shorewall_code/Shorewall/firewall

3328 lines
75 KiB
Plaintext
Raw Normal View History

#!/bin/sh
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.2
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006 - Tom Eastep (teastep@shorewall.net)
#
# tcstart from tc4shorewall Version 0.5
# (c) 2005 Arne Bernin <arne@ucbering.de>
# Modified by Tom Eastep for integration into the Shorewall distribution
# published under GPL Version 2#
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped.
#
# Commands are:
#
# shorewall start Starts the firewall
# shorewall restart Restarts the firewall
# shorewall stop Stops the firewall
# shorewall reset Resets iptables packet and
# byte counts
# shorewall clear Remove all Shorewall chains
# and rules/policies.
# shorewall refresh . Rebuild the common chain
#
# Mutual exclusion -- These functions are jackets for the mutual exclusion
# routines in $FUNCTIONS. They invoke
# the corresponding function in that file if the user did
# not specify "nolock" on the runline.
#
my_mutex_on() {
[ -n "$NOLOCK" ] || { mutex_on; HAVE_MUTEX=Yes; }
}
my_mutex_off() {
[ -n "$HAVE_MUTEX" ] && { mutex_off; HAVE_MUTEX=; }
}
#
# Fatal error -- stops the firewall after issuing the error message
#
fatal_error() # $* = Error Message
{
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
echo " ERROR: $@" >&2
stop_firewall
exit 2
}
#
# Fatal error during startup -- generate an error message and abend without
# altering the state of the firewall
#
startup_error() # $* = Error Message
{
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
echo " ERROR: $@" >&2
my_mutex_off
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
kill $$
exit 2
}
#
# Send a message to STDOUT and the System Log
#
report () { # $* = message
progress_message3 "$@"
logger "$@"
}
#
# Run iptables and if an error occurs, stop the firewall and quit
#
run_iptables() {
#
# Purge the temporary files that we use to prevent duplicate '-m' specifications
#
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
if ! $IPTABLES $@ ; then
if [ -z "$STOPPING" ]; then
error_message "ERROR: Command \"$IPTABLES $@\" Failed"
stop_firewall
exit 2
fi
fi
}
#
# Version of 'run_iptables' that inserts white space after "!" in the arg list
#
run_iptables2() {
case "$@" in
*!*)
run_iptables $(fix_bang $@)
;;
*)
run_iptables $@
;;
esac
}
#
# Quietly run iptables
#
qt_iptables() {
#
# Purge the temporary files that we use to prevent duplicate '-m' specifications
#
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
qt $IPTABLES $@
}
#
# Run ip and if an error occurs, stop the firewall and quit
#
run_ip() {
if ! ip $@ ; then
if [ -z "$STOPPING" ]; then
error_message "ERROR: Command \"ip $@\" Failed"
stop_firewall
exit 2
fi
fi
}
#
# Run tc and if an error occurs, stop the firewall and quit
#
run_tc() {
if ! tc $@ ; then
if [ -z "$STOPPING" ]; then
error_message "ERROR: Command \"tc $@\" Failed"
stop_firewall
exit 2
fi
fi
}
#
# Delete a chain if it exists
#
deletechain() # $1 = name of chain
{
qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
}
#
# Determine if a chain is a policy chain
#
is_policy_chain() # $1 = name of chain
{
eval test \"\$${1}_is_policy\" = Yes
}
#
# Set a standard chain's policy
#
setpolicy() # $1 = name of chain, $2 = policy
{
run_iptables -P $1 $2
}
#
# Set a standard chain to enable established and related connections
#
setcontinue() # $1 = name of chain
{
run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
}
#
# Flush one of the NAT table chains
#
flushnat() # $1 = name of chain
{
run_iptables -t nat -F $1
}
#
# Flush one of the Mangle table chains
#
flushmangle() # $1 = name of chain
{
run_iptables -t mangle -F $1
}
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
#
# This function assumes that the TMP_DIR variable is set and that
# its value named an existing directory.
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
#
determine_zones()
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
{
local zone parent parents rest new_zone_file= r
merge_zone()
{
local z zones="$ZONES" merged=
if [ -n "$parents" ]; then
ZONES=
for z in $zones; do
if [ -z "$merged" ] && list_search $z $parents; then
ZONES="$ZONES $zone"
merged=Yes
fi
ZONES="$ZONES $z"
done
else
ZONES="$ZONES $zone"
fi
}
strip_file zones
ZONES=
IPV4_ZONES=
IPSEC_ZONES=
[ "$IPSECFILE" = zones ] && new_zone_file=Yes || test -n "${FW:=fw}"
while read zone type rest; do
expandv zone type
case $zone in
*:*)
parents=${zone#*:}
zone=${zone%:*}
[ -n "$zone" ] || startup_error "Invalid nested zone syntax: :$parents"
parents=$(separate_list $parents)
;;
*)
parents=
;;
esac
for parent in $parents; do
[ "$parent" = "$FW" ] && startup_error "Sub-zones of the firewall zone are not allowed"
list_search $parent $ZONES || startup_error "Parent zone not defined: $parent"
done
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
[ ${#zone} -gt 5 ] && startup_error "Zone name longer than 5 characters: $zone"
case "$zone" in
[0-9*])
startup_error "Illegal zone name \"$zone\" in zones file"
;;
all|none)
startup_error "Reserved zone name \"$zone\" in zones file"
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
;;
esac
if [ -n "$new_zone_file" ]; then
case ${type:=ipv4} in
ipv4|IPv4|IPV4|plain|-)
list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
merge_zone
IPV4_ZONES="$IPV4_ZONES $zone"
;;
ipsec|IPSEC|ipsec4|IPSEC4)
list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
eval ${zone}_is_ipsec=Yes
eval ${zone}_is_complex=Yes
merge_zone
IPSEC_ZONES="$IPSEC_ZONES $zone"
;;
firewall)
[ -n "$FW" ] && startup_error "Only one firewall zone may be defined"
list_search $zone $ZONES && startup_error "Zone $zone is defined more than once"
[ -n "$parents" ] && startup_error "The firewall zone may not be nested"
for r in $rest; do
[ "x$r" = x- ] || startup_error "OPTIONS not allowed on the firewall zone"
done
FW=$zone
;;
*)
startup_error "Invalid Zone Type: $type"
;;
esac
eval ${zone}_type=$type
else
list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
ZONES="$ZONES $zone"
IPV4_ZONES="$IPV4_ZONES $zone"
eval ${zone}_type=ipv4
fi
done < $TMP_DIR/zones
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
[ -z "$ZONES" ] && startup_error "No ipv4 or ipsec Zones Defined"
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
[ -z "$FW" ] && startup_error "No Firewall Zone Defined"
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
}
#
# Find interfaces to a given zone
#
# Search the variables representing the contents of the interfaces file and
# for each record matching the passed ZONE, echo the expanded contents of
# the "INTERFACE" column
#
find_interfaces() # $1 = interface zone
{
local zne=$1
local z
local interface
for interface in $ALL_INTERFACES; do
eval z=\$$(chain_base $interface)_zone
[ "x${z}" = x${zne} ] && echo $interface
done
}
#
# Forward Chain for an interface
#
forward_chain() # $1 = interface
{
echo $(chain_base $1)_fwd
}
#
# Input Chain for an interface
#
input_chain() # $1 = interface
{
echo $(chain_base $1)_in
}
#
# Output Chain for an interface
#
output_chain() # $1 = interface
{
echo $(chain_base $1)_out
}
#
# Masquerade Chain for an interface
#
masq_chain() # $1 = interface
{
echo $(chain_base $1)_masq
}
#
# MAC Verification Chain for an interface
#
mac_chain() # $1 = interface
{
echo $(chain_base $1)_mac
}
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
macrecent_target() # $1 - interface
{
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
}
#
# Functions for creating dynamic zone rules
#
dynamic_fwd() # $1 = interface
{
echo $(chain_base $1)_dynf
}
dynamic_in() # $1 = interface
{
echo $(chain_base $1)_dyni
}
dynamic_out() # $1 = interface
{
echo $(chain_base $1)_dyno
}
dynamic_chains() #$1 = interface
{
local c=$(chain_base $1)
echo ${c}_dyni ${c}_dynf ${c}_dyno
}
#
# DNAT Chain from a zone
#
dnat_chain() # $1 = zone
{
echo ${1}_dnat
}
#
# SNAT Chain to an interface
#
snat_chain() # $1 = interface
{
echo $(chain_base $1)_snat
}
#
# ECN Chain to an interface
#
ecn_chain() # $1 = interface
{
echo $(chain_base $1)_ecn
}
#
# First chains for an interface
#
first_chains() #$1 = interface
{
local c=$(chain_base $1)
echo ${c}_fwd ${c}_in
}
#
# Horrible hack to work around an iptables limitation
#
iprange_echo()
{
if [ -f $TMP_DIR/iprange ]; then
echo $@
else
echo "-m iprange $@"
