Hello community, here is the log from the commit of package SuSEfirewall2 checked in at Sun Jul 8 22:44:23 CEST 2007. -------- --- SuSEfirewall2/SuSEfirewall2.changes 2007-06-21 09:19:07.000000000 +0200 +++ /mounts/work_src_done/NOARCH/SuSEfirewall2/SuSEfirewall2.changes 2007-07-06 15:28:02.000000000 +0200 @@ -1,0 +2,6 @@ +Fri Jul 6 15:27:53 CEST 2007 - lnussel@suse.de + +- New configuration options: FW_NOMASQ_NETS, FW_FORWARD_REJECT, + FW_FORWARD_DROP + +------------------------------------------------------------------- Old: ---- SuSEfirewall2-3.6_SVNr180.tar.bz2 New: ---- SuSEfirewall2-3.6_SVNr181.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SuSEfirewall2.spec ++++++ --- /var/tmp/diff_new_pack.Wtv500/_old 2007-07-08 22:44:10.000000000 +0200 +++ /var/tmp/diff_new_pack.Wtv500/_new 2007-07-08 22:44:10.000000000 +0200 @@ -1,5 +1,5 @@ # -# spec file for package SuSEfirewall2 (Version 3.6_SVNr180) +# spec file for package SuSEfirewall2 (Version 3.6_SVNr181) # # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -12,9 +12,9 @@ # icecream 0 Name: SuSEfirewall2 -Version: 3.6_SVNr180 -Release: 2 -License: GNU General Public License (GPL) +Version: 3.6_SVNr181 +Release: 1 +License: GPL v2 or later Group: Productivity/Networking/Security Provides: personal-firewall SuSEfirewall Obsoletes: personal-firewall SuSEfirewall 
@@ -196,6 +196,9 @@ rm -rf %{buildroot} %changelog +* Fri Jul 06 2007 - lnussel@suse.de +- New configuration options: FW_NOMASQ_NETS, FW_FORWARD_REJECT, + FW_FORWARD_DROP * Thu Jun 21 2007 - lnussel@suse.de - manually move SuSEfirewall2_init from boot.d to runlevel directory (#285872) ++++++ SuSEfirewall2-3.6_SVNr180.tar.bz2 -> SuSEfirewall2-3.6_SVNr181.tar.bz2 ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr180/SuSEfirewall2 new/SuSEfirewall2-3.6_SVNr181/SuSEfirewall2 --- old/SuSEfirewall2-3.6_SVNr180/SuSEfirewall2 2007-06-13 15:38:58.000000000 +0200 +++ new/SuSEfirewall2-3.6_SVNr181/SuSEfirewall2 2007-07-06 15:13:19.000000000 +0200 @@ -1744,8 +1744,15 @@ # <source network>,<destination network>[,protocol[,port[,flags]]] forwarding_rules() { - local nets net1 net2 flags more_args_in more_args_out chain iptables - for nets in $FW_FORWARD; do + local nets net1 net2 flags more_args_in more_args_out chain iptables var services + local target="$1" + if [ "$target" = ACCEPT ]; then + var="FW_FORWARD" + else + var="FW_FORWARD_${target}" + fi + eval services="\"\$$var\"" + for nets in $services; do IFS=, eval set -- \$nets net1="$1" 
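Review bot: The indirect expansion `eval services="\"\$$var\""` in forwarding_rules re-parses the configuration value through the shell; bash's `services="${!var}"` does the same lookup without eval (the script already relies on bash, e.g. `${target:0:3}` in the following hunk). The new `$1` parameter is also accepted unchecked: a misspelt target reads an empty `FW_FORWARD_<x>`, installs nothing and reports nothing, so a guard after the `local target` line such as `case "$target" in ACCEPT|DROP|REJECT) ;; *) error "invalid forward target: $target"; return;; esac` would surface that. forwarding_rules continues past the end of this hunk.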
@@ -1781,19 +1788,19 @@ fi for chain in $forward_zones; do chain=forward_$chain - $LAC $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC-FORW " -s $net1 -d $net2 $proto $port -m state --state NEW $more_args_in - $LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC-FORW " -s $net1 -d $net2 $proto $port $more_args_in - $iptables -A $chain -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s $net1 -d $net2 $proto $port $more_args_in - $iptables -A $chain -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -s $net2 -d $net1 $proto $rport $more_args_in + $LAC $iptables -A $chain ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " -s $net1 -d $net2 $proto $port -m state --state NEW $more_args_in + $LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " -s $net1 -d $net2 $proto $port $more_args_in + $iptables -A $chain -j "$target" -m state --state NEW,ESTABLISHED,RELATED -s $net1 -d $net2 $proto $port $more_args_in + $iptables -A $chain -j "$target" -m state --state ESTABLISHED,RELATED -s $net2 -d $net1 $proto $rport $more_args_in if [ -n "$more_args_out" ]; then - $LAC $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC-FORW " -s $net1 -d $net2 $proto $port -m state --state NEW $more_args_out - $LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC-FORW " -s $net1 -d $net2 $proto $port $more_args_out - $iptables -A $chain -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s $net1 -d $net2 $proto $port $more_args_out - $iptables -A $chain -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -s $net2 -d $net1 $proto $rport $more_args_out + $LAC $iptables -A $chain ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " -s $net1 -d $net2 $proto $port -m state --state NEW $more_args_out + $LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " -s $net1 -d $net2 $proto $port $more_args_out + $iptables -A $chain -j "$target" -m state --state NEW,ESTABLISHED,RELATED -s $net1 -d $net2 $proto $port $more_args_out + $iptables -A $chain -j "$target" -m state --state 
ESTABLISHED,RELATED -s $net2 -d $net1 $proto $rport $more_args_out fi done else - error "too few parameters in FW_FORWARD -> $nets" + error "too few parameters in $var -> $nets" fi done } @@ -1803,7 +1810,12 @@ local nets net1 net2 proto port dev snet2 sport local szone dzone sdev sdevs local z d - for nets in $FW_MASQ_NETS; do + local var='FW_NOMASQ_NETS' + for nets in $FW_NOMASQ_NETS -- $FW_MASQ_NETS; do + if [ "$nets" = '--' ]; then # cheap hack + var='FW_MASQ_NETS' + continue + fi IFS=, eval set -- \$nets net1="$1" @@ -1813,10 +1825,10 @@ rport="" if [ -n "$5" ]; then - error "Too many arguments in FW_MASQ_NETS -> $nets" + error "Too many arguments in $var -> $nets" elif [ -z "$net1" ]; then - error "source network must not be empty in FW_MASQ_NETS -> $nets" - elif [ -z "$proto" -a -z "$port" ] || check_proto_port "$proto" "$port" '' 'FW_MASQ_NETS'; then + error "source network must not be empty in $var -> $nets" + elif [ -z "$proto" -a -z "$port" ] || check_proto_port "$proto" "$port" '' "$var"; then net1=${net1/\!/\! } net2=${net2/\!/\! } snet2="" @@ -1829,6 +1841,11 @@ d=${dev//[^A-Za-z0-9]/_} eval z=\${iface_$d} + if [ "$var" = "FW_NOMASQ_NETS" ]; then # cheap hack + $IPTABLES -A POSTROUTING -j ACCEPT -t nat -s $net1 $net2 $proto $port -o $dev + continue + fi + for dzone in $forward_zones; do dzone=forward_$dzone for szone in $forward_zones; do @@ -2143,7 +2160,9 @@ allow_class_routing - forwarding_rules + forwarding_rules DROP + forwarding_rules REJECT + forwarding_rules ACCEPT if [ "$FW_MASQUERADE" = yes ]; then masquerading_rules diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr180/SuSEfirewall2.sysconfig new/SuSEfirewall2-3.6_SVNr181/SuSEfirewall2.sysconfig --- old/SuSEfirewall2-3.6_SVNr180/SuSEfirewall2.sysconfig 2007-03-21 16:22:58.000000000 +0100 +++ new/SuSEfirewall2-3.6_SVNr181/SuSEfirewall2.sysconfig 2007-07-06 15:15:21.000000000 +0200 
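Review bot: The return-direction rule `$iptables -A $chain -j "$target" -m state --state ESTABLISHED,RELATED -s $net2 -d $net1 $proto $rport …` is now also installed for DROP and REJECT, where it appears to do nothing useful: a connection whose NEW packet is dropped or rejected never becomes ESTABLISHED, while the rule can still match packets of a connection set up in the other direction whose source port happens to equal the listed port. Unless that is intended, wrap the two return-direction rules (both with and without `$more_args_out`) in `if [ "$target" = ACCEPT ]; then … fi`. The log prefix `${target:0:3}` produces ACC, DRO and REJ; a one-line comment naming these would help anyone grepping the kernel log. The enclosing forwarding_rules function starts before this hunk.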
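Review bot: The `--` sentinel in `for nets in $FW_NOMASQ_NETS -- $FW_MASQ_NETS` means a literal `--` entry in either variable silently switches `$var` to FW_MASQ_NETS for the remaining entries instead of being reported as a malformed entry. The ordering is also load-bearing: processing the exceptions first is presumably what makes their nat POSTROUTING ACCEPT rules precede the MASQUERADE rules appended for FW_MASQ_NETS (the MASQUERADE rule itself is outside this hunk). If the hack stays, say so next to it: `# FW_NOMASQ_NETS must be processed before FW_MASQ_NETS so the ACCEPT exceptions are appended ahead of the MASQUERADE rules`.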
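Review bot: In the new FW_NOMASQ_NETS branch the rule `$IPTABLES -A POSTROUTING -j ACCEPT -t nat -s $net1 $net2 $proto $port -o $dev` passes `$net2` without a `-d` option; unless the context before this hunk already rewrote net2 into `-d <net>` form (the `snet2=""` line suggests the destination is normally built later), a configured destination network would be handed to iptables as a stray argument and the rule would fail to load, leaving the exception unapplied and the traffic masqueraded. Please verify that expansion, and if net2 is still a bare network here use `-d $net2` guarded by `[ -n "$net2" ]`. The `continue` also skips the per-zone filter rules, which matches the sysconfig text that FW_NOMASQ_NETS affects only the nat table.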
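Review bot: The three calls `forwarding_rules DROP`, `forwarding_rules REJECT`, `forwarding_rules ACCEPT` depend on their order, because the rules are appended with `-A` and so DROP and REJECT entries take precedence over FW_FORWARD only because they are installed first. That is not stated anywhere in this hunk; a comment above the calls such as `# order matters: DROP/REJECT rules must precede the ACCEPT rules from FW_FORWARD` would keep a future reordering from silently changing the policy.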
@@ -90,7 +90,7 @@ # want forwarding or masquerading you still have to add the external interfaces # individually. "any" can be mixed with other interface names. # -# Examples: "eth-id-00:e0:4c:9f:61:9a", "ippp0 ippp1", "any dsl0" +# Examples: "ippp0 ippp1", "any dsl0" # # Note: alias interfaces (like eth0:1) are ignored # @@ -107,7 +107,7 @@ # # Format: space separated list of interface or configuration names # -# Examples: "eth-id-00:e0:4c:9f:61:9a", "tr0", "eth0 eth1" +# Examples: "tr0", "eth0 eth1" # FW_DEV_INT="" @@ -128,7 +128,7 @@ # # Format: space separated list of interface or configuration names # -# Examples: "eth-id-00:e0:4c:9f:61:9a", "tr0", "eth0 eth1" +# Examples: "tr0", "eth0 eth1" # FW_DEV_DMZ="" @@ -214,9 +214,34 @@ # 10.0.1.0/24 network is allowed to access unprivileged # ports whereas 10.0.2.0/24 is granted unrestricted # access. +# - "0/0,!10.0.0.0/8" unrestricted access to the internet +# with the exception of 10.0.0.8 which will not be +# masqueraded. # FW_MASQ_NETS="0/0" +## Type: string +## Default: 0/0 +# +# Which computers/networks should be excluded from beeing masqueraded? +# Note that this only affects the POSTROUTING chain of the nat +# table. Ie the forwarding rules installed by FW_MASQ_NETS do not +# include the listed exceptions. +# *** Since you may use FW_NOMASQ_NETS together with IPsec make sure +# that the policy database is loaded even when the tunnel is not up +# yet. Otherwise packets to the listed networks will be forwarded to +# the internet unencrypted! *** +# +# Format: space separated list of +# <source network>[,<destination network>,<protocol>[,port[:port]] +# +# If the protocol is icmp then port is interpreted as icmp type +# +# Examples: - "0/0,10.0.0.0/8" do not masquerade packets from +# anywhere to the 10.0.0.0/8 network +# +FW_NOMASQ_NETS="" + ## Type: yesno ## Default: no # 
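Review bot: The new `## Default: 0/0` header for FW_NOMASQ_NETS contradicts the assignment `FW_NOMASQ_NETS=""` that follows it; tools reading the `## Default:` metadata will display the wrong default, so it should say `## Default: ""` or be omitted as for other string options. In the added FW_MASQ_NETS example, `with the exception of 10.0.0.8` describes `!10.0.0.0/8` and should read `10.0.0.0/8`, and `beeing` is a typo for `being`. The format line `<source network>[,<destination network>,<protocol>[,port[:port]]` is missing a closing bracket, which matters because the code rejects an entry with five fields.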
@@ -507,6 +532,26 @@ ## Type: string # +# 13a.) +# +# same as FW_FORWARD but packages are rejected instead of accepted +# +# Requires: FW_ROUTE +# +FW_FORWARD_REJECT="" + +## Type: string +# +# 13b.) +# +# same as FW_FORWARD but packages are dropped instead of accepted +# +# Requires: FW_ROUTE +# +FW_FORWARD_DROP="" + +## Type: string +# # 14.) # Which services accessed from the internet should be allowed to masqueraded # servers (on the internal network or dmz)? ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
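Review bot: Both new option descriptions say `packages are rejected` / `packages are dropped`; the firewall handles packets, so `packets` is meant. More importantly the text does not say how these lists interact with FW_FORWARD: in this commit's script changes the DROP and REJECT lists are installed before the ACCEPT list, so a match in FW_FORWARD_REJECT or FW_FORWARD_DROP wins over FW_FORWARD, and administrators need that stated, e.g. `# Entries here are installed before those of FW_FORWARD and therefore take precedence.`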