Changes for 1.3.10

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@321 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-11-09 18:24:03 +00:00
parent a6c7cf06ee
commit 5d60471420
11 changed files with 1283 additions and 575 deletions



@ -35,6 +35,12 @@
# route messages to and from this # route messages to and from this
# member when the firewall is in the # member when the firewall is in the
# stopped state # stopped state
# maclist - Connection requests from these hosts
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
# #
# #
#ZONE HOST(S) OPTIONS #ZONE HOST(S) OPTIONS


@ -16,7 +16,9 @@
# place "-" in this column. # place "-" in this column.
# #
# INTERFACE Name of interface. Each interface may be listed only # INTERFACE Name of interface. Each interface may be listed only
# once in this file. # once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
# #
# BROADCAST The broadcast address for the subnetwork to which the # BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this # interface belongs. For P-T-P interfaces, this
@ -81,6 +83,12 @@
# . . blacklist - Check packets arriving on this interface # . . blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist # against the /etc/shorewall/blacklist
# file. # file.
# maclist - Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
# proxyarp - # proxyarp -
# Sets # Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp. # /proc/sys/net/ipv4/conf/<interface>/proxy_arp.

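--- /dev/null
+++ b/Lrp/etc/shorewall/maclist
@@ -0,0 +1,18 @@
+#
+# Shorewall 1.3 - MAC list file
+#
+# /etc/shorewall/maclist
+#
+# Columns are:
+#
+# INTERFACE Network interface to a host
+#
+# MAC MAC address of the host -- you do not need to use
+# the Shorewall format for MAC addresses here
+#
+# IP ADDRESSES Optional -- if specified, both the MAC and IP address
+# must match. This column can contain a comma-separated
+# list of host and/or subnet addresses.
+##############################################################################
+#INTERFACE MAC IP ADDRESSES (Optional)
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE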
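Review bot: The header explains the three columns but not what a match actually establishes: a MAC address is configured by the client host itself, so an entry in this file limits which devices on the local segment are admitted and is not proof of a host's identity. Suggest adding after the IP ADDRESSES description: `# NOTE: MAC addresses are set by the client host; use this file to limit which` / `# devices may connect, not as authentication of the device.` The interfaces and hosts comments in this same commit require a 'maclist' interface to be an ethernet NIC that is up before Shorewall is started; repeating that requirement here would help, since this is the file an administrator edits.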


@ -8,6 +8,12 @@
# #
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
############################################################################## ##############################################################################
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
# #
# NAME OF THE FIREWALL ZONE # NAME OF THE FIREWALL ZONE
# #
@ -155,7 +161,8 @@ ADD_IP_ALIASES=Yes
# #
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses # If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each SNAT external address that you give in /etc/shorewall/masq. If you say # for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases youself. # "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
# you are sure that you need it -- most people don't!!!
# #
ADD_SNAT_ALIASES=No ADD_SNAT_ALIASES=No
@ -377,4 +384,25 @@ FORWARDPING=Yes
NEWNOTSYN=No NEWNOTSYN=No
#
# MAC List Disposition
#
# This variable determines the disposition of connection requests arriving
# on interfaces that have the 'maclist' option and that are from a device
# that is not listed for that interface in /etc/shorewall/maclist. Valid
# values are ACCEPT, DROP and REJECT. If not specified or specified as
# empty (MACLIST_DISPOSITION="") then REJECT is assumed
MACLIST_DISPOSITION=REJECT
#
# MAC List Log Level
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
MACLIST_LOG_LEVEL=info
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE
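Review bot: The new `PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin` assignment is read by a script that runs as root, and the comment above it only says that it controls search order. It should also tell the administrator that every directory listed must be owned by root and not writable by other users, since anything found there is executed with the firewall's privileges; suggest adding `# Only list directories that are owned by root and not writable by other users.` after the search-order sentence. The MACLIST_DISPOSITION comment names ACCEPT, DROP and REJECT as the valid values, but this section does not show where the value is validated (the firewall script's diff is suppressed on this page), so the comment presumably describes the intent rather than an enforced check.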


@ -9,7 +9,8 @@
# #
# The columns are: # The columns are:
# #
# TYPE -- must start in column 1 and be "ipsec", "ip" or "gre" # TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
# "gre","pptpclient" or "pptpserver"
# #
# ZONE -- The zone of the physical interface through which # ZONE -- The zone of the physical interface through which
# tunnel traffic passes. This is normally your internet # tunnel traffic passes. This is normally your internet
@ -19,10 +20,10 @@
# remote getway has no fixed address (Road Warrior) # remote getway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0. # then specify the gateway as 0.0.0.0/0.
# #
# GATEWAY ZONE-- Optional. If the gateway system specified in the third # GATEWAY ZONES -- Optional. If the gateway system specified in the third
# column is a standalone host then this column should # column is a standalone host then this column should
# contain the name of the zone that the host is in. This # contain a comma-separated list of the names of the zones that
# column only applies to IPSEC tunnels. # the host might be in. This column only applies to IPSEC tunnels.
# #
# Example 1: # Example 1:
# #
@ -47,5 +48,28 @@
# #
# ipsec net 4.33.99.124 gw # ipsec net 4.33.99.124 gw
# #
# TYPE ZONE GATEWAY GATEWAY ZONE # Example 4:
#
# Road Warriors that may belong to zones vpn1, vpn2 or
# vpn3. The FreeS/Wan _updown script will add the
# host to the appropriate zone using the "shorewall add"
# command on connect and will remove the host from the
# zone at disconnect time.
#
# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3
#
# Example 5:
#
# You run the Linux PPTP client on your firewall and
# connect to server 192.0.2.221.
#
# pptpclient net 192.0.2.221
#
# Example 6:
#
# You run a PPTP server on your firewall.
#
# pptpserver net
#
# TYPE ZONE GATEWAY GATEWAY ZONE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -32,6 +32,8 @@
# #
# Commands are: # Commands are:
# #
# shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone
# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
# shorewall start Starts the firewall # shorewall start Starts the firewall
# shorewall restart Restarts the firewall # shorewall restart Restarts the firewall
# shorewall stop Stops the firewall # shorewall stop Stops the firewall
@ -108,11 +110,10 @@ showchain() # $1 = name of chain
fi fi
} }
################################################################################# #
# Set the configuration variables from shorewall.conf # # Set the configuration variables from shorewall.conf
################################################################################# #
get_config() { get_config() {
get_statedir
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
@ -133,10 +134,10 @@ get_config() {
[ -n "$FW" ] || FW=fw [ -n "$FW" ] || FW=fw
} }
################################################################################# #
# Display IPTABLES rules -- we used to store them in a variable but ash # # Display IPTABLES rules -- we used to store them in a variable but ash
# dies when trying to display large sets of rules # # dies when trying to display large sets of rules
################################################################################# #
display_chains() display_chains()
{ {
trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9 trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
@ -226,10 +227,10 @@ display_chains()
} }
################################################################################# #
# Delay $timeout seconds -- if we're running on a recent bash2 then allow # # Delay $timeout seconds -- if we're running on a recent bash2 then allow
# <enter> to terminate the delay # # <enter> to terminate the delay
################################################################################# #
timed_read () timed_read ()
{ {
read -t $timeout foo 2> /dev/null read -t $timeout foo 2> /dev/null
@ -237,9 +238,9 @@ timed_read ()
test $? -eq 2 && sleep $timeout test $? -eq 2 && sleep $timeout
} }
################################################################################# #
# Display the last $1 packets logged # # Display the last $1 packets logged
################################################################################# #
packet_log() # $1 = number of messages packet_log() # $1 = number of messages
{ {
local options local options
@ -253,9 +254,9 @@ packet_log() # $1 = number of messages
tail $options tail $options
} }
################################################################################# #
# Show traffic control information # # Show traffic control information
################################################################################# #
show_tc() { show_tc() {
show_one_tc() { show_one_tc() {
@ -283,9 +284,9 @@ show_tc() {
} }
################################################################################# #
# Monitor the Firewall # # Monitor the Firewall
################################################################################# #
monitor_firewall() # $1 = timeout -- if negative, prompt each time that monitor_firewall() # $1 = timeout -- if negative, prompt each time that
# an 'interesting' packet count changes # an 'interesting' packet count changes
{ {
@ -359,9 +360,9 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
done done
} }
################################################################################# #
# Watch the Firewall Log # # Watch the Firewall Log
################################################################################# #
logwatch() # $1 = timeout -- if negative, prompt each time that logwatch() # $1 = timeout -- if negative, prompt each time that
# an 'interesting' packet count changes # an 'interesting' packet count changes
{ {
@ -409,13 +410,15 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
done done
} }
################################################################################# #
# Give Usage Information # # Give Usage Information
################################################################################# #
usage() # $1 = exit status usage() # $1 = exit status
{ {
echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>" echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>"
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>"
echo " delete <interface>[:<host>] <zone>"
echo " show [<chain>|connections|log|nat|tc|tos]" echo " show [<chain>|connections|log|nat|tc|tos]"
echo " start" echo " start"
echo " stop" echo " stop"
@ -437,17 +440,17 @@ usage() # $1 = exit status
exit $1 exit $1
} }
################################################################################# #
# Display the time that the counters were last reset # # Display the time that the counters were last reset
################################################################################# #
show_reset() { show_reset() {
[ -f $STATEDIR/restarted ] && \ [ -f $STATEDIR/restarted ] && \
echo -e "Counters reset `cat $STATEDIR/restarted`\\n" echo -e "Counters reset `cat $STATEDIR/restarted`\\n"
} }
################################################################################# #
# Execution begins here # # Execution begins here
################################################################################# #
debugging= debugging=
if [ $# -gt 0 ] && [ "$1" = "debug" ]; then if [ $# -gt 0 ] && [ "$1" = "debug" ]; then
@ -532,11 +535,17 @@ fi
banner="Shorewall-$version Status at $HOSTNAME -" banner="Shorewall-$version Status at $HOSTNAME -"
get_statedir
case "$1" in case "$1" in
start|stop|restart|reset|clear|refresh|check) start|stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
exec $firewall $debugging $nolock $1 exec $firewall $debugging $nolock $1
;; ;;
add|delete)
[ $# -ne 3 ] && usage 1
exec $firewall $debugging $nolock $1 $2 $3
;;
show) show)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
case "$2" in case "$2" in
@ -550,7 +559,6 @@ case "$1" in
iptables -t nat -L -n -v iptables -t nat -L -n -v
;; ;;
tos|mangle) tos|mangle)
get_config
echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n"
show_reset show_reset
iptables -t mangle -L -n -v iptables -t mangle -L -n -v
@ -567,7 +575,6 @@ case "$1" in
show_tc show_tc
;; ;;
*) *)
get_config
echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n"
show_reset show_reset
iptables -L $2 -n -v iptables -L $2 -n -v
@ -710,6 +717,8 @@ case "$1" in
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
mutex_on mutex_on
if qt iptables -L shorewall -n; then if qt iptables -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
if iptables -L dynamic -n > /var/lib/shorewall/save; then if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo "Dynamic Rules Saved" echo "Dynamic Rules Saved"
else else
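Review bot: The added `[ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall` creates the directory with whatever mode the caller's umask allows, so the dynamic rule set written to `/var/lib/shorewall/save` on the next line may end up readable by every local user; `mkdir -m 700 /var/lib/shorewall` (POSIX mkdir) pins the mode, and if mkdir fails the following redirect fails and the existing else branch already reports it. In the new `add|delete` case, `exec $firewall $debugging $nolock $1 $2 $3` passes the interface and zone unquoted, which matches the script's existing style but lets a malformed argument split into extra words; `exec $firewall $debugging $nolock "$1" "$2" "$3"` keeps the three operands intact. The enclosing case statement starts and ends outside these hunks.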


@ -80,17 +80,17 @@ determine_zones()
} }
############################################################################### #
# The following functions may be used by apps that wish to ensure that # The following functions may be used by apps that wish to ensure that
# the state of Shorewall isn't changing # the state of Shorewall isn't changing
#------------------------------------------------------------------------------ #
# This function loads the STATEDIR variable (directory where Shorewall is to # This function loads the STATEDIR variable (directory where Shorewall is to
# store state files). If your application supports alternate Shorewall # store state files). If your application supports alternate Shorewall
# configurations then the name of the alternate configuration directory should # configurations then the name of the alternate configuration directory should
# be in $SHOREWALL_DIR at the time of the call. # be in $SHOREWALL_DIR at the time of the call.
# #
# If the shorewall.conf file does not exist, this function does not return # If the shorewall.conf file does not exist, this function does not return
############################################################################### #
get_statedir() get_statedir()
{ {
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
@ -107,7 +107,7 @@ get_statedir()
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
} }
############################################################################### #
# Call this function to assert MUTEX with Shorewall. If you invoke the # Call this function to assert MUTEX with Shorewall. If you invoke the
# /sbin/shorewall program while holding MUTEX, you should pass "nolock" as # /sbin/shorewall program while holding MUTEX, you should pass "nolock" as
# the first argument. Example "shorewall nolock refresh" # the first argument. Example "shorewall nolock refresh"
@ -115,7 +115,7 @@ get_statedir()
# This function uses the lockfile utility from procmail if it exists. # This function uses the lockfile utility from procmail if it exists.
# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the # Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
# behavior of lockfile. # behavior of lockfile.
############################################################################### #
mutex_on() mutex_on()
{ {
local try=0 local try=0
@ -145,18 +145,18 @@ mutex_on()
fi fi
} }
############################################################################### #
# Call this function to release MUTEX # Call this function to release MUTEX
############################################################################### #
mutex_off() mutex_off()
{ {
rm -f $STATEDIR/lock rm -f $STATEDIR/lock
} }
############################################################################### #
# Strip comments and blank lines from a file and place the result in the # # Strip comments and blank lines from a file and place the result in the
# temporary directory # # temporary directory
############################################################################### #
strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional) strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
{ {
local fname local fname


@ -4,6 +4,7 @@
/etc/shorewall/hosts Hosts Define specific zones /etc/shorewall/hosts Hosts Define specific zones
/etc/shorewall/policy Policy Firewall high-level policy /etc/shorewall/policy Policy Firewall high-level policy
/etc/shorewall/rules Rules Exceptions to policy /etc/shorewall/rules Rules Exceptions to policy
/etc/shorewall/maclist Maclist MAC Verification
/etc/shorewall/masq Masq Internal MASQ Server Configuration /etc/shorewall/masq Masq Internal MASQ Server Configuration
/etc/shorewall/proxyarp ProxyArp Proxy ARP Configuration /etc/shorewall/proxyarp ProxyArp Proxy ARP Configuration
/etc/shorewall/routestopped Stopped Hosts admitted after 'shorewall stop' /etc/shorewall/routestopped Stopped Hosts admitted after 'shorewall stop'


@ -2,5 +2,4 @@ etc/init.d/shorewall
etc/shorewall etc/shorewall
sbin/shorewall sbin/shorewall
usr/lib/shorewall usr/lib/shorewall
var/lib/shorewall
var/lib/lrpkg/shorwall.* var/lib/lrpkg/shorwall.*


@ -1 +1 @@
1.3.9 1.3.10