forked from extern/shorewall_code
Merge branch 'master' into 4.5.7
This commit is contained in:
commit
75b830b10e
@ -8,9 +8,16 @@
|
|||||||
# files from those nodes.
|
# files from those nodes.
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
FORMAT 2
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
# PORT(S) PORT(S) LIMIT GROUP
|
# PORT(S) PORT(S) LIMIT GROUP
|
||||||
|
|
||||||
|
?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
|
||||||
|
PARAM - - udp 10080 ; helper=amanda
|
||||||
|
?else
|
||||||
PARAM - - udp 10080
|
PARAM - - udp 10080
|
||||||
|
?endif
|
||||||
|
|
||||||
PARAM - - tcp 10080
|
PARAM - - tcp 10080
|
||||||
#
|
#
|
||||||
# You may also need this rule. With AMANDA 2.4.4 on Linux kernel 2.6,
|
# You may also need this rule. With AMANDA 2.4.4 on Linux kernel 2.6,
|
||||||
|
@ -8,8 +8,8 @@
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
# PORT(S) PORT(S) LIMIT GROUP
|
# PORT(S) PORT(S) LIMIT GROUP
|
||||||
?IF $BLACKLIST_LOGLEVEL
|
?if $BLACKLIST_LOGLEVEL
|
||||||
blacklog
|
blacklog
|
||||||
?ELSE
|
?else
|
||||||
$BLACKLIST_DISPOSITION
|
$BLACKLIST_DISPOSITION
|
||||||
?ENDIF
|
?endif
|
||||||
|
@ -6,6 +6,11 @@
|
|||||||
# This macro handles FTP traffic.
|
# This macro handles FTP traffic.
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
FORMAT 2
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
# PORT(S) PORT(S) LIMIT GROUP
|
# PORT(S) PORT(S) LIMIT GROUP
|
||||||
|
?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER )
|
||||||
|
PARAM - - tcp 21 ; helper=ftp
|
||||||
|
?else
|
||||||
PARAM - - tcp 21
|
PARAM - - tcp 21
|
||||||
|
?endif
|
||||||
|
@ -6,6 +6,12 @@
|
|||||||
# This macro handles IRC traffic (Internet Relay Chat).
|
# This macro handles IRC traffic (Internet Relay Chat).
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
FORMAT 2
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
# PORT(S) PORT(S) LIMIT GROUP
|
# PORT(S) PORT(S) LIMIT GROUP
|
||||||
|
|
||||||
|
?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER )
|
||||||
|
PARAM - - tcp 6667 ; helper=irc
|
||||||
|
?else
|
||||||
PARAM - - tcp 6667
|
PARAM - - tcp 6667
|
||||||
|
?endif
|
||||||
|
@ -6,8 +6,14 @@
|
|||||||
# This macro handles PPTP traffic.
|
# This macro handles PPTP traffic.
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
?FORMAT 2
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
# PORT(S) PORT(S) LIMIT GROUP
|
# PORT(S) PORT(S) LIMIT GROUP
|
||||||
PARAM - - 47
|
PARAM - - 47
|
||||||
PARAM DEST SOURCE 47
|
PARAM DEST SOURCE 47
|
||||||
|
|
||||||
|
?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
|
||||||
|
PARAM - - tcp 1723 ; helper=pptp
|
||||||
|
?else
|
||||||
PARAM - - tcp 1723
|
PARAM - - tcp 1723
|
||||||
|
?endif
|
||||||
|
@ -6,9 +6,16 @@
|
|||||||
# This macro handles SANE network scanning.
|
# This macro handles SANE network scanning.
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
FORMAT 2
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
# PORT(S) PORT(S) LIMIT GROUP
|
# PORT(S) PORT(S) LIMIT GROUP
|
||||||
|
|
||||||
|
?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
|
||||||
|
PARAM - - tcp 6566 ; helper=sane
|
||||||
|
?else
|
||||||
PARAM - - tcp 6566
|
PARAM - - tcp 6566
|
||||||
|
?endif
|
||||||
|
|
||||||
#
|
#
|
||||||
# Kernels 2.6.23+ has nf_conntrack_sane module which will handle
|
# Kernels 2.6.23+ has nf_conntrack_sane module which will handle
|
||||||
# sane data connection.
|
# sane data connection.
|
||||||
|
17
Shorewall/Macros/macro.SIP
Normal file
17
Shorewall/Macros/macro.SIP
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 4 - SIP Macro
|
||||||
|
#
|
||||||
|
# /usr/share/shorewall/macro.SIP
|
||||||
|
#
|
||||||
|
# This macro handles SIP traffic.
|
||||||
|
#
|
||||||
|
###############################################################################
|
||||||
|
FORMAT 2
|
||||||
|
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
|
# PORT(S) PORT(S) LIMIT GROUP
|
||||||
|
|
||||||
|
?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER )
|
||||||
|
PARAM - - udp 5060 ; helper=sip
|
||||||
|
?else
|
||||||
|
PARAM - - udp 5060
|
||||||
|
?endif
|
@ -10,9 +10,17 @@
|
|||||||
# between hosts you fully trust.
|
# between hosts you fully trust.
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
FORMAT 2
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
# PORT(S) PORT(S) LIMIT GROUP
|
# PORT(S) PORT(S) LIMIT GROUP
|
||||||
PARAM - - udp 135,445
|
PARAM - - udp 135,445
|
||||||
|
|
||||||
|
?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
|
||||||
|
PARAM - - udp 137 ; helper=netbios-ns
|
||||||
|
PARAM - - udp 138:139
|
||||||
|
?else
|
||||||
PARAM - - udp 137:139
|
PARAM - - udp 137:139
|
||||||
|
?endif
|
||||||
|
|
||||||
PARAM - - udp 1024: 137
|
PARAM - - udp 1024: 137
|
||||||
PARAM - - tcp 135,139,445
|
PARAM - - tcp 135,139,445
|
||||||
|
@ -10,13 +10,28 @@
|
|||||||
# allow SMB traffic between hosts you fully trust.
|
# allow SMB traffic between hosts you fully trust.
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
FORMAT 2
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
# PORT(S) PORT(S) LIMIT GROUP
|
# PORT(S) PORT(S) LIMIT GROUP
|
||||||
PARAM - - udp 135,445
|
PARAM - - udp 135,445
|
||||||
|
|
||||||
|
?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
|
||||||
|
PARAM - - udp 137 ; helper=netbios-ns
|
||||||
|
PARAM - - udp 138:139
|
||||||
|
?else
|
||||||
PARAM - - udp 137:139
|
PARAM - - udp 137:139
|
||||||
|
?endif
|
||||||
|
|
||||||
PARAM - - udp 1024: 137
|
PARAM - - udp 1024: 137
|
||||||
PARAM - - tcp 135,139,445
|
PARAM - - tcp 135,139,445
|
||||||
PARAM DEST SOURCE udp 135,445
|
PARAM DEST SOURCE udp 135,445
|
||||||
|
|
||||||
|
?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
|
||||||
|
PARAM DEST SOURCE udp 137 ; helper=netbios-ns
|
||||||
|
PARAM DEST SOURCE udp 138:139
|
||||||
|
?else
|
||||||
PARAM DEST SOURCE udp 137:139
|
PARAM DEST SOURCE udp 137:139
|
||||||
|
?endif
|
||||||
|
|
||||||
PARAM DEST SOURCE udp 1024: 137
|
PARAM DEST SOURCE udp 1024: 137
|
||||||
PARAM DEST SOURCE tcp 135,139,445
|
PARAM DEST SOURCE tcp 135,139,445
|
||||||
|
@ -6,7 +6,15 @@
|
|||||||
# This macro handles SNMP traffic (including traps).
|
# This macro handles SNMP traffic (including traps).
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
FORMAT 2
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
# PORT(S) PORT(S) LIMIT GROUP
|
# PORT(S) PORT(S) LIMIT GROUP
|
||||||
|
|
||||||
|
?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
|
||||||
|
PARAM - - udp 161 ; helper=snmp
|
||||||
|
PARAM - - udp 162
|
||||||
|
?else
|
||||||
PARAM - - udp 161:162
|
PARAM - - udp 161:162
|
||||||
|
?endif
|
||||||
|
|
||||||
PARAM - - tcp 161
|
PARAM - - tcp 161
|
||||||
|
@ -8,6 +8,12 @@
|
|||||||
# Internet.
|
# Internet.
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
FORMAT 2
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
# PORT(S) PORT(S) LIMIT GROUP
|
# PORT(S) PORT(S) LIMIT GROUP
|
||||||
|
|
||||||
|
?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
|
||||||
|
PARAM - - udp 69 ; helper=tftp
|
||||||
|
?else
|
||||||
PARAM - - udp 69
|
PARAM - - udp 69
|
||||||
|
?endif
|
||||||
|
@ -101,6 +101,7 @@ our %EXPORT_TAGS = (
|
|||||||
CHAIN
|
CHAIN
|
||||||
SET
|
SET
|
||||||
AUDIT
|
AUDIT
|
||||||
|
HELPER
|
||||||
NO_RESTRICT
|
NO_RESTRICT
|
||||||
PREROUTE_RESTRICT
|
PREROUTE_RESTRICT
|
||||||
DESTIFACE_DISALLOW
|
DESTIFACE_DISALLOW
|
||||||
@ -352,6 +353,7 @@ use constant { STANDARD => 1, #defined by Netfilter
|
|||||||
CHAIN => 1024, #Manual Chain
|
CHAIN => 1024, #Manual Chain
|
||||||
SET => 2048, #SET
|
SET => 2048, #SET
|
||||||
AUDIT => 4096, #A_ACCEPT, etc
|
AUDIT => 4096, #A_ACCEPT, etc
|
||||||
|
HELPER => 8192, #CT:helper
|
||||||
};
|
};
|
||||||
#
|
#
|
||||||
# Valid Targets -- value is a combination of one or more of the above
|
# Valid Targets -- value is a combination of one or more of the above
|
||||||
@ -2979,6 +2981,51 @@ sub optimize_level4( $$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Identify short chains with a single reference and replace the reference with the chain rules
|
||||||
|
#
|
||||||
|
my @chains = grep ( $_->{referenced} &&
|
||||||
|
! $_->{optflags} &&
|
||||||
|
@{$_->{rules}} < 4 &&
|
||||||
|
keys %{$_->{references}} == 1 , values %$tableref );
|
||||||
|
|
||||||
|
if ( my $chains = @chains ) {
|
||||||
|
$passes++;
|
||||||
|
|
||||||
|
progress_message "\n Table $table pass $passes, $chains short chains, level 4b...";
|
||||||
|
|
||||||
|
for my $chainref ( @chains ) {
|
||||||
|
my $name = $chainref->{name};
|
||||||
|
for my $sourceref ( map $tableref->{$_}, keys %{$chainref->{references}} ) {
|
||||||
|
my $name1 = $sourceref->{name};
|
||||||
|
|
||||||
|
if ( $chainref->{references}{$name1} == 1 ) {
|
||||||
|
my $rulenum = 0;
|
||||||
|
my $rulesref = $sourceref->{rules};
|
||||||
|
my $rules = @{$chainref->{rules}};
|
||||||
|
|
||||||
|
for ( @$rulesref ) {
|
||||||
|
if ( $_->{simple} && ( $_->{target} || '' ) eq $name ) {
|
||||||
|
trace( $sourceref, 'D', $rulenum + 1, $_ ) if $debug;
|
||||||
|
splice @$rulesref, $rulenum, 1, @{$chainref->{rules}};
|
||||||
|
if ( $debug ) {
|
||||||
|
while ( my $ruleref = shift @{$chainref->{rules}} ) {
|
||||||
|
trace ( $sourceref, 'I', $rulenum++, $ruleref );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
delete $chainref->{references}{$name1};
|
||||||
|
delete_chain $chainref;
|
||||||
|
last;
|
||||||
|
}
|
||||||
|
$rulenum++;
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$passes;
|
$passes;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -3282,6 +3329,62 @@ sub combine_dports {
|
|||||||
\@rules;
|
\@rules;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Delete duplicate rules from the passed chain.
