mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-09 01:04:06 +01:00
Remove contrib directory
This commit is contained in:
parent
a9c3e6f80a
commit
140b8ffc3a
@ -1 +0,0 @@
|
||||
Paul Gear <paul@gear.dyndns.org>
|
@ -1 +0,0 @@
|
||||
None known at present.
|
@ -1,340 +0,0 @@
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
Version 2, June 1991
|
||||
|
||||
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
|
||||
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
Preamble
|
||||
|
||||
The licenses for most software are designed to take away your
|
||||
freedom to share and change it. By contrast, the GNU General Public
|
||||
License is intended to guarantee your freedom to share and change free
|
||||
software--to make sure the software is free for all its users. This
|
||||
General Public License applies to most of the Free Software
|
||||
Foundation's software and to any other program whose authors commit to
|
||||
using it. (Some other Free Software Foundation software is covered by
|
||||
the GNU Library General Public License instead.) You can apply it to
|
||||
your programs, too.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
price. Our General Public Licenses are designed to make sure that you
|
||||
have the freedom to distribute copies of free software (and charge for
|
||||
this service if you wish), that you receive source code or can get it
|
||||
if you want it, that you can change the software or use pieces of it
|
||||
in new free programs; and that you know you can do these things.
|
||||
|
||||
To protect your rights, we need to make restrictions that forbid
|
||||
anyone to deny you these rights or to ask you to surrender the rights.
|
||||
These restrictions translate to certain responsibilities for you if you
|
||||
distribute copies of the software, or if you modify it.
|
||||
|
||||
For example, if you distribute copies of such a program, whether
|
||||
gratis or for a fee, you must give the recipients all the rights that
|
||||
you have. You must make sure that they, too, receive or can get the
|
||||
source code. And you must show them these terms so they know their
|
||||
rights.
|
||||
|
||||
We protect your rights with two steps: (1) copyright the software, and
|
||||
(2) offer you this license which gives you legal permission to copy,
|
||||
distribute and/or modify the software.
|
||||
|
||||
Also, for each author's protection and ours, we want to make certain
|
||||
that everyone understands that there is no warranty for this free
|
||||
software. If the software is modified by someone else and passed on, we
|
||||
want its recipients to know that what they have is not the original, so
|
||||
that any problems introduced by others will not reflect on the original
|
||||
authors' reputations.
|
||||
|
||||
Finally, any free program is threatened constantly by software
|
||||
patents. We wish to avoid the danger that redistributors of a free
|
||||
program will individually obtain patent licenses, in effect making the
|
||||
program proprietary. To prevent this, we have made it clear that any
|
||||
patent must be licensed for everyone's free use or not licensed at all.
|
||||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||
|
||||
0. This License applies to any program or other work which contains
|
||||
a notice placed by the copyright holder saying it may be distributed
|
||||
under the terms of this General Public License. The "Program", below,
|
||||
refers to any such program or work, and a "work based on the Program"
|
||||
means either the Program or any derivative work under copyright law:
|
||||
that is to say, a work containing the Program or a portion of it,
|
||||
either verbatim or with modifications and/or translated into another
|
||||
language. (Hereinafter, translation is included without limitation in
|
||||
the term "modification".) Each licensee is addressed as "you".
|
||||
|
||||
Activities other than copying, distribution and modification are not
|
||||
covered by this License; they are outside its scope. The act of
|
||||
running the Program is not restricted, and the output from the Program
|
||||
is covered only if its contents constitute a work based on the
|
||||
Program (independent of having been made by running the Program).
|
||||
Whether that is true depends on what the Program does.
|
||||
|
||||
1. You may copy and distribute verbatim copies of the Program's
|
||||
source code as you receive it, in any medium, provided that you
|
||||
conspicuously and appropriately publish on each copy an appropriate
|
||||
copyright notice and disclaimer of warranty; keep intact all the
|
||||
notices that refer to this License and to the absence of any warranty;
|
||||
and give any other recipients of the Program a copy of this License
|
||||
along with the Program.
|
||||
|
||||
You may charge a fee for the physical act of transferring a copy, and
|
||||
you may at your option offer warranty protection in exchange for a fee.
|
||||
|
||||
2. You may modify your copy or copies of the Program or any portion
|
||||
of it, thus forming a work based on the Program, and copy and
|
||||
distribute such modifications or work under the terms of Section 1
|
||||
above, provided that you also meet all of these conditions:
|
||||
|
||||
a) You must cause the modified files to carry prominent notices
|
||||
stating that you changed the files and the date of any change.
|
||||
|
||||
b) You must cause any work that you distribute or publish, that in
|
||||
whole or in part contains or is derived from the Program or any
|
||||
part thereof, to be licensed as a whole at no charge to all third
|
||||
parties under the terms of this License.
|
||||
|
||||
c) If the modified program normally reads commands interactively
|
||||
when run, you must cause it, when started running for such
|
||||
interactive use in the most ordinary way, to print or display an
|
||||
announcement including an appropriate copyright notice and a
|
||||
notice that there is no warranty (or else, saying that you provide
|
||||
a warranty) and that users may redistribute the program under
|
||||
these conditions, and telling the user how to view a copy of this
|
||||
License. (Exception: if the Program itself is interactive but
|
||||
does not normally print such an announcement, your work based on
|
||||
the Program is not required to print an announcement.)
|
||||
|
||||
These requirements apply to the modified work as a whole. If
|
||||
identifiable sections of that work are not derived from the Program,
|
||||
and can be reasonably considered independent and separate works in
|
||||
themselves, then this License, and its terms, do not apply to those
|
||||
sections when you distribute them as separate works. But when you
|
||||
distribute the same sections as part of a whole which is a work based
|
||||
on the Program, the distribution of the whole must be on the terms of
|
||||
this License, whose permissions for other licensees extend to the
|
||||
entire whole, and thus to each and every part regardless of who wrote it.
|
||||
|
||||
Thus, it is not the intent of this section to claim rights or contest
|
||||
your rights to work written entirely by you; rather, the intent is to
|
||||
exercise the right to control the distribution of derivative or
|
||||
collective works based on the Program.
|
||||
|
||||
In addition, mere aggregation of another work not based on the Program
|
||||
with the Program (or with a work based on the Program) on a volume of
|
||||
a storage or distribution medium does not bring the other work under
|
||||
the scope of this License.
|
||||
|
||||
3. You may copy and distribute the Program (or a work based on it,
|
||||
under Section 2) in object code or executable form under the terms of
|
||||
Sections 1 and 2 above provided that you also do one of the following:
|
||||
|
||||
a) Accompany it with the complete corresponding machine-readable
|
||||
source code, which must be distributed under the terms of Sections
|
||||
1 and 2 above on a medium customarily used for software interchange; or,
|
||||
|
||||
b) Accompany it with a written offer, valid for at least three
|
||||
years, to give any third party, for a charge no more than your
|
||||
cost of physically performing source distribution, a complete
|
||||
machine-readable copy of the corresponding source code, to be
|
||||
distributed under the terms of Sections 1 and 2 above on a medium
|
||||
customarily used for software interchange; or,
|
||||
|
||||
c) Accompany it with the information you received as to the offer
|
||||
to distribute corresponding source code. (This alternative is
|
||||
allowed only for noncommercial distribution and only if you
|
||||
received the program in object code or executable form with such
|
||||
an offer, in accord with Subsection b above.)
|
||||
|
||||
The source code for a work means the preferred form of the work for
|
||||
making modifications to it. For an executable work, complete source
|
||||
code means all the source code for all modules it contains, plus any
|
||||
associated interface definition files, plus the scripts used to
|
||||
control compilation and installation of the executable. However, as a
|
||||
special exception, the source code distributed need not include
|
||||
anything that is normally distributed (in either source or binary
|
||||
form) with the major components (compiler, kernel, and so on) of the
|
||||
operating system on which the executable runs, unless that component
|
||||
itself accompanies the executable.
|
||||
|
||||
If distribution of executable or object code is made by offering
|
||||
access to copy from a designated place, then offering equivalent
|
||||
access to copy the source code from the same place counts as
|
||||
distribution of the source code, even though third parties are not
|
||||
compelled to copy the source along with the object code.
|
||||
|
||||
4. You may not copy, modify, sublicense, or distribute the Program
|
||||
except as expressly provided under this License. Any attempt
|
||||
otherwise to copy, modify, sublicense or distribute the Program is
|
||||
void, and will automatically terminate your rights under this License.
|
||||
However, parties who have received copies, or rights, from you under
|
||||
this License will not have their licenses terminated so long as such
|
||||
parties remain in full compliance.
|
||||
|
||||
5. You are not required to accept this License, since you have not
|
||||
signed it. However, nothing else grants you permission to modify or
|
||||
distribute the Program or its derivative works. These actions are
|
||||
prohibited by law if you do not accept this License. Therefore, by
|
||||
modifying or distributing the Program (or any work based on the
|
||||
Program), you indicate your acceptance of this License to do so, and
|
||||
all its terms and conditions for copying, distributing or modifying
|
||||
the Program or works based on it.
|
||||
|
||||
6. Each time you redistribute the Program (or any work based on the
|
||||
Program), the recipient automatically receives a license from the
|
||||
original licensor to copy, distribute or modify the Program subject to
|
||||
these terms and conditions. You may not impose any further
|
||||
restrictions on the recipients' exercise of the rights granted herein.
|
||||
You are not responsible for enforcing compliance by third parties to
|
||||
this License.
|
||||
|
||||
7. If, as a consequence of a court judgment or allegation of patent
|
||||
infringement or for any other reason (not limited to patent issues),
|
||||
conditions are imposed on you (whether by court order, agreement or
|
||||
otherwise) that contradict the conditions of this License, they do not
|
||||
excuse you from the conditions of this License. If you cannot
|
||||
distribute so as to satisfy simultaneously your obligations under this
|
||||
License and any other pertinent obligations, then as a consequence you
|
||||
may not distribute the Program at all. For example, if a patent
|
||||
license would not permit royalty-free redistribution of the Program by
|
||||
all those who receive copies directly or indirectly through you, then
|
||||
the only way you could satisfy both it and this License would be to
|
||||
refrain entirely from distribution of the Program.
|
||||
|
||||
If any portion of this section is held invalid or unenforceable under
|
||||
any particular circumstance, the balance of the section is intended to
|
||||
apply and the section as a whole is intended to apply in other
|
||||
circumstances.
|
||||
|
||||
It is not the purpose of this section to induce you to infringe any
|
||||
patents or other property right claims or to contest validity of any
|
||||
such claims; this section has the sole purpose of protecting the
|
||||
integrity of the free software distribution system, which is
|
||||
implemented by public license practices. Many people have made
|
||||
generous contributions to the wide range of software distributed
|
||||
through that system in reliance on consistent application of that
|
||||
system; it is up to the author/donor to decide if he or she is willing
|
||||
to distribute software through any other system and a licensee cannot
|
||||
impose that choice.
|
||||
|
||||
This section is intended to make thoroughly clear what is believed to
|
||||
be a consequence of the rest of this License.
|
||||
|
||||
8. If the distribution and/or use of the Program is restricted in
|
||||
certain countries either by patents or by copyrighted interfaces, the
|
||||
original copyright holder who places the Program under this License
|
||||
may add an explicit geographical distribution limitation excluding
|
||||
those countries, so that distribution is permitted only in or among
|
||||
countries not thus excluded. In such case, this License incorporates
|
||||
the limitation as if written in the body of this License.
|
||||
|
||||
9. The Free Software Foundation may publish revised and/or new versions
|
||||
of the General Public License from time to time. Such new versions will
|
||||
be similar in spirit to the present version, but may differ in detail to
|
||||
address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the Program
|
||||
specifies a version number of this License which applies to it and "any
|
||||
later version", you have the option of following the terms and conditions
|
||||
either of that version or of any later version published by the Free
|
||||
Software Foundation. If the Program does not specify a version number of
|
||||
this License, you may choose any version ever published by the Free Software
|
||||
Foundation.
|
||||
|
||||
10. If you wish to incorporate parts of the Program into other free
|
||||
programs whose distribution conditions are different, write to the author
|
||||
to ask for permission. For software which is copyrighted by the Free
|
||||
Software Foundation, write to the Free Software Foundation; we sometimes
|
||||
make exceptions for this. Our decision will be guided by the two goals
|
||||
of preserving the free status of all derivatives of our free software and
|
||||
of promoting the sharing and reuse of software generally.
|
||||
|
||||
NO WARRANTY
|
||||
|
||||
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||
REPAIR OR CORRECTION.
|
||||
|
||||
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGES.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
possible use to the public, the best way to achieve this is to make it
|
||||
free software which everyone can redistribute and change under these terms.
|
||||
|
||||
To do so, attach the following notices to the program. It is safest
|
||||
to attach them to the start of each source file to most effectively
|
||||
convey the exclusion of warranty; and each file should have at least
|
||||
the "copyright" line and a pointer to where the full notice is found.
|
||||
|
||||
<one line to give the program's name and a brief idea of what it does.>
|
||||
Copyright (C) <year> <name of author>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
|
||||
|
||||
Also add information on how to contact you by electronic and paper mail.
|
||||
|
||||
If the program is interactive, make it output a short notice like this
|
||||
when it starts in an interactive mode:
|
||||
|
||||
Gnomovision version 69, Copyright (C) year name of author
|
||||
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||
This is free software, and you are welcome to redistribute it
|
||||
under certain conditions; type `show c' for details.
|
||||
|
||||
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||
parts of the General Public License. Of course, the commands you use may
|
||||
be called something other than `show w' and `show c'; they could even be
|
||||
mouse-clicks or menu items--whatever suits your program.
|
||||
|
||||
You should also get your employer (if you work as a programmer) or your
|
||||
school, if any, to sign a "copyright disclaimer" for the program, if
|
||||
necessary. Here is a sample; alter the names:
|
||||
|
||||
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
|
||||
`Gnomovision' (which makes passes at compilers) written by James Hacker.
|
||||
|
||||
<signature of Ty Coon>, 1 April 1989
|
||||
Ty Coon, President of Vice
|
||||
|
||||
This General Public License does not permit incorporating your program into
|
||||
proprietary programs. If your program is a subroutine library, you may
|
||||
consider it more useful to permit linking proprietary applications with the
|
||||
library. If this is what you want to do, use the GNU Library General
|
||||
Public License instead of this License.
|
@ -1,14 +0,0 @@
|
||||
0.1.1 Paul Gear <paul@gear.dyndns.org> No idea when
|
||||
- Initial release.
|
||||
|
||||
0.1.2 Paul Gear <paul@gear.dyndns.org> No idea when
|
||||
- Removed filtering of zones that are on the same interface.
|
||||
This caused problems when a zone was accessible via more than
|
||||
one interface.
|
||||
|
||||
0.1.3 Paul Gear <paul@gear.dyndns.org> No idea when
|
||||
- Optimisation to detect whether system is a router and remove
|
||||
redundant zones from rules and policies if so.
|
||||
|
||||
3.2.0-beta1 Paul Gear <paul@gear.dyndns.org>
|
||||
- First attempt at compatibility with Shorewall 3.2.x.
|
@ -1,124 +0,0 @@
|
||||
Shoreline Firewall configuration generator
|
||||
(c) Copyright 2004-2006 Paul D. Gear <paul@gear.dyndns.org>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
|
||||
|
||||
SHOREWALL
|
||||
|
||||
The quick plug:
|
||||
|
||||
- Shorewall is the only firewall i trust.
|
||||
|
||||
The IT Manager plug:
|
||||
|
||||
- Shorewall is a policy-driven firewall which lets you think about your
|
||||
firewall at a higher level than iptables commands.
|
||||
|
||||
The hard sell to you crazy people still maintaining manual firewall scripts:
|
||||
|
||||
- Shorewall is a wrapper around the kernel iptables, so your existing
|
||||
Linux firewall skills transfer. I converted from a 900-plus-line
|
||||
ipchains shell script to around 50 lines of shorewall configuration in
|
||||
less than 4 hours, with no prior experience.
|
||||
|
||||
|
||||
ISSUES
|
||||
|
||||
- I'm paranoid - i want more than one firewall between me and the world.
|
||||
|
||||
- Configuring multiple firewalls separately is a recipe for getting your
|
||||
rules out of sync, and allowing security problems to creep in.
|
||||
|
||||
- IT Manager types (like me) like to know their policy is consistently
|
||||
implemented.
|
||||
|
||||
|
||||
SOLUTION
|
||||
|
||||
Shoregen is a script that generates shorewall configurations for multiple
|
||||
firewalls from a common set of rules and policies. Only the minimal
|
||||
information necessary for operation is stored on each firewall, so, for
|
||||
example, your DMZ server doesn't need to know about the rules on your
|
||||
internal network, but at the same time, it gets consistent rules to your
|
||||
outer guard.
|
||||
|
||||
|
||||
PHILOSOPHY
|
||||
|
||||
Shoregen assumes the X-Files approach to firewall design: trust no one.
|
||||
That is, paranoia is a virtue. All access should be as limited as possible
|
||||
for things to work. If you don't already agree with this philosophy, you
|
||||
may find some of the things shoregen does frustrating, but then again,
|
||||
you're probably not reading this document. :-)
|
||||
|
||||
|
||||
DESIGN
|
||||
|
||||
Shoregen distinguishes between two different types of shorewall
|
||||
configuration files. Most shorewall configuration files are simply
|
||||
concatenated together from parts constructed from common and host-specific
|
||||
parts. These are called simple configs; shoregen doesn't substantially
|
||||
alter them, and uses little information from them.
|
||||
|
||||
Configs with which shoregen is more concerned are treated separately, and
|
||||
additional features beyond the scope of shorewall itself are implemented.
|
||||
Most importantly, two new policy/rule keywords are introduced: WARN and
|
||||
BAN. These keywords are not included in shoregen's output, but when a
|
||||
subsequent rule or policy is encountered which matches a rule or policy
|
||||
marked WARN or BAN, an error message is issued. In the case of BAN, the
|
||||
offending line is also dropped from the output, and a non-zero return code
|
||||
issued.
|
||||
|
||||
|
||||
PREREQUISITES
|
||||
|
||||
The tools you will need to use shoregen are:
|
||||
perl The main shoregen script is written in Perl
|
||||
rsync Used to keep /etc/shorewall directories on your firewalls
|
||||
in sync with the central repository
|
||||
ssh Encrypted transport for rsync
|
||||
make Optional, but saves a few keystrokes.
|
||||
|
||||
|
||||
USAGE
|
||||
|
||||
Put shoregen and install_shoregen in a directory on your PATH.
|
||||
|
||||
Make a central directory for your configs. I recommend somewhere in a
|
||||
trusted user's home directory or central system admin repository. This
|
||||
directory should be on a trusted machine in the most secure part of your
|
||||
network. Put all of your policies, rules, and zones together in the
|
||||
correct order in files in the top level of this directory.
|
||||
|
||||
For each of the simple configs you want to generate centrally, create a
|
||||
directory, with a file called COMMON (if necessary) containing the content
|
||||
you want to see in that file on all hosts, and a file named for each host
|
||||
for host-specific content. I recommend that the default shorewall
|
||||
configuration file be placed in the COMMON file of the corresponding
|
||||
directory, with directives that are not appropriate commented out.
