forked from extern/shorewall_code
Add OLD_PING_HANDLING option
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@406 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
3b29150cb2
commit
7fe133fe4a
@ -1,10 +1,5 @@
|
||||
Changes since 1.3.12
|
||||
Changes since 1.3.13
|
||||
|
||||
1. Added 'DNAT-' target.
|
||||
|
||||
2. Print policies in 'check' command.
|
||||
|
||||
3. Added CLEAR_TC option.
|
||||
|
||||
4. Added SHARED_DIR option.
|
||||
1. Fix 'shorewall add' bug.
|
||||
|
||||
2. Add OLD_PING_HANDLING option
|
||||
|
||||
@ -599,12 +599,16 @@ validate_interfaces_file() {
|
||||
|
||||
for option in $options; do
|
||||
case $option in
|
||||
dhcp|noping|filterping|routestopped|norfc1918|multi|tcpflags)
|
||||
;;
|
||||
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
|
||||
;;
|
||||
*)
|
||||
error_message "Warning: Invalid option ($option) in record \"$r\""
|
||||
dhcp|routestopped|norfc1918|multi|tcpflags)
|
||||
;;
|
||||
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
|
||||
;;
|
||||
noping|filterping)
|
||||
[ -n "$OLD_PING_HANDLING" ] || \
|
||||
startup_error "Option $option only allowed with old ping handling"
|
||||
;;
|
||||
*)
|
||||
error_message "Warning: Invalid option ($option) in record \"$r\""
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@ -3350,11 +3354,14 @@ initialize_netfilter () {
|
||||
# Build the common chain -- called during [re]start and refresh
|
||||
#
|
||||
build_common_chain() {
|
||||
#
|
||||
# PING
|
||||
#
|
||||
[ -n "$FORWARDPING" ] && \
|
||||
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
|
||||
|
||||
if [ -n "$OLD_PING_HANDLING" ]; then
|
||||
#
|
||||
# PING
|
||||
#
|
||||
[ -n "$FORWARDPING" ] && \
|
||||
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
|
||||
fi
|
||||
#
|
||||
# Common ICMP rules
|
||||
#
|
||||
@ -3907,23 +3914,25 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
|
||||
process_rules $rules
|
||||
|
||||
echo "Setting up ICMP Echo handling..."
|
||||
if [ -n "$OLD_PING_HANDLING" ]; then
|
||||
echo "Setting up ICMP Echo handling..."
|
||||
|
||||
filterping_interfaces="`find_interfaces_by_option filterping`"
|
||||
noping_interfaces="`find_interfaces_by_option noping`"
|
||||
filterping_interfaces="`find_interfaces_by_option filterping`"
|
||||
noping_interfaces="`find_interfaces_by_option noping`"
|
||||
|
||||
for interface in $all_interfaces; do
|
||||
if ! list_search $interface $filterping_interfaces; then
|
||||
if list_search $interface $noping_interfaces; then
|
||||
target=DROP
|
||||
else
|
||||
target=ACCEPT
|
||||
for interface in $all_interfaces; do
|
||||
if ! list_search $interface $filterping_interfaces; then
|
||||
if list_search $interface $noping_interfaces; then
|
||||
target=DROP
|
||||
else
|
||||
target=ACCEPT
|
||||
fi
|
||||
|
||||
run_iptables -A `input_chain $interface` \
|
||||
-p icmp --icmp-type echo-request -j $target
|
||||
fi
|
||||
|
||||
run_iptables -A `input_chain $interface` \
|
||||
-p icmp --icmp-type echo-request -j $target
|
||||
fi
|
||||
done
|
||||
done
|
||||
fi
|
||||
|
||||
policy=`find_file policy`
|
||||
|
||||
@ -4471,6 +4480,7 @@ do_initialize() {
|
||||
TCP_FLAGS_LOG_LEVEL=
|
||||
RFC1918_LOG_LEVEL=
|
||||
MARK_IN_FORWARD_CHAIN=
|
||||
OLD_PING_HANDLING=
|
||||
SHARED_DIR=/usr/lib/shorewall
|
||||
FUNCTIONS=
|
||||
VERSION_FILE=
|
||||
@ -4596,7 +4606,7 @@ do_initialize() {
|
||||
else
|
||||
CLEAR_TC=
|
||||
fi
|
||||
|
||||
OLD_PING_HANDLING=`added_param_value_yes OLD_PING_HANDLING $OLD_PING_HANDLING`
|
||||
|
||||
run_user_exit params
|
||||
|
||||
|
||||
@ -2,48 +2,14 @@ This is a minor release of Shorewall that has a couple of new features.
|
||||
|
||||
New features include:
|
||||
|
||||
1) A new 'DNAT-' action has been added for entries in the
|
||||
/etc/shorewall/rules file. DNAT- is intended for advanced users who
|
||||
wish to minimize the number of rules that connection requests must
|
||||
traverse.
|
||||
|
||||
A Shorewall DNAT rule actually generates two iptables rules: a
|
||||
header rewriting rule in the 'nat' table and an ACCEPT rule in the
|
||||
'filter' table. A DNAT- rule only generates the first of these
|
||||
rules. This is handy when you have several DNAT rules that would
|
||||
generate the same ACCEPT rule.
|
||||
1) An OLD_PING_HANDLING option has been added to shorewall.conf. When
|
||||
set to Yes, Shorewall ping handling is as it has always been (see
|
||||
http://www.shorewall.net/ping.html).
|
||||
|
||||
Here are three rules from my previous rules file:
|
||||
|
||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
|
||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
|
||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
|
||||
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
|
||||
policies just like any other connection request. The FORWARDPING
|
||||
option in shorewall.conf is ignored and the 'noping' and
|
||||
'filterping' options in /etc/shorewall/interfaces will generate an
|
||||
error.
|
||||
|
||||
These three rules ended up generating _three_ copies of
|
||||
|
||||
ACCEPT net dmz:206.124.146.177 tcp smtp
|
||||
|
||||
By writing the rules this way, I end up with only one copy of the
|
||||
ACCEPT rule.
|
||||
|
||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
|
||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
|
||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
|
||||
|
||||
2) The 'shorewall check' command now prints out the applicable policy
|
||||
between each pair of zones.
|
||||
|
||||
3. A new CLEAR_TC option has been added to shorewall.conf. If this
|
||||
option is set to 'No' then Shorewall won't clear the current
|
||||
traffic control rules during [re]start. This setting is intended
|
||||
for use by people that prefer to configure traffic shaping when
|
||||
the network interfaces come up rather than when the firewall
|
||||
is started. If that is what you want to do, set TC_ENABLED=Yes and
|
||||
CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
|
||||
way, your traffic shaping rules can still use the 'fwmark'
|
||||
classifier based on packet marking defined in /etc/shorewall/tcrules.
|
||||
|
||||
4. A new SHARED_DIR variable has been added that allows distribution
|
||||
packagers to easily move the shared directory (default
|
||||
/usr/lib/shorewall). Users should never have a need to change the
|
||||
value of this shorewall.conf setting.
|
||||
|
||||
@ -400,11 +400,21 @@ MUTEX_TIMEOUT=60
|
||||
|
||||
LOGNEWNOTSYN=
|
||||
|
||||
#
|
||||
# Old Ping Handling
|
||||
#
|
||||
# If this option is set to "Yes" then Shorewall will use its old ping handling
|
||||
# facility including the FORWARDPING option below and the 'noping' and
|
||||
# 'filterping' interface options. If this option is set to 'No' then ping
|
||||
# is handled via policy and rules just like any other connection request.
|
||||
#
|
||||
OLD_PING_HANDLING=No
|
||||
|
||||
#
|
||||
# Forward "Ping"
|
||||
#
|
||||
# If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are
|
||||
# forwarded by the firewall.
|
||||
# forwarded by the firewall. This option is only used if OLD_PING_HANDLING=Yes
|
||||
|
||||
FORWARDPING=Yes
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user