More 1.3.14 Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@456 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-02-19 23:52:03 +00:00
parent 84ed075e10
commit 6cabdfae5d
8 changed files with 106 additions and 110 deletions


@ -31,4 +31,13 @@ Changes since 1.3.14
13. Update Documentation for 1.4 13. Update Documentation for 1.4
13. Remove icmp.def file. 14. Remove icmp.def file.
15. Added CONTINUE rule target.
16. Added Andrew Zhoglo's fix for logunclean.
17. Removed 'multi' option.
18. Support 802.11b devices with maclist.


@ -310,7 +310,7 @@ havenatchain() # $1 = name of chain
} }
# #
# Ensure that a chain exists (create it if it doesn't) # Ensure that a nat chain exists (create it if it doesn't)
# #
ensurenatchain() # $1 = chain name ensurenatchain() # $1 = chain name
{ {
@ -493,7 +493,7 @@ determine_interfaces() {
for zone in $zones; do for zone in $zones; do
interfaces=`find_interfaces $zone` interfaces=`find_interfaces $zone`
interfaces=`echo $interfaces` # Remove extra trash interfaces=`echo $interfaces` # Remove extra trash
eval ${zone}_interfaces="\$interfaces" eval ${zone}_interfaces=\"\$interfaces\"
done done
} }
@ -585,7 +585,7 @@ validate_interfaces_file() {
for option in $options; do for option in $options; do
case $option in case $option in
dhcp|norfc1918|multi|tcpflags) dhcp|norfc1918|tcpflags)
;; ;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-) routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
;; ;;
@ -728,10 +728,6 @@ validate_rule() {
[ -n "$port" ] && dports="--icmp-type $port" [ -n "$port" ] && dports="--icmp-type $port"
state="" state=""
;; ;;
related|RELATED)
proto=
state="-m state --state RELATED"
;;
*) *)
state= state=
[ -n "$port" ] && [ "x${port}" != "x-" ] && \ [ -n "$port" ] && [ "x${port}" != "x-" ] && \
@ -754,6 +750,12 @@ validate_rule() {
startup_error "Server port may not be specified in an ACCEPT rule;"\ startup_error "Server port may not be specified in an ACCEPT rule;"\
"rule: \"$rule\"" "rule: \"$rule\""
;; ;;
CONTINUE)
target=RETURN
[ -n "$servport" ] && \
startup_error "Server port may not be specified in a CONTINUE rule;"\
"rule: \"$rule\""
;;
LOG) LOG)
[ -n "$servport" ] && \ [ -n "$servport" ] && \
startup_error "Server port may not be specified in an LOG rule;"\ startup_error "Server port may not be specified in an LOG rule;"\
@ -956,7 +958,7 @@ validate_rules() # $1 = name of rules file
expandv clients servers protocol ports cports address expandv clients servers protocol ports cports address
case "$target" in case "$target" in
ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*|LOG*) ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*|LOG*|CONTINUE*)
rule="`echo $target $clients $servers $protocol $ports $cports $address`" rule="`echo $target $clients $servers $protocol $ports $cports $address`"
validate_rule validate_rule
;; ;;
@ -1261,8 +1263,10 @@ stop_firewall() {
while read interface host; do while read interface host; do
expandv interface host expandv interface host
[ "x$host" = "x-" ] && host= [ "x$host" = "x-" ] && host=0.0.0.0/0
hosts="$hosts $interface:${host:-0.0.0.0/0}" for h in `separate_list $host`; do
hosts="$hosts $interface:$h"
done
done < $TMP_DIR/routestopped done < $TMP_DIR/routestopped
for host in $hosts; do for host in $hosts; do
@ -1553,10 +1557,10 @@ setup_mac_lists() {
# #
for interface in $maclist_interfaces; do for interface in $maclist_interfaces; do
case $interface in case $interface in
eth*) eth*|wlan*)
;; ;;
*) *)
fatal_error "MAC verification is only supported on ethernet devices: $interface" fatal_error "MAC verification is only supported on ethernet and 802.11b devices: $interface"
;; ;;
esac esac
@ -2156,10 +2160,6 @@ add_a_rule()
fatal_error "Port number not allowed with \"all\"; rule: \"$rule\"" fatal_error "Port number not allowed with \"all\"; rule: \"$rule\""
proto= proto=
;; ;;
related|RELATED)
proto=
state="-m state --state RELATED"
;;
*) *)
state= state=
[ -n "$port" ] && [ "x${port}" != "x-" ] && \ [ -n "$port" ] && [ "x${port}" != "x-" ] && \
@ -2443,9 +2443,9 @@ process_rules() # $1 = name of rules file
} }
while read xtarget xclients xservers xprotocol xports xcports xaddress; do while read xtarget xclients xservers xprotocol xports xcports xaddress; do
case "$xtarget" in case "${xtarget%:*}" in
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*|LOG|LOG:*) ACCEPT|DROP|REJECT|DNAT|DNAT|DNAT-|REDIRECT|LOG|CONTINUE)
expandv xclients xservers xprotocol xports xcports xaddress expandv xclients xservers xprotocol xports xcports xaddress
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then
@ -3049,19 +3049,6 @@ setup_masq()
done < $TMP_DIR/masq done < $TMP_DIR/masq
} }
#
# Setup Intrazone chain if appropriate
#
setup_intrazone() # $1 = zone
{
eval hosts=\$${1}_hosts
if [ "$hosts" != "${hosts% *}" ] || \
have_interfaces_in_zone_with_option $1 multi
then
ensurechain ${1}2${1}
fi
}
# #
# Add a record to the blacklst chain # Add a record to the blacklst chain
# #
@ -3498,10 +3485,10 @@ add_common_rules() {
if [ -n "$LOGUNCLEAN" ]; then if [ -n "$LOGUNCLEAN" ]; then
if [ "$LOGUNCLEAN" = ULOG ]; then if [ "$LOGUNCLEAN" = ULOG ]; then
logoptions="-j ULOG $LOGPARAMS --ulog-prefix Shorewall:badpkt:DROP:" logoptions="-j ULOG $LOGPARMS --ulog-prefix Shorewall:badpkt:DROP:"
logoptions="$logoptions --log-ip-options" logoptions="$logoptions --log-ip-options"
else else
logoptions="-j LOG $LOGPARAMS --log-prefix Shorewall:badpkt:DROP:" logoptions="-j LOG $LOGPARMS --log-prefix Shorewall:badpkt:DROP:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
fi fi
@ -3530,10 +3517,10 @@ add_common_rules() {
[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info [ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
if [ "$LOGUNCLEAN" = ULOG ]; then if [ "$LOGUNCLEAN" = ULOG ]; then
logoptions="-j ULOG $LOGPARAMS --ulog-prefix Shorewall:logpkt:LOG:" logoptions="-j ULOG $LOGPARMS --ulog-prefix Shorewall:logpkt:LOG:"
logoptions="$logoptions --log-ip-options" logoptions="$logoptions --log-ip-options"
else else
logoptions="-j LOG $LOGPARAMS --log-prefix Shorewall:logpkt:LOG:" logoptions="-j LOG $LOGPARMS --log-prefix Shorewall:logpkt:LOG:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
fi fi
@ -3776,11 +3763,11 @@ apply_policy_rules() {
fi fi
done done
# #
# Add policy rules to canonical chains # Add policy rules to canonical chains
# #
for zone in $FW $zones; do for zone in $FW $zones; do
setup_intrazone $zone
for zone1 in $FW $zones; do for zone1 in $FW $zones; do
chain=${zone}2${zone1} chain=${zone}2${zone1}
if havechain $chain; then if havechain $chain; then
@ -3845,8 +3832,6 @@ activate_rules()
addnatjump POSTROUTING `output_chain $interface` -o $interface addnatjump POSTROUTING `output_chain $interface` -o $interface
done done
multi_interfaces=`find_interfaces_by_option multi`
> ${STATEDIR}/chains > ${STATEDIR}/chains
> ${STATEDIR}/zones > ${STATEDIR}/zones
@ -3896,14 +3881,14 @@ activate_rules()
chain1=`forward_chain $interface` chain1=`forward_chain $interface`
if [ -n "$have_canonical" ]; then if [ -n "$have_canonical" ]; then
multi=yes bounce=yes
else else
case $interface in case $interface in
*+*) *+*)
multi=yes bounce=yes
;; ;;
*) *)
list_search $interface $multi_interfaces && multi=yes || multi= bounce=
;; ;;
esac esac
fi fi
@ -3912,9 +3897,8 @@ activate_rules()
interface1=${host1%:*} interface1=${host1%:*}
subnet1=${host1#*:} subnet1=${host1#*:}
if [ $interface != $interface1 -o -n "$multi" ]; then if [ $interface != $interface1 -o -n "$bounce" ]; then
run_iptables -A $chain1 -s $subnet \ run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
-o $interface1 -d $subnet1 -j $chain
fi fi
done done
done done
@ -4053,6 +4037,8 @@ check_config() {
validate_hosts_file validate_hosts_file
validate_bounce_file
echo "Determining Hosts in Zones..." echo "Determining Hosts in Zones..."
determine_interfaces determine_interfaces
@ -4204,7 +4190,19 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
# If the zone passed in the command has a dnat chain then insert a rule in # If the zone passed in the command has a dnat chain then insert a rule in
# the nat table PREROUTING chain to jump to that chain when the source # the nat table PREROUTING chain to jump to that chain when the source
# matches the new host(s) # matches the new host(s)#
# Setup Intrazone chain if appropriate
#
setup_intrazone() # $1 = zone
{
eval hosts=\$${1}_hosts
if have_interfaces_in_zone_with_option $1 multi; then
ensurechain ${1}2${1}
fi
}
# #
chain=${zone}_dnat chain=${zone}_dnat
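Review bot: The routestopped loop in stop_firewall (hunk at 1263) no longer substitutes 0.0.0.0/0 for an empty HOST(S) column: the new `[ "x$host" = "x-" ] && host=0.0.0.0/0` only covers the literal "-", while the removed `${host:-0.0.0.0/0}` also covered an empty value, and the routestopped header touched by this same commit still promises "If left empty or supplied as "-", 0.0.0.0/0 is assumed". With an empty host the `for h in \`separate_list $host\`` loop presumably iterates zero times (separate_list is not visible here), so that interface silently drops out of the stopped-firewall allow list instead of getting the documented default. Keeping both spellings is a one-line change: `[ -z "$host" -o "x$host" = "x-" ] && host=0.0.0.0/0`. Separately, the setup_intrazone body re-inserted in the middle of add_to_zone's header comment (hunk at 4190) still tests the `multi` interface option that this commit removes from validate_interfaces_file, and its only visible call in apply_policy_rules is deleted, so it looks like a stray paste that should be dropped rather than kept as dead code. stop_firewall's body continues outside the hunk.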


@ -1,45 +1,22 @@
# #
# Shorewall 1.4 - /etc/shorewall/hosts # Shorewall 1.4 - /etc/shorewall/bounce
# #
# WARNING: 90% of Shorewall users don't need to add entries to this # Normally, Shorewall assumes that the firewall/gateway will not be
# file and 80% of those who try to add such entries get it # routing requests back out the same interface that they came in on.
# wrong. Unless you are ABSOLUTELY SURE that you need entries # If you have such requirements, they should be defined here.
# in this file, don't touch it!
# #
# This file is used to define zones in terms of subnets and/or # Columns are:
# individual IP addresses. Most simple setups don't need to
# (should not) place anything in this file. Note that if you
# assign one or more interfaces to a zone in /etc/shorewall/interfaces,
# the hosts/networks that you define for the zone in the file will be
# IN ADDITION to those interfaces.
# #
# ZONE - The name of a zone defined in /etc/shorewall/zones # INTERFACE The name of an interfaces defined
# in /etc/shorewall/interfaces
# #
# HOST(S) - The name of an interface followed by a colon (":") and # SOURCE The name of a zone followed by a
# either: # colon (":") and the address of a
# host or subnet.
# #
# a) The IP address of a host # DESTINATION The name of a zone followed by a
# b) A subnetwork in CIDR format # colon and the address of a host
# (<subnet-address>/<mask width>) # or subnet.
# #
# The interface must be defined in the #INTERFACE SOURCE DESTINATION
# /etc/shorewall/interfaces file.
#
# Examples:
#
# eth1:192.168.1.3
# eth2:192.168.2.0/24
#
# OPTIONS - A comma-separated list of options. Currently-defined
# options are:
#
# maclist - Connection requests from these hosts
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
#
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE


@ -54,9 +54,6 @@
# enabled in shorewall.conf, packets # enabled in shorewall.conf, packets
# whose destination addresses are # whose destination addresses are
# reserved by RFC 1918 are also rejected. # reserved by RFC 1918 are also rejected.
# multi - This interface has multiple IP
# addresses and you want to be able to
# route between them.
# routefilter - turn on kernel route filtering for this # routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This # interface (anti-spoofing measure). This
# option can also be enabled globally in # option can also be enabled globally in


@ -1,6 +1,6 @@
This is a major release of Shorewall. This is a major release of Shorewall.
Function from 1.3 that has been omitted from this version include: Function from 1.3 that has been omitted from this version includes:
1) The MERGE_HOSTS variable in shorewall.conf is no longer 1) The MERGE_HOSTS variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with supported. Shorewall 1.4 behavior is the same as 1.3 with
@ -25,6 +25,20 @@ Function from 1.3 that has been omitted from this version include:
supported. Shorewall 1.4 behavior is the same as 1.3 with supported. Shorewall 1.4 behavior is the same as 1.3 with
ALLOWRELATED=Yes. ALLOWRELATED=Yes.
7. The 'multi' interface option is no longer supported. Shorewall will
generate rules for sending packets back out the same interface
that they arrived on in two cases:
a) There is an _explicit_ policy for the source zone to the
destination zone. An explicit policy names both zones and does not
use the 'all' reserved word.
b) There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all'
reserved word. Exception: If the source and the destination are
the same zone then the rule must be explicit - it must name the zone
in both the SOURCE and DESTINATION columns.
Changes for 1.4 include: Changes for 1.4 include:
1. shorewall.conf has been completely reorganized into logical 1. shorewall.conf has been completely reorganized into logical
@ -38,9 +52,16 @@ Changes for 1.4 include:
4. Late arriving DNS replies are now silently dropped in the common 4. Late arriving DNS replies are now silently dropped in the common
chain by default. chain by default.
5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall 2.0 no 5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
longer unconditionally accepts outbound ICMP packets. So if you want longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or to 'ping' from the firewall, you will need the appropriate rule or
policy. policy.
6. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
7. 802.11b devices with names of the form wlan<n> now support the
'maclist' option.


@ -12,7 +12,7 @@
# INTERFACE - Interface through which host(s) communicate with # INTERFACE - Interface through which host(s) communicate with
# the firewall # the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet # HOST(S) - (Optional) Comma-separated list of IP/subnet
# addresses. If left empty or supplied as "-", # If left empty or supplied as "-",
# 0.0.0.0/0 is assumed. # 0.0.0.0/0 is assumed.
# #
# Example: # Example:


@ -30,18 +30,25 @@
# the companion ACCEPT rule. # the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local # REDIRECT -- Redirect the request to a local
# port on the firewall. # port on the firewall.
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
# The source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# #
# May optionally be followed by ":" and a syslog log # May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be # level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level. # logged at the specified level.
# #
# Beginning with Shorewall version 1.3.12, you may # You may also specify ULOG (must be in upper case) as a
# also specify ULOG (must be in upper case) as a log level.\ # log level.This will log to the ULOG target for routing
# This will log to the ULOG target and sent to a separate log # to a separate log through use of ulogd
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd). # (http://www.gnumonks.org/projects/ulogd).
# #
#
# SOURCE Source hosts to which the rule applies. May be a zone # SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the # defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or # firewall itself, or "all" If the ACTION is DNAT or
@ -106,10 +113,8 @@
# contain the port number on the firewall that the # contain the port number on the firewall that the
# request should be redirected to. # request should be redirected to.
# #
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all" or "related". If "related", the remainder of the # "all".
# entry must be omitted and connection requests that are
# related to existing requests will be accepted.
# #
# DEST PORT(S) Destination Ports. A comma-separated list of Port # DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port # names (from /etc/services), port numbers or port


@ -212,17 +212,6 @@ MODULESDIR=
# #
FW=fw FW=fw
# ALLOW RELATED CONNECTIONS
#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want
# to accept FTP data connections. If you say "no" here, then to accept
# these connections between particular zones or hosts, you must include
# explicit "related" rules in /etc/shorewall/rules.
#
ALLOWRELATED=yes
# #
# ENABLE NAT SUPPORT # ENABLE NAT SUPPORT
# #