Shorewall 1.4.6_20030727

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@679 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-07-27 18:17:39 +00:00
parent f7ea7cdd41
commit a7c1270e07
7 changed files with 311 additions and 19 deletions

View File

@ -6,3 +6,5 @@ Changes since 1.4.6
MANGLE_ENABLED is set before it is tested.
3) Fixed MAC address handling in the SOURCE column of tcrules.
4) Merged and corrected Steve Herber's command-specific help patch.

View File

@ -82,6 +82,7 @@ restore_file /etc/shorewall/functions
restore_file /usr/lib/shorewall/functions
restore_file /var/lib/shorewall/functions
restore_file /usr/lib/shorewall/firewall
restore_file /usr/lib/shorewall/help
restore_file /etc/shorewall/common.def

260
Shorewall/help Executable file
View File

@ -0,0 +1,260 @@
#!/bin/sh
#
# Shorewall help subsystem - V1.4 - 3/14/2003
#
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2003 - Tom Eastep (teastep@shorewall.net)
# Steve Herber (herber@thing.com)
#
# This file should be placed in /usr/share/shorewall/help
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
##################################################################################
case $1 in
add)
echo "add: add <interface>[:<host>] <zone>
Adds a host or subnet to a dynamic zone usually used with VPN's.
shorewall add interface[:host] zone - Adds the specified interface
(and host if included) to the specified zone.
Example:
shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
from interface ipsec0 to the zone vpn1.
See also \"help host\""
;;
address|host)
echo "<$1>:
May be either a host IP address such as 192.168.1.4 or a network address in
CIDR format like 192.168.1.0/24"
;;
allow)
echo "allow: allow <address> ...
Re-enables receipt of packets from hosts previously blacklisted
by a drop, dropall, reject or rejectall command.
Shorewall allow, drop, dropall, reject, rejectall, and save implement
dynamic blacklisting.
See also \"help address\""
;;
check)
echo "check: check [ -c <configuration-directory> ]
Performs a cursory validation of the zones, interfaces, hosts,
rules and policy files. Use this if you are unsure of any edits
you have made to the shorewall configuration. See the try command
examples for a recommended way to make changes."
;;
clear)
echo "clear: clear
Clear will remove all rules and chains installed by Shoreline.
The firewall is then wide open and unprotected. Existing
connections are untouched. Clear is often used to see if the
firewall is causing connection problems."
;;
debug)
echo "debug: debug
If you include the keyword debug as the first argument to any
of these commands:
start|stop|restart|reset|clear|refresh|check|add|delete
then a shell trace of the command is produced. For example:
shorewall debug start 2> /tmp/trace
The above command would trace the 'start' command and
place the trace information in the file /tmp/trace."
;;
delete)
echo "delete: delete <interface>[:<host>] <zone>
Deletes a host or subnet from a dynamic zone usually used with VPN's.
shorewall delete interface[:host] zone - Deletes the specified
interface (and host if included) from the specified zone.
Example:
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
192.0.2.24 from interface ipsec0 from zone vpn1
See also \"help host\""
;;
drop|dropall)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored
Shorewall allow, drop, dropall, reject, rejectall, and save implement
dynamic blacklisting.
'dropall' causes all interfaces to be monitored for packets from the
given address while 'drop' causes only those interfaces with a route
to the address to be monitored.
See also \"help address\""
;;
help)
echo "help: help [<command> | host | address ]
Display helpful information about the shorewall commands."
;;
hits)
echo "hits: hits
Produces several reports about the Shorewall packet log messages
in the current /var/log/messages file."
;;
ipcalc)
echo "ipcalc: ipcalc [ address mask | address/vlsm ]
Ipcalc displays the network address, broadcast address,
network in CIDR notation and netmask corresponding to the input[s]."
;;
iprange)
echo "iprange: iprange address1-address2
Iprange decomposes the specified range of IP addresses into the
equivalent list of network/host addresses."
;;
logwatch)
echo "logwatch: logwatch [<refresh interval>]
Monitors the LOGFILE, $LOGFILE,
and produces an audible alarm when new Shorewall messages are logged."
;;
monitor)
echo "monitor: monitor [<refresh_interval>]
Continuously display the firewall status, last 20 log entries and nat.
When the log entry display changes, an audible alarm is sounded."
;;
refresh)
echo "refresh: refresh
The rules involving the broadcast addresses of firewall interfaces,
the black list, traffic control rules and ECN control rules are recreated
to reflect any changes made. Existing connections are untouched"
;;
reject|rejectall)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected
Shorewall allow, drop, dropall, reject, rejectall, and save implement
dynamic blacklisting.
'rejectall' causes all interfaces to be monitored for packets from the
given address while 'reject' causes only those interfaces with a route
to the address to be monitored.
See also \"help address\""
;;
reset)
echo "reset: reset
All the packet and byte counters in the firewall are reset."
;;
restart)
echo "restart: restart [ -c <configuration-directory> ]
Restart is the same as a shorewall stop && shorewall start.
Existing connections are dropped."
;;
save)
echo "save: save
The dynamic data is stored in /var/lib/shorewall/save
Shorewall allow, drop, dropall, reject, rejectall, and save implement
dynamic blacklisting."
;;
show)
echo "show: show [<chain>|classifiers|connections|log|nat|tc|tos]
shorewall show chain - produce a verbose report about the IPtable chains.
(iptables -L chain -n -v)
shorewall show nat - produce a verbose report about the nat table.
(iptables -t nat -L -n -v)
shorewall show tos - produce a verbose report about the mangle table.
(iptables -t mangle -L -n -v)
shorewall show log - display the last 20 packet log entries.
shorewall show connections - displays the IP connections currently
being tracked by the firewall.
shorewall show tc - displays information about the traffic
control/shaping configuration."
;;
start)
echo "start: start [ -c <configuration-directory> ]
Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies."
;;
stop)
echo "stop: stop
Stops the firewall. All existing connections, except those
listed in /etc/shorewall/routestopped, are taken down.
The only new traffic permitted through the firewall
is from systems listed in /etc/shorewall/routestopped."
;;
status)
echo "status: status
Produce a verbose report about the firewall.
(iptables -L -n -v)"
;;
try)
echo "try: try <configuration-directory> [ <timeout> ]
Restart shorewall using the specified configuration. If an error
occurs during the restart, then another shorewall restart is performed
using the default configuration. If a timeout is specified then
the restart is always performed after the timeout occurs and uses
the default configuration."
;;
version)
echo "version: version
Show the current shorewall version which is: $version"
;;
*)
echo "$1: $1 is not recognized by the help command"
;;
esac
exit 0 # always ok

View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.6-20030726
VERSION=1.4.6-20030727
usage() # $1 = exit status
{
@ -316,6 +316,14 @@ install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
echo
echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions"
#
# Install the Help file
#
install_file_with_backup help ${PREFIX}/usr/share/shorewall/help 0544
echo
echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
#
# Install the common.def file
#

View File

@ -9,8 +9,6 @@ Problems Corrected since version 1.4.6:
tcrules file. Previously, these addresses resulted in an invalid
iptables command.
None.
Migration Issues:
1) Once you have installed this version of Shorewall, you must
@ -32,3 +30,5 @@ New Features:
that do what 'drop' and 'reject' used to do; namely, when an address
is blacklisted using these new commands, it will be blacklisted on
all of your firewall's interfaces.
2) Thanks to Steve Herber, the help command can now give
command-specific help.

View File

@ -555,6 +555,16 @@ save_dynamic_blacklist() {
fi
}
#
# Help information
#
help()
{
[ -x $HELP ] && { export version; exec $HELP $*; }
echo "Help subsystem is not installed at $HELP"
}
#
# Give Usage Information
#
@ -563,27 +573,28 @@ usage() # $1 = exit status
echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>"
echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>"
echo " allow <address> ..."
echo " check"
echo " clear"
echo " delete <interface>[:<host>] <zone>"
echo " drop|dropall <address> ..."
echo " help [ <command > | host | address ]"
echo " hits"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
echo " iprange <address>-<address>"
echo " logwatch [<refresh interval>]"
echo " monitor [<refresh interval>]"
echo " refresh"
echo " reject|rejectall <address> ..."
echo " reset"
echo " restart"
echo " save"
echo " show [<chain>|classifiers|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
echo " reset"
echo " restart"
echo " status"
echo " clear"
echo " refresh"
echo " hits"
echo " monitor [<refresh interval>]"
echo " version"
echo " check"
echo " try <directory> [ <timeout> ]"
echo " logwatch [<refresh interval>]"
echo " drop|dropall <address> ..."
echo " reject|rejectall <address> ..."
echo " allow <address> ..."
echo " save"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
echo " iprange <address>-<address>"
echo " version"
exit $1
}
@ -653,6 +664,7 @@ SHARED_DIR=/usr/share/shorewall
FIREWALL=$SHARED_DIR/firewall
FUNCTIONS=$SHARED_DIR/functions
VERSION_FILE=$SHARED_DIR/version
HELP=$SHARED_DIR/help
if [ -f $FUNCTIONS ]; then
. $FUNCTIONS
@ -1008,6 +1020,11 @@ case "$1" in
shift;
$@
;;
help)
shift
[ $# -ne 1 ] && usage 1
help $@
;;
*)
usage 1
;;

View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 1.4.6_20030726
%define version 1.4.6_20030727
%define release 1
%define prefix /usr
@ -101,10 +101,14 @@ fi
%attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /usr/share/shorewall/functions
%attr(0544,root,root) /usr/share/shorewall/firewall
%attr(0544,root,root) /usr/share/shorewall/help
%doc documentation
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Sun Jul 27 2003 Tom Eastep <tom@shorewall.net>
- Added /usr/share/shorewall/help
- Changed version to 1.4.6_20030727-1
* Sat Jul 26 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030726-1
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>