Update for Shorewall 2.0.3a:

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1415 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-06-28 17:58:24 +00:00
parent 3e88508243
commit 87b34352fb
9 changed files with 153 additions and 44 deletions


@ -36,3 +36,5 @@ Changes since 2.0.2
16) Pass INVALID icmp packets through the blacklisting chains. 16) Pass INVALID icmp packets through the blacklisting chains.
17) Fix bogus code in process_tc_rule() 17) Fix bogus code in process_tc_rule()
18) Fix security vulnerability involving temporary files/directories.


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=2.0.3 VERSION=2.0.3a
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -82,7 +82,7 @@ startup_error() # $* = Error Message
echo " Error: $@" >&2 echo " Error: $@" >&2
my_mutex_off my_mutex_off
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
rm -f /var/lib/shorewall/restore-$$ [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
kill $$ kill $$
exit 2 exit 2
} }
@ -96,22 +96,22 @@ report () { # $* = message
} }
# #
# Write the passed args to /var/lib/shorewall/restore-$$ # Write the passed args to $RESTOREBASE
# #
save_command() save_command()
{ {
echo "$@" >> /var/lib/shorewall/restore-$$ echo "$@" >> $RESTOREBASE
} }
# #
# Write a progress_message command to /var/lib/shorewall/restore-$$ # Write a progress_message command to $RESTOREBASE
# #
save_progress_message() save_progress_message()
{ {
echo >> /var/lib/shorewall/restore-$$ echo >> $RESTOREBASE
echo "progress_message \"$@\"" >> /var/lib/shorewall/restore-$$ echo "progress_message \"$@\"" >> $RESTOREBASE
echo >> /var/lib/shorewall/restore-$$ echo >> $RESTOREBASE
} }
# #
@ -122,7 +122,7 @@ save_progress_message()
# #
run_and_save_command() run_and_save_command()
{ {
echo "$@" >> /var/lib/shorewall/restore-$$ echo "$@" >> $RESTOREBASE
eval $* eval $*
} }
@ -132,19 +132,19 @@ run_and_save_command()
ensure_and_save_command() ensure_and_save_command()
{ {
if eval $* ; then if eval $* ; then
echo "$@" >> /var/lib/shorewall/restore-$$ echo "$@" >> $RESTOREBASE
else else
[ -z "$stopping" ] && { stop_firewall; exit 2; } [ -z "$stopping" ] && { stop_firewall; exit 2; }
fi fi
} }
# #
# Append a file in $STATEDIR to /var/lib/shorewall/restore-$$ # Append a file in $STATEDIR to $RESTOREBASE
# #
append_file() # $1 = File Name append_file() # $1 = File Name
{ {
save_command "cat > $STATEDIR/$1 << __EOF__" save_command "cat > $STATEDIR/$1 << __EOF__"
cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$ cat $STATEDIR/$1 >> $RESTOREBASE
save_command __EOF__ save_command __EOF__
} }
@ -1237,7 +1237,7 @@ stop_firewall() {
# Turn off trace unless we were tracing "stop" or "clear" # Turn off trace unless we were tracing "stop" or "clear"
# #
rm -f /var/lib/shorewall/restore-$$ [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
case $COMMAND in case $COMMAND in
stop|clear) stop|clear)
@ -1380,8 +1380,6 @@ stop_firewall() {
# else. Remove the lock file and Kill the shell in case we're in a # else. Remove the lock file and Kill the shell in case we're in a
# subshell # subshell
# #
rm -f /var/lib/shorewall/restore-$$
my_mutex_off my_mutex_off
kill $$ kill $$
;; ;;
@ -2372,7 +2370,7 @@ check_config() {
process_actions2 process_actions2
rm -rf $TMP_DIR rm -rf $TMP_DIR
rm -f /var/lib/shorewall/restore-$$ [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
echo "Configuration Validated" echo "Configuration Validated"
@ -5513,9 +5511,13 @@ define_firewall() # $1 = Command (Start or Restart)
verify_os_version verify_os_version
verify_ip verify_ip
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall [ -d /var/lib/shorewall ] || { mkdir -p /var/lib/shorewall ; chmod 700 /var/lib/shorewall; }
echo '#bin/sh' > /var/lib/shorewall/restore-$$ RESTOREBASE=$(mktempfile /var/lib/shorewall)
[ -n "$RESTOREBASE" ] || fatal_error "Cannot create temporary file in /var/lib/shorewall"
echo '#bin/sh' >> $RESTOREBASE
save_command "#" save_command "#"
save_command "# Restore base file generated by Shorewall $version - $(date)" save_command "# Restore base file generated by Shorewall $version - $(date)"
save_command "#" save_command "#"
@ -5582,7 +5584,7 @@ define_firewall() # $1 = Command (Start or Restart)
# 'shorewall save' appends the iptables-save output and '__EOF__' # 'shorewall save' appends the iptables-save output and '__EOF__'
mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-base mv -f $RESTOREBASE /var/lib/shorewall/restore-base
} }
@ -6004,6 +6006,8 @@ do_initialize() {
DISABLE_IPV6= DISABLE_IPV6=
BRIDGING= BRIDGING=
DYNAMIC_ZONES= DYNAMIC_ZONES=
RESTOREBASE=
TMP_DIR=
stopping= stopping=
have_mutex= have_mutex=
@ -6011,13 +6015,6 @@ do_initialize() {
nonat_seq=1 nonat_seq=1
aliases_to_add= aliases_to_add=
TMP_DIR=/tmp/shorewall-$$
rm -rf $TMP_DIR
mkdir -p $TMP_DIR && chmod 700 $TMP_DIR || \
startup_error "Can't create $TMP_DIR"
trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
FUNCTIONS=$SHARED_DIR/functions FUNCTIONS=$SHARED_DIR/functions
if [ -f $FUNCTIONS ]; then if [ -f $FUNCTIONS ]; then
@ -6027,6 +6024,13 @@ do_initialize() {
startup_error "$FUNCTIONS does not exist!" startup_error "$FUNCTIONS does not exist!"
fi fi
TMP_DIR=$(mktempdir)
[ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \
startup_error "Can't create a temporary directory"
trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
ensure_config_path ensure_config_path
VERSION_FILE=$SHARED_DIR/version VERSION_FILE=$SHARED_DIR/version
@ -6038,8 +6042,13 @@ do_initialize() {
config=$(find_file shorewall.conf) config=$(find_file shorewall.conf)
if [ -f $config ]; then if [ -f $config ]; then
[ -n "$QUIET" ] || echo "Processing $config..." if [ -r $config ]; then
. $config [ -n "$QUIET" ] || echo "Processing $config..."
. $config
else
echo " ERROR: Cannot read $config (Hint: Are you root?)"
exit 2
fi
else else
echo "$config does not exist!" >&2 echo "$config does not exist!" >&2
exit 2 exit 2
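Review bot: The new unreadable-config branch in do_initialize prints `echo " ERROR: Cannot read $config (Hint: Are you root?)"` to stdout, while the sibling `"$config does not exist!"` line right below it and the matching branch added in the later CLI file section both go to stderr; add `>&2` so the diagnostic survives output redirection. The trap installed after `TMP_DIR=$(mktempdir)` still removes only `$TMP_DIR`, so a signal during define_firewall leaves the mktemp-named restore file behind in /var/lib/shorewall; because RESTOREBASE is only assigned later, a single-quoted trap that expands at signal time would cover it, `trap 'rm -rf $TMP_DIR; [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE; my_mutex_off; exit 2' 1 2 3 4 5 6 9`. Note too that `RESTOREBASE=$(mktempfile /var/lib/shorewall)` relies on the helper returning a regular file in every MKTEMP mode, which the version added to the functions file does not guarantee on hosts without mktemp. do_initialize and define_firewall both begin and end outside these hunks.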


@ -336,6 +336,92 @@ mutex_off()
rm -f $STATEDIR/lock rm -f $STATEDIR/lock
} }
#
# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
#
# None - No mktemp
# BSD - BSD mktemp (Mandrake)
# STD - mktemp.org mktemp
#
find_mktemp() {
local mktemp=`which mktemp 2> /dev/null`
if [ -n "$mktemp" ]; then
if qt mktemp -V ; then
MKTEMP=STD
else
MKTEMP=BSD
fi
else
MKTEMP=None
fi
}
#
# create a temporary file. If a directory name is passed, the file will be created in
# that directory. Otherwise, it will be created in a temporary directory.
#
mktempfile() {
[ -z "$MKTEMP" ] && find_mktemp
if [ $# -gt 0 ]; then
case "$MKTEMP" in
BSD)
mktemp $1/shorewall.XXXXXX
;;
STD)
mktemp -p $1 shorewall.XXXXXX
;;
None)
mkdir $1/shorewall-$$ && echo $1/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempfile"
;;
esac
else
case "$MKTEMP" in
BSD)
mktemp /tmp/shorewall.XXXXXX
;;
STD)
mktemp -t shorewall.XXXXXX
;;
None)
rm -f /tmp/shorewall-$$
> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempfile"
;;
esac
fi
}
#
# create a temporary directory
#
mktempdir() {
[ -z "$MKTEMP" ] && find_mktemp
case "$MKTEMP" in
BSD)
mktemp -d /tmp/shorewall.XXXXXX
;;
STD)
mktemp -td shorewall.XXXXXX
;;
None)
mkdir /tmp/shorewall-$$ && echo /tmp/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempdir"
;;
esac
}
# #
# Read a file and handle "INCLUDE" directives # Read a file and handle "INCLUDE" directives
# #
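Review bot: In mktempfile's directory-argument branch the `None)` arm runs `mkdir $1/shorewall-$$ && echo $1/shorewall-$$`, returning a directory, yet the caller in define_firewall appends text to `$RESTOREBASE` and later `mv`s it onto restore-base, so on a host with no mktemp the restore file can never be written; the arm should create a file, as the no-argument branch does. The `*)` arms of mktempfile and mktempdir also print their error text on stdout, which `$(mktempfile)` and `$(mktempdir)` capture as the returned path, so the `[ -n "$TMP_DIR" ]`/`[ -n "$RESTOREBASE" ]` checks at the call sites accept the error string as a name; those three echo lines need `>&2`. The `None` fallbacks still use the predictable `shorewall-$$` name with a non-atomic `rm -f` followed by `>`, which is the class of problem this commit sets out to remove; dropping the `rm -f` and opening under `set -C` (noclobber), or refusing to run without mktemp, would close that window, and the limitation belongs in the header comment, which currently reads "accortingly" for "accordingly".
```shell
mktempfile() {
    [ -z "$MKTEMP" ] && find_mktemp
    if [ $# -gt 0 ]; then
        case "$MKTEMP" in
            # … unchanged: BSD and STD arms …
            None)
                rm -f $1/shorewall-$$
                > $1/shorewall-$$ && echo $1/shorewall-$$
                ;;
            *)
                echo " ERROR:Internal error in mktempfile" >&2
                ;;
        esac
    else
        case "$MKTEMP" in
            # … unchanged: BSD, STD and None arms …
            *)
                echo " ERROR:Internal error in mktempfile" >&2
                ;;
        esac
    fi
}
```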


@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=2.0.3 VERSION=2.0.3a
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -44,10 +44,13 @@ Problems Corrected since 2.0.2
not possible to blacklist hosts that are mounting certain types of not possible to blacklist hosts that are mounting certain types of
ICMP-based DOS attacks. ICMP-based DOS attacks.
Problems corrected since 2.0.3: Problems Corrected since 2.0.3
1) Non-empty entries in the /etc/shorewall/tcrules DEST column 1) A non-empty DEST entry in /etc/shorewall/tcrules will generate an
generated an error message and Shorewall failed to start. error and Shorewall fails to start.
2) A potential security vulnerablilty in the way that Shorewall
handles temporary files and directories has been corrected.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3: Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:


@ -115,7 +115,7 @@ showfirstchain() # $1 = name of chain
/^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\ /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\
/Chain '$1'/ { prnt=1; }; \ /Chain '$1'/ { prnt=1; }; \
{ if (prnt == 1) print; };\ { if (prnt == 1) print; };\
END { exit rslt; }' /tmp/chains-$$ END { exit rslt; }' $TMPFILE
} }
showchain() # $1 = name of chain showchain() # $1 = name of chain
@ -130,7 +130,7 @@ showchain() # $1 = name of chain
/^$|^ pkts/ { next; };\ /^$|^ pkts/ { next; };\
/^Chain/ {if ( prnt == 1 ) exit; };\ /^Chain/ {if ( prnt == 1 ) exit; };\
/Chain '$1'/ { prnt=1; };\ /Chain '$1'/ { prnt=1; };\
{ if (prnt == 1) print; }' /tmp/chains-$$ { if (prnt == 1) print; }' $TMPFILE
fi fi
} }
@ -202,7 +202,10 @@ display_chains()
# Send the output to a temporary file since ash craps if we try to store # Send the output to a temporary file since ash craps if we try to store
# the output in a variable. # the output in a variable.
# #
iptables -L $IPT_OPTIONS > /tmp/chains-$$ TMPFILE=$(mktempfile)
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
iptables -L $IPT_OPTIONS >> $TMPFILE
clear clear
echo "$banner $(date)" echo "$banner $(date)"
@ -223,7 +226,7 @@ display_chains()
echo "Input Chains" echo "Input Chains"
echo echo
chains=$(grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2) chains=$(grep '^Chain.*_[in|fwd]' $TMPFILE | cut -d' ' -f 2)
for chain in $chains; do for chain in $chains; do
showchain $chain showchain $chain
@ -233,7 +236,7 @@ display_chains()
for zone in $zones; do for zone in $zones; do
if [ -n "$(grep "^Chain \.*${zone}" /tmp/chains-$$)" ] ; then if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
clear clear
echo "$banner $(date)" echo "$banner $(date)"
echo echo
@ -283,7 +286,7 @@ display_chains()
showchain dynamic showchain dynamic
timed_read timed_read
qt rm -f /tmp/chains-$$ qt rm -f $TMPFILE
else else
iptables -L -n -v iptables -L -n -v
timed_read timed_read
@ -399,8 +402,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
if qt which awk; then if qt which awk; then
TMP_DIR=/tmp/shorewall-$$ TMP_DIR=$(mktempdir)
mkdir $TMP_DIR [ -n "$TMP_DIR" ] || { echo " ERROR:Cannot create temporary directory" >&2; exit 1; }
haveawk=Yes haveawk=Yes
determine_zones determine_zones
rm -rf $TMP_DIR rm -rf $TMP_DIR
@ -699,7 +702,12 @@ ensure_config_path
config=$(find_file shorewall.conf) config=$(find_file shorewall.conf)
if [ -f $config ]; then if [ -f $config ]; then
. $config if [ -r $config ]; then
. $config
else
echo "Cannot read $config! (Hint: Are you root?)" >&2
exit 1
fi
else else
echo "$config does not exist!" >&2 echo "$config does not exist!" >&2
exit 2 exit 2
@ -733,7 +741,6 @@ fi
banner="Shorewall-$version Status at $HOSTNAME -" banner="Shorewall-$version Status at $HOSTNAME -"
case $(echo -e) in case $(echo -e) in
-e*) -e*)
RING_BELL="echo \a" RING_BELL="echo \a"
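Review bot: The new unreadable-config branch (`echo "Cannot read $config! (Hint: Are you root?)" >&2` followed by `exit 1`) exits with status 1 while the sibling `"$config does not exist!"` branch two lines below exits 2 and the equivalent branch in the firewall script also exits 2; use `exit 2` so one status means "configuration failure" across both scripts. In display_chains the file from `TMPFILE=$(mktempfile)` is removed only on the normal path by `qt rm -f $TMPFILE`, so an interrupt during the timed_read loop leaves it in /tmp unless a trap elsewhere in the script covers it, which these hunks do not show; a `trap "rm -f $TMPFILE" 0 1 2 3 15` right after the `[ -n "$TMPFILE" ]` check would close that. display_chains and monitor_firewall both begin and end outside these hunks.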


@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 2.0.3 %define version 2.0.3a
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -141,6 +141,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Mon Jun 28 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.2a-1
* Wed Jun 23 2004 Tom Eastep tom@shorewall.net * Wed Jun 23 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.2-1 - Updated to 2.0.2-1
* Sat Jun 19 2004 Tom Eastep tom@shorewall.net * Sat Jun 19 2004 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=2.0.3 VERSION=2.0.3a
usage() # $1 = exit status usage() # $1 = exit status
{ {