diff --git a/LrpN/sbin/shorewall b/LrpN/sbin/shorewall index 35b17ebd3..ebebb2fd7 100755 --- a/LrpN/sbin/shorewall +++ b/LrpN/sbin/shorewall @@ -609,7 +609,7 @@ usage() # $1 = exit status echo " restart [ ]" echo " restore [ ]" echo " save [ ]" - echo " show [ [ ... ]|classifiers|connections|log|nat|tc|tos]" + echo " show [ [ ... ]|classifiers|connections|log|nat|tc|tos|zones]" echo " start [ ]" echo " stop" echo " status" @@ -913,6 +913,24 @@ case "$1" in echo show_classifiers ;; + zones) + [ $# -gt 2 ] && usage 1 + [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall + if [ -f $STATEDIR/zones ]; then + echo "Shorewall-$version Zones at $HOSTNAME - $(date)" + echo + while read zone hosts; do + echo $zone + for host in $hosts; do + echo " $host" + done + done < $STATEDIR/zones + echo + else + echo " ERROR: $STATEDIR/zones does not exist" >&2 + exit 1 + fi + ;; *) shift @@ -964,6 +982,10 @@ case "$1" in echo "IP Configuration" echo ip addr ls + echo + echo "IP Stats" + echo + ip -stat link ls if qt which brctl; then echo @@ -1143,7 +1165,9 @@ case "$1" in cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$ if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then echo __EOF__ >> /var/lib/shorewall/restore-$$ - mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH + [ -f /var/lib/shorewall/restore-tail ] && \ + cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$ + mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH chmod +x $RESTOREPATH echo " Currently-running Configuration Saved to $RESTOREPATH" else diff --git a/LrpN/usr/share/shorewall/firewall b/LrpN/usr/share/shorewall/firewall index 6aadddbdc..e60a51520 100755 --- a/LrpN/usr/share/shorewall/firewall +++ b/LrpN/usr/share/shorewall/firewall 
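Review bot: The new `restore-tail` append in the save branch is not error-checked: `[ -f .../restore-tail ] && cat .../restore-tail >> .../restore-$$` is followed by an unconditional `mv -f` and `chmod +x`, so a `cat` that fails part-way (unreadable tail, disk full) still installs a truncated script at `$RESTOREPATH`, which `shorewall restore` later executes as root. Fold the append into the success test, e.g. `if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ && { [ ! -f /var/lib/shorewall/restore-tail ] || cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$; }; then`, so a failure reaches the existing `else` branch and the partial `restore-$$` is not promoted. The `restore-$$` name is predictable; that is presumably acceptable because `/var/lib/shorewall` is root-owned, but worth a comment. The enclosing case arm and its `else` branch continue outside the hunk.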
@@ -181,6 +181,17 @@ run_iptables2() { } +# +# Quietly run iptables +# +qt_iptables() { + + [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev + [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange + + qt $IPTABLES $@ +} + # # Run ip and if an error occurs, stop the firewall and quit # @@ -1756,9 +1767,14 @@ setup_ipsec() { set_mss1() # $1 = chain, $2 = MSS { eval local policy=\$${1}_policy - if [ "$policy" != NONE -a "$COMMAND" != add ]; then - ensurechain $1 - run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2 + + if [ "$policy" != NONE ]; then + case $COMMAND in + start|restart) + ensurechain $1 + run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2 + ;; + esac fi } # @@ -2066,8 +2082,9 @@ setup_mac_lists() { setup_syn_flood_chain () # $1 = policy chain # $2 = synparams + # $3 = loglevel { - local chain=$1 + local chain=@$1 local limit=$2 local limit_burst= @@ -2078,9 +2095,11 @@ setup_syn_flood_chain () ;; esac - run_iptables -N @$chain - run_iptables -A @$chain -m limit --limit $limit $limit_burst -j RETURN - run_iptables -A @$chain -j DROP + run_iptables -N $chain + run_iptables -A $chain -m limit --limit $limit $limit_burst -j RETURN + [ -n "$3" ] && \ + log_rule_limit $3 $chain $chain DROP "-m limit --limit 5/min --limit-burst 5" "" "" + run_iptables -A $chain -j DROP } # 
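Review bot: The header comment `# Quietly run iptables` does not mention the side effect that distinguishes `qt_iptables` from plain `qt $IPTABLES`: it deletes `$TMP_DIR/physdev` and `$TMP_DIR/iprange` before every call, and nothing in the hunk says what those marker files mean or why a quiet call must clear them. Add a why-comment such as `# Also drop the physdev/iprange marker files that match_source_hosts/match_dest_hosts leave in $TMP_DIR so stale state from an earlier call is not reused` (confirm against the helpers that create them, which are outside this hunk). The `[ -f $file ] && rm -f $file` guards are redundant with `rm -f`; `rm -f $TMP_DIR/physdev` alone is equivalent and shorter. The same two lines are repeated verbatim in `do_iptables` later in this patch, so a shared one-line helper would avoid the duplication.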
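Review bot: The new logging rule in `setup_syn_flood_chain` hard-codes `-m limit --limit 5/min --limit-burst 5` with no comment, while the drop threshold right above it comes from the caller's `$limit`/`$limit_burst`; a reader cannot tell whether the log rate is deliberately independent of the SYN rate. Add `# Log at most 5/min so a SYN flood cannot also flood the log; this rate is intentionally separate from the policy's synparams` above the `log_rule_limit` call, or lift the rate into a named variable next to `limit_burst`. `$chain` is passed twice to `log_rule_limit`; presumably one is the chain to append to and the other the name shown in the log prefix, and the updated header comment (`# $3 = loglevel`) should say that the log rule is only emitted when a loglevel is given.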
@@ -5465,21 +5484,20 @@ determine_capabilities() { PHYSDEV_MATCH= IPRANGE_MATCH= - if qt $IPTABLES -N fooX1234 ; then - qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes - qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes - qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes - qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes - qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes + qt $IPTABLES -N fooX1234 + qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes + qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes + qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes + qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes + qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes - if [ -n "$PKTTYPE" ]; then - qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE= - fi - - qt $IPTABLES -F fooX1234 - qt $IPTABLES -X fooX1234 + if [ -n "$PKTTYPE" ]; then + qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE= fi + + qt $IPTABLES -F fooX1234 + qt $IPTABLES -X fooX1234 } report_capability() # $1 = Capability Name, $2 Capability Setting (if any) @@ -6106,7 +6124,7 @@ add_common_rules() { run_iptables -A $(input_chain $interface) -j $chain run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface) - run_iptables -A OUTPUT -j $(dynamic_out $interface) + run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface) done fi 
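Review bot: Dropping the `if qt $IPTABLES -N fooX1234; then` guard changes the failure semantics without saying so: a leftover `fooX1234` from an interrupted earlier run presumably no longer disables every capability probe (which looks like the motivation), but when `-N` fails because iptables itself is unusable the probes still fail silently and every capability is reported absent, which the caller cannot distinguish from a kernel that genuinely lacks them. Record the intent with `# Do not guard on -N: a stale fooX1234 left by an interrupted run must not suppress detection; the chain is flushed and deleted below`. If a stale chain was referenced by a jump elsewhere, the final `-X` fails silently too; a `qt $IPTABLES -F fooX1234` before the probes would at least clear stale rules before they are counted. The function's beginning is outside the hunk.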
@@ -6126,7 +6144,7 @@ apply_policy_rules() { eval loglevel=\$${chain}_loglevel eval synparams=\$${chain}_synparams - [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams + [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel if havechain $chain; then [ -n "$synparams" ] && \ @@ -6280,8 +6298,9 @@ activate_rules() [ -n "$complex" ] && frwd_chain=${zone}_frwd + echo $zone $source_hosts >> ${STATEDIR}/zones + if [ -n "$DYNAMIC_ZONES" ]; then - echo $zone $source_hosts >> ${STATEDIR}/zones echo "$FW $zone $chain1" >> ${STATEDIR}/chains echo "$zone $FW $chain2" >> ${STATEDIR}/chains fi @@ -6541,9 +6560,28 @@ define_firewall() # $1 = Command (Start or Restart) [ -n "$aliases_to_add" ] && \ echo "Adding IP Addresses..." && add_ip_aliases + for file in chains nat proxyarp zones; do + append_file $file + done + + save_progress_message "Restoring Netfilter Configuration..." + + save_command 'iptables-restore << __EOF__' + + # 'shorewall save' appends the iptables-save output and '__EOF__' + + mv -f $RESTOREBASE /var/lib/shorewall/restore-base-$$ + + > $RESTOREBASE + + save_command "#" + save_command "# Restore tail file generated by Shorewall $version - $(date)" + save_command "#" + save_command "date > $STATEDIR/restarted" + run_user_exit start - [ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist + [ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist createchain shorewall no @@ -6553,19 +6591,8 @@ define_firewall() # $1 = Command (Start or Restart) rm -rf $TMP_DIR - for file in chains nat proxyarp zones; do - append_file $file - done - - save_command "date > $STATEDIR/restarted" - - save_progress_message "Restoring Netfilter Configuration..." - - save_command 'iptables-restore << __EOF__' - - # 'shorewall save' appends the iptables-save output and '__EOF__' - - mv -f $RESTOREBASE /var/lib/shorewall/restore-base + mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base + mv -f $RESTOREBASE /var/lib/shorewall/restore-tail } 
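Review bot: In the new `define_firewall` sequence, `$RESTOREBASE` is moved to `/var/lib/shorewall/restore-base-$$` and emptied before `run_user_exit start` and the remaining rule generation, and only the second hunk moves it back to `restore-base` and renames `$RESTOREBASE` to `restore-tail`; if anything in between aborts via `startup_error`, `restore-base` is gone, a stray `restore-base-$$` is orphaned, and the next `shorewall save` (which `cp -f`'s `restore-base`) fails. Either defer the `mv` until both files are complete, or register the cleanup on the error path, e.g. `trap 'rm -f /var/lib/shorewall/restore-base-$$' EXIT` if the file's error handling supports it (the start of `define_firewall` and `startup_error` are outside the hunk). The comment `# 'shorewall save' appends the iptables-save output and '__EOF__'` is now only half the story; extend it with `and then appends restore-tail`. The `$$` suffix is predictable, which is presumably acceptable in a root-only directory.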
@@ -6622,6 +6649,9 @@ add_to_zone() # $1 = [:] $2 = zone do_iptables() # $@ = command { + [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev + [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange + if ! $IPTABLES $@ ; then startup_error "Can't add $1 to zone $2" fi @@ -6630,7 +6660,7 @@ add_to_zone() # $1 = [:] $2 = zone # # Isolate interface and host parts # - interface=${1%:*} + interface=${1%%:*} host=${1#*:} [ -z "$host" ] && host="0.0.0.0/0" @@ -6735,7 +6765,7 @@ add_to_zone() # $1 = [:] $2 = zone while read z1 z2 chain; do if [ "$z1" = "$zone" ]; then if [ "$z2" = "$FW" ]; then - do_iptables -A $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain + do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j $chain else source_chain=$(dynamic_fwd $interface) eval dest_hosts=\"\$${z2}_hosts\" @@ -6745,7 +6775,7 @@ add_to_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -A $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain + do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain fi done fi @@ -6754,7 +6784,7 @@ add_to_zone() # $1 = [:] $2 = zone # # Add a rule to the dynamic out chain for the interface # - do_iptables -A $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain + do_iptables -A $(dynamic_out $interface) $(match_dest_hosts $host) $policyout -j $chain else eval source_hosts=\"\$${z1}_hosts\" 
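Review bot: The error message in `do_iptables`, `startup_error "Can't add $1 to zone $2"`, is a context line but is still wrong on the new side: inside the nested function `$1` and `$2` are `do_iptables`'s own arguments (`-A` and the chain name), not `add_to_zone`'s interface and zone, so a failure reports something like "Can't add -A to zone dynamic_eth0". Capture the outer values before defining the helper, e.g. `local addr=$1 zone=$2` in `add_to_zone`, and use them in the message, `startup_error "Can't add $addr to zone $zone"` (hedged: confirm no other variable already holds them, as `add_to_zone` begins outside the hunk). The two marker-file `rm -f` lines added here duplicate the ones in the new `qt_iptables`; a shared helper would keep them in sync.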
@@ -6763,7 +6793,7 @@ add_to_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain + do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $policyout -j $chain fi done fi @@ -6809,7 +6839,7 @@ delete_from_zone() # $1 = [:] $2 = zone # # Isolate interface and host parts # - interface=${1%:*} + interface=${1%%:*} host=${1#*:} [ -z "$host" ] && host="0.0.0.0/0" @@ -6878,14 +6908,14 @@ delete_from_zone() # $1 = [:] $2 = zone # # Delete any nat table entries for the host(s) # - qt $IPTABLES -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat + qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j ${zone}_dnat # # Delete rules rules the input chains for the passed interface # while read z1 z2 chain; do if [ "$z1" = "$zone" ]; then if [ "$z2" = "$FW" ]; then - qt $IPTABLES -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain + qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j $chain else source_chain=$(dynamic_fwd $interface) eval dest_hosts=\"\$${z2}_hosts\" @@ -6895,13 +6925,13 @@ delete_from_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt $IPTABLES -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain + qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain fi done fi elif [ "$z2" = "$zone" ]; then if [ "$z1" = "$FW" ]; then - qt $IPTABLES -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain + qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $policyout -j $chain else eval source_hosts=\"\$${z1}_hosts\" 
@@ -6910,7 +6940,7 @@ delete_from_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt $IPTABLES -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain + qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $policyout -j $chain fi done fi diff --git a/LrpN/usr/share/shorewall/functions b/LrpN/usr/share/shorewall/functions index 0686362c6..80c5ef2d5 100644 --- a/LrpN/usr/share/shorewall/functions +++ b/LrpN/usr/share/shorewall/functions @@ -1,6 +1,6 @@ #!/bin/sh # -# Shorewall 2.1 -- /usr/share/shorewall/functions +# Shorewall 2.2 -- /usr/share/shorewall/functions # Function to truncate a string -- It uses 'cut -b -' # rather than ${v:first:last} because light-weight shells like ash and @@ -73,9 +73,9 @@ qt() # # Perform variable substitution on the passed argument and echo the result # -expand() # $1 = contents of variable which may be the name of another variable +expand() # $@ = contents of variable which may be the name of another variable { - eval echo \"$1\" + eval echo \"$@\" } # @@ -459,7 +459,7 @@ read_file() # $1 = file name, $2 = nest count while read first rest; do if [ "x$first" = "xINCLUDE" ]; then if [ $2 -lt 4 ]; then - read_file $(find_file ${rest%#*}) $(($2 + 1)) + read_file $(find_file $(expand ${rest%#*})) $(($2 + 1)) else echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2 fi @@ -477,7 +477,7 @@ read_file() # $1 = file name, $2 = nest count # Function for including one file into another # INCLUDE() { - . $(find_file $@) + . $(find_file $(expand $@)) } # diff --git a/LrpN/usr/share/shorewall/help b/LrpN/usr/share/shorewall/help index c35657ec0..61551ab34 100755 --- a/LrpN/usr/share/shorewall/help +++ b/LrpN/usr/share/shorewall/help 
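Review bot: `expand()` is `eval echo \"$@\"`, and this commit now routes `INCLUDE` targets through it in both `read_file` and `INCLUDE()`, so the file name on an `INCLUDE` line is evaluated, not just variable-substituted; an entry such as `INCLUDE $(some command)` runs that command as root when the configuration is read. That is consistent with the rest of the configuration being trusted root-owned input, but the function comment should say so explicitly: `# NOTE: this is eval; callers must pass only text from trusted (root-owned) configuration files`. Also note that `"$@"` inside the eval collapses the arguments into one space-separated string, so `expand` with several arguments behaves like `expand "$*"`; if that is intended the comment `# $@ = contents of variable` should mention it.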
@@ -29,11 +29,11 @@ case $1 in add) - echo "add: add [:] + echo "add: add [:][:] Adds a host or subnet to a dynamic zone usually used with VPN's. shorewall add interface[:host] zone - Adds the specified interface - (and host if included) to the specified zone. + (and bridge port/host if included) to the specified zone. Example: @@ -95,11 +95,11 @@ debug) ;; delete) - echo "delete: delete [:] + echo "delete: delete [:][:] Deletes a host or subnet from a dynamic zone usually used with VPN's. - shorewall delete interface[:host] zone - Deletes the specified - interface (and host if included) from the specified zone. + shorewall delete interface[:port][:host] zone - Deletes the specified + interface (and bridge port/host if included) from the specified zone. Example: @@ -219,7 +219,7 @@ save) ;; show) - echo "show: show [ [ ...] |classifiers|connections|log|nat|tc|tos] + echo "show: show [ [ ...] |classifiers|connections|log|nat|tc|tos|zones] shorewall [-x] show [ ... ] - produce a verbose report about the IPtable chain(s). (iptables -L chain -n -v) @@ -238,6 +238,8 @@ show) shorewall show tc - displays information about the traffic control/shaping configuration. + shorewall show zones - displays the contents of all zones. + When -x is given, that option is also passed to iptables to display actual packet and byte counts." ;; diff --git a/LrpN/usr/share/shorewall/version b/LrpN/usr/share/shorewall/version index 889244276..9d7c5ddc1 100644 --- a/LrpN/usr/share/shorewall/version +++ b/LrpN/usr/share/shorewall/version @@ -1 +1 @@ -2.2.0-Beta6 +2.2.0-Beta7 diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml index 3245d84c0..dcce0b603 100644 --- a/Shorewall-docs2/FAQ.xml +++ b/Shorewall-docs2/FAQ.xml @@ -1635,7 +1635,7 @@ alias ipt_pkttype off url="http://www.cityofshoreline.com">the city where I live) and Firewall. The full name of the product is actually Shoreline Firewall but - Shorewall is must more commonly used. + Shorewall is much more commonly used.
@@ -1740,8 +1740,9 @@ alias ipt_pkttype off Netfilter/iptables doesn't fully support IPSEC in the 2.6 - Kernels -- there are interim instructions linked from the Shorewall IPSEC page. + Kernels -- kernel and iptables patches are available and the details + may be found at the Shorewall IPSEC-2.6 + page.