More 2.0 Updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1142 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
d1caa706a5
commit
870366caf7
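--- a/common.def
+++ /dev/null
@@ -1,49 +0,0 @@
-############################################################################
-# Shorewall 1.4 -- /etc/shorewall/common.def
-#
-# This file defines the rules that are applied before a policy of
-# DROP or REJECT is applied. In addition to the rules defined in this file,
-# the firewall will also define a DROP rule for each subnet broadcast
-# address defined in /etc/shorewall/interfaces (including "detect").
-#
-# Do not modify this file -- if you wish to change these rules, create
-# /etc/shorewall/common to replace it. It is suggested that you include
-# the command ". /etc/shorewall/common.def" in your
-# /etc/shorewall/common file so that you will continue to get the
-# advantage of new releases of this file.
-#
-run_iptables -A common -p icmp -j icmpdef
-############################################################################
-# NETBIOS chatter
-#
-run_iptables -A common -p udp --dport 135 -j DROP
-run_iptables -A common -p udp --dport 137:139 -j DROP
-run_iptables -A common -p udp --dport 445 -j DROP
-run_iptables -A common -p tcp --dport 139 -j DROP
-run_iptables -A common -p tcp --dport 445 -j DROP
-run_iptables -A common -p tcp --dport 135 -j DROP
-############################################################################
-# UPnP
-#
-run_iptables -A common -p udp --dport 1900 -j DROP
-############################################################################
-# BROADCASTS
-#
-run_iptables -A common -d 255.255.255.255 -j DROP
-run_iptables -A common -d 224.0.0.0/4 -j DROP
-############################################################################
-# AUTH -- Silently reject it so that connections don't get delayed.
-#
-run_iptables -A common -p tcp --dport 113 -j reject
-############################################################################
-# DNS -- Silenty drop late replies
-#
-run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
-############################################################################
-# ICMP -- Silently drop null-address ICMPs
-#
-run_iptables -A common -p icmp -s 0.0.0.0 -j DROP
-run_iptables -A common -p icmp -d 0.0.0.0 -j DROP
-
-
-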
@ -265,13 +265,6 @@ install_file_with_backup help ${PREFIX}/usr/share/shorewall/help 0544
echo
echo
echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
#
# Install the common.def file
#
install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444
echo
echo "Common rules installed in ${PREFIX}/etc/shorewall/common.def"
#
#
# Delete the icmp.def file
# Delete the icmp.def file
@ -510,13 +503,10 @@ fi
#
#
# Install the Standard Actions file
# Install the Standard Actions file
#
#
if [ -f ${PREFIX}/etc/shorewall/actions.std ]; then
install_file_with_backup actions.std ${PREFIX}/etc/shorewall/actions.std 0600
backup_file /etc/shorewall/actions.std
echo
else
echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
run_install -o $OWNER -g $GROUP -m 0600 actions.std ${PREFIX}/etc/shorewall/actions.std
echo
echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
fi
#
#
# Install the Actions file
# Install the Actions file
#
#
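Review bot: The new unconditional `install_file_with_backup actions.std ${PREFIX}/etc/shorewall/actions.std 0600` drops the explicit `-o $OWNER -g $GROUP` that the replaced `run_install` branch passed, so ownership of the 0600 file now rests entirely on install_file_with_backup, whose definition is outside this hunk; confirm it applies OWNER/GROUP, because a mode-0600 file owned by the wrong account is readable by that account rather than restricted to root as the mode suggests. Since actions.std is now overwritten on every install (the spec in this commit likewise removes its %config(noreplace) marker), the script should say so where the install happens, e.g. `# actions.std is package-owned and replaced on every install; put site-local actions in /etc/shorewall/actions`. Whether the backup the helper's name implies is actually taken for an unchanged file is not visible here, so that claim is best left out of the comment.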
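--- a/rules
+++ b/rules
@@ -39,7 +39,6 @@
 # Like REDIRET but only generates the
 # REDIRECT iptables rule and not
 # the companion ACCEPT rule.
-#
 # CONTINUE -- (For experts only). Do not process
 # any of the following rules for this
 # (source zone,destination zone). If
@@ -51,16 +50,33 @@
 # (those) zone(s).
 # LOG -- Simply log the packet and continue.
 # QUEUE -- Queue the packet to a user-space
-# application such as ftwall
-# (http://p2pwall.sf.net).
+# application such as p2pwall.
 # <action> -- The name of an action defined in
 # /etc/shorewall/actions.
 #
-# The ACTION may optionally be followed
+# You may rate-limit the rule by optionally
+# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
+#
+# < <rate>/<interval>[:<burst>] >
+#
+# where <rate> is the number of connections per
+# <interval> ("sec" or "min") and <burst> is the
+# largest burst permitted. If no <burst> is given,
+# a value of 5 is assumed. There may be no
+# no whitespace embedded in the specification.
+#
+# Example: ACCEPT<10/sec:20>
+#
+# The ACTION (and rate limit) may optionally be followed
 # by ":" and a syslog log level (e.g, REJECT:info or
-# DNAT:debug). This causes the packet to be
+# DNAT<4/sec:8>:debugging). This causes the packet to be
 # logged at the specified level.
 #
+# NOTE: For those of you who prefer to place the
+# rate limit in a separate column, see the RATE LIMIT
+# column below. If you specify a value in that column,
+# you must not include a rate limit in the ACTION column
+#
 # You may also specify ULOG (must be in upper case) as a
 # log level.This will log to the ULOG target for routing
 # to a separate log through use of ulogd
@@ -216,6 +232,9 @@
 #
 # Example: 10/sec:20
 #
+# If you place a rate limit in this column, you may not
+# place a similar limit in the ACTION column.
+#
 # USER/GROUP This column may only be non-empty if the SOURCE is
 # the firewall itself.
 #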
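Review bot: The new rate-limit paragraph repeats a word across a line break — `# a value of 5 is assumed. There may be no` is followed by `# no whitespace embedded in the specification.`; the second line should read `# whitespace embedded in the specification.` The rewritten example `DNAT<4/sec:8>:debugging` uses a level name that is not among the syslog priorities, unlike the `REJECT:info` example on the same line and the `DNAT:debug` it replaces; unless the parser accepts "debugging" as an alias, which nothing in this hunk shows, `DNAT<4/sec:8>:debug` is the safer example. It would also help to state in the new NOTE what happens when a rate limit is given in both places, since "you must not" describes a rule but not whether it is rejected or silently ignored — if that is not known, say "the result is undefined" rather than leave it open.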
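--- a/shorewall.spec
+++ b/shorewall.spec
@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 2.0.0
-%define release 0Beta1
+%define release 0Beta2
 %define prefix /usr
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -73,7 +73,7 @@ fi
 %attr(0700,root,root) %dir /usr/share/shorewall
 %attr(0700,root,root) %dir /var/lib/shorewall
 %attr(0600,root,root) /usr/share/shorewall/version
-%attr(0600,root,root) /etc/shorewall/common.def
+%attr(0600,root,root) /etc/shorewall/actions.std
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
@@ -127,7 +127,6 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/action.RejectSMB
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/action.template
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
-%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions.std
 
 %attr(0544,root,root) /sbin/shorewall
 %attr(0444,root,root) /usr/share/shorewall/functions
@@ -136,6 +135,10 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Sat Feb 14 2004 Tom Eastep <tom@shorewall.net>
+- Removed common.def
+- Unconditionally replace actions.std
+- Update for Beta 2
 * Thu Feb 12 2004 Tom Eastep <tom@shorewall.net>
 - Added action.AllowPCA
 * Sun Feb 08 2004 Tom Eastep <tom@shorewall.net>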
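Review bot: Listing `/etc/shorewall/actions.std` without any %config marker (the line moved from the %config(noreplace) group at 127 into the plain-file group at 73) means rpm overwrites a locally edited actions.std on upgrade and keeps no `.rpmsave`, even though the file still lives under /etc where administrators expect edits to survive. If the goal is only to force the packaged copy in, `%attr(0600,root,root) %config /etc/shorewall/actions.std` still replaces it but saves a modified original as actions.std.rpmsave, which is closer to what the install.sh side of this commit appears to do with its `install_file_with_backup` helper. The changelog line "Unconditionally replace actions.std" records the change but not where site-local actions should now go; one clause pointing to /etc/shorewall/actions, which stays %config(noreplace), would close that gap.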