|
||||
|
||||
When shoregen is run, it places the generated files in the directory
|
||||
SPOOL/<host>, where <host> is the hostname of the target firewall. The
|
||||
files in this directory are synchronised and the firewall checked and/or
|
||||
restarted by a simple wrapper script called install_shoregen.
|
||||
|
||||
See the samples directory for a starting point configuration. It provides
|
||||
some suggested policies & rules for the network shown in example1.png. The
|
||||
sample configuration has not been tested in any way.
|
||||
|
||||
I hope you find shoregen useful. I welcome your comments, contributions,
|
||||
criticisms, and questions.
|
||||
|
@ -1,21 +0,0 @@
|
||||
|
||||
- Make it possible for a host to have the same $FW name as the zone in
|
||||
which it belongs, and have shoregen automatically create appropriate
|
||||
rules.
|
||||
|
||||
- At the moment, if a fully-expanded policy file (such as is shown
|
||||
|
||||
- Better rule & policy sanitisation.
|
||||
|
||||
- Hosts and interfaces could be reduced based on what's used in the policy
|
||||
and rules files.
|
||||
|
||||
- The Makefile could be improved to detect changes in the lower level
|
||||
config files and call shoregen automatically when they are out-of-date.
|
||||
At the moment, shoregen is so simple (and thus fast) that the amount of
|
||||
time that would be saved by a clever Makefile (in comparison to the
|
||||
rsync, ssh, and shorewall steps) is probably not worth the trouble to
|
||||
code.
|
||||
|
||||
- Automatic generation of firewall hosts & interfaces files.
|
||||
|
@ -1,116 +0,0 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# $Id: install_shoregen,v 1.5 2004/04/22 11:12:51 paulgear Exp $
|
||||
#
|
||||
# Wrapper script to install shoregen-generated shorewall configuration files.
|
||||
#
|
||||
|
||||
#
|
||||
# (c) Copyright 2004 Paul D. Gear <paul@gear.dyndns.org>
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by the
|
||||
# Free Software Foundation; either version 2 of the License, or (at your
|
||||
# option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful, but
|
||||
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
|
||||
# Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License along
|
||||
# with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA, or go to
|
||||
# <http://www.gnu.org/licenses/old-licenses/gpl-2.0.txtl> on the World Wide Web.
|
||||
|
||||
VERBOSE=0
|
||||
RESTART=0
|
||||
CHECK=1
|
||||
TIME=0
|
||||
|
||||
usage()
|
||||
{
|
||||
echo "Usage: $0 [--verbose] [--restart] host ...
|
||||
Generates and installs shorewall configuration on the given hosts" >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
error()
|
||||
{
|
||||
echo "$0: ERROR -" "$@" >&2
|
||||
}
|
||||
|
||||
while :; do
|
||||
case "$1" in
|
||||
|
||||
-v|--verbose)
|
||||
VERBOSE=1
|
||||
shift
|
||||
;;
|
||||
|
||||
-r|--restart)
|
||||
RESTART=1
|
||||
shift
|
||||
;;
|
||||
|
||||
-c|--nocheck)
|
||||
CHECK=0
|
||||
shift
|
||||
;;
|
||||
|
||||
-t|--notime)
|
||||
TIME=0
|
||||
shift
|
||||
;;
|
||||
|
||||
--)
|
||||
shift
|
||||
break 2
|
||||
;;
|
||||
|
||||
--*)
|
||||
error "Unrecognised option $1"
|
||||
usage
|
||||
;;
|
||||
|
||||
*)
|
||||
break 2
|
||||
;;
|
||||
|
||||
esac
|
||||
done
|
||||
|
||||
set -e
|
||||
set -u
|
||||
|
||||
if [ "$#" -lt 1 ]; then
|
||||
usage
|
||||
fi
|
||||
|
||||
USER=root
|
||||
RSYNC_ARGS="--recursive --backup --times --cvs-exclude --rsh=ssh"
|
||||
#--progress
|
||||
if [ "$VERBOSE" -gt 0 ]; then
|
||||
RSYNC_ARGS="$RSYNC_ARGS --verbose"
|
||||
fi
|
||||
DIR=/etc/shorewall
|
||||
SW_PATH=/sbin/shorewall
|
||||
|
||||
PATH=$PATH:
|
||||
|
||||
if [ "$TIME" -gt 0 ]; then
|
||||
TIME="time"
|
||||
else
|
||||
TIME=""
|
||||
fi
|
||||
|
||||
for HOST; do
|
||||
shoregen $HOST
|
||||
rsync $RSYNC_ARGS SPOOL/$HOST/ $USER@$HOST:$DIR/
|
||||
if [ "$CHECK" -gt 0 ]; then
|
||||
$TIME ssh -l $USER -t $HOST $SW_PATH check
|
||||
fi
|
||||
if [ "$RESTART" -gt 0 ]; then
|
||||
$TIME ssh -l $USER -t $HOST $SW_PATH restart
|
||||
fi
|
||||
done
|
@ -1,10 +0,0 @@
|
||||
FLAGS=-c -r
|
||||
HOSTS=ig proxy mail og
|
||||
|
||||
default: $(HOSTS)
|
||||
|
||||
$(HOSTS):
|
||||
shoregen $@
|
||||
|
||||
install: $(HOSTS)
|
||||
install_shoregen -c -r $(HOSTS)
|
Binary file not shown.
Binary file not shown.
