forked from extern/shorewall_code
Implement new Blacklisting Scheme
This commit is contained in:
Tom Eastep
parent
3c1cff0794
commit
a8c9fc1859
@ -213,16 +213,19 @@ sub add_rule_pair( $$$$ ) {
|
||||
|
||||
sub setup_blacklist() {
|
||||
|
||||
my $hosts = find_hosts_by_option 'blacklist';
|
||||
my $zones = find_zones_by_option 'blacklist', 'in';
|
||||
my $zones1 = find_zones_by_option 'blacklist', 'out';
|
||||
my $chainref;
|
||||
my $chainref1;
|
||||
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
|
||||
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
|
||||
#
|
||||
# We go ahead and generate the blacklist chain and jump to it, even if it turns out to be empty. That is necessary
|
||||
# We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
|
||||
# for 'refresh' to work properly.
|
||||
#
|
||||
if ( @$hosts ) {
|
||||
$chainref = dont_delete new_standard_chain 'blacklst';
|
||||
if ( @$zones || @$zones1 ) {
|
||||
$chainref = dont_delete new_standard_chain 'blacklst' if @$zones;
|
||||
$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;
|
||||
|
||||
if ( defined $level && $level ne '' ) {
|
||||
my $logchainref = new_standard_chain 'blacklog';
|
||||
@ -246,8 +249,8 @@ sub setup_blacklist() {
|
||||
while ( read_a_line ) {
|
||||
|
||||
if ( $first_entry ) {
|
||||
unless ( @$hosts ) {
|
||||
warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' interfaces);
|
||||
unless ( @$zones || @$zones1 ) {
|
||||
warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' zones);
|
||||
close_file;
|
||||
last BLACKLIST;
|
||||
}
|
||||
@ -255,46 +258,64 @@ sub setup_blacklist() {
|
||||
$first_entry = 0;
|
||||
}
|
||||
|
||||
my ( $networks, $protocol, $ports ) = split_line 1, 3, 'blacklist file';
|
||||
my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
|
||||
|
||||
expand_rule(
|
||||
$chainref ,
|
||||
NO_RESTRICT ,
|
||||
do_proto( $protocol , $ports, '' ) ,
|
||||
$networks ,
|
||||
'' ,
|
||||
'' ,
|
||||
$target ,
|
||||
'' ,
|
||||
$disposition ,
|
||||
'' );
|
||||
$options = 'src' if $options eq '-';
|
||||
|
||||
my ( $to, $from ) = ( 0, 0 );
|
||||
|
||||
for ( split /,/, $options ) {
|
||||
if ( $_ =~ /^(?:from|src)$/ ) {
|
||||
if ( $from++ ) {
|
||||
warning_message "Duplicate 'src' ignored";
|
||||
} else {
|
||||
if ( @$zones ) {
|
||||
expand_rule(
|
||||
$chainref ,
|
||||
NO_RESTRICT ,
|
||||
do_proto( $protocol , $ports, '' ) ,
|
||||
$networks,
|
||||
'',
|
||||
'' ,
|
||||
$target ,
|
||||
'' ,
|
||||
$target ,
|
||||
'' );
|
||||
} else {
|
||||
warning_message 'Blacklist entry ignored because there are no "blacklist in" zones';
|
||||
}
|
||||
}
|
||||
} elsif ( $_ =~ /^(?:dst|to)$/ ) {
|
||||
if ( $to++ ) {
|
||||
warning_message "Duplicate 'dst' ignored";
|
||||
} else {
|
||||
if ( @$zones1 ) {
|
||||
expand_rule(
|
||||
$chainref1 ,
|
||||
NO_RESTRICT ,
|
||||
do_proto( $protocol , $ports, '' ) ,
|
||||
'',
|
||||
$networks,
|
||||
'' ,
|
||||
$target ,
|
||||
'' ,
|
||||
$target ,
|
||||
'' );
|
||||
} else {
|
||||
warning_message 'Blacklist entry ignored because there are no "blacklist out" zones';
|
||||
}
|
||||
}
|
||||
} else {
|
||||
fatal_error "Invalid blacklist option($_)";
|
||||
}
|
||||
}
|
||||
|
||||
progress_message " \"$currentline\" added to blacklist";
|
||||
}
|
||||
|
||||
warning_message q(There are interfaces or hosts with the 'blacklist' option but the 'blacklist' file is empty) if $first_entry && @$hosts;
|
||||
} elsif ( @$hosts ) {
|
||||
warning_message q(There are interfaces or hosts with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
|
||||
}
|
||||
|
||||
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
|
||||
|
||||
for my $hostref ( @$hosts ) {
|
||||
