From 68571cbbdc47aca432b7f58c82f82c32dbbdec47 Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 12 Jun 2004 16:39:54 +0000 Subject: [PATCH] Shorewall 2.0.3 Beta 1 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1396 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Lrp2/etc/shorewall/shorewall.conf | 18 ++ Lrp2/sbin/shorewall | 155 ++++++++++---- Lrp2/usr/share/shorewall/action.Drop | 2 +- Lrp2/usr/share/shorewall/action.Reject | 2 +- Lrp2/usr/share/shorewall/actions.std | 7 + Lrp2/usr/share/shorewall/firewall | 268 +++++++++++++++++-------- Lrp2/usr/share/shorewall/functions | 8 + Lrp2/usr/share/shorewall/help | 27 ++- Lrp2/usr/share/shorewall/version | 2 +- 9 files changed, 360 insertions(+), 129 deletions(-) diff --git a/Lrp2/etc/shorewall/shorewall.conf b/Lrp2/etc/shorewall/shorewall.conf index 70ee6d5b4..93d2febcf 100755 --- a/Lrp2/etc/shorewall/shorewall.conf +++ b/Lrp2/etc/shorewall/shorewall.conf @@ -258,6 +258,24 @@ MODULESDIR= # CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed. CONFIG_PATH=/etc/shorewall:/usr/share/shorewall + +# +# RESTORE SCRIPT +# +# This option determines the script to be run in the following cases: +# +# shorewall -f start +# shorewall restore +# shorewall save +# shorewall forget +# Failure of shorewall start or shorewall restart +# +# The value of the option must be the name of an executable file in the +# directory /var/lib/shorewall. If this option is not set or if it is +# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is +# assumed. + +RESTOREFILE= ################################################################################ # F I R E W A L L O P T I O N S ################################################################################ diff --git a/Lrp2/sbin/shorewall b/Lrp2/sbin/shorewall index 0883fce27..f4172bb7c 100755 --- a/Lrp2/sbin/shorewall +++ b/Lrp2/sbin/shorewall @@ -76,14 +76,17 @@ # listed address(es) # shorewall allow
... Reenable address(es) previously # disabled with "drop" or "reject" -# shorewall save Save the list of "rejected" and +# shorewall save [ ] Save the list of "rejected" and # "dropped" addresses so that it will # be automatically reinstated the # next time that Shorewall starts. # Save the current state so that 'shorewall # restore' can be used. # -# shorewall forget Discard the data saved by 'shorewall save' +# shorewall forget [ ] Discard the data saved by 'shorewall save' +# +# shorewall restore [ ] Restore the state of the firewall from +# previously saved information. # # shorewall ipaddr [
/ |
] # @@ -131,6 +134,19 @@ showchain() # $1 = name of chain fi } +# +# Validate the value of RESTOREFILE +# +validate_restorefile() # $* = label +{ + case $RESTOREFILE in + */*) + echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2 + exit 2 + ;; + esac +} + # # Set the configuration variables from shorewall.conf # @@ -160,11 +176,17 @@ get_config() { if [ -n "$SHOREWALL_SHELL" ]; then if [ ! -e "$SHOREWALL_SHELL" ]; then - echo "The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2 + echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2 exit 2 fi fi + [ -n "$RESTOREFILE" ] || RESTOREFILE=restore + + validate_restorefile RESTOREFILE + + export RESTOREFILE + } # @@ -535,7 +557,7 @@ help() # usage() # $1 = exit status { - echo "Usage: $(basename $0) [debug|trace] [nolock] [-c ] [ -x ] [ -q ] " + echo "Usage: $(basename $0) [debug|trace] [nolock] [-c ] [ -x ] [ -q ] [ -f ] " echo "where is one of:" echo " add [:] " echo " allow
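Review bot: validate_restorefile (hunk @@ -131) rejects only names containing a `/`, so `.`, `..` and the empty string pass, and the `save`, `forget` and `restore` commands later in this patch accept an empty second argument (`case $# in 2)` assigns `RESTOREFILE="$2"` unconditionally), which turns RESTOREPATH into /var/lib/shorewall/, /var/lib/shorewall/. or /var/lib/shorewall/.. — directories that the later `[ -x $RESTOREPATH ]` tests accept. Extending the pattern closes all three call sites at once: `''|.|..|*/*)`. Quoting the expansions in those tests (`[ -x "$RESTOREPATH" ]`) is worth doing in the same pass.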
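Review bot: The reworded SHOREWALL_SHELL message (hunk @@ -160) says the program "does not exist or is not executable", but the test on the line above it is still `[ ! -e "$SHOREWALL_SHELL" ]`, which only checks existence; a non-executable interpreter passes here and the later `exec $SHOREWALL_SHELL $FIREWALL ...` fails with a less helpful error. Either test what the message claims, `if [ ! -x "$SHOREWALL_SHELL" ]; then`, or trim the message. get_config continues outside the hunk.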
..." @@ -543,7 +565,7 @@ usage() # $1 = exit status echo " clear" echo " delete [:] " echo " drop
..." - echo " forget" + echo " forget [ ]" echo " help [ | host | address ]" echo " hits" echo " ipcalc [
/ |
]" @@ -554,8 +576,8 @@ usage() # $1 = exit status echo " reject
..." echo " reset" echo " restart" - echo " restore" - echo " save" + echo " restore [ ]" + echo " save [ ]" echo " show [ [ ... ]|classifiers|connections|log|nat|tc|tos]" echo " start" echo " stop" @@ -735,11 +757,14 @@ case "$1" in [ $# -ne 1 ] && usage 1 get_config if [ -n "$FAST" ]; then - if [ -f /var/lib/shorewall/restore ]; then + + RESTOREPATH=/var/lib/shorewall/$RESTOREFILE + + if [ -x $RESTOREPATH ]; then echo Restoring Shorewall... - . /var/lib/shorewall/restore + $RESTOREPATH date > $STATEDIR/restarted - echo Shorewall restored + echo Shorewall restored from $RESTOREPATH else exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start fi 
@@ -963,28 +988,57 @@ case "$1" in ;; save) [ -n "$debugging" ] && set -x - [ $# -ne 1 ] && usage 1 + + get_config + + case $# in + 1) + ;; + 2) + RESTOREFILE="$2" + validate_restorefile '' + ;; + *) + usage 1 + ;; + esac + + RESTOREPATH=/var/lib/shorewall/$RESTOREFILE + mutex_on if qt iptables -L shorewall -n; then - [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall + [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall - if iptables -L dynamic -n > /var/lib/shorewall/save; then - echo " Dynamic Rules Saved" - if [ -f /var/lib/shorewall/restore-base ]; then - cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$ - if iptables-save >> /var/lib/shorewall/restore-$$ ; then - echo EOF >> /var/lib/shorewall/restore-$$ - mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore - chmod +x /var/lib/shorewall/restore - echo " Currently-running Configuration Saved" - else - rm -f /var/lib/shorewall/restore-$$ - echo " ERROR: Currently-running Configuration Not Saved" - fi - fi + if [ -f $RESTOREPATH -a ! 
-x $RESTOREPATH ]; then + echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration" else - echo "Error Saving the Dynamic Rules" + case $RESTOREFILE in + save|restore-base) + echo " ERROR: Reserved file name: save" + ;; + *) + if iptables -L dynamic -n > /var/lib/shorewall/save; then + echo " Dynamic Rules Saved" + if [ -f /var/lib/shorewall/restore-base ]; then + cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$ + if iptables-save >> /var/lib/shorewall/restore-$$ ; then + echo __EOF__ >> /var/lib/shorewall/restore-$$ + mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH + chmod +x $RESTOREPATH + echo " Currently-running Configuration Saved to $RESTOREPATH" + else + rm -f /var/lib/shorewall/restore-$$ + echo " ERROR: Currently-running Configuration Not Saved" + fi + else + echo " ERROR: /var/lib/shorewall/restore-base does not exist" + fi + else + echo "Error Saving the Dynamic Rules" + fi + ;; + esac fi else echo "Shorewall isn't started" @@ -992,9 +1046,28 @@ case "$1" in mutex_off ;; forget) - rm -f /var/lib/shorewall/restore - rm -f /var/lib/shorewall/save - echo " Previously saved information discarded" + get_config + case $# in + 1) + ;; + 2) + RESTOREFILE="$2" + validate_restorefile '' + ;; + *) + usage 1 + ;; + esac + + + RESTOREPATH=/var/lib/shorewall/$RESTOREFILE + + if [ -x $RESTOREPATH ]; then + rm -f $RESTOREPATH + echo " $RESTOREPATH removed" + elif [ -f $RESTOREPATH ]; then + echo " ERROR: $RESTOREPATH is not a restore script" + fi ;; ipcalc) [ -n "$debugging" ] && set -x 
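Review bot: In the `save` command (hunk @@ -963) the reserved-name branch matches `save|restore-base` but always prints `Reserved file name: save`, so a user who typed `restore-base` is told the wrong name; use `echo " ERROR: Reserved file name: $RESTOREFILE"`. The new guard `[ -f $RESTOREPATH -a ! -x $RESTOREPATH ]` treats any executable at that path as "a saved Shorewall configuration" and replaces it with `mv -f`; since define_firewall (hunk @@ -5419) now writes a `# Restore base file generated by Shorewall` header into every generated script, checking for that marker (e.g. `grep -q '^# Restore base file generated by Shorewall' "$RESTOREPATH"`) would be a more reliable test than the execute bit, and the same applies to the `-x` tests in `forget` and `restore`. Both expansions in that test should be quoted and the deprecated `-a` split into two tests, `[ -f "$RESTOREPATH" ] && [ ! -x "$RESTOREPATH" ]`.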
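Review bot: `forget` (hunk @@ -992) no longer removes /var/lib/shorewall/save, which the removed lines did delete; if that is intentional because the dynamic-rules file is now shared by every named restore script, a comment saying so would stop the next reader from treating it as an omission, and the `help forget` text in this patch should say the same. When neither branch of the new `if` matches (no file at all) the command prints nothing, so a mistyped name goes unnoticed; an `else echo " $RESTOREPATH does not exist"` arm would help. `rm -f $RESTOREPATH` and the two tests should quote the expansion.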
@@ -1032,12 +1105,26 @@ case "$1" in esac ;; restore) - if [ -f /var/lib/shorewall/restore ]; then + get_config + case $# in + 1) + ;; + 2) + RESTOREFILE="$2" + validate_restorefile '' + ;; + *) + usage 1 + ;; + esac + + RESTOREPATH=/var/lib/shorewall/$RESTOREFILE + + if [ -x $RESTOREPATH ]; then echo Restoring Shorewall... - . /var/lib/shorewall/restore - echo Shorewall restored + $RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE" else - echo "File /var/lib/shorewall/restore: file not found" + echo "File /var/lib/shorewall/$RESTOREFILE: file not found" exit 2 fi ;; diff --git a/Lrp2/usr/share/shorewall/action.Drop b/Lrp2/usr/share/shorewall/action.Drop index 00e03cfa1..04feb4ce7 100644 --- a/Lrp2/usr/share/shorewall/action.Drop +++ b/Lrp2/usr/share/shorewall/action.Drop @@ -10,6 +10,6 @@ RejectAuth dropBcast DropSMB DropUPnP -dropNonSyn +dropNotSyn DropDNSrep #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp2/usr/share/shorewall/action.Reject b/Lrp2/usr/share/shorewall/action.Reject index ddcd9ad58..1799ecc6c 100644 --- a/Lrp2/usr/share/shorewall/action.Reject +++ b/Lrp2/usr/share/shorewall/action.Reject @@ -10,6 +10,6 @@ RejectAuth dropBcast RejectSMB DropUPnP -dropNonSyn +dropNotSyn DropDNSrep #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp2/usr/share/shorewall/actions.std b/Lrp2/usr/share/shorewall/actions.std index 2e9fbab99..b762d2730 100644 --- a/Lrp2/usr/share/shorewall/actions.std +++ b/Lrp2/usr/share/shorewall/actions.std 
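Review bot: In `restore` (hunk @@ -1032) a failing restore script is silent: `$RESTOREPATH && echo ...` prints nothing on failure and does not `exit 2` the way the file-not-found branch does, so the caller is left believing the firewall is in its saved state; the same unchecked call appears in the `-f start` path. Split it: `$RESTOREPATH || { echo " ERROR: restore from $RESTOREPATH failed" >&2; exit 2; }` followed by `echo "Shorewall restored from $RESTOREPATH"`, which also reuses the RESTOREPATH set three lines earlier instead of rebuilding the path. `save` wraps its work in mutex_on/mutex_off but `restore` does not; if the lock is meant to serialize all netfilter changes, restore presumably needs it too.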
@@ -6,6 +6,13 @@ # # dropBcast #Silently Drop Broadcast/multicast # dropNonSyn #Silently Drop Non-syn TCP packets +# rejNonSyn #Silently Reject Non-syn TCP packets +# logNonSyn #Log Non-syn TCP packets with disposition LOG +# dLogNonSyn #Log Non-syn TCP packets with disposition DROP +# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT +# +# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in +# shorewall.conf. If that option isn't specified then 'info' is used. # #ACTION diff --git a/Lrp2/usr/share/shorewall/firewall b/Lrp2/usr/share/shorewall/firewall index 9d186d78d..9d8b573e9 100755 --- a/Lrp2/usr/share/shorewall/firewall +++ b/Lrp2/usr/share/shorewall/firewall @@ -51,11 +51,6 @@ my_mutex_off() { [ -n "$have_mutex" ] && { mutex_off; have_mutex=; } } -progress_message() # $* = Message -{ - [ -n "$QUIET" ] || echo "$@" -} - # # Message to stderr # @@ -108,6 +103,17 @@ save_command() echo "$@" >> /var/lib/shorewall/restore-$$ } +# +# Write a progress_message command to /var/lib/shorewall/restore-$$ +# +save_progress_message() +{ + + echo >> /var/lib/shorewall/restore-$$ + echo "progress_message \"$@\"" >> /var/lib/shorewall/restore-$$ + echo >> /var/lib/shorewall/restore-$$ +} + # # Save the passed command in the restore script then run it -- returns the status of the command # If the command involves file redirection then it must be enclosed in quotes as in: @@ -133,12 +139,13 @@ ensure_and_save_command() } # -# Append a file to /var/lib/shorewall/restore-$$ +# Append a file in $STATEDIR to /var/lib/shorewall/restore-$$ # -append_file() { - save_command "cat > $STATEDIR/$1 << EOF" +append_file() # $1 = File Name +{ + save_command "cat > $STATEDIR/$1 << __EOF__" cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$ - save_command EOF + save_command __EOF__ } # 
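Review bot: The names documented in actions.std (hunk @@ -6) do not match the builtins this patch registers: the comment lists `rejNonSyn`, `logNonSyn`, `dLogNonSyn` and `rLogNonSyn`, while process_actions1 (hunk @@ -2682 of firewall) defines `rejNotSyn logNotSyn rLogNotSyn dLogNotSyn`, and action.Drop/action.Reject are switched to `dropNotSyn`. A user who copies a name from this file will get an unknown-action error. Change the four comment lines to the `NotSyn` spelling, and consider documenting `dropNotSyn` next to the now-deprecated `dropNonSyn`.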
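Review bot: append_file (hunk @@ -133) writes its here-document as `cat > $STATEDIR/$1 << __EOF__` with an unquoted delimiter, and define_firewall does the same for `iptables-restore << __EOF__` (hunk @@ -5476); the body of an unquoted here-document is subject to parameter expansion and command substitution when the restore script runs as root, so a `$`, backquote or backslash in the captured state file or in iptables-save output (log prefixes and `-m comment` strings are user-supplied text) is interpreted rather than passed through. Quote the delimiter at both sites, `<< '__EOF__'`, and keep the closing `__EOF__` as it is. The rename from EOF to __EOF__ only reduces the chance of an accidental early terminator; it does not change this.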
@@ -576,7 +583,7 @@ known_interface() # $1 = interface name match_source_dev() { if [ -n "$BRIDGING" ]; then - known_interface $1 && echo -i $1 || physdev_echo "--physdev-in $1" + list_search $1 $all_ports && physdev_echo "--physdev-in $1" || echo -i $1 else echo -i $1 fi @@ -585,12 +592,17 @@ match_source_dev() match_dest_dev() { if [ -n "$BRIDGING" ]; then - known_interface $1 && echo -o $1 || physdev_echo "--physdev-out $1" + list_search $1 $all_ports && physdev_echo "--physdev-out $1" || echo -o $1 else echo -o $1 fi } +verify_interface() +{ + known_interface $1 || { [ -n $BRIDGING ] && list_search $1 $all_ports ; } +} + # # # Find hosts in a given zone @@ -765,7 +777,7 @@ validate_interfaces_file() { if [ -z "$found_obsolete_option" ]; then found_obsolete_option=yes error_message \ - "Warning: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0" + "WARNING: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0" error_message \ " PLEASE STAND BY WHILE SHOREWALL REFORMATS YOUR HARD DRIVE TO REMOVE THESE OPTIONS..." sleep 5 @@ -798,6 +810,13 @@ validate_interfaces_file() { validate_hosts_file() { local z hosts options r interface host option port ports + check_bridge_port() + { + list_search $1 $ports || ports="$ports $1" + list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}" + list_search $1 $all_ports || all_ports="$all_ports $1" + } + while read z hosts options; do expandv z hosts options r="$z $hosts $options" 
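Review bot: verify_interface (hunk @@ -585) tests `[ -n $BRIDGING ]` without quotes, so when BRIDGING is empty the test becomes `[ -n ]`, a one-argument test that is true for the non-empty string `-n`; the bridge-port lookup therefore runs even in non-bridging mode and the result depends on what list_search does with an empty list rather than on the intended guard. Write it `known_interface $1 || { [ -n "$BRIDGING" ] && list_search $1 $all_ports ; }`. match_source_dev/match_dest_dev in the same area rely on `$all_ports`, which is only populated by validate_hosts_file, so a comment on verify_interface noting that it is meaningful only after the hosts file has been processed would help callers added later.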
@@ -820,17 +839,14 @@ validate_hosts_file() { *:*) known_interface ${host%:*} && \ startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" - port=${host%%:*} - list_search $port $ports || ports="$ports $port" - list_search ${interface}:${port} $zports || zports="$zports ${interface}:${port}" + check_bridge_port ${host%%:*} ;; *.*.*.*) ;; *) known_interface $host && \ startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" - list_search $host $ports || ports="$ports $host" - list_search ${interface}:${host} $zports || zports="$zports ${interface}:${host}" + check_bridge_port $host ;; esac @@ -855,6 +871,8 @@ validate_hosts_file() { fi done < $TMP_DIR/hosts + + [ -n "$all_ports" ] && echo " Bridge ports are: $all_ports" } # @@ -1178,6 +1196,9 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo # Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING # setup_forwarding() { + + save_progress_message "Restoring IP Forwarding..." + case "$IP_FORWARDING" in [Oo][Nn]) run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" @@ -1198,6 +1219,7 @@ disable_ipv6() { if [ -n "$foo" ]; then if qt which ip6tables; then + save_progress_message "Disabling IPV6..." ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP @@ -1226,10 +1248,15 @@ stop_firewall() { ;; *) set +x - if [ -f /var/lib/shorewall/restore ]; then + + [ -z "$RESTOREFILE" ] && RESTOREFILE=restore + + RESTOREPATH=/var/lib/shorewall/$RESTOREFILE + + if [ -x $RESTOREPATH ]; then echo Restoring Shorewall... - . /var/lib/shorewall/restore - echo Shorewall restored + $RESTOREPATH + echo "Shorewall restored from $RESTOREPATH" my_mutex_off kill $$ exit 2 
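Review bot: The line added at the end of validate_hosts_file (hunk @@ -855), `[ -n "$all_ports" ] && echo ...`, becomes the function's return status, so validate_hosts_file now returns 1 whenever no bridge ports were defined; harmless if nothing checks its status, but a trailing `return 0` or an `if` form avoids a surprise for any caller that does. The same `[ "$COMMAND" != check ] && ...` pattern is the last statement of the new log_action and of several arms in process_actions2, with the same effect in check mode.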
@@ -1640,6 +1667,8 @@ setup_proxy_arp() { > ${STATEDIR}/proxyarp + save_progress_message "Restoring Proxy ARP..." + while read address interface external haveroute persistent; do expandv address interface external haveroute persistent setup_one_proxy_arp @@ -1840,6 +1869,8 @@ setup_nat() { # > ${STATEDIR}/nat + save_progress_message "Restoring one-to-one NAT..." + while read external interface internal allints localnat; do expandv external interface internal allints localnat @@ -1995,10 +2026,8 @@ process_tc_rule() chain=tcout ;; *) - if [ -z "$BRIDGING" ] && ! list_search $source $all_interfaces; then - fatal_error "Unknown interface $source in rule \"$rule\"" - fi - + + verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" r="$(match_source_dev) $source " ;; esac @@ -2023,7 +2052,11 @@ process_tc_rule() esac fi - [ "x$dest" = "x-" ] || r="${r}-d $dest " + if [ "x$dest" != "x-" ]; then + verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\"" + r="${r}$(match_dest_dev $dest) " + fi + [ "$proto" = "all" ] || r="${r}-p $proto " [ "x$port" = "x-" ] || r="${r}--dport $port " [ "x$sport" = "x-" ] || r="${r}--sport $sport " @@ -2095,6 +2128,8 @@ setup_tc1() { run_iptables -t mangle -A OUTPUT -j tcout run_user_exit tcstart + + save_progress_message "Restoring Traffic Control..." save_command . $(find_file tcstart) } @@ -2118,6 +2153,8 @@ delete_tc() } + save_progress_message "Clearing Traffic Control/QOS" + run_user_exit tcclear run_ip link list | \ @@ -2144,6 +2181,14 @@ process_accounting_rule() { error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport } + accounting_interface_error() { + error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport + } + + accounting_interface_verify() { + verify_interface $1 || accounting_interface_error $1 + } + jump_to_chain() { if ! havechain $jumpchain; then if ! createchain2 $jumpchain No; then 
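Review bot: process_tc_rule (hunks @@ -1995 and @@ -2023) now accepts a bridge port in SOURCE through verify_interface, but the unchanged line that follows, `r="$(match_source_dev) $source "`, calls match_source_dev with no argument and glues the name on afterwards, so under BRIDGING a port that verify_interface just accepted is presumably emitted as `-i port` rather than `--physdev-in port` (with an empty `$1`, `list_search $1 $all_ports` is unlikely to match the port). Passing the name through, `r="$(match_source_dev $source) "`, matches the way the new DEST branch already calls `match_dest_dev $dest`. The DEST change also replaces `-d $dest` with an interface match; if tcrules previously allowed an address in that column, existing rules now fail verify_interface and the change deserves a mention in the documentation.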
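Review bot: accounting_interface_verify (hunk @@ -2144) only warns through accounting_interface_error and then returns, so every caller added in hunks @@ -2157, @@ -2165 and @@ -2179 goes on to build and install the rule with match_source_dev/match_dest_dev for the unknown name; the tos-rule counterpart in this patch (hunk @@ -3708) warns and returns, and add_an_action/add_a_rule make it fatal. Pick one behaviour: either `accounting_interface_verify() { verify_interface $1 || { accounting_interface_error $1; return 1; }; }` with the callers skipping the rule when it fails, or call fatal_error as the other helpers do. The warning text also ends with `in ` followed by the raw rule fields, which reads oddly; `in rule "$action $chain ..."` would match accounting_error.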
@@ -2157,6 +2202,7 @@ process_accounting_rule() { case $source in *:*) + accounting_interface_verify ${source%:*} rule="-s ${source#*:} $(match_source_dev ${source%:*})" ;; *.*.*.*) @@ -2165,12 +2211,16 @@ process_accounting_rule() { -|all|any) ;; *) - [ -n "$source" ] && rule="$(match_source_dev $source)" + if [ -n "$source" ]; then + accounting_interface_verify $source + rule="$(match_source_dev $source)" + fi ;; esac [ -n "$dest" ] && case $dest in *:*) + accounting_interface_verify ${dest%:*} rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})" ;; *.*.*.*) @@ -2179,6 +2229,7 @@ process_accounting_rule() { -|all|any) ;; *) + accounting_interface_verify $dest rule="$rule $(match_dest_dev $dest)" ;; esac @@ -2233,8 +2284,8 @@ process_accounting_rule() { ensurechain1 $chain - if iptables -A $chain $rule ; then - [ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2 + if iptables -A $chain $(fix_bang $rule) ; then + [ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2 progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport Added else accounting_error @@ -2409,6 +2460,16 @@ add_an_action() fi } + interface_error() + { + fatal_error "Unknown interface $1 in rule: \"$rule\"" + } + + action_interface_verify() + { + verify_interface $1 || interface_error $1 + } + # Set source variables. The 'cli' variable will hold the client match predicate(s). cli= @@ -2417,6 +2478,7 @@ add_an_action() -) ;; *:*) + action_interface_verify ${client%:*} cli="$(match_source_dev ${client%:*}) -s ${client#*:}" ;; *.*.*) @@ -2426,7 +2488,10 @@ add_an_action() cli=$(mac_match $client) ;; *) - [ -n "$client" ] && cli="$(match_source_dev $client)" + if [ -n "$client" ]; then + action_interface_verify $client + cli="$(match_source_dev $client)" + fi ;; esac 
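Review bot: add_an_action (hunk @@ -2409) and add_a_rule (hunk @@ -3091) each define an `interface_error` function with the identical body `fatal_error "Unknown interface $1 in rule: \"$rule\""`; shell functions are global, so the second definition simply replaces the first, and the wrappers action_interface_verify/rule_interface_verify differ only in name. A single file-level helper beside verify_interface, say `verify_rule_interface() { verify_interface $1 || fatal_error "Unknown interface $1 in rule: \"$rule\""; }`, would remove the duplication, and its reliance on `$rule` being visible by dynamic scope could then be documented once.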
@@ -2445,7 +2510,10 @@ add_an_action() fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" ;; *) - [ -n "$server" ] && dest_interface="$(match_dest_dev $server)" + if [ -n "$server" ]; then + action_interface_verify $server + dest_interface="$(match_dest_dev $server)" + fi ;; esac @@ -2496,9 +2564,8 @@ add_an_action() $(fix_bang $proto $sports $multiport $cli -d $srv $dports) fi - [ "$logtarget" = LOG ] || \ - run_iptables2 -A $action $proto $multiport $cli $sports \ - -d $srv $dports $ratelimit $userandgroup -j $target + run_iptables2 -A $action $proto $multiport $cli $sports \ + -d $srv $dports $ratelimit $userandgroup -j $target done done else @@ -2507,9 +2574,8 @@ add_an_action() $(fix_bang $proto $sports $multiport $cli $dports) fi - [ "$logtarget" = LOG ] || \ - run_iptables2 -A $action $proto $multiport $cli $sports \ - $dports $ratelimit $userandgroup -j $target + run_iptables2 -A $action $proto $multiport $cli $sports \ + $dports $ratelimit $userandgroup -j $target fi fi } @@ -2682,33 +2748,9 @@ createactionchain() # $1 = chain name # process_actions1() { - # - # Add the builtin actions - # - add_builtin_actions() { - if [ "$COMMAND" != check ]; then - createchain dropBcast no - qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP - if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then - # - # No pkttype support -- do it the hard way - # - for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do - run_iptables -A dropBcast -d $address -j DROP - done - fi - - createchain dropNonSyn no - run_iptables -A dropNonSyn -p tcp ! --syn -j DROP - fi - - ACTIONS="dropBcast dropNonSyn" - USEDACTIONS="dropBcast dropNonSyn" - - } - - add_builtin_actions + ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn" + USEDACTIONS= strip_file actions 
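Review bot: Removing `[ "$logtarget" = LOG ] ||` in both branches of add_an_action (hunks @@ -2496 and @@ -2507) means that when the action's target is LOG the run_iptables2 line now adds a `-j LOG` rule after the log_rule call a few lines above has presumably already emitted one; if that is the intended fix (for example because log_rule is skipped when no level is given), a one-line comment above the call explaining why the guard was dropped would keep it from being reinstated, and if it is not, each action chain gets two LOG rules per rule. add_an_action begins outside these hunks.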
@@ -2821,6 +2863,10 @@ process_actions2() { process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec } + + log_action() { + [ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn + } # # Generate the transitive closure of $USEDACTIONS # @@ -2844,7 +2890,38 @@ process_actions2() { # for xaction in $USEDACTIONS; do case $xaction in - dropNonSyn|dropBcast) + dropBcast) + if [ "$COMMAND" != check ]; then + qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP + if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then + # + # No pkttype support -- do it the hard way + # + for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do + run_iptables -A dropBcast -d $address -j DROP + done + fi + fi + ;; + dropNonSyn) + error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\"" + [ "$COMMAND" != check ] && run_iptables -A dropNonSyn -p tcp ! --syn -j DROP + ;; + + dropNotSyn) + [ "$COMMAND" != check ] && run_iptables -A dropNotSyn -p tcp ! --syn -j DROP + ;; + rejNotSyn) + [ "$COMMAND" != check ] && run_iptables -A rejectNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset + ;; + logNotSyn) + log_action logNotSyn LOG + ;; + rLogNotSyn) + log_action rLogNotSyn REJECT + ;; + dLogNotSyn) + log_action dLogNotSyn DROP ;; *) f=action.$xaction @@ -3091,6 +3168,16 @@ add_a_rule() fi } + interface_error() + { + fatal_error "Unknown interface $1 in rule: \"$rule\"" + } + + rule_interface_verify() + { + verify_interface $1 || interface_error $1 + } + # Set source variables. The 'cli' variable will hold the client match predicate(s). cli= @@ -3099,6 +3186,7 @@ add_a_rule() -) ;; *:*) + rule_interface_verify ${client%:*} cli="$(match_source_dev ${client%:*}) -s ${client#*:}" ;; *.*.*) 
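Review bot: The `rejNotSyn` arm in process_actions2 (hunk @@ -2844) appends to chain `rejectNotSyn`, but the action registered in ACTIONS (hunk @@ -2682) and therefore the chain created for it is `rejNotSyn`, so iptables fails with a missing chain the first time the action is used; the line should read `run_iptables -A rejNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset`. The `dLogNotSyn` and `rLogNotSyn` arms only call log_action; if log_rule emits just the LOG rule, as its use in add_an_action next to a separate `run_iptables2 ... -j $target` suggests, those two chains log and then return without dropping or rejecting, which is the fail-open case the names promise to prevent — each needs a following `[ "$COMMAND" != check ] && run_iptables -A dLogNotSyn -p tcp ! --syn -j DROP` (REJECT with tcp-reset for rLogNotSyn). A short comment above log_action stating which disposition it does and does not install would settle this for the next reader.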
@@ -3108,7 +3196,10 @@ add_a_rule() cli=$(mac_match $client) ;; *) - [ -n "$client" ] && cli="$(match_source_dev $client)" + if [ -n "$client" ]; then + rule_interface_verify $client + cli="$(match_source_dev $client)" + fi ;; esac @@ -3128,7 +3219,8 @@ add_a_rule() ;; *) if [ -n "$server" ]; then - [ -n "$nonat" ] && fatal_error "Destination interface not allowe with $logtarget" + [ -n "$nonat" ] && fatal_error "Destination interface not allowed with $logtarget" + rule_interface_verify $server dest_interface="$(match_dest_dev $server)" fi ;; @@ -3708,6 +3800,11 @@ process_tos_rule() { # # Assume that this is a device name # + if ! verify_interface $src ; then + error_message "Warning: Unknown Interface in rule \"$rule\" ignored" + return + fi + src="$(match_source_dev $src)" ;; esac @@ -4285,7 +4382,7 @@ setup_masq() strip_file masq $1 - [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" + [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..." while read fullinterface networks addresses proto ports; do expandv fullinterface networks addresses proto ports @@ -4507,6 +4604,8 @@ add_ip_aliases() set -- $aliases_to_add + save_progress_message "Restoring IP Addresses..." + while [ $# -gt 0 ]; do external=$1 interface=$2 @@ -4529,7 +4628,7 @@ add_ip_aliases() # load_kernel_modules() { - local save_modules_dir=$MODULESDIR + save_modules_dir=$MODULESDIR [ -z "$MODULESDIR" ] && \ MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter @@ -4537,7 +4636,7 @@ load_kernel_modules() modules=$(find_file modules) if [ -f $modules -a -d $MODULESDIR ]; then - echo "Loading Modules..." + progress_message "Loading Modules..." . $modules fi @@ -4547,12 +4646,10 @@ load_kernel_modules() save_load_kernel_modules() { - [ -z "$MODULESDIR" ] && \ - MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter - modules=$(find_file modules) - save_command "reload_kernel_modules < $f" done 
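Review bot: load_kernel_modules (hunk @@ -4529) drops `local` from `save_modules_dir=$MODULESDIR`, making it a global, and save_load_kernel_modules (hunk @@ -4547) loses its own MODULESDIR default, so it now depends on load_kernel_modules having run earlier in the same process (do_initialize does call it, hunk @@ -5948). Neither change is explained; a comment on save_load_kernel_modules such as `# Relies on MODULESDIR having been set by load_kernel_modules in do_initialize` would document the coupling, and if save_modules_dir is meant to be read elsewhere the header comment of load_kernel_modules should name it. Both functions begin or end outside the hunks.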
@@ -5055,6 +5154,8 @@ add_common_rules() { if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then echo "Setting up Kernel Route Filtering..." + save_progress_message "Restoring Route Filtering..." + for f in /proc/sys/net/ipv4/conf/*/rp_filter; do run_and_save_command "echo 0 > $f" done @@ -5419,7 +5520,10 @@ define_firewall() # $1 = Command (Start or Restart) [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall echo '#bin/sh' > /var/lib/shorewall/restore-$$ - echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$ + save_command "#" + save_command "# Restore base file generated by Shorewall $version - $(date)" + save_command "#" + save_command ". /usr/share/shorewall/functions" save_command "MODULESDIR=\"$MODULESDIR\"" save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\"" @@ -5476,9 +5580,11 @@ define_firewall() # $1 = Command (Start or Restart) save_command "date > $STATEDIR/restarted" - save_command 'iptables-restore << EOF' + save_progress_message "Restoring Netfilter Configuration..." - # 'shorewall save' appends the iptables-save output and 'EOF' + save_command 'iptables-restore << __EOF__' + + # 'shorewall save' appends the iptables-save output and '__EOF__' mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-base @@ -5948,16 +6054,16 @@ do_initialize() { ensure_config_path # # Determine the capabilities of the installed iptables/netfilter - # We load the kernel modules so that capabilities can be - # accurately detected when kernel module autoloading is not - # enabled. + # We load the kernel modules here to acurately determine + # capabilities when module autoloading isn't enabled. # + [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz" load_kernel_modules determine_capabilities [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall - + [ -d $STATEDIR ] || mkdir -p $STATEDIR [ -z "$FW" ] && FW=fw diff --git a/Lrp2/usr/share/shorewall/functions b/Lrp2/usr/share/shorewall/functions index 57f079376..443cd2c2a 100644 
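Review bot: The rewritten comment in do_initialize (hunk @@ -5948) misspells "accurately" as `acurately`; `# We load the kernel modules here to accurately determine`. The new `MODULE_SUFFIX` default on the next line is a user-visible setting with no comment; one line naming where it can be overridden (shorewall.conf, presumably) and why `o gz ko o.gz ko.gz` is the list would help. do_initialize continues outside the hunk.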
--- a/Lrp2/usr/share/shorewall/functions +++ b/Lrp2/usr/share/shorewall/functions @@ -33,6 +33,14 @@ list_count() { list_count1 $(separate_list $1) } +# +# Conditionally produce message +# +progress_message() # $* = Message +{ + [ -n "$QUIET" ] || echo "$@" +} + # # Suppress all output for a command # diff --git a/Lrp2/usr/share/shorewall/help b/Lrp2/usr/share/shorewall/help index af39ec8e7..09e61e179 100755 --- a/Lrp2/usr/share/shorewall/help +++ b/Lrp2/usr/share/shorewall/help @@ -117,9 +117,9 @@ drop) ;; forget) - echo "forget: forget - Deletes /var/lib/shorewall/save and /var/lib/shorewall/restore. Those - files are created by the 'shorewall save' command + echo "forget: forget [ ] + Deletes /var/lib/shorewall/. If no is given then + the file specified by RESTOREFILE in shorewall.conf is removed. See also \"help save\"" ;; @@ -194,18 +194,22 @@ restart) ;; restore) - echo "restore: restore - Restore Shorewall to its last state saved using the 'save' command - Existing connections are maintained. + echo "restore: restore [ ] + Restore Shorewall to a state saved using the 'save' command + Existing connections are maintained. The names a restore file in + /var/lib/shorewall created using "shorewall save"; if no is given + then Shorewall will be restored from the file specified by the RESTOREFILE + option in shorewall.conf. See also \"help save\" and \"help forget\"" ;; save) - echo "save: save + echo "save: save [ ] The dynamic data is stored in /var/lib/shorewall/save. The state of the - firewall is stored in /var/lib/shorewall/restore for use by the 'shorewall restore' - and 'shorewall -f start' commands. + firewall is stored in /var/lib/shorewall/ for use by the 'shorewall restore' + and 'shorewall -f start' commands. If is not given then the state is saved + in the file specified by the RESTOREFILE option in shorewall.conf. Shorewall allow, drop, rejct and save implement dynamic blacklisting. 
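Review bot: The new `restore` help text (hunk @@ -194 of help) contains unescaped inner quotes, `created using "shorewall save"; if no`, inside a double-quoted echo argument; the shell closes the string at the first inner quote and reopens it at the second, so the quotes are lost from the output and the text reaches echo as two arguments, unlike the `\"help save\"` escapes used elsewhere in the same string. Write `created using \"shorewall save\"; if no` to match the rest of the file.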
@@ -240,8 +244,9 @@ start) Start shorewall. Existing connections through shorewall managed interfaces are untouched. New connections will be allowed only if they are allowed by the firewall rules or policies. - If \"-q\" is specified, less detain is displayed making it easier to spot warnings - If \"-f\" is specified, the last saved configuraton if any will be restored" + If \"-q\" is specified, less detail is displayed making it easier to spot warnings + If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option + in shorewall.conf will be restored if that saved configuration exists" ;; stop) diff --git a/Lrp2/usr/share/shorewall/version b/Lrp2/usr/share/shorewall/version index 5e388152b..2810558da 100644 --- a/Lrp2/usr/share/shorewall/version +++ b/Lrp2/usr/share/shorewall/version @@ -1 +1 @@ -2.0.2f +2.0.3-Beta1