> $TMP_DIR/iprange
fi
}
#
# Get set flags (ipsets).
#
get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
{
local temp setname=$1 options=$2
[ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1"
case $1 in
*\[[1-6]\])
temp=${1#*\[}
temp=${temp%\]}
setname=${1%\[*}
while [ $temp -gt 1 ]; do
options="$options,$2"
temp=$(($temp - 1))
done
;;
*\[*\])
options=${1#*\[}
options=${options%\]}
setname=${1%\[*}
;;
*)
;;
esac
echo "--set ${setname#+} $options"
}
#
# Horrible hack to work around an iptables limitation
#
physdev_echo()
{
if [ -f $TMP_DIR/physdev ]; then
echo $@
else
echo -m physdev $@
> $TMP_DIR/physdev
fi
}
#
# We allow hosts to be specified by IP address or by physdev. These two functions
# are used to produce the proper match in a netfilter rule.
#
match_source_hosts()
{
if [ -n "$BRIDGING" ]; then
case $1 in
*:*)
physdev_echo "--physdev-in ${1%:*} $(source_ip_range ${1#*:})"
;;
*.*.*.*|+*|!+*)
echo $(source_ip_range $1)
;;
*)
physdev_echo "--physdev-in $1"
;;
esac
else
echo $(source_ip_range $1)
fi
}
match_dest_hosts()
{
if [ -n "$BRIDGING" ]; then
case $1 in
*:*)
physdev_echo "--physdev-out ${1%:*} $(dest_ip_range ${1#*:})"
;;
*.*.*.*|+*|!+*)
echo $(dest_ip_range $1)
;;
*)
physdev_echo "--physdev-out $1"
;;
esac
else
echo $(dest_ip_range $1)
fi
}
#
# Similarly, the source or destination in a rule can be qualified by a device name. If
# the device is defined in /etc/shorewall/interfaces then a normal interface match is
# generated (-i or -o); otherwise, a physdev match is generated.
#-------------------------------------------------------------------------------------
#
# loosely match the passed interface with those in /etc/shorewall/interfaces.
#
known_interface() # $1 = interface name
{
local iface
for iface in $ALL_INTERFACES ; do
if if_match $iface $1 ; then
return 0
fi
done
return 1
}
known_port() # $1 = port name
{
local port
for port in $ALL_PORTS ; do
if if_match $port $1 ; then
return 0
fi
done
return 1
}
match_source_dev()
{
if [ -n "$BRIDGING" ]; then
known_port $1 && physdev_echo "--physdev-in $1" || echo -i $1
else
echo -i $1
fi
}
match_dest_dev()
{
if [ -n "$BRIDGING" ]; then
known_port $1 && physdev_echo "--physdev-out $1" || echo -o $1
else
echo -o $1
fi
}
verify_interface()
{
known_interface $1 || { [ -n "$BRIDGING" ] && known_port $1 ; }
}
#
# Determine if communication to/from a host is encrypted using IPSEC
#
is_ipsec_host() # $1 = zone, $2 = host
{
eval local is_ipsec=\$${1}_is_ipsec
eval local hosts=\"\$${1}_ipsec_hosts\"
test -n "$is_ipsec" || list_search $2 $hosts
}
#
# Generate a match for decrypted packets
#
match_ipsec_in() # $1 = zone, $2 = host
{
if is_ipsec_host $1 $2 ; then
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
echo "-m policy --pol ipsec --dir in $options"
elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir in"
fi
}
#
# Generate a match for packets that will be encrypted
#
match_ipsec_out() # $1 = zone, $2 = host
{
if is_ipsec_host $1 $2 ; then
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
echo "-m policy --pol ipsec --dir out $options"
elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir out"
fi
}
#
# Jacket for ip_range() that takes care of iprange match
#
firewall_ip_range() # $1 = IP address or range
{
[ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1
}
#
#
# Find hosts in a given zone
#
# Read hosts file and for each record matching the passed ZONE,
# echo the expanded contents of the "HOST(S)" column
#
find_hosts() # $1 = host zone
{
local hosts interface address addresses
while read z hosts options; do
if [ "x$(expand $z)" = "x$1" ]; then
expandv hosts
interface=${hosts%%:*}
addresses=${hosts#*:}
for address in $(separate_list $addresses); do
echo $interface:$address
done
fi
done < $TMP_DIR/hosts
}
#
# Determine the interfaces on the firewall
#
# For each zone, create a variable called ${zone}_interfaces. This
# variable contains a space-separated list of interfaces to the zone
#
determine_interfaces() {
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
for zone in $ZONES; do
interfaces=$(find_interfaces $zone)
interfaces=$(echo $interfaces) # Remove extra trash
eval ${zone}_interfaces=\"\$interfaces\"
done
}
#
# Determine if an interface has a given option
#
interface_has_option() # $1 = interface, #2 = option
{
local options
eval options=\$$(chain_base $1)_options
list_search $2 $options
}
#
# Determine the defined hosts in each zone and generate report
#
determine_hosts() {
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
for zone in $ZONES; do
hosts=$(find_hosts $zone)
hosts=$(echo $hosts) # Remove extra trash
eval interfaces=\$${zone}_interfaces
for interface in $interfaces; do
if interface_has_option $interface detectnets; then
networks=$(get_routed_networks $interface)
else
networks=0.0.0.0/0
fi
for network in $networks; do
if [ -z "$hosts" ]; then
hosts=$interface:$network
else
hosts="$hosts $interface:$network"
fi
if interface_has_option $interface routeback; then
eval ${zone}_routeback=\"$interface:$network \$${zone}_routeback\"
fi
done
done
interfaces=
for host in $hosts; do
interface=${host%:*}
if list_search $interface $interfaces; then
list_search $interface:0.0.0.0/0 $hosts && \
startup_error "Invalid zone definition for zone $zone"
list_search $interface:0/0 $hosts && \
startup_error "Invalid zone definition for zone $zone"
eval ${zone}_is_complex=Yes
else
if [ -z "$interfaces" ]; then
interfaces=$interface
else
interfaces="$interfaces $interface"
fi
fi
done
eval ${zone}_interfaces="\$interfaces"
eval ${zone}_hosts="\$hosts"
if [ -n "$hosts" ]; then
[ $VERBOSE -ge 1 ] && display_list "$zone Zone:" $hosts
else
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
error_message "WARNING: Zone $zone is empty"
