Assume 'multi' if canonical chain exists; add PROTOCOL and PORT columns to the blacklist file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@236 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-09-14 22:00:52 +00:00
parent 3a107844d5
commit 80498aa034
4 changed files with 79 additions and 50 deletions


@ -12,8 +12,19 @@
# MAC addresses must be prefixed with "~" and use "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# Each ADDRESS/SUBNET may be optionally followed by a protocol name or number
# and an optional port number. If these are supplied, only packets matching
# the protocol and the port (if supplied) are blocked.
#
# Example:
#
# To block DNS queries from address 192.0.2.126:
#
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
###############################################################################
#ADDRESS/SUBNET
#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
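Review bot: the new comment block (the "Each ADDRESS/SUBNET may be optionally followed by ..." paragraph) does not say what happens when a PORT is given without a PROTOCOL, nor that PORT is only usable with tcp or udp; the generated rule uses `--dport`, which iptables only accepts together with a protocol match that has ports, and the script code in this commit only sets the port option inside `if [ -n "$protocol" ]`, so a lone PORT is silently dropped. Suggest adding after "are blocked.": "PORT may only be given when PROTOCOL is tcp or udp; a PORT without a PROTOCOL is ignored."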


@ -1,26 +1,19 @@
Changes since 1.3.6
Changes since 1.3.7
1. Comments in the common.def file have been updated.
1. Correct rules file handling bug introduced in 1.3.7.
2. icmp.def deimplemented
2. Correct handling of DNAT rule where source is $FW
3. FORWARDPING implemented.
3. Reverse order of RFC 1918 and DHCP filtering
4. Made MULTIPORT work with iptables 1.2.7
4. "shorewall refresh" fix for FORWARDPING=Yes
5. Corrected ADD_SNAT_ALIASES
6. Work around iptables 1.2.7 protocol match bug.
7. Remove themes from documentation and web site.
8. Comments in the interfaces file improved.
9. Typo in the policy file corrected.
10. Loopback class A added to rfc1918.
5. Replace tab with space in blacklist output.
6. Added NEWNOTSYN option
7. Assume 'multi' if canonical chain exists.
8. Add PROTOCOL and PORT columns to blacklist file
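Review bot: entry 8 is the only entry in this file without a trailing period; write "Add PROTOCOL and PORT columns to blacklist file." for consistency. In entry 7, "canonical chain" is not explained anywhere in the changelog; spelling it out the way the release notes do (the za2zb or zb2za chain) would make the entry understandable on its own.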


@ -2506,10 +2506,14 @@ setup_intrazone() # $1 = zone
# Process a record from the blacklist file #
# #
# $subnet = address/subnet #
# $protocol = Protocol Number/Name #
# $port = Port Number/Name #
###############################################################################
process_blacklist_rec() {
local source
local addr
local proto=
local dport
for addr in `separate_list $subnet`; do
case $addr in
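Review bot: `local dport` is declared without a value while `local proto=` is explicitly emptied; both are only assigned further down inside `if [ -n "$protocol" ]`, so initialise them the same way (`local dport=`) to make it obvious that both are empty when no protocol is given. The header comment should also record that $port is only honoured together with $protocol, since that is how the function behaves.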
@ -2521,13 +2525,26 @@ process_blacklist_rec() {
source="-s $addr"
;;
esac
if [ -n "$protocol" ]; then
proto=" -p $protocol "
[ -n "$port" ] && dport="--dport $port"
fi
[ -n "$BLACKLIST_LOGLEVEL" ] && \
run_iptables -A blacklst $source -j LOG $LOGPARMS --log-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
--log-level $BLACKLIST_LOGLEVEL
run_iptables -A blacklst $source -j $disposition
run_iptables -A blacklst $source $proto $dport -j \
LOG $LOGPARMS --log-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
--log-level $BLACKLIST_LOGLEVEL
run_iptables -A blacklst $source $proto $dport -j $disposition
if [ -n "$port" ]; then
addr="$addr $protocol $port"
elif [ -n "$protocol" ]; then
addr="$addr $protocol"
fi
echo " $addr added to Black List"
done
}
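Review bot: the reporting at the end of the loop is misleading for a record with a PORT but no PROTOCOL: `if [ -n "$port" ]` is tested first, so `$addr $protocol $port` is printed as if the port were blocked, while `dport` was never assigned (it is only set inside `if [ -n "$protocol" ]`) and the rule that was added matches every protocol. Either reject such a record with an error before `run_iptables`, or make the echo follow the same `protocol`/`port` conditions as the rule building. A PORT combined with a protocol that has no ports also produces a `--dport` option that iptables rejects; checking for tcp/udp here would give a clearer message than the iptables failure. Minor: the surrounding spaces in `proto=" -p $protocol "` are unnecessary; `proto="-p $protocol"` matches the form of `dport`.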
@ -2557,8 +2574,8 @@ setup_blacklist() {
[ "$disposition" = REJECT ] && disposition=reject
while read subnet; do
expandv subnet
while read subnet protocol port; do
expandv subnet protocol port
process_blacklist_rec
done < $TMP_DIR/blacklist
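Review bot: `read subnet protocol port` assigns everything after the second field to `port`, so a record with a stray fourth column ends up as `--dport 53 extra` and fails inside iptables rather than as a parse error. Read one more variable (`while read subnet protocol port extra; do`) and reject the record when `$extra` is non-empty.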
@ -2581,8 +2598,8 @@ refresh_blacklist() {
run_iptables -F blacklst
while read subnet; do
expandv subnet
while read subnet protocol port; do
expandv subnet protocol port
process_blacklist_rec
done < $TMP_DIR/blacklist
fi
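Review bot: this loop is now a verbatim copy of the one in setup_blacklist(), and this very change had to be applied to both; moving the `while read subnet protocol port ... done < $TMP_DIR/blacklist` loop into a helper called from both functions would keep the two from drifting apart.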
@ -3115,19 +3132,29 @@ activate_rules()
chain="`rules_chain $zone $zone1`"
if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then
have_canonical=Yes
else
have_canonical=
fi
for host in $source_hosts; do
interface=${host%:*}
subnet=${host#*:}
chain1=`forward_chain $interface`
case $interface in
*+*)
multi=yes
;;
*)
list_search $interface $multi_interfaces && multi=yes || multi=
;;
esac
if [ -n "$have_canonical" ]; then
multi=yes
else
case $interface in
*+*)
multi=yes
;;
*)
list_search $interface $multi_interfaces && multi=yes || multi=
;;
esac
fi
for host1 in $dest_hosts; do
interface1=${host1%:*}
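Review bot: nothing in the code says why an existing `${zone}2${zone1}` or `${zone1}2${zone}` chain should force `multi=yes`; add a comment above `if [ -n "$have_canonical" ]` with the rationale given in the release notes (the 'multi' option is not needed when a za2zb or zb2za chain exists). Also note that `have_canonical` is computed once per zone pair, before the interface loops, and is not declared `local` in the visible lines; since it now overrides the per-interface `case $interface` test for every interface of the pair, a comment stating that this is intended would help the next reader.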


@ -3,22 +3,20 @@ fixes.
New features include:
1) The 'icmp.def' file is now empty! The rules in that file were
required in ipchains firewalls but are not required in Shorewall.
Users who have ALLOWRELATED=No in shorewall.conf should see the
Upgrade Issues.
2) A 'FORWARDPING' option has been added to shorewall.conf. The effect
of setting this variable to Yes is the same as the effect of adding
an ACCEPT rule for ICMP echo-request in
/etc/shorewall/icmpdef. Users who have such a rule in icmpdef are
encouraged to switch to FORWARDPING=Yes.
3) The loopback CLASS A Network (127.0.0.0/8) has been added to the
rfc1918 file.
4) Shorewall now works with iptables 1.2.7.
5) The documentation and Web site no longer use FrontPage themes.
I would like to thank John Distler for his valuable input regarding TCP
SYN and ICMP treatment in Shorewall. That input has led to marked
improvement in Shorewall in the last two releases.
1. A NEWNOTSYN option has been added to shorewall.conf. This option
determines whether Shorewall accepts TCP packets which are not part
of an established connection and that are not 'SYN' packets (SYN
flag on and ACK flag off).
2. The need for the 'multi' option to communicate between zones za and
zb on the same interface is removed in the case where the chain
'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
a. There is a policy for za to zb.
b. There is at least one rule for za to zb.
3. The /etc/shorewall/blacklist file now contains three columns. In
addition to the SUBNET/ADDRESS column, there are optional PROTOCOL
and PORT columns to block only certain applications from the
blacklisted addresses.
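Review bot: in item 2, "'za2zb' will exist if: a. ... b. ..." leaves open whether both conditions must hold; if one of them suffices, write "if either of the following holds". Item 3 should also state the constraint the script imposes, namely that PORT is only honoured together with a PROTOCOL (and only makes sense for tcp and udp, since the rule is built with `--dport`), so that the release notes and the blacklist file comments say the same thing.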