Shorewall 2.2.4
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2065 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
e3a21c0865
commit
9174ac0fa3
@ -8,7 +8,7 @@
|
|||||||
#
|
#
|
||||||
# ACTION names should begin with an upper-case letter to
|
# ACTION names should begin with an upper-case letter to
|
||||||
# distinguish them from Shorewall-generated chain names and
|
# distinguish them from Shorewall-generated chain names and
|
||||||
# they must need the requirements of a Netfilter chain. If
|
# they must meet the requirements of a Netfilter chain. If
|
||||||
# you intend to log from the action then the name must be
|
# you intend to log from the action then the name must be
|
||||||
# no longer than 11 character in length. Names must also
|
# no longer than 11 character in length. Names must also
|
||||||
# meet the requirements for a Bourne Shell identifier (must
|
# meet the requirements for a Bourne Shell identifier (must
|
||||||
@ -24,6 +24,9 @@
|
|||||||
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
|
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
|
||||||
# itself, the associated policy will have no common action.
|
# itself, the associated policy will have no common action.
|
||||||
#
|
#
|
||||||
|
# Please see http://shorewall.net/Actions.html for additional
|
||||||
|
# information.
|
||||||
|
#
|
||||||
#ACTION
|
#ACTION
|
||||||
|
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||||
|
@ -38,6 +38,9 @@
|
|||||||
# ADDRESS/SUBNET PROTOCOL PORT
|
# ADDRESS/SUBNET PROTOCOL PORT
|
||||||
# 192.0.2.126 udp 53
|
# 192.0.2.126 udp 53
|
||||||
#
|
#
|
||||||
|
# Please see http://shorewall.net/blacklisting_support.htm for additional
|
||||||
|
# information.
|
||||||
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#ADDRESS/SUBNET PROTOCOL PORT
|
#ADDRESS/SUBNET PROTOCOL PORT
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -4,3 +4,5 @@
|
|||||||
# Add commands below that you want to be executed after shorewall has
|
# Add commands below that you want to be executed after shorewall has
|
||||||
# cleared any existing Netfilter rules and has enabled existing connections.
|
# cleared any existing Netfilter rules and has enabled existing connections.
|
||||||
#
|
#
|
||||||
|
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
|
||||||
|
#
|
||||||
|
@ -15,6 +15,8 @@
|
|||||||
# 0.0.0.0/0 is assumed. If your kernel and iptables
|
# 0.0.0.0/0 is assumed. If your kernel and iptables
|
||||||
# include iprange match support then IP address ranges
|
# include iprange match support then IP address ranges
|
||||||
# are also permitted.
|
# are also permitted.
|
||||||
|
#
|
||||||
|
# For additional information, see http://shorewall.net/Documentation.htm#ECN
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#INTERFACE HOST(S)
|
#INTERFACE HOST(S)
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -135,5 +135,7 @@
|
|||||||
# /etc/shorewall/ipsec file then you do NOT
|
# /etc/shorewall/ipsec file then you do NOT
|
||||||
# need to specify the 'ipsec' option here.
|
# need to specify the 'ipsec' option here.
|
||||||
#
|
#
|
||||||
|
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
|
||||||
|
#
|
||||||
#ZONE HOST(S) OPTIONS
|
#ZONE HOST(S) OPTIONS
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
||||||
|
@ -4,3 +4,5 @@
|
|||||||
# Add commands below that you want to be executed at the beginning of
|
# Add commands below that you want to be executed at the beginning of
|
||||||
# a "shorewall start" or "shorewall restart" command.
|
# a "shorewall start" or "shorewall restart" command.
|
||||||
#
|
#
|
||||||
|
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
|
||||||
|
#
|
||||||
|
@ -5,3 +5,5 @@
|
|||||||
# "shorewall start" or "shorewall restart" commands at the point where
|
# "shorewall start" or "shorewall restart" commands at the point where
|
||||||
# Shorewall has not yet added any perminent rules to the builtin chains.
|
# Shorewall has not yet added any perminent rules to the builtin chains.
|
||||||
#
|
#
|
||||||
|
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
|
||||||
|
#
|
||||||
|
@ -201,6 +201,9 @@
|
|||||||
# connections.
|
# connections.
|
||||||
#
|
#
|
||||||
# net ppp0 -
|
# net ppp0 -
|
||||||
|
#
|
||||||
|
# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
|
||||||
|
#
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#ZONE INTERFACE BROADCAST OPTIONS
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
#
|
#
|
||||||
|
@ -1,6 +1,11 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.2 - MAC list file
|
# Shorewall 2.2 - MAC list file
|
||||||
#
|
#
|
||||||
|
# This file is used to define the MAC addresses and optionally their
|
||||||
|
# associated IP addresses to be allowed to use the specified interface.
|
||||||
|
# The feature is enabled by using the maclist option in the interfaces
|
||||||
|
# or hosts configuration file.
|
||||||
|
#
|
||||||
# /etc/shorewall/maclist
|
# /etc/shorewall/maclist
|
||||||
#
|
#
|
||||||
# Columns are:
|
# Columns are:
|
||||||
@ -18,6 +23,9 @@
|
|||||||
# list of host and/or subnet addresses. If your kernel
|
# list of host and/or subnet addresses. If your kernel
|
||||||
# and iptables have iprange match support then IP
|
# and iptables have iprange match support then IP
|
||||||
# address ranges are also allowed.
|
# address ranges are also allowed.
|
||||||
|
#
|
||||||
|
# For additional information, see http://shorewall.net/MAC_Validation.html
|
||||||
|
#
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#INTERFACE MAC IP ADDRESSES (Optional)
|
#INTERFACE MAC IP ADDRESSES (Optional)
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||||
|
@ -86,6 +86,20 @@
|
|||||||
# 192.0.2.4:5000-6000
|
# 192.0.2.4:5000-6000
|
||||||
# :4000-5000
|
# :4000-5000
|
||||||
#
|
#
|
||||||
|
# You can invoke the SAME target using the
|
||||||
|
# following in this column:
|
||||||
|
#
|
||||||
|
# SAME:[nodst:]<address-range>[,<address-range>...]
|
||||||
|
#
|
||||||
|
# The <address-ranges> may be single addresses.
|
||||||
|
#
|
||||||
|
# SAME works like SNAT with the exception that the
|
||||||
|
# same local IP address is assigned to each connection
|
||||||
|
# from a local address to a given remote address. If
|
||||||
|
# the 'nodst:' option is included, then the same source
|
||||||
|
# address is used for a given internal system regardless
|
||||||
|
# of which remote system is involved.
|
||||||
|
#
|
||||||
# If you want to leave this column empty
|
# If you want to leave this column empty
|
||||||
# but you need to specify the next column then
|
# but you need to specify the next column then
|
||||||
# place a hyphen ("-") here.
|
# place a hyphen ("-") here.
|
||||||
@ -195,6 +209,8 @@
|
|||||||
#
|
#
|
||||||
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
|
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
|
||||||
#
|
#
|
||||||
|
# For additional information, see http://shorewall.net/Documentation.htm#Masq
|
||||||
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
||||||
eth0 eth1
|
eth0 eth1
|
||||||
|
@ -7,6 +7,7 @@
|
|||||||
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
|
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
|
||||||
# you load M2.
|
# you load M2.
|
||||||
#
|
#
|
||||||
|
# For additional information, see http://shorewall.net/Documentation.htm#modules
|
||||||
|
|
||||||
loadmodule ip_tables
|
loadmodule ip_tables
|
||||||
loadmodule iptable_filter
|
loadmodule iptable_filter
|
||||||
|
@ -38,6 +38,8 @@
|
|||||||
#
|
#
|
||||||
# LOCAL If Yes or yes, NAT will be effective from the firewall
|
# LOCAL If Yes or yes, NAT will be effective from the firewall
|
||||||
# system
|
# system
|
||||||
|
#
|
||||||
|
# For additional information, see http://shorewall.net/NAT.htm
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||||
# INTERFACES
|
# INTERFACES
|
||||||
|
@ -75,6 +75,8 @@
|
|||||||
# level KERNEL.INFO.
|
# level KERNEL.INFO.
|
||||||
# d) All other connection requests are rejected and logged at level
|
# d) All other connection requests are rejected and logged at level
|
||||||
# KERNEL.INFO.
|
# KERNEL.INFO.
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/Documentation.htm#Policy for additional information.
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#SOURCE DEST POLICY LOG LIMIT:BURST
|
#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||||
# LEVEL
|
# LEVEL
|
||||||
|
@ -39,6 +39,8 @@
|
|||||||
#
|
#
|
||||||
# #ADDRESS INTERFACE EXTERNAL
|
# #ADDRESS INTERFACE EXTERNAL
|
||||||
# 155.186.235.6 eth1 eth0
|
# 155.186.235.6 eth1 eth0
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/ProxyARP.htm for additional information.
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -31,6 +31,10 @@
|
|||||||
# eth2 192.168.1.0/24
|
# eth2 192.168.1.0/24
|
||||||
# eth0 192.0.2.44
|
# eth0 192.0.2.44
|
||||||
# br0 - routeback
|
# br0 - routeback
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/Documentation.htm#Routestopped and
|
||||||
|
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
|
||||||
|
# information.
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#INTERFACE HOST(S) OPTIONS
|
#INTERFACE HOST(S) OPTIONS
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -42,6 +42,16 @@
|
|||||||
# Like DNAT but only generates the
|
# Like DNAT but only generates the
|
||||||
# DNAT iptables rule and not
|
# DNAT iptables rule and not
|
||||||
# the companion ACCEPT rule.
|
# the companion ACCEPT rule.
|
||||||
|
# SAME -- Similar to DNAT except that the
|
||||||
|
# port may not be remapped and when
|
||||||
|
# multiple server addresses are
|
||||||
|
# listed, all requests from a given
|
||||||
|
# remote system go to the same
|
||||||
|
# server.
|
||||||
|
# SAME- -- Advanced users only.
|
||||||
|
# Like SAME but only generates the
|
||||||
|
# NAT iptables rule and not
|
||||||
|
# the companion ACCEPT rule.
|
||||||
# REDIRECT -- Redirect the request to a local
|
# REDIRECT -- Redirect the request to a local
|
||||||
# port on the firewall.
|
# port on the firewall.
|
||||||
# REDIRECT-
|
# REDIRECT-
|
||||||
@ -102,11 +112,14 @@
|
|||||||
#
|
#
|
||||||
# SOURCE Source hosts to which the rule applies. May be a zone
|
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||||
# defined in /etc/shorewall/zones, $FW to indicate the
|
# defined in /etc/shorewall/zones, $FW to indicate the
|
||||||
# firewall itself, or "all" If the ACTION is DNAT or
|
# firewall itself, "all" or "none" If the ACTION is DNAT or
|
||||||
# REDIRECT, sub-zones of the specified zone may be
|
# REDIRECT, sub-zones of the specified zone may be
|
||||||
# excluded from the rule by following the zone name with
|
# excluded from the rule by following the zone name with
|
||||||
# "!' and a comma-separated list of sub-zone names.
|
# "!' and a comma-separated list of sub-zone names.
|
||||||
#
|
#
|
||||||
|
# When "none" is used either in the SOURCE or DEST column,
|
||||||
|
# the rule is ignored.
|
||||||
|
#
|
||||||
# When "all" is used either in the SOURCE or DEST column
|
# When "all" is used either in the SOURCE or DEST column
|
||||||
# intra-zone traffic is not affected. You must add
|
# intra-zone traffic is not affected. You must add
|
||||||
# separate rules to handle that traffic.
|
# separate rules to handle that traffic.
|
||||||
@ -147,7 +160,10 @@
|
|||||||
#
|
#
|
||||||
# DEST Location of Server. May be a zone defined in
|
# DEST Location of Server. May be a zone defined in
|
||||||
# /etc/shorewall/zones, $FW to indicate the firewall
|
# /etc/shorewall/zones, $FW to indicate the firewall
|
||||||
# itself or "all"
|
# itself, "all" or "none".
|
||||||
|
#
|
||||||
|
# When "none" is used either in the SOURCE or DEST column,
|
||||||
|
# the rule is ignored.
|
||||||
#
|
#
|
||||||
# When "all" is used either in the SOURCE or DEST column
|
# When "all" is used either in the SOURCE or DEST column
|
||||||
# intra-zone traffic is not affected. You must add
|
# intra-zone traffic is not affected. You must add
|
||||||
@ -352,6 +368,4 @@ ACCEPT fw net icmp
|
|||||||
# allow loc to fw tcp/80 for weblet to work
|
# allow loc to fw tcp/80 for weblet to work
|
||||||
ACCEPT loc fw udp 53
|
ACCEPT loc fw udp 53
|
||||||
ACCEPT loc fw tcp 80
|
ACCEPT loc fw tcp 80
|
||||||
# uncomment to use dnsmasq's dhcpd in your LAN
|
|
||||||
#ACCEPT loc fw udp 67,68
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -4,7 +4,9 @@
|
|||||||
# Add commands below that you want to be executed after shorewall has
|
# Add commands below that you want to be executed after shorewall has
|
||||||
# been started or restarted.
|
# been started or restarted.
|
||||||
#
|
#
|
||||||
|
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||||
|
# information.
|
||||||
|
#
|
||||||
for file in /etc/shorewall/start.d/* ; do
|
for file in /etc/shorewall/start.d/* ; do
|
||||||
run_user_exit $file
|
run_user_exit $file
|
||||||
done
|
done
|
||||||
|
|
||||||
|
@ -4,7 +4,8 @@
|
|||||||
# Add commands below that you want to be executed at the beginning of a
|
# Add commands below that you want to be executed at the beginning of a
|
||||||
# "shorewall stop" command.
|
# "shorewall stop" command.
|
||||||
#
|
#
|
||||||
|
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||||
|
# information.
|
||||||
for file in /etc/shorewall/stop.d/* ; do
|
for file in /etc/shorewall/stop.d/* ; do
|
||||||
run_user_exit $file
|
run_user_exit $file
|
||||||
done
|
done
|
||||||
|
|
||||||
|
@ -4,3 +4,5 @@
|
|||||||
# Add commands below that you want to be executed at the completion of a
|
# Add commands below that you want to be executed at the completion of a
|
||||||
# "shorewall stop" command.
|
# "shorewall stop" command.
|
||||||
#
|
#
|
||||||
|
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||||
|
# information.
|
||||||
|
@ -147,6 +147,8 @@
|
|||||||
# testing
|
# testing
|
||||||
# :C Designates a connection mark. If omitted,
|
# :C Designates a connection mark. If omitted,
|
||||||
# the packet mark's value is tested.
|
# the packet mark's value is tested.
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||||
# PORT(S)
|
# PORT(S)
|
||||||
|
@ -108,6 +108,10 @@
|
|||||||
#
|
#
|
||||||
# generic:udp:4444 net 4.3.99.124
|
# generic:udp:4444 net 4.3.99.124
|
||||||
#
|
#
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
|
||||||
|
#
|
||||||
# TYPE ZONE GATEWAY GATEWAY
|
# TYPE ZONE GATEWAY GATEWAY
|
||||||
# ZONE
|
# ZONE
|
||||||
|
#
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -4,6 +4,8 @@
|
|||||||
# This file determines your network zones. Columns are:
|
# This file determines your network zones. Columns are:
|
||||||
#
|
#
|
||||||
# ZONE Short name of the zone (5 Characters or less in length).
|
# ZONE Short name of the zone (5 Characters or less in length).
|
||||||
|
# The names "all" and "none" are reserved and may not be
|
||||||
|
# used as zone names.
|
||||||
# DISPLAY Display name of the zone
|
# DISPLAY Display name of the zone
|
||||||
# COMMENTS Comments about the zone
|
# COMMENTS Comments about the zone
|
||||||
#
|
#
|
||||||
|
@ -58,6 +58,7 @@
|
|||||||
# shorewall show {mangle|tos} Display the rules in the mangle table
|
# shorewall show {mangle|tos} Display the rules in the mangle table
|
||||||
# shorewall show tc Display traffic control info
|
# shorewall show tc Display traffic control info
|
||||||
# shorewall show classifiers Display classifiers
|
# shorewall show classifiers Display classifiers
|
||||||
|
# shorewall show capabilities Display iptables/kernel capabilities
|
||||||
# shorewall version Display the installed version id
|
# shorewall version Display the installed version id
|
||||||
# shorewall check Verify the more heavily-used
|
# shorewall check Verify the more heavily-used
|
||||||
# configuration files.
|
# configuration files.
|
||||||
@ -353,11 +354,18 @@ packet_log() # $1 = number of messages
|
|||||||
|
|
||||||
[ -n "$realtail" ] && options="-n$1"
|
[ -n "$realtail" ] && options="-n$1"
|
||||||
|
|
||||||
grep "${LOGFORMAT}" $LOGFILE | \
|
if [ -n "$VERBOSE" ]; then
|
||||||
sed s/" kernel:"// | \
|
grep "${LOGFORMAT}" $LOGFILE | \
|
||||||
sed s/" $host $LOGFORMAT"/" "/ | \
|
sed s/" kernel:"// | \
|
||||||
sed 's/MAC=.* SRC=/SRC=/' | \
|
sed s/" $host $LOGFORMAT"/" "/ | \
|
||||||
tail $options
|
tail $options
|
||||||
|
else
|
||||||
|
grep "${LOGFORMAT}" $LOGFILE | \
|
||||||
|
sed s/" kernel:"// | \
|
||||||
|
sed s/" $host $LOGFORMAT"/" "/ | \
|
||||||
|
sed 's/MAC=.* SRC=/SRC=/' | \
|
||||||
|
tail $options
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
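Review bot: The two branches of the new `if [ -n "$VERBOSE" ]` repeat the whole grep/sed/tail pipeline and differ only in whether the `sed 's/MAC=.* SRC=/SRC=/'` stage runs, so any later change to the log filtering has to be made twice. The shared stages can be written once and the MAC-stripping stage selected in a single place, as below; `$LOGFILE` is also passed unquoted in both copies, which predates this change but is now duplicated. packet_log starts outside the hunk.
```shell
    # … unchanged: options setup for realtail …
    grep "${LOGFORMAT}" "$LOGFILE" | \
    sed s/" kernel:"// | \
    sed s/" $host $LOGFORMAT"/" "/ | \
    if [ -n "$VERBOSE" ]; then cat; else sed 's/MAC=.* SRC=/SRC=/'; fi | \
    tail $options
```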
@ -595,7 +603,7 @@ help()
|
|||||||
#
|
#
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
|
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -x ] [ -q ] [ -f ] [ -v ] <command>"
|
||||||
echo "where <command> is one of:"
|
echo "where <command> is one of:"
|
||||||
echo " add <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
|
echo " add <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
|
||||||
echo " allow <address> ..."
|
echo " allow <address> ..."
|
||||||
@ -616,14 +624,13 @@ usage() # $1 = exit status
|
|||||||
echo " restart [ <directory> ]"
|
echo " restart [ <directory> ]"
|
||||||
echo " restore [ <file name> ]"
|
echo " restore [ <file name> ]"
|
||||||
echo " save [ <file name> ]"
|
echo " save [ <file name> ]"
|
||||||
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos|zones]"
|
echo " show [<chain> [ <chain> ... ]|capabilities|classifiers|connections|log|nat|tc|tos|zones]"
|
||||||
echo " start [ <directory> ]"
|
echo " start [ <directory> ]"
|
||||||
echo " stop"
|
echo " stop"
|
||||||
echo " status"
|
echo " status"
|
||||||
echo " try <directory> [ <timeout> ]"
|
echo " try <directory> [ <timeout> ]"
|
||||||
echo " version"
|
echo " version"
|
||||||
echo
|
echo
|
||||||
echo "The -c and -f options may not be specified with a <directory> in the start, restart and check commands"
|
|
||||||
exit $1
|
exit $1
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -664,6 +671,7 @@ SHOREWALL_DIR=
|
|||||||
QUIET=
|
QUIET=
|
||||||
IPT_OPTIONS="-nv"
|
IPT_OPTIONS="-nv"
|
||||||
FAST=
|
FAST=
|
||||||
|
VERBOSE=
|
||||||
|
|
||||||
done=0
|
done=0
|
||||||
|
|
||||||
@ -705,6 +713,10 @@ while [ $done -eq 0 ]; do
|
|||||||
FAST=Yes
|
FAST=Yes
|
||||||
option=${option#f}
|
option=${option#f}
|
||||||
;;
|
;;
|
||||||
|
v*)
|
||||||
|
VERBOSE=Yes
|
||||||
|
option=${option#v}
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
usage 1
|
usage 1
|
||||||
;;
|
;;
|
||||||
@ -938,6 +950,9 @@ case "$1" in
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
capabilities)
|
||||||
|
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock capabilities
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
shift
|
shift
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowICMPs
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs
|
||||||
#
|
#
|
||||||
# ACCEPT needed ICMP types
|
# ACCEPT needed ICMP types
|
||||||
#
|
#
|
||||||
|
@ -11,6 +11,9 @@
|
|||||||
# 2. Copy this file to /etc/shorewall/action.<action name>
|
# 2. Copy this file to /etc/shorewall/action.<action name>
|
||||||
# 3. Add the desired rules to that file.
|
# 3. Add the desired rules to that file.
|
||||||
#
|
#
|
||||||
|
# Please see http://shorewall.net/Actions.html for additional
|
||||||
|
# information.
|
||||||
|
#
|
||||||
# Columns are:
|
# Columns are:
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
@ -1,6 +1,8 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.2 /usr/share/shorewall/actions.std
|
# Shorewall 2.2 /usr/share/shorewall/actions.std
|
||||||
#
|
#
|
||||||
|
# Please see http://shorewall.net/Actions.html for additional
|
||||||
|
# information.
|
||||||
#
|
#
|
||||||
# Builtin Actions are:
|
# Builtin Actions are:
|
||||||
#
|
#
|
||||||
@ -12,6 +14,10 @@
|
|||||||
# #conntrack state.
|
# #conntrack state.
|
||||||
# allowInvalid #Accept packets that are in the INVALID
|
# allowInvalid #Accept packets that are in the INVALID
|
||||||
# #conntrack state.
|
# #conntrack state.
|
||||||
|
# allowoutUPnP #Allow traffic from local command 'upnpd'
|
||||||
|
# allowinUPnP #Allow UPnP inbound (to firewall) traffic
|
||||||
|
# forwardUPnP #Allow traffic that upnpd has redirected from
|
||||||
|
# #'upnp' interfaces.
|
||||||
#
|
#
|
||||||
#ACTION
|
#ACTION
|
||||||
|
|
||||||
|
@ -44,11 +44,9 @@
|
|||||||
31.0.0.0/8 logdrop # Reserved
|
31.0.0.0/8 logdrop # Reserved
|
||||||
36.0.0.0/7 logdrop # Reserved
|
36.0.0.0/7 logdrop # Reserved
|
||||||
39.0.0.0/8 logdrop # Reserved
|
39.0.0.0/8 logdrop # Reserved
|
||||||
41.0.0.0/8 logdrop # Reserved
|
|
||||||
42.0.0.0/8 logdrop # Reserved
|
42.0.0.0/8 logdrop # Reserved
|
||||||
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||||
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||||
73.0.0.0/8 logdrop # Reserved
|
|
||||||
74.0.0.0/7 logdrop # Reserved
|
74.0.0.0/7 logdrop # Reserved
|
||||||
76.0.0.0/6 logdrop # Reserved
|
76.0.0.0/6 logdrop # Reserved
|
||||||
89.0.0.0/8 logdrop # Reserved
|
89.0.0.0/8 logdrop # Reserved
|
||||||
|
@ -937,7 +937,7 @@ validate_interfaces_file() {
|
|||||||
|
|
||||||
for option in $options; do
|
for option in $options; do
|
||||||
case $option in
|
case $option in
|
||||||
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|-)
|
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
|
||||||
;;
|
;;
|
||||||
detectnets)
|
detectnets)
|
||||||
[ -n "$wildcard" ] && \
|
[ -n "$wildcard" ] && \
|
||||||
@ -975,13 +975,21 @@ validate_hosts_file() {
|
|||||||
r="$z $hosts $options"
|
r="$z $hosts $options"
|
||||||
validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\""
|
validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\""
|
||||||
|
|
||||||
interface=${hosts%%:*}
|
case $hosts in
|
||||||
iface=$(chain_base $interface)
|
*:*)
|
||||||
|
|
||||||
list_search $interface $ALL_INTERFACES || \
|
interface=${hosts%%:*}
|
||||||
startup_error "Unknown interface ($interface) in record \"$r\""
|
iface=$(chain_base $interface)
|
||||||
|
|
||||||
hosts=${hosts#*:}
|
list_search $interface $ALL_INTERFACES || \
|
||||||
|
startup_error "Unknown interface ($interface) in record \"$r\""
|
||||||
|
|
||||||
|
hosts=${hosts#*:}
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
fatal_error "Invalid HOST(S) column contents: $hosts"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
eval ports=\$${iface}_ports
|
eval ports=\$${iface}_ports
|
||||||
eval zports=\$${z}_ports
|
eval zports=\$${z}_ports
|
||||||
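Review bot: The new default arm reports a malformed HOST(S) column through `fatal_error`, while the two checks just above it in the same function (`validate_zone1`, `list_search`) use `startup_error` and quote the offending record; unless a different error path is intended here, `startup_error "Invalid HOST(S) column contents ($hosts) in record \"$r\""` keeps the function's diagnostics uniform. The `case $hosts in *:*)` guard itself is a good addition, since before it an entry without a colon was only caught later as an unknown interface rather than as a bad column. validate_hosts_file starts before the hunk and continues after it.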
@ -2826,6 +2834,12 @@ check_config() {
|
|||||||
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
|
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
|
||||||
|
|
||||||
|
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
|
||||||
|
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
|
||||||
|
fi
|
||||||
|
|
||||||
echo "Determining Zones..."
|
echo "Determining Zones..."
|
||||||
|
|
||||||
determine_zones
|
determine_zones
|
||||||
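Review bot: MACLIST_TTL is only normalised when it is exactly `0`; a non-numeric or negative value passes the new check and is presumably handed on to iptables later, so it is worth rejecting alongside the other configuration checks with `case $MACLIST_TTL in *[!0-9]*) startup_error "Invalid MACLIST_TTL ($MACLIST_TTL)" ;; esac` placed before the zeroing line (an empty value matches nothing and stays allowed). The new test also uses the `-a` form of `[`, which POSIX marks obsolescent; `[ -n "$MACLIST_TTL" ] && [ -z "$RECENT_MATCH" ]` is unambiguous. check_config starts and ends outside the hunk.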
@ -3473,7 +3487,8 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
|
|||||||
#
|
#
|
||||||
process_actions1() {
|
process_actions1() {
|
||||||
|
|
||||||
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid"
|
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
|
||||||
|
|
||||||
USEDACTIONS=
|
USEDACTIONS=
|
||||||
|
|
||||||
strip_file actions
|
strip_file actions
|
||||||
@ -3544,6 +3559,15 @@ process_actions1() {
|
|||||||
|
|
||||||
process_actions2() {
|
process_actions2() {
|
||||||
|
|
||||||
|
local interfaces="$(find_interfaces_by_option upnp)"
|
||||||
|
|
||||||
|
if [ -n "$interfaces" ]; then
|
||||||
|
if ! list_search forwardUPnP $USEDACTIONS; then
|
||||||
|
error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)"
|
||||||
|
USEDACTIONS="$USEDACTIONS forwardUPnP"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
progress_message " Generating Transitive Closure of Used-action List..."
|
progress_message " Generating Transitive Closure of Used-action List..."
|
||||||
|
|
||||||
changed=Yes
|
changed=Yes
|
||||||
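Review bot: `local interfaces="$(find_interfaces_by_option upnp)"` combines the declaration with the command substitution, so the exit status of `find_interfaces_by_option` is replaced by that of `local` and a failure inside it cannot be noticed; splitting it into `local interfaces` and `interfaces=$(find_interfaces_by_option upnp)` keeps the status available. The warning text `Warning:Missing forwardUPnP rule` is also missing a space after the colon. process_actions2 continues outside the hunk.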
@ -3695,6 +3719,26 @@ process_actions3() {
|
|||||||
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
|
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
forwardUPnP)
|
||||||
|
;;
|
||||||
|
allowinUPnP)
|
||||||
|
if [ "$COMMAND" != check ]; then
|
||||||
|
if [ -n "$xlevel" ]; then
|
||||||
|
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900
|
||||||
|
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152
|
||||||
|
fi
|
||||||
|
|
||||||
|
run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT
|
||||||
|
run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
allowoutUPnP)
|
||||||
|
if [ "$COMMAND" != check ]; then
|
||||||
|
[ -n "$xlevel" ] && \
|
||||||
|
log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
|
||||||
|
run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
|
||||||
|
fi
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
#
|
#
|
||||||
# Not a builtin
|
# Not a builtin
|
||||||
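Review bot: The logging rule for allowoutUPnP passes `--owner-cmd upnpd` to the owner match while the accepting rule two lines later passes `--cmd-owner upnpd`; the iptables owner match option is `--cmd-owner`, so with a log level set the log rule would be rejected by iptables while the ACCEPT rule is installed, and the log line should read `... -A -m owner --cmd-owner upnpd`. Beyond the typo, matching on the command name is a weak control because it identifies a process by its self-reported name rather than by credentials; if upnpd runs under a dedicated user, a `--uid-owner` match is the more robust basis for the exception. The allowinUPnP arm opens udp 1900 and tcp 49152 on the chain with no restriction beyond what the caller's chain already provides; if these builtin actions are meant only for interfaces carrying the 'upnp' option, a comment above `allowinUPnP)` saying so would help readers. process_actions3 starts and ends outside the hunk.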
@ -3802,7 +3846,14 @@ add_nat_rule() {
|
|||||||
|
|
||||||
# Select target
|
# Select target
|
||||||
|
|
||||||
if [ -n "$serv" ]; then
|
if [ "$logtarget" = SAME ]; then
|
||||||
|
[ -n "$servport" ] && fatal_error "Port mapping not allowed in SAME rules"
|
||||||
|
serv1=
|
||||||
|
for srv in $(separate_list $serv); do
|
||||||
|
serv1="$serv1 --to ${srv}"
|
||||||
|
done
|
||||||
|
target1="SAME $serv1"
|
||||||
|
elif [ -n "$serv" ]; then
|
||||||
servport="${servport:+:$servport}"
|
servport="${servport:+:$servport}"
|
||||||
serv1=
|
serv1=
|
||||||
for srv in $(separate_list $serv); do
|
for srv in $(separate_list $serv); do
|
||||||
@ -4065,9 +4116,9 @@ add_a_rule()
|
|||||||
servport=${servport:=$port}
|
servport=${servport:=$port}
|
||||||
natrule=Yes
|
natrule=Yes
|
||||||
;;
|
;;
|
||||||
DNAT)
|
DNAT|SAME)
|
||||||
[ -n "$serv" ] || \
|
[ -n "$serv" ] || \
|
||||||
fatal_error "DNAT rules require a server address; rule: \"$rule\""
|
fatal_error "$logtarget rules require a server address; rule: \"$rule\""
|
||||||
natrule=Yes
|
natrule=Yes
|
||||||
;;
|
;;
|
||||||
LOG)
|
LOG)
|
||||||
@ -4084,7 +4135,7 @@ add_a_rule()
|
|||||||
if [ -n "$natrule" ]; then
|
if [ -n "$natrule" ]; then
|
||||||
add_nat_rule
|
add_nat_rule
|
||||||
elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
|
elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
|
||||||
fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\""
|
fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$dnat_only" ]; then
|
if [ -z "$dnat_only" ]; then
|
||||||
@ -4139,7 +4190,7 @@ add_a_rule()
|
|||||||
|
|
||||||
[ -n "$addr" ] && fatal_error \
|
[ -n "$addr" ] && fatal_error \
|
||||||
"An ORIGINAL DESTINATION ($addr) is only allowed in" \
|
"An ORIGINAL DESTINATION ($addr) is only allowed in" \
|
||||||
" a DNAT or REDIRECT: \"$rule\""
|
" a DNAT, SAME or REDIRECT: \"$rule\""
|
||||||
|
|
||||||
if [ $COMMAND != check ]; then
|
if [ $COMMAND != check ]; then
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
@ -4289,7 +4340,7 @@ process_rule() # $1 = target
|
|||||||
CONTINUE)
|
CONTINUE)
|
||||||
target=RETURN
|
target=RETURN
|
||||||
;;
|
;;
|
||||||
DNAT*)
|
DNAT*|SAME*)
|
||||||
target=ACCEPT
|
target=ACCEPT
|
||||||
address=${address:=detect}
|
address=${address:=detect}
|
||||||
;;
|
;;
|
||||||
@ -4322,8 +4373,13 @@ process_rule() # $1 = target
|
|||||||
excludezones="${clientzone#*!}"
|
excludezones="${clientzone#*!}"
|
||||||
clientzone="${clientzone%!*}"
|
clientzone="${clientzone%!*}"
|
||||||
|
|
||||||
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
|
case $logtarget in
|
||||||
fatal_error "Exclude list only allowed with DNAT or REDIRECT"
|
DNAT|REDIRECT|SAME)
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
fatal_error "Exclude list only allowed with DNAT, SAME or REDIRECT"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\""
|
validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\""
|
||||||
@ -4386,7 +4442,7 @@ process_rule() # $1 = target
|
|||||||
protocol=${protocol:=all}
|
protocol=${protocol:=all}
|
||||||
|
|
||||||
case $logtarget in
|
case $logtarget in
|
||||||
DNAT*)
|
DNAT*|SAME)
|
||||||
if [ -n "$XMULTIPORT" ] && \
|
if [ -n "$XMULTIPORT" ] && \
|
||||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||||
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
||||||
@ -4540,7 +4596,7 @@ process_rules()
|
|||||||
}
|
}
|
||||||
|
|
||||||
do_it() {
|
do_it() {
|
||||||
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec
|
expandv xprotocol xports xcports xaddress xratelimit xuserspec
|
||||||
|
|
||||||
if [ "x$xclients" = xall ]; then
|
if [ "x$xclients" = xall ]; then
|
||||||
xclients="$zones $FW"
|
xclients="$zones $FW"
|
||||||
@ -4548,13 +4604,13 @@ process_rules()
|
|||||||
xservers="$zones $FW"
|
xservers="$zones $FW"
|
||||||
fi
|
fi
|
||||||
process_wildcard_rule
|
process_wildcard_rule
|
||||||
continue
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "x$xservers" = xall ]; then
|
if [ "x$xservers" = xall ]; then
|
||||||
xservers="$zones $FW"
|
xservers="$zones $FW"
|
||||||
process_wildcard_rule
|
process_wildcard_rule
|
||||||
continue
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||||
@ -4562,10 +4618,16 @@ process_rules()
|
|||||||
}
|
}
|
||||||
|
|
||||||
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
|
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
|
||||||
expandv xtarget
|
expandv xtarget xclients xservers
|
||||||
|
|
||||||
|
if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then
|
||||||
|
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||||
|
progress_message " Rule \"$rule\" ignored."
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
case "${xtarget%%:*}" in
|
case "${xtarget%%:*}" in
|
||||||
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
|
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
|
||||||
do_it
|
do_it
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
@ -4971,7 +5033,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
|
|||||||
|
|
||||||
[ -n "$chain" ] && { echo $chain; return; }
|
[ -n "$chain" ] && { echo $chain; return; }
|
||||||
|
|
||||||
fatal_error "No appropriate chain for zone $1 to zone $2"
|
fatal_error "No policy defined for zone $1 to zone $2"
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -5116,6 +5178,8 @@ setup_masq()
|
|||||||
|
|
||||||
[ "x$addresses" = x- ] && addresses=
|
[ "x$addresses" = x- ] && addresses=
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then
|
if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then
|
||||||
for address in $(separate_list $addresses); do
|
for address in $(separate_list $addresses); do
|
||||||
address=${address%:)}
|
address=${address%:)}
|
||||||
@ -5262,17 +5326,35 @@ setup_masq()
|
|||||||
target=MASQUERADE
|
target=MASQUERADE
|
||||||
|
|
||||||
if [ -n "$addresses" ]; then
|
if [ -n "$addresses" ]; then
|
||||||
for address in $(separate_list $addresses); do
|
case "$addresses" in
|
||||||
case $address in
|
SAME:nodst:*)
|
||||||
*.*.*.*)
|
target="SAME --nodst"
|
||||||
target=SNAT
|
addresses=${addresses#SAME:nodst:}
|
||||||
addrlist="$addrlist --to-source $address"
|
for address in $(separate_list $addresses); do
|
||||||
;;
|
addrlist="$addrlist --to $address";
|
||||||
*)
|
done
|
||||||
addrlist="$addrlist --to-ports ${address#:}"
|
;;
|
||||||
;;
|
SAME:*)
|
||||||
esac
|
target="SAME"
|
||||||
done
|
addresses=${addresses#SAME:}
|
||||||
|
for address in $(separate_list $addresses); do
|
||||||
|
addrlist="$addrlist --to $address";
|
||||||
|
done
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
for address in $(separate_list $addresses); do
|
||||||
|
case $address in
|
||||||
|
*.*.*.*)
|
||||||
|
target=SNAT
|
||||||
|
addrlist="$addrlist --to-source $address"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
addrlist="$addrlist --to-ports ${address#:}"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
;;
|
||||||
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "$networks" ]; then
|
if [ -n "$networks" ]; then
|
||||||
@ -5621,6 +5703,7 @@ determine_capabilities() {
|
|||||||
PHYSDEV_MATCH=
|
PHYSDEV_MATCH=
|
||||||
IPRANGE_MATCH=
|
IPRANGE_MATCH=
|
||||||
RECENT_MATCH=
|
RECENT_MATCH=
|
||||||
|
OWNER_MATCH=
|
||||||
|
|
||||||
qt $IPTABLES -N fooX1234
|
qt $IPTABLES -N fooX1234
|
||||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||||
@ -5630,6 +5713,7 @@ determine_capabilities() {
|
|||||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||||
|
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
|
||||||
|
|
||||||
if [ -n "$PKTTYPE" ]; then
|
if [ -n "$PKTTYPE" ]; then
|
||||||
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
||||||
@ -5660,6 +5744,7 @@ report_capabilities() {
|
|||||||
report_capability "Physdev Match" $PHYSDEV_MATCH
|
report_capability "Physdev Match" $PHYSDEV_MATCH
|
||||||
report_capability "IP range Match" $IPRANGE_MATCH
|
report_capability "IP range Match" $IPRANGE_MATCH
|
||||||
report_capability "Recent Match" $RECENT_MATCH
|
report_capability "Recent Match" $RECENT_MATCH
|
||||||
|
report_capability "Owner Match" $OWNER_MATCH
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -5678,6 +5763,11 @@ initialize_netfilter () {
|
|||||||
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
|
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
|
||||||
|
|
||||||
|
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
|
||||||
|
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
|
||||||
|
fi
|
||||||
|
|
||||||
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
|
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
|
||||||
startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
|
startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
|
||||||
@ -6290,6 +6380,20 @@ add_common_rules() {
|
|||||||
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
|
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
#
|
||||||
|
# UPnP
|
||||||
|
#
|
||||||
|
interfaces=$(find_interfaces_by_option upnp)
|
||||||
|
|
||||||
|
if [ -n "$interfaces" ]; then
|
||||||
|
echo "Setting up UPnP..."
|
||||||
|
|
||||||
|
createnatchain UPnP
|
||||||
|
|
||||||
|
for interface in $interfaces; do
|
||||||
|
run_iptables -t nat -A PREROUTING -i $interface -j UPnP
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
setup_forwarding
|
setup_forwarding
|
||||||
}
|
}
|
||||||
@ -6767,6 +6871,7 @@ define_firewall() # $1 = Command (Start or Restart)
|
|||||||
mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
|
mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
|
||||||
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
|
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
|
||||||
|
|
||||||
|
run_user_exit started
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -7482,12 +7587,6 @@ do_initialize() {
|
|||||||
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
||||||
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
||||||
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
||||||
|
|
||||||
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
|
|
||||||
|
|
||||||
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
|
|
||||||
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
|
|
||||||
fi
|
|
||||||
#
|
#
|
||||||
# Strip the files that we use often
|
# Strip the files that we use often
|
||||||
#
|
#
|
||||||
@ -7672,6 +7771,10 @@ case "$COMMAND" in
|
|||||||
EMPTY=
|
EMPTY=
|
||||||
$@
|
$@
|
||||||
;;
|
;;
|
||||||
|
capabilities)
|
||||||
|
do_initialize
|
||||||
|
report_capabilities
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
usage
|
usage
|
||||||
;;
|
;;
|
||||||
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||||
#
|
#
|
||||||
# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net)
|
# (c) 2003-2005 - Tom Eastep (teastep@shorewall.net)
|
||||||
# Steve Herber (herber@thing.com)
|
# Steve Herber (herber@thing.com)
|
||||||
#
|
#
|
||||||
# This file should be placed in /usr/share/shorewall/help
|
# This file should be placed in /usr/share/shorewall/help
|
||||||
@ -254,6 +254,8 @@ show)
|
|||||||
|
|
||||||
shorewall show zones - displays the contents of all zones.
|
shorewall show zones - displays the contents of all zones.
|
||||||
|
|
||||||
|
shorewall show capabilities - displays your kernel/iptables capabilities
|
||||||
|
|
||||||
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
@ -1 +1 @@
|
|||||||
2.2.3
|
2.2.4
|
||||||
|