From ad1da4a00772c18bbc6392d94c603208c7a8db05 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Thu, 2 Aug 2018 18:57:57 +0100 Subject: [PATCH] Modernise shorewall configuration --- .../default/shorewall-interfaces.erb | 10 +- .../templates/default/shorewall.conf.erb | 245 ++++++++++++++---- .../default/shorewall6-interfaces.erb | 4 +- .../templates/default/shorewall6.conf.erb | 231 ++++++++++++++--- 4 files changed, 393 insertions(+), 97 deletions(-) diff --git a/cookbooks/networking/templates/default/shorewall-interfaces.erb b/cookbooks/networking/templates/default/shorewall-interfaces.erb index d8a5705d2..4701b9641 100644 --- a/cookbooks/networking/templates/default/shorewall-interfaces.erb +++ b/cookbooks/networking/templates/default/shorewall-interfaces.erb @@ -1,13 +1,15 @@ # DO NOT EDIT - This file is being maintained by Chef -# ZONE INTERFACE BROADCAST OPTIONS +?FORMAT 2 + +# ZONE INTERFACE OPTIONS <% node[:networking][:interfaces].each do |name,interface| -%> <% if interface[:interface] && interface[:family] == "inet" -%> <% if interface[:role] == "internal" -%> -loc <%= interface[:interface] %> detect nosmurfs,tcpflags +loc <%= interface[:interface] %> nosmurfs,tcpflags <% elsif interface[:role] == "external" -%> -net <%= interface[:interface] %> detect nosmurfs,tcpflags +net <%= interface[:interface] %> nosmurfs,tcpflags <% end -%> <% end -%> <% end -%> -loc tun+ detect nosmurfs,tcpflags +loc tun+ nosmurfs,tcpflags diff --git a/cookbooks/networking/templates/default/shorewall.conf.erb b/cookbooks/networking/templates/default/shorewall.conf.erb index da5c8c202..03c7c6fff 100644 --- a/cookbooks/networking/templates/default/shorewall.conf.erb +++ b/cookbooks/networking/templates/default/shorewall.conf.erb 
@@ -12,162 +12,273 @@ STARTUP_ENABLED=Yes VERBOSITY=1 +############################################################################### +# P A G E R +############################################################################### + +PAGER= + +############################################################################### +# F I R E W A L L +############################################################################### + +FIREWALL= + ############################################################################### # L O G G I N G ############################################################################### -LOGFILE=/var/log/messages +LOG_LEVEL="info" -STARTUP_LOG=/var/log/shorewall-init.log +BLACKLIST_LOG_LEVEL= + +INVALID_LOG_LEVEL= + +LOG_BACKEND= + +LOG_MARTIANS=Yes LOG_VERBOSITY=2 -LOGFORMAT="Shorewall:%s:%s:" +LOGALLNEW= + +LOGFILE=/var/log/messages + +LOGFORMAT="%s %s " LOGTAGONLY=No -LOGALLNEW= +LOGLIMIT="s:1/sec:10" -BLACKLIST_LOGLEVEL= +MACLIST_LOG_LEVEL="$LOG_LEVEL" -MACLIST_LOG_LEVEL=info +RELATED_LOG_LEVEL= -TCP_FLAGS_LOG_LEVEL=info +RPFILTER_LOG_LEVEL="$LOG_LEVEL" -SMURF_LOG_LEVEL=info +SFILTER_LOG_LEVEL="$LOG_LEVEL" -LOG_MARTIANS=Yes +SMURF_LOG_LEVEL="$LOG_LEVEL" + +STARTUP_LOG=/var/log/shorewall-init.log + +TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL" + +UNTRACKED_LOG_LEVEL= ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### +ARPTABLES= + +CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall" + +GEOIPDIR=/usr/share/xt_geoip/LE + IPTABLES= IP= -TC= - IPSET= -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +LOCKFILE= -SHOREWALL_SHELL=/bin/sh +MODULESDIR= -SUBSYSLOCK="" +NFACCT= -MODULESDIR= +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin -CONFIG_PATH=/etc/shorewall:/usr/share/shorewall +PERL=/usr/bin/perl -RESTOREFILE= +RESTOREFILE=restore -IPSECFILE=zones 
+SHOREWALL_SHELL=/bin/sh -LOCKFILE= +SUBSYSLOCK="" + +TC= ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### +<%- if node[:lsb][:release].to_f <= 16.04 %> +ACCEPT_DEFAULT="none" DROP_DEFAULT="Drop" +NFQUEUE_DEFAULT="none" +QUEUE_DEFAULT="none" REJECT_DEFAULT="Reject" +<%- else %> ACCEPT_DEFAULT="none" -QUEUE_DEFAULT="none" +BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)" NFQUEUE_DEFAULT="none" +QUEUE_DEFAULT="none" +REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)" +<%- end %> ############################################################################### # R S H / R C P C O M M A N D S ############################################################################### -RSH_COMMAND='ssh ${root}@${system} ${command}' RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' +RSH_COMMAND='ssh ${root}@${system} ${command}' ############################################################################### # F I R E W A L L O P T I O N S ############################################################################### -IP_FORWARDING=Keep +ACCOUNTING=Yes + +ACCOUNTING_TABLE=filter -ADD_IP_ALIASES=Yes +ADD_IP_ALIASES=No ADD_SNAT_ALIASES=No -RETAIN_ALIASES=No +ADMINISABSENTMINDED=Yes -TC_ENABLED=Internal +AUTOCOMMENT=Yes -TC_EXPERT=No +AUTOHELPERS=Yes -CLEAR_TC=Yes +<%- if node[:lsb][:release].to_f <= 16.04 %> +AUTOMAKE=No +<%- else %> +AUTOMAKE=Yes +<%- end %> -MARK_IN_FORWARD_CHAIN=No +BALANCE_PROVIDERS=No + +BASIC_FILTERS=No + +BLACKLIST="NEW,INVALID,UNTRACKED" CLAMPMSS=No -ROUTE_FILTER=Yes +CLEAR_TC=Yes + +COMPLETE=No + +DEFER_DNS_RESOLUTION=Yes + +DELETE_THEN_ADD=Yes DETECT_DNAT_IPADDRS=No -MUTEX_TIMEOUT=60 +DISABLE_IPV6=No -ADMINISABSENTMINDED=Yes +DOCKER=No -DELAYBLACKLISTLOAD=No +DONT_LOAD= 
-MODULE_SUFFIX=ko +DYNAMIC_BLACKLIST=Yes -DISABLE_IPV6=No +EXPAND_POLICIES=Yes + +EXPORTMODULES=Yes -BRIDGING=No +FASTACCEPT=No -DYNAMIC_ZONES=No +FORWARD_CLEAR_MARK= -PKTTYPE=Yes +HELPERS= -NULL_ROUTE_RFC1918=No +IGNOREUNKNOWNVARIABLES=No + +IMPLICIT_CONTINUE=No + +INLINE_MATCHES=No + +IPSET_WARNINGS=Yes + +IP_FORWARDING=Keep + +KEEP_RT_TABLES=No + +LOAD_HELPERS_ONLY=Yes MACLIST_TABLE=filter MACLIST_TTL= -SAVE_IPSETS=No +MANGLE_ENABLED=Yes MAPOLDACTIONS=No -FASTACCEPT=No +MARK_IN_FORWARD_CHAIN=No + +MINIUPNPD=No +<%- if node[:lsb][:release].to_f <= 16.04 %> + +MODULE_SUFFIX=ko +<%- end %> + +MULTICAST=No -IMPLICIT_CONTINUE=Yes +MUTEX_TIMEOUT=60 -USE_ACTIONS=Yes +NULL_ROUTE_RFC1918=No +<%- if node[:lsb][:release].to_f <= 14.04 %> OPTIMIZE=1 +<%- else %> +OPTIMIZE=All +<%- end %> -EXPORTPARAMS=Yes +OPTIMIZE_ACCOUNTING=No -EXPAND_POLICIES=Yes +PERL_HASH_SEED=0 -KEEP_RT_TABLES=No +REJECT_ACTION= -DELETE_THEN_ADD=Yes +REQUIRE_INTERFACE=No -MULTICAST=No +RESTART=restart -DONT_LOAD= +RESTORE_DEFAULT_ROUTE=Yes -AUTO_COMMENT=Yes +RESTORE_ROUTEMARKS=Yes -MANGLE_ENABLED=Yes +RETAIN_ALIASES=No + +ROUTE_FILTER=Yes + +SAVE_ARPTABLES=No + +SAVE_IPSETS=No + +TC_ENABLED=Internal + +TC_EXPERT=No + +TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" + +TRACK_PROVIDERS=Yes + +TRACK_RULES=No USE_DEFAULT_RT=No +<%- if node[:lsb][:release].to_f >= 18.04 %> -RESTORE_DEFAULT_ROUTE=Yes +USE_NFLOG_SIZE=No +<%- end %> -AUTOMAKE=No +USE_PHYSICAL_NAMES=No + +USE_RT_NAMES=No + +VERBOSE_MESSAGES=Yes + +WARNOLDCAPVERSION=Yes -TRACK_PROVIDERS=No +WORKAROUNDS=No -ZONE2ZONE=2 +ZERO_MARKS=No + +ZONE2ZONE=- ############################################################################### # P A C K E T D I S P O S I T I O N 
@@ -175,8 +286,32 @@ ZONE2ZONE=2 BLACKLIST_DISPOSITION=DROP +INVALID_DISPOSITION=CONTINUE + MACLIST_DISPOSITION=REJECT +RELATED_DISPOSITION=ACCEPT + +RPFILTER_DISPOSITION=DROP + +SMURF_DISPOSITION=DROP + +SFILTER_DISPOSITION=DROP + TCP_FLAGS_DISPOSITION=DROP -#LAST LINE -- DO NOT REMOVE +UNTRACKED_DISPOSITION=CONTINUE + +################################################################################ +# P A C K E T M A R K L A Y O U T +################################################################################ + +TC_BITS= + +PROVIDER_BITS= + +PROVIDER_OFFSET= + +MASK_BITS= + +ZONE_BITS=0 diff --git a/cookbooks/networking/templates/default/shorewall6-interfaces.erb b/cookbooks/networking/templates/default/shorewall6-interfaces.erb index d2b4a3d91..8ba6b8c82 100644 --- a/cookbooks/networking/templates/default/shorewall6-interfaces.erb +++ b/cookbooks/networking/templates/default/shorewall6-interfaces.erb @@ -1,6 +1,8 @@ # DO NOT EDIT - This file is being maintained by Chef -# ZONE INTERFACE UNICAST OPTIONS +?FORMAT 2 + +# ZONE INTERFACE OPTIONS <% node[:networking][:interfaces].each do |name,interface| -%> <% if interface[:family] == "inet6" -%> <% if interface[:role] == "internal" -%> diff --git a/cookbooks/networking/templates/default/shorewall6.conf.erb b/cookbooks/networking/templates/default/shorewall6.conf.erb index 4fc0ffe82..275848a23 100644 --- a/cookbooks/networking/templates/default/shorewall6.conf.erb +++ b/cookbooks/networking/templates/default/shorewall6.conf.erb 
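Review bot: `LOGFORMAT="%s %s "` drops the `Shorewall:` marker that the old `LOGFORMAT="Shorewall:%s:%s:"` put at the front of every kernel log line, so any rsyslog filter, fail2ban jail or SIEM rule that keys on that prefix stops matching once this template is deployed; the same line appears in the shorewall6.conf.erb hunk. This looks like the newer upstream default, but either the template keeps a recognisable tag or the log consumers need updating in the same change — at minimum a comment above the line such as `# LOGFORMAT: no "Shorewall:" prefix any more; log parsers must match on chain/disposition` would flag it. The new `LOGLIMIT="s:1/sec:10"` also caps logging per source at roughly one entry per second with a burst of 10, which is sensible against log flooding but means a scan is under-reported in the logs; worth a one-line comment too. Separately, the repeated `node[:lsb][:release].to_f <= 16.04` guards (also in shorewall6.conf.erb) silently select the legacy branch when `node[:lsb][:release]` is unset, because `nil.to_f` is `0.0`; a `Gem::Version` comparison in a single recipe helper, or an explicit check that the attribute is present, would fail loudly instead.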
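Review bot: `RPFILTER_DISPOSITION=DROP` and `SFILTER_DISPOSITION=DROP` only act on interfaces that carry the `rpfilter`/`sfilter` options in the interfaces file, and the shorewall-interfaces.erb hunk in this patch sets only `nosmurfs,tcpflags`, so as far as this patch shows these two settings are inert and reverse-path filtering rests on `ROUTE_FILTER=Yes` alone. Either add the option on the interfaces where it is wanted or record the dependency, e.g. `# RPFILTER_/SFILTER_DISPOSITION apply only to interfaces with the rpfilter/sfilter option (none set in shorewall-interfaces.erb); rp filtering comes from ROUTE_FILTER=Yes`. The hunk also removes the `#LAST LINE -- DO NOT REMOVE` sentinel from shorewall.conf.erb while the shorewall6.conf.erb hunk keeps it; harmless as far as I can tell, but the two templates should agree.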
@@ -12,118 +12,247 @@ STARTUP_ENABLED=Yes VERBOSITY=1 +############################################################################### +# P A G E R +############################################################################### + +PAGER= + +############################################################################### +# F I R E W A L L +############################################################################### + +FIREWALL= + ############################################################################### # L O G G I N G ############################################################################### -LOGFILE=/var/log/messages +LOG_LEVEL="info" -STARTUP_LOG=/var/log/shorewall6-init.log +BLACKLIST_LOG_LEVEL= + +INVALID_LOG_LEVEL= + +LOG_BACKEND= LOG_VERBOSITY=2 -LOGFORMAT="Shorewall:%s:%s:" +LOGALLNEW= + +LOGFILE=/var/log/messages + +LOGFORMAT="%s %s " + +LOGLIMIT="s:1/sec:10" LOGTAGONLY=No -LOGALLNEW= +MACLIST_LOG_LEVEL="$LOG_LEVEL" + +RELATED_LOG_LEVEL= + +RPFILTER_LOG_LEVEL="$LOG_LEVEL" + +SFILTER_LOG_LEVEL="$LOG_LEVEL" + +SMURF_LOG_LEVEL="$LOG_LEVEL" -BLACKLIST_LOGLEVEL= +STARTUP_LOG=/var/log/shorewall6-init.log -TCP_FLAGS_LOG_LEVEL=info +TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL" -SMURF_LOG_LEVEL=info +UNTRACKED_LOG_LEVEL= ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### +CONFIG_PATH=":${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall" + +GEOIPDIR=/usr/share/xt_geoip/LE + IP6TABLES= IP= -TC= - IPSET= -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +LOCKFILE= -SHOREWALL_SHELL=/bin/sh +MODULESDIR= -SUBSYSLOCK="" +NFACCT= -MODULESDIR= +PERL=/usr/bin/perl -CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin" -RESTOREFILE= +RESTOREFILE=restore -LOCKFILE= +SHOREWALL_SHELL=/bin/sh + 
+SUBSYSLOCK="" + +TC= ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### +<%- if node[:lsb][:release].to_f <= 16.04 %> +ACCEPT_DEFAULT="none" DROP_DEFAULT="Drop" +NFQUEUE_DEFAULT="none" +QUEUE_DEFAULT="none" REJECT_DEFAULT="Reject" +<%- else %> ACCEPT_DEFAULT="none" -QUEUE_DEFAULT="none" +BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" +DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" NFQUEUE_DEFAULT="none" +QUEUE_DEFAULT="none" +REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" +<%- end %> ############################################################################### # R S H / R C P C O M M A N D S ############################################################################### -RSH_COMMAND='ssh ${root}@${system} ${command}' RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' +RSH_COMMAND='ssh ${root}@${system} ${command}' ############################################################################### # F I R E W A L L O P T I O N S ############################################################################### -IP_FORWARDING=Off +ACCOUNTING=Yes -TC_ENABLED=No +ACCOUNTING_TABLE=filter -TC_EXPERT=No +ADMINISABSENTMINDED=Yes -CLEAR_TC=No +AUTOCOMMENT=Yes -MARK_IN_FORWARD_CHAIN=No +AUTOHELPERS=Yes + +<%- if node[:lsb][:release].to_f <= 16.04 %> +AUTOMAKE=No +<%- else %> +AUTOMAKE=Yes +<%- end %> + +BALANCE_PROVIDERS=No + +BASIC_FILTERS=No + +BLACKLIST="NEW,INVALID,UNTRACKED" CLAMPMSS=No -MUTEX_TIMEOUT=60 +CLEAR_TC=No -ADMINISABSENTMINDED=Yes +COMPLETE=No -MODULE_SUFFIX=ko +DEFER_DNS_RESOLUTION=Yes + +DELETE_THEN_ADD=Yes + +DONT_LOAD= + +DYNAMIC_BLACKLIST=Yes + +EXPAND_POLICIES=Yes + +EXPORTMODULES=Yes FASTACCEPT=No -IMPLICIT_CONTINUE=Yes +FORWARD_CLEAR_MARK=Yes -OPTIMIZE=1 +HELPERS= -EXPORTPARAMS=Yes 
+IGNOREUNKNOWNVARIABLES=No -EXPAND_POLICIES=Yes +IMPLICIT_CONTINUE=No -KEEP_RT_TABLES=Yes +INLINE_MATCHES=No -DELETE_THEN_ADD=Yes +IPSET_WARNINGS=Yes -DONT_LOAD= +IP_FORWARDING=Keep + +KEEP_RT_TABLES=No + +LOAD_HELPERS_ONLY=Yes + +MACLIST_TABLE=filter -AUTO_COMMENT=Yes +MACLIST_TTL= MANGLE_ENABLED=Yes -AUTOMAKE=No +MARK_IN_FORWARD_CHAIN=No + +MINIUPNPD=No +<%- if node[:lsb][:release].to_f <= 16.04 %> + +MODULE_SUFFIX=ko +<%- end %> + +MUTEX_TIMEOUT=60 + +<%- if node[:lsb][:release].to_f <= 14.04 %> +OPTIMIZE=1 +<%- else %> +OPTIMIZE=All +<%- end %> + +OPTIMIZE_ACCOUNTING=No + +PERL_HASH_SEED=0 + +REJECT_ACTION= + +REQUIRE_INTERFACE=No + +RESTART=restart -TRACK_PROVIDERS=No +RESTORE_DEFAULT_ROUTE=Yes -ZONE2ZONE=2 +RESTORE_ROUTEMARKS=Yes + +SAVE_IPSETS=No + +TC_ENABLED=Shared + +TC_EXPERT=No + +TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" + +TRACK_PROVIDERS=Yes + +TRACK_RULES=No + +USE_DEFAULT_RT=Yes +<%- if node[:lsb][:release].to_f >= 18.04 %> + +USE_NFLOG_SIZE=No +<%- end %> + +USE_PHYSICAL_NAMES=No + +USE_RT_NAMES=No + +VERBOSE_MESSAGES=Yes + +WARNOLDCAPVERSION=Yes + +WORKAROUNDS=No + +ZERO_MARKS=No + +ZONE2ZONE= ############################################################################### # P A C K E T D I S P O S I T I O N @@ -131,6 +260,34 @@ ZONE2ZONE=2 BLACKLIST_DISPOSITION=DROP +INVALID_DISPOSITION=CONTINUE + +MACLIST_DISPOSITION=REJECT + +RELATED_DISPOSITION=ACCEPT + +SFILTER_DISPOSITION=DROP + +RPFILTER_DISPOSITION=DROP + +SMURF_DISPOSITION=DROP + TCP_FLAGS_DISPOSITION=DROP +UNTRACKED_DISPOSITION=CONTINUE + +################################################################################ +# P A C K E T M A R K L A Y O U T +################################################################################ + +TC_BITS= + +PROVIDER_BITS= + +PROVIDER_OFFSET= + +MASK_BITS= + +ZONE_BITS=0 + #LAST LINE -- DO NOT REMOVE -- 2.43.2
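Review bot: `IP_FORWARDING=Keep` replaces `IP_FORWARDING=Off`, so shorewall6 no longer forces IPv6 forwarding off at start and leaves whatever `net.ipv6.conf.all.forwarding` already is; on a host that is not meant to route, forwarding enabled by something else (a container runtime, a manual sysctl) now survives a restart, whereas before it was reset every time. If the intent is that forwarding is managed outside shorewall6, say so above the line, e.g. `# Keep: IPv6 forwarding is set by sysctl outside shorewall6 (was Off here before)`, and make sure that sysctl is actually managed; otherwise keep `Off` or make it a per-host attribute. The new `CONFIG_PATH=":${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"` also mixes a hard-coded `/usr/share/shorewall6` with `${SHAREDIR}` where the IPv4 template uses variables throughout; `${SHAREDIR}/shorewall6` would match. `USE_DEFAULT_RT=Yes` and `KEEP_RT_TABLES=No` (previously `Yes`) differ from the IPv4 file too, which may be deliberate but is undocumented.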