Shorewall 1.4.3a Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@561 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-05-20 23:21:38 +00:00
parent 11b0cead80
commit 16de6e1b86
13 changed files with 2833 additions and 2693 deletions


@ -9,3 +9,5 @@ Changes since 1.4.2
4. Return more appropriate ICMP responses if the systems supports them. 4. Return more appropriate ICMP responses if the systems supports them.
5. Silently drop UDP 135 in common.def.
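Review bot: the new item 5 says UDP 135 is "silently dropped", but the common.def change in this same commit sends port 135 to the reject chain (`-j reject`), the same target the existing NETBIOS rules use; drop and reject are different behaviours, so the changelog should state the one that actually applies. While here, the unchanged item 4 reads "if the systems supports them" and should be "if the system supports them".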


@ -16,6 +16,7 @@ run_iptables -A common -p icmp -j icmpdef
############################################################################ ############################################################################
# NETBIOS chatter # NETBIOS chatter
# #
run_iptables -A common -p udp --dport 135 -j reject
run_iptables -A common -p udp --dport 137:139 -j reject run_iptables -A common -p udp --dport 137:139 -j reject
run_iptables -A common -p udp --dport 445 -j reject run_iptables -A common -p udp --dport 445 -j reject
run_iptables -A common -p tcp --dport 139 -j reject run_iptables -A common -p tcp --dport 139 -j reject
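Review bot: the added line `run_iptables -A common -p udp --dport 135 -j reject` uses the reject chain, yet the changelog and the news entries in this commit describe port 135 as "silently dropped". If matching the adjacent 137:139 / 445 / tcp 139 rules is the intent, the wording elsewhere should say "rejected"; if a silent drop is really intended, the target should be DROP. A one-line comment above the new rule saying why 135 sits in a block headed "# NETBIOS chatter" would also help future readers.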


@ -16,12 +16,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Static NAT</font></h1> <h1 align="center"><font color="#ffffff">Static NAT</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -29,7 +29,7 @@
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward <p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use static ports to servers behind your firewall, you do NOT want to use static
NAT. Port forwarding can be accomplished with simple entries in the NAT. Port forwarding can be accomplished with simple entries in the
<a href="Documentation.htm#Rules">rules file</a>.</b></font></p> <a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
<p>Static NAT is a way to make systems behind a firewall and configured <p>Static NAT is a way to make systems behind a firewall and configured
with private IP addresses (those reserved for private use in RFC1918) with private IP addresses (those reserved for private use in RFC1918)
@ -41,40 +41,39 @@ I strongly recommend that you read the <a
<p align="center"><strong> <img src="images/staticnat.png" <p align="center"><strong> <img src="images/staticnat.png"
width="435" height="397"> width="435" height="397">
</strong></p> </strong></p>
<blockquote> </blockquote> <blockquote> </blockquote>
<p align="left">Static NAT can be used to make the systems with the <p align="left">Static NAT can be used to make the systems with the 10.1.1.*
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If addresses appear to be on the upper (130.252.100.*) subnet. If we assume
we assume that the interface to the upper subnet is eth0, then the following that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT
/etc/shorewall/NAT file would make the lower left-hand system appear file would make the lower left-hand system appear to have IP address
to have IP address 130.252.100.18 and the right-hand one to have IP address 130.252.100.18 and the right-hand one to have IP address 130.252.100.19.</p>
130.252.100.19.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr>
<td><b>EXTERNAL</b></td>
<td><b>INTERFACE</b></td>
<td><b>INTERNAL</b></td>
<td><b>ALL INTERFACES</b></td>
<td><b>LOCAL</b></td>
</tr>
<tr> <tr>
<td>130.252.100.18</td> <td><b>EXTERNAL</b></td>
<td>eth0</td> <td><b>INTERFACE</b></td>
<td>10.1.1.2</td> <td><b>INTERNAL</b></td>
<td>yes</td> <td><b>ALL INTERFACES</b></td>
<td>yes</td> <td><b>LOCAL</b></td>
</tr> </tr>
<tr> <tr>
<td>130.252.100.19</td> <td>130.252.100.18</td>
<td>eth0</td> <td>eth0</td>
<td>10.1.1.3</td> <td>10.1.1.2</td>
<td>yes</td> <td>yes</td>
<td>yes</td> <td>yes</td>
</tr> </tr>
<tr>
<td>130.252.100.19</td>
<td>eth0</td>
<td>10.1.1.3</td>
<td>yes</td>
<td>yes</td>
</tr>
</tbody> </tbody>
</table> </table>
@ -83,18 +82,21 @@ to have IP address 130.252.100.18 and the right-hand one to have IP address
example) is (are) not included in any specification in /etc/shorewall/masq example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.</p> or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column <p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is used
is used to specify whether access to the external IP from all firewall to specify whether access to the external IP from all firewall interfaces
interfaces should undergo NAT (Yes or yes) or if only access from the should undergo NAT (Yes or yes) or if only access from the interface in
interface in the INTERFACE column should undergo NAT. If you leave this the INTERFACE column should undergo NAT. If you leave this column empty,
column empty, "Yes" is assumed. The ALL INTERFACES column was added "Yes" is assumed. The ALL INTERFACES column was added in version 1.1.6.</p>
in version 1.1.6.</p>
<p>Note 2: Shorewall will automatically add the external address to the <p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a specified interface unless you specify <a
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if /etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if
you set it to "Yes" or "yes" then you must NOT configure your own alias(es).</p> you set it to "Yes" or "yes" then you must NOT configure your own alias(es).
<b>RESTRICTION: </b>Shorewall can only add external addresses to an interface
that is configured with a single subnetwork -- if your external interface
has addresses in more than one subnetwork, Shorewall can only add addresses
to the first one.</p>
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column <p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column
determine whether packets originating on the firewall itself and destined determine whether packets originating on the firewall itself and destined
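Review bot: the RESTRICTION text is appended inside Note 2's paragraph (the closing `</p>` moves from after "alias(es)." to after "the first one."), so it reads as a continuation of the ADD_IP_ALIASES sentence; giving it its own `<p>` keeps Note 2 readable and lets the restriction be linked to separately. Replacing the "--" with a proper dash or a full stop would also match the rest of the page.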
@ -102,13 +104,14 @@ for the EXTERNAL address are redirected to the internal ADDRESS. If this
column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also contains column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also contains
"Yes" or "yes") then such packets are redirected; otherwise, such packets "Yes" or "yes") then such packets are redirected; otherwise, such packets
are not redirected. The LOCAL column was added in version 1.1.8.</p> are not redirected. The LOCAL column was added in version 1.1.8.</p>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="2">Last updated 1/11/2003 - </font><font size="2"> <a <p><font size="2">Last updated 4/11/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font <a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
</body> </body>
</html> </html>
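Review bot: the "Last updated" footer changes from 1/11/2003 to 4/11/2003, but this commit is dated 2003-05-20 and adds new content (the RESTRICTION text above), and index.htm in the same commit is bumped to 5/19/2003; the date here should reflect this edit.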

File diff suppressed because it is too large


@ -7,29 +7,29 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><a </a></i></font><a
href="http://www.shorewall.net" target="_top"><img border="1" href="http://www.shorewall.net" target="_top"><img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="4" src="images/shorewall.jpg" width="119" height="38" hspace="4"
alt="(Shorewall Logo)" align="right" vspace="4"> alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1> </a></h1>
<small><small><small><small><a <small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small> href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
@ -40,17 +40,17 @@
<h1><font color="#ffffff"> Shorewall 1.4</font><i><font <h1><font color="#ffffff"> Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
href="1.3" target="_top"><font color="#ffffff"><br> href="1.3" target="_top"><font color="#ffffff"><br>
</font></a><br> </font></a><br>
</h1> </h1>
</div> </div>
<p><a href="http://www.shorewall.net" target="_top"> </a> </p> <p><a href="http://www.shorewall.net" target="_top"> </a> </p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -60,44 +60,44 @@
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%"> <tbody>
<tr>
<td width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a <p>The Shoreline Firewall, more commonly known as "Shorewall", is
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
that can be used on a dedicated firewall system, a multi-function firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it it
under the terms of <a under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
General Public License</a> as published by the Free Software GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This This
program is distributed in the hope that program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY; it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more See the GNU General Public License for more details.<br>
details.<br>
<br> <br>
You You
should have received a copy of the GNU should have received a copy of the GNU
General Public License along with General Public License along with
this program; if not, write to the Free Software this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, Foundation, Inc., 675 Mass Ave, Cambridge,
MA 02139, USA</p> MA 02139, USA</p>
@ -112,62 +112,85 @@ General Public License along with
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2> <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly to your setup. If so, almost <b>NOTHING </b>on this site will apply directly to your
If you want to use the documentation that you find here, it is best if you setup. If you want to use the documentation that you find here, it is best
uninstall what you have and install a setup that matches the documentation if you uninstall what you have and install a setup that matches the documentation
on this site. See the <a href="two-interface.htm">Two-interface QuickStart on this site. See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details.<br> Guide</a> for details.<br>
<h2> Getting Started with Shorewall</h2> <h2> Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br> match your environment and follow the step by step instructions.<br>
<h2>News</h2> <h2>News</h2>
<p><b>5/20/2003 - Shorewall-1.4.3a</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><b> </b><br>
</p>
This version primarily corrects the documentation included in the .tgz and
in the .rpm. In addition: <br>
<ol>
<li>(This change is in 1.4.3 but is not documented) If you are running
iptables 1.2.7a and kernel 2.4.20, then Shorewall will return reject replies
as follows:<br>
   a) tcp - RST<br>
   b) udp - ICMP port unreachable<br>
   c) icmp - ICMP host unreachable<br>
   d) Otherwise - ICMP host prohibited<br>
If you are running earlier software, Shorewall will follow it's traditional
convention:<br>
   a) tcp - RST<br>
   b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def chain.
Remember that this chain is traversed just before a DROP or REJECT policy
is enforced.<br>
</li>
</ol>
<p><b>5/18/2003 - Shorewall 1.4.3 </b><b><img border="0" <p><b>5/18/2003 - Shorewall 1.4.3 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br> </b><br>
</p> </p>
    <b>Problems Corrected:<br>     <b>Problems Corrected:<br>
</b> </b>
<ol> <ol>
<li>There were several cases where Shorewall would fail to remove <li>There were several cases where Shorewall would fail to remove
a temporary directory from /tmp. These cases have been corrected.</li> a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback interface <li>The rules for allowing all traffic via the loopback interface
have been moved to before the rule that drops status=INVALID packets. This have been moved to before the rule that drops status=INVALID packets. This
insures that all loopback traffic is allowed even if Netfilter connection insures that all loopback traffic is allowed even if Netfilter connection
tracking is confused.</li> tracking is confused.</li>
</ol> </ol>
    <b>New Features:<br>     <b>New Features:<br>
</b> </b>
<ol> <ol>
<li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a> now supported <li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a> now supported
in the /etc/shorewall/tunnels file.</li> in the /etc/shorewall/tunnels file.</li>
<li>Shorewall can now be easily integrated with fireparse (http://www.fireparse.com) <li>Shorewall can now be easily integrated with fireparse (http://www.fireparse.com)
by setting LOGMARKER="fp=" in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> by setting LOGMARKER="fp=" in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
Note: You may not use ULOG with fireparse unless you modify fireparse. </li> Note: You may not use ULOG with fireparse unless you modify fireparse. </li>
</ol> </ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br> <p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p> </p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed! Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p> <p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br> <p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p> </p>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b> </b></p> <p><b>4/26/2003 - lists.shorewall.net Downtime</b><b> </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br> <p>The list server will be down this morning for upgrade to RH9.0.<br>
</p> </p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b> <p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
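Review bot: "Shorewall will follow it's traditional convention" should read "its". The same item says UDP port 135 "is now silently dropped", whereas the common.def change in this commit uses the reject chain; the two descriptions should agree. Minor: the a)/b)/c)/d) reply lists built from `<br>` and non-breaking spaces would render more predictably as a nested `<ul>` inside the `<li>`.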
@ -175,7 +198,7 @@ Note: You may not use ULOG with fireparse unless you modify fireparse. </li>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded <p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p> to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b> <p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
@ -183,12 +206,12 @@ Note: You may not use ULOG with fireparse unless you modify fireparse. </li>
<blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a <blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a
Shorewall presentation to GSLUG</a>. The presentation is in Shorewall presentation to GSLUG</a>. The presentation is
HTML format but was generated from Microsoft PowerPoint and is best viewed in HTML format but was generated from Microsoft PowerPoint and is best
using Internet Explorer (although Konqueror also seems to work reasonably viewed using Internet Explorer (although Konqueror also seems to work
well as does Opera 7.1.0). Neither Opera 6 nor Netscape work well to reasonably well as does Opera 7.1.0). Neither Opera 6 nor Netscape work
view the presentation.<br> well to view the presentation.<br>
</blockquote> </blockquote>
<p><b></b></p> <p><b></b></p>
@ -199,7 +222,7 @@ view the presentation.<br>
</ol> </ol>
</blockquote> </blockquote>
@ -211,64 +234,67 @@ view the presentation.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques </a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that called <i>Bering</i> that
features Shorewall-1.3.14 and Kernel-2.4.20. features Shorewall-1.3.14 and Kernel-2.4.20.
You can find their work at: <a You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<b>Congratulations to Jacques and Eric on the recent release of Bering <b>Congratulations to Jacques and Eric on the recent release of Bering
1.2!!! </b><br> 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" bgcolor="#4b017c" valign="top" align="center">
<td width="88" bgcolor="#4b017c" valign="top" align="center">
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<font color="#ffffff"><b>Note: <font color="#ffffff"><b>Note:
</b></font></strong><font color="#ffffff">Search is unavailable </b></font></strong><font color="#ffffff">Search is unavailable
Daily 0200-0330 GMT.</font><br> Daily 0200-0330 GMT.</font><br>
<strong></strong> <strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" <font face="Arial"
size="-1"> <input type="text" name="words" size="15"></font><font size="-1"> <input type="text" name="words" size="15"></font><font
size="-1"> </font> <font face="Arial" size="-1"> <input size="-1"> </font> <font face="Arial" size="-1"> <input
type="hidden" name="format" value="long"> <input type="hidden" type="hidden" name="format" value="long"> <input type="hidden"
name="method" value="and"> <input type="hidden" name="config" name="method" value="and"> <input type="hidden" name="config"
value="htdig"> <input type="submit" value="Search"></font> </p> value="htdig"> <input type="submit" value="Search"></font> </p>
<font face="Arial"> <input <font face="Arial"> <input
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><font color="#ffffff"><b><a <p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p> color="#ffffff">Extended Search</font></a></b></font></p>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td <td
width="100%" style="margin-top: 1px;"> width="100%" style="margin-top: 1px;">
@ -276,26 +302,24 @@ Daily 0200-0330 GMT.</font><br>
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but <p align="center"><font size="4" color="#ffffff">Shorewall is free
if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight Children's <a href="http://www.starlight.org"><font color="#ffffff">Starlight
Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 5/19/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
<br> </p>
</p>
<br>
</body> </body>
</html> </html>
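Review bot: the footer is bumped to "Updated 5/19/2003", one day earlier than the 5/20/2003 news item this same commit adds above it (and than the commit date 2003-05-20); set it to 5/20/2003 so the footer is not older than the newest entry on the page.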


@ -7,17 +7,18 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" height="90"> <tbody>
<tr>
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
@ -25,16 +26,16 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.4 - </a></i></font><font color="#ffffff">Shorewall 1.4 -
<font size="4">"<i>iptables made easy"</i></font></font><br> <font size="4">"<i>iptables made easy"</i></font></font><br>
<a target="_top" href="1.3/index.html"><font <a target="_top" href="1.3/index.html"><font
color="#ffffff"> </font></a><a target="_top" color="#ffffff"> </font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small><br> href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small><br>
</small></small></small></font></a> </small></small></small></font></a>
</h1> </h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -45,10 +46,10 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
@ -56,34 +57,34 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> a <a href="http://www.netfilter.org">Netfilter</a>
(iptables) based firewall that can be used on (iptables) based firewall that can be used on
a dedicated firewall system, a multi-function gateway/router/server a dedicated firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system.</p> or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it it
under the terms of <a under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
General Public License</a> as published by the Free Software GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This
program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more
details.<br>
<br> This program is distributed in the hope
You that it will be useful, but WITHOUT ANY
should have received a copy of the GNU WARRANTY; without even the implied warranty
General Public License along with of MERCHANTABILITY or FITNESS FOR A PARTICULAR
this program; if not, write to the Free Software PURPOSE. See the GNU General Public License
for more details.<br>
<br>
You should have received a copy of the GNU
General Public License along with
this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, Foundation, Inc., 675 Mass Ave, Cambridge,
MA 02139, USA</p> MA 02139, USA</p>
@ -95,42 +96,66 @@ details.<br>
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2> <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly to your setup. If so, almost <b>NOTHING </b>on this site will apply directly to your
If you want to use the documentation that you find here, it is best if you setup. If you want to use the documentation that you find here, it is best
uninstall what you have and install a setup that matches the documentation if you uninstall what you have and install a setup that matches the documentation
on this site. See the <a href="two-interface.htm">Two-interface QuickStart on this site. See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details.<br> Guide</a> for details.<br>
<h2>Getting Started with Shorewall</h2> <h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br> match your environment and follow the step by step instructions.<br>
<h2><b>News</b></h2> <h2><b>News</b></h2>
<b> </b> <b> </b>
<p><b>5/20/2003 - Shorewall-1.4.3a</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><b> </b><br>
</p>
This version primarily corrects the documentation included in the .tgz and
in the .rpm. In addition: <br>
<ol>
<li>(This change is in 1.4.3 but is not documented) If you are running
iptables 1.2.7a and kernel 2.4.20, then Shorewall will return reject replies
as follows:<br>
   a) tcp - RST<br>
   b) udp - ICMP port unreachable<br>
   c) icmp - ICMP host unreachable<br>
   d) Otherwise - ICMP host prohibited<br>
If you are running earlier software, Shorewall will follow it's traditional
convention:<br>
   a) tcp - RST<br>
   b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def chain.
Remember that this chain is traversed just before a DROP or REJECT policy
is enforced.<br>
</li>
</ol>
<p><b>5/18/2003 - Shorewall 1.4.3 </b><b><img border="0" <p><b>5/18/2003 - Shorewall 1.4.3 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br> </b><br>
</p> </p>
    <b>Problems Corrected:<br>     <b>Problems Corrected:<br>
</b> </b>
<ol> <ol>
<li>There were several cases where Shorewall would fail to remove <li>There were several cases where Shorewall would fail to remove
a temporary directory from /tmp. These cases have been corrected.</li> a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback interface <li>The rules for allowing all traffic via the loopback interface
have been moved to before the rule that drops status=INVALID packets. This have been moved to before the rule that drops status=INVALID packets. This
insures that all loopback traffic is allowed even if Netfilter connection insures that all loopback traffic is allowed even if Netfilter connection
tracking is confused.</li> tracking is confused.</li>
</ol> </ol>
    <b>New Features:<br>     <b>New Features:<br>
</b> </b>
<ol> <ol>
<li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4 (6to4) <li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4 (6to4)
tunnels </a>are now supported in the /etc/shorewall/tunnels file.</li> tunnels </a>are now supported in the /etc/shorewall/tunnels file.</li>
<li>Shorewall can now be easily integrated with fireparse (<a <li>Shorewall can now be easily integrated with fireparse (<a
href="http://www.fireparse.com">http://www.fireparse.com</a>) by setting href="http://www.fireparse.com">http://www.fireparse.com</a>) by setting
LOGMARKER="fp=" in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> LOGMARKER="fp=" in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
Note: You may not use ULOG with fireparse unless you modify fireparse. </li> Note: You may not use ULOG with fireparse unless you modify fireparse. </li>
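Review bot: this block is a verbatim copy of the 1.4.3a news entry added to index.htm in the same commit, including the "it's" for "its" typo in "follow it's traditional convention" and the "silently dropped" wording that conflicts with the reject target in common.def; fix both copies together, or keep the news in one shared source so the two pages cannot drift.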
@ -138,25 +163,27 @@ Note: You may not use ULOG with fireparse unless you modify fireparse. </li>
</ol> </ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br> <p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p> </p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed! Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p> <p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br> <p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p> </p>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b>  </b></p> <p><b>4/26/2003 - lists.shorewall.net Downtime</b><b>  </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br> <p>The list server will be down this morning for upgrade to RH9.0.<br>
</p> </p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b> <p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b></p> </b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded <p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p> to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b> <p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
@ -165,10 +192,10 @@ Note: You may not use ULOG with fireparse unless you modify fireparse. </li>
<blockquote> This morning, I gave <a href="GSLUG.htm" <blockquote> This morning, I gave <a href="GSLUG.htm"
target="_top">a Shorewall presentation to GSLUG</a>. The presentation target="_top">a Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint and is is in HTML format but was generated from Microsoft PowerPoint and
best viewed using Internet Explorer (although Konqueror also seems to is best viewed using Internet Explorer (although Konqueror also seems
work reasonably well as does Opera 7.1.0). Neither Opera 6 nor Netscape to work reasonably well as does Opera 7.1.0). Neither Opera 6 nor Netscape
work well to view the presentation.</blockquote> work well to view the presentation.</blockquote>
<p><b></b></p> <p><b></b></p>
@ -179,130 +206,131 @@ Note: You may not use ULOG with fireparse unless you modify fireparse. </li>
</ol> </ol>
</blockquote> </blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p> <p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b> <b> </b>
<p><b><a href="News.htm">More News</a></b></p> <p><b><a href="News.htm">More News</a></b></p>
<b> </b> <b> </b>
<h2><b> </b></h2> <h2><b> </b></h2>
<b> </b> <b> </b>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak have </a>Jacques Nilo and Eric Wolzak have
a LEAF (router/firewall/gateway on a floppy, a LEAF (router/firewall/gateway on a floppy,
CD or compact flash) distribution called CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.14 <i>Bering</i> that features Shorewall-1.3.14
and Kernel-2.4.20. You can find their and Kernel-2.4.20. You can find their work
work at: <a at: <a href="http://leaf.sourceforge.net/devel/jnilo">
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on <b>Congratulations to Jacques and Eric on
the recent release of Bering 1.2!!! </b><br> the recent release of Bering 1.2!!! </b><br>
<h1 align="center"><b><a href="http://www.sf.net"><img <h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo" align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></b></h1> </a></b></h1>
<b> </b> <b> </b>
<h4><b> </b></h4> <h4><b> </b></h4>
<b> </b> <b> </b>
<h2><b>This site is hosted by the generous folks at <a <h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2> href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b> <b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2> <h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td> <b> </b></td>
<td width="88" bgcolor="#4b017c" valign="top" <td width="88" bgcolor="#4b017c" valign="top"
align="center"> align="center">
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> action="http://lists.shorewall.net/cgi-bin/htsearch">
<p><strong><br> <p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong> <font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily 0200-0330 <font color="#ffffff">Search is unavailable Daily 0200-0330
GMT.</font><br> GMT.</font><br>
 </p>  </p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font><font type="text" name="words" size="15"></font><font size="-1"> </font><font
face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> value="long"> <input type="hidden" name="method" value="and">
<input type="hidden" name="config" value="htdig"> <input <input type="hidden" name="config" value="htdig"> <input
type="submit" value="Search"></font> </p> type="submit" value="Search"></font> </p>
<font face="Arial"> <input type="hidden" <font face="Arial"> <input type="hidden"
name="exclude" value="[http://lists.shorewall.net/pipermail/*]"> name="exclude" value="[http://lists.shorewall.net/pipermail/*]">
</font> </form> </font> </form>
<p><font color="#ffffff"><b> <a <p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p> color="#ffffff">Extended Search</font></a></b></font></p>
<a target="_top" <a target="_top"
href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff"> href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff">
</font></a><a target="_top" </font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br> href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;">
<td width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but <p align="center"><font size="4" color="#ffffff">Shorewall is free
if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight <a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 5/19/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>
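Review bot: two `file://` links survive in the published page: `<a href="file:///Z:/Shorewall-docs/News.htm"></a>` just before the "More News" link and `<a target="_top" href="file:///vfat/Shorewall-docs/1.3/index.html">` in the sidebar. Both are empty anchors pointing at the author's local disk, so they are dead for every reader and leak local path names; remove them (the neighbouring `http://www1.shorewall.net/1.2/index.htm` anchor is likewise empty and can go too). Also check the top of the AutoNumber2 table: `<td width="100%" style="margin-top: 1px;">` shows up on two consecutive lines of this hunk with only one `</td>` below, so if the new side really opens the cell twice the table markup is malformed. The "Updated 5/19/2003" footer agrees with the spec changelog date in this commit.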

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.3 VERSION=1.4.3a
usage() # $1 = exit status usage() # $1 = exit status
{ {
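Review bot: `VERSION=1.4.3a` is hand-edited here and again in the install script, the uninstall script and the spec's `%define version`; four copies of the same string invite a missed file on the next bump (this commit touches all four, but nothing enforces it). Consider generating them from one version file, or at least have the install script compare the version it carries against the one in the firewall script it installs and refuse on mismatch.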

View File

@ -95,7 +95,11 @@ error_message() # $* = Error Message
fatal_error() # $* = Error Message fatal_error() # $* = Error Message
{ {
echo " Error: $@" >&2 echo " Error: $@" >&2
[ $command = check ] || stop_firewall if [ $command = check ]; then
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
else
stop_firewall
fi
exit 2 exit 2
} }
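Review bot: in the new `check` branch quote the expansions: `[ -n "$TMP_DIR" ] && rm -rf "$TMP_DIR"`, and `if [ "$command" = check ]` rather than the unquoted `$command`, which makes `[` fail with a syntax error if `command` is ever empty when fatal_error is reached, masking the original error message. The `-n` guard is the important part and is right; since this is an `rm -rf` driven by a variable, a stricter shape such as `case $TMP_DIR in /tmp/*) rm -rf "$TMP_DIR" ;; esac` would be cheap insurance against a mis-set TMP_DIR. Separately, confirm that `stop_firewall` removes TMP_DIR on the non-check path, otherwise the "fails to remove a temporary directory from /tmp" fix listed in the changelog only covers `shorewall check`.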
@ -1130,6 +1134,9 @@ setup_tunnels() # $1 = name of tunnels file
gre|GRE) gre|GRE)
setup_one_other GRE $gateway 47 setup_one_other GRE $gateway 47
;; ;;
6to4|6TO4)
setup_one_other 6to4 $gateway 41
;;
pptpclient|PPTPCLIENT) pptpclient|PPTPCLIENT)
setup_pptp_client $gateway setup_pptp_client $gateway
;; ;;
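Review bot: protocol 41 in `setup_one_other 6to4 $gateway 41` is the IANA number for IPv6 encapsulated in IPv4, so the rule is correct, but like the GRE branch above (47) it leaves the reader to know the number; a trailing comment on the new line, e.g. `setup_one_other 6to4 $gateway 41 # IPv6-in-IPv4`, would help the next person reading the case statement.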
@ -1316,7 +1323,7 @@ setup_mac_lists() {
done done
[ -n "$logpart" ] && \ [ -n "$logpart" ] && \
run_iptables -A $chain $logpart "Shorewall:$chain:$MACLIST_DISPOSITION:" run_iptables -A $chain $logpart "${LOGMARKER}$chain:$MACLIST_DISPOSITION:"
run_iptables -A $chain -j $maclist_target run_iptables -A $chain -j $maclist_target
done done
@ -2015,11 +2022,11 @@ add_a_rule()
if [ "$loglevel" = ULOG ]; then if [ "$loglevel" = ULOG ]; then
run_iptables2 -A $chain $proto $multiport \ run_iptables2 -A $chain $proto $multiport \
$state $cli $sports $serv $dports -j ULOG $LOGPARMS \ $state $cli $sports $serv $dports -j ULOG $LOGPARMS \
--ulog-prefix "Shorewall:$chain:$logtarget:" --ulog-prefix "${LOGMARKER}$chain:$logtarget:"
else else
run_iptables2 -A $chain $proto $multiport \ run_iptables2 -A $chain $proto $multiport \
$state $cli $sports $serv $dports -j LOG $LOGPARMS \ $state $cli $sports $serv $dports -j LOG $LOGPARMS \
--log-prefix "Shorewall:$chain:$logtarget:" \ --log-prefix "${LOGMARKER}$chain:$logtarget:" \
--log-level $loglevel --log-level $loglevel
fi fi
fi fi
@ -2042,11 +2049,11 @@ add_a_rule()
if [ "$loglevel" = ULOG ]; then if [ "$loglevel" = ULOG ]; then
run_iptables2 -A $chain $proto $multiport \ run_iptables2 -A $chain $proto $multiport \
$dest_interface $state $cli $sports $dports -j ULOG \ $dest_interface $state $cli $sports $dports -j ULOG \
$LOGPARMS --ulog-prefix "Shorewall:$chain:$logtarget:" $LOGPARMS --ulog-prefix "${LOGMARKER}$chain:$logtarget:"
else else
run_iptables2 -A $chain $proto $multiport \ run_iptables2 -A $chain $proto $multiport \
$dest_interface $state $cli $sports $dports -j LOG \ $dest_interface $state $cli $sports $dports -j LOG \
$LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \ $LOGPARMS --log-prefix "${LOGMARKER}$chain:$logtarget:" \
--log-level $loglevel --log-level $loglevel
fi fi
fi fi
@ -2551,10 +2558,10 @@ policy_rules() # $1 = chain to add rules to
if [ $# -eq 3 -a "x${3}" != "x-" ]; then if [ $# -eq 3 -a "x${3}" != "x-" ]; then
if [ "$3" = ULOG ]; then if [ "$3" = ULOG ]; then
run_iptables -A $1 -j ULOG $LOGPARMS \ run_iptables -A $1 -j ULOG $LOGPARMS \
--ulog-prefix "Shorewall:${1}:${2}:" --ulog-prefix "${LOGMARKER}${1}:${2}:"
else else
run_iptables -A $1 -j LOG $LOGPARMS \ run_iptables -A $1 -j LOG $LOGPARMS \
--log-prefix "Shorewall:${1}:${2}:" --log-level $3 --log-prefix "${LOGMARKER}${1}:${2}:" --log-level $3
fi fi
fi fi
@ -2878,11 +2885,11 @@ add_blacklist_rule() {
if [ "$BLACKLIST_LOGLEVEL" = ULOG ]; then if [ "$BLACKLIST_LOGLEVEL" = ULOG ]; then
run_iptables2 -A blacklst $source $proto $dport -j \ run_iptables2 -A blacklst $source $proto $dport -j \
ULOG $LOGPARMS --ulog-prefix \ ULOG $LOGPARMS --ulog-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" "${LOGMARKER}blacklst:$BLACKLIST_DISPOSITION:"
else else
run_iptables2 -A blacklst $source $proto $dport -j \ run_iptables2 -A blacklst $source $proto $dport -j \
LOG $LOGPARMS --log-prefix \ LOG $LOGPARMS --log-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \ "${LOGMARKER}blacklst:$BLACKLIST_DISPOSITION:" \
--log-level $BLACKLIST_LOGLEVEL --log-level $BLACKLIST_LOGLEVEL
fi fi
fi fi
@ -3198,6 +3205,7 @@ initialize_netfilter () {
# #
# Enable the Loopback interface # Enable the Loopback interface
#
run_iptables -A INPUT -i lo -j ACCEPT run_iptables -A INPUT -i lo -j ACCEPT
run_iptables -A OUTPUT -o lo -j ACCEPT run_iptables -A OUTPUT -o lo -j ACCEPT
@ -3221,10 +3229,10 @@ initialize_netfilter () {
if [ -n "$LOGNEWNOTSYN" ]; then if [ -n "$LOGNEWNOTSYN" ]; then
if [ "$LOGNEWNOTSYN" = ULOG ]; then if [ "$LOGNEWNOTSYN" = ULOG ]; then
run_iptables -A newnotsyn -j ULOG $LOGPARMS \ run_iptables -A newnotsyn -j ULOG $LOGPARMS \
--ulog-prefix "Shorewall:newnotsyn:DROP:" --ulog-prefix "${LOGMARKER}newnotsyn:DROP:"
else else
run_iptables -A newnotsyn -j LOG $LOGPARMS \ run_iptables -A newnotsyn -j LOG $LOGPARMS \
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN --log-prefix "${LOGMARKER}newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
fi fi
fi fi
@ -3299,16 +3307,26 @@ add_common_rules() {
logdisp() # $1 = Chain Name logdisp() # $1 = Chain Name
{ {
if [ "$RFC1918_LOG_LEVEL" = ULOG ]; then if [ "$RFC1918_LOG_LEVEL" = ULOG ]; then
echo "ULOG $LOGPARMS --ulog-prefix Shorewall:${1}:DROP:" echo "ULOG $LOGPARMS --ulog-prefix ${LOGMARKER}${1}:DROP:"
else else
echo "LOG $LOGPARMS --log-prefix Shorewall:${1}:DROP: --log-level $RFC1918_LOG_LEVEL" echo "LOG $LOGPARMS --log-prefix ${LOGMARKER}${1}:DROP: --log-level $RFC1918_LOG_LEVEL"
fi fi
} }
# #
# Reject Rules # Reject Rules
# #
run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
run_iptables -A reject -j REJECT run_iptables -A reject -p udp -j REJECT
#
# Not all versions of iptables support these so don't complain if they don't work
#
qt iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
if ! qt iptables -A reject -j REJECT --reject-with icmp-host-prohibited; then
#
# In case the above doesn't work
#
run_iptables -A reject -j REJECT
fi
# #
# dropunclean rules # dropunclean rules
# #
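Review bot: the two new ICMP reject rules call `qt iptables` directly instead of `run_iptables`, which every other rule in this function goes through; if run_iptables adds anything (an explicit iptables path, error capture), those two inserts bypass it, so prefer `qt run_iptables ...` or whatever wrapper the rest of the script uses for optional rules. The fallback logic itself reads correctly: tcp gets a RST, udp a port-unreachable (the REJECT default, so identical to the old behaviour), icmp a host-unreachable, everything else host-prohibited, and plain REJECT only if the last insert fails. Because `qt` swallows the icmp failure, an old iptables silently ends up with ICMP handled by whichever catch-all succeeded; the comment should say so. Worth stating in the comment as well: the Linux ICMP sender refuses to answer an ICMP error with another ICMP error (RFC 1122), so `-p icmp -j REJECT --reject-with icmp-host-unreachable` only ever affects ICMP requests such as echo, never error packets. Finally, `logdisp` now echoes `${LOGMARKER}${1}:DROP:` unquoted into a string its callers word-split, so a LOGMARKER containing whitespace would break here even though the quoted uses in add_a_rule survive it.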
@ -3319,10 +3337,10 @@ add_common_rules() {
if [ -n "$LOGUNCLEAN" ]; then if [ -n "$LOGUNCLEAN" ]; then
if [ "$LOGUNCLEAN" = ULOG ]; then if [ "$LOGUNCLEAN" = ULOG ]; then
logoptions="-j ULOG $LOGPARMS --ulog-prefix Shorewall:badpkt:DROP:" logoptions="-j ULOG $LOGPARMS --ulog-prefix ${LOGMARKER}badpkt:DROP:"
logoptions="$logoptions --log-ip-options" logoptions="$logoptions --log-ip-options"
else else
logoptions="-j LOG $LOGPARMS --log-prefix Shorewall:badpkt:DROP:" logoptions="-j LOG $LOGPARMS --log-prefix ${LOGMARKER}badpkt:DROP:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
fi fi
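Review bot: `logoptions="-j LOG $LOGPARMS --log-prefix ${LOGMARKER}badpkt:DROP:"` builds an argument list that is expanded unquoted when handed to iptables, so unlike the quoted `"${LOGMARKER}$chain:$logtarget:"` in add_a_rule it breaks if LOGMARKER contains a space or a shell glob character; either validate LOGMARKER once in do_initialize or pass the prefix through the same quoting add_a_rule uses.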
@ -3351,10 +3369,10 @@ add_common_rules() {
[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info [ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
if [ "$LOGUNCLEAN" = ULOG ]; then if [ "$LOGUNCLEAN" = ULOG ]; then
logoptions="-j ULOG $LOGPARMS --ulog-prefix Shorewall:logpkt:LOG:" logoptions="-j ULOG $LOGPARMS --ulog-prefix ${LOGMARKER}logpkt:LOG:"
logoptions="$logoptions --log-ip-options" logoptions="$logoptions --log-ip-options"
else else
logoptions="-j LOG $LOGPARMS --log-prefix Shorewall:logpkt:LOG:" logoptions="-j LOG $LOGPARMS --log-prefix ${LOGMARKER}logpkt:LOG:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
fi fi
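Review bot: the context line `[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info` just above the changed lines is missing a space after `-z`: `[ -zinfo ]` is a one-argument test that is true for any non-empty string, so LOGUNCLEAN is unconditionally reset to `info` here and the `ULOG` comparison that follows can never match for the logpkt chain. Pre-existing, but it sits right next to the lines this commit touches, so fix it to `[ -z "$LOGUNCLEAN" ] && LOGUNCLEAN=info`. As with the badpkt block, the new `${LOGMARKER}logpkt:LOG:` lives in a `logoptions` string that is expanded unquoted later, so LOGMARKER must not contain whitespace.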
@ -3455,12 +3473,12 @@ add_common_rules() {
if [ "$TCP_FLAGS_LOG_LEVEL" = ULOG ]; then if [ "$TCP_FLAGS_LOG_LEVEL" = ULOG ]; then
run_iptables -A logflags -j ULOG $LOGPARMS \ run_iptables -A logflags -j ULOG $LOGPARMS \
--ulog-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \ --ulog-prefix "${LOGMARKER}logflags:$TCP_FLAGS_DISPOSITION:" \
--log-tcp-options --log-ip-options --log-tcp-options --log-ip-options
else else
run_iptables -A logflags -j LOG $LOGPARMS \ run_iptables -A logflags -j LOG $LOGPARMS \
--log-level $TCP_FLAGS_LOG_LEVEL \ --log-level $TCP_FLAGS_LOG_LEVEL \
--log-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \ --log-prefix "${LOGMARKER}logflags:$TCP_FLAGS_DISPOSITION:" \
--log-tcp-options --log-ip-options --log-tcp-options --log-ip-options
fi fi
case $TCP_FLAGS_DISPOSITION in case $TCP_FLAGS_DISPOSITION in
@ -4326,6 +4344,7 @@ do_initialize() {
SHARED_DIR=/usr/share/shorewall SHARED_DIR=/usr/share/shorewall
FUNCTIONS= FUNCTIONS=
VERSION_FILE= VERSION_FILE=
LOGMARKER=
stopping= stopping=
have_mutex= have_mutex=
@ -4452,6 +4471,8 @@ do_initialize() {
CLEAR_TC= CLEAR_TC=
fi fi
[ -n "$LOGMARKER" ] || LOGMARKER="Shorewall:"
# #
# Strip the files that we use often # Strip the files that we use often
# #
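Review bot: `[ -n "$LOGMARKER" ] || LOGMARKER="Shorewall:"` sets the default but performs no validation, and the value now lands in every `--log-prefix`. iptables caps a LOG `--log-prefix` at 29 characters (the ULOG prefix is similarly bounded), and suffixes such as `logflags:$TCP_FLAGS_DISPOSITION:` or `$chain:$logtarget:` with a user-named chain already consume most of that with the default marker, so a longer user-supplied LOGMARKER makes iptables reject the rule at start-up with a message that names no configuration key. Suggest checking the length here, and rejecting whitespace (which breaks the unquoted `logoptions` strings in add_common_rules), via fatal_error with a message naming LOGMARKER, so the failure is reported against shorewall.conf rather than against an iptables command.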

View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.3 VERSION=1.4.3a
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -19,3 +19,19 @@ New Features:
(http://www.fireparse.com) by setting LOGMARKER="fp=" in (http://www.fireparse.com) by setting LOGMARKER="fp=" in
/etc/shorewall/shorewall.conf. Note: You may not use ULOG /etc/shorewall/shorewall.conf. Note: You may not use ULOG
with fireparse unless you modify fireparse. with fireparse unless you modify fireparse.
3) If you are running iptables 1.2.7a and kernel 2.4.20, then
Shorewall will return reject replies as follows:
a) tcp - RST
b) udp - ICMP port unreachable
c) icmp - ICMP host unreachable
d) Otherwise - ICMP host prohibited
If you are running earlier software, Shorewall will follow it's
traditional convention:
a) tcp - RST
b) Otherwise - ICMP port unreachable
4) UDP Port 135 is now silently dropped in the common.def chain.
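Review bot: "it's traditional convention" should be "its". Item 3 also reads as if the new replies depend on exactly iptables 1.2.7a and kernel 2.4.20, whereas the code simply tries `--reject-with icmp-host-unreachable` and `icmp-host-prohibited` and falls back when iptables refuses them; phrasing it as "if your iptables and kernel support the host-unreachable and host-prohibited reject types" stays accurate for later versions too. Item 4 promises that UDP 135 is "silently dropped"; verify that the common.def rule uses a DROP disposition rather than the `reject` chain, because after this commit that chain answers UDP with an ICMP port unreachable, which is not silent.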

View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.4.3 %define version 1.4.3a
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Mon May 19 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.3a-1
* Sun May 18 2003 Tom Eastep <tom@shorewall.net> * Sun May 18 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.3-1 - Changed version to 1.4.3-1
* Mon Apr 07 2003 Tom Eastep <tom@shorewall.net> * Mon Apr 07 2003 Tom Eastep <tom@shorewall.net>

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.3 VERSION=1.4.3a
usage() # $1 = exit status usage() # $1 = exit status
{ {