mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-22 07:33:43 +01:00
Update for Shorewall 2.2.0 Beta 2
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1734 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
d69e5c496a
commit
29e3991465
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.1 - Accounting File
|
||||
# Shorewall version 2.2 - Accounting File
|
||||
#
|
||||
# /etc/shorewall/accounting
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /etc/shorewall/actions
|
||||
# Shorewall 2.2 /etc/shorewall/actions
|
||||
#
|
||||
# This file allows you to define new ACTIONS for use in rules
|
||||
# (/etc/shorewall/rules). You define the iptables rules to
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 -- Blacklist File
|
||||
# Shorewall 2.2 -- Blacklist File
|
||||
#
|
||||
# /etc/shorewall/blacklist
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 - /etc/shorewall/ecn
|
||||
# Shorewall 2.2 - /etc/shorewall/ecn
|
||||
#
|
||||
# Use this file to list the destinations for which you want to
|
||||
# disable ECN.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 - /etc/shorewall/hosts
|
||||
# Shorewall 2.2 - /etc/shorewall/hosts
|
||||
#
|
||||
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
|
||||
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
|
||||
@ -129,7 +129,11 @@
|
||||
# NEWNOTSYN=Yes.
|
||||
#
|
||||
# ipsec - The zone is accessed via a
|
||||
# kernel 2.6 ipsec SA.
|
||||
# kernel 2.6 ipsec SA. Note that if the
|
||||
# zone named in the ZONE column is
|
||||
# specified as an IPSEC zone in the
|
||||
# /etc/shorewall/ipsec file then you do NOT
|
||||
# need to specify the 'ipsec' option here.
|
||||
#
|
||||
#ZONE HOST(S) OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/init
|
||||
# Shorewall 2.2 -- /etc/shorewall/init
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of
|
||||
# a "shorewall start" or "shorewall restart" command.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/initdone
|
||||
# Shorewall 2.2 -- /etc/shorewall/initdone
|
||||
#
|
||||
# Add commands below that you want to be executed during
|
||||
# "shorewall start" or "shorewall restart" commands at the point where
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 -- Interfaces File
|
||||
# Shorewall 2.2 -- Interfaces File
|
||||
#
|
||||
# /etc/shorewall/interfaces
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 - /etc/shorewall/ipsec
|
||||
# Shorewall 2.2 - /etc/shorewall/ipsec
|
||||
#
|
||||
# This file defines the attributes of zones with respect to
|
||||
# IPSEC. To use this file, you must be running a 2.6 kernel and
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 - MAC list file
|
||||
# Shorewall 2.2 - MAC list file
|
||||
#
|
||||
# /etc/shorewall/maclist
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 - Masquerade file
|
||||
# Shorewall 2.2 - Masquerade file
|
||||
#
|
||||
# /etc/shorewall/masq
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
##############################################################################
|
||||
# Shorewall 2.0 /etc/shorewall/modules
|
||||
# Shorewall 2.2 /etc/shorewall/modules
|
||||
#
|
||||
# This file loads the modules needed by the firewall.
|
||||
#
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.0 -- Network Address Translation Table
