extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-15 04:04:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall-1.4.6a

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@675 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-07-23 14:25:05 +00:00
parent a63d259b40
commit 00b43e6a2e
10 changed files with 3963 additions and 3684 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
STABLE/changelog.txt
View File

@ -51,3 +51,6 @@ Changes since 1.4.5
21. Support Linux 2.6 compressed modules.
22. Don't display DHCP message when there are no DHCP interface.
23. Move determine_capabilities call to do_initialize to ensure that
MANGLE_ENABLED is set before it is tested.

1457
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

102
STABLE/documentation/seattlefirewall_index.htm
View File

@ -28,8 +28,8 @@
src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0">
</a></td>
<td valign="middle" width="34%" align="center"
bgcolor="#3366ff">
<td valign="middle" width="34%"
align="center" bgcolor="#3366ff">
@ -39,8 +39,8 @@
<img
src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90">
<img src="images/Logo1.png"
alt="(Shorewall Logo)" width="430" height="90">
</div>
</td>
<td valign="middle" width="33%">
@ -90,9 +90,9 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
@ -103,8 +103,8 @@
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
@ -166,6 +166,7 @@ step by step instructions.<br>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site
will not apply directly to your setup. If you want to use the
@ -189,14 +190,25 @@ step by step instructions.<br>
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
<p><b>7/22/2003 - Shorewall-1.4.6a</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<b>Problems Corrected:</b><br>
<ol>
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf then
Shorewall would fail to start with the error "ERROR:  Traffic Control requires
Mangle"; that problem has been corrected.</li>
</ol>
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<blockquote> </blockquote>
<p><b>Problems Corrected:</b><br>
</p>
@ -226,15 +238,17 @@ in the nat table (one for each element in the list). Shorewall now correctly
are no DHCP rules to add.<br>
</li>
</ol>
<p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed
entries in the host file as follows:<br>
entries in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
@ -249,8 +263,10 @@ entries in the host file as follows:<br>
are now automatically detected by Shorewall (see below).<br>
</li>
</ol>
<p><b>New Features:</b><br>
</p>
@ -363,12 +379,12 @@ filtering in the filter table (rfc1918 chain).</li>
      iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
This command decomposes a range of IP addressses into a list of
network and host addresses. The command can be useful if you need to construct
an efficient set of rules that accept connections from a range of network
addresses.<br>
network and host addresses. The command can be useful if you need to
construct an efficient set of rules that accept connections from a range
of network addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic (ash
or dash) then the range may not span 128.0.0.0.<br>
or dash) then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
@ -397,27 +413,29 @@ or dash) then the range may not span 128.0.0.0.<br>
</li>
<li>The "shorewall check" command now includes the chain name when
printing the applicable policy for each pair of zones.<br>
 <br>
    Example:<br>
 <br>
        Policy for dmz to net is REJECT using chain all2all<br>
 <br>
This means that the policy for connections from the dmz to the internet is
REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all
 <br>
    Example:<br>
 <br>
        Policy for dmz to net is REJECT using chain all2all<br>
 <br>
This means that the policy for connections from the dmz to the internet
is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all
policy.<br>
<br>
</li>
<li>Support for the 2.6 Kernel series has been added.<br>
</li>
</ol>
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
Thanks to the folks at securityopensource.org.br, there is now a <a
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
Thanks to the folks at securityopensource.org.br, there is now a
<a href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a>.
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
@ -429,10 +447,10 @@ policy.<br>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;"
now correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the
zones file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty
second column are no longer ignored.<br>
<li>The INCLUDE directive now works properly in
the zones file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an
empty second column are no longer ignored.<br>
</li>
@ -445,10 +463,9 @@ policy.<br>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
rule may now contain a list of addresses. If the list begins with
"!' then the rule will take effect only if the original destination
address in the connection request does not match any of the addresses
listed.</li>
rule may now contain a list of addresses. If the list begins with "!'
then the rule will take effect only if the original destination address
in the connection request does not match any of the addresses listed.</li>
</ol>
@ -460,7 +477,7 @@ listed.</li>
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org).
No problems have been encountered with this set of software. The Shorewall
No problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</p>
@ -468,10 +485,12 @@ No problems have been encountered with this set of software. The Shorewall
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p>
<p><b></b></p>
@ -479,10 +498,12 @@ No problems have been encountered with this set of software. The Shorewall
</ol>
<p><a href="News.htm">More News</a></p>
@ -506,7 +527,7 @@ No problems have been encountered with this set of software. The Shorewall
<b>Congratulations to Jacques and Eric
on the recent release of Bering 1.2!!! </b><br>
on the recent release of Bering 1.2!!! </b><br>
@ -596,11 +617,10 @@ on the recent release of Bering 1.2!!! </b><br>
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2"> Shorewall is free but if
you try it and find it useful, please consider making a donation
you try it and find it useful, please consider making a donation
to
<a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a>
Thanks!</font></font></p>
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></font></p>
</td>
@ -612,8 +632,10 @@ Thanks!</font></font></p>
</table>
<p><font size="2">Updated 7/19/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 7/22/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
</p>
</body>
</html>

90
STABLE/documentation/sourceforge_index.htm
View File

@ -80,18 +80,19 @@
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program is distributed
in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without
but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.<br>
See the GNU General Public License for more
details.<br>
<br>
@ -119,8 +120,8 @@ but WITHOUT ANY WARRANTY; without
For older versions:<br>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
target="_top">here.</a></li>
<li>The 1.3 site is <a
href="http://www.shorewall.net/1.3" target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.<br>
</li>
@ -131,8 +132,8 @@ but WITHOUT ANY WARRANTY; without
New to Shorewall? Start by selecting
the <a
href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart
Guide</a> that most closely match your environment and
follow the step by step instructions.<br>
Guide</a> that most closely match your environment and follow
the step by step instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
@ -140,11 +141,11 @@ follow the step by step instructions.<br>
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site
will not apply directly to your setup. If you want to use the documentation
that you find here, you will want to consider uninstalling what you
have and installing a setup that matches the documentation on
this site. See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details.
will not apply directly to your setup. If you want to use the
documentation that you find here, you will want to consider uninstalling
what you have and installing a setup that matches the documentation
on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.
<h2></h2>
@ -154,6 +155,17 @@ this site. See the <a href="two-interface.htm">Two-interface QuickStart
<h2><b>News</b></h2>
<p><b>7/22/2003 - Shorewall-1.4.6a</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<b>Problems Corrected:</b><br>
<ol>
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf then
Shorewall would fail to start with the error "ERROR:  Traffic Control requires
Mangle"; that problem has been corrected.</li>
</ol>
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
@ -170,13 +182,13 @@ this site. See the <a href="two-interface.htm">Two-interface QuickStart
<br>
</li>
<li>Where a list of IP addresses appears in the DEST column of
a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the
nat table (one for each element in the list). Shorewall now correctly creates
a single DNAT rule with multiple "--to-destination" clauses.<br>
a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in
the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br>
<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing a
"-" were mis-handled when they appeared in the DEST column of a rule.<br>
"-" were mis-handled when they appeared in the DEST column of a rule.<br>
<br>
</li>
<li>A number of problems with rule parsing have been corrected.
@ -186,14 +198,16 @@ as lists in the ORIGINAL DESTINATION column.<br>
</li>
<li>The message "Adding rules for DHCP" is now suppressed if there
are no DHCP rules to add.</li>
</ol>
<p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed entries
in the host file as follows:<br>
<li>In earlier versions, an undocumented feature allowed
entries in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
@ -267,10 +281,11 @@ outcome:<br>
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:</li>
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will not
create chains in the mangle table but will rather do all 'norfc1918'
filtering in the filter table (rfc1918 chain).</li>
create chains in the mangle table but will rather do all 'norfc1918' filtering
in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter
rules; one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table is
@ -279,6 +294,7 @@ specified (or defaulted to) in the DNAT rule.<br>
<br>
</li>
</ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
@ -318,13 +334,13 @@ specified (or defaulted to) in the DNAT rule.<br>
<br>
      iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
This command decomposes a range of IP addressses into a list of network
and host addresses. The command can be useful if you need to construct
an efficient set of rules that accept connections from a range of network
addresses.<br>
This command decomposes a range of IP addressses into a list of
network and host addresses. The command can be useful if you need to
construct an efficient set of rules that accept connections from a range
of network addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic (ash or
dash) then the range may not span 128.0.0.0.<br>
Note: If your shell only supports 32-bit signed arithmetic (ash
or dash) then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
@ -360,7 +376,7 @@ name when printing the applicable policy for each pair of zones.<br>
 <br>
This means that the policy for connections from the dmz to the internet
is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all
policy.<br>
policy.<br>
<br>
</li>
<li>Support for the 2.6 Kernel series has been added.<br>
@ -393,7 +409,7 @@ policy.<br>
<li>The command "shorewall debug try &lt;directory&gt;"
now correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the
zones file; previously, INCLUDE in that file was ignored.</li>
zones file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty
second column are no longer ignored.<br>
</li>
@ -418,8 +434,8 @@ zones file; previously, INCLUDE in that file was ignored.</li>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b></p>
The firewall at shorewall.net has been upgraded to the 2.4.21
kernel and iptables 1.2.8 (using the "official" RPM from netfilter.org).
The firewall at shorewall.net has been upgraded to the
2.4.21 kernel and iptables 1.2.8 (using the "official" RPM from netfilter.org).
No problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5.
@ -470,6 +486,7 @@ zones file; previously, INCLUDE in that file was ignored.</li>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b>
@ -569,8 +586,8 @@ zones file; previously, INCLUDE in that file was ignored.</li>
type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input
type="hidden" name="exclude"
<font face="Arial">
<input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font>
</form>
@ -606,7 +623,8 @@ zones file; previously, INCLUDE in that file was ignored.</li>
<tr>
<td width="100%" style="margin-top: 1px;">
<td width="100%"
style="margin-top: 1px;">
@ -625,7 +643,7 @@ zones file; previously, INCLUDE in that file was ignored.</li>
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2">Shorewall is free but if you
try it and find it useful, please consider making a donation
try it and find it useful, please consider making a donation
to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></font></p>
@ -640,7 +658,7 @@ try it and find it useful, please consider making a donation
</table>
<p><font size="2">Updated 7/19/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 7/22/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</body>

