mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-22 23:53:30 +01:00
Initial revision
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1191 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
2e929e1083
commit
8925f25168
340
STABLE2/COPYING
Normal file
340
STABLE2/COPYING
Normal file
@ -0,0 +1,340 @@
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
Version 2, June 1991
|
||||
|
||||
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
|
||||
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
Preamble
|
||||
|
||||
The licenses for most software are designed to take away your
|
||||
freedom to share and change it. By contrast, the GNU General Public
|
||||
License is intended to guarantee your freedom to share and change free
|
||||
software--to make sure the software is free for all its users. This
|
||||
General Public License applies to most of the Free Software
|
||||
Foundation's software and to any other program whose authors commit to
|
||||
using it. (Some other Free Software Foundation software is covered by
|
||||
the GNU Library General Public License instead.) You can apply it to
|
||||
your programs, too.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
price. Our General Public Licenses are designed to make sure that you
|
||||
have the freedom to distribute copies of free software (and charge for
|
||||
this service if you wish), that you receive source code or can get it
|
||||
if you want it, that you can change the software or use pieces of it
|
||||
in new free programs; and that you know you can do these things.
|
||||
|
||||
To protect your rights, we need to make restrictions that forbid
|
||||
anyone to deny you these rights or to ask you to surrender the rights.
|
||||
These restrictions translate to certain responsibilities for you if you
|
||||
distribute copies of the software, or if you modify it.
|
||||
|
||||
For example, if you distribute copies of such a program, whether
|
||||
gratis or for a fee, you must give the recipients all the rights that
|
||||
you have. You must make sure that they, too, receive or can get the
|
||||
source code. And you must show them these terms so they know their
|
||||
rights.
|
||||
|
||||
We protect your rights with two steps: (1) copyright the software, and
|
||||
(2) offer you this license which gives you legal permission to copy,
|
||||
distribute and/or modify the software.
|
||||
|
||||
Also, for each author's protection and ours, we want to make certain
|
||||
that everyone understands that there is no warranty for this free
|
||||
software. If the software is modified by someone else and passed on, we
|
||||
want its recipients to know that what they have is not the original, so
|
||||
that any problems introduced by others will not reflect on the original
|
||||
authors' reputations.
|
||||
|
||||
Finally, any free program is threatened constantly by software
|
||||
patents. We wish to avoid the danger that redistributors of a free
|
||||
program will individually obtain patent licenses, in effect making the
|
||||
program proprietary. To prevent this, we have made it clear that any
|
||||
patent must be licensed for everyone's free use or not licensed at all.
|
||||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||
|
||||
0. This License applies to any program or other work which contains
|
||||
a notice placed by the copyright holder saying it may be distributed
|
||||
under the terms of this General Public License. The "Program", below,
|
||||
refers to any such program or work, and a "work based on the Program"
|
||||
means either the Program or any derivative work under copyright law:
|
||||
that is to say, a work containing the Program or a portion of it,
|
||||
either verbatim or with modifications and/or translated into another
|
||||
language. (Hereinafter, translation is included without limitation in
|
||||
the term "modification".) Each licensee is addressed as "you".
|
||||
|
||||
Activities other than copying, distribution and modification are not
|
||||
covered by this License; they are outside its scope. The act of
|
||||
running the Program is not restricted, and the output from the Program
|
||||
is covered only if its contents constitute a work based on the
|
||||
Program (independent of having been made by running the Program).
|
||||
Whether that is true depends on what the Program does.
|
||||
|
||||
1. You may copy and distribute verbatim copies of the Program's
|
||||
source code as you receive it, in any medium, provided that you
|
||||
conspicuously and appropriately publish on each copy an appropriate
|
||||
copyright notice and disclaimer of warranty; keep intact all the
|
||||
notices that refer to this License and to the absence of any warranty;
|
||||
and give any other recipients of the Program a copy of this License
|
||||
along with the Program.
|
||||
|
||||
You may charge a fee for the physical act of transferring a copy, and
|
||||
you may at your option offer warranty protection in exchange for a fee.
|
||||
|
||||
2. You may modify your copy or copies of the Program or any portion
|
||||
of it, thus forming a work based on the Program, and copy and
|
||||
distribute such modifications or work under the terms of Section 1
|
||||
above, provided that you also meet all of these conditions:
|
||||
|
||||
a) You must cause the modified files to carry prominent notices
|
||||
stating that you changed the files and the date of any change.
|
||||
|
||||
b) You must cause any work that you distribute or publish, that in
|
||||
whole or in part contains or is derived from the Program or any
|
||||
part thereof, to be licensed as a whole at no charge to all third
|
||||
parties under the terms of this License.
|
||||
|
||||
c) If the modified program normally reads commands interactively
|
||||
when run, you must cause it, when started running for such
|
||||
interactive use in the most ordinary way, to print or display an
|
||||
announcement including an appropriate copyright notice and a
|
||||
notice that there is no warranty (or else, saying that you provide
|
||||
a warranty) and that users may redistribute the program under
|
||||
these conditions, and telling the user how to view a copy of this
|
||||
License. (Exception: if the Program itself is interactive but
|
||||
does not normally print such an announcement, your work based on
|
||||
the Program is not required to print an announcement.)
|
||||
|
||||
These requirements apply to the modified work as a whole. If
|
||||
identifiable sections of that work are not derived from the Program,
|
||||
and can be reasonably considered independent and separate works in
|
||||
themselves, then this License, and its terms, do not apply to those
|
||||
sections when you distribute them as separate works. But when you
|
||||
distribute the same sections as part of a whole which is a work based
|
||||
on the Program, the distribution of the whole must be on the terms of
|
||||
this License, whose permissions for other licensees extend to the
|
||||
entire whole, and thus to each and every part regardless of who wrote it.
|
||||
|
||||
Thus, it is not the intent of this section to claim rights or contest
|
||||
your rights to work written entirely by you; rather, the intent is to
|
||||
exercise the right to control the distribution of derivative or
|
||||
collective works based on the Program.
|
||||
|
||||
In addition, mere aggregation of another work not based on the Program
|
||||
with the Program (or with a work based on the Program) on a volume of
|
||||
a storage or distribution medium does not bring the other work under
|
||||
the scope of this License.
|
||||
|
||||
3. You may copy and distribute the Program (or a work based on it,
|
||||
under Section 2) in object code or executable form under the terms of
|
||||
Sections 1 and 2 above provided that you also do one of the following:
|
||||
|
||||
a) Accompany it with the complete corresponding machine-readable
|
||||
source code, which must be distributed under the terms of Sections
|
||||
1 and 2 above on a medium customarily used for software interchange; or,
|
||||
|
||||
b) Accompany it with a written offer, valid for at least three
|
||||
years, to give any third party, for a charge no more than your
|
||||
cost of physically performing source distribution, a complete
|
||||
machine-readable copy of the corresponding source code, to be
|
||||
distributed under the terms of Sections 1 and 2 above on a medium
|
||||
customarily used for software interchange; or,
|
||||
|
||||
c) Accompany it with the information you received as to the offer
|
||||
to distribute corresponding source code. (This alternative is
|
||||
allowed only for noncommercial distribution and only if you
|
||||
received the program in object code or executable form with such
|
||||
an offer, in accord with Subsection b above.)
|
||||
|
||||
The source code for a work means the preferred form of the work for
|
||||
making modifications to it. For an executable work, complete source
|
||||
code means all the source code for all modules it contains, plus any
|
||||
associated interface definition files, plus the scripts used to
|
||||
control compilation and installation of the executable. However, as a
|
||||
special exception, the source code distributed need not include
|
||||
anything that is normally distributed (in either source or binary
|
||||
form) with the major components (compiler, kernel, and so on) of the
|
||||
operating system on which the executable runs, unless that component
|
||||
itself accompanies the executable.
|
||||
|
||||
If distribution of executable or object code is made by offering
|
||||
access to copy from a designated place, then offering equivalent
|
||||
access to copy the source code from the same place counts as
|
||||
distribution of the source code, even though third parties are not
|
||||
compelled to copy the source along with the object code.
|
||||
|
||||
4. You may not copy, modify, sublicense, or distribute the Program
|
||||
except as expressly provided under this License. Any attempt
|
||||
otherwise to copy, modify, sublicense or distribute the Program is
|
||||
void, and will automatically terminate your rights under this License.
|
||||
However, parties who have received copies, or rights, from you under
|
||||
this License will not have their licenses terminated so long as such
|
||||
parties remain in full compliance.
|
||||
|
||||
5. You are not required to accept this License, since you have not
|
||||
signed it. However, nothing else grants you permission to modify or
|
||||
distribute the Program or its derivative works. These actions are
|
||||
prohibited by law if you do not accept this License. Therefore, by
|
||||
modifying or distributing the Program (or any work based on the
|
||||
Program), you indicate your acceptance of this License to do so, and
|
||||
all its terms and conditions for copying, distributing or modifying
|
||||
the Program or works based on it.
|
||||
|
||||
6. Each time you redistribute the Program (or any work based on the
|
||||
Program), the recipient automatically receives a license from the
|
||||
original licensor to copy, distribute or modify the Program subject to
|
||||
these terms and conditions. You may not impose any further
|
||||
restrictions on the recipients' exercise of the rights granted herein.
|
||||
You are not responsible for enforcing compliance by third parties to
|
||||
this License.
|
||||
|
||||
7. If, as a consequence of a court judgment or allegation of patent
|
||||
infringement or for any other reason (not limited to patent issues),
|
||||
conditions are imposed on you (whether by court order, agreement or
|
||||
otherwise) that contradict the conditions of this License, they do not
|
||||
excuse you from the conditions of this License. If you cannot
|
||||
distribute so as to satisfy simultaneously your obligations under this
|
||||
License and any other pertinent obligations, then as a consequence you
|
||||
may not distribute the Program at all. For example, if a patent
|
||||
license would not permit royalty-free redistribution of the Program by
|
||||
all those who receive copies directly or indirectly through you, then
|
||||
the only way you could satisfy both it and this License would be to
|
||||
refrain entirely from distribution of the Program.
|
||||
|
||||
If any portion of this section is held invalid or unenforceable under
|
||||
any particular circumstance, the balance of the section is intended to
|
||||
apply and the section as a whole is intended to apply in other
|
||||
circumstances.
|
||||
|
||||
It is not the purpose of this section to induce you to infringe any
|
||||
patents or other property right claims or to contest validity of any
|
||||
such claims; this section has the sole purpose of protecting the
|
||||
integrity of the free software distribution system, which is
|
||||
implemented by public license practices. Many people have made
|
||||
generous contributions to the wide range of software distributed
|
||||
through that system in reliance on consistent application of that
|
||||
system; it is up to the author/donor to decide if he or she is willing
|
||||
to distribute software through any other system and a licensee cannot
|
||||
impose that choice.
|
||||
|
||||
This section is intended to make thoroughly clear what is believed to
|
||||
be a consequence of the rest of this License.
|
||||
|
||||
8. If the distribution and/or use of the Program is restricted in
|
||||
certain countries either by patents or by copyrighted interfaces, the
|
||||
original copyright holder who places the Program under this License
|
||||
may add an explicit geographical distribution limitation excluding
|
||||
those countries, so that distribution is permitted only in or among
|
||||
countries not thus excluded. In such case, this License incorporates
|
||||
the limitation as if written in the body of this License.
|
||||
|
||||
9. The Free Software Foundation may publish revised and/or new versions
|
||||
of the General Public License from time to time. Such new versions will
|
||||
be similar in spirit to the present version, but may differ in detail to
|
||||
address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the Program
|
||||
specifies a version number of this License which applies to it and "any
|
||||
later version", you have the option of following the terms and conditions
|
||||
either of that version or of any later version published by the Free
|
||||
Software Foundation. If the Program does not specify a version number of
|
||||
this License, you may choose any version ever published by the Free Software
|
||||
Foundation.
|
||||
|
||||
10. If you wish to incorporate parts of the Program into other free
|
||||
programs whose distribution conditions are different, write to the author
|
||||
to ask for permission. For software which is copyrighted by the Free
|
||||
Software Foundation, write to the Free Software Foundation; we sometimes
|
||||
make exceptions for this. Our decision will be guided by the two goals
|
||||
of preserving the free status of all derivatives of our free software and
|
||||
of promoting the sharing and reuse of software generally.
|
||||
|
||||
NO WARRANTY
|
||||
|
||||
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||
REPAIR OR CORRECTION.
|
||||
|
||||
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGES.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
possible use to the public, the best way to achieve this is to make it
|
||||
free software which everyone can redistribute and change under these terms.
|
||||
|
||||
To do so, attach the following notices to the program. It is safest
|
||||
to attach them to the start of each source file to most effectively
|
||||
convey the exclusion of warranty; and each file should have at least
|
||||
the "copyright" line and a pointer to where the full notice is found.
|
||||
|
||||
<one line to give the program's name and a brief idea of what it does.>
|
||||
Copyright (C) 19yy <name of author>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
|
||||
|
||||
Also add information on how to contact you by electronic and paper mail.
|
||||
|
||||
If the program is interactive, make it output a short notice like this
|
||||
when it starts in an interactive mode:
|
||||
|
||||
Gnomovision version 69, Copyright (C) 19yy name of author
|
||||
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||
This is free software, and you are welcome to redistribute it
|
||||
under certain conditions; type `show c' for details.
|
||||
|
||||
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||
parts of the General Public License. Of course, the commands you use may
|
||||
be called something other than `show w' and `show c'; they could even be
|
||||
mouse-clicks or menu items--whatever suits your program.
|
||||
|
||||
You should also get your employer (if you work as a programmer) or your
|
||||
school, if any, to sign a "copyright disclaimer" for the program, if
|
||||
necessary. Here is a sample; alter the names:
|
||||
|
||||
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
|
||||
`Gnomovision' (which makes passes at compilers) written by James Hacker.
|
||||
|
||||
<signature of Ty Coon>, 1 April 1989
|
||||
Ty Coon, President of Vice
|
||||
|
||||
This General Public License does not permit incorporating your program into
|
||||
proprietary programs. If your program is a subroutine library, you may
|
||||
consider it more useful to permit linking proprietary applications with the
|
||||
library. If this is what you want to do, use the GNU Library General
|
||||
Public License instead of this License.
|
45
STABLE2/INSTALL
Normal file
45
STABLE2/INSTALL
Normal file
@ -0,0 +1,45 @@
|
||||
Shoreline Firewall (Shorewall) Version 2.0 - 2/14/2004
|
||||
----- ----
|
||||
|
||||
-----------------------------------------------------------------------------
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of Version 2 of the GNU General Public License
|
||||
as published by the Free Software Foundation.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
|
||||
---------------------------------------------------------------------------
|
||||
If your system supports rpm, I recommend that you install the Shorewall
|
||||
.rpm. If you want to install from the tarball:
|
||||
|
||||
o Unpack the tarball
|
||||
o cd to the shorewall-<version> directory
|
||||
o If you have an earlier version of Shoreline Firewall installed,see the
|
||||
upgrade instructions below
|
||||
o Edit the configuration files to fit your environment.
|
||||
|
||||
To do this, I strongly advise you to follow the instructions at:
|
||||
|
||||
http://www.shorewall.net/shorewall_quickstart_guide.htm
|
||||
|
||||
o Type "./install.sh".
|
||||
o Start the firewall by typing "shorewall start"
|
||||
o If the install script was unable to configure Shoreline Firewall to
|
||||
start automatically at boot, you will have to used your
|
||||
distribution's runlevel editor to configure Shorewall manually.
|
||||
|
||||
Upgrade:
|
||||
|
||||
o run the install script as described above.
|
||||
o "shorewall check" and correct any errors found.
|
||||
o "shorewall restart"
|
||||
|
||||
|
73
STABLE2/accounting
Normal file
73
STABLE2/accounting
Normal file
@ -0,0 +1,73 @@
|
||||
#
|
||||
# Shorewall version 2.0 - Accounting File
|
||||
#
|
||||
# /etc/shorewall/accounting
|
||||
#
|
||||
# Accounting rules exist simply to count packets and bytes in categories
|
||||
# that you define in this file. You may display these rules and their
|
||||
# packet and byte counters using the "shorewall show accounting" command.
|
||||
#
|
||||
# Please see http://shorewall.net/Accounting.html for examples and
|
||||
# additional information about how to use this file.
|
||||
#
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# ACTION - What to do when a match is found.
|
||||
#
|
||||
# COUNT - Simply count the match and continue
|
||||
# with the next rule
|
||||
# DONE - Count the match and don't attempt
|
||||
# to match any other accounting rules
|
||||
# in the chain specified in the CHAIN
|
||||
# column.
|
||||
# <chain>[:COUNT]
|
||||
# - Where <chain> is the name of
|
||||
# a chain. Shorewall will create
|
||||
# the chain automatically if it
|
||||
# doesn't already exist. Causes
|
||||
# a jump to that chain. If :COUNT
|
||||
# is including, a counting rule
|
||||
# matching this record will be
|
||||
# added to <chain>
|
||||
#
|
||||
# CHAIN - The name of a chain. If specified as "-" the
|
||||
# 'accounting' chain is assumed. This is the chain
|
||||
# where the accounting rule is added. The chain will
|
||||
# be created if it doesn't already exist.
|
||||
#
|
||||
# SOURCE - Packet Source
|
||||
#
|
||||
# The name of an interface, an address (host or net) or
|
||||
# an interface name followed by ":"
|
||||
# and a host or net address.
|
||||
#
|
||||
# DESTINATION - Packet Destination
|
||||
#
|
||||
# Format the same as the SOURCE column.
|
||||
#
|
||||
# PROTOCOL A protocol name (from /etc/protocols), a protocol
|
||||
# number.
|
||||
#
|
||||
# DEST PORT Destination Port number
|
||||
#
|
||||
# Service name from /etc/services or port number. May
|
||||
# only be specified if the protocol is TCP or UDP (6
|
||||
# or 17).
|
||||
#
|
||||
# SOURCE PORT Source Port number
|
||||
#
|
||||
# Service name from /etc/services or port number. May
|
||||
# only be specified if the protocol is TCP or UDP (6
|
||||
# or 17).
|
||||
#
|
||||
# In all of the above columns except ACTION and CHAIN, the values "-",
|
||||
# "any" and "all" may be used as wildcards
|
||||
#
|
||||
# Please see http://shorewall.net/Accounting.html for examples and
|
||||
# additional information about how to use this file.
|
||||
#
|
||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
|
||||
# PORT PORT
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE2/action.AllowAuth
Normal file
10
STABLE2/action.AllowAuth
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowAuth
|
||||
#
|
||||
# This action accepts Auth (identd) traffic.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 113
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE2/action.AllowDNS
Normal file
11
STABLE2/action.AllowDNS
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowDNS
|
||||
#
|
||||
# This action accepts DNS traffic.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - udp 53
|
||||
ACCEPT - - tcp 53
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE2/action.AllowFTP
Normal file
11
STABLE2/action.AllowFTP
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowFTP
|
||||
#
|
||||
# This action accepts FTP traffic. See
|
||||
# http://www.shorewall.net/FTP.html for additional considerations.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 21
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE2/action.AllowIMAP
Normal file
11
STABLE2/action.AllowIMAP
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowIMAP
|
||||
#
|
||||
# This action accepts IMAP traffic (secure and insecure):
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 143 #Unsecure IMAP
|
||||
ACCEPT - - tcp 993 #Secure IMAP
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE2/action.AllowNNTP
Normal file
10
STABLE2/action.AllowNNTP
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowNNTP
|
||||
#
|
||||
# This action accepts NNTP traffic (Usenet).
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 119
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE2/action.AllowNTP
Normal file
10
STABLE2/action.AllowNTP
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowNTP
|
||||
#
|
||||
# This action accepts NTP traffic (ntpd).
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
ACCEPT - - udp 123
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE2/action.AllowPCA
Normal file
11
STABLE2/action.AllowPCA
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowPCA
|
||||
#
|
||||
# This action accepts PCAnywere (tm)
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - udp 5631
|
||||
ACCEPT - - tcp 5632
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE2/action.AllowPOP3
Normal file
11
STABLE2/action.AllowPOP3
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowPOP3
|
||||
#
|
||||
# This action accepts POP3 traffic (secure and insecure):
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
ACCEPT - - tcp 110 #Unsecure POP3
|
||||
ACCEPT - - tcp 995 #Secure POP3
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE2/action.AllowPing
Normal file
10
STABLE2/action.AllowPing
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowPing
|
||||
#
|
||||
# This action accepts 'ping' requests.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - icmp 8
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE2/action.AllowRdate
Normal file
10
STABLE2/action.AllowRdate
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowRdate
|
||||
#
|
||||
# This action accepts remote time retrieval (rdate).
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 37
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
14
STABLE2/action.AllowSMB
Normal file
14
STABLE2/action.AllowSMB
Normal file
@ -0,0 +1,14 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowSMB
|
||||
#
|
||||
# Allow Microsoft SMB traffic. You need to invoke this action in
|
||||
# both directions.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - udp 135,445
|
||||
ACCEPT - - udp 137:139
|
||||
ACCEPT - - udp 1024: 137
|
||||
ACCEPT - - tcp 135,139,445
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
15
STABLE2/action.AllowSMTP
Normal file
15
STABLE2/action.AllowSMTP
Normal file
@ -0,0 +1,15 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowSMTP
|
||||
#
|
||||
# This action accepts SMTP (email) traffic.
|
||||
#
|
||||
# Note: This action allows traffic between an MUA (Email client)
|
||||
# and an MTA (mail server) or between MTAs. It does not enable
|
||||
# reading of email via POP3 or IMAP. For those you need to use
|
||||
# the AllowPOP3 or AllowIMAP actions.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 25
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE2/action.AllowSNMP
Normal file
11
STABLE2/action.AllowSNMP
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowSNMP
|
||||
#
|
||||
# This action accepts SNMP traffic (including traps):
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - udp 161:162
|
||||
ACCEPT - - tcp 161
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE2/action.AllowSSH
Normal file
10
STABLE2/action.AllowSSH
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowSSH
|
||||
#
|
||||
# This action accepts secure shell (SSH) traffic.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 22
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE2/action.AllowTelnet
Normal file
11
STABLE2/action.AllowTelnet
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowTelnet
|
||||
#
|
||||
# This action accepts Telnet traffic. For traffic over the
|
||||
# internet, telnet is inappropriate; use SSH instead
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 23
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE2/action.AllowTrcrt
Normal file
11
STABLE2/action.AllowTrcrt
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowTrcrt
|
||||
#
|
||||
# This action accepts Traceroute (for up to 20 hops):
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - udp 33434:33454 #UDP Traceroute
|
||||
ACCEPT - - icmp 8 #ICMP Traceroute
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE2/action.AllowVNC
Normal file
10
STABLE2/action.AllowVNC
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
|
||||
#
|
||||
# This action accepts VNC traffic for VNC display's 0 - 9.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 5900:5909
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE2/action.AllowVNCL
Normal file
10
STABLE2/action.AllowVNCL
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
|
||||
#
|
||||
# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 5500
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE2/action.AllowWeb
Normal file
11
STABLE2/action.AllowWeb
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowWeb
|
||||
#
|
||||
# This action accepts WWW traffic (secure and insecure):
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 80
|
||||
ACCEPT - - TCP 443
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
15
STABLE2/action.Drop
Normal file
15
STABLE2/action.Drop
Normal file
@ -0,0 +1,15 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.Drop
|
||||
#
|
||||
# The default DROP common rules
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
RejectAuth
|
||||
dropBcast
|
||||
DropSMB
|
||||
DropUPnP
|
||||
dropNonSyn
|
||||
DropDNSrep
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE2/action.DropDNSrep
Normal file
10
STABLE2/action.DropDNSrep
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropDNSrep
|
||||
#
|
||||
# This action silently drops DNS UDP replies
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
DROP - - udp - 53
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE2/action.DropPing
Normal file
10
STABLE2/action.DropPing
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropPing
|
||||
#
|
||||
# This action silently drops 'ping' requests.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
DROP - - icmp 8
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
15
STABLE2/action.DropSMB
Normal file
15
STABLE2/action.DropSMB
Normal file
@ -0,0 +1,15 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropSMB
|
||||
#
|
||||
# This action silently drops Microsoft SMB traffic
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
DROP - - udp 135
|
||||
DROP - - udp 137:139
|
||||
DROP - - udp 445
|
||||
DROP - - tcp 135
|
||||
DROP - - tcp 139
|
||||
DROP - - tcp 445
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE2/action.DropUPnP
Normal file
10
STABLE2/action.DropUPnP
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropUPnP
|
||||
#
|
||||
# This action silently drops UPnP probes on UDP port 1900
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
DROP - - udp 1900
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
15
STABLE2/action.Reject
Normal file
15
STABLE2/action.Reject
Normal file
@ -0,0 +1,15 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.Reject
|
||||
#
|
||||
# The default REJECT action common rules
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
RejectAuth
|
||||
dropBcast
|
||||
RejectSMB
|
||||
DropUPnP
|
||||
dropNonSyn
|
||||
DropDNSrep
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE2/action.RejectAuth
Normal file
10
STABLE2/action.RejectAuth
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.RejectAuth
|
||||
#
|
||||
# This action silently rejects Auth (tcp 113) traffic
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
REJECT - - tcp 113
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
15
STABLE2/action.RejectSMB
Normal file
15
STABLE2/action.RejectSMB
Normal file
@ -0,0 +1,15 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.RejectSMB
|
||||
#
|
||||
# This action silently rejects Microsoft SMB traffic
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
REJECT - - udp 135
|
||||
REJECT - - udp 137:139
|
||||
REJECT - - udp 445
|
||||
REJECT - - tcp 135
|
||||
REJECT - - tcp 139
|
||||
REJECT - - tcp 445
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
151
STABLE2/action.template
Normal file
151
STABLE2/action.template
Normal file
@ -0,0 +1,151 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.template
|
||||
#
|
||||
# This file is a template for files with names of the form
|
||||
# /etc/shorewall/action.<action-name> where <action> is an
|
||||
# ACTION defined in /etc/shorewall/actions.
|
||||
#
|
||||
# To define a new action:
|
||||
#
|
||||
# 1. Add the <action name> to /etc/shorewall/actions
|
||||
# 2. Copy this file to /etc/shorewall/action.<action name>
|
||||
# 3. Add the desired rules to that file.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
#
|
||||
# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
|
||||
# previously-defined <action>
|
||||
#
|
||||
# ACCEPT -- allow the connection request
|
||||
# DROP -- ignore the request
|
||||
# REJECT -- disallow the request and return an
|
||||
# icmp-unreachable or an RST packet.
|
||||
# LOG -- Simply log the packet and continue.
|
||||
# QUEUE -- Queue the packet to a user-space
|
||||
# application such as p2pwall.
|
||||
# CONTINUE -- Discontinue processing this action
|
||||
# and return to the point where the
|
||||
# action was invoked.
|
||||
# <action> -- An <action> defined in
|
||||
# /etc/shorewall/actions. The <action>
|
||||
# must appear in that file BEFORE the
|
||||
# one being defined in this file.
|
||||
#
|
||||
# The TARGET may optionally be followed
|
||||
# by ":" and a syslog log level (e.g, REJECT:info or
|
||||
# ACCEPT:debugging). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# You may also specify ULOG (must be in upper case) as a
|
||||
# log level.This will log to the ULOG target for routing
|
||||
# to a separate log through use of ulogd
|
||||
# (http://www.gnumonks.org/projects/ulogd).
|
||||
#
|
||||
# SOURCE Source hosts to which the rule applies.
|
||||
# A comma-separated list of subnets
|
||||
# and/or hosts. Hosts may be specified by IP or MAC
|
||||
# address; mac addresses must begin with "~" and must use
|
||||
# "-" as a separator.
|
||||
#
|
||||
# 192.168.2.2 Host 192.168.2.2
|
||||
#
|
||||
# 155.186.235.0/24 Subnet 155.186.235.0/24
|
||||
#
|
||||
# 192.168.1.1,192.168.1.2
|
||||
# Hosts 192.168.1.1 and
|
||||
# 192.168.1.2.
|
||||
# ~00-A0-C9-15-39-78 Host with
|
||||
# MAC address 00:A0:C9:15:39:78.
|
||||
#
|
||||
# Alternatively, clients may be specified by interface
|
||||
# name. For example, eth1 specifies a
|
||||
# client that communicates with the firewall system
|
||||
# through eth1. This may be optionally followed by
|
||||
# another colon (":") and an IP/MAC/subnet address
|
||||
# as described above (e.g., eth1:192.168.1.5).
|
||||
#
|
||||
# DEST Location of Server. Same as above with the exception that
|
||||
# MAC addresses are not allowed.
|
||||
#
|
||||
# Unlike in the SOURCE column, you may specify a range of
|
||||
# up to 256 IP addresses using the syntax
|
||||
# <first ip>-<last ip>.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
||||
# "all".
|
||||
#
|
||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# A port range is expressed as <low port>:<high port>.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
# entered if any of the following fields are supplied.
|
||||
# In that case, it is suggested that this field contain
|
||||
# "-"
|
||||
#
|
||||
# If your kernel contains multi-port match support, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
# this list and the CLIENT PORT(S) list below:
|
||||
# 1. There are 15 or less ports listed.
|
||||
# 2. No port ranges are included.
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
|
||||
# any source port is acceptable. Specified as a comma-
|
||||
# separated list of port names, port numbers or port
|
||||
# ranges.
|
||||
#
|
||||
# If you don't want to restrict client ports but need to
|
||||
# specify an ADDRESS in the next column, then place "-"
|
||||
# in this column.
|
||||
#
|
||||
# If your kernel contains multi-port match support, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
# this list and the DEST PORT(S) list above:
|
||||
# 1. There are 15 or less ports listed.
|
||||
# 2. No port ranges are included.
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||
# this column:
|
||||
#
|
||||
# <rate>/<interval>[:<burst>]
|
||||
#
|
||||
# where <rate> is the number of connections per
|
||||
# <interval> ("sec" or "min") and <burst> is the
|
||||
# largest burst permitted. If no <burst> is given,
|
||||
# a value of 5 is assumed. There may be no
|
||||
# no whitespace embedded in the specification.
|
||||
#
|
||||
# Example: 10/sec:20
|
||||
#
|
||||
# USER/GROUP This column may only be non-empty if the SOURCE is
|
||||
# the firewall itself.
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>]
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
# the effective <user> and/or <group> specified (or is
|
||||
# NOT running under that id if "!" is given).
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# joe #program must be run by joe
|
||||
# :kids #program must be run by a member of
|
||||
# #the 'kids' group
|
||||
# !:kids #program must not be run by a member
|
||||
# #of the 'kids' group
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
|
||||
# PORT PORT(S) LIMIT
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
27
STABLE2/actions
Normal file
27
STABLE2/actions
Normal file
@ -0,0 +1,27 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/actions
|
||||
#
|
||||
# This file allows you to define new ACTIONS for use in rules
|
||||
# (/etc/shorewall/rules). You define the iptables rules to
|
||||
# be performed in an ACTION in
|
||||
# /etc/shorewall/action.<action-name>.
|
||||
#
|
||||
# ACTION names should begin with an upper-case letter to
|
||||
# distinguish them from Shorewall-generated chain names and
|
||||
# they must need the requirements of a Netfilter chain
|
||||
# name as well as the requirements for a Bourne Shell identifier
|
||||
# (must begin with a letter and be composed of letters, digits
|
||||
# and underscore characters).
|
||||
#
|
||||
# If you follow the action name with ":DROP", ":REJECT" or
|
||||
# :ACCEPT then the action will be taken before a DROP, REJECT or
|
||||
# ACCEPT policy respectively is enforced. If you specify ":DROP",
|
||||
# ":REJECT" or ":ACCEPT" on more than one action then only the
|
||||
# last such action will be taken.
|
||||
#
|
||||
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
|
||||
# itself, the associated policy will have no common action.
|
||||
#
|
||||
#ACTION
|
||||
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
42
STABLE2/actions.std
Normal file
42
STABLE2/actions.std
Normal file
@ -0,0 +1,42 @@
|
||||
#
|
||||
# Shorewall 2.0 /usr/share/shorewall/actions.std
|
||||
#
|
||||
#
|
||||
# Builtin Actions are:
|
||||
#
|
||||
# dropBcast #Silently Drop Broadcast/multicast
|
||||
# dropNonSyn #Silently Drop Non-syn TCP packets
|
||||
#
|
||||
#ACTION
|
||||
|
||||
DropSMB #Silently Drops Microsoft SMB Traffic
|
||||
RejectSMB #Silently Reject Microsoft SMB Traffic
|
||||
DropUPnP #Silently Drop UPnP Probes
|
||||
RejectAuth #Silently Reject Auth
|
||||
DropPing #Silently Drop Ping
|
||||
DropDNSrep #Silently Drop DNS Replies
|
||||
|
||||
AllowPing #Accept Ping
|
||||
AllowFTP #Accept FTP
|
||||
AllowDNS #Accept DNS
|
||||
AllowSSH #Accept SSH
|
||||
AllowWeb #Allow Web Browsing
|
||||
AllowSMB #Allow MS Networking
|
||||
AllowAuth #Allow Auth (identd)
|
||||
AllowSMTP #Allow SMTP (Email)
|
||||
AllowPOP3 #Allow reading mail via POP3
|
||||
AllowIMAP #Allow reading mail via IMAP
|
||||
AllowTelnet #Allow Telnet Access (not recommended for use over the
|
||||
#Internet)
|
||||
AllowVNC #Allow VNC viewer->server, Displays 0-9
|
||||
AllowVNCL #Allow VNC server->viewer in listening mode
|
||||
AllowNTP #Allow Network Time Protocol (ntpd)
|
||||
AllowRdate #Allow remote time (rdate).
|
||||
AllowNNTP #Allow network news (Usenet).
|
||||
AllowTrcrt #Allows Traceroute (20 hops)
|
||||
AllowSNMP #Allows SNMP (including traps)
|
||||
AllowPCA #Allows PCAnywhere (tm)
|
||||
|
||||
Drop:DROP #Common Action for DROP policy
|
||||
Reject:REJECT #Common Action for REJECT policy
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
43
STABLE2/blacklist
Normal file
43
STABLE2/blacklist
Normal file
@ -0,0 +1,43 @@
|
||||
#
|
||||
# Shorewall 2.0 -- Blacklist File
|
||||
#
|
||||
# /etc/shorewall/blacklist
|
||||
#
|
||||
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
|
||||
#
|
||||
# MAC addresses must be prefixed with "~" and use "-"
|
||||
# as a separator.
|
||||
#
|
||||
# Example: ~00-A0-C9-15-39-78
|
||||
#
|
||||
# PROTOCOL - Optional. If specified, must be a protocol number
|
||||
# or a protocol name from /etc/protocols.
|
||||
#
|
||||
# PORTS - Optional. May only be specified if the protocol
|
||||
# is TCP (6) or UDP (17). A comma-separated list
|
||||
# of port numbers or service names from /etc/services.
|
||||
#
|
||||
# When a packet arrives on in interface that has the 'blacklist' option
|
||||
# specified, its source IP address is checked against this file and disposed of
|
||||
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
|
||||
# /etc/shorewall/shorewall.conf
|
||||
#
|
||||
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
|
||||
# the protocol (and one of the ports if PORTS supplied) are blocked.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# To block DNS queries from address 192.0.2.126:
|
||||
#
|
||||
# ADDRESS/SUBNET PROTOCOL PORT
|
||||
# 192.0.2.126 udp 53
|
||||
#
|
||||
###############################################################################
|
||||
#ADDRESS/SUBNET PROTOCOL PORT
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
|
70
STABLE2/changelog.txt
Normal file
70
STABLE2/changelog.txt
Normal file
@ -0,0 +1,70 @@
|
||||
Changes since 1.4.10
|
||||
|
||||
1) Remove 'unclean' support.
|
||||
|
||||
2) Remove NAT_BEFORE_RULES.
|
||||
|
||||
3) Remove HAVEROUTE column from ProxyARP.
|
||||
|
||||
4) Change default for ALL INTERFACES in /etc/shorewall/nat.
|
||||
|
||||
5) Rename the product to Shorewall2.
|
||||
|
||||
6) Remove common chain.
|
||||
|
||||
7) Add default action mechanism.
|
||||
|
||||
8) Add USER/GROUP column to /etc/shorewall2/action.template.
|
||||
|
||||
9) Get installer/uninstaller to work.
|
||||
|
||||
10) Restore HAVEROUTE and add PERSISTENT column to the proxy arp file.
|
||||
|
||||
11) Install correct init script on Debian.
|
||||
|
||||
12) Get the attention of 'logunclean' and 'dropunclean' users.
|
||||
|
||||
13) Replace all instances of `...` with $(...) for readability.
|
||||
|
||||
14) Add action.AllowSNMP
|
||||
|
||||
15) Move some code from firewall to functions
|
||||
|
||||
16) Removed the DropBcast and DropNonSyn actions and replaced them with
|
||||
builtin actions dropBcast and dropNonSyn.
|
||||
|
||||
17) Make "trace" a synonym for "debug"
|
||||
|
||||
18) Add the ":noah" option to IPSEC tunnels.
|
||||
|
||||
19) Added a comment to the rules file to aid users who are terminally stupid.
|
||||
|
||||
20) Only create the action chains that are actually used.
|
||||
|
||||
21) Move actions.std and action.* files to /usr/share/shorewall.
|
||||
|
||||
22) Added DISABLE_IPV6 option.
|
||||
|
||||
23) Allow rate limiting on CONTINUE and REJECT.
|
||||
|
||||
24) Move rfc1918 to /usr/share/shorewall
|
||||
|
||||
25) Make detectnets and routeback play nice together.
|
||||
|
||||
26) Avoid superfluous --state NEW tests.
|
||||
|
||||
27) Allow backrouting of 'routestopped' devices.
|
||||
|
||||
28) Fix the help file.
|
||||
|
||||
29) Correct handling of !z1,z2,... in a DNAT/REDIRECT rule.
|
||||
|
||||
30) Remove fw->fw policy.
|
||||
|
||||
31) Issue clearer message if ip6tables not installed.
|
||||
|
||||
32) Make 'CONTINUE' rules work again.
|
||||
|
||||
33) Correct a comment in the rules file. Update for 2.0.0 final release.
|
||||
|
||||
34) Eliminate Warning about Policy as rule when using actions.
|
18
STABLE2/default.debian
Normal file
18
STABLE2/default.debian
Normal file
@ -0,0 +1,18 @@
|
||||
# prevent startup with default configuration
|
||||
# set the following varible to 1 in order to allow Shorewall to start
|
||||
|
||||
startup=0
|
||||
|
||||
# if your Shorewall configuration requires detection of the ip address of a ppp
|
||||
# interface, you must list such interfaces in "wait_interface" to get Shorewall to
|
||||
# wait until the interface is configured. Otherwise the script will fail because
|
||||
# it won't be able to detect the IP address.
|
||||
#
|
||||
# Example:
|
||||
# wait_interface="ppp0"
|
||||
# or
|
||||
# wait_interface="ppp0 ppp1"
|
||||
# or, if you have defined in /etc/shorewall/params
|
||||
# wait_interface=
|
||||
|
||||
# EOF
|
18
STABLE2/ecn
Normal file
18
STABLE2/ecn
Normal file
@ -0,0 +1,18 @@
|
||||
#
|
||||
# Shorewall 2.0 - /etc/shorewall/ecn
|
||||
#
|
||||
# Use this file to list the destinations for which you want to
|
||||
# disable ECN.
|
||||
#
|
||||
# This feature requires kernel 2.4.20 or later. If you run 2.4.20,
|
||||
# you also need the patch found at http://www.shorewall.net/ecn/patch.
|
||||
# That patch is included in kernels 2.4.21 and later.
|
||||
#
|
||||
# INTERFACE - Interface through which host(s) communicate with
|
||||
# the firewall
|
||||
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
||||
# If left empty or supplied as "-",
|
||||
# 0.0.0.0/0 is assumed.
|
||||
##############################################################################
|
||||
#INTERFACE HOST(S)
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
143
STABLE2/fallback.sh
Executable file
143
STABLE2/fallback.sh
Executable file
@ -0,0 +1,143 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Script to back out the installation of Shoreline Firewall and to restore the previous version of
|
||||
# the program
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://seattlefirewall.dyndns.org
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
# Usage:
|
||||
#
|
||||
# You may only use this script to back out the installation of the version
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=2.0.0
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
echo "usage: $(basename $0)"
|
||||
exit $1
|
||||
}
|
||||
|
||||
restore_file() # $1 = file to restore
|
||||
{
|
||||
if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
|
||||
if (mv -f ${1}-${VERSION}.bkout $1); then
|
||||
echo
|
||||
echo "$1 restored"
|
||||
else
|
||||
echo "ERROR: Could not restore $1"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
if [ ! -f /usr/share/shorewall/version-${VERSION}.bkout ]; then
|
||||
echo "Shorewall Version $VERSION is not installed"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Backing Out Installation of Shorewall $VERSION"
|
||||
|
||||
if [ -L /usr/share/shorewall/init ]; then
|
||||
FIREWALL=$(ls -l /usr/share/shorewall/firewall | sed 's/^.*> //')
|
||||
restore_file $FIREWALL
|
||||
else
|
||||
restore_file /etc/init.d/shorewall
|
||||
fi
|
||||
|
||||
restore_file /usr/share/shorewall/firewall
|
||||
|
||||
restore_file /sbin/shorewall
|
||||
|
||||
restore_file /etc/shorewall/shorewall.conf
|
||||
|
||||
restore_file /etc/shorewall/functions
|
||||
restore_file /usr/lib/shorewall/functions
|
||||
restore_file /var/lib/shorewall/functions
|
||||
restore_file /usr/lib/shorewall/firewall
|
||||
restore_file /usr/lib/shorewall/help
|
||||
|
||||
restore_file /etc/shorewall/common.def
|
||||
|
||||
restore_file /etc/shorewall/icmp.def
|
||||
|
||||
restore_file /etc/shorewall/zones
|
||||
|
||||
restore_file /etc/shorewall/policy
|
||||
|
||||
restore_file /etc/shorewall/interfaces
|
||||
|
||||
restore_file /etc/shorewall/hosts
|
||||
|
||||
restore_file /etc/shorewall/rules
|
||||
|
||||
restore_file /etc/shorewall/nat
|
||||
|
||||
restore_file /etc/shorewall/params
|
||||
|
||||
restore_file /etc/shorewall/proxyarp
|
||||
|
||||
restore_file /etc/shorewall/routestopped
|
||||
|
||||
restore_file /etc/shorewall/maclist
|
||||
|
||||
restore_file /etc/shorewall/masq
|
||||
|
||||
restore_file /etc/shorewall/modules
|
||||
|
||||
restore_file /etc/shorewall/tcrules
|
||||
|
||||
restore_file /etc/shorewall/tos
|
||||
|
||||
restore_file /etc/shorewall/tunnels
|
||||
|
||||
restore_file /etc/shorewall/blacklist
|
||||
|
||||
restore_file /etc/shorewall/whitelist
|
||||
|
||||
restore_file /etc/shorewall/rfc1918
|
||||
restore_file /usr/share/shorewall/rfc1918
|
||||
|
||||
restore_file /etc/shorewall/init
|
||||
|
||||
restore_file /etc/shorewall/start
|
||||
|
||||
restore_file /etc/shorewall/stop
|
||||
|
||||
restore_file /etc/shorewall/stopped
|
||||
|
||||
restore_file /etc/shorewall/ecn
|
||||
|
||||
restore_file /etc/shorewall/accounting
|
||||
|
||||
restore_file /etc/shorewall/actions.std
|
||||
|
||||
restore_file /etc/shorewall/actions
|
||||
|
||||
for f in /usr/share/shorewall/action.*-${VERSION}.bkout; do
|
||||
restore_file $(echo $f | sed "s/-${VERSION}.bkout//")
|
||||
done
|
||||
|
||||
restore_file /usr/share/shorewall/version
|
||||
|
||||
echo "Shorewall Restored to Version $oldversion"
|
||||
|
||||
|
5801
STABLE2/firewall
Executable file
5801
STABLE2/firewall
Executable file
File diff suppressed because it is too large
Load Diff
609
STABLE2/functions
Executable file
609
STABLE2/functions
Executable file
@ -0,0 +1,609 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall 2.0 -- /usr/share/shorewall/functions
|
||||
|
||||
#
|
||||
# Search a list looking for a match -- returns zero if a match found
|
||||
# 1 otherwise
|
||||
#
|
||||
list_search() # $1 = element to search for , $2-$n = list
|
||||
{
|
||||
local e=$1
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
[ "x$e" = "x$1" ] && return 0
|
||||
done
|
||||
|
||||
return 1
|
||||
}
|
||||
|
||||
#
|
||||
# Functions to count list elements
|
||||
# - - - - - - - - - - - - - - - -
|
||||
# Whitespace-separated list
|
||||
#
|
||||
list_count1() {
|
||||
echo $#
|
||||
}
|
||||
#
|
||||
# Comma-separated list
|
||||
#
|
||||
list_count() {
|
||||
list_count1 $(separate_list $1)
|
||||
}
|
||||
|
||||
#
|
||||
# Suppress all output for a command
|
||||
#
|
||||
qt()
|
||||
{
|
||||
"$@" >/dev/null 2>&1
|
||||
}
|
||||
|
||||
#
|
||||
# Perform variable substitution on the passed argument and echo the result
|
||||
#
|
||||
expand() # $1 = contents of variable which may be the name of another variable
|
||||
{
|
||||
eval echo \"$1\"
|
||||
}
|
||||
|
||||
#
|
||||
# Perform variable substitition on the values of the passed list of variables
|
||||
#
|
||||
expandv() # $* = list of variable names
|
||||
{
|
||||
local varval
|
||||
|
||||
while [ $# -gt 0 ]; do
|
||||
eval varval=\$${1}
|
||||
eval $1=\"$varval\"
|
||||
shift
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Replace all leading "!" with "! " in the passed argument list
|
||||
#
|
||||
|
||||
fix_bang() {
|
||||
local i;
|
||||
|
||||
for i in $@; do
|
||||
case $i in
|
||||
!*)
|
||||
echo "! ${i#!}"
|
||||
;;
|
||||
*)
|
||||
echo $i
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall
|
||||
#
|
||||
find_file()
|
||||
{
|
||||
case $1 in
|
||||
/*)
|
||||
echo $1
|
||||
;;
|
||||
*)
|
||||
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
|
||||
echo $SHOREWALL_DIR/$1
|
||||
elif [ -f /etc/shorewall/$1 ]; then
|
||||
echo /etc/shorewall/$1
|
||||
elif [ -f /usr/share/shorewall/$1 ]; then
|
||||
echo /usr/share/shorewall/$1
|
||||
else
|
||||
echo /etc/shorewall/$1
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
# Replace commas with spaces and echo the result
|
||||
#
|
||||
separate_list() {
|
||||
local list
|
||||
local part
|
||||
local newlist
|
||||
#
|
||||
# There's been whining about us not catching embedded white space in
|
||||
# comma-separated lists. This is an attempt to snag some of the cases.
|
||||
#
|
||||
# The 'terminator' function will be set by the 'firewall' script to
|
||||
# either 'startup_error' or 'fatal_error' depending on the command and
|
||||
# command phase
|
||||
#
|
||||
case "$@" in
|
||||
*,|,*|*,,*|*[[:space:]]*)
|
||||
[ -n "$terminator" ] && \
|
||||
$terminator "Invalid comma-separated list \"$@\""
|
||||
echo "Warning -- invalid comma-separated list \"$@\"" >&2
|
||||
;;
|
||||
esac
|
||||
|
||||
list="$@"
|
||||
part="${list%%,*}"
|
||||
newlist="$part"
|
||||
|
||||
while [ "x$part" != "x$list" ]; do
|
||||
list="${list#*,}";
|
||||
part="${list%%,*}";
|
||||
newlist="$newlist $part";
|
||||
done
|
||||
|
||||
echo "$newlist"
|
||||
}
|
||||
|
||||
#
|
||||
# Find the zones
|
||||
#
|
||||
find_zones() # $1 = name of the zone file
|
||||
{
|
||||
while read zone display comments; do
|
||||
[ -n "$zone" ] && case "$zone" in
|
||||
\#*)
|
||||
;;
|
||||
$FW)
|
||||
echo "Reserved zone name \"$zone\" in zones file ignored" >&2
|
||||
;;
|
||||
*)
|
||||
echo $zone
|
||||
;;
|
||||
esac
|
||||
done < $1
|
||||
}
|
||||
|
||||
find_display() # $1 = zone, $2 = name of the zone file
|
||||
{
|
||||
grep ^$1 $2 | while read z display comments; do
|
||||
[ "x$1" = "x$z" ] && echo $display
|
||||
done
|
||||
}
|
||||
#
|
||||
# This function assumes that the TMP_DIR variable is set and that
|
||||
# its value named an existing directory.
|
||||
#
|
||||
determine_zones()
|
||||
{
|
||||
local zonefile=$(find_file zones)
|
||||
|
||||
multi_display=Multi-zone
|
||||
strip_file zones $zonefile
|
||||
zones=$(find_zones $TMP_DIR/zones)
|
||||
zones=$(echo $zones) # Remove extra trash
|
||||
|
||||
for zone in $zones; do
|
||||
dsply=$(find_display $zone $TMP_DIR/zones)
|
||||
eval ${zone}_display=\$dsply
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# The following functions may be used by apps that wish to ensure that
|
||||
# the state of Shorewall isn't changing
|
||||
#
|
||||
# This function loads the STATEDIR variable (directory where Shorewall is to
|
||||
# store state files). If your application supports alternate Shorewall
|
||||
# configurations then the name of the alternate configuration directory should
|
||||
# be in $SHOREWALL_DIR at the time of the call.
|
||||
#
|
||||
# If the shorewall.conf file does not exist, this function does not return
|
||||
#
|
||||
get_statedir()
|
||||
{
|
||||
MUTEX_TIMEOUT=
|
||||
|
||||
local config=$(find_file shorewall.conf)
|
||||
|
||||
if [ -f $config ]; then
|
||||
. $config
|
||||
else
|
||||
echo "/etc/shorewall/shorewall.conf does not exist!" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||
}
|
||||
|
||||
#
|
||||
# Call this function to assert MUTEX with Shorewall. If you invoke the
|
||||
# /sbin/shorewall program while holding MUTEX, you should pass "nolock" as
|
||||
# the first argument. Example "shorewall nolock refresh"
|
||||
#
|
||||
# This function uses the lockfile utility from procmail if it exists.
|
||||
# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
|
||||
# behavior of lockfile.
|
||||
#
|
||||
mutex_on()
|
||||
{
|
||||
local try=0
|
||||
local lockf=$STATEDIR/lock
|
||||
|
||||
MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
|
||||
|
||||
if [ $MUTEX_TIMEOUT -gt 0 ]; then
|
||||
|
||||
[ -d $STATEDIR ] || mkdir -p $STATEDIR
|
||||
|
||||
if qt which lockfile; then
|
||||
lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
|
||||
else
|
||||
while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
|
||||
sleep 1
|
||||
try=$((${try} + 1))
|
||||
done
|
||||
|
||||
if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
|
||||
# Create the lockfile
|
||||
echo $$ > ${lockf}
|
||||
else
|
||||
echo "Giving up on lock file ${lockf}" >&2
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Call this function to release MUTEX
|
||||
#
|
||||
mutex_off()
|
||||
{
|
||||
rm -f $STATEDIR/lock
|
||||
}
|
||||
|
||||
#
|
||||
# Read a file and handle "INCLUDE" directives
|
||||
#
|
||||
|
||||
read_file() # $1 = file name, $2 = nest count
|
||||
{
|
||||
local first rest
|
||||
|
||||
if [ -f $1 ]; then
|
||||
while read first rest; do
|
||||
if [ "x$first" = "xINCLUDE" ]; then
|
||||
if [ $2 -lt 4 ]; then
|
||||
read_file $(find_file ${rest%#*}) $(($2 + 1))
|
||||
else
|
||||
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
|
||||
fi
|
||||
else
|
||||
echo "$first $rest"
|
||||
fi
|
||||
done < $1
|
||||
else
|
||||
[ -n "$terminator" ] && $terminator "No such file: $1"
|
||||
echo "Warning -- No such file: $1"
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Function for including one file into another
|
||||
#
|
||||
INCLUDE() {
|
||||
. $(find_file $@)
|
||||
}
|
||||
|
||||
#
|
||||
# Strip comments and blank lines from a file and place the result in the
|
||||
# temporary directory
|
||||
#
|
||||
strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
|
||||
{
|
||||
local fname
|
||||
|
||||
[ $# = 1 ] && fname=$(find_file $1) || fname=$2
|
||||
|
||||
if [ -f $fname ]; then
|
||||
read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
|
||||
else
|
||||
> $TMP_DIR/$1
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Note: The following set of IP address manipulation functions have anomalous
|
||||
# behavior when the shell only supports 32-bit signed arithmatic and
|
||||
# the IP address is 128.0.0.0 or 128.0.0.1.
|
||||
#
|
||||
#
|
||||
# So that emacs doesn't get lost, we use $LEFTSHIFT rather than <<
|
||||
#
|
||||
LEFTSHIFT='<<'
|
||||
|
||||
#
|
||||
# Convert an IP address in dot quad format to an integer
|
||||
#
|
||||
decodeaddr() {
|
||||
local x
|
||||
local temp=0
|
||||
local ifs=$IFS
|
||||
|
||||
IFS=.
