diff --git a/Shorewall/firewall b/Shorewall/firewall
index 5b8f98347..9b0472964 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -47,7 +47,6 @@
 # the corresponding function in that file if the user did
 # not specify "nolock" on the runline.
 #
-#
 my_mutex_on() {
 [ -n "$nolock" ] || { mutex_on; HAVE_MUTEX=Yes; }
 }
@@ -458,6 +457,14 @@ addnatrule() # $1 = chain name, remainder of arguments specify the rule
 run_iptables2 -t nat -A $@
 }
 
+#
+# Delete a chain if it exists
+#
+deletechain() # $1 = name of chain
+{
+ qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
+}
+
 #
 # Determine if a chain is a policy chain
 #
@@ -1678,7 +1685,7 @@ validate_hosts_file() {
 #
 # Format a match by the passed MAC address
 # The passed address begins with "~" and uses "-" as a separator between bytes
-# Example: ~01-02-03.24-05-06
+# Example: ~01-02-03-04-05-06
 #
 mac_match() # $1 = MAC address formated as described above
 {
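Review bot: `deletechain` reports only the status of the last `qt` in its `&&` chain, so a non-zero return means either that `$1` does not exist or that it exists but `-F`/`-X` failed (iptables rejects `-X` on a chain that is still referenced), and a caller such as `deletechain shorewall` cannot distinguish the two. Since `qt` presumably also discards the iptables output, the header should say so: `# Returns non-zero when the chain is absent or could not be flushed/deleted; iptables output is discarded`. The `$1` expansions are unquoted, which matches the surrounding file but deserves `"$1"` if chain names can ever come from configuration text.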
@@ -2093,6 +2100,231 @@ disable_critical_hosts()
 done
 }
 
+#
+# Stop the Firewall
+#
+stop_firewall() {
+ #
+ # Turn off trace unless we were tracing "stop" or "clear"
+ #
+
+ [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
+
+ case $COMMAND in
+ stop|clear)
+ ;;
+ check|compile)
+ kill $$
+ exit 2
+ ;;
+ *)
+ set +x
+
+ [ -n "${RESTOREFILE:=restore}" ]
+
+ RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
+
+ if [ -x $RESTOREPATH ]; then
+
+ if [ -x ${RESTOREPATH}-ipsets ]; then
+ progress_message2 Restoring Ipsets...
+ #
+ # We must purge iptables to be sure that there are no
+ # references to ipsets
+ #
+ for table in mangle nat filter; do
+ iptables -t $table -F
+ iptables -t $table -X
+ done
+
+ ${RESTOREPATH}-ipsets
+ fi
+
+ echo Restoring Shorewall...
+
+ if $RESTOREPATH; then
+ echo "Shorewall restored from $RESTOREPATH"
+ set_state "Started"
+ else
+ set_state "Unknown"
+ fi
+
+ my_mutex_off
+ kill $$
+ exit 2
+ fi
+ ;;
+ esac
+
+ set_state "Stopping"
+
+ STOPPING="Yes"
+
+ TERMINATOR=
+
+ deletechain shorewall
+
+ run_user_exit stop
+
+ if [ -n "$MANGLE_ENABLED" ]; then
+ run_iptables -t mangle -F
+ run_iptables -t mangle -X
+ for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+ qt $IPTABLES -t mangle -P $chain ACCEPT
+ done
+ fi
+
+ if [ -n "$RAW_TABLE" ]; then
+ run_iptables -t raw -F
+ run_iptables -t raw -X
+ for chain in PREROUTING OUTPUT; do
+ qt $IPTABLES -t raw -P $chain ACCEPT
+ done
+ fi
+
+ if [ -n "$NAT_ENABLED" ]; then
+ delete_nat
+ for chain in PREROUTING POSTROUTING OUTPUT; do
+ qt $IPTABLES -t nat -P $chain ACCEPT
+ done
+ fi
+
+ delete_proxy_arp
+ [ -n "$CLEAR_TC" ] && delete_tc1
+
+ [ -n "$DISABLE_IPV6" ] && disable_ipv6
+
+ process_criticalhosts
+
+ if [ -n "$CRITICALHOSTS" ]; then
+ if [ -z "$ADMINISABSENTMINDED" ]; then
+ for chain in INPUT OUTPUT; do
+ setpolicy $chain ACCEPT
+ done
+
+ setpolicy FORWARD DROP
+
+ deleteallchains
+
+ enable_critical_hosts
+
+ for chain in INPUT OUTPUT; do
+ setpolicy $chain DROP
+ done
+ else
+ for chain in INPUT OUTPUT; do
+ setpolicy $chain ACCEPT
+ done
+
+ setpolicy FORWARD DROP
+
+ deleteallchains
+
+ enable_critical_hosts
+
+ setpolicy INPUT DROP
+
+ for chain in INPUT FORWARD; do
+ setcontinue $chain
+ done
+ fi
+ elif [ -z "$ADMINISABSENTMINDED" ]; then
+ for chain in INPUT OUTPUT FORWARD; do
+ setpolicy $chain DROP
+ done
+
+ deleteallchains
+ else
+ for chain in INPUT FORWARD; do
+ setpolicy $chain DROP
+ done
+
+ setpolicy OUTPUT ACCEPT
+
+ deleteallchains
+
+ for chain in INPUT FORWARD; do
+ setcontinue $chain
+ done
+ fi
+
+ process_routestopped -A
+
+ $IPTABLES -A INPUT -i lo -j ACCEPT
+ [ -z "$ADMINISABSENTMINDED" ] && \
+ $IPTABLES -A OUTPUT -o lo -j ACCEPT
+
+ for interface in $(find_interfaces_by_option dhcp); do
+ $IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
+ [ -z "$ADMINISABSENTMINDED" ] && \
+ $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
+ #
+ # This might be a bridge
+ #
+ $IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
+ done
+
+ case "$IP_FORWARDING" in
+ [Oo][Nn])
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+ progress_message2 "IP Forwarding Enabled"
+ ;;
+ [Oo][Ff][Ff])
+ echo 0 > /proc/s sys/net/ipv4/ip_forward
+ progress_message2 "IP Forwarding Disabled!"
+ ;;
+ esac
+
+ run_user_exit stopped
+
+ set_state "Stopped"
+
+ logger "Shorewall Stopped"
+
+ rm -rf $TMP_DIR
+
+ case $COMMAND in
+ stop|clear)
+ ;;
+ *)
+ #
+ # The firewall is being stopped when we were trying to do something
+ # else. Remove the lock file and Kill the shell in case we're in a
+ # subshell
+ #
+ my_mutex_off
+ kill $$
+ ;;
+ esac
+}
+
+#
+# Remove all rules and remove all user-defined chains
+#
+clear_firewall() {
+ stop_firewall
+
+ setpolicy INPUT ACCEPT
+ setpolicy FORWARD ACCEPT
+ setpolicy OUTPUT ACCEPT
+
+ run_iptables -F
+
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ if qt mywhich ip6tables; then
+ ip6tables -P INPUT ACCEPT 2> /dev/null
+ ip6tables -P OUTPUT ACCEPT 2> /dev/null
+ ip6tables -P FORWARD ACCEPT 2> /dev/null
+ fi
+
+ run_user_exit clear
+
+ set_state "Cleared"
+
+ logger "Shorewall Cleared"
+}
+
 #
 # Set up ipsec tunnels
 #
@@ -2825,20 +3057,12 @@ setup_syn_flood_chains()
 delete_proxy_arp() {
 if [ -f /var/lib/shorewall/proxyarp ]; then
 while read address interface external haveroute; do
- case $COMMAND in
- compile)
- save_command "qt arp -i $external -d $address pub"
- [ -z "$haveroute" ] && save_command "qt ip route del $address dev $interface"
- ;;
- stop|clear)
- qt arp -i $external -d $address pub
- [ -z "$haveroute" ] || qt ip route del $address dev $interface
- ;;
- *)
- run_and_save_command qt arp -i $external -d $address pub
- [ -z "${haveroute}" ] && run_and_save_command "[ -n \"\$NOROUTES\" ] || qt ip route del $address dev $interface"
- ;;
- esac
+ run_and_save_command "qt arp -i $external -d $address pub"
+ if [ $COMMAND = compile ]; then
+ [ -z "$haveroute" ] && save_command "qt ip route del $address dev $interface"
+ else
+ [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
+ fi
 done < /var/lib/shorewall/proxyarp
 
 [ $COMMAND = compile ] || rm -f /var/lib/shorewall/proxyarp
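Review bot: `rm -rf $TMP_DIR` near the end of `stop_firewall` is unquoted and unguarded, so a `TMP_DIR` that is empty, or that contains whitespace or glob characters, turns a cleanup into a wrong-path deletion; `[ -n "$TMP_DIR" ] && rm -rf -- "$TMP_DIR"` keeps the best-effort behaviour while bounding the damage. The ipset purge loop in the `*)` arm calls bare `iptables` while every other rule in this function goes through `$IPTABLES`, so `$IPTABLES -t $table -F` / `$IPTABLES -t $table -X` would keep it consistent. The header comment `Turn off trace unless we were tracing "stop" or "clear"` sits above the `RESTOREBASE` cleanup and the `case`, but the `set +x` it describes is only in the `*)` arm, so moving the comment next to `set +x` would stop it reading as a description of the whole preamble. The block is moved verbatim from Shorewall/functions (removed further down in this patch), so none of this is new behaviour, but `firewall` is now its only home.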
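Review bot: The new first line of the loop body calls `run_and_save_command "qt arp …"` for every command, including `compile`, where the removed `compile)` arm used `save_command` only; unless `run_and_save_command` itself skips execution when `COMMAND` is `compile` (not visible here), a plain compile now deletes published ARP entries on the host that runs the compiler. In the `else` branch the route deletion is executed directly while the ARP deletion above it is still saved, so a script replaying the saved commands removes the proxy-ARP entry but keeps its route; the removed `*)` arm saved `run_and_save_command "[ -n \"\$NOROUTES\" ] || qt ip route del $address dev $interface"` for that case. If the asymmetry is intentional, a one-line comment saying why would help; otherwise the saved form should be restored for the non-compile path. The `if [ -f … ]` opened in the first context line closes outside the hunk.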
@@ -3432,9 +3656,9 @@ process_tc_rule()
 esac
 fi
 
- if [ "x${length:=-}" != "x-" ]; then
- [ -n "$LENGTH_MATCH" ] || fatal_error "Your kernel and/or iptables does not have length match support. Rule: \"$rule\""
- r="${r}-m length --length ${length} "
+ if [ "x{$length:=-}" != "x-" ]; then
+ [ -n "$LENGTH_MATCH" ] || fatal_error "Your kernel and/or iptables does not have length match support. Rule: \"$rule\""
+ r="${r}-m length --length ${length} "
 fi
 
 multiport=
@@ -8952,6 +9176,46 @@ fi
 
 
 cat >> $RESTOREBASE << __EOF__
+stop_firewall()
+{
+ set +x
+
+ [ -n "\${RESTOREFILE:=restore}" ]
+
+ RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
+
+ if [ -x \$RESTOREPATH ]; then
+
+ if [ -x \${RESTOREPATH}-ipsets ]; then
+ progress_message2 Restoring Ipsets...
+ #
+ # We must purge iptables to be sure that there are no
+ # references to ipsets
+ #
+ for table in nat mangle filter; do
+ iptables -t \$table -F
+ iptables -t \$table -X
+ done
+
+ \${RESTOREPATH}-ipsets
+ fi
+
+ echo Restoring Shorewall...
+
+ if \$RESTOREPATH; then
+ echo "Shorewall restored from \$RESTOREPATH"
+ set_state "Started"
+ else
+ set_state "Unknown"
+ fi
+ elif [ -x /sbin/shorewall ]; then
+ /sbin/shorewall stop
+ fi
+
+ kill \$\$
+ exit 2
+}
+
 fatal_error()
 {
 echo " ERROR: \$@" >&2
@@ -8968,11 +9232,6 @@ run_iptables()
 fi
 }
 
-my_mutex_off()
-{
- true
-}
-
 run_ip()
 {
 if ! ip \$@; then
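Review bot: The rewritten test `[ "x{$length:=-}" != "x-" ]` is broken: the brace is outside the expansion, so the string is a literal `{` followed by the value of `$length` and `:=-}`, which can never equal `x-`, and the `:=-` default assignment no longer happens. Every tc rule with an empty LENGTH column will therefore either hit `fatal_error` (when `LENGTH_MATCH` is unset) or emit `-m length --length ` with no value. The removed line had it right; restore `if [ "x${length:=-}" != "x-" ]; then`. The body of process_tc_rule continues on both sides of the hunk.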
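Review bot: `RESTOREPATH=/var/lib/shorewall/$RESTOREFILE` inside the here-document is expanded when the restore script is generated, unlike `\${RESTOREFILE:=restore}` on the line above it and unlike the `\$RESTOREFILE` the removed copy of this function used, so the `:=restore` default is dead code for `RESTOREPATH` and the script always bakes in the compile-time value; `RESTOREPATH=/var/lib/shorewall/\$RESTOREFILE` makes the two lines agree. `[ -x \$RESTOREPATH ]` is also satisfied by a directory, so an empty compile-time `RESTOREFILE` makes the script try to execute `/var/lib/shorewall/` and end in `set_state "Unknown"`; `[ -f \$RESTOREPATH ] && [ -x \$RESTOREPATH ]` closes that gap. The fallback changed from `/sbin/shorewall nolock stop` to `/sbin/shorewall stop` while the next hunk removes the `my_mutex_off` stub from the same generated script; if the script can be invoked while the shorewall lock is held, the nested `stop` presumably now blocks on that lock, which is worth confirming.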
@@ -8990,54 +9249,16 @@ run_tc() {
 fi
 }
 
-stop_firewall() {
-
- [ -n "\${RESTOREFILE:=restore}" ]
-
- RESTOREPATH=/var/lib/shorewall/\$RESTOREFILE
-
- if [ -x \$RESTOREPATH ]; then
- if [ -x \${RESTOREPATH}-ipsets ]; then
- progress_message2 Restoring Ipsets...
- #
- # We must purge iptables to be sure that there are no
- # references to ipsets
- #
- for table in mangle nat filter; do
- iptables -t \$table -F
- iptables -t \$table -X
- done
-
- \${RESTOREPATH}-ipsets
- fi
-
- echo Restoring Shorewall...
-
- if \$RESTOREPATH; then
- echo "Shorewall restored from \$RESTOREPATH"
- set_state "Started"
- else
- set_state "Unknown"
- fi
- elif [ -x /sbin/shorewall ]; then
- /sbin/shorewall nolock stop
- fi
-
- kill \$\$
- exit 2
-}
-
 __EOF__
 
 f=$(find_file params)
 [ -f $f ] && \
 save_command ". $(resolve_file $f)"
 
- cat >> $RESTOREBASE << __EOF__
 #
 # These variables are required by the library functions called in this script
 #
-COMMAND=run
+COMMAND=restore
 [ -n \${QUIET:=0} ]
 MODULESDIR="$MODULESDIR"
 MODULE_SUFFIX="$MODULE_SUFFIX"
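Review bot: The here-document that carries `COMMAND=restore`, `[ -n \${QUIET:=0} ]` and the `MODULESDIR`/`MODULE_SUFFIX` assignments no longer has an opening `cat >> $RESTOREBASE << __EOF__` on the new side, while its `__EOF__` terminator survives as a context line in the next hunk. The hunk headers leave only two unchanged lines between this hunk and the next (one of them `LOGTAGONLY="$LOGTAGONLY"`), so unless the other one re-opens the here-document, those lines are now executed by the compiler itself rather than written to the restore script: `COMMAND=restore` overwrites the compiler's own `COMMAND` mid-run, the `\$` escapes become literal backslashes in the assignments, and `__EOF__` is run as a command. Keep the removed line, at column 0 to match the `+cat >> $RESTOREBASE << __EOF__` the next hunk introduces: `cat >> $RESTOREBASE << __EOF__`.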
@@ -9046,42 +9267,24 @@ LOGTAGONLY="$LOGTAGONLY"
 LOGRULENUMBERS="$LOGRULENUMBERS"
 LOGFORMAT="$LOGFORMAT"
 RESTOREFILE="$RESTOREFILE"
-PKTTYPE="$PKTTYPE"
-CLEAR_TC="$CLEAR_TC"
-DISABLE_IPV6="$DISABLE_IPV6"
-CRITICALHOSTS="$CRITICALHOSTS"
-ADMINISABSENTMINDED="$ADMINISABSENTMINDED"
-IP_FORWARDING="$IP_FORWARDING"
-CONFIG_PATH="$CONFIG_PATH"
 STOPPING=
-#
-# The library function require the existence of /var/lib/shorewall
-#
-mkdir -p /var/lib/shorewall
-#
-# And they require knowledge of the capabilities
-#
-determine_capabilities
 __EOF__
 
- if [ -z "$EXPORT" ]; then
- cat >> $RESTOREBASE << __EOF__
+if [ -z "$EXPORT" ]; then
+ cat >> $RESTOREBASE << __EOF__
 if [ ! -f /usr/share/shorewall/version ] || [ \$(cat /usr/share/shorewall/version) != $VERSION ]; then
 error_message "ERROR: This script requires Shorewall version $VERSION"
 exit 2
 fi
+__EOF__
+fi
+cat >> $RESTOREBASE << __EOF__
+
+load_kernel_modules
 __EOF__
- fi
-
- if [ -n "$PROGRAM" ]; then
- save_command "define_firewall() {"
- save_command ""
- fi
-
- save_command "load_kernel_modules"
 
 progress_message2 "Initializing..."
 save_progress_message "Initializing..."
 
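Review bot: The generated restore script no longer receives `mkdir -p /var/lib/shorewall` or `determine_capabilities`, although the removed comments state that the library functions require both, and nothing on the new side of this hunk supplies a replacement before `load_kernel_modules` is emitted. If capability detection and the state directory are now guaranteed elsewhere (for example because stopping is delegated to `/sbin/shorewall stop`), a comment at the new `cat >> $RESTOREBASE << __EOF__` such as `# capabilities and /var/lib/shorewall are handled by the script's own stop path` would keep the next reader from re-adding them; otherwise the two calls should be emitted again next to `load_kernel_modules`. The de-indentation of `if [ -z "$EXPORT" ]` and the new column-0 `cat >>` suggest these lines left an enclosing block whose start and end are outside the hunk.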
@@ -9179,80 +9382,6 @@ __EOF__
 
 run_user_exit started
 
 
- if [ -n "$PROGRAM" ]; then
- cat >> $RESTOREBASE << __EOF__
-}
-
-usage()
-{
- echo "Usage: \$0 {start|stop|restart|reload|clear|status}"
- exit 1
-}
-
-[ \$# -ne 1 ] && usage
-
-
-COMMAND="\$1"
-
-case "\$COMMAND" in
- stop)
- echo "Stopping Firewall..."
- stop_firewall
- echo "done."
- ;;
-
- start)
- echo "Starting Firewall..."
- define_firewall
- echo "done."
- ;;
- restart)
- echo "Restarting Firewall..."
- define_firewall
- echo "done."
- ;;
- reload)
- echo "Reloading Firewall..."
- define_firewall
- echo "done."
- ;;
- clear)
- echo "Clearing Firewall..."
- clear_firewall
- echo "done."
- ;;
- status)
- echo "Firewall Status at \$HOSTNAME - \$(date)"
- echo
- if qt iptables -L shorewall -n ; then
- echo "Firewall is running"
- status=0
- else
- echo "Firewall is stopped"
- status=4
- fi
-
- if [ -f /var/lib/shorewall/state ]; then
- state="\$(cat /var/lib/shorewall/state)"
- case $state in
- Stopped*|Clear*)
- status=3
- ;;
- esac
- else
- state=Unknown
- fi
- echo "State:\$state"
- echo
- exit \$status
- ;;
- *)
- usage
- ;;
-esac
-__EOF__
- fi
-
 mv -f $RESTOREBASE $outfile
 chmod 700 $outfile
diff --git a/Shorewall/functions b/Shorewall/functions
index e6024a637..d6ea53bc3 100755
--- a/Shorewall/functions
+++ b/Shorewall/functions
@@ -1217,237 +1217,4 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
 log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
 }
 
-#
-# Delete a chain if it exists
-#
-deletechain() # $1 = name of chain
-{
- qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
-}
-
-#
-# Stop the Firewall
-#
-stop_firewall() {
- #
- # Turn off trace unless we were tracing "stop" or "clear"
- #
-
- [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
-
- case $COMMAND in
- stop|clear)
- ;;
- check|compile)
- kill $$
- exit 2
- ;;
- *)
- set +x
-
- [ -n "${RESTOREFILE:=restore}" ]
-
- RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
-
- if [ -x $RESTOREPATH ]; then
-
- if [ -x ${RESTOREPATH}-ipsets ]; then
- progress_message2 Restoring Ipsets...
- #
- # We must purge iptables to be sure that there are no
- # references to ipsets
- #
- for table in mangle nat filter; do
- iptables -t $table -F
- iptables -t $table -X
- done
-
- ${RESTOREPATH}-ipsets
- fi
-
- echo Restoring Shorewall...
-
- if $RESTOREPATH; then
- echo "Shorewall restored from $RESTOREPATH"
- set_state "Started"
- else
- set_state "Unknown"
- fi
-
- my_mutex_off
- kill $$
- exit 2
- fi
- ;;
- esac
-
- set_state "Stopping"
-
- STOPPING="Yes"
-
- TERMINATOR=
-
- deletechain shorewall
-
- run_user_exit stop
-
- if [ -n "$MANGLE_ENABLED" ]; then
- run_iptables -t mangle -F
- run_iptables -t mangle -X
- for chain in PREROUTING INPUT FORWARD POSTROUTING; do
- qt $IPTABLES -t mangle -P $chain ACCEPT
- done
- fi
-
- if [ -n "$RAW_TABLE" ]; then
- run_iptables -t raw -F
- run_iptables -t raw -X
- for chain in PREROUTING OUTPUT; do
- qt $IPTABLES -t raw -P $chain ACCEPT
- done
- fi
-
- if [ -n "$NAT_ENABLED" ]; then
- delete_nat
- for chain in PREROUTING POSTROUTING OUTPUT; do
- qt $IPTABLES -t nat -P $chain ACCEPT
- done
- fi
-
- delete_proxy_arp
- [ -n "$CLEAR_TC" ] && delete_tc1
-
- [ -n "$DISABLE_IPV6" ] && disable_ipv6
-
- process_criticalhosts
-
- if [ -n "$CRITICALHOSTS" ]; then
- if [ -z "$ADMINISABSENTMINDED" ]; then
- for chain in INPUT OUTPUT; do
- setpolicy $chain ACCEPT
- done
-
- setpolicy FORWARD DROP
-
- deleteallchains
-
- enable_critical_hosts
-
- for chain in INPUT OUTPUT; do
- setpolicy $chain DROP
- done
- else
- for chain in INPUT OUTPUT; do
- setpolicy $chain ACCEPT
- done
-
- setpolicy FORWARD DROP
-
- deleteallchains
-
- enable_critical_hosts
-
- setpolicy INPUT DROP
-
- for chain in INPUT FORWARD; do
- setcontinue $chain
- done
- fi
- elif [ -z "$ADMINISABSENTMINDED" ]; then
- for chain in INPUT OUTPUT FORWARD; do
- setpolicy $chain DROP
- done
-
- deleteallchains
- else
- for chain in INPUT FORWARD; do
- setpolicy $chain DROP
- done
-
- setpolicy OUTPUT ACCEPT
-
- deleteallchains
-
- for chain in INPUT FORWARD; do
- setcontinue $chain
- done
- fi
-
- process_routestopped -A
-
- $IPTABLES -A INPUT -i lo -j ACCEPT
- [ -z "$ADMINISABSENTMINDED" ] && \
- $IPTABLES -A OUTPUT -o lo -j ACCEPT
-
- for interface in $(find_interfaces_by_option dhcp); do
- $IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
- [ -z "$ADMINISABSENTMINDED" ] && \
- $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
- #
- # This might be a bridge
- #
- $IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
- done
-
- case "$IP_FORWARDING" in
- [Oo][Nn])
- echo 1 > /proc/sys/net/ipv4/ip_forward
- progress_message2 "IP Forwarding Enabled"
- ;;
- [Oo][Ff][Ff])
- echo 0 > /proc/sys/net/ipv4/ip_forward
- progress_message2 "IP Forwarding Disabled!"
- ;;
- esac
-
- run_user_exit stopped
-
- set_state "Stopped"
-
- logger "Shorewall Stopped"
-
- rm -rf $TMP_DIR
-
- case $COMMAND in
- stop|clear)
- ;;
- *)
- #
- # The firewall is being stopped when we were trying to do something
- # else. Remove the lock file and Kill the shell in case we're in a
- # subshell
- #
- my_mutex_off
- kill $$
- ;;
- esac
-}
-
-#
-# Remove all rules and remove all user-defined chains
-#
-clear_firewall() {
- stop_firewall
-
- setpolicy INPUT ACCEPT
- setpolicy FORWARD ACCEPT
- setpolicy OUTPUT ACCEPT
-
- run_iptables -F
-
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- if qt mywhich ip6tables; then
- ip6tables -P INPUT ACCEPT 2> /dev/null
- ip6tables -P OUTPUT ACCEPT 2> /dev/null
- ip6tables -P FORWARD ACCEPT 2> /dev/null
- fi
-
- run_user_exit clear
-
- set_state "Cleared"
-
- logger "Shorewall Cleared"
-}
-
 SHOREWALL_LIBRARY=Loaded
diff --git a/Shorewall/tcrules b/Shorewall/tcrules
index 320953e9e..65d4187d4 100755
--- a/Shorewall/tcrules
+++ b/Shorewall/tcrules
@@ -164,10 +164,10 @@
 #
 # If you don't want to define a test but need to specify
 # anything in the following columns, place a "-" in this
-# field.
+# field.
 #
 # LENGTH (Optional) Packet Length. This field, if present
-# allow you to match the length of a packet against
+# allow you to match the length of a packet against
 # a specific value or range of values. You must have
 # iptables length support for this to work. If you let
 # it empy or place an "-" here, no length match will be