Compare commits

...

47 Commits

Author SHA1 Message Date
Tom Eastep
21e012044a Another fix for reference counting.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-23 12:13:45 -07:00
Tom Eastep
0a6c0c4d40 Bump version 2011-07-23 08:16:49 -07:00
Tom Eastep
7e8673d2e3 Correct reference accounting when long port lists are split
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-23 07:34:08 -07:00
Tom Eastep
778302daba Update release documents for 4.4.21.1
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-19 07:01:02 -07:00
Tom Eastep
ef2f19ce35 Fix LOGMARK
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-19 06:53:49 -07:00
Tom Eastep
36be5ed814 Document fix for --persistent and --random
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-18 15:51:56 -07:00
Tom Eastep
86dcfdf964 Fix :persistent and :random in /etc/shorewall/masq
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-18 15:41:17 -07:00
Tom Eastep
d2f7e13ddd Document FORWAR -> FORWARD typo fix.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-18 15:16:38 -07:00
Tom Eastep
bcde251c87 Fix typo in generate_matrix()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-18 14:20:07 -07:00
Tom Eastep
50d1dbc237 Eliminate 'unitialized variable' warning.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-15 08:35:35 -07:00
Tom Eastep
d530ac8759 Add a FAQ regarding $FW
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-14 07:49:20 -07:00
Tom Eastep
a45479ca8d Make install/uninstall files version independent
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-13 07:10:07 -07:00
Tom Eastep
8348f1d154 Prepare 4.4.21.1 in the event that we need it
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-11 12:30:32 -07:00
Tom Eastep
b015bc3c0d Fix exclusion in IPv6 hosts file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-09 17:27:56 -07:00
Tom Eastep
f73b98668d Fix ipsets in IPv6 hosts file
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-09 16:16:28 -07:00
Tom Eastep
3991b44de0 Another IPv6 ipset issue (z:!+set in the DEST column)
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-09 15:36:07 -07:00
Tom Eastep
769f618650 Document renaming of scripts in the Build document
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-09 15:22:01 -07:00
Tom Eastep
e20feedde8 Mention reversed interfaces in FAQ 1b.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-09 09:35:56 -07:00
Tom Eastep
eebe693c3a Correct Accounting module version
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-09 07:07:52 -07:00
Tom Eastep
b1a883ecaf Tighten up source and dest checking in expand_rule()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-09 06:50:23 -07:00
Tom Eastep
14206dde87 Correct change that tightened editing of IPv6 addresses
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-08 18:34:01 -07:00
Tom Eastep
cf9a8d51aa Another fix for IPv6 and IPSETs
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-08 16:32:03 -07:00
Tom Eastep
0e81d6c90c Correct handling of <interface>:+<ipset> in Shorewall6.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-08 15:55:58 -07:00
Tom Eastep
218fd75119 Transfer corrected problems from unreleased 4.4.20.4
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-08 08:34:32 -07:00
Tom Eastep
3974314bae Expand explaination of rate limiting
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-08 07:08:39 -07:00
Tom Eastep
b90f6e38bc Correct TPROXY/IPv6 address fix
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-07 18:11:54 -07:00
Tom Eastep
726eb0c8c0 Document fix for TPROXY and IPv6
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-07 06:37:52 -07:00
Tom Eastep
6154959d97 Allow IPv6 Address as the third argument to TPROXY
- also update the manpages to describe TPROXY

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-07 06:33:13 -07:00
Tom Eastep
0c4d6983ef Show alternative message for partial PORT or PASV reply
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-06 13:12:18 -07:00
Tom Eastep
6ab1cc4fac Version to 4.4.21
Also update the release notes to mention that the ipset modules are now
loaded by Shorewall6.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-06 10:59:00 -07:00
Tom Eastep
d279f378f8 Document fix for load/reload
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-05 12:58:50 -07:00
Tom Eastep
210f56c54e Make load and reload use the .conf file in the CWD
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-05 09:56:47 -07:00
Tom Eastep
f38eb15350 Correct check for new ipset match syntax
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-05 07:50:32 -07:00
Tom Eastep
e41126ae2f Add modules.ipset to modules INCLUDEs.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-04 16:19:07 -07:00
Tom Eastep
2ec7ac020b Correct loading of xt_ipset
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-04 16:06:27 -07:00
Tom Eastep
11688d22b2 Add semicolons in new actions.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-04 14:27:21 -07:00
Tom Eastep
10e77d8680 Correct IPv6 action.Drop
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-04 08:02:17 -07:00
Tom Eastep
c1b64e0ddd Version to RC 3
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-04 07:17:59 -07:00
Tom Eastep
27ab3c71c0 Implement parameterized default actions for IPv6
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-04 07:13:32 -07:00
Tom Eastep
f05b72327e Corrections to dropBcast/allowBcast
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-03 15:54:24 -07:00
Tom Eastep
5c716827d6 Update change log
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-03 13:11:52 -07:00
Tom Eastep
55eeee761c Don't quote the empty setting of LOGLIMIT
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-03 12:53:47 -07:00
Tom Eastep
79653e942f Version to RC 1 -- again
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-03 12:25:22 -07:00
Tom Eastep
1e5ec013b0 Make config file quoting more consistent with update
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-03 12:20:11 -07:00
Tom Eastep
5287e85eb4 Correct handling of IPv6 dropped/accepted broadcast packets
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-03 09:36:04 -07:00
Tom Eastep
7266e1bd89 Update documentation to reflect the fact that '-' is not really an empty parameter
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-07-03 09:21:28 -07:00
Tom Eastep
584040b413 Bump Version to RC 2 2011-07-03 09:04:35 -07:00
48 changed files with 669 additions and 176 deletions

View File

@ -23,7 +23,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.21
VERSION=xxx #The Build script inserts the actual version.
usage() # $1 = exit status
{

View File

@ -1,6 +1,6 @@
%define name shorewall-init
%define version 4.4.21
%define release 0base
%define release 2
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name}
@ -119,8 +119,16 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Wed Jun 29 2011 Tom Eastep tom@shorewall.net
* Sat Jul 23 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-2
* Mon Jul 11 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-1
* Wed Jul 06 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0base
* Mon Jul 04 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0RC3
* Sun Jul 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0RC2
* Thu Jun 23 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0RC1
* Sun Jun 19 2011 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.21
VERSION=xxx #The Build script inserts the actual version
usage() # $1 = exit status
{

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.21
VERSION=xxx #The Build script inserts the actual version
usage() # $1 = exit status
{

View File

@ -1,6 +1,6 @@
%define name shorewall-lite
%define version 4.4.21
%define release 0base
%define release 2
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
Name: %{name}
@ -103,8 +103,16 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Wed Jun 29 2011 Tom Eastep tom@shorewall.net
* Sat Jul 23 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-2
* Mon Jul 11 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-1
* Wed Jul 06 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0base
* Mon Jul 04 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0RC3
* Sun Jul 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0RC2
* Thu Jun 23 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0RC1
* Sun Jun 19 2011 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.21
VERSION=xxx #The Build script inserts the actual version
usage() # $1 = exit status
{

View File

@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_accounting );
our @EXPORT_OK = qw( );
our $VERSION = '4.4.21';
our $VERSION = '4.4_21';
#
# Per-IP accounting tables. Each entry contains the associated network.

View File

@ -587,6 +587,8 @@ sub handle_port_list( $$$$$$ );
sub handle_port_list( $$$$$$ ) {
my ($chainref, $rule, $dport, $first, $ports, $rest) = @_;
our $splitcount;
if ( port_count( $ports ) > 15 ) {
#
# More than 15 ports specified
@ -621,12 +623,14 @@ sub handle_port_list( $$$$$$ ) {
handle_port_list( $chainref, $newrule, 0, $1, $2, $3 );
} else {
push_rule ( $chainref, $newrule );
$splitcount++;
}
}
} elsif ( $dport && $rule =~ /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
handle_port_list( $chainref, $rule, 0, $1, $2, $3 );
} else {
push_rule ( $chainref, $rule );
$splitcount++;
}
}
@ -636,7 +640,8 @@ sub handle_port_list( $$$$$$ ) {
sub handle_icmptype_list( $$$$ ) {
my ($chainref, $first, $types, $rest) = @_;
my @ports = split ',', $types;
push_rule ( $chainref, join ( '', $first, shift @ports, $rest ) ) while @ports;
our $splitcount;
push_rule ( $chainref, join ( '', $first, shift @ports, $rest ) ), $splitcount++ while @ports;
}
#
@ -647,6 +652,8 @@ sub handle_icmptype_list( $$$$ ) {
sub add_rule($$;$) {
my ($chainref, $rule, $expandports) = @_;
our $splitcount;
assert( ! reftype $rule );
$iprangematch = 0;
@ -678,13 +685,22 @@ sub add_rule($$;$) {
handle_icmptype_list( $chainref, $first, $types, $rest );
} else {
push_rule( $chainref, $rule );
$splitcount++;
}
} else {
push_rule ( $chainref, $rule );
$splitcount++;
}
} else {
push_rule( $chainref, $rule );
}
} else {
push_rule( $chainref, $rule );
}
sub add_counted_rule($$) {
my ( $chainref, $rule ) = @_;
our $splitcount = 0;
add_rule( $chainref, $rule, 1 );
return $splitcount;
}
#
@ -1339,6 +1355,13 @@ sub add_jump( $$$;$$$ ) {
}
}
sub add_counted_jump( $$$ ) {
my ( $chainref, $to, $rule ) = @_;
our $splitcount = 0;
add_jump( $chainref, $to, 0, $rule, 1 );
return $splitcount - 1;
}
#
# Delete jumps previously added via add_jump. If the target chain is empty, reset its
# referenced flag
@ -3364,7 +3387,7 @@ sub log_rule_limit( $$$$$$$$ ) {
$prefix = "-j $level --nflog-prefix \"$prefix\" ";
} elsif ( $level =~ '^LOGMARK' ) {
$prefix = join( '', substr( $prefix, 0, 12 ) , ':' ) if length $prefix > 13;
$prefix = "-j LOGMARK --log-level $level --log-prefix \"$prefix\" ";
$prefix = "-j $level --log-prefix \"$prefix\" ";
} else {
$prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" ";
}
@ -3864,6 +3887,7 @@ sub expand_rule( $$$$$$$$$$;$ )
my $table = $chainref->{table};
my $jump = $target ? '-j ' . $target : '';
my $mac;
my $rulecount = 0;
our @ends = ();
#
@ -3910,7 +3934,7 @@ sub expand_rule( $$$$$$$$$$;$ )
#
# Isolate Source Interface, if any
#
if ( $source ) {
if ( supplied $source ) {
if ( $source eq '-' ) {
$source = '';
} elsif ( $family == F_IPV4 ) {
@ -3924,7 +3948,7 @@ sub expand_rule( $$$$$$$$$$;$ )
} else {
$iiface = $source;
}
} elsif ( $source =~ /^(.+?):<(.+)>\s*$/ || $source =~ /^(.+?):\[(.+)\]\s*$/ ) {
} elsif ( $source =~ /^(.+?):<(.+)>\s*$/ || $source =~ /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(!?\+.+)$/ ) {
$iiface = $1;
$inets = $2;
} elsif ( $source =~ /:/ ) {
@ -3945,7 +3969,7 @@ sub expand_rule( $$$$$$$$$$;$ )
#
# Verify Interface, if any
#
if ( $iiface ) {
if ( supplied $iiface ) {
fatal_error "Unknown Interface ($iiface)" unless known_interface $iiface;
if ( $restriction & POSTROUTE_RESTRICT ) {
@ -3981,7 +4005,7 @@ sub expand_rule( $$$$$$$$$$;$ )
#
# Isolate Destination Interface, if any
#
if ( $dest ) {
if ( supplied $dest ) {
if ( $dest eq '-' ) {
$dest = '';
} elsif ( ( $restriction & PREROUTE_RESTRICT ) && $dest =~ /^detect:(.*)$/ ) {
@ -4023,7 +4047,7 @@ sub expand_rule( $$$$$$$$$$;$ )
} else {
$diface = $dest;
}
} elsif ( $dest =~ /^(.+?):<(.+)>\s*$/ || $dest =~ /^(.+?):\[(.+)\]\s*$/) {
} elsif ( $dest =~ /^(.+?):<(.+)>\s*$/ || $dest =~ /^(.+?):\[(.+)\]\s*$/ || $dest =~ /^(.+?):(!?\+.+)$/ ) {
$diface = $1;
$dnets = $2;
} elsif ( $dest =~ /:/ ) {
@ -4032,7 +4056,7 @@ sub expand_rule( $$$$$$$$$$;$ )
} else {
$dnets = $dest;
}
} elsif ( $dest =~ /^(?:\+|&|\..*\.)/ ) {
} elsif ( $dest =~ /(?:\+|&|\..*\.)/ ) {
$dnets = $dest;
} else {
$diface = $dest;
@ -4044,7 +4068,7 @@ sub expand_rule( $$$$$$$$$$;$ )
#
# Verify Destination Interface, if any
#
if ( $diface ) {
if ( supplied $diface ) {
fatal_error "Unknown Interface ($diface)" unless known_interface $diface;
if ( $restriction & PREROUTE_RESTRICT ) {
@ -4246,8 +4270,8 @@ sub expand_rule( $$$$$$$$$$;$ )
my $source_match = match_source_net( $inet, $restriction, $mac ) if have_capability( 'KLUDGEFREE' );
for my $dnet ( mysplit $dnets ) {
$source_match = match_source_net( $inet, $restriction, $mac ) unless have_capability( 'KLUDGEFREE' );
add_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet ), $onet ), 1 );
$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
$rulecount += add_counted_jump( $chainref, $echainref, join( '', $rule, $source_match, match_dest_net( $dnet ), $onet ) );
}
conditional_rule_end( $chainref ) if $cond;
@ -4255,6 +4279,11 @@ sub expand_rule( $$$$$$$$$$;$ )
conditional_rule_end( $chainref ) if $cond;
}
while ( $rulecount-- > 0 ) {
add_reference $chainref, $echainref;
}
#
# Generate RETURNs for each exclusion
#
@ -4290,7 +4319,7 @@ sub expand_rule( $$$$$$$$$$;$ )
#
# Generate Final Rule
#
add_rule $fromref = $echainref, $exceptionrule . $jump , 1 unless $disposition eq 'LOG';
$rulecount = add_counted_rule( $fromref = $echainref, $exceptionrule . $jump ) unless $disposition eq 'LOG';
$done = 1;
}
@ -4323,7 +4352,7 @@ sub expand_rule( $$$$$$$$$$;$ )
#
# No logging -- add the target rule with matches to the rule chain
#
add_rule( $fromref = $chainref, $matches . $jump , 1 );
$rulecount = add_counted_rule( $fromref = $chainref, $matches . $jump );
} elsif ( $disposition eq 'LOG' || $disposition eq 'COUNT' ) {
#
# The log rule must be added with matches to the rule chain
@ -4349,7 +4378,7 @@ sub expand_rule( $$$$$$$$$$;$ )
'add',
$matches );
add_rule( $fromref = $chainref, $matches . $jump, 1 );
$rulecount = add_counted_rule( $fromref = $chainref, $matches . $jump );
} else {
#
# Find/Create a chain that both logs and applies the target action
@ -4380,9 +4409,12 @@ sub expand_rule( $$$$$$$$$$;$ )
my $targetref = $chain_table{$table}{$target};
if ( $targetref ) {
$targetref->{referenced} = 1;
for ( my $i = 0; $i < $rulecount; $i++ ) {
add_reference $fromref, $targetref;
}
}
}
while ( @ends ) {
decr_cmd_level $chainref;

