Copy latest 2.4 version from Shorewall2/

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2264 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
paulgear 2005-07-09 05:55:29 +00:00
parent 90dd62e89e
commit 2a19eb8a5a
75 changed files with 1694 additions and 1569 deletions


@ -1,4 +1,4 @@
Shoreline Firewall (Shorewall) Version 2.2
Shoreline Firewall (Shorewall) Version 2.4
----- ----
-----------------------------------------------------------------------------


@ -1,5 +1,5 @@
#
# Shorewall version 2.2 - Accounting File
# Shorewall version 2.4 - Accounting File
#
# /etc/shorewall/accounting
#
@ -69,7 +69,7 @@
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
@ -83,6 +83,7 @@
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named upnpd
#
# In all of the above columns except ACTION and CHAIN, the values "-",
# "any" and "all" may be used as wildcards


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowAuth
# Shorewall 2.4 /usr/share/shorewall/action.AllowAuth
#
# This action accepts Auth (identd) traffic.
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowDNS
# Shorewall 2.4 /usr/share/shorewall/action.AllowDNS
#
# This action accepts DNS traffic.
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowFTP
# Shorewall 2.4 /usr/share/shorewall/action.AllowFTP
#
# This action accepts FTP traffic. See
# http://www.shorewall.net/FTP.html for additional considerations.


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs
# Shorewall 2.4 /usr/share/shorewall/action.AllowICMPs
#
# ACCEPT needed ICMP types
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowIMAP
# Shorewall 2.4 /usr/share/shorewall/action.AllowIMAP
#
# This action accepts IMAP traffic (secure and insecure):
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowNNTP
# Shorewall 2.4 /usr/share/shorewall/action.AllowNNTP
#
# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowNTP
# Shorewall 2.4 /usr/share/shorewall/action.AllowNTP
#
# This action accepts NTP traffic (ntpd).
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowPCA
# Shorewall 2.4 /usr/share/shorewall/action.AllowPCA
#
# This action accepts PCAnywere (tm)
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowPOP3
# Shorewall 2.4 /usr/share/shorewall/action.AllowPOP3
#
# This action accepts POP3 traffic (secure and insecure):
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowPing
# Shorewall 2.4 /usr/share/shorewall/action.AllowPing
#
# This action accepts 'ping' requests.
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowRdate
# Shorewall 2.4 /usr/share/shorewall/action.AllowRdate
#
# This action accepts remote time retrieval (rdate).
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMB
# Shorewall 2.4 /usr/share/shorewall/action.AllowSMB
#
# Allow Microsoft SMB traffic. You need to invoke this action in
# both directions.


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMTP
# Shorewall 2.4 /usr/share/shorewall/action.AllowSMTP
#
# This action accepts SMTP (email) traffic.
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowSNMP
# Shorewall 2.4 /usr/share/shorewall/action.AllowSNMP
#
# This action accepts SNMP traffic (including traps):
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowSSH
# Shorewall 2.4 /usr/share/shorewall/action.AllowSSH
#
# This action accepts secure shell (SSH) traffic.
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowTelnet
# Shorewall 2.4 /usr/share/shorewall/action.AllowTelnet
#
# This action accepts Telnet traffic. For traffic over the
# internet, telnet is inappropriate; use SSH instead


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowTrcrt
# Shorewall 2.4 /usr/share/shorewall/action.AllowTrcrt
#
# This action accepts Traceroute (for up to 30 hops):
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowVNC
# Shorewall 2.4 /usr/share/shorewall/action.AllowVNC
#
# This action accepts VNC traffic for VNC display's 0 - 9.
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowVNCL
# Shorewall 2.4 /usr/share/shorewall/action.AllowVNCL
#
# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowWeb
# Shorewall 2.4 /usr/share/shorewall/action.AllowWeb
#
# This action accepts WWW traffic (secure and insecure):
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.Drop
# Shorewall 2.4 /usr/share/shorewall/action.Drop
#
# The default DROP common rules
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.DropDNSrep
# Shorewall 2.4 /usr/share/shorewall/action.DropDNSrep
#
# This action silently drops DNS UDP replies
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.DropPing
# Shorewall 2.4 /usr/share/shorewall/action.DropPing
#
# This action silently drops 'ping' requests.
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.DropSMB
# Shorewall 2.4 /usr/share/shorewall/action.DropSMB
#
# This action silently drops Microsoft SMB traffic
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.DropUPnP
# Shorewall 2.4 /usr/share/shorewall/action.DropUPnP
#
# This action silently drops UPnP probes on UDP port 1900
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.Reject
# Shorewall 2.4 /usr/share/shorewall/action.Reject
#
# The default REJECT action common rules
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.RejectAuth
# Shorewall 2.4 /usr/share/shorewall/action.RejectAuth
#
# This action silently rejects Auth (tcp 113) traffic
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.RejectSMB
# Shorewall 2.4 /usr/share/shorewall/action.RejectSMB
#
# This action silently rejects Microsoft SMB traffic
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /etc/shorewall/action.template
# Shorewall 2.4 /etc/shorewall/action.template
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
@ -70,7 +70,17 @@
#
# 10.0.0.4-10.0.0.9 Range of IP addresses; your
# kernel and iptables must have
# iprange match support.
# iprange match support.
#
# +remote The name of an ipset prefaced
# by "+". Your kernel and
# iptables must have set match
# support
#
# +remote[4] The name of the ipset may
# followed by a number of
# levels of ipset bindings
# enclosed in square brackets.
#
# 192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
@ -85,8 +95,9 @@
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., eth1:192.168.1.5).
#
# DEST Location of Server. Same as above with the exception that
# MAC addresses are not allowed.
# DEST Location of destination host. Same as above with the exception that
# MAC addresses are not allowed and that you cannot specify
# an ipset name in both the SOURCE and DEST columns.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
@ -146,7 +157,7 @@
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
@ -160,6 +171,7 @@
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named upnpd
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /etc/shorewall/actions
# Shorewall 2.4 /etc/shorewall/actions
#
# This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /usr/share/shorewall/actions.std
# Shorewall 2.4 /usr/share/shorewall/actions.std
#
# Please see http://shorewall.net/Actions.html for additional
# information.


@ -1,5 +1,5 @@
#
# Shorewall 2.2 -- Blacklist File
# Shorewall 2.4 -- Blacklist File
#
# /etc/shorewall/blacklist
#
@ -7,9 +7,10 @@
#
# Columns are:
#
# ADDRESS/SUBNET - Host address, subnetwork, MAC address or IP address
# ADDRESS/SUBNET - Host address, subnetwork, MAC address, IP address
# range (if your kernel and iptables contain iprange
# match support).
# match support) or ipset name prefaced by "+" (if
# your kernel supports ipset match).
#
# MAC addresses must be prefixed with "~" and use "-"
# as a separator.
@ -38,6 +39,13 @@
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
#
# Example:
#
# To block DNS queries from addresses in the ipset 'dnsblack':
#
# ADDRESS/SUBNET PROTOCOL PORT
# +dnsblack udp 53
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2-- Bogons File
# Shorewall 2.4 -- Bogons File
#
# /etc/shorewall/bogons
#
@ -45,19 +45,24 @@
36.0.0.0/7 logdrop # Reserved
39.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved
77.0.0.0/8 logdrop # Reserved
78.0.0.0/7 logdrop # Reserved
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
74.0.0.0/7 logdrop # Reserved
76.0.0.0/6 logdrop # Reserved
89.0.0.0/8 logdrop # Reserved
90.0.0.0/7 logdrop # Reserved
92.0.0.0/6 logdrop # Reserved
96.0.0.0/4 logdrop # Reserved
112.0.0.0/5 logdrop # Reserved
120.0.0.0/6 logdrop # Reserved
127.0.0.0/8 logdrop # Reserved
96.0.0.0/3 logdrop # Reserved
127.0.0.0/8 logdrop # Loopback
173.0.0.0/8 logdrop # Reserved
174.0.0.0/7 logdrop # Reserved
176.0.0.0/5 logdrop # Reserved
184.0.0.0/6 logdrop # Reserved
189.0.0.0/8 logdrop # Reserved
190.0.0.0/8 logdrop # Reserved
197.0.0.0/8 logdrop # Reserved
223.0.0.0/8 logdrop # Reserved
198.18.0.0/15 logdrop # Reserved
223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
240.0.0.0/4 logdrop # Reserved
#
# End of generated entries
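Review bot: The new `96.0.0.0/3 logdrop # Reserved` entry spans 96.0.0.0 through 127.255.255.255, so the `127.0.0.0/8 logdrop # Loopback` line kept two lines below it is now fully covered by the /3 and can never match on its own; harmless for a drop list, but the "Loopback" comment then documents a rule that does nothing, so either drop that line or narrow the /3 so the loopback entry stays distinct. The hunk also removes ranges the 2.2 file still listed as Reserved (77/8, 78/7, 89/8, 90/7, 92/6, 112/5, 120/6), presumably because they have since been allocated, which is the usual way a bogon list goes stale and starts dropping legitimate traffic; nothing in the hunk records which list or date the entries came from. A line such as `# Generated from <BOGON-SOURCE> on <DATE>` (placeholders) near the `# End of generated entries` trailer would let an operator judge how old the data is; the head of the generated section is outside the hunk.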


@ -1,296 +1,50 @@
Changes in 2.2.5
Changes in 2.4.0-Final
1) Correct behavior of PKTTYPE=No
1) Add the ability to specify a weight in the balance option.
2) Fixed typo in the tunnel script.
2) Remove "ipp2p" support in the rules file.
Changes in 2.2.4
3) Fix duplicate routing table listings from "shorewall status"
1) Added support for UPnP
Changes in 2.4.0-RC2
2) Add 'started' hook.
1) Relax "detect" restriction.
3) Make an error message more self-explanatory
2) Fix detection via 'nexthop' so it will work with BusyBox
4) Report Owner Match capability
3) Merge Tuomo Soini's fix for "shorewall add"
5) Add Paul Traina's patch to install.sh.
Changes in 2.4.0-RC1
6) Allow startup options to be overridden in /etc/sysconfig/shorewall
or /etc/default/shorewall.
1) Fix output from firewall itself vis-a-vis multiple providers.
7) Add support for SAME
2) Merge and tweak Lorenzo Martignoni's 'safe-restart' patch.
8) Add 'shorewall show capabilities'
Changes in 2.3.2
8) Add '-v' option
1) Add support for -j ROUTE
9) Allow 'none' in /etc/shorewall/rules.
2) Add TEST column to /etc/shorewall/routes
10) Add error message for invalid HOST(S) column contents.
3) Add support for different providers.
11) Apply Christian Rodriguez's patch for Slackware install.
4) Merge patch from Juan Jesús Prieto.
Changes in 2.2.3
5) Implement 'loose' routestopped option.
1) Added the 'continue' extension script.
6) Change 'loose' to 'source' and 'dest'
2) Obey 'routestopped' rules during [re]start.
7) Fix routing of connections from the firewall with multiple ISPs.
3) MACLIST_TTL added.
Changes in 2.3.1
4) Fix ! in hosts file
1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
Shorewall configuration directories.
5) Add QUEUE policy.
Changes in 2.3.0
6) Fix routing output when advanced routing support not in kernel.
1) Implement support for --cmd-owner
Changes in 2.2.2
2) Implement support for ipsets.
1) The 'check' command disclaimer is toned down further and only
appears once in the 'check' output.
2) Enhanced support in the SOURCE column of /etc/shorewall/tcrules.
3) All calls to 'clear' are now conditional on the output device being
a terminal.
4) Apply Juergen Kreileder's patch for logging.
5) Add the output of 'arp -na' to the 'shorewall status' display.
6) Provide support for the Extended multiport match available in
2.6.11.
7) Fix logging rule generation.
8) Correct port numbers in action.AllowPCA.
9) Fix installer's handling of action.* files.
10) Implement RFC1918_STRICT
11) Verify interface names in the DEST column of tcrules.
Changes in 2.2.1
1) Add examples to the zones and policy files.
2) Simon Matter's patch for umask.
Changes since 2.0.3
1) Fix security vulnerability involving temporary files/directories.
2) Hack security fix so that it works under Slackware.
3) Correct mktempfile() for case where mktemp isn't installed.
4) Implement 'dropInvalid' builtin action.
5) Fix logging nat rules.
6) Fix COMMAND typos.
7) Add PKTTYPE option.
8) Enhancements to /etc/shorewall/masq
8) Allow overriding ADD_IP_ALIASES=Yes
9) Fix syntax error in setup_nat()
10) Port "shorewall status" changes from 2.0.7.
11) All config files are now empty.
12) Port blacklisting fix from 2.0.7
13) Pass rule chain and display chain separately to log_rule_limit.
Prep work for action logging.
14) Show the iptables/ip/tc command that failed when failure is fatal.
15) Implement STARTUP_ENABLED.
16) Added DNAT ONLY column to /etc/shorewall/nat.
17) Removed SNAT from ORIGINAL DESTINATION column.
18) Removed DNAT ONLY column.
19) Added IPSEC column to /etc/shorewall/masq.
20) No longer enforce source port 500 for ISAKMP.
21) Apply policy to interface/host options.
22) Fix policy and maclist.
23) Implement additional IPSEC options for zones and masq entries.
24) Deprecate the -c option in /sbin/shorewall.
25) Allow distinct input and output IPSEC parameters.
26) Allow source port remapping in /etc/shorewall/masq.
27) Include params file on 'restore'
28) Apply Richard Musil's patch.
29) Correct parsing of PROTO column in setup_tc1().
30) Verify Physdev match if BRIDGING=Yes
31) Don't NAT tunnel traffic.
32) Fix shorewall.spec to run chkconfig/insserv after initial install.
33) Add iprange support.
34) Add CLASSIFY support.
35) Fix iprange support so that ranges in both source and destination
work.
36) Remove logunclean and dropunclean
37) Fixed proxy arp flag setting for complex configurations.
38) Added RETAIN_ALIASES option.
39) Relax OpenVPN source port restrictions.
40) Implement DELAYBLACKLISTLOAD.
41) Avoid double-setting proxy arp flags.
42) Fix DELAYBLACKLISTLOAD=No.
43) Merge 'brctl show' change from 2.0.9.
44) Implememt LOGTAGONLY.
45) Merge 'tcrules' clarification from 2.0.10.
46) Implement 'sourceroute' interface option.
47) Add 'AllowICMPs' action.
48) Changed 'activate_rules' such that traffic from IPSEC hosts gets
handled before traffic from non-IPSEC zones.
49) Correct logmartians handling.
50) Add a clarification and fix a typo in the blacklist file.
51) Allow setting a specify MSS value.
52) Detect duplicate zone names.
53) Add mss=<number> option to the ipsec file.
54) Added CONNMARK/ipp2p support.
55) Added LOGALLNEW support.
56) Fix typo in check_config()
57) Allow outgoing NTP responses in action.AllowNTP.
58) Clarification of the 'ipsec' hosts file option.
59) Allow list in the SUBNET column of the rfc1918 file.
60) Restore missing '#' in the rfc1918 file.
61) Add note for Slackware users to INSTALL.
62) Allow interface in DEST tcrules column.
63) Remove 'ipt_unclean' from search expression in "log" commands.
64) Remove nonsense from IPSEC description in masq file.
65) Correct typo in rules file.
66) Update bogons file.
67) Add a rule for NNTPS to action.AllowNNTP
68) Fix "shorewall add"
69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file.
70) Correct typo in shorewall.conf.
71) Add the 'icmp_echo_ignore_all' file to the /proc display.
72) Apply Tuomas Jormola's IPTABLES patch.
73) Fixed some bugs in Tuomas's patch.
74) Correct bug in "shorewall add"
75) Correct bridge handling in "shorewall add" and "shorewall delete"
76) Add "shorewall show zones"
77) Remove dependency of "show zones" on dynamic zones.
78) Implement variable expansion in INCLUDE directives
79) More fixes for "shorewall delete" with bridging.
80) Split restore-base into two files.
81) Correct OUTPUT handling of dynamic zones.
83) Add adapter statistics to the output of "shorewall status".
84) Log drops due to policy rate limiting.
85) Continue determining capabilities when fooX1234 already exists.
86) Corrected typo in interfaces file.
87) Add DROPINVALID option.
88) Allow list of hosts in add and delete commands. Fix ipsec problem
with "add" and "delete"
89) Clarify add/delete syntax in /sbin/shorewall usage summary.
90) Implement OpenVPN TCP support.
91) Simplify the absurdly over-engineered code that restores the
dynamic chain.
92) Add OPENVPNPORT option.
93) Remove OPENVPNPORT option and change default port to 1194.
94) Avoid shell error during "shorewall stop/clear"
95) Change encryption to blowfish in 'ipsecvpn' script.
96) Correct rate limiting rule example.
97) Fix <if>:: handling in setup_masq().
98) Fix mis-leading typo in tunnels.
99) Fix brain-dead ipsec option handling in setup_masq().
100) Reconcile ipsec masq file implementation with the documentation.
101) Add netfilter module display to status output.
102) Add 'allowInvalid' builtin action.
103) Expand range of Traceroute ports.
102) Correct uninitialized variable in setup_ecn()
103) Allow DHCP to be IPSEC-encrypted.


@ -1,5 +1,5 @@
#
# Shorewall version 2.2 - Default Config Path
# Shorewall version 2.4 - Default Config Path
#
# /usr/share/shorewall/configpath
#


@ -1,5 +1,5 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/continue
# Shorewall 2.4 -- /etc/shorewall/continue
#
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing connections.


@ -1,5 +1,5 @@
#
# Shorewall 2.2 - /etc/shorewall/ecn
# Shorewall 2.4 - /etc/shorewall/ecn
#
# Use this file to list the destinations for which you want to
# disable ECN.


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=2.2.5
VERSION=2.4.0
usage() # $1 = exit status
{



@ -1,6 +1,6 @@
#!/bin/sh
#
# Shorewall 2.2 -- /usr/share/shorewall/functions
# Shorewall 2.4 -- /usr/share/shorewall/functions
# Function to truncate a string -- It uses 'cut -b -<n>'
# rather than ${v:first:last} because light-weight shells like ash and
@ -159,9 +159,12 @@ find_file()
# Replace commas with spaces and echo the result
#
separate_list() {
local list
local list="$@"
local part
local newlist
local firstpart
local lastpart
local enclosure
#
# There's been whining about us not catching embedded white space in
# comma-separated lists. This is an attempt to snag some of the cases.
@ -170,12 +173,31 @@ separate_list() {
# either 'startup_error' or 'fatal_error' depending on the command and
# command phase
#
case "$@" in
case "$list" in
*,|,*|*,,*|*[[:space:]]*)
[ -n "$terminator" ] && \
$terminator "Invalid comma-separated list \"$@\""
echo "Warning -- invalid comma-separated list \"$@\"" >&2
;;
*\[*\]*)
#
# Where we need to embed comma-separated lists within lists, we enclose them
# within square brackets
#
firstpart=${list%%\[*}
lastpart=${list#*\[}
enclosure=${lastpart%\]*}
lastpart=${lastpart#*\]}
case $lastpart in
\,*)
echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
;;
*)
echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)"
;;
esac
return
;;
esac
list="$@"
@ -756,6 +778,29 @@ find_device() {
done
}
#
# Find the value 'via' in the passed arguments then echo the next value
#
find_gateway() {
while [ $# -gt 1 ]; do
[ "x$1" = xvia ] && echo $2 && return
shift
done
}
#
# Find the value 'peer' in the passed arguments then echo the next value up to
# "/"
#
find_peer() {
while [ $# -gt 1 ]; do
[ "x$1" = xpeer ] && echo ${2%/*} && return
shift
done
}
#
# Find the interfaces that have a route to the passed address - the default
# route is not used.
@ -778,6 +823,14 @@ find_rt_interface() {
done
}
#
# Try to find the gateway through an interface looking for 'nexthop'
find_nexthop() # $1 = interface
{
echo $(find_gateway `ip route ls | grep "[[:space:]]nexthop.* $1"`)
}
#
# Find the default route's interface
#
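Review bot: In the new find_nexthop, `$1` closes the pattern of `grep "[[:space:]]nexthop.* $1"` unanchored, so `find_nexthop eth0` also matches a nexthop line for eth0.1 or eth01 and echoes whichever gateway appears first, and a `.` in a VLAN interface name matches any character. Anchoring on the device word, `echo $(find_gateway \`ip route ls | grep "[[:space:]]nexthop.*[[:space:]]dev[[:space:]]$1[[:space:]]"\`)`, removes the prefix match; this assumes nexthop lines of `ip route ls` print the interface as `dev <name>` followed by further text such as `weight`, which is worth confirming against the iproute2 version in use. The bracket branch added to separate_list recurses with unquoted `$firstpart` and `$lastpart`, which lets the shell glob-expand a list element containing `*` or `?` before the recursive call sees it; quoting them is the obvious fix unless the part of the function past the hunk relies on that word splitting. separate_list begins before the first hunk and continues past the end of the second.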


@ -1,6 +1,6 @@
#!/bin/sh
#
# Shorewall help subsystem - V2.2
# Shorewall help subsystem - V2.4
#
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
@ -55,7 +55,10 @@ address|host)
May be either a host IP address such as 192.168.1.4 or a network address in
CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
match support then IP address ranges of the form <low address>-<high address>
are also permitted."
are also permitted. If your kernel and iptables contain ipset match support
then you may specify the name of an ipset prefaced by "+". The name of the
ipsec may be optionally followed by a number of levels of ipset bindings
(1 - 6) that are to be followed"
;;
allow)
@ -209,6 +212,19 @@ restart)
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
;;
safe-restart)
echo "safe-restart: safe-restart
Restart the same way as a shorewall restart except that previous firewall
configuration is backed up and will be restored if you notice any anomalies
or you are not able to reach the firewall any more."
;;
safe-start)
echo "safe-start: safe-start
Start the same way as a shorewall start except that in case of anomalies
shorewall clear is issued. "
;;
restore)
echo "restore: restore [ <file name> ]
Restore Shorewall to a state saved using the 'save' command
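Review bot: The added help text for address|host at the line `ipsec may be optionally followed by a number of levels of ipset bindings` mixes up the two terms; the sentence is about ipsets, so it should read `The name of the ipset may be optionally followed by a number of levels of ipset bindings`. The same sentence ends `(1 - 6) that are to be followed"` without the full stop the preceding sentence has. The enclosing case statement starts before the hunk.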


@ -1,5 +1,5 @@
#
# Shorewall 2.2 - /etc/shorewall/hosts
# Shorewall 2.4 - /etc/shorewall/hosts
#
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.


@ -1,5 +1,5 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/init
# Shorewall 2.4 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.


@ -1,7 +1,7 @@
#!/bin/sh
RCDLINKS="2,S41 3,S41 6,K41"
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.2
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.4
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#


@ -1,5 +1,5 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/initdone
# Shorewall 2.4 -- /etc/shorewall/initdone
#
# Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where


@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=2.2.5
VERSION=2.4.0
usage() # $1 = exit status
{
@ -407,6 +407,28 @@ else
echo
echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
fi
#
# Install the Routes file
#
if [ -f ${PREFIX}/etc/shorewall/routes ]; then
backup_file /etc/shorewall/routes
else
run_install $OWNERSHIP -m 0600 routes ${PREFIX}/etc/shorewall/routes
echo
echo "Routes file installed as ${PREFIX}/etc/shorewall/routes"
fi
#
# Install the Providers file
#
if [ -f ${PREFIX}/etc/shorewall/providers ]; then
backup_file /etc/shorewall/providers
else
run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall/providers
echo
echo "Providers file installed as ${PREFIX}/etc/shorewall/providers"
fi
#
# Backup and remove the whitelist file
#
@ -518,7 +540,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/started ]; then
backup_file /etc/shorewall/started
else
run_install -o $OWNER -g $GROUP -m 0600 started ${PREFIX}/etc/shorewall/started
run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall/started
echo
echo "Started file installed as ${PREFIX}/etc/shorewall/started"
fi
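Review bot: The new Routes and Providers blocks are verbatim copies of the blacklist block whose tail opens the first hunk, with only the file name changed, and the `started` block in the second hunk has the same shape again; a loop over the file names keeps the mode (0600), ownership argument and messages in one place and turns the next config file into a one-word addition. The only visible difference would be the message, which would read `routes file installed as ...` rather than `Routes file installed as ...` unless the name is capitalised separately. The `started` line's change to `$OWNERSHIP` matches the new blocks as far as the hunks show.
```shell
#
# Install the Routes and Providers files
#
for file in routes providers; do
    if [ -f ${PREFIX}/etc/shorewall/$file ]; then
        backup_file /etc/shorewall/$file
    else
        run_install $OWNERSHIP -m 0600 $file ${PREFIX}/etc/shorewall/$file
        echo
        echo "${file} file installed as ${PREFIX}/etc/shorewall/$file"
    fi
done
# … unchanged: whitelist backup and removal …
```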


@ -1,5 +1,5 @@
#
# Shorewall 2.2 -- Interfaces File
# Shorewall 2.4 -- Interfaces File
#
# /etc/shorewall/interfaces
#
@ -167,9 +167,10 @@
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
#
# upnp - Incoming requests from this interface may
# be remapped via UPNP (upnpd).
#
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE.
#
@ -177,6 +178,12 @@
# significant but the list should have no embedded white
# space.
#
# GATEWAY This column is only meaningful if the 'default' OPTION
# is given -- it is ignored otherwise. You may specify
# the default gateway IP address for this interface here
# and Shorewall will use that IP address rather than any
# that it finds in the main routing table.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
# local subnet is 192.168.1.0/24. The interface gets
@ -205,6 +212,6 @@
# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
#
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,5 +1,5 @@
#
# Shorewall 2.2 - /etc/shorewall/ipsec
# Shorewall 2.4 - /etc/shorewall/ipsec
#
# This file defines the attributes of zones with respect to
# IPSEC. To use this file for any purpose except for setting mss,
@ -27,7 +27,7 @@
#
# proto=ah|esp|ipcomp
#
# mss=<number> (sets the MSS field in TCP packets)
# mss=<number> (sets the MSS field in TCP packets)
#
# mode=transport|tunnel
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 - MAC list file
# Shorewall 2.4 - MAC list file
#
# This file is used to define the MAC addresses and optionally their
# associated IP addresses to be allowed to use the specified interface.


@ -1,5 +1,5 @@
#
# Shorewall 2.2 - Masquerade file
# Shorewall 2.4 - Masquerade file
#
# /etc/shorewall/masq
#


@ -1,5 +1,5 @@
##############################################################################
# Shorewall 2.2 /etc/shorewall/modules
# Shorewall 2.4 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
#
@ -19,4 +19,9 @@
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc
loadmodule ip_set
loadmodule ip_set_iphash
loadmodule ip_set_ipmap
loadmodule ip_set_macipmap
loadmodule ip_set_portmap


@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 2.2 -- Network Address Translation Table
# Shorewall 2.4 -- Network Address Translation Table
#
# /etc/shorewall/nat
#


@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 2.2 -- Network Mapping Table
# Shorewall 2.4 -- Network Mapping Table
#
# /etc/shorewall/netmap
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 /etc/shorewall/params
# Shorewall 2.4 /etc/shorewall/params
#
# Assign any variables that you need here.
#


@ -1,5 +1,5 @@
#
# Shorewall 2.2 -- Policy File
# Shorewall 2.4 -- Policy File
#
# /etc/shorewall/policy
#


@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 2.2 -- Proxy ARP
# Shorewall 2.4 -- Proxy ARP
#
# /etc/shorewall/proxyarp
#



@ -1,5 +1,5 @@
#
# Shorewall 2.2 -- RFC1918 File
# Shorewall 2.4 -- RFC1918 File
#
# /etc/shorewall/rfc1918
#


@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 2.2 -- Hosts Accessible when the Firewall is Stopped
# Shorewall 2.4 -- Hosts Accessible when the Firewall is Stopped
#
# /etc/shorewall/routestopped
#
@ -23,7 +23,19 @@
# options. The currently-supported options are:
#
# routeback - Set up a rule to ACCEPT traffic from
# these hosts back to themselves.
# these hosts back to themselves.
#
# source - Allow traffic from these hosts to ANY
# destination. Without this option or the 'dest'
# option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If
# 'source' is specified then 'routeback' is redundent.
#
# dest - Allow traffic to these hosts from ANY
# source. Without this option or the 'source'
# option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If
# 'dest' is specified then 'routeback' is redundent.
#
# Example:
#
@ -31,6 +43,7 @@
# eth2 192.168.1.0/24
# eth0 192.0.2.44
# br0 - routeback
# eth3 - source
#
# See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
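Review bot: Both new option descriptions end with `'routeback' is redundent`; the word is `redundant`, in the 'source' paragraph and again in the 'dest' paragraph. The 'dest' paragraph also repeats the 'source' paragraph's middle sentence word for word (`only traffic from this host to other listed hosts (and the firewall) is allowed`), which reads like a copy-paste; if the default being described for 'dest' concerns traffic to this host rather than from it, the sentence should say so. Given that these options widen what is permitted while the firewall is stopped, a precise description of the default matters more here than elsewhere in the file.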


@ -1,5 +1,5 @@
#
# Shorewall version 2.2 - Rules File
# Shorewall version 2.4 - Rules File
#
# /etc/shorewall/rules
#
@ -134,6 +134,11 @@
# Hosts may be specified as an IP address range using the
# syntax <low address>-<high address>. This requires that
# your kernel and iptables contain iprange match support.
# If you kernel and iptables have ipset match support then
# you may give the name of an ipset prefaced by "+". The
# ipset name may be optionally followed by a number from
# 1 to 6 enclosed in square brackets ([]) to indicate the
# number of levels of source bindings to be matched.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
@ -189,6 +194,14 @@
# the connections will be assigned to addresses in the
# range in a round-robin fashion.
#
# If you kernel and iptables have ipset match support then
# you may give the name of an ipset prefaced by "+". The
# ipset name may be optionally followed by a number from
# 1 to 6 enclosed in square brackets ([]) to indicate the
# number of levels of destination bindings to be matched.
# Only one of the SOURCE and DEST columns may specify an
# ipset name.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the
@ -204,20 +217,14 @@
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example "bit"
# for bit-torrent). If no port is given, "ipp2p" is
# assumed.
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
@ -250,8 +257,8 @@
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or
# REDIRECT[-]) If included and different from the IP
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then
# if included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
@ -267,6 +274,20 @@
# destination address in the connection request does not
# match any of the addresses listed.
#
# For other actions, this column may be included and may
# contain one or more addresses (host or network)
# separated by commas. Address ranges are not allowed.
# When this column is supplied, rules are generated
# that require that the original destination address matches
# one of the listed addresses. This feature is most useful when
# you want to generate a filter rule that corresponds to a
# DNAT- or REDIRECT- rule. In this usage, the list of
# addresses should not begin with "!".
#
# See http://shorewall.net/PortKnocking.html for an
# example of using an entry in this column with a
# user-defined action rule.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this colume:
#
@ -285,7 +306,7 @@
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
@ -299,6 +320,7 @@
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named 'upnpd'
#
# Example: Accept SMTP requests from the DMZ to the internet
#
@ -1,6 +1,6 @@
#!/bin/sh
#
# Shorewall Packet Filtering Firewall Control Program - V2.2
# Shorewall Packet Filtering Firewall Control Program - V2.4
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
@ -97,6 +97,14 @@
# shorewall iprange <address>-<address> Decomposes a range of IP addresses into
# a list of network/host addresses.
#
# shorewall safe-start Starts the firewall and promtp for a c
# confirmation to accept or reject the new
# configuration
#
# shorewall safe-restart Restarts the firewall and prompt for a
# confirmation to accept or reject the new
# configuration
#
# Fatal Error
#
fatal_error() # $@ = Message
@ -136,7 +144,7 @@ showchain() # $1 = name of chain
}
#
# The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed.
# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
#
iptablesbug()
@ -146,6 +154,7 @@ iptablesbug()
/^-j/ { print sline $0; next };\
/-m policy.*-j/ { print $0; next };\
/-m policy/ { sline=$0; next };\
/--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
{print ; sline="" }'
else
echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
@ -589,6 +598,88 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
done
}
#
# Save currently running configuration
#
save_config() {
[ "$nolock" ] || mutex_on
if qt $IPTABLES -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
else
case $RESTOREFILE in
save|restore-base)
echo " ERROR: Reserved file name: $RESTOREFILE"
;;
*)
if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
echo __EOF__ >> /var/lib/shorewall/restore-$$
[ -f /var/lib/shorewall/restore-tail ] && \
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH"
rm -f ${RESTOREPATH}-ipsets
case ${SAVE_IPSETS:-No} in
[Yy][Ee][Ss])
RESTOREPATH=${RESTOREPATH}-ipsets
f=/var/lib/shorewall/restore-$$
echo "#!/bin/sh" > $f
echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f
echo >> $f
echo ". /usr/share/shorewall/functions" >> $f
echo >> $f
grep '^MODULE' /var/lib/shorewall/restore-base >> $f
echo "reload_kernel_modules << __EOF__" >> $f
grep 'loadmodule ip_set' /var/lib/shorewall/restore-base >> $f
echo "__EOF__" >> $f
echo >> $f
echo "ipset -U :all: :all:" >> $f
echo "ipset -F" >> $f
echo "ipset -X" >> $f
echo "ipset -R << __EOF__" >> $f
ipset -S >> $f
echo "__EOF__" >> $f
mv -f $f $RESTOREPATH
chmod +x $RESTOREPATH
echo " Current Ipset Contents Saved to $RESTOREPATH"
;;
[Nn][Oo])
;;
*)
echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. Ipset contents not saved"
;;
esac
else
rm -f /var/lib/shorewall/restore-$$
echo " ERROR: Currently-running Configuration Not Saved"
fi
else
echo " ERROR: /var/lib/shorewall/restore-base does not exist"
fi
else
echo "Error Saving the Dynamic Rules"
fi
;;
esac
fi
else
echo "Shorewall isn't started"
fi
[ "$nolock" ] || mutex_off
}
#
# Help information
#
@ -630,6 +721,8 @@ usage() # $1 = exit status
echo " status"
echo " try <directory> [ <timeout> ]"
echo " version"
echo " safe-start"
echo " safe-restart"
echo
exit $1
}
@ -642,6 +735,7 @@ show_reset() {
echo "Counters reset $(cat $STATEDIR/restarted)" && \
echo
}
#
# Display's the passed file name followed by "=" and the file's contents.
#
@ -650,6 +744,27 @@ show_proc() # $1 = name of a file
[ -f $1 ] && echo " $1 = $(cat $1)"
}
read_yesno_with_timeout() {
read -t 60 yn 2> /dev/null
if [ $? -eq 2 ]
then
# read doesn't support timeout
test -x /bin/bash || return 2 # bash is not installed so the feature is not available
/bin/bash -c 'read -t 60 yn ; if [ "$yn" == "y" ] ; then exit 0 ; else exit 1 ; fi' # invoke bash and use its version of read
return $?
else
# read supports timeout
case "$yn" in
y|Y)
return 0
;;
*)
return 1
;;
esac
fi
}
#
# Execution begins here
#
@ -846,6 +961,17 @@ case "$1" in
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
echo Restoring Ipsets...
#
# We must purge iptables to be sure that there are no
# references to ipsets
#
iptables -F
iptables -X
${RESTOREPATH}-ipsets
fi
echo Restoring Shorewall...
$RESTOREPATH
date > $STATEDIR/restarted
@ -1035,7 +1161,8 @@ case "$1" in
echo
ip rule ls
ip rule ls | while read rule; do
table=${rule##* }
echo ${rule##* }
done | sort -u | while read table; do
echo
echo "Table $table:"
echo
@ -1187,47 +1314,8 @@ case "$1" in
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
mutex_on
save_config
if qt $IPTABLES -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
else
case $RESTOREFILE in
save|restore-base)
echo " ERROR: Reserved file name: $RESTOREFILE"
;;
*)
if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
echo __EOF__ >> /var/lib/shorewall/restore-$$
[ -f /var/lib/shorewall/restore-tail ] && \
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH"
else
rm -f /var/lib/shorewall/restore-$$
echo " ERROR: Currently-running Configuration Not Saved"
fi
else
echo " ERROR: /var/lib/shorewall/restore-base does not exist"
fi
else
echo "Error Saving the Dynamic Rules"
fi
;;
esac
fi
else
echo "Shorewall isn't started"
fi
mutex_off
;;
forget)
case $# in
@ -1246,6 +1334,12 @@ case "$1" in
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
rm -f ${RESTOREPATH}-ipsets
echo " ${RESTOREPATH}-ipsets removed"
fi
rm -f $RESTOREPATH
echo " $RESTOREPATH removed"
elif [ -f $RESTOREPATH ]; then
@ -1302,11 +1396,22 @@ case "$1" in
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
[ -n "$nolock" ] || mutex_on
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ] ; then
echo Restoring Ipsets...
iptables -F
iptables -X
${RESTOREPATH}-ipsets
fi
echo Restoring Shorewall...
$RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
[ -n "$nolock" ] || mutex_off
else
echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
[ -n "$nolock" ] || mutex_off
exit 2
fi
;;
@ -1323,6 +1428,76 @@ case "$1" in
[ $# -ne 1 ] && usage 1
help $@
;;
safe-restart|safe-start)
# test is the shell supports timed read
read -t 0 junk 2> /dev/null
if [ $? -eq 2 -a ! -x /bin/bash ]
then
echo "Your shell does not support a feature required to execute this command".
exit 2
fi
mutex_on
if qt $IPTABLES -L shorewall -n
then
running=0
else
running=1
fi
if [ "$1" = "safe-start" -a $running -eq 0 ]
then
# the command is safe-start but the firewall is already running
$0 nolock $debugging start
ret=$?
exit 0
fi
if [ "$1" = "safe-start" -o $running -ne 0 ]
then
# the command is safe-start or shorewall is not started yet
command="start"
else
# the command is safe-restart and the firewall is already running
command="restart"
fi
if [ "$command" = "restart" ]
then
# save previous configuration
$0 nolock $debugging save "safe-start-restart"
fi
$0 nolock $debugging $command
echo -n "Do you want to accept the new firewall configuration? [y/n] "
read_yesno_with_timeout
if [ $? -eq 0 ]
then
echo "New configuration has been accepted"
if [ "$command" = "restart" ]
then
# removed previous configuration
rm /var/lib/shorewall/safe-start-restart
fi
else
if [ "$command" = "restart" ]
then
$0 nolock $debugging restore "safe-start-restart"
rm /var/lib/shorewall/safe-start-restart
else
$0 nolock $debugging clear
fi
mutex_off
echo "New configuration has been rejected and the old one restored"
exit 2
fi
mutex_off
[ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
;;
*)
usage 1
;;
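Review bot: In the restore hunk (the lines after `Restoring Ipsets...`), `iptables -F` and `iptables -X` empty the filter table before `${RESTOREPATH}-ipsets` is run, and that script's exit status is never checked, so a failed ipset restore leaves the host with no filter rules and only the chain default policies until `$RESTOREPATH` runs — and the rule restore itself will presumably fail on any rule that references a set that was not recreated. The same unchecked sequence is repeated in the later `restore` hunk, and both use a bare `iptables` where `save_config` and the rest of the script use `$IPTABLES`; I would write `$IPTABLES -F`, `$IPTABLES -X` and `${RESTOREPATH}-ipsets || fatal_error "Ipset restore from ${RESTOREPATH}-ipsets failed"` so a failed restore stops loudly instead of silently continuing (assuming fatal_error also releases the mutex — confirm). Separately, in the `safe-restart|safe-start` hunk the line `[ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK` tests the status of the preceding `mutex_off`, not of the start/restart command, and the status of `$0 nolock $debugging $command` is never examined before the user is asked to accept the configuration, so a failed start still prompts and can still create the subsystem lock. The `exit 0` in the already-running `safe-start` branch returns while the mutex taken by `mutex_on` is still held, unless an exit trap elsewhere releases it. The enclosing `case "$1" in` statement begins outside these hunks.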
@ -1,5 +1,5 @@
##############################################################################
# /etc/shorewall/shorewall.conf V2.2 - Change the following variables to
# /etc/shorewall/shorewall.conf V2.4 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
@ -158,6 +158,7 @@ LOGALLNEW=
#
# See the comment at the top of this section for a description of log levels
#
BLACKLIST_LOGLEVEL=
#
@ -174,7 +175,6 @@ BLACKLIST_LOGLEVEL=
#
# Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN=info
#
@ -251,6 +251,7 @@ BOGON_LOG_LEVEL=info
#
LOG_MARTIANS=No
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
@ -261,12 +262,14 @@ LOG_MARTIANS=No
# not specified or if specified with an empty value (e.g., IPTABLES="") then
# the iptables executable located via the PATH setting below is used.
#
IPTABLES=
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
@ -336,6 +339,7 @@ CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
# assumed.
RESTOREFILE=
################################################################################
# F I R E W A L L O P T I O N S
################################################################################
@ -345,6 +349,7 @@ RESTOREFILE=
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
#
@ -359,6 +364,7 @@ FW=fw
# If you set this variable to "Keep" or "keep", Shorewall will neither
# enable nor disable packet forwarding.
#
IP_FORWARDING=On
#
@ -368,6 +374,7 @@ IP_FORWARDING=On
# for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases youself.
#
ADD_IP_ALIASES=Yes
#
@ -378,6 +385,7 @@ ADD_IP_ALIASES=Yes
# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
# you are sure that you need it -- most people don't!!!
#
ADD_SNAT_ALIASES=No
#
@ -393,6 +401,7 @@ ADD_SNAT_ALIASES=No
# You can cause Shorewall to retain existing addresses by setting
# RETAIN_ALIASES=Yes.
#
RETAIN_ALIASES=No
#
@ -475,6 +484,7 @@ MARK_IN_FORWARD_CHAIN=No
#
# CLAMPMSS=1400
#
CLAMPMSS=No
#
@ -571,7 +581,6 @@ MUTEX_TIMEOUT=60
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
# network or host basis using the same option in /etc/shorewall/hosts.
#
# I find that NEWNOTSYN=No tends to result in lots of "stuck"
# connections because any network timeout during TCP session tear down
@ -609,6 +618,7 @@ NEWNOTSYN=Yes
# If this variable is not set or it is set to the null value then
# ADMINISABSENTMINDED=No is assumed.
#
ADMINISABSENTMINDED=Yes
#
@ -631,6 +641,7 @@ ADMINISABSENTMINDED=Yes
# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
# BLACKLISTNEWONLY=No is assumed.
#
BLACKLISTNEWONLY=Yes
#
@ -791,6 +802,20 @@ RFC1918_STRICT=No
MACLIST_TTL=
#
# Save/Restore IPSETS
#
# If SAVE_IPSETS=Yes then Shorewall will:
#
# Restore the last saved ipset contents during "shorewall [re]start"
# Save the current ipset contents during "shorewall save"
#
# Regardless of the setting of SAVE_IPSETS, if ipset contents were
# saved during a "shorewall save" then they will be restored during
# a subsequent "shorewall restore".
SAVE_IPSETS=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
@ -1,5 +1,5 @@
%define name shorewall
%define version 2.2.5
%define version 2.4.0
%define release 1
%define prefix /usr
@ -95,6 +95,8 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
%attr(0600,root,root) %config(noreplace) /etc/shorewall/continue
%attr(0600,root,root) %config(noreplace) /etc/shorewall/started
%attr(0600,root,root) %config(noreplace) /etc/shorewall/routes
%attr(0600,root,root) %config(noreplace) /etc/shorewall/providers
%attr(0544,root,root) /sbin/shorewall
@ -139,8 +141,16 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
%changelog
* Fri May 20 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.5-1
* Thu Jun 02 2005 Tom Eastep tom@shorewall.net
- Updated to 2.4.0-1
* Sun May 30 2005 Tom Eastep tom@shorewall.net
- Updated to 2.4.0-0RC2
* Thu May 19 2005 Tom Eastep tom@shorewall.net
- Updated to 2.4.0-0RC1
* Thu May 19 2005 Tom Eastep tom@shorewall.net
- Updated to 2.3.2-1
* Sun May 15 2005 Tom Eastep tom@shorewall.net
- Updated to 2.3.1-1
* Mon Apr 11 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.4-1
* Fri Apr 08 2005 Tom Eastep tom@shorewall.net
@ -1,5 +1,5 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/start
# Shorewall 2.4 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
@ -1,5 +1,5 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/started
# Shorewall 2.4 -- /etc/shorewall/started
#
# Add commands below that you want to be executed after shorewall has
# been completely started or restarted. The difference between this
@ -1,5 +1,5 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/stop
# Shorewall 2.4 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
@ -1,5 +1,5 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/stopped
# Shorewall 2.4 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
@ -1,5 +1,5 @@
#
# Shorewall version 2.2 - Traffic Control Rules File
# Shorewall version 2.4 - Traffic Control Rules File
#
# /etc/shorewall/tcrules
#
@ -16,10 +16,14 @@
# final mark for each packet will be the one assigned by the
# LAST tcrule that matches.
#
# If you use multiple internet providers with the 'track' option,
# in /etc/shorewall/providers be sure to read the restrictions at
# http://shorewall.net/Shorewall_and_Routing.html.
#
# Columns are:
#
#
# MARK/ a) A mark value which is a integer in the range 1-255
# MARK/ a) A mark value which is an integer in the range 1-255
# CLASSIFY
# May optionally be followed by ":P" or ":F"
# where ":P" indicates that marking should occur in
@ -130,10 +134,11 @@
#
# It may contain :
#
# [<user name or number>]:[<group name or number>]
# [<user name or number>]:[<group name or number>][+<program name>]
#
# The colon is optionnal when specifying only a user.
# Examples : john: / john / :users / john:users
# The colon is optionnal when specifying only a user
# or a program name.
# Examples : john: , john , :users , john:users , +mozilla-bin
#
# TEST Defines a test on the existing packet or connection mark.
# The rule will match only if the test returns true. Tests
@ -1,5 +1,5 @@
#
# Shorewall 2.2 -- /etc/shorewall/tos
# Shorewall 2.4 -- /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#
@ -2,7 +2,7 @@
RCDLINKS="2,S45 3,S45 6,K45"
################################################################################
# Script to create a gre or ipip tunnel -- Shorewall 2.2
# Script to create a gre or ipip tunnel -- Shorewall 2.4
#
# Modified - Steve Cowles 5/9/2000
# Incorporated init {start|stop} syntax and iproute2 usage
@ -1,5 +1,5 @@
#
# Shorewall 2.2 - /etc/shorewall/tunnels
# Shorewall 2.4 - /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=2.2.5
VERSION=2.4.0
usage() # $1 = exit status
{
@ -1,5 +1,5 @@
#
# Shorewall 2.2 /etc/shorewall/zones
# Shorewall 2.4 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#