extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-08 00:34:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Copy latest 2.2 version from STABLE2/

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2263 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
paulgear 2005-07-09 05:45:05 +00:00
parent 921a7223d4
commit 90dd62e89e
78 changed files with 5089 additions and 2066 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/INSTALL
View File

@ -1,4 +1,4 @@
Shoreline Firewall (Shorewall) Version 2.0 - 2/14/2004
Shoreline Firewall (Shorewall) Version 2.2
----- ----
-----------------------------------------------------------------------------

33
Shorewall/accounting
View File

@ -1,5 +1,5 @@
#
# Shorewall version 2.0 - Accounting File
# Shorewall version 2.2 - Accounting File
#
# /etc/shorewall/accounting
#
@ -47,9 +47,12 @@
# Format the same as the SOURCE column.
#
# PROTOCOL A protocol name (from /etc/protocols), a protocol
# number.
# number, or "ipp2p"
#
# DEST PORT Destination Port number
# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then
# this column must contain an ipp2p option ("iptables -m
# ipp2p --help") without the leading "--". If no option
# is given in this column, "ipp2p" is assumed.
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
@ -61,13 +64,33 @@
# only be specified if the protocol is TCP or UDP (6
# or 17).
#
# USER/GROUP This column may only be non-empty if the CHAIN is
# OUTPUT.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
#
# In all of the above columns except ACTION and CHAIN, the values "-",
# "any" and "all" may be used as wildcards
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
# PORT PORT
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT PORT GROUP
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

2
Shorewall/action.AllowAuth
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowAuth
# Shorewall 2.2 /usr/share/shorewall/action.AllowAuth
#
# This action accepts Auth (identd) traffic.
#

2
Shorewall/action.AllowDNS
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowDNS
# Shorewall 2.2 /usr/share/shorewall/action.AllowDNS
#
# This action accepts DNS traffic.
#

2
Shorewall/action.AllowFTP
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowFTP
# Shorewall 2.2 /usr/share/shorewall/action.AllowFTP
#
# This action accepts FTP traffic. See
# http://www.shorewall.net/FTP.html for additional considerations.

11
Shorewall/action.AllowICMPs Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs
#
# ACCEPT needed ICMP types
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
#
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded

2
Shorewall/action.AllowIMAP
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowIMAP
# Shorewall 2.2 /usr/share/shorewall/action.AllowIMAP
#
# This action accepts IMAP traffic (secure and insecure):
#

2
Shorewall/action.AllowNNTP
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /usr/share/shorewall/action.AllowNNTP
# Shorewall 2.2 /usr/share/shorewall/action.AllowNNTP
#
# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
#

3
Shorewall/action.AllowNTP
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowNTP
# Shorewall 2.2 /usr/share/shorewall/action.AllowNTP
#
# This action accepts NTP traffic (ntpd).
#
@ -7,4 +7,5 @@
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT - - udp 123
ACCEPT - - udp 1024: 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

6
Shorewall/action.AllowPCA
View File

@ -1,11 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowPCA
# Shorewall 2.2 /usr/share/shorewall/action.AllowPCA
#
# This action accepts PCAnywere (tm)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 5631
ACCEPT - - tcp 5632
ACCEPT - - udp 5632
ACCEPT - - tcp 5631
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

2
Shorewall/action.AllowPOP3
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowPOP3
# Shorewall 2.2 /usr/share/shorewall/action.AllowPOP3
#
# This action accepts POP3 traffic (secure and insecure):
#

2
Shorewall/action.AllowPing
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowPing
# Shorewall 2.2 /usr/share/shorewall/action.AllowPing
#
# This action accepts 'ping' requests.
#

2
Shorewall/action.AllowRdate
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowRdate
# Shorewall 2.2 /usr/share/shorewall/action.AllowRdate
#
# This action accepts remote time retrieval (rdate).
#

2
Shorewall/action.AllowSMB
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowSMB
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMB
#
# Allow Microsoft SMB traffic. You need to invoke this action in
# both directions.

2
Shorewall/action.AllowSMTP
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowSMTP
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMTP
#
# This action accepts SMTP (email) traffic.
#

2
Shorewall/action.AllowSNMP
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowSNMP
# Shorewall 2.2 /usr/share/shorewall/action.AllowSNMP
#
# This action accepts SNMP traffic (including traps):
#

2
Shorewall/action.AllowSSH
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowSSH
# Shorewall 2.2 /usr/share/shorewall/action.AllowSSH
#
# This action accepts secure shell (SSH) traffic.
#

2
Shorewall/action.AllowTelnet
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowTelnet
# Shorewall 2.2 /usr/share/shorewall/action.AllowTelnet
#
# This action accepts Telnet traffic. For traffic over the
# internet, telnet is inappropriate; use SSH instead

2
Shorewall/action.AllowTrcrt
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowTrcrt
# Shorewall 2.2 /usr/share/shorewall/action.AllowTrcrt
#
# This action accepts Traceroute (for up to 30 hops):
#

2
Shorewall/action.AllowVNC
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
# Shorewall 2.2 /usr/share/shorewall/action.AllowVNC
#
# This action accepts VNC traffic for VNC display's 0 - 9.
#

2
Shorewall/action.AllowVNCL
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
# Shorewall 2.2 /usr/share/shorewall/action.AllowVNCL
#
# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
#

4
Shorewall/action.AllowWeb
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowWeb
# Shorewall 2.2 /usr/share/shorewall/action.AllowWeb
#
# This action accepts WWW traffic (secure and insecure):
#
@ -7,5 +7,5 @@
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 80
ACCEPT - - TCP 443
ACCEPT - - tcp 443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

41
Shorewall/action.Drop
View File

@ -1,16 +1,49 @@
#
# Shorewall 2.0 /etc/shorewall/action.Drop
# Shorewall 2.2 /usr/share/shorewall/action.Drop
#
# The default DROP common rules
#
# This action is invoked before a DROP policy is enforced. The purpose of the action
# is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
# Otherwise, you may experience problems establishing connections with
# servers that use auth.
# c) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
#TARGET SOURCE DEST PROTO
#
# Reject 'auth'
#
RejectAuth
#
# Don't log broadcasts
#
dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
#
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
# confuse people when they appear in the log.
#
dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
DropSMB
DropUPnP
dropNotSyn
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
#
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

2
Shorewall/action.DropDNSrep
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.DropDNSrep
# Shorewall 2.2 /usr/share/shorewall/action.DropDNSrep
#
# This action silently drops DNS UDP replies
#

2
Shorewall/action.DropPing
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.DropPing
# Shorewall 2.2 /usr/share/shorewall/action.DropPing
#
# This action silently drops 'ping' requests.
#

2
Shorewall/action.DropSMB
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.DropSMB
# Shorewall 2.2 /usr/share/shorewall/action.DropSMB
#
# This action silently drops Microsoft SMB traffic
#

2
Shorewall/action.DropUPnP
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.DropUPnP
# Shorewall 2.2 /usr/share/shorewall/action.DropUPnP
#
# This action silently drops UPnP probes on UDP port 1900
#

38
Shorewall/action.Reject
View File

@ -1,16 +1,46 @@
#
# Shorewall 2.0 /etc/shorewall/action.Reject
# Shorewall 2.2 /usr/share/shorewall/action.Reject
#
# The default REJECT action common rules
#
# This action is invoked before a REJECT policy is enforced. The purpose of the action
# is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
#TARGET SOURCE DEST PROTO
#
# Don't log 'auth' REJECT
#
RejectAuth
#
# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
#
dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
#
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
# confuse people when they appear in the log (these ICMPs cannot be rejected).
#
dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the lot.
#
RejectSMB
DropUPnP
dropNotSyn
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
#
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

2
Shorewall/action.RejectAuth
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.RejectAuth
# Shorewall 2.2 /usr/share/shorewall/action.RejectAuth
#
# This action silently rejects Auth (tcp 113) traffic
#

2
Shorewall/action.RejectSMB
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.RejectSMB
# Shorewall 2.2 /usr/share/shorewall/action.RejectSMB
#
# This action silently rejects Microsoft SMB traffic
#

21
Shorewall/action.template
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/action.template
# Shorewall 2.2 /etc/shorewall/action.template
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
@ -11,6 +11,9 @@
# 2. Copy this file to /etc/shorewall/action.<action name>
# 3. Add the desired rules to that file.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Columns are:
#
#
@ -37,6 +40,10 @@
# ACCEPT:debugging). This causes the packet to be
# logged at the specified level.
#
# The special log level 'none' does not result in logging
# but rather exempts the rule from being overridden by a
# non-forcing log level when the action is invoked.
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
@ -61,6 +68,10 @@
#
# 155.186.235.0/24 Subnet 155.186.235.0/24
#
# 10.0.0.4-10.0.0.9 Range of IP addresses; your
# kernel and iptables must have
# iprange match support.
#
# 192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2.
@ -77,10 +88,6 @@
# DEST Location of Server. Same as above with the exception that
# MAC addresses are not allowed.
#
# Unlike in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
@ -155,6 +162,6 @@
# #of the 'kids' group
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

9
Shorewall/actions
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/actions
# Shorewall 2.2 /etc/shorewall/actions
#
# This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to
@ -8,7 +8,7 @@
#
# ACTION names should begin with an upper-case letter to
# distinguish them from Shorewall-generated chain names and
# they must need the requirements of a Netfilter chain. If
# they must meet the requirements of a Netfilter chain. If
# you intend to log from the action then the name must be
# no longer than 11 character in length. Names must also
# meet the requirements for a Bourne Shell identifier (must
@ -22,7 +22,10 @@
# last such action will be taken.
#
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
# itself, the associated policy will have no common action.
# itself, the associated policy will have no common action.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
#ACTION

24
Shorewall/actions.std
View File

@ -1,22 +1,23 @@
#
# Shorewall 2.0 /usr/share/shorewall/actions.std
# Shorewall 2.2 /usr/share/shorewall/actions.std
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Builtin Actions are:
#
# allowBcast #Silently Allow Broadcast/multicast
# dropBcast #Silently Drop Broadcast/multicast
# dropNonSyn #Silently Drop Non-syn TCP packets
# rejNonSyn #Silently Reject Non-syn TCP packets
# logNonSyn #Log Non-syn TCP packets with disposition LOG
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
# dropNotSyn #Silently Drop Non-syn TCP packets
# rejNotSyn #Silently Reject Non-syn TCP packets
# dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state.
# allowInvalid #Accept packets that are in the INVALID conntrack
# #state
#
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used.
# allowInvalid #Accept packets that are in the INVALID
# #conntrack state.
# allowoutUPnP #Allow traffic from local command 'upnpd'
# allowinUPnP #Allow UPnP inbound (to firewall) traffic
# forwardUPnP #Allow traffic that upnpd has redirected from
# #'upnp' interfaces.
#
#ACTION
@ -36,6 +37,7 @@ AllowSMB #Allow MS Networking
AllowAuth #Allow Auth (identd)
AllowSMTP #Allow SMTP (Email)
AllowPOP3 #Allow reading mail via POP3
AllowICMPs #Allows critical ICMP types
AllowIMAP #Allow reading mail via IMAP
AllowTelnet #Allow Telnet Access (not recommended for use over the
#Internet)

17
Shorewall/blacklist
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 -- Blacklist File
# Shorewall 2.2 -- Blacklist File
#
# /etc/shorewall/blacklist
#
@ -7,7 +7,9 @@
#
# Columns are:
#
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
# ADDRESS/SUBNET - Host address, subnetwork, MAC address or IP address
# range (if your kernel and iptables contain iprange
# match support).
#
# MAC addresses must be prefixed with "~" and use "-"
# as a separator.
@ -21,10 +23,10 @@
# is TCP (6) or UDP (17). A comma-separated list
# of port numbers or service names from /etc/services.
#
# When a packet arrives on in interface that has the 'blacklist' option
# specified, its source IP address is checked against this file and disposed of
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
# /etc/shorewall/shorewall.conf
# When a packet arrives on an interface that has the 'blacklist' option
# specified in /etc/shorewall/interfaces, its source IP address is checked
# against this file and disposed of according to the BLACKLIST_DISPOSITION and
# BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf
#
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked.
@ -36,6 +38,9 @@
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

27
Shorewall/bogons
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0-- Bogons File
# Shorewall 2.2-- Bogons File
#
# /etc/shorewall/bogons
#
@ -14,7 +14,9 @@
#
# Columns are:
#
# SUBNET The subnet (host addresses also allowed)
# SUBNET The subnet (host addresses also allowed as are IP
# address ranges provided that your kernel and iptables
# include iprange match support).
# TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally
# DROP - silently drop the packet
@ -42,27 +44,20 @@
31.0.0.0/8 logdrop # Reserved
36.0.0.0/7 logdrop # Reserved
39.0.0.0/8 logdrop # Reserved
41.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
73.0.0.0/8 logdrop # Reserved
74.0.0.0/7 logdrop # Reserved
76.0.0.0/6 logdrop # Reserved
89.0.0.0/8 logdrop # Reserved
90.0.0.0/7 logdrop # Reserved
77.0.0.0/8 logdrop # Reserved
78.0.0.0/7 logdrop # Reserved
92.0.0.0/6 logdrop # Reserved
96.0.0.0/3 logdrop # Reserved
127.0.0.0/8 logdrop # Loopback
96.0.0.0/4 logdrop # Reserved
112.0.0.0/5 logdrop # Reserved
120.0.0.0/6 logdrop # Reserved
127.0.0.0/8 logdrop # Reserved
173.0.0.0/8 logdrop # Reserved
174.0.0.0/7 logdrop # Reserved
176.0.0.0/5 logdrop # Reserved
184.0.0.0/6 logdrop # Reserved
189.0.0.0/8 logdrop # Reserved
190.0.0.0/8 logdrop # Reserved
197.0.0.0/8 logdrop # Reserved
198.18.0.0/15 logdrop # Reserved
223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
223.0.0.0/8 logdrop # Reserved
240.0.0.0/4 logdrop # Reserved
#
# End of generated entries

63
Shorewall/bogons.new
View File

@ -1,63 +0,0 @@
#
# Shorewall 2.0-- Bogons File
#
# /etc/shorewall/bogons
#
# Lists the subnetworks that are blocked by the 'nobogons' interface option.
#
# The default list includes those those ip ADDRESSES listed
# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
# reserved for use in documentation and examples.
#
# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
# TO /etc/shorewall AND MODIFY THE COPY.
#
# Columns are:
#
# SUBNET The subnet (host addresses also allowed)
# TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally
# DROP - silently drop the packet
# logdrop - log then drop
#
###############################################################################
#SUBNET TARGET
0.0.0.0 RETURN # Stop the DHCP whining
255.255.255.255 RETURN # We need to allow limited broadcast
169.254.0.0/16 DROP # DHCP autoconfig
192.0.2.0/24 logdrop # Example addresses (RFC 3330)
#
# The following are generated with the help of the Python program found at:
#
# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
#
# The program was contributed by Andy Wiggin
#
0.0.0.0/7 logdrop # Reserved
2.0.0.0/8 logdrop # Reserved
5.0.0.0/8 logdrop # Reserved
7.0.0.0/8 logdrop # Reserved
23.0.0.0/8 logdrop # Reserved
27.0.0.0/8 logdrop # Reserved
31.0.0.0/8 logdrop # Reserved
36.0.0.0/7 logdrop # Reserved
39.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved
77.0.0.0/8 logdrop # Reserved
78.0.0.0/7 logdrop # Reserved
92.0.0.0/6 logdrop # Reserved
96.0.0.0/4 logdrop # Reserved
112.0.0.0/5 logdrop # Reserved
120.0.0.0/6 logdrop # Reserved
127.0.0.0/8 logdrop # Reserved
173.0.0.0/8 logdrop # Reserved
174.0.0.0/7 logdrop # Reserved
176.0.0.0/5 logdrop # Reserved
184.0.0.0/6 logdrop # Reserved
197.0.0.0/8 logdrop # Reserved
223.0.0.0/8 logdrop # Reserved
240.0.0.0/4 logdrop # Reserved
#
# End of generated entries
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

303
Shorewall/changelog.txt
View File

@ -1,121 +1,296 @@
Changes in 2.0.4
Changes in 2.2.5
1) Fix DNAT logging with 'fw' as the source zone.
1) Correct behavior of PKTTYPE=No
Change in 2.0.5
2) Fixed typo in the tunnel script.
1) Eradicate more RESTOREBASE messages.
Changes in 2.2.4
2) Remove 'mangle' reference from shorewall.conf.
1) Added support for UPnP
Change in 2.0.6
2) Add 'started' hook.
1) Add PKTTYPE option.
3) Make an error message more self-explanatory
shorewall.conf
firewall
4) Report Owner Match capability
2) Sanitized some correct but confusing code in determine_hosts().
5) Add Paul Traina's patch to install.sh.
There was a loop:
6) Allow startup options to be overridden in /etc/sysconfig/shorewall
or /etc/default/shorewall.
for networks in $networks
...
7) Add support for SAME
It now reads:
8) Add 'shorewall show capabilities'
for network in $networks
...
8) Add '-v' option
9) Allow 'none' in /etc/shorewall/rules.
3) Don't give shorewall.conf and zones execute permission.
4) Backport 'dropInvalid' from 2.1
10) Add error message for invalid HOST(S) column contents.
Changes in 2.0.7
11) Apply Christian Rodriguez's patch for Slackware install.
1) Include output of "ip rule ls" and "ip route ls" in "shorewall
status".
Changes in 2.2.3
2) Consult PKTTYPE when generating 'REJECT' rules.
1) Added the 'continue' extension script.
3) Enhance IP/Routing output in "shorewall status".
2) Obey 'routestopped' rules during [re]start.
4) Correct handling of multiple 'blacklist' interfaces.
3) MACLIST_TTL added.
5) Add "0.0.0.0 RETURN" to nobogons.
4) Fix ! in hosts file
Changes in 2.0.8
5) Add QUEUE policy.
1) Removed dead code from process_actions2()
6) Fix routing output when advanced routing support not in kernel.
2) Corrected read command in process_actions2() (userspec)
Changes in 2.2.2
Changes in 2.0.9
1) The 'check' command disclaimer is toned down further and only
appears once in the 'check' output.
1) Corrected setup_tc1() handling of the PROTO column.
2) Enhanced support in the SOURCE column of /etc/shorewall/tcrules.
2) Added warning about ADD_SNAT_ALIASES in the masq file.
3) All calls to 'clear' are now conditional on the output device being
a terminal.
3) Added "brctl show" to the status command.
4) Apply Juergen Kreileder's patch for logging.
Changes in 2.0.10
5) Add the output of 'arp -na' to the 'shorewall status' display.
1) Corrected GATEWAY handling for 'pptpserver's
6) Provide support for the Extended multiport match available in
2.6.11.
2) Correct log rule number generation.
7) Fix logging rule generation.
3) Add clarification to /etc/shorewall/tcrules.
8) Correct port numbers in action.AllowPCA.
4) Apply part of Ian Allen's fix for down interface in the SUBNET
column of /etc/shorewall/masq.
9) Fix installer's handling of action.* files.
5) Add key /proc settings to "shorewall status" output.
10) Implement RFC1918_STRICT
Changes in 2.0.11
11) Verify interface names in the DEST column of tcrules.
1) Add note for Slackware users to INSTALL.
Changes in 2.2.1
2) Correct bogons file.
1) Add examples to the zones and policy files.
3) Replace service names by port numbers in /etc/shorewall/tos.
2) Simon Matter's patch for umask.
4) Added NNTPS to action.AllowNNTP.
Changes since 2.0.3
5) Fix install.sh
1) Fix security vulnerability involving temporary files/directories.
Changes in 2.0.12
2) Hack security fix so that it works under Slackware.
1) Correct typo in shorewall.conf.
3) Correct mktempfile() for case where mktemp isn't installed.
2) Fix "shorewall add" and "shorewall delete" with bridging.
4) Implement 'dropInvalid' builtin action.
3) Implement variable expansion in INCLUDE directives
5) Fix logging nat rules.
4) Split restore-base into two files.
6) Fix COMMAND typos.
5) Correct dynamic zone OUTPUT handling.
7) Add PKTTYPE option.
Changes in 2.0.13
8) Enhancements to /etc/shorewall/masq
1) Correct typo in "shorewall add" code.
8) Allow overriding ADD_IP_ALIASES=Yes
Changes in 2.0.14
9) Fix syntax error in setup_nat()
1) Log drops due to policy rate limiting.
10) Port "shorewall status" changes from 2.0.7.
2) Fix typo in interfaces file.
11) All config files are now empty.
3) Eliminate "bad variable" errors during stop/clear.
12) Port blacklisting fix from 2.0.7
4) Fix typo in tunnels file.
13) Pass rule chain and display chain separately to log_rule_limit.
Prep work for action logging.
Changes in 2.0.15
14) Show the iptables/ip/tc command that failed when failure is fatal.
1) Increased port range for Traceroute.
15) Implement STARTUP_ENABLED.
2) Corrected port of rate-limit logging change.
16) Added DNAT ONLY column to /etc/shorewall/nat.
Changes in 2.0.16
17) Removed SNAT from ORIGINAL DESTINATION column.
1) Backport DROPINVALID from 2.2.0.
18) Removed DNAT ONLY column.
19) Added IPSEC column to /etc/shorewall/masq.
20) No longer enforce source port 500 for ISAKMP.
21) Apply policy to interface/host options.
22) Fix policy and maclist.
23) Implement additional IPSEC options for zones and masq entries.
24) Deprecate the -c option in /sbin/shorewall.
25) Allow distinct input and output IPSEC parameters.
26) Allow source port remapping in /etc/shorewall/masq.
27) Include params file on 'restore'
28) Apply Richard Musil's patch.
29) Correct parsing of PROTO column in setup_tc1().
30) Verify Physdev match if BRIDGING=Yes
31) Don't NAT tunnel traffic.
32) Fix shorewall.spec to run chkconfig/insserv after initial install.
33) Add iprange support.
34) Add CLASSIFY support.
35) Fix iprange support so that ranges in both source and destination
work.
36) Remove logunclean and dropunclean
37) Fixed proxy arp flag setting for complex configurations.
38) Added RETAIN_ALIASES option.
39) Relax OpenVPN source port restrictions.
40) Implement DELAYBLACKLISTLOAD.
41) Avoid double-setting proxy arp flags.
42) Fix DELAYBLACKLISTLOAD=No.
43) Merge 'brctl show' change from 2.0.9.
44) Implememt LOGTAGONLY.
45) Merge 'tcrules' clarification from 2.0.10.
46) Implement 'sourceroute' interface option.
47) Add 'AllowICMPs' action.
48) Changed 'activate_rules' such that traffic from IPSEC hosts gets
handled before traffic from non-IPSEC zones.
49) Correct logmartians handling.
50) Add a clarification and fix a typo in the blacklist file.
51) Allow setting a specify MSS value.
52) Detect duplicate zone names.
53) Add mss=<number> option to the ipsec file.
54) Added CONNMARK/ipp2p support.
55) Added LOGALLNEW support.
56) Fix typo in check_config()
57) Allow outgoing NTP responses in action.AllowNTP.
58) Clarification of the 'ipsec' hosts file option.
59) Allow list in the SUBNET column of the rfc1918 file.
60) Restore missing '#' in the rfc1918 file.
61) Add note for Slackware users to INSTALL.
62) Allow interface in DEST tcrules column.
63) Remove 'ipt_unclean' from search expression in "log" commands.
64) Remove nonsense from IPSEC description in masq file.
65) Correct typo in rules file.
66) Update bogons file.
67) Add a rule for NNTPS to action.AllowNNTP
68) Fix "shorewall add"
69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file.
70) Correct typo in shorewall.conf.
71) Add the 'icmp_echo_ignore_all' file to the /proc display.
72) Apply Tuomas Jormola's IPTABLES patch.
73) Fixed some bugs in Tuomas's patch.
74) Correct bug in "shorewall add"
75) Correct bridge handling in "shorewall add" and "shorewall delete"
76) Add "shorewall show zones"
77) Remove dependency of "show zones" on dynamic zones.
78) Implement variable expansion in INCLUDE directives
79) More fixes for "shorewall delete" with bridging.
80) Split restore-base into two files.
81) Correct OUTPUT handling of dynamic zones.
83) Add adapter statistics to the output of "shorewall status".
84) Log drops due to policy rate limiting.
85) Continue determining capabilities when fooX1234 already exists.
86) Corrected typo in interfaces file.
87) Add DROPINVALID option.
88) Allow list of hosts in add and delete commands. Fix ipsec problem
with "add" and "delete"
89) Clarify add/delete syntax in /sbin/shorewall usage summary.
90) Implement OpenVPN TCP support.
91) Simplify the absurdly over-engineered code that restores the
dynamic chain.
92) Add OPENVPNPORT option.
93) Remove OPENVPNPORT option and change default port to 1194.
94) Avoid shell error during "shorewall stop/clear"
95) Change encryption to blowfish in 'ipsecvpn' script.
96) Correct rate limiting rule example.
97) Fix <if>:: handling in setup_masq().
98) Fix mis-leading typo in tunnels.
99) Fix brain-dead ipsec option handling in setup_masq().
100) Reconcile ipsec masq file implementation with the documentation.
101) Add netfilter module display to status output.
102) Add 'allowInvalid' builtin action.
103) Expand range of Traceroute ports.
102) Correct uninitialized variable in setup_ecn()
103) Allow DHCP to be IPSEC-encrypted.

