diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 086531c16..66672b27f 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -6,6 +6,8 @@ Changes in 3.2.0 Beta 2 3) Add 'refreshed' extension script. +4) Implement 'logdrop' and 'logreject' + Changes in 3.1.x. and 3.2.x 1) Removal of dynamic zones. diff --git a/Shorewall/compiler b/Shorewall/compiler index 8a44126e7..ffcdda2a8 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -7261,15 +7261,23 @@ initialize_netfilter () { createchain reject no createchain dynamic no + createchain logdrop no + createchain logreject no createchain smurfs no + log_rule ${BLACKLIST_LOGLEVEL:-info} logdrop DROP + log_rule ${BLACKLIST_LOGLEVEL:-info} logreject REJECT + + run_iptables -A logdrop -j DROP + run_iptables -A logreject -j reject + indent >&3 << __EOF__ if [ -f /var/lib/shorewall/save ]; then progress_message2 "Setting up dynamic rules..." while read target ignore1 ignore2 address rest; do case \$target in - DROP|reject) + DROP|reject|logdrop|logreject) run_iptables -A dynamic -s \$address -j \$target ;; esac diff --git a/Shorewall/help b/Shorewall/help index ff6a3c7a3..372c5298e 100755 --- a/Shorewall/help +++ b/Shorewall/help @@ -161,7 +161,7 @@ drop) echo "$1: $1
... Causes packets from the specified
to be ignored - Shorewall allow, drop, reject and save implement dynamic blacklisting. + Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. See also \"help address\"" ;; @@ -215,12 +215,30 @@ iprange) equivalent list of network/host addresses." ;; +logdrop) + echo "$1: $1
... + Causes packets from the specified
to be ignored and loged. + + Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. + + See also \"help address\"" + ;; + logwatch) echo "logwatch: logwatch [] Monitors the LOGFILE, $LOGFILE, and produces an audible alarm when new Shorewall messages are logged." ;; +logreject) + echo "$1: $1
... + Causes packets from the specified
to be rejected and logged. + + Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. + + See also \"help address\"" + ;; + refresh) echo "refresh: refresh The rules involving the broadcast addresses of firewall interfaces, @@ -232,7 +250,7 @@ reject) echo "$1: $1
... Causes packets from the specified
to be rejected - Shorewall allow, drop, rejct and save implement dynamic blacklisting. + Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. See also \"help address\"" ;; @@ -283,7 +301,7 @@ save) and 'shorewall -f start' commands. If is not given then the state is saved in the file specified by the RESTOREFILE option in shorewall.conf. - Shorewall allow, drop, rejct and save implement dynamic blacklisting. + Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. See also \"help restore\" and \"help forget\"" ;; diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 244d4d0db..dbd0f6214 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -43,6 +43,17 @@ Other changes in 3.2.0 Beta 2 1) A 'refreshed' extension script has been added -- it is executed after "shorewall refresh" has finished. +2) Two new dynamic blacklisting commands have been added: + + logdrop -- like 'drop' but causes the dropped packets to be logged. + + logreject -- like 'reject' but causes the rejected packets to be + logged. + + Packets are logged at the BLACKLIST_LOGLEVEL if one was specified at the + last "shorewall [re]start"; otherwise, they are logged at the 'info' + log level. + Migration Considerations: 1) A number of macros have been split into two. The macros affected are: diff --git a/Shorewall/shorewall b/Shorewall/shorewall index b2e4d9469..578fef2b3 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -1314,6 +1314,8 @@ usage() # $1 = exit status echo " ipcalc {
/ |
}" echo " ipdecimal {
| }" echo " iprange
-
" + echo " logdrop
..." + echo " logreject
..." echo " logwatch []" echo " refresh" echo " reject
..." @@ -1777,6 +1779,8 @@ case "$COMMAND" in shift qt $IPTABLES -D dynamic -s $1 -j reject qt $IPTABLES -D dynamic -s $1 -j DROP + qt $IPTABLES -D dynamic -s $1 -j logreject + qt $IPTABLES -D dynamic -s $1 -j logdrop $IPTABLES -A dynamic -s $1 -j DROP || break 1 echo "$1 Dropped" done @@ -1786,7 +1790,7 @@ case "$COMMAND" in exit 2 fi ;; - reject) + logdrop) [ -n "$debugging" ] && set -x [ $# -eq 1 ] && usage 1 if shorewall_is_started ; then @@ -1795,7 +1799,29 @@ case "$COMMAND" in shift qt $IPTABLES -D dynamic -s $1 -j reject qt $IPTABLES -D dynamic -s $1 -j DROP - $IPTABLES -A dynamic -s $1 -j reject || break 1 + qt $IPTABLES -D dynamic -s $1 -j logreject + qt $IPTABLES -D dynamic -s $1 -j logdrop + $IPTABLES -A dynamic -s $1 -j logdrop || break 1 + echo "$1 Dropped" + done + mutex_off + else + error_message "ERROR: Shorewall is not started" + exit 2 + fi + ;; + reject|logreject) + [ -n "$debugging" ] && set -x + [ $# -eq 1 ] && usage 1 + if shorewall_is_started ; then + mutex_on + while [ $# -gt 1 ]; do + shift + qt $IPTABLES -D dynamic -s $1 -j reject + qt $IPTABLES -D dynamic -s $1 -j DROP + qt $IPTABLES -D dynamic -s $1 -j logreject + qt $IPTABLES -D dynamic -s $1 -j logdrop + $IPTABLES -A dynamic -s $1 -j $COMMAND || break 1 echo "$1 Rejected" done mutex_off @@ -1811,7 +1837,11 @@ case "$COMMAND" in mutex_on while [ $# -gt 1 ]; do shift - if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then + if qt $IPTABLES -D dynamic -s $1 -j reject ||\ + qt $IPTABLES -D dynamic -s $1 -j DROP ||\ + qt $IPTABLES -D dynamic -s $1 -j logdrop ||\ + qt $IPTABLES -D dynamic -s $1 -j logreject + then echo "$1 Allowed" else echo "$1 Not Dropped or Rejected"