From 2a19eb8a5a259472c953cce2f9e34a12a317bb4c Mon Sep 17 00:00:00 2001 
From: paulgear Date: Sat, 9 Jul 2005 05:55:29 +0000 Subject: [PATCH] Copy latest 2.4 version from Shorewall2/ git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2264 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/INSTALL | 2 +- Shorewall/accounting | 5 +- Shorewall/action.AllowAuth | 2 +- Shorewall/action.AllowDNS | 2 +- Shorewall/action.AllowFTP | 2 +- Shorewall/action.AllowICMPs | 2 +- Shorewall/action.AllowIMAP | 2 +- Shorewall/action.AllowNNTP | 2 +- Shorewall/action.AllowNTP | 2 +- Shorewall/action.AllowPCA | 2 +- Shorewall/action.AllowPOP3 | 2 +- Shorewall/action.AllowPing | 2 +- Shorewall/action.AllowRdate | 2 +- Shorewall/action.AllowSMB | 2 +- Shorewall/action.AllowSMTP | 2 +- Shorewall/action.AllowSNMP | 2 +- Shorewall/action.AllowSSH | 2 +- Shorewall/action.AllowTelnet | 2 +- Shorewall/action.AllowTrcrt | 2 +- Shorewall/action.AllowVNC | 2 +- Shorewall/action.AllowVNCL | 2 +- Shorewall/action.AllowWeb | 2 +- Shorewall/action.Drop | 2 +- Shorewall/action.DropDNSrep | 2 +- Shorewall/action.DropPing | 2 +- Shorewall/action.DropSMB | 2 +- Shorewall/action.DropUPnP | 2 +- Shorewall/action.Reject | 2 +- Shorewall/action.RejectAuth | 2 +- Shorewall/action.RejectSMB | 2 +- Shorewall/action.template | 22 +- Shorewall/actions | 2 +- Shorewall/actions.std | 2 +- Shorewall/blacklist | 14 +- Shorewall/bogons | 21 +- Shorewall/changelog.txt | 296 +------- Shorewall/configpath | 2 +- Shorewall/continue | 2 +- Shorewall/ecn | 2 +- Shorewall/fallback.sh | 2 +- Shorewall/firewall | 965 +++++++++++++++++++++---- Shorewall/functions | 59 +- Shorewall/help | 20 +- Shorewall/hosts | 2 +- Shorewall/init | 2 +- Shorewall/init.sh | 2 +- Shorewall/initdone | 2 +- Shorewall/install.sh | 26 +- Shorewall/interfaces | 13 +- Shorewall/ipsec | 4 +- Shorewall/maclist | 2 +- Shorewall/masq | 2 +- Shorewall/modules | 7 +- Shorewall/nat | 2 +- Shorewall/netmap | 2 +- Shorewall/params | 2 +- Shorewall/policy | 2 +- Shorewall/proxyarp | 2 +- 
Shorewall/releasenotes.txt | 1311 +++++++++------------------------- Shorewall/rfc1918 | 2 +- Shorewall/routestopped | 17 +- Shorewall/rules | 46 +- Shorewall/shorewall | 263 +++++-- Shorewall/shorewall.conf | 31 +- Shorewall/shorewall.spec | 16 +- Shorewall/start | 2 +- Shorewall/started | 2 +- Shorewall/stop | 2 +- Shorewall/stopped | 2 +- Shorewall/tcrules | 15 +- Shorewall/tos | 2 +- Shorewall/tunnel | 2 +- Shorewall/tunnels | 2 +- Shorewall/uninstall.sh | 2 +- Shorewall/zones | 2 +- 75 files changed, 1694 insertions(+), 1569 deletions(-) diff --git a/Shorewall/INSTALL b/Shorewall/INSTALL index 7805f5c86..9be61b23c 100644 --- a/Shorewall/INSTALL +++ b/Shorewall/INSTALL @@ -1,4 +1,4 @@ -Shoreline Firewall (Shorewall) Version 2.2 +Shoreline Firewall (Shorewall) Version 2.4 ----- ---- ----------------------------------------------------------------------------- diff --git a/Shorewall/accounting b/Shorewall/accounting index d21c03326..849cb043b 100755 --- a/Shorewall/accounting +++ b/Shorewall/accounting @@ -1,5 +1,5 @@ # -# Shorewall version 2.2 - Accounting File +# Shorewall version 2.4 - Accounting File # # /etc/shorewall/accounting # @@ -69,7 +69,7 @@ # # The column may contain: # -# [!][][:] +# [!][][:][+] # # When this column is non-empty, the rule applies only # if the program generating the output is running under @@ -83,6 +83,7 @@ # #the 'kids' group # !:kids #program must not be run by a member # #of the 'kids' group +# +upnpd #program named upnpd # # In all of the above columns except ACTION and CHAIN, the values "-", # "any" and "all" may be used as wildcards diff --git a/Shorewall/action.AllowAuth b/Shorewall/action.AllowAuth index af54a9e9c..a23bd787f 100644 --- a/Shorewall/action.AllowAuth +++ b/Shorewall/action.AllowAuth @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.AllowAuth +# Shorewall 2.4 /usr/share/shorewall/action.AllowAuth # # This action accepts Auth (identd) traffic. # 
diff --git a/Shorewall/action.AllowDNS b/Shorewall/action.AllowDNS
index 9887b9795..be8c9defb 100644
--- a/Shorewall/action.AllowDNS
+++ b/Shorewall/action.AllowDNS
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowDNS
+# Shorewall 2.4 /usr/share/shorewall/action.AllowDNS
 #
 # This action accepts DNS traffic.
 #
diff --git a/Shorewall/action.AllowFTP b/Shorewall/action.AllowFTP
index 0a0c9951b..da51ece0a 100644
--- a/Shorewall/action.AllowFTP
+++ b/Shorewall/action.AllowFTP
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowFTP
+# Shorewall 2.4 /usr/share/shorewall/action.AllowFTP
 #
 # This action accepts FTP traffic. See
 # http://www.shorewall.net/FTP.html for additional considerations.
diff --git a/Shorewall/action.AllowICMPs b/Shorewall/action.AllowICMPs
index 91e462913..4269d3844 100644
--- a/Shorewall/action.AllowICMPs
+++ b/Shorewall/action.AllowICMPs
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs
+# Shorewall 2.4 /usr/share/shorewall/action.AllowICMPs
 #
 # ACCEPT needed ICMP types
 #
diff --git a/Shorewall/action.AllowIMAP b/Shorewall/action.AllowIMAP
index 71e7b15d1..1bb9bed72 100644
--- a/Shorewall/action.AllowIMAP
+++ b/Shorewall/action.AllowIMAP
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowIMAP
+# Shorewall 2.4 /usr/share/shorewall/action.AllowIMAP
 #
 # This action accepts IMAP traffic (secure and insecure):
 #
diff --git a/Shorewall/action.AllowNNTP b/Shorewall/action.AllowNNTP
index a5d68b49e..92246ce51 100644
--- a/Shorewall/action.AllowNNTP
+++ b/Shorewall/action.AllowNNTP
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowNNTP
+# Shorewall 2.4 /usr/share/shorewall/action.AllowNNTP
 #
 # This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
 #
diff --git a/Shorewall/action.AllowNTP b/Shorewall/action.AllowNTP
index 936954769..de9a57909 100644
--- a/Shorewall/action.AllowNTP
+++ b/Shorewall/action.AllowNTP
@@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.AllowNTP +# Shorewall 2.4 /usr/share/shorewall/action.AllowNTP # # This action accepts NTP traffic (ntpd). # diff --git a/Shorewall/action.AllowPCA b/Shorewall/action.AllowPCA index 26b57bdca..3284a9150 100644 --- a/Shorewall/action.AllowPCA +++ b/Shorewall/action.AllowPCA @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.AllowPCA +# Shorewall 2.4 /usr/share/shorewall/action.AllowPCA # # This action accepts PCAnywere (tm) # diff --git a/Shorewall/action.AllowPOP3 b/Shorewall/action.AllowPOP3 index 4634b9bbd..c478ca9ea 100644 --- a/Shorewall/action.AllowPOP3 +++ b/Shorewall/action.AllowPOP3 @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.AllowPOP3 +# Shorewall 2.4 /usr/share/shorewall/action.AllowPOP3 # # This action accepts POP3 traffic (secure and insecure): # diff --git a/Shorewall/action.AllowPing b/Shorewall/action.AllowPing index 4ef4eeae1..8d7d358c3 100644 --- a/Shorewall/action.AllowPing +++ b/Shorewall/action.AllowPing @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.AllowPing +# Shorewall 2.4 /usr/share/shorewall/action.AllowPing # # This action accepts 'ping' requests. # diff --git a/Shorewall/action.AllowRdate b/Shorewall/action.AllowRdate index 5c1d8054f..14e961d22 100644 --- a/Shorewall/action.AllowRdate +++ b/Shorewall/action.AllowRdate @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.AllowRdate +# Shorewall 2.4 /usr/share/shorewall/action.AllowRdate # # This action accepts remote time retrieval (rdate). # diff --git a/Shorewall/action.AllowSMB b/Shorewall/action.AllowSMB index b7f1e4412..b8d55add0 100644 --- a/Shorewall/action.AllowSMB +++ b/Shorewall/action.AllowSMB @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.AllowSMB +# Shorewall 2.4 /usr/share/shorewall/action.AllowSMB # # Allow Microsoft SMB traffic. You need to invoke this action in # both directions. 
diff --git a/Shorewall/action.AllowSMTP b/Shorewall/action.AllowSMTP
index 2ad5f2597..d7d8a86c9 100644
--- a/Shorewall/action.AllowSMTP
+++ b/Shorewall/action.AllowSMTP
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowSMTP
+# Shorewall 2.4 /usr/share/shorewall/action.AllowSMTP
 #
 # This action accepts SMTP (email) traffic.
 #
diff --git a/Shorewall/action.AllowSNMP b/Shorewall/action.AllowSNMP
index 33b1b4c0d..69258bc4b 100644
--- a/Shorewall/action.AllowSNMP
+++ b/Shorewall/action.AllowSNMP
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowSNMP
+# Shorewall 2.4 /usr/share/shorewall/action.AllowSNMP
 #
 # This action accepts SNMP traffic (including traps):
 #
diff --git a/Shorewall/action.AllowSSH b/Shorewall/action.AllowSSH
index 71ae5adbf..31e26266f 100644
--- a/Shorewall/action.AllowSSH
+++ b/Shorewall/action.AllowSSH
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowSSH
+# Shorewall 2.4 /usr/share/shorewall/action.AllowSSH
 #
 # This action accepts secure shell (SSH) traffic.
 #
diff --git a/Shorewall/action.AllowTelnet b/Shorewall/action.AllowTelnet
index 3b06d098a..d0e141e59 100644
--- a/Shorewall/action.AllowTelnet
+++ b/Shorewall/action.AllowTelnet
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowTelnet
+# Shorewall 2.4 /usr/share/shorewall/action.AllowTelnet
 #
 # This action accepts Telnet traffic. For traffic over the
 # internet, telnet is inappropriate; use SSH instead
diff --git a/Shorewall/action.AllowTrcrt b/Shorewall/action.AllowTrcrt
index 9fbce93fa..3c6dd46df 100644
--- a/Shorewall/action.AllowTrcrt
+++ b/Shorewall/action.AllowTrcrt
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowTrcrt
+# Shorewall 2.4 /usr/share/shorewall/action.AllowTrcrt
 #
 # This action accepts Traceroute (for up to 30 hops):
 #
diff --git a/Shorewall/action.AllowVNC b/Shorewall/action.AllowVNC
index bf6a40aa9..44724991c 100644
--- a/Shorewall/action.AllowVNC
+++ b/Shorewall/action.AllowVNC
@@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.AllowVNC +# Shorewall 2.4 /usr/share/shorewall/action.AllowVNC # # This action accepts VNC traffic for VNC display's 0 - 9. # diff --git a/Shorewall/action.AllowVNCL b/Shorewall/action.AllowVNCL index 2bcabd2a4..33b2d258e 100644 --- a/Shorewall/action.AllowVNCL +++ b/Shorewall/action.AllowVNCL @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.AllowVNCL +# Shorewall 2.4 /usr/share/shorewall/action.AllowVNCL # # This action accepts VNC traffic from Vncservers to Vncviewers in listen mode. # diff --git a/Shorewall/action.AllowWeb b/Shorewall/action.AllowWeb index f32049606..a8c2693d7 100644 --- a/Shorewall/action.AllowWeb +++ b/Shorewall/action.AllowWeb @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.AllowWeb +# Shorewall 2.4 /usr/share/shorewall/action.AllowWeb # # This action accepts WWW traffic (secure and insecure): # diff --git a/Shorewall/action.Drop b/Shorewall/action.Drop index fc8188d18..4a6acab08 100644 --- a/Shorewall/action.Drop +++ b/Shorewall/action.Drop @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.Drop +# Shorewall 2.4 /usr/share/shorewall/action.Drop # # The default DROP common rules # diff --git a/Shorewall/action.DropDNSrep b/Shorewall/action.DropDNSrep index 760ac92e3..89342d4ff 100644 --- a/Shorewall/action.DropDNSrep +++ b/Shorewall/action.DropDNSrep @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.DropDNSrep +# Shorewall 2.4 /usr/share/shorewall/action.DropDNSrep # # This action silently drops DNS UDP replies # diff --git a/Shorewall/action.DropPing b/Shorewall/action.DropPing index fb079bac6..5efb6872b 100644 --- a/Shorewall/action.DropPing +++ b/Shorewall/action.DropPing @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.DropPing +# Shorewall 2.4 /usr/share/shorewall/action.DropPing # # This action silently drops 'ping' requests. # 
diff --git a/Shorewall/action.DropSMB b/Shorewall/action.DropSMB index ac2218470..336e77602 100644 --- a/Shorewall/action.DropSMB +++ b/Shorewall/action.DropSMB @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.DropSMB +# Shorewall 2.4 /usr/share/shorewall/action.DropSMB # # This action silently drops Microsoft SMB traffic # diff --git a/Shorewall/action.DropUPnP b/Shorewall/action.DropUPnP index 30a4865f8..68d27acfe 100644 --- a/Shorewall/action.DropUPnP +++ b/Shorewall/action.DropUPnP @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.DropUPnP +# Shorewall 2.4 /usr/share/shorewall/action.DropUPnP # # This action silently drops UPnP probes on UDP port 1900 # diff --git a/Shorewall/action.Reject b/Shorewall/action.Reject index 9e116eb22..d12fb66a9 100644 --- a/Shorewall/action.Reject +++ b/Shorewall/action.Reject @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.Reject +# Shorewall 2.4 /usr/share/shorewall/action.Reject # # The default REJECT action common rules # diff --git a/Shorewall/action.RejectAuth b/Shorewall/action.RejectAuth index a89ee4dfc..802e71ab7 100644 --- a/Shorewall/action.RejectAuth +++ b/Shorewall/action.RejectAuth @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.RejectAuth +# Shorewall 2.4 /usr/share/shorewall/action.RejectAuth # # This action silently rejects Auth (tcp 113) traffic # diff --git a/Shorewall/action.RejectSMB b/Shorewall/action.RejectSMB index 19cc5af2d..719b5e3e8 100644 --- a/Shorewall/action.RejectSMB +++ b/Shorewall/action.RejectSMB @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/action.RejectSMB +# Shorewall 2.4 /usr/share/shorewall/action.RejectSMB # # This action silently rejects Microsoft SMB traffic # diff --git a/Shorewall/action.template b/Shorewall/action.template index a5bbce819..f2c7ef97a 100644 --- a/Shorewall/action.template +++ b/Shorewall/action.template 
@@ -1,5 +1,5 @@ # -# Shorewall 2.2 /etc/shorewall/action.template +# Shorewall 2.4 /etc/shorewall/action.template # # This file is a template for files with names of the form # /etc/shorewall/action. where is an @@ -70,7 +70,17 @@ # # 10.0.0.4-10.0.0.9 Range of IP addresses; your # kernel and iptables must have -# iprange match support. +# iprange match support. +# +# +remote The name of an ipset prefaced +# by "+". Your kernel and +# iptables must have set match +# support +# +# +remote[4] The name of the ipset may +# followed by a number of +# levels of ipset bindings +# enclosed in square brackets. # # 192.168.1.1,192.168.1.2 # Hosts 192.168.1.1 and @@ -85,8 +95,9 @@ # another colon (":") and an IP/MAC/subnet address # as described above (e.g., eth1:192.168.1.5). # -# DEST Location of Server. Same as above with the exception that -# MAC addresses are not allowed. +# DEST Location of destination host. Same as above with the exception that +# MAC addresses are not allowed and that you cannot specify +# an ipset name in both the SOURCE and DEST columns. # # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or # "all". @@ -146,7 +157,7 @@ # # The column may contain: # -# [!][][:] +# [!][][:][+] # # When this column is non-empty, the rule applies only # if the program generating the output is running under @@ -160,6 +171,7 @@ # #the 'kids' group # !:kids #program must not be run by a member # #of the 'kids' group +# +upnpd #program named upnpd # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ diff --git a/Shorewall/actions b/Shorewall/actions index c057929d5..41becaac4 100644 --- a/Shorewall/actions +++ b/Shorewall/actions @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /etc/shorewall/actions +# Shorewall 2.4 /etc/shorewall/actions # # This file allows you to define new ACTIONS for use in rules # (/etc/shorewall/rules). You define the iptables rules to 
diff --git a/Shorewall/actions.std b/Shorewall/actions.std index 7dfb23fcc..c61df8354 100644 --- a/Shorewall/actions.std +++ b/Shorewall/actions.std @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /usr/share/shorewall/actions.std +# Shorewall 2.4 /usr/share/shorewall/actions.std # # Please see http://shorewall.net/Actions.html for additional # information. diff --git a/Shorewall/blacklist b/Shorewall/blacklist index 8511c3137..1b587e45b 100755 --- a/Shorewall/blacklist +++ b/Shorewall/blacklist @@ -1,5 +1,5 @@ # -# Shorewall 2.2 -- Blacklist File +# Shorewall 2.4 -- Blacklist File # # /etc/shorewall/blacklist # @@ -7,9 +7,10 @@ # # Columns are: # -# ADDRESS/SUBNET - Host address, subnetwork, MAC address or IP address +# ADDRESS/SUBNET - Host address, subnetwork, MAC address, IP address # range (if your kernel and iptables contain iprange -# match support). +# match support) or ipset name prefaced by "+" (if +# your kernel supports ipset match). # # MAC addresses must be prefixed with "~" and use "-" # as a separator. @@ -38,6 +39,13 @@ # ADDRESS/SUBNET PROTOCOL PORT # 192.0.2.126 udp 53 # +# Example: +# +# To block DNS queries from addresses in the ipset 'dnsblack': +# +# ADDRESS/SUBNET PROTOCOL PORT +# +dnsblack udp 53 +# # Please see http://shorewall.net/blacklisting_support.htm for additional # information. # diff --git a/Shorewall/bogons b/Shorewall/bogons index 3da36a44b..afb49a555 100644 --- a/Shorewall/bogons +++ b/Shorewall/bogons @@ -1,5 +1,5 @@ # -# Shorewall 2.2-- Bogons File +# Shorewall 2.4 -- Bogons File # # /etc/shorewall/bogons # 
@@ -45,19 +45,24 @@ 36.0.0.0/7 logdrop # Reserved 39.0.0.0/8 logdrop # Reserved 42.0.0.0/8 logdrop # Reserved -77.0.0.0/8 logdrop # Reserved -78.0.0.0/7 logdrop # Reserved +49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 +50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 +74.0.0.0/7 logdrop # Reserved +76.0.0.0/6 logdrop # Reserved +89.0.0.0/8 logdrop # Reserved +90.0.0.0/7 logdrop # Reserved 92.0.0.0/6 logdrop # Reserved -96.0.0.0/4 logdrop # Reserved -112.0.0.0/5 logdrop # Reserved -120.0.0.0/6 logdrop # Reserved -127.0.0.0/8 logdrop # Reserved +96.0.0.0/3 logdrop # Reserved +127.0.0.0/8 logdrop # Loopback 173.0.0.0/8 logdrop # Reserved 174.0.0.0/7 logdrop # Reserved 176.0.0.0/5 logdrop # Reserved 184.0.0.0/6 logdrop # Reserved +189.0.0.0/8 logdrop # Reserved +190.0.0.0/8 logdrop # Reserved 197.0.0.0/8 logdrop # Reserved -223.0.0.0/8 logdrop # Reserved +198.18.0.0/15 logdrop # Reserved +223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003 240.0.0.0/4 logdrop # Reserved # # End of generated entries diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 35522d62f..b142d9deb 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt 
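Review bot: The new `96.0.0.0/3` entry spans 96.0.0.0–127.255.255.255, so it already covers the `127.0.0.0/8 logdrop # Loopback` line kept two entries below it; when the entries are applied in file order the /8 can never be the matching rule, and it survives only as a comment. Either drop the loopback line or, if it is kept to document loopback separately, note that in its comment, e.g. `127.0.0.0/8 logdrop # Loopback (already covered by 96.0.0.0/3 above)`. The section is marked as generated, so the fix presumably belongs in whatever produces it rather than in this file alone.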
@@ -1,296 +1,50 @@ -Changes in 2.2.5 +Changes in 2.4.0-Final -1) Correct behavior of PKTTYPE=No +1) Add the ability to specify a weight in the balance option. -2) Fixed typo in the tunnel script. +2) Remove "ipp2p" support in the rules file. -Changes in 2.2.4 +3) Fix duplicate routing table listings from "shorewall status" -1) Added support for UPnP +Changes in 2.4.0-RC2 -2) Add 'started' hook. +1) Relax "detect" restriction. -3) Make an error message more self-explanatory +2) Fix detection via 'nexthop' so it will work with BusyBox -4) Report Owner Match capability +3) Merge Tuomo Soini's fix for "shorewall add" -5) Add Paul Traina's patch to install.sh. +Changes in 2.4.0-RC1 -6) Allow startup options to be overridden in /etc/sysconfig/shorewall - or /etc/default/shorewall. +1) Fix output from firewall itself vis-a-vis multiple providers. -7) Add support for SAME +2) Merge and tweak Lorenzo Martignoni's 'safe-restart' patch. -8) Add 'shorewall show capabilities' +Changes in 2.3.2 -8) Add '-v' option +1) Add support for -j ROUTE -9) Allow 'none' in /etc/shorewall/rules. +2) Add TEST column to /etc/shorewall/routes -10) Add error message for invalid HOST(S) column contents. +3) Add support for different providers. -11) Apply Christian Rodriguez's patch for Slackware install. +4) Merge patch from Juan Jesús Prieto. -Changes in 2.2.3 +5) Implement 'loose' routestopped option. -1) Added the 'continue' extension script. +6) Change 'loose' to 'source' and 'dest' -2) Obey 'routestopped' rules during [re]start. +7) Fix routing of connections from the firewall with multiple ISPs. -3) MACLIST_TTL added. +Changes in 2.3.1 -4) Fix ! in hosts file +1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in + Shorewall configuration directories. -5) Add QUEUE policy. +Changes in 2.3.0 -6) Fix routing output when advanced routing support not in kernel. +1) Implement support for --cmd-owner -Changes in 2.2.2 +2) Implement support for ipsets. 
-1) The 'check' command disclaimer is toned down further and only - appears once in the 'check' output. -2) Enhanced support in the SOURCE column of /etc/shorewall/tcrules. - -3) All calls to 'clear' are now conditional on the output device being - a terminal. - -4) Apply Juergen Kreileder's patch for logging. - -5) Add the output of 'arp -na' to the 'shorewall status' display. - -6) Provide support for the Extended multiport match available in - 2.6.11. - -7) Fix logging rule generation. - -8) Correct port numbers in action.AllowPCA. - -9) Fix installer's handling of action.* files. - -10) Implement RFC1918_STRICT - -11) Verify interface names in the DEST column of tcrules. - -Changes in 2.2.1 - -1) Add examples to the zones and policy files. - -2) Simon Matter's patch for umask. - -Changes since 2.0.3 - -1) Fix security vulnerability involving temporary files/directories. - -2) Hack security fix so that it works under Slackware. - -3) Correct mktempfile() for case where mktemp isn't installed. - -4) Implement 'dropInvalid' builtin action. - -5) Fix logging nat rules. - -6) Fix COMMAND typos. - -7) Add PKTTYPE option. - -8) Enhancements to /etc/shorewall/masq - -8) Allow overriding ADD_IP_ALIASES=Yes - -9) Fix syntax error in setup_nat() - -10) Port "shorewall status" changes from 2.0.7. - -11) All config files are now empty. - -12) Port blacklisting fix from 2.0.7 - -13) Pass rule chain and display chain separately to log_rule_limit. - Prep work for action logging. - -14) Show the iptables/ip/tc command that failed when failure is fatal. - -15) Implement STARTUP_ENABLED. - -16) Added DNAT ONLY column to /etc/shorewall/nat. - -17) Removed SNAT from ORIGINAL DESTINATION column. - -18) Removed DNAT ONLY column. - -19) Added IPSEC column to /etc/shorewall/masq. - -20) No longer enforce source port 500 for ISAKMP. - -21) Apply policy to interface/host options. - -22) Fix policy and maclist. - -23) Implement additional IPSEC options for zones and masq entries. 
- -24) Deprecate the -c option in /sbin/shorewall. - -25) Allow distinct input and output IPSEC parameters. - -26) Allow source port remapping in /etc/shorewall/masq. - -27) Include params file on 'restore' - -28) Apply Richard Musil's patch. - -29) Correct parsing of PROTO column in setup_tc1(). - -30) Verify Physdev match if BRIDGING=Yes - -31) Don't NAT tunnel traffic. - -32) Fix shorewall.spec to run chkconfig/insserv after initial install. - -33) Add iprange support. - -34) Add CLASSIFY support. - -35) Fix iprange support so that ranges in both source and destination - work. - -36) Remove logunclean and dropunclean - -37) Fixed proxy arp flag setting for complex configurations. - -38) Added RETAIN_ALIASES option. - -39) Relax OpenVPN source port restrictions. - -40) Implement DELAYBLACKLISTLOAD. - -41) Avoid double-setting proxy arp flags. - -42) Fix DELAYBLACKLISTLOAD=No. - -43) Merge 'brctl show' change from 2.0.9. - -44) Implememt LOGTAGONLY. - -45) Merge 'tcrules' clarification from 2.0.10. - -46) Implement 'sourceroute' interface option. - -47) Add 'AllowICMPs' action. - -48) Changed 'activate_rules' such that traffic from IPSEC hosts gets - handled before traffic from non-IPSEC zones. - -49) Correct logmartians handling. - -50) Add a clarification and fix a typo in the blacklist file. - -51) Allow setting a specify MSS value. - -52) Detect duplicate zone names. - -53) Add mss= option to the ipsec file. - -54) Added CONNMARK/ipp2p support. - -55) Added LOGALLNEW support. - -56) Fix typo in check_config() - -57) Allow outgoing NTP responses in action.AllowNTP. - -58) Clarification of the 'ipsec' hosts file option. - -59) Allow list in the SUBNET column of the rfc1918 file. - -60) Restore missing '#' in the rfc1918 file. - -61) Add note for Slackware users to INSTALL. - -62) Allow interface in DEST tcrules column. - -63) Remove 'ipt_unclean' from search expression in "log" commands. - -64) Remove nonsense from IPSEC description in masq file. 
- -65) Correct typo in rules file. - -66) Update bogons file. - -67) Add a rule for NNTPS to action.AllowNNTP - -68) Fix "shorewall add" - -69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file. - -70) Correct typo in shorewall.conf. - -71) Add the 'icmp_echo_ignore_all' file to the /proc display. - -72) Apply Tuomas Jormola's IPTABLES patch. - -73) Fixed some bugs in Tuomas's patch. - -74) Correct bug in "shorewall add" - -75) Correct bridge handling in "shorewall add" and "shorewall delete" - -76) Add "shorewall show zones" - -77) Remove dependency of "show zones" on dynamic zones. - -78) Implement variable expansion in INCLUDE directives - -79) More fixes for "shorewall delete" with bridging. - -80) Split restore-base into two files. - -81) Correct OUTPUT handling of dynamic zones. - -83) Add adapter statistics to the output of "shorewall status". - -84) Log drops due to policy rate limiting. - -85) Continue determining capabilities when fooX1234 already exists. - -86) Corrected typo in interfaces file. - -87) Add DROPINVALID option. - -88) Allow list of hosts in add and delete commands. Fix ipsec problem - with "add" and "delete" - -89) Clarify add/delete syntax in /sbin/shorewall usage summary. - -90) Implement OpenVPN TCP support. - -91) Simplify the absurdly over-engineered code that restores the - dynamic chain. - -92) Add OPENVPNPORT option. - -93) Remove OPENVPNPORT option and change default port to 1194. - -94) Avoid shell error during "shorewall stop/clear" - -95) Change encryption to blowfish in 'ipsecvpn' script. - -96) Correct rate limiting rule example. - -97) Fix :: handling in setup_masq(). - -98) Fix mis-leading typo in tunnels. - -99) Fix brain-dead ipsec option handling in setup_masq(). - -100) Reconcile ipsec masq file implementation with the documentation. - -101) Add netfilter module display to status output. - -102) Add 'allowInvalid' builtin action. - -103) Expand range of Traceroute ports. 
- -102) Correct uninitialized variable in setup_ecn() - -103) Allow DHCP to be IPSEC-encrypted. diff --git a/Shorewall/configpath b/Shorewall/configpath index f38591919..c31607581 100644 --- a/Shorewall/configpath +++ b/Shorewall/configpath @@ -1,5 +1,5 @@ # -# Shorewall version 2.2 - Default Config Path +# Shorewall version 2.4 - Default Config Path # # /usr/share/shorewall/configpath # diff --git a/Shorewall/continue b/Shorewall/continue index d1300c577..e65e2c901 100644 --- a/Shorewall/continue +++ b/Shorewall/continue @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.2 -- /etc/shorewall/continue +# Shorewall 2.4 -- /etc/shorewall/continue # # Add commands below that you want to be executed after shorewall has # cleared any existing Netfilter rules and has enabled existing connections. diff --git a/Shorewall/ecn b/Shorewall/ecn index 77b981b76..f3b43d7ad 100644 --- a/Shorewall/ecn +++ b/Shorewall/ecn @@ -1,5 +1,5 @@ # -# Shorewall 2.2 - /etc/shorewall/ecn +# Shorewall 2.4 - /etc/shorewall/ecn # # Use this file to list the destinations for which you want to # disable ECN. diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh index b5f063268..ac9a0a016 100755 --- a/Shorewall/fallback.sh +++ b/Shorewall/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=2.2.5 +VERSION=2.4.0 usage() # $1 = exit status { diff --git a/Shorewall/firewall b/Shorewall/firewall index 744cc4a92..25633f900 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -1,6 +1,6 @@ #!/bin/sh # -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.2 +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.4 # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # 
@@ -218,6 +218,19 @@ run_tc() { fi } +# +# Run ipset and if an error occurs, stop the firewall and quit +# +run_ipset() { + if ! ipset $@ ; then + if [ -z "$stopping" ]; then + error_message "ERROR: Command \"ipset $@\" Failed" + stop_firewall + exit 2 + fi + fi +} + # # Create a filter chain # @@ -260,7 +273,7 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules # # Determine if a chain exists # -# When we create a chain "chain", we create a variable named exists_chain and +# When we create a chain "x", we create a variable named exists_x and # set its value to Yes. This function tests for the "exists_" variable # corresponding to the passed chain having the value of "Yes". # @@ -541,6 +554,36 @@ iprange_echo() fi } +# +# Get set flags (ipsets). +# +get_set_flags() # $1 = set name and optional [levels], $2 = src or dst +{ + local temp setname=$1 options=$2 + + [ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1" + + case $1 in + *\[[1-6]\]) + temp=${1#*\[} + temp=${temp%\]} + setname=${1%\[*} + while [ $temp -gt 1 ]; do + options="$options,$2" + temp=$(($temp - 1)) + done + ;; + *\[*\]) + options=${1#*\[} + options=${options%\]} + setname=${1%\[*} + ;; + *) + ;; + esac + + echo "--set ${setname#+} $options" +} # # Source IP range @@ -558,6 +601,12 @@ source_ip_range() # $1 = Address or Address Range ;; esac ;; + !+*) + echo "-m set ! $(get_set_flags ${1#!} src)" + ;; + +*) + echo "-m set $(get_set_flags $1 src)" + ;; *) echo "-s $1" ;; @@ -580,6 +629,12 @@ dest_ip_range() # $1 = Address or Address Range ;; esac ;; + !+*) + echo "-m set ! $(get_set_flags ${1#!} dst)" + ;; + +*) + echo "-m set $(get_set_flags $1 dst)" + ;; *) echo "-d $1" ;; 
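Review bot: `ipset $@` in the new run_ipset passes its arguments unquoted, so any argument that contains whitespace or glob characters is re-split or expanded before ipset sees it; `if ! ipset "$@" ; then` forwards them exactly as the caller supplied. Inside the double-quoted error string `$@` also expands to several words, so error_message receives a split message rather than one string — use `$*` there: `error_message "ERROR: Command \"ipset $*\" Failed"`. A one-line header such as `# Run ipset; on failure stop the firewall and exit 2 unless we are already stopping` would also record why the `$stopping` check is there.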
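Review bot: In get_set_flags the `*\[*\]` arm overwrites `options` with the bracket contents and never uses the direction passed as `$2`, while the `*\[[1-6]\]` arm builds the flag list from `$2`; that asymmetry is deliberate-looking but undocumented, and a caller reading the signature comment `$2 = src or dst` would not expect `$2` to be ignored. Suggested comments on the two arms: `# +name[N]: repeat the src/dst flag N times (N = 1..6)` and `# +name[flag,...]: use the listed flags verbatim; $2 is ignored`. The `while [ $temp -gt 1 ]` loop also relies on `temp` having matched `[1-6]`, which is worth stating since the second arm accepts arbitrary text. Minor style: the closing `+}` is followed directly by the `# Source IP range` header without the blank line the rest of the file uses between functions.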
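Review bot: The new `!+*` and `+*` arms of source_ip_range run get_set_flags inside `$(...)`, so when get_set_flags calls fatal_error because IPSET_MATCH is unset, any exit that fatal_error performs terminates only the subshell (fatal_error's body is not in this diff, so this is inferred from its name). source_ip_range then echoes `-m set ! ` with an empty set specification and the caller goes on to build an iptables rule from it, so the failure surfaces later as a confusing iptables error rather than at the configuration line that caused it. Checking the capability in the caller before the substitution, `[ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1"`, keeps the abort in the main shell. The same pattern appears in the dest_ip_range hunk that follows and in both_ip_ranges in the next hunk.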
@@ -588,29 +643,45 @@ dest_ip_range() # $1 = Address or Address Range both_ip_ranges() # $1 = Source address or range, $2 = dest address or range { - local prefix= match= + local rangeprefix= setprefix= rangematch= setmatch= case $1 in *.*.*.*-*.*.*.*) - prefix="-m iprange" - match="--src-range $1" + rangeprefix="-m iprange" + rangematch="--src-range $1" + ;; + !+*) + setprefix="-m set" + setmatch="! $(get_set_flags ${1#!} src)" + ;; + +*) + setprefix="-m set" + setmatch="$(get_set_flags $1 src)" ;; *) - match="-s $1" + rangematch="-s $1" ;; esac case $2 in *.*.*.*-*.*.*.*) - prefix="-m iprange" - match="$match --dst-range $2" + rangeprefix="-m iprange" + rangematch="$rangematch --dst-range $2" + ;; + !+*) + setprefix="-m set" + match="$setmatch ! $(get_set_flags ${2#!} dst)" + ;; + +*) + setprefix="-m set" + setmatch="$setmatch $(get_set_flags $2 dst)" ;; *) - match="$match -d $2" + rangematch="$rangematch -d $2" ;; esac - echo "$prefix $match" + echo "$rangeprefix $rangematch $setprefix $setmatch" } # @@ -637,7 +708,7 @@ match_source_hosts() *:*) physdev_echo "--physdev-in ${1%:*} $(source_ip_range ${1#*:})" ;; - *.*.*.*) + *.*.*.*|+*|!+*) echo $(source_ip_range $1) ;; *) @@ -656,7 +727,7 @@ match_dest_hosts() *:*) physdev_echo "--physdev-out ${1%:*} $(dest_ip_range ${1#*:})" ;; - *.*.*.*) + *.*.*.*|+*|!+*) echo $(dest_ip_range $1) ;; *) @@ -836,15 +907,15 @@ determine_hosts() { networks=0.0.0.0/0 fi - for networks in $networks; do + for network in $networks; do if [ -z "$hosts" ]; then - hosts=$interface:$networks + hosts=$interface:$network else - hosts="$hosts $interface:$networks" + hosts="$hosts $interface:$network" fi if interface_has_option $interface routeback; then - eval ${zone}_routeback=\"$interface:$networks \$${zone}_routeback\" + eval ${zone}_routeback=\"$interface:$network \$${zone}_routeback\" fi done done 
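Review bot: In both_ip_ranges the `$2` `!+*)` arm assigns to `match` instead of `setmatch`, so a negated destination set is silently dropped from the echoed rule — the function prints only `$rangeprefix $rangematch $setprefix $setmatch`, and `match` is no longer declared `local` either. The emitted rule therefore carries `-m set` with only the source-side flags (or none at all when the source was a plain address), i.e. it is broader than the configuration asked for, which for an ACCEPT rule means a fail-open. The fix is the one line `setmatch="$setmatch ! $(get_set_flags ${2#!} dst)"`. Separately, nothing here rejects an ipset in both columns even though the action.template text in this same commit says that combination is not allowed; a `fatal_error` when both `$1` and `$2` match `+*|!+*` would enforce it.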
@@ -903,7 +974,7 @@ validate_interfaces_file() { local found_obsolete_option= local z interface networks options r iface option - while read z interface networks options; do + while read z interface networks options gateway; do expandv z interface networks options r="$z $interface $networks $options" @@ -937,6 +1008,8 @@ validate_interfaces_file() { for option in $options; do case $option in + -) + ;; dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-) ;; detectnets) 
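Review bot: `gateway` is now read as a sixth column in validate_interfaces_file but is not passed to `expandv` with the other columns and is not included in `r`, so shell variable references in the GATEWAY column are not expanded (assuming expandv does the expansion, which is outside this diff) and the warning printed later with `\"$r\"` shows a record that omits the very column it is complaining about. Change the two lines to `expandv z interface networks options gateway` and `r="$z $interface $networks $options $gateway"`. In the next hunk the new `-)` arm sits immediately before an arm whose pattern already ends in `|-`, so one of the two is unreachable; drop `|-` from the long pattern or remove the new arm, and if the placeholder is meant to be called out, a comment `# '-' is the placeholder for an empty OPTIONS column` says so without duplicating the match.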
@@ -952,11 +1025,181 @@ validate_interfaces_file() { esac done - [ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined" + if [ -n "$gateway" ]; then + if ! list_search default $options; then + error_message "Warning: GATEWAY ignored when the 'default' option is not given: \"$r\"" + fi + eval ${iface}_gateway=$gateway + fi done < $TMP_DIR/interfaces + + [ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined" } +# +# Check that a mark value or mask is less that 256 +# +verify_mark() # $1 = value to test +{ + verify_mark1() + { + [ $1 -lt 256 ] + } + + verify_mark2() + { + verify_mark1 $1 2> /dev/null + } + + verify_mark2 $1 || fatal_error "Invalid Mark or Mask value: $1" +} + +# +# Process the providers file +# +setup_providers() +{ + local table number mark duplicate interface gateway options provider address + + add_a_provider() { + local t n iface option + + for t in $PROVIDERS; do + if [ "$t" = "$table" ]; then + fatal_error "Duplicate Provider: $table, provider: \"$provider\"" + fi + + eval n=\$${t}_number + + if [ $n -eq $number ]; then + fatal_error "Duplicate Provider number: $number, provider: \"$provider\"" + fi + done + + eval ${table}_number=$number + + run_and_save_command qt ip route flush table $number + + if [ "x$duplicate" != x- ]; then + run_ip route show table $duplicate | while read net route; do + case $net in + default|nexthop) + ;; + *) + ensure_and_save_command ip route add table $number $net $route + ;; + esac + done + fi + + if [ "x$gateway" = xdetect ] ; then + # + # First assume that this is some sort of point-to-point interface + # + gateway=$( find_peer $(ip addr ls $interface ) ) + # + # Maybe there's a default route through this gateway already + # + [ -n "$gateway" ] || gateway=$(find_gateway $(ip route ls dev $interface)) + # + # Last hope -- is there a load-balancing route through the interface? 
+ # + [ -n "$gateway" ] || gateway=$(find_nexthop $interface) + # + # Be sure we found one + # + [ -n "$gateway" ] || fatal_error "Unable to detect the gateway through interface $interface" + fi + + ensure_and_save_command ip route add default via $gateway dev $interface table $number + + verify_mark $mark + + eval ${table}_mark=$mark + + run_and_save_command qt ip rule del fwmark $mark + + ensure_and_save_command ip rule add fwmark $mark table $number + + for address in $(find_interface_addresses $interface); do + run_and_save_command qt ip rule del from $address + ensure_and_save_command ip rule add from $address table $number + done + + for option in $(separate_list $options); do + case $option in + -) + ;; + track) + iface=$(chain_base $interface) + eval ${iface}_routemark=$mark + ROUTEMARK_INTERFACES="$ROUTEMARK_INTERFACES $interface" + ;; + balance=*) + DEFAULT_ROUTE="$DEFAULT_ROUTE nexthop via $gateway dev $interface weight ${option#*=}" + ;; + balance) + DEFAULT_ROUTE="$DEFAULT_ROUTE nexthop via $gateway dev $interface weight 1" + ;; + *) + error_message " Warning: Invalid option ($option) ignored in provider \"$provider\"" + ;; + esac + done + + + } + + strip_file providers $1 + + if [ -s $TMP_DIR/providers ]; then + echo "Processing $1..." + + save_progress_message "Restoring Providers..." + + while read table number mark duplicate interface gateway options; do + expandv table number mark duplicate interface gateway options + provider="$table $number $mark $duplicate $interface $gateway $options" + add_a_provider + PROVIDERS="$PROVIDERS $table" + progress_message " Provider $provider Added" + done < $TMP_DIR/providers + + if [ -n "$PROVIDERS" ]; then + if [ -n "$DEFAULT_ROUTE" ]; then + run_ip route replace default scope global $DEFAULT_ROUTE + progress_message " Default route $DEFAULT_ROUTE Added." 
+ fi + + cat > /etc/iproute2/rt_tables <> /etc/iproute2/rt_tables + done + + save_command "cat > /etc/iproute2/rt_tables << __EOF__" + cat /etc/iproute2/rt_tables >> $RESTOREBASE + save_command __EOF__ + + fi + + ensure_and_save_command ip route flush cache + fi +} + # # Validate the zone names and options in the hosts file # @@ -1004,12 +1247,21 @@ validate_hosts_file() { ;; *.*.*.*) ;; + +*) + eval ${z}_is_complex=Yes + ;; *) known_interface $host && \ startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" check_bridge_port $host ;; esac + else + case $host in + +*) + eval ${z}_is_complex=Yes + ;; + esac fi for option in $(separate_list $options) ; do @@ -1260,7 +1512,7 @@ deleteallchains() { run_iptables -X } -# +## # Source a user exit file if it exists # run_user_exit() # $1 = file name @@ -1409,7 +1661,7 @@ disable_ipv6_1() { process_routestopped() # $1 = command { - local hosts= interface host host1 options networks + local hosts= interface host host1 options networks source= dest= matched while read interface host options; do expandv interface host options @@ -1433,6 +1685,16 @@ process_routestopped() # $1 = command done fi ;; + source) + for h in $(separate_list $host); do + source="$source $interface:$h" + done + ;; + dest) + for h in $(separate_list $host); do + dest="$dest $interface:$h" + done + ;; *) error_message "Warning: Unknown routestopped option ignored: $option" ;; @@ -1442,6 +1704,7 @@ process_routestopped() # $1 = command done < $TMP_DIR/routestopped + for host in $hosts; do interface=${host%:*} networks=${host#*:} 
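Review bot: add_a_provider runs `ip route flush table $number` and `ip route add default … table $number` before `verify_mark $mark` and before `$number` is validated at all, so a bad mark or a non-numeric number (which makes `[ $n -eq $number ]` itself fail) aborts with fatal_error after the routing tables have already been modified. Validate first: move `verify_mark $mark` to the top of add_a_provider and guard the number with `case $number in ''|*[!0-9]*) fatal_error "Invalid provider number: $number, provider: \"$provider\"";; esac`. The rewrite of /etc/iproute2/rt_tables near the end of setup_providers is not legible in this view (the here-document appears lost), so I cannot tell whether an administrator's own table entries survive a restart; worth confirming.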
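Review bot: The loop variable `h` in the new `source` and `dest` arms of process_routestopped is not in the function's `local` list (extended in the preceding hunk to `source= dest= matched`), so it escapes as a global; add `h` to that declaration. The enclosing function continues past this hunk.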
@@ -1449,9 +1712,23 @@ process_routestopped() # $1 = command [ -z "$ADMINISABSENTMINDED" ] && \ run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT - for host1 in $hosts; do - [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT - done + matched= + + if list_search $host $source ; then + run_iptables $1 FORWARD -i $interface $(source_ip_range $networks) -j ACCEPT + matched=Yes + fi + + if list_search $host $dest ; then + run_iptables $1 FORWARD -o $interface $(dest_ip_range $networks) -j ACCEPT + matched=Yes + fi + + if [ -z "$matched" ]; then + for host1 in $hosts; do + [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT + done + fi done } @@ -1480,6 +1757,18 @@ stop_firewall() { RESTOREPATH=/var/lib/shorewall/$RESTOREFILE if [ -x $RESTOREPATH ]; then + + if [ -x ${RESTOREPATH}-ipsets ]; then + echo Restoring Ipsets... + # + # We must purge iptables to be sure that there are no + # references to ipsets + # + iptables -F + iptables -X + ${RESTOREPATH}-ipsets + fi + echo Restoring Shorewall... $RESTOREPATH echo "Shorewall restored from $RESTOREPATH" @@ -1512,22 +1801,22 @@ stop_firewall() { for chain in INPUT OUTPUT FORWARD; do setpolicy $chain DROP done - + deleteallchains else for chain in INPUT FORWARD; do setpolicy $chain DROP done - + setpolicy OUTPUT ACCEPT - + deleteallchains for chain in INPUT FORWARD; do setcontinue $chain done fi - + hosts= [ -f $TMP_DIR/routestopped ] || strip_file routestopped @@ -1586,14 +1875,14 @@ stop_firewall() { clear_firewall() { stop_firewall - run_iptables -F - - echo 1 > /proc/sys/net/ipv4/ip_forward - setpolicy INPUT ACCEPT setpolicy FORWARD ACCEPT setpolicy OUTPUT ACCEPT + run_iptables -F + + echo 1 > /proc/sys/net/ipv4/ip_forward + if qt which ip6tables; then ip6tables -P INPUT ACCEPT 2> /dev/null ip6tables -P OUTPUT ACCEPT 2> /dev/null 
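Review bot: The new ipset restore in stop_firewall flushes and deletes only the filter table (`iptables -F` / `iptables -X`), yet sets referenced from nat or mangle rules would still block `${RESTOREPATH}-ipsets`, and between the flush and `$RESTOREPATH` the chains are empty under whatever policy happens to be current. Consider running `setpolicy INPUT DROP` and `setpolicy FORWARD DROP` before the flush, flushing the other tables as well, and checking the exit status of `${RESTOREPATH}-ipsets` instead of continuing into `$RESTOREPATH` when it fails. The later hunks on this line only reorder the clear_firewall sequence and whitespace.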
@@ -2360,13 +2649,14 @@ setup_ecn() # $1 = file name fi } + # # Process a TC Rule - $MARKING_CHAIN is assumed to contain the name of the # default marking chain # process_tc_rule() { - chain=$MARKING_CHAIN target="MARK --set-mark" marktest= + chain=$MARKING_CHAIN target="MARK --set-mark" marktest= verify_designator() { [ "$chain" = tcout ] && \ @@ -2380,16 +2670,16 @@ process_tc_rule() if [ "x$source" != "x-" ]; then case $source in - *.*.*) + $FW:*) + chain=tcout + r="$(source_ip_range ${source#*:}) " + ;; + *.*.*|+*|!+*) r="$(source_ip_range $source) " ;; ~*) r="$(mac_match $source) " ;; - $FW:*) - chain=tcout - r="$(source_ip_range ${source%:*}) " - ;; $FW) chain=tcout ;; @@ -2405,16 +2695,24 @@ process_tc_rule() [ "$chain" != tcout ] && \ fatal_error "Invalid use of a user/group: rule \"$rule\"" + r="$r-m owner" + + case "$user" in + *+*) + r="$r --cmd-owner ${user#*+} " + user=${user%+*} + ;; + esac + case "$user" in *:*) - r="$r-m owner" temp="${user%:*}" [ -n "$temp" ] && r="$r --uid-owner $temp " temp="${user#*:}" [ -n "$temp" ] && r="$r --gid-owner $temp " ;; *) - r="$r-m owner --uid-owner $user " + [ -n "$user" ] && r="$r --uid-owner $user " ;; esac fi @@ -2423,7 +2721,7 @@ process_tc_rule() if [ "x$dest" != "x-" ]; then case $dest in - *.*.*) + *.*.*|+*|!+*) r="${r}$(dest_ip_range $dest) " ;; *) @@ -2480,30 +2778,38 @@ process_tc_rule() chain=tcpost ;; esac + fi case $mark in SAVE) - target="CONNMARK --save-mark" + target="CONNMARK --save-mark --mask 255" mark= ;; SAVE/*) target="CONNMARK --save-mark --mask" mark=${mark#*/} + verify_mark $mark ;; RESTORE) - target="CONNMARK --restore-mark" + target="CONNMARK --restore-mark --mask 255" mark= ;; RESTORE/*) target="CONNMARK --restore-mark --mask" mark=${mark#*/} + verify_mark $mark ;; CONTINUE) target=RETURN mark= ;; - esac + *) + if [ "$chain" != tcpost ]; then + verify_mark $mark + fi + ;; + esac case $testval in -) 
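Review bot: `r="$r-m owner"` is now emitted unconditionally once `user` is set, but every criterion after it is guarded, so a USER field such as `:` or `+` yields a bare `-m owner` that iptables rejects at activation time. process_action and process_rule in later hunks finish with `[ "$userandgroup" = "-m owner" ] && userandgroup=`; the equivalent here is to build the owner clause in its own variable and append it to `r` only when it gained a criterion. The `*)` arm of the mark case skips `verify_mark` when the chain is tcpost, presumably to allow routing marks above 255 (ROUTEMARK=256 is set later in the patch) — a one-line comment saying so would prevent a later "fix".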
@@ -2526,6 +2832,19 @@ process_tc_rule() ;; esac + if [ -n "$marktest" ] ; then + case $testval in + */*) + verify_mark ${testval%/*} + verify_mark ${testval#*/} + ;; + *) + verify_mark $testval + testval=$testval/255 + ;; + esac + fi + for source in $(separate_list ${sources:=-}); do for dest in $(separate_list ${dests:=-}); do for port in $(separate_list ${ports:=-}); do @@ -2548,6 +2867,12 @@ setup_tc1() { # run_iptables -t mangle -N tcpre + + for interface in $ROUTEMARK_INTERFACES; do + eval mark=\$$(chain_base $interface)_routemark + run_iptables -t mangle -A tcpre -m connmark --mark $mark -j RETURN + done + run_iptables -t mangle -N tcfor run_iptables -t mangle -N tcout run_iptables -t mangle -N tcpost @@ -2646,6 +2971,7 @@ process_accounting_rule() { rule= rule2= jumpchain= + user1= accounting_error() { error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user @@ -2670,13 +2996,14 @@ process_accounting_rule() { rule="$rule -j $jumpchain" } + case $source in *:*) accounting_interface_verify ${source%:*} - rule="-s ${source#*:} $(match_source_dev ${source%:*})" + rule="$(source_ip_range ${source#*:}) $(match_source_dev ${source%:*})" ;; - *.*.*.*) - rule="-s $source" + *.*.*.*|+*|!+*) + rule="$(source_ip_range $source)" ;; -|all|any) ;; @@ -2693,7 +3020,7 @@ process_accounting_rule() { accounting_interface_verify ${dest%:*} rule="$rule $(dest_ip_range ${dest#*:}) $(match_dest_dev ${dest%:*})" ;; - *.*.*.*) + *.*.*.*|+*|!*) rule="$rule $(dest_ip_range $dest)" ;; -|all|any) 
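Review bot: The new `tcpre` rule in setup_tc1 uses `-m connmark` unconditionally, while determine_capabilities later in this patch learns `CONNMARK_MATCH` and nothing here consults it; setup_routes (`-m connmark ! --mark 0 -j CONNMARK --restore-mark`) has the same gap for both CONNMARK_MATCH and CONNMARK. A guard such as `[ -n "$CONNMARK_MATCH" ] || fatal_error "The 'track' provider option requires connmark match support in your kernel and iptables"` before the loop turns an opaque iptables failure into a clear configuration error. setup_tc1 continues outside the hunk.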
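Review bot: The destination pattern in process_accounting_rule becomes `*.*.*.*|+*|!*)`, whereas every other site in this patch (the source pattern two hunks up, add_an_action, process_tos_rule) uses `!+*`; `!*` also swallows any other `!`-prefixed value and hands it to dest_ip_range. This looks like a typo for `*.*.*.*|+*|!+*)`.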
@@ -2735,19 +3062,52 @@ process_accounting_rule() { [ -n "$user" ] && case $user in -|any|all) ;; - *:*) - [ "$chain" != OUTPUT ] && \ - fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain" - rule="$rule -m owner" - temp="${user%:*}" - [ -n "$temp" ] && rule="$rule --uid-owner $temp " - temp="${user#*:}" - [ -n "$temp" ] && rule="$rule --gid-owner $temp " - ;; *) [ "$chain" != OUTPUT ] && \ fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain" - rule="$rule -m owner --uid-owner $user " + rule="$rule -m owner" + user1="$user" + + case "$user" in + !*+*) + if [ -n "${user#*+}" ]; then + rule="$rule ! --cmd-owner ${user#*+} " + fi + user1=${user%+*} + ;; + *+*) + if [ -n "${user#*+}" ]; then + rule="$rule --cmd-owner ${user#*+} " + fi + user1=${user%+*} + ;; + esac + + case "$user1" in + !*:*) + if [ "$user1" != "!:" ]; then + temp="${user1#!}" + temp="${temp%:*}" + [ -n "$temp" ] && rule="$rule ! --uid-owner $temp " + temp="${user1#*:}" + [ -n "$temp" ] && rule="$rule ! --gid-owner $temp " + fi + ;; + *:*) + if [ "$user1" != ":" ]; then + temp="${user1%:*}" + [ -n "$temp" ] && rule="$rule --uid-owner $temp " + temp="${user1#*:}" + [ -n "$temp" ] && rule="$rule --gid-owner $temp " + fi + ;; + !*) + [ "$user1" != "!" ] && rule="$rule ! --uid-owner ${user1#!} " + ;; + *) + [ -n "$user1" ] && rule="$rule --uid-owner $user1 " + ;; + esac ;; esac @@ -2872,6 +3232,8 @@ check_config() { validate_policy + validate_blacklist + echo "Pre-validating Actions..." process_actions1 @@ -2993,8 +3355,8 @@ add_an_action() action_interface_verify ${client%:*} cli="$(match_source_dev ${client%:*}) $(source_ip_range ${client#*:})" ;; - *.*.*) - cli="-s $client" + *.*.*|+*|!+*) + cli="$(source_ip_range $client)" ;; ~*) cli=$(mac_match $client) @@ -3015,7 +3377,7 @@ add_an_action() case "$server" in -) ;; - *.*.*) + *.*.*|+*|!+*) serv=$server ;; ~*) 
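Review bot: The owner-match parsing added here is repeated almost verbatim in process_action and process_rule later in this patch, and the copies already diverge: those two reset an empty clause with `[ "$userandgroup" = "-m owner" ] && userandgroup=`, while the accounting version appends `-m owner` and can leave it with no criterion for a USER field like `:`. A shared helper that takes the USER/GROUP field and echoes the complete owner clause (or nothing) would keep the `!`, `+` and `:` semantics in one place. A short comment stating that `!user+cmd` negates both the uid test and the command test would also help, since nothing on the page documents that combination.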
@@ -3073,7 +3435,7 @@ add_an_action() for srv in $(firewall_ip_range $serv1); do if [ -n "$loglevel" ]; then log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \ - $(fix_bang $proto $sports $multiport $cli $(source_ip_range $srv) $dports) + $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) fi run_iptables2 -A $chain $proto $multiport $cli $sports \ @@ -3136,10 +3498,26 @@ process_action() # $1 = chain (Chain to add the rules to) [ "x$userspec" = "x-" ] && userspec= if [ -n "$userspec" ]; then + userandgroup="-m owner" + + case "$userspec" in + !*+*) + if [ -n "${userspec#*+}" ]; then + userandgroup="$userandgroup ! --cmd-owner ${userspec#*+}" + fi + userspec=${userspec%+*} + ;; + *+*) + if [ -n "${userspec#*+}" ]; then + userandgroup="$userandgroup --cmd-owner ${userspec#*+}" + fi + userspec=${userspec%+*} + ;; + esac + case "$userspec" in !*:*) if [ "$userspec" != "!:" ]; then - userandgroup="-m owner" temp="${userspec#!}" temp="${temp%:*}" [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp" @@ -3149,7 +3527,6 @@ process_action() # $1 = chain (Chain to add the rules to) ;; *:*) if [ "$userspec" != ":" ]; then - userandgroup="-m owner" temp="${userspec%:*}" [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" temp="${userspec#*:}" @@ -3157,12 +3534,14 @@ process_action() # $1 = chain (Chain to add the rules to) fi ;; !*) - userandgroup="-m owner ! --uid-owner ${userspec#!}" + [ "$userspec" != "!" ] && userandgroup="$userandgroup ! --uid-owner ${userspec#!}" ;; *) - userandgroup="-m owner --uid-owner $userspec" + [ -n "$userspec" ] && userandgroup="$userandgroup --uid-owner $userspec" ;; esac + + [ "$userandgroup" = "-m owner" ] && userandgroup= fi # Isolate log level @@ -4022,7 +4401,7 @@ add_a_rule() rule_interface_verify ${client%:*} cli="$(match_source_dev ${client%:*}) $(source_ip_range ${client#*:})" ;; - *.*.*) + *.*.*|+*) cli="$(source_ip_range $client)" ;; ~*) 
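Review bot: The client pattern in add_a_rule becomes `*.*.*|+*)` without the `!+*` alternative that add_an_action, process_tc_rule and process_tos_rule gain in this same patch, and the server pattern in the following hunk does the same, so a negated set in the rules file falls through to the interface branch. If that is deliberate (negated sets only in actions), a comment saying so would prevent a later change; otherwise use `*.*.*|+*|!+*)` in both places.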
@@ -4044,7 +4423,7 @@ add_a_rule() case "$server" in -) ;; - *.*.*) + *.*.*|+*) serv=$server ;; ~*) @@ -4087,12 +4466,6 @@ add_a_rule() fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\"" proto= ;; - ipp2p) - dports="-m ipp2p --${port:-ipp2p}" - port= - proto=tcp - do_ports - ;; *) [ -n "$port" ] && \ fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" @@ -4105,7 +4478,7 @@ add_a_rule() case "$logtarget" in ACCEPT|DROP|REJECT|CONTINUE) - if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then + if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userandgroup" ] ; then error_message "Warning -- Rule \"$rule\" is a POLICY" error_message " -- and should be moved to the policy file" fi @@ -4134,8 +4507,8 @@ add_a_rule() if [ -n "$natrule" ]; then add_nat_rule - elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then - fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\"" + elif [ -n "$servport" -a "$servport" != "$port" ]; then + fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination port mapping; rule \"$rule\"" fi if [ -z "$dnat_only" ]; then @@ -4158,13 +4531,15 @@ add_a_rule() $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) fi - [ -n "$nonat" ] && \ + if [ -n "$nonat" ]; then addnatrule $(dnat_chain $source) $proto $multiport \ $cli $sports $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j RETURN - - [ "$logtarget" != NONAT ] && \ + fi + + if [ "$logtarget" != NONAT ]; then run_iptables2 -A $chain $proto $multiport $cli $sports \ $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target + fi fi done done 
@@ -4188,24 +4563,43 @@ add_a_rule() # Destination is a simple zone - [ -n "$addr" ] && fatal_error \ - "An ORIGINAL DESTINATION ($addr) is only allowed in" \ - " a DNAT, SAME or REDIRECT: \"$rule\"" - if [ $COMMAND != check ]; then - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ - $(fix_bang $proto $multiport $cli $dest_interface $sports $dports) - fi + if [ -n "$addr" ]; then + for adr in $(separate_list $addr); do + if [ -n "$loglevel" ]; then + log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ + $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr) + fi - if [ "$logtarget" != LOG ]; then - [ -n "$nonat" ] && \ - addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $dports $ratelimit $userandgroup -j RETURN + if [ "$logtarget" != LOG ]; then + if [ -n "$nonat" ]; then + addnatrule $(dnat_chain $source) $proto $multiport \ + $cli $sports $dports $ratelimit $userandgroup -m conntrack --ctorigdst $adr -j RETURN + fi + + if [ "$logtarget" != NONAT ]; then + run_iptables2 -A $chain $proto $multiport $cli $dest_interface \ + $sports $dports $ratelimit $userandgroup -m conntrack --ctorigdst $adr -j $target + fi + fi + done + else + if [ -n "$loglevel" ]; then + log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ + $(fix_bang $proto $multiport $cli $dest_interface $sports $dports) + fi - [ "$logtarget" != NONAT ] && \ - run_iptables2 -A $chain $proto $multiport $cli $dest_interface \ - $sports $dports $ratelimit $userandgroup -j $target + if [ "$logtarget" != LOG ]; then + if [ -n "$nonat" ]; then + addnatrule $(dnat_chain $source) $proto $multiport \ + $cli $sports $dports $ratelimit $userandgroup -j RETURN + fi + + if [ "$logtarget" != NONAT ]; then + run_iptables2 -A $chain $proto $multiport $cli $dest_interface \ + $sports $dports $ratelimit 
$userandgroup -j $target + fi + fi fi fi fi @@ -4295,10 +4689,27 @@ process_rule() # $1 = target [ "x$address" = "x-" ] && address= if [ -n "$userspec" ]; then + + userandgroup="-m owner" + + case "$userspec" in + !*+*) + if [ -n "${userspec#*+}" ]; then + userandgroup="$userandgroup ! --cmd-owner ${userspec#*+}" + fi + userspec=${userspec%+*} + ;; + *+*) + if [ -n "${userspec#*+}" ]; then + userandgroup="$userandgroup --cmd-owner ${userspec#*+}" + fi + userspec=${userspec%+*} + ;; + esac + case "$userspec" in !*:*) if [ "$userspec" != "!:" ]; then - userandgroup="-m owner" temp="${userspec#!}" temp="${temp%:*}" [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp" @@ -4308,7 +4719,6 @@ process_rule() # $1 = target ;; *:*) if [ "$userspec" != ":" ]; then - userandgroup="-m owner" temp="${userspec%:*}" [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" temp="${userspec#*:}" @@ -4316,12 +4726,14 @@ process_rule() # $1 = target fi ;; !*) - userandgroup="-m owner ! --uid-owner ${userspec#!}" + [ "$userspec" != "!" ] && userandgroup="$userandgroup ! --uid-owner ${userspec#!}" ;; *) - userandgroup="-m owner --uid-owner $userspec" + [ -n "$userspec" ] && userandgroup="$userandgroup --uid-owner $userspec" ;; esac + + [ "$userandgroup" = "-m owner" ] && userandgroup= fi case $target in @@ -4685,7 +5097,7 @@ process_tos_rule() { fi [ -n "$src" ] && case "$src" in - *.*.*) + *.*.*|+*|!+*) # # IP Address or networks # @@ -4733,7 +5145,7 @@ process_tos_rule() { fi [ -n "$dst" ] && case "$dst" in - *.*.*) + *.*.*|+*|!+*) # # IP Address or networks # 
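Review bot: The new per-address loop emits `-m conntrack --ctorigdst $adr` but nothing in the hunk checks the CONNTRACK_MATCH capability that determine_capabilities derives, so on a kernel without that match the rule fails at activation rather than with a clear message; if add_a_rule already checks it earlier (outside this hunk) this is fine. `adr` is also not declared local. The two branches differ only by the `-m conntrack --ctorigdst $adr` clause; keeping that clause in a variable that is empty when `$addr` is unset would collapse them into a single code path. add_a_rule begins and ends outside this hunk.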
@@ -4825,19 +5237,21 @@ process_tos() # $1 = name of tos file { echo "Processing $1..." - run_iptables -t mangle -N pretos - run_iptables -t mangle -N outtos - strip_file tos $1 - while read src dst protocol sport dport tos; do - expandv src dst protocol sport dport tos - rule="$(echo $src $dst $protocol $sport $dport $tos)" - process_tos_rule - done < $TMP_DIR/tos + if [ -s $TMP_DIR/tos ] ; then + run_iptables -t mangle -N pretos + run_iptables -t mangle -N outtos - run_iptables -t mangle -A PREROUTING -j pretos - run_iptables -t mangle -A OUTPUT -j outtos + while read src dst protocol sport dport tos; do + expandv src dst protocol sport dport tos + rule="$(echo $src $dst $protocol $sport $dport $tos)" + process_tos_rule + done < $TMP_DIR/tos + + run_iptables -t mangle -A PREROUTING -j pretos + run_iptables -t mangle -A OUTPUT -j outtos + fi } # 
@@ -5055,6 +5469,176 @@ get_routed_networks() # $1 = interface name done } +# +# Add a route from /etc/shorewall/routes +# +add_a_route() +{ + local r= + local chain=routefwd + local marktest= + + if [ "x$source" != "x-" ]; then + case ${source} in + $FW:*) + chain=routeout + r="$(source_ip_range ${source%:*}) " + ;; + *:*) + r="$(match_source_dev ${source%:*}) $(source_ip_range ${source#*:}) " + ;; + *.*.*|+*|!+*) + r="$(source_ip_range $source) " + ;; + ~*) + r="$(mac_match $source) " + ;; + $FW) + chain=routeout + ;; + *) + verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" + r="$(match_source_dev) $source " + ;; + esac + fi + + if [ "x$dest" != "x-" ]; then + case $dest in + *:*) + verify_interface ${dest%:*} || fatal_error "Unknown interface ${dest%:*} in rule \"$rule\"" + r="$(match_dest_dev ${dest%:*}) $(dest_ip_range ${dest#*:}) " + ;; + *.*.*|+*|!+*) + r="${r}$(dest_ip_range $dest) " + ;; + *) + verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\"" + r="${r}$(match_dest_dev $dest) " + ;; + esac + fi + + if [ "x$proto" = xipp2p ]; then + [ "x$port" = "x-" ] && port="ipp2p" + r="${r}-p tcp -m ipp2p --${port} " + else + [ "x$proto" = "x-" ] && proto=all + [ "x$proto" = "x" ] && proto=all + [ "$proto" = "all" ] || r="${r}-p $proto " + [ "x$port" = "x-" ] || r="${r}-m multiport --dports $port " + fi + + if [ "x${sport:--}" != "x-" ]; then + [ "x$port" = "x-" ] && r="${r}-m multiport " + r="${r}--sports $sport " + fi + + case $testval in + -) + testval= + ;; + !*:C) + marktest="connmark ! " + testval=${testval%:*} + testval=${testval#!} + ;; + *:C) + marktest="connmark " + testval=${testval%:*} + ;; + !*) + marktest="mark ! 
" + testval=${testval#!} + ;; + *) + [ -n "$testval" ] && marktest="mark " + ;; + esac + + if [ -n "$testval" ] ; then + case $testval in + */*) + verify_mark ${testval%/*} + verify_mark ${testval#*/} + ;; + *) + verify_mark $testval + testval=$testval/255 + ;; + esac + fi + + [ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval " + + r="${r}-j ROUTE " + + [ "x${interface:--}" != x- ] && r="${r}--oif $interface " + + [ "x${gateway:--}" != x- ] && r="${r}--gw $gateway" + + run_iptables2 -t mangle -A $chain $r --continue + + progress_message " Routing Rule \"$rule\" Added." +} + + +# +# Set up Routing +# +setup_routes() # $1 = file name +{ + local created_chains= + # + # Create routing chains + # + create_routing_chains() + { + if [ -z "$created_chains" ]; then + run_iptables -t mangle -N routefwd + run_iptables -t mangle -A FORWARD -j routefwd + run_iptables -t mangle -N routeout + run_iptables -t mangle -A OUTPUT -j routeout + run_iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark + created_chains=Yes + fi + } + + strip_file routes $1 + + if [ -s $TMP_DIR/routes ]; then + echo "Processing $1..." 
+ [ -n "$ROUTE_TARGET" ] || \ + fatal_error "Entries in /etc/shorewall/routes requires that your kernel and iptables have ROUTE target support" + create_routing_chains + + while read source dest proto port sport testval interface gateway; do + expandv source dest proto port sport testval interface gateway + rule="$source $dest $proto $port $sport testval $interface $gateway" + add_a_route + done < $TMP_DIR/routes + fi + + if [ -n "$ROUTEMARK_INTERFACES" ]; then + create_routing_chains + + run_iptables -t mangle -N routemark + + for interface in $ROUTEMARK_INTERFACES ; do + + iface=$(chain_base $interface) + eval mark_value=\$${iface}_routemark + + run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0 -j routemark + run_iptables -t mangle -A routemark -i $interface -j MARK --set-mark $mark_value + + done + + run_iptables -t mangle -A routemark -m mark ! --mark 0 -j CONNMARK --save-mark --mask 255 + fi + +} + # # Set up Source NAT (including masquerading) # @@ -5167,7 +5751,7 @@ setup_masq() source="$networks" case $source in - *.*.*) + *.*.*|+*|!+*) ;; *) networks=$(get_routed_networks $networks) @@ -5176,9 +5760,7 @@ setup_masq() ;; esac - [ "x$addresses" = x- ] && addresses= - - + [ "x$addresses" = x- ] && addresses= if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then for address in $(separate_list $addresses); do @@ -5405,11 +5987,13 @@ setup_masq() # $dport = destination port selector # add_blacklist_rule() { - if [ -n "$BLACKLIST_LOGLEVEL" ]; then - log_rule $BLACKLIST_LOGLEVEL blacklst $BLACKLIST_DISPOSITION $(fix_bang $source $proto $dport) + if [ "$COMMAND" != check ]; then + if [ -n "$BLACKLIST_LOGLEVEL" ]; then + log_rule $BLACKLIST_LOGLEVEL blacklst $BLACKLIST_DISPOSITION $(fix_bang $source $proto $dport) + fi + + run_iptables2 -A blacklst $source $proto $dport -j $disposition fi - - run_iptables2 -A blacklst $source $proto $dport -j $disposition } # 
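Review bot: The `$FW:*` arm of add_a_route uses `${source%:*}`, which keeps the zone name and drops the address — the same slip this patch corrects in process_tc_rule — so it should be `r="$(source_ip_range ${source#*:}) "`. The `*:*` arm of the dest case assigns `r="$(match_dest_dev ${dest%:*}) …"` instead of appending to `${r}`, discarding whatever source criteria were built above, so a route with both a source and an interface:address destination matches more traffic than configured; the `*)` interface arm of the source case also calls `match_source_dev` with no argument, unlike every other call site. The rule text recorded for messages, `rule="$source $dest $proto $port $sport testval $interface $gateway"`, is missing the `$` on testval. setup_routes uses `-m connmark` and `-j CONNMARK` without consulting the CONNMARK_MATCH and CONNMARK capabilities the patch adds.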
@@ -5424,16 +6008,18 @@ process_blacklist_rec() { local addr local proto local dport + local temp + local setname for addr in $(separate_list $networks); do case $addr in - ~*) - addr=$(echo $addr | sed 's/~//;s/-/:/g') - source="--match mac --mac-source $addr" - ;; - *) - source="$(source_ip_range $addr)" - ;; + ~*) + addr=$(echo $addr | sed 's/~//;s/-/:/g') + source="--match mac --mac-source $addr" + ;; + *) + source="$(source_ip_range $addr)" + ;; esac if [ -n "$protocol" ]; then @@ -5483,7 +6069,11 @@ process_blacklist_rec() { addr="$addr $protocol" fi - progress_message " $addr added to Black List" + if [ "$COMMAND" = check ]; then + progress_message " $addr" Verified + else + progress_message " $addr added to Black List" + fi done } @@ -5555,6 +6145,25 @@ refresh_blacklist() { fi } +# +# Verify the Black List +# +validate_blacklist() { + local f=$(find_file blacklist) + local disposition=$BLACKLIST_DISPOSITION + + echo "Checking Black List..." + + strip_file blacklist $f + + [ "$disposition" = REJECT ] && disposition=reject + + while read networks protocol ports; do + expandv networks protocol ports + process_blacklist_rec + done < $TMP_DIR/blacklist +} + # # Verify that kernel has netfilter support # @@ -5704,6 +6313,11 @@ determine_capabilities() { IPRANGE_MATCH= RECENT_MATCH= OWNER_MATCH= + IPSET_MATCH= + ROUTE_TARGET= + XMARK= + CONNMARK= + CONNMARK_MATCH= qt $IPTABLES -N fooX1234 qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes 
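Review bot: `local f=$(find_file blacklist)` masks find_file's exit status, and `networks protocol ports` are read into globals that process_blacklist_rec depends on; declaring them `local` in validate_blacklist and splitting the assignment (`local f; f=$(find_file blacklist)`) keeps check mode from leaving stray variables behind. The check-mode branch of process_blacklist_rec prints `progress_message " $addr" Verified` with `Verified` outside the quotes, unlike its sibling message — harmless but inconsistent.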
@@ -5714,6 +6328,25 @@ determine_capabilities() { qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes + qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes + + qt $IPTABLES -t mangle -N fooX1234 + qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes + qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2 && XMARK=Yes + qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark && CONNMARK=Yes + qt $IPTABLES -t mangle -F fooX1234 + qt $IPTABLES -t mangle -X fooX1234 + + + qt ipset -X fooX1234 # Just in case something went wrong the last time + + if qt ipset -N fooX1234 iphash ; then + if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then + qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT + IPSET_MATCH=Yes + fi + qt ipset -X fooX1234 + fi if [ -n "$PKTTYPE" ]; then qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE= @@ -5745,6 +6378,11 @@ report_capabilities() { report_capability "IP range Match" $IPRANGE_MATCH report_capability "Recent Match" $RECENT_MATCH report_capability "Owner Match" $OWNER_MATCH + report_capability "Ipset Match" $IPSET_MATCH + report_capability "ROUTE Target" $ROUTE_TARGET + report_capability "Extended MARK Target" $XMARK + report_capability "CONNMARK Target" $CONNMARK + report_capability "Connmark Match" $CONNMARK_MATCH } # 
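Review bot: The ipset probe starts with `qt ipset -X fooX1234`, which destroys any pre-existing set of that name on the host, not just one left behind by an earlier aborted probe. A less collision-prone name, or probing only when `ipset -L fooX1234` reports no such set, avoids deleting an administrator's set as a side effect of a capability check. The new report_capabilities lines in the next hunk match the variables introduced here.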
@@ -5834,16 +6472,27 @@ initialize_netfilter () { exists_INPUT=Yes exists_OUTPUT=Yes exists_FORWARD=Yes + setpolicy INPUT DROP setpolicy OUTPUT DROP setpolicy FORWARD DROP - + deleteallchains - + setcontinue FORWARD setcontinue INPUT setcontinue OUTPUT + f=$(find_file ipsets) + + if [ -f $f ]; then + echo "Processing $f ..." + ipset -U :all: :all: + run_ipset -F + run_ipset -X + run_ipset -R < $f + fi + run_user_exit continue f=$(find_file routestopped) @@ -5861,6 +6510,7 @@ initialize_netfilter () { # run_iptables -A INPUT -i lo -j ACCEPT run_iptables -A OUTPUT -o lo -j ACCEPT + # # Allow DNS lookups during startup for FQDNs @@ -5913,7 +6563,6 @@ initialize_netfilter () { run_iptables -A newnotsyn -j DROP fi - createchain icmpdef no createchain reject no createchain dynamic no createchain smurfs no @@ -6601,7 +7250,7 @@ activate_rules() fi case $networks in - *.*.*.*) + *.*.*.*|+*) if [ "$networks" != 0.0.0.0/0 ]; then if ! list_search $interface $need_broadcast ; then interface_has_option $interface detectnets && need_broadcast="$need_broadcast $interface" @@ -6684,7 +7333,7 @@ activate_rules() fi done done - + for interface in $ALL_INTERFACES ; do run_iptables -A FORWARD -i $interface -j $(forward_chain $interface) run_iptables -A INPUT -i $interface -j $(input_chain $interface) @@ -6800,7 +7449,14 @@ define_firewall() # $1 = Command (Start or Restart) save_load_kernel_modules echo "Initializing..."; initialize_netfilter + echo "Configuring Proxy ARP"; setup_proxy_arp + # + # [re]-Establish routing + # + setup_providers $(find_file providers) + setup_routes $(find_file routes) + echo "Setting up NAT..."; setup_nat echo "Setting up NETMAP..."; setup_netmap echo "Adding Common Rules"; add_common_rules @@ -6840,7 +7496,7 @@ define_firewall() # $1 = Command (Start or Restart) for file in chains nat proxyarp zones; do append_file $file done - + save_progress_message "Restoring Netfilter Configuration..." save_command 'iptables-restore << __EOF__' 
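Review bot: When an ipsets file exists, initialize_netfilter runs `ipset -U :all: :all:`, `run_ipset -F` and `run_ipset -X` — unbinding, flushing and destroying every set on the host, including ones maintained by other tools — before `run_ipset -R < $f` recreates Shorewall's. If that is the intended contract it should be stated in a comment here and in the ipsets file documentation; otherwise destroy only the sets named in `$f`. The bare `ipset -U` call bypasses `run_ipset`, unlike the three calls that follow, so it is worth confirming its failure is handled the same way.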
@@ -6917,7 +7573,8 @@ refresh_firewall() add_to_zone() # $1...${n-1} = [:] $n = zone { local interface host zone z h z1 z2 chain - local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces + local dhcp_interfaces blacklist_interfaces maclist_interfaces + local tcpflags_interfaces newhostlist= local rulenum source_chain dest_hosts iface hosts hostlist= nat_chain_exists() # $1 = chain name @@ -7001,16 +7658,16 @@ add_to_zone() # $1...${n-1} = [:] $n = zone while read z hosts; do if [ "$z" = "$zone" ]; then - for h in $hosts; do - for host in $hostlist; do - if [ "$h" = "$host" ]; then - rm -f ${STATEDIR}/zones_$$ - startup_error "$host already in zone $zone" - fi - done + for h in $hostlist; do + list_search $h $hosts + if [ "$?" -gt 0 ]; then + newhostlist="$newhostlist $h" + else + error_message "$h already in zone $zone" + fi done - [ -z "$hosts" ] && hosts=$hostlist || hosts="$hosts $hostlist" + [ -z "$hosts" ] && hosts=$newhostlist || hosts="$hosts $newhostlist" fi eval ${z}_hosts=\"$hosts\" @@ -7024,7 +7681,7 @@ add_to_zone() # $1...${n-1} = [:] $n = zone # # Create a new Zone state file # - for newhost in $hostlist; do + for newhost in $newhostlist; do # # Isolate interface and host parts # 
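Review bot: `list_search $h $hosts` followed by `if [ "$?" -gt 0 ]` reads more naturally as `if ! list_search $h $hosts; then`, with the two branches swapped. Downgrading the duplicate-host case from startup_error to error_message is a behaviour change: the command now proceeds with the remaining hosts instead of aborting, which deserves a changelog line.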
@@ -7044,13 +7701,14 @@ add_to_zone() # $1...${n-1} = [:] $n = zone # Insert new rules into the filter table for the passed interface # while read z1 z2 chain; do + [ "$z1" = "$z2" ] && op="-I" || op="-A" if [ "$z1" = "$zone" ]; then if [ "$z2" = "$FW" ]; then - do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain + do_iptables $op $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain else source_chain=$(dynamic_fwd $interface) if is_ipsec_host $z1 $newhost ; then - do_iptables -A $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd + do_iptables $op $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd else eval dest_hosts=\"\$${z2}_hosts\" @@ -7059,7 +7717,7 @@ add_to_zone() # $1...${n-1} = [:] $n = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain + do_iptables $op $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain fi done fi @@ -7069,7 +7727,7 @@ add_to_zone() # $1...${n-1} = [:] $n = zone # # Add a rule to the dynamic out chain for the interface # - do_iptables -A $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain + do_iptables $op $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain else eval source_hosts=\"\$${z1}_hosts\" 
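Review bot: `op` is assigned inside the `while read z1 z2 chain` loop but is not in add_to_zone's `local` list, which an earlier hunk on this page extends, so it escapes as a global; add it there. A one-line comment explaining why same-zone rules (`z1 = z2`) are inserted with `-I` while the others are appended would help — presumably so that they take precedence over inter-zone rules already in the dynamic chains, but the hunk does not say. The loop continues into the following hunks.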
@@ -7079,9 +7737,9 @@ add_to_zone() # $1...${n-1} = [:] $n = zone if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if is_ipsec_host $z1 $h; then - do_iptables -A ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain + do_iptables $op ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain else - do_iptables -A $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain + do_iptables $op $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain fi fi done @@ -7184,7 +7842,7 @@ delete_from_zone() # $1 = [:] $2 = zone fi done - [ -n "$found" ] || error_message "Warning: $1 does not appear to be in zone $2" + [ -n "$found" ] || error_message "Warning: $host does not appear to be in zone $zone" done for h in $temp; do @@ -7391,10 +8049,15 @@ do_initialize() { DROPINVALID= RFC1918_STRICT= MACLIST_TTL= + SAVE_IPSETS= + RESTOREFILE= RESTOREBASE= TMP_DIR= ALL_INTERFACES= + ROUTEMARK_INTERFACES= + ROUTEMARK=256 + PROVIDERS= stopping= have_mutex= @@ -7588,6 +8251,7 @@ do_initialize() { LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) + SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) # # Strip the files that we use often # @@ -7772,10 +8436,13 @@ case "$COMMAND" in EMPTY= $@ ;; + capabilities) + [ $# -ne 1 ] && usage do_initialize report_capabilities ;; + *) usage ;; diff --git a/Shorewall/functions b/Shorewall/functions index f2db68cc0..74391002c 100755 --- a/Shorewall/functions +++ b/Shorewall/functions 
@@ -1,6 +1,6 @@ #!/bin/sh # -# Shorewall 2.2 -- /usr/share/shorewall/functions +# Shorewall 2.4 -- /usr/share/shorewall/functions # Function to truncate a string -- It uses 'cut -b -' # rather than ${v:first:last} because light-weight shells like ash and @@ -159,9 +159,12 @@ find_file() # Replace commas with spaces and echo the result # separate_list() { - local list + local list="$@" local part local newlist + local firstpart + local lastpart + local enclosure # # There's been whining about us not catching embedded white space in # comma-separated lists. This is an attempt to snag some of the cases. @@ -170,12 +173,31 @@ separate_list() { # either 'startup_error' or 'fatal_error' depending on the command and # command phase # - case "$@" in + case "$list" in *,|,*|*,,*|*[[:space:]]*) [ -n "$terminator" ] && \ $terminator "Invalid comma-separated list \"$@\"" echo "Warning -- invalid comma-separated list \"$@\"" >&2 ;; + *\[*\]*) + # + # Where we need to embed comma-separated lists within lists, we enclose them + # within square brackets + # + firstpart=${list%%\[*} + lastpart=${list#*\[} + enclosure=${lastpart%\]*} + lastpart=${lastpart#*\]} + case $lastpart in + \,*) + echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})" + ;; + *) + echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)" + ;; + esac + return + ;; esac list="$@" @@ -756,6 +778,29 @@ find_device() { done } +# +# Find the value 'via' in the passed arguments then echo the next value +# + +find_gateway() { + while [ $# -gt 1 ]; do + [ "x$1" = xvia ] && echo $2 && return + shift + done +} + +# +# Find the value 'peer' in the passed arguments then echo the next value up to +# "/" +# + +find_peer() { + while [ $# -gt 1 ]; do + [ "x$1" = xpeer ] && echo ${2%/*} && return + shift + done +} + # # Find the interfaces that have a route to the passed address - the default # route is not used. 
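Review bot: In the new `*\[*\]*` arm of separate_list, `enclosure=${lastpart%\]*}` removes only the shortest `]…` suffix, while the following `lastpart=${lastpart#*\]}` cuts at the first `]`; with more than one bracketed group (for example `a,[b,c],d,[e,f]`) the enclosure becomes `b,c],d,[e,f` and the second group is emitted again by the recursive call. Use the longest-suffix form so both expansions agree on the first closing bracket: `enclosure=${lastpart%%\]*}`. separate_list's body continues outside the hunk.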
@@ -778,6 +823,14 @@ find_rt_interface() { done } +# +# Try to find the gateway through an interface looking for 'nexthop' + +find_nexthop() # $1 = interface +{ + echo $(find_gateway `ip route ls | grep "[[:space:]]nexthop.* $1"`) +} + # # Find the default route's interface # diff --git a/Shorewall/help b/Shorewall/help index 1ec86f6c0..c71258134 100755 --- a/Shorewall/help +++ b/Shorewall/help @@ -1,6 +1,6 @@ #!/bin/sh # -# Shorewall help subsystem - V2.2 +# Shorewall help subsystem - V2.4 # # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] @@ -55,7 +55,10 @@ address|host) May be either a host IP address such as 192.168.1.4 or a network address in CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange match support then IP address ranges of the form - - are also permitted." + are also permitted. If your kernel and iptables contain ipset match support + then you may specify the name of an ipset prefaced by "+". The name of the + ipsec may be optionally followed by a number of levels of ipset bindings + (1 - 6) that are to be followed" ;; allow) @@ -209,6 +212,19 @@ restart) If \"-q\" is specified, less detain is displayed making it easier to spot warnings" ;; +safe-restart) + echo "safe-restart: safe-restart + Restart the same way as a shorewall restart except that previous firewall + configuration is backed up and will be restored if you notice any anomalies + or you are not able to reach the firewall any more." + ;; + +safe-start) + echo "safe-start: safe-start + Start the same way as a shorewall start except that in case of anomalies + shorewall clear is issued. " + ;; + restore) echo "restore: restore [ ] Restore Shorewall to a state saved using the 'save' command diff --git a/Shorewall/hosts b/Shorewall/hosts index 0016f976d..4dabb7c00 100644 --- a/Shorewall/hosts +++ b/Shorewall/hosts 
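Review bot: The grep in find_nexthop, `grep "[[:space:]]nexthop.* $1"`, has no terminator after `$1`, so for `eth1` it also matches the nexthop line for `eth10`, and find_gateway then returns whichever `via` value comes first in the concatenated output; anchoring the device name, e.g. `grep "[[:space:]]nexthop.* dev $1[[:space:]]"`, closes that (multipath lines carry a `weight` field after the device, so a trailing blank should be present — worth confirming against the `ip` version in use). The interface name is also interpolated into the regex unescaped, which only matters if a name can contain regex metacharacters. The `echo $(...)` wrapper around the backticks can be reduced to `find_gateway $(ip route ls | grep ...)`, and the header comment above the function lacks the closing `#` line that the neighbouring headers use.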
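Review bot: The added help text for `address|host` reads `The name of the ipsec may be optionally followed by a number of levels of ipset bindings`, where `ipsec` should be `ipset`; since Shorewall also ships an ipsec file, the slip is likely to mislead readers, so change it to `The name of the ipset may be optionally followed by a number of levels of ipset bindings`. The final sentence of that paragraph also lacks a full stop before the closing quote.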
@@ -1,5 +1,5 @@ # -# Shorewall 2.2 - /etc/shorewall/hosts +# Shorewall 2.4 - /etc/shorewall/hosts # # THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN # ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE. diff --git a/Shorewall/init b/Shorewall/init index 571a9b31d..41c49e614 100644 --- a/Shorewall/init +++ b/Shorewall/init @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.2 -- /etc/shorewall/init +# Shorewall 2.4 -- /etc/shorewall/init # # Add commands below that you want to be executed at the beginning of # a "shorewall start" or "shorewall restart" command. diff --git a/Shorewall/init.sh b/Shorewall/init.sh index 2a7dd230d..f340edd80 100644 --- a/Shorewall/init.sh +++ b/Shorewall/init.sh @@ -1,7 +1,7 @@ #!/bin/sh RCDLINKS="2,S41 3,S41 6,K41" # -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.2 +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.4 # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # diff --git a/Shorewall/initdone b/Shorewall/initdone index 74460af0e..cec87fe90 100755 --- a/Shorewall/initdone +++ b/Shorewall/initdone @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.2 -- /etc/shorewall/initdone +# Shorewall 2.4 -- /etc/shorewall/initdone # # Add commands below that you want to be executed during # "shorewall start" or "shorewall restart" commands at the point where diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 9bf67ff15..3471ae284 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=2.2.5 +VERSION=2.4.0 usage() # $1 = exit status { 
@@ -407,6 +407,28 @@ else echo echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist" fi +# +# Install the Routes file +# +if [ -f ${PREFIX}/etc/shorewall/routes ]; then + backup_file /etc/shorewall/routes +else + run_install $OWNERSHIP -m 0600 routes ${PREFIX}/etc/shorewall/routes + echo + echo "Routes file installed as ${PREFIX}/etc/shorewall/routes" +fi + +# +# Install the Providers file +# +if [ -f ${PREFIX}/etc/shorewall/providers ]; then + backup_file /etc/shorewall/providers +else + run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall/providers + echo + echo "Providers file installed as ${PREFIX}/etc/shorewall/providers" +fi + # # Backup and remove the whitelist file # @@ -518,7 +540,7 @@ fi if [ -f ${PREFIX}/etc/shorewall/started ]; then backup_file /etc/shorewall/started else - run_install -o $OWNER -g $GROUP -m 0600 started ${PREFIX}/etc/shorewall/started + run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall/started echo echo "Started file installed as ${PREFIX}/etc/shorewall/started" fi diff --git a/Shorewall/interfaces b/Shorewall/interfaces index bbb0c9687..623ab8bad 100644 --- a/Shorewall/interfaces +++ b/Shorewall/interfaces @@ -1,5 +1,5 @@ # -# Shorewall 2.2 -- Interfaces File +# Shorewall 2.4 -- Interfaces File # # /etc/shorewall/interfaces # @@ -167,9 +167,10 @@ # detectnets - Automatically taylors the zone named # in the ZONE column to include only those # hosts routed through the interface. +# # upnp - Incoming requests from this interface may # be remapped via UPNP (upnpd). -# +# # WARNING: DO NOT SET THE detectnets OPTION ON YOUR # INTERNET INTERFACE. # 
@@ -177,6 +178,12 @@ # significant but the list should have no embedded white # space. # +# GATEWAY This column is only meaningful if the 'default' OPTION +# is given -- it is ignored otherwise. You may specify +# the default gateway IP address for this interface here +# and Shorewall will use that IP address rather than any +# that it finds in the main routing table. +# # Example 1: Suppose you have eth0 connected to a DSL modem and # eth1 connected to your local network and that your # local subnet is 192.168.1.0/24. The interface gets @@ -205,6 +212,6 @@ # For additional information, see http://shorewall.net/Documentation.htm#Interfaces # ############################################################################## -#ZONE INTERFACE BROADCAST OPTIONS +#ZONE INTERFACE BROADCAST OPTIONS GATEWAY # #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/ipsec b/Shorewall/ipsec index 84e884edc..ddd44f712 100644 --- a/Shorewall/ipsec +++ b/Shorewall/ipsec @@ -1,5 +1,5 @@ # -# Shorewall 2.2 - /etc/shorewall/ipsec +# Shorewall 2.4 - /etc/shorewall/ipsec # # This file defines the attributes of zones with respect to # IPSEC. To use this file for any purpose except for setting mss, @@ -27,7 +27,7 @@ # # proto=ah|esp|ipcomp # -# mss= (sets the MSS field in TCP packets) +# mss= (sets the MSS field in TCP packets) # # mode=transport|tunnel # diff --git a/Shorewall/maclist b/Shorewall/maclist index f364048cd..0835985f1 100644 --- a/Shorewall/maclist +++ b/Shorewall/maclist @@ -1,5 +1,5 @@ # -# Shorewall 2.2 - MAC list file +# Shorewall 2.4 - MAC list file # # This file is used to define the MAC addresses and optionally their # associated IP addresses to be allowed to use the specified interface. diff --git a/Shorewall/masq b/Shorewall/masq index 22adaa1b9..cc96de934 100755 --- a/Shorewall/masq +++ b/Shorewall/masq @@ -1,5 +1,5 @@ # -# Shorewall 2.2 - Masquerade file +# Shorewall 2.4 - Masquerade file # # /etc/shorewall/masq # 
diff --git a/Shorewall/modules b/Shorewall/modules index 4b969b4bb..6846bc688 100644 --- a/Shorewall/modules +++ b/Shorewall/modules @@ -1,5 +1,5 @@ ############################################################################## -# Shorewall 2.2 /etc/shorewall/modules +# Shorewall 2.4 /etc/shorewall/modules # # This file loads the modules needed by the firewall. # @@ -19,4 +19,9 @@ loadmodule ip_nat_ftp loadmodule ip_nat_tftp loadmodule ip_nat_irc + loadmodule ip_set + loadmodule ip_set_iphash + loadmodule ip_set_ipmap + loadmodule ip_set_macipmap + loadmodule ip_set_portmap diff --git a/Shorewall/nat b/Shorewall/nat index 5078bec21..2b8b0e87e 100755 --- a/Shorewall/nat +++ b/Shorewall/nat @@ -1,6 +1,6 @@ ############################################################################## # -# Shorewall 2.2 -- Network Address Translation Table +# Shorewall 2.4 -- Network Address Translation Table # # /etc/shorewall/nat # diff --git a/Shorewall/netmap b/Shorewall/netmap index 8faac6fc1..f9be759df 100644 --- a/Shorewall/netmap +++ b/Shorewall/netmap @@ -1,6 +1,6 @@ ############################################################################## # -# Shorewall 2.2 -- Network Mapping Table +# Shorewall 2.4 -- Network Mapping Table # # /etc/shorewall/netmap # diff --git a/Shorewall/params b/Shorewall/params index 24d1c94ae..79e2fda61 100644 --- a/Shorewall/params +++ b/Shorewall/params @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /etc/shorewall/params +# Shorewall 2.4 /etc/shorewall/params # # Assign any variables that you need here. # diff --git a/Shorewall/policy b/Shorewall/policy index a6c4b230a..6327c596a 100644 --- a/Shorewall/policy +++ b/Shorewall/policy @@ -1,5 +1,5 @@ # -# Shorewall 2.2 -- Policy File +# Shorewall 2.4 -- Policy File # # /etc/shorewall/policy # diff --git a/Shorewall/proxyarp b/Shorewall/proxyarp index a48fefc53..d9e508976 100644 --- a/Shorewall/proxyarp +++ b/Shorewall/proxyarp 
@@ -1,6 +1,6 @@ ############################################################################## # -# Shorewall 2.2 -- Proxy ARP +# Shorewall 2.4 -- Proxy ARP # # /etc/shorewall/proxyarp # diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 74299285c..129de5222 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
@@ -1,1042 +1,367 @@ -Shorewall 2.2.5 +Shorewall 2.4.0 ----------------------------------------------------------------------- -Problems corrected in version 2.2.5 - -1) Previously, if PKTTYPE=No in shorewall.conf then pkttype match would - still be used if the kernel supported it. - -2) A typo in the 'tunnel' script has been corrected (Thanks to Patrik - Varmecký). - -3) A warning is now generated if an invalid short zone name is used in - /etc/shorewall/zones. +Problems Corrected since 2.4.0-RC2 +1) Previously, "shorewall status" could list the same routing table's + contents more than once. ----------------------------------------------------------------------- -Problems corrected in version 2.2.4 +Upgrade Issues when moving to 2.4.0 -1) The error message: +1) Shorewall now enforces the restriction that mark values used in + /etc/shorewall/tcrules are less than 256. If you are using mark + values >= 256, you must change your configuration before you + upgrade. - Error: No appropriate chain for zone to zone - - has been changed to one that is more self-explanatory: - - Error: No policy defined for zone to zone - -2) When only an interface name appeared in the HOST(S) column of an - /etc/shorewall/hosts file entry, a misleading iptables error message - resulted. Now the following message is generated: - - Error: Invalid HOST(S) column contents: +2) The value "ipp2p" is no longer accepted in the PROTO column of the + rules file. This support has never worked as intended and filtering + P2P applications this way is a bad idea to begin with (you should be + using a proxy). +3) LEAF/Bering packages for version 2.4.0 and later will not be + available from shorewall.net. See http://leaf.sf.net for the lastest + version of Shorewall for LEAF variants. ----------------------------------------------------------------------- -New Features in version 2.2.4 +New Features in version 2.4.0 -1) Support has been added for UPnP using linux-igd - (http://linux-igd.sourceforge.net). 
UPnP is required by a number of - popular applications including MSN IM. +1) Shorewall 2.4.0 includes support for multiple internet interfaces to + different ISPs. - WARNING: From a security architecture viewpoint, UPnP is a - disaster. It assumes that: + The file /etc/shorewall/providers may be used to define the + different providers. It can actually be used to define alternate + routing tables so uses like transparent proxy can use the file as + well. - a) All local systems and their users are completely - trustworthy. + Columns are: - b) No local system is infected with any worm or trojan. + NAME The provider name. - If either of these assumptions are not true then UPnP can - be used to totally defeat your firewall and to allow - incoming connections to arbitrary local systems on any port - whatsoever. + NUMBER The provider number -- a number between 1 and 15 - In short: USE UPnP AT YOUR OWN RISK. + MARK A FWMARK value used in your + /etc/shorewall/tcrules file to direct packets to + this provider. - WARNING: The linux-igd project appears to be inactive and the web - site does not display correctly on any open source browser - that I've tried. + DUPLICATE The name of an existing table to duplicate. May + be 'main' or the name of a previous provider. - Building and installing linux-igd is not for the faint of - heart. You must download the source from CVS and be - prepared to do quite a bit of fiddling with the include - files from libupnp (which is required to build and/or run - linux-igd). + INTERFACE The name of the network interface to the + provider. Must be listed in + /etc/shorewall/interfaces. - linux-igd Configuration: + GATEWAY The IP address of the provider's gateway router. + If you enter "detect" here then Shorewall will + attempt to determine the gateway IP address + automatically. 
- In /etc/upnpd.conf, you will want: + OPTIONS A comma-separated list selected from the + following: - insert_forward_rules = yes - prerouting_chain_name = UPnP - forward_chain_name = forwardUPnP + track If specified, connections FROM this interface are + to be tracked so that responses may be routed + back out this same interface. - Shorewall Configuration: + You want specify 'track' if internet hosts will be + connecting to local servers through this + provider. - In /etc/shorewall/interfaces, you need the 'upnp' option - on your external interface. + Because of limitations in the 'ip' utility and + policy routing, you may not use the SAVE or + RESTORE tcrules options or use connection + marking on any traffic to or from this + interface. For traffic control purposes, you + must mark packets in the FORWARD chain (or + better yet, use the CLASSIFY target). - If your fw->loc policy is not ACCEPT then you need this - rule: + balance The providers that have 'balance' specified will + get outbound traffic load-balanced among them. By + default, all interfaces with 'balance' specified + will have the same weight (1). You can change the + weight of the route out of the interface by + specifiying balance= where is + the desired route weight. - allowoutUPnP fw loc + Example: You run squid in your DMZ on IP address + 192.168.2.99. Your DMZ interface is eth2 - Note: To use 'allowoutUPnP', your iptables and kernel must - support the 'owner match' feature (see the output of - "shorewall check"). + #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS + Squid 1 1 - eth2 192.168.2.99 - - If your loc->fw policy is not ACCEPT then you need this - rule: + Use of this feature requires that your kernel and iptables + support CONNMARK target and conntrack match support. It does NOT + require the ROUTE target extension. - allowinUPnP loc fw + WARNING: The current version of iptables (1.3.1) is broken with + respect to CONNMARK and iptables-save/iptables-restore. 
This means + that if you configure multiple ISPs, "shorewall restore" will + fail. You must patch your iptables using the patch at + http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff. - You MUST have this rule: +2) Shorewall 2.3.0 supports the 'cmd-owner' option of the owner match + facility in Netfilter. Like all owner match options, 'cmd-owner' may + only be applied to traffic that originates on the firewall. - forwardUPnP net loc + The syntax of the USER/GROUP column in the following files has been + extended: - You must also ensure that you have a route to 224.0.0.0/4 on your - internal (local) interface. + /etc/shorewall/accounting + /etc/shorewall/rules + /etc/shorewall/tcrules + /usr/share/shorewall/action.template -2) A new 'started' extension script has been added. The difference - between this extension script and /etc/shorewall/start is that this - one is invoked after delayed loading of the blacklist - (DELAYBLACKLISTLOAD=Yes) and after the 'shorewall' chain has been - created (thus signaling that the firewall is completely up. + To specify a command, prefix the command name with "+". - /etc/shorewall/started should not change the firewall configuration - directly but may do so indirectly by running /sbin/shorewall with - the 'nolock' option. + Examples: -3) By default, shorewall is started with the "-f" (fast) option when - your system boots. You can override that setting by setting the - OPTIONS variable in /etc/sysconfig/shorewall (SuSE/Redhat) or - /etc/default/shorewall (Debian/Bering). If neither file exists, feel - free to create one. + +mozilla-bin #The program is named "mozilla-bin" + joe+mozilla-bin #The program is named "mozilla-bin" and + #is being run by user "joe" + joe:users+mozilla-bin #The program is named "mozilla-bin" and + #is being run by user "joe" with + #effective group "users". 
- Example: If you want Shorewall to always use the config files even - if there is a saved configuration, then specify: + Note that this is not a particularly robust feature and I would + never advertise it as a "Personal Firewall" equivalent. Using + symbolic links, it's easy to alias command names to be anything you + want. - OPTIONS="" +3) Support has been added for ipsets + (see http://people.netfilter.org/kadlec/ipset/). -4) Shorewall now has support for the SAME target. This change affects - the /etc/shorewall/masq and /etc/shorewall/rules file. + In most places where a host or network address may be used, you may + also use the name of an ipset prefaced by "+". - SAME is useful when you specify multiple target IP addresses (in the - ADDRESSES column of /etc/shorewall/masq or in the DEST column of - /etc/shorewall/rules). + Example: "+Mirrors" - If you use normal SNAT then multiple connections from a given local - host to hosts on the internet can be assigned different source IP - addresses. This confuses some applications that use multiple - connections. To correct this problem, prefix the list of address - ranges in the ADDRESS column with "SAME:" - - Example: SAME:206.124.146.176-206.124.146.180 - - If you want each internal system to use the same IP address from the - list regardless of which internet host it is talking to then prefix - the rages with "SAME:nodst:". - - Example: SAME:nodst:206.124.146.176-206.124.146.180 + The name of the set may be optionally followed by: - Note that it is not possible to map port numbers when using SAME. - - In the rules file, when multiple connections from an internet host - match a SAME rule then all of the connections will be sent to the - same internal server. SAME rules are very similar to DNAT rules with - the keyword SAME replacing DNAT. As in the masq file, changing the - port number is not supported. 
- -5) A "shorewall show capabilities" command has been added to report the - capabilities of your kernel and iptables. - - Example: - - gateway:~# shorewall show capabilities - Loading /usr/share/shorewall/functions... - Processing /etc/shorewall/params ... - Processing /etc/shorewall/shorewall.conf... - Loading Modules... - Shorewall has detected the following iptables/netfilter capabilities: - NAT: Available - Packet Mangling: Available - Multi-port Match: Available - Extended Multi-port Match: Available - Connection Tracking Match: Available - Packet Type Match: Not available - Policy Match: Available - Physdev Match: Available - IP range Match: Available - Recent Match: Available - Owner Match: Available - gateway:~# - -6) A "-v" option has been added to /sbin/shorewall. Currently, this - option only affects the "show log" command (e.g., "shorewall -v show - log") and the "monitor" command. In these commands, it causes the - MAC address in the log message (if any) to be displayed. As - previously, when "-v" is omitted, the MAC address is suppressed. - -7) In /etc/shorewall/rules, a value of 'none' in either the SOURCE or - DEST columns now causes the rule to be ignored. This is most useful - when used with shell variables: - - Example: - - /etc/shorewall/rules: - - AllowFTP $FTP_CLIENTS fw - - When FTP_CLIENTS is set to 'none', the above rule is ignored. - Otherwise, the rule is evaluated and generates Netfilter rules. - -8) The installer now detects that it is running on a Slackware system - and adjusts the DEST and INIT variables accordingly. - ------------------------------------------------------------------------ -Problems corrected in version 2.2.3 - -1) If a zone is defined in /etc/shorewall/hosts using - :! in the HOSTS column then startup errors occur - on "shorewall [re]start". 
- -2) Previously, if "shorewall status" was run on a system whose kernel - lacked advanced routing support (CONFIG_IP_ADVANCED_ROUTER), then - no routing information was displayed. - ------------------------------------------------------------------------ -New Features in version 2.2.3 - -1) A new extension script "continue" has been added. This script is - invoked after Shorewall has set the built-in filter chains' - policy to DROP, deleted any existing Netfilter rules and user - chains and has enabled existing connections. - - It is useful for enabling certain communication while Shorewall is - being [re]started. Be sure to delete any rules that you add here in - your /etc/shorewall/start file. - -2) There has been ongoing confusion about how the - /etc/shorewall/routestopped file works. People understand how it - works with the 'shorewall stop' command but when they read that - 'shorewall restart' is logically equivalent to 'shorewall stop' - followed by 'shorewall start' then they erroneously conclude that - /etc/shorewall/routestopped can be used to enable new connections - during 'shorewall restart'. Up to now, it cannot -- that file is not - processed during either 'shorewall start' or 'shorewall restart'. - - Beginning with Shorewall version 2.2.3, /etc/shorewall/routestopped - will be processed TWICE during 'shorewall start' and during - 'shorewall restart'. It will be processed early in the command - execution to add rules allowing new connections while the command - is running and it will be processed again when the - command is complete to remove the rules added earlier. - - The result of this change will be that during most of [re]start, new - connections will be allowed in accordance with the contents of - /etc/shorewall/routestopped. - -3) The performance of configurations with a large numbers of entries in - /etc/shorewall/maclist can be improved by setting the new - MACLIST_TTL variable in /etc/shorewall/shorewall.conf. 
- - If your iptables and kernel support the "Recent Match" (see the - output of "shorewall check" near the top), you can cache the results - of a 'maclist' file lookup and thus reduce the overhead associated - with MAC Verification. - - When a new connection arrives from a 'maclist' interface, the packet - passes through then list of entries for that interface in - /etc/shorewall/maclist. If there is a match then the source IP - address is added to the 'Recent' set for that interface. Subsequent - connection attempts from that IP address occuring within - $MACLIST_TTL seconds will be accepted without having to scan all - of the entries. After $MACLIST_TTL from the first accepted - connection request from an IP address, the next connection request - from that IP address will be checked against the entire list. - - If MACLIST_TTL is not specified or is specified as empty (e.g, - MACLIST_TTL="" or is specified as zero then 'maclist' lookups - will not be cached. - -4) You can now specify QUEUE as a policy and you can designate a - common action for QUEUE policies in /etc/shorewall/actions. This is - useful for sending packets to something like Snort Inline. - ------------------------------------------------------------------------ -Problems corrected in version 2.2.2 - -1) The SOURCE column in the /etc/shorewall/tcrules file now allows IP - ranges (assuming that your iptables and kernel support ranges). - -2) If A is a user-defined action and you have file /etc/shorewall/A - then when that file is invoked, the $TAG value may be incorrect. - -3) Previously, if an iptables command generating a logging rule - failed, the Shorewall [re]start was still successful. This error - is now considered fatal and Shorewall will be either restored from - the last save (if any) or it will be stopped. - -4) The port numbers for UDP and TCP were previously reversed in the - /usr/share/shorewall/action.AllowPCA file. 
- -5) Previously, the 'install.sh' script did not update the - /usr/share/shorewall/action.* files. - -6) Previously, when an interface name appeared in the DEST column of - /etc/shorewall/tcrules, the name was not validated against the set - of defined interfaces and bridge ports. - ------------------------------------------------------------------------ -New Features in version 2.2.2 - -1) The SOURCE column in the /etc/shorewall/tcrules file now allows $FW - to be optionally followed by ":" and a host/network address or - address range. - -2) Shorewall now clears the output device only if it is a - terminal. This avoids ugly control sequences being placed in files - when /sbin/shorewall output is redirected. - -3) The output from 'arp -na' has been added to the 'shorewall status' - display. - -4) The 2.6.11 Linux kernel and iptables 1.3.0 now allow port ranges - to appear in port lists handled by "multiport match". If Shorewall - detects this capability, it will use "multiport match" for port - lists containing port ranges. Be cautioned that each port range - counts for TWO ports and a port list handled with "multiport match" - can still specify a maximum of 15 ports. - - As always, if a port list in /etc/shorewall/rules is incompatible - with "multiport match", a separate iptables rule will be generated - for each element in the list. - -5) Traditionally, the RETURN target in the 'rfc1918' file has caused - 'norfc1918' processing to cease for a packet if the packet's source - IP address matches the rule. Thus, if you have: - - SUBNETS TARGET - 192.168.1.0/24 RETURN - - then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even - though you also have: - - SUBNETS TARGET - 10.0.0.0/8 logdrop - - Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic - to be logged and dropped since while the packet's source matches the - RETURN rule, the packet's destination matches the 'logdrop' rule. 
- - If not specified or specified as empty (e.g., RFC1918_STRICT="") - then RFC1918_STRICT=No is assumed. - - WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables - support 'Connection Tracking' match. ------------------------------------------------------------------------ -Problems corrected in version 2.2.1 - -1) The /etc/shorewall/policy file contained a misleading comment and - both that file and the /etc/shorewall/zones file lacked examples. - -2) Shorewall previously used root's default umask which could cause - files in /var/lib/shorewall to be world-readable. Shorewall now uses - umask 0177. - -3) In log messages produced by logging a built-in action, the packet - disposition was displayed incorrectly. - - Example: - - rejNotSyn:ULOG all all tcp - - produces the log message: - - Feb 12 23:57:08 server Shorewall:rejNotSyn:ULOG: ... - - rather than - - Feb 12 23:57:08 server Shorewall:rejNotSyn:REJECT: ... - -3) The comments regarding built-in actions in - /usr/share/shorewall/actions.std have been corrected. - -4) The /etc/shorewall/policy file in the LRP package was missing the - 'all->all' policy. - ------------------------------------------------------------------------ -Issues when migrating from Shorewall 2.0 to Shorewall 2.2: - -1) Shorewall configuration files except shorewall.conf are now empty - (they contain only comments). If you wish to retain the defaults - in any of the following files, you should copy these files before - upgrading them then restore them after the upgrade: - - /etc/shorewall/zones - /etc/shorewall/policy - /etc/shorewall/tos - -2) The following builtin actions have been removed and have been - replaced by the new action logging implementation described in the - new features below. 
- - logNotSyn - rLogNotSyn - dLogNotSyn - -3) If shorewall.conf is upgraded to the latest version, it needs to be - modified to set STARTUP_ENABLED=Yes - -4) The Leaf/Bering version of Shorewall was previously named: - - shorwall-.lrp - - Beginning with 2.2, that file will now be named: - - shorewall-lrp-.tgz - - Simply rename that file to 'shorwall.lrp' when installing it on your - LEAF/Bering system. - -5) The ORIGINAL DEST column of the /etc/shorewall/rules file may no - longer contain a second (SNAT) address. You must use an entry in - /etc/shorewall/masq instead. - - Example from Shorewall FAQ #1: - - Prior to Shorewall 2.2: - - /etc/shorewall/interfaces - - loc eth1 detect routeback,... - - /etc/shorewall/rules - - DNAT loc loc:192.168.1.12 tcp 80 \ - - 130.252.100.69:192.168.1.254 - - Shorewall 2.2 and Later: - - /etc/shorewall/interfaces - - loc eth1 detect routeback,... - - /etc/shorewall/masq: - - eth1 eth1 192.168.1.254 tcp 80 - - - /etc/shorewall/rules: - - DNAT loc loc:192.168.1.12 tcp 80 \ - - 130.252.100.69 - -6) The 'logunclean' and 'dropunclean' options that were deprecated in - Shorewall 2.0 have now been removed completely. - -7) A new IPTABLES variable has been added to shorewall.conf. This - variable names the iptables executable that Shorewall will use. The - variable is set to "/sbin/iptables". If you use the new - shorewall.conf, you may need to change this setting to maintain - compabibility with your current setup (if you use your existing - shorewall.conf that does not set IPTABLES then you should - experience no change in behavior). - -8) The default port for OpenVPN tunnels has been changed from 5000 to - 1194 to reflect the recent IANA allocation of that port for - OpenVPN. - ------------------------------------------------------------------------ -New Features in Shorewall 2.2.0: - -1) ICMP packets that are in the INVALID state are now dropped by the - Reject and Drop default actions. 
They do so using the new - 'dropInvalid' builtin action. An 'allowInvalid' builtin action is - also provided which accepts packets in that state. - -2) The /etc/shorewall/masq file INTERFACE column now allows additional - options. - - Normally MASQUERADE/SNAT rules are evaluated after one-to-one NAT - rules defined in the /etc/shorewall/nat file. If you preceed the - interface name with a plus sign ("+") then the rule will be - evaluated before one-to-one NAT. - - Examples: - - +eth0 - +eth1:192.0.2.32/27 - - Also, the effect of ADD_SNAT_ALIASES=Yes can be negated for an - entry by following the interface name by ":" but no digit. - - Examples: - - eth0: - eth1::192.0.2.32/27 - +eth3: - -3) Similar to 2), the /etc/shorewall/nat file INTERFACE column now allows - you to override the setting of ADD_IP_ALIASES=Yes by following the - interface name with ":" but no digit. - -4) All configuration files in the Shorewall distribution with the - exception of shorewall.conf are now empty. In particular, the - /etc/shorewall/zones, /etc/shorewall/policy and /etc/shorewall/tos - files now have no active entries. Hopefully this will stop the - questions on the support and development lists regarding why the - default entries are the way they are. - -5) Previously, including a log level (and optionally a log tag) on a - rule that specified a user-defined (or Shorewall-defined) action - would log all traffic passed to the action. Beginning with this - release, specifying a log level in a rule that specifies a user- - or Shorewall-defined action will cause each rule in the action to - be logged with the specified level (and tag). - - The extent to which logging of action rules occurs is goverend by - the following: - - a) When you invoke an action and specify a log level, only those - rules in the action that have no log level will be changed to log - at the level specified at the action invocation. 
- - Example: - - /etc/shorewall/action.foo: - - ACCEPT - - tcp 22 - bar:info - - /etc/shorewall/rules: - - foo:debug fw net - - Logging in the invoked 'foo' action will be: - - ACCEPT:debug - - tcp 22 - bar:info - - b) If you follow the log level with "!" then logging will - be at that level for all rules recursively invoked by the action - - Example: - - /etc/shorewall/action.foo: - - ACCEPT - - tcp 22 - bar:info - - /etc/shorewall/rules: - - foo:debug! fw net - - Logging in the invoke 'foo' action will be: - - ACCEPT:debug - - tcp 22 - bar:debug! - - This change has an effect on extension scripts used with - user-defined actions. If you define an action 'acton' and you have - an /etc/shorewall/acton script then when that script is invoked, - the following three variables will be set for use by the script: - - $CHAIN = the name of the chain where your rules are to be - placed. When logging is used on an action invocation, - Shorewall creates a chain with a slightly different name from - the action itself. - - $LEVEL = Log level. If empty, no logging was specified. - - $TAG = Log Tag. - - Example: - - /etc/shorewall/rules: - - acton:info:test - - Your /etc/shorewall/acton file will be run with: - - $CHAIN="%acton1" - $LEVEL="info" - $TAG="test" - -6) The /etc/shorewall/startup_disabled file is no longer created when - Shorewall is first installed. Rather, the variable STARTUP_ENABLED - is set to 'No' in /etc/shorewall/shorewall.conf. In order to get - Shorewall to start, that variable's value must be set to - 'Yes'. This change accomplishes two things: - - a) It prevents Shorewall from being started prematurely by the - user's initialization scripts. - - b) It causes /etc/shorewall/shorewall.conf to be modified so that - it won't be replaced by upgrades using RPM. - -7) Some additional support has been added for the 2.6 Kernel IPSEC - implementation. 
To use this support, you must have installed the - IPSEC policy match patch and the four IPSEC/Netfilter patches - from Patch-0-Matic-ng. The policy match patch affects both your - kernel and iptables. - - There are two ways to specify that IPSEC is to be used when - communicating with a set of hosts; both methods involve the new - /etc/shorewall/ipsec file: - - a) If encrypted communication is used with all hosts in a zone, - then you can designate the zone as an "ipsec" zone by placing - 'Yes" in the IPSEC ONLY column in the /etc/shorewall/ipsec: - - #ZONE IPSEC OPTIONS ... - # ONLY - vpn Yes - - The hosts in the zone (if any) must be specified in - /etc/shorewall/hosts but you do not need to specify the 'ipsec' - option on the entries in that file (see below). - - Dynamic zones involving IPSEC must use that technique. - - Example: - - Under 2.4 Kernel FreeS/Wan: - - /etc/shorewall/zones: - - net Net The big bad Internet - vpn VPN Remote Network - - /etc/shorewall/interfaces: - - net eth0 ... - vpn ipsec0 ... - - Under 2.6 Kernel with this new support: - - /etc/shorewall/zones: - - net Net The big bad Internet - vpn VPN Remote Network - - /etc/shorewall/interfaces: - - net eth0 ... - - /etc/shorewall/hosts: - - vpn eth0:0.0.0.0/0 - - /etc/shorewall/ipsec - - vpn Yes - - b) If only part of the hosts in a zone require encrypted - communication, you may use of the new 'ipsec' option in - /etc/shorewall/hosts to designate those hosts. - - Example: - - Under 2.4 Kernel FreeS/Wan: - - /etc/shorewall/zones: - - net Net The big bad Internet - loc Local Extended local zone - - /etc/shorewall/interfaces: - - net eth0 ... - loc eth1 ... - loc ipsec0 ... - - Under 2.6 Kernel with this new support: - - /etc/shorewall/zones: - - net Net The big bad Internet - vpn VPN Remote Network - - /etc/shorewall/interfaces: - - net eth0 ... - loc eth1 ... - - /etc/shorewall/hosts: - - vpn eth0:0.0.0.0/0 ipsec,... 
- - Regardless of which technique you choose, you can specify - additional SA options for the zone in the /etc/shorewall/ipsec - entry. - - The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the - input-output, input and output characteristics of the security - associations to be used to decrypt (input) or encrypt (output) traffic - to/from the zone. - - The available options are: - - reqid[!]= where is specified using setkey(8) using - the 'unique:' option for the SPD level. - - spi[!]= where is the SPI of the SA. Since - different SAs are used to encrypt and decrypt traffic, this - option should only be listed in the IN OPTIONS and OUT OPTIONS - columns. - - proto[!]=ah|esp|ipcomp - - mss= (sets the MSS value in TCP SYN packets and is not - related to policy matching) - - mode[!]=transport|tunnel - - tunnel-src[!]=
[/] (only available with mode=tunnel) - - tunnel-dst[!]=
[/] (only available with - mode=tunnel). Because tunnel source and destination are - dependent on the direction of the traffic, these options - should only appear in the IN OPTIONS and OUT OPTIONS columns. - - strict (if specified, packets must match all policies; - policies are delimited by 'next'). - - next (only available with strict) - - Examples: - - #ZONE IPSEC OPTIONS IN OUT... - # ONLY OPTIONS OPTIONS - vpn Yes mode=tunnel,proto=esp spi=1000 spi=1001 - loc No reqid=44,mode=transport - - The /etc/shorewall/masq file has a new IPSEC column added. If you - specify Yes or yes in that column then the unencrypted packets will - have their source address changed. Otherwise, the unencrypted - packets will not have their source addresses changed. This column - may also contain a comma-separated list of the options specified - above in which case only those packets that will be encrypted - by an SA matching the given options will have their source address - changed. - -8) To improve interoperability, tunnels of type 'ipsec' no longer - enforce the use of source port 500 for ISAKMP and OpenVPN - tunnels no longer enforce use of the specified port as both the - source and destination ports. - -9) A new 'allowBcast' builtin action has been added -- it silently - allows broadcasts and multicasts. - -10) The -c option in /sbin/shorewall commands is now deprecated. The - commands where -c was previously allowed now permit you to specify - a configuration directory after the command: - - shorewall check [ ] - shorewall restart [ ] - shorewall start [ ] - -11) Normally, when SNAT or MASQUERADE is applied to a tcp or udp - connection, Netfilter attempts to retain the source port - number. If it has to change to port number to avoid - , conflicts, it tries to do so - within port ranges ( < 512, 512-1023, and > 1023). 
You may - now specify an explicit range of source ports to be used - by following the address or address range (if any) in the - ADDRESS column with ":" and a port range in the format - -. You must specify either "tcp" or - "udp" in the PROTO column. - - Examples 1 -- MASQUERADE with tcp source ports 4000-5000: - - #INTERFACE SUBNET ADDRESS PROTO - eth0 192.168.1.0/24 :4000-5000 tcp - - Example 2 -- SNAT with udp source ports 7000-8000: - - #INTERFACE SUBNET ADDRESS PROTO - eth0 10.0.0.0/8 192.0.2.44:7000-8000 udp - -12) You may now account by user/group ID for outbound traffic from the - firewall itself with entries in /etc/shorewall/accounting. Such - accounting rules must be placed in the OUTPUT chain. - - See the comments at the top of /etc/shorewall/accounting for - details. - -13) Shorewall now verifies that your kernel and iptables have physdev - match support if BRIDGING=Yes in shorewall.conf. - -14) Beginning with this release, if your kernel and iptables have - iprange match support (see the output from "shorewall check"), then - with the exception of the /etc/shorewall/netmap file, anywhere that - a network address may appear an IP address range of the form - may also appear. - -15) Support has been added for the iptables CLASSIFY target. That - target allows you to classify packets for traffic shaping directly - rather than indirectly through fwmark. Simply enter the - : classification in the first column of - /etc/shorewall/tcrules: - - Example: - - #MARK/ SOURCE DEST PROTO PORT(S) - #CLASSIFY - 1:30 - eth0 tcp 25 - - Note that when using this form of rule, it is acceptable to include - the name of an interface in the DEST column. - - Marking using the CLASSIFY target always occurs in the POSTROUTING - chain of the mangle table and is not affected by the setting of - MARK_IN_FORWARD_CHAIN in shorewall.conf. 
- -16) During "shorewall start", IP addresses to be added as a consequence - of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted - when /etc/shorewall/nat and /etc/shorewall/masq are processed then - the are re-added later. This is done to help ensure that the - addresses can be added with the specified labels but can have - the undesirable side effect of causing routes to be quietly - deleted. A new RETAIN_ALIASES option has been added to - shorewall.conf; when this option is set to Yes, existing addresses - will not be deleted. Regardless of the setting of RETAIN_ALIASES, - addresses added during "shorewall start" are still deleted at a - subsequent "shorewall stop" or "shorewall restart". - -17) Users with a large black list (from /etc/shorewall/blacklist) may - want to set the new DELAYBLACKLISTLOAD option in - shorewall.conf. When DELAYBLACKLISTLOAD=Yes, Shorewall will - enable new connections before loading the blacklist rules. While - this may allow connections from blacklisted hosts to slip by during - construction of the blacklist, it can substantially reduce the time - that all new connections are disabled during "shorewall [re]start". - -18) Using the default LOGFORMAT, chain names longer than 11 characters - (such as in user-defined actions) may result in log prefix - truncation. A new shorewall.conf action LOGTAGONLY has been added - to deal with this problem. When LOGTAGONLY=Yes, logging rules that - specify a log tag will substitute the tag for the chain name in the - log prefix. - - Example -- file /etc/shorewall/action.thisisaverylogactionname: - - Rule: - - DROP:info:ftp 0.0.0.0/0 0.0.0.0/0 tcp 21 - - Log prefix with LOGTAGONLY=No: - - Shorewall:thisisaverylongacti - - Log prefix with LOGTAGONLY=Yes: - - Shorewall:ftp:DROP - -19) Shorewall now resets the 'accept_source_route' flag for all - interfaces. 
If you wish to accept source routing on an interface, - you must specify the new 'sourceroute' interface option in - /etc/shorewall/interfaces. - -20) The default Drop and Reject actions now invoke the new standard - action 'AllowICMPs'. This new action accepts critical ICMP types: - - Type 3 code 4 (fragmentation needed) - Type 11 (TTL exceeded) - -21) Explicit control over the kernel's Martian logging is now provided - using the new 'logmartians' interface option. If you include - 'logmartians' in the interface option list then logging of Martian - packets on will be enabled on the specified interface. - If you wish to globally enable martian logging, you can set - LOG_MARTIANS=Yes in shorewall.conf. - -22) You may now cause Shorewall to use the '--set-mss' option of the - TCPMSS target. In other words, you can cause Shorewall to set the - MSS field of SYN packets passing through the firewall to the value - you specify. This feature extends the existing CLAMPMSS option in - /etc/shorewall/shorewall.conf by allowing that option to have a - numeric value as well as the values "Yes" and "No". - - Example: - - CLAMPMSS=1400 - -23) Shorewall now includes support for the ipp2p match facility. This - is a departure from my usual policy in that the ipp2p match - facility is included in Patch-O-Matic-NG and is unlikely to ever be - included in the kernel.org source tree. Questions about how to - install the patch or how to build your kernel and/or iptables - should not be posted on the Shorewall mailing lists. 
- - In the following files, the "PROTO" or "PROTOCOL" column may - contain "ipp2p": - - /etc/shorewall/rules - /etc/shorewall/tcrules - /etc/shorewall/accounting - - When the PROTO or PROTOCOL column contains "ipp2p" then the DEST - PORT(S) or PORT(S) column may contain a recognized ipp2p option; - for a list of the options and their meaning, at a root prompt: - - iptables -m ipp2p --help - - You must not include the leading "--" on the option; Shorewall will - supply those characters for you. If you do not include an option - then "ipp2p" is assumed (Shorewall will generate "-m ipp2p - --ipp2p"). - -24) Shorewall now has support for the CONNMARK target from iptables. - See the /etc/shorewall/tcrules file for details. - -25) A new debugging option LOGALLNEW has been added to - shorewall.conf. When set to a log level, this option causes - Shorewall to generaate a logging rule as the first rule in each - builtin chain. - - - The table name is used as the chain name in the log prefix. - - The chain name is used as the target in the log prefix. - - Example: Using the default LOGFORMAT, the log prefix for logging - from the nat table's PREROUTING chain is: - - Shorewall:nat:PREROUTING - - IMPORTANT: There is no rate limiting on these logging rules so - use LOGALLNEW at your own risk; it may cause high CPU and disk - utilization and you may not be able to control your firewall after - you enable this option. - - DANGER: DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL - BE SENT TO ANOTHER SYSTEM. - -26) The SUBNET column in /etc/shorewall/rfc1918 has been renamed - SUBNETS and it is now possible to specify a list of addresses in - that column. - -27) The AllowNNTP action now also allows NNTP over SSL/TLS (NNTPS). - -28) For consistency, the CLIENT PORT(S) column in the tcrules file has - been renamed SOURCE PORT(S). - -29) The contents of /proc/sys/net/ip4/icmp_echo_ignore_all is now shown - in the output of "shorewall status". 
- -30) A new IPTABLES option has been added to shorewall.conf. IPTABLES - can be used to designate the iptables executable to be used by - Shorewall. If not specified, the iptables executable determined by - the PATH setting is used. - -31) You can now use the "shorewall show zones" command to display the - current contents of the zones. This is particularly useful if you - use dynamic zones (DYNAMIC_ZONES=Yes in shorewall.conf). - - Example: - - ursa:/etc/shorewall # shorewall show zones - Shorewall-2.2.0-Beta7 Zones at ursa - Sat Nov 27 11:18:25 PST 2004 - - loc - eth0:192.168.1.0/24 - eth1:1.2.3.4 - net - eth0:0.0.0.0/0 - WiFi - eth1:0.0.0.0/0 - sec - eth1:0.0.0.0/0 - - ursa:/etc/shorewall # - -32) Variable expansion may now be used with the INCLUDE directive. - - Example: - - /etc/shorewall/params - - FILE=/etc/foo/bar - - Any other config file: - - INCLUDE $FILE - -33) The output of "shorewall status" now includes the results of "ip - -stat link ls". This helps diagnose performance problems caused by - link errors. - -34) Previously, when rate-limiting was specified in - /etc/shorewall/policy (LIMIT:BURST column), any traffic which - exceeded the specified rate was silently dropped. Now, if a log - level is given in the entry (LEVEL column) then drops are logged at - that level at a rate of 5/min with a burst of 5. - -35) Recent 2.6 kernels include code that evaluates TCP packets based on - TCP Window analysis. This can cause packets that were previously - classified as NEW or ESTABLISHED to be classified as INVALID. - - The new kernel code can be disabled by including this command in - your /etc/shorewall/init file: - - echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal - - Additional kernel logging about INVALID TCP packets may be - obtained by adding this command to /etc/shorewall/init: - - echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid - - Traditionally, Shorewall has dropped INVALID TCP packets early. 
The - new DROPINVALID option allows INVALID packets to be passed through - the normal rules chains by setting DROPINVALID=No. - - If not specified or if specified as empty (e.g., DROPINVALID="") - then DROPINVALID=Yes is assumed. - -36) The "shorewall add" and "shorewall delete" commands now accept a - list of hosts to add or delete. - - Examples: - - shorewall add eth1:1.2.3.4 eth1:2.3.4.5 z12 - shorewall delete eth1:1.2.3.4 eth1:2.3.4.5 z12 - - The above commands may also be written: - - shorewall add eth1:1.2.3.4,2.3.4.5 z12 - shorewall delete eth1:1.2.3.4,2.3.4.5 z12 + a) a number from 1 to 6 enclosed in square brackets ([]) -- this + number indicates the maximum number of ipset binding levels that + are to be matched. Depending on the context where the ipset name + is used, either all "src" or all "dst" matches will be used. -37) TCP OpenVPN tunnels are now supported using the 'openvpn' tunnel - type. OpenVPN entries in /etc/shorewall/tunnels have this format: + Example: "+Mirrors[4]" - openvpn[:{tcp|udp}][:] + b) a series of "src" and "dst" options separated by commas and + inclosed in square brackets ([]). These will be passed directly + to iptables in the generated --set clause. See the ipset + documentation for details. - Examples: + Example: "+Mirrors[src,dst,src]" + + Note that "+Mirrors[4]" used in the SOURCE column of the rules + file is equivalent to "+Mirrors[src,src,src,src]". - openvpn:tcp net 1.2.3.4 # TCP tunnel on port 1194 - openvpn:3344 net 1.2.3.4 # UDP on port 3344 - openvpn:tcp:4455 net 1.2.3.4 # TCP on port 4455 + To generate a negative match, prefix the "+" with "!" as in + "!+Mirrors". 
+ + Example 1: Blacklist all hosts in an ipset named "blacklist" + + /etc/shorewall/blacklist + + #ADDRESS/SUBNET PROTOCOL PORT + +blacklist + + Example 2: Allow SSH from all hosts in an ipset named "sshok: + + /etc/shorewall/rules + + #ACTION SOURCE DEST PROTO DEST PORT(S) + ACCEPT +sshok fw tcp 22 + + Shorewall can automatically capture the contents of your ipsets for + you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf + then "shorewall save" will save the contents of your ipsets. The file + where the sets are saved is formed by taking the name where the + Shorewall configuration is stored and appending "-ipsets". So if you + enter the command "shorewall save standard" then your Shorewall + configuration will be saved in /var/lib/shorewall/standard and your + ipset contents will be saved in /var/lib/shorewall/standard-ipsets. + Assuming the default RESTOREFILE setting, if you just enter + "shorewall save" then your Shorewall configuration will be saved in + /var/lib/shorewall/restore and your ipset contents will be saved in + /var/lib/shorewall/restore-ipsets. + + Regardless of the setting of SAVE_IPSETS, the "shorewall -f start" + and "shorewall restore" commands will restore the ipset contents + corresponding to the Shorewall configuration restored provided that + the saved Shorewall configuration specified exists. + + For example, "shorewall restore standard" would restore the ipset + contents from /var/lib/shorewall/standard-ipsets provided that + /var/lib/shorewall/standard exists and is executable and that + /var/lib/shorewall/standard-ipsets exists and is executable. + + Also regardless of the setting of SAVE_IPSETS, the "shorewall forget" + command will purge the saved ipset information (if any) associated + with the saved shorewall configuration being removed. 
+ + You can also associate ipset contents with Shorewall configuration + directories using the following command: + + ipset -S > /ipsets + + Example: + + ipset -S > /etc/shorewall/ipsets + + When you start or restart Shorewall (including using the 'try' + command) from the configuration directory, your ipsets will be + configured from the saved ipsets file. Once again, this behavior is + independent of the setting of SAVE_IPSETS. + + Ipsets are well suited for large blacklists. You can maintain your + blacklist using the 'ipset' utility without ever having to restart + or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be + sure to "shorewall save" after altering the blacklist ipset(s). + + Example /etc/shorewall/blacklist: + + #ADDRESS/SUBNET PROTOCOL PORT + +Blacklist[src,dst] + +Blacklistnets[src,dst] + + Create the blacklist ipsets using: + + ipset -N Blacklist iphash + ipset -N Blacklistnets nethash + + Add entries + + ipset -A Blacklist 206.124.146.177 + ipset -A Blacklistnets 206.124.146.0/24 + + To allow entries for individual ports + + ipset -N SMTP portmap --from 1 --to 31 + ipset -A SMTP 25 + + ipset -A Blacklist 206.124.146.177 + ipset -B Blacklist 206.124.146.177 -b SMTP + + Now only port 25 will be blocked from 206.124.146.177. + +4) Shorewall 2.4.0 can now configure routing if your kernel and + iptables support the ROUTE target extension. This extension is + available in Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since + the Netfilter team have no intention of ever releasing the ROUTE + target extension to kernel.org. + + Routing is configured using the /etc/shorewall/routes file. Columns + in the file are as follows: + + SOURCE Source of the packet. May be any of the + following: + + + - A host or network address + - A network interface name. 
+ - The name of an ipset prefaced with "+" + - $FW (for packets originating on the firewall) + - A MAC address in Shorewall format + - A range of IP addresses (assuming that your + kernel and iptables support range match) + - A network interface name followed by ":" + and an address or address range. + + DEST Destination of the packet. May be any of the + following: + + - A host or network address + - A network interface name (determined from + routing table(s)) + - The name of an ipset prefaced with "+" + - A network interface name followed by ":" + and an address or address range. + + PROTO Protocol - Must be "tcp", "udp", "icmp", + "ipp2p", a number, or "all". "ipp2p" requires + ipp2p match support in your kernel and + iptables. + + PORT(S) Destination Ports. A comma-separated list of + Port names (from /etc/services), port numbers + or port ranges; if the protocol is "icmp", this + column is interpreted as the destination + icmp-type(s). + + If the protocol is ipp2p, this column is + interpreted as an ipp2p option without the + leading "--" (example "bit" for bit-torrent). + If no PORT is given, "ipp2p" is assumed. + + This column is ignored if PROTOCOL = all but + must be entered if any of the following field + is supplied. In that case, it is suggested that + this field contain "-" + + SOURCE PORT(S) (Optional) Source port(s). If omitted, + any source port is acceptable. Specified as a + comma-separated list of port names, port + numbers or port ranges. + + TEST Defines a test on the existing packet or + connection mark. + + The rule will match only if the test returns + true. Tests have the format + [!][/][:C] + + Where: + + ! Inverts the test (not equal) + Value of the packet or + connection mark. + + A mask to be applied to the + mark before testing + :C Designates a connection + mark. If omitted, the packet + mark's value is tested. + + INTERFACE The interface that the packet is to be routed + out of. 
If you do not specify this field then + you must place "-" in this column and enter an + IP address in the GATEWAY column. + + GATEWAY The gateway that the packet is to be forewarded + through. + +5) Normally when Shorewall is stopped, starting or restarting then + connections are allowed from hosts listed in + /etc/shorewall/routestopped to the firewall and to other hosts + listed in /etc/shorewall/routestopped. + + A new 'source' option is added for entries in that file which will + cause Shorewall to allow traffic from the host listed in the entry + to ANY other host. When 'source' is specified in an entry, it is + unnecessary to also specify 'routeback'. + + Similarly, a new 'dest' option is added which will cause Shorewall + to allow traffic to the host listed in the entry from ANY other + host. When 'source' is specified in an entry, it is unnecessary to + also specify 'routeback'. + +6) This change was implemented by Lorenzo Martignoni. It provides two + new commands: "safe-start" and "safe-restart". + + safe-start starts Shorewall then prompts you to ask you if + everything looks ok. If you answer "no" or if you don't answer + within 60 seconds, a "shorewall clear" is executed. + + safe-restart saves your current configuration to + /var/lib/shorewall/safe-restart then issues a "shorewall restart"; + It then prompts you to ask if you if you want to accept the new + configuration. If you answer "no" or if you don't answer within 60 + seconds, the configuration is restored to its prior state. + + These new commands require either that your /bin/sh supports the + "-t" option to the 'read' command or that you have /bin/bash + installed. -38) A new 'ipsecvpn' script is included in the tarball and in the - RPM. The RPM installs the file in the Documentation directory - (/usr/share/doc/packages/shorewall-2.2.0-0RC1). - This script is intended for use on Roadwarrior laptops for - establishing an IPSEC SA to/from remote networks. 
The script has - some limitations: - - Only one instance of the script may be used at a time. - - Only the first SPD accessed will be instantiated at the remote - gateway. So while the script creates SPDs to/from the remote - gateway and each network listed in the NETWORKS setting at the - front of the script, only one of these may be used at a time. -39) The IANA has recently registered port 1194 for use by OpenVPN. In - previous versions of Shorewall (and OpenVPN), the default port was - 5000 but has been changed to 1194 to conform to the new OpenVPN - default. -40) The output of "shorewall status" now lists the loaded netfilter - kernel modules. -41) The range of UDP ports opened by the AllowTrcrt action has been - increased to 33434:33524. diff --git a/Shorewall/rfc1918 b/Shorewall/rfc1918 index f728b4491..306efccbf 100644 --- a/Shorewall/rfc1918 +++ b/Shorewall/rfc1918 @@ -1,5 +1,5 @@ # -# Shorewall 2.2 -- RFC1918 File +# Shorewall 2.4 -- RFC1918 File # # /etc/shorewall/rfc1918 # diff --git a/Shorewall/routestopped b/Shorewall/routestopped index 64b0fe504..ec3dffc32 100644 --- a/Shorewall/routestopped +++ b/Shorewall/routestopped @@ -1,6 +1,6 @@ ############################################################################## # -# Shorewall 2.2 -- Hosts Accessible when the Firewall is Stopped +# Shorewall 2.4 -- Hosts Accessible when the Firewall is Stopped # # /etc/shorewall/routestopped # 
@@ -23,7 +23,19 @@
 # options. The currently-supported options are:
 #
 # routeback - Set up a rule to ACCEPT traffic from
-# these hosts back to themselves.
+# these hosts back to themselves.
+#
+# source - Allow traffic from these hosts to ANY
+# destination. Without this option or the 'dest'
+# option, only traffic from this host to other
+# listed hosts (and the firewall) is allowed. If
+# 'source' is specified then 'routeback' is redundent.
+#
+# dest - Allow traffic to these hosts from ANY
+# source. Without this option or the 'source'
+# option, only traffic from this host to other
+# listed hosts (and the firewall) is allowed. If
+# 'dest' is specified then 'routeback' is redundent.
 #
 # Example:
 #
@@ -31,6 +43,7 @@
 # eth2 192.168.1.0/24
 # eth0 192.0.2.44
 # br0 - routeback
+# eth3 - source
 #
 # See http://shorewall.net/Documentation.htm#Routestopped and
 # http://shorewall.net/starting_and_stopping_shorewall.htm for additional
diff --git a/Shorewall/rules b/Shorewall/rules
index 06b40d5a6..1ab6c7b6c 100755
--- a/Shorewall/rules
+++ b/Shorewall/rules
@@ -1,5 +1,5 @@
 #
-# Shorewall version 2.2 - Rules File
+# Shorewall version 2.4 - Rules File
 #
 # /etc/shorewall/rules
 #
@@ -134,6 +134,11 @@
 # Hosts may be specified as an IP address range using the
 # syntax -. This requires that
 # your kernel and iptables contain iprange match support.
+# If you kernel and iptables have ipset match support then
+# you may give the name of an ipset prefaced by "+". The
+# ipset name may be optionally followed by a number from
+# 1 to 6 enclosed in square brackets ([]) to indicate the
+# number of levels of source bindings to be matched.
 #
 # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
 #
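Review bot: `redundent` in the last line of both the new 'source' and 'dest' paragraphs should be `redundant`. The 'dest' paragraph also repeats the 'source' paragraph's baseline sentence word for word ("only traffic from this host to other listed hosts (and the firewall) is allowed"), which reads as a copy-paste; since the baseline is the same in both directions, `# option, only traffic between this host and the other` / `# listed hosts (and the firewall) is allowed. If` would fit both paragraphs.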
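Review bot: `If you kernel` should be `If your kernel` in the first added line of the `@@ -134` hunk, and the same slip recurs in the DEST-column paragraph of the `@@ -189` hunk on the following line. The two new paragraphs are near-duplicates, but only the DEST one carries the restriction "Only one of the SOURCE and DEST columns may specify an ipset name"; a reader of the SOURCE column text never sees it, so either repeat that sentence here or state it once where both columns are introduced.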
@@ -189,6 +194,14 @@
 # the connections will be assigned to addresses in the
 # range in a round-robin fashion.
 #
+# If you kernel and iptables have ipset match support then
+# you may give the name of an ipset prefaced by "+". The
+# ipset name may be optionally followed by a number from
+# 1 to 6 enclosed in square brackets ([]) to indicate the
+# number of levels of destination bindings to be matched.
+# Only one of the SOURCE and DEST columns may specify an
+# ipset name.
+#
 # The port that the server is listening on may be
 # included and separated from the server's IP address by
 # ":". If omitted, the firewall will not modifiy the
@@ -204,20 +217,14 @@
 # contain the port number on the firewall that the
 # request should be redirected to.
 #
-# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
-# a number, or "all". "ipp2p" requires ipp2p match
-# support in your kernel and iptables.
+# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
+# "all".
 #
 # DEST PORT(S) Destination Ports. A comma-separated list of Port
 # names (from /etc/services), port numbers or port
 # ranges; if the protocol is "icmp", this column is
 # interpreted as the destination icmp-type(s).
 #
-# If the protocol is ipp2p, this column is interpreted
-# as an ipp2p option without the leading "--" (example "bit"
-# for bit-torrent). If no port is given, "ipp2p" is
-# assumed.
-#
 # A port range is expressed as :.
 #
 # This column is ignored if PROTOCOL = all but must be
@@ -250,8 +257,8 @@
 # Otherwise, a separate rule will be generated for each
 # port.
 #
-# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or
-# REDIRECT[-]) If included and different from the IP
+# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then
+# if included and different from the IP
 # address given in the SERVER column, this is an address
 # on some interface on the firewall and connections to
 # that address will be forwarded to the IP and port
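Review bot: The rewritten ORIGINAL DEST line in the `@@ -250` hunk keeps the digit-zero spelling `(0ptional)`, and the new line break leaves a dangling clause, `then` / `if included and different from the IP`; as the line is being rewritten anyway, `# ORIGINAL DEST (Optional) -- If ACTION is DNAT[-] or REDIRECT[-] then,` / `# if included and different from the IP` reads cleanly. Separately, the `@@ -204` hunk on this line removes "ipp2p" from the PROTO description and deletes the ipp2p paragraph under DEST PORT(S), while the release notes earlier in this patch still list "ipp2p" as a PROTO value for the new routes file; if ipp2p is still accepted in /etc/shorewall/rules this is a documentation regression, and if it is not, the routes notes should say why the two files differ.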
@@ -267,6 +274,20 @@ # destination address in the connection request does not # match any of the addresses listed. # +# For other actions, this column may be included and may +# contain one or more addresses (host or network) +# separated by commas. Address ranges are not allowed. +# When this column is supplied, rules are generated +# that require that the original destination address matches +# one of the listed addresses. This feature is most useful when +# you want to generate a filter rule that corresponds to a +# DNAT- or REDIRECT- rule. In this usage, the list of +# addresses should not begin with "!". +# +# See http://shorewall.net/PortKnocking.html for an +# example of using an entry in this column with a +# user-defined action rule. +# # RATE LIMIT You may rate-limit the rule by placing a value in # this colume: # @@ -285,7 +306,7 @@ # # The column may contain: # -# [!][][:] +# [!][][:][+] # # When this column is non-empty, the rule applies only # if the program generating the output is running under @@ -299,6 +320,7 @@ # #the 'kids' group # !:kids #program must not be run by a member # #of the 'kids' group +# +upnpd #program named 'upnpd' # # Example: Accept SMTP requests from the DMZ to the internet # diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 5c19408da..2437f7e1c 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -1,6 +1,6 @@ #!/bin/sh # -# Shorewall Packet Filtering Firewall Control Program - V2.2 +# Shorewall Packet Filtering Firewall Control Program - V2.4 # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # @@ -97,6 +97,14 @@ # shorewall iprange
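Review bot: The new `[+<program>]` form in the USER/GROUP column is presented alongside the uid/gid checks, but a process name is chosen by the process itself (its exec name / argv[0]) and, as far as I know, the underlying owner match has no way to verify it, so `+upnpd` cannot serve as an access control the way `!:kids` can. Suggest a caveat next to the `+upnpd` example: `# NOTE: the program name is supplied by the process itself and can be forged; use '+' for convenience or accounting, never as a security boundary.` The same syntax is introduced for tcrules later in this patch and would benefit from the same wording.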
-
Decomposes a range of IP addresses into # a list of network/host addresses. #
+# shorewall safe-start Starts the firewall and promtp for a c
+# confirmation to accept or reject the new
+# configuration
+#
+# shorewall safe-restart Restarts the firewall and prompt for a
+# confirmation to accept or reject the new
+# configuration
+# # Fatal Error # fatal_error() # $@ = Message
@@ -136,7 +144,7 @@ showchain() # $1 = name of chain } #
-# The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed.
+# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules). # iptablesbug()
@@ -146,6 +154,7 @@ iptablesbug() /^-j/ { print sline $0; next };\ /-m policy.*-j/ { print $0; next };\ /-m policy/ { sline=$0; next };\
+ /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\ {print ; sline="" }' else echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2 
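Review bot: The new help entry `# shorewall safe-start Starts the firewall and promtp for a c` contains "promtp" and a dangling "a c" that looks like a line-wrap accident; it should mirror the safe-restart entry: `# shorewall safe-start Starts the firewall and prompts for a` / `# confirmation to accept or reject the new configuration`. The safe-restart entry below it should also say "prompts".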
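Review bot: The added awk rule `/--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\` rewrites only the first match on a line, so a saved rule carrying two mask options (e.g. a CONNMARK and a MARK action on one line) would be restored with the second still in the form iptables-restore rejects; `gsub` is the safe choice here. The comment above should also record which iptables/extension version emits the bare `ff`, so the workaround can be retired once that version is gone. The rest of iptablesbug lies outside this hunk.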
@@ -589,6 +598,88 @@ logwatch() # $1 = timeout -- if negative, prompt each time that done }
+#
+# Save currently running configuration
+#
+save_config() {
+ [ "$nolock" ] || mutex_on
+
+ if qt $IPTABLES -L shorewall -n; then
+ [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
+
+ if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
+ echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
+ else
+ case $RESTOREFILE in
+ save|restore-base)
+ echo " ERROR: Reserved file name: $RESTOREFILE"
+ ;;
+ *)
+ if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
+ echo " Dynamic Rules Saved"
+ if [ -f /var/lib/shorewall/restore-base ]; then
+ cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
+ if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
+ echo __EOF__ >> /var/lib/shorewall/restore-$$
+ [ -f /var/lib/shorewall/restore-tail ] && \
+ cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
+ mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
+ chmod +x $RESTOREPATH
+ echo " Currently-running Configuration Saved to $RESTOREPATH"
+
+ rm -f ${RESTOREPATH}-ipsets
+
+ case ${SAVE_IPSETS:-No} in
+ [Yy][Ee][Ss])
+ RESTOREPATH=${RESTOREPATH}-ipsets
+
+ f=/var/lib/shorewall/restore-$$
+
+ echo "#!/bin/sh" > $f
+ echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f
+ echo >> $f
+ echo ". 
/usr/share/shorewall/functions" >> $f
+ echo >> $f
+ grep '^MODULE' /var/lib/shorewall/restore-base >> $f
+ echo "reload_kernel_modules << __EOF__" >> $f
+ grep 'loadmodule ip_set' /var/lib/shorewall/restore-base >> $f
+ echo "__EOF__" >> $f
+ echo >> $f
+ echo "ipset -U :all: :all:" >> $f
+ echo "ipset -F" >> $f
+ echo "ipset -X" >> $f
+ echo "ipset -R << __EOF__" >> $f
+ ipset -S >> $f
+ echo "__EOF__" >> $f
+ mv -f $f $RESTOREPATH
+ chmod +x $RESTOREPATH
+ echo " Current Ipset Contents Saved to $RESTOREPATH"
+ ;;
+ [Nn][Oo])
+ ;;
+ *)
+ echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. Ipset contents not saved"
+ ;;
+ esac
+ else
+ rm -f /var/lib/shorewall/restore-$$
+ echo " ERROR: Currently-running Configuration Not Saved"
+ fi
+ else
+ echo " ERROR: /var/lib/shorewall/restore-base does not exist"
+ fi
+ else
+ echo "Error Saving the Dynamic Rules"
+ fi
+ ;;
+ esac
+ fi
+ else
+ echo "Shorewall isn't started"
+ fi
+
+ [ "$nolock" ] || mutex_off
+} # # Help information #
@@ -630,6 +721,8 @@ usage() # $1 = exit status echo " status" echo " try [ ]" echo " version"
+ echo " safe-start"
+ echo " safe-restart" echo exit $1 }
@@ -642,6 +735,7 @@ show_reset() { echo "Counters reset $(cat $STATEDIR/restarted)" && \ echo }
+ # # Display's the passed file name followed by "=" and the file's contents. #
@@ -650,6 +744,27 @@ show_proc() # $1 = name of a file [ -f $1 ] && echo " $1 = $(cat $1)" }
+read_yesno_with_timeout() {
+ read -t 60 yn 2> /dev/null
+ if [ $? -eq 2 ]
+ then
+ # read doesn't support timeout
+ test -x /bin/bash || return 2 # bash is not installed so the feature is not available
+ /bin/bash -c 'read -t 60 yn ; if [ "$yn" == "y" ] ; then exit 0 ; else exit 1 ; fi' # invoke bash and use its version of read
+ return $?
+ else
+ # read supports timeout
+ case "$yn" in
+ y|Y)
+ return 0
+ ;;
+ *)
+ return 1
+ ;;
+ esac
+ fi
+}
+ # # Execution begins here # 
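Review bot: Both saved files are created under the caller's umask and then only marked executable with `chmod +x $RESTOREPATH` (once for the rule dump, once for the `-ipsets` companion), so with a common 022 umask the full iptables-save output and the ipset membership lists become world-readable; the spec in this same patch keeps the config files at 0600, so `chmod 700 $RESTOREPATH` (or a `umask 077` at the top of save_config) would be consistent. The ipset companion is also installed unconditionally: `ipset -S >> $f` is never checked, so a missing or failing `ipset` binary still yields an executable restore script that will later run `ipset -F` and `ipset -X` followed by an empty `-R` block; guard it with `if ipset -S >> $f; then mv -f $f $RESTOREPATH; chmod 700 $RESTOREPATH; else rm -f $f; echo " ERROR: ipset contents not saved"; fi`. Finally, `RESTOREPATH=${RESTOREPATH}-ipsets` overwrites the caller's variable as a side effect of the function; a separate name for the companion path would avoid surprising code that reads RESTOREPATH after save_config returns.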
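Review bot: The two branches of read_yesno_with_timeout accept different answers: the native path treats `y|Y)` as yes, while the bash fallback accepts only lowercase (`if [ "$yn" == "y" ]`), so the same keystroke can accept a firewall configuration under one shell and reject it under another. Either align the fallback, e.g. `/bin/bash -c 'read -r -t 60 yn; case "$yn" in y|Y) exit 0;; *) exit 1;; esac'`, or let the fallback only perform the timed read and feed the answer to the outer case statement. Both `read` calls should use `-r`, and it is worth a comment that in bash a timeout yields a status above 128, which this function maps to "no" — the fail-safe direction for the callers in safe-start/safe-restart.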
@@ -846,6 +961,17 @@ case "$1" in RESTOREPATH=/var/lib/shorewall/$RESTOREFILE if [ -x $RESTOREPATH ]; then
+ if [ -x ${RESTOREPATH}-ipsets ]; then
+ echo Restoring Ipsets...
+ #
+ # We must purge iptables to be sure that there are no
+ # references to ipsets
+ #
+ iptables -F
+ iptables -X
+ ${RESTOREPATH}-ipsets
+ fi
+ echo Restoring Shorewall... $RESTOREPATH date > $STATEDIR/restarted
@@ -1035,7 +1161,8 @@ case "$1" in echo ip rule ls ip rule ls | while read rule; do
- table=${rule##* }
+ echo ${rule##* }
+ done | sort -u | while read table; do echo echo "Table $table:" echo
@@ -1187,47 +1314,8 @@ case "$1" in RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
- mutex_on
+ save_config
- if qt $IPTABLES -L shorewall -n; then
- [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
-
- if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
- echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
- else
- case $RESTOREFILE in
- save|restore-base)
- echo " ERROR: Reserved file name: $RESTOREFILE"
- ;;
- *)
- if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
- echo " Dynamic Rules Saved"
- if [ -f /var/lib/shorewall/restore-base ]; then
- cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
- if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
- echo __EOF__ >> /var/lib/shorewall/restore-$$
- [ -f /var/lib/shorewall/restore-tail ] && \
- cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
- mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
- chmod +x $RESTOREPATH
- echo " Currently-running Configuration Saved to $RESTOREPATH"
- else
- rm -f /var/lib/shorewall/restore-$$
- echo " ERROR: Currently-running Configuration Not Saved"
- fi
- else
- echo " ERROR: /var/lib/shorewall/restore-base does not exist"
- fi
- else
- echo "Error Saving the Dynamic Rules"
- fi
- ;;
- esac
- fi
- else
- echo "Shorewall isn't started"
- fi
- mutex_off ;; forget) case $# in 
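Review bot: The new ipset pre-restore block invokes the binary as `iptables -F` / `iptables -X` while every other call in this file goes through `$IPTABLES`, which shorewall.conf (also touched in this patch) lets the administrator point at a specific executable; use `$IPTABLES -F` and `$IPTABLES -X` here. The status of `${RESTOREPATH}-ipsets` is also ignored: once the filter table has been flushed, a failing ipset script may make the following `$RESTOREPATH` fail on unknown sets, and the host would be left with no rules loaded; at minimum test the status and fall through to the normal start path with a clear error. The enclosing restart case continues outside this hunk.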
@@ -1246,6 +1334,12 @@ case "$1" in RESTOREPATH=/var/lib/shorewall/$RESTOREFILE if [ -x $RESTOREPATH ]; then
+
+ if [ -x ${RESTOREPATH}-ipsets ]; then
+ rm -f ${RESTOREPATH}-ipsets
+ echo " ${RESTOREPATH}-ipsets removed"
+ fi
+ rm -f $RESTOREPATH echo " $RESTOREPATH removed" elif [ -f $RESTOREPATH ]; then
@@ -1302,11 +1396,22 @@ case "$1" in RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
- if [ -x $RESTOREPATH ]; then
+ [ -n "$nolock" ] || mutex_on
+
+ if [ -x $RESTOREPATH ]; then
+ if [ -x ${RESTOREPATH}-ipsets ] ; then
+ echo Restoring Ipsets...
+ iptables -F
+ iptables -X
+ ${RESTOREPATH}-ipsets
+ fi
+ echo Restoring Shorewall... $RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
+ [ -n "$nolock" ] || mutex_off else echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
+ [ -n "$nolock" ] || mutex_off exit 2 fi ;; 
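Review bot: In the restore command the filter table is flushed (`iptables -F` / `iptables -X`) before `$RESTOREPATH` runs, yet a failure of the restore script only suppresses the success echo: the command still releases the mutex and exits 0, leaving the firewall flushed while the caller — including the new safe-restart path, which does not check this command's status — believes the previous configuration is back. Propose `$RESTOREPATH || { echo "ERROR: restore from $RESTOREPATH failed" >&2; [ -n "$nolock" ] || mutex_off; exit 2; }`, and use `$IPTABLES` rather than bare `iptables` as elsewhere in the script. The `forget` hunk above correctly removes the `-ipsets` companion, so the two commands now agree on the file pair.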
@@ -1323,6 +1428,76 @@ case "$1" in [ $# -ne 1 ] && usage 1 help $@ ;;
+ safe-restart|safe-start)
+ # test is the shell supports timed read
+ read -t 0 junk 2> /dev/null
+ if [ $? -eq 2 -a ! -x /bin/bash ]
+ then
+ echo "Your shell does not support a feature required to execute this command".
+ exit 2
+ fi
+
+ mutex_on
+
+ if qt $IPTABLES -L shorewall -n
+ then
+ running=0
+ else
+ running=1
+ fi
+
+ if [ "$1" = "safe-start" -a $running -eq 0 ]
+ then
+ # the command is safe-start but the firewall is already running
+ $0 nolock $debugging start
+ ret=$?
+ exit 0
+ fi
+
+ if [ "$1" = "safe-start" -o $running -ne 0 ]
+ then
+ # the command is safe-start or shorewall is not started yet
+ command="start"
+ else
+ # the command is safe-restart and the firewall is already running
+ command="restart"
+ fi
+
+ if [ "$command" = "restart" ]
+ then
+ # save previous configuration
+ $0 nolock $debugging save "safe-start-restart"
+ fi
+
+ $0 nolock $debugging $command
+
+ echo -n "Do you want to accept the new firewall configuration? [y/n] "
+ read_yesno_with_timeout
+ if [ $? -eq 0 ]
+ then
+ echo "New configuration has been accepted"
+ if [ "$command" = "restart" ]
+ then
+ # removed previous configuration
+ rm /var/lib/shorewall/safe-start-restart
+ fi
+ else
+ if [ "$command" = "restart" ]
+ then
+ $0 nolock $debugging restore "safe-start-restart"
+ rm /var/lib/shorewall/safe-start-restart
+ else
+ $0 nolock $debugging clear
+ fi
+
+ mutex_off
+ echo "New configuration has been rejected and the old one restored"
+ exit 2
+ fi
+
+ mutex_off
+ [ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+ ;; *) usage 1 ;;
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index 424aeefe0..7df925578 100755
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf 
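Review bot: The early exit for safe-start on an already running firewall (`$0 nolock $debugging start`, `ret=$?`, `exit 0`) returns before `mutex_off`, so the lock taken a few lines earlier is held until MUTEX_TIMEOUT expires, and the captured status is thrown away; it should read `ret=$?; mutex_off; exit $ret`. The main `$0 nolock $debugging $command` status is likewise unchecked, so the operator is asked to accept a configuration even when the start or restart failed. On both the accept and reject paths the saved state is deleted with `rm /var/lib/shorewall/safe-start-restart`, which leaves the `safe-start-restart-ipsets` companion behind whenever SAVE_IPSETS=Yes; `$0 nolock $debugging forget safe-start-restart` removes both. The closing `[ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK` tests the status of `mutex_off`, not of the start, which is presumably not what was intended.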
@@ -1,5 +1,5 @@ ############################################################################## -# /etc/shorewall/shorewall.conf V2.2 - Change the following variables to +# /etc/shorewall/shorewall.conf V2.4 - Change the following variables to # match your setup # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] @@ -158,6 +158,7 @@ LOGALLNEW= # # See the comment at the top of this section for a description of log levels # + BLACKLIST_LOGLEVEL= # @@ -174,7 +175,6 @@ BLACKLIST_LOGLEVEL= # # Example: LOGNEWNOTSYN=debug - LOGNEWNOTSYN=info # @@ -251,6 +251,7 @@ BOGON_LOG_LEVEL=info # LOG_MARTIANS=No + ################################################################################ # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ################################################################################ @@ -261,12 +262,14 @@ LOG_MARTIANS=No # not specified or if specified with an empty value (e.g., IPTABLES="") then # the iptables executable located via the PATH setting below is used. # + IPTABLES= # # PATH - Change this if you want to change the order in which Shorewall # searches directories for executable files. # + PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin # @@ -336,6 +339,7 @@ CONFIG_PATH=/etc/shorewall:/usr/share/shorewall # assumed. RESTOREFILE= + ################################################################################ # F I R E W A L L O P T I O N S ################################################################################ @@ -345,6 +349,7 @@ RESTOREFILE= # Name of the firewall zone -- if not set or if set to an empty string, "fw" # is assumed. # + FW=fw # @@ -359,6 +364,7 @@ FW=fw # If you set this variable to "Keep" or "keep", Shorewall will neither # enable nor disable packet forwarding. # + IP_FORWARDING=On # 
@@ -368,6 +374,7 @@ IP_FORWARDING=On # for each NAT external address that you give in /etc/shorewall/nat. If you say # "No" or "no", you must add these aliases youself. # + ADD_IP_ALIASES=Yes # @@ -378,6 +385,7 @@ ADD_IP_ALIASES=Yes # "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless # you are sure that you need it -- most people don't!!! # + ADD_SNAT_ALIASES=No # @@ -393,6 +401,7 @@ ADD_SNAT_ALIASES=No # You can cause Shorewall to retain existing addresses by setting # RETAIN_ALIASES=Yes. # + RETAIN_ALIASES=No # @@ -475,6 +484,7 @@ MARK_IN_FORWARD_CHAIN=No # # CLAMPMSS=1400 # + CLAMPMSS=No # @@ -571,7 +581,6 @@ MUTEX_TIMEOUT=60 # The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis # using the 'newnotsyn' option in /etc/shorewall/interfaces and on a # network or host basis using the same option in /etc/shorewall/hosts. - # # I find that NEWNOTSYN=No tends to result in lots of "stuck" # connections because any network timeout during TCP session tear down @@ -609,6 +618,7 @@ NEWNOTSYN=Yes # If this variable is not set or it is set to the null value then # ADMINISABSENTMINDED=No is assumed. # + ADMINISABSENTMINDED=Yes # @@ -631,6 +641,7 @@ ADMINISABSENTMINDED=Yes # If the BLACKLISTNEWONLY option is not set or is set to the empty value then # BLACKLISTNEWONLY=No is assumed. # + BLACKLISTNEWONLY=Yes # 
@@ -791,6 +802,20 @@ RFC1918_STRICT=No MACLIST_TTL= +# +# Save/Restore IPSETS +# +# If SAVE_IPSETS=Yes then Shorewall will: +# +# Restore the last saved ipset contents during "shorewall [re]start" +# Save the current ipset contents during "shorewall save" +# +# Regardless of the setting of SAVE_IPSETS, if ipset contents were +# saved during a "shorewall save" then they will be restored during +# a subsequent "shorewall restore". + +SAVE_IPSETS=No + ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################ diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 2854e317a..dd0e38d04 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 2.2.5 +%define version 2.4.0 %define release 1 %define prefix /usr @@ -95,6 +95,8 @@ fi %attr(0600,root,root) %config(noreplace) /etc/shorewall/actions %attr(0600,root,root) %config(noreplace) /etc/shorewall/continue %attr(0600,root,root) %config(noreplace) /etc/shorewall/started +%attr(0600,root,root) %config(noreplace) /etc/shorewall/routes +%attr(0600,root,root) %config(noreplace) /etc/shorewall/providers %attr(0544,root,root) /sbin/shorewall @@ -139,8 +141,16 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn %changelog -* Fri May 20 2005 Tom Eastep tom@shorewall.net -- Updated to 2.2.5-1 +* Thu Jun 02 2005 Tom Eastep tom@shorewall.net +- Updated to 2.4.0-1 +* Sun May 30 2005 Tom Eastep tom@shorewall.net +- Updated to 2.4.0-0RC2 +* Thu May 19 2005 Tom Eastep tom@shorewall.net +- Updated to 2.4.0-0RC1 +* Thu May 19 2005 Tom Eastep tom@shorewall.net +- Updated to 2.3.2-1 +* Sun May 15 2005 Tom Eastep tom@shorewall.net +- Updated to 2.3.1-1 * Mon Apr 11 2005 Tom Eastep tom@shorewall.net - Updated to 2.2.4-1 * Fri Apr 08 2005 Tom Eastep tom@shorewall.net 
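Review bot: The SAVE_IPSETS description should warn that restoring is not limited to Shorewall's own sets: the generated restore script runs `ipset -U :all: :all:`, `ipset -F` and `ipset -X` before `ipset -R`, so every ipset on the host, including ones created by other tools, is destroyed and replaced by the saved contents. Suggest adding `# WARNING: restoring ipsets first destroys ALL existing ipsets on the system, not only those referenced by Shorewall.` and a note that ipset contents are stored in plain text under /var/lib/shorewall alongside the saved ruleset.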
diff --git a/Shorewall/start b/Shorewall/start index 471a8a9b0..10f1655ad 100644 --- a/Shorewall/start +++ b/Shorewall/start @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.2 -- /etc/shorewall/start +# Shorewall 2.4 -- /etc/shorewall/start # # Add commands below that you want to be executed after shorewall has # been started or restarted. diff --git a/Shorewall/started b/Shorewall/started index 255e0a7ad..8d49213fb 100644 --- a/Shorewall/started +++ b/Shorewall/started @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.2 -- /etc/shorewall/started +# Shorewall 2.4 -- /etc/shorewall/started # # Add commands below that you want to be executed after shorewall has # been completely started or restarted. The difference between this diff --git a/Shorewall/stop b/Shorewall/stop index 2c4acbdb6..b12ea8d9b 100644 --- a/Shorewall/stop +++ b/Shorewall/stop @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.2 -- /etc/shorewall/stop +# Shorewall 2.4 -- /etc/shorewall/stop # # Add commands below that you want to be executed at the beginning of a # "shorewall stop" command. diff --git a/Shorewall/stopped b/Shorewall/stopped index b1aa78ab4..997f46755 100644 --- a/Shorewall/stopped +++ b/Shorewall/stopped @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.2 -- /etc/shorewall/stopped +# Shorewall 2.4 -- /etc/shorewall/stopped # # Add commands below that you want to be executed at the completion of a # "shorewall stop" command. diff --git a/Shorewall/tcrules b/Shorewall/tcrules index 3a758b262..69f8f2222 100755 --- a/Shorewall/tcrules +++ b/Shorewall/tcrules @@ -1,5 +1,5 @@ # -# Shorewall version 2.2 - Traffic Control Rules File +# Shorewall version 2.4 - Traffic Control Rules File # # /etc/shorewall/tcrules # 
@@ -16,10 +16,14 @@ # final mark for each packet will be the one assigned by the # LAST tcrule that matches. # +# If you use multiple internet providers with the 'track' option, +# in /etc/shorewall/providers be sure to read the restrictions at +# http://shorewall.net/Shorewall_and_Routing.html. +# # Columns are: # # -# MARK/ a) A mark value which is a integer in the range 1-255 +# MARK/ a) A mark value which is an integer in the range 1-255 # CLASSIFY # May optionally be followed by ":P" or ":F" # where ":P" indicates that marking should occur in @@ -130,10 +134,11 @@ # # It may contain : # -# []:[] +# []:[][+] # -# The colon is optionnal when specifying only a user. -# Examples : john: / john / :users / john:users +# The colon is optionnal when specifying only a user +# or a program name. +# Examples : john: , john , :users , john:users , +mozilla-bin # # TEST Defines a test on the existing packet or connection mark. # The rule will match only if the test returns true. Tests diff --git a/Shorewall/tos b/Shorewall/tos index 1a41a5d6c..2b37ddd57 100755 --- a/Shorewall/tos +++ b/Shorewall/tos @@ -1,5 +1,5 @@ # -# Shorewall 2.2 -- /etc/shorewall/tos +# Shorewall 2.4 -- /etc/shorewall/tos # # This file defines rules for setting Type Of Service (TOS) # diff --git a/Shorewall/tunnel b/Shorewall/tunnel index 5aedabbca..1f5527b5d 100755 --- a/Shorewall/tunnel +++ b/Shorewall/tunnel @@ -2,7 +2,7 @@ RCDLINKS="2,S45 3,S45 6,K45" ################################################################################ -# Script to create a gre or ipip tunnel -- Shorewall 2.2 +# Script to create a gre or ipip tunnel -- Shorewall 2.4 # # Modified - Steve Cowles 5/9/2000 # Incorporated init {start|stop} syntax and iproute2 usage diff --git a/Shorewall/tunnels b/Shorewall/tunnels index 83a4d7949..e80dd54c4 100644 --- a/Shorewall/tunnels +++ b/Shorewall/tunnels 
@@ -1,5 +1,5 @@ # -# Shorewall 2.2 - /etc/shorewall/tunnels +# Shorewall 2.4 - /etc/shorewall/tunnels # # This file defines IPSEC, GRE, IPIP and OPENVPN tunnels. # diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index 0c56410c9..f7146225a 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=2.2.5 +VERSION=2.4.0 usage() # $1 = exit status { diff --git a/Shorewall/zones b/Shorewall/zones index 88a3ecfef..d0fe7705e 100644 --- a/Shorewall/zones +++ b/Shorewall/zones @@ -1,5 +1,5 @@ # -# Shorewall 2.2 /etc/shorewall/zones +# Shorewall 2.4 /etc/shorewall/zones # # This file determines your network zones. Columns are: #