extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-09 01:04:06 +01:00
Code Issues Packages Projects Releases Wiki Activity

Move 2.0.16 to Lrp

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1941 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-02-02 21:47:42 +00:00
parent 627713e621
commit 7030c427f5
67 changed files with 3593 additions and 1677 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Lrp/etc/init.d/shorewall
View File

@ -1,14 +1,13 @@
#!/bin/sh
RCDLINKS="2,S41 3,S41 6,K41"
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.4 3/14/2003
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called:
# /etc/rc.d/init.d/shorewall or /etc/init.d/shorewall
# On most distributions, this file should be called /etc/init.d/shorewall.
#
# Complete documentation is available at http://shorewall.net
#

2
Lrp/etc/shorewall/accounting
View File

@ -1,5 +1,5 @@
#
# Shorewall version 1.4 - Accounting File
# Shorewall version 2.0 - Accounting File
#
# /etc/shorewall/accounting
#

19
Lrp/etc/shorewall/actions
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.4 /etc/shorewall/actions
# Shorewall 2.1 /etc/shorewall/actions
#
# This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to
@ -8,8 +8,21 @@
#
# ACTION names should begin with an upper-case letter to
# distinguish them from Shorewall-generated chain names and
# they must need the requirements of a Netfilter chain
# name.
# they must need the requirements of a Netfilter chain. If
# you intend to log from the action then the name must be
# no longer than 11 character in length. Names must also
# meet the requirements for a Bourne Shell identifier (must
# begin with a letter and be composed of letters, digits and
# underscore characters).
#
# If you follow the action name with ":DROP", ":REJECT" or
# :ACCEPT then the action will be taken before a DROP, REJECT or
# ACCEPT policy respectively is enforced. If you specify ":DROP",
# ":REJECT" or ":ACCEPT" on more than one action then only the
# last such action will be taken.
#
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
# itself, the associated policy will have no common action.
#
#ACTION

2
Lrp/etc/shorewall/blacklist
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.4 -- Blacklist File
# Shorewall 2.0 -- Blacklist File
#
# /etc/shorewall/blacklist
#

2
Lrp/etc/shorewall/ecn
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.4 - /etc/shorewall/ecn
# Shorewall 2.0 - /etc/shorewall/ecn
#
# Use this file to list the destinations for which you want to
# disable ECN.

105
Lrp/etc/shorewall/hosts
View File

@ -1,39 +1,48 @@
#
# Shorewall 1.4 - /etc/shorewall/hosts
# Shorewall 2.0 - /etc/shorewall/hosts
#
# THERE ARE TWO CASES WHERE YOU NEED THIS FILE:
#
# 1) YOU HAVE MULTIPLE NETWORKS IN THE SAME ZONE CONNECTED TO
# A SINGLE INTERFACE AND YOU WANT THE SHOREWALL BOX TO ROUTE
# BETWEEN THESE NETWORKS.
#
# 2) YOU HAVE MORE THAN ONE ZONE CONNECTED THROUGH A SINGLE
# INTERFACE.
#
# IF YOU DON'T HAVE EITHER OF THESE SITUATIONS THEN DON'T TOUCH
# THIS FILE.
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
#
# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
#------------------------------------------------------------------------------
# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
# ZONE AND INTERFACE IN THIS FILE.
#------------------------------------------------------------------------------
# This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to
# (should not) place anything in this file.
#
# The order of entries in this file is not significant in
# determining zone composition. Rather, the order that the zones
# are defined in /etc/shorewall/zones determines the order in
# which the records in this file are interpreted.
#
# ZONE - The name of a zone defined in /etc/shorewall/zones
#
# HOST(S) - The name of an interface followed by a colon (":") and
# HOST(S) - The name of an interface defined in the
# /etc/shorewall/interfaces file followed by a colon (":") and
# a comma-separated list whose elements are either:
#
# a) The IP address of a host
# b) A subnetwork in the form
# <subnet-address>/<mask width>
#
# The interface must be defined in the
# /etc/shorewall/interfaces file.
# c) A physical port name; only allowed when the
# interface names a bridge created by the
# brctl addbr command. This port must not
# be defined in /etc/shorewall/interfaces and may
# optionally followed by a colon (":") and a
# host or network IP.
# See http://www.shorewall.net/Bridge.html for details.
#
# Examples:
#
# eth1:192.168.1.3
# eth2:192.168.2.0/24
# eth3:192.168.2.0/24,192.168.3.1
# br0:eth4
# br0:eth0:192.168.1.16/28
#
# OPTIONS - A comma-separated list of options. Currently-defined
# options are:
@ -45,15 +54,75 @@
# an ethernet NIC and must be up before
# Shorewall is started.
#
# routeback - Shorewall show set up the infrastructure
# routeback - Shorewall should set up the infrastructure
# to pass packets from this/these
# address(es) back to themselves. This is
# necessary of hosts in this group use the
# necessary if hosts in this group use the
# services of a transparent proxy that is
# a member of the group or if DNAT is used
# to send requests originating from this
# group to a server in the group.
#
# norfc1918 - This option only makes sense for ports
# on a bridge.
#
# The port should not accept
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling or
# connection-tracking match is enabled in
# your kernel, packets whose destination
# addresses are reserved by RFC 1918 are
# also rejected.
#
# nobogons - This option only makes sense for ports
# on a bridge.
#
# This port should not accept
# any packets whose source is in one
# of the ranges reserved by IANA (this
# option does not cover those ranges
# reserved by RFC 1918 -- see
# 'norfc1918' above).
#
# blacklist - This option only makes sense for ports
# on a bridge.
#
# Check packets arriving on this port
# against the /etc/shorewall/blacklist
# file.
#
# tcpflags - Packets arriving from these hosts are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# nosmurfs - This option only makes sense for ports
# on a bridge.
#
# Filter packets for smurfs
# (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based
# on the setting of SMURF_LOG_LEVEL in
# shorewall.conf. After logging, the
# packets are dropped.
#
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from these hosts, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

2
Lrp/etc/shorewall/init
View File

@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.4 -- /etc/shorewall/init
# Shorewall 2.0 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.

74
Lrp/etc/shorewall/interfaces
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.4 -- Interfaces File
# Shorewall 2.0 -- Interfaces File
#
# /etc/shorewall/interfaces
#
@ -24,11 +24,12 @@
# want to make an entry that applies to all PPP
# interfaces, use 'ppp+'.
#
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
# There is no need to define the loopback interface (lo)
# in this file.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left black.If the interface has multiple
# column is left blank.If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
@ -36,8 +37,7 @@
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started, you must have iproute
# installed and the interface must only be associated
# with a single subnet.
# installed.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
@ -46,35 +46,51 @@
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall or
# you have a static IP but are on a LAN
# segment with lots of Laptop DHCP clients.
# dhcp - Specify this option when any of
# the following are true:
# 1. the interface gets its IP address
# via DHCP
# 2. the interface is used by
# a DHCP server running on the firewall
# 3. you have a static IP but are on a LAN
# segment with lots of Laptop DHCP
# clients.
# 4. the interface is a bridge with
# a DHCP server on one port and DHCP
# clients on another port.
#
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling is
# enabled in shorewall.conf, packets
# whose destination addresses are
# reserved by RFC 1918 are also rejected.
# addresses. If packet mangling or
# connection-tracking match is enabled in
# your kernel, packets whose destination
# addresses are reserved by RFC 1918 are
# also rejected.
#
# nobogons - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by IANA (this
# option does not cover those ranges
# reserved by RFC 1918 -- see above).
#
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
# dropunclean - Logs and drops mangled/invalid packets
#
# logunclean - Logs mangled/invalid packets but does
# not drop them.
# . . blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
#
# maclist - Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
@ -83,6 +99,7 @@
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
@ -98,11 +115,21 @@
# established connection will be accepted
# from this interface, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf.
# /etc/shorewall/shorewall.conf. In other
# words, packets coming in on this interface
# are processed as if NEWNOTSYN=Yes had been
# specified in /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
# It is the opinion of the author that
# NEWNOTSYN=No creates more problems than
# it solves and I recommend against using
# that setting in shorewall.conf (hence
# making the use of the 'newnotsyn'
# interface option unnecessary).
#
# routeback - If specified, indicates that Shorewall
# should include rules that allow filtering
# traffic arriving on this interface back
@ -117,12 +144,21 @@
# interface. The interface must be up
# when Shorewall is started.
#
# nosmurfs - Filter packets for smurfs
# (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based
# on the setting of SMURF_LOG_LEVEL in
# shorewall.conf. After logging, the
# packets are dropped.
#
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE!
# INTERNET INTERFACE.
#
# The order in which you list the options is not
# significant but the list should have no embedded white
@ -154,4 +190,6 @@
# net ppp0 -
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

7
Lrp/etc/shorewall/maclist
View File

@ -1,11 +1,14 @@
#
# Shorewall 1.4 - MAC list file
# Shorewall 2.0 - MAC list file
#
# /etc/shorewall/maclist
#
# Columns are:
#
# INTERFACE Network interface to a host
# INTERFACE Network interface to a host. If the interface
# names a bridge, it may be optionally followed by
# a colon (":") and a physical port name (e.g.,
# br0:eth4).
#
# MAC MAC address of the host -- you do not need to use
# the Shorewall format for MAC addresses here