View File

@ -242,6 +242,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
OWNER_MATCH => 'Owner Match',
IPSET_MATCH => 'Ipset Match',
OLD_IPSET_MATCH => 'Old Ipset Match',
IPSET_V5 => 'Version 5 IPSETs',
CONNMARK => 'CONNMARK Target',
XCONNMARK => 'Extended CONNMARK Target',
CONNMARK_MATCH => 'Connmark Match',
@ -2131,10 +2132,21 @@ sub validate_level( $ ) {
return $rawlevel;
}
if ( $level eq 'LOGMARK' ) {
if ( $level =~ /^LOGMARK --/ ) {
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
return $rawlevel;
}
if ( $level =~ /LOGMARK[(](.*)[)]$/ ) {
my $sublevel = $1;
$sublevel = $validlevels{$sublevel} unless $sublevel =~ /^[0-7]$/;
level_error( $level ) unless defined $sublevel =~ /^[0-7]$/;
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
require_capability( 'LOGMARK_TARGET' , 'LOGMARK', 's' );
return 'LOGMARK';
return "LOGMARK --log-level $sublevel";
}
level_error( $rawlevel );

View File

@ -536,6 +536,7 @@ sub valid_6address( $ ) {
}
return 0 if @address > $max;
return 0 unless $address =~ /^[a-f:\d]+$/;
return 0 unless ( @address == $max ) || $address =~ /::/;
return 0 if $address =~ /:::/ || $address =~ /::.*::/;

View File

@ -1222,7 +1222,7 @@ sub add_interface_jumps {
unless get_interface_option( $interface, 'port' );
}
} else {
add_rule ( $filter_table->{FORWAR}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
add_rule ( $filter_table->{FORWARD}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
add_jump( $filter_table->{FORWARD} , $forwardref , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
add_jump( $filter_table->{INPUT} , $inputref , 0, match_source_dev( $interface ) ) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref;

