diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 9156197cd..c2fd56bdb 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -34,3 +34,5 @@ Changes since 1.4.10
 builtin actions dropBcast and dropNonSyn.
 17) Make "trace" a synonym for "debug"
+
+18) Add the ":noah" option to IPSEC tunnels.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 810e23392..9abbe294e 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -1115,15 +1115,29 @@ setup_tunnels() # $1 = name of tunnels file
 setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones
 {
+ local kind=$2 noah=
+
+ case $kind in
+ *:*)
+ noah=${kind#*:}
+ [ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
+ kind=${kind%:*}
+ ;;
+ esac
+
+ [ $kind = IPSEC ] && kind=ipsec
+
 options="-m state --state NEW -j ACCEPT"
 addrule $inchain -p 50 -s $1 -j ACCEPT
 addrule $outchain -p 50 -d $1 -j ACCEPT
- run_iptables -A $inchain -p 51 -s $1 -j ACCEPT
- run_iptables -A $outchain -p 51 -d $1 -j ACCEPT
+ if [ -z "$noah" ]; then
+ run_iptables -A $inchain -p 51 -s $1 -j ACCEPT
+ run_iptables -A $outchain -p 51 -d $1 -j ACCEPT
+ fi
 run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
- if [ $2 = ipsec ]; then
+ if [ $kind = ipsec ]; then
 run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
 else
 run_iptables -A $inchain -p udp -s $1 --dport 500 $options
@@ -1133,7 +1147,7 @@ setup_tunnels() # $1 = name of tunnels file
 for z in $(separate_list $3); do
 if validate_zone $z; then
 addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options
- if [ $2 = ipsec ]; then
+ if [ $kind = ipsec ]; then
 addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options
 else
 addrule ${z}2${FW} -p udp --dport 500 $options
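Review bot: The modifier check `[ $noah = noah -o $noah = NOAH ]` does not fail cleanly when the suffix is empty (a tunnels entry of `ipsec:` matches `*:*` and leaves `$noah` empty): `$noah` is unquoted, so `[` sees `= noah -o = NOAH`, prints its own syntax error, and only then does `||` reach fatal_error with a message naming an empty modifier; `-o` inside `[` is also the ambiguous form. A `case` is exact and portable: `case $noah in noah|NOAH) ;; *) fatal_error "Invalid IPSEC modifier \"$noah\" in tunnel \"$tunnel\"" ;; esac`. Because this option intentionally stops accepting protocol 51 from the gateway, the `if [ -z "$noah" ]` guard deserves a comment such as `# :noah = ESP-only tunnel; omit the AH (proto 51) ACCEPT rules so AH from the gateway is no longer let through here`, so nobody later "restores" the missing rules. Note also that `$tunnel` is not set in this function (presumably it is the entry being processed by the enclosing setup_tunnels loop) and that `[ $kind = IPSEC ]` folds only that spelling — `IPSECNAT` works because it lands in the `else` branch of `if [ $kind = ipsec ]`, which is correct but not obvious. setup_one_ipsec continues below the end of the hunk.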
@@ -1238,11 +1252,11 @@ setup_tunnels() # $1 = name of tunnels file
 inchain=${z}2${FW}
 outchain=${FW}2${z}
 case $kind in
- ipsec|IPSEC) - setup_one_ipsec $gateway ipsec $z1 ;; + ipsec|IPSEC|ipsec:*|IPSEC:*) + setup_one_ipsec $gateway $kind $z1 ;;
- ipsecnat|IPSECNAT)
- setup_one_ipsec $gateway ipsecnat $z1
+ ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*)
+ setup_one_ipsec $gateway $kind $z1
 ;;
 ipip|IPIP)
 setup_one_other IPIP $gateway 4
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 1bfe2d685..9b28ed2c6 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -161,5 +161,10 @@ New Features:
 The trace information would be written to the file /tmp/trace.
+6) When defining an ipsec tunnel in /etc/shorewall/tunnels, if you
+ follow the tunnel type ("ipsec" or "ipsecnet") with ":noah"
+ (e.g., "ipsec:noah"), then Shorewall will only create rules for
+ ESP (protocol 50) and will not create rules for AH (protocol 51).
+
diff --git a/Shorewall2/tunnels b/Shorewall2/tunnels
index 3123bbf63..2c032cb21 100644
--- a/Shorewall2/tunnels
+++ b/Shorewall2/tunnels
@@ -13,6 +13,10 @@
 # "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
 # "generic"
 #
+# If the type is "ipsec" or "ipsecnat", it may be followed
+# by ":noah" to indicate that the Authentication Header
+# protocol (51) is not used by the tunnel.
+#
 # If type is "openvpn", it may optionally be followed
 # by ":" and the port number used by the tunnel. if no
 # ":" and port number are included, then the default port
@@ -42,9 +46,10 @@
 # Example 1:
 #
 # IPSec tunnel. The remote gateway is 4.33.99.124 and
 # the remote subnet is 192.168.9.0/24 -# the remote subnet is 192.168.9.0/24. The tunnel does +# not use the AH protocol
 #
-# ipsec net 4.33.99.124
+# ipsec:noah net 4.33.99.124
 #
 # Example 2:
 #
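Review bot: The new `ipsec:*` and `ipsecnat:*` arms pass `$kind` through unnormalised where the old arms passed the literal `ipsec`/`ipsecnat`, so case-folding now happens inside setup_one_ipsec (earlier hunk of this file), which only maps `IPSEC` to `ipsec`; `IPSECNAT` and `IPSECNAT:noah` still behave correctly, but only because they fall into the `else` branch of its `if [ $kind = ipsec ]`. That split in responsibility is worth a one-line comment on the call, e.g. `# kind may carry a :noah suffix and upper case; setup_one_ipsec validates and folds it`, so a later edit to either side does not silently break the ipsecnat path. Separately, the release note added in this same commit spells the type "ipsecnet", while the pattern accepted here is `ipsecnat` — the note should be corrected to match. The `case` statement continues past the end of the hunk.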