mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-25 00:53:49 +01:00
Final 1.3 Updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@41 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
390ee5a4a0
commit
5245e3b75a
@ -20,6 +20,10 @@ Changes since 1.2.13
|
||||
its own input and forward chain.
|
||||
|
||||
8. Added logic to allow a subzone to be excluded from a DNAT or REDIRECT rule.
|
||||
|
||||
9. Removed white list capability
|
||||
|
||||
10. Added 'filterping' interface option.
|
||||
|
||||
|
||||
|
||||
|
@ -6,8 +6,11 @@
|
||||
# the firewall will also define a DROP rule for each subnet broadcast
|
||||
# address defined in /etc/shorewall/interfaces (including "detect").
|
||||
#
|
||||
# Do not modify this file -- if you wish to change these rules, copy this
|
||||
# file to /etc/shorewall/common and modify that file.
|
||||
# Do not modify this file -- if you wish to change these rules, create
|
||||
# /etc/shorewall/common to replace it. It is suggested that you include
|
||||
# the command "source /etc/shorewall/common.def" in your
|
||||
# /etc/shorewall/common file so that you will continue to get the
|
||||
# advantage of new releases of this file.
|
||||
#
|
||||
run_iptables -A common -p icmp -j icmpdef
|
||||
############################################################################
|
||||
@ -32,7 +35,7 @@ run_iptables -A common -p udp --dport 1900 -j DROP
|
||||
run_iptables -A common -d 255.255.255.255 -j DROP
|
||||
run_iptables -A common -d 224.0.0.0/4 -j DROP
|
||||
############################################################################
|
||||
# AUTH -- Reject it so that connections don't get delayed.
|
||||
# AUTH -- Silently reject it so that connections don't get delayed.
|
||||
#
|
||||
run_iptables -A common -p tcp --dport 113 -j reject
|
||||
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.2.90
|
||||
VERSION=1.3.0
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -55,6 +55,22 @@ RCDLINKS="2,S41 3,S41 6,K41"
|
||||
# description: Packet filtering firewall
|
||||
#
|
||||
|
||||
###############################################################################
|
||||
# Search a list looking for a match -- returns zero if a match found #
|
||||
# 1 otherwise #
|
||||
###############################################################################
|
||||
list_search() # $1 = element to search for , $2-$n = list
|
||||
{
|
||||
local e=$1
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
[ "x$e" = "x$1" ] && return 0
|
||||
done
|
||||
|
||||
return 1
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
# Mutual exclusion -- These functions are jackets for the mutual exclusion #
|
||||
# routines in /etc/shorewall/functions. They invoke the #
|
||||
@ -74,7 +90,7 @@ my_mutex_off() {
|
||||
###############################################################################
|
||||
error_message() # $* = Error Message
|
||||
{
|
||||
echo "$@" >&2
|
||||
echo " $@" >&2
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
@ -82,7 +98,7 @@ error_message() # $* = Error Message
|
||||
###############################################################################
|
||||
fatal_error() # $* = Error Message
|
||||
{
|
||||
echo "$@" >&2
|
||||
echo " $@" >&2
|
||||
stop_firewall
|
||||
exit 2
|
||||
}
|
||||
@ -93,7 +109,7 @@ fatal_error() # $* = Error Message
|
||||
###############################################################################
|
||||
startup_error() # $* = Error Message
|
||||
{
|
||||
echo "$@" >&2
|
||||
echo " $@" >&2
|
||||
my_mutex_off
|
||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||
kill $$
|
||||
@ -312,7 +328,7 @@ chain_base() #$1 = interface
|
||||
{
|
||||
local c=${1%%+*}
|
||||
|
||||
echo ${c:=multi}
|
||||
echo ${c:=common}
|
||||
}
|
||||
|
||||
################################################################################
|
||||
@ -405,7 +421,7 @@ determine_hosts() {
|
||||
eval display=\$${zone}_display
|
||||
display_list "$display Zone:" $hosts
|
||||
else
|
||||
error_message " Warning: Zone $zone is empty"
|
||||
error_message "Warning: Zone $zone is empty"
|
||||
fi
|
||||
done
|
||||
}
|
||||
@ -415,11 +431,7 @@ determine_hosts() {
|
||||
################################################################################
|
||||
validate_zone() # $1 = zone
|
||||
{
|
||||
local zone
|
||||
for zone in $zones $FW; do
|
||||
[ "$zone" = "$1" ] && return 0
|
||||
done
|
||||
return 1
|
||||
list_search $1 $zones $FW
|
||||
}
|
||||
|
||||
################################################################################
|
||||
@ -431,18 +443,17 @@ validate_interfaces_file() {
|
||||
r="$z $interface $subnet $options"
|
||||
[ "x$z" = "x-" ] || validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
|
||||
|
||||
for intr in $all_interfaces; do
|
||||
[ "$intr" = "$interface" ] && startup_error "Duplicate Interface $intr"
|
||||
done
|
||||
list_search $intr $all_interfaces && \
|
||||
startup_error "Duplicate Interface $intr"
|
||||
|
||||
all_interfaces="$all_interfaces $interface"
|
||||
|
||||
for option in `separate_list $options`; do
|
||||
case $option in
|
||||
dhcp|noping|routestopped|norfc1918|multi|routefilter|dropunclean|logunclean|blacklist|-)
|
||||
dhcp|noping|filterping|routestopped|norfc1918|multi|routefilter|dropunclean|logunclean|blacklist|-)
|
||||
;;
|
||||
*)
|
||||
error_message " Warning: Invalid option ($option) in record \"$r\""
|
||||
error_message "Warning: Invalid option ($option) in record \"$r\""
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@ -466,7 +477,7 @@ validate_hosts_file() {
|
||||
routestopped|-)
|
||||
;;
|
||||
*)
|
||||
error_message " Warning: Invalid option ($option) in record \"$r\""
|
||||
error_message "Warning: Invalid option ($option) in record \"$r\""
|
||||
;;
|
||||
esac
|
||||
done
|
||||
@ -561,14 +572,14 @@ validate_rule() {
|
||||
[ -n "$port" ] && dports="--icmp-type $port"
|
||||
state=""
|
||||
;;
|
||||
all|ALL)
|
||||
proto=
|
||||
;;
|
||||
related|RELATED)
|
||||
proto=
|
||||
state="-m state --state RELATED"
|
||||
;;
|
||||
*)
|
||||
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
|
||||
startup_error "Port number not allowed with protocol " \
|
||||
"\"$proto\"; rule: \"$rule\""
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -579,13 +590,19 @@ validate_rule() {
|
||||
target=reject
|
||||
;;
|
||||
REDIRECT)
|
||||
[ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\
|
||||
" specify a server IP; rule: \"$rule\""
|
||||
servport=${servport:=$port}
|
||||
;;
|
||||
DNAT)
|
||||
[ -n "$serv" ] || startup_error "Error: DNAT rules require a" \
|
||||
" server address; rule: \"$rule\""
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then
|
||||
error_message " Warning -- Rule \"$rule\" is a POLICY"
|
||||
error_message " -- and should be moved to the policy file"
|
||||
error_message "Warning -- Rule \"$rule\" is a POLICY"
|
||||
error_message " -- and should be moved to the policy file"
|
||||
fi
|
||||
|
||||
if [ -n "${serv}${servport}" ]; then
|
||||
@ -598,18 +615,18 @@ validate_rule() {
|
||||
#
|
||||
if [ -z "$NAT_ENABLED" ]; then
|
||||
startup_error \
|
||||
" Error - Rule \"$rule\" requires NAT which is disabled"
|
||||
"Error - Rule \"$rule\" requires NAT which is disabled"
|
||||
fi
|
||||
|
||||
if [ "$target" != "ACCEPT" ]; then
|
||||
startup_error " Error - Only ACCEPT rules may specify " \
|
||||
startup_error "Error - Only ACCEPT rules may specify " \
|
||||
"port mapping; rule \"$rule\""
|
||||
fi
|
||||
fi
|
||||
else
|
||||
[ -n "$addr" ] && startup_error \
|
||||
" Error: An ADDRESS ($addr) is only allowed in" \
|
||||
" a port mapping rule: \"$rule\""
|
||||
"Error: An ADDRESS ($addr) is only allowed in" \
|
||||
" a DNAT or REDIRECT rule: \"$rule\""
|
||||
fi
|
||||
}
|
||||
############################################################################
|
||||
@ -649,7 +666,7 @@ validate_rule() {
|
||||
ACCEPT|DROP|REJECT)
|
||||
;;
|
||||
*)
|
||||
startup_error " Error: Invalid target;" \
|
||||
startup_error "Error: Invalid target;" \
|
||||
" rule: \"$rule\""
|
||||
|
||||
esac
|
||||
@ -669,13 +686,13 @@ validate_rule() {
|
||||
clientzone="${clientzone%\!*}"
|
||||
|
||||
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
|
||||
startup_error " Error: Exclude list only allowed with DNAT or REDIRECT"
|
||||
startup_error "Error: Exclude list only allowed with DNAT or REDIRECT"
|
||||
fi
|
||||
############################################################################
|
||||
# Validate the Source Zone
|
||||
|
||||
if ! validate_zone $clientzone; then
|
||||
startup_error " Error: Undefined Client Zone in rule \"$rule\""
|
||||
startup_error "Error: Undefined Client Zone in rule \"$rule\""
|
||||
fi
|
||||
|
||||
source=$clientzone
|
||||
@ -703,7 +720,7 @@ validate_rule() {
|
||||
# Validate the destination zone
|
||||
#
|
||||
if ! validate_zone $serverzone; then
|
||||
startup_error " Error: Undefined Server Zone in rule \"$rule\""
|
||||
startup_error "Error: Undefined Server Zone in rule \"$rule\""
|
||||
fi
|
||||
|
||||
dest=$serverzone
|
||||
@ -760,7 +777,7 @@ validate_policy()
|
||||
;;
|
||||
*)
|
||||
if ! validate_zone $client; then
|
||||
startup_error " Error: Undefined zone $client"
|
||||
startup_error "Error: Undefined zone $client"
|
||||
fi
|
||||
esac
|
||||
|
||||
@ -769,7 +786,7 @@ validate_policy()
|
||||
;;
|
||||
*)
|
||||
if ! validate_zone $server; then
|
||||
startup_error " Error: Undefined zone $server"
|
||||
startup_error "Error: Undefined zone $server"
|
||||
fi
|
||||
esac
|
||||
|
||||
@ -777,7 +794,7 @@ validate_policy()
|
||||
ACCEPT|REJECT|DROP|CONTINUE)
|
||||
;;
|
||||
*)
|
||||
startup_error " Error: Invalid policy $policy"
|
||||
startup_error "Error: Invalid policy $policy"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -812,9 +829,8 @@ find_interfaces_by_option() # $1 = option
|
||||
{
|
||||
while read ignore interface subnet options; do
|
||||
expandv options
|
||||
for option in `separate_list $options`; do
|
||||
[ "$option" = "$1" ] && echo `expand $interface` && break 1
|
||||
done
|
||||
list_search $1 `separate_list $options` && \
|
||||
echo `expand $interface` && break 1
|
||||
done < $TMP_DIR/interfaces
|
||||
}
|
||||
|
||||
@ -825,17 +841,15 @@ find_hosts_by_option() # $1 = option
|
||||
{
|
||||
while read ignore hosts options; do
|
||||
expandv options
|
||||
for option in `separate_list $options`; do
|
||||
[ "$option" = "$1" ] && echo `expand $hosts`
|
||||
done
|
||||
list_search $1 `separate_list $options` && \
|
||||
echo `expand $hosts`
|
||||
done < $TMP_DIR/hosts
|
||||
|
||||
while read ignore interface ignore1 options; do
|
||||
expandv options
|
||||
for option in `separate_list $options`; do
|
||||
[ "$option" = "$1" ] && \
|
||||
echo `expand $interface`:0.0.0.0/0 && break 1
|
||||
done
|
||||
list_search $1 `separate_list $options` && \
|
||||
echo `expand $interface`:0.0.0.0/0 && \
|
||||
break 1
|
||||
done < $TMP_DIR/interfaces
|
||||
}
|
||||
|
||||
@ -849,11 +863,9 @@ have_interfaces_in_zone_with_option() # $1 = zone, $2 = option
