holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Assume 'multi' if canonical chain exists; add PROTOCOL and PORT columns to the blacklist file

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@236 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-09-14 22:00:52 +00:00
parent 3a107844d5
commit 80498aa034
4 changed files with 79 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Shorewall/blacklist
View File

@ -12,8 +12,19 @@
# MAC addresses must be prefixed with "~" and use "-" as a separator. # MAC addresses must be prefixed with "~" and use "-" as a separator.
# #
# Example: ~00-A0-C9-15-39-78 # Example: ~00-A0-C9-15-39-78
#
# Each ADDRESS/SUBNET may be optionally followed by a protocol name or number
# and an optional port number. If these are supplied, only packets matching
# the protocol and the port (if supplied) are blocked.
#
# Example:
#
# To block DNS queries from address 192.0.2.126:
#
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
############################################################################### ###############################################################################
#ADDRESS/SUBNET #ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

25
Shorewall/changelog.txt
View File

@ -1,26 +1,19 @@
Changes since 1.3.6 Changes since 1.3.7
1. Comments in the common.def file have been updated. 1. Correct rules file handling bug introduced in 1.3.7.
2. icmp.def deimplemented 2. Correct handling of DNAT rule where source is $FW
3. FORWARDPING implemented. 3. Reverse order of RFC 1918 and DHCP filtering
4. Made MULTIPORT work with iptables 1.2.7 4. "shorewall refresh" fix for FORWARDPING=Yes
5. Corrected ADD_SNAT_ALIASES 5. Replace tab with space in blacklist output.
6. Work around iptables 1.2.7 protocol match bug.
7. Remove themes from documentation and web site.
8. Comments in the interfaces file improved.
9. Typo in the policy file corrected.
10. Loopback class A added to rfc1918.
6. Added NEWNOTSYN option
7. Assume 'multi' if canonical chain exists.
8. Add PROTOCOL and PORT columns to blacklist file

59
Shorewall/firewall
View File

@ -2506,10 +2506,14 @@ setup_intrazone() # $1 = zone
# Process a record from the blacklist file # # Process a record from the blacklist file #
# # # #
# $subnet = address/subnet # # $subnet = address/subnet #
# $protocol = Protocol Number/Name #
# $port = Port Number/Name #
############################################################################### ###############################################################################
process_blacklist_rec() { process_blacklist_rec() {
local source local source
local addr local addr
local proto=
local dport
for addr in `separate_list $subnet`; do for addr in `separate_list $subnet`; do
case $addr in case $addr in
@ -2521,13 +2525,26 @@ process_blacklist_rec() {
source="-s $addr" source="-s $addr"
;; ;;
esac esac
if [ -n "$protocol" ]; then
proto=" -p $protocol "
[ -n "$port" ] && dport="--dport $port"
fi
[ -n "$BLACKLIST_LOGLEVEL" ] && \ [ -n "$BLACKLIST_LOGLEVEL" ] && \
run_iptables -A blacklst $source -j LOG $LOGPARMS --log-prefix \ run_iptables -A blacklst $source $proto $dport -j \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \ LOG $LOGPARMS --log-prefix \
--log-level $BLACKLIST_LOGLEVEL "Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
run_iptables -A blacklst $source -j $disposition --log-level $BLACKLIST_LOGLEVEL
run_iptables -A blacklst $source $proto $dport -j $disposition
if [ -n "$port" ]; then
addr="$addr $protocol $port"
elif [ -n "$protocol" ]; then
addr="$addr $protocol"
fi
echo " $addr added to Black List" echo " $addr added to Black List"
done done
} }
@ -2557,8 +2574,8 @@ setup_blacklist() {
[ "$disposition" = REJECT ] && disposition=reject [ "$disposition" = REJECT ] && disposition=reject
while read subnet; do while read subnet protocol port; do
expandv subnet expandv subnet protocol port
process_blacklist_rec process_blacklist_rec
done < $TMP_DIR/blacklist done < $TMP_DIR/blacklist
@ -2581,8 +2598,8 @@ refresh_blacklist() {
run_iptables -F blacklst run_iptables -F blacklst
while read subnet; do while read subnet protocol port; do
expandv subnet expandv subnet protocol port
process_blacklist_rec process_blacklist_rec
done < $TMP_DIR/blacklist done < $TMP_DIR/blacklist
fi fi
@ -3115,19 +3132,29 @@ activate_rules()
chain="`rules_chain $zone $zone1`" chain="`rules_chain $zone $zone1`"
if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then
have_canonical=Yes
else
have_canonical=
fi
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
subnet=${host#*:} subnet=${host#*:}
chain1=`forward_chain $interface` chain1=`forward_chain $interface`
case $interface in if [ -n "$have_canonical" ]; then
*+*) multi=yes
multi=yes else
;; case $interface in
*) *+*)
list_search $interface $multi_interfaces && multi=yes || multi= multi=yes
;; ;;
esac *)
list_search $interface $multi_interfaces && multi=yes || multi=
;;
esac
fi
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
interface1=${host1%:*} interface1=${host1%:*}

32
Shorewall/releasenotes.txt
View File

@ -3,22 +3,20 @@ fixes.
New features include: New features include:
1) The 'icmp.def' file is now empty! The rules in that file were 1. A NEWNOTSYN option has been added to shorewall.conf. This option
required in ipchains firewalls but are not required in Shorewall. determines whether Shorewall accepts TCP packets which are not part
Users who have ALLOWRELATED=No in shorewall.conf should see the of an established connection and that are not 'SYN' packets (SYN
Upgrade Issues. flag on and ACK flag off).
2) A 'FORWARDPING' option has been added to shorewall.conf. The effect
of setting this variable to Yes is the same as the effect of adding
an ACCEPT rule for ICMP echo-request in
/etc/shorewall/icmpdef. Users who have such a rule in icmpdef are
encouraged to switch to FORWARDPING=Yes.
3) The loopback CLASS A Network (127.0.0.0/8) has been added to the
rfc1918 file.
4) Shorewall now works with iptables 1.2.7.
5) The documentation and Web site no longer use FrontPage themes.
I would like to thank John Distler for his valuable input regarding TCP
SYN and ICMP treatment in Shorewall. That input has led to marked
improvement in Shorewall in the last two releases.
2. The need for the 'multi' option to communicate between zones za and
zb on the same interface is removed in the case where the chain
'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
a. There is a policy for za to zb.
b. There is at least one rule for za to zb.
3. The /etc/shorewall/blacklist file now contains three columns. In
addition to the SUBNET/ADDRESS column, there are optional PROTOCOL
and PORT columns to block only certain applications from the
blacklisted addresses.