Use -j CT for helper detection, when available

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-08-04 11:36:03 -07:00
parent cfe2f36320
commit 6c97e13107
2 changed files with 65 additions and 15 deletions


@ -2191,7 +2191,20 @@ determine_capabilities() {
qt $g_tool -t raw -X $chain
qt $g_tool -t raw -N $chain
qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes;
if qt $g_tool -t raw -A $chain -j CT --notrack; then
CT_TARGET=Yes;
qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 137 -J CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes
fi
qt $g_tool -t raw -F $chain
qt $g_tool -t raw -X $chain
@ -2246,16 +2259,25 @@ determine_capabilities() {
qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
qt $g_tool -A $chain -p udp --dport 10080 -m helper --helper amanda && HELPER_MATCH=Yes && AMANDA_HELPER=Yes
qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp && HELPER_MATCH=Yes && FTP_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 1719 -m helper --helper RAS && HELPER_MATCH=Yes && H323_HELPER=Yes
$g_tool -A $chain -p tcp --dport 6667 -m helper --helper irc && HELPER_MATCH=Yes && IRC_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 137 -m helper --helper netbios-ns && HELPER_MATCH=Yes && NETBIOS_NS_HELPER=Yes
qt $g_tool -A $chain -p tcp --dport 1729 -m helper --helper pptp && HELPER_MATCH=Yes && PPTP_HELPER=Yes
qt $g_tool -A $chain -p tcp --dport 6566 -m helper --helper sane && HELPER_MATCH=Yes && SANE_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 5060 -m helper --helper sip && HELPER_MATCH=Yes && SIP_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 161 -m helper --helper snmp && HELPER_MATCH=Yes && SNMP_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 69 -m helper --helper tftp && HELPER_MATCH=Yes && TFTP_HELPER=Yes
#
# -m helper doesn't verify the existence of the specified helper :-(
#
if qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp; then
HELPER_MATCH=Yes
if [ -z "$CT_TARGET" ]; then
AMANDA_HELPER=Yes
FTP_HELPER=Yes
H323_HELPER=Yes
IRC_HELPER=Yes
NS_HELPER=Yes
PPTP_HELPER=Yes
SANE_HELPER=Yes
SIP_HELPER=Yes
SNMP_HELPER=Yes
TFTP_HELPER=Yes
fi
fi
qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
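Review bot: The netbios-ns probe in the new CT branch of the first hunk uses `-J CT` instead of `-j CT`, so iptables rejects the rule and NETBIOS_NS_HELPER is never set on systems where the CT target works; the line should read `qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes`. In the second hunk the fallback branch assigns `NS_HELPER=Yes` while every other path in this diff uses `NETBIOS_NS_HELPER`, so on pre-CT kernels the netbios-ns capability is presumably left unset as well — it should be `NETBIOS_NS_HELPER=Yes`. Because these flags decide which helper configuration the compiler accepts, both slips silently report a helper as unavailable instead of failing loudly, which is hard to notice in a capabilities dump. determine_capabilities() begins before the first hunk and continues past the last one.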


@ -287,9 +287,10 @@
<para>This option was added in Shorewall 4.5.7 and lists the
modules to be enabled for association with connections. This
option is fully functional only on systems running kernel 3.5 or
later. On systems running earlier kernels, the only way to totally
disable a module is to not load it. The module names allowed in
this list are <emphasis role="bold">amanda</emphasis>, <emphasis
later.</para>
<para>The module names allowed in this list are <emphasis
role="bold">amanda</emphasis>, <emphasis
role="bold">ftp</emphasis>, <emphasis role="bold">h323</emphasis>,
<emphasis role="bold">irc</emphasis>, <emphasis
role="bold">netbios-ns</emphasis>, <emphasis
@ -308,6 +309,33 @@
</filename>and modify the copy. That way, your changes won't be
overwritten the next time that Shorewall is updated on your
system.</para>
<para>On systems running a a kernel earlier than 3.5, not all of the
helpers can be totally disabled. The following modules can be disabled
by using the parameter <emphasis role="bold">ports=0</emphasis> in
/etc/shorewall/helpers:</para>
<itemizedlist>
<listitem>
<para>ftp</para>
</listitem>
<listitem>
<para>irc</para>
</listitem>
<listitem>
<para>sane</para>
</listitem>
<listitem>
<para>sip</para>
</listitem>
<listitem>
<para>tftp</para>
</listitem>
</itemizedlist>
</section>
<section>