Changes for 1.3.9

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@267 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-09-29 21:47:51 +00:00
parent 43a722c9c5
commit 3c2d6c59ca
10 changed files with 291 additions and 119 deletions


@ -70,10 +70,18 @@ list_search() # $1 = element to search for , $2-$n = list
return 1 return 1
} }
###############################################################################
# Function to count list elements #
###############################################################################
list_count() {
local temp="`separate_list $1`"
echo $temp | wc -w
}
############################################################################### ###############################################################################
# Mutual exclusion -- These functions are jackets for the mutual exclusion # # Mutual exclusion -- These functions are jackets for the mutual exclusion #
# routines in /var/lib/shorewall/functions. They invoke # # routines in /usr/lib/shorewall/functions. They invoke #
# the corresponding function in that file if the user did # # the corresponding function in that file if the user did #
# not specify "nolock" on the runline. # # not specify "nolock" on the runline. #
############################################################################### ###############################################################################
@ -200,6 +208,7 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules
state="ESTABLISHED" state="ESTABLISHED"
[ -n "$ALLOWRELATED" ] && state="$state,RELATED" [ -n "$ALLOWRELATED" ] && state="$state,RELATED"
run_iptables -A $1 -m state --state $state -j ACCEPT run_iptables -A $1 -m state --state $state -j ACCEPT
[ -z "$NEWNOTSYN" ] && \
run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn
fi fi
@ -583,7 +592,7 @@ validate_rule() {
# Ensure that the passed comma-separated list has 15 or fewer elements # Ensure that the passed comma-separated list has 15 or fewer elements
# #
validate_list() { validate_list() {
local temp=`separate_list $1` local temp="`separate_list $1`"
[ `echo $temp | wc -w` -le 15 ] [ `echo $temp | wc -w` -le 15 ]
} }
@ -600,10 +609,13 @@ validate_rule() {
[ -n "$client" ] && case "$client" in [ -n "$client" ] && case "$client" in
-) -)
;; ;;
*:*)
cli="-i ${client%:*} -s ${client#*:}"
;;
~*) ~*)
cli=`mac_match $client` cli=`mac_match $client`
;; ;;
[0-9]*|![0-9]*) *.*.*)
# #
# IP Address, address or subnet # IP Address, address or subnet
# #
@ -623,7 +635,7 @@ validate_rule() {
-) -)
serv= serv=
;; ;;
[0-9]*|![0-9]*) *.*.*)
serv=$server serv=$server
;; ;;
~*) ~*)
@ -660,6 +672,7 @@ validate_rule() {
state="-m state --state RELATED" state="-m state --state RELATED"
;; ;;
*) *)
state=
[ -n "$port" ] && [ "x${port}" != "x-" ] && \ [ -n "$port" ] && [ "x${port}" != "x-" ] && \
startup_error "Port number not allowed with protocol " \ startup_error "Port number not allowed with protocol " \
"\"$proto\"; rule: \"$rule\"" "\"$proto\"; rule: \"$rule\""
@ -766,7 +779,7 @@ validate_rule() {
clientzone="$clients" clientzone="$clients"
clients= clients=
else else
clientzone="${clients%:*}" clientzone="${clients%%:*}"
clients="${clients#*:}" clients="${clients#*:}"
[ -z "$clientzone" -o -z "$clients" ] && \ [ -z "$clientzone" -o -z "$clients" ] && \
startup_error "Error: Empty source zone or qualifier: rule \"$rule\"" startup_error "Error: Empty source zone or qualifier: rule \"$rule\""
@ -1132,10 +1145,10 @@ setup_tunnels() # $1 = name of tunnels file
setup_one_ipsec() # $1 = gateway $2 = gateway zone setup_one_ipsec() # $1 = gateway $2 = gateway zone
{ {
options="-m state --state NEW -j ACCEPT" options="-m state --state NEW -j ACCEPT"
addrule $inchain -p 50 -s $1 $options addrule $inchain -p 50 -s $1
addrule $outchain -p 50 -d $1 $options addrule $outchain -p 50 -d $1
run_iptables -A $inchain -p 51 -s $1 $options run_iptables -A $inchain -p 51 -s $1
run_iptables -A $outchain -p 51 -d $1 $options run_iptables -A $outchain -p 51 -d $1
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
@ -1153,9 +1166,8 @@ setup_tunnels() # $1 = name of tunnels file
setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
{ {
options="-m state --state NEW -j ACCEPT" addrule $inchain -p $3 -s $2
addrule $inchain -p $3 -s $2 $options addrule $outchain -p $3 -d $2
addrule $outchain -p $3 -d $2 $options
echo " $1 tunnel to $gateway defined." echo " $1 tunnel to $gateway defined."
} }
@ -1372,7 +1384,7 @@ process_tc_rule()
if [ "x$source" != "x-" ]; then if [ "x$source" != "x-" ]; then
case $source in case $source in
[0-9]*) *.*.*)
r="-s $source " r="-s $source "
;; ;;
~*) ~*)
@ -1615,7 +1627,10 @@ add_a_rule()
[ -n "$client" ] && case "$client" in [ -n "$client" ] && case "$client" in
-) -)
;; ;;
[0-9]*|![0-9]*) *:*)
cli="-i ${client%:*} -s ${client#*:}"
;;
*.*.*)
cli="-s $client" cli="-s $client"
;; ;;
~*) ~*)
@ -1634,7 +1649,7 @@ add_a_rule()
-) -)
serv= serv=
;; ;;
[0-9]*|![0-9]*) *.*.*)
serv=$server serv=$server
;; ;;
*) *)
@ -1689,6 +1704,7 @@ add_a_rule()
state="-m state --state RELATED" state="-m state --state RELATED"
;; ;;
*) *)
state=
[ -n "$port" ] && [ "x${port}" != "x-" ] && \ [ -n "$port" ] && [ "x${port}" != "x-" ] && \
fatal_error "Port number not allowed with protocol " \ fatal_error "Port number not allowed with protocol " \
"\"$proto\"; rule: \"$rule\"" "\"$proto\"; rule: \"$rule\""
@ -1728,7 +1744,11 @@ add_a_rule()
# A specific server or server port given # A specific server or server port given
[ -n "$addr" -a "$addr" != "$serv" ] && add_nat_rule if [ -n "$addr" -a "$addr" != "$serv" ]; then
add_nat_rule
elif [ -n "$servport" -a "$servport" != "$port" ]; then
add_nat_rule
fi
serv="${serv:+-d $serv}" serv="${serv:+-d $serv}"
@ -1771,14 +1791,6 @@ add_a_rule()
################################################################################ ################################################################################
process_rule() { process_rule() {
# Function to count list elements
list_count() {
local temp=`separate_list $1`
echo $temp | wc -w
}
# Function Body -- isolate log level # Function Body -- isolate log level
if [ "$target" = "${target%:*}" ]; then if [ "$target" = "${target%:*}" ]; then
@ -1815,7 +1827,7 @@ process_rule() {
clientzone="$clients" clientzone="$clients"
clients= clients=
else else
clientzone="${clients%:*}" clientzone="${clients%%:*}"
clients="${clients#*:}" clients="${clients#*:}"
[ -z "$clientzone" -o -z "$clients" ] && \ [ -z "$clientzone" -o -z "$clients" ] && \
fatal_error "Error: Empty source zone or qualifier: rule \"$rule\"" fatal_error "Error: Empty source zone or qualifier: rule \"$rule\""
@ -1962,7 +1974,7 @@ process_tos_rule() {
fi fi
[ -n "$src" ] && case "$src" in [ -n "$src" ] && case "$src" in
[0-9]*|![0-9]*) *.*.*)
# #
# IP Address or subnet # IP Address or subnet
# #
@ -2005,7 +2017,7 @@ process_tos_rule() {
fi fi
[ -n "$dst" ] && case "$dst" in [ -n "$dst" ] && case "$dst" in
[0-9]*|![0-9]*) *.*.*)
# #
# IP Address or subnet # IP Address or subnet
# #
@ -2322,7 +2334,7 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
run_user_exit $1 run_user_exit $1
while read client server policy loglevel synparams; do while read client server policy loglevel synparams; do
expandv client server policy loglevelsynparams expandv client server policy loglevel synparams
[ "x$loglevel" = "x-" ] && loglevel= [ "x$loglevel" = "x-" ] && loglevel=
@ -2396,6 +2408,10 @@ setup_masq()
interface="${interface%:*}" interface="${interface%:*}"
fi fi
if ! list_search $interface $all_interfaces; then
fatal_error "Error: Unknown interface $interface"
fi
if [ "$subnet" = "${subnet%!*}" ]; then if [ "$subnet" = "${subnet%!*}" ]; then
nomasq= nomasq=
else else
@ -2407,7 +2423,7 @@ setup_masq()
iface= iface=
case $subnet in case $subnet in
[0-9]*|![0-9]*) *.*.*)
source="$subnet" source="$subnet"
subnet="-s $subnet" subnet="-s $subnet"
;; ;;
@ -2496,15 +2512,34 @@ setup_intrazone() # $1 = zone
ensurechain ${1}2${1} ensurechain ${1}2${1}
fi fi
} }
###############################################################################
# Add a record to the blacklst chain #
# #
# $source = address match #
# $proto = protocol selector #
# $dport = destination port selector #
###############################################################################
add_blacklist_rule() {
[ -n "$BLACKLIST_LOGLEVEL" ] && \
run_iptables -A blacklst $source $proto $dport -j \
LOG $LOGPARMS --log-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
--log-level $BLACKLIST_LOGLEVEL
run_iptables -A blacklst $source $proto $dport -j $disposition
}
############################################################################### ###############################################################################
# Process a record from the blacklist file # # Process a record from the blacklist file #
# # # #
# $subnet = address/subnet # # $subnet = address/subnet #
# $protocol = Protocol Number/Name #
# $port = Port Number/Name #
############################################################################### ###############################################################################
process_blacklist_rec() { process_blacklist_rec() {
local source local source
local addr local addr
local proto
local dport
for addr in `separate_list $subnet`; do for addr in `separate_list $subnet`; do
case $addr in case $addr in
@ -2517,11 +2552,52 @@ process_blacklist_rec() {
;; ;;
esac esac
[ -n "$BLACKLIST_LOGLEVEL" ] && \ if [ -n "$protocol" ]; then
run_iptables -A blacklst $source -j LOG $LOGPARMS --log-prefix \ proto=" -p $protocol "
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
--log-level $BLACKLIST_LOGLEVEL case $protocol in
run_iptables -A blacklst $source -j $disposition tcp|TCP|6|udp|UDP|17)
if [ -n "$ports" ]; then
if [ -n "$MULTIPORT" -a \
"$ports" != "${ports%,*}" -a \
"$ports" = "${ports%:*}" -a \
`list_count $ports` -le 15 ]
then
dport="-m multiport --dports $ports"
add_blacklist_rule
else
for dport in `separate_list $ports`; do
dport="--dport $dport"
add_blacklist_rule
done
fi
else
add_blacklist_rule
fi
;;
icmp|ICMP|0)
if [ -n "$ports" ]; then
for dport in `separate_list $ports`; do
dport="--icmp-type $dport"
add_blacklist_rule
done
else
add_blacklist_rule
fi
;;
*)
add_blacklist_rule
;;
esac
else
add_blacklist_rule
fi
if [ -n "$ports" ]; then
addr="$addr $protocol $ports"
elif [ -n "$protocol" ]; then
addr="$addr $protocol"
fi
echo " $addr added to Black List" echo " $addr added to Black List"
done done
@ -2552,8 +2628,8 @@ setup_blacklist() {
[ "$disposition" = REJECT ] && disposition=reject [ "$disposition" = REJECT ] && disposition=reject
while read subnet; do while read subnet protocol ports; do
expandv subnet expandv subnet protocol ports
process_blacklist_rec process_blacklist_rec
done < $TMP_DIR/blacklist done < $TMP_DIR/blacklist
@ -2576,8 +2652,8 @@ refresh_blacklist() {
run_iptables -F blacklst run_iptables -F blacklst
while read subnet; do while read subnet protocol ports; do
expandv subnet expandv subnet protocol ports
process_blacklist_rec process_blacklist_rec
done < $TMP_DIR/blacklist done < $TMP_DIR/blacklist
fi fi
@ -2720,18 +2796,25 @@ initialize_netfilter () {
setcontinue FORWARD setcontinue FORWARD
setcontinue INPUT setcontinue INPUT
setcontinue OUTPUT setcontinue OUTPUT
#
# Allow DNS lookups during startup for FQDNs
#
run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT
[ -n "$CLAMPMSS" ] && \ [ -n "$CLAMPMSS" ] && \
run_iptables -A FORWARD -p tcp \ run_iptables -A FORWARD -p tcp \
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no createchain newnotsyn no
run_user_exit newnotsyn run_user_exit newnotsyn
[ -n "$LOGNEWNOTSYN" ] && \ [ -n "$LOGNEWNOTSYN" ] && \
run_iptables -A newnotsyn -j LOG \ run_iptables -A newnotsyn -j LOG \
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN --log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
run_iptables -A newnotsyn -j DROP run_iptables -A newnotsyn -j DROP
fi
createchain icmpdef no createchain icmpdef no
createchain common no createchain common no
@ -2762,6 +2845,42 @@ initialize_netfilter () {
done done
} }
################################################################################
# Build the common chain -- called during [re]start and refresh #
################################################################################
build_common_chain() {
###########################################################################
# PING
#
[ -n "$FORWARDPING" ] && \
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
############################################################################
# Common ICMP rules
#
run_user_exit icmpdef
############################################################################
# Common rules in each chain
#
common=`find_file common`
if [ -f $common ]; then
. $common
else
. `find_file common.def`
fi
###########################################################################
# New Not Syn Stuff
#
if [ -n "$NEWNOTSYN" ]; then
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
fi
###########################################################################
# BROADCASTS
#
drop_broadcasts `find_broadcasts`
}
################################################################################ ################################################################################
# Construct zone-independent rules # # Construct zone-independent rules #
################################################################################ ################################################################################
@ -2825,29 +2944,9 @@ add_common_rules() {
echo " $interface" echo " $interface"
done done
fi fi
###########################################################################
# PING
#
[ -n "$FORWARDPING" ] && \
run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT
############################################################################
# Common ICMP rules
#
run_user_exit icmpdef
############################################################################
# Common rules in each chain
#
common=`find_file common`
if [ -f $common ]; then build_common_chain
. $common
else
. `find_file common.def`
fi
###########################################################################
# BROADCASTS
#
drop_broadcasts `find_broadcasts`
########################################################################### ###########################################################################
# DHCP # DHCP
# #
@ -3108,11 +3207,20 @@ activate_rules()
chain="`rules_chain $zone $zone1`" chain="`rules_chain $zone $zone1`"
if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then
have_canonical=Yes
else
have_canonical=
fi
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
subnet=${host#*:} subnet=${host#*:}
chain1=`forward_chain $interface` chain1=`forward_chain $interface`
if [ -n "$have_canonical" ]; then
multi=yes
else
case $interface in case $interface in
*+*) *+*)
multi=yes multi=yes
@ -3121,6 +3229,7 @@ activate_rules()
list_search $interface $multi_interfaces && multi=yes || multi= list_search $interface $multi_interfaces && multi=yes || multi=
;; ;;
esac esac
fi
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
interface1=${host1%:*} interface1=${host1%:*}
@ -3148,6 +3257,9 @@ activate_rules()
run_iptables -D INPUT 1 run_iptables -D INPUT 1
run_iptables -D OUTPUT 1 run_iptables -D OUTPUT 1
run_iptables -D FORWARD 1 run_iptables -D FORWARD 1
run_iptables -D OUTPUT -p udp --dport 53 -j ACCEPT
run_iptables -D FORWARD -p udp --dport 53 -j ACCEPT
} }
################################################################################ ################################################################################
@ -3155,6 +3267,16 @@ activate_rules()
################################################################################ ################################################################################
define_firewall() # $1 = Command (Start or Restart) define_firewall() # $1 = Command (Start or Restart)
{ {
if [ -f /etc/shorewall/startup_disabled ]; then
echo " Shorewall Startup is disabled -- to enable startup"
echo " after you have completed Shorewall configuration,"
echo " remove the file /etc/shorewall/startup_disabled"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2
fi
echo "${1}ing Shorewall..." echo "${1}ing Shorewall..."
verify_os_version verify_os_version
@ -3232,7 +3354,7 @@ define_firewall() # $1 = Command (Start or Restart)
createchain shorewall no createchain shorewall no
date > /var/lib/shorewall/restarted date > $STATEDIR/restarted
report "Shorewall ${1}ed" report "Shorewall ${1}ed"
@ -3303,25 +3425,8 @@ refresh_firewall()
run_iptables -F common run_iptables -F common
echo "Adding Common Rules" echo "Adding Common Rules"
###########################################################################
# PING
#
[ -n "$FORWARDPING" ] && \
run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT
############################################################################
# Common rules in each chain
#
common=`find_file common`
if [ -f $common ]; then build_common_chain
. $common
else
. `find_file common.def`
fi
###########################################################################
# BROADCASTS
#
drop_broadcasts `find_broadcasts`
########################################################################### ###########################################################################
# Blacklist # Blacklist
@ -3416,6 +3521,7 @@ do_initialize() {
DETECT_DNAT_IPADDRS= DETECT_DNAT_IPADDRS=
MERGE_HOSTS= MERGE_HOSTS=
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
NEWNOTSYN=
LOGNEWNOTSYN= LOGNEWNOTSYN=
FORWARDPING= FORWARDPING=
stopping= stopping=
@ -3431,7 +3537,7 @@ do_initialize() {
trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9 trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
functions=/var/lib/shorewall/functions functions=/usr/lib/shorewall/functions
if [ -f $functions ]; then if [ -f $functions ]; then
. $functions . $functions
@ -3439,7 +3545,7 @@ do_initialize() {
startup_error "$functions does not exist!" startup_error "$functions does not exist!"
fi fi
version_file=/var/lib/shorewall/version version_file=/usr/lib/shorewall/version
[ -f $version_file ] && version=`cat $version_file` [ -f $version_file ] && version=`cat $version_file`
# #
@ -3455,6 +3561,7 @@ do_initialize() {
[ -d $STATEDIR ] || mkdir -p $STATEDIR [ -d $STATEDIR ] || mkdir -p $STATEDIR
[ -z "$FW" ] && FW=fw [ -z "$FW" ] && FW=fw
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`" ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
@ -3495,6 +3602,7 @@ do_initialize() {
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS` DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS` MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING` FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
} }
################################################################################ ################################################################################
@ -3541,6 +3649,7 @@ case "$command" in
if qt iptables -L shorewall -n ; then if qt iptables -L shorewall -n ; then
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
echo "Shorewall Already Started" echo "Shorewall Already Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off my_mutex_off
exit 0; exit 0;
fi fi
@ -3570,7 +3679,7 @@ case "$command" in
reset) reset)
iptables -L -n -Z -v iptables -L -n -Z -v
report "Shorewall Counters Reset" report "Shorewall Counters Reset"
date > /var/lib/shorewall/restarted date > $STATEDIR/restarted
;; ;;
refresh) refresh)
@ -3578,6 +3687,7 @@ case "$command" in
my_mutex_on my_mutex_on
if ! qt iptables -L shorewall -n ; then if ! qt iptables -L shorewall -n ; then
echo "Shorewall Not Started" echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off my_mutex_off
exit 2; exit 2;
fi fi
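Review bot: In process_blacklist_rec the `icmp|ICMP|0)` arm uses the wrong protocol number: ICMP is protocol 1 in /etc/protocols (0 is IP/HOPOPT), so a record written as `1 8` falls into the `*)` arm, where `$ports` is silently discarded and every ICMP packet from that address is blocked instead of just type 8, while `0 8` would emit `-p 0 --icmp-type 8`, which iptables rejects. Change the arm to `icmp|ICMP|1)`, and have the `*)` arm refuse a PORTS value rather than drop it, e.g. `[ -n "$ports" ] && fatal_error "Error: PORTS allowed only with TCP, UDP or ICMP: \"$subnet $protocol $ports\""` (use whichever of startup_error/fatal_error the two callers expect at start versus refresh time; I cannot tell from here which applies on refresh). The new header comment also names `$port` while the code reads `$ports`; make it `# $ports = Comma-separated port numbers/names (TCP/UDP) or ICMP types #`.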


@ -4,16 +4,40 @@
# /etc/shorewall/blacklist # /etc/shorewall/blacklist
# #
# This file contains a list of IP addresses, MAC addresses and/or subnetworks. # This file contains a list of IP addresses, MAC addresses and/or subnetworks.
#
# Columns are:
#
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
#
# MAC addresses must be prefixed with "~" and use "-"
# as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# PROTOCOL - Optional. If specified, must be a protocol number
# or a protocol name from /etc/protocols.
#
# PORTS - Optional. May only be specified if the protocol
# is TCP (6) or UDP (17). A comma-separated list
# of port numbers or service names from /etc/services.
#
# When a packet arrives on in interface that has the 'blacklist' option # When a packet arrives on in interface that has the 'blacklist' option
# specified, its source IP address is checked against this file and disposed of # specified, its source IP address is checked against this file and disposed of
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in # according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
# /etc/shorewall/shorewall.conf # /etc/shorewall/shorewall.conf
# #
# MAC addresses must be prefixed with "~" and use "-" as a separator. # If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked.
#
# Example:
#
# To block DNS queries from address 192.0.2.126:
#
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
# #
# Example: ~00-A0-C9-15-39-78
############################################################################### ###############################################################################
#ADDRESS/SUBNET #ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
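Review bot: The PORTS description states that ports may only be given when the protocol is TCP (6) or UDP (17), but process_blacklist_rec in this same commit's firewall script also accepts a PORTS value for protocol icmp and emits each entry as `--icmp-type`, so the documentation and the code disagree; either document the ICMP case here or keep the restriction and have the script reject it. The column heading also says `PORT` where the text says `PORTS`; suggest `#ADDRESS/SUBNET PROTOCOL PORTS` for both the heading and the example.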


@ -39,6 +39,8 @@
# IP address for the interface in the INTERFACE # IP address for the interface in the INTERFACE
# column. # column.
# #
# This column may not contain a DNS Name.
#
# Example 1: # Example 1:
# #
# You have a simple masquerading setup where eth0 connects to # You have a simple masquerading setup where eth0 connects to


@ -14,10 +14,10 @@
# #
# EXTERNAL External IP Address - this should NOT be the primary # EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next # IP address of the interface named in the next
# column. # column and must not be a DNS Name.
# INTERFACE Interface that we want to EXTERNAL address to appear # INTERFACE Interface that we want to EXTERNAL address to appear
# on # on
# INTERNAL Internal Address # INTERNAL Internal Address (must not be a DNS Name).
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective # ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
# from all hosts. If No or no then NAT will be effective # from all hosts. If No or no then NAT will be effective
# only through the interface named in the INTERFACE # only through the interface named in the INTERFACE


@ -56,9 +56,12 @@
# MAC address 00:A0:C9:15:39:78. # MAC address 00:A0:C9:15:39:78.
# #
# Alternatively, clients may be specified by interface # Alternatively, clients may be specified by interface
# by appending ":" followed by the interface name. For # by appending ":" to the zone name followed by the
# example, loc:eth1 specifies a client that # interface name. For example, loc:eth1 specifies a
# communicates with the firewall system through eth1. # client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5).
# #
# DEST Location of Server. May be a zone defined in # DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones or $FW to indicate the firewall # /etc/shorewall/zones or $FW to indicate the firewall
@ -68,6 +71,13 @@
# subnet, host or interface by appending ":" and the # subnet, host or interface by appending ":" and the
# subnet, host or interface. See above. # subnet, host or interface. See above.
# #
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
#
# The port that the server is listening on may be # The port that the server is listening on may be
# included and separated from the server's IP address by # included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the # ":". If omitted, the firewall will not modifiy the


@ -340,6 +340,8 @@ MUTEX_TIMEOUT=60
# #
# LOGGING 'New not SYN' rejects # LOGGING 'New not SYN' rejects
# #
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST # When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection, # flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged, # it will be rejected by the firewall. If you want these rejects logged,
@ -358,4 +360,21 @@ LOGNEWNOTSYN=
FORWARDPING=Yes FORWARDPING=Yes
#
# NEWNOTSYN
#
# If this variable is set to "No" or "no", then When a TCP packet that does
# not have the SYN flag set and the ACK and RST flags clear then unless the
# packet is part of an established connection, it will be dropped by the
# firewall
#
# If this variable is set to "Yes" or "yes" then such packets will not be
# dropped but will pass through the normal rule processing.
#
# Users with a High-availability setup with two firewall's and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes.
NEWNOTSYN=No
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE
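Review bot: The NEWNOTSYN text says that with `Yes` such packets "pass through the normal rule processing", but build_common_chain in this commit's firewall script appends `-p tcp --tcp-flags ACK ACK -j ACCEPT` and `-p tcp --tcp-flags RST RST -j ACCEPT` to the common chain when NEWNOTSYN is set, so if the common chain is consulted before the zone policy action (I cannot confirm the chain order from this page) those non-SYN segments are accepted rather than falling through to the policy. The comment should state that consequence, e.g. `# With NEWNOTSYN=Yes, TCP packets with ACK or RST set that reach the common chain are ACCEPTed there rather than handled by the zone policy.` The sentence "then When a TCP packet ... then unless" should lose its first "then", and "two firewall's" should read "two firewalls".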


@ -312,6 +312,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
echo -e "Dropped/Rejected Packet Log\\n" echo -e "Dropped/Rejected Packet Log\\n"
show_reset
rejects=`iptables -L -v -n | grep 'LOG'` rejects=`iptables -L -v -n | grep 'LOG'`
if [ "$rejects" != "$oldrejects" ]; then if [ "$rejects" != "$oldrejects" ]; then
@ -384,6 +386,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
echo -e "Dropped/Rejected Packet Log\\n" echo -e "Dropped/Rejected Packet Log\\n"
show_reset
rejects=`iptables -L -v -n | grep 'LOG'` rejects=`iptables -L -v -n | grep 'LOG'`
if [ "$rejects" != "$oldrejects" ]; then if [ "$rejects" != "$oldrejects" ]; then
@ -437,8 +441,8 @@ usage() # $1 = exit status
# Display the time that the counters were last reset # # Display the time that the counters were last reset #
################################################################################# #################################################################################
show_reset() { show_reset() {
[ -f /var/lib/shorewall/restarted ] && \ [ -f $STATEDIR/restarted ] && \
echo -e "Counters reset `cat /var/lib/shorewall/restarted`\\n" echo -e "Counters reset `cat $STATEDIR/restarted`\\n"
} }
################################################################################# #################################################################################
@ -491,7 +495,7 @@ fi
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
functions=/var/lib/shorewall/functions functions=/usr/lib/shorewall/functions
if [ -f $functions ]; then if [ -f $functions ]; then
. $functions . $functions
@ -500,7 +504,7 @@ else
exit 2 exit 2
fi fi
firewall=/var/lib/shorewall/firewall firewall=/usr/lib/shorewall/firewall
if [ ! -f $firewall ]; then if [ ! -f $firewall ]; then
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
@ -508,7 +512,7 @@ if [ ! -f $firewall ]; then
echo " $firewall is a symbolic link to a" echo " $firewall is a symbolic link to a"
echo " non-existant file" echo " non-existant file"
else else
echo " The file /var/lib/shorewall/firewall does not exist" echo " The file /usr/lib/shorewall/firewall does not exist"
fi fi
exit 2 exit 2
@ -516,13 +520,13 @@ fi
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
version_file=/var/lib/shorewall/version version_file=/usr/lib/shorewall/version
if [ -f $version_file ]; then if [ -f $version_file ]; then
version=`cat $version_file` version=`cat $version_file`
else else
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
echo " The file /var/lib/shorewall/version does not exist" echo " The file /usr/lib/shorewall/version does not exist"
exit 1 exit 1
fi fi
@ -546,6 +550,7 @@ case "$1" in
iptables -t nat -L -n -v iptables -t nat -L -n -v
;; ;;
tos|mangle) tos|mangle)
get_config
echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n"
show_reset show_reset
iptables -t mangle -L -n -v iptables -t mangle -L -n -v
@ -553,6 +558,7 @@ case "$1" in
log) log)
get_config get_config
echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n"
show_reset
host=`echo $HOSTNAME | sed 's/\..*$//'` host=`echo $HOSTNAME | sed 's/\..*$//'`
packet_log 20 packet_log 20
;; ;;
@ -561,6 +567,7 @@ case "$1" in
show_tc show_tc
;; ;;
*) *)
get_config
echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n"
show_reset show_reset
iptables -L $2 -n -v iptables -L $2 -n -v
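Review bot: show_reset now reads `$STATEDIR/restarted`, so it only works after get_config has populated STATEDIR; the `tos|mangle`, `log` and `*)` arms call get_config before it, but the two new show_reset calls in monitor_firewall and logwatch (after the "Dropped/Rejected Packet Log" banner) sit in functions whose start lies outside the hunk, and I cannot see whether get_config has run there. With an empty STATEDIR the test degrades to `[ -f /restarted ]` and the reset time is silently omitted. Making the dependency explicit avoids that: `[ -n "$STATEDIR" -a -f "$STATEDIR/restarted" ] && \`.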


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Shorewall 1.3 -- /var/lib/shorewall/functions # Shorewall 1.3 -- /usr/lib/shorewall/functions
# #
# Suppress all output for a command # Suppress all output for a command


@ -1,5 +1,6 @@
etc/init.d/shorewall etc/init.d/shorewall
etc/shorewall etc/shorewall
sbin/shorewall sbin/shorewall
usr/lib/shorewall
var/lib/shorewall var/lib/shorewall
var/lib/lrpkg/shorwall.* var/lib/lrpkg/shorwall.*


@ -1 +0,0 @@
1.3.7c