Update for Shorewall 2.2.0 Beta 5

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1767 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-11-26 18:53:04 +00:00
parent fa89a86f71
commit 01cded414d
14 changed files with 185 additions and 103 deletions


@ -247,6 +247,15 @@ LOG_MARTIANS=No
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
#
# IPTABLES
#
# Full path to iptables executable Shorewall uses to build the firewall. If
# not specified or if specified with an empty value (e.g., IPTABLES="") then
# the iptables executable located via the PATH setting below is used.
#
IPTABLES=
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.


@ -115,7 +115,7 @@
# In that case, it is suggested that this field contain
# "-"
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# SOURCE PORT(S) (Optional) Source port(s). If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.


@ -192,6 +192,19 @@ get_config() {
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
if [ -n "$IPTABLES" ]; then
if [ ! -e "$IPTABLES" ]; then
echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
exit 2
fi
else
IPTABLES=$(which iptables 2> /dev/null)
if [ -z "$IPTABLES" ] ; then
echo " ERROR: Can't find iptables executable" >&2
exit 2
fi
fi
if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -e "$SHOREWALL_SHELL" ]; then
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
@ -223,7 +236,7 @@ display_chains()
TMPFILE=$(mktempfile)
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
iptables -L $IPT_OPTIONS >> $TMPFILE
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
clear
echo "$banner $(date)"
@ -306,7 +319,7 @@ display_chains()
qt rm -f $TMPFILE
else
iptables -L -n -v
$IPTABLES -L -n -v
timed_read
fi
trap - 1 2 3 4 5 6 9
@ -407,7 +420,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
get_config
host=$(echo $HOSTNAME | sed 's/\..*$//')
oldrejects=$(iptables -L -v -n | grep 'LOG')
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then
let "timeout=- $1"
@ -440,7 +453,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
show_reset
rejects=$(iptables -L -v -n | grep 'LOG')
rejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
@ -467,7 +480,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
echo
echo "NAT Status"
echo
iptables -t nat -L $IPT_OPTIONS
$IPTABLES -t nat -L $IPT_OPTIONS
timed_read
clear
@ -476,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
echo
echo "TOS/MARK Status"
echo
iptables -t mangle -L $IPT_OPTIONS
$IPTABLES -t mangle -L $IPT_OPTIONS
timed_read
clear
@ -517,7 +530,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
get_config
host=$(echo $HOSTNAME | sed 's/\..*$//')
oldrejects=$(iptables -L -v -n | grep 'LOG')
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then
timeout=$((- $1))
@ -539,7 +552,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
show_reset
rejects=$(iptables -L -v -n | grep 'LOG')
rejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
@ -876,14 +889,14 @@ case "$1" in
echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
echo
show_reset
iptables -t nat -L $IPT_OPTIONS
$IPTABLES -t nat -L $IPT_OPTIONS
;;
tos|mangle)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
echo
show_reset
iptables -t mangle -L $IPT_OPTIONS
$IPTABLES -t mangle -L $IPT_OPTIONS
;;
log)
[ $# -gt 2 ] && usage 1
@ -914,10 +927,10 @@ case "$1" in
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
iptables -L $chain $IPT_OPTIONS
$IPTABLES -L $chain $IPT_OPTIONS
done
else
iptables -L $IPT_OPTIONS
$IPTABLES -L $IPT_OPTIONS
fi
;;
esac
@ -941,17 +954,17 @@ case "$1" in
echo
show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//')
iptables -L $IPT_OPTIONS
$IPTABLES -L $IPT_OPTIONS
echo
packet_log 20
echo
echo "NAT Table"
echo
iptables -t nat -L $IPT_OPTIONS
$IPTABLES -t nat -L $IPT_OPTIONS
echo
echo "Mangle Table"
echo
iptables -t mangle -L $IPT_OPTIONS
$IPTABLES -t mangle -L $IPT_OPTIONS
echo
cat /proc/net/ip_conntrack
echo
@ -971,6 +984,7 @@ case "$1" in
echo
show_proc /proc/sys/net/ipv4/ip_forward
show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all
for directory in /proc/sys/net/ipv4/conf/*; do
for file in proxy_arp arp_filter rp_filter log_martians; do
@ -1041,10 +1055,10 @@ case "$1" in
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
[ $# -lt 2 -o $# -gt 3 ] && usage 1
if ! $0 $debugging -c $2 restart; then
if ! iptables -L shorewall > /dev/null 2> /dev/null; then
if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
$0 start
fi
elif ! iptables -L shorewall > /dev/null 2> /dev/null; then
elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
$0 start
elif [ $# -eq 3 ]; then
sleep $3
@ -1067,9 +1081,9 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
qt iptables -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j DROP || break 1
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
$IPTABLES -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped"
done
mutex_off
@ -1080,9 +1094,9 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
qt iptables -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j reject || break 1
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
$IPTABLES -A dynamic -s $1 -j reject || break 1
echo "$1 Rejected"
done
mutex_off
@ -1093,7 +1107,7 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
@ -1122,7 +1136,7 @@ case "$1" in
mutex_on
if qt iptables -L shorewall -n; then
if qt $IPTABLES -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
@ -1133,7 +1147,7 @@ case "$1" in
echo " ERROR: Reserved file name: $RESTOREFILE"
;;
*)
if iptables -L dynamic -n > /var/lib/shorewall/save; then
if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
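Review bot: The new IPTABLES check in get_config only tests existence (`if [ ! -e "$IPTABLES" ]; then`) while the message it prints says the program "does not exist or is not executable", so a directory or a non-executable file passes the check and the later `$IPTABLES -L` calls fail with a far less helpful error; `if [ ! -x "$IPTABLES" ]; then` matches the message and catches that case. The same `-e` test is used in the firewall script's do_initialize hunk (`[ -e "$IPTABLES" ] || startup_error ...`). Because a relative value is tested against the current directory rather than the PATH that shorewall.conf documents, the check could additionally reject anything not starting with `/`. The `which iptables` fallback could be `command -v iptables`, which is a builtin and prints nothing on failure on every shell; `which` output on a miss varies by platform. The remainder of get_config lies outside the hunk.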


@ -156,9 +156,9 @@ run_iptables() {
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
if ! iptables $@ ; then
if ! $IPTABLES $@ ; then
if [ -z "$stopping" ]; then
error_message "ERROR: Command \"iptables $@\" Failed"
error_message "ERROR: Command \"$IPTABLES $@\" Failed"
stop_firewall
exit 2
fi
@ -234,7 +234,7 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
{
local c=$(chain_base $1)
if iptables -N $1; then
if $IPTABLES -N $1; then
if [ $2 = yes ]; then
run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
@ -265,7 +265,7 @@ havechain() # $1 = name of chain
#
chain_exists() # $1 = chain name
{
qt iptables -L $1 -n
qt $IPTABLES -L $1 -n
}
#
@ -273,7 +273,7 @@ chain_exists() # $1 = chain name
#
mangle_chain_exists() # $1 = chain name
{
qt iptables -t mangle -L $1 -n
qt $IPTABLES -t mangle -L $1 -n
}
#
@ -351,7 +351,7 @@ addnatrule() # $1 = chain name, remainder of arguments specify the rule
#
deletechain() # $1 = name of chain
{
qt iptables -L $1 -n && qt iptables -F $1 && qt iptables -X $1
qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
}
#
@ -1292,10 +1292,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
case $level in
ULOG)
iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
;;
*)
iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
;;
esac
@ -1462,7 +1462,7 @@ stop_firewall() {
else
routeback=Yes
for h in $(separate_list $host); do
iptables -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
$IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
done
fi
;;
@ -1478,27 +1478,27 @@ stop_firewall() {
for host in $hosts; do
interface=${host%:*}
networks=${host#*:}
iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
$IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
for host1 in $hosts; do
[ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
[ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
done
done
iptables -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
iptables -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
for interface in $(find_interfaces_by_option dhcp); do
iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
$IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
#
# This might be a bridge
#
iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
done
case "$IP_FORWARDING" in
@ -2700,7 +2700,7 @@ process_accounting_rule() {
ensurechain1 $chain
if iptables -A $chain $(fix_bang $rule) ; then
if $IPTABLES -A $chain $(fix_bang $rule) ; then
[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport $user Added
else
@ -5303,7 +5303,7 @@ refresh_blacklist() {
local f=$(find_file blacklist)
local disposition=$BLACKLIST_DISPOSITION
if qt iptables -L blacklst -n ; then
if qt $IPTABLES -L blacklst -n ; then
echo "Loading Black List..."
strip_file blacklist $f
@ -5456,8 +5456,8 @@ verify_ip() {
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
qt iptables -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH=
MULTIPORT=
@ -5465,20 +5465,20 @@ determine_capabilities() {
PHYSDEV_MATCH=
IPRANGE_MATCH=
if qt iptables -N fooX1234 ; then
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt iptables -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
if qt $IPTABLES -N fooX1234 ; then
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
if [ -n "$PKTTYPE" ]; then
qt iptables -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
fi
qt iptables -F fooX1234
qt iptables -X fooX1234
qt $IPTABLES -F fooX1234
qt $IPTABLES -X fooX1234
fi
}
@ -5706,8 +5706,8 @@ add_common_rules() {
# Reject Rules -- Don't respond to broadcasts with an ICMP
#
if [ -n "$PKTTYPE" ]; then
qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
qt $IPTABLES -A reject -m pkttype --pkt-type broadcast -j DROP
if ! qt $IPTABLES -A reject -m pkttype --pkt-type multicast -j DROP; then
#
# No pkttype support -- do it the hard way
#
@ -5728,8 +5728,8 @@ add_common_rules() {
#
# Not all versions of iptables support these so don't complain if they don't work
#
qt iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
if ! qt iptables -A reject -j REJECT --reject-with icmp-host-prohibited; then
qt $IPTABLES -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
if ! qt $IPTABLES -A reject -j REJECT --reject-with icmp-host-prohibited; then
#
# In case the above doesn't work
#
@ -5792,7 +5792,7 @@ add_common_rules() {
if [ -n "$BRIDGING" ]; then
eval is_bridge=\$$(chain_base $interface)_ports
[ -n "$is_bridge" ] && \
iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT
$IPTABLES -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT
fi
run_iptables -A $(input_chain $interface) -p udp --dport 67:68 $policyin -j ACCEPT
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 $policyout -j ACCEPT
@ -6617,12 +6617,12 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
nat_chain_exists() # $1 = chain name
{
qt iptables -t nat -L $1 -n
qt $IPTABLES -t nat -L $1 -n
}
do_iptables() # $@ = command
{
if ! iptables $@ ; then
if ! $IPTABLES $@ ; then
startup_error "Can't add $1 to zone $2"
fi
}
@ -6878,14 +6878,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
#
# Delete any nat table entries for the host(s)
#
qt iptables -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
qt $IPTABLES -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
#
# Delete rules rules the input chains for the passed interface
#
while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then
qt iptables -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
qt $IPTABLES -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
else
source_chain=$(dynamic_fwd $interface)
eval dest_hosts=\"\$${z2}_hosts\"
@ -6895,13 +6895,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt iptables -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
qt $IPTABLES -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
fi
done
fi
elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then
qt iptables -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
qt $IPTABLES -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
else
eval source_hosts=\"\$${z1}_hosts\"
@ -6910,7 +6910,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
qt $IPTABLES -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
fi
done
fi
@ -6988,6 +6988,7 @@ do_initialize() {
# Clear all configuration variables
#
version=
IPTABLES=
FW=
SUBSYSLOCK=
STATEDIR=
@ -7102,6 +7103,14 @@ do_initialize() {
[ -d $STATEDIR ] || mkdir -p $STATEDIR
if [ -z "$IPTABLES" ]; then
IPTABLES=$(which iptables 2> /dev/null)
[ -z "$IPTABLES" ] && startup_error "Can't find iptables executable"
else
[ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
fi
[ -z "$FW" ] && FW=fw
ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
@ -7283,7 +7292,7 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
if qt iptables -L shorewall -n ; then
if qt $IPTABLES -L shorewall -n ; then
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
echo "Shorewall Already Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
@ -7298,7 +7307,7 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
if qt iptables -L shorewall -n ; then
if qt $IPTABLES -L shorewall -n ; then
define_firewall "Restart"
else
echo "Shorewall Not Currently Running"
@ -7313,22 +7322,22 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo
iptables -L -n -v
$IPTABLES -L -n -v
;;
reset)
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
if ! qt iptables -L shorewall -n ; then
if ! qt $IPTABLES -L shorewall -n ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2;
fi
iptables -Z
iptables -t nat -Z
iptables -t mangle -Z
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
report "Shorewall Counters Reset"
date > $STATEDIR/restarted
my_mutex_off
@ -7338,7 +7347,7 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
if ! qt iptables -L shorewall -n ; then
if ! qt $IPTABLES -L shorewall -n ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
@ -7369,7 +7378,7 @@ case "$COMMAND" in
[ $# -ne 3 ] && usage
do_initialize
my_mutex_on
if ! qt iptables -L shorewall -n ; then
if ! qt $IPTABLES -L shorewall -n ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
@ -7383,7 +7392,7 @@ case "$COMMAND" in
[ $# -ne 3 ] && usage
do_initialize
my_mutex_on
if ! qt iptables -L shorewall -n ; then
if ! qt $IPTABLES -L shorewall -n ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
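Review bot: The status arm of the COMMAND case now runs `$IPTABLES -L -n -v`, but unlike the restart, reset and refresh arms in the neighbouring hunks it does not call do_initialize first, and do_initialize is where this commit clears IPTABLES and then fills it from the configuration or from `which`. Unless the caller already exports IPTABLES into this script's environment (not visible here), the variable is empty in that arm and the shell tries to run `-L` as a command, so status breaks where the old hard-coded `iptables` worked. Either add `do_initialize` after the `[ $# -ne 1 ] && usage` line of that arm, or use `${IPTABLES:-iptables} -L -n -v` there. The enclosing case statement starts and ends outside the hunk.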


@ -1 +1 @@
2.2.0-Beta4
2.2.0-Beta5


@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-11-18</pubdate>
<pubdate>2004-11-26</pubdate>
<copyright>
<year>2001-2004</year>
@ -1245,7 +1245,7 @@ loc loc REJECT info</programlisting>
<para>UNLESS the user defines the zone badly so that intra-zone rules
are required. In that case, Shorewall will not try to guess what the
user's intentions are and will treat traffic within the affected zone(s)
just like any other traffic. </para>
just like any other traffic.</para>
<para>Any time that you have multiple interfaces associated with a
single zone, you should ask yourself if you really want traffic routed
@ -2771,6 +2771,17 @@ eth0 eth1 206.124.146.176</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPTABLES</term>
<listitem>
<para>(Added at version 2.2.0) — This parameter names the iptables
executable to be used by Shorewall. If not specified or if specified
as a null value, then the iptables executable located usint the PATH
option is used.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>LOGFORMAT</term>
@ -2938,6 +2949,22 @@ eth0 eth1 206.124.146.176</programlisting>
<para>If you have a HA setup with failover to another firewall, you
should have NEWNOTSYN=Yes on both firewalls. You should also select
NEWNOTSYN=Yes if you have asymmetric routing.</para>
<note>
<para>I find that NEWNOTSYN=No tends to result in lots of "stuck"
connections because any network timeout during TCP session tear
down results in retries being dropped (Netfilter has removed the
connection from the conntrack table but the end-points haven't
completed shutting down the connection). I therefore have chosen
NEWNOTSYN=Yes as the default value and I advise caution in using
NEWNOTSYN=Yes.</para>
<para>If you are looking for a way to defeat "stealth TCP scans"
then I recommend the <emphasis role="bold">tcpflags</emphasis>
interface option in <link
linkend="Interfaces">/etc/shorewall/interfaces</link> rather than
NEWNOTSYN=No.</para>
</note>
</listitem>
</varlistentry>
@ -2953,9 +2980,9 @@ eth0 eth1 206.124.146.176</programlisting>
LOGNEWNOTSYN=ULOG|</para>
<note>
<para>Packets logged under this option are usually the result of
broken remote IP stacks rather than the result of any sort of
attempt to breach your firewall.</para>
<para>Packets logged under this option are usually the result of a
"stuck" connection rather than as the result of an attempt to
breach your firewall.</para>
</note>
</listitem>
</varlistentry>
@ -3992,4 +4019,4 @@ eth1 -</programlisting>
</revision>
</revhistory></para>
</appendix>
</article>
</article>


@ -17,7 +17,7 @@
</author>
</authorgroup>
<pubdate>2004-11-18</pubdate>
<pubdate>2004-11-24</pubdate>
<copyright>
<year>2001-2004</year>
@ -1105,7 +1105,10 @@ LOGBURST=""</programlisting>
to report problems back to the sender of a packet; this is what is
happening here. Unfortunately, where NAT is involved (including SNAT,
DNAT and Masquerade), there are a lot of broken implementations. That is
what you are seeing with these messages.</para>
what you are seeing with these messages. When Netfilter displays these
messages, the part before the "[" describes the ICMP packet and the part
between the "[" and "]" describes the packet for which the ICMP is a
response.</para>
<para>Here is my interpretation of what is happening -- to confirm this
analysis, one would have to have packet sniffers placed a both ends of


@ -308,11 +308,11 @@ $EXT_IF $OMAK
my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to
/etc/shorewall/rfc1918 and changed it as follows:</para>
<programlisting>#SUBNET TARGET
<emphasis role="bold">192.168.1.1 RETURN</emphasis>
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918
<programlisting>#SUBNET TARGET
<emphasis role="bold">192.168.1.1 RETURN</emphasis>
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</blockquote>


@ -97,8 +97,8 @@
</listitem>
<listitem>
<para> If shorewall.conf is upgraded to the latest version, it needs
to be modified to set STARTUP_ENABLED=Yes.</para>
<para>If shorewall.conf is upgraded to the latest version, it needs to
be modified to set STARTUP_ENABLED=Yes.</para>
</listitem>
<listitem>
@ -122,7 +122,7 @@
<listitem>
<para>The ORIGINAL DEST column of the /etc/shorewall/rules file may no
longer contain a second (SNAT) address. You must use an entry in
/etc/shorewall/masq instead. </para>
/etc/shorewall/masq instead.</para>
<para>Example from Shorewall FAQ #1:</para>
@ -140,7 +140,7 @@ loc eth1 detect routeback</programlisting>
# PORT DEST
DNAT loc loc:192.168.1.12 tcp 80 - 130.252.100.69:192.168.1.254 </programlisting>
<para> Shorewall 2.1 and Later:</para>
<para>Shorewall 2.1 and Later:</para>
<para>/etc/shorewall/interfaces</para>
@ -389,6 +389,24 @@ DNAT loc loc:192.168.1.12 tcp 80 - 130.252.100.69</p
</itemizedlist>
</section>
<section>
<title>Version &gt;= 1.4.9</title>
<itemizedlist>
<listitem>
<para>The default value of NEWNOTSYN set in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink> has
been changed from 'No' to 'Yes'. I find that NEWNOTSYN=No tends to
result in lots of "stuck" connections because any network timeout
during TCP session tear down results in retries being dropped
(Netfilter has removed the connection from the conntrack table but the
end-points haven't completed shutting down the connection). I
therefore have chosen NEWNOTSYN=Yes as the default value and I advise
caution in using NEWNOTSYN=Yes.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Version &gt;= 1.4.8</title>


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=2.2.0-Beta4
VERSION=2.2.0-Beta5
usage() # $1 = exit status
{


@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=2.2.0-Beta4
VERSION=2.2.0-Beta5
usage() # $1 = exit status
{


@ -1,4 +1,4 @@
Shorewall 2.2.0-Beta4
Shorewall 2.2.0-Beta5
----------------------------------------------------------------------
Problems Corrected since 2.0.3


@ -1,6 +1,6 @@
%define name shorewall
%define version 2.2.0
%define release 0Beta4
%define release 0Beta5
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -137,8 +137,10 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta5
* Fri Nov 19 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta3
- Updated to 2.2.0-0Beta4
* Tue Nov 09 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta3
* Tue Nov 02 2004 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=2.2.0-Beta4
VERSION=2.2.0-Beta5
usage() # $1 = exit status
{