From 870366caf75d69d15855f24b8d3af8e74c3665bd Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 14 Feb 2004 16:36:30 +0000
Subject: [PATCH] More 2.0 Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1142 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/common.def | 49 ---------------------------------------
 Shorewall2/install.sh | 18 ++++----------
 Shorewall2/rules | 29 +++++++++++++++++++----
 Shorewall2/shorewall.spec | 9 ++++---
 4 files changed, 34 insertions(+), 71 deletions(-)
 delete mode 100644 Shorewall2/common.def

diff --git a/Shorewall2/common.def b/Shorewall2/common.def
deleted file mode 100644
index ea3abeb35..000000000
--- a/Shorewall2/common.def
+++ /dev/null
@@ -1,49 +0,0 @@
-############################################################################
-# Shorewall 1.4 -- /etc/shorewall/common.def
-#
-# This file defines the rules that are applied before a policy of
-# DROP or REJECT is applied. In addition to the rules defined in this file,
-# the firewall will also define a DROP rule for each subnet broadcast
-# address defined in /etc/shorewall/interfaces (including "detect").
-#
-# Do not modify this file -- if you wish to change these rules, create
-# /etc/shorewall/common to replace it. It is suggested that you include
-# the command ". /etc/shorewall/common.def" in your
-# /etc/shorewall/common file so that you will continue to get the
-# advantage of new releases of this file.
-#
-run_iptables -A common -p icmp -j icmpdef
-############################################################################
-# NETBIOS chatter
-#
-run_iptables -A common -p udp --dport 135 -j DROP
-run_iptables -A common -p udp --dport 137:139 -j DROP
-run_iptables -A common -p udp --dport 445 -j DROP
-run_iptables -A common -p tcp --dport 139 -j DROP
-run_iptables -A common -p tcp --dport 445 -j DROP
-run_iptables -A common -p tcp --dport 135 -j DROP
-############################################################################
-# UPnP
-#
-run_iptables -A common -p udp --dport 1900 -j DROP
-############################################################################
-# BROADCASTS
-#
-run_iptables -A common -d 255.255.255.255 -j DROP
-run_iptables -A common -d 224.0.0.0/4 -j DROP
-############################################################################
-# AUTH -- Silently reject it so that connections don't get delayed.
-#
-run_iptables -A common -p tcp --dport 113 -j reject
-############################################################################
-# DNS -- Silenty drop late replies
-#
-run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
-############################################################################
-# ICMP -- Silently drop null-address ICMPs
-#
-run_iptables -A common -p icmp -s 0.0.0.0 -j DROP
-run_iptables -A common -p icmp -d 0.0.0.0 -j DROP
-
-
-
diff --git a/Shorewall2/install.sh b/Shorewall2/install.sh
index fe21fb47f..5b2ad5afe 100755
--- a/Shorewall2/install.sh
+++ b/Shorewall2/install.sh
@@ -265,13 +265,6 @@ install_file_with_backup help ${PREFIX}/usr/share/shorewall/help 0544
 echo
 echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
-#
-# Install the common.def file
-#
-install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444
-
-echo
-echo "Common rules installed in ${PREFIX}/etc/shorewall/common.def"
 #
 # Delete the icmp.def file
@@ -510,13 +503,10 @@ fi
 #
 # Install the Standard Actions file
 #
-if [ -f ${PREFIX}/etc/shorewall/actions.std ]; then
- backup_file /etc/shorewall/actions.std
-else
- run_install -o $OWNER -g $GROUP -m 0600 actions.std ${PREFIX}/etc/shorewall/actions.std
- echo
- echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
-fi
+install_file_with_backup actions.std ${PREFIX}/etc/shorewall/actions.std 0600
+echo
+echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
+
 #
 # Install the Actions file
 #
diff --git a/Shorewall2/rules b/Shorewall2/rules
index c26000d14..54a7e2363 100755
--- a/Shorewall2/rules
+++ b/Shorewall2/rules
@@ -39,7 +39,6 @@
 # Like REDIRET but only generates the
 # REDIRECT iptables rule and not
 # the companion ACCEPT rule.
-#
 # CONTINUE -- (For experts only). Do not process
 # any of the following rules for this
 # (source zone,destination zone). If
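Review bot: The new `install_file_with_backup actions.std ${PREFIX}/etc/shorewall/actions.std 0600` call in the second install.sh hunk now replaces a locally edited actions.std on every run, where the removed branch left an existing file untouched; the comment above it should say so, e.g. `# Install the Standard Actions file (an existing copy is backed up, then replaced)`, so an administrator who edited that file is not surprised after an upgrade. `${PREFIX}` is still expanded unquoted here as elsewhere in this file, so a prefix containing whitespace would split the argument — a style point consistent with the surrounding code rather than a new defect. Related: the first install.sh hunk drops the common.def installation but adds no removal of a `${PREFIX}/etc/shorewall/common.def` left behind by an earlier install, unlike the `Delete the icmp.def file` step visible in its trailing context; whether the firewall script still reads a stale copy cannot be seen from this patch.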
@@ -51,16 +50,33 @@
 # (those) zone(s).
 # LOG -- Simply log the packet and continue.
 # QUEUE -- Queue the packet to a user-space
-# application such as ftwall
-# (http://p2pwall.sf.net).
+# application such as p2pwall.
 # -- The name of an action defined in
 # /etc/shorewall/actions.
 #
-# The ACTION may optionally be followed
+# You may rate-limit the rule by optionally
+# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
+#
+# < /[:] >
+#
+# where is the number of connections per
+# ("sec" or "min") and is the
+# largest burst permitted. If no is given,
+# a value of 5 is assumed. There may be no
+# no whitespace embedded in the specification.
+#
+# Example: ACCEPT<10/sec:20>
+#
+# The ACTION (and rate limit) may optionally be followed
 # by ":" and a syslog log level (e.g, REJECT:info or
-# DNAT:debug). This causes the packet to be
+# DNAT<4/sec:8>:debugging). This causes the packet to be
 # logged at the specified level.
 #
+# NOTE: For those of you who prefer to place the
+# rate limit in a separate column, see the RATE LIMIT
+# column below. If you specify a value in that column,
+# you must not include a rate limit in the ACTION column
+#
 # You may also specify ULOG (must be in upper case) as a
 # log level.This will log to the ULOG target for routing
 # to a separate log through use of ulogd
@@ -216,6 +232,9 @@
 #
 # Example: 10/sec:20
 #
+# If you place a rate limit in this column, you may not
+# place a similar limit in the ACTION column.
+#
 # USER/GROUP This column may only be non-empty if the SOURCE is
 # the firewall itself.
 #
diff --git a/Shorewall2/shorewall.spec b/Shorewall2/shorewall.spec
index a2e3f04b9..cb140ab3d 100644
--- a/Shorewall2/shorewall.spec
+++ b/Shorewall2/shorewall.spec
@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 2.0.0
-%define release 0Beta1
+%define release 0Beta2
 %define prefix /usr
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
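Review bot: The added lines `+# a value of 5 is assumed. There may be no` and `+# no whitespace embedded in the specification.` repeat "no" across the line break; drop one, e.g. `# a value of 5 is assumed. There may be no` followed by `# whitespace embedded in the specification.`. The rewritten example `DNAT<4/sec:8>:debugging` replaces the removed line's `debug` with `debugging`; since the sentence before it says the suffix is a syslog log level, and `debug` is that level's name, `debugging` reads as a typo unless the parser accepts it — confirm which is intended. The placeholders in `< /[:] >` and `where is the number of connections per` look stripped (angle-bracketed names such as rate, interval and burst would fit the surrounding text and the `ACCEPT<10/sec:20>` example); that is probably a rendering artifact rather than the commit, but the file itself should be checked.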
@@ -73,7 +73,7 @@ fi
 %attr(0700,root,root) %dir /usr/share/shorewall
 %attr(0700,root,root) %dir /var/lib/shorewall
 %attr(0600,root,root) /usr/share/shorewall/version
-%attr(0600,root,root) /etc/shorewall/common.def
+%attr(0600,root,root) /etc/shorewall/actions.std
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
@@ -127,7 +127,6 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/action.RejectSMB
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/action.template
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
-%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions.std
 %attr(0544,root,root) /sbin/shorewall
 %attr(0444,root,root) /usr/share/shorewall/functions
@@ -136,6 +135,10 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
+* Sat Feb 14 2004 Tom Eastep
+- Removed common.def
+- Unconditionally replace actions.std
+- Update for Beta 2
 * Thu Feb 12 2004 Tom Eastep
 - Added action.AllowPCA
 * Sun Feb 08 2004 Tom Eastep
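Review bot: The new line `+%attr(0600,root,root) /etc/shorewall/actions.std` lists the file with no `%config` attribute, so on an rpm upgrade a locally modified actions.std is overwritten and no copy is kept, whereas install.sh in this same commit takes a backup before replacing it. If the intent stated in the changelog ("Unconditionally replace actions.std") is to refresh the file without discarding an administrator's edits, `%attr(0600,root,root) %config /etc/shorewall/actions.std` — `%config` without `noreplace` — installs the new version and preserves a modified old one as `actions.std.rpmsave`. The same consideration applies to the following hunk, which deletes the previous `%config(noreplace)` entry for this path.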