Mirror of https://gitlab.com/shorewall/code.git, synced 2024-12-27 08:39:00 +01:00
Initial revision
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@10 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent af87d30b67
commit 7c78bb16a7
Shorewall/COPYING (Normal file, 340 lines)
@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.

When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.

We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.

Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and
modification follow.

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.

You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.

c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.

In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.

3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.

If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.

5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.

7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.

It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.

This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.

Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.

10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.

<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA


Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.

<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.
Shorewall/INSTALL (Normal file, 43 lines)
@ -0,0 +1,43 @@
Shoreline Firewall (Shorewall) Version 1.2 - 12/21/2001
----- ----

-----------------------------------------------------------------------------

This program is free software; you can redistribute it and/or modify
it under the terms of Version 2 of the GNU General Public License
as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

---------------------------------------------------------------------------
If your system supports rpm, I recommend that you install the Shorewall
.rpm. If you want to install from the tarball:

o Unpack the tarball
o cd to the shorewall-<version> directory
o If you have an earlier version of Shoreline Firewall installed,see the
upgrade instructions below
o Edit the files policy, interfaces, rules, nat, proxyarp and masq to
fit your environment.
o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
Debian, then type "./install.sh".
o For other distributions, determine where your distribution installs
init scripts and type "./install.sh <init script directory>"
o Start the firewall by typing "shorewall start"
o If the install script was unable to configure Shoreline Firewall to
start audomatically at boot, see the HTML documentation contains in the
"documentation" directory.

Upgrade:

o run the install script as described above.
o shorewall restart


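Review bot: two typos in the boot-time bullet: "start audomatically at boot" should read "start automatically at boot", and "see the HTML documentation contains in the "documentation" directory" should read "contained in"; "installed,see" is also missing a space. The "----- ----" underline is shorter than the title line it sits under. The edit step lists policy, interfaces, rules, nat, proxyarp and masq, but fallback.sh in this same commit restores zones, hosts, params, tcrules, tos, tunnels, blacklist and whitelist as well; the step should say which of those a first-time user is expected to review before "shorewall start".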
Shorewall/blacklist (Executable file, 19 lines)
@ -0,0 +1,19 @@
#
# Shorewall 1.2 -- Blacklist File
#
# /etc/shorewall/blacklist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
# When a packet arrives on in interface that has the 'blacklist' option
# specified, its source IP address is checked against this file and disposed of
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
# /etc/shorewall/shorewall.conf
#
# MAC addresses must be prefixed with "~" and use "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
###############################################################################
#ADDRESS/SUBNET
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


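Review bot: the header comment documents only the IP check ("its source IP address is checked against this file") although the file also accepts MAC addresses; it should say how a MAC entry is matched, and it is worth adding that a MAC entry can only match hosts on the directly attached segment, because a routed packet arrives carrying the last router's hardware address rather than the original sender's. Typo: "arrives on in interface" should read "arrives on an interface".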
Shorewall/changelog.txt (Executable file, 17 lines)
@ -0,0 +1,17 @@
Changes since 1.2.12

1. Added whitelist support
2. Added SYN Flood Protection













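Review bot: the heading "Changes since 1.2.12" does not name the version these entries belong to, while fallback.sh in this commit sets VERSION=1.2.13 and INSTALL still says "Version 1.2 - 12/21/2001"; the heading should carry the version being released and INSTALL should be brought in line. Both entries are bare one-liners; the SYN flood entry should at least name the configuration file and option that enable it, since a protection feature nobody can find in the documentation will not be switched on.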
Shorewall/common.def (Normal file, 34 lines)
@ -0,0 +1,34 @@
############################################################################
# Shorewall 1.1 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file,
# the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect").
#
# Do not modify this file -- if you wish to change these rules, copy this
# file to /etc/shorewall/common and modify that file.
#
run_iptables -A common -p icmp -j icmpdef
############################################################################
# accept ACKs and RSTs that aren't related to any session so that the
# protocol stack can handle them
#
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 137:139 -j REJECT
run_iptables -A common -p udp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 135 -j reject
############################################################################
# UPnP
#
run_iptables -A common -p udp --dport 1900 -j DROP
############################################################################
# BROADCASTS
#
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP

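Review bot: the tcp/135 rule uses "-j reject" (lowercase) while the two udp rules above it use "-j REJECT"; if "reject" is a user-defined chain that the firewall script creates, a comment should say so, otherwise the target is inconsistent with the other two lines. "--tcp-flags ACK ACK -j ACCEPT" matches every TCP packet with the ACK bit set, not only stray ACKs, so the comment "accept ACKs and RSTs that aren't related to any session" should state the assumption it relies on, namely that the common chain is reached only for packets no earlier state or rule match accepted; the RST line has the same dependency. The NETBIOS block rejects udp 137:139, udp 445 and tcp 135 but says nothing about tcp 139 or tcp 445; if leaving them out is deliberate the comment should say why. The header says "Shorewall 1.1" while the other files in this commit say 1.2.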
Shorewall/fallback.sh (Executable file, 112 lines)
@ -0,0 +1,112 @@
#!/bin/sh
#
# Script to back out the installation of Shoreline Firewall and to restore the previous version of
# the program
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2001,2002 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://seattlefirewall.dyndns.org
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# Usage:
#
# You may only use this script to back out the installation of the version
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.

VERSION=1.2.13

usage() # $1 = exit status
{
echo "usage: `basename $0`"
exit $1
}

restore_file() # $1 = file to restore
{
if [ -f ${1}-${VERSION}.bkout ]; then
if (mv -f ${1}-${VERSION}.bkout $1); then
echo
echo "$1 restored"
else
echo "ERROR: Could not restore $1"
exit 1
fi
fi
}

if [ ! -f /etc/shorewall/version-${VERSION}.bkout ]; then
echo "Seattle Firewall Version $VERSION is not installed"
exit 1
fi

echo "Backing Out Installation of Shorewall $VERSION"

if [ -L /etc/shorewall/firewall ]; then
FIREWALL=`ls -l /etc/shorewall/firewall | sed 's/^.*> //'`
restore_file $FIREWALL
fi

restore_file /sbin/shorewall

[ -f /etc/shorewall.conf.$VERSION ] && rm -f /etc/shorewall.conf.$VERSION

restore_file /etc/shorewall/shorewall.conf

restore_file /etc/shorewall/functions

restore_file /etc/shorewall/common.def

restore_file /etc/shorewall/icmp.def

restore_file /etc/shorewall/zones

restore_file /etc/shorewall/policy

restore_file /etc/shorewall/interfaces

restore_file /etc/shorewall/hosts

restore_file /etc/shorewall/rules

restore_file /etc/shorewall/nat

restore_file /etc/shorewall/params

restore_file /etc/shorewall/proxyarp

restore_file /etc/shorewall/masq

restore_file /etc/shorewall/modules

restore_file /etc/shorewall/tcrules

restore_file /etc/shorewall/tos

restore_file /etc/shorewall/tunnels

restore_file /etc/shorewall/blacklist

restore_file /etc/shorewall/whitelist

restore_file /etc/shorewall/version

oldversion="`cat /etc/shorewall/version`"

echo "Shorewall Restored to Version $oldversion"


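Review bot: FIREWALL=`ls -l /etc/shorewall/firewall | sed 's/^.*> //'` reconstructs the symlink target from ls output, which breaks on any path containing "> " and depends on the ls listing format; readlink(1), where available, returns the target directly. The "not installed" message says "Seattle Firewall Version $VERSION" while the rest of the script says Shorewall or Shoreline Firewall; the old product name should go. restore_file calls exit 1 on the first failed mv, so a failure part-way through the long list of restore_file calls leaves the configuration half restored with no summary of which files were put back; either continue and report at the end, or state in the usage comment that the script must be re-run after fixing the cause. The unquoted $1 inside restore_file and the unquoted $FIREWALL will word-split on paths containing spaces.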
Shorewall/firewall (Executable file, 3074 lines)
File diff suppressed because it is too large
Shorewall/functions (Executable file, 167 lines)
@ -0,0 +1,167 @@
#
# Shorewall 1.2 -- /etc/shorewall/functions

#
# Suppress all output for a command
#
qt()
{
"$@" >/dev/null 2>&1
}

#
# Find a File -- Look first in $SHOREWALL_DIR then in /etc/shorewall
#
find_file()
{
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
echo $SHOREWALL_DIR/$1
else
echo /etc/shorewall/$1
fi
}

#
# Replace commas with spaces and echo the result
#
separate_list()
{
echo $1 | sed 's/,/ /g'
}

#
# Find the zones
#
find_zones() # $1 = name of the zone file
{
while read zone display comments; do
[ -n "$zone" ] && case "$zone" in
\#*)
;;
$FW|multi)
echo "Reserved zone name \"$zone\" in zones file ignored" >&2
;;
*)
echo $zone
;;
esac
done < $1
}

find_display() # $1 = zone, $2 = name of the zone file
{
grep ^$1 $2 | while read z display comments; do
[ "x$1" = "x$z" ] && echo $display
done
}

determine_zones()
{
local zonefile=`find_file zones`

multi_display=Multi-zone

if [ -f $zonefile ]; then
zones=`find_zones $zonefile`
zones=`echo $zones` # Remove extra trash

for zone in $zones; do
dsply=`find_display $zone $zonefile`
eval ${zone}_display=\$dsply
done
else
zones="net local dmz gw"
net_display=Net
local_display=Local
dmz_display=DMZ
gw_display=Gateway
fi

}

###############################################################################
# The following functions may be used by apps that wish to ensure that
# the state of Shorewall isn't changing
#------------------------------------------------------------------------------
# This function loads the STATEDIR variable (directory where Shorewall is to
# store state files). If your application supports alternate Shorewall
# configurations then the name of the alternate configuration directory should
# be in $SHOREWALL_DIR at the time of the call.
#
# If the shorewall.conf file does not exist, this function does not return
###############################################################################
get_statedir()
{
local config=`find_file shorewall.conf`

if [ -f $config ]; then
. $config
else
echo "/etc/shorewall/shorewall.conf does not exist!" >&2
exit 2
fi

[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
}

###############################################################################
# Call this function to assert MUTEX with Shorewall. If you invoke the
# /sbin/shorewall program while holding MUTEX, you should pass "nolock" as
# the first argument. Example "shorewall nolock refresh"
#
# This function uses the lockfile utility from procmail if it exists.
# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
# behavior of lockfile.
###############################################################################
mutex_on()
{
local try=0
local max=15
local int=2

local lockf=$STATEDIR/lock

[ -d $STATEDIR ] || mkdir -p $STATEDIR

if qt which lockfile; then
lockfile -030 -r1 ${lockf} || exit 2
else
while [ -f ${lockf} -a ${try} -lt ${max} ] ; do
sleep ${int}
try=$((${try} + 1))
done

if [ ${try} -lt ${max} ] ; then
# Create the lockfile
echo $$ > ${lockf}
else
echo "Giving up on lock file ${lockf}" >&2
exit 2
fi
fi
}

###############################################################################
# Call this function to release MUTEX
###############################################################################
mutex_off()
{
rm -f $STATEDIR/lock
}

###############################################################################
# Strip comments and blank lines from a file and place the result in the #
# temporary directory #
###############################################################################
strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
{
local fname

[ $# = 1 ] && fname=`find_file $1` || fname=$2

if [ -f $fname ]; then
|
||||
cut -d'#' -f1 $fname | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
|
||||
else
|
||||
> $TMP_DIR/$1
|
||||
fi
|
||||
}
|
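Review bot: the fallback branch of `mutex_on` (the `else` after `if qt which lockfile`) never detects a stale lock: if a previous holder died without calling `mutex_off`, `$STATEDIR/lock` stays behind and every later caller sleeps the full `max` x `int` (30 s) and then exits 2. The file already records `$$`, so read it back and discard the lock when `kill -0 "$pid"` fails; and make the creation itself atomic with `set -C` (noclobber), so that `echo $$ > ${lockf}` fails instead of silently overwriting a lock that appeared between the `-f` test and the write, which removes most of the race the header comment admits to. Separately, `get_statedir` sources `$config` with `.`, so shorewall.conf is executed by the caller (root); its error message hardcodes `/etc/shorewall/shorewall.conf` although `find_file` may have looked in `$SHOREWALL_DIR`, so print `$config` instead.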
36
Shorewall/hosts
Normal file
@ -0,0 +1,36 @@
|
||||
#
|
||||
# Shorewall 1.2 - /etc/shorewall/hosts
|
||||
#
|
||||
# WARNING: 90% of Shorewall users don't need to add entries to this
|
||||
# file and 80% of those who try to add such entries get it
|
||||
# wrong. Unless you are ABSOLUTELY SURE that you need entries
|
||||
# in this file, don't touch it!
|
||||
#
|
||||
# This file is used to define zones in terms of subnets and/or
|
||||
# individual IP addresses. Most simple setups don't need to
|
||||
# (should not) place anything in this file.
|
||||
#
|
||||
# ZONE - The name of a zone defined in /etc/shorewall/zones
|
||||
#
|
||||
# HOST(S) - The name of an interface followed by a colon (":") and
|
||||
# either:
|
||||
#
|
||||
# a) The IP address of a host
|
||||
# b) A subnetwork in the form
|
||||
# <subnet-address>/<mask width>
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# eth1:192.168.1.3
|
||||
# eth2:192.168.2.0/24
|
||||
#
|
||||
# OPTIONS - A comma-separated list of options. Currently-defined
|
||||
# options are:
|
||||
#
|
||||
# routestopped - route messages to and from this
|
||||
# member when the firewall is in the
|
||||
# stopped state
|
||||
#
|
||||
#
|
||||
#ZONE HOST(S) OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
17
Shorewall/icmp.def
Normal file
@ -0,0 +1,17 @@
|
||||
##############################################################################
|
||||
# Shorewall 1.2 /etc/shorewall/icmp.def
|
||||
#
|
||||
# This file defines the default rules for accepting ICMP packets.
|
||||
#
|
||||
# Do not modify this file -- if you want to change these rules, copy this
|
||||
# file to /etc/shorewall/icmpdef and modify that file.
|
||||
#
|
||||
# In particular, if you want to accept 'ping' everywhere then add
|
||||
#
|
||||
# run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT
|
||||
#
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
|
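Review bot: the header tells the user to copy this file to /etc/shorewall/icmpdef and modify the copy, but it does not say whether an existing icmpdef replaces this file or is processed in addition to it. Because every rule here is an unconditional ACCEPT, a reader who assumes "in addition" and puts only the echo-request line in icmpdef would not know the five defaults still apply (or, under the other reading, that they are gone). One sentence stating which behaviour applies would remove the ambiguity.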
478
Shorewall/install.sh
Executable file
@ -0,0 +1,478 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Script to install Shoreline Firewall
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Seawall documentation is available at http://seawall.sourceforge.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
# Usage:
|
||||
#
|
||||
# If you are running a distribution that has a directory called /etc/rc.d/init.d or one
|
||||
# called /etc/init.d or you are running Slackware then simply cd to the directory
|
||||
# containing this script and run it.
|
||||
#
|
||||
# ./install.sh
|
||||
#
|
||||
# If you don't have either of those directories, you will need to determine where the
|
||||
# SysVInit scripts are kept on your system and pass the name of that directory.
|
||||
#
|
||||
# ./install.sh /etc/rc.d/scripts
|
||||
#
|
||||
# The default is that the firewall will be started in run levels 2-5 starting at
|
||||
# position 15 and stopping at position 90. This is correct RedHat/Mandrake, Debian,
|
||||
# Caldera and Corel.
|
||||
#
|
||||
# If you wish to change that, you can pass -r "<levels startpos stoppos>".
|
||||
#
|
||||
# Example 1: You wish to start your firewall in runlevels 2 and three, start at position
|
||||
# 15 and stop at position 90
|
||||
#
|
||||
# ./install.sh -r "23 15 90"
|
||||
#
|
||||
# Example 2: You wish to start your firewall only in run level 3, start at position 5
|
||||
# and stop at position 95.
|
||||
#
|
||||
# ./install.sh -r "3 5 95" /etc/rc.d/scripts
|
||||
#
|
||||
# For distributions that don't include chkconfig (Slackware, for example), the
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.2.13
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
ME=`basename $0`
|
||||
echo "usage: $ME [ -r \"<chkconfig parameters>\" ] [ <init scripts directory> ]"
|
||||
echo " $ME [ -v ]"
|
||||
echo " $ME [ -h ]"
|
||||
exit $1
|
||||
}
|
||||
|
||||
run_install()
|
||||
{
|
||||
if ! install $*; then
|
||||
echo -e "\nERROR: Failed to install $*"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
cant_autostart()
|
||||
{
|
||||
echo -e "\nWARNING: Unable to configure Shorewall to start"
|
||||
echo " automatically at boot"
|
||||
}
|
||||
|
||||
backup_file() # $1 = file to backup
|
||||
{
|
||||
if [ -z "$PREFIX" -a -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
|
||||
if (cp $1 ${1}-${VERSION}.bkout); then
|
||||
echo
|
||||
echo "$1 saved to ${1}-${VERSION}.bkout"
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
modify_rclocal()
|
||||
{
|
||||
if [ -f /etc/rc.d/rc.local ]; then
|
||||
if [ -z "`grep shorewall /etc/rc.d/rc.local`" ]; then
|
||||
cp -f /etc/rc.d/rc.local /etc/rc.d/rc.local-shorewall.bkout
|
||||
echo >> /etc/rc.d/rc.local
|
||||
echo "/sbin/shorewall start" >> /etc/rc.d/rc.local
|
||||
echo "/etc/rc.d/rc.local modified to start Shorewall"
|
||||
fi
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
}
|
||||
|
||||
install_file_with_backup() # $1 = source $2 = target $3 = mode
|
||||
{
|
||||
backup_file $2
|
||||
run_install -o $OWNER -g $GROUP -m $3 $1 ${2}
|
||||
}
|
||||
|
||||
#
|
||||
# Parse the run line
|
||||
#
|
||||
# DEST is the SysVInit script directory
|
||||
# RUNLEVELS is the chkconfig parmeters for firewall
|
||||
# ARGS is "yes" if we've already parsed an argument
|
||||
#
|
||||
DEST=""
|
||||
RUNLEVELS=""
|
||||
ARGS=""
|
||||
|
||||
if [ -z "$OWNER" ] ; then
|
||||
OWNER=root
|
||||
fi
|
||||
|
||||
if [ -z "$GROUP" ] ; then
|
||||
GROUP=root
|
||||
fi
|
||||
|
||||
while [ $# -gt 0 ] ; do
|
||||
case "$1" in
|
||||
-h|help|?)
|
||||
if [ -n "$ARGS" ]; then
|
||||
usage 1
|
||||
fi
|
||||
|
||||
usage 0
|
||||
;;
|
||||
-r)
|
||||
if [ -n "$RUNLEVELS" -o $# -eq 1 ]; then
|
||||
usage 1
|
||||
fi
|
||||
|
||||
RUNLEVELS="$2";
|
||||
shift
|
||||
;;
|
||||
-v)
|
||||
if [ -n "$ARGS" ]; then
|
||||
usage 1
|
||||
fi
|
||||
|
||||
echo "Seattle Firewall Installer Version $VERSION"
|
||||
exit 0
|
||||
;;
|
||||
*)
|
||||
if [ -n "$DEST" ]; then
|
||||
usage 1
|
||||
fi
|
||||
|
||||
DEST="$1"
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
ARGS="yes"
|
||||
done
|
||||
|
||||
#
|
||||
# Determine where to install the firewall script
|
||||
#
|
||||
if [ -n "$PREFIX" ]; then
|
||||
install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}/sbin
|
||||
install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}${DEST}
|
||||
fi
|
||||
|
||||
FIREWALL="shorewall"
|
||||
|
||||
if [ -z "$DEST" ]; then
|
||||
#
|
||||
# We make this first test so that on RedHat systems that have Seawall installed,
|
||||
# we can still use PREFIX (the code that reads the existing symbolic link
|
||||
# fails dreadfully if the link is relative and PREFIX is non-null).
|
||||
#
|
||||
if [ -x /etc/rc.d/init.d/firewall ]; then
|
||||
DEST=/etc/rc.d/init.d
|
||||
elif [ -L /etc/shorewall/firewall ]; then
|
||||
TEMP=`ls -l /etc/shorewall/firewall | sed 's/^.*> //'`
|
||||
DEST=`dirname $TEMP`
|
||||
FIREWALL=`basename $TEMP`
|
||||
elif [ -d /etc/rc.d/init.d ]; then
|
||||
DEST=/etc/rc.d/init.d
|
||||
elif [ -d /etc/init.d ]; then
|
||||
DEST=/etc/init.d
|
||||
elif [ -f /etc/rc.d/rc.local ]; then
|
||||
DEST=/etc/rc.d
|
||||
FIREWALL="rc.shorewall"
|
||||
else
|
||||
echo "ERROR: Can't determine where to install the firewall script"
|
||||
echo " Rerun $0 passing the name of the SysVInit script directory"
|
||||
echo " on your system"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
#
|
||||
# Change to the directory containing this script
|
||||
#
|
||||
cd "`dirname $0`"
|
||||
|
||||
echo "Installing Shorewall Version $VERSION"
|
||||
|
||||
#
|
||||
# Check for /etc/shorewall
|
||||
#
|
||||
if [ -d ${PREFIX}/etc/shorewall ]; then
|
||||
first_install=""
|
||||
else
|
||||
first_install="Yes"
|
||||
fi
|
||||
|
||||
install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0544
|
||||
|
||||
echo -e "\nShorewall control program installed in ${PREFIX}/sbin/shorewall"
|
||||
|
||||
#
|
||||
# Install the Firewall Script
|
||||
#
|
||||
if [ -n "$RUNLEVELS" ]; then
|
||||
#
|
||||
# User specified chkconfig parameters -- build an awk script to install them
|
||||
# in the firewall script
|
||||
#
|
||||
echo "/# chkconfig/ { print \"# chkconfig: $RUNLEVELS\" ; next }" > awk.temp
|
||||
echo "{ print }" >> awk.temp
|
||||
|
||||
awk -f awk.temp firewall > firewall.temp
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
echo -e "\nERROR: Error running awk."
|
||||
echo " You must run `basename $0` without the "-r" option then edit"
|
||||
echo " $DEST/$FIREWALL manually (line beginning '# chkconfig:')"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
install_file_with_backup firewall.temp ${PREFIX}${DEST}/$FIREWALL 0544
|
||||
|
||||
rm -f firewall.temp awk.tmp
|
||||
else
|
||||
install_file_with_backup firewall ${PREFIX}${DEST}/$FIREWALL 0544
|
||||
fi
|
||||
|
||||
echo -e "\nShorewall script installed in ${PREFIX}${DEST}/$FIREWALL"
|
||||
|
||||
#
|
||||
# Create /etc/shorewall if needed
|
||||
#
|
||||
if [ ! -d ${PREFIX}/etc/shorewall ]; then
|
||||
mkdir ${PREFIX}/etc/shorewall
|
||||
fi
|
||||
#
|
||||
# Install the config file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
|
||||
backup_file /etc/shorewall/shorewall.conf
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
|
||||
echo -e "\nConfig file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
|
||||
fi
|
||||
#
|
||||
# Install the zones file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/zones ]; then
|
||||
backup_file /etc/shorewall/zones
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones
|
||||
echo -e "\nZones file installed as ${PREFIX}/etc/shorewall/policy"
|
||||
fi
|
||||
|
||||
#
|
||||
# Install the functions file
|
||||
#
|
||||
install_file_with_backup functions ${PREFIX}/etc/shorewall/functions 0444
|
||||
|
||||
echo -e "\nCommon functions installed in ${PREFIX}/etc/shorewall/functions"
|
||||
#
|
||||
# Install the common.def file
|
||||
#
|
||||
install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444
|
||||
|
||||
echo -e "\nCommon rules installed in ${PREFIX}/etc/shorewall/common.def"
|
||||
#
|
||||
# Install the icmp.def file
|
||||
#
|
||||
install_file_with_backup icmp.def ${PREFIX}/etc/shorewall/icmp.def 0444
|
||||
|
||||
echo -e "\nCommon ICMP rules installed in ${PREFIX}/etc/shorewall/icmp.def"
|
||||
|
||||
#
|
||||
# Install the policy file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/policy ]; then
|
||||
backup_file /etc/shorewall/policy
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 policy ${PREFIX}/etc/shorewall/policy
|
||||
echo -e "\nPolicy file installed as ${PREFIX}/etc/shorewall/policy"
|
||||
fi
|
||||
#
|
||||
# Install the interfaces file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/interfaces ]; then
|
||||
backup_file /etc/shorewall/interfaces
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
|
||||
echo -e "\nInterfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
|
||||
fi
|
||||
#
|
||||
# Install the hosts file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/hosts ]; then
|
||||
backup_file /etc/shorewall/hosts
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
|
||||
echo -e "\nHosts file installed as ${PREFIX}/etc/shorewall/hosts"
|
||||
fi
|
||||
#
|
||||
# Install the rules file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/rules ]; then
|
||||
backup_file /etc/shorewall/rules
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 rules ${PREFIX}/etc/shorewall/rules
|
||||
echo -e "\nRules file installed as ${PREFIX}/etc/shorewall/rules"
|
||||
fi
|
||||
#
|
||||
# Install the NAT file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/nat ]; then
|
||||
backup_file /etc/shorewall/nat
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 nat ${PREFIX}/etc/shorewall/nat
|
||||
echo -e "\nNAT file installed as ${PREFIX}/etc/shorewall/nat"
|
||||
fi
|
||||
#
|
||||
# Install the Parameters file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/params ]; then
|
||||
backup_file /etc/shorewall/params
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params
|
||||
echo -e "\nParameter file installed as ${PREFIX}/etc/shorewall/params"
|
||||
fi
|
||||
#
|
||||
# Install the proxy ARP file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/proxyarp ]; then
|
||||
backup_file /etc/shorewall/proxyarp
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
|
||||
echo -e "\nProxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp"
|
||||
fi
|
||||
#
|
||||
# Install the Masq file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/masq ]; then
|
||||
backup_file /etc/shorewall/masq
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 masq ${PREFIX}/etc/shorewall/masq
|
||||
echo -e "\nMasquerade file installed as ${PREFIX}/etc/shorewall/masq"
|
||||
fi
|
||||
#
|
||||
# Install the Modules file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/modules ]; then
|
||||
backup_file /etc/shorewall/modules
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 modules ${PREFIX}/etc/shorewall/modules
|
||||
echo -e "\nModules file installed as ${PREFIX}/etc/shorewall/modules"
|
||||
fi
|
||||
#
|
||||
# Install the TC Rules file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/tcrules ]; then
|
||||
backup_file /etc/shorewall/tcrules
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
|
||||
echo -e "\nTC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
|
||||
fi
|
||||
|
||||
#
|
||||
# Install the TOS file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/tos ]; then
|
||||
backup_file /etc/shorewall/tos
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 tos ${PREFIX}/etc/shorewall/tos
|
||||
echo -e "\nTOS file installed as ${PREFIX}/etc/shorewall/tos"
|
||||
fi
|
||||
#
|
||||
# Install the Tunnels file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/tunnels ]; then
|
||||
backup_file /etc/shorewall/tunnels
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
|
||||
echo -e "\nTunnels file installed as ${PREFIX}/etc/shorewall/tunnels"
|
||||
fi
|
||||
#
|
||||
# Install the blacklist file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/blacklist ]; then
|
||||
backup_file /etc/shorewall/blacklist
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
|
||||
echo -e "\nBlacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
|
||||
fi
|
||||
#
|
||||
# Install the whitelist file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/whitelist ]; then
|
||||
backup_file /etc/shorewall/whitelist
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 whitelist ${PREFIX}/etc/shorewall/whitelist
|
||||
echo -e "\nWhitelist file installed as ${PREFIX}/etc/shorewall/whitelist"
|
||||
fi
|
||||
#
|
||||
# Backup the version file
|
||||
#
|
||||
if [ -z "$PREFIX" ]; then
|
||||
if [ -f /etc/shorewall/version ]; then
|
||||
backup_file /etc/shorewall/version
|
||||
elif [ -n "$oldversion" ]; then
|
||||
echo $oldversion > /etc/shorewall/version-${VERSION}.bkout
|
||||
else
|
||||
echo "Unknown" > /etc/shorewall/version-${VERSION}.bkout
|
||||
fi
|
||||
fi
|
||||
#
|
||||
# Create the version file
|
||||
#
|
||||
echo "$VERSION" > ${PREFIX}/etc/shorewall/version
|
||||
chmod 644 ${PREFIX}/etc/shorewall/version
|
||||
#
|
||||
# Remove and create the symbolic link to the firewall script
|
||||
#
|
||||
|
||||
if [ -z "$PREFIX" ]; then
|
||||
rm -f /etc/shorewall/firewall
|
||||
ln -s ${DEST}/${FIREWALL} /etc/shorewall/firewall
|
||||
else
|
||||
pushd ${PREFIX}/etc/shorewall/ >> /dev/null && ln -s ../..${DEST}/${FIREWALL} firewall && popd >> /dev/null
|
||||
fi
|
||||
|
||||
echo -e "\n${PREFIX}/etc/shorewall/firewall linked to ${PREFIX}$DEST/$FIREWALL"
|
||||
|
||||
if [ -z "$PREFIX" -a -n "$first_install" ]; then
|
||||
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
if insserv /etc/init.d/shorewall ; then
|
||||
echo -e "\nFirewall will start automatically at boot"
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
|
||||
if chkconfig --add $FIREWALL ; then
|
||||
echo -e "\nFirewall will automatically start in run levels as follows:"
|
||||
chkconfig --list $FIREWALL
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
else
|
||||
modify_rclocal
|
||||
fi
|
||||
fi
|
||||
#
|
||||
# Report Success
|
||||
#
|
||||
echo -e "\nShorewall Version $VERSION Installed"
|
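Review bot: `if insserv /etc/init.d/shorewall ; then` in the autostart block hardcodes a path, while the script was just installed as `${PREFIX}${DEST}/$FIREWALL`, where DEST can be /etc/rc.d/init.d or /etc/rc.d and FIREWALL can be rc.shorewall or the basename of an existing symlink; pass `$DEST/$FIREWALL` as the chkconfig branch does. Smaller points in the same hunk: the message after installing the zones file reads `Zones file installed as ${PREFIX}/etc/shorewall/policy`; `rm -f firewall.temp awk.tmp` does not match the `awk.temp` created two lines earlier, so the temp file is left in the source directory; `$oldversion` is tested and written to the version backup but is never assigned anywhere in this script, so only the "Unknown" branch can run; and `pushd`/`popd` in the PREFIX symlink branch are bash builtins under a `#!/bin/sh` shebang, so on a strict sh the `&&` chain fails and no symlink is created (a `cd` inside a subshell works everywhere). The `-v` banner still says "Seattle Firewall Installer" and the header still points at Seawall documentation.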
94
Shorewall/interfaces
Normal file
@ -0,0 +1,94 @@
|
||||
#
|
||||
# Shorewall 1.2 -- Interfaces File
|
||||
#
|
||||
# /etc/shorewall/interfaces
|
||||
#
|
||||
# You must add an entry in this file for each network interface on your
|
||||
# firewall system.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# ZONE Zone for this interface. Must match the short name
|
||||
# of a zone defined in /etc/shorewall/zones.
|
||||
#
|
||||
# If the interface serves multiple zones that will be
|
||||
# defined in the /etc/shorewall/hosts file, you may
|
||||
# place "-" in this column.
|
||||
#
|
||||
# INTERFACE Name of interface
|
||||
#
|
||||
# BROADCAST The broadcast address for the subnetwork to which the
|
||||
# interface belongs. For P-T-P interfaces, this
|
||||
# column is left black.
|
||||
#
|
||||
# If you use the special value "detect", the firewall
|
||||
# will detect the broadcast address for you. If you
|
||||
# select this option, the interface must be up before
|
||||
# the firewall is started and you must have iproute
|
||||
# installed.
|
||||
#
|
||||
# If you don't want to give a value for this column but
|
||||
# you want to enter a value in the OPTIONS column, enter
|
||||
# "-" in this column.
|
||||
#
|
||||
# OPTIONS A comma-separated list of options including the
|
||||
# following:
|
||||
#
|
||||
# dhcp - interface is managed by DHCP or used by
|
||||
# a DHCP server running on the firewall.
|
||||
# noping - icmp echo-request (ping) packets should
|
||||
# be ignored on this interface
|
||||
# routestopped - When the firewall is stopped, allow
|
||||
# and route traffic to and from this
|
||||
# interface.
|
||||
# norfc1918 - This interface should not receive
|
||||
# any packets whose source is in one
|
||||
# of the ranges reserved by RFC 1918
|
||||
# (i.e., private or "non-routable"
|
||||
# addresses. If packet mangling is
|
||||
# enabled in shorewall.conf, packets
|
||||
# whose destination addresses are
|
||||
# reserved by RFC 1918 are also rejected.
|
||||
# multi - This interface has multiple IP
|
||||
# addresses and you want to be able to
|
||||
# route between them.
|
||||
# routefilter - turn on kernel route filtering for this
|
||||
# interface (anti-spoofing measure).
|
||||
# dropunclean - Logs and drops mangled/invalid packets
|
||||
#
|
||||
# logunclean - Logs mangled/invalid packets but does
|
||||
# not drop them.
|
||||
# . . blacklist - Check packets arriving on this interface
|
||||
# against the /etc/shorewall/blacklist
|
||||
# file.
|
||||
#
|
||||
# Example 1: Suppose you have eth0 connected to a DSL modem and
|
||||
# eth1 connected to your local network and that your
|
||||
# local subnet is 192.168.1.0/24. The interface gets
|
||||
# it's IP address via DHCP from subnet
|
||||
# 206.191.149.192/27 and you want pings from the internet
|
||||
# to be ignored. You interface a DMZ with subnet
|
||||
# 192.168.2.0/24 using eth2. You want to be able to
|
||||
# access the firewall from the local network when the
|
||||
# firewall is stopped.
|
||||
#
|
||||
# Your entries for this setup would look like:
|
||||
#
|
||||
# net eth0 206.191.149.223 noping,dhcp
|
||||
# local eth1 192.168.1.255 routestopped
|
||||
# dmz eth2 192.168.2.255
|
||||
#
|
||||
# Example 2: The same configuration without specifying broadcast
|
||||
# addresses is:
|
||||
#
|
||||
# net eth0 detect noping,dhcp
|
||||
# loc eth1 detect routestopped
|
||||
# dmz eth2 detect
|
||||
#
|
||||
# Example 3: You have a simple dial-in system with no ethernet
|
||||
# connections and you want to ignore ping requests.
|
||||
#
|
||||
# net ppp0 - noping
|
||||
##############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
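Review bot: Example 1 names the local zone `local` (`local eth1 192.168.1.255 routestopped`) while Example 2, described as "the same configuration", uses `loc`; the policy file in this commit ships with `loc` and the fallback in `determine_zones` uses `local`, so pick one name and use it in every example. Two typos in the same hunk: "this column is left black" under BROADCAST should be "blank", and "The interface gets it's IP address" should be "its". The stray `. .` in front of `blacklist` in the OPTIONS list looks like leftover editing.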
81
Shorewall/masq
Executable file
@ -0,0 +1,81 @@
|
||||
#
|
||||
# Shorewall 1.2 - Masquerade file
|
||||
#
|
||||
# /etc/shorewall/masq
|
||||
#
|
||||
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
|
||||
# (SNAT).
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# INTERFACE -- Outgoing interface. This is usually your internet
|
||||
# interface. This may be qualified by adding the character
|
||||
# ":" followed by a destination host or subnet.
|
||||
#
|
||||
#
|
||||
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
|
||||
# a subnet or as an interface. If you give the name of an
|
||||
# interface, you must have iproute installed and the interface
|
||||
# must be up before you start the firewall.
|
||||
#
|
||||
# In order to exclude a subset of the specified SUBNET, you
|
||||
# may append "!" and a comma-separated list of IP addresses
|
||||
# and/or subnets that you wish to exclude.
|
||||
#
|
||||
# Example: eth1!192.168.1.4,192.168.32.0/27
|
||||
#
|
||||
# In that example traffic from eth1 would be masqueraded unless
|
||||
# it came from 192.168.1.4 or 196.168.32.0/27
|
||||
#
|
||||
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
|
||||
# used and this will be the source address. If
|
||||
# ADD_SNAT_ALIASES is set to Yes or yes in
|
||||
# /etc/shorewall/shorewall.conf then Shorewall
|
||||
# will automatically add this address to the
|
||||
# INTERFACE named in the first column.
|
||||
#
|
||||
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
|
||||
# the address given in this column is the primary
|
||||
# IP address for the interface in the INTERFACE
|
||||
# column.
|
||||
#
|
||||
# Example 1:
|
||||
#
|
||||
# You have a simple masquerading setup where eth0 connects to
|
||||
# a DSL or cable modem and eth1 connects to your local network
|
||||
# with subnet 192.168.0.0/24.
|
||||
#
|
||||
# Your entry in the file can be either:
|
||||
#
|
||||
# eth0 eth1
|
||||
#
|
||||
# or
|
||||
#
|
||||
# eth0 192.168.0.0/24
|
||||
#
|
||||
# Example 2:
|
||||
#
|
||||
# You add a router to your local network to connect subnet
|
||||
# 192.168.1.0/24 which you also want to masquerade. You then
|
||||
# add the following entry to this file:
|
||||
#
|
||||
# eth0 192.168.1.0/24
|
||||
#
|
||||
# Example 3:
|
||||
#
|
||||
# You have an IPSEC tunnel through ipsec0 and you want to
|
||||
# masquerade packets coming from 192.168.1.0/24 but only if
|
||||
# these packets are destined for hosts in 10.1.1.0/24:
|
||||
#
|
||||
# ipsec0:10.1.1.0/24 196.168.1.0/24
|
||||
#
|
||||
# Example 4:
|
||||
#
|
||||
# You want all outgoing traffic from 192.168.1.0/24 through
|
||||
# eth0 to use source address 206.124.146.176.
|
||||
#
|
||||
# eth0 192.168.1.0/24 206.124.146.176
|
||||
#
|
||||
##############################################################################
|
||||
#INTERFACE SUBNET ADDRESS
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
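Review bot: two addresses in the examples do not match their own prose: the exclusion example `eth1!192.168.1.4,192.168.32.0/27` is explained as excluding `196.168.32.0/27`, and Example 3 lists `ipsec0:10.1.1.0/24 196.168.1.0/24` while the text says packets from 192.168.1.0/24. 196.168.x.x is public address space, so a reader who copies the example literally would masquerade the wrong range; change both to 192.168.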
14
Shorewall/modules
Normal file
@ -0,0 +1,14 @@
|
||||
##############################################################################
|
||||
# Shorewall 1.2 /etc/shorewall/modules
|
||||
#
|
||||
# This file loads the modules needed by the firewall.
|
||||
|
||||
loadmodule ip_tables
|
||||
loadmodule iptable_filter
|
||||
loadmodule ip_conntrack
|
||||
loadmodule ip_conntrack_ftp
|
||||
loadmodule ip_conntrack_irc
|
||||
loadmodule iptable_nat
|
||||
loadmodule ip_nat_ftp
|
||||
loadmodule ip_nat_irc
|
||||
|
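Review bot: the FTP and IRC helpers (`ip_conntrack_ftp`, `ip_conntrack_irc`, `ip_nat_ftp`, `ip_nat_irc`) are loaded unconditionally. These helpers parse application payloads in the kernel and open related connections based on what they see, so they enlarge the firewall's attack surface for every installation, including ones that carry no FTP or IRC at all. A comment marking them as optional, or shipping them commented out so the user enables only what the site needs, would be safer; `ip_tables`, `iptable_filter`, `ip_conntrack` and `iptable_nat` are the generic ones.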
30
Shorewall/nat
Executable file
@ -0,0 +1,30 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 1.2 -- Network Address Translation Table
|
||||
#
|
||||
# /etc/shorewall/nat
|
||||
#
|
||||
# This file is used to define static Network Address Translation (NAT).
|
||||
#
|
||||
# WARNING: If all you want to do is simple port forwarding, do NOT use this
|
||||
# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
|
||||
# cases, Proxy ARP is a better solution that static NAT.
|
||||
#
|
||||
# Columns must be separated by white space and are:
|
||||
#
|
||||
# EXTERNAL External IP Address - this should NOT be the primary
|
||||
# IP address of the interface named in the next
|
||||
# column
|
||||
# INTERFACE Interface that we want to EXTERNAL address to appear
|
||||
# on
|
||||
# INTERNAL Internal Address
|
||||
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
|
||||
# from all hosts. If No or no then NAT will be effective
|
||||
# only through the interface named in the INTERFACE
|
||||
# column
|
||||
# LOCAL If Yes or yes and the ALL INTERFACES column contains
|
||||
# Yes or yes, NAT will be effective from the firewall
|
||||
# system
|
||||
##############################################################################
|
||||
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
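Review bot: the INTERFACE description reads "Interface that we want to EXTERNAL address to appear on", presumably "that we want the EXTERNAL address to appear on", and the WARNING says "a better solution that static NAT" for "than". The ALL INTERFACES text defines the empty column as Yes, but the LOCAL column says nothing about what an empty value means; state it explicitly, since the two columns are read together.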
43
Shorewall/params
Normal file
@ -0,0 +1,43 @@
|
||||
#
|
||||
# Shorewall 1.2 /etc/shorewall/params
|
||||
#
|
||||
# Assign any variables that you need here.
|
||||
#
|
||||
# It is suggested that variable names begin with an upper case letter
|
||||
# to distinguish them from variables used internally within the
|
||||
# Shorewall programs
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# NET_IF=eth0
|
||||
# NET_BCAST=130.252.100.255
|
||||
# NET_OPTIONS=noping,norfc1918
|
||||
#
|
||||
# Example (/etc/shorewall/interfaces record):
|
||||
#
|
||||
# net $NET_IF $NET_BCAST $NET_OPTIONS
|
||||
#
|
||||
# The result will be the same as if the record had been written
|
||||
#
|
||||
# net eth0 130.252.100.255 noping,norfc1918
|
||||
#
|
||||
# Variables can be used in the following places in the other configuration
|
||||
# files:
|
||||
#
|
||||
# /etc/shorewall/interfaces:
|
||||
# /etc/shorewall/hosts
|
||||
#
|
||||
# All except the first column.
|
||||
#
|
||||
# /etc/shorewall/rules
|
||||
#
|
||||
# First column after ":".
|
||||
# All remaining columns
|
||||
#
|
||||
# /etc/shorewall/tunnels
|
||||
# /etc/shorewall/proxyarp
|
||||
# /etc/shorewall/nat
|
||||
#
|
||||
# All columns
|
||||
##############################################################################
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
47
Shorewall/policy
Normal file
@ -0,0 +1,47 @@
|
||||
#
|
||||
# Shorewall 1.2 -- Policy File
|
||||
#
|
||||
# /etc/shorewall/policy
|
||||
#
|
||||
# This file determines what to do with a new connection request if we
|
||||
# don't get a match from the /etc/shorewall/rules file or from the
|
||||
# /etc/shorewall/common[.def] file. For each client/server pair, the
|
||||
# file is processed in order until a match is found ("all" will match
|
||||
# any client or server).
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# CLIENT Location of client. Must be the name of a zone defined
|
||||
# in /etc/shorewall/zones, $FW or "all".
|
||||
#
|
||||
# SERVER Location of server. Must be the name of a zone defined
|
||||
# in /etc/shorewall/zones, $FW or "all"
|
||||
#
|
||||
# POLICY Policy if no match from the rules file is found. Must
|
||||
# be "ACCEPT", "DENY", "REJECT" or "CONTINUE"
|
||||
#
|
||||
# LOG LEVEL If supplied, each connection handled under the default
|
||||
# POLICY is logged at that level. If not supplied, no
|
||||
# log message is generated. See syslog.conf(5) for a
|
||||
# description of log levels.
|
||||
#
|
||||
# If you don't want to log but need to specify the
|
||||
# following column, place "_" here.
|
||||
#
|
||||
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
|
||||
# and the size of an acceptable burst. If not specified,
|
||||
# TCP connections are not limited.
|
||||
#
|
||||
# As shipped, the default policies are:
|
||||
#
|
||||
# a) All connections from the local network to the internet are allowed
|
||||
# b) All connections from the network are ignored but logged at syslog
|
||||
# level KERNEL.INFO.
|
||||
# d) All other connection requests are rejected and logged at level
|
||||
# KERNEL.INFO.
|
||||
###############################################################################
|
||||
#CLIENT SERVER POLICY LOG LEVEL LIMIT:BURST
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
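Review bot: the POLICY column description and the shipped entries disagree on the action keyword. The comment says POLICY must be "ACCEPT", "DENY", "REJECT" or "CONTINUE", but the default entry is `net all DROP info`, and the rules file in this same commit documents ACCEPT, DROP and REJECT; list DROP in the comment (or say whether DENY is an alias) so a user who copies the documented keyword does not get a parse failure. Two smaller points in the same header: the LOG LEVEL placeholder is given as "_", while the rules file uses "-" for "column intentionally empty" in PORT(S) and CLIENT PORT(S), so one placeholder should be used across the shipped files; and the "As shipped" list runs a), b), d) with no c), and b) says "from the network" where the entry it describes is the `net` zone, i.e. the internet.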
30
Shorewall/proxyarp
Normal file
@ -0,0 +1,30 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 1.2 -- Proxy ARP
|
||||
#
|
||||
# /etc/shorewall/proxyarp
|
||||
#
|
||||
# This file is used to define Proxy ARP.
|
||||
#
|
||||
# Columns must be separated by white space and are:
|
||||
#
|
||||
# ADDRESS IP Address
|
||||
# INTERFACE Local interface where system is connected. If the
|
||||
# local interface is obvious from the subnetting,
|
||||
# you may enter "-" in this column.
|
||||
# EXTERNAL External Interface to be used to access this system
|
||||
#
|
||||
# HAVEROUTE If there is already a route from the firewall to
|
||||
# the host whose address is given, enter "Yes" or "yes"
|
||||
# in this column. Otherwise, entry "no", "No" or leave
|
||||
# the column empty.
|
||||
#
|
||||
# Example: Host with IP 155.186.235.6 is connected to
|
||||
# interface eth1 and we want hosts attached via eth0
|
||||
# to be able to access it using that address.
|
||||
#
|
||||
# #ADDRESS INTERFACE EXTERNAL HAVEROUTE
|
||||
# 155.186.235.6 eth1 eth0 No
|
||||
##############################################################################
|
||||
#ADDRESS INTERFACE EXTERNAL HAVEROUTE
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
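Review bot: in the HAVEROUTE description, "Otherwise, entry "no", "No" or leave the column empty" should read "enter". The INTERFACE column says "-" may be given when the interface is obvious from the subnetting, but neither the example nor the header shows that form; a second example line using "-" would make the optional case concrete. The trailer reads "ADD YOUR ENTRIES BEFORE THIS ONE" here and "ABOVE THIS LINE" in the policy file; the shipped files should agree on one wording.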
16
Shorewall/releasenotes.txt
Executable file
@ -0,0 +1,16 @@
|
||||
This is a minor release of Shorewall.
|
||||
|
||||
In this release:
|
||||
|
||||
1. Whitelist support has been added.
|
||||
2. Optional SYN Flood protection is now available
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
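Review bot: the notes give neither the release number nor where the two new features live. The spec file in this commit sets version 1.2, release 13, so the first line should name that release. "Whitelist support" should say which file or rule form expresses a whitelist, and "Optional SYN Flood protection" should say how it is enabled; if it is the new LIMIT:BURST column in /etc/shorewall/policy (described there as the maximum TCP connection rate and burst), say so, because a reader of this file alone cannot find either feature. The run of blank lines at the end of the file can go.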
151
Shorewall/rules
Executable file
@ -0,0 +1,151 @@
|
||||
#
|
||||
# Shorewall version 1.2 - Rules File
|
||||
#
|
||||
# /etc/shorewall/rules
|
||||
#
|
||||
# Rules in this file govern connection establishment. Requests and
|
||||
# responses are automatically allowed using connection tracking.
|
||||
#
|
||||
# In most places where an IP address or subnet is allowed, you
|
||||
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
|
||||
# indicate that the rule matches all addresses except the address/subnet
|
||||
# given. Notice that no white space is permitted between "!" and the
|
||||
# address/subnet.
|
||||
#
|
||||
# If any of the following columns contain the word "none" then the rule
|
||||
# is ignored:
|
||||
#
|
||||
# PORT(S), CLIENT PORT(S), CLIENT(S) and SERVER.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
#
|
||||
# RESULT ACCEPT, DROP or REJECT
|
||||
#
|
||||
# ACCEPT -- allow the connection request
|
||||
# DROP -- ignore the request
|
||||
# REJECT -- disallow the request and return an
|
||||
# icmp-unreachable packet.
|
||||
#
|
||||
# May optionally be followed by ":" and a syslog log
|
||||
# level (e.g, REJECT:info). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# CLIENT(S) Hosts permitted to be clients. May be a zone defined
|
||||
# in /etc/shorewall/zones or $FW to indicate the
|
||||
# firewall itself.
|
||||
#
|
||||
# Clients may be further restricted to a list of subnets
|
||||
# and/or hosts by appending ":" and a comma-separated
|
||||
# list of subnets and/or hosts. Hosts may be specified
|
||||
# by IP or MAC address; mac addresses must begin with
|
||||
# "~" and must use "-" as a separator.
|
||||
#
|
||||
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
|
||||
#
|
||||
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
|
||||
# Internet
|
||||
#
|
||||
# loc:192.168.1.1,192.168.1.2
|
||||
# Hosts 192.168.1.1 and
|
||||
# 192.168.1.2 in the local zone.
|
||||
# loc:~00-A0-C9-15-39-78 Host in the local zone with
|
||||
# MAC address 00:A0:C9:15:39:78.
|
||||
#
|
||||
# Alternatively, clients may be specified by interface
|
||||
# by appending ":" followed by the interface name. For
|
||||
# example, loc:eth1 specifies a client that
|
||||
# communicates with the firewall system through eth1.
|
||||
#
|
||||
# SERVER Location of Server. May be a zone defined in
|
||||
# /etc/shorewall/zones or $FW to indicate the firewall
|
||||
# itself.
|
||||
#
|
||||
# The server may be further restricted to a particular
|
||||
# subnet, host or interface by appending ":" and the
|
||||
# subnet, host or interface. See above.
|
||||
#
|
||||
# The port that the server is listening on may be
|
||||
# included and separated from the server's IP address by
|
||||
# ":". If omitted, the firewall will not modifiy the
|
||||
# destination port.
|
||||
#
|
||||
# Example: loc:192.168.1.3:8080 specifies a local
|
||||
# server at IP address 192.168.1.3 and listening on port
|
||||
# 8080. The port number MUST be specified as an integer
|
||||
# and not as a name from /etc/services.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
|
||||
# "all" or "related". If "related", the remainder of the
|
||||
# entry must be omitted and connection requests that are
|
||||
# related to existing requests will be accepted.
|
||||
#
|
||||
# PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
# entered if any of the following ields are supplied.
|
||||
# In that case, it is suggested that this field contain
|
||||
# "-"
|
||||
#
|
||||
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
|
||||
# any source port is acceptable. Specified as a comma-
|
||||
# separated list of port names, port numbers or port
|
||||
# ranges.
|
||||
#
|
||||
# If you don't want to restrict client ports but need to
|
||||
# specify an ADDRESS in the next column, then place "-"
|
||||
# in this column.
|
||||
#
|
||||
# ADDRESS (0ptional) If included and different from the IP
|
||||
# address given in the SERVER column, this is an address
|
||||
# on some interface on the firewall and connections to
|
||||
# that address will be forwarded to the IP and port
|
||||
# specified in the SERVER column.
|
||||
#
|
||||
# If the special value "all" is used, then requests from
|
||||
# the client zone given in the CLIENT(s) column with the
|
||||
# destination port given in PORT(s) will be forwarded to
|
||||
# the IP address given in SERVER. The value "all" is
|
||||
# intended to be used when your internet IP address is
|
||||
# dynamic and you want to do port forwarding or you want
|
||||
# to do proxy redirection. IT SHOULD NOT BE USED IN ANY
|
||||
# OTHER SITUATION.
|
||||
#
|
||||
# The address (or "all") may optionally be followed by
|
||||
# a colon (":") an an IP address. This causes Shorewall
|
||||
# to use the specified IP address as the source address
|
||||
# in forwarded packets. See the Shorewall documentation
|
||||
# for restrictions concerning this feature. If no source
|
||||
# IP address is given, the original source address is not
|
||||
# altered.
|
||||
#
|
||||
# Example: Forward all ssh and http connection requests from the internet
|
||||
# to local system 192.168.1.3
|
||||
#
|
||||
# #RESULT CLIENTS SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
|
||||
# ACCEPT net loc:192.168.1.3 tcp ssh,http - all
|
||||
#
|
||||
# Example: Redirect all locally-originating www connection requests to
|
||||
# port 8080 on the firewall (Squid running on the firewall
|
||||
# system)except when the destination address is 192.168.2.2
|
||||
#
|
||||
# #RESULT CLIENTS SERVER(S) PROTO PORTS(S) CLIENT PORT(S) ADDRESS
|
||||
# ACCEPT loc $FW::8080 tcp www - !192.168.2.2
|
||||
##############################################################################
|
||||
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
|
||||
#
|
||||
# Allow SSH from the local network
|
||||
#
|
||||
ACCEPT loc $FW tcp ssh
|
||||
#
|
||||
# Allow SSH and Auth from the internet
|
||||
#
|
||||
ACCEPT net $FW tcp ssh,auth
|
||||
#
|
||||
# Run an NTP daemon on the firewall that is synced with outside sources
|
||||
#
|
||||
ACCEPT $FW net udp ntp
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
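Review bot: the live entry `ACCEPT net $FW tcp ssh,auth` opens SSH and ident on the firewall to the whole `net` zone on a fresh install, while the header's own examples (port forwarding, Squid redirect) are commented out. Ship this rule commented out, or restrict it with a CLIENT(S) host list in the form the header documents (`net:<admin-subnet>`, placeholder), and let the administrator enable it; the `net all DROP` policy is otherwise doing the right thing and this one line undoes it for ssh. Typos in the header comments: "preceed" (precede), "modifiy" (modify), "ields" (fields), "(0ptional)" is written with a zero, "a colon (":") an an IP address" (and an IP address), "system)except" needs a space, and "PORTS(S)" in the second example header should be "PORT(S)". The first example uses ADDRESS "all" for a net-to-loc forward; since the column text says "all" is only for a dynamic external address or proxy redirection, the example should state that it assumes a dynamic address.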
561
Shorewall/shorewall
Executable file
@ -0,0 +1,561 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall Packet Filtering Firewall Control Program - V1.2 - 12/21/2001
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
#
|
||||
# This file should be placed in /sbin/shorewall.
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
# If an error occurs while starting or restarting the firewall, the
|
||||
# firewall is automatically stopped.
|
||||
#
|
||||
# The firewall uses configuration files in /etc/shorewall/ - skeleton
|
||||
# files is included with the firewall.
|
||||
#
|
||||
# Commands are:
|
||||
#
|
||||
# shorewall start Starts the firewall
|
||||
# shorewall restart Restarts the firewall
|
||||
# shorewall stop Stops the firewall
|
||||
# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status
|
||||
# plus the last 20 "interesting"
|
||||
# packets
|
||||
# shorewall status Displays firewall status
|
||||
# shorewall reset Resets iptables packet and
|
||||
# byte counts
|
||||
# shorewall clear Open the floodgates by
|
||||
# removing all iptables rules
|
||||
# and setting the three permanent
|
||||
# chain policies to ACCEPT
|
||||
# shorewall refresh Rebuild the common chain to
|
||||
# compensate for a change of
|
||||
# broadcast address on any "detect"
|
||||
# interface.
|
||||
# shorewall show <chain> Display the rules in a <chain>
|
||||
# shorewall show log Print the last 20 log messages
|
||||
# shorewall show connections Show the kernel's connection
|
||||
# tracking table
|
||||
# shorewall show nat Display the rules in the nat table
|
||||
# shorewall show {mangle|tos} Display the rules in the mangle table
|
||||
# shorewall show tc Display traffic control info
|
||||
# shorewall version Display the installed version id
|
||||
# shorewall check Verify the more heavily-used
|
||||
# configuration files.
|
||||
# shorewall try <directory> [ <timeout> ] Try a new configuration and if
|
||||
# it doesn't work, revert to the
|
||||
# standard one. If a timeout is supplied
|
||||
# the command reverts back to the
|
||||
# standard configuration after that many
|
||||
# seconds have elapsed after successfully
|
||||
# starting the new configuration.
|
||||
#
|
||||
# Display a chain if it exists
|
||||
#
|
||||
showfirstchain() # $1 = name of chain
|
||||
{
|
||||
awk \
|
||||
'BEGIN {prnt=0;}; \
|
||||
/^$/ { next; };\
|
||||
/^Chain/ {if ( prnt == 1 ) exit; };\
|
||||
/Chain '$1'/ { prnt=1; }; \
|
||||
{ if (prnt == 1) print; }' /tmp/chains-$$
|
||||
}
|
||||
|
||||
showchain() # $1 = name of chain
|
||||
{
|
||||
if [ "$firstchain" = "Yes" ]; then
|
||||
showfirstchain $1
|
||||
firstchain=
|
||||
else
|
||||
awk \
|
||||
'BEGIN {prnt=0;};\
|
||||
/^$|^ pkts/ { next; };\
|
||||
/^Chain/ {if ( prnt == 1 ) exit; };\
|
||||
/Chain '$1'/ { prnt=1; };\
|
||||
{ if (prnt == 1) print; }' /tmp/chains-$$
|
||||
fi
|
||||
}
|
||||
|
||||
#################################################################################
|
||||
# Set the configuration variables from shorewall.conf #
|
||||
#################################################################################
|
||||
get_config() {
|
||||
get_statedir
|
||||
|
||||
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
|
||||
|
||||
if [ ! -f $LOGFILE ]; then
|
||||
echo "LOGFILE ($LOGFILE) does not exist!" >&2
|
||||
exit 2
|
||||
fi
|
||||
#
|
||||
# See if we have a real version of "tail" -- use separate redirection so
|
||||
# that ash (aka /bin/sh on LRP) doesn't crap
|
||||
#
|
||||
if ( tail -n5 $LOGFILE > /dev/null 2> /dev/null ) ; then
|
||||
realtail="Yes"
|
||||
else
|
||||
realtail=""
|
||||
fi
|
||||
|
||||
[ -n "$FW" ] || FW=fw
|
||||
}
|
||||
|
||||
#################################################################################
|
||||
# Display IPTABLES rules -- we used to store them in a variable but ash #
|
||||
# dies when trying to display large sets of rules #
|
||||
#################################################################################
|
||||
display_chains()
|
||||
{
|
||||
trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
|
||||
|
||||
if [ "$haveawk" = "Yes" ]; then
|
||||
#
|
||||
# Send the output to a temporary file since ash craps if we try to store
|
||||
# the output in a variable.
|
||||
#
|
||||
iptables -L -n -v > /tmp/chains-$$
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
echo -e "Standard Chains\\n"
|
||||
firstchain="Yes"
|
||||
showchain INPUT
|
||||
showchain OUTPUT
|
||||
showchain FORWARD
|
||||
|
||||
timed_read
|
||||
|
||||
for zone in $zones multi; do
|
||||
if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
firstchain=Yes
|
||||
eval display=\$${zone}_display
|
||||
echo -e "$display Chains\\n"
|
||||
for zone1 in $FW $zones; do
|
||||
showchain ${zone}2$zone1
|
||||
showchain @${zone}2$zone1
|
||||
[ "$zone" != "$zone1" ] && \
|
||||
showchain ${zone1}2${zone} && \
|
||||
showchain @${zone1}2${zone}
|
||||
done
|
||||
|
||||
timed_read
|
||||
fi
|
||||
done
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
firstchain=Yes
|
||||
echo -e "Policy Chains\\n"
|
||||
showchain badpkt
|
||||
showchain common
|
||||
showchain icmpdef
|
||||
showchain rfc1918
|
||||
showchain blacklst
|
||||
showchain reject
|
||||
for zone in $zones all; do
|
||||
showchain ${zone}2all
|
||||
showchain @${zone}2all
|
||||
[ "$zone" = "all" ] || { showchain all2${zone}; showchain @all2${zone}; }
|
||||
done
|
||||
|
||||
timed_read
|
||||
|
||||
qt rm -f /tmp/chains-$$
|
||||
else
|
||||
iptables -L -n -v
|
||||
timed_read
|
||||
fi
|
||||
trap - 1 2 3 4 5 6 9
|
||||
|
||||
}
|
||||
|
||||
#################################################################################
|
||||
# Delay $timeout seconds -- if we're running on a recent bash2 then allow #
|
||||
# <enter> to terminate the delay #
|
||||
#################################################################################
|
||||
timed_read ()
|
||||
{
|
||||
read -t $timeout foo 2> /dev/null
|
||||
|
||||
test $? -eq 2 && sleep $timeout
|
||||
}
|
||||
|
||||
#################################################################################
|
||||
# Display the last 20 packets logged #
|
||||
#################################################################################
|
||||
packet_log()
|
||||
{
|
||||
local options
|
||||
|
||||
[ -n "$realtail" ] && options="-n20"
|
||||
|
||||
grep 'Shorewall:\|ipt_unclean' $LOGFILE | \
|
||||
sed s/" $host kernel: Shorewall:"/" "/ | \
|
||||
sed s/" $host kernel: ipt_unclean: "/" "/ | \
|
||||
sed 's/MAC=.*SRC=/SRC=/' | \
|
||||
tail $options
|
||||
}
|
||||
|
||||
#################################################################################
|
||||
# Show traffic control information #
|
||||
#################################################################################
|
||||
show_tc() {
|
||||
|
||||
show_one_tc() {
|
||||
local device=${1%@*}
|
||||
qdisc=`tc qdisc list dev $device`
|
||||
|
||||
if [ -n "$qdisc" ]; then
|
||||
echo Device $device:
|
||||
tc -s -d qdisc show dev $device
|
||||
tc -s -d class show dev $device
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
ip link list | \
|
||||
while read inx interface details; do
|
||||
case $inx in
|
||||
[0-9]*)
|
||||
show_one_tc ${interface%:}
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
}
|
||||
|
||||
#################################################################################
|
||||
# Monitor the Firewall #
|
||||
#################################################################################
|
||||
monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
# an 'interesting' packet count changes
|
||||
{
|
||||
|
||||
get_config
|
||||
host=`echo $HOSTNAME | sed 's/\..*$//'`
|
||||
oldrejects=`iptables -L -v -n | grep 'LOG'`
|
||||
|
||||
if [ $1 -lt 0 ]; then
|
||||
let "timeout=- $1"
|
||||
pause="Yes"
|
||||
else
|
||||
pause="No"
|
||||
timeout=$1
|
||||
fi
|
||||
|
||||
qt which awk && { haveawk=Yes; determine_zones; } || haveawk=
|
||||
|
||||
while true; do
|
||||
display_chains
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
|
||||
echo -e "Dropped/Rejected Packet Log\\n"
|
||||
|
||||
rejects=`iptables -L -v -n | grep 'LOG'`
|
||||
|
||||
if [ "$rejects" != "$oldrejects" ]; then
|
||||
oldrejects="$rejects"
|
||||
echo -e '\a'
|
||||
packet_log
|
||||
|
||||
if [ "$pause" = "Yes" ]; then
|
||||
echo -en '\nEnter any character to continue: '
|
||||
read foo
|
||||
else
|
||||
timed_read
|
||||
fi
|
||||
else
|
||||
if [ "$pause" != "Yes" ]; then
|
||||
echo
|
||||
packet_log
|
||||
fi
|
||||
|
||||
timed_read
|
||||
fi
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
echo -e "NAT Status\\n"
|
||||
iptables -t nat -L -n -v
|
||||
echo -e "\\nTOS/MARK Status\\n"
|
||||
iptables -t mangle -L -n -v
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
echo -e "\\nTracked Connections\\n"
|
||||
cat /proc/net/ip_conntrack
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
echo -e "\\nTraffic Shaping/Control\\n"
|
||||
show_tc
|
||||
timed_read
|
||||
done
|
||||
}
|
||||
|
||||
#################################################################################
|
||||
# Give Usage Information #
|
||||
#################################################################################
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>"
|
||||
echo "where <command> is one of:"
|
||||
echo " show [<chain>|connections|log|nat|tc|tos]"
|
||||
echo " start"
|
||||
echo " stop"
|
||||
echo " reset"
|
||||
echo " restart"
|
||||
echo " status"
|
||||
echo " clear"
|
||||
echo " refresh"
|
||||
echo " hits"
|
||||
echo " monitor [<refresh interval>]"
|
||||
echo " version"
|
||||
echo " check"
|
||||
echo " try <directory> [ <timeout> ]"
|
||||
exit $1
|
||||
}
|
||||
|
||||
#################################################################################
|
||||
# Execution begins here #
|
||||
#################################################################################
|
||||
debugging=
|
||||
|
||||
if [ $# -gt 0 ] && [ "$1" = "debug" ]; then
|
||||
debugging=debug
|
||||
shift
|
||||
fi
|
||||
|
||||
nolock=
|
||||
|
||||
if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
|
||||
nolock=nolock
|
||||
shift
|
||||
fi
|
||||
|
||||
SHOREWALL_DIR=
|
||||
done=0
|
||||
|
||||
while [ $done -eq 0 ]; do
|
||||
[ $# -eq 0 ] && usage 1
|
||||
case $1 in
|
||||
-c)
|
||||
[ $# -eq 1 ] && usage 1
|
||||
|
||||
if [ ! -d $2 ]; then
|
||||
if [ -e $2 ]; then
|
||||
echo "$2 is not a directory" >&2 && exit 2
|
||||
else
|
||||
echo "Directory $2 does not exist" >&2 && exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
SHOREWALL_DIR=$2
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
done=1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ $# -eq 0 ] || [ $# -gt 3 ]; then
|
||||
usage 1
|
||||
fi
|
||||
|
||||
functions=/etc/shorewall/functions
|
||||
|
||||
if [ -n "$SHOREWALL_DIR" ]; then
|
||||
export SHOREWALL_DIR
|
||||
[ -f $SHOREWALL_DIR/functions ] && functions=$SHOREWALL_DIR/functions
|
||||
fi
|
||||
|
||||
if [ -f $functions ]; then
|
||||
. $functions
|
||||
else
|
||||
echo "/etc/shorewall/functions does not exist!" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
firewall=`find_file firewall`
|
||||
|
||||
if [ ! -f $firewall ]; then
|
||||
echo "ERROR: Shorewall is not properly installed"
|
||||
if [ -L $firewall ]; then
|
||||
echo " $firewall is a symbolic link to a"
|
||||
echo " non-existant file"
|
||||
else
|
||||
echo " The file /etc/shorewall/firewall does not exist"
|
||||
fi
|
||||
|
||||
exit 2
|
||||
fi
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
version_file=`find_file version`
|
||||
|
||||
if [ -f $version_file ]; then
|
||||
version=`cat $version_file`
|
||||
else
|
||||
echo "ERROR: Shoreline Firewall is not properly installed"
|
||||
echo " The file /etc/shorewall/version does not exist"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
banner="Shorewall-$version Status at $HOSTNAME -"
|
||||
|
||||
case "$1" in
|
||||
start|stop|restart|reset|clear|refresh|check)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
exec $firewall $debugging $nolock $1
|
||||
;;
|
||||
show)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
case "$2" in
|
||||
connections)
|
||||
echo -e "Shorewall-$version Connections at $HOSTNAME - `date`\\n"
|
||||
cat /proc/net/ip_conntrack
|
||||
;;
|
||||
nat)
|
||||
echo -e "Shorewall-$version NAT at $HOSTNAME - `date`\\n"
|
||||
iptables -t nat -L -n -v
|
||||
;;
|
||||
tos|mangle)
|
||||
echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n"
|
||||
iptables -t mangle -L -n -v
|
||||
;;
|
||||
log)
|
||||
get_config
|
||||
echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n"
|
||||
host=`echo $HOSTNAME | sed 's/\..*$//'`
|
||||
packet_log
|
||||
;;
|
||||
tc)
|
||||
echo -e "Shorewall-$version Traffic Control at $HOSTNAME - `date`\\n"
|
||||
show_tc
|
||||
;;
|
||||
*)
|
||||
echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n"
|
||||
iptables -L $2 -n -v
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
monitor)
|
||||
if [ $# -eq 2 ]; then
|
||||
monitor_firewall $2
|
||||
elif [ $# -eq 1 ]; then
|
||||
monitor_firewall 30
|
||||
else
|
||||
usage 1
|
||||
fi
|
||||
;;
|
||||
status)
|
||||
[ $# -eq 1 ] || usage 1
|
||||
get_config
|
||||
clear
|
||||
echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n"
|
||||
host=`echo $HOSTNAME | sed 's/\..*$//'`
|
||||
iptables -L -n -v
|
||||
echo
|
||||
packet_log
|
||||
echo
|
||||
iptables -t nat -L -n -v
|
||||
echo
|
||||
iptables -t mangle -L -n -v
|
||||
echo
|
||||
cat /proc/net/ip_conntrack
|
||||
;;
|
||||
hits)
|
||||
[ $# -eq 1 ] || usage 1
|
||||
get_config
|
||||
clear
|
||||
echo -e "Shorewall-$version Hits at $HOSTNAME - `date`\\n"
|
||||
timeout=30
|
||||
|
||||
if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then
|
||||
echo " HITS IP DATE"
|
||||
grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn
|
||||
echo ""
|
||||
|
||||
echo " HITS IP"
|
||||
grep "Shorewall:" $LOGFILE | sed 's/\(.*SRC=\)\(.* \)\(DST=.*\)/\2/' | sort | uniq -c | sort -rn
|
||||
echo ""
|
||||
|
||||
echo " HITS DATE"
|
||||
grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn
|
||||
echo ""
|
||||
|
||||
echo " HITS PORT SERVICE(S)"
|
||||
grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
|
||||
while read count port ; do
|
||||
# List all services defined for the given port
|
||||
srv=`grep "\\b$port/" /etc/services | cut -f 1 | sort -u`
|
||||
srv=`echo $srv | sed 's/ /,/g'`
|
||||
|
||||
if [ -n "$srv" ] ; then
|
||||
printf '%7d %5d %s\n' $count $port $srv
|
||||
else
|
||||
printf '%7d %5d\n' $count $port
|
||||
fi
|
||||
done
|
||||
fi
|
||||
;;
|
||||
version)
|
||||
echo $version
|
||||
;;
|
||||
try)
|
||||
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
|
||||
[ $# -lt 2 -o $# -gt 3 ] && usage 1
|
||||
$0 -c $2 restart
|
||||
if ! iptables -L shorewall > /dev/null 2> /dev/null; then
|
||||
$0 start
|
||||
elif [ $# -eq 3 ]; then
|
||||
sleep $3
|
||||
$0 restart
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
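Review bot: display_chains redirects `iptables -L -n -v` into /tmp/chains-$$, a predictable name in a world-writable directory, and this script runs as root; a symlink pre-created at that path would make the redirection overwrite whatever it points at. Create the file with mktemp, or put it under $STATEDIR, which shorewall.conf already reserves for runtime state, and refuse to use a path that already exists. The cleanup trap lists `1 2 3 4 5 6 9`: 9 cannot be caught, and 15 (TERM, the default for `kill`) is missing, so stopping the monitor the normal way leaves the file behind; the same list is repeated in the `trap -` reset. Smaller points: the script is `#!/bin/sh` and the comments say it must survive ash, yet monitor_firewall uses `let "timeout=- $1"` and `read -t`; timed_read guards `read -t` but `let` is unguarded. The command list in the header omits `hits`, which usage() and the case statement support, and usage() omits the `mangle` alias that `show` accepts. "non-existant" should be "non-existent", and the missing-version error exits 1 while every other installation error exits 2.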
189
Shorewall/shorewall.conf
Executable file
@ -0,0 +1,189 @@
|
||||
##############################################################################
|
||||
# /etc/shorewall/shorewall.conf V1.2 - Change the following variables to
|
||||
# match your setup
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# This file should be placed in /etc/shorewall
|
||||
#
|
||||
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
##############################################################################
|
||||
#
|
||||
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
|
||||
# is assumed.
|
||||
#
|
||||
FW=fw
|
||||
|
||||
|
||||
# Set this to the name of the lock file expected by your init scripts. For
|
||||
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
|
||||
# should be /var/state/shorewall. If your init scripts don't use lock files,
|
||||
# set -this to "".
|
||||
#
|
||||
|
||||
SUBSYSLOCK=/var/lock/subsys/shorewall
|
||||
|
||||
# This is the directory where the firewall maintains state information while
|
||||
# it is running
|
||||
#
|
||||
|
||||
STATEDIR=/var/lib/shorewall
|
||||
|
||||
#
|
||||
# Set this to "yes" or "Yes" if you want to accept all connection requests
|
||||
# that are related to already established connections. For example, you want
|
||||
# to accept FTP data connections. If you say "no" here, then to accept
|
||||
# these connections between particular zones or hosts, you must include
|
||||
# explicit "related" rules in /etc/shorewall/rules.
|
||||
#
|
||||
|
||||
ALLOWRELATED="yes"
|
||||
|
||||
#
|
||||
# If your netfilter kernel modules are in a directory other than
|
||||
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
|
||||
# directory in this variable. Example: MODULESDIR=/etc/modules.
|
||||
|
||||
MODULESDIR=""
|
||||
|
||||
#
|
||||
# The next two variables can be used to control the amount of log output
|
||||
# generated. LOGRATE is expressed as a number followed by an optional
|
||||
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
|
||||
# rate at which a particular message will occur. LOGBURST determines the
|
||||
# maximum initial burst size that will be logged. If set empty, the default
|
||||
# value of 5 will be used.
|
||||
#
|
||||
# If BOTH variables are set empty then logging will not be rate-limited.
|
||||
#
|
||||
|
||||
LOGRATE=""
|
||||
LOGBURST=""
|
||||
|
||||
|
||||
#
|
||||
# This variable determines the level at which Mangled/Invalid packets are logged
|
||||
# under the 'dropunclean' interface option. If you set this variable to an
|
||||
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
|
||||
# silently.
|
||||
#
|
||||
|
||||
LOGUNCLEAN=info
|
||||
|
||||
# This variable tells the /sbin/shorewall program where to look for Shorewall
|
||||
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
|
||||
# /var/log/messages is assumed.
|
||||
#
|
||||
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
|
||||
# look for Shorewall messages.It does NOT control the destination for
|
||||
# these messages. For information about how to do that, see
|
||||
#
|
||||
# http://www.shorewall.net/FAQ.htm#faq6
|
||||
|
||||
LOGFILE="/var/log/messages"
|
||||
|
||||
#
|
||||
# Enable nat support.
|
||||
#
|
||||
# You probally want yes here. Only gateways not doing NAT in any form, like
|
||||
# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
|
||||
#
|
||||
NAT_ENABLED="Yes"
|
||||
|
||||
#
|
||||
# Enable mangle support.
|
||||
#
|
||||
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
|
||||
# and will not initialize the mangle table when starting or stopping
|
||||
# your firewall. You must enable mangling if you want Traffic Shaping
|
||||
# (see TC_ENABLED below).
|
||||
#
|
||||
MANGLE_ENABLED="Yes"
|
||||
|
||||
#
|
||||
# Enable IP Forwarding
|
||||
#
|
||||
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
|
||||
# say "Off" or "off", packet forwarding will be disabled. You would only want
|
||||
# to disable packet forwarding if you are installing Shorewall on a
|
||||
# standalone system or if you want all traffic through the Shorewall system
|
||||
# to be handled by proxies.
|
||||
#
|
||||
# If you set this variable to "Keep" or "keep", Shorewall will neither
|
||||
# enable nor disable packet forwarding.
|
||||
#
|
||||
IP_FORWARDING="On"
|
||||
#
|
||||
# Automatically add IP Aliases
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
# for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases youself.
#
ADD_IP_ALIASES="Yes"

#
# Automatically add SNAT Aliases
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases youself.
#
ADD_SNAT_ALIASES="No"

#
# Enable Traffic Shaping
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
# you must enable packet mangling above.
#
TC_ENABLED="No"

#
# Blacklisting
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP

#
# Blacklist Logging
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beward of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
BLACKLIST_LOGLEVEL=

#
# MSS Clamping
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
CLAMPMSS="No"

#
# Route Filtering
#
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces (anti-spoofing measure).
#
ROUTE_FILTER="No"

#
# NAT before RULES
#
# Shorewall has traditionally processed static NAT rules before port forwarding
# rules. If you would like to reverse the order, set this variable to "No".

NAT_BEFORE_RULES="Yes"

#LAST LINE -- DO NOT REMOVE
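Review bot: the CLAMPMSS comment breaks off mid-sentence at "Your kernel must"; finish it with the kernel requirement the option depends on, the way the TC_ENABLED comment spells out its iproute2 and packet-mangling prerequisites, because a user who enables it on a kernel without that support gets a failure at start time and no hint why. Two typos in the same region: "youself" in both the ADD_IP_ALIASES and ADD_SNAT_ALIASES text, and "beward" in the BLACKLIST_LOGLEVEL text. The NAT_BEFORE_RULES block is also the only one whose comment is not closed by a `#` line before the assignment. Since ROUTE_FILTER ships as "No", its comment could say what anti-spoofing protection is absent while it is off, so the trade-off is visible to someone reading only the defaults.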
215
Shorewall/shorewall.spec
Normal file
@ -0,0 +1,215 @@
%define name shorewall
%define version 1.2
%define release 13
%define prefix /usr

Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
Version: %{version}
Release: %{release}
Prefix: %{prefix}
License: GPL
Packager: Tom Eastep <teastep@shorewall.net>
Group: Networking/Utilities
Source: %{name}-%{version}.%{release}.tgz
URL: http://www.shorewall.net/
BuildArch: noarch
BuildRoot: /%{_tmppath}/%{name}-%{version}-%{release}-root
Requires: iptables
Conflicts: kernel <= 2.2
Provides: shorewall

%description

Shoreline Firewall is an iptables-based firewall for Linux systems. The firewall
is designed to be used on:

a) Single systems attached to the internet via dial-in POP or ISDN.
b) Single systems attached full-time to the internet (ASDL, Cable, etc.)
c) Linux system used as a Masquerading gateway for one or more client and/or
server systems.

%prep

%setup -n %name-%version.%release

%build

%install
export PREFIX=$RPM_BUILD_ROOT ; \
export OWNER=`id -n -u` ; \
export GROUP=`id -n -g` ;\
./install.sh /etc/init.d

%clean
rm -rf $RPM_BUILD_ROOT

%post
if [ -x /sbin/insserv ]; then /sbin/insserv /etc/rc.d/shorewall; elif [ -x /sbin/chkconfig ]; then /sbin/chkconfig --add shorewall; fi

%preun
if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/shorewall ; elif [ -x /sbin/chkconfig ]; then /sbin/chkconfig --del shorewall; fi ; fi

%files
/etc/init.d/shorewall
%attr(0700,root,root) %dir /etc/shorewall
%attr(0600,root,root) /etc/shorewall/version
%attr(0600,root,root) /etc/shorewall/common.def
%attr(0600,root,root) /etc/shorewall/icmp.def
%attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
%attr(0600,root,root) %config(noreplace) /etc/shorewall/params
%attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp
%attr(0600,root,root) %config(noreplace) /etc/shorewall/masq
%attr(0600,root,root) %config(noreplace) /etc/shorewall/modules
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tos
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
%attr(0600,root,root) %config(noreplace) /etc/shorewall/whitelist
%attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /etc/shorewall/functions
/etc/shorewall/firewall
%doc documentation
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel

%changelog
* Tue Apr 23 2002 Tom Eastep <tom@shorewall.net>
- changed version to 13
- Added whitelist file.
* Thu Apr 18 2002 Tom Eastep <tom@shorewall.net>
- changed version to 12
* Tue Apr 16 2002 Tom Eastep <tom@shorewall.net>
- Merged Stefan's changes to create single RPM
* Mon Apr 15 2002 Stefan Mohr <stefan@familie-mohr.com>
- changed to SuSE Linux 7.3
* Wed Apr 10 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 11
* Tue Mar 19 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 10
* Sat Mar 09 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 9
* Sat Feb 23 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 8
* Thu Feb 21 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 7
* Tue Feb 05 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 6
* Wed Jan 30 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 5
* Sat Jan 26 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 4
- Merged Ajay's change to allow build by non-root
* Sun Jan 12 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 3
* Tue Jan 01 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 2
- Updated URL
- Added blacklist file
* Mon Dec 31 2001 Tom Eastep <tom@shorewall.net>
- changed Version to 1
* Wed Dec 19 2001 Tom Eastep <tom@shorewall.net>
- changed Version to 0
* Tue Dec 18 2001 Tom Eastep <tom@shorewall.net>
- changed Version to Rc1
* Sat Dec 15 2001 Tom Eastep <tom@shorewall.net>
- changed Version to Beta2
* Thu Nov 08 2001 Tom Eastep <tom@shorewall.net>
- changed Version to 1.2
- added tcrules file
* Sun Oct 21 2001 Tom Eastep <tom@shorewall.net>
- changed release to 17
* Sun Oct 21 2001 Tom Eastep <tom@shorewall.net>
- changed release to 16
* Sun Oct 14 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- changed release to 15
* Thu Oct 11 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- changed release to 14
* Tue Sep 11 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- changed release to 13
- added params file
* Tue Aug 28 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 12
* Fri Jul 27 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 11
* Sun Jul 08 2001 Ajay Ramaswamy <ajayr@bigfoot.com>
- reorganized spec file
- s/Copyright/License/
- now will build fron rpm -tb
* Fri Jul 06 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 10
* Tue Jun 19 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 9
- Added tunnel file
- Readded tunnels file
* Mon Jun 18 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 8
* Sat Jun 02 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 7
- Changed iptables dependency.
* Tue May 22 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 6
- Added tunnels file
* Sat May 19 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 5
- Added modules and tos files
* Sat May 12 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 4
- Added changelog.txt and releasenotes.txt
* Sat Apr 28 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 3
* Mon Apr 9 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Added files common.def and icmpdef.def
- Changed release to 2
* Wed Apr 4 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed the release to 1.
* Mon Mar 26 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Changed the version to 1.1
- Added hosts file
* Sun Mar 18 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Changed the release to 4
- Added Zones and Functions files
* Mon Mar 12 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change ipchains dependency to an iptables dependency and
changed the release to 3
* Fri Mar 9 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Add additional files.
* Thu Mar 8 2001 Tom EAstep <teastep@seattlefirewall.dyndns.org>
- Change version to 1.0.2
* Tue Mar 6 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change version to 1.0.1
* Sun Mar 4 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Changes for Shorewall
* Thu Feb 22 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change version to 4.1.0
* Fri Feb 2 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change version to 4.0.4
* Mon Jan 22 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change version to 4.0.2
* Sat Jan 20 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Changed version to 4.0
* Fri Jan 5 2001 Tom Eastep <teastep@evergo.net>
- Added dmzclients file
* Sun Dec 24 2000 Tom Eastep <teastep@evergo.net>
- Added ftpserver file
* Sat Aug 12 2000 Tom Eastep <teastep@evergo.net>
- Added "nat" and "proxyarp" files for 4.0
* Mon May 20 2000 Tom Eastep <teastep@evergo.net>
- added updown file
* Sat May 20 2000 Simon Piette <spiette@generation.net>
- Corrected the group - Networking/Utilities
- Added "noreplace" attributes to config files, so current confis is not
changed.
- Added the version file.
* Sat May 20 2000 Tom Eastep <teastep@evergo.net>
- Converted Simon's patch to version 3.1
* Sat May 20 2000 Simon Piette <spiette@generation.net>
- 3.0.2 Initial RPM
Patched the install script so it can take a PREFIX variable
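Review bot: the %post and %preun scriptlets disagree about where the init script lives. %post runs `/sbin/insserv /etc/rc.d/shorewall`, while %preun runs `/sbin/insserv -r /etc/init.d/shorewall` and %files packages `/etc/init.d/shorewall`, the path that `./install.sh /etc/init.d` in %install creates; the %post path should match, or insserv registration fails on the SuSE installs this spec was just merged to support. Two smaller points: `/etc/init.d/shorewall` and `/etc/shorewall/firewall` are the only %files entries without an %attr, so their modes depend on the build environment rather than the spec, and `%clean` runs `rm -rf $RPM_BUILD_ROOT` without checking that the variable is set and is not "/".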
47
Shorewall/tcrules
Executable file
@ -0,0 +1,47 @@
#
# Shorewall version 1.2 - Traffic Control Rules File
#
# /etc/shorewall/tcrules
#
# Entries in this file cause packets to be marked as a means of
# classifying them for traffic control.
#
# Columns are:
#
#
# MARK The mark value which is an
# integer in the range 1-255
#
# SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses
# and/or subnets. Use $FW if the packet originates on
# the firewall.
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# DEST Destination of the packet. Comma separated list of
# IP addresses and/or subnets.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# or "all".
#
# PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following field is supplied.
# In that case, it is suggested that this field contain
# "-"
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
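Review bot: the PORT(S) description refers to "PROTOCOL = all", but the column is named PROTO both in the column list and in the `#MARK SOURCE DEST PROTO ...` header line; use one name. The same paragraph reads "if any of the following field is supplied", and since only one column, CLIENT PORT(S), follows, it can say that directly. The MARK description gives the range 1-255 but not what happens to a value outside it (rejected when the rules are loaded, or silently accepted), which a user debugging a classification that never matches will want to know.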
52
Shorewall/tos
Executable file
@ -0,0 +1,52 @@
#
# Shorewall 1.2 -- /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#
# Columns are:
#
# SOURCE Name of a zone declared in /etc/shorewall/zones, "all"
# or $FW.
#
# If not "all" or $FW, may optionally be followed by
# ":" and an IP address, a MAC address, a subnet
# specification or the name of an interface.
#
# Example: loc:192.168.2.3
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# DEST Name of a zone declared in /etc/shorewall/zones, "all"
# or $FW.
#
# If not "all" or $FW, may optionally be followed by
# ":" and an IP address or a subnet specification
#
# Example: loc:192.168.2.3
#
# PROTOCOL Protocol.
#
# SOURCE PORTS Source port or port range. If all ports, use "-".
#
# DEST PORTS Destination port or port range. If all ports, use "-"
#
# TOS Type of service. Must be one of the following:
#
# Minimize-Delay (16)
# Maximize-Throughput (8)
# Maximize-Reliability (4)
# Minimize-Cost (2)
# Normal-Service (0)
#
##############################################################################
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
all all tcp - ssh 16
all all tcp ssh - 16
all all tcp - ftp 16
all all tcp ftp - 16
all all tcp ftp-data - 8
all all tcp - ftp-data 8
#LAST LINE -- Add your entries above -- DO NOT REMOVE
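Review bot: the PROTOCOL column is documented only as "Protocol." while the tcrules file in this same commit spells out the accepted forms ("tcp", "udp", "icmp", a number, or "all"); copy that wording here, and say whether "-" is required in SOURCE PORTS and DEST PORTS for protocols that have no ports, since those descriptions only cover the all-ports case. The TOS column lists names with numbers in parentheses but the shipped entries use the bare numbers 16 and 8; state whether the name, the number, or both are accepted. A one-line comment above the six default entries saying they are examples the user may delete would also make clear that ssh and ftp get Minimize-Delay and ftp-data Maximize-Throughput by choice, not by requirement.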
159
Shorewall/tunnel
Executable file
@ -0,0 +1,159 @@
#!/bin/sh

RCDLINKS="2,S45 3,S45 6,K45"
################################################################################
# Script to create a gre or ipip tunnel -- Shorewall 1.2
#
# Modified - Steve Cowles 5/9/2000
# Incorporated init {start|stop} syntax and iproute2 usage
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
#
# Modify the following variables to match your configuration
#
# chkconfig: 2345 26 89
# description: GRE/IP Tunnel
#
################################################################################

#
# Type of tunnel (gre or ipip)
#

tunnel_type=gre

# Name of the tunnel
#

tunnel="dfwbos"
#
# Address of your External Interface (only required for gre tunnels)
#
myrealip="x.x.x.x"

# Address of the local system -- this is the address of one of your
# local interfaces (or for a mobile host, the address that this system has
# when attached to the local network).
#

myip="192.168.1.254"

# Address of the Remote system -- this is the address of one of the
# remote system's local interfaces (or if the remote system is a mobile host,
# the address that it uses when attached to the local network).

hisip="192.168.9.1"

# Internet address of the Remote system
#

gateway="x.x.x.x"

# Remote sub-network -- if the remote system is a gateway for a
# private subnetwork that you wish to
# access, enter it here. If the remote
# system is a stand-alone/mobile host, leave this
# empty

subnet="192.168.9.0/24"

PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin

load_modules () {
case $tunnel_type in
ipip)
echo "Loading IP-ENCAP Module"
modprobe ipip
;;
gre)
echo "Loading GRE Module"
modprobe ip_gre
;;
esac
}

do_stop() {

if [ -n "`ip link show $tunnel 2>/dev/null`" ]; then
echo "Stopping $tunnel"
ip link set dev $tunnel down
fi

if [ -n "`ip addr show $tunnel 2>/dev/null`" ]; then
echo "Deleting $tunnel"
ip tunnel del $tunnel
fi
}

do_start() {

#NOTE: Comment out the next line if you have built gre/ipip into your kernel

load_modules

if [ -n "`ip link show $tunnel 2>/dev/null`" ]; then
do_stop
fi

echo "Adding $tunnel"

case $tunnel_type in
gre)
ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255
;;
*)
ip tunnel add $tunnel mode ipip remote $gateway
;;
esac

echo "Starting $tunnel"


ip link set dev $tunnel up

case $tunnel_type in
gre)
ip addr add $myip dev $tunnel
;;
*)
ip addr add $myip peer $hisip dev $tunnel
;;
esac

#
# As with all interfaces, the 2.4 kernels will add the obvious host
# route for this point-to-point interface
#

if [ -n "$subnet" ]; then
echo "Adding Routes"
case $tunnel_type in
gre)
ip route add $subnet dev $tunnel
;;
ipip)
ip route add $subnet via $gateway dev $tunnel onlink
;;
esac
fi
}

case "$1" in
start)
do_start
;;
stop)
do_stop
;;
restart)
do_stop
sleep 1
do_start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0
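Review bot: the existence tests in do_start and do_stop, `[ -n "`ip link show $tunnel 2>/dev/null`" ]`, succeed whenever `$tunnel` is empty, because `ip link show` with no device argument lists every interface; the script then runs `ip link set dev  down` and `ip tunnel del` with an empty name. Validate that `tunnel`, `gateway` and (for gre) `myrealip` are non-empty before doing anything, and refuse to start while `gateway` or `myrealip` still hold the shipped "x.x.x.x" placeholder, since as committed `start` attempts `ip tunnel add dfwbos mode gre remote x.x.x.x local x.x.x.x ttl 255` and fails half-way with the module already loaded. Quote the variable expansions throughout. Two consistency nits: do_stop tests `ip link show` before the down step but `ip addr show` before the delete step, where one test serves both, and the `chkconfig: 2345 26 89` header does not agree with `RCDLINKS="2,S45 3,S45 6,K45"` on start/stop priorities. Because gre and ipip carry no authentication, the header comment should also point the reader at /etc/shorewall/tunnels, where the entry that admits traffic for this interface is declared, so the tunnel is not brought up before that policy exists.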
51
Shorewall/tunnels
Normal file
@ -0,0 +1,51 @@
#
# Shorewall 1.2 - /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE and IPIP tunnels.
#
# IPIP and GRE tunnels must be configured on the firewall/gateway itself.
# IPSEC endpoints may be defined on the firewall/gateway or on an
# internal system.
#
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ip" or "gre"
#
# ZONE -- The zone of the physical interface through which
# tunnel traffic passes. This is normally your internet
# zone.
#
# GATEWAY -- The IP address of the remote tunnel gateway. If the
# remote getway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0.
#
# GATEWAY ZONE-- Optional. If the gateway system specified in the third
# column is a standalone host then this column should
# contain the name of the zone that the host is in. This
# column only applies to IPSEC tunnels.
#
# Example 1:
#
# IPSec tunnel. The remote gateway is 4.33.99.124 and
# the remote subnet is 192.168.9.0/24
#
# ipsec net 4.33.99.124
#
# Example 2:
#
# Road Warrior (LapTop that may connect from anywhere)
# where the "gw" zone is used to represent the remote
# LapTop.
#
# ipsec net 0.0.0.0/0 gw
#
# Example 3:
#
# Host 4.33.99.124 is a standalone system connected
# via an ipsec tunnel to the firewall system. The host
# is in zone gw.
#
# ipsec net 4.33.99.124 gw
#
# TYPE ZONE GATEWAY GATEWAY ZONE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
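Review bot: the TYPE description accepts "ipsec", "ip" or "gre", but the file header says it defines IPIP tunnels; state which spelling the parser takes ("ip", "ipip", or both) so a user does not guess. The Road Warrior guidance, "specify the gateway as 0.0.0.0/0", should say what that implies: the firewall then admits the tunnel traffic from any address in that zone, so all authentication rests on the IPSEC peer configuration, and the comment should say whether 0.0.0.0/0 is meant for ipsec entries only, since a gre or ipip entry with that gateway would accept unauthenticated encapsulated traffic from anywhere. The example for Example 1 should also mention that the remote subnet 192.168.9.0/24 it names is not expressed anywhere in the entry itself. Typo: "getway" in the GATEWAY description.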
155
Shorewall/uninstall.sh
Executable file
@ -0,0 +1,155 @@
#!/bin/sh
#
# Script to back uninstall Shoreline Firewall
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# Usage:
#
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall

VERSION=1.2.13

usage() # $1 = exit status
{
ME=`basename $0`
echo "usage: $ME"
exit $1
}

restore_file() # $1 = file to restore
{
if [ -f ${1}-shorewall.bkout ]; then
if (mv -f ${1}-shorewall.bkout $1); then
echo
echo "$1 restored"
else
exit 1
fi
fi
}

remove_file() # $1 = file to restore
{
if [ -f $1 -o -L $1 ] ; then
rm -f $1
echo "$1 Removed"
fi
}

if [ -f /etc/shorewall/version ]; then
INSTALLED_VERSION="`cat /etc/shorewall/version`"
if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
echo "WARNING: Shoreline Firewall Version $INSTALLED_VERSION is installed"
echo " and this is the $VERSION uninstaller."
VERSION="$INSTALLED_VERSION"
fi
else
echo "WARNING: Shoreline Firewall Version $VERSION is not installed"
VERSION=""
fi

echo "Uninstalling Shoreline Firewall $VERSION"

if [ -L /etc/shorewall/firewall ]; then
FIREWALL=`ls -l /etc/shorewall/firewall | sed 's/^.*> //'`

if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
insserv -r $FIREWALL
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
chkconfig --del `basename $FIREWALL`
fi

remove_file $FIREWALL
fi

remove_file /sbin/shorewall

if [ -n "$VERSION" ]; then
restore_file /etc/rc.d/rc.local
remove_file /etc/shorewall/shorewall.conf-${VERSION}.bkout
remove_file /etc/shorewall/zones-${VERSION}.bkout
remove_file /etc/shorewall/policy-${VERSION}.bkout
remove_file /etc/shorewall/interfaces-${VERSION}.bkout
remove_file /etc/shorewall/rules-${VERSION}.bkout
remove_file /etc/shorewall/nat-${VERSION}.bkout
remove_file /etc/shorewall/params-${VERSION}.bkout
remove_file /etc/shorewall/proxyarp-${VERSION}.bkout
remove_file /etc/shorewall/masq-${VERSION}.bkout
remove_file /etc/shorewall/version-${VERSION}.bkout
remove_file /etc/shorewall/functions-${VERSION}.bkout
remove_file /etc/shorewall/common.def-${VERSION}.bkout
remove_file /etc/shorewall/icmp.def-${VERSION}.bkout
remove_file /etc/shorewall/tunnels-${VERSION}.bkout
remove_file /etc/shorewall/tcrules-${VERSION}.bkout
remove_file /etc/shorewall/tos-${VERSION}.bkout
remove_file /etc/shorewall/modules-${VERSION}.bkout
remove_file /etc/shorewall/blacklist-${VERSION}.bkout
remove_file /etc/shorewall/whitelist-${VERSION}.bkout
fi

remove_file /etc/shorewall/firewall

remove_file /etc/shorewall/functions

remove_file /etc/shorewall/common.def

remove_file /etc/shorewall/icmp.def

remove_file /etc/shorewall/zones

remove_file /etc/shorewall/policy

remove_file /etc/shorewall/interfaces

remove_file /etc/shorewall/hosts

remove_file /etc/shorewall/rules

remove_file /etc/shorewall/nat

remove_file /etc/shorewall/params

remove_file /etc/shorewall/proxyarp

remove_file /etc/shorewall/masq

remove_file /etc/shorewall/modules

remove_file /etc/shorewall/tcrules

remove_file /etc/shorewall/tos

remove_file /etc/shorewall/tunnels

remove_file /etc/shorewall/blacklist

remove_file /etc/shorewall/whitelist

remove_file /etc/shorewall/shorewall.conf

remove_file /etc/shorewall/version

rmdir /etc/shorewall

echo "Shoreline Firewall Uninstalled"
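Review bot: the script deletes every file under /etc/shorewall, including the user-edited zones, policy, rules, interfaces and shorewall.conf, with no backup and no prompt, even though the spec file in this same commit marks those files %config(noreplace) precisely so local edits survive; either save them first (restore_file already establishes a `-shorewall.bkout` naming convention that could be reused) or require an explicit confirmation before removing them. Smaller points: the comment on `remove_file()` reads "$1 = file to restore" (copied from restore_file); `[ -f $1 -o -L $1 ]` and `rm -f $1` leave `$1` unquoted; resolving the symlink with `ls -l /etc/shorewall/firewall | sed 's/^.*> //'` depends on ls output format and breaks on a target path containing "> "; the header comment says "Script to back uninstall" and still refers to "Seattle Firewall"; and `usage()` is defined but never called, so any argument is silently ignored.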
18
Shorewall/whitelist
Normal file
@ -0,0 +1,18 @@
#
# Shorewall 1.2 -- Whitelist File
#
# /etc/shorewall/whitelist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
# If a connection request fails to match any of the rules defined in
# /etc/shorewall/rules then the connection source is compared against this
# list; if a match is found, the connection request is accepted.
#
# MAC addresses must be prefixed with "~" and use "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
###############################################################################
#ADDRESS/SUBNET
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
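Review bot: the description says a source on this list is "accepted" when no rule in /etc/shorewall/rules matches, but not what that overrides: whether the entry wins over the zone policy for every destination zone and every port, and how it interacts with /etc/shorewall/blacklist when an address appears in both files. As written, one entry grants its source unrestricted access through the firewall, so the comment should say so plainly and recommend the narrowest form (a single address rather than a subnet). The spec file packages this file with mode 0600 inside a 0700 directory, which is right for a file with that effect; the comment could note that the file is consulted only at start, so an edit takes effect on the next restart.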
14
Shorewall/zones
Normal file
@ -0,0 +1,14 @@
#
# Shorewall 1.2 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
dmz DMZ Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE