorewall.conf.xml
View File

@ -942,6 +942,34 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
INVALID packets through the NEW section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
packet in INVALID state fails to match any rule in the INVALID
section, the packet is disposed of based on this setting. The
default value is CONTINUE for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">INVALID_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the INVALID state that
do not match any rule in the INVALID section of <ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
logged at this level. The default value is empty which means no
logging is performed.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term> role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
@ -2439,6 +2467,34 @@ LOG:info:,bar net fw</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
UNTRACKED packets through the NEW section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
packet in UNTRACKED state fails to match any rule in the UNTRACKED
section, the packet is disposed of based on this setting. The
default value is CONTINUE for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">UNTRACKED_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
do not match any rule in the UNTRACKED section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
this level. The default value is empty which means no logging is
performed.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

4
Shorewall6/Samples6/Universal/shorewall6.conf
View File

@ -52,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@ -213,6 +215,8 @@ SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

4
Shorewall6/Samples6/one-interface/shorewall6.conf
View File

@ -52,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@ -213,6 +215,8 @@ SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

4
Shorewall6/Samples6/three-interfaces/shorewall6.conf
View File

@ -52,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@ -213,6 +215,8 @@ SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

4
Shorewall6/Samples6/two-interfaces/shorewall6.conf
View File

@ -52,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@ -213,6 +215,8 @@ SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

2
Shorewall6/configfiles/rules
View File

@ -12,4 +12,6 @@
#SECTION ALL #SECTION ALL
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW SECTION NEW

4
Shorewall6/configfiles/shorewall6.conf
View File

@ -52,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
@ -213,6 +215,8 @@ SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################

56
Shorewall6/manpages/shorewall6.conf.xml
View File

@ -818,6 +818,34 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
INVALID packets through the NEW section of <ulink
url="shorewall6-rules.html">shorewall-rules</ulink> (5). When a
packet in INVALID state fails to match any rule in the INVALID
section, the packet is disposed of based on this setting. The
default value is CONTINUE for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">INVALID_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the INVALID state that
do not match any rule in the INVALID section of <ulink
url="manpages/shorewall6-rules.html">shorewall-rules</ulink> (5) are
logged at this level. The default value is empty which means no
logging is performed.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term> role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
@ -2113,6 +2141,34 @@ LOG:info:,bar net fw</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
UNTRACKED packets through the NEW section of <ulink
url="shorewall6-rules.html">shorewall6-rules</ulink> (5). When a
packet in UNTRACKED state fails to match any rule in the UNTRACKED
section, the packet is disposed of based on this setting. The
default value is CONTINUE for compatibility with earlier
versions.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">UNTRACKED_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
do not match any rule in the UNTRACKED section of <ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
logged at this level. The default value is empty which means no
logging is performed.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>