Correct typo in /etc/shorewall/policy; Allow "all+" in SOURCE/DEST in /etc/shorewall/rules to enable intra-zone traffic
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2454 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
d90f4a7b2d
commit
f56e907907
@ -5493,14 +5493,15 @@ process_rules() # $1 = "Yes" if the target is a macro.
|
|||||||
#
|
#
|
||||||
# Process a rule where the source or destination is "all"
|
# Process a rule where the source or destination is "all"
|
||||||
#
|
#
|
||||||
process_wildcard_rule() {
|
process_wildcard_rule() # $1 = Yes, if this is a macro, $2 = Yes if we want intrazone traffic
|
||||||
|
{
|
||||||
local yclients yservers ysourcezone ydestzone ypolicy
|
local yclients yservers ysourcezone ydestzone ypolicy
|
||||||
|
|
||||||
for yclients in $xclients; do
|
for yclients in $xclients; do
|
||||||
for yservers in $xservers; do
|
for yservers in $xservers; do
|
||||||
ysourcezone=${yclients%%:*}
|
ysourcezone=${yclients%%:*}
|
||||||
ydestzone=${yservers%%:*}
|
ydestzone=${yservers%%:*}
|
||||||
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
|
if [ "$2" = Yes -o "${ysourcezone}" != "${ydestzone}" ] ; then
|
||||||
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
|
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
|
||||||
if [ "$ypolicy" != NONE ] ; then
|
if [ "$ypolicy" != NONE ] ; then
|
||||||
if [ "$1" = Yes ]; then
|
if [ "$1" = Yes ]; then
|
||||||
@ -5517,20 +5518,34 @@ process_rules() # $1 = "Yes" if the target is a macro.
|
|||||||
|
|
||||||
do_it() # $1 = "Yes" if the target is a macro.
|
do_it() # $1 = "Yes" if the target is a macro.
|
||||||
{
|
{
|
||||||
expandv xprotocol xports xcports xaddress xratelimit xuserspec
|
expandv xprotocol xports xcports xaddress xratelimit xuserspec intrazone=
|
||||||
|
|
||||||
|
case $xclients in
|
||||||
|
all+)
|
||||||
|
xclients=all
|
||||||
|
intrazone=Yes
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
case $xservers in
|
||||||
|
all+)
|
||||||
|
xservers=all
|
||||||
|
intrazone=Yes
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
if [ "x$xclients" = xall ]; then
|
if [ "x$xclients" = xall ]; then
|
||||||
xclients="$ZONES $FW"
|
xclients="$ZONES $FW"
|
||||||
if [ "x$xservers" = xall ]; then
|
if [ "x$xservers" = xall ]; then
|
||||||
xservers="$ZONES $FW"
|
xservers="$ZONES $FW"
|
||||||
fi
|
fi
|
||||||
process_wildcard_rule $1
|
process_wildcard_rule "$1" $intrazone
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "x$xservers" = xall ]; then
|
if [ "x$xservers" = xall ]; then
|
||||||
xservers="$ZONES $FW"
|
xservers="$ZONES $FW"
|
||||||
process_wildcard_rule $1
|
process_wildcard_rule "$1" $intrazone
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
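Review bot: The `intrazone=` token appended to the `expandv` argument list in do_it looks like an attempt to give the new flag an empty initial value, but the other arguments to expandv are variable names, so what it does with a token ending in `=` depends on its implementation (not visible here) and is at best surprising; initialize the flag on its own line instead: `expandv xprotocol xports xcports xaddress xratelimit xuserspec` followed by `intrazone=`. The two calls `process_wildcard_rule "$1" $intrazone` pass the flag unquoted, so the second argument disappears entirely when it is empty; that is harmless only because process_wildcard_rule compares `"$2"` quoted, and writing `"$intrazone"` keeps the argument count fixed regardless. Since either column being `all+` sets the flag, a rule with `all+` on one side and a single zone on the other also matches that zone to itself, which agrees with the release note but is worth stating in the `$2` comment on process_wildcard_rule. The rest of do_it continues outside the hunk.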
@ -51,7 +51,7 @@
|
|||||||
# /etc/shorewall/actions (or
|
# /etc/shorewall/actions (or
|
||||||
# /usr/share/shorewall/actions.std) then that action
|
# /usr/share/shorewall/actions.std) then that action
|
||||||
# will be invoked before the policy named in this column
|
# will be invoked before the policy named in this column
|
||||||
# is inforced.
|
# is enforced.
|
||||||
#
|
#
|
||||||
# The policy determined the default treatment of new
|
# The policy determined the default treatment of new
|
||||||
# connection requests and may optionally be followed by
|
# connection requests and may optionally be followed by
|
||||||
|
@ -157,6 +157,9 @@ Migration Considerations:
|
|||||||
upgrading to this release before "shorewall status" will show
|
upgrading to this release before "shorewall status" will show
|
||||||
anything but "Unknown" for the state.
|
anything but "Unknown" for the state.
|
||||||
|
|
||||||
|
8) The "shorewall forget" command now removes the dynamic blacklist
|
||||||
|
save file (/var/lib/shorewall/save).
|
||||||
|
|
||||||
New Features in Shorewall 2.5.0
|
New Features in Shorewall 2.5.0
|
||||||
|
|
||||||
1) Error and warning messages are made easier to spot by using
|
1) Error and warning messages are made easier to spot by using
|
||||||
@ -298,5 +301,13 @@ New Features in Shorewall 2.5.0
|
|||||||
WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE INVOLVED IN
|
WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE INVOLVED IN
|
||||||
PROXY ARP.
|
PROXY ARP.
|
||||||
|
|
||||||
|
7) In /etc/shorewall/rules, "all+" in the SOURCE or DEST column works
|
||||||
|
like "all" but also includes intrazone traffic. So the rule:
|
||||||
|
|
||||||
|
ACCEPT loc all+ tcp 22
|
||||||
|
|
||||||
|
would allow SSH traffic from loc->loc whereas
|
||||||
|
|
||||||
|
ACCEPT loc all tcp 22
|
||||||
|
|
||||||
|
does not.
|
||||||
|
@ -112,20 +112,21 @@
|
|||||||
#
|
#
|
||||||
# SOURCE Source hosts to which the rule applies. May be a zone
|
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||||
# defined in /etc/shorewall/zones, $FW to indicate the
|
# defined in /etc/shorewall/zones, $FW to indicate the
|
||||||
# firewall itself, "all" or "none" If the ACTION is DNAT
|
# firewall itself, "all", "all+" or "none" If the ACTION
|
||||||
# or REDIRECT, sub-zones of the specified zone may be
|
# is DNAT or REDIRECT, sub-zones of the specified zone
|
||||||
# excluded from the rule by following the zone name with
|
# may be excluded from the rule by following the zone
|
||||||
# "!' and a comma-separated list of sub-zone names.
|
# name with "!' and a comma-separated list of sub-zone
|
||||||
|
# names.
|
||||||
#
|
#
|
||||||
# When "none" is used either in the SOURCE or DEST
|
# When "none" is used either in the SOURCE or DEST
|
||||||
# column, the rule is ignored.
|
# column, the rule is ignored.
|
||||||
#
|
#
|
||||||
# When "all" is used either in the SOURCE or DEST column
|
# When "all" is used either in the SOURCE or DEST column
|
||||||
# intra-zone traffic is not affected. You must add
|
# intra-zone traffic is not affected. When "all+" is
|
||||||
# separate rules to handle that traffic.
|
# used, intra-zone traffic is affected.
|
||||||
#
|
#
|
||||||
# Except when "all" is specified, clients may be further
|
# Except when "all[+]" is specified, clients may be
|
||||||
# restricted to a list of subnets and/or hosts by
|
# further restricted to a list of subnets and/or hosts by
|
||||||
# appending ":" and a comma-separated list of subnets
|
# appending ":" and a comma-separated list of subnets
|
||||||
# and/or hosts. Hosts may be specified by IP or MAC
|
# and/or hosts. Hosts may be specified by IP or MAC
|
||||||
# address; mac addresses must begin with "~" and must use
|
# address; mac addresses must begin with "~" and must use
|
||||||
@ -166,16 +167,16 @@
|
|||||||
#
|
#
|
||||||
# DEST Location of Server. May be a zone defined in
|
# DEST Location of Server. May be a zone defined in
|
||||||
# /etc/shorewall/zones, $FW to indicate the firewall
|
# /etc/shorewall/zones, $FW to indicate the firewall
|
||||||
# itself, "all" or "none".
|
# itself, "all". "all+" or "none".
|
||||||
#
|
#
|
||||||
# When "none" is used either in the SOURCE or DEST
|
# When "none" is used either in the SOURCE or DEST
|
||||||
# column, the rule is ignored.
|
# column, the rule is ignored.
|
||||||
#
|
#
|
||||||
# When "all" is used either in the SOURCE or DEST column
|
# When "all" is used either in the SOURCE or DEST column
|
||||||
# intra-zone traffic is not affected. You must add
|
# intra-zone traffic is not affected. When "all+" is
|
||||||
# separate rules to handle that traffic.
|
# used, intra-zone traffic is affected.
|
||||||
#
|
#
|
||||||
# Except when "all" is specified, the server may be
|
# Except when "all[+]" is specified, the server may be
|
||||||
# further restricted to a particular subnet, host or
|
# further restricted to a particular subnet, host or
|
||||||
# interface by appending ":" and the subnet, host or
|
# interface by appending ":" and the subnet, host or
|
||||||
# interface. See above.
|
# interface. See above.
|
||||||
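Review bot: The reworded DEST description has a period where a comma belongs: `# itself, "all". "all+" or "none".` should read `# itself, "all", "all+" or "none".`, matching the SOURCE description earlier in the same file. The same hunk also carries over the unbalanced quoting `"!'` in the sub-zone exclusion sentence of the SOURCE block, which would be clearer as `"!"`.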
|