Use -j CT for helper detection, when available
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
cfe2f36320
commit
6c97e13107
@ -2191,7 +2191,20 @@ determine_capabilities() {
|
||||
qt $g_tool -t raw -X $chain
|
||||
qt $g_tool -t raw -N $chain
|
||||
|
||||
qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes;
|
||||
if qt $g_tool -t raw -A $chain -j CT --notrack; then
|
||||
CT_TARGET=Yes;
|
||||
|
||||
qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p udp --dport 137 -J CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes
|
||||
qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes
|
||||
fi
|
||||
|
||||
qt $g_tool -t raw -F $chain
|
||||
qt $g_tool -t raw -X $chain
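Review bot: The netbios-ns probe in the new CT block passes `-J CT` instead of `-j CT`, so the tool rejects the rule as an unknown option and NETBIOS_NS_HELPER is never set even when that helper is available; the line should read `qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes`. Since qt() is not visible here, I assume it discards the tool's diagnostics, which would make this typo silent at runtime and visible only as a missing capability. The pptp probe keeps `--dport 1729` from the existing `-m helper` probes; the port is immaterial for testing whether the helper exists, but if it is meant to be PPTP's control port that is 1723. determine_capabilities() begins before this hunk.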
|
||||
@ -2246,16 +2259,25 @@ determine_capabilities() {
|
||||
qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
|
||||
qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
|
||||
|
||||
qt $g_tool -A $chain -p udp --dport 10080 -m helper --helper amanda && HELPER_MATCH=Yes && AMANDA_HELPER=Yes
|
||||
qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp && HELPER_MATCH=Yes && FTP_HELPER=Yes
|
||||
qt $g_tool -A $chain -p udp --dport 1719 -m helper --helper RAS && HELPER_MATCH=Yes && H323_HELPER=Yes
|
||||
$g_tool -A $chain -p tcp --dport 6667 -m helper --helper irc && HELPER_MATCH=Yes && IRC_HELPER=Yes
|
||||
qt $g_tool -A $chain -p udp --dport 137 -m helper --helper netbios-ns && HELPER_MATCH=Yes && NETBIOS_NS_HELPER=Yes
|
||||
qt $g_tool -A $chain -p tcp --dport 1729 -m helper --helper pptp && HELPER_MATCH=Yes && PPTP_HELPER=Yes
|
||||
qt $g_tool -A $chain -p tcp --dport 6566 -m helper --helper sane && HELPER_MATCH=Yes && SANE_HELPER=Yes
|
||||
qt $g_tool -A $chain -p udp --dport 5060 -m helper --helper sip && HELPER_MATCH=Yes && SIP_HELPER=Yes
|
||||
qt $g_tool -A $chain -p udp --dport 161 -m helper --helper snmp && HELPER_MATCH=Yes && SNMP_HELPER=Yes
|
||||
qt $g_tool -A $chain -p udp --dport 69 -m helper --helper tftp && HELPER_MATCH=Yes && TFTP_HELPER=Yes
|
||||
#
|
||||
# -m helper doesn't verify the existence of the specified helper :-(
|
||||
#
|
||||
if qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp; then
|
||||
HELPER_MATCH=Yes
|
||||
|
||||
if [ -z "$CT_TARGET" ]; then
|
||||
AMANDA_HELPER=Yes
|
||||
FTP_HELPER=Yes
|
||||
H323_HELPER=Yes
|
||||
IRC_HELPER=Yes
|
||||
NS_HELPER=Yes
|
||||
PPTP_HELPER=Yes
|
||||
SANE_HELPER=Yes
|
||||
SIP_HELPER=Yes
|
||||
SNMP_HELPER=Yes
|
||||
TFTP_HELPER=Yes
|
||||
fi
|
||||
fi
|
||||
|
||||
qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
|
||||
qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
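Review bot: The fallback branch under `if [ -z "$CT_TARGET" ]` sets `NS_HELPER=Yes`, whereas the raw-table CT probe added in this commit and the removed `-m helper` probe both use NETBIOS_NS_HELPER, so on kernels without the CT target the netbios-ns helper is reported as unavailable; the line should be `NETBIOS_NS_HELPER=Yes`. That branch also marks every helper as present without probing, which the preceding comment explains (`-m helper` does not verify the helper), so a one-line comment such as `# No CT target: helper presence cannot be probed, assume all are loaded` would make the capabilities output easier to interpret. determine_capabilities() continues outside this hunk.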
|
||||
|
@ -240,7 +240,7 @@
|
||||
<title>Shorewall Support for Helpers</title>
|
||||
|
||||
<para>Shorewall includes support for helpers is several areas. These areas
|
||||
are covered in the sections below. </para>
|
||||
are covered in the sections below.</para>
|
||||
|
||||
<section>
|
||||
<title>Module Loading</title>
|
||||
@ -287,9 +287,10 @@
|
||||
<para>This option was added in Shorewall 4.5.7 and lists the
|
||||
modules to be enabled for association with connections. This
|
||||
option is fully functional only on systems running kernel 3.5 or
|
||||
later. On systems running earlier kernels, the only way to totally
|
||||
disable a module is to not load it. The module names allowed in
|
||||
this list are <emphasis role="bold">amanda</emphasis>, <emphasis
|
||||
later.</para>
|
||||
|
||||
<para>The module names allowed in this list are <emphasis
|
||||
role="bold">amanda</emphasis>, <emphasis
|
||||
role="bold">ftp</emphasis>, <emphasis role="bold">h323</emphasis>,
|
||||
<emphasis role="bold">irc</emphasis>, <emphasis
|
||||
role="bold">netbios-ns</emphasis>, <emphasis
|
||||
@ -308,6 +309,33 @@
|
||||
</filename>and modify the copy. That way, your changes won't be
|
||||
overwritten the next time that Shorewall is updated on your
|
||||
system.</para>
|
||||
|
||||
<para>On systems running a a kernel earlier than 3.5, not all of the
|
||||
helpers can be totally disabled. The following modules can be disabled
|
||||
by using the parameter <emphasis role="bold">ports=0</emphasis> in
|
||||
/etc/shorewall/helpers:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>ftp</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>irc</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>sane</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>sip</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>tftp</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|