Shorewall 2.2.4

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2065 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-04-23 16:30:47 +00:00
parent e3a21c0865
commit 9174ac0fa3
30 changed files with 269 additions and 61 deletions


@ -8,7 +8,7 @@
# #
# ACTION names should begin with an upper-case letter to # ACTION names should begin with an upper-case letter to
# distinguish them from Shorewall-generated chain names and # distinguish them from Shorewall-generated chain names and
# they must need the requirements of a Netfilter chain. If # they must meet the requirements of a Netfilter chain. If
# you intend to log from the action then the name must be # you intend to log from the action then the name must be
# no longer than 11 character in length. Names must also # no longer than 11 character in length. Names must also
# meet the requirements for a Bourne Shell identifier (must # meet the requirements for a Bourne Shell identifier (must
@ -24,6 +24,9 @@
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by # If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
# itself, the associated policy will have no common action. # itself, the associated policy will have no common action.
# #
# Please see http://shorewall.net/Actions.html for additional
# information.
#
#ACTION #ACTION
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


@ -38,6 +38,9 @@
# ADDRESS/SUBNET PROTOCOL PORT # ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53 # 192.0.2.126 udp 53
# #
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
############################################################################### ###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT #ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -4,3 +4,5 @@
# Add commands below that you want to be executed after shorewall has # Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing connections. # cleared any existing Netfilter rules and has enabled existing connections.
# #
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#


@ -15,6 +15,8 @@
# 0.0.0.0/0 is assumed. If your kernel and iptables # 0.0.0.0/0 is assumed. If your kernel and iptables
# include iprange match support then IP address ranges # include iprange match support then IP address ranges
# are also permitted. # are also permitted.
#
# For additional information, see http://shorewall.net/Documentation.htm#ECN
############################################################################## ##############################################################################
#INTERFACE HOST(S) #INTERFACE HOST(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -135,5 +135,7 @@
# /etc/shorewall/ipsec file then you do NOT # /etc/shorewall/ipsec file then you do NOT
# need to specify the 'ipsec' option here. # need to specify the 'ipsec' option here.
# #
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
#
#ZONE HOST(S) OPTIONS #ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE


@ -4,3 +4,5 @@
# Add commands below that you want to be executed at the beginning of # Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command. # a "shorewall start" or "shorewall restart" command.
# #
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#


@ -5,3 +5,5 @@
# "shorewall start" or "shorewall restart" commands at the point where # "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains. # Shorewall has not yet added any perminent rules to the builtin chains.
# #
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#


@ -201,6 +201,9 @@
# connections. # connections.
# #
# net ppp0 - # net ppp0 -
#
# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
#
############################################################################## ##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS #ZONE INTERFACE BROADCAST OPTIONS
# #


@ -1,6 +1,11 @@
# #
# Shorewall 2.2 - MAC list file # Shorewall 2.2 - MAC list file
# #
# This file is used to define the MAC addresses and optionally their
# associated IP addresses to be allowed to use the specified interface.
# The feature is enabled by using the maclist option in the interfaces
# or hosts configuration file.
#
# /etc/shorewall/maclist # /etc/shorewall/maclist
# #
# Columns are: # Columns are:
@ -18,6 +23,9 @@
# list of host and/or subnet addresses. If your kernel # list of host and/or subnet addresses. If your kernel
# and iptables have iprange match support then IP # and iptables have iprange match support then IP
# address ranges are also allowed. # address ranges are also allowed.
#
# For additional information, see http://shorewall.net/MAC_Validation.html
#
############################################################################## ##############################################################################
#INTERFACE MAC IP ADDRESSES (Optional) #INTERFACE MAC IP ADDRESSES (Optional)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -86,6 +86,20 @@
# 192.0.2.4:5000-6000 # 192.0.2.4:5000-6000
# :4000-5000 # :4000-5000
# #
# You can invoke the SAME target using the
# following in this column:
#
# SAME:[nodst:]<address-range>[,<address-range>...]
#
# The <address-ranges> may be single addresses.
#
# SAME works like SNAT with the exception that the
# same local IP address is assigned to each connection
# from a local address to a given remote address. If
# the 'nodst:' option is included, then the same source
# address is used for a given internal system regardless
# of which remote system is involved.
#
# If you want to leave this column empty # If you want to leave this column empty
# but you need to specify the next column then # but you need to specify the next column then
# place a hyphen ("-") here. # place a hyphen ("-") here.
@ -195,6 +209,8 @@
# #
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! # THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
# #
# For additional information, see http://shorewall.net/Documentation.htm#Masq
#
############################################################################### ###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 eth1 eth0 eth1


@ -7,6 +7,7 @@
# dependency order. i.e., if M2 depends on M1 then you must load M1 before # dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2. # you load M2.
# #
# For additional information, see http://shorewall.net/Documentation.htm#modules
loadmodule ip_tables loadmodule ip_tables
loadmodule iptable_filter loadmodule iptable_filter


@ -38,6 +38,8 @@
# #
# LOCAL If Yes or yes, NAT will be effective from the firewall # LOCAL If Yes or yes, NAT will be effective from the firewall
# system # system
#
# For additional information, see http://shorewall.net/NAT.htm
############################################################################## ##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL #EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES # INTERFACES


@ -75,6 +75,8 @@
# level KERNEL.INFO. # level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level # d) All other connection requests are rejected and logged at level
# KERNEL.INFO. # KERNEL.INFO.
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
############################################################################### ###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST #SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL # LEVEL


@ -39,6 +39,8 @@
# #
# #ADDRESS INTERFACE EXTERNAL # #ADDRESS INTERFACE EXTERNAL
# 155.186.235.6 eth1 eth0 # 155.186.235.6 eth1 eth0
#
# See http://shorewall.net/ProxyARP.htm for additional information.
############################################################################## ##############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -31,6 +31,10 @@
# eth2 192.168.1.0/24 # eth2 192.168.1.0/24
# eth0 192.0.2.44 # eth0 192.0.2.44
# br0 - routeback # br0 - routeback
#
# See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
############################################################################## ##############################################################################
#INTERFACE HOST(S) OPTIONS #INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -42,6 +42,16 @@
# Like DNAT but only generates the # Like DNAT but only generates the
# DNAT iptables rule and not # DNAT iptables rule and not
# the companion ACCEPT rule. # the companion ACCEPT rule.
# SAME -- Similar to DNAT except that the
# port may not be remapped and when
# multiple server addresses are
# listed, all requests from a given
# remote system go to the same
# server.
# SAME- -- Advanced users only.
# Like SAME but only generates the
# NAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local # REDIRECT -- Redirect the request to a local
# port on the firewall. # port on the firewall.
# REDIRECT- # REDIRECT-
@ -102,11 +112,14 @@
# #
# SOURCE Source hosts to which the rule applies. May be a zone # SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the # defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or # firewall itself, "all" or "none" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be # REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with # excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names. # "!' and a comma-separated list of sub-zone names.
# #
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column # When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add # intra-zone traffic is not affected. You must add
# separate rules to handle that traffic. # separate rules to handle that traffic.
@ -147,7 +160,10 @@
# #
# DEST Location of Server. May be a zone defined in # DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall # /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all" # itself, "all" or "none".
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
# #
# When "all" is used either in the SOURCE or DEST column # When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add # intra-zone traffic is not affected. You must add
@ -352,6 +368,4 @@ ACCEPT fw net icmp
# allow loc to fw tcp/80 for weblet to work # allow loc to fw tcp/80 for weblet to work
ACCEPT loc fw udp 53 ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80 ACCEPT loc fw tcp 80
# uncomment to use dnsmasq's dhcpd in your LAN
#ACCEPT loc fw udp 67,68
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -4,7 +4,9 @@
# Add commands below that you want to be executed after shorewall has # Add commands below that you want to be executed after shorewall has
# been started or restarted. # been started or restarted.
# #
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
for file in /etc/shorewall/start.d/* ; do for file in /etc/shorewall/start.d/* ; do
run_user_exit $file run_user_exit $file
done done


@ -4,7 +4,8 @@
# Add commands below that you want to be executed at the beginning of a # Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command. # "shorewall stop" command.
# #
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
for file in /etc/shorewall/stop.d/* ; do for file in /etc/shorewall/stop.d/* ; do
run_user_exit $file run_user_exit $file
done done


@ -4,3 +4,5 @@
# Add commands below that you want to be executed at the completion of a # Add commands below that you want to be executed at the completion of a
# "shorewall stop" command. # "shorewall stop" command.
# #
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.