Before Width: | Height: | Size: 30 KiB |
@ -1,13 +0,0 @@
|
||||
# ZONE HOST(S) OPTIONS
|
||||
|
||||
# I used the vi command
|
||||
# !Gsort -k2 -k1
|
||||
# to sort this file, starting at the next line.
|
||||
mail eth0:$MAIL
|
||||
og eth0:$OG
|
||||
proxy eth0:$PROXY
|
||||
net eth0:0.0.0.0/0
|
||||
lan eth1:$LAN
|
||||
other eth1:0.0.0.0/0
|
||||
guest eth2:$GUEST
|
||||
other eth2:0.0.0.0/0
|
@ -1,7 +0,0 @@
|
||||
# ZONE HOST(S) OPTIONS
|
||||
guest eth0:$GUEST
|
||||
ig eth0:$IG
|
||||
lan eth0:$LAN
|
||||
og eth0:$OG
|
||||
proxy eth0:$PROXY
|
||||
net eth0:0.0.0.0/0
|
@ -1,7 +0,0 @@
|
||||
# ZONE HOST(S) OPTIONS
|
||||
guest eth0:$GUEST
|
||||
ig eth0:$IG
|
||||
lan eth0:$LAN
|
||||
mail eth0:$MAIL
|
||||
proxy eth0:$PROXY
|
||||
other eth0:0.0.0.0/0
|
@ -1,7 +0,0 @@
|
||||
# ZONE HOST(S) OPTIONS
|
||||
guest eth0:$GUEST
|
||||
ig eth0:$IG
|
||||
lan eth0:$LAN
|
||||
mail eth0:$MAIL
|
||||
og eth0:$OG
|
||||
net eth0:0.0.0.0/0
|
@ -1,5 +0,0 @@
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
- eth0 detect -
|
||||
- eth1 detect dhcp
|
||||
- eth2 detect dhcp
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
@ -1,3 +0,0 @@
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
- eth0 detect -
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
@ -1,5 +0,0 @@
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
- eth0 detect -
|
||||
net eth1 detect norfc1918,blacklist,dhcp
|
||||
net ppp+ detect norfc1918,blacklist
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
@ -1,3 +0,0 @@
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
- eth0 detect -
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
@ -1,9 +0,0 @@
|
||||
# These are parameterised firstly so they only live in one place, and
|
||||
# secondly because they can appear on different interfaces, but with a
|
||||
# constant address.
|
||||
OG=10.1.1.1
|
||||
MAIL=10.1.1.2
|
||||
PROXY=10.1.1.3
|
||||
IG=10.1.1.4
|
||||
LAN=10.1.2.0/24
|
||||
GUEST=10.1.3.0/24
|
@ -1,112 +0,0 @@
|
||||
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST EXT
|
||||
|
||||
#
|
||||
# Meta-policies - no ACCEPT/DNAT rules contravening these may be defined in
|
||||
# the policy or rules file. These are not part of shorewall and do not
|
||||
# actually block any traffic. They are about stopping the firewall
|
||||
# administrator from activating silly rules. Note that these rules should
|
||||
# always be accompanied by a corresponding REJECT/BAN policy as they don't
|
||||
# actually set the shorewall policy (see below for these).
|
||||
#
|
||||
# These policies are samples only and are not suggested for your
|
||||
# environment. You must decide on the policies that are right for you.
|
||||
#
|
||||
|
||||
guest lan BAN
|
||||
proxy lan BAN
|
||||
mail lan BAN
|
||||
og lan BAN
|
||||
net lan BAN
|
||||
|
||||
proxy guest BAN
|
||||
mail guest BAN
|
||||
og guest BAN
|
||||
net guest BAN
|
||||
|
||||
proxy ig BAN
|
||||
mail ig BAN
|
||||
og ig BAN
|
||||
net ig BAN
|
||||
|
||||
net proxy BAN
|
||||
|
||||
proxy og BAN
|
||||
mail og BAN
|
||||
net og BAN
|
||||
|
||||
ig net BAN
|
||||
|
||||
|
||||
#
|
||||
# Now the normal policies. We define each set of zone pairs individually
|
||||
# so that Shorewall produces more meaningful error messages.
|
||||
#
|
||||
|
||||
lan guest ACCEPT info
|
||||
lan ig REJECT info
|
||||
lan proxy REJECT info
|
||||
lan mail REJECT info
|
||||
lan og REJECT info
|
||||
lan net REJECT info
|
||||
lan other REJECT info
|
||||
lan all REJECT info
|
||||
|
||||
guest lan REJECT info
|
||||
guest ig REJECT info
|
||||
guest proxy REJECT info
|
||||
guest mail REJECT info
|
||||
guest og REJECT info
|
||||
guest net ACCEPT info
|
||||
guest other REJECT info
|
||||
guest all REJECT info
|
||||
|
||||
ig lan REJECT info
|
||||
ig guest REJECT info
|
||||
ig proxy REJECT info
|
||||
ig mail REJECT info
|
||||
ig og REJECT info
|
||||
ig net REJECT info
|
||||
ig other REJECT info
|
||||
ig all REJECT info
|
||||
|
||||
proxy lan REJECT info
|
||||
proxy guest REJECT info
|
||||
proxy ig REJECT info
|
||||
proxy mail REJECT info
|
||||
proxy og REJECT info
|
||||
proxy net ACCEPT
|
||||
proxy other REJECT info
|
||||
proxy all REJECT info
|
||||
|
||||
mail lan REJECT info
|
||||
mail guest REJECT info
|
||||
mail ig REJECT info
|
||||
mail proxy REJECT info
|
||||
mail og REJECT info
|
||||
mail net REJECT info
|
||||
mail other REJECT info
|
||||
mail all REJECT info
|
||||
|
||||
og lan REJECT info
|
||||
og guest REJECT info
|
||||
og ig REJECT info
|
||||
og proxy REJECT info
|
||||
og mail REJECT info
|
||||
og net REJECT info
|
||||
og other REJECT info
|
||||
og all REJECT info
|
||||
|
||||
net lan DROP info
|
||||
net guest DROP info
|
||||
net ig DROP info
|
||||
net proxy DROP info
|
||||
net mail DROP info
|
||||
net og DROP info
|
||||
net other DROP info
|
||||
net all DROP info
|
||||
|
||||
# Catch-all policies
|
||||
other all DROP info
|
||||
all all DROP info
|
||||
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
@ -1,187 +0,0 @@
|
||||
#
|
||||
# $Id: rules,v 1.4 2004/04/24 12:26:25 paulgear Exp $
|
||||
#
|
||||
# Master Rules File
|
||||
#
|
||||
# This file is organised into 4 main sections:
|
||||
# 1. Rules that need to transcend the more general WARN/BAN rules. The
|
||||
# reason for this is typically system administration and
|
||||
# troubleshooting. This section should be kept as small as possible.
|
||||
# 2. WARN/BAN rules to put restrictions on which rules contravening
|
||||
# policies may be created. This section should be as large as
|
||||
# possible, if you take a traditional (i.e. paranoid) approach to
|
||||
# firewall design.
|
||||
# 3. Noise-reducing rules for illegitimate traffic. This is typically
|
||||
# small, but may grow as time goes on.
|
||||
# 4. Normal rules which define the holes in your firewall. Again, this
|
||||
# should include only the rules you need and no more. However, even
|
||||
# on a simple home network like mine, this section tends to get
|
||||
# large!
|
||||
#
|
||||
|
||||
#
|
||||
# Order by port, protocol, dest zone (in->out order), src zone (in->out
|
||||
# order).
|
||||
#
|
||||
|
||||
#ACTION CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
|
||||
|
||||
#
|
||||
# Section 1: Rules that need to transcend WARN/BAN rules in section 2.
|
||||
#
|
||||
# Nearly all of these rules should be limited to system administration
|
||||
# terminals. These would be better put in a separate zone.
|
||||
#
|
||||
|
||||
# ping (more below)
|
||||
ACCEPT lan og icmp 8
|
||||
|
||||
# ssh (more below)
|
||||
ACCEPT lan og tcp 22
|
||||
ACCEPT ig og tcp 22
|
||||
|
||||
# SNMP (more below) - for MRTG stats run from LAN
|
||||
ACCEPT lan og udp 161
|
||||
|
||||
# syslog (more below)
|
||||
ACCEPT ig lan udp 514
|
||||
|
||||
# Squid - this wouldn't be necessary except that a lot of OS updates are
|
||||
# rather large...
|
||||
ACCEPT mail proxy tcp 3128
|
||||
|
||||
#
|
||||
# Section 2: WARN/BAN rule directives
|
||||
#
|
||||
|
||||
BAN ig lan
|
||||
BAN mail proxy
|
||||
BAN lan og
|
||||
BAN ig og
|
||||
|
||||
#
|
||||
# Section 3: Drop noisy junk
|
||||
#
|
||||
|
||||
# auth - reverse of the SMTP rules below
|
||||
REJECT mail lan tcp 113
|
||||
REJECT mail guest tcp 113
|
||||
REJECT mail ig tcp 113
|
||||
REJECT mail proxy tcp 113
|
||||
REJECT mail og tcp 113
|
||||
REJECT net og tcp 113
|
||||
REJECT mail net tcp 113
|
||||
|
||||
# KaZaA file sharing
|
||||
DROP net og tcp 1214
|
||||
|
||||
# Gnutella server
|
||||
REJECT net og tcp 6346,6347
|
||||
|
||||
# Half-Life
|
||||
REJECT net og udp 27015,27016
|
||||
|
||||
|
||||
#
|
||||
# Section 4: Normal traffic
|
||||
#
|
||||
|
||||
# ping (more above)
|
||||
ACCEPT lan ig icmp 8
|
||||
ACCEPT lan proxy icmp 8
|
||||
ACCEPT lan mail icmp 8
|
||||
ACCEPT ig proxy icmp 8
|
||||
ACCEPT ig mail icmp 8
|
||||
ACCEPT og proxy icmp 8
|
||||
ACCEPT og mail icmp 8
|
||||
ACCEPT og net icmp 8
|
||||
|
||||
# FTP
|
||||
ACCEPT proxy net tcp 21
|
||||
|
||||
# ssh (more above)
|
||||
ACCEPT lan ig tcp 22
|
||||
ACCEPT lan proxy tcp 22
|
||||
ACCEPT lan mail tcp 22
|
||||
ACCEPT lan net tcp 22
|
||||
ACCEPT ig proxy tcp 22
|
||||
ACCEPT ig mail tcp 22
|
||||
ACCEPT proxy mail tcp 22
|
||||
ACCEPT proxy net tcp 22
|
||||
|
||||
# SMTP
|
||||
ACCEPT lan mail tcp 25
|
||||
ACCEPT guest mail tcp 25
|
||||
ACCEPT ig mail tcp 25
|
||||
ACCEPT proxy mail tcp 25
|
||||
ACCEPT og mail tcp 25
|
||||
DNAT net mail:$MAIL tcp 25
|
||||
ACCEPT mail net tcp 25
|
||||
|
||||
# DNS - assumes split DNS, with internal DNS run in LAN, external DNS on
|
||||
# proxy, and mail independent of the rest (proxy & mail should run their
|
||||
# own caches).
|
||||
ACCEPT lan proxy tcp 53
|
||||
ACCEPT lan proxy udp 53
|
||||
ACCEPT guest proxy tcp 53
|
||||
ACCEPT guest proxy udp 53
|
||||
ACCEPT ig proxy tcp 53
|
||||
ACCEPT ig proxy udp 53
|
||||
ACCEPT og proxy tcp 53
|
||||
ACCEPT og proxy udp 53
|
||||
ACCEPT proxy net tcp 53
|
||||
ACCEPT proxy net udp 53
|
||||
ACCEPT mail net tcp 53
|
||||
ACCEPT mail net udp 53
|
||||
|
||||
# HTTP
|
||||
ACCEPT proxy net tcp 80
|
||||
|
||||
# POP3 - must be proxied through mail
|
||||
ACCEPT mail net tcp 110
|
||||
ACCEPT lan mail tcp 110
|
||||
|
||||
# NNTP - application layer proxy (e.g. leafnode) on proxy
|
||||
ACCEPT lan proxy tcp 119
|
||||
ACCEPT proxy net tcp 119
|
||||
|
||||
# NTP - we really need more than 2 servers, but this is only an example. :-)
|
||||
ACCEPT lan proxy udp 123
|
||||
ACCEPT lan mail udp 123
|
||||
ACCEPT ig proxy udp 123
|
||||
ACCEPT ig mail udp 123
|
||||
ACCEPT proxy net udp 123
|
||||
ACCEPT mail net udp 123
|
||||
ACCEPT og proxy udp 123
|
||||
ACCEPT og mail udp 123
|
||||
|
||||
# IMAP
|
||||
ACCEPT lan mail tcp 143
|
||||
ACCEPT guest mail tcp 143
|
||||
|
||||
# SNMP (more above) - for MRTG stats
|
||||
ACCEPT lan ig udp 161
|
||||
ACCEPT lan proxy udp 161
|
||||
ACCEPT lan mail udp 161
|
||||
|
||||
# HTTPS
|
||||
ACCEPT proxy net tcp 443
|
||||
|
||||
# syslog (more above) - DMZ & OG hosts log to mail, IG & LAN hosts log to LAN
|
||||
ACCEPT og mail udp 514
|
||||
ACCEPT proxy mail udp 514
|
||||
|
||||
# Squid
|
||||
ACCEPT lan proxy tcp 3128
|
||||
ACCEPT guest proxy tcp 3128
|
||||
ACCEPT ig proxy tcp 3128
|
||||
ACCEPT og proxy tcp 3128
|
||||
|
||||
# Webmin
|
||||
ACCEPT lan proxy tcp 10000
|
||||
ACCEPT guest proxy tcp 10000
|
||||
ACCEPT ig proxy tcp 10000
|
||||
ACCEPT og proxy tcp 10000
|
||||
|
||||
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
@ -1,569 +0,0 @@
|
||||
##############################################################################
|
||||
# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
|
||||
# match your setup
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# This file should be placed in /etc/shorewall
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
##############################################################################
|
||||
# L O G G I N G
|
||||
##############################################################################
|
||||
#
|
||||
# General note about log levels. Log levels are a method of describing
|
||||
# to syslog (8) the importance of a message and a number of parameters
|
||||
# in this file have log levels as their value.
|
||||
#
|
||||
# Valid levels are:
|
||||
#
|
||||
# 7 debug
|
||||
# 6 info
|
||||
# 5 notice
|
||||
# 4 warning
|
||||
# 3 err
|
||||
# 2 crit
|
||||
# 1 alert
|
||||
# 0 emerg
|
||||
#
|
||||
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
|
||||
# log messages are generated by NetFilter and are logged using facility
|
||||
# 'kern' and the level that you specifify. If you are unsure of the level
|
||||
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
|
||||
# number.
|
||||
#
|
||||
# If you have build your kernel with ULOG target support, you may also
|
||||
# specify a log level of ULOG (must be all caps). Rather than log its
|
||||
# messages to syslogd, Shorewall will direct netfilter to log the messages
|
||||
# via the ULOG target which will send them to a process called 'ulogd'.
|
||||
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
|
||||
# configured to log all Shorewall message to their own log file
|
||||
################################################################################
|
||||
#
|
||||
# LOG FILE LOCATION
|
||||
#
|
||||
# This variable tells the /sbin/shorewall program where to look for Shorewall
|
||||
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
|
||||
# /var/log/messages is assumed.
|
||||
#
|
||||
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
|
||||
# look for Shorewall messages.It does NOT control the destination for
|
||||
# these messages. For information about how to do that, see
|
||||
#
|
||||
# http://www.shorewall.net/shorewall_logging.html
|
||||
|
||||
LOGFILE=/var/log/messages
|
||||
|
||||
#
|
||||
# LOG FORMAT
|
||||
#
|
||||
# Shell 'printf' Formatting template for the --log-prefix value in log messages
|
||||
# generated by Shorewall to identify Shorewall log messages. The supplied
|
||||
# template is expected to accept either two or three arguments; the first is
|
||||
# the chain name, the second (optional) is the logging rule number within that
|
||||
# chain and the third is the ACTION specifying the disposition of the packet
|
||||
# being logged. You must use the %d formatting type for the rule number; if your
|
||||
# template does not contain %d then the rule number will not be included.
|
||||
#
|
||||
# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
|
||||
#
|
||||
# LOGFORMAT="fp=%s:%d a=%s "
|
||||
#
|
||||
# If not specified or specified as empty (LOGFORMAT="") then the value
|
||||
# "Shorewall:%s:%s:" is assumed.
|
||||
#
|
||||
# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
|
||||
# to but not including the first '%') to find log messages in the 'show log',
|
||||
# 'status' and 'hits' commands. This part should not be omitted (the
|
||||
# LOGFORMAT should not begin with "%") and the leading part should be
|
||||
# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
|
||||
|
||||
LOGFORMAT="Shorewall:%s:%s:"
|
||||
|
||||
#
|
||||
# LOG RATE LIMITING
|
||||
#
|
||||
# The next two variables can be used to control the amount of log output
|
||||
# generated. LOGRATE is expressed as a number followed by an optional
|
||||
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
|
||||
# rate at which a particular message will occur. LOGBURST determines the
|
||||
# maximum initial burst size that will be logged. If set empty, the default
|
||||
# value of 5 will be used.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# LOGRATE=10/minute
|
||||
# LOGBURST=5
|
||||
#
|
||||
# If BOTH variables are set empty then logging will not be rate-limited.
|
||||
#
|
||||
|
||||
LOGRATE=10/minute
|
||||
LOGBURST=5
|
||||
|
||||
#
|
||||
# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
|
||||
#
|
||||
# This variable determines the level at which Mangled/Invalid packets are logged
|
||||
# under the 'dropunclean' interface option. If you set this variable to an
|
||||
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
|
||||
# silently.
|
||||
#
|
||||
# The value of this variable also determines the level at which Mangled/Invalid
|
||||
# packets are logged under the 'logunclean' interface option. If the variable
|
||||
# is empty, these packets will still be logged at the 'info' level.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
|
||||
LOGUNCLEAN=info
|
||||
|
||||
#
|
||||
# BLACKLIST LOG LEVEL
|
||||
#
|
||||
# Set this variable to the syslogd level that you want blacklist packets logged
|
||||
# (beware of DOS attacks resulting from such logging). If not set, no logging
|
||||
# of blacklist packets occurs.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
#
|
||||
# LOGGING 'New not SYN' rejects
|
||||
#
|
||||
# This variable only has an effect when NEWNOTSYN=No (see below).
|
||||
#
|
||||
# When a TCP packet that does not have the SYN flag set and the ACK and RST
|
||||
# flags clear then unless the packet is part of an established connection,
|
||||
# it will be rejected by the firewall. If you want these rejects logged,
|
||||
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
# Example: LOGNEWNOTSYN=debug
|
||||
|
||||
|
||||
LOGNEWNOTSYN=info
|
||||
|
||||
#
|
||||
# MAC List Log Level
|
||||
#
|
||||
# Specifies the logging level for connection requests that fail MAC
|
||||
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
|
||||
# such connection requests will not be logged.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
|
||||
MACLIST_LOG_LEVEL=info
|
||||
|
||||
#
|
||||
# TCP FLAGS Log Level
|
||||
#
|
||||
# Specifies the logging level for packets that fail TCP Flags
|
||||
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
|
||||
# such packets will not be logged.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
|
||||
TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
#
|
||||
# RFC1918 Log Level
|
||||
#
|
||||
# Specifies the logging level for packets that fail RFC 1918
|
||||
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
|
||||
# RFC1918_LOG_LEVEL=info is assumed.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
|
||||
RFC1918_LOG_LEVEL=info
|
||||
|
||||
################################################################################
|
||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||
################################################################################
|
||||
#
|
||||
# PATH - Change this if you want to change the order in which Shorewall
|
||||
# searches directories for executable files.
|
||||
#
|
||||
#PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
#
|
||||
# SHELL
|
||||
#
|
||||
# The firewall script is normally interpreted by /bin/sh. If you wish to change
|
||||
# the shell used to interpret that script, specify the shell here.
|
||||
|
||||
SHOREWALL_SHELL=/bin/sh
|
||||
|
||||
# SUBSYSTEM LOCK FILE
|
||||
#
|
||||
# Set this to the name of the lock file expected by your init scripts. For
|
||||
# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
|
||||
# use lock files, set this to "".
|
||||
#
|
||||
|
||||
SUBSYSLOCK=/var/lock/subsys/shorewall
|
||||
|
||||
#
|
||||
# SHOREWALL TEMPORARY STATE DIRECTORY
|
||||
#
|
||||
# This is the directory where the firewall maintains state information while
|
||||
# it is running
|
||||
#
|
||||
|
||||
STATEDIR=/var/lib/shorewall
|
||||
|
||||
#
|
||||
# KERNEL MODULE DIRECTORY
|
||||
#
|
||||
# If your netfilter kernel modules are in a directory other than
|
||||
# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
|
||||
# directory in this variable. Example: MODULESDIR=/etc/modules.
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
################################################################################
|
||||
# F I R E W A L L O P T I O N S
|
||||
################################################################################
|
||||
|
||||
# NAME OF THE FIREWALL ZONE
|
||||
#
|
||||
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
|
||||
# is assumed.
|
||||
#
|
||||
#FW=fw
|
||||
|
||||
#
|
||||
# ENABLE IP FORWARDING
|
||||
#
|
||||
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
|
||||
# say "Off" or "off", packet forwarding will be disabled. You would only want
|
||||
# to disable packet forwarding if you are installing Shorewall on a
|
||||
# standalone system or if you want all traffic through the Shorewall system
|
||||
# to be handled by proxies.
|
||||
#
|
||||
# If you set this variable to "Keep" or "keep", Shorewall will neither
|
||||
# enable nor disable packet forwarding.
|
||||
#
|
||||
#IP_FORWARDING=On
|
||||
|
||||
#
|
||||
# AUTOMATICALLY ADD NAT IP ADDRESSES
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
|
||||
# for each NAT external address that you give in /etc/shorewall/nat. If you say
|
||||
# "No" or "no", you must add these aliases youself.
|
||||
#
|
||||
ADD_IP_ALIASES=Yes
|
||||
|
||||
#
|
||||
# AUTOMATICALLY ADD SNAT IP ADDRESSES
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
|
||||
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
|
||||
# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
|
||||
# you are sure that you need it -- most people don't!!!
|
||||
#
|
||||
ADD_SNAT_ALIASES=No
|
||||
|
||||
#
|
||||
# ENABLE TRAFFIC SHAPING
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
|
||||
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
|
||||
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
|
||||
# you must enable packet mangling above.
|
||||
#
|
||||
TC_ENABLED=No
|
||||
|
||||
#
|
||||
# Clear Traffic Shapping/Control
|
||||
#
|
||||
# If this option is set to 'No' then Shorewall won't clear the current
|
||||
# traffic control rules during [re]start. This setting is intended
|
||||
# for use by people that prefer to configure traffic shaping when
|
||||
# the network interfaces come up rather than when the firewall
|
||||
# is started. If that is what you want to do, set TC_ENABLED=Yes and
|
||||
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
|
||||
# way, your traffic shaping rules can still use the 'fwmark'
|
||||
# classifier based on packet marking defined in /etc/shorewall/tcrules.
|
||||
#
|
||||
# If omitted, CLEAR_TC=Yes is assumed.
|
||||
|
||||
CLEAR_TC=Yes
|
||||
|
||||
#
|
||||
# Mark Packets in the forward chain
|
||||
#
|
||||
# When processing the tcrules file, Shorewall normally marks packets in the
|
||||
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
|
||||
# this to "Yes". If not specified or if set to the empty value (e.g.,
|
||||
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
|
||||
#
|
||||
# Marking packets in the FORWARD chain has the advantage that inbound
|
||||
# packets destined for Masqueraded/SNATed local hosts have had their destination
|
||||
# address rewritten so they can be marked based on their destination. When
|
||||
# packets are marked in the PREROUTING chain, packets destined for
|
||||
# Masqueraded/SNATed local hosts still have a destination address corresponding
|
||||
# to the firewall's external interface.
|
||||
#
|
||||
# Note: Older kernels do not support marking packets in the FORWARD chain and
|
||||
# setting this variable to Yes may cause startup problems.
|
||||
|
||||
MARK_IN_FORWARD_CHAIN=No
|
||||
|
||||
#
|
||||
# MSS CLAMPING
|
||||
#
|
||||
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
|
||||
# option. This option is most commonly required when your internet
|
||||
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
|
||||
# have CONFIG_IP_NF_TARGET_TCPMSS set.
|
||||
#
|
||||
# [From the kernel help:
|
||||
#
|
||||
# This option adds a `TCPMSS' target, which allows you to alter the
|
||||
# MSS value of TCP SYN packets, to control the maximum size for that
|
||||
# connection (usually limiting it to your outgoing interface's MTU
|
||||
# minus 40).
|
||||
#
|
||||
# This is used to overcome criminally braindead ISPs or servers which
|
||||
# block ICMP Fragmentation Needed packets. The symptoms of this
|
||||
# problem are that everything works fine from your Linux
|
||||
# firewall/router, but machines behind it can never exchange large
|
||||
# packets:
|
||||
# 1) Web browsers connect, then hang with no data received.
|
||||
# 2) Small mail works fine, but large emails hang.
|
||||
# 3) ssh works fine, but scp hangs after initial handshaking.
|
||||
# ]
|
||||
#
|
||||
# If left blank, or set to "No" or "no", the option is not enabled.
|
||||
#
|
||||
CLAMPMSS=No
|
||||
|
||||
#
|
||||
# ROUTE FILTERING
|
||||
#
|
||||
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
|
||||
# interfaces started while Shorewall is started (anti-spoofing measure).
|
||||
#
|
||||
# If this variable is not set or is set to the empty value, "No" is assumed.
|
||||
# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
|
||||
# on individual interfaces using the 'routefilter' option in the
|
||||
# /etc/shorewall/interfaces file.
|
||||
|
||||
ROUTE_FILTER=yes
|
||||
|
||||
#
|
||||
# NAT BEFORE RULES
|
||||
#
|
||||
# Shorewall has traditionally processed static NAT rules before port forwarding
|
||||
# rules. If you would like to reverse the order, set this variable to "No".
|
||||
#
|
||||
# If this variable is not set or is set to the empty value, "Yes" is assumed.
|
||||
|
||||
NAT_BEFORE_RULES=Yes
|
||||
|
||||
# DNAT IP ADDRESS DETECTION
|
||||
#
|
||||
# Normally when Shorewall encounters the following rule:
|
||||
#
|
||||
# DNAT net loc:192.168.1.3 tcp 80
|
||||
#
|
||||
# it will forward TCP port 80 connections from the net to 192.168.1.3
|
||||
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
|
||||
# convenient for two reasons:
|
||||
#
|
||||
# a) If the the network interface has a dynamic IP address, the
|
||||
# firewall configuration will work even when the address
|
||||
# changes.
|
||||
#
|
||||
# b) It saves having to configure the IP address in the rule
|
||||
# while still allowing the firewall to be started before the
|
||||
# internet interface is brought up.
|
||||
#
|
||||
# This default behavior can also have a negative effect. If the
|
||||
# internet interface has more than one IP address then the above
|
||||
# rule will forward connection requests on all of these addresses;
|
||||
# that may not be what is desired.
|
||||
#
|
||||
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
|
||||
# only if the original destination address is the primary IP address of
|
||||
# one of the interfaces associated with the source zone. Note that this
|
||||
# requires all interfaces to the source zone to be up when the firewall
|
||||
# is [re]started.
|
||||
|
||||
DETECT_DNAT_IPADDRS=No
|
||||
|
||||
#
|
||||
# MUTEX TIMEOUT
|
||||
#
|
||||
# The value of this variable determines the number of seconds that programs
|
||||
# will wait for exclusive access to the Shorewall lock file. After the number
|
||||
# of seconds corresponding to the value of this variable, programs will assume
|
||||
# that the last program to hold the lock died without releasing the lock.
|
||||
#
|
||||
# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
|
||||
#
|
||||
# An appropriate value for this parameter would be twice the length of time
|
||||
# that it takes your firewall system to process a "shorewall restart" command.
|
||||
|
||||
MUTEX_TIMEOUT=60
|
||||
|
||||
#
|
||||
# NEWNOTSYN
|
||||
#
|
||||
# TCP connections are established using the familiar three-way "handshake":
|
||||
#
|
||||
# CLIENT SERVER
|
||||
#
|
||||
# SYN-------------------->
|
||||
# <------------------SYN,ACK
|
||||
# ACK-------------------->
|
||||
#
|
||||
# The first packet in that exchange (packet with the SYN flag on and the ACK
|
||||
# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
|
||||
# A packet is said to be NEW if it is not part of or related to an already
|
||||
# established connection.
|
||||
#
|
||||
# The NETNOTSYN option determines the handling of non-SYN packets (those with
|
||||
# SYN off or with ACK or RST on) that are not associated with an already
|
||||
# established connection.
|
||||
#
|
||||
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
|
||||
# part of an already established connection, it will be dropped by the
|
||||
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
|
||||
# logged before they are dropped.
|
||||
#
|
||||
# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
|
||||
# dropped but will pass through the normal rule/policy processing.
|
||||
#
|
||||
# Users with a High-availability setup with two firewall's and one acting
|
||||
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
|
||||
# also need to select NEWNOTSYN=Yes.
|
||||
#
|
||||
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
|
||||
# using the 'newnotsyn' option in /etc/shorewall/interfaces.
|
||||
#
|
||||
# I find that NEWNOTSYN=No tends to result in lots of "stuck"
|
||||
# connections because any network timeout during TCP session tear down
|
||||
# results in retries being dropped (Netfilter has removed the
|
||||
# connection from the conntrack table but the end-points haven't
|
||||
# completed shutting down the connection). I therefore have chosen
|
||||
# NEWNOTSYN=Yes as the default value.
|
||||
|
||||
NEWNOTSYN=Yes
|
||||
|
||||
#
|
||||
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
|
||||
#
|
||||
# Normally, when a "shorewall stop" command is issued or an error occurs during
|
||||
# the execution of another shorewall command, Shorewall puts the firewall into
|
||||
# a state where only traffic to/from the hosts listed in
|
||||
# /etc/shorewall/routestopped is accepted.
|
||||
#
|
||||
# When performing remote administration on a Shorewall firewall, it is
|
||||
# therefore recommended that the IP address of the computer being used for
|
||||
# administration be added to the firewall's /etc/shorewall/routestopped file.
|
||||
#
|
||||
# Some administrators have a hard time remembering to do this with the result
|
||||
# that they get to drive across town in the middle of the night to restart
|
||||
# a remote firewall (or worse, they have to get someone out of bed to drive
|
||||
# across town to restart a very remote firewall).
|
||||
#
|
||||
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
|
||||
# when the firewall enters the 'stopped' state:
|
||||
#
|
||||
# All traffic that is part of or related to established connections is still
|
||||
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
|
||||
# to and from hosts listed in /etc/shorewall/routestopped.
|
||||
#
|
||||
# If this variable is not set or it is set to the null value then
|
||||
# ADMINISABSENTMINDED=No is assumed.
|
||||
#
|
||||
ADMINISABSENTMINDED=Yes
|
||||
|
||||
#
|
||||
# BLACKLIST Behavior
|
||||
#
|
||||
# Shorewall offers two types of blacklisting:
|
||||
#
|
||||
# - static blacklisting through the /etc/shorewall/blacklist file together
|
||||
# with the 'blacklist' interface option.
|
||||
# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
|
||||
#
|
||||
# The following variable determines whether the blacklist is checked for each
|
||||
# packet or for each new connection.
|
||||
#
|
||||
# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection
|
||||
# requests
|
||||
#
|
||||
# BLACKLISTNEWONLY=No Consult blacklists for all packets.
|
||||
#
|
||||
# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
|
||||
# BLACKLISTNEWONLY=No is assumed.
|
||||
#
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
||||
# MODULE NAME SUFFIX
|
||||
#
|
||||
# When loading a module named in /etc/shorewall/modules, Shorewall normally
|
||||
# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
|
||||
# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different
|
||||
# naming convention then you can specify the suffix (extension) for module
|
||||
# names in this variable.
|
||||
#
|
||||
# To see what suffix is used by your distribution:
|
||||
#
|
||||
# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
|
||||
#
|
||||
# All of the file names listed should have the same suffix (extension). Set
|
||||
# MODULE_SUFFIX to that suffix.
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
|
||||
# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
|
||||
#
|
||||
|
||||
MODULE_SUFFIX=
|
||||
|
||||
################################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
################################################################################
|
||||
#
|
||||
# BLACKLIST DISPOSITION
|
||||
#
|
||||
# Set this variable to the action that you want to perform on packets from
|
||||
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
|
||||
# DROP is assumed.
|
||||
#
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
#
|
||||
# MAC List Disposition
|
||||
#
|
||||
# This variable determines the disposition of connection requests arriving
|
||||
# on interfaces that have the 'maclist' option and that are from a device
|
||||
# that is not listed for that interface in /etc/shorewall/maclist. Valid
|
||||
# values are ACCEPT, DROP and REJECT. If not specified or specified as
|
||||
# empty (MACLIST_DISPOSITION="") then REJECT is assumed
|
||||
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
|
||||
#
|
||||
# TCP FLAGS Disposition
|
||||
#
|
||||
# This variable determins the disposition of packets having an invalid
|
||||
# combination of TCP flags that are received on interfaces having the
|
||||
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
|
||||
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
|
||||
|
||||
TCP_FLAGS_DISPOSITION=DROP
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
@ -1,2 +0,0 @@
|
||||
FW=ig
|
||||
IP_FORWARDING=On
|
@ -1,2 +0,0 @@
|
||||
FW=enoch
|
||||
IP_FORWARDING=Off
|
@ -1,2 +0,0 @@
|
||||
FW=og
|
||||
IP_FORWARDING=On
|
@ -1,2 +0,0 @@
|
||||
FW=dmz
|
||||
IP_FORWARDING=Off
|
@ -1,10 +0,0 @@
|
||||
#ZONE DISPLAY COMMENTS
|
||||
lan LAN Local network
|
||||
guest Guest Untrusted LAN hosts
|
||||
ig IG Inner Guard
|
||||
og OG Outer Guard
|
||||
mail Mail Mail server
|
||||
proxy Proxy Proxy server
|
||||
net Net Internet
|
||||
other Other Basket for things that don't fit elsewhere
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
@ -1,443 +0,0 @@
|
||||
#!/usr/bin/perl -w
|
||||
#
|
||||
# shoregen: Generate shorewall configuration for a host from central
|
||||
# configuration files.
|
||||
#
|
||||
|
||||
#
|
||||
# (c) Copyright 2004-2006 Paul D. Gear <paul@gear.dyndns.org>
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by the
|
||||
# Free Software Foundation; either version 2 of the License, or (at your
|
||||
# option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful, but
|
||||
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
|
||||
# Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License along
|
||||
# with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA, or go to
|
||||
# <http://www.gnu.org/licenses/old-licenses/gpl-2.0.txtl> on the World Wide Web.
|
||||
#
|
||||
|
||||
use strict;
|
||||
|
||||
my $VERBOSE = 1;
|
||||
my $DEBUG = 1;
|
||||
my $DATE = scalar localtime;
|
||||
my $HEADER = "#\n# Shorewall %s - constructed by $0 on $DATE\n#\n\n";
|
||||
my $ret = 0; # return code to shell
|
||||
|
||||
if ($#ARGV != 0) {
|
||||
print STDERR "Usage: $0 <hostname>\n";
|
||||
exit 1;
|
||||
}
|
||||
|
||||
my $base = ".";
|
||||
my $host = $ARGV[ 0 ];
|
||||
my $spool = "$base/SPOOL";
|
||||
my $dir = "$spool/$host";
|
||||
|
||||
|
||||
#
|
||||
# Messaging routines for use by the program itself - any errors that are
|
||||
# generated externally (e.g. file opening problems) are reported using the
|
||||
# usual perl 'die' or 'warn' functions.
|
||||
#
|
||||
|
||||
sub info
|
||||
{
|
||||
print "$0: @_\n";
|
||||
}
|
||||
|
||||
sub mesg
|
||||
{
|
||||
my $type = shift;
|
||||
print STDERR "$0: $type - @_\n";
|
||||
}
|
||||
|
||||
sub warning
|
||||
{
|
||||
mesg "WARNING", @_;
|
||||
}
|
||||
|
||||
sub error
|
||||
{
|
||||
mesg "ERROR", @_;
|
||||
++$ret;
|
||||
}
|
||||
|
||||
sub fatal
|
||||
{
|
||||
mesg "FATAL", @_;
|
||||
++$ret;
|
||||
exit $ret;
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# These bits make the files that actually get copied to the target host
|
||||
#
|
||||
|
||||
sub stripfile
|
||||
{
|
||||
open( my $file, $_[ 0 ] ) or die "Can't open $_[ 0 ] for reading: $!";
|
||||
my @file;
|
||||
|
||||
for (<$file>) {
|
||||
s/\s*#.*$//g; # remove all comments
|
||||
next if m/^\s*$/; # skip blank lines
|
||||
push @file, $_;
|
||||
}
|
||||
|
||||
close $file or warn "Can't close $_[ 0 ] after reading: $!";
|
||||
|
||||
return @file;
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Construct a configuration file given a number of input files
|
||||
#
|
||||
sub constructfile
|
||||
{
|
||||
my $confname = shift;
|
||||
my $dst = shift;
|
||||
my $foundone = 0;
|
||||
|
||||
info "Constructing $confname" if $VERBOSE > 1;
|
||||
|
||||
open( my $DST, ">$dst" ) or die "Can't create $dst: $!";
|
||||
printf $DST $HEADER, $confname;
|
||||
|
||||
for my $file (@_) {
|
||||
if (-r $file) {
|
||||
$foundone = 1;
|
||||
print $DST "##$file\n" if $DEBUG > 1;
|
||||
print $DST stripfile $file;
|
||||
}
|
||||
}
|
||||
|
||||
close $DST or warn "Can't close $dst: $!";
|
||||
|
||||
if (!$foundone) {
|
||||
warning "\"$confname\" not present. " .
|
||||
"Existing file on $host will be preserved." if $VERBOSE > 2;
|
||||
unlink $dst;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# main
|
||||
#
|
||||
|
||||
my $fw; # Firewall zone for this host
|
||||
my $router; # Is this host a router?
|
||||
my @globalzones; # All known zones
|
||||
my %globalzones;
|
||||
my %hostzones; # zones applicable to this host
|
||||
my $outfile; # filename holders
|
||||
my $conf; # config file we're processing at present
|
||||
my %warnban; # meta-rules/policies
|
||||
|
||||
|
||||
# Change to the base configuration directory
|
||||
die "Configuration directory $base doesn't exist!" if ! -d $base;
|
||||
chdir $base or die "Can't change directory to $base: $!";
|
||||
|
||||
# Create spool directories if necessary
|
||||
if (! -d "$spool") {
|
||||
mkdir "$spool" or die "Can't create spool directory $spool: $!";
|
||||
}
|
||||
if (! -d $dir) {
|
||||
mkdir $dir or die "Can't create host spool directory $dir: $!";
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Construct all the simple config files.
|
||||
#
|
||||
|
||||
# Config files for which the host-specific file is included *first*
|
||||
my @hostfirstconfigs = qw(
|
||||
accounting
|
||||
actions
|
||||
blacklist
|
||||
bogons
|
||||
continue
|
||||
ecn
|
||||
hosts
|
||||
interfaces
|
||||
maclist
|
||||
masq
|
||||
nat
|
||||
netmap
|
||||
proxyarp
|
||||
rfc1918
|
||||
routestopped
|
||||
route_rules
|
||||
start
|
||||
started
|
||||
stop
|
||||
stopped
|
||||
tcclasses
|
||||
tcdevices
|
||||
tos
|
||||
tunnels
|
||||
);
|
||||
|
||||
# Config files for which the host-specific file is included *last*
|
||||
my @hostlastconfigs = qw(
|
||||
common
|
||||
configpath
|
||||
init
|
||||
initdone
|
||||
ipsec
|
||||
modules
|
||||
params
|
||||
providers
|
||||
shorewall.conf
|
||||
tcrules
|
||||
);
|
||||
|
||||
|
||||
for my $conf (@hostfirstconfigs) {
|
||||
constructfile "$conf", "$dir/$conf", "$conf/$host", "$conf/COMMON";
|
||||
}
|
||||
|
||||
for my $conf (@hostlastconfigs) {
|
||||
constructfile "$conf", "$dir/$conf", "$conf/COMMON", "$conf/$host";
|
||||
}
|
||||
|
||||
#
|
||||
# The remaining config files (policy, rules, zones) are processed uniquely.
|
||||
#
|
||||
|
||||
# Find the firewall name of this host
|
||||
open( my $infile, "$dir/shorewall.conf" ) or
|
||||
die "Can't open $dir/shorewall.conf: $!";
|
||||
|
||||
for (<$infile>) {
|
||||
if (/^\s*FW=(\S+)/) {
|
||||
$fw = $1 unless defined $fw;
|
||||
}
|
||||
if (/^\s*IP_FORWARDING=(\S+)/) {
|
||||
$router = $1 unless defined $router;
|
||||
}
|
||||
}
|
||||
|
||||
close $infile;
|
||||
|
||||
|
||||
# The firewall name must be defined
|
||||
unless (defined $fw) {
|
||||
fatal "Can't find firewall name (FW variable) for $host in $dir/shorewall.conf";
|
||||
}
|
||||
|
||||
# Router must be defined
|
||||
unless (defined $router) {
|
||||
fatal "Can't find IP_FORWARDING setting for $host in $dir/shorewall.conf";
|
||||
}
|
||||
if ($router =~ m/On|Yes/i) {
|
||||
$router = 1;
|
||||
}
|
||||
else {
|
||||
$router = 0;
|
||||
}
|
||||
print "fw=$fw, router=$router\n" if $DEBUG > 3;
|
||||
|
||||
# Find all valid zones
|
||||
unless (-r "zones") {
|
||||
fatal "You must provide a global zone file";
|
||||
}
|
||||
|
||||
|
||||
for (stripfile "zones") {
|
||||
chomp;
|
||||
my ($zone, $details) = split /[\s:]+/, $_, 2;
|
||||
push @globalzones, $zone;
|
||||
$globalzones{ $zone } = $details;
|
||||
}
|
||||
|
||||
#
|
||||
# Work out which zones apply to this host from the combination of hosts &
|
||||
# interfaces. The first field in both files is the zone name, and the
|
||||
# second (minus any trailing ips) is the interface, which we save as well
|
||||
# for later reference.
|
||||
#
|
||||
|
||||
for my $infile ("$dir/hosts", "$dir/interfaces") {
|
||||
if (-r $infile) {
|
||||
for (stripfile $infile) {
|
||||
chomp;
|
||||
my @F = split;
|
||||
next if $#F < 0;
|
||||
next if $F[ 0 ] eq "-";
|
||||
my @IF = split /:/, $F[ 0 ]; # strip off parent zone, if present
|
||||
$hostzones{ $IF[ 0 ] } = 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$conf = "zones";
|
||||
|
||||
#
|
||||
# Create the zones file from the intersection of the above - note the order
|
||||
# from the original zone file must be preserved, hence the need for the
|
||||
# array as well as the hash.
|
||||
#
|
||||
|
||||
open( $outfile, ">$dir/$conf" ) or
|
||||
die "Can't open $dir/$conf for writing: $!";
|
||||
|
||||
printf $outfile $HEADER, "$conf";
|
||||
my %tmpzones = %hostzones; # Take a copy of all the zones,
|
||||
|
||||
for my $zone (@globalzones) {
|
||||
if (exists $tmpzones{ $zone }) {
|
||||
print $outfile "$zone $globalzones{ $zone }\n";
|
||||
delete $tmpzones{ $zone }; # deleting those found as we go along.
|
||||
}
|
||||
}
|
||||
|
||||
close $outfile or warn "Can't close $dir/$conf after writing: $!";
|
||||
|
||||
for my $zone (sort keys %tmpzones) { # Warn if we've got any zones left now.
|
||||
#next if $zone eq "-";
|
||||
warning "No entry for $zone in global zones file - ignored";
|
||||
}
|
||||
undef %tmpzones;
|
||||
|
||||
|
||||
my @tmp = sort keys %hostzones;
|
||||
info "FW zone for $host: $fw" if $VERBOSE > 0;
|
||||
info "Other zones for $host: @tmp" if $VERBOSE > 0;
|
||||
|
||||
#
|
||||
# Add 'all' as a valid source or destination. Added here so it doesn't get
|
||||
# checked in %tmpzones check above. Also add firewall itself. (The
|
||||
# numbers are not important as long as they are non-zero.)
|
||||
#
|
||||
|
||||
$hostzones{"all"} = 1;
|
||||
$hostzones{$fw} = 1;
|
||||
|
||||
#
|
||||
# Create the policy file, including only the applicable zones.
|
||||
#
|
||||
|
||||
$conf = "policy";
|
||||
if (! -r $conf) {
|
||||
fatal "You must provide a global \"$conf\" file";
|
||||
}
|
||||
|
||||
open( $outfile, ">$dir/$conf" ) or
|
||||
die "Can't open $dir/$conf for writing: $!";
|
||||
printf $outfile $HEADER, "$conf";
|
||||
|
||||
for (stripfile $conf) {
|
||||
chomp;
|
||||
|
||||
my ($src, $dst, $pol, $rest) = split /\s+/, $_, 4;
|
||||
|
||||
print "$src, $dst, $pol, $rest\n" if $DEBUG > 3;
|
||||
|
||||
# Both source and destination zones must be valid on this host for this
|
||||
# policy to apply.
|
||||
next unless defined $hostzones{$src} and defined $hostzones{$dst};
|
||||
|
||||
# Source and destination zones must be on different interfaces as well,
|
||||
# except for the case of all2all.
|
||||
#next if ($hostzones{$src} eq $hostzones{$dst} && $src ne "all");
|
||||
|
||||
# Save WARN & BAN details for later rules processing
|
||||
if ($pol eq "WARN" or $pol eq "BAN") {
|
||||
if (exists $warnban{$src}{$dst}) {
|
||||
error "Duplicate WARN/BAN rule: $src,$dst,$pol - possible typo?";
|
||||
}
|
||||
$warnban{$src}{$dst} = $pol;
|
||||
next;
|
||||
}
|
||||
|
||||
printf $outfile "%s\n", $_;
|
||||
}
|
||||
close $outfile or warn "Can't close $dir/$conf for writing: $!";
|
||||
|
||||
|
||||
#
|
||||
# Create the rules file, only including the applicable zones and taking
|
||||
# into account any WARN or BAN policies.
|
||||
#
|
||||
|
||||
$conf = "rules";
|
||||
if (! -r $conf) {
|
||||
fatal "You must provide a global \"$conf\" file";
|
||||
}
|
||||
|
||||
open( $outfile, ">$dir/$conf" ) or
|
||||
die "Can't open $dir/$conf for writing: $!";
|
||||
printf $outfile $HEADER, "$conf";
|
||||
|
||||
for my $infile ("$conf.COMMON", "$conf.$host", "$conf") {
|
||||
next unless -r $infile;
|
||||
for (stripfile $infile) {
|
||||
chomp;
|
||||
|
||||
my ($act, $src, $dst, $rest) = split /\s+/, $_, 4;
|
||||
|
||||
$act =~ s/:.*//; # strip off logging directives
|
||||
$src =~ s/:.*//; # strip off host & port specifiers
|
||||
$dst =~ s/:.*//; # strip off host & port specifiers
|
||||
|
||||
print "$act, $src, $dst, $rest\n" if $DEBUG > 3;
|
||||
|
||||
# Both source and destination zones must be valid on this host
|
||||
# for this rule to apply.
|
||||
next unless defined $hostzones{$src} and defined $hostzones{$dst};
|
||||
|
||||
# If host is not a router, either the source or destination zone
|
||||
# must be the firewall itself.
|
||||
if (!$router) {
|
||||
next unless $src eq $fw
|
||||
or $dst eq $fw
|
||||
or $src eq "all"
|
||||
or $dst eq "all";
|
||||
}
|
||||
|
||||
# Save additional WARN/BAN rules
|
||||
if ($act eq "WARN" or $act eq "BAN") {
|
||||
if (exists $warnban{$src}{$dst}) {
|
||||
error "Duplicate WARN/BAN rule: $src,$dst,$act - possible typo?";
|
||||
}
|
||||
$warnban{$src}{$dst} = $act;
|
||||
next;
|
||||
}
|
||||
|
||||
# Check against WARN/BAN rules
|
||||
if (exists $warnban{$src}{$dst} && $act =~ /^(ACCEPT|Allow|DNAT)/) {
|
||||
if ($warnban{$src}{$dst} eq "WARN") {
|
||||
warning "Rule contravenes WARN policy:\n\t$_";
|
||||
}
|
||||
else { # $warnban{$src}{$dst} eq "BAN"
|
||||
error "Rule contravenes BAN policy (omitted):\n\t$_";
|
||||
next;
|
||||
}
|
||||
}
|
||||
|
||||
# Mangle DNAT rules if the destination is the local machine
|
||||
if ($act =~ /^DNAT/ && $dst eq $fw) {
|
||||
$_ =~ s/\bDNAT(-)?/ACCEPT/; # change rule type
|
||||
$_ =~ s/\b$fw:\S+/$dst/; # strip trailing server address/port
|
||||
}
|
||||
|
||||
printf $outfile "%s\n", $_;
|
||||
}
|
||||
}
|
||||
close $outfile or warn "Can't close $dir/$conf for writing: $!";
|
||||
|
||||
|
||||
# Finished - return whatever we produced above...
|
||||
exit $ret;
|
@ -1,3 +0,0 @@
|
||||
Shoregen is a script that generates Shoreline Firewall configurations for
|
||||
multiple firewalls from a common set of rules and policies. Only the
|
||||
minimal information necessary for operation is stored on each firewall.
|
@ -1,4 +0,0 @@
|
||||
# $Id: files,v 1.2 2004/04/24 13:15:14 paulgear Exp $
|
||||
/usr/bin/%{name}
|
||||
/usr/bin/install_%{name}
|
||||
%doc /usr/share/doc/%{name}-%{version}/
|
@ -1,10 +0,0 @@
|
||||
# $Id: header,v 1.1 2004/04/24 12:53:04 paulgear Exp $
|
||||
Summary: Shoreline Firewall configuration generator
|
||||
License: GPL
|
||||
Group: Applications/System
|
||||
BuildArch: noarch
|
||||
URL: http://paulgear.webhop.net/linux/#shoregen
|
||||
Packager: Paul Gear <paul@gear.dyndns.org>
|
||||
Requires: openssh
|
||||
Requires: perl
|
||||
Requires: rsync
|
@ -1,9 +0,0 @@
|
||||
# $Id: install,v 1.6 2004/04/24 13:15:14 paulgear Exp $
|
||||
|
||||
install -d -m 0700 $RPM_BUILD_ROOT/usr/bin/
|
||||
install -m 0555 install_%{name} %{name} $RPM_BUILD_ROOT/usr/bin/
|
||||
|
||||
install -d -m 0755 $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
|
||||
install -m 0444 AUTHORS BUGS COPYING README TODO $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
|
||||
cp -r samples $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
|
||||
chmod -R go=u-w $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
|
@ -1,2 +0,0 @@
|
||||
install
|
||||
# $Id: type,v 1.2 2004/04/24 13:13:57 paulgear Exp $
|
Loading…
Reference in New Issue
Block a user