forked from extern/shorewall_code
Save IPv6 State
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8934 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 430a3f7929
commit b2045fdc0b
@ -2325,7 +2325,7 @@ sub expand_rule( $$$$$$$$$$$ )
if ( $origdest ) {
if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) {
$origdest = '';
if ( $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '' ) {
if ( $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '' && $oport ne '-' ) {
$rule .= "-m conntrack --ctorigdstport $oport ";
}
} elsif ( $origdest =~ /^detect:(.*)$/ ) {
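Review bot: logic: the added `$oport ne '-'` test on the `NEW_CONNTRACK_MATCH` branch is what stops `-m conntrack --ctorigdstport -` from being emitted when the DEST PORT column is empty (the invalid iptables-restore input listed as problem 6 in the 4.2.2 release notes in this same commit), but it leaves two different sentinels in play: `$origdest` is normalised from `'-'` to `''` three lines earlier, while `$oport` is tested for both `''` and `'-'` inline. Normalising `$oport` the same way once, before any port check (e.g. `$oport = '' if defined $oport && $oport eq '-';`), would let the condition stay `defined $oport && $oport ne ''` and removes the chance of a third `'-'` check being forgotten elsewhere in `expand_rule`. A short comment on this branch saying that `'-'` stands for an omitted column would also help, since that is not obvious from the condition.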
docs/ipsets.xml
@ -20,6 +20,8 @@
<copyright>
<year>2005</year>

<year>2008</year>

<holder>Thomas M. Eastep</holder>
</copyright>

@ -128,51 +130,109 @@
<para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT +sshok $FW tcp 22</programlisting></para>

<para>Shorewall can automatically manage the contents of your ipsets for
you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf then
"shorewall save" will save the contents of your ipsets. The file where the
sets are saved is formed by taking the name where the Shorewall
configuration is stored and appending "-ipsets". So if you enter the
command "shorewall save standard" then Shorewall will save the file as
/var/lib/shorewall/standard-ipsets</para>
<para>If you are running Shorewall-shell:</para>

<para>Regardless of the setting of SAVE_IPSETS, the <command>shorewall -f
start</command> and <command>shorewall restore</command> commands will
restore the ipset contents corresponding to the Shorewall configuration
restored provided that the saved Shorewall configuration specified
exists.</para>
<blockquote>
<para>Shorewall can automatically manage the contents of your ipsets for
you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf
then "shorewall save" will save the contents of your ipsets. The file
where the sets are saved is formed by taking the name where the
Shorewall configuration is stored and appending "-ipsets". So if you
enter the command "shorewall save standard" then Shorewall will save the
file as /var/lib/shorewall/standard-ipsets</para>

<para>For example, <command>shorewall restore standard</command> would
restore the ipset contents from
<filename>/var/lib/shorewall/standard-ipsets</filename> provided that
<filename>/var/lib/shorewall/standard</filename> exists and is executable
and that <filename>/var/lib/shorewall/standard-ipsets</filename> exists
and is executable.</para>
<para>Regardless of the setting of SAVE_IPSETS, the <command>shorewall
-f start</command> and <command>shorewall restore</command> commands
will restore the ipset contents corresponding to the Shorewall
configuration restored provided that the saved Shorewall configuration
specified exists.</para>

<para>Also regardless of the setting of SAVE_IPSETS, the
<command>shorewall forget</command> command will purge the saved ipset
information (if any) associated with the saved shorewall configuration
being removed.</para>
<para>For example, <command>shorewall restore standard</command> would
restore the ipset contents from
<filename>/var/lib/shorewall/standard-ipsets</filename> provided that
<filename>/var/lib/shorewall/standard</filename> exists and is
executable and that
<filename>/var/lib/shorewall/standard-ipsets</filename> exists and is
executable.</para>

<para>You can also associate ipset contents with Shorewall configuration
directories using the following command:</para>
<para>Also regardless of the setting of SAVE_IPSETS, the
<command>shorewall forget</command> command will purge the saved ipset
information (if any) associated with the saved shorewall configuration
being removed.</para>

<programlisting><command>ipset -S > <config directory>/ipsets</command></programlisting>
<para>You can also associate ipset contents with Shorewall configuration
directories using the following command:</para>

<para>Example:</para>
<programlisting><command>ipset -S > <config directory>/ipsets</command></programlisting>

<programlisting><command>ipset -S > /etc/shorewall/ipsets</command></programlisting>
<para>Example:</para>

<para>When you start or restart Shorewall (including using the
<command>try</command> command) from the configuration directory, your
ipsets will be configured from the saved ipsets file. Once again, this
behavior is independent of the setting of SAVE_IPSETS.</para>
<programlisting><command>ipset -S > /etc/shorewall/ipsets</command></programlisting>

<para>As mentioned above, ipsets are well suited for large blacklists. You
can maintain your blacklist using the 'ipset' utility without ever having
to restart or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature
just be sure to "shorewall save" after altering the blacklist
ipset(s).</para>
<para>When you start or restart Shorewall (including using the
<command>try</command> command) from the configuration directory, your
ipsets will be configured from the saved ipsets file. Once again, this
behavior is independent of the setting of SAVE_IPSETS.</para>

<para>As mentioned above, ipsets are well suited for large blacklists.
You can maintain your blacklist using the 'ipset' utility without ever
having to restart or refresh Shorewall. If you use the SAVE_IPSETS=Yes
feature just be sure to "shorewall save" after altering the blacklist
ipset(s).</para>
</blockquote>

<para>If you are running Shorewall-perl:</para>

<blockquote>
<para>Shorewall is now out of the ipset load/reload business. With
scripts generated by the Perl-based Compiler, the Netfilter rule set is
never cleared. That means that there is no opportunity for Shorewall to
load/reload your ipsets since that cannot be done while there are any
current rules using ipsets.</para>

<para>So:</para>

<orderedlist numeration="upperroman">
<listitem>
<para>Your ipsets must be loaded before Shorewall starts. You are
free to try to do that with the following code in
<filename>/etc/shorewall/init (it works for me; your mileage may
vary)</filename>:</para>

<programlisting>if [ "$COMMAND" = start ]; then
ipset -U :all: :all:
ipset -U :all: :default:
ipset -F
ipset -X
ipset -R < /etc/shorewall/ipsets
fi</programlisting>

<para>The file <filename>/etc/shorewall/ipsets</filename> will
normally be produced using the <command>ipset -S</command>
command.</para>

<para>The above will work most of the time but will fail in a
<command>shorewall stop</command> - <command>shorewall
start</command> sequence if you use ipsets in your routestopped file
(see below).</para>
</listitem>

<listitem>
<para>Your ipsets may not be reloaded until Shorewall is stopped or
cleared.</para>
</listitem>

<listitem>
<para>If you specify ipsets in your routestopped file then Shorewall
must be cleared in order to reload your ipsets.</para>
</listitem>
</orderedlist>

<para>As a consequence, scripts generated by the Perl-based compiler
will ignore <filename>/etc/shorewall/ipsets</filename> and will issue a
warning if you set SAVE_IPSETS=Yes in
<filename>shorewall.conf</filename>.</para>
</blockquote>

<para>Example (Note -- this example is applicable to ipset versions up to
and including 2.4. In 2.5, the binding feature of ipsets is scheduled for
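Review bot: markup: in the Shorewall-perl list the parenthetical sits inside the `<filename>` element (`<filename>/etc/shorewall/init (it works for me; your mileage may vary)</filename>`), so it renders as part of the file name; close the element after `init` and leave the remark as ordinary `<para>` text. Two smaller points in the same hunk: the `ipset -S > <config directory>/ipsets` listing needs the placeholder written as `&lt;config directory&gt;` if those are literal angle brackets in the XML source, since a DocBook parser will otherwise read it as a start tag; and the caveat on the init snippet (it fails in a `shorewall stop` / `shorewall start` sequence when routestopped references ipsets) would be more useful if it named the failing step, given the paragraph above it says sets cannot be reloaded while current rules use them, `ipset -X` is the command that will be refused, and the reader should know that the sets are then not reloaded from `/etc/shorewall/ipsets` at all rather than partially.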
@ -26,10 +26,13 @@ license is included in the section entitled <span
href="GnuCopyright.htm" target="_self">GNU Free Documentation
License</a></span>".
</p>
<p>October 25, 2008<br>
<p>November 20, 2008<br>
</p>
<hr style="width: 100%; height: 2px;">
<p><strong>2006-10-25 Shorewall 4.2.1<br>
<p><strong>2008-11-20 Shorewall 4.2.2</strong></p>
<p><strong></strong></p>
<pre>Problems corrected in Shorewall 4.2.2<br><br>1) Shorewall-perl now insures that each line copied from a<br> configuration file or user exit is terminated with a newline<br> character.<br><br>2) When ipranges were used to define zones, Shorewall-perl could<br> generate invalid iptables-restore input if 'Repeat Match' was not<br> available. Repeat Match is not a true match -- it rather is a<br> feature of recent iptables releases that allows a match to be<br> repeated within a rule.<br><br>3) With Shorewall-perl, if a destination port list had exactly 16<br> ports, where a port-range counts as two ports, then Shorewall-perl<br> would fail to split the rule into multiple rules and an<br> iptables-restore error would result.<br><br>4) The change to Shorewall-perl in 4.2.1 that promised iptables 1.4.1<br> compatibility contained a typo that prevented it from working<br> correctly.<br><br>5) If a no-NAT rule (DNAT-, ACCEPT+, NONAT) included a destination IP<br> address and no zone name in the DEST column, Shorewall-perl would<br> reject the rule. If a zone name was specified, Shorewall-perl <br> would issue a Warning message.<br><br>6) Previously, if Extended conntrack match support was available, a<br> DNAT rule that specified a server port but no destination port <br> would generate invalid iptables-restore input. <br><br>Other changes in Shorewall 4.2.2<br><br>1) A macro supporting JAP (anonymization protocol) has been added.<br> It can be used as any other macro (e.g., JAP/ACCEPT) in the rules<br> file.<br><br>2) A macro supporting DAAP (Digital Audio Access Protocol) has been added.<br> It can be used as any other macro (e.g., DAAP/ACCEPT) in the rules<br> file.<br><br>3) A macro supporting DCC (Distributed Checksum Clearinghouse) has been<br> added. It can be used as any other macro (e.g., DCCP/ACCEPT) in the<br> rules file.<br><br>4) A macro supporting GNUnet (secure peer-to-peer networking) has been<br> added. 
It can be used as any other macro (e.g., GNUnet/ACCEPT) in the<br> rules file.<br><br>5) In 4.2.1, a single capability ("Extended conntrack match support")<br> was used both to control the use of --ctorigport and to trigger use<br> of the new syntax for inversion of --ctorigdst (e.g., "!<br> --ctorigdst ..."). In 4.2.2, these are controlled by two separate<br> capabilities. If you use a capabilities file when compiling your<br> configuration, be sure to generate a new one after installing<br> 4.2.2.<br></pre>
<p><strong>2008-10-25 Shorewall 4.2.1<br>
</strong><strong></strong></p>
<pre>Problems corrected in Shorewall 4.2.1<br><br>1) A description of the CONNBYTES column has been added to<br> shorewall-tcrules(5).<br><br>2) Previously, Shorewall-perl would accept zero as the <max> value in<br> the CONNBYTES column of tcrules even when the <min> field was<br> non-zero. A value of zero for <max> was equivalent to omitting<br> <max>.<br><br>3) iptables 1.4.1 discontinued support of syntax generated by<br> shorewall in some cases. Shorewall now detects when the new syntax<br> is required and uses it instead.<br><br>4) The Shorewall-perl implementation of the LENGTH column in<br> /etc/shorewall/tcrules was incomplete with the result that <br> all LENGTH rules matched. Thanks to Lennart Sorensen for the patch.<br><br>5) The 'export' command no longer fails with the error:<br><br> /sbin/shorewall: 1413: Syntax error: "(" unexpected (expecting "fi")<br><br>Other changes in Shorewall 4.2.1<br><br>1) With the recent renewed interest in DOS attacks, it seems<br> appropriate to have connection limiting support in Shorewall. To<br> that end, a CONNLIMIT column has been added to both the policy and<br> rules files.<br><br> The content of these columns is of the format<br><br> [!] <limit>[:<mask>]<br><br> where<br><br> <limit> is the limit on simultaneous TCP connections.<br><br> <mask> specifies the size of the network to which<br> the limit applies and is specified as a<br> CIDR mask length. The default value for<br> <mask> is 32 which means that each remote<br> IP address can have <limit> TCP connections<br> active at once.<br><br> ! Not allowed in the policy file. In the rules file, it<br> causes connections to match when the number of<br> current connections exceeds <limit>.<br> <br> When specified in the policy file, the limit is enforced on all<br> connections that are subject to the given policy (just like<br> LIMIT:BURST). 
The limit is checked on new connections before the<br> connection is passed through the rules in the NEW section of the<br> rules file.<br><br> It is important to note that while the limit is only checked for<br> those destinations specified in the DEST column, the number of<br> current connections is calculated over all destinations and not<br> just the destination specified in the DEST column.<br><br> Use of this feature requires the connlimit match capability in your<br> kernel and iptables. If you use a capabilities file when compiling<br> your Shorewall configuration(s), then you need to regenerate the<br> file using Shorewall or Shorewall-lite 4.2.1.<br><br>2) Shorewall now supports time/date restrictions on entries in the <br> rules file via a new TIME column.<br><br> The contents of this column is a series of one or more "time<br> elements" separated by apersands ("&"). Possible time elements are:<br><br> utc Times are expressed in Greenwich Mean Time.<br> localtz Times are expressed in local civil time (default)<br> timestart=hh:mm[:ss]<br> timestop=hh:mm[:ss] Start and stop time of day for rule<br> weekdays=ddd[,ddd]... where ddd is Mon,Tue,Wed,Thu,Fri,Sat or<br> Sun<br> monthdays=dd[,dd]... where dd is an ordinal day of the month.<br> datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]<br> datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]<br> where yyyy = Year<br> first mm = Month<br> dd = Day<br> hh = Hour<br> 2nd mm = Minute<br> ss = Second<br><br> Examples:<br><br> 1) utc&timestart=10:00&timestop=12:00<br><br> Between 10am and 12 noon each day, GMT<br><br> 2) datestart=2008-11-01T12:00<br><br> Beginning November 1, 2008 at noon LCT.<br><br> Use of this feature requires the time match capability in your<br> kernel and iptables. If you use a capabilities file when compiling<br> your Shorewall configuration(s), then you need to regenerate the<br> file using Shorewall or Shorewall-lite 4.2.1.<br></pre>
<p><strong>2006-10-05 Shorewall 4.2.0</strong></p>
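Review bot: content: in "Other changes in Shorewall 4.2.2" item 3 introduces a macro named DCC (Distributed Checksum Clearinghouse) but gives the usage as `DCCP/ACCEPT`; the macro name and the example do not match, so the example should read `DCC/ACCEPT` like the JAP, DAAP and GNUnet items around it. Smaller points in the same hunk: the 4.2.1 heading's year is corrected from 2006 to 2008, but the unchanged `<p><strong>2006-10-05 Shorewall 4.2.0</strong></p>` at the end of the hunk carries the same wrong year; the new `<p><strong></strong></p>` after the 4.2.2 heading is empty and can go; and "insures" in problem 1 should be "ensures". Item 5 of the 4.2.2 changes (the single "Extended conntrack match support" capability split into two, with a regenerated capabilities file required) is the user-visible side of the `NEW_CONNTRACK_MATCH` check in this commit's Perl hunk and deserves a sentence in the commit message.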
@ -23,7 +23,7 @@ Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of
the
license is included in the section entitled “<a href="GnuCopyright.htm"
target="_self">GNU Free Documentation License</a>”.</p>
<p>2008-10-05 </p>
<p>2008-11-20 </p>
<hr>
<h2>Table of Contents</h2>
<p><b><a href="#Which">Package Information</a><br>
@ -179,28 +179,9 @@ which itself links to cvs:<br>
<p>You will probably also want to download the HTML version of the
documentation for easy reference.</p>
<h2><a name="Updates"></a>Finding Updates that Correct Known Problems</h2>
<p>Beginning with Shorewall 2.2.0, you will find a file named
known_problems.txt in the download directory. This file lists the known
problems with that version of Shorewall. If corrections are available,
they
will be listed in the known problems and you can download them from the
'errata' subdirectory.</p>
<p>Example:</p>
<blockquote>
<pre>ftp> cd pub/shorewall/2.2/shorewall-2.2.0250 OK.<br>Current directory is /pub/shorewall/2.2/shorewall-2.2.0<br>ftp> ls<br>227 Entering Passive Mode (206,124,146,177,35,91)<br>150 Accepted data connection<br>drwxr-sr-x 3 0 0 4096 Feb 1 09:52 .<br>drwxr-sr-x 3 0 0 4096 Jan 28 14:28 ..<br>-rw-r--r-- 1 0 0 500 Jan 28 14:27 2.2.0.md5sums<br>drwxr-sr-x 2 0 0 4096 Feb 1 09:51 errata <=== (1)<br>-rw-r--r-- 1 0 0 156 Feb 1 09:52 known_problems.txt <=== (2)<br>-rw-r--r-- 1 0 0 16059 Jan 24 16:13 patch-2.2.0<br>-rwxr-xr-x 1 0 0 22963 Jan 24 16:10 releasenotes.txt<br>-rw-r--r-- 1 0 0 100232 Jan 25 15:58 shorewall-2.2.0-1.noarch.rpm<br>-rw-r--r-- 1 0 0 122161 Jan 25 15:58 shorewall-2.2.0.tgz<br>-rw-r--r-- 1 0 0 2534077 Jan 28 13:29 shorewall-docs-html-2.2.0.tgz<br>-rw-r--r-- 1 0 0 4481205 Jan 28 13:29 shorewall-docs-xml-2.2.0.tgz<br>-rw-r--r-- 1 0 0 93905 Jan 25 15:58 shorewall-lrp-2.2.0.tgz<br>226-Options: -a -l<br>226 13 matches total<br>ftp><br></pre>
</blockquote>
<p style="margin-left: 0.42in;"><font face="monospace"><font
color="#cc0000">(1) Directory containing updates. For Shorewall
versions
prior to 2.4.0, the updates/LRP directory contains those updates that
apply
to the LRP package.</font><br>
<font color="#cc0000">(2) List of known problems, workarounds and
updates..
</font> </font></p>
<p>Beginning with Shorewall 4.0.6, updated packages that include fixes
to
known problems may also be made available.</p>
known problems are made available.</p>
<p>Example:</p>
<blockquote>
<pre>ftp> cd pub/shorewall/4.0/shorewall-4.0.6<br>250 OK. Current directory is /pub/shorewall/4.0/shorewall-4.0.6<br>ftp> ls<br>200 PORT command successful<br>150 Connecting to port 36018<br>drwxr-sr-x 4 1006 8 4096 Dec 1 08:16 .<br>drwxr-sr-x 9 1006 8 4096 Nov 23 08:22 ..<br>-rw-r--r-- 1 1006 8 194 Nov 24 07:38 4.0.6-2.md5sums<br>-rw-r--r-- 1 1006 8 218 Nov 24 07:38 4.0.6-2.sha1sums<br>-rw-r--r-- 1 1006 8 841 Nov 26 13:26 4.0.6.md5sums<br>-rw-r--r-- 1 1006 8 945 Nov 26 13:26 4.0.6.sha1sums<br>-rw-r--r-- 1 1006 8 322 Nov 26 08:35 README.txt<br>drwxr-xr-x 4 1006 8 4096 Nov 23 17:16 errata<br>drwxr-xr-x 4 1006 8 4096 Nov 23 08:21 <strong>base</strong>
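Review bot: documentation: the replacement sentence "updated packages that include fixes to known problems are made available" reads fine, but the 4.0.6 listing under it shows `4.0.6.md5sums`, `4.0.6.sha1sums` and the `4.0.6-2` variants for the updated packages without the text ever pointing the reader at them; one sentence telling the reader to check a downloaded package against the matching `.sha1sums` file before installing would turn the listing into a usable procedure instead of a directory dump. Also `updates..` in note (2) has a doubled full stop.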
@ -22,11 +22,12 @@ the
license is included in the section entitled <span
style="text-decoration: underline;">"</span><a href="GnuCopyright.htm"
target="_self">GNU Free Documentation License</a>".</p>
<p>2008-11-19</p>
<p>2008-11-20</p>
<hr style="width: 100%; height: 2px;">
<h2><a style="color: rgb(255, 0, 0);" target="_top"
href="http://wiki.shorewall.net/wiki/LogoDesignCompetition">Check out
the Shorewall Logo Design Competition</a>!<br>
the Shorewall Logo Design Competition</a><span
style="color: rgb(255, 0, 0);">!</span><br>
</h2>
<h2>Table of Contents</h2>
<p style="margin-bottom: 0in; margin-left: 0.42in;"><a href="#Intro">Introduction
@ -125,15 +126,15 @@ Features page</a>.<br>
</p>
<h3><a name="Releases"></a>Current Shorewall Releases</h3>
<p style="margin-left: 40px;">The <span style="font-weight: bold;">current
Stable Release</span> version is 4.2.1<br>
Stable Release</span> version is 4.2.2<br>
</p>
<ul style="margin-left: 40px;">
<li>Here are the <a
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.1/releasenotes.txt">release
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.2/releasenotes.txt">release
notes</a> <br>
</li>
<li>Here are the <a
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.1/known_problems.txt">known
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.2/known_problems.txt">known
problems</a>.
<p>Read more about the <a href="Shorewall-4.html">Release here</a>.<br>
</p>