diff --git a/STABLE/accounting b/STABLE/accounting new file mode 100644 index 000000000..29a912813 --- /dev/null +++ b/STABLE/accounting 
@@ -0,0 +1,73 @@ +# +# Shorewall version 1.4 - Accounting File +# +# /etc/shorewall/accounting +# +# Accounting rules exist simply to count packets and bytes in categories +# that you define in this file. You may display these rules and their +# packet and byte counters using the "shorewall show accounting" command. +# +# Please see http://shorewall.net/Accounting.html for examples and +# additional information about how to use this file. +# +# +# Columns are: +# +# ACTION - What to do when a match is found. +# +# COUNT - Simply count the match and continue +# with the next rule +# DONE - Count the match and don't attempt +# to match any other accounting rules +# in the chain specified in the CHAIN +# column. +# [:COUNT] +# - Where is the name of +# a chain. Shorewall will create +# the chain automatically if it +# doesn't already exist. Causes +# a jump to that chain. If :COUNT +# is including, a counting rule +# matching this record will be +# added to +# +# CHAIN - The name of a chain. If specified as "-" the +# 'accounting' chain is assumed. This is the chain +# where the accounting rule is added. The chain will +# be created if it doesn't already exist. +# +# SOURCE - Packet Source +# +# The name of an interface, an address (host or net) or +# an interface name followed by ":" +# and a host or net address. +# +# DESTINATION - Packet Destination +# +# Format the same as the SOURCE column. +# +# PROTOCOL A protocol name (from /etc/protocols), a protocol +# number. +# +# DEST PORT Destination Port number +# +# Service name from /etc/services or port number. May +# only be specified if the protocol is TCP or UDP (6 +# or 17). +# +# SOURCE PORT Source Port number +# +# Service name from /etc/services or port number. May +# only be specified if the protocol is TCP or UDP (6 +# or 17). 
+# +# In all of the above columns except ACTION and CHAIN, the values "-", +# "any" and "all" may be used as wildcards +# +# Please see http://shorewall.net/Accounting.html for examples and +# additional information about how to use this file. +# +#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE +# PORT PORT +# +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/STABLE/action.template b/STABLE/action.template new file mode 100644 index 000000000..b54419b65 --- /dev/null +++ b/STABLE/action.template 
@@ -0,0 +1,131 @@ +# +# Shorewall 1.4 /etc/shorewall/action.template +# +# This file is a template for files with names of the form +# /etc/shorewall/action. where is an +# ACTION defined in /etc/shorewall/actions. +# +# To define a new action: +# +# 1. Add the to /etc/shorewall/actions +# 2. Copy this file to /etc/shorewall/action. +# 3. Add the desired rules to that file. +# +# Columns are: +# +# +# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a +# previously-defined +# +# ACCEPT -- allow the connection request +# DROP -- ignore the request +# REJECT -- disallow the request and return an +# icmp-unreachable or an RST packet. +# LOG -- Simply log the packet and continue. +# QUEUE -- Queue the packet to a user-space +# application such as p2pwall. +# -- An defined in +# /etc/shorewall/actions. The +# must appear in that file BEFORE the +# one being defined in this file. +# +# The TARGET may optionally be followed +# by ":" and a syslog log level (e.g, REJECT:info or +# ACCEPT:debugging). This causes the packet to be +# logged at the specified level. +# +# You may also specify ULOG (must be in upper case) as a +# log level.This will log to the ULOG target for routing +# to a separate log through use of ulogd +# (http://www.gnumonks.org/projects/ulogd). +# +# SOURCE Source hosts to which the rule applies. +# A comma-separated list of subnets +# and/or hosts. Hosts may be specified by IP or MAC +# address; mac addresses must begin with "~" and must use +# "-" as a separator. +# +# 192.168.2.2 Host 192.168.2.2 +# +# 155.186.235.0/24 Subnet 155.186.235.0/24 +# +# 192.168.1.1,192.168.1.2 +# Hosts 192.168.1.1 and +# 192.168.1.2. +# ~00-A0-C9-15-39-78 Host with +# MAC address 00:A0:C9:15:39:78. +# +# Alternatively, clients may be specified by interface +# name. For example, eth1 specifies a +# client that communicates with the firewall system +# through eth1. 
This may be optionally followed by +# another colon (":") and an IP/MAC/subnet address +# as described above (e.g., eth1:192.168.1.5). +# +# DEST Location of Server. Same as above with the exception that +# MAC addresses are not allowed. +# +# Unlike in the SOURCE column, you may specify a range of +# up to 256 IP addresses using the syntax +# -. +# +# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or +# "all". +# +# DEST PORT(S) Destination Ports. A comma-separated list of Port +# names (from /etc/services), port numbers or port +# ranges; if the protocol is "icmp", this column is +# interpreted as the destination icmp-type(s). +# +# A port range is expressed as :. +# +# This column is ignored if PROTOCOL = all but must be +# entered if any of the following ields are supplied. +# In that case, it is suggested that this field contain +# "-" +# +# If your kernel contains multi-port match support, then +# only a single Netfilter rule will be generated if in +# this list and the CLIENT PORT(S) list below: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. +# +# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, +# any source port is acceptable. Specified as a comma- +# separated list of port names, port numbers or port +# ranges. +# +# If you don't want to restrict client ports but need to +# specify an ADDRESS in the next column, then place "-" +# in this column. +# +# If your kernel contains multi-port match support, then +# only a single Netfilter rule will be generated if in +# this list and the DEST PORT(S) list above: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. 
+# +# RATE LIMIT You may rate-limit the rule by placing a value in +# this column: +# +# /[:] +# +# where is the number of connections per +# ("sec" or "min") and is the +# largest burst permitted. If no is given, +# a value of 5 is assumed. There may be no +# no whitespace embedded in the specification. +# +# Example: 10/sec:20 +# +# If you place a rate limit in this column, you may not +# place a similar limit in the TARGET column. +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE +# PORT PORT(S) DEST LIMIT +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/STABLE/actions b/STABLE/actions new file mode 100644 index 000000000..d48927a96 --- /dev/null +++ b/STABLE/actions @@ -0,0 +1,16 @@ +# +# Shorewall 1.4 /etc/shorewall/actions +# +# This file allows you to define new ACTIONS for use in rules +# (/etc/shorewall/rules). You define the iptables rules to +# be performed in an ACTION in +# /etc/shorewall/action.. +# +# ACTION names should begin with an upper-case letter to +# distinguish them from Shorewall-generated chain names and +# they must need the requirements of a Netfilter chain +# name. +# +#ACTION + +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt index 2ec1d03fc..0e06751d8 100644 --- a/STABLE/changelog.txt +++ b/STABLE/changelog.txt 
@@ -1,40 +1,23 @@ -Changes since 1.4.7 +Changes since 1.4.8 -1) Applied patch from Tuomo Soini that fixes syntax error occuring with - some versions of 'ash'. +1) Replace "Static NAT" with "One-to-one NAT". -2) Applied Andrew Zhoglo's patch that avoids using multiport match for - ICMP. +2) Change SMB common rules to DROP. -3) Added support for QUEUE target. +3) Change wording in release notes. -4) Fix error handling after "Unable to determine the routes..." +4) Move ip_forward handling to a function. -5) Fix handling of LOGUNCLEAN +5) Change 'norfc1918' logging to log out of chains named 'rfc1918'. -6) Added BLACKLISTNEWONLY support. +6) Reword the description of NEWNOTSYN in shorewall.conf. -7) Correct optimization for 'complex' zones. +7) Added MODULE_SUFFIX option to shorewall.conf. -8) Fix tcrules processing. +8) Add /etc/shorewall/actions and /etc/shorewall/action.template -9) Liberalize chain names used in the accounting file. +9) Fix SNAT handling in DNAT rules. -10) Fix the fix for 'complex' zones (twice). +10) Change default to NEWNOTSYN=Yes -11) Remove incorrect comment from shorewall.conf regarding Debian - lockfiles. - -12) Change "_exists" suffix (including _nat_exists) to an "exists_" - prefix to allow chain names beginning with a digit without - lengthening the variable name. - -13) Applied and improved Eric Bowles's fix for route filtering. - -14) Corrected handling of /32 addresses with broadcast in maclist - processing. - -15) Generate error for NONE policy where source or destination zone is - the firewall itself. - -16) Fix 'routeback' for wildcard interfaces. \ No newline at end of file +11) Add rule to drop null source addressed ICMPs. diff --git a/STABLE/common.def b/STABLE/common.def index 5e1ce0657..ea3abeb35 100644 --- a/STABLE/common.def +++ b/STABLE/common.def 
@@ -16,12 +16,12 @@ run_iptables -A common -p icmp -j icmpdef
 ############################################################################
 # NETBIOS chatter
 #
-run_iptables -A common -p udp --dport 135 -j reject
-run_iptables -A common -p udp --dport 137:139 -j reject
-run_iptables -A common -p udp --dport 445 -j reject
-run_iptables -A common -p tcp --dport 139 -j reject
-run_iptables -A common -p tcp --dport 445 -j reject
-run_iptables -A common -p tcp --dport 135 -j reject
+run_iptables -A common -p udp --dport 135 -j DROP
+run_iptables -A common -p udp --dport 137:139 -j DROP
+run_iptables -A common -p udp --dport 445 -j DROP
+run_iptables -A common -p tcp --dport 139 -j DROP
+run_iptables -A common -p tcp --dport 445 -j DROP
+run_iptables -A common -p tcp --dport 135 -j DROP
 ############################################################################
 # UPnP
 #
@@ -37,7 +37,13 @@ run_iptables -A common -d 224.0.0.0/4 -j DROP
 run_iptables -A common -p tcp --dport 113 -j reject
 ############################################################################
 # DNS -- Silenty drop late replies
+#
 run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
+############################################################################
+# ICMP -- Silently drop null-address ICMPs
+#
+run_iptables -A common -p icmp -s 0.0.0.0 -j DROP
+run_iptables -A common -p icmp -d 0.0.0.0 -j DROP
diff --git a/STABLE/fallback.sh b/STABLE/fallback.sh
index 7c7612ab6..7b41b29b5 100755
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
-VERSION=1.4.8
+VERSION=1.4.9
 usage() # $1 = exit status
 {
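Review bot: The two new null-address rules are appended at the end of `common`, but the first hunk's header context shows `run_iptables -A common -p icmp -j icmpdef` near the top of the same chain, so an ICMP packet only reaches `-s 0.0.0.0 -j DROP` / `-d 0.0.0.0 -j DROP` if `icmpdef` returns rather than accepts it; `icmpdef` is not in this diff, so whether 0.0.0.0-sourced ICMP is actually dropped cannot be confirmed from the hunk. If the intent is an unconditional drop, place `run_iptables -A common -p icmp -s 0.0.0.0 -j DROP` and `run_iptables -A common -p icmp -d 0.0.0.0 -j DROP` immediately before the `icmpdef` jump instead. Note that a bare address in `-s`/`-d` is an exact /32 match, so only the single address 0.0.0.0 is covered, which agrees with the changelog's "null source addressed" wording. The `common` chain's earlier rules start outside the hunk.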
@@ -79,6 +79,8 @@ restore_file /sbin/shorewall
 restore_file /etc/shorewall/shorewall.conf
 restore_file /etc/shorewall/functions
+restore_file /usr/share/shorewall/functions
+restore_file /usr/share/shorewall/firewall
 restore_file /usr/lib/shorewall/functions
 restore_file /var/lib/shorewall/functions
 restore_file /usr/lib/shorewall/firewall
@@ -140,7 +142,14 @@ restore_file /etc/shorewall/usersets
 restore_file /etc/shorewall/users
-if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
+restore_file /etc/shorewall/actions
+
+restore_file /etc/shorewall/action.template
+
+if [ -f /usr/share/shorewall/version-${VERSION}.bkout ]; then
+ restore_file /usr/share/shorewall/version
+ oldversion="`cat /usr/share/shorewall/version`"
+elif [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
 restore_file /usr/lib/shorewall/version
 oldversion="`cat /usr/lib/shorewall/version`"
 elif [ -f /var/lib/shorewall/version-${VERSION}.bkout ]; then
diff --git a/STABLE/firewall b/STABLE/firewall
index 684c7ec6b..f74af7606 100755
--- a/STABLE/firewall
+++ b/STABLE/firewall
@@ -1027,6 +1027,22 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
 log_rule_limit $level $chain $disposition "$LOGLIMIT" $@
 }
+#
+# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
+#
+setup_forwarding() {
+ case "$IP_FORWARDING" in
+ [Oo][Nn])
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+ echo "IP Forwarding Enabled"
+ ;;
+ [Oo][Ff][Ff])
+ echo 0 > /proc/sys/net/ipv4/ip_forward
+ echo "IP Forwarding Disabled!"
+ ;;
+ esac
+}
+
 #
 # Stop the Firewall
 #
@@ -1118,14 +1134,7 @@ stop_firewall() {
 iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
 done
- case "$IP_FORWARDING" in
- [Oo][Nn])
- echo 1 > /proc/sys/net/ipv4/ip_forward
- ;;
- [Oo][Ff][Ff])
- echo 0 > /proc/sys/net/ipv4/ip_forward
- ;;
- esac
+ setup_forwarding
 run_user_exit stopped
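Review bot: `setup_forwarding` echoes "IP Forwarding Enabled" / "IP Forwarding Disabled!" to stdout, and the following hunk calls it from `stop_firewall`, whose removed inline `case` wrote to /proc without printing anything, so `shorewall stop` now produces output it did not have before; the messages previously appeared only in the start path (the `add_common_rules` case replaced in a later hunk). If that is unintended, keep the echo lines at the `add_common_rules` call site rather than in the shared function. Neither arm checks the redirection, so a failed write (e.g. not running as root, or a read-only /proc) is silent; `echo 1 > /proc/sys/net/ipv4/ip_forward || echo "Unable to set ip_forward" >&2` would surface it. `stop_firewall`'s body starts and ends outside the hunk.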
@@ -2063,6 +2072,10 @@ check_config() {
 validate_policy
+ echo "Validating Actions..."
+
+ process_actions
+
 echo "Validating rules file..."
 rules=`find_file rules`
@@ -2113,6 +2126,349 @@ refresh_tc() { } +# +# Add one Filter Rule from an action -- Helper function for the action file processor +# +# The caller has established the following variables: +# check = current command. If 'check', we're executing a 'check' +# which only goes through the motions. +# client = SOURCE IP or MAC +# server = DESTINATION IP or interface +# protocol = Protocol +# address = Original Destination Address +# port = Destination Port +# cport = Source Port +# multioption = String to invoke multiport match if appropriate +# action = The chain for this rule +# ratelimit = Optional rate limiting clause +# +add_an_action() +{ + do_ports() { + if [ -n "$port" ]; then + dports="--dport" + if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then + multiport="$multioption" + dports="--dports" + fi + dports="$dports $port" + fi + + if [ -n "$cport" ]; then + sports="--sport" + if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then + multiport="$multioption" + sports="--sports" + fi + sports="$sports $cport" + fi + } + + # Set source variables. The 'cli' variable will hold the client match predicate(s). + + cli= + + case "$client" in + -) + ;; + *:*) + cli="-i ${client%:*} -s ${client#*:}" + ;; + *.*.*) + cli="-s $client" + ;; + ~*) + cli=`mac_match $client` + ;; + *) + [ -n "$client" ] && cli="-i $client" + ;; + esac + + # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s). 
+ + dest_interface= + serv= + + case "$server" in + -) + ;; + *.*.*) + serv=$server + ;; + ~*) + fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" + ;; + *) + [ -n "$server" ] && dest_interface="-o $server" + ;; + esac + + # Setup protocol and port variables + + sports= + dports= + state="-m state --state NEW" + proto=$protocol + servport=$serverport + multiport= + + [ x$port = x- ] && port= + [ x$cport = x- ] && cport= + + case $proto in + tcp|TCP|6) + do_ports + [ "$target" = QUEUE ] && proto="$proto --syn" + ;; + udp|UDP|17) + do_ports + ;; + icmp|ICMP|1) + [ -n "$port" ] && dports="--icmp-type $port" + state= + ;; + all|ALL) + [ -n "$port" ] && \ + fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\"" + proto= + ;; + *) + state= + [ -n "$port" ] && \ + fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" + ;; + esac + + proto="${proto:+-p $proto}" + + # Some misc. setup + + case "$logtarget" in + LOG) + [ -z "$loglevel" ] && fatal_error "LOG requires log level" + ;; + esac + + if [ $command != check ]; then + if [ -n "${serv}" ]; then + for serv1 in `separate_list $serv`; do + for srv in `ip_range $serv1`; do + if [ -n "$loglevel" ]; then + log_rule_limit $loglevel $action $logtarget "$ratelimit" \ + `fix_bang $proto $sports $multiport $state $cli -d $srv $dports` + fi + + run_iptables2 -A $action $proto $multiport $state $cli $sports \ + -d $srv $dports $ratelimit -j $target + done + done + else + if [ -n "$loglevel" ]; then + log_rule_limit $loglevel $action $logtarget "$ratelimit" \ + `fix_bang $proto $sports $multiport $state $cli $dports` + fi + + run_iptables2 -A $action $proto $multiport $state $cli $sports \ + $dports $ratelimit -j $target + fi + fi +} + +# +# Process a record from an action file for the 'start', 'restart' or 'check' commands +# +process_action() # $1 = action + # $1 = target + # $2 = clients + # $3 = servers + # $4 = protocol + # $5 = ports + # $6 = cports + 
# $7 = ratelimit +{ + local action="$1" + local target="$2" + local clients="$3" + local servers="$4" + local protocol="$5" + local ports="$6" + local cports="$7" + local ratelimit="$8" + local rule="`echo $target $clients $servers $protocol $ports $cports $ratelimit`" + + if [ -n "$ratelimit" ]; then + case $ratelimit in + -) + ratelimit= + ;; + *:*) + ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" + ;; + *) + ratelimit="-m limit --limit $ratelimit" + ;; + esac + fi + + # Isolate log level + + if [ "$target" = "${target%:*}" ]; then + loglevel= + else + loglevel="${target#*:}" + target="${target%:*}" + expandv loglevel + fi + + logtarget="$target" + + case $target in + ACCEPT|LOG) + ;; + REJECT) + target=reject + ;; + *) + ;; + esac + + # Generate Netfilter rule(s) + + protocol=${protocol:=all} + + if [ -n "$MULTIPORT" ] && \ + ! list_search $protocol "icmp" "ICMP" "1" && \ + [ "$ports" = "${ports%:*}" -a \ + "$cports" = "${cports%:*}" -a \ + `list_count $ports` -le 15 -a \ + `list_count $cports` -le 15 ] + then + # + # MULTIPORT is enabled, there are no port ranges in the rule and less than + # 16 ports are listed - use multiport match. + # + multioption="-m multiport" + for client in `separate_list ${clients:=-}`; do + for server in `separate_list ${servers:=-}`; do + # + # add_a_rule() modifies these so we must set their values each time + # + port=${ports:=-} + cport=${cports:=-} + add_an_action + done + done + else + # + # MULTIPORT is disabled or the rule isn't compatible with multiport match + # + multioption= + for client in `separate_list ${clients:=-}`; do + for server in `separate_list ${servers:=-}`; do + for port in `separate_list ${ports:=-}`; do + for cport in `separate_list ${cports:=-}`; do + add_an_action + done + done + done + done + fi + # + # Report Result + # + if [ $command = check ]; then + echo " Rule \"$rule\" checked." + else + echo " Rule \"$rule\" added." 
+ fi +} + +# +# Read /etc/shorewall/actions and for each defined , process +# /etc/shorewall/action. +# + +process_actions() { + # + # Process a rule where the source or destination is "all" + # + process_wildcard_rule() { + local yclients yservers ysourcezone ydestzone ypolicy + + for yclients in $xclients; do + for yservers in $xservers; do + ysourcezone=${yclients%%:*} + ydestzone=${yservers%%:*} + if [ "${ysourcezone}" != "${ydestzone}" ] ; then + eval ypolicy=\$${ysourcezone}2${ydestzone}_policy + if [ "$ypolicy" != NONE ] ; then + process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit + fi + fi + done + done + } + + do_it() { + expandv xclients xservers xprotocol xports xcports xratelimit + + if [ "x$xclients" = xall ]; then + xclients="$zones $FW" + if [ "x$xservers" = xall ]; then + xservers="$zones $FW" + fi + process_wildcard_rule + continue + fi + + if [ "x$xservers" = xall ]; then + xservers="$zones $FW" + process_wildcard_rule + continue + fi + + process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit + } + + strip_file actions + + while read xaction rest; do + [ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest" + [ "$command" = check ] || createchain $xaction No + + f=action.$xaction + fn=`find_file $f` + + if [ -f $fn ]; then + echo "Processing $fn..." + strip_file $f $fn + while read xtarget xclients xservers xprotocol xports xcports xratelimit ; do + expandv xtarget + temp="${xtarget%:*}" + case "${temp%<*}" in + ACCEPT|DROP|REJECT|LOG|QUEUE) + do_it + ;; + *) + if list_search $temp $ACTIONS; then + do_it + else + rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit`" + fatal_error "Invalid TARGET in rule \"$rule\"" + fi + ;; + + esac + done < $TMP_DIR/$f + else + fatal_error "Missing Action File: $f" + fi + + ACTIONS="$ACTIONS $xaction" + done < $TMP_DIR/actions +} + # # Add a NAT rule - Helper function for the rules file processor # 
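Review bot: `do_it` in `process_actions` uses `continue` to skip the rest of the caller's `while read ... done < $TMP_DIR/$f` loop, but `continue` executed inside a function that is called from a loop is not a portable construct — POSIX leaves it unspecified and shells differ on whether it reaches the caller's loop — and this script runs under plain sh (the changelog on this page records earlier 'ash' breakage). Because `do_it` is the last command in its `case` arm, `return` has the same effect portably: replace both `continue` lines in `do_it` with `return`. The same pattern is introduced in `process_rules` (hunk at -2878,41) and needs the same change there. Separately, `createchain $xaction No` runs before anything checks that `$xaction` is a valid chain name or does not collide with a builtin target; the `actions` file comment on this page says names must satisfy Netfilter chain-name requirements, but nothing here enforces it, so a bad name would surface only as an iptables error.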
@@ -2878,41 +3234,56 @@ process_rules()
 # Process a rule where the source or destination is "all"
 #
 process_wildcard_rule() {
+ local yclients yservers ysourcezone ydestzone ypolicy
+
 for yclients in $xclients; do
 for yservers in $xservers; do
- if [ "${yclients}" != "${yservers}" ] ; then
- process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
+ ysourcezone=${yclients%%:*}
+ ydestzone=${yservers%%:*}
+ if [ "${ysourcezone}" != "${ydestzone}" ] ; then
+ eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
+ if [ "$ypolicy" != NONE ] ; then
+ process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
+ fi
 fi
 done
 done
 }
+ do_it() {
+ expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset
+
+ if [ "x$xclients" = xall ]; then
+ xclients="$zones $FW"
+ if [ "x$xservers" = xall ]; then
+ xservers="$zones $FW"
+ fi
+ process_wildcard_rule
+ continue
+ fi
+
+ if [ "x$xservers" = xall ]; then
+ xservers="$zones $FW"
+ process_wildcard_rule
+ continue
+ fi
+
+ process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
+ }
+
 while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do
 temp="${xtarget%:*}"
 case "${temp%<*}" in
 ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
- expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset
-
- if [ "x$xclients" = xall ]; then
- xclients="$zones $FW"
- if [ "x$xservers" = xall ]; then
- xservers="$zones $FW"
- fi
- process_wildcard_rule
- continue
- fi
-
- if [ "x$xservers" = xall ]; then
- xservers="$zones $FW"
- process_wildcard_rule
- continue
- fi
-
- process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
+ do_it
 ;;
 *)
- rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset`"
- fatal_error "Invalid Action in 
rule \"$rule\""
+ if list_search $temp $ACTIONS; then
+ do_it
+ else
+ rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset`"
+ fatal_error "Invalid Action in rule \"$rule\""
+ fi
 ;;
 esac
@@ -3117,7 +3488,7 @@ loadmodule() # $1 = module name, $2 - * arguments
 if [ -z "`lsmod | grep $modulename`" ]; then
 shift
- for suffix in o gz ko o.gz ; do
+ for suffix in $MODULE_SUFFIX ; do
 modulefile=$MODULESDIR/${modulename}.${suffix}
 if [ -f $modulefile ]; then
@@ -4081,13 +4452,13 @@ add_common_rules() {
 strip_file rfc1918
- createchain rfc1918 no
+ createchain norfc1918 no
- createchain logdrop no
+ createchain rfc1918 no
- log_rule $RFC1918_LOG_LEVEL logdrop DROP
+ log_rule $RFC1918_LOG_LEVEL rfc1918 DROP
- run_iptables -A logdrop -j DROP
+ run_iptables -A rfc1918 -j DROP
 if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
 #
@@ -4099,27 +4470,30 @@ add_common_rules() {
 # Also add a chain to log and drop any RFC1918 packets that we find
 #
 run_iptables -t mangle -N man1918
- run_iptables -t mangle -N logdrop
- log_rule $RFC1918_LOG_LEVEL logdrop DROP -t mangle
- run_iptables -t mangle -A logdrop -j DROP
+ run_iptables -t mangle -N rfc1918
+ log_rule $RFC1918_LOG_LEVEL rfc1918 DROP -t mangle
+ run_iptables -t mangle -A rfc1918 -j DROP
 fi
 while read subnet target; do
 case $target in
- logdrop|DROP|RETURN)
+ logdrop)
+ target=rfc1918
+ ;;
+ DROP|RETURN)
 ;;
 *)
 fatal_error "Invalid target ($target) for $subnet"
 ;;
 esac
- run_iptables2 -A rfc1918 -s $subnet -j $target
+ run_iptables2 -A norfc1918 -s $subnet -j $target
 if [ -n "$CONNTRACK_MATCH" ]; then
 #
 # We have connection tracking match -- match on the original destination
 #
- run_iptables2 -A rfc1918 -m conntrack --ctorigdst $subnet -j $target
+ run_iptables2 -A norfc1918 -m conntrack --ctorigdst $subnet -j $target
 elif [ -n "$MANGLE_ENABLED" ]; then
 #
 # No connection tracking match but we have mangling -- add a rule to
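Review bot: Renaming the log-and-drop chain from `logdrop` to `rfc1918` (and the filter chain from `rfc1918` to `norfc1918`) changes the chain name handed to `log_rule $RFC1918_LOG_LEVEL rfc1918 DROP`; if `log_rule` embeds its `$2 = chain` argument in the log prefix, as its signature in the earlier hunk suggests, kernel log lines for RFC 1918 drops will switch from a `logdrop` prefix to an `rfc1918` one, which silently breaks any log parsing or alerting keyed on the old name. That deserves an explicit mention next to changelog entry 5 on this page, e.g. `Log messages for norfc1918 drops now name the chain 'rfc1918' rather than 'logdrop'`. The new `logdrop)` arm mapping `target=rfc1918` keeps existing /etc/shorewall/rfc1918 files working, so no configuration change is needed for that part. `add_common_rules`'s body continues outside the hunk.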
@@ -4131,7 +4505,7 @@ add_common_rules() {
 for interface in $norfc1918_interfaces; do
 for chain in `first_chains $interface`; do
- run_iptables -A $chain -m state --state NEW -j rfc1918
+ run_iptables -A $chain -m state --state NEW -j norfc1918
 done
 [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
@@ -4237,19 +4611,8 @@ add_common_rules() {
 [ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
 run_ip route flush cache
 fi
- #
- # IP Forwarding
- #
- case "$IP_FORWARDING" in
- [Oo][Nn])
- echo 1 > /proc/sys/net/ipv4/ip_forward
- echo "IP Forwarding Enabled"
- ;;
- [Oo][Ff][Ff])
- echo 0 > /proc/sys/net/ipv4/ip_forward
- echo "IP Forwarding Disabled!"
- ;;
- esac
+
+ setup_forwarding
 }
 #
@@ -4475,6 +4838,7 @@ activate_rules()
 run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
 run_iptables -D $chain -p udp --dport 53 -j ACCEPT
 done
+
 }
 #
@@ -4534,6 +4898,10 @@ define_firewall() # $1 = Command (Start or Restart)
 rules=`find_file rules`
+ echo "Processing Actions..."
+
+ process_actions
+
 echo "Processing $rules..."
 process_rules
@@ -5059,6 +5427,8 @@ do_initialize() {
 LOGRULENUMBERS=
 ADMINISABSENTMINDED=
 BLACKLISTNEWONLY=
+ MODULE_SUFFIX=
+ ACTIONS=
 stopping=
 have_mutex=
@@ -5209,6 +5579,8 @@ do_initialize() {
 fi
 ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED`
 BLACKLISTNEWONLY=`added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY`
+ [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz"
+
 #
 # Strip the files that we use often
 #
diff --git a/STABLE/help b/STABLE/help
new file mode 100644
index 000000000..f3a0c8927
--- /dev/null
+++ b/STABLE/help
@@ -0,0 +1,248 @@ +#!/bin/sh +# +# Shorewall help subsystem - V1.4 - 3/14/2003 +# +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 2003 - Tom Eastep (teastep@shorewall.net) +# Steve Herber (herber@thing.com) +# +# This file should be placed in /usr/share/shorewall/help +# +# Shorewall documentation is available at http://shorewall.sourceforge.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA +################################################################################## + +case $1 in + +add) + echo "add: add [:] + Adds a host or subnet to a dynamic zone usually used with VPN's. + + shorewall add interface[:host] zone - Adds the specified interface + (and host if included) to the specified zone. + + Example: + + shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 + from interface ipsec0 to the zone vpn1. + + See also \"help host\"" + ;; + +address|host) + echo "<$1>: + May be either a host IP address such as 192.168.1.4 or a network address in + CIDR format like 192.168.1.0/24" + ;; + +allow) + echo "allow: allow
... + Re-enables receipt of packets from hosts previously blacklisted + by a drop or reject command. + + Shorewall allow, drop, rejct and save implement dynamic blacklisting. + + See also \"help address\"" + ;; + +check) + echo "check: check [ -c ] + Performs a cursory validation of the zones, interfaces, hosts, + rules and policy files. Use this if you are unsure of any edits + you have made to the shorewall configuration. See the try command + examples for a recommended way to make changes." + ;; + +clear) + echo "clear: clear + Clear will remove all rules and chains installed by Shoreline. + The firewall is then wide open and unprotected. Existing + connections are untouched. Clear is often used to see if the + firewall is causing connection problems." + ;; + +debug) + echo "debug: debug + If you include the keyword debug as the first argument to any + of these commands: + + start|stop|restart|reset|clear|refresh|check|add|delete + + then a shell trace of the command is produced. For example: + + shorewall debug start 2> /tmp/trace + + The above command would trace the 'start' command and + place the trace information in the file /tmp/trace." + ;; + +delete) + echo "delete: delete [:] + Deletes a host or subnet from a dynamic zone usually used with VPN's. + + shorewall delete interface[:host] zone - Deletes the specified + interface (and host if included) from the specified zone. + + Example: + + shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address + 192.0.2.24 from interface ipsec0 from zone vpn1 + + See also \"help host\"" + ;; + +drop) + echo "$1: $1
... + Causes packets from the specified
to be ignored + + Shorewall allow, drop, rejct and save implement dynamic blacklisting. + + See also \"help address\"" + ;; + +help) + echo "help: help [ | host | address ] + Display helpful information about the shorewall commands." + ;; + +hits) + echo "hits: hits + Produces several reports about the Shorewall packet log messages + in the current /var/log/messages file." + ;; + +ipcalc) + echo "ipcalc: ipcalc [ address mask | address/vlsm ] + Ipcalc displays the network address, broadcast address, + network in CIDR notation and netmask corresponding to the input[s]." + ;; + +iprange) + echo "iprange: iprange address1-address2 + Iprange decomposes the specified range of IP addresses into the + equivalent list of network/host addresses." + ;; + +logwatch) + echo "logwatch: logwatch [] + Monitors the LOGFILE, $LOGFILE, + and produces an audible alarm when new Shorewall messages are logged." + ;; + +monitor) + echo "monitor: monitor [] + Continuously display the firewall status, last 20 log entries and nat. + When the log entry display changes, an audible alarm is sounded." + ;; + +refresh) + echo "refresh: refresh + The rules involving the broadcast addresses of firewall interfaces, + the black list, traffic control rules and ECN control rules are recreated + to reflect any changes made. Existing connections are untouched" + ;; + +reject) + echo "$1: $1
... + Causes packets from the specified
to be rejected + + Shorewall allow, drop, rejct and save implement dynamic blacklisting. + + See also \"help address\"" + ;; + +reset) + echo "reset: reset + All the packet and byte counters in the firewall are reset." + ;; + +restart) + echo "restart: restart [ -c ] + Restart is the same as a shorewall stop && shorewall start. + Existing connections are dropped." + ;; + +save) + echo "save: save + The dynamic data is stored in /var/lib/shorewall/save + Shorewall allow, drop, rejct and save implement dynamic blacklisting." + ;; + +show) + echo "show: show [ [ ...] |classifiers|connections|log|nat|tc|tos] + shorewall show [ ... ] - produce a verbose report about the IPtable chain(s). + (iptables -L chain -n -v) + + shorewall show nat - produce a verbose report about the nat table. + (iptables -t nat -L -n -v) + + shorewall show tos - produce a verbose report about the mangle table. + (iptables -t mangle -L -n -v) + + shorewall show log - display the last 20 packet log entries. + + shorewall show connections - displays the IP connections currently + being tracked by the firewall. + + shorewall show tc - displays information about the traffic + control/shaping configuration." + ;; + +start) + echo "start: start [ -c ] + Start shorewall. Existing connections through shorewall managed + interfaces are untouched. New connections will be allowed only + if they are allowed by the firewall rules or policies." + ;; + +stop) + echo "stop: stop + Stops the firewall. All existing connections, except those + listed in /etc/shorewall/routestopped, are taken down. + The only new traffic permitted through the firewall + is from systems listed in /etc/shorewall/routestopped." + ;; + +status) + echo "status: status + Produce a verbose report about the firewall. + + (iptables -L -n -v)" + ;; + +try) + echo "try: try [ ] + Restart shorewall using the specified configuration. 
If an error + occurs during the restart, then another shorewall restart is performed + using the default configuration. If a timeout is specified then + the restart is always performed after the timeout occurs and uses + the default configuration." + ;; + +version) + echo "version: version + Show the current shorewall version which is: $version" + ;; + +*) + echo "$1: $1 is not recognized by the help command" + ;; + +esac + +exit 0 # always ok + diff --git a/STABLE/install.sh b/STABLE/install.sh index 925546d38..8506989c7 100755 --- a/STABLE/install.sh +++ b/STABLE/install.sh @@ -54,7 +54,7 @@ # /etc/rc.d/rc.local file is modified to start the firewall. # -VERSION=1.4.8 +VERSION=1.4.9 usage() # $1 = exit status { @@ -586,6 +586,26 @@ else echo "Users file installed as ${PREFIX}/etc/shorewall/users" fi # +# Install the Actions file +# +if [ -f ${PREFIX}/etc/shorewall/actions ]; then + backup_file /etc/shorewall/actions +else + run_install -o $OWNER -g $GROUP -m 0600 actions ${PREFIX}/etc/shorewall/actions + echo + echo "Actions file installed as ${PREFIX}/etc/shorewall/actions" +fi +# +# Install the Action Template file +# +if [ -f ${PREFIX}/etc/shorewall/action.template ]; then + backup_file /etc/shorewall/action.template +else + run_install -o $OWNER -g $GROUP -m 0600 action.template ${PREFIX}/etc/shorewall/action.template + echo + echo "Action Template file installed as ${PREFIX}/etc/shorewall/action.template" +fi +# # Backup the version file # if [ -z "$PREFIX" ]; then diff --git a/STABLE/interfaces b/STABLE/interfaces index 7cc373f74..03d5a1df7 100644 --- a/STABLE/interfaces +++ b/STABLE/interfaces 
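Review bot: `help` expands `$version` (in the `version` arm) and `$LOGFILE` (in the `logwatch` arm) but sets neither, while its header, `#!/bin/sh` line and closing `exit 0` present it as a stand-alone executable in /usr/share/shorewall/help; if it is run as a child process both variables are empty unless the caller exports them, and if it is instead sourced, the `exit 0` terminates the caller. How it is invoked is outside this diff, so this is worth confirming and recording; a comment above `case $1 in` such as `# Expects LOGFILE and version to be set in the environment by the caller` would document the contract. Also, when no argument is given, `case $1 in` falls through to the `*)` arm and prints `:  is not recognized by the help command`; an explicit `"")` arm (or folding `""` into the `help)` arm) would show the usage text instead.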
@@ -103,6 +103,11 @@ # This option has no effect if # NEWNOTSYN=Yes. # +# routeback - If specified, indicates that Shorewall +# should include rules that allow filtering +# traffic arriving on this interface back +# out that same interface. +# # arp_filter - If specified, this interface will only # respond to ARP who-has requests for IP # addresses configured on the interface. diff --git a/STABLE/nat b/STABLE/nat index b56c938ca..7bbbcd54d 100644 --- a/STABLE/nat +++ b/STABLE/nat @@ -4,11 +4,12 @@ # # /etc/shorewall/nat # -# This file is used to define static Network Address Translation (NAT). +# This file is used to define one-to-one Network Address Translation +# (NAT). # # WARNING: If all you want to do is simple port forwarding, do NOT use this # file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most -# cases, Proxy ARP is a better solution that static NAT. +# cases, Proxy ARP is a better solution that one-to-one NAT. # # Columns must be separated by white space and are: # diff --git a/STABLE/releasenotes.txt b/STABLE/releasenotes.txt index 3dd145478..0ef99088c 100644 --- a/STABLE/releasenotes.txt +++ b/STABLE/releasenotes.txt 
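Review bot: The rewritten warning line in the nat file keeps the pre-existing typo "that" where "than" is meant; since the line is being touched anyway, make it `# cases, Proxy ARP is a better solution than one-to-one NAT.`. The rest of the terminology change is consistent with the release note that motivates it.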
@@ -1,115 +1,104 @@ This is a minor release of Shorewall. -Problems Corrected since version 1.4.7: +Problems Corrected since version 1.4.8: -1) Tuomo Soini has supplied a correction to a problem that occurs using - some versions of 'ash'. The symptom is that "shorewall start" fails - with: +1) There has been a low continuing level of confusion over the terms + "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, all + instances of "Static NAT" have been replaced with "One-to-one NAT" + in the documentation and configuration files. - local: --limit: bad variable name - iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so: - cannot open shared object file: No such file or directory - Try `iptables -h' or 'iptables --help' for more information. +2) The description of NEWNOTSYN in shorewall.conf has been reworded for + clarity. -2) Andres Zhoglo has supplied a correction that avoids trying to use - the multiport match iptables facility on ICMP rules. +3) Wild-card rules (those involving "all" as SOURCE or DEST) will no + longer produce an error if they attempt to add a rule that would + override a NONE policy. The logic for expanding these wild-card + rules now simply skips those (SOURCE,DEST) pairs that have a NONE + policy. - Example of rule that previously caused "shorewall start" to fail: - - ACCEPT loc $FW icmp 0,8,11,12 - -3) Previously, if the following error message was issued, Shorewall - was left in an inconsistent state. - - Error: Unable to determine the routes through interface xxx - -4) Handling of the LOGUNCLEAN option in shorewall.conf has been - corrected. - -5) In Shorewall 1.4.2, an optimization was added. This optimization - involved creating a chain named "_frwd" for most zones - defined using the /etc/shorewall/hosts file. It has since been - discovered that in many cases these new chains contain redundant - rules and that the "optimization" turns out to be less than - optimal. The implementation has now been corrected. 
- -6) When the MARK value in a tcrules entry is followed by ":F" or ":P", - the ":F" or ":P" was previously only applied to the first Netfilter - rule generated by the entry. It is now applied to all entries. - -7) The original fix for item 5) above contained a bug which caused the - "_frwd" chain to have too few rules. That has been corrected - (twice). - -8) An incorrect comment concerning Debian's use of the SYBSYSLOCK - option has been removed from shorewall.conf. - -9) Previously, neither the 'routefilter' interface option nor the - ROUTE_FILTER parameter were working properly. This has been - corrected (thanks to Eric Bowles for his patch). The definition - of the ROUTE_FILTER option has changed however. Previously, - ROUTE_FILTER=Yes was documented as enabling route filtering on all - interfaces (which didn't work). Beginning with this release, setting - ROUTE_FILTER=Yes will enable route filtering of all interfaces - brought up while Shorewall is started. As a consequence, - ROUTE_FILTER=Yes can coexist with the use of the 'routefilter' - option in the interfaces file. - -10) If MAC verification was enabled on an interface that had a /32 - address with a broadcast address then an error would occur during - startup. - -11) The NONE policy's intended use is to suppress the generating of - rules that can't possibly be traversed. This means that a policy of - NONE is inappropriate where the source or destination zone is - $FW. Shorewall now generates an error message if such a policy is - given in /etc/shorewall/policy. Previously such a policy caused - "shorewall start" to fail. - -12) The 'routeback' option was broken for wildcard interfaces (e.g., - "tun+"). This has been corrected so that 'routeback' now works as - expected in this case. +4) DNAT rules that also specified SNAT now work reliably. Previously, + there were cases where the SNAT specification was effectively + ignored. Migration Issues: -1. 
The definition of the ROUTE_FILTER option in shorewall.conf has - changed as described in item 9) above. +None. New Features: -1. A new QUEUE action has been introduced for rules. QUEUE allows you - to pass connection requests to a user-space filter such as ftwall - (http://p2pwall.sourceforge.net). The ftwall program allows for - effective filtering of p2p applications such as Kazaa. +1) The documentation has been completely rebased to Docbook XML. The + documentation is now released as separate HTML and XML packages. - For example, to use ftwall to filter P2P clients in your 'loc' zone, - you would add the following rules: +2) To cut down on the number of "Why are these ports closed rather than + stealthed?" questions, the SMB-related rules in + /etc/shorewall/common.def have been changed from 'reject' to 'DROP'. - QUEUE loc net tcp - QUEUE loc net udp - QUEUE loc fw udp +3) For easier identification, packets logged under the 'norfc1918' + interface option are now logged out of chains named + 'rfc1918'. Previously, such packets were logged under chains named + 'logdrop'. - You would normally want to place those three rules BEFORE any ACCEPT - rules for loc->net or loc->fw udp or tcp. +4) Distributors and developers seem to be regularly inventing new + naming conventions for kernel modules. To avoid the need to change + Shorewall code for each new convention, the MODULE_SUFFIX option has + been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix + for module names in your particular distribution. If MODULE_SUFFIX + is not set in shorewall.conf, Shorewall will use the list "o gz ko + o.gz". - Note: When the protocol specified is TCP ("tcp", "TCP" or "6"), - Shorewall will only pass connection requests (SYN packets) to user - space. This is for compatibility with ftwall. + To see what suffix is used by your distribution: -2. A BLACKLISTNEWNONLY option has been added to shorewall.conf. 
When - this option is set to "Yes", the blacklists (dynamic and static) - are only consulted for new connection requests. When set to "No" - (the default if the variable is not set), the blacklists are - consulted on every packet. + ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter - Setting this option to "No" allows blacklisting to stop existing - connections from a newly blacklisted host but is more expensive in - terms of packet processing time. This is especially true if the - blacklists contain a large number of entries. + All of the files listed should have the same suffix (extension). Set + MODULE_SUFFIX to that suffix. -3. Chain names used in the /etc/shorewall/accounting file may now begin - with a digit ([0-9]) and may contain embedded dashes ("-"). + Examples: + If all files end in ".kzo" then set MODULE_SUFFIX="kzo" + If all files end in ".kz.o" then set MODULE_SUFFIX="kz.o" +5) Support for user defined rule ACTIONS has been implemented through + two new files: + /etc/shorewall/actions - used to list the user-defined ACTIONS. + /etc/shorewall/action.template - For each user defined , copy + this file to + /etc/shorewall/action. and + add the appropriate rules for that + . + Once an has been defined, it may be used like any of the + builtin ACTIONS (ACCEPT, DROP, etc.) in /etc/shorewall/rules. + Example: You want an action that logs a packet at the 'info' level + and accepts the connection. + + In /etc/shorewall/actions, you would add: + + LogAndAccept + + You would then copy /etc/shorewall/action.template to + /etc/shorewall/action.LogAndAccept and in that file, you would add the two + rules: + + LOG:info + ACCEPT + +6) The default value for NEWNOTSYN in shorewall.conf is now "Yes" + (non-syn TCP packets that are not part of an existing connection are + filtered according to the rules and policies rather than being + dropped). 
I have made this change for two reasons: + + a) NEWNOTSYN=No tends to result in lots of "stuck" connections since + any timeout during TCP session tear down results in the firewall + dropping all of the retries. + + b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in + lots of confusing messages when a connection got "stuck". While I + could have changed the default value of LOGNEWNOTSYN to suppress + logging, I dislike defaults that silently throw away packets. + +7) The common.def file now contains an entry that silently drops ICMP + packets with a null source address. Ad Koster reported a case where + these were occuring frequently as a result of a broken system on his + external network. diff --git a/STABLE/rules b/STABLE/rules index 463368608..77ced5bb1 100644 --- a/STABLE/rules +++ b/STABLE/rules @@ -15,8 +15,8 @@ # Columns are: # # -# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE -# or LOG. +# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, +# LOG or an . # # ACCEPT -- allow the connection request # DROP -- ignore the request @@ -48,6 +48,8 @@ # LOG -- Simply log the packet and continue. # QUEUE -- Queue the packet to a user-space # application such as p2pwall. +# -- The name of an action defined in +# /etc/shorewall/actions. # # You may rate-limit the rule by optionally # following ACCEPT, DNAT[-], REDIRECT[-] or LOG with diff --git a/STABLE/shorewall.conf b/STABLE/shorewall.conf index 548914232..a2ad3995c 100644 --- a/STABLE/shorewall.conf +++ b/STABLE/shorewall.conf @@ -221,7 +221,7 @@ STATEDIR=/var/lib/shorewall # KERNEL MODULE DIRECTORY # # If your netfilter kernel modules are in a directory other than -# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that +# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that # directory in this variable. Example: MODULESDIR=/etc/modules. MODULESDIR= 
@@ -417,13 +417,30 @@ MUTEX_TIMEOUT=60 # # NEWNOTSYN # -# If this variable is set to "No" or "no", then when a TCP packet that does -# not have the SYN flag set and the ACK and RST flags clear then unless the -# packet is part of an established connection, it will be dropped by the -# firewall +# TCP connections are established using the familiar three-way "handshake": # -# If this variable is set to "Yes" or "yes" then such packets will not be -# dropped but will pass through the normal rule processing. +# CLIENT SERVER +# +# SYN--------------------> +# <------------------SYN,ACK +# ACK--------------------> +# +# The first packet in that exchange (packet with the SYN flag on and the ACK +# and RST flags off) is referred to in Netfilter terminology as a "syn" packet. +# A packet is said to be NEW if it is not part of or related to an already +# established connection. +# +# The NETNOTSYN option determines the handling of non-SYN packets (those with +# SYN off or with ACK or RST on) that are not associated with an already +# established connection. +# +# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not +# part of an already established connection, it will be dropped by the +# firewall. The setting of LOGNEWNOTSYN above determines if these packets are +# logged before they are dropped. +# +# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be +# dropped but will pass through the normal rule/policy processing. # # Users with a High-availability setup with two firewall's and one acting # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may 
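Review bot: The new explanatory comment misspells the option as `NETNOTSYN` in the sentence "The NETNOTSYN option determines the handling of non-SYN packets", which will send anyone grepping for the option name past the one paragraph that defines its semantics; it should read `# The NEWNOTSYN option determines the handling of non-SYN packets (those with`. The following paragraph also has a dangling subject: `# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not` / `# part of an already established connection will be dropped by the` / `# firewall.` reads cleanly without the stray "it". The handshake diagram and the definition of NEW are a clear improvement over the removed text.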
@@ -431,8 +448,15 @@ MUTEX_TIMEOUT=60 # # The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis # using the 'newnotsyn' option in /etc/shorewall/interfaces. +# +# I find that NEWNOTSYN=No tends to result in lots of "stuck" +# connections because any network timeout during TCP session tear down +# results in retries being dropped (Netfilter has removed the +# connection from the conntrack table but the end-points haven't +# completed shutting down the connection). I therefore have chosen +# NEWNOTSYN=Yes as the default value. -NEWNOTSYN=No +NEWNOTSYN=Yes # # FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT @@ -485,6 +509,29 @@ ADMINISABSENTMINDED=Yes # BLACKLISTNEWONLY=Yes +# MODULE NAME SUFFIX +# +# When loading a module named in /etc/shorewall/modules, Shorewall normally +# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names +# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different +# naming convention then you can specify the suffix (extension) for module +# names in this variable. +# +# To see what suffix is used by your distribution: +# +# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter +# +# All of the file names listed should have the same suffix (extension). Set +# MODULE_SUFFIX to that suffix. +# +# Examples: +# +# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo" +# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o" +# + +MODULE_SUFFIX= + ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################ diff --git a/STABLE/shorewall.spec b/STABLE/shorewall.spec index aa3ad3e80..bbf1a1854 100644 --- a/STABLE/shorewall.spec +++ b/STABLE/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 1.4.8 +%define version 1.4.9 %define release 1 %define prefix /usr 
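Review bot: The flipped default `NEWNOTSYN=Yes` relaxes filtering for every existing installation that carries this file forward, and the added comment explains only the motivation ("stuck" connections), not the consequence that non-SYN packets with no conntrack entry are now subject to the rules and policies instead of being dropped outright, as the NEWNOTSYN paragraph earlier in this file states. A sentence next to the new default, e.g. `# With NEWNOTSYN=Yes such packets are no longer dropped unconditionally; they are handled by your rules and policies. Set NEWNOTSYN=No to keep the previous behavior.`, would tell administrators what they are accepting and how to revert. The first-person wording ("I find", "I therefore have chosen") is also unusual for a shipped configuration file and reads better in the impersonal voice used by the rest of the comments.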
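Review bot: The new MODULE_SUFFIX comment lists the default suffixes as `".o", ".ko", ".gz" or "o.gz"`, where the last entry is missing its leading dot and so does not match the form of the other three; `# end in ".o", ".ko", ".gz" or ".o.gz". If your distribution uses a different` keeps the list uniform. It would also help to state explicitly that the variable holds a single suffix whereas the default is a list of candidates, since the examples only show single values; something like `# MODULE_SUFFIX accepts one suffix, which replaces the whole default list.` if that is how the firewall script consumes it (its consumer is not in this diff, so confirm).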
@@ -100,14 +100,25 @@ fi %attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting %attr(0600,root,root) %config(noreplace) /etc/shorewall/usersets %attr(0600,root,root) %config(noreplace) /etc/shorewall/users +%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions +%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.template %attr(0544,root,root) /sbin/shorewall %attr(0444,root,root) /usr/share/shorewall/functions %attr(0544,root,root) /usr/share/shorewall/firewall %attr(0544,root,root) /usr/share/shorewall/help -%doc documentation %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Tue Jan 13 2004 Tom Eastep +- Changed version to 1.4.9 +* Mon Dec 29 2003 Tom Eastep +- Remove Documentation from this RPM +* Sun Dec 28 2003 Tom Eastep +- Updated for Beta 2 +* Sun Dec 07 2003 Tom Eastep +- Added User Defined Actions Files +* Wed Dec 03 2003 Tom Eastep +- Added User Defined Actions Files * Fri Nov 07 2003 Tom Eastep - Changed version to 1.4.8 * Sat Nov 01 2003 Tom Eastep diff --git a/STABLE/uninstall.sh b/STABLE/uninstall.sh index d81c08903..f21e230cd 100755 --- a/STABLE/uninstall.sh +++ b/STABLE/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=1.4.8 +VERSION=1.4.9 usage() # $1 = exit status { @@ -60,8 +60,8 @@ remove_file() # $1 = file to restore fi } -if [ -f /usr/lib/shorewall/version ]; then - INSTALLED_VERSION="`cat /usr/lib/shorewall/version`" +if [ -f /usr/share/shorewall/version ]; then + INSTALLED_VERSION="`cat /usr/share/shorewall/version`" if [ "$INSTALLED_VERSION" != "$VERSION" ]; then echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed" echo " and this is the $VERSION uninstaller." diff --git a/STABLE/users b/STABLE/users new file mode 100644 index 000000000..8e82f3d8a --- /dev/null +++ b/STABLE/users 
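Review bot: The rewritten uninstall.sh line keeps the backtick form in `INSTALLED_VERSION="`cat /usr/share/shorewall/version`"` while the same commit updates shorewall.conf's comment from backticks to `$(uname -r)`; for consistency and readability use `INSTALLED_VERSION=$(cat /usr/share/shorewall/version)`. The path move from /usr/lib to /usr/share means a leftover version file at the old location is no longer detected, which is fine given the script's stated restriction to the version shown at the top, but a short comment such as `# version file moved from /usr/lib/shorewall in 1.4.9` would explain the change to anyone diffing the two scripts later.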
@@ -0,0 +1,25 @@ +# +# Shorewall version 1.4 - Users File +# +# /etc/shorewall/users +# +# This file is used to associate local users and/or groups to Shorewall +# "User Sets". +# Columns are: +# +# USERSET The name of a user set defined in +# /etc/shorewall/usersets. +# +# USER A Linux user name or number defined in /etc/passwd. +# +# GROUP A linux group name or number defined in /etc/groups. +# +# The GROUP may be omitted. If it is supplied, then the USER may be +# entered as "-" in which case all members of the specified group are +# included in the USERSET. +# +################################################################################ +#USERSET USER GROUP +# +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + diff --git a/STABLE/usersets b/STABLE/usersets new file mode 100644 index 000000000..f147d01c3 --- /dev/null +++ b/STABLE/usersets @@ -0,0 +1,29 @@ +# +# Shorewall version 1.4 - Users Sets File +# +# /etc/shorewall/usersets +# +# A user set is a list of , or names and can +# be used to control access by individual users to other network hosts +# from the firewall system. +# +# Columns are: +# +# USERSET The name of a user set. May be up to 6 characters in +# length and must be a valid shell identifier. +# +# REJECT The log level for REJECT rules that match a user in this +# userset. +# +# ACCEPT The log level for ACCEPT rules that match a user in this +# userset. +# +# DROP The log level for DROP rules that match a user in this +# userset. +# +# To omit one of the last three columns yet supply a value to one of the +# following ones, enter "-". +# +#USERSET REJECT ACCEPT DROP +# +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
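Review bot: The GROUP column description in the new users file points at `/etc/groups`, but the system group database is `/etc/group`; the line should read `# GROUP A Linux group name or number defined in /etc/group.` ("linux" is also lowercased here while the USER line above capitalises it). Since these values end up selecting which local accounts a rule applies to, a reader who cannot find the referenced file may misconfigure the set, so the reference is worth getting exactly right.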