55
Lrp/etc/shorewall/masq
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.4 - Masquerade file
# Shorewall 2.0 - Masquerade file
#
# /etc/shorewall/masq
#
@ -18,12 +18,7 @@
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a comma-separed list of
# destination hosts or subnets. If this list begins with
# "!" then masquerading will occur if and only if the
# connection destination is NOT included in the list.
# Otherwise, the masquerading will occur if and only if
# the destination IS included in the list.
# ":" followed by a destination host or subnet.
#
#
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
@ -47,6 +42,13 @@
# will automatically add this address to the
# INTERFACE named in the first column.
#
# If you have set ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf then DO NOT
# PLACE YOUR EXTERNAL INTERFACE'S PRIMARY IP
# ADDRESS IN THIS COLUMN -- If you do so, you
# will loose your default route when Shorewall
# starts.
#
# You may also specify a range of up to 256
# IP addresses if you want the SNAT address to
# be assigned from that range in a round-robin
@ -60,6 +62,27 @@
#
# This column may not contain DNS Names.
#
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.
#
# PROTO -- (Optional) If you wish to restrict this entry to a
# particular protocol then enter the protocol
# name (from /etc/protocols) or number here.
#
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# or UDP (protocol 17) then you may list one
# or more port numbers (or names from
# /etc/services) separated by commas or you
# may list a single port range
# (<low port>:<high port>).
#
# Where a comma-separated list is given, your
# kernel and iptables must have multiport match
# support and a maximum of 15 ports may be
# listed.
#
#
# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
@ -99,6 +122,20 @@
#
# eth0:0 192.168.1.0/24 206.124.146.176
#
##############################################################################
#INTERFACE SUBNET ADDRESS
# Example 5:
#
# You want all outgoing SMTP traffic entering the firewall
# on eth1 to be sent from eth0 with source IP address
# 206.124.146.177. You want all other outgoing traffic
# from eth1 to be sent from eth0 with source IP address
# 206.124.146.176.
#
# eth0 eth1 206.124.146.177 tcp smtp
# eth0 eth1 206.124.146.176
#
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

4
Lrp/etc/shorewall/modules
View File

@ -1,5 +1,5 @@
##############################################################################
# Shorewall 1.4 /etc/shorewall/modules
# Shorewall 2.0 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
#
@ -12,8 +12,10 @@
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc

16
Lrp/etc/shorewall/nat
View File

@ -1,21 +1,22 @@
##############################################################################
#
# Shorewall 1.4 -- Network Address Translation Table
# Shorewall 2.0 -- Network Address Translation Table
#
# /etc/shorewall/nat
#
# This file is used to define static Network Address Translation (NAT).
# This file is used to define one-to-one Network Address Translation
# (NAT).
#
# WARNING: If all you want to do is simple port forwarding, do NOT use this
# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
# cases, Proxy ARP is a better solution that static NAT.
# cases, Proxy ARP is a better solution that one-to-one NAT.
#
# Columns must be separated by white space and are:
#
# EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next
# column and must not be a DNS Name.
# INTERFACE Interface that we want to EXTERNAL address to appear
# INTERFACE Interface that you want to EXTERNAL address to appear
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
# follow the interface name with ":" and a digit to
# indicate that you want Shorewall to add the alias
@ -24,12 +25,11 @@
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
# INTERNAL Internal Address (must not be a DNS Name).
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
# from all hosts. If No or no then NAT will be effective
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
# If No or no (or left empty) then NAT will be effective
# only through the interface named in the INTERFACE
# column
# LOCAL If Yes or yes and the ALL INTERFACES column contains
# Yes or yes, NAT will be effective from the firewall
# LOCAL If Yes or yes, NAT will be effective from the firewall
# system
##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL

2
Lrp/etc/shorewall/params
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.4 /etc/shorewall/params
# Shorewall 2.0 /etc/shorewall/params
#
# Assign any variables that you need here.
#

33
Lrp/etc/shorewall/policy
View File

@ -1,15 +1,14 @@
#
# Shorewall 1.4 -- Policy File
# Shorewall 2.0 -- Policy File
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
# don't get a match from the /etc/shorewall/rules file . For each
# source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server).
#
# Columns are:
#
@ -19,10 +18,6 @@
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# WARNING: Firewall->Firewall policies are not allowed; if
# you have a policy where both SOURCE and DEST are $FW,
# Shorewall will not start!
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
@ -43,7 +38,15 @@
# with this SOURCE and DEST in the
# /etc/shorewall/rules file. If such a
# packet _is_ received, the result is
# undefined.
# undefined. NONE may not be used if the
# SOURCE or DEST columns contain the
# firewall zone ($FW) or "all".
#
# If this column contains ACCEPT, DROP or REJECT and a
# corresponding common action is defined in
# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
# then that action will be invoked before the policy named in
# this column is inforced.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
@ -57,7 +60,7 @@
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "_" here.
# following column, place "-" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
@ -74,9 +77,13 @@
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc net ACCEPT
net all DROP info
net all DROP ULOG
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw net ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info
all all REJECT ULOG
#LAST LINE -- DO NOT REMOVE

24
Lrp/etc/shorewall/proxyarp
View File

@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.4 -- Proxy ARP
# Shorewall 2.0 -- Proxy ARP
#
# /etc/shorewall/proxyarp
#
@ -9,22 +9,36 @@
# Columns must be separated by white space and are:
#
# ADDRESS IP Address
#
# INTERFACE Local interface where system is connected. If the
# local interface is obvious from the subnetting,
# you may enter "-" in this column.
#
# EXTERNAL External Interface to be used to access this system
#
# HAVEROUTE If there is already a route from the firewall to
# the host whose address is given, enter "Yes" or "yes"
# in this column. Otherwise, entry "no", "No" or leave
# the column empty.
# the column empty and Shorewall will add the route for
# you. If Shorewall adds the route,the route will be
# persistent if the PERSISTENT column contains Yes;
# otherwise, "shorewall stop" or "shorewall clear" will
# delete the route.
#
# PERSISTENT If HAVEROUTE is No or "no", then the value of this
# column determines if the route added by Shorewall
# persists after a "shorewall stop" or a "shorewall
# clear". If this column contains "Yes" or "yes" then
# the route persists; If the column is empty or contains
# "No"or "no" then the route is deleted at "shorewall
# stop" or "shorewall clear".
#
# Example: Host with IP 155.186.235.6 is connected to
# interface eth1 and we want hosts attached via eth0
# to be able to access it using that address.
#
# #ADDRESS INTERFACE EXTERNAL HAVEROUTE
# 155.186.235.6 eth1 eth0 No
# #ADDRESS INTERFACE EXTERNAL
# 155.186.235.6 eth1 eth0
##############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Lrp/etc/shorewall/routestopped
View File

@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.4 -- Hosts Accessible when the Firewall is Stopped
# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped
#
# /etc/shorewall/routestopped
#
@ -14,12 +14,18 @@
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
# OPTIONS - (Optional) A comma-separated list of
# options. The currently-supported options are:
#
# routeback - Set up a rule to ACCEPT traffic from
# these hosts back to themselves.
#
# Example:
#
# INTERFACE HOST(S)
# INTERFACE HOST(S) OPTIONS
# eth2 192.168.1.0/24
# eth0 192.0.2.44
# br0 - routeback
##############################################################################
#INTERFACE HOST(S)
#INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

127
Lrp/etc/shorewall/rules
View File

@ -1,24 +1,37 @@
#
# Shorewall version 1.4 - Rules File
# Shorewall version 2.0 - Rules File
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
# responses are automatically allowed using connection tracking. For any
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first match is the one
# that determines the disposition of the request.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead.
#-------------------------------------------------------------------------------#
# Columns are:
#
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
# LOG or an <action>.
# LOG, QUEUE or an <action>.
#
# ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
# connection from any subsequent
# DNAT[-] or REDIRECT[-] rules
# NONAT -- Excludes the connection from any
# subsequent DNAT[-] or REDIRECT[-]
# rules but doesn't generate a rule
# to accept the traffic.
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
@ -36,6 +49,7 @@
# Like REDIRET but only generates the
# REDIRECT iptables rule and not
# the companion ACCEPT rule.
#
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
@ -47,38 +61,31 @@
# (those) zone(s).
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
# application such as ftwall
# (http://p2pwall.sf.net).
# <action> -- The name of an action defined in
# /etc/shorewall/actions.
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std.
#
# You may rate-limit the rule by optionally
# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
# < <rate>/<interval>[:<burst>] >
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: ACCEPT<10/sec:20>
#
# The ACTION (and rate limit) may optionally be followed
# The ACTION may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# DNAT<4/sec:8>:debugging). This causes the packet to be
# DNAT:debug). This causes the packet to be
# logged at the specified level.
#
# NOTE: For those of you who prefer to place the
# rate limit in a separate column, see the RATE LIMIT
# column below. If you specify a value in that column,
# you must not include a rate limit in the ACTION column
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
@ -86,6 +93,10 @@
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
#
# Except when "all" is specified, clients may be further
# restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
@ -116,6 +127,10 @@
# /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all"
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
#
# Except when "all" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
@ -180,8 +195,8 @@
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
# specify an ORIGINAL DEST in the next column, then place
# "-" in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
@ -229,25 +244,25 @@
#
# Example: 10/sec:20
#
# If you place a rate limit in this column, you may not
# place a similar limit in the ACTION column.
#
# USER SET This column may only be non-empty if the SOURCE is
# the firewall itself and the ACTION is ACCEPT, DROP or
# REJECT.
# USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# The column may contain a user set name defined in the
# /etc/shorewall/usersets file or it may contain:
# The column may contain:
#
# [<user name or number>]:[<group name or number>]
# [!][<user name or number>][:<group name or number>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user>(s) and/or <group>(s) specified.
# When a user set name is given, a log level may not be
# present in the ACTION column; logging for such rules is
# controlled by the user set's entry in
# /etc/shorewall/usersets.
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
#
# Example: Accept SMTP requests from the DMZ to the internet
#
@ -293,6 +308,28 @@
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22
####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST LIMIT
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
# PORT PORT(S) DEST LIMIT
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8
#
# Bering specific rules:
# allow loc to fw udp/53 for local/caching DNS servers to work
# allow loc to fw tcp/80 for weblet to work
# allow loc to fw udp/67 and udp/68 for dnsmasq's dhcpd to work
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
ACCEPT loc fw udp 67,68
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

217
Lrp/etc/shorewall/shorewall.conf
View File

@ -1,12 +1,12 @@
##############################################################################
# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
# /etc/shorewall/shorewall.conf V2.0 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
##############################################################################
# L O G G I N G
##############################################################################
@ -32,7 +32,7 @@
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number.
#
# If you have build your kernel with ULOG target support, you may also
# If you have built your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'.
@ -52,7 +52,7 @@
#
# http://www.shorewall.net/shorewall_logging.html
LOGFILE=/var/log/messages
LOGFILE=/var/log/shorewall.log
#
# LOG FORMAT
@ -90,34 +90,26 @@ LOGFORMAT="Shorewall:%s:%s:"
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# If BOTH variables are set empty then logging will not be rate-limited.
#
# Example:
#
# LOGRATE=10/minute
# LOGBURST=5
#
# If BOTH variables are set empty then logging will not be rate-limited.
# For each logging rule, the first time the rule is reached, the packet
# will be logged; in fact, since the burst is 5, the first five packets
# will be logged. After this, it will be 6 seconds (1 minute divided by
# the rate of 10) before a message will be logged from the rule, regardless
# of how many packets reach it. Also, every 6 seconds which passes without
# matching a packet, one of the bursts will be regained; if no packets hit
# the rule for 30 seconds, the burst will be fully recharged; back where
# we started.
#
LOGRATE=
LOGBURST=
#
# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
#
# This variable determines the level at which Mangled/Invalid packets are logged
# under the 'dropunclean' interface option. If you set this variable to an
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
# silently.
#
# The value of this variable also determines the level at which Mangled/Invalid
# packets are logged under the 'logunclean' interface option. If the variable
# is empty, these packets will still be logged at the 'info' level.
#
# See the comment at the top of this section for a description of log levels
#
LOGUNCLEAN=info
#
# BLACKLIST LOG LEVEL
#
@ -144,7 +136,7 @@ BLACKLIST_LOGLEVEL=
# Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN=info
LOGNEWNOTSYN=ULOG
#
# MAC List Log Level
@ -156,7 +148,7 @@ LOGNEWNOTSYN=info
# See the comment at the top of this section for a description of log levels
#
MACLIST_LOG_LEVEL=info
MACLIST_LOG_LEVEL=ULOG
#
# TCP FLAGS Log Level
@ -168,7 +160,7 @@ MACLIST_LOG_LEVEL=info
# See the comment at the top of this section for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=ULOG
#
# RFC1918 Log Level
@ -180,8 +172,35 @@ TCP_FLAGS_LOG_LEVEL=info
# See the comment at the top of this section for a description of log levels
#
RFC1918_LOG_LEVEL=info
RFC1918_LOG_LEVEL=ULOG
#
# SMURF Log Level
#
# Specifies the logging level for smurf packets dropped by the
#'nosmurfs' interface option in /etc/shorewall/interfaces and in
# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""
# ) then dropped smurfs are not logged.
#
# See the comment at the top of this section for a description of log levels
#
SMURF_LOG_LEVEL=ULOG
#
# BOGON Log Level
#
# Specifies the logging level for bogon packets dropped by the
#'nobogons' interface option in /etc/shorewall/interfaces and in
# /etc/shorewall/hosts. If set to the empty value
# ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop'
# in /usr/share/shorewall/bogons are logged at the 'info' level.
#
# See the comment at the top of this section for a description of log levels
#
BOGON_LOG_LEVEL=ULOG
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
@ -215,7 +234,7 @@ SUBSYSLOCK=/var/run/shorewall
# it is running
#
STATEDIR=/tmp/shorewall
STATEDIR=/var/state/shorewall
#
# KERNEL MODULE DIRECTORY
@ -226,6 +245,37 @@ STATEDIR=/tmp/shorewall
MODULESDIR=
#
# CONFIGURATION SEARCH PATH
#
# This option holds a list of directory names separated by colons
# (":"). Shorewall will search each directory in turn when looking for a
# configuration file. When processing a 'try' command or a command
# containing the "-c" option, Shorewall will automatically add the
# directory specified in the command to the front of this list.
#
# If not specified or specified as null ("CONFIG_PATH=""),
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
#
# RESTORE SCRIPT
#
# This option determines the script to be run in the following cases:
#
# shorewall -f start
# shorewall restore
# shorewall save
# shorewall forget
# Failure of shorewall start or shorewall restart
#
# The value of the option must be the name of an executable file in the
# directory /var/lib/shorewall. If this option is not set or if it is
# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
# assumed.
RESTOREFILE=
################################################################################
# F I R E W A L L O P T I O N S
################################################################################
@ -358,16 +408,6 @@ CLAMPMSS=No
ROUTE_FILTER=No
#
# NAT BEFORE RULES
#
# Shorewall has traditionally processed static NAT rules before port forwarding
# rules. If you would like to reverse the order, set this variable to "No".
#
# If this variable is not set or is set to the empty value, "Yes" is assumed.
NAT_BEFORE_RULES=Yes
# DNAT IP ADDRESS DETECTION
#
# Normally when Shorewall encounters the following rule:
@ -430,12 +470,12 @@ MUTEX_TIMEOUT=60
# A packet is said to be NEW if it is not part of or related to an already
# established connection.
#
# The NETNOTSYN option determines the handling of non-SYN packets (those with
# The NEWNOTSYN option determines the handling of non-SYN packets (those with
# SYN off or with ACK or RST on) that are not associated with an already
# established connection.
#
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
# part of an already established connection, it will be dropped by the
# part of an already established connection will be dropped by the
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
# logged before they are dropped.
#
@ -447,7 +487,9 @@ MUTEX_TIMEOUT=60
# also need to select NEWNOTSYN=Yes.
#
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
# using the 'newnotsyn' option in /etc/shorewall/interfaces.
# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
# network or host basis using the same option in /etc/shorewall/hosts.
#
# I find that NEWNOTSYN=No tends to result in lots of "stuck"
# connections because any network timeout during TCP session tear down
@ -513,9 +555,9 @@ BLACKLISTNEWONLY=Yes
#
# When loading a module named in /etc/shorewall/modules, Shorewall normally
# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different
# naming convention then you can specify the suffix (extension) for module
# names in this variable.
# end in ".o", ".ko", ".gz", "o.gz" or "ko.gz" . If your distribution uses a
# different naming convention then you can specify the suffix (extension) for
# module names in this variable.
#
# To see what suffix is used by your distribution:
#
@ -532,6 +574,89 @@ BLACKLISTNEWONLY=Yes
MODULE_SUFFIX=
#
# DISABLE IPV6
#
# Distributions (notably SuSE) are beginning to ship with IPV6
# enabled. If you are not using IPV6, you are at risk of being
# exploited by users who do. Setting DISABLE_IPV6=Yes will cause
# Shorewall to disable IPV6 traffic to/from and through your
# firewall system. This requires that you have ip6tables installed.
# Should be set to "No" for LEAF/LRP
DISABLE_IPV6=No
#
# BRIDGING
#
# If you wish to control traffic through a bridge (see http://bridge.sf.net),
# then set BRIDGING=Yes. Your kernel must have the physdev match option
# enabled; that option is available at the above URL for 2.4 kernels and
# is included as a standard part of the 2.6 series kernels. If not
# specified or specified as empty (BRIDGING="") then "No" is assumed.
#
BRIDGING=No
#
# DYNAMIC ZONES
#
# If you need to be able to add and delete hosts from zones dynamically then
# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
DYNAMIC_ZONES=No
#
# USE PKTTYPE MATCH
#
# Some users have reported problems with the PKTTYPE match extension not being
# able to match certain broadcast packets.
#
# Other users have complained of the following message when
# starting Shorewall:
#
# modprobe: cant locate module ipt_pkttype
#
# If you set PKTTYPE=No then Shorewallwill use IP addresses to detect
# broadcasts rather than pkttype. If not given or if given as empty
# (PKTTYPE="") then PKTTYPE=Yes is assumed.
PKTTYPE=Yes
#
# DROP INVALID PACKETS
#
# Netfilter classifies packets relative to its connection tracking table into
# four states:
#
# NEW - thes packet initiates a new connection
# ESTABLISHED - thes packet is part of an established connection
# RELATED - thes packet is related to an established connection; it may
# establish a new connection
# INVALID - the packet does not related to the table in any sensible way.
#
# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
# Window analysis. This can cause packets that were previously classified as
# NEW or ESTABLISHED to be classified as INVALID.
#
# The new kernel code can be disabled by including this command in your
# /etc/shorewall/init file:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
#
# Additional kernel logging about INVALID TCP packets may be obtained by
# adding this command to /etc/shorewall/init:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
#
# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
# option allows INVALID packets to be passed through the normal rules chains by
# setting DROPINVALID=No.
#
# If not specified or if specified as empty (e.g., DROPINVALID="") then
# DROPINVALID=Yes is assumed.
DROPINVALID=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
@ -542,6 +667,7 @@ MODULE_SUFFIX=
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
#
@ -560,8 +686,9 @@ MACLIST_DISPOSITION=REJECT
#
# This variable determins the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
# 'tcpflags' option specified in /etc/shorewall/interfaces or in
# /etc/shorewall/hosts. If not specified or specified as empty
# (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
TCP_FLAGS_DISPOSITION=DROP

6
Lrp/etc/shorewall/start
View File

@ -1,6 +1,10 @@
############################################################################
# Shorewall 1.4 -- /etc/shorewall/start
# Shorewall 2.0 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
for file in /etc/shorewall/start.d/* ; do
run_user_exit $file
done

6
Lrp/etc/shorewall/stop
View File

@ -1,6 +1,10 @@
############################################################################
# Shorewall 1.4 -- /etc/shorewall/stop
# Shorewall 2.0 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#
for file in /etc/shorewall/stop.d/* ; do
run_user_exit $file
done

2
Lrp/etc/shorewall/stopped
View File

@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.4 -- /etc/shorewall/stopped
# Shorewall 2.0 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.

7
Lrp/etc/shorewall/tcrules
View File

@ -1,5 +1,5 @@
#
# Shorewall version 1.4 - Traffic Control Rules File
# Shorewall version 2.0 - Traffic Control Rules File
#
# /etc/shorewall/tcrules
#
@ -11,6 +11,11 @@
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
#
# Unlike rules in the /etc/shorewall/rules file, evaluation
# of rules in this file will continue after a match. So the
# final mark for each packet will be the one assigned by the
# LAST tcrule that matches.
#
# Columns are:
#
#

14
Lrp/etc/shorewall/tos
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.4 -- /etc/shorewall/tos
# Shorewall 2.0 -- /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#
@ -43,10 +43,10 @@
#
##############################################################################
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
all all tcp - ssh 16
all all tcp ssh - 16
all all tcp - ftp 16
all all tcp ftp - 16
all all tcp ftp-data - 8
all all tcp - ftp-data 8
all all tcp - 22 16
all all tcp 22 - 16
all all tcp - 21 16
all all tcp 21 - 16
all all tcp 20 - 8
all all tcp - 20 8
#LAST LINE -- Add your entries above -- DO NOT REMOVE

11
Lrp/etc/shorewall/tunnels
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.4 - /etc/shorewall/tunnels
# Shorewall 2.0 - /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
@ -13,6 +13,10 @@
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
# "generic"
#
# If the type is "ipsec" or "ipsecnat", it may be followed
# by ":noah" to indicate that the Authentication Header
# protocol (51) is not used by the tunnel.
#
# If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no
# ":" and port number are included, then the default port
@ -42,9 +46,10 @@
# Example 1:
#
# IPSec tunnel. The remote gateway is 4.33.99.124 and
# the remote subnet is 192.168.9.0/24
# the remote subnet is 192.168.9.0/24. The tunnel does
# not use the AH protocol
#
# ipsec net 4.33.99.124
# ipsec:noah net 4.33.99.124
#
# Example 2:
#

4
Lrp/etc/shorewall/zones
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.4 /etc/shorewall/zones
# Shorewall 2.0 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
@ -15,5 +15,5 @@
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
dmz DMZ Demilitarized zone
#dmz DMZ Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

423
Lrp/sbin/shorewall
View File

@ -1,11 +1,10 @@
#!/bin/sh
#
# Shorewall Packet Filtering Firewall Control Program - V1.4 - 3/14/2003
# Shorewall Packet Filtering Firewall Control Program - V2.0 - 3/14/2004
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
#
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
#
# This file should be placed in /sbin/shorewall.
#
@ -77,10 +76,17 @@
# listed address(es)
# shorewall allow <address> ... Reenable address(es) previously
# disabled with "drop" or "reject"
# shorewall save Save the list of "rejected" and
# shorewall save [ <file> ] Save the list of "rejected" and
# "dropped" addresses so that it will
# be automatically reinstated the
# next time that Shorewall starts.
# Save the current state so that 'shorewall
# restore' can be used.
#
# shorewall forget [ <file> ] Discard the data saved by 'shorewall save'
#
# shorewall restore [ <file> ] Restore the state of the firewall from
# previously saved information.
#
# shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ]
#
@ -128,6 +134,19 @@ showchain() # $1 = name of chain
fi
}
#
# Validate the value of RESTOREFILE
#
validate_restorefile() # $* = label
{
case $RESTOREFILE in
*/*)
echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2
exit 2
;;
esac
}
#
# Set the configuration variables from shorewall.conf
#
@ -157,10 +176,17 @@ get_config() {
if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -e "$SHOREWALL_SHELL" ]; then
echo "The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
exit 2
fi
fi
[ -n "$RESTOREFILE" ] || RESTOREFILE=restore
validate_restorefile RESTOREFILE
export RESTOREFILE
}
#
@ -169,7 +195,7 @@ get_config() {
#
display_chains()
{
trap "rm -f $TMPFILE; exit 1" 1 2 3 4 5 6 9
trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
if [ "$haveawk" = "Yes" ]; then
#
@ -177,13 +203,12 @@ display_chains()
# the output in a variable.
#
TMPFILE=$(mktempfile)
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
[ -n "$TMPFILE" ] || { echo "Cannot create a temporary file" >&2; exit 2; }
iptables -L -n -v >> $TMPFILE
iptables -L $IPT_OPTIONS >> $TMPFILE
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
echo "Standard Chains"
echo
@ -195,13 +220,13 @@ display_chains()
timed_read
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
firstchain=Yes
echo "Input Chains"
echo
chains=`grep '^Chain.*_[in|fwd]' $TMPFILE | cut -d' ' -f 2`
chains=$(grep '^Chain.*_[in|fwd]' $TMPFILE | cut -d' ' -f 2)
for chain in $chains; do
showchain $chain
@ -211,9 +236,9 @@ display_chains()
for zone in $zones; do
if [ -n "`grep "^Chain \.*${zone}" $TMPFILE`" ] ; then
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
firstchain=Yes
eval display=\$${zone}_display
@ -232,7 +257,7 @@ display_chains()
done
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
firstchain=Yes
echo "Policy Chains"
@ -253,7 +278,7 @@ display_chains()
timed_read
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
firstchain=Yes
echo "Dynamic Chain"
@ -294,7 +319,7 @@ packet_log() # $1 = number of messages
sed s/" kernel:"// | \
sed s/" $host $LOGFORMAT"/" "/ | \
sed s/" $host kernel: ipt_unclean: "/" "/ | \
sed 's/MAC=.*SRC=/SRC=/' | \
sed 's/MAC=.* SRC=/SRC=/' | \
tail $options
}
@ -305,7 +330,7 @@ show_tc() {
show_one_tc() {
local device=${1%@*}
qdisc=`tc qdisc list dev $device`
qdisc=$(tc qdisc list dev $device)
if [ -n "$qdisc" ]; then
echo Device $device:
@ -335,7 +360,7 @@ show_classifiers() {
show_one_classifier() {
local device=${1%@*}
qdisc=`tc qdisc list dev $device`
qdisc=$(tc qdisc list dev $device)
if [ -n "$qdisc" ]; then
echo Device $device:
@ -364,8 +389,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
{
get_config
host=`echo $HOSTNAME | sed 's/\..*$//'`
oldrejects=`iptables -L -v -n | grep 'LOG'`
host=$(echo $HOSTNAME | sed 's/\..*$//')
oldrejects=$(iptables -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then
let "timeout=- $1"
@ -378,7 +403,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
if qt which awk; then
TMP_DIR=$(mktempdir)
[ -n "$TMP_DIR" ] || { echo "Unable to create a temporary directory" >&2; exit 2; }
[ -n "$TMP_DIR" ] || { echo " ERROR:Cannot create temporary directory" >&2; exit 1; }
haveawk=Yes
determine_zones
rm -rf $TMP_DIR
@ -390,7 +415,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
display_chains
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
echo "Dropped/Rejected Packet Log"
@ -398,7 +423,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
show_reset
rejects=`iptables -L -v -n | grep 'LOG'`
rejects=$(iptables -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
@ -421,24 +446,24 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
fi
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
echo "NAT Status"
echo
iptables -t nat -L -n -v
iptables -t nat -L $IPT_OPTIONS
timed_read
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
echo
echo "TOS/MARK Status"
echo
iptables -t mangle -L -n -v
iptables -t mangle -L $IPT_OPTIONS
timed_read
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
echo
echo "Tracked Connections"
@ -447,7 +472,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
timed_read
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
echo
echo "Traffic Shaping/Control"
@ -456,7 +481,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
timed_read
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
echo
echo "Packet Classifiers"
@ -474,8 +499,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
{
get_config
host=`echo $HOSTNAME | sed 's/\..*$//'`
oldrejects=`iptables -L -v -n | grep 'LOG'`
host=$(echo $HOSTNAME | sed 's/\..*$//')
oldrejects=$(iptables -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then
timeout=$((- $1))
@ -489,7 +514,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
while true; do
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
echo "Dropped/Rejected Packet Log"
@ -497,7 +522,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
show_reset
rejects=`iptables -L -v -n | grep 'LOG'`
rejects=$(iptables -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
@ -535,7 +560,7 @@ help()
#
usage() # $1 = exit status
{
echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>"
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>"
echo " allow <address> ..."
@ -543,6 +568,7 @@ usage() # $1 = exit status
echo " clear"
echo " delete <interface>[:<host>] <zone>"
echo " drop <address> ..."
echo " forget [ <file name> ]"
echo " help [ <command > | host | address ]"
echo " hits"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
@ -553,7 +579,8 @@ usage() # $1 = exit status
echo " reject <address> ..."
echo " reset"
echo " restart"
echo " save"
echo " restore [ <file name> ]"
echo " save [ <file name> ]"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
@ -568,16 +595,20 @@ usage() # $1 = exit status
#
show_reset() {
[ -f $STATEDIR/restarted ] && \
echo "Counters reset `cat $STATEDIR/restarted`" && \
echo "Counters reset $(cat $STATEDIR/restarted)" && \
echo
}
show_proc() {
[ -f $1 ] && echo " $1 = $(cat $1)"
}
#
# Execution begins here
#
debugging=
if [ $# -gt 0 ] && [ "$1" = "debug" ]; then
if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then
debugging=debug
shift
fi
@ -590,29 +621,60 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
fi
SHOREWALL_DIR=
QUIET=
IPT_OPTIONS="-nv"
FAST=
done=0
while [ $done -eq 0 ]; do
[ $# -eq 0 ] && usage 1
case $1 in
-c)
[ $# -eq 1 ] && usage 1
option=$1
case $option in
-*)
option=${option#-}
if [ ! -d $2 ]; then
if [ -e $2 ]; then
echo "$2 is not a directory" >&2 && exit 2
else
echo "Directory $2 does not exist" >&2 && exit 2
fi
fi
[ -z "$option" ] && usage 1
while [ -n "$option" ]; do
case $option in
c)
[ $# -eq 1 ] && usage 1
SHOREWALL_DIR=$2
shift
shift
;;
*)
done=1
;;
if [ ! -d $2 ]; then
if [ -e $2 ]; then
echo "$2 is not a directory" >&2 && exit 2
else
echo "Directory $2 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$2
option=
shift
;;
x*)
IPT_OPTIONS="-xnv"
option=${option#x}
;;
q*)
QUIET=Yes
option=${option#q}
;;
f*)
FAST=Yes
option=${option#f}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
done=1
;;
esac
done
@ -621,6 +683,7 @@ if [ $# -eq 0 ]; then
fi
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
[ -n "$QUIET" ] && export QUIET
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MUTEX_TIMEOUT=
@ -638,15 +701,26 @@ else
exit 2
fi
config=`find_file shorewall.conf`
ensure_config_path
config=$(find_file shorewall.conf)
if [ -f $config ]; then
. $config
if [ -r $config ]; then
. $config
else
echo "Cannot read $config! (Hint: Are you root?)" >&2
exit 1
fi
else
echo "$config does not exist!" >&2
exit 2
fi
ensure_config_path
export CONFIG_PATH
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ ! -f $FIREWALL ]; then
@ -662,7 +736,7 @@ if [ ! -f $FIREWALL ]; then
fi
if [ -f $VERSION_FILE ]; then
version=`cat $VERSION_FILE`
version=$(cat $VERSION_FILE)
else
echo "ERROR: Shorewall is not properly installed"
echo " The file $VERSION_FILE does not exist"
@ -671,8 +745,7 @@ fi
banner="Shorewall-$version Status at $HOSTNAME -"
case `echo -e` in
case $(echo -e) in
-e*)
RING_BELL="echo \a"
;;
@ -681,7 +754,7 @@ case `echo -e` in
;;
esac
case `echo -n "Testing"` in
case $(echo -n "Testing") in
-n*)
ECHO_N=
;;
@ -691,7 +764,26 @@ case `echo -n "Testing"` in
esac
case "$1" in
start|stop|restart|reset|clear|refresh|check)
start)
[ $# -ne 1 ] && usage 1
get_config
if [ -n "$FAST" ]; then
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
echo Restoring Shorewall...
$RESTOREPATH
date > $STATEDIR/restarted
echo Shorewall restored from $RESTOREPATH
else
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi
else
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi
;;
stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1
get_config
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
@ -702,65 +794,67 @@ case "$1" in
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
;;
show|list)
[ -n "$debugging" ] && set -x
case "$2" in
connections)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Connections at $HOSTNAME - `date`"
echo "Shorewall-$version Connections at $HOSTNAME - $(date)"
echo
cat /proc/net/ip_conntrack
;;
nat)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version NAT at $HOSTNAME - `date`"
echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
echo
show_reset
iptables -t nat -L -n -v
iptables -t nat -L $IPT_OPTIONS
;;
tos|mangle)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version TOS at $HOSTNAME - `date`"
echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
echo
show_reset
iptables -t mangle -L -n -v
iptables -t mangle -L $IPT_OPTIONS
;;
log)
[ $# -gt 2 ] && usage 1
get_config
echo "Shorewall-$version Log at $HOSTNAME - `date`"
echo "Shorewall-$version Log at $HOSTNAME - $(date)"
echo
show_reset
host=`echo $HOSTNAME | sed 's/\..*$//'`
host=$(echo $HOSTNAME | sed 's/\..*$//')
packet_log 20
;;
tc)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Traffic Control at $HOSTNAME - `date`"
echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)"
echo
show_tc
;;
classifiers)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`"
echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)"
echo
show_classifiers
;;
*)
shift
echo "Shorewall-$version `[ $# -gt 1 ] && echo Chains || echo Chain` $* at $HOSTNAME - `date`"
echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
echo
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
iptables -L $chain -n -v
iptables -L $chain $IPT_OPTIONS
done
else
iptables -L -n -v
iptables -L $IPT_OPTIONS
fi
;;
esac
;;
monitor)
[ -n "$debugging" ] && set -x
if [ $# -eq 2 ]; then
monitor_firewall $2
elif [ $# -eq 1 ]; then
@ -770,37 +864,74 @@ case "$1" in
fi
;;
status)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
get_config
clear
echo "Shorewall-$version Status at $HOSTNAME - `date`"
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo
show_reset
host=`echo $HOSTNAME | sed 's/\..*$//'`
iptables -L -n -v
host=$(echo $HOSTNAME | sed 's/\..*$//')
iptables -L $IPT_OPTIONS
echo
packet_log 20
echo
echo "NAT Table"
echo
iptables -t nat -L -n -v
iptables -t nat -L $IPT_OPTIONS
echo
echo "Mangle Table"
echo
iptables -t mangle -L -n -v
iptables -t mangle -L $IPT_OPTIONS
echo
cat /proc/net/ip_conntrack
echo
echo "IP Configuration"
echo
ip addr ls
if qt which brctl; then
echo
echo "Bridges"
echo
brctl show
fi
echo
echo "/proc"
echo
show_proc /proc/sys/net/ipv4/ip_forward
for directory in /proc/sys/net/ipv4/conf/*; do
for file in proxy_arp arp_filter rp_filter; do
show_proc $directory/$file
done
done
echo
echo "Routing Rules"
echo
ip rule ls
ip rule ls | while read rule; do
table=${rule##* }
echo
echo "Table $table:"
echo
ip route ls table $table
done
;;
hits)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
get_config
clear
echo "Shorewall-$version Hits at $HOSTNAME - `date`"
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
echo
timeout=30
if [ `grep -c "$LOGFORMAT" $LOGFILE ` -gt 0 ] ; then
if [ $(grep -c "$LOGFORMAT" $LOGFILE ) -gt 0 ] ; then
echo " HITS IP DATE"
echo " ---- --------------- ------"
grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn
@ -823,8 +954,8 @@ case "$1" in
grep "$LOGFORMAT.*DPT" $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
while read count port ; do
# List all services defined for the given port
srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u`
srv=`echo $srv | sed 's/ /,/g'`
srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u)
srv=$(echo $srv | sed 's/ /,/g')
if [ -n "$srv" ] ; then
printf '%7d %5d %s\n' $count $port $srv
@ -852,6 +983,7 @@ case "$1" in
fi
;;
logwatch)
[ -n "$debugging" ] && set -x
if [ $# -eq 2 ]; then
logwatch $2
elif [ $# -eq 1 ]; then
@ -861,6 +993,7 @@ case "$1" in
fi
;;
drop)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] && usage 1
mutex_on
while [ $# -gt 1 ]; do
@ -873,6 +1006,7 @@ case "$1" in
mutex_off
;;
reject)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] && usage 1
mutex_on
while [ $# -gt 1 ]; do
@ -885,6 +1019,7 @@ case "$1" in
mutex_off
;;
allow)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] && usage 1
mutex_on
while [ $# -gt 1 ]; do
@ -898,28 +1033,98 @@ case "$1" in
mutex_off
;;
save)
[ $# -ne 1 ] && usage 1
mutex_on
if qt iptables -L shorewall -n; then
[ -d /var/lib/shorewall ] || { mkdir /var/lib/shorewall; chmod 700 /var/lib/shorewall; }
[ -n "$debugging" ] && set -x
if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo "Dynamic Rules Saved"
get_config
case $# in
1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
mutex_on
if qt iptables -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
else
echo "Error Saving the Dynamic Rules"
case $RESTOREFILE in
save|restore-base)
echo " ERROR: Reserved file name: $RESTOREFILE"
;;
*)
if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
echo __EOF__ >> /var/lib/shorewall/restore-$$
[ -f /var/lib/shorewall/restore-tail ] && \
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH"
else
rm -f /var/lib/shorewall/restore-$$
echo " ERROR: Currently-running Configuration Not Saved"
fi
else
echo " ERROR: /var/lib/shorewall/restore-base does not exist"
fi
else
echo "Error Saving the Dynamic Rules"
fi
;;
esac
fi
else
echo "Shorewall isn't started"
fi
mutex_off
;;
forget)
get_config
case $# in
1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
rm -f $RESTOREPATH
echo " $RESTOREPATH removed"
elif [ -f $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
fi
;;
ipcalc)
[ -n "$debugging" ] && set -x
if [ $# -eq 2 ]; then
address=${2%/*}
vlsm=${2#*/}
elif [ $# -eq 3 ]; then
address=$2
vlsm=`ip_vlsm $3`
vlsm=$(ip_vlsm $3)
else
usage 1
fi
@ -930,13 +1135,14 @@ case "$1" in
address=$address/$vlsm
echo " CIDR=$address"
temp=`ip_netmask $address`; echo " NETMASK=`encodeaddr $temp`"
temp=`ip_network $address`; echo " NETWORK=$temp"
temp=`broadcastaddress $address`; echo " BROADCAST=$temp"
echo " CIDR=$address"
temp=$(ip_netmask $address); echo " NETMASK=$(encodeaddr $temp)"
temp=$(ip_network $address); echo " NETWORK=$temp"
temp=$(broadcastaddress $address); echo " BROADCAST=$temp"
;;
iprange)
[ -n "$debugging" ] && set -x
case $2 in
*.*.*.*-*.*.*.*)
ip_range $2
@ -946,7 +1152,32 @@ case "$1" in
;;
esac
;;
restore)
get_config
case $# in
1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
echo Restoring Shorewall...
$RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
else
echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
exit 2
fi
;;
call)
[ -n "$debugging" ] && set -x
#
# Undocumented way to call functions in /usr/share/shorewall/functions directly
#

10
Lrp/usr/share/shorewall/action.AllowAuth Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowAuth
#
# This action accepts Auth (identd) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Lrp/usr/share/shorewall/action.AllowDNS Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowDNS
#
# This action accepts DNS traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 53
ACCEPT - - tcp 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Lrp/usr/share/shorewall/action.AllowFTP Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowFTP
#
# This action accepts FTP traffic. See
# http://www.shorewall.net/FTP.html for additional considerations.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Lrp/usr/share/shorewall/action.AllowIMAP Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowIMAP
#
# This action accepts IMAP traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 143 #Unsecure IMAP
ACCEPT - - tcp 993 #Secure IMAP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Lrp/usr/share/shorewall/action.AllowNNTP Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /usr/share/shorewall/action.AllowNNTP
#
# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 119
ACCEPT - - tcp 563
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Lrp/usr/share/shorewall/action.AllowNTP Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowNTP
#
# This action accepts NTP traffic (ntpd).
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT - - udp 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Lrp/usr/share/shorewall/action.AllowPCA Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowPCA
#
# This action accepts PCAnywere (tm)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 5631
ACCEPT - - tcp 5632
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Lrp/usr/share/shorewall/action.AllowPOP3 Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowPOP3
#
# This action accepts POP3 traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT - - tcp 110 #Unsecure POP3
ACCEPT - - tcp 995 #Secure POP3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Lrp/usr/share/shorewall/action.AllowPing Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowPing
#
# This action accepts 'ping' requests.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Lrp/usr/share/shorewall/action.AllowRdate Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowRdate
#
# This action accepts remote time retrieval (rdate).
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 37
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Lrp/usr/share/shorewall/action.AllowSMB Normal file
View File

@ -0,0 +1,14 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowSMB
#
# Allow Microsoft SMB traffic. You need to invoke this action in
# both directions.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 135,445
ACCEPT - - udp 137:139
ACCEPT - - udp 1024: 137
ACCEPT - - tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

15
Lrp/usr/share/shorewall/action.AllowSMTP Normal file
View File

@ -0,0 +1,15 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowSMTP
#
# This action accepts SMTP (email) traffic.
#
# Note: This action allows traffic between an MUA (Email client)
# and an MTA (mail server) or between MTAs. It does not enable
# reading of email via POP3 or IMAP. For those you need to use
# the AllowPOP3 or AllowIMAP actions.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 25
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Lrp/usr/share/shorewall/action.AllowSNMP Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowSNMP
#
# This action accepts SNMP traffic (including traps):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 161:162
ACCEPT - - tcp 161
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Lrp/usr/share/shorewall/action.AllowSSH Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowSSH
#
# This action accepts secure shell (SSH) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Lrp/usr/share/shorewall/action.AllowTelnet Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowTelnet
#
# This action accepts Telnet traffic. For traffic over the
# internet, telnet is inappropriate; use SSH instead
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 23
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Lrp/usr/share/shorewall/action.AllowTrcrt Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowTrcrt
#
# This action accepts Traceroute (for up to 30 hops):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 33434:33524 #UDP Traceroute
ACCEPT - - icmp 8 #ICMP Traceroute
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Lrp/usr/share/shorewall/action.AllowVNC Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
#
# This action accepts VNC traffic for VNC display's 0 - 9.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 5900:5909
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Lrp/usr/share/shorewall/action.AllowVNCL Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
#
# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 5500
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Lrp/usr/share/shorewall/action.AllowWeb Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowWeb
#
# This action accepts WWW traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 80
ACCEPT - - TCP 443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

16
Lrp/usr/share/shorewall/action.Drop Normal file
View File

@ -0,0 +1,16 @@
#
# Shorewall 2.0 /etc/shorewall/action.Drop
#
# The default DROP common rules
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
RejectAuth
dropBcast
dropInvalid
DropSMB
DropUPnP
dropNotSyn
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Lrp/usr/share/shorewall/action.DropDNSrep Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.DropDNSrep
#
# This action silently drops DNS UDP replies
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp - 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Lrp/usr/share/shorewall/action.DropPing Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.DropPing
#
# This action silently drops 'ping' requests.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

15
Lrp/usr/share/shorewall/action.DropSMB Normal file
View File

@ -0,0 +1,15 @@
#
# Shorewall 2.0 /etc/shorewall/action.DropSMB
#
# This action silently drops Microsoft SMB traffic
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp 135
DROP - - udp 137:139
DROP - - udp 445
DROP - - tcp 135
DROP - - tcp 139
DROP - - tcp 445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Lrp/usr/share/shorewall/action.DropUPnP Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.DropUPnP
#
# This action silently drops UPnP probes on UDP port 1900
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp 1900
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

16
Lrp/usr/share/shorewall/action.Reject Normal file
View File

@ -0,0 +1,16 @@
#
# Shorewall 2.0 /etc/shorewall/action.Reject
#
# The default REJECT action common rules
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
RejectAuth
dropBcast
dropInvalid
RejectSMB
DropUPnP
dropNotSyn
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Lrp/usr/share/shorewall/action.RejectAuth Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.RejectAuth
#
# This action silently rejects Auth (tcp 113) traffic
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
REJECT - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

15
Lrp/usr/share/shorewall/action.RejectSMB Normal file
View File

@ -0,0 +1,15 @@
#
# Shorewall 2.0 /etc/shorewall/action.RejectSMB
#
# This action silently rejects Microsoft SMB traffic
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
REJECT - - udp 135
REJECT - - udp 137:139
REJECT - - udp 445
REJECT - - tcp 135
REJECT - - tcp 139
REJECT - - tcp 445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

160
Lrp/usr/share/shorewall/action.template Normal file
View File

@ -0,0 +1,160 @@
#
# Shorewall 2.0 /etc/shorewall/action.template
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
# ACTION defined in /etc/shorewall/actions.
#
# To define a new action:
#
# 1. Add the <action name> to /etc/shorewall/actions
# 2. Copy this file to /etc/shorewall/action.<action name>
# 3. Add the desired rules to that file.
#
# Columns are:
#
#
# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
# previously-defined <action>
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
# CONTINUE -- Discontinue processing this action
# and return to the point where the
# action was invoked.
# <action> -- An <action> defined in
# /etc/shorewall/actions. The <action>
# must appear in that file BEFORE the
# one being defined in this file.
#
# The TARGET may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# ACCEPT:debugging). This causes the packet to be
# logged at the specified level.
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies.
# A comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# 192.168.2.2 Host 192.168.2.2
#
# 155.186.235.0/24 Subnet 155.186.235.0/24
#
# 192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2.
# ~00-A0-C9-15-39-78 Host with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# name. For example, eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., eth1:192.168.1.5).
#
# DEST Location of Server. Same as above with the exception that
# MAC addresses are not allowed.
#
# Unlike in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following fields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this column:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

53
Lrp/usr/share/shorewall/actions.std Normal file
View File

@ -0,0 +1,53 @@
#
# Shorewall 2.0 /usr/share/shorewall/actions.std
#
#
# Builtin Actions are:
#
# dropBcast #Silently Drop Broadcast/multicast
# dropNonSyn #Silently Drop Non-syn TCP packets
# rejNonSyn #Silently Reject Non-syn TCP packets
# logNonSyn #Log Non-syn TCP packets with disposition LOG
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
# dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state.
# allowInvalid #Accept packets that are in the INVALID conntrack
# #state
#
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used.
#
#ACTION
DropSMB #Silently Drops Microsoft SMB Traffic
RejectSMB #Silently Reject Microsoft SMB Traffic
DropUPnP #Silently Drop UPnP Probes
RejectAuth #Silently Reject Auth
DropPing #Silently Drop Ping
DropDNSrep #Silently Drop DNS Replies
AllowPing #Accept Ping
AllowFTP #Accept FTP
AllowDNS #Accept DNS
AllowSSH #Accept SSH
AllowWeb #Allow Web Browsing
AllowSMB #Allow MS Networking
AllowAuth #Allow Auth (identd)
AllowSMTP #Allow SMTP (Email)
AllowPOP3 #Allow reading mail via POP3
AllowIMAP #Allow reading mail via IMAP
AllowTelnet #Allow Telnet Access (not recommended for use over the
#Internet)
AllowVNC #Allow VNC viewer->server, Displays 0-9
AllowVNCL #Allow VNC server->viewer in listening mode
AllowNTP #Allow Network Time Protocol (ntpd)
AllowRdate #Allow remote time (rdate).
AllowNNTP #Allow network news (Usenet).
AllowTrcrt #Allows Traceroute (20 hops)
AllowSNMP #Allows SNMP (including traps)
AllowPCA #Allows PCAnywhere (tm)
Drop:DROP #Common Action for DROP policy
Reject:REJECT #Common Action for REJECT policy
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

33
Lrp/etc/shorewall/rfc1918 → Lrp/usr/share/shorewall/bogons
View File

@ -1,14 +1,17 @@
#
# Shorewall 1.4 -- RFC1918 File
# Shorewall 2.0-- Bogons File
#
# /etc/shorewall/rfc1918
# /etc/shorewall/bogons
#
# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
# Lists the subnetworks that are blocked by the 'nobogons' interface option.
#
# The default list includes those IP addresses listed in RFC 1918, those listed
# The default list includes those those ip ADDRESSES listed
# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
# reserved for use in documentation and examples.
#
# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
# TO /etc/shorewall AND MODIFY THE COPY.
#
# Columns are:
#
# SUBNET The subnet (host addresses also allowed)
@ -19,11 +22,10 @@
#
###############################################################################
#SUBNET TARGET
0.0.0.0 RETURN # Stop the DHCP whining
255.255.255.255 RETURN # We need to allow limited broadcast
169.254.0.0/16 DROP # DHCP autoconfig
172.16.0.0/12 logdrop # RFC 1918
192.0.2.0/24 logdrop # Example addresses (RFC 3330)
192.168.0.0/16 logdrop # RFC 1918
#
# The following are generated with the help of the Python program found at:
#
@ -35,7 +37,6 @@
2.0.0.0/8 logdrop # Reserved
5.0.0.0/8 logdrop # Reserved
7.0.0.0/8 logdrop # Reserved
10.0.0.0/8 logdrop # Reserved
23.0.0.0/8 logdrop # Reserved
27.0.0.0/8 logdrop # Reserved
31.0.0.0/8 logdrop # Reserved
@ -45,14 +46,20 @@
42.0.0.0/8 logdrop # Reserved
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved
85.0.0.0/8 logdrop # Reserved
86.0.0.0/7 logdrop # Reserved
88.0.0.0/5 logdrop # Reserved
73.0.0.0/8 logdrop # Reserved
74.0.0.0/7 logdrop # Reserved
76.0.0.0/6 logdrop # Reserved
89.0.0.0/8 logdrop # Reserved
90.0.0.0/7 logdrop # Reserved
92.0.0.0/6 logdrop # Reserved
96.0.0.0/3 logdrop # Reserved
127.0.0.0/8 logdrop # Loopback
173.0.0.0/8 logdrop # Reserved
174.0.0.0/7 logdrop # Reserved
176.0.0.0/5 logdrop # Reserved
184.0.0.0/6 logdrop # Reserved
189.0.0.0/8 logdrop # Reserved
190.0.0.0/8 logdrop # Reserved
197.0.0.0/8 logdrop # Reserved
198.18.0.0/15 logdrop # Reserved
223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003