|
||||
|
||||
for x in $1; do
|
||||
temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
|
||||
done
|
||||
|
||||
echo $temp
|
||||
|
||||
IFS=$ifs
|
||||
}
|
||||
|
||||
#
|
||||
# convert an integer to dot quad format
|
||||
#
|
||||
encodeaddr() {
|
||||
addr=$1
|
||||
local x
|
||||
local y=$(($addr & 255))
|
||||
|
||||
for x in 1 2 3 ; do
|
||||
addr=$(($addr >> 8))
|
||||
y=$(($addr & 255)).$y
|
||||
done
|
||||
|
||||
echo $y
|
||||
}
|
||||
|
||||
#
|
||||
# Enumerate the members of an IP range -- When using a shell supporting only
|
||||
# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
|
||||
#
|
||||
# Comes in two flavors:
|
||||
#
|
||||
# ip_range() - produces a mimimal list of network/host addresses that spans
|
||||
# the range.
|
||||
#
|
||||
# ip_range_explicit() - explicitly enumerates the range.
|
||||
#
|
||||
ip_range() {
|
||||
local first last l x y z vlsm
|
||||
|
||||
case $1 in
|
||||
[0-9]*.*.*.*-*.*.*.*)
|
||||
;;
|
||||
*)
|
||||
echo $1
|
||||
return
|
||||
;;
|
||||
esac
|
||||
|
||||
first=$(decodeaddr ${1%-*})
|
||||
last=$(decodeaddr ${1#*-})
|
||||
|
||||
if [ $first -gt $last ]; then
|
||||
fatal_error "Invalid IP address range: $1"
|
||||
fi
|
||||
|
||||
l=$(( $last + 1 ))
|
||||
|
||||
while [ $first -le $last ]; do
|
||||
vlsm=
|
||||
x=31
|
||||
y=2
|
||||
z=1
|
||||
|
||||
while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do
|
||||
vlsm=/$x
|
||||
x=$(( $x - 1 ))
|
||||
z=$y
|
||||
y=$(( $y * 2 ))
|
||||
done
|
||||
|
||||
echo $(encodeaddr $first)$vlsm
|
||||
first=$(($first + $z))
|
||||
done
|
||||
}
|
||||
|
||||
ip_range_explicit() {
|
||||
local first last
|
||||
|
||||
case $1 in
|
||||
[0-9]*.*.*.*-*.*.*.*)
|
||||
;;
|
||||
*)
|
||||
echo $1
|
||||
return
|
||||
;;
|
||||
esac
|
||||
|
||||
first=$(decodeaddr ${1%-*})
|
||||
last=$(decodeaddr ${1#*-})
|
||||
|
||||
if [ $first -gt $last ]; then
|
||||
fatal_error "Invalid IP address range: $1"
|
||||
fi
|
||||
|
||||
while [ $first -le $last ]; do
|
||||
echo $(encodeaddr $first)
|
||||
first=$(($first + 1))
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Netmask from CIDR
|
||||
#
|
||||
ip_netmask() {
|
||||
local vlsm=${1#*/}
|
||||
|
||||
[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
|
||||
}
|
||||
|
||||
#
|
||||
# Network address from CIDR
|
||||
#
|
||||
ip_network() {
|
||||
local decodedaddr=$(decodeaddr ${1%/*})
|
||||
local netmask=$(ip_netmask $1)
|
||||
|
||||
echo $(encodeaddr $(($decodedaddr & $netmask)))
|
||||
}
|
||||
|
||||
#
|
||||
# The following hack is supplied to compensate for the fact that many of
|
||||
# the popular light-weight Bourne shell derivatives don't support XOR ("^").
|
||||
#
|
||||
|
||||
ip_broadcast() {
|
||||
local x=$(( 32 - ${1#*/} ))
|
||||
|
||||
[ $x -eq 0 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
|
||||
}
|
||||
|
||||
#
|
||||
# Calculate broadcast address from CIDR
|
||||
#
|
||||
broadcastaddress() {
|
||||
local decodedaddr=$(decodeaddr ${1%/*})
|
||||
local netmask=$(ip_netmask $1)
|
||||
local broadcast=$(ip_broadcast $1)
|
||||
|
||||
echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
|
||||
}
|
||||
|
||||
#
|
||||
# Test for subnet membership
|
||||
#
|
||||
in_subnet() # $1 = IP address, $2 = CIDR network
|
||||
{
|
||||
local netmask=$(ip_netmask $2)
|
||||
|
||||
test $(( $(decodeaddr $1) & $netmask)) -eq $(( $(decodeaddr ${2%/*}) & $netmask ))
|
||||
}
|
||||
|
||||
#
|
||||
# Netmask to VLSM
|
||||
#
|
||||
ip_vlsm() {
|
||||
local mask=$(decodeaddr $1)
|
||||
local vlsm=0
|
||||
local x=$(( 128 $LEFTSHIFT 24 ))
|
||||
|
||||
while [ $(( $x & $mask )) -ne 0 ]; do
|
||||
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Don't Ask...
|
||||
vlsm=$(($vlsm + 1))
|
||||
done
|
||||
|
||||
if [ $(( $mask & 2147483647)) -ne 0 ]; then
|
||||
echo "Invalid net mask: $1" >&2
|
||||
else
|
||||
echo $vlsm
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Chain name base for an interface -- replace all periods with underscores in the passed name.
|
||||
# The result is echoed (less "+" and anything following).
|
||||
#
|
||||
chain_base() #$1 = interface
|
||||
{
|
||||
local c=${1%%+*}
|
||||
|
||||
while true; do
|
||||
case $c in
|
||||
*.*)
|
||||
c="${c%.*}_${c##*.}"
|
||||
;;
|
||||
*-*)
|
||||
c="${c%-*}_${c##*-}"
|
||||
;;
|
||||
*)
|
||||
echo ${c:=common}
|
||||
return
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Remove trailing digits from a name
|
||||
#
|
||||
strip_trailing_digits() {
|
||||
echo $1 | sed s'/[0-9].*$//'
|
||||
}
|
||||
|
||||
#
|
||||
# Loosly Match the name of an interface
|
||||
#
|
||||
|
||||
if_match() # $1 = Name in interfaces file - may end in "+"
|
||||
# $2 = Name from routing table
|
||||
{
|
||||
local if_file=$1
|
||||
local rt_table=$2
|
||||
|
||||
case $if_file in
|
||||
*+)
|
||||
test "$(strip_trailing_digits $rt_table)" = "${if_file%+}"
|
||||
;;
|
||||
*)
|
||||
test "$rt_table" = "$if_file"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
# Find the value 'dev' in the passed arguments then echo the next value
|
||||
#
|
||||
|
||||
find_device() {
|
||||
while [ $# -gt 1 ]; do
|
||||
[ "x$1" = xdev ] && echo $2 && return
|
||||
shift
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Find the interfaces that have a route to the passed address - the default
|
||||
# route is not used.
|
||||
#
|
||||
|
||||
find_rt_interface() {
|
||||
ip route ls | while read addr rest; do
|
||||
case $addr in
|
||||
*/*)
|
||||
in_subnet ${1%/*} $addr && echo $(find_device $rest)
|
||||
;;
|
||||
default)
|
||||
;;
|
||||
*)
|
||||
if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
|
||||
echo $(find_device $rest)
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Find the default route's interface
|
||||
#
|
||||
find_default_interface() {
|
||||
ip route ls | while read first rest; do
|
||||
[ "$first" = default ] && echo $(find_device $rest) && return
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Echo the name of the interface(s) that will be used to send to the
|
||||
# passed address
|
||||
#
|
||||
|
||||
find_interface_by_address() {
|
||||
local dev="$(find_rt_interface $1)"
|
||||
local first rest
|
||||
|
||||
[ -z "$dev" ] && dev=$(find_default_interface)
|
||||
|
||||
[ -n "$dev" ] && echo $dev
|
||||
}
|
||||
|
267
STABLE2/help
Normal file
267
STABLE2/help
Normal file
@ -0,0 +1,267 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall help subsystem - V2.0 - 2/14/2004
|
||||
#
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net)
|
||||
# Steve Herber (herber@thing.com)
|
||||
#
|
||||
# This file should be placed in /usr/share/shorewall/help
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
##################################################################################
|
||||
|
||||
case $1 in
|
||||
|
||||
add)
|
||||
echo "add: add <interface>[:<host>] <zone>
|
||||
Adds a host or subnet to a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall add interface[:host] zone - Adds the specified interface
|
||||
(and host if included) to the specified zone.
|
||||
|
||||
Example:
|
||||
|
||||
shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
|
||||
from interface ipsec0 to the zone vpn1.
|
||||
|
||||
See also \"help host\""
|
||||
;;
|
||||
|
||||
address|host)
|
||||
echo "<$1>:
|
||||
May be either a host IP address such as 192.168.1.4 or a network address in
|
||||
CIDR format like 192.168.1.0/24"
|
||||
;;
|
||||
|
||||
allow)
|
||||
echo "allow: allow <address> ...
|
||||
Re-enables receipt of packets from hosts previously blacklisted
|
||||
by a drop or reject command.
|
||||
|
||||
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
||||
|
||||
See also \"help address\""
|
||||
;;
|
||||
|
||||
check)
|
||||
echo "check: check [ -c <configuration-directory> ]
|
||||
Performs a cursory validation of the zones, interfaces, hosts,
|
||||
rules and policy files. Use this if you are unsure of any edits
|
||||
you have made to the shorewall configuration. See the try command
|
||||
examples for a recommended way to make changes."
|
||||
;;
|
||||
|
||||
clear)
|
||||
echo "clear: clear
|
||||
Clear will remove all rules and chains installed by Shoreline.
|
||||
The firewall is then wide open and unprotected. Existing
|
||||
connections are untouched. Clear is often used to see if the
|
||||
firewall is causing connection problems."
|
||||
;;
|
||||
|
||||
debug)
|
||||
echo "debug: debug
|
||||
If you include the keyword debug as the first argument to any
|
||||
of these commands:
|
||||
|
||||
start|stop|restart|reset|clear|refresh|check|add|delete
|
||||
|
||||
then a shell trace of the command is produced. For example:
|
||||
|
||||
shorewall debug start 2> /tmp/trace
|
||||
|
||||
The above command would trace the 'start' command and
|
||||
place the trace information in the file /tmp/trace.
|
||||
|
||||
The word 'trace' is a synonym for 'debug'."
|
||||
;;
|
||||
|
||||
delete)
|
||||
echo "delete: delete <interface>[:<host>] <zone>
|
||||
Deletes a host or subnet from a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall delete interface[:host] zone - Deletes the specified
|
||||
interface (and host if included) from the specified zone.
|
||||
|
||||
Example:
|
||||
|
||||
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
|
||||
192.0.2.24 from interface ipsec0 from zone vpn1
|
||||
|
||||
See also \"help host\""
|
||||
;;
|
||||
|
||||
drop)
|
||||
echo "$1: $1 <address> ...
|
||||
Causes packets from the specified <address> to be ignored
|
||||
|
||||
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
||||
|
||||
See also \"help address\""
|
||||
;;
|
||||
|
||||
help)
|
||||
echo "help: help [<command> | host | address ]
|
||||
Display helpful information about the shorewall commands."
|
||||
;;
|
||||
|
||||
hits)
|
||||
echo "hits: hits
|
||||
Produces several reports about the Shorewall packet log messages
|
||||
in the current /var/log/messages file."
|
||||
;;
|
||||
|
||||
ipcalc)
|
||||
echo "ipcalc: ipcalc [ address mask | address/vlsm ]
|
||||
Ipcalc displays the network address, broadcast address,
|
||||
network in CIDR notation and netmask corresponding to the input[s]."
|
||||
;;
|
||||
|
||||
iprange)
|
||||
echo "iprange: iprange address1-address2
|
||||
Iprange decomposes the specified range of IP addresses into the
|
||||
equivalent list of network/host addresses."
|
||||
;;
|
||||
|
||||
logwatch)
|
||||
echo "logwatch: logwatch [<refresh interval>]
|
||||
Monitors the LOGFILE, $LOGFILE,
|
||||
and produces an audible alarm when new Shorewall messages are logged."
|
||||
;;
|
||||
|
||||
monitor)
|
||||
echo "monitor: monitor [<refresh_interval>]
|
||||
Continuously display the firewall status, last 20 log entries and nat.
|
||||
When the log entry display changes, an audible alarm is sounded."
|
||||
;;
|
||||
|
||||
refresh)
|
||||
echo "refresh: refresh
|
||||
The rules involving the broadcast addresses of firewall interfaces,
|
||||
the black list, traffic control rules and ECN control rules are recreated
|
||||
to reflect any changes made. Existing connections are untouched"
|
||||
;;
|
||||
|
||||
reject)
|
||||
echo "$1: $1 <address> ...
|
||||
Causes packets from the specified <address> to be rejected
|
||||
|
||||
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
||||
|
||||
See also \"help address\""
|
||||
;;
|
||||
|
||||
reset)
|
||||
echo "reset: reset
|
||||
All the packet and byte counters in the firewall are reset."
|
||||
;;
|
||||
|
||||
restart)
|
||||
echo "restart: restart [ -c <configuration-directory> ]
|
||||
Restart is the same as a shorewall stop && shorewall start.
|
||||
Existing connections are dropped."
|
||||
;;
|
||||
|
||||
save)
|
||||
echo "save: save
|
||||
The dynamic data is stored in /var/lib/shorewall/save
|
||||
Shorewall allow, drop, rejct and save implement dynamic blacklisting."
|
||||
;;
|
||||
|
||||
show)
|
||||
echo "show: show [<chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
|
||||
shorewall show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
|
||||
(iptables -L chain -n -v)
|
||||
|
||||
shorewall show nat - produce a verbose report about the nat table.
|
||||
(iptables -t nat -L -n -v)
|
||||
|
||||
shorewall show tos - produce a verbose report about the mangle table.
|
||||
(iptables -t mangle -L -n -v)
|
||||
|
||||
shorewall show log - display the last 20 packet log entries.
|
||||
|
||||
shorewall show connections - displays the IP connections currently
|
||||
being tracked by the firewall.
|
||||
|
||||
shorewall show tc - displays information about the traffic
|
||||
control/shaping configuration."
|
||||
;;
|
||||
|
||||
start)
|
||||
echo "start: start [ -c <configuration-directory> ]
|
||||
Start shorewall. Existing connections through shorewall managed
|
||||
interfaces are untouched. New connections will be allowed only
|
||||
if they are allowed by the firewall rules or policies."
|
||||
;;
|
||||
|
||||
stop)
|
||||
echo "stop: stop
|
||||
Stops the firewall. All existing connections, except those
|
||||
listed in /etc/shorewall/routestopped, are taken down.
|
||||
The only new traffic permitted through the firewall
|
||||
is from systems listed in /etc/shorewall/routestopped."
|
||||
;;
|
||||
|
||||
status)
|
||||
echo "status: status
|
||||
Produce a verbose report about the firewall.
|
||||
|
||||
(iptables -L -n -v)"
|
||||
;;
|
||||
|
||||
trace)
|
||||
echo "trace: trace
|
||||
If you include the keyword trace as the first argument to any
|
||||
of these commands:
|
||||
|
||||
start|stop|restart|reset|clear|refresh|check|add|delete
|
||||
|
||||
then a shell trace of the command is produced. For example:
|
||||
|
||||
shorewall trace start 2> /tmp/trace
|
||||
|
||||
The above command would trace the 'start' command and
|
||||
place the trace information in the file /tmp/trace.
|
||||
|
||||
The word 'debug' is a synonym for 'trace'."
|
||||
;;
|
||||
|
||||
try)
|
||||
echo "try: try <configuration-directory> [ <timeout> ]
|
||||
Restart shorewall using the specified configuration. If an error
|
||||
occurs during the restart, then another shorewall restart is performed
|
||||
using the default configuration. If a timeout is specified then
|
||||
the restart is always performed after the timeout occurs and uses
|
||||
the default configuration."
|
||||
;;
|
||||
|
||||
version)
|
||||
echo "version: version
|
||||
Show the current shorewall version which is: $version"
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "$1: $1 is not recognized by the help command"
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
exit 0 # always ok
|
||||
|
52
STABLE2/hosts
Normal file
52
STABLE2/hosts
Normal file
@ -0,0 +1,52 @@
|
||||
#
|
||||
# Shorewall 2.0 - /etc/shorewall/hosts
|
||||
#
|
||||
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
|
||||
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
|
||||
#
|
||||
# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
|
||||
#
|
||||
# This file is used to define zones in terms of subnets and/or
|
||||
# individual IP addresses. Most simple setups don't need to
|
||||
# (should not) place anything in this file.
|
||||
#
|
||||
# ZONE - The name of a zone defined in /etc/shorewall/zones
|
||||
#
|
||||
# HOST(S) - The name of an interface followed by a colon (":") and
|
||||
# a comma-separated list whose elements are either:
|
||||
#
|
||||
# a) The IP address of a host
|
||||
# b) A subnetwork in the form
|
||||
# <subnet-address>/<mask width>
|
||||
#
|
||||
# The interface must be defined in the
|
||||
# /etc/shorewall/interfaces file.
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# eth1:192.168.1.3
|
||||
# eth2:192.168.2.0/24
|
||||
# eth3:192.168.2.0/24,192.168.3.1
|
||||
#
|
||||
# OPTIONS - A comma-separated list of options. Currently-defined
|
||||
# options are:
|
||||
#
|
||||
# maclist - Connection requests from these hosts
|
||||
# are compared against the contents of
|
||||
# /etc/shorewall/maclist. If this option
|
||||
# is specified, the interface must be
|
||||
# an ethernet NIC and must be up before
|
||||
# Shorewall is started.
|
||||
#
|
||||
# routeback - Shorewall show set up the infrastructure
|
||||
# to pass packets from this/these
|
||||
# address(es) back to themselves. This is
|
||||
# necessary of hosts in this group use the
|
||||
# services of a transparent proxy that is
|
||||
# a member of the group or if DNAT is used
|
||||
# to send requests originating from this
|
||||
# group to a server in the group.
|
||||
#
|
||||
#
|
||||
#ZONE HOST(S) OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
6
STABLE2/init
Normal file
6
STABLE2/init
Normal file
@ -0,0 +1,6 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/init
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of
|
||||
# a "shorewall start" or "shorewall restart" command.
|
||||
#
|
123
STABLE2/init.debian.sh
Executable file
123
STABLE2/init.debian.sh
Executable file
@ -0,0 +1,123 @@
|
||||
#!/bin/sh
|
||||
|
||||
SRWL=/sbin/shorewall
|
||||
WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
|
||||
# Note, set INITLOG to /dev/null if you do not want to
|
||||
# keep logs of the firewall (not recommended)
|
||||
INITLOG=/var/log/shorewall-init.log
|
||||
|
||||
test -x $SRWL || exit 0
|
||||
test -x $WAIT_FOR_IFUP || exit 0
|
||||
test -n $INITLOG || {
|
||||
echo "INITLOG cannot be empty, please configure $0" ;
|
||||
exit 1;
|
||||
}
|
||||
|
||||
if [ "$(id -u)" != "0" ]
|
||||
then
|
||||
echo "You must be root to start, stop or restart \"Shorewall firewall\"."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo_notdone () {
|
||||
|
||||
if [ "$INITLOG" = "/dev/null" ] ; then
|
||||
"not done."
|
||||
else
|
||||
"not done (check $INITLOG)."
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
not_configured () {
|
||||
echo "#### WARNING ####"
|
||||
echo "the firewall won't be started/stopped unless it is configured"
|
||||
if [ "$1" != "stop" ]
|
||||
then
|
||||
echo ""
|
||||
echo "please configure it and then edit /etc/default/shorewall"
|
||||
echo "and set the \"startup\" variable to 1 in order to allow "
|
||||
echo "shorewall to start"
|
||||
fi
|
||||
echo "#################"
|
||||
exit 0
|
||||
}
|
||||
|
||||
# parse the shorewall params file in order to use params in
|
||||
# /etc/default/shorewall
|
||||
if [ -f "/etc/shorewall/params" ]
|
||||
then
|
||||
. /etc/shorewall/params
|
||||
fi
|
||||
|
||||
# check if shorewall is configured or not
|
||||
if [ -f "/etc/default/shorewall" ]
|
||||
then
|
||||
. /etc/default/shorewall
|
||||
if [ "$startup" != "1" ]
|
||||
then
|
||||
not_configured
|
||||
fi
|
||||
else
|
||||
not_configured
|
||||
fi
|
||||
|
||||
# wait an unconfigured interface
|
||||
wait_for_pppd () {
|
||||
if [ "$wait_interface" != "" ]
|
||||
then
|
||||
for i in $wait_interface
|
||||
do
|
||||
$WAIT_FOR_IFUP $i 90
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# start the firewall
|
||||
shorewall_start () {
|
||||
echo -n "Starting \"Shorewall firewall\": "
|
||||
wait_for_pppd
|
||||
$SRWL start >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
return 0
|
||||
}
|
||||
|
||||
# stop the firewall
|
||||
shorewall_stop () {
|
||||
echo -n "Stopping \"Shorewall firewall\": "
|
||||
$SRWL stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
return 0
|
||||
}
|
||||
|
||||
# restart the firewall
|
||||
shorewall_restart () {
|
||||
echo -n "Restarting \"Shorewall firewall\": "
|
||||
$SRWL restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
return 0
|
||||
}
|
||||
|
||||
# refresh the firewall
|
||||
shorewall_refresh () {
|
||||
echo -n "Refreshing \"Shorewall firewall\": "
|
||||
$SRWL refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
return 0
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
shorewall_start
|
||||
;;
|
||||
stop)
|
||||
shorewall_stop
|
||||
;;
|
||||
refresh)
|
||||
shorewall_refresh
|
||||
;;
|
||||
force-reload|restart)
|
||||
shorewall_restart
|
||||
;;
|
||||
*)
|
||||
echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload}"
|
||||
exit 1
|
||||
esac
|
||||
|
||||
exit 0
|
74
STABLE2/init.sh
Normal file
74
STABLE2/init.sh
Normal file
@ -0,0 +1,74 @@
|
||||
#!/bin/sh
|
||||
RCDLINKS="2,S41 3,S41 6,K41"
|
||||
#
|
||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# On most distributions, this file should be called /etc/init.d/shorewall.
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
# If an error occurs while starting or restarting the firewall, the
|
||||
# firewall is automatically stopped.
|
||||
#
|
||||
# Commands are:
|
||||
#
|
||||
# shorewall start Starts the firewall
|
||||
# shorewall restart Restarts the firewall
|
||||
# shorewall stop Stops the firewall
|
||||
# shorewall status Displays firewall status
|
||||
#
|
||||
#### BEGIN INIT INFO
|
||||
# Provides: shorewall
|
||||
# Required-Start: $network
|
||||
# Required-Stop:
|
||||
# Default-Start: 2 3 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Description: starts and stops the shorewall firewall
|
||||
### END INIT INFO
|
||||
|
||||
# chkconfig: 2345 25 90
|
||||
# description: Packet filtering firewall
|
||||
#
|
||||
|
||||
################################################################################
|
||||
# Give Usage Information #
|
||||
################################################################################
|
||||
usage() {
|
||||
echo "Usage: $0 start|stop|restart|status"
|
||||
exit 1
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# E X E C U T I O N B E G I N S H E R E #
|
||||
################################################################################
|
||||
command="$1"
|
||||
|
||||
case "$command" in
|
||||
|
||||
stop|start|restart|status)
|
||||
|
||||
exec /sbin/shorewall $@
|
||||
;;
|
||||
*)
|
||||
|
||||
usage
|
||||
;;
|
||||
|
||||
esac
|
551
STABLE2/install.sh
Executable file
551
STABLE2/install.sh
Executable file
@ -0,0 +1,551 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Script to install Shoreline Firewall
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
|
||||
VERSION=2.0.0
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
ME=$(basename $0)
|
||||
echo "usage: $ME"
|
||||
echo " $ME -v"
|
||||
echo " $ME -h"
|
||||
exit $1
|
||||
}
|
||||
|
||||
run_install()
|
||||
{
|
||||
if ! install $*; then
|
||||
echo
|
||||
echo "ERROR: Failed to install $*"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
cant_autostart()
|
||||
{
|
||||
echo
|
||||
echo "WARNING: Unable to configure shorewall to start"
|
||||
echo " automatically at boot"
|
||||
}
|
||||
|
||||
backup_file() # $1 = file to backup
|
||||
{
|
||||
if [ -z "$PREFIX" -a -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
|
||||
if (cp $1 ${1}-${VERSION}.bkout); then
|
||||
echo
|
||||
echo "$1 saved to ${1}-${VERSION}.bkout"
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
delete_file() # $1 = file to delete
|
||||
{
|
||||
if [ -z "$PREFIX" -a -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
|
||||
if (mv $1 ${1}-${VERSION}.bkout); then
|
||||
echo
|
||||
echo "$1 moved to ${1}-${VERSION}.bkout"
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
install_file_with_backup() # $1 = source $2 = target $3 = mode
|
||||
{
|
||||
backup_file $2
|
||||
run_install -o $OWNER -g $GROUP -m $3 $1 ${2}
|
||||
}
|
||||
|
||||
#
|
||||
# Parse the run line
|
||||
#
|
||||
# DEST is the SysVInit script directory
|
||||
# RUNLEVELS is the chkconfig parmeters for firewall
|
||||
# ARGS is "yes" if we've already parsed an argument
|
||||
#
|
||||
DEST=""
|
||||
RUNLEVELS=""
|
||||
ARGS=""
|
||||
|
||||
if [ -z "$OWNER" ] ; then
|
||||
OWNER=root
|
||||
fi
|
||||
|
||||
if [ -z "$GROUP" ] ; then
|
||||
GROUP=root
|
||||
fi
|
||||
|
||||
while [ $# -gt 0 ] ; do
|
||||
case "$1" in
|
||||
-h|help|?)
|
||||
usage 0
|
||||
;;
|
||||
-v)
|
||||
echo "Shorewall Firewall Installer Version $VERSION"
|
||||
exit 0
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
ARGS="yes"
|
||||
done
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
if [ -z "$DEST" ]; then
|
||||
DEST=/etc/init.d
|
||||
fi
|
||||
|
||||
#
|
||||
# Determine where to install the firewall script
|
||||
#
|
||||
DEBIAN=
|
||||
|
||||
if [ -n "$PREFIX" ]; then
|
||||
install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}/sbin
|
||||
install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}${DEST}
|
||||
elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
|
||||
DEBIAN=yes
|
||||
fi
|
||||
|
||||
#
|
||||
# Change to the directory containing this script
|
||||
#
|
||||
cd "$(dirname $0)"
|
||||
|
||||
echo "Installing Shorewall Version $VERSION"
|
||||
|
||||
#
|
||||
# Check for /etc/shorewall
|
||||
#
|
||||
if [ -d ${PREFIX}/etc/shorewall ]; then
|
||||
first_install=""
|
||||
else
|
||||
first_install="Yes"
|
||||
fi
|
||||
|
||||
install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0544
|
||||
|
||||
echo
|
||||
echo "shorewall control program installed in ${PREFIX}/sbin/shorewall"
|
||||
|
||||
#
|
||||
# Install the Firewall Script
|
||||
#
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
install_file_with_backup init.debian.sh /etc/init.d/shorewall 0544
|
||||
else
|
||||
install_file_with_backup init.sh ${PREFIX}${DEST}/shorewall 0544
|
||||
fi
|
||||
|
||||
echo
|
||||
echo "Shorewall script installed in ${PREFIX}${DEST}/shorewall"
|
||||
|
||||
#
|
||||
# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
|
||||
#
|
||||
mkdir -p ${PREFIX}/etc/shorewall
|
||||
mkdir -p ${PREFIX}/usr/share/shorewall
|
||||
mkdir -p ${PREFIX}/var/lib/shorewall
|
||||
#
|
||||
# Install the config file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
|
||||
backup_file /etc/shorewall/shorewall.conf
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
|
||||
echo
|
||||
echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
|
||||
fi
|
||||
#
|
||||
# Install the zones file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/zones ]; then
|
||||
backup_file /etc/shorewall/zones
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones
|
||||
echo
|
||||
echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
|
||||
fi
|
||||
|
||||
#
|
||||
# Install the functions file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/functions ]; then
|
||||
backup_file ${PREFIX}/etc/shorewall/functions
|
||||
rm -f ${PREFIX}/etc/shorewall/functions
|
||||
fi
|
||||
|
||||
install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
|
||||
|
||||
echo
|
||||
echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions"
|
||||
|
||||
#
|
||||
# Install the Help file
|
||||
#
|
||||
install_file_with_backup help ${PREFIX}/usr/share/shorewall/help 0544
|
||||
|
||||
echo
|
||||
echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
|
||||
|
||||
#
|
||||
# Delete the icmp.def file
|
||||
#
|
||||
delete_file icmp.def
|
||||
|
||||
#
|
||||
# Install the policy file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/policy ]; then
|
||||
backup_file /etc/shorewall/policy
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 policy ${PREFIX}/etc/shorewall/policy
|
||||
echo
|
||||
echo "Policy file installed as ${PREFIX}/etc/shorewall/policy"
|
||||
fi
|
||||
#
|
||||
# Install the interfaces file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/interfaces ]; then
|
||||
backup_file /etc/shorewall/interfaces
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
|
||||
echo
|
||||
echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
|
||||
fi
|
||||
#
|
||||
# Install the hosts file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/hosts ]; then
|
||||
backup_file /etc/shorewall/hosts
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
|
||||
echo
|
||||
echo "Hosts file installed as ${PREFIX}/etc/shorewall/hosts"
|
||||
fi
|
||||
#
|
||||
# Install the rules file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/rules ]; then
|
||||
backup_file /etc/shorewall/rules
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 rules ${PREFIX}/etc/shorewall/rules
|
||||
echo
|
||||
echo "Rules file installed as ${PREFIX}/etc/shorewall/rules"
|
||||
fi
|
||||
#
|
||||
# Install the NAT file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/nat ]; then
|
||||
backup_file /etc/shorewall/nat
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 nat ${PREFIX}/etc/shorewall/nat
|
||||
echo
|
||||
echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
|
||||
fi
|
||||
#
|
||||
# Install the Parameters file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/params ]; then
|
||||
backup_file /etc/shorewall/params
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params
|
||||
echo
|
||||
echo "Parameter file installed as ${PREFIX}/etc/shorewall/params"
|
||||
fi
|
||||
#
|
||||
# Install the proxy ARP file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/proxyarp ]; then
|
||||
backup_file /etc/shorewall/proxyarp
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
|
||||
echo
|
||||
echo "Proxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp"
|
||||
fi
|
||||
#
|
||||
# Install the Stopped Routing file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/routestopped ]; then
|
||||
backup_file /etc/shorewall/routestopped
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped
|
||||
echo
|
||||
echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
|
||||
fi
|
||||
#
|
||||
# Install the Mac List file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/maclist ]; then
|
||||
backup_file /etc/shorewall/maclist
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
|
||||
echo
|
||||
echo "MAC list file installed as ${PREFIX}/etc/shorewall/maclist"
|
||||
fi
|
||||
#
|
||||
# Install the Masq file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/masq ]; then
|
||||
backup_file /etc/shorewall/masq
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 masq ${PREFIX}/etc/shorewall/masq
|
||||
echo
|
||||
echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
|
||||
fi
|
||||
#
|
||||
# Install the Modules file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/modules ]; then
|
||||
backup_file /etc/shorewall/modules
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 modules ${PREFIX}/etc/shorewall/modules
|
||||
echo
|
||||
echo "Modules file installed as ${PREFIX}/etc/shorewall/modules"
|
||||
fi
|
||||
#
|
||||
# Install the TC Rules file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/tcrules ]; then
|
||||
backup_file /etc/shorewall/tcrules
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
|
||||
echo
|
||||
echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
|
||||
fi
|
||||
|
||||
#
|
||||
# Install the TOS file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/tos ]; then
|
||||
backup_file /etc/shorewall/tos
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 tos ${PREFIX}/etc/shorewall/tos
|
||||
echo
|
||||
echo "TOS file installed as ${PREFIX}/etc/shorewall/tos"
|
||||
fi
|
||||
#
|
||||
# Install the Tunnels file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/tunnels ]; then
|
||||
backup_file /etc/shorewall/tunnels
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
|
||||
echo
|
||||
echo "Tunnels file installed as ${PREFIX}/etc/shorewall/tunnels"
|
||||
fi
|
||||
#
|
||||
# Install the blacklist file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/blacklist ]; then
|
||||
backup_file /etc/shorewall/blacklist
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
|
||||
echo
|
||||
echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
|
||||
fi
|
||||
#
|
||||
# Backup and remove the whitelist file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/whitelist ]; then
|
||||
backup_file /etc/shorewall/whitelist
|
||||
rm -f ${PREFIX}/etc/shorewall/whitelist
|
||||
fi
|
||||
#
|
||||
# Install the rfc1918 file
|
||||
#
|
||||
install_file_with_backup rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0600
|
||||
echo
|
||||
echo "RFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918"
|
||||
#
|
||||
# Install the init file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/init ]; then
|
||||
backup_file /etc/shorewall/init
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 init ${PREFIX}/etc/shorewall/init
|
||||
echo
|
||||
echo "Init file installed as ${PREFIX}/etc/shorewall/init"
|
||||
fi
|
||||
#
|
||||
# Install the start file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/start ]; then
|
||||
backup_file /etc/shorewall/start
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 start ${PREFIX}/etc/shorewall/start
|
||||
echo
|
||||
echo "Start file installed as ${PREFIX}/etc/shorewall/start"
|
||||
fi
|
||||
#
|
||||
# Install the stop file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/stop ]; then
|
||||
backup_file /etc/shorewall/stop
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 stop ${PREFIX}/etc/shorewall/stop
|
||||
echo
|
||||
echo "Stop file installed as ${PREFIX}/etc/shorewall/stop"
|
||||
fi
|
||||
#
|
||||
# Install the stopped file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/stopped ]; then
|
||||
backup_file /etc/shorewall/stopped
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
|
||||
echo
|
||||
echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
|
||||
fi
|
||||
#
|
||||
# Install the ECN file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/ecn ]; then
|
||||
backup_file /etc/shorewall/ecn
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
|
||||
echo
|
||||
echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
|
||||
fi
|
||||
#
|
||||
# Install the Accounting file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/accounting ]; then
|
||||
backup_file /etc/shorewall/accounting
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
|
||||
echo
|
||||
echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
|
||||
fi
|
||||
#
|
||||
#
|
||||
# Install the Standard Actions file
|
||||
#
|
||||
install_file_with_backup actions.std ${PREFIX}/usr/share/shorewall/actions.std 0600
|
||||
echo
|
||||
echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
|
||||
|
||||
#
|
||||
# Install the Actions file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/actions ]; then
|
||||
backup_file /etc/shorewall/actions
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 actions ${PREFIX}/etc/shorewall/actions
|
||||
echo
|
||||
echo "Actions file installed as ${PREFIX}/etc/shorewall/actions"
|
||||
fi
|
||||
#
|
||||
# Install the Action files
|
||||
#
|
||||
for f in action.* ; do
|
||||
if [ -f ${PREFIX}/usr/share/shorewall/$f ]; then
|
||||
backup_file /usr/share/shorewall/$f
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 $f ${PREFIX}/usr/share/shorewall/$f
|
||||
echo
|
||||
echo "Action ${f#*.} file installed as ${PREFIX}/etc/shorewall/$f"
|
||||
fi
|
||||
done
|
||||
#
|
||||
# Backup the version file
|
||||
#
|
||||
if [ -z "$PREFIX" ]; then
|
||||
if [ -f /usr/share/shorewall/version ]; then
|
||||
backup_file /usr/share/shorewall/version
|
||||
fi
|
||||
fi
|
||||
#
|
||||
# Create the version file
|
||||
#
|
||||
echo "$VERSION" > ${PREFIX}/usr/share/shorewall/version
|
||||
chmod 644 ${PREFIX}/usr/share/shorewall/version
|
||||
#
|
||||
# Remove and create the symbolic link to the init script
|
||||
#
|
||||
|
||||
if [ -z "$PREFIX" ]; then
|
||||
rm -f /usr/share/shorewall/init
|
||||
ln -s ${DEST}/shorewall /usr/share/shorewall/init
|
||||
fi
|
||||
|
||||
#
|
||||
# Install the firewall script
|
||||
#
|
||||
install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544
|
||||
|
||||
if [ -z "$PREFIX" -a -n "$first_install" ]; then
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
|
||||
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
|
||||
echo
|
||||
echo "shorewall will start automatically at boot"
|
||||
echo "Set startup=1 in /etc/default/shorewall to enable"
|
||||
else
|
||||
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
if insserv /etc/init.d/shorewalls ; then
|
||||
echo
|
||||
echo "shorewall will start automatically at boot"
|
||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
|
||||
if chkconfig --add shorewall ; then
|
||||
echo
|
||||
echo "shorewall will start automatically in run levels as follows:"
|
||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
||||
chkconfig --list shorewall
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
elif [ -x /sbin/rc-update ]; then
|
||||
if rc-update add shorewall default; then
|
||||
echo
|
||||
echo "shorewall will start automatically at boot"
|
||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
|
||||
echo \
|
||||
"########################################################################
|
||||
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
|
||||
########################################################################" > /etc/shorewall/startup_disabled
|
||||
fi
|
||||
fi
|
||||
|
||||
#
|
||||
# Report Success
|
||||
#
|
||||
echo
|
||||
echo "shorewall Version $VERSION Installed"
|
163
STABLE2/interfaces
Normal file
163
STABLE2/interfaces
Normal file
@ -0,0 +1,163 @@
|
||||
#
|
||||
# Shorewall 2.0 -- Interfaces File
|
||||
#
|
||||
# /etc/shorewall/interfaces
|
||||
#
|
||||
# You must add an entry in this file for each network interface on your
|
||||
# firewall system.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# ZONE Zone for this interface. Must match the short name
|
||||
# of a zone defined in /etc/shorewall/zones.
|
||||
#
|
||||
# If the interface serves multiple zones that will be
|
||||
# defined in the /etc/shorewall/hosts file, you should
|
||||
# place "-" in this column.
|
||||
#
|
||||
# INTERFACE Name of interface. Each interface may be listed only
|
||||
# once in this file. You may NOT specify the name of
|
||||
# an alias (e.g., eth0:0) here; see
|
||||
# http://www.shorewall.net/FAQ.htm#faq18
|
||||
#
|
||||
# You may specify wildcards here. For example, if you
|
||||
# want to make an entry that applies to all PPP
|
||||
# interfaces, use 'ppp+'.
|
||||
#
|
||||
# There is no need to define the loopback interface (lo)
|
||||
# in this file.
|
||||
#
|
||||
# BROADCAST The broadcast address for the subnetwork to which the
|
||||
# interface belongs. For P-T-P interfaces, this
|
||||
# column is left black.If the interface has multiple
|
||||
# addresses on multiple subnets then list the broadcast
|
||||
# addresses as a comma-separated list.
|
||||
#
|
||||
# If you use the special value "detect", the firewall
|
||||
# will detect the broadcast address for you. If you
|
||||
# select this option, the interface must be up before
|
||||
# the firewall is started, you must have iproute
|
||||
# installed.
|
||||
#
|
||||
# If you don't want to give a value for this column but
|
||||
# you want to enter a value in the OPTIONS column, enter
|
||||
# "-" in this column.
|
||||
#
|
||||
# OPTIONS A comma-separated list of options including the
|
||||
# following:
|
||||
#
|
||||
# dhcp - interface is managed by DHCP or used by
|
||||
# a DHCP server running on the firewall or
|
||||
# you have a static IP but are on a LAN
|
||||
# segment with lots of Laptop DHCP clients.
|
||||
# norfc1918 - This interface should not receive
|
||||
# any packets whose source is in one
|
||||
# of the ranges reserved by RFC 1918
|
||||
# (i.e., private or "non-routable"
|
||||
# addresses. If packet mangling is
|
||||
# enabled in shorewall.conf, packets
|
||||
# whose destination addresses are
|
||||
# reserved by RFC 1918 are also rejected.
|
||||
# routefilter - turn on kernel route filtering for this
|
||||
# interface (anti-spoofing measure). This
|
||||
# option can also be enabled globally in
|
||||
# the /etc/shorewall/shorewall.conf file.
|
||||
# . . blacklist - Check packets arriving on this interface
|
||||
# against the /etc/shorewall/blacklist
|
||||
# file.
|
||||
# maclist - Connection requests from this interface
|
||||
# are compared against the contents of
|
||||
# /etc/shorewall/maclist. If this option
|
||||
# is specified, the interface must be
|
||||
# an ethernet NIC and must be up before
|
||||
# Shorewall is started.
|
||||
# tcpflags - Packets arriving on this interface are
|
||||
# checked for certain illegal combinations
|
||||
# of TCP flags. Packets found to have
|
||||
# such a combination of flags are handled
|
||||
# according to the setting of
|
||||
# TCP_FLAGS_DISPOSITION after having been
|
||||
# logged according to the setting of
|
||||
# TCP_FLAGS_LOG_LEVEL.
|
||||
# proxyarp -
|
||||
# Sets
|
||||
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
||||
# Do NOT use this option if you are
|
||||
# employing Proxy ARP through entries in
|
||||
# /etc/shorewall/proxyarp. This option is
|
||||
# intended soley for use with Proxy ARP
|
||||
# sub-networking as described at:
|
||||
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
||||
#
|
||||
# newnotsyn - TCP packets that don't have the SYN
|
||||
# flag set and which are not part of an
|
||||
# established connection will be accepted
|
||||
# from this interface, even if
|
||||
# NEWNOTSYN=No has been specified in
|
||||
# /etc/shorewall/shorewall.conf.
|
||||
#
|
||||
# This option has no effect if
|
||||
# NEWNOTSYN=Yes.
|
||||
#
|
||||
# routeback - If specified, indicates that Shorewall
|
||||
# should include rules that allow filtering
|
||||
# traffic arriving on this interface back
|
||||
# out that same interface.
|
||||
#
|
||||
# arp_filter - If specified, this interface will only
|
||||
# respond to ARP who-has requests for IP
|
||||
# addresses configured on the interface.
|
||||
# If not specified, the interface can
|
||||
# respond to ARP who-has requests for
|
||||
# IP addresses on any of the firewall's
|
||||
# interface. The interface must be up
|
||||
# when Shorewall is started.
|
||||
#
|
||||
# nosmurfs - Filter packets for smurfs
|
||||
# (packets with a broadcast
|
||||
# address as the source).
|
||||
#
|
||||
# Smurfs will be optionally logged based
|
||||
# on the setting of SMURF_LOG_LEVEL in
|
||||
# shorewall.conf. After logging, the
|
||||
# packets are dropped.
|
||||
#
|
||||
# detectnets - Automatically taylors the zone named
|
||||
# in the ZONE column to include only those
|
||||
# hosts routed through the interface.
|
||||
#
|
||||
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
||||
# INTERNET INTERFACE!
|
||||
#
|
||||
# The order in which you list the options is not
|
||||
# significant but the list should have no embedded white
|
||||
# space.
|
||||
#
|
||||
# Example 1: Suppose you have eth0 connected to a DSL modem and
|
||||
# eth1 connected to your local network and that your
|
||||
# local subnet is 192.168.1.0/24. The interface gets
|
||||
# it's IP address via DHCP from subnet
|
||||
# 206.191.149.192/27. You have a DMZ with subnet
|
||||
# 192.168.2.0/24 using eth2.
|
||||
#
|
||||
# Your entries for this setup would look like:
|
||||
#
|
||||
# net eth0 206.191.149.223 dhcp
|
||||
# local eth1 192.168.1.255
|
||||
# dmz eth2 192.168.2.255
|
||||
#
|
||||
# Example 2: The same configuration without specifying broadcast
|
||||
# addresses is:
|
||||
#
|
||||
# net eth0 detect dhcp
|
||||
# loc eth1 detect
|
||||
# dmz eth2 detect
|
||||
#
|
||||
# Example 3: You have a simple dial-in system with no ethernet
|
||||
# connections.
|
||||
#
|
||||
# net ppp0 -
|
||||
##############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
18
STABLE2/maclist
Normal file
18
STABLE2/maclist
Normal file
@ -0,0 +1,18 @@
|
||||
#
|
||||
# Shorewall 2.0 - MAC list file
|
||||
#
|
||||
# /etc/shorewall/maclist
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# INTERFACE Network interface to a host
|
||||
#
|
||||
# MAC MAC address of the host -- you do not need to use
|
||||
# the Shorewall format for MAC addresses here
|
||||
#
|
||||
# IP ADDRESSES Optional -- if specified, both the MAC and IP address
|
||||
# must match. This column can contain a comma-separated
|
||||
# list of host and/or subnet addresses.
|
||||
##############################################################################
|
||||
#INTERFACE MAC IP ADDRESSES (Optional)
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
99
STABLE2/masq
Normal file
99
STABLE2/masq
Normal file
@ -0,0 +1,99 @@
|
||||
#
|
||||
# Shorewall 2.0 - Masquerade file
|
||||
#
|
||||
# /etc/shorewall/masq
|
||||
#
|
||||
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
|
||||
# (SNAT).
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# INTERFACE -- Outgoing interface. This is usually your internet
|
||||
# interface. If ADD_SNAT_ALIASES=Yes in
|
||||
# /etc/shorewall/shorewall.conf, you may add ":" and
|
||||
# a digit to indicate that you want the alias added with
|
||||
# that name (e.g., eth0:0). This will allow the alias to
|
||||
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
|
||||
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
|
||||
# PLACE IN YOUR SHOREWALL CONFIGURATION.
|
||||
#
|
||||
# This may be qualified by adding the character
|
||||
# ":" followed by a destination host or subnet.
|
||||
#
|
||||
#
|
||||
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
|
||||
# a subnet or as an interface. If you give the name of an
|
||||
# interface, you must have iproute installed and the interface
|
||||
# must be up before you start the firewall.
|
||||
#
|
||||
# In order to exclude a subset of the specified SUBNET, you
|
||||
# may append "!" and a comma-separated list of IP addresses
|
||||
# and/or subnets that you wish to exclude.
|
||||
#
|
||||
# Example: eth1!192.168.1.4,192.168.32.0/27
|
||||
#
|
||||
# In that example traffic from eth1 would be masqueraded unless
|
||||
# it came from 192.168.1.4 or 196.168.32.0/27
|
||||
#
|
||||
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
|
||||
# used and this will be the source address. If
|
||||
# ADD_SNAT_ALIASES is set to Yes or yes in
|
||||
# /etc/shorewall/shorewall.conf then Shorewall
|
||||
# will automatically add this address to the
|
||||
# INTERFACE named in the first column.
|
||||
#
|
||||
# You may also specify a range of up to 256
|
||||
# IP addresses if you want the SNAT address to
|
||||
# be assigned from that range in a round-robin
|
||||
# range by connection. The range is specified by
|
||||
# <first ip in range>-<last ip in range>.
|
||||
#
|
||||
# Example: 206.124.146.177-206.124.146.180
|
||||
#
|
||||
# Finally, you may also specify a comma-separated
|
||||
# list of ranges and/or addresses in this column.
|
||||
#
|
||||
# This column may not contain DNS Names.
|
||||
#
|
||||
# Example 1:
|
||||
#
|
||||
# You have a simple masquerading setup where eth0 connects to
|
||||
# a DSL or cable modem and eth1 connects to your local network
|
||||
# with subnet 192.168.0.0/24.
|
||||
#
|
||||
# Your entry in the file can be either:
|
||||
#
|
||||
# eth0 eth1
|
||||
#
|
||||
# or
|
||||
#
|
||||
# eth0 192.168.0.0/24
|
||||
#
|
||||
# Example 2:
|
||||
#
|
||||
# You add a router to your local network to connect subnet
|
||||
# 192.168.1.0/24 which you also want to masquerade. You then
|
||||
# add a second entry for eth0 to this file:
|
||||
#
|
||||
# eth0 192.168.1.0/24
|
||||
#
|
||||
# Example 3:
|
||||
#
|
||||
# You have an IPSEC tunnel through ipsec0 and you want to
|
||||
# masquerade packets coming from 192.168.1.0/24 but only if
|
||||
# these packets are destined for hosts in 10.1.1.0/24:
|
||||
#
|
||||
# ipsec0:10.1.1.0/24 196.168.1.0/24
|
||||
#
|
||||
# Example 4:
|
||||
#
|
||||
# You want all outgoing traffic from 192.168.1.0/24 through
|
||||
# eth0 to use source address 206.124.146.176 which is NOT the
|
||||
# primary address of eth0. You want 206.124.146.176 added to
|
||||
# be added to eth0 with name eth0:0.
|
||||
#
|
||||
# eth0:0 192.168.1.0/24 206.124.146.176
|
||||
#
|
||||
##############################################################################
|
||||
#INTERFACE SUBNET ADDRESS
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
21
STABLE2/modules
Normal file
21
STABLE2/modules
Normal file
@ -0,0 +1,21 @@
|
||||
##############################################################################
|
||||
# Shorewall 2.0 /etc/shorewall/modules
|
||||
#
|
||||
# This file loads the modules needed by the firewall.
|
||||
#
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
|
||||
# you load M2.
|
||||
#
|
||||
|
||||
loadmodule ip_tables
|
||||
loadmodule iptable_filter
|
||||
loadmodule ip_conntrack
|
||||
loadmodule ip_conntrack_ftp
|
||||
loadmodule ip_conntrack_tftp
|
||||
loadmodule ip_conntrack_irc
|
||||
loadmodule iptable_nat
|
||||
loadmodule ip_nat_ftp
|
||||
loadmodule ip_nat_tftp
|
||||
loadmodule ip_nat_irc
|
||||
|
38
STABLE2/nat
Normal file
38
STABLE2/nat
Normal file
@ -0,0 +1,38 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.0 -- Network Address Translation Table
