47 Commits
|
21e012044a | ||
|
0a6c0c4d40 | ||
|
7e8673d2e3 | ||
|
778302daba | ||
|
ef2f19ce35 | ||
|
36be5ed814 | ||
|
86dcfdf964 | ||
|
d2f7e13ddd | ||
|
bcde251c87 | ||
|
50d1dbc237 | ||
|
d530ac8759 | ||
|
a45479ca8d | ||
|
8348f1d154 | ||
|
b015bc3c0d | ||
|
f73b98668d | ||
|
3991b44de0 | ||
|
769f618650 | ||
|
e20feedde8 | ||
|
eebe693c3a | ||
|
b1a883ecaf | ||
|
14206dde87 | ||
|
cf9a8d51aa | ||
|
0e81d6c90c | ||
|
218fd75119 | ||
|
3974314bae | ||
|
b90f6e38bc | ||
|
726eb0c8c0 | ||
|
6154959d97 | ||
|
0c4d6983ef | ||
|
6ab1cc4fac | ||
|
d279f378f8 | ||
|
210f56c54e | ||
|
f38eb15350 | ||
|
e41126ae2f | ||
|
2ec7ac020b | ||
|
11688d22b2 | ||
|
10e77d8680 | ||
|
c1b64e0ddd | ||
|
27ab3c71c0 | ||
|
f05b72327e | ||
|
5c716827d6 | ||
|
55eeee761c | ||
|
79653e942f | ||
|
1e5ec013b0 | ||
|
5287e85eb4 | ||
|
7266e1bd89 | ||
|
584040b413 |
@ -23,7 +23,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.21
|
||||
VERSION=xxx #The Build script inserts the actual version.
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall-init
|
||||
%define version 4.4.21
|
||||
%define release 0base
|
||||
%define release 2
|
||||
|
||||
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
|
||||
Name: %{name}
|
||||
@ -119,8 +119,16 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Wed Jun 29 2011 Tom Eastep tom@shorewall.net
|
||||
* Sat Jul 23 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-2
|
||||
* Mon Jul 11 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-1
|
||||
* Wed Jul 06 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0base
|
||||
* Mon Jul 04 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0RC3
|
||||
* Sun Jul 03 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0RC2
|
||||
* Thu Jun 23 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0RC1
|
||||
* Sun Jun 19 2011 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.21
|
||||
VERSION=xxx #The Build script inserts the actual version
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.21
|
||||
VERSION=xxx #The Build script inserts the actual version
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall-lite
|
||||
%define version 4.4.21
|
||||
%define release 0base
|
||||
%define release 2
|
||||
|
||||
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -103,8 +103,16 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Wed Jun 29 2011 Tom Eastep tom@shorewall.net
|
||||
* Sat Jul 23 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-2
|
||||
* Mon Jul 11 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-1
|
||||
* Wed Jul 06 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0base
|
||||
* Mon Jul 04 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0RC3
|
||||
* Sun Jul 03 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0RC2
|
||||
* Thu Jun 23 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0RC1
|
||||
* Sun Jun 19 2011 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.21
|
||||
VERSION=xxx #The Build script inserts the actual version
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -35,7 +35,7 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_accounting );
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = '4.4.21';
|
||||
our $VERSION = '4.4_21';
|
||||
|
||||
#
|
||||
# Per-IP accounting tables. Each entry contains the associated network.
|
||||
|
@ -587,6 +587,8 @@ sub handle_port_list( $$$$$$ );
|
||||
sub handle_port_list( $$$$$$ ) {
|
||||
my ($chainref, $rule, $dport, $first, $ports, $rest) = @_;
|
||||
|
||||
our $splitcount;
|
||||
|
||||
if ( port_count( $ports ) > 15 ) {
|
||||
#
|
||||
# More than 15 ports specified
|
||||
@ -621,12 +623,14 @@ sub handle_port_list( $$$$$$ ) {
|
||||
handle_port_list( $chainref, $newrule, 0, $1, $2, $3 );
|
||||
} else {
|
||||
push_rule ( $chainref, $newrule );
|
||||
$splitcount++;
|
||||
}
|
||||
}
|
||||
} elsif ( $dport && $rule =~ /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
|
||||
handle_port_list( $chainref, $rule, 0, $1, $2, $3 );
|
||||
} else {
|
||||
push_rule ( $chainref, $rule );
|
||||
$splitcount++;
|
||||
}
|
||||
}
|
||||
|
||||
@ -636,7 +640,8 @@ sub handle_port_list( $$$$$$ ) {
|
||||
sub handle_icmptype_list( $$$$ ) {
|
||||
my ($chainref, $first, $types, $rest) = @_;
|
||||
my @ports = split ',', $types;
|
||||
push_rule ( $chainref, join ( '', $first, shift @ports, $rest ) ) while @ports;
|
||||
our $splitcount;
|
||||
push_rule ( $chainref, join ( '', $first, shift @ports, $rest ) ), $splitcount++ while @ports;
|
||||
}
|
||||
|
||||
#
|
||||
@ -647,6 +652,8 @@ sub handle_icmptype_list( $$$$ ) {
|
||||
sub add_rule($$;$) {
|
||||
my ($chainref, $rule, $expandports) = @_;
|
||||
|
||||
our $splitcount;
|
||||
|
||||
assert( ! reftype $rule );
|
||||
|
||||
$iprangematch = 0;
|
||||
@ -678,15 +685,24 @@ sub add_rule($$;$) {
|
||||
handle_icmptype_list( $chainref, $first, $types, $rest );
|
||||
} else {
|
||||
push_rule( $chainref, $rule );
|
||||
$splitcount++;
|
||||
}
|
||||
} else {
|
||||
push_rule ( $chainref, $rule );
|
||||
$splitcount++;
|
||||
}
|
||||
} else {
|
||||
push_rule( $chainref, $rule );
|
||||
}
|
||||
}
|
||||
|
||||
sub add_counted_rule($$) {
|
||||
my ( $chainref, $rule ) = @_;
|
||||
our $splitcount = 0;
|
||||
add_rule( $chainref, $rule, 1 );
|
||||
return $splitcount;
|
||||
}
|
||||
|
||||
#
|
||||
# Make the first chain a referent of the second
|
||||
#
|
||||
@ -1339,6 +1355,13 @@ sub add_jump( $$$;$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
sub add_counted_jump( $$$ ) {
|
||||
my ( $chainref, $to, $rule ) = @_;
|
||||
our $splitcount = 0;
|
||||
add_jump( $chainref, $to, 0, $rule, 1 );
|
||||
return $splitcount - 1;
|
||||
}
|
||||
|
||||
#
|
||||
# Delete jumps previously added via add_jump. If the target chain is empty, reset its
|
||||
# referenced flag
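Review bot: `add_counted_jump` returns `$splitcount - 1` while its twin `add_counted_rule` in the earlier hunk returns `$splitcount` unadjusted, and nothing in the hunk explains the asymmetry. If the -1 compensates for a reference that `add_jump` itself records (which is what the later `while ( $rulecount-- > 0 ) { add_reference ... }` loop suggests, though add_jump's body is not visible here), say so where the value is produced: `return $splitcount - 1; # add_jump already counts one reference; report only the extra split rules`. A caller reading `$rulecount += add_counted_jump( ... )` otherwise cannot tell whether it is accumulating a surplus or a total. `$splitcount` is a package global used as an out-parameter, so a one-line comment on `our $splitcount = 0;` noting that it is reset here and incremented after each `push_rule` in the split paths would also help the next maintainer.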
|
||||
@ -3364,7 +3387,7 @@ sub log_rule_limit( $$$$$$$$ ) {
|
||||
$prefix = "-j $level --nflog-prefix \"$prefix\" ";
|
||||
} elsif ( $level =~ '^LOGMARK' ) {
|
||||
$prefix = join( '', substr( $prefix, 0, 12 ) , ':' ) if length $prefix > 13;
|
||||
$prefix = "-j LOGMARK --log-level $level --log-prefix \"$prefix\" ";
|
||||
$prefix = "-j $level --log-prefix \"$prefix\" ";
|
||||
} else {
|
||||
$prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" ";
|
||||
}
|
||||
@ -3864,6 +3887,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
my $table = $chainref->{table};
|
||||
my $jump = $target ? '-j ' . $target : '';
|
||||
my $mac;
|
||||
my $rulecount = 0;
|
||||
|
||||
our @ends = ();
|
||||
#
|
||||
@ -3910,7 +3934,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
# Isolate Source Interface, if any
|
||||
#
|
||||
if ( $source ) {
|
||||
if ( supplied $source ) {
|
||||
if ( $source eq '-' ) {
|
||||
$source = '';
|
||||
} elsif ( $family == F_IPV4 ) {
|
||||
@ -3924,7 +3948,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
} else {
|
||||
$iiface = $source;
|
||||
}
|
||||
} elsif ( $source =~ /^(.+?):<(.+)>\s*$/ || $source =~ /^(.+?):\[(.+)\]\s*$/ ) {
|
||||
} elsif ( $source =~ /^(.+?):<(.+)>\s*$/ || $source =~ /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(!?\+.+)$/ ) {
|
||||
$iiface = $1;
|
||||
$inets = $2;
|
||||
} elsif ( $source =~ /:/ ) {
|
||||
@ -3945,7 +3969,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
# Verify Interface, if any
|
||||
#
|
||||
if ( $iiface ) {
|
||||
if ( supplied $iiface ) {
|
||||
fatal_error "Unknown Interface ($iiface)" unless known_interface $iiface;
|
||||
|
||||
if ( $restriction & POSTROUTE_RESTRICT ) {
|
||||
@ -3981,7 +4005,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
# Isolate Destination Interface, if any
|
||||
#
|
||||
if ( $dest ) {
|
||||
if ( supplied $dest ) {
|
||||
if ( $dest eq '-' ) {
|
||||
$dest = '';
|
||||
} elsif ( ( $restriction & PREROUTE_RESTRICT ) && $dest =~ /^detect:(.*)$/ ) {
|
||||
@ -4023,7 +4047,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
} else {
|
||||
$diface = $dest;
|
||||
}
|
||||
} elsif ( $dest =~ /^(.+?):<(.+)>\s*$/ || $dest =~ /^(.+?):\[(.+)\]\s*$/) {
|
||||
} elsif ( $dest =~ /^(.+?):<(.+)>\s*$/ || $dest =~ /^(.+?):\[(.+)\]\s*$/ || $dest =~ /^(.+?):(!?\+.+)$/ ) {
|
||||
$diface = $1;
|
||||
$dnets = $2;
|
||||
} elsif ( $dest =~ /:/ ) {
|
||||
@ -4032,7 +4056,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
} else {
|
||||
$dnets = $dest;
|
||||
}
|
||||
} elsif ( $dest =~ /^(?:\+|&|\..*\.)/ ) {
|
||||
} elsif ( $dest =~ /(?:\+|&|\..*\.)/ ) {
|
||||
$dnets = $dest;
|
||||
} else {
|
||||
$diface = $dest;
|
||||
@ -4044,7 +4068,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
# Verify Destination Interface, if any
|
||||
#
|
||||
if ( $diface ) {
|
||||
if ( supplied $diface ) {
|
||||
fatal_error "Unknown Interface ($diface)" unless known_interface $diface;
|
||||
|
||||
if ( $restriction & PREROUTE_RESTRICT ) {
|
||||
@ -4246,8 +4270,8 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
my $source_match = match_source_net( $inet, $restriction, $mac ) if have_capability( 'KLUDGEFREE' );
|
||||
|
||||
for my $dnet ( mysplit $dnets ) {
|
||||
$source_match = match_source_net( $inet, $restriction, $mac ) unless have_capability( 'KLUDGEFREE' );
|
||||
add_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet ), $onet ), 1 );
|
||||
$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
|
||||
$rulecount += add_counted_jump( $chainref, $echainref, join( '', $rule, $source_match, match_dest_net( $dnet ), $onet ) );
|
||||
}
|
||||
|
||||
conditional_rule_end( $chainref ) if $cond;
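Review bot: The replacement line `$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};` now uses a different predicate from its partner on the context line above, `my $source_match = ... if have_capability( 'KLUDGEFREE' );`. Whether `$globals{KLUDGEFREE}` always mirrors the capability is not visible here; if the two can ever disagree, the capability-false/global-true case leaves `$source_match` undefined and the exclusion jump built by the `join` on the next line is emitted without its source match, i.e. a rule that applies to more traffic than the policy line specified, with only a "Use of uninitialized value" warning from the compiler to show for it. Use one test on both lines, e.g. keep `unless have_capability( 'KLUDGEFREE' )`, or hoist `my $kludgefree = have_capability( 'KLUDGEFREE' );` above the loop and use it in both places. The `my $var = ... if COND;` form on the context line is also the conditional-`my` that perlsyn documents as undefined behaviour, so the hoisted form is safer regardless. expand_rule starts and ends outside this hunk.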
|
||||
@ -4255,6 +4279,11 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
|
||||
conditional_rule_end( $chainref ) if $cond;
|
||||
}
|
||||
|
||||
while ( $rulecount-- > 0 ) {
|
||||
add_reference $chainref, $echainref;
|
||||
}
|
||||
|
||||
#
|
||||
# Generate RETURNs for each exclusion
|
||||
#
|
||||
@ -4290,7 +4319,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
# Generate Final Rule
|
||||
#
|
||||
add_rule $fromref = $echainref, $exceptionrule . $jump , 1 unless $disposition eq 'LOG';
|
||||
$rulecount = add_counted_rule( $fromref = $echainref, $exceptionrule . $jump ) unless $disposition eq 'LOG';
|
||||
|
||||
$done = 1;
|
||||
}
|
||||
@ -4323,7 +4352,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
# No logging -- add the target rule with matches to the rule chain
|
||||
#
|
||||
add_rule( $fromref = $chainref, $matches . $jump , 1 );
|
||||
$rulecount = add_counted_rule( $fromref = $chainref, $matches . $jump );
|
||||
} elsif ( $disposition eq 'LOG' || $disposition eq 'COUNT' ) {
|
||||
#
|
||||
# The log rule must be added with matches to the rule chain
|
||||
@ -4349,7 +4378,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
'add',
|
||||
$matches );
|
||||
|
||||
add_rule( $fromref = $chainref, $matches . $jump, 1 );
|
||||
$rulecount = add_counted_rule( $fromref = $chainref, $matches . $jump );
|
||||
} else {
|
||||
#
|
||||
# Find/Create a chain that both logs and applies the target action
|
||||
@ -4380,7 +4409,10 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
my $targetref = $chain_table{$table}{$target};
|
||||
if ( $targetref ) {
|
||||
$targetref->{referenced} = 1;
|
||||
add_reference $fromref, $targetref;
|
||||
|
||||
for ( my $i = 0; $i < $rulecount; $i++ ) {
|
||||
add_reference $fromref, $targetref;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -242,6 +242,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
OWNER_MATCH => 'Owner Match',
|
||||
IPSET_MATCH => 'Ipset Match',
|
||||
OLD_IPSET_MATCH => 'Old Ipset Match',
|
||||
IPSET_V5 => 'Version 5 IPSETs',
|
||||
CONNMARK => 'CONNMARK Target',
|
||||
XCONNMARK => 'Extended CONNMARK Target',
|
||||
CONNMARK_MATCH => 'Connmark Match',
|
||||
@ -2131,10 +2132,21 @@ sub validate_level( $ ) {
|
||||
return $rawlevel;
|
||||
}
|
||||
|
||||
if ( $level eq 'LOGMARK' ) {
|
||||
if ( $level =~ /^LOGMARK --/ ) {
|
||||
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
|
||||
return $rawlevel;
|
||||
}
|
||||
|
||||
if ( $level =~ /LOGMARK[(](.*)[)]$/ ) {
|
||||
my $sublevel = $1;
|
||||
|
||||
$sublevel = $validlevels{$sublevel} unless $sublevel =~ /^[0-7]$/;
|
||||
|
||||
level_error( $level ) unless defined $sublevel =~ /^[0-7]$/;
|
||||
|
||||
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
|
||||
require_capability( 'LOGMARK_TARGET' , 'LOGMARK', 's' );
|
||||
return 'LOGMARK';
|
||||
return "LOGMARK --log-level $sublevel";
|
||||
}
|
||||
|
||||
level_error( $rawlevel );
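Review bot: `level_error( $level ) unless defined $sublevel =~ /^[0-7]$/;` never fires, because `=~` binds tighter than the named unary `defined`, so the expression is `defined( $sublevel =~ /^[0-7]$/ )` and a match result (1 or the empty string) is always defined. An unknown priority name therefore leaves `$sublevel` undef after the `%validlevels` lookup and the function returns `"LOGMARK --log-level "` with an empty level, which is the kind of invalid ip[6]tables input this commit set out to fix. The intended check is `level_error( $level ) unless defined $sublevel && $sublevel =~ /^[0-7]$/;`. Anchoring with `\A`/`\z` (`/\A[0-7]\z/`) would also stop a trailing newline from being accepted. validate_level starts outside this hunk.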
|
||||
|
@ -536,6 +536,7 @@ sub valid_6address( $ ) {
|
||||
}
|
||||
|
||||
return 0 if @address > $max;
|
||||
return 0 unless $address =~ /^[a-f:\d]+$/;
|
||||
return 0 unless ( @address == $max ) || $address =~ /::/;
|
||||
return 0 if $address =~ /:::/ || $address =~ /::.*::/;
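Review bot: The added `return 0 unless $address =~ /^[a-f:\d]+$/;` rejects upper-case hex digits, which are valid in IPv6 text form, unless a caller has already lower-cased the address (not visible in this hunk). If mixed case is meant to be accepted, use `return 0 unless $address =~ /^[a-fA-F:\d]+$/;` or add `/i`; either way `[0-9]` (or the `/a` modifier) is preferable to `\d` so non-ASCII digits are not admitted, and `\z` to `$` so a trailing newline is not. valid_6address starts outside this hunk.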
|
||||
|
||||
|
@ -1222,7 +1222,7 @@ sub add_interface_jumps {
|
||||
unless get_interface_option( $interface, 'port' );
|
||||
}
|
||||
} else {
|
||||
add_rule ( $filter_table->{FORWAR}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
|
||||
add_rule ( $filter_table->{FORWARD}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
|
||||
|
||||
add_jump( $filter_table->{FORWARD} , $forwardref , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
|
||||
add_jump( $filter_table->{INPUT} , $inputref , 0, match_source_dev( $interface ) ) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref;
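Review bot: The fix corrects `FORWAR` to `FORWARD`, but the typo went unnoticed because `$filter_table->{FORWAR}` autovivifies a fresh entry instead of failing, which is how the orphan chain described in the known-problems text on this page came to exist. The built-in chain names used here are literals, so a lookup that dies on an unknown name (or `Hash::Util::lock_keys` on the built-in chain table once it is populated) would have turned this into a compile-time error rather than a silently created extra chain. add_interface_jumps starts and ends outside this hunk.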
|
||||
|
@ -163,8 +163,8 @@ sub process_one_masq( )
|
||||
if ( $addresses eq 'random' ) {
|
||||
$randomize = '--random ';
|
||||
} else {
|
||||
$addresses =~ s/:persistent$// and $persistent = '--persistent ';
|
||||
$addresses =~ s/:random$// and $randomize = '--random ';
|
||||
$addresses =~ s/:persistent$// and $persistent = ' --persistent ';
|
||||
$addresses =~ s/:random$// and $randomize = ' --random ';
|
||||
|
||||
require_capability 'PERSISTENT_SNAT', ':persistent', 's' if $persistent;
|
||||
|
||||
|
@ -1163,7 +1163,7 @@ sub dropBcast( $$$$ ) {
|
||||
if ( $family == F_IPV4 ) {
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
|
||||
} else {
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '' );
|
||||
}
|
||||
}
|
||||
|
||||
@ -1180,13 +1180,13 @@ sub dropBcast( $$$$ ) {
|
||||
add_jump $chainref, $target, 0, "-d \$address ";
|
||||
decr_cmd_level $chainref;
|
||||
add_commands $chainref, 'done';
|
||||
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||
}
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||
add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
|
||||
} else {
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST . ' ' ) if $level ne '';
|
||||
add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
|
||||
}
|
||||
}
|
||||
@ -1199,11 +1199,14 @@ sub allowBcast( $$$$ ) {
|
||||
if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
|
||||
if ( $level ne '' ) {
|
||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
|
||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
|
||||
if ( $family == F_IPV4 ) {
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'ACCECT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
|
||||
} else {
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'ACCEPT', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST . ' ' );
|
||||
}
|
||||
}
|
||||
|
||||
add_jump $chainref, $target, 0, "-m addrtype --dst-type BROADCAST ";
|
||||
add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
|
||||
} else {
|
||||
if ( $family == F_IPV4 ) {
|
||||
add_commands $chainref, 'for address in $ALL_BCASTS; do';
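Review bot: Inside allowBcast, the new inner `if ( $family == F_IPV4 )` block logs with the name `'dropBcast'` and the disposition `'ACCECT'` on `log_rule_limit $level, $chainref, 'dropBcast' , 'ACCECT', '', $tag, 'add', ' -d 224.0.0.0/4 ';`, so whatever log_rule_limit derives from those two arguments (presumably the log prefix) would identify accepted multicast as dropBcast/ACCECT, which misleads anyone matching on Shorewall log prefixes. The `else` branch using `IPv6_MULTICAST` is unreachable here because the enclosing condition on the first line of the hunk already requires `$family == F_IPV4`. The whole inner if/else can collapse to the single line `log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';`, which is also the spelling the second allowBcast hunk below already uses. allowBcast starts and ends outside this hunk.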
|
||||
@ -1216,14 +1219,14 @@ sub allowBcast( $$$$ ) {
|
||||
add_rule $chainref, "-d \$address -j $target";
|
||||
decr_cmd_level $chainref;
|
||||
add_commands $chainref, 'done';
|
||||
}
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||
add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
|
||||
} else {
|
||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
|
||||
add_jump $chainref, $target, 0, join ( ' ', '-d', IPv6_MULTICAST, ' ' );
|
||||
}
|
||||
if ( $family == F_IPV4 ) {
|
||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||
add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
|
||||
} else {
|
||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
|
||||
add_jump $chainref, $target, 0, join ( ' ', '-d', IPv6_MULTICAST . ' ' );
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -205,7 +205,15 @@ sub process_tc_rule( ) {
|
||||
|
||||
my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
|
||||
|
||||
fatal_error "Invalid MARK ($originalmark)" if defined $remainder || ! defined $mark || $mark eq '';
|
||||
fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
|
||||
|
||||
if ( $remainder ) {
|
||||
if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
|
||||
$mark = $originalmark; # Most likely, an IPv6 address is included in the parameter list
|
||||
} else {
|
||||
fatal_error "Invalid MARK ($originalmark)";
|
||||
}
|
||||
}
|
||||
|
||||
my $chain = $globals{MARKING_CHAIN};
|
||||
my $target = 'MARK --set-mark';
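Review bot: The fallback `if ( $originalmark =~ /^\w+\(?.*\)$/ )` makes the opening parenthesis optional, so any value that starts with a word and ends with `)` passes; a constructed example such as `X:1:2)` (which reaches this branch because it splits into three parts) is accepted as if it were a parameter list, which is looser than the comment's intent. If the aim is to keep only `NAME(...)` forms whose parameters happen to contain colons (the IPv6 case), require the parenthesis: `if ( $originalmark =~ /^\w+\(.*\)$/ ) {`. Using `\z` rather than `$` would additionally stop a trailing newline from slipping through. process_tc_rule starts and ends outside this hunk.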
|
||||
@ -376,6 +384,10 @@ sub process_tc_rule( ) {
|
||||
$target .= " --on-port $port";
|
||||
|
||||
if ( supplied $ip ) {
|
||||
if ( $family == F_IPV6 ) {
|
||||
$ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
|
||||
}
|
||||
|
||||
validate_address $ip, 1;
|
||||
$target .= " --on-ip $ip";
|
||||
}
|
||||
|
@ -1725,26 +1725,28 @@ sub process_host( ) {
|
||||
if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
|
||||
$interface = $1;
|
||||
$hosts = $2;
|
||||
|
||||
if ( $hosts =~ /^\+/ ) {
|
||||
$zoneref->{options}{complex} = 1;
|
||||
fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
|
||||
fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
|
||||
}
|
||||
|
||||
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
|
||||
} else {
|
||||
fatal_error "Invalid HOST(S) column contents: $hosts";
|
||||
}
|
||||
} elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ || $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]\s*$/ || $hosts =~ /^([\w.@%-]+\+?):(dynamic)\s*$/ ) {
|
||||
} elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/ ||
|
||||
$hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
|
||||
$hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/ ||
|
||||
$hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
|
||||
$interface = $1;
|
||||
$hosts = $2;
|
||||
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
|
||||
|
||||
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
|
||||
} else {
|
||||
fatal_error "Invalid HOST(S) column contents: $hosts"
|
||||
}
|
||||
|
||||
if ( $hosts =~ /^!?\+/ ) {
|
||||
$zoneref->{options}{complex} = 1;
|
||||
fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
|
||||
fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
|
||||
}
|
||||
|
||||
if ( $type == BPORT ) {
|
||||
if ( $zoneref->{bridge} eq '' ) {
|
||||
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};
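Review bot: `$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;` in the elsif branch is now redundant: the block that follows the if/elsif/else, `if ( $hosts =~ /^!?\+/ ) { $zoneref->{options}{complex} = 1; ... }`, runs for both surviving branches and matches a superset (it also covers the new `!+` negated-ipset form). Dropping the line in the elsif keeps the complex-marking and the ipset-name validation in one place. Separately, `unless ($interfaceref = $interfaces{$interface})->{root}` replaces the guarded form; it still reaches fatal_error for an unknown interface (Perl autovivifies the undef into an empty hash rather than dying), but the earlier two-step `unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root}` makes that intent visible and does not leave `$interfaceref` holding an empty hashref. process_host starts and ends outside this hunk.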
|
||||
|
@ -36,7 +36,7 @@ FORMAT 2
|
||||
# The following magic provides different defaults for $2 thru $5, when $1 is
|
||||
# 'audit'.
|
||||
#
|
||||
BEGIN PERL
|
||||
BEGIN PERL;
|
||||
use Shorewall::Config;
|
||||
|
||||
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
|
||||
@ -54,7 +54,7 @@ if ( defined $p1 ) {
|
||||
|
||||
1;
|
||||
|
||||
END PERL
|
||||
END PERL;
|
||||
|
||||
DEFAULTS -,REJECT,DROP,ACCEPT,DROP
|
||||
|
||||
|
@ -32,7 +32,7 @@ FORMAT 2
|
||||
# The following magic provides different defaults for $2 thru $5, when $1 is
|
||||
# 'audit'.
|
||||
#
|
||||
BEGIN PERL
|
||||
BEGIN PERL;
|
||||
use Shorewall::Config;
|
||||
|
||||
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
|
||||
@ -50,7 +50,7 @@ if ( defined $p1 ) {
|
||||
|
||||
1;
|
||||
|
||||
END PERL
|
||||
END PERL;
|
||||
|
||||
DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
|
||||
|
||||
|
@ -1,5 +1,35 @@
|
||||
Changes in Shorewall 4.4.21.2
|
||||
|
||||
1) Correct reference accounting when long port lists are split.
|
||||
|
||||
Changes in Shorewall 4.4.21.1
|
||||
|
||||
1) Update release documents.
|
||||
|
||||
2) Add IPSET_V5 to %capdesc.
|
||||
|
||||
3) Correct addition of orphan chain FORWAR.
|
||||
|
||||
4) Fix -j SNAT --to-address ... --persistent
|
||||
|
||||
5) Fix LOGMARK.
|
||||
|
||||
Changes in Shorewall 4.4.21 Final
|
||||
|
||||
1) Update release documents.
|
||||
|
||||
2) Correct handling of IPv6 address in TPROXY.
|
||||
|
||||
Changes in Shorewall 4.4.21 RC 3
|
||||
|
||||
1) Make shorewall[6].conf quoting consistent with 'update'.
|
||||
|
||||
2) Implement parameterized default actions in IPv6
|
||||
|
||||
3) Use local config in load and reload
|
||||
|
||||
Changes in Shorewall 4.4.21 RC 2
|
||||
|
||||
1) Correct code generated by TPROXY.
|
||||
|
||||
2) Make 'fallback' and 'balance' mutually exclusive.
|
||||
|
@ -51,7 +51,7 @@ TCP_FLAGS_LOG_LEVEL=info
|
||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||
###############################################################################
|
||||
|
||||
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
|
||||
CONFIG_PATH="/etc/shorewall:/usr/share/shorewall"
|
||||
|
||||
IPTABLES=
|
||||
|
||||
@ -61,7 +61,7 @@ IPSET=
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
|
||||
|
||||
PERL=/usr/bin/perl
|
||||
|
||||
@ -77,11 +77,11 @@ TC=
|
||||
# D E F A U L T A C T I O N S / M A C R O S
|
||||
###############################################################################
|
||||
|
||||
ACCEPT_DEFAULT="none"
|
||||
DROP_DEFAULT="Drop"
|
||||
NFQUEUE_DEFAULT="none"
|
||||
QUEUE_DEFAULT="none"
|
||||
REJECT_DEFAULT="Reject"
|
||||
ACCEPT_DEFAULT=none
|
||||
DROP_DEFAULT=Drop
|
||||
NFQUEUE_DEFAULT=none
|
||||
QUEUE_DEFAULT=none
|
||||
REJECT_DEFAULT=Reject
|
||||
|
||||
###############################################################################
|
||||
# R S H / R C P C O M M A N D S
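Review bot: The quoting changes go in opposite directions within this file: `CONFIG_PATH` and `PATH` gain double quotes while `ACCEPT_DEFAULT=none` through `REJECT_DEFAULT=Reject` lose theirs, and nothing in the file says which rule applies. If the rule is the one the changelog on this page gives ("make shorewall[6].conf quoting consistent with 'update'"), a one-line comment near the top of the file stating which values the update command quotes would stop the next editor from re-quoting them. Both forms are valid shell, so this is about making the convention discoverable rather than about correctness.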
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.21
|
||||
VERSION=xxx #The Build script inserts the actual version
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,2 +1,38 @@
|
||||
1) On systems running Upstart, shorewall-init cannot reliably secure
|
||||
the firewall before interfaces are brought up.
|
||||
|
||||
2) A harmless 'unitialized variable' diagnostic is issued by the
|
||||
compiler when it is displaying the capabilities.
|
||||
|
||||
Corrected in Shorewall 4.4.21.
|
||||
|
||||
3) As the result of a typo, an orphan filter chain named FORWAR can
|
||||
be created under rare circumstances. This chain is deleted by
|
||||
OPTIMIZE level 4.
|
||||
|
||||
Corrected in Shorewall 4.4.21.
|
||||
|
||||
4) The SNAT options --persistent and --randomize (/etc/shorewall/masq)
|
||||
generate invalid iptables input.
|
||||
|
||||
Corrected in Shorewall 4.4.21.
|
||||
|
||||
5) The LOGMARK log level was generated invalid iptables input making
|
||||
it unusable.
|
||||
|
||||
Corrected in Shorewall 4.4.21.
|
||||
|
||||
6) Under rare conditions, long port lists (>15 ports) can result in
|
||||
the following failure when optimization level 4 is enabled.
|
||||
|
||||
Use of uninitialized value in numeric gt (>)
|
||||
at /usr/share/shorewall/Shorewall/Chains.pm line 1264.
|
||||
|
||||
ERROR: Internal error in
|
||||
Shorewall::Chains::decrement_reference_count at
|
||||
/usr/share/shorewall/Shorewall/Chains.pm line 1264
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -13,6 +13,7 @@
|
||||
# copy.
|
||||
#
|
||||
###############################################################################
|
||||
loadmodule xt_set
|
||||
loadmodule ip_set
|
||||
loadmodule ip_set_iphash
|
||||
loadmodule ip_set_ipmap
|
||||
|
@ -1,5 +1,5 @@
|
||||
----------------------------------------------------------------------------
|
||||
S H O R E W A L L 4 . 4 . 2 1
|
||||
S H O R E W A L L 4 . 4 . 2 1 . 1
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
I. PROBLEMS CORRECTED IN THIS RELEASE
|
||||
@ -13,6 +13,37 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
||||
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
4.4.21.1
|
||||
|
||||
1) A harmless Perl runtime "uninitialized variable" diagnostic has
|
||||
been eliminated from the compiler. The diagnostic was issued while
|
||||
displaying the capabilities.
|
||||
|
||||
2) As the result of a typo, an orphan filter chain named FORWAR could
|
||||
be created under rare circumstances. This chain was deleted by
|
||||
OPTIMIZE level 4.
|
||||
|
||||
3) The SNAT options --persistent and --randomize now work properly
|
||||
(/etc/shorewall/masq).
|
||||
|
||||
4) The LOGMARK log level was previously generated invalid iptables
|
||||
input making it unusable. That has been corrected.
|
||||
|
||||
The syntax for LOGMARK is now:
|
||||
|
||||
LOGMARK(<priority>)
|
||||
|
||||
where <priority> is a syslog priority (1-7 or debug, info, notice,
|
||||
etc.).
|
||||
|
||||
Example rule:
|
||||
|
||||
#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
LOG:LOGMARK(info) lan dmz udp 1234
|
||||
|
||||
4.4.21 Final
|
||||
|
||||
1) All problems corrections included in Shorewall 4.4.20.1 - 4.4.20.3
|
||||
(see below).
|
||||
|
||||
@ -42,6 +73,42 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
||||
have always been mutually exclusive but the compiler previously
|
||||
didn't enforce that restriction. Now it does.
|
||||
|
||||
5) The Shorewall and Shorewall6 'load' and 'reload' commands
|
||||
previously used the setting of RSH_COMMAND and RCP_COMMAND from
|
||||
/etc/shorewall/shorewall.conf (/etc/shorewall6/shorewall6.conf).
|
||||
|
||||
These commands now use the .conf file in the current working
|
||||
directory.
|
||||
|
||||
6) The ipset modules are now automatically loaded by Shorewall6 when
|
||||
LOAD_HELPERS_ONLY=No is specified in shorewall6.conf. Additionally,
|
||||
there is now a /usr/share/shorewall6/modules.ipset file that lists
|
||||
all of the required modules.
|
||||
|
||||
7) TPROXY was previously not described in shorewall-tcrules(5) or
|
||||
shorewall6-tcrules(5). These descriptions have been added.
|
||||
|
||||
In addition, Shorewall6 now correctly handles the third TPROXY
|
||||
parameter (<ip address>). Previously, the following error was
|
||||
generated:
|
||||
|
||||
ERROR: Invalid MARK (TPROXY(10,3128,::1)) :
|
||||
/etc/shorewall6/tcrules (line 4)
|
||||
|
||||
8) With LOAD_HELPERS_ONLY=Yes, the compiler could use the deprectated
|
||||
--set parameter to the ipset match when --match-set was
|
||||
appropriate.
|
||||
|
||||
9) If 'shorewall clear' was executed when there was no
|
||||
/var/lib/shorewall/firewall file, the following incorrect error
|
||||
message was produced:
|
||||
|
||||
ERROR: Shorewall6 has never been started
|
||||
|
||||
The message now reads:
|
||||
|
||||
ERROR: Shorewall has never been started
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
I I. K N O W N P R O B L E M S R E M A I N I N G
|
||||
----------------------------------------------------------------------------
|
||||
@ -65,7 +132,9 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
||||
|
||||
Where <def1> is the default value for the first parameter, <def2>
|
||||
is the default value for the second parameter and so on. To specify
|
||||
an empty default, use '-'.
|
||||
an empty default, use '-'. Note that the corresponding parameter
|
||||
variable ($n) will still expand to '-' but will be treated as empty
|
||||
by the builtin actions such as dropInvalid.
|
||||
|
||||
The DEFAULTS directive also determines the maximum number of
|
||||
parameters that an action may have. If more parameters are passed
|
||||
|
@ -1278,12 +1278,17 @@ reload_command() # $* = original arguments less the command.
|
||||
[ -f $capabilities ] || getcaps=Yes
|
||||
fi
|
||||
|
||||
if [ -n "$getcaps" ]; then
|
||||
if [ -f $directory/shorewall.conf ]; then
|
||||
. $directory/shorewall.conf
|
||||
ensure_config_path
|
||||
if [ -f $directory/shorewall.conf ]; then
|
||||
if [ -f $directory/params ]; then
|
||||
. $directory/params
|
||||
fi
|
||||
|
||||
. $directory/shorewall.conf
|
||||
|
||||
ensure_config_path
|
||||
fi
|
||||
|
||||
if [ -n "$getcaps" ]; then
|
||||
[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
|
||||
|
||||
progress_message "Getting Capabilities on system $system..."
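Review bot: The new block tests and sources `$directory/shorewall.conf` and `$directory/params` unquoted (`if [ -f $directory/shorewall.conf ]; then`, `. $directory/params`), so a `$directory` containing whitespace turns the `-f` test into a syntax error and the `.` into a lookup of the wrong path; the `[ -n "$getcaps" ]` line in the same hunk shows the quoted style the file already uses. Quote the path in all four new places, e.g. `if [ -f "$directory/shorewall.conf" ]; then`. Moving the sourcing out from under `$getcaps` also means `params` is now executed on every reload that has a local config, not only when capabilities are fetched; the release notes on this page say load/reload now use the local .conf, so that is presumably intended, but a comment on the `if` line would make it explicit, since sourcing `params` runs shell code from the working directory. reload_command starts and ends outside this hunk.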
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall
|
||||
%define version 4.4.21
|
||||
%define release 0base
|
||||
%define release 2
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -111,8 +111,16 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
|
||||
|
||||
%changelog
|
||||
* Wed Jun 29 2011 Tom Eastep tom@shorewall.net
|
||||
* Sat Jul 23 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-2
|
||||
* Mon Jul 11 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-1
|
||||
* Wed Jul 06 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0base
|
||||
* Mon Jul 04 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0RC3
|
||||
* Sun Jul 03 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0RC2
|
||||
* Thu Jun 23 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0RC1
|
||||
* Sun Jun 19 2011 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.21
|
||||
VERSION=xxx #The Build script inserts the actual version
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
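Review bot: With `VERSION=xxx` the script's version now depends entirely on the build step substituting the placeholder; if an unsubstituted copy is ever shipped or run, whatever the rest of the script (outside the hunk) does with VERSION will see the literal string xxx next to the "You may only use this script to uninstall the version shown below" comment. A fail-closed guard right after the assignment, `[ "$VERSION" = xxx ] && { echo "$0: VERSION was not substituted at build time" >&2; exit 1; }`, costs one line and makes that failure obvious. The comment wording also differs between copies ("The Build script inserts" here, "The build script will insert" in the install.sh hunks); worth unifying. The same placeholder change is made in the four other VERSION hunks of this commit, and `usage()` runs past the hunk.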
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.21
|
||||
VERSION=xxx #The build script will insert the actual version
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall6-lite
|
||||
%define version 4.4.21
|
||||
%define release 0base
|
||||
%define release 2
|
||||
|
||||
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -94,8 +94,16 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Wed Jun 29 2011 Tom Eastep tom@shorewall.net
|
||||
* Sat Jul 23 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-2
|
||||
* Mon Jul 11 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-1
|
||||
* Wed Jul 06 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0base
|
||||
* Mon Jul 04 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0RC3
|
||||
* Sun Jul 03 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0RC2
|
||||
* Thu Jun 23 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0RC1
|
||||
* Sun Jun 19 2011 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.21
|
||||
VERSION=xxx #The Build script inserts the actual version
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -8,33 +8,37 @@
|
||||
###############################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
|
||||
FORMAT 2
|
||||
DEFAULTS ACCEPT
|
||||
|
||||
COMMENT Needed ICMP types (RFC4890)
|
||||
|
||||
ACCEPT - - ipv6-icmp destination-unreachable
|
||||
ACCEPT - - ipv6-icmp packet-too-big
|
||||
ACCEPT - - ipv6-icmp time-exceeded
|
||||
ACCEPT - - ipv6-icmp parameter-problem
|
||||
$1 - - ipv6-icmp destination-unreachable
|
||||
$1 - - ipv6-icmp packet-too-big
|
||||
$1 - - ipv6-icmp time-exceeded
|
||||
$1 - - ipv6-icmp parameter-problem
|
||||
|
||||
# The following should have a ttl of 255 and must be allowed to transit a bridge
|
||||
ACCEPT - - ipv6-icmp router-solicitation
|
||||
ACCEPT - - ipv6-icmp router-advertisement
|
||||
ACCEPT - - ipv6-icmp neighbour-solicitation
|
||||
ACCEPT - - ipv6-icmp neighbour-advertisement
|
||||
ACCEPT - - ipv6-icmp 137 # Redirect
|
||||
ACCEPT - - ipv6-icmp 141 # Inverse neighbour discovery solicitation
|
||||
ACCEPT - - ipv6-icmp 142 # Inverse neighbour discovery advertisement
|
||||
$1 - - ipv6-icmp router-solicitation
|
||||
$1 - - ipv6-icmp router-advertisement
|
||||
$1 - - ipv6-icmp neighbour-solicitation
|
||||
$1 - - ipv6-icmp neighbour-advertisement
|
||||
$1 - - ipv6-icmp 137 # Redirect
|
||||
$1 - - ipv6-icmp 141 # Inverse neighbour discovery solicitation
|
||||
$1 - - ipv6-icmp 142 # Inverse neighbour discovery advertisement
|
||||
|
||||
# The following should have a link local source address and must be allowed to transit a bridge
|
||||
ACCEPT fe80::/10 - ipv6-icmp 130 # Listener query
|
||||
ACCEPT fe80::/10 - ipv6-icmp 131 # Listener report
|
||||
ACCEPT fe80::/10 - ipv6-icmp 132 # Listener done
|
||||
ACCEPT fe80::/10 - ipv6-icmp 143 # Listener report v2
|
||||
$1 fe80::/10 - ipv6-icmp 130 # Listener query
|
||||
$1 fe80::/10 - ipv6-icmp 131 # Listener report
|
||||
$1 fe80::/10 - ipv6-icmp 132 # Listener done
|
||||
$1 fe80::/10 - ipv6-icmp 143 # Listener report v2
|
||||
|
||||
# The following should be received with a ttl of 255 and must be allowed to transit a bridge
|
||||
ACCEPT - - ipv6-icmp 148 # Certificate path solicitation
|
||||
ACCEPT - - ipv6-icmp 149 # Certificate path advertisement
|
||||
$1 - - ipv6-icmp 148 # Certificate path solicitation
|
||||
$1 - - ipv6-icmp 149 # Certificate path advertisement
|
||||
|
||||
# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
|
||||
ACCEPT fe80::/10 - ipv6-icmp 151 # Multicast router advertisement
|
||||
ACCEPT fe80::/10 - ipv6-icmp 152 # Multicast router solicitation
|
||||
ACCEPT fe80::/10 - ipv6-icmp 153 # Multicast router termination
|
||||
$1 fe80::/10 - ipv6-icmp 151 # Multicast router advertisement
|
||||
$1 fe80::/10 - ipv6-icmp 152 # Multicast router solicitation
|
||||
$1 fe80::/10 - ipv6-icmp 153 # Multicast router termination
|
||||
|
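Review bot: The new `$1` target column is neither documented nor validated: a caller can pass DROP or REJECT and an action named AllowICMPs will then block the ICMPv6 types whose comments describe them as required for neighbour discovery and for transiting a bridge. At minimum add a header line such as `# $1 - target applied to the listed ICMPv6 types; default ACCEPT (see DEFAULTS)`; the Drop and Reject action files in this same commit show how a BEGIN PERL block can reject unexpected parameter values with fatal_error. Note also that the "should have a ttl of 255" and "link local source" remarks are expectations rather than matches, since only the fe80::/10 lines constrain the source and nothing here checks the hop limit; wording them as such would stop readers from assuming the rules enforce them.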
@ -15,38 +15,78 @@
|
||||
# c) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# The action accepts five optional parameters:
|
||||
#
|
||||
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
|
||||
# actions.
|
||||
# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
|
||||
# depending on the setting of the first parameter.
|
||||
# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
|
||||
# depending on the setting of the first parameter.
|
||||
# 4 - Action to take with required ICMP packets. Default is ACCEPT or
|
||||
# A_ACCEPT depending on the first parameter.
|
||||
# 5 - Action to take with late UDP replies (UDP source port 53). Default
|
||||
# is DROP or A_DROP depending on the first parameter.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
#
|
||||
###############################################################################
|
||||
FORMAT 2
|
||||
#
|
||||
# The following magic provides different defaults for $2 thru $5, when $1 is
|
||||
# 'audit'.
|
||||
#
|
||||
BEGIN PERL;
|
||||
use Shorewall::Config;
|
||||
|
||||
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
|
||||
|
||||
if ( defined $p1 ) {
|
||||
if ( $p1 eq 'audit' ) {
|
||||
set_action_param( 2, 'A_REJECT') unless supplied $p2;
|
||||
set_action_param( 3, 'A_DROP') unless supplied $p3;
|
||||
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
|
||||
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
|
||||
} else {
|
||||
fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
END PERL;
|
||||
|
||||
DEFAULTS -,REJECT,DROP,ACCEPT,DROP
|
||||
|
||||
#TARGET SOURCE DEST PROTO DPORT SPORT
|
||||
#
|
||||
# Reject 'auth'
|
||||
#
|
||||
Auth(REJECT)
|
||||
Auth($2)
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
AllowICMPs - - ipv6-icmp
|
||||
AllowICMPs($4) - - ipv6-icmp
|
||||
#
|
||||
# Drop Broadcasts so they don't clutter up the log
|
||||
# (broadcasts must *not* be rejected).
|
||||
#
|
||||
dropBcast
|
||||
dropBcast($1)
|
||||
#
|
||||
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
||||
# and just confuse people when they appear in the log.
|
||||
#
|
||||
dropInvalid
|
||||
dropInvalid($1)
|
||||
#
|
||||
# Drop Microsoft noise so that it doesn't clutter up the log.
|
||||
#
|
||||
SMB(DROP)
|
||||
SMB($3)
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
dropNotSyn - - tcp
|
||||
dropNotSyn($1) - - tcp
|
||||
#
|
||||
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
|
||||
# the log.
|
||||
#
|
||||
DropDNSrep
|
||||
DropDNSrep($5)
|
||||
|
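Review bot: The header's item "c)" still promises that the required ICMP packets "are always ACCEPTed", but the new `AllowICMPs($4)` line lets the caller choose any target for parameter 4, and the BEGIN PERL block validates only `$p1`. Either reword the header, e.g. `# c) Pass the ICMP packets that are necessary for successful internet operation to the target given by parameter 4 (default ACCEPT).`, or add a check next to the existing `fatal_error` that rejects anything other than ACCEPT/A_ACCEPT for `$p4`, since a DROP there would silently break things like packet-too-big handling. The Reject action's item "b)" in the next hunk has the same stale wording.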
@ -12,39 +12,79 @@
|
||||
# b) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# The action accepts five optional parameters:
|
||||
#
|
||||
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
|
||||
# actions.
|
||||
# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
|
||||
# depending on the setting of the first parameter.
|
||||
# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
|
||||
# depending on the setting of the first parameter.
|
||||
# 4 - Action to take with required ICMP packets. Default is ACCEPT or
|
||||
# A_ACCEPT depending on the first parameter.
|
||||
# 5 - Action to take with late UDP replies (UDP source port 53). Default
|
||||
# is DROP or A_DROP depending on the first parameter.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
###############################################################################
|
||||
FORMAT 2
|
||||
#
|
||||
# The following magic provides different defaults for $2 thru $5, when $1 is
|
||||
# 'audit'.
|
||||
#
|
||||
BEGIN PERL;
|
||||
use Shorewall::Config;
|
||||
|
||||
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
|
||||
|
||||
if ( defined $p1 ) {
|
||||
if ( $p1 eq 'audit' ) {
|
||||
set_action_param( 2, 'A_REJECT') unless supplied $p2;
|
||||
set_action_param( 3, 'A_REJECT') unless supplied $p3;
|
||||
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
|
||||
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
|
||||
} else {
|
||||
fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
END PERL;
|
||||
|
||||
DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
|
||||
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
# Don't log 'auth' -- REJECT
|
||||
#
|
||||
Auth(REJECT)
|
||||
Auth($2)
|
||||
#
|
||||
# Drop Multicasts so they don't clutter up the log
|
||||
# (broadcasts must *not* be rejected).
|
||||
#
|
||||
AllowICMPs - - ipv6-icmp
|
||||
AllowICMPs($4) - - ipv6-icmp
|
||||
#
|
||||
# Drop Broadcasts so they don't clutter up the log
|
||||
# (broadcasts must *not* be rejected).
|
||||
#
|
||||
dropBcast
|
||||
dropBcast($1)
|
||||
#
|
||||
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
||||
# and just confuse people when they appear in the log (these ICMPs cannot be
|
||||
# rejected).
|
||||
#
|
||||
dropInvalid
|
||||
dropInvalid($1)
|
||||
#
|
||||
# Reject Microsoft noise so that it doesn't clutter up the log.
|
||||
#
|
||||
SMB(REJECT)
|
||||
SMB($3)
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
dropNotSyn - - tcp
|
||||
dropNotSyn($1) - - tcp
|
||||
#
|
||||
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
|
||||
# the log.
|
||||
#
|
||||
DropDNSrep
|
||||
DropDNSrep($5)
|
||||
|
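Review bot: The comment block directly above the rewritten `AllowICMPs($4)` line reads `# Drop Multicasts so they don't clutter up the log` / `# (broadcasts must *not* be rejected).`, which describes neither that rule nor the dropBcast entry a few lines below; it looks like a copy-and-paste leftover and now heads a line this commit changes. Replace it with `# Pass critical ICMP types to the target given by parameter 4 (default ACCEPT)` so it matches the wording used for the same rule in the Drop action.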
@ -50,7 +50,7 @@ TCP_FLAGS_LOG_LEVEL=info
|
||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||
###############################################################################
|
||||
|
||||
CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
|
||||
CONFIG_PATH="/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall"
|
||||
|
||||
IP6TABLES=
|
||||
|
||||
@ -62,7 +62,7 @@ MODULESDIR=
|
||||
|
||||
PERL=/usr/bin/perl
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
|
||||
|
||||
RESTOREFILE=restore
|
||||
|
||||
@ -76,11 +76,11 @@ TC=
|
||||
# D E F A U L T A C T I O N S / M A C R O S
|
||||
###############################################################################
|
||||
|
||||
ACCEPT_DEFAULT="none"
|
||||
DROP_DEFAULT="Drop"
|
||||
NFQUEUE_DEFAULT="none"
|
||||
QUEUE_DEFAULT="none"
|
||||
REJECT_DEFAULT="Reject"
|
||||
ACCEPT_DEFAULT=none
|
||||
DROP_DEFAULT=Drop
|
||||
NFQUEUE_DEFAULT=none
|
||||
QUEUE_DEFAULT=none
|
||||
REJECT_DEFAULT=Reject
|
||||
|
||||
###############################################################################
|
||||
# R S H / R C P C O M M A N D S
|
||||
|
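Review bot: Quoting is now inconsistent within shorewall6.conf: print order suggests this hunk strips the quotes from `ACCEPT_DEFAULT=none` and the other four *_DEFAULT settings, while the two hunks above add quotes to CONFIG_PATH and PATH. If the settings reader treats both forms the same, pick one style and apply it across the file; if there is a reason for the split (for example the *_DEFAULT values being consumed by a reader that does not strip quotes), a one-line comment above the block would keep the next person from "fixing" it back.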
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.21
|
||||
VERSION=xxx #The build script will insert the actual version
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1670,8 +1670,8 @@ determine_capabilities() {
|
||||
|
||||
if qt ipset -N $chain hash:ip family inet6; then
|
||||
IPSET_V5=Yes
|
||||
if qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
|
||||
qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
|
||||
if qt $IP6TABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
|
||||
qt $IP6TABLES -D $chain -m set --match-set $chain src -j ACCEPT
|
||||
IPSET_MATCH=Yes
|
||||
elif qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
|
||||
qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
|
||||
|
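Review bot: The new `--match-set` probe sets `IPSET_MATCH=Yes` on success, but the `elif` fallback to the older `--set` spelling gives the rest of the system no visible way to learn which syntax worked, so whichever form the rule compiler emits will be wrong on one of the two ip6tables generations unless that knowledge comes from elsewhere. Consider recording the outcome separately in the fallback branch, e.g. a flag along the lines of `IPSET_MATCH_OLD=Yes` (placeholder name), or add a comment stating why the distinction does not matter. The remainder of the elif branch and the rest of determine_capabilities are outside the hunk, so if they already record this, ignore the point.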
@ -26,6 +26,10 @@ INCLUDE modules.xtables
|
||||
#
|
||||
INCLUDE helpers
|
||||
#
|
||||
# Ipset
|
||||
#
|
||||
INCLUDE modules.ipset
|
||||
#
|
||||
# Traffic Shaping
|
||||
#
|
||||
INCLUDE modules.tc
|
||||
|
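--- /dev/null
+++ b/Shorewall6/modules.ipset
@@ -0,0 +1,27 @@
+#
+# Shorewall version 4 - IP Set Modules File
+#
+# /usr/share/shorewall6/modules.ipset
+#
+# This file loads the modules that may be needed by the firewall.
+#
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
+#
+# If you need to modify this file, copy it to /etc/shorewall6 and modify the
+# copy.
+#
+###############################################################################
+loadmodule xt_set
+loadmodule ip_set
+loadmodule ip_set_iphash
+loadmodule ip_set_ipmap
+loadmodule ip_set_ipporthash
+loadmodule ip_set_iptree
+loadmodule ip_set_iptreemap
+loadmodule ip_set_macipmap
+loadmodule ip_set_nethash
+loadmodule ip_set_portmap
+loadmodule ipt_SET
+loadmodule ipt_set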
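Review bot: The file's own header insists on dependency order, yet `loadmodule xt_set` comes before `loadmodule ip_set`; in the kernels I am aware of xt_set depends on ip_set, so either swap the two lines or add a note that loadmodule tolerates this (loadmodule itself is not visible here). The `ip_set_*` and `ipt_set`/`ipt_SET` entries appear to be the pre-xt_set module generation, which to my knowledge has no IPv6 support, so in a file installed under /usr/share/shorewall6 a comment explaining why they are listed would save the next reader a module hunt, e.g. `# ip_set_*/ipt_set are the pre-xt_set module names; listed for older kernels.`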
@ -1279,12 +1279,17 @@ reload_command() # $* = original arguments less the command.
|
||||
[ -f $capabilities ] || getcaps=Yes
|
||||
fi
|
||||
|
||||
if [ -n "$getcaps" ]; then
|
||||
if [ -f $directory/shorewall6.conf ]; then
|
||||
. $directory/shorewall6.conf
|
||||
ensure_config_path
|
||||
if [ -f $directory/shorewall6.conf ]; then
|
||||
if [ -f $directory/params ]; then
|
||||
. $directory/params
|
||||
fi
|
||||
|
||||
. $directory/shorewall6.conf
|
||||
|
||||
ensure_config_path
|
||||
fi
|
||||
|
||||
if [ -n "$getcaps" ]; then
|
||||
[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
|
||||
|
||||
progress_message "Getting Capabilities on system $system..."
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall6
|
||||
%define version 4.4.21
|
||||
%define release 0base
|
||||
%define release 2
|
||||
|
||||
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -101,8 +101,16 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
|
||||
|
||||
%changelog
|
||||
* Wed Jun 29 2011 Tom Eastep tom@shorewall.net
|
||||
* Sat Jul 23 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-2
|
||||
* Mon Jul 11 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-1
|
||||
* Wed Jul 06 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0base
|
||||
* Mon Jul 04 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0RC3
|
||||
* Sun Jul 03 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0RC2
|
||||
* Thu Jun 23 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.21-0RC1
|
||||
* Sun Jun 19 2011 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.21
|
||||
VERSION=xxx #The Build script inserts the actual version
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -372,10 +372,7 @@ REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
|
||||
|
||||
<para>Example: ACTION(REDIRECT,-,info)</para>
|
||||
|
||||
<para>In the above example, $2 would expand to nothing.</para>
|
||||
|
||||
<para>If you want to make '-' a parameter value, use '--' (e.g.,
|
||||
ACTION(REDIRECT,--.info)).</para>
|
||||
<para>In the above example, $2 would expand to '-'.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.21, you can specify the default
|
||||
values of your FORMAT-2 actions:</para>
|
||||
|
@ -130,6 +130,15 @@
|
||||
<para>The files from the web site that are maintained in HTML format.
|
||||
are kept in this directory.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>release</title>
|
||||
|
||||
<para>Added in Shorewall 4.4.22, this directory contains the files that
|
||||
contain release-dependent information (change.txt, releasenotes.txt,
|
||||
.spec files, etc). This is actually a symbolic link to ../release which
|
||||
has it's own Git repository.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@ -156,7 +165,7 @@
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>build44</title>
|
||||
<title>build</title>
|
||||
|
||||
<para>This is the script that builds Shorewall 4.4 packages from
|
||||
Git.</para>
|
||||
@ -270,8 +279,8 @@
|
||||
<para>The general form of the build command is:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>build44</command> [ -<replaceable>options</replaceable>
|
||||
] <replaceable>release</replaceable> [ <replaceable>prior
|
||||
<para><command>build</command> [ -<replaceable>options</replaceable> ]
|
||||
<replaceable>release</replaceable> [ <replaceable>prior
|
||||
release</replaceable> ]</para>
|
||||
</blockquote>
|
||||
|
||||
@ -383,28 +392,27 @@
|
||||
4.3.6:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>build44 4.3.7 4.3.6</command></para>
|
||||
<para><command>build 4.3.7 4.3.6</command></para>
|
||||
</blockquote>
|
||||
|
||||
<para>Example 2 - Build Shorewall 4.2.7.1 Shorewall and generate patches
|
||||
against 4.2.7:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>build44 -trc 4.3.7.1 4.3.7</command></para>
|
||||
<para><command>build -trc 4.3.7.1 4.3.7</command></para>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>upload44</title>
|
||||
<title>upload</title>
|
||||
|
||||
<para>This script is used to upload a release to www1.shorewall.net. The
|
||||
command is run in the build directory for the major release of the
|
||||
command is run in the build directory for the minor release of the
|
||||
product.</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>upload44</command> [
|
||||
-<replaceable>products</replaceable> ]
|
||||
<replaceable>release</replaceable></para>
|
||||
<para><command>upload</command> [ -<replaceable>products</replaceable>
|
||||
] <replaceable>release</replaceable></para>
|
||||
</blockquote>
|
||||
|
||||
<para>where</para>
|
||||
@ -474,13 +482,13 @@
|
||||
<para>Example 1 - Upload release 4.3.7:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>upload44 4.3.7</command></para>
|
||||
<para><command>upload 4.3.7</command></para>
|
||||
</blockquote>
|
||||
|
||||
<para>Example 2 - Upload shorewall-4.3.7.3:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>upload44 -c 4.3.7.3</command></para>
|
||||
<para><command>upload -c 4.3.7.3</command></para>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
|
40
docs/FAQ.xml
@ -341,6 +341,12 @@ DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</empha
|
||||
sniffer such as tcpdump or Wireshark to further diagnose the
|
||||
problem.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The traffic is entering your firewall on a different
|
||||
interface (interfaces reversed in
|
||||
<filename>/etc/shorewall/interfaces</filename>?).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
|
||||
@ -2810,5 +2816,39 @@ EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
|
||||
If you simply want to allow all traffic between ports, then see <ulink
|
||||
url="SimpleBridge.html">http://www.shorewall.net/SimpleBridge.html</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section id="faq95">
|
||||
<title>(FAQ 95) What is this $FW that I see in the configuration files
|
||||
and documentation?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer: FW</emphasis> is a <ulink
|
||||
url="configuration_file_basics.htm#Variables">shell variable</ulink>
|
||||
that expands to the name that you gave to the firewall zone in <ulink
|
||||
url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5). The
|
||||
default name for the firewall zone is <emphasis
|
||||
role="bold">fw</emphasis>:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
<emphasis role="bold">fw</emphasis> firewall</programlisting>
|
||||
|
||||
<para>So, using the default or sample configurations, writing <emphasis
|
||||
role="bold">$FW</emphasis> is the same as writing <emphasis
|
||||
role="bold">fw</emphasis>. If you give the firewall zone a different
|
||||
name, <emphasis role="bold">gate</emphasis> for example, then writing
|
||||
<emphasis role="bold">$FW</emphasis> would be the same as writing
|
||||
<emphasis role="bold">gate</emphasis>.</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS
|
||||
<emphasis role="bold">gate</emphasis> firewall</programlisting>
|
||||
|
||||
<section id="faq95a">
|
||||
<title>Why was that done?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer:</emphasis> The firewall zone has
|
||||
special semantics, so having a way to refer to it in a
|
||||
configuration-independent way makes writing the documentation,
|
||||
examples, macros, etc. easier.</para>
|
||||
</section>
|
||||
</section>
|
||||
</section>
|
||||
</article>
|
||||
|
@ -421,6 +421,15 @@ FTP(ACCEPT) dmz net</programlisting>
|
||||
|
||||
<programlisting>Apr 28 23:55:09 gateway kernel: conntrack_ftp: partial PORT 715014972+1</programlisting>
|
||||
|
||||
<para>or this one:</para>
|
||||
|
||||
<programlisting>21:37:40 insert-master kernel: [832161.057782] <emphasis
|
||||
role="bold">nf_ct_ftp: dropping
|
||||
packet</emphasis> IN=eth4 OUT= MAC=00:0a:cd:1a:d1:95:00:22:6b:be:3c:41:08:00
|
||||
SRC=66.199.187.46 DST=192.168.41.1 LEN=102 TOS=0x00 PREC=0x00 TTL=45
|
||||
ID=30239 DF PROTO=TCP SPT=21 DPT=50892 SEQ=698644583 ACK=3438176321
|
||||
WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1</programlisting>
|
||||
|
||||
<para>I see this problem occasionally with the FTP server in my DMZ. My
|
||||
solution is to add the following rule:</para>
|
||||
|
||||
|
@ -1598,6 +1598,30 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
|
||||
passes, one of the bursts will be regained; if no packets hit the rule for
|
||||
30 seconds, the burst will be fully recharged; back where we
|
||||
started.</para>
|
||||
|
||||
<note>
|
||||
<para>The LOGRATE and LOGBURST options are deprecated in favor of
|
||||
LOGLIMIT.</para>
|
||||
</note>
|
||||
|
||||
<para>Shorewall also supports per-IP rate limiting. </para>
|
||||
|
||||
<para>Another example from <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
|
||||
|
||||
<simplelist>
|
||||
<member>LOGLIMIT="s:5/min:5"</member>
|
||||
</simplelist>
|
||||
|
||||
<para>Here, the leading "s:" indicates that logging is to be limited by
|
||||
source IP address ("d:" would indicate limiting by destination IP
|
||||
address).</para>
|
||||
|
||||
<para>"s:" is followed by the rate (5 messages per minute) and the burst
|
||||
(5).</para>
|
||||
|
||||
<para>The rate and limit arguments have the same meaning as in the example
|
||||
above.</para>
|
||||
</section>
|
||||
|
||||
<section id="Logical">
|
||||
|
@ -43,26 +43,11 @@
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
|
||||
{<emphasis>value</emphasis>|<emphasis>major</emphasis><emphasis
|
||||
role="bold">:</emphasis><emphasis>minor</emphasis>|<emphasis
|
||||
role="bold">RESTORE</emphasis>[<emphasis
|
||||
role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
|
||||
role="bold">SAVE</emphasis>[<emphasis
|
||||
role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
|
||||
role="bold">CONTINUE</emphasis>|<emphasis
|
||||
role="bold">SAME</emphasis>|<emphasis
|
||||
role="bold">COMMENT</emphasis>|<emphasis
|
||||
role="bold">IPMARK</emphasis>[([(<emphasis
|
||||
role="bold">src</emphasis>|<emphasis
|
||||
role="bold">dst</emphasis>}][,[<emphasis>mask1</emphasis>][,[<emphasis>mask2</emphasis>][,[<emphasis>shift</emphasis>]]]]])]}[<emphasis
|
||||
role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
|
||||
role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
|
||||
role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
|
||||
role="bold">CP</emphasis>|<emphasis
|
||||
role="bold">CT</emphasis>|I:CI}]</term>
|
||||
<replaceable>mark</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>May assume one of the following values.</para>
|
||||
<para>Where <replaceable>mark</replaceable> may assume one of the
|
||||
following values.</para>
|
||||
|
||||
<orderedlist numeration="arabic">
|
||||
<listitem>
|
||||
@ -397,6 +382,39 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
above so that all of your <replaceable>minor</replaceable>
|
||||
classes will have a value > 256.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis
|
||||
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
|
||||
|
||||
<para>Transparently redirects a packet without altering the IP
|
||||
header. Requires a local provider to be defined in <ulink
|
||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
|
||||
<para>There are three parameters to TPROXY - only the first
|
||||
(mark) is required:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><replaceable>mark</replaceable> - the MARK value
|
||||
corresponding to the local provider in <ulink
|
||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><replaceable>port</replaceable> - the port on which
|
||||
the proxy server is listening. If omitted, the original
|
||||
destination port.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><replaceable>address</replaceable> - a local (to the
|
||||
firewall) IP address on which the proxy server is listening.
|
||||
If omitted, the IP address of the interface on which the
|
||||
request arrives.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
@ -72,7 +72,19 @@
|
||||
from <ulink
|
||||
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>
|
||||
and can be configured to log all Shorewall messages to their own log
|
||||
file</para>
|
||||
file.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.22, LOGMARK is also a valid level which
|
||||
logs the packet's mark value along with the other usual information. The
|
||||
syntax is:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><emphasis
|
||||
role="bold">LOGMARK</emphasis><replaceable>(priority)</replaceable></member>
|
||||
</simplelist>
|
||||
|
||||
<para>where <replaceable>priority</replaceable> is one of the levels
|
||||
listed in the list above.</para>
|
||||
|
||||
<para>The following options may be set in shorewall.conf.</para>
|
||||
|
||||
|
@ -43,22 +43,11 @@
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
|
||||
{<emphasis>value</emphasis>|<emphasis>major</emphasis><emphasis
|
||||
role="bold">:</emphasis><emphasis>minor</emphasis>|<emphasis
|
||||
role="bold">RESTORE</emphasis>[<emphasis
|
||||
role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
|
||||
role="bold">SAVE</emphasis>[<emphasis
|
||||
role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
|
||||
role="bold">CONTINUE</emphasis>|<emphasis
|
||||
role="bold">COMMENT</emphasis>}[<emphasis
|
||||
role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
|
||||
role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
|
||||
role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
|
||||
role="bold">CP</emphasis>|<emphasis
|
||||
role="bold">CT</emphasis>|I|CI}]</term>
|
||||
<replaceable>mark</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>May assume one of the following values.</para>
|
||||
<para><replaceable>mark</replaceable> may assume one of the
|
||||
following values.</para>
|
||||
|
||||
<orderedlist numeration="arabic">
|
||||
<listitem>
|
||||
@ -290,6 +279,39 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
<para>To stop the comment from being attached to further rules,
|
||||
simply include COMMENT on a line by itself.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis
|
||||
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
|
||||
|
||||
<para>Transparently redirects a packet without altering the IP
|
||||
header. Requires a local provider to be defined in <ulink
|
||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||
|
||||
<para>There are three parameters to TPROXY - only the first
|
||||
(mark) is required:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><replaceable>mark</replaceable> - the MARK value
|
||||
corresponding to the local provider in <ulink
|
||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><replaceable>port</replaceable> - the port on which
|
||||
the proxy server is listening. If omitted, the original
|
||||
destination port.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><replaceable>address</replaceable> - a local (to the
|
||||
firewall) IP address on which the proxy server is listening.
|
||||
If omitted, the IP address of the interface on which the
|
||||
request arrives.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|