extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-22 07:33:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '5.1.12'

Browse Source 
# Conflicts:
#	Shorewall/Perl/Shorewall/Config.pm
This commit is contained in:
Tom Eastep 2018-02-09 17:16:12 -08:00
commit 12bbbbfa2a
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
26 changed files with 189 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
Shorewall/Macros/macro.Apcupsd Normal file
View File

@ -0,0 +1,9 @@
#
# Shorewall -- /usr/share/shorewall/macro.Apcupsd
#
# This macro handles apcupsd traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - tcp 3551

16
Shorewall/Macros/macro.FreeIPA Normal file
View File

@ -0,0 +1,16 @@
#
# Shorewall -- /usr/share/shorewall/macro.FreeIPA
#
# This macro handles FreeIPA server traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
DNS
HTTP
HTTPS
Kerberos
Kpasswd
LDAP
LDAPS
NTP

18
Shorewall/Macros/macro.IPMI
View File

@ -11,14 +11,20 @@
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - tcp 623 # RMCP
PARAM - - udp 623 # RMCP
PARAM - - tcp 3668,3669 # Virtual Media, Secure (Dell)
PARAM - - tcp 5120,5123 # CD, floppy (Asus, Aten)
PARAM - - tcp 5120,5122,5123 # CD,FD,HD (Asus, Aten)
PARAM - - tcp 5900,5901 # Remote Console (Aten, Dell)
PARAM - - tcp 7578 # Remote Console (AMI)
PARAM - - tcp 3520 # Remote Console (Redfish)
PARAM - - udp 623 # RMCP
PARAM - - tcp 8889 # WS-MAN
HTTP
HTTPS
SNMP
SSH # Serial over Lan
Telnet
SNMP
# TLS/secure ports
PARAM - - tcp 3520 # Remote Console (Redfish)
PARAM - - tcp 3669 # Virtual Media (Dell)
PARAM - - tcp 5124,5126,5127 # CD,FD,HD (AMI)
PARAM - - tcp 7582 # Remote Console (AMI)
HTTPS
SSH # Serial over Lan

10
Shorewall/Macros/macro.Kpasswd Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall -- /usr/share/shorewall/macro.Kpasswd
#
# This macro handles Kerberos "passwd" traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - tcp 464
PARAM - - udp 464

9
Shorewall/Macros/macro.RedisSecure Normal file
View File

@ -0,0 +1,9 @@
#
# Shorewall -- /usr/share/shorewall/macro.RedisSecure
#
# This macro handles Redis Secure (SSL/TLS) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - tcp 6380

9
Shorewall/Macros/macro.Rwhois Normal file
View File

@ -0,0 +1,9 @@
#
# Shorewall -- /usr/share/shorewall/macro.Rwhois
#
# This macro handles Remote Who Is (rwhois) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - tcp 4321

9
Shorewall/Macros/macro.SSDP Normal file
View File

@ -0,0 +1,9 @@
#
# Shorewall -- /usr/share/shorewall/macro.SSDP
#
# This macro handles SSDP (used by DLNA/UPnP) client traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - udp 1900

10
Shorewall/Macros/macro.SSDPserver Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall -- /usr/share/shorewall/macro.SSDPserver
#
# This macro handles SSDP (used by DLNA/UPnP) server bidirectional traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
PARAM - - udp 1900
PARAM DEST SOURCE udp - 1900

6
Shorewall/Perl/Shorewall/Config.pm
View File

@ -834,7 +834,7 @@ sub initialize( $;$$$) {
TC_SCRIPT => '',
EXPORT => 0,
KLUDGEFREE => '',
VERSION => "5.1.12-Beta2",
VERSION => "5.1.12",
CAPVERSION => 50112 ,
BLACKLIST_LOG_TAG => '',
RELATED_LOG_TAG => '',
@ -2412,6 +2412,10 @@ sub split_line2( $$;$$$ ) {
fatal_error "Only one set of double semicolons (';;') allowed on a line" if defined $rest;
$currline = $columns;
#
# Remove trailing white space
#
$currline =~ s/\s*$//;
$inline_matches = $pairs;
#

2
Shorewall/Samples/Universal/shorewall.conf
View File

@ -183,7 +183,7 @@ IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
INLINE_MATCHES=No
IPSET_WARNINGS=Yes

2
Shorewall/Samples/one-interface/shorewall.conf
View File

@ -194,7 +194,7 @@ IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
INLINE_MATCHES=No
IPSET_WARNINGS=Yes

