1.3 Beta 2 Snapshot

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@27 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-05-18 13:45:23 +00:00
parent e3b9278c5e
commit 44170128c2
27 changed files with 451 additions and 212 deletions


@ -1,4 +1,4 @@
Shoreline Firewall (Shorewall) Version 1.2 - 12/21/2001
Shoreline Firewall (Shorewall) Version 1.3 - 6/14/2002
----- ----
-----------------------------------------------------------------------------


@ -1,5 +1,5 @@
#
# Shorewall 1.2 -- Blacklist File
# Shorewall 1.3 -- Blacklist File
#
# /etc/shorewall/blacklist
#


@ -1,11 +1,29 @@
Changes since 1.2.12
Changes since 1.2.13
1. Changed all file versions to 1.3
2. Changed the rules file and firewall file to implement the new forwarding
and redirection syntax.
3. Removed the sample rules from the rules file -- the quickstart samples
should provide those sample rules.
4. Added a silent Auth reject rule to common.def.
5. Changed the handling of the nat table to have a separate chain for each
source zone.
6. Removed the code that tested each rules column for "none" -- this was never
documented and was there to support the brain-dead parameterized samples.
7. Reworked the chain structure in the filter table so that each interface has
its own input and forward chain.
8. Added logic to allow a subzone to be excluded from a DNAT or REDIRECT rule.
1. Added whitelist support
2. Added SYN Flood Protection
3. Make aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES look more
like what people expect.
4. Merged shorewall.conf file patch that adds the kernel config help
text for TCPMSS to the description of the Shorewall parameter.


@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.1 -- /etc/shorewall/common.def
# Shorewall 1.3 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file,
@ -31,4 +31,9 @@ run_iptables -A common -p udp --dport 1900 -j DROP
#
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
############################################################################
# AUTH -- Reject it so that connections don't get delayed.
#
run_iptables -A common -p tcp --dport 113 -j reject


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.2.13
VERSION=1.2.90
usage() # $1 = exit status
{


@ -1,7 +1,7 @@
#!/bin/sh
RCDLINKS="2,S41 3,S41 6,K41"
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.2 12/21/2001
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
@ -216,6 +216,48 @@ addrule() # $1 = chain name, remainder of arguments specify the rule
run_iptables -A $@
}
################################################################################
# Create a nat chain #
# #
# Create a variable ${1}_nat_exists and set its value to Yes to indicate that #
# the chain now exists. #
################################################################################
createnatchain() # $1 = chain name
{
run_iptables -t nat -N $1
eval ${1}_nat_exists=Yes
}
################################################################################
# Determine if a nat chain exists #
# #
# When we create a chain "chain", we create a variable named chain_nat_exists #
# and set its value to Yes. This function tests for the "_exists" variable #
# corresponding to the passed chain having the value of "Yes". #
################################################################################
havenatchain() # $1 = name of chain
{
eval test \"\$${1}_nat_exists\" = Yes
}
################################################################################
# Ensure that a chain exists (create it if it doesn't) #
################################################################################
ensurenatchain() # $1 = chain name
{
havenatchain $1 || createnatchain $1
}
################################################################################
# Add a rule to a nat chain creating the chain if necessary #
################################################################################
addnatrule() # $1 = chain name, remainder of arguments specify the rule
{
ensurenatchain $1
run_iptables -t nat -A $@
}
################################################################################
# Delete a chain if it exists #
################################################################################
@ -265,6 +307,42 @@ find_interfaces() # $1 = interface zone
done < $TMP_DIR/interfaces
}
################################################################################
# Chain name base for an interface #
################################################################################
chain_base() #$1 = interface
{
local c=${1%%+*}
echo ${c:=multi}
}
################################################################################
# Forward Chain for an interface #
################################################################################
forward_chain() # $1 = interface
{
echo `chain_base $interface`_fwd
}
################################################################################
# Input Chain for an interface #
################################################################################
input_chain() # $1 = interface
{
echo `chain_base $interface`_in
}
################################################################################
# First chains for an interface #
################################################################################
first_chains() #$1 = interface
{
local c=`chain_base $1`
echo ${c}_fwd ${c}_in
}
################################################################################
# Find hosts in a given zone #
# #
@ -287,16 +365,11 @@ find_hosts() # $1 = host zone
# variable contains a space-separated list of interfaces to the zone #
################################################################################
determine_interfaces() {
local all_interfaces
for zone in $zones multi; do
interfaces=`find_interfaces $zone`
interfaces=`echo $interfaces` # Remove extra trash
eval ${zone}_interfaces="\$interfaces"
all_interfaces=${all_interfaces:-$interfaces}
done
[ -n "$all_interfaces" ] || startup_error "Error: No interfaces defined"
}
################################################################################
@ -360,6 +433,12 @@ validate_interfaces_file() {
r="$z $interface $subnet $options"
[ "x$z" = "x-" ] || validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
for intr in $all_interfaces; do
[ "$intr" = "$interface" ] && startup_error "Duplicate Interface $intr"
done
all_interfaces="$all_interfaces $interface"
for option in `separate_list $options`; do
case $option in
dhcp|noping|routestopped|norfc1918|multi|routefilter|dropunclean|logunclean|blacklist|-)
@ -369,6 +448,9 @@ validate_interfaces_file() {
;;
esac
done
[ -z "$all_interfaces" ] && startup_error "Error: No Interfaces Defined"
done < $TMP_DIR/interfaces
}
@ -537,6 +619,33 @@ validate_rule() {
fi
logtarget="$target"
#
# DNAT and REDIRECT targets were implemented in version 1.3 to replace
# an older syntax. We simply map the new syntax into the old and proceed;
# that way, people who have files with the old syntax don't need to
# convert right away.
#
case $target in
DNAT)
target=ACCEPT
address=${address:=all}
;;
REDIRECT)
target=ACCEPT
address=${address:=all}
if [ "x-" = "x$servers" ]; then
servers=$FW
else
servers="fw::$servers"
fi
;;
ACCEPT|DROP|REJECT)
;;
*)
startup_error " Error: Invalid target;" \
" rule: \"$rule\""
esac
if [ "$clients" = "${clients%:*}" ]; then
clientzone="$clients"
@ -545,6 +654,16 @@ validate_rule() {
clientzone="${clients%:*}"
clients="${clients#*:}"
fi
if [ "$clientzone" = "${clientzone%\!*}" ]; then
excludezones=
else
excludezones="${clientzone#*\!}"
clientzone="${clientzone%\!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
startup_error " Error: Exclude list only allowed with DNAT or REDIRECT"
fi
############################################################################
# Validate the Source Zone
@ -584,23 +703,17 @@ validate_rule() {
############################################################################
# Iterate through the various lists validating individual rules
#
[ "$ports" = "none" -o "$ports" = "None" -o \
"$cports" = "none" -o "$cports" = "None" -o \
"$clients" = "none" -o "$clients" = "None" -o \
"$servers" = "none" -o "$servers" = "None" ] || \
{
for client in `separate_list ${clients:=-}`; do
for server in `separate_list ${servers:=-}`; do
for port in `separate_list ${ports:=-}`; do
for cport in `separate_list ${cports:=-}`; do
validate_a_rule
done
done
for client in `separate_list ${clients:=-}`; do
for server in `separate_list ${servers:=-}`; do
for port in `separate_list ${ports:=-}`; do
for cport in `separate_list ${cports:=-}`; do
validate_a_rule
done
done
done
done
done
echo " Rule \"$rule\" validated."
}
echo " Rule \"$rule\" validated."
}
################################################################################
@ -614,7 +727,7 @@ validate_rules() # $1 = name of rules file
expandv clients servers protocol ports cports address
case "$target" in
ACCEPT*|DROP*|REJECT*)
ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*)
rule="`echo $target $clients $servers $protocol $ports $cports $address`"
validate_rule
;;
@ -876,7 +989,7 @@ setup_tunnels() # $1 = name of tunnels file
return 1
fi
options="-mstate --state NEW -j ACCEPT"
options="-m state --state NEW -j ACCEPT"
inchain=${1}2${FW}
outchain=${FW}2${1}
addrule $inchain -p 50 -s $2 $options
@ -906,7 +1019,7 @@ setup_tunnels() # $1 = name of tunnels file
return 1
fi
options="-mstate --state NEW -j ACCEPT"
options="-m state --state NEW -j ACCEPT"
inchain=${1}2${FW}
outchain=${FW}2${1}
addrule $inchain -p $3 -s $2 $options
@ -1239,9 +1352,82 @@ delete_tc()
# and has loaded a space-separated list of their values in "rule". #
################################################################################
process_rule() {
############################################################################
# Add a NAT rule
#
add_nat_rule() {
local chain
if [ -z "$NAT_ENABLED" ]; then
fatal_error \
" Error - Rule \"$rule\" requires NAT which is disabled"
fi
if [ "$target" != "ACCEPT" ]; then
fatal_error " Error - Only ACCEPT rules may specify " \
"port mapping; rule \"$rule\""
fi
if [ "$addr" != "${addr%:*}" ]; then
snat="${addr#*:}"
addr="${addr%:*}"
else
snat=""
fi
[ "$addr" = "all" ] && addr= || addr="-d $addr"
if [ -n "$serv" ]; then
servport="${servport:+:$servport}"
target1="DNAT --to-destination ${serv}${servport}"
else
target1="REDIRECT --to-port $servport"
fi
if [ "$source" = "$FW" ]; then
run_iptables -t nat -A OUTPUT $proto $sports $addr \
$dports -j $target1
else
chain=$source
if [ -n "$excludezones" ]; then
chain=nonat${nonat_seq}
nonat_seq=$(($nonat_seq + 1))
createnatchain $chain
addnatrule $source -j $chain
for z in $excludezones; do
eval hosts=\$${z}_hosts
for host in $hosts; do
addnatrule $chain $proto -s ${host#*:} \
$sports $addr $dports -j RETURN
done
done
fi
addnatrule $chain $proto $cli $sports \
$addr $dports -j $target1
fi
[ -n "$servport" ] && dports="--dport ${servport#*:}"
if [ -n "$snat" ]; then
if [ -n "$cli" ]; then
run_iptables -t nat -A POSTROUTING $proto $cli \
$sports -d $serv $dports -j SNAT --to-source $snat
else
for source_host in $source_hosts; do
run_iptables -t nat -A POSTROUTING \
-s ${source_host#*:} $proto $sports \
-d $serv $dports -j SNAT --to-source $snat
done
fi
fi
}
############################################################################
# Add one rule
#
add_a_rule() {
########################################################################
# Determine the format of the client
@ -1316,8 +1502,15 @@ process_rule() {
esac
proto="${proto:+-p $proto}"
[ "$target" = REJECT ] && target=reject
case "$logtarget" in
REJECT)
target=reject
;;
REDIRECT)
servport=${servport:=$port}
;;
esac
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then
error_message " Warning -- Rule \"$rule\" is a POLICY"
@ -1332,67 +1525,13 @@ process_rule() {
##############################################################
# Must use Prerouting DNAT
#
if [ -z "$NAT_ENABLED" ]; then
fatal_error \
" Error - Rule \"$rule\" requires NAT which is disabled"
fi
if [ "$target" != "ACCEPT" ]; then
fatal_error " Error - Only ACCEPT rules may specify " \
"port mapping; rule \"$rule\""
fi
if [ "$addr" != "${addr%:*}" ]; then
snat="${addr#*:}"
addr="${addr%:*}"
else
snat=""
fi
[ "$addr" = "all" ] && addr= || addr="-d $addr"
if [ -n "$serv" ]; then
servport="${servport:+:$servport}"
target1="DNAT --to-destination ${serv}${servport}"
else
target1="REDIRECT --to-port $servport"
fi
if [ "$source" = "$FW" ]; then
run_iptables -t nat -A OUTPUT $proto $sports $addr \
$dports -j $target1
elif [ -n "$cli" ]; then
run_iptables -t nat -A PREROUTING $proto $cli $sports \
$addr $dports -j $target1
else
for source_host in $source_hosts; do
run_iptables -t nat -A PREROUTING \
-i ${source_host%:*} \
-s ${source_host#*:} $proto $sports \
$addr $dports -j $target1
done
fi
[ -n "$servport" ] && dports="--dport ${servport#*:}"
if [ -n "$snat" ]; then
if [ -n "$cli" ]; then
run_iptables -t nat -A POSTROUTING $proto $cli \
$sports -d $serv $dports -j SNAT --to-source $snat
else
for source_host in $source_hosts; do
run_iptables -t nat -A POSTROUTING \
-s ${source_host#*:} $proto $sports \
-d $serv $dports -j SNAT --to-source $snat
done
fi
fi
add_nat_rule
fi
serv="${serv:+-d $serv}"
[ -n "$loglevel" ] && run_iptables -A $chain $proto $state $cli \
$sports $serv $dports -j LOG $LOGPARMS --log-prefix \
[ -n "$loglevel" ] && run_iptables -A $chain $proto $state \
$cli $sports $serv $dports -j LOG $LOGPARMS --log-prefix \
"Shorewall:$chain:$logtarget:" --log-level $loglevel
run_iptables -A $chain $proto $state $cli $sports \
$serv $dports -j $target
@ -1403,12 +1542,12 @@ process_rule() {
[ -n "$addr" ] && fatal_error \
" Error: An ADDRESS ($addr) is only allowed in" \
" a port mapping rule: \"$rule\""
[ -n "$loglevel" ] && run_iptables -A $chain $proto \
$dest_interface $state $cli $sports $dports -j LOG \
$LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \
--log-level $loglevel
run_iptables -A $chain $proto $dest_interface $state \
$cli $sports $dports -j $target
fi
@ -1427,6 +1566,28 @@ process_rule() {
fi
logtarget="$target"
#
# DNAT and REDIRECT targets were implemented in version 1.3 to replace
# an older syntax. We simply map the new syntax into the old and proceed;
# that way, people who have files with the old syntax don't need to
# convert right away.
#
case $target in
DNAT)
target=ACCEPT
address=${address:=all}
;;
REDIRECT)
target=ACCEPT
address=${address:=all}
if [ "x-" = "x$servers" ]; then
servers=$FW
else
servers="$FW::$servers"
fi
;;
esac
if [ "$clients" = "${clients%:*}" ]; then
clientzone="$clients"
@ -1435,6 +1596,16 @@ process_rule() {
clientzone="${clients%:*}"
clients="${clients#*:}"
fi
if [ "$clientzone" = "${clientzone%\!*}" ]; then
excludezones=
else
excludezones="${clientzone#*\!}"
clientzone="${clientzone%\!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
fatal_error " Error: Exclude list only allowed with DNAT or REDIRECT"
fi
############################################################################
# Validate the Source Zone
@ -1473,30 +1644,24 @@ process_rule() {
dest=$serverzone
############################################################################
# Create the canonlcal chain if it doesn't exist
# Create the canonical chain if it doesn't exist
#
chain=${source}2${dest}
ensurechain $chain
############################################################################
# Iterate through the various lists creating individual rules
#
[ "$ports" = "none" -o "$ports" = "None" -o \
"$cports" = "none" -o "$cports" = "None" -o \
"$clients" = "none" -o "$clients" = "None" -o \
"$servers" = "none" -o "$servers" = "None" ] || \
{
for client in `separate_list ${clients:=-}`; do
for server in `separate_list ${servers:=-}`; do
for port in `separate_list ${ports:=-}`; do
for cport in `separate_list ${cports:=-}`; do
add_a_rule
done
done
for client in `separate_list ${clients:=-}`; do
for server in `separate_list ${servers:=-}`; do
for port in `separate_list ${ports:=-}`; do
for cport in `separate_list ${cports:=-}`; do
add_a_rule
done
done
done
done
done
echo " Rule \"$rule\" added."
}
echo " Rule \"$rule\" added."
}
################################################################################
@ -1509,7 +1674,7 @@ process_rules() # $1 = name of rules file
while read target clients servers protocol ports cports address; do
case "$target" in
ACCEPT*|DROP*|REJECT*)
ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*)
expandv clients servers protocol ports cports address
rule="`echo $target $clients $servers $protocol $ports $cports $address`"
process_rule
@ -2146,8 +2311,10 @@ setup_blacklist() {
createchain blacklst no
for interface in $interfaces; do
run_iptables -A INPUT -i $interface -j blacklst
run_iptables -A FORWARD -i $interface -j blacklst
for chain in `first_chains $interface`; do
run_iptables -A $chain -i $interface -j blacklst
done
echo " Blacklisting enabled on $interface"
done
@ -2319,6 +2486,17 @@ initialize_netfilter () {
createchain icmpdef no
createchain common no
createchain reject no
echo "Creating input Chains..."
for interface in $all_interfaces; do
chain=`forward_chain $interface`
if ! havechain $chain; then
createchain $chain no
createchain `input_chain $interface` no
fi
done
}
################################################################################
@ -2349,7 +2527,7 @@ add_common_rules() {
echo "Mangled/Invalid Packet filtering enabled on:"
for interface in $interfaces; do
for chain in INPUT FORWARD; do
for chain in `first_chains $interface`; do
run_iptables -A $chain -i $interface --match unclean -j badpkt
done
echo " $interface"
@ -2372,7 +2550,7 @@ add_common_rules() {
echo "Mangled/Invalid Packet Logging enabled on:"
for interface in $interfaces; do
for chain in INPUT FORWARD; do
for chain in `first_chains $interface`; do
run_iptables -A $chain -i $interface --match unclean -j logpkt
done
echo " $interface"
@ -2465,8 +2643,10 @@ add_common_rules() {
done
for interface in $norfc1918_interfaces; do
run_iptables -A INPUT -i $interface -j rfc1918
run_iptables -A FORWARD -i $interface -j rfc1918
for chain in `first_chains $interface`; do
run_iptables -A $chain -i $interface -j rfc1918
done
[ -n "$MANGLE_ENABLED" ] && \
run_iptables -t mangle -A PREROUTING -i $interface -j rfc1918
done
@ -2596,8 +2776,8 @@ activate_rules() {
for host in $source_hosts; do
interface=${host%:*}
subnet=${host#*:}
chain=INPUT
chain=`input_chain $interface`
if [ "$zone" != "multi" ]; then
#
# If we have a 'multi2fw' chain and the current interface is
@ -2613,6 +2793,11 @@ activate_rules() {
run_iptables -A OUTPUT -o \
$interface -d $subnet -j `rules_chain $FW $zone`
if havenatchain $zone; then
run_iptables -t nat -A PREROUTING \
-i $interface -s $subnet -j $zone
fi
fi
run_iptables -A $chain -i $interface -s $subnet \
@ -2627,17 +2812,20 @@ activate_rules() {
for host in $source_hosts; do
interface=${host%:*}
subnet=${host#*:}
chain1=`forward_chain $interface`
for host1 in $dest_hosts; do
interface1=${host1%:*}
subnet1=${host1#*:}
[ $interface = $interface1 -a "x$subnet" = "x$subnet1" ] ||\
run_iptables -A FORWARD -i $interface -s $subnet \
run_iptables -A $chain1 -i $interface -s $subnet \
-o $interface1 -d $subnet1 -j $chain
done
done
done
done
while read zone interface broadcast options; do
@ -2647,12 +2835,18 @@ activate_rules() {
expandv interface options && \
for option in `separate_list $options`; do
[ "$option" = "multi" ] && \
run_iptables -A FORWARD -i $interface \
run_iptables -A `forward_chain $interface` \
-i $interface \
-o $interface -j ${zone}2${zone} && \
break 1
done
done
done < $TMP_DIR/interfaces
for interface in $all_interfaces; do
run_iptables -A FORWARD -i $interface -j `forward_chain $interface`
run_iptables -A INPUT -i $interface -j `input_chain $interface`
done
complete_standard_chain INPUT all $FW
complete_standard_chain OUTPUT $FW all
@ -2705,8 +2899,8 @@ define_firewall() # $1 = Command (Start or Restart)
echo "Adding rules for DHCP"
for interface in `find_interfaces_by_option dhcp`; do
iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
done
echo "Setting up ICMP Echo handling..."
@ -2935,6 +3129,7 @@ do_initialize() {
stopping=
have_mutex=
masq_seq=1
nonat_seq=1
TMP_DIR=/tmp/shorewall-$$
rm -rf $TMP_DIR
@ -3053,7 +3248,7 @@ case "$command" in
exit 0;
fi
define_firewall "Start" && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
my_mutex_off
my_mutex_off
;;
restart)
do_initialize
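Review bot: forward_chain() and input_chain() are documented as taking `$1 = interface`, but their bodies read the caller's global `$interface`, so the argument every call site passes is silently ignored; the sibling first_chains() in the same hunk uses `$1` correctly. This only works because each caller currently has `interface` set to the value it passes, and it will break the moment a caller passes a different name (the chain1 assignment in activate_rules, for instance). Change the two bodies to `echo \`chain_base $1\`_fwd` and `echo \`chain_base $1\`_in`. Separately, the REDIRECT arm added to validate_rule sets `servers="fw::$servers"` while the matching arm added to process_rule sets `servers="$FW::$servers"`; if FW is configured as anything other than "fw", the check path would presumably reject a REDIRECT rule that the start path accepts, so the validate_rule line should use `$FW` as well. Both validate_rule and process_rule continue outside their hunks.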


@ -1,5 +1,5 @@
#
# Shorewall 1.2 -- /etc/shorewall/functions
# Shorewall 1.3 -- /etc/shorewall/functions
#
# Suppress all output for a command


@ -1,5 +1,5 @@
#
# Shorewall 1.2 - /etc/shorewall/hosts
# Shorewall 1.3 - /etc/shorewall/hosts
#
# WARNING: 90% of Shorewall users don't need to add entries to this
# file and 80% of those who try to add such entries get it


@ -1,5 +1,5 @@
##############################################################################
# Shorewall 1.2 /etc/shorewall/icmp.def
# Shorewall 1.3 /etc/shorewall/icmp.def
#
# This file defines the default rules for accepting ICMP packets.
#


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.2.13
VERSION=1.2.90
usage() # $1 = exit status
{


@ -1,5 +1,5 @@
#
# Shorewall 1.2 -- Interfaces File
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces
#


@ -1,5 +1,5 @@
#
# Shorewall 1.2 - Masquerade file
# Shorewall 1.3 - Masquerade file
#
# /etc/shorewall/masq
#


@ -1,5 +1,5 @@
##############################################################################
# Shorewall 1.2 /etc/shorewall/modules
# Shorewall 1.3 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.


@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.2 -- Network Address Translation Table
# Shorewall 1.3 -- Network Address Translation Table
#
# /etc/shorewall/nat
#


@ -1,5 +1,5 @@
#
# Shorewall 1.2 /etc/shorewall/params
# Shorewall 1.3 /etc/shorewall/params
#
# Assign any variables that you need here.
#


@ -1,20 +1,20 @@
#
# Shorewall 1.2 -- Policy File
# Shorewall 1.3 -- Policy File
#
# /etc/shorewall/policy
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each client/server pair, the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
#
# Columns are:
#
# CLIENT Location of client. Must be the name of a zone defined
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# SERVER Location of server. Must be the name of a zone defined
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# POLICY Policy if no match from the rules file is found. Must
@ -40,7 +40,7 @@
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
###############################################################################
#CLIENT SERVER POLICY LOG LEVEL LIMIT:BURST
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
net all DROP info
all all REJECT info


@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.2 -- Proxy ARP
# Shorewall 1.3 -- Proxy ARP
#
# /etc/shorewall/proxyarp
#


@ -1,12 +1,20 @@
This is a minor release of Shorewall.
This is a major release of Shorewall.
In this release:
1. Whitelist support has been added.
2. Optional SYN Flood protection is now available.
3. Aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES
now use the VLSM and broadcast address of the interface's
primary address.
4. Port forwarding rules may now optionally override the
contents of the /etc/shorewall/nat file.
1. The rules syntax for port forwarding and port redirection has been
simplified.
2. Compatibility has been maintained with version 1.2 configurations so
that users may migrate their configuration at their convenience.
WARNING: Compatibility has NOT been maintained with the parameterized
sample configurations which were withdrawn on 4/8/2002. Users
still employing one of those samples must upgrade to the
latest samples before running Shorewall 1.3 (Beta or Release).
3. You may now exclude zone A from a DNAT or REDIRECT rule that applies
to zone B where zone A is a subzone of sone B.


@ -1,7 +1,7 @@
#
# Shorewall version 1.2 - Rules File
# Shorewall version 1.3 - Rules File
#
# /etc/shorewall/rules
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
@ -12,32 +12,31 @@
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# If any of the following columns contain the word "none" then the rule
# is ignored:
#
# PORT(S), CLIENT PORT(S), CLIENT(S) and SERVER.
#
# Columns are:
#
#
# RESULT ACCEPT, DROP or REJECT
# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable packet.
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another port).
# REDIRECT -- Redirect the request to a local
# port on the firewall.
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
#
# CLIENT(S) Hosts permitted to be clients. May be a zone defined
# SOURCE Hosts permitted to be clients. May be a zone defined
# in /etc/shorewall/zones or $FW to indicate the
# firewall itself.
#
# Clients may be further restricted to a list of subnets
# and/or hosts by appending ":" and a comma-separated
# list of subnets and/or hosts. Hosts may be specified
# list of subnets and/or hosts. Hosts may be specified
# by IP or MAC address; mac addresses must begin with
# "~" and must use "-" as a separator.
#
@ -49,7 +48,7 @@
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
@ -57,7 +56,7 @@
# example, loc:eth1 specifies a client that
# communicates with the firewall system through eth1.
#
# SERVER Location of Server. May be a zone defined in
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones or $FW to indicate the firewall
# itself.
#
@ -70,17 +69,21 @@
# ":". If omitted, the firewall will not modifiy the
# destination port.
#
# Example: loc:192.168.1.3:8080 specifies a local
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 8080. The port number MUST be specified as an integer
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# if the RESULT is REDIRECT, this column needs only to
# contain the port number on the firewall that the request
# should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# "all" or "related". If "related", the remainder of the
# entry must be omitted and connection requests that are
# related to existing requests will be accepted.
#
# PORT(S) Destination Ports. A comma-separated list of Port
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
@ -99,53 +102,48 @@
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# ADDRESS (0ptional) If included and different from the IP
# DEST ADDRESS (0ptional) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the SERVER column.
#
# If the special value "all" is used, then requests from
# the client zone given in the CLIENT(s) column with the
# destination port given in PORT(s) will be forwarded to
# the IP address given in SERVER. The value "all" is
# intended to be used when your internet IP address is
# dynamic and you want to do port forwarding or you want
# to do proxy redirection. IT SHOULD NOT BE USED IN ANY
# OTHER SITUATION.
# The address may optionally be followed by
# a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall
# documentation for restrictions concerning this feature.
# If no source IP address is given, the original source
# address is not altered.
#
# The address (or "all") may optionally be followed by
# a colon (":") an an IP address. This causes Shorewall
# to use the specified IP address as the source address
# in forwarded packets. See the Shorewall documentation
# for restrictions concerning this feature. If no source
# IP address is given, the original source address is not
# altered.
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE DEST
# # PORT PORT(S) ADDRESS
# ACCEPT dmz net tcp smtp
#
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
#
# #RESULT CLIENTS SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
# ACCEPT net loc:192.168.1.3 tcp ssh,http - all
# #ACTION SOURCE DEST PROTO DEST SOURCE DEST
# # PORT PORT(S) ADDRESS
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Redirect all locally-originating www connection requests to
# port 8080 on the firewall (Squid running on the firewall
# system)except when the destination address is 192.168.2.2
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #RESULT CLIENTS SERVER(S) PROTO PORTS(S) CLIENT PORT(S) ADDRESS
# ACCEPT loc $FW::8080 tcp www - !192.168.2.2
# #ACTION SOURCE DEST PROTO DEST SOURCE DEST
# # PORT PORT(S) ADDRESS
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE DEST
# # PORT PORT(S) ADDRESS
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
##############################################################################
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
#
# Allow SSH from the local network
#
ACCEPT loc $FW tcp ssh
#
# Allow SSH and Auth from the internet
#
ACCEPT net $FW tcp ssh,auth
#
# Run an NTP daemon on the firewall that is synced with outside sources
#
ACCEPT $FW net udp ntp
#ACTION SOURCE DEST PROTO DEST SOURCE DEST
# PORT PORT(S) ADDRESS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,6 +1,6 @@
#!/bin/sh
#
# Shorewall Packet Filtering Firewall Control Program - V1.2 - 12/21/2001
# Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
@ -144,7 +144,20 @@ display_chains()
timed_read
clear
echo -e "$banner `date`\\n"
echo -e "Input Chains\\n"
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
for chain in $chains; do
showchain $chain
done
timed_read
for zone in $zones multi; do
if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then
clear
echo -e "$banner `date`\\n"
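Review bot: The new grep pattern `'^Chain.*_[in|fwd]'` is a bracket expression, not an alternation: it matches `_` followed by any single one of the characters i, n, |, f, w or d, so besides `eth0_in` and `eth0_fwd` it selects any chain whose name contains `_` followed by one of those letters, and those chains would then be shown under the "Input Chains" heading. Use `chains=\`grep -E '^Chain [^ ]*_(in|fwd) ' /tmp/chains-$$ | cut -d' ' -f 2\`` (or the BRE form `'_\(in\|fwd\) '`) so only the per-interface input and forward chains are listed. The listing is read from `/tmp/chains-$$`, a predictable name in a shared directory; that file is created outside this hunk, but if it is not produced with mktemp it is worth revisiting. display_chains starts before the hunk.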


@ -1,5 +1,5 @@
##############################################################################
# /etc/shorewall/shorewall.conf V1.2 - Change the following variables to
# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]


@ -1,6 +1,6 @@
%define name shorewall
%define version 1.2
%define release 13
%define release 90
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -17,7 +17,6 @@ BuildArch: noarch
BuildRoot: /%{_tmppath}/%{name}-%{version}-%{release}-root
Requires: iptables
Conflicts: kernel <= 2.2
Provides: shorewall
%description
@ -79,6 +78,9 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Wed May 8 Tom Eastep <tom@shorewall.net>
- changed version to 90
- removed 'provides' tag.
* Tue Apr 23 2002 Tom Eastep <tom@shorewall.net>
- changed version to 13
- Added whitelist file.


@ -1,5 +1,5 @@
#
# Shorewall version 1.2 - Traffic Control Rules File
# Shorewall version 1.3 - Traffic Control Rules File
#
# /etc/shorewall/tcrules
#


@ -1,5 +1,5 @@
#
# Shorewall 1.2 -- /etc/shorewall/tos
# Shorewall 1.3 -- /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#


@ -2,7 +2,7 @@
RCDLINKS="2,S45 3,S45 6,K45"
################################################################################
# Script to create a gre or ipip tunnel -- Shorewall 1.2
# Script to create a gre or ipip tunnel -- Shorewall 1.3
#
# Modified - Steve Cowles 5/9/2000
# Incorporated init {start|stop} syntax and iproute2 usage


@ -1,5 +1,5 @@
#
# Shorewall 1.2 - /etc/shorewall/tunnels
# Shorewall 1.3 - /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE and IPIP tunnels.
#


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.2.13
VERSION=1.2.90
usage() # $1 = exit status
{