2
STABLE/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.6
VERSION=1.4.6a
usage() # $1 = exit status
{

366
STABLE/firewall
View File

@ -233,8 +233,7 @@ createchain() # $1 = chain name, $2 = If "yes", create default rules
run_iptables -N $1
if [ $2 = yes ]; then
state="ESTABLISHED,RELATED"
run_iptables -A $1 -m state --state $state -j ACCEPT
run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
[ -z "$NEWNOTSYN" ] && \
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
fi
@ -495,10 +494,17 @@ first_chains() #$1 = interface
#
find_hosts() # $1 = host zone
{
local hosts
local hosts interface address addresses
while read z hosts options; do
[ "x`expand $z`" = "x$1" ] && expandv hosts && echo `separate_list $hosts`
if [ "x`expand $z`" = "x$1" ]; then
expandv hosts
interface=${hosts%:*}
addresses=${hosts#*:}
for address in `separate_list $addresses`; do
echo $interface:$address
done
fi
done < $TMP_DIR/hosts
}
@ -608,7 +614,7 @@ validate_interfaces_file() {
for option in $options; do
case $option in
dhcp|norfc1918|tcpflags)
dhcp|norfc1918|tcpflags|newnotsyn)
;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
;;
@ -636,18 +642,20 @@ validate_hosts_file() {
r="$z $hosts $options"
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
for host in `separate_list $hosts`; do
interface=${host%:*}
interface=${hosts%:*}
list_search $interface $all_interfaces || \
startup_error "Unknown interface ($interface) in record \"$r\""
hosts=${hosts#*:}
for host in `separate_list $hosts`; do
for option in `separate_list $options`; do
case $option in
maclist|-)
;;
routeback)
eval ${z}_routeback=\"$host \$${z}_routeback\"
eval ${z}_routeback=\"$interface:$host \$${z}_routeback\"
;;
*)
error_message "Warning: Invalid option ($option) in record \"$r\""
@ -689,7 +697,7 @@ validate_policy()
[ $1 = $2 ] || \
[ $1 = all ] || \
[ $2 = all ] || \
echo " Policy for $1 to $2 is $policy"
echo " Policy for $1 to $2 is $policy using chain $chain"
}
all_policy_chains=
@ -832,6 +840,15 @@ find_interface_address() # $1 = interface
echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
}
#
# Find interface addresses--returns the set of addresses assigned to the passed
# device
#
find_interface_addresses() # $1 = interface
{
ip addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
}
#
# Find interfaces that have the passed option specified
#
@ -848,10 +865,18 @@ find_interfaces_by_option() # $1 = option
#
find_hosts_by_option() # $1 = option
{
local ignore hosts interface address addresses options
while read ignore hosts options; do
expandv options
list_search $1 `separate_list $options` && \
echo `expand $hosts`
if list_search $1 `separate_list $options`; then
expandv hosts
interface=${hosts%:*}
addresses=${hosts#*:}
for address in `separate_list $addresses`; do
echo $interface:$address
done
fi
done < $TMP_DIR/hosts
for interface in $all_interfaces; do
@ -1685,14 +1710,16 @@ check_config() {
disclaimer() {
echo
echo "WARNING: THE 'check' COMMAND IS TOTALLY UNSUPPORTED AND PROBLEM"
echo " REPORTS COMPLAINING ABOUT ERRORS THAT IT DIDN'T CATCH"
echo " WILL NOT BE ACCEPTED"
echo "Notice: The 'check' command is unsupported and problem"
echo " reports complaining about errors that it didn't catch"
echo " will not be accepted"
echo
}
disclaimer
report_capabilities
echo "Verifying Configuration..."
verify_os_version
@ -1839,7 +1866,11 @@ add_nat_rule() {
if [ -n "$serv" ]; then
servport="${servport:+:$servport}"
target1="DNAT --to-destination ${serv}${servport}"
serv1=
for srv in `separate_list $serv`; do
serv1="$serv1 --to-destination ${srv}${servport}"
done
target1="DNAT $serv1"
else
target1="REDIRECT --to-port $servport"
fi
@ -1856,7 +1887,10 @@ add_nat_rule() {
chain=nonat${nonat_seq}
nonat_seq=$(($nonat_seq + 1))
createnatchain $chain
run_iptables -t nat -A OUTPUT $cli $proto $multiport $sports $dports -j $chain
for adr in `separate_list $addr`; do
run_iptables2 -t nat -A OUTPUT $cli $proto $multiport $sports $dports -d $adr -j $chain
done
for adr in $excludedests; do
addnatrule $chain -d $adr -j RETURN
@ -1866,11 +1900,15 @@ add_nat_rule() {
log_rule $loglevel $chain $logtarget -t nat
fi
addnatrule $chain $proto -j $target1
addnatrule $chain $proto -j $target1 # Protocol is necessary for port redirection
else
for adr in `separate_list $addr`; do
run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr \
$multiport $dports -j $target1
if [ -n "$loglevel" ]; then
log_rule $loglevel $OUTPUT $logtarget -t nat \
`fix_bang $proto $cli $sports -d $adr $multiport $dports`
fi
run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr $multiport $dports -j $target1
done
fi
else
@ -1880,13 +1918,15 @@ add_nat_rule() {
chain=nonat${nonat_seq}
nonat_seq=$(($nonat_seq + 1))
createnatchain $chain
addnatrule `dnat_chain $source` $cli $proto $multiport $sports $dports -j $chain
for adr in `separate_list $addr`; do
addnatrule `dnat_chain $source` $cli $proto $multiport $sports $dports -d $adr -j $chain
done
for z in $excludezones; do
eval hosts=\$${z}_hosts
for host in $hosts; do
for adr in `separate_list $addr`; do
addnatrule $chain -s ${host#*:} -d $adr -j RETURN
done
addnatrule $chain -s ${host#*:} -j RETURN
done
done
@ -1894,13 +1934,11 @@ add_nat_rule() {
addnatrule $chain -d $adr -j RETURN
done
for adr in `separate_list $addr`; do
if [ -n "$loglevel" ]; then
log_rule $loglevel $chain $logtarget -t nat -d `fix_bang $adr`
log_rule $loglevel $chain $logtarget -t nat
fi
addnatrule $chain $proto -d $adr -j $target1
done
addnatrule $chain $proto -j $target1 # Protocol is necessary for port redirection
else
for adr in `separate_list $addr`; do
if [ -n "$loglevel" ]; then
@ -1943,6 +1981,8 @@ add_nat_rule() {
done
fi
fi
[ "x$addr" = "x0.0.0.0/0" ] && addr=
}
#
@ -2015,9 +2055,12 @@ add_a_rule()
servport=$serverport
multiport=
[ x$port = x- ] && port=
[ x$cport = x- ] && cport=
case $proto in
tcp|udp|TCP|UDP|6|17)
if [ -n "$port" -a "x${port}" != "x-" ]; then
if [ -n "$port" ]; then
dports="--dport"
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
multiport="$multioption"
@ -2026,7 +2069,7 @@ add_a_rule()
dports="$dports $port"
fi
if [ -n "$cport" -a "x${cport}" != "x-" ]; then
if [ -n "$cport" ]; then
sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
multiport="$multioption"
@ -2036,18 +2079,17 @@ add_a_rule()
fi
;;
icmp|ICMP|1)
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
dports="--icmp-type $port"
[ -n "$port" ] && dports="--icmp-type $port"
state=
;;
all|ALL)
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
fatal_error "Port number not allowed with \"all\"; rule: \"$rule\""
[ -n "$port" ] && \
fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
proto=
;;
*)
state=
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
[ -n "$port" ] && \
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
;;
esac
@ -2098,15 +2140,39 @@ add_a_rule()
fi
if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
serv="${serv:+-d $serv}"
if [ -n "$serv" ]; then
for serv1 in `separate_list $serv`; do
for srv in `ip_range $serv1`; do
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in `separate_list $addr`; do
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule $loglevel $chain $logtarget \
`fix_bang $proto $sports $multiport $state $cli $serv $dports`
log_rule $loglevel $chain $logtarget -m conntrack --ctorigdst $adr \
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
fi
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
$serv $dports -j $target
-d $srv $dports -m conntrack --ctorigdst $adr -j $target
done
else
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule $loglevel $chain $logtarget \
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