4
Shorewall/configpath
View File

@ -1,7 +1,7 @@
#
# Shorewall version 2.0 - Default Config Path
# Shorewall version 2.2 - Default Config Path
#
# /usr/share/shorewall/configpath
#
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

8
Shorewall/continue Normal file
View File

@ -0,0 +1,8 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/continue
#
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing connections.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#

8
Shorewall/ecn
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 - /etc/shorewall/ecn
# Shorewall 2.2 - /etc/shorewall/ecn
#
# Use this file to list the destinations for which you want to
# disable ECN.
@ -12,7 +12,11 @@
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
# 0.0.0.0/0 is assumed. If your kernel and iptables
# include iprange match support then IP address ranges
# are also permitted.
#
# For additional information, see http://shorewall.net/Documentation.htm#ECN
##############################################################################
#INTERFACE HOST(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

6
Shorewall/fallback.sh
View File

@ -5,7 +5,7 @@
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
# (c) 2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://seattlefirewall.dyndns.org
#
@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=2.0.16
VERSION=2.2.5
usage() # $1 = exit status
{
@ -85,6 +85,8 @@ restore_file /etc/shorewall/policy
restore_file /etc/shorewall/interfaces
restore_file /etc/shorewall/ipsec
restore_file /etc/shorewall/hosts
restore_file /etc/shorewall/rules

3182
Shorewall/firewall
View File

File diff suppressed because it is too large Load Diff

82
Shorewall/functions
View File

@ -1,6 +1,27 @@
#!/bin/sh
#
# Shorewall 2.0 -- /usr/share/shorewall/functions
# Shorewall 2.2 -- /usr/share/shorewall/functions
# Function to truncate a string -- It uses 'cut -b -<n>'
# rather than ${v:first:last} because light-weight shells like ash and
# dash do not support that form of expansion.
#
truncate() # $1 = length
{
cut -b -${1}
}
#
# Split a colon-separated list into a space-separated list
#
split() {
local ifs=$IFS
IFS=:
set -- $1
echo $*
IFS=$ifs
}
#
# Search a list looking for a match -- returns zero if a match found
@ -226,10 +247,13 @@ find_zones() # $1 = name of the zone file
{
while read zone display comments; do
[ -n "$zone" ] && case "$zone" in
[0-9*])
echo " Warning: Illegal zone name \"$zone\" in zones file ignored" 2>&2
;;
\#*)
;;
$FW)
echo "Reserved zone name \"$zone\" in zones file ignored" >&2
$FW|all|none)
echo " Warning: Reserved zone name \"$zone\" in zones file ignored" >&2
;;
*)
echo $zone
@ -255,12 +279,16 @@ determine_zones()
multi_display=Multi-zone
strip_file zones $zonefile
zones=$(find_zones $TMP_DIR/zones)
zones=$(echo $zones) # Remove extra trash
newzones=
for zone in $zones; do
dsply=$(find_display $zone $TMP_DIR/zones)
[ ${#zone} -gt 5 ] && echo " Warning: Zone name longer than 5 characters: $zone" >&2
eval ${zone}_display=\$dsply
newzones="$newzones $zone"
done
zones=${newzones# }
}
#
@ -377,7 +405,7 @@ mktempfile() {
> $1/shorewall-$$ && echo $1/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempfile"
echo " ERROR:Internal error in mktempfile" >&2
;;
esac
else
@ -393,7 +421,7 @@ mktempfile() {
> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempfile"
echo " ERROR:Internal error in mktempfile" >&2
;;
esac
fi
@ -417,10 +445,10 @@ mktempdir() {
mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempdir"
echo " ERROR:Internal error in mktempdir" >&2
;;
esac
}
}
#
# Read a file and handle "INCLUDE" directives
@ -531,13 +559,20 @@ encodeaddr() {
ip_range() {
local first last l x y z vlsm
case $1 in
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
case $1 in
!*)
#
# Let iptables complain if it's a range
#
echo $1
return
;;
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
esac
first=$(decodeaddr ${1%-*})
@ -680,6 +715,9 @@ chain_base() #$1 = interface
*-*)
c="${c%-*}_${c##*-}"
;;
*%*)
c="${c%\%*}_${c##*%}"
;;
*)
echo ${c:=common}
return
@ -699,11 +737,7 @@ if_match() # $1 = Name in interfaces file - may end in "+"
case $1 in
*+)
#
# Can't use ${2:0:${#pattern}} because ash and dash don't support that flavor of
# variable expansion :-(
#
test "x$(echo $2 | cut -b -${#pattern} )" = "x${pattern}"
test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}"
;;
*)
test "x$1" = "x$2"
@ -767,3 +801,11 @@ find_interface_by_address() {
[ -n "$dev" ] && echo $dev
}
#
# Find interface addresses--returns the set of addresses assigned to the passed
# device
#
find_interface_addresses() # $1 = interface
{
ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
}

53
Shorewall/help
View File

@ -1,11 +1,11 @@
#!/bin/sh
#
# Shorewall help subsystem - V2.0 - 2/14/2004
# Shorewall help subsystem - V2.2
#
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net)
# (c) 2003-2005 - Tom Eastep (teastep@shorewall.net)
# Steve Herber (herber@thing.com)
#
# This file should be placed in /usr/share/shorewall/help
@ -29,11 +29,18 @@
case $1 in
add)
echo "add: add <interface>[:<bridge-port>][:<host>] <zone>
Adds a host or subnet to a dynamic zone usually used with VPN's.
echo "add: add <interface>[:<host-list>] ... <zone>
Adds a list of hosts or subnets to a dynamic zone usually used with VPN's.
shorewall add interface[:port][:host] zone - Adds the specified interface
(and bridge port/host if included) to the specified zone.
shorewall add interface:host-list ... zone - Adds the specified interface
(and host-list if included) to the specified zone.
A host-list is a comma-separated list whose elements are:
A host or network address
The name of a bridge port
The name of a bridge port followed by a colon (":") and a host or
network address.
Example:
@ -46,7 +53,9 @@ add)
address|host)
echo "<$1>:
May be either a host IP address such as 192.168.1.4 or a network address in
CIDR format like 192.168.1.0/24"
CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
match support then IP address ranges of the form <low address>-<high address>
are also permitted."
;;
allow)
@ -60,7 +69,7 @@ allow)
;;
check)
echo "check: check [ -c <configuration-directory> ]
echo "check: check [ <configuration-directory> ]
Performs a cursory validation of the zones, interfaces, hosts,
rules and policy files. Use this if you are unsure of any edits
you have made to the shorewall configuration. See the try command
@ -93,11 +102,18 @@ debug)
;;
delete)
echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone>
Deletes a host or subnet from a dynamic zone usually used with VPN's.
echo "delete: delete <interface>[:<host-list>] ... <zone>
Deletes a list of hosts or networks from a dynamic zone usually used with VPN's.
shorewall delete interface[:port][:host] zone - Deletes the specified
interface (and bridge port/host if included) from the specified zone.
shorewall delete interface[:host-list] ... zone - Deletes the specified
interfaces (and host list if included) from the specified zone.
A host-list is a comma-separated list whose elements are:
A host or network address
The name of a bridge port
The name of a bridge port followed by a colon (":") and a host or
network address.
Example:
@ -187,7 +203,7 @@ reset)
;;
restart)
echo "restart: restart [ -q ] [ -c <configuration-directory> ]
echo "restart: [ -q ] restart [ <configuration-directory> ]
Restart is the same as a shorewall stop && shorewall start.
Existing connections are maintained.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
@ -217,7 +233,7 @@ save)
;;
show)
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos|zones]
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v)
@ -236,17 +252,22 @@ show)
shorewall show tc - displays information about the traffic
control/shaping configuration.
shorewall show zones - displays the contents of all zones.
shorewall show capabilities - displays your kernel/iptables capabilities
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
start)
echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
echo "start: [ -q ] [ -f ] start [ <configuration-directory> ]
Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies.
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
in shorewall.conf will be restored if that saved configuration exists"
in shorewall.conf will be restored if that saved configuration exists. In that
case, a <configuration-directory> may not be specified".
;;
stop)

19
Shorewall/hosts
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 - /etc/shorewall/hosts
# Shorewall 2.2 - /etc/shorewall/hosts
#
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
@ -28,12 +28,15 @@
# a) The IP address of a host
# b) A subnetwork in the form
# <subnet-address>/<mask width>
# c) A physical port name; only allowed when the
# c) An IP address range of the form <low address>-<high
# address>. Your kernel and iptables must have iprange
# match support.
# d) A physical port name; only allowed when the
# interface names a bridge created by the
# brctl addbr command. This port must not
# be defined in /etc/shorewall/interfaces and may
# optionally followed by a colon (":") and a
# host or network IP.
# host or network IP or a range.
# See http://www.shorewall.net/Bridge.html for details.
#
# Examples:
@ -43,6 +46,7 @@
# eth3:192.168.2.0/24,192.168.3.1
# br0:eth4
# br0:eth0:192.168.1.16/28
# eth4:192.168.1.44-192.168.1.49
#
# OPTIONS - A comma-separated list of options. Currently-defined
# options are:
@ -124,5 +128,14 @@
# This option has no effect if
# NEWNOTSYN=Yes.
#
# ipsec - The zone is accessed via a
# kernel 2.6 ipsec SA. Note that if the
# zone named in the ZONE column is
# specified as an IPSEC zone in the
# /etc/shorewall/ipsec file then you do NOT
# need to specify the 'ipsec' option here.
#
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
#
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

4
Shorewall/init
View File

@ -1,6 +1,8 @@
############################################################################
# Shorewall 2.0 -- /etc/shorewall/init
# Shorewall 2.2 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#

3
Shorewall/init.debian.sh
View File

@ -5,6 +5,7 @@ WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
# Note, set INITLOG to /dev/null if you do not want to
# keep logs of the firewall (not recommended)
INITLOG=/var/log/shorewall-init.log
OPTIONS="-f"
test -x $SRWL || exit 0
test -n $INITLOG || {
@ -83,7 +84,7 @@ wait_for_pppd () {
shorewall_start () {
echo -n "Starting \"Shorewall firewall\": "
wait_for_pppd
$SRWL -f start >> $INITLOG 2>&1 && echo "done." || echo_notdone
$SRWL $OPTIONS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}

16
Shorewall/init.sh
View File

@ -1,11 +1,11 @@
#!/bin/sh
RCDLINKS="2,S41 3,S41 6,K41"
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.2
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called /etc/init.d/shorewall.
#
@ -55,6 +55,16 @@ usage() {
exit 1
}
################################################################################
# Get startup options (override default)
################################################################################
OPTIONS="-f"
if [ -f /etc/sysconfig/shorewall ]; then
. /etc/sysconfig/shorewall
elif [ -f /etc/default/shorewall ] ; then
. /etc/default/shorewall
fi
################################################################################
# E X E C U T I O N B E G I N S H E R E #
################################################################################
@ -64,7 +74,7 @@ case "$command" in
start)
exec /sbin/shorewall -f start
exec /sbin/shorewall $OPTIONS start
;;
stop|restart|status)

4
Shorewall/initdone
View File

@ -1,7 +1,9 @@
############################################################################
# Shorewall 2.0 -- /etc/shorewall/initdone
# Shorewall 2.2 -- /etc/shorewall/initdone
#
# Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#

195
Shorewall/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=2.0.16
VERSION=2.2.5
usage() # $1 = exit status
{
@ -76,7 +76,7 @@ delete_file() # $1 = file to delete
install_file_with_backup() # $1 = source $2 = target $3 = mode
{
backup_file $2
run_install -o $OWNER -g $GROUP -m $3 $1 ${2}
run_install $OWNERSHIP -m $3 $1 ${2}
}
#
@ -133,11 +133,21 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
DEBIAN=
OWNERSHIP="-o $OWNER -g $GROUP"
if [ -n "$PREFIX" ]; then
install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}/sbin
install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}${DEST}
if [ `id -u` != 0 ] ; then
echo "Not setting file owner/group permissions, not running as root."
OWNERSHIP=""
fi
install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
DEBIAN=yes
elif [ -f /etc/slackware-version ] ; then
DEST="/etc/rc.d"
INIT="rc.firewall"
fi
#
@ -176,16 +186,16 @@ echo "Shorewall script installed in ${PREFIX}${DEST}/$INIT"
#
# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
#
mkdir -p ${PREFIX}/etc/shorewall && chmod 700 ${PREFIX}/etc/shorewall
mkdir -p ${PREFIX}/usr/share/shorewall && chmod 700 ${PREFIX}/usr/share/shorewall
mkdir -p ${PREFIX}/var/lib/shorewall && chmod 700 ${PREFIX}/var/lib/shorewall
mkdir -p ${PREFIX}/etc/shorewall
mkdir -p ${PREFIX}/usr/share/shorewall
mkdir -p ${PREFIX}/var/lib/shorewall
#
# Install the config file
#
if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
backup_file /etc/shorewall/shorewall.conf
else
run_install -o $OWNER -g $GROUP -m 0600 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
run_install $OWNERSHIP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
echo
echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
fi
@ -195,7 +205,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/zones ]; then
backup_file /etc/shorewall/zones
else
run_install -o $OWNER -g $GROUP -m 0600 zones ${PREFIX}/etc/shorewall/zones
run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall/zones
echo
echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
fi
@ -232,7 +242,7 @@ delete_file icmp.def
if [ -f ${PREFIX}/etc/shorewall/policy ]; then
backup_file /etc/shorewall/policy
else
run_install -o $OWNER -g $GROUP -m 0600 policy ${PREFIX}/etc/shorewall/policy
run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall/policy
echo
echo "Policy file installed as ${PREFIX}/etc/shorewall/policy"
fi
@ -242,17 +252,27 @@ fi
if [ -f ${PREFIX}/etc/shorewall/interfaces ]; then
backup_file /etc/shorewall/interfaces
else
run_install -o $OWNER -g $GROUP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
echo
echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
fi
#
# Install the ipsec file
#
if [ -f ${PREFIX}/etc/shorewall/ipsec ]; then
backup_file /etc/shorewall/ipsec
else
run_install $OWNERSHIP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
echo
echo "Ipsec file installed as ${PREFIX}/etc/shorewall/ipsec"
fi
#
# Install the hosts file
#
if [ -f ${PREFIX}/etc/shorewall/hosts ]; then
backup_file /etc/shorewall/hosts
else
run_install -o $OWNER -g $GROUP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
echo
echo "Hosts file installed as ${PREFIX}/etc/shorewall/hosts"
fi
@ -262,7 +282,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/rules ]; then
backup_file /etc/shorewall/rules
else
run_install -o $OWNER -g $GROUP -m 0600 rules ${PREFIX}/etc/shorewall/rules
run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall/rules
echo
echo "Rules file installed as ${PREFIX}/etc/shorewall/rules"
fi
@ -272,7 +292,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/nat ]; then
backup_file /etc/shorewall/nat
else
run_install -o $OWNER -g $GROUP -m 0600 nat ${PREFIX}/etc/shorewall/nat
run_install $OWNERSHIP -m 0600 nat ${PREFIX}/etc/shorewall/nat
echo
echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
fi
@ -282,7 +302,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/netmap ]; then
backup_file /etc/shorewall/netmap
else
run_install -o $OWNER -g $GROUP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap
run_install $OWNERSHIP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap
echo
echo "NETMAP file installed as ${PREFIX}/etc/shorewall/netmap"
fi
@ -292,7 +312,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/params ]; then
backup_file /etc/shorewall/params
else
run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params
run_install $OWNERSHIP -m 0600 params ${PREFIX}/etc/shorewall/params
echo
echo "Parameter file installed as ${PREFIX}/etc/shorewall/params"
fi
@ -302,7 +322,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/proxyarp ]; then
backup_file /etc/shorewall/proxyarp
else
run_install -o $OWNER -g $GROUP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
run_install $OWNERSHIP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
echo
echo "Proxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp"
fi
@ -312,7 +332,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/routestopped ]; then
backup_file /etc/shorewall/routestopped
else
run_install -o $OWNER -g $GROUP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped
run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped
echo
echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
fi
@ -322,7 +342,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/maclist ]; then
backup_file /etc/shorewall/maclist
else
run_install -o $OWNER -g $GROUP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
echo
echo "MAC list file installed as ${PREFIX}/etc/shorewall/maclist"
fi
@ -332,7 +352,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/masq ]; then
backup_file /etc/shorewall/masq
else
run_install -o $OWNER -g $GROUP -m 0600 masq ${PREFIX}/etc/shorewall/masq
run_install $OWNERSHIP -m 0600 masq ${PREFIX}/etc/shorewall/masq
echo
echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
fi
@ -342,7 +362,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/modules ]; then
backup_file /etc/shorewall/modules
else
run_install -o $OWNER -g $GROUP -m 0600 modules ${PREFIX}/etc/shorewall/modules
run_install $OWNERSHIP -m 0600 modules ${PREFIX}/etc/shorewall/modules
echo
echo "Modules file installed as ${PREFIX}/etc/shorewall/modules"
fi
@ -352,7 +372,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/tcrules ]; then
backup_file /etc/shorewall/tcrules
else
run_install -o $OWNER -g $GROUP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
echo
echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
fi
@ -363,7 +383,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/tos ]; then
backup_file /etc/shorewall/tos
else
run_install -o $OWNER -g $GROUP -m 0600 tos ${PREFIX}/etc/shorewall/tos
run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall/tos
echo
echo "TOS file installed as ${PREFIX}/etc/shorewall/tos"
fi
@ -373,7 +393,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/tunnels ]; then
backup_file /etc/shorewall/tunnels
else
run_install -o $OWNER -g $GROUP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
echo
echo "Tunnels file installed as ${PREFIX}/etc/shorewall/tunnels"
fi
@ -383,7 +403,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/blacklist ]; then
backup_file /etc/shorewall/blacklist
else
run_install -o $OWNER -g $GROUP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
echo
echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
fi
@ -418,7 +438,7 @@ echo " Default config path file installed as ${PREFIX}/usr/share/shorewall/confi
if [ -f ${PREFIX}/etc/shorewall/init ]; then
backup_file /etc/shorewall/init
else
run_install -o $OWNER -g $GROUP -m 0600 init ${PREFIX}/etc/shorewall/init
run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall/init
echo
echo "Init file installed as ${PREFIX}/etc/shorewall/init"
fi
@ -428,7 +448,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/initdone ]; then
backup_file /etc/shorewall/initdone
else
run_install -o $OWNER -g $GROUP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone
run_install $OWNERSHIP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone
echo
echo "Initdone file installed as ${PREFIX}/etc/shorewall/initdone"
fi
@ -438,7 +458,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/start ]; then
backup_file /etc/shorewall/start
else
run_install -o $OWNER -g $GROUP -m 0600 start ${PREFIX}/etc/shorewall/start
run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall/start
echo
echo "Start file installed as ${PREFIX}/etc/shorewall/start"
fi
@ -448,7 +468,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/stop ]; then
backup_file /etc/shorewall/stop
else
run_install -o $OWNER -g $GROUP -m 0600 stop ${PREFIX}/etc/shorewall/stop
run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall/stop
echo
echo "Stop file installed as ${PREFIX}/etc/shorewall/stop"
fi
@ -458,7 +478,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/stopped ]; then
backup_file /etc/shorewall/stopped
else
run_install -o $OWNER -g $GROUP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
echo
echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
fi
@ -468,7 +488,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/ecn ]; then
backup_file /etc/shorewall/ecn
else
run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
run_install $OWNERSHIP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
echo
echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
fi
@ -478,11 +498,30 @@ fi
if [ -f ${PREFIX}/etc/shorewall/accounting ]; then
backup_file /etc/shorewall/accounting
else
run_install -o $OWNER -g $GROUP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
echo
echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
fi
#
# Install the Continue file
#
if [ -f ${PREFIX}/etc/shorewall/continue ]; then
backup_file /etc/shorewall/continue
else
run_install $OWNERSHIP -m 0600 continue ${PREFIX}/etc/shorewall/continue
echo
echo "Continue file installed as ${PREFIX}/etc/shorewall/continue"
fi
#
# Install the Started file
#
if [ -f ${PREFIX}/etc/shorewall/started ]; then
backup_file /etc/shorewall/started
else
run_install -o $OWNER -g $GROUP -m 0600 started ${PREFIX}/etc/shorewall/started
echo
echo "Started file installed as ${PREFIX}/etc/shorewall/started"
fi
#
# Install the Standard Actions file
#
@ -496,7 +535,7 @@ echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
if [ -f ${PREFIX}/etc/shorewall/actions ]; then
backup_file /etc/shorewall/actions
else
run_install -o $OWNER -g $GROUP -m 0600 actions ${PREFIX}/etc/shorewall/actions
run_install $OWNERSHIP -m 0600 actions ${PREFIX}/etc/shorewall/actions
echo
echo "Actions file installed as ${PREFIX}/etc/shorewall/actions"
fi
@ -504,13 +543,9 @@ fi
# Install the Action files
#
for f in action.* ; do
if [ -f ${PREFIX}/usr/share/shorewall/$f ]; then
backup_file /usr/share/shorewall/$f
else
run_install -o $OWNER -g $GROUP -m 0600 $f ${PREFIX}/usr/share/shorewall/$f
echo
echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
fi
install_file_with_backup $f ${PREFIX}/usr/share/shorewall/$f 0600
echo
echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
done
#
# Backup the version file
@ -539,53 +574,45 @@ fi
#
install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544
if [ -z "$PREFIX" ]; then
if [ -n "$first_install" ]; then
if [ -n "$DEBIAN" ]; then
run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
echo
echo "shorewall will start automatically at boot"
echo "Set startup=1 in /etc/default/shorewall to enable"
else
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
if insserv /etc/init.d/shorewall ; then
echo
echo "shorewall will start automatically at boot"
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
else
cant_autostart
fi
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
if chkconfig --add shorewall ; then
echo
echo "shorewall will start automatically in run levels as follows:"
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
chkconfig --list shorewall
else
cant_autostart
fi
elif [ -x /sbin/rc-update ]; then
if rc-update add shorewall default; then
echo
echo "shorewall will start automatically at boot"
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
else
cant_autostart
fi
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
if [ -z "$PREFIX" -a -n "$first_install" ]; then
if [ -n "$DEBIAN" ]; then
run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
echo
echo "shorewall will start automatically at boot"
echo "Set startup=1 in /etc/default/shorewall to enable"
else
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
if insserv /etc/init.d/shorewall ; then
echo
echo "shorewall will start automatically at boot"
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
else
cant_autostart
fi
echo \
"########################################################################
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
########################################################################" > /etc/shorewall/startup_disabled
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
if chkconfig --add shorewall ; then
echo
echo "shorewall will start automatically in run levels as follows:"
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
chkconfig --list shorewall
else
cant_autostart
fi
elif [ -x /sbin/rc-update ]; then
if rc-update add shorewall default; then
echo
echo "shorewall will start automatically at boot"
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
else
cant_autostart
fi
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
cant_autostart
fi
elif [ -n "$DEBIAN" -a ! -f /etc/default/shorewall ]; then
run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
fi
fi
fi
fi
#
# Report Success
#

20
Shorewall/interfaces
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 -- Interfaces File
# Shorewall 2.2 -- Interfaces File
#
# /etc/shorewall/interfaces
#
@ -75,12 +75,23 @@
# option does not cover those ranges
# reserved by RFC 1918 -- see above).
#
# I PERSONALLY RECOMMEND AGAINST USING
# THE 'nobogons' OPTION.
#
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
#
# . . blacklist - Check packets arriving on this interface
# logmartians - turn on kernel martian logging (logging
# of packets with impossible source
# addresses. It is suggested that if you
# set routefilter on an interface that
# you also set logmartians. This option
# may also be enabled globally in the
# /etc/shorewall/shorewall.conf file.
#
# blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
#
@ -156,6 +167,8 @@
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
# upnp - Incoming requests from this interface may
# be remapped via UPNP (upnpd).
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE.
@ -188,6 +201,9 @@
# connections.
#
# net ppp0 -
#
# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
#
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
#

59
Shorewall/ipsec Normal file
View File

@ -0,0 +1,59 @@
#
# Shorewall 2.2 - /etc/shorewall/ipsec
#
# This file defines the attributes of zones with respect to
# IPSEC. To use this file for any purpose except for setting mss,
# you must be running a 2.6 kernel and both your kernel and iptables
# must include Policy Match Support.
#
# The columns are:
#
# ZONE The name of a zone defined in /etc/shorewall/zones. The
# $FW zone may not be listed.
#
# IPSEC Yes -- Communication with all zone hosts is encrypted
# ONLY No -- Communication with some zone hosts is encrypted.
# Encrypted hosts are designated using the 'ipsec'
# option in /etc/shorewall/hosts.
#
# OPTIONS, A comma-separated list of options as follows:
# IN OPTIONS,
# OUT OPTIONS reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
# the SA used to encrypt/decrypt packets.
#
# proto=ah|esp|ipcomp
#
# mss=<number> (sets the MSS field in TCP packets)
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all rules.
#
# next Separates rules; can only be used with
# strict..
#
# Example:
# mode=transport,reqid=44
#
# The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
# applied to outgoing traffic.
#
# If you wish to leave a column empty but need to make an entry
# in a following column, use "-".
###################################################################################
#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

296
Shorewall/ipsecvpn Normal file
View File

@ -0,0 +1,296 @@
#!/bin/sh
################################################################################
#
# ipsecvpn -- script for use on a roadwarrior to start/stop a tunnel-mode
# IPSEC connection
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
RCDLINKS="2,S42 3,S42 6,K42"
#### BEGIN INIT INFO
# Provides: ipsecvpn
# Required-Start: $shorewall
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: starts and stops a tunnel-mode VPN connection
### END INIT INFO
# chkconfig: 2345 26 89
# description: IPSEC tunnel-mode connection
#
################################################################################
#
# External Interface
#
INTERFACE=eth0
#
# Remote IPSEC Gateway
#
GATEWAY=1.2.3.4
#
# Networks behind the remote gateway (space-separated list)
#
NETWORKS="192.168.1.0/24"
#
# Directory where X.509 certificates are stored.
#
CERTS=/etc/certs
#
# Certificate to be used for this connection. The cert
# directory must contain:
#
# ${CERT}.pem - the certificate
# ${CERT}_key.pem - the certificates's key
#
CERT=roadwarrior
#
# The setkey binary
#
SETKEY=/usr/sbin/setkey
#
# The racoon binary
#
RACOON=/usr/sbin/racoon
#
# Message to stderr
#
error_message() # $* = Error Message
{
echo " $@" >&2
}
#
# Fatal error -- stops the firewall after issuing the error message
#
fatal_error() # $* = Error Message
{
echo " Error: $@" >&2
exit 2
}
#
# Find interface address--returns the first IP address assigned to the passed
# device
#
find_first_interface_address() # $1 = interface
{
#
# get the line of output containing the first IP address
#
addr=$(ip -f inet addr show $1 2> /dev/null | grep inet | head -n1)
#
# If there wasn't one, bail out now
#
[ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
#
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
# along with everything else on the line
#
echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
}
#
# Create a Racoon configuration file using the variables above
#
make_racoon_conf() {
echo "path certificate \"$CERTS\";"
echo
echo "listen"
echo "{"
echo " isakmp $IPADDR;"
echo "}"
echo
echo "remote $GATEWAY"
echo "{"
echo " exchange_mode main;"
echo " certificate_type x509 \"$CERT.pem\" \"${CERT}_key.pem\";"
echo " verify_cert on;"
echo " my_identifier asn1dn ;"
echo " peers_identifier asn1dn ;"
echo " verify_identifier on ;"
echo " lifetime time 24 hour ;"
echo " proposal {"
echo " encryption_algorithm blowfish;"
echo " hash_algorithm sha1;"
echo " authentication_method rsasig ;"
echo " dh_group 2 ;"
echo " }"
echo "}"
echo
for network in $NETWORKS; do
echo "sainfo address $IPADDR/32 any address $network any"
echo "{"
echo " pfs_group 2;"
echo " lifetime time 12 hour ;"
echo " encryption_algorithm blowfish ;"
echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
echo " compression_algorithm deflate ;"
echo "}"
echo
echo "sainfo address $network any address $IPADDR/32 any"
echo "{"
echo " pfs_group 2;"
echo " lifetime time 12 hour ;"
echo " encryption_algorithm blowfish ;"
echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
echo " compression_algorithm deflate ;"
echo "}"
done
echo "sainfo address $IPADDR/32 any address $GATEWAY/32 any"
echo "{"
echo " pfs_group 2;"
echo " lifetime time 12 hour ;"
echo " encryption_algorithm blowfish ;"
echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
echo " compression_algorithm deflate ;"
echo "}"
echo
echo "sainfo address $GATEWAY/32 any address $IPADDR/32 any"
echo "{"
echo " pfs_group 2;"
echo " lifetime time 12 hour ;"
echo " encryption_algorithm blowfish ;"
echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
echo " compression_algorithm deflate ;"
echo "}"
}
#
# Make a setkey configuration file using the variables above
#
make_setkey_conf()
{
echo "flush;"
echo "spdflush;"
echo "spdadd $IPADDR/32 $GATEWAY/32 any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
echo "spdadd $GATEWAY/32 $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
for network in $NETWORKS; do
echo "spdadd $IPADDR/32 $network any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
echo "spdadd $network $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
done
}
#
# Start the Tunnel
#
start()
{
#
# Get the first IP address configured on the device in INTERFACE
#
IPADDR=$(find_first_interface_address $INTERFACE)
#
# Create the name of the setkey temporary file
#
TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX)
[ $? -eq 0 ] || fatal_error "Can't create temporary file name"
#
# Create the file
#
make_setkey_conf > $TEMPFILE
#
# Create the SPD
#
$SETKEY -f $TEMPFILE
#
# We can now remove the file
#
rm -f $TEMPFILE
#
# Create another name -- make this distict to aid debugging
# (just comment out the 'rm' commands)
#
TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX)
[ $? -eq 0 ] || fatal_error "Can't create temporary file name"
#
# Create the file
#
make_racoon_conf > $TEMPFILE
#
# Start Racoon Daemon
#
$RACOON -4 -f $TEMPFILE
#
# Once the Daemon is running, we can remove the file
#
rm -f $TEMPFILE
}
#
# Stop the Tunnel
#
stop()
{
#
# Kill any racoon daemons
#
killall racoon
#
# Purge the SAD and SPD
#
setkey -F -FP
}
#
# Display command syntax and abend
#
usage()
{
error_message "usage: $(basename $0) [start|stop|restart]"
exit 1
}
################################################################################
# C O D E S T A R T S H E R E
################################################################################
[ $# -eq 1 ] || usage
case $1 in
start)
start
;;
stop)
stop
;;
restart)
stop
sleep 2
start
;;
*)
usage
;;
esac

14
Shorewall/maclist
View File

@ -1,5 +1,10 @@
#
# Shorewall 2.0 - MAC list file
# Shorewall 2.2 - MAC list file
#
# This file is used to define the MAC addresses and optionally their
# associated IP addresses to be allowed to use the specified interface.
# The feature is enabled by using the maclist option in the interfaces
# or hosts configuration file.
#
# /etc/shorewall/maclist
#
@ -15,7 +20,12 @@
#
# IP ADDRESSES Optional -- if specified, both the MAC and IP address
# must match. This column can contain a comma-separated
# list of host and/or subnet addresses.
# list of host and/or subnet addresses. If your kernel
# and iptables have iprange match support then IP
# address ranges are also allowed.
#
# For additional information, see http://shorewall.net/MAC_Validation.html
#
##############################################################################
#INTERFACE MAC IP ADDRESSES (Optional)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

96
Shorewall/masq
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 - Masquerade file
# Shorewall 2.2 - Masquerade file
#
# /etc/shorewall/masq
#
@ -20,6 +20,24 @@
# This may be qualified by adding the character
# ":" followed by a destination host or subnet.
#
# If you wish to inhibit the action of ADD_SNAT_ALIASES
# for this entry then include the ":" but omit the digit:
#
# eth0:
# eth2::192.0.2.32/27
#
# Normally Masq/SNAT rules are evaluated after those for
# one-to-one NAT (/etc/shorewall/nat file). If you want
# the rule to be applied before one-to-one NAT rules,
# prefix the interface name with "+":
#
# +eth0
# +eth0:192.0.2.32/27
# +eth0:2
#
# This feature should only be required if you need to
# insert rules in this file that preempt entries in
# /etc/shorewall/nat.
#
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
# a subnet or as an interface. If you give the name of an
@ -42,13 +60,6 @@
# will automatically add this address to the
# INTERFACE named in the first column.
#
# If you have set ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf then DO NOT
# PLACE YOUR EXTERNAL INTERFACE'S PRIMARY IP
# ADDRESS IN THIS COLUMN -- If you do so, you
# will loose your default route when Shorewall
# starts.
#
# You may also specify a range of up to 256
# IP addresses if you want the SNAT address to
# be assigned from that range in a round-robin
@ -59,9 +70,36 @@
#
# Finally, you may also specify a comma-separated
# list of ranges and/or addresses in this column.
#
#
# This column may not contain DNS Names.
#
# Normally, Netfilter will attempt to retain
# the source port number. You may cause
# netfilter to remap the source port by following
# an address or range (if any) by ":" and
# a port range with the format <low port>-
# <high port>. If this is done, you must
# specify "tcp" or "udp" in the PROTO column.
#
# Examples:
#
# 192.0.2.4:5000-6000
# :4000-5000
#
# You can invoke the SAME target using the
# following in this column:
#
# SAME:[nodst:]<address-range>[,<address-range>...]
#
# The <address-ranges> may be single addresses.
#
# SAME works like SNAT with the exception that the
# same local IP address is assigned to each connection
# from a local address to a given remote address. If
# the 'nodst:' option is included, then the same source
# address is used for a given internal system regardless
# of which remote system is involved.
#
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.
@ -82,6 +120,42 @@
# support and a maximum of 15 ports may be
# listed.
#
# IPSEC -- (Optional) If you specify a value other than "-" in this
# column, you must be running kernel 2.6 and
# your kernel and iptables must include policy
# match support.
#
# Comma-separated list of options from the following.
# Only packets that will be encrypted via an SA that
# matches these options will have their source address
# changed.
#
# Yes or yes -- must be the only option listed
# and matches all outbound traffic that will be
# encrypted.
#
# reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
# the SA.
#
# proto=ah|esp|ipcomp
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all
# rules.
#
# next Separates rules; can only be used
# with strict..
#
# Example 1:
#
@ -135,6 +209,8 @@
#
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
# For additional information, see http://shorewall.net/Documentation.htm#Masq
#
###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

3
Shorewall/modules
View File

@ -1,5 +1,5 @@
##############################################################################
# Shorewall 2.0 /etc/shorewall/modules
# Shorewall 2.2 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
#
@ -7,6 +7,7 @@
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
#
# For additional information, see http://shorewall.net/Documentation.htm#modules
loadmodule ip_tables
loadmodule iptable_filter

14
Shorewall/nat
View File

@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 2.0 -- Network Address Translation Table
# Shorewall 2.2 -- Network Address Translation Table
#
# /etc/shorewall/nat
#
@ -16,6 +16,7 @@
# EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next
# column and must not be a DNS Name.
#
# INTERFACE Interface that you want to EXTERNAL address to appear
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
# follow the interface name with ":" and a digit to
@ -24,14 +25,23 @@
# see the alias with ifconfig. THAT IS THE ONLY THING
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
#
# If you want to override ADD_IP_ALIASES=Yes for a
# particular entry, follow the interface name with
# ":" and no digit (e.g., "eth0:").
# INTERNAL Internal Address (must not be a DNS Name).
#
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
# If No or no (or left empty) then NAT will be effective
# only through the interface named in the INTERFACE
# column
#
# LOCAL If Yes or yes, NAT will be effective from the firewall
# system
#
# For additional information, see http://shorewall.net/NAT.htm
##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

2
Shorewall/netmap
View File

@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 2.0 -- Network Mapping Table
# Shorewall 2.2 -- Network Mapping Table
#
# /etc/shorewall/netmap
#

2
Shorewall/params
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/params
# Shorewall 2.2 /etc/shorewall/params
#
# Assign any variables that you need here.
#

23
Shorewall/policy
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 -- Policy File
# Shorewall 2.2 -- Policy File
#
# /etc/shorewall/policy
#
@ -25,6 +25,8 @@
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other, send
# "port unreachable" ICMP.
# QUEUE - Send the request to a user-space
# application using the QUEUE target.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or destination
@ -66,20 +68,25 @@
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# As shipped, the default policies are:
# Example:
#
# a) All connections from the local network to the internet are allowed
# b) All connections from the internet are ignored but logged at syslog
# level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
#
# #SOURCE DEST POLICY LOG
# # LEVEL
# loc net ACCEPT
# net all DROP info
# #
# # THE FOLLOWING POLICY MUST BE LAST
# #
# all all REJECT info
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc net ACCEPT
net all DROP info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info
#LAST LINE -- DO NOT REMOVE

4
Shorewall/proxyarp
View File

@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 2.0 -- Proxy ARP
# Shorewall 2.2 -- Proxy ARP
#
# /etc/shorewall/proxyarp
#
@ -39,6 +39,8 @@
#
# #ADDRESS INTERFACE EXTERNAL
# 155.186.235.6 eth1 eth0
#
# See http://shorewall.net/ProxyARP.htm for additional information.
##############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

1189
Shorewall/releasenotes.txt
View File

File diff suppressed because it is too large Load Diff

27
Shorewall/rfc1918
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0-- RFC1918 File
# Shorewall 2.2 -- RFC1918 File
#
# /etc/shorewall/rfc1918
#
@ -12,14 +12,33 @@
#
# Columns are:
#
# SUBNET The subnet (host addresses also allowed)
# SUBNETS A comma-separated list of subnet addresses
# (host addresses also allowed as are IP
# address ranges provided that your kernel and iptables
# have iprange match support).
# TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally
# DROP - silently drop the packet
# logdrop - log then drop
#
###############################################################################
#SUBNET TARGET
# By default, the RETURN target causes 'norfc1918' processing to cease for a
# packet if the packet's source IP address matches the rule. Thus, if you have:
#
# SUBNETS TARGET
# 192.168.1.0/24 RETURN
#
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
# also have:
#
# SUBNETS TARGET
# 10.0.0.0/8 logdrop
#
# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to be
# logged and dropped since while the packet's source matches the RETURN rule,
# the packet's destination matches the 'logdrop' rule.
#
################################################################################
#SUBNETS TARGET
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918

13
Shorewall/routestopped
View File

@ -1,17 +1,22 @@
##############################################################################
#
# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped
# Shorewall 2.2 -- Hosts Accessible when the Firewall is Stopped
#
# /etc/shorewall/routestopped
#
# This file is used to define the hosts that are accessible when the
# firewall is stopped
# firewall is stopped or when it is in the process of being
# [re]started.
#
# Columns must be separated by white space and are:
#
# INTERFACE - Interface through which host(s) communicate with
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# addresses. If your kernel and iptables include
# iprange match support, IP address ranges are also
# allowed.
#
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
# OPTIONS - (Optional) A comma-separated list of
@ -26,6 +31,10 @@
# eth2 192.168.1.0/24
# eth0 192.0.2.44
# br0 - routeback
#
# See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
##############################################################################
#INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

74
Shorewall/rules
View File

@ -1,5 +1,5 @@
#
# Shorewall version 2.0 - Rules File
# Shorewall version 2.2 - Rules File
#
# /etc/shorewall/rules
#
@ -42,6 +42,16 @@
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# SAME -- Similar to DNAT except that the
# port may not be remapped and when
# multiple server addresses are
# listed, all requests from a given
# remote system go to the same
# server.
# SAME- -- Advanced users only.
# Like SAME but only generates the
# NAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# REDIRECT-
@ -72,6 +82,20 @@
# DNAT:debug). This causes the packet to be
# logged at the specified level.
#
# If the ACTION names an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std then:
#
# - If the log level is followed by "!' then all rules
# in the action are logged at the log level.
#
# - If the log level is not followed by "!" then only
# those rules in the action that do not specify
# logging are logged at the specified level.
#
# - The special log level 'none!' suppresses logging
# by the action.
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
@ -88,11 +112,14 @@
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
# firewall itself, "all" or "none" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
@ -104,6 +131,10 @@
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# Hosts may be specified as an IP address range using the
# syntax <low address>-<high address>. This requires that
# your kernel and iptables contain iprange match support.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
@ -115,6 +146,10 @@
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# net:192.0.2.11-192.0.2.17
# Hosts 192.0.2.11-192.0.2.17 in
# the net zone.
#
# Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a
@ -125,7 +160,10 @@
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all"
# itself, "all" or "none".
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
@ -145,7 +183,7 @@
# 3. You may not specify both an interface and
# an address.
#
# Unlike in the SOURCE column, you may specify a range of
# Like in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# the connections will be assigned to addresses in the
@ -166,14 +204,20 @@
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example "bit"
# for bit-torrent). If no port is given, "ipp2p" is
# assumed.
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
@ -195,8 +239,8 @@
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ORIGINAL DEST in the next column, then
# place "-" in this column.
# specify an ORIGINAL DEST in the next column, then place
# "-" in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
@ -223,14 +267,6 @@
# destination address in the connection request does not
# match any of the addresses listed.
#
# The address (list) may optionally be followed by
# a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall
# documentation for restrictions concerning this feature.
# If no source IP address is given, the original source
# address is not altered.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this colume:
#
@ -281,9 +317,9 @@
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT<3/sec:10> net loc:192.168.1.3 tcp http
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# # PORT PORT(S) DEST LIMIT
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall

306
Shorewall/shorewall
View File

@ -1,10 +1,10 @@
#!/bin/sh
#
# Shorewall Packet Filtering Firewall Control Program - V2.0 - 3/14/2004
# Shorewall Packet Filtering Firewall Control Program - V2.2
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# This file should be placed in /sbin/shorewall.
#
@ -33,7 +33,7 @@
#
# shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone
# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
# shorewall start Starts the firewall
# shorewall start Starts the firewall
# shorewall restart Restarts the firewall
# shorewall stop Stops the firewall
# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status
@ -58,6 +58,7 @@
# shorewall show {mangle|tos} Display the rules in the mangle table
# shorewall show tc Display traffic control info
# shorewall show classifiers Display classifiers
# shorewall show capabilities Display iptables/kernel capabilities
# shorewall version Display the installed version id
# shorewall check Verify the more heavily-used
# configuration files.
@ -134,6 +135,24 @@ showchain() # $1 = name of chain
fi
}
#
# The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed.
#
iptablesbug()
{
if qt which awk ; then
awk 'BEGIN {sline=""; };\
/^-j/ { print sline $0; next };\
/-m policy.*-j/ { print $0; next };\
/-m policy/ { sline=$0; next };\
{print ; sline="" }'
else
echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
cat
fi
}
#
# Validate the value of RESTOREFILE
#
@ -174,6 +193,19 @@ get_config() {
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
if [ -n "$IPTABLES" ]; then
if [ ! -e "$IPTABLES" ]; then
echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
exit 2
fi
else
IPTABLES=$(which iptables 2> /dev/null)
if [ -z "$IPTABLES" ] ; then
echo " ERROR: Can't find iptables executable" >&2
exit 2
fi
fi
if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -e "$SHOREWALL_SHELL" ]; then
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
@ -189,6 +221,13 @@ get_config() {
}
#
# Clear descriptor 1 if it is a terminal
#
clear_term() {
[ -t 1 ] && clear
}
#
# Display IPTABLES rules -- we used to store them in a variable but ash
# dies when trying to display large sets of rules
@ -205,9 +244,9 @@ display_chains()
TMPFILE=$(mktempfile)
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
iptables -L $IPT_OPTIONS >> $TMPFILE
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
clear
clear_term
echo "$banner $(date)"
echo
echo "Standard Chains"
@ -219,7 +258,7 @@ display_chains()
timed_read
clear
clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@ -237,7 +276,7 @@ display_chains()
for zone in $zones; do
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
clear
clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@ -256,7 +295,7 @@ display_chains()
fi
done
clear
clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@ -277,7 +316,7 @@ display_chains()
timed_read
clear
clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@ -288,7 +327,7 @@ display_chains()
qt rm -f $TMPFILE
else
iptables -L -n -v
$IPTABLES -L -n -v
timed_read
fi
trap - 1 2 3 4 5 6 9
@ -315,12 +354,18 @@ packet_log() # $1 = number of messages
[ -n "$realtail" ] && options="-n$1"
grep "${LOGFORMAT}\|ipt_unclean" $LOGFILE | \
sed s/" kernel:"// | \
sed s/" $host $LOGFORMAT"/" "/ | \
sed s/" $host kernel: ipt_unclean: "/" "/ | \
sed 's/MAC=.* SRC=/SRC=/' | \
tail $options
if [ -n "$VERBOSE" ]; then
grep "${LOGFORMAT}" $LOGFILE | \
sed s/" kernel:"// | \
sed s/" $host $LOGFORMAT"/" "/ | \
tail $options
else
grep "${LOGFORMAT}" $LOGFILE | \
sed s/" kernel:"// | \
sed s/" $host $LOGFORMAT"/" "/ | \
sed 's/MAC=.* SRC=/SRC=/' | \
tail $options
fi
}
#
@ -388,9 +433,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
# an 'interesting' packet count changes
{
get_config
host=$(echo $HOSTNAME | sed 's/\..*$//')
oldrejects=$(iptables -L -v -n | grep 'LOG')
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then
let "timeout=- $1"
@ -414,7 +458,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
while true; do
display_chains
clear
clear_term
echo "$banner $(date)"
echo
@ -423,7 +467,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
show_reset
rejects=$(iptables -L -v -n | grep 'LOG')
rejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
@ -445,24 +489,24 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
timed_read
fi
clear
clear_term
echo "$banner $(date)"
echo
echo "NAT Status"
echo
iptables -t nat -L $IPT_OPTIONS
$IPTABLES -t nat -L $IPT_OPTIONS
timed_read
clear
clear_term
echo "$banner $(date)"
echo
echo
echo "TOS/MARK Status"
echo
iptables -t mangle -L $IPT_OPTIONS
$IPTABLES -t mangle -L $IPT_OPTIONS
timed_read
clear
clear_term
echo "$banner $(date)"
echo
echo
@ -471,7 +515,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
cat /proc/net/ip_conntrack
timed_read
clear
clear_term
echo "$banner $(date)"
echo
echo
@ -480,7 +524,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
show_tc
timed_read
clear
clear_term
echo "$banner $(date)"
echo
echo
@ -498,9 +542,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
# an 'interesting' packet count changes
{
get_config
host=$(echo $HOSTNAME | sed 's/\..*$//')
oldrejects=$(iptables -L -v -n | grep 'LOG')
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then
timeout=$((- $1))
@ -513,7 +556,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
qt which awk && haveawk=Yes || haveawk=
while true; do
clear
clear_term
echo "$banner $(date)"
echo
@ -522,7 +565,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
show_reset
rejects=$(iptables -L -v -n | grep 'LOG')
rejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
@ -560,13 +603,13 @@ help()
#
usage() # $1 = exit status
{
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -x ] [ -q ] [ -f ] [ -v ] <command>"
echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>"
echo " add <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
echo " allow <address> ..."
echo " check"
echo " check [ <directory> ]"
echo " clear"
echo " delete <interface>[:<host>] <zone>"
echo " delete <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
echo " drop <address> ..."
echo " forget [ <file name> ]"
echo " help [ <command > | host | address ]"
@ -578,15 +621,16 @@ usage() # $1 = exit status
echo " refresh"
echo " reject <address> ..."
echo " reset"
echo " restart"
echo " restart [ <directory> ]"
echo " restore [ <file name> ]"
echo " save [ <file name> ]"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
echo " start"
echo " show [<chain> [ <chain> ... ]|capabilities|classifiers|connections|log|nat|tc|tos|zones]"
echo " start [ <directory> ]"
echo " stop"
echo " status"
echo " try <directory> [ <timeout> ]"
echo " version"
echo
exit $1
}
@ -598,8 +642,11 @@ show_reset() {
echo "Counters reset $(cat $STATEDIR/restarted)" && \
echo
}
show_proc() {
#
# Display's the passed file name followed by "=" and the file's contents.
#
show_proc() # $1 = name of a file
{
[ -f $1 ] && echo " $1 = $(cat $1)"
}
@ -624,6 +671,7 @@ SHOREWALL_DIR=
QUIET=
IPT_OPTIONS="-nv"
FAST=
VERBOSE=
done=0
@ -665,6 +713,10 @@ while [ $done -eq 0 ]; do
FAST=Yes
option=${option#f}
;;
v*)
VERBOSE=Yes
option=${option#v}
;;
*)
usage 1
;;
@ -721,6 +773,8 @@ ensure_config_path
export CONFIG_PATH
get_config
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ ! -f $FIREWALL ]; then
@ -765,8 +819,28 @@ esac
case "$1" in
start)
[ $# -ne 1 ] && usage 1
get_config
case $# in
1)
;;
2)
[ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2
if [ ! -d $2 ]; then
if [ -e $2 ]; then
echo "$2 is not a directory" >&2 && exit 2
else
echo "Directory $2 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$2
export SHOREWALL_DIR
;;
*)
usage 1
;;
esac
if [ -n "$FAST" ]; then
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
@ -783,15 +857,37 @@ case "$1" in
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi
;;
stop|restart|reset|clear|refresh|check)
stop|reset|clear|refresh)
[ $# -ne 1 ] && usage 1
get_config
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
;;
check|restart)
case $# in
1)
;;
2)
[ -n "$SHOREWALL_DIR" ] && usage 2
if [ ! -d $2 ]; then
if [ -e $2 ]; then
echo "$2 is not a directory" >&2 && exit 2
else
echo "Directory $2 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$2
export SHOREWALL_DIR
;;
*)
usage 1
;;
esac
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
;;
add|delete)
[ $# -ne 3 ] && usage 1
get_config
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
[ $# -lt 3 ] && usage 1
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
;;
show|list)
[ -n "$debugging" ] && set -x
@ -807,18 +903,17 @@ case "$1" in
echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
echo
show_reset
iptables -t nat -L $IPT_OPTIONS
$IPTABLES -t nat -L $IPT_OPTIONS
;;
tos|mangle)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
echo
show_reset
iptables -t mangle -L $IPT_OPTIONS
$IPTABLES -t mangle -L $IPT_OPTIONS
;;
log)
[ $# -gt 2 ] && usage 1
get_config
echo "Shorewall-$version Log at $HOSTNAME - $(date)"
echo
show_reset
@ -837,6 +932,27 @@ case "$1" in
echo
show_classifiers
;;
zones)
[ $# -gt 2 ] && usage 1
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ -f $STATEDIR/zones ]; then
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
echo
while read zone hosts; do
echo $zone
for host in $hosts; do
echo " $host"
done
done < $STATEDIR/zones
echo
else
echo " ERROR: $STATEDIR/zones does not exist" >&2
exit 1
fi
;;
capabilities)
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock capabilities
;;
*)
shift
@ -845,10 +961,10 @@ case "$1" in
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
iptables -L $chain $IPT_OPTIONS
$IPTABLES -L $chain $IPT_OPTIONS
done
else
iptables -L $IPT_OPTIONS
$IPTABLES -L $IPT_OPTIONS
fi
;;
esac
@ -866,29 +982,32 @@ case "$1" in
status)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
get_config
clear
clear_term
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo
show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//')
iptables -L $IPT_OPTIONS
$IPTABLES -L $IPT_OPTIONS
echo
packet_log 20
echo
echo "NAT Table"
echo
iptables -t nat -L $IPT_OPTIONS
$IPTABLES -t nat -L $IPT_OPTIONS
echo
echo "Mangle Table"
echo
iptables -t mangle -L $IPT_OPTIONS
$IPTABLES -t mangle -L $IPT_OPTIONS
echo
cat /proc/net/ip_conntrack
echo
echo "IP Configuration"
echo
ip addr ls
echo
echo "IP Stats"
echo
ip -stat link ls
if qt which brctl; then
echo
@ -902,30 +1021,49 @@ case "$1" in
echo
show_proc /proc/sys/net/ipv4/ip_forward
show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all
for directory in /proc/sys/net/ipv4/conf/*; do
for file in proxy_arp arp_filter rp_filter; do
for file in proxy_arp arp_filter rp_filter log_martians; do
show_proc $directory/$file
done
done
echo
echo "Routing Rules"
echo
ip rule ls
ip rule ls | while read rule; do
table=${rule##* }
if [ -n "$(ip rule ls)" ]; then
echo
echo "Table $table:"
echo "Routing Rules"
echo
ip route ls table $table
done
ip rule ls
ip rule ls | while read rule; do
table=${rule##* }
echo
echo "Table $table:"
echo
ip route ls table $table
done
else
echo
echo "Routing Table"
echo
ip route ls
fi
echo
echo "ARP"
echo
arp -na
if qt which lsmod; then
echo
echo "Modules"
echo
lsmod | grep -E '^ip_|^ipt_'
fi
;;
hits)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
get_config
clear
clear_term
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
echo
@ -972,10 +1110,10 @@ case "$1" in
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
[ $# -lt 2 -o $# -gt 3 ] && usage 1
if ! $0 $debugging -c $2 restart; then
if ! iptables -L shorewall > /dev/null 2> /dev/null; then
if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
$0 start
fi
elif ! iptables -L shorewall > /dev/null 2> /dev/null; then
elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
$0 start
elif [ $# -eq 3 ]; then
sleep $3
@ -998,9 +1136,9 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
qt iptables -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j DROP || break 1
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
$IPTABLES -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped"
done
mutex_off
@ -1011,9 +1149,9 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
qt iptables -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j reject || break 1
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
$IPTABLES -A dynamic -s $1 -j reject || break 1
echo "$1 Rejected"
done
mutex_off
@ -1024,7 +1162,7 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
@ -1035,8 +1173,6 @@ case "$1" in
save)
[ -n "$debugging" ] && set -x
get_config
case $# in
1)
;;
@ -1053,7 +1189,7 @@ case "$1" in
mutex_on
if qt iptables -L shorewall -n; then
if qt $IPTABLES -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
@ -1064,11 +1200,11 @@ case "$1" in
echo " ERROR: Reserved file name: $RESTOREFILE"
;;
*)
if iptables -L dynamic -n > /var/lib/shorewall/save; then
if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
echo __EOF__ >> /var/lib/shorewall/restore-$$
[ -f /var/lib/shorewall/restore-tail ] && \
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
@ -1094,7 +1230,6 @@ case "$1" in
mutex_off
;;
forget)
get_config
case $# in
1)
;;
@ -1114,7 +1249,7 @@ case "$1" in
rm -f $RESTOREPATH
echo " $RESTOREPATH removed"
elif [ -f $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
echo " $RESTOREPATH exists and is not a saved Shorewall configuration"
fi
;;
ipcalc)
@ -1153,7 +1288,6 @@ case "$1" in
esac
;;
restore)
get_config
case $# in
1)
;;

