More 2.0 Updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1142 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
d1caa706a5
commit
870366caf7
@ -1,49 +0,0 @@
|
||||
############################################################################
|
||||
# Shorewall 1.4 -- /etc/shorewall/common.def
|
||||
#
|
||||
# This file defines the rules that are applied before a policy of
|
||||
# DROP or REJECT is applied. In addition to the rules defined in this file,
|
||||
# the firewall will also define a DROP rule for each subnet broadcast
|
||||
# address defined in /etc/shorewall/interfaces (including "detect").
|
||||
#
|
||||
# Do not modify this file -- if you wish to change these rules, create
|
||||
# /etc/shorewall/common to replace it. It is suggested that you include
|
||||
# the command ". /etc/shorewall/common.def" in your
|
||||
# /etc/shorewall/common file so that you will continue to get the
|
||||
# advantage of new releases of this file.
|
||||
#
|
||||
run_iptables -A common -p icmp -j icmpdef
|
||||
############################################################################
|
||||
# NETBIOS chatter
|
||||
#
|
||||
run_iptables -A common -p udp --dport 135 -j DROP
|
||||
run_iptables -A common -p udp --dport 137:139 -j DROP
|
||||
run_iptables -A common -p udp --dport 445 -j DROP
|
||||
run_iptables -A common -p tcp --dport 139 -j DROP
|
||||
run_iptables -A common -p tcp --dport 445 -j DROP
|
||||
run_iptables -A common -p tcp --dport 135 -j DROP
|
||||
############################################################################
|
||||
# UPnP
|
||||
#
|
||||
run_iptables -A common -p udp --dport 1900 -j DROP
|
||||
############################################################################
|
||||
# BROADCASTS
|
||||
#
|
||||
run_iptables -A common -d 255.255.255.255 -j DROP
|
||||
run_iptables -A common -d 224.0.0.0/4 -j DROP
|
||||
############################################################################
|
||||
# AUTH -- Silently reject it so that connections don't get delayed.
|
||||
#
|
||||
run_iptables -A common -p tcp --dport 113 -j reject
|
||||
############################################################################
|
||||
# DNS -- Silenty drop late replies
|
||||
#
|
||||
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
|
||||
############################################################################
|
||||
# ICMP -- Silently drop null-address ICMPs
|
||||
#
|
||||
run_iptables -A common -p icmp -s 0.0.0.0 -j DROP
|
||||
run_iptables -A common -p icmp -d 0.0.0.0 -j DROP
|
||||
|
||||
|
||||
|
@ -265,13 +265,6 @@ install_file_with_backup help ${PREFIX}/usr/share/shorewall/help 0544
|
||||
|
||||
echo
|
||||
echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
|
||||
#
|
||||
# Install the common.def file
|
||||
#
|
||||
install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444
|
||||
|
||||
echo
|
||||
echo "Common rules installed in ${PREFIX}/etc/shorewall/common.def"
|
||||
|
||||
#
|
||||
# Delete the icmp.def file
|
||||
@ -510,13 +503,10 @@ fi
|
||||
#
|
||||
# Install the Standard Actions file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/actions.std ]; then
|
||||
backup_file /etc/shorewall/actions.std
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 actions.std ${PREFIX}/etc/shorewall/actions.std
|
||||
echo
|
||||
echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
|
||||
fi
|
||||
install_file_with_backup actions.std ${PREFIX}/etc/shorewall/actions.std 0600
|
||||
echo
|
||||
echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
|
||||
|
||||
#
|
||||
# Install the Actions file
|
||||
#
|
||||
|
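Review bot: Dropping the common.def install step leaves a stale, read-only /etc/shorewall/common.def behind on upgraded systems, and the context right after the first hunk (`# Delete the icmp.def file`) shows this installer already removes obsolete .def files, so the same should be done here, e.g. `[ -f ${PREFIX}/etc/shorewall/common.def ] && rm -f ${PREFIX}/etc/shorewall/common.def && echo "Obsolete common.def removed"`. Without that, a site whose /etc/shorewall/common still sources common.def (the pattern the deleted file's header recommended) keeps loading 1.4-era rules that this release presumably no longer maintains, and nothing surfaces the incompatibility. In the second hunk, `install_file_with_backup` now replaces actions.std unconditionally, which matches the changelog; its body is outside this page, so I cannot confirm it reports when an existing file was displaced, and a one-line notice in that case would help admins who customised actions.std. Both hunks sit inside a larger script whose beginning and end are not shown.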
@ -39,7 +39,6 @@
|
||||
# Like REDIRET but only generates the
|
||||
# REDIRECT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
#
|
||||
# CONTINUE -- (For experts only). Do not process
|
||||
# any of the following rules for this
|
||||
# (source zone,destination zone). If
|
||||
@ -51,16 +50,33 @@
|
||||
# (those) zone(s).
|
||||
# LOG -- Simply log the packet and continue.
|
||||
# QUEUE -- Queue the packet to a user-space
|
||||
# application such as ftwall
|
||||
# (http://p2pwall.sf.net).
|
||||
# application such as p2pwall.
|
||||
# <action> -- The name of an action defined in
|
||||
# /etc/shorewall/actions.
|
||||
#
|
||||
# The ACTION may optionally be followed
|
||||
# You may rate-limit the rule by optionally
|
||||
# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
|
||||
#
|
||||
# < <rate>/<interval>[:<burst>] >
|
||||
#
|
||||
# where <rate> is the number of connections per
|
||||
# <interval> ("sec" or "min") and <burst> is the
|
||||
# largest burst permitted. If no <burst> is given,
|
||||
# a value of 5 is assumed. There may be no
|
||||
# no whitespace embedded in the specification.
|
||||
#
|
||||
# Example: ACCEPT<10/sec:20>
|
||||
#
|
||||
# The ACTION (and rate limit) may optionally be followed
|
||||
# by ":" and a syslog log level (e.g, REJECT:info or
|
||||
# DNAT:debug). This causes the packet to be
|
||||
# DNAT<4/sec:8>:debugging). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# NOTE: For those of you who prefer to place the
|
||||
# rate limit in a separate column, see the RATE LIMIT
|
||||
# column below. If you specify a value in that column,
|
||||
# you must not include a rate limit in the ACTION column
|
||||
#
|
||||
# You may also specify ULOG (must be in upper case) as a
|
||||
# log level.This will log to the ULOG target for routing
|
||||
# to a separate log through use of ulogd
|
||||
@ -216,6 +232,9 @@
|
||||
#
|
||||
# Example: 10/sec:20
|
||||
#
|
||||
# If you place a rate limit in this column, you may not
|
||||
# place a similar limit in the ACTION column.
|
||||
#
|
||||
# USER/GROUP This column may only be non-empty if the SOURCE is
|
||||
# the firewall itself.
|
||||
#
|
||||
|
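Review bot: The rewritten example `DNAT<4/sec:8>:debugging` (the line that appears to replace `DNAT:debug`) names a level that is not a syslog level; the valid names run emerg through debug, so a reader copying the example would get a rejected rule. Suggest `# DNAT<4/sec:8>:debug). This causes the packet to be`. The added rate-limit text also reads "There may be no / no whitespace embedded" across the line break, a doubled "no"; `# a value of 5 is assumed. There may be` followed by `# no whitespace embedded in the specification.` fixes it. Which of the paired lines is old and which is new is inferred from print order here, since the diff markers are lost in the rendering.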
@ -1,6 +1,6 @@
|
||||
%define name shorewall
|
||||
%define version 2.0.0
|
||||
%define release 0Beta1
|
||||
%define release 0Beta2
|
||||
%define prefix /usr
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
@ -73,7 +73,7 @@ fi
|
||||
%attr(0700,root,root) %dir /usr/share/shorewall
|
||||
%attr(0700,root,root) %dir /var/lib/shorewall
|
||||
%attr(0600,root,root) /usr/share/shorewall/version
|
||||
%attr(0600,root,root) /etc/shorewall/common.def
|
||||
%attr(0600,root,root) /etc/shorewall/actions.std
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
|
||||
@ -127,7 +127,6 @@ fi
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.RejectSMB
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.template
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions.std
|
||||
|
||||
%attr(0544,root,root) /sbin/shorewall
|
||||
%attr(0444,root,root) /usr/share/shorewall/functions
|
||||
@ -136,6 +135,10 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Sat Feb 14 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Removed common.def
|
||||
- Unconditionally replace actions.std
|
||||
- Update for Beta 2
|
||||
* Thu Feb 12 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Added action.AllowPCA
|
||||
* Sun Feb 08 2004 Tom Eastep <tom@shorewall.net>
|
||||
|
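Review bot: `/etc/shorewall/actions.std` is now listed as a plain file (the `%config(noreplace)` entry for it is removed), so on upgrade rpm will silently overwrite a locally edited copy with no .rpmsave left behind. If the intent, per the changelog entry "Unconditionally replace actions.std", is only that the packaged file always wins, `%config` without `noreplace` achieves that while still preserving a modified original as actions.std.rpmsave: `%attr(0600,root,root) %config /etc/shorewall/actions.std`. Dropping the common.def entry is correct, since rpm will then remove the obsolete file on upgrade; the non-rpm install path in this same commit does not appear to do the equivalent, so the two install routes may diverge.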