Copy latest 2.4 version from Shorewall2/
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2264 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
90dd62e89e
commit
2a19eb8a5a
@ -1,4 +1,4 @@
|
||||
Shoreline Firewall (Shorewall) Version 2.2
|
||||
Shoreline Firewall (Shorewall) Version 2.4
|
||||
----- ----
|
||||
|
||||
-----------------------------------------------------------------------------
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.2 - Accounting File
|
||||
# Shorewall version 2.4 - Accounting File
|
||||
#
|
||||
# /etc/shorewall/accounting
|
||||
#
|
||||
@ -69,7 +69,7 @@
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>]
|
||||
# [!][<user name or number>][:<group name or number>][+<program name>]
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
@ -83,6 +83,7 @@
|
||||
# #the 'kids' group
|
||||
# !:kids #program must not be run by a member
|
||||
# #of the 'kids' group
|
||||
# +upnpd #program named upnpd
|
||||
#
|
||||
# In all of the above columns except ACTION and CHAIN, the values "-",
|
||||
# "any" and "all" may be used as wildcards
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowAuth
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowAuth
|
||||
#
|
||||
# This action accepts Auth (identd) traffic.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowDNS
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowDNS
|
||||
#
|
||||
# This action accepts DNS traffic.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowFTP
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowFTP
|
||||
#
|
||||
# This action accepts FTP traffic. See
|
||||
# http://www.shorewall.net/FTP.html for additional considerations.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowICMPs
|
||||
#
|
||||
# ACCEPT needed ICMP types
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowIMAP
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowIMAP
|
||||
#
|
||||
# This action accepts IMAP traffic (secure and insecure):
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowNNTP
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowNNTP
|
||||
#
|
||||
# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowNTP
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowNTP
|
||||
#
|
||||
# This action accepts NTP traffic (ntpd).
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowPCA
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowPCA
|
||||
#
|
||||
# This action accepts PCAnywere (tm)
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowPOP3
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowPOP3
|
||||
#
|
||||
# This action accepts POP3 traffic (secure and insecure):
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowPing
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowPing
|
||||
#
|
||||
# This action accepts 'ping' requests.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowRdate
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowRdate
|
||||
#
|
||||
# This action accepts remote time retrieval (rdate).
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMB
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowSMB
|
||||
#
|
||||
# Allow Microsoft SMB traffic. You need to invoke this action in
|
||||
# both directions.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMTP
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowSMTP
|
||||
#
|
||||
# This action accepts SMTP (email) traffic.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowSNMP
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowSNMP
|
||||
#
|
||||
# This action accepts SNMP traffic (including traps):
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowSSH
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowSSH
|
||||
#
|
||||
# This action accepts secure shell (SSH) traffic.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowTelnet
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowTelnet
|
||||
#
|
||||
# This action accepts Telnet traffic. For traffic over the
|
||||
# internet, telnet is inappropriate; use SSH instead
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowTrcrt
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowTrcrt
|
||||
#
|
||||
# This action accepts Traceroute (for up to 30 hops):
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowVNC
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowVNC
|
||||
#
|
||||
# This action accepts VNC traffic for VNC display's 0 - 9.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowVNCL
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowVNCL
|
||||
#
|
||||
# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowWeb
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.AllowWeb
|
||||
#
|
||||
# This action accepts WWW traffic (secure and insecure):
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.Drop
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.Drop
|
||||
#
|
||||
# The default DROP common rules
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.DropDNSrep
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.DropDNSrep
|
||||
#
|
||||
# This action silently drops DNS UDP replies
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.DropPing
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.DropPing
|
||||
#
|
||||
# This action silently drops 'ping' requests.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.DropSMB
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.DropSMB
|
||||
#
|
||||
# This action silently drops Microsoft SMB traffic
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.DropUPnP
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.DropUPnP
|
||||
#
|
||||
# This action silently drops UPnP probes on UDP port 1900
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.Reject
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.Reject
|
||||
#
|
||||
# The default REJECT action common rules
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.RejectAuth
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.RejectAuth
|
||||
#
|
||||
# This action silently rejects Auth (tcp 113) traffic
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.RejectSMB
|
||||
# Shorewall 2.4 /usr/share/shorewall/action.RejectSMB
|
||||
#
|
||||
# This action silently rejects Microsoft SMB traffic
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /etc/shorewall/action.template
|
||||
# Shorewall 2.4 /etc/shorewall/action.template
|
||||
#
|
||||
# This file is a template for files with names of the form
|
||||
# /etc/shorewall/action.<action-name> where <action> is an
|
||||
@ -70,7 +70,17 @@
|
||||
#
|
||||
# 10.0.0.4-10.0.0.9 Range of IP addresses; your
|
||||
# kernel and iptables must have
|
||||
# iprange match support.
|
||||
# iprange match support.
|
||||
#
|
||||
# +remote The name of an ipset prefaced
|
||||
# by "+". Your kernel and
|
||||
# iptables must have set match
|
||||
# support
|
||||
#
|
||||
# +remote[4] The name of the ipset may
|
||||
# followed by a number of
|
||||
# levels of ipset bindings
|
||||
# enclosed in square brackets.
|
||||
#
|
||||
# 192.168.1.1,192.168.1.2
|
||||
# Hosts 192.168.1.1 and
|
||||
@ -85,8 +95,9 @@
|
||||
# another colon (":") and an IP/MAC/subnet address
|
||||
# as described above (e.g., eth1:192.168.1.5).
|
||||
#
|
||||
# DEST Location of Server. Same as above with the exception that
|
||||
# MAC addresses are not allowed.
|
||||
# DEST Location of destination host. Same as above with the exception that
|
||||
# MAC addresses are not allowed and that you cannot specify
|
||||
# an ipset name in both the SOURCE and DEST columns.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
||||
# "all".
|
||||
@ -146,7 +157,7 @@
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>]
|
||||
# [!][<user name or number>][:<group name or number>][+<program name>]
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
@ -160,6 +171,7 @@
|
||||
# #the 'kids' group
|
||||
# !:kids #program must not be run by a member
|
||||
# #of the 'kids' group
|
||||
# +upnpd #program named upnpd
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
|
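Review bot: The new `+remote[4]` description in the SOURCE column drops a word: `# The name of the ipset may` / `# followed by a number of` should read `may be followed by a number of`. The same sentence is repeated in the help script's address|host text elsewhere in this commit, so both copies should be corrected together.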
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /etc/shorewall/actions
|
||||
# Shorewall 2.4 /etc/shorewall/actions
|
||||
#
|
||||
# This file allows you to define new ACTIONS for use in rules
|
||||
# (/etc/shorewall/rules). You define the iptables rules to
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/actions.std
|
||||
# Shorewall 2.4 /usr/share/shorewall/actions.std
|
||||
#
|
||||
# Please see http://shorewall.net/Actions.html for additional
|
||||
# information.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 -- Blacklist File
|
||||
# Shorewall 2.4 -- Blacklist File
|
||||
#
|
||||
# /etc/shorewall/blacklist
|
||||
#
|
||||
@ -7,9 +7,10 @@
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# ADDRESS/SUBNET - Host address, subnetwork, MAC address or IP address
|
||||
# ADDRESS/SUBNET - Host address, subnetwork, MAC address, IP address
|
||||
# range (if your kernel and iptables contain iprange
|
||||
# match support).
|
||||
# match support) or ipset name prefaced by "+" (if
|
||||
# your kernel supports ipset match).
|
||||
#
|
||||
# MAC addresses must be prefixed with "~" and use "-"
|
||||
# as a separator.
|
||||
@ -38,6 +39,13 @@
|
||||
# ADDRESS/SUBNET PROTOCOL PORT
|
||||
# 192.0.2.126 udp 53
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# To block DNS queries from addresses in the ipset 'dnsblack':
|
||||
#
|
||||
# ADDRESS/SUBNET PROTOCOL PORT
|
||||
# +dnsblack udp 53
|
||||
#
|
||||
# Please see http://shorewall.net/blacklisting_support.htm for additional
|
||||
# information.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2-- Bogons File
|
||||
# Shorewall 2.4 -- Bogons File
|
||||
#
|
||||
# /etc/shorewall/bogons
|
||||
#
|
||||
@ -45,19 +45,24 @@
|
||||
36.0.0.0/7 logdrop # Reserved
|
||||
39.0.0.0/8 logdrop # Reserved
|
||||
42.0.0.0/8 logdrop # Reserved
|
||||
77.0.0.0/8 logdrop # Reserved
|
||||
78.0.0.0/7 logdrop # Reserved
|
||||
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||
74.0.0.0/7 logdrop # Reserved
|
||||
76.0.0.0/6 logdrop # Reserved
|
||||
89.0.0.0/8 logdrop # Reserved
|
||||
90.0.0.0/7 logdrop # Reserved
|
||||
92.0.0.0/6 logdrop # Reserved
|
||||
96.0.0.0/4 logdrop # Reserved
|
||||
112.0.0.0/5 logdrop # Reserved
|
||||
120.0.0.0/6 logdrop # Reserved
|
||||
127.0.0.0/8 logdrop # Reserved
|
||||
96.0.0.0/3 logdrop # Reserved
|
||||
127.0.0.0/8 logdrop # Loopback
|
||||
173.0.0.0/8 logdrop # Reserved
|
||||
174.0.0.0/7 logdrop # Reserved
|
||||
176.0.0.0/5 logdrop # Reserved
|
||||
184.0.0.0/6 logdrop # Reserved
|
||||
189.0.0.0/8 logdrop # Reserved
|
||||
190.0.0.0/8 logdrop # Reserved
|
||||
197.0.0.0/8 logdrop # Reserved
|
||||
223.0.0.0/8 logdrop # Reserved
|
||||
198.18.0.0/15 logdrop # Reserved
|
||||
223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
|
||||
240.0.0.0/4 logdrop # Reserved
|
||||
#
|
||||
# End of generated entries
|
||||
|
@ -1,296 +1,50 @@
|
||||
Changes in 2.2.5
|
||||
Changes in 2.4.0-Final
|
||||
|
||||
1) Correct behavior of PKTTYPE=No
|
||||
1) Add the ability to specify a weight in the balance option.
|
||||
|
||||
2) Fixed typo in the tunnel script.
|
||||
2) Remove "ipp2p" support in the rules file.
|
||||
|
||||
Changes in 2.2.4
|
||||
3) Fix duplicate routing table listings from "shorewall status"
|
||||
|
||||
1) Added support for UPnP
|
||||
Changes in 2.4.0-RC2
|
||||
|
||||
2) Add 'started' hook.
|
||||
1) Relax "detect" restriction.
|
||||
|
||||
3) Make an error message more self-explanatory
|
||||
2) Fix detection via 'nexthop' so it will work with BusyBox
|
||||
|
||||
4) Report Owner Match capability
|
||||
3) Merge Tuomo Soini's fix for "shorewall add"
|
||||
|
||||
5) Add Paul Traina's patch to install.sh.
|
||||
Changes in 2.4.0-RC1
|
||||
|
||||
6) Allow startup options to be overridden in /etc/sysconfig/shorewall
|
||||
or /etc/default/shorewall.
|
||||
1) Fix output from firewall itself vis-a-vis multiple providers.
|
||||
|
||||
7) Add support for SAME
|
||||
2) Merge and tweak Lorenzo Martignoni's 'safe-restart' patch.
|
||||
|
||||
8) Add 'shorewall show capabilities'
|
||||
Changes in 2.3.2
|
||||
|
||||
8) Add '-v' option
|
||||
1) Add support for -j ROUTE
|
||||
|
||||
9) Allow 'none' in /etc/shorewall/rules.
|
||||
2) Add TEST column to /etc/shorewall/routes
|
||||
|
||||
10) Add error message for invalid HOST(S) column contents.
|
||||
3) Add support for different providers.
|
||||
|
||||
11) Apply Christian Rodriguez's patch for Slackware install.
|
||||
4) Merge patch from Juan Jesús Prieto.
|
||||
|
||||
Changes in 2.2.3
|
||||
5) Implement 'loose' routestopped option.
|
||||
|
||||
1) Added the 'continue' extension script.
|
||||
6) Change 'loose' to 'source' and 'dest'
|
||||
|
||||
2) Obey 'routestopped' rules during [re]start.
|
||||
7) Fix routing of connections from the firewall with multiple ISPs.
|
||||
|
||||
3) MACLIST_TTL added.
|
||||
Changes in 2.3.1
|
||||
|
||||
4) Fix ! in hosts file
|
||||
1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
|
||||
Shorewall configuration directories.
|
||||
|
||||
5) Add QUEUE policy.
|
||||
Changes in 2.3.0
|
||||
|
||||
6) Fix routing output when advanced routing support not in kernel.
|
||||
1) Implement support for --cmd-owner
|
||||
|
||||
Changes in 2.2.2
|
||||
2) Implement support for ipsets.
|
||||
|
||||
1) The 'check' command disclaimer is toned down further and only
|
||||
appears once in the 'check' output.
|
||||
|
||||
2) Enhanced support in the SOURCE column of /etc/shorewall/tcrules.
|
||||
|
||||
3) All calls to 'clear' are now conditional on the output device being
|
||||
a terminal.
|
||||
|
||||
4) Apply Juergen Kreileder's patch for logging.
|
||||
|
||||
5) Add the output of 'arp -na' to the 'shorewall status' display.
|
||||
|
||||
6) Provide support for the Extended multiport match available in
|
||||
2.6.11.
|
||||
|
||||
7) Fix logging rule generation.
|
||||
|
||||
8) Correct port numbers in action.AllowPCA.
|
||||
|
||||
9) Fix installer's handling of action.* files.
|
||||
|
||||
10) Implement RFC1918_STRICT
|
||||
|
||||
11) Verify interface names in the DEST column of tcrules.
|
||||
|
||||
Changes in 2.2.1
|
||||
|
||||
1) Add examples to the zones and policy files.
|
||||
|
||||
2) Simon Matter's patch for umask.
|
||||
|
||||
Changes since 2.0.3
|
||||
|
||||
1) Fix security vulnerability involving temporary files/directories.
|
||||
|
||||
2) Hack security fix so that it works under Slackware.
|
||||
|
||||
3) Correct mktempfile() for case where mktemp isn't installed.
|
||||
|
||||
4) Implement 'dropInvalid' builtin action.
|
||||
|
||||
5) Fix logging nat rules.
|
||||
|
||||
6) Fix COMMAND typos.
|
||||
|
||||
7) Add PKTTYPE option.
|
||||
|
||||
8) Enhancements to /etc/shorewall/masq
|
||||
|
||||
8) Allow overriding ADD_IP_ALIASES=Yes
|
||||
|
||||
9) Fix syntax error in setup_nat()
|
||||
|
||||
10) Port "shorewall status" changes from 2.0.7.
|
||||
|
||||
11) All config files are now empty.
|
||||
|
||||
12) Port blacklisting fix from 2.0.7
|
||||
|
||||
13) Pass rule chain and display chain separately to log_rule_limit.
|
||||
Prep work for action logging.
|
||||
|
||||
14) Show the iptables/ip/tc command that failed when failure is fatal.
|
||||
|
||||
15) Implement STARTUP_ENABLED.
|
||||
|
||||
16) Added DNAT ONLY column to /etc/shorewall/nat.
|
||||
|
||||
17) Removed SNAT from ORIGINAL DESTINATION column.
|
||||
|
||||
18) Removed DNAT ONLY column.
|
||||
|
||||
19) Added IPSEC column to /etc/shorewall/masq.
|
||||
|
||||
20) No longer enforce source port 500 for ISAKMP.
|
||||
|
||||
21) Apply policy to interface/host options.
|
||||
|
||||
22) Fix policy and maclist.
|
||||
|
||||
23) Implement additional IPSEC options for zones and masq entries.
|
||||
|
||||
24) Deprecate the -c option in /sbin/shorewall.
|
||||
|
||||
25) Allow distinct input and output IPSEC parameters.
|
||||
|
||||
26) Allow source port remapping in /etc/shorewall/masq.
|
||||
|
||||
27) Include params file on 'restore'
|
||||
|
||||
28) Apply Richard Musil's patch.
|
||||
|
||||
29) Correct parsing of PROTO column in setup_tc1().
|
||||
|
||||
30) Verify Physdev match if BRIDGING=Yes
|
||||
|
||||
31) Don't NAT tunnel traffic.
|
||||
|
||||
32) Fix shorewall.spec to run chkconfig/insserv after initial install.
|
||||
|
||||
33) Add iprange support.
|
||||
|
||||
34) Add CLASSIFY support.
|
||||
|
||||
35) Fix iprange support so that ranges in both source and destination
|
||||
work.
|
||||
|
||||
36) Remove logunclean and dropunclean
|
||||
|
||||
37) Fixed proxy arp flag setting for complex configurations.
|
||||
|
||||
38) Added RETAIN_ALIASES option.
|
||||
|
||||
39) Relax OpenVPN source port restrictions.
|
||||
|
||||
40) Implement DELAYBLACKLISTLOAD.
|
||||
|
||||
41) Avoid double-setting proxy arp flags.
|
||||
|
||||
42) Fix DELAYBLACKLISTLOAD=No.
|
||||
|
||||
43) Merge 'brctl show' change from 2.0.9.
|
||||
|
||||
44) Implememt LOGTAGONLY.
|
||||
|
||||
45) Merge 'tcrules' clarification from 2.0.10.
|
||||
|
||||
46) Implement 'sourceroute' interface option.
|
||||
|
||||
47) Add 'AllowICMPs' action.
|
||||
|
||||
48) Changed 'activate_rules' such that traffic from IPSEC hosts gets
|
||||
handled before traffic from non-IPSEC zones.
|
||||
|
||||
49) Correct logmartians handling.
|
||||
|
||||
50) Add a clarification and fix a typo in the blacklist file.
|
||||
|
||||
51) Allow setting a specify MSS value.
|
||||
|
||||
52) Detect duplicate zone names.
|
||||
|
||||
53) Add mss=<number> option to the ipsec file.
|
||||
|
||||
54) Added CONNMARK/ipp2p support.
|
||||
|
||||
55) Added LOGALLNEW support.
|
||||
|
||||
56) Fix typo in check_config()
|
||||
|
||||
57) Allow outgoing NTP responses in action.AllowNTP.
|
||||
|
||||
58) Clarification of the 'ipsec' hosts file option.
|
||||
|
||||
59) Allow list in the SUBNET column of the rfc1918 file.
|
||||
|
||||
60) Restore missing '#' in the rfc1918 file.
|
||||
|
||||
61) Add note for Slackware users to INSTALL.
|
||||
|
||||
62) Allow interface in DEST tcrules column.
|
||||
|
||||
63) Remove 'ipt_unclean' from search expression in "log" commands.
|
||||
|
||||
64) Remove nonsense from IPSEC description in masq file.
|
||||
|
||||
65) Correct typo in rules file.
|
||||
|
||||
66) Update bogons file.
|
||||
|
||||
67) Add a rule for NNTPS to action.AllowNNTP
|
||||
|
||||
68) Fix "shorewall add"
|
||||
|
||||
69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file.
|
||||
|
||||
70) Correct typo in shorewall.conf.
|
||||
|
||||
71) Add the 'icmp_echo_ignore_all' file to the /proc display.
|
||||
|
||||
72) Apply Tuomas Jormola's IPTABLES patch.
|
||||
|
||||
73) Fixed some bugs in Tuomas's patch.
|
||||
|
||||
74) Correct bug in "shorewall add"
|
||||
|
||||
75) Correct bridge handling in "shorewall add" and "shorewall delete"
|
||||
|
||||
76) Add "shorewall show zones"
|
||||
|
||||
77) Remove dependency of "show zones" on dynamic zones.
|
||||
|
||||
78) Implement variable expansion in INCLUDE directives
|
||||
|
||||
79) More fixes for "shorewall delete" with bridging.
|
||||
|
||||
80) Split restore-base into two files.
|
||||
|
||||
81) Correct OUTPUT handling of dynamic zones.
|
||||
|
||||
83) Add adapter statistics to the output of "shorewall status".
|
||||
|
||||
84) Log drops due to policy rate limiting.
|
||||
|
||||
85) Continue determining capabilities when fooX1234 already exists.
|
||||
|
||||
86) Corrected typo in interfaces file.
|
||||
|
||||
87) Add DROPINVALID option.
|
||||
|
||||
88) Allow list of hosts in add and delete commands. Fix ipsec problem
|
||||
with "add" and "delete"
|
||||
|
||||
89) Clarify add/delete syntax in /sbin/shorewall usage summary.
|
||||
|
||||
90) Implement OpenVPN TCP support.
|
||||
|
||||
91) Simplify the absurdly over-engineered code that restores the
|
||||
dynamic chain.
|
||||
|
||||
92) Add OPENVPNPORT option.
|
||||
|
||||
93) Remove OPENVPNPORT option and change default port to 1194.
|
||||
|
||||
94) Avoid shell error during "shorewall stop/clear"
|
||||
|
||||
95) Change encryption to blowfish in 'ipsecvpn' script.
|
||||
|
||||
96) Correct rate limiting rule example.
|
||||
|
||||
97) Fix <if>:: handling in setup_masq().
|
||||
|
||||
98) Fix mis-leading typo in tunnels.
|
||||
|
||||
99) Fix brain-dead ipsec option handling in setup_masq().
|
||||
|
||||
100) Reconcile ipsec masq file implementation with the documentation.
|
||||
|
||||
101) Add netfilter module display to status output.
|
||||
|
||||
102) Add 'allowInvalid' builtin action.
|
||||
|
||||
103) Expand range of Traceroute ports.
|
||||
|
||||
102) Correct uninitialized variable in setup_ecn()
|
||||
|
||||
103) Allow DHCP to be IPSEC-encrypted.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.2 - Default Config Path
|
||||
# Shorewall version 2.4 - Default Config Path
|
||||
#
|
||||
# /usr/share/shorewall/configpath
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.2 -- /etc/shorewall/continue
|
||||
# Shorewall 2.4 -- /etc/shorewall/continue
|
||||
#
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# cleared any existing Netfilter rules and has enabled existing connections.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 - /etc/shorewall/ecn
|
||||
# Shorewall 2.4 - /etc/shorewall/ecn
|
||||
#
|
||||
# Use this file to list the destinations for which you want to
|
||||
# disable ECN.
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=2.2.5
|
||||
VERSION=2.4.0
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall 2.2 -- /usr/share/shorewall/functions
|
||||
# Shorewall 2.4 -- /usr/share/shorewall/functions
|
||||
|
||||
# Function to truncate a string -- It uses 'cut -b -<n>'
|
||||
# rather than ${v:first:last} because light-weight shells like ash and
|
||||
@ -159,9 +159,12 @@ find_file()
|
||||
# Replace commas with spaces and echo the result
|
||||
#
|
||||
separate_list() {
|
||||
local list
|
||||
local list="$@"
|
||||
local part
|
||||
local newlist
|
||||
local firstpart
|
||||
local lastpart
|
||||
local enclosure
|
||||
#
|
||||
# There's been whining about us not catching embedded white space in
|
||||
# comma-separated lists. This is an attempt to snag some of the cases.
|
||||
@ -170,12 +173,31 @@ separate_list() {
|
||||
# either 'startup_error' or 'fatal_error' depending on the command and
|
||||
# command phase
|
||||
#
|
||||
case "$@" in
|
||||
case "$list" in
|
||||
*,|,*|*,,*|*[[:space:]]*)
|
||||
[ -n "$terminator" ] && \
|
||||
$terminator "Invalid comma-separated list \"$@\""
|
||||
echo "Warning -- invalid comma-separated list \"$@\"" >&2
|
||||
;;
|
||||
*\[*\]*)
|
||||
#
|
||||
# Where we need to embed comma-separated lists within lists, we enclose them
|
||||
# within square brackets
|
||||
#
|
||||
firstpart=${list%%\[*}
|
||||
lastpart=${list#*\[}
|
||||
enclosure=${lastpart%\]*}
|
||||
lastpart=${lastpart#*\]}
|
||||
case $lastpart in
|
||||
\,*)
|
||||
echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
|
||||
;;
|
||||
*)
|
||||
echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)"
|
||||
;;
|
||||
esac
|
||||
return
|
||||
;;
|
||||
esac
|
||||
|
||||
list="$@"
|
||||
@ -756,6 +778,29 @@ find_device() {
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Find the value 'via' in the passed arguments then echo the next value
|
||||
#
|
||||
|
||||
find_gateway() {
|
||||
while [ $# -gt 1 ]; do
|
||||
[ "x$1" = xvia ] && echo $2 && return
|
||||
shift
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Find the value 'peer' in the passed arguments then echo the next value up to
|
||||
# "/"
|
||||
#
|
||||
|
||||
find_peer() {
|
||||
while [ $# -gt 1 ]; do
|
||||
[ "x$1" = xpeer ] && echo ${2%/*} && return
|
||||
shift
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Find the interfaces that have a route to the passed address - the default
|
||||
# route is not used.
|
||||
@ -778,6 +823,14 @@ find_rt_interface() {
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Try to find the gateway through an interface looking for 'nexthop'
|
||||
|
||||
find_nexthop() # $1 = interface
|
||||
{
|
||||
echo $(find_gateway `ip route ls | grep "[[:space:]]nexthop.* $1"`)
|
||||
}
|
||||
|
||||
#
|
||||
# Find the default route's interface
|
||||
#
|
||||
|
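Review bot: In separate_list's new `*\[*\]*)` arm, `enclosure=${lastpart%\]*}` strips the shortest matching suffix, i.e. only from the last `]`, while the next line `lastpart=${lastpart#*\]}` cuts at the first `]`; with two bracketed groups such as `a,[b,c],d,[e,f]` the enclosure becomes `b,c],d,[e,f` and the tail `d,[e,f]` is emitted a second time, giving `a[b,c],d,[e,f] d [e,f]`. Using `enclosure=${lastpart%%\]*}` makes both expansions agree on the first closing bracket. The recursive calls also pass `$firstpart` and `$lastpart` unquoted; the first case arm has already rejected embedded whitespace, but a `*` or `?` in a list item would still undergo pathname expansion unless the caller runs under `set -f`, so `"$firstpart"` and `"${lastpart#,}"` are safer. separate_list continues past the end of this hunk, and the later find_gateway/find_peer additions echo `$2` unquoted in the same style.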
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall help subsystem - V2.2
|
||||
# Shorewall help subsystem - V2.4
|
||||
#
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
@ -55,7 +55,10 @@ address|host)
|
||||
May be either a host IP address such as 192.168.1.4 or a network address in
|
||||
CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
|
||||
match support then IP address ranges of the form <low address>-<high address>
|
||||
are also permitted."
|
||||
are also permitted. If your kernel and iptables contain ipset match support
|
||||
then you may specify the name of an ipset prefaced by "+". The name of the
|
||||
ipsec may be optionally followed by a number of levels of ipset bindings
|
||||
(1 - 6) that are to be followed"
|
||||
;;
|
||||
|
||||
allow)
|
||||
@ -209,6 +212,19 @@ restart)
|
||||
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
|
||||
;;
|
||||
|
||||
safe-restart)
|
||||
echo "safe-restart: safe-restart
|
||||
Restart the same way as a shorewall restart except that previous firewall
|
||||
configuration is backed up and will be restored if you notice any anomalies
|
||||
or you are not able to reach the firewall any more."
|
||||
;;
|
||||
|
||||
safe-start)
|
||||
echo "safe-start: safe-start
|
||||
Start the same way as a shorewall start except that in case of anomalies
|
||||
shorewall clear is issued. "
|
||||
;;
|
||||
|
||||
restore)
|
||||
echo "restore: restore [ <file name> ]
|
||||
Restore Shorewall to a state saved using the 'save' command
|
||||
|
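Review bot: The new address|host help text has a typo in `The name of the ipsec may be optionally followed by a number of levels of ipset bindings` — it should say `ipset`, since the sentence continues the ipset description and ipsec is a different Shorewall concept (an /etc/shorewall/ipsec file is touched in this same commit). The safe-start message also ends with a stray space before the closing quote, `shorewall clear is issued. "`, which is printed to the user; drop the space.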
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 - /etc/shorewall/hosts
|
||||
# Shorewall 2.4 - /etc/shorewall/hosts
|
||||
#
|
||||
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
|
||||
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.2 -- /etc/shorewall/init
|
||||
# Shorewall 2.4 -- /etc/shorewall/init
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of
|
||||
# a "shorewall start" or "shorewall restart" command.
|
||||
|
@ -1,7 +1,7 @@
|
||||
#!/bin/sh
|
||||
RCDLINKS="2,S41 3,S41 6,K41"
|
||||
#
|
||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.2
|
||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.4
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.2 -- /etc/shorewall/initdone
|
||||
# Shorewall 2.4 -- /etc/shorewall/initdone
|
||||
#
|
||||
# Add commands below that you want to be executed during
|
||||
# "shorewall start" or "shorewall restart" commands at the point where
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
|
||||
VERSION=2.2.5
|
||||
VERSION=2.4.0
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -407,6 +407,28 @@ else
|
||||
echo
|
||||
echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
|
||||
fi
|
||||
#
|
||||
# Install the Routes file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/routes ]; then
|
||||
backup_file /etc/shorewall/routes
|
||||
else
|
||||
run_install $OWNERSHIP -m 0600 routes ${PREFIX}/etc/shorewall/routes
|
||||
echo
|
||||
echo "Routes file installed as ${PREFIX}/etc/shorewall/routes"
|
||||
fi
|
||||
|
||||
#
|
||||
# Install the Providers file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/providers ]; then
|
||||
backup_file /etc/shorewall/providers
|
||||
else
|
||||
run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall/providers
|
||||
echo
|
||||
echo "Providers file installed as ${PREFIX}/etc/shorewall/providers"
|
||||
fi
|
||||
|
||||
#
|
||||
# Backup and remove the whitelist file
|
||||
#
|
||||
@ -518,7 +540,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/started ]; then
|
||||
backup_file /etc/shorewall/started
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 started ${PREFIX}/etc/shorewall/started
|
||||
run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall/started
|
||||
echo
|
||||
echo "Started file installed as ${PREFIX}/etc/shorewall/started"
|
||||
fi
|
||||
|
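Review bot: The new Routes and Providers blocks repeat the `if [ -f ${PREFIX}/etc/shorewall/<name> ]` / `backup_file` / `run_install $OWNERSHIP -m 0600` / `echo` sequence that the existing Started block uses, and the Started hunk already had to be edited just to swap `-o $OWNER -g $GROUP` for `$OWNERSHIP`; a fourth copy is one more place to keep in sync. A small helper taking the file name and its display label would replace all of them with one line each. Note that the `-f` test includes `${PREFIX}` while `backup_file` receives the bare `/etc/shorewall/...` path — this matches the existing blocks, so presumably backup_file applies the prefix itself; worth confirming since backup_file is defined outside this hunk.
```shell
#
# Back up an existing config file, or install the packaged one mode 0600
#
install_config_file() # $1 = file name, $2 = display label
{
    if [ -f ${PREFIX}/etc/shorewall/$1 ]; then
	backup_file /etc/shorewall/$1
    else
	run_install $OWNERSHIP -m 0600 $1 ${PREFIX}/etc/shorewall/$1
	echo
	echo "$2 file installed as ${PREFIX}/etc/shorewall/$1"
    fi
}

install_config_file routes Routes
install_config_file providers Providers
# … unchanged: whitelist backup/removal …
```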
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 -- Interfaces File
|
||||
# Shorewall 2.4 -- Interfaces File
|
||||
#
|
||||
# /etc/shorewall/interfaces
|
||||
#
|
||||
@ -167,9 +167,10 @@
|
||||
# detectnets - Automatically taylors the zone named
|
||||
# in the ZONE column to include only those
|
||||
# hosts routed through the interface.
|
||||
#
|
||||
# upnp - Incoming requests from this interface may
|
||||
# be remapped via UPNP (upnpd).
|
||||
#
|
||||
#
|
||||
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
||||
# INTERNET INTERFACE.
|
||||
#
|
||||
@ -177,6 +178,12 @@
|
||||
# significant but the list should have no embedded white
|
||||
# space.
|
||||
#
|
||||
# GATEWAY This column is only meaningful if the 'default' OPTION
|
||||
# is given -- it is ignored otherwise. You may specify
|
||||
# the default gateway IP address for this interface here
|
||||
# and Shorewall will use that IP address rather than any
|
||||
# that it finds in the main routing table.
|
||||
#
|
||||
# Example 1: Suppose you have eth0 connected to a DSL modem and
|
||||
# eth1 connected to your local network and that your
|
||||
# local subnet is 192.168.1.0/24. The interface gets
|
||||
@ -205,6 +212,6 @@
|
||||
# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
|
||||
#
|
||||
##############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 - /etc/shorewall/ipsec
|
||||
# Shorewall 2.4 - /etc/shorewall/ipsec
|
||||
#
|
||||
# This file defines the attributes of zones with respect to
|
||||
# IPSEC. To use this file for any purpose except for setting mss,
|
||||
@ -27,7 +27,7 @@
|
||||
#
|
||||
# proto=ah|esp|ipcomp
|
||||
#
|
||||
# mss=<number> (sets the MSS field in TCP packets)
|
||||
# mss=<number> (sets the MSS field in TCP packets)
|
||||
#
|
||||
# mode=transport|tunnel
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 - MAC list file
|
||||
# Shorewall 2.4 - MAC list file
|
||||
#
|
||||
# This file is used to define the MAC addresses and optionally their
|
||||
# associated IP addresses to be allowed to use the specified interface.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 - Masquerade file
|
||||
# Shorewall 2.4 - Masquerade file
|
||||
#
|
||||
# /etc/shorewall/masq
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
##############################################################################
|
||||
# Shorewall 2.2 /etc/shorewall/modules
|
||||
# Shorewall 2.4 /etc/shorewall/modules
|
||||
#
|
||||
# This file loads the modules needed by the firewall.
|
||||
#
|
||||
@ -19,4 +19,9 @@
|
||||
loadmodule ip_nat_ftp
|
||||
loadmodule ip_nat_tftp
|
||||
loadmodule ip_nat_irc
|
||||
loadmodule ip_set
|
||||
loadmodule ip_set_iphash
|
||||
loadmodule ip_set_ipmap
|
||||
loadmodule ip_set_macipmap
|
||||
loadmodule ip_set_portmap
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.2 -- Network Address Translation Table
|
||||
# Shorewall 2.4 -- Network Address Translation Table
|
||||
#
|
||||
# /etc/shorewall/nat
|
||||
#
|
||||
|
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.2 -- Network Mapping Table
|
||||
# Shorewall 2.4 -- Network Mapping Table
|
||||
#
|
||||
# /etc/shorewall/netmap
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 /etc/shorewall/params
|
||||
# Shorewall 2.4 /etc/shorewall/params
|
||||
#
|
||||
# Assign any variables that you need here.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 -- Policy File
|
||||
# Shorewall 2.4 -- Policy File
|
||||
#
|
||||
# /etc/shorewall/policy
|
||||
#
|
||||
|
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.2 -- Proxy ARP
|
||||
# Shorewall 2.4 -- Proxy ARP
|
||||
#
|
||||
# /etc/shorewall/proxyarp
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.2 -- RFC1918 File
|
||||
# Shorewall 2.4 -- RFC1918 File
|
||||
#
|
||||
# /etc/shorewall/rfc1918
|
||||
#
|
||||
|
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.2 -- Hosts Accessible when the Firewall is Stopped
|
||||
# Shorewall 2.4 -- Hosts Accessible when the Firewall is Stopped
|
||||
#
|
||||
# /etc/shorewall/routestopped
|
||||
#
|
||||
@ -23,7 +23,19 @@
|
||||
# options. The currently-supported options are:
|
||||
#
|
||||
# routeback - Set up a rule to ACCEPT traffic from
|
||||
# these hosts back to themselves.
|
||||
# these hosts back to themselves.
|
||||
#
|
||||
# source - Allow traffic from these hosts to ANY
|
||||
# destination. Without this option or the 'dest'
|
||||
# option, only traffic from this host to other
|
||||
# listed hosts (and the firewall) is allowed. If
|
||||
# 'source' is specified then 'routeback' is redundent.
|
||||
#
|
||||
# dest - Allow traffic to these hosts from ANY
|
||||
# source. Without this option or the 'source'
|
||||
# option, only traffic from this host to other
|
||||
# listed hosts (and the firewall) is allowed. If
|
||||
# 'dest' is specified then 'routeback' is redundent.
|
||||
#
|
||||
# Example:
|
||||
#
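Review bot: The two new option descriptions misspell "redundant" as `redundent` (`If 'source' is specified then 'routeback' is redundent.` and the matching 'dest' sentence); both should read `… then 'routeback' is redundant.`. Since the new `source` and `dest` options widen what is reachable while the firewall is stopped, the text would also benefit from one sentence stating that the listed hosts are then unfiltered in that direction, mirroring the existing warning style of this file.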
|
||||
@ -31,6 +43,7 @@
|
||||
# eth2 192.168.1.0/24
|
||||
# eth0 192.0.2.44
|
||||
# br0 - routeback
|
||||
# eth3 - source
|
||||
#
|
||||
# See http://shorewall.net/Documentation.htm#Routestopped and
|
||||
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.2 - Rules File
|
||||
# Shorewall version 2.4 - Rules File
|
||||
#
|
||||
# /etc/shorewall/rules
|
||||
#
|
||||
@ -134,6 +134,11 @@
|
||||
# Hosts may be specified as an IP address range using the
|
||||
# syntax <low address>-<high address>. This requires that
|
||||
# your kernel and iptables contain iprange match support.
|
||||
# If you kernel and iptables have ipset match support then
|
||||
# you may give the name of an ipset prefaced by "+". The
|
||||
# ipset name may be optionally followed by a number from
|
||||
# 1 to 6 enclosed in square brackets ([]) to indicate the
|
||||
# number of levels of source bindings to be matched.
|
||||
#
|
||||
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
|
||||
#
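Review bot: The new ipset paragraph starts with `If you kernel and iptables have ipset match support then`, which should be `If your kernel and iptables have ipset match support then`; the identical sentence is repeated in the DEST column paragraph of the next hunk (`@ -189,6 +194,14 @@`) and needs the same fix. The new text says the bracketed number selects "levels of source bindings" but does not say what the default is when the brackets are omitted; a short clause such as `(if omitted, only the set itself is matched)` — or whatever the implementation actually does — would remove the ambiguity for readers of this file.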
|
||||
@ -189,6 +194,14 @@
|
||||
# the connections will be assigned to addresses in the
|
||||
# range in a round-robin fashion.
|
||||
#
|
||||
# If you kernel and iptables have ipset match support then
|
||||
# you may give the name of an ipset prefaced by "+". The
|
||||
# ipset name may be optionally followed by a number from
|
||||
# 1 to 6 enclosed in square brackets ([]) to indicate the
|
||||
# number of levels of destination bindings to be matched.
|
||||
# Only one of the SOURCE and DEST columns may specify an
|
||||
# ipset name.
|
||||
#
|
||||
# The port that the server is listening on may be
|
||||
# included and separated from the server's IP address by
|
||||
# ":". If omitted, the firewall will not modifiy the
|
||||
@ -204,20 +217,14 @@
|
||||
# contain the port number on the firewall that the
|
||||
# request should be redirected to.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||
# a number, or "all". "ipp2p" requires ipp2p match
|
||||
# support in your kernel and iptables.
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
||||
# "all".
|
||||
#
|
||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# If the protocol is ipp2p, this column is interpreted
|
||||
# as an ipp2p option without the leading "--" (example "bit"
|
||||
# for bit-torrent). If no port is given, "ipp2p" is
|
||||
# assumed.
|
||||
#
|
||||
# A port range is expressed as <low port>:<high port>.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
@ -250,8 +257,8 @@
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or
|
||||
# REDIRECT[-]) If included and different from the IP
|
||||
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then
|
||||
# if included and different from the IP
|
||||
# address given in the SERVER column, this is an address
|
||||
# on some interface on the firewall and connections to
|
||||
# that address will be forwarded to the IP and port
|
||||
@ -267,6 +274,20 @@
|
||||
# destination address in the connection request does not
|
||||
# match any of the addresses listed.
|
||||
#
|
||||
# For other actions, this column may be included and may
|
||||
# contain one or more addresses (host or network)
|
||||
# separated by commas. Address ranges are not allowed.
|
||||
# When this column is supplied, rules are generated
|
||||
# that require that the original destination address matches
|
||||
# one of the listed addresses. This feature is most useful when
|
||||
# you want to generate a filter rule that corresponds to a
|
||||
# DNAT- or REDIRECT- rule. In this usage, the list of
|
||||
# addresses should not begin with "!".
|
||||
#
|
||||
# See http://shorewall.net/PortKnocking.html for an
|
||||
# example of using an entry in this column with a
|
||||
# user-defined action rule.
|
||||
#
|
||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||
# this colume:
|
||||
#
|
||||
@ -285,7 +306,7 @@
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>]
|
||||
# [!][<user name or number>][:<group name or number>][+<program name>]
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
@ -299,6 +320,7 @@
|
||||
# #the 'kids' group
|
||||
# !:kids #program must not be run by a member
|
||||
# #of the 'kids' group
|
||||
# +upnpd #program named 'upnpd'
|
||||
#
|
||||
# Example: Accept SMTP requests from the DMZ to the internet
|
||||
#
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall Packet Filtering Firewall Control Program - V2.2
|
||||
# Shorewall Packet Filtering Firewall Control Program - V2.4
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
@ -97,6 +97,14 @@
|
||||
# shorewall iprange <address>-<address> Decomposes a range of IP addresses into
|
||||
# a list of network/host addresses.
|
||||
#
|
||||
# shorewall safe-start Starts the firewall and promtp for a c
|
||||
# confirmation to accept or reject the new
|
||||
# configuration
|
||||
#
|
||||
# shorewall safe-restart Restarts the firewall and prompt for a
|
||||
# confirmation to accept or reject the new
|
||||
# configuration
|
||||
#
|
||||
# Fatal Error
|
||||
#
|
||||
fatal_error() # $@ = Message
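Review bot: The new help entry for safe-start reads `Starts the firewall and promtp for a c`, which should be `Starts the firewall and prompts for a` to match the safe-restart entry directly below it. The two entries would also read better if both said what happens when no answer is given within the timeout, since that is the case an operator at a remote console most cares about.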
|
||||
@ -136,7 +144,7 @@ showchain() # $1 = name of chain
|
||||
}
|
||||
|
||||
#
|
||||
# The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed.
|
||||
# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
|
||||
#
|
||||
|
||||
iptablesbug()
|
||||
@ -146,6 +154,7 @@ iptablesbug()
|
||||
/^-j/ { print sline $0; next };\
|
||||
/-m policy.*-j/ { print $0; next };\
|
||||
/-m policy/ { sline=$0; next };\
|
||||
/--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
|
||||
{print ; sline="" }'
|
||||
else
|
||||
echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
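Review bot: The new awk rule `/--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) }` only repairs masks whose hex text begins with `ff`; if the iptables-save defect it works around emits every mark mask without the `0x` prefix, a mask such as `7f` or `1f` passes through unchanged and will be parsed differently by iptables-restore. I cannot tell from the hunk exactly what the buggy output looks like, so rather than proposing a broader pattern, add a comment on the line that records it, e.g. `# iptables-save prints the mark mask as bare hex ("--mask ff"); prefix it with 0x so iptables-restore reads it as hex`, and name the extension that produces it. The enclosing iptablesbug() function starts before this hunk.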
|
||||
@ -589,6 +598,88 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Save currently running configuration
|
||||
#
|
||||
save_config() {
|
||||
[ "$nolock" ] || mutex_on
|
||||
|
||||
if qt $IPTABLES -L shorewall -n; then
|
||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||
|
||||
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
|
||||
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
|
||||
else
|
||||
case $RESTOREFILE in
|
||||
save|restore-base)
|
||||
echo " ERROR: Reserved file name: $RESTOREFILE"
|
||||
;;
|
||||
*)
|
||||
if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
|
||||
echo " Dynamic Rules Saved"
|
||||
if [ -f /var/lib/shorewall/restore-base ]; then
|
||||
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
|
||||
if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
|
||||
echo __EOF__ >> /var/lib/shorewall/restore-$$
|
||||
[ -f /var/lib/shorewall/restore-tail ] && \
|
||||
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
|
||||
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
|
||||
chmod +x $RESTOREPATH
|
||||
echo " Currently-running Configuration Saved to $RESTOREPATH"
|
||||
|
||||
rm -f ${RESTOREPATH}-ipsets
|
||||
|
||||
case ${SAVE_IPSETS:-No} in
|
||||
[Yy][Ee][Ss])
|
||||
RESTOREPATH=${RESTOREPATH}-ipsets
|
||||
|
||||
f=/var/lib/shorewall/restore-$$
|
||||
|
||||
echo "#!/bin/sh" > $f
|
||||
echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f
|
||||
echo >> $f
|
||||
echo ". /usr/share/shorewall/functions" >> $f
|
||||
echo >> $f
|
||||
grep '^MODULE' /var/lib/shorewall/restore-base >> $f
|
||||
echo "reload_kernel_modules << __EOF__" >> $f
|
||||
grep 'loadmodule ip_set' /var/lib/shorewall/restore-base >> $f
|
||||
echo "__EOF__" >> $f
|
||||
echo >> $f
|
||||
echo "ipset -U :all: :all:" >> $f
|
||||
echo "ipset -F" >> $f
|
||||
echo "ipset -X" >> $f
|
||||
echo "ipset -R << __EOF__" >> $f
|
||||
ipset -S >> $f
|
||||
echo "__EOF__" >> $f
|
||||
mv -f $f $RESTOREPATH
|
||||
chmod +x $RESTOREPATH
|
||||
echo " Current Ipset Contents Saved to $RESTOREPATH"
|
||||
;;
|
||||
[Nn][Oo])
|
||||
;;
|
||||
*)
|
||||
echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. Ipset contents not saved"
|
||||
;;
|
||||
esac
|
||||
else
|
||||
rm -f /var/lib/shorewall/restore-$$
|
||||
echo " ERROR: Currently-running Configuration Not Saved"
|
||||
fi
|
||||
else
|
||||
echo " ERROR: /var/lib/shorewall/restore-base does not exist"
|
||||
fi
|
||||
else
|
||||
echo "Error Saving the Dynamic Rules"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
else
|
||||
echo "Shorewall isn't started"
|
||||
fi
|
||||
|
||||
[ "$nolock" ] || mutex_off
|
||||
}
|
||||
#
|
||||
# Help information
|
||||
#
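Review bot: `ipset -S >> $f` in the SAVE_IPSETS branch of the new save_config() is not checked, so if ipset fails (not installed, no sets defined) the truncated script is still moved into place and made executable, and a later restore will run it as root with an unterminated here-document. Those restore scripts are executed as root by the restore paths further down (`$RESTOREPATH` and `${RESTOREPATH}-ipsets`), so they should be created owner-only, `chmod 700` rather than `chmod +x`, which under a permissive umask leaves them readable and executable by everyone; the same applies to the `chmod +x $RESTOREPATH` a few lines earlier. `RESTOREPATH=${RESTOREPATH}-ipsets` also overwrites the global that the `save`, `forget` and `restore` arms set and read, so a separate variable is safer. Guarding the dump and tightening the mode looks like this:
```shell
# … unchanged: dynamic-rules save and restore-base handling …
ipsetpath=${RESTOREPATH}-ipsets
f=/var/lib/shorewall/restore-$$
# … unchanged: header, module and "ipset -U/-F/-X" lines written to $f …
echo "ipset -R << __EOF__" >> $f
if ipset -S >> $f; then
    echo "__EOF__" >> $f
    mv -f $f $ipsetpath
    chmod 700 $ipsetpath
    echo " Current Ipset Contents Saved to $ipsetpath"
else
    rm -f $f
    echo " ERROR: Current Ipset Contents Not Saved"
fi
```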
|
||||
@ -630,6 +721,8 @@ usage() # $1 = exit status
|
||||
echo " status"
|
||||
echo " try <directory> [ <timeout> ]"
|
||||
echo " version"
|
||||
echo " safe-start"
|
||||
echo " safe-restart"
|
||||
echo
|
||||
exit $1
|
||||
}
|
||||
@ -642,6 +735,7 @@ show_reset() {
|
||||
echo "Counters reset $(cat $STATEDIR/restarted)" && \
|
||||
echo
|
||||
}
|
||||
|
||||
#
|
||||
# Display's the passed file name followed by "=" and the file's contents.
|
||||
#
|
||||
@ -650,6 +744,27 @@ show_proc() # $1 = name of a file
|
||||
[ -f $1 ] && echo " $1 = $(cat $1)"
|
||||
}
|
||||
|
||||
read_yesno_with_timeout() {
|
||||
read -t 60 yn 2> /dev/null
|
||||
if [ $? -eq 2 ]
|
||||
then
|
||||
# read doesn't support timeout
|
||||
test -x /bin/bash || return 2 # bash is not installed so the feature is not available
|
||||
/bin/bash -c 'read -t 60 yn ; if [ "$yn" == "y" ] ; then exit 0 ; else exit 1 ; fi' # invoke bash and use its version of read
|
||||
return $?
|
||||
else
|
||||
# read supports timeout
|
||||
case "$yn" in
|
||||
y|Y)
|
||||
return 0
|
||||
;;
|
||||
*)
|
||||
return 1
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Execution begins here
|
||||
#
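Review bot: The bash fallback in the new read_yesno_with_timeout() accepts only a lowercase `y` (`[ "$yn" == "y" ]`) while the native branch accepts `y|Y`, so the answer to the safe-start prompt depends on which shell happens to run the script. Make the fallback match: `/bin/bash -c 'read -t 60 yn; case "$yn" in y|Y) exit 0 ;; *) exit 1 ;; esac'`. Both paths treat a timeout the same as a rejection, which is the right default for a command that can lock an operator out, but nothing says so; a header such as `# Returns 0 if the user answers y/Y within 60 seconds, 1 on any other answer or on timeout, 2 if no shell with a timed read is available` would make the contract explicit for the callers in the safe-start arm.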
|
||||
@ -846,6 +961,17 @@ case "$1" in
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
if [ -x ${RESTOREPATH}-ipsets ]; then
|
||||
echo Restoring Ipsets...
|
||||
#
|
||||
# We must purge iptables to be sure that there are no
|
||||
# references to ipsets
|
||||
#
|
||||
iptables -F
|
||||
iptables -X
|
||||
${RESTOREPATH}-ipsets
|
||||
fi
|
||||
|
||||
echo Restoring Shorewall...
|
||||
$RESTOREPATH
|
||||
date > $STATEDIR/restarted
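Review bot: The new ipset-restore block calls `iptables -F` and `iptables -X` directly while the rest of the script goes through `$IPTABLES`, and neither the flush nor `${RESTOREPATH}-ipsets` has its exit status checked, so `$RESTOREPATH` runs even when the ipset script failed. After the flush the filter chains hold nothing but their policies, so unless those policies are DROP the host is unfiltered from that point until `$RESTOREPATH` completes, and a failure in between leaves it that way with only the "Restoring Ipsets..." message on stdout; the comment also promises no remaining references to ipsets, which holds only if no nat or mangle rule references a set, since `-F` without `-t` touches the filter table alone. At minimum use `$IPTABLES -F` / `$IPTABLES -X` and stop with a clear message when the script fails, e.g. `${RESTOREPATH}-ipsets || fatal_error "Restoring ipsets failed"` (releasing the mutex first if this arm holds it). The same block is duplicated in the `restore` arm hunk headed `@ -1302,11 +1396,22 @@`, which needs the identical fix.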
|
||||
@ -1035,7 +1161,8 @@ case "$1" in
|
||||
echo
|
||||
ip rule ls
|
||||
ip rule ls | while read rule; do
|
||||
table=${rule##* }
|
||||
echo ${rule##* }
|
||||
done | sort -u | while read table; do
|
||||
echo
|
||||
echo "Table $table:"
|
||||
echo
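Review bot: In the new `ip rule ls | while read rule` loop, `table=${rule##* }` is assigned and then never used — the next line recomputes `${rule##* }` for the echo — so either write `echo "$table"` or drop the assignment; being inside a pipeline subshell it cannot feed the outer `while read table` either. Taking the last word of each rule also assumes `lookup <table>` is always the final token of `ip rule ls` output; if any rule carries trailing attributes, that word will be printed as a table name. The enclosing case arm starts before this hunk.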
|
||||
@ -1187,47 +1314,8 @@ case "$1" in
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
mutex_on
|
||||
save_config
|
||||
|
||||
if qt $IPTABLES -L shorewall -n; then
|
||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||
|
||||
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
|
||||
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
|
||||
else
|
||||
case $RESTOREFILE in
|
||||
save|restore-base)
|
||||
echo " ERROR: Reserved file name: $RESTOREFILE"
|
||||
;;
|
||||
*)
|
||||
if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
|
||||
echo " Dynamic Rules Saved"
|
||||
if [ -f /var/lib/shorewall/restore-base ]; then
|
||||
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
|
||||
if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
|
||||
echo __EOF__ >> /var/lib/shorewall/restore-$$
|
||||
[ -f /var/lib/shorewall/restore-tail ] && \
|
||||
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
|
||||
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
|
||||
chmod +x $RESTOREPATH
|
||||
echo " Currently-running Configuration Saved to $RESTOREPATH"
|
||||
else
|
||||
rm -f /var/lib/shorewall/restore-$$
|
||||
echo " ERROR: Currently-running Configuration Not Saved"
|
||||
fi
|
||||
else
|
||||
echo " ERROR: /var/lib/shorewall/restore-base does not exist"
|
||||
fi
|
||||
else
|
||||
echo "Error Saving the Dynamic Rules"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
else
|
||||
echo "Shorewall isn't started"
|
||||
fi
|
||||
mutex_off
|
||||
;;
|
||||
forget)
|
||||
case $# in
|
||||
@ -1246,6 +1334,12 @@ case "$1" in
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
|
||||
if [ -x ${RESTOREPATH}-ipsets ]; then
|
||||
rm -f ${RESTOREPATH}-ipsets
|
||||
echo " ${RESTOREPATH}-ipsets removed"
|
||||
fi
|
||||
|
||||
rm -f $RESTOREPATH
|
||||
echo " $RESTOREPATH removed"
|
||||
elif [ -f $RESTOREPATH ]; then
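Review bot: The new `forget` branch removes `${RESTOREPATH}-ipsets` only when it is executable (`-x`), so a companion file that exists but has lost its mode bit is silently kept after the main restore file is removed, and the "removed" message never mentions it. Test for existence instead: `if [ -f ${RESTOREPATH}-ipsets ]; then`. The enclosing case arm starts before this hunk.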
|
||||
@ -1302,11 +1396,22 @@ case "$1" in
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
[ -n "$nolock" ] || mutex_on
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
if [ -x ${RESTOREPATH}-ipsets ] ; then
|
||||
echo Restoring Ipsets...
|
||||
iptables -F
|
||||
iptables -X
|
||||
${RESTOREPATH}-ipsets
|
||||
fi
|
||||
|
||||
echo Restoring Shorewall...
|
||||
$RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
|
||||
[ -n "$nolock" ] || mutex_off
|
||||
else
|
||||
echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
|
||||
[ -n "$nolock" ] || mutex_off
|
||||
exit 2
|
||||
fi
|
||||
;;
|
||||
@ -1323,6 +1428,76 @@ case "$1" in
|
||||
[ $# -ne 1 ] && usage 1
|
||||
help $@
|
||||
;;
|
||||
safe-restart|safe-start)
|
||||
# test is the shell supports timed read
|
||||
read -t 0 junk 2> /dev/null
|
||||
if [ $? -eq 2 -a ! -x /bin/bash ]
|
||||
then
|
||||
echo "Your shell does not support a feature required to execute this command".
|
||||
exit 2
|
||||
fi
|
||||
|
||||
mutex_on
|
||||
|
||||
if qt $IPTABLES -L shorewall -n
|
||||
then
|
||||
running=0
|
||||
else
|
||||
running=1
|
||||
fi
|
||||
|
||||
if [ "$1" = "safe-start" -a $running -eq 0 ]
|
||||
then
|
||||
# the command is safe-start but the firewall is already running
|
||||
$0 nolock $debugging start
|
||||
ret=$?
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$1" = "safe-start" -o $running -ne 0 ]
|
||||
then
|
||||
# the command is safe-start or shorewall is not started yet
|
||||
command="start"
|
||||
else
|
||||
# the command is safe-restart and the firewall is already running |