7
Lrp/usr/share/shorewall/configpath Normal file
View File

@ -0,0 +1,7 @@
#
# Shorewall version 2.0 - Default Config Path
#
# /usr/share/shorewall/configpath
#
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

3072
Lrp/usr/share/shorewall/firewall
View File

File diff suppressed because it is too large Load Diff

298
Lrp/usr/share/shorewall/functions
View File

@ -1,6 +1,45 @@
#!/bin/sh
#
# Shorewall 1.4 -- /usr/lib/shorewall/functions
# Shorewall 2.0 -- /usr/share/shorewall/functions
#
# Search a list looking for a match -- returns zero if a match found
# 1 otherwise
#
list_search() # $1 = element to search for , $2-$n = list
{
local e=$1
while [ $# -gt 1 ]; do
shift
[ "x$e" = "x$1" ] && return 0
done
return 1
}
#
# Functions to count list elements
# - - - - - - - - - - - - - - - -
# Whitespace-separated list
#
list_count1() {
echo $#
}
#
# Comma-separated list
#
list_count() {
list_count1 $(separate_list $1)
}
#
# Conditionally produce message
#
progress_message() # $* = Message
{
[ -n "$QUIET" ] || echo "$@"
}
#
# Suppress all output for a command
@ -11,15 +50,88 @@ qt()
}
#
# Find a File -- Look first in $SHOREWALL_DIR then in /etc/shorewall
# Perform variable substitution on the passed argument and echo the result
#
expand() # $@ = contents of variable which may be the name of another variable
{
eval echo \"$@\"
}
#
# Perform variable substitition on the values of the passed list of variables
#
expandv() # $* = list of variable names
{
local varval
while [ $# -gt 0 ]; do
eval varval=\$${1}
eval $1=\"$varval\"
shift
done
}
#
# Replace all leading "!" with "! " in the passed argument list
#
fix_bang() {
local i;
for i in $@; do
case $i in
!*)
echo "! ${i#!}"
;;
*)
echo $i
;;
esac
done
}
#
# Set default config path
#
ensure_config_path() {
local F=/usr/share/shorewall/configpath
if [ -z "$CONFIG_PATH" ]; then
[ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
. $F
fi
}
#
# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall
#
find_file()
{
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
echo $SHOREWALL_DIR/$1
else
echo /etc/shorewall/$1
fi
local saveifs= directory
case $1 in
/*)
echo $1
;;
*)
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
echo $SHOREWALL_DIR/$1
else
saveifs=$IFS
IFS=:
for directory in $CONFIG_PATH; do
if [ -f $directory/$1 ]; then
echo $directory/$1
IFS=$saveifs
return
fi
done
IFS=$saveifs
echo /etc/shorewall/$1
fi
;;
esac
}
#
@ -58,6 +170,55 @@ separate_list() {
echo "$newlist"
}
#
# Load a Kernel Module
#
loadmodule() # $1 = module name, $2 - * arguments
{
local modulename=$1
local modulefile
local suffix
moduleloader=modprobe
if ! qt which modprobe; then
moduleloader=insmod
fi
if [ -z "$(lsmod | grep $modulename)" ]; then
shift
for suffix in $MODULE_SUFFIX ; do
modulefile=$MODULESDIR/${modulename}.${suffix}
if [ -f $modulefile ]; then
case $moduleloader in
insmod)
insmod $modulefile $*
;;
*)
modprobe $modulename $*
;;
esac
return
fi
done
fi
}
#
# Reload the Modules
#
reload_kernel_modules() {
[ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
while read command; do
eval $command
done
}
#
# Find the zones
#
@ -67,7 +228,7 @@ find_zones() # $1 = name of the zone file
[ -n "$zone" ] && case "$zone" in
\#*)
;;
$FW|multi)
$FW)
echo "Reserved zone name \"$zone\" in zones file ignored" >&2
;;
*)
@ -89,15 +250,15 @@ find_display() # $1 = zone, $2 = name of the zone file
#
determine_zones()
{
local zonefile=`find_file zones`
local zonefile=$(find_file zones)
multi_display=Multi-zone
strip_file zones $zonefile
zones=`find_zones $TMP_DIR/zones`
zones=`echo $zones` # Remove extra trash
zones=$(find_zones $TMP_DIR/zones)
zones=$(echo $zones) # Remove extra trash
for zone in $zones; do
dsply=`find_display $zone $TMP_DIR/zones`
dsply=$(find_display $zone $TMP_DIR/zones)
eval ${zone}_display=\$dsply
done
}
@ -117,7 +278,7 @@ get_statedir()
{
MUTEX_TIMEOUT=
local config=`find_file shorewall.conf`
local config=$(find_file shorewall.conf)
if [ -f $config ]; then
. $config
@ -238,7 +399,6 @@ mktempfile() {
fi
}
#
# create a temporary directory
#
@ -260,8 +420,7 @@ mktempdir() {
echo " ERROR:Internal error in mktempdir"
;;
esac
}
}
#
# Read a file and handle "INCLUDE" directives
@ -271,24 +430,29 @@ read_file() # $1 = file name, $2 = nest count
{
local first rest
while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then
read_file `find_file ${rest%#*}` $(($2 + 1))
if [ -f $1 ]; then
while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then
read_file $(find_file $(expand ${rest%#*})) $(($2 + 1))
else
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
fi
else
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
echo "$first $rest"
fi
else
echo "$first $rest"
fi
done < $1
done < $1
else
[ -n "$terminator" ] && $terminator "No such file: $1"
echo "Warning -- No such file: $1"
fi
}
#
# Function for including one file into another
#
INCLUDE() {
. `find_file $@`
. $(find_file $(expand $@))
}
#
@ -299,7 +463,7 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
{
local fname
[ $# = 1 ] && fname=`find_file $1` || fname=$2
[ $# = 1 ] && fname=$(find_file $1) || fname=$2
if [ -f $fname ]; then
read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
@ -376,8 +540,8 @@ ip_range() {
;;
esac
first=`decodeaddr ${1%-*}`
last=`decodeaddr ${1#*-}`
first=$(decodeaddr ${1%-*})
last=$(decodeaddr ${1#*-})
if [ $first -gt $last ]; then
fatal_error "Invalid IP address range: $1"
@ -398,7 +562,7 @@ ip_range() {
y=$(( $y * 2 ))
done
echo `encodeaddr $first`$vlsm
echo $(encodeaddr $first)$vlsm
first=$(($first + $z))
done
}
@ -415,15 +579,15 @@ ip_range_explicit() {
;;
esac
first=`decodeaddr ${1%-*}`
last=`decodeaddr ${1#*-}`
first=$(decodeaddr ${1%-*})
last=$(decodeaddr ${1#*-})
if [ $first -gt $last ]; then
fatal_error "Invalid IP address range: $1"
fi
while [ $first -le $last ]; do
echo `encodeaddr $first`
echo $(encodeaddr $first)
first=$(($first + 1))
done
}
@ -441,10 +605,10 @@ ip_netmask() {
# Network address from CIDR
#
ip_network() {
local decodedaddr=`decodeaddr ${1%/*}`
local netmask=`ip_netmask $1`
local decodedaddr=$(decodeaddr ${1%/*})
local netmask=$(ip_netmask $1)
echo `encodeaddr $(($decodedaddr & $netmask))`
echo $(encodeaddr $(($decodedaddr & $netmask)))
}
#
@ -462,37 +626,37 @@ ip_broadcast() {
# Calculate broadcast address from CIDR
#
broadcastaddress() {
local decodedaddr=`decodeaddr ${1%/*}`
local netmask=`ip_netmask $1`
local broadcast=`ip_broadcast $1`
local decodedaddr=$(decodeaddr ${1%/*})
local netmask=$(ip_netmask $1)
local broadcast=$(ip_broadcast $1)
echo `encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast ))`
echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
}
#
# Test for subnet membership
# Test for network membership
#
in_subnet() # $1 = IP address, $2 = CIDR network
in_network() # $1 = IP address, $2 = CIDR network
{
local netmask=`ip_netmask $2`
local netmask=$(ip_netmask $2)
test $(( `decodeaddr $1` & $netmask)) -eq $(( `decodeaddr ${2%/*}` & $netmask ))
test $(( $(decodeaddr $1) & $netmask)) -eq $(( $(decodeaddr ${2%/*}) & $netmask ))
}
#
# Netmask to VLSM
#
ip_vlsm() {
local mask=`decodeaddr $1`
local mask=$(decodeaddr $1)
local vlsm=0
local x=$(( 128 $LEFTSHIFT 24 ))
local x=$(( 128 $LEFTSHIFT 24 )) # 0x80000000
while [ $(( $x & $mask )) -ne 0 ]; do
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Don't Ask...
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
vlsm=$(($vlsm + 1))
done
if [ $(( $mask & 2147483647)) -ne 0 ]; then
if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
echo "Invalid net mask: $1" >&2
else
echo $vlsm
@ -502,11 +666,11 @@ ip_vlsm() {
#
# Chain name base for an interface -- replace all periods with underscores in the passed name.
# The result is echoed (less "+" and anything following).
# The result is echoed (less trailing "+").
#
chain_base() #$1 = interface
{
local c=${1%%+*}
local c=${1%%+}
while true; do
case $c in
@ -524,29 +688,25 @@ chain_base() #$1 = interface
done
}
#
# Remove trailing digits from a name
#
strip_trailing_digits() {
echo $1 | sed s'/[0-9].*$//'
}
#
# Loosly Match the name of an interface
#
if_match() # $1 = Name in interfaces file - may end in "+"
# $2 = Name from routing table
# $2 = Full interface name - may also end in "+"
{
local if_file=$1
local rt_table=$2
case $if_file in
local pattern=${1%+}
case $1 in
*+)
test "`strip_trailing_digits $rt_table`" = "${if_file%+}"
#
# Can't use ${2:0:${#pattern}} because ash and dash don't support that flavor of
# variable expansion :-(
#
test "x$(echo $2 | cut -b -${#pattern} )" = "x${pattern}"
;;
*)
test "$rt_table" = "$if_file"
test "x$1" = "x$2"
;;
esac
}
@ -571,13 +731,13 @@ find_rt_interface() {
ip route ls | while read addr rest; do
case $addr in
*/*)
in_subnet ${1%/*} $addr && echo `find_device $rest`
in_network ${1%/*} $addr && echo $(find_device $rest)
;;
default)
;;
*)
if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
echo `find_device $rest`
echo $(find_device $rest)
fi
;;
esac
@ -589,7 +749,7 @@ find_rt_interface() {
#
find_default_interface() {
ip route ls | while read first rest; do
[ "$first" = default ] && echo `find_device $rest` && return
[ "$first" = default ] && echo $(find_device $rest) && return
done
}
@ -599,10 +759,10 @@ find_default_interface() {
#
find_interface_by_address() {
local dev="`find_rt_interface $1`"
local dev="$(find_rt_interface $1)"
local first rest
[ -z "$dev" ] && dev=`find_default_interface`
[ -z "$dev" ] && dev=$(find_default_interface)
[ -n "$dev" ] && echo $dev
}

114
Lrp/usr/share/shorewall/help
View File

@ -1,12 +1,12 @@
#!/bin/sh
#
# Shorewall help subsystem - V1.4 - 3/14/2003
# Shorewall help subsystem - V2.0 - 2/14/2004
#
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2003 - Tom Eastep (teastep@shorewall.net)
# Steve Herber (herber@thing.com)
# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net)
# Steve Herber (herber@thing.com)
#
# This file should be placed in /usr/share/shorewall/help
#
@ -29,11 +29,11 @@
case $1 in
add)
echo "add: add <interface>[:<host>] <zone>
echo "add: add <interface>[:<bridge-port>][:<host>] <zone>
Adds a host or subnet to a dynamic zone usually used with VPN's.
shorewall add interface[:host] zone - Adds the specified interface
(and host if included) to the specified zone.
shorewall add interface[:port][:host] zone - Adds the specified interface
(and bridge port/host if included) to the specified zone.
Example:
@ -87,15 +87,17 @@ debug)
shorewall debug start 2> /tmp/trace
The above command would trace the 'start' command and
place the trace information in the file /tmp/trace."
place the trace information in the file /tmp/trace.
The word 'trace' is a synonym for 'debug'."
;;
delete)
echo "delete: delete <interface>[:<host>] <zone>
echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone>
Deletes a host or subnet from a dynamic zone usually used with VPN's.
shorewall delete interface[:host] zone - Deletes the specified
interface (and host if included) from the specified zone.
shorewall delete interface[:port][:host] zone - Deletes the specified
interface (and bridge port/host if included) from the specified zone.
Example:
@ -114,6 +116,14 @@ drop)
See also \"help address\""
;;
forget)
echo "forget: forget [ <file name> ]
Deletes /var/lib/shorewall/<file name>. If no <file name> is given then
the file specified by RESTOREFILE in shorewall.conf is removed.
See also \"help save\""
;;
help)
echo "help: help [<command> | host | address ]
Display helpful information about the shorewall commands."
@ -145,15 +155,21 @@ logwatch)
monitor)
echo "monitor: monitor [<refresh_interval>]
shorewall [-x] monitor [<refresh_interval>]
Continuously display the firewall status, last 20 log entries and nat.
When the log entry display changes, an audible alarm is sounded."
When the log entry display changes, an audible alarm is sounded.
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
refresh)
echo "refresh: refresh
echo "refresh: [ -q ] refresh
The rules involving the broadcast addresses of firewall interfaces,
the black list, traffic control rules and ECN control rules are recreated
to reflect any changes made. Existing connections are untouched"
to reflect any changes made. Existing connections are untouched
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
;;
reject)
@ -171,26 +187,45 @@ reset)
;;
restart)
echo "restart: restart [ -c <configuration-directory> ]
echo "restart: restart [ -q ] [ -c <configuration-directory> ]
Restart is the same as a shorewall stop && shorewall start.
Existing connections are dropped."
Existing connections are maintained.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
;;
restore)
echo "restore: restore [ <file name> ]
Restore Shorewall to a state saved using the 'save' command
Existing connections are maintained. The <file name> names a restore file in
/var/lib/shorewall created using "shorewall save"; if no <file name> is given
then Shorewall will be restored from the file specified by the RESTOREFILE
option in shorewall.conf.
See also \"help save\" and \"help forget\""
;;
save)
echo "save: save
The dynamic data is stored in /var/lib/shorewall/save
Shorewall allow, drop, rejct and save implement dynamic blacklisting."
echo "save: save [ <file name> ]
The dynamic data is stored in /var/lib/shorewall/save. The state of the
firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf.
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
See also \"help restore\" and \"help forget\""
;;
show)
echo "show: show [<chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
shorewall show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v)
shorewall show nat - produce a verbose report about the nat table.
shorewall [-x] show nat - produce a verbose report about the nat table.
(iptables -t nat -L -n -v)
shorewall show tos - produce a verbose report about the mangle table.
shorewall [-x] show tos - produce a verbose report about the mangle table.
(iptables -t mangle -L -n -v)
shorewall show log - display the last 20 packet log entries.
@ -199,14 +234,19 @@ show)
being tracked by the firewall.
shorewall show tc - displays information about the traffic
control/shaping configuration."
control/shaping configuration.
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
start)
echo "start: start [ -c <configuration-directory> ]
echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies."
if they are allowed by the firewall rules or policies.
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
in shorewall.conf will be restored if that saved configuration exists"
;;
stop)
@ -219,9 +259,31 @@ stop)
status)
echo "status: status
shorewall [-x] status
Produce a verbose report about the firewall.
(iptables -L -n -v)"
(iptables -L -n -)
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
trace)
echo "trace: trace
If you include the keyword trace as the first argument to any
of these commands:
start|stop|restart|reset|clear|refresh|check|add|delete
then a shell trace of the command is produced. For example:
shorewall trace start 2> /tmp/trace
The above command would trace the 'start' command and
place the trace information in the file /tmp/trace.
The word 'debug' is a synonym for 'trace'."
;;
try)

26
Lrp/usr/share/shorewall/rfc1918 Normal file
View File

@ -0,0 +1,26 @@
#
# Shorewall 2.0-- RFC1918 File
#
# /etc/shorewall/rfc1918
#
# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
#
# The default list includes those IP addresses listed in RFC 1918.
#
# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
# TO /etc/shorewall AND MODIFY THE COPY.
#
# Columns are:
#
# SUBNET The subnet (host addresses also allowed)
# TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally
# DROP - silently drop the packet
# logdrop - log then drop
#
###############################################################################
#SUBNET TARGET
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

2
Lrp/usr/share/shorewall/version
View File

@ -1 +1 @@
1.4.10g
2.0.16

4
Lrp/var/lib/lrpkg/shorwall.conf
View File

@ -15,14 +15,10 @@
/etc/shorewall/modules Modules Netfilter modules to load
/etc/shorewall/tos TOS Type of Service policy
/etc/shorewall/blacklist Blacklist Blacklisted hosts
/etc/shorewall/rfc1918 RFC1918 Defines 'norfc1918' interface option
/etc/shorewall/ecn ECN Disable ECN to hosts and networks
/etc/shorewall/init Init Commands executed before [re]start
/etc/shorewall/start Start Commands executed after [re]start
/etc/shorewall/stop Stop Commands executed before stop
/etc/shorewall/stopped Stopped Commands executed after stop
/etc/shorewall/accounting Account Traffic Accounting Rules
/etc/shorewall/usersets UserSets User Set definitions
/etc/shorewall/users Users " " "
/etc/shorewall/actions Actions Define user actions
/etc/shorewall/action.templage Template Template for user-defined actions

1
Lrp/var/lib/lrpkg/shorwall.exclude.list Normal file
View File

@ -0,0 +1 @@
var/lib/shorewall/*

3
Lrp/var/lib/lrpkg/shorwall.help
View File

@ -1,2 +1,3 @@
Shoreline Firewall (Shorewall)
See: http://www.shorewall.net
Homepage: http://www.shorewall.net
Requires: iptables.lrp

1
Lrp/var/lib/lrpkg/shorwall.list
View File

@ -2,4 +2,5 @@ etc/init.d/shorewall
etc/shorewall
sbin/shorewall
usr/share/shorewall
var/lib/shorewall
var/lib/lrpkg/shorwall.*

2
Lrp/var/lib/lrpkg/shorwall.version
View File

@ -1 +1 @@
1.4.10f
2.0.16