More 2.0 Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1142 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-02-14 16:36:30 +00:00
parent d1caa706a5
commit 870366caf7
4 changed files with 34 additions and 71 deletions


@ -1,49 +0,0 @@
############################################################################
# Shorewall 1.4 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file,
# the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect").
#
# Do not modify this file -- if you wish to change these rules, create
# /etc/shorewall/common to replace it. It is suggested that you include
# the command ". /etc/shorewall/common.def" in your
# /etc/shorewall/common file so that you will continue to get the
# advantage of new releases of this file.
#
run_iptables -A common -p icmp -j icmpdef
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 135 -j DROP
run_iptables -A common -p udp --dport 137:139 -j DROP
run_iptables -A common -p udp --dport 445 -j DROP
run_iptables -A common -p tcp --dport 139 -j DROP
run_iptables -A common -p tcp --dport 445 -j DROP
run_iptables -A common -p tcp --dport 135 -j DROP
############################################################################
# UPnP
#
run_iptables -A common -p udp --dport 1900 -j DROP
############################################################################
# BROADCASTS
#
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
############################################################################
# AUTH -- Silently reject it so that connections don't get delayed.
#
run_iptables -A common -p tcp --dport 113 -j reject
############################################################################
# DNS -- Silenty drop late replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
############################################################################
# ICMP -- Silently drop null-address ICMPs
#
run_iptables -A common -p icmp -s 0.0.0.0 -j DROP
run_iptables -A common -p icmp -d 0.0.0.0 -j DROP


@ -265,13 +265,6 @@ install_file_with_backup help ${PREFIX}/usr/share/shorewall/help 0544
echo echo
echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help" echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
#
# Install the common.def file
#
install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444
echo
echo "Common rules installed in ${PREFIX}/etc/shorewall/common.def"
# #
# Delete the icmp.def file # Delete the icmp.def file
@ -510,13 +503,10 @@ fi
# #
# Install the Standard Actions file # Install the Standard Actions file
# #
if [ -f ${PREFIX}/etc/shorewall/actions.std ]; then install_file_with_backup actions.std ${PREFIX}/etc/shorewall/actions.std 0600
backup_file /etc/shorewall/actions.std echo
else echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
run_install -o $OWNER -g $GROUP -m 0600 actions.std ${PREFIX}/etc/shorewall/actions.std
echo
echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
fi
# #
# Install the Actions file # Install the Actions file
# #
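Review bot: The first hunk of this section (L65–70) stops installing common.def but adds no removal of a stale `${PREFIX}/etc/shorewall/common.def` left on upgraded systems, while the very next block of the script (`# Delete the icmp.def file`, L72) shows the pattern used for obsolete files; the deleted file's own header told users to source it from /etc/shorewall/common, so a leftover copy keeps being pulled in by such a site file even though it no longer ships. If a part of install.sh outside this hunk already handles this, disregard; otherwise a deletion mirroring the icmp.def handling, with a one-line comment naming the 2.0 removal, would keep fresh installs and upgrades consistent. In the second hunk the new `install_file_with_backup actions.std ${PREFIX}/etc/shorewall/actions.std 0600` drops the explicit `-o $OWNER -g $GROUP` that the removed run_install line passed; that is fine only if the helper applies the same ownership, which cannot be confirmed from this hunk. `${PREFIX}` is unquoted in the new line, as in the rest of this file, so a prefix containing whitespace would split the argument.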


@ -39,7 +39,6 @@
# Like REDIRET but only generates the # Like REDIRET but only generates the
# REDIRECT iptables rule and not # REDIRECT iptables rule and not
# the companion ACCEPT rule. # the companion ACCEPT rule.
#
# CONTINUE -- (For experts only). Do not process # CONTINUE -- (For experts only). Do not process
# any of the following rules for this # any of the following rules for this
# (source zone,destination zone). If # (source zone,destination zone). If
@ -51,16 +50,33 @@
# (those) zone(s). # (those) zone(s).
# LOG -- Simply log the packet and continue. # LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space # QUEUE -- Queue the packet to a user-space
# application such as ftwall # application such as p2pwall.
# (http://p2pwall.sf.net).
# <action> -- The name of an action defined in # <action> -- The name of an action defined in
# /etc/shorewall/actions. # /etc/shorewall/actions.
# #
# The ACTION may optionally be followed # You may rate-limit the rule by optionally
# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
# < <rate>/<interval>[:<burst>] >
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: ACCEPT<10/sec:20>
#
# The ACTION (and rate limit) may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or # by ":" and a syslog log level (e.g, REJECT:info or
# DNAT:debug). This causes the packet to be # DNAT<4/sec:8>:debugging). This causes the packet to be
# logged at the specified level. # logged at the specified level.
# #
# NOTE: For those of you who prefer to place the
# rate limit in a separate column, see the RATE LIMIT
# column below. If you specify a value in that column,
# you must not include a rate limit in the ACTION column
#
# You may also specify ULOG (must be in upper case) as a # You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing # log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd # to a separate log through use of ulogd
@ -216,6 +232,9 @@
# #
# Example: 10/sec:20 # Example: 10/sec:20
# #
# If you place a rate limit in this column, you may not
# place a similar limit in the ACTION column.
#
# USER/GROUP This column may only be non-empty if the SOURCE is # USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself. # the firewall itself.
# #
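Review bot: The new comment at L115–116 reads `a value of 5 is assumed. There may be no` followed by `no whitespace embedded in the specification.`, repeating "no" across the line break; drop one of them. The rewritten example at L122, `DNAT<4/sec:8>:debugging`, replaces the earlier `DNAT:debug`; `debugging` is not a standard syslog level name, so unless the parser accepts it as an alias the example should probably read `DNAT<4/sec:8>:debug` to match the `REJECT:info` example on the same line. The mutual-exclusion rule between the ACTION rate limit and the RATE LIMIT column is now stated in both places (L125–128 and L137–138), which is good; consider also noting in the ACTION paragraph that the angle brackets are literal characters, since `< <rate>/<interval>[:<burst>] >` at L110 reads as if they were placeholders.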


@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 2.0.0 %define version 2.0.0
%define release 0Beta1 %define release 0Beta2
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -73,7 +73,7 @@ fi
%attr(0700,root,root) %dir /usr/share/shorewall %attr(0700,root,root) %dir /usr/share/shorewall
%attr(0700,root,root) %dir /var/lib/shorewall %attr(0700,root,root) %dir /var/lib/shorewall
%attr(0600,root,root) /usr/share/shorewall/version %attr(0600,root,root) /usr/share/shorewall/version
%attr(0600,root,root) /etc/shorewall/common.def %attr(0600,root,root) /etc/shorewall/actions.std
%attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf %attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones %attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy %attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
@ -127,7 +127,6 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.RejectSMB %attr(0600,root,root) %config(noreplace) /etc/shorewall/action.RejectSMB
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.template %attr(0600,root,root) %config(noreplace) /etc/shorewall/action.template
%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions %attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions.std
%attr(0544,root,root) /sbin/shorewall %attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /usr/share/shorewall/functions %attr(0444,root,root) /usr/share/shorewall/functions
@ -136,6 +135,10 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Sat Feb 14 2004 Tom Eastep <tom@shorewall.net>
- Removed common.def
- Unconditionally replace actions.std
- Update for Beta 2
* Thu Feb 12 2004 Tom Eastep <tom@shorewall.net> * Thu Feb 12 2004 Tom Eastep <tom@shorewall.net>
- Added action.AllowPCA - Added action.AllowPCA
* Sun Feb 08 2004 Tom Eastep <tom@shorewall.net> * Sun Feb 08 2004 Tom Eastep <tom@shorewall.net>
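Review bot: The new `%attr(0600,root,root) /etc/shorewall/actions.std` at L156 lists a file under /etc with no `%config` marker at all, so rpm will overwrite a locally edited actions.std on upgrade without keeping any copy, whereas the install.sh path in this same commit installs it through install_file_with_backup. Marking it `%attr(0600,root,root) %config /etc/shorewall/actions.std` still replaces the file unconditionally, as the changelog entry "Unconditionally replace actions.std" intends, but preserves a modified copy as actions.std.rpmsave; only the `noreplace` behavior dropped from L164 is given up. The release bump and the changelog entries at L170–173 need no change.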