More Shorewall Lite Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3981 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-06-03 17:16:27 +00:00
parent 4bd371be4b
commit 5fee7defcf
4 changed files with 154 additions and 113 deletions

View File

@ -5,7 +5,7 @@
<!--$Id$-->
<articleinfo>
<title>Compiled Firewall Programs</title>
<title>Compiled Firewall Programs and Shorewall Lite</title>
<authorgroup>
<author>
@ -103,6 +103,14 @@
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>You must install Shorewall Lite on the system where you want
to run the script. You then install the compiled program in
/usr/share/shorewall/firewall and use the /sbin/shorewall program
included with Shorewall Lite to control the firewall just as if the
full Shorewall distribution was installed.</para>
</listitem>
</orderedlist>
</section>
</section>
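Review bot: the paths in the new list item (/usr/share/shorewall/firewall and /sbin/shorewall) are plain text, while the rest of this article marks paths up with `<filename>`; wrap them, e.g. `<filename>/usr/share/shorewall/firewall</filename>`, so the markup stays consistent. Minor grammar in the same sentence: "just as if the full Shorewall distribution were installed".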
@ -114,8 +122,8 @@
command:</para>
<blockquote>
<para><command>shorewall compile [ -e ] [ -d &lt;distro&gt; ] [
&lt;directory name&gt; ] &lt;path name&gt;</command></para>
<para><command>shorewall compile [ -e ] [ &lt;directory name&gt; ]
&lt;path name&gt;</command></para>
</blockquote>
<para>where</para>
@ -128,8 +136,8 @@
<listitem>
<para>Indicates that the program is to be "exported" to another
system. When this flag is set, the "detectnets" interface is not
allowed but the created program may be run on a system that
doesn't even have Shorewall installed.</para>
allowed but the created program may be run on a system that has
only Shorewall Lite installed</para>
<para>When this flag is given, Shorewall does not probe the
current system to determine the kernel/iptables features that it
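Review bot: the rewritten sentence ends `has only Shorewall Lite installed</para>` and drops the full stop that the replaced line had; restore the period.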
@ -139,33 +147,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-d &lt;distro&gt;</term>
<listitem>
<para>is normally used with "-e" and specifies the Linux
distribution that is running on the remote system. The program
will be tailored so that it integrates with the initialization
script system (init) on that system. Distributions currently
supported are:</para>
<simplelist>
<member>suse</member>
<member>redhat</member>
<member>debian (Note that Debian compiled programs may not be
installed directly into <filename
class="directory">/etc/init.d</filename> — they require the
soon-to-be-released Shorewall-minimal Debian package.</member>
</simplelist>
<para>If <emphasis role="bold">-d</emphasis> is not specified, the
compiled program is generally not suitable for being installed in
<filename class="directory">/etc/init.d</filename>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>&lt;directory name&gt;</term>
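Review bot: this removes the whole `-d <distro>` entry, but nothing in the hunk says what `shorewall compile -d` now does for users whose scripts still pass it. If the option is gone from /sbin/shorewall, a one-line note that `-d` is no longer accepted, and that the compiled program is now started through Shorewall Lite's `shorewall start` rather than from /etc/init.d, would save a support question.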
@ -188,57 +169,64 @@
</section>
<section>
<title>/usr/share/shorewall/configfiles (Added in version 3.2.0 RC
1)</title>
<title>Shorewall Lite (Added in version 3.2.0 RC 1)</title>
<para>The <filename
class="directory">/usr/share/shorewall/configfiles</filename> directory
contains a copy of the Shorewall configuration files that are normally
installed in <filename class="directory">/etc/shorewall</filename>.</para>
<para>Shorewall Lite is a companion product to Shorewall and is designed
to allow you to maintain all Shorewall configuration information on a
single system within your network.</para>
<para>Suppose that you want to create a configuration directory for remote
system 'gateway'.</para>
<orderedlist>
<orderedlist numeration="loweralpha">
<listitem>
<para><command>mkdir gateway</command></para>
<para>You install the full Shorewall release on one system within your
network. You need not configure Shorewall there and you may totally
disable startup of Shorewall in your init scripts. For ease of
reference, we call this system the 'administrative system'.</para>
</listitem>
<listitem>
<para><command>cp /usr/share/shorewall/configfiles/*
gateway</command></para>
<para>On each system where you wish to run a Shorewall-generated
firewall, you install Shorewall Lite. For ease of reference, we will
call these systems the 'firewall systems'.</para>
</listitem>
<listitem>
<para>Generate a <filename>capabilities</filename> file on the
'gateway' system as described in the next section and copy that file
to the <filename class="directory">gateway</filename>
<para>On the administrative system you create a separete
'configuration directory' for each firewall system. You copy the
contents of /usr/share/shorewall/configfiles into each configuration
directory.</para>
</listitem>
<listitem>
<para>Modify the files in the <filename
class="directory">gateway</filename> directory to match the
configuration on 'gateway'.</para>
<para>On each firewall system, you run:</para>
<programlisting><command>/usr/share/shorewall/shorecap &gt; capabilities</command>
<command>scp capabilities &lt;admin system&gt;:&lt;this system's config dir&gt;</command></programlisting>
</listitem>
<listitem>
<para><command>cd gateway</command></para>
<para>On the administrative system, for each firewall system you do
the following (this may be done by a non-root user):</para>
<orderedlist>
<listitem>
<para>modify the files in the corresponding configuration
directory appropriately.</para>
</listitem>
<listitem>
<para></para>
<programlisting><command>cd &lt;configuration directory&gt;</command>
<command>/sbin/shorewall compile -e . firewall</command>
<command>scp firewall root@&lt;firewall system&gt;:/usr/share/shorewall/</command></programlisting>
</listitem>
</orderedlist>
</listitem>
<listitem>
<para><command>/sbin/shorewall compile -e . firewall</command></para>
</listitem>
<para>On each firewall system:</para>
<listitem>
<para>Copy the <filename>firewall</filename> file to <filename
class="directory">/etc/init.d</filename> on system 'gateway' and
arrange for it to be started at boot time.</para>
</listitem>
<listitem>
<para>On the 'gateway' system, <command>/etc/init.d/firewall
start</command></para>
<programlisting><command>shorewall start</command></programlisting>
</listitem>
</orderedlist>
</section>
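Review bot: three problems in the new procedure. "separete" in the third item should be "separate". The `<para>On each firewall system:</para>` sits directly under `<orderedlist>`, between a `</listitem>` and the next `<listitem>`, which is not valid DocBook (an orderedlist may only contain listitems); move it into the following listitem ahead of the `shorewall start` programlisting. The empty `<para></para>` before the `cd <configuration directory>` programlisting renders as a blank paragraph and can be dropped.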
@ -254,10 +242,10 @@
<blockquote>
<programlisting>NAT_ENABLED=Yes # NAT
MANGLE_ENABLED=Yes # Packet Mangling
CONNTRACK_MATCH=Yes # Connection Tracking Match
USEPKTTYPE= # Packet Type Match
MULTIPORT=Yes # Multi-port Match
XMULTIPORT=Yes # Extended Multi-port Match
CONNTRACK_MATCH=Yes # Connection Tracking Match
USEPKTTYPE= # Packet Type Match
POLICY_MATCH=Yes # Policy Match
PHYSDEV_MATCH=Yes # Physdev Match
LENGTH_MATCH=Yes # Packet Length Match
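Review bot: CONNTRACK_MATCH and USEPKTTYPE move from after MANGLE_ENABLED to after XMULTIPORT. The paragraph below this listing promises that the variables appear in the same order as the `shorewall show capabilities` output, so please confirm the new position is the order shorecap actually emits; otherwise the sample misleads anyone hand-editing the file.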
@ -266,12 +254,17 @@ RECENT_MATCH=Yes # Recent Match
OWNER_MATCH=Yes # Owner match
IPSET_MATCH= # Ipset Match
CONNMARK=Yes # CONNMARK Target
XCONNMARK=Yes # Extended CONNMARK Target
CONNMARK_MATCH=Yes # Connmark Match
XCONNMARK_MATCH=Yes # Extended Connmark Match
RAW_TABLE=Yes # Raw Table
IPP2P_MATCH= # IPP2P Match
CLASSIFY_TARGET=Yes # CLASSIFY Target
ENHANCED_REJECT=Yes # Extended REJECT
KLUDGEFREE= # iptables accepts multiple "-m iprange" or "-m physdev" in a single command</programlisting>
KLUDGEFREE= # iptables accepts multiple "-m iprange" or "-m physdev" in a single command
MARK=Yes # MARK Target Support
XMARK=YES # Extended MARK Target Support
MANGLE_FORWARD # Mangle table has FORWARD chain</programlisting>
</blockquote>
<para>As you can see, the file contains a simple list of shell variable
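Review bot: the three added lines are inconsistent with the rest of the sample. `MANGLE_FORWARD # Mangle table has FORWARD chain` has no `=`, so as a shell variable assignment (which the following paragraph says these lines are) it is not valid, and a shell sourcing the file would try to execute a command named MANGLE_FORWARD; it should read `MANGLE_FORWARD=Yes # ...` (or `MANGLE_FORWARD= # ...` when absent). `XMARK=YES` uses upper-case YES where every other entry uses `Yes`; keep one spelling so that any test comparing against `Yes` behaves the same for every capability.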
@ -279,15 +272,15 @@ KLUDGEFREE= # iptables accepts multiple "-m iprange" or "-m
<command>shorewall show capabilities</command> command appear in the same
order as the output of that command.</para>
<para>To aid in creating this file, Shorewall 3.1 and later include a
shorecap program. The program is installed in the
<filename>/usr/share/shorewall/</filename> directory and may be copied to
/usr/bin on a remote system then run as follows:</para>
<para>To aid in creating this file, Shorewall Lite includes a
<command>shorecap</command> program. The program is installed in the
<filename>/usr/share/shorewall/</filename> directory and may be run as
follows:</para>
<blockquote>
<para><command>[ IPTABLES=&lt;iptables binary&gt; ] [
MODULESDIR=&lt;kernel modules directory&gt; ] shorecap &gt;
capabilities</command></para>
MODULESDIR=&lt;kernel modules directory&gt; ]
/usr/share/shorewall/shorecap &gt; capabilities</command></para>
</blockquote>
<para>The IPTABLES and MODULESDIR options have their <ulink
@ -300,7 +293,7 @@ KLUDGEFREE= # iptables accepts multiple "-m iprange" or "-m
</section>
<section>
<title>Running compiled programs</title>
<title>Running compiled programs directly</title>
<para>Compiled firewall programs are complete programs that support the
following run-line commands:</para>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2006-05-31</pubdate>
<pubdate>2006-06-03</pubdate>
<copyright>
<year>2004</year>
@ -647,8 +647,8 @@
<term>compile (Shorewall 3.1 and later)</term>
<listitem>
<para><command>shorewall compile [ -e ] [ -d &lt;distro&gt; ] [
&lt;directory name&gt; ] &lt;path name&gt;</command></para>
<para><command>shorewall compile [ -e ] [ &lt;directory name&gt; ]
&lt;path name&gt;</command></para>
<para>Compiles the current configuration into the executable file
&lt;path name&gt;. If &lt;path name&gt; names a file in
@ -656,36 +656,13 @@
command.</para>
<para>When -e is specified, the compilation is being performed on a
system other than where the compiled script will run. This option
disables certain configuration options that require the script to be
compiled where it is to be run and allows the script to be run on a
system that does not have Shorewall installed at all. The file
/etc/shorewall/capabilities must be present when -e is used; that
file specifies the iptables/kernel capabilities on the target
system.</para>
<para>When -d &lt;distribution&gt; is given, the script is built for
installation in <filename class="directory">/etc/init.d</filename>
on the distribution specified by &lt;distro&gt;. Currently supported
values for &lt;distro&gt;are:</para>
<simplelist>
<member>redhat (also good for Fedora Core and CentOS)</member>
<member>debian (Requires the soon to be released Shorewall-minimal
package to be run on Debian)</member>
<member>suse</member>
</simplelist>
<para>Usually specified together with -e. If not specified, the
output file is not suitable for installation into <filename
class="directory">/etc/init.d/</filename></para>
<para>Example:<blockquote>
<para><command>shorewall compile -ed redhat foo</command></para>
</blockquote>Additional distributions are expected to be supported
shortly.</para>
system other than where the compiled script will run under Shorewall
Lite. This option disables certain configuration options that
require the script to be compiled where it is to be run and allows
the script to be run on a system where Shorewall Lite is installed.
The file /etc/shorewall/capabilities must be present when -e is
used; that file specifies the iptables/kernel capabilities on the
target system.</para>
<para>The compiled script is a complete program that supports the
following commands:</para>
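Review bot: "compilation is being performed on a system other than where the compiled script will run under Shorewall Lite" reads awkwardly; "on a system other than the one where the compiled script will run under Shorewall Lite" is clearer. More importantly, the retained sentence still says `/etc/shorewall/capabilities` must be present, whereas the procedure in CompiledPrograms.xml copies `capabilities` into the per-firewall configuration directory and runs `shorewall compile -e . firewall` from there; state which location is consulted when `<directory name>` is given. The removed `Example:` block is not replaced; `shorewall compile -e . firewall` from the companion article would make a good one.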
@ -715,10 +692,6 @@
<para>The options have their same meaning is when they are passed to
<filename>/sbin/shorewall</filename> itself.</para>
<para>When the '-e' option is specified during compilation, the
program may be installed in /etc/init.d/ and serve as the firewall
on a system without Shorewall installed.</para>
<para>For additional information about the
<command>compile</command> command, see <ulink
url="CompiledPrograms.html">this article</ulink>.</para>

View File

@ -56,17 +56,22 @@ RPMDIR=~/rpm/
# Directory where you want the release to be built
#
DIR=$PWD
################################################################################
# V A R I A B L E S
################################################################################
VERSION=
OLDVERSION=
SHOREWALLDIR=
SHOREWALLLITEDIR=
SOURCEDIR=
SVNBRANCH=
LITESVNBRANCH=
XMLPROJ=
RPMNAME=
LITERPMNAME=
TARBALL=
LITETARBALL=
LOGFILE=
HTMLDIR=
BUILDTARBALL=
@ -74,6 +79,7 @@ BUILDRPM=
BUILDXML=
BUILDHTML=
SAMPLESTAG=
HASLITE=
################################################################################
# F U N C T I O N S
################################################################################
@ -214,15 +220,19 @@ case $VERSION in
;;
3.2.*)
SVNBRANCH="trunk/Shorewall"
LITESVNBRANCH="trunk/Shorewall-lite"
DOCTAG="trunk/docs"
XMLPROJ="docs-3.2"
SAMPLESTAG="trunk/Samples"
HASLITE=Yes
;;
3.3.*)
SVNBRANCH="trunk/Shorewall"
LITESVNBRANCH="trunk/Shorewall-lite"
DOCTAG="trunk/docs"
XMLPROJ="docs-3.3"
SAMPLESTAG="trunk/Samples"
HASLITE=Yes
;;
*)
echo "Unsupported Version: $VERSION"
@ -242,16 +252,22 @@ case $VERSION in
# Beta or Release Candidate
#
SHOREWALLDIR=shorewall-${VERSION%-*}
SHOREWALLLITEDIR=shorewall-lite-${VERSION%-*}
TARBALL=shorewall-${VERSION%-*}.tgz
LITETARBALL=shorewall-lite-${VERSION%-*}.tgz
RPMNAME=shorewall-${VERSION%-*}-0${VERSION#*-}.noarch.rpm
LITERPMNAME=shorewall-lite-${VERSION%-*}-0${VERSION#*-}.noarch.rpm
;;
*)
#
# Normal Release
#
SHOREWALLDIR=shorewall-$VERSION
SHOREWALLLITEDIR=shorewall-lite-$VERSION
TARBALL=shorewall-$VERSION.tgz
LITETARBALL=shorewall-lite-$VERSION.tgz
RPMNAME=shorewall-${VERSION}-1.noarch.rpm
LITERPMNAME=shorewall-lite-${VERSION}-1.noarch.rpm
;;
esac
@ -259,9 +275,11 @@ HTMLDIR=shorewall-docs-html-$VERSION
if [ -n "${BUILDTARBALL}${BUILDRPM}" ]; then
report "Shorewall directory is $DIR/$SHOREWALLDIR"
report "Shorewall Lite directory is $DIR/$SHOREWALLLITEDIR"
report "SVN tag is $SVNBRANCH"
[ -n "$BUILDTARBALL" ] && report "TARBALL is $TARBALL"
[ -n "$BUILDRPM" ] && report "RPM is $RPMNAME"
report "Lite SVN tag is $LITESVNBRANCH"
[ -n "$BUILDTARBALL" ] && report "TARBALL is $TARBALL" && report "LITETARBALL is $LITETARBALL"
[ -n "$BUILDRPM" ] && report "RPM is $RPMNAME" && report "LITERPM is $LITERPMNAME"
fi
[ -n "$BUILDHTML" ] && report "HTML Directory is $HTMLDIR"
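Review bot: `report "Lite SVN tag is $LITESVNBRANCH"` and the chained `&& report "LITETARBALL is $LITETARBALL"` / `&& report "LITERPM is $LITERPMNAME"` run regardless of HASLITE, so a 3.0/3.1 build reports empty Lite values; guard them with `[ -n "$HASLITE" ]` as the later blocks do. The chained form also means that if the first `report` returns non-zero the Lite line is silently skipped; separate lines are simpler.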
@ -270,14 +288,25 @@ if [ -n "${BUILDTARBALL}${BUILDRPM}" ]; then
progress_message "Exporting $SVNBRANCH from SVN..."
rm -rf $SHOREWALLDIR
rm -rf $SHOREWALLLITEDIR
do_or_die "svn export --non-interactive --force https://svn.sourceforge.net/svnroot/shorewall/$SVNBRANCH $SHOREWALLDIR >> $LOGFILE 2>&1"
do_or_die "svn export --non-interactive --force https://svn.sourceforge.net/svnroot/shorewall/$SVNBRANCH $SHOREWALLDIR >> $LOGFILE 2>&1"
if [ -n "$HASLITE" ]; then
progress_message "Exporting $LITESVNBRANCH from SVN..."
do_or_die "svn export --non-interactive --force https://svn.sourceforge.net/svnroot/shorewall/$LITESVNBRANCH $SHOREWALLLITEDIR >> $LOGFILE 2>&1"
fi
fgrep VERSION=$VERSION $SHOREWALLDIR/install.sh > /dev/null 2>&1 || fatal_error "install.sh has wrong version"
fgrep VERSION=$VERSION $SHOREWALLDIR/uninstall.sh > /dev/null 2>&1 || fatal_error "uninstall.sh has wrong version"
fgrep VERSION=$VERSION $SHOREWALLDIR/fallback.sh > /dev/null 2>&1 || fatal_error "fallback.sh has wrong version"
[ -f $SHOREWALLDIR/shorecap ] && \
{ fgrep VERSION=$VERSION $SHOREWALLDIR/shorecap > /dev/null 2>&1 || fatal_error "shorecap has wrong version"; }
if [ -n "$HASLITE" ]; then
fgrep VERSION=$VERSION $SHOREWALLLITEDIR/install.sh > /dev/null 2>&1 || fatal_error "Lite install.sh has wrong version"
fgrep VERSION=$VERSION $SHOREWALLLITEDIR/uninstall.sh > /dev/null 2>&1 || fatal_error "Lite uninstall.sh has wrong version"
fgrep VERSION=$VERSION $SHOREWALLLITEDIR/fallback.sh > /dev/null 2>&1 || fatal_error "Lite fallback.sh has wrong version"
fgrep VERSION=$VERSION $SHOREWALLLITEDIR/shorecap > /dev/null 2>&1 || fatal_error "Lite shorecap has wrong version"
fi
if [ -n "$SAMPLESTAG" ]; then
cd $SHOREWALLDIR
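Review bot: `rm -rf $SHOREWALLLITEDIR` runs unconditionally while SHOREWALLLITEDIR is only set when HASLITE is, so for non-Lite versions it expands to `rm -rf` with no operand (harmless with GNU rm, but fragile); move it inside the `if [ -n "$HASLITE" ]` block next to the Lite export and quote the variable. Within that block the check on `$SHOREWALLLITEDIR/fallback.sh` and `$SHOREWALLLITEDIR/shorecap` is unconditional, whereas the main tree guards `shorecap` with `[ -f ... ]`; confirm the Lite tree ships both files, or the build dies with "Lite fallback.sh has wrong version".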
@ -297,6 +326,17 @@ if [ -n "${BUILDTARBALL}${BUILDRPM}" ]; then
rm -f ${shoreball}.asc
do_or_die "$GPG $shoreball"
done
if [ -n "$HASLITE" ]; then
progress_message "Creating $DIR/$LITETARBALL..."
do_or_die "tar -zcvf $LITETARBALL $SHOREWALLLITEDIR >> $LOGFILE 2>&1"
do_or_die "tar -jcvf shorewall-lite-${VERSION%-*}.tar.bz2 $SHOREWALLLITEDIR >> $LOGFILE 2>&1"
for shoresuffix in tgz tar.bz2; do
shoreball=shorewall-lite-${VERSION%-*}.${shoresuffix}
report "GPG signing $DIR/$shoreball"
rm -f ${shoreball}.asc
do_or_die "$GPG $shoreball"
done
fi
fi
if [ -n "$BUILDRPM" ]; then
@ -304,6 +344,13 @@ if [ -n "${BUILDTARBALL}${BUILDRPM}" ]; then
do_or_die "rpmbuild -tb --sign $TARBALL >> $LOGFILE 2>&1"
do_or_die cp -a $RPMDIR/RPMS/noarch/$RPMNAME .
if [ -n "$HASLITE" ]; then
progress_message "Building $LITERPMNAME..."
do_or_die "rpmbuild -tb --sign $LITETARBALL >> $LOGFILE 2>&1"
do_or_die cp -a $RPMDIR/RPMS/noarch/$LITERPMNAME .
fi
fi
fi
@ -442,6 +489,28 @@ fi
rm -f ${betaball}.asc
do_or_die "$GPG $betaball"
done
if [ -n "$HASLITE" ]; then
progress_message "Creating $DIR/shorewall-lite-$VERSION..."
rm -rf shorewall-lite-$VERSION
do_or_die mv $SHOREWALLLITEDIR shorewall-lite-$VERSION
progress_message "Creating $DIR/shorewall-lite-${VERSION}.tgz ..."
do_or_die "tar -zcvf shorewall-lite-${VERSION}.tgz shorewall-lite-$VERSION >> $LOGFILE 2>&1"
do_or_die "tar -jcvf shorewall-lite-$VERSION.tar.bz2 shorewall-lite-$VERSION >> $LOGFILE 2>&1"
for shoresuffix in tgz tar.bz2; do
betaball=shorewall-lite-$VERSION.${shoresuffix}
report "GPG signing $DIR/$betaball tarball"
rm -f ${betaball}.asc
do_or_die "$GPG $betaball"
done
fi
;;
esac
@ -457,6 +526,10 @@ case $VERSION in
*Beta*|*RC*)
do_or_die "md5sum shorewall-${VERSION%-*}-0${VERSION#*-}.noarch.rpm >> $VERSION.md5sums"
do_or_die "sha1sum shorewall-${VERSION%-*}-0${VERSION#*-}.noarch.rpm >> $VERSION.sha1sums"
if [ -n "$HASLITE" ]; then
do_or_die "md5sum shorewall-lite-${VERSION%-*}-0${VERSION#*-}.noarch.rpm >> $VERSION.md5sums"
do_or_die "sha1sum shorewall-lite-${VERSION%-*}-0${VERSION#*-}.noarch.rpm >> $VERSION.sha1sums"
fi
;;
esac
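Review bot: the new md5sum/sha1sum lines re-derive the Lite RPM name as `shorewall-lite-${VERSION%-*}-0${VERSION#*-}.noarch.rpm`; `$LITERPMNAME` already holds exactly that string in the Beta/RC case (and `$RPMNAME` the existing one), so use the variables to keep the names from drifting apart. Only the `*Beta*|*RC*` arm is visible here; check that the normal-release arm also sums `$LITERPMNAME`.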

View File

@ -1,6 +1,7 @@
#/bin/sh
rpm=
literpm=
case $1 in
*.*[13569].*)
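Review bot: the first line `#/bin/sh` is missing the `!`, so it is a comment rather than a shebang and the script only runs under sh when invoked as `sh script`; since this file is being touched, change it to `#!/bin/sh`.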
@ -9,6 +10,7 @@ case $1 in
*Beta*|*RC*)
DEST="root@mail.shorewall.net:/srv/ftp/pub/shorewall/development/${1%.*}/shorewall-$1"
rpm=shorewall-${1%-*}-0${1#*-}.noarch.rpm
literpm=shorewall-lite-${1%-*}-0${1#*-}.noarch.rpm
;;
*)
DEST="root@mail.shorewall.net:/srv/ftp/pub/shorewall/${1%.*}/shorewall-$1"
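Review bot: `literpm` is set in the `*Beta*|*RC*` arm, but the `*)` release arm visible here shows only DEST; the matching `literpm=shorewall-lite-$1-1.noarch.rpm` (the name the build script assigns to LITERPMNAME for a normal release) appears to be missing, and nothing in these hunks reads `$literpm` yet, so check that the upload step below actually uses it.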