Update for Shorewall 2.2.0 Beta 5

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1767 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-11-26 18:53:04 +00:00
parent fa89a86f71
commit 01cded414d
14 changed files with 185 additions and 103 deletions


@ -247,6 +247,15 @@ LOG_MARTIANS=No
################################################################################ ################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################ ################################################################################
#
# IPTABLES
#
# Full path to iptables executable Shorewall uses to build the firewall. If
# not specified or if specified with an empty value (e.g., IPTABLES="") then
# the iptables executable located via the PATH setting below is used.
#
IPTABLES=
# #
# PATH - Change this if you want to change the order in which Shorewall # PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files. # searches directories for executable files.
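Review bot: The new IPTABLES comment says "Full path" but does not say what happens with a relative value, and this variable names the binary Shorewall executes as root. I would add after the existing text: `# This must be an absolute path (e.g., /sbin/iptables); a relative value would be resolved against the current working directory of whoever runs Shorewall.` It is also worth a sentence that, when the value is left empty, the binary actually used depends entirely on the PATH setting below, so that PATH should not contain user-writable directories.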


@ -115,7 +115,7 @@
# In that case, it is suggested that this field contain # In that case, it is suggested that this field contain
# "-" # "-"
# #
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, # SOURCE PORT(S) (Optional) Source port(s). If omitted,
# any source port is acceptable. Specified as a comma- # any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port # separated list of port names, port numbers or port
# ranges. # ranges.


@ -192,6 +192,19 @@ get_config() {
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:" [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
if [ -n "$IPTABLES" ]; then
if [ ! -e "$IPTABLES" ]; then
echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
exit 2
fi
else
IPTABLES=$(which iptables 2> /dev/null)
if [ -z "$IPTABLES" ] ; then
echo " ERROR: Can't find iptables executable" >&2
exit 2
fi
fi
if [ -n "$SHOREWALL_SHELL" ]; then if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -e "$SHOREWALL_SHELL" ]; then if [ ! -e "$SHOREWALL_SHELL" ]; then
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2 echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
@ -223,7 +236,7 @@ display_chains()
TMPFILE=$(mktempfile) TMPFILE=$(mktempfile)
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; } [ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
iptables -L $IPT_OPTIONS >> $TMPFILE $IPTABLES -L $IPT_OPTIONS >> $TMPFILE
clear clear
echo "$banner $(date)" echo "$banner $(date)"
@ -306,7 +319,7 @@ display_chains()
qt rm -f $TMPFILE qt rm -f $TMPFILE
else else
iptables -L -n -v $IPTABLES -L -n -v
timed_read timed_read
fi fi
trap - 1 2 3 4 5 6 9 trap - 1 2 3 4 5 6 9
@ -407,7 +420,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
get_config get_config
host=$(echo $HOSTNAME | sed 's/\..*$//') host=$(echo $HOSTNAME | sed 's/\..*$//')
oldrejects=$(iptables -L -v -n | grep 'LOG') oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then if [ $1 -lt 0 ]; then
let "timeout=- $1" let "timeout=- $1"
@ -440,7 +453,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
show_reset show_reset
rejects=$(iptables -L -v -n | grep 'LOG') rejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects" oldrejects="$rejects"
@ -467,7 +480,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
echo echo
echo "NAT Status" echo "NAT Status"
echo echo
iptables -t nat -L $IPT_OPTIONS $IPTABLES -t nat -L $IPT_OPTIONS
timed_read timed_read
clear clear
@ -476,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
echo echo
echo "TOS/MARK Status" echo "TOS/MARK Status"
echo echo
iptables -t mangle -L $IPT_OPTIONS $IPTABLES -t mangle -L $IPT_OPTIONS
timed_read timed_read
clear clear
@ -517,7 +530,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
get_config get_config
host=$(echo $HOSTNAME | sed 's/\..*$//') host=$(echo $HOSTNAME | sed 's/\..*$//')
oldrejects=$(iptables -L -v -n | grep 'LOG') oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then if [ $1 -lt 0 ]; then
timeout=$((- $1)) timeout=$((- $1))
@ -539,7 +552,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
show_reset show_reset
rejects=$(iptables -L -v -n | grep 'LOG') rejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects" oldrejects="$rejects"
@ -876,14 +889,14 @@ case "$1" in
echo "Shorewall-$version NAT at $HOSTNAME - $(date)" echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
echo echo
show_reset show_reset
iptables -t nat -L $IPT_OPTIONS $IPTABLES -t nat -L $IPT_OPTIONS
;; ;;
tos|mangle) tos|mangle)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
echo "Shorewall-$version TOS at $HOSTNAME - $(date)" echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
echo echo
show_reset show_reset
iptables -t mangle -L $IPT_OPTIONS $IPTABLES -t mangle -L $IPT_OPTIONS
;; ;;
log) log)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
@ -914,10 +927,10 @@ case "$1" in
show_reset show_reset
if [ $# -gt 0 ]; then if [ $# -gt 0 ]; then
for chain in $*; do for chain in $*; do
iptables -L $chain $IPT_OPTIONS $IPTABLES -L $chain $IPT_OPTIONS
done done
else else
iptables -L $IPT_OPTIONS $IPTABLES -L $IPT_OPTIONS
fi fi
;; ;;
esac esac
@ -941,17 +954,17 @@ case "$1" in
echo echo
show_reset show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//') host=$(echo $HOSTNAME | sed 's/\..*$//')
iptables -L $IPT_OPTIONS $IPTABLES -L $IPT_OPTIONS
echo echo
packet_log 20 packet_log 20
echo echo
echo "NAT Table" echo "NAT Table"
echo echo
iptables -t nat -L $IPT_OPTIONS $IPTABLES -t nat -L $IPT_OPTIONS
echo echo
echo "Mangle Table" echo "Mangle Table"
echo echo
iptables -t mangle -L $IPT_OPTIONS $IPTABLES -t mangle -L $IPT_OPTIONS
echo echo
cat /proc/net/ip_conntrack cat /proc/net/ip_conntrack
echo echo
@ -971,6 +984,7 @@ case "$1" in
echo echo
show_proc /proc/sys/net/ipv4/ip_forward show_proc /proc/sys/net/ipv4/ip_forward
show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all
for directory in /proc/sys/net/ipv4/conf/*; do for directory in /proc/sys/net/ipv4/conf/*; do
for file in proxy_arp arp_filter rp_filter log_martians; do for file in proxy_arp arp_filter rp_filter log_martians; do
@ -1041,10 +1055,10 @@ case "$1" in
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\"" [ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
[ $# -lt 2 -o $# -gt 3 ] && usage 1 [ $# -lt 2 -o $# -gt 3 ] && usage 1
if ! $0 $debugging -c $2 restart; then if ! $0 $debugging -c $2 restart; then
if ! iptables -L shorewall > /dev/null 2> /dev/null; then if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
$0 start $0 start
fi fi
elif ! iptables -L shorewall > /dev/null 2> /dev/null; then elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
$0 start $0 start
elif [ $# -eq 3 ]; then elif [ $# -eq 3 ]; then
sleep $3 sleep $3
@ -1067,9 +1081,9 @@ case "$1" in
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
qt iptables -D dynamic -s $1 -j reject qt $IPTABLES -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP qt $IPTABLES -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j DROP || break 1 $IPTABLES -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped" echo "$1 Dropped"
done done
mutex_off mutex_off
@ -1080,9 +1094,9 @@ case "$1" in
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
qt iptables -D dynamic -s $1 -j reject qt $IPTABLES -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP qt $IPTABLES -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j reject || break 1 $IPTABLES -A dynamic -s $1 -j reject || break 1
echo "$1 Rejected" echo "$1 Rejected"
done done
mutex_off mutex_off
@ -1093,7 +1107,7 @@ case "$1" in
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then
echo "$1 Allowed" echo "$1 Allowed"
else else
echo "$1 Not Dropped or Rejected" echo "$1 Not Dropped or Rejected"
@ -1122,7 +1136,7 @@ case "$1" in
mutex_on mutex_on
if qt iptables -L shorewall -n; then if qt $IPTABLES -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
@ -1133,7 +1147,7 @@ case "$1" in
echo " ERROR: Reserved file name: $RESTOREFILE" echo " ERROR: Reserved file name: $RESTOREFILE"
;; ;;
*) *)
if iptables -L dynamic -n > /var/lib/shorewall/save; then if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
echo " Dynamic Rules Saved" echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$ cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
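Review bot: In get_config the new check `if [ ! -e "$IPTABLES" ]; then` only tests existence, yet the message it prints says "does not exist or is not executable"; a directory or a non-executable file passes here and the failure only surfaces later as an opaque exec error from the first `$IPTABLES -L`. Use `if [ ! -x "$IPTABLES" ]; then` so the test matches the message and the misconfiguration is reported up front. The fallback `IPTABLES=$(which iptables 2> /dev/null)` is fine for this file's style, though `command -v iptables` would be the portable form. get_config begins before the hunk.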


@ -156,9 +156,9 @@ run_iptables() {
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
if ! iptables $@ ; then if ! $IPTABLES $@ ; then
if [ -z "$stopping" ]; then if [ -z "$stopping" ]; then
error_message "ERROR: Command \"iptables $@\" Failed" error_message "ERROR: Command \"$IPTABLES $@\" Failed"
stop_firewall stop_firewall
exit 2 exit 2
fi fi
@ -234,7 +234,7 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
{ {
local c=$(chain_base $1) local c=$(chain_base $1)
if iptables -N $1; then if $IPTABLES -N $1; then
if [ $2 = yes ]; then if [ $2 = yes ]; then
run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
@ -265,7 +265,7 @@ havechain() # $1 = name of chain
# #
chain_exists() # $1 = chain name chain_exists() # $1 = chain name
{ {
qt iptables -L $1 -n qt $IPTABLES -L $1 -n
} }
# #
@ -273,7 +273,7 @@ chain_exists() # $1 = chain name
# #
mangle_chain_exists() # $1 = chain name mangle_chain_exists() # $1 = chain name
{ {
qt iptables -t mangle -L $1 -n qt $IPTABLES -t mangle -L $1 -n
} }
# #
@ -351,7 +351,7 @@ addnatrule() # $1 = chain name, remainder of arguments specify the rule
# #
deletechain() # $1 = name of chain deletechain() # $1 = name of chain
{ {
qt iptables -L $1 -n && qt iptables -F $1 && qt iptables -X $1 qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
} }
# #
@ -1292,10 +1292,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
case $level in case $level in
ULOG) ULOG)
iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
;; ;;
*) *)
iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
;; ;;
esac esac
@ -1462,7 +1462,7 @@ stop_firewall() {
else else
routeback=Yes routeback=Yes
for h in $(separate_list $host); do for h in $(separate_list $host); do
iptables -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT $IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
done done
fi fi
;; ;;
@ -1478,27 +1478,27 @@ stop_firewall() {
for host in $hosts; do for host in $hosts; do
interface=${host%:*} interface=${host%:*}
networks=${host#*:} networks=${host#*:}
iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT $IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \ [ -z "$ADMINISABSENTMINDED" ] && \
iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
for host1 in $hosts; do for host1 in $hosts; do
[ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT [ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
done done
done done
iptables -A INPUT -i lo -j ACCEPT $IPTABLES -A INPUT -i lo -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \ [ -z "$ADMINISABSENTMINDED" ] && \
iptables -A OUTPUT -o lo -j ACCEPT $IPTABLES -A OUTPUT -o lo -j ACCEPT
for interface in $(find_interfaces_by_option dhcp); do for interface in $(find_interfaces_by_option dhcp); do
iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT $IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \ [ -z "$ADMINISABSENTMINDED" ] && \
iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
# #
# This might be a bridge # This might be a bridge
# #
iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT $IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
done done
case "$IP_FORWARDING" in case "$IP_FORWARDING" in
@ -2700,7 +2700,7 @@ process_accounting_rule() {
ensurechain1 $chain ensurechain1 $chain
if iptables -A $chain $(fix_bang $rule) ; then if $IPTABLES -A $chain $(fix_bang $rule) ; then
[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2 [ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport $user Added progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport $user Added
else else
@ -5303,7 +5303,7 @@ refresh_blacklist() {
local f=$(find_file blacklist) local f=$(find_file blacklist)
local disposition=$BLACKLIST_DISPOSITION local disposition=$BLACKLIST_DISPOSITION
if qt iptables -L blacklst -n ; then if qt $IPTABLES -L blacklst -n ; then
echo "Loading Black List..." echo "Loading Black List..."
strip_file blacklist $f strip_file blacklist $f
@ -5456,8 +5456,8 @@ verify_ip() {
# Determine which optional facilities are supported by iptables/netfilter # Determine which optional facilities are supported by iptables/netfilter
# #
determine_capabilities() { determine_capabilities() {
qt iptables -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH= CONNTRACK_MATCH=
MULTIPORT= MULTIPORT=
@ -5465,20 +5465,20 @@ determine_capabilities() {
PHYSDEV_MATCH= PHYSDEV_MATCH=
IPRANGE_MATCH= IPRANGE_MATCH=
if qt iptables -N fooX1234 ; then if qt $IPTABLES -N fooX1234 ; then
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt iptables -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
if [ -n "$PKTTYPE" ]; then if [ -n "$PKTTYPE" ]; then
qt iptables -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE= qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
fi fi
qt iptables -F fooX1234 qt $IPTABLES -F fooX1234
qt iptables -X fooX1234 qt $IPTABLES -X fooX1234
fi fi
} }
@ -5706,8 +5706,8 @@ add_common_rules() {
# Reject Rules -- Don't respond to broadcasts with an ICMP # Reject Rules -- Don't respond to broadcasts with an ICMP
# #
if [ -n "$PKTTYPE" ]; then if [ -n "$PKTTYPE" ]; then
qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP qt $IPTABLES -A reject -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then if ! qt $IPTABLES -A reject -m pkttype --pkt-type multicast -j DROP; then
# #
# No pkttype support -- do it the hard way # No pkttype support -- do it the hard way
# #
@ -5728,8 +5728,8 @@ add_common_rules() {
# #
# Not all versions of iptables support these so don't complain if they don't work # Not all versions of iptables support these so don't complain if they don't work
# #
qt iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable qt $IPTABLES -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
if ! qt iptables -A reject -j REJECT --reject-with icmp-host-prohibited; then if ! qt $IPTABLES -A reject -j REJECT --reject-with icmp-host-prohibited; then
# #
# In case the above doesn't work # In case the above doesn't work
# #
@ -5792,7 +5792,7 @@ add_common_rules() {
if [ -n "$BRIDGING" ]; then if [ -n "$BRIDGING" ]; then
eval is_bridge=\$$(chain_base $interface)_ports eval is_bridge=\$$(chain_base $interface)_ports
[ -n "$is_bridge" ] && \ [ -n "$is_bridge" ] && \
iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT $IPTABLES -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT
fi fi
run_iptables -A $(input_chain $interface) -p udp --dport 67:68 $policyin -j ACCEPT run_iptables -A $(input_chain $interface) -p udp --dport 67:68 $policyin -j ACCEPT
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 $policyout -j ACCEPT run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 $policyout -j ACCEPT
@ -6617,12 +6617,12 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
nat_chain_exists() # $1 = chain name nat_chain_exists() # $1 = chain name
{ {
qt iptables -t nat -L $1 -n qt $IPTABLES -t nat -L $1 -n
} }
do_iptables() # $@ = command do_iptables() # $@ = command
{ {
if ! iptables $@ ; then if ! $IPTABLES $@ ; then
startup_error "Can't add $1 to zone $2" startup_error "Can't add $1 to zone $2"
fi fi
} }
@ -6878,14 +6878,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
# Delete any nat table entries for the host(s) # Delete any nat table entries for the host(s)
# #
qt iptables -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat qt $IPTABLES -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
# #
# Delete rules rules the input chains for the passed interface # Delete rules rules the input chains for the passed interface
# #
while read z1 z2 chain; do while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then if [ "$z2" = "$FW" ]; then
qt iptables -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain qt $IPTABLES -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
else else
source_chain=$(dynamic_fwd $interface) source_chain=$(dynamic_fwd $interface)
eval dest_hosts=\"\$${z2}_hosts\" eval dest_hosts=\"\$${z2}_hosts\"
@ -6895,13 +6895,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt iptables -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain qt $IPTABLES -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
fi fi
done done
fi fi
elif [ "$z2" = "$zone" ]; then elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then if [ "$z1" = "$FW" ]; then
qt iptables -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain qt $IPTABLES -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
else else
eval source_hosts=\"\$${z1}_hosts\" eval source_hosts=\"\$${z1}_hosts\"
@ -6910,7 +6910,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain qt $IPTABLES -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
fi fi
done done
fi fi
@ -6988,6 +6988,7 @@ do_initialize() {
# Clear all configuration variables # Clear all configuration variables
# #
version= version=
IPTABLES=
FW= FW=
SUBSYSLOCK= SUBSYSLOCK=
STATEDIR= STATEDIR=
@ -7102,6 +7103,14 @@ do_initialize() {
[ -d $STATEDIR ] || mkdir -p $STATEDIR [ -d $STATEDIR ] || mkdir -p $STATEDIR
if [ -z "$IPTABLES" ]; then
IPTABLES=$(which iptables 2> /dev/null)
[ -z "$IPTABLES" ] && startup_error "Can't find iptables executable"
else
[ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
fi
[ -z "$FW" ] && FW=fw [ -z "$FW" ] && FW=fw
ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)" ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
@ -7283,7 +7292,7 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage [ $# -ne 1 ] && usage
do_initialize do_initialize
my_mutex_on my_mutex_on
if qt iptables -L shorewall -n ; then if qt $IPTABLES -L shorewall -n ; then
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
echo "Shorewall Already Started" echo "Shorewall Already Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
@ -7298,7 +7307,7 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage [ $# -ne 1 ] && usage
do_initialize do_initialize
my_mutex_on my_mutex_on
if qt iptables -L shorewall -n ; then if qt $IPTABLES -L shorewall -n ; then
define_firewall "Restart" define_firewall "Restart"
else else
echo "Shorewall Not Currently Running" echo "Shorewall Not Currently Running"
@ -7313,22 +7322,22 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage [ $# -ne 1 ] && usage
echo "Shorewall-$version Status at $HOSTNAME - $(date)" echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo echo
iptables -L -n -v $IPTABLES -L -n -v
;; ;;
reset) reset)
[ $# -ne 1 ] && usage [ $# -ne 1 ] && usage
do_initialize do_initialize
my_mutex_on my_mutex_on
if ! qt iptables -L shorewall -n ; then if ! qt $IPTABLES -L shorewall -n ; then
echo "Shorewall Not Started" echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off my_mutex_off
exit 2; exit 2;
fi fi
iptables -Z $IPTABLES -Z
iptables -t nat -Z $IPTABLES -t nat -Z
iptables -t mangle -Z $IPTABLES -t mangle -Z
report "Shorewall Counters Reset" report "Shorewall Counters Reset"
date > $STATEDIR/restarted date > $STATEDIR/restarted
my_mutex_off my_mutex_off
@ -7338,7 +7347,7 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage [ $# -ne 1 ] && usage
do_initialize do_initialize
my_mutex_on my_mutex_on
if ! qt iptables -L shorewall -n ; then if ! qt $IPTABLES -L shorewall -n ; then
echo "Shorewall Not Started" echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off my_mutex_off
@ -7369,7 +7378,7 @@ case "$COMMAND" in
[ $# -ne 3 ] && usage [ $# -ne 3 ] && usage
do_initialize do_initialize
my_mutex_on my_mutex_on
if ! qt iptables -L shorewall -n ; then if ! qt $IPTABLES -L shorewall -n ; then
echo "Shorewall Not Started" echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off my_mutex_off
@ -7383,7 +7392,7 @@ case "$COMMAND" in
[ $# -ne 3 ] && usage [ $# -ne 3 ] && usage
do_initialize do_initialize
my_mutex_on my_mutex_on
if ! qt iptables -L shorewall -n ; then if ! qt $IPTABLES -L shorewall -n ; then
echo "Shorewall Not Started" echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off my_mutex_off
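Review bot: do_initialize validates the configured path with `[ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"`, but `-e` accepts a directory or a non-executable file, so the message overstates the check; `[ -x "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"` makes the test match the message and fails before any rule is loaded rather than midway through define_firewall. Separately, the `status)` case runs `$IPTABLES -L -n -v` with no do_initialize call visible in its hunk, unlike the reset and clear neighbours, so unless something earlier in the script sets IPTABLES this expands to an empty command name and fails; worth confirming against the full script. do_initialize and the case statement both extend outside the hunks shown.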


@ -1 +1 @@
2.2.0-Beta4 2.2.0-Beta5


@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-11-18</pubdate> <pubdate>2004-11-26</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -1245,7 +1245,7 @@ loc loc REJECT info</programlisting>
<para>UNLESS the user defines the zone badly so that intra-zone rules <para>UNLESS the user defines the zone badly so that intra-zone rules
are required. In that case, Shorewall will not try to guess what the are required. In that case, Shorewall will not try to guess what the
user's intentions are and will treat traffic within the affected zone(s) user's intentions are and will treat traffic within the affected zone(s)
just like any other traffic. </para> just like any other traffic.</para>
<para>Any time that you have multiple interfaces associated with a <para>Any time that you have multiple interfaces associated with a
single zone, you should ask yourself if you really want traffic routed single zone, you should ask yourself if you really want traffic routed
@ -2771,6 +2771,17 @@ eth0 eth1 206.124.146.176</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>IPTABLES</term>
<listitem>
<para>(Added at version 2.2.0) — This parameter names the iptables
executable to be used by Shorewall. If not specified or if specified
as a null value, then the iptables executable located usint the PATH
option is used.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>LOGFORMAT</term> <term>LOGFORMAT</term>
@ -2938,6 +2949,22 @@ eth0 eth1 206.124.146.176</programlisting>
<para>If you have a HA setup with failover to another firewall, you <para>If you have a HA setup with failover to another firewall, you
should have NEWNOTSYN=Yes on both firewalls. You should also select should have NEWNOTSYN=Yes on both firewalls. You should also select
NEWNOTSYN=Yes if you have asymmetric routing.</para> NEWNOTSYN=Yes if you have asymmetric routing.</para>
<note>
<para>I find that NEWNOTSYN=No tends to result in lots of "stuck"
connections because any network timeout during TCP session tear
down results in retries being dropped (Netfilter has removed the
connection from the conntrack table but the end-points haven't
completed shutting down the connection). I therefore have chosen
NEWNOTSYN=Yes as the default value and I advise caution in using
NEWNOTSYN=Yes.</para>
<para>If you are looking for a way to defeat "stealth TCP scans"
then I recommend the <emphasis role="bold">tcpflags</emphasis>
interface option in <link
linkend="Interfaces">/etc/shorewall/interfaces</link> rather than
NEWNOTSYN=No.</para>
</note>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -2953,9 +2980,9 @@ eth0 eth1 206.124.146.176</programlisting>
LOGNEWNOTSYN=ULOG|</para> LOGNEWNOTSYN=ULOG|</para>
<note> <note>
<para>Packets logged under this option are usually the result of <para>Packets logged under this option are usually the result of a
broken remote IP stacks rather than the result of any sort of "stuck" connection rather than as the result of an attempt to
attempt to breach your firewall.</para> breach your firewall.</para>
</note> </note>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -3992,4 +4019,4 @@ eth1 -</programlisting>
</revision> </revision>
</revhistory></para> </revhistory></para>
</appendix> </appendix>
</article> </article>


@ -17,7 +17,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-11-18</pubdate> <pubdate>2004-11-24</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -1105,7 +1105,10 @@ LOGBURST=""</programlisting>
to report problems back to the sender of a packet; this is what is to report problems back to the sender of a packet; this is what is
happening here. Unfortunately, where NAT is involved (including SNAT, happening here. Unfortunately, where NAT is involved (including SNAT,
DNAT and Masquerade), there are a lot of broken implementations. That is DNAT and Masquerade), there are a lot of broken implementations. That is
what you are seeing with these messages.</para> what you are seeing with these messages. When Netfilter displays these
messages, the part before the "[" describes the ICMP packet and the part
between the "[" and "]" describes the packet for which the ICMP is a
response.</para>
<para>Here is my interpretation of what is happening -- to confirm this <para>Here is my interpretation of what is happening -- to confirm this
analysis, one would have to have packet sniffers placed a both ends of analysis, one would have to have packet sniffers placed a both ends of


@ -308,11 +308,11 @@ $EXT_IF $OMAK
my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to
/etc/shorewall/rfc1918 and changed it as follows:</para> /etc/shorewall/rfc1918 and changed it as follows:</para>
<programlisting>#SUBNET TARGET <programlisting>#SUBNET TARGET
<emphasis role="bold">192.168.1.1 RETURN</emphasis> <emphasis role="bold">192.168.1.1 RETURN</emphasis>
172.16.0.0/12 logdrop # RFC 1918 172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918 192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918 10.0.0.0/8 logdrop # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting> </programlisting>
</blockquote> </blockquote>


@ -97,8 +97,8 @@
</listitem> </listitem>
<listitem> <listitem>
<para> If shorewall.conf is upgraded to the latest version, it needs <para>If shorewall.conf is upgraded to the latest version, it needs to
to be modified to set STARTUP_ENABLED=Yes.</para> be modified to set STARTUP_ENABLED=Yes.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -122,7 +122,7 @@
<listitem> <listitem>
<para>The ORIGINAL DEST column of the /etc/shorewall/rules file may no <para>The ORIGINAL DEST column of the /etc/shorewall/rules file may no
longer contain a second (SNAT) address. You must use an entry in longer contain a second (SNAT) address. You must use an entry in
/etc/shorewall/masq instead. </para> /etc/shorewall/masq instead.</para>
<para>Example from Shorewall FAQ #1:</para> <para>Example from Shorewall FAQ #1:</para>
@ -140,7 +140,7 @@ loc eth1 detect routeback</programlisting>
# PORT DEST # PORT DEST
DNAT loc loc:192.168.1.12 tcp 80 - 130.252.100.69:192.168.1.254 </programlisting> DNAT loc loc:192.168.1.12 tcp 80 - 130.252.100.69:192.168.1.254 </programlisting>
<para> Shorewall 2.1 and Later:</para> <para>Shorewall 2.1 and Later:</para>
<para>/etc/shorewall/interfaces</para> <para>/etc/shorewall/interfaces</para>
@ -389,6 +389,24 @@ DNAT loc loc:192.168.1.12 tcp 80 - 130.252.100.69</p
</itemizedlist> </itemizedlist>
</section> </section>
<section>
<title>Version &gt;= 1.4.9</title>
<itemizedlist>
<listitem>
<para>The default value of NEWNOTSYN set in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink> has
been changed from 'No' to 'Yes'. I find that NEWNOTSYN=No tends to
result in lots of "stuck" connections because any network timeout
during TCP session tear down results in retries being dropped
(Netfilter has removed the connection from the conntrack table but the
end-points haven't completed shutting down the connection). I
therefore have chosen NEWNOTSYN=Yes as the default value and I advise
caution in using NEWNOTSYN=Yes.</para>
</listitem>
</itemizedlist>
</section>
<section> <section>
<title>Version &gt;= 1.4.8</title> <title>Version &gt;= 1.4.8</title>


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=2.2.0-Beta4 VERSION=2.2.0-Beta5
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=2.2.0-Beta4 VERSION=2.2.0-Beta5
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,4 +1,4 @@
Shorewall 2.2.0-Beta4 Shorewall 2.2.0-Beta5
---------------------------------------------------------------------- ----------------------------------------------------------------------
Problems Corrected since 2.0.3 Problems Corrected since 2.0.3


@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 2.2.0 %define version 2.2.0
%define release 0Beta4 %define release 0Beta5
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -137,8 +137,10 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta5
* Fri Nov 19 2004 Tom Eastep tom@shorewall.net * Fri Nov 19 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta3 - Updated to 2.2.0-0Beta4
* Tue Nov 09 2004 Tom Eastep tom@shorewall.net * Tue Nov 09 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta3 - Updated to 2.2.0-0Beta3
* Tue Nov 02 2004 Tom Eastep tom@shorewall.net * Tue Nov 02 2004 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=2.2.0-Beta4 VERSION=2.2.0-Beta5
usage() # $1 = exit status usage() # $1 = exit status
{ {