forked from extern/shorewall_code
Changes for 1.3.6
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@179 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
0e9e5a4241
commit
f8832018d2
@ -192,12 +192,15 @@ run_tc() {
|
||||
################################################################################
|
||||
createchain() # $1 = chain name, $2 = If non-null, don't create default rules
|
||||
{
|
||||
local target
|
||||
|
||||
run_iptables -N $1
|
||||
|
||||
if [ $# -eq 1 ]; then
|
||||
state="ESTABLISHED"
|
||||
[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
|
||||
run_iptables -A $1 -m state --state $state -j ACCEPT
|
||||
run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn
|
||||
fi
|
||||
|
||||
eval ${1}_exists=Yes
|
||||
@ -1236,7 +1239,7 @@ setup_proxy_arp() {
|
||||
interfaces=`find_interfaces_by_option proxyarp`
|
||||
|
||||
for interface in $interfaces; do
|
||||
if qt echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp; then
|
||||
if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then
|
||||
echo " Enabled proxy ARP on $interface"
|
||||
else
|
||||
error_message "Warning: Unable to enable proxy ARP on $interface"
|
||||
@ -2713,11 +2716,19 @@ initialize_netfilter () {
|
||||
run_iptables -A FORWARD -p tcp \
|
||||
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||
|
||||
|
||||
createchain newnotsyn no
|
||||
run_user_exit newnotsyn
|
||||
[ -n "$LOGNEWNOTSYN" ] && \
|
||||
run_iptables -A newnotsyn -j LOG \
|
||||
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
|
||||
run_iptables -A newnotsyn -j DROP
|
||||
|
||||
createchain icmpdef no
|
||||
createchain common no
|
||||
createchain reject no
|
||||
createchain dynamic no
|
||||
|
||||
|
||||
if [ -f /var/lib/shorewall/save ]; then
|
||||
echo "Restoring dynamic rules..."
