diff --git a/Shorewall/INSTALL b/Shorewall/INSTALL index 70e46fabb..c62b8f681 100644 --- a/Shorewall/INSTALL +++ b/Shorewall/INSTALL @@ -27,7 +27,7 @@ o If you have an earlier version of Shoreline Firewall installed,see the o Edit the configuration files to fit your environment. To do this, I strongly advise you to follow the instructions at: - + http://www.shorewall.net/shorewall_quickstart_guide.htm o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or @@ -35,8 +35,8 @@ o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or o For other distributions, determine where your distribution installs init scripts and type "./install.sh " o Start the firewall by typing "shorewall start" -o If the install script was unable to configure Shoreline Firewall to - start audomatically at boot, see the HTML documentation contains in the +o If the install script was unable to configure Shoreline Firewall to + start automatically at boot, see the HTML documentation contains in the "documentation" directory. Upgrade: @@ -44,4 +44,4 @@ Upgrade: o run the install script as described above. o shorewall restart - + diff --git a/Shorewall/blacklist b/Shorewall/blacklist index 234935e05..66ca0d9e4 100755 --- a/Shorewall/blacklist +++ b/Shorewall/blacklist @@ -9,7 +9,7 @@ # # ADDRESS/SUBNET - Host address, subnetwork or MAC address # -# MAC addresses must be prefixed with "~" and use "-" +# MAC addresses must be prefixed with "~" and use "-" # as a separator. # # Example: ~00-A0-C9-15-39-78 @@ -27,7 +27,7 @@ # /etc/shorewall/shorewall.conf # # If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching -# the protocol (and one of the ports if PORTS supplied) are blocked. +# the protocol (and one of the ports if PORTS supplied) are blocked. # # Example: # diff --git a/Shorewall/common.def b/Shorewall/common.def index af8c11522..e22931b0c 100644 --- a/Shorewall/common.def +++ b/Shorewall/common.def 
@@ -1,7 +1,7 @@ ############################################################################ # Shorewall 1.4 -- /etc/shorewall/common.def # -# This file defines the rules that are applied before a policy of +# This file defines the rules that are applied before a policy of # DROP or REJECT is applied. In addition to the rules defined in this file, # the firewall will also define a DROP rule for each subnet broadcast # address defined in /etc/shorewall/interfaces (including "detect"). diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh index a6a997d9c..3f8b41185 100755 --- a/Shorewall/fallback.sh +++ b/Shorewall/fallback.sh @@ -1,16 +1,16 @@ #!/bin/sh # -# Script to back out the installation of Shoreline Firewall and to restore the previous version of +# Script to back out the installation of Shoreline Firewall and to restore the previous version of # the program # -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # # (c) 2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # # Shorewall documentation is available at http://seattlefirewall.dyndns.org # # This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License +# it under the terms of Version 2 of the GNU General Public License # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, @@ -25,7 +25,7 @@ # Usage: # # You may only use this script to back out the installation of the version -# shown below. Simply run this script to revert to your prior version of +# shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. VERSION=1.4.0-Beta1 @@ -46,7 +46,7 @@ restore_file() # $1 = file to restore echo "ERROR: Could not restore $1" exit 1 fi - fi + fi } if [ ! -f /usr/share/shorewall/version-${VERSION}.bkout ]; then 
@@ -77,7 +77,7 @@ restore_file /sbin/shorewall [ -f /etc/shorewall.conf.$VERSION ] && rm -f /etc/shorewall.conf.$VERSION restore_file /etc/shorewall/shorewall.conf - + restore_file /etc/shorewall/functions restore_file /usr/lib/shorewall/functions restore_file /var/lib/shorewall/functions @@ -92,7 +92,7 @@ restore_file /etc/shorewall/zones restore_file /etc/shorewall/policy restore_file /etc/shorewall/interfaces - + restore_file /etc/shorewall/hosts restore_file /etc/shorewall/rules diff --git a/Shorewall/firewall b/Shorewall/firewall index c5e99f493..2f5a88b78 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -2,7 +2,7 @@ # # The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.4 3/14/2003 # -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # # (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # @@ -12,7 +12,7 @@ # Complete documentation is available at http://shorewall.net # # This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License +# it under the terms of Version 2 of the GNU General Public License # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, @@ -29,13 +29,13 @@ # # Commands are: # -# shorewall start Starts the firewall +# shorewall start Starts the firewall # shorewall restart Restarts the firewall # shorewall stop Stops the firewall # shorewall status Displays firewall status # shorewall reset Resets iptabless packet and # byte counts -# shorewall clear Remove all Shorewall chains +# shorewall clear Remove all Shorewall chains # and rules/policies. # shorewall refresh . Rebuild the common chain # shorewall check Verify the more heavily-used @@ -258,7 +258,7 @@ chain_exists() # $1 = chain name { qt iptables -L $1 -n } - + # # Query NetFilter about the existence of a mangle chain # 
@@ -266,7 +266,7 @@ mangle_chain_exists() # $1 = chain name { qt iptables -t mangle -L $1 -n } - + # # Ensure that a chain exists (create it if it doesn't) # @@ -340,7 +340,7 @@ deletechain() # $1 = name of chain is_policy_chain() # $1 = name of chain { eval test \"\$${1}_is_policy\" = Yes -} +} # # Set a standard chain's policy @@ -373,7 +373,7 @@ chain_base() #$1 = interface { local c=${1%%+*} - case $c in + case $c in *.*) echo ${c%.*}_${c#*.} ;; @@ -387,7 +387,7 @@ chain_base() #$1 = interface # Find interfaces to a given zone # # Search the variables representing the contents of the interfaces file and -# for each record matching the passed ZONE, echo the expanded contents of +# for each record matching the passed ZONE, echo the expanded contents of # the "INTERFACE" column # find_interfaces() # $1 = interface zone @@ -496,7 +496,7 @@ determine_interfaces() { eval ${zone}_interfaces=\"\$interfaces\" done } - + # # Determine the defined hosts in each zone and generate report # @@ -517,7 +517,7 @@ determine_hosts() { done interfaces= - + for host in $hosts; do interface=${host%:*} if ! list_search $interface $interfaces; then @@ -537,7 +537,7 @@ determine_hosts() { display_list "$display Zone:" $hosts else error_message "Warning: Zone $zone is empty" - fi + fi done } @@ -559,7 +559,7 @@ validate_interfaces_file() { [ "x$z" = "x-" ] && z= - if [ -n "$z" ]; then + if [ -n "$z" ]; then validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" fi @@ -575,11 +575,11 @@ validate_interfaces_file() { startup_error "Invalid Interface Name: $interface" ;; esac - + all_interfaces="$all_interfaces $interface" options=`separate_list $options` interface=`chain_base $interface` - + eval ${interface}_broadcast="$subnet" eval ${interface}_zone="$z" eval ${interface}_options=\"$options\" @@ -595,7 +595,7 @@ validate_interfaces_file() { ;; esac done - + [ -z "$all_interfaces" ] && startup_error "No Interfaces Defined" done < $TMP_DIR/interfaces 
@@ -637,7 +637,7 @@ validate_hosts_file() { mac_match() # $1 = MAC address formated as described above { echo "--match mac --mac-source `echo $1 | sed 's/~//;s/-/:/g'`" -} +} # # validate a record from the rules file @@ -655,7 +655,7 @@ validate_rule() { # validate_list() { local temp="`separate_list $1`" - + [ `echo $temp | wc -w` -le 15 ] } @@ -858,7 +858,7 @@ validate_rule() { [ -z "$clientzone" -o -z "$clients" ] && \ startup_error "Empty source zone or qualifier: rule \"$rule\"" fi - + if [ "$clientzone" = "${clientzone%\!*}" ]; then excludezones= else @@ -1036,7 +1036,7 @@ validate_policy() [ "x$chain" = "x${FW}2${FW}" ] && \ startup_error "fw->fw policy not allowed: $policy" - + if is_policy_chain $chain ; then startup_error "Duplicate policy $policy" fi @@ -1067,7 +1067,7 @@ validate_policy() else for zone in $zones $FW all; do eval pc=\$${zone}2${server}_policychain - + if [ -z "$pc" ]; then eval ${zone}2${server}_policychain=$chain print_policy $zone $server @@ -1077,16 +1077,16 @@ validate_policy() elif [ -n "$serverwild" ]; then for zone in $zones $FW all; do eval pc=\$${client}2${zone}_policychain - + if [ -z "$pc" ]; then - eval ${client}2${zone}_policychain=$chain + eval ${client}2${zone}_policychain=$chain print_policy $client $zone fi done else eval ${chain}_policychain=${chain} print_policy $client $server - fi + fi done < $TMP_DIR/policy } @@ -1116,7 +1116,7 @@ find_broadcasts() { find_interface_broadcasts() # $1 = Interface name { eval bcast=\$`chain_base ${1}`_broadcast - + if [ "x$bcast" = "xdetect" ]; then addr="`ip addr show $interface 2> /dev/null`" if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then @@ -1127,7 +1127,7 @@ find_interface_broadcasts() # $1 = Interface name elif [ "x${bcast}" != "x-" ]; then echo `separate_list $bcast` fi - + } # 
@@ -1136,7 +1136,7 @@ find_interface_broadcasts() # $1 = Interface name # find_interface_address() # $1 = interface { - # + # # get the line of output containing the first IP address # addr=`ip addr show $1 2> /dev/null | grep inet | head -n1` @@ -1177,7 +1177,7 @@ find_hosts_by_option() # $1 = option eval options=\$`chain_base ${interface}`_options list_search $1 $options && \ echo ${interface}:0.0.0.0/0 - done + done } # @@ -1240,6 +1240,8 @@ stop_firewall() { stopping="Yes" + terminator= + deletechain shorewall run_user_exit stop @@ -1260,7 +1262,7 @@ stop_firewall() { hosts= - strip_file routestopped + strip_file routestopped while read interface host; do expandv interface host @@ -1330,7 +1332,7 @@ clear_firewall() { run_iptables -F echo 1 > /proc/sys/net/ipv4/ip_forward - + setpolicy INPUT ACCEPT setpolicy FORWARD ACCEPT setpolicy OUTPUT ACCEPT @@ -1357,7 +1359,7 @@ setup_tunnels() # $1 = name of tunnels file run_iptables -A $outchain -p 51 -d $1 -j ACCEPT run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options - + if [ $2 = ipsec ]; then run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options else @@ -1464,7 +1466,7 @@ setup_tunnels() # $1 = name of tunnels file else error_message "Invalid gateway zone ($z)" \ " -- Tunnel \"$tunnel\" Ignored" - fi + fi done < $TMP_DIR/tunnels } @@ -1579,7 +1581,7 @@ setup_mac_lists() { if ! havechain $chain ; then fatal_error "No hosts on $interface have the maclist option specified" fi - + macpart=`mac_match $mac` if [ -z "$addresses" ]; then @@ -1643,13 +1645,13 @@ setup_mac_lists() { for hosts in $maclist_hosts; do interface=${hosts%:*} hosts=${hosts#*:} - for chain in `first_chains $interface` ; do + for chain in `first_chains $interface` ; do run_iptables -A $chain -s $hosts -m state --state NEW \ -j `mac_chain $interface` done done -} - +} + # # Set up SYN flood protection # 
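Review bot: The bare `terminator=` added ahead of `deletechain shorewall` reads like leftover debugging, yet it is a deliberate policy decision: with the variable empty, `separate_list` in the sourced functions file only warns instead of aborting, so a malformed comma list in routestopped cannot leave the stop half done. That reasoning belongs next to the assignment, e.g. `# Never abort a stop: a bad comma-separated list in routestopped is reported by separate_list but the firewall still reaches the stopped state, minus the misparsed entry.` Note the consequence a practitioner should know: the hosts that entry was meant to keep reachable are presumably not opened, and the stderr warning is the only indication. stop_firewall's body continues outside the hunk.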
@@ -1670,7 +1672,7 @@ setup_syn_flood_chain () # # Enable SYN flood protection on a chain -# +# # Insert a jump rule to the protection chain from the first chain. Inserted # as the second rule and restrict the jump to SYN packets # @@ -1714,7 +1716,7 @@ setup_nat() { while read external interface internal allints localnat; do expandv external interface internal allints localnat - + iface=${interface%:*} if [ -n "$ADD_IP_ALIASES" ]; then @@ -1725,7 +1727,7 @@ setup_nat() { then addnatrule nat_in -d $external -j DNAT --to-destination $internal addnatrule nat_out -s $internal -j SNAT --to-source $external - + if [ "$localnat" = "Yes" -o "$localnat" = "yes" ]; then run_iptables2 -t nat -A OUTPUT -d $external \ -j DNAT --to-destination $internal @@ -1765,7 +1767,7 @@ delete_nat() { } # -# Process a TC Rule - $marking_chain is assumed to contain the name of the +# Process a TC Rule - $marking_chain is assumed to contain the name of the # default marking chain # process_tc_rule() @@ -1789,17 +1791,17 @@ process_tc_rule() if ! list_search $source $all_interfaces; then fatal_error "Unknown interface $source in rule \"$rule\"" fi - + r="-i $source " ;; esac fi if [ "$mark" != "${mark%:*}" ]; then - + [ "$chain" = tcout ] && \ fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\"" - + case "${mark#*:}" in p|P) chain=tcpre @@ -1814,7 +1816,7 @@ process_tc_rule() mark="${mark%:*}" fi - + [ "x$dest" = "x-" ] || r="${r}-d $dest " [ "$proto" = "all" ] || r="${r}-p $proto " [ "x$port" = "x-" ] || r="${r}--dport $port " @@ -1844,7 +1846,7 @@ setup_tc1() { # # Create the TC mangle chains # - + run_iptables -t mangle -N tcpre run_iptables -t mangle -N tcfor run_iptables -t mangle -N tcout @@ -1861,7 +1863,7 @@ setup_tc1() { # # Link to the TC mangle chains from the main chains # - + run_iptables -t mangle -A FORWARD -j tcfor run_iptables -t mangle -A PREROUTING -j tcpre run_iptables -t mangle -A OUTPUT -j tcout 
@@ -1912,7 +1914,7 @@ refresh_tc() { [ -n "$CLEAR_TC" ] && delete_tc [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre - + if mangle_chain_exists $chain; then # # Flush the TC mangle chains @@ -1928,7 +1930,7 @@ refresh_tc() { while read mark sources dests proto ports sports; do expandv mark sources dests proto ports sports rule=`echo "$mark $sources $dests $proto $ports $sports"` - process_tc_rule + process_tc_rule done < $TMP_DIR/tcrules run_user_exit tcstart @@ -1957,7 +1959,7 @@ add_nat_rule() { local chain # Be sure we should and can NAT - + case $logtarget in DNAT|REDIRECT) if [ -z "$NAT_ENABLED" ]; then @@ -2013,7 +2015,7 @@ add_nat_rule() { $multiport $dports -j $target1 else chain=`dnat_chain $source` - + if [ -n "$excludezones" ]; then chain=nonat${nonat_seq} nonat_seq=$(($nonat_seq + 1)) @@ -2029,7 +2031,7 @@ add_nat_rule() { done done fi - + for adr in $addr; do addnatrule $chain $proto $cli $sports \ -d $adr $multiport $dports -j $target1 @@ -2056,7 +2058,7 @@ add_nat_rule() { for source_host in $source_hosts; do [ "x${source_host#*:}" = "x0.0.0.0/0" ] && \ error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\"" - + addnatrule `snat_chain $dest` \ -s ${source_host#*:} $proto $sports $multiport \ -d $serv $dports -j SNAT --to-source $snat @@ -2171,7 +2173,7 @@ add_a_rule() proto="${proto:+-p $proto}" # Some misc. setup - + case "$logtarget" in REJECT) target=reject @@ -2194,7 +2196,7 @@ add_a_rule() esac # Complain if the rule is really a policy - + if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then error_message "Warning -- Rule \"$rule\" is a POLICY" error_message " -- and should be moved to the policy file" @@ -2267,7 +2269,7 @@ process_rule() # $1 = target # $4 = protocol # $5 = ports # $6 = cports - # $7 = address + # $7 = address { local target="$1" local clients="$2" 
@@ -2279,7 +2281,7 @@ process_rule() # $1 = target local rule="`echo $target $clients $servers $protocol $ports $cports $address`" # Function Body -- isolate log level - + if [ "$target" = "${target%:*}" ]; then loglevel= else @@ -2328,7 +2330,7 @@ process_rule() # $1 = target [ -z "$clientzone" -o -z "$clients" ] && \ fatal_error "Empty source zone or qualifier: rule \"$rule\"" fi - + if [ "$clientzone" = "${clientzone%\!*}" ]; then excludezones= else @@ -2457,20 +2459,20 @@ process_rules() # $1 = name of rules file process_wildcard_rule continue fi - + if [ "x$xservers" = xall ]; then xservers="$zones $FW" process_wildcard_rule continue fi - + process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress ;; *) rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`" fatal_error "Invalid Target in rule \"$rule\"" ;; - + esac done < $TMP_DIR/rules } @@ -2866,7 +2868,7 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone local policychain= run_user_exit $1 - + eval policychain=\$${2}2${3}_policychain if [ -n "$policychain" ]; then @@ -2891,7 +2893,7 @@ rules_chain() # $1 = source zone, $2 = destination zone local chain=${1}2${2} havechain $chain && { echo $chain; return; } - + eval chain=\$${chain}_policychain [ -n "$chain" ] && { echo $chain; return; } @@ -2952,7 +2954,7 @@ setup_masq() if ! list_search $interface $all_interfaces; then fatal_error "Unknown interface $interface" fi - + if [ "$subnet" = "${subnet%!*}" ]; then nomasq= else @@ -2964,7 +2966,7 @@ setup_masq() iface= source="$subnet" - + case $subnet in *.*.*) ;; @@ -2987,7 +2989,7 @@ setup_masq() if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then list_search $address $aliases_to_add || \ - aliases_to_add="$aliases_to_add $address $fullinterface" + aliases_to_add="$aliases_to_add $address $fullinterface" fi destination=$destnet 
@@ -2995,7 +2997,7 @@ setup_masq() if [ -n "$nomasq" ]; then newchain=masq${masq_seq} createnatchain $newchain - + if [ -n "$subnet" ]; then for s in $subnet; do addnatrule $chain -d $destnet $iface -s $s -j $newchain @@ -3013,7 +3015,7 @@ setup_masq() for addr in `separate_list $nomasq`; do addnatrule $chain -s $addr -j RETURN done - + source="$source except $nomasq" else destnet="-d $destnet" @@ -3097,13 +3099,13 @@ process_blacklist_rec() { source="-s $addr" ;; esac - + if [ -n "$protocol" ]; then proto=" -p $protocol " case $protocol in tcp|TCP|6|udp|UDP|17) - if [ -n "$ports" ]; then + if [ -n "$ports" ]; then if [ -n "$MULTIPORT" -a \ "$ports" != "${ports%,*}" -a \ "$ports" = "${ports%:*}" -a \ @@ -3144,7 +3146,7 @@ process_blacklist_rec() { elif [ -n "$protocol" ]; then addr="$addr $protocol" fi - + echo " $addr added to Black List" done } @@ -3168,7 +3170,7 @@ setup_blacklist() { for chain in `first_chains $interface`; do run_iptables -A $chain -j blacklst done - + echo " Blacklisting enabled on $interface" done @@ -3230,7 +3232,7 @@ add_ip_aliases() local interface local primary - do_one() + do_one() { # # Folks feel uneasy if they don't see all of the same @@ -3262,7 +3264,7 @@ add_ip_aliases() } set -- $aliases_to_add - + while [ $# -gt 0 ]; do external=$1 interface=$2 @@ -3273,7 +3275,7 @@ add_ip_aliases() interface="${interface%:*}" label="label $interface:$label" fi - + primary=`find_interface_address $interface` shift;shift [ "x${primary}" = "x${external}" ] || do_one @@ -3337,7 +3339,7 @@ initialize_netfilter () { determine_interfaces determine_hosts - + run_user_exit init # @@ -3345,12 +3347,14 @@ initialize_netfilter () { # (restart command). This reduces the length of time that the firewall isn't # accepting new connections. # - + strip_file rules strip_file proxyarp strip_file maclist strip_file nat + terminator=fatal_error + deletechain shorewall [ -n "$NAT_ENABLED" ] && delete_nat 
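Review bot: The new `terminator=fatal_error` is placed exactly where the running ruleset starts to be destroyed, but nothing in the hunk says why the handler switches at this point; neither `startup_error` nor `fatal_error` is defined in view, though the placement suggests a config error after `deletechain shorewall` can no longer simply abort and leave the old rules running. Put that next to the assignment: `# From here on the old ruleset is being torn down, so an error reported by separate_list must fall back to fatal_error rather than startup_error, which would leave netfilter half configured.` Keep the assignment after the `strip_file` calls as it is now, so errors while still only reading files stay non-destructive. initialize_netfilter's body continues outside the hunk.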
@@ -3368,7 +3372,7 @@ initialize_netfilter () { setpolicy INPUT DROP setpolicy OUTPUT DROP setpolicy FORWARD DROP - + deleteallchains setcontinue FORWARD @@ -3388,13 +3392,13 @@ initialize_netfilter () { run_iptables -A FORWARD -p tcp \ --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu - + if [ -z "$NEWNOTSYN" ]; then createchain newnotsyn no run_user_exit newnotsyn if [ -n "$LOGNEWNOTSYN" ]; then if [ "$LOGNEWNOTSYN" = ULOG ]; then - run_iptables -A newnotsyn -j ULOG + run_iptables -A newnotsyn -j ULOG --ulog-prefix "Shorewall:newnotsyn:DROP:" else run_iptables -A newnotsyn -j LOG \ @@ -3403,13 +3407,13 @@ initialize_netfilter () { fi run_iptables -A newnotsyn -j DROP - fi + fi createchain icmpdef no createchain common no createchain reject no createchain dynamic no - + if [ -f /var/lib/shorewall/save ]; then echo "Restoring dynamic rules..." @@ -3423,7 +3427,7 @@ initialize_netfilter () { esac done < /var/lib/shorewall/save fi - + echo "Creating input Chains..." for interface in $all_interfaces; do @@ -3438,7 +3442,7 @@ initialize_netfilter () { # Build the common chain -- called during [re]start and refresh # build_common_chain() { - + # # Common ICMP rules # @@ -3459,7 +3463,7 @@ build_common_chain() { if [ -n "$NEWNOTSYN" ]; then run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT - fi + fi # # BROADCASTS # @@ -3564,9 +3568,9 @@ add_common_rules() { if [ -n "$norfc1918_interfaces" ]; then echo "Enabling RFC1918 Filtering" - + strip_file rfc1918 - + createchain rfc1918 no createchain logdrop no @@ -3586,7 +3590,7 @@ add_common_rules() { run_iptables -t mangle -A logdrop -j `logdisp man1918` run_iptables -t mangle -A logdrop -j DROP fi - + while read subnet target; do case $target in logdrop|DROP|RETURN) 
@@ -3605,23 +3609,23 @@ add_common_rules() { run_iptables2 -t mangle -A man1918 -d $subnet -j $target fi done < $TMP_DIR/rfc1918 - + for interface in $norfc1918_interfaces; do for chain in `first_chains $interface`; do run_iptables -A $chain -m state --state NEW -j rfc1918 done - + [ -n "$MANGLE_ENABLED" ] && \ run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918 done fi - + interfaces=`find_interfaces_by_option tcpflags` if [ -n "$interfaces" ]; then echo "Setting up TCP Flags checking..." - + createchain tcpflags no if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then @@ -3661,7 +3665,7 @@ add_common_rules() { # hosts a web server. # run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition - + for interface in $interfaces; do for chain in `first_chains $interface`; do run_iptables -A $chain -p tcp -j tcpflags @@ -3678,7 +3682,7 @@ add_common_rules() { # run_iptables -A INPUT -i lo -j ACCEPT run_iptables -A OUTPUT -o lo -j ACCEPT - + # # Route Filtering # @@ -3789,7 +3793,7 @@ apply_policy_rules() { # # Activate the rules # -activate_rules() +activate_rules() { local PREROUTING_rule=1 local POSTROUTING_rule=1 @@ -3801,11 +3805,11 @@ activate_rules() local sourcechain=$1 destchain=$2 shift shift - + havenatchain $destchain && \ run_iptables -t nat -A $sourcechain $@ -j $destchain } - + # # Jump to a RULES chain from one of the builtin nat chains # @@ -3817,7 +3821,7 @@ activate_rules() local sourcechain=$1 destchain=$2 shift shift - + if havenatchain $destchain; then if [ -n "$NAT_BEFORE_RULES" ]; then run_iptables -t nat -A $sourcechain $@ -j $destchain @@ -3853,12 +3857,12 @@ activate_rules() echo "$FW $zone $chain1" >> ${STATEDIR}/chains echo "$zone $FW $chain2" >> ${STATEDIR}/chains - + for host in $source_hosts; do interface=${host%:*} subnet=${host#*:} - run_iptables -A OUTPUT -o $interface -d $subnet -j $chain1 + run_iptables -A OUTPUT -o $interface -d $subnet -j $chain1 # # Add jumps from the builtin chains for DNAT and SNAT rules 
@@ -3887,7 +3891,7 @@ activate_rules() interface=${host%:*} subnet=${host#*:} chain1=`forward_chain $interface` - + if [ -n "$have_canonical" ]; then bounce=yes else @@ -4026,27 +4030,27 @@ define_firewall() # $1 = Command (Start or Restart) # check_config() { echo "Verifying Configuration..." - + verify_os_version - + load_kernel_modules - + echo "Determining Zones..." - + determine_zones - + [ -z "$zones" ] && startup_error "No Zones Defined" - + display_list "Zones:" $zones - + echo "Validating interfaces file..." - + validate_interfaces_file - + echo "Validating hosts file..." - + validate_hosts_file - + echo "Determining Hosts in Zones..." determine_interfaces @@ -4055,11 +4059,11 @@ check_config() { echo "Validating rules file..." validate_rules - + echo "Validating policy file..." - - validate_policy - + + validate_policy + rm -rf $TMP_DIR echo "Configuration Validated" @@ -4098,7 +4102,7 @@ refresh_firewall() # # Refresh Traffic Control # - [ -n "$TC_ENABLED" ] && refresh_tc + [ -n "$TC_ENABLED" ] && refresh_tc report "Shorewall Refreshed" @@ -4126,7 +4130,7 @@ add_to_zone() # $1 = [:] $2 = zone output_rule_num() { local num=`iptables -L OUTPUT -n --line-numbers | grep icmp | cut -d' ' -f1 | head -n1` - + [ -n "$num" ] && echo $(($num+1)) } # @@ -4185,12 +4189,12 @@ add_to_zone() # $1 = [:] $2 = zone startup_error "$1 already in zone $zone" fi done - + [ -z "$hosts" ] && hosts=$newhost || hosts="$hosts $newhost" fi eval ${z}_hosts=\"$hosts\" - + echo "$z $hosts" >> ${STATEDIR}/zones_$$ done < ${STATEDIR}/zones @@ -4241,7 +4245,7 @@ setup_intrazone() # $1 = zone rulenum=$(($rulenum + 1)) fi - do_iptables -I `input_chain $interface` $rulenum -s $host -j $chain + do_iptables -I `input_chain $interface` $rulenum -s $host -j $chain else # # Insert rules into the passed interface's forward chain 
@@ -4254,7 +4258,7 @@ setup_intrazone() # $1 = zone base=`chain_base $interface` eval rulenum=\$${base}_rulenum - + if [ -z "$rulenum" ]; then if list_search $interface $blacklist_interfaces; then rulenum=3 @@ -4265,16 +4269,16 @@ setup_intrazone() # $1 = zone if list_search $interface $maclist_interfaces; then rulenum=$(($rulenum + 1)) fi - + if list_search $interface $tcpflags_interfaces; then rulenum=$(($rulenum + 1)) fi fi - + for h in $dest_hosts; do iface=${h%:*} hosts=${h#*:} - + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then do_iptables -I $source_chain $rulenum -s $host -o $iface -d $hosts -j $chain rulenum=$(($rulenum + 1)) @@ -4297,7 +4301,7 @@ setup_intrazone() # $1 = zone # We insert them after any blacklist rules # eval source_hosts=\"\$${z1}_hosts\" - + for h in $source_hosts; do iface=${h%:*} hosts=${h#*:} @@ -4305,7 +4309,7 @@ setup_intrazone() # $1 = zone base=`chain_base $iface` eval rulenum=\$${base}_rulenum - + if [ -z "$rulenum" ]; then if list_search $iface $blacklist_interfaces; then rulenum=3 @@ -4326,7 +4330,7 @@ setup_intrazone() # $1 = zone done < ${STATEDIR}/chains echo "$1 added to zone $2" -} +} # # Delete a host or subnet from a zone @@ -4344,7 +4348,7 @@ delete_from_zone() # $1 = [:] $2 = zone if [ "$z" = "$zone" ]; then temp=$hosts hosts= - + for h in $temp; do if [ "$h" = "$delhost" ]; then echo Yes @@ -4353,7 +4357,7 @@ delete_from_zone() # $1 = [:] $2 = zone fi done fi - + echo "$z $hosts" >> ${STATEDIR}/zones_$$ done < ${STATEDIR}/zones @@ -4412,7 +4416,7 @@ delete_from_zone() # $1 = [:] $2 = zone while read z1 z2 chain; do if [ "$z1" = "$zone" ]; then if [ "$z2" = "$FW" ]; then - qt iptables -D `input_chain $interface` -s $host -j $chain + qt iptables -D `input_chain $interface` -s $host -j $chain else source_chain=`forward_chain $interface` eval dest_hosts=\"\$${z2}_hosts\" 
@@ -4420,7 +4424,7 @@ delete_from_zone() # $1 = [:] $2 = zone for h in $dest_hosts $delhost; do iface=${h%:*} hosts=${h#*:} - + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then qt iptables -D $source_chain -s $host -o $iface -d $hosts -j $chain fi @@ -4431,7 +4435,7 @@ delete_from_zone() # $1 = [:] $2 = zone qt iptables -D OUTPUT -o $interface -d $host -j $chain else eval source_hosts=\"\$${z1}_hosts\" - + for h in $source_hosts; do iface=${h%:*} hosts=${h#*:} @@ -4445,7 +4449,7 @@ delete_from_zone() # $1 = [:] $2 = zone done < ${STATEDIR}/chains echo "$1 removed from zone $2" -} +} # # Determine the value for a parameter that defaults to Yes @@ -4505,6 +4509,10 @@ do_initialize() { PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin # + # Establish termination function + # + terminator=startup_error + # # Clear all configuration variables # version= @@ -4560,7 +4568,7 @@ do_initialize() { else config=/etc/shorewall/shorewall.conf fi - + if [ -f $config ]; then . $config else @@ -4631,7 +4639,7 @@ do_initialize() { NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN` maclist_target=reject - + if [ -n "$MACLIST_DISPOSITION" ] ; then case $MACLIST_DISPOSITION in REJECT) @@ -4800,7 +4808,7 @@ case "$command" in do_initialize check_config ;; - + add) [ $# -ne 3 ] && usage do_initialize diff --git a/Shorewall/functions b/Shorewall/functions index 6e2fd393b..865414121 100755 --- a/Shorewall/functions +++ b/Shorewall/functions @@ -4,9 +4,9 @@ # # Suppress all output for a command -# -qt() -{ +# +qt() +{ "$@" >/dev/null 2>&1 } 
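Review bot: The comment `# Establish termination function` names what is set but not who reads it: `terminator` is a global consumed by `separate_list` in the sourced functions file, so it has to be set before the first configuration file is parsed, and it is reassigned to `fatal_error` once teardown begins and cleared during stop. Suggest `# Error handler invoked by separate_list (functions) on a malformed comma-separated list: startup_error while only reading config, fatal_error once the old ruleset is being torn down, empty during stop.` do_initialize's body continues outside the hunk.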
@@ -25,15 +25,30 @@ find_file() # # Replace commas with spaces and echo the result # -separate_list() { +separate_list() { local list local part local newlist + # + # There's been whining about us not catching embedded white space in + # comma-separated lists. This is an attempt to snag some of the cases. + # + # The 'terminator' function will be set by the 'firewall' script to + # either 'startup_error' or 'fatal_error' depending on the command and + # command phase + # + case "$@" in + *,|,*|*,,*) + [ -n "$terminator" ] && \ + $terminator "Invalid comma-separated list \"$@\"" + echo "Warning -- invalid comma-separated list \"$@\"" >&2 + ;; + esac list="$@" part="${list%%,*}" newlist="$part" - + while [ "x$part" != "x$list" ]; do list="${list#*,}"; part="${list%%,*}"; @@ -69,7 +84,7 @@ find_display() # $1 = zone, $2 = name of the zone file done } -determine_zones() +determine_zones() { local zonefile=`find_file zones` diff --git a/Shorewall/hosts b/Shorewall/hosts index 8c0e3a3a5..3a390cc58 100644 --- a/Shorewall/hosts +++ b/Shorewall/hosts @@ -18,14 +18,14 @@ # a) The IP address of a host # b) A subnetwork in the form # / -# +# # The interface must be defined in the # /etc/shorewall/interfaces file. # # Examples: # # eth1:192.168.1.3 -# eth2:192.168.2.0/24 +# eth2:192.168.2.0/24 # # OPTIONS - A comma-separated list of options. Currently-defined # options are: diff --git a/Shorewall/init.sh b/Shorewall/init.sh index fa39f0fe3..70d6ff32e 100644 --- a/Shorewall/init.sh +++ b/Shorewall/init.sh @@ -3,7 +3,7 @@ RCDLINKS="2,S41 3,S41 6,K41" # # The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.4 3/14/2003 # -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # # (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # 
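Review bot: `case "$@" in` at the top of the new check relies on the shell folding several positional parameters into one case word, which POSIX leaves unspecified for `"$@"`, and callers such as `separate_list $options` pass the list unquoted, so a list with embedded blanks arrives as several arguments — precisely the case the check is meant to catch. The same form inside the error message, `"Invalid comma-separated list \"$@\""`, expands to multiple words when there is more than one argument, so the handler would receive the tail of the list as extra parameters; use `"$*"` in both places: `case "$*" in` and `$terminator "Invalid comma-separated list \"$*\""`, likewise in the echo. The header comment could also state what the patterns actually detect, since a field split by `read` on a blank shows up here as a leading, trailing or doubled comma while the other fragment shifts into the next column unchecked: `# A list split by 'read' on embedded blanks reaches us with a leading, trailing or doubled comma; the remaining fragment lands in the next column and is not detected here.` When `terminator` is empty the truncated list is used after only a warning, so interface options such as the tcpflags or norfc1918 seen elsewhere in the firewall script can silently go unapplied. separate_list's body continues outside the hunk.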
@@ -13,7 +13,7 @@ RCDLINKS="2,S41 3,S41 6,K41" # Complete documentation is available at http://shorewall.net # # This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License +# it under the terms of Version 2 of the GNU General Public License # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, @@ -30,7 +30,7 @@ RCDLINKS="2,S41 3,S41 6,K41" # # Commands are: # -# shorewall start Starts the firewall +# shorewall start Starts the firewall # shorewall restart Restarts the firewall # shorewall stop Stops the firewall # shorewall status Displays firewall status @@ -62,7 +62,7 @@ usage() { command="$1" case "$command" in - + stop|start|restart|status) exec /sbin/shorewall $@ diff --git a/Shorewall/install.sh b/Shorewall/install.sh index dbf3d36a2..3a5fa2442 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -2,14 +2,14 @@ # # Script to install Shoreline Firewall # -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # # (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # # Seawall documentation is available at http://seawall.sourceforge.net # # This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License +# it under the terms of Version 2 of the GNU General Public License # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, @@ -24,7 +24,7 @@ # Usage: # # If you are running a distribution that has a directory called /etc/rc.d/init.d or one -# called /etc/init.d or you are running Slackware then simply cd to the directory +# called /etc/init.d or you are running Slackware then simply cd to the directory # containing this script and run it. # # ./install.sh 
@@ -35,7 +35,7 @@ # ./install.sh /etc/rc.d/scripts # # The default is that the firewall will be started in run levels 2-5 starting at -# position 15 and stopping at position 90. This is correct RedHat/Mandrake, Debian, +# position 15 and stopping at position 90. This is correct RedHat/Mandrake, Debian, # Caldera and Corel. # # If you wish to change that, you can pass -r "". @@ -45,7 +45,7 @@ # # ./install.sh -r "23 15 90" # -# Example 2: You wish to start your firewall only in run level 3, start at position 5 +# Example 2: You wish to start your firewall only in run level 3, start at position 5 # and stop at position 95. # # ./install.sh -r "3 5 95" /etc/rc.d/scripts @@ -103,7 +103,7 @@ delete_file() # $1 = file to delete exit 1 fi fi -} +} modify_rclocal() { @@ -116,11 +116,11 @@ modify_rclocal() fi else cant_autostart - fi + fi } install_file_with_backup() # $1 = source $2 = target $3 = mode -{ +{ backup_file $2 run_install -o $OWNER -g $GROUP -m $3 $1 ${2} } @@ -182,7 +182,7 @@ while [ $# -gt 0 ] ; do done PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin - + # # Determine where to install the firewall script # @@ -224,7 +224,7 @@ fi # Change to the directory containing this script # cd "`dirname $0`" - + echo "Installing Shorewall Version $VERSION" # @@ -263,12 +263,12 @@ if [ -n "$RUNLEVELS" ]; then fi install_file_with_backup init.temp ${PREFIX}${DEST}/$FIREWALL 0544 - + rm -f init.temp awk.tmp else install_file_with_backup init.sh ${PREFIX}${DEST}/$FIREWALL 0544 fi - + echo echo "Shorewall script installed in ${PREFIX}${DEST}/$FIREWALL" @@ -306,12 +306,12 @@ if [ -f ${PREFIX}/etc/shorewall/functions ]; then backup_file ${PREFIX}/etc/shorewall/functions rm -f ${PREFIX}/etc/shorewall/functions fi - + if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then backup_file ${PREFIX}/var/lib/shorewall/functions rm -f ${PREFIX}/var/lib/shorewall/functions fi - + install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444 echo 
@@ -379,13 +379,13 @@ else echo echo "NAT file installed as ${PREFIX}/etc/shorewall/nat" fi -# +# # Install the Parameters file # if [ -f ${PREFIX}/etc/shorewall/params ]; then backup_file /etc/shorewall/params else - run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params + run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params echo echo "Parameter file installed as ${PREFIX}/etc/shorewall/params" fi diff --git a/Shorewall/interfaces b/Shorewall/interfaces index 9bbbfa296..cfc0e2b0e 100644 --- a/Shorewall/interfaces +++ b/Shorewall/interfaces @@ -14,7 +14,7 @@ # If the interface serves multiple zones that will be # defined in the /etc/shorewall/hosts file, you should # place "-" in this column. -# +# # INTERFACE Name of interface. Each interface may be listed only # once in this file. You may NOT specify the name of # an alias (e.g., eth0:0) here; see @@ -27,14 +27,14 @@ # column is left black.If the interface has multiple # addresses on multiple subnets then list the broadcast # addresses as a comma-separated list. -# +# # If you use the special value "detect", the firewall # will detect the broadcast address for you. If you # select this option, the interface must be up before # the firewall is started, you must have iproute # installed and the interface must only be associated # with a single subnet. -# +# # If you don't want to give a value for this column but # you want to enter a value in the OPTIONS column, enter # "-" in this column. @@ -79,8 +79,8 @@ # TCP_FLAGS_DISPOSITION after having been # logged according to the setting of # TCP_FLAGS_LOG_LEVEL. -# proxyarp - -# Sets +# proxyarp - +# Sets # /proc/sys/net/ipv4/conf//proxy_arp. # Do NOT use this option if you are # employing Proxy ARP through entries in 
@@ -88,7 +88,7 @@ # intended soley for use with Proxy ARP # sub-networking as described at: # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet -# +# # The order in which you list the options is not # significant but the list should have no embedded white # space. diff --git a/Shorewall/maclist b/Shorewall/maclist index 69a3dcda2..91b5e0f35 100644 --- a/Shorewall/maclist +++ b/Shorewall/maclist @@ -6,7 +6,7 @@ # Columns are: # # INTERFACE Network interface to a host -# +# # MAC MAC address of the host -- you do not need to use # the Shorewall format for MAC addresses here # diff --git a/Shorewall/masq b/Shorewall/masq index 5afcc9b69..27826945c 100755 --- a/Shorewall/masq +++ b/Shorewall/masq @@ -13,8 +13,8 @@ # /etc/shorewall/shorewall.conf, you may add ":" and # a digit to indicate that you want the alias added with # that name (e.g., eth0:0). This will allow the alias to -# be displayed with ifconfig. THAT IS THE ONLY USE FOR -# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER +# be displayed with ifconfig. THAT IS THE ONLY USE FOR +# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER # PLACE IN YOUR SHOREWALL CONFIGURATION. # # This may be qualified by adding the character @@ -25,7 +25,7 @@ # a subnet or as an interface. If you give the name of an # interface, you must have iproute installed and the interface # must be up before you start the firewall. -# +# # In order to exclude a subset of the specified SUBNET, you # may append "!" and a comma-separated list of IP addresses # and/or subnets that you wish to exclude. 
@@ -37,17 +37,17 @@ # # ADDRESS -- (Optional). If you specify an address here, SNAT will be # used and this will be the source address. If -# ADD_SNAT_ALIASES is set to Yes or yes in +# ADD_SNAT_ALIASES is set to Yes or yes in # /etc/shorewall/shorewall.conf then Shorewall # will automatically add this address to the -# INTERFACE named in the first column. +# INTERFACE named in the first column. # # WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if # the address given in this column is the primary # IP address for the interface in the INTERFACE # column. # -# This column may not contain a DNS Name. +# This column may not contain a DNS Name. # # Example 1: # @@ -83,7 +83,7 @@ # # You want all outgoing traffic from 192.168.1.0/24 through # eth0 to use source address 206.124.146.176 which is NOT the -# primary address of eth0. You want 206.124.146.176 added to +# primary address of eth0. You want 206.124.146.176 added to # be added to eth0 with name eth0:0. # # eth0:0 192.168.1.0/24 206.124.146.176 diff --git a/Shorewall/nat b/Shorewall/nat index 64fa40bea..4c0db0cf7 100755 --- a/Shorewall/nat +++ b/Shorewall/nat @@ -17,7 +17,7 @@ # column and must not be a DNS Name. # INTERFACE Interface that we want to EXTERNAL address to appear # on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may -# follow the interface name with ":" and a digit to +# follow the interface name with ":" and a digit to # indicate that you want Shorewall to add the alias # with this name (e.g., "eth0:0"). That allows you to # see the alias with ifconfig. THAT IS THE ONLY THING diff --git a/Shorewall/proxyarp b/Shorewall/proxyarp index e1cd46951..81c88a512 100644 --- a/Shorewall/proxyarp +++ b/Shorewall/proxyarp @@ -4,7 +4,7 @@ # # /etc/shorewall/proxyarp # -# This file is used to define Proxy ARP. +# This file is used to define Proxy ARP. # # Columns must be separated by white space and are: # diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 70b567973..e2dacc00d 100755 
--- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -68,4 +68,4 @@ Changes for 1.4 include: - + diff --git a/Shorewall/rfc1918 b/Shorewall/rfc1918 index 48e96df65..fdfd1b45c 100644 --- a/Shorewall/rfc1918 +++ b/Shorewall/rfc1918 @@ -43,7 +43,7 @@ 39.0.0.0/8 logdrop # Reserved 41.0.0.0/8 logdrop # Reserved 42.0.0.0/8 logdrop # Reserved -49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 +49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 58.0.0.0/7 logdrop # Reserved 60.0.0.0/8 logdrop # Reserved diff --git a/Shorewall/routestopped b/Shorewall/routestopped index 0d40dd2fd..55698c986 100644 --- a/Shorewall/routestopped +++ b/Shorewall/routestopped @@ -4,7 +4,7 @@ # # /etc/shorewall/routestopped # -# This file is used to define the hosts that are accessible when the +# This file is used to define the hosts that are accessible when the # firewall is stopped # # Columns must be separated by white space and are: @@ -12,7 +12,7 @@ # INTERFACE - Interface through which host(s) communicate with # the firewall # HOST(S) - (Optional) Comma-separated list of IP/subnet -# If left empty or supplied as "-", +# If left empty or supplied as "-", # 0.0.0.0/0 is assumed. # # Example: diff --git a/Shorewall/rules b/Shorewall/rules index a53055489..0a80d62c5 100755 --- a/Shorewall/rules +++ b/Shorewall/rules @@ -24,7 +24,7 @@ # DNAT -- Forward the request to another # system (and optionally another # port). -# DNAT- -- Advanced users only. +# DNAT- -- Advanced users only. # Like DNAT but only generates the # DNAT iptables rule and not # the companion ACCEPT rule. @@ -122,7 +122,7 @@ # interpreted as the destination icmp-type(s). # # A port range is expressed as :. -# +# # This column is ignored if PROTOCOL = all but must be # entered if any of the following ields are supplied. # In that case, it is suggested that this field contain 
@@ -153,7 +153,7 @@ # Otherwise, a separate rule will be generated for each # port. # -# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or +# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or # REDIRECT) If included and different from the IP # address given in the SERVER column, this is an address # on some interface on the firewall and connections to diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 4c23a9dbd..b87f77de0 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -2,7 +2,7 @@ # # Shorewall Packet Filtering Firewall Control Program - V1.4 - 3/14/2003 # -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # # (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # @@ -12,7 +12,7 @@ # Shorewall documentation is available at http://shorewall.sourceforge.net # # This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License +# it under the terms of Version 2 of the GNU General Public License # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, @@ -23,7 +23,7 @@ # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA -# +# # If an error occurs while starting or restarting the firewall, the # firewall is automatically stopped. # 
@@ -34,13 +34,13 @@ # # shorewall add [:] zone Adds a host or subnet to a zone # shorewall delete [:] zone Deletes a host or subnet from a zone -# shorewall start Starts the firewall +# shorewall start Starts the firewall # shorewall restart Restarts the firewall # shorewall stop Stops the firewall # shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status # plus the last 20 "interesting" # packets -# shorewall status Displays firewall status +# shorewall status Displays firewall status # shorewall reset Resets iptables packet and # byte counts # shorewall clear Open the floodgates by @@ -75,7 +75,7 @@ # listed address(es) # shorewall reject
... Temporarily reject all packets from the # listed address(es) -# shorewall allow
... Reenable address(es) previously +# shorewall allow
... Reenable address(es) previously # disabled with "drop" or "reject" # shorewall save Save the list of "rejected" and # "dropped" addresses so that it will @@ -142,7 +142,7 @@ get_config() { display_chains() { trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9 - + if [ "$haveawk" = "Yes" ]; then # # Send the output to a temporary file since ash craps if we try to store @@ -170,11 +170,11 @@ display_chains() echo chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2` - + for chain in $chains; do showchain $chain done - + timed_read for zone in $zones; do @@ -242,7 +242,7 @@ display_chains() # Delay $timeout seconds -- if we're running on a recent bash2 then allow # to terminate the delay # -timed_read () +timed_read () { read -t $timeout foo 2> /dev/null @@ -252,7 +252,7 @@ timed_read () # # Display the last $1 packets logged # -packet_log() # $1 = number of messages +packet_log() # $1 = number of messages { local options @@ -334,7 +334,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that get_config host=`echo $HOSTNAME | sed 's/\..*$//'` oldrejects=`iptables -L -v -n | grep 'LOG'` - + if [ $1 -lt 0 ]; then let "timeout=- $1" pause="Yes" @@ -347,7 +347,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that while true; do display_chains - + clear echo "$banner `date`" echo @@ -361,7 +361,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that if [ "$rejects" != "$oldrejects" ]; then oldrejects="$rejects" - + $RING_BELL packet_log 20 @@ -435,7 +435,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that get_config host=`echo $HOSTNAME | sed 's/\..*$//'` oldrejects=`iptables -L -v -n | grep 'LOG'` - + if [ $1 -lt 0 ]; then timeout=$((- $1)) pause="Yes" 
@@ -754,7 +754,7 @@ case "$1" in echo "" echo " HITS PORT SERVICE(S)" - echo " ---- ----- ----------" + echo " ---- ----- ----------" grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ while read count port ; do # List all services defined for the given port @@ -853,4 +853,4 @@ case "$1" in *) usage 1 ;; -esac +esac diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index af413a36a..894839d32 100755 --- a/Shorewall/shorewall.conf +++ b/Shorewall/shorewall.conf @@ -2,7 +2,7 @@ # /etc/shorewall/shorewall.conf V1.4 - Change the following variables to # match your setup # -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # # This file should be placed in /etc/shorewall # @@ -19,7 +19,7 @@ SHARED_DIR=/usr/share/shorewall # L O G G I N G ############################################################################## # -# General note about log levels. Log levels are a method of describing +# General note about log levels. Log levels are a method of describing # to syslog (8) the importance of a message and a number of parameters # in this file have log levels as their value. # 
@@ -35,16 +35,16 @@ SHARED_DIR=/usr/share/shorewall # 0 emerg # # For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall -# log messages are generated by NetFilter and are logged using facility +# log messages are generated by NetFilter and are logged using facility # 'kern' and the level that you specifify. If you are unsure of the level # to choose, 6 (info) is a safe bet. You may specify levels by name or by # number. # -# If you have build your kernel with ULOG target support, you may also +# If you have build your kernel with ULOG target support, you may also # specify a log level of ULOG (must be all caps). Rather than log its # messages to syslogd, Shorewall will direct netfilter to log the messages # via the ULOG target which will send them to a process called 'ulogd'. -# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be +# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be # configured to log all Shorewall message to their own log file ################################################################################ # @@ -118,7 +118,7 @@ BLACKLIST_LOGLEVEL= # # When a TCP packet that does not have the SYN flag set and the ACK and RST # flags clear then unless the packet is part of an established connection, -# it will be rejected by the firewall. If you want these rejects logged, +# it will be rejected by the firewall. If you want these rejects logged, # then set LOGNEWNOTSYN to the syslog log level at which you want them logged. # # See the comment at the top of this section for a description of log levels @@ -133,10 +133,10 @@ LOGNEWNOTSYN= # # Specifies the logging level for connection requests that fail MAC # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then -# such connection requests will not be logged. +# such connection requests will not be logged. # # See the comment at the top of this section for a description of log levels -# +# MACLIST_LOG_LEVEL=info 
@@ -145,10 +145,10 @@ MACLIST_LOG_LEVEL=info # # Specifies the logging level for packets that fail TCP Flags # verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then -# such packets will not be logged. +# such packets will not be logged. # # See the comment at the top of this section for a description of log levels -# +# TCP_FLAGS_LOG_LEVEL=info @@ -160,7 +160,7 @@ TCP_FLAGS_LOG_LEVEL=info # RFC1918_LOG_LEVEL=info is assumed. # # See the comment at the top of this section for a description of log levels -# +# RFC1918_LOG_LEVEL=info @@ -169,7 +169,7 @@ RFC1918_LOG_LEVEL=info ################################################################################ # # PATH - Change this if you want to change the order in which Shorewall -# searches directories for executable files. +# searches directories for executable files. # PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin @@ -294,13 +294,13 @@ CLEAR_TC=Yes # # When processing the tcrules file, Shorewall normally marks packets in the # PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set -# this to "Yes". If not specified or if set to the empty value (e.g., +# this to "Yes". If not specified or if set to the empty value (e.g., # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. # # Marking packets in the FORWARD chain has the advantage that inbound # packets destined for Masqueraded/SNATed local hosts have had their destination # address rewritten so they can be marked based on their destination. When -# packets are marked in the PREROUTING chain, packets destined for +# packets are marked in the PREROUTING chain, packets destined for # Masqueraded/SNATed local hosts still have a destination address corresponding # to the firewall's external interface. # 
@@ -387,27 +387,27 @@ MULTIPORT=No # DNAT net loc:192.168.1.3 tcp 80 # # it will forward TCP port 80 connections from the net to 192.168.1.3 -# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is +# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is # convenient for two reasons: # # a) If the the network interface has a dynamic IP address, the # firewall configuration will work even when the address # changes. # -# b) It saves having to configure the IP address in the rule +# b) It saves having to configure the IP address in the rule # while still allowing the firewall to be started before the # internet interface is brought up. # # This default behavior can also have a negative effect. If the -# internet interface has more than one IP address then the above -# rule will forward connection requests on all of these addresses; +# internet interface has more than one IP address then the above +# rule will forward connection requests on all of these addresses; # that may not be what is desired. # # By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply # only if the original destination address is the primary IP address of # one of the interfaces associated with the source zone. Note that this # requires all interfaces to the source zone to be up when the firewall -# is [re]started. +# is [re]started. DETECT_DNAT_IPADDRS=No @@ -440,7 +440,7 @@ MUTEX_TIMEOUT=60 # Users with a High-availability setup with two firewall's and one acting # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may # also need to select NEWNOTSYN=Yes. - + NEWNOTSYN=No ################################################################################ 
@@ -469,7 +469,7 @@ MACLIST_DISPOSITION=REJECT # # TCP FLAGS Disposition # -# This variable determins the disposition of packets having an invalid +# This variable determins the disposition of packets having an invalid # combination of TCP flags that are received on interfaces having the # 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified # or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed. diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 80487d244..1bff0ad83 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -48,10 +48,10 @@ if [ $1 -eq 1 ]; then ########################################################################" \ > /etc/shorewall/startup_disabled - if [ -x /sbin/insserv ]; then + if [ -x /sbin/insserv ]; then /sbin/insserv /etc/rc.d/shorewall elif [ -x /sbin/chkconfig ]; then - /sbin/chkconfig --add shorewall; + /sbin/chkconfig --add shorewall; fi fi @@ -68,7 +68,7 @@ if [ $1 = 0 ]; then fi -%files +%files /etc/init.d/shorewall %attr(0700,root,root) %dir /etc/shorewall %attr(0700,root,root) %dir /usr/share/shorewall @@ -279,7 +279,7 @@ fi - Changed the release to 4 - Added Zones and Functions files * Mon Mar 12 2001 Tom Eastep -- Change ipchains dependency to an iptables dependency and +- Change ipchains dependency to an iptables dependency and changed the release to 3 * Fri Mar 9 2001 Tom Eastep - Add additional files. diff --git a/Shorewall/start b/Shorewall/start index 5f7ee769e..7b46073f8 100644 --- a/Shorewall/start +++ b/Shorewall/start @@ -1,6 +1,6 @@ ############################################################################ # Shorewall 1.4 -- /etc/shorewall/start # -# Add commands below that you want to be executed after shorewall has +# Add commands below that you want to be executed after shorewall has # been started or restarted. # diff --git a/Shorewall/tcrules b/Shorewall/tcrules index 3d37eb2ba..32215538c 100755 --- a/Shorewall/tcrules 
+++ b/Shorewall/tcrules @@ -26,10 +26,10 @@ # /etc/shorewall/shorewall.conf. # # SOURCE Source of the packet. A comma-separated list of -# interface names, IP addresses, MAC addresses +# interface names, IP addresses, MAC addresses # and/or subnets. Use $FW if the packet originates on # the firewall in which case the MARK column may NOT -# specify either ":P" or ":F" (marking always occurs +# specify either ":P" or ":F" (marking always occurs # in the OUTPUT chain). # # MAC addresses must be prefixed with "~" and use diff --git a/Shorewall/tunnel b/Shorewall/tunnel index 25933b071..2cb20ca36 100755 --- a/Shorewall/tunnel +++ b/Shorewall/tunnel @@ -6,8 +6,8 @@ RCDLINKS="2,S45 3,S45 6,K45" # # Modified - Steve Cowles 5/9/2000 # Incorporated init {start|stop} syntax and iproute2 usage -# -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # # (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # diff --git a/Shorewall/tunnels b/Shorewall/tunnels index 93f889fa3..ee45c54b3 100644 --- a/Shorewall/tunnels +++ b/Shorewall/tunnels @@ -25,7 +25,7 @@ # remote getway has no fixed address (Road Warrior) # then specify the gateway as 0.0.0.0/0. # -# GATEWAY +# GATEWAY # ZONES -- Optional. If the gateway system specified in the third # column is a standalone host then this column should # contain a comma-separated list of the names of the diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index b778e2082..63a8a0be5 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh 
@@ -2,14 +2,14 @@ # # Script to back uninstall Shoreline Firewall # -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # # (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # # Shorewall documentation is available at http://shorewall.sourceforge.net # # This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License +# it under the terms of Version 2 of the GNU General Public License # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, @@ -35,8 +35,8 @@ usage() # $1 = exit status exit $1 } -qt() -{ +qt() +{ "$@" >/dev/null 2>&1 } @@ -49,7 +49,7 @@ restore_file() # $1 = file to restore else exit 1 fi - fi + fi } remove_file() # $1 = file to restore diff --git a/Shorewall/zones b/Shorewall/zones index ffc23b55d..e9b882473 100644 --- a/Shorewall/zones +++ b/Shorewall/zones @@ -3,12 +3,12 @@ # # This file determines your network zones. Columns are: # -# ZONE Short name of the zone +# ZONE Short name of the zone # DISPLAY Display name of the zone # COMMENTS Comments about the zone # #ZONE DISPLAY COMMENTS -net Net Internet +net Net Internet loc Local Local networks dmz DMZ Demilitarized zone #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE