From 8925f25168aaa49e3d46447cf6f20af9406528e4 Mon Sep 17 00:00:00 2001 
From: teastep Date: Mon, 15 Mar 2004 18:47:21 +0000 Subject: [PATCH] Initial revision git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1191 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- STABLE2/COPYING | 340 +++ STABLE2/INSTALL | 45 + STABLE2/accounting | 73 + STABLE2/action.AllowAuth | 10 + STABLE2/action.AllowDNS | 11 + STABLE2/action.AllowFTP | 11 + STABLE2/action.AllowIMAP | 11 + STABLE2/action.AllowNNTP | 10 + STABLE2/action.AllowNTP | 10 + STABLE2/action.AllowPCA | 11 + STABLE2/action.AllowPOP3 | 11 + STABLE2/action.AllowPing | 10 + STABLE2/action.AllowRdate | 10 + STABLE2/action.AllowSMB | 14 + STABLE2/action.AllowSMTP | 15 + STABLE2/action.AllowSNMP | 11 + STABLE2/action.AllowSSH | 10 + STABLE2/action.AllowTelnet | 11 + STABLE2/action.AllowTrcrt | 11 + STABLE2/action.AllowVNC | 10 + STABLE2/action.AllowVNCL | 10 + STABLE2/action.AllowWeb | 11 + STABLE2/action.Drop | 15 + STABLE2/action.DropDNSrep | 10 + STABLE2/action.DropPing | 10 + STABLE2/action.DropSMB | 15 + STABLE2/action.DropUPnP | 10 + STABLE2/action.Reject | 15 + STABLE2/action.RejectAuth | 10 + STABLE2/action.RejectSMB | 15 + STABLE2/action.template | 151 + STABLE2/actions | 27 + STABLE2/actions.std | 42 + STABLE2/blacklist | 43 + STABLE2/changelog.txt | 70 + STABLE2/default.debian | 18 + STABLE2/ecn | 18 + STABLE2/fallback.sh | 143 + STABLE2/firewall | 5801 ++++++++++++++++++++++++++++++++++++ STABLE2/functions | 609 ++++ STABLE2/help | 267 ++ STABLE2/hosts | 52 + STABLE2/init | 6 + STABLE2/init.debian.sh | 123 + STABLE2/init.sh | 74 + STABLE2/install.sh | 551 ++++ STABLE2/interfaces | 163 + STABLE2/maclist | 18 + STABLE2/masq | 99 + STABLE2/modules | 21 + STABLE2/nat | 38 + STABLE2/params | 25 + STABLE2/policy | 85 + STABLE2/proxyarp | 44 + STABLE2/releasenotes.txt | 229 ++ STABLE2/rfc1918 | 63 + STABLE2/routestopped | 25 + STABLE2/rules | 289 ++ STABLE2/shorewall | 972 ++++++ STABLE2/shorewall.conf | 560 ++++ STABLE2/shorewall.spec | 447 +++ STABLE2/start | 6 + STABLE2/stop 
| 6 + STABLE2/stopped | 6 + STABLE2/tcrules | 78 + STABLE2/tos | 52 + STABLE2/tunnel | 159 + STABLE2/tunnels | 110 + STABLE2/uninstall.sh | 109 + STABLE2/zones | 19 + 70 files changed, 12384 insertions(+) create mode 100644 STABLE2/COPYING create mode 100644 STABLE2/INSTALL create mode 100644 STABLE2/accounting create mode 100644 STABLE2/action.AllowAuth create mode 100644 STABLE2/action.AllowDNS create mode 100644 STABLE2/action.AllowFTP create mode 100644 STABLE2/action.AllowIMAP create mode 100644 STABLE2/action.AllowNNTP create mode 100644 STABLE2/action.AllowNTP create mode 100644 STABLE2/action.AllowPCA create mode 100644 STABLE2/action.AllowPOP3 create mode 100644 STABLE2/action.AllowPing create mode 100644 STABLE2/action.AllowRdate create mode 100644 STABLE2/action.AllowSMB create mode 100644 STABLE2/action.AllowSMTP create mode 100644 STABLE2/action.AllowSNMP create mode 100644 STABLE2/action.AllowSSH create mode 100644 STABLE2/action.AllowTelnet create mode 100644 STABLE2/action.AllowTrcrt create mode 100644 STABLE2/action.AllowVNC create mode 100644 STABLE2/action.AllowVNCL create mode 100644 STABLE2/action.AllowWeb create mode 100644 STABLE2/action.Drop create mode 100644 STABLE2/action.DropDNSrep create mode 100644 STABLE2/action.DropPing create mode 100644 STABLE2/action.DropSMB create mode 100644 STABLE2/action.DropUPnP create mode 100644 STABLE2/action.Reject create mode 100644 STABLE2/action.RejectAuth create mode 100644 STABLE2/action.RejectSMB create mode 100644 STABLE2/action.template create mode 100644 STABLE2/actions create mode 100644 STABLE2/actions.std create mode 100644 STABLE2/blacklist create mode 100644 STABLE2/changelog.txt create mode 100644 STABLE2/default.debian create mode 100644 STABLE2/ecn create mode 100755 STABLE2/fallback.sh create mode 100755 STABLE2/firewall create mode 100755 STABLE2/functions create mode 100644 STABLE2/help create mode 100644 STABLE2/hosts create mode 100644 STABLE2/init create mode 100755 
STABLE2/init.debian.sh create mode 100644 STABLE2/init.sh create mode 100755 STABLE2/install.sh create mode 100644 STABLE2/interfaces create mode 100644 STABLE2/maclist create mode 100644 STABLE2/masq create mode 100644 STABLE2/modules create mode 100644 STABLE2/nat create mode 100644 STABLE2/params create mode 100644 STABLE2/policy create mode 100644 STABLE2/proxyarp create mode 100644 STABLE2/releasenotes.txt create mode 100644 STABLE2/rfc1918 create mode 100644 STABLE2/routestopped create mode 100644 STABLE2/rules create mode 100755 STABLE2/shorewall create mode 100644 STABLE2/shorewall.conf create mode 100644 STABLE2/shorewall.spec create mode 100644 STABLE2/start create mode 100644 STABLE2/stop create mode 100644 STABLE2/stopped create mode 100644 STABLE2/tcrules create mode 100644 STABLE2/tos create mode 100755 STABLE2/tunnel create mode 100644 STABLE2/tunnels create mode 100755 STABLE2/uninstall.sh create mode 100644 STABLE2/zones diff --git a/STABLE2/COPYING b/STABLE2/COPYING new file mode 100644 index 000000000..2ba72d57f --- /dev/null +++ b/STABLE2/COPYING 
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) 19yy + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) 19yy name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. 
diff --git a/STABLE2/INSTALL b/STABLE2/INSTALL
new file mode 100644
index 000000000..004657813
--- /dev/null
+++ b/STABLE2/INSTALL
@@ -0,0 +1,45 @@
+Shoreline Firewall (Shorewall) Version 2.0 - 2/14/2004
+----- ----
+
+-----------------------------------------------------------------------------
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of Version 2 of the GNU General Public License
+ as published by the Free Software Foundation.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+---------------------------------------------------------------------------
+If your system supports rpm, I recommend that you install the Shorewall
+.rpm. If you want to install from the tarball:
+
+o Unpack the tarball
+o cd to the shorewall- directory
+o If you have an earlier version of Shoreline Firewall installed,see the
+ upgrade instructions below
+o Edit the configuration files to fit your environment.
+
+ To do this, I strongly advise you to follow the instructions at:
+
+ http://www.shorewall.net/shorewall_quickstart_guide.htm
+
+o Type "./install.sh".
+o Start the firewall by typing "shorewall start"
+o If the install script was unable to configure Shoreline Firewall to
+ start automatically at boot, you will have to used your
+ distribution's runlevel editor to configure Shorewall manually.
+
+Upgrade:
+
+o run the install script as described above.
+o "shorewall check" and correct any errors found.
+o "shorewall restart"
+
+
diff --git a/STABLE2/accounting b/STABLE2/accounting
new file mode 100644
index 000000000..a0d352255
--- /dev/null
+++ b/STABLE2/accounting 
@@ -0,0 +1,73 @@
+#
+# Shorewall version 2.0 - Accounting File
+#
+# /etc/shorewall/accounting
+#
+# Accounting rules exist simply to count packets and bytes in categories
+# that you define in this file. You may display these rules and their
+# packet and byte counters using the "shorewall show accounting" command.
+#
+# Please see http://shorewall.net/Accounting.html for examples and
+# additional information about how to use this file.
+#
+#
+# Columns are:
+#
+# ACTION - What to do when a match is found.
+#
+# COUNT - Simply count the match and continue
+# with the next rule
+# DONE - Count the match and don't attempt
+# to match any other accounting rules
+# in the chain specified in the CHAIN
+# column.
+# [:COUNT]
+# - Where is the name of
+# a chain. Shorewall will create
+# the chain automatically if it
+# doesn't already exist. Causes
+# a jump to that chain. If :COUNT
+# is including, a counting rule
+# matching this record will be
+# added to
+#
+# CHAIN - The name of a chain. If specified as "-" the
+# 'accounting' chain is assumed. This is the chain
+# where the accounting rule is added. The chain will
+# be created if it doesn't already exist.
+#
+# SOURCE - Packet Source
+#
+# The name of an interface, an address (host or net) or
+# an interface name followed by ":"
+# and a host or net address.
+#
+# DESTINATION - Packet Destination
+#
+# Format the same as the SOURCE column.
+#
+# PROTOCOL A protocol name (from /etc/protocols), a protocol
+# number.
+#
+# DEST PORT Destination Port number
+#
+# Service name from /etc/services or port number. May
+# only be specified if the protocol is TCP or UDP (6
+# or 17).
+#
+# SOURCE PORT Source Port number
+#
+# Service name from /etc/services or port number. May
+# only be specified if the protocol is TCP or UDP (6
+# or 17).
+#
+# In all of the above columns except ACTION and CHAIN, the values "-",
+# "any" and "all" may be used as wildcards
+#
+# Please see http://shorewall.net/Accounting.html for examples and
+# additional information about how to use this file.
+#
+#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
+# PORT PORT
+#
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowAuth b/STABLE2/action.AllowAuth
new file mode 100644
index 000000000..78bdc1266
--- /dev/null
+++ b/STABLE2/action.AllowAuth
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowAuth
+#
+# This action accepts Auth (identd) traffic.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 113
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowDNS b/STABLE2/action.AllowDNS
new file mode 100644
index 000000000..2ac6a72ce
--- /dev/null
+++ b/STABLE2/action.AllowDNS
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowDNS
+#
+# This action accepts DNS traffic.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - udp 53
+ACCEPT - - tcp 53
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowFTP b/STABLE2/action.AllowFTP
new file mode 100644
index 000000000..cab5fa4e1
--- /dev/null
+++ b/STABLE2/action.AllowFTP
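Review bot: In the ACTION description of the accounting file, the line `# is including, a counting rule` should read `# is included, a counting rule`. The neighbouring lines `# - Where is the name of` and `# added to` also appear to end without naming the chain placeholder; that may be an artefact of how the hunk was captured here rather than of the committed file, so it is worth checking the file itself before editing.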
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowFTP
+#
+# This action accepts FTP traffic. See
+# http://www.shorewall.net/FTP.html for additional considerations.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 21
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowIMAP b/STABLE2/action.AllowIMAP
new file mode 100644
index 000000000..333bdf779
--- /dev/null
+++ b/STABLE2/action.AllowIMAP
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowIMAP
+#
+# This action accepts IMAP traffic (secure and insecure):
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 143 #Unsecure IMAP
+ACCEPT - - tcp 993 #Secure IMAP
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowNNTP b/STABLE2/action.AllowNNTP
new file mode 100644
index 000000000..f4b745cfe
--- /dev/null
+++ b/STABLE2/action.AllowNNTP
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowNNTP
+#
+# This action accepts NNTP traffic (Usenet).
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 119
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowNTP b/STABLE2/action.AllowNTP
new file mode 100644
index 000000000..6ef93652c
--- /dev/null
+++ b/STABLE2/action.AllowNTP
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowNTP
+#
+# This action accepts NTP traffic (ntpd).
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
+# PORT PORT(S) DEST LIMIT
+ACCEPT - - udp 123
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowPCA b/STABLE2/action.AllowPCA
new file mode 100644
index 000000000..bda0e4a1f
--- /dev/null
+++ b/STABLE2/action.AllowPCA
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowPCA
+#
+# This action accepts PCAnywere (tm)
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - udp 5631
+ACCEPT - - tcp 5632
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowPOP3 b/STABLE2/action.AllowPOP3
new file mode 100644
index 000000000..b7756fee5
--- /dev/null
+++ b/STABLE2/action.AllowPOP3
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowPOP3
+#
+# This action accepts POP3 traffic (secure and insecure):
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
+# PORT PORT(S) DEST LIMIT
+ACCEPT - - tcp 110 #Unsecure POP3
+ACCEPT - - tcp 995 #Secure POP3
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowPing b/STABLE2/action.AllowPing
new file mode 100644
index 000000000..f18492201
--- /dev/null
+++ b/STABLE2/action.AllowPing
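Review bot: The column header in action.AllowNTP, `#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE` / `# PORT PORT(S) DEST LIMIT`, disagrees with every other action file in this commit, which heads the same positions as `RATE USER/` / `LIMIT GROUP`; action.AllowPOP3 in this same stretch carries the same divergent header. Since these header lines are the only in-file documentation of the column layout a user sees when adding entries, a mismatched header invites rules written against the wrong column. Assuming the column set is identical for all action files (the parser is not in this hunk), align both headers with the others: `#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/` and `# PORT PORT(S) LIMIT GROUP`.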
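Review bot: action.AllowPCA accepts `udp 5631` and `tcp 5632`, which looks swapped relative to the usual pcAnywhere assignment (TCP 5631 for the data channel, UDP 5632 for the status channel); please confirm against /etc/services, because if the assignment is reversed the action would allow neither channel. If confirmed, the two rules become `ACCEPT - - tcp 5631` and `ACCEPT - - udp 5632`. The description line also misspells the product and lacks an object: `# This action accepts pcAnywhere (tm) traffic.`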
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowPing
+#
+# This action accepts 'ping' requests.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - icmp 8
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowRdate b/STABLE2/action.AllowRdate
new file mode 100644
index 000000000..34cb7f75c
--- /dev/null
+++ b/STABLE2/action.AllowRdate
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowRdate
+#
+# This action accepts remote time retrieval (rdate).
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 37
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowSMB b/STABLE2/action.AllowSMB
new file mode 100644
index 000000000..8914eae98
--- /dev/null
+++ b/STABLE2/action.AllowSMB
@@ -0,0 +1,14 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowSMB
+#
+# Allow Microsoft SMB traffic. You need to invoke this action in
+# both directions.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - udp 135,445
+ACCEPT - - udp 137:139
+ACCEPT - - udp 1024: 137
+ACCEPT - - tcp 135,139,445
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowSMTP b/STABLE2/action.AllowSMTP
new file mode 100644
index 000000000..5a802a2d1
--- /dev/null
+++ b/STABLE2/action.AllowSMTP
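Review bot: The third rule in action.AllowSMB, `ACCEPT - - udp 1024: 137`, accepts any UDP datagram to any port at or above 1024 solely because its source port is 137, and the header says the action is to be invoked in both directions, so it also widens what is accepted inbound; a source port is chosen by the sender, so this rule is much broader than the destination-port rules around it. The reason it is there is not stated anywhere in the file, and if the generated ruleset already accepts ESTABLISHED/RELATED traffic (that logic is not in this hunk) the rule may be needed only for a narrow case. Suggest documenting the intent and the breadth next to the rule, e.g. `ACCEPT - - udp 1024: 137 #NetBIOS-NS replies to ephemeral ports; matches on source port only`, so that users who copy this action understand what it opens.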
@@ -0,0 +1,15 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowSMTP
+#
+# This action accepts SMTP (email) traffic.
+#
+# Note: This action allows traffic between an MUA (Email client)
+# and an MTA (mail server) or between MTAs. It does not enable
+# reading of email via POP3 or IMAP. For those you need to use
+# the AllowPOP3 or AllowIMAP actions.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 25
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowSNMP b/STABLE2/action.AllowSNMP
new file mode 100644
index 000000000..11d78d126
--- /dev/null
+++ b/STABLE2/action.AllowSNMP
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowSNMP
+#
+# This action accepts SNMP traffic (including traps):
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - udp 161:162
+ACCEPT - - tcp 161
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowSSH b/STABLE2/action.AllowSSH
new file mode 100644
index 000000000..78e25bba9
--- /dev/null
+++ b/STABLE2/action.AllowSSH
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowSSH
+#
+# This action accepts secure shell (SSH) traffic.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 22
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowTelnet b/STABLE2/action.AllowTelnet
new file mode 100644
index 000000000..5eebbb095
--- /dev/null
+++ b/STABLE2/action.AllowTelnet
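Review bot: action.AllowSNMP opens `udp 161:162` and `tcp 161` without any caveat, although SNMPv1/v2c authenticate only with a cleartext community string and port 161 exposes device configuration (and, with a read-write community, control of the device). action.AllowTelnet in this same commit warns that its protocol is inappropriate across the Internet; this file deserves the equivalent sentence, e.g. `# SNMP v1/v2c use cleartext community strings; do not expose port 161 to untrusted zones.`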
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowTelnet
+#
+# This action accepts Telnet traffic. For traffic over the
+# internet, telnet is inappropriate; use SSH instead
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 23
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowTrcrt b/STABLE2/action.AllowTrcrt
new file mode 100644
index 000000000..04a792539
--- /dev/null
+++ b/STABLE2/action.AllowTrcrt
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowTrcrt
+#
+# This action accepts Traceroute (for up to 20 hops):
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - udp 33434:33454 #UDP Traceroute
+ACCEPT - - icmp 8 #ICMP Traceroute
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowVNC b/STABLE2/action.AllowVNC
new file mode 100644
index 000000000..423c30c77
--- /dev/null
+++ b/STABLE2/action.AllowVNC
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowVNC
+#
+# This action accepts VNC traffic for VNC display's 0 - 9.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 5900:5909
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowVNCL b/STABLE2/action.AllowVNCL
new file mode 100644
index 000000000..83ff3fe81
--- /dev/null
+++ b/STABLE2/action.AllowVNCL
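Review bot: action.AllowVNC accepts `tcp 5900:5909` with no warning, though a VNC session carries keystrokes and screen contents unencrypted and its only protection is the VNC password handshake. action.AllowTelnet in the hunk above already says "inappropriate over the internet; use SSH instead"; add the equivalent here: `# VNC is unencrypted; across untrusted networks tunnel it over SSH rather than allowing 5900:5909 directly.` The same remark applies to the listen-mode port 5500 in action.AllowVNCL that follows.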
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowVNC
+#
+# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 5500
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.AllowWeb b/STABLE2/action.AllowWeb
new file mode 100644
index 000000000..f88028b12
--- /dev/null
+++ b/STABLE2/action.AllowWeb
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowWeb
+#
+# This action accepts WWW traffic (secure and insecure):
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 80
+ACCEPT - - TCP 443
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.Drop b/STABLE2/action.Drop
new file mode 100644
index 000000000..00e03cfa1
--- /dev/null
+++ b/STABLE2/action.Drop
@@ -0,0 +1,15 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.Drop
+#
+# The default DROP common rules
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+RejectAuth
+dropBcast
+DropSMB
+DropUPnP
+dropNonSyn
+DropDNSrep
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.DropDNSrep b/STABLE2/action.DropDNSrep
new file mode 100644
index 000000000..949e3e655
--- /dev/null
+++ b/STABLE2/action.DropDNSrep
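Review bot: The file-name line of action.AllowVNCL reads `# Shorewall 2.0 /etc/shorewall/action.AllowVNC`, which is the name of the other VNC action; this looks like a copy-and-paste slip and will confuse anyone who opens the file to check which direction it allows. Change it to `# Shorewall 2.0 /etc/shorewall/action.AllowVNCL`.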
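Review bot: `ACCEPT - - TCP 443` in action.AllowWeb spells the protocol in upper case while every other entry in this commit, including the port-80 line directly above it, uses `tcp`; whether the parser folds case is not visible here, and action.template lists the accepted protocol names in lower case only. Make it `ACCEPT - - tcp 443` so the file does not rely on case-insensitive matching.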
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.DropDNSrep
+#
+# This action silently drops DNS UDP replies
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+DROP - - udp - 53
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.DropPing b/STABLE2/action.DropPing
new file mode 100644
index 000000000..5aba7c207
--- /dev/null
+++ b/STABLE2/action.DropPing
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.DropPing
+#
+# This action silently drops 'ping' requests.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+DROP - - icmp 8
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.DropSMB b/STABLE2/action.DropSMB
new file mode 100644
index 000000000..03a9ee15b
--- /dev/null
+++ b/STABLE2/action.DropSMB
@@ -0,0 +1,15 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.DropSMB
+#
+# This action silently drops Microsoft SMB traffic
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+DROP - - udp 135
+DROP - - udp 137:139
+DROP - - udp 445
+DROP - - tcp 135
+DROP - - tcp 139
+DROP - - tcp 445
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.DropUPnP b/STABLE2/action.DropUPnP
new file mode 100644
index 000000000..8ef56119c
--- /dev/null
+++ b/STABLE2/action.DropUPnP
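Review bot: `DROP - - udp - 53` in action.DropDNSrep keys on the source port alone, so it silently discards every UDP datagram whose sender chose port 53, to any destination port, not only the late DNS replies the header describes. Because this action is invoked from the default Drop and Reject actions, a probe or payload sent from source port 53 will never reach the policy's logging rule. That may be an acceptable trade-off for cutting log noise, but the header should state it: `# Matches any UDP packet with source port 53 (not only replies); such packets are dropped before the policy logs them.`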
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.DropUPnP
+#
+# This action silently drops UPnP probes on UDP port 1900
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+DROP - - udp 1900
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.Reject b/STABLE2/action.Reject
new file mode 100644
index 000000000..ddcd9ad58
--- /dev/null
+++ b/STABLE2/action.Reject
@@ -0,0 +1,15 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.Reject
+#
+# The default REJECT action common rules
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+RejectAuth
+dropBcast
+RejectSMB
+DropUPnP
+dropNonSyn
+DropDNSrep
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.RejectAuth b/STABLE2/action.RejectAuth
new file mode 100644
index 000000000..e3675d5bb
--- /dev/null
+++ b/STABLE2/action.RejectAuth
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.RejectAuth
+#
+# This action silently rejects Auth (tcp 113) traffic
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+REJECT - - tcp 113
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.RejectSMB b/STABLE2/action.RejectSMB
new file mode 100644
index 000000000..db820e5dc
--- /dev/null
+++ b/STABLE2/action.RejectSMB
@@ -0,0 +1,15 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.RejectSMB
+#
+# This action silently rejects Microsoft SMB traffic
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+REJECT - - udp 135
+REJECT - - udp 137:139
+REJECT - - udp 445
+REJECT - - tcp 135
+REJECT - - tcp 139
+REJECT - - tcp 445
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/action.template b/STABLE2/action.template
new file mode 100644
index 000000000..75307117f
--- /dev/null
+++ b/STABLE2/action.template
@@ -0,0 +1,151 @@ +# +# Shorewall 2.0 /etc/shorewall/action.template +# +# This file is a template for files with names of the form +# /etc/shorewall/action. where is an +# ACTION defined in /etc/shorewall/actions. +# +# To define a new action: +# +# 1. Add the to /etc/shorewall/actions +# 2. Copy this file to /etc/shorewall/action. +# 3. Add the desired rules to that file. +# +# Columns are: +# +# +# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a +# previously-defined +# +# ACCEPT -- allow the connection request +# DROP -- ignore the request +# REJECT -- disallow the request and return an +# icmp-unreachable or an RST packet. +# LOG -- Simply log the packet and continue. +# QUEUE -- Queue the packet to a user-space +# application such as p2pwall. +# CONTINUE -- Discontinue processing this action +# and return to the point where the +# action was invoked. +# -- An defined in +# /etc/shorewall/actions. The +# must appear in that file BEFORE the +# one being defined in this file. +# +# The TARGET may optionally be followed +# by ":" and a syslog log level (e.g, REJECT:info or +# ACCEPT:debugging). This causes the packet to be +# logged at the specified level. +# +# You may also specify ULOG (must be in upper case) as a +# log level.This will log to the ULOG target for routing +# to a separate log through use of ulogd +# (http://www.gnumonks.org/projects/ulogd). +# +# SOURCE Source hosts to which the rule applies. +# A comma-separated list of subnets +# and/or hosts. Hosts may be specified by IP or MAC +# address; mac addresses must begin with "~" and must use +# "-" as a separator. +# +# 192.168.2.2 Host 192.168.2.2 +# +# 155.186.235.0/24 Subnet 155.186.235.0/24 +# +# 192.168.1.1,192.168.1.2 +# Hosts 192.168.1.1 and +# 192.168.1.2. +# ~00-A0-C9-15-39-78 Host with +# MAC address 00:A0:C9:15:39:78. +# +# Alternatively, clients may be specified by interface +# name. For example, eth1 specifies a +# client that communicates with the firewall system +# through eth1. 
This may be optionally followed by +# another colon (":") and an IP/MAC/subnet address +# as described above (e.g., eth1:192.168.1.5). +# +# DEST Location of Server. Same as above with the exception that +# MAC addresses are not allowed. +# +# Unlike in the SOURCE column, you may specify a range of +# up to 256 IP addresses using the syntax +# -. +# +# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or +# "all". +# +# DEST PORT(S) Destination Ports. A comma-separated list of Port +# names (from /etc/services), port numbers or port +# ranges; if the protocol is "icmp", this column is +# interpreted as the destination icmp-type(s). +# +# A port range is expressed as :. +# +# This column is ignored if PROTOCOL = all but must be +# entered if any of the following fields are supplied. +# In that case, it is suggested that this field contain +# "-" +# +# If your kernel contains multi-port match support, then +# only a single Netfilter rule will be generated if in +# this list and the CLIENT PORT(S) list below: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. +# +# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted, +# any source port is acceptable. Specified as a comma- +# separated list of port names, port numbers or port +# ranges. +# +# If you don't want to restrict client ports but need to +# specify an ADDRESS in the next column, then place "-" +# in this column. +# +# If your kernel contains multi-port match support, then +# only a single Netfilter rule will be generated if in +# this list and the DEST PORT(S) list above: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. 
+# +# RATE LIMIT You may rate-limit the rule by placing a value in +# this column: +# +# /[:] +# +# where is the number of connections per +# ("sec" or "min") and is the +# largest burst permitted. If no is given, +# a value of 5 is assumed. There may be no +# no whitespace embedded in the specification. +# +# Example: 10/sec:20 +# +# USER/GROUP This column may only be non-empty if the SOURCE is +# the firewall itself. +# +# The column may contain: +# +# [!][][:] +# +# When this column is non-empty, the rule applies only +# if the program generating the output is running under +# the effective and/or specified (or is +# NOT running under that id if "!" is given). +# +# Examples: +# +# joe #program must be run by joe +# :kids #program must be run by a member of +# #the 'kids' group +# !:kids #program must not be run by a member +# #of the 'kids' group +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE +# PORT PORT(S) LIMIT +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/STABLE2/actions b/STABLE2/actions new file mode 100644 index 000000000..8fb669752 --- /dev/null +++ b/STABLE2/actions 
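Review bot: The column header at the bottom of action.template stops at `RATE LIMIT`, but the block above it documents a USER/GROUP column and every action file in this commit (for example action.AllowSSH) carries that column in its header; a user who copies this template has no column to put that value in. Extend the two header lines to `#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/` and `# PORT PORT(S) LIMIT GROUP`. The TARGET description also opens with "ACCEPT, DROP, REJECT, LOG, QUEUE or a previously-defined" action and then goes on to describe CONTINUE, so CONTINUE should be named in that opening list as well.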
@@ -0,0 +1,27 @@
+#
+# Shorewall 2.0 /etc/shorewall/actions
+#
+# This file allows you to define new ACTIONS for use in rules
+# (/etc/shorewall/rules). You define the iptables rules to
+# be performed in an ACTION in
+# /etc/shorewall/action..
+#
+# ACTION names should begin with an upper-case letter to
+# distinguish them from Shorewall-generated chain names and
+# they must need the requirements of a Netfilter chain
+# name as well as the requirements for a Bourne Shell identifier
+# (must begin with a letter and be composed of letters, digits
+# and underscore characters).
+#
+# If you follow the action name with ":DROP", ":REJECT" or
+# :ACCEPT then the action will be taken before a DROP, REJECT or
+# ACCEPT policy respectively is enforced. If you specify ":DROP",
+# ":REJECT" or ":ACCEPT" on more than one action then only the
+# last such action will be taken.
+#
+# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
+# itself, the associated policy will have no common action.
+#
+#ACTION
+
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/STABLE2/actions.std b/STABLE2/actions.std
new file mode 100644
index 000000000..2e9fbab99
--- /dev/null
+++ b/STABLE2/actions.std
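Review bot: In the header of /etc/shorewall/actions, "they must need the requirements of a Netfilter chain name" should read "they must meet the requirements of a Netfilter chain name". Since the header already says an action name must be distinguishable from Shorewall-generated chain names, it would help to add that a name which coincides with an existing chain will collide with it rather than be rejected with a clear message — if that is in fact how the firewall script behaves; confirm before adding.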
@@ -0,0 +1,42 @@
+#
+# Shorewall 2.0 /usr/share/shorewall/actions.std
+#
+#
+# Builtin Actions are:
+#
+# dropBcast #Silently Drop Broadcast/multicast
+# dropNonSyn #Silently Drop Non-syn TCP packets
+#
+#ACTION
+
+DropSMB #Silently Drops Microsoft SMB Traffic
+RejectSMB #Silently Reject Microsoft SMB Traffic
+DropUPnP #Silently Drop UPnP Probes
+RejectAuth #Silently Reject Auth
+DropPing #Silently Drop Ping
+DropDNSrep #Silently Drop DNS Replies
+
+AllowPing #Accept Ping
+AllowFTP #Accept FTP
+AllowDNS #Accept DNS
+AllowSSH #Accept SSH
+AllowWeb #Allow Web Browsing
+AllowSMB #Allow MS Networking
+AllowAuth #Allow Auth (identd)
+AllowSMTP #Allow SMTP (Email)
+AllowPOP3 #Allow reading mail via POP3
+AllowIMAP #Allow reading mail via IMAP
+AllowTelnet #Allow Telnet Access (not recommended for use over the
+ #Internet)
+AllowVNC #Allow VNC viewer->server, Displays 0-9
+AllowVNCL #Allow VNC server->viewer in listening mode
+AllowNTP #Allow Network Time Protocol (ntpd)
+AllowRdate #Allow remote time (rdate).
+AllowNNTP #Allow network news (Usenet).
+AllowTrcrt #Allows Traceroute (20 hops)
+AllowSNMP #Allows SNMP (including traps)
+AllowPCA #Allows PCAnywhere (tm)
+
+Drop:DROP #Common Action for DROP policy
+Reject:REJECT #Common Action for REJECT policy
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/STABLE2/blacklist b/STABLE2/blacklist
new file mode 100644
index 000000000..063724daa
--- /dev/null
+++ b/STABLE2/blacklist
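Review bot: In actions.std only AllowTelnet carries the "(not recommended for use over the Internet)" note, yet AllowSNMP, AllowPCA, AllowVNC, AllowVNCL, AllowRdate and the port-110 half of AllowPOP3 also open protocols with weak or no transport protection, so the list reads as if Telnet were the single risky entry. Either add the same parenthetical to those lines or state once above the list that the Allow* actions only open the ports and say nothing about where each protocol is safe to expose.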
@@ -0,0 +1,43 @@
+#
+# Shorewall 2.0 -- Blacklist File
+#
+# /etc/shorewall/blacklist
+#
+# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
+#
+# Columns are:
+#
+# ADDRESS/SUBNET - Host address, subnetwork or MAC address
+#
+# MAC addresses must be prefixed with "~" and use "-"
+# as a separator.
+#
+# Example: ~00-A0-C9-15-39-78
+#
+# PROTOCOL - Optional. If specified, must be a protocol number
+# or a protocol name from /etc/protocols.
+#
+# PORTS - Optional. May only be specified if the protocol
+# is TCP (6) or UDP (17). A comma-separated list
+# of port numbers or service names from /etc/services.
+#
+# When a packet arrives on in interface that has the 'blacklist' option
+# specified, its source IP address is checked against this file and disposed of
+# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
+# /etc/shorewall/shorewall.conf
+#
+# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
+# the protocol (and one of the ports if PORTS supplied) are blocked.
+#
+# Example:
+#
+# To block DNS queries from address 192.0.2.126:
+#
+# ADDRESS/SUBNET PROTOCOL PORT
+# 192.0.2.126 udp 53
+#
+###############################################################################
+#ADDRESS/SUBNET PROTOCOL PORT
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+
diff --git a/STABLE2/changelog.txt b/STABLE2/changelog.txt
new file mode 100644
index 000000000..0ada9982f
--- /dev/null
+++ b/STABLE2/changelog.txt
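Review bot: The blacklist header says "When a packet arrives on in interface that has the 'blacklist' option" — it should read "on an interface". The third column is named `PORT` in the header line and in the example but `PORTS` in the column description, which says it takes a comma-separated list; use one name so readers know a list is accepted. Since the text says the check is against the packet's source address, it is worth adding one sentence that this file cannot block traffic by destination and that a source address can be spoofed by the sender.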
@@ -0,0 +1,70 @@ +Changes since 1.4.10 + +1) Remove 'unclean' support. + +2) Remove NAT_BEFORE_RULES. + +3) Remove HAVEROUTE column from ProxyARP. + +4) Change default for ALL INTERFACES in /etc/shorewall/nat. + +5) Rename the product to Shorewall2. + +6) Remove common chain. + +7) Add default action mechanism. + +8) Add USER/GROUP column to /etc/shorewall2/action.template. + +9) Get installer/uninstaller to work. + +10) Restore HAVEROUTE and add PERSISTENT column to the proxy arp file. + +11) Install correct init script on Debian. + +12) Get the attention of 'logunclean' and 'dropunclean' users. + +13) Replace all instances of `...` with $(...) for readability. + +14) Add action.AllowSNMP + +15) Move some code from firewall to functions + +16) Removed the DropBcast and DropNonSyn actions and replaced them with + builtin actions dropBcast and dropNonSyn. + +17) Make "trace" a synonym for "debug" + +18) Add the ":noah" option to IPSEC tunnels. + +19) Added a comment to the rules file to aid users who are terminally stupid. + +20) Only create the action chains that are actually used. + +21) Move actions.std and action.* files to /usr/share/shorewall. + +22) Added DISABLE_IPV6 option. + +23) Allow rate limiting on CONTINUE and REJECT. + +24) Move rfc1918 to /usr/share/shorewall + +25) Make detectnets and routeback play nice together. + +26) Avoid superfluous --state NEW tests. + +27) Allow backrouting of 'routestopped' devices. + +28) Fix the help file. + +29) Correct handling of !z1,z2,... in a DNAT/REDIRECT rule. + +30) Remove fw->fw policy. + +31) Issue clearer message if ip6tables not installed. + +32) Make 'CONTINUE' rules work again. + +33) Correct a comment in the rules file. Update for 2.0.0 final release. + +34) Eliminate Warning about Policy as rule when using actions. diff --git a/STABLE2/default.debian b/STABLE2/default.debian new file mode 100644 index 000000000..f5eeaf87b --- /dev/null +++ b/STABLE2/default.debian 
@@ -0,0 +1,18 @@
+# prevent startup with default configuration
+# set the following varible to 1 in order to allow Shorewall to start
+
+startup=0
+
+# if your Shorewall configuration requires detection of the ip address of a ppp
+# interface, you must list such interfaces in "wait_interface" to get Shorewall to
+# wait until the interface is configured. Otherwise the script will fail because
+# it won't be able to detect the IP address.
+#
+# Example:
+# wait_interface="ppp0"
+# or
+# wait_interface="ppp0 ppp1"
+# or, if you have defined in /etc/shorewall/params
+# wait_interface=
+
+# EOF
diff --git a/STABLE2/ecn b/STABLE2/ecn
new file mode 100644
index 000000000..644a63500
--- /dev/null
+++ b/STABLE2/ecn
@@ -0,0 +1,18 @@
+#
+# Shorewall 2.0 - /etc/shorewall/ecn
+#
+# Use this file to list the destinations for which you want to
+# disable ECN.
+#
+# This feature requires kernel 2.4.20 or later. If you run 2.4.20,
+# you also need the patch found at http://www.shorewall.net/ecn/patch.
+# That patch is included in kernels 2.4.21 and later.
+#
+# INTERFACE - Interface through which host(s) communicate with
+# the firewall
+# HOST(S) - (Optional) Comma-separated list of IP/subnet
+# If left empty or supplied as "-",
+# 0.0.0.0/0 is assumed.
+##############################################################################
+#INTERFACE HOST(S)
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/fallback.sh b/STABLE2/fallback.sh
new file mode 100755
index 000000000..0426ef11b
--- /dev/null
+++ b/STABLE2/fallback.sh
@@ -0,0 +1,143 @@
+#!/bin/sh
+#
+# Script to back out the installation of Shoreline Firewall and to restore the previous version of
+# the program
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
+#
+# Shorewall documentation is available at http://seattlefirewall.dyndns.org
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+#
+# Usage:
+#
+# You may only use this script to back out the installation of the version
+# shown below. Simply run this script to revert to your prior version of
+# Shoreline Firewall.
+
+VERSION=2.0.0
+
+usage() # $1 = exit status
+{
+ echo "usage: $(basename $0)"
+ exit $1
+}
+
+restore_file() # $1 = file to restore
+{
+ if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
+ if (mv -f ${1}-${VERSION}.bkout $1); then
+ echo
+ echo "$1 restored"
+ else
+ echo "ERROR: Could not restore $1"
+ exit 1
+ fi
+ fi
+}
+
+if [ ! -f /usr/share/shorewall/version-${VERSION}.bkout ]; then
+ echo "Shorewall Version $VERSION is not installed"
+ exit 1
+fi
+
+echo "Backing Out Installation of Shorewall $VERSION"
+
+if [ -L /usr/share/shorewall/init ]; then
+ FIREWALL=$(ls -l /usr/share/shorewall/firewall | sed 's/^.*> //')
+ restore_file $FIREWALL
+else
+ restore_file /etc/init.d/shorewall
+fi
+
+restore_file /usr/share/shorewall/firewall
+
+restore_file /sbin/shorewall
+
+restore_file /etc/shorewall/shorewall.conf
+
+restore_file /etc/shorewall/functions
+restore_file /usr/lib/shorewall/functions
+restore_file /var/lib/shorewall/functions
+restore_file /usr/lib/shorewall/firewall
+restore_file /usr/lib/shorewall/help
+
+restore_file /etc/shorewall/common.def
+
+restore_file /etc/shorewall/icmp.def
+
+restore_file /etc/shorewall/zones
+
+restore_file /etc/shorewall/policy
+
+restore_file /etc/shorewall/interfaces
+
+restore_file /etc/shorewall/hosts
+
+restore_file /etc/shorewall/rules
+
+restore_file /etc/shorewall/nat
+
+restore_file /etc/shorewall/params
+
+restore_file /etc/shorewall/proxyarp
+
+restore_file /etc/shorewall/routestopped
+
+restore_file /etc/shorewall/maclist
+
+restore_file /etc/shorewall/masq
+
+restore_file /etc/shorewall/modules
+
+restore_file /etc/shorewall/tcrules
+
+restore_file /etc/shorewall/tos
+
+restore_file /etc/shorewall/tunnels
+
+restore_file /etc/shorewall/blacklist
+
+restore_file /etc/shorewall/whitelist
+
+restore_file /etc/shorewall/rfc1918
+restore_file /usr/share/shorewall/rfc1918
+
+restore_file /etc/shorewall/init
+
+restore_file /etc/shorewall/start
+
+restore_file /etc/shorewall/stop
+
+restore_file /etc/shorewall/stopped
+
+restore_file /etc/shorewall/ecn
+
+restore_file /etc/shorewall/accounting
+
+restore_file /etc/shorewall/actions.std
+
+restore_file /etc/shorewall/actions
+
+for f in /usr/share/shorewall/action.*-${VERSION}.bkout; do
+ restore_file $(echo $f | sed "s/-${VERSION}.bkout//")
+done
+
+restore_file /usr/share/shorewall/version
+
+echo "Shorewall Restored to Version $oldversion"
+
+
diff --git a/STABLE2/firewall b/STABLE2/firewall
new file mode 100755
index 000000000..0fb91993b
--- /dev/null
+++ b/STABLE2/firewall
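Review bot: `echo "Shorewall Restored to Version $oldversion"` is the last statement of fallback.sh, but nothing in the script assigns oldversion, so the message always prints an empty version; set it from the file restored just above it, `oldversion=$(cat /usr/share/shorewall/version)`, before the echo. Earlier, the branch that tests `-L /usr/share/shorewall/init` resolves the link target of `/usr/share/shorewall/firewall` instead, which looks like a slip — presumably `FIREWALL=$(readlink /usr/share/shorewall/init)` was intended, which also avoids parsing `ls -l` output; confirm against install.sh. restore_file likewise runs `mv -f` with unquoted `${1}` arguments, so a target path containing whitespace would be split into several operands.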
@@ -0,0 +1,5801 @@ +#!/bin/sh +# +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2004 +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) +# +# Complete documentation is available at http://shorewall.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA +# +# If an error occurs while starting or restarting the firewall, the +# firewall is automatically stopped. +# +# Commands are: +# +# shorewall start Starts the firewall +# shorewall restart Restarts the firewall +# shorewall stop Stops the firewall +# shorewall status Displays firewall status +# shorewall reset Resets iptabless packet and +# byte counts +# shorewall clear Remove all Shorewall chains +# and rules/policies. +# shorewall refresh . Rebuild the common chain +# shorewall check Verify the more heavily-used +# configuration files. +# +# Mutual exclusion -- These functions are jackets for the mutual exclusion +# routines in $FUNCTIONS. They invoke +# the corresponding function in that file if the user did +# not specify "nolock" on the runline. 
+# +my_mutex_on() { + [ -n "$nolock" ] || { mutex_on; have_mutex=Yes; } +} + +my_mutex_off() { + [ -n "$have_mutex" ] && { mutex_off; have_mutex=; } +} + +# +# Message to stderr +# +error_message() # $* = Error Message +{ + echo " $@" >&2 +} + +# +# Fatal error -- stops the firewall after issuing the error message +# +fatal_error() # $* = Error Message +{ + echo " Error: $@" >&2 + if [ $COMMAND = check ]; then + [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR + else + stop_firewall + fi + exit 2 +} + +# +# Fatal error during startup -- generate an error message and abend with +# altering the state of the firewall +# +startup_error() # $* = Error Message +{ + echo " Error: $@" >&2 + my_mutex_off + [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR + kill $$ + exit 2 +} + +# +# Send a message to STDOUT and the System Log +# +report () { # $* = message + echo "$@" + logger "$@" +} + +# +# Run iptables and if an error occurs, stop the firewall and quit +# +run_iptables() { + + if ! iptables $@ ; then + [ -z "$stopping" ] && { stop_firewall; exit 2; } + fi +} + +# +# Version of 'run_iptables' that inserts white space after "!" in the arg list +# +run_iptables2() { + + if [ "x${*%!*}" = "x$*" ]; then + # + # No "!" in the command -- just execute it + # + run_iptables $@ + return + fi + # + # Need to insert white space before each "!" + # + run_iptables $(fix_bang $@) +} + +# +# Run ip and if an error occurs, stop the firewall and quit +# +run_ip() { + if ! ip $@ ; then + [ -z "$stopping" ] && { stop_firewall; exit 2; } + fi +} + +# +# Run arp and if an error occurs, stop the firewall and quit +# +run_arp() { + if ! arp $@ ; then + [ -z "$stopping" ] && { stop_firewall; exit 2; } + fi +} + +# +# Run tc and if an error occurs, stop the firewall and quit +# +run_tc() { + if ! 
tc $@ ; then + [ -z "$stopping" ] && { stop_firewall; exit 2; } + fi +} + +# +# Create a filter chain +# +# If the chain isn't one of the common chains then add a rule to the chain +# allowing packets that are part of an established connection. Create a +# variable exists_${1} and set its value to Yes to indicate that the chain now +# exists. +# +createchain() # $1 = chain name, $2 = If "yes", create default rules +{ + local c=$(chain_base $1) + + run_iptables -N $1 + + if [ $2 = yes ]; then + run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT + [ -z "$NEWNOTSYN" ] && \ + run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn + fi + + eval exists_${c}=Yes +} + +createchain2() # $1 = chain name, $2 = If "yes", create default rules +{ + local c=$(chain_base $1) + + if iptables -N $1; then + + if [ $2 = yes ]; then + run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT + [ -z "$NEWNOTSYN" ] && \ + run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn + fi + + eval exists_${c}=Yes + fi +} + +# +# Determine if a chain exists +# +# When we create a chain "chain", we create a variable named exists_chain and +# set its value to Yes. This function tests for the "exists_" variable +# corresponding to the passed chain having the value of "Yes". 
+# +havechain() # $1 = name of chain +{ + local c=$(chain_base $1) + + eval test \"\$exists_${c}\" = Yes +} + +# +# Query NetFilter about the existence of a filter chain +# +chain_exists() # $1 = chain name +{ + qt iptables -L $1 -n +} + +# +# Query NetFilter about the existence of a mangle chain +# +mangle_chain_exists() # $1 = chain name +{ + qt iptables -t mangle -L $1 -n +} + +# +# Ensure that a chain exists (create it if it doesn't) +# +ensurechain() # $1 = chain name +{ + havechain $1 || createchain $1 yes +} + +ensurechain1() # $1 = chain name +{ + havechain $1 || createchain $1 no +} + +# +# Add a rule to a chain creating the chain if necessary +# +addrule() # $1 = chain name, remainder of arguments specify the rule +{ + ensurechain $1 + run_iptables -A $@ +} + +# +# Create a nat chain +# +# Create a variable exists_nat_${1} and set its value to Yes to indicate that +# the chain now exists. +# +createnatchain() # $1 = chain name +{ + run_iptables -t nat -N $1 + + eval exists_nat_${1}=Yes +} + +# +# Determine if a nat chain exists +# +# When we create a chain "chain", we create a variable named exists_nat_chain +# and set its value to Yes. This function tests for the "exists_" variable +# corresponding to the passed chain having the value of "Yes". 
+# +havenatchain() # $1 = name of chain +{ + eval test \"\$exists_nat_${1}\" = Yes +} + +# +# Ensure that a nat chain exists (create it if it doesn't) +# +ensurenatchain() # $1 = chain name +{ + havenatchain $1 || createnatchain $1 +} + +# +# Add a rule to a nat chain creating the chain if necessary +# +addnatrule() # $1 = chain name, remainder of arguments specify the rule +{ + ensurenatchain $1 + run_iptables2 -t nat -A $@ +} + +# +# Delete a chain if it exists +# +deletechain() # $1 = name of chain +{ + qt iptables -L $1 -n && qt iptables -F $1 && qt iptables -X $1 +} + +# +# Determine if a chain is a policy chain +# +is_policy_chain() # $1 = name of chain +{ + eval test \"\$${1}_is_policy\" = Yes +} + +# +# Set a standard chain's policy +# +setpolicy() # $1 = name of chain, $2 = policy +{ + run_iptables -P $1 $2 +} + +# +# Set a standard chain to enable established and related connections +# +setcontinue() # $1 = name of chain +{ + run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT +} + +# +# Flush one of the NAT table chains +# +flushnat() # $1 = name of chain +{ + run_iptables -t nat -F $1 +} + +# +# Flush one of the Mangle table chains +# +flushmangle() # $1 = name of chain +{ + run_iptables -t mangle -F $1 +} + +# +# Find interfaces to a given zone +# +# Search the variables representing the contents of the interfaces file and +# for each record matching the passed ZONE, echo the expanded contents of +# the "INTERFACE" column +# +find_interfaces() # $1 = interface zone +{ + local zne=$1 + local z + local interface + + for interface in $all_interfaces; do + eval z=\$$(chain_base $interface)_zone + [ "x${z}" = x${zne} ] && echo $interface + done +} + +# +# Forward Chain for an interface +# +forward_chain() # $1 = interface +{ + echo $(chain_base $1)_fwd +} + +# +# Input Chain for an interface +# +input_chain() # $1 = interface +{ + echo $(chain_base $1)_in +} + +# +# Output Chain for an interface +# +output_chain() # $1 = interface +{ + echo 
$(chain_base $1)_out +} + +# +# Masquerade Chain for an interface +# +masq_chain() # $1 = interface +{ + echo $(chain_base $1)_masq +} + +# +# MAC Verification Chain for an interface +# +mac_chain() # $1 = interface +{ + echo $(chain_base $1)_mac +} + +# +# DNAT Chain from a zone +# +dnat_chain() # $1 = zone +{ + echo ${1}_dnat +} + +# +# SNAT Chain to a zone +# +snat_chain() # $1 = zone +{ + echo $(chain_base $1)_snat +} + +# +# ECN Chain to an interface +# +ecn_chain() # $1 = interface +{ + echo $(chain_base $1)_ecn +} + +# +# First chains for an interface +# +first_chains() #$1 = interface +{ + local c=$(chain_base $1) + + echo ${c}_fwd ${c}_in +} + +# +# Find hosts in a given zone +# +# Read hosts file and for each record matching the passed ZONE, +# echo the expanded contents of the "HOST(S)" column +# +find_hosts() # $1 = host zone +{ + local hosts interface address addresses + + while read z hosts options; do + if [ "x$(expand $z)" = "x$1" ]; then + expandv hosts + interface=${hosts%:*} + addresses=${hosts#*:} + for address in $(separate_list $addresses); do + echo $interface:$address + done + fi + done < $TMP_DIR/hosts +} + +# +# Determine the interfaces on the firewall +# +# For each zone, create a variable called ${zone}_interfaces. 
This +# variable contains a space-separated list of interfaces to the zone +# +determine_interfaces() { + for zone in $zones; do + interfaces=$(find_interfaces $zone) + interfaces=$(echo $interfaces) # Remove extra trash + eval ${zone}_interfaces=\"\$interfaces\" + done +} + +# +# Determine the defined hosts in each zone and generate report +# +determine_hosts() { + + for zone in $zones; do + hosts=$(find_hosts $zone) + hosts=$(echo $hosts) # Remove extra trash + + eval interfaces=\$${zone}_interfaces + + for interface in $interfaces; do + eval options=\$$(chain_base $interface)_options + if list_search detectnets $options; then + subnets=$(get_routed_subnets $interface) + else + subnets=0.0.0.0/0 + fi + + for subnet in $subnets; do + if [ -z "$hosts" ]; then + hosts=$interface:$subnet + else + hosts="$hosts $interface:$subnet" + fi + + if list_search routeback $options; then + eval ${zone}_routeback=\"$interface:$subnet \$${zone}_routeback\" + fi + done + done + + interfaces= + + for host in $hosts; do + interface=${host%:*} + if list_search $interface $interfaces; then + eval ${zone}_is_complex=Yes + else + if [ -z "$interfaces" ]; then + interfaces=$interface + else + interfaces="$interfaces $interface" + fi + fi + done + + eval ${zone}_interfaces="\$interfaces" + eval ${zone}_hosts="\$hosts" + + if [ -n "$hosts" ]; then + eval display=\$${zone}_display + display_list "$display Zone:" $hosts + else + error_message "Warning: Zone $zone is empty" + fi + done +} + +# +# Ensure that the passed zone is defined in the zones file or is the firewall +# +validate_zone() # $1 = zone +{ + list_search $1 $zones $FW +} + +# +# Validate the zone names and options in the interfaces file +# +validate_interfaces_file() { + local wildcard + local found_obsolete_option= + local z interface subnet options r iface option + + while read z interface subnet options; do + expandv z interface subnet options + r="$z $interface $subnet $options" + + [ "x$z" = "x-" ] && z= + + if [ -n "$z" 
]; then + validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" + fi + + list_search $interface $all_interfaces && \ + startup_error "Duplicate Interface $interface" + + wildcard= + + case $interface in + *:*) + startup_error "Invalid Interface Name: $interface" + ;; + *+*) + wildcard=Yes + ;; + esac + + all_interfaces="$all_interfaces $interface" + options=$(separate_list $options) + iface=$(chain_base $interface) + + eval ${iface}_broadcast="$subnet" + eval ${iface}_zone="$z" + eval ${iface}_options=\"$options\" + + for option in $options; do + case $option in + dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|nosmurfs|-) + ;; + dropunclean|logunclean) + if [ -z "$found_obsolete_option" ]; then + found_obsolete_option=yes + error_message \ + "Warning: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0" + error_message \ + " PLEASE STAND BY WHILE SHOREWALL REFORMATS YOUR HARD DRIVE TO REMOVE THESE OPTIONS..." + sleep 5 + error_message "GOTCHA!!!! 
:-)" + error_message \ + " Now please remove these options from your interfaces file -- Thanks" + fi + ;; + detectnets) + [ -n "$wildcard" ] && \ + startup_error "The \"detectnets\" option may not be used with a wild-card interface" + ;; + routeback) + [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface" + ;; + *) + error_message "Warning: Invalid option ($option) in record \"$r\"" + ;; + esac + done + + [ -z "$all_interfaces" ] && startup_error "No Interfaces Defined" + + done < $TMP_DIR/interfaces +} + +# +# Validate the zone names and options in the hosts file +# +validate_hosts_file() { + local z hosts options r interface host option + + while read z hosts options; do + expandv z hosts options + r="$z $hosts $options" + validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" + + interface=${hosts%:*} + + list_search $interface $all_interfaces || \ + startup_error "Unknown interface ($interface) in record \"$r\"" + + hosts=${hosts#*:} + + for host in $(separate_list $hosts); do + for option in $(separate_list $options); do + case $option in + maclist|-) + ;; + routeback) + eval ${z}_routeback=\"$interface:$host \$${z}_routeback\" + ;; + *) + error_message "Warning: Invalid option ($option) in record \"$r\"" + ;; + esac + done + done + done < $TMP_DIR/hosts +} + +# +# Format a match by the passed MAC address +# The passed address begins with "~" and uses "-" as a separator between bytes +# Example: ~01-02-03-04-05-06 +# +mac_match() # $1 = MAC address formated as described above +{ + echo "--match mac --mac-source $(echo $1 | sed 's/~//;s/-/:/g')" +} + +# +# validate the policy file +# +validate_policy() +{ + local clientwild + local serverwild + local zone + local zone1 + local pc + local chain + local policy + local loglevel + local synparams + + print_policy() # $1 = source zone, $2 = destination zone + { + [ $COMMAND != check ] || \ + [ $1 = $2 ] || \ + [ $1 = all ] || \ + [ $2 = all ] || \ + echo " 
Policy for $1 to $2 is $policy using chain $chain" + } + + all_policy_chains= + + strip_file policy + + while read client server policy loglevel synparams; do + expandv client server policy loglevel synparams + + clientwild= + serverwild= + + case "$client" in + all|ALL) + clientwild=Yes + ;; + *) + if ! validate_zone $client; then + startup_error "Undefined zone $client" + fi + esac + + case "$server" in + all|ALL) + serverwild=Yes + ;; + *) + if ! validate_zone $server; then + startup_error "Undefined zone $server" + fi + esac + + case $policy in + ACCEPT|REJECT|DROP|CONTINUE) + ;; + NONE) + [ "$client" = "$FW" -o "$server" = "$FW" ] && \ + startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone" + + [ -n "$clientwild" -o -n "$serverwild" ] && \ + startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\"" + ;; + *) + startup_error "Invalid policy $policy" + ;; + esac + + chain=${client}2${server} + + if is_policy_chain $chain ; then + startup_error "Duplicate policy $policy" + fi + + [ "x$loglevel" = "x-" ] && loglevel= + + [ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain" + + eval ${chain}_is_policy=Yes + eval ${chain}_policy=$policy + eval ${chain}_loglevel=$loglevel + eval ${chain}_synparams=$synparams + + if [ -n "${clientwild}" ]; then + if [ -n "${serverwild}" ]; then + for zone in $zones $FW all; do + for zone1 in $zones $FW all; do + eval pc=\$${zone}2${zone1}_policychain + + if [ -z "$pc" ]; then + eval ${zone}2${zone1}_policychain=$chain + eval ${zone}2${zone1}_policy=$policy + print_policy $zone $zone1 + fi + done + done + else + for zone in $zones $FW all; do + eval pc=\$${zone}2${server}_policychain + + if [ -z "$pc" ]; then + eval ${zone}2${server}_policychain=$chain + eval ${zone}2${server}_policy=$policy + print_policy $zone $server + fi + done + fi + elif [ -n "$serverwild" ]; then + for zone in $zones $FW all; do + eval 
pc=\$${client}2${zone}_policychain + + if [ -z "$pc" ]; then + eval ${client}2${zone}_policychain=$chain + eval ${client}2${zone}_policy=$policy + print_policy $client $zone + fi + done + else + eval ${chain}_policychain=${chain} + print_policy $client $server + fi + + done < $TMP_DIR/policy +} + +# +# Find broadcast addresses +# +find_broadcasts() { + for interface in $all_interfaces; do + eval bcast=\$$(chain_base $interface)_broadcast + if [ "x$bcast" = "xdetect" ]; then + ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u + elif [ "x${bcast}" != "x-" ]; then + echo $(separate_list $bcast) + fi + done +} + +# +# Find interface address--returns the first IP address assigned to the passed +# device +# +find_interface_address() # $1 = interface +{ + # + # get the line of output containing the first IP address + # + addr=$(ip -f inet addr show $1 2> /dev/null | grep inet | head -n1) + # + # If there wasn't one, bail out now + # + [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1" + # + # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) + # along with everything else on the line + # + echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//' +} + +# +# Find interface addresses--returns the set of addresses assigned to the passed +# device +# +find_interface_addresses() # $1 = interface +{ + ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//' +} + +# +# Find interfaces that have the passed option specified +# +find_interfaces_by_option() # $1 = option +{ + for interface in $all_interfaces; do + eval options=\$$(chain_base $interface)_options + list_search $1 $options && echo $interface + done +} + +# +# Find hosts with the passed option +# +find_hosts_by_option() # $1 = option +{ + local ignore hosts interface address addresses options + + while read ignore hosts options; do + expandv options + if list_search $1 $(separate_list $options); then + 
expandv hosts + interface=${hosts%:*} + addresses=${hosts#*:} + for address in $(separate_list $addresses); do + echo $interface:$address + done + fi + done < $TMP_DIR/hosts + + for interface in $all_interfaces; do + eval options=\$$(chain_base $interface)_options + list_search $1 $options && \ + echo ${interface}:0.0.0.0/0 + done +} + +# +# Determine if there are interfaces of the given zone and option +# +# Returns zero if any such interfaces are found and returns one otherwise. +# +have_interfaces_in_zone_with_option() # $1 = zone, $2 = option +{ + local zne=$1 + local z + local interface + + for interface in $all_interfaces; do + eval z=\$$(chain_base $interface)_zone + + [ "x$z" = "x$zne" ] && \ + list_search $1 $options && \ + return 0 + done + + return 1 +} + +# +# Flush and delete all user-defined chains in the filter table +# +deleteallchains() { + run_iptables -F + run_iptables -X +} + +# +# Source a user exit file if it exists +# +run_user_exit() # $1 = file name +{ + local user_exit=$(find_file $1) + + if [ -f $user_exit ]; then + echo "Processing $user_exit ..." + . $user_exit + fi +} + +# +# Add a logging rule. +# +log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limit $... = predicates for the rule +{ + local level=$1 + local chain=$2 + local disposition=$3 + local rulenum= + local limit="${4:-$LOGLIMIT}" + + shift;shift;shift;shift + + if [ -n "$LOGRULENUMBERS" ]; then + eval rulenum=\$${chain}_logrules + + [ -z "$rulenum" ] && rulenum=1 + + case $level in + ULOG) + eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"' + ;; + *) + eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \ + --log-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"' + ;; + esac + + if [ $? 
-ne 0 ] ; then + [ -z "$stopping" ] && { stop_firewall; exit 2; } + fi + + rulenum=$(($rulenum + 1)) + + eval ${chain}_logrules=$rulenum + else + case $level in + ULOG) + eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"' + ;; + *) + eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \ + --log-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"' + ;; + esac + + if [ $? -ne 0 ] ; then + [ -z "$stopping" ] && { stop_firewall; exit 2; } + fi + fi +} + +log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule +{ + local level=$1 + local chain=$2 + local disposition=$3 + + shift;shift;shift + + log_rule_limit $level $chain $disposition "$LOGLIMIT" $@ +} + +# +# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING +# +setup_forwarding() { + case "$IP_FORWARDING" in + [Oo][Nn]) + echo 1 > /proc/sys/net/ipv4/ip_forward + echo "IP Forwarding Enabled" + ;; + [Oo][Ff][Ff]) + echo 0 > /proc/sys/net/ipv4/ip_forward + echo "IP Forwarding Disabled!" 
+ ;; + esac +} + +# +# Disable IPV6 +# +disable_ipv6() { + if qt which ip6tables; then + ip6tables -P FORWARD DROP + ip6tables -P INPUT DROP + ip6tables -P OUTPUT DROP + else + error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system has no ip6tables" + fi +} + +# +# Stop the Firewall +# +stop_firewall() { + # + # Turn off trace unless we were tracing "stop" or "clear" + # + case $COMMAND in + stop|clear) + ;; + check) + kill $$ + exit 2 + ;; + *) + set +x + ;; + esac + + stopping="Yes" + + terminator= + + deletechain shorewall + + run_user_exit stop + + [ -n "$MANGLE_ENABLED" ] && \ + run_iptables -t mangle -F && \ + run_iptables -t mangle -X + + [ -n "$NAT_ENABLED" ] && delete_nat + delete_proxy_arp + [ -n "$CLEAR_TC" ] && delete_tc + + [ -n "$DISABLE_IPV6" ] && disable_ipv6 + + if [ -z "$ADMINISABSENTMINDED" ]; then + for chain in INPUT OUTPUT FORWARD; do + setpolicy $chain DROP + done + + deleteallchains + else + for chain in INPUT FORWARD; do + setpolicy $chain DROP + done + + setpolicy OUTPUT ACCEPT + + deleteallchains + + for chain in INPUT FORWARD; do + setcontinue $chain + done + fi + + hosts= + + strip_file routestopped + + while read interface host; do + expandv interface host + [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 + for h in $(separate_list $host); do + hosts="$hosts $interface:$h" + done + done < $TMP_DIR/routestopped + + for host in $hosts; do + interface=${host%:*} + subnet=${host#*:} + iptables -A INPUT -i $interface -s $subnet -j ACCEPT + [ -z "$ADMINISABSENTMINDED" ] && \ + iptables -A OUTPUT -o $interface -d $subnet -j ACCEPT + + for host1 in $hosts; do + iptables -A FORWARD -i $interface -s $subnet -o ${host1%:*} -d ${host1#*:} -j ACCEPT + done + done + + iptables -A INPUT -i lo -j ACCEPT + [ -z "$ADMINISABSENTMINDED" ] && \ + iptables -A OUTPUT -o lo -j ACCEPT + + for interface in $(find_interfaces_by_option dhcp); do + iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT + [ -z "$ADMINISABSENTMINDED" 
] && \ + iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT + done + + setup_forwarding + + run_user_exit stopped + + logger "Shorewall Stopped" + + rm -rf $TMP_DIR + + case $COMMAND in + stop|clear) + ;; + *) + # + # The firewall is being stopped when we were trying to do something + # else. Remove the lock file and Kill the shell in case we're in a + # subshell + # + my_mutex_off + kill $$ + ;; + esac +} + +# +# Remove all rules and remove all user-defined chains +# +clear_firewall() { + stop_firewall + + run_iptables -F + + echo 1 > /proc/sys/net/ipv4/ip_forward + + setpolicy INPUT ACCEPT + setpolicy FORWARD ACCEPT + setpolicy OUTPUT ACCEPT + + ip6tables -P INPUT ACCEPT 2> /dev/null + ip6tables -P OUTPUT ACCEPT 2> /dev/null + ip6tables -P FORWARD ACCEPT 2> /dev/null + + run_user_exit clear + + logger "Shorewall Cleared" +} + +# +# Set up ipsec tunnels +# +setup_tunnels() # $1 = name of tunnels file +{ + local inchain + local outchain + + setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones + { + local kind=$2 noah= + + case $kind in + *:*) + noah=${kind#*:} + [ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\"" + kind=${kind%:*} + ;; + esac + + [ $kind = IPSEC ] && kind=ipsec + + options="-m state --state NEW -j ACCEPT" + addrule $inchain -p 50 -s $1 -j ACCEPT + addrule $outchain -p 50 -d $1 -j ACCEPT + if [ -z "$noah" ]; then + run_iptables -A $inchain -p 51 -s $1 -j ACCEPT + run_iptables -A $outchain -p 51 -d $1 -j ACCEPT + fi + + run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options + + if [ $kind = ipsec ]; then + run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options + else + run_iptables -A $inchain -p udp -s $1 --dport 500 $options + run_iptables -A $inchain -p udp -s $1 --dport 4500 $options + fi + + for z in $(separate_list $3); do + if validate_zone $z; then + addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options + if [ $kind = ipsec ]; 
then + addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options + else + addrule ${z}2${FW} -p udp --dport 500 $options + addrule ${z}2${FW} -p udp --dport 4500 $options + fi + else + error_message "Warning: Invalid gateway zone ($z)" \ + " -- Tunnel \"$tunnel\" may encounter keying problems" + fi + done + + echo " IPSEC tunnel to $gateway defined." + } + + setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol + { + addrule $inchain -p $3 -s $2 -j ACCEPT + addrule $outchain -p $3 -d $2 -j ACCEPT + + echo " $1 tunnel to $2 defined." + } + + setup_pptp_client() # $1 = gateway + { + addrule $outchain -p 47 -d $1 -j ACCEPT + addrule $inchain -p 47 -j ACCEPT + addrule $outchain -p tcp --dport 1723 -d $1 -j ACCEPT + + echo " PPTP tunnel to $1 defined." + } + + setup_pptp_server() + { + addrule $inchain -p 47 -j ACCEPT + addrule $outchain -p 47 -j ACCEPT + addrule $inchain -p tcp --dport 1723 -j ACCEPT + + echo " PPTP server defined." + } + + setup_one_openvpn() # $1 = gateway, $2 = kind[:port] + { + case $2 in + *:*) + p=${2#*:} + ;; + *) + p=5000 + ;; + esac + + addrule $inchain -p udp -s $1 --sport $p --dport $p -j ACCEPT + addrule $outchain -p udp -d $1 --sport $p --dport $p -j ACCEPT + + echo " OPENVPN tunnel to $1:$p defined." + } + + setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port], $3 = Gateway Zone + { + local procotol + local p= + + case $2 in + *:*:*) + p=${2##*:} + protocol=${2%:*} + protocol=${protocol#*:} + ;; + *:*) + protocol=${2#*:} + ;; + *) + protocol=udp + p=5000 + ;; + esac + + p=${p:+--dport $p} + + addrule $inchain -p $protocol -s $1 $p -j ACCEPT + addrule $outchain -p $protocol -d $1 $p -j ACCEPT + + for z in $(separate_list $3); do + if validate_zone $z; then + addrule ${FW}2${z} -p $protocol $p -j ACCEPT + addrule ${z}2${FW} -p $protocol $p -j ACCEPT + else + error_message "Warning: Invalid gateway zone ($z)" \ + " -- Tunnel \"$tunnel\" may encounter problems" + fi + done + + echo " GENERIC tunnel to $1:$p defined." 
+ } + + strip_file tunnels $1 + + while read kind z gateway z1; do + expandv kind z gateway z1 + tunnel="$(echo $kind $z $gateway $z1)" + if validate_zone $z; then + inchain=${z}2${FW} + outchain=${FW}2${z} + case $kind in + ipsec|IPSEC|ipsec:*|IPSEC:*) + setup_one_ipsec $gateway $kind $z1 + ;; + ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*) + setup_one_ipsec $gateway $kind $z1 + ;; + ipip|IPIP) + setup_one_other IPIP $gateway 4 + ;; + gre|GRE) + setup_one_other GRE $gateway 47 + ;; + 6to4|6TO4) + setup_one_other 6to4 $gateway 41 + ;; + pptpclient|PPTPCLIENT) + setup_pptp_client $gateway + ;; + pptpserver|PPTPSERVER) + setup_pptp_server + ;; + openvpn|OPENVPN|openvpn:*|OPENVPN:*) + setup_one_openvpn $gateway $kind + ;; + generic:*|GENERIC:*) + setup_one_generic $gateway $kind $z1 + ;; + *) + error_message "Tunnels of type $kind are not supported:" \ + "Tunnel \"$tunnel\" Ignored" + ;; + esac + else + error_message "Invalid gateway zone ($z)" \ + " -- Tunnel \"$tunnel\" Ignored" + fi + done < $TMP_DIR/tunnels +} + +# +# Setup Proxy ARP +# +setup_proxy_arp() { + + print_error() { + error_message "Invalid value for HAVEROUTE - ($haveroute)" + error_message "Entry \"$address $interface $external $haveroute\" ignored" + } + + print_error1() { + error_message "Invalid value for PERSISTENT - ($persistent)" + error_message "Entry \"$address $interface $external $haveroute $persistent\" ignored" + } + + print_warning() { + error_message "PERSISTENT setting ignored - ($persistent)" + error_message "Entry \"$address $interface $external $haveroute $persistent\"" + } + + setup_one_proxy_arp() { + + case $haveroute in + [Nn][Oo]) + haveroute= + ;; + [Yy][Ee][Ss]) + ;; + *) + if [ -n "$haveroute" ]; then + print_error + return + fi + ;; + esac + + case $persistent in + [Nn][Oo]) + persistent= + ;; + [Yy][Ee][Ss]) + ;; + *) + if [ -n "$persistent" ]; then + print_error1 + return + fi + + [ -z "$haveroute" ] || print_warning + ;; + esac + + if [ -z "$haveroute" ]; then + run_ip route 
replace $address dev $interface + [ -n "$persistent" ] && haveroute=yes + fi + + run_arp -Ds $address $external pub + + echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp + echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp + + echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp + + echo " Host $address connected to $interface added to ARP on $external" + } + + > ${STATEDIR}/proxyarp + + while read address interface external haveroute persistent; do + expandv address interface external haveroute persistent + setup_one_proxy_arp + done < $TMP_DIR/proxyarp + + interfaces=$(find_interfaces_by_option proxyarp) + + for interface in $interfaces; do + if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then + echo " Enabled proxy ARP on $interface" + else + error_message "Warning: Unable to enable proxy ARP on $interface" + fi + done +} + +# +# Set up MAC Verification +# +setup_mac_lists() { + local interface + local mac + local addresses + local address + local chain + local logpart + local macpart + local blob + local hosts + # + # Generate the list of interfaces having MAC verification + # + maclist_interfaces= + + for hosts in $maclist_hosts; do + interface=${hosts%:*} + if ! list_search $interface $maclist_interfaces; then\ + if [ -z "$maclist_interfaces" ]; then + maclist_interfaces=$interface + else + maclist_interfaces="$maclist_interfaces $interface" + fi + fi + done + + echo "Setting up MAC Verification on $maclist_interfaces..." 
+ # + # Be sure that they are all ethernet interfaces + # + for interface in $maclist_interfaces; do + case $interface in + eth*|wlan*|br[0-9]|ath[0-9]) + ;; + *) + fatal_error "MAC verification is only supported on ethernet and 802.11b devices: $interface" + ;; + esac + + createchain $(mac_chain $interface) no + done + # + # Process the maclist file producing the verification rules + # + + while read interface mac addresses; do + expandv interface mac addresses + + chain=$(mac_chain $interface) + + if ! havechain $chain ; then + fatal_error "No hosts on $interface have the maclist option specified" + fi + + macpart=$(mac_match $mac) + + if [ -z "$addresses" ]; then + run_iptables -A $chain $macpart -j RETURN + else + for address in $(separate_list $addresses) ; do + run_iptables2 -A $chain $macpart -s $address -j RETURN + done + fi + done < $TMP_DIR/maclist + # + # Must take care of our own broadcasts and multicasts then terminate the verification + # chains + # + for interface in $maclist_interfaces; do + chain=$(mac_chain $interface) + + blob=$(ip link show $interface 2> /dev/null) + + [ -z "$blob" ] && \ + fatal_error "Interface $interface must be up before Shorewall can start" + + ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do + if [ -n "$broadcast" ]; then + run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN + fi + + run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN + run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN + done + + if [ -n "$MACLIST_LOG_LEVEL" ]; then + log_rule $MACLIST_LOG_LEVEL $chain $MACLIST_DISPOSITION + fi + + run_iptables -A $chain -j $maclist_target + done + # + # Generate jumps from the input and forward chains + # + for hosts in $maclist_hosts; do + interface=${hosts%:*} + hosts=${hosts#*:} + for chain in $(first_chains $interface) ; do + run_iptables -A $chain -s $hosts -m state --state NEW \ + -j 
$(mac_chain $interface) + done + done +} + +# +# Set up SYN flood protection +# +setup_syn_flood_chain () + # $1 = policy chain + # $2 = synparams +{ + local chain=$1 + local limit=$2 + local limit_burst= + + case $limit in + *:*) + limit_burst="--limit-burst ${limit#*:}" + limit=${limit%:*} + ;; + esac + + run_iptables -N @$chain + run_iptables -A @$chain -m limit --limit $limit $limit_burst -j RETURN + run_iptables -A @$chain -j DROP +} + +# +# Enable SYN flood protection on a chain +# +# Insert a jump rule to the protection chain from the first chain. Inserted +# as the second rule and restrict the jump to SYN packets +# +enable_syn_flood_protection() # $1 = chain, $2 = protection chain +{ + run_iptables -I $1 2 -p tcp --syn -j @$2 + echo " Enabled SYN flood protection" +} + +# +# Delete existing Proxy ARP +# +delete_proxy_arp() { + if [ -f ${STATEDIR}/proxyarp ]; then + while read address interface external haveroute; do + qt arp -i $external -d $address pub + [ -z "$haveroute" ] && qt ip route del $address dev $interface + done < ${STATEDIR}/proxyarp + + rm -f ${STATEDIR}/proxyarp + fi + + [ -d ${STATEDIR} ] && touch ${STATEDIR}/proxyarp + + for f in $(ls /proc/sys/net/ipv4/conf/*/proxy_arp); do + echo 0 > $f + done +} + +# +# Setup Static Network Address Translation (NAT) +# +setup_nat() { + local allints + # + # At this point, we're just interested in the network translation + # + > ${STATEDIR}/nat + + while read external interface internal allints localnat; do + expandv external interface internal allints localnat + + iface=${interface%:*} + + if [ -n "$ADD_IP_ALIASES" ]; then + qt ip addr del $external dev $iface + fi + + if [ -z "$allints" -o "$allints" = "Yes" -o "$allints" = "yes" ]; then + addnatrule nat_in -d $external -j DNAT --to-destination $internal + addnatrule nat_out -s $internal -j SNAT --to-source $external + + if [ "$localnat" = "Yes" -o "$localnat" = "yes" ]; then + run_iptables2 -t nat -A OUTPUT -d $external \ + -j DNAT --to-destination 
$internal + fi + elif [ -z "$allints" -o "$allints" = "No" -o "$allints" = "no" ]; then + addnatrule $(input_chain $iface) \ + -d $external -j DNAT --to-destination $internal + addnatrule $(output_chain $iface) \ + -s $internal -j SNAT --to-source $external + else + fatal_error "Invalid value ($allints) for ALL INTERFACES in entry \"$external $interface $internal $allints $localnet\"" + fi + + if [ -n "$ADD_IP_ALIASES" ]; then + list_search $external $aliases_to_add || \ + aliases_to_add="$aliases_to_add $external $interface" + fi + + echo " Host $internal NAT $external on $interface" + done < $TMP_DIR/nat +} + +# +# Delete existing Static NAT +# +delete_nat() { + run_iptables -t nat -F + run_iptables -t nat -X + + if [ -f ${STATEDIR}/nat ]; then + while read external interface; do + qt ip addr del $external dev $interface + done < ${STATEDIR}/nat + + rm -f {$STATEDIR}/nat + fi + + [ -d ${STATEDIR} ] && touch ${STATEDIR}/nat +} + +# +# Setup ECN disabling rules +# +setup_ecn() # $1 = file name +{ + local interfaces="" + local hosts + local h + + strip_file ecn $1 + + echo "Processing $1..." + + while read interface host; do + expandv interface host + list_search $interface $all_interfaces || \ + startup_error "Unknown interface $interface" + list_search $interface $interfaces || \ + interfaces="$interfaces $interface" + [ "x$host" = "x-" ] && host= + for h in $(separate_list ${host:-0.0.0.0/0}); do + hosts="$hosts $interface:$h" + done + done < $TMP_DIR/ecn + + if [ -n "$interfaces" ]; then + echo "Setting up ECN control on${interfaces}..." 
+ + for interface in $interfaces; do + chain=$(ecn_chain $interface) + if mangle_chain_exists $chain; then + flushmangle $chain + else + run_iptables -t mangle -N $chain + run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain + run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain + fi + done + + for host in $hosts; do + interface=${host%:*} + h=${host#*:} + run_iptables -t mangle -A $(ecn_chain $interface) -p tcp -d $h -j ECN --ecn-tcp-remove + echo " ECN Disabled to $h through $interface" + done + fi +} + +# +# Process a TC Rule - $marking_chain is assumed to contain the name of the +# default marking chain +# +process_tc_rule() +{ + chain=$marking_chain + + add_a_tc_rule() { + r= + + if [ "x$source" != "x-" ]; then + case $source in + *.*.*) + r="-s $source " + ;; + ~*) + r="$(mac_match $source) " + ;; + $FW) + chain=tcout + ;; + *) + if ! list_search $source $all_interfaces; then + fatal_error "Unknown interface $source in rule \"$rule\"" + fi + + r="-i $source " + ;; + esac + fi + + if [ "x${user:--}" != "x-" ]; then + + [ "$chain" != tcout ] && \ + fatal_error "Invalid use of a user/group: rule \"$rule\"" + + case "$user" in + *:*) + r="$r-m owner" + temp="${user%:*}" + [ -n "$temp" ] && r="$r --uid-owner $temp " + temp="${user#*:}" + [ -n "$temp" ] && r="$r --gid-owner $temp " + ;; + *) + r="$r-m owner --uid-owner $user " + ;; + esac + fi + + [ "x$dest" = "x-" ] || r="${r}-d $dest " + [ "$proto" = "all" ] || r="${r}-p $proto " + [ "x$port" = "x-" ] || r="${r}--dport $port " + [ "x$sport" = "x-" ] || r="${r}--sport $sport " + + run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark + + } + + if [ "$mark" != "${mark%:*}" ]; then + + [ "$chain" = tcout ] && \ + fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\"" + + case "${mark#*:}" in + p|P) + chain=tcpre + ;; + f|F) + chain=tcfor + ;; + *) + fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\"" + ;; + esac + + mark="${mark%:*}" + fi 
+ + for source in $(separate_list ${sources:=-}); do + for dest in $(separate_list ${dests:=-}); do + for port in $(separate_list ${ports:=-}); do + for sport in $(separate_list ${sports:=-}); do + add_a_tc_rule + done + done + done + done + + echo " TC Rule \"$rule\" added" +} + +# +# Setup queuing and classes +# +setup_tc1() { + # + # Create the TC mangle chains + # + + run_iptables -t mangle -N tcpre + run_iptables -t mangle -N tcfor + run_iptables -t mangle -N tcout + # + # Process the TC Rules File + # + strip_file tcrules + + while read mark sources dests proto ports sports user; do + expandv mark sources dests proto ports sports user + rule=$(echo "$mark $sources $dests $proto $ports $sports $user") + process_tc_rule + done < $TMP_DIR/tcrules + # + # Link to the TC mangle chains from the main chains + # + + run_iptables -t mangle -A FORWARD -j tcfor + run_iptables -t mangle -A PREROUTING -j tcpre + run_iptables -t mangle -A OUTPUT -j tcout + + run_user_exit tcstart + +} + +setup_tc() { + + echo "Setting up Traffic Control Rules..." + + setup_tc1 +} + +# +# Clear Traffic Shaping +# +delete_tc() +{ + + clear_one_tc() { + tc qdisc del dev $1 root 2> /dev/null + tc qdisc del dev $1 ingress 2> /dev/null + } + + run_user_exit tcclear + + run_ip link list | \ + while read inx interface details; do + case $inx in + [0-9]*) + clear_one_tc ${interface%:} + ;; + *) + ;; + esac + done +} + +# +# Process a record from the accounting file +# +process_accounting_rule() { + rule= + rule2= + jumpchain= + + accounting_error() { + error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport + } + + jump_to_chain() { + if ! havechain $jumpchain; then + if ! 
createchain2 $jumpchain No; then + accounting_error + return 2 + fi + fi + + rule="$rule -j $jumpchain" + } + + case $source in + *:*) + rule="-s ${source#*:} -i ${source%:*}" + ;; + *.*.*.*) + rule="-s $source" + ;; + -|all|any) + ;; + *) + [ -n "$source" ] && rule="-i $source" + ;; + esac + + [ -n "$dest" ] && case $dest in + *:*) + rule="$rule -d ${dest#*:} -o ${dest%:*}" + ;; + *.*.*.*) + rule="$rule -d $dest" + ;; + -|all|any) + ;; + *) + rule="$rule -o $dest" + ;; + esac + + [ -n "$proto" ] && case $proto in + -|any|all) + ;; + *) + rule="$rule -p $proto" + ;; + esac + + [ -n "$port" ] && case $port in + -|any|all) + ;; + *) + rule="$rule --dport $port" + ;; + esac + + [ -n "$sport" ] && case $sport in + -|any|all) + ;; + *) + rule="$rule --sport $sport" + ;; + esac + + case $action in + COUNT) + ;; + DONE) + rule="$rule -j RETURN" + ;; + *:COUNT) + rule2="$rule" + jumpchain=${action%:*} + jump_to_chain || return + ;; + JUMP:*) + jumpchain=${action#*:} + jump_to_chain || return + ;; + *) + jumpchain=$action + jump_to_chain || return + ;; + esac + + [ "x$chain" = "x-" ] && chain=accounting + [ -z "$chain" ] && chain=accounting + + ensurechain1 $chain + + if iptables -A $chain $rule ; then + [ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2 + echo " Accounting rule" $action $chain $source $dest $proto $port $sport Added + else + accounting_error + fi +} + +# +# Set up Accounting +# +setup_accounting() # $1 = Name of accounting file +{ + + echo "Setting up Accounting..." 
+ + strip_file accounting $1 + + while read action chain source dest proto port sport ; do + expandv action chain source dest proto port sport + process_accounting_rule + done < $TMP_DIR/accounting + + if havechain accounting; then + for chain in INPUT FORWARD OUTPUT; do + run_iptables -A $chain -j accounting + done + fi + +} + + +# +# Check the configuration +# +check_config() { + + disclaimer() { + echo + echo "Notice: The 'check' command is unsupported and problem" + echo " reports complaining about errors that it didn't catch" + echo " will not be accepted" + echo + } + + disclaimer + + report_capabilities + + echo "Verifying Configuration..." + + verify_os_version + + load_kernel_modules + + echo "Determining Zones..." + + determine_zones + + [ -z "$zones" ] && startup_error "ERROR: No Zones Defined" + + display_list "Zones:" $zones + + echo "Validating interfaces file..." + + validate_interfaces_file + + echo "Validating hosts file..." + + validate_hosts_file + + echo "Determining Hosts in Zones..." + + determine_interfaces + determine_hosts + + echo "Validating policy file..." + + validate_policy + + echo "Pre-validating Actions..." + + process_actions1 + + echo "Validating rules file..." + + rules=$(find_file rules) + strip_file rules $rules + process_rules + + echo "Validating Actions..." + + process_actions2 + + rm -rf $TMP_DIR + + echo "Configuration Validated" + + disclaimer + +} + +# +# Refresh queuing and classes +# +refresh_tc() { + + echo "Refreshing Traffic Control Rules..." 
+ + [ -n "$CLEAR_TC" ] && delete_tc + + [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre + + if mangle_chain_exists $chain; then + # + # Flush the TC mangle chains + # + run_iptables -t mangle -F $chain + + run_iptables -t mangle -F tcout + # + # Process the TC Rules File + # + strip_file tcrules + + while read mark sources dests proto ports sports; do + expandv mark sources dests proto ports sports + rule=$(echo "$mark $sources $dests $proto $ports $sports") + process_tc_rule + done < $TMP_DIR/tcrules + + run_user_exit tcstart + else + setup_tc1 + fi + +} + +# +# Add one Filter Rule from an action -- Helper function for the action file processor +# +# The caller has established the following variables: +# check = current command. If 'check', we're executing a 'check' +# which only goes through the motions. +# client = SOURCE IP or MAC +# server = DESTINATION IP or interface +# protocol = Protocol +# address = Original Destination Address +# port = Destination Port +# cport = Source Port +# multioption = String to invoke multiport match if appropriate +# action = The chain for this rule +# ratelimit = Optional rate limiting clause +# userandgroup = owner match clause +# +add_an_action() +{ + do_ports() { + if [ -n "$port" ]; then + dports="--dport" + if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then + multiport="$multioption" + dports="--dports" + fi + dports="$dports $port" + fi + + if [ -n "$cport" ]; then + sports="--sport" + if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then + multiport="$multioption" + sports="--sports" + fi + sports="$sports $cport" + fi + } + + # Set source variables. The 'cli' variable will hold the client match predicate(s). 
+ + cli= + + case "$client" in + -) + ;; + *:*) + cli="-i ${client%:*} -s ${client#*:}" + ;; + *.*.*) + cli="-s $client" + ;; + ~*) + cli=$(mac_match $client) + ;; + *) + [ -n "$client" ] && cli="-i $client" + ;; + esac + + # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s). + + dest_interface= + serv= + + case "$server" in + -) + ;; + *.*.*) + serv=$server + ;; + ~*) + fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" + ;; + *) + [ -n "$server" ] && dest_interface="-o $server" + ;; + esac + + # Setup protocol and port variables + + sports= + dports= + proto=$protocol + servport=$serverport + multiport= + + [ x$port = x- ] && port= + [ x$cport = x- ] && cport= + + case $proto in + tcp|TCP|6) + do_ports + [ "$target" = QUEUE ] && proto="$proto --syn" + ;; + udp|UDP|17) + do_ports + ;; + icmp|ICMP|1) + [ -n "$port" ] && dports="--icmp-type $port" + ;; + *) + [ -n "$port" ] && \ + fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" + ;; + esac + + proto="${proto:+-p $proto}" + + # Some misc. 
setup + + case "$logtarget" in + LOG) + [ -z "$loglevel" ] && fatal_error "LOG requires log level" + ;; + esac + + if [ $COMMAND != check ]; then + if [ -n "${serv}" ]; then + for serv1 in $(separate_list $serv); do + for srv in $(ip_range $serv1); do + if [ -n "$loglevel" ]; then + log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \ + $(fix_bang $proto $sports $multiport $cli -d $srv $dports) + fi + + run_iptables2 -A $action $proto $multiport $cli $sports \ + -d $srv $dports $ratelimit $userandgroup -j $target + done + done + else + if [ -n "$loglevel" ]; then + log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \ + $(fix_bang $proto $sports $multiport $cli $dports) + fi + + run_iptables2 -A $action $proto $multiport $cli $sports \ + $dports $ratelimit $userandgroup -j $target + fi + fi +} + +# +# Process a record from an action file for the 'start', 'restart' or 'check' commands +# +process_action() # $1 = action + # $2 = target + # $3 = clients + # $4 = servers + # $5 = protocol + # $6 = ports + # $7 = cports + # $8 = ratelimit + # $9 = userspec +{ + local action="$1" + local target="$2" + local clients="$3" + local servers="$4" + local protocol="$5" + local ports="$6" + local cports="$7" + local ratelimit="$8" + local userspec="$9" + local rule="$(echo $target $clients $servers $protocol $ports $cports $ratelimit)" + local userandgroup= + + if [ -n "$ratelimit" ]; then + case $ratelimit in + -) + ratelimit= + ;; + *:*) + ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" + ;; + *) + ratelimit="-m limit --limit $ratelimit" + ;; + esac + fi + + [ "x$userspec" = "x-" ] && userspec= + + if [ -n "$userspec" ]; then + case "$userspec" in + !*:*) + if [ "$userspec" != "!:" ]; then + userandgroup="-m owner" + temp="${userspec#!}" + temp="${temp%:*}" + [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp" + temp="${userspec#*:}" + [ -n "$temp" ] && userandgroup="$userandgroup ! 
--gid-owner $temp" + fi + ;; + *:*) + if [ "$userspec" != ":" ]; then + userandgroup="-m owner" + temp="${userspec%:*}" + [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" + temp="${userspec#*:}" + [ -n "$temp" ] && userandgroup="$userandgroup --gid-owner $temp" + fi + ;; + !*) + userandgroup="-m owner ! --uid-owner ${userspec#!}" + ;; + *) + userandgroup="-m owner --uid-owner $userspec" + ;; + esac + fi + + # Isolate log level + + if [ "$target" = "${target%:*}" ]; then + loglevel= + else + loglevel="${target#*:}" + target="${target%:*}" + expandv loglevel + fi + + logtarget="$target" + + case $target in + REJECT) + target=reject + ;; + CONTINUE) + target=RETURN + ;; + *) + ;; + esac + + # Generate Netfilter rule(s) + + [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all} + + if [ -n "$MULTIPORT" ] && \ + ! list_search $protocol "icmp" "ICMP" "1" && \ + [ "$ports" = "${ports%:*}" -a \ + "$cports" = "${cports%:*}" -a \ + $(list_count $ports) -le 15 -a \ + $(list_count $cports) -le 15 ] + then + # + # MULTIPORT is enabled, there are no port ranges in the rule and less than + # 16 ports are listed - use multiport match. + # + multioption="-m multiport" + for client in $(separate_list ${clients:=-}); do + for server in $(separate_list ${servers:=-}); do + # + # add_a_rule() modifies these so we must set their values each time + # + port=${ports:=-} + cport=${cports:=-} + add_an_action + done + done + else + # + # MULTIPORT is disabled or the rule isn't compatible with multiport match + # + multioption= + for client in $(separate_list ${clients:=-}); do + for server in $(separate_list ${servers:=-}); do + for port in $(separate_list ${ports:=-}); do + for cport in $(separate_list ${cports:=-}); do + add_an_action + done + done + done + done + fi + # + # Report Result + # + if [ $COMMAND = check ]; then + echo " Rule \"$rule\" checked." + else + echo " Rule \"$rule\" added." 
+ fi +} + +# +# Create an action chain and run it's associated user exit +# + +createactionchain() # $1 = chain name +{ + createchain $1 no + run_user_exit $1 +} + +# +# Read /etc/shorewall/actions and for each defined , pre-process +# /etc/shorewall/action. +# + +process_actions1() { + # + # Add the builtin actions + # + add_builtin_actions() { + + if [ "$COMMAND" != check ]; then + createchain dropBcast no + qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP + if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then + # + # No pkttype support -- do it the hard way + # + for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do + run_iptables -A dropBcast -d $address -j DROP + done + fi + + createchain dropNonSyn no + run_iptables -A dropNonSyn -p tcp ! --syn -j DROP + fi + + ACTIONS="dropBcast dropNonSyn" + USEDACTIONS="dropBcast dropNonSyn" + + } + + add_builtin_actions + + strip_file actions + + strip_file actions.std /usr/share/shorewall/actions.std + + for inputfile in actions.std actions; do + while read xaction rest; do + [ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest" + + case $xaction in + *:*) + temp=${xaction#*:} + xaction=${xaction%:*} + case $temp in + ACCEPT|REJECT|DROP) + eval ${temp}_common=$xaction + if ! list_search $xaction $USEDACTIONS; then + USEDACTIONS="$USEDACTIONS $xaction" + [ $COMMAND = check ] || createactionchain $xaction + fi + ;; + *) + fatal_error "Common Actions are only allowed for ACCEPT, DROP and REJECT" + ;; + esac + esac + + [ -z "$xaction" ] && continue + + [ "$xaction" = "$(chain_base $xaction)" ] || fatal_error "Invalid Action Name: $xaction" + + if ! list_search $xaction $ACTIONS; then + f=action.$xaction + fn=$(find_file $f) + + eval requiredby_${action}= + + if [ -f $fn ]; then + echo " Pre-processing $fn..." 
+ strip_file $f $fn + while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do + expandv xtarget + temp="${xtarget%:*}" + case "${temp%<*}" in + ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) + ;; + *) + if list_search $temp $ACTIONS; then + eval requiredby_${xaction}=\"\$requiredby_${xaction} $temp\" + else + rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)" + fatal_error "Invalid TARGET in rule \"$rule\"" + fi + ;; + + esac + done < $TMP_DIR/$f + else + fatal_error "Missing Action File: $f" + fi + + ACTIONS="$ACTIONS $xaction" + fi + done < $TMP_DIR/$inputfile + done +} +# +# Generate the transitive closure of $USEDACTIONS (the actions directly referred to in rules and as common actions) then +# process the associated action files. +# +process_actions2() { + # + # Process a rule where the source or destination is "all" + # + process_wildcard_rule() { + local yclients yservers ysourcezone ydestzone ypolicy + + for yclients in $xclients; do + for yservers in $xservers; do + ysourcezone=${yclients%%:*} + ydestzone=${yservers%%:*} + if [ "${ysourcezone}" != "${ydestzone}" ] ; then + eval ypolicy=\$${ysourcezone}2${ydestzone}_policy + if [ "$ypolicy" != NONE ] ; then + process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec + fi + fi + done + done + } + + do_it() { + expandv xclients xservers xprotocol xports xcports xratelimit xuserspec + + if [ "x$xclients" = xall ]; then + xclients="$zones $FW" + if [ "x$xservers" = xall ]; then + xservers="$zones $FW" + fi + process_wildcard_rule + continue + fi + + if [ "x$xservers" = xall ]; then + xservers="$zones $FW" + process_wildcard_rule + continue + fi + + process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec + + } + # + # Generate the transitive closure of $USEDACTIONS + # + changed=Yes + + while [ -n "$changed" ]; do + changed= + for xaction in 
$USEDACTIONS; do + eval required=\"\$requiredby_${xaction}\" + for action in $required; do + if ! list_search $action $USEDACTIONS; then + USEDACTIONS="$USEDACTIONS $action" + [ $COMMAND = check ] || createactionchain $action + changed=Yes + fi + done + done + done + # + # Now process the relevant action files -- they were already stripped in process_actions1() above. + # + for xaction in $USEDACTIONS; do + case $xaction in + dropNonSyn|dropBcast) + ;; + *) + f=action.$xaction + fn=$(find_file $f) + + echo "Processing $fn..." + while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do + do_it + done < $TMP_DIR/$f + ;; + esac + done +} + +# +# Add a NAT rule - Helper function for the rules file processor +# +# The caller has established the following variables: +# command = The current command -- if 'check', we just go through +# the motions. +# cli = Source IP, interface or MAC Specification +# serv = Destination IP Specification +# servport = Port the server is listening on +# dest_interface = Destination Interface Specification +# proto = Protocol Specification +# addr = Original Destination Address +# dports = Destination Port Specification. 
'dports' may be changed +# by this function +# cport = Source Port Specification +# multiport = String to invoke multiport match if appropriate +# ratelimit = Optional rate limiting clause +# userandgroup = -m owner match to limit the rule to a particular user and/or group +# +add_nat_rule() { + local chain + local excludedests= + + # Be sure we can NAT + + if [ -z "$NAT_ENABLED" ]; then + fatal_error "Rule \"$rule\" requires NAT which is disabled" + fi + + # Parse SNAT address if any + + if [ "$addr" != "${addr%:*}" ]; then + snat="${addr#*:}" + addr="${addr%:*}" + else + snat="" + fi + + # Set original destination address + + case $addr in + all) + addr= + ;; + detect) + addr= + if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then + eval interfaces=\$${source}_interfaces + for interface in $interfaces; do + addr=${addr:+$addr,}$(find_interface_address $interface) + done + fi + ;; + !*) + if [ $(list_count $addr) -gt 1 ]; then + excludedests="$(separate_list ${addr#\!})" + addr= + fi + ;; + esac + + addr=${addr:-0.0.0.0/0} + + # Select target + + if [ -n "$serv" ]; then + servport="${servport:+:$servport}" + serv1= + for srv in $(separate_list $serv); do + serv1="$serv1 --to-destination ${srv}${servport}" + done + target1="DNAT $serv1" + else + target1="REDIRECT --to-port $servport" + fi + + if [ $source = $FW ]; then + [ -n "$excludezones" ] && fatal_error "Invalid Source in rule \"$rule\"" + fi + + # Generate nat table rules + + if [ $COMMAND != check ]; then + if [ "$source" = "$FW" ]; then + if [ -n "$excludedests" ]; then + chain=nonat${nonat_seq} + nonat_seq=$(($nonat_seq + 1)) + createnatchain $chain + + for adr in $(separate_list $addr); do + run_iptables2 -t nat -A OUTPUT $cli $proto $userandgroup $multiport $sports $dports -d $adr -j $chain + done + + for adr in $excludedests; do + addnatrule $chain -d $adr -j RETURN + done + + if [ -n "$loglevel" ]; then + log_rule $loglevel $chain $logtarget -t nat + fi + + addnatrule $chain $ratelimit $proto 
-j $target1 # Protocol is necessary for port redirection + else + for adr in $(separate_list $addr); do + if [ -n "$loglevel" ]; then + log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" -t nat \ + $(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports) + fi + + run_iptables2 -t nat -A OUTPUT $ratelimit $proto $sports $userandgroup -d $adr $multiport $dports -j $target1 + done + fi + else + chain=$(dnat_chain $source) + + if [ -n "${excludezones}${excludedests}" ]; then + chain=nonat${nonat_seq} + nonat_seq=$(($nonat_seq + 1)) + createnatchain $chain + + for adr in $(separate_list $addr); do + addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports -d $adr -j $chain + done + + for z in $(separate_list $excludezones); do + eval hosts=\$${z}_hosts + for host in $hosts; do + addnatrule $chain -s ${host#*:} -j RETURN + done + done + + for adr in $excludedests; do + addnatrule $chain -d $adr -j RETURN + done + + if [ -n "$loglevel" ]; then + log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat + fi + + addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection + else + for adr in $(separate_list $addr); do + if [ -n "$loglevel" ]; then + ensurenatchain $chain + log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat \ + $(fix_bang $proto $cli $sports -d $adr $multiport $dports) + fi + + addnatrule $chain $proto $ratelimit $cli $sports \ + -d $adr $multiport $dports -j $target1 + done + fi + fi + fi + + # Replace destination port by the new destination port + + if [ -n "$servport" ]; then + if [ -z "$multiport" ]; then + dports="--dport ${servport#*:}" + else + dports="--dports ${servport#*:}" + fi + fi + + # Handle SNAT + + if [ -n "$snat" ]; then + if [ -n "$cli" ]; then + [ $COMMAND = check ] || addnatrule $(snat_chain $dest) $proto $cli $multiport \ + $sports -d $serv $dports -j SNAT --to-source $snat + else + for source_host in $source_hosts; do + [ "x${source_host#*:}" = 
"x0.0.0.0/0" ] && \ + error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\"" + + [ $COMMAND = check ] || addnatrule $(snat_chain $dest) \ + -s ${source_host#*:} $proto $sports $multiport \ + -d $serv $dports -j SNAT --to-source $snat + done + fi + fi + + [ "x$addr" = "x0.0.0.0/0" ] && addr= + ratelimit= +} + +# +# Add one Filter Rule -- Helper function for the rules file processor +# +# The caller has established the following variables: +# command = current command. If 'check', we're executing a 'check' +# which only goes through the motions. +# client = SOURCE IP or MAC +# server = DESTINATION IP or interface +# protocol = Protocol +# address = Original Destination Address +# port = Destination Port +# cport = Source Port +# multioption = String to invoke multiport match if appropriate +# servport = Port the server listens on +# chain = The canonical chain for this rule +# ratelimit = Optional rate limiting clause +# userandgroup= -m owner clause +# userspec = User name +# +add_a_rule() +{ + local natrule= + + do_ports() { + if [ -n "$port" ]; then + dports="--dport" + if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then + multiport="$multioption" + dports="--dports" + fi + dports="$dports $port" + fi + + if [ -n "$cport" ]; then + sports="--sport" + if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then + multiport="$multioption" + sports="--sports" + fi + sports="$sports $cport" + fi + } + + # Set source variables. The 'cli' variable will hold the client match predicate(s). + + cli= + + case "$client" in + -) + ;; + *:*) + cli="-i ${client%:*} -s ${client#*:}" + ;; + *.*.*) + cli="-s $client" + ;; + ~*) + cli=$(mac_match $client) + ;; + *) + [ -n "$client" ] && cli="-i $client" + ;; + esac + + # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s). 
+ + dest_interface= + serv= + + case "$server" in + -) + ;; + *.*.*) + serv=$server + ;; + ~*) + fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" + ;; + *) + [ -n "$server" ] && dest_interface="-o $server" + ;; + esac + + # Setup protocol and port variables + + sports= + dports= + proto=$protocol + addr=$address + servport=$serverport + multiport= + + [ x$port = x- ] && port= + [ x$cport = x- ] && cport= + + case $proto in + tcp|TCP|6) + do_ports + [ "$target" = QUEUE ] && proto="$proto --syn" + ;; + udp|UDP|17) + do_ports + ;; + icmp|ICMP|1) + [ -n "$port" ] && dports="--icmp-type $port" + ;; + all|ALL) + [ -n "$port" ] && \ + fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\"" + proto= + ;; + *) + [ -n "$port" ] && \ + fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" + ;; + esac + + proto="${proto:+-p $proto}" + + # Some misc. setup + + case "$logtarget" in + REJECT) + [ -n "$servport" ] && \ + fatal_error "Server port may not be specified in a REJECT rule;"\ + "rule: \"$rule\"" + ;; + REDIRECT) + [ -n "$serv" ] && startup_error "REDIRECT rules cannot"\ + " specify a server IP; rule: \"$rule\"" + servport=${servport:=$port} + natrule=Yes + ;; + DNAT) + [ -n "$serv" ] || fatal_error "DNAT rules require a" \ + " server address; rule: \"$rule\"" + natrule=Yes + ;; + LOG) + [ -z "$loglevel" ] && fatal_error "LOG requires log level" + ;; + esac + + # Complain if the rule is really a policy + + case $logtarget in + ACCEPT|DROP|REJECT) + if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then + error_message "Warning -- Rule \"$rule\" is a POLICY" + error_message " -- and should be moved to the policy file" + fi + ;; + esac + + if [ -n "${serv}${servport}" ]; then + if [ $COMMAND != check ]; then + + # A specific server or server port given + + if [ -n "$natrule" ]; then + add_nat_rule + elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a 
"$servport" != "$port" ]; then + fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\"" + fi + + if [ -z "$dnat_only" ]; then + if [ -n "$serv" ]; then + for serv1 in $(separate_list $serv); do + for srv in $(ip_range $serv1); do + if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then + for adr in $(separate_list $addr); do + if [ -n "$loglevel" -a -z "$natrule" ]; then + log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \ + $userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports) + fi + + run_iptables2 -A $chain $proto $ratelimit $multiport $cli $sports \ + -d $srv $dports -m conntrack --ctorigdst $adr $userandgroup -j $target + done + else + if [ -n "$loglevel" -a -z "$natrule" ]; then + log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ + $(fix_bang $proto $sports $multiport $cli -d $srv $dports) + fi + + run_iptables2 -A $chain $proto $multiport $cli $sports \ + -d $srv $dports $ratelimit $userandgroup -j $target + fi + done + done + else + if [ -n "$loglevel" -a -z "$natrule" ]; then + log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ + $(fix_bang $proto $sports $multiport $cli $dports) + fi + + run_iptables2 -A $chain $proto $multiport $cli $sports \ + $dports $ratelimit $userandgroup -j $target + fi + fi + fi + else + + # Destination is a simple zone + + [ -n "$addr" ] && fatal_error \ + "An ORIGINAL DESTINATION ($addr) is only allowed in" \ + " a DNAT or REDIRECT: \"$rule\"" + + if [ $COMMAND != check ]; then + if [ -n "$loglevel" ]; then + log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ + $(fix_bang $proto $multiport $dest_interface $cli $sports $dports) + fi + + if [ $logtarget != LOG ]; then + run_iptables2 -A $chain $proto $multiport $dest_interface \ + $cli $sports $dports $ratelimit $userandgroup -j $target + fi + fi + fi +} + +# +# Process a record from the rules file for the 'start', 'restart' or 
'check' commands +# +process_rule() # $1 = target + # $2 = clients + # $3 = servers + # $4 = protocol + # $5 = ports + # $6 = cports + # $7 = address + # $8 = ratelimit + # $9 = userspec +{ + local target="$1" + local clients="$2" + local servers="$3" + local protocol="$4" + local ports="$5" + local cports="$6" + local address="$7" + local ratelimit="$8" + local userspec="$9" + local userandgroup= + local rule="$(echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userspec)" + + # Function Body - isolate rate limit + + [ "x$ratelimit" = "x-" ] && ratelimit= + + if [ -n "$ratelimit" ]; then + case $ratelimit in + *:*) + ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" + ;; + *) + ratelimit="-m limit --limit $ratelimit" + ;; + esac + fi + + # Isolate log level + + if [ "$target" = "${target%:*}" ]; then + loglevel= + else + loglevel="${target#*:}" + target="${target%:*}" + expandv loglevel + fi + # + # Save the original target in 'logtarget' for logging rules + # + logtarget=${target%-} + # + # Targets ending in "-" only apply to the nat table + # + [ $target = $logtarget ] && dnat_only= || dnat_only=Yes + + # Tranform the rule: + # + # - parse the user specification + # - set 'target' to the filter table target. + # - make $FW the destination for REDIRECT + # - remove '-' suffix from logtargets while setting 'dnat_only' + # - clear 'address' if it has been set to '-' + + [ "x$userspec" = x- ] && userspec= + [ "x$address" = "x-" ] && address= + + if [ -n "$userspec" ]; then + case "$userspec" in + !*:*) + if [ "$userspec" != "!:" ]; then + userandgroup="-m owner" + temp="${userspec#!}" + temp="${temp%:*}" + [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp" + temp="${userspec#*:}" + [ -n "$temp" ] && userandgroup="$userandgroup ! 
--gid-owner $temp" + fi + ;; + *:*) + if [ "$userspec" != ":" ]; then + userandgroup="-m owner" + temp="${userspec%:*}" + [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" + temp="${userspec#*:}" + [ -n "$temp" ] && userandgroup="$userandgroup --gid-owner $temp" + fi + ;; + !*) + userandgroup="-m owner ! --uid-owner ${userspec#!}" + ;; + *) + userandgroup="-m owner --uid-owner $userspec" + ;; + esac + fi + + case $target in + ACCEPT|LOG) + ;; + DROP) + [ -n "$ratelimit" ] && fatal_error "Rate Limiting not available with DROP" + ;; + REJECT) + target=reject + ;; + CONTINUE) + target=RETURN + ;; + DNAT*) + target=ACCEPT + address=${address:=detect} + ;; + REDIRECT*) + target=ACCEPT + address=${address:=all} + if [ "x-" = "x$servers" ]; then + servers=$FW + else + servers="$FW::$servers" + fi + ;; + esac + + # Parse and validate source + + if [ "$clients" = "${clients%:*}" ]; then + clientzone="$clients" + clients= + else + clientzone="${clients%%:*}" + clients="${clients#*:}" + [ -z "$clientzone" -o -z "$clients" ] && \ + fatal_error "Empty source zone or qualifier: rule \"$rule\"" + fi + + if [ "$clientzone" = "${clientzone%!*}" ]; then + excludezones= + else + excludezones="${clientzone#*!}" + clientzone="${clientzone%!*}" + + [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ + fatal_error "Exclude list only allowed with DNAT or REDIRECT" + fi + + validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\"" + + # Parse and validate destination + + source=$clientzone + + if [ $source = $FW ]; then + source_hosts= + elif [ -n "$userspec" ]; then + fatal_error "Invalid use of a user-qualification: rule \"$rule\"" + else + eval source_hosts=\"\$${source}_hosts\" + fi + + if [ "$servers" = "${servers%:*}" ] ; then + serverzone="$servers" + servers= + serverport= + else + serverzone="${servers%%:*}" + servers="${servers#*:}" + if [ "$servers" != "${servers%:*}" ] ; then + serverport="${servers#*:}" + servers="${servers%:*}" + 
[ -z "$serverzone" -o -z "$serverport" ] && \ + fatal_error "Empty destination zone or server port: rule \"$rule\"" + else + serverport= + [ -z "$serverzone" -o -z "$servers" ] && \ + fatal_error "Empty destination zone or qualifier: rule \"$rule\"" + fi + fi + + if ! validate_zone $serverzone; then + fatal_error "Undefined Server Zone in rule \"$rule\"" + fi + + dest=$serverzone + + # Ensure that this rule doesn't apply to a NONE policy pair of zones + + chain=${source}2${dest} + + eval policy=\$${chain}_policy + + [ -z "$policy" ] && \ + fatal_error "No policy defined from zone $source to zone $dest" + + [ $policy = NONE ] && \ + fatal_error "Rules may not override a NONE policy: rule \"$rule\"" + + # Create the canonical chain if it doesn't already exist + + [ $COMMAND = check ] || ensurechain $chain + + # Generate Netfilter rule(s) + + protocol=${protocol:=all} + + case $logtarget in + DNAT*) + if [ -n "$MULTIPORT" ] && \ + ! list_search $protocol "icmp" "ICMP" "1" && \ + [ "$ports" = "${ports%:*}" -a \ + "$cports" = "${cports%:*}" -a \ + $(list_count $ports) -le 15 -a \ + $(list_count $cports) -le 15 ] + then + # + # MULTIPORT is enabled, there are no port ranges in the rule and less than + # 16 ports are listed - use multiport match. + # + multioption="-m multiport" + for client in $(separate_list ${clients:=-}); do + # + # add_a_rule() modifies these so we must set their values each time + # + server=${servers:=-} + port=${ports:=-} + cport=${cports:=-} + add_a_rule + done + else + # + # MULTIPORT is disabled or the rule isn't compatible with multiport match + # + multioption= + for client in $(separate_list ${clients:=-}); do + for port in $(separate_list ${ports:=-}); do + for cport in $(separate_list ${cports:=-}); do + server=${servers:=-} + add_a_rule + done + done + done + fi + ;; + *) + + if [ -n "$MULTIPORT" ] && \ + ! 
list_search $protocol "icmp" "ICMP" "1" && \ + [ "$ports" = "${ports%:*}" -a \ + "$cports" = "${cports%:*}" -a \ + $(list_count $ports) -le 15 -a \ + $(list_count $cports) -le 15 ] + then + # + # MULTIPORT is enabled, there are no port ranges in the rule and less than + # 16 ports are listed - use multiport match. + # + multioption="-m multiport" + for client in $(separate_list ${clients:=-}); do + for server in $(separate_list ${servers:=-}); do + # + # add_a_rule() modifies these so we must set their values each time + # + port=${ports:=-} + cport=${cports:=-} + add_a_rule + done + done + else + # + # MULTIPORT is disabled or the rule isn't compatible with multiport match + # + multioption= + for client in $(separate_list ${clients:=-}); do + for server in $(separate_list ${servers:=-}); do + for port in $(separate_list ${ports:=-}); do + for cport in $(separate_list ${cports:=-}); do + add_a_rule + done + done + done + done + fi + ;; + esac + # + # Report Result + # + if [ $COMMAND = check ]; then + echo " Rule \"$rule\" checked." + else + echo " Rule \"$rule\" added." + fi +} + +# +# Process the rules file for the 'start', 'restart' or 'check' command. 
+# +process_rules() +{ + # + # Process a rule where the source or destination is "all" + # + process_wildcard_rule() { + local yclients yservers ysourcezone ydestzone ypolicy + + for yclients in $xclients; do + for yservers in $xservers; do + ysourcezone=${yclients%%:*} + ydestzone=${yservers%%:*} + if [ "${ysourcezone}" != "${ydestzone}" ] ; then + eval ypolicy=\$${ysourcezone}2${ydestzone}_policy + if [ "$ypolicy" != NONE ] ; then + process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + fi + fi + done + done + } + + do_it() { + expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec + + if [ "x$xclients" = xall ]; then + xclients="$zones $FW" + if [ "x$xservers" = xall ]; then + xservers="$zones $FW" + fi + process_wildcard_rule + continue + fi + + if [ "x$xservers" = xall ]; then + xservers="$zones $FW" + process_wildcard_rule + continue + fi + + process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + } + + while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do + temp="${xtarget%:*}" + case "${temp%<*}" in + ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) + do_it + ;; + *) + if list_search $temp $ACTIONS; then + if ! list_search $temp $USEDACTIONS; then + [ $COMMAND = check ] || createactionchain $temp + USEDACTIONS="$USEDACTIONS $temp" + fi + + do_it + else + rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" + fatal_error "Invalid Action in rule \"$rule\"" + fi + ;; + + esac + done < $TMP_DIR/rules +} + +# +# Process a record from the tos file +# +# The caller has loaded the column contents from the record into the following +# variables: +# +# src dst protocol sport dport tos +# +# and has loaded a space-separated list of their values in "rule". 
+# +process_tos_rule() { + # + # Parse the contents of the 'src' variable + # + if [ "$src" = "${src%:*}" ]; then + srczone="$src" + src= + else + srczone="${src%:*}" + src="${src#*:}" + fi + + source= + # + # Validate the source zone + # + if validate_zone $srczone; then + source=$srczone + elif [ "$srczone" = "all" ]; then + source="all" + else + error_message "Warning: Undefined Source Zone - rule \"$rule\" ignored" + return + fi + + [ -n "$src" ] && case "$src" in + *.*.*) + # + # IP Address or subnet + # + src="-s $src" + ;; + ~*) + src=$(mac_match $src) + ;; + *) + # + # Assume that this is a device name + # + src="-i $src" + ;; + esac + + # + # Parse the contents of the 'dst' variable + # + if [ "$dst" = "${dst%:*}" ]; then + dstzone="$dst" + dst= + else + dstzone="${dst%:*}" + dst="${dst#*:}" + fi + + dest= + # + # Validate the destination zone + # + if validate_zone $dstzone; then + dest=$dstzone + elif [ "$dstzone" = "all" ]; then + dest="all" + else + error_message \ + "Warning: Undefined Destination Zone - rule \"$rule\" ignored" + return + fi + + [ -n "$dst" ] && case "$dst" in + *.*.*) + # + # IP Address or subnet + # + ;; + *) + # + # Assume that this is a device name + # + error_message \ + "Warning: Invalid Destination - rule \"$rule\" ignored" + return + ;; + esac + + # + # Setup PROTOCOL and PORT variables + # + sports="" + dports="" + + case $protocol in + tcp|udp|TCP|UDP|6|17) + [ -n "$sport" ] && [ "x${sport}" != "x-" ] && \ + sports="--sport $sport" + [ -n "$dport" ] && [ "x${dport}" != "x-" ] && \ + dports="--dport $dport" + ;; + icmp|ICMP|0) + [ -n "$dport" ] && [ "x${dport}" != "x-" ] && \ + dports="--icmp-type $dport" + ;; + all|ALL) + protocol= + ;; + *) + ;; + esac + + protocol="${protocol:+-p $protocol}" + + tos="-j TOS --set-tos $tos" + + case "$dstzone" in + all|ALL) + dst=0.0.0.0/0 + ;; + *) + [ -z "$dst" ] && eval dst=\$${dstzone}_hosts + ;; + esac + + for dest in $dst; do + dest="-d $dest" + + case $srczone in + $FW) + 
run_iptables2 -t mangle -A outtos \
+ $protocol $dest $dports $sports $tos
+ ;;
+ all|ALL)
+ run_iptables2 -t mangle -A outtos \
+ $protocol $dest $dports $sports $tos
+ run_iptables2 -t mangle -A pretos \
+ $protocol $dest $dports $sports $tos
+ ;;
+ *)
+ if [ -n "$src" ]; then
+ run_iptables2 -t mangle -A pretos $src \
+ $protocol $dest $dports $sports $tos
+ else
+ eval interfaces=\$${srczone}_interfaces
+
+ for interface in $interfaces; do
+ run_iptables2 -t mangle -A pretos -i $interface \
+ $protocol $dest $dports $sports $tos
+ done
+ fi
+ ;;
+ esac
+ done
+
+ echo " Rule \"$rule\" added."
+}
+
+#
+# Process the tos file
+#
+process_tos() # $1 = name of tos file
+{
+ echo "Processing $1..."
+
+ run_iptables -t mangle -N pretos
+ run_iptables -t mangle -N outtos
+
+ strip_file tos $1
+
+ while read src dst protocol sport dport tos; do
+ expandv src dst protocol sport dport tos
+ rule="$(echo $src $dst $protocol $sport $dport $tos)"
+ process_tos_rule
+ done < $TMP_DIR/tos
+
+ run_iptables -t mangle -A PREROUTING -j pretos
+ run_iptables -t mangle -A OUTPUT -j outtos
+}
+
+#
+# Load a Kernel Module
+#
+loadmodule() # $1 = module name, $2 - * arguments
+{
+ local modulename=$1
+ local modulefile
+ local suffix
+
+ if [ -z "$(lsmod | grep $modulename)" ]; then
+ shift
+
+ for suffix in $MODULE_SUFFIX ; do
+ modulefile=$MODULESDIR/${modulename}.${suffix}
+
+ if [ -f $modulefile ]; then
+ insmod $modulefile $*
+ return
+ fi
+ done
+ fi
+}
+
+#
+# Display elements of a list with leading white space
+#
+display_list() # $1 = List Title, rest of $* = list to display
+{
+ [ $# -gt 1 ] && echo " $*"
+}
+
+#
+# Add policy rule ( and possibly logging rule) to the passed chain
+#
+policy_rules() # $1 = chain to add rules to
+ # $2 = policy
+ # $3 = loglevel
+{
+ local target="$2"
+
+ case "$target" in
+ ACCEPT)
+ [ -n "$ACCEPT_common" ] && run_iptables -A $1 -j $ACCEPT_common
+ ;;
+ DROP)
+ [ -n "$DROP_common" ] && run_iptables -A $1 -j $DROP_common
+ ;;
+ REJECT)
+ [ -n 
"$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common
+ target=reject
+ ;;
+ CONTINUE)
+ target=
+ ;;
+ *)
+ fatal_error "Invalid policy ($policy) for $1"
+ ;;
+ esac
+
+ if [ $# -eq 3 -a "x${3}" != "x-" ]; then
+ log_rule $3 $1 $2
+ fi
+
+ [ -n "$target" ] && run_iptables -A $1 -j $target
+}
+
+#
+# Generate default policy & log level rules for the passed client & server
+# zones
+#
+# This function is only called when the canonical chain for this client/server
+# pair is known to exist. If the default policy for this pair specifies the
+# same chain then we add the policy (and logging) rule to the canonical chain;
+# otherwise add a rule to the canonical chain to jump to the appropriate
+# policy chain.
+#
+default_policy() # $1 = client $2 = server
+{
+ local chain="${1}2${2}"
+ local policy=
+ local loglevel=
+ local chain1
+
+ jump_to_policy_chain() {
+ #
+ # Add a jump to from the canonical chain to the policy chain. On return,
+ # $chain is set to the name of the policy chain
+ #
+ run_iptables -A $chain -j $chain1
+ chain=$chain1
+ }
+
+ apply_default()
+ {
+ #
+ # Generate policy file column values from the policy chain
+ #
+ eval policy=\$${chain1}_policy
+ eval loglevel=\$${chain1}_loglevel
+ eval synparams=\$${chain1}_synparams
+ #
+ # Add the appropriate rules to the canonical chain ($chain) to enforce
+ # the specified policy
+
+ if [ "$chain" = "$chain1" ]; then
+ #
+ # The policy chain is the canonical chain; add policy rule to it
+ # The syn flood jump has already been added if required.
+ #
+ policy_rules $chain $policy $loglevel
+ else
+ #
+ # The policy chain is different from the canonical chain -- approach
+ # depends on the policy
+ #
+ case $policy in
+ ACCEPT)
+ if [ -n "$synparams" ]; then
+ #
+ # To avoid double-counting SYN packets, enforce the policy
+ # in this chain.
+ #
+ enable_syn_flood_protection $chain $chain1
+ policy_rules $chain $policy $loglevel
+ else
+ #
+ # No problem with double-counting so just jump to the
+ # policy chain.
+ #
+ jump_to_policy_chain
+ fi
+ ;;
+ CONTINUE)
+ #
+ # Silly to jump to the policy chain -- add any logging
+ # rules and enable SYN flood protection if requested
+ #
+ [ -n "$synparams" ] && \
+ enable_syn_flood_protection $chain $chain1
+ policy_rules $chain $policy $loglevel
+ ;;
+ *)
+ #
+ # DROP or REJECT policy -- enforce in the policy chain and
+ # enable SYN flood protection if requested.
+ #
+ [ -n "$synparams" ] && \
+ enable_syn_flood_protection $chain $chain1
+ jump_to_policy_chain
+ ;;
+ esac
+ fi
+
+ echo " Policy $policy for $1 to $2 using chain $chain"
+ }
+
+ eval chain1=\$${1}2${2}_policychain
+
+ if [ -n "$chain1" ]; then
+ apply_default $1 $2
+ else
+ fatal_error "No default policy for zone $1 to zone $2"
+ fi
+}
+
+#
+# Complete a standard chain
+#
+# - run any supplied user exit
+# - search the policy file for an applicable policy and add rules as
+# appropriate
+# - If no applicable policy is found, add rules for an assummed
+# policy of DROP INFO
+#
+complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
+{
+ local policy=
+ local loglevel=
+ local policychain=
+
+ run_user_exit $1
+
+ eval policychain=\$${2}2${3}_policychain
+
+ if [ -n "$policychain" ]; then
+ eval policy=\$${policychain}_policy
+ eval loglevel=\$${policychain}_loglevel
+
+ policy_rules $1 $policy $loglevel
+ else
+ policy_rules $1 DROP INFO
+ fi
+}
+
+#
+# Find the appropriate chain to pass packets from a source zone to a
+# destination zone
+#
+# If the canonical chain for this zone pair exists, echo it's name; otherwise
+# locate and echo the name of the appropriate policy chain
+#
+rules_chain() # $1 = source zone, $2 = destination zone
+{
+ local chain=${1}2${2}
+
+ havechain $chain && { echo $chain; return; }
+
+ [ "$1" = "$2" ] && { echo ACCEPT; return; }
+
+ eval 
chain=\$${chain}_policychain
+
+ [ -n "$chain" ] && { echo $chain; return; }
+
+ fatal_error "No appropriate chain for zone $1 to zone $2"
+}
+
+#
+# echo the list of subnets routed out of a given interface
+#
+get_routed_subnets() # $1 = interface name
+{
+ local address
+ local rest
+
+ ip route show dev $1 2> /dev/null |
+ while read address rest; do
+ if [ "x$address" = xdefault ]; then
+ error_message "Warning: default route ignored on interface $1"
+ else
+ [ "$address" = "${address%/*}" ] && address="${address}/32"
+ echo $address
+ fi
+ done
+}
+
+#
+# Set up Source NAT (including masquerading)
+#
+setup_masq()
+{
+ setup_one() {
+ local using
+
+ case $fullinterface in
+ *:*:*)
+ # Both alias name and subnet
+ destnets="${fullinterface##*:}"
+ fullinterface="${fullinterface%:*}"
+ ;;
+ *:*)
+ # Alias name OR subnet
+ case ${fullinterface#*:} in
+ *.*)
+ # It's a subnet
+ destnets="${fullinterface#*:}"
+ fullinterface="${fullinterface%:*}"
+ ;;
+ *)
+ #it's an alias name
+ destnets="0.0.0.0/0"
+ ;;
+ esac
+ ;;
+ *)
+ destnets="0.0.0.0/0"
+ ;;
+ esac
+
+ interface=${fullinterface%:*}
+
+ if ! list_search $interface $all_interfaces; then
+ fatal_error "Unknown interface $interface"
+ fi
+
+ if [ "$subnet" = "${subnet%!*}" ]; then
+ nomasq=
+ else
+ nomasq="${subnet#*!}"
+ subnet="${subnet%!*}"
+ fi
+
+
+ source="$subnet"
+
+ case $subnet in
+ *.*.*)
+ ;;
+ *)
+ subnets=$(get_routed_subnets $subnet)
+ [ -z "$subnets" ] && fatal_error "Unable to determine the routes through interface $subnet"
+ subnet="$subnets"
+ ;;
+ esac
+
+ if [ -n "$addresses" -a -n "$ADD_SNAT_ALIASES" ]; then
+ for address in $(separate_list $addresses); do
+ for addr in $(ip_range_explicit $address) ; do
+ if ! 
list_search $addr $aliases_to_add; then
+ aliases_to_add="$aliases_to_add $addr $fullinterface"
+ case $fullinterface in
+ *:*)
+ fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 ))
+ ;;
+ esac
+ fi
+ done
+ done
+ fi
+
+ destination=$destnets
+
+ chain=$(masq_chain $interface)
+
+ case $destnets in
+ !*)
+ newchain=masq${masq_seq}
+ createnatchain $newchain
+ destnets=${destnets#!}
+
+ for destnet in $(separate_list $destnets); do
+ addnatrule $newchain -d $destnet -j RETURN
+ done
+
+ if [ -n "$subnet" ]; then
+ for s in $subnet; do
+ addnatrule $chain -s $s -j $newchain
+ done
+ subnet=
+ else
+ addnatrule $chain -j $newchain
+ fi
+
+ masq_seq=$(($masq_seq + 1))
+ chain=$newchain
+ destnets=0.0.0.0/0
+
+ if [ -n "$nomasq" ]; then
+ for addr in $(separate_list $nomasq); do
+ addnatrule $chain -s $addr -j RETURN
+ done
+ source="$source except $nomasq"
+ fi
+ ;;
+ *)
+ if [ -n "$nomasq" ]; then
+ newchain=masq${masq_seq}
+ createnatchain $newchain
+
+ if [ -n "$subnet" ]; then
+ for s in $subnet; do
+ for destnet in $(separate_list $destnets); do
+ addnatrule $chain -d $destnet -s $s -j $newchain
+ done
+ done
+ else
+ for destnet in $(separate_list $destnets); do
+ addnatrule $chain -d $destnet -j $newchain
+ done
+ fi
+
+ masq_seq=$(($masq_seq + 1))
+ chain=$newchain
+ subnet=
+ destnets=0.0.0.0/0
+
+ for addr in $(separate_list $nomasq); do
+ addnatrule $chain -s $addr -j RETURN
+ done
+
+ source="$source except $nomasq"
+ fi
+ ;;
+ esac
+
+ addrlist=
+ if [ -n "$addresses" ]; then
+ for address in $(separate_list $addresses); do
+ addrlist="$addrlist --to-source $address"
+ done
+ fi
+
+ if [ -n "$subnet" ]; then
+ for s in $subnet; do
+ if [ -n "$addresses" ]; then
+ for destnet in $(separate_list $destnets); do
+ addnatrule $chain -s $s -d $destnet -j SNAT $addrlist
+ done
+ echo " To $destination from $s through ${interface} using $addresses"
+ else
+ for destnet in $(separate_list $destnets); do
+ addnatrule $chain -s $s -d $destnet -j 
MASQUERADE
+ done
+ echo " To $destination from $s through ${interface}"
+ fi
+ done
+ elif [ -n "$addresses" ]; then
+ for destnet in $(separate_list $destnets); do
+ addnatrule $chain -d $destnet -j SNAT $addrlist
+ done
+ echo " To $destination from $source through ${interface} using $addresses"
+ else
+ for destnet in $(separate_list $destnets); do
+ addnatrule $chain -d $destnet -j MASQUERADE
+ done
+ echo " To $destination from $source through ${interface}"
+ fi
+
+ }
+
+ strip_file masq $1
+
+ [ -n "$NAT_ENABLED" ] && echo "Masqueraded Subnets and Hosts:"
+
+ while read fullinterface subnet addresses; do
+ expandv fullinterface subnet addresses
+ [ -n "$NAT_ENABLED" ] && setup_one || \
+ error_message "Warning: NAT disabled; masq rule ignored"
+ done < $TMP_DIR/masq
+}
+
+#
+# Add a record to the blacklst chain
+#
+# $source = address match
+# $proto = protocol selector
+# $dport = destination port selector
+#
+add_blacklist_rule() {
+ if [ -n "$BLACKLIST_LOGLEVEL" ]; then
+ log_rule $BLACKLIST_LOGLEVEL blacklst $BLACKLIST_DISPOSITION $(fix_bang $source $proto $dport)
+ fi
+
+ run_iptables2 -A blacklst $source $proto $dport -j $disposition
+}
+
+#
+# Process a record from the blacklist file
+#
+# $subnet = address/subnet
+# $protocol = Protocol Number/Name
+# $port = Port Number/Name
+#
+process_blacklist_rec() {
+ local source
+ local addr
+ local proto
+ local dport
+
+ for addr in $(separate_list $subnet); do
+ case $addr in
+ ~*)
+ addr=$(echo $addr | sed 's/~//;s/-/:/g')
+ source="--match mac --mac-source $addr"
+ ;;
+ *)
+ source="-s $addr"
+ ;;
+ esac
+
+ if [ -n "$protocol" ]; then
+ proto=" -p $protocol "
+
+ case $protocol in
+ tcp|TCP|6|udp|UDP|17)
+ if [ -n "$ports" ]; then
+ if [ -n "$MULTIPORT" -a \
+ "$ports" != "${ports%,*}" -a \
+ "$ports" = "${ports%:*}" -a \
+ $(list_count $ports) -le 15 ]
+ then
+ dport="-m multiport --dports $ports"
+ add_blacklist_rule
+ else
+ for dport in $(separate_list $ports); do
+ dport="--dport $dport"
+ 
add_blacklist_rule
+ done
+ fi
+ else
+ add_blacklist_rule
+ fi
+ ;;
+ icmp|ICMP|0)
+ if [ -n "$ports" ]; then
+ for dport in $(separate_list $ports); do
+ dport="--icmp-type $dport"
+ add_blacklist_rule
+ done
+ else
+ add_blacklist_rule
+ fi
+ ;;
+ *)
+ add_blacklist_rule
+ ;;
+ esac
+ else
+ add_blacklist_rule
+ fi
+
+ if [ -n "$ports" ]; then
+ addr="$addr $protocol $ports"
+ elif [ -n "$protocol" ]; then
+ addr="$addr $protocol"
+ fi
+
+ echo " $addr added to Black List"
+ done
+}
+
+#
+# Setup the Black List
+#
+setup_blacklist() {
+ local interfaces=$(find_interfaces_by_option blacklist)
+ local f=$(find_file blacklist)
+ local disposition=$BLACKLIST_DISPOSITION
+
+ if [ -n "$interfaces" -a -f $f ]; then
+ echo "Setting up Blacklisting..."
+
+ strip_file blacklist $f
+
+ createchain blacklst no
+
+ [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
+
+ for interface in $interfaces; do
+ for chain in $(first_chains $interface); do
+ run_iptables -A $chain $state -j blacklst
+ done
+
+ echo " Blacklisting enabled on $interface"
+ done
+
+ [ "$disposition" = REJECT ] && disposition=reject
+
+ while read subnet protocol ports; do
+ expandv subnet protocol ports
+ process_blacklist_rec
+ done < $TMP_DIR/blacklist
+
+ fi
+}
+
+#
+# Refresh the Black List
+#
+refresh_blacklist() {
+ local f=$(find_file blacklist)
+ local disposition=$BLACKLIST_DISPOSITION
+
+ if qt iptables -L blacklst -n ; then
+ echo "Refreshing Black List..."
+
+ strip_file blacklist $f
+
+ [ "$disposition" = REJECT ] && disposition=reject
+
+ run_iptables -F blacklst
+
+ while read subnet protocol ports; do
+ expandv subnet protocol ports
+ process_blacklist_rec
+ done < $TMP_DIR/blacklist
+ fi
+}
+
+#
+# Verify that kernel has netfilter support
+#
+verify_os_version() {
+
+ osversion=$(uname -r)
+
+ case $osversion in
+ 2.4.*|2.5.*|2.6.*)
+ ;;
+ *)
+ startup_error "Shorewall version $version does not work with kernel version $osversion"
+ ;;
+ esac
+
+ [ $COMMAND = start -a -n "$(lsmod 2> /dev/null | grep '^ipchains')" ] && \
+ startup_error "Shorewall can't start with the ipchains kernel module loaded - see FAQ #8"
+}
+
+#
+# Add IP Aliases
+#
+add_ip_aliases()
+{
+ local addresses external interface inet cidr rest val
+
+ address_details()
+ {
+ #
+ # Folks feel uneasy if they don't see all of the same
+ # decoration on these IP addresses that they see when their
+ # distro's net config tool adds them. In an attempt to reduce
+ # the anxiety level, we have the following code which sets
+ # the VLSM and BRD from an existing address in the same subnet
+ #
+ # Get all of the lines that contain inet addresses
+ #
+ ip -f inet addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do
+ case $cidr in
+ */*)
+ if in_subnet $external $cidr; then
+ echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
+ break
+ fi
+ ;;
+ esac
+ done
+ }
+
+ do_one()
+ {
+ val=$(address_details)
+ run_ip addr add ${external}${val} dev $interface $label
+ echo "$external $interface" >> ${STATEDIR}/nat
+ [ -n "$label" ] && label="with $label"
+ echo " IP Address $external added to interface $interface $label"
+ }
+
+ set -- $aliases_to_add
+
+ while [ $# -gt 0 ]; do
+ external=$1
+ interface=$2
+ label=
+
+ if [ "$interface" != "${interface%:*}" ]; then
+ label="${interface#*:}"
+ interface="${interface%:*}"
+ label="label $interface:$label"
+ fi
+
+ shift;shift
+
+ list_search $external $(find_interface_addresses $interface) 
|| do_one
+ done
+}
+
+#
+# Load kernel modules required for Shorewall
+#
+load_kernel_modules() {
+
+ [ -z "$MODULESDIR" ] && \
+ MODULESDIR=/lib/modules/$osversion/kernel/net/ipv4/netfilter
+
+ modules=$(find_file modules)
+
+ if [ -f $modules -a -d $MODULESDIR ]; then
+ echo "Loading Modules..."
+ . $modules
+ fi
+}
+
+# Verify that the 'ip' program is installed
+
+verify_ip() {
+ qt ip link ls ||\
+ startup_error "Shorewall $version requires the iproute package ('ip' utility)"
+}
+
+#
+# Determine which optional facilities are supported by iptables/netfilter
+#
+determine_capabilities() {
+ qt iptables -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
+ qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
+
+ CONNTRACK_MATCH=
+ MULTIPORT=
+
+ if qt iptables -N fooX1234 ; then
+ qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
+ qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
+
+ qt iptables -F fooX1234
+ qt iptables -X fooX1234
+ fi
+}
+
+report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
+{
+ local setting=
+
+ [ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available"
+
+ echo " " $@: $setting
+}
+
+report_capabilities() {
+ echo "Shorewall has detected the following iptables/netfilter capabilities:"
+ report_capability $NAT_ENABLED "NAT"
+ report_capability $MANGLE_ENABLED "Packet Mangling"
+ report_capability $MULTIPORT "Multi-port Match"
+ report_capability $CONNTRACK_MATCH "Connection Tracking Match"
+}
+
+#
+# Perform Initialization
+# - Delete all old rules
+# - Delete all user chains
+# - Set the POLICY on all standard chains and add a rule to allow packets
+# that are part of established connections
+# - Determine the zones
+#
+initialize_netfilter () {
+
+ report_capabilities
+
+ echo "Determining Zones..."
+
+ determine_zones
+
+ [ -z "$zones" ] && startup_error "No Zones Defined"
+
+ display_list "Zones:" $zones
+
+ echo "Validating interfaces file..."
+
+ validate_interfaces_file
+
+ echo "Validating hosts file..."
+
+ validate_hosts_file
+
+ echo "Validating Policy file..."
+
+ validate_policy
+
+ echo "Determining Hosts in Zones..."
+
+ determine_interfaces
+ determine_hosts
+
+ run_user_exit init
+
+ #
+ # The some files might be large so strip them while the firewall is still running
+ # (restart command). This reduces the length of time that the firewall isn't
+ # accepting new connections.
+ #
+
+ strip_file rules
+ strip_file proxyarp
+ strip_file maclist
+ strip_file nat
+
+ terminator=fatal_error
+
+ deletechain shorewall
+
+ [ -n "$NAT_ENABLED" ] && delete_nat
+
+ delete_proxy_arp
+
+ [ -n "$MANGLE_ENABLED" ] && \
+ run_iptables -t mangle -F && \
+ run_iptables -t mangle -X
+
+ [ -n "$CLEAR_TC" ] && delete_tc
+
+ echo "Deleting user chains..."
+
+ setpolicy INPUT DROP
+ setpolicy OUTPUT DROP
+ setpolicy FORWARD DROP
+
+ deleteallchains
+
+ setcontinue FORWARD
+ setcontinue INPUT
+ setcontinue OUTPUT
+
+ [ -n "$DISABLE_IPV6" ] && disable_ipv6
+
+ #
+ # Enable the Loopback interface for now
+ #
+ run_iptables -A INPUT -i lo -j ACCEPT
+ run_iptables -A OUTPUT -o lo -j ACCEPT
+
+ accounting_file=$(find_file accounting)
+
+ [ -f $accounting_file ] && setup_accounting $accounting_file
+
+ #
+ # Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
+ #
+
+ for chain in INPUT OUTPUT FORWARD; do
+ run_iptables -A $chain -p udp --dport 53 -j ACCEPT
+ run_iptables -A $chain -p ! 
icmp -m state --state INVALID -j DROP
+ done
+
+ [ -n "$CLAMPMSS" ] && \
+ run_iptables -A FORWARD -p tcp \
+ --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+
+ if [ -z "$NEWNOTSYN" ]; then
+ createchain newnotsyn no
+
+ for interface in $(find_interfaces_by_option newnotsyn); do
+ run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags ACK ACK -j ACCEPT
+ run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags RST RST -j ACCEPT
+ run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags FIN FIN -j ACCEPT
+ run_iptables -A newnotsyn -i $interface -j RETURN
+ done
+
+ run_user_exit newnotsyn
+
+ if [ -n "$LOGNEWNOTSYN" ]; then
+ log_rule $LOGNEWNOTSYN newnotsyn DROP
+ fi
+
+ run_iptables -A newnotsyn -j DROP
+ fi
+
+ createchain icmpdef no
+ createchain reject no
+ createchain dynamic no
+ createchain smurfs no
+
+ if [ -f /var/lib/shorewall/save ]; then
+ echo "Restoring dynamic rules..."
+
+ if [ -f /var/lib/shorewall/save ]; then
+ while read target ignore1 ignore2 address rest; do
+ case $target in
+ DROP|reject)
+ run_iptables2 -A dynamic -s $address -j $target
+ ;;
+ *)
+ ;;
+ esac
+ done < /var/lib/shorewall/save
+ fi
+ fi
+
+ [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
+
+ echo "Creating Interface Chains..."
+
+ for interface in $all_interfaces; do
+ createchain $(forward_chain $interface) no
+ run_iptables -A $(forward_chain $interface) $state -j dynamic
+ createchain $(input_chain $interface) no
+ run_iptables -A $(input_chain $interface) $state -j dynamic
+ done
+}
+
+#
+# Construct zone-independent rules
+#
+add_common_rules() {
+ local savelogparms="$LOGPARMS"
+ local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
+ #
+ # Populate the smurf chain
+ #
+ for address in $broadcasts ; do
+ [ -n "$SMURF_LOG_LEVEL" ] && log_rule $SMURF_LOG_LEVEL smurfs DROP -s $address
+ run_iptables -A smurfs -s $address -j DROP
+ done
+ #
+ # Reject Rules -- Don't respond to broadcasts with an ICMP
+ #
+ qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
+ if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
+ #
+ # No pkttype support -- do it the hard way
+ #
+ for address in $broadcasts ; do
+ run_iptables -A reject -d $address -j DROP
+ done
+ fi
+ #
+ # Don't feed the smurfs
+ #
+ for address in $broadcasts ; do
+ run_iptables -A reject -s $address -j DROP
+ done
+
+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
+ run_iptables -A reject -p udp -j REJECT
+ #
+ # Not all versions of iptables support these so don't complain if they don't work
+ #
+ qt iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
+ if ! 
qt iptables -A reject -j REJECT --reject-with icmp-host-prohibited; then
+ #
+ # In case the above doesn't work
+ #
+ run_iptables -A reject -j REJECT
+ fi
+
+ #
+ # Process Black List
+ #
+ setup_blacklist
+
+ #
+ # SMURFS
+ #
+ interfaces=$(find_interfaces_by_option nosmurfs)
+
+ if [ -n "$interfaces" ]; then
+
+ echo "Adding Anti-smurf Rules"
+
+ for interface in $interfaces; do
+ for chain in $(first_chains $interface); do
+ run_iptables -A $chain -m state --state NEW -j smurfs
+ done
+ done
+ fi
+ #
+ # DHCP
+ #
+ interfaces=$(find_interfaces_by_option dhcp)
+
+ if [ -n "$interfaces" ]; then
+
+ echo "Adding rules for DHCP"
+
+ for interface in $interfaces; do
+ run_iptables -A $(input_chain $interface) -p udp --dport 67:68 -j ACCEPT
+ run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
+ done
+ fi
+ #
+ # RFC 1918
+ #
+ norfc1918_interfaces="$(find_interfaces_by_option norfc1918)"
+
+ if [ -n "$norfc1918_interfaces" ]; then
+ echo "Enabling RFC1918 Filtering"
+
+ strip_file rfc1918
+
+ createchain norfc1918 no
+
+ createchain rfc1918 no
+
+ log_rule $RFC1918_LOG_LEVEL rfc1918 DROP
+
+ run_iptables -A rfc1918 -j DROP
+
+ if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
+ #
+ # Mangling is enabled but conntrack match isn't available --
+ # create a chain in the mangle table to filter RFC1918 destination
+ # addresses. 
This must be done in the mangle table before we apply
+ # any DNAT rules in the nat table
+ #
+ # Also add a chain to log and drop any RFC1918 packets that we find
+ #
+ run_iptables -t mangle -N man1918
+ run_iptables -t mangle -N rfc1918
+ log_rule $RFC1918_LOG_LEVEL rfc1918 DROP -t mangle
+ run_iptables -t mangle -A rfc1918 -j DROP
+ fi
+
+ while read subnet target; do
+ case $target in
+ logdrop)
+ target=rfc1918
+ ;;
+ DROP|RETURN)
+ ;;
+ *)
+ fatal_error "Invalid target ($target) for $subnet"
+ ;;
+ esac
+
+ run_iptables2 -A norfc1918 -s $subnet -j $target
+
+ if [ -n "$CONNTRACK_MATCH" ]; then
+ #
+ # We have connection tracking match -- match on the original destination
+ #
+ run_iptables2 -A norfc1918 -m conntrack --ctorigdst $subnet -j $target
+ elif [ -n "$MANGLE_ENABLED" ]; then
+ #
+ # No connection tracking match but we have mangling -- add a rule to
+ # the mangle table
+ #
+ run_iptables2 -t mangle -A man1918 -d $subnet -j $target
+ fi
+ done < $TMP_DIR/rfc1918
+
+ for interface in $norfc1918_interfaces; do
+ for chain in $(first_chains $interface); do
+ run_iptables -A $chain -m state --state NEW -j norfc1918
+ done
+
+ [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
+ run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918
+ done
+
+ fi
+
+ interfaces=$(find_interfaces_by_option tcpflags)
+
+ if [ -n "$interfaces" ]; then
+ echo "Setting up TCP Flags checking..."
+
+ createchain tcpflags no
+
+ if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then
+ createchain logflags no
+
+ savelogparms="$LOGPARMS"
+
+ LOGPARMS="$LOGPARMS --log-ip-options"
+
+ log_rule $TCP_FLAGS_LOG_LEVEL logflags $TCP_FLAGS_DISPOSITION
+
+ LOGPARMS="$savelogparms"
+
+ case $TCP_FLAGS_DISPOSITION in
+ REJECT)
+ run_iptables -A logflags -j REJECT --reject-with tcp-reset
+ ;;
+ *)
+ run_iptables -A logflags -j $TCP_FLAGS_DISPOSITION
+ ;;
+ esac
+
+ disposition="-j logflags"
+ else
+ disposition="-j $TCP_FLAGS_DISPOSITION"
+ fi
+
+ run_iptables -A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH $disposition
+ run_iptables -A tcpflags -p tcp --tcp-flags ALL NONE $disposition
+ run_iptables -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST $disposition
+ run_iptables -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN $disposition
+ #
+ # There are a lot of probes to ports 80, 3128 and 8080 that use a source
+ # port of 0. This catches them even if they are directed at an IP that
+ # hosts a web server.
+ #
+ run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition
+
+ for interface in $interfaces; do
+ for chain in $(first_chains $interface); do
+ run_iptables -A $chain -p tcp -j tcpflags
+ done
+ done
+ fi
+ #
+ # ARP Filtering
+ #
+ for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
+ echo 0 > $f
+ done
+
+ interfaces=$(find_interfaces_by_option arp_filter)
+
+ if [ -n "$interfaces" ]; then
+ echo "Setting up ARP Filtering..."
+
+ for interface in $interfaces; do
+ file=/proc/sys/net/ipv4/conf/$interface/arp_filter
+ if [ -f $file ]; then
+ echo 1 > $file
+ else
+ error_message \
+ "Warning: Cannot set ARP filtering on $interface"
+ fi
+ done
+ fi
+ #
+ # Route Filtering
+ #
+ interfaces="$(find_interfaces_by_option routefilter)"
+
+ if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
+ echo "Setting up Kernel Route Filtering..."
+
+ for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
+ echo 0 > $f
+ done
+
+ for interface in $interfaces; do
+ file=/proc/sys/net/ipv4/conf/$interface/rp_filter
+ if [ -f $file ]; then
+ echo 1 > $file
+ else
+ error_message \
+ "Warning: Cannot set route filtering on $interface"
+ fi
+ done
+
+ echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+ [ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
+ run_ip route flush cache
+ fi
+
+ setup_forwarding
+}
+
+#
+# Scan the policy file defining the necessary chains
+# Add the appropriate policy rule(s) to the end of each canonical chain
+#
+apply_policy_rules() {
+ #
+ # Create policy chains
+ #
+ for chain in $all_policy_chains; do
+ eval policy=\$${chain}_policy
+ eval loglevel=\$${chain}_loglevel
+ eval synparams=\$${chain}_synparams
+
+ [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams
+
+ if havechain $chain; then
+ [ -n "$synparams" ] && \
+ run_iptables -I $chain 2 -p tcp --syn -j @$chain
+ else
+ #
+ # The chain doesn't exist. 
Create the chain and add policy
+ # rules
+ #
+ # We must include the ESTABLISHED and RELATED state
+ # rule here to account for replys and reverse
+ # related sessions associated with sessions going
+ # in the other direction
+ #
+ createchain $chain yes
+
+ #
+ # If either client or server is 'all' then this MUST be
+ # a policy chain and we must apply the appropriate policy rules
+ #
+ # Otherwise, this is a canonical chain which will be handled in
+ # the for loop below
+ #
+ case $chain in
+ all2*|*2all)
+ policy_rules $chain $policy $loglevel
+ ;;
+ esac
+
+ [ -n "$synparams" ] && \
+ [ $policy = ACCEPT -o $policy = CONTINUE ] && \
+ run_iptables -I $chain 2 -p tcp --syn -j @$chain
+ fi
+
+ done
+
+ #
+ # Add policy rules to canonical chains
+ #
+ for zone in $FW $zones; do
+ for zone1 in $FW $zones; do
+ chain=${zone}2${zone1}
+ if havechain $chain; then
+ run_user_exit $chain
+ default_policy $zone $zone1
+ fi
+ done
+ done
+}
+
+#
+# Activate the rules
+#
+activate_rules()
+{
+ local PREROUTING_rule=1
+ local POSTROUTING_rule=1
+ #
+ # Jump to a NAT chain from one of the builtin nat chains
+ #
+ addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
+ {
+ local sourcechain=$1 destchain=$2
+ shift
+ shift
+
+ havenatchain $destchain && \
+ run_iptables -t nat -A $sourcechain $@ -j $destchain
+ }
+
+ #
+ # Jump to a RULES chain from one of the builtin nat chains. These jumps are
+ # are inserted before jumps to static NAT chains. 
+ #
+ addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
+ {
+ local sourcechain=$1 destchain=$2
+ shift
+ shift
+
+ if havenatchain $destchain; then
+ eval run_iptables -t nat -I $sourcechain \
+ \$${sourcechain}_rule $@ -j $destchain
+ eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
+ fi
+ }
+
+ #
+ # Add jumps from the builtin chains to the nat chains
+ #
+ addnatjump PREROUTING nat_in
+ addnatjump POSTROUTING nat_out
+
+ for interface in $all_interfaces; do
+ addnatjump PREROUTING $(input_chain $interface) -i $interface
+ addnatjump POSTROUTING $(output_chain $interface) -o $interface
+ done
+
+ > ${STATEDIR}/chains
+ > ${STATEDIR}/zones
+
+ for zone in $zones; do
+ eval source_hosts=\$${zone}_hosts
+
+ echo $zone $source_hosts >> ${STATEDIR}/zones
+
+ chain1=$(rules_chain $FW $zone)
+ chain2=$(rules_chain $zone $FW)
+
+ eval complex=\$${zone}_is_complex
+
+ if [ -n "$complex" ]; then
+ frwd_chain=${zone}_frwd
+ createchain $frwd_chain No
+ fi
+
+ echo "$FW $zone $chain1" >> ${STATEDIR}/chains
+ echo "$zone $FW $chain2" >> ${STATEDIR}/chains
+
+ need_broadcast=
+
+ for host in $source_hosts; do
+ interface=${host%:*}
+ subnet=${host#*:}
+
+ run_iptables -A OUTPUT -o $interface -d $subnet -j $chain1
+
+ #
+ # Add jumps from the builtin chains for DNAT and SNAT rules
+ #
+ addrulejump PREROUTING $(dnat_chain $zone) -i $interface -s $subnet
+ addrulejump POSTROUTING $(snat_chain $zone) -o $interface -d $subnet
+
+ run_iptables -A $(input_chain $interface) -s $subnet -j $chain2
+
+ [ -n "$complex" ] && \
+ run_iptables -A $(forward_chain $interface) -s $subnet -j $frwd_chain
+
+ if [ "$subnet" != 0.0.0.0/0 ]; then
+ if ! 
list_search $interface $need_broadcast ; then
+ eval options=\$$(chain_base $interface)_options
+ list_search detectnets $options && need_broadcast="$need_broadcast $interface"
+ fi
+ fi
+ done
+
+
+ for interface in $need_broadcast ; do
+ run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
+ run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1
+ done
+
+ for zone1 in $zones; do
+
+ eval policy=\$${zone}2${zone1}_policy
+
+ [ "$policy" = NONE ] && continue
+
+ eval dest_hosts=\$${zone1}_hosts
+
+ chain="$(rules_chain $zone $zone1)"
+
+ echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
+
+ if [ $zone = $zone1 ]; then
+ eval routeback=\"\$${zone}_routeback\"
+ else
+ routeback=
+ fi
+
+ if [ -n "$complex" ]; then
+ for host1 in $dest_hosts; do
+ interface1=${host1%:*}
+ subnet1=${host1#*:}
+ if [ $(list_count1 $source_hosts) -eq 1 -a "$source_hosts" = "$host1" ]; then
+ if list_search $host1 $routeback; then
+ run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
+ fi
+ else
+ run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
+ fi
+ done
+ else
+ for host in $source_hosts; do
+ interface=${host%:*}
+ subnet=${host#*:}
+
+ chain1=$(forward_chain $interface)
+
+ for host1 in $dest_hosts; do
+ interface1=${host1%:*}
+ subnet1=${host1#*:}
+
+ if [ "$host" != "$host1" ] || list_search $host $routeback; then
+ run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
+ fi
+ done
+ done
+ fi
+ done
+ done
+
+ for interface in $all_interfaces; do
+ run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)
+ run_iptables -A INPUT -i $interface -j $(input_chain $interface)
+ addnatjump POSTROUTING $(masq_chain $interface) -o $interface
+ done
+
+ chain=${FW}2${FW}
+
+ if havechain $chain; then
+ #
+ # There is a fw->fw chain. 
Send loopback output through that chain
+ #
+ run_ip link ls | grep LOOPBACK | while read ordinal interface rest ; do
+ run_iptables -A OUTPUT -o ${interface%:*} -j $chain
+ done
+ #
+ # And delete the unconditional ACCEPT rule
+ #
+ run_iptables -D OUTPUT -o lo -j ACCEPT
+ fi
+
+ complete_standard_chain INPUT all $FW
+ complete_standard_chain OUTPUT $FW all
+ complete_standard_chain FORWARD all all
+ #
+ # Remove rules added to keep the firewall alive during [re]start"
+ #
+ for chain in INPUT OUTPUT FORWARD; do
+ run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
+ run_iptables -D $chain -p udp --dport 53 -j ACCEPT
+ done
+
+}
+
+#
+# Check for disabled startup
+#
+check_disabled_startup() {
+ if [ -f /etc/shorewall/startup_disabled ]; then
+ echo " Shorewall Startup is disabled -- to enable startup"
+ echo " after you have completed Shorewall configuration,"
+ echo " remove the file /etc/shorewall/startup_disabled"
+
+ [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
+ my_mutex_off
+ exit 2
+ fi
+}
+
+#
+# Start/Restart the Firewall
+#
+define_firewall() # $1 = Command (Start or Restart)
+{
+ check_disabled_startup
+
+ echo "${1}ing Shorewall..."
+
+ verify_os_version
+
+ verify_ip
+
+ load_kernel_modules
+
+ echo "Initializing..."
+
+ initialize_netfilter
+
+ echo "Configuring Proxy ARP"
+
+ setup_proxy_arp
+
+ echo "Setting up NAT..."
+
+ setup_nat
+
+ echo "Adding Common Rules"
+
+ add_common_rules
+
+ tunnels=$(find_file tunnels)
+
+ [ -f $tunnels ] && \
+ echo "Processing $tunnels..." && setup_tunnels $tunnels
+
+ maclist_hosts=$(find_hosts_by_option maclist)
+
+ if [ -n "$maclist_hosts" ] ; then
+ setup_mac_lists
+ fi
+
+ rules=$(find_file rules)
+
+ echo "Pre-processing Actions..."
+
+ process_actions1
+
+ echo "Processing $rules..."
+
+ process_rules
+
+ echo "Processing Actions..."
+
+ process_actions2
+
+ policy=$(find_file policy)
+
+ echo "Processing $policy..."
+ + apply_policy_rules + + masq=$(find_file masq) + + [ -f $masq ] && setup_masq $masq + + tos=$(find_file tos) + + [ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos + + ecn=$(find_file ecn) + + [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn + + [ -n "$TC_ENABLED" ] && setup_tc + + echo "Activating Rules..." + + activate_rules + + [ -n "$aliases_to_add" ] && \ + echo "Adding IP Addresses..." && \ + add_ip_aliases + + run_user_exit start + + createchain shorewall no + + date > $STATEDIR/restarted + + report "Shorewall ${1}ed" + + rm -rf $TMP_DIR +} + +# +# Refresh the firewall +# +refresh_firewall() +{ + echo "Refreshing Shorewall..." + + echo "Determining Zones and Interfaces..." + + determine_zones + + validate_interfaces_file + + [ -z "$zones" ] && startup_error "No Zones Defined" + + determine_interfaces + + run_user_exit refresh + + # + # Blacklist + # + refresh_blacklist + + ecn=$(find_file ecn) + + [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn + # + # Refresh Traffic Control + # + [ -n "$TC_ENABLED" ] && refresh_tc + + report "Shorewall Refreshed" + + rm -rf $TMP_DIR +} + +# +# Add a host or subnet to a zone +# +add_to_zone() # $1 = [:] $2 = zone +{ + local base interface host newhost zone z h z1 z2 chain terminator + local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces + local rulenum source_chain dest_hosts iface hosts + + nat_chain_exists() # $1 = chain name + { + qt iptables -t nat -L $1 -n + } + + do_iptables() # $@ = command + { + if ! 
iptables $@ ; then + startup_error "Can't add $1 to zone $2" + fi + } + + output_rule_num() { + local num=$(iptables -L OUTPUT -n --line-numbers | grep icmp | cut -d' ' -f1 | head -n1) + + [ -n "$num" ] && echo $(($num+1)) + } + # + # Isolate interface and host parts + # + interface=${1%:*} + host=${1#*:} + + [ -z "$host" ] && host="0.0.0.0/0" + # + # Load $zones + # + determine_zones + # + # Validate Interfaces File + # + validate_interfaces_file + # + # Validate Zone + # + zone=$2 + + validate_zone $zone || startup_error "Unknown zone: $zone" + + [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone" + # + # Be sure that Shorewall has been restarted using a DZ-aware version of the code + # + [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" + [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" + # + # Be sure that the interface was present at last [re]start + # + if ! chain_exists $(input_chain $interface) ; then + startup_error "Unknown interface $interface" + fi + # + # Build lists of interfaces with special rules + # + dhcp_interfaces=$(find_interfaces_by_option dhcp) + blacklist_interfaces=$(find_interfaces_by_option blacklist) + maclist_interfaces=$(find_interfaces_by_option maclist) + tcpflags_interfaces=$(find_interfaces_by_option tcpflags) + # + # Normalize the first argument to this function + # + newhost="$interface:$host" + + terminator=fatal_error + # + # Create a new Zone state file + # + > ${STATEDIR}/zones_$$ + # + # Add $1 to the Zone state file + # + while read z hosts; do + if [ "$z" = "$zone" ]; then + for h in $hosts; do + if [ "$h" = "$newhost" ]; then + rm -f ${STATEDIR}/zones_$$ + startup_error "$1 already in zone $zone" + fi + done + + [ -z "$hosts" ] && hosts=$newhost || hosts="$hosts $newhost" + fi + + eval ${z}_hosts=\"$hosts\" + + echo "$z $hosts" >> ${STATEDIR}/zones_$$ + done < ${STATEDIR}/zones + + mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones + # + # If the zone 
passed in the command has a dnat chain then insert a rule in + # the nat table PREROUTING chain to jump to that chain when the source + # matches the new host(s)# + # + chain=${zone}_dnat + + if nat_chain_exists $chain; then + do_iptables -t nat -I PREROUTING -i $interface -s $host -j $chain + fi + # + # Insert new rules into the input chains for the passed interface + # + while read z1 z2 chain; do + if [ "$z1" = "$zone" ]; then + if [ "$z2" = "$FW" ]; then + # + # We will insert the rule right after the DHCP, 'ping' and + # MAC rules (if any) + # + if list_search $interface $dhcp_interfaces; then + rulenum=3 + else + rulenum=2 + fi + + if list_search $interface $maclist_interfaces; then + rulenum=$(($rulenum + 1)) + fi + + if list_search $interface $tcpflags_interfaces; then + rulenum=$(($rulenum + 1)) + fi + + do_iptables -I $(input_chain $interface) $rulenum -s $host -j $chain + else + # + # Insert rules into the passed interface's forward chain + # + # We insert them after any blacklist/MAC verification rules + # + source_chain=$(forward_chain $interface) + eval dest_hosts=\"\$${z2}_hosts\" + + base=$(chain_base $interface) + + eval rulenum=\$${base}_rulenum + + if [ -z "$rulenum" ]; then + if list_search $interface $blacklist_interfaces; then + rulenum=3 + else + rulenum=2 + fi + + if list_search $interface $maclist_interfaces; then + rulenum=$(($rulenum + 1)) + fi + + if list_search $interface $tcpflags_interfaces; then + rulenum=$(($rulenum + 1)) + fi + fi + + for h in $dest_hosts; do + iface=${h%:*} + hosts=${h#*:} + + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then + do_iptables -I $source_chain $rulenum -s $host -o $iface -d $hosts -j $chain + rulenum=$(($rulenum + 1)) + fi + done + + eval ${base}_rulenum=$rulenum + + fi + elif [ "$z2" = "$zone" ]; then + if [ "$z1" = "$FW" ]; then + # + # Add a rule to the OUTPUT chain -- always after the icmp * ACCEPT rule + # + do_iptables -I OUTPUT $(output_rule_num) -o $interface -d $host -j $chain + 
else + # + # Insert rules into the source interface's forward chain + # + # We insert them after any blacklist rules + # + eval source_hosts=\"\$${z1}_hosts\" + + for h in $source_hosts; do + iface=${h%:*} + hosts=${h#*:} + + base=$(chain_base $iface) + + eval rulenum=\$${base}_rulenum + + if [ -z "$rulenum" ]; then + if list_search $iface $blacklist_interfaces; then + rulenum=3 + else + rulenum=2 + fi + fi + + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then + do_iptables -I $(forward_chain $iface) $rulenum -s $hosts -o $interface -d $host -j $chain + rulenum=$(($rulenum + 1)) + fi + + eval ${base}_rulenum=$rulenum + done + fi + fi + done < ${STATEDIR}/chains + + rm -rf $TMP_DIR + + echo "$1 added to zone $2" +} + +# +# Delete a host or subnet from a zone +# +delete_from_zone() # $1 = [:] $2 = zone +{ + # + # Delete the subnect host(s) from the zone state file + # + delete_from_zones_file() + { + > ${STATEDIR}/zones_$$ + + while read z hosts; do + if [ "$z" = "$zone" ]; then + temp=$hosts + hosts= + + for h in $temp; do + if [ "$h" = "$delhost" ]; then + echo Yes + else + hosts="$hosts $h" + fi + done + fi + + echo "$z $hosts" >> ${STATEDIR}/zones_$$ + done < ${STATEDIR}/zones + + mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones + } + # + # Isolate interface and host parts + # + interface=${1%:*} + host=${1#*:} + + [ -z "$host" ] && host="0.0.0.0/0" + # + # Load $zones + # + determine_zones + + zone=$2 + + validate_zone $zone || startup_error "Unknown zone: $zone" + + [ "$zone" = $FW ] && startup_error "Can't remove $1 from firewall zone" + # + # Be sure that Shorewall has been restarted using a DZ-aware version of the code + # + [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" + [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" + # + # Be sure that the interface was present at last [re]start + # + if ! 
chain_exists $(input_chain $interface) ; then + startup_error "Unknown interface $interface" + fi + # + # Normalize the first argument to this function + # + delhost="$interface:$host" + # + # Delete the passed hosts from the zone state file + # + [ -z "$(delete_from_zones_file)" ] && \ + error_message "Warning: $1 does not appear to be in zone $2" + # + # Construct the zone host maps + # + while read z hosts; do + eval ${z}_hosts=\"$hosts\" + done < ${STATEDIR}/zones + + terminator=fatal_error + # + # Delete any nat table entries for the host(s) + # + qt iptables -t nat -D PREROUTING -i $interface -s $host -j ${zone}_dnat + # + # Delete rules rules the input chains for the passed interface + # + while read z1 z2 chain; do + if [ "$z1" = "$zone" ]; then + if [ "$z2" = "$FW" ]; then + qt iptables -D $(input_chain $interface) -s $host -j $chain + else + source_chain=$(forward_chain $interface) + eval dest_hosts=\"\$${z2}_hosts\" + + for h in $dest_hosts $delhost; do + iface=${h%:*} + hosts=${h#*:} + + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then + qt iptables -D $source_chain -s $host -o $iface -d $hosts -j $chain + fi + done + fi + elif [ "$z2" = "$zone" ]; then + if [ "$z1" = "$FW" ]; then + qt iptables -D OUTPUT -o $interface -d $host -j $chain + else + eval source_hosts=\"\$${z1}_hosts\" + + for h in $source_hosts; do + iface=${h%:*} + hosts=${h#*:} + + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then + qt iptables -D $(forward_chain $iface) -s $hosts -o $interface -d $host -j $chain + fi + done + fi + fi + done < ${STATEDIR}/chains + + rm -rf $TMP_DIR + + echo "$1 removed from zone $2" +} + +# +# Determine the value for a parameter that defaults to Yes +# +added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value +{ + local val="$2" + + if [ -z "$val" ]; then + echo "Yes" + else case $val in + [Yy][Ee][Ss]) + echo "Yes" + ;; + [Nn][Oo]) + echo "" + ;; + *) + startup_error "Invalid value ($val) for $1" + ;; + esac + fi +} + 
+# +# Determine the value for a parameter that defaults to No +# +added_param_value_no() # $1 = Parameter Name, $2 = Parameter value +{ + local val="$2" + + if [ -z "$val" ]; then + echo "" + else case $val in + [Yy][Ee][Ss]) + echo "Yes" + ;; + [Nn][Oo]) + echo "" + ;; + *) + startup_error "Invalid value ($val) for $1" + ;; + esac + fi +} + +# +# Initialize this program +# +do_initialize() { + + # Run all utility programs using the C locale + # + # Thanks to Vincent Planchenault for this tip # + + export LC_ALL=C + + PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin + # + # Establish termination function + # + terminator=startup_error + # + # Clear all configuration variables + # + version= + FW= + SUBSYSLOCK= + STATEDIR= + ALLOWRELATED=Yes + LOGRATE= + LOGBURST= + LOGPARMS= + LOGLIMIT= + ADD_IP_ALIASES= + ADD_SNAT_ALIASES= + TC_ENABLED= + BLACKLIST_DISPOSITION= + BLACKLIST_LOGLEVEL= + CLAMPMSS= + ROUTE_FILTER= + DETECT_DNAT_IPADDRS= + MUTEX_TIMEOUT= + NEWNOTSYN= + LOGNEWNOTSYN= + FORWARDPING= + MACLIST_DISPOSITION= + MACLIST_LOG_LEVEL= + TCP_FLAGS_DISPOSITION= + TCP_FLAGS_LOG_LEVEL= + RFC1918_LOG_LEVEL= + MARK_IN_FORWARD_CHAIN= + SHARED_DIR=/usr/share/shorewall + FUNCTIONS= + VERSION_FILE= + LOGFORMAT= + LOGRULENUMBERS= + ADMINISABSENTMINDED= + BLACKLISTNEWONLY= + MODULE_SUFFIX= + ACTIONS= + USEDACTIONS= + SMURF_LOG_LEVEL= + DISABLE_IPV6= + + stopping= + have_mutex= + masq_seq=1 + nonat_seq=1 + aliases_to_add= + + TMP_DIR=/tmp/shorewall-$$ + rm -rf $TMP_DIR + mkdir -p $TMP_DIR && chmod 700 $TMP_DIR || \ + startup_error "Can't create $TMP_DIR" + + trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9 + + FUNCTIONS=$SHARED_DIR/functions + + if [ -f $FUNCTIONS ]; then + echo "Loading $FUNCTIONS..." + . $FUNCTIONS + else + startup_error "$FUNCTIONS does not exist!" 
+ fi + + VERSION_FILE=$SHARED_DIR/version + + [ -f $VERSION_FILE ] && version=$(cat $VERSION_FILE) + + run_user_exit params + + config=$(find_file shorewall.conf) + + if [ -f $config ]; then + echo "Processing $config..." + . $config + else + echo "$config does not exist!" >&2 + exit 2 + fi + # + # Determine the capabilities of the installed iptables/netfilter + # + determine_capabilities + + [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall + + [ -d $STATEDIR ] || mkdir -p $STATEDIR + + [ -z "$FW" ] && FW=fw + + ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)" + [ -n "$ALLOWRELATED" ] || \ + startup_error "ALLOWRELATED=No is not supported" + ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)" + TC_ENABLED="$(added_param_value_yes TC_ENABLED $TC_ENABLED)" + + if [ -n "${LOGRATE}${LOGBURST}" ]; then + LOGLIMIT="--match limit" + [ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE" + [ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST" + fi + + if [ -n "$IP_FORWARDING" ]; then + case "$IP_FORWARDING" in + [Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp]) + ;; + *) + startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING" + ;; + esac + else + IP_FORWARDING=On + fi + + if [ -n "$TC_ENABLED" -a -z "$MANGLE_ENABLED" ]; then + startup_error "Traffic Control requires Mangle" + fi + + [ -z "$BLACKLIST_DISPOSITION" ] && BLACKLIST_DISPOSITION=DROP + + CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS) + ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES) + ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER) + DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS) + FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING) + [ -n "$FORWARDPING" ] && \ + startup_error "FORWARDPING=Yes is no longer supported" + + NEWNOTSYN=$(added_param_value_yes NEWNOTSYN $NEWNOTSYN) + + maclist_target=reject + + if [ -n "$MACLIST_DISPOSITION" ] ; then + case 
$MACLIST_DISPOSITION in + REJECT) + ;; + ACCEPT|DROP) + maclist_target=$MACLIST_DISPOSITION + ;; + *) + startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION" + ;; + esac + else + MACLIST_DISPOSITION=REJECT + fi + + if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then + case $TCP_FLAGS_DISPOSITION in + REJECT|ACCEPT|DROP) + ;; + *) + startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION" + ;; + esac + else + TCP_FLAGS_DISPOSITION=DROP + fi + + [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info + MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN) + [ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre + if [ -n "$TC_ENABLED" ]; then + CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC) + else + CLEAR_TC= + fi + + if [ -n "$LOGFORMAT" ]; then + if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then + LOGRULENUMBERS=Yes + temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null) + if [ $? -ne 0 ]; then + startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" + fi + else + temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null) + if [ $? 
-ne 0 ]; then + startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" + fi + fi + + if [ ${#temp} -gt 29 ]; then + startup_error "LOGFORMAT string is too long: \"$LOGFORMAT\"" + fi + else + LOGFORMAT="Shorewall:%s:%s:" + fi + ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED) + BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) + DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) + [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz" + + # + # Strip the files that we use often + # + strip_file interfaces + strip_file hosts + # + # Check out the user's shell + # + [ -n "$SHOREWALL_SHELL" ] || SHOREWALL_SHELL=/bin/sh + + temp=$(decodeaddr 192.168.1.1) + if [ $(encodeaddr $temp) != 192.168.1.1 ]; then + startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall" + fi +} + +# +# Give Usage Information +# +usage() { + echo "Usage: $0 [debug] {start|stop|reset|restart|status|refresh|clear|{add|delete} [:hosts] zone}}" + exit 1 +} + +# +# E X E C U T I O N B E G I N S H E R E +# +# +# Start trace if first arg is "debug" +# +[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; } + +nolock= + +[ $# -gt 1 ] && [ "$1" = "nolock" ] && { nolock=Yes; shift ; } + +trap "my_mutex_off; exit 2" 1 2 3 4 5 6 9 + +COMMAND="$1" + +case "$COMMAND" in + stop) + [ $# -ne 1 ] && usage + do_initialize + my_mutex_on + # + # Don't want to do a 'stop' when startup is disabled + # + check_disabled_startup + echo -n "Stopping Shorewall..." + stop_firewall + [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK + echo "done." 
+ my_mutex_off + ;; + + start) + [ $# -ne 1 ] && usage + do_initialize + my_mutex_on + if qt iptables -L shorewall -n ; then + [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK + echo "Shorewall Already Started" + [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR + my_mutex_off + exit 0; + fi + define_firewall "Start" && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK + my_mutex_off + ;; + + restart) + [ $# -ne 1 ] && usage + do_initialize + my_mutex_on + if qt iptables -L shorewall -n ; then + define_firewall "Restart" + else + echo "Shorewall Not Currently Running" + define_firewall "Start" + fi + + [ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK + my_mutex_off + ;; + + status) + [ $# -ne 1 ] && usage + echo "Shorewall-$version Status at $HOSTNAME - $(date)" + echo + iptables -L -n -v + ;; + + reset) + [ $# -ne 1 ] && usage + do_initialize + my_mutex_on + if ! qt iptables -L shorewall -n ; then + echo "Shorewall Not Started" + [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR + my_mutex_off + exit 2; + fi + iptables -Z + iptables -t nat -Z + iptables -t mangle -Z + report "Shorewall Counters Reset" + date > $STATEDIR/restarted + my_mutex_off + ;; + + refresh) + [ $# -ne 1 ] && usage + do_initialize + my_mutex_on + if ! qt iptables -L shorewall -n ; then + echo "Shorewall Not Started" + [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR + my_mutex_off + exit 2; + fi + refresh_firewall; + my_mutex_off + ;; + + clear) + [ $# -ne 1 ] && usage + do_initialize + my_mutex_on + echo -n "Clearing Shorewall..." + clear_firewall + [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK + echo "done." + my_mutex_off + ;; + + check) + [ $# -ne 1 ] && usage + do_initialize + check_config + ;; + + add) + [ $# -ne 3 ] && usage + do_initialize + my_mutex_on + if ! qt iptables -L shorewall -n ; then + echo "Shorewall Not Started" + [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR + my_mutex_off + exit 2; + fi + add_to_zone $2 $3 + my_mutex_off + ;; + + delete) + [ $# -ne 3 ] && usage + do_initialize + my_mutex_on + if ! 
qt iptables -L shorewall -n ; then
+ echo "Shorewall Not Started"
+ [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
+ my_mutex_off
+ exit 2;
+ fi
+ delete_from_zone $2 $3
+ my_mutex_off
+ ;;
+
+ call)
+ #
+ # Undocumented way to call functions in /usr/share/shorewall/firewall directly
+ #
+ shift;
+ do_initialize
+ EMPTY=
+ $@
+ ;;
+ *)
+ usage
+ ;;
+
+esac
diff --git a/STABLE2/functions b/STABLE2/functions
new file mode 100755
index 000000000..9a9210325
--- /dev/null
+++ b/STABLE2/functions
@@ -0,0 +1,609 @@
+#!/bin/sh
+#
+# Shorewall 2.0 -- /usr/share/shorewall/functions
+
+#
+# Search a list looking for a match -- returns zero if a match found
+# 1 otherwise
+#
+list_search() # $1 = element to search for , $2-$n = list
+{
+ local e=$1
+
+ while [ $# -gt 1 ]; do
+ shift
+ [ "x$e" = "x$1" ] && return 0
+ done
+
+ return 1
+}
+
+#
+# Functions to count list elements
+# - - - - - - - - - - - - - - - -
+# Whitespace-separated list
+#
+list_count1() {
+ echo $#
+}
+#
+# Comma-separated list
+#
+list_count() {
+ list_count1 $(separate_list $1)
+}
+
+#
+# Suppress all output for a command
+#
+qt()
+{
+ "$@" >/dev/null 2>&1
+}
+
+#
+# Perform variable substitution on the passed argument and echo the result
+#
+expand() # $1 = contents of variable which may be the name of another variable
+{
+ eval echo \"$1\"
+}
+
+#
+# Perform variable substitition on the values of the passed list of variables
+#
+expandv() # $* = list of variable names
+{
+ local varval
+
+ while [ $# -gt 0 ]; do
+ eval varval=\$${1}
+ eval $1=\"$varval\"
+ shift
+ done
+}
+
+#
+# Replace all leading "!" with "! " in the passed argument list
+#
+
+fix_bang() {
+ local i;
+
+ for i in $@; do
+ case $i in
+ !*)
+ echo "! ${i#!}"
+ ;;
+ *)
+ echo $i
+ ;;
+ esac
+ done
+}
+
+#
+# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall
+#
+find_file()
+{
+ case $1 in
+ /*)
+ echo $1
+ ;;
+ *)
+ if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
+ echo $SHOREWALL_DIR/$1
+ elif [ -f /etc/shorewall/$1 ]; then
+ echo /etc/shorewall/$1
+ elif [ -f /usr/share/shorewall/$1 ]; then
+ echo /usr/share/shorewall/$1
+ else
+ echo /etc/shorewall/$1
+ fi
+ ;;
+ esac
+}
+
+#
+# Replace commas with spaces and echo the result
+#
+separate_list() {
+ local list
+ local part
+ local newlist
+ #
+ # There's been whining about us not catching embedded white space in
+ # comma-separated lists. This is an attempt to snag some of the cases.
+ #
+ # The 'terminator' function will be set by the 'firewall' script to
+ # either 'startup_error' or 'fatal_error' depending on the command and
+ # command phase
+ #
+ case "$@" in
+ *,|,*|*,,*|*[[:space:]]*)
+ [ -n "$terminator" ] && \
+ $terminator "Invalid comma-separated list \"$@\""
+ echo "Warning -- invalid comma-separated list \"$@\"" >&2
+ ;;
+ esac
+
+ list="$@"
+ part="${list%%,*}"
+ newlist="$part"
+
+ while [ "x$part" != "x$list" ]; do
+ list="${list#*,}";
+ part="${list%%,*}";
+ newlist="$newlist $part";
+ done
+
+ echo "$newlist"
+}
+
+#
+# Find the zones
+#
+find_zones() # $1 = name of the zone file
+{
+ while read zone display comments; do
+ [ -n "$zone" ] && case "$zone" in
+ \#*)
+ ;;
+ $FW)
+ echo "Reserved zone name \"$zone\" in zones file ignored" >&2
+ ;;
+ *)
+ echo $zone
+ ;;
+ esac
+ done < $1
+}
+
+find_display() # $1 = zone, $2 = name of the zone file
+{
+ grep ^$1 $2 | while read z display comments; do
+ [ "x$1" = "x$z" ] && echo $display
+ done
+}
+#
+# This function assumes that the TMP_DIR variable is set and that
+# its value named an existing directory.
+#
+determine_zones()
+{
+ local zonefile=$(find_file zones)
+
+ multi_display=Multi-zone
+ strip_file zones $zonefile
+ zones=$(find_zones $TMP_DIR/zones)
+ zones=$(echo $zones) # Remove extra trash
+
+ for zone in $zones; do
+ dsply=$(find_display $zone $TMP_DIR/zones)
+ eval ${zone}_display=\$dsply
+ done
+}
+
+#
+# The following functions may be used by apps that wish to ensure that
+# the state of Shorewall isn't changing
+#
+# This function loads the STATEDIR variable (directory where Shorewall is to
+# store state files). If your application supports alternate Shorewall
+# configurations then the name of the alternate configuration directory should
+# be in $SHOREWALL_DIR at the time of the call.
+# +# If the shorewall.conf file does not exist, this function does not return +# +get_statedir() +{ + MUTEX_TIMEOUT= + + local config=$(find_file shorewall.conf) + + if [ -f $config ]; then + . $config + else + echo "/etc/shorewall/shorewall.conf does not exist!" >&2 + exit 2 + fi + + [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall +} + +# +# Call this function to assert MUTEX with Shorewall. If you invoke the +# /sbin/shorewall program while holding MUTEX, you should pass "nolock" as +# the first argument. Example "shorewall nolock refresh" +# +# This function uses the lockfile utility from procmail if it exists. +# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the +# behavior of lockfile. +# +mutex_on() +{ + local try=0 + local lockf=$STATEDIR/lock + + MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60} + + if [ $MUTEX_TIMEOUT -gt 0 ]; then + + [ -d $STATEDIR ] || mkdir -p $STATEDIR + + if qt which lockfile; then + lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} + else + while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do + sleep 1 + try=$((${try} + 1)) + done + + if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then + # Create the lockfile + echo $$ > ${lockf} + else + echo "Giving up on lock file ${lockf}" >&2 + fi + fi + fi +} + +# +# Call this function to release MUTEX +# +mutex_off() +{ + rm -f $STATEDIR/lock +} + +# +# Read a file and handle "INCLUDE" directives +# + +read_file() # $1 = file name, $2 = nest count +{ + local first rest + + if [ -f $1 ]; then + while read first rest; do + if [ "x$first" = "xINCLUDE" ]; then + if [ $2 -lt 4 ]; then + read_file $(find_file ${rest%#*}) $(($2 + 1)) + else + echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2 + fi + else + echo "$first $rest" + fi + done < $1 + else + [ -n "$terminator" ] && $terminator "No such file: $1" + echo "Warning -- No such file: $1" + fi +} + +# +# Function for including one file into another +# +INCLUDE() { + . 
$(find_file $@) +} + +# +# Strip comments and blank lines from a file and place the result in the +# temporary directory +# +strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional) +{ + local fname + + [ $# = 1 ] && fname=$(find_file $1) || fname=$2 + + if [ -f $fname ]; then + read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1 + else + > $TMP_DIR/$1 + fi +} + +# +# Note: The following set of IP address manipulation functions have anomalous +# behavior when the shell only supports 32-bit signed arithmatic and +# the IP address is 128.0.0.0 or 128.0.0.1. +# +# +# So that emacs doesn't get lost, we use $LEFTSHIFT rather than << +# +LEFTSHIFT='<<' + +# +# Convert an IP address in dot quad format to an integer +# +decodeaddr() { + local x + local temp=0 + local ifs=$IFS + + IFS=. + + for x in $1; do + temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x )) + done + + echo $temp + + IFS=$ifs +} + +# +# convert an integer to dot quad format +# +encodeaddr() { + addr=$1 + local x + local y=$(($addr & 255)) + + for x in 1 2 3 ; do + addr=$(($addr >> 8)) + y=$(($addr & 255)).$y + done + + echo $y +} + +# +# Enumerate the members of an IP range -- When using a shell supporting only +# 32-bit signed arithmetic, the range cannot span 128.0.0.0. +# +# Comes in two flavors: +# +# ip_range() - produces a mimimal list of network/host addresses that spans +# the range. +# +# ip_range_explicit() - explicitly enumerates the range. 
+# +ip_range() { + local first last l x y z vlsm + + case $1 in + [0-9]*.*.*.*-*.*.*.*) + ;; + *) + echo $1 + return + ;; + esac + + first=$(decodeaddr ${1%-*}) + last=$(decodeaddr ${1#*-}) + + if [ $first -gt $last ]; then + fatal_error "Invalid IP address range: $1" + fi + + l=$(( $last + 1 )) + + while [ $first -le $last ]; do + vlsm= + x=31 + y=2 + z=1 + + while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do + vlsm=/$x + x=$(( $x - 1 )) + z=$y + y=$(( $y * 2 )) + done + + echo $(encodeaddr $first)$vlsm + first=$(($first + $z)) + done +} + +ip_range_explicit() { + local first last + + case $1 in + [0-9]*.*.*.*-*.*.*.*) + ;; + *) + echo $1 + return + ;; + esac + + first=$(decodeaddr ${1%-*}) + last=$(decodeaddr ${1#*-}) + + if [ $first -gt $last ]; then + fatal_error "Invalid IP address range: $1" + fi + + while [ $first -le $last ]; do + echo $(encodeaddr $first) + first=$(($first + 1)) + done +} + +# +# Netmask from CIDR +# +ip_netmask() { + local vlsm=${1#*/} + + [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) )) +} + +# +# Network address from CIDR +# +ip_network() { + local decodedaddr=$(decodeaddr ${1%/*}) + local netmask=$(ip_netmask $1) + + echo $(encodeaddr $(($decodedaddr & $netmask))) +} + +# +# The following hack is supplied to compensate for the fact that many of +# the popular light-weight Bourne shell derivatives don't support XOR ("^"). 
+# + +ip_broadcast() { + local x=$(( 32 - ${1#*/} )) + + [ $x -eq 0 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 )) +} + +# +# Calculate broadcast address from CIDR +# +broadcastaddress() { + local decodedaddr=$(decodeaddr ${1%/*}) + local netmask=$(ip_netmask $1) + local broadcast=$(ip_broadcast $1) + + echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast ))) +} + +# +# Test for subnet membership +# +in_subnet() # $1 = IP address, $2 = CIDR network +{ + local netmask=$(ip_netmask $2) + + test $(( $(decodeaddr $1) & $netmask)) -eq $(( $(decodeaddr ${2%/*}) & $netmask )) +} + +# +# Netmask to VLSM +# +ip_vlsm() { + local mask=$(decodeaddr $1) + local vlsm=0 + local x=$(( 128 $LEFTSHIFT 24 )) + + while [ $(( $x & $mask )) -ne 0 ]; do + [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Don't Ask... + vlsm=$(($vlsm + 1)) + done + + if [ $(( $mask & 2147483647)) -ne 0 ]; then + echo "Invalid net mask: $1" >&2 + else + echo $vlsm + fi +} + + +# +# Chain name base for an interface -- replace all periods with underscores in the passed name. +# The result is echoed (less "+" and anything following). 
+# +chain_base() #$1 = interface +{ + local c=${1%%+*} + + while true; do + case $c in + *.*) + c="${c%.*}_${c##*.}" + ;; + *-*) + c="${c%-*}_${c##*-}" + ;; + *) + echo ${c:=common} + return + ;; + esac + done +} + +# +# Remove trailing digits from a name +# +strip_trailing_digits() { + echo $1 | sed s'/[0-9].*$//' +} + +# +# Loosly Match the name of an interface +# + +if_match() # $1 = Name in interfaces file - may end in "+" + # $2 = Name from routing table +{ + local if_file=$1 + local rt_table=$2 + + case $if_file in + *+) + test "$(strip_trailing_digits $rt_table)" = "${if_file%+}" + ;; + *) + test "$rt_table" = "$if_file" + ;; + esac +} + +# +# Find the value 'dev' in the passed arguments then echo the next value +# + +find_device() { + while [ $# -gt 1 ]; do + [ "x$1" = xdev ] && echo $2 && return + shift + done +} + +# +# Find the interfaces that have a route to the passed address - the default +# route is not used. +# + +find_rt_interface() { + ip route ls | while read addr rest; do + case $addr in + */*) + in_subnet ${1%/*} $addr && echo $(find_device $rest) + ;; + default) + ;; + *) + if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then + echo $(find_device $rest) + fi + ;; + esac + done +} + +# +# Find the default route's interface +# +find_default_interface() { + ip route ls | while read first rest; do + [ "$first" = default ] && echo $(find_device $rest) && return + done +} + +# +# Echo the name of the interface(s) that will be used to send to the +# passed address +# + +find_interface_by_address() { + local dev="$(find_rt_interface $1)" + local first rest + + [ -z "$dev" ] && dev=$(find_default_interface) + + [ -n "$dev" ] && echo $dev +} + diff --git a/STABLE2/help b/STABLE2/help new file mode 100644 index 000000000..4ed47f396 --- /dev/null +++ b/STABLE2/help 
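Review bot: mutex_on returns success after its fallback path gives up on the lock — when the retry loop reaches MUTEX_TIMEOUT it only prints `Giving up on lock file ${lockf}` to stderr and falls through, so a caller that relies on the exit status goes on to change firewall state without holding the mutex (the lockfile-utility branch surfaces a failure only because `lockfile` happens to be the last command executed, and nothing checks it either). I would make both branches explicit: `lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} || return 1` and, in the else branch, `echo "Giving up on lock file ${lockf}" >&2; return 1`; whether my_mutex_on in the firewall script acts on that status is not visible in this hunk. The `[ -f ${lockf} ]` test followed by `echo $$ > ${lockf}` is the check-then-create race the header comment concedes; a `mkdir`-based lock directory would be atomic in POSIX sh without depending on procmail's lockfile, though mutex_off would have to be changed to match. Also, `qt which lockfile` is more portable written as `command -v lockfile >/dev/null 2>&1`.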
@@ -0,0 +1,267 @@ +#!/bin/sh +# +# Shorewall help subsystem - V2.0 - 2/14/2004 +# +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net) +# Steve Herber (herber@thing.com) +# +# This file should be placed in /usr/share/shorewall/help +# +# Shorewall documentation is available at http://shorewall.sourceforge.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA +################################################################################## + +case $1 in + +add) + echo "add: add [:] + Adds a host or subnet to a dynamic zone usually used with VPN's. + + shorewall add interface[:host] zone - Adds the specified interface + (and host if included) to the specified zone. + + Example: + + shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 + from interface ipsec0 to the zone vpn1. + + See also \"help host\"" + ;; + +address|host) + echo "<$1>: + May be either a host IP address such as 192.168.1.4 or a network address in + CIDR format like 192.168.1.0/24" + ;; + +allow) + echo "allow: allow
... + Re-enables receipt of packets from hosts previously blacklisted + by a drop or reject command. + + Shorewall allow, drop, rejct and save implement dynamic blacklisting. + + See also \"help address\"" + ;; + +check) + echo "check: check [ -c ] + Performs a cursory validation of the zones, interfaces, hosts, + rules and policy files. Use this if you are unsure of any edits + you have made to the shorewall configuration. See the try command + examples for a recommended way to make changes." + ;; + +clear) + echo "clear: clear + Clear will remove all rules and chains installed by Shoreline. + The firewall is then wide open and unprotected. Existing + connections are untouched. Clear is often used to see if the + firewall is causing connection problems." + ;; + +debug) + echo "debug: debug + If you include the keyword debug as the first argument to any + of these commands: + + start|stop|restart|reset|clear|refresh|check|add|delete + + then a shell trace of the command is produced. For example: + + shorewall debug start 2> /tmp/trace + + The above command would trace the 'start' command and + place the trace information in the file /tmp/trace. + + The word 'trace' is a synonym for 'debug'." + ;; + +delete) + echo "delete: delete [:] + Deletes a host or subnet from a dynamic zone usually used with VPN's. + + shorewall delete interface[:host] zone - Deletes the specified + interface (and host if included) from the specified zone. + + Example: + + shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address + 192.0.2.24 from interface ipsec0 from zone vpn1 + + See also \"help host\"" + ;; + +drop) + echo "$1: $1
... + Causes packets from the specified
to be ignored + + Shorewall allow, drop, rejct and save implement dynamic blacklisting. + + See also \"help address\"" + ;; + +help) + echo "help: help [ | host | address ] + Display helpful information about the shorewall commands." + ;; + +hits) + echo "hits: hits + Produces several reports about the Shorewall packet log messages + in the current /var/log/messages file." + ;; + +ipcalc) + echo "ipcalc: ipcalc [ address mask | address/vlsm ] + Ipcalc displays the network address, broadcast address, + network in CIDR notation and netmask corresponding to the input[s]." + ;; + +iprange) + echo "iprange: iprange address1-address2 + Iprange decomposes the specified range of IP addresses into the + equivalent list of network/host addresses." + ;; + +logwatch) + echo "logwatch: logwatch [] + Monitors the LOGFILE, $LOGFILE, + and produces an audible alarm when new Shorewall messages are logged." + ;; + +monitor) + echo "monitor: monitor [] + Continuously display the firewall status, last 20 log entries and nat. + When the log entry display changes, an audible alarm is sounded." + ;; + +refresh) + echo "refresh: refresh + The rules involving the broadcast addresses of firewall interfaces, + the black list, traffic control rules and ECN control rules are recreated + to reflect any changes made. Existing connections are untouched" + ;; + +reject) + echo "$1: $1
... + Causes packets from the specified
to be rejected + + Shorewall allow, drop, rejct and save implement dynamic blacklisting. + + See also \"help address\"" + ;; + +reset) + echo "reset: reset + All the packet and byte counters in the firewall are reset." + ;; + +restart) + echo "restart: restart [ -c ] + Restart is the same as a shorewall stop && shorewall start. + Existing connections are dropped." + ;; + +save) + echo "save: save + The dynamic data is stored in /var/lib/shorewall/save + Shorewall allow, drop, rejct and save implement dynamic blacklisting." + ;; + +show) + echo "show: show [ [ ...] |classifiers|connections|log|nat|tc|tos] + shorewall show [ ... ] - produce a verbose report about the IPtable chain(s). + (iptables -L chain -n -v) + + shorewall show nat - produce a verbose report about the nat table. + (iptables -t nat -L -n -v) + + shorewall show tos - produce a verbose report about the mangle table. + (iptables -t mangle -L -n -v) + + shorewall show log - display the last 20 packet log entries. + + shorewall show connections - displays the IP connections currently + being tracked by the firewall. + + shorewall show tc - displays information about the traffic + control/shaping configuration." + ;; + +start) + echo "start: start [ -c ] + Start shorewall. Existing connections through shorewall managed + interfaces are untouched. New connections will be allowed only + if they are allowed by the firewall rules or policies." + ;; + +stop) + echo "stop: stop + Stops the firewall. All existing connections, except those + listed in /etc/shorewall/routestopped, are taken down. + The only new traffic permitted through the firewall + is from systems listed in /etc/shorewall/routestopped." + ;; + +status) + echo "status: status + Produce a verbose report about the firewall. 
+ + (iptables -L -n -v)" + ;; + +trace) + echo "trace: trace + If you include the keyword trace as the first argument to any + of these commands: + + start|stop|restart|reset|clear|refresh|check|add|delete + + then a shell trace of the command is produced. For example: + + shorewall trace start 2> /tmp/trace + + The above command would trace the 'start' command and + place the trace information in the file /tmp/trace. + + The word 'debug' is a synonym for 'trace'." + ;; + +try) + echo "try: try [ ] + Restart shorewall using the specified configuration. If an error + occurs during the restart, then another shorewall restart is performed + using the default configuration. If a timeout is specified then + the restart is always performed after the timeout occurs and uses + the default configuration." + ;; + +version) + echo "version: version + Show the current shorewall version which is: $version" + ;; + +*) + echo "$1: $1 is not recognized by the help command" + ;; + +esac + +exit 0 # always ok + diff --git a/STABLE2/hosts b/STABLE2/hosts new file mode 100644 index 000000000..129e5431b --- /dev/null +++ b/STABLE2/hosts 
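Review bot: `$version` (in the version arm) and `$LOGFILE` (in the logwatch arm) are expanded but never assigned anywhere in this file, so running help on its own prints an empty version string and an empty log file name; presumably they are inherited from the program that invokes this script, and a header comment such as `# Expects $version and $LOGFILE to be set by the caller before this file is run` would make that contract explicit. The sentence "Shorewall allow, drop, rejct and save implement dynamic blacklisting." is repeated in the allow, drop, reject and save arms with "reject" misspelled as "rejct". The `*)` arm reports an unrecognized topic but the script still ends with `exit 0 # always ok`, so a caller cannot tell a bad topic from a good one; if that is deliberate the comment could say why, otherwise `exit 1` in that arm would be conventional.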
@@ -0,0 +1,52 @@ +# +# Shorewall 2.0 - /etc/shorewall/hosts +# +# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN +# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE. +# +# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE. +# +# This file is used to define zones in terms of subnets and/or +# individual IP addresses. Most simple setups don't need to +# (should not) place anything in this file. +# +# ZONE - The name of a zone defined in /etc/shorewall/zones +# +# HOST(S) - The name of an interface followed by a colon (":") and +# a comma-separated list whose elements are either: +# +# a) The IP address of a host +# b) A subnetwork in the form +# / +# +# The interface must be defined in the +# /etc/shorewall/interfaces file. +# +# Examples: +# +# eth1:192.168.1.3 +# eth2:192.168.2.0/24 +# eth3:192.168.2.0/24,192.168.3.1 +# +# OPTIONS - A comma-separated list of options. Currently-defined +# options are: +# +# maclist - Connection requests from these hosts +# are compared against the contents of +# /etc/shorewall/maclist. If this option +# is specified, the interface must be +# an ethernet NIC and must be up before +# Shorewall is started. +# +# routeback - Shorewall show set up the infrastructure +# to pass packets from this/these +# address(es) back to themselves. This is +# necessary of hosts in this group use the +# services of a transparent proxy that is +# a member of the group or if DNAT is used +# to send requests originating from this +# group to a server in the group. +# +# +#ZONE HOST(S) OPTIONS +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE diff --git a/STABLE2/init b/STABLE2/init new file mode 100644 index 000000000..cdd21c79b --- /dev/null +++ b/STABLE2/init 
@@ -0,0 +1,6 @@
+############################################################################
+# Shorewall 2.0 -- /etc/shorewall/init
+#
+# Add commands below that you want to be executed at the beginning of
+# a "shorewall start" or "shorewall restart" command.
+#
diff --git a/STABLE2/init.debian.sh b/STABLE2/init.debian.sh
new file mode 100755
index 000000000..237f581fc
--- /dev/null
+++ b/STABLE2/init.debian.sh
@@ -0,0 +1,123 @@ +#!/bin/sh + +SRWL=/sbin/shorewall +WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup +# Note, set INITLOG to /dev/null if you do not want to +# keep logs of the firewall (not recommended) +INITLOG=/var/log/shorewall-init.log + +test -x $SRWL || exit 0 +test -x $WAIT_FOR_IFUP || exit 0 +test -n $INITLOG || { + echo "INITLOG cannot be empty, please configure $0" ; + exit 1; +} + +if [ "$(id -u)" != "0" ] +then + echo "You must be root to start, stop or restart \"Shorewall firewall\"." + exit 1 +fi + +echo_notdone () { + + if [ "$INITLOG" = "/dev/null" ] ; then + "not done." + else + "not done (check $INITLOG)." + fi + +} + +not_configured () { + echo "#### WARNING ####" + echo "the firewall won't be started/stopped unless it is configured" + if [ "$1" != "stop" ] + then + echo "" + echo "please configure it and then edit /etc/default/shorewall" + echo "and set the \"startup\" variable to 1 in order to allow " + echo "shorewall to start" + fi + echo "#################" + exit 0 +} + +# parse the shorewall params file in order to use params in +# /etc/default/shorewall +if [ -f "/etc/shorewall/params" ] +then + . /etc/shorewall/params +fi + +# check if shorewall is configured or not +if [ -f "/etc/default/shorewall" ] +then + . /etc/default/shorewall + if [ "$startup" != "1" ] + then + not_configured + fi +else + not_configured +fi + +# wait an unconfigured interface +wait_for_pppd () { + if [ "$wait_interface" != "" ] + then + for i in $wait_interface + do + $WAIT_FOR_IFUP $i 90 + done + fi +} + +# start the firewall +shorewall_start () { + echo -n "Starting \"Shorewall firewall\": " + wait_for_pppd + $SRWL start >> $INITLOG 2>&1 && echo "done." || echo_notdone + return 0 +} + +# stop the firewall +shorewall_stop () { + echo -n "Stopping \"Shorewall firewall\": " + $SRWL stop >> $INITLOG 2>&1 && echo "done." 
|| echo_notdone + return 0 +} + +# restart the firewall +shorewall_restart () { + echo -n "Restarting \"Shorewall firewall\": " + $SRWL restart >> $INITLOG 2>&1 && echo "done." || echo_notdone + return 0 +} + +# refresh the firewall +shorewall_refresh () { + echo -n "Refreshing \"Shorewall firewall\": " + $SRWL refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone + return 0 +} + +case "$1" in + start) + shorewall_start + ;; + stop) + shorewall_stop + ;; + refresh) + shorewall_refresh + ;; + force-reload|restart) + shorewall_restart + ;; + *) + echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload}" + exit 1 +esac + +exit 0 diff --git a/STABLE2/init.sh b/STABLE2/init.sh new file mode 100644 index 000000000..dc6cdd5aa --- /dev/null +++ b/STABLE2/init.sh 
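Review bot: `test -n $INITLOG` near the top of the script does not guard anything: with `$INITLOG` unquoted an empty value expands to no argument at all, `test -n` with no operand is true, and the "INITLOG cannot be empty" branch can never fire; it should be `test -n "$INITLOG" || { ... }`. In `echo_notdone` both branches run `"not done."` and `"not done (check $INITLOG)."` as commands rather than printing them, so a failed start/stop emits a command-not-found error instead of the intended message; prefix both lines with `echo`. The `>> $INITLOG` redirections in the shorewall_start/stop/restart/refresh functions should quote the path for the same reason, since the script runs as root and appends to whatever that variable names.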
@@ -0,0 +1,74 @@ +#!/bin/sh +RCDLINKS="2,S41 3,S41 6,K41" +# +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003 +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net) +# +# On most distributions, this file should be called /etc/init.d/shorewall. +# +# Complete documentation is available at http://shorewall.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA +# +# If an error occurs while starting or restarting the firewall, the +# firewall is automatically stopped. 
+# +# Commands are: +# +# shorewall start Starts the firewall +# shorewall restart Restarts the firewall +# shorewall stop Stops the firewall +# shorewall status Displays firewall status +# +#### BEGIN INIT INFO +# Provides: shorewall +# Required-Start: $network +# Required-Stop: +# Default-Start: 2 3 5 +# Default-Stop: 0 1 6 +# Description: starts and stops the shorewall firewall +### END INIT INFO + +# chkconfig: 2345 25 90 +# description: Packet filtering firewall +# + +################################################################################ +# Give Usage Information # +################################################################################ +usage() { + echo "Usage: $0 start|stop|restart|status" + exit 1 +} + +################################################################################ +# E X E C U T I O N B E G I N S H E R E # +################################################################################ +command="$1" + +case "$command" in + + stop|start|restart|status) + + exec /sbin/shorewall $@ + ;; + *) + + usage + ;; + +esac diff --git a/STABLE2/install.sh b/STABLE2/install.sh new file mode 100755 index 000000000..5dd432d76 --- /dev/null +++ b/STABLE2/install.sh 
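Review bot: `exec /sbin/shorewall $@` in the stop|start|restart|status arm passes the arguments unquoted, so any argument containing whitespace or glob characters is re-split or expanded by the shell before it reaches shorewall; `exec /sbin/shorewall "$@"` forwards them exactly as received. The accepted commands are a fixed set, so the practical exposure is small, but this script runs as root from the init system and keeping argument boundaries intact is the conservative choice.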
@@ -0,0 +1,551 @@ +#!/bin/sh +# +# Script to install Shoreline Firewall +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net) +# +# Shorewall documentation is available at http://shorewall.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA +# + +VERSION=2.0.0 + +usage() # $1 = exit status +{ + ME=$(basename $0) + echo "usage: $ME" + echo " $ME -v" + echo " $ME -h" + exit $1 +} + +run_install() +{ + if ! install $*; then + echo + echo "ERROR: Failed to install $*" + exit 1 + fi +} + +cant_autostart() +{ + echo + echo "WARNING: Unable to configure shorewall to start" + echo " automatically at boot" +} + +backup_file() # $1 = file to backup +{ + if [ -z "$PREFIX" -a -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then + if (cp $1 ${1}-${VERSION}.bkout); then + echo + echo "$1 saved to ${1}-${VERSION}.bkout" + else + exit 1 + fi + fi +} + +delete_file() # $1 = file to delete +{ + if [ -z "$PREFIX" -a -f $1 -a ! 
-f ${1}-${VERSION}.bkout ]; then + if (mv $1 ${1}-${VERSION}.bkout); then + echo + echo "$1 moved to ${1}-${VERSION}.bkout" + else + exit 1 + fi + fi +} + +install_file_with_backup() # $1 = source $2 = target $3 = mode +{ + backup_file $2 + run_install -o $OWNER -g $GROUP -m $3 $1 ${2} +} + +# +# Parse the run line +# +# DEST is the SysVInit script directory +# RUNLEVELS is the chkconfig parmeters for firewall +# ARGS is "yes" if we've already parsed an argument +# +DEST="" +RUNLEVELS="" +ARGS="" + +if [ -z "$OWNER" ] ; then + OWNER=root +fi + +if [ -z "$GROUP" ] ; then + GROUP=root +fi + +while [ $# -gt 0 ] ; do + case "$1" in + -h|help|?) + usage 0 + ;; + -v) + echo "Shorewall Firewall Installer Version $VERSION" + exit 0 + ;; + *) + usage 1 + ;; + esac + shift + ARGS="yes" +done + +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin + +if [ -z "$DEST" ]; then + DEST=/etc/init.d +fi + +# +# Determine where to install the firewall script +# +DEBIAN= + +if [ -n "$PREFIX" ]; then + install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}/sbin + install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}${DEST} +elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then + DEBIAN=yes +fi + +# +# Change to the directory containing this script +# +cd "$(dirname $0)" + +echo "Installing Shorewall Version $VERSION" + +# +# Check for /etc/shorewall +# +if [ -d ${PREFIX}/etc/shorewall ]; then + first_install="" +else + first_install="Yes" +fi + +install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0544 + +echo +echo "shorewall control program installed in ${PREFIX}/sbin/shorewall" + +# +# Install the Firewall Script +# +if [ -n "$DEBIAN" ]; then + install_file_with_backup init.debian.sh /etc/init.d/shorewall 0544 +else + install_file_with_backup init.sh ${PREFIX}${DEST}/shorewall 0544 +fi + +echo +echo "Shorewall script installed in ${PREFIX}${DEST}/shorewall" + +# +# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed +# +mkdir -p ${PREFIX}/etc/shorewall +mkdir -p 
${PREFIX}/usr/share/shorewall +mkdir -p ${PREFIX}/var/lib/shorewall +# +# Install the config file +# +if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then + backup_file /etc/shorewall/shorewall.conf +else + run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf + echo + echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf" +fi +# +# Install the zones file +# +if [ -f ${PREFIX}/etc/shorewall/zones ]; then + backup_file /etc/shorewall/zones +else + run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones + echo + echo "Zones file installed as ${PREFIX}/etc/shorewall/zones" +fi + +# +# Install the functions file +# +if [ -f ${PREFIX}/etc/shorewall/functions ]; then + backup_file ${PREFIX}/etc/shorewall/functions + rm -f ${PREFIX}/etc/shorewall/functions +fi + +install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444 + +echo +echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions" + +# +# Install the Help file +# +install_file_with_backup help ${PREFIX}/usr/share/shorewall/help 0544 + +echo +echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help" + +# +# Delete the icmp.def file +# +delete_file icmp.def + +# +# Install the policy file +# +if [ -f ${PREFIX}/etc/shorewall/policy ]; then + backup_file /etc/shorewall/policy +else + run_install -o $OWNER -g $GROUP -m 0600 policy ${PREFIX}/etc/shorewall/policy + echo + echo "Policy file installed as ${PREFIX}/etc/shorewall/policy" +fi +# +# Install the interfaces file +# +if [ -f ${PREFIX}/etc/shorewall/interfaces ]; then + backup_file /etc/shorewall/interfaces +else + run_install -o $OWNER -g $GROUP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces + echo + echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces" +fi +# +# Install the hosts file +# +if [ -f ${PREFIX}/etc/shorewall/hosts ]; then + backup_file /etc/shorewall/hosts +else + run_install -o $OWNER -g 
$GROUP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts + echo + echo "Hosts file installed as ${PREFIX}/etc/shorewall/hosts" +fi +# +# Install the rules file +# +if [ -f ${PREFIX}/etc/shorewall/rules ]; then + backup_file /etc/shorewall/rules +else + run_install -o $OWNER -g $GROUP -m 0600 rules ${PREFIX}/etc/shorewall/rules + echo + echo "Rules file installed as ${PREFIX}/etc/shorewall/rules" +fi +# +# Install the NAT file +# +if [ -f ${PREFIX}/etc/shorewall/nat ]; then + backup_file /etc/shorewall/nat +else + run_install -o $OWNER -g $GROUP -m 0600 nat ${PREFIX}/etc/shorewall/nat + echo + echo "NAT file installed as ${PREFIX}/etc/shorewall/nat" +fi +# +# Install the Parameters file +# +if [ -f ${PREFIX}/etc/shorewall/params ]; then + backup_file /etc/shorewall/params +else + run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params + echo + echo "Parameter file installed as ${PREFIX}/etc/shorewall/params" +fi +# +# Install the proxy ARP file +# +if [ -f ${PREFIX}/etc/shorewall/proxyarp ]; then + backup_file /etc/shorewall/proxyarp +else + run_install -o $OWNER -g $GROUP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp + echo + echo "Proxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp" +fi +# +# Install the Stopped Routing file +# +if [ -f ${PREFIX}/etc/shorewall/routestopped ]; then + backup_file /etc/shorewall/routestopped +else + run_install -o $OWNER -g $GROUP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped + echo + echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped" +fi +# +# Install the Mac List file +# +if [ -f ${PREFIX}/etc/shorewall/maclist ]; then + backup_file /etc/shorewall/maclist +else + run_install -o $OWNER -g $GROUP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist + echo + echo "MAC list file installed as ${PREFIX}/etc/shorewall/maclist" +fi +# +# Install the Masq file +# +if [ -f ${PREFIX}/etc/shorewall/masq ]; then + backup_file /etc/shorewall/masq +else + run_install -o $OWNER -g 
$GROUP -m 0600 masq ${PREFIX}/etc/shorewall/masq + echo + echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq" +fi +# +# Install the Modules file +# +if [ -f ${PREFIX}/etc/shorewall/modules ]; then + backup_file /etc/shorewall/modules +else + run_install -o $OWNER -g $GROUP -m 0600 modules ${PREFIX}/etc/shorewall/modules + echo + echo "Modules file installed as ${PREFIX}/etc/shorewall/modules" +fi +# +# Install the TC Rules file +# +if [ -f ${PREFIX}/etc/shorewall/tcrules ]; then + backup_file /etc/shorewall/tcrules +else + run_install -o $OWNER -g $GROUP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules + echo + echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules" +fi + +# +# Install the TOS file +# +if [ -f ${PREFIX}/etc/shorewall/tos ]; then + backup_file /etc/shorewall/tos +else + run_install -o $OWNER -g $GROUP -m 0600 tos ${PREFIX}/etc/shorewall/tos + echo + echo "TOS file installed as ${PREFIX}/etc/shorewall/tos" +fi +# +# Install the Tunnels file +# +if [ -f ${PREFIX}/etc/shorewall/tunnels ]; then + backup_file /etc/shorewall/tunnels +else + run_install -o $OWNER -g $GROUP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels + echo + echo "Tunnels file installed as ${PREFIX}/etc/shorewall/tunnels" +fi +# +# Install the blacklist file +# +if [ -f ${PREFIX}/etc/shorewall/blacklist ]; then + backup_file /etc/shorewall/blacklist +else + run_install -o $OWNER -g $GROUP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist + echo + echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist" +fi +# +# Backup and remove the whitelist file +# +if [ -f ${PREFIX}/etc/shorewall/whitelist ]; then + backup_file /etc/shorewall/whitelist + rm -f ${PREFIX}/etc/shorewall/whitelist +fi +# +# Install the rfc1918 file +# +install_file_with_backup rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0600 +echo +echo "RFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918" +# +# Install the init file +# +if [ -f ${PREFIX}/etc/shorewall/init ]; then + 
backup_file /etc/shorewall/init +else + run_install -o $OWNER -g $GROUP -m 0600 init ${PREFIX}/etc/shorewall/init + echo + echo "Init file installed as ${PREFIX}/etc/shorewall/init" +fi +# +# Install the start file +# +if [ -f ${PREFIX}/etc/shorewall/start ]; then + backup_file /etc/shorewall/start +else + run_install -o $OWNER -g $GROUP -m 0600 start ${PREFIX}/etc/shorewall/start + echo + echo "Start file installed as ${PREFIX}/etc/shorewall/start" +fi +# +# Install the stop file +# +if [ -f ${PREFIX}/etc/shorewall/stop ]; then + backup_file /etc/shorewall/stop +else + run_install -o $OWNER -g $GROUP -m 0600 stop ${PREFIX}/etc/shorewall/stop + echo + echo "Stop file installed as ${PREFIX}/etc/shorewall/stop" +fi +# +# Install the stopped file +# +if [ -f ${PREFIX}/etc/shorewall/stopped ]; then + backup_file /etc/shorewall/stopped +else + run_install -o $OWNER -g $GROUP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped + echo + echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped" +fi +# +# Install the ECN file +# +if [ -f ${PREFIX}/etc/shorewall/ecn ]; then + backup_file /etc/shorewall/ecn +else + run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn + echo + echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn" +fi +# +# Install the Accounting file +# +if [ -f ${PREFIX}/etc/shorewall/accounting ]; then + backup_file /etc/shorewall/accounting +else + run_install -o $OWNER -g $GROUP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting + echo + echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting" +fi +# +# +# Install the Standard Actions file +# +install_file_with_backup actions.std ${PREFIX}/usr/share/shorewall/actions.std 0600 +echo +echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std" + +# +# Install the Actions file +# +if [ -f ${PREFIX}/etc/shorewall/actions ]; then + backup_file /etc/shorewall/actions +else + run_install -o $OWNER -g $GROUP -m 0600 actions ${PREFIX}/etc/shorewall/actions 
+ echo + echo "Actions file installed as ${PREFIX}/etc/shorewall/actions" +fi +# +# Install the Action files +# +for f in action.* ; do + if [ -f ${PREFIX}/usr/share/shorewall/$f ]; then + backup_file /usr/share/shorewall/$f + else + run_install -o $OWNER -g $GROUP -m 0600 $f ${PREFIX}/usr/share/shorewall/$f + echo + echo "Action ${f#*.} file installed as ${PREFIX}/etc/shorewall/$f" + fi +done +# +# Backup the version file +# +if [ -z "$PREFIX" ]; then + if [ -f /usr/share/shorewall/version ]; then + backup_file /usr/share/shorewall/version + fi +fi +# +# Create the version file +# +echo "$VERSION" > ${PREFIX}/usr/share/shorewall/version +chmod 644 ${PREFIX}/usr/share/shorewall/version +# +# Remove and create the symbolic link to the init script +# + +if [ -z "$PREFIX" ]; then + rm -f /usr/share/shorewall/init + ln -s ${DEST}/shorewall /usr/share/shorewall/init +fi + +# +# Install the firewall script +# +install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544 + +if [ -z "$PREFIX" -a -n "$first_install" ]; then + if [ -n "$DEBIAN" ]; then + run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall + ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall + echo + echo "shorewall will start automatically at boot" + echo "Set startup=1 in /etc/default/shorewall to enable" + else + if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then + if insserv /etc/init.d/shorewalls ; then + echo + echo "shorewall will start automatically at boot" + echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable" + else + cant_autostart + fi + elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then + if chkconfig --add shorewall ; then + echo + echo "shorewall will start automatically in run levels as follows:" + echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable" + chkconfig --list shorewall + else + cant_autostart + fi + elif [ -x /sbin/rc-update ]; then + if rc-update add shorewall default; 
then + echo + echo "shorewall will start automatically at boot" + echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable" + else + cant_autostart + fi + else + cant_autostart + fi + + echo \ +"######################################################################## +# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL # +########################################################################" > /etc/shorewall/startup_disabled + fi +fi + +# +# Report Success +# +echo +echo "shorewall Version $VERSION Installed" diff --git a/STABLE2/interfaces b/STABLE2/interfaces new file mode 100644 index 000000000..9d25a0f1f --- /dev/null +++ b/STABLE2/interfaces 
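Review bot: The insserv branch registers `/etc/init.d/shorewalls` rather than the `${DEST}/shorewall` script the installer just put in place, so on insserv-based systems the command fails and the script falls through to `cant_autostart` even though the init script exists; it should read `if insserv ${DEST}/shorewall ; then`. Several completion messages also report the wrong path: the rfc1918 and actions.std files are installed under `${PREFIX}/usr/share/shorewall` but announced as `${PREFIX}/etc/shorewall/...`, and the action.* loop announces `${PREFIX}/etc/shorewall/$f` the same way. The line "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable" printed after insserv, chkconfig and rc-update reads as two sentences run together; presumably `Remove /etc/shorewall/startup_disabled to enable` is meant, since that is the file the non-Debian branch writes at the end. `cd "$(dirname $0)"` is also unchecked, and a failure there would install files from whatever the current directory happens to be, so `cd "$(dirname $0)" || exit 1` is warranted.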
@@ -0,0 +1,163 @@ +# +# Shorewall 2.0 -- Interfaces File +# +# /etc/shorewall/interfaces +# +# You must add an entry in this file for each network interface on your +# firewall system. +# +# Columns are: +# +# ZONE Zone for this interface. Must match the short name +# of a zone defined in /etc/shorewall/zones. +# +# If the interface serves multiple zones that will be +# defined in the /etc/shorewall/hosts file, you should +# place "-" in this column. +# +# INTERFACE Name of interface. Each interface may be listed only +# once in this file. You may NOT specify the name of +# an alias (e.g., eth0:0) here; see +# http://www.shorewall.net/FAQ.htm#faq18 +# +# You may specify wildcards here. For example, if you +# want to make an entry that applies to all PPP +# interfaces, use 'ppp+'. +# +# There is no need to define the loopback interface (lo) +# in this file. +# +# BROADCAST The broadcast address for the subnetwork to which the +# interface belongs. For P-T-P interfaces, this +# column is left black.If the interface has multiple +# addresses on multiple subnets then list the broadcast +# addresses as a comma-separated list. +# +# If you use the special value "detect", the firewall +# will detect the broadcast address for you. If you +# select this option, the interface must be up before +# the firewall is started, you must have iproute +# installed. +# +# If you don't want to give a value for this column but +# you want to enter a value in the OPTIONS column, enter +# "-" in this column. +# +# OPTIONS A comma-separated list of options including the +# following: +# +# dhcp - interface is managed by DHCP or used by +# a DHCP server running on the firewall or +# you have a static IP but are on a LAN +# segment with lots of Laptop DHCP clients. +# norfc1918 - This interface should not receive +# any packets whose source is in one +# of the ranges reserved by RFC 1918 +# (i.e., private or "non-routable" +# addresses. 
If packet mangling is +# enabled in shorewall.conf, packets +# whose destination addresses are +# reserved by RFC 1918 are also rejected. +# routefilter - turn on kernel route filtering for this +# interface (anti-spoofing measure). This +# option can also be enabled globally in +# the /etc/shorewall/shorewall.conf file. +# . . blacklist - Check packets arriving on this interface +# against the /etc/shorewall/blacklist +# file. +# maclist - Connection requests from this interface +# are compared against the contents of +# /etc/shorewall/maclist. If this option +# is specified, the interface must be +# an ethernet NIC and must be up before +# Shorewall is started. +# tcpflags - Packets arriving on this interface are +# checked for certain illegal combinations +# of TCP flags. Packets found to have +# such a combination of flags are handled +# according to the setting of +# TCP_FLAGS_DISPOSITION after having been +# logged according to the setting of +# TCP_FLAGS_LOG_LEVEL. +# proxyarp - +# Sets +# /proc/sys/net/ipv4/conf//proxy_arp. +# Do NOT use this option if you are +# employing Proxy ARP through entries in +# /etc/shorewall/proxyarp. This option is +# intended soley for use with Proxy ARP +# sub-networking as described at: +# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet +# +# newnotsyn - TCP packets that don't have the SYN +# flag set and which are not part of an +# established connection will be accepted +# from this interface, even if +# NEWNOTSYN=No has been specified in +# /etc/shorewall/shorewall.conf. +# +# This option has no effect if +# NEWNOTSYN=Yes. +# +# routeback - If specified, indicates that Shorewall +# should include rules that allow filtering +# traffic arriving on this interface back +# out that same interface. +# +# arp_filter - If specified, this interface will only +# respond to ARP who-has requests for IP +# addresses configured on the interface. 
+# If not specified, the interface can +# respond to ARP who-has requests for +# IP addresses on any of the firewall's +# interface. The interface must be up +# when Shorewall is started. +# +# nosmurfs - Filter packets for smurfs +# (packets with a broadcast +# address as the source). +# +# Smurfs will be optionally logged based +# on the setting of SMURF_LOG_LEVEL in +# shorewall.conf. After logging, the +# packets are dropped. +# +# detectnets - Automatically taylors the zone named +# in the ZONE column to include only those +# hosts routed through the interface. +# +# WARNING: DO NOT SET THE detectnets OPTION ON YOUR +# INTERNET INTERFACE! +# +# The order in which you list the options is not +# significant but the list should have no embedded white +# space. +# +# Example 1: Suppose you have eth0 connected to a DSL modem and +# eth1 connected to your local network and that your +# local subnet is 192.168.1.0/24. The interface gets +# it's IP address via DHCP from subnet +# 206.191.149.192/27. You have a DMZ with subnet +# 192.168.2.0/24 using eth2. +# +# Your entries for this setup would look like: +# +# net eth0 206.191.149.223 dhcp +# local eth1 192.168.1.255 +# dmz eth2 192.168.2.255 +# +# Example 2: The same configuration without specifying broadcast +# addresses is: +# +# net eth0 detect dhcp +# loc eth1 detect +# dmz eth2 detect +# +# Example 3: You have a simple dial-in system with no ethernet +# connections. +# +# net ppp0 - +############################################################################## +#ZONE INTERFACE BROADCAST OPTIONS +# +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/STABLE2/maclist b/STABLE2/maclist new file mode 100644 index 000000000..e26c3bf42 --- /dev/null +++ b/STABLE2/maclist 
@@ -0,0 +1,18 @@
+#
+# Shorewall 2.0 - MAC list file
+#
+# /etc/shorewall/maclist
+#
+# Columns are:
+#
+# INTERFACE Network interface to a host
+#
+# MAC MAC address of the host -- you do not need to use
+# the Shorewall format for MAC addresses here
+#
+# IP ADDRESSES Optional -- if specified, both the MAC and IP address
+# must match. This column can contain a comma-separated
+# list of host and/or subnet addresses.
+##############################################################################
+#INTERFACE MAC IP ADDRESSES (Optional)
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/STABLE2/masq b/STABLE2/masq
new file mode 100644
index 000000000..c7b4534a7
--- /dev/null
+++ b/STABLE2/masq
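Review bot: The header describes the MAC column but says nothing about what a MAC match establishes, so a reader may take maclist as authentication of the host. I'd add after the IP ADDRESSES description: `# Note: a MAC address identifies only the directly attached sender on this interface; it is not a credential, so pair it with the IP ADDRESSES column where the match matters.` The requirement that the interface be an Ethernet NIC that is up before start is stated only in the interfaces file's maclist option text and could be cross-referenced here.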
@@ -0,0 +1,99 @@
+#
+# Shorewall 2.0 - Masquerade file
+#
+# /etc/shorewall/masq
+#
+# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
+# (SNAT).
+#
+# Columns are:
+#
+# INTERFACE -- Outgoing interface. This is usually your internet
+# interface. If ADD_SNAT_ALIASES=Yes in
+# /etc/shorewall/shorewall.conf, you may add ":" and
+# a digit to indicate that you want the alias added with
+# that name (e.g., eth0:0). This will allow the alias to
+# be displayed with ifconfig. THAT IS THE ONLY USE FOR
+# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
+# PLACE IN YOUR SHOREWALL CONFIGURATION.
+#
+# This may be qualified by adding the character
+# ":" followed by a destination host or subnet.
+#
+#
+# SUBNET -- Subnet that you wish to masquerade. You can specify this as
+# a subnet or as an interface. If you give the name of an
+# interface, you must have iproute installed and the interface
+# must be up before you start the firewall.
+#
+# In order to exclude a subset of the specified SUBNET, you
+# may append "!" and a comma-separated list of IP addresses
+# and/or subnets that you wish to exclude.
+#
+# Example: eth1!192.168.1.4,192.168.32.0/27
+#
+# In that example traffic from eth1 would be masqueraded unless
+# it came from 192.168.1.4 or 196.168.32.0/27
+#
+# ADDRESS -- (Optional). If you specify an address here, SNAT will be
+# used and this will be the source address. If
+# ADD_SNAT_ALIASES is set to Yes or yes in
+# /etc/shorewall/shorewall.conf then Shorewall
+# will automatically add this address to the
+# INTERFACE named in the first column.
+#
+# You may also specify a range of up to 256
+# IP addresses if you want the SNAT address to
+# be assigned from that range in a round-robin
+# range by connection. The range is specified by
+# -.
+#
+# Example: 206.124.146.177-206.124.146.180
+#
+# Finally, you may also specify a comma-separated
+# list of ranges and/or addresses in this column.
+#
+# This column may not contain DNS Names.
+#
+# Example 1:
+#
+# You have a simple masquerading setup where eth0 connects to
+# a DSL or cable modem and eth1 connects to your local network
+# with subnet 192.168.0.0/24.
+#
+# Your entry in the file can be either:
+#
+# eth0 eth1
+#
+# or
+#
+# eth0 192.168.0.0/24
+#
+# Example 2:
+#
+# You add a router to your local network to connect subnet
+# 192.168.1.0/24 which you also want to masquerade. You then
+# add a second entry for eth0 to this file:
+#
+# eth0 192.168.1.0/24
+#
+# Example 3:
+#
+# You have an IPSEC tunnel through ipsec0 and you want to
+# masquerade packets coming from 192.168.1.0/24 but only if
+# these packets are destined for hosts in 10.1.1.0/24:
+#
+# ipsec0:10.1.1.0/24 196.168.1.0/24
+#
+# Example 4:
+#
+# You want all outgoing traffic from 192.168.1.0/24 through
+# eth0 to use source address 206.124.146.176 which is NOT the
+# primary address of eth0. You want 206.124.146.176 added to
+# be added to eth0 with name eth0:0.
+#
+# eth0:0 192.168.1.0/24 206.124.146.176
+#
+##############################################################################
+#INTERFACE SUBNET ADDRESS
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/STABLE2/modules b/STABLE2/modules
new file mode 100644
index 000000000..6621f36b3
--- /dev/null
+++ b/STABLE2/modules
@@ -0,0 +1,21 @@
+##############################################################################
+# Shorewall 2.0 /etc/shorewall/modules
+#
+# This file loads the modules needed by the firewall.
+#
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1 before
+# you load M2.
+#
+
+ loadmodule ip_tables
+ loadmodule iptable_filter
+ loadmodule ip_conntrack
+ loadmodule ip_conntrack_ftp
+ loadmodule ip_conntrack_tftp
+ loadmodule ip_conntrack_irc
+ loadmodule iptable_nat
+ loadmodule ip_nat_ftp
+ loadmodule ip_nat_tftp
+ loadmodule ip_nat_irc
+
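Review bot: Two examples contradict their own prose: the SUBNET text says `it came from 192.168.1.4 or 196.168.32.0/27` where the example line above it excludes `192.168.32.0/27`, and Example 3 reads `ipsec0:10.1.1.0/24 196.168.1.0/24` where the sentence before it says the packets come from 192.168.1.0/24. 196.168.0.0/16 is not RFC 1918 space, so an entry copied from Example 3 would masquerade a public prefix and leave the intended local traffic unmasqueraded, which is easy to miss because nothing fails at start-up. Both occurrences should read 192.168 to match the surrounding text.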
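Review bot: The ftp, tftp and irc connection-tracking and NAT helper modules are loaded unconditionally, and the header comment only explains ordering. Each helper is meant to parse application payloads and admit related connections, so a site that does not use one of those protocols carries that exposure for nothing; I'd add above the loadmodule lines: `# The *_ftp, *_tftp and *_irc helpers inspect packet payloads and open related connections; comment out those your site does not need.` Whether loadmodule tolerates a missing module is decided in the firewall script, which is outside this hunk.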
diff --git a/STABLE2/nat b/STABLE2/nat
new file mode 100644
index 000000000..7d3afb532
--- /dev/null
+++ b/STABLE2/nat
@@ -0,0 +1,38 @@
+##############################################################################
+#
+# Shorewall 2.0 -- Network Address Translation Table
+#
+# /etc/shorewall/nat
+#
+# This file is used to define one-to-one Network Address Translation
+# (NAT).
+#
+# WARNING: If all you want to do is simple port forwarding, do NOT use this
+# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
+# cases, Proxy ARP is a better solution that one-to-one NAT.
+#
+# Columns must be separated by white space and are:
+#
+# EXTERNAL External IP Address - this should NOT be the primary
+# IP address of the interface named in the next
+# column and must not be a DNS Name.
+# INTERFACE Interface that you want to EXTERNAL address to appear
+# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
+# follow the interface name with ":" and a digit to
+# indicate that you want Shorewall to add the alias
+# with this name (e.g., "eth0:0"). That allows you to
+# see the alias with ifconfig. THAT IS THE ONLY THING
+# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
+# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
+# INTERNAL Internal Address (must not be a DNS Name).
+# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
+# If No or no (or left empty) then NAT will be effective
+# only through the interface named in the INTERFACE
+# column
+# LOCAL If Yes or yes and the ALL INTERFACES column contains
+# Yes or yes, NAT will be effective from the firewall
+# system
+##############################################################################
+#EXTERNAL INTERFACE INTERNAL ALL LOCAL
+# INTERFACES
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/STABLE2/params b/STABLE2/params
new file mode 100644
index 000000000..5873bf90a
--- /dev/null
+++ b/STABLE2/params
@@ -0,0 +1,25 @@
+#
+# Shorewall 2.0 /etc/shorewall/params
+#
+# Assign any variables that you need here.
+#
+# It is suggested that variable names begin with an upper case letter
+# to distinguish them from variables used internally within the
+# Shorewall programs
+#
+# Example:
+#
+# NET_IF=eth0
+# NET_BCAST=130.252.100.255
+# NET_OPTIONS=routefilter,norfc1918
+#
+# Example (/etc/shorewall/interfaces record):
+#
+# net $NET_IF $NET_BCAST $NET_OPTIONS
+#
+# The result will be the same as if the record had been written
+#
+# net eth0 130.252.100.255 routefilter,norfc1918
+#
+##############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/STABLE2/policy b/STABLE2/policy
new file mode 100644
index 000000000..d56b67ea7
--- /dev/null
+++ b/STABLE2/policy
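Review bot: The header says to assign variables here but not that the file is read as shell code; the `NET_IF=eth0` and `$NET_IF` examples imply it is sourced by the firewall script (the sourcing itself is outside this hunk), in which case anything written into this file runs with the firewall's privileges. I'd add to the header: `# This file is sourced as shell code by the firewall; keep it root-owned and not writable by other users, and put only variable assignments in it.` That also tells readers why a stray command in this file is executed rather than reported as a configuration error.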
@@ -0,0 +1,85 @@
+#
+# Shorewall 2.0 -- Policy File
+#
+# /etc/shorewall/policy
+#
+# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
+#
+# This file determines what to do with a new connection request if we
+# don't get a match from the /etc/shorewall/rules file . For each
+# source/destination pair, the file is processed in order until a
+# match is found ("all" will match any client or server).
+#
+# Columns are:
+#
+# SOURCE Source zone. Must be the name of a zone defined
+# in /etc/shorewall/zones, $FW or "all".
+#
+# DEST Destination zone. Must be the name of a zone defined
+# in /etc/shorewall/zones, $FW or "all"
+#
+# POLICY Policy if no match from the rules file is found. Must
+# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
+#
+# ACCEPT - Accept the connection
+# DROP - Ignore the connection request
+# REJECT - For TCP, send RST. For all other, send
+# "port unreachable" ICMP.
+# CONTINUE - Pass the connection request past
+# any other rules that it might also
+# match (where the source or destination
+# zone in those rules is a superset of
+# the SOURCE or DEST in this policy).
+# NONE - Assume that there will never be any
+# packets from this SOURCE
+# to this DEST. Shorewall will not set up
+# any infrastructure to handle such
+# packets and you may not have any rules
+# with this SOURCE and DEST in the
+# /etc/shorewall/rules file. If such a
+# packet _is_ received, the result is
+# undefined. NONE may not be used if the
+# SOURCE or DEST columns contain the
+# firewall zone ($FW) or "all".
+#
+# If this column contains ACCEPT, DROP or REJECT and a
+# corresponding common action is defined in
+# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
+# then that action will be invoked before the policy named in
+# this column is inforced.
+#
+# LOG LEVEL If supplied, each connection handled under the default
+# POLICY is logged at that level. If not supplied, no
+# log message is generated. See syslog.conf(5) for a
+# description of log levels.
+#
+# Beginning with Shorewall version 1.3.12, you may
+# also specify ULOG (must be in upper case). This will
+# log to the ULOG target and sent to a separate log
+# through use of ulogd
+# (http://www.gnumonks.org/projects/ulogd).
+#
+# If you don't want to log but need to specify the
+# following column, place "-" here.
+#
+# LIMIT:BURST If passed, specifies the maximum TCP connection rate
+# and the size of an acceptable burst. If not specified,
+# TCP connections are not limited.
+#
+# As shipped, the default policies are:
+#
+# a) All connections from the local network to the internet are allowed
+# b) All connections from the internet are ignored but logged at syslog
+# level KERNEL.INFO.
+# d) All other connection requests are rejected and logged at level
+# KERNEL.INFO.
+###############################################################################
+#SOURCE DEST POLICY LOG LIMIT:BURST
+# LEVEL
+loc net ACCEPT
+net all DROP info
+#
+# THE FOLLOWING POLICY MUST BE LAST
+#
+all all REJECT info
+#LAST LINE -- DO NOT REMOVE
diff --git a/STABLE2/proxyarp b/STABLE2/proxyarp
new file mode 100644
index 000000000..b21a4f432
--- /dev/null
+++ b/STABLE2/proxyarp
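Review bot: The "As shipped" list skips from b) to d), so it reads as though a policy is missing; `# d) All other connection requests` should be `# c) All other connection requests`. The shipped `net all DROP info` and `all all REJECT info` lines also log every unmatched request without a LIMIT:BURST value, so during a scan or flood the default configuration emits a syslog line per request; a comment next to those two entries pointing at the LIMIT:BURST column, or at choosing a lower log level, would help the many users who keep these defaults unchanged.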
@@ -0,0 +1,44 @@
+##############################################################################
+#
+# Shorewall 2.0 -- Proxy ARP
+#
+# /etc/shorewall/proxyarp
+#
+# This file is used to define Proxy ARP.
+#
+# Columns must be separated by white space and are:
+#
+# ADDRESS IP Address
+#
+# INTERFACE Local interface where system is connected. If the
+# local interface is obvious from the subnetting,
+# you may enter "-" in this column.
+#
+# EXTERNAL External Interface to be used to access this system
+#
+# HAVEROUTE If there is already a route from the firewall to
+# the host whose address is given, enter "Yes" or "yes"
+# in this column. Otherwise, entry "no", "No" or leave
+# the column empty and Shorewall will add the route for
+# you. If Shorewall adds the route,the route will be
+# persistent if the PERSISTENT column contains Yes;
+# otherwise, "shorewall stop" or "shorewall clear" will
+# delete the route.
+#
+# PERSISTENT If HAVEROUTE is No or "no", then the value of this
+# column determines if the route added by Shorewall
+# persists after a "shorewall stop" or a "shorewall
+# clear". If this column contains "Yes" or "yes" then
+# the route persists; If the column is empty or contains
+# "No"or "no" then the route is deleted at "shorewall
+# stop" or "shorewall clear".
+#
+# Example: Host with IP 155.186.235.6 is connected to
+# interface eth1 and we want hosts attached via eth0
+# to be able to access it using that address.
+#
+# #ADDRESS INTERFACE EXTERNAL
+# 155.186.235.6 eth1 eth0
+##############################################################################
+#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/releasenotes.txt b/STABLE2/releasenotes.txt
new file mode 100644
index 000000000..f809cc15d
--- /dev/null
+++ b/STABLE2/releasenotes.txt
@@ -0,0 +1,229 @@ +Shorewall 2.0.0a + +---------------------------------------------------------------------- +Problems Corrected since 1.4.10 + +1) A blank USER/GROUP column in /etc/shorewall/tcrules no longer causes + a [re]start error. + +2) The 'fgrep' utility is no longer required (caused startup problems + on LEAF/Bering). + +3) The "shorewall add" command no longer inserts rules before checking + of the blacklist. + +4) The 'detectnets' and 'routeback' options may now be used together + with the intended effect. + +5) The following syntax previously produced an error: + + DNAT z1!z2,z3 z4... + +Problems Corrected since RC2 + +1) CONTINUE rules now work again. + +2) A comment in the rules file has been corrected. + +Problems Corrected since 2.0.0 + +1) Using actions in the manner recommended in the documentation + results in a Warning that the rule is a policy. + +----------------------------------------------------------------------- +Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0: + +1) The 'dropunclean' and 'logunclean' interface options are no longer + supported. If either option is specified in + /etc/shorewall/interfaces, an threatening message will be + generated. + +2) The NAT_BEFORE_RULES option has been removed from + shorewall.conf. The behavior of Shorewall is as if + NAT_BEFORE_RULES=No had been specified. In other words, DNAT rules + now always take precidence over one-to-one NAT specifications. + +3) The default value for the ALL INTERFACES column in + /etc/shorewall/nat has changed. In Shorewall 1.*, if the column was + left empty, a value of "Yes" was assumed. This has been changed so + that a value of "No" is now assumed. + +4) The following files don't exist in Shorewall 2.0: + + /etc/shorewall/common.def + /etc/shorewall/common + /etc/shorewall/icmpdef + /etc/shorewall/action.template (Moved to /usr/share/shorewall) + /etc/shorewall/rfc1918 (Moved to /usr/share/shorewall). 
+ + The /etc/shorewall/action file now allows an action to be + designated as the "common" action for a particular policy type by + following the action name with ":" and the policy (DROP, REJECT or + ACCEPT). + + The file /usr/share/shorewall/actions.std has been added to define those + actions that are released as part of Shorewall. In that file are + two actions as follows: + + Drop:DROP + Reject:REJECT + + The "Drop" action is the common action for DROP policies while the + "Reject" action is the default action for "REJECT" policies. These + actions will be performed on packets prior to applying the DROP or + REJECT policy respectively. In the first release, the difference + between "Reject" and "Drop" is that "Reject" REJECTs SMB traffic + while "Drop" silently drops such traffic. + + As described above, Shorewall allows a common action for ACCEPT + policies but does not specify such an action in the default + configuration. + + If for some reason, you don't wish to have a common DROP or REJECT + action, just include :DROP or :REJECT respectively in your + /etc/shorewall/actions file. + + The file /usr/share/shorewall/actions.std catalogs the standard + actions and is processed prior to /etc/shorewall/actions. This + causes a large number of actions to be defined. The files which + define these aactions are also located in /usr/share/shorewall as + is the he action template file (action.template). 
+ + In the initial release, the following actions are defined: + + dropBcast #Silently Drops Broadcast Traffic + dropNonSyn #Silently Drop Non-syn TCP packets + + DropSMB #Silently Drops Microsoft SMB Traffic + RejectSMB #Silently Reject Microsoft SMB Traffic + DropUPnP #Silently Drop UPnP Probes + RejectAuth #Silently Reject Auth + DropPing #Silently Drop Ping + DropDNSrep #Silently Drop DNS Replies + + AllowPing #Accept Ping + AllowFTP #Accept FTP + AllowDNS #Accept DNS + AllowSSH #Accept SSH + AllowWeb #Allow Web Browsing + AllowSMB #Allow MS Networking + AllowAuth #Allow Auth (identd) + AllowSMTP #Allow SMTP (Email) + AllowPOP3 #Allow reading mail via POP3 + AllowIMAP #Allow reading mail via IMAP + AllowTelnet #Allow Telnet Access (not recommended for use over the + #Internet) + AllowVNC #Allow VNC, Displays 0-9 + AllowVNCL #Allow access to VNC viewer in listen mode + AllowNTP #Allow Network Time Protocol (ntpd) + AllowRdate #Allow remote time (rdate). + AllowNNTP #Allow network news (Usenet). + AllowTrcrt #Allows Traceroute (20 hops) + AllowSNMP #Allows SNMP (including traps) + AllowPCA #Allows PCAnywhere (tm). + + Drop:DROP #Common rules for DROP policy + Reject:REJECT #Common Action for Reject policy + + These actions may be used in the ACTION column of the rules + column. So for example, to allow FTP from your loc zone to your firewall, + you would place this rule in /etc/shorewall/rules: + + #ACTION SOURCE DEST + AllowFTP loc fw + + if you want to redefine any of the Shorewall-defined actions, + simply copy the appropriate action file from /usr/share/shorewall + to /etc/shorewall and modify the copy as desired. Your modified + copy will be used rather than the original one in + /usr/share/shorewall. + + Note: The 'dropBcast' and 'dropNonSyn' actions are built into + Shorewall and may not be changed. + + Beginning with version 2.0.0-Beta2, Shorewall will only create a + chain for those actions that are actually used. 
+ +5) The /etc/shorewall directory no longer contains a 'users' file or a + 'usersets' file. Similar functionality is now available using + user-defined actions. + + Now, action files created by copying + /usr/share/shorewall/action.template may now specify a USER and or + GROUP name/id in the final column just like in the rules file (see + below). It is thus possible to create actions that control traffic + from a list of users and/or groups. + + The last column in /etc/shorewall/rules is now labeled USER/GROUP + and may contain: + + [!][:] + [!][:] + [!]: + [!]: + [!]: + [!]: + [!]: + [!]: + +6) It is no longer possible to specify rate limiting in the ACTION + column of /etc/shorewall/rules -- you must use the RATE LIMIT + column. + +7) Depending on which method you use to upgrade, if you have your own + version of /etc/shorewall/rfc1918, you may have to take special + action to restore it after the upgrade. Look for + /etc/shorewall/rfc1918*, locate the proper file and rename it back + to /etc/shorewall/rfc1918. The contents of that file will supercede + the contents of /usr/share/shorewall/rfc1918. + +New Features: + +1) The INCLUDE directive now allows absolute file names. + +2) A 'nosmurfs' interface option has been added to + /etc/shorewall/interfaces. When specified for an interface, this + option causes smurfs (packets with a broadcast address as their + source) to be dropped and optionally logged (based on the setting of + a new SMURF_LOG_LEVEL option in shorewall.conf). + +3) fw->fw traffic may now be controlled by Shorewall. There is no need + to define the loopback interface in /etc/shorewall/interfaces; you + simply add a fw->fw policy and fw->fw rules. If you have neither a + fw->fw policy nor fw->fw rules, all fw->fw traffic is allowed. + +4) There is a new PERSISTENT column in the proxyarp file. A value of + "Yes" in this column means that the route added by Shorewall for + this host will remain after a "shorewall stop" or "shorewall clear". 
+ +5) "trace" is now a synonym for "debug" in /sbin/shorewall commands. + So to trace the "start" command, you could enter: + + shorewall trace start 2> /tmp/trace + + The trace information would be written to the file /tmp/trace. + +6) When defining an ipsec tunnel in /etc/shorewall/tunnels, if you + follow the tunnel type ("ipsec" or "ipsecnet") with ":noah" + (e.g., "ipsec:noah"), then Shorewall will only create rules for + ESP (protocol 50) and will not create rules for AH (protocol 51). + +7) A new DISABLE_IPV6 option has been added to shorewall.conf. When + this option is set to "Yes", Shorewall will set the policy for the + IPv6 INPUT, OUTPUT and FORWARD chains to DROP during "shorewall + [re]start" and "shorewall stop". Regardless of the setting of this + variable, "shorewall clear" will silently attempt to set these + policies to ACCEPT. + + If this option is not set in your existing shorewall.conf then a + setting of DISABLE_IPV6=No is assumed in which case, Shorewall will + not touch any IPv6 settings except during "shorewall clear". + +8) The CONTINUE target is now available in action definitions. CONTINUE + terminates processing of the current action and returns to the point + where that action was invoked. + + + + + diff --git a/STABLE2/rfc1918 b/STABLE2/rfc1918 new file mode 100644 index 000000000..01123a4b7 --- /dev/null +++ b/STABLE2/rfc1918 
@@ -0,0 +1,63 @@
+#
+# Shorewall 2.0-- RFC1918 File
+#
+# /etc/shorewall/rfc1918
+#
+# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
+#
+# The default list includes those IP addresses listed in RFC 1918, those listed
+# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
+# reserved for use in documentation and examples.
+#
+# Columns are:
+#
+# SUBNET The subnet (host addresses also allowed)
+# TARGET Where to send packets to/from this subnet
+# RETURN - let the packet be processed normally
+# DROP - silently drop the packet
+# logdrop - log then drop
+#
+###############################################################################
+#SUBNET TARGET
+255.255.255.255 RETURN # We need to allow limited broadcast
+169.254.0.0/16 DROP # DHCP autoconfig
+172.16.0.0/12 logdrop # RFC 1918
+192.0.2.0/24 logdrop # Example addresses (RFC 3330)
+192.168.0.0/16 logdrop # RFC 1918
+#
+# The following are generated with the help of the Python program found at:
+#
+# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
+#
+# The program was contributed by Andy Wiggin
+#
+0.0.0.0/7 logdrop # Reserved
+2.0.0.0/8 logdrop # Reserved
+5.0.0.0/8 logdrop # Reserved
+7.0.0.0/8 logdrop # Reserved
+10.0.0.0/8 logdrop # Reserved
+23.0.0.0/8 logdrop # Reserved
+27.0.0.0/8 logdrop # Reserved
+31.0.0.0/8 logdrop # Reserved
+36.0.0.0/7 logdrop # Reserved
+39.0.0.0/8 logdrop # Reserved
+41.0.0.0/8 logdrop # Reserved
+42.0.0.0/8 logdrop # Reserved
+49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
+50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
+58.0.0.0/7 logdrop # Reserved
+70.0.0.0/7 logdrop # Reserved
+72.0.0.0/5 logdrop # Reserved
+85.0.0.0/8 logdrop # Reserved
+86.0.0.0/7 logdrop # Reserved
+88.0.0.0/5 logdrop # Reserved
+96.0.0.0/3 logdrop # Reserved
+127.0.0.0/8 logdrop # Loopback
+197.0.0.0/8 logdrop # Reserved
+198.18.0.0/15 logdrop # Reserved
+223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
+240.0.0.0/4 logdrop # Reserved
+#
+# End of generated entries
+#
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/routestopped b/STABLE2/routestopped
new file mode 100644
index 000000000..40d0f4d29
--- /dev/null
+++ b/STABLE2/routestopped
@@ -0,0 +1,25 @@
+##############################################################################
+#
+# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped
+#
+# /etc/shorewall/routestopped
+#
+# This file is used to define the hosts that are accessible when the
+# firewall is stopped
+#
+# Columns must be separated by white space and are:
+#
+# INTERFACE - Interface through which host(s) communicate with
+# the firewall
+# HOST(S) - (Optional) Comma-separated list of IP/subnet
+# If left empty or supplied as "-",
+# 0.0.0.0/0 is assumed.
+#
+# Example:
+#
+# INTERFACE HOST(S)
+# eth2 192.168.1.0/24
+# eth0 192.0.2.44
+##############################################################################
+#INTERFACE HOST(S)
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/rules b/STABLE2/rules
new file mode 100644
index 000000000..3d4adb7c5
--- /dev/null
+++ b/STABLE2/rules
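Review bot: The generated block logdrops prefixes such as 5.0.0.0/8, 41.0.0.0/8 and 96.0.0.0/3 as `Reserved`, but the file's own annotations (`Returned to IANA Mar 98`, `Returned by APNIC in 2003`) show the registry changes as space is allocated, so a copy that is not refreshed will eventually drop legitimate traffic from newly assigned ranges and the only symptom is logdrop entries. I'd add after `# End of generated entries`: `# The 'Reserved' entries reflect the IANA registry at release time; regenerate them when upgrading, since blocks that have since been allocated must be removed.` Also `10.0.0.0/8` is RFC 1918 space like the 172.16 and 192.168 entries above it, so its `# Reserved` comment should read `# RFC 1918` to keep the three consistent.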
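Review bot: The HOST(S) description states that an empty column means `0.0.0.0/0 is assumed`, but nothing warns that for the internet-facing interface this admits every host while the firewall is stopped. I'd extend that line: `# 0.0.0.0/0 is assumed -- for an internet interface this admits every host while stopped, so list specific addresses as in the eth0 example.` How the stopped state is enforced lives in the firewall script, outside this hunk.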
@@ -0,0 +1,289 @@ +# +# Shorewall version 2.0 - Rules File +# +# /etc/shorewall/rules +# +# Rules in this file govern connection establishment. Requests and +# responses are automatically allowed using connection tracking. For any +# particular (source,dest) pair of zones, the rules are evaluated in the +# order in which they appear in this file and the first match is the one +# that determines the disposition of the request. +# +# In most places where an IP address or subnet is allowed, you +# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to +# indicate that the rule matches all addresses except the address/subnet +# given. Notice that no white space is permitted between "!" and the +# address/subnet. +#------------------------------------------------------------------------------ +# WARNING: If you masquerade or use SNAT from a local system to the internet, +# you cannot use an ACCEPT rule to allow traffic from the internet to +# that system. You *must* use a DNAT rule instead. +#-------------------------------------------------------------------------------# +# Columns are: +# +# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, +# LOG, QUEUE or an . +# +# ACCEPT -- allow the connection request +# DROP -- ignore the request +# REJECT -- disallow the request and return an +# icmp-unreachable or an RST packet. +# DNAT -- Forward the request to another +# system (and optionally another +# port). +# DNAT- -- Advanced users only. +# Like DNAT but only generates the +# DNAT iptables rule and not +# the companion ACCEPT rule. +# REDIRECT -- Redirect the request to a local +# port on the firewall. +# REDIRECT- +# -- Advanced users only. +# Like REDIRET but only generates the +# REDIRECT iptables rule and not +# the companion ACCEPT rule. +# +# CONTINUE -- (For experts only). Do not process +# any of the following rules for this +# (source zone,destination zone). 
If +# The source and/or destination IP +# address falls into a zone defined +# later in /etc/shorewall/zones, this +# connection request will be passed +# to the rules defined for that +# (those) zone(s). +# LOG -- Simply log the packet and continue. +# QUEUE -- Queue the packet to a user-space +# application such as ftwall +# (http://p2pwall.sf.net). +# -- The name of an action defined in +# /etc/shorewall/actions or in +# /usr/share/shorewall/actions.std. +# +# The ACTION may optionally be followed +# by ":" and a syslog log level (e.g, REJECT:info or +# DNAT:debug). This causes the packet to be +# logged at the specified level. +# +# You may also specify ULOG (must be in upper case) as a +# log level.This will log to the ULOG target for routing +# to a separate log through use of ulogd +# (http://www.gnumonks.org/projects/ulogd). +# +# SOURCE Source hosts to which the rule applies. May be a zone +# defined in /etc/shorewall/zones, $FW to indicate the +# firewall itself, or "all" If the ACTION is DNAT or +# REDIRECT, sub-zones of the specified zone may be +# excluded from the rule by following the zone name with +# "!' and a comma-separated list of sub-zone names. +# +# Except when "all" is specified, clients may be further +# restricted to a list of subnets and/or hosts by +# appending ":" and a comma-separated list of subnets +# and/or hosts. Hosts may be specified by IP or MAC +# address; mac addresses must begin with "~" and must use +# "-" as a separator. +# +# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ +# +# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the +# Internet +# +# loc:192.168.1.1,192.168.1.2 +# Hosts 192.168.1.1 and +# 192.168.1.2 in the local zone. +# loc:~00-A0-C9-15-39-78 Host in the local zone with +# MAC address 00:A0:C9:15:39:78. +# +# Alternatively, clients may be specified by interface +# by appending ":" to the zone name followed by the +# interface name. 
For example, loc:eth1 specifies a +# client that communicates with the firewall system +# through eth1. This may be optionally followed by +# another colon (":") and an IP/MAC/subnet address +# as described above (e.g., loc:eth1:192.168.1.5). +# +# DEST Location of Server. May be a zone defined in +# /etc/shorewall/zones, $FW to indicate the firewall +# itself or "all" +# +# Except when "all" is specified, the server may be +# further restricted to a particular subnet, host or +# interface by appending ":" and the subnet, host or +# interface. See above. +# +# Restrictions: +# +# 1. MAC addresses are not allowed. +# 2. In DNAT rules, only IP addresses are +# allowed; no FQDNs or subnet addresses +# are permitted. +# 3. You may not specify both an interface and +# an address. +# +# Unlike in the SOURCE column, you may specify a range of +# up to 256 IP addresses using the syntax +# -. When the ACTION is DNAT or DNAT-, +# the connections will be assigned to addresses in the +# range in a round-robin fashion. +# +# The port that the server is listening on may be +# included and separated from the server's IP address by +# ":". If omitted, the firewall will not modifiy the +# destination port. A destination port may only be +# included if the ACTION is DNAT or REDIRECT. +# +# Example: loc:192.168.1.3:3128 specifies a local +# server at IP address 192.168.1.3 and listening on port +# 3128. The port number MUST be specified as an integer +# and not as a name from /etc/services. +# +# if the ACTION is REDIRECT, this column needs only to +# contain the port number on the firewall that the +# request should be redirected to. +# +# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or +# "all". +# +# DEST PORT(S) Destination Ports. A comma-separated list of Port +# names (from /etc/services), port numbers or port +# ranges; if the protocol is "icmp", this column is +# interpreted as the destination icmp-type(s). +# +# A port range is expressed as :. 
+# +# This column is ignored if PROTOCOL = all but must be +# entered if any of the following ields are supplied. +# In that case, it is suggested that this field contain +# "-" +# +# If your kernel contains multi-port match support, then +# only a single Netfilter rule will be generated if in +# this list and the CLIENT PORT(S) list below: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. +# +# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, +# any source port is acceptable. Specified as a comma- +# separated list of port names, port numbers or port +# ranges. +# +# If you don't want to restrict client ports but need to +# specify an ADDRESS in the next column, then place "-" +# in this column. +# +# If your kernel contains multi-port match support, then +# only a single Netfilter rule will be generated if in +# this list and the DEST PORT(S) list above: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. +# +# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or +# REDIRECT[-]) If included and different from the IP +# address given in the SERVER column, this is an address +# on some interface on the firewall and connections to +# that address will be forwarded to the IP and port +# specified in the DEST column. +# +# A comma-separated list of addresses may also be used. +# This is usually most useful with the REDIRECT target +# where you want to redirect traffic destined for +# particular set of hosts. +# +# Finally, if the list of addresses begins with "!" then +# the rule will be followed only if the original +# destination address in the connection request does not +# match any of the addresses listed. +# +# The address (list) may optionally be followed by +# a colon (":") and a second IP address. 
This causes +# Shorewall to use the second IP address as the source +# address in forwarded packets. See the Shorewall +# documentation for restrictions concerning this feature. +# If no source IP address is given, the original source +# address is not altered. +# +# RATE LIMIT You may rate-limit the rule by placing a value in +# this colume: +# +# /[:] +# +# where is the number of connections per +# ("sec" or "min") and is the +# largest burst permitted. If no is given, +# a value of 5 is assumed. There may be no +# no whitespace embedded in the specification. +# +# Example: 10/sec:20 +# +# USER/GROUP This column may only be non-empty if the SOURCE is +# the firewall itself. +# +# The column may contain: +# +# [!][][:] +# +# When this column is non-empty, the rule applies only +# if the program generating the output is running under +# the effective and/or specified (or is +# NOT running under that id if "!" is given). +# +# Examples: +# +# joe #program must be run by joe +# :kids #program must be run by a member of +# #the 'kids' group +# !:kids #program must not be run by a member +# #of the 'kids' group +# +# Example: Accept SMTP requests from the DMZ to the internet +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# ACCEPT dmz net tcp smtp +# +# Example: Forward all ssh and http connection requests from the internet +# to local system 192.168.1.3 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp ssh,http +# +# Example: Forward all http connection requests from the internet +# to local system 192.168.1.3 with a limit of 3 per second and +# a maximum burst of 10 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT<3/sec:10> net loc:192.168.1.3 tcp http +# +# Example: Redirect all locally-originating www connection requests to +# port 3128 on the firewall (Squid running on the firewall +# system) except when the destination address is 192.168.2.2 
+# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# REDIRECT loc 3128 tcp www - !192.168.2.2 +# +# Example: All http requests from the internet to address +# 130.252.100.69 are to be forwarded to 192.168.1.3 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 +# +# Example: You want to accept SSH connections to your firewall only +# from internet IP addresses 130.252.100.69 and 130.252.100.70 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# ACCEPT net:130.252.100.69,130.252.100.70 fw \ +# tcp 22 +#################################################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/STABLE2/shorewall b/STABLE2/shorewall new file mode 100755 index 000000000..42efa2091 --- /dev/null +++ b/STABLE2/shorewall 
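Review bot: The third example uses `DNAT<3/sec:10> net loc:192.168.1.3 tcp http`, a rate limit in the ACTION column, while this commit's own release notes (migration item 6) say that form is no longer accepted and the RATE LIMIT column must be used; a user copying the example presumably gets a start-up error rather than the rate-limited rule. The example should place the limit in its own column, e.g. `DNAT net loc:192.168.1.3 tcp http - - 3/sec:10`, and the column header comment above the example should gain the RATE LIMIT heading so the position is obvious. Several typos in the column text (`REDIRET`, `ields`, `modifiy`, `colume`, `0ptional` with a zero) are worth fixing in the same pass.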
@@ -0,0 +1,972 @@ +#!/bin/sh +# +# Shorewall Packet Filtering Firewall Control Program - V2.0 - 3/14/2004 +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net) +# +# This file should be placed in /sbin/shorewall. +# +# Shorewall documentation is available at http://shorewall.sourceforge.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA +# +# If an error occurs while starting or restarting the firewall, the +# firewall is automatically stopped. +# +# The firewall uses configuration files in /etc/shorewall/ - skeleton +# files is included with the firewall. 
+# +# Commands are: +# +# shorewall add [:] zone Adds a host or subnet to a zone +# shorewall delete [:] zone Deletes a host or subnet from a zone +# shorewall start Starts the firewall +# shorewall restart Restarts the firewall +# shorewall stop Stops the firewall +# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status +# plus the last 20 "interesting" +# packets +# shorewall status Displays firewall status +# shorewall reset Resets iptables packet and +# byte counts +# shorewall clear Open the floodgates by +# removing all iptables rules +# and setting the three permanent +# chain policies to ACCEPT +# shorewall refresh Rebuild the common chain to +# compensate for a change of +# broadcast address on any "detect" +# interface. +# shorewall show [ ... ] Display the rules in each listed +# shorewall show log Print the last 20 log messages +# shorewall show connections Show the kernel's connection +# tracking table +# shorewall show nat Display the rules in the nat table +# shorewall show {mangle|tos} Display the rules in the mangle table +# shorewall show tc Display traffic control info +# shorewall show classifiers Display classifiers +# shorewall version Display the installed version id +# shorewall check Verify the more heavily-used +# configuration files. +# shorewall try [ ] Try a new configuration and if +# it doesn't work, revert to the +# standard one. If a timeout is supplied +# the command reverts back to the +# standard configuration after that many +# seconds have elapsed after successfully +# starting the new configuration. +# shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall +# messages. +# shorewall drop
... Temporarily drop all packets from the +# listed address(es) +# shorewall reject
... Temporarily reject all packets from the +# listed address(es) +# shorewall allow
... Reenable address(es) previously +# disabled with "drop" or "reject" +# shorewall save Save the list of "rejected" and +# "dropped" addresses so that it will +# be automatically reinstated the +# next time that Shorewall starts. +# +# shorewall ipaddr [
/ |
] +# +# Displays information about the network +# defined by the argument[s] +# +# shorewall iprange
-
Decomposes a range of IP addresses into +# a list of network/host addresses. +# +# Fatal Error +# +fatal_error() # $@ = Message +{ + echo " $@" >&2 + exit 2 +} + +# Display a chain if it exists +# + +showfirstchain() # $1 = name of chain +{ + awk \ + 'BEGIN {prnt=0; rslt=1; }; \ + /^$/ { next; };\ + /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\ + /Chain '$1'/ { prnt=1; }; \ + { if (prnt == 1) print; };\ + END { exit rslt; }' /tmp/chains-$$ +} + +showchain() # $1 = name of chain +{ + if [ "$firstchain" = "Yes" ]; then + if showfirstchain $1; then + firstchain= + fi + else + awk \ + 'BEGIN {prnt=0;};\ + /^$|^ pkts/ { next; };\ + /^Chain/ {if ( prnt == 1 ) exit; };\ + /Chain '$1'/ { prnt=1; };\ + { if (prnt == 1) print; }' /tmp/chains-$$ + fi +} + +# +# Set the configuration variables from shorewall.conf +# +get_config() { + + [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages + + if [ ! -f $LOGFILE ]; then + echo "LOGFILE ($LOGFILE) does not exist!" >&2 + exit 2 + fi + # + # See if we have a real version of "tail" -- use separate redirection so + # that ash (aka /bin/sh on LRP) doesn't crap + # + if ( tail -n5 $LOGFILE > /dev/null 2> /dev/null ) ; then + realtail="Yes" + else + realtail="" + fi + + [ -n "$FW" ] || FW=fw + + [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" + + [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:" + + if [ -n "$SHOREWALL_SHELL" ]; then + if [ ! -e "$SHOREWALL_SHELL" ]; then + echo "The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2 + exit 2 + fi + fi +} + +# +# Display IPTABLES rules -- we used to store them in a variable but ash +# dies when trying to display large sets of rules +# +display_chains() +{ + trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9 + + if [ "$haveawk" = "Yes" ]; then + # + # Send the output to a temporary file since ash craps if we try to store + # the output in a variable. 
+ # + iptables -L -n -v > /tmp/chains-$$ + + clear + echo "$banner $(date)" + echo + echo "Standard Chains" + echo + firstchain="Yes" + showchain INPUT + showchain OUTPUT + showchain FORWARD + + timed_read + + clear + echo "$banner $(date)" + echo + firstchain=Yes + echo "Input Chains" + echo + + chains=$(grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2) + + for chain in $chains; do + showchain $chain + done + + timed_read + + for zone in $zones; do + + if [ -n "$(grep "^Chain \.*${zone}" /tmp/chains-$$)" ] ; then + clear + echo "$banner $(date)" + echo + firstchain=Yes + eval display=\$${zone}_display + echo "$display Chains" + echo + for zone1 in $FW $zones; do + showchain ${zone}2$zone1 + showchain @${zone}2$zone1 + [ "$zone" != "$zone1" ] && \ + showchain ${zone1}2${zone} && \ + showchain @${zone1}2${zone} + done + + timed_read + fi + done + + clear + echo "$banner $(date)" + echo + firstchain=Yes + echo "Policy Chains" + echo + showchain common + showchain badpkt + showchain icmpdef + showchain rfc1918 + showchain blacklst + showchain reject + showchain newnotsyn + for zone in $zones all; do + showchain ${zone}2all + showchain @${zone}2all + [ "$zone" = "all" ] || { showchain all2${zone}; showchain @all2${zone}; } + done + + timed_read + + clear + echo "$banner $(date)" + echo + firstchain=Yes + echo "Dynamic Chain" + echo + showchain dynamic + timed_read + + qt rm -f /tmp/chains-$$ + else + iptables -L -n -v + timed_read + fi + trap - 1 2 3 4 5 6 9 + +} + +# +# Delay $timeout seconds -- if we're running on a recent bash2 then allow +# to terminate the delay +# +timed_read () +{ + read -t $timeout foo 2> /dev/null + + test $? 
-eq 2 && sleep $timeout +} + +# +# Display the last $1 packets logged +# +packet_log() # $1 = number of messages +{ + local options + + [ -n "$realtail" ] && options="-n$1" + + grep "${LOGFORMAT}\|ipt_unclean" $LOGFILE | \ + sed s/" kernel:"// | \ + sed s/" $host $LOGFORMAT"/" "/ | \ + sed s/" $host kernel: ipt_unclean: "/" "/ | \ + sed 's/MAC=.*SRC=/SRC=/' | \ + tail $options +} + +# +# Show traffic control information +# +show_tc() { + + show_one_tc() { + local device=${1%@*} + qdisc=$(tc qdisc list dev $device) + + if [ -n "$qdisc" ]; then + echo Device $device: + tc -s -d qdisc show dev $device + tc -s -d class show dev $device + echo + fi + } + + ip link list | \ + while read inx interface details; do + case $inx in + [0-9]*) + show_one_tc ${interface%:} + ;; + *) + ;; + esac + done + +} + +# +# Show classifier information +# +show_classifiers() { + + show_one_classifier() { + local device=${1%@*} + qdisc=$(tc qdisc list dev $device) + + if [ -n "$qdisc" ]; then + echo Device $device: + tc -s filter ls dev $device + echo + fi + } + + ip link list | \ + while read inx interface details; do + case $inx in + [0-9]*) + show_one_classifier ${interface%:} + ;; + *) + ;; + esac + done + +} +# +# Monitor the Firewall +# +monitor_firewall() # $1 = timeout -- if negative, prompt each time that + # an 'interesting' packet count changes +{ + + get_config + host=$(echo $HOSTNAME | sed 's/\..*$//') + oldrejects=$(iptables -L -v -n | grep 'LOG') + + if [ $1 -lt 0 ]; then + let "timeout=- $1" + pause="Yes" + else + pause="No" + timeout=$1 + fi + + + if qt which awk; then + TMP_DIR=/tmp/shorewall-$$ + mkdir $TMP_DIR + haveawk=Yes + determine_zones + rm -rf $TMP_DIR + else + haveawk= + fi + + while true; do + display_chains + + clear + echo "$banner $(date)" + echo + + echo "Dropped/Rejected Packet Log" + echo + + show_reset + + rejects=$(iptables -L -v -n | grep 'LOG') + + if [ "$rejects" != "$oldrejects" ]; then + oldrejects="$rejects" + + $RING_BELL + + packet_log 20 + + if 
[ "$pause" = "Yes" ]; then + echo + echo $ECHO_N 'Enter any character to continue: ' + read foo + else + timed_read + fi + else + echo + packet_log 20 + timed_read + fi + + clear + echo "$banner $(date)" + echo + echo "NAT Status" + echo + iptables -t nat -L -n -v + timed_read + + clear + echo "$banner $(date)" + echo + echo + echo "TOS/MARK Status" + echo + iptables -t mangle -L -n -v + timed_read + + clear + echo "$banner $(date)" + echo + echo + echo "Tracked Connections" + echo + cat /proc/net/ip_conntrack + timed_read + + clear + echo "$banner $(date)" + echo + echo + echo "Traffic Shaping/Control" + echo + show_tc + timed_read + + clear + echo "$banner $(date)" + echo + echo + echo "Packet Classifiers" + echo + show_classifiers + timed_read + done +} + +# +# Watch the Firewall Log +# +logwatch() # $1 = timeout -- if negative, prompt each time that + # an 'interesting' packet count changes +{ + + get_config + host=$(echo $HOSTNAME | sed 's/\..*$//') + oldrejects=$(iptables -L -v -n | grep 'LOG') + + if [ $1 -lt 0 ]; then + timeout=$((- $1)) + pause="Yes" + else + pause="No" + timeout=$1 + fi + + qt which awk && haveawk=Yes || haveawk= + + while true; do + clear + echo "$banner $(date)" + echo + + echo "Dropped/Rejected Packet Log" + echo + + show_reset + + rejects=$(iptables -L -v -n | grep 'LOG') + + if [ "$rejects" != "$oldrejects" ]; then + oldrejects="$rejects" + + $RING_BELL + + packet_log 40 + + if [ "$pause" = "Yes" ]; then + echo + echo $ECHO_N 'Enter any character to continue: ' + read foo + else + timed_read + fi + else + echo + packet_log 40 + timed_read + fi + done +} + +# +# Help information +# +help() +{ + [ -x $HELP ] && { export version; exec $HELP $*; } + echo "Help subsystem is not installed at $HELP" +} + +# +# Give Usage Information +# +usage() # $1 = exit status +{ + echo "Usage: $(basename $0) [debug|trace] [nolock] [-c ] " + echo "where is one of:" + echo " add [:] " + echo " allow
..." + echo " check" + echo " clear" + echo " delete [:] " + echo " drop
..." + echo " help [ | host | address ]" + echo " hits" + echo " ipcalc [
/ |
]" + echo " iprange
-
" + echo " logwatch []" + echo " monitor []" + echo " refresh" + echo " reject
..." + echo " reset" + echo " restart" + echo " save" + echo " show [ [ ... ]|classifiers|connections|log|nat|tc|tos]" + echo " start" + echo " stop" + echo " status" + echo " try [ ]" + echo " version" + exit $1 +} + +# +# Display the time that the counters were last reset +# +show_reset() { + [ -f $STATEDIR/restarted ] && \ + echo "Counters reset $(cat $STATEDIR/restarted)" && \ + echo +} + +# +# Execution begins here +# +debugging= + +if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then + debugging=debug + shift +fi + +nolock= + +if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then + nolock=nolock + shift +fi + +SHOREWALL_DIR= +done=0 + +while [ $done -eq 0 ]; do + [ $# -eq 0 ] && usage 1 + case $1 in + -c) + [ $# -eq 1 ] && usage 1 + + if [ ! -d $2 ]; then + if [ -e $2 ]; then + echo "$2 is not a directory" >&2 && exit 2 + else + echo "Directory $2 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$2 + shift + shift + ;; + *) + done=1 + ;; + esac +done + +if [ $# -eq 0 ]; then + usage 1 +fi + +[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR + +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +MUTEX_TIMEOUT= + +SHARED_DIR=/usr/share/shorewall +FIREWALL=$SHARED_DIR/firewall +FUNCTIONS=$SHARED_DIR/functions +VERSION_FILE=$SHARED_DIR/version +HELP=$SHARED_DIR/help + +if [ -f $FUNCTIONS ]; then + . $FUNCTIONS +else + echo "$FUNCTIONS does not exist!" >&2 + exit 2 +fi + +config=$(find_file shorewall.conf) + +if [ -f $config ]; then + . $config +else + echo "$config does not exist!" >&2 + exit 2 +fi + +[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall + +if [ ! 
-f $FIREWALL ]; then + echo "ERROR: Shorewall is not properly installed" + if [ -L $FIREWALL ]; then + echo " $FIREWALL is a symbolic link to a" + echo " non-existant file" + else + echo " The file $FIREWALL does not exist" + fi + + exit 2 +fi + +if [ -f $VERSION_FILE ]; then + version=$(cat $VERSION_FILE) +else + echo "ERROR: Shorewall is not properly installed" + echo " The file $VERSION_FILE does not exist" + exit 1 +fi + +banner="Shorewall-$version Status at $HOSTNAME -" + + +case $(echo -e) in + -e*) + RING_BELL="echo \a" + ;; + *) + RING_BELL="echo -e \a" + ;; +esac + +case $(echo -n "Testing") in + -n*) + ECHO_N= + ;; + *) + ECHO_N=-n + ;; +esac + +case "$1" in + start|stop|restart|reset|clear|refresh|check) + [ $# -ne 1 ] && usage 1 + get_config + exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 + ;; + add|delete) + [ $# -ne 3 ] && usage 1 + get_config + exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3 + ;; + show|list) + [ -n "$debugging" ] && set -x + case "$2" in + connections) + [ $# -gt 2 ] && usage 1 + echo "Shorewall-$version Connections at $HOSTNAME - $(date)" + echo + cat /proc/net/ip_conntrack + ;; + nat) + [ $# -gt 2 ] && usage 1 + echo "Shorewall-$version NAT at $HOSTNAME - $(date)" + echo + show_reset + iptables -t nat -L -n -v + ;; + tos|mangle) + [ $# -gt 2 ] && usage 1 + echo "Shorewall-$version TOS at $HOSTNAME - $(date)" + echo + show_reset + iptables -t mangle -L -n -v + ;; + log) + [ $# -gt 2 ] && usage 1 + get_config + echo "Shorewall-$version Log at $HOSTNAME - $(date)" + echo + show_reset + host=$(echo $HOSTNAME | sed 's/\..*$//') + packet_log 20 + ;; + tc) + [ $# -gt 2 ] && usage 1 + echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)" + echo + show_tc + ;; + classifiers) + [ $# -gt 2 ] && usage 1 + echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)" + echo + show_classifiers + ;; + *) + shift + + echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" + 
echo + show_reset + if [ $# -gt 0 ]; then + for chain in $*; do + iptables -L $chain -n -v + done + else + iptables -L -n -v + fi + ;; + esac + ;; + monitor) + [ -n "$debugging" ] && set -x + if [ $# -eq 2 ]; then + monitor_firewall $2 + elif [ $# -eq 1 ]; then + monitor_firewall 30 + else + usage 1 + fi + ;; + status) + [ -n "$debugging" ] && set -x + [ $# -eq 1 ] || usage 1 + get_config + clear + echo "Shorewall-$version Status at $HOSTNAME - $(date)" + echo + show_reset + host=$(echo $HOSTNAME | sed 's/\..*$//') + iptables -L -n -v + echo + packet_log 20 + echo + echo "NAT Table" + echo + iptables -t nat -L -n -v + echo + echo "Mangle Table" + echo + iptables -t mangle -L -n -v + echo + cat /proc/net/ip_conntrack + ;; + hits) + [ -n "$debugging" ] && set -x + [ $# -eq 1 ] || usage 1 + get_config + clear + echo "Shorewall-$version Hits at $HOSTNAME - $(date)" + echo + + timeout=30 + + if [ $(grep -c "$LOGFORMAT" $LOGFILE ) -gt 0 ] ; then + echo " HITS IP DATE" + echo " ---- --------------- ------" + grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn + echo "" + + echo " HITS IP PORT" + echo " ---- --------------- -----" + grep "$LOGFORMAT" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/ + t + s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn + echo "" + + echo " HITS DATE" + echo " ---- ------" + grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn + echo "" + + echo " HITS PORT SERVICE(S)" + echo " ---- ----- ----------" + grep "$LOGFORMAT.*DPT" $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ + while read count port ; do + # List all services defined for the given port + srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u) + srv=$(echo $srv | sed 's/ /,/g') + + if [ -n "$srv" ] ; then + printf '%7d %5d %s\n' $count $port $srv + else + printf '%7d %5d\n' $count $port + fi + 
done + fi + ;; + version) + echo $version + ;; + try) + [ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\"" + [ $# -lt 2 -o $# -gt 3 ] && usage 1 + if ! $0 $debugging -c $2 restart; then + if ! iptables -L shorewall > /dev/null 2> /dev/null; then + $0 start + fi + elif ! iptables -L shorewall > /dev/null 2> /dev/null; then + $0 start + elif [ $# -eq 3 ]; then + sleep $3 + $0 restart + fi + ;; + logwatch) + [ -n "$debugging" ] && set -x + if [ $# -eq 2 ]; then + logwatch $2 + elif [ $# -eq 1 ]; then + logwatch 30 + else + usage 1 + fi + ;; + drop) + [ -n "$debugging" ] && set -x + [ $# -eq 1 ] && usage 1 + mutex_on + while [ $# -gt 1 ]; do + shift + qt iptables -D dynamic -s $1 -j reject + qt iptables -D dynamic -s $1 -j DROP + iptables -A dynamic -s $1 -j DROP || break 1 + echo "$1 Dropped" + done + mutex_off + ;; + reject) + [ -n "$debugging" ] && set -x + [ $# -eq 1 ] && usage 1 + mutex_on + while [ $# -gt 1 ]; do + shift + qt iptables -D dynamic -s $1 -j reject + qt iptables -D dynamic -s $1 -j DROP + iptables -A dynamic -s $1 -j reject || break 1 + echo "$1 Rejected" + done + mutex_off + ;; + allow) + [ -n "$debugging" ] && set -x + [ $# -eq 1 ] && usage 1 + mutex_on + while [ $# -gt 1 ]; do + shift + if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then + echo "$1 Allowed" + else + echo "$1 Not Dropped or Rejected" + fi + done + mutex_off + ;; + save) + [ -n "$debugging" ] && set -x + [ $# -ne 1 ] && usage 1 + mutex_on + if qt iptables -L shorewall -n; then + [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall + + if iptables -L dynamic -n > /var/lib/shorewall/save; then + echo "Dynamic Rules Saved" + else + echo "Error Saving the Dynamic Rules" + fi + else + echo "Shorewall isn't started" + fi + mutex_off + ;; + ipcalc) + [ -n "$debugging" ] && set -x + if [ $# -eq 2 ]; then + address=${2%/*} + vlsm=${2#*/} + elif [ $# -eq 3 ]; then + address=$2 + vlsm=$(ip_vlsm $3) + else + usage 1 + fi 
+ + [ -z "$vlsm" ] && exit 2 + [ "x$address" = "x$vlsm" ] && usage 2 + [ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2 + + address=$address/$vlsm + + echo " CIDR=$address" + temp=$(ip_netmask $address); echo " NETMASK=$(encodeaddr $temp)" + temp=$(ip_network $address); echo " NETWORK=$temp" + temp=$(broadcastaddress $address); echo " BROADCAST=$temp" + ;; + + iprange) + [ -n "$debugging" ] && set -x + case $2 in + *.*.*.*-*.*.*.*) + ip_range $2 + ;; + *) + usage 1 + ;; + esac + ;; + call) + [ -n "$debugging" ] && set -x + # + # Undocumented way to call functions in /usr/share/shorewall/functions directly + # + shift; + $@ + ;; + help) + shift + [ $# -ne 1 ] && usage 1 + help $@ + ;; + *) + usage 1 + ;; + +esac diff --git a/STABLE2/shorewall.conf b/STABLE2/shorewall.conf new file mode 100644 index 000000000..1e0bd1755 --- /dev/null +++ b/STABLE2/shorewall.conf 
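Review bot: display_chains writes the `iptables -L -n -v` output to the predictable path `/tmp/chains-$$` (the same literal path is hard-coded in showfirstchain and showchain), and monitor_firewall does an unchecked `mkdir /tmp/shorewall-$$` before determine_zones and later `rm -rf`s it; since this program runs with the privileges iptables needs, a pre-existing file, symlink or directory at one of those names in the world-writable /tmp would be followed, clobbered or used as the working directory. Create both with mktemp and fail closed when that fails, e.g. `chainsfile=$(mktemp /tmp/chains.XXXXXX) || fatal_error "Unable to create temporary file"` and `TMP_DIR=$(mktemp -d /tmp/shorewall.XXXXXX) || fatal_error "Unable to create temporary directory"`, and have showfirstchain, showchain and the trap in display_chains refer to `$chainsfile` instead of the literal path. Separately, in get_config the test `[ -n "LOGFORMAT" ]` checks the literal string rather than the variable and is always true; it should read `[ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"`, and the SHOREWALL_SHELL check a few lines below tests only `-e` while its message claims "does not exist or is not executable", so either the test should be `-x` or the message should be narrowed.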
@@ -0,0 +1,560 @@ +############################################################################## +# /etc/shorewall/shorewall.conf V2.0 - Change the following variables to +# match your setup +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# This file should be placed in /etc/shorewall +# +# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net) +############################################################################## +# L O G G I N G +############################################################################## +# +# General note about log levels. Log levels are a method of describing +# to syslog (8) the importance of a message and a number of parameters +# in this file have log levels as their value. +# +# Valid levels are: +# +# 7 debug +# 6 info +# 5 notice +# 4 warning +# 3 err +# 2 crit +# 1 alert +# 0 emerg +# +# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall +# log messages are generated by NetFilter and are logged using facility +# 'kern' and the level that you specifify. If you are unsure of the level +# to choose, 6 (info) is a safe bet. You may specify levels by name or by +# number. +# +# If you have built your kernel with ULOG target support, you may also +# specify a log level of ULOG (must be all caps). Rather than log its +# messages to syslogd, Shorewall will direct netfilter to log the messages +# via the ULOG target which will send them to a process called 'ulogd'. +# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be +# configured to log all Shorewall message to their own log file +################################################################################ +# +# LOG FILE LOCATION +# +# This variable tells the /sbin/shorewall program where to look for Shorewall +# log messages. If not set or set to an empty string (e.g., LOGFILE="") then +# /var/log/messages is assumed. 
+# +# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to +# look for Shorewall messages.It does NOT control the destination for +# these messages. For information about how to do that, see +# +# http://www.shorewall.net/shorewall_logging.html + +LOGFILE=/var/log/messages + +# +# LOG FORMAT +# +# Shell 'printf' Formatting template for the --log-prefix value in log messages +# generated by Shorewall to identify Shorewall log messages. The supplied +# template is expected to accept either two or three arguments; the first is +# the chain name, the second (optional) is the logging rule number within that +# chain and the third is the ACTION specifying the disposition of the packet +# being logged. You must use the %d formatting type for the rule number; if your +# template does not contain %d then the rule number will not be included. +# +# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as: +# +# LOGFORMAT="fp=%s:%d a=%s " +# +# If not specified or specified as empty (LOGFORMAT="") then the value +# "Shorewall:%s:%s:" is assumed. +# +# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up +# to but not including the first '%') to find log messages in the 'show log', +# 'status' and 'hits' commands. This part should not be omitted (the +# LOGFORMAT should not begin with "%") and the leading part should be +# sufficiently unique for /sbin/shorewall to identify Shorewall messages. + +LOGFORMAT="Shorewall:%s:%s:" + +# +# LOG RATE LIMITING +# +# The next two variables can be used to control the amount of log output +# generated. LOGRATE is expressed as a number followed by an optional +# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum +# rate at which a particular message will occur. LOGBURST determines the +# maximum initial burst size that will be logged. If set empty, the default +# value of 5 will be used. 
+# +# Example: +# +# LOGRATE=10/minute +# LOGBURST=5 +# +# If BOTH variables are set empty then logging will not be rate-limited. +# + +LOGRATE= +LOGBURST= + +# +# BLACKLIST LOG LEVEL +# +# Set this variable to the syslogd level that you want blacklist packets logged +# (beware of DOS attacks resulting from such logging). If not set, no logging +# of blacklist packets occurs. +# +# See the comment at the top of this section for a description of log levels +# +BLACKLIST_LOGLEVEL= + +# +# LOGGING 'New not SYN' rejects +# +# This variable only has an effect when NEWNOTSYN=No (see below). +# +# When a TCP packet that does not have the SYN flag set and the ACK and RST +# flags clear then unless the packet is part of an established connection, +# it will be rejected by the firewall. If you want these rejects logged, +# then set LOGNEWNOTSYN to the syslog log level at which you want them logged. +# +# See the comment at the top of this section for a description of log levels +# +# Example: LOGNEWNOTSYN=debug + + +LOGNEWNOTSYN=info + +# +# MAC List Log Level +# +# Specifies the logging level for connection requests that fail MAC +# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then +# such connection requests will not be logged. +# +# See the comment at the top of this section for a description of log levels +# + +MACLIST_LOG_LEVEL=info + +# +# TCP FLAGS Log Level +# +# Specifies the logging level for packets that fail TCP Flags +# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then +# such packets will not be logged. +# +# See the comment at the top of this section for a description of log levels +# + +TCP_FLAGS_LOG_LEVEL=info + +# +# RFC1918 Log Level +# +# Specifies the logging level for packets that fail RFC 1918 +# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then +# RFC1918_LOG_LEVEL=info is assumed. 
+# +# See the comment at the top of this section for a description of log levels +# + +RFC1918_LOG_LEVEL=info + +# +# SMURF Log Level +# +# Specifies the logging level for smurf packets dropped by the +#'nosmurfs' interface option in /etc/shorewall/interfaces. If set to the empty +# value ( SMURF_LOG_LEVEL="" ) then dropped smurfs are not logged. + +SMURF_LOG_LEVEL=info + +################################################################################ +# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S +################################################################################ +# +# PATH - Change this if you want to change the order in which Shorewall +# searches directories for executable files. +# +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin + +# +# SHELL +# +# The firewall script is normally interpreted by /bin/sh. If you wish to change +# the shell used to interpret that script, specify the shell here. + +SHOREWALL_SHELL=/bin/sh + +# SUBSYSTEM LOCK FILE +# +# Set this to the name of the lock file expected by your init scripts. For +# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't +# use lock files, set this to "". +# + +SUBSYSLOCK=/var/lock/subsys/shorewall + +# +# SHOREWALL TEMPORARY STATE DIRECTORY +# +# This is the directory where the firewall maintains state information while +# it is running +# + +STATEDIR=/var/lib/shorewall + +# +# KERNEL MODULE DIRECTORY +# +# If your netfilter kernel modules are in a directory other than +# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that +# directory in this variable. Example: MODULESDIR=/etc/modules. 
+ +MODULESDIR= + +################################################################################ +# F I R E W A L L O P T I O N S +################################################################################ + +# NAME OF THE FIREWALL ZONE +# +# Name of the firewall zone -- if not set or if set to an empty string, "fw" +# is assumed. +# +FW=fw + +# +# ENABLE IP FORWARDING +# +# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you +# say "Off" or "off", packet forwarding will be disabled. You would only want +# to disable packet forwarding if you are installing Shorewall on a +# standalone system or if you want all traffic through the Shorewall system +# to be handled by proxies. +# +# If you set this variable to "Keep" or "keep", Shorewall will neither +# enable nor disable packet forwarding. +# +IP_FORWARDING=On + +# +# AUTOMATICALLY ADD NAT IP ADDRESSES +# +# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses +# for each NAT external address that you give in /etc/shorewall/nat. If you say +# "No" or "no", you must add these aliases youself. +# +ADD_IP_ALIASES=Yes + +# +# AUTOMATICALLY ADD SNAT IP ADDRESSES +# +# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses +# for each SNAT external address that you give in /etc/shorewall/masq. If you say +# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless +# you are sure that you need it -- most people don't!!! +# +ADD_SNAT_ALIASES=No + +# +# ENABLE TRAFFIC SHAPING +# +# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If +# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic +# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and +# you must enable packet mangling above. 
+# +TC_ENABLED=No + +# +# Clear Traffic Shapping/Control +# +# If this option is set to 'No' then Shorewall won't clear the current +# traffic control rules during [re]start. This setting is intended +# for use by people that prefer to configure traffic shaping when +# the network interfaces come up rather than when the firewall +# is started. If that is what you want to do, set TC_ENABLED=Yes and +# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That +# way, your traffic shaping rules can still use the 'fwmark' +# classifier based on packet marking defined in /etc/shorewall/tcrules. +# +# If omitted, CLEAR_TC=Yes is assumed. + +CLEAR_TC=Yes + +# +# Mark Packets in the forward chain +# +# When processing the tcrules file, Shorewall normally marks packets in the +# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set +# this to "Yes". If not specified or if set to the empty value (e.g., +# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. +# +# Marking packets in the FORWARD chain has the advantage that inbound +# packets destined for Masqueraded/SNATed local hosts have had their destination +# address rewritten so they can be marked based on their destination. When +# packets are marked in the PREROUTING chain, packets destined for +# Masqueraded/SNATed local hosts still have a destination address corresponding +# to the firewall's external interface. +# +# Note: Older kernels do not support marking packets in the FORWARD chain and +# setting this variable to Yes may cause startup problems. + +MARK_IN_FORWARD_CHAIN=No + +# +# MSS CLAMPING +# +# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU" +# option. This option is most commonly required when your internet +# interface is some variant of PPP (PPTP or PPPoE). Your kernel must +# have CONFIG_IP_NF_TARGET_TCPMSS set. 
+# +# [From the kernel help: +# +# This option adds a `TCPMSS' target, which allows you to alter the +# MSS value of TCP SYN packets, to control the maximum size for that +# connection (usually limiting it to your outgoing interface's MTU +# minus 40). +# +# This is used to overcome criminally braindead ISPs or servers which +# block ICMP Fragmentation Needed packets. The symptoms of this +# problem are that everything works fine from your Linux +# firewall/router, but machines behind it can never exchange large +# packets: +# 1) Web browsers connect, then hang with no data received. +# 2) Small mail works fine, but large emails hang. +# 3) ssh works fine, but scp hangs after initial handshaking. +# ] +# +# If left blank, or set to "No" or "no", the option is not enabled. +# +CLAMPMSS=No + +# +# ROUTE FILTERING +# +# Set this variable to "Yes" or "yes" if you want kernel route filtering on all +# interfaces started while Shorewall is started (anti-spoofing measure). +# +# If this variable is not set or is set to the empty value, "No" is assumed. +# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering +# on individual interfaces using the 'routefilter' option in the +# /etc/shorewall/interfaces file. + +ROUTE_FILTER=No + +# DNAT IP ADDRESS DETECTION +# +# Normally when Shorewall encounters the following rule: +# +# DNAT net loc:192.168.1.3 tcp 80 +# +# it will forward TCP port 80 connections from the net to 192.168.1.3 +# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is +# convenient for two reasons: +# +# a) If the the network interface has a dynamic IP address, the +# firewall configuration will work even when the address +# changes. +# +# b) It saves having to configure the IP address in the rule +# while still allowing the firewall to be started before the +# internet interface is brought up. +# +# This default behavior can also have a negative effect. 
If the +# internet interface has more than one IP address then the above +# rule will forward connection requests on all of these addresses; +# that may not be what is desired. +# +# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply +# only if the original destination address is the primary IP address of +# one of the interfaces associated with the source zone. Note that this +# requires all interfaces to the source zone to be up when the firewall +# is [re]started. + +DETECT_DNAT_IPADDRS=No + +# +# MUTEX TIMEOUT +# +# The value of this variable determines the number of seconds that programs +# will wait for exclusive access to the Shorewall lock file. After the number +# of seconds corresponding to the value of this variable, programs will assume +# that the last program to hold the lock died without releasing the lock. +# +# If not set or set to the empty value, a value of 60 (60 seconds) is assumed. +# +# An appropriate value for this parameter would be twice the length of time +# that it takes your firewall system to process a "shorewall restart" command. + +MUTEX_TIMEOUT=60 + +# +# NEWNOTSYN +# +# TCP connections are established using the familiar three-way "handshake": +# +# CLIENT SERVER +# +# SYN--------------------> +# <------------------SYN,ACK +# ACK--------------------> +# +# The first packet in that exchange (packet with the SYN flag on and the ACK +# and RST flags off) is referred to in Netfilter terminology as a "syn" packet. +# A packet is said to be NEW if it is not part of or related to an already +# established connection. +# +# The NETNOTSYN option determines the handling of non-SYN packets (those with +# SYN off or with ACK or RST on) that are not associated with an already +# established connection. +# +# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not +# part of an already established connection, it will be dropped by the +# firewall. 
The setting of LOGNEWNOTSYN above determines if these packets are +# logged before they are dropped. +# +# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be +# dropped but will pass through the normal rule/policy processing. +# +# Users with a High-availability setup with two firewall's and one acting +# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may +# also need to select NEWNOTSYN=Yes. +# +# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis +# using the 'newnotsyn' option in /etc/shorewall/interfaces. +# +# I find that NEWNOTSYN=No tends to result in lots of "stuck" +# connections because any network timeout during TCP session tear down +# results in retries being dropped (Netfilter has removed the +# connection from the conntrack table but the end-points haven't +# completed shutting down the connection). I therefore have chosen +# NEWNOTSYN=Yes as the default value. + +NEWNOTSYN=Yes + +# +# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT +# +# Normally, when a "shorewall stop" command is issued or an error occurs during +# the execution of another shorewall command, Shorewall puts the firewall into +# a state where only traffic to/from the hosts listed in +# /etc/shorewall/routestopped is accepted. +# +# When performing remote administration on a Shorewall firewall, it is +# therefore recommended that the IP address of the computer being used for +# administration be added to the firewall's /etc/shorewall/routestopped file. +# +# Some administrators have a hard time remembering to do this with the result +# that they get to drive across town in the middle of the night to restart +# a remote firewall (or worse, they have to get someone out of bed to drive +# across town to restart a very remote firewall). +# +# For those administrators, we offer ADMINISABSENTMINDED=Yes. 
With this setting, +# when the firewall enters the 'stopped' state: +# +# All traffic that is part of or related to established connections is still +# allowed and all OUTPUT traffic is allowed. This is in addition to traffic +# to and from hosts listed in /etc/shorewall/routestopped. +# +# If this variable is not set or it is set to the null value then +# ADMINISABSENTMINDED=No is assumed. +# +ADMINISABSENTMINDED=Yes + +# +# BLACKLIST Behavior +# +# Shorewall offers two types of blacklisting: +# +# - static blacklisting through the /etc/shorewall/blacklist file together +# with the 'blacklist' interface option. +# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands. +# +# The following variable determines whether the blacklist is checked for each +# packet or for each new connection. +# +# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection +# requests +# +# BLACKLISTNEWONLY=No Consult blacklists for all packets. +# +# If the BLACKLISTNEWONLY option is not set or is set to the empty value then +# BLACKLISTNEWONLY=No is assumed. +# +BLACKLISTNEWONLY=Yes + +# MODULE NAME SUFFIX +# +# When loading a module named in /etc/shorewall/modules, Shorewall normally +# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names +# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different +# naming convention then you can specify the suffix (extension) for module +# names in this variable. +# +# To see what suffix is used by your distribution: +# +# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter +# +# All of the file names listed should have the same suffix (extension). Set +# MODULE_SUFFIX to that suffix. +# +# Examples: +# +# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo" +# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o" +# + +MODULE_SUFFIX= + +# +# DISABLE IPV6 +# +# Distributions (notably SuSE) are beginning to ship with IPV6 +# enabled. 
If you are not using IPV6, you are at risk of being +# exploited by users who do. Setting DISABLE_IPV6=Yes will cause +# Shorewall to disable IPV6 traffic to/from and through your +# firewall system. This requires that you have ip6tables installed. + +DISABLE_IPV6=Yes +################################################################################ +# P A C K E T D I S P O S I T I O N +################################################################################ +# +# BLACKLIST DISPOSITION +# +# Set this variable to the action that you want to perform on packets from +# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, +# DROP is assumed. +# +BLACKLIST_DISPOSITION=DROP + +# +# MAC List Disposition +# +# This variable determines the disposition of connection requests arriving +# on interfaces that have the 'maclist' option and that are from a device +# that is not listed for that interface in /etc/shorewall/maclist. Valid +# values are ACCEPT, DROP and REJECT. If not specified or specified as +# empty (MACLIST_DISPOSITION="") then REJECT is assumed + +MACLIST_DISPOSITION=REJECT + +# +# TCP FLAGS Disposition +# +# This variable determins the disposition of packets having an invalid +# combination of TCP flags that are received on interfaces having the +# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified +# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed. + +TCP_FLAGS_DISPOSITION=DROP + +#LAST LINE -- DO NOT REMOVE diff --git a/STABLE2/shorewall.spec b/STABLE2/shorewall.spec new file mode 100644 index 000000000..639f7c9e1 --- /dev/null +++ b/STABLE2/shorewall.spec 
@@ -0,0 +1,447 @@ +%define name shorewall +%define version 2.0.0 +%define release 1 +%define prefix /usr + +Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. +Name: %{name} +Version: %{version} +Release: %{release} +Prefix: %{prefix} +License: GPL +Packager: Tom Eastep +Group: Networking/Utilities +Source: %{name}-%{version}.tgz +URL: http://www.shorewall.net/ +BuildArch: noarch +BuildRoot: %{_tmppath}/%{name}-%{version}-root +Requires: iptables iproute + +%description + +The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter +(iptables) based firewall that can be used on a dedicated firewall system, +a multi-function gateway/ router/server or on a standalone GNU/Linux system. + +%prep + +%setup + +%build + +%install +export PREFIX=$RPM_BUILD_ROOT ; \ +export OWNER=`id -n -u` ; \ +export GROUP=`id -n -g` ;\ +./install.sh + +%clean +rm -rf $RPM_BUILD_ROOT + +%post + +if [ $1 -eq 1 ]; then + echo \ +"######################################################################## +# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL # +########################################################################" \ + > /etc/shorewall/startup_disabled + + if [ -x /sbin/insserv ]; then + /sbin/insserv /etc/rc.d/shorewall + elif [ -x /sbin/chkconfig ]; then + /sbin/chkconfig --add shorewall; + fi +fi + +%preun + +if [ $1 = 0 ]; then + if [ -x /sbin/insserv ]; then + /sbin/insserv -r /etc/init.d/shorewall + elif [ -x /sbin/chkconfig ]; then + /sbin/chkconfig --del shorewall + fi + + rm -f /etc/shorewall/startup_disabled + +fi + +%files +/etc/init.d/shorewall +%attr(0700,root,root) %dir /etc/shorewall +%attr(0700,root,root) %dir /usr/share/shorewall +%attr(0700,root,root) %dir /var/lib/shorewall +%attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf +%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones +%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy +%attr(0600,root,root) %config(noreplace) 
/etc/shorewall/interfaces +%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules +%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat +%attr(0600,root,root) %config(noreplace) /etc/shorewall/params +%attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp +%attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped +%attr(0600,root,root) %config(noreplace) /etc/shorewall/maclist +%attr(0600,root,root) %config(noreplace) /etc/shorewall/masq +%attr(0600,root,root) %config(noreplace) /etc/shorewall/modules +%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules +%attr(0600,root,root) %config(noreplace) /etc/shorewall/tos +%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels +%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts +%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist +%attr(0600,root,root) %config(noreplace) /etc/shorewall/init +%attr(0600,root,root) %config(noreplace) /etc/shorewall/start +%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop +%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped +%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn +%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting +%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions + +%attr(0544,root,root) /sbin/shorewall + +%attr(0600,root,root) /usr/share/shorewall/version +%attr(0600,root,root) /usr/share/shorewall/actions.std +%attr(0600,root,root) /usr/share/shorewall/action.AllowAuth +%attr(0600,root,root) /usr/share/shorewall/action.AllowDNS +%attr(0600,root,root) /usr/share/shorewall/action.AllowFTP +%attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP +%attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP +%attr(0600,root,root) /usr/share/shorewall/action.AllowNTP +%attr(0600,root,root) /usr/share/shorewall/action.AllowPCA +%attr(0600,root,root) /usr/share/shorewall/action.AllowPing +%attr(0600,root,root) 
/usr/share/shorewall/action.AllowPOP3 +%attr(0600,root,root) /usr/share/shorewall/action.AllowRdate +%attr(0600,root,root) /usr/share/shorewall/action.AllowSMB +%attr(0600,root,root) /usr/share/shorewall/action.AllowSMTP +%attr(0600,root,root) /usr/share/shorewall/action.AllowSNMP +%attr(0600,root,root) /usr/share/shorewall/action.AllowSSH +%attr(0600,root,root) /usr/share/shorewall/action.AllowTelnet +%attr(0600,root,root) /usr/share/shorewall/action.AllowTrcrt +%attr(0600,root,root) /usr/share/shorewall/action.AllowVNC +%attr(0600,root,root) /usr/share/shorewall/action.AllowVNCL +%attr(0600,root,root) /usr/share/shorewall/action.AllowWeb +%attr(0600,root,root) /usr/share/shorewall/action.Drop +%attr(0600,root,root) /usr/share/shorewall/action.DropDNSrep +%attr(0600,root,root) /usr/share/shorewall/action.DropPing +%attr(0600,root,root) /usr/share/shorewall/action.DropSMB +%attr(0600,root,root) /usr/share/shorewall/action.DropUPnP +%attr(0600,root,root) /usr/share/shorewall/action.Reject +%attr(0600,root,root) /usr/share/shorewall/action.RejectAuth +%attr(0600,root,root) /usr/share/shorewall/action.RejectSMB +%attr(0600,root,root) /usr/share/shorewall/action.template +%attr(0444,root,root) /usr/share/shorewall/functions +%attr(0544,root,root) /usr/share/shorewall/firewall +%attr(0544,root,root) /usr/share/shorewall/help +%attr(0600,root,root) /usr/share/shorewall/rfc1918 + +%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel + +%changelog +* Sat Mar 13 2004 Tom Eastep +- Update for 2.0.0 Final +* Sat Mar 06 2004 Tom Eastep +- Update for RC2 +* Fri Feb 27 2004 Tom Eastep +- Update for RC1 +* Mon Feb 16 2004 Tom Eastep +- Moved rfc1918 to /usr/share/shorewall +- Update for Beta 3 +* Sat Feb 14 2004 Tom Eastep +- Removed common.def +- Unconditionally replace actions.std +- Update for Beta 2 +* Thu Feb 12 2004 Tom Eastep +- Added action.AllowPCA +* Sun Feb 08 2004 Tom Eastep +- Updates for Shorewall 2.0.0. 
+* Mon Dec 29 2003 Tom Eastep +- Remove Documentation from this RPM +* Sun Dec 28 2003 Tom Eastep +- Updated for Beta 2 +* Sun Dec 07 2003 Tom Eastep +- Added User Defined Actions Files +* Wed Dec 03 2003 Tom Eastep +- Added User Defined Actions Files +* Fri Nov 07 2003 Tom Eastep +- Changed version to 1.4.8 +* Sat Nov 01 2003 Tom Eastep +- Changed version to 1.4.8-0RC2 +* Thu Oct 30 2003 Tom Eastep +- Changed version to 1.4.8-0RC1 +* Sat Oct 04 2003 Tom Eastep +- Changed version to 1.4.7-1 +- Removed conflict with 2.2 Kernels +* Mon Sep 22 2003 Tom Eastep +- Changed version to 1.4.7-0RC2 +* Thu Sep 18 2003 Tom Eastep +- Changed version to 1.4.7-0RC1 +* Mon Sep 15 2003 Tom Eastep +- Changed version to 1.4.7-0Beta2 +* Mon Aug 25 2003 Tom Eastep +- Changed version to 1.4.7-0Beta1 +* Sat Aug 23 2003 Tom Eastep +- Added /etc/shorewall/users +- Changed version to 1.4.6_20030823-1 +* Thu Aug 21 2003 Tom Eastep +- Changed version to 1.4.6_20030821-1 +- Added /etc/shorewall/usersets +* Wed Aug 13 2003 Tom Eastep +- Changed version to 1.4.6_20030813-1 +* Sat Aug 09 2003 Tom Eastep +- Added /etc/shorewall/accounting +* Sat Aug 09 2003 Tom Eastep +- Changed version to 1.4.6_20030809-1 +* Thu Jul 31 2003 Tom Eastep +- Changed version to 1.4.6_20030731-1 +* Sun Jul 27 2003 Tom Eastep +- Added /usr/share/shorewall/help +- Changed version to 1.4.6_20030727-1 +* Sat Jul 26 2003 Tom Eastep +- Changed version to 1.4.6_20030726-1 +* Sat Jul 19 2003 Tom Eastep +- Changed version to 1.4.6-1 +* Mon Jul 14 2003 Tom Eastep +- Changed version to 1.4.6-0RC1 +* Mon Jul 07 2003 Tom Eastep +- Changed version to 1.4.6-0Beta2 +* Fri Jul 04 2003 Tom Eastep +- Changed version to 1.4.6-0Beta1 +* Tue Jun 17 2003 Tom Eastep +- Changed version to 1.4.5-1 +* Thu May 29 2003 Tom Eastep +- Changed version to 1.4.4b-1 +* Tue May 27 2003 Tom Eastep +- Changed version to 1.4.4a-1 +* Thu May 22 2003 Tom Eastep +- Changed version to 1.4.4-1 +* Mon May 19 2003 Tom Eastep +- Changed version to 1.4.3a-1 +* Sun 
May 18 2003 Tom Eastep +- Changed version to 1.4.3-1 +* Mon Apr 07 2003 Tom Eastep +- Changed version to 1.4.2-1 +* Fri Mar 21 2003 Tom Eastep +- Changed version to 1.4.1-1 +* Mon Mar 17 2003 Tom Eastep +- Changed version to 1.4.0-1 +* Fri Mar 07 2003 Tom Eastep +- Changed version to 1.4.0-0RC2 +* Wed Mar 05 2003 Tom Eastep +- Changed version to 1.4.0-0RC1 +* Mon Feb 24 2003 Tom Eastep +- Changed version to 1.4.0-0Beta2 +* Sun Feb 23 2003 Tom Eastep +- Add ecn file +* Fri Feb 21 2003 Tom Eastep +- Changes version to 1.4.0-0Beta1 +* Thu Feb 06 2003 Tom Eastep +- Changes version to 1.4.0Alpha1 +- Delete icmp.def +- Move firewall and version to /usr/share/shorewall +* Tue Feb 04 2003 Tom Eastep +- Changes version to 1.3.14-0RC1 +* Tue Jan 28 2003 Tom Eastep +- Changes version to 1.3.14-0Beta2 +* Sat Jan 25 2003 Tom Eastep +- Changes version to 1.3.14-0Beta1 +* Mon Jan 13 2003 Tom Eastep +- Changes version to 1.3.13 +* Fri Dec 27 2002 Tom Eastep +- Changes version to 1.3.12 +* Sun Dec 22 2002 Tom Eastep +- Changes version to 1.3.12-0Beta3 +* Fri Dec 20 2002 Tom Eastep +- Changes version to 1.3.12-0Beta2 +* Wed Dec 18 2002 Tom Eastep +- Changes version to 1.3.12-0Beta1 +- Add init, start, stop and stopped files. 
+* Tue Dec 03 2002 Tom Eastep +- Changes version to 1.3.11a +* Sun Nov 24 2002 Tom Eastep +- Changes version to 1.3.11 +* Sat Nov 09 2002 Tom Eastep +- Changes version to 1.3.10 +* Wed Oct 23 2002 Tom Eastep +- Changes version to 1.3.10b1 +* Tue Oct 22 2002 Tom Eastep +- Added maclist file +* Tue Oct 15 2002 Tom Eastep +- Changed version to 1.3.10 +- Replaced symlink with real file +* Wed Oct 09 2002 Tom Eastep +- Changed version to 1.3.9b +* Mon Sep 30 2002 Tom Eastep +- Changed version to 1.3.9a +* Thu Sep 18 2002 Tom Eastep +- Changed version to 1.3.8 +* Mon Sep 16 2002 Tom Eastep +- Changed version to 1.3.8 +* Mon Sep 02 2002 Tom Eastep +- Changed version to 1.3.7c +* Mon Aug 26 2002 Tom Eastep +- Changed version to 1.3.7b +* Thu Aug 22 2002 Tom Eastep +- Changed version to 1.3.7a +* Thu Aug 22 2002 Tom Eastep +- Changed version to 1.3.7 +* Sun Aug 04 2002 Tom Eastep +- Changed version to 1.3.6 +* Mon Jul 29 2002 Tom Eastep +- Changed version to 1.3.5b +* Sat Jul 13 2002 Tom Eastep +- Changed version to 1.3.4 +* Wed Jul 10 2002 Tom Eastep +- Added 'routestopped' configuration file. +* Fri Jul 05 2002 Tom Eastep +- Changed version to 1.3.3 +* Sat Jun 15 2002 Tom Eastep +- Changed version and release for new convention +- Moved version,firewall and functions to /var/lib/shorewall +* Sun Jun 02 2002 Tom Eastep +- Changed version to 1.3.2 +* Fri May 31 2002 Tom Eastep +- Changed version to 1.3.1 +- Added the rfc1918 file +* Wed May 29 2002 Tom Eastep +- Changed version to 1.3.0 +* Mon May 20 2002 Tom Eastep +- Removed whitelist file +* Sat May 18 2002 Tom Eastep +- changed version to 91 +* Wed May 8 2002 Tom Eastep +- changed version to 90 +- removed 'provides' tag. +* Tue Apr 23 2002 Tom Eastep +- changed version to 13 +- Added whitelist file. 
+* Thu Apr 18 2002 Tom Eastep +- changed version to 12 +* Tue Apr 16 2002 Tom Eastep +- Merged Stefan's changes to create single RPM +* Mon Apr 15 2002 Stefan Mohr +- changed to SuSE Linux 7.3 +* Wed Apr 10 2002 Tom Eastep +- changed Version to 11 +* Tue Mar 19 2002 Tom Eastep +- changed Version to 10 +* Sat Mar 09 2002 Tom Eastep +- changed Version to 9 +* Sat Feb 23 2002 Tom Eastep +- changed Version to 8 +* Thu Feb 21 2002 Tom Eastep +- changed Version to 7 +* Tue Feb 05 2002 Tom Eastep +- changed Version to 6 +* Wed Jan 30 2002 Tom Eastep +- changed Version to 5 +* Sat Jan 26 2002 Tom Eastep +- changed Version to 4 +- Merged Ajay's change to allow build by non-root +* Sun Jan 12 2002 Tom Eastep +- changed Version to 3 +* Tue Jan 01 2002 Tom Eastep +- changed Version to 2 +- Updated URL +- Added blacklist file +* Mon Dec 31 2001 Tom Eastep +- changed Version to 1 +* Wed Dec 19 2001 Tom Eastep +- changed Version to 0 +* Tue Dec 18 2001 Tom Eastep +- changed Version to Rc1 +* Sat Dec 15 2001 Tom Eastep +- changed Version to Beta2 +* Thu Nov 08 2001 Tom Eastep +- changed Version to 1.2 +- added tcrules file +* Sun Oct 21 2001 Tom Eastep +- changed release to 17 +* Sun Oct 21 2001 Tom Eastep +- changed release to 16 +* Sun Oct 14 2001 Tom Eastep +- changed release to 15 +* Thu Oct 11 2001 Tom Eastep +- changed release to 14 +* Tue Sep 11 2001 Tom Eastep +- changed release to 13 +- added params file +* Tue Aug 28 2001 Tom Eastep +- Changed release to 12 +* Fri Jul 27 2001 Tom Eastep +- Changed release to 11 +* Sun Jul 08 2001 Ajay Ramaswamy +- reorganized spec file +- s/Copyright/License/ +- now will build fron rpm -tb +* Fri Jul 06 2001 Tom Eastep +- Changed release to 10 +* Tue Jun 19 2001 Tom Eastep +- Changed release to 9 +- Added tunnel file +- Readded tunnels file +* Mon Jun 18 2001 Tom Eastep +- Changed release to 8 +* Sat Jun 02 2001 Tom Eastep +- Changed release to 7 +- Changed iptables dependency. 
+* Tue May 22 2001 Tom Eastep +- Changed release to 6 +- Added tunnels file +* Sat May 19 2001 Tom Eastep +- Changed release to 5 +- Added modules and tos files +* Sat May 12 2001 Tom Eastep +- Changed release to 4 +- Added changelog.txt and releasenotes.txt +* Sat Apr 28 2001 Tom Eastep +- Changed release to 3 +* Mon Apr 9 2001 Tom Eastep +- Added files common.def and icmpdef.def +- Changed release to 2 +* Wed Apr 4 2001 Tom Eastep +- Changed the release to 1. +* Mon Mar 26 2001 Tom Eastep +- Changed the version to 1.1 +- Added hosts file +* Sun Mar 18 2001 Tom Eastep +- Changed the release to 4 +- Added Zones and Functions files +* Mon Mar 12 2001 Tom Eastep +- Change ipchains dependency to an iptables dependency and + changed the release to 3 +* Fri Mar 9 2001 Tom Eastep +- Add additional files. +* Thu Mar 8 2001 Tom EAstep +- Change version to 1.0.2 +* Tue Mar 6 2001 Tom Eastep +- Change version to 1.0.1 +* Sun Mar 4 2001 Tom Eastep +- Changes for Shorewall +* Thu Feb 22 2001 Tom Eastep +- Change version to 4.1.0 +* Fri Feb 2 2001 Tom Eastep +- Change version to 4.0.4 +* Mon Jan 22 2001 Tom Eastep +- Change version to 4.0.2 +* Sat Jan 20 2001 Tom Eastep +- Changed version to 4.0 +* Fri Jan 5 2001 Tom Eastep +- Added dmzclients file +* Sun Dec 24 2000 Tom Eastep +- Added ftpserver file +* Sat Aug 12 2000 Tom Eastep +- Added "nat" and "proxyarp" files for 4.0 +* Mon May 20 2000 Tom Eastep +- added updown file +* Sat May 20 2000 Simon Piette +- Corrected the group - Networking/Utilities +- Added "noreplace" attributes to config files, so current confis is not + changed. +- Added the version file. +* Sat May 20 2000 Tom Eastep +- Converted Simon's patch to version 3.1 +* Sat May 20 2000 Simon Piette +- 3.0.2 Initial RPM + Patched the install script so it can take a PREFIX variable + + diff --git a/STABLE2/start b/STABLE2/start new file mode 100644 index 000000000..c3b48057e --- /dev/null +++ b/STABLE2/start 
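Review bot: The %post and %preun scriptlets register different paths with insserv: install runs `/sbin/insserv /etc/rc.d/shorewall` while uninstall runs `/sbin/insserv -r /etc/init.d/shorewall`, and %files packages only `/etc/init.d/shorewall`, so on a distribution without an `/etc/rc.d` alias the install-time call fails silently and the service is never enabled; use `/etc/init.d/shorewall` in both places. The two scriptlets also test their argument in different forms (`if [ $1 -eq 1 ]` versus `if [ $1 = 0 ]`); pick one. `/etc/init.d/shorewall` is the only packaged file without an explicit %attr, so its ownership and mode are inherited from the build tree rather than pinned like every other file in the list; an explicit `%attr(0544,root,root)` line, matching `/sbin/shorewall`, would make the root-executed init script's permissions part of the package contract.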
@@ -0,0 +1,6 @@
+############################################################################
+# Shorewall 2.0 -- /etc/shorewall/start
+#
+# Add commands below that you want to be executed after shorewall has
+# been started or restarted.
+#
diff --git a/STABLE2/stop b/STABLE2/stop
new file mode 100644
index 000000000..78c5fa97b
--- /dev/null
+++ b/STABLE2/stop
@@ -0,0 +1,6 @@
+############################################################################
+# Shorewall 2.0 -- /etc/shorewall/stop
+#
+# Add commands below that you want to be executed at the beginning of a
+# "shorewall stop" command.
+#
diff --git a/STABLE2/stopped b/STABLE2/stopped
new file mode 100644
index 000000000..16feb827b
--- /dev/null
+++ b/STABLE2/stopped
@@ -0,0 +1,6 @@
+############################################################################
+# Shorewall 2.0 -- /etc/shorewall/stopped
+#
+# Add commands below that you want to be executed at the completion of a
+# "shorewall stop" command.
+#
diff --git a/STABLE2/tcrules b/STABLE2/tcrules
new file mode 100644
index 000000000..59bffde0a
--- /dev/null
+++ b/STABLE2/tcrules
@@ -0,0 +1,78 @@ +# +# Shorewall version 2.0 - Traffic Control Rules File +# +# /etc/shorewall/tcrules +# +# Entries in this file cause packets to be marked as a means of +# classifying them for traffic control or policy routing. +# +# I M P O R T A N T ! ! ! ! +# +# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET +# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf +# +# Columns are: +# +# +# MARK The mark value which is an +# integer in the range 1-255 +# +# May optionally be followed by ":P" or ":F" +# where ":P" indicates that marking should occur in +# the PREROUTING chain and ":F" indicates that marking +# should occur in the FORWARD chain. If neither +# ":P" nor ":F" follow the mark value then the chain is +# determined by the setting of MARK_IN_FORWARD_CHAIN in +# /etc/shorewall/shorewall.conf. +# +# SOURCE Source of the packet. A comma-separated list of +# interface names, IP addresses, MAC addresses +# and/or subnets. Use $FW if the packet originates on +# the firewall in which case the MARK column may NOT +# specify either ":P" or ":F" (marking always occurs +# in the OUTPUT chain). +# +# MAC addresses must be prefixed with "~" and use +# "-" as a separator. +# +# Example: ~00-A0-C9-15-39-78 +# +# DEST Destination of the packet. Comma separated list of +# IP addresses and/or subnets. +# +# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, +# or "all". +# +# PORT(S) Destination Ports. A comma-separated list of Port +# names (from /etc/services), port numbers or port +# ranges; if the protocol is "icmp", this column is +# interpreted as the destination icmp-type(s). +# +# This column is ignored if PROTOCOL = all but must be +# entered if any of the following field is supplied. +# In that case, it is suggested that this field contain +# "-" +# +# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, +# any source port is acceptable. Specified as a comma- +# separated list of port names, port numbers or port +# ranges. 
+# +# USER This column may only be non-empty if the SOURCE is +# the firewall itself. +# +# When this column is non-empty, the rule applies only +# if the program generating the output is running under +# the effective user and/or group. +# +# It may contain : +# +# []:[] +# +# The colon is optionnal when specifying only a user. +# Examples : john: / john / :users / john:users +# +############################################################################## +#MARK SOURCE DEST PROTO PORT(S) CLIENT USER +# PORT(S) +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/STABLE2/tos b/STABLE2/tos new file mode 100644 index 000000000..ff2bbb281 --- /dev/null +++ b/STABLE2/tos 
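Review bot: The USER column syntax line in this hunk reads `# []:[]`, so the placeholders it is meant to show are missing (possibly angle-bracketed names lost in rendering); spell it out as `# [user]:[group]` so the example list `john: / john / :users / john:users` has something to refer to. In the same paragraph `optionnal` should be `optional`, and in the PORT(S) description `must be entered if any of the following field is supplied` should read `must be entered if any of the following fields is supplied`.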
@@ -0,0 +1,52 @@ +# +# Shorewall 2.0 -- /etc/shorewall/tos +# +# This file defines rules for setting Type Of Service (TOS) +# +# Columns are: +# +# SOURCE Name of a zone declared in /etc/shorewall/zones, "all" +# or $FW. +# +# If not "all" or $FW, may optionally be followed by +# ":" and an IP address, a MAC address, a subnet +# specification or the name of an interface. +# +# Example: loc:192.168.2.3 +# +# MAC addresses must be prefixed with "~" and use +# "-" as a separator. +# +# Example: ~00-A0-C9-15-39-78 +# +# DEST Name of a zone declared in /etc/shorewall/zones, "all" +# or $FW. +# +# If not "all" or $FW, may optionally be followed by +# ":" and an IP address or a subnet specification +# +# Example: loc:192.168.2.3 +# +# PROTOCOL Protocol. +# +# SOURCE PORTS Source port or port range. If all ports, use "-". +# +# DEST PORTS Destination port or port range. If all ports, use "-" +# +# TOS Type of service. Must be one of the following: +# +# Minimize-Delay (16) +# Maximize-Throughput (8) +# Maximize-Reliability (4) +# Minimize-Cost (2) +# Normal-Service (0) +# +############################################################################## +#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS +all all tcp - ssh 16 +all all tcp ssh - 16 +all all tcp - ftp 16 +all all tcp ftp - 16 +all all tcp ftp-data - 8 +all all tcp - ftp-data 8 +#LAST LINE -- Add your entries above -- DO NOT REMOVE diff --git a/STABLE2/tunnel b/STABLE2/tunnel new file mode 100755 index 000000000..82634d5cb --- /dev/null +++ b/STABLE2/tunnel 
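Review bot: Three of the default entries match on source port (`all all tcp ssh - 16`, `all all tcp ftp - 16`, `all all tcp ftp-data - 8`), so any remote host can obtain Minimize-Delay or Maximize-Throughput treatment for its packets through the firewall simply by sending from port 22, 21 or 20, and with `all all` that includes transit traffic. That is acceptable for an advisory hint, but the header should say so; suggested comment above the entries: `# NOTE: source-port matches are under the remote peer's control; TOS set here is a queuing hint, not a trust decision.` If TOS values are later used to select traffic-control classes, the source-port entries are presumably the ones to restrict to the local zone.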
@@ -0,0 +1,159 @@ +#!/bin/sh + +RCDLINKS="2,S45 3,S45 6,K45" +################################################################################ +# Script to create a gre or ipip tunnel -- Shorewall 2.0 +# +# Modified - Steve Cowles 5/9/2000 +# Incorporated init {start|stop} syntax and iproute2 usage +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net) +# +# Modify the following variables to match your configuration +# +# chkconfig: 2345 26 89 +# description: GRE/IP Tunnel +# +################################################################################ + +# +# Type of tunnel (gre or ipip) +# + +tunnel_type=gre + +# Name of the tunnel +# + +tunnel="dfwbos" +# +# Address of your External Interface (only required for gre tunnels) +# +myrealip="x.x.x.x" + +# Address of the local system -- this is the address of one of your +# local interfaces (or for a mobile host, the address that this system has +# when attached to the local network). +# + +myip="192.168.1.254" + +# Address of the Remote system -- this is the address of one of the +# remote system's local interfaces (or if the remote system is a mobile host, +# the address that it uses when attached to the local network). + +hisip="192.168.9.1" + +# Internet address of the Remote system +# + +gateway="x.x.x.x" + +# Remote sub-network -- if the remote system is a gateway for a +# private subnetwork that you wish to +# access, enter it here. 
If the remote +# system is a stand-alone/mobile host, leave this +# empty + +subnet="192.168.9.0/24" + +PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin + +load_modules () { + case $tunnel_type in + ipip) + echo "Loading IP-ENCAP Module" + modprobe ipip + ;; + gre) + echo "Loading GRE Module" + modprobe ip_gre + ;; + esac +} + +do_stop() { + + if [ -n "`ip link show $tunnel 2>/dev/null`" ]; then + echo "Stopping $tunnel" + ip link set dev $tunnel down + fi + + if [ -n "`ip addr show $tunnel 2>/dev/null`" ]; then + echo "Deleting $tunnel" + ip tunnel del $tunnel + fi +} + +do_start() { + + #NOTE: Comment out the next line if you have built gre/ipip into your kernel + + load_modules + + if [ -n "`ip link show $tunnel 2>/dev/null`" ]; then + do_stop + fi + + echo "Adding $tunnel" + + case $tunnel_type in + gre) + ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255 + ;; + *) + ip tunnel add $tunnel mode ipip remote $gateway + ;; + esac + + echo "Starting $tunnel" + + + ip link set dev $tunnel up + + case $tunnel_type in + gre) + ip addr add $myip dev $tunnel + ;; + *) + ip addr add $myip peer $hisip dev $tunnel + ;; + esac + + # + # As with all interfaces, the 2.4 kernels will add the obvious host + # route for this point-to-point interface + # + + if [ -n "$subnet" ]; then + echo "Adding Routes" + case $tunnel_type in + gre) + ip route add $subnet dev $tunnel + ;; + ipip) + ip route add $subnet via $gateway dev $tunnel onlink + ;; + esac + fi +} + +case "$1" in + start) + do_start + ;; + stop) + do_stop + ;; + restart) + do_stop + sleep 1 + do_start + ;; + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 +esac +exit 0 diff --git a/STABLE2/tunnels b/STABLE2/tunnels new file mode 100644 index 000000000..2c032cb21 --- /dev/null +++ b/STABLE2/tunnels 
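Review bot: `PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin` appends the system directories after whatever PATH the script inherits, so when run as root from init (the `chkconfig:` header and `RCDLINKS` line indicate that use) an `ip` or `modprobe` found earlier in the inherited PATH takes precedence; an init script should set a fixed path, e.g. `PATH=/sbin:/usr/sbin:/bin:/usr/bin`. None of the `ip tunnel add`, `ip link set` or `ip addr add` calls in do_start check their exit status, so a failed `ip tunnel add` is followed by `ip link set dev $tunnel up` and `ip addr add` on a device that does not exist; ending each with `|| exit 1` makes the start action report failure instead of returning 0. Minor: the ipip branch passes only `remote $gateway`, while the gre branch also sets `local $myrealip ttl 255`; if that asymmetry is deliberate a comment saying so would help the next editor.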
@@ -0,0 +1,110 @@
+#
+# Shorewall 2.0 - /etc/shorewall/tunnels
+#
+# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
+#
+# IPIP, GRE and OPENVPN tunnels must be configured on the
+# firewall/gateway itself. IPSEC endpoints may be defined
+# on the firewall/gateway or on an internal system.
+#
+# The columns are:
+#
+# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
+# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
+# "generic"
+#
+# If the type is "ipsec" or "ipsecnat", it may be followed
+# by ":noah" to indicate that the Authentication Header
+# protocol (51) is not used by the tunnel.
+#
+# If type is "openvpn", it may optionally be followed
+# by ":" and the port number used by the tunnel. if no
+# ":" and port number are included, then the default port
+# of 5000 will be used
+#
+# If type is "generic", it must be followed by ":" and
+# a protocol name (from /etc/protocols) or a protocol
+# number. If the protocol is "tcp" or "udp" (6 or 17),
+# then it may optionally be followed by ":" and a
+# port number.
+#
+# ZONE -- The zone of the physical interface through which
+# tunnel traffic passes. This is normally your internet
+# zone.
+#
+# GATEWAY -- The IP address of the remote tunnel gateway. If the
+# remote getway has no fixed address (Road Warrior)
+# then specify the gateway as 0.0.0.0/0.
+#
+# GATEWAY
+# ZONES -- Optional. If the gateway system specified in the third
+# column is a standalone host then this column should
+# contain a comma-separated list of the names of the
+# zones that the host might be in. This column only
+# applies to IPSEC and generic tunnels.
+#
+# Example 1:
+#
+# IPSec tunnel. The remote gateway is 4.33.99.124 and
+# the remote subnet is 192.168.9.0/24. The tunnel does
+# not use the AH protocol
+#
+# ipsec:noah net 4.33.99.124
+#
+# Example 2:
+#
+# Road Warrior (LapTop that may connect from anywhere)
+# where the "gw" zone is used to represent the remote
+# LapTop.
+#
+# ipsec net 0.0.0.0/0 gw
+#
+# Example 3:
+#
+# Host 4.33.99.124 is a standalone system connected
+# via an ipsec tunnel to the firewall system. The host
+# is in zone gw.
+#
+# ipsec net 4.33.99.124 gw
+#
+# Example 4:
+#
+# Road Warriors that may belong to zones vpn1, vpn2 or
+# vpn3. The FreeS/Wan _updown script will add the
+# host to the appropriate zone using the "shorewall add"
+# command on connect and will remove the host from the
+# zone at disconnect time.
+#
+# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3
+#
+# Example 5:
+#
+# You run the Linux PPTP client on your firewall and
+# connect to server 192.0.2.221.
+#
+# pptpclient net 192.0.2.221
+#
+# Example 6:
+#
+# You run a PPTP server on your firewall.
+#
+# pptpserver net
+#
+# Example 7:
+#
+# OPENVPN tunnel. The remote gateway is 4.33.99.124 and
+# openvpn uses port 7777.
+#
+# openvpn:7777 net 4.33.99.124
+#
+# Example 8:
+#
+# You have a tunnel that is not one of the supported types.
+# Your tunnel uses UDP port 4444. The other end of the
+# tunnel is 4.3.99.124.
+#
+# generic:udp:4444 net 4.3.99.124
+#
+# TYPE ZONE GATEWAY GATEWAY
+# ZONE
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/uninstall.sh b/STABLE2/uninstall.sh
new file mode 100755
index 000000000..3ed960efa
--- /dev/null
+++ b/STABLE2/uninstall.sh
@@ -0,0 +1,109 @@
+#!/bin/sh
+#
+# Script to back uninstall Shoreline Firewall
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
+#
+# Shorewall documentation is available at http://shorewall.sourceforge.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+#
+# Usage:
+#
+# You may only use this script to uninstall the version
+# shown below. Simply run this script to remove Seattle Firewall
+
+VERSION=2.0.0
+
+usage() # $1 = exit status
+{
+ ME=$(basename $0)
+ echo "usage: $ME"
+ exit $1
+}
+
+qt()
+{
+ "$@" >/dev/null 2>&1
+}
+
+restore_file() # $1 = file to restore
+{
+ if [ -f ${1}-shorewall.bkout ]; then
+ if (mv -f ${1}-shorewall.bkout $1); then
+ echo
+ echo "$1 restored"
+ else
+ exit 1
+ fi
+ fi
+}
+
+remove_file() # $1 = file to restore
+{
+ if [ -f $1 -o -L $1 ] ; then
+ rm -f $1
+ echo "$1 Removed"
+ fi
+}
+
+if [ -f /usr/share/shorewall/version ]; then
+ INSTALLED_VERSION="$(cat /usr/share/shorewall/version)"
+ if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
+ echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
+ echo " and this is the $VERSION uninstaller."
+ VERSION="$INSTALLED_VERSION"
+ fi
+else
+ echo "WARNING: Shorewall Version $VERSION is not installed"
+ VERSION=""
+fi
+
+echo "Uninstalling shorewall $VERSION"
+
+if qt iptables -L shorewall -n; then
+ /sbin/shorewall clear
+fi
+
+if [ -L /usr/share/shorewall/init ]; then
+ FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
+else
+ FIREWALL=/etc/init.d/shorewall
+fi
+
+if [ -n "$FIREWALL" ]; then
+ if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+ insserv -r $FIREWALL
+ elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+ chkconfig --del $(basename $FIREWALL)
+ else
+ rm -f /etc/rc*.d/*$(basename $FIREWALL)
+ fi
+
+ remove_file $FIREWALL
+ rm -f ${FIREWALL}-*.bkout
+fi
+
+rm -f /sbin/shorewall
+rm -f /sbin/shorewall-*.bkout
+
+rm -rf /etc/shorewall
+rm -rf /var/lib/shorewall
+rm -rf /usr/share/shorewall
+
+echo "Shorewall Uninstalled"
+
+
diff --git a/STABLE2/zones b/STABLE2/zones
new file mode 100644
index 000000000..5c13ce6cc
--- /dev/null
+++ b/STABLE2/zones
@@ -0,0 +1,19 @@
+#
+# Shorewall 2.0 /etc/shorewall/zones
+#
+# This file determines your network zones. Columns are:
+#
+# ZONE Short name of the zone (5 Characters or less in length).
+# DISPLAY Display name of the zone
+# COMMENTS Comments about the zone
+#
+# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
+# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
+#
+# See http://www.shorewall.net/Documentation.htm#Nested
+#
+#ZONE DISPLAY COMMENTS
+net Net Internet
+loc Local Local networks
+dmz DMZ Demilitarized zone
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
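Review bot: The symlink resolution `FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')` parses `ls -l` output, which misreads a target path containing spaces or `> `, and the result then reaches `insserv -r $FIREWALL`, `rm -f /etc/rc*.d/*$(basename $FIREWALL)`, `remove_file $FIREWALL` and `rm -f ${FIREWALL}-*.bkout` unquoted, so a malformed value would be word-split into those removals. Use `FIREWALL=$(readlink /usr/share/shorewall/init)` and quote every later use as `"$FIREWALL"`; note that with the current code the `[ -n "$FIREWALL" ]` guard can never be false, because the `else` branch always assigns `/etc/init.d/shorewall`, whereas with readlink an empty result on failure is exactly what that guard should stop. Separately, `rm -rf /etc/shorewall` discards the administrator's rules and policy with no prompt and no backup, which the header ("Script to back uninstall") does not make clear; a header line such as `# NOTE: removes /etc/shorewall (all rules and policies) without making a backup` would be worth adding.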