From f8832018d2cbc7fbf43662598cc058eb57c49f24 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 6 Aug 2002 20:30:45 +0000 Subject: [PATCH] Changes for 1.3.6 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@179 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Lrp/etc/init.d/shorewall | 16 ++++++- Lrp/etc/shorewall/interfaces | 8 +++- Lrp/etc/shorewall/masq | 5 +- Lrp/etc/shorewall/policy | 2 +- Lrp/etc/shorewall/rfc1918 | 2 +- Lrp/etc/shorewall/shorewall.conf | 82 ++++++++++++++++++++++++-------- Lrp/etc/shorewall/tcrules | 2 +- Lrp/sbin/shorewall | 1 + Lrp/var/lib/shorewall/version | 2 +- 9 files changed, 92 insertions(+), 28 deletions(-) diff --git a/Lrp/etc/init.d/shorewall b/Lrp/etc/init.d/shorewall index 9c3300c93..9c18802d7 100755 --- a/Lrp/etc/init.d/shorewall +++ b/Lrp/etc/init.d/shorewall @@ -192,12 +192,15 @@ run_tc() { ################################################################################ createchain() # $1 = chain name, $2 = If non-null, don't create default rules { + local target + run_iptables -N $1 if [ $# -eq 1 ]; then state="ESTABLISHED" [ -n "$ALLOWRELATED" ] && state="$state,RELATED" run_iptables -A $1 -m state --state $state -j ACCEPT + run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn fi eval ${1}_exists=Yes @@ -1236,7 +1239,7 @@ setup_proxy_arp() { interfaces=`find_interfaces_by_option proxyarp` for interface in $interfaces; do - if qt echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp; then + if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then echo " Enabled proxy ARP on $interface" else error_message "Warning: Unable to enable proxy ARP on $interface" 
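Review bot: The new jump added in createchain() writes the negation fused to the option, `!--syn`; iptables takes `!` as a separate word, so unless that is a rendering artifact of this page the rule should read `run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn`, and it is worth confirming against the iptables version the LRP build ships. The rule also assumes the `newnotsyn` chain already exists whenever createchain is called with a single argument; the initialize_netfilter hunk creates it before icmpdef/common/reject/dynamic, which is fine as long as no earlier caller builds a default-rule chain. `local target` is declared in the same hunk but not used in any visible line; if nothing below uses it, drop it. createchain() continues past the end of the hunk.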
@@ -2713,11 +2716,19 @@ initialize_netfilter () { run_iptables -A FORWARD -p tcp \ --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + + createchain newnotsyn no + run_user_exit newnotsyn + [ -n "$LOGNEWNOTSYN" ] && \ + run_iptables -A newnotsyn -j LOG \ + --log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN + run_iptables -A newnotsyn -j DROP + createchain icmpdef no createchain common no createchain reject no createchain dynamic no - + if [ -f /var/lib/shorewall/save ]; then echo "Restoring dynamic rules..." @@ -3388,6 +3399,7 @@ do_initialize() { DETECT_DNAT_IPADDRS= MERGE_HOSTS= MUTEX_TIMEOUT= + LOGNEWNOTSYN= stopping= have_mutex= masq_seq=1 diff --git a/Lrp/etc/shorewall/interfaces b/Lrp/etc/shorewall/interfaces index 6c535bd42..fb99fcf4e 100644 --- a/Lrp/etc/shorewall/interfaces +++ b/Lrp/etc/shorewall/interfaces @@ -35,7 +35,9 @@ # following: # # dhcp - interface is managed by DHCP or used by -# a DHCP server running on the firewall. +# a DHCP server running on the firewall or +# you have a static IP but are on a LAN +# segment with lots of Laptop DHCP clients. # noping - icmp echo-request (ping) packets # addressed to the firewall should # be ignored on this interface @@ -65,7 +67,9 @@ # addresses and you want to be able to # route between them. # routefilter - turn on kernel route filtering for this -# interface (anti-spoofing measure). +# interface (anti-spoofing measure). This +# option can also be enabled globally in +# the /etc/shorewall/shorewall.conf file. # dropunclean - Logs and drops mangled/invalid packets # # logunclean - Logs mangled/invalid packets but does diff --git a/Lrp/etc/shorewall/masq b/Lrp/etc/shorewall/masq index b6cb59c64..69894ddbb 100644 --- a/Lrp/etc/shorewall/masq +++ b/Lrp/etc/shorewall/masq 
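Review bot: The LOG rule added to the newnotsyn chain in initialize_netfilter() is not rate-limited, while this same release documents LOGRATE/LOGBURST as the knobs that keep log volume down; non-SYN TCP packets that belong to no connection (late retransmissions, backscatter from spoofed floods) arrive in bulk on an internet-facing interface, so an unlimited LOG here is an easy way to fill syslog once LOGNEWNOTSYN is set. If the script has a helper that applies LOGRATE/LOGBURST to its other LOG rules, build this rule through it; otherwise add the same `-m limit` match the other logging rules use so the two settings cover this chain too. Note also that `run_user_exit newnotsyn` runs before the LOG and DROP rules, so a user exit can ACCEPT or divert such packets; that is presumably intended but deserves a one-line comment, e.g. `# user exit runs first and may ACCEPT before the default LOG/DROP`. initialize_netfilter() starts and ends outside the hunk.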
@@ -57,7 +57,7 @@
 #
 # You add a router to your local network to connect subnet
 # 192.168.1.0/24 which you also want to masquerade. You then
-# add the following entry to this file:
+# add a second entry for eth0 to this file:
 #
 # eth0 192.168.1.0/24
 #
@@ -76,6 +76,9 @@
 #
 # eth0 192.168.1.0/24 206.124.146.176
 #
+# This would normally be done when you have a static external
+# IP address since it makes the processing of outgoing
+# packets somewhat faster.
 ##############################################################################
 #INTERFACE SUBNET ADDRESS
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/policy b/Lrp/etc/shorewall/policy
index 8545ec919..abee2aa0c 100644
--- a/Lrp/etc/shorewall/policy
+++ b/Lrp/etc/shorewall/policy
@@ -35,7 +35,7 @@
 # As shipped, the default policies are:
 #
 # a) All connections from the local network to the internet are allowed
-# b) All connections from the network are ignored but logged at syslog
+# b) All connections from the internet are ignored but logged at syslog
 # level KERNEL.INFO.
 # d) All other connection requests are rejected and logged at level
 # KERNEL.INFO.
diff --git a/Lrp/etc/shorewall/rfc1918 b/Lrp/etc/shorewall/rfc1918
index be07cb894..d3ef5954a 100644
--- a/Lrp/etc/shorewall/rfc1918
+++ b/Lrp/etc/shorewall/rfc1918
@@ -29,7 +29,7 @@
 #
 # http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
 #
-# The program was contributed by Andy Wiggen
+# The program was contributed by Andy Wiggin
 #
 0.0.0.0/7 logdrop # Reserved
 2.0.0.0/8 logdrop # Reserved
diff --git a/Lrp/etc/shorewall/shorewall.conf b/Lrp/etc/shorewall/shorewall.conf
index 221c84350..5648b8642 100644
--- a/Lrp/etc/shorewall/shorewall.conf
+++ b/Lrp/etc/shorewall/shorewall.conf
@@ -9,26 +9,36 @@ # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) ############################################################################## # +# NAME OF THE FIREWALL ZONE +# # Name of the firewall zone -- if not set or if set to an empty string, "fw" # is assumed. # FW=fw +# +# SUBSYSTEM LOCK FILE +# # Set this to the name of the lock file expected by your init scripts. For # RedHat, this should be /var/lock/subsys/shorewall. On Debian, it # should be /var/state/shorewall. If your init scripts don't use lock files, -# set -this to "". +# set this to "". # SUBSYSLOCK=/var/run/shorewall +# +# SHOREWALL TEMPORARY STATE DIRECTORY +# # This is the directory where the firewall maintains state information while # it is running # STATEDIR=/tmp/shorewall +# +# ALLOW RELATED CONNECTIONS # # Set this to "yes" or "Yes" if you want to accept all connection requests # that are related to already established connections. For example, you want @@ -39,6 +49,8 @@ STATEDIR=/tmp/shorewall ALLOWRELATED=yes +# +# KERNEL MODULE DIRECTORY # # If your netfilter kernel modules are in a directory other than # /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that @@ -46,6 +58,8 @@ ALLOWRELATED=yes MODULESDIR= +# +# LOG RATE LIMITING # # The next two variables can be used to control the amount of log output # generated. LOGRATE is expressed as a number followed by an optional 
@@ -54,22 +68,35 @@ MODULESDIR= # maximum initial burst size that will be logged. If set empty, the default # value of 5 will be used. # +# Example: +# +# LOGRATE=10/minute +# LOGBURST=5 +# # If BOTH variables are set empty then logging will not be rate-limited. # LOGRATE= LOGBURST= - +# +# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS # # This variable determines the level at which Mangled/Invalid packets are logged # under the 'dropunclean' interface option. If you set this variable to an # empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped # silently. # +# The value of this variable also determines the level at which Mangled/Invalid +# packets are logged under the 'logunclean' interface option. If the variable +# is empty, these packets will still be logged at the 'info' level. +# LOGUNCLEAN=info +# +# LOG FILE LOCATION +# # This variable tells the /sbin/shorewall program where to look for Shorewall # log messages. If not set or set to an empty string (e.g., LOGFILE="") then # /var/log/messages is assumed. @@ -83,7 +110,7 @@ LOGUNCLEAN=info LOGFILE=/var/log/messages # -# Enable nat support. +# ENABLE NAT SUPPORT # # You probally want yes here. Only gateways not doing NAT in any form, like # SNAT,DNAT masquerading, port forwading etc. should say "no" here. @@ -91,7 +118,7 @@ LOGFILE=/var/log/messages NAT_ENABLED=Yes # -# Enable mangle support. +# ENABLE MANGLE SUPPORT # # If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file # and will not initialize the mangle table when starting or stopping @@ -101,7 +128,7 @@ NAT_ENABLED=Yes MANGLE_ENABLED=Yes # -# Enable IP Forwarding +# ENABLE IP FORWARDING # # If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you # say "Off" or "off", packet forwarding will be disabled. You would only want 
@@ -113,26 +140,27 @@ MANGLE_ENABLED=Yes # enable nor disable packet forwarding. # IP_FORWARDING=On + # -# Automatically add IP Aliases +# AUTOMATICALLY ADD NAT IP ADDRESSES # -# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases +# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses # for each NAT external address that you give in /etc/shorewall/nat. If you say # "No" or "no", you must add these aliases youself. # ADD_IP_ALIASES=Yes # -# Automatically add SNAT Aliases +# AUTOMATICALLY ADD SNAT IP ADDRESSES # -# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases +# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses # for each SNAT external address that you give in /etc/shorewall/masq. If you say # "No" or "no", you must add these aliases youself. # ADD_SNAT_ALIASES=No # -# Enable Traffic Shaping +# ENABLE TRAFFIC SHAPING # # If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If # you say "No" or "no" then traffic shaping is not enabled. If you enable traffic @@ -142,7 +170,7 @@ ADD_SNAT_ALIASES=No TC_ENABLED=No # -# Blacklisting +# BLACKLIST DISPOSITION # # Set this variable to the action that you want to perform on packets from # Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, @@ -151,7 +179,7 @@ TC_ENABLED=No BLACKLIST_DISPOSITION=DROP # -# Blacklist Logging +# BLACKLIST LOG LEVEL # # Set this variable to the syslogd level that you want blacklist packets logged # (beward of DOS attacks resulting from such logging). If not set, no logging @@ -160,7 +188,7 @@ BLACKLIST_DISPOSITION=DROP BLACKLIST_LOGLEVEL= # -# MSS Clamping +# MSS CLAMPING # # Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU" # option. This option is most commonly required when your internet 
@@ -189,17 +217,19 @@ BLACKLIST_LOGLEVEL= CLAMPMSS=No # -# Route Filtering +# ROUTE FILTERING # # Set this variable to "Yes" or "yes" if you want kernel route filtering on all # interfaces (anti-spoofing measure). # # If this variable is not set or is set to the empty value, "No" is assumed. +# In that case, you can still enable route filtering on individual interfaces +# in the /etc/shorewall/interfaces file. ROUTE_FILTER=No # -# NAT before RULES +# NAT BEFORE RULES # # Shorewall has traditionally processed static NAT rules before port forwarding # rules. If you would like to reverse the order, set this variable to "No". @@ -208,7 +238,7 @@ ROUTE_FILTER=No NAT_BEFORE_RULES=Yes -# MULTIPORT +# MULTIPORT support # # If your kernel includes the multiport match option # (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this @@ -228,7 +258,7 @@ NAT_BEFORE_RULES=Yes MULTIPORT=No -# DNAT IP Address Detection +# DNAT IP ADDRESS DETECTION # # Normally when Shorewall encounters the following rule: # @@ -259,7 +289,8 @@ MULTIPORT=No DETECT_DNAT_IPADDRS=No -# Merge Hosts File +# +# MERGE HOSTS FILE # # The traditional behavior of the /etc/shorewall/hosts file has been that # if that file has ANY entry for a zone then the zone must be defined @@ -292,7 +323,7 @@ DETECT_DNAT_IPADDRS=No MERGE_HOSTS=Yes # -# Mutex Timeout +# MUTEX TIMEOUT # # The value of this variable determines the number of seconds that programs # will wait for exclusive access to the Shorewall lock file. After the number 
@@ -306,4 +337,17 @@ MERGE_HOSTS=Yes MUTEX_TIMEOUT=60 +# +# LOGGING 'New not SYN' rejects +# +# When a TCP packet that does not have the SYN flag set and the ACK and RST +# flags clear then unless the packet is part of an established connection, +# it will be rejected by the firewall. If you want these rejects logged, +# then set LOGNEWNOTSYN to the syslog log level at which you want them logged. +# +# Example: LOGNEWNOTSYN=debug + + +LOGNEWNOTSYN= + #LAST LINE -- DO NOT REMOVE diff --git a/Lrp/etc/shorewall/tcrules b/Lrp/etc/shorewall/tcrules index b36d01091..793a09994 100644 --- a/Lrp/etc/shorewall/tcrules +++ b/Lrp/etc/shorewall/tcrules @@ -4,7 +4,7 @@ # /etc/shorewall/tcrules # # Entries in this file cause packets to be marked as a means of -# classifying them for traffic control. +# classifying them for traffic control or policy routing. # # Columns are: # diff --git a/Lrp/sbin/shorewall b/Lrp/sbin/shorewall index a06ded68c..196b838cd 100755 --- a/Lrp/sbin/shorewall +++ b/Lrp/sbin/shorewall @@ -201,6 +201,7 @@ display_chains() showchain rfc1918 showchain blacklst showchain reject + showchain newnotsyn for zone in $zones all; do showchain ${zone}2all showchain @${zone}2all diff --git a/Lrp/var/lib/shorewall/version b/Lrp/var/lib/shorewall/version index 0e2601308..95b25aee2 100644 --- a/Lrp/var/lib/shorewall/version +++ b/Lrp/var/lib/shorewall/version @@ -1 +1 @@ -1.3.5a +1.3.6
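Review bot: The new LOGNEWNOTSYN description in shorewall.conf says such packets "will be rejected by the firewall", but the newnotsyn chain this release adds ends in `-j DROP` and logs with the prefix `Shorewall:newnotsyn:DROP:`, so the comment should say dropped: `# it will be dropped by the firewall. If you want these drops logged,`. The opening sentence is also hard to parse ("does not have the SYN flag set and the ACK and RST flags clear"); the match is the inverse of a connection-open request, so something like `# When a TCP packet that is not a connection request (SYN set with ACK and RST clear)` followed by `# arrives and is not part of an established connection,` reads more clearly. The two blank lines before `LOGNEWNOTSYN=` also differ from the single blank line used between the other settings in this file.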