From c789d7ac7a5abcf07ca343320fa219777b6fbd56 Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 22 Mar 2004 21:15:54 +0000 Subject: [PATCH] Add new options to /etc/shorewall/hosts git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1220 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/changelog.txt | 2 ++ Shorewall2/firewall | 70 +++++++++++++++++++++++-------------- Shorewall2/hosts | 61 ++++++++++++++++++++++++++++++++ Shorewall2/interfaces | 16 ++++++--- Shorewall2/releasenotes.txt | 19 +++++++++- 5 files changed, 136 insertions(+), 32 deletions(-) diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index 0bff4846b..c42097248 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -17,3 +17,5 @@ Changes since 2.0.0 8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC. 9) Improve zone-definition checking. + +10) Add additional options to hosts file diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 6a627b773..8162f0a0a 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -975,7 +975,7 @@ find_hosts_by_option() # $1 = option done < $TMP_DIR/hosts for interface in $all_interfaces; do - interface_has_option $interface $option && \ + interface_has_option $interface $1 && \ echo ${interface}:0.0.0.0/0 done } @@ -1889,7 +1889,7 @@ process_tc_rule() fatal_error "Unknown interface $source in rule \"$rule\"" fi - r="$(select_source_dev) $source " + r="$(match_source_dev) $source " ;; esac fi @@ -4207,11 +4207,11 @@ process_blacklist_rec() { # Setup the Black List # setup_blacklist() { - local interfaces=$(find_interfaces_by_option blacklist) + local hosts=$(find_hosts_by_option blacklist) local f=$(find_file blacklist) local disposition=$BLACKLIST_DISPOSITION - if [ -n "$interfaces" -a -f $f ]; then + if [ -n "$hosts" -a -f $f ]; then echo "Setting up Blacklisting..." strip_file blacklist $f @@ -4220,12 +4220,17 @@ setup_blacklist() { [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state= - for interface in $interfaces; do - for chain in $(first_chains $interface); do - run_iptables -A $chain $state -j blacklst - done + for host in $hosts; do + interface=${host%%:*} + network=${host#*:} - echo " Blacklisting enabled on $interface" + for chain in $(first_chains $interface); do + run_iptables -A $chain $state $(match_source_hosts $network) -j blacklst + done + + [ $network = 0/0.0.0.0 ] && network= || network=":$network" + + echo " Blacklisting enabled on ${interface}${network}" done [ "$disposition" = REJECT ] && disposition=reject @@ -4605,15 +4610,18 @@ add_common_rules() { # # SMURFS # - interfaces=$(find_interfaces_by_option nosmurfs) + hosts=$(find_hosts_by_option nosmurfs) - if [ -n "$interfaces" ]; then + if [ -n "$hosts" ]; then echo "Adding Anti-smurf Rules" - for interface in $interfaces; do + for host in $hosts; do + interface=${host%%:*} + subnet=${host#*:} + for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW -j smurfs + run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j smurfs done done fi @@ -4639,9 +4647,9 @@ add_common_rules() { # # RFC 1918 # - norfc1918_interfaces="$(find_interfaces_by_option norfc1918)" + hosts="$(find_hosts_by_option norfc1918)" - if [ -n "$norfc1918_interfaces" ]; then + if [ -n "$hosts" ]; then echo "Enabling RFC1918 Filtering" strip_file rfc1918 @@ -4697,21 +4705,24 @@ add_common_rules() { fi done < $TMP_DIR/rfc1918 - for interface in $norfc1918_interfaces; do + for host in $hosts; do + interface=${host%%:*} + subnet=${host#*:} + for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW -j norfc1918 + run_iptables -A $chain -m state --state NEW $(match_source_hosts $subnet) -j norfc1918 done [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \ - run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918 + run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface $(match_source_hosts $subnet) -j man1918 done fi # # Bogons # - nobogon_interfaces="$(find_interfaces_by_option bogons)" + hosts="$(find_hosts_by_option bogons)" - if [ -n "$nobogon_interfaces" ]; then + if [ -n "$hosts" ]; then echo "Enabling Bogon Filtering" strip_file bogons @@ -4740,17 +4751,20 @@ add_common_rules() { done < $TMP_DIR/bogons - for interface in $nobogon_interfaces; do + for host in $hosts; do + interface=${host%%:*} + network=${host#*:} + for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW -j nobogons + run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j nobogons done done fi - interfaces=$(find_interfaces_by_option