|
||||
|
||||
@ -3388,6 +3399,7 @@ do_initialize() {
|
||||
DETECT_DNAT_IPADDRS=
|
||||
MERGE_HOSTS=
|
||||
MUTEX_TIMEOUT=
|
||||
LOGNEWNOTSYN=
|
||||
stopping=
|
||||
have_mutex=
|
||||
masq_seq=1
|
||||
|
@ -35,7 +35,9 @@
|
||||
# following:
|
||||
#
|
||||
# dhcp - interface is managed by DHCP or used by
|
||||
# a DHCP server running on the firewall.
|
||||
# a DHCP server running on the firewall or
|
||||
# you have a static IP but are on a LAN
|
||||
# segment with lots of Laptop DHCP clients.
|
||||
# noping - icmp echo-request (ping) packets
|
||||
# addressed to the firewall should
|
||||
# be ignored on this interface
|
||||
@ -65,7 +67,9 @@
|
||||
# addresses and you want to be able to
|
||||
# route between them.
|
||||
# routefilter - turn on kernel route filtering for this
|
||||
# interface (anti-spoofing measure).
|
||||
# interface (anti-spoofing measure). This
|
||||
# option can also be enabled globally in
|
||||
# the /etc/shorewall/shorewall.conf file.
|
||||
# dropunclean - Logs and drops mangled/invalid packets
|
||||
#
|
||||
# logunclean - Logs mangled/invalid packets but does
|
||||
|
@ -57,7 +57,7 @@
|
||||
#
|
||||
# You add a router to your local network to connect subnet
|
||||
# 192.168.1.0/24 which you also want to masquerade. You then
|
||||
# add the following entry to this file:
|
||||
# add a second entry for eth0 to this file:
|
||||
#
|
||||
# eth0 192.168.1.0/24
|
||||
#
|
||||
@ -76,6 +76,9 @@
|
||||
#
|
||||
# eth0 192.168.1.0/24 206.124.146.176
|
||||
#
|
||||
# This would normally be done when you have a static external
|
||||
# IP address since it makes the processing of outgoing
|
||||
# packets somewhat faster.
|
||||
##############################################################################
|
||||
#INTERFACE SUBNET ADDRESS
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -35,7 +35,7 @@
|
||||
# As shipped, the default policies are:
|
||||
#
|
||||
# a) All connections from the local network to the internet are allowed
|
||||
# b) All connections from the network are ignored but logged at syslog
|
||||
# b) All connections from the internet are ignored but logged at syslog
|
||||
# level KERNEL.INFO.
|
||||
# d) All other connection requests are rejected and logged at level
|
||||
# KERNEL.INFO.
|
||||
|
@ -29,7 +29,7 @@
|
||||
#
|
||||
# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
|
||||
#
|
||||
# The program was contributed by Andy Wiggen
|
||||
# The program was contributed by Andy Wiggin
|
||||
#
|
||||
0.0.0.0/7 logdrop # Reserved
|
||||
2.0.0.0/8 logdrop # Reserved
|
||||
|
@ -9,26 +9,36 @@
|
||||
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
##############################################################################
|
||||
#
|
||||
# NAME OF THE FIREWALL ZONE
|
||||
#
|
||||
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
|
||||
# is assumed.
|
||||
#
|
||||
FW=fw
|
||||
|
||||
|
||||
#
|
||||
# SUBSYSTEM LOCK FILE
|
||||
#
|
||||
# Set this to the name of the lock file expected by your init scripts. For
|
||||
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
|
||||
# should be /var/state/shorewall. If your init scripts don't use lock files,
|
||||
# set -this to "".
|
||||
# set this to "".
|
||||
#
|
||||
|
||||
SUBSYSLOCK=/var/run/shorewall
|
||||
|
||||
#
|
||||
# SHOREWALL TEMPORARY STATE DIRECTORY
|
||||
#
|
||||
# This is the directory where the firewall maintains state information while
|
||||
# it is running
|
||||
#
|
||||
|
||||
STATEDIR=/tmp/shorewall
|
||||
|
||||
#
|
||||
# ALLOW RELATED CONNECTIONS
|
||||
#
|
||||
# Set this to "yes" or "Yes" if you want to accept all connection requests
|
||||
# that are related to already established connections. For example, you want
|
||||
@ -39,6 +49,8 @@ STATEDIR=/tmp/shorewall
|
||||
|
||||
ALLOWRELATED=yes
|
||||
|
||||
#
|
||||
# KERNEL MODULE DIRECTORY
|
||||
#
|
||||
# If your netfilter kernel modules are in a directory other than
|
||||
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
|
||||
@ -46,6 +58,8 @@ ALLOWRELATED=yes
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
#
|
||||
# LOG RATE LIMITING
|
||||
#
|
||||
# The next two variables can be used to control the amount of log output
|
||||
# generated. LOGRATE is expressed as a number followed by an optional
|
||||
@ -54,22 +68,35 @@ MODULESDIR=
|
||||
# maximum initial burst size that will be logged. If set empty, the default
|
||||
# value of 5 will be used.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# LOGRATE=10/minute
|
||||
# LOGBURST=5
|
||||
#
|
||||
# If BOTH variables are set empty then logging will not be rate-limited.
|
||||
#
|
||||
|
||||
LOGRATE=
|
||||
LOGBURST=
|
||||
|
||||
|
||||
#
|
||||
# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
|
||||
#
|
||||
# This variable determines the level at which Mangled/Invalid packets are logged
|
||||
# under the 'dropunclean' interface option. If you set this variable to an
|
||||
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
|
||||
# silently.
|
||||
#
|
||||
# The value of this variable also determines the level at which Mangled/Invalid
|
||||
# packets are logged under the 'logunclean' interface option. If the variable
|
||||
# is empty, these packets will still be logged at the 'info' level.
|
||||
#
|
||||
|
||||
LOGUNCLEAN=info
|
||||
|
||||
#
|
||||
# LOG FILE LOCATION
|
||||
#
|
||||
# This variable tells the /sbin/shorewall program where to look for Shorewall
|
||||
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
|
||||
# /var/log/messages is assumed.
|
||||
@ -83,7 +110,7 @@ LOGUNCLEAN=info
|
||||
LOGFILE=/var/log/messages
|
||||
|
||||
#
|
||||
# Enable nat support.
|
||||
# ENABLE NAT SUPPORT
|
||||
#
|
||||
# You probally want yes here. Only gateways not doing NAT in any form, like
|
