extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-22 23:53:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Changes for 1.3.9

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@267 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-09-29 21:47:51 +00:00
parent 43a722c9c5
commit 3c2d6c59ca
10 changed files with 291 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

312
Lrp/etc/init.d/shorewall
View File

@ -70,10 +70,18 @@ list_search() # $1 = element to search for , $2-$n = list
return 1
}
###############################################################################
# Function to count list elements #
###############################################################################
list_count() {
local temp="`separate_list $1`"
echo $temp | wc -w
}
###############################################################################
# Mutual exclusion -- These functions are jackets for the mutual exclusion #
# routines in /var/lib/shorewall/functions. They invoke #
# routines in /usr/lib/shorewall/functions. They invoke #
# the corresponding function in that file if the user did #
# not specify "nolock" on the runline. #
###############################################################################
@ -200,7 +208,8 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules
state="ESTABLISHED"
[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
run_iptables -A $1 -m state --state $state -j ACCEPT
run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn
[ -z "$NEWNOTSYN" ] && \
run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn
fi
eval ${1}_exists=Yes
@ -583,7 +592,7 @@ validate_rule() {
# Ensure that the passed comma-separated list has 15 or fewer elements
#
validate_list() {
local temp=`separate_list $1`
local temp="`separate_list $1`"
[ `echo $temp | wc -w` -le 15 ]
}
@ -600,10 +609,13 @@ validate_rule() {
[ -n "$client" ] && case "$client" in
-)
;;
*:*)
cli="-i ${client%:*} -s ${client#*:}"
;;
~*)
cli=`mac_match $client`
;;
[0-9]*|![0-9]*)
*.*.*)
#
# IP Address, address or subnet
#
@ -623,7 +635,7 @@ validate_rule() {
-)
serv=
;;
[0-9]*|![0-9]*)
*.*.*)
serv=$server
;;
~*)
@ -660,6 +672,7 @@ validate_rule() {
state="-m state --state RELATED"
;;
*)
state=
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
startup_error "Port number not allowed with protocol " \
"\"$proto\"; rule: \"$rule\""
@ -766,7 +779,7 @@ validate_rule() {
clientzone="$clients"
clients=
else
clientzone="${clients%:*}"
clientzone="${clients%%:*}"
clients="${clients#*:}"
[ -z "$clientzone" -o -z "$clients" ] && \
startup_error "Error: Empty source zone or qualifier: rule \"$rule\""
@ -1132,10 +1145,10 @@ setup_tunnels() # $1 = name of tunnels file
setup_one_ipsec() # $1 = gateway $2 = gateway zone
{
options="-m state --state NEW -j ACCEPT"
addrule $inchain -p 50 -s $1 $options
addrule $outchain -p 50 -d $1 $options
run_iptables -A $inchain -p 51 -s $1 $options
run_iptables -A $outchain -p 51 -d $1 $options
addrule $inchain -p 50 -s $1
addrule $outchain -p 50 -d $1
run_iptables -A $inchain -p 51 -s $1
run_iptables -A $outchain -p 51 -d $1
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
@ -1153,9 +1166,8 @@ setup_tunnels() # $1 = name of tunnels file
setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
{
options="-m state --state NEW -j ACCEPT"
addrule $inchain -p $3 -s $2 $options
addrule $outchain -p $3 -d $2 $options
addrule $inchain -p $3 -s $2
addrule $outchain -p $3 -d $2
echo " $1 tunnel to $gateway defined."
}
@ -1372,7 +1384,7 @@ process_tc_rule()
if [ "x$source" != "x-" ]; then
case $source in
[0-9]*)
*.*.*)
r="-s $source "
;;
~*)
@ -1615,7 +1627,10 @@ add_a_rule()
[ -n "$client" ] && case "$client" in
-)
;;
[0-9]*|![0-9]*)
*:*)
cli="-i ${client%:*} -s ${client#*:}"
;;
*.*.*)
cli="-s $client"
;;
~*)
@ -1634,7 +1649,7 @@ add_a_rule()
-)
serv=
;;
[0-9]*|![0-9]*)
*.*.*)
serv=$server
;;
*)
@ -1689,6 +1704,7 @@ add_a_rule()
state="-m state --state RELATED"
;;
*)
state=
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
fatal_error "Port number not allowed with protocol " \
"\"$proto\"; rule: \"$rule\""
@ -1728,7 +1744,11 @@ add_a_rule()
# A specific server or server port given
[ -n "$addr" -a "$addr" != "$serv" ] && add_nat_rule
if [ -n "$addr" -a "$addr" != "$serv" ]; then
add_nat_rule
elif [ -n "$servport" -a "$servport" != "$port" ]; then
add_nat_rule
fi
serv="${serv:+-d $serv}"
@ -1771,14 +1791,6 @@ add_a_rule()
################################################################################
process_rule() {
# Function to count list elements
list_count() {
local temp=`separate_list $1`
echo $temp | wc -w
}
# Function Body -- isolate log level
if [ "$target" = "${target%:*}" ]; then
@ -1815,7 +1827,7 @@ process_rule() {
clientzone="$clients"
clients=
else
clientzone="${clients%:*}"
clientzone="${clients%%:*}"
clients="${clients#*:}"
[ -z "$clientzone" -o -z "$clients" ] && \
fatal_error "Error: Empty source zone or qualifier: rule \"$rule\""
@ -1962,7 +1974,7 @@ process_tos_rule() {
fi
[ -n "$src" ] && case "$src" in
[0-9]*|![0-9]*)
*.*.*)
#
# IP Address or subnet
#
@ -2005,7 +2017,7 @@ process_tos_rule() {
fi
[ -n "$dst" ] && case "$dst" in