fi
done
}
#
# Ensure that the passed zone is defined in the zones file or is the firewall
#
validate_zone() # $1 = zone
{
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
list_search $1 $ZONES $FW
}
#
# Ensure that the passed zone is defined in the zones file.
#
validate_zone1() # $1 = zone
{
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
list_search $1 $ZONES
}
#
# Validate the zone names and options in the interfaces file
#
validate_interfaces_file() {
local wildcard
local found_obsolete_option=
local z interface networks options r iface option
while read z interface networks options; do
expandv z interface networks options
r="$z $interface $networks $options"
[ "x$z" = "x-" ] && z=
if [ -n "$z" ]; then
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
fi
list_search $interface $ALL_INTERFACES && \
startup_error "Duplicate Interface $interface"
wildcard=
case $interface in
*:*|+)
startup_error "Invalid Interface Name: $interface"
;;
*+)
wildcard=Yes
;;
esac
ALL_INTERFACES="$ALL_INTERFACES $interface"
options=$(separate_list $options)
iface=$(chain_base $interface)
eval ${iface}_broadcast="$networks"
eval ${iface}_zone="$z"
eval ${iface}_options=\"$options\"
for option in $options; do
case $option in
-)
;;
dhcp|tcpflags|arp_filter|routefilter|maclist|logmartians|sourceroute|blacklist|proxyarp|nosmurfs|upnp|-)
;;
norfc1918)
addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)
if [ -n "$addr" ]; then
addr=$(echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//')
for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do
if in_network $addr $network; then
startup_error "The 'norfc1918' option may not be specified on an interface with an RFC 1918 address. Interface:$interface"
fi
done
fi
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
;;
arp_ignore=*)
eval ${iface}_arp_ignore=${option#*=}
;;
arp_ignore)
eval ${iface}_arp_ignore=1
;;
detectnets)
[ -n "$wildcard" ] && \
startup_error "The \"detectnets\" option may not be used with a wild-card interface"
[ -n $EXPORT ] && \
startup_error "'detectnets' not permitted with the -e run-line option"
;;
routeback)
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
;;
*)
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
error_message "WARNING: Invalid option ($option) in record \"$r\""
;;
esac
done
done < $TMP_DIR/interfaces
[ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined"
}
#
# Check that a mark value or mask is less that 256
#
verify_mark() # $1 = value to test
{
verify_mark1()
{
[ $1 -lt 256 ]
}
verify_mark2()
{
verify_mark1 $1 2> /dev/null
}
verify_mark2 $1 || fatal_error "Invalid Mark or Mask value: $1"
}
#
# Format a match by the passed MAC address
# The passed address begins with "~" and uses "-" as a separator between bytes
# Example: ~01-02-03-04-05-06
#
mac_match() # $1 = MAC address formated as described above
{
echo "--match mac --mac-source $(echo $1 | sed 's/~//;s/-/:/g')"
}
#
# Find broadcast addresses -- if we are compiling a script and 'detect' is specified for an interface
# the function returns nothing for that interface
#
find_broadcasts() {
for interface in $ALL_INTERFACES; do
eval bcast=\$$(chain_base $interface)_broadcast
if [ "x$bcast" = "xdetect" ]; then
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
elif [ "x${bcast}" != "x-" ]; then
echo $(separate_list $bcast)
fi
done
}
#
# Find interfaces that have the passed option specified
#
find_interfaces_by_option() # $1 = option
{
for interface in $ALL_INTERFACES; do
eval options=\$$(chain_base $interface)_options
list_search $1 $options && echo $interface
done
}
#
# This slightly slower version is used to find both the option and option followed
# by equal sign ("=") and a value
#
find_interfaces_by_option1() # $1 = option
{
local options option
for interface in $ALL_INTERFACES; do
eval options=\$$(chain_base $interface)_options
for option in $options; do
if [ "${option%=*}" = "$1" ]; then
echo $interface
break
fi
done
done
}
#
# Find hosts with the passed option
#
find_hosts_by_option() # $1 = option
{
local ignore hosts interface address addresses options ipsec= list
while read ignore hosts options; do
expandv options
list=$(separate_list $options)
if list_search $1 $list; then
list_search ipsec $list && ipsec=ipsec || ipsec=none
expandv hosts
interface=${hosts%%:*}
addresses=${hosts#*:}
for address in $(separate_list $addresses); do
echo ${ipsec}^$interface:$address
done
fi
done < $TMP_DIR/hosts
for interface in $ALL_INTERFACES; do
interface_has_option $interface $1 && \
echo none^${interface}:0.0.0.0/0
done
}
#
# Flush and delete all user-defined chains in the filter table
#
deleteallchains() {
run_iptables -F
run_iptables -X
}
#
# Process the routestopped file either adding or deleting rules
#
process_routestopped() # $1 = command
{
local hosts= interface host host1 options networks source= dest= matched
while read interface host options; do
expandv interface host options
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
for h in $(separate_list $host); do
hosts="$hosts $interface:$h"
done
routeback=
if [ -n "$options" ]; then
for option in $(separate_list $options); do
case $option in
routeback)
if [ -n "$routeback" ]; then
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
error_message "WARNING: Duplicate routestopped option ignored: routeback"
else
routeback=Yes
for h in $(separate_list $host); do
run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
done
fi
;;
source)
for h in $(separate_list $host); do
source="$source $interface:$h"
done
;;
dest)
for h in $(separate_list $host); do
dest="$dest $interface:$h"
done
;;
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
critical)
;;
*)
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
error_message "WARNING: Unknown routestopped option ignored: $option"
;;
esac
done
fi
done < $TMP_DIR/routestopped
for host in $hosts; do
interface=${host%:*}
networks=${host#*:}
run_iptables $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
[ -z "$ADMINISABSENTMINDED" -o $COMMAND != stop ] && \
run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
matched=
if list_search $host $source ; then
run_iptables $1 FORWARD -i $interface $(source_ip_range $networks) -j ACCEPT
matched=Yes
fi
if list_search $host $dest ; then
run_iptables $1 FORWARD -o $interface $(dest_ip_range $networks) -j ACCEPT
matched=Yes
fi
if [ -z "$matched" ]; then
for host1 in $hosts; do
[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
done
fi
done
}
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
process_criticalhosts()
{
local hosts= interface host h options networks criticalhosts=
[ -f $TMP_DIR/routestopped ] || strip_file routestopped
while read interface host options; do
expandv interface host options
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host)
if [ -n "$options" ]; then
for option in $(separate_list $options); do
case $option in
routeback|source|dest)
;;
critical)
for h in $host; do
criticalhosts="$criticalhosts $interface:$h"
done
;;
*)
error_message "WARNING: Unknown routestopped option ignored: $option"
;;
esac
done
fi
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
done < $TMP_DIR/routestopped
if [ -n "$criticalhosts" ]; then
CRITICALHOSTS=$criticalhosts
progress_message "Critical Hosts are:$CRITICALHOSTS"
fi
}
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
#
# For each entry in the CRITICALHOSTS global list, add INPUT and OUTPUT rules to
# enable traffic to/from those hosts.
#
enable_critical_hosts()
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
{
for host in $CRITICALHOSTS; do
interface=${host%:*}
networks=${host#*:}
$IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
done
}
#
# For each entry in the CRITICALHOSTS global list, delete the INPUT and OUTPUT rules that
# enable traffic to/from those hosts.
#
disable_critical_hosts()
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
{
for host in $CRITICALHOSTS; do
interface=${host%:*}
networks=${host#*:}
$IPTABLES -D INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
$IPTABLES -D OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
done
}
#
# Stop the Firewall
#
stop_firewall() {
#
# Turn off trace unless we were tracing "stop" or "clear"
#
[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
case $COMMAND in
stop|clear)
;;
*)
set +x
[ -n "${RESTOREFILE:=restore}" ]
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
progress_message2 Restoring Ipsets...
#
# We must purge iptables to be sure that there are no
# references to ipsets
#
for table in mangle nat filter; do
iptables -t $table -F
iptables -t $table -X
done
${RESTOREPATH}-ipsets
fi
echo Restoring Shorewall...
if $RESTOREPATH restore; then
echo "Shorewall restored from $RESTOREPATH"
set_state "Started"
else
set_state "Unknown"
fi
my_mutex_off
kill $$
exit 2
fi
;;
esac
set_state "Stopping"
STOPPING="Yes"
TERMINATOR=
deletechain shorewall
run_user_exit stop
if [ -n "$MANGLE_ENABLED" ]; then
run_iptables -t mangle -F
run_iptables -t mangle -X
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
qt $IPTABLES -t mangle -P $chain ACCEPT
done
fi
if [ -n "$RAW_TABLE" ]; then
run_iptables -t raw -F
run_iptables -t raw -X
for chain in PREROUTING OUTPUT; do
qt $IPTABLES -t raw -P $chain ACCEPT
done
fi
if [ -n "$NAT_ENABLED" ]; then
delete_nat
for chain in PREROUTING POSTROUTING OUTPUT; do
qt $IPTABLES -t nat -P $chain ACCEPT
done
fi
delete_proxy_arp
[ -n "$CLEAR_TC" ] && delete_tc1
[ -n "$DISABLE_IPV6" ] && disable_ipv6
process_criticalhosts
if [ -n "$CRITICALHOSTS" ]; then
if [ -z "$ADMINISABSENTMINDED" ]; then
for chain in INPUT OUTPUT; do
setpolicy $chain ACCEPT
done
setpolicy FORWARD DROP
deleteallchains
enable_critical_hosts
for chain in INPUT OUTPUT; do
setpolicy $chain DROP
done
else
for chain in INPUT OUTPUT; do
setpolicy $chain ACCEPT
done
setpolicy FORWARD DROP
deleteallchains
enable_critical_hosts
setpolicy INPUT DROP
for chain in INPUT FORWARD; do
setcontinue $chain
done
fi
elif [ -z "$ADMINISABSENTMINDED" ]; then
for chain in INPUT OUTPUT FORWARD; do
setpolicy $chain DROP
done
deleteallchains
else
for chain in INPUT FORWARD; do
setpolicy $chain DROP
done
setpolicy OUTPUT ACCEPT
deleteallchains
for chain in INPUT FORWARD; do
setcontinue $chain
done
fi
process_routestopped -A
$IPTABLES -A INPUT -i lo -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
$IPTABLES -A OUTPUT -o lo -j ACCEPT
for interface in $(find_interfaces_by_option dhcp); do
$IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
$IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
#
# This might be a bridge
#
$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
done
case "$IP_FORWARDING" in
[Oo][Nn])
echo 1 > /proc/sys/net/ipv4/ip_forward
progress_message2 "IP Forwarding Enabled"
;;
[Oo][Ff][Ff])
echo 0 > /proc/sys/net/ipv4/ip_forward
progress_message2 "IP Forwarding Disabled!"
;;
esac
run_user_exit stopped
set_state "Stopped"
logger "Shorewall Stopped"
rm -rf $TMP_DIR
case $COMMAND in
stop|clear)
;;
*)
#
# The firewall is being stopped when we were trying to do something
# else. Remove the lock file and Kill the shell in case we're in a
# subshell
#
my_mutex_off
kill $$
;;
esac
}
#
# Remove all rules and remove all user-defined chains
#
clear_firewall() {
stop_firewall
setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
run_iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
if [ -n "$DISABLE_IPV6" ] && qt mywhich ip6tables; then
ip6tables -P INPUT ACCEPT 2> /dev/null
ip6tables -P OUTPUT ACCEPT 2> /dev/null
ip6tables -P FORWARD ACCEPT 2> /dev/null
fi
run_user_exit clear
set_state "Cleared"
logger "Shorewall Cleared"
}
#
# Process the ipsec information in the zones file
#
setup_ipsec() {
local zone using_ipsec=
do_options() # $1 = _in, _out or "" - $2 = option list
{
local option opts newoptions= val
[ x${2} = x- ] && return
opts=$(separate_list $2)
for option in $opts; do
val=${option#*=}
case $option in
mss=[0-9]*) ;;
strict) newoptions="$newoptions --strict" ;;
next) newoptions="$newoptions --next" ;;
reqid=*) newoptions="$newoptions --reqid $val" ;;
spi=*) newoptions="$newoptions --spi $val" ;;
proto=*) newoptions="$newoptions --proto $val" ;;
mode=*) newoptions="$newoptions --mode $val" ;;
tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;;
tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;;
reqid!=*) newoptions="$newoptions ! --reqid $val" ;;
spi!=*) newoptions="$newoptions ! --spi $val" ;;
proto!=*) newoptions="$newoptions ! --proto $val" ;;
mode!=*) newoptions="$newoptions ! --mode $val" ;;
tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;;
tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;;
*) fatal_error "Invalid option \"$option\" for zone $zone" ;;
esac
done
if [ -n "$newoptions" ]; then
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
eval ${zone}_is_complex=Yes
eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
fi
}
case $IPSECFILE in
zones)
f=zones
progress_message "Setting up IPSEC..."
;;
*)
f=$IPSECFILE
strip_file $f
progress_message "Processing $f..."
using_ipsec=Yes
;;
esac
while read zone type options in_options out_options mss; do
expandv zone type options in_options out_options mss
if [ -n "$using_ipsec" ]; then
validate_zone1 $zone || fatal_error "Unknown zone: $zone"
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
fi
if [ -n "$type" ]; then
if [ -n "$using_ipsec" ]; then
case $type in
No|no)
;;
Yes|yes)
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
eval ${zone}_is_ipsec=Yes
eval ${zone}_is_complex=Yes
eval ${zone}_type=ipsec4
;;
*)
fatal_error "Invalid IPSEC column contents"
;;
esac
fi
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
do_options "" $options
do_options "_in" $in_options
do_options "_out" $out_options
fi
done < $TMP_DIR/$f
}
#
# Delete existing Proxy ARP
#
delete_proxy_arp() {
if [ -f /var/lib/shorewall/proxyarp ]; then
while read address interface external haveroute; do
case $COMMAND in
stop|clear)
qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
;;
*)
if [ -n "$STOPPING" ]; then
qt arp -i $external -d $address pub
qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
else
qt arp -i $external -d $address pub
if [ -z "$haveroute" ];then
[ -n "$NOROUTE" ] || qt ip route del $address dev $interface
fi
fi
;;
esac
done < /var/lib/shorewall/proxyarp
rm -f /var/lib/shorewall/proxyarp
fi
[ -d $STATEDIR ] && touch $STATEDIR/proxyarp
case $COMMAND in
stop|clear)
for f in /proc/sys/net/ipv4/conf/*; do
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
done
;;
*)
if [ -n "$STOPPING" ]; then
for f in /proc/sys/net/ipv4/conf/*; do
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
done
else
for f in /proc/sys/net/ipv4/conf/*; do
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
done
fi
;;
esac
}
#
# Delete existing Static NAT
#
delete_nat() {
run_iptables -t nat -F
run_iptables -t nat -X
if [ -f /var/lib/shorewall/nat ]; then
while read external interface; do
qt ip addr del $external dev $interface
done < /var/lib/shorewall/nat
rm -f {/var/lib/shorewall}/nat
fi
[ -d $STATEDIR ] && touch $STATEDIR/nat
}
#
# Setup Network Mapping (NETMAP)
#
setup_netmap() {
while read type net1 interface net2 ; do
expandv type net1 interface net2
list_search $interface $ALL_INTERFACES || \
fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\""
case $type in
DNAT)
addnatrule $(input_chain $interface) -d $net1 -j NETMAP --to $net2
;;
SNAT)
addnatrule $(output_chain $interface) -s $net1 -j NETMAP --to $net2
;;
*)
fatal_error "Invalid type $type in entry \"$type $net1 $interface $net2\""
;;
esac
progress_message " Network $net1 on $interface mapped to $net2 ($type)"
done < $TMP_DIR/netmap
}
#
# Setup ECN disabling rules
#
setup_ecn() # $1 = file name
{
local interfaces=""
local hosts=
local h
strip_file ecn $1
progress_message2 "Processing $1..."
while read interface host; do
expandv interface host
list_search $interface $ALL_INTERFACES || \
startup_error "Unknown interface $interface"
list_search $interface $interfaces || \
interfaces="$interfaces $interface"
[ "x$host" = "x-" ] && host=
for h in $(separate_list ${host:-0.0.0.0/0}); do
hosts="$hosts $interface:$h"
done
done < $TMP_DIR/ecn
if [ -n "$interfaces" ]; then
progress_message "Setting up ECN control on${interfaces}..."
for interface in $interfaces; do
chain=$(ecn_chain $interface)
if havemanglechain $chain; then
flushmangle $chain
else
createmanglechain $chain
run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain
run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain
fi
done
for host in $hosts; do
interface=${host%:*}
h=${host#*:}
run_iptables -t mangle -A $(ecn_chain $interface) -p tcp $(dest_ip_range $h) -j ECN --ecn-tcp-remove
progress_message " ECN Disabled to $h through $interface"
done
fi
}
#
# Set up an exclusion chain
#
build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list
{
local c=excl_${EXCLUSION_SEQ} net
EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 ))
run_iptables -t $2 -N $c
for net in $(separate_list $3); do
run_iptables -t $2 -A $c $(source_ip_range $net) -j RETURN
done
for net in $(separate_list $4); do
run_iptables -t $2 -A $c $(dest_ip_range $net) -j RETURN
done
case $2 in
filter)
eval exists_${c}=Yes
;;
nat)
eval exists_nat_${c}=Yes
;;
esac
eval $1=$c
}
#
# Arne Bernin's 'tc4shorewall'
#
setup_traffic_shaping()
{
local mtu r2q tc_all_devices device mark rate ceil prio options devfile=$(find_file tcdevices) classfile=$(find_file tcclasses) devnum=1
mtu=1500
r2q=10
rate_to_kbit() {
local rateunit rate
rate=$1
rateunit=$( echo $rate | sed -e 's/[0-9]*//')
rate=$( echo $rate | sed -e 's/[a-z]*//g')
case $rateunit in
kbit)
rate=$rate
;;
mbit)
rate=$(expr $rate \* 1024)
;;
mbps)
rate=$(expr $rate \* 8192)
;;
kbps)
rate=$(expr $rate \* 8)
;;
*)
rate=$(expr $rate / 128)
;;
esac
echo $rate
}
calculate_quantum() {
local rate
rate=$1
rate=$(rate_to_kbit $rate)
rate=$(expr $rate \* 128 / $r2q )
if [ $rate -lt $mtu ] ; then
echo $mtu
else
echo $rate
fi
}
# get given outbandwidth for device
get_outband_for_dev() {
local device inband outband
while read device inband outband; do
expandv device inband outband
tcdev="$device $inband $outband"
if [ "$1" = "$device" ] ; then
echo $outband
return
fi
done < $TMP_DIR/tcdevices
}
check_tcclasses_options() {
while [ $# -gt 1 ]; do
shift
case $1 in
default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service)
;;
*)
echo $1
return 1
;;
esac
done
return 0
}
get_defmark_for_dev() {
local searchdev searchmark device ceil prio options
searchdev=$1
while read device mark rate ceil prio options; do
expandv device mark rate ceil prio options
options=$(separate_list $options | tr '[A-Z]' '[a-z]')
tcdev="$device $mark $rate $ceil $prio $options"
if [ "$searchdev" = "$device" ] ; then
list_search "default" $options && echo $mark &&return 0
fi
done < $TMP_DIR/tcclasses
return 1
}
check_defmark_for_dev() {
get_defmark_for_dev $1 >/dev/null
}
validate_tcdevices_file() {
progress_message2 "Validating $devfile..."
