Updates for 2.1.10

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1661 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-10-03 23:51:29 +00:00
parent 255fb2be1c
commit 757b144de2
7 changed files with 177 additions and 44 deletions


@ -8,10 +8,12 @@
# #
# ACTION names should begin with an upper-case letter to # ACTION names should begin with an upper-case letter to
# distinguish them from Shorewall-generated chain names and # distinguish them from Shorewall-generated chain names and
# they must need the requirements of a Netfilter chain # they must need the requirements of a Netfilter chain. If
# name as well as the requirements for a Bourne Shell identifier # you intend to log from the action then the name must be
# (must begin with a letter and be composed of letters, digits # no longer than 11 character in length. Names must also
# and underscore characters). # meet the requirements for a Bourne Shell identifier (must
# begin with a letter and be composed of letters, digits and
# underscore characters).
# #
# If you follow the action name with ":DROP", ":REJECT" or # If you follow the action name with ":DROP", ":REJECT" or
# :ACCEPT then the action will be taken before a DROP, REJECT or # :ACCEPT then the action will be taken before a DROP, REJECT or
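Review bot: The new header text says the name must be "no longer than 11 character in length" — that should read `11 characters`. The same commit raises the hard limit in `process_actions1` to 30 and adds a LOGTAGONLY setting that lets longer chain names log via a tag, so it would help readers to say so here, e.g. `# (or longer, if you set LOGTAGONLY=Yes and supply a log tag)`. The pre-existing "they must need the requirements of a Netfilter chain" also reads as a slip for `must meet`.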


@ -80,6 +80,14 @@
# option can also be enabled globally in # option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file. # the /etc/shorewall/shorewall.conf file.
# #
# logmartians - turn on kernel martian logging (logging
# of packets with impossible source
# addresses. It is suggested that if you
# set routefilter on an interface that
# you also set logmartians. This option
# may also be enabled globally in the
# /etc/shorewall/shorewall.conf file.
#
# blacklist - Check packets arriving on this interface # blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist # against the /etc/shorewall/blacklist
# file. # file.
@ -190,6 +198,7 @@
# net ppp0 - # net ppp0 -
############################################################################## ##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS #ZONE INTERFACE BROADCAST OPTIONS
#
net eth0 detect dhcp,routefilter,norfc1918 net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect dhcp loc eth1 detect dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
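Review bot: The new `logmartians` description opens a parenthesis at "(logging of packets with impossible source" and never closes it; `addresses).` would fix it. The firewall script in this same commit also starts accepting a `sourceroute` interface option (it is added to the `validate_interfaces_file` option list and read via `find_interfaces_by_option sourceroute`), but this hunk documents only `logmartians` — if `sourceroute` is not described elsewhere in this file, a matching entry such as `# sourceroute - accept source-routed packets on this interface (all interfaces are reset to 0 at startup)` is missing. That reset-to-0 is a behavior change worth stating, since it applies whether or not the option is used.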


@ -88,6 +88,18 @@ LOGFILE=/var/log/shorewall.log
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
#
# LOG FORMAT Continued
#
# Using the default LOGFORMAT, chain names may not exceed 11 characters or
# truncation of the log prefix may occur. Longer chain names may be used with
# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is
# specified then the tag is included in the log prefix in place of the chain
# name.
#
LOGTAGONLY=No
# #
# LOG RATE LIMITING # LOG RATE LIMITING
# #
@ -209,6 +221,17 @@ SMURF_LOG_LEVEL=ULOG
# #
BOGON_LOG_LEVEL=ULOG BOGON_LOG_LEVEL=ULOG
#
# MARTIAN LOGGING
#
# Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets
# that have impossible source IP addresses. This logging may be enabled
# on individual interfaces by using the 'logmartians' option in
# /etc/shorewall/interfaces.
#
LOG_MARTIANS=No
################################################################################ ################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################ ################################################################################


@ -11,6 +11,11 @@
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET # FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf # TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
# #
# Unlike rules in the /etc/shorewall/rules file, evaluation
# of rules in this file will continue after a match. So the
# final mark for each packet will be the one assigned by the
# LAST tcrule that matches.
#
# Columns are: # Columns are:
# #
# #


@ -618,6 +618,13 @@ show_reset() {
echo "Counters reset $(cat $STATEDIR/restarted)" && \ echo "Counters reset $(cat $STATEDIR/restarted)" && \
echo echo
} }
#
# Display's the passed file name followed by "=" and the file's contents.
#
show_proc() # $1 = name of a file
{
[ -f $1 ] && echo " $1 = $(cat $1)"
}
# #
# Execution begins here # Execution begins here
@ -863,7 +870,7 @@ case "$1" in
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
echo "Shorewall-$version Connections at $HOSTNAME - $(date)" echo "Shorewall-$version Connections at $HOSTNAME - $(date)"
echo echo
cat /proc/net/ip_conntrack cat /pro/net/ip_conntrack
;; ;;
nat) nat)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
@ -952,6 +959,26 @@ case "$1" in
echo "IP Configuration" echo "IP Configuration"
echo echo
ip addr ls ip addr ls
if qt which brctl; then
echo
echo "Bridges"
echo
brctl show
fi
echo
echo "/proc"
echo
show_proc /proc/sys/net/ipv4/ip_forward
for directory in /proc/sys/net/ipv4/conf/*; do
for file in proxy_arp arp_filter rp_filter log_martians; do
show_proc $directory/$file
done
done
echo echo
echo "Routing Rules" echo "Routing Rules"
echo echo
@ -1104,7 +1131,7 @@ case "$1" in
else else
case $RESTOREFILE in case $RESTOREFILE in
save|restore-base) save|restore-base)
echo " ERROR: Reserved file name: save" echo " ERROR: Reserved file name: $RESTOREFILE"
;; ;;
*) *)
if iptables -L dynamic -n > /var/lib/shorewall/save; then if iptables -L dynamic -n > /var/lib/shorewall/save; then
@ -1155,7 +1182,7 @@ case "$1" in
rm -f $RESTOREPATH rm -f $RESTOREPATH
echo " $RESTOREPATH removed" echo " $RESTOREPATH removed"
elif [ -f $RESTOREPATH ]; then elif [ -f $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH is not a restore script" echo " $RESTOREPATH exists and is not a saved Shorewall configuration"
fi fi
;; ;;
ipcalc) ipcalc)
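Review bot: In the `-863,7 +870,7` hunk the connections display now runs `cat /pro/net/ip_conntrack`; if that right-hand text is the new side (the other changed lines in this file read old-then-new), this is a typo that turns `show connections` into a "No such file" error. It should stay `cat /proc/net/ip_conntrack`. The new `show_proc` helper is fine for the fixed /proc paths it is called with, but a one-line header such as `# Prints nothing and returns non-zero if the file does not exist` would make the silent skip on missing sysctls explicit for the loop in the `-952,6 +959,26` hunk that relies on it.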


@ -298,6 +298,12 @@ addrule() # $1 = chain name, remainder of arguments specify the rule
run_iptables -A $@ run_iptables -A $@
} }
addrule2() # $1 = chain name, remainder of arguments specify the rule
{
ensurechain $1
run_iptables2 -A $@
}
# #
# Create a nat chain # Create a nat chain
# #
@ -899,7 +905,7 @@ validate_interfaces_file() {
for option in $options; do for option in $options; do
case $option in case $option in
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|nosmurfs|-) dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|-)
;; ;;
detectnets) detectnets)
[ -n "$wildcard" ] && \ [ -n "$wildcard" ] && \
@ -971,7 +977,7 @@ validate_hosts_file() {
;; ;;
ipsec) ipsec)
[ -n "$POLICY_MATCH" ] || \ [ -n "$POLICY_MATCH" ] || \
startup_error "Your kernel and/or iptables does not not support policy match: ipsec" startup_error "Your kernel and/or iptables does not support policy match: ipsec"
eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\" eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
eval ${z}_is_complex=Yes eval ${z}_is_complex=Yes
;; ;;
@ -1239,18 +1245,24 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
local limit="${5:-$LOGLIMIT}" local limit="${5:-$LOGLIMIT}"
local tag=${6:+$6 } local tag=${6:+$6 }
local prefix local prefix
local base=$(chain_base $displayChain)
shift;shift;shift;shift;shift shift;shift;shift;shift;shift
if [ -n "$LOGRULENUMBERS" ]; then if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then
eval rulenum=\$${chain}_logrules displayChain=$tag
tag=
fi
[ -z "$rulenum" ] && rulenum=1 if [ -n "$LOGRULENUMBERS" ]; then
eval rulenum=\$${base}_logrules
rulenum=${rulenum:-1}
prefix="$(printf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}" prefix="$(printf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}"
rulenum=$(($rulenum + 1)) rulenum=$(($rulenum + 1))
eval ${chain}_logrules=$rulenum eval ${base}_logrules=$rulenum
else else
prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}" prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}"
fi fi
@ -1552,8 +1564,8 @@ setup_tunnels() # $1 = name of tunnels file
[ $kind = IPSEC ] && kind=ipsec [ $kind = IPSEC ] && kind=ipsec
options="-m state --state NEW -j ACCEPT" options="-m state --state NEW -j ACCEPT"
addrule $inchain -p 50 $(source_ip_range $1) -j ACCEPT addrule2 $inchain -p 50 $(source_ip_range $1) -j ACCEPT
addrule $outchain -p 50 $(dest_ip_range $1) -j ACCEPT addrule2 $outchain -p 50 $(dest_ip_range $1) -j ACCEPT
if [ -z "$noah" ]; then if [ -z "$noah" ]; then
run_iptables -A $inchain -p 51 $(source_ip_range $1) -j ACCEPT run_iptables -A $inchain -p 51 $(source_ip_range $1) -j ACCEPT
run_iptables -A $outchain -p 51 $(dest_ip_range $1) -j ACCEPT run_iptables -A $outchain -p 51 $(dest_ip_range $1) -j ACCEPT
@ -1578,7 +1590,7 @@ setup_tunnels() # $1 = name of tunnels file
addrule ${z}2${FW} -p udp --dport 4500 $options addrule ${z}2${FW} -p udp --dport 4500 $options
fi fi
else else
fatal_error ": Invalid gateway zone ($z) -- Tunnel \"$tunnel\"" fatal_error "Invalid gateway zone ($z) -- Tunnel \"$tunnel\""
fi fi
done done
@ -1587,26 +1599,26 @@ setup_tunnels() # $1 = name of tunnels file
setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
{ {
addrule $inchain -p $3 $(source_ip_range $2) -j ACCEPT addrule2 $inchain -p $3 $(source_ip_range $2) -j ACCEPT
addrule $outchain -p $3 $(dest_ip_range $2) -j ACCEPT addrule2 $outchain -p $3 $(dest_ip_range $2) -j ACCEPT
progress_message " $1 tunnel to $2 defined." progress_message " $1 tunnel to $2 defined."
} }
setup_pptp_client() # $1 = gateway setup_pptp_client() # $1 = gateway
{ {
addrule $outchain -p 47 $(dest_ip_range $1) -j ACCEPT addrule2 $outchain -p 47 $(dest_ip_range $1) -j ACCEPT
addrule $inchain -p 47 -j ACCEPT addrule2 $inchain -p 47 $(source_ip_range $1) -j ACCEPT
addrule $outchain -p tcp --dport 1723 $(dest_ip_range $1) -j ACCEPT addrule2 $outchain -p tcp --dport 1723 $(dest_ip_range $1) -j ACCEPT
progress_message " PPTP tunnel to $1 defined." progress_message " PPTP tunnel to $1 defined."
} }
setup_pptp_server() setup_pptp_server() # $1 = gateway
{ {
addrule $inchain -p 47 -j ACCEPT addrule2 $inchain -p 47 $(source_ip_range $1) -j ACCEPT
addrule $outchain -p 47 -j ACCEPT addrule2 $outchain -p 47 $(dest_ip_range $1) -j ACCEPT
addrule $inchain -p tcp --dport 1723 -j ACCEPT addrule2 $inchain -p tcp --dport 1723 $(source_ip_range $1) -j ACCEPT
progress_message " PPTP server defined." progress_message " PPTP server defined."
} }
@ -1622,8 +1634,8 @@ setup_tunnels() # $1 = name of tunnels file
;; ;;
esac esac
addrule $inchain -p udp $(source_ip_range $1) --dport $p -j ACCEPT addrule2 $inchain -p udp $(source_ip_range $1) --dport $p -j ACCEPT
addrule $outchain -p udp $(dest_ip_range $1) --dport $p -j ACCEPT addrule2 $outchain -p udp $(dest_ip_range $1) --dport $p -j ACCEPT
progress_message " OPENVPN tunnel to $1:$p defined." progress_message " OPENVPN tunnel to $1:$p defined."
} }
@ -1650,8 +1662,8 @@ setup_tunnels() # $1 = name of tunnels file
p=${p:+--dport $p} p=${p:+--dport $p}
addrule $inchain -p $protocol $(source_ip_range $1) $p -j ACCEPT addrule2 $inchain -p $protocol $(source_ip_range $1) $p -j ACCEPT
addrule $outchain -p $protocol $(dest_ip_range $1) $p -j ACCEPT addrule2 $outchain -p $protocol $(dest_ip_range $1) $p -j ACCEPT
for z in $(separate_list $3); do for z in $(separate_list $3); do
if validate_zone $z; then if validate_zone $z; then
@ -1674,6 +1686,7 @@ setup_tunnels() # $1 = name of tunnels file
if validate_zone $z; then if validate_zone $z; then
inchain=${z}2${FW} inchain=${z}2${FW}
outchain=${FW}2${z} outchain=${FW}2${z}
gateway=${gateway:-0.0.0.0/0}
case $kind in case $kind in
ipsec|IPSEC|ipsec:*|IPSEC:*) ipsec|IPSEC|ipsec:*|IPSEC:*)
setup_one_ipsec $gateway $kind $z1 setup_one_ipsec $gateway $kind $z1
@ -1694,7 +1707,7 @@ setup_tunnels() # $1 = name of tunnels file
setup_pptp_client $gateway setup_pptp_client $gateway
;; ;;
pptpserver|PPTPSERVER) pptpserver|PPTPSERVER)
setup_pptp_server setup_pptp_server $gateway
;; ;;
openvpn|OPENVPN|openvpn:*|OPENVPN:*) openvpn|OPENVPN|openvpn:*|OPENVPN:*)
setup_one_openvpn $gateway $kind setup_one_openvpn $gateway $kind
@ -1855,6 +1868,7 @@ setup_proxy_arp() {
done < $TMP_DIR/proxyarp done < $TMP_DIR/proxyarp
for interface in $resetlist; do for interface in $resetlist; do
list_search $interface $setlist || \
run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
done done
@ -1910,14 +1924,6 @@ setup_mac_lists() {
# Be sure that they are all ethernet interfaces # Be sure that they are all ethernet interfaces
# #
for interface in $maclist_interfaces; do for interface in $maclist_interfaces; do
case $interface in
eth*|wlan*|br[0-9]|ath[0-9])
;;
*)
fatal_error "MAC verification is only supported on ethernet and 802.11b devices: $interface"
;;
esac
createchain $(mac_chain $interface) no createchain $(mac_chain $interface) no
done done
# #
@ -3243,7 +3249,7 @@ process_actions1() {
case $xaction in case $xaction in
*:*) *:*)
temp=${xaction#*:} temp=${xaction#*:}
[ ${#temp} -le 11 ] || fatal_error "Action Name Longer than 11 Characters: $temp" [ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp"
xaction=${xaction%:*} xaction=${xaction%:*}
case $temp in case $temp in
ACCEPT|REJECT|DROP) ACCEPT|REJECT|DROP)
@ -5132,7 +5138,7 @@ setup_blacklist() {
[ "$disposition" = REJECT ] && disposition=reject [ "$disposition" = REJECT ] && disposition=reject
if [ -n "$DELAYBLACKLISTLOAD" ]; then if [ -z "$DELAYBLACKLISTLOAD" ]; then
while read networks protocol ports; do while read networks protocol ports; do
expandv networks protocol ports expandv networks protocol ports
process_blacklist_rec process_blacklist_rec
@ -5864,11 +5870,68 @@ add_common_rules() {
if [ -n "$ROUTE_FILTER" ]; then if [ -n "$ROUTE_FILTER" ]; then
run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter" run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter"
run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"
fi fi
run_and_save_command ip route flush cache run_and_save_command ip route flush cache
fi fi
#
# Martian Logging
#
interfaces="$(find_interfaces_by_option logmartians)"
if [ -n "$interfaces" -o -n "$LOG_MARTIANS" ]; then
echo "Setting up Martian Logging..."
save_progress_message "Restoring Martian Logging..."
for f in /proc/sys/net/ipv4/conf/*; do
run_and_save_command "[ -f $f/log_martians ] && echo 0 > $f/log_martians"
done
for interface in $interfaces; do
file=proc/sys/net/ipv4/conf/$interface/log_martians
if [ -f $file ]; then
run_and_save_command "echo 1 > $file"
else
error_message \
"Warning: Cannot set Martian logging on $interface"
fi
done
if [ -n "$LOG_MARTIANS" ]; then
run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/default/log_martians"
run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians"
fi
fi
#
# Source Routing
#
save_progress_message "Restoring Accept Source Routing..."
for f in /proc/sys/net/ipv4/conf/*; do
run_and_save_command "[ -f $f/accept_source_route ] && echo 0 > $f/accept_source_route"
done
interfaces=$(find_interfaces_by_option sourceroute)
if [ -n "$interfaces" ]; then
echo "Setting up Accept Source Routing..."
for interface in $interfaces; do
file=/proc/sys/net/ipv4/conf/$interface/accept_source_route
if [ -f $file ]; then
run_and_save_command "echo 1 > $file"
else
error_message \
"Warning: Cannot set Accept Source Routing on $interface"
fi
done
fi
if [ -n "$DYNAMIC_ZONES" ]; then if [ -n "$DYNAMIC_ZONES" ]; then
echo "Setting up Dynamic Zone Chains..." echo "Setting up Dynamic Zone Chains..."
@ -6736,6 +6799,7 @@ do_initialize() {
BLACKLIST_LOGLEVEL= BLACKLIST_LOGLEVEL=
CLAMPMSS= CLAMPMSS=
ROUTE_FILTER= ROUTE_FILTER=
LOG_MARTIANS=
DETECT_DNAT_IPADDRS= DETECT_DNAT_IPADDRS=
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
NEWNOTSYN= NEWNOTSYN=
@ -6765,6 +6829,7 @@ do_initialize() {
PKTTYPE= PKTTYPE=
RETAIN_ALIASES= RETAIN_ALIASES=
DELAYBLACKLISTLOAD= DELAYBLACKLISTLOAD=
LOGTAGONLY=
RESTOREBASE= RESTOREBASE=
TMP_DIR= TMP_DIR=
@ -6867,6 +6932,7 @@ do_initialize() {
CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS) CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES) ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER) ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS) DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING) FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING)
[ -n "$FORWARDPING" ] && \ [ -n "$FORWARDPING" ] && \
@ -6941,6 +7007,7 @@ do_initialize() {
STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED) STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD) DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
# #
# Strip the files that we use often # Strip the files that we use often
# #
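Review bot: In the Martian Logging block of the `-5864,11 +5870,68` hunk, `file=proc/sys/net/ipv4/conf/$interface/log_martians` is missing its leading slash, so `[ -f $file ]` is a relative-path test that fails for every interface and each `logmartians` interface gets the "Cannot set Martian logging" warning instead of the sysctl; the Source Routing block below it spells the path correctly. The line should be `file=/proc/sys/net/ipv4/conf/$interface/log_martians`. Also worth confirming: the Source Routing loop zeroes `conf/all/accept_source_route` along with every interface and then sets the `sourceroute` interfaces back to 1; if the kernel combines that sysctl as conf/all AND conf/<if> (as it does for some per-device settings), the per-interface 1 would have no effect. `add_common_rules` continues outside this hunk.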


@ -1 +1 @@
2.1.9 2.1.10