Use -j CT for helper detection, when available

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-08-04 11:36:03 -07:00
parent cfe2f36320
commit 6c97e13107
2 changed files with 65 additions and 15 deletions


@ -2191,7 +2191,20 @@ determine_capabilities() {
qt $g_tool -t raw -X $chain qt $g_tool -t raw -X $chain
qt $g_tool -t raw -N $chain qt $g_tool -t raw -N $chain
qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes; if qt $g_tool -t raw -A $chain -j CT --notrack; then
CT_TARGET=Yes;
qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 137 -J CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes
fi
qt $g_tool -t raw -F $chain qt $g_tool -t raw -F $chain
qt $g_tool -t raw -X $chain qt $g_tool -t raw -X $chain
@ -2246,16 +2259,25 @@ determine_capabilities() {
qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
qt $g_tool -A $chain -p udp --dport 10080 -m helper --helper amanda && HELPER_MATCH=Yes && AMANDA_HELPER=Yes #
qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp && HELPER_MATCH=Yes && FTP_HELPER=Yes # -m helper doesn't verify the existence of the specified helper :-(
qt $g_tool -A $chain -p udp --dport 1719 -m helper --helper RAS && HELPER_MATCH=Yes && H323_HELPER=Yes #
$g_tool -A $chain -p tcp --dport 6667 -m helper --helper irc && HELPER_MATCH=Yes && IRC_HELPER=Yes if qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp; then
qt $g_tool -A $chain -p udp --dport 137 -m helper --helper netbios-ns && HELPER_MATCH=Yes && NETBIOS_NS_HELPER=Yes HELPER_MATCH=Yes
qt $g_tool -A $chain -p tcp --dport 1729 -m helper --helper pptp && HELPER_MATCH=Yes && PPTP_HELPER=Yes
qt $g_tool -A $chain -p tcp --dport 6566 -m helper --helper sane && HELPER_MATCH=Yes && SANE_HELPER=Yes if [ -z "$CT_TARGET" ]; then
qt $g_tool -A $chain -p udp --dport 5060 -m helper --helper sip && HELPER_MATCH=Yes && SIP_HELPER=Yes AMANDA_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 161 -m helper --helper snmp && HELPER_MATCH=Yes && SNMP_HELPER=Yes FTP_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 69 -m helper --helper tftp && HELPER_MATCH=Yes && TFTP_HELPER=Yes H323_HELPER=Yes
IRC_HELPER=Yes
NS_HELPER=Yes
PPTP_HELPER=Yes
SANE_HELPER=Yes
SIP_HELPER=Yes
SNMP_HELPER=Yes
TFTP_HELPER=Yes
fi
fi
qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
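Review bot: The netbios-ns probe in the first hunk passes `-J CT` (capital J), which is not an iptables option, so that rule can never load and NETBIOS_NS_HELPER is never set on the CT-target path even when the helper module is present; it should read `qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes`. In the second hunk the `-m helper` fallback sets `NS_HELPER=Yes`, while the removed lines and the CT path both use NETBIOS_NS_HELPER, so the fallback silently leaves the real capability variable unset; change it to `NETBIOS_NS_HELPER=Yes`. Presumably the compiler keys off NETBIOS_NS_HELPER, in which case the two paths currently report different capabilities for the same kernel. The `CT_TARGET=Yes;` trailing semicolon is harmless but inconsistent with the surrounding assignments. determine_capabilities begins and ends outside both hunks.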


@ -240,7 +240,7 @@
<title>Shorewall Support for Helpers</title> <title>Shorewall Support for Helpers</title>
<para>Shorewall includes support for helpers is several areas. These areas <para>Shorewall includes support for helpers is several areas. These areas
are covered in the sections below. </para> are covered in the sections below.</para>
<section> <section>
<title>Module Loading</title> <title>Module Loading</title>
@ -287,9 +287,10 @@
<para>This option was added in Shorewall 4.5.7 and lists the <para>This option was added in Shorewall 4.5.7 and lists the
modules to be enabled for association with connections. This modules to be enabled for association with connections. This
option is fully functional only on systems running kernel 3.5 or option is fully functional only on systems running kernel 3.5 or
later. On systems running earlier kernels, the only way to totally later.</para>
disable a module is to not load it. The module names allowed in
this list are <emphasis role="bold">amanda</emphasis>, <emphasis <para>The module names allowed in this list are <emphasis
role="bold">amanda</emphasis>, <emphasis
role="bold">ftp</emphasis>, <emphasis role="bold">h323</emphasis>, role="bold">ftp</emphasis>, <emphasis role="bold">h323</emphasis>,
<emphasis role="bold">irc</emphasis>, <emphasis <emphasis role="bold">irc</emphasis>, <emphasis
role="bold">netbios-ns</emphasis>, <emphasis role="bold">netbios-ns</emphasis>, <emphasis
@ -308,6 +309,33 @@
</filename>and modify the copy. That way, your changes won't be </filename>and modify the copy. That way, your changes won't be
overwritten the next time that Shorewall is updated on your overwritten the next time that Shorewall is updated on your
system.</para> system.</para>
<para>On systems running a a kernel earlier than 3.5, not all of the
helpers can be totally disabled. The following modules can be disabled
by using the parameter <emphasis role="bold">ports=0</emphasis> in
/etc/shorewall/helpers:</para>
<itemizedlist>
<listitem>
<para>ftp</para>
</listitem>
<listitem>
<para>irc</para>
</listitem>
<listitem>
<para>sane</para>
</listitem>
<listitem>
<para>sip</para>
</listitem>
<listitem>
<para>tftp</para>
</listitem>
</itemizedlist>
</section> </section>
<section> <section>