diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 4d57c02ed..047b23c6e 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -4,6 +4,8 @@ Changes in 2.2.1
 2) Simon Matter's patch for umask.
+3) Added MACLISTNEWONLY option.
+
 Changes since 2.0.3
 1) Fix security vulnerability involving temporary files/directories.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 892a9aa76..45394ca63 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -2073,10 +2073,11 @@ setup_mac_lists() {
 ipsec=${hosts%^*}
 hosts=${hosts#*^}
 [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
+ [ -n "$MACLISTNEWONLY" ] && state="-m state --state NEW" || state=
 interface=${hosts%%:*}
 hosts=${hosts#*:}
 for chain in $(first_chains $interface) ; do
- run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
+ run_iptables -A $chain $(match_source_hosts $hosts) $state \
 $policy -j $(mac_chain $interface)
 done
 done
@@ -7126,6 +7127,7 @@ do_initialize() {
 LOGTAGONLY=
 LOGALLNEW=
 DROPINVALID=
+ MACLISTNEWONLY=
 RESTOREBASE=
 TMP_DIR=
@@ -7321,6 +7323,7 @@ do_initialize() {
 DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
 LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
 DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
+ MACLISTNEWONLY=$(added_param_value_yes MACLISTNEWONLY $MACLISTNEWONLY)
 #
 # Strip the files that we use often
 #
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 66e942969..14d2f9c15 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
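Review bot: The new `state` line in setup_mac_lists deserves a comment, because clearing MACLISTNEWONLY is the stricter mode and nothing in the hunk says so: `# MACLISTNEWONLY cleared: every packet, not only NEW connections, traverses the MAC chain`. Like `policy` on the line above it, `state` is a plain global rather than a per-call local, so it keeps its last value after setup_mac_lists returns; that matches the surrounding style, but a more specific name such as `maclist_state` would reduce the chance of a collision elsewhere in this large script, which I cannot check from the hunk. Whether `added_param_value_yes` maps a `No` setting to the empty string that the `-n` test relies on is not visible here either and is worth confirming. setup_mac_lists starts before and ends after this hunk.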
@@ -10,6 +10,13 @@ Problems corrected in version 2.2.1
 files in /var/lib/shorewall to be world-readable. Shorewall now uses umask 0177.
 -----------------------------------------------------------------------
+New Features in version 2.2.1
+
+1) A MACLISTNEWONLY option is added to shorewall.conf. When set to Yes
+ (the default), then only new incoming connection requests are
+ checked against the maclist. If set to No, all incoming packets are
+ checked.
+-----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0 to Shorewall 2.2:
 1) Shorewall configuration files except shorewall.conf are now empty
diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf
index a92cb9d7c..7fce78dc0 100755
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
@@ -633,6 +633,22 @@ ADMINISABSENTMINDED=Yes
 #
 BLACKLISTNEWONLY=Yes
+#
+# MACLIST Behavior
+#
+# The following variable determines whether the maclist is checked for each
+# packet or for each new connection.
+#
+# MACLISTNEWONLY=Yes Only consult the interface's maclist for new
+# connection requests
+#
+# MACLISTNEWONLY=No Consult maclists for all packets.
+#
+# If the MACLISTNEWONLY option is not set or is set to the empty value then
+# BLACKLISTNEWONLY=Yes is assumed.
+#
+BLACKLISTNEWONLY=Yes
+
 #
 # Users with a large blacklist find that "shorwall [re]start" takes a long
 # time and that new connections are disabled during that time. By setting
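Review bot: The setting added at the end of the new comment block in shorewall.conf reads `BLACKLISTNEWONLY=Yes` where `MACLISTNEWONLY=Yes` is clearly intended, and the sentence two lines above it says `BLACKLISTNEWONLY=Yes is assumed` for the same reason. As committed, the shipped shorewall.conf assigns BLACKLISTNEWONLY twice and never sets MACLISTNEWONLY at all; the firewall script presumably still falls back to Yes through added_param_value_yes, but an administrator who changes this second line to No, expecting every packet to be checked against the MAC list, would instead be relaxing the blacklist check while the MAC list stays NEW-only. Change the two lines to `# MACLISTNEWONLY=Yes is assumed.` and `MACLISTNEWONLY=Yes`.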