1) Remove trailing white space.

2) Improve detection of white space in comma-separated lists.
3) Fix a typo in the INSTALL file.


git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@464 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-02-23 14:10:37 +00:00
parent 5f9ff7336a
commit 21cb22303f
27 changed files with 279 additions and 256 deletions


@ -27,7 +27,7 @@ o If you have an earlier version of Shoreline Firewall installed,see the
o Edit the configuration files to fit your environment.
To do this, I strongly advise you to follow the instructions at:
http://www.shorewall.net/shorewall_quickstart_guide.htm
o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
@ -35,8 +35,8 @@ o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
o For other distributions, determine where your distribution installs
init scripts and type "./install.sh <init script directory>"
o Start the firewall by typing "shorewall start"
o If the install script was unable to configure Shoreline Firewall to
start audomatically at boot, see the HTML documentation contains in the
o If the install script was unable to configure Shoreline Firewall to
start automatically at boot, see the HTML documentation contains in the
"documentation" directory.
Upgrade:
@ -44,4 +44,4 @@ Upgrade:
o run the install script as described above.
o shorewall restart


@ -9,7 +9,7 @@
#
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
#
# MAC addresses must be prefixed with "~" and use "-"
# MAC addresses must be prefixed with "~" and use "-"
# as a separator.
#
# Example: ~00-A0-C9-15-39-78
@ -27,7 +27,7 @@
# /etc/shorewall/shorewall.conf
#
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked.
# the protocol (and one of the ports if PORTS supplied) are blocked.
#
# Example:
#


@ -1,7 +1,7 @@
############################################################################
# Shorewall 1.4 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of
# This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file,
# the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect").


@ -1,16 +1,16 @@
#!/bin/sh
#
# Script to back out the installation of Shoreline Firewall and to restore the previous version of
# Script to back out the installation of Shoreline Firewall and to restore the previous version of
# the program
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://seattlefirewall.dyndns.org
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
@ -25,7 +25,7 @@
# Usage:
#
# You may only use this script to back out the installation of the version
# shown below. Simply run this script to revert to your prior version of
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.0-Beta1
@ -46,7 +46,7 @@ restore_file() # $1 = file to restore
echo "ERROR: Could not restore $1"
exit 1
fi
fi
fi
}
if [ ! -f /usr/share/shorewall/version-${VERSION}.bkout ]; then
@ -77,7 +77,7 @@ restore_file /sbin/shorewall
[ -f /etc/shorewall.conf.$VERSION ] && rm -f /etc/shorewall.conf.$VERSION
restore_file /etc/shorewall/shorewall.conf
restore_file /etc/shorewall/functions
restore_file /usr/lib/shorewall/functions
restore_file /var/lib/shorewall/functions
@ -92,7 +92,7 @@ restore_file /etc/shorewall/zones
restore_file /etc/shorewall/policy
restore_file /etc/shorewall/interfaces
restore_file /etc/shorewall/hosts
restore_file /etc/shorewall/rules


@ -2,7 +2,7 @@
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.4 3/14/2003
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
#
@ -12,7 +12,7 @@
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
@ -29,13 +29,13 @@
#
# Commands are:
#
# shorewall start Starts the firewall
# shorewall start Starts the firewall
# shorewall restart Restarts the firewall
# shorewall stop Stops the firewall
# shorewall status Displays firewall status
# shorewall reset Resets iptabless packet and
# byte counts
# shorewall clear Remove all Shorewall chains
# shorewall clear Remove all Shorewall chains
# and rules/policies.
# shorewall refresh . Rebuild the common chain
# shorewall check Verify the more heavily-used
@ -258,7 +258,7 @@ chain_exists() # $1 = chain name
{
qt iptables -L $1 -n
}
#
# Query NetFilter about the existence of a mangle chain
#
@ -266,7 +266,7 @@ mangle_chain_exists() # $1 = chain name
{
qt iptables -t mangle -L $1 -n
}
#
# Ensure that a chain exists (create it if it doesn't)
#
@ -340,7 +340,7 @@ deletechain() # $1 = name of chain
is_policy_chain() # $1 = name of chain
{
eval test \"\$${1}_is_policy\" = Yes
}
}
#
# Set a standard chain's policy
@ -373,7 +373,7 @@ chain_base() #$1 = interface
{
local c=${1%%+*}
case $c in
case $c in
*.*)
echo ${c%.*}_${c#*.}
;;
@ -387,7 +387,7 @@ chain_base() #$1 = interface
# Find interfaces to a given zone
#
# Search the variables representing the contents of the interfaces file and
# for each record matching the passed ZONE, echo the expanded contents of
# for each record matching the passed ZONE, echo the expanded contents of
# the "INTERFACE" column
#
find_interfaces() # $1 = interface zone
@ -496,7 +496,7 @@ determine_interfaces() {
eval ${zone}_interfaces=\"\$interfaces\"
done
}
#
# Determine the defined hosts in each zone and generate report
#
@ -517,7 +517,7 @@ determine_hosts() {
done
interfaces=
for host in $hosts; do
interface=${host%:*}
if ! list_search $interface $interfaces; then
@ -537,7 +537,7 @@ determine_hosts() {
display_list "$display Zone:" $hosts
else
error_message "Warning: Zone $zone is empty"
fi
fi
done
}
@ -559,7 +559,7 @@ validate_interfaces_file() {
[ "x$z" = "x-" ] && z=
if [ -n "$z" ]; then
if [ -n "$z" ]; then
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
fi
@ -575,11 +575,11 @@ validate_interfaces_file() {
startup_error "Invalid Interface Name: $interface"
;;
esac
all_interfaces="$all_interfaces $interface"
options=`separate_list $options`
interface=`chain_base $interface`
eval ${interface}_broadcast="$subnet"
eval ${interface}_zone="$z"
eval ${interface}_options=\"$options\"
@ -595,7 +595,7 @@ validate_interfaces_file() {
;;
esac
done
[ -z "$all_interfaces" ] && startup_error "No Interfaces Defined"
done < $TMP_DIR/interfaces
@ -637,7 +637,7 @@ validate_hosts_file() {
mac_match() # $1 = MAC address formated as described above
{
echo "--match mac --mac-source `echo $1 | sed 's/~//;s/-/:/g'`"
}
}
#
# validate a record from the rules file
@ -655,7 +655,7 @@ validate_rule() {
#
validate_list() {
local temp="`separate_list $1`"
[ `echo $temp | wc -w` -le 15 ]
}
@ -858,7 +858,7 @@ validate_rule() {
[ -z "$clientzone" -o -z "$clients" ] && \
startup_error "Empty source zone or qualifier: rule \"$rule\""
fi
if [ "$clientzone" = "${clientzone%\!*}" ]; then
excludezones=
else
@ -1036,7 +1036,7 @@ validate_policy()
[ "x$chain" = "x${FW}2${FW}" ] && \
startup_error "fw->fw policy not allowed: $policy"
if is_policy_chain $chain ; then
startup_error "Duplicate policy $policy"
fi
@ -1067,7 +1067,7 @@ validate_policy()
else
for zone in $zones $FW all; do
eval pc=\$${zone}2${server}_policychain
if [ -z "$pc" ]; then
eval ${zone}2${server}_policychain=$chain
print_policy $zone $server
@ -1077,16 +1077,16 @@ validate_policy()
elif [ -n "$serverwild" ]; then
for zone in $zones $FW all; do
eval pc=\$${client}2${zone}_policychain
if [ -z "$pc" ]; then
eval ${client}2${zone}_policychain=$chain
eval ${client}2${zone}_policychain=$chain
print_policy $client $zone
fi
done
else
eval ${chain}_policychain=${chain}
print_policy $client $server
fi
fi
done < $TMP_DIR/policy
}
@ -1116,7 +1116,7 @@ find_broadcasts() {
find_interface_broadcasts() # $1 = Interface name
{
eval bcast=\$`chain_base ${1}`_broadcast
if [ "x$bcast" = "xdetect" ]; then
addr="`ip addr show $interface 2> /dev/null`"
if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
@ -1127,7 +1127,7 @@ find_interface_broadcasts() # $1 = Interface name
elif [ "x${bcast}" != "x-" ]; then
echo `separate_list $bcast`
fi
}
#
@ -1136,7 +1136,7 @@ find_interface_broadcasts() # $1 = Interface name
#
find_interface_address() # $1 = interface
{
#
#
# get the line of output containing the first IP address
#
addr=`ip addr show $1 2> /dev/null | grep inet | head -n1`
@ -1177,7 +1177,7 @@ find_hosts_by_option() # $1 = option
eval options=\$`chain_base ${interface}`_options
list_search $1 $options && \
echo ${interface}:0.0.0.0/0
done
done
}
#
@ -1240,6 +1240,8 @@ stop_firewall() {
stopping="Yes"
terminator=
deletechain shorewall
run_user_exit stop
@ -1260,7 +1262,7 @@ stop_firewall() {
hosts=
strip_file routestopped
strip_file routestopped
while read interface host; do
expandv interface host
@ -1330,7 +1332,7 @@ clear_firewall() {
run_iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
@ -1357,7 +1359,7 @@ setup_tunnels() # $1 = name of tunnels file
run_iptables -A $outchain -p 51 -d $1 -j ACCEPT
run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
if [ $2 = ipsec ]; then
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
else
@ -1464,7 +1466,7 @@ setup_tunnels() # $1 = name of tunnels file
else
error_message "Invalid gateway zone ($z)" \
" -- Tunnel \"$tunnel\" Ignored"
fi
fi
done < $TMP_DIR/tunnels
}
@ -1579,7 +1581,7 @@ setup_mac_lists() {
if ! havechain $chain ; then
fatal_error "No hosts on $interface have the maclist option specified"
fi
macpart=`mac_match $mac`
if [ -z "$addresses" ]; then
@ -1643,13 +1645,13 @@ setup_mac_lists() {
for hosts in $maclist_hosts; do
interface=${hosts%:*}
hosts=${hosts#*:}
for chain in `first_chains $interface` ; do
for chain in `first_chains $interface` ; do
run_iptables -A $chain -s $hosts -m state --state NEW \
-j `mac_chain $interface`
done
done
}
}
#
# Set up SYN flood protection
#
@ -1670,7 +1672,7 @@ setup_syn_flood_chain ()
#
# Enable SYN flood protection on a chain
#
#
# Insert a jump rule to the protection chain from the first chain. Inserted
# as the second rule and restrict the jump to SYN packets
#
@ -1714,7 +1716,7 @@ setup_nat() {
while read external interface internal allints localnat; do
expandv external interface internal allints localnat
iface=${interface%:*}
if [ -n "$ADD_IP_ALIASES" ]; then
@ -1725,7 +1727,7 @@ setup_nat() {
then
addnatrule nat_in -d $external -j DNAT --to-destination $internal
addnatrule nat_out -s $internal -j SNAT --to-source $external
if [ "$localnat" = "Yes" -o "$localnat" = "yes" ]; then
run_iptables2 -t nat -A OUTPUT -d $external \
-j DNAT --to-destination $internal
@ -1765,7 +1767,7 @@ delete_nat() {
}
#
# Process a TC Rule - $marking_chain is assumed to contain the name of the
# Process a TC Rule - $marking_chain is assumed to contain the name of the
# default marking chain
#
process_tc_rule()
@ -1789,17 +1791,17 @@ process_tc_rule()
if ! list_search $source $all_interfaces; then
fatal_error "Unknown interface $source in rule \"$rule\""
fi
r="-i $source "
;;
esac
fi
if [ "$mark" != "${mark%:*}" ]; then
[ "$chain" = tcout ] && \
fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
case "${mark#*:}" in
p|P)
chain=tcpre
@ -1814,7 +1816,7 @@ process_tc_rule()
mark="${mark%:*}"
fi
[ "x$dest" = "x-" ] || r="${r}-d $dest "
[ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port "
@ -1844,7 +1846,7 @@ setup_tc1() {
#
# Create the TC mangle chains
#
run_iptables -t mangle -N tcpre
run_iptables -t mangle -N tcfor
run_iptables -t mangle -N tcout
@ -1861,7 +1863,7 @@ setup_tc1() {
#
# Link to the TC mangle chains from the main chains
#
run_iptables -t mangle -A FORWARD -j tcfor
run_iptables -t mangle -A PREROUTING -j tcpre
run_iptables -t mangle -A OUTPUT -j tcout
@ -1912,7 +1914,7 @@ refresh_tc() {
[ -n "$CLEAR_TC" ] && delete_tc
[ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
if mangle_chain_exists $chain; then
#
# Flush the TC mangle chains
@ -1928,7 +1930,7 @@ refresh_tc() {
while read mark sources dests proto ports sports; do
expandv mark sources dests proto ports sports
rule=`echo "$mark $sources $dests $proto $ports $sports"`
process_tc_rule
process_tc_rule
done < $TMP_DIR/tcrules
run_user_exit tcstart
@ -1957,7 +1959,7 @@ add_nat_rule() {
local chain
# Be sure we should and can NAT
case $logtarget in
DNAT|REDIRECT)
if [ -z "$NAT_ENABLED" ]; then
@ -2013,7 +2015,7 @@ add_nat_rule() {
$multiport $dports -j $target1
else
chain=`dnat_chain $source`
if [ -n "$excludezones" ]; then
chain=nonat${nonat_seq}
nonat_seq=$(($nonat_seq + 1))
@ -2029,7 +2031,7 @@ add_nat_rule() {
done
done
fi
for adr in $addr; do
addnatrule $chain $proto $cli $sports \
-d $adr $multiport $dports -j $target1
@ -2056,7 +2058,7 @@ add_nat_rule() {
for source_host in $source_hosts; do
[ "x${source_host#*:}" = "x0.0.0.0/0" ] && \
error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\""
addnatrule `snat_chain $dest` \
-s ${source_host#*:} $proto $sports $multiport \
-d $serv $dports -j SNAT --to-source $snat
@ -2171,7 +2173,7 @@ add_a_rule()
proto="${proto:+-p $proto}"
# Some misc. setup
case "$logtarget" in
REJECT)
target=reject
@ -2194,7 +2196,7 @@ add_a_rule()
esac
# Complain if the rule is really a policy
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then
error_message "Warning -- Rule \"$rule\" is a POLICY"
error_message " -- and should be moved to the policy file"
@ -2267,7 +2269,7 @@ process_rule() # $1 = target
# $4 = protocol
# $5 = ports
# $6 = cports
# $7 = address
# $7 = address
{
local target="$1"
local clients="$2"
@ -2279,7 +2281,7 @@ process_rule() # $1 = target
local rule="`echo $target $clients $servers $protocol $ports $cports $address`"
# Function Body -- isolate log level
if [ "$target" = "${target%:*}" ]; then
loglevel=
else
@ -2328,7 +2330,7 @@ process_rule() # $1 = target
[ -z "$clientzone" -o -z "$clients" ] && \
fatal_error "Empty source zone or qualifier: rule \"$rule\""
fi
if [ "$clientzone" = "${clientzone%\!*}" ]; then
excludezones=
else
@ -2457,20 +2459,20 @@ process_rules() # $1 = name of rules file
process_wildcard_rule
continue
fi
if [ "x$xservers" = xall ]; then
xservers="$zones $FW"
process_wildcard_rule
continue
fi
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress
;;
*)
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`"
fatal_error "Invalid Target in rule \"$rule\""
;;
esac
done < $TMP_DIR/rules
}
@ -2866,7 +2868,7 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
local policychain=
run_user_exit $1
eval policychain=\$${2}2${3}_policychain
if [ -n "$policychain" ]; then
@ -2891,7 +2893,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
local chain=${1}2${2}
havechain $chain && { echo $chain; return; }
eval chain=\$${chain}_policychain
[ -n "$chain" ] && { echo $chain; return; }
@ -2952,7 +2954,7 @@ setup_masq()
if ! list_search $interface $all_interfaces; then
fatal_error "Unknown interface $interface"
fi
if [ "$subnet" = "${subnet%!*}" ]; then
nomasq=
else
@ -2964,7 +2966,7 @@ setup_masq()
iface=
source="$subnet"
case $subnet in
*.*.*)
;;
@ -2987,7 +2989,7 @@ setup_masq()
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
list_search $address $aliases_to_add || \
aliases_to_add="$aliases_to_add $address $fullinterface"
aliases_to_add="$aliases_to_add $address $fullinterface"
fi
destination=$destnet
@ -2995,7 +2997,7 @@ setup_masq()
if [ -n "$nomasq" ]; then
newchain=masq${masq_seq}
createnatchain $newchain
if [ -n "$subnet" ]; then
for s in $subnet; do
addnatrule $chain -d $destnet $iface -s $s -j $newchain
@ -3013,7 +3015,7 @@ setup_masq()
for addr in `separate_list $nomasq`; do
addnatrule $chain -s $addr -j RETURN
done
source="$source except $nomasq"
else
destnet="-d $destnet"
@ -3097,13 +3099,13 @@ process_blacklist_rec() {
source="-s $addr"
;;
esac
if [ -n "$protocol" ]; then
proto=" -p $protocol "
case $protocol in
tcp|TCP|6|udp|UDP|17)
if [ -n "$ports" ]; then
if [ -n "$ports" ]; then
if [ -n "$MULTIPORT" -a \
"$ports" != "${ports%,*}" -a \
"$ports" = "${ports%:*}" -a \
@ -3144,7 +3146,7 @@ process_blacklist_rec() {
elif [ -n "$protocol" ]; then
addr="$addr $protocol"
fi
echo " $addr added to Black List"
done
}
@ -3168,7 +3170,7 @@ setup_blacklist() {
for chain in `first_chains $interface`; do
run_iptables -A $chain -j blacklst
done
echo " Blacklisting enabled on $interface"
done
@ -3230,7 +3232,7 @@ add_ip_aliases()
local interface
local primary
do_one()
do_one()
{
#
# Folks feel uneasy if they don't see all of the same
@ -3262,7 +3264,7 @@ add_ip_aliases()
}
set -- $aliases_to_add
while [ $# -gt 0 ]; do
external=$1
interface=$2
@ -3273,7 +3275,7 @@ add_ip_aliases()
interface="${interface%:*}"
label="label $interface:$label"
fi
primary=`find_interface_address $interface`
shift;shift
[ "x${primary}" = "x${external}" ] || do_one
@ -3337,7 +3339,7 @@ initialize_netfilter () {
determine_interfaces
determine_hosts
run_user_exit init
#
@ -3345,12 +3347,14 @@ initialize_netfilter () {
# (restart command). This reduces the length of time that the firewall isn't
# accepting new connections.
#
strip_file rules
strip_file proxyarp
strip_file maclist
strip_file nat
terminator=fatal_error
deletechain shorewall
[ -n "$NAT_ENABLED" ] && delete_nat
@ -3368,7 +3372,7 @@ initialize_netfilter () {
setpolicy INPUT DROP
setpolicy OUTPUT DROP
setpolicy FORWARD DROP
deleteallchains
setcontinue FORWARD
@ -3388,13 +3392,13 @@ initialize_netfilter () {
run_iptables -A FORWARD -p tcp \
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no
run_user_exit newnotsyn
if [ -n "$LOGNEWNOTSYN" ]; then
if [ "$LOGNEWNOTSYN" = ULOG ]; then
run_iptables -A newnotsyn -j ULOG
run_iptables -A newnotsyn -j ULOG
--ulog-prefix "Shorewall:newnotsyn:DROP:"
else
run_iptables -A newnotsyn -j LOG \
@ -3403,13 +3407,13 @@ initialize_netfilter () {
fi
run_iptables -A newnotsyn -j DROP
fi
fi
createchain icmpdef no
createchain common no
createchain reject no
createchain dynamic no
if [ -f /var/lib/shorewall/save ]; then
echo "Restoring dynamic rules..."
@ -3423,7 +3427,7 @@ initialize_netfilter () {
esac
done < /var/lib/shorewall/save
fi
echo "Creating input Chains..."
for interface in $all_interfaces; do
@ -3438,7 +3442,7 @@ initialize_netfilter () {
# Build the common chain -- called during [re]start and refresh
#
build_common_chain() {
#
# Common ICMP rules
#
@ -3459,7 +3463,7 @@ build_common_chain() {
if [ -n "$NEWNOTSYN" ]; then
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
fi
fi
#
# BROADCASTS
#
@ -3564,9 +3568,9 @@ add_common_rules() {
if [ -n "$norfc1918_interfaces" ]; then
echo "Enabling RFC1918 Filtering"
strip_file rfc1918
createchain rfc1918 no
createchain logdrop no
@ -3586,7 +3590,7 @@ add_common_rules() {
run_iptables -t mangle -A logdrop -j `logdisp man1918`
run_iptables -t mangle -A logdrop -j DROP
fi
while read subnet target; do
case $target in
logdrop|DROP|RETURN)
@ -3605,23 +3609,23 @@ add_common_rules() {
run_iptables2 -t mangle -A man1918 -d $subnet -j $target
fi
done < $TMP_DIR/rfc1918
for interface in $norfc1918_interfaces; do
for chain in `first_chains $interface`; do
run_iptables -A $chain -m state --state NEW -j rfc1918
done
[ -n "$MANGLE_ENABLED" ] && \
run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918
done
fi
interfaces=`find_interfaces_by_option tcpflags`
if [ -n "$interfaces" ]; then
echo "Setting up TCP Flags checking..."
createchain tcpflags no
if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then
@ -3661,7 +3665,7 @@ add_common_rules() {
# hosts a web server.
#
run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition
for interface in $interfaces; do
for chain in `first_chains $interface`; do
run_iptables -A $chain -p tcp -j tcpflags
@ -3678,7 +3682,7 @@ add_common_rules() {
#
run_iptables -A INPUT -i lo -j ACCEPT
run_iptables -A OUTPUT -o lo -j ACCEPT
#
# Route Filtering
#
@ -3789,7 +3793,7 @@ apply_policy_rules() {
#
# Activate the rules
#
activate_rules()
activate_rules()
{
local PREROUTING_rule=1
local POSTROUTING_rule=1
@ -3801,11 +3805,11 @@ activate_rules()
local sourcechain=$1 destchain=$2
shift
shift
havenatchain $destchain && \
run_iptables -t nat -A $sourcechain $@ -j $destchain
}
#
# Jump to a RULES chain from one of the builtin nat chains
#
@ -3817,7 +3821,7 @@ activate_rules()
local sourcechain=$1 destchain=$2
shift
shift
if havenatchain $destchain; then
if [ -n "$NAT_BEFORE_RULES" ]; then
run_iptables -t nat -A $sourcechain $@ -j $destchain
@ -3853,12 +3857,12 @@ activate_rules()
echo "$FW $zone $chain1" >> ${STATEDIR}/chains
echo "$zone $FW $chain2" >> ${STATEDIR}/chains
for host in $source_hosts; do
interface=${host%:*}
subnet=${host#*:}
run_iptables -A OUTPUT -o $interface -d $subnet -j $chain1
run_iptables -A OUTPUT -o $interface -d $subnet -j $chain1
#
# Add jumps from the builtin chains for DNAT and SNAT rules
@ -3887,7 +3891,7 @@ activate_rules()
interface=${host%:*}
subnet=${host#*:}
chain1=`forward_chain $interface`
if [ -n "$have_canonical" ]; then
bounce=yes
else
@ -4026,27 +4030,27 @@ define_firewall() # $1 = Command (Start or Restart)
#
check_config() {
echo "Verifying Configuration..."
verify_os_version
load_kernel_modules
echo "Determining Zones..."
determine_zones
[ -z "$zones" ] && startup_error "No Zones Defined"
display_list "Zones:" $zones
echo "Validating interfaces file..."
validate_interfaces_file
echo "Validating hosts file..."
validate_hosts_file
echo "Determining Hosts in Zones..."
determine_interfaces
@ -4055,11 +4059,11 @@ check_config() {
echo "Validating rules file..."
validate_rules
echo "Validating policy file..."
validate_policy
validate_policy
rm -rf $TMP_DIR
echo "Configuration Validated"
@ -4098,7 +4102,7 @@ refresh_firewall()
#
# Refresh Traffic Control
#
[ -n "$TC_ENABLED" ] && refresh_tc
[ -n "$TC_ENABLED" ] && refresh_tc
report "Shorewall Refreshed"
@ -4126,7 +4130,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
output_rule_num() {
local num=`iptables -L OUTPUT -n --line-numbers | grep icmp | cut -d' ' -f1 | head -n1`
[ -n "$num" ] && echo $(($num+1))
}
#
@ -4185,12 +4189,12 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
startup_error "$1 already in zone $zone"
fi
done
[ -z "$hosts" ] && hosts=$newhost || hosts="$hosts $newhost"
fi
eval ${z}_hosts=\"$hosts\"
echo "$z $hosts" >> ${STATEDIR}/zones_$$
done < ${STATEDIR}/zones
@ -4241,7 +4245,7 @@ setup_intrazone() # $1 = zone
rulenum=$(($rulenum + 1))
fi
do_iptables -I `input_chain $interface` $rulenum -s $host -j $chain
do_iptables -I `input_chain $interface` $rulenum -s $host -j $chain
else
#
# Insert rules into the passed interface's forward chain
@ -4254,7 +4258,7 @@ setup_intrazone() # $1 = zone
base=`chain_base $interface`
eval rulenum=\$${base}_rulenum
if [ -z "$rulenum" ]; then
if list_search $interface $blacklist_interfaces; then
rulenum=3
@ -4265,16 +4269,16 @@ setup_intrazone() # $1 = zone
if list_search $interface $maclist_interfaces; then
rulenum=$(($rulenum + 1))
fi
if list_search $interface $tcpflags_interfaces; then
rulenum=$(($rulenum + 1))
fi
fi
for h in $dest_hosts; do
iface=${h%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables -I $source_chain $rulenum -s $host -o $iface -d $hosts -j $chain
rulenum=$(($rulenum + 1))
@ -4297,7 +4301,7 @@ setup_intrazone() # $1 = zone
# We insert them after any blacklist rules
#
eval source_hosts=\"\$${z1}_hosts\"
for h in $source_hosts; do
iface=${h%:*}
hosts=${h#*:}
@ -4305,7 +4309,7 @@ setup_intrazone() # $1 = zone
base=`chain_base $iface`
eval rulenum=\$${base}_rulenum
if [ -z "$rulenum" ]; then
if list_search $iface $blacklist_interfaces; then
rulenum=3
@ -4326,7 +4330,7 @@ setup_intrazone() # $1 = zone
done < ${STATEDIR}/chains
echo "$1 added to zone $2"
}
}
#
# Delete a host or subnet from a zone
@ -4344,7 +4348,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
if [ "$z" = "$zone" ]; then
temp=$hosts
hosts=
for h in $temp; do
if [ "$h" = "$delhost" ]; then
echo Yes
@ -4353,7 +4357,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
fi
done
fi
echo "$z $hosts" >> ${STATEDIR}/zones_$$
done < ${STATEDIR}/zones
@ -4412,7 +4416,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then
qt iptables -D `input_chain $interface` -s $host -j $chain
qt iptables -D `input_chain $interface` -s $host -j $chain
else
source_chain=`forward_chain $interface`
eval dest_hosts=\"\$${z2}_hosts\"
@ -4420,7 +4424,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
for h in $dest_hosts $delhost; do
iface=${h%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt iptables -D $source_chain -s $host -o $iface -d $hosts -j $chain
fi
@ -4431,7 +4435,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
qt iptables -D OUTPUT -o $interface -d $host -j $chain
else
eval source_hosts=\"\$${z1}_hosts\"
for h in $source_hosts; do
iface=${h%:*}
hosts=${h#*:}
@ -4445,7 +4449,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
done < ${STATEDIR}/chains
echo "$1 removed from zone $2"
}
}
#
# Determine the value for a parameter that defaults to Yes
@ -4505,6 +4509,10 @@ do_initialize() {
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
#
# Establish termination function
#
terminator=startup_error
#
# Clear all configuration variables
#
version=
@ -4560,7 +4568,7 @@ do_initialize() {
else
config=/etc/shorewall/shorewall.conf
fi
if [ -f $config ]; then
. $config
else
@ -4631,7 +4639,7 @@ do_initialize() {
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
maclist_target=reject
if [ -n "$MACLIST_DISPOSITION" ] ; then
case $MACLIST_DISPOSITION in
REJECT)
@ -4800,7 +4808,7 @@ case "$command" in
do_initialize
check_config
;;
add)
[ $# -ne 3 ] && usage
do_initialize
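Review bot: `terminator=` added at the top of stop_firewall (hunk @ -1240) carries no comment, and the same global is assigned `fatal_error` in initialize_netfilter (@ -3345) and `startup_error` in do_initialize (@ -4505), where only the last of the three sites explains itself. This variable is what separate_list (functions file, further down this page) invokes by name when it finds a malformed comma-separated list, so clearing it silently turns that abort into a stderr warning for the stop path, and a reader of stop_firewall cannot see that from the hunk. Suggest `# Clear the terminator: a malformed list encountered while stopping only warns` at the first site and `# Validation errors from here on are fatal rather than startup errors` before `terminator=fatal_error`; the exact reason for the fatal/startup distinction is not visible here, so confirm it before adopting the wording. All three enclosing functions extend beyond their hunks.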


@ -4,9 +4,9 @@
#
# Suppress all output for a command
#
qt()
{
#
qt()
{
"$@" >/dev/null 2>&1
}
@ -25,15 +25,30 @@ find_file()
#
# Replace commas with spaces and echo the result
#
separate_list() {
separate_list() {
local list
local part
local newlist
#
# There's been whining about us not catching embedded white space in
# comma-separated lists. This is an attempt to snag some of the cases.
#
# The 'terminator' function will be set by the 'firewall' script to
# either 'startup_error' or 'fatal_error' depending on the command and
# command phase
#
case "$@" in
*,|,*|*,,*)
[ -n "$terminator" ] && \
$terminator "Invalid comma-separated list \"$@\""
echo "Warning -- invalid comma-separated list \"$@\"" >&2
;;
esac
list="$@"
part="${list%%,*}"
newlist="$part"
while [ "x$part" != "x$list" ]; do
list="${list#*,}";
part="${list%%,*}";
@ -69,7 +84,7 @@ find_display() # $1 = zone, $2 = name of the zone file
done
}
determine_zones()
determine_zones()
{
local zonefile=`find_file zones`
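Review bot: The new guard in separate_list matches only a leading, trailing or doubled comma (`*,|,*|*,,*`), so it does not actually catch the embedded-whitespace case the comment above it describes: when a caller passes `a, b` unquoted, the function receives the words `a,` and `b`, and whether `case "$@"` then tests `a,` or `a, b` depends on how the shell collapses `"$@"` into a single word, which is not portable. Using `"$*"` makes the joined form explicit, and two extra patterns catch a space on either side of a comma: `case "$*" in` / `*,|,*|*,,*|*", "*|*" ,"*)` with the same `"$*"` in the two messages. When `terminator` is empty the function warns and carries on, which looks intentional for the stop path but deserves a line such as `# No terminator set (e.g. during stop): warn and continue`. separate_list's body continues past the hunk.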


@ -18,14 +18,14 @@
# a) The IP address of a host
# b) A subnetwork in the form
# <subnet-address>/<mask width>
#
#
# The interface must be defined in the
# /etc/shorewall/interfaces file.
#
# Examples:
#
# eth1:192.168.1.3
# eth2:192.168.2.0/24
# eth2:192.168.2.0/24
#
# OPTIONS - A comma-separated list of options. Currently-defined
# options are:


@ -3,7 +3,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.4 3/14/2003
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
#
@ -13,7 +13,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
@ -30,7 +30,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
#
# Commands are:
#
# shorewall start Starts the firewall
# shorewall start Starts the firewall
# shorewall restart Restarts the firewall
# shorewall stop Stops the firewall
# shorewall status Displays firewall status
@ -62,7 +62,7 @@ usage() {
command="$1"
case "$command" in
stop|start|restart|status)
exec /sbin/shorewall $@


@ -2,14 +2,14 @@
#
# Script to install Shoreline Firewall
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
#
# Seawall documentation is available at http://seawall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
@ -24,7 +24,7 @@
# Usage:
#
# If you are running a distribution that has a directory called /etc/rc.d/init.d or one
# called /etc/init.d or you are running Slackware then simply cd to the directory
# called /etc/init.d or you are running Slackware then simply cd to the directory
# containing this script and run it.
#
# ./install.sh
@ -35,7 +35,7 @@
# ./install.sh /etc/rc.d/scripts
#
# The default is that the firewall will be started in run levels 2-5 starting at
# position 15 and stopping at position 90. This is correct RedHat/Mandrake, Debian,
# position 15 and stopping at position 90. This is correct RedHat/Mandrake, Debian,
# Caldera and Corel.
#
# If you wish to change that, you can pass -r "<levels startpos stoppos>".
@ -45,7 +45,7 @@
#
# ./install.sh -r "23 15 90"
#
# Example 2: You wish to start your firewall only in run level 3, start at position 5
# Example 2: You wish to start your firewall only in run level 3, start at position 5
# and stop at position 95.
#
# ./install.sh -r "3 5 95" /etc/rc.d/scripts
@ -103,7 +103,7 @@ delete_file() # $1 = file to delete
exit 1
fi
fi
}
}
modify_rclocal()
{
@ -116,11 +116,11 @@ modify_rclocal()
fi
else
cant_autostart
fi
fi
}
install_file_with_backup() # $1 = source $2 = target $3 = mode
{
{
backup_file $2
run_install -o $OWNER -g $GROUP -m $3 $1 ${2}
}
@ -182,7 +182,7 @@ while [ $# -gt 0 ] ; do
done
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# Determine where to install the firewall script
#
@ -224,7 +224,7 @@ fi
# Change to the directory containing this script
#
cd "`dirname $0`"
echo "Installing Shorewall Version $VERSION"
#
@ -263,12 +263,12 @@ if [ -n "$RUNLEVELS" ]; then
fi
install_file_with_backup init.temp ${PREFIX}${DEST}/$FIREWALL 0544
rm -f init.temp awk.tmp
else
install_file_with_backup init.sh ${PREFIX}${DEST}/$FIREWALL 0544
fi
echo
echo "Shorewall script installed in ${PREFIX}${DEST}/$FIREWALL"
@ -306,12 +306,12 @@ if [ -f ${PREFIX}/etc/shorewall/functions ]; then
backup_file ${PREFIX}/etc/shorewall/functions
rm -f ${PREFIX}/etc/shorewall/functions
fi
if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then
backup_file ${PREFIX}/var/lib/shorewall/functions
rm -f ${PREFIX}/var/lib/shorewall/functions
fi
install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
echo
@ -379,13 +379,13 @@ else
echo
echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
fi
#
#
# Install the Parameters file
#
if [ -f ${PREFIX}/etc/shorewall/params ]; then
backup_file /etc/shorewall/params
else
run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params
run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params
echo
echo "Parameter file installed as ${PREFIX}/etc/shorewall/params"
fi


@ -14,7 +14,7 @@
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should
# place "-" in this column.
#
#
# INTERFACE Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
@ -27,14 +27,14 @@
# column is left black.If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started, you must have iproute
# installed and the interface must only be associated
# with a single subnet.
#
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
@ -79,8 +79,8 @@
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
# proxyarp -
# Sets
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are
# employing Proxy ARP through entries in
@ -88,7 +88,7 @@
# intended soley for use with Proxy ARP
# sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.


@ -6,7 +6,7 @@
# Columns are:
#
# INTERFACE Network interface to a host
#
#
# MAC MAC address of the host -- you do not need to use
# the Shorewall format for MAC addresses here
#


@ -13,8 +13,8 @@
# /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
@ -25,7 +25,7 @@
# a subnet or as an interface. If you give the name of an
# interface, you must have iproute installed and the interface
# must be up before you start the firewall.
#
#
# In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude.
@ -37,17 +37,17 @@
#
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
# INTERFACE named in the first column.
#
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
# the address given in this column is the primary
# IP address for the interface in the INTERFACE
# column.
#
# This column may not contain a DNS Name.
# This column may not contain a DNS Name.
#
# Example 1:
#
@ -83,7 +83,7 @@
#
# You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to
# primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0.
#
# eth0:0 192.168.1.0/24 206.124.146.176


@ -17,7 +17,7 @@
# column and must not be a DNS Name.
# INTERFACE Interface that we want to EXTERNAL address to appear
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
# follow the interface name with ":" and a digit to
# follow the interface name with ":" and a digit to
# indicate that you want Shorewall to add the alias
# with this name (e.g., "eth0:0"). That allows you to
# see the alias with ifconfig. THAT IS THE ONLY THING


@ -4,7 +4,7 @@
#
# /etc/shorewall/proxyarp
#
# This file is used to define Proxy ARP.
# This file is used to define Proxy ARP.
#
# Columns must be separated by white space and are:
#


@ -68,4 +68,4 @@ Changes for 1.4 include:


@ -43,7 +43,7 @@
39.0.0.0/8 logdrop # Reserved
41.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved
60.0.0.0/8 logdrop # Reserved


@ -4,7 +4,7 @@
#
# /etc/shorewall/routestopped
#
# This file is used to define the hosts that are accessible when the
# This file is used to define the hosts that are accessible when the
# firewall is stopped
#
# Columns must be separated by white space and are:
@ -12,7 +12,7 @@
# INTERFACE - Interface through which host(s) communicate with
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# If left empty or supplied as "-",
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
#
# Example:


@ -24,7 +24,7 @@
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# DNAT- -- Advanced users only.
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
@ -122,7 +122,7 @@
# interpreted as the destination icmp-type(s).
#
# A port range is expressed as <low port>:<high port>.
#
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain
@ -153,7 +153,7 @@
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
# REDIRECT) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to


@ -2,7 +2,7 @@
#
# Shorewall Packet Filtering Firewall Control Program - V1.4 - 3/14/2003
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
#
@ -12,7 +12,7 @@
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
@ -23,7 +23,7 @@
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
#
# If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped.
#
@ -34,13 +34,13 @@
#
# shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone
# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
# shorewall start Starts the firewall
# shorewall start Starts the firewall
# shorewall restart Restarts the firewall
# shorewall stop Stops the firewall
# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status
# plus the last 20 "interesting"
# packets
# shorewall status Displays firewall status
# shorewall status Displays firewall status
# shorewall reset Resets iptables packet and
# byte counts
# shorewall clear Open the floodgates by
@ -75,7 +75,7 @@
# listed address(es)
# shorewall reject <address> ... Temporarily reject all packets from the
# listed address(es)
# shorewall allow <address> ... Reenable address(es) previously
# shorewall allow <address> ... Reenable address(es) previously
# disabled with "drop" or "reject"
# shorewall save Save the list of "rejected" and
# "dropped" addresses so that it will
@ -142,7 +142,7 @@ get_config() {
display_chains()
{
trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
if [ "$haveawk" = "Yes" ]; then
#
# Send the output to a temporary file since ash craps if we try to store
@ -170,11 +170,11 @@ display_chains()
echo
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
for chain in $chains; do
showchain $chain
done
timed_read
for zone in $zones; do
@ -242,7 +242,7 @@ display_chains()
# Delay $timeout seconds -- if we're running on a recent bash2 then allow
# <enter> to terminate the delay
#
timed_read ()
timed_read ()
{
read -t $timeout foo 2> /dev/null
@ -252,7 +252,7 @@ timed_read ()
#
# Display the last $1 packets logged
#
packet_log() # $1 = number of messages
packet_log() # $1 = number of messages
{
local options
@ -334,7 +334,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
get_config
host=`echo $HOSTNAME | sed 's/\..*$//'`
oldrejects=`iptables -L -v -n | grep 'LOG'`
if [ $1 -lt 0 ]; then
let "timeout=- $1"
pause="Yes"
@ -347,7 +347,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
while true; do
display_chains
clear
echo "$banner `date`"
echo
@ -361,7 +361,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
$RING_BELL
packet_log 20
@ -435,7 +435,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
get_config
host=`echo $HOSTNAME | sed 's/\..*$//'`
oldrejects=`iptables -L -v -n | grep 'LOG'`
if [ $1 -lt 0 ]; then
timeout=$((- $1))
pause="Yes"
@ -754,7 +754,7 @@ case "$1" in
echo ""
echo " HITS PORT SERVICE(S)"
echo " ---- ----- ----------"
echo " ---- ----- ----------"
grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
while read count port ; do
# List all services defined for the given port
@ -853,4 +853,4 @@ case "$1" in
*)
usage 1
;;
esac
esac


@ -2,7 +2,7 @@
# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
@ -19,7 +19,7 @@ SHARED_DIR=/usr/share/shorewall
# L O G G I N G
##############################################################################
#
# General note about log levels. Log levels are a method of describing
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value.
#
@ -35,16 +35,16 @@ SHARED_DIR=/usr/share/shorewall
# 0 emerg
#
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
# log messages are generated by NetFilter and are logged using facility
# log messages are generated by NetFilter and are logged using facility
# 'kern' and the level that you specifify. If you are unsure of the level
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number.
#
# If you have build your kernel with ULOG target support, you may also
# If you have build your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
# configured to log all Shorewall message to their own log file
################################################################################
#
@ -118,7 +118,7 @@ BLACKLIST_LOGLEVEL=
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# See the comment at the top of this section for a description of log levels
@ -133,10 +133,10 @@ LOGNEWNOTSYN=
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
# such connection requests will not be logged.
#
# See the comment at the top of this section for a description of log levels
#
#
MACLIST_LOG_LEVEL=info
@ -145,10 +145,10 @@ MACLIST_LOG_LEVEL=info
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
# such packets will not be logged.
#
# See the comment at the top of this section for a description of log levels
#
#
TCP_FLAGS_LOG_LEVEL=info
@ -160,7 +160,7 @@ TCP_FLAGS_LOG_LEVEL=info
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this section for a description of log levels
#
#
RFC1918_LOG_LEVEL=info
@ -169,7 +169,7 @@ RFC1918_LOG_LEVEL=info
################################################################################
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
# searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@ -294,13 +294,13 @@ CLEAR_TC=Yes
#
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
@ -387,27 +387,27 @@ MULTIPORT=No
# DNAT net loc:192.168.1.3 tcp 80
#
# it will forward TCP port 80 connections from the net to 192.168.1.3
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
# convenient for two reasons:
#
# a) If the the network interface has a dynamic IP address, the
# firewall configuration will work even when the address
# changes.
#
# b) It saves having to configure the IP address in the rule
# b) It saves having to configure the IP address in the rule
# while still allowing the firewall to be started before the
# internet interface is brought up.
#
# This default behavior can also have a negative effect. If the
# internet interface has more than one IP address then the above
# rule will forward connection requests on all of these addresses;
# internet interface has more than one IP address then the above
# rule will forward connection requests on all of these addresses;
# that may not be what is desired.
#
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
# only if the original destination address is the primary IP address of
# one of the interfaces associated with the source zone. Note that this
# requires all interfaces to the source zone to be up when the firewall
# is [re]started.
# is [re]started.
DETECT_DNAT_IPADDRS=No
@ -440,7 +440,7 @@ MUTEX_TIMEOUT=60
# Users with a High-availability setup with two firewall's and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes.
NEWNOTSYN=No
################################################################################
@ -469,7 +469,7 @@ MACLIST_DISPOSITION=REJECT
#
# TCP FLAGS Disposition
#
# This variable determins the disposition of packets having an invalid
# This variable determins the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.


@ -48,10 +48,10 @@ if [ $1 -eq 1 ]; then
########################################################################" \
> /etc/shorewall/startup_disabled
if [ -x /sbin/insserv ]; then
if [ -x /sbin/insserv ]; then
/sbin/insserv /etc/rc.d/shorewall
elif [ -x /sbin/chkconfig ]; then
/sbin/chkconfig --add shorewall;
/sbin/chkconfig --add shorewall;
fi
fi
@ -68,7 +68,7 @@ if [ $1 = 0 ]; then
fi
%files
%files
/etc/init.d/shorewall
%attr(0700,root,root) %dir /etc/shorewall
%attr(0700,root,root) %dir /usr/share/shorewall
@ -279,7 +279,7 @@ fi
- Changed the release to 4
- Added Zones and Functions files
* Mon Mar 12 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change ipchains dependency to an iptables dependency and
- Change ipchains dependency to an iptables dependency and
changed the release to 3
* Fri Mar 9 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Add additional files.


@ -1,6 +1,6 @@
############################################################################
# Shorewall 1.4 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#


@ -26,10 +26,10 @@
# /etc/shorewall/shorewall.conf.
#
# SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses
# interface names, IP addresses, MAC addresses
# and/or subnets. Use $FW if the packet originates on
# the firewall in which case the MARK column may NOT
# specify either ":P" or ":F" (marking always occurs
# specify either ":P" or ":F" (marking always occurs
# in the OUTPUT chain).
#
# MAC addresses must be prefixed with "~" and use


@ -6,8 +6,8 @@ RCDLINKS="2,S45 3,S45 6,K45"
#
# Modified - Steve Cowles 5/9/2000
# Incorporated init {start|stop} syntax and iproute2 usage
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
#


@ -25,7 +25,7 @@
# remote getway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0.
#
# GATEWAY
# GATEWAY
# ZONES -- Optional. If the gateway system specified in the third
# column is a standalone host then this column should
# contain a comma-separated list of the names of the


@ -2,14 +2,14 @@
#
# Script to back uninstall Shoreline Firewall
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
@ -35,8 +35,8 @@ usage() # $1 = exit status
exit $1
}
qt()
{
qt()
{
"$@" >/dev/null 2>&1
}
@ -49,7 +49,7 @@ restore_file() # $1 = file to restore
else
exit 1
fi
fi
fi
}
remove_file() # $1 = file to restore


@ -3,12 +3,12 @@
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone
# ZONE Short name of the zone
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
#ZONE DISPLAY COMMENTS
net Net Internet
net Net Internet
loc Local Local networks
dmz DMZ Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE