From 2c84f6433a72d2471df4a251ac26d990ef36ae7c Mon Sep 17 00:00:00 2001
From: paulgear
Date: Thu, 26 Jan 2006 03:13:34 +0000
Subject: [PATCH] Separated out all SSL services from their plaintext equivalents, added a few comments about usage. Suggest deprecating macro.Web in favour of HTTP & HTTPS. Any comments?
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3383 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/macro.HTTP | 12 ++++++++++++
 Shorewall/macro.HTTPS | 12 ++++++++++++
 Shorewall/macro.IMAP | 6 +++---
 Shorewall/macro.IMAPS | 13 +++++++++++++
 Shorewall/macro.LDAP | 10 +++++++---
 Shorewall/macro.LDAPS | 17 +++++++++++++++++
 Shorewall/macro.NNTP | 6 +++---
 Shorewall/macro.NNTPS | 13 +++++++++++++
 Shorewall/macro.POP3 | 6 +++---
 Shorewall/macro.POP3S | 13 +++++++++++++
 Shorewall/macro.SMTP | 8 +++++---
 Shorewall/macro.SMTPS | 17 +++++++++++++++++
 Shorewall/macro.Web | 4 +++-
 13 files changed, 121 insertions(+), 16 deletions(-)
 create mode 100644 Shorewall/macro.HTTP
 create mode 100644 Shorewall/macro.HTTPS
 create mode 100644 Shorewall/macro.IMAPS
 create mode 100644 Shorewall/macro.LDAPS
 create mode 100644 Shorewall/macro.NNTPS
 create mode 100644 Shorewall/macro.POP3S
 create mode 100644 Shorewall/macro.SMTPS
diff --git a/Shorewall/macro.HTTP b/Shorewall/macro.HTTP
new file mode 100644
index 000000000..87b5ff17a
--- /dev/null
+++ b/Shorewall/macro.HTTP
@@ -0,0 +1,12 @@
+#
+# Shorewall version 3.2 - HTTP Macro
+#
+# /usr/share/shorewall/macro.HTTP
+#
+# This macro handles plaintext HTTP (WWW) traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# PORT PORT(S) DEST LIMIT GROUP
+PARAM - - tcp 80
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/macro.HTTPS b/Shorewall/macro.HTTPS
new file mode 100644
index 000000000..60255abb6
--- /dev/null
+++ b/Shorewall/macro.HTTPS
@@ -0,0 +1,12 @@
+#
+# Shorewall version 3.2 - HTTPS Macro
+#
+# /usr/share/shorewall/macro.HTTPS
+#
+# This macro handles HTTPS (WWW over SSL) traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# PORT PORT(S) DEST LIMIT GROUP
+PARAM - - tcp 443
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/macro.IMAP b/Shorewall/macro.IMAP
index 8d676bc71..711982092 100644
--- a/Shorewall/macro.IMAP
+++ b/Shorewall/macro.IMAP
@@ -3,11 +3,11 @@
 #
 # /usr/share/shorewall/macro.IMAP
 #
-# This macro handles IMAP traffic (secure and insecure).
+# This macro handles plaintext IMAP traffic. For encrypted IMAP,
+# see macro.IMAPS.
 #
 ###############################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
 # PORT PORT(S) DEST LIMIT GROUP
-PARAM - - tcp 143 # Unsecure IMAP
-PARAM - - tcp 993 # Secure IMAP
+PARAM - - tcp 143
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/macro.IMAPS b/Shorewall/macro.IMAPS
new file mode 100644
index 000000000..01d29c971
--- /dev/null
+++ b/Shorewall/macro.IMAPS
@@ -0,0 +1,13 @@
+#
+# Shorewall version 3.2 - IMAPS Macro
+#
+# /usr/share/shorewall/macro.IMAPS
+#
+# This macro handles encrypted IMAP traffic. For plaintext IMAP
+# (not recommended), see macro.IMAP.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# PORT PORT(S) DEST LIMIT GROUP
+PARAM - - tcp 993
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/macro.LDAP b/Shorewall/macro.LDAP
index 9a95ed9c8..85f8009ca 100644
--- a/Shorewall/macro.LDAP
+++ b/Shorewall/macro.LDAP
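Review bot: Removing `PARAM - - tcp 993 # Secure IMAP` from macro.IMAP narrows every existing rules entry that references the IMAP macro — after this change such rules stop matching port 993, and the same silent narrowing happens with ports 636, 563, 995 and 465 in the LDAP, NNTP, POP3 and SMTP hunks. Nothing in the new header text tells an administrator that the encrypted port moved, so encrypted mail and directory traffic that used to be allowed will be dropped until they add the new macros to their rules. I would add a line to each affected header, e.g. `# Note: port 993 (IMAPS) is no longer included in this macro; use macro.IMAPS.`, and call the change out in the release notes for this version.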
@@ -3,11 +3,15 @@
 #
 # /usr/share/shorewall/macro.LDAP
 #
-# This macro handles LDAP traffic (secure and insecure)
+# This macro handles plaintext LDAP traffic. For encrypted LDAP
+# traffic, see macro.LDAPS. Use of LDAPS is recommended (and is
+# required by some directory services) if you want to do user
+# authentication over LDAP. Note that some LDAP implementations
+# support initiating TLS connections via the plaintext LDAP port.
+# Consult your LDAP server documentation for details.
 #
 ###############################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
 # PORT PORT(S) DEST LIMIT GROUP
-PARAM - - tcp 389 # plaintext
-PARAM - - tcp 636 # over SSL
+PARAM - - tcp 389
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/macro.LDAPS b/Shorewall/macro.LDAPS
new file mode 100644
index 000000000..a559df8c5
--- /dev/null
+++ b/Shorewall/macro.LDAPS
@@ -0,0 +1,17 @@
+#
+# Shorewall version 3.2 - LDAPS Macro
+#
+# /usr/share/shorewall/macro.LDAPS
+#
+# This macro handles encrypted LDAP traffic. For plaintext LDAP
+# traffic, see macro.LDAP. Use of LDAPS is recommended (and is
+# required by some directory services) if you want to do user
+# authentication over LDAP. Note that some LDAP implementations
+# support initiating TLS connections via the plaintext LDAP port.
+# Consult your LDAP server documentation for details.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# PORT PORT(S) DEST LIMIT GROUP
+PARAM - - tcp 636
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/macro.NNTP b/Shorewall/macro.NNTP
index 97caa0894..91912f97e 100644
--- a/Shorewall/macro.NNTP
+++ b/Shorewall/macro.NNTP
@@ -3,11 +3,11 @@
 #
 # /usr/share/shorewall/macro.NNTP
 #
-# This macro handles NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
+# This macro handles plaintext NNTP traffic (Usenet). For
+# encrypted NNTP, see macro.NNTPS.
 #
 ###############################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
 # PORT PORT(S) DEST LIMIT GROUP
-PARAM - - tcp 119 # plaintext
-PARAM - - tcp 563 # over SSL
+PARAM - - tcp 119
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/macro.NNTPS b/Shorewall/macro.NNTPS
new file mode 100644
index 000000000..aaa7c67a8
--- /dev/null
+++ b/Shorewall/macro.NNTPS
@@ -0,0 +1,13 @@
+#
+# Shorewall version 3.2 NNTPS Macro
+#
+# /usr/share/shorewall/macro.NNTPS
+#
+# This macro handles encrypted NNTP traffic (Usenet). For
+# plaintext NNTP, see macro.NNTP.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# PORT PORT(S) DEST LIMIT GROUP
+PARAM - - tcp 563
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/macro.POP3 b/Shorewall/macro.POP3
index c446596ec..5221f3bc2 100644
--- a/Shorewall/macro.POP3
+++ b/Shorewall/macro.POP3
@@ -3,11 +3,11 @@
 #
 # /usr/share/shorewall/macro.POP3
 #
-# This macro handles POP3 traffic (secure and insecure).
+# This macro handles plaintext POP3 traffic. For encrypted POP3,
+# see macro.POP3S.
 #
 ###############################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
 # PORT PORT(S) DEST LIMIT GROUP
-PARAM - - tcp 110 # Unsecure POP3
-PARAM - - tcp 995 # Secure POP3
+PARAM - - tcp 110
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/macro.POP3S b/Shorewall/macro.POP3S
new file mode 100644
index 000000000..b920a5280
--- /dev/null
+++ b/Shorewall/macro.POP3S
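Review bot: The title line of the new macro.NNTPS, `# Shorewall version 3.2 NNTPS Macro`, is the only new header in this commit without the ` - ` separator that macro.HTTPS, macro.IMAPS, macro.LDAPS, macro.POP3S and macro.SMTPS all use. It should read `# Shorewall version 3.2 - NNTPS Macro` so the files stay uniform for anyone grepping the macro directory. The wording "(not recommended)" attached to the plaintext cross-reference in macro.IMAPS is likewise absent here and in macro.POP3S; either all three plaintext protocols carry it or none should.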
@@ -0,0 +1,13 @@
+#
+# Shorewall version 3.2 - POP3S Macro
+#
+# /usr/share/shorewall/macro.POP3S
+#
+# This macro handles encrypted POP3 traffic. For plaintext POP3,
+# see macro.POP3.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# PORT PORT(S) DEST LIMIT GROUP
+PARAM - - tcp 995 # Secure POP3
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/macro.SMTP b/Shorewall/macro.SMTP
index 871848a8a..711fd5dd8 100644
--- a/Shorewall/macro.SMTP
+++ b/Shorewall/macro.SMTP
@@ -3,7 +3,10 @@
 #
 # /usr/share/shorewall/macro.SMTP
 #
-# This macro handles SMTP (email) traffic.
+# This macro handles plaintext SMTP (email) traffic. For SMTP
+# encrypted over SSL, use macro.SMTPS. Note that STARTTLS can be
+# used over the standard STMP port, so the use of this macro
+# doesn't necessarily imply the use of an insecure connection.
 #
 # Note: This macro handles traffic between an MUA (Email client)
 # and an MTA (mail server) or between MTAs. It does not enable
@@ -13,6 +16,5 @@
 ###############################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
 # PORT PORT(S) DEST LIMIT GROUP
-PARAM - - tcp 25 # plaintext
-PARAM - - tcp 465 # over SSL
+PARAM - - tcp 25
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/macro.SMTPS b/Shorewall/macro.SMTPS
new file mode 100644
index 000000000..0fc910a40
--- /dev/null
+++ b/Shorewall/macro.SMTPS
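Review bot: The rule line in the new macro.POP3S, `PARAM - - tcp 995 # Secure POP3`, keeps the inline comment that was carried over from the old two-line macro.POP3, while the equivalent lines in macro.HTTPS, macro.IMAPS, macro.LDAPS, macro.NNTPS and macro.SMTPS have no trailing comment. With the file now dedicated to the encrypted port the comment adds nothing, so the line should be just `PARAM - - tcp 995` to match the other new macros.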
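Review bot: The new macro.SMTP header has a typo in the protocol name: "STMP" in `# used over the standard STMP port, so the use of this macro` should be `# used over the standard SMTP port, so the use of this macro`. The STARTTLS remark itself is a useful caveat for anyone reading the rules, since the firewall cannot distinguish an upgraded session from a plaintext one on port 25; it might be worth stating that explicitly, e.g. `# (the firewall cannot tell whether a port 25 session was upgraded)`. The same two-hunk split of the comment block and the rule line also applies to the second SMTP hunk below, which only drops port 465.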
@@ -0,0 +1,17 @@
+#
+# Shorewall version 3.2 - SMTPS Macro
+#
+# /usr/share/shorewall/macro.SMTPS
+#
+# This macro handles encrypted SMTPS (email) traffic.
+#
+# Note: This macro handles traffic between an MUA (Email client)
+# and an MTA (mail server) or between MTAs. It does not enable
+# reading of email via POP3 or IMAP. For those you need to use
+# the POP3(S) or IMAP(S) macros.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# PORT PORT(S) DEST LIMIT GROUP
+PARAM - - tcp 465
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/macro.Web b/Shorewall/macro.Web
index 4d296bd7f..d8a2ff386 100644
--- a/Shorewall/macro.Web
+++ b/Shorewall/macro.Web
@@ -3,7 +3,9 @@
 #
 # /usr/share/shorewall/macro.Web
 #
-# This macro handles WWW traffic (secure and insecure).
+# This macro handles WWW traffic (secure and insecure). This
+# macro is deprecated - use of macro.HTTP and macro.HTTPS instead
+# is recommended.
 #
 ###############################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
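Review bot: The description line in the new macro.SMTPS, `# This macro handles encrypted SMTPS (email) traffic.`, is the only new encrypted-service header that does not point back to its plaintext counterpart, and "encrypted SMTPS" is redundant. Since macro.SMTP in this same commit explains that STARTTLS can run on port 25, a reader of macro.SMTPS should be told that port 465 is not the only route to an encrypted session; I would write `# This macro handles SMTP (email) traffic over SSL (SMTPS). For plaintext` followed by `# SMTP, or STARTTLS on the standard SMTP port, see macro.SMTP.`.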