local device local device inband outband
while read device inband outband; do
expandv device inband outband
tcdev="$device $inband $outband"
check_defmark_for_dev $device || fatal_error "Option default is not defined for any class in tcclasses for interface $device"
case $interface in
*:*|+)
fatal_error "Invalid Interface Name: $interface"
;;
esac
list_search $device $devices && fatal_error "Interface $device is defined more than once in tcdevices"
tc_all_devices="$tc_all_devices $device"
done < $TMP_DIR/tcdevices
}
validate_tcclasses_file() {
progress_message2 "Validating $classfile..."
local classlist device mark rate ceil prio bandw wrongopt allopts opt
allopts=""
while read device mark rate ceil prio options; do
expandv device mark rate ceil prio options
tcdev="$device $mark $rate $ceil $prio $options"
ratew=$(get_outband_for_dev $device)
options=$(separate_list $options | tr '[A-Z]' '[a-z]')
for opt in $options; do
list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses"
allopts="$allopts $device-$opt"
done
wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file"
if [ -z "$ratew" ] ; then
fatal_error "device $device seems not to be configured in tcdevices"
fi
list_search "$device-$mark" $classlist && fatal_error "Mark $mark for interface $device defined more than once in tcclasses"
classlist="$classlist $device-$mark"
done < $TMP_DIR/tcclasses
}
add_root_tc() {
local defmark
defmark=$(get_defmark_for_dev $device)
qt tc qdisc del dev $device root
qt tc qdisc del dev $device ingress
run_tc qdisc add dev $device root handle $devnum: htb default 1$defmark
run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $outband
run_tc qdisc add dev $device handle ffff: ingress
run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband} burst 10k drop flowid :1
eval $(chain_base $device)_devnum=$devnum
devnum=$(($devnum + 1))
}
add_tc_class() {
local full classid
full=$(get_outband_for_dev $device)
full=$(rate_to_kbit $full)
if [ -z "$prio" ] ; then
prio=1
fi
case $rate in
*full*)
rate=$(echo $rate | sed -e "s/full/$full/")
rate="$(($rate))kbit"
;;
esac
case $ceil in
*full*)
ceil=$(echo $ceil | sed -e "s/full/$full/")
ceil="$(($ceil))kbit"
;;
esac
eval devnum=\$$(chain_base $device)_devnum
classid=$devnum:1$mark
[ -n "$devnum" ] || fatal_error "Device $device not defined in $devfile"
run_tc class add dev $device parent $devnum:1 classid $classid htb rate $rate ceil $ceil prio $prio quantum $(calculate_quantum $rate)
run_tc qdisc add dev $device parent $classid handle 1$mark: sfq perturb 10
# add filters
if [ -n "$CLASSIFY_TARGET" ]; then
run_iptables -t mangle -A tcpost -o $device -m mark --mark $mark -j CLASSIFY --set-class $classid
else
run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid
fi
#options
list_search "tcp-ack" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid
list_search "tos-minimize-delay" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid $classid
list_search "tos-minimize-cost" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x02 0xff flowid $classid
list_search "tos-maximize-troughput" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x08 0xff flowid $classid
list_search "tos-minimize-reliability" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x04 0xff flowid $classid
list_search "tos-normal-service" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x00 0xff flowid $classid
# tcp
}
strip_file tcdevices $devfile
strip_file tcclasses $classfile
validate_tcdevices_file
validate_tcclasses_file
if [ -s $TMP_DIR/tcdevices ]; then
progress_message2 "Processing $devfile..."
while read device inband outband defmark ackmark; do
expandv device inband outband defmark ackmark
tcdev="$device $inband $outband"
add_root_tc
progress_message " TC Device $tcdev Added."
done < $TMP_DIR/tcdevices
fi
if [ -s $TMP_DIR/tcclasses ]; then
progress_message2 "Processing $classfile..."
while read device mark rate ceil prio options; do
expandv device mark rate ceil prio options
tcdev="$device $mark $rate $ceil $prio $options"
options=$(separate_list $options | tr '[A-Z]' '[a-z]')
add_tc_class
progress_message " TC Class \"$tcdev\" Added."
done < $TMP_DIR/tcclasses
fi
}
#
# Process a TC Rule - $MARKING_CHAIN is assumed to contain the name of the
# default marking chain
#
process_tc_rule()
{
chain=$MARKING_CHAIN target="MARK --set-mark" marktest=
verify_designator() {
[ "$chain" = tcout ] && \
fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
chain=$1
mark="${mark%:*}"
}
do_ipp2p()
{
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
[ "x$port" = "x-" ] && port="ipp2p"
case $proto in
*:*)
proto=${proto#*:}
;;
*)
proto=tcp
;;
esac
r="${r}-p $proto -m ipp2p --${port} "
}
add_a_tc_rule() {
r=
if [ "x$source" != "x-" ]; then
case $source in
$FW:*)
[ $chain = tcpost ] || chain=tcout
r="$(source_ip_range ${source#*:}) "
;;
*.*.*|+*|!+*)
r="$(source_ip_range $source) "
;;
~*)
r="$(mac_match $source) "
;;
$FW)
[ $chain = tcpost ] || chain=tcout
;;
*)
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
r="$(match_source_dev $source) "
;;
esac
fi
if [ "x${user:--}" != "x-" ]; then
[ "$chain" != tcout ] && \
fatal_error "Invalid use of a user/group: rule \"$rule\""
r="$r-m owner"
case "$user" in
*+*)
r="$r --cmd-owner ${user#*+} "
user=${user%+*}
;;
esac
case "$user" in
*:*)
temp="${user%:*}"
[ -n "$temp" ] && r="$r --uid-owner $temp "
temp="${user#*:}"
[ -n "$temp" ] && r="$r --gid-owner $temp "
;;
*)
[ -n "$user" ] && r="$r --uid-owner $user "
;;
esac
fi
[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
if [ "x$dest" != "x-" ]; then
case $dest in
*.*.*|+*|!+*)
r="${r}$(dest_ip_range $dest) "
;;
*)
[ "$chain" = tcpre ] && fatal_error "Destination interface is not allowed in the PREROUTING chain"
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
r="${r}$(match_dest_dev $dest) "
;;
esac
fi
if [ "x${length:=-}" != "x-" ]; then
[ -n "$LENGTH_MATCH" ] || fatal_error "Your kernel and/or iptables does not have length match support. Rule: \"$rule\""
r="${r}-m length --length ${length} "
fi
multiport=
case $proto in
ipp2p|IPP2P|ipp2p:*|IPP2P:*)
do_ipp2p
;;
icmp|ICMP|1)
r="${r}-p icmp "
[ "x$port" = "x-" ] || r="${r}--icmp-type $port"
;;
*)
[ "x$proto" = "x-" ] && proto=all
[ "x$proto" = "x" ] && proto=all
[ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port "
;;
esac
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
if [ -n "${excludesources}${excludedests}" ]; then
build_exclusion_chain chain1 mangle "$excludesources" "$excludedests"
run_iptables2 -t mangle -A $chain $r -j $chain1
run_iptables -t mangle -A $chain1 -j $target $mark
else
run_iptables2 -t mangle -A $chain $r -j $target $mark
fi
}
if [ "$mark" != "${mark%:*}" ]; then
case "${mark#*:}" in
p|P)
verify_designator tcpre
;;
cp|CP)
verify_designator tcpre
target="CONNMARK --set-mark"
;;
f|F)
verify_designator tcfor
;;
cf|CF)
verify_designator tcfor
target="CONNMARK --set-mark"
;;
c|C)
target="CONNMARK --set-mark"
mark=${mark%:*}
;;
*)
chain=tcpost
target="CLASSIFY --set-class"
;;
esac
fi
case $mark in
SAVE)
target="CONNMARK --save-mark --mask 255"
mark=
;;
SAVE/*)
target="CONNMARK --save-mark --mask"
mark=${mark#*/}
verify_mark $mark
;;
RESTORE)
target="CONNMARK --restore-mark --mask 255"
mark=
;;
RESTORE/*)
target="CONNMARK --restore-mark --mask"
mark=${mark#*/}
verify_mark $mark
;;
CONTINUE)
target=RETURN
mark=
;;
*)
if [ "$chain" != tcpost ]; then
verify_mark $mark
fi
;;
esac
case $testval in
-)
;;
!*:C)
marktest="connmark ! "
testval=${testval%:*}
testval=${testval#!}
;;
*:C)
marktest="connmark "
testval=${testval%:*}
;;
!*)