|
||||||
|
#
|
||||||
|
# The arguments are a reference to the chain followed by references to each
|
||||||
|
# of its rules.
|
||||||
|
#
|
||||||
|
sub delete_duplicates {
|
||||||
|
my @rules;
|
||||||
|
my $chainref = shift;
|
||||||
|
my $lastrule = @_;
|
||||||
|
my $baseref = pop;
|
||||||
|
my $ruleref;
|
||||||
|
my $duplicate = 0;
|
||||||
|
|
||||||
|
while ( @_ && ! $duplicate ) {
|
||||||
|
{
|
||||||
|
my $ports1;
|
||||||
|
my @keys1 = sort( keys( %$baseref ) );
|
||||||
|
my $rulenum = @_;
|
||||||
|
my $duplicate = 0;
|
||||||
|
|
||||||
|
RULE:
|
||||||
|
|
||||||
|
while ( --$rulenum >= 0 ) {
|
||||||
|
$ruleref = $_[$rulenum];
|
||||||
|
|
||||||
|
my @keys2 = sort(keys( %$ruleref ) );
|
||||||
|
|
||||||
|
next unless @keys1 == @keys2 ;
|
||||||
|
|
||||||
|
my $keynum = 0;
|
||||||
|
|
||||||
|
for my $key ( @keys1 ) {
|
||||||
|
next RULE unless $key eq $keys2[$keynum++];
|
||||||
|
next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
|
||||||
|
}
|
||||||
|
|
||||||
|
$duplicate = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $duplicate ) {
|
||||||
|
trace( $chainref, 'D', $lastrule, $baseref ) if $debug;
|
||||||
|
} else {
|
||||||
|
unshift @rules, $baseref;
|
||||||
|
}
|
||||||
|
|
||||||
|
$baseref = pop @_;
|
||||||
|
$lastrule--;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
unshift @rules, $baseref if $baseref;
|
||||||
|
|
||||||
|
\@rules;
|
||||||
|
}
|
||||||
|
|
||||||
sub optimize_level16( $$$ ) {
|
sub optimize_level16( $$$ ) {
|
||||||
my ( $table, $tableref , $passes ) = @_;
|
my ( $table, $tableref , $passes ) = @_;
|
||||||
my @chains = ( grep $_->{referenced}, values %{$tableref} );
|
my @chains = ( grep $_->{referenced}, values %{$tableref} );
|
||||||
@ -3290,11 +3393,23 @@ sub optimize_level16( $$$ ) {
|
|||||||
|
|
||||||
progress_message "\n Table $table pass $passes, $chains referenced user chains, level 16...";
|
progress_message "\n Table $table pass $passes, $chains referenced user chains, level 16...";
|
||||||
|
|
||||||
|
if ( $table eq 'raw' ) {
|
||||||
|
#
|
||||||
|
# Helpers in rules have the potential for generating lots of duplicate iptables rules
|
||||||
|
# in the raw table. This step eliminates those duplicates
|
||||||
|
#
|
||||||
|
for my $chainref ( @chains ) {
|
||||||
|
$chainref->{rules} = delete_duplicates( $chainref, @{$chainref->{rules}} );
|
||||||
|
}
|
||||||
|
|
||||||
|
$passes++;
|
||||||
|
}
|
||||||
|
|
||||||
for my $chainref ( @chains ) {
|
for my $chainref ( @chains ) {
|
||||||
$chainref->{rules} = combine_dports( $chainref, @{$chainref->{rules}} );
|
$chainref->{rules} = combine_dports( $chainref, @{$chainref->{rules}} );
|
||||||
}
|
}
|
||||||
|
|
||||||
$passes++;
|
++$passes;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -3483,7 +3598,7 @@ sub source_exclusion( $$ ) {
|
|||||||
|
|
||||||
my $table = reftype $target ? $target->{table} : 'filter';
|
my $table = reftype $target ? $target->{table} : 'filter';
|
||||||
|
|
||||||
my $chainref = new_chain( $table , newexclusionchain( $table ) );
|
my $chainref = dont_move new_chain( $table , newexclusionchain( $table ) );
|
||||||
|
|
||||||
add_ijump( $chainref, j => 'RETURN', imatch_source_net( $_ ) ) for @$exclusions;
|
add_ijump( $chainref, j => 'RETURN', imatch_source_net( $_ ) ) for @$exclusions;
|
||||||
add_ijump( $chainref, g => $target );
|
add_ijump( $chainref, g => $target );
|
||||||
@ -3505,7 +3620,7 @@ sub source_iexclusion( $$$$$;@ ) {
|
|||||||
$source = $1;
|
$source = $1;
|
||||||
@exclusion = mysplit( $2 );
|
@exclusion = mysplit( $2 );
|
||||||
|
|
||||||
my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
|
my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );
|
||||||
|
|
||||||
add_ijump( $chainref1 , j => 'RETURN', imatch_source_net( $_ ) ) for @exclusion;
|
add_ijump( $chainref1 , j => 'RETURN', imatch_source_net( $_ ) ) for @exclusion;
|
||||||
|
|
||||||
@ -3534,7 +3649,7 @@ sub dest_exclusion( $$ ) {
|
|||||||
|
|
||||||
my $table = reftype $target ? $target->{table} : 'filter';
|
my $table = reftype $target ? $target->{table} : 'filter';
|
||||||
|
|
||||||
my $chainref = new_chain( $table , newexclusionchain( $table ) );
|
my $chainref = dont_move new_chain( $table , newexclusionchain( $table ) );
|
||||||
|
|
||||||
add_ijump( $chainref, j => 'RETURN', imatch_dest_net( $_ ) ) for @$exclusions;
|
add_ijump( $chainref, j => 'RETURN', imatch_dest_net( $_ ) ) for @$exclusions;
|
||||||
add_ijump( $chainref, g => $target );
|
add_ijump( $chainref, g => $target );
|
||||||
@ -3556,7 +3671,7 @@ sub dest_iexclusion( $$$$$;@ ) {
|
|||||||
$dest = $1;
|
$dest = $1;
|
||||||
@exclusion = mysplit( $2 );
|
@exclusion = mysplit( $2 );
|
||||||
|
|
||||||
my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
|
my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );
|
||||||
|
|
||||||
add_ijump( $chainref1 , j => 'RETURN', imatch_dest_net( $_ ) ) for @exclusion;
|
add_ijump( $chainref1 , j => 'RETURN', imatch_dest_net( $_ ) ) for @exclusion;
|
||||||
|
|
||||||
|
@ -666,11 +666,6 @@ sub compiler {
|
|||||||
# (Produces no output to the compiled script)
|
# (Produces no output to the compiled script)
|
||||||
#
|
#
|
||||||
process_policies;
|
process_policies;
|
||||||
#
|
|
||||||
# N O T R A C K
|
|
||||||
# (Produces no output to the compiled script)
|
|
||||||
#
|
|
||||||
setup_notrack;
|
|
||||||
|
|
||||||
enable_script;
|
enable_script;
|
||||||
|
|
||||||
@ -710,12 +705,10 @@ sub compiler {
|
|||||||
#
|
#
|
||||||
setup_proxy_arp;
|
setup_proxy_arp;
|
||||||
|
|
||||||
my $setting = supplied $config{HELPERS} ? 0 : 1;
|
emit( "#\n# Disable automatic helper association on kernel 3.5.0 and later\n#" ,
|
||||||
|
|
||||||
emit( "#\n# Set automatic helper association on kernel 3.5.0 and later\n#" ,
|
|
||||||
'if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then' ,
|
'if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then' ,
|
||||||
' progress_message "Setting up Automatic Helper Association"',
|
' progress_message "Disabling Kernel Automatic Helper Association"',
|
||||||
" echo $setting > /proc/sys/net/netfilter/nf_conntrack_helper",
|
" echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper",
|
||||||
'fi',
|
'fi',
|
||||||
''
|
''
|
||||||
);
|
);
|
||||||
@ -799,6 +792,10 @@ sub compiler {
|
|||||||
#
|
#
|
||||||
process_rules( $convert );
|
process_rules( $convert );
|
||||||
#
|
#
|
||||||
|
# Process the conntrack file
|
||||||
|
#
|
||||||
|
setup_conntrack;
|
||||||
|
#
|
||||||
# Add Tunnel rules.
|
# Add Tunnel rules.
|
||||||
#
|
#
|
||||||
setup_tunnels;
|
setup_tunnels;
|
||||||
|
@ -606,7 +606,6 @@ sub initialize( $;$ ) {
|
|||||||
EXPORT => 0,
|
EXPORT => 0,
|
||||||
KLUDGEFREE => '',
|
KLUDGEFREE => '',
|
||||||
STATEMATCH => '-m state --state',
|
STATEMATCH => '-m state --state',
|
||||||
UNTRACKED => 0,
|
|
||||||
VERSION => "4.5.6",
|
VERSION => "4.5.6",
|
||||||
CAPVERSION => 40507 ,
|
CAPVERSION => 40507 ,
|
||||||
);
|
);
|
||||||
@ -731,6 +730,7 @@ sub initialize( $;$ ) {
|
|||||||
LEGACY_FASTSTART => undef,
|
LEGACY_FASTSTART => undef,
|
||||||
USE_PHYSICAL_NAMES => undef,
|
USE_PHYSICAL_NAMES => undef,
|
||||||
HELPERS => undef,
|
HELPERS => undef,
|
||||||
|
AUTOHELPERS => undef,
|
||||||
#
|
#
|
||||||
# Packet Disposition
|
# Packet Disposition
|
||||||
#
|
#
|
||||||
@ -4529,6 +4529,7 @@ sub get_configuration( $$$ ) {
|
|||||||
default_yes_no 'LEGACY_FASTSTART' , 'Yes';
|
default_yes_no 'LEGACY_FASTSTART' , 'Yes';
|
||||||
default_yes_no 'USE_PHYSICAL_NAMES' , '';
|
default_yes_no 'USE_PHYSICAL_NAMES' , '';
|
||||||
default_yes_no 'IPSET_WARNINGS' , 'Yes';
|
default_yes_no 'IPSET_WARNINGS' , 'Yes';
|
||||||
|
default_yes_no 'AUTOHELPERS' , 'Yes';
|
||||||
|
|
||||||
if ( supplied $config{HELPERS} ) {
|
if ( supplied $config{HELPERS} ) {
|
||||||
my %helpers_temp = %helpers_enabled;
|
my %helpers_temp = %helpers_enabled;
|
||||||
|
@ -681,7 +681,7 @@ sub add_common_rules ( $ ) {
|
|||||||
my $chain;
|
my $chain;
|
||||||
my $dynamicref;
|
my $dynamicref;
|
||||||
|
|
||||||
my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
|
my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
|
||||||
my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
|
my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
|
||||||
my $level = $config{BLACKLIST_LOGLEVEL};
|
my $level = $config{BLACKLIST_LOGLEVEL};
|
||||||
my $rejectref = $filter_table->{reject};
|
my $rejectref = $filter_table->{reject};
|
||||||
@ -882,7 +882,7 @@ sub add_common_rules ( $ ) {
|
|||||||
add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST );
|
add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST );
|
||||||
}
|
}
|
||||||
|
|
||||||
my @state = $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID';
|
my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID';
|
||||||
|
|
||||||
for my $hostref ( @$list ) {
|
for my $hostref ( @$list ) {
|
||||||
$interface = $hostref->[0];
|
$interface = $hostref->[0];
|
||||||
@ -1187,7 +1187,7 @@ sub setup_mac_lists( $ ) {
|
|||||||
my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
|
my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
|
||||||
my @source = imatch_source_net $hostref->[2];
|
my @source = imatch_source_net $hostref->[2];
|
||||||
|
|
||||||
my @state = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
|
my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
|
||||||
|
|
||||||
if ( $table eq 'filter' ) {
|
if ( $table eq 'filter' ) {
|
||||||
my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
|
my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
|
||||||
|
@ -32,8 +32,8 @@ use Shorewall::Chains qw(:DEFAULT :internal);
|
|||||||
use strict;
|
use strict;
|
||||||
|
|
||||||
our @ISA = qw(Exporter);
|
our @ISA = qw(Exporter);
|
||||||
our @EXPORT = qw( setup_notrack );
|
our @EXPORT = qw( setup_conntrack );
|
||||||
our @EXPORT_OK = qw( );
|
our @EXPORT_OK = qw( handle_helper_rule );
|
||||||
our $VERSION = 'MODULEVERSION';
|
our $VERSION = 'MODULEVERSION';
|
||||||
|
|
||||||
my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
|
my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
|
||||||
@ -41,21 +41,34 @@ my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured
|
|||||||
#
|
#
|
||||||
# Notrack
|
# Notrack
|
||||||
#
|
#
|
||||||
sub process_notrack_rule( $$$$$$$ ) {
|
sub process_conntrack_rule( $$$$$$$$$ ) {
|
||||||
|
|
||||||
my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
|
my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
|
||||||
|
|
||||||
|
require_capability 'RAW_TABLE', 'conntrack rules', '';
|
||||||
|
|
||||||
$proto = '' if $proto eq 'any';
|
$proto = '' if $proto eq 'any';
|
||||||
$ports = '' if $ports eq 'any' || $ports eq 'all';
|
$ports = '' if $ports eq 'any' || $ports eq 'all';
|
||||||
$sports = '' if $sports eq 'any' || $sports eq 'all';
|
$sports = '' if $sports eq 'any' || $sports eq 'all';
|
||||||
|
|
||||||
( my $zone, $source) = split /:/, $source, 2;
|
my $zone;
|
||||||
my $zoneref = find_zone $zone;
|
my $restriction = PREROUTE_RESTRICT;
|
||||||
my $chainref = ensure_raw_chain( notrack_chain $zone );
|
|
||||||
my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
|
|
||||||
|
|
||||||
|
unless ( $chainref ) {
|
||||||
|
#
|
||||||
|
# Entry in the conntrack file
|
||||||
|
#
|
||||||
|
if ( $zoneref ) {
|
||||||
|
$zone = $zoneref->{name};
|
||||||
|
} else {
|
||||||
|
($zone, $source) = split /:/, $source, 2;
|
||||||
|
$zoneref = find_zone ( $zone );
|
||||||
|
}
|
||||||
|
|
||||||
|
$chainref = ensure_raw_chain( notrack_chain $zone );
|
||||||
|
$restriction = OUTPUT_RESTRICT if $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER;
|
||||||
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
|
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
|
||||||
require_capability 'RAW_TABLE', 'conntrack rules', '';
|
}
|
||||||
|
|
||||||
my $target = $action;
|
my $target = $action;
|
||||||
my $exception_rule = '';
|
my $exception_rule = '';
|
||||||
@ -122,9 +135,60 @@ sub process_notrack_rule( $$$$$$$ ) {
|
|||||||
$target ,
|
$target ,
|
||||||
$exception_rule );
|
$exception_rule );
|
||||||
|
|
||||||
progress_message " Notrack rule \"$currentline\" $done";
|
progress_message " Conntrack rule \"$currentline\" $done";
|
||||||
|
}
|
||||||
|
|
||||||
$globals{UNTRACKED} = 1;
|
sub handle_helper_rule( $$$$$$$$$$$ ) {
|
||||||
|
my ( $helper, $source, $dest, $proto, $ports, $sports, $sourceref, $action_target, $actionchain, $user, $rule ) = @_;
|
||||||
|
|
||||||
|
if ( $helper ne '-' ) {
|
||||||
|
fatal_error "A HELPER is not allowed with this ACTION" if $action_target;
|
||||||
|
#
|
||||||
|
# This means that an ACCEPT or NAT rule with a helper is being processed
|
||||||
|
#
|
||||||
|
process_conntrack_rule( $actionchain ? ensure_raw_chain( $actionchain ) : undef ,
|
||||||
|
$sourceref ,
|
||||||
|
"CT:helper:$helper",
|
||||||
|
$source ,
|
||||||
|
$dest ,
|
||||||
|
$proto ,
|
||||||
|
$ports ,
|
||||||
|
$sports ,
|
||||||
|
$user );
|
||||||
|
} else {
|
||||||
|
assert( $action_target );
|
||||||
|
#
|
||||||
|
# The target is an action
|
||||||
|
#
|
||||||
|
if ( $actionchain ) {
|
||||||
|
#
|
||||||
|
# And the source is another action chain
|
||||||
|
#
|
||||||
|
expand_rule( ensure_raw_chain( $actionchain ) ,
|
||||||
|
PREROUTE_RESTRICT ,
|
||||||
|
$rule ,
|
||||||
|
$source ,
|
||||||
|
$dest ,
|
||||||
|
'' ,
|
||||||
|
$action_target ,
|
||||||
|
'',
|
||||||
|
'CT' ,
|
||||||
|
'' );
|
||||||
|
} else {
|
||||||
|
expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) ,
|
||||||
|
( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ?
|
||||||
|
OUTPUT_RESTRICT :
|
||||||
|
PREROUTE_RESTRICT ) ,
|
||||||
|
$rule ,
|
||||||
|
$source ,
|
||||||
|
$dest ,
|
||||||
|
'' ,
|
||||||
|
$action_target ,
|
||||||
|
'' ,
|
||||||
|
'CT' ,
|
||||||
|
'' );
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub process_format( $ ) {
|
sub process_format( $ ) {
|
||||||
@ -135,7 +199,7 @@ sub process_format( $ ) {
|
|||||||
$format;
|
$format;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub setup_notrack() {
|
sub setup_conntrack() {
|
||||||
|
|
||||||
my $format = 1;
|
my $format = 1;
|
||||||
my $action = 'NOTRACK';
|
my $action = 'NOTRACK';
|
||||||
@ -188,10 +252,10 @@ sub setup_notrack() {
|
|||||||
|
|
||||||
if ( $source eq 'all' ) {
|
if ( $source eq 'all' ) {
|
||||||
for my $zone (all_zones) {
|
for my $zone (all_zones) {
|
||||||
process_notrack_rule( $action, $zone, $dest, $proto, $ports, $sports, $user );
|
process_conntrack_rule( undef, undef, $action, $zone, $dest, $proto, $ports, $sports, $user );
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
process_notrack_rule( $action, $source, $dest, $proto, $ports, $sports, $user );
|
process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -34,6 +34,7 @@ use Shorewall::Zones;
|
|||||||
use Shorewall::Chains qw(:DEFAULT :internal);
|
use Shorewall::Chains qw(:DEFAULT :internal);
|
||||||
use Shorewall::IPAddrs;
|
use Shorewall::IPAddrs;
|
||||||
use Shorewall::Nat qw(:rules);
|
use Shorewall::Nat qw(:rules);
|
||||||
|
use Shorewall::Raw qw( handle_helper_rule );
|
||||||
use Scalar::Util 'reftype';
|
use Scalar::Util 'reftype';
|
||||||
|
|
||||||
use strict;
|
use strict;
|
||||||
@ -91,7 +92,9 @@ my %rulecolumns = ( action => 0,
|
|||||||
connlimit => 10,
|
connlimit => 10,
|
||||||
time => 11,
|
time => 11,
|
||||||
headers => 12,
|
headers => 12,
|
||||||
switch => 13 );
|
switch => 13,
|
||||||
|
helper => 14,
|
||||||
|
);
|
||||||
|
|
||||||
use constant { MAX_MACRO_NEST_LEVEL => 5 };
|
use constant { MAX_MACRO_NEST_LEVEL => 5 };
|
||||||
|
|
||||||
@ -1424,7 +1427,7 @@ sub process_actions() {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
sub process_rule1 ( $$$$$$$$$$$$$$$$$ );
|
sub process_rule1 ( $$$$$$$$$$$$$$$$$$ );
|
||||||
|
|
||||||
#
|
#
|
||||||
# Populate an action invocation chain. As new action tuples are encountered,
|
# Populate an action invocation chain. As new action tuples are encountered,
|
||||||
@ -1457,14 +1460,14 @@ sub process_action( $) {
|
|||||||
|
|
||||||
while ( read_a_line( NORMAL_READ ) ) {
|
while ( read_a_line( NORMAL_READ ) ) {
|
||||||
|
|
||||||
my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );
|
my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper );
|
||||||
|
|
||||||
if ( $format == 1 ) {
|
if ( $format == 1 ) {
|
||||||
($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
|
($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
|
||||||
split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
|
split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
|
||||||
$origdest = $connlimit = $time = $headers = $condition = '-';
|
$origdest = $connlimit = $time = $headers = $condition = '-';
|
||||||
} else {
|
} else {
|
||||||
($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition )
|
($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
|
||||||
= split_line1 'action file', \%rulecolumns, $action_commands;
|
= split_line1 'action file', \%rulecolumns, $action_commands;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1502,6 +1505,7 @@ sub process_action( $) {
|
|||||||
$time,
|
$time,
|
||||||
$headers,
|
$headers,
|
||||||
$condition,
|
$condition,
|
||||||
|
$helper,
|
||||||
0 );
|
0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1531,8 +1535,8 @@ sub use_policy_action( $ ) {
|
|||||||
#
|
#
|
||||||
# Expand a macro rule from the rules file
|
# Expand a macro rule from the rules file
|
||||||
#
|
#
|
||||||
sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
|
sub process_macro ( $$$$$$$$$$$$$$$$$$$) {
|
||||||
my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $wildcard ) = @_;
|
my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
|
||||||
|
|
||||||
my $nocomment = no_comment;
|
my $nocomment = no_comment;
|
||||||
|
|
||||||
@ -1550,13 +1554,13 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
|
|||||||
|
|
||||||
while ( read_a_line( NORMAL_READ ) ) {
|
while ( read_a_line( NORMAL_READ ) ) {
|
||||||
|
|
||||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );
|
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper);
|
||||||
|
|
||||||
if ( $format == 1 ) {
|
if ( $format == 1 ) {
|
||||||
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
|
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
|
||||||
( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = qw/- - - - - -/;
|
( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = qw/- - - - - - -/;
|
||||||
} else {
|
} else {
|
||||||
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
|
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error 'TARGET must be specified' if $mtarget eq '-';
|
fatal_error 'TARGET must be specified' if $mtarget eq '-';
|
||||||
@ -1635,6 +1639,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
|
|||||||
merge_macro_column( $mtime, $time ),
|
merge_macro_column( $mtime, $time ),
|
||||||
merge_macro_column( $mheaders, $headers ),
|
merge_macro_column( $mheaders, $headers ),
|
||||||
merge_macro_column( $mcondition, $condition ),
|
merge_macro_column( $mcondition, $condition ),
|
||||||
|
merge_macro_column( $mhelper, $helper ),
|
||||||
$wildcard
|
$wildcard
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -1667,7 +1672,7 @@ sub verify_audit($;$$) {
|
|||||||
# Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
|
# Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
|
||||||
# body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
|
# body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
|
||||||
#
|
#
|
||||||
sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
|
sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
||||||
my ( $chainref, #reference to Action Chain if we are being called from process_action(); undef otherwise
|
