commit 2dc9c4abd97d2572a5c82991c67046be0b71af5b
Author: Thomas Woerner <twoerner@redhat.com>
Date: Fri Jan 24 14:43:40 2014 +0100
Enforce trust, block and drop zones in the filter table only (RHBZ#1055190)
Add an additional rule with the zone target (accept, reject
or drop) to the base _zone only in the filter table.
Otherwise it would not be possible to have a zone with drop
target that allows traffic that is locally initiated
or that adds additional rules.
Fixed descriptions of block and drop zone to reflect this.
diff --git a/config/zones/block.xml b/config/zones/block.xml
index 81f582e..3b9f7a4 100644
--- a/config/zones/block.xml
+++ b/config/zones/block.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<zone target="%%REJECT%%">
<short>Block</short>
- <description>Any incoming network connections are rejected. Only network connections initiated with this system are possible.</description>
+ <description>Unsolicited incoming network packets are rejected. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
</zone>
diff --git a/config/zones/drop.xml b/config/zones/drop.xml
index 5ea4fa0..a018f49 100644
--- a/config/zones/drop.xml
+++ b/config/zones/drop.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
<short>Drop</short>
- <description>Any incoming network packets are dropped. Only outgoing network connections are possible.</description>
+ <description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
</zone>
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 0822949..d378f33 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -198,21 +198,18 @@ class FirewallZone:
rules.append((ipv, [ _zone, 3, "-t", table,
"-j", "%s_allow" % (_zone) ]))
- # handle trust and block zones:
- # add an additional rule with the zone target (accept, reject or
- # drop) to the base _zone, with the following limitations:
- # - REJECT is only valid in the INPUT, FORWARD and
- # OUTPUT chains, and user-defined chains which are only
- # called from those chains
- # - DROP is not supported in nat table
+ # Handle trust, block and drop zones:
+ # Add an additional rule with the zone target (accept, reject
+ # or drop) to the base _zone only in the filter table.
+ # Otherwise it is not be possible to have a zone with drop
+ # target, that is allowing traffic that is locally initiated
+ # or that adds additional rules. (RHBZ#1055190)
target = self._zones[zone].target
- if target != DEFAULT_ZONE_TARGET and not \
- ((target in [ "REJECT", "%%REJECT%%" ] and \
- chain not in [ "INPUT", "FORWARD_IN", "FORWARD_OUT",
- "OUTPUT" ]) or \
- (target == "DROP" and table == "nat")):
- rules.append((ipv, [ _zone, 4, "-t", table,
- "-j", self._zones[zone].target ]))
+ if table == "filter" and \
+ target in [ "ACCEPT", "REJECT", "%%REJECT%%", "DROP" ] and \
+ chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
+ print "-->", _zone, create, table, chain, target
+ rules.append((ipv, [ _zone, 4, "-t", table, "-j", target ]))
if create:
# handle chains first
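Review bot: A zone target outside the new allow-list `[ "ACCEPT", "REJECT", "%%REJECT%%", "DROP" ]` now silently yields a zone chain with no target rule, so traffic falls through to whatever follows, whereas the old condition only excluded DEFAULT_ZONE_TARGET; if zone targets are not validated against this set when the zone is loaded, an `else:` branch that logs the unexpected target would make such a misconfiguration visible instead of quietly permissive. The new comment also carries a grammar slip, `# Otherwise it is not be possible to have a zone with drop`; suggest `# Otherwise it would not be possible to have a zone with a drop` followed by `# target that still allows locally initiated traffic or extra rules.` The enclosing method starts before the hunk and the `if create:` branch continues after it.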
commit 9c56a72b30bc00866cce4cf98e330f95b3a3d7a6
Author: Thomas Woerner <twoerner@redhat.com>
Date: Fri Jan 24 14:47:56 2014 +0100
Removed debug print in last commit
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index d378f33..407d21d 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -208,7 +208,6 @@ class FirewallZone:
if table == "filter" and \
target in [ "ACCEPT", "REJECT", "%%REJECT%%", "DROP" ] and \
chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
- print "-->", _zone, create, table, chain, target
rules.append((ipv, [ _zone, 4, "-t", table, "-j", target ]))
if create: