Add MAC verification
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@306 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
9f691d20e4
commit
cd555022bf
@ -101,6 +101,8 @@ restore_file /etc/shorewall/proxyarp
|
||||
|
||||
restore_file /etc/shorewall/routestopped
|
||||
|
||||
restore_file /etc/shorewall/maclist
|
||||
|
||||
restore_file /etc/shorewall/masq
|
||||
|
||||
restore_file /etc/shorewall/modules
|
||||
|
@ -511,7 +511,7 @@ validate_interfaces_file() {
|
||||
case $option in
|
||||
dhcp|noping|filterping|routestopped|norfc1918|multi)
|
||||
;;
|
||||
routefilter|dropunclean|logunclean|blacklist|proxyarp|-)
|
||||
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
|
||||
;;
|
||||
*)
|
||||
error_message "Warning: Invalid option ($option) in record \"$r\""
|
||||
@ -925,6 +925,30 @@ find_broadcasts() {
|
||||
done < $TMP_DIR/interfaces
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Find interface broadcast addresses #
|
||||
################################################################################
|
||||
find_interface_broadcasts() # $1 = Interface name
|
||||
{
|
||||
while read z interface bcast options; do
|
||||
expandv interface bcast
|
||||
if [ "$interface" = "$1" ]; then
|
||||
if [ "x$bcast" = "xdetect" ]; then
|
||||
addr="`ip addr show $interface 2> /dev/null`"
|
||||
if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
|
||||
addr="`echo "$addr" | \
|
||||
grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`"
|
||||
echo $addr | cut -d' ' -f 1
|
||||
fi
|
||||
elif [ "x${bcast}" != "x-" ]; then
|
||||
echo `separate_list $bcast`
|
||||
fi
|
||||
|
||||
return
|
||||
fi
|
||||
done < $TMP_DIR/interfaces
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Find interface address--returns the first IP address assigned to the passed #
|
||||
# device #
|
||||
@ -1276,6 +1300,57 @@ setup_proxy_arp() {
|
||||
done
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
# Set up MAC List Chains #
|
||||
###############################################################################
|
||||
setup_mac_lists() {
|
||||
|
||||
for interface in $maclist_interfaces; do
|
||||
createchain ${interface}_mac no
|
||||
done
|
||||
|
||||
strip_file maclist
|
||||
|
||||
while read interface mac address; do
|
||||
chain=${interface}_mac
|
||||
|
||||
if ! havechain $chain ; then
|
||||
error_message "Warning: $interface does not have the maclist option specified"
|
||||
continue
|
||||
fi
|
||||
|
||||
[ -n "$address" ] && addr_match="-s $address" || addr_match=
|
||||
|
||||
run_iptables -A ${interface}_mac `mac_match $mac` $addr_match -j RETURN
|
||||
done < $TMP_DIR/maclist
|
||||
|
||||
if [ -n "$MACLIST_LOG_LEVEL" ]; then
|
||||
logpart="-j LOG $LOGPARMS --log-level $MACLIST_LOG_LEVEL --log-prefix"
|
||||
else
|
||||
logpart=
|
||||
fi
|
||||
|
||||
for interface in $maclist_interfaces; do
|
||||
chain=${interface}_mac
|
||||
#
|
||||
# Must take care of our own broadcasts
|
||||
#
|
||||
source="-s `find_interface_address $interface`"
|
||||
|
||||
for address in `find_interface_broadcasts $interface` 255.255.255.255 ; do
|
||||
run_iptables -A $chain $source -d $address -j RETURN
|
||||
done
|
||||
|
||||
[ -n "$logpart" ] && \
|
||||
run_iptables -A $chain $logpart "Shorewall:$chain:$MACLIST_DISPOSITION:"
|
||||
|
||||
run_iptables -A $chain -j $maclist_target
|
||||
|
||||
run_iptables -A `input_chain $interface` -m state --state NEW -j $chain
|
||||
run_iptables -A `forward_chain $interface` -m state --state NEW -j $chain
|
||||
done
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
# Set up SYN flood protection #
|
||||
###############################################################################
|
||||
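Review bot: The `while read interface mac address` loop at the top of setup_mac_lists adds a RETURN rule for every maclist record without checking that the `mac` field is present, so a record holding only an interface name yields `run_iptables -A ${interface}_mac `mac_match ` -j RETURN`, and if mac_match (not in this hunk) produces nothing for an empty argument that rule matches every packet and the chain fails open for that interface. Rejecting the record before the rule is added, `if [ -z "$mac" ]; then error_message "Warning: Missing MAC address in maclist record for $interface"; continue; fi`, keeps the default-deny `-j $maclist_target` at the end of the chain meaningful. A smaller point: the prefix `Shorewall:$chain:$MACLIST_DISPOSITION:` grows with the interface name and the LOG target caps `--log-prefix` at 29 characters, so a chain such as `eth0.100_mac` with disposition REJECT produces a 30-character prefix that iptables rejects; shortening the prefix (for instance dropping the disposition, which is already implied by the chain) avoids what is likely a startup failure.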
@ -3335,6 +3410,13 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
[ -f $tunnels ] && \
|
||||
echo "Processing $tunnels..." && setup_tunnels $tunnels
|
||||
|
||||
maclist_interfaces=`find_interfaces_by_option maclist`
|
||||
|
||||
if [ -n "$maclist_interfaces" ] ; then
|
||||
echo "Setting up MAC Verification on $maclist_interfaces..."
|
||||
setup_mac_lists
|
||||
fi
|
||||
|
||||
rules=`find_file rules`
|
||||
|
||||
echo "Processing $rules..."
|
||||
@ -3882,6 +3964,8 @@ do_initialize() {
|
||||
NEWNOTSYN=
|
||||
LOGNEWNOTSYN=
|
||||
FORWARDPING=
|
||||
MACLIST_DISPOSITION=
|
||||
MACLIST_LOG_LEVEL=
|
||||
stopping=
|
||||
have_mutex=
|
||||
masq_seq=1
|
||||
@ -3961,6 +4045,24 @@ do_initialize() {
|
||||
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
|
||||
FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
|
||||
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
|
||||
|
||||
maclist_target=reject
|
||||
|
||||
if [ -n "$MACLIST_DISPOSITION" ] ; then
|
||||
case $MACLIST_DISPOSITION in
|
||||
REJECT)
|
||||
;;
|
||||
ACCEPT|DROP)
|
||||
maclist_target=$MACLIST_DISPOSITION
|
||||
;;
|
||||
*)
|
||||
startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
|
||||
;;
|
||||
esac
|
||||
else
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
################################################################################
|
||||
|
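Review bot: `maclist_target=reject` (lower case) on the first added line of this do_initialize hunk differs from the `REJECT)` arm of the case, which deliberately leaves it untouched, and nothing in the hunk explains the difference; presumably `reject` is a chain defined elsewhere in this script that implements the REJECT disposition, while ACCEPT and DROP are built-in targets usable directly. A one-line comment above the assignment, `# 'reject' is the chain implementing the REJECT disposition; ACCEPT and DROP are builtin targets`, would stop the next reader from treating the case difference as a typo.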
@ -382,6 +382,15 @@ else
|
||||
echo -e "\nStopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
|
||||
fi
|
||||
#
|
||||
# Install the Mac List file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/maclist ]; then
|
||||
backup_file /etc/shorewall/maclist
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
|
||||
echo -e "\nMAC list file installed as ${PREFIX}/etc/shorewall/maclist"
|
||||
fi
|
||||
#
|
||||
# Install the Masq file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/masq ]; then
|
||||
|
@ -81,6 +81,11 @@
|
||||
# . . blacklist - Check packets arriving on this interface
|
||||
# against the /etc/shorewall/blacklist
|
||||
# file.
|
||||
# maclist - Connection requests from this interface
|
||||
# are compared against the contents of
|
||||
# /etc/shorewall/maclist. If this option
|
||||
# is specified, the interface must be
|
||||
# up before Shorewall is started.
|
||||
# proxyarp -
|
||||
# Sets
|
||||
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
||||
|
@ -383,4 +383,25 @@ FORWARDPING=Yes
|
||||
|
||||
NEWNOTSYN=No
|
||||
|
||||
#
|
||||
# MAC List Disposition
|
||||
#
|
||||
# This variable determines the disposition of connection requests arriving
|
||||
# on interfaces that have the 'maclist' option and that are from a device
|
||||
# that is not listed for that interface in /etc/shorewall/maclist. Valid
|
||||
# values are ACCEPT, DROP and REJECT. If not specified or specified as
|
||||
# empty (MACLIST_DISPOSITION="") then REJECT is assumed
|
||||
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
|
||||
#
|
||||
# MAC List Log Level
|
||||
#
|
||||
# Specifies the logging level for connection requests that fail MAC
|
||||
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
|
||||
# such connection requests will not be logged.
|
||||
#
|
||||
|
||||
MACLIST_LOG_LEVEL=info
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
@ -85,6 +85,7 @@ fi
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/params
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/maclist
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/masq
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/modules
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules
|
||||
@ -100,6 +101,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Tue Oct 22 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Added maclist file
|
||||
* Tue Oct 15 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.10
|
||||
- Replaced symlink with real file
|
||||
|