my ( $chainref, #reference to Action Chain if we are being called from process_action(); undef otherwise
|
||||||
$target,
|
$target,
|
||||||
$current_param,
|
$current_param,
|
||||||
@ -1684,6 +1689,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
|
|||||||
$time,
|
$time,
|
||||||
$headers,
|
$headers,
|
||||||
$condition,
|
$condition,
|
||||||
|
$helper,
|
||||||
$wildcard ) = @_;
|
$wildcard ) = @_;
|
||||||
|
|
||||||
my ( $action, $loglevel) = split_action $target;
|
my ( $action, $loglevel) = split_action $target;
|
||||||
@ -1735,6 +1741,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
|
|||||||
$time,
|
$time,
|
||||||
$headers,
|
$headers,
|
||||||
$condition,
|
$condition,
|
||||||
|
$helper,
|
||||||
$wildcard );
|
$wildcard );
|
||||||
|
|
||||||
$macro_nest_level--;
|
$macro_nest_level--;
|
||||||
@ -1776,12 +1783,13 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
|
|||||||
#
|
#
|
||||||
process_action( $ref );
|
process_action( $ref );
|
||||||
#
|
#
|
||||||
# Processing the action may determine that the action or one of it's dependents does NAT, so:
|
# Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
|
||||||
#
|
#
|
||||||
# - Refresh $actiontype
|
# - Refresh $actiontype
|
||||||
# - Create the associate nat table chain if appropriate.
|
# - Create the associated nat and/or table chain if appropriate.
|
||||||
#
|
#
|
||||||
ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
|
ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
|
||||||
|
ensure_chain( 'raw', $ref->{name} ) if ( $actiontype & HELPER );
|
||||||
}
|
}
|
||||||
|
|
||||||
$action = $basictarget; # Remove params, if any, from $action.
|
$action = $basictarget; # Remove params, if any, from $action.
|
||||||
@ -1796,6 +1804,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
|
|||||||
$targets{$inaction} |= NATRULE if $inaction;
|
$targets{$inaction} |= NATRULE if $inaction;
|
||||||
fatal_error "NAT rules are only allowed in the NEW section" unless $section eq 'NEW';
|
fatal_error "NAT rules are only allowed in the NEW section" unless $section eq 'NEW';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( $actiontype & HELPER ) {
|
||||||
|
fatal_error "HELPER rules are only allowed in the NEW section" unless $section eq 'NEW';
|
||||||
|
}
|
||||||
#
|
#
|
||||||
# Take care of irregular syntax and targets
|
# Take care of irregular syntax and targets
|
||||||
#
|
#
|
||||||
@ -1807,7 +1819,13 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
|
|||||||
$bt =~ s/[-+!]$//;
|
$bt =~ s/[-+!]$//;
|
||||||
|
|
||||||
my %functions =
|
my %functions =
|
||||||
( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
|
( ACCEPT => sub() {
|
||||||
|
if ( $blacklist ) {
|
||||||
|
$action = 'RETURN';
|
||||||
|
} elsif ( $helper ne '-' ) {
|
||||||
|
$actiontype |= HELPER;
|
||||||
|
}
|
||||||
|
} ,
|
||||||
|
|
||||||
REDIRECT => sub () {
|
REDIRECT => sub () {
|
||||||
my $z = $actiontype & NATONLY ? '' : firewall_zone;
|
my $z = $actiontype & NATONLY ? '' : firewall_zone;
|
||||||
@ -1838,6 +1856,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
|
|||||||
|
|
||||||
if ( $function ) {
|
if ( $function ) {
|
||||||
$function->();
|
$function->();
|
||||||
|
} elsif ( $actiontype & NATRULE && $helper ne '-' ) {
|
||||||
|
$actiontype |= HELPER;
|
||||||
} elsif ( $actiontype & SET ) {
|
} elsif ( $actiontype & SET ) {
|
||||||
my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
|
my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
|
||||||
|
|
||||||
@ -2027,8 +2047,26 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
|
|||||||
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
|
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
|
||||||
$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist;
|
$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
# Generate CT rules(s), if any
|
||||||
|
#
|
||||||
|
if ( $actiontype & HELPER ) {
|
||||||
|
handle_helper_rule( $helper,
|
||||||
|
$source,
|
||||||
|
$origdest ? $origdest : $dest,
|
||||||
|
$proto,
|
||||||
|
$ports,
|
||||||
|
$sports,
|
||||||
|
$sourceref,
|
||||||
|
( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
|
||||||
|
$inaction ? $chain : '' ,
|
||||||
|
$user ,
|
||||||
|
$rule ,
|
||||||
|
);
|
||||||
|
|
||||||
|
$targets{$inaction} |= HELPER if $inaction;
|
||||||
|
}
|
||||||
|
|
||||||
# Generate NAT rule(s), if any
|
# Generate NAT rule(s), if any
|
||||||
#
|
#
|
||||||
if ( $actiontype & NATRULE ) {
|
if ( $actiontype & NATRULE ) {
|
||||||
@ -2049,8 +2087,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
|
|||||||
$rule,
|
$rule,
|
||||||
$source,
|
$source,
|
||||||
( $actiontype & ACTION ) ? '' : $loglevel,
|
( $actiontype & ACTION ) ? '' : $loglevel,
|
||||||
$log_action
|
$log_action,
|
||||||
);
|
);
|
||||||
|
|
||||||
#
|
#
|
||||||
# After NAT:
|
# After NAT:
|
||||||
# - the destination port will be the server port ($ports) -- we did that above
|
# - the destination port will be the server port ($ports) -- we did that above
|
||||||
@ -2069,6 +2108,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
|
|||||||
$loglevel = '';
|
$loglevel = '';
|
||||||
$action = 'ACCEPT';
|
$action = 'ACCEPT';
|
||||||
$origdest = ALLIP if $origdest =~ /[+]/;
|
$origdest = ALLIP if $origdest =~ /[+]/;
|
||||||
|
$helper = '-';
|
||||||
}
|
}
|
||||||
} elsif ( $actiontype & NONAT ) {
|
} elsif ( $actiontype & NONAT ) {
|
||||||
#
|
#
|
||||||
@ -2224,7 +2264,7 @@ sub build_zone_list( $$$\$\$ ) {
|
|||||||
# Process a Record in the rules file
|
# Process a Record in the rules file
|
||||||
#
|
#
|
||||||
sub process_rule ( ) {
|
sub process_rule ( ) {
|
||||||
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition )
|
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
|
||||||
= split_line1 'rules file', \%rulecolumns, $rule_commands;
|
= split_line1 'rules file', \%rulecolumns, $rule_commands;
|
||||||
|
|
||||||
fatal_error 'ACTION must be specified' if $target eq '-';
|
fatal_error 'ACTION must be specified' if $target eq '-';
|
||||||
@ -2281,6 +2321,7 @@ sub process_rule ( ) {
|
|||||||
$time,
|
$time,
|
||||||
$headers,
|
$headers,
|
||||||
$condition,
|
$condition,
|
||||||
|
$helper,
|
||||||
$wild );
|
$wild );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -2305,7 +2346,7 @@ sub classic_blacklist() {
