Shorewall 1.4.8

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@794 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-11-28 19:09:18 +00:00
parent f9c596a465
commit ce7dddfc5a
6 changed files with 190 additions and 125 deletions


@ -46,6 +46,8 @@
# to the rules defined for that # to the rules defined for that
# (those) zone(s). # (those) zone(s).
# LOG -- Simply log the packet and continue. # LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
# #
# You may rate-limit the rule by optionally # You may rate-limit the rule by optionally
# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with # following ACCEPT, DNAT[-], REDIRECT[-] or LOG with


@ -350,11 +350,12 @@ CLAMPMSS=No
# ROUTE FILTERING # ROUTE FILTERING
# #
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all # Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces (anti-spoofing measure). # interfaces started while Shorewall is started (anti-spoofing measure).
# #
# If this variable is not set or is set to the empty value, "No" is assumed. # If this variable is not set or is set to the empty value, "No" is assumed.
# In that case, you can still enable route filtering on individual interfaces # Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
# in the /etc/shorewall/interfaces file. # on individual interfaces using the 'routefilter' option in the
# /etc/shorewall/interfaces file.
ROUTE_FILTER=No ROUTE_FILTER=No
@ -463,6 +464,28 @@ NEWNOTSYN=No
# #
ADMINISABSENTMINDED=Yes ADMINISABSENTMINDED=Yes
#
# BLACKLIST Behavior
#
# Shorewall offers two types of blacklisting:
#
# - static blacklisting through the /etc/shorewall/blacklist file together
# with the 'blacklist' interface option.
# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
#
# The following variable determines whether the blacklist is checked for each
# packet or for each new connection.
#
# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection
# requests
#
# BLACKLISTNEWONLY=No Consult blacklists for all packets.
#
# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
# BLACKLISTNEWONLY=No is assumed.
#
BLACKLISTNEWONLY=Yes
################################################################################ ################################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
################################################################################ ################################################################################
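Review bot: The new BLACKLISTNEWONLY comment block (hunk `@ -463,6 +464,28`) should state what Yes means for dynamic blacklisting, because the firewall script in this same commit adds the `-m state --state NEW` match to the jumps into the `dynamic` chain as well as into `blacklst`: a `drop` or `reject` command issued while a connection from that address is already established will not cut that connection. Suggested line after the "BLACKLISTNEWONLY=No is assumed" sentence: `# Note: with BLACKLISTNEWONLY=Yes the dynamic 'drop' and 'reject' commands only affect new connections; existing connections from a newly blacklisted address are left alone.` It is also worth saying explicitly that the shipped file sets BLACKLISTNEWONLY=Yes while an unset or empty value is treated as No, so an upgrade that keeps an old shorewall.conf appears to get per-packet checking and a fresh install does not; administrators should know which behaviour they are running.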


@ -57,14 +57,18 @@ list_search() # $1 = element to search for , $2-$n = list
} }
# #
# Function to count list elements # Functions to count list elements
# - - - - - - - - - - - - - - - -
# Whitespace-separated list
#
list_count1() {
echo $#
}
#
# Comma-separated list
# #
list_count() { list_count() {
arg_count() { list_count1 `separate_list $1`
echo $#
}
arg_count `separate_list $1`
} }
# #
@ -225,11 +229,13 @@ run_tc() {
# #
# If the chain isn't one of the common chains then add a rule to the chain # If the chain isn't one of the common chains then add a rule to the chain
# allowing packets that are part of an established connection. Create a # allowing packets that are part of an established connection. Create a
# variable ${1}_exists and set its value to Yes to indicate that the chain now # variable exists_${1} and set its value to Yes to indicate that the chain now
# exists. # exists.
# #
createchain() # $1 = chain name, $2 = If "yes", create default rules createchain() # $1 = chain name, $2 = If "yes", create default rules
{ {
local c=`chain_base $1`
run_iptables -N $1 run_iptables -N $1
if [ $2 = yes ]; then if [ $2 = yes ]; then
@ -238,11 +244,13 @@ createchain() # $1 = chain name, $2 = If "yes", create default rules
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
fi fi
eval ${1}_exists=Yes eval exists_${c}=Yes
} }
createchain2() # $1 = chain name, $2 = If "yes", create default rules createchain2() # $1 = chain name, $2 = If "yes", create default rules
{ {
local c=`chain_base $1`
if iptables -N $1; then if iptables -N $1; then
if [ $2 = yes ]; then if [ $2 = yes ]; then
@ -251,20 +259,22 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
fi fi
eval ${1}_exists=Yes eval exists_${c}=Yes
fi fi
} }
# #
# Determine if a chain exists # Determine if a chain exists
# #
# When we create a chain "chain", we create a variable named chain_exists and # When we create a chain "chain", we create a variable named exists_chain and
# set its value to Yes. This function tests for the "_exists" variable # set its value to Yes. This function tests for the "exists_" variable
# corresponding to the passed chain having the value of "Yes". # corresponding to the passed chain having the value of "Yes".
# #
havechain() # $1 = name of chain havechain() # $1 = name of chain
{ {
eval test \"\$${1}_exists\" = Yes local c=`chain_base $1`
eval test \"\$exists_${c}\" = Yes
} }
# #
@ -303,26 +313,26 @@ addrule() # $1 = chain name, remainder of arguments specify the rule
# #
# Create a nat chain # Create a nat chain
# #
# Create a variable ${1}_nat_exists and set its value to Yes to indicate that # Create a variable exists_nat_${1} and set its value to Yes to indicate that
# the chain now exists. # the chain now exists.
# #
createnatchain() # $1 = chain name createnatchain() # $1 = chain name
{ {
run_iptables -t nat -N $1 run_iptables -t nat -N $1
eval ${1}_nat_exists=Yes eval exists_nat_${1}=Yes
} }
# #
# Determine if a nat chain exists # Determine if a nat chain exists
# #
# When we create a chain "chain", we create a variable named chain_nat_exists # When we create a chain "chain", we create a variable named exists_nat_chain
# and set its value to Yes. This function tests for the "_exists" variable # and set its value to Yes. This function tests for the "exists_" variable
# corresponding to the passed chain having the value of "Yes". # corresponding to the passed chain having the value of "Yes".
# #
havenatchain() # $1 = name of chain havenatchain() # $1 = name of chain
{ {
eval test \"\$${1}_nat_exists\" = Yes eval test \"\$exists_nat_${1}\" = Yes
} }
# #
@ -626,11 +636,11 @@ validate_interfaces_file() {
all_interfaces="$all_interfaces $interface" all_interfaces="$all_interfaces $interface"
options=`separate_list $options` options=`separate_list $options`
interface=`chain_base $interface` iface=`chain_base $interface`
eval ${interface}_broadcast="$subnet" eval ${iface}_broadcast="$subnet"
eval ${interface}_zone="$z" eval ${iface}_zone="$z"
eval ${interface}_options=\"$options\" eval ${iface}_options=\"$options\"
for option in $options; do for option in $options; do
case $option in case $option in
@ -753,7 +763,14 @@ validate_policy()
esac esac
case $policy in case $policy in
ACCEPT|REJECT|DROP|CONTINUE|NONE) ACCEPT|REJECT|DROP|CONTINUE)
;;
NONE)
[ "$client" = "$FW" -o "$server" = "$FW" ] && \
startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone"
[ -n "$clientwild" -o -n "$serverwild" ] && \
startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
;; ;;
*) *)
startup_error "Invalid policy $policy" startup_error "Invalid policy $policy"
@ -771,8 +788,6 @@ validate_policy()
[ "x$loglevel" = "x-" ] && loglevel= [ "x$loglevel" = "x-" ] && loglevel=
chain=${client}2${server}
[ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain" [ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
eval ${chain}_is_policy=Yes eval ${chain}_is_policy=Yes
@ -960,7 +975,7 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi
local chain=$2 local chain=$2
local disposition=$3 local disposition=$3
local rulenum= local rulenum=
local limit=${4:-$LOGLIMIT} local limit="${4:-$LOGLIMIT}"
shift;shift;shift;shift shift;shift;shift;shift
@ -1452,28 +1467,19 @@ setup_mac_lists() {
# #
for interface in $maclist_interfaces; do for interface in $maclist_interfaces; do
chain=`mac_chain $interface` chain=`mac_chain $interface`
blob=`ip -f inet addr show $interface 2> /dev/null | grep inet | sed 's/inet //; s/brd //; s/scope.*//;'`
blob=`ip link show $interface 2> /dev/null`
[ -z "$blob" ] && \ [ -z "$blob" ] && \
fatal_error "Interface $interface must be up before Shorewall can start" fatal_error "Interface $interface must be up before Shorewall can start"
set -- $blob ip -f inet addr show $interface 2> /dev/null | grep inet | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
if [ -n "$broadcast" ]; then
while [ $# -gt 0 ]; do run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN
address=${1%/*} fi
case $1 in
*/32)
;;
*)
run_iptables -A $chain -s $address -d $2 -j RETURN
shift
;;
esac
run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN
shift
done done
if [ -n "$MACLIST_LOG_LEVEL" ]; then if [ -n "$MACLIST_LOG_LEVEL" ]; then
@ -1668,9 +1674,10 @@ setup_ecn() # $1 = file name
# #
process_tc_rule() process_tc_rule()
{ {
chain=$marking_chain
add_a_tc_rule() { add_a_tc_rule() {
r= r=
chain=$marking_chain
if [ "x$source" != "x-" ]; then if [ "x$source" != "x-" ]; then
case $source in case $source in
@ -1693,26 +1700,6 @@ process_tc_rule()
esac esac
fi fi
if [ "$mark" != "${mark%:*}" ]; then
[ "$chain" = tcout ] && \
fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
case "${mark#*:}" in
p|P)
chain=tcpre
;;
f|F)
chain=tcfor
;;
*)
fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\""
;;
esac
mark="${mark%:*}"
fi
[ "x$dest" = "x-" ] || r="${r}-d $dest " [ "x$dest" = "x-" ] || r="${r}-d $dest "
[ "$proto" = "all" ] || r="${r}-p $proto " [ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port " [ "x$port" = "x-" ] || r="${r}--dport $port "
@ -1722,6 +1709,26 @@ process_tc_rule()
} }
if [ "$mark" != "${mark%:*}" ]; then
[ "$chain" = tcout ] && \
fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
case "${mark#*:}" in
p|P)
chain=tcpre
;;
f|F)
chain=tcfor
;;
*)
fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\""
;;
esac
mark="${mark%:*}"
fi
for source in `separate_list ${sources:=-}`; do for source in `separate_list ${sources:=-}`; do
for dest in `separate_list ${dests:=-}`; do for dest in `separate_list ${dests:=-}`; do
for port in `separate_list ${ports:=-}`; do for port in `separate_list ${ports:=-}`; do
@ -2315,6 +2322,26 @@ add_a_rule()
{ {
local natrule= local natrule=
do_ports() {
if [ -n "$port" ]; then
dports="--dport"
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
multiport="$multioption"
dports="--dports"
fi
dports="$dports $port"
fi
if [ -n "$cport" ]; then
sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
multiport="$multioption"
sports="--sports"
fi
sports="$sports $cport"
fi
}
# Set source variables. The 'cli' variable will hold the client match predicate(s). # Set source variables. The 'cli' variable will hold the client match predicate(s).
cli= cli=
@ -2369,25 +2396,13 @@ add_a_rule()
[ x$cport = x- ] && cport= [ x$cport = x- ] && cport=
case $proto in case $proto in
tcp|udp|TCP|UDP|6|17) tcp|TCP|6)
if [ -n "$port" ]; then do_ports
dports="--dport" [ "$target" = QUEUE ] && proto="$proto --syn"
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then ;;
multiport="$multioption" udp|UDP|17)
dports="--dports" do_ports
fi ;;
dports="$dports $port"
fi
if [ -n "$cport" ]; then
sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
multiport="$multioption"
sports="--sports"
fi
sports="$sports $cport"
fi
;;
icmp|ICMP|1) icmp|ICMP|1)
[ -n "$port" ] && dports="--icmp-type $port" [ -n "$port" ] && dports="--icmp-type $port"
state= state=
@ -2761,10 +2776,13 @@ process_rule() # $1 = target
# Generate Netfilter rule(s) # Generate Netfilter rule(s)
protocol=${protocol:=all}
case $logtarget in case $logtarget in
DNAT*) DNAT*)
if [ -n "$MULTIPORT" -a \ if [ -n "$MULTIPORT" ] && \
"$ports" = "${ports%:*}" -a \ ! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \ "$cports" = "${cports%:*}" -a \
`list_count $ports` -le 15 -a \ `list_count $ports` -le 15 -a \
`list_count $cports` -le 15 ] `list_count $cports` -le 15 ]
@ -2800,8 +2818,9 @@ process_rule() # $1 = target
;; ;;
*) *)
if [ -n "$MULTIPORT" -a \ if [ -n "$MULTIPORT" ] && \
"$ports" = "${ports%:*}" -a \ ! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \ "$cports" = "${cports%:*}" -a \
`list_count $ports` -le 15 -a \ `list_count $ports` -le 15 -a \
`list_count $cports` -le 15 ] `list_count $cports` -le 15 ]
@ -2869,7 +2888,7 @@ process_rules()
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do
temp="${xtarget%:*}" temp="${xtarget%:*}"
case "${temp%<*}" in case "${temp%<*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE) ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then
@ -3387,7 +3406,7 @@ setup_masq()
;; ;;
*) *)
subnets=`get_routed_subnets $subnet` subnets=`get_routed_subnets $subnet`
[ -z "$subnets" ] && startup_error "Unable to determine the routes through interface $subnet" [ -z "$subnets" ] && fatal_error "Unable to determine the routes through interface $subnet"
subnet="$subnets" subnet="$subnets"
;; ;;
esac esac
@ -3578,9 +3597,11 @@ setup_blacklist() {
createchain blacklst no createchain blacklst no
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
for interface in $interfaces; do for interface in $interfaces; do
for chain in `first_chains $interface`; do for chain in `first_chains $interface`; do
run_iptables -A $chain -j blacklst run_iptables -A $chain $state -j blacklst
done done
echo " Blacklisting enabled on $interface" echo " Blacklisting enabled on $interface"
@ -3899,13 +3920,15 @@ initialize_netfilter () {
fi fi
fi fi
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
echo "Creating Interface Chains..." echo "Creating Interface Chains..."
for interface in $all_interfaces; do for interface in $all_interfaces; do
createchain `forward_chain $interface` no createchain `forward_chain $interface` no
run_iptables -A `forward_chain $interface` -j dynamic run_iptables -A `forward_chain $interface` $state -j dynamic
createchain `input_chain $interface` no createchain `input_chain $interface` no
run_iptables -A `input_chain $interface` -j dynamic run_iptables -A `input_chain $interface` $state -j dynamic
done done
} }
@ -4003,7 +4026,7 @@ add_common_rules() {
if [ -n "$interfaces" ]; then if [ -n "$interfaces" ]; then
createchain logpkt no createchain logpkt no
[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info [ -z "$LOGUNCLEAN" ] && LOGUNCLEAN=info
LOGPARMS="$LOGPARMS --log-ip-options" LOGPARMS="$LOGPARMS --log-ip-options"
@ -4175,6 +4198,7 @@ add_common_rules() {
if [ -n "$interfaces" ]; then if [ -n "$interfaces" ]; then
echo "Setting up ARP Filtering..." echo "Setting up ARP Filtering..."
for interface in $interfaces; do for interface in $interfaces; do
file=/proc/sys/net/ipv4/conf/$interface/arp_filter file=/proc/sys/net/ipv4/conf/$interface/arp_filter
if [ -f $file ]; then if [ -f $file ]; then
@ -4188,28 +4212,28 @@ add_common_rules() {
# #
# Route Filtering # Route Filtering
# #
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done
interfaces="`find_interfaces_by_option routefilter`" interfaces="`find_interfaces_by_option routefilter`"
if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
echo "Setting up Kernel Route Filtering..." echo "Setting up Kernel Route Filtering..."
if [ -n "$ROUTE_FILTER" ]; then for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter echo 0 > $f
else done
for interface in $interfaces; do
file=/proc/sys/net/ipv4/conf/$interface/rp_filter for interface in $interfaces; do
if [ -f $file ]; then file=/proc/sys/net/ipv4/conf/$interface/rp_filter
echo 1 > $file if [ -f $file ]; then
else echo 1 > $file
error_message \ else
"Warning: Cannot set route filtering on $interface" error_message \
fi "Warning: Cannot set route filtering on $interface"
done fi
fi done
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
[ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
run_ip route flush cache
fi fi
# #
# IP Forwarding # IP Forwarding
@ -4381,6 +4405,7 @@ activate_rules()
[ -n "$complex" ] && \ [ -n "$complex" ] && \
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
done done
for zone1 in $zones; do for zone1 in $zones; do
@ -4401,24 +4426,34 @@ activate_rules()
routeback= routeback=
fi fi
for host in $source_hosts; do if [ -n "$complex" ]; then
interface=${host%:*}
if [ -n "$complex" ]; then
chain1=$frwd_chain
else
chain1=`forward_chain $interface`
fi
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
interface1=${host1%:*} interface1=${host1%:*}
subnet1=${host1#*:} subnet1=${host1#*:}
if [ `list_count1 $source_hosts` -eq 1 -a "$source_hosts" = "$host1" ]; then
if [ "$host" != "$host1" ] || list_search $host $routeback; then if list_search $host1 $routeback; then
run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
fi
else
run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
fi fi
done done
done else
for host in $source_hosts; do
interface=${host%:*}
chain1=`forward_chain $interface`
for host1 in $dest_hosts; do
interface1=${host1%:*}
subnet1=${host1#*:}
if [ "$host" != "$host1" ] || list_search $host $routeback; then
run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain
fi
done
done
fi
done done
done done
@ -5021,6 +5056,7 @@ do_initialize() {
LOGFORMAT= LOGFORMAT=
LOGRULENUMBERS= LOGRULENUMBERS=
ADMINISABSENTMINDED= ADMINISABSENTMINDED=
BLACKLISTNEWONLY=
stopping= stopping=
have_mutex= have_mutex=
@ -5170,6 +5206,7 @@ do_initialize() {
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
fi fi
ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED` ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED`
BLACKLISTNEWONLY=`added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY`
# #
# Strip the files that we use often # Strip the files that we use often
# #
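Review bot: The route-filtering rewrite in add_common_rules (hunk `@ -4188,28 +4212,28`) depends on a kernel semantic that the code does not document: it writes 0 to every conf/*/rp_filter, 1 to each interface listed with 'routefilter', then unconditionally `echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter`, and 1 to conf/default/rp_filter only when ROUTE_FILTER is set. That gives per-interface filtering only if the kernel ANDs conf/all with the per-interface value, which as far as I know is what kernels of this era did; on a kernel that takes the maximum of the two, setting conf/all to 1 enables reverse-path filtering on every interface, including ones the administrator did not list. A comment such as `# conf/all/rp_filter must be 1 for any per-interface setting to take effect; the per-interface files select which interfaces actually filter` would make the assumption visible and checkable. The zeroing loop also appears to have moved inside the `if`, so a host with neither 'routefilter' interfaces nor ROUTE_FILTER now keeps whatever rp_filter values it had at startup instead of having them reset to 0; that is a behaviour change worth a sentence in the changelog. add_common_rules begins and ends outside this hunk.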


@ -425,6 +425,9 @@ chain_base() #$1 = interface
*.*) *.*)
c="${c%.*}_${c##*.}" c="${c%.*}_${c##*.}"
;; ;;
*-*)
c="${c%-*}_${c##*-}"
;;
*) *)
echo ${c:=common} echo ${c:=common}
return return


@ -1 +1 @@
1.4.7 1.4.8


@ -1 +1 @@
1.4.7 1.4.8