2
Shorewall/Samples/three-interfaces/shorewall.conf
View File

@ -191,7 +191,7 @@ IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
INLINE_MATCHES=No
IPSET_WARNINGS=Yes

2
Shorewall/Samples/two-interfaces/shorewall.conf
View File

@ -194,7 +194,7 @@ IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
INLINE_MATCHES=No
IPSET_WARNINGS=Yes

2
Shorewall6/Samples6/Universal/shorewall6.conf
View File

@ -170,7 +170,7 @@ IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
INLINE_MATCHES=No
IPSET_WARNINGS=Yes

2
Shorewall6/Samples6/one-interface/shorewall6.conf
View File

@ -171,7 +171,7 @@ IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
INLINE_MATCHES=No
IPSET_WARNINGS=Yes

2
Shorewall6/Samples6/three-interfaces/shorewall6.conf
View File

@ -170,7 +170,7 @@ IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
INLINE_MATCHES=No
IPSET_WARNINGS=Yes

2
Shorewall6/Samples6/two-interfaces/shorewall6.conf
View File

@ -170,7 +170,7 @@ IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
INLINE_MATCHES=No
IPSET_WARNINGS=Yes

75
docs/IPSEC-2.6.xml
View File

@ -107,7 +107,7 @@
requires an appropriate SA to exist. SAs may be created manually using
<command>setkey</command>(8) but most often, they are created by a
cooperative process involving the ISAKMP protocol and a daemon included in
your IPSEC package (StrongSwan, LibreSwan, ipsec-tools/Racoon, etc.) .
your IPsec package (StrongSwan, LibreSwan, ipsec-tools/Racoon, etc.) .
Incoming traffic is verified against the SPD to ensure that no unencrypted
traffic is accepted in violation of the administrator's policies.</para>
@ -227,7 +227,7 @@
<important>
<para>This article provides guidance regarding configuring Shorewall to
use with IPSEC. For configuring IPSEC itself, consult your IPSEC
use with IPsec. For configuring IPsec itself, consult your IPsec
product's documentation.</para>
</important>
</section>
@ -681,4 +681,75 @@ ipip <emphasis role="bold">vpn</emphasis> 0.0.0.0/0</prog
the INPUT chain.</para>
</important>
</section>
<section>
<title>Using SNAT to Force Traffic over an IPsec Tunnel</title>
<para>Cases can arise where you need to use an IPsec tunnel to access a
remote network, but you have no control over the associated security
polices. In such cases, the resulting tunnel is accessible from your
firewall but not from your local networks.</para>
<para>Let's take an example:</para>
<itemizedlist>
<listitem>
<para>Remote gateway 192.0.2.26</para>
</listitem>
<listitem>
<para>Remote subnet 172.22.4.0/24</para>
</listitem>
<listitem>
<para>Your public IP address is 192.0.2.199</para>
</listitem>
<listitem>
<para>Your Internet-facing interface is eth0</para>
</listitem>
<listitem>
<para>Your local network is 192.168.219.0/24</para>
</listitem>
<listitem>
<para>You want to access 172.22.4.0/24 from 192.168.219.0/24</para>
</listitem>
<listitem>
<para>The IPsec tunnel is configured between 172.22.4.0/24 and
192.0.2.199</para>
</listitem>
</itemizedlist>
<para>You need to configure as follows.</para>
<para>/etc/shorewall/zones:</para>
<programlisting>#ZONE TYPE OPTIONS
...
vpn ip # Note that the zone <emphasis role="bold">cannot</emphasis> be declared as type ipsec
...</programlisting>
<para>/etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE OPTIONS
net eth0 nets=(!172.22.4.0/24),... # You must exclude the remote network from the net zone</programlisting>
<para>/etc/shorewall/hosts:</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:172.22.4.0/24 mss=1380,destonly
vpn eth0:0.0.0.0/0 mss=1380,ipsec</programlisting>
<para>/etc/shorewall/snat:</para>
<programlisting>SNAT(192.0.2.199) 192.168.219.0/24 eth0:172.22.4.0/24</programlisting>
<para>/etc/shorewall/tunnels:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 192.0.2.26 vpn</programlisting>
</section>
</article>

2
docs/MultiISP.xml
View File

@ -1233,7 +1233,7 @@ gateway:~ #</programlisting>
those clients. See<link linkend="Openvpn"> Example 2</link>
below.</para>
<para>If you have an IPSEC gateway on your firewall, be sure to
<para>If you have an IPsec gateway on your firewall, be sure to
arrange for ESP packets to be routed out of the same interface that
you have configured your keying daemon to use.</para>
</section>

2
docs/SharedConfig.xml
View File

@ -1021,7 +1021,7 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
<section>
<title>tunnels</title>
<para>Both address families define IPSEC tunnels:</para>
<para>Both address families define IPsec tunnels:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsecnat {ZONE=net, GATEWAY=$ALL, GATEWAY_ZONE=vpn }

10
docs/VPN.xml
View File

@ -43,7 +43,7 @@
<para>It is often the case that a system behind the firewall needs to be
able to access a remote network through Virtual Private Networking (VPN).
The two most common means for doing this are IPSEC and PPTP. The basic
The two most common means for doing this are IPsec and PPTP. The basic
setup is shown in the following diagram:</para>
<graphic fileref="images/VPN.png"/>
@ -60,8 +60,8 @@
modules file, Shorewall (Lite) will attempt to load these modules when
Shorewall (Lite) is started.</para>
<para>If IPSEC is being used, you should configure IPSEC to use
<firstterm>NAT Traversal</firstterm> -- Under NAT traversal the IPSEC
<para>If IPsec is being used, you should configure IPsec to use
<firstterm>NAT Traversal</firstterm> -- Under NAT traversal the IPsec
packets (protocol 50 or 51) are encapsulated in UDP packets (normally with
destination port 4500). Additionally, <firstterm>keep-alive
messages</firstterm> are sent frequently so that NATing gateways between
@ -69,10 +69,10 @@
way that I connect to the HP Intranet and it works flawlessly without
anything in Shorewall other than my ACCEPT loc-&gt;net policy. NAT
traversal is available as a patch for Windows 2K and is a standard feature
of Windows XP -- simply select "L2TP IPSec VPN" from the "Type of VPN"
of Windows XP -- simply select "L2TP IPsec VPN" from the "Type of VPN"
pulldown.</para>
<para>Alternatively, if you have an IPSEC gateway behind your firewall
<para>Alternatively, if you have an IPsec gateway behind your firewall
then you can try the following: only one system may connect to the remote
gateway and there are firewall configuration requirements as
follows:</para>

2
docs/bridge-Shorewall-perl.xml
View File

@ -508,7 +508,7 @@ rc-update add bridge boot
packet arrived on and/or the bridge port that a packet will be sent over.
The latter has proved to be problematic because it requires that the
evaluation of rules be deferred until the destination bridge port is
known. This deferral has the unfortunate side effect that it makes IPSEC
known. This deferral has the unfortunate side effect that it makes IPsec
Netfilter filtration incompatible with bridges. To work around this
problem, in kernel version 2.6.20 the Netfilter developers decided to
remove the deferred processing in two cases:</para>

6
docs/configuration_file_basics.xml
View File

@ -854,6 +854,12 @@ INLINE net $FW ; -m recent --rcheck 10 --hitcount 5 -
semicolons (";;"). If alternate input is present, the adjacent
semicolons should follow that input.</para>
<caution>
<para>INLINE_MATCHES=Yes is deprecated and will no longer be
supported in Shorewall 5.2 and beyond. Use two adjacent semicolons
to introduce inline matches.</para>
</caution>
<para>Example from the masq file that spits outgoing SNAT between
two public IP addresses</para>

6
docs/ports.xml
View File

@ -242,7 +242,7 @@ IMAPS(ACCEPT) &lt;source&gt; &lt;destination&gt; # IMAP over SSL.</programlis
</section>
<section id="IPSEC">
<title>IPSEC</title>
<title>IPsec</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> 50
@ -252,8 +252,8 @@ ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</e
ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis> 51
ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis> udp 500</programlisting>
<para>Lots more information <ulink url="IPSEC.htm">here</ulink> and <ulink
url="VPN.htm">here</ulink>.</para>
<para>Lots more information <ulink url="IPSEC-2.6.html">here</ulink> and
<ulink url="VPN.htm">here</ulink>.</para>
</section>
<section id="LDAP">

2
docs/shorewall_features.xml
View File

@ -176,7 +176,7 @@
<itemizedlist>
<listitem>
<para><ulink url="manpages/shorewall-tunnels.html">IPSEC, GRE,
<para><ulink url="manpages/shorewall-tunnels.html">IPsec, GRE,
IPIP and OpenVPN Tunnels</ulink>.</para>
</listitem>

2
docs/support.xml
View File

@ -277,7 +277,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
</listitem>
<listitem>
<para>If your problem has anything to do with IPSEC, be sure that
<para>If your problem has anything to do with IPsec, be sure that
the ipsec-tools package is installed.</para>
</listitem>