commit 2dc9c4abd97d2572a5c82991c67046be0b71af5b
Author: Thomas Woerner
Date: Fri Jan 24 14:43:40 2014 +0100
Enforce trust, block and drop zones in the filter table only (RHBZ#1055190) Add an additional rule with the zone target (accept, reject or drop) to the base _zone only in the filter table. Otherwise it is not be possible to have a zone with drop target, that is allowing traffic that is locally initiated or that adds additional rules. Fixed descriptions of block and drop zone to reflect this.
diff --git a/config/zones/block.xml b/config/zones/block.xml
index 81f582e..3b9f7a4 100644
--- a/config/zones/block.xml
+++ b/config/zones/block.xml
@@ -1,5 +1,5 @@
 Block
- Any incoming network connections are rejected. Only network connections initiated with this system are possible.
+ Unsolicited incoming network packets are rejected. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.
diff --git a/config/zones/drop.xml b/config/zones/drop.xml
index 5ea4fa0..a018f49 100644
--- a/config/zones/drop.xml
+++ b/config/zones/drop.xml
@@ -1,5 +1,5 @@
 Drop
- Any incoming network packets are dropped. Only outgoing network connections are possible.
+ Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 0822949..d378f33 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -198,21 +198,18 @@ class FirewallZone:
 rules.append((ipv, [ _zone, 3, "-t", table, "-j", "%s_allow" % (_zone) ]))
- # handle trust and block zones:
- # add an additional rule with the zone target (accept, reject or
- # drop) to the base _zone, with the following limitations:
- # - REJECT is only valid in the INPUT, FORWARD and
- # OUTPUT chains, and user-defined chains which are only
- # called from those chains
- # - DROP is not supported in nat table
+ # Handle trust, block and drop zones:
+ # Add an additional rule with the zone target (accept, reject
+ # or drop) to the base _zone only in the filter table.
+ # Otherwise it is not be possible to have a zone with drop
+ # target, that is allowing traffic that is locally initiated
+ # or that adds additional rules. (RHBZ#1055190)
 target = self._zones[zone].target
- if target != DEFAULT_ZONE_TARGET and not \
- ((target in [ "REJECT", "%%REJECT%%" ] and \
- chain not in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]) or \
- (target == "DROP" and table == "nat")):
- rules.append((ipv, [ _zone, 4, "-t", table,
- "-j", self._zones[zone].target ]))
+ if table == "filter" and \
+ target in [ "ACCEPT", "REJECT", "%%REJECT%%", "DROP" ] and \
+ chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
+ print "-->", _zone, create, table, chain, target
+ rules.append((ipv, [ _zone, 4, "-t", table, "-j", target ]))
 if create: # handle chains first
commit 9c56a72b30bc00866cce4cf98e330f95b3a3d7a6
Author: Thomas Woerner
Date: Fri Jan 24 14:47:56 2014 +0100
Removed debug print in last commit
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index d378f33..407d21d 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
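Review bot: The new `if table == "filter" and target in [ "ACCEPT", "REJECT", "%%REJECT%%", "DROP" ] and chain in [...]:` emits no rule at all for a zone target outside those four literals, so a misspelled or later-added target leaves the zone chain without a terminal verdict and packets fall through to whatever follows in the parent chain, which for a block or drop zone is a silent fail-open rather than an error (how target values are validated before reaching this point is not visible here). Make the skipped case explicit, either with an `else:` branch that reports the unexpected target through whatever logging facility the module already uses, or at least with a comment stating that any other target deliberately leaves the zone chain without a verdict. The two literal lists are rebuilt on every call and would read better as module-level constants, e.g. a constructed `ZONE_TARGETS = ("ACCEPT", "REJECT", "%%REJECT%%", "DROP")` and `ZONE_TARGET_CHAINS = ("INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT")`. The new comment also has a typo: `# Otherwise it is not be possible to have a zone with drop` should read `# Otherwise it is not possible to have a zone with drop`. The enclosing method starts before and continues past this hunk.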
@@ -208,7 +208,6 @@ class FirewallZone:
 if table == "filter" and \
 target in [ "ACCEPT", "REJECT", "%%REJECT%%", "DROP" ] and \
 chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
- print "-->", _zone, create, table, chain, target
 rules.append((ipv, [ _zone, 4, "-t", table, "-j", target ]))
 if create: