Add UPnP support
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2031 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
1180175379
commit
c5949a0119
@ -12,6 +12,10 @@
|
||||
# #conntrack state.
|
||||
# allowInvalid #Accept packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
# allowoutUPnP #Allow traffic from local command 'upnpd'
|
||||
# allowinUPnP #Allow UPnP inbound (to firewall) traffic
|
||||
# forwardUPnP #Allow traffic that upnpd has redirected from
|
||||
# #'upnp' interfaces.
|
||||
#
|
||||
#ACTION
|
||||
|
||||
|
@ -1,3 +1,7 @@
|
||||
Changes in 2.2.4
|
||||
|
||||
1) Added support for UPnP
|
||||
|
||||
Changes in 2.2.3
|
||||
|
||||
1) Added the 'continue' extension script.
|
||||
|
@ -937,7 +937,7 @@ validate_interfaces_file() {
|
||||
|
||||
for option in $options; do
|
||||
case $option in
|
||||
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|-)
|
||||
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
|
||||
;;
|
||||
detectnets)
|
||||
[ -n "$wildcard" ] && \
|
||||
@ -3473,7 +3473,8 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
|
||||
#
|
||||
process_actions1() {
|
||||
|
||||
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid"
|
||||
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
|
||||
|
||||
USEDACTIONS=
|
||||
|
||||
strip_file actions
|
||||
@ -3544,6 +3545,15 @@ process_actions1() {
|
||||
|
||||
process_actions2() {
|
||||
|
||||
local interfaces="$(find_interfaces_by_option upnp)"
|
||||
|
||||
if [ -n "$interfaces" ]; then
|
||||
if ! list_search forwardUPnP $USEDACTIONS; then
|
||||
error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)"
|
||||
USEDACTIONS="$USEDACTIONS forwardUPnP"
|
||||
fi
|
||||
fi
|
||||
|
||||
progress_message " Generating Transitive Closure of Used-action List..."
|
||||
|
||||
changed=Yes
|
||||
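Review bot: `local interfaces="$(find_interfaces_by_option upnp)"` masks the exit status of `find_interfaces_by_option`, because `local` returns 0 whatever the substitution did; split it into `local interfaces` followed by `interfaces=$(find_interfaces_by_option upnp)`, the form add_common_rules uses a few hunks later. The warning branch then appends `forwardUPnP` to `USEDACTIONS` right after reporting it missing, which presumably builds the action chain while no rules-file entry jumps to it, so the entries upnpd inserts there would sit in a chain nothing reaches; the release notes in this commit call the `forwardUPnP net loc` rule mandatory, so either make this a hard error or say in the message that UPnP forwarding stays ineffective until the rule is added. The text `Warning:Missing forwardUPnP rule` also lacks a space after the colon. process_actions2's body continues past the hunk.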
@ -3695,6 +3705,26 @@ process_actions3() {
|
||||
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
|
||||
fi
|
||||
;;
|
||||
forwardUPnP)
|
||||
;;
|
||||
allowinUPnP)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
if [ -n "$xlevel" ]; then
|
||||
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900
|
||||
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152
|
||||
fi
|
||||
|
||||
run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT
|
||||
run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT
|
||||
fi
|
||||
;;
|
||||
allowoutUPnP)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
|
||||
run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
#
|
||||
# Not a builtin
|
||||
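Review bot: The logging rule for `allowoutUPnP` spells the owner match `-m owner --owner-cmd upnpd`, while the ACCEPT rule two lines below uses `-m owner --cmd-owner upnpd`; only the latter is an iptables option, so whenever a log level is set on this action the log rule fails to load. Change the log line to `log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --cmd-owner upnpd`. A comment on the `allowoutUPnP` arm would also help, since `--cmd-owner` matches the process command name rather than its uid, e.g. `# owner match is by command name only; any local process named upnpd is accepted`. The `--cmd-owner` match is defined for locally generated traffic, which fits the `allowoutUPnP fw loc` usage in the release notes and could be stated in the actions.std comment for that action. The enclosing case statement in process_actions3 starts and ends outside the hunk.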
@ -6290,6 +6320,20 @@ add_common_rules() {
|
||||
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
|
||||
done
|
||||
fi
|
||||
#
|
||||
# UPnP
|
||||
#
|
||||
interfaces=$(find_interfaces_by_option upnp)
|
||||
|
||||
if [ -n "$interfaces" ]; then
|
||||
echo "Setting up UPnP..."
|
||||
|
||||
createnatchain UPnP
|
||||
|
||||
for interface in $interfaces; do
|
||||
run_iptables -t nat -A PREROUTING -i $interface -j UPnP
|
||||
done
|
||||
fi
|
||||
|
||||
setup_forwarding
|
||||
}
|
||||
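Review bot: `interfaces=$(find_interfaces_by_option upnp)` assigns a global here, unlike the `local interfaces` in process_actions2 earlier in this commit; if add_common_rules declares its other working variables `local` (its head is outside the hunk), this one should be `local interfaces` too. The jump `run_iptables -t nat -A PREROUTING -i $interface -j UPnP` is appended to PREROUTING after setup_nat has run (the define_firewall hunk later in this commit calls setup_nat before add_common_rules), so upnpd's entries appear to apply only to packets that Shorewall's own NAT rules did not already match; if that precedence is intended, a comment would save the next reader the trace, e.g. `# Appended after setup_nat: Shorewall's own DNAT rules take precedence over upnpd's`. The UPnP chain is created empty and is meant to be populated by upnpd (`prerouting_chain_name = UPnP` in the release notes), which is worth one comment line above `createnatchain UPnP`.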
@ -6387,7 +6431,9 @@ activate_rules()
|
||||
# are inserted before jumps to one-to-one NAT chains.
|
||||
#
|
||||
addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
|
||||
{
|
||||
{ interfaces=$(find_interfaces_by_option upnp)
|
||||
|
||||
|
||||
local sourcechain=$1 destchain=$2
|
||||
shift
|
||||
shift
|
||||
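Review bot: The line `{ interfaces=$(find_interfaces_by_option upnp)` sits inside `addrulejump()` directly after the function's opening brace and before `local sourcechain=$1 destchain=$2`; as rendered it opens a second `{` group and assigns a global `interfaces` on every call, which reads as a misplaced paste rather than intended code (the page may have fused two lines, so verify against the raw diff). If the assignment is meant for the UPnP jumps in activate_rules, move it out of `addrulejump` and drop the stray brace; if it is not needed there, delete the line. addrulejump's body continues outside the hunk.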
@ -6402,7 +6448,7 @@ activate_rules()
|
||||
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Add jumps to early SNAT chains
|
||||
#
|
||||
@ -6697,6 +6743,7 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
|
||||
echo "Initializing..."; initialize_netfilter
|
||||
echo "Configuring Proxy ARP"; setup_proxy_arp
|
||||
|
||||
echo "Setting up NAT..."; setup_nat
|
||||
echo "Setting up NETMAP..."; setup_netmap
|
||||
echo "Adding Common Rules"; add_common_rules
|
||||
|
@ -167,6 +167,8 @@
|
||||
# detectnets - Automatically taylors the zone named
|
||||
# in the ZONE column to include only those
|
||||
# hosts routed through the interface.
|
||||
# upnp - Incoming requests from this interface may
|
||||
# be remapped via UPNP (upnpd).
|
||||
#
|
||||
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
||||
# INTERNET INTERFACE.
|
||||
|
@ -1,4 +1,67 @@
|
||||
Shorewall 2.2.3
|
||||
Shorewall 2.2.4
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in version 2.2.4
|
||||
|
||||
None.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
New Features in version 2.2.4
|
||||
|
||||
1) Support has been added for UPnP using linux-igd
|
||||
(http://linux-idg.sourceforge.net). UPnP is required by a number of
|
||||
popular applications including MSN IM.
|
||||
|
||||
WARNING: From a security architecture viewpoint, UPnP is a
|
||||
disaster. It assumes that:
|
||||
|
||||
a) All local systems and their users are complete
|
||||
trustworthy.
|
||||
|
||||
b) No local system is infected with any worm or trojan.
|
||||
|
||||
If either of these assumptions are not true then UPnP can
|
||||
be used to totally defeat you firewall and to allow
|
||||
incoming connections to arbitrary local systems on any port
|
||||
whatsoever.
|
||||
|
||||
In short: USE UPnP AT YOUR OWN RISK.
|
||||
|
||||
WARNING: Building and installing linux-igd is not for the faint of
|
||||
heart. You must download the source from the CVS and be
|
||||
prepared to do quite a bit of fiddling with the include
|
||||
files from libupnp (which is required to build and/or run
|
||||
linux-igd).
|
||||
|
||||
linux-idg Configuration:
|
||||
|
||||
In /etc/upnpd.conf, you will want:
|
||||
|
||||
insert_forward_rules = yes
|
||||
prerouting_chain_name = UPnP
|
||||
forward_chain_name = forwardUPnP
|
||||
|
||||
Shorewall Configuration:
|
||||
|
||||
In /etc/shorewall/interfaces, you need the 'upnp' option
|
||||
on your external interface.
|
||||
|
||||
If your fw->loc policy is not ACCEPT then you need this
|
||||
rule:
|
||||
|
||||
allowoutUPnP fw loc
|
||||
|
||||
If your loc->fw policy is not ACCEPT then you need this
|
||||
rule:
|
||||
|
||||
allowinUPnP loc fw
|
||||
|
||||
You MUST have this rule:
|
||||
|
||||
forwardUPnP net loc
|
||||
|
||||
You must also ensure that you have a route to 224.0.0.0/4 on your
|
||||
internal (local) interface.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in version 2.2.3
|
||||
|