||||
# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
|
||||
@ -91,7 +118,7 @@ LOGFILE=/var/log/messages
|
||||
NAT_ENABLED=Yes
|
||||
|
||||
#
|
||||
# Enable mangle support.
|
||||
# ENABLE MANGLE SUPPORT
|
||||
#
|
||||
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
|
||||
# and will not initialize the mangle table when starting or stopping
|
||||
@ -101,7 +128,7 @@ NAT_ENABLED=Yes
|
||||
MANGLE_ENABLED=Yes
|
||||
|
||||
#
|
||||
# Enable IP Forwarding
|
||||
# ENABLE IP FORWARDING
|
||||
#
|
||||
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
|
||||
# say "Off" or "off", packet forwarding will be disabled. You would only want
|
||||
@ -113,26 +140,27 @@ MANGLE_ENABLED=Yes
|
||||
# enable nor disable packet forwarding.
|
||||
#
|
||||
IP_FORWARDING=On
|
||||
|
||||
#
|
||||
# Automatically add IP Aliases
|
||||
# AUTOMATICALLY ADD NAT IP ADDRESSES
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
|
||||
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
|
||||
# for each NAT external address that you give in /etc/shorewall/nat. If you say
|
||||
# "No" or "no", you must add these aliases youself.
|
||||
#
|
||||
ADD_IP_ALIASES=Yes
|
||||
|
||||
#
|
||||
# Automatically add SNAT Aliases
|
||||
# AUTOMATICALLY ADD SNAT IP ADDRESSES
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
|
||||
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
|
||||
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
|
||||
# "No" or "no", you must add these aliases youself.
|
||||
#
|
||||
ADD_SNAT_ALIASES=No
|
||||
|
||||
#
|
||||
# Enable Traffic Shaping
|
||||
# ENABLE TRAFFIC SHAPING
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
|
||||
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
|
||||
@ -142,7 +170,7 @@ ADD_SNAT_ALIASES=No
|
||||
TC_ENABLED=No
|
||||
|
||||
#
|
||||
# Blacklisting
|
||||
# BLACKLIST DISPOSITION
|
||||
#
|
||||
# Set this variable to the action that you want to perform on packets from
|
||||
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
|
||||
@ -151,7 +179,7 @@ TC_ENABLED=No
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
#
|
||||
# Blacklist Logging
|
||||
# BLACKLIST LOG LEVEL
|
||||
#
|
||||
# Set this variable to the syslogd level that you want blacklist packets logged
|
||||
# (beward of DOS attacks resulting from such logging). If not set, no logging
|
||||
@ -160,7 +188,7 @@ BLACKLIST_DISPOSITION=DROP
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
#
|
||||
# MSS Clamping
|
||||
# MSS CLAMPING
|
||||
#
|
||||
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
|
||||
# option. This option is most commonly required when your internet
|
||||
@ -189,17 +217,19 @@ BLACKLIST_LOGLEVEL=
|
||||
CLAMPMSS=No
|
||||
|
||||
#
|
||||
# Route Filtering
|
||||
# ROUTE FILTERING
|
||||
#
|
||||
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
|
||||
# interfaces (anti-spoofing measure).
|
||||
#
|
||||
# If this variable is not set or is set to the empty value, "No" is assumed.
|
||||
# In that case, you can still enable route filtering on individual interfaces
|
||||
# in the /etc/shorewall/interfaces file.
|
||||
|
||||
ROUTE_FILTER=No
|
||||
|
||||
#
|
||||
# NAT before RULES
|
||||
# NAT BEFORE RULES
|
||||
#
|
||||
# Shorewall has traditionally processed static NAT rules before port forwarding
|
||||
# rules. If you would like to reverse the order, set this variable to "No".
|
||||
@ -208,7 +238,7 @@ ROUTE_FILTER=No
|
||||
|
||||
NAT_BEFORE_RULES=Yes
|
||||
|
||||
# MULTIPORT
|
||||
# MULTIPORT support
|
||||
#
|
||||
# If your kernel includes the multiport match option
|
||||
# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this
|
||||
@ -228,7 +258,7 @@ NAT_BEFORE_RULES=Yes
|
||||
|
||||
MULTIPORT=No
|
||||
|
||||
# DNAT IP Address Detection
|
||||
# DNAT IP ADDRESS DETECTION
|
||||
#
|
||||
# Normally when Shorewall encounters the following rule:
|
||||
#
|
||||
@ -259,7 +289,8 @@ MULTIPORT=No
|
||||
|
||||
DETECT_DNAT_IPADDRS=No
|
||||
|
||||
# Merge Hosts File
|
||||
#
|
||||
# MERGE HOSTS FILE
|
||||
#
|
||||
# The traditional behavior of the /etc/shorewall/hosts file has been that
|
||||
# if that file has ANY entry for a zone then the zone must be defined
|
||||
@ -292,7 +323,7 @@ DETECT_DNAT_IPADDRS=No
|
||||
MERGE_HOSTS=Yes
|
||||
|
||||
#
|
||||
# Mutex Timeout
|
||||
# MUTEX TIMEOUT
|
||||
#
|
||||
# The value of this variable determines the number of seconds that programs
|
||||
# will wait for exclusive access to the Shorewall lock file. After the number
|
||||
@ -306,4 +337,17 @@ MERGE_HOSTS=Yes
|
||||
|
||||
MUTEX_TIMEOUT=60
|
||||
|
||||
#
|
||||
# LOGGING 'New not SYN' rejects
|
||||
#
|
||||
# When a TCP packet that does not have the SYN flag set and the ACK and RST
|
||||
# flags clear then unless the packet is part of an established connection,
|
||||
# it will be rejected by the firewall. If you want these rejects logged,
|
||||
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
|
||||
#
|
||||
# Example: LOGNEWNOTSYN=debug
|
||||
|
||||
|
||||
LOGNEWNOTSYN=
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
@ -4,7 +4,7 @@
|
||||
# /etc/shorewall/tcrules
|
||||
#
|
||||
# Entries in this file cause packets to be marked as a means of
|
||||
# classifying them for traffic control.
|
||||
# classifying them for traffic control or policy routing.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
|
@ -201,6 +201,7 @@ display_chains()
|
||||
showchain rfc1918
|
||||
showchain blacklst
|
||||
showchain reject
|
||||
showchain newnotsyn
|
||||
for zone in $zones all; do
|
||||
showchain ${zone}2all
|
||||
showchain @${zone}2all
|
||||
|
@ -1 +1 @@
|
||||
1.3.5a
|
||||
1.3.6
|
||||
|
Loading…
Reference in New Issue
Block a user