@ -147,6 +147,8 @@
# testing # testing
# :C Designates a connection mark. If omitted, # :C Designates a connection mark. If omitted,
# the packet mark's value is tested. # the packet mark's value is tested.
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
############################################################################## ##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S) # PORT(S)


@ -108,6 +108,10 @@
# #
# generic:udp:4444 net 4.3.99.124 # generic:udp:4444 net 4.3.99.124
# #
#
# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
#
# TYPE ZONE GATEWAY GATEWAY # TYPE ZONE GATEWAY GATEWAY
# ZONE # ZONE
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -4,6 +4,8 @@
# This file determines your network zones. Columns are: # This file determines your network zones. Columns are:
# #
# ZONE Short name of the zone (5 Characters or less in length). # ZONE Short name of the zone (5 Characters or less in length).
# The names "all" and "none" are reserved and may not be
# used as zone names.
# DISPLAY Display name of the zone # DISPLAY Display name of the zone
# COMMENTS Comments about the zone # COMMENTS Comments about the zone
# #


@ -58,6 +58,7 @@
# shorewall show {mangle|tos} Display the rules in the mangle table # shorewall show {mangle|tos} Display the rules in the mangle table
# shorewall show tc Display traffic control info # shorewall show tc Display traffic control info
# shorewall show classifiers Display classifiers # shorewall show classifiers Display classifiers
# shorewall show capabilities Display iptables/kernel capabilities
# shorewall version Display the installed version id # shorewall version Display the installed version id
# shorewall check Verify the more heavily-used # shorewall check Verify the more heavily-used
# configuration files. # configuration files.
@ -353,11 +354,18 @@ packet_log() # $1 = number of messages
[ -n "$realtail" ] && options="-n$1" [ -n "$realtail" ] && options="-n$1"
grep "${LOGFORMAT}" $LOGFILE | \ if [ -n "$VERBOSE" ]; then
sed s/" kernel:"// | \ grep "${LOGFORMAT}" $LOGFILE | \
sed s/" $host $LOGFORMAT"/" "/ | \ sed s/" kernel:"// | \
sed 's/MAC=.* SRC=/SRC=/' | \ sed s/" $host $LOGFORMAT"/" "/ | \
tail $options tail $options
else
grep "${LOGFORMAT}" $LOGFILE | \
sed s/" kernel:"// | \
sed s/" $host $LOGFORMAT"/" "/ | \
sed 's/MAC=.* SRC=/SRC=/' | \
tail $options
fi
} }
# #
@ -595,7 +603,7 @@ help()
# #
usage() # $1 = exit status usage() # $1 = exit status
{ {
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>" echo "Usage: $(basename $0) [debug|trace] [nolock] [ -x ] [ -q ] [ -f ] [ -v ] <command>"
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>" echo " add <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
echo " allow <address> ..." echo " allow <address> ..."
@ -616,14 +624,13 @@ usage() # $1 = exit status
echo " restart [ <directory> ]" echo " restart [ <directory> ]"
echo " restore [ <file name> ]" echo " restore [ <file name> ]"
echo " save [ <file name> ]" echo " save [ <file name> ]"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos|zones]" echo " show [<chain> [ <chain> ... ]|capabilities|classifiers|connections|log|nat|tc|tos|zones]"
echo " start [ <directory> ]" echo " start [ <directory> ]"
echo " stop" echo " stop"
echo " status" echo " status"
echo " try <directory> [ <timeout> ]" echo " try <directory> [ <timeout> ]"
echo " version" echo " version"
echo echo
echo "The -c and -f options may not be specified with a <directory> in the start, restart and check commands"
exit $1 exit $1
} }
@ -664,6 +671,7 @@ SHOREWALL_DIR=
QUIET= QUIET=
IPT_OPTIONS="-nv" IPT_OPTIONS="-nv"
FAST= FAST=
VERBOSE=
done=0 done=0
@ -705,6 +713,10 @@ while [ $done -eq 0 ]; do
FAST=Yes FAST=Yes
option=${option#f} option=${option#f}
;; ;;
v*)
VERBOSE=Yes
option=${option#v}
;;
*) *)
usage 1 usage 1
;; ;;
@ -938,6 +950,9 @@ case "$1" in
exit 1 exit 1
fi fi
;; ;;
capabilities)
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock capabilities
;;
*) *)
shift shift


