commit 2dc9c4abd97d2572a5c82991c67046be0b71af5b
Author: Thomas Woerner <twoerner@redhat.com>
Date: Fri Jan 24 14:43:40 2014 +0100
|
Enforce trust, block and drop zones in the filter table only (RHBZ#1055190)
|
Add an additional rule with the zone target (accept, reject
or drop) to the base _zone only in the filter table.
|
Otherwise it would not be possible to have a zone with drop
target, that is allowing traffic that is locally initiated
or that adds additional rules.
|
Fixed descriptions of block and drop zone to reflect this.
|
diff --git a/config/zones/block.xml b/config/zones/block.xml
index 81f582e..3b9f7a4 100644
--- a/config/zones/block.xml
+++ b/config/zones/block.xml
@@ -1,5 +1,5 @@
|
<zone target="%%REJECT%%">
<short>Block</short>
- <description>Any incoming network connections are rejected. Only network connections initiated with this system are possible.</description>
+ <description>Unsolicited incoming network packets are rejected. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
</zone>
diff --git a/config/zones/drop.xml b/config/zones/drop.xml
index 5ea4fa0..a018f49 100644
--- a/config/zones/drop.xml
+++ b/config/zones/drop.xml
@@ -1,5 +1,5 @@
|
<zone target="DROP">
<short>Drop</short>
- <description>Any incoming network packets are dropped. Only outgoing network connections are possible.</description>
+ <description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
</zone>
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 0822949..d378f33 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -198,21 +198,18 @@ class FirewallZone:
rules.append((ipv, [ _zone, 3, "-t", table,
"-j", "%s_allow" % (_zone) ]))
|
- # handle trust and block zones:
- # add an additional rule with the zone target (accept, reject or
- # drop) to the base _zone, with the following limitations:
- # - REJECT is only valid in the INPUT, FORWARD and
- # OUTPUT chains, and user-defined chains which are only
- # called from those chains
- # - DROP is not supported in nat table
+ # Handle trust, block and drop zones:
+ # Add an additional rule with the zone target (accept, reject
+ # or drop) to the base _zone only in the filter table.
+ # Otherwise it is not be possible to have a zone with drop
+ # target, that is allowing traffic that is locally initiated
+ # or that adds additional rules. (RHBZ#1055190)
target = self._zones[zone].target
- if target != DEFAULT_ZONE_TARGET and not \
- ((target in [ "REJECT", "%%REJECT%%" ] and \
- chain not in [ "INPUT", "FORWARD_IN", "FORWARD_OUT",
- "OUTPUT" ]) or \
- (target == "DROP" and table == "nat")):
- rules.append((ipv, [ _zone, 4, "-t", table,
- "-j", self._zones[zone].target ]))
+ if table == "filter" and \
+ target in [ "ACCEPT", "REJECT", "%%REJECT%%", "DROP" ] and \
+ chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
+ print "-->", _zone, create, table, chain, target
+ rules.append((ipv, [ _zone, 4, "-t", table, "-j", target ]))
|
if create:
# handle chains first
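Review bot: The rewritten condition starting at `if table == "filter" and \` replaces the old `target != DEFAULT_ZONE_TARGET` test with membership in a hard-coded list, so a zone whose target is any value outside `ACCEPT`, `REJECT`, `%%REJECT%%` or `DROP` now gets no terminating rule at position 4 in its filter chain and no warning or error; unless the zone loader already rejects such values, that zone silently behaves like a default-target zone. A short comment would make the contract explicit, e.g. `# Any other target value adds no terminating rule here; zone loading is expected to reject it (verify).` Separately, the rewritten comment block says `it is not be possible`; `it would not be possible` is the intended wording. The enclosing method begins before this hunk and continues after it, so the setup of `_zone`, `table` and `chain` is not visible here.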
commit 9c56a72b30bc00866cce4cf98e330f95b3a3d7a6
Author: Thomas Woerner <twoerner@redhat.com>
Date: Fri Jan 24 14:47:56 2014 +0100
|
Removed debug print in last commit
|
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index d378f33..407d21d 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -208,7 +208,6 @@ class FirewallZone:
if table == "filter" and \
target in [ "ACCEPT", "REJECT", "%%REJECT%%", "DROP" ] and \
chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
- print "-->", _zone, create, table, chain, target
rules.append((ipv, [ _zone, 4, "-t", table, "-j", target ]))
|
if create: