Shorewall 1.4.3

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@556 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-05-18 18:44:24 +00:00
parent 72bb7e0a83
commit 8386b811ff
6 changed files with 74 additions and 39 deletions

View File

@ -54,6 +54,15 @@
LOGFILE=/var/log/messages
#
# LOG MARKER
#
# Used to identify Shorewall log messages. If you are using fireparse, you must
# set this to "fp=Shorewall:". You may not use the ULOG level with fireparse and
# you must not embed white space in the LOGMARKER value.
LOGMARKER="Shorewall:"
#
# LOG RATE LIMITING
#

View File

@ -10,7 +10,7 @@
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
# "gre", "pptpclient", "pptpserver" or "openvpn".
# "gre", "6to4", "pptpclient", "pptpserver" or "openvpn".
#
# If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no

View File

@ -134,6 +134,8 @@ get_config() {
fi
[ -n "$FW" ] || FW=fw
[ -n "$LOGMARKER" ] || LOGMARKER="Shorewall:"
}
#
@ -259,9 +261,9 @@ packet_log() # $1 = number of messages
[ -n "$realtail" ] && options="-n$1"
grep 'Shorewall:\|ipt_unclean' $LOGFILE | \
grep "${LOGMARKER}\|ipt_unclean" $LOGFILE | \
sed s/" kernel:"// | \
sed s/" $host Shorewall:"/" "/ | \
sed s/" $host $LOGMARKER"/" "/ | \
sed s/" $host kernel: ipt_unclean: "/" "/ | \
sed 's/MAC=.*SRC=/SRC=/' | \
tail $options
@ -732,27 +734,27 @@ case "$1" in
timeout=30
if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then
if [ `grep -c "$LOGMARKER" $LOGFILE ` -gt 0 ] ; then
echo " HITS IP DATE"
echo " ---- --------------- ------"
grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn
grep "$LOGMARKER" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn
echo ""
echo " HITS IP PORT"
echo " ---- --------------- -----"
grep "Shorewall:" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
grep "$LOGMARKER" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
t
s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn
echo ""
echo " HITS DATE"
echo " ---- ------"
grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn
grep "$LOGMARKER" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn
echo ""
echo " HITS PORT SERVICE(S)"
echo " ---- ----- ----------"
grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
grep '${LOGMARKER}.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
while read count port ; do
# List all services defined for the given port
srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u`

View File

@ -95,7 +95,11 @@ error_message() # $* = Error Message
fatal_error() # $* = Error Message
{
echo " Error: $@" >&2
[ $command = check ] || stop_firewall
if [ $command = check ]; then
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
else
stop_firewall
fi
exit 2
}
@ -1130,6 +1134,9 @@ setup_tunnels() # $1 = name of tunnels file
gre|GRE)
setup_one_other GRE $gateway 47
;;
6to4|6TO4)
setup_one_other 6to4 $gateway 41
;;
pptpclient|PPTPCLIENT)
setup_pptp_client $gateway
;;
@ -1316,7 +1323,7 @@ setup_mac_lists() {
done
[ -n "$logpart" ] && \
run_iptables -A $chain $logpart "Shorewall:$chain:$MACLIST_DISPOSITION:"
run_iptables -A $chain $logpart "${LOGMARKER}$chain:$MACLIST_DISPOSITION:"
run_iptables -A $chain -j $maclist_target
done
@ -2015,11 +2022,11 @@ add_a_rule()
if [ "$loglevel" = ULOG ]; then
run_iptables2 -A $chain $proto $multiport \
$state $cli $sports $serv $dports -j ULOG $LOGPARMS \
--ulog-prefix "Shorewall:$chain:$logtarget:"
--ulog-prefix "${LOGMARKER}$chain:$logtarget:"
else
run_iptables2 -A $chain $proto $multiport \
$state $cli $sports $serv $dports -j LOG $LOGPARMS \
--log-prefix "Shorewall:$chain:$logtarget:" \
--log-prefix "${LOGMARKER}$chain:$logtarget:" \
--log-level $loglevel
fi
fi
@ -2042,11 +2049,11 @@ add_a_rule()
if [ "$loglevel" = ULOG ]; then
run_iptables2 -A $chain $proto $multiport \
$dest_interface $state $cli $sports $dports -j ULOG \
$LOGPARMS --ulog-prefix "Shorewall:$chain:$logtarget:"
$LOGPARMS --ulog-prefix "${LOGMARKER}$chain:$logtarget:"
else
run_iptables2 -A $chain $proto $multiport \
$dest_interface $state $cli $sports $dports -j LOG \
$LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \
$LOGPARMS --log-prefix "${LOGMARKER}$chain:$logtarget:" \
--log-level $loglevel
fi
fi
@ -2551,10 +2558,10 @@ policy_rules() # $1 = chain to add rules to
if [ $# -eq 3 -a "x${3}" != "x-" ]; then
if [ "$3" = ULOG ]; then
run_iptables -A $1 -j ULOG $LOGPARMS \
--ulog-prefix "Shorewall:${1}:${2}:"
--ulog-prefix "${LOGMARKER}${1}:${2}:"
else
run_iptables -A $1 -j LOG $LOGPARMS \
--log-prefix "Shorewall:${1}:${2}:" --log-level $3
--log-prefix "${LOGMARKER}${1}:${2}:" --log-level $3
fi
fi
@ -2878,11 +2885,11 @@ add_blacklist_rule() {
if [ "$BLACKLIST_LOGLEVEL" = ULOG ]; then
run_iptables2 -A blacklst $source $proto $dport -j \
ULOG $LOGPARMS --ulog-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:"
"${LOGMARKER}blacklst:$BLACKLIST_DISPOSITION:"
else
run_iptables2 -A blacklst $source $proto $dport -j \
LOG $LOGPARMS --log-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
"${LOGMARKER}blacklst:$BLACKLIST_DISPOSITION:" \
--log-level $BLACKLIST_LOGLEVEL
fi
fi
@ -3196,6 +3203,12 @@ initialize_netfilter () {
setcontinue INPUT
setcontinue OUTPUT
#
# Enable the Loopback interface
#
run_iptables -A INPUT -i lo -j ACCEPT
run_iptables -A OUTPUT -o lo -j ACCEPT
#
# Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
#
@ -3216,10 +3229,10 @@ initialize_netfilter () {
if [ -n "$LOGNEWNOTSYN" ]; then
if [ "$LOGNEWNOTSYN" = ULOG ]; then
run_iptables -A newnotsyn -j ULOG $LOGPARMS \
--ulog-prefix "Shorewall:newnotsyn:DROP:"
--ulog-prefix "${LOGMARKER}newnotsyn:DROP:"
else
run_iptables -A newnotsyn -j LOG $LOGPARMS \
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
--log-prefix "${LOGMARKER}newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
fi
fi
@ -3294,16 +3307,26 @@ add_common_rules() {
logdisp() # $1 = Chain Name
{
if [ "$RFC1918_LOG_LEVEL" = ULOG ]; then
echo "ULOG $LOGPARMS --ulog-prefix Shorewall:${1}:DROP:"
echo "ULOG $LOGPARMS --ulog-prefix ${LOGMARKER}${1}:DROP:"
else
echo "LOG $LOGPARMS --log-prefix Shorewall:${1}:DROP: --log-level $RFC1918_LOG_LEVEL"
echo "LOG $LOGPARMS --log-prefix ${LOGMARKER}${1}:DROP: --log-level $RFC1918_LOG_LEVEL"
fi
}
#
# Reject Rules
#
run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
run_iptables -A reject -j REJECT
run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
run_iptables -A reject -p udp -j REJECT
#
# Not all versions of iptables support these so don't complain if they don't work
#
qt iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
if ! qt iptables -A reject -j REJECT --reject-with icmp-host-prohibited; then
#
# In case the above doesn't work
#
run_iptables -A reject -j REJECT
fi
#
# dropunclean rules
#
@ -3314,10 +3337,10 @@ add_common_rules() {
if [ -n "$LOGUNCLEAN" ]; then
if [ "$LOGUNCLEAN" = ULOG ]; then
logoptions="-j ULOG $LOGPARMS --ulog-prefix Shorewall:badpkt:DROP:"
logoptions="-j ULOG $LOGPARMS --ulog-prefix ${LOGMARKER}badpkt:DROP:"
logoptions="$logoptions --log-ip-options"
else
logoptions="-j LOG $LOGPARMS --log-prefix Shorewall:badpkt:DROP:"
logoptions="-j LOG $LOGPARMS --log-prefix ${LOGMARKER}badpkt:DROP:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
fi
@ -3346,10 +3369,10 @@ add_common_rules() {
[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
if [ "$LOGUNCLEAN" = ULOG ]; then
logoptions="-j ULOG $LOGPARMS --ulog-prefix Shorewall:logpkt:LOG:"
logoptions="-j ULOG $LOGPARMS --ulog-prefix ${LOGMARKER}logpkt:LOG:"
logoptions="$logoptions --log-ip-options"
else
logoptions="-j LOG $LOGPARMS --log-prefix Shorewall:logpkt:LOG:"
logoptions="-j LOG $LOGPARMS --log-prefix ${LOGMARKER}logpkt:LOG:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
fi
@ -3450,12 +3473,12 @@ add_common_rules() {
if [ "$TCP_FLAGS_LOG_LEVEL" = ULOG ]; then
run_iptables -A logflags -j ULOG $LOGPARMS \
--ulog-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \
--ulog-prefix "${LOGMARKER}logflags:$TCP_FLAGS_DISPOSITION:" \
--log-tcp-options --log-ip-options
else
run_iptables -A logflags -j LOG $LOGPARMS \
--log-level $TCP_FLAGS_LOG_LEVEL \
--log-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \
--log-prefix "${LOGMARKER}logflags:$TCP_FLAGS_DISPOSITION:" \
--log-tcp-options --log-ip-options
fi
case $TCP_FLAGS_DISPOSITION in
@ -3494,12 +3517,6 @@ add_common_rules() {
#
setup_blacklist
#
# Enable the Loopback interface
#
run_iptables -A INPUT -i lo -j ACCEPT
run_iptables -A OUTPUT -o lo -j ACCEPT
#
# Route Filtering
#
@ -4101,6 +4118,8 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
fi
done < ${STATEDIR}/chains
rm -rf $TMP_DIR
echo "$1 added to zone $2"
}
@ -4209,7 +4228,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
qt iptables -D OUTPUT -o $interface -d $host -j $chain
else
eval source_hosts=\"\$${z1}_hosts\"
for h in $source_hosts; do
iface=${h%:*}
hosts=${h#*:}
@ -4222,6 +4241,8 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
fi
done < ${STATEDIR}/chains
rm -rf $TMP_DIR
echo "$1 removed from zone $2"
}
@ -4323,6 +4344,7 @@ do_initialize() {
SHARED_DIR=/usr/share/shorewall
FUNCTIONS=
VERSION_FILE=
LOGMARKER=
stopping=
have_mutex=
@ -4449,6 +4471,8 @@ do_initialize() {
CLEAR_TC=
fi
[ -n "$LOGMARKER" ] || LOGMARKER="Shorewall:"
#
# Strip the files that we use often
#

View File

@ -1 +1 @@
1.4.2
1.4.3

View File

@ -1 +1 @@
1.4.2
1.4.3