|
||||
local zne=$1
|
||||
|
||||
while read z interface broadcast options; do
|
||||
[ "x`expand $z`" = "x$zne" ] && \
|
||||
expandv options && \
|
||||
for option in `separate_list $options`; do
|
||||
[ "$option" = "$2" ] && return 0
|
||||
done
|
||||
[ "x`expand $z`" = "x$zne" ] && expandv options && \
|
||||
list_search $1 `separate_list $options` && \
|
||||
return 0
|
||||
done < $TMP_DIR/interfaces
|
||||
return 1
|
||||
}
|
||||
@ -1219,7 +1231,7 @@ setup_nat() {
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Delete existing Static NAT and Port Forwarding #
|
||||
# Delete existing Static NAT #
|
||||
################################################################################
|
||||
delete_nat() {
|
||||
run_iptables -t nat -F
|
||||
@ -1358,11 +1370,11 @@ process_rule() {
|
||||
|
||||
if [ -z "$NAT_ENABLED" ]; then
|
||||
fatal_error \
|
||||
" Error - Rule \"$rule\" requires NAT which is disabled"
|
||||
"Error - Rule \"$rule\" requires NAT which is disabled"
|
||||
fi
|
||||
|
||||
if [ "$target" != "ACCEPT" ]; then
|
||||
fatal_error " Error - Only ACCEPT rules may specify " \
|
||||
fatal_error "Error - Only DNAT and REDIRECT rules may specify " \
|
||||
"port mapping; rule \"$rule\""
|
||||
fi
|
||||
|
||||
@ -1373,7 +1385,7 @@ process_rule() {
|
||||
snat=""
|
||||
fi
|
||||
|
||||
[ "$addr" = "all" ] && addr= || addr="-d $addr"
|
||||
[ "$addr" = "all" ] && addr= || addr=${addr:+-d $addr}
|
||||
|
||||
if [ -n "$serv" ]; then
|
||||
servport="${servport:+:$servport}"
|
||||
@ -1489,6 +1501,9 @@ process_rule() {
|
||||
state=""
|
||||
;;
|
||||
all|ALL)
|
||||
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
|
||||
fatal_error "Port number not allowed with \"all\";" \
|
||||
" rule: \"$rule\""
|
||||
proto=
|
||||
;;
|
||||
related|RELATED)
|
||||
@ -1496,6 +1511,9 @@ process_rule() {
|
||||
state="-m state --state RELATED"
|
||||
;;
|
||||
*)
|
||||
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
|
||||
fatal_error "Port number not allowed with protocol " \
|
||||
"\"$proto\"; rule: \"$rule\""
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -1506,13 +1524,19 @@ process_rule() {
|
||||
target=reject
|
||||
;;
|
||||
REDIRECT)
|
||||
[ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\
|
||||
" specify a server IP; rule: \"$rule\""
|
||||
servport=${servport:=$port}
|
||||
;;
|
||||
DNAT)
|
||||
[ -n "$serv" ] || fatal_error "Error: DNAT rules require a" \
|
||||
" server address; rule: \"$rule\""
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then
|
||||
error_message " Warning -- Rule \"$rule\" is a POLICY"
|
||||
error_message " -- and should be moved to the policy file"
|
||||
error_message "Warning -- Rule \"$rule\" is a POLICY"
|
||||
error_message " -- and should be moved to the policy file"
|
||||
fi
|
||||
|
||||
if [ -n "${serv}${servport}" ]; then
|
||||
@ -1521,7 +1545,7 @@ process_rule() {
|
||||
#
|
||||
if [ -n "$addr" -a "$addr" != "$serv" ]; then
|
||||
##############################################################
|
||||
# Must use Prerouting DNAT
|
||||
# Must use Prerouting DNAT or REDIRECT
|
||||
#
|
||||
add_nat_rule
|
||||
fi
|
||||
@ -1538,8 +1562,8 @@ process_rule() {
|
||||
# Destination is just a zone or an interface
|
||||
#
|
||||
[ -n "$addr" ] && fatal_error \
|
||||
" Error: An ADDRESS ($addr) is only allowed in" \
|
||||
" a port mapping rule: \"$rule\""
|
||||
"Error: An ADDRESS ($addr) is only allowed in" \
|
||||
" a DNAT or REDIRECT: \"$rule\""
|
||||
|
||||
[ -n "$loglevel" ] && run_iptables -A $chain $proto \
|
||||
$dest_interface $state $cli $sports $dports -j LOG \
|
||||
@ -1550,6 +1574,7 @@ process_rule() {
|
||||
$cli $sports $dports -j $target
|
||||
fi
|
||||
}
|
||||
|
||||
############################################################################
|
||||
# P r o c e s s _ R u l e S t a r t s H e r e
|
||||
############################################################################
|
||||
@ -1602,14 +1627,14 @@ process_rule() {
|
||||
clientzone="${clientzone%\!*}"
|
||||
|
||||
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
|
||||
fatal_error " Error: Exclude list only allowed with DNAT or REDIRECT"
|
||||
fatal_error "Error: Exclude list only allowed with DNAT or REDIRECT"
|
||||
fi
|
||||
|
||||
############################################################################
|
||||
# Validate the Source Zone
|
||||
|
||||
if ! validate_zone $clientzone; then
|
||||
fatal_error " Error: Undefined Client Zone in rule \"$rule\""
|
||||
fatal_error "Error: Undefined Client Zone in rule \"$rule\""
|
||||
fi
|
||||
|
||||
source=$clientzone
|
||||
@ -1637,7 +1662,7 @@ process_rule() {
|
||||
# Validate the destination zone
|
||||
#
|
||||
if ! validate_zone $serverzone; then
|
||||
fatal_error " Error: Undefined Server Zone in rule \"$rule\""
|
||||
fatal_error "Error: Undefined Server Zone in rule \"$rule\""
|
||||
fi
|
||||
|
||||
dest=$serverzone
|
||||
@ -2267,32 +2292,6 @@ process_blacklist_rec() {
|
||||
done
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
# Process a record from the whilelist file #
|
||||
# #
|
||||
# $subnet = address/subnet #
|
||||
###############################################################################
|
||||
process_whitelist_rec() {
|
||||
local source
|
||||
local addr
|
||||
|
||||
for addr in `separate_list $subnet`; do
|
||||
case $addr in
|
||||
~*)
|
||||
addr=`echo $addr | sed 's/~//;s/-/:/g'`
|
||||
source="--match mac --mac-source $addr"
|
||||
;;
|
||||
*)
|
||||
source="-s $addr"
|
||||
;;
|
||||
esac
|
||||
|
||||
run_iptables -A common $source -j ACCEPT
|
||||
|
||||
echo " $addr added to White List"
|
||||
done
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
# Setup the Black List #
|
||||
###############################################################################
|
||||
@ -2326,25 +2325,6 @@ setup_blacklist() {
|
||||
fi
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
# Setup the White List #
|
||||
###############################################################################
|
||||
setup_whitelist() {
|
||||
local f=`find_file whitelist`
|
||||
|
||||
if [ -f $f ]; then
|
||||
echo "Setting up Whitelisting..."
|
||||
|
||||
strip_file whitelist $f
|
||||
|
||||
while read subnet; do
|
||||
expandv subnet
|
||||
process_whitelist_rec
|
||||
done < $TMP_DIR/whitelist
|
||||
|
||||
fi
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
# Refresh the Black List #
|
||||
###############################################################################
|
||||
@ -2369,25 +2349,6 @@ refresh_blacklist() {
|
||||
fi
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
# Refresh the White List #
|
||||
###############################################################################
|
||||
refresh_whitelist() {
|
||||
local f=`find_file whitelist`
|
||||
|
||||
if [ -f $f ]; then
|
||||
echo "Refreshing White List..."
|
||||
|
||||
strip_file whitelist $f
|
||||
|
||||
while read subnet; do
|
||||
expandv subnet
|
||||
process_whitelist_rec
|
||||
done < $TMP_DIR/whitelist
|
||||
|
||||
fi
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
# Verify that kernel has netfilter support #
|
||||
###############################################################################
|
||||
@ -2488,12 +2449,8 @@ initialize_netfilter () {
|
||||
echo "Creating input Chains..."