@ -1,5 +1,5 @@
# #
# Shorewall 2.1 /usr/share/shorewall/action.AllowICMPs # Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs
# #
# ACCEPT needed ICMP types # ACCEPT needed ICMP types
# #


@ -11,6 +11,9 @@
# 2. Copy this file to /etc/shorewall/action.<action name> # 2. Copy this file to /etc/shorewall/action.<action name>
# 3. Add the desired rules to that file. # 3. Add the desired rules to that file.
# #
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Columns are: # Columns are:
# #
# #


@ -1,6 +1,8 @@
# #
# Shorewall 2.2 /usr/share/shorewall/actions.std # Shorewall 2.2 /usr/share/shorewall/actions.std
# #
# Please see http://shorewall.net/Actions.html for additional
# information.
# #
# Builtin Actions are: # Builtin Actions are:
# #
@ -12,6 +14,10 @@
# #conntrack state. # #conntrack state.
# allowInvalid #Accept packets that are in the INVALID # allowInvalid #Accept packets that are in the INVALID
# #conntrack state. # #conntrack state.
# allowoutUPnP #Allow traffic from local command 'upnpd'
# allowinUPnP #Allow UPnP inbound (to firewall) traffic
# forwardUPnP #Allow traffic that upnpd has redirected from
# #'upnp' interfaces.
# #
#ACTION #ACTION


@ -44,11 +44,9 @@
31.0.0.0/8 logdrop # Reserved 31.0.0.0/8 logdrop # Reserved
36.0.0.0/7 logdrop # Reserved 36.0.0.0/7 logdrop # Reserved
39.0.0.0/8 logdrop # Reserved 39.0.0.0/8 logdrop # Reserved
41.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved 42.0.0.0/8 logdrop # Reserved
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
73.0.0.0/8 logdrop # Reserved
74.0.0.0/7 logdrop # Reserved 74.0.0.0/7 logdrop # Reserved
76.0.0.0/6 logdrop # Reserved 76.0.0.0/6 logdrop # Reserved
89.0.0.0/8 logdrop # Reserved 89.0.0.0/8 logdrop # Reserved