|
||||
# Shorewall 2.2 -- Network Address Translation Table
|
||||
#
|
||||
# /etc/shorewall/nat
|
||||
#
|
||||
@ -16,6 +16,7 @@
|
||||
# EXTERNAL External IP Address - this should NOT be the primary
|
||||
# IP address of the interface named in the next
|
||||
# column and must not be a DNS Name.
|
||||
#
|
||||
# INTERFACE Interface that you want to EXTERNAL address to appear
|
||||
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
|
||||
# follow the interface name with ":" and a digit to
|
||||
@ -29,13 +30,16 @@
|
||||
# particular entry, follow the interface name with
|
||||
# ":" and no digit (e.g., "eth0:").
|
||||
# INTERNAL Internal Address (must not be a DNS Name).
|
||||
#
|
||||
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
|
||||
# If No or no (or left empty) then NAT will be effective
|
||||
# only through the interface named in the INTERFACE
|
||||
# column
|
||||
#
|
||||
# LOCAL If Yes or yes, NAT will be effective from the firewall
|
||||
# system
|
||||
##############################################################################
|
||||
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /etc/shorewall/params
|
||||
# Shorewall 2.2 /etc/shorewall/params
|
||||
#
|
||||
# Assign any variables that you need here.
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 -- Policy File
|
||||
# Shorewall 2.2 -- Policy File
|
||||
#
|
||||
# /etc/shorewall/policy
|
||||
#
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.1 -- Proxy ARP
|
||||
# Shorewall 2.2 -- Proxy ARP
|
||||
#
|
||||
# /etc/shorewall/proxyarp
|
||||
#
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.1 -- Hosts Accessible when the Firewall is Stopped
|
||||
# Shorewall 2.2 -- Hosts Accessible when the Firewall is Stopped
|
||||
#
|
||||
# /etc/shorewall/routestopped
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.1 - Rules File
|
||||
# Shorewall version 2.2 - Rules File
|
||||
#
|
||||
# /etc/shorewall/rules
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.1 -- /etc/shorewall/start
|
||||
# Shorewall 2.2 -- /etc/shorewall/start
|
||||
#
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# been started or restarted.
|
||||
@ -7,4 +7,4 @@
|
||||
for file in /etc/shorewall/start.d/* ; do
|
||||
run_user_exit $file
|
||||
done
|
||||
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.1 -- /etc/shorewall/stop
|
||||
# Shorewall 2.2 -- /etc/shorewall/stop
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of a
|
||||
# "shorewall stop" command.
|
||||
@ -7,4 +7,4 @@
|
||||
for file in /etc/shorewall/stop.d/* ; do
|
||||
run_user_exit $file
|
||||
done
|
||||
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.1 -- /etc/shorewall/stopped
|
||||
# Shorewall 2.2 -- /etc/shorewall/stopped
|
||||
#
|
||||
# Add commands below that you want to be executed at the completion of a
|
||||
# "shorewall stop" command.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.1 - Traffic Control Rules File
|
||||
# Shorewall version 2.2 - Traffic Control Rules File
|
||||
#
|
||||
# /etc/shorewall/tcrules
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 -- /etc/shorewall/tos
|
||||
# Shorewall 2.2 -- /etc/shorewall/tos
|
||||
#
|
||||
# This file defines rules for setting Type Of Service (TOS)
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 - /etc/shorewall/tunnels
|
||||
# Shorewall 2.2 - /etc/shorewall/tunnels
|
||||
#
|
||||
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /etc/shorewall/zones
|
||||
# Shorewall 2.2 /etc/shorewall/zones
|
||||
#
|
||||
# This file determines your network zones. Columns are:
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowAuth
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowAuth
|
||||
#
|
||||
# This action accepts Auth (identd) traffic.
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowDNS
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowDNS
|
||||
#
|
||||
# This action accepts DNS traffic.
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowFTP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowFTP
|
||||
#
|
||||
# This action accepts FTP traffic. See
|
||||
# http://www.shorewall.net/FTP.html for additional considerations.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowIMAP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowIMAP
|
||||
#
|
||||
# This action accepts IMAP traffic (secure and insecure):
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowNNTP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowNNTP
|
||||
#
|
||||
# This action accepts NNTP traffic (Usenet).
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowNTP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowNTP
|
||||
#
|
||||
# This action accepts NTP traffic (ntpd).
|
||||
#
|
||||
@ -7,4 +7,5 @@
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
ACCEPT - - udp 123
|
||||
ACCEPT - - udp 1024: 123
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowPCA
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowPCA
|
||||
#
|
||||
# This action accepts PCAnywere (tm)
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowPOP3
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowPOP3
|
||||
#
|
||||
# This action accepts POP3 traffic (secure and insecure):
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowPing
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowPing
|
||||
#
|
||||
# This action accepts 'ping' requests.
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowRdate
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowRdate
|
||||
#
|
||||
# This action accepts remote time retrieval (rdate).
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowSMB
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMB
|
||||
#
|
||||
# Allow Microsoft SMB traffic. You need to invoke this action in
|
||||
# both directions.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowSMTP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMTP
|
||||
#
|
||||
# This action accepts SMTP (email) traffic.
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowSNMP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowSNMP
|
||||
#
|
||||
# This action accepts SNMP traffic (including traps):
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowSSH
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowSSH
|
||||
#
|
||||
# This action accepts secure shell (SSH) traffic.
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowTelnet
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowTelnet
|
||||
#
|
||||
# This action accepts Telnet traffic. For traffic over the
|
||||
# internet, telnet is inappropriate; use SSH instead
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowTrcrt
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowTrcrt
|
||||
#
|
||||
# This action accepts Traceroute (for up to 20 hops):
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowVNC
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowVNC
|
||||
#
|
||||
# This action accepts VNC traffic for VNC display's 0 - 9.
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowVNCL
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowVNCL
|
||||
#
|
||||
# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowWeb
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowWeb
|
||||
#
|
||||
# This action accepts WWW traffic (secure and insecure):
|
||||
#
|
||||
@ -7,5 +7,5 @@
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 80
|
||||
ACCEPT - - TCP 443
|
||||
ACCEPT - - tcp 443
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.Drop
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.Drop
|
||||
#
|
||||
# The default DROP common rules
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.DropDNSrep
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.DropDNSrep
|
||||
#
|
||||
# This action silently drops DNS UDP replies
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.DropPing
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.DropPing
|
||||
#
|
||||
# This action silently drops 'ping' requests.
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.DropSMB
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.DropSMB
|
||||
#
|
||||
# This action silently drops Microsoft SMB traffic
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.DropUPnP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.DropUPnP
|
||||
#
|
||||
# This action silently drops UPnP probes on UDP port 1900
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.Reject
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.Reject
|
||||
#
|
||||
# The default REJECT action common rules
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.RejectAuth
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.RejectAuth
|
||||
#
|
||||
# This action silently rejects Auth (tcp 113) traffic
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.RejectSMB
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.RejectSMB
|
||||
#
|
||||
# This action silently rejects Microsoft SMB traffic
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /etc/shorewall/action.template
|
||||
# Shorewall 2.2 /etc/shorewall/action.template
|
||||
#
|
||||
# This file is a template for files with names of the form
|
||||
# /etc/shorewall/action.<action-name> where <action> is an
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/actions.std
|
||||
# Shorewall 2.2 /usr/share/shorewall/actions.std
|
||||
#
|
||||
#
|
||||
# Builtin Actions are:
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.1
|
||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.2
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
@ -1986,7 +1986,6 @@ setup_mac_lists() {
|
||||
#
|
||||
# Process the maclist file producing the verification rules
|
||||
#
|
||||
|
||||
while read interface mac addresses; do
|
||||
expandv interface mac addresses
|
||||
|
||||
@ -2750,7 +2749,7 @@ check_config() {
|
||||
echo "Determining Zones..."
|
||||
|
||||
determine_zones
|
||||
check_dupliate_zones
|
||||
check_duplicate_zones
|
||||
|
||||
[ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
|
||||
|
||||
@ -5834,20 +5833,22 @@ add_common_rules() {
|
||||
;;
|
||||
esac
|
||||
|
||||
run_iptables2 -A norfc1918 $(source_ip_range $networks) -j $target
|
||||
|
||||
if [ -n "$CONNTRACK_MATCH" ]; then
|
||||
#
|
||||
# We have connection tracking match -- match on the original destination
|
||||
#
|
||||
run_iptables2 -A norfc1918 -m conntrack --ctorigdst $networks -j $target
|
||||
elif [ -n "$MANGLE_ENABLED" ]; then
|
||||
#
|
||||
# No connection tracking match but we have mangling -- add a rule to
|
||||
# the mangle table
|
||||
#
|
||||
run_iptables2 -t mangle -A man1918 $(dest_ip_range $networks) -j $target
|
||||
fi
|
||||
for network in $(separate_list $networks); do
|
||||
run_iptables2 -A norfc1918 $(source_ip_range $network) -j $target
|
||||
|
||||
if [ -n "$CONNTRACK_MATCH" ]; then
|
||||
#
|
||||
# We have connection tracking match -- match on the original destination
|
||||
#
|
||||
run_iptables2 -A norfc1918 -m conntrack --ctorigdst $network -j $target
|
||||
elif [ -n "$MANGLE_ENABLED" ]; then
|
||||
#
|
||||
# No connection tracking match but we have mangling -- add a rule to
|
||||
# the mangle table
|
||||
#
|
||||
run_iptables2 -t mangle -A man1918 $(dest_ip_range $network) -j $target
|
||||
fi
|
||||
done
|
||||
done < $TMP_DIR/rfc1918
|
||||
|
||||
for host in $hosts; do
|
||||
|
||||
@ -1 +1 @@
|
||||
2.2.0-Beta1
|
||||
2.2.0-Beta2
|
||||
|
||||
Loading…
Reference in New Issue
Block a user