marktest="mark ! "
testval=${testval#!}
;;
*)
[ -n "$testval" ] && marktest="mark "
;;
esac
if [ -n "$marktest" ] ; then
case $testval in
*/*)
verify_mark ${testval%/*}
verify_mark ${testval#*/}
;;
*)
verify_mark $testval
testval=$testval/255
;;
esac
fi
excludesources=
case ${sources:=-} in
*!*!*)
fatal_error "Invalid SOURCE in rule \"$rule\""
;;
!*)
if [ $(list_count $sourcess) -gt 1 ]; then
excludesources=${sources#!}
sources=-
fi
;;
*!*)
excludesources=${sources#*!}
sources=${sources%!*}
;;
esac
excludedests=
case ${dests:=-} in
*!*!*)
fatal_error "Invalid DEST in rule \"$rule\""
;;
!*)
if [ $(list_count $dests) -gt 1 ]; then
excludedests=${dests#*!}
dests=-
fi
;;
*!*)
excludedests=${dests#*!}
dests=${dests%!*}
;;
esac
for source in $(separate_list $sources); do
for dest in $(separate_list $dests); do
for port in $(separate_list ${ports:=-}); do
for sport in $(separate_list ${sports:=-}); do
add_a_tc_rule
done
done
done
done
progress_message " TC Rule \"$rule\" added"
}
#
# Setup queuing and classes
#
setup_tc1() {
#
# Create the TC mangle chains
#
createmanglechain tcpre
createmanglechain tcfor
createmanglechain tcout
createmanglechain tcpost
#
# Process the TC Rules File
#
strip_file tcrules
while read mark sources dests proto ports sports user testval length; do
expandv mark sources dests proto ports sports user testval length
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length")
process_tc_rule
done < $TMP_DIR/tcrules
#
# Link to the TC mangle chains from the main chains
#
if [ -n "$ROUTEMARK_INTERFACES" ]; then
#
# Route marks are restored in PREROUTING/OUTPUT prior to these rules. We only send
# packets that are not part of a marked connection to the 'tcpre/tcout' chains
#
run_iptables -t mangle -A PREROUTING -m mark --mark 0 -j tcpre
run_iptables -t mangle -A OUTPUT -m mark --mark 0 -j tcout
else
run_iptables -t mangle -A PREROUTING -j tcpre
run_iptables -t mangle -A OUTPUT -j tcout
fi
run_iptables -t mangle -A FORWARD -j tcfor
run_iptables -t mangle -A POSTROUTING -j tcpost
if [ -n "$TC_SCRIPT" ]; then
run_user_exit $TC_SCRIPT
elif [ -n "$TC_ENABLED" ]; then
setup_traffic_shaping
fi
}
setup_tc() {
progress_message2 "Setting up Traffic Control Rules..."
setup_tc1
}
#
# Clear Traffic Shaping
#
delete_tc()
{
clear_one_tc() {
tc qdisc del dev $1 root 2> /dev/null
tc qdisc del dev $1 ingress 2> /dev/null
}
run_user_exit tcclear
run_ip link list | \
while read inx interface details; do
case $inx in
[0-9]*)
clear_one_tc ${interface%:}
;;
*)
;;
esac
done
}
#
# Refresh queuing and classes
#
refresh_tc() {
progress_message2 "Refreshing Traffic Control Rules..."
[ -n "$CLEAR_TC" ] && delete_tc1
[ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
if qt $IPTABLES -t mangle -L $chain -n ; then
#
# Flush the TC mangle chains
#
run_iptables -t mangle -F tcfor
run_iptables -t mangle -F tcpre
run_iptables -t mangle -F tcout
run_iptables -t mangle -F tcpost
#
# Process the TC Rules File
#
strip_file tcrules
while read mark sources dests proto ports sports user testval length; do
expandv mark sources dests proto ports sports user testval length
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length")
process_tc_rule
done < $TMP_DIR/tcrules
else
setup_tc1
fi
if [ -n "$TC_SCRIPT" ]; then
run_user_exit $TC_SCRIPT
elif [ -n "$TC_ENABLED" ]; then
setup_traffic_shaping
fi
}
#
# Display elements of a list with leading white space
#
display_list() # $1 = List Title, rest of $* = list to display
{
[ $# -gt 1 ] && echo " $*"
}
policy_rules() # $1 = chain to add rules to
# $2 = policy
# $3 = loglevel
{
local target="$2"
case "$target" in
ACCEPT)
[ -n "$ACCEPT_common" ] && run_iptables -A $1 -j $ACCEPT_common
;;
DROP)
[ -n "$DROP_common" ] && run_iptables -A $1 -j $DROP_common
;;
REJECT)
[ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common
target=reject
;;
QUEUE)
[ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common
;;
CONTINUE)
target=
;;
*)
fatal_error "Invalid policy ($policy) for $1"
;;
esac
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
if [ $# -eq 3 -a "x${3}" != "x-" ]; then
log_rule $3 $1 $2
fi
[ -n "$target" ] && run_iptables -A $1 -j $target
}
#
# Add a record to the blacklst chain
#
# $source = address match
# $proto = protocol selector
# $dport = destination port selector
#
add_blacklist_rule() {
if [ -n "$BLACKLIST_LOGLEVEL" ]; then
log_rule $BLACKLIST_LOGLEVEL blacklst $BLACKLIST_DISPOSITION $(fix_bang $source $proto $dport)
fi
run_iptables2 -A blacklst $source $proto $dport -j $disposition
}
#
# Process a record from the blacklist file
#
# $networks = address/networks
# $protocol = Protocol Number/Name
# $port = Port Number/Name
#
process_blacklist_rec() {
local source
local addr
local proto
local dport
local temp
local setname
for addr in $(separate_list $networks); do
case $addr in
-)
source=
;;
~*)
addr=$(echo $addr | sed 's/~//;s/-/:/g')
source="--match mac --mac-source $addr"
;;
*)
source="$(source_ip_range $addr)"
;;
esac
if [ -n "$protocol" ]; then
proto=" -p $protocol "
case $protocol in
tcp|TCP|6|udp|UDP|17)
if [ -n "$ports" ]; then
if [ -n "$MULTIPORT" -a \
"$ports" != "${ports%,*}" -a \
"$ports" = "${ports%:*}" -a \
$(list_count $ports) -le 15 ]
then
dport="-m multiport --dports $ports"
add_blacklist_rule
else
for dport in $(separate_list $ports); do
dport="--dport $dport"
add_blacklist_rule
done
fi
else
add_blacklist_rule
fi
;;
icmp|ICMP|0)
if [ -n "$ports" ]; then
for dport in $(separate_list $ports); do
dport="--icmp-type $dport"
add_blacklist_rule
done
else
add_blacklist_rule
fi
;;
*)
add_blacklist_rule
;;
esac
else
add_blacklist_rule
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
fi
if [ -n "$ports" ]; then
addr="$addr $protocol $ports"
elif [ -n "$protocol" ]; then
addr="$addr $protocol"
fi
progress_message " $addr added to Black List"
done
}
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
#
# Refresh the Black List
#
refresh_blacklist() {
local f=$(find_file blacklist)
local disposition=$BLACKLIST_DISPOSITION
if qt $IPTABLES -L blacklst -n ; then
progress_message2 "Loading Black List..."
strip_file blacklist $f
[ "$disposition" = REJECT ] && disposition=reject
run_iptables -F blacklst
while read networks protocol ports; do
expandv networks protocol ports
process_blacklist_rec
done < $TMP_DIR/blacklist
fi
}
#
# Verify the Black List
#
validate_blacklist() {
local f=$(find_file blacklist)
local disposition=$BLACKLIST_DISPOSITION
progress_message2 "Checking Black List..."
strip_file blacklist $f
[ "$disposition" = REJECT ] && disposition=reject
while read networks protocol ports; do
expandv networks protocol ports
process_blacklist_rec
done < $TMP_DIR/blacklist
}
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
#
# Verify that kernel has netfilter support
#
verify_os_version() {
osversion=$(uname -r)
case $osversion in
2.4.*|2.5.*|2.6.*)
;;
*)
startup_error "Shorewall version $VERSION does not work with kernel version $osversion"
;;
esac
[ $COMMAND = start -a -n "$(lsmod 2> /dev/null | grep '^ipchains')" ] && \
startup_error "Shorewall can't start with the ipchains kernel module loaded - see FAQ #8"
}
#
# Check for disabled startup
#
check_disabled_startup() {
if [ -z "$STARTUP_ENABLED" ]; then
echo " Shorewall Startup is disabled -- to enable startup"
echo " after you have completed Shorewall configuration,"
echo " change the setting of STARTUP_ENABLED to Yes in"
echo " /etc/shorewall/shorewall.conf"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2
fi
}
#
# Refresh the firewall
#
refresh_firewall()
{
#
progress_message3 "Refreshing Shorewall..."
progress_message2 "Determining Zones and Interfaces..."
determine_zones
validate_interfaces_file
determine_interfaces
run_user_exit refresh
#
# Blacklist
#
refresh_blacklist
ecn=$(find_file ecn)
[ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
#
# Refresh Traffic Control
#
[ -n "$MANGLE_ENABLED" ] && refresh_tc
report "Shorewall Refreshed"
rm -rf $TMP_DIR
}
#
# Add a host or networks to a zone
#
add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
{
local interface host zone z h z1 z2 chain
local dhcp_interfaces blacklist_interfaces maclist_interfaces
local tcpflags_interfaces newhostlist=
local rulenum source_chain dest_hosts iface hosts hostlist=
nat_chain_exists() # $1 = chain name
{
qt $IPTABLES -t nat -L $1 -n
}
do_iptables() # $@ = command
{
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
if ! $IPTABLES $@ ; then
error_message "ERROR: Can't add $newhost to zone $zone"
fi
}
#
# Load $zones
#
determine_zones
#
# Validate Interfaces File
#
validate_interfaces_file
#
# Validate Hosts File
#
validate_hosts_file
#
# Validate IPSec File
#
f=$(find_file $IPSECFILE)
[ -f $f ] && setup_ipsec $f
#
# Normalize host list
#
while [ $# -gt 1 ]; do
interface=${1%%:*}
host=${1#*:}
#
# Be sure that the interface was dynamic at last [re]start
#
if ! chain_exists $(input_chain $interface) ; then
startup_error "Unknown interface $interface"
fi
if ! chain_exists $(dynamic_in $interface) ; then
startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf"
fi
if [ -z "$host" ]; then
hostlist="$hostlist $interface:0.0.0.0/0"
else
for h in $(separate_list $host); do
hostlist="$hostlist $interface:$h"
done
fi
shift
done
#
# Validate Zone
#
zone=$1
validate_zone $zone || startup_error "Unknown zone: $zone"
[ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone"
#
# Be sure that Shorewall has been restarted using a DZ-aware version of the code
#
[ -f /var/lib/shorewall/chains ] || startup_error "/var/lib/shorewall/chains -- file not found"
[ -f /var/lib/shorewall/zones ] || startup_error "/var/lib/shorewall/zones -- file not found"
#
# Check for duplicates and create a new zone state file
#
> /var/lib/shorewall/zones_$$
while read z type hosts; do
if [ "$z" = "$zone" ]; then
for h in $hostlist; do
list_search $h $hosts
if [ "$?" -gt 0 ]; then
newhostlist="$newhostlist $h"
else
error_message "$h already in zone $zone"
fi
done
[ -z "$hosts" ] && hosts=$newhostlist || hosts="$hosts $newhostlist"
fi
eval ${z}_hosts=\"$hosts\"
echo "$z $type $hosts" >> /var/lib/shorewall/zones_$$
done < /var/lib/shorewall/zones
mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones
TERMINATOR=fatal_error
#
# Create a new Zone state file
#
for newhost in $newhostlist; do
#
# Isolate interface and host parts
#
interface=${newhost%%:*}
host=${newhost#*:}
#
# If the zone passed in the command has a dnat chain then insert a rule in
# the nat table PREROUTING chain to jump to that chain when the source
# matches the new host(s)#
#
chain=${zone}_dnat
if nat_chain_exists $chain; then
do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $(match_ipsec_in $zone $newhost) -j $chain
fi
#
# Insert new rules into the filter table for the passed interface
#
while read z1 z2 chain; do
[ "$z1" = "$z2" ] && op="-I" || op="-A"
if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then
do_iptables $op $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain
else
source_chain=$(dynamic_fwd $interface)
if is_ipsec_host $z1 $newhost ; then
do_iptables $op $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd
else
eval dest_hosts=\"\$${z2}_hosts\"
for h in $dest_hosts; do
iface=${h%%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables $op $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
fi
done
fi
fi
elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then
#
# Add a rule to the dynamic out chain for the interface
#
do_iptables $op $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
else
eval source_hosts=\"\$${z1}_hosts\"
for h in $source_hosts; do
iface=${h%%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
if is_ipsec_host $z1 $h; then
do_iptables $op ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
else
do_iptables $op $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
fi
fi
done
fi
fi
done < /var/lib/shorewall/chains
progress_message "$newhost added to zone $zone"
done
rm -rf $TMP_DIR
}
#
# Delete a host or networks from a zone
#
delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
{
local interface host zone z h z1 z2 chain delhost
local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces
local rulenum source_chain dest_hosts iface hosts hostlist=
#
# Load $zones
#
determine_zones
#
# Validate Interfaces File
#
validate_interfaces_file
#
# Validate Hosts File
#
validate_hosts_file
#
# Validate IPSec File
#
f=$(find_file ipsec)
[ -f $f ] && setup_ipsec $f
#
# Normalize host list
#
while [ $# -gt 1 ]; do
interface=${1%%:*}
host=${1#*:}
#
# Be sure that the interface was dynamic at last [re]start
#
if ! chain_exists $(input_chain $interface) ; then
startup_error "Unknown interface $interface"
fi
if ! chain_exists $(dynamic_in $interface) ; then
startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf"
fi
if [ -z "$host" ]; then
hostlist="$hostlist $interface:0.0.0.0/0"
else
for h in $(separate_list $host); do
hostlist="$hostlist $interface:$h"
done
fi
shift
done
#
# Validate Zone
#
zone=$1
validate_zone $zone || startup_error "Unknown zone: $zone"
[ "$zone" = $FW ] && startup_error "Can't delete from the firewall zone"
#
# Be sure that Shorewall has been restarted using a DZ-aware version of the code
#
[ -f /var/lib/shorewall/chains ] || startup_error "/var/lib/shorewall/chains -- file not found"
[ -f /var/lib/shorewall/zones ] || startup_error "/var/lib/shorewall/zones -- file not found"
#
# Delete the passed hosts from the zone state file
#
> /var/lib/shorewall/zones_$$
while read z hosts; do
if [ "$z" = "$zone" ]; then
temp=$hosts
hosts=
for host in $hostlist; do
found=
for h in $temp; do
if [ "$h" = "$host" ]; then
found=Yes
break
fi
done
[ -n "$found" ] || error_message "WARNING: $host does not appear to be in zone $zone"
done
for h in $temp; do
found=
for host in $hostlist; do
if [ "$h" = "$host" ]; then
found=Yes
break
fi
done
[ -n "$found" ] || hosts="$hosts $h"
done
fi
eval ${z}_hosts=\"$hosts\"
echo "$z $hosts" >> /var/lib/shorewall/zones_$$
done < /var/lib/shorewall/zones
mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones
TERMINATOR=fatal_error
for delhost in $hostlist; do
interface=${delhost%%:*}
host=${delhost#*:}
#
# Delete any nat table entries for the host(s)
#
qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $zone $delhost) -j ${zone}_dnat
#
# Delete rules rules the input chains for the passed interface
#
while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then
qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $delhost) -j $chain
else
source_chain=$(dynamic_fwd $interface)
if is_ipsec_host $z1 $delhost ; then
qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd
else
eval dest_hosts=\"\$${z2}_hosts\"
[ "$z2" = "$zone" ] && dest_hosts="$dest_hosts $hostlist"
for h in $dest_hosts; do
iface=${h%%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
fi
done
fi
fi
elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then
qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
else
eval source_hosts=\"\$${z1}_hosts\"
for h in $source_hosts; do
iface=${h%%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
if is_ipsec_host $z1 $h; then
qt_iptables -D ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
else
qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
fi
fi
done
fi
fi
done < /var/lib/shorewall/chains
progress_message "$delhost removed from zone $zone"
done
rm -rf $TMP_DIR
}
#
# Determine the value for a parameter that defaults to Yes
#
added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
{
local val="$2"
if [ -z "$val" ]; then
echo "Yes"
else case $val in
[Yy][Ee][Ss])
echo "Yes"
;;
[Nn][Oo])
echo ""
;;
*)
startup_error "Invalid value ($val) for $1"
;;
esac
fi
}
#
# Determine the value for a parameter that defaults to No
#
added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
{
local val="$2"
if [ -z "$val" ]; then
echo ""
else case $val in
[Yy][Ee][Ss])
echo "Yes"
;;
[Nn][Oo])
echo ""
;;
*)
startup_error "Invalid value ($val) for $1"
;;
esac
fi
}
#
# Initialize this program
#
do_initialize() {
# Run all utility programs using the C locale
#
# Thanks to Vincent Planchenault for this tip #
export LC_ALL=C
# Make sure umask is sane
umask 077
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
#
# Establish termination function
#
TERMINATOR=startup_error
#
# Clear all configuration variables
#
VERSION=
IPTABLES=
FW=
SUBSYSLOCK=
ALLOWRELATED=Yes
LOGRATE=
LOGBURST=
LOGPARMS=
LOGLIMIT=
ADD_IP_ALIASES=
ADD_SNAT_ALIASES=
TC_ENABLED=
BLACKLIST_DISPOSITION=
BLACKLIST_LOGLEVEL=
CLAMPMSS=
ROUTE_FILTER=
LOG_MARTIANS=
DETECT_DNAT_IPADDRS=
MUTEX_TIMEOUT=
FORWARDPING=
MACLIST_DISPOSITION=
MACLIST_LOG_LEVEL=
TCP_FLAGS_DISPOSITION=
TCP_FLAGS_LOG_LEVEL=
RFC1918_LOG_LEVEL=
MARK_IN_FORWARD_CHAIN=
SHARED_DIR=/usr/share/shorewall
FUNCTIONS=
VERSION_FILE=
LOGFORMAT=
LOGRULENUMBERS=
ADMINISABSENTMINDED=
BLACKLISTNEWONLY=
MODULE_SUFFIX=
ACTIONS=
USEDACTIONS=
SMURF_LOG_LEVEL=
DISABLE_IPV6=
BRIDGING=
DYNAMIC_ZONES=
PKTTYPE=
USEPKTYPE=
RETAIN_ALIASES=
DELAYBLACKLISTLOAD=
LOGTAGONLY=
LOGALLNEW=
RFC1918_STRICT=
MACLIST_TTL=
SAVE_IPSETS=
RESTOREFILE=
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
MAPOLDACTIONS=
RESTOREBASE=
TMP_DIR=
ALL_INTERFACES=
ROUTEMARK_INTERFACES=
IPSECMARK=256
PROVIDERS=
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
CRITICALHOSTS=
IPSECFILE=
EXCLUSION_SEQ=1
STOPPING=
HAVE_MUTEX=
ALIASES_TO_ADD=
SECTION=ESTABLISHED
SECTIONS=
ALL_PORTS=
FUNCTIONS=$SHARED_DIR/functions
if [ -f $FUNCTIONS ]; then
[ $VERBOSE -gt 1 ] && echo "Loading $FUNCTIONS..."
. $FUNCTIONS
else
startup_error "$FUNCTIONS does not exist!"
fi
TMP_DIR=$(mktempdir)
[ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \
startup_error "Can't create a temporary directory"
trap "[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE;rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
ensure_config_path
VERSION_FILE=$SHARED_DIR/version
[ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE)
run_user_exit params
config=$(find_file shorewall.conf)
if [ -f $config ]; then
if [ -r $config ]; then
progress_message "Processing $config..."
. $config
else
startup_error "Cannot read $config (Hint: Are you root?)"
fi
else
startup_error "$config does not exist!"
fi
#
# Restore CONFIG_PATH if the shorewall.conf file cleared it
#
ensure_config_path
#
# Determine the capabilities of the installed iptables/netfilter
# We load the kernel modules here to accurately determine
# capabilities when module autoloading isn't enabled.
#
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
if [ -z "$EXPORT" ]; then
load_kernel_modules
if [ -z "$IPTABLES" ]; then
IPTABLES=$(mywhich iptables 2> /dev/null)
[ -z "$IPTABLES" ] && startup_error "Can't find iptables executable"
else
[ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
fi
determine_capabilities
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
else
f=$(find_file capabilities)
[ -f $f ] && . $f || startup_error "The -e flag requires a capabilities file"
fi
ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
[ -n "$ALLOWRELATED" ] || \
startup_error "ALLOWRELATED=No is not supported"
ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
if [ -n "${LOGRATE}${LOGBURST}" ]; then
LOGLIMIT="--match limit"
[ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE"
[ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST"
fi
if [ -n "$IP_FORWARDING" ]; then
case "$IP_FORWARDING" in
[Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp])
;;
*)
startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
;;
esac
else
IP_FORWARDING=On
fi
[ -n "${BLACKLIST_DISPOSITION:=DROP}" ]
case "$CLAMPMSS" in
[0-9]*)
;;
*)
CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
;;
esac
ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING)
[ -n "$FORWARDPING" ] && \
startup_error "FORWARDPING=Yes is no longer supported"
maclist_target=reject
if [ -n "$MACLIST_DISPOSITION" ] ; then
case $MACLIST_DISPOSITION in
REJECT)
;;
DROP)
maclist_target=DROP
;;
ACCEPT)
maclist_target=RETURN
;;
*)
startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
;;
esac
else
MACLIST_DISPOSITION=REJECT
fi
if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
case $TCP_FLAGS_DISPOSITION in
REJECT|ACCEPT|DROP)
;;
*)
startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
;;
esac
else
TCP_FLAGS_DISPOSITION=DROP
fi
[ -n "${RFC1918_LOG_LEVEL:=info}" ]
MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
[ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
if [ -n "$LOGFORMAT" ]; then
if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then
LOGRULENUMBERS=Yes
temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null)
if [ $? -ne 0 ]; then
startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
fi
else
temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null)
if [ $? -ne 0 ]; then
startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
fi
fi
[ ${#temp} -le 29 ] || startup_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
else
LOGFORMAT="Shorewall:%s:%s:"
fi
ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
[ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES=
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
case ${IPSECFILE:=ipsec} in
ipsec|zones)
;;
*)
startup_error "Invalid value ($IPSECFILE) for IPSECFILE option"
;;
esac
case ${MACLIST_TABLE:=filter} in
filter)
;;
mangle)
[ $MACLIST_DISPOSITION = reject ] && startup_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle"
;; *)
startup_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option"
;;
esac
TC_SCRIPT=
if [ -n "$TC_ENABLED" ] ; then
case "$TC_ENABLED" in
[Yy][Ee][Ss])
TC_ENABLED=
TC_SCRIPT=$(find_file tcstart)
[ -f $TC_SCRIPT ] || startup_error "Unable to find tcstart file"
;;
[Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll])
TC_ENABLED=Yes
;;
[Nn][Oo])
TC_ENABLED=
;;
esac
else
TC_ENABLED=Yes
fi
if [ -n "$TC_ENABLED" ];then
[ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires mangle support in your kernel and iptables"
fi
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
[ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
#
# Strip the files that we use often
#
strip_file interfaces
strip_file hosts
#
# Check out the user's shell
#
[ -n "${SHOREWALL_SHELL:=/bin/sh}" ]
temp=$(decodeaddr 192.168.1.1)
if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
fi
rm -f $TMP_DIR/physdev
rm -f $TMP_DIR/iprange
}
#
# Give Usage Information
#
usage() {
echo "Usage: $0 [debug] {start|stop|reset|restart|refresh|clear}"
exit 1
}
#
# E X E C U T I O N B E G I N S H E R E
#
#
# Start trace if first arg is "debug"
#
[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
NOLOCK=
[ $# -gt 1 ] && [ "$1" = "nolock" ] && { NOLOCK=Yes; shift ; }
trap "my_mutex_off; exit 2" 1 2 3 4 5 6 9
COMMAND="$1"
case "$COMMAND" in
stop)
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
#
# Don't want to do a 'stop' when startup is disabled
#
check_disabled_startup
progress_message3 "Stopping Shorewall..."
stop_firewall
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
my_mutex_off
;;
reset)
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
if ! shorewall_is_started ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2;
fi
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
report "Shorewall Counters Reset"
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
date > /var/lib/shorewall/restarted
my_mutex_off
;;
refresh)
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
if ! shorewall_is_started ; then
echo "Shorewall Not Started" >&2
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2;
fi
refresh_firewall;
my_mutex_off
;;
clear)
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
progress_message3 "Clearing Shorewall..."
clear_firewall
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
my_mutex_off
;;
add)
[ $# -lt 3 ] && usage
do_initialize
my_mutex_on
if ! shorewall_is_started ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2;
fi
shift
add_to_zone $@
my_mutex_off
;;
delete)
[ $# -lt 3 ] && usage
do_initialize
my_mutex_on
if ! shorewall_is_started ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2;
fi
shift
delete_from_zone $@
my_mutex_off
;;
call)
#
# Undocumented way to call functions in /usr/share/shorewall/firewall directly
#
shift
do_initialize
EMPTY=
$@
;;
*)
usage
;;
esac