@ -937,7 +937,7 @@ validate_interfaces_file() {
for option in $options; do for option in $options; do
case $option in case $option in
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|-) dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
;; ;;
detectnets) detectnets)
[ -n "$wildcard" ] && \ [ -n "$wildcard" ] && \
@ -975,13 +975,21 @@ validate_hosts_file() {
r="$z $hosts $options" r="$z $hosts $options"
validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\"" validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\""
interface=${hosts%%:*} case $hosts in
iface=$(chain_base $interface) *:*)
list_search $interface $ALL_INTERFACES || \ interface=${hosts%%:*}
startup_error "Unknown interface ($interface) in record \"$r\"" iface=$(chain_base $interface)
hosts=${hosts#*:} list_search $interface $ALL_INTERFACES || \
startup_error "Unknown interface ($interface) in record \"$r\""
hosts=${hosts#*:}
;;
*)
fatal_error "Invalid HOST(S) column contents: $hosts"
;;
esac
eval ports=\$${iface}_ports eval ports=\$${iface}_ports
eval zports=\$${z}_ports eval zports=\$${z}_ports
@ -2826,6 +2834,12 @@ check_config() {
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables" [ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
fi fi
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi
echo "Determining Zones..." echo "Determining Zones..."
determine_zones determine_zones
@ -3473,7 +3487,8 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
# #
process_actions1() { process_actions1() {
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid" ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
USEDACTIONS= USEDACTIONS=
strip_file actions strip_file actions
@ -3544,6 +3559,15 @@ process_actions1() {
process_actions2() { process_actions2() {
local interfaces="$(find_interfaces_by_option upnp)"
if [ -n "$interfaces" ]; then
if ! list_search forwardUPnP $USEDACTIONS; then
error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)"
USEDACTIONS="$USEDACTIONS forwardUPnP"
fi
fi
progress_message " Generating Transitive Closure of Used-action List..." progress_message " Generating Transitive Closure of Used-action List..."
changed=Yes changed=Yes
@ -3695,6 +3719,26 @@ process_actions3() {
run_iptables -A $xchain -m state --state INVALID -j ACCEPT run_iptables -A $xchain -m state --state INVALID -j ACCEPT
fi fi
;; ;;
forwardUPnP)
;;
allowinUPnP)
if [ "$COMMAND" != check ]; then
if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152
fi
run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT
run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT
fi
;;
allowoutUPnP)
if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
fi
;;
*) *)
# #
# Not a builtin # Not a builtin
@ -3802,7 +3846,14 @@ add_nat_rule() {
# Select target # Select target
if [ -n "$serv" ]; then if [ "$logtarget" = SAME ]; then
[ -n "$servport" ] && fatal_error "Port mapping not allowed in SAME rules"
serv1=
for srv in $(separate_list $serv); do
serv1="$serv1 --to ${srv}"
done
target1="SAME $serv1"
elif [ -n "$serv" ]; then
servport="${servport:+:$servport}" servport="${servport:+:$servport}"
serv1= serv1=
for srv in $(separate_list $serv); do for srv in $(separate_list $serv); do
@ -4065,9 +4116,9 @@ add_a_rule()
servport=${servport:=$port} servport=${servport:=$port}
natrule=Yes natrule=Yes
;; ;;
DNAT) DNAT|SAME)
[ -n "$serv" ] || \ [ -n "$serv" ] || \
fatal_error "DNAT rules require a server address; rule: \"$rule\"" fatal_error "$logtarget rules require a server address; rule: \"$rule\""
natrule=Yes natrule=Yes
;; ;;
LOG) LOG)
@ -4084,7 +4135,7 @@ add_a_rule()
if [ -n "$natrule" ]; then if [ -n "$natrule" ]; then
add_nat_rule add_nat_rule
elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\"" fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\""
fi fi
if [ -z "$dnat_only" ]; then if [ -z "$dnat_only" ]; then
@ -4139,7 +4190,7 @@ add_a_rule()
[ -n "$addr" ] && fatal_error \ [ -n "$addr" ] && fatal_error \
"An ORIGINAL DESTINATION ($addr) is only allowed in" \ "An ORIGINAL DESTINATION ($addr) is only allowed in" \
" a DNAT or REDIRECT: \"$rule\"" " a DNAT, SAME or REDIRECT: \"$rule\""
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
@ -4289,7 +4340,7 @@ process_rule() # $1 = target
CONTINUE) CONTINUE)
target=RETURN target=RETURN
;; ;;
DNAT*) DNAT*|SAME*)
target=ACCEPT target=ACCEPT
address=${address:=detect} address=${address:=detect}
;; ;;
@ -4322,8 +4373,13 @@ process_rule() # $1 = target
excludezones="${clientzone#*!}" excludezones="${clientzone#*!}"
clientzone="${clientzone%!*}" clientzone="${clientzone%!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ case $logtarget in
fatal_error "Exclude list only allowed with DNAT or REDIRECT" DNAT|REDIRECT|SAME)
;;
*)
fatal_error "Exclude list only allowed with DNAT, SAME or REDIRECT"
;;
esac
fi fi
validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\"" validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\""
@ -4386,7 +4442,7 @@ process_rule() # $1 = target
protocol=${protocol:=all} protocol=${protocol:=all}
case $logtarget in case $logtarget in
DNAT*) DNAT*|SAME)
if [ -n "$XMULTIPORT" ] && \ if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \ ! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
@ -4540,7 +4596,7 @@ process_rules()
} }
do_it() { do_it() {
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec expandv xprotocol xports xcports xaddress xratelimit xuserspec
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then
xclients="$zones $FW" xclients="$zones $FW"
@ -4548,13 +4604,13 @@ process_rules()
xservers="$zones $FW" xservers="$zones $FW"
fi fi
process_wildcard_rule process_wildcard_rule
continue return
fi fi
if [ "x$xservers" = xall ]; then if [ "x$xservers" = xall ]; then
xservers="$zones $FW" xservers="$zones $FW"
process_wildcard_rule process_wildcard_rule
continue return
fi fi
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
@ -4562,10 +4618,16 @@ process_rules()
} }
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
expandv xtarget expandv xtarget xclients xservers
if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
progress_message " Rule \"$rule\" ignored."
continue
fi
case "${xtarget%%:*}" in case "${xtarget%%:*}" in
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
do_it do_it
;; ;;
*) *)
@ -4971,7 +5033,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
[ -n "$chain" ] && { echo $chain; return; } [ -n "$chain" ] && { echo $chain; return; }
fatal_error "No appropriate chain for zone $1 to zone $2" fatal_error "No policy defined for zone $1 to zone $2"
} }
# #
@ -5116,6 +5178,8 @@ setup_masq()
[ "x$addresses" = x- ] && addresses= [ "x$addresses" = x- ] && addresses=
if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then
for address in $(separate_list $addresses); do for address in $(separate_list $addresses); do
address=${address%:)} address=${address%:)}
@ -5262,17 +5326,35 @@ setup_masq()
target=MASQUERADE target=MASQUERADE
if [ -n "$addresses" ]; then if [ -n "$addresses" ]; then
for address in $(separate_list $addresses); do case "$addresses" in
case $address in SAME:nodst:*)
*.*.*.*) target="SAME --nodst"
target=SNAT addresses=${addresses#SAME:nodst:}
addrlist="$addrlist --to-source $address" for address in $(separate_list $addresses); do
;; addrlist="$addrlist --to $address";
*) done
addrlist="$addrlist --to-ports ${address#:}" ;;
;; SAME:*)
esac target="SAME"
done addresses=${addresses#SAME:}
for address in $(separate_list $addresses); do
addrlist="$addrlist --to $address";
done
;;
*)
for address in $(separate_list $addresses); do
case $address in
*.*.*.*)
target=SNAT
addrlist="$addrlist --to-source $address"
;;
*)
addrlist="$addrlist --to-ports ${address#:}"
;;
esac
done
;;
esac
fi fi
if [ -n "$networks" ]; then if [ -n "$networks" ]; then
@ -5621,6 +5703,7 @@ determine_capabilities() {
PHYSDEV_MATCH= PHYSDEV_MATCH=
IPRANGE_MATCH= IPRANGE_MATCH=
RECENT_MATCH= RECENT_MATCH=
OWNER_MATCH=
qt $IPTABLES -N fooX1234 qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
@ -5630,6 +5713,7 @@ determine_capabilities() {
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
if [ -n "$PKTTYPE" ]; then if [ -n "$PKTTYPE" ]; then
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE= qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
@ -5660,6 +5744,7 @@ report_capabilities() {
report_capability "Physdev Match" $PHYSDEV_MATCH report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH
} }
# #
@ -5678,6 +5763,11 @@ initialize_netfilter () {
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables" [ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
fi fi
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \ [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
startup_error "RFC1918_STRICT=Yes requires Connection Tracking match" startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
@ -6290,6 +6380,20 @@ add_common_rules() {
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface) run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
done done
fi fi
#
# UPnP
#
interfaces=$(find_interfaces_by_option upnp)
if [ -n "$interfaces" ]; then
echo "Setting up UPnP..."
createnatchain UPnP
for interface in $interfaces; do
run_iptables -t nat -A PREROUTING -i $interface -j UPnP
done
fi
setup_forwarding setup_forwarding
} }
@ -6767,6 +6871,7 @@ define_firewall() # $1 = Command (Start or Restart)
mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
run_user_exit started
} }
# #
@ -7482,12 +7587,6 @@ do_initialize() {
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi
# #
# Strip the files that we use often # Strip the files that we use often
# #
@ -7672,6 +7771,10 @@ case "$COMMAND" in
EMPTY= EMPTY=
$@ $@
;; ;;
capabilities)
do_initialize
report_capabilities
;;
*) *)
usage usage
;; ;;


@ -5,7 +5,7 @@
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net) # (c) 2003-2005 - Tom Eastep (teastep@shorewall.net)
# Steve Herber (herber@thing.com) # Steve Herber (herber@thing.com)
# #
# This file should be placed in /usr/share/shorewall/help # This file should be placed in /usr/share/shorewall/help
@ -254,6 +254,8 @@ show)
shorewall show zones - displays the contents of all zones. shorewall show zones - displays the contents of all zones.
shorewall show capabilities - displays your kernel/iptables capabilities
When -x is given, that option is also passed to iptables to display actual packet and byte counts." When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;; ;;


@ -1 +1 @@
2.2.3 2.2.4