Add new options to /etc/shorewall/hosts
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1220 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
f857af963e
commit
c789d7ac7a
@ -17,3 +17,5 @@ Changes since 2.0.0
|
|||||||
8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC.
|
8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC.
|
||||||
|
|
||||||
9) Improve zone-definition checking.
|
9) Improve zone-definition checking.
|
||||||
|
|
||||||
|
10) Add additional options to hosts file
|
||||||
|
@ -975,7 +975,7 @@ find_hosts_by_option() # $1 = option
|
|||||||
done < $TMP_DIR/hosts
|
done < $TMP_DIR/hosts
|
||||||
|
|
||||||
for interface in $all_interfaces; do
|
for interface in $all_interfaces; do
|
||||||
interface_has_option $interface $option && \
|
interface_has_option $interface $1 && \
|
||||||
echo ${interface}:0.0.0.0/0
|
echo ${interface}:0.0.0.0/0
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
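Review bot: The header comment `# $1 = option` on find_hosts_by_option does not describe the output format, and the callers changed in this commit (setup_blacklist and add_common_rules) now split every result on `:` and compare the network part against a literal, so that format has become part of the function's contract. I would extend the comment to `# $1 = option; prints one interface:network per line; an interface that carries the option itself is listed as interface:0.0.0.0/0`. The loop over $TMP_DIR/hosts that produces the per-host lines starts before this hunk, so its exact output could not be checked here.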
@ -1889,7 +1889,7 @@ process_tc_rule()
|
|||||||
fatal_error "Unknown interface $source in rule \"$rule\""
|
fatal_error "Unknown interface $source in rule \"$rule\""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
r="$(select_source_dev) $source "
|
r="$(match_source_dev) $source "
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
@ -4207,11 +4207,11 @@ process_blacklist_rec() {
|
|||||||
# Setup the Black List
|
# Setup the Black List
|
||||||
#
|
#
|
||||||
setup_blacklist() {
|
setup_blacklist() {
|
||||||
local interfaces=$(find_interfaces_by_option blacklist)
|
local hosts=$(find_hosts_by_option blacklist)
|
||||||
local f=$(find_file blacklist)
|
local f=$(find_file blacklist)
|
||||||
local disposition=$BLACKLIST_DISPOSITION
|
local disposition=$BLACKLIST_DISPOSITION
|
||||||
|
|
||||||
if [ -n "$interfaces" -a -f $f ]; then
|
if [ -n "$hosts" -a -f $f ]; then
|
||||||
echo "Setting up Blacklisting..."
|
echo "Setting up Blacklisting..."
|
||||||
|
|
||||||
strip_file blacklist $f
|
strip_file blacklist $f
|
||||||
@ -4220,12 +4220,17 @@ setup_blacklist() {
|
|||||||
|
|
||||||
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
|
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
|
||||||
|
|
||||||
for interface in $interfaces; do
|
for host in $hosts; do
|
||||||
|
interface=${host%%:*}
|
||||||
|
network=${host#*:}
|
||||||
|
|
||||||
for chain in $(first_chains $interface); do
|
for chain in $(first_chains $interface); do
|
||||||
run_iptables -A $chain $state -j blacklst
|
run_iptables -A $chain $state $(match_source_hosts $network) -j blacklst
|
||||||
done
|
done
|
||||||
|
|
||||||
echo " Blacklisting enabled on $interface"
|
[ $network = 0/0.0.0.0 ] && network= || network=":$network"
|
||||||
|
|
||||||
|
echo " Blacklisting enabled on ${interface}${network}"
|
||||||
done
|
done
|
||||||
|
|
||||||
[ "$disposition" = REJECT ] && disposition=reject
|
[ "$disposition" = REJECT ] && disposition=reject
|
||||||
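Review bot: The test on the new line `[ $network = 0/0.0.0.0 ] && network= || network=":$network"` compares against `0/0.0.0.0`, but find_hosts_by_option emits whole-interface entries as `${interface}:0.0.0.0/0`, so the comparison never matches and the "Blacklisting enabled on" message always keeps the `:0.0.0.0/0` suffix. Quoting the variable also avoids a test syntax error if the network part is ever empty: `[ "$network" = 0.0.0.0/0 ] && network= || network=":$network"`. This only affects the progress message, since the `match_source_hosts $network` call above it still receives the original value. setup_blacklist continues past the end of this hunk.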
@ -4605,15 +4610,18 @@ add_common_rules() {
|
|||||||
#
|
#
|
||||||
# SMURFS
|
# SMURFS
|
||||||
#
|
#
|
||||||
interfaces=$(find_interfaces_by_option nosmurfs)
|
hosts=$(find_hosts_by_option nosmurfs)
|
||||||
|
|
||||||
if [ -n "$interfaces" ]; then
|
if [ -n "$hosts" ]; then
|
||||||
|
|
||||||
echo "Adding Anti-smurf Rules"
|
echo "Adding Anti-smurf Rules"
|
||||||
|
|
||||||
for interface in $interfaces; do
|
for host in $hosts; do
|
||||||
|
interface=${host%%:*}
|
||||||
|
subnet=${host#*:}
|
||||||
|
|
||||||
for chain in $(first_chains $interface); do
|
for chain in $(first_chains $interface); do
|
||||||
run_iptables -A $chain -m state --state NEW -j smurfs
|
run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j smurfs
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
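Review bot: In the anti-smurf loop the new line `subnet=${host#*:}` stores the network part of the hosts entry in `subnet`, but the rule two lines below is built with `$(match_source_hosts $network)`, so the value just extracted is never used. The script does not run under `set -u`, so `$network` is either empty or whatever a previous loop left in it; no `local network` is visible in the setup_blacklist hunks and that function rewrites `network` to `:a.b.c.d/n` for its message, so the smurfs rule may be installed without any source restriction or with a malformed match. The other loops added by this commit use the variable they assign; this one should too: `run_iptables -A $chain -m state --state NEW $(match_source_hosts $subnet) -j smurfs`.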
@ -4639,9 +4647,9 @@ add_common_rules() {
|
|||||||
#
|
#
|
||||||
# RFC 1918
|
# RFC 1918
|
||||||
#
|
#
|
||||||
norfc1918_interfaces="$(find_interfaces_by_option norfc1918)"
|
hosts="$(find_hosts_by_option norfc1918)"
|
||||||
|
|
||||||
if [ -n "$norfc1918_interfaces" ]; then
|
if [ -n "$hosts" ]; then
|
||||||
echo "Enabling RFC1918 Filtering"
|
echo "Enabling RFC1918 Filtering"
|
||||||
|
|
||||||
strip_file rfc1918
|
strip_file rfc1918
|
||||||
@ -4697,21 +4705,24 @@ add_common_rules() {
|
|||||||
fi
|
fi
|
||||||
done < $TMP_DIR/rfc1918
|
done < $TMP_DIR/rfc1918
|
||||||
|
|
||||||
for interface in $norfc1918_interfaces; do
|
for host in $hosts; do
|
||||||
|
interface=${host%%:*}
|
||||||
|
subnet=${host#*:}
|
||||||
|
|
||||||
for chain in $(first_chains $interface); do
|
for chain in $(first_chains $interface); do
|
||||||
run_iptables -A $chain -m state --state NEW -j norfc1918
|
run_iptables -A $chain -m state --state NEW $(match_source_hosts $subnet) -j norfc1918
|
||||||
done
|
done
|
||||||
|
|
||||||
[ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
|
[ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
|
||||||
run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918
|
run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface $(match_source_hosts $subnet) -j man1918
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
# Bogons
|
# Bogons
|
||||||
#
|
#
|
||||||
nobogon_interfaces="$(find_interfaces_by_option bogons)"
|
hosts="$(find_hosts_by_option bogons)"
|
||||||
|
|
||||||
if [ -n "$nobogon_interfaces" ]; then
|
if [ -n "$hosts" ]; then
|
||||||
echo "Enabling Bogon Filtering"
|
echo "Enabling Bogon Filtering"
|
||||||
|
|
||||||
strip_file bogons
|
strip_file bogons
|
||||||
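Review bot: The new line `hosts="$(find_hosts_by_option bogons)"` looks the option up as `bogons`, while the hosts-file documentation and release notes added in this commit name it `nobogons`; the interfaces code already queried `bogons` before this change, so this only works if the hosts-file parser records `nobogons` under `bogons` the same way the interfaces parser presumably does. That parser is outside these hunks, so it is worth confirming with a test entry, because a name mismatch is silent: the option is simply ignored and no bogon filtering is installed for that host. If the mapping is confirmed, a comment on the lookup line such as `# the hosts-file option is spelled 'nobogons'; the parser records it as 'bogons'` would spare the next reader the same check.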
@ -4740,17 +4751,20 @@ add_common_rules() {
|
|||||||
|
|
||||||
done < $TMP_DIR/bogons
|
done < $TMP_DIR/bogons
|
||||||
|
|
||||||
for interface in $nobogon_interfaces; do
|
for host in $hosts; do
|
||||||
|
interface=${host%%:*}
|
||||||
|
network=${host#*:}
|
||||||
|
|
||||||
for chain in $(first_chains $interface); do
|
for chain in $(first_chains $interface); do
|
||||||
run_iptables -A $chain -m state --state NEW -j nobogons
|
run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j nobogons
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
interfaces=$(find_interfaces_by_option tcpflags)
|
hosts=$(find_hosts_by_option tcpflags)
|
||||||
|
|
||||||
if [ -n "$interfaces" ]; then
|
if [ -n "$hosts" ]; then
|
||||||
echo "Setting up TCP Flags checking..."
|
echo "Setting up TCP Flags checking..."
|
||||||
|
|
||||||
createchain tcpflags no
|
createchain tcpflags no
|
||||||
@ -4791,9 +4805,12 @@ add_common_rules() {
|
|||||||
#
|
#
|
||||||
run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition
|
run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition
|
||||||
|
|
||||||
for interface in $interfaces; do
|
for host in $hosts; do
|
||||||
|
interface=${host%%:*}
|
||||||
|
network=${host#*:}
|
||||||
|
|
||||||
for chain in $(first_chains $interface); do
|
for chain in $(first_chains $interface); do
|
||||||
run_iptables -A $chain -p tcp -j tcpflags
|
run_iptables -A $chain -p tcp $(match_source_hosts $network) -j tcpflags
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@ -5117,7 +5134,6 @@ activate_rules()
|
|||||||
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
|
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
run_iptables -D $chain -p udp --dport 53 -j ACCEPT
|
run_iptables -D $chain -p udp --dport 53 -j ACCEPT
|
||||||
done
|
done
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -58,5 +58,66 @@
|
|||||||
# to send requests originating from this
|
# to send requests originating from this
|
||||||
# group to a server in the group.
|
# group to a server in the group.
|
||||||
#
|
#
|
||||||
|
# norfc1918 - This option only makes sense for ports
|
||||||
|
# on a bridge.
|
||||||
|
#
|
||||||
|
# The port should not accept
|
||||||
|
# any packets whose source is in one
|
||||||
|
# of the ranges reserved by RFC 1918
|
||||||
|
# (i.e., private or "non-routable"
|
||||||
|
# addresses. If packet mangling or
|
||||||
|
# connection-tracking match is enabled in
|
||||||
|
# your kernel, packets whose destination
|
||||||
|
# addresses are reserved by RFC 1918 are
|
||||||
|
# also rejected.
|
||||||
|
#
|
||||||
|
# nobogons - This option only makes sense for ports
|
||||||
|
# on a bridge.
|
||||||
|
#
|
||||||
|
# This port should not accept
|
||||||
|
# any packets whose source is in one
|
||||||
|
# of the ranges reserved by IANA (this
|
||||||
|
# option does not cover those ranges
|
||||||
|
# reserved by RFC 1918 -- see
|
||||||
|
# 'norfc1918' above).
|
||||||
|
#
|
||||||
|
# . . blacklist - This option only makes sense for ports
|
||||||
|
# on a bridge.
|
||||||
|
#
|
||||||
|
# Check packets arriving on this port
|
||||||
|
# against the /etc/shorewall/blacklist
|
||||||
|
# file.
|
||||||
|
#
|
||||||
|
# tcpflags - Packets arriving from these hosts are
|
||||||
|
# checked for certain illegal combinations
|
||||||
|
# of TCP flags. Packets found to have
|
||||||
|
# such a combination of flags are handled
|
||||||
|
# according to the setting of
|
||||||
|
# TCP_FLAGS_DISPOSITION after having been
|
||||||
|
# logged according to the setting of
|
||||||
|
# TCP_FLAGS_LOG_LEVEL.
|
||||||
|
#
|
||||||
|
# nosmurfs - This option only makes sense for ports
|
||||||
|
# on a bridge.
|
||||||
|
#
|
||||||
|
# Filter packets for smurfs
|
||||||
|
# (packets with a broadcast
|
||||||
|
# address as the source).
|
||||||
|
#
|
||||||
|
# Smurfs will be optionally logged based
|
||||||
|
# on the setting of SMURF_LOG_LEVEL in
|
||||||
|
# shorewall.conf. After logging, the
|
||||||
|
# packets are dropped.
|
||||||
|
#
|
||||||
|
# newnotsyn - TCP packets that don't have the SYN
|
||||||
|
# flag set and which are not part of an
|
||||||
|
# established connection will be accepted
|
||||||
|
# from these hosts, even if
|
||||||
|
# NEWNOTSYN=No has been specified in
|
||||||
|
# /etc/shorewall/shorewall.conf.
|
||||||
|
#
|
||||||
|
# This option has no effect if
|
||||||
|
# NEWNOTSYN=Yes.
|
||||||
|
#
|
||||||
#ZONE HOST(S) OPTIONS
|
#ZONE HOST(S) OPTIONS
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
||||||
|
@ -63,15 +63,23 @@
|
|||||||
# any packets whose source is in one
|
# any packets whose source is in one
|
||||||
# of the ranges reserved by RFC 1918
|
# of the ranges reserved by RFC 1918
|
||||||
# (i.e., private or "non-routable"
|
# (i.e., private or "non-routable"
|
||||||
# addresses. If packet mangling is
|
# addresses. If packet mangling or
|
||||||
# enabled in shorewall.conf, packets
|
# connection-tracking match is enabled in
|
||||||
# whose destination addresses are
|
# your kernel, packets whose destination
|
||||||
# reserved by RFC 1918 are also rejected.
|
# addresses are reserved by RFC 1918 are
|
||||||
|
# also rejected.
|
||||||
|
#
|
||||||
|
# nobogons - This interface should not receive
|
||||||
|
# any packets whose source is in one
|
||||||
|
# of the ranges reserved by IANA (this
|
||||||
|
# option does not cover those ranges
|
||||||
|
# reserved by RFC 1918 -- see above).
|
||||||
#
|
#
|
||||||
# routefilter - turn on kernel route filtering for this
|
# routefilter - turn on kernel route filtering for this
|
||||||
# interface (anti-spoofing measure). This
|
# interface (anti-spoofing measure). This
|
||||||
# option can also be enabled globally in
|
# option can also be enabled globally in
|
||||||
# the /etc/shorewall/shorewall.conf file.
|
# the /etc/shorewall/shorewall.conf file.
|
||||||
|
#
|
||||||
# . . blacklist - Check packets arriving on this interface
|
# . . blacklist - Check packets arriving on this interface
|
||||||
# against the /etc/shorewall/blacklist
|
# against the /etc/shorewall/blacklist
|
||||||
# file.
|
# file.
|
||||||
|
@ -86,3 +86,20 @@ New Features:
|
|||||||
Error: Invalid zone definition for zone <name of zone>
|
Error: Invalid zone definition for zone <name of zone>
|
||||||
Terminated
|
Terminated
|
||||||
|
|
||||||
|
5) To support bridging, the following options have been added to
|
||||||
|
entries in /etc/shorewall/hosts:
|
||||||
|
|
||||||
|
norfc1918
|
||||||
|
nobogons
|
||||||
|
blacklist
|
||||||
|
tcpflags
|
||||||
|
nosmurfs
|
||||||
|
newnotsyn
|
||||||
|
|
||||||
|
With the excpection of 'newnotsyn', these options are only
|
||||||
|
useful when the entry refers to a bridge port.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
#ZONE HOST(S) OPTIONS
|
||||||
|
net br0:eth0 norfc1918,nobogons,blacklist,tcpflags,nosmurfs
|
||||||
|