From d541d73549c04723fe545eeedd1902d934b00281 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 25 Jun 2003 18:35:38 +0000
Subject: [PATCH] Shorewall 1.4.5

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@614 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Lrp/etc/shorewall/rules | 16 ++-
 Lrp/sbin/shorewall | 15 ++-
 Lrp/usr/share/shorewall/firewall | 191 +++++++++++++++++++----------
 Lrp/usr/share/shorewall/version | 2 +-
 Lrp/var/lib/lrpkg/shorwall.version | 2 +-
 5 files changed, 153 insertions(+), 73 deletions(-)

diff --git a/Lrp/etc/shorewall/rules b/Lrp/etc/shorewall/rules
index 2ff32024f..5cc3c328e 100644
--- a/Lrp/etc/shorewall/rules
+++ b/Lrp/etc/shorewall/rules
@@ -162,14 +162,24 @@
 # Otherwise, a separate rule will be generated for each
 # port.
 #
-# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
-# REDIRECT) If included and different from the IP
+# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or
+# REDIRECT[-]) If included and different from the IP
 # address given in the SERVER column, this is an address
 # on some interface on the firewall and connections to
 # that address will be forwarded to the IP and port
 # specified in the DEST column.
 #
-# The address may optionally be followed by
+# A comma-separated list of addresses may also be used.
+# This is usually most useful with the REDIRECT target
+# where you want to redirect traffic destined for
+# particular set of hosts.
+#
+# Finally, if the list of addresses begins with "!" then
+# the rule will be followed only if the original
+# destination address in the connection request does not
+# match any of the addresses listed.
+#
+# The address (list) may optionally be followed by
 # a colon (":") and a second IP address. This causes
 # Shorewall to use the second IP address as the source
 # address in forwarded packets. See the Shorewall
diff --git a/Lrp/sbin/shorewall b/Lrp/sbin/shorewall
index 44c9cc5db..fa5555fa3 100755
--- a/Lrp/sbin/shorewall
+++ b/Lrp/sbin/shorewall @@ -348,7 +348,16 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that timeout=$1 fi - qt which awk && { haveawk=Yes; determine_zones; } || haveawk= + + if qt which awk; then + TMP_DIR=/tmp/shorewall-$$ + mkdir $TMP_DIR + haveawk=Yes + determine_zones + rm -rf $TMP_DIR + else + haveawk= + fi while true; do display_chains @@ -756,7 +765,7 @@ case "$1" in echo " HITS PORT SERVICE(S)" echo " ---- ----- ----------" - grep '${LOGFORMAT}.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ + grep "$LOGFORMAT.*DPT" $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ while read count port ; do # List all services defined for the given port srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u` @@ -776,7 +785,7 @@ case "$1" in try) [ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\"" [ $# -lt 2 -o $# -gt 3 ] && usage 1 - if ! $0 -c $2 restart; then + if ! $0 $debugging -c $2 restart; then if ! iptables -L shorewall > /dev/null 2> /dev/null; then $0 start fi diff --git a/Lrp/usr/share/shorewall/firewall b/Lrp/usr/share/shorewall/firewall index d9cb5dd97..513d7b43c 100755 --- a/Lrp/usr/share/shorewall/firewall +++ b/Lrp/usr/share/shorewall/firewall @@ -354,11 +354,11 @@ setpolicy() # $1 = name of chain, $2 = policy } # -# Set a standard chain to enable established connections +# Set a standard chain to enable established and related connections # setcontinue() # $1 = name of chain { - run_iptables -A $1 -m state --state ESTABLISHED -j ACCEPT + run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT } # @@ -1000,7 +1000,7 @@ stop_firewall() { while read interface host; do expandv interface host - [ "x$host" = "x-" ] && host=0.0.0.0/0 + [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 for h in `separate_list $host`; do hosts="$hosts $interface:$h" done 
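Review bot: `mkdir $TMP_DIR` in monitor_firewall is unchecked and the name `/tmp/shorewall-$$` is predictable, so a directory (or a symlink to one) that already exists at that path in world-writable /tmp is silently reused and determine_zones then works inside it. Suggest `mkdir $TMP_DIR || startup_error "Unable to create $TMP_DIR"` (startup_error is already used by this file in the `try` hunk below) and, where the platform provides it, `TMP_DIR=$(mktemp -d /tmp/shorewall.XXXXXX)`. Whether determine_zones actually writes under TMP_DIR is not visible here; monitor_firewall's body continues outside the hunk.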
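Review bot: The `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule that setcontinue now installs is removed again by an `iptables -D` that spells the same match out a second time in the activate_rules hunk at the end of this file; if either copy drifts, the `-D` fails and the keep-alive rule survives [re]start permanently. Suggest `# Must match the rule deleted in activate_rules()` here and the mirror comment there, or one variable holding the match used by both. Adding RELATED also widens what is accepted during the startup window beyond established flows, which the header comment could state explicitly.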
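Review bot: The widened test `[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0` in stop_firewall makes a routestopped entry with an empty host column mean every host, a behaviour change that nothing in the file documents; suggest `# An empty or "-" host column means all hosts on the interface` above it. The while loop's input and end lie outside this hunk.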
@@ -1793,19 +1793,13 @@ refresh_tc() { # add_nat_rule() { local chain + local excludedests= - # Be sure we should and can NAT + # Be sure we can NAT - case $logtarget in - DNAT|REDIRECT) - if [ -z "$NAT_ENABLED" ]; then - fatal_error "Rule \"$rule\" requires NAT which is disabled" - fi - ;; - *) - fatal_error "Only DNAT and REDIRECT rules may specify port mapping; rule \"$rule\"" - ;; - esac + if [ -z "$NAT_ENABLED" ]; then + fatal_error "Rule \"$rule\" requires NAT which is disabled" + fi # Parse SNAT address if any @@ -1823,14 +1817,20 @@ add_nat_rule() { addr= ;; detect) - addr= - if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then - eval interfaces=\$${source}_interfaces - for interface in $interfaces; do - addr="`find_interface_address $interface` $addr" - done - fi - ;; + addr= + if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then + eval interfaces=\$${source}_interfaces + for interface in $interfaces; do + addr=${addr:+$addr,}`find_interface_address $interface` + done + fi + ;; + !*) + if [ `list_count $addr` -gt 1 ]; then + excludedests="`separate_list ${addr#\!}`" + addr= + fi + ;; esac addr=${addr:-0.0.0.0/0} 
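Review bot: With the `case $logtarget` guard removed, add_nat_rule no longer rejects non-DNAT/REDIRECT targets itself and relies entirely on the caller's `natrule` flag (set in the add_a_rule hunks later in this patch), and that precondition is not stated anywhere in the function. Suggest `# Precondition: called from add_a_rule only when natrule is set (logtarget is DNAT or REDIRECT)` at the top of the function. add_nat_rule continues past the end of the hunk.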
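Review bot: The new `!*)` arm converts a negated list into `excludedests` only when `list_count $addr` is greater than one, so a single negated address deliberately stays in `addr` with its leading `!`, and a reader will assume every negation becomes `excludedests`. Suggest `# A negated list becomes RETURN rules via excludedests; a single negated address stays in addr and is expected to reach iptables as a negated -d match` on the arm. In the `detect)` arm, an empty result from find_interface_address leaves an empty element in the comma list; confirm separate_list tolerates that. add_nat_rule's body continues outside the hunk.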
@@ -1844,42 +1844,75 @@ add_nat_rule() { target1="REDIRECT --to-port $servport" fi + if [ $source = $FW ]; then + [ -n "$excludezones" ] && fatal_error "Invalid Source in rule \"$rule\"" + fi + # Generate nat table rules if [ $command != check ]; then if [ "$source" = "$FW" ]; then - run_iptables2 -t nat -A OUTPUT $proto $sports -d $addr \ - $multiport $dports -j $target1 - else - chain=`dnat_chain $source` - - if [ -n "$excludezones" ]; then + if [ -n "$excludedests" ]; then chain=nonat${nonat_seq} nonat_seq=$(($nonat_seq + 1)) createnatchain $chain - addnatrule `dnat_chain $source` -j $chain + run_iptables -t nat -A OUTPUT $cli $proto $multiport $sports $dports -j $chain + + for adr in $excludedests; do + addnatrule $chain -d $adr -j RETURN + done + + if [ -n "$loglevel" ]; then + log_rule $loglevel $chain $logtarget -t nat + fi + + addnatrule $chain -j $target1 + else + for adr in `separate_list $addr`; do + run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr \ + $multiport $dports -j $target1 + done + fi + else + chain=`dnat_chain $source` + + if [ -n "${excludezones}${excludedests}" ]; then + chain=nonat${nonat_seq} + nonat_seq=$(($nonat_seq + 1)) + createnatchain $chain + addnatrule `dnat_chain $source` $cli $proto $multiport $sports $dports -j $chain for z in $excludezones; do eval hosts=\$${z}_hosts for host in $hosts; do - for adr in $addr; do - addnatrule $chain $proto -s ${host#*:} \ - $multiport $sports -d $adr $dports -j RETURN + for adr in `separate_list $addr`; do + addnatrule $chain -s ${host#*:} -d $adr -j RETURN done done done + + for adr in $excludedests; do + addnatrule $chain -d $adr -j RETURN + done + + for adr in `separate_list $addr`; do + if [ -n "$loglevel" ]; then + log_rule $loglevel $chain $logtarget -t nat -d `fix_bang $adr` + fi + + addnatrule $chain -d $adr -j $target1 + done + else + for adr in `separate_list $addr`; do + if [ -n "$loglevel" ]; then + ensurenatchain $chain + log_rule $loglevel $chain $logtarget -t nat \ + 
`fix_bang $proto $cli $sports -d $adr $multiport $dports` + fi + + addnatrule $chain $proto $cli $sports \ + -d $adr $multiport $dports -j $target1 + done fi - - for adr in $addr; do - if [ -n "$loglevel" ]; then - ensurenatchain $chain - log_rule $loglevel $chain $logtarget -t nat \ - `fix_bang $proto $cli $sports -d $adr $multiport $dports` - loglevel= - fi - - addnatrule $chain $proto $cli $sports \ - -d $adr $multiport $dports -j $target1 - done fi fi @@ -1930,11 +1963,13 @@ add_nat_rule() { # add_a_rule() { - # Set source variables + local natrule= + + # Set source variables. The 'cli' variable will hold the client match predicate(s). cli= - [ -n "$client" ] && case "$client" in + case "$client" in -) ;; *:*) @@ -1947,16 +1982,16 @@ add_a_rule() cli=`mac_match $client` ;; *) - cli="-i $client" + [ -n "$client" ] && cli="-i $client" ;; esac - # Set destination variables + # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s). dest_interface= serv= - [ -n "$server" ] && case "$server" in + case "$server" in -) ;; *.*.*) @@ -1966,7 +2001,7 @@ add_a_rule() fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" ;; *) - dest_interface="-o $server" + [ -n "$server" ] && dest_interface="-o $server" ;; esac @@ -2032,10 +2067,12 @@ add_a_rule() [ -n "$serv" ] && startup_error "REDIRECT rules cannot"\ " specify a server IP; rule: \"$rule\"" servport=${servport:=$port} + natrule=Yes ;; DNAT) [ -n "$serv" ] || fatal_error "DNAT rules require a" \ " server address; rule: \"$rule\"" + natrule=Yes ;; LOG) [ -z "$loglevel" ] && fatal_error "LOG requires log level" 
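Review bot: In the new `$FW`-source branch with `excludedests`, the jump into the nonat chain is issued with `run_iptables` while the sibling branch keeps `run_iptables2`, and none of the `addnatrule ... -d $adr` calls go through `fix_bang` although the neighbouring `log_rule` calls do. If a single negated ORIGINAL DEST (which the `!*)` arm in the earlier hunk leaves in `addr` with its `!`) reaches these lines, confirm that addnatrule and run_iptables reposition the `!` themselves; otherwise the RETURN and DNAT rules in the excludezones loop receive `-d !x` verbatim. A short comment such as `# excluded zones first, then excluded destinations, then one NAT rule per original destination` would make the rule order in the nonat chain explicit. add_nat_rule starts and ends outside this hunk.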
@@ -2044,7 +2081,7 @@ add_a_rule() # Complain if the rule is really a policy - if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then + if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a "$logtarget" != LOG ]; then error_message "Warning -- Rule \"$rule\" is a POLICY" error_message " -- and should be moved to the policy file" fi @@ -2054,15 +2091,16 @@ add_a_rule() # A specific server or server port given - if [ -n "$addr" -a "$addr" != "$serv" ]; then - add_nat_rule - elif [ -n "$servport" -a "$servport" != "$port" ]; then + if [ -n "$natrule" ]; then add_nat_rule + elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then + fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\"" fi if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then serv="${serv:+-d $serv}" - if [ -n "$loglevel" ]; then + + if [ -n "$loglevel" -a -z "$natrule" ]; then log_rule $loglevel $chain $logtarget \ `fix_bang $proto $sports $multiport $state $cli $serv $dports` fi @@ -2126,7 +2164,12 @@ process_rule() # $1 = target logtarget="$target" dnat_only= - # Convert 1.3 Rule formats to 1.2 format + # Tranform the rule: + # + # - set 'target' to the filter table target. + # - make $FW the destination for REDIRECT + # - remove '-' suffix from logtargets while setting 'dnat_only' + # - clear 'address' if it has been set to '-' [ "x$address" = "x-" ] && address= @@ -2185,9 +2228,7 @@ process_rule() # $1 = target fatal_error "Exclude list only allowed with DNAT or REDIRECT" fi - if ! validate_zone $clientzone; then - fatal_error "Undefined Client Zone in rule \"$rule\"" - fi + validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\"" # Parse and validate destination @@ -2220,7 +2261,7 @@ process_rule() # $1 = target dest=$serverzone - # Create canonical chain if necessary + # Ensure that this rule doesn't apply to a NONE policy pair of zones chain=${source}2${dest} 
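Review bot: The new header comment in process_rule reads `# Tranform the rule:`; it should be `# Transform the rule:`. process_rule continues outside the hunk.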
@@ -2229,11 +2270,14 @@ process_rule() # $1 = target [ $policy = NONE ] && \ fatal_error "Rules may not override a NONE policy: rule \"$rule\"" - [ $command = check ] || ensurechain $chain + # Be sure that this isn't a fw->fw rule. if [ "x$chain" = x${FW}2${FW} ]; then case $logtarget in - REDIRECT) + REDIRECT|DNAT) + # + # Redirect rules that have the firewall as the source are fw->fw rules + # ;; *) error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored" @@ -2241,6 +2285,9 @@ process_rule() # $1 = target ;; esac else + + # Create the canonical chain if it doesn't already exist + [ $command = check ] || ensurechain $chain fi @@ -2252,15 +2299,25 @@ process_rule() # $1 = target `list_count $ports` -le 15 -a \ `list_count $cports` -le 15 ] then + # + # MULTIPORT is enabled, there are no port ranges in the rule and less than + # 16 ports are listed - use multiport match. + # multioption="-m multiport" for client in `separate_list ${clients:=-}`; do for server in `separate_list ${servers:=-}`; do + # + # add_a_rule() modifies these so we must set their values each time + # port=${ports:=-} cport=${cports:=-} add_a_rule done done else + # + # MULTIPORT is disabled or the rule isn't compatible with multiport match + # multioption= for client in `separate_list ${clients:=-}`; do for server in `separate_list ${servers:=-}`; do @@ -2272,7 +2329,9 @@ process_rule() # $1 = target done done fi - + # + # Report Result + # if [ $command = check ]; then echo " Rule \"$rule\" checked." else @@ -3774,9 +3833,11 @@ activate_rules() complete_standard_chain INPUT all $FW complete_standard_chain OUTPUT $FW all complete_standard_chain FORWARD all all - + # + # Remove rules added to keep the firewall alive during [re]start" + # for chain in INPUT OUTPUT FORWARD; do - run_iptables -D $chain -m state --state ESTABLISHED -j ACCEPT + run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT done } 
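Review bot: The comment added in the `REDIRECT|DNAT)` arm says `Redirect rules that have the firewall as the source are fw->fw rules`, but the arm now admits DNAT as well, and after this change `ensurechain` runs only in the else branch, which matches add_a_rule skipping the filter-table rule when `$chain` is `${FW}2${FW}`. Suggest `# REDIRECT and DNAT rules with the firewall as source are the only fw->fw rules accepted; they yield nat-table rules only, so no filter chain is created`. process_rule continues outside the hunk.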
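Review bot: The comment `# Remove rules added to keep the firewall alive during [re]start"` in activate_rules carries a stray trailing double quote; drop it. activate_rules starts outside the hunk.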
diff --git a/Lrp/usr/share/shorewall/version b/Lrp/usr/share/shorewall/version
index 25b670fc2..e516bb9d9 100644
--- a/Lrp/usr/share/shorewall/version
+++ b/Lrp/usr/share/shorewall/version
@@ -1 +1 @@
-1.4.4b
+1.4.5
diff --git a/Lrp/var/lib/lrpkg/shorwall.version b/Lrp/var/lib/lrpkg/shorwall.version
index d0688623d..e516bb9d9 100644
--- a/Lrp/var/lib/lrpkg/shorwall.version
+++ b/Lrp/var/lib/lrpkg/shorwall.version
@@ -1 +1 @@
-1.4.4a
+1.4.5