mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-26 17:43:15 +01:00
Changes for 1.3.9
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@267 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
43a722c9c5
commit
3c2d6c59ca
@ -70,10 +70,18 @@ list_search() # $1 = element to search for , $2-$n = list
|
||||
|
||||
return 1
|
||||
}
|
||||
###############################################################################
|
||||
# Function to count list elements #
|
||||
###############################################################################
|
||||
list_count() {
|
||||
local temp="`separate_list $1`"
|
||||
|
||||
echo $temp | wc -w
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
# Mutual exclusion -- These functions are jackets for the mutual exclusion #
|
||||
# routines in /var/lib/shorewall/functions. They invoke #
|
||||
# routines in /usr/lib/shorewall/functions. They invoke #
|
||||
# the corresponding function in that file if the user did #
|
||||
# not specify "nolock" on the runline. #
|
||||
###############################################################################
|
||||
@ -200,6 +208,7 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules
|
||||
state="ESTABLISHED"
|
||||
[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
|
||||
run_iptables -A $1 -m state --state $state -j ACCEPT
|
||||
[ -z "$NEWNOTSYN" ] && \
|
||||
run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn
|
||||
fi
|
||||
|
||||
@ -583,7 +592,7 @@ validate_rule() {
|
||||
# Ensure that the passed comma-separated list has 15 or fewer elements
|
||||
#
|
||||
validate_list() {
|
||||
local temp=`separate_list $1`
|
||||
local temp="`separate_list $1`"
|
||||
|
||||
[ `echo $temp | wc -w` -le 15 ]
|
||||
}
|
||||
@ -600,10 +609,13 @@ validate_rule() {
|
||||
[ -n "$client" ] && case "$client" in
|
||||
-)
|
||||
;;
|
||||
*:*)
|
||||
cli="-i ${client%:*} -s ${client#*:}"
|
||||
;;
|
||||
~*)
|
||||
cli=`mac_match $client`
|
||||
;;
|
||||
[0-9]*|![0-9]*)
|
||||
*.*.*)
|
||||
#
|
||||
# IP Address, address or subnet
|
||||
#
|
||||
@ -623,7 +635,7 @@ validate_rule() {
|
||||
-)
|
||||
serv=
|
||||
;;
|
||||
[0-9]*|![0-9]*)
|
||||
*.*.*)
|
||||
serv=$server
|
||||
;;
|
||||
~*)
|
||||
@ -660,6 +672,7 @@ validate_rule() {
|
||||
state="-m state --state RELATED"
|
||||
;;
|
||||
*)
|
||||
state=
|
||||
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
|
||||
startup_error "Port number not allowed with protocol " \
|
||||
"\"$proto\"; rule: \"$rule\""
|
||||
@ -766,7 +779,7 @@ validate_rule() {
|
||||
clientzone="$clients"
|
||||
clients=
|
||||
else
|
||||
clientzone="${clients%:*}"
|
||||
clientzone="${clients%%:*}"
|
||||
clients="${clients#*:}"
|
||||
[ -z "$clientzone" -o -z "$clients" ] && \
|
||||
startup_error "Error: Empty source zone or qualifier: rule \"$rule\""
|
||||
@ -1132,10 +1145,10 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
setup_one_ipsec() # $1 = gateway $2 = gateway zone
|
||||
{
|
||||
options="-m state --state NEW -j ACCEPT"
|
||||
addrule $inchain -p 50 -s $1 $options
|
||||
addrule $outchain -p 50 -d $1 $options
|
||||
run_iptables -A $inchain -p 51 -s $1 $options
|
||||
run_iptables -A $outchain -p 51 -d $1 $options
|
||||
addrule $inchain -p 50 -s $1
|
||||
addrule $outchain -p 50 -d $1
|
||||
run_iptables -A $inchain -p 51 -s $1
|
||||
run_iptables -A $outchain -p 51 -d $1
|
||||
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
|
||||
run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
|
||||
|
||||
@ -1153,9 +1166,8 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
|
||||
setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
|
||||
{
|
||||
options="-m state --state NEW -j ACCEPT"
|
||||
addrule $inchain -p $3 -s $2 $options
|
||||
addrule $outchain -p $3 -d $2 $options
|
||||
addrule $inchain -p $3 -s $2
|
||||
addrule $outchain -p $3 -d $2
|
||||
|
||||
echo " $1 tunnel to $gateway defined."