View File

@ -1163,7 +1163,7 @@ sub dropBcast( $$$$ ) {
if ( $family == F_IPV4 ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
} else {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '' );
}
}
@ -1180,13 +1180,13 @@ sub dropBcast( $$$$ ) {
add_jump $chainref, $target, 0, "-d \$address ";
decr_cmd_level $chainref;
add_commands $chainref, 'done';
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
}
if ( $family == F_IPV4 ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
} else {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST . ' ' ) if $level ne '';
add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
}
}
@ -1199,11 +1199,14 @@ sub allowBcast( $$$$ ) {
if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
if ( $family == F_IPV4 ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'ACCECT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
} else {
log_rule_limit $level, $chainref, 'dropBcast' , 'ACCEPT', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST . ' ' );
}
}
add_jump $chainref, $target, 0, "-m addrtype --dst-type BROADCAST ";
add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
} else {
if ( $family == F_IPV4 ) {
add_commands $chainref, 'for address in $ALL_BCASTS; do';
@ -1216,14 +1219,14 @@ sub allowBcast( $$$$ ) {
add_rule $chainref, "-d \$address -j $target";
decr_cmd_level $chainref;
add_commands $chainref, 'done';
}
if ( $family == F_IPV4 ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
} else {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
add_jump $chainref, $target, 0, join ( ' ', '-d', IPv6_MULTICAST, ' ' );
}
add_jump $chainref, $target, 0, join ( ' ', '-d', IPv6_MULTICAST . ' ' );
}
}

View File

@ -205,7 +205,15 @@ sub process_tc_rule( ) {
my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
fatal_error "Invalid MARK ($originalmark)" if defined $remainder || ! defined $mark || $mark eq '';
fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
if ( $remainder ) {
if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
$mark = $originalmark; # Most likely, an IPv6 address is included in the parameter list
} else {
fatal_error "Invalid MARK ($originalmark)";
}
}
my $chain = $globals{MARKING_CHAIN};
my $target = 'MARK --set-mark';
@ -376,6 +384,10 @@ sub process_tc_rule( ) {
$target .= " --on-port $port";
if ( supplied $ip ) {
if ( $family == F_IPV6 ) {
$ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
}
validate_address $ip, 1;
$target .= " --on-ip $ip";
}

View File

@ -1725,26 +1725,28 @@ sub process_host( ) {
if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
$interface = $1;
$hosts = $2;
if ( $hosts =~ /^\+/ ) {
$zoneref->{options}{complex} = 1;
fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
}
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
} else {
fatal_error "Invalid HOST(S) column contents: $hosts";
}
} elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ || $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]\s*$/ || $hosts =~ /^([\w.@%-]+\+?):(dynamic)\s*$/ ) {
} elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/ ||
$hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
$hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/ ||
$hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
$interface = $1;
$hosts = $2;
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
} else {
fatal_error "Invalid HOST(S) column contents: $hosts"
}
if ( $hosts =~ /^!?\+/ ) {
$zoneref->{options}{complex} = 1;
fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
}
if ( $type == BPORT ) {
if ( $zoneref->{bridge} eq '' ) {
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};

View File

@ -36,7 +36,7 @@ FORMAT 2
# The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'.
#
BEGIN PERL
BEGIN PERL;
use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@ -54,7 +54,7 @@ if ( defined $p1 ) {
1;
END PERL
END PERL;
DEFAULTS -,REJECT,DROP,ACCEPT,DROP

View File

@ -32,7 +32,7 @@ FORMAT 2
# The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'.
#
BEGIN PERL
BEGIN PERL;
use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@ -50,7 +50,7 @@ if ( defined $p1 ) {
1;
END PERL
END PERL;
DEFAULTS -,REJECT,REJECT,ACCEPT,DROP

View File

@ -1,5 +1,35 @@
Changes in Shorewall 4.4.21.2
1) Correct reference accounting when long port lists are split.
Changes in Shorewall 4.4.21.1
1) Update release documents.
2) Add IPSET_V5 to %capdesc.
3) Correct addition of orphan chain FORWAR.
4) Fix -j SNAT --to-address ... --persistent
5) Fix LOGMARK.
Changes in Shorewall 4.4.21 Final
1) Update release documents.
2) Correct handling of IPv6 address in TPROXY.
Changes in Shorewall 4.4.21 RC 3
1) Make shorewall[6].conf quoting consistent with 'update'.
2) Implement parameterized default actions in IPv6
3) Use local config in load and reload
Changes in Shorewall 4.4.21 RC 2
1) Correct code generated by TPROXY.
2) Make 'fallback' and 'balance' mutually exclusive.

View File

@ -51,7 +51,7 @@ TCP_FLAGS_LOG_LEVEL=info
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
CONFIG_PATH="/etc/shorewall:/usr/share/shorewall"
IPTABLES=
@ -61,7 +61,7 @@ IPSET=
MODULESDIR=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
@ -77,11 +77,11 @@ TC=
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
ACCEPT_DEFAULT="none"
DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
###############################################################################
# R S H / R C P C O M M A N D S

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.21
VERSION=xxx #The Build script inserts the actual version
usage() # $1 = exit status
{

View File

@ -1,2 +1,38 @@
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
2) A harmless 'unitialized variable' diagnostic is issued by the
compiler when it is displaying the capabilities.
Corrected in Shorewall 4.4.21.
3) As the result of a typo, an orphan filter chain named FORWAR can
be created under rare circumstances. This chain is deleted by
OPTIMIZE level 4.
Corrected in Shorewall 4.4.21.
4) The SNAT options --persistent and --randomize (/etc/shorewall/masq)
generate invalid iptables input.
Corrected in Shorewall 4.4.21.
5) The LOGMARK log level was generated invalid iptables input making
it unusable.
Corrected in Shorewall 4.4.21.
6) Under rare conditions, long port lists (>15 ports) can result in
the following failure when optimization level 4 is enabled.
Use of uninitialized value in numeric gt (>)
at /usr/share/shorewall/Shorewall/Chains.pm line 1264.
ERROR: Internal error in
Shorewall::Chains::decrement_reference_count at
/usr/share/shorewall/Shorewall/Chains.pm line 1264

