holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Taylor Universal config to work with Shorewall-init and streamline ruleset

Browse Source 
- Make interface 'all' optional and set REQUIRE_INTERFACE=Yes
- Add COMPLETE option
- Set FASTACCEPT in Universal samples
- Reset SUBSYSLOCK in Universal samples

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-08-01 08:36:56 -07:00
parent a88e2afa69
commit 967629569b
19 changed files with 127 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Samples/Universal/interfaces
View File

@ -8,5 +8,5 @@
# #
############################################################################### ###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS #ZONE INTERFACE BROADCAST OPTIONS
- lo - ignore
net all - dhcp,physical=+,routeback net all - dhcp,physical=+,routeback

8
Samples/Universal/shorewall.conf
View File

@ -63,7 +63,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall SUBSYSLOCK=
MODULESDIR= MODULESDIR=
@ -148,7 +148,7 @@ SAVE_IPSETS=No
MAPOLDACTIONS=No MAPOLDACTIONS=No
FASTACCEPT=No FASTACCEPT=Yes
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
@ -194,10 +194,12 @@ OPTIMIZE_ACCOUNTING=No
LOAD_HELPERS_ONLY=No LOAD_HELPERS_ONLY=No
REQUIRE_INTERFACE=No REQUIRE_INTERFACE=Yes
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=Yes
COMPLETE=Yes
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

2
Samples/one-interface/shorewall.conf
View File

@ -209,6 +209,8 @@ REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=Yes
COMPLETE=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

2
Samples/three-interfaces/shorewall.conf
View File

@ -209,6 +209,8 @@ REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=Yes
COMPLETE=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

2
Samples/two-interfaces/shorewall.conf
View File

@ -216,6 +216,8 @@ REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=Yes
COMPLETE=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

1
Samples6/Universal/interfaces
View File

@ -8,5 +8,6 @@
# #
############################################################################### ###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS #ZONE INTERFACE BROADCAST OPTIONS
- lo - ignore
net all - dhcp,physical=+,routeback net all - dhcp,physical=+,routeback

10
Samples6/Universal/shorewall6.conf
View File

@ -60,7 +60,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall SUBSYSLOCK=
MODULESDIR= MODULESDIR=
@ -113,7 +113,7 @@ BLACKLISTNEWONLY=Yes
MODULE_SUFFIX=ko MODULE_SUFFIX=ko
FASTACCEPT=No FASTACCEPT=Yes
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
@ -151,7 +151,11 @@ DYNAMIC_BLACKLIST=Yes
LOAD_HELPERS_ONLY=No LOAD_HELPERS_ONLY=No
FORWARD_CLEAR_MARK=yes REQUIRE_INTERFACE=Yes
FORWARD_CLEAR_MARK=Yes
COMPLETE=Yes
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N

2
Samples6/one-interface/shorewall6.conf
View File

@ -157,6 +157,8 @@ REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=Yes
COMPLETE=No
############################################################################## ##############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

2
Samples6/three-interfaces/shorewall6.conf
View File

@ -157,6 +157,8 @@ REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=Yes
COMPLETE=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

4
Samples6/two-interfaces/shorewall6.conf
View File

@ -1,6 +1,6 @@
############################################################################### ###############################################################################
# #
# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration. # Shorewall version 4.4 - Sample shorewall.conf for one-interface configuration.
# Copyright (C) 2006 by the Shorewall Team # Copyright (C) 2006 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
@ -157,6 +157,8 @@ REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=Yes
COMPLETE=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

3
Shorewall/Perl/Shorewall/Config.pm
View File

@ -466,6 +466,7 @@ sub initialize( $ ) {
LOAD_HELPERS_ONLY => undef, LOAD_HELPERS_ONLY => undef,
REQUIRE_INTERFACE => undef, REQUIRE_INTERFACE => undef,
FORWARD_CLEAR_MARK => undef, FORWARD_CLEAR_MARK => undef,
COMPLETE => undef,
# #
# Packet Disposition # Packet Disposition
# #
@ -590,6 +591,7 @@ sub initialize( $ ) {
LOAD_HELPERS_ONLY => undef, LOAD_HELPERS_ONLY => undef,
REQUIRE_INTERFACE => undef, REQUIRE_INTERFACE => undef,
FORWARD_CLEAR_MARK => undef, FORWARD_CLEAR_MARK => undef,
COMPLETE => undef,
# #
# Packet Disposition # Packet Disposition
# #
@ -3038,6 +3040,7 @@ sub get_configuration( $ ) {
default_yes_no 'DYNAMIC_BLACKLIST' , 'Yes'; default_yes_no 'DYNAMIC_BLACKLIST' , 'Yes';
default_yes_no 'REQUIRE_INTERFACE' , ''; default_yes_no 'REQUIRE_INTERFACE' , '';
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability 'MARK' ? 'Yes' : ''; default_yes_no 'FORWARD_CLEAR_MARK' , have_capability 'MARK' ? 'Yes' : '';
default_yes_no 'COMPLETE' , '';
require_capability 'MARK' , 'FOREWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK}; require_capability 'MARK' , 'FOREWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};

8
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -2261,9 +2261,11 @@ sub generate_matrix() {
nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] , nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
filter=> [ qw/INPUT FORWARD OUTPUT/ ] ); filter=> [ qw/INPUT FORWARD OUTPUT/ ] );
complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone , 'DROP'; unless ( $config{COMPLETE} ) {
complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all', 'REJECT'; complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone , 'DROP';
complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all', 'REJECT'; complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all', 'REJECT';
complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all', 'REJECT';
}
if ( $config{LOGALLNEW} ) { if ( $config{LOGALLNEW} ) {
for my $table qw/mangle nat filter/ { for my $table qw/mangle nat filter/ {

2
Shorewall/changelog.txt
View File

@ -14,6 +14,8 @@ Changes in Shorewall 4.4.12
7) Add Universal sample. 7) Add Universal sample.
8) Add COMPLETE option.
Changes in Shorewall 4.4.11 Changes in Shorewall 4.4.11
1) Apply patch from Gabriel. 1) Apply patch from Gabriel.

2
Shorewall/configfiles/shorewall.conf
View File

@ -198,6 +198,8 @@ REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=Yes
COMPLETE=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

19
Shorewall/releasenotes.txt
View File

@ -1,6 +1,6 @@
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 1 2 S H O R E W A L L 4 . 4 . 1 2
B E T A 3 R C 1
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I. RELEASE 4.4 HIGHLIGHTS I. RELEASE 4.4 HIGHLIGHTS
@ -279,6 +279,23 @@ None.
3) The sample configurations now include a 'Universal' configuration 3) The sample configurations now include a 'Universal' configuration
that will start on any system and protect that system while that will start on any system and protect that system while
allowing the system to forward traffic. allowing the system to forward traffic.
As part of this change, several additional features were added:
- You may now specify "physical=+" in the interfaces file.
- A 'COMPLETE' option is added to shorewall.conf and
shorewall6.conf. When you set this option to Yes, you are
asserting that the configuration is complete so that your set of
zones encompasses any hosts that can send or receive traffic
to/from/through the firewall. This causes Shorewall to omit the
rules that catch packets in which the source or destination IP
address is outside of any of your zones. Default is No. It is
recommended that this option only be set to Yes if:
o You have defined an interface whose effective physical setting
is '+'
o That interface is assigned to a zone.
o You have no CONTINUE policies or rules.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S

6
Shorewall6/shorewall6.conf
View File

@ -151,7 +151,11 @@ DYNAMIC_BLACKLIST=Yes
LOAD_HELPERS_ONLY=No LOAD_HELPERS_ONLY=No
FORWARD_CLEAR_MARK=yes REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
COMPLETE=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N

10
docs/Universal.xml
View File

@ -308,7 +308,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
the line that reads:</para> the line that reads:</para>
<blockquote> <blockquote>
<para>net all DROP </para> <para>net all DROP</para>
</blockquote> </blockquote>
<para>to</para> <para>to</para>
@ -328,18 +328,18 @@ ACCEPT net $FW tcp 143</programlisting></para>
<title>How do I prevent the firewall from forwarding connection <title>How do I prevent the firewall from forwarding connection
requests?</title> requests?</title>
<para>Edit /etc/shorewall/interfaces, and change the line that <para>Edit /etc/shorewall/interfaces, and remove the routeback option
read:</para> from the interface. e.g., change the line that reads:</para>
<blockquote> <blockquote>
<para>net all - dhcp,physical=+<emphasis <para>net all - dhcp,physical=+<emphasis
role="bold">,routeback</emphasis></para> role="bold">,routeback</emphasis>,optional</para>
</blockquote> </blockquote>
<para>to</para> <para>to</para>
<blockquote> <blockquote>
<para>net all - dhcp,physical=+</para> <para>net all - dhcp,physical=+,optional</para>
</blockquote> </blockquote>
<para>Then at a root prompt, type:</para> <para>Then at a root prompt, type:</para>

30
manpages/shorewall.conf.xml
View File

@ -390,6 +390,36 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">COMPLETE=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.4.12. When you set this option to Yes,
you are asserting that the configuration is complete so that your
set of zones encompasses any hosts that can send or receive traffic
to/from/through the firewall. This causes Shorewall to omit the
rules that catch packets in which the source or destination IP
address is outside of any of your zones. Default is No. It is
recommended that this option only be set to Yes if:</para>
<itemizedlist>
<listitem>
<para>You have defined an interface whose effective physical
setting is '+'.</para>
</listitem>
<listitem>
<para>That interface is assigned to a zone.</para>
</listitem>
<listitem>
<para>You have no CONTINUE policies or rules.</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">CONFIG_PATH</emphasis>=[<emphasis>directory</emphasis>[:<emphasis>directory</emphasis>]...]</term> role="bold">CONFIG_PATH</emphasis>=[<emphasis>directory</emphasis>[:<emphasis>directory</emphasis>]...]</term>

30
manpages6/shorewall6.conf.xml
View File

@ -336,6 +336,36 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">COMPLETE=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall6 4.4.12. When you set this option to Yes,
you are asserting that the configuration is complete so that your
set of zones encompasses any hosts that can send or receive traffic
to/from/through the firewall. This causes Shorewall6 to omit the
rules that catch packets in which the source or destination IP
address is outside of any of your zones. Default is No. It is
recommended that this option only be set to Yes if:</para>
<itemizedlist>
<listitem>
<para>You have defined an interface whose effective physical
setting is '+'.</para>
</listitem>
<listitem>
<para>That interface is assigned to a zone.</para>
</listitem>
<listitem>
<para>You have no CONTINUE policies or rules.</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">CONFIG_PATH</emphasis>=[<emphasis>directory</emphasis>[:<emphasis>directory</emphasis>]...]</term> role="bold">CONFIG_PATH</emphasis>=[<emphasis>directory</emphasis>[:<emphasis>directory</emphasis>]...]</term>