|
||||
#
|
||||
# /etc/shorewall/nat
|
||||
#
|
||||
# This file is used to define one-to-one Network Address Translation
|
||||
# (NAT).
|
||||
#
|
||||
# WARNING: If all you want to do is simple port forwarding, do NOT use this
|
||||
# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
|
||||
# cases, Proxy ARP is a better solution that one-to-one NAT.
|
||||
#
|
||||
# Columns must be separated by white space and are:
|
||||
#
|
||||
# EXTERNAL External IP Address - this should NOT be the primary
|
||||
# IP address of the interface named in the next
|
||||
# column and must not be a DNS Name.
|
||||
# INTERFACE Interface that you want to EXTERNAL address to appear
|
||||
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
|
||||
# follow the interface name with ":" and a digit to
|
||||
# indicate that you want Shorewall to add the alias
|
||||
# with this name (e.g., "eth0:0"). That allows you to
|
||||
# see the alias with ifconfig. THAT IS THE ONLY THING
|
||||
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
|
||||
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
|
||||
# INTERNAL Internal Address (must not be a DNS Name).
|
||||
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
|
||||
# If No or no (or left empty) then NAT will be effective
|
||||
# only through the interface named in the INTERFACE
|
||||
# column
|
||||
# LOCAL If Yes or yes and the ALL INTERFACES column contains
|
||||
# Yes or yes, NAT will be effective from the firewall
|
||||
# system
|
||||
##############################################################################
|
||||
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
25
STABLE2/params
Normal file
25
STABLE2/params
Normal file
@ -0,0 +1,25 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/params
|
||||
#
|
||||
# Assign any variables that you need here.
|
||||
#
|
||||
# It is suggested that variable names begin with an upper case letter
|
||||
# to distinguish them from variables used internally within the
|
||||
# Shorewall programs
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# NET_IF=eth0
|
||||
# NET_BCAST=130.252.100.255
|
||||
# NET_OPTIONS=routefilter,norfc1918
|
||||
#
|
||||
# Example (/etc/shorewall/interfaces record):
|
||||
#
|
||||
# net $NET_IF $NET_BCAST $NET_OPTIONS
|
||||
#
|
||||
# The result will be the same as if the record had been written
|
||||
#
|
||||
# net eth0 130.252.100.255 routefilter,norfc1918
|
||||
#
|
||||
##############################################################################
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
85
STABLE2/policy
Normal file
85
STABLE2/policy
Normal file
@ -0,0 +1,85 @@
|
||||
#
|
||||
# Shorewall 2.0 -- Policy File
|
||||
#
|
||||
# /etc/shorewall/policy
|
||||
#
|
||||
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
|
||||
#
|
||||
# This file determines what to do with a new connection request if we
|
||||
# don't get a match from the /etc/shorewall/rules file . For each
|
||||
# source/destination pair, the file is processed in order until a
|
||||
# match is found ("all" will match any client or server).
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# SOURCE Source zone. Must be the name of a zone defined
|
||||
# in /etc/shorewall/zones, $FW or "all".
|
||||
#
|
||||
# DEST Destination zone. Must be the name of a zone defined
|
||||
# in /etc/shorewall/zones, $FW or "all"
|
||||
#
|
||||
# POLICY Policy if no match from the rules file is found. Must
|
||||
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
|
||||
#
|
||||
# ACCEPT - Accept the connection
|
||||
# DROP - Ignore the connection request
|
||||
# REJECT - For TCP, send RST. For all other, send
|
||||
# "port unreachable" ICMP.
|
||||
# CONTINUE - Pass the connection request past
|
||||
# any other rules that it might also
|
||||
# match (where the source or destination
|
||||
# zone in those rules is a superset of
|
||||
# the SOURCE or DEST in this policy).
|
||||
# NONE - Assume that there will never be any
|
||||
# packets from this SOURCE
|
||||
# to this DEST. Shorewall will not set up
|
||||
# any infrastructure to handle such
|
||||
# packets and you may not have any rules
|
||||
# with this SOURCE and DEST in the
|
||||
# /etc/shorewall/rules file. If such a
|
||||
# packet _is_ received, the result is
|
||||
# undefined. NONE may not be used if the
|
||||
# SOURCE or DEST columns contain the
|
||||
# firewall zone ($FW) or "all".
|
||||
#
|
||||
# If this column contains ACCEPT, DROP or REJECT and a
|
||||
# corresponding common action is defined in
|
||||
# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
|
||||
# then that action will be invoked before the policy named in
|
||||
# this column is inforced.
|
||||
#
|
||||
# LOG LEVEL If supplied, each connection handled under the default
|
||||
# POLICY is logged at that level. If not supplied, no
|
||||
# log message is generated. See syslog.conf(5) for a
|
||||
# description of log levels.
|
||||
#
|
||||
# Beginning with Shorewall version 1.3.12, you may
|
||||
# also specify ULOG (must be in upper case). This will
|
||||
# log to the ULOG target and sent to a separate log
|
||||
# through use of ulogd
|
||||
# (http://www.gnumonks.org/projects/ulogd).
|
||||
#
|
||||
# If you don't want to log but need to specify the
|
||||
# following column, place "-" here.
|
||||
#
|
||||
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
|
||||
# and the size of an acceptable burst. If not specified,
|
||||
# TCP connections are not limited.
|
||||
#
|
||||
# As shipped, the default policies are:
|
||||
#
|
||||
# a) All connections from the local network to the internet are allowed
|
||||
# b) All connections from the internet are ignored but logged at syslog
|
||||
# level KERNEL.INFO.
|
||||
# d) All other connection requests are rejected and logged at level
|
||||
# KERNEL.INFO.
|
||||
###############################################################################
|
||||
#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||
# LEVEL
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
#
|
||||
# THE FOLLOWING POLICY MUST BE LAST
|
||||
#
|
||||
all all REJECT info
|
||||
#LAST LINE -- DO NOT REMOVE
|
44
STABLE2/proxyarp
Normal file
44
STABLE2/proxyarp
Normal file
@ -0,0 +1,44 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.0 -- Proxy ARP
|
||||
#
|
||||
# /etc/shorewall/proxyarp
|
||||
#
|
||||
# This file is used to define Proxy ARP.
|
||||
#
|
||||
# Columns must be separated by white space and are:
|
||||
#
|
||||
# ADDRESS IP Address
|
||||
#
|
||||
# INTERFACE Local interface where system is connected. If the
|
||||
# local interface is obvious from the subnetting,
|
||||
# you may enter "-" in this column.
|
||||
#
|
||||
# EXTERNAL External Interface to be used to access this system
|
||||
#
|
||||
# HAVEROUTE If there is already a route from the firewall to
|
||||
# the host whose address is given, enter "Yes" or "yes"
|
||||
# in this column. Otherwise, entry "no", "No" or leave
|
||||
# the column empty and Shorewall will add the route for
|
||||
# you. If Shorewall adds the route,the route will be
|
||||
# persistent if the PERSISTENT column contains Yes;
|
||||
# otherwise, "shorewall stop" or "shorewall clear" will
|
||||
# delete the route.
|
||||
#
|
||||
# PERSISTENT If HAVEROUTE is No or "no", then the value of this
|
||||
# column determines if the route added by Shorewall
|
||||
# persists after a "shorewall stop" or a "shorewall
|
||||
# clear". If this column contains "Yes" or "yes" then
|
||||
# the route persists; If the column is empty or contains
|
||||
# "No"or "no" then the route is deleted at "shorewall
|
||||
# stop" or "shorewall clear".
|
||||
#
|
||||
# Example: Host with IP 155.186.235.6 is connected to
|
||||
# interface eth1 and we want hosts attached via eth0
|
||||
# to be able to access it using that address.
|
||||
#
|
||||
# #ADDRESS INTERFACE EXTERNAL
|
||||
# 155.186.235.6 eth1 eth0
|
||||
##############################################################################
|
||||
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
229
STABLE2/releasenotes.txt
Normal file
229
STABLE2/releasenotes.txt
Normal file
@ -0,0 +1,229 @@
|
||||
Shorewall 2.0.0a
|
||||
|
||||
----------------------------------------------------------------------
|
||||
Problems Corrected since 1.4.10
|
||||
|
||||
1) A blank USER/GROUP column in /etc/shorewall/tcrules no longer causes
|
||||
a [re]start error.
|
||||
|
||||
2) The 'fgrep' utility is no longer required (caused startup problems
|
||||
on LEAF/Bering).
|
||||
|
||||
3) The "shorewall add" command no longer inserts rules before checking
|
||||
of the blacklist.
|
||||
|
||||
4) The 'detectnets' and 'routeback' options may now be used together
|
||||
with the intended effect.
|
||||
|
||||
5) The following syntax previously produced an error:
|
||||
|
||||
DNAT z1!z2,z3 z4...
|
||||
|
||||
Problems Corrected since RC2
|
||||
|
||||
1) CONTINUE rules now work again.
|
||||
|
||||
2) A comment in the rules file has been corrected.
|
||||
|
||||
Problems Corrected since 2.0.0
|
||||
|
||||
1) Using actions in the manner recommended in the documentation
|
||||
results in a Warning that the rule is a policy.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0:
|
||||
|
||||
1) The 'dropunclean' and 'logunclean' interface options are no longer
|
||||
supported. If either option is specified in
|
||||
/etc/shorewall/interfaces, an threatening message will be
|
||||
generated.
|
||||
|
||||
2) The NAT_BEFORE_RULES option has been removed from
|
||||
shorewall.conf. The behavior of Shorewall is as if
|
||||
NAT_BEFORE_RULES=No had been specified. In other words, DNAT rules
|
||||
now always take precidence over one-to-one NAT specifications.
|
||||
|
||||
3) The default value for the ALL INTERFACES column in
|
||||
/etc/shorewall/nat has changed. In Shorewall 1.*, if the column was
|
||||
left empty, a value of "Yes" was assumed. This has been changed so
|
||||
that a value of "No" is now assumed.
|
||||
|
||||
4) The following files don't exist in Shorewall 2.0:
|
||||
|
||||
/etc/shorewall/common.def
|
||||
/etc/shorewall/common
|
||||
/etc/shorewall/icmpdef
|
||||
/etc/shorewall/action.template (Moved to /usr/share/shorewall)
|
||||
/etc/shorewall/rfc1918 (Moved to /usr/share/shorewall).
|
||||
|
||||
The /etc/shorewall/action file now allows an action to be
|
||||
designated as the "common" action for a particular policy type by
|
||||
following the action name with ":" and the policy (DROP, REJECT or
|
||||
ACCEPT).
|
||||
|
||||
The file /usr/share/shorewall/actions.std has been added to define those
|
||||
actions that are released as part of Shorewall. In that file are
|
||||
two actions as follows:
|
||||
|
||||
Drop:DROP
|
||||
Reject:REJECT
|
||||
|
||||
The "Drop" action is the common action for DROP policies while the
|
||||
"Reject" action is the default action for "REJECT" policies. These
|
||||
actions will be performed on packets prior to applying the DROP or
|
||||
REJECT policy respectively. In the first release, the difference
|
||||
between "Reject" and "Drop" is that "Reject" REJECTs SMB traffic
|
||||
while "Drop" silently drops such traffic.
|
||||
|
||||
As described above, Shorewall allows a common action for ACCEPT
|
||||
policies but does not specify such an action in the default
|
||||
configuration.
|
||||
|
||||
If for some reason, you don't wish to have a common DROP or REJECT
|
||||
action, just include :DROP or :REJECT respectively in your
|
||||
/etc/shorewall/actions file.
|
||||
|
||||
The file /usr/share/shorewall/actions.std catalogs the standard
|
||||
actions and is processed prior to /etc/shorewall/actions. This
|
||||
causes a large number of actions to be defined. The files which
|
||||
define these aactions are also located in /usr/share/shorewall as
|
||||
is the he action template file (action.template).
|
||||
|
||||
In the initial release, the following actions are defined:
|
||||
|
||||
dropBcast #Silently Drops Broadcast Traffic
|
||||
dropNonSyn #Silently Drop Non-syn TCP packets
|
||||
|
||||
DropSMB #Silently Drops Microsoft SMB Traffic
|
||||
RejectSMB #Silently Reject Microsoft SMB Traffic
|
||||
DropUPnP #Silently Drop UPnP Probes
|
||||
RejectAuth #Silently Reject Auth
|
||||
DropPing #Silently Drop Ping
|
||||
DropDNSrep #Silently Drop DNS Replies
|
||||
|
||||
AllowPing #Accept Ping
|
||||
AllowFTP #Accept FTP
|
||||
AllowDNS #Accept DNS
|
||||
AllowSSH #Accept SSH
|
||||
AllowWeb #Allow Web Browsing
|
||||
AllowSMB #Allow MS Networking
|
||||
AllowAuth #Allow Auth (identd)
|
||||
AllowSMTP #Allow SMTP (Email)
|
||||
AllowPOP3 #Allow reading mail via POP3
|
||||
AllowIMAP #Allow reading mail via IMAP
|
||||
AllowTelnet #Allow Telnet Access (not recommended for use over the
|
||||
#Internet)
|
||||
AllowVNC #Allow VNC, Displays 0-9
|
||||
AllowVNCL #Allow access to VNC viewer in listen mode
|
||||
AllowNTP #Allow Network Time Protocol (ntpd)
|
||||
AllowRdate #Allow remote time (rdate).
|
||||
AllowNNTP #Allow network news (Usenet).
|
||||
AllowTrcrt #Allows Traceroute (20 hops)
|
||||
AllowSNMP #Allows SNMP (including traps)
|
||||
AllowPCA #Allows PCAnywhere (tm).
|
||||
|
||||
Drop:DROP #Common rules for DROP policy
|
||||
Reject:REJECT #Common Action for Reject policy
|
||||
|
||||
These actions may be used in the ACTION column of the rules
|
||||
column. So for example, to allow FTP from your loc zone to your firewall,
|
||||
you would place this rule in /etc/shorewall/rules:
|
||||
|
||||
#ACTION SOURCE DEST
|
||||
AllowFTP loc fw
|
||||
|
||||
if you want to redefine any of the Shorewall-defined actions,
|
||||
simply copy the appropriate action file from /usr/share/shorewall
|
||||
to /etc/shorewall and modify the copy as desired. Your modified
|
||||
copy will be used rather than the original one in
|
||||
/usr/share/shorewall.
|
||||
|
||||
Note: The 'dropBcast' and 'dropNonSyn' actions are built into
|
||||
Shorewall and may not be changed.
|
||||
|
||||
Beginning with version 2.0.0-Beta2, Shorewall will only create a
|
||||
chain for those actions that are actually used.
|
||||
|
||||
5) The /etc/shorewall directory no longer contains a 'users' file or a
|
||||
'usersets' file. Similar functionality is now available using
|
||||
user-defined actions.
|
||||
|
||||
Now, action files created by copying
|
||||
/usr/share/shorewall/action.template may now specify a USER and or
|
||||
GROUP name/id in the final column just like in the rules file (see
|
||||
below). It is thus possible to create actions that control traffic
|
||||
from a list of users and/or groups.
|
||||
|
||||
The last column in /etc/shorewall/rules is now labeled USER/GROUP
|
||||
and may contain:
|
||||
|
||||
[!]<user number>[:]
|
||||
[!]<user name>[:]
|
||||
[!]:<group number>
|
||||
[!]:<group name>
|
||||
[!]<user number>:<group number>
|
||||
[!]<user number>:<group name>
|
||||
[!]<user name>:<group number>
|
||||
[!]<user name>:<group name>
|
||||
|
||||
6) It is no longer possible to specify rate limiting in the ACTION
|
||||
column of /etc/shorewall/rules -- you must use the RATE LIMIT
|
||||
column.
|
||||
|
||||
7) Depending on which method you use to upgrade, if you have your own
|
||||
version of /etc/shorewall/rfc1918, you may have to take special
|
||||
action to restore it after the upgrade. Look for
|
||||
/etc/shorewall/rfc1918*, locate the proper file and rename it back
|
||||
to /etc/shorewall/rfc1918. The contents of that file will supercede
|
||||
the contents of /usr/share/shorewall/rfc1918.
|
||||
|
||||
New Features:
|
||||
|
||||
1) The INCLUDE directive now allows absolute file names.
|
||||
|
||||
2) A 'nosmurfs' interface option has been added to
|
||||
/etc/shorewall/interfaces. When specified for an interface, this
|
||||
option causes smurfs (packets with a broadcast address as their
|
||||
source) to be dropped and optionally logged (based on the setting of
|
||||
a new SMURF_LOG_LEVEL option in shorewall.conf).
|
||||
|
||||
3) fw->fw traffic may now be controlled by Shorewall. There is no need
|
||||
to define the loopback interface in /etc/shorewall/interfaces; you
|
||||
simply add a fw->fw policy and fw->fw rules. If you have neither a
|
||||
fw->fw policy nor fw->fw rules, all fw->fw traffic is allowed.
|
||||
|
||||
4) There is a new PERSISTENT column in the proxyarp file. A value of
|
||||
"Yes" in this column means that the route added by Shorewall for
|
||||
this host will remain after a "shorewall stop" or "shorewall clear".
|
||||
|
||||
5) "trace" is now a synonym for "debug" in /sbin/shorewall commands.
|
||||
So to trace the "start" command, you could enter:
|
||||
|
||||
shorewall trace start 2> /tmp/trace
|
||||
|
||||
The trace information would be written to the file /tmp/trace.
|
||||
|
||||
6) When defining an ipsec tunnel in /etc/shorewall/tunnels, if you
|
||||
follow the tunnel type ("ipsec" or "ipsecnet") with ":noah"
|
||||
(e.g., "ipsec:noah"), then Shorewall will only create rules for
|
||||
ESP (protocol 50) and will not create rules for AH (protocol 51).
|
||||
|
||||
7) A new DISABLE_IPV6 option has been added to shorewall.conf. When
|
||||
this option is set to "Yes", Shorewall will set the policy for the
|
||||
IPv6 INPUT, OUTPUT and FORWARD chains to DROP during "shorewall
|
||||
[re]start" and "shorewall stop". Regardless of the setting of this
|
||||
variable, "shorewall clear" will silently attempt to set these
|
||||
policies to ACCEPT.
|
||||
|
||||
If this option is not set in your existing shorewall.conf then a
|
||||
setting of DISABLE_IPV6=No is assumed in which case, Shorewall will
|
||||
not touch any IPv6 settings except during "shorewall clear".
|
||||
|
||||
8) The CONTINUE target is now available in action definitions. CONTINUE
|
||||
terminates processing of the current action and returns to the point
|
||||
where that action was invoked.
|
||||
|
||||
|
||||
|
||||
|
||||
|
63
STABLE2/rfc1918
Normal file
63
STABLE2/rfc1918
Normal file
@ -0,0 +1,63 @@
|
||||
#
|
||||
# Shorewall 2.0-- RFC1918 File
|
||||
#
|
||||
# /etc/shorewall/rfc1918
|
||||
#
|
||||
# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
|
||||
#
|
||||
# The default list includes those IP addresses listed in RFC 1918, those listed
|
||||
# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
|
||||
# reserved for use in documentation and examples.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# SUBNET The subnet (host addresses also allowed)
|
||||
# TARGET Where to send packets to/from this subnet
|
||||
# RETURN - let the packet be processed normally
|
||||
# DROP - silently drop the packet
|
||||
# logdrop - log then drop
|
||||
#
|
||||
###############################################################################
|
||||
#SUBNET TARGET
|
||||
255.255.255.255 RETURN # We need to allow limited broadcast
|
||||
169.254.0.0/16 DROP # DHCP autoconfig
|
||||
172.16.0.0/12 logdrop # RFC 1918
|
||||
192.0.2.0/24 logdrop # Example addresses (RFC 3330)
|
||||
192.168.0.0/16 logdrop # RFC 1918
|
||||
#
|
||||
# The following are generated with the help of the Python program found at:
|
||||
#
|
||||
# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
|
||||
#
|
||||
# The program was contributed by Andy Wiggin
|
||||
#
|
||||
0.0.0.0/7 logdrop # Reserved
|
||||
2.0.0.0/8 logdrop # Reserved
|
||||
5.0.0.0/8 logdrop # Reserved
|
||||
7.0.0.0/8 logdrop # Reserved
|
||||
10.0.0.0/8 logdrop # Reserved
|
||||
23.0.0.0/8 logdrop # Reserved
|
||||
27.0.0.0/8 logdrop # Reserved
|
||||
31.0.0.0/8 logdrop # Reserved
|
||||
36.0.0.0/7 logdrop # Reserved
|
||||
39.0.0.0/8 logdrop # Reserved
|
||||
41.0.0.0/8 logdrop # Reserved
|
||||
42.0.0.0/8 logdrop # Reserved
|
||||
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||
58.0.0.0/7 logdrop # Reserved
|
||||
70.0.0.0/7 logdrop # Reserved
|
||||
72.0.0.0/5 logdrop # Reserved
|
||||
85.0.0.0/8 logdrop # Reserved
|
||||
86.0.0.0/7 logdrop # Reserved
|
||||
88.0.0.0/5 logdrop # Reserved
|
||||
96.0.0.0/3 logdrop # Reserved
|
||||
127.0.0.0/8 logdrop # Loopback
|
||||
197.0.0.0/8 logdrop # Reserved
|
||||
198.18.0.0/15 logdrop # Reserved
|
||||
223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
|
||||
240.0.0.0/4 logdrop # Reserved
|
||||
#
|
||||
# End of generated entries
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
25
STABLE2/routestopped
Normal file
25
STABLE2/routestopped
Normal file
@ -0,0 +1,25 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped
|
||||
#
|
||||
# /etc/shorewall/routestopped
|
||||
#
|
||||
# This file is used to define the hosts that are accessible when the
|
||||
# firewall is stopped
|
||||
#
|
||||
# Columns must be separated by white space and are:
|
||||
#
|
||||
# INTERFACE - Interface through which host(s) communicate with
|
||||
# the firewall
|
||||
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
||||
# If left empty or supplied as "-",
|
||||
# 0.0.0.0/0 is assumed.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# INTERFACE HOST(S)
|
||||
# eth2 192.168.1.0/24
|
||||
# eth0 192.0.2.44
|
||||
##############################################################################
|
||||
#INTERFACE HOST(S)
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
289
STABLE2/rules
Normal file
289
STABLE2/rules
Normal file
@ -0,0 +1,289 @@
|
||||
#
|
||||
# Shorewall version 2.0 - Rules File
|
||||
#
|
||||
# /etc/shorewall/rules
|
||||
#
|
||||
# Rules in this file govern connection establishment. Requests and
|
||||
# responses are automatically allowed using connection tracking. For any
|
||||
# particular (source,dest) pair of zones, the rules are evaluated in the
|
||||
# order in which they appear in this file and the first match is the one
|
||||
# that determines the disposition of the request.
|
||||
#
|
||||
# In most places where an IP address or subnet is allowed, you
|
||||
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
|
||||
# indicate that the rule matches all addresses except the address/subnet
|
||||
# given. Notice that no white space is permitted between "!" and the
|
||||
# address/subnet.
|
||||
#------------------------------------------------------------------------------
|
||||
# WARNING: If you masquerade or use SNAT from a local system to the internet,
|
||||
# you cannot use an ACCEPT rule to allow traffic from the internet to
|
||||
# that system. You *must* use a DNAT rule instead.
|
||||
#-------------------------------------------------------------------------------#
|
||||
# Columns are:
|
||||
#
|
||||
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
|
||||
# LOG, QUEUE or an <action>.
|
||||
#
|
||||
# ACCEPT -- allow the connection request
|
||||
# DROP -- ignore the request
|
||||
# REJECT -- disallow the request and return an
|
||||
# icmp-unreachable or an RST packet.
|
||||
# DNAT -- Forward the request to another
|
||||
# system (and optionally another
|
||||
# port).
|
||||
# DNAT- -- Advanced users only.
|
||||
# Like DNAT but only generates the
|
||||
# DNAT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
# REDIRECT -- Redirect the request to a local
|
||||
# port on the firewall.
|
||||
# REDIRECT-
|
||||
# -- Advanced users only.
|
||||
# Like REDIRET but only generates the
|
||||
# REDIRECT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
#
|
||||
# CONTINUE -- (For experts only). Do not process
|
||||
# any of the following rules for this
|
||||
# (source zone,destination zone). If
|
||||
# The source and/or destination IP
|
||||
# address falls into a zone defined
|
||||
# later in /etc/shorewall/zones, this
|
||||
# connection request will be passed
|
||||
# to the rules defined for that
|
||||
# (those) zone(s).
|
||||
# LOG -- Simply log the packet and continue.
|
||||
# QUEUE -- Queue the packet to a user-space
|
||||
# application such as ftwall
|
||||
# (http://p2pwall.sf.net).
|
||||
# <action> -- The name of an action defined in
|
||||
# /etc/shorewall/actions or in
|
||||
# /usr/share/shorewall/actions.std.
|
||||
#
|
||||
# The ACTION may optionally be followed
|
||||
# by ":" and a syslog log level (e.g, REJECT:info or
|
||||
# DNAT:debug). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# You may also specify ULOG (must be in upper case) as a
|
||||
# log level.This will log to the ULOG target for routing
|
||||
# to a separate log through use of ulogd
|
||||
# (http://www.gnumonks.org/projects/ulogd).
|
||||
#
|
||||
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||
# defined in /etc/shorewall/zones, $FW to indicate the
|
||||
# firewall itself, or "all" If the ACTION is DNAT or
|
||||
# REDIRECT, sub-zones of the specified zone may be
|
||||
# excluded from the rule by following the zone name with
|
||||
# "!' and a comma-separated list of sub-zone names.
|
||||
#
|
||||
# Except when "all" is specified, clients may be further
|
||||
# restricted to a list of subnets and/or hosts by
|
||||
# appending ":" and a comma-separated list of subnets
|
||||
# and/or hosts. Hosts may be specified by IP or MAC
|
||||
# address; mac addresses must begin with "~" and must use
|
||||
# "-" as a separator.
|
||||
#
|
||||
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
|
||||
#
|
||||
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
|
||||
# Internet
|
||||
#
|
||||
# loc:192.168.1.1,192.168.1.2
|
||||
# Hosts 192.168.1.1 and
|
||||
# 192.168.1.2 in the local zone.
|
||||
# loc:~00-A0-C9-15-39-78 Host in the local zone with
|
||||
# MAC address 00:A0:C9:15:39:78.
|
||||
#
|
||||
# Alternatively, clients may be specified by interface
|
||||
# by appending ":" to the zone name followed by the
|
||||
# interface name. For example, loc:eth1 specifies a
|
||||
# client that communicates with the firewall system
|
||||
# through eth1. This may be optionally followed by
|
||||
# another colon (":") and an IP/MAC/subnet address
|
||||
# as described above (e.g., loc:eth1:192.168.1.5).
|
||||
#
|
||||
# DEST Location of Server. May be a zone defined in
|
||||
# /etc/shorewall/zones, $FW to indicate the firewall
|
||||
# itself or "all"
|
||||
#
|
||||
# Except when "all" is specified, the server may be
|
||||
# further restricted to a particular subnet, host or
|
||||
# interface by appending ":" and the subnet, host or
|
||||
# interface. See above.
|
||||
#
|
||||
# Restrictions:
|
||||
#
|
||||
# 1. MAC addresses are not allowed.
|
||||
# 2. In DNAT rules, only IP addresses are
|
||||
# allowed; no FQDNs or subnet addresses
|
||||
# are permitted.
|
||||
# 3. You may not specify both an interface and
|
||||
# an address.
|
||||
#
|
||||
# Unlike in the SOURCE column, you may specify a range of
|
||||
# up to 256 IP addresses using the syntax
|
||||
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
|
||||
# the connections will be assigned to addresses in the
|
||||
# range in a round-robin fashion.
|
||||
#
|
||||
# The port that the server is listening on may be
|
||||
# included and separated from the server's IP address by
|
||||
# ":". If omitted, the firewall will not modifiy the
|
||||
# destination port. A destination port may only be
|
||||
# included if the ACTION is DNAT or REDIRECT.
|
||||
#
|
||||
# Example: loc:192.168.1.3:3128 specifies a local
|
||||
# server at IP address 192.168.1.3 and listening on port
|
||||
# 3128. The port number MUST be specified as an integer
|
||||
# and not as a name from /etc/services.
|
||||
#
|
||||
# if the ACTION is REDIRECT, this column needs only to
|
||||
# contain the port number on the firewall that the
|
||||
# request should be redirected to.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
||||
# "all".
|
||||
#
|
||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# A port range is expressed as <low port>:<high port>.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
# entered if any of the following ields are supplied.
|
||||
# In that case, it is suggested that this field contain
|
||||
# "-"
|
||||
#
|
||||
# If your kernel contains multi-port match support, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
# this list and the CLIENT PORT(S) list below:
|
||||
# 1. There are 15 or less ports listed.
|
||||
# 2. No port ranges are included.
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
|
||||
# any source port is acceptable. Specified as a comma-
|
||||
# separated list of port names, port numbers or port
|
||||
# ranges.
|
||||
#
|
||||
# If you don't want to restrict client ports but need to
|
||||
# specify an ADDRESS in the next column, then place "-"
|
||||
# in this column.
|
||||
#
|
||||
# If your kernel contains multi-port match support, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
# this list and the DEST PORT(S) list above:
|
||||
# 1. There are 15 or less ports listed.
|
||||
# 2. No port ranges are included.
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or
|
||||
# REDIRECT[-]) If included and different from the IP
|
||||
# address given in the SERVER column, this is an address
|
||||
# on some interface on the firewall and connections to
|
||||
# that address will be forwarded to the IP and port
|
||||
# specified in the DEST column.
|
||||
#
|
||||
# A comma-separated list of addresses may also be used.
|
||||
# This is usually most useful with the REDIRECT target
|
||||
# where you want to redirect traffic destined for
|
||||
# particular set of hosts.
|
||||
#
|
||||
# Finally, if the list of addresses begins with "!" then
|
||||
# the rule will be followed only if the original
|
||||
# destination address in the connection request does not
|
||||
# match any of the addresses listed.
|
||||
#
|
||||
# The address (list) may optionally be followed by
|
||||
# a colon (":") and a second IP address. This causes
|
||||
# Shorewall to use the second IP address as the source
|
||||
# address in forwarded packets. See the Shorewall
|
||||
# documentation for restrictions concerning this feature.
|
||||
# If no source IP address is given, the original source
|
||||
# address is not altered.
|
||||
#
|
||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||
# this colume:
|
||||
#
|
||||
# <rate>/<interval>[:<burst>]
|
||||
#
|
||||
# where <rate> is the number of connections per
|
||||
# <interval> ("sec" or "min") and <burst> is the
|
||||
# largest burst permitted. If no <burst> is given,
|
||||
# a value of 5 is assumed. There may be no
|
||||
# no whitespace embedded in the specification.
|
||||
#
|
||||
# Example: 10/sec:20
|
||||
#
|
||||
# USER/GROUP This column may only be non-empty if the SOURCE is
|
||||
# the firewall itself.
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>]
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
# the effective <user> and/or <group> specified (or is
|
||||
# NOT running under that id if "!" is given).
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# joe #program must be run by joe
|
||||
# :kids #program must be run by a member of
|
||||
# #the 'kids' group
|
||||
# !:kids #program must not be run by a member
|
||||
# #of the 'kids' group
|
||||
#
|
||||
# Example: Accept SMTP requests from the DMZ to the internet
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# ACCEPT dmz net tcp smtp
|
||||
#
|
||||
# Example: Forward all ssh and http connection requests from the internet
|
||||
# to local system 192.168.1.3
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# DNAT net loc:192.168.1.3 tcp ssh,http
|
||||
#
|
||||
# Example: Forward all http connection requests from the internet
|
||||
# to local system 192.168.1.3 with a limit of 3 per second and
|
||||
# a maximum burst of 10
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# DNAT<3/sec:10> net loc:192.168.1.3 tcp http
|
||||
#
|
||||
# Example: Redirect all locally-originating www connection requests to
|
||||
# port 3128 on the firewall (Squid running on the firewall
|
||||
# system) except when the destination address is 192.168.2.2
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# REDIRECT loc 3128 tcp www - !192.168.2.2
|
||||
#
|
||||
# Example: All http requests from the internet to address
|
||||
# 130.252.100.69 are to be forwarded to 192.168.1.3
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
|
||||
#
|
||||
# Example: You want to accept SSH connections to your firewall only
|
||||
# from internet IP addresses 130.252.100.69 and 130.252.100.70
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
|
||||
# tcp 22
|
||||
####################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
972
STABLE2/shorewall
Executable file
972
STABLE2/shorewall
Executable file
@ -0,0 +1,972 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall Packet Filtering Firewall Control Program - V2.0 - 3/14/2004
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# This file should be placed in /sbin/shorewall.
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
# If an error occurs while starting or restarting the firewall, the
|
||||
# firewall is automatically stopped.
|
||||
#
|
||||
# The firewall uses configuration files in /etc/shorewall/ - skeleton
|
||||
# files is included with the firewall.
|
||||
#
|
||||
# Commands are:
|
||||
#
|
||||
# shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone
|
||||
# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
|
||||
# shorewall start Starts the firewall
|
||||
# shorewall restart Restarts the firewall
|
||||
# shorewall stop Stops the firewall
|
||||
# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status
|
||||
# plus the last 20 "interesting"
|
||||
# packets
|
||||
# shorewall status Displays firewall status
|
||||
# shorewall reset Resets iptables packet and
|
||||
# byte counts
|
||||
# shorewall clear Open the floodgates by
|
||||
# removing all iptables rules
|
||||
# and setting the three permanent
|
||||
# chain policies to ACCEPT
|
||||
# shorewall refresh Rebuild the common chain to
|
||||
# compensate for a change of
|
||||
# broadcast address on any "detect"
|
||||
# interface.
|
||||
# shorewall show <chain> [ <chain> ... ] Display the rules in each <chain> listed
|
||||
# shorewall show log Print the last 20 log messages
|
||||
# shorewall show connections Show the kernel's connection
|
||||
# tracking table
|
||||
# shorewall show nat Display the rules in the nat table
|
||||
# shorewall show {mangle|tos} Display the rules in the mangle table
|
||||
# shorewall show tc Display traffic control info
|
||||
# shorewall show classifiers Display classifiers
|
||||
# shorewall version Display the installed version id
|
||||
# shorewall check Verify the more heavily-used
|
||||
# configuration files.
|
||||
# shorewall try <directory> [ <timeout> ] Try a new configuration and if
|
||||
# it doesn't work, revert to the
|
||||
# standard one. If a timeout is supplied
|
||||
# the command reverts back to the
|
||||
# standard configuration after that many
|
||||
# seconds have elapsed after successfully
|
||||
# starting the new configuration.
|
||||
# shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall
|
||||
# messages.
|
||||
# shorewall drop <address> ... Temporarily drop all packets from the
|
||||
# listed address(es)
|
||||
# shorewall reject <address> ... Temporarily reject all packets from the
|
||||
# listed address(es)
|
||||
# shorewall allow <address> ... Reenable address(es) previously
|
||||
# disabled with "drop" or "reject"
|
||||
# shorewall save Save the list of "rejected" and
|
||||
# "dropped" addresses so that it will
|
||||
# be automatically reinstated the
|
||||
# next time that Shorewall starts.
|
||||
#
|
||||
# shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ]
|
||||
#
|
||||
# Displays information about the network
|
||||
# defined by the argument[s]
|
||||
#
|
||||
# shorewall iprange <address>-<address> Decomposes a range of IP addresses into
|
||||
# a list of network/host addresses.
|
||||
#
|
||||
# Fatal Error
|
||||
#
|
||||
fatal_error() # $@ = Message
|
||||
{
|
||||
echo " $@" >&2
|
||||
exit 2
|
||||
}
|
||||
|
||||
# Display a chain if it exists
|
||||
#
|
||||
|
||||
showfirstchain() # $1 = name of chain
|
||||
{
|
||||
awk \
|
||||
'BEGIN {prnt=0; rslt=1; }; \
|
||||
/^$/ { next; };\
|
||||
/^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\
|
||||
/Chain '$1'/ { prnt=1; }; \
|
||||
{ if (prnt == 1) print; };\
|
||||
END { exit rslt; }' /tmp/chains-$$
|
||||
}
|
||||
|
||||
showchain() # $1 = name of chain
|
||||
{
|
||||
if [ "$firstchain" = "Yes" ]; then
|
||||
if showfirstchain $1; then
|
||||
firstchain=
|
||||
fi
|
||||
else
|
||||
awk \
|
||||
'BEGIN {prnt=0;};\
|
||||
/^$|^ pkts/ { next; };\
|
||||
/^Chain/ {if ( prnt == 1 ) exit; };\
|
||||
/Chain '$1'/ { prnt=1; };\
|
||||
{ if (prnt == 1) print; }' /tmp/chains-$$
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Set the configuration variables from shorewall.conf
|
||||
#
|
||||
get_config() {
|
||||
|
||||
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
|
||||
|
||||
if [ ! -f $LOGFILE ]; then
|
||||
echo "LOGFILE ($LOGFILE) does not exist!" >&2
|
||||
exit 2
|
||||
fi
|
||||
#
|
||||
# See if we have a real version of "tail" -- use separate redirection so
|
||||
# that ash (aka /bin/sh on LRP) doesn't crap
|
||||
#
|
||||
if ( tail -n5 $LOGFILE > /dev/null 2> /dev/null ) ; then
|
||||
realtail="Yes"
|
||||
else
|
||||
realtail=""
|
||||
fi
|
||||
|
||||
[ -n "$FW" ] || FW=fw
|
||||
|
||||
[ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
|
||||
|
||||
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
|
||||
|
||||
if [ -n "$SHOREWALL_SHELL" ]; then
|
||||
if [ ! -e "$SHOREWALL_SHELL" ]; then
|
||||
echo "The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Display IPTABLES rules -- we used to store them in a variable but ash
|
||||
# dies when trying to display large sets of rules
|
||||
#
|
||||
display_chains()
|
||||
{
|
||||
trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
|
||||
|
||||
if [ "$haveawk" = "Yes" ]; then
|
||||
#
|
||||
# Send the output to a temporary file since ash craps if we try to store
|
||||
# the output in a variable.
|
||||
#
|
||||
iptables -L -n -v > /tmp/chains-$$
|
||||
|
||||
clear
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo "Standard Chains"
|
||||
echo
|
||||
firstchain="Yes"
|
||||
showchain INPUT
|
||||
showchain OUTPUT
|
||||
showchain FORWARD
|
||||
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
echo "Input Chains"
|
||||
echo
|
||||
|
||||
chains=$(grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2)
|
||||
|
||||
for chain in $chains; do
|
||||
showchain $chain
|
||||
done
|
||||
|
||||
timed_read
|
||||
|
||||
for zone in $zones; do
|
||||
|
||||
if [ -n "$(grep "^Chain \.*${zone}" /tmp/chains-$$)" ] ; then
|
||||
clear
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
eval display=\$${zone}_display
|
||||
echo "$display Chains"
|
||||
echo
|
||||
for zone1 in $FW $zones; do
|
||||
showchain ${zone}2$zone1
|
||||
showchain @${zone}2$zone1
|
||||
[ "$zone" != "$zone1" ] && \
|
||||
showchain ${zone1}2${zone} && \
|
||||
showchain @${zone1}2${zone}
|
||||
done
|
||||
|
||||
timed_read
|
||||
fi
|
||||
done
|
||||
|
||||
clear
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
echo "Policy Chains"
|
||||
echo
|
||||
showchain common
|
||||
showchain badpkt
|
||||
showchain icmpdef
|
||||
showchain rfc1918
|
||||
showchain blacklst
|
||||
showchain reject
|
||||
showchain newnotsyn
|
||||
for zone in $zones all; do
|
||||
showchain ${zone}2all
|
||||
showchain @${zone}2all
|
||||
[ "$zone" = "all" ] || { showchain all2${zone}; showchain @all2${zone}; }
|
||||
done
|
||||
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
echo "Dynamic Chain"
|
||||
echo
|
||||
showchain dynamic
|
||||
timed_read
|
||||
|
||||
qt rm -f /tmp/chains-$$
|
||||
else
|
||||
iptables -L -n -v
|
||||
timed_read
|
||||
fi
|
||||
trap - 1 2 3 4 5 6 9
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Delay $timeout seconds -- if we're running on a recent bash2 then allow
|
||||
# <enter> to terminate the delay
|
||||
#
|
||||
timed_read ()
|
||||
{
|
||||
read -t $timeout foo 2> /dev/null
|
||||
|
||||
test $? -eq 2 && sleep $timeout
|
||||
}
|
||||
|
||||
#
|
||||
# Display the last $1 packets logged
|
||||
#
|
||||
packet_log() # $1 = number of messages
|
||||
{
|
||||
local options
|
||||
|
||||
[ -n "$realtail" ] && options="-n$1"
|
||||
|
||||
grep "${LOGFORMAT}\|ipt_unclean" $LOGFILE | \
|
||||
sed s/" kernel:"// | \
|
||||
sed s/" $host $LOGFORMAT"/" "/ | \
|
||||
sed s/" $host kernel: ipt_unclean: "/" "/ | \
|
||||
sed 's/MAC=.*SRC=/SRC=/' | \
|
||||
tail $options
|
||||
}
|
||||
|
||||
#
|
||||
# Show traffic control information
|
||||
#
|
||||
show_tc() {
|
||||
|
||||
show_one_tc() {
|
||||
local device=${1%@*}
|
||||
qdisc=$(tc qdisc list dev $device)
|
||||
|
||||
if [ -n "$qdisc" ]; then
|
||||
echo Device $device:
|
||||
tc -s -d qdisc show dev $device
|
||||
tc -s -d class show dev $device
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
ip link list | \
|
||||
while read inx interface details; do
|
||||
case $inx in
|
||||
[0-9]*)
|
||||
show_one_tc ${interface%:}
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Show classifier information
|
||||
#
|
||||
show_classifiers() {
|
||||
|
||||
show_one_classifier() {
|
||||
local device=${1%@*}
|
||||
qdisc=$(tc qdisc list dev $device)
|
||||
|
||||
if [ -n "$qdisc" ]; then
|
||||
echo Device $device:
|
||||
tc -s filter ls dev $device
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
ip link list | \
|
||||
while read inx interface details; do
|
||||
case $inx in
|
||||
[0-9]*)
|
||||
show_one_classifier ${interface%:}
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
}
|
||||
#
|
||||
# Monitor the Firewall
|
||||
#
|
||||
monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
# an 'interesting' packet count changes
|
||||
{
|
||||
|
||||
get_config
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
oldrejects=$(iptables -L -v -n | grep 'LOG')
|
||||
|
||||
if [ $1 -lt 0 ]; then
|
||||
let "timeout=- $1"
|
||||
pause="Yes"
|
||||
else
|
||||
pause="No"
|
||||
timeout=$1
|
||||
fi
|
||||
|
||||
|
||||
if qt which awk; then
|
||||
TMP_DIR=/tmp/shorewall-$$
|
||||
mkdir $TMP_DIR
|
||||
haveawk=Yes
|
||||
determine_zones
|
||||
rm -rf $TMP_DIR
|
||||
else
|
||||
haveawk=
|
||||
fi
|
||||
|
||||
while true; do
|
||||
display_chains
|
||||
|
||||
clear
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
|
||||
echo "Dropped/Rejected Packet Log"
|
||||
echo
|
||||
|
||||
show_reset
|
||||
|
||||
rejects=$(iptables -L -v -n | grep 'LOG')
|
||||
|
||||
if [ "$rejects" != "$oldrejects" ]; then
|
||||
oldrejects="$rejects"
|
||||
|
||||
$RING_BELL
|
||||
|
||||
packet_log 20
|
||||
|
||||
if [ "$pause" = "Yes" ]; then
|
||||
echo
|
||||
echo $ECHO_N 'Enter any character to continue: '
|
||||
read foo
|
||||
else
|
||||
timed_read
|
||||
fi
|
||||
else
|
||||
echo
|
||||
packet_log 20
|
||||
timed_read
|
||||
fi
|
||||
|
||||
clear
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo "NAT Status"
|
||||
echo
|
||||
iptables -t nat -L -n -v
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
echo "TOS/MARK Status"
|
||||
echo
|
||||
iptables -t mangle -L -n -v
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
echo "Tracked Connections"
|
||||
echo
|
||||
cat /proc/net/ip_conntrack
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
echo "Traffic Shaping/Control"
|
||||
echo
|
||||
show_tc
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
echo "Packet Classifiers"
|
||||
echo
|
||||
show_classifiers
|
||||
timed_read
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Watch the Firewall Log
|
||||
#
|
||||
logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
# an 'interesting' packet count changes
|
||||
{
|
||||
|
||||
get_config
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
oldrejects=$(iptables -L -v -n | grep 'LOG')
|
||||
|
||||
if [ $1 -lt 0 ]; then
|
||||
timeout=$((- $1))
|
||||
pause="Yes"
|
||||
else
|
||||
pause="No"
|
||||
timeout=$1
|
||||
fi
|
||||
|
||||
qt which awk && haveawk=Yes || haveawk=
|
||||
|
||||
while true; do
|
||||
clear
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
|
||||
echo "Dropped/Rejected Packet Log"
|
||||
echo
|
||||
|
||||
show_reset
|
||||
|
||||
rejects=$(iptables -L -v -n | grep 'LOG')
|
||||
|
||||
if [ "$rejects" != "$oldrejects" ]; then
|
||||
oldrejects="$rejects"
|
||||
|
||||
$RING_BELL
|
||||
|
||||
packet_log 40
|
||||
|
||||
if [ "$pause" = "Yes" ]; then
|
||||
echo
|
||||
echo $ECHO_N 'Enter any character to continue: '
|
||||
read foo
|
||||
else
|
||||
timed_read
|
||||
fi
|
||||
else
|
||||
echo
|
||||
packet_log 40
|
||||
timed_read
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Help information
|
||||
#
|
||||
help()
|
||||
{
|
||||
[ -x $HELP ] && { export version; exec $HELP $*; }
|
||||
echo "Help subsystem is not installed at $HELP"
|
||||
}
|
||||
|
||||
#
|
||||
# Give Usage Information
|
||||
#
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] <command>"
|
||||
echo "where <command> is one of:"
|
||||
echo " add <interface>[:<host>] <zone>"
|
||||
echo " allow <address> ..."
|
||||
echo " check"
|
||||
echo " clear"
|
||||
echo " delete <interface>[:<host>] <zone>"
|
||||
echo " drop <address> ..."
|
||||
echo " help [ <command > | host | address ]"
|
||||
echo " hits"
|
||||
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
|
||||
echo " iprange <address>-<address>"
|
||||
echo " logwatch [<refresh interval>]"
|
||||
echo " monitor [<refresh interval>]"
|
||||
echo " refresh"
|
||||
echo " reject <address> ..."
|
||||
echo " reset"
|
||||
echo " restart"
|
||||
echo " save"
|
||||
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
|
||||
echo " start"
|
||||
echo " stop"
|
||||
echo " status"
|
||||
echo " try <directory> [ <timeout> ]"
|
||||
echo " version"
|
||||
exit $1
|
||||
}
|
||||
|
||||
#
|
||||
# Display the time that the counters were last reset
|
||||
#
|
||||
show_reset() {
|
||||
[ -f $STATEDIR/restarted ] && \
|
||||
echo "Counters reset $(cat $STATEDIR/restarted)" && \
|
||||
echo
|
||||
}
|
||||
|
||||
#
|
||||
# Execution begins here
|
||||
#
|
||||
debugging=
|
||||
|
||||
if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then
|
||||
debugging=debug
|
||||
shift
|
||||
fi
|
||||
|
||||
nolock=
|
||||
|
||||
if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
|
||||
nolock=nolock
|
||||
shift
|
||||
fi
|
||||
|
||||
SHOREWALL_DIR=
|
||||
done=0
|
||||
|
||||
while [ $done -eq 0 ]; do
|
||||
[ $# -eq 0 ] && usage 1
|
||||
case $1 in
|
||||
-c)
|
||||
[ $# -eq 1 ] && usage 1
|
||||
|
||||
if [ ! -d $2 ]; then
|
||||
if [ -e $2 ]; then
|
||||
echo "$2 is not a directory" >&2 && exit 2
|
||||
else
|
||||
echo "Directory $2 does not exist" >&2 && exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
SHOREWALL_DIR=$2
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
done=1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ $# -eq 0 ]; then
|
||||
usage 1
|
||||
fi
|
||||
|
||||
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
MUTEX_TIMEOUT=
|
||||
|
||||
SHARED_DIR=/usr/share/shorewall
|
||||
FIREWALL=$SHARED_DIR/firewall
|
||||
FUNCTIONS=$SHARED_DIR/functions
|
||||
VERSION_FILE=$SHARED_DIR/version
|
||||
HELP=$SHARED_DIR/help
|
||||
|
||||
if [ -f $FUNCTIONS ]; then
|
||||
. $FUNCTIONS
|
||||
else
|
||||
echo "$FUNCTIONS does not exist!" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
config=$(find_file shorewall.conf)
|
||||
|
||||
if [ -f $config ]; then
|
||||
. $config
|
||||
else
|
||||
echo "$config does not exist!" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||
|
||||
if [ ! -f $FIREWALL ]; then
|
||||
echo "ERROR: Shorewall is not properly installed"
|
||||
if [ -L $FIREWALL ]; then
|
||||
echo " $FIREWALL is a symbolic link to a"
|
||||
echo " non-existant file"
|
||||
else
|
||||
echo " The file $FIREWALL does not exist"
|
||||
fi
|
||||
|
||||
exit 2
|
||||
fi
|
||||
|
||||
if [ -f $VERSION_FILE ]; then
|
||||
version=$(cat $VERSION_FILE)
|
||||
else
|
||||
echo "ERROR: Shorewall is not properly installed"
|
||||
echo " The file $VERSION_FILE does not exist"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
banner="Shorewall-$version Status at $HOSTNAME -"
|
||||
|
||||
|
||||
case $(echo -e) in
|
||||
-e*)
|
||||
RING_BELL="echo \a"
|
||||
;;
|
||||
*)
|
||||
RING_BELL="echo -e \a"
|
||||
;;
|
||||
esac
|
||||
|
||||
case $(echo -n "Testing") in
|
||||
-n*)
|
||||
ECHO_N=
|
||||
;;
|
||||
*)
|
||||
ECHO_N=-n
|
||||
;;
|
||||
esac
|
||||
|
||||
case "$1" in
|
||||
start|stop|restart|reset|clear|refresh|check)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
get_config
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
||||
;;
|
||||
add|delete)
|
||||
[ $# -ne 3 ] && usage 1
|
||||
get_config
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
|
||||
;;
|
||||
show|list)
|
||||
[ -n "$debugging" ] && set -x
|
||||
case "$2" in
|
||||
connections)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
echo "Shorewall-$version Connections at $HOSTNAME - $(date)"
|
||||
echo
|
||||
cat /proc/net/ip_conntrack
|
||||
;;
|
||||
nat)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
iptables -t nat -L -n -v
|
||||
;;
|
||||
tos|mangle)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
iptables -t mangle -L -n -v
|
||||
;;
|
||||
log)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
get_config
|
||||
echo "Shorewall-$version Log at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
packet_log 20
|
||||
;;
|
||||
tc)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_tc
|
||||
;;
|
||||
classifiers)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_classifiers
|
||||
;;
|
||||
*)
|
||||
shift
|
||||
|
||||
echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
if [ $# -gt 0 ]; then
|
||||
for chain in $*; do
|
||||
iptables -L $chain -n -v
|
||||
done
|
||||
else
|
||||
iptables -L -n -v
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
monitor)
|
||||
[ -n "$debugging" ] && set -x
|
||||
if [ $# -eq 2 ]; then
|
||||
monitor_firewall $2
|
||||
elif [ $# -eq 1 ]; then
|
||||
monitor_firewall 30
|
||||
else
|
||||
usage 1
|
||||
fi
|
||||
;;
|
||||
status)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] || usage 1
|
||||
get_config
|
||||
clear
|
||||
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
iptables -L -n -v
|
||||
echo
|
||||
packet_log 20
|
||||
echo
|
||||
echo "NAT Table"
|
||||
echo
|
||||
iptables -t nat -L -n -v
|
||||
echo
|
||||
echo "Mangle Table"
|
||||
echo
|
||||
iptables -t mangle -L -n -v
|
||||
echo
|
||||
cat /proc/net/ip_conntrack
|
||||
;;
|
||||
hits)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] || usage 1
|
||||
get_config
|
||||
clear
|
||||
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
|
||||
echo
|
||||
|
||||
timeout=30
|
||||
|
||||
if [ $(grep -c "$LOGFORMAT" $LOGFILE ) -gt 0 ] ; then
|
||||
echo " HITS IP DATE"
|
||||
echo " ---- --------------- ------"
|
||||
grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn
|
||||
echo ""
|
||||
|
||||
echo " HITS IP PORT"
|
||||
echo " ---- --------------- -----"
|
||||
grep "$LOGFORMAT" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
|
||||
t
|
||||
s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn
|
||||
echo ""
|
||||
|
||||
echo " HITS DATE"
|
||||
echo " ---- ------"
|
||||
grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn
|
||||
echo ""
|
||||
|
||||
echo " HITS PORT SERVICE(S)"
|
||||
echo " ---- ----- ----------"
|
||||
grep "$LOGFORMAT.*DPT" $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
|
||||
while read count port ; do
|
||||
# List all services defined for the given port
|
||||
srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u)
|
||||
srv=$(echo $srv | sed 's/ /,/g')
|
||||
|
||||
if [ -n "$srv" ] ; then
|
||||
printf '%7d %5d %s\n' $count $port $srv
|
||||
else
|
||||
printf '%7d %5d\n' $count $port
|
||||
fi
|
||||
done
|
||||
fi
|
||||
;;
|
||||
version)
|
||||
echo $version
|
||||
;;
|
||||
try)
|
||||
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
|
||||
[ $# -lt 2 -o $# -gt 3 ] && usage 1
|
||||
if ! $0 $debugging -c $2 restart; then
|
||||
if ! iptables -L shorewall > /dev/null 2> /dev/null; then
|
||||
$0 start
|
||||
fi
|
||||
elif ! iptables -L shorewall > /dev/null 2> /dev/null; then
|
||||
$0 start
|
||||
elif [ $# -eq 3 ]; then
|
||||
sleep $3
|
||||
$0 restart
|
||||
fi
|
||||
;;
|
||||
logwatch)
|
||||
[ -n "$debugging" ] && set -x
|
||||
if [ $# -eq 2 ]; then
|
||||
logwatch $2
|
||||
elif [ $# -eq 1 ]; then
|
||||
logwatch 30
|
||||
else
|
||||
usage 1
|
||||
fi
|
||||
;;
|
||||
drop)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] && usage 1
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
qt iptables -D dynamic -s $1 -j reject
|
||||
qt iptables -D dynamic -s $1 -j DROP
|
||||
iptables -A dynamic -s $1 -j DROP || break 1
|
||||
echo "$1 Dropped"
|
||||
done
|
||||
mutex_off
|
||||
;;
|
||||
reject)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] && usage 1
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
qt iptables -D dynamic -s $1 -j reject
|
||||
qt iptables -D dynamic -s $1 -j DROP
|
||||
iptables -A dynamic -s $1 -j reject || break 1
|
||||
echo "$1 Rejected"
|
||||
done
|
||||
mutex_off
|
||||
;;
|
||||
allow)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] && usage 1
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
|
||||
echo "$1 Allowed"
|
||||
else
|
||||
echo "$1 Not Dropped or Rejected"
|
||||
fi
|
||||
done
|
||||
mutex_off
|
||||
;;
|
||||
save)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -ne 1 ] && usage 1
|
||||
mutex_on
|
||||
if qt iptables -L shorewall -n; then
|
||||
[ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
|
||||
|
||||
if iptables -L dynamic -n > /var/lib/shorewall/save; then
|
||||
echo "Dynamic Rules Saved"
|
||||
else
|
||||
echo "Error Saving the Dynamic Rules"
|
||||
fi
|
||||
else
|
||||
echo "Shorewall isn't started"
|
||||
fi
|
||||
mutex_off
|
||||
;;
|
||||
ipcalc)
|
||||
[ -n "$debugging" ] && set -x
|
||||
if [ $# -eq 2 ]; then
|
||||
address=${2%/*}
|
||||
vlsm=${2#*/}
|
||||
elif [ $# -eq 3 ]; then
|
||||
address=$2
|
||||
vlsm=$(ip_vlsm $3)
|
||||
else
|
||||
usage 1
|
||||
fi
|
||||
|
||||
[ -z "$vlsm" ] && exit 2
|
||||
[ "x$address" = "x$vlsm" ] && usage 2
|
||||
[ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2
|
||||
|
||||
address=$address/$vlsm
|
||||
|
||||
echo " CIDR=$address"
|
||||
temp=$(ip_netmask $address); echo " NETMASK=$(encodeaddr $temp)"
|
||||
temp=$(ip_network $address); echo " NETWORK=$temp"
|
||||
temp=$(broadcastaddress $address); echo " BROADCAST=$temp"
|
||||
;;
|
||||
|
||||
iprange)
|
||||
[ -n "$debugging" ] && set -x
|
||||
case $2 in
|
||||
*.*.*.*-*.*.*.*)
|
||||
ip_range $2
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
call)
|
||||
[ -n "$debugging" ] && set -x
|
||||
#
|
||||
# Undocumented way to call functions in /usr/share/shorewall/functions directly
|
||||
#
|
||||
shift;
|
||||
$@
|
||||
;;
|
||||
help)
|
||||
shift
|
||||
[ $# -ne 1 ] && usage 1
|
||||
help $@
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
|
||||
esac
|
560
STABLE2/shorewall.conf
Normal file
560
STABLE2/shorewall.conf
Normal file
@ -0,0 +1,560 @@
|
||||
##############################################################################
|
||||
# /etc/shorewall/shorewall.conf V2.0 - Change the following variables to
|
||||
# match your setup
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# This file should be placed in /etc/shorewall
