Add new options to /etc/shorewall/hosts

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1220 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-03-22 21:15:54 +00:00
parent f857af963e
commit c789d7ac7a
5 changed files with 136 additions and 32 deletions

View File

@ -17,3 +17,5 @@ Changes since 2.0.0
8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC. 8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC.
9) Improve zone-definition checking. 9) Improve zone-definition checking.
10) Add additional options to hosts file

View File

@ -975,7 +975,7 @@ find_hosts_by_option() # $1 = option
done < $TMP_DIR/hosts done < $TMP_DIR/hosts
for interface in $all_interfaces; do for interface in $all_interfaces; do
interface_has_option $interface $option && \ interface_has_option $interface $1 && \
echo ${interface}:0.0.0.0/0 echo ${interface}:0.0.0.0/0
done done
} }
@ -1889,7 +1889,7 @@ process_tc_rule()
fatal_error "Unknown interface $source in rule \"$rule\"" fatal_error "Unknown interface $source in rule \"$rule\""
fi fi
r="$(select_source_dev) $source " r="$(match_source_dev) $source "
;; ;;
esac esac
fi fi
@ -4207,11 +4207,11 @@ process_blacklist_rec() {
# Setup the Black List # Setup the Black List
# #
setup_blacklist() { setup_blacklist() {
local interfaces=$(find_interfaces_by_option blacklist) local hosts=$(find_hosts_by_option blacklist)
local f=$(find_file blacklist) local f=$(find_file blacklist)
local disposition=$BLACKLIST_DISPOSITION local disposition=$BLACKLIST_DISPOSITION
if [ -n "$interfaces" -a -f $f ]; then if [ -n "$hosts" -a -f $f ]; then
echo "Setting up Blacklisting..." echo "Setting up Blacklisting..."
strip_file blacklist $f strip_file blacklist $f
@ -4220,12 +4220,17 @@ setup_blacklist() {
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state= [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
for interface in $interfaces; do for host in $hosts; do
interface=${host%%:*}
network=${host#*:}
for chain in $(first_chains $interface); do for chain in $(first_chains $interface); do
run_iptables -A $chain $state -j blacklst run_iptables -A $chain $state $(match_source_hosts $network) -j blacklst
done done
echo " Blacklisting enabled on $interface" [ $network = 0/0.0.0.0 ] && network= || network=":$network"
echo " Blacklisting enabled on ${interface}${network}"
done done
[ "$disposition" = REJECT ] && disposition=reject [ "$disposition" = REJECT ] && disposition=reject
@ -4605,15 +4610,18 @@ add_common_rules() {
# #
# SMURFS # SMURFS
# #
interfaces=$(find_interfaces_by_option nosmurfs) hosts=$(find_hosts_by_option nosmurfs)
if [ -n "$interfaces" ]; then if [ -n "$hosts" ]; then
echo "Adding Anti-smurf Rules" echo "Adding Anti-smurf Rules"
for interface in $interfaces; do for host in $hosts; do
interface=${host%%:*}
subnet=${host#*:}
for chain in $(first_chains $interface); do for chain in $(first_chains $interface); do
run_iptables -A $chain -m state --state NEW -j smurfs run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j smurfs
done done
done done
fi fi
@ -4639,9 +4647,9 @@ add_common_rules() {
# #
# RFC 1918 # RFC 1918
# #
norfc1918_interfaces="$(find_interfaces_by_option norfc1918)" hosts="$(find_hosts_by_option norfc1918)"
if [ -n "$norfc1918_interfaces" ]; then if [ -n "$hosts" ]; then
echo "Enabling RFC1918 Filtering" echo "Enabling RFC1918 Filtering"
strip_file rfc1918 strip_file rfc1918
@ -4697,21 +4705,24 @@ add_common_rules() {
fi fi
done < $TMP_DIR/rfc1918 done < $TMP_DIR/rfc1918
for interface in $norfc1918_interfaces; do for host in $hosts; do
interface=${host%%:*}
subnet=${host#*:}
for chain in $(first_chains $interface); do for chain in $(first_chains $interface); do
run_iptables -A $chain -m state --state NEW -j norfc1918 run_iptables -A $chain -m state --state NEW $(match_source_hosts $subnet) -j norfc1918
done done
[ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \ [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918 run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface $(match_source_hosts $subnet) -j man1918
done done
fi fi
# #
# Bogons # Bogons
# #
nobogon_interfaces="$(find_interfaces_by_option bogons)" hosts="$(find_hosts_by_option bogons)"
if [ -n "$nobogon_interfaces" ]; then if [ -n "$hosts" ]; then
echo "Enabling Bogon Filtering" echo "Enabling Bogon Filtering"
strip_file bogons strip_file bogons
@ -4740,17 +4751,20 @@ add_common_rules() {
done < $TMP_DIR/bogons done < $TMP_DIR/bogons
for interface in $nobogon_interfaces; do for host in $hosts; do
interface=${host%%:*}
network=${host#*:}
for chain in $(first_chains $interface); do for chain in $(first_chains $interface); do
run_iptables -A $chain -m state --state NEW -j nobogons run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j nobogons
done done
done done
fi fi
interfaces=$(find_interfaces_by_option tcpflags) hosts=$(find_hosts_by_option tcpflags)
if [ -n "$interfaces" ]; then if [ -n "$hosts" ]; then
echo "Setting up TCP Flags checking..." echo "Setting up TCP Flags checking..."
createchain tcpflags no createchain tcpflags no
@ -4791,9 +4805,12 @@ add_common_rules() {
# #
run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition
for interface in $interfaces; do for host in $hosts; do
interface=${host%%:*}
network=${host#*:}
for chain in $(first_chains $interface); do for chain in $(first_chains $interface); do
run_iptables -A $chain -p tcp -j tcpflags run_iptables -A $chain -p tcp $(match_source_hosts $network) -j tcpflags
done done
done done
fi fi
@ -5117,7 +5134,6 @@ activate_rules()
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
run_iptables -D $chain -p udp --dport 53 -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT
done done
} }
# #

View File

@ -58,5 +58,66 @@
# to send requests originating from this # to send requests originating from this
# group to a server in the group. # group to a server in the group.
# #
# norfc1918 - This option only makes sense for ports
# on a bridge.
#
# The port should not accept
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling or
# connection-tracking match is enabled in
# your kernel, packets whose destination
# addresses are reserved by RFC 1918 are
# also rejected.
#
# nobogons - This option only makes sense for ports
# on a bridge.
#
# This port should not accept
# any packets whose source is in one
# of the ranges reserved by IANA (this
# option does not cover those ranges
# reserved by RFC 1918 -- see
# 'norfc1918' above).
#
# . . blacklist - This option only makes sense for ports
# on a bridge.
#
# Check packets arriving on this port
# against the /etc/shorewall/blacklist
# file.
#
# tcpflags - Packets arriving from these hosts are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# nosmurfs - This option only makes sense for ports
# on a bridge.
#
# Filter packets for smurfs
# (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based
# on the setting of SMURF_LOG_LEVEL in
# shorewall.conf. After logging, the
# packets are dropped.
#
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from these hosts, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
#ZONE HOST(S) OPTIONS #ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

View File

@ -63,15 +63,23 @@
# any packets whose source is in one # any packets whose source is in one
# of the ranges reserved by RFC 1918 # of the ranges reserved by RFC 1918
# (i.e., private or "non-routable" # (i.e., private or "non-routable"
# addresses. If packet mangling is # addresses. If packet mangling or
# enabled in shorewall.conf, packets # connection-tracking match is enabled in
# whose destination addresses are # your kernel, packets whose destination
# reserved by RFC 1918 are also rejected. # addresses are reserved by RFC 1918 are
# also rejected.
#
# nobogons - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by IANA (this
# option does not cover those ranges
# reserved by RFC 1918 -- see above).
# #
# routefilter - turn on kernel route filtering for this # routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This # interface (anti-spoofing measure). This
# option can also be enabled globally in # option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file. # the /etc/shorewall/shorewall.conf file.
#
# . . blacklist - Check packets arriving on this interface # . . blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist # against the /etc/shorewall/blacklist
# file. # file.

View File

@ -86,3 +86,20 @@ New Features:
Error: Invalid zone definition for zone <name of zone> Error: Invalid zone definition for zone <name of zone>
Terminated Terminated
5) To support bridging, the following options have been added to
entries in /etc/shorewall/hosts:
norfc1918
nobogons
blacklist
tcpflags
nosmurfs
newnotsyn
With the excpection of 'newnotsyn', these options are only
useful when the entry refers to a bridge port.
Example:
#ZONE HOST(S) OPTIONS
net br0:eth0 norfc1918,nobogons,blacklist,tcpflags,nosmurfs