diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index 420d00c13..66a5fb74a 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -18,6 +18,8 @@ Changes in 4.1.7 9) Add ORIGINAL DEST column to macros. +10) Add NULL_ROUTE_RFC1918 option. + Changes in 4.1.6 1) Deprecate IMPLICIT_CONTINUE=Yes diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 671248477..bf9e8b119 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -196,8 +196,14 @@ New Features in 4.1.7. The column must be left empty if the macro is to be used in the body of an action. - Note that the position of the ORIGINAL DEST column is different - from its position in the /etc/shorewall/rules file. Beware! + The new column is placed between the SOURCE PORT(S) and RATE LIMIT + columns. So that Shorewall-perl can determine which column layout + each macro has, a new FORMAT directive is added: + + FORMAT {1|2} + + The default is FORMAT 1 which is the old format. FORMAT 2 specifies + that the macro is in the new format. 5) Shorewall-perl implements a new Rfc1918 macro that deals with RFC 1918 addresses. This macro should be used in place of 
@@ -205,17 +211,33 @@ New Features in 4.1.7. The macro body is: - #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ ORIGINAL - # PORT(S) PORT(S) LIMIT GROUP DEST + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ + # PORT(S) PORT(S) DEST LIMIT GROUP + FORMAT 2 PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \ - DEST - - - - - - - PARAM SOURCE DEST - - - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + DEST - - - - - - + PARAM SOURCE DEST - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE The 'norfc1918' option on the interface associated with zone 'z' and with RFC1018_STRICT=Yes is equivalent to: Rfc1918(DROP) z all +6) A better way to perform RFC 1918 filtration is to null-route the + address ranges reserved by RFC 1918. You can do that by setting the + new NULL_ROUTE_RFC1918 option to 'Yes' in shorewall.conf. + + It is highly recommended that you also set ROUTE_FILTER=Yes to get + Martian messages. These will help diagnose problems where you need + to be able to access hosts with RFC 1918 addresses that are outside + of your local networks. Sometimes, these can be subtle such as the + case where your ISP is using RFC 1918 addresses on their DHCP + servers. + + NULL_ROUTE_RFC1918 defaults to 'No' and is only supported by + Shorewall-perl; Shorewall-shell ignores the option. + New Features in Shorewall 4.1. 1) Shorewall 4.1 contains support for multiple Internet providers diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index 9ed08cab1..47d3ccd3c 100644 --- a/Shorewall-perl/Shorewall/Config.pm +++ b/Shorewall-perl/Shorewall/Config.pm @@ -357,6 +357,7 @@ sub initialize() { DONT_LOAD => '', AUTO_COMMENT => undef , MANGLE_ENABLED => undef , + NULL_ROUTE_RFC1918 => undef , # # Packet Disposition # 
@@ -1894,6 +1895,7 @@ sub get_configuration( $ ) { default_yes_no 'MULTICAST' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; default_yes_no 'MANGLE_ENABLED' , 'Yes'; + default_yes_no 'NULL_ROUTE_RFC1918' , ''; $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; diff --git a/Shorewall-perl/Shorewall/IPAddrs.pm b/Shorewall-perl/Shorewall/IPAddrs.pm index b6cd5a6e4..24ef35bba 100644 --- a/Shorewall-perl/Shorewall/IPAddrs.pm +++ b/Shorewall-perl/Shorewall/IPAddrs.pm @@ -45,7 +45,7 @@ our @EXPORT = qw( ALLIPv4 ip_range_explicit expand_port_range allipv4 - rfc1918_neworks + rfc1918_networks resolve_proto proto_name validate_port diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm index d9f55a096..0cf979900 100644 --- a/Shorewall-perl/Shorewall/Providers.pm +++ b/Shorewall-perl/Shorewall/Providers.pm @@ -454,6 +454,19 @@ sub add_an_rtrule( $$$$ ) { } sub setup_providers() { + # + # This probably doesn't belong here but looking forward to the day when we get Shorewall out of the routing business, + # it makes sense to keep all of the routing code together + # + if ( $config{NULL_ROUTE_RFC1918} ) { + emit 'if [ -z "$NOROUTES" ]; then'; + push_indent; + save_progress_message "Null Routing the RFC 1918 subnets"; + emit "run_ip route replace unreachable $_" for rfc1918_networks; + pop_indent; + emit "fi\n"; + } + my $providers = 0; my $fn = open_file 'providers';
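Review bot: The `run_ip route replace unreachable` lines emitted in setup_providers have no visible counterpart that withdraws them, so once installed they would persist in the kernel after the option is set back to No or the firewall is stopped, unless a matching `run_ip route del` is emitted on the teardown path outside this hunk. A comment above `if ( $config{NULL_ROUTE_RFC1918} ) {` stating where (or whether) the routes are removed would help the next maintainer, e.g. `# NOTE: these routes are not withdrawn here; confirm the stop/clear path removes them`. The statement modifier `for rfc1918_networks` relies on the sub being imported at compile time (its export is spelled correctly only as of the IPAddrs.pm hunk in this commit); writing it as `for rfc1918_networks()` removes the bareword ambiguity under strict. The routes carry no `table` argument, so they land in the main table only; whether traffic steered into provider tables ahead of main bypasses them depends on rule priorities set later in setup_providers, which is worth recording in the comment block. setup_providers continues past the end of the hunk.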