168
Shorewall/shorewall.conf
View File

@ -1,12 +1,20 @@
##############################################################################
# /etc/shorewall/shorewall.conf V2.0 - Change the following variables to
# /etc/shorewall/shorewall.conf V2.2 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
##############################################################################
# S T A R T U P E N A B L E D
##############################################################################
# Once you have configured Shorewall, you may change the setting of
# this variable to 'Yes'
STARTUP_ENABLED=No
##############################################################################
# L O G G I N G
##############################################################################
@ -15,6 +23,11 @@
# to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value.
#
# These levels are defined by syslog and are used to determine the destination
# of the messages through entries in /etc/syslog.conf (5). The syslog
# documentation refers to these as "priorities"; Netfilter calls them "levels"
# and Shorewall also uses that term.
#
# Valid levels are:
#
# 7 debug
@ -36,8 +49,10 @@
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
# configured to log all Shorewall message to their own log file
# ulogd is available with most Linux distributions (although it probably isn't
# installed by default). Ulogd is also available from
# http://www.gnumonks.org/projects/ulogd and can be configured to log all
# Shorewall message to their own log file
################################################################################
#
# LOG FILE LOCATION
@ -80,6 +95,18 @@ LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
#
# LOG FORMAT Continued
#
# Using the default LOGFORMAT, chain names may not exceed 11 characters or
# truncation of the log prefix may occur. Longer chain names may be used with
# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is
# specified then the tag is included in the log prefix in place of the chain
# name.
#
LOGTAGONLY=No
#
# LOG RATE LIMITING
#
@ -110,6 +137,18 @@ LOGFORMAT="Shorewall:%s:%s:"
LOGRATE=
LOGBURST=
#
# LOG ALL NEW
#
# This option should only be used when you are trying to analyze a problem.
# It causes all packets in the Netfilter NEW state to be logged as the
# first rule in each builtin chain. To use this option, set LOGALLNEW to
# the log level that you want these packets logged at (e.g.,
# LOGALLNEW=debug).
#
LOGALLNEW=
#
# BLACKLIST LOG LEVEL
#
@ -201,9 +240,29 @@ SMURF_LOG_LEVEL=info
#
BOGON_LOG_LEVEL=info
#
# MARTIAN LOGGING
#
# Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets
# that have impossible source IP addresses. This logging may be enabled
# on individual interfaces by using the 'logmartians' option in
# /etc/shorewall/interfaces.
#
LOG_MARTIANS=No
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
#
# IPTABLES
#
# Full path to iptables executable Shorewall uses to build the firewall. If
# not specified or if specified with an empty value (e.g., IPTABLES="") then
# the iptables executable located via the PATH setting below is used.
#
IPTABLES=
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
@ -251,8 +310,9 @@ MODULESDIR=
# This option holds a list of directory names separated by colons
# (":"). Shorewall will search each directory in turn when looking for a
# configuration file. When processing a 'try' command or a command
# containing the "-c" option, Shorewall will automatically add the
# directory specified in the command to the front of this list.
# containing the "-c" option or that specifies a configuration directory,
# Shorewall will automatically add the directory specified in the command
# to the front of this list.
#
# If not specified or specified as null ("CONFIG_PATH=""),
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
@ -320,6 +380,21 @@ ADD_IP_ALIASES=Yes
#
ADD_SNAT_ALIASES=No
#
# RETAIN EXISTING ALIASES/IP ADDRESSES
#
# Normally, when ADD_IP_ALIASES=Yes and/or ADD_SNAT_ALIASES=Yes then Shorewall
# will first delete the address then re-add it. This is to ensure that the
# address is added with the specified label. Unfortunately, this can cause
# problems if it results in the deletion of the last IP address on an
# interface because then all routes through the interface are automatically
# removed.
#
# You can cause Shorewall to retain existing addresses by setting
# RETAIN_ALIASES=Yes.
#
RETAIN_ALIASES=No
#
# ENABLE TRAFFIC SHAPING
#
@ -392,6 +467,14 @@ MARK_IN_FORWARD_CHAIN=No
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
# You may also set this option to a numeric value in which case Shorewall will
# set up a rule to modify the MSS value in SYN packets to the value that
# you specify.
#
# Example:
#
# CLAMPMSS=1400
#
CLAMPMSS=No
#
@ -550,6 +633,14 @@ ADMINISABSENTMINDED=Yes
#
BLACKLISTNEWONLY=Yes
#
# Users with a large blacklist find that "shorwall [re]start" takes a long
# time and that new connections are disabled during that time. By setting
# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
# before loading the blacklist.
DELAYBLACKLISTLOAD=No
# MODULE NAME SUFFIX
#
# When loading a module named in /etc/shorewall/modules, Shorewall normally
@ -608,16 +699,9 @@ DYNAMIC_ZONES=No
# USE PKTTYPE MATCH
#
# Some users have reported problems with the PKTTYPE match extension not being
# able to match certain broadcast packets.
#
# Other users have complained of the following message when
# starting Shorewall:
#
# modprobe: cant locate module ipt_pkttype
#
# If you set PKTTYPE=No then Shorewallwill use IP addresses to detect
# broadcasts rather than pkttype. If not given or if given as empty
# (PKTTYPE="") then PKTTYPE=Yes is assumed.
# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall
# will use IP addresses to detect broadcasts rather than pkttype. If not given
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
PKTTYPE=Yes
@ -655,6 +739,58 @@ PKTTYPE=Yes
# DROPINVALID=Yes is assumed.
DROPINVALID=No
#
# RFC 1918 BEHAVIOR
#
# Traditionally, the RETURN target in the 'rfc1918' file has caused 'norfc1918'
# processing to cease for a packet if the packet's source IP address matches
# the rule. Thus, if you have:
#
# SUBNETS TARGET
# 192.168.1.0/24 RETURN
#
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
# also have:
#
# SUBNETS TARGET
# 10.0.0.0/8 logdrop
#
# Setting RFC1918_STRICT=Yes will cause such traffic to be logged and dropped
# since while the packet's source matches the RETURN rule, the packet's
# destination matches the 'logdrop' rule.
#
# If not specified or specified as empty (e.g., RFC1918_STRICT="") then
# RFC1918_STRICT=No is assumed.
#
# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
# 'conntrack state' match.
RFC1918_STRICT=No
#
# MACLIST caching
#
# If your iptables and kernel support the "Recent Match" (see the output of
# "shorewall check" near the top), you can cache the results of a 'maclist'
# file lookup and thus reduce the overhead associated with MAC Verification
# (/etc/shorewall/maclist).
#
# When a new connection arrives from a 'maclist' interface, the packet passes
# through then list of entries for that interface in /etc/shorewall/maclist. If
# there is a match then the source IP address is added to the 'Recent' set for
# that interface. Subsequent connection attempts from that IP address occuring
# within $MACLIST_TTL seconds will be accepted without having to scan all of
# the entries. After $MACLIST_TTL from the first accepted connection request,
# the next connection request from that IP address will be checked against
# the entire list.
#
# If MACLIST_TTL is not specified or is specified as empty (e.g,
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
# be cached.
MACLIST_TTL=
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################

433
Shorewall/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 2.0.16
%define version 2.2.5
%define release 1
%define prefix /usr
@ -41,12 +41,6 @@ rm -rf $RPM_BUILD_ROOT
%post
if [ $1 -eq 1 ]; then
echo \
"########################################################################
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
########################################################################" \
> /etc/shorewall/startup_disabled
if [ -x /sbin/insserv ]; then
/sbin/insserv /etc/rc.d/shorewall
elif [ -x /sbin/chkconfig ]; then
@ -76,6 +70,7 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ipsec
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
%attr(0600,root,root) %config(noreplace) /etc/shorewall/netmap
@ -98,6 +93,8 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
%attr(0600,root,root) %config(noreplace) /etc/shorewall/continue
%attr(0600,root,root) %config(noreplace) /etc/shorewall/started
%attr(0544,root,root) /sbin/shorewall
@ -106,6 +103,7 @@ fi
%attr(0600,root,root) /usr/share/shorewall/action.AllowAuth
%attr(0600,root,root) /usr/share/shorewall/action.AllowDNS
%attr(0600,root,root) /usr/share/shorewall/action.AllowFTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowICMPs
%attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP
%attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowNTP
@ -138,386 +136,49 @@ fi
%attr(0600,root,root) /usr/share/shorewall/bogons
%attr(0600,root,root) /usr/share/shorewall/configpath
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
%changelog
* Tue Feb 01 2005 Tom Eastep tom@shorewall.net
- Updated to 2.0.16-1
* Wed Jan 12 2005 Tom Eastep tom@shorewall.net
- Updated to 2.0.15-1
* Mon Jan 03 2005 Tom Eastep tom@shorewall.net
- Updated to 2.0.14-1
* Thu Dec 02 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.13-1
* Wed Dec 01 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.12-1
* Mon Nov 22 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.11-1
* Mon Oct 25 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.10-1
* Thu Sep 23 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.9-1
* Sun Aug 22 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.8-1
* Tue Jul 20 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.7-1
* Sun Jul 11 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.6-1
* Fri Jul 09 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.5-1
* Tue Jul 06 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.4-1
* Fri Jul 02 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.3c-1
* Wed Jun 30 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.3b-1
* Mon Jun 28 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.3a-1
* Wed Jun 23 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.3-1
* Sat Jun 19 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.2-0RC2
* Tue Jun 15 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.2-0RC1
* Mon Jun 14 2004 Tom Eastep tom@shorewall.net
- Added %attr spec for /etc/init.d/shorewall
* Sat May 15 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2a-1
* Thu May 13 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2-1
* Mon May 10 2004 Tom Eastep tom@shorewall.net
- Add /etc/shorewall/initdone
* Fri May 07 2004 Tom Eastep tom@shorewall.net
- Shorewall 2.0.2-RC1
* Tue May 04 2004 Tom Eastep tom@shorewall.net
- Shorewall 2.0.2-Beta2
* Tue Apr 13 2004 Tom Eastep tom@shorewall.net
- Add /usr/share/shorewall/configpath
* Mon Apr 05 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.1-1
* Thu Apr 02 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.1 RC5
* Thu Apr 01 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.1 RC4
* Sun Mar 28 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.1 RC3
* Thu Mar 25 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.1 RC2
* Wed Mar 24 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.1 RC1
* Fri Mar 19 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.1 Beta 2
* Thu Mar 18 2004 Tom Eastep tom@shorewall.net
- Added netmap file
* Wed Mar 17 2004 Tom Eastep <tom@shorewall.net>
- Update for 2.0.1 Beta 1
* Wed Mar 17 2004 Tom Eastep <tom@shorewall.net>
- Add bogons file
* Sat Mar 13 2004 Tom Eastep <tom@shorewall.net>
- Update for 2.0.0 Final
* Sat Mar 06 2004 Tom Eastep <tom@shorewall.net>
- Update for RC2
* Fri Feb 27 2004 Tom Eastep <tom@shorewall.net>
- Update for RC1
* Mon Feb 16 2004 Tom Eastep <tom@shorewall.net>
- Moved rfc1918 to /usr/share/shorewall
- Update for Beta 3
* Sat Feb 14 2004 Tom Eastep <tom@shorewall.net>
- Removed common.def
- Unconditionally replace actions.std
- Update for Beta 2
* Thu Feb 12 2004 Tom Eastep <tom@shorewall.net>
- Added action.AllowPCA
* Sun Feb 08 2004 Tom Eastep <tom@shorewall.net>
- Updates for Shorewall 2.0.0.
* Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>
- Remove Documentation from this RPM
* Sun Dec 28 2003 Tom Eastep <tom@shorewall.net>
- Updated for Beta 2
* Sun Dec 07 2003 Tom Eastep <tom@shorewall.net>
- Added User Defined Actions Files
* Wed Dec 03 2003 Tom Eastep <tom@shorewall.net>
- Added User Defined Actions Files
* Fri Nov 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.8
* Sat Nov 01 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.8-0RC2
* Thu Oct 30 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.8-0RC1
* Sat Oct 04 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.7-1
- Removed conflict with 2.2 Kernels
* Mon Sep 22 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.7-0RC2
* Thu Sep 18 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.7-0RC1
* Mon Sep 15 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.7-0Beta2
* Mon Aug 25 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.7-0Beta1
* Sat Aug 23 2003 Tom Eastep <tom@shorewall.net>
- Added /etc/shorewall/users
- Changed version to 1.4.6_20030823-1
* Thu Aug 21 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030821-1
- Added /etc/shorewall/usersets
* Wed Aug 13 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030813-1
* Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
- Added /etc/shorewall/accounting
* Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030809-1
* Thu Jul 31 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030731-1
* Sun Jul 27 2003 Tom Eastep <tom@shorewall.net>
- Added /usr/share/shorewall/help
- Changed version to 1.4.6_20030727-1
* Sat Jul 26 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030726-1
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-1
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-0RC1
* Mon Jul 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-0Beta2
* Fri Jul 04 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-0Beta1
* Tue Jun 17 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.5-1
* Thu May 29 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.4b-1
* Tue May 27 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.4a-1
* Thu May 22 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.4-1
* Mon May 19 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.3a-1
* Sun May 18 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.3-1
* Mon Apr 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.2-1
* Fri Mar 21 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.1-1
* Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.0-1
* Fri Mar 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.0-0RC2
* Wed Mar 05 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.0-0RC1
* Mon Feb 24 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.0-0Beta2
* Sun Feb 23 2003 Tom Eastep <tom@shorewall.net>
- Add ecn file
* Fri Feb 21 2003 Tom Eastep <tom@shorewall.net>
- Changes version to 1.4.0-0Beta1
* Thu Feb 06 2003 Tom Eastep <tom@shorewall.net>
- Changes version to 1.4.0Alpha1
- Delete icmp.def
- Move firewall and version to /usr/share/shorewall
* Tue Feb 04 2003 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.14-0RC1
* Tue Jan 28 2003 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.14-0Beta2
* Sat Jan 25 2003 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.14-0Beta1
* Mon Jan 13 2003 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.13
* Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12
* Sun Dec 22 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12-0Beta3
* Fri Dec 20 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12-0Beta2
* Wed Dec 18 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12-0Beta1
- Add init, start, stop and stopped files.
* Tue Dec 03 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.11a
* Sun Nov 24 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.11
* Sat Nov 09 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.10
* Wed Oct 23 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.10b1
* Tue Oct 22 2002 Tom Eastep <tom@shorewall.net>
- Added maclist file
* Tue Oct 15 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.10
- Replaced symlink with real file
* Wed Oct 09 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.9b
* Mon Sep 30 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.9a
* Thu Sep 18 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.8
* Mon Sep 16 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.8
* Mon Sep 02 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.7c
* Mon Aug 26 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.7b
* Thu Aug 22 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.7a
* Thu Aug 22 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.7
* Sun Aug 04 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.6
* Mon Jul 29 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.5b
* Sat Jul 13 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.4
* Wed Jul 10 2002 Tom Eastep <tom@shorewall.net>
- Added 'routestopped' configuration file.
* Fri Jul 05 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.3
* Sat Jun 15 2002 Tom Eastep <tom@shorewall.net>
- Changed version and release for new convention
- Moved version,firewall and functions to /var/lib/shorewall
* Sun Jun 02 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.2
* Fri May 31 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.1
- Added the rfc1918 file
* Wed May 29 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.0
* Mon May 20 2002 Tom Eastep <tom@shorewall.net>
- Removed whitelist file
* Sat May 18 2002 Tom Eastep <tom@shorewall.net>
- changed version to 91
* Wed May 8 2002 Tom Eastep <tom@shorewall.net>
- changed version to 90
- removed 'provides' tag.
* Tue Apr 23 2002 Tom Eastep <tom@shorewall.net>
- changed version to 13
- Added whitelist file.
* Thu Apr 18 2002 Tom Eastep <tom@shorewall.net>
- changed version to 12
* Tue Apr 16 2002 Tom Eastep <tom@shorewall.net>
- Merged Stefan's changes to create single RPM
* Mon Apr 15 2002 Stefan Mohr <stefan@familie-mohr.com>
- changed to SuSE Linux 7.3
* Wed Apr 10 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 11
* Tue Mar 19 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 10
* Sat Mar 09 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 9
* Sat Feb 23 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 8
* Thu Feb 21 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 7
* Tue Feb 05 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 6
* Wed Jan 30 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 5
* Sat Jan 26 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 4
- Merged Ajay's change to allow build by non-root
* Sun Jan 12 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 3
* Tue Jan 01 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 2
- Updated URL
- Added blacklist file
* Mon Dec 31 2001 Tom Eastep <tom@shorewall.net>
- changed Version to 1
* Wed Dec 19 2001 Tom Eastep <tom@shorewall.net>
- changed Version to 0
* Tue Dec 18 2001 Tom Eastep <tom@shorewall.net>
- changed Version to Rc1
* Sat Dec 15 2001 Tom Eastep <tom@shorewall.net>
- changed Version to Beta2
* Thu Nov 08 2001 Tom Eastep <tom@shorewall.net>
- changed Version to 1.2
- added tcrules file
* Sun Oct 21 2001 Tom Eastep <tom@shorewall.net>
- changed release to 17
* Sun Oct 21 2001 Tom Eastep <tom@shorewall.net>
- changed release to 16
* Sun Oct 14 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- changed release to 15
* Thu Oct 11 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- changed release to 14
* Tue Sep 11 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- changed release to 13
- added params file
* Tue Aug 28 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 12
* Fri Jul 27 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 11
* Sun Jul 08 2001 Ajay Ramaswamy <ajayr@bigfoot.com>
- reorganized spec file
- s/Copyright/License/
- now will build fron rpm -tb
* Fri Jul 06 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 10
* Tue Jun 19 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 9
- Added tunnel file
- Readded tunnels file
* Mon Jun 18 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 8
* Sat Jun 02 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 7
- Changed iptables dependency.
* Tue May 22 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 6
- Added tunnels file
* Sat May 19 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 5
- Added modules and tos files
* Sat May 12 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 4
- Added changelog.txt and releasenotes.txt
* Sat Apr 28 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 3
* Mon Apr 9 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Added files common.def and icmpdef.def
- Changed release to 2
* Wed Apr 4 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed the release to 1.
* Mon Mar 26 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Changed the version to 1.1
- Added hosts file
* Sun Mar 18 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Changed the release to 4
- Added Zones and Functions files
* Mon Mar 12 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change ipchains dependency to an iptables dependency and
changed the release to 3
* Fri Mar 9 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Add additional files.
* Thu Mar 8 2001 Tom EAstep <teastep@seattlefirewall.dyndns.org>
- Change version to 1.0.2
* Tue Mar 6 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change version to 1.0.1
* Sun Mar 4 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Changes for Shorewall
* Thu Feb 22 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change version to 4.1.0
* Fri Feb 2 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change version to 4.0.4
* Mon Jan 22 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change version to 4.0.2
* Sat Jan 20 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Changed version to 4.0
* Fri Jan 5 2001 Tom Eastep <teastep@evergo.net>
- Added dmzclients file
* Sun Dec 24 2000 Tom Eastep <teastep@evergo.net>
- Added ftpserver file
* Sat Aug 12 2000 Tom Eastep <teastep@evergo.net>
- Added "nat" and "proxyarp" files for 4.0
* Mon May 20 2000 Tom Eastep <teastep@evergo.net>
- added updown file
* Sat May 20 2000 Simon Piette <spiette@generation.net>
- Corrected the group - Networking/Utilities
- Added "noreplace" attributes to config files, so current confis is not
changed.
- Added the version file.
* Sat May 20 2000 Tom Eastep <teastep@evergo.net>
- Converted Simon's patch to version 3.1
* Sat May 20 2000 Simon Piette <spiette@generation.net>
- 3.0.2 Initial RPM
Patched the install script so it can take a PREFIX variable
* Fri May 20 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.5-1
* Mon Apr 11 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.4-1
* Fri Apr 08 2005 Tom Eastep tom@shorewall.net
- Added /etc/shorewall/started
* Tue Apr 05 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.3-1
* Mon Mar 07 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.2-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.1-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-1
* Mon Jan 17 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC5
* Thu Jan 06 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC4
* Thu Dec 30 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC3
* Fri Dec 24 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC2
* Sun Dec 19 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC1
- Added ipsecvpn file
* Sat Dec 11 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta8
* Mon Nov 29 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta7
* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta6
* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta5
* Fri Nov 19 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta4
* Tue Nov 09 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta3
* Tue Nov 02 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta2
* Fri Oct 22 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta1