|
||||
}
|
||||
@ -1372,7 +1384,7 @@ process_tc_rule()
|
||||
|
||||
if [ "x$source" != "x-" ]; then
|
||||
case $source in
|
||||
[0-9]*)
|
||||
*.*.*)
|
||||
r="-s $source "
|
||||
;;
|
||||
~*)
|
||||
@ -1615,7 +1627,10 @@ add_a_rule()
|
||||
[ -n "$client" ] && case "$client" in
|
||||
-)
|
||||
;;
|
||||
[0-9]*|![0-9]*)
|
||||
*:*)
|
||||
cli="-i ${client%:*} -s ${client#*:}"
|
||||
;;
|
||||
*.*.*)
|
||||
cli="-s $client"
|
||||
;;
|
||||
~*)
|
||||
@ -1634,7 +1649,7 @@ add_a_rule()
|
||||
-)
|
||||
serv=
|
||||
;;
|
||||
[0-9]*|![0-9]*)
|
||||
*.*.*)
|
||||
serv=$server
|
||||
;;
|
||||
*)
|
||||
@ -1689,6 +1704,7 @@ add_a_rule()
|
||||
state="-m state --state RELATED"
|
||||
;;
|
||||
*)
|
||||
state=
|
||||
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
|
||||
fatal_error "Port number not allowed with protocol " \
|
||||
"\"$proto\"; rule: \"$rule\""
|
||||
@ -1728,7 +1744,11 @@ add_a_rule()
|
||||
|
||||
# A specific server or server port given
|
||||
|
||||
[ -n "$addr" -a "$addr" != "$serv" ] && add_nat_rule
|
||||
if [ -n "$addr" -a "$addr" != "$serv" ]; then
|
||||
add_nat_rule
|
||||
elif [ -n "$servport" -a "$servport" != "$port" ]; then
|
||||
add_nat_rule
|
||||
fi
|
||||
|
||||
serv="${serv:+-d $serv}"
|
||||
|
||||
@ -1771,14 +1791,6 @@ add_a_rule()
|
||||
################################################################################
|
||||
process_rule() {
|
||||
|
||||
# Function to count list elements
|
||||
|
||||
list_count() {
|
||||
local temp=`separate_list $1`
|
||||
|
||||
echo $temp | wc -w
|
||||
}
|
||||
|
||||
# Function Body -- isolate log level
|
||||
|
||||
if [ "$target" = "${target%:*}" ]; then
|
||||
@ -1815,7 +1827,7 @@ process_rule() {
|
||||
clientzone="$clients"
|
||||
clients=
|
||||
else
|
||||
clientzone="${clients%:*}"
|
||||
clientzone="${clients%%:*}"
|
||||
clients="${clients#*:}"
|
||||
[ -z "$clientzone" -o -z "$clients" ] && \
|
||||
fatal_error "Error: Empty source zone or qualifier: rule \"$rule\""
|
||||
@ -1962,7 +1974,7 @@ process_tos_rule() {
|
||||
fi
|
||||
|
||||
[ -n "$src" ] && case "$src" in
|
||||
[0-9]*|![0-9]*)
|
||||
*.*.*)
|
||||
#
|
||||
# IP Address or subnet
|
||||
#
|
||||
@ -2005,7 +2017,7 @@ process_tos_rule() {
|
||||
fi
|
||||
|
||||
[ -n "$dst" ] && case "$dst" in
|
||||
[0-9]*|![0-9]*)
|
||||
*.*.*)
|
||||
#
|
||||
# IP Address or subnet
|
||||
#
|
||||
@ -2322,7 +2334,7 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
|
||||
run_user_exit $1
|
||||
|
||||
while read client server policy loglevel synparams; do
|
||||
expandv client server policy loglevelsynparams
|
||||
expandv client server policy loglevel synparams
|
||||
|
||||
[ "x$loglevel" = "x-" ] && loglevel=
|
||||
|
||||
@ -2396,6 +2408,10 @@ setup_masq()
|
||||
interface="${interface%:*}"
|
||||
fi
|
||||
|
||||
if ! list_search $interface $all_interfaces; then
|
||||
fatal_error "Error: Unknown interface $interface"
|
||||
fi
|
||||
|
||||
if [ "$subnet" = "${subnet%!*}" ]; then
|
||||
nomasq=
|
||||
else
|
||||
@ -2407,7 +2423,7 @@ setup_masq()
|
||||
iface=
|
||||
|
||||
case $subnet in
|
||||
[0-9]*|![0-9]*)
|
||||
*.*.*)
|
||||
source="$subnet"
|
||||
subnet="-s $subnet"
|
||||
;;
|
||||
@ -2496,15 +2512,34 @@ setup_intrazone() # $1 = zone
|
||||
ensurechain ${1}2${1}
|
||||
fi
|
||||
}
|
||||
###############################################################################
|
||||
# Add a record to the blacklst chain #
|
||||
# #
|
||||
# $source = address match #
|
||||
# $proto = protocol selector #
|
||||
# $dport = destination port selector #
|
||||
###############################################################################
|
||||
add_blacklist_rule() {
|
||||
[ -n "$BLACKLIST_LOGLEVEL" ] && \
|
||||
run_iptables -A blacklst $source $proto $dport -j \
|
||||
LOG $LOGPARMS --log-prefix \
|
||||
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
|
||||
--log-level $BLACKLIST_LOGLEVEL
|
||||
run_iptables -A blacklst $source $proto $dport -j $disposition
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
# Process a record from the blacklist file #
|
||||
# #
|
||||
# $subnet = address/subnet #
|
||||
# $protocol = Protocol Number/Name #
|
||||
# $port = Port Number/Name #
|
||||
###############################################################################
|
||||
process_blacklist_rec() {
|
||||
local source
|
||||
local addr
|
||||
local proto
|
||||
local dport
|
||||
|
||||
for addr in `separate_list $subnet`; do
|
||||
case $addr in
|
||||
@ -2517,11 +2552,52 @@ process_blacklist_rec() {
|
||||
;;
|
||||
esac
|
||||
|
||||
[ -n "$BLACKLIST_LOGLEVEL" ] && \
|
||||
run_iptables -A blacklst $source -j LOG $LOGPARMS --log-prefix \
|
||||
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
|
||||
--log-level $BLACKLIST_LOGLEVEL
|
||||
run_iptables -A blacklst $source -j $disposition
|
||||
if [ -n "$protocol" ]; then
|
||||
proto=" -p $protocol "
|
||||
|
||||
case $protocol in
|
||||
tcp|TCP|6|udp|UDP|17)
|
||||
if [ -n "$ports" ]; then
|
||||
if [ -n "$MULTIPORT" -a \
|
||||
"$ports" != "${ports%,*}" -a \
|
||||
"$ports" = "${ports%:*}" -a \
|
||||
`list_count $ports` -le 15 ]
|
||||
then
|
||||
dport="-m multiport --dports $ports"
|
||||
add_blacklist_rule
|
||||
else
|
||||
for dport in `separate_list $ports`; do
|
||||
dport="--dport $dport"
|
||||
add_blacklist_rule
|
||||
done
|
||||
fi
|
||||
else
|
||||
add_blacklist_rule
|
||||
fi
|
||||
;;
|
||||
icmp|ICMP|0)
|
||||
if [ -n "$ports" ]; then
|
||||
for dport in `separate_list $ports`; do
|
||||
dport="--icmp-type $dport"
|
||||
add_blacklist_rule
|
||||
done
|
||||
else
|
||||
add_blacklist_rule
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
add_blacklist_rule
|
||||
;;
|
||||
esac
|
||||
else
|
||||
add_blacklist_rule
|
||||
fi
|
||||
|
||||
if [ -n "$ports" ]; then
|
||||
addr="$addr $protocol $ports"
|
||||
elif [ -n "$protocol" ]; then
|
||||
addr="$addr $protocol"
|
||||
fi
|
||||
|
||||
echo " $addr added to Black List"
|
||||
done
|
||||
@ -2552,8 +2628,8 @@ setup_blacklist() {
|
||||
|
||||
[ "$disposition" = REJECT ] && disposition=reject
|
||||
|
||||
while read subnet; do
|
||||
expandv subnet
|
||||
while read subnet protocol ports; do
|
||||
expandv subnet protocol ports
|
||||
process_blacklist_rec
|
||||
done < $TMP_DIR/blacklist
|
||||
|
||||
@ -2576,8 +2652,8 @@ refresh_blacklist() {
|
||||
|
||||
run_iptables -F blacklst
|
||||
|
||||
while read subnet; do
|
||||
expandv subnet
|
||||
while read subnet protocol ports; do
|
||||
expandv subnet protocol ports
|
||||
process_blacklist_rec
|
||||
done < $TMP_DIR/blacklist
|
||||
fi
|
||||
@ -2720,18 +2796,25 @@ initialize_netfilter () {
|
||||
setcontinue FORWARD
|
||||
setcontinue INPUT
|
||||
setcontinue OUTPUT
|
||||
#
|
||||
# Allow DNS lookups during startup for FQDNs
|
||||
#
|
||||
run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
|
||||
run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT
|
||||
|
||||
[ -n "$CLAMPMSS" ] && \
|
||||
run_iptables -A FORWARD -p tcp \
|
||||
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||
|
||||
|
||||
if [ -z "$NEWNOTSYN" ]; then
|
||||
createchain newnotsyn no
|
||||
run_user_exit newnotsyn
|
||||
[ -n "$LOGNEWNOTSYN" ] && \
|
||||
run_iptables -A newnotsyn -j LOG \
|
||||
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
|
||||
run_iptables -A newnotsyn -j DROP
|
||||
fi
|
||||
|
||||
createchain icmpdef no
|
||||
createchain common no
|
||||
@ -2762,6 +2845,42 @@ initialize_netfilter () {
|
||||
done
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Build the common chain -- called during [re]start and refresh #
|
||||
################################################################################
|
||||
build_common_chain() {
|
||||
###########################################################################
|
||||
# PING
|
||||
#
|
||||
[ -n "$FORWARDPING" ] && \
|
||||
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
|
||||
############################################################################
|
||||
# Common ICMP rules
|
||||
#
|
||||
run_user_exit icmpdef
|
||||
############################################################################
|
||||
# Common rules in each chain
|
||||
#
|
||||
common=`find_file common`
|
||||
|
||||
if [ -f $common ]; then
|
||||
. $common
|
||||
else
|
||||
. `find_file common.def`
|
||||
fi
|
||||
###########################################################################
|
||||
# New Not Syn Stuff
|
||||
#
|
||||
if [ -n "$NEWNOTSYN" ]; then
|
||||
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
|
||||
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
|
||||
fi
|
||||
###########################################################################
|
||||
# BROADCASTS
|
||||
#
|
||||
drop_broadcasts `find_broadcasts`
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Construct zone-independent rules #
|
||||
################################################################################
|
||||
@ -2825,29 +2944,9 @@ add_common_rules() {
|
||||
echo " $interface"
|
||||
done
|
||||
fi
|
||||
###########################################################################
|
||||
# PING
|
||||
#
|
||||
[ -n "$FORWARDPING" ] && \
|
||||
run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT
|
||||
############################################################################
|
||||
# Common ICMP rules
|
||||
#
|
||||
run_user_exit icmpdef
|
||||
############################################################################
|
||||
# Common rules in each chain
|
||||
#
|
||||
common=`find_file common`
|
||||
|
||||
if [ -f $common ]; then
|
||||
. $common
|
||||
else
|
||||
. `find_file common.def`
|
||||
fi
|
||||
###########################################################################
|
||||
# BROADCASTS
|
||||
#
|
||||
drop_broadcasts `find_broadcasts`
|
||||
build_common_chain
|
||||
|
||||
###########################################################################
|
||||
# DHCP
|
||||
#
|
||||
@ -3108,11 +3207,20 @@ activate_rules()
|
||||
|
||||
chain="`rules_chain $zone $zone1`"
|
||||
|
||||
if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then
|
||||
have_canonical=Yes
|
||||
else
|
||||
have_canonical=
|
||||
fi
|
||||
|
||||
for host in $source_hosts; do
|
||||
interface=${host%:*}
|
||||
subnet=${host#*:}
|
||||
chain1=`forward_chain $interface`
|
||||
|
||||
if [ -n "$have_canonical" ]; then
|
||||
multi=yes
|
||||
else
|
||||
case $interface in
|
||||
*+*)
|
||||
multi=yes
|
||||
@ -3121,6 +3229,7 @@ activate_rules()
|
||||
list_search $interface $multi_interfaces && multi=yes || multi=
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
for host1 in $dest_hosts; do
|
||||
interface1=${host1%:*}
|
||||
@ -3148,6 +3257,9 @@ activate_rules()
|
||||
run_iptables -D INPUT 1
|
||||
run_iptables -D OUTPUT 1
|
||||
run_iptables -D FORWARD 1
|
||||
|
||||
run_iptables -D OUTPUT -p udp --dport 53 -j ACCEPT
|
||||
run_iptables -D FORWARD -p udp --dport 53 -j ACCEPT
|
||||
}
|
||||
|
||||
################################################################################
|
||||
@ -3155,6 +3267,16 @@ activate_rules()
|
||||
################################################################################
|
||||
define_firewall() # $1 = Command (Start or Restart)
|
||||
{
|
||||
if [ -f /etc/shorewall/startup_disabled ]; then
|
||||
echo " Shorewall Startup is disabled -- to enable startup"
|
||||
echo " after you have completed Shorewall configuration,"
|
||||
echo " remove the file /etc/shorewall/startup_disabled"
|
||||
|
||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||
my_mutex_off
|
||||
exit 2
|
||||
fi
|
||||
|
||||
echo "${1}ing Shorewall..."
|
||||
|
||||
verify_os_version
|
||||
@ -3232,7 +3354,7 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
|
||||
createchain shorewall no
|
||||
|
||||
date > /var/lib/shorewall/restarted
|
||||
date > $STATEDIR/restarted
|
||||
|
||||
report "Shorewall ${1}ed"
|
||||
|
||||
@ -3303,25 +3425,8 @@ refresh_firewall()
|
||||
run_iptables -F common
|
||||
|
||||
echo "Adding Common Rules"
|
||||
###########################################################################
|
||||
# PING
|
||||
#
|
||||
[ -n "$FORWARDPING" ] && \
|
||||
run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT
|
||||
############################################################################
|
||||
# Common rules in each chain
|
||||
#
|
||||
common=`find_file common`
|
||||
|
||||
if [ -f $common ]; then
|
||||
. $common
|
||||
else
|
||||
. `find_file common.def`
|
||||
fi
|
||||
###########################################################################
|
||||
# BROADCASTS
|
||||
#
|
||||
drop_broadcasts `find_broadcasts`
|
||||
build_common_chain
|
||||
|
||||
###########################################################################
|
||||
# Blacklist
|
||||
@ -3416,6 +3521,7 @@ do_initialize() {
|
||||
DETECT_DNAT_IPADDRS=
|
||||
MERGE_HOSTS=
|
||||
MUTEX_TIMEOUT=
|
||||
NEWNOTSYN=
|
||||
LOGNEWNOTSYN=
|
||||
FORWARDPING=
|
||||
stopping=
|
||||
@ -3431,7 +3537,7 @@ do_initialize() {
|
||||
|
||||
trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
|
||||
|
||||
functions=/var/lib/shorewall/functions
|
||||
functions=/usr/lib/shorewall/functions
|
||||
|
||||
if [ -f $functions ]; then
|
||||
. $functions
|
||||
@ -3439,7 +3545,7 @@ do_initialize() {
|
||||
startup_error "$functions does not exist!"
|
||||
fi
|
||||
|
||||
version_file=/var/lib/shorewall/version
|
||||
version_file=/usr/lib/shorewall/version
|
||||
|
||||
[ -f $version_file ] && version=`cat $version_file`
|
||||
#
|
||||
@ -3455,6 +3561,7 @@ do_initialize() {
|
||||
|
||||
[ -d $STATEDIR ] || mkdir -p $STATEDIR
|
||||
|
||||
|
||||
[ -z "$FW" ] && FW=fw
|
||||
|
||||
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
|
||||
@ -3495,6 +3602,7 @@ do_initialize() {
|
||||
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
|
||||
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
|
||||
FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
|
||||
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
|
||||
}
|
||||
|
||||
################################################################################
|
||||
@ -3541,6 +3649,7 @@ case "$command" in
|
||||
if qt iptables -L shorewall -n ; then
|
||||
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
|
||||
echo "Shorewall Already Started"
|
||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||
my_mutex_off
|
||||
exit 0;
|
||||
fi
|
||||
@ -3570,7 +3679,7 @@ case "$command" in
|
||||
reset)
|
||||
iptables -L -n -Z -v
|
||||
report "Shorewall Counters Reset"
|
||||
date > /var/lib/shorewall/restarted
|
||||
date > $STATEDIR/restarted
|
||||
;;
|
||||
|
||||
refresh)
|
||||
@ -3578,6 +3687,7 @@ case "$command" in
|
||||
my_mutex_on
|
||||
if ! qt iptables -L shorewall -n ; then
|
||||
echo "Shorewall Not Started"
|
||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||
my_mutex_off
|
||||
exit 2;
|
||||
fi
|
||||
|
@ -4,16 +4,40 @@
|
||||
# /etc/shorewall/blacklist
|
||||
#
|
||||
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
|
||||
#
|
||||
# MAC addresses must be prefixed with "~" and use "-"
|
||||
# as a separator.
|
||||
#
|
||||
# Example: ~00-A0-C9-15-39-78
|
||||
#
|
||||
# PROTOCOL - Optional. If specified, must be a protocol number
|
||||
# or a protocol name from /etc/protocols.
|
||||
#
|
||||
# PORTS - Optional. May only be specified if the protocol
|
||||
# is TCP (6) or UDP (17). A comma-separated list
|
||||
# of port numbers or service names from /etc/services.
|
||||
#
|
||||
# When a packet arrives on in interface that has the 'blacklist' option
|
||||
# specified, its source IP address is checked against this file and disposed of
|
||||
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
|
||||
# /etc/shorewall/shorewall.conf
|
||||
#
|
||||
# MAC addresses must be prefixed with "~" and use "-" as a separator.
|
||||
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
|
||||
# the protocol (and one of the ports if PORTS supplied) are blocked.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# To block DNS queries from address 192.0.2.126:
|
||||
#
|
||||
# ADDRESS/SUBNET PROTOCOL PORT
|
||||
# 192.0.2.126 udp 53
|
||||
#
|
||||
# Example: ~00-A0-C9-15-39-78
|
||||
###############################################################################
|
||||
#ADDRESS/SUBNET
|
||||
#ADDRESS/SUBNET PROTOCOL PORT
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
|
||||
|
@ -39,6 +39,8 @@
|
||||
# IP address for the interface in the INTERFACE
|
||||
# column.
|
||||
#
|
||||
# This column may not contain a DNS Name.
|
||||
#
|
||||
# Example 1:
|
||||
#
|
||||
# You have a simple masquerading setup where eth0 connects to
|
||||
|
@ -14,10 +14,10 @@
|
||||
#
|
||||
# EXTERNAL External IP Address - this should NOT be the primary
|
||||
# IP address of the interface named in the next
|
||||
# column.
|
||||
# column and must not be a DNS Name.
|
||||
# INTERFACE Interface that we want to EXTERNAL address to appear
|
||||
# on
|
||||
# INTERNAL Internal Address
|
||||
# INTERNAL Internal Address (must not be a DNS Name).
|
||||
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
|
||||
# from all hosts. If No or no then NAT will be effective
|
||||
# only through the interface named in the INTERFACE
|
||||
|
@ -56,9 +56,12 @@
|
||||
# MAC address 00:A0:C9:15:39:78.
|
||||
#
|
||||
# Alternatively, clients may be specified by interface
|
||||
# by appending ":" followed by the interface name. For
|
||||
# example, loc:eth1 specifies a client that
|
||||
# communicates with the firewall system through eth1.
|
||||
# by appending ":" to the zone name followed by the
|
||||
# interface name. For example, loc:eth1 specifies a
|
||||
# client that communicates with the firewall system
|
||||
# through eth1. This may be optionally followed by
|
||||
# another colon (":") and an IP/MAC/subnet address
|
||||
# as described above (e.g., loc:eth1:192.168.1.5).
|
||||
#
|
||||
# DEST Location of Server. May be a zone defined in
|
||||
# /etc/shorewall/zones or $FW to indicate the firewall
|
||||
@ -68,6 +71,13 @@
|
||||
# subnet, host or interface by appending ":" and the
|
||||
# subnet, host or interface. See above.
|
||||
#
|
||||
# Restrictions:
|
||||
#
|
||||
# 1. MAC addresses are not allowed.
|
||||
# 2. In DNAT rules, only IP addresses are
|
||||
# allowed; no FQDNs or subnet addresses
|
||||
# are permitted.
|
||||
#
|
||||
# The port that the server is listening on may be
|
||||
# included and separated from the server's IP address by
|
||||
# ":". If omitted, the firewall will not modifiy the
|
||||
|
@ -340,6 +340,8 @@ MUTEX_TIMEOUT=60
|
||||
#
|
||||
# LOGGING 'New not SYN' rejects
|
||||
#
|
||||
# This variable only has an effect when NEWNOTSYN=No (see below).
|
||||
#
|
||||
# When a TCP packet that does not have the SYN flag set and the ACK and RST
|
||||
# flags clear then unless the packet is part of an established connection,
|
||||
# it will be rejected by the firewall. If you want these rejects logged,
|
||||
@ -358,4 +360,21 @@ LOGNEWNOTSYN=
|
||||
|
||||
FORWARDPING=Yes
|
||||
|
||||
#
|
||||
# NEWNOTSYN
|
||||
#
|
||||
# If this variable is set to "No" or "no", then When a TCP packet that does
|
||||
# not have the SYN flag set and the ACK and RST flags clear then unless the
|
||||
# packet is part of an established connection, it will be dropped by the
|
||||
# firewall
|
||||
#
|
||||
# If this variable is set to "Yes" or "yes" then such packets will not be
|
||||
# dropped but will pass through the normal rule processing.
|
||||
#
|
||||
# Users with a High-availability setup with two firewall's and one acting
|
||||
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
|
||||
# also need to select NEWNOTSYN=Yes.
|
||||
|
||||
NEWNOTSYN=No
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
@ -312,6 +312,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
echo -e "Dropped/Rejected Packet Log\\n"
|
||||
|
||||
show_reset
|
||||
|
||||
rejects=`iptables -L -v -n | grep 'LOG'`
|
||||
|
||||
if [ "$rejects" != "$oldrejects" ]; then
|
||||
@ -384,6 +386,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
echo -e "Dropped/Rejected Packet Log\\n"
|
||||
|
||||
show_reset
|
||||
|
||||
rejects=`iptables -L -v -n | grep 'LOG'`
|
||||
|
||||
if [ "$rejects" != "$oldrejects" ]; then
|
||||
@ -437,8 +441,8 @@ usage() # $1 = exit status
|
||||
# Display the time that the counters were last reset #
|
||||
#################################################################################
|
||||
show_reset() {
|
||||
[ -f /var/lib/shorewall/restarted ] && \
|
||||
echo -e "Counters reset `cat /var/lib/shorewall/restarted`\\n"
|
||||
[ -f $STATEDIR/restarted ] && \
|
||||
echo -e "Counters reset `cat $STATEDIR/restarted`\\n"
|
||||
}
|
||||
|
||||
#################################################################################
|
||||
@ -491,7 +495,7 @@ fi
|
||||
|
||||
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
|
||||
|
||||
functions=/var/lib/shorewall/functions
|
||||
functions=/usr/lib/shorewall/functions
|
||||
|
||||
if [ -f $functions ]; then
|
||||
. $functions
|
||||
@ -500,7 +504,7 @@ else
|
||||
exit 2
|
||||
fi
|
||||
|
||||
firewall=/var/lib/shorewall/firewall
|
||||
firewall=/usr/lib/shorewall/firewall
|
||||
|
||||
if [ ! -f $firewall ]; then
|
||||
echo "ERROR: Shorewall is not properly installed"
|
||||
@ -508,7 +512,7 @@ if [ ! -f $firewall ]; then
|
||||
echo " $firewall is a symbolic link to a"
|
||||
echo " non-existant file"
|
||||
else
|
||||
echo " The file /var/lib/shorewall/firewall does not exist"
|
||||
echo " The file /usr/lib/shorewall/firewall does not exist"
|
||||
fi
|
||||
|
||||
exit 2
|
||||
@ -516,13 +520,13 @@ fi
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
version_file=/var/lib/shorewall/version
|
||||
version_file=/usr/lib/shorewall/version
|
||||
|
||||
if [ -f $version_file ]; then
|
||||
version=`cat $version_file`
|
||||
else
|
||||
echo "ERROR: Shorewall is not properly installed"
|
||||
echo " The file /var/lib/shorewall/version does not exist"
|
||||
echo " The file /usr/lib/shorewall/version does not exist"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@ -546,6 +550,7 @@ case "$1" in
|
||||
iptables -t nat -L -n -v
|
||||
;;
|
||||
tos|mangle)
|
||||
get_config
|
||||
echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n"
|
||||
show_reset
|
||||
iptables -t mangle -L -n -v
|
||||
@ -553,6 +558,7 @@ case "$1" in
|
||||
log)
|
||||
get_config
|
||||
echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n"
|
||||
show_reset
|
||||
host=`echo $HOSTNAME | sed 's/\..*$//'`
|
||||
packet_log 20
|
||||
;;
|
||||
@ -561,6 +567,7 @@ case "$1" in
|
||||
show_tc
|
||||
;;
|
||||
*)
|
||||
get_config
|
||||
echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n"
|
||||
show_reset
|
||||
iptables -L $2 -n -v
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall 1.3 -- /var/lib/shorewall/functions
|
||||
# Shorewall 1.3 -- /usr/lib/shorewall/functions
|
||||
|
||||
#
|
||||
# Suppress all output for a command
|
@ -1,5 +1,6 @@
|
||||
etc/init.d/shorewall
|
||||
etc/shorewall
|
||||
sbin/shorewall
|
||||
usr/lib/shorewall
|
||||
var/lib/shorewall
|
||||
var/lib/lrpkg/shorwall.*
|
||||
|
@ -1 +0,0 @@
|
||||
1.3.7c
|
Loading…
Reference in New Issue
Block a user