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
##############################################################################
|
||||
# L O G G I N G
|
||||
##############################################################################
|
||||
#
|
||||
# General note about log levels. Log levels are a method of describing
|
||||
# to syslog (8) the importance of a message and a number of parameters
|
||||
# in this file have log levels as their value.
|
||||
#
|
||||
# Valid levels are:
|
||||
#
|
||||
# 7 debug
|
||||
# 6 info
|
||||
# 5 notice
|
||||
# 4 warning
|
||||
# 3 err
|
||||
# 2 crit
|
||||
# 1 alert
|
||||
# 0 emerg
|
||||
#
|
||||
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
|
||||
# log messages are generated by NetFilter and are logged using facility
|
||||
# 'kern' and the level that you specifify. If you are unsure of the level
|
||||
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
|
||||
# number.
|
||||
#
|
||||
# If you have built your kernel with ULOG target support, you may also
|
||||
# specify a log level of ULOG (must be all caps). Rather than log its
|
||||
# messages to syslogd, Shorewall will direct netfilter to log the messages
|
||||
# via the ULOG target which will send them to a process called 'ulogd'.
|
||||
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
|
||||
# configured to log all Shorewall message to their own log file
|
||||
################################################################################
|
||||
#
|
||||
# LOG FILE LOCATION
|
||||
#
|
||||
# This variable tells the /sbin/shorewall program where to look for Shorewall
|
||||
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
|
||||
# /var/log/messages is assumed.
|
||||
#
|
||||
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
|
||||
# look for Shorewall messages.It does NOT control the destination for
|
||||
# these messages. For information about how to do that, see
|
||||
#
|
||||
# http://www.shorewall.net/shorewall_logging.html
|
||||
|
||||
LOGFILE=/var/log/messages
|
||||
|
||||
#
|
||||
# LOG FORMAT
|
||||
#
|
||||
# Shell 'printf' Formatting template for the --log-prefix value in log messages
|
||||
# generated by Shorewall to identify Shorewall log messages. The supplied
|
||||
# template is expected to accept either two or three arguments; the first is
|
||||
# the chain name, the second (optional) is the logging rule number within that
|
||||
# chain and the third is the ACTION specifying the disposition of the packet
|
||||
# being logged. You must use the %d formatting type for the rule number; if your
|
||||
# template does not contain %d then the rule number will not be included.
|
||||
#
|
||||
# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
|
||||
#
|
||||
# LOGFORMAT="fp=%s:%d a=%s "
|
||||
#
|
||||
# If not specified or specified as empty (LOGFORMAT="") then the value
|
||||
# "Shorewall:%s:%s:" is assumed.
|
||||
#
|
||||
# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
|
||||
# to but not including the first '%') to find log messages in the 'show log',
|
||||
# 'status' and 'hits' commands. This part should not be omitted (the
|
||||
# LOGFORMAT should not begin with "%") and the leading part should be
|
||||
# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
|
||||
|
||||
LOGFORMAT="Shorewall:%s:%s:"
|
||||
|
||||
#
|
||||
# LOG RATE LIMITING
|
||||
#
|
||||
# The next two variables can be used to control the amount of log output
|
||||
# generated. LOGRATE is expressed as a number followed by an optional
|
||||
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
|
||||
# rate at which a particular message will occur. LOGBURST determines the
|
||||
# maximum initial burst size that will be logged. If set empty, the default
|
||||
# value of 5 will be used.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# LOGRATE=10/minute
|
||||
# LOGBURST=5
|
||||
#
|
||||
# If BOTH variables are set empty then logging will not be rate-limited.
|
||||
#
|
||||
|
||||
LOGRATE=
|
||||
LOGBURST=
|
||||
|
||||
#
|
||||
# BLACKLIST LOG LEVEL
|
||||
#
|
||||
# Set this variable to the syslogd level that you want blacklist packets logged
|
||||
# (beware of DOS attacks resulting from such logging). If not set, no logging
|
||||
# of blacklist packets occurs.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
#
|
||||
# LOGGING 'New not SYN' rejects
|
||||
#
|
||||
# This variable only has an effect when NEWNOTSYN=No (see below).
|
||||
#
|
||||
# When a TCP packet that does not have the SYN flag set and the ACK and RST
|
||||
# flags clear then unless the packet is part of an established connection,
|
||||
# it will be rejected by the firewall. If you want these rejects logged,
|
||||
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
# Example: LOGNEWNOTSYN=debug
|
||||
|
||||
|
||||
LOGNEWNOTSYN=info
|
||||
|
||||
#
|
||||
# MAC List Log Level
|
||||
#
|
||||
# Specifies the logging level for connection requests that fail MAC
|
||||
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
|
||||
# such connection requests will not be logged.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
|
||||
MACLIST_LOG_LEVEL=info
|
||||
|
||||
#
|
||||
# TCP FLAGS Log Level
|
||||
#
|
||||
# Specifies the logging level for packets that fail TCP Flags
|
||||
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
|
||||
# such packets will not be logged.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
|
||||
TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
#
|
||||
# RFC1918 Log Level
|
||||
#
|
||||
# Specifies the logging level for packets that fail RFC 1918
|
||||
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
|
||||
# RFC1918_LOG_LEVEL=info is assumed.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
|
||||
RFC1918_LOG_LEVEL=info
|
||||
|
||||
#
|
||||
# SMURF Log Level
|
||||
#
|
||||
# Specifies the logging level for smurf packets dropped by the
|
||||
#'nosmurfs' interface option in /etc/shorewall/interfaces. If set to the empty
|
||||
# value ( SMURF_LOG_LEVEL="" ) then dropped smurfs are not logged.
|
||||
|
||||
SMURF_LOG_LEVEL=info
|
||||
|
||||
################################################################################
|
||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||
################################################################################
|
||||
#
|
||||
# PATH - Change this if you want to change the order in which Shorewall
|
||||
# searches directories for executable files.
|
||||
#
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
#
|
||||
# SHELL
|
||||
#
|
||||
# The firewall script is normally interpreted by /bin/sh. If you wish to change
|
||||
# the shell used to interpret that script, specify the shell here.
|
||||
|
||||
SHOREWALL_SHELL=/bin/sh
|
||||
|
||||
# SUBSYSTEM LOCK FILE
|
||||
#
|
||||
# Set this to the name of the lock file expected by your init scripts. For
|
||||
# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
|
||||
# use lock files, set this to "".
|
||||
#
|
||||
|
||||
SUBSYSLOCK=/var/lock/subsys/shorewall
|
||||
|
||||
#
|
||||
# SHOREWALL TEMPORARY STATE DIRECTORY
|
||||
#
|
||||
# This is the directory where the firewall maintains state information while
|
||||
# it is running
|
||||
#
|
||||
|
||||
STATEDIR=/var/lib/shorewall
|
||||
|
||||
#
|
||||
# KERNEL MODULE DIRECTORY
|
||||
#
|
||||
# If your netfilter kernel modules are in a directory other than
|
||||
# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
|
||||
# directory in this variable. Example: MODULESDIR=/etc/modules.
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
################################################################################
|
||||
# F I R E W A L L O P T I O N S
|
||||
################################################################################
|
||||
|
||||
# NAME OF THE FIREWALL ZONE
|
||||
#
|
||||
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
|
||||
# is assumed.
|
||||
#
|
||||
FW=fw
|
||||
|
||||
#
|
||||
# ENABLE IP FORWARDING
|
||||
#
|
||||
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
|
||||
# say "Off" or "off", packet forwarding will be disabled. You would only want
|
||||
# to disable packet forwarding if you are installing Shorewall on a
|
||||
# standalone system or if you want all traffic through the Shorewall system
|
||||
# to be handled by proxies.
|
||||
#
|
||||
# If you set this variable to "Keep" or "keep", Shorewall will neither
|
||||
# enable nor disable packet forwarding.
|
||||
#
|
||||
IP_FORWARDING=On
|
||||
|
||||
#
|
||||
# AUTOMATICALLY ADD NAT IP ADDRESSES
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
|
||||
# for each NAT external address that you give in /etc/shorewall/nat. If you say
|
||||
# "No" or "no", you must add these aliases youself.
|
||||
#
|
||||
ADD_IP_ALIASES=Yes
|
||||
|
||||
#
|
||||
# AUTOMATICALLY ADD SNAT IP ADDRESSES
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
|
||||
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
|
||||
# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
|
||||
# you are sure that you need it -- most people don't!!!
|
||||
#
|
||||
ADD_SNAT_ALIASES=No
|
||||
|
||||
#
|
||||
# ENABLE TRAFFIC SHAPING
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
|
||||
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
|
||||
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
|
||||
# you must enable packet mangling above.
|
||||
#
|
||||
TC_ENABLED=No
|
||||
|
||||
#
|
||||
# Clear Traffic Shapping/Control
|
||||
#
|
||||
# If this option is set to 'No' then Shorewall won't clear the current
|
||||
# traffic control rules during [re]start. This setting is intended
|
||||
# for use by people that prefer to configure traffic shaping when
|
||||
# the network interfaces come up rather than when the firewall
|
||||
# is started. If that is what you want to do, set TC_ENABLED=Yes and
|
||||
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
|
||||
# way, your traffic shaping rules can still use the 'fwmark'
|
||||
# classifier based on packet marking defined in /etc/shorewall/tcrules.
|
||||
#
|
||||
# If omitted, CLEAR_TC=Yes is assumed.
|
||||
|
||||
CLEAR_TC=Yes
|
||||
|
||||
#
|
||||
# Mark Packets in the forward chain
|
||||
#
|
||||
# When processing the tcrules file, Shorewall normally marks packets in the
|
||||
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
|
||||
# this to "Yes". If not specified or if set to the empty value (e.g.,
|
||||
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
|
||||
#
|
||||
# Marking packets in the FORWARD chain has the advantage that inbound
|
||||
# packets destined for Masqueraded/SNATed local hosts have had their destination
|
||||
# address rewritten so they can be marked based on their destination. When
|
||||
# packets are marked in the PREROUTING chain, packets destined for
|
||||
# Masqueraded/SNATed local hosts still have a destination address corresponding
|
||||
# to the firewall's external interface.
|
||||
#
|
||||
# Note: Older kernels do not support marking packets in the FORWARD chain and
|
||||
# setting this variable to Yes may cause startup problems.
|
||||
|
||||
MARK_IN_FORWARD_CHAIN=No
|
||||
|
||||
#
|
||||
# MSS CLAMPING
|
||||
#
|
||||
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
|
||||
# option. This option is most commonly required when your internet
|
||||
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
|
||||
# have CONFIG_IP_NF_TARGET_TCPMSS set.
|
||||
#
|
||||
# [From the kernel help:
|
||||
#
|
||||
# This option adds a `TCPMSS' target, which allows you to alter the
|
||||
# MSS value of TCP SYN packets, to control the maximum size for that
|
||||
# connection (usually limiting it to your outgoing interface's MTU
|
||||
# minus 40).
|
||||
#
|
||||
# This is used to overcome criminally braindead ISPs or servers which
|
||||
# block ICMP Fragmentation Needed packets. The symptoms of this
|
||||
# problem are that everything works fine from your Linux
|
||||
# firewall/router, but machines behind it can never exchange large
|
||||
# packets:
|
||||
# 1) Web browsers connect, then hang with no data received.
|
||||
# 2) Small mail works fine, but large emails hang.
|
||||
# 3) ssh works fine, but scp hangs after initial handshaking.
|
||||
# ]
|
||||
#
|
||||
# If left blank, or set to "No" or "no", the option is not enabled.
|
||||
#
|
||||
CLAMPMSS=No
|
||||
|
||||
#
|
||||
# ROUTE FILTERING
|
||||
#
|
||||
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
|
||||
# interfaces started while Shorewall is started (anti-spoofing measure).
|
||||
#
|
||||
# If this variable is not set or is set to the empty value, "No" is assumed.
|
||||
# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
|
||||
# on individual interfaces using the 'routefilter' option in the
|
||||
# /etc/shorewall/interfaces file.
|
||||
|
||||
ROUTE_FILTER=No
|
||||
|
||||
# DNAT IP ADDRESS DETECTION
|
||||
#
|
||||
# Normally when Shorewall encounters the following rule:
|
||||
#
|
||||
# DNAT net loc:192.168.1.3 tcp 80
|
||||
#
|
||||
# it will forward TCP port 80 connections from the net to 192.168.1.3
|
||||
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
|
||||
# convenient for two reasons:
|
||||
#
|
||||
# a) If the the network interface has a dynamic IP address, the
|
||||
# firewall configuration will work even when the address
|
||||
# changes.
|
||||
#
|
||||
# b) It saves having to configure the IP address in the rule
|
||||
# while still allowing the firewall to be started before the
|
||||
# internet interface is brought up.
|
||||
#
|
||||
# This default behavior can also have a negative effect. If the
|
||||
# internet interface has more than one IP address then the above
|
||||
# rule will forward connection requests on all of these addresses;
|
||||
# that may not be what is desired.
|
||||
#
|
||||
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
|
||||
# only if the original destination address is the primary IP address of
|
||||
# one of the interfaces associated with the source zone. Note that this
|
||||
# requires all interfaces to the source zone to be up when the firewall
|
||||
# is [re]started.
|
||||
|
||||
DETECT_DNAT_IPADDRS=No
|
||||
|
||||
#
|
||||
# MUTEX TIMEOUT
|
||||
#
|
||||
# The value of this variable determines the number of seconds that programs
|
||||
# will wait for exclusive access to the Shorewall lock file. After the number
|
||||
# of seconds corresponding to the value of this variable, programs will assume
|
||||
# that the last program to hold the lock died without releasing the lock.
|
||||
#
|
||||
# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
|
||||
#
|
||||
# An appropriate value for this parameter would be twice the length of time
|
||||
# that it takes your firewall system to process a "shorewall restart" command.
|
||||
|
||||
MUTEX_TIMEOUT=60
|
||||
|
||||
#
|
||||
# NEWNOTSYN
|
||||
#
|
||||
# TCP connections are established using the familiar three-way "handshake":
|
||||
#
|
||||
# CLIENT SERVER
|
||||
#
|
||||
# SYN-------------------->
|
||||
# <------------------SYN,ACK
|
||||
# ACK-------------------->
|
||||
#
|
||||
# The first packet in that exchange (packet with the SYN flag on and the ACK
|
||||
# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
|
||||
# A packet is said to be NEW if it is not part of or related to an already
|
||||
# established connection.
|
||||
#
|
||||
# The NETNOTSYN option determines the handling of non-SYN packets (those with
|
||||
# SYN off or with ACK or RST on) that are not associated with an already
|
||||
# established connection.
|
||||
#
|
||||
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
|
||||
# part of an already established connection, it will be dropped by the
|
||||
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
|
||||
# logged before they are dropped.
|
||||
#
|
||||
# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
|
||||
# dropped but will pass through the normal rule/policy processing.
|
||||
#
|
||||
# Users with a High-availability setup with two firewall's and one acting
|
||||
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
|
||||
# also need to select NEWNOTSYN=Yes.
|
||||
#
|
||||
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
|
||||
# using the 'newnotsyn' option in /etc/shorewall/interfaces.
|
||||
#
|
||||
# I find that NEWNOTSYN=No tends to result in lots of "stuck"
|
||||
# connections because any network timeout during TCP session tear down
|
||||
# results in retries being dropped (Netfilter has removed the
|
||||
# connection from the conntrack table but the end-points haven't
|
||||
# completed shutting down the connection). I therefore have chosen
|
||||
# NEWNOTSYN=Yes as the default value.
|
||||
|
||||
NEWNOTSYN=Yes
|
||||
|
||||
#
|
||||
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
|
||||
#
|
||||
# Normally, when a "shorewall stop" command is issued or an error occurs during
|
||||
# the execution of another shorewall command, Shorewall puts the firewall into
|
||||
# a state where only traffic to/from the hosts listed in
|
||||
# /etc/shorewall/routestopped is accepted.
|
||||
#
|
||||
# When performing remote administration on a Shorewall firewall, it is
|
||||
# therefore recommended that the IP address of the computer being used for
|
||||
# administration be added to the firewall's /etc/shorewall/routestopped file.
|
||||
#
|
||||
# Some administrators have a hard time remembering to do this with the result
|
||||
# that they get to drive across town in the middle of the night to restart
|
||||
# a remote firewall (or worse, they have to get someone out of bed to drive
|
||||
# across town to restart a very remote firewall).
|
||||
#
|
||||
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
|
||||
# when the firewall enters the 'stopped' state:
|
||||
#
|
||||
# All traffic that is part of or related to established connections is still
|
||||
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
|
||||
# to and from hosts listed in /etc/shorewall/routestopped.
|
||||
#
|
||||
# If this variable is not set or it is set to the null value then
|
||||
# ADMINISABSENTMINDED=No is assumed.
|
||||
#
|
||||
ADMINISABSENTMINDED=Yes
|
||||
|
||||
#
|
||||
# BLACKLIST Behavior
|
||||
#
|
||||
# Shorewall offers two types of blacklisting:
|
||||
#
|
||||
# - static blacklisting through the /etc/shorewall/blacklist file together
|
||||
# with the 'blacklist' interface option.
|
||||
# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
|
||||
#
|
||||
# The following variable determines whether the blacklist is checked for each
|
||||
# packet or for each new connection.
|
||||
#
|
||||
# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection
|
||||
# requests
|
||||
#
|
||||
# BLACKLISTNEWONLY=No Consult blacklists for all packets.
|
||||
#
|
||||
# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
|
||||
# BLACKLISTNEWONLY=No is assumed.
|
||||
#
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
||||
# MODULE NAME SUFFIX
|
||||
#
|
||||
# When loading a module named in /etc/shorewall/modules, Shorewall normally
|
||||
# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
|
||||
# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different
|
||||
# naming convention then you can specify the suffix (extension) for module
|
||||
# names in this variable.
|
||||
#
|
||||
# To see what suffix is used by your distribution:
|
||||
#
|
||||
# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
|
||||
#
|
||||
# All of the file names listed should have the same suffix (extension). Set
|
||||
# MODULE_SUFFIX to that suffix.
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
|
||||
# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
|
||||
#
|
||||
|
||||
MODULE_SUFFIX=
|
||||
|
||||
#
|
||||
# DISABLE IPV6
|
||||
#
|
||||
# Distributions (notably SuSE) are beginning to ship with IPV6
|
||||
# enabled. If you are not using IPV6, you are at risk of being
|
||||
# exploited by users who do. Setting DISABLE_IPV6=Yes will cause
|
||||
# Shorewall to disable IPV6 traffic to/from and through your
|
||||
# firewall system. This requires that you have ip6tables installed.
|
||||
|
||||
DISABLE_IPV6=Yes
|
||||
################################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
################################################################################
|
||||
#
|
||||
# BLACKLIST DISPOSITION
|
||||
#
|
||||
# Set this variable to the action that you want to perform on packets from
|
||||
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
|
||||
# DROP is assumed.
|
||||
#
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
#
|
||||
# MAC List Disposition
|
||||
#
|
||||
# This variable determines the disposition of connection requests arriving
|
||||
# on interfaces that have the 'maclist' option and that are from a device
|
||||
# that is not listed for that interface in /etc/shorewall/maclist. Valid
|
||||
# values are ACCEPT, DROP and REJECT. If not specified or specified as
|
||||
# empty (MACLIST_DISPOSITION="") then REJECT is assumed
|
||||
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
|
||||
#
|
||||
# TCP FLAGS Disposition
|
||||
#
|
||||
# This variable determins the disposition of packets having an invalid
|
||||
# combination of TCP flags that are received on interfaces having the
|
||||
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
|
||||
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
|
||||
|
||||
TCP_FLAGS_DISPOSITION=DROP
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
447
STABLE2/shorewall.spec
Normal file
447
STABLE2/shorewall.spec
Normal file
@ -0,0 +1,447 @@
|
||||
%define name shorewall
|
||||
%define version 2.0.0
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
Version: %{version}
|
||||
Release: %{release}
|
||||
Prefix: %{prefix}
|
||||
License: GPL
|
||||
Packager: Tom Eastep <teastep@shorewall.net>
|
||||
Group: Networking/Utilities
|
||||
Source: %{name}-%{version}.tgz
|
||||
URL: http://www.shorewall.net/
|
||||
BuildArch: noarch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-root
|
||||
Requires: iptables iproute
|
||||
|
||||
%description
|
||||
|
||||
The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
|
||||
(iptables) based firewall that can be used on a dedicated firewall system,
|
||||
a multi-function gateway/ router/server or on a standalone GNU/Linux system.
|
||||
|
||||
%prep
|
||||
|
||||
%setup
|
||||
|
||||
%build
|
||||
|
||||
%install
|
||||
export PREFIX=$RPM_BUILD_ROOT ; \
|
||||
export OWNER=`id -n -u` ; \
|
||||
export GROUP=`id -n -g` ;\
|
||||
./install.sh
|
||||
|
||||
%clean
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%post
|
||||
|
||||
if [ $1 -eq 1 ]; then
|
||||
echo \
|
||||
"########################################################################
|
||||
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
|
||||
########################################################################" \
|
||||
> /etc/shorewall/startup_disabled
|
||||
|
||||
if [ -x /sbin/insserv ]; then
|
||||
/sbin/insserv /etc/rc.d/shorewall
|
||||
elif [ -x /sbin/chkconfig ]; then
|
||||
/sbin/chkconfig --add shorewall;
|
||||
fi
|
||||
fi
|
||||
|
||||
%preun
|
||||
|
||||
if [ $1 = 0 ]; then
|
||||
if [ -x /sbin/insserv ]; then
|
||||
/sbin/insserv -r /etc/init.d/shorewall
|
||||
elif [ -x /sbin/chkconfig ]; then
|
||||
/sbin/chkconfig --del shorewall
|
||||
fi
|
||||
|
||||
rm -f /etc/shorewall/startup_disabled
|
||||
|
||||
fi
|
||||
|
||||
%files
|
||||
/etc/init.d/shorewall
|
||||
%attr(0700,root,root) %dir /etc/shorewall
|
||||
%attr(0700,root,root) %dir /usr/share/shorewall
|
||||
%attr(0700,root,root) %dir /var/lib/shorewall
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/params
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/maclist
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/masq
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/modules
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tos
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/init
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/start
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
|
||||
|
||||
%attr(0544,root,root) /sbin/shorewall
|
||||
|
||||
%attr(0600,root,root) /usr/share/shorewall/version
|
||||
%attr(0600,root,root) /usr/share/shorewall/actions.std
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowAuth
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowDNS
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowFTP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowNTP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowPCA
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowPing
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowPOP3
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowRdate
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowSMB
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowSMTP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowSNMP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowSSH
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowTelnet
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowTrcrt
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowVNC
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowVNCL
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowWeb
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.Drop
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.DropDNSrep
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.DropPing
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.DropSMB
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.DropUPnP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.Reject
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.RejectAuth
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.RejectSMB
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.template
|
||||
%attr(0444,root,root) /usr/share/shorewall/functions
|
||||
%attr(0544,root,root) /usr/share/shorewall/firewall
|
||||
%attr(0544,root,root) /usr/share/shorewall/help
|
||||
%attr(0600,root,root) /usr/share/shorewall/rfc1918
|
||||
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Sat Mar 13 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Update for 2.0.0 Final
|
||||
* Sat Mar 06 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Update for RC2
|
||||
* Fri Feb 27 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Update for RC1
|
||||
* Mon Feb 16 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Moved rfc1918 to /usr/share/shorewall
|
||||
- Update for Beta 3
|
||||
* Sat Feb 14 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Removed common.def
|
||||
- Unconditionally replace actions.std
|
||||
- Update for Beta 2
|
||||
* Thu Feb 12 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Added action.AllowPCA
|
||||
* Sun Feb 08 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Updates for Shorewall 2.0.0.