|
|||||||
my $fw = firewall_zone;
|
my $fw = firewall_zone;
|
||||||
my @zones = off_firewall_zones;
|
my @zones = off_firewall_zones;
|
||||||
my @vservers = vserver_zones;
|
my @vservers = vserver_zones;
|
||||||
my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
|
my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
|
||||||
my $result;
|
my $result;
|
||||||
|
|
||||||
for my $zone ( @zones ) {
|
for my $zone ( @zones ) {
|
||||||
|
@ -61,7 +61,7 @@ sub setup_tunnels() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
|
my @options = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
|
||||||
|
|
||||||
add_tunnel_rule $inchainref, p => 50, @$source;
|
add_tunnel_rule $inchainref, p => 50, @$source;
|
||||||
add_tunnel_rule $outchainref, p => 50, @$dest;
|
add_tunnel_rule $outchainref, p => 50, @$dest;
|
||||||
|
@ -57,6 +57,7 @@ our @EXPORT = qw( NOTHING
|
|||||||
all_parent_zones
|
all_parent_zones
|
||||||
complex_zones
|
complex_zones
|
||||||
vserver_zones
|
vserver_zones
|
||||||
|
on_firewall_zones
|
||||||
off_firewall_zones
|
off_firewall_zones
|
||||||
non_firewall_zones
|
non_firewall_zones
|
||||||
single_interface
|
single_interface
|
||||||
@ -117,7 +118,8 @@ use constant { IN_OUT => 1,
|
|||||||
#
|
#
|
||||||
# @zones contains the ordered list of zones with sub-zones appearing before their parents.
|
# @zones contains the ordered list of zones with sub-zones appearing before their parents.
|
||||||
#
|
#
|
||||||
# %zones{<zone1> => {type => <zone type> FIREWALL, IP, IPSEC, BPORT;
|
# %zones{<zone1> => {name => <name>,
|
||||||
|
# type => <zone type> FIREWALL, IP, IPSEC, BPORT;
|
||||||
# complex => 0|1
|
# complex => 0|1
|
||||||
# super => 0|1
|
# super => 0|1
|
||||||
# options => { in_out => < policy match string >
|
# options => { in_out => < policy match string >
|
||||||
@ -838,6 +840,10 @@ sub all_zones() {
|
|||||||
@zones;
|
@zones;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub on_firewall_zones() {
|
||||||
|
grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) ) , @zones );
|
||||||
|
}
|
||||||
|
|
||||||
sub off_firewall_zones() {
|
sub off_firewall_zones() {
|
||||||
grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) ) , @zones );
|
grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) ) , @zones );
|
||||||
}
|
}
|
||||||
|
@ -116,6 +116,8 @@ ADMINISABSENTMINDED=Yes
|
|||||||
|
|
||||||
AUTOCOMMENT=Yes
|
AUTOCOMMENT=Yes
|
||||||
|
|
||||||
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=No
|
||||||
|
|
||||||
BLACKLISTNEWONLY=Yes
|
BLACKLISTNEWONLY=Yes
|
||||||
|
@ -127,6 +127,8 @@ ADMINISABSENTMINDED=Yes
|
|||||||
|
|
||||||
AUTOCOMMENT=Yes
|
AUTOCOMMENT=Yes
|
||||||
|
|
||||||
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=No
|
||||||
|
|
||||||
BLACKLISTNEWONLY=Yes
|
BLACKLISTNEWONLY=Yes
|
||||||
|
@ -125,6 +125,8 @@ ADMINISABSENTMINDED=Yes
|
|||||||
|
|
||||||
AUTOCOMMENT=Yes
|
AUTOCOMMENT=Yes
|
||||||
|
|
||||||
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=No
|
||||||
|
|
||||||
BLACKLISTNEWONLY=Yes
|
BLACKLISTNEWONLY=Yes
|
||||||
|
@ -128,6 +128,8 @@ ADMINISABSENTMINDED=Yes
|
|||||||
|
|
||||||
AUTOCOMMENT=Yes
|
AUTOCOMMENT=Yes
|
||||||
|
|
||||||
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=No
|
||||||
|
|
||||||
BLACKLISTNEWONLY=Yes
|
BLACKLISTNEWONLY=Yes
|
||||||
|
@ -116,6 +116,8 @@ ADMINISABSENTMINDED=Yes
|
|||||||
|
|
||||||
AUTOCOMMENT=Yes
|
AUTOCOMMENT=Yes
|
||||||
|
|
||||||
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=No
|
||||||
|
|
||||||
BLACKLISTNEWONLY=Yes
|
BLACKLISTNEWONLY=Yes
|
||||||
|
@ -96,7 +96,7 @@
|
|||||||
role="bold">none</emphasis>}</term>
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -106,7 +106,7 @@
|
|||||||
role="bold">none</emphasis>}</term>
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -116,7 +116,7 @@
|
|||||||
role="bold">none</emphasis>}</term>
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -126,7 +126,7 @@
|
|||||||
role="bold">none</emphasis>}</term>
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -299,6 +299,49 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
|
||||||
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 4.5.8. When set to <option>Yes</option>
|
||||||
|
(the default), the generated ruleset will automatically associate
|
||||||
|
helpers with applications that require them (FTP, IRC, etc.). When
|
||||||
|
configuring your firewall on systems running kernel 3.5 or later, it
|
||||||
|
is recommended that you:</para>
|
||||||
|
|
||||||
|
<orderedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>Set AUTOHELPERS=No.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Either:</para>
|
||||||
|
|
||||||
|
<orderedlist numeration="loweralpha">
|
||||||
|
<listitem>
|
||||||
|
<para>Modify <ulink
|
||||||
|
url="shorewall-conntrack.html">shorewall-conntrack</ulink>
|
||||||
|
(5) to only apply helpers where they are required; or</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Specify the appropriate helper in the HELPER column in
|
||||||
|
<ulink url="shorewall-rules.html">shorewall-rules</ulink>
|
||||||
|
(5).</para>
|
||||||
|
|
||||||
|
<note>
|
||||||
|
<para>The macros for those applications requiring a helper
|
||||||
|
automatically specify the appropriate HELPER where
|
||||||
|
required.</para>
|
||||||
|
</note>
|
||||||
|
</listitem>
|
||||||
|
</orderedlist>
|
||||||
|
</listitem>
|
||||||
|
</orderedlist>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
|
<term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
@ -482,7 +525,7 @@
|
|||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para/>
|
<para></para>
|
||||||
|
|
||||||
<para>If CONFIG_PATH is not given or if it is set to the empty
|
<para>If CONFIG_PATH is not given or if it is set to the empty
|
||||||
value then the contents of /usr/share/shorewall/configpath are
|
value then the contents of /usr/share/shorewall/configpath are
|
||||||
@ -739,8 +782,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>When HELPERS is specified on a system running Kernel 3.5.0 or
|
<para>When HELPERS is specified on a system running Kernel 3.5.0 or
|
||||||
later, automatic association of helpers to connections is disabled.
|
later, automatic association of helpers to connections is
|
||||||
</para>
|
disabled.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -889,7 +932,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<para/>
|
<para></para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>If this variable is not set or is given an empty value
|
<para>If this variable is not set or is given an empty value
|
||||||
@ -1099,7 +1142,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para/>
|
<para></para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>For example, using the default LOGFORMAT, the log prefix for
|
<para>For example, using the default LOGFORMAT, the log prefix for
|
||||||
@ -1116,7 +1159,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
control your firewall after you enable this option.</para>
|
control your firewall after you enable this option.</para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para/>
|
<para></para>
|
||||||
|
|
||||||
<caution>
|
<caution>
|
||||||
<para>Do not use this option if the resulting log messages will
|
<para>Do not use this option if the resulting log messages will
|
||||||
@ -1780,7 +1823,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
role="bold">"</emphasis></term>
|
role="bold">"</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
|
|||||||
|
|
||||||
AUTOCOMMENT=Yes
|
AUTOCOMMENT=Yes
|
||||||
|
|
||||||
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=No
|
||||||
|
|
||||||
BLACKLISTNEWONLY=Yes
|
BLACKLISTNEWONLY=Yes
|
||||||
|
@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
|
|||||||
|
|
||||||
AUTOCOMMENT=Yes
|
AUTOCOMMENT=Yes
|
||||||
|
|
||||||
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=No
|
||||||
|
|
||||||
BLACKLISTNEWONLY=Yes
|
BLACKLISTNEWONLY=Yes
|
||||||
|
@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
|
|||||||
|
|
||||||
AUTOCOMMENT=Yes
|
AUTOCOMMENT=Yes
|
||||||
|
|
||||||
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=No
|
||||||
|
|
||||||
BLACKLISTNEWONLY=Yes
|
BLACKLISTNEWONLY=Yes
|
||||||
|
@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
|
|||||||
|
|
||||||
AUTOCOMMENT=Yes
|
AUTOCOMMENT=Yes
|
||||||
|
|
||||||
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=No
|
||||||
|
|
||||||
BLACKLISTNEWONLY=Yes
|
BLACKLISTNEWONLY=Yes
|
||||||
|
@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes
|
|||||||
|
|
||||||
AUTOCOMMENT=Yes
|
AUTOCOMMENT=Yes
|
||||||
|
|
||||||
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=No
|
||||||
|
|
||||||
BLACKLISTNEWONLY=Yes
|
BLACKLISTNEWONLY=Yes
|
||||||
|
@ -82,7 +82,7 @@
|
|||||||
role="bold">none</emphasis>}</term>
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -92,7 +92,7 @@
|
|||||||
role="bold">none</emphasis>}</term>
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -102,7 +102,7 @@
|
|||||||
role="bold">none</emphasis>}</term>
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -112,7 +112,7 @@
|
|||||||
role="bold">none</emphasis>}</term>
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -228,6 +228,49 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
|
||||||
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 4.5.8. When set to <option>Yes</option>
|
||||||
|
(the default), the generated ruleset will automatically associate
|
||||||
|
helpers with applications that require them (FTP, IRC, etc.). When
|
||||||
|
configuring your firewall on systems running kernel 3.5 or later, it
|
||||||
|
is recommended that you:</para>
|
||||||
|
|
||||||
|
<orderedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>Set AUTOHELPERS=No.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Either:</para>
|
||||||
|
|
||||||
|
<orderedlist numeration="loweralpha">
|
||||||
|
<listitem>
|
||||||
|
<para>Modify <ulink
|
||||||
|
url="shorewall-conntrack.html">shorewall6-conntrack</ulink>
|
||||||
|
(5) to only apply helpers where they are required; or</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Specify the appropriate helper in the HELPER column in
|
||||||
|
<ulink url="shorewall6-rules.html">shorewall6-rules</ulink>
|
||||||
|
(5).</para>
|
||||||
|
|
||||||
|
<note>
|
||||||
|
<para>The macros for those applications requiring a helper
|
||||||
|
automatically specify the appropriate HELPER where
|
||||||
|
required.</para>
|
||||||
|
</note>
|
||||||
|
</listitem>
|
||||||
|
</orderedlist>
|
||||||
|
</listitem>
|
||||||
|
</orderedlist>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
|
<term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
@ -648,8 +691,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>When HELPERS is specified on a system running Kernel 3.5.0 or
|
<para>When HELPERS is specified on a system running Kernel 3.5.0 or
|
||||||
later, automatic association of helpers to connections is disabled.
|
later, automatic association of helpers to connections is
|
||||||
</para>
|
disabled.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -962,7 +1005,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para/>
|
<para></para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>For example, using the default LOGFORMAT, the log prefix for
|
<para>For example, using the default LOGFORMAT, the log prefix for
|
||||||
@ -979,7 +1022,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
control your firewall after you enable this option.</para>
|
control your firewall after you enable this option.</para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para/>
|
<para></para>
|
||||||
|
|
||||||
<caution>
|
<caution>
|
||||||
<para>Do not use this option if the resulting log messages will
|
<para>Do not use this option if the resulting log messages will
|
||||||
@ -1578,7 +1621,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
role="bold">"</emphasis></term>
|
role="bold">"</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -94,11 +94,11 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>This version of Shorewall requires the Digest::SHA1 Perl
|
<para>This version of Shorewall requires the Digest::SHA1 or the
|
||||||
module.</para>
|
Digest:SHA Perl module.</para>
|
||||||
|
|
||||||
<simplelist>
|
<simplelist>
|
||||||
<member>Debian: libdigest-sha1-perl</member>
|
<member>Debian: libdigest-sha-perl</member>
|
||||||
|
|
||||||
<member>Fedora: perl-Digest-SHA1</member>
|
<member>Fedora: perl-Digest-SHA1</member>
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user