[0-9]*|![0-9]*)
*.*.*)
#
# IP Address or subnet
#
@ -2322,7 +2334,7 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
run_user_exit $1
while read client server policy loglevel synparams; do
expandv client server policy loglevelsynparams
expandv client server policy loglevel synparams
[ "x$loglevel" = "x-" ] && loglevel=
@ -2396,6 +2408,10 @@ setup_masq()
interface="${interface%:*}"
fi
if ! list_search $interface $all_interfaces; then
fatal_error "Error: Unknown interface $interface"
fi
if [ "$subnet" = "${subnet%!*}" ]; then
nomasq=
else
@ -2407,7 +2423,7 @@ setup_masq()
iface=
case $subnet in
[0-9]*|![0-9]*)
*.*.*)
source="$subnet"
subnet="-s $subnet"
;;
@ -2496,15 +2512,34 @@ setup_intrazone() # $1 = zone
ensurechain ${1}2${1}
fi
}
###############################################################################
# Add a record to the blacklst chain #
# #
# $source = address match #
# $proto = protocol selector #
# $dport = destination port selector #
###############################################################################
add_blacklist_rule() {
[ -n "$BLACKLIST_LOGLEVEL" ] && \
run_iptables -A blacklst $source $proto $dport -j \
LOG $LOGPARMS --log-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
--log-level $BLACKLIST_LOGLEVEL
run_iptables -A blacklst $source $proto $dport -j $disposition
}
###############################################################################
# Process a record from the blacklist file #
# #
# $subnet = address/subnet #
# $protocol = Protocol Number/Name #
# $port = Port Number/Name #
###############################################################################
process_blacklist_rec() {
local source
local addr
local proto
local dport
for addr in `separate_list $subnet`; do
case $addr in
@ -2516,14 +2551,55 @@ process_blacklist_rec() {
source="-s $addr"
;;
esac
if [ -n "$protocol" ]; then
proto=" -p $protocol "
[ -n "$BLACKLIST_LOGLEVEL" ] && \
run_iptables -A blacklst $source -j LOG $LOGPARMS --log-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
--log-level $BLACKLIST_LOGLEVEL
run_iptables -A blacklst $source -j $disposition
case $protocol in
tcp|TCP|6|udp|UDP|17)
if [ -n "$ports" ]; then
if [ -n "$MULTIPORT" -a \
"$ports" != "${ports%,*}" -a \
"$ports" = "${ports%:*}" -a \
`list_count $ports` -le 15 ]
then
dport="-m multiport --dports $ports"
add_blacklist_rule
else
for dport in `separate_list $ports`; do
dport="--dport $dport"
add_blacklist_rule
done
fi
else
add_blacklist_rule
fi
;;
icmp|ICMP|0)
if [ -n "$ports" ]; then
for dport in `separate_list $ports`; do
dport="--icmp-type $dport"
add_blacklist_rule
done
else
add_blacklist_rule
fi
;;
*)
add_blacklist_rule
;;
esac
else
add_blacklist_rule
fi
echo " $addr added to Black List"
if [ -n "$ports" ]; then
addr="$addr $protocol $ports"
elif [ -n "$protocol" ]; then
addr="$addr $protocol"
fi
echo " $addr added to Black List"
done
}
@ -2552,8 +2628,8 @@ setup_blacklist() {
[ "$disposition" = REJECT ] && disposition=reject
while read subnet; do
expandv subnet
while read subnet protocol ports; do
expandv subnet protocol ports
process_blacklist_rec
done < $TMP_DIR/blacklist
@ -2576,8 +2652,8 @@ refresh_blacklist() {
run_iptables -F blacklst
while read subnet; do
expandv subnet
while read subnet protocol ports; do
expandv subnet protocol ports
process_blacklist_rec
done < $TMP_DIR/blacklist
fi
@ -2714,24 +2790,31 @@ initialize_netfilter () {
setpolicy INPUT DROP
setpolicy OUTPUT DROP
setpolicy FORWARD DROP
deleteallchains
setcontinue FORWARD
setcontinue INPUT
setcontinue OUTPUT
#
# Allow DNS lookups during startup for FQDNs
#
run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT
[ -n "$CLAMPMSS" ] && \
run_iptables -A FORWARD -p tcp \
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
createchain newnotsyn no
run_user_exit newnotsyn
[ -n "$LOGNEWNOTSYN" ] && \
run_iptables -A newnotsyn -j LOG \
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
run_iptables -A newnotsyn -j DROP
if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no
run_user_exit newnotsyn
[ -n "$LOGNEWNOTSYN" ] && \
run_iptables -A newnotsyn -j LOG \
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
run_iptables -A newnotsyn -j DROP
fi
createchain icmpdef no
createchain common no
@ -2762,6 +2845,42 @@ initialize_netfilter () {
done
}
################################################################################
# Build the common chain -- called during [re]start and refresh #
################################################################################
build_common_chain() {
###########################################################################
# PING
#
[ -n "$FORWARDPING" ] && \
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
############################################################################
# Common ICMP rules
#
run_user_exit icmpdef
############################################################################
# Common rules in each chain
#
common=`find_file common`
if [ -f $common ]; then
. $common
else
. `find_file common.def`
fi
###########################################################################
# New Not Syn Stuff
#
if [ -n "$NEWNOTSYN" ]; then
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
fi
###########################################################################
# BROADCASTS
#
drop_broadcasts `find_broadcasts`
}
################################################################################
# Construct zone-independent rules #
################################################################################
@ -2825,37 +2944,17 @@ add_common_rules() {
echo " $interface"
done
fi
###########################################################################
# PING
#
[ -n "$FORWARDPING" ] && \
run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT
############################################################################
# Common ICMP rules
#
run_user_exit icmpdef
############################################################################
# Common rules in each chain
#
common=`find_file common`
if [ -f $common ]; then
. $common
else
. `find_file common.def`
fi
###########################################################################
# BROADCASTS
#
drop_broadcasts `find_broadcasts`
build_common_chain
###########################################################################
# DHCP
#
echo "Adding rules for DHCP"
for interface in `find_interfaces_by_option dhcp`; do
run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
done
###########################################################################
@ -3108,19 +3207,29 @@ activate_rules()
chain="`rules_chain $zone $zone1`"
if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then
have_canonical=Yes
else
have_canonical=
fi
for host in $source_hosts; do
interface=${host%:*}
subnet=${host#*:}
chain1=`forward_chain $interface`
case $interface in
*+*)
multi=yes
;;
*)
list_search $interface $multi_interfaces && multi=yes || multi=
;;
esac
if [ -n "$have_canonical" ]; then
multi=yes
else
case $interface in
*+*)
multi=yes
;;
*)
list_search $interface $multi_interfaces && multi=yes || multi=
;;
esac
fi
for host1 in $dest_hosts; do
interface1=${host1%:*}
@ -3148,6 +3257,9 @@ activate_rules()
run_iptables -D INPUT 1
run_iptables -D OUTPUT 1
run_iptables -D FORWARD 1
run_iptables -D OUTPUT -p udp --dport 53 -j ACCEPT
run_iptables -D FORWARD -p udp --dport 53 -j ACCEPT
}
################################################################################
@ -3155,6 +3267,16 @@ activate_rules()
################################################################################
define_firewall() # $1 = Command (Start or Restart)
{
if [ -f /etc/shorewall/startup_disabled ]; then
echo " Shorewall Startup is disabled -- to enable startup"
echo " after you have completed Shorewall configuration,"
echo " remove the file /etc/shorewall/startup_disabled"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2
fi
echo "${1}ing Shorewall..."
verify_os_version
@ -3232,7 +3354,7 @@ define_firewall() # $1 = Command (Start or Restart)
createchain shorewall no
date > /var/lib/shorewall/restarted
date > $STATEDIR/restarted
report "Shorewall ${1}ed"
@ -3303,25 +3425,8 @@ refresh_firewall()
run_iptables -F common
echo "Adding Common Rules"
###########################################################################
# PING
#
[ -n "$FORWARDPING" ] && \
run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT
############################################################################
# Common rules in each chain
#
common=`find_file common`
if [ -f $common ]; then
. $common
else
. `find_file common.def`
fi
###########################################################################
# BROADCASTS
#
drop_broadcasts `find_broadcasts`
build_common_chain
###########################################################################
# Blacklist
@ -3416,6 +3521,7 @@ do_initialize() {
DETECT_DNAT_IPADDRS=
MERGE_HOSTS=
MUTEX_TIMEOUT=
NEWNOTSYN=
LOGNEWNOTSYN=
FORWARDPING=
stopping=
@ -3431,7 +3537,7 @@ do_initialize() {
trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
functions=/var/lib/shorewall/functions
functions=/usr/lib/shorewall/functions
if [ -f $functions ]; then
. $functions
@ -3439,7 +3545,7 @@ do_initialize() {
startup_error "$functions does not exist!"
fi
version_file=/var/lib/shorewall/version
version_file=/usr/lib/shorewall/version
[ -f $version_file ] && version=`cat $version_file`
#
@ -3455,6 +3561,7 @@ do_initialize() {
[ -d $STATEDIR ] || mkdir -p $STATEDIR
[ -z "$FW" ] && FW=fw
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
@ -3495,6 +3602,7 @@ do_initialize() {
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
}
################################################################################
@ -3541,6 +3649,7 @@ case "$command" in
if qt iptables -L shorewall -n ; then
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
echo "Shorewall Already Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 0;
fi
@ -3570,7 +3679,7 @@ case "$command" in
reset)
iptables -L -n -Z -v
report "Shorewall Counters Reset"
date > /var/lib/shorewall/restarted
date > $STATEDIR/restarted
;;
refresh)
@ -3578,6 +3687,7 @@ case "$command" in
my_mutex_on
if ! qt iptables -L shorewall -n ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2;
fi

30
Lrp/etc/shorewall/blacklist
View File

@ -4,16 +4,40 @@
# /etc/shorewall/blacklist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
#
# Columns are:
#
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
#
# MAC addresses must be prefixed with "~" and use "-"
# as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# PROTOCOL - Optional. If specified, must be a protocol number
# or a protocol name from /etc/protocols.
#
# PORTS - Optional. May only be specified if the protocol
# is TCP (6) or UDP (17). A comma-separated list
# of port numbers or service names from /etc/services.
#
# When a packet arrives on in interface that has the 'blacklist' option
# specified, its source IP address is checked against this file and disposed of
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
# /etc/shorewall/shorewall.conf
#
# MAC addresses must be prefixed with "~" and use "-" as a separator.
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked.
#
# Example:
#
# To block DNS queries from address 192.0.2.126:
#
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
#
# Example: ~00-A0-C9-15-39-78
###############################################################################
#ADDRESS/SUBNET
#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

4
Lrp/etc/shorewall/masq
View File

@ -37,7 +37,9 @@
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
# the address given in this column is the primary
# IP address for the interface in the INTERFACE
# column.
# column.
#
# This column may not contain a DNS Name.
#
# Example 1:
#

4
Lrp/etc/shorewall/nat
View File

@ -14,10 +14,10 @@
#
# EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next
# column.
# column and must not be a DNS Name.
# INTERFACE Interface that we want to EXTERNAL address to appear
# on
# INTERNAL Internal Address
# INTERNAL Internal Address (must not be a DNS Name).
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
# from all hosts. If No or no then NAT will be effective
# only through the interface named in the INTERFACE

16
Lrp/etc/shorewall/rules
View File

@ -56,9 +56,12 @@
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# by appending ":" followed by the interface name. For
# example, loc:eth1 specifies a client that
# communicates with the firewall system through eth1.
# by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones or $FW to indicate the firewall
@ -68,6 +71,13 @@
# subnet, host or interface by appending ":" and the
# subnet, host or interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the

19
Lrp/etc/shorewall/shorewall.conf
View File

@ -340,6 +340,8 @@ MUTEX_TIMEOUT=60
#
# LOGGING 'New not SYN' rejects
#
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
@ -358,4 +360,21 @@ LOGNEWNOTSYN=
FORWARDPING=Yes
#
# NEWNOTSYN
#
# If this variable is set to "No" or "no", then When a TCP packet that does
# not have the SYN flag set and the ACK and RST flags clear then unless the
# packet is part of an established connection, it will be dropped by the
# firewall
#
# If this variable is set to "Yes" or "yes" then such packets will not be
# dropped but will pass through the normal rule processing.
#
# Users with a High-availability setup with two firewall's and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes.
NEWNOTSYN=No
#LAST LINE -- DO NOT REMOVE

21
Lrp/sbin/shorewall
View File

@ -312,6 +312,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
echo -e "Dropped/Rejected Packet Log\\n"
show_reset
rejects=`iptables -L -v -n | grep 'LOG'`
if [ "$rejects" != "$oldrejects" ]; then
@ -384,6 +386,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
echo -e "Dropped/Rejected Packet Log\\n"
show_reset
rejects=`iptables -L -v -n | grep 'LOG'`
if [ "$rejects" != "$oldrejects" ]; then
@ -437,8 +441,8 @@ usage() # $1 = exit status
# Display the time that the counters were last reset #
#################################################################################
show_reset() {
[ -f /var/lib/shorewall/restarted ] && \
echo -e "Counters reset `cat /var/lib/shorewall/restarted`\\n"
[ -f $STATEDIR/restarted ] && \
echo -e "Counters reset `cat $STATEDIR/restarted`\\n"
}
#################################################################################
@ -491,7 +495,7 @@ fi
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
functions=/var/lib/shorewall/functions
functions=/usr/lib/shorewall/functions
if [ -f $functions ]; then
. $functions
@ -500,7 +504,7 @@ else
exit 2
fi
firewall=/var/lib/shorewall/firewall
firewall=/usr/lib/shorewall/firewall
if [ ! -f $firewall ]; then
echo "ERROR: Shorewall is not properly installed"
@ -508,7 +512,7 @@ if [ ! -f $firewall ]; then
echo " $firewall is a symbolic link to a"
echo " non-existant file"
else
echo " The file /var/lib/shorewall/firewall does not exist"
echo " The file /usr/lib/shorewall/firewall does not exist"
fi
exit 2
@ -516,13 +520,13 @@ fi
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
version_file=/var/lib/shorewall/version
version_file=/usr/lib/shorewall/version
if [ -f $version_file ]; then
version=`cat $version_file`
else
echo "ERROR: Shorewall is not properly installed"
echo " The file /var/lib/shorewall/version does not exist"
echo " The file /usr/lib/shorewall/version does not exist"
exit 1
fi
@ -546,6 +550,7 @@ case "$1" in
iptables -t nat -L -n -v
;;
tos|mangle)
get_config
echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n"
show_reset
iptables -t mangle -L -n -v
@ -553,6 +558,7 @@ case "$1" in
log)
get_config
echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n"
show_reset
host=`echo $HOSTNAME | sed 's/\..*$//'`
packet_log 20
;;
@ -561,6 +567,7 @@ case "$1" in
show_tc
;;
*)
get_config
echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n"
show_reset
iptables -L $2 -n -v

2
Lrp/var/lib/shorewall/functions → Lrp/usr/lib/shorewall/functions
View File

@ -1,6 +1,6 @@
#!/bin/sh
#
# Shorewall 1.3 -- /var/lib/shorewall/functions
# Shorewall 1.3 -- /usr/lib/shorewall/functions
#
# Suppress all output for a command

1
Lrp/var/lib/lrpkg/shorwall.list
View File

@ -1,5 +1,6 @@
etc/init.d/shorewall
etc/shorewall
sbin/shorewall
usr/lib/shorewall
var/lib/shorewall
var/lib/lrpkg/shorwall.*

1
Lrp/var/lib/shorewall/version
View File

@ -1 +0,0 @@
1.3.7c