my $interface = $hostref->[0];
|
||||
my $ipsec = $hostref->[1];
|
||||
my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
|
||||
my $network = $hostref->[2];
|
||||
my $source = match_source_net $network;
|
||||
my $target = source_exclusion( $hostref->[3], $chainref );
|
||||
|
||||
for my $chain ( first_chains $interface ) {
|
||||
add_jump $filter_table->{$chain} , $target, 0, "${source}${state}${policy}";
|
||||
}
|
||||
|
||||
set_interface_option $interface, 'use_input_chain', 1;
|
||||
set_interface_option $interface, 'use_forward_chain', 1;
|
||||
|
||||
progress_message " Blacklisting enabled on ${interface}:${network}";
|
||||
warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty) if $first_entry && @$zones;
|
||||
} elsif ( @$zones || @$zones1 ) {
|
||||
warning_message q(There are interfaces or zones with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1851,7 +1872,20 @@ sub generate_matrix() {
|
||||
#
|
||||
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
|
||||
|
||||
add_jump( $frwd_ref, $filter_table->{blacklst}, 0 ) if $zoneref->{options}{in}{blacklist};
|
||||
if ( $zoneref->{options}{in}{blacklist} ) {
|
||||
my $blackref = $filter_table->{blacklst};
|
||||
add_jump $frwd_ref , $blackref, 0, $state;
|
||||
add_jump ensure_filter_chain( rules_chain( $zone, firewall_zone ), 1 ) , $blackref , 0, $state, 0, 0;
|
||||
}
|
||||
|
||||
if ( $zoneref->{options}{out}{blacklist} ) {
|
||||
my $blackref = $filter_table->{blackout};
|
||||
add_jump ensure_filter_chain( rules_chain( firewall_zone, $zone ), 1 ) , $blackref , 0, $state, 0, 0;
|
||||
|
||||
for my $zone1 ( @zones ) {
|
||||
add_jump( ensure_filter_chain( rules_chain( $zone1, $zone ), 1 ), $blackref, 0, $state, 0, 0 ) unless $zone eq $zone1;
|
||||
}
|
||||
}
|
||||
|
||||
if ( have_ipsec ) {
|
||||
#
|
||||
@ -2039,6 +2073,7 @@ sub generate_matrix() {
|
||||
my $interfacechainref = $filter_table->{input_chain $interface};
|
||||
my $interfacematch = '';
|
||||
my $use_input;
|
||||
my $blacklist = $zoneref->{options}{in}{blacklist};
|
||||
|
||||
if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
|
||||
$inputchainref = $interfacechainref;
|
||||
|
||||
@ -78,7 +78,7 @@ our @EXPORT = qw( NOTHING
|
||||
compile_updown
|
||||
validate_hosts_file
|
||||
find_hosts_by_option
|
||||
find_hosts_by_option1
|
||||
find_zones_by_option
|
||||
all_ipsets
|
||||
have_ipsec
|
||||
);
|
||||
@ -231,7 +231,7 @@ sub initialize( $ ) {
|
||||
if ( $family == F_IPV4 ) {
|
||||
%validinterfaceoptions = (arp_filter => BINARY_IF_OPTION,
|
||||
arp_ignore => ENUM_IF_OPTION,
|
||||
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
blacklist => SIMPLE_IF_OPTION,
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
detectnets => OBSOLETE_IF_OPTION,
|
||||
dhcp => SIMPLE_IF_OPTION,
|
||||
@ -264,7 +264,7 @@ sub initialize( $ ) {
|
||||
sourceonly => 1,
|
||||
);
|
||||
} else {
|
||||
%validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
%validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION,
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
dhcp => SIMPLE_IF_OPTION,
|
||||
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
@ -946,8 +946,16 @@ sub process_interface( $$ ) {
|
||||
|
||||
if ( $type == SIMPLE_IF_OPTION ) {
|
||||
fatal_error "Option $option does not take a value" if defined $value;
|
||||
$options{$option} = 1;
|
||||
$hostoptions{$option} = 1 if $hostopt;
|
||||
if ( $option eq 'blacklist' ) {
|
||||
if ( $zone ) {
|
||||
$zoneref->{options}{in}{blacklist} = 1;
|
||||
} else {
|
||||
warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
|
||||
}
|
||||
} else {
|
||||
$options{$option} = 1;
|
||||
$hostoptions{$option} = 1 if $hostopt;
|
||||
}
|
||||
} elsif ( $type == BINARY_IF_OPTION ) {
|
||||
$value = 1 unless defined $value;
|
||||
fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
|
||||
@ -1679,8 +1687,8 @@ sub process_host( ) {
|
||||
$type = IPSEC;
|
||||
$zoneref->{options}{complex} = 1;
|
||||
$ipsec = 1;
|
||||
} elsif ( $option eq 'norfc1918' ) {
|
||||
warning_message "The 'norfc1918' option is no longer supported"
|
||||
} elsif ( $option =~ /^(?:norfc1918|blacklist)$/ ) {
|
||||
warning_message "The '$option' host option is no longer supported"
|
||||
} elsif ( $validhostoptions{$option}) {
|
||||
fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
|
||||
$options{$option} = 1;
|
||||
@ -1786,18 +1794,18 @@ sub find_hosts_by_option( $ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# This one returns a 4-tuple for each interface which the passed bit set in the passed option
|
||||
# Retruns a reference to a list of zones with the passed in/out option
|
||||
#
|
||||
|
||||
sub find_hosts_by_option1( $$ ) {
|
||||
my ($option, $bit ) = @_;
|
||||
my @hosts;
|
||||
sub find_zones_by_option( $$ ) {
|
||||
my ($option, $in_out ) = @_;
|
||||
my @zns;
|
||||
|
||||
for my $interface ( @interfaces ) {
|
||||
push @hosts, [ $interface, 'none', ALLIP , [] ] if $interfaces{$interface}{options}{$option} & $bit
|
||||
for my $zone ( @zones ) {
|
||||
push @zns, $zone if $zones{$zone}{options}{$in_out}{$option};
|
||||
}
|
||||
|
||||
\@hosts;
|
||||
\@zns;
|
||||
}
|
||||
|
||||
sub all_ipsets() {
|
||||
|
||||
@ -72,6 +72,57 @@
|
||||
from services(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>OPTIONS (Optional - Added in 4.4.12) -
|
||||
{-|{dst|src}[,...]}</term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, indicates whether traffic
|
||||
<emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
|
||||
role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
|
||||
ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
|
||||
blacklisted. The default is <emphasis role="bold">src</emphasis>. If
|
||||
the ADDRESS/SUBNET column is empty, then this column has no effect
|
||||
on the generated rule.</para>
|
||||
|
||||
<note>
|
||||
<para>In Shorewall 4.4.12, the keywords from and to were used in
|
||||
place of src and dst respectively. Blacklisting was still
|
||||
restricted to traffic <emphasis>arriving</emphasis> on an
|
||||
interface that has the 'blacklist' option set. So to block traffic
|
||||
from your local network to an internet host, you had to specify
|
||||
<option>blacklist</option> on your internal interface in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||
(5).</para>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>Beginning with Shorewall 4.4.13, entries are applied based
|
||||
on the <emphasis role="bold">blacklist</emphasis> setting in
|
||||
<ulink
|
||||
url="shorewall-interfaces.html">shorewall-zones</ulink>(5):</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic
|
||||
from this zone is passed against the entries in <ulink
|
||||
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
|
||||
that have the <emphasis role="bold">src</emphasis> option
|
||||
(specified or defaulted).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>'blacklist' in the OPTIONS or OUT_OPTIONS column.
|
||||
Trafficto this zone is passed against the entries in <ulink
|
||||
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
|
||||
that have the <emphasis role="bold">dst</emphasis>
|
||||
option.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para></para>
|
||||
|
||||
@ -139,8 +139,15 @@
|
||||
<term><emphasis role="bold">blacklist</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This option only makes sense for ports on a bridge.
|
||||
</para>
|
||||
<para>This option only makes sense for ports on a bridge. As
|
||||
of Shoreawall 4.4.13, ithe option is no longer supported and
|
||||
is ignored with a warning:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><emphasis role="bold">WARNING: The "blacklist" host
|
||||
option is no longer supported and will be
|
||||
ignored.</emphasis></para>
|
||||
</blockquote>
|
||||
|
||||
<para>Check packets arriving on this port against the <ulink
|
||||
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
|
||||
|
||||
@ -230,6 +230,29 @@ loc eth2 -</programlisting>
|
||||
<ulink
|
||||
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
|
||||
file.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.13:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If a <replaceable>zone</replaceable> is given in the
|
||||
ZONES column, then the behavior is as if <emphasis
|
||||
role="bold">blacklist</emphasis> had been specified in the
|
||||
IN_OPTIONS column of <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Otherwise, the option is ignored with a
|
||||
warning:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><emphasis role="bold">WARNING: The 'blacklist'
|
||||
option is ignored on mult-zone
|
||||
interfaces</emphasis></para>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@ -200,6 +200,28 @@ c:a,b ipv4</programlisting>
|
||||
<option>ipsec</option> zones.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">blacklist</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.13.</para>
|
||||
|
||||
<para>When specified in the IN_OPTIONS column, causes all
|
||||
traffic from this zone to be passed against the <emphasis
|
||||
role="bold">src</emphasis> entries in s<ulink
|
||||
url="shorewall-blacklist.html">horewall-blacklist</ulink>(5).</para>
|
||||
|
||||
<para>When specified in the OUT_OPTIONS column, causes all
|
||||
traffic to this zone to be passed against the <emphasis
|
||||
role="bold">dst</emphasis> entries in s<ulink
|
||||
url="shorewall-blacklist.html">horewall-blacklist</ulink>(5).</para>
|
||||
|
||||
<para>Specifying this option in the OPTIONS column is
|
||||
equivalent to entering it in both of the IN_OPTIONS and
|
||||
OUT_OPTIONS column.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
|
||||
@ -319,7 +341,8 @@ c:a,b ipv4</programlisting>
|
||||
shorewall-nesting(8), shorewall-netmap(5), shorewall-params(5),
|
||||
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
||||
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
|
||||
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
||||
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5)</para>
|
||||
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
|
||||
shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
|
||||
shorewall-tunnels(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
||||
@ -127,8 +127,15 @@
|
||||
<term><emphasis role="bold">blacklist</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This option only makes sense for ports on a
|
||||
bridge.</para>
|
||||
<para>This option only makes sense for ports on a bridge. As
|
||||
of Shorewall 4.4.13, its is ignored with a warning
|
||||
message:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><emphasis role="bold">WARNING: The "blacklist" host
|
||||
option is no longer supported and will be
|
||||
ignored.</emphasis></para>
|
||||
</blockquote>
|
||||
|
||||
<para>Check packets arriving on this port against the <ulink
|
||||
url="shorewall-blacklist.html">shorewall6-blacklist</ulink>(5)
|
||||
|
||||
@ -122,6 +122,29 @@ loc eth2 -</programlisting>
|
||||
<ulink
|
||||
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
|
||||
file.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.13:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If a <replaceable>zone</replaceable> is given in the
|
||||
ZONES column, then the behavior is as if <emphasis
|
||||
role="bold">blacklist</emphasis> had been specified in the
|
||||
IN_OPTIONS column of <ulink
|
||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Otherwise, the option is ignored with a
|
||||
warning:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><emphasis role="bold">WARNING: The 'blacklist'
|
||||
option is ignored on mult-zone
|
||||
interfaces</emphasis></para>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@ -194,10 +194,32 @@ c:a,b ipv6</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of options. With the exception of the
|
||||
<option>mss</option> option, these only apply to TYPE
|
||||
<option>mss</option> and blacklist options, these only apply to TYPE
|
||||
<option>ipsec</option> zones.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">blacklist</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.13.</para>
|
||||
|
||||
<para>When specified in the IN_OPTIONS column, causes all
|
||||
traffic from this zone to be passed against the <emphasis
|
||||
role="bold">src</emphasis> entries in s<ulink
|
||||
url="shorewall6-blacklist.html">horewall6-blacklist</ulink>(5).</para>
|
||||
|
||||
<para>When specified in the OUT_OPTIONS column, causes all
|
||||
traffic to this zone to be passed against the <emphasis
|
||||
role="bold">dst</emphasis> entries in s<ulink
|
||||
url="shorewall6-blacklist.html">horewall6-blacklist</ulink>(5).</para>
|
||||
|
||||
<para>Specifying this option in the OPTIONS column is
|
||||
equivalent to entering it in both of the IN_OPTIONS and
|
||||
OUT_OPTIONS column.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
|
||||
@ -315,8 +337,8 @@ c:a,b ipv6</programlisting>
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shorewall6-nesting(8), shorewall6-params(5),
|
||||
shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
shorewall6-tos(5), shorewall6-tunnels(5)</para>
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
||||
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
||||
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user