|
||||
* Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Remove Documentation from this RPM
|
||||
* Sun Dec 28 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Updated for Beta 2
|
||||
* Sun Dec 07 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Added User Defined Actions Files
|
||||
* Wed Dec 03 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Added User Defined Actions Files
|
||||
* Fri Nov 07 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.8
|
||||
* Sat Nov 01 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.8-0RC2
|
||||
* Thu Oct 30 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.8-0RC1
|
||||
* Sat Oct 04 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.7-1
|
||||
- Removed conflict with 2.2 Kernels
|
||||
* Mon Sep 22 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.7-0RC2
|
||||
* Thu Sep 18 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.7-0RC1
|
||||
* Mon Sep 15 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.7-0Beta2
|
||||
* Mon Aug 25 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.7-0Beta1
|
||||
* Sat Aug 23 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Added /etc/shorewall/users
|
||||
- Changed version to 1.4.6_20030823-1
|
||||
* Thu Aug 21 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6_20030821-1
|
||||
- Added /etc/shorewall/usersets
|
||||
* Wed Aug 13 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6_20030813-1
|
||||
* Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Added /etc/shorewall/accounting
|
||||
* Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6_20030809-1
|
||||
* Thu Jul 31 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6_20030731-1
|
||||
* Sun Jul 27 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Added /usr/share/shorewall/help
|
||||
- Changed version to 1.4.6_20030727-1
|
||||
* Sat Jul 26 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6_20030726-1
|
||||
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6-1
|
||||
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6-0RC1
|
||||
* Mon Jul 07 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6-0Beta2
|
||||
* Fri Jul 04 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6-0Beta1
|
||||
* Tue Jun 17 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.5-1
|
||||
* Thu May 29 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.4b-1
|
||||
* Tue May 27 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.4a-1
|
||||
* Thu May 22 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.4-1
|
||||
* Mon May 19 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.3a-1
|
||||
* Sun May 18 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.3-1
|
||||
* Mon Apr 07 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.2-1
|
||||
* Fri Mar 21 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.1-1
|
||||
* Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.0-1
|
||||
* Fri Mar 07 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.0-0RC2
|
||||
* Wed Mar 05 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.0-0RC1
|
||||
* Mon Feb 24 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.0-0Beta2
|
||||
* Sun Feb 23 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Add ecn file
|
||||
* Fri Feb 21 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.4.0-0Beta1
|
||||
* Thu Feb 06 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.4.0Alpha1
|
||||
- Delete icmp.def
|
||||
- Move firewall and version to /usr/share/shorewall
|
||||
* Tue Feb 04 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.14-0RC1
|
||||
* Tue Jan 28 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.14-0Beta2
|
||||
* Sat Jan 25 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.14-0Beta1
|
||||
* Mon Jan 13 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.13
|
||||
* Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.12
|
||||
* Sun Dec 22 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.12-0Beta3
|
||||
* Fri Dec 20 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.12-0Beta2
|
||||
* Wed Dec 18 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.12-0Beta1
|
||||
- Add init, start, stop and stopped files.
|
||||
* Tue Dec 03 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.11a
|
||||
* Sun Nov 24 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.11
|
||||
* Sat Nov 09 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.10
|
||||
* Wed Oct 23 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.10b1
|
||||
* Tue Oct 22 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Added maclist file
|
||||
* Tue Oct 15 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.10
|
||||
- Replaced symlink with real file
|
||||
* Wed Oct 09 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.9b
|
||||
* Mon Sep 30 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.9a
|
||||
* Thu Sep 18 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.8
|
||||
* Mon Sep 16 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.8
|
||||
* Mon Sep 02 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.7c
|
||||
* Mon Aug 26 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.7b
|
||||
* Thu Aug 22 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.7a
|
||||
* Thu Aug 22 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.7
|
||||
* Sun Aug 04 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.6
|
||||
* Mon Jul 29 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.5b
|
||||
* Sat Jul 13 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.4
|
||||
* Wed Jul 10 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Added 'routestopped' configuration file.
|
||||
* Fri Jul 05 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.3
|
||||
* Sat Jun 15 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version and release for new convention
|
||||
- Moved version,firewall and functions to /var/lib/shorewall
|
||||
* Sun Jun 02 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.2
|
||||
* Fri May 31 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.1
|
||||
- Added the rfc1918 file
|
||||
* Wed May 29 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.0
|
||||
* Mon May 20 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Removed whitelist file
|
||||
* Sat May 18 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed version to 91
|
||||
* Wed May 8 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed version to 90
|
||||
- removed 'provides' tag.
|
||||
* Tue Apr 23 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed version to 13
|
||||
- Added whitelist file.
|
||||
* Thu Apr 18 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed version to 12
|
||||
* Tue Apr 16 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Merged Stefan's changes to create single RPM
|
||||
* Mon Apr 15 2002 Stefan Mohr <stefan@familie-mohr.com>
|
||||
- changed to SuSE Linux 7.3
|
||||
* Wed Apr 10 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 11
|
||||
* Tue Mar 19 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 10
|
||||
* Sat Mar 09 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 9
|
||||
* Sat Feb 23 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 8
|
||||
* Thu Feb 21 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 7
|
||||
* Tue Feb 05 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 6
|
||||
* Wed Jan 30 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 5
|
||||
* Sat Jan 26 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 4
|
||||
- Merged Ajay's change to allow build by non-root
|
||||
* Sun Jan 12 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 3
|
||||
* Tue Jan 01 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 2
|
||||
- Updated URL
|
||||
- Added blacklist file
|
||||
* Mon Dec 31 2001 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 1
|
||||
* Wed Dec 19 2001 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 0
|
||||
* Tue Dec 18 2001 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to Rc1
|
||||
* Sat Dec 15 2001 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to Beta2
|
||||
* Thu Nov 08 2001 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 1.2
|
||||
- added tcrules file
|
||||
* Sun Oct 21 2001 Tom Eastep <tom@shorewall.net>
|
||||
- changed release to 17
|
||||
* Sun Oct 21 2001 Tom Eastep <tom@shorewall.net>
|
||||
- changed release to 16
|
||||
* Sun Oct 14 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- changed release to 15
|
||||
* Thu Oct 11 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- changed release to 14
|
||||
* Tue Sep 11 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- changed release to 13
|
||||
- added params file
|
||||
* Tue Aug 28 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 12
|
||||
* Fri Jul 27 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 11
|
||||
* Sun Jul 08 2001 Ajay Ramaswamy <ajayr@bigfoot.com>
|
||||
- reorganized spec file
|
||||
- s/Copyright/License/
|
||||
- now will build fron rpm -tb
|
||||
* Fri Jul 06 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 10
|
||||
* Tue Jun 19 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 9
|
||||
- Added tunnel file
|
||||
- Readded tunnels file
|
||||
* Mon Jun 18 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 8
|
||||
* Sat Jun 02 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 7
|
||||
- Changed iptables dependency.
|
||||
* Tue May 22 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 6
|
||||
- Added tunnels file
|
||||
* Sat May 19 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 5
|
||||
- Added modules and tos files
|
||||
* Sat May 12 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 4
|
||||
- Added changelog.txt and releasenotes.txt
|
||||
* Sat Apr 28 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 3
|
||||
* Mon Apr 9 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Added files common.def and icmpdef.def
|
||||
- Changed release to 2
|
||||
* Wed Apr 4 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed the release to 1.
|
||||
* Mon Mar 26 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Changed the version to 1.1
|
||||
- Added hosts file
|
||||
* Sun Mar 18 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Changed the release to 4
|
||||
- Added Zones and Functions files
|
||||
* Mon Mar 12 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Change ipchains dependency to an iptables dependency and
|
||||
changed the release to 3
|
||||
* Fri Mar 9 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Add additional files.
|
||||
* Thu Mar 8 2001 Tom EAstep <teastep@seattlefirewall.dyndns.org>
|
||||
- Change version to 1.0.2
|
||||
* Tue Mar 6 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Change version to 1.0.1
|
||||
* Sun Mar 4 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Changes for Shorewall
|
||||
* Thu Feb 22 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Change version to 4.1.0
|
||||
* Fri Feb 2 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Change version to 4.0.4
|
||||
* Mon Jan 22 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Change version to 4.0.2
|
||||
* Sat Jan 20 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Changed version to 4.0
|
||||
* Fri Jan 5 2001 Tom Eastep <teastep@evergo.net>
|
||||
- Added dmzclients file
|
||||
* Sun Dec 24 2000 Tom Eastep <teastep@evergo.net>
|
||||
- Added ftpserver file
|
||||
* Sat Aug 12 2000 Tom Eastep <teastep@evergo.net>
|
||||
- Added "nat" and "proxyarp" files for 4.0
|
||||
* Mon May 20 2000 Tom Eastep <teastep@evergo.net>
|
||||
- added updown file
|
||||
* Sat May 20 2000 Simon Piette <spiette@generation.net>
|
||||
- Corrected the group - Networking/Utilities
|
||||
- Added "noreplace" attributes to config files, so current confis is not
|
||||
changed.
|
||||
- Added the version file.
|
||||
* Sat May 20 2000 Tom Eastep <teastep@evergo.net>
|
||||
- Converted Simon's patch to version 3.1
|
||||
* Sat May 20 2000 Simon Piette <spiette@generation.net>
|
||||
- 3.0.2 Initial RPM
|
||||
Patched the install script so it can take a PREFIX variable
|
||||
|
||||
|
6
STABLE2/start
Normal file
6
STABLE2/start
Normal file
@ -0,0 +1,6 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/start
|
||||
#
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# been started or restarted.
|
||||
#
|
6
STABLE2/stop
Normal file
6
STABLE2/stop
Normal file
@ -0,0 +1,6 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/stop
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of a
|
||||
# "shorewall stop" command.
|
||||
#
|
6
STABLE2/stopped
Normal file
6
STABLE2/stopped
Normal file
@ -0,0 +1,6 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/stopped
|
||||
#
|
||||
# Add commands below that you want to be executed at the completion of a
|
||||
# "shorewall stop" command.
|
||||
#
|
78
STABLE2/tcrules
Normal file
78
STABLE2/tcrules
Normal file
@ -0,0 +1,78 @@
|
||||
#
|
||||
# Shorewall version 2.0 - Traffic Control Rules File
|
||||
#
|
||||
# /etc/shorewall/tcrules
|
||||
#
|
||||
# Entries in this file cause packets to be marked as a means of
|
||||
# classifying them for traffic control or policy routing.
|
||||
#
|
||||
# I M P O R T A N T ! ! ! !
|
||||
#
|
||||
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
|
||||
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
#
|
||||
# MARK The mark value which is an
|
||||
# integer in the range 1-255
|
||||
#
|
||||
# May optionally be followed by ":P" or ":F"
|
||||
# where ":P" indicates that marking should occur in
|
||||
# the PREROUTING chain and ":F" indicates that marking
|
||||
# should occur in the FORWARD chain. If neither
|
||||
# ":P" nor ":F" follow the mark value then the chain is
|
||||
# determined by the setting of MARK_IN_FORWARD_CHAIN in
|
||||
# /etc/shorewall/shorewall.conf.
|
||||
#
|
||||
# SOURCE Source of the packet. A comma-separated list of
|
||||
# interface names, IP addresses, MAC addresses
|
||||
# and/or subnets. Use $FW if the packet originates on
|
||||
# the firewall in which case the MARK column may NOT
|
||||
# specify either ":P" or ":F" (marking always occurs
|
||||
# in the OUTPUT chain).
|
||||
#
|
||||
# MAC addresses must be prefixed with "~" and use
|
||||
# "-" as a separator.
|
||||
#
|
||||
# Example: ~00-A0-C9-15-39-78
|
||||
#
|
||||
# DEST Destination of the packet. Comma separated list of
|
||||
# IP addresses and/or subnets.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
|
||||
# or "all".
|
||||
#
|
||||
# PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
# entered if any of the following field is supplied.
|
||||
# In that case, it is suggested that this field contain
|
||||
# "-"
|
||||
#
|
||||
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
|
||||
# any source port is acceptable. Specified as a comma-
|
||||
# separated list of port names, port numbers or port
|
||||
# ranges.
|
||||
#
|
||||
# USER This column may only be non-empty if the SOURCE is
|
||||
# the firewall itself.
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
# the effective user and/or group.
|
||||
#
|
||||
# It may contain :
|
||||
#
|
||||
# [<user name or number>]:[<group name or number>]
|
||||
#
|
||||
# The colon is optionnal when specifying only a user.
|
||||
# Examples : john: / john / :users / john:users
|
||||
#
|
||||
##############################################################################
|
||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
|
||||
# PORT(S)
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
52
STABLE2/tos
Normal file
52
STABLE2/tos
Normal file
@ -0,0 +1,52 @@
|
||||
#
|
||||
# Shorewall 2.0 -- /etc/shorewall/tos
|
||||
#
|
||||
# This file defines rules for setting Type Of Service (TOS)
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# SOURCE Name of a zone declared in /etc/shorewall/zones, "all"
|
||||
# or $FW.
|
||||
#
|
||||
# If not "all" or $FW, may optionally be followed by
|
||||
# ":" and an IP address, a MAC address, a subnet
|
||||
# specification or the name of an interface.
|
||||
#
|
||||
# Example: loc:192.168.2.3
|
||||
#
|
||||
# MAC addresses must be prefixed with "~" and use
|
||||
# "-" as a separator.
|
||||
#
|
||||
# Example: ~00-A0-C9-15-39-78
|
||||
#
|
||||
# DEST Name of a zone declared in /etc/shorewall/zones, "all"
|
||||
# or $FW.
|
||||
#
|
||||
# If not "all" or $FW, may optionally be followed by
|
||||
# ":" and an IP address or a subnet specification
|
||||
#
|
||||
# Example: loc:192.168.2.3
|
||||
#
|
||||
# PROTOCOL Protocol.
|
||||
#
|
||||
# SOURCE PORTS Source port or port range. If all ports, use "-".
|
||||
#
|
||||
# DEST PORTS Destination port or port range. If all ports, use "-"
|
||||
#
|
||||
# TOS Type of service. Must be one of the following:
|
||||
#
|
||||
# Minimize-Delay (16)
|
||||
# Maximize-Throughput (8)
|
||||
# Maximize-Reliability (4)
|
||||
# Minimize-Cost (2)
|
||||
# Normal-Service (0)
|
||||
#
|
||||
##############################################################################
|
||||
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
|
||||
all all tcp - ssh 16
|
||||
all all tcp ssh - 16
|
||||
all all tcp - ftp 16
|
||||
all all tcp ftp - 16
|
||||
all all tcp ftp-data - 8
|
||||
all all tcp - ftp-data 8
|
||||
#LAST LINE -- Add your entries above -- DO NOT REMOVE
|
159
STABLE2/tunnel
Executable file
159
STABLE2/tunnel
Executable file
@ -0,0 +1,159 @@
|
||||
#!/bin/sh
|
||||
|
||||
RCDLINKS="2,S45 3,S45 6,K45"
|
||||
################################################################################
|
||||
# Script to create a gre or ipip tunnel -- Shorewall 2.0
|
||||
#
|
||||
# Modified - Steve Cowles 5/9/2000
|
||||
# Incorporated init {start|stop} syntax and iproute2 usage
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Modify the following variables to match your configuration
|
||||
#
|
||||
# chkconfig: 2345 26 89
|
||||
# description: GRE/IP Tunnel
|
||||
#
|
||||
################################################################################
|
||||
|
||||
#
|
||||
# Type of tunnel (gre or ipip)
|
||||
#
|
||||
|
||||
tunnel_type=gre
|
||||
|
||||
# Name of the tunnel
|
||||
#
|
||||
|
||||
tunnel="dfwbos"
|
||||
#
|
||||
# Address of your External Interface (only required for gre tunnels)
|
||||
#
|
||||
myrealip="x.x.x.x"
|
||||
|
||||
# Address of the local system -- this is the address of one of your
|
||||
# local interfaces (or for a mobile host, the address that this system has
|
||||
# when attached to the local network).
|
||||
#
|
||||
|
||||
myip="192.168.1.254"
|
||||
|
||||
# Address of the Remote system -- this is the address of one of the
|
||||
# remote system's local interfaces (or if the remote system is a mobile host,
|
||||
# the address that it uses when attached to the local network).
|
||||
|
||||
hisip="192.168.9.1"
|
||||
|
||||
# Internet address of the Remote system
|
||||
#
|
||||
|
||||
gateway="x.x.x.x"
|
||||
|
||||
# Remote sub-network -- if the remote system is a gateway for a
|
||||
# private subnetwork that you wish to
|
||||
# access, enter it here. If the remote
|
||||
# system is a stand-alone/mobile host, leave this
|
||||
# empty
|
||||
|
||||
subnet="192.168.9.0/24"
|
||||
|
||||
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
|
||||
|
||||
load_modules () {
|
||||
case $tunnel_type in
|
||||
ipip)
|
||||
echo "Loading IP-ENCAP Module"
|
||||
modprobe ipip
|
||||
;;
|
||||
gre)
|
||||
echo "Loading GRE Module"
|
||||
modprobe ip_gre
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
do_stop() {
|
||||
|
||||
if [ -n "`ip link show $tunnel 2>/dev/null`" ]; then
|
||||
echo "Stopping $tunnel"
|
||||
ip link set dev $tunnel down
|
||||
fi
|
||||
|
||||
if [ -n "`ip addr show $tunnel 2>/dev/null`" ]; then
|
||||
echo "Deleting $tunnel"
|
||||
ip tunnel del $tunnel
|
||||
fi
|
||||
}
|
||||
|
||||
do_start() {
|
||||
|
||||
#NOTE: Comment out the next line if you have built gre/ipip into your kernel
|
||||
|
||||
load_modules
|
||||
|
||||
if [ -n "`ip link show $tunnel 2>/dev/null`" ]; then
|
||||
do_stop
|
||||
fi
|
||||
|
||||
echo "Adding $tunnel"
|
||||
|
||||
case $tunnel_type in
|
||||
gre)
|
||||
ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255
|
||||
;;
|
||||
*)
|
||||
ip tunnel add $tunnel mode ipip remote $gateway
|
||||
;;
|
||||
esac
|
||||
|
||||
echo "Starting $tunnel"
|
||||
|
||||
|
||||
ip link set dev $tunnel up
|
||||
|
||||
case $tunnel_type in
|
||||
gre)
|
||||
ip addr add $myip dev $tunnel
|
||||
;;
|
||||
*)
|
||||
ip addr add $myip peer $hisip dev $tunnel
|
||||
;;
|
||||
esac
|
||||
|
||||
#
|
||||
# As with all interfaces, the 2.4 kernels will add the obvious host
|
||||
# route for this point-to-point interface
|
||||
#
|
||||
|
||||
if [ -n "$subnet" ]; then
|
||||
echo "Adding Routes"
|
||||
case $tunnel_type in
|
||||
gre)
|
||||
ip route add $subnet dev $tunnel
|
||||
;;
|
||||
ipip)
|
||||
ip route add $subnet via $gateway dev $tunnel onlink
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
do_start
|
||||
;;
|
||||
stop)
|
||||
do_stop
|
||||
;;
|
||||
restart)
|
||||
do_stop
|
||||
sleep 1
|
||||
do_start
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|restart}"
|
||||
exit 1
|
||||
esac
|
||||
exit 0
|
110
STABLE2/tunnels
Normal file
110
STABLE2/tunnels
Normal file
@ -0,0 +1,110 @@
|
||||
#
|
||||
# Shorewall 2.0 - /etc/shorewall/tunnels
|
||||
#
|
||||
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
|
||||
#
|
||||
# IPIP, GRE and OPENVPN tunnels must be configured on the
|
||||
# firewall/gateway itself. IPSEC endpoints may be defined
|
||||
# on the firewall/gateway or on an internal system.
|
||||
#
|
||||
# The columns are:
|
||||
#
|
||||
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
|
||||
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
|
||||
# "generic"
|
||||
#
|
||||
# If the type is "ipsec" or "ipsecnat", it may be followed
|
||||
# by ":noah" to indicate that the Authentication Header
|
||||
# protocol (51) is not used by the tunnel.
|
||||
#
|
||||
# If type is "openvpn", it may optionally be followed
|
||||
# by ":" and the port number used by the tunnel. if no
|
||||
# ":" and port number are included, then the default port
|
||||
# of 5000 will be used
|
||||
#
|
||||
# If type is "generic", it must be followed by ":" and
|
||||
# a protocol name (from /etc/protocols) or a protocol
|
||||
# number. If the protocol is "tcp" or "udp" (6 or 17),
|
||||
# then it may optionally be followed by ":" and a
|
||||
# port number.
|
||||
#
|
||||
# ZONE -- The zone of the physical interface through which
|
||||
# tunnel traffic passes. This is normally your internet
|
||||
# zone.
|
||||
#
|
||||
# GATEWAY -- The IP address of the remote tunnel gateway. If the
|
||||
# remote getway has no fixed address (Road Warrior)
|
||||
# then specify the gateway as 0.0.0.0/0.
|
||||
#
|
||||
# GATEWAY
|
||||
# ZONES -- Optional. If the gateway system specified in the third
|
||||
# column is a standalone host then this column should
|
||||
# contain a comma-separated list of the names of the
|
||||
# zones that the host might be in. This column only
|
||||
# applies to IPSEC and generic tunnels.
|
||||
#
|
||||
# Example 1:
|
||||
#
|
||||
# IPSec tunnel. The remote gateway is 4.33.99.124 and
|
||||
# the remote subnet is 192.168.9.0/24. The tunnel does
|
||||
# not use the AH protocol
|
||||
#
|
||||
# ipsec:noah net 4.33.99.124
|
||||
#
|
||||
# Example 2:
|
||||
#
|
||||
# Road Warrior (LapTop that may connect from anywhere)
|
||||
# where the "gw" zone is used to represent the remote
|
||||
# LapTop.
|
||||
#
|
||||
# ipsec net 0.0.0.0/0 gw
|
||||
#
|
||||
# Example 3:
|
||||
#
|
||||
# Host 4.33.99.124 is a standalone system connected
|
||||
# via an ipsec tunnel to the firewall system. The host
|
||||
# is in zone gw.
|
||||
#
|
||||
# ipsec net 4.33.99.124 gw
|
||||
#
|
||||
# Example 4:
|
||||
#
|
||||
# Road Warriors that may belong to zones vpn1, vpn2 or
|
||||
# vpn3. The FreeS/Wan _updown script will add the
|
||||
# host to the appropriate zone using the "shorewall add"
|
||||
# command on connect and will remove the host from the
|
||||
# zone at disconnect time.
|
||||
#
|
||||
# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3
|
||||
#
|
||||
# Example 5:
|
||||
#
|
||||
# You run the Linux PPTP client on your firewall and
|
||||
# connect to server 192.0.2.221.
|
||||
#
|
||||
# pptpclient net 192.0.2.221
|
||||
#
|
||||
# Example 6:
|
||||
#
|
||||
# You run a PPTP server on your firewall.
|
||||
#
|
||||
# pptpserver net
|
||||
#
|
||||
# Example 7:
|
||||
#
|
||||
# OPENVPN tunnel. The remote gateway is 4.33.99.124 and
|
||||
# openvpn uses port 7777.
|
||||
#
|
||||
# openvpn:7777 net 4.33.99.124
|
||||
#
|
||||
# Example 8:
|
||||
#
|
||||
# You have a tunnel that is not one of the supported types.
|
||||
# Your tunnel uses UDP port 4444. The other end of the
|
||||
# tunnel is 4.3.99.124.
|
||||
#
|
||||
# generic:udp:4444 net 4.3.99.124
|
||||
#
|
||||
# TYPE ZONE GATEWAY GATEWAY
|
||||
# ZONE
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
109
STABLE2/uninstall.sh
Executable file
109
STABLE2/uninstall.sh
Executable file
@ -0,0 +1,109 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Script to back uninstall Shoreline Firewall
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
# Usage:
|
||||
#
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=2.0.0
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
ME=$(basename $0)
|
||||
echo "usage: $ME"
|
||||
exit $1
|
||||
}
|
||||
|
||||
qt()
|
||||
{
|
||||
"$@" >/dev/null 2>&1
|
||||
}
|
||||
|
||||
restore_file() # $1 = file to restore
|
||||
{
|
||||
if [ -f ${1}-shorewall.bkout ]; then
|
||||
if (mv -f ${1}-shorewall.bkout $1); then
|
||||
echo
|
||||
echo "$1 restored"
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
remove_file() # $1 = file to restore
|
||||
{
|
||||
if [ -f $1 -o -L $1 ] ; then
|
||||
rm -f $1
|
||||
echo "$1 Removed"
|
||||
fi
|
||||
}
|
||||
|
||||
if [ -f /usr/share/shorewall/version ]; then
|
||||
INSTALLED_VERSION="$(cat /usr/share/shorewall/version)"
|
||||
if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
|
||||
echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
|
||||
echo " and this is the $VERSION uninstaller."
|
||||
VERSION="$INSTALLED_VERSION"
|
||||
fi
|
||||
else
|
||||
echo "WARNING: Shorewall Version $VERSION is not installed"
|
||||
VERSION=""
|
||||
fi
|
||||
|
||||
echo "Uninstalling shorewall $VERSION"
|
||||
|
||||
if qt iptables -L shorewall -n; then
|
||||
/sbin/shorewall clear
|
||||
fi
|
||||
|
||||
if [ -L /usr/share/shorewall/init ]; then
|
||||
FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
|
||||
else
|
||||
FIREWALL=/etc/init.d/shorewall
|
||||
fi
|
||||
|
||||
if [ -n "$FIREWALL" ]; then
|
||||
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
insserv -r $FIREWALL
|
||||
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
|
||||
chkconfig --del $(basename $FIREWALL)
|
||||
else
|
||||
rm -f /etc/rc*.d/*$(basename $FIREWALL)
|
||||
fi
|
||||
|
||||
remove_file $FIREWALL
|
||||
rm -f ${FIREWALL}-*.bkout
|
||||
fi
|
||||
|
||||
rm -f /sbin/shorewall
|
||||
rm -f /sbin/shorewall-*.bkout
|
||||
|
||||
rm -rf /etc/shorewall
|
||||
rm -rf /var/lib/shorewall
|
||||
rm -rf /usr/share/shorewall
|
||||
|
||||
echo "Shorewall Uninstalled"
|
||||
|
||||
|
19
STABLE2/zones
Normal file
19
STABLE2/zones
Normal file
@ -0,0 +1,19 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/zones
|
||||
#
|
||||
# This file determines your network zones. Columns are:
|
||||
#
|
||||
# ZONE Short name of the zone (5 Characters or less in length).
|
||||
# DISPLAY Display name of the zone
|
||||
# COMMENTS Comments about the zone
|
||||
#
|
||||
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
|
||||
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
|
||||
#
|
||||
# See http://www.shorewall.net/Documentation.htm#Nested
|
||||
#
|
||||
#ZONE DISPLAY COMMENTS
|
||||
net Net Internet
|
||||
loc Local Local networks
|
||||
dmz DMZ Demilitarized zone
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
Loading…
Reference in New Issue
Block a user