View File

@ -13,6 +13,7 @@
# copy.
#
###############################################################################
loadmodule xt_set
loadmodule ip_set
loadmodule ip_set_iphash
loadmodule ip_set_ipmap

View File

@ -1,5 +1,5 @@
----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 2 1
S H O R E W A L L 4 . 4 . 2 1 . 1
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@ -13,6 +13,37 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
4.4.21.1
1) A harmless Perl runtime "uninitialized variable" diagnostic has
been eliminated from the compiler. The diagnostic was issued while
displaying the capabilities.
2) As the result of a typo, an orphan filter chain named FORWAR could
be created under rare circumstances. This chain was deleted by
OPTIMIZE level 4.
3) The SNAT options --persistent and --randomize now work properly
(/etc/shorewall/masq).
4) The LOGMARK log level was previously generated invalid iptables
input making it unusable. That has been corrected.
The syntax for LOGMARK is now:
LOGMARK(<priority>)
where <priority> is a syslog priority (1-7 or debug, info, notice,
etc.).
Example rule:
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
LOG:LOGMARK(info) lan dmz udp 1234
4.4.21 Final
1) All problems corrections included in Shorewall 4.4.20.1 - 4.4.20.3
(see below).
@ -42,6 +73,42 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
have always been mutually exclusive but the compiler previously
didn't enforce that restriction. Now it does.
5) The Shorewall and Shorewall6 'load' and 'reload' commands
previously used the setting of RSH_COMMAND and RCP_COMMAND from
/etc/shorewall/shorewall.conf (/etc/shorewall6/shorewall6.conf).
These commands now use the .conf file in the current working
directory.
6) The ipset modules are now automatically loaded by Shorewall6 when
LOAD_HELPERS_ONLY=No is specified in shorewall6.conf. Additionally,
there is now a /usr/share/shorewall6/modules.ipset file that lists
all of the required modules.
7) TPROXY was previously not described in shorewall-tcrules(5) or
shorewall6-tcrules(5). These descriptions have been added.
In addition, Shorewall6 now correctly handles the third TPROXY
parameter (<ip address>). Previously, the following error was
generated:
ERROR: Invalid MARK (TPROXY(10,3128,::1)) :
/etc/shorewall6/tcrules (line 4)
8) With LOAD_HELPERS_ONLY=Yes, the compiler could use the deprectated
--set parameter to the ipset match when --match-set was
appropriate.
9) If 'shorewall clear' was executed when there was no
/var/lib/shorewall/firewall file, the following incorrect error
message was produced:
ERROR: Shorewall6 has never been started
The message now reads:
ERROR: Shorewall has never been started
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
@ -65,7 +132,9 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
Where <def1> is the default value for the first parameter, <def2>
is the default value for the second parameter and so on. To specify
an empty default, use '-'.
an empty default, use '-'. Note that the corresponding parameter
variable ($n) will still expand to '-' but will be treated as empty
by the builtin actions such as dropInvalid.
The DEFAULTS directive also determines the maximum number of
parameters that an action may have. If more parameters are passed

View File

@ -1278,12 +1278,17 @@ reload_command() # $* = original arguments less the command.
[ -f $capabilities ] || getcaps=Yes
fi
if [ -n "$getcaps" ]; then
if [ -f $directory/shorewall.conf ]; then
if [ -f $directory/params ]; then
. $directory/params
fi
. $directory/shorewall.conf
ensure_config_path
fi
if [ -n "$getcaps" ]; then
[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
progress_message "Getting Capabilities on system $system..."

View File

@ -1,6 +1,6 @@
%define name shorewall
%define version 4.4.21
%define release 0base
%define release 2
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@ -111,8 +111,16 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog
* Wed Jun 29 2011 Tom Eastep tom@shorewall.net
* Sat Jul 23 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-2
* Mon Jul 11 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-1
* Wed Jul 06 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0base
* Mon Jul 04 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0RC3
* Sun Jul 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0RC2
* Thu Jun 23 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0RC1
* Sun Jun 19 2011 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.21
VERSION=xxx #The Build script inserts the actual version
usage() # $1 = exit status
{

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.21
VERSION=xxx #The build script will insert the actual version
usage() # $1 = exit status
{

View File

@ -1,6 +1,6 @@
%define name shorewall6-lite
%define version 4.4.21
%define release 0base
%define release 2
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
Name: %{name}
@ -94,8 +94,16 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Wed Jun 29 2011 Tom Eastep tom@shorewall.net
* Sat Jul 23 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-2
* Mon Jul 11 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-1
* Wed Jul 06 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0base
* Mon Jul 04 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0RC3
* Sun Jul 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0RC2
* Thu Jun 23 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0RC1
* Sun Jun 19 2011 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.21
VERSION=xxx #The Build script inserts the actual version
usage() # $1 = exit status
{

View File

@ -8,33 +8,37 @@
###############################################################################
#TARGET SOURCE DEST PROTO DEST
# PORT(S)
FORMAT 2
DEFAULTS ACCEPT
COMMENT Needed ICMP types (RFC4890)
ACCEPT - - ipv6-icmp destination-unreachable
ACCEPT - - ipv6-icmp packet-too-big
ACCEPT - - ipv6-icmp time-exceeded
ACCEPT - - ipv6-icmp parameter-problem
$1 - - ipv6-icmp destination-unreachable
$1 - - ipv6-icmp packet-too-big
$1 - - ipv6-icmp time-exceeded
$1 - - ipv6-icmp parameter-problem
# The following should have a ttl of 255 and must be allowed to transit a bridge
ACCEPT - - ipv6-icmp router-solicitation
ACCEPT - - ipv6-icmp router-advertisement
ACCEPT - - ipv6-icmp neighbour-solicitation
ACCEPT - - ipv6-icmp neighbour-advertisement
ACCEPT - - ipv6-icmp 137 # Redirect
ACCEPT - - ipv6-icmp 141 # Inverse neighbour discovery solicitation
ACCEPT - - ipv6-icmp 142 # Inverse neighbour discovery advertisement
$1 - - ipv6-icmp router-solicitation
$1 - - ipv6-icmp router-advertisement
$1 - - ipv6-icmp neighbour-solicitation
$1 - - ipv6-icmp neighbour-advertisement
$1 - - ipv6-icmp 137 # Redirect
$1 - - ipv6-icmp 141 # Inverse neighbour discovery solicitation
$1 - - ipv6-icmp 142 # Inverse neighbour discovery advertisement
# The following should have a link local source address and must be allowed to transit a bridge
ACCEPT fe80::/10 - ipv6-icmp 130 # Listener query
ACCEPT fe80::/10 - ipv6-icmp 131 # Listener report
ACCEPT fe80::/10 - ipv6-icmp 132 # Listener done
ACCEPT fe80::/10 - ipv6-icmp 143 # Listener report v2
$1 fe80::/10 - ipv6-icmp 130 # Listener query
$1 fe80::/10 - ipv6-icmp 131 # Listener report
$1 fe80::/10 - ipv6-icmp 132 # Listener done
$1 fe80::/10 - ipv6-icmp 143 # Listener report v2
# The following should be received with a ttl of 255 and must be allowed to transit a bridge
ACCEPT - - ipv6-icmp 148 # Certificate path solicitation
ACCEPT - - ipv6-icmp 149 # Certificate path advertisement
$1 - - ipv6-icmp 148 # Certificate path solicitation
$1 - - ipv6-icmp 149 # Certificate path advertisement
# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
ACCEPT fe80::/10 - ipv6-icmp 151 # Multicast router advertisement
ACCEPT fe80::/10 - ipv6-icmp 152 # Multicast router solicitation
ACCEPT fe80::/10 - ipv6-icmp 153 # Multicast router termination
$1 fe80::/10 - ipv6-icmp 151 # Multicast router advertisement
$1 fe80::/10 - ipv6-icmp 152 # Multicast router solicitation
$1 fe80::/10 - ipv6-icmp 153 # Multicast router termination

View File

@ -15,38 +15,78 @@
# c) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# The action accepts five optional parameters:
#
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
# actions.
# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
# depending on the setting of the first parameter.
# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
# depending on the setting of the first parameter.
# 4 - Action to take with required ICMP packets. Default is ACCEPT or
# A_ACCEPT depending on the first parameter.
# 5 - Action to take with late UDP replies (UDP source port 53). Default
# is DROP or A_DROP depending on the first parameter.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
#
###############################################################################
FORMAT 2
#
# The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'.
#
BEGIN PERL;
use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
if ( defined $p1 ) {
if ( $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless supplied $p2;
set_action_param( 3, 'A_DROP') unless supplied $p3;
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
} else {
fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
}
}
1;
END PERL;
DEFAULTS -,REJECT,DROP,ACCEPT,DROP
#TARGET SOURCE DEST PROTO DPORT SPORT
#
# Reject 'auth'
#
Auth(REJECT)
Auth($2)
#
# ACCEPT critical ICMP types
#
AllowICMPs - - ipv6-icmp
AllowICMPs($4) - - ipv6-icmp
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
dropBcast($1)
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
#
dropInvalid
dropInvalid($1)
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
SMB(DROP)
SMB($3)
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
dropNotSyn($1) - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep
DropDNSrep($5)

View File

@ -12,39 +12,79 @@
# b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# The action accepts five optional parameters:
#
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
# actions.
# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
# depending on the setting of the first parameter.
# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
# depending on the setting of the first parameter.
# 4 - Action to take with required ICMP packets. Default is ACCEPT or
# A_ACCEPT depending on the first parameter.
# 5 - Action to take with late UDP replies (UDP source port 53). Default
# is DROP or A_DROP depending on the first parameter.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
###############################################################################
FORMAT 2
#
# The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'.
#
BEGIN PERL;
use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
if ( defined $p1 ) {
if ( $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless supplied $p2;
set_action_param( 3, 'A_REJECT') unless supplied $p3;
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
} else {
fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
}
}
1;
END PERL;
DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
#TARGET SOURCE DEST PROTO
#
# Don't log 'auth' -- REJECT
#
Auth(REJECT)
Auth($2)
#
# Drop Multicasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
AllowICMPs - - ipv6-icmp
AllowICMPs($4) - - ipv6-icmp
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
dropBcast($1)
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid
dropInvalid($1)
#
# Reject Microsoft noise so that it doesn't clutter up the log.
#
SMB(REJECT)
SMB($3)
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
dropNotSyn($1) - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep
DropDNSrep($5)

View File

@ -50,7 +50,7 @@ TCP_FLAGS_LOG_LEVEL=info
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
CONFIG_PATH="/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall"
IP6TABLES=
@ -62,7 +62,7 @@ MODULESDIR=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
RESTOREFILE=restore
@ -76,11 +76,11 @@ TC=
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
ACCEPT_DEFAULT="none"
DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
###############################################################################
# R S H / R C P C O M M A N D S

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.21
VERSION=xxx #The build script will insert the actual version
usage() # $1 = exit status
{

View File

@ -1670,8 +1670,8 @@ determine_capabilities() {
if qt ipset -N $chain hash:ip family inet6; then
IPSET_V5=Yes
if qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
if qt $IP6TABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
qt $IP6TABLES -D $chain -m set --match-set $chain src -j ACCEPT
IPSET_MATCH=Yes
elif qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT

View File

@ -26,6 +26,10 @@ INCLUDE modules.xtables
#
INCLUDE helpers
#
# Ipset
#
INCLUDE modules.ipset
#
# Traffic Shaping
#
INCLUDE modules.tc

27
Shorewall6/modules.ipset Normal file
View File

@ -0,0 +1,27 @@
#
# Shorewall version 4 - IP Set Modules File
#
# /usr/share/shorewall6/modules.ipset
#
# This file loads the modules that may be needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1
# before you load M2.
#
# If you need to modify this file, copy it to /etc/shorewall6 and modify the
# copy.
#
###############################################################################
loadmodule xt_set
loadmodule ip_set
loadmodule ip_set_iphash
loadmodule ip_set_ipmap
loadmodule ip_set_ipporthash
loadmodule ip_set_iptree
loadmodule ip_set_iptreemap
loadmodule ip_set_macipmap
loadmodule ip_set_nethash
loadmodule ip_set_portmap
loadmodule ipt_SET
loadmodule ipt_set

View File

@ -1279,12 +1279,17 @@ reload_command() # $* = original arguments less the command.
[ -f $capabilities ] || getcaps=Yes
fi
if [ -n "$getcaps" ]; then
if [ -f $directory/shorewall6.conf ]; then
if [ -f $directory/params ]; then
. $directory/params
fi
. $directory/shorewall6.conf
ensure_config_path
fi
if [ -n "$getcaps" ]; then
[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
progress_message "Getting Capabilities on system $system..."

View File

@ -1,6 +1,6 @@
%define name shorewall6
%define version 4.4.21
%define release 0base
%define release 2
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
Name: %{name}
@ -101,8 +101,16 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog
* Wed Jun 29 2011 Tom Eastep tom@shorewall.net
* Sat Jul 23 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-2
* Mon Jul 11 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-1
* Wed Jul 06 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0base
* Mon Jul 04 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0RC3
* Sun Jul 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0RC2
* Thu Jun 23 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.21-0RC1
* Sun Jun 19 2011 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.21
VERSION=xxx #The Build script inserts the actual version
usage() # $1 = exit status
{

View File

@ -372,10 +372,7 @@ REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
<para>Example: ACTION(REDIRECT,-,info)</para>
<para>In the above example, $2 would expand to nothing.</para>
<para>If you want to make '-' a parameter value, use '--' (e.g.,
ACTION(REDIRECT,--.info)).</para>
<para>In the above example, $2 would expand to '-'.</para>
<para>Beginning with Shorewall 4.4.21, you can specify the default
values of your FORMAT-2 actions:</para>

View File

@ -130,6 +130,15 @@
<para>The files from the web site that are maintained in HTML format.
are kept in this directory.</para>
</section>
<section>
<title>release</title>
<para>Added in Shorewall 4.4.22, this directory contains the files that
contain release-dependent information (change.txt, releasenotes.txt,
.spec files, etc). This is actually a symbolic link to ../release which
has it's own Git repository.</para>
</section>
</section>
<section>
@ -156,7 +165,7 @@
</section>
<section>
<title>build44</title>
<title>build</title>
<para>This is the script that builds Shorewall 4.4 packages from
Git.</para>
@ -270,8 +279,8 @@
<para>The general form of the build command is:</para>
<blockquote>
<para><command>build44</command> [ -<replaceable>options</replaceable>
] <replaceable>release</replaceable> [ <replaceable>prior
<para><command>build</command> [ -<replaceable>options</replaceable> ]
<replaceable>release</replaceable> [ <replaceable>prior
release</replaceable> ]</para>
</blockquote>
@ -383,28 +392,27 @@
4.3.6:</para>
<blockquote>
<para><command>build44 4.3.7 4.3.6</command></para>
<para><command>build 4.3.7 4.3.6</command></para>
</blockquote>
<para>Example 2 - Build Shorewall 4.2.7.1 Shorewall and generate patches
against 4.2.7:</para>
<blockquote>
<para><command>build44 -trc 4.3.7.1 4.3.7</command></para>
<para><command>build -trc 4.3.7.1 4.3.7</command></para>
</blockquote>
</section>
<section>
<title>upload44</title>
<title>upload</title>
<para>This script is used to upload a release to www1.shorewall.net. The
command is run in the build directory for the major release of the
command is run in the build directory for the minor release of the
product.</para>
<blockquote>
<para><command>upload44</command> [
-<replaceable>products</replaceable> ]
<replaceable>release</replaceable></para>
<para><command>upload</command> [ -<replaceable>products</replaceable>
] <replaceable>release</replaceable></para>
</blockquote>
<para>where</para>
@ -474,13 +482,13 @@
<para>Example 1 - Upload release 4.3.7:</para>
<blockquote>
<para><command>upload44 4.3.7</command></para>
<para><command>upload 4.3.7</command></para>
</blockquote>
<para>Example 2 - Upload shorewall-4.3.7.3:</para>
<blockquote>
<para><command>upload44 -c 4.3.7.3</command></para>
<para><command>upload -c 4.3.7.3</command></para>
</blockquote>
</section>

View File

@ -341,6 +341,12 @@ DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</empha
sniffer such as tcpdump or Wireshark to further diagnose the
problem.</para>
</listitem>
<listitem>
<para>The traffic is entering your firewall on a different
interface (interfaces reversed in
<filename>/etc/shorewall/interfaces</filename>?).</para>
</listitem>
</itemizedlist>
</listitem>
@ -2810,5 +2816,39 @@ EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
If you simply want to allow all traffic between ports, then see <ulink
url="SimpleBridge.html">http://www.shorewall.net/SimpleBridge.html</ulink>.</para>
</section>
<section id="faq95">
<title>(FAQ 95) What is this $FW that I see in the configuration files
and documentation?</title>
<para><emphasis role="bold">Answer: FW</emphasis> is a <ulink
url="configuration_file_basics.htm#Variables">shell variable</ulink>
that expands to the name that you gave to the firewall zone in <ulink
url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5). The
default name for the firewall zone is <emphasis
role="bold">fw</emphasis>:</para>
<programlisting>#ZONE TYPE OPTIONS
<emphasis role="bold">fw</emphasis> firewall</programlisting>
<para>So, using the default or sample configurations, writing <emphasis
role="bold">$FW</emphasis> is the same as writing <emphasis
role="bold">fw</emphasis>. If you give the firewall zone a different
name, <emphasis role="bold">gate</emphasis> for example, then writing
<emphasis role="bold">$FW</emphasis> would be the same as writing
<emphasis role="bold">gate</emphasis>.</para>
<programlisting>#ZONE TYPE OPTIONS
<emphasis role="bold">gate</emphasis> firewall</programlisting>
<section id="faq95a">
<title>Why was that done?</title>
<para><emphasis role="bold">Answer:</emphasis> The firewall zone has
special semantics, so having a way to refer to it in a
configuration-independent way makes writing the documentation,
examples, macros, etc. easier.</para>
</section>
</section>
</section>
</article>

View File

@ -421,6 +421,15 @@ FTP(ACCEPT) dmz net</programlisting>
<programlisting>Apr 28 23:55:09 gateway kernel: conntrack_ftp: partial PORT 715014972+1</programlisting>
<para>or this one:</para>
<programlisting>21:37:40 insert-master kernel: [832161.057782] <emphasis
role="bold">nf_ct_ftp: dropping
packet</emphasis> IN=eth4 OUT= MAC=00:0a:cd:1a:d1:95:00:22:6b:be:3c:41:08:00
SRC=66.199.187.46 DST=192.168.41.1 LEN=102 TOS=0x00 PREC=0x00 TTL=45
ID=30239 DF PROTO=TCP SPT=21 DPT=50892 SEQ=698644583 ACK=3438176321
WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1</programlisting>
<para>I see this problem occasionally with the FTP server in my DMZ. My
solution is to add the following rule:</para>

View File

@ -1598,6 +1598,30 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
passes, one of the bursts will be regained; if no packets hit the rule for
30 seconds, the burst will be fully recharged; back where we
started.</para>
<note>
<para>The LOGRATE and LOGBURST options are deprecated in favor of
LOGLIMIT.</para>
</note>
<para>Shorewall also supports per-IP rate limiting. </para>
<para>Another example from <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
<simplelist>
<member>LOGLIMIT="s:5/min:5"</member>
</simplelist>
<para>Here, the leading "s:" indicates that logging is to be limited by
source IP address ("d:" would indicate limiting by destination IP
address).</para>
<para>"s:" is followed by the rate (5 messages per minute) and the burst
(5).</para>
<para>The rate and limit arguments have the same meaning as in the example
above.</para>
</section>
<section id="Logical">

View File

@ -43,26 +43,11 @@
<variablelist>
<varlistentry>
<term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
{<emphasis>value</emphasis>|<emphasis>major</emphasis><emphasis
role="bold">:</emphasis><emphasis>minor</emphasis>|<emphasis
role="bold">RESTORE</emphasis>[<emphasis
role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
role="bold">SAVE</emphasis>[<emphasis
role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
role="bold">CONTINUE</emphasis>|<emphasis
role="bold">SAME</emphasis>|<emphasis
role="bold">COMMENT</emphasis>|<emphasis
role="bold">IPMARK</emphasis>[([(<emphasis
role="bold">src</emphasis>|<emphasis
role="bold">dst</emphasis>}][,[<emphasis>mask1</emphasis>][,[<emphasis>mask2</emphasis>][,[<emphasis>shift</emphasis>]]]]])]}[<emphasis
role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
role="bold">CP</emphasis>|<emphasis
role="bold">CT</emphasis>|I:CI}]</term>
<replaceable>mark</replaceable></term>
<listitem>
<para>May assume one of the following values.</para>
<para>Where <replaceable>mark</replaceable> may assume one of the
following values.</para>
<orderedlist numeration="arabic">
<listitem>
@ -397,6 +382,39 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
above so that all of your <replaceable>minor</replaceable>
classes will have a value &gt; 256.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
<para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
<para>There are three parameters to TPROXY - only the first
(mark) is required:</para>
<itemizedlist>
<listitem>
<para><replaceable>mark</replaceable> - the MARK value
corresponding to the local provider in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
</listitem>
<listitem>
<para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original
destination port.</para>
</listitem>
<listitem>
<para><replaceable>address</replaceable> - a local (to the
firewall) IP address on which the proxy server is listening.
If omitted, the IP address of the interface on which the
request arrives.</para>
</listitem>
</itemizedlist>
</listitem>
</orderedlist>
</listitem>
</varlistentry>

View File

@ -72,7 +72,19 @@
from <ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>
and can be configured to log all Shorewall messages to their own log
file</para>
file.</para>
<para>Beginning with Shorewall 4.4.22, LOGMARK is also a valid level which
logs the packet's mark value along with the other usual information. The
syntax is:</para>
<simplelist>
<member><emphasis
role="bold">LOGMARK</emphasis><replaceable>(priority)</replaceable></member>
</simplelist>
<para>where <replaceable>priority</replaceable> is one of the levels
listed in the list above.</para>
<para>The following options may be set in shorewall.conf.</para>

View File

@ -43,22 +43,11 @@
<variablelist>
<varlistentry>
<term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
{<emphasis>value</emphasis>|<emphasis>major</emphasis><emphasis
role="bold">:</emphasis><emphasis>minor</emphasis>|<emphasis
role="bold">RESTORE</emphasis>[<emphasis
role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
role="bold">SAVE</emphasis>[<emphasis
role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
role="bold">CONTINUE</emphasis>|<emphasis
role="bold">COMMENT</emphasis>}[<emphasis
role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
role="bold">CP</emphasis>|<emphasis
role="bold">CT</emphasis>|I|CI}]</term>
<replaceable>mark</replaceable></term>
<listitem>
<para>May assume one of the following values.</para>
<para><replaceable>mark</replaceable> may assume one of the
following values.</para>
<orderedlist numeration="arabic">
<listitem>
@ -290,6 +279,39 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<para>To stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
<para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
<para>There are three parameters to TPROXY - only the first
(mark) is required:</para>
<itemizedlist>
<listitem>
<para><replaceable>mark</replaceable> - the MARK value
corresponding to the local provider in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
</listitem>
<listitem>
<para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original
destination port.</para>
</listitem>
<listitem>
<para><replaceable>address</replaceable> - a local (to the
firewall) IP address on which the proxy server is listening.
If omitted, the IP address of the interface on which the
request arrives.</para>
</listitem>
</itemizedlist>
</listitem>
</orderedlist>
</listitem>
</varlistentry>