9 Commits
5.0.13-bas
...
4.4.8-base
Author | SHA1 | Date | |
---|---|---|---|
|
34e59b066e | ||
|
e158509421 | ||
|
9efb7bed29 | ||
|
c1477fd719 | ||
|
acdd361540 | ||
|
41b666449e | ||
|
fab2ce3d74 | ||
|
9bb1caa4bc | ||
|
f363825261 |
@@ -823,7 +823,7 @@ sub compiler {
|
||||
#
|
||||
generate_matrix;
|
||||
|
||||
if ( $config{OPTIMIZE} > 0 && $config{OPTIMIZE} & 6 ) {
|
||||
if ( $config{OPTIMIZE} & 6 ) {
|
||||
progress_message2 'Optimizing Ruleset...';
|
||||
#
|
||||
# Optimize Policy Chains
|
||||
|
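Review bot: Dropping the `> 0` guard (taking the second `if` line as the new one) changes behavior if `$config{OPTIMIZE}` can ever be negative: without `use integer`, Perl's `&` treats its operands as unsigned, so `-1 & 6` is 6 and the optimizer would run where the old test rejected it. This is harmless only if OPTIMIZE is validated as a non-negative integer before `compiler` reaches this point, which I cannot see from the hunk; if it is not, keep `$config{OPTIMIZE} > 0 && ...` or validate at config load. A short comment above the test, e.g. `# bits 2 and 4 of OPTIMIZE select the ruleset optimizers`, would make the magic 6 self-describing. The body of compiler continues outside the hunk.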
@@ -223,9 +223,12 @@ sub setup_blacklist() {
|
||||
my $chainref;
|
||||
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
|
||||
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
|
||||
|
||||
#
|
||||
# We go ahead and generate the blacklist chain and jump to it, even if it turns out to be empty. That is necessary
|
||||
# for 'refresh' to work properly.
|
||||
#
|
||||
if ( @$hosts ) {
|
||||
$chainref = new_standard_chain 'blacklst';
|
||||
$chainref = dont_delete new_standard_chain 'blacklst';
|
||||
|
||||
if ( defined $level && $level ne '' ) {
|
||||
my $logchainref = new_standard_chain 'blacklog';
|
||||
|
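Review bot: `$chainref = dont_delete new_standard_chain 'blacklst';` presumably marks the chain so the optimizer keeps it (the release-notes hunk on this page describes 'blacklst' being optimized away and breaking 'refresh'), but the comment block above only explains why the chain is always generated, not why it must also be protected from deletion; suggest extending it with `# It is also marked dont_delete so that optimization cannot remove it while it is empty.` The nested bareword calls `dont_delete new_standard_chain 'blacklst'` rely on both subs being predeclared; `dont_delete( new_standard_chain( 'blacklst' ) )` reads unambiguously. setup_blacklist's body starts and ends outside the hunk.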
@@ -76,7 +76,7 @@ our @EXPORT = qw( NOTHING
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = '4.4_7';
|
||||
our $VERSION = '4.4_8';
|
||||
|
||||
#
|
||||
# IPSEC Option types
|
||||
@@ -926,7 +926,7 @@ sub process_interface( $ ) {
|
||||
if ( $options{bridge} ) {
|
||||
require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
|
||||
fatal_error "Bridges may not have wildcard names" if $wildcard;
|
||||
$options{routeback} = 1;
|
||||
$hostoptions{routeback} = $options{routeback} = 1;
|
||||
}
|
||||
|
||||
$zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback};
|
||||
|
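Review bot: The bridge branch now assigns `$hostoptions{routeback} = $options{routeback} = 1;` (taking the second of the paired lines as the new one), but nothing says why the host-level copy is needed in addition to the interface-level flag that the `$zoneref->{options}{in_out}{routeback}` line below already propagates, so a later cleanup could plausibly treat the chained assignment as redundant. A one-line why-comment above it, e.g. `# a bridge implies routeback on the interface and on its derived host entry`, would pin the intent. process_interface's body continues outside the hunk.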
@@ -71,11 +71,11 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
v*)
|
||||
VERBOSITY=$(($VERBOSITY + 1 ))
|
||||
[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
|
||||
option=${option#v}
|
||||
;;
|
||||
q*)
|
||||
VERBOSITY=$(($VERBOSITY - 1 ))
|
||||
[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
|
||||
option=${option#q}
|
||||
;;
|
||||
n*)
|
||||
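Review bot: The new clamp `[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))` leaves `$VERBOSITY` unquoted inside `[ ]`; if VERBOSITY can be empty when option parsing runs (its initialization is outside this hunk, so I cannot confirm it) the test degrades to `[ -lt 2 ]` and aborts with a unary-operator error, so `[ "$VERBOSITY" -lt 2 ]` is the safer form, and likewise `[ "$VERBOSITY" -gt -1 ]` in the `q*` branch. The bounds 2 and -1 are unexplained; a comment above the `case`, e.g. `# VERBOSITY is clamped to the range -1..2`, would document the contract. The same change appears again at the second `@@ -71,11 +71,11 @@` hunk further down and the same points apply there. The enclosing while loop starts and ends outside the hunk.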
@@ -260,7 +260,7 @@ case "$COMMAND" in
|
||||
;;
|
||||
status)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
echo "$g_product-$SHORWEALL_VERSION Status at $(hostname) - $(date)"
|
||||
echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
|
||||
echo
|
||||
if shorewall_is_started; then
|
||||
echo "$g_product is running"
|
||||
|
@@ -71,11 +71,11 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
v*)
|
||||
VERBOSITY=$(($VERBOSITY + 1 ))
|
||||
[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
|
||||
option=${option#v}
|
||||
;;
|
||||
q*)
|
||||
VERBOSITY=$(($VERBOSITY - 1 ))
|
||||
[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
|
||||
option=${option#q}
|
||||
;;
|
||||
n*)
|
||||
|
@@ -35,6 +35,8 @@ Changes in Shorewall 4.4.8
|
||||
|
||||
17) Issue warnings when 'blacklist' but no blacklist file entries.
|
||||
|
||||
18) Don't optimize 'blacklst'.
|
||||
|
||||
Changes in Shorewall 4.4.7
|
||||
|
||||
1) Backport optimization changes from 4.5.
|
||||
|
@@ -281,6 +281,11 @@ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
||||
ERROR: iptables-restore Failed. Input is in
|
||||
/var/lib/shorewall/.iptables-restore-input
|
||||
|
||||
11) Previously, with optimization 4, the 'blacklst' chain could be
|
||||
optimized away. If the blacklist file was then changed and a
|
||||
'shorewall refresh' executed, those new changes would not be included
|
||||
in the active ruleset.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
I V. K N O W N P R O B L E M S R E M A I N I N G
|
||||
----------------------------------------------------------------------------
|
||||
|
@@ -86,6 +86,46 @@
|
||||
|
||||
127.0.0.1 localhost
|
||||
|
||||
<emphasis role="bold">172.20.0.1 openvpn.shorewall.net openvpn
|
||||
172.20.0.2 vpn02.shorewall.net vpn02
|
||||
172.20.0.3 vpn03.shorewall.net vpn03
|
||||
172.20.0.4 vpn04.shorewall.net vpn04
|
||||
172.20.0.5 vpn05.shorewall.net vpn05
|
||||
172.20.0.6 vpn06.shorewall.net vpn06
|
||||
172.20.0.7 vpn07.shorewall.net vpn07
|
||||
172.20.0.8 vpn08.shorewall.net vpn08
|
||||
172.20.0.9 vpn09.shorewall.net vpn09
|
||||
172.20.0.10 vpn10.shorewall.net vpn10
|
||||
172.20.0.11 vpn11.shorewall.net vpn11
|
||||
172.20.0.12 vpn12.shorewall.net vpn12
|
||||
172.20.0.13 vpn13.shorewall.net vpn13
|
||||
172.20.0.14 vpn14.shorewall.net vpn14
|
||||
172.20.0.15 vpn15.shorewall.net vpn15
|
||||
172.20.0.16 vpn16.shorewall.net vpn16
|
||||
|
||||
172.20.1.1 linksys.shorewall.net linksys
|
||||
172.20.1.100 hp8500.shorewall.net hp8500
|
||||
172.20.1.102 ursa.shorewall.net ursa
|
||||
172.20.1.105 tarry.shorewall.net tarry
|
||||
172.20.1.107 teastep.shorewall.net teastep
|
||||
172.20.1.109 hpmini.shorewall.net hpmini
|
||||
|
||||
172.20.1.130 lanursa.shorewall.net lanursa
|
||||
172.20.1.131 wookie.shorewall.net wookie
|
||||
172.20.1.132 tipper.shorewall.net tipper
|
||||
172.20.1.133 nasty.shorewall.net nasty
|
||||
172.20.1.134 ursadog.shorewall.net ursadog
|
||||
172.20.1.135 opensuse.shorewall.net opensuse
|
||||
172.20.1.136 centos.shorewall.net centos
|
||||
172.20.1.137 fedora.shorewall.net fedora
|
||||
172.20.1.138 debian.shorewall.net debian
|
||||
172.20.1.139 archlinux.shorewall.net archlinux
|
||||
172.20.1.140 foobar.shorewall.net foobar
|
||||
172.20.1.141 deblap.shorewall.net deblap
|
||||
172.20.1.254 firewall.shorewall.net firewall
|
||||
|
||||
206.124.146.254 blarg.shorewall.net blarg
|
||||
</emphasis>
|
||||
# special IPv6 addresses
|
||||
::1 localhost ipv6-localhost ipv6-loopback
|
||||
|
||||
@@ -95,24 +135,18 @@ ff00::0 ipv6-mcastprefix
|
||||
ff02::1 ipv6-allnodes
|
||||
ff02::2 ipv6-allrouters
|
||||
ff02::3 ipv6-allhosts
|
||||
127.0.0.2 ursa.shorewall.net ursa
|
||||
<emphasis role="bold">172.20.1.1 linksys.shorewall.net linksys
|
||||
192.168.0.1 opensuse.shorewall.net opensuse
|
||||
192.168.0.2 debian.shorewall.net debian
|
||||
192.168.0.3 ubuntu.shorewall.net ubuntu
|
||||
192.168.0.4 fedora.shoreawll.net fedora
|
||||
192.168.0.5 opensuse11.shorewall.net opensuse11
|
||||
192.168.0.6 centos.shorewall.net centos
|
||||
192.168.0.7 debian32.shorewall.net debian32
|
||||
192.168.0.8 fedora9.shorewall.net fedora9</emphasis>
|
||||
206.124.146.254 blarg.shorewall.net blarg
|
||||
|
||||
<emphasis role="bold">2002:ce7c:92b4::1 gateway6.shorewall.net gateway6
|
||||
2002:ce7c:92b4:1::2 mail6.shorewall.net mail6
|
||||
2002:ce7c:92b4:1::2 lists6.shorewall.net lists6
|
||||
2002:ce7c:92b4:2::2 server6.shorewall.net server6</emphasis>
|
||||
|
||||
</programlisting></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Configure your local network hosts to use the firewall/router as
|
||||
their DNS server. If your local hosts are configured using DHCP, that
|
||||
is a simple one-line change to the DHCP configuration.</para>
|
||||
<para> If your local hosts are configured using DHCP, that is a simple
|
||||
one-line change to the DHCP configuration.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
@@ -128,8 +162,45 @@ ff02::3 ipv6-allhosts
|
||||
linksys.shorewall.net has address 206.124.146.180
|
||||
gateway:~ # </programlisting></para>
|
||||
|
||||
<para>From ubuntu (192.168.0.3):<programlisting>teastep@ubuntu:~$ host linksys
|
||||
<para>From Tipper (192.168.1.132):<programlisting>teastep@tipper:~$ host linksys
|
||||
linksys.shorewall.net has address 172.20.1.1
|
||||
teastep@ubuntu:~$ </programlisting></para>
|
||||
teastep@tipper:~$ </programlisting></para>
|
||||
|
||||
<para>As a bonus, dnsmasq can also act as a DHCP server. Here are some
|
||||
exerpts from the corresponding /etc/dnsmasq.conf:</para>
|
||||
|
||||
<programlisting>interface=eth1
|
||||
|
||||
dhcp-range=172.20.1.210,172.20.1.219,24h
|
||||
|
||||
dhcp-host=00:11:85:89:da:9b,172.20.1.220
|
||||
|
||||
dhcp-host=00:1A:73:DB:8C:35,172.20.1.102
|
||||
dhcp-host=00:25:B3:9F:5B:FD,172.20.1.100
|
||||
dhcp-host=00:1F:E1:07:53:CA,172.20.1.105
|
||||
dhcp-host=00:1F:29:7B:04:04,172.20.1.107
|
||||
dhcp-host=00:24:2b:59:96:e2,172.20.1.109
|
||||
|
||||
dhcp-host=00:1B:24:CB:2B:CC,172.20.1.130
|
||||
dhcp-host=00:21:5a:22:ac:e0,172.20.1.131
|
||||
dhcp-host=08:00:27:B1:46:a9,172.20.1.132
|
||||
dhcp-host=08:00:27:31:45:83,172.20.1.133
|
||||
dhcp-host=08:00:27:28:64:50,172.20.1.134
|
||||
dhcp-host=08:00:27:4b:38:88,172.20.1.135
|
||||
dhcp-host=08:00:27:f6:4d:65,172.20.1.136
|
||||
dhcp-host=08:00:27:dc:cd:94,172.20.1.137
|
||||
dhcp-host=08:00:27:0f:d3:8f,172.20.1.138
|
||||
dhcp-host=08:00:27:42:9c:01,172.20.1.139
|
||||
dhcp-host=08:00:27:5a:6c:d8,172.20.1.140
|
||||
dhcp-host=08:00:27:da:96:78,172.20.1.141
|
||||
|
||||
dhcp-option=19,0 # option ip-forwarding off
|
||||
dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
|
||||
dhcp-option=45,0.0.0.0 # netbios datagram distribution server
|
||||
dhcp-option=46,8 # netbios node type
|
||||
dhcp-option=47 # empty netbios scope.
|
||||
|
||||
dhcp-option=option:domain-search,shorewall.net
|
||||
</programlisting>
|
||||
</section>
|
||||
</article>
|
||||
</article>
|
||||
|
@@ -935,7 +935,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
logged packets. Please see iptables(8) for a description of the
|
||||
behavior of these parameters (the iptables option --limit is set by
|
||||
LOGRATE and --limit-burst is set by LOGBURST). If both parameters
|
||||
are set empty, no rate-limiting will occur.</para>
|
||||
are set empty, no rate-limiting will occur. If you supply one of
|
||||
these, then you should also supply the other.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
@@ -1222,6 +1223,10 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
<para>action chains (user-defined)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>'blacklst' chain</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>dynamic</para>
|
||||
</listitem>
|
||||
|
@@ -812,7 +812,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
logged packets. Please see ip6tables(8) for a description of the
|
||||
behavior of these parameters (the ip6tables option --limit is set by
|
||||
LOGRATE and --limit-burst is set by LOGBURST). If both parameters
|
||||
are set empty, no rate-limiting will occur.</para>
|
||||
are set empty, no rate-limiting will occur. If you supply one of
|
||||
these, then you should also supply the other.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
@@ -1010,6 +1011,10 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
<para>action chains (user-defined)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>'blacklst' chain</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>dynamic</para>
|
||||
</listitem>
|
||||
|