diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 7bb6b1934..62b45bdef 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -20,6 +20,10 @@ Changes since 1.2.13 its own input and forward chain. 8. Added logic to allow a subzone to be excluded from a DNAT or REDIRECT rule. + +9. Removed white list capability + +10. Added 'filterping' interface option. diff --git a/Shorewall/common.def b/Shorewall/common.def index e317d6239..dd25169a0 100644 --- a/Shorewall/common.def +++ b/Shorewall/common.def @@ -6,8 +6,11 @@ # the firewall will also define a DROP rule for each subnet broadcast # address defined in /etc/shorewall/interfaces (including "detect"). # -# Do not modify this file -- if you wish to change these rules, copy this -# file to /etc/shorewall/common and modify that file. +# Do not modify this file -- if you wish to change these rules, create +# /etc/shorewall/common to replace it. It is suggested that you include +# the command "source /etc/shorewall/common.def" in your +# /etc/shorewall/common file so that you will continue to get the +# advantage of new releases of this file. # run_iptables -A common -p icmp -j icmpdef ############################################################################ @@ -32,7 +35,7 @@ run_iptables -A common -p udp --dport 1900 -j DROP run_iptables -A common -d 255.255.255.255 -j DROP run_iptables -A common -d 224.0.0.0/4 -j DROP ############################################################################ -# AUTH -- Reject it so that connections don't get delayed. +# AUTH -- Silently reject it so that connections don't get delayed. # run_iptables -A common -p tcp --dport 113 -j reject diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh index 80c9b6d1a..b4754950b 100755 --- a/Shorewall/fallback.sh +++ b/Shorewall/fallback.sh 
@@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=1.2.90 +VERSION=1.3.0 usage() # $1 = exit status { diff --git a/Shorewall/firewall b/Shorewall/firewall index 7d5ddb694..0a2c341a7 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -55,6 +55,22 @@ RCDLINKS="2,S41 3,S41 6,K41" # description: Packet filtering firewall # +############################################################################### +# Search a list looking for a match -- returns zero if a match found # +# 1 otherwise # +############################################################################### +list_search() # $1 = element to search for , $2-$n = list +{ + local e=$1 + + while [ $# -gt 1 ]; do + shift + [ "x$e" = "x$1" ] && return 0 + done + + return 1 +} + ############################################################################### # Mutual exclusion -- These functions are jackets for the mutual exclusion # # routines in /etc/shorewall/functions. They invoke the # @@ -74,7 +90,7 @@ my_mutex_off() { ############################################################################### error_message() # $* = Error Message { - echo "$@" >&2 + echo " $@" >&2 } ############################################################################### @@ -82,7 +98,7 @@ error_message() # $* = Error Message ############################################################################### fatal_error() # $* = Error Message { - echo "$@" >&2 + echo " $@" >&2 stop_firewall exit 2 } @@ -93,7 +109,7 @@ fatal_error() # $* = Error Message ############################################################################### startup_error() # $* = Error Message { - echo "$@" >&2 + echo " $@" >&2 my_mutex_off [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR kill $$ @@ -312,7 +328,7 @@ chain_base() #$1 = interface { local c=${1%%+*} - echo ${c:=multi} + echo ${c:=common} } ################################################################################ 
@@ -405,7 +421,7 @@ determine_hosts() { eval display=\$${zone}_display display_list "$display Zone:" $hosts else - error_message " Warning: Zone $zone is empty" + error_message "Warning: Zone $zone is empty" fi done } @@ -415,11 +431,7 @@ determine_hosts() { ################################################################################ validate_zone() # $1 = zone { - local zone - for zone in $zones $FW; do - [ "$zone" = "$1" ] && return 0 - done - return 1 + list_search $1 $zones $FW } ################################################################################ @@ -431,18 +443,17 @@ validate_interfaces_file() { r="$z $interface $subnet $options" [ "x$z" = "x-" ] || validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" - for intr in $all_interfaces; do - [ "$intr" = "$interface" ] && startup_error "Duplicate Interface $intr" - done + list_search $intr $all_interfaces && \ + startup_error "Duplicate Interface $intr" all_interfaces="$all_interfaces $interface" for option in `separate_list $options`; do case $option in - dhcp|noping|routestopped|norfc1918|multi|routefilter|dropunclean|logunclean|blacklist|-) + dhcp|noping|filterping|routestopped|norfc1918|multi|routefilter|dropunclean|logunclean|blacklist|-) ;; *) - error_message " Warning: Invalid option ($option) in record \"$r\"" + error_message "Warning: Invalid option ($option) in record \"$r\"" ;; esac done @@ -466,7 +477,7 @@ validate_hosts_file() { routestopped|-) ;; *) - error_message " Warning: Invalid option ($option) in record \"$r\"" + error_message "Warning: Invalid option ($option) in record \"$r\"" ;; esac done @@ -561,14 +572,14 @@ validate_rule() { [ -n "$port" ] && dports="--icmp-type $port" state="" ;; - all|ALL) - proto= - ;; related|RELATED) proto= state="-m state --state RELATED" ;; *) + [ -n "$port" ] && [ "x${port}" != "x-" ] && \ + startup_error "Port number not allowed with protocol " \ + "\"$proto\"; rule: \"$rule\"" ;; esac 
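Review bot: The duplicate-interface check in validate_interfaces_file now searches for `$intr`, which was the loop variable of the removed `for` and is never assigned on the new side, so the needle is empty or stale; with an empty first argument list_search treats the first word of `$all_interfaces` as the element to look for, so a repeated interface name is no longer detected and the error text would print an empty name. The two lines should read `list_search $interface $all_interfaces && \` followed by `startup_error "Duplicate Interface $interface"`. validate_interfaces_file starts before this hunk and continues after it.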
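Review bot: Dropping the `all|ALL)` arm from validate_rule leaves `proto` set to `all` during validation, while process_rule later in this diff keeps its own `all|ALL)` arm and clears `proto=`; as a result the `-z "$proto" -a -z "$cli" ...` POLICY warning fires at start but not at check, and the port diagnostic differs between the two functions (`with protocol "all"` here versus `with "all"` in process_rule). Keeping the arm in validate_rule, with the same port guard the `*)` arm now has and a `proto=` line, would keep the check command's output aligned with what start reports. validate_rule's body continues outside this hunk.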
@@ -579,13 +590,19 @@ validate_rule() { target=reject ;; REDIRECT) + [ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\ + " specify a server IP; rule: \"$rule\"" servport=${servport:=$port} ;; + DNAT) + [ -n "$serv" ] || startup_error "Error: DNAT rules require a" \ + " server address; rule: \"$rule\"" + ;; esac if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then - error_message " Warning -- Rule \"$rule\" is a POLICY" - error_message " -- and should be moved to the policy file" + error_message "Warning -- Rule \"$rule\" is a POLICY" + error_message " -- and should be moved to the policy file" fi if [ -n "${serv}${servport}" ]; then @@ -598,18 +615,18 @@ validate_rule() { # if [ -z "$NAT_ENABLED" ]; then startup_error \ - " Error - Rule \"$rule\" requires NAT which is disabled" + "Error - Rule \"$rule\" requires NAT which is disabled" fi if [ "$target" != "ACCEPT" ]; then - startup_error " Error - Only ACCEPT rules may specify " \ + startup_error "Error - Only ACCEPT rules may specify " \ "port mapping; rule \"$rule\"" fi fi else [ -n "$addr" ] && startup_error \ - " Error: An ADDRESS ($addr) is only allowed in" \ - " a port mapping rule: \"$rule\"" + "Error: An ADDRESS ($addr) is only allowed in" \ + " a DNAT or REDIRECT rule: \"$rule\"" fi } ############################################################################ @@ -649,7 +666,7 @@ validate_rule() { ACCEPT|DROP|REJECT) ;; *) - startup_error " Error: Invalid target;" \ + startup_error "Error: Invalid target;" \ " rule: \"$rule\"" esac 
@@ -669,13 +686,13 @@ validate_rule() { clientzone="${clientzone%\!*}" [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ - startup_error " Error: Exclude list only allowed with DNAT or REDIRECT" + startup_error "Error: Exclude list only allowed with DNAT or REDIRECT" fi ############################################################################ # Validate the Source Zone if ! validate_zone $clientzone; then - startup_error " Error: Undefined Client Zone in rule \"$rule\"" + startup_error "Error: Undefined Client Zone in rule \"$rule\"" fi source=$clientzone @@ -703,7 +720,7 @@ validate_rule() { # Validate the destination zone # if ! validate_zone $serverzone; then - startup_error " Error: Undefined Server Zone in rule \"$rule\"" + startup_error "Error: Undefined Server Zone in rule \"$rule\"" fi dest=$serverzone @@ -760,7 +777,7 @@ validate_policy() ;; *) if ! validate_zone $client; then - startup_error " Error: Undefined zone $client" + startup_error "Error: Undefined zone $client" fi esac @@ -769,7 +786,7 @@ validate_policy() ;; *) if ! validate_zone $server; then - startup_error " Error: Undefined zone $server" + startup_error "Error: Undefined zone $server" fi esac @@ -777,7 +794,7 @@ validate_policy() ACCEPT|REJECT|DROP|CONTINUE) ;; *) - startup_error " Error: Invalid policy $policy" + startup_error "Error: Invalid policy $policy" ;; esac @@ -812,9 +829,8 @@ find_interfaces_by_option() # $1 = option { while read ignore interface subnet options; do expandv options - for option in `separate_list $options`; do - [ "$option" = "$1" ] && echo `expand $interface` && break 1 - done + list_search $1 `separate_list $options` && \ + echo `expand $interface` && break 1 done < $TMP_DIR/interfaces } 
@@ -825,17 +841,15 @@ find_hosts_by_option() # $1 = option { while read ignore hosts options; do expandv options - for option in `separate_list $options`; do - [ "$option" = "$1" ] && echo `expand $hosts` - done + list_search $1 `separate_list $options` && \ + echo `expand $hosts` done < $TMP_DIR/hosts while read ignore interface ignore1 options; do expandv options - for option in `separate_list $options`; do - [ "$option" = "$1" ] && \ - echo `expand $interface`:0.0.0.0/0 && break 1 - done + list_search $1 `separate_list $options` && \ + echo `expand $interface`:0.0.0.0/0 && \ + break 1 done < $TMP_DIR/interfaces } @@ -849,11 +863,9 @@ have_interfaces_in_zone_with_option() # $1 = zone, $2 = option local zne=$1 while read z interface broadcast options; do - [ "x`expand $z`" = "x$zne" ] && \ - expandv options && \ - for option in `separate_list $options`; do - [ "$option" = "$2" ] && return 0 - done + [ "x`expand $z`" = "x$zne" ] && expandv options && \ + list_search $1 `separate_list $options` && \ + return 0 done < $TMP_DIR/interfaces return 1 } @@ -1219,7 +1231,7 @@ setup_nat() { } ################################################################################ -# Delete existing Static NAT and Port Forwarding # +# Delete existing Static NAT # ################################################################################ delete_nat() { run_iptables -t nat -F @@ -1358,11 +1370,11 @@ process_rule() { if [ -z "$NAT_ENABLED" ]; then fatal_error \ - " Error - Rule \"$rule\" requires NAT which is disabled" + "Error - Rule \"$rule\" requires NAT which is disabled" fi if [ "$target" != "ACCEPT" ]; then - fatal_error " Error - Only ACCEPT rules may specify " \ + fatal_error "Error - Only DNAT and REDIRECT rules may specify " \ "port mapping; rule \"$rule\"" fi 
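Review bot: have_interfaces_in_zone_with_option now calls `list_search $1 ...`, but `$1` is the zone (the header says `$1 = zone, $2 = option`); the removed loop compared each option against `$2`, so the rewrite looks for the zone name in the interface's option list and will not find the option. The line should be `list_search $2 \`separate_list $options\` && \`. The function's body runs past the end of the hunk.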
@@ -1373,7 +1385,7 @@ process_rule() { snat="" fi - [ "$addr" = "all" ] && addr= || addr="-d $addr" + [ "$addr" = "all" ] && addr= || addr=${addr:+-d $addr} if [ -n "$serv" ]; then servport="${servport:+:$servport}" @@ -1489,6 +1501,9 @@ process_rule() { state="" ;; all|ALL) + [ -n "$port" ] && [ "x${port}" != "x-" ] && \ + fatal_error "Port number not allowed with \"all\";" \ + " rule: \"$rule\"" proto= ;; related|RELATED) @@ -1496,6 +1511,9 @@ process_rule() { state="-m state --state RELATED" ;; *) + [ -n "$port" ] && [ "x${port}" != "x-" ] && \ + fatal_error "Port number not allowed with protocol " \ + "\"$proto\"; rule: \"$rule\"" ;; esac @@ -1506,13 +1524,19 @@ process_rule() { target=reject ;; REDIRECT) + [ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\ + " specify a server IP; rule: \"$rule\"" servport=${servport:=$port} ;; + DNAT) + [ -n "$serv" ] || fatal_error "Error: DNAT rules require a" \ + " server address; rule: \"$rule\"" + ;; esac if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then - error_message " Warning -- Rule \"$rule\" is a POLICY" - error_message " -- and should be moved to the policy file" + error_message "Warning -- Rule \"$rule\" is a POLICY" + error_message " -- and should be moved to the policy file" fi if [ -n "${serv}${servport}" ]; then @@ -1521,7 +1545,7 @@ process_rule() { # if [ -n "$addr" -a "$addr" != "$serv" ]; then ############################################################## - # Must use Prerouting DNAT + # Must use Prerouting DNAT or REDIRECT # add_nat_rule fi @@ -1538,8 +1562,8 @@ process_rule() { # Destination is just a zone or an interface # [ -n "$addr" ] && fatal_error \ - " Error: An ADDRESS ($addr) is only allowed in" \ - " a port mapping rule: \"$rule\"" + "Error: An ADDRESS ($addr) is only allowed in" \ + " a DNAT or REDIRECT: \"$rule\"" [ -n "$loglevel" ] && run_iptables -A $chain $proto \ $dest_interface $state $cli $sports $dports -j LOG \ 
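Review bot: In process_rule the new `REDIRECT)` arm rejects a server address with `startup_error`, while the sibling `DNAT)` arm and the other checks added to this function use `fatal_error`. From the definitions earlier in this diff, startup_error drops the mutex, removes TMP_DIR and kills the shell without calling stop_firewall, whereas fatal_error stops the firewall before exiting, so a REDIRECT rule carrying a server would abort part-way through rule processing and leave whatever has been loaded so far in place. The line should be `[ -n "$serv" ] && fatal_error "Error: REDIRECT rules cannot"\`. process_rule's body extends beyond this hunk.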
@@ -1550,6 +1574,7 @@ process_rule() { $cli $sports $dports -j $target fi } + ############################################################################ # P r o c e s s _ R u l e S t a r t s H e r e ############################################################################ @@ -1602,14 +1627,14 @@ process_rule() { clientzone="${clientzone%\!*}" [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ - fatal_error " Error: Exclude list only allowed with DNAT or REDIRECT" + fatal_error "Error: Exclude list only allowed with DNAT or REDIRECT" fi ############################################################################ # Validate the Source Zone if ! validate_zone $clientzone; then - fatal_error " Error: Undefined Client Zone in rule \"$rule\"" + fatal_error "Error: Undefined Client Zone in rule \"$rule\"" fi source=$clientzone @@ -1637,7 +1662,7 @@ process_rule() { # Validate the destination zone # if ! validate_zone $serverzone; then - fatal_error " Error: Undefined Server Zone in rule \"$rule\"" + fatal_error "Error: Undefined Server Zone in rule \"$rule\"" fi dest=$serverzone @@ -2267,32 +2292,6 @@ process_blacklist_rec() { done } -############################################################################### -# Process a record from the whilelist file # -# # -# $subnet = address/subnet # -############################################################################### -process_whitelist_rec() { - local source - local addr - - for addr in `separate_list $subnet`; do - case $addr in - ~*) - addr=`echo $addr | sed 's/~//;s/-/:/g'` - source="--match mac --mac-source $addr" - ;; - *) - source="-s $addr" - ;; - esac - - run_iptables -A common $source -j ACCEPT - - echo " $addr added to White List" - done -} - ############################################################################### # Setup the Black List # ############################################################################### 
@@ -2326,25 +2325,6 @@ setup_blacklist() { fi } -############################################################################### -# Setup the White List # -############################################################################### -setup_whitelist() { - local f=`find_file whitelist` - - if [ -f $f ]; then - echo "Setting up Whitelisting..." - - strip_file whitelist $f - - while read subnet; do - expandv subnet - process_whitelist_rec - done < $TMP_DIR/whitelist - - fi -} - ############################################################################### # Refresh the Black List # ############################################################################### @@ -2369,25 +2349,6 @@ refresh_blacklist() { fi } -############################################################################### -# Refresh the White List # -############################################################################### -refresh_whitelist() { - local f=`find_file whitelist` - - if [ -f $f ]; then - echo "Refreshing White List..." - - strip_file whitelist $f - - while read subnet; do - expandv subnet - process_whitelist_rec - done < $TMP_DIR/whitelist - - fi -} - ############################################################################### # Verify that kernel has netfilter support # ############################################################################### @@ -2488,12 +2449,8 @@ initialize_netfilter () { echo "Creating input Chains..." for interface in $all_interfaces; do - chain=`forward_chain $interface` - - if ! havechain $chain; then - createchain $chain no - createchain `input_chain $interface` no - fi + createchain `forward_chain $interface` no + createchain `input_chain $interface` no done } @@ -2554,11 +2511,6 @@ add_common_rules() { echo " $interface" done fi - ############################################################################ - # White List - # - setup_whitelist - ############################################################################ # Common ICMP rules # 
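Review bot: initialize_netfilter now calls createchain for every entry in `$all_interfaces` unconditionally; the removed `havechain` guard covered two interface entries that map to the same chain name (chain_base strips everything from the first `+`, so `eth0` and `eth0+` would share a base), and in that case the second createchain presumably fails on an already-existing chain. If validate_interfaces_file still allows such pairs, the guard should stay: `chain=\`forward_chain $interface\`` then `havechain $chain || { createchain $chain no; createchain \`input_chain $interface\` no; }`. The loop sits inside initialize_netfilter, whose body starts before this hunk.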
@@ -2764,6 +2716,8 @@ apply_policy_rules() { ################################################################################ activate_rules() { + multi_interfaces=`find_interfaces_by_option multi` + for zone in $zones; do eval source_hosts=\$${zone}_hosts @@ -2792,34 +2746,25 @@ activate_rules() { interface=${host%:*} subnet=${host#*:} chain1=`forward_chain $interface` + list_search $interface $multi_interfaces && multi=yes || multi= for host1 in $dest_hosts; do interface1=${host1%:*} subnet1=${host1#*:} - - [ $interface = $interface1 -a "x$subnet" = "x$subnet1" ] ||\ + + if [ $interface != $interface1 -o \ + "x$subnet" != "x$subnet1" -o \ + -n "$multi" ]; then run_iptables -A $chain1 -s $subnet \ -o $interface1 -d $subnet1 -j $chain + fi done - + done done done - while read zone interface broadcast options; do - expandv zone - if [ "x$zone" != "x-" ]; then - expandv interface options - for option in `separate_list $options`; do - [ "$option" = "multi" ] && \ - run_iptables -A `forward_chain $interface` \ - -o $interface -j ${zone}2${zone} && \ - break 1 - done - fi - done < $TMP_DIR/interfaces - for interface in $all_interfaces; do run_iptables -A FORWARD -i $interface -j `forward_chain $interface` run_iptables -A INPUT -i $interface -j `input_chain $interface` @@ -2864,9 +2809,6 @@ define_firewall() # $1 = Command (Start or Restart) [ -f $tunnels ] && \ echo "Processing $tunnels..." && setup_tunnels $tunnels - chains="`run_iptables -L -n | grep ^Chain | cut -d' ' -f2`" - chains=`echo $chains` - rules=`find_file rules` echo "Processing $rules..." 
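Review bot: `multi_interfaces` and `multi` are assigned in activate_rules without `local`, so they persist as globals after the function returns, unlike the `local` declarations used elsewhere in this file (list_search, validate_zone before this change). A `local multi_interfaces multi` after `activate_rules() {` would scope the first hunk's assignment and the `multi=yes || multi=` line to the function. The new `[ $interface != $interface1 -o ... ]` test also leaves `$interface` and `$interface1` unquoted, so an empty value makes `[` report a syntax error rather than a mismatch; `"x$interface" != "x$interface1"` avoids that. activate_rules continues past the hunk.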
@@ -2882,13 +2824,20 @@ define_firewall() # $1 = Command (Start or Restart) echo "Setting up ICMP Echo handling..." + filterping_interfaces="`find_interfaces_by_option filterping`" noping_interfaces="`find_interfaces_by_option noping`" for interface in $all_interfaces; do - [ -n "`echo $noping_interfaces | grep $interface`" ] && \ - target=DROP || target=ACCEPT - run_iptables -A `input_chain $interface` \ - -p icmp --icmp-type echo-request -j $target + if ! list_search $interface $filterping_interfaces; then + if list_search $interface $noping_interfaces; then + target=DROP + else + target=ACCEPT + fi + + run_iptables -A `input_chain $interface` \ + -p icmp --icmp-type echo-request -j $target + fi done [ -z "$NAT_BEFORE_RULES" ] && setup_nat @@ -2911,7 +2860,6 @@ define_firewall() # $1 = Command (Start or Restart) [ -n "$TC_ENABLED" ] && setup_tc - echo "Activating Rules..." activate_rules @@ -2984,13 +2932,10 @@ refresh_firewall() determine_interfaces + run_user_exit refresh + run_iptables -F common - ############################################################################ - # White List - # - refresh_whitelist - echo "Adding Common Rules" ############################################################################ # Common rules in each chain @@ -3208,6 +3153,7 @@ case "$command" in echo "done." my_mutex_off ;; + start) do_initialize my_mutex_on @@ -3220,6 +3166,7 @@ case "$command" in define_firewall "Start" && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK my_mutex_off ;; + restart) do_initialize my_mutex_on @@ -3233,14 +3180,17 @@ case "$command" in [ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK my_mutex_off ;; + status) echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n" iptables -L -n -v ;; + reset) iptables -L -n -Z -v report "Shorewall Counters Reset" ;; + refresh) do_initialize my_mutex_on @@ -3252,6 +3202,7 @@ case "$command" in refresh_firewall; my_mutex_off ;; + clear) do_initialize my_mutex_on 
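Review bot: The filterping branch in define_firewall deserves a comment, because the interesting behaviour is the absence of a rule: an interface listed by `find_interfaces_by_option filterping` gets no echo-request entry in its input chain, so pings to the firewall on that interface fall through to whatever the rules file and the applicable policy decide, and that is what gives filterping precedence over noping. A comment above the `if ! list_search` such as `# filterping interfaces get no explicit echo-request rule; the rules file and policy decide` would make that intent visible where the code is. The new loop also replaces the old `echo ... | grep $interface` substring match with a whole-word search, which is a behaviour change worth a line in the changelog. define_firewall's body continues outside the hunk.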
@@ -3262,11 +3213,14 @@ case "$command" in echo "done." my_mutex_off ;; + check) do_initialize check_config ;; + *) usage ;; + esac diff --git a/Shorewall/icmp.def b/Shorewall/icmp.def index 109a4e8ea..629b724d9 100644 --- a/Shorewall/icmp.def +++ b/Shorewall/icmp.def @@ -3,11 +3,16 @@ # # This file defines the default rules for accepting ICMP packets. # -# Do not modify this file -- if you want to change these rules, copy this -# file to /etc/shorewall/icmpdef and modify that file. +# Do not modify this file -- if you wish to change these rules, create +# /etc/shorewall/icmpdef to replace it. It is suggested that you include +# the command "source /etc/shorewall/icmp.def" in your +# /etc/shorewall/icmpdef file so that you will continue to get the +# advantage of new releases of this file. # -# In particular, if you want to accept 'ping' everywhere then add +# For example, if you want to accept 'ping' everywhere then create +# /etc/shorewall/icmpdef with the following two lines: # +# source /etc/shorewall/icmp.def # run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT # run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 69301a135..b9038d6d2 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -54,7 +54,7 @@ # /etc/rc.d/rc.local file is modified to start the firewall. # -VERSION=1.2.90 +VERSION=1.3.0 usage() # $1 = exit status { @@ -416,13 +416,11 @@ else echo -e "\nBlacklist file installed as ${PREFIX}/etc/shorewall/blacklist" fi # -# Install the whitelist file +# Backup and remove the whitelist file # if [ -f ${PREFIX}/etc/shorewall/whitelist ]; then backup_file /etc/shorewall/whitelist -else - run_install -o $OWNER -g $GROUP -m 0600 whitelist ${PREFIX}/etc/shorewall/whitelist - echo -e "\nWhitelist file installed as ${PREFIX}/etc/shorewall/whitelist" + rm -f ${PREFIX}/etc/shorewall/whitelist fi # # Backup the version file 
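Review bot: In install.sh the new `rm -f ${PREFIX}/etc/shorewall/whitelist` runs whether or not the preceding `backup_file` succeeded, so a failed backup still deletes the user's only copy of the file; the backup is also taken of `/etc/shorewall/whitelist` while the test and the removal use `${PREFIX}/etc/shorewall/whitelist`, so under a non-empty PREFIX a different path is backed up than is removed. Chaining the two, `backup_file /etc/shorewall/whitelist && rm -f ${PREFIX}/etc/shorewall/whitelist`, keeps the removal conditional on the backup. The backup_file line is context here, so the PREFIX mismatch predates this commit.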
diff --git a/Shorewall/interfaces b/Shorewall/interfaces index 638db2d5f..555a8fd27 100644 --- a/Shorewall/interfaces +++ b/Shorewall/interfaces @@ -36,8 +36,18 @@ # # dhcp - interface is managed by DHCP or used by # a DHCP server running on the firewall. -# noping - icmp echo-request (ping) packets should +# noping - icmp echo-request (ping) packets +# addressed to the firewall should # be ignored on this interface +# filterping - icmp echo-request (ping) packets +# addressed to the firewall should +# be controlled by the rules file and +# applicable policy. If neither 'noping' +# nor 'filterping' are specified then +# the firewall will respond to 'ping' +# requests. 'filterping' takes +# precedence over 'noping' if both are +# given. # routestopped - When the firewall is stopped, allow # and route traffic to and from this # interface. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index b56aab60f..c2e45d818 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -14,7 +14,18 @@ WARNING: Compatibility has NOT been maintained with the parameterized latest samples before running Shorewall 1.3 (Beta or Release). 3. You may now exclude zone A from a DNAT or REDIRECT rule that applies - to zone B where zone A is a subzone of sone B. + to zone B where zone A is a subzone of sone B. + +4. The whitelist capability has been deimplemented. With recent changes + to the firewall structure and change 3. above, white lists are now + best implemented using zones as shown at: + + http://www.shorewall.net/whitelisting_under_shorewall.htm +5. A 'filterping' interface option has been added to allow the + rules and policy files to control the handling of ICMP echo-request + (ping) requests that are addressed to the firewall. + + diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 8571572d8..7472b3f93 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall 
@@ -72,18 +72,20 @@ showfirstchain() # $1 = name of chain { awk \ - 'BEGIN {prnt=0;}; \ + 'BEGIN {prnt=0; rslt=1; }; \ /^$/ { next; };\ - /^Chain/ {if ( prnt == 1 ) exit; };\ + /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\ /Chain '$1'/ { prnt=1; }; \ - { if (prnt == 1) print; }' /tmp/chains-$$ + { if (prnt == 1) print; };\ + END { exit rslt; }' /tmp/chains-$$ } showchain() # $1 = name of chain { if [ "$firstchain" = "Yes" ]; then - showfirstchain $1 - firstchain= + if showfirstchain $1; then + firstchain= + fi else awk \ 'BEGIN {prnt=0;};\ @@ -146,6 +148,7 @@ display_chains() clear echo -e "$banner `date`\\n" + firstchain=Yes echo -e "Input Chains\\n" chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2` @@ -180,8 +183,8 @@ display_chains() echo -e "$banner `date`\\n" firstchain=Yes echo -e "Policy Chains\\n" - showchain badpkt showchain common + showchain badpkt showchain icmpdef showchain rfc1918 showchain blacklst diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index f21da0923..17ff89435 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,6 +1,6 @@ %define name shorewall -%define version 1.2 -%define release 90 +%define version 1.3 +%define release 0 %define prefix /usr Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -70,7 +70,6 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s %attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels %attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts %attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist -%attr(0600,root,root) %config(noreplace) /etc/shorewall/whitelist %attr(0544,root,root) /sbin/shorewall %attr(0444,root,root) /etc/shorewall/functions /etc/shorewall/firewall 
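Review bot: In showfirstchain the awk program only sets `rslt=0` when a second `Chain` header follows the one that matched, so a chain that is the last one in /tmp/chains-$$ is printed but the function still exits 1, and showchain then leaves `firstchain` set and takes the showfirstchain path again for the next chain it is asked to display. Setting the result where the match is found, `/Chain '$1'/ { prnt=1; rslt=0; }; \`, makes the exit status mean "chain found" regardless of the chain's position in the file. The `'$1'` interpolated into the awk pattern is unchanged by this commit.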
@@ -78,7 +77,13 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog -* Wed May 8 Tom Eastep +* Wed May 29 2002 Tom Eastep +- Changed version to 1.3.0 +* Mon May 20 2002 Tom Eastep +- Removed whitelist file +* Sat May 18 2002 Tom Eastep +- changed version to 91 +* Wed May 8 2002 Tom Eastep - changed version to 90 - removed 'provides' tag. * Tue Apr 23 2002 Tom Eastep diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index 0ebae124a..7f66db8e0 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=1.2.90 +VERSION=1.3.0 usage() # $1 = exit status { diff --git a/Shorewall/whitelist b/Shorewall/whitelist deleted file mode 100644 index cce680b17..000000000 --- a/Shorewall/whitelist +++ /dev/null @@ -1,18 +0,0 @@ -# -# Shorewall 1.2 -- Whitelist File -# -# /etc/shorewall/whitelist -# -# This file contains a list of IP addresses, MAC addresses and/or subnetworks. -# If a connection request fails to match any of the rules defined in -# /etc/shorewall/rules then the connection source is compared against this -# list; if a match is found, the connection request is accepted. -# -# MAC addresses must be prefixed with "~" and use "-" as a separator. -# -# Example: ~00-A0-C9-15-39-78 -############################################################################### -#ADDRESS/SUBNET -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - - diff --git a/Shorewall/zones b/Shorewall/zones index 5e3dca11b..6d5add70c 100644 --- a/Shorewall/zones +++ b/Shorewall/zones @@ -1,5 +1,5 @@ # -# Shorewall 1.2 /etc/shorewall/zones +# Shorewall 1.3 /etc/shorewall/zones # # This file determines your network zones. Columns are: #