tcpflags) + hosts=$(find_hosts_by_option tcpflags) - if [ -n "$interfaces" ]; then + if [ -n "$hosts" ]; then echo "Setting up TCP Flags checking..." createchain tcpflags no @@ -4791,9 +4805,12 @@ add_common_rules() { # run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition - for interface in $interfaces; do + for host in $hosts; do + interface=${host%%:*} + network=${host#*:} + for chain in $(first_chains $interface); do - run_iptables -A $chain -p tcp -j tcpflags + run_iptables -A $chain -p tcp $(match_source_hosts $network) -j tcpflags done done fi @@ -5117,7 +5134,6 @@ activate_rules() run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT done - } # diff --git a/Shorewall2/hosts b/Shorewall2/hosts index 12f9740d7..746fd2634 100644 --- a/Shorewall2/hosts +++ b/Shorewall2/hosts @@ -58,5 +58,66 @@ # to send requests originating from this # group to a server in the group. # +# norfc1918 - This option only makes sense for ports +# on a bridge. +# +# The port should not accept +# any packets whose source is in one +# of the ranges reserved by RFC 1918 +# (i.e., private or "non-routable" +# addresses. If packet mangling or +# connection-tracking match is enabled in +# your kernel, packets whose destination +# addresses are reserved by RFC 1918 are +# also rejected. +# +# nobogons - This option only makes sense for ports +# on a bridge. +# +# This port should not accept +# any packets whose source is in one +# of the ranges reserved by IANA (this +# option does not cover those ranges +# reserved by RFC 1918 -- see +# 'norfc1918' above). +# +# . . blacklist - This option only makes sense for ports +# on a bridge. +# +# Check packets arriving on this port +# against the /etc/shorewall/blacklist +# file. +# +# tcpflags - Packets arriving from these hosts are +# checked for certain illegal combinations +# of TCP flags. Packets found to have +# such a combination of flags are handled +# according to the setting of +# TCP_FLAGS_DISPOSITION after having been +# logged according to the setting of +# TCP_FLAGS_LOG_LEVEL. +# +# nosmurfs - This option only makes sense for ports +# on a bridge. +# +# Filter packets for smurfs +# (packets with a broadcast +# address as the source). +# +# Smurfs will be optionally logged based +# on the setting of SMURF_LOG_LEVEL in +# shorewall.conf. After logging, the +# packets are dropped. +# +# newnotsyn - TCP packets that don't have the SYN +# flag set and which are not part of an +# established connection will be accepted +# from these hosts, even if +# NEWNOTSYN=No has been specified in +# /etc/shorewall/shorewall.conf. +# +# This option has no effect if +# NEWNOTSYN=Yes. +# #ZONE HOST(S) OPTIONS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall2/interfaces b/Shorewall2/interfaces index 575286e03..9a9642362 100644 --- a/Shorewall2/interfaces +++ b/Shorewall2/interfaces @@ -63,15 +63,23 @@ # any packets whose source is in one # of the ranges reserved by RFC 1918 # (i.e., private or "non-routable" -# addresses. If packet mangling is -# enabled in shorewall.conf, packets -# whose destination addresses are -# reserved by RFC 1918 are also rejected. +# addresses. If packet mangling or +# connection-tracking match is enabled in +# your kernel, packets whose destination +# addresses are reserved by RFC 1918 are +# also rejected. +# +# nobogons - This interface should not receive +# any packets whose source is in one +# of the ranges reserved by IANA (this +# option does not cover those ranges +# reserved by RFC 1918 -- see above). # # routefilter - turn on kernel route filtering for this # interface (anti-spoofing measure). This # option can also be enabled globally in # the /etc/shorewall/shorewall.conf file. +# # . . blacklist - Check packets arriving on this interface # against the /etc/shorewall/blacklist # file. diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index c89b705a6..433950372 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -85,4 +85,21 @@ New Features: ... Error: Invalid zone definition for zone Terminated - + +5) To support bridging, the following options have been added to + entries in /etc/shorewall/hosts: + + norfc1918 + nobogons + blacklist + tcpflags + nosmurfs + newnotsyn + + With the excpection of 'newnotsyn', these options are only + useful when the entry refers to a bridge port. + + Example: + + #ZONE HOST(S) OPTIONS + net br0:eth0 norfc1918,nobogons,blacklist,tcpflags,nosmurfs