forked from extern/shorewall_code
Assume 'multi' if canonical chain exists; add PROTOCOL and PORT columns to the blacklist file
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@236 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
3a107844d5
commit
80498aa034
@ -12,8 +12,19 @@
|
|||||||
# MAC addresses must be prefixed with "~" and use "-" as a separator.
|
# MAC addresses must be prefixed with "~" and use "-" as a separator.
|
||||||
#
|
#
|
||||||
# Example: ~00-A0-C9-15-39-78
|
# Example: ~00-A0-C9-15-39-78
|
||||||
|
#
|
||||||
|
# Each ADDRESS/SUBNET may be optionally followed by a protocol name or number
|
||||||
|
# and an optional port number. If these are supplied, only packets matching
|
||||||
|
# the protocol and the port (if supplied) are blocked.
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
#
|
||||||
|
# To block DNS queries from address 192.0.2.126:
|
||||||
|
#
|
||||||
|
# ADDRESS/SUBNET PROTOCOL PORT
|
||||||
|
# 192.0.2.126 udp 53
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#ADDRESS/SUBNET
|
#ADDRESS/SUBNET PROTOCOL PORT
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
|
||||||
|
|
||||||
|
@ -1,26 +1,19 @@
|
|||||||
Changes since 1.3.6
|
Changes since 1.3.7
|
||||||
|
|
||||||
1. Comments in the common.def file have been updated.
|
1. Correct rules file handling bug introduced in 1.3.7.
|
||||||
|
|
||||||
2. icmp.def deimplemented
|
2. Correct handling of DNAT rule where source is $FW
|
||||||
|
|
||||||
3. FORWARDPING implemented.
|
3. Reverse order of RFC 1918 and DHCP filtering
|
||||||
|
|
||||||
4. Made MULTIPORT work with iptables 1.2.7
|
4. "shorewall refresh" fix for FORWARDPING=Yes
|
||||||
|
|
||||||
5. Corrected ADD_SNAT_ALIASES
|
5. Replace tab with space in blacklist output.
|
||||||
|
|
||||||
6. Work around iptables 1.2.7 protocol match bug.
|
|
||||||
|
|
||||||
7. Remove themes from documentation and web site.
|
|
||||||
|
|
||||||
8. Comments in the interfaces file improved.
|
|
||||||
|
|
||||||
9. Typo in the policy file corrected.
|
|
||||||
|
|
||||||
10. Loopback class A added to rfc1918.
|
|
||||||
|
|
||||||
|
6. Added NEWNOTSYN option
|
||||||
|
|
||||||
|
7. Assume 'multi' if canonical chain exists.
|
||||||
|
|
||||||
|
8. Add PROTOCOL and PORT columns to blacklist file
|
||||||
|
|
||||||
|
|
||||||
|
@ -2506,10 +2506,14 @@ setup_intrazone() # $1 = zone
|
|||||||
# Process a record from the blacklist file #
|
# Process a record from the blacklist file #
|
||||||
# #
|
# #
|
||||||
# $subnet = address/subnet #
|
# $subnet = address/subnet #
|
||||||
|
# $protocol = Protocol Number/Name #
|
||||||
|
# $port = Port Number/Name #
|
||||||
###############################################################################
|
###############################################################################
|
||||||
process_blacklist_rec() {
|
process_blacklist_rec() {
|
||||||
local source
|
local source
|
||||||
local addr
|
local addr
|
||||||
|
local proto=
|
||||||
|
local dport
|
||||||
|
|
||||||
for addr in `separate_list $subnet`; do
|
for addr in `separate_list $subnet`; do
|
||||||
case $addr in
|
case $addr in
|
||||||
@ -2522,11 +2526,24 @@ process_blacklist_rec() {
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
if [ -n "$protocol" ]; then
|
||||||
|
proto=" -p $protocol "
|
||||||
|
|
||||||
|
[ -n "$port" ] && dport="--dport $port"
|
||||||
|
fi
|
||||||
|
|
||||||
[ -n "$BLACKLIST_LOGLEVEL" ] && \
|
[ -n "$BLACKLIST_LOGLEVEL" ] && \
|
||||||
run_iptables -A blacklst $source -j LOG $LOGPARMS --log-prefix \
|
run_iptables -A blacklst $source $proto $dport -j \
|
||||||
|
LOG $LOGPARMS --log-prefix \
|
||||||
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
|
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
|
||||||
--log-level $BLACKLIST_LOGLEVEL
|
--log-level $BLACKLIST_LOGLEVEL
|
||||||
run_iptables -A blacklst $source -j $disposition
|
run_iptables -A blacklst $source $proto $dport -j $disposition
|
||||||
|
|
||||||
|
if [ -n "$port" ]; then
|
||||||
|
addr="$addr $protocol $port"
|
||||||
|
elif [ -n "$protocol" ]; then
|
||||||
|
addr="$addr $protocol"
|
||||||
|
fi
|
||||||
|
|
||||||
echo " $addr added to Black List"
|
echo " $addr added to Black List"
|
||||||
done
|
done
|
||||||
@ -2557,8 +2574,8 @@ setup_blacklist() {
|
|||||||
|
|
||||||
[ "$disposition" = REJECT ] && disposition=reject
|
[ "$disposition" = REJECT ] && disposition=reject
|
||||||
|
|
||||||
while read subnet; do
|
while read subnet protocol port; do
|
||||||
expandv subnet
|
expandv subnet protocol port
|
||||||
process_blacklist_rec
|
process_blacklist_rec
|
||||||
done < $TMP_DIR/blacklist
|
done < $TMP_DIR/blacklist
|
||||||
|
|
||||||
@ -2581,8 +2598,8 @@ refresh_blacklist() {
|
|||||||
|
|
||||||
run_iptables -F blacklst
|
run_iptables -F blacklst
|
||||||
|
|
||||||
while read subnet; do
|
while read subnet protocol port; do
|
||||||
expandv subnet
|
expandv subnet protocol port
|
||||||
process_blacklist_rec
|
process_blacklist_rec
|
||||||
done < $TMP_DIR/blacklist
|
done < $TMP_DIR/blacklist
|
||||||
fi
|
fi
|
||||||
@ -3115,11 +3132,20 @@ activate_rules()
|
|||||||
|
|
||||||
chain="`rules_chain $zone $zone1`"
|
chain="`rules_chain $zone $zone1`"
|
||||||
|
|
||||||
|
if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then
|
||||||
|
have_canonical=Yes
|
||||||
|
else
|
||||||
|
have_canonical=
|
||||||
|
fi
|
||||||
|
|
||||||
for host in $source_hosts; do
|
for host in $source_hosts; do
|
||||||
interface=${host%:*}
|
interface=${host%:*}
|
||||||
subnet=${host#*:}
|
subnet=${host#*:}
|
||||||
chain1=`forward_chain $interface`
|
chain1=`forward_chain $interface`
|
||||||
|
|
||||||
|
if [ -n "$have_canonical" ]; then
|
||||||
|
multi=yes
|
||||||
|
else
|
||||||
case $interface in
|
case $interface in
|
||||||
*+*)
|
*+*)
|
||||||
multi=yes
|
multi=yes
|
||||||
@ -3128,6 +3154,7 @@ activate_rules()
|
|||||||
list_search $interface $multi_interfaces && multi=yes || multi=
|
list_search $interface $multi_interfaces && multi=yes || multi=
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
for host1 in $dest_hosts; do
|
for host1 in $dest_hosts; do
|
||||||
interface1=${host1%:*}
|
interface1=${host1%:*}
|
||||||
|
@ -3,22 +3,20 @@ fixes.
|
|||||||
|
|
||||||
New features include:
|
New features include:
|
||||||
|
|
||||||
1) The 'icmp.def' file is now empty! The rules in that file were
|
1. A NEWNOTSYN option has been added to shorewall.conf. This option
|
||||||
required in ipchains firewalls but are not required in Shorewall.
|
determines whether Shorewall accepts TCP packets which are not part
|
||||||
Users who have ALLOWRELATED=No in shorewall.conf should see the
|
of an established connection and that are not 'SYN' packets (SYN
|
||||||
Upgrade Issues.
|
flag on and ACK flag off).
|
||||||
2) A 'FORWARDPING' option has been added to shorewall.conf. The effect
|
|
||||||
of setting this variable to Yes is the same as the effect of adding
|
|
||||||
an ACCEPT rule for ICMP echo-request in
|
|
||||||
/etc/shorewall/icmpdef. Users who have such a rule in icmpdef are
|
|
||||||
encouraged to switch to FORWARDPING=Yes.
|
|
||||||
3) The loopback CLASS A Network (127.0.0.0/8) has been added to the
|
|
||||||
rfc1918 file.
|
|
||||||
4) Shorewall now works with iptables 1.2.7.
|
|
||||||
5) The documentation and Web site no longer use FrontPage themes.
|
|
||||||
|
|
||||||
I would like to thank John Distler for his valuable input regarding TCP
|
|
||||||
SYN and ICMP treatment in Shorewall. That input has led to marked
|
|
||||||
improvement in Shorewall in the last two releases.
|
|
||||||
|
|
||||||
|
|
||||||
|
2. The need for the 'multi' option to communicate between zones za and
|
||||||
|
zb on the same interface is removed in the case where the chain
|
||||||
|
'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
|
||||||
|
|
||||||
|
a. There is a policy for za to zb.
|
||||||
|
b. There is at least one rule for za to zb.
|
||||||
|
|
||||||
|
3. The /etc/shorewall/blacklist file now contains three columns. In
|
||||||
|
addition to the SUBNET/ADDRESS column, there are optional PROTOCOL
|
||||||
|
and PORT columns to block only certain applications from the
|
||||||
|
blacklisted addresses.
|
||||||
|
Loading…
Reference in New Issue
Block a user