|
||||
|
||||
for interface in $all_interfaces; do
|
||||
chain=`forward_chain $interface`
|
||||
|
||||
if ! havechain $chain; then
|
||||
createchain $chain no
|
||||
createchain `input_chain $interface` no
|
||||
fi
|
||||
createchain `forward_chain $interface` no
|
||||
createchain `input_chain $interface` no
|
||||
done
|
||||
}
|
||||
|
||||
@ -2554,11 +2511,6 @@ add_common_rules() {
|
||||
echo " $interface"
|
||||
done
|
||||
fi
|
||||
############################################################################
|
||||
# White List
|
||||
#
|
||||
setup_whitelist
|
||||
|
||||
############################################################################
|
||||
# Common ICMP rules
|
||||
#
|
||||
@ -2764,6 +2716,8 @@ apply_policy_rules() {
|
||||
################################################################################
|
||||
activate_rules() {
|
||||
|
||||
multi_interfaces=`find_interfaces_by_option multi`
|
||||
|
||||
for zone in $zones; do
|
||||
eval source_hosts=\$${zone}_hosts
|
||||
|
||||
@ -2792,34 +2746,25 @@ activate_rules() {
|
||||
interface=${host%:*}
|
||||
subnet=${host#*:}
|
||||
chain1=`forward_chain $interface`
|
||||
list_search $interface $multi_interfaces && multi=yes || multi=
|
||||
|
||||
for host1 in $dest_hosts; do
|
||||
interface1=${host1%:*}
|
||||
subnet1=${host1#*:}
|
||||
|
||||
[ $interface = $interface1 -a "x$subnet" = "x$subnet1" ] ||\
|
||||
|
||||
if [ $interface != $interface1 -o \
|
||||
"x$subnet" != "x$subnet1" -o \
|
||||
-n "$multi" ]; then
|
||||
run_iptables -A $chain1 -s $subnet \
|
||||
-o $interface1 -d $subnet1 -j $chain
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
done
|
||||
done
|
||||
|
||||
done
|
||||
|
||||
while read zone interface broadcast options; do
|
||||
expandv zone
|
||||
if [ "x$zone" != "x-" ]; then
|
||||
expandv interface options
|
||||
for option in `separate_list $options`; do
|
||||
[ "$option" = "multi" ] && \
|
||||
run_iptables -A `forward_chain $interface` \
|
||||
-o $interface -j ${zone}2${zone} && \
|
||||
break 1
|
||||
done
|
||||
fi
|
||||
done < $TMP_DIR/interfaces
|
||||
|
||||
for interface in $all_interfaces; do
|
||||
run_iptables -A FORWARD -i $interface -j `forward_chain $interface`
|
||||
run_iptables -A INPUT -i $interface -j `input_chain $interface`
|
||||
@ -2864,9 +2809,6 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
[ -f $tunnels ] && \
|
||||
echo "Processing $tunnels..." && setup_tunnels $tunnels
|
||||
|
||||
chains="`run_iptables -L -n | grep ^Chain | cut -d' ' -f2`"
|
||||
chains=`echo $chains`
|
||||
|
||||
rules=`find_file rules`
|
||||
|
||||
echo "Processing $rules..."
|
||||
@ -2882,13 +2824,20 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
|
||||
echo "Setting up ICMP Echo handling..."
|
||||
|
||||
filterping_interfaces="`find_interfaces_by_option filterping`"
|
||||
noping_interfaces="`find_interfaces_by_option noping`"
|
||||
|
||||
for interface in $all_interfaces; do
|
||||
[ -n "`echo $noping_interfaces | grep $interface`" ] && \
|
||||
target=DROP || target=ACCEPT
|
||||
run_iptables -A `input_chain $interface` \
|
||||
-p icmp --icmp-type echo-request -j $target
|
||||
if ! list_search $interface $filterping_interfaces; then
|
||||
if list_search $interface $noping_interfaces; then
|
||||
target=DROP
|
||||
else
|
||||
target=ACCEPT
|
||||
fi
|
||||
|
||||
run_iptables -A `input_chain $interface` \
|
||||
-p icmp --icmp-type echo-request -j $target
|
||||
fi
|
||||
done
|
||||
|
||||
[ -z "$NAT_BEFORE_RULES" ] && setup_nat
|
||||
@ -2911,7 +2860,6 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
|
||||
[ -n "$TC_ENABLED" ] && setup_tc
|
||||
|
||||
|
||||
echo "Activating Rules..."
|
||||
|
||||
activate_rules
|
||||
@ -2984,13 +2932,10 @@ refresh_firewall()
|
||||
|
||||
determine_interfaces
|
||||
|
||||
run_user_exit refresh
|
||||
|
||||
run_iptables -F common
|
||||
|
||||
############################################################################
|
||||
# White List
|
||||
#
|
||||
refresh_whitelist
|
||||
|
||||
echo "Adding Common Rules"
|
||||
############################################################################
|
||||
# Common rules in each chain
|
||||
@ -3208,6 +3153,7 @@ case "$command" in
|
||||
echo "done."
|
||||
my_mutex_off
|
||||
;;
|
||||
|
||||
start)
|
||||
do_initialize
|
||||
my_mutex_on
|
||||
@ -3220,6 +3166,7 @@ case "$command" in
|
||||
define_firewall "Start" && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
|
||||
my_mutex_off
|
||||
;;
|
||||
|
||||
restart)
|
||||
do_initialize
|
||||
my_mutex_on
|
||||
@ -3233,14 +3180,17 @@ case "$command" in
|
||||
[ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
|
||||
my_mutex_off
|
||||
;;
|
||||
|
||||
status)
|
||||
echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n"
|
||||
iptables -L -n -v
|
||||
;;
|
||||
|
||||
reset)
|
||||
iptables -L -n -Z -v
|
||||
report "Shorewall Counters Reset"
|
||||
;;
|
||||
|
||||
refresh)
|
||||
do_initialize
|
||||
my_mutex_on
|
||||
@ -3252,6 +3202,7 @@ case "$command" in
|
||||
refresh_firewall;
|
||||
my_mutex_off
|
||||
;;
|
||||
|
||||
clear)
|
||||
do_initialize
|
||||
my_mutex_on
|
||||
@ -3262,11 +3213,14 @@ case "$command" in
|
||||
echo "done."
|
||||
my_mutex_off
|
||||
;;
|
||||
|
||||
check)
|
||||
do_initialize
|
||||
check_config
|
||||
;;
|
||||
|
||||
*)
|
||||
usage
|
||||
;;
|
||||
|
||||
esac
|
||||
|
@ -3,11 +3,16 @@
|
||||
#
|
||||
# This file defines the default rules for accepting ICMP packets.
|
||||
#
|
||||
# Do not modify this file -- if you want to change these rules, copy this
|
||||
# file to /etc/shorewall/icmpdef and modify that file.
|
||||
# Do not modify this file -- if you wish to change these rules, create
|
||||
# /etc/shorewall/icmpdef to replace it. It is suggested that you include
|
||||
# the command "source /etc/shorewall/icmp.def" in your
|
||||
# /etc/shorewall/icmpdef file so that you will continue to get the
|
||||
# advantage of new releases of this file.
|
||||
#
|
||||
# In particular, if you want to accept 'ping' everywhere then add
|
||||
# For example, if you want to accept 'ping' everywhere then create
|
||||
# /etc/shorewall/icmpdef with the following two lines:
|
||||
#
|
||||
# source /etc/shorewall/icmp.def
|
||||
# run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT
|
||||
#
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
|
||||
|
@ -54,7 +54,7 @@
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.2.90
|
||||
VERSION=1.3.0
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -416,13 +416,11 @@ else
|
||||
echo -e "\nBlacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
|
||||
fi
|
||||
#
|
||||
# Install the whitelist file
|
||||
# Backup and remove the whitelist file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/whitelist ]; then
|
||||
backup_file /etc/shorewall/whitelist
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 whitelist ${PREFIX}/etc/shorewall/whitelist
|
||||
echo -e "\nWhitelist file installed as ${PREFIX}/etc/shorewall/whitelist"
|
||||
rm -f ${PREFIX}/etc/shorewall/whitelist
|
||||
fi
|
||||
#
|
||||
# Backup the version file
|
||||
|
@ -36,8 +36,18 @@
|
||||
#
|
||||
# dhcp - interface is managed by DHCP or used by
|
||||
# a DHCP server running on the firewall.
|
||||
# noping - icmp echo-request (ping) packets should
|
||||
# noping - icmp echo-request (ping) packets
|
||||
# addressed to the firewall should
|
||||
# be ignored on this interface
|
||||
# filterping - icmp echo-request (ping) packets
|
||||
# addressed to the firewall should
|
||||
# be controlled by the rules file and
|
||||
# applicable policy. If neither 'noping'
|
||||
# nor 'filterping' are specified then
|
||||
# the firewall will respond to 'ping'
|
||||
# requests. 'filterping' takes
|
||||
# precedence over 'noping' if both are
|
||||
# given.
|
||||
# routestopped - When the firewall is stopped, allow
|
||||
# and route traffic to and from this
|
||||
# interface.
|
||||
|
@ -14,7 +14,18 @@ WARNING: Compatibility has NOT been maintained with the parameterized
|
||||
latest samples before running Shorewall 1.3 (Beta or Release).
|
||||
|
||||
3. You may now exclude zone A from a DNAT or REDIRECT rule that applies
|
||||
to zone B where zone A is a subzone of sone B.
|
||||
to zone B where zone A is a subzone of sone B.
|
||||
|
||||
4. The whitelist capability has been deimplemented. With recent changes
|
||||
to the firewall structure and change 3. above, white lists are now
|
||||
best implemented using zones as shown at:
|
||||
|
||||
http://www.shorewall.net/whitelisting_under_shorewall.htm
|
||||
|
||||
5. A 'filterping' interface option has been added to allow the
|
||||
rules and policy files to control the handling of ICMP echo-request
|
||||
(ping) requests that are addressed to the firewall.
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -72,18 +72,20 @@
|
||||
showfirstchain() # $1 = name of chain
|
||||
{
|
||||
awk \
|
||||
'BEGIN {prnt=0;}; \
|
||||
'BEGIN {prnt=0; rslt=1; }; \
|
||||
/^$/ { next; };\
|
||||
/^Chain/ {if ( prnt == 1 ) exit; };\
|
||||
/^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\
|
||||
/Chain '$1'/ { prnt=1; }; \
|
||||
{ if (prnt == 1) print; }' /tmp/chains-$$
|
||||
{ if (prnt == 1) print; };\
|
||||
END { exit rslt; }' /tmp/chains-$$
|
||||
}
|
||||
|
||||
showchain() # $1 = name of chain
|
||||
{
|
||||
if [ "$firstchain" = "Yes" ]; then
|
||||
showfirstchain $1
|
||||
firstchain=
|
||||
if showfirstchain $1; then
|
||||
firstchain=
|
||||
fi
|
||||
else
|
||||
awk \
|
||||
'BEGIN {prnt=0;};\
|
||||
@ -146,6 +148,7 @@ display_chains()
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
firstchain=Yes
|
||||
echo -e "Input Chains\\n"
|
||||
|
||||
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
|
||||
@ -180,8 +183,8 @@ display_chains()
|
||||
echo -e "$banner `date`\\n"
|
||||
firstchain=Yes
|
||||
echo -e "Policy Chains\\n"
|
||||
showchain badpkt
|
||||
showchain common
|
||||
showchain badpkt
|
||||
showchain icmpdef
|
||||
showchain rfc1918
|
||||
showchain blacklst
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall
|
||||
%define version 1.2
|
||||
%define release 90
|
||||
%define version 1.3
|
||||
%define release 0
|
||||
%define prefix /usr
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
@ -70,7 +70,6 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/whitelist
|
||||
%attr(0544,root,root) /sbin/shorewall
|
||||
%attr(0444,root,root) /etc/shorewall/functions
|
||||
/etc/shorewall/firewall
|
||||
@ -78,7 +77,13 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Wed May 8 Tom Eastep <tom@shorewall.net>
|
||||
* Wed May 29 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.0
|
||||
* Mon May 20 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Removed whitelist file
|
||||
* Sat May 18 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed version to 91
|
||||
* Wed May 8 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed version to 90
|
||||
- removed 'provides' tag.
|
||||
* Tue Apr 23 2002 Tom Eastep <tom@shorewall.net>
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=1.2.90
|
||||
VERSION=1.3.0
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,18 +0,0 @@
|
||||
#
|
||||
# Shorewall 1.2 -- Whitelist File
|
||||
#
|
||||
# /etc/shorewall/whitelist
|
||||
#
|
||||
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
|
||||
# If a connection request fails to match any of the rules defined in
|
||||
# /etc/shorewall/rules then the connection source is compared against this
|
||||
# list; if a match is found, the connection request is accepted.
|
||||
#
|
||||
# MAC addresses must be prefixed with "~" and use "-" as a separator.
|
||||
#
|
||||
# Example: ~00-A0-C9-15-39-78
|
||||
###############################################################################
|
||||
#ADDRESS/SUBNET
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.2 /etc/shorewall/zones
|
||||
# Shorewall 1.3 /etc/shorewall/zones
|
||||
#
|
||||
# This file determines your network zones. Columns are:
|
||||
#
|
||||
|
Loading…
Reference in New Issue
Block a user