fi
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
-d $srv $dports -j $target
fi
done
done
else
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule $loglevel $chain $logtarget \
`fix_bang $proto $sports $multiport $state $cli $dports`
fi
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
$dports -j $target
fi
fi
fi
else
@ -2293,6 +2359,45 @@ process_rule() # $1 = target
# Generate Netfilter rule(s)
case $logtarget in
DNAT*)
if [ -n "$MULTIPORT" -a \
"$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
`list_count $ports` -le 15 -a \
`list_count $cports` -le 15 ]
then
#
# MULTIPORT is enabled, there are no port ranges in the rule and less than
# 16 ports are listed - use multiport match.
#
multioption="-m multiport"
for client in `separate_list ${clients:=-}`; do
#
# add_a_rule() modifies these so we must set their values each time
#
server=${servers:=-}
port=${ports:=-}
cport=${cports:=-}
add_a_rule
done
else
#
# MULTIPORT is disabled or the rule isn't compatible with multiport match
#
multioption=
for client in `separate_list ${clients:=-}`; do
for port in `separate_list ${ports:=-}`; do
for cport in `separate_list ${cports:=-}`; do
server=${servers:=-}
add_a_rule
done
done
done
fi
;;
*)
if [ -n "$MULTIPORT" -a \
"$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
@ -2329,6 +2434,8 @@ process_rule() # $1 = target
done
done
fi
;;
esac
#
# Report Result
#
@ -2360,7 +2467,7 @@ process_rules() # $1 = name of rules file
while read xtarget xclients xservers xprotocol xports xcports xaddress; do
case "${xtarget%:*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE)
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE)
expandv xclients xservers xprotocol xports xcports xaddress
if [ "x$xclients" = xall ]; then
@ -2382,7 +2489,7 @@ process_rules() # $1 = name of rules file
;;
*)
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`"
fatal_error "Invalid Target in rule \"$rule\""
fatal_error "Invalid Action in rule \"$rule\""
;;
esac
@ -2582,24 +2689,19 @@ loadmodule() # $1 = module name, $2 - * arguments
{
local modulename=$1
local modulefile
local suffix
if [ -z "`lsmod | grep $modulename`" ]; then
shift
modulefile=$MODULESDIR/${modulename}.o
for suffix in o gz ko ; do
modulefile=$MODULESDIR/${modulename}.${suffix}
if [ -f $modulefile ]; then
insmod $modulefile $*
return
fi
#
# If the modules directory contains compressed modules then we'll
# assume that insmod can load them
#
modulefile=${modulefile}.gz
if [ -f $modulefile ]; then
insmod $modulefile $*
fi
done
fi
}
@ -2900,8 +3002,16 @@ setup_masq()
esac
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
list_search $address $aliases_to_add || \
aliases_to_add="$aliases_to_add $address $fullinterface"
for addr in `ip_range $address` ; do
if ! list_search $addr $aliases_to_add; then
aliases_to_add="$aliases_to_add $addr $fullinterface"
case $fullinterface in
*:*)
fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 ))
;;
esac
fi
done
fi
destination=$destnet
@ -3118,7 +3228,7 @@ verify_os_version() {
osversion=`uname -r`
case $osversion in
2.4.*|2.5.*)
2.4.*|2.5.*|2.6.*)
;;
*)
startup_error "Shorewall version $version does not work with kernel version $osversion"
@ -3134,35 +3244,30 @@ verify_os_version() {
#
add_ip_aliases()
{
local external
local interface
local primary
local addresses external interface inet cidr rest val
do_one()
address_details()
{
#
# Folks feel uneasy if they don't see all of the same
# decoration on these IP addresses that they see when their
# distro's net config tool adds them. In an attempt to reduce
# the anxiety level, we have the following code which sets
# the VLSM and BRD from the primary address
# the VLSM and BRD from an existing address in the same subnet
#
# Get all of the lines that contain inet addresses with broadcast
# Get all of the lines that contain inet addresses
#
val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null
if [ -n "$val" ] ; then
#
# Hack off the leading 'inet <ip addr>' (actually cut off the
# "/" as well but add it back in).
#
val="/${val#*/}"
#
# Now get the VLSM, "brd" and the broadcast address
#
val=${val%% scope*}
ip addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do
if in_subnet $external $cidr; then
echo "/${cidr#*/} brd `broadcastaddress $cidr`"
break
fi
done
}
do_one()
{
val=`address_details`
run_ip addr add ${external}${val} dev $interface $label
echo "$external $interface" >> ${STATEDIR}/nat
[ -n "$label" ] && label="with $label"
@ -3182,9 +3287,9 @@ add_ip_aliases()
label="label $interface:$label"
fi
primary=`find_interface_address $interface`
shift;shift
[ "x${primary}" = "x${external}" ] || do_one
list_search $external `find_interface_addresses $interface` || do_one
done
}
@ -3207,10 +3312,46 @@ load_kernel_modules() {
# Verify that the 'ip' program is installed
verify_ip() {
qt which ip ||\
qt ip link ls ||\
startup_error "Shorewall $version requires the iproute package ('ip' utility)"
}
#
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
qt iptables -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH=
MULTIPORT=
if qt iptables -N fooX1234 ; then
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt iptables -F fooX1234
qt iptables -X fooX1234
fi
}
report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
{
local setting=
[ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available"
echo " " $@: $setting
}
report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability $NAT_ENABLED "NAT"
report_capability $MANGLE_ENABLED "Packet Mangling"
report_capability $MULTIPORT "Multi-port Match"
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
}
#
# Perform Initialization
# - Delete all old rules
@ -3221,6 +3362,8 @@ verify_ip() {
#
initialize_netfilter () {
report_capabilities
echo "Determining Zones..."
determine_zones
@ -3307,7 +3450,16 @@ initialize_netfilter () {
if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no
for interface in `find_interfaces_by_option newnotsyn`; do
run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags FIN FIN -j ACCEPT
run_iptables -A newnotsyn -i $interface -j RETURN
done
run_user_exit newnotsyn
if [ -n "$LOGNEWNOTSYN" ]; then
log_rule $LOGNEWNOTSYN newnotsyn DROP
fi
@ -3334,7 +3486,7 @@ initialize_netfilter () {
done < /var/lib/shorewall/save
fi
echo "Creating input Chains..."
echo "Creating Interface Chains..."
for interface in $all_interfaces; do
createchain `forward_chain $interface` no
@ -3369,6 +3521,7 @@ build_common_chain() {
if [ -n "$NEWNOTSYN" ]; then
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A common -p tcp --tcp-flags FIN FIN -j ACCEPT
fi
#
# BROADCASTS
@ -3462,13 +3615,17 @@ add_common_rules() {
#
# DHCP
#
interfaces=`find_interfaces_by_option dhcp`
if [ -n "$interfaces" ]; then
echo "Adding rules for DHCP"
for interface in `find_interfaces_by_option dhcp`; do
for interface in $interfaces; do
run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
done
fi
#
# RFC 1918
#
@ -3487,11 +3644,12 @@ add_common_rules() {
run_iptables -A logdrop -j DROP
if [ -n "$MANGLE_ENABLED" ]; then
if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
#
# Mangling is enabled -- create a chain in the mangle table to
# filter RFC1918 destination addresses. This must be done in the
# mangle table before we apply any DNAT rules in the nat table
# Mangling is enabled but conntrack match isn't available --
# create a chain in the mangle table to filter RFC1918 destination
# addresses. This must be done in the mangle table before we apply
# any DNAT rules in the nat table
#
# Also add a chain to log and drop any RFC1918 packets that we find
#
@ -3511,11 +3669,17 @@ add_common_rules() {
esac
run_iptables2 -A rfc1918 -s $subnet -j $target
if [ -n "$CONNTRACK_MATCH" ]; then
#
# If packet mangling is enabled, trap packets with an
# RFC1918 destination
# We have connection tracking match -- match on the original destination
#
run_iptables2 -A rfc1918 -m conntrack --ctorigdst $subnet -j $target
elif [ -n "$MANGLE_ENABLED" ]; then
#
# No connection tracking match but we have mangling -- add a rule to
# the mangle table
#
if [ -n "$MANGLE_ENABLED" ]; then
run_iptables2 -t mangle -A man1918 -d $subnet -j $target
fi
done < $TMP_DIR/rfc1918
@ -3525,7 +3689,7 @@ add_common_rules() {
run_iptables -A $chain -m state --state NEW -j rfc1918
done
[ -n "$MANGLE_ENABLED" ] && \
[ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918
done
@ -4366,6 +4530,7 @@ added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
# Initialize this program
#
do_initialize() {
# Run all utility programs using the C locale
#
# Thanks to Vincent Planchenault for this tip #
@ -4388,8 +4553,6 @@ do_initialize() {
LOGRATE=
LOGBURST=
LOGPARMS=
NAT_ENABLED=
MANGLE_ENABLED=
ADD_IP_ALIASES=
ADD_SNAT_ALIASES=
TC_ENABLED=
@ -4399,7 +4562,6 @@ do_initialize() {
CLAMPMSS=
ROUTE_FILTER=
NAT_BEFORE_RULES=
MULTIPORT=
DETECT_DNAT_IPADDRS=
MUTEX_TIMEOUT=
NEWNOTSYN=
@ -4433,6 +4595,7 @@ do_initialize() {
FUNCTIONS=$SHARED_DIR/functions
if [ -f $FUNCTIONS ]; then
echo "Loading $FUNCTIONS..."
. $FUNCTIONS
else
startup_error "$FUNCTIONS does not exist!"
@ -4453,6 +4616,10 @@ do_initialize() {
echo "$config does not exist!" >&2
exit 2
fi
#
# Determine the capabilities of the installed iptables/netfilter
#
determine_capabilities
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
@ -4463,8 +4630,6 @@ do_initialize() {
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
[ -n "$ALLOWRELATED" ] || \
startup_error "ALLOWRELATED=No is not supported"
NAT_ENABLED="`added_param_value_yes NAT_ENABLED $NAT_ENABLED`"
MANGLE_ENABLED="`added_param_value_yes MANGLE_ENABLED $MANGLE_ENABLED`"
ADD_IP_ALIASES="`added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES`"
TC_ENABLED="`added_param_value_yes TC_ENABLED $TC_ENABLED`"
@ -4496,7 +4661,6 @@ do_initialize() {
ADD_SNAT_ALIASES=`added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES`
ROUTE_FILTER=`added_param_value_no ROUTE_FILTER $ROUTE_FILTER`
NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES`
MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
[ -n "$FORWARDPING" ] && \
@ -4567,6 +4731,15 @@ do_initialize() {
#
strip_file interfaces
strip_file hosts
#
# Check out the user's shell
#
[ -n "$SHOREWALL_SHELL" ] || SHOREWALL_SHELL=/bin/sh
temp=`decodeaddr 192.168.1.1`
if [ `encodeaddr $temp` != 192.168.1.1 ]; then
startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
fi
}
#
@ -4719,6 +4892,15 @@ case "$command" in
my_mutex_off
;;
call)
#
# Undocumented way to call functions in /usr/share/shorewall/firewall directly
#
shift;
do_initialize
EMPTY=
$@
;;
*)
usage
;;

2
STABLE/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.6
VERSION=1.4.6a
usage() # $1 = exit status
{

3
STABLE/releasenotes.txt
View File

@ -20,6 +20,9 @@ Problems Corrected:
5) The message "Adding rules for DHCP" is now suppressed if there are
no DHCP rules to add.
6) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was
being tested before it was set.
Migration Issues:
1) In earlier versions, an undocumented feature allowed entries in

4
STABLE/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 1.4.6
%define version 1.4.6a
%define release 1
%define prefix /usr
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Tue Jul 22 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6a-1
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-1
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>

2
STABLE/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.6
VERSION=1.4.6a
usage() # $1 = exit status
{