4
Shorewall/start
View File

@ -1,6 +1,8 @@
############################################################################
# Shorewall 2.0 -- /etc/shorewall/start
# Shorewall 2.2 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

15
Shorewall/started Normal file
View File

@ -0,0 +1,15 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/started
#
# Add commands below that you want to be executed after shorewall has
# been completely started or restarted. The difference between this
# extension script and /etc/shorewall/start is that this one is invoked
# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
# after the 'shorewall' chain has been created (thus signaling that the
# firewall is completely up.
#
# This script should not change the firewall configuration directly but may
# do so indirectly by running /sbin/shorewall with the 'nolock' option.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

4
Shorewall/stop
View File

@ -1,6 +1,8 @@
############################################################################
# Shorewall 2.0 -- /etc/shorewall/stop
# Shorewall 2.2 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

4
Shorewall/stopped
View File

@ -1,6 +1,8 @@
############################################################################
# Shorewall 2.0 -- /etc/shorewall/stopped
# Shorewall 2.2 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

108
Shorewall/tcrules
View File

@ -1,5 +1,5 @@
#
# Shorewall version 2.0 - Traffic Control Rules File
# Shorewall version 2.2 - Traffic Control Rules File
#
# /etc/shorewall/tcrules
#
@ -19,23 +19,69 @@
# Columns are:
#
#
# MARK The mark value which is an
# integer in the range 1-255
# MARK/ a) A mark value which is a integer in the range 1-255
# CLASSIFY
# May optionally be followed by ":P" or ":F"
# where ":P" indicates that marking should occur in
# the PREROUTING chain and ":F" indicates that marking
# should occur in the FORWARD chain. If neither
# ":P" nor ":F" follow the mark value then the chain is
# determined by the setting of MARK_IN_FORWARD_CHAIN in
# /etc/shorewall/shorewall.conf.
#
# May optionally be followed by ":P" or ":F"
# where ":P" indicates that marking should occur in
# the PREROUTING chain and ":F" indicates that marking
# should occur in the FORWARD chain. If neither
# ":P" nor ":F" follow the mark value then the chain is
# determined by the setting of MARK_IN_FORWARD_CHAIN in
# /etc/shorewall/shorewall.conf.
# If your kernel and iptables include CONNMARK support
# then you can also mark the connection rather than
# the packet.
#
# The mark value may be optionally followed by "/"
# and a mask value (used to determine those bits of
# the connection mark to actually be set). The
# mark and optional mask are then followed by one of:
#
# C - Mark the connection in the chain determined
# by the setting of MARK_IN_FORWARD_CHAIN
#
# CF: Mark the connection in the FORWARD chain
#
# CP: Mark the connection in the PREROUTING chain.
#
# b) A classification of the form <major>:<minor> where
# <major> and <minor> are integers. Corresponds to
# the 'class' specification in these traffic shaping
# modules:
#
# - atm
# - cbq
# - dsmark
# - pfifo_fast
# - htb
# - prio
#
# Classify always occurs in the POSTROUTING chain.
#
# c) RESTORE[/mask] -- restore the packet's mark from the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support.
# As in a) above, may be followed by ":P" or ":F
#
# c) SAVE[/mask] -- save the packet's mark to the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support.
# As in a) above, may be followed by ":P" or ":F
#
# d) CONTINUE -- don't process any more marking rules in
# the table. As in a) above, may be followed by ":P" or
# ":F".
#
# SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses
# and/or subnets. Use $FW if the packet originates on
# and/or subnets. If your kernel and iptables include
# iprange match support, IP address ranges are also
# allowed. Use $FW if the packet originates on
# the firewall in which case the MARK column may NOT
# specify either ":P" or ":F" (marking always occurs
# in the OUTPUT chain).
# in the OUTPUT chain). $FW may be optionally followed
# by ":" and a host/network address.
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
@ -43,22 +89,34 @@
# Example: ~00-A0-C9-15-39-78
#
# DEST Destination of the packet. Comma separated list of
# IP addresses and/or subnets.
# IP addresses and/or subnets. If your kernel and
# iptables include iprange match support, IP address
# ranges are also allowed.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# or "all".
# If the MARK column specificies a classification of
# the form <major>:<minor> then this column may also
# contain an interface name.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
#
# PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example "bit"
# for bit-torrent). If no PORT is given, "ipp2p" is
# assumed.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following field is supplied.
# In that case, it is suggested that this field contain
# "-"
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# SOURCE PORT(S) (Optional) Source port(s). If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
@ -75,9 +133,23 @@
# [<user name or number>]:[<group name or number>]
#
# The colon is optionnal when specifying only a user.
# Examples : john: / john / :users / john:users
# Examples : john: / john / :users / john:users
#
# TEST Defines a test on the existing packet or connection mark.
# The rule will match only if the test returns true. Tests
# have the format [!]<value>[/<mask>][:C]
#
# Where:
#
# ! Inverts the test (not equal)
# <value> Value of the packet or connection mark.
# <mask> A mask to be applied to the mark before
# testing
# :C Designates a connection mark. If omitted,
# the packet mark's value is tested.
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

8
Shorewall/tos
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 -- /etc/shorewall/tos
# Shorewall 2.2 -- /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#
@ -43,10 +43,4 @@
#
##############################################################################
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
all all tcp - 22 16
all all tcp 22 - 16
all all tcp - 21 16
all all tcp 21 - 16
all all tcp 20 - 8
all all tcp - 20 8
#LAST LINE -- Add your entries above -- DO NOT REMOVE

6
Shorewall/tunnel
View File

@ -2,14 +2,14 @@
RCDLINKS="2,S45 3,S45 6,K45"
################################################################################
# Script to create a gre or ipip tunnel -- Shorewall 2.0
# Script to create a gre or ipip tunnel -- Shorewall 2.2
#
# Modified - Steve Cowles 5/9/2000
# Incorporated init {start|stop} syntax and iproute2 usage
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# Modify the following variables to match your configuration
#
@ -108,7 +108,7 @@ do_start() {
case $tunnel_type in
gre)
ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255 ${key:+key $key)
ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255 ${key:+key $key}
;;
*)
ip tunnel add $tunnel mode ipip remote $gateway

11
Shorewall/tunnels
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 - /etc/shorewall/tunnels
# Shorewall 2.2 - /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
@ -34,7 +34,10 @@
#
# GATEWAY -- The IP address of the remote tunnel gateway. If the
# remote getway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0.
# then specify the gateway as 0.0.0.0/0. May be
# specified as a network address and if your kernel and
# iptables include iprange match support then IP address
# ranges are also allowed.
#
# GATEWAY
# ZONES -- Optional. If the gateway system specified in the third
@ -105,6 +108,10 @@
#
# generic:udp:4444 net 4.3.99.124
#
#
# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
#
# TYPE ZONE GATEWAY GATEWAY
# ZONE
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

4
Shorewall/uninstall.sh
View File

@ -4,7 +4,7 @@
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=2.0.16
VERSION=2.2.5
usage() # $1 = exit status
{

18
Shorewall/zones
View File

@ -1,9 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/zones
# Shorewall 2.2 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# The names "all" and "none" are reserved and may not be
# used as zone names.
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
@ -11,9 +13,15 @@
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
#--------------------------------------------------------------------------------
# Example zones:
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
dmz DMZ Demilitarized zone
# You have a three interface firewall with internet, local and DMZ interfaces.
#
# #ZONE DISPLAY COMMENTS
# net Internet The big bad Internet
# loc Local Local Network
# dmz DMZ Demilitarized zone.
#
#ZONE DISPLAY COMMENTS
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE