From e1da59e0371cab5b6da99734e69b040223a2fabd Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 8 Jun 2015 22:10:21 +0300 Subject: [PATCH 1/6] shorewall-init: use consitent indent Signed-off-by: Tuomo Soini --- Shorewall-init/shorewall-init | 123 +++++++++++++++++----------------- 1 file changed, 62 insertions(+), 61 deletions(-) diff --git a/Shorewall-init/shorewall-init b/Shorewall-init/shorewall-init index 65a5befb7..8f2f4e03d 100644 --- a/Shorewall-init/shorewall-init +++ b/Shorewall-init/shorewall-init @@ -1,18 +1,19 @@ -#! /bin/bash -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5 +#!/bin/bash +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.6 # -# (c) 2012-2014 - Tom Eastep (teastep@shorewall.net) +# (c) 2012-2014 - Tom Eastep (teastep@shorewall.net) # -# On most distributions, this file should be called /etc/init.d/shorewall. +# On most distributions, this file should be called +# /etc/init.d/shorewall. # -# Complete documentation is available at http://shorewall.net +# Complete documentation is available at http://shorewall.net # -# This program is part of Shorewall. +# This program is part of Shorewall. # # This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by the -# Free Software Foundation, either version 2 of the license or, at your -# option, any later version. +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 2 of the license or, +# at your option, any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of 
@@ -22,7 +23,7 @@ # You should have received a copy of the GNU General Public License # along with this program; if not, see . # -######################################################################################### +############################################################################### # set the STATEDIR variable setstatedir() { local statedir @@ -46,7 +47,7 @@ setstatedir() { if [ -f "$SYSCONFDIR/shorewall-init" ]; then . $SYSCONFDIR/shorewall-init if [ -z "$PRODUCTS" ]; then - echo "ERROR: No products configured" >&2 + echo "ERROR: No products configured" >&2 exit 1 fi else 
@@ -56,71 +57,71 @@ fi # Initialize the firewall shorewall_start () { - local PRODUCT - local STATEDIR + local PRODUCT + local STATEDIR - echo -n "Initializing \"Shorewall-based firewalls\": " - for PRODUCT in $PRODUCTS; do - setstatedir + echo -n "Initializing \"Shorewall-based firewalls\": " + for PRODUCT in $PRODUCTS; do + setstatedir - if [ -x ${STATEDIR}/firewall ]; then - # - # Run in a sub-shell to avoid name collisions - # - ( - if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then - ${STATEDIR}/firewall ${OPTIONS} stop || exit 1 - else - exit 1 - fi - ) - else - echo ERROR: ${STATEDIR}/firewall does not exist or is not executable! - exit 1 - fi - done + if [ -x ${STATEDIR}/firewall ]; then + # + # Run in a sub-shell to avoid name collisions + # + ( + if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then + ${STATEDIR}/firewall ${OPTIONS} stop || exit 1 + else + exit 1 + fi + ) + else + echo ERROR: ${STATEDIR}/firewall does not exist or is not executable! + exit 1 + fi + done - if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then - ipset -R < "$SAVE_IPSETS" - fi + if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then + ipset -R < "$SAVE_IPSETS" + fi - return 0 + return 0 } # Clear the firewall shorewall_stop () { - local PRODUCT - local STATEDIR + local PRODUCT + local STATEDIR - echo -n "Clearing \"Shorewall-based firewalls\": " - for PRODUCT in $PRODUCTS; do - setstatedir + echo -n "Clearing \"Shorewall-based firewalls\": " + for PRODUCT in $PRODUCTS; do + setstatedir - if [ -x ${STATEDIR}/firewall ]; then - ${STATEDIR}/firewall ${OPTIONS} clear || exit 1 - fi - done + if [ -x ${STATEDIR}/firewall ]; then + ${STATEDIR}/firewall ${OPTIONS} clear || exit 1 + fi + done - if [ -n "$SAVE_IPSETS" ]; then - mkdir -p $(dirname "$SAVE_IPSETS") - if ipset -S > "${SAVE_IPSETS}.tmp"; then - grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" - fi - fi + if [ -n "$SAVE_IPSETS" ]; then + mkdir -p $(dirname "$SAVE_IPSETS") + if 
ipset -S > "${SAVE_IPSETS}.tmp"; then + grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" + fi + fi - return 0 + return 0 } case "$1" in - start) - shorewall_start - ;; - stop) - shorewall_stop - ;; - *) - echo "Usage: $0 {start|stop}" - exit 1 + start) + shorewall_start + ;; + stop) + shorewall_stop + ;; + *) + echo "Usage: $0 {start|stop}" + exit 1 esac exit 0 From f3a4e25d27ada90eb0840639f479ea2c798d8d5c Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 8 Jun 2015 22:15:35 +0300 Subject: [PATCH 2/6] Complete Shorewall-init improvements completes 548c0558c15f1ec10b3782014cefa996c58db03f Signed-off-by: Tuomo Soini --- Shorewall-init/shorewall-init | 39 ++++++++++++++++------------------- 1 file changed, 18 insertions(+), 21 deletions(-) diff --git a/Shorewall-init/shorewall-init b/Shorewall-init/shorewall-init index 8f2f4e03d..5b6e9ebc8 100644 --- a/Shorewall-init/shorewall-init +++ b/Shorewall-init/shorewall-init @@ -34,7 +34,9 @@ setstatedir() { [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then - ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit 1 + ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c + else + return 0 fi } @@ -62,22 +64,17 @@ shorewall_start () { echo -n "Initializing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do - setstatedir - - if [ -x ${STATEDIR}/firewall ]; then - # - # Run in a sub-shell to avoid name collisions - # - ( - if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then - ${STATEDIR}/firewall ${OPTIONS} stop || exit 1 - else - exit 1 - fi - ) - else - echo ERROR: ${STATEDIR}/firewall does not exist or is not executable! - exit 1 + if setstatedir; then + if [ -x ${STATEDIR}/firewall ]; then + # + # Run in a sub-shell to avoid name collisions + # + ( + if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then + ${STATEDIR}/firewall ${OPTIONS} stop + fi + ) + fi fi done 
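Review bot: The new `else return 0` branch in setstatedir is redundant: an `if` whose condition tests false already yields status 0, so the function's status is that of `compile -c` for shorewall/shorewall6 and 0 otherwise with or without it. That status is now the contract the callers depend on (shorewall_start and shorewall_stop test `if setstatedir`), so it deserves a header comment rather than an extra branch, e.g. `# Set STATEDIR for $PRODUCT; for shorewall/shorewall6 also run "compile -c" and return its status so callers can skip the product when compilation fails`. setstatedir begins before this hunk.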
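Review bot: In the shorewall_start hunk a product whose setstatedir (and so `compile -c`) fails, or whose `${STATEDIR}/firewall` is missing or not executable, is now skipped with no message at all, and since the function's trailing `return 0` (outside the hunk) is unchanged the init script still exits 0 — a firewall that never loaded is reported as a successful start. Continuing with the remaining products is reasonable, but the diagnostic the old `else` branch printed should stay, and a failure flag should be returned in place of `return 0` so the exit status reflects it; `rc=0` before the loop and `return $rc` at the end (both outside the hunk) complete the change sketched below. The shorewall_stop hunk (`@@ -95,10 +92,10 @@`) has the same silent skip and additionally discards the status of `clear`. shorewall_start continues past the end of this hunk.
```shell
    for PRODUCT in $PRODUCTS; do
        if setstatedir; then
            if [ -x ${STATEDIR}/firewall ]; then
                # … unchanged: sub-shell that runs "stop" when "status" fails …
            else
                echo "ERROR: ${STATEDIR}/firewall does not exist or is not executable!" >&2
                rc=1
            fi
        else
            rc=1
        fi
    done
```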
@@ -95,10 +92,10 @@ shorewall_stop () { echo -n "Clearing \"Shorewall-based firewalls\": " for PRODUCT in $PRODUCTS; do - setstatedir - - if [ -x ${STATEDIR}/firewall ]; then - ${STATEDIR}/firewall ${OPTIONS} clear || exit 1 + if setstatedir; then + if [ -x ${STATEDIR}/firewall ]; then + ${STATEDIR}/firewall ${OPTIONS} clear + fi fi done From 274f054d87156d273894eae24830c11f9fd1d47b Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 8 Jun 2015 22:18:01 +0300 Subject: [PATCH 3/6] Add to lib.common a new function not_configured() Signed-off-by: Tuomo Soini --- Shorewall-core/lib.common | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common index 5d0ec7ca1..3fbe95f83 100644 --- a/Shorewall-core/lib.common +++ b/Shorewall-core/lib.common @@ -79,6 +79,15 @@ fatal_error() # $@ = Message exit 2 } +# +# Not configured Error +# +not_configured() # $@ = Message +{ + echo " ERROR: $@" >&2 + exit 6 +} + # # Get the Shorewall version of the passed script # From e10c078a062e878ff7ab0e14f3d9df14165f3ec6 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 8 Jun 2015 22:23:38 +0300 Subject: [PATCH 4/6] Set exit code to 6 when startup is disabled Handles cases missed by 4b27c72c7944043a73261f1f8310fe5c1e89daec Signed-off-by: Tuomo Soini --- Shorewall/lib.cli-std | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index cce2c1755..6dc804468 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std 
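Review bot: `echo " ERROR: $@" >&2` in the new not_configured() expands `$@` inside a double-quoted string, where the arguments are rejoined into one word anyway; ShellCheck flags this (SC2145) and `"$*"` states the intent: `echo " ERROR: $*" >&2`. The header comment should also record what the exit status means, since the lib.cli-std callers are being switched to this helper specifically for that value: `# Not configured Error — exit 6, the LSB init-script status for "program is not configured"`. Whether the leading space in `" ERROR:"` mirrors fatal_error's message format cannot be confirmed here, as only its `exit 2` is visible.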
@@ -162,14 +162,13 @@ get_config() { if [ "$2" = Yes ]; then case $STARTUP_ENABLED in No|no|NO) - fatal_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf" + not_configured "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf" ;; Yes|yes|YES) ;; *) if [ -n "$STARTUP_ENABLED" ]; then - fatal_error "Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" - exit 6 + not_configured "Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" fi ;; esac @@ -497,7 +496,7 @@ start_command() { exit 0 fi - [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" + [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled" while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 @@ -989,7 +988,7 @@ restart_command() { ;; esac - [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" + [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled" if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then uptodate ${VARDIR}/firewall && g_fast=Yes @@ -1088,7 +1087,7 @@ refresh_command() { product_is_started || fatal_error "$g_product is not running" - [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" + [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled" if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then run_postcompile ${VARDIR}/.refresh @@ -1177,7 +1176,7 @@ safe_commands() { ;; esac - [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" + [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled" if product_is_started; then running=Yes @@ -1314,7 +1313,7 @@ try_command() { ;; esac - [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" + [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled" if product_is_started; then running=Yes From f175ab853bc6c31ec3c7c7d714136dbb1bf4cac8 Mon Sep 17 00:00:00 2001 
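Review bot: The guard `[ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled"` is repeated verbatim in start_command and, in the following hunks, restart_command, refresh_command, safe_commands and try_command; a one-line helper would keep the message and exit status in a single place, e.g. `startup_enabled_or_exit() { [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled"; }`. Its message is also less helpful than the one get_config prints for an explicit No, which tells the user to set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf; an empty value presumably reaches these guards because get_config's `*)` arm only rejects a non-empty invalid value, so the same hint would be appropriate here. Each of these functions starts and ends outside its hunk.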
From: Tuomo Soini Date: Tue, 9 Jun 2015 20:29:45 +0300 Subject: [PATCH 5/6] rename not_configured() to not_configured_error() Signed-off-by: Tuomo Soini --- Shorewall-core/lib.common | 2 +- Shorewall/lib.cli-std | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common index 3fbe95f83..28b0d5356 100644 --- a/Shorewall-core/lib.common +++ b/Shorewall-core/lib.common @@ -82,7 +82,7 @@ fatal_error() # $@ = Message # # Not configured Error # -not_configured() # $@ = Message +not_configured_error() # $@ = Message { echo " ERROR: $@" >&2 exit 6 diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index 6dc804468..924fa364f 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std @@ -162,13 +162,13 @@ get_config() { if [ "$2" = Yes ]; then case $STARTUP_ENABLED in No|no|NO) - not_configured "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf" + not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf" ;; Yes|yes|YES) ;; *) if [ -n "$STARTUP_ENABLED" ]; then - not_configured "Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" + not_configured_error "Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" fi ;; esac @@ -496,7 +496,7 @@ start_command() { exit 0 fi - [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled" + [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled" while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 @@ -988,7 +988,7 @@ restart_command() { ;; esac - [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled" + [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled" if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then uptodate ${VARDIR}/firewall && g_fast=Yes 
@@ -1087,7 +1087,7 @@ refresh_command() { product_is_started || fatal_error "$g_product is not running" - [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled" + [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled" if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then run_postcompile ${VARDIR}/.refresh @@ -1176,7 +1176,7 @@ safe_commands() { ;; esac - [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled" + [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled" if product_is_started; then running=Yes @@ -1313,7 +1313,7 @@ try_command() { ;; esac - [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled" + [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled" if product_is_started; then running=Yes From d9e4273e6bcd0120662565bfe90d66df3eea6e76 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 19 Jun 2015 10:00:05 -0700 Subject: [PATCH 6/6] Clarify the Universal configuration Signed-off-by: Tom Eastep --- docs/GettingStarted.xml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/GettingStarted.xml b/docs/GettingStarted.xml index 7a0692401..82880363a 100644 --- a/docs/GettingStarted.xml +++ b/docs/GettingStarted.xml @@ -67,6 +67,12 @@ Universal configuration -- requires no configuration to protect a single system. + + + This configuration places all interfaces in the net zone. If you + add another interface or VPN, you will want to select a different + QuickStart Guide. + @@ -182,7 +188,7 @@ url="configuration_file_basics.htm#Ranges">Port Ranges - +