Shorewall 1.4.6_20030727
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@679 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
f7ea7cdd41
commit
a7c1270e07
@ -6,3 +6,5 @@ Changes since 1.4.6
|
||||
MANGLE_ENABLED is set before it is tested.
|
||||
|
||||
3) Fixed MAC address handling in the SOURCE column of tcrules.
|
||||
|
||||
4) Merged and corrected Steve Herber's command-specific help patch.
|
||||
|
@ -82,6 +82,7 @@ restore_file /etc/shorewall/functions
|
||||
restore_file /usr/lib/shorewall/functions
|
||||
restore_file /var/lib/shorewall/functions
|
||||
restore_file /usr/lib/shorewall/firewall
|
||||
restore_file /usr/lib/shorewall/help
|
||||
|
||||
restore_file /etc/shorewall/common.def
|
||||
|
||||
|
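Review bot: The restore path added here, `restore_file /usr/lib/shorewall/help`, does not match where this commit puts the file: install.sh writes it to `${PREFIX}/usr/share/shorewall/help`, the spec packages `/usr/share/shorewall/help`, and `shorewall` resolves it as `$SHARED_DIR/help` with `SHARED_DIR=/usr/share/shorewall`. If this script is meant to back out the current layout, the line should read `restore_file /usr/share/shorewall/help`; if /usr/lib is a deliberately retained legacy location (the three `functions` entries suggest that pattern), an entry for the /usr/share path is still missing. The surrounding lines are context only, so I cannot tell from the hunk which is intended.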
260
Shorewall/help
Executable file
260
Shorewall/help
Executable file
@ -0,0 +1,260 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall help subsystem - V1.4 - 3/14/2003
|
||||
#
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2003 - Tom Eastep (teastep@shorewall.net)
|
||||
# Steve Herber (herber@thing.com)
|
||||
#
|
||||
# This file should be placed in /usr/share/shorewall/help
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
##################################################################################
|
||||
|
||||
case $1 in
|
||||
|
||||
add)
|
||||
echo "add: add <interface>[:<host>] <zone>
|
||||
Adds a host or subnet to a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall add interface[:host] zone - Adds the specified interface
|
||||
(and host if included) to the specified zone.
|
||||
|
||||
Example:
|
||||
|
||||
shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
|
||||
from interface ipsec0 to the zone vpn1.
|
||||
|
||||
See also \"help host\""
|
||||
;;
|
||||
|
||||
address|host)
|
||||
echo "<$1>:
|
||||
May be either a host IP address such as 192.168.1.4 or a network address in
|
||||
CIDR format like 192.168.1.0/24"
|
||||
;;
|
||||
|
||||
allow)
|
||||
echo "allow: allow <address> ...
|
||||
Re-enables receipt of packets from hosts previously blacklisted
|
||||
by a drop, dropall, reject or rejectall command.
|
||||
|
||||
Shorewall allow, drop, dropall, reject, rejectall, and save implement
|
||||
dynamic blacklisting.
|
||||
|
||||
See also \"help address\""
|
||||
;;
|
||||
|
||||
check)
|
||||
echo "check: check [ -c <configuration-directory> ]
|
||||
Performs a cursory validation of the zones, interfaces, hosts,
|
||||
rules and policy files. Use this if you are unsure of any edits
|
||||
you have made to the shorewall configuration. See the try command
|
||||
examples for a recommended way to make changes."
|
||||
;;
|
||||
|
||||
clear)
|
||||
echo "clear: clear
|
||||
Clear will remove all rules and chains installed by Shoreline.
|
||||
The firewall is then wide open and unprotected. Existing
|
||||
connections are untouched. Clear is often used to see if the
|
||||
firewall is causing connection problems."
|
||||
;;
|
||||
|
||||
debug)
|
||||
echo "debug: debug
|
||||
If you include the keyword debug as the first argument to any
|
||||
of these commands:
|
||||
|
||||
start|stop|restart|reset|clear|refresh|check|add|delete
|
||||
|
||||
then a shell trace of the command is produced. For example:
|
||||
|
||||
shorewall debug start 2> /tmp/trace
|
||||
|
||||
The above command would trace the 'start' command and
|
||||
place the trace information in the file /tmp/trace."
|
||||
;;
|
||||
|
||||
delete)
|
||||
echo "delete: delete <interface>[:<host>] <zone>
|
||||
Deletes a host or subnet from a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall delete interface[:host] zone - Deletes the specified
|
||||
interface (and host if included) from the specified zone.
|
||||
|
||||
Example:
|
||||
|
||||
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
|
||||
192.0.2.24 from interface ipsec0 from zone vpn1
|
||||
|
||||
See also \"help host\""
|
||||
;;
|
||||
|
||||
drop|dropall)
|
||||
echo "$1: $1 <address> ...
|
||||
Causes packets from the specified <address> to be ignored
|
||||
|
||||
Shorewall allow, drop, dropall, reject, rejectall, and save implement
|
||||
dynamic blacklisting.
|
||||
|
||||
'dropall' causes all interfaces to be monitored for packets from the
|
||||
given address while 'drop' causes only those interfaces with a route
|
||||
to the address to be monitored.
|
||||
|
||||
See also \"help address\""
|
||||
;;
|
||||
|
||||
help)
|
||||
echo "help: help [<command> | host | address ]
|
||||
Display helpful information about the shorewall commands."
|
||||
;;
|
||||
|
||||
hits)
|
||||
echo "hits: hits
|
||||
Produces several reports about the Shorewall packet log messages
|
||||
in the current /var/log/messages file."
|
||||
;;
|
||||
|
||||
ipcalc)
|
||||
echo "ipcalc: ipcalc [ address mask | address/vlsm ]
|
||||
Ipcalc displays the network address, broadcast address,
|
||||
network in CIDR notation and netmask corresponding to the input[s]."
|
||||
;;
|
||||
|
||||
iprange)
|
||||
echo "iprange: iprange address1-address2
|
||||
Iprange decomposes the specified range of IP addresses into the
|
||||
equivalent list of network/host addresses."
|
||||
;;
|
||||
|
||||
logwatch)
|
||||
echo "logwatch: logwatch [<refresh interval>]
|
||||
Monitors the LOGFILE, $LOGFILE,
|
||||
and produces an audible alarm when new Shorewall messages are logged."
|
||||
;;
|
||||
|
||||
monitor)
|
||||
echo "monitor: monitor [<refresh_interval>]
|
||||
Continuously display the firewall status, last 20 log entries and nat.
|
||||
When the log entry display changes, an audible alarm is sounded."
|
||||
;;
|
||||
|
||||
refresh)
|
||||
echo "refresh: refresh
|
||||
The rules involving the broadcast addresses of firewall interfaces,
|
||||
the black list, traffic control rules and ECN control rules are recreated
|
||||
to reflect any changes made. Existing connections are untouched"
|
||||
;;
|
||||
|
||||
reject|rejectall)
|
||||
echo "$1: $1 <address> ...
|
||||
Causes packets from the specified <address> to be rejected
|
||||
|
||||
Shorewall allow, drop, dropall, reject, rejectall, and save implement
|
||||
dynamic blacklisting.
|
||||
|
||||
'rejectall' causes all interfaces to be monitored for packets from the
|
||||
given address while 'reject' causes only those interfaces with a route
|
||||
to the address to be monitored.
|
||||
|
||||
See also \"help address\""
|
||||
;;
|
||||
|
||||
reset)
|
||||
echo "reset: reset
|
||||
All the packet and byte counters in the firewall are reset."
|
||||
;;
|
||||
|
||||
restart)
|
||||
echo "restart: restart [ -c <configuration-directory> ]
|
||||
Restart is the same as a shorewall stop && shorewall start.
|
||||
Existing connections are dropped."
|
||||
;;
|
||||
|
||||
save)
|
||||
echo "save: save
|
||||
The dynamic data is stored in /var/lib/shorewall/save
|
||||
Shorewall allow, drop, dropall, reject, rejectall, and save implement
|
||||
dynamic blacklisting."
|
||||
;;
|
||||
|
||||
show)
|
||||
echo "show: show [<chain>|classifiers|connections|log|nat|tc|tos]
|
||||
shorewall show chain - produce a verbose report about the IPtable chains.
|
||||
(iptables -L chain -n -v)
|
||||
|
||||
shorewall show nat - produce a verbose report about the nat table.
|
||||
(iptables -t nat -L -n -v)
|
||||
|
||||
shorewall show tos - produce a verbose report about the mangle table.
|
||||
(iptables -t mangle -L -n -v)
|
||||
|
||||
shorewall show log - display the last 20 packet log entries.
|
||||
|
||||
shorewall show connections - displays the IP connections currently
|
||||
being tracked by the firewall.
|
||||
|
||||
shorewall show tc - displays information about the traffic
|
||||
control/shaping configuration."
|
||||
;;
|
||||
|
||||
start)
|
||||
echo "start: start [ -c <configuration-directory> ]
|
||||
Start shorewall. Existing connections through shorewall managed
|
||||
interfaces are untouched. New connections will be allowed only
|
||||
if they are allowed by the firewall rules or policies."
|
||||
;;
|
||||
|
||||
stop)
|
||||
echo "stop: stop
|
||||
Stops the firewall. All existing connections, except those
|
||||
listed in /etc/shorewall/routestopped, are taken down.
|
||||
The only new traffic permitted through the firewall
|
||||
is from systems listed in /etc/shorewall/routestopped."
|
||||
;;
|
||||
|
||||
status)
|
||||
echo "status: status
|
||||
Produce a verbose report about the firewall.
|
||||
|
||||
(iptables -L -n -v)"
|
||||
;;
|
||||
|
||||
try)
|
||||
echo "try: try <configuration-directory> [ <timeout> ]
|
||||
Restart shorewall using the specified configuration. If an error
|
||||
occurs during the restart, then another shorewall restart is performed
|
||||
using the default configuration. If a timeout is specified then
|
||||
the restart is always performed after the timeout occurs and uses
|
||||
the default configuration."
|
||||
;;
|
||||
|
||||
version)
|
||||
echo "version: version
|
||||
Show the current shorewall version which is: $version"
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "$1: $1 is not recognized by the help command"
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
exit 0 # always ok
|
||||
|
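Review bot: The `logwatch` arm expands `$LOGFILE` in `Monitors the LOGFILE, $LOGFILE,`, but the `help()` function this commit adds to `shorewall` exports only `version` before `exec`'ing this script, so the message will print an empty name unless LOGFILE is exported somewhere outside these hunks. Either export it at the call site alongside `version`, or let the text degrade gracefully here with `Monitors the LOGFILE${LOGFILE:+, $LOGFILE},`. Separately, the `*)` arm reports an unrecognized topic and then reaches `exit 0 # always ok`, so a caller cannot tell a bad topic from a good one; if that is intentional a comment in the `*)` arm should say so, otherwise `exit 1` there is the better choice.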
@ -54,7 +54,7 @@
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.4.6-20030726
|
||||
VERSION=1.4.6-20030727
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -316,6 +316,14 @@ install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
|
||||
|
||||
echo
|
||||
echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions"
|
||||
|
||||
#
|
||||
# Install the Help file
|
||||
#
|
||||
install_file_with_backup help ${PREFIX}/usr/share/shorewall/help 0544
|
||||
|
||||
echo
|
||||
echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
|
||||
#
|
||||
# Install the common.def file
|
||||
#
|
||||
|
@ -9,8 +9,6 @@ Problems Corrected since version 1.4.6:
|
||||
tcrules file. Previously, these addresses resulted in an invalid
|
||||
iptables command.
|
||||
|
||||
None.
|
||||
|
||||
Migration Issues:
|
||||
|
||||
1) Once you have installed this version of Shorewall, you must
|
||||
@ -32,3 +30,5 @@ New Features:
|
||||
that do what 'drop' and 'reject' used to do; namely, when an address
|
||||
is blacklisted using these new commands, it will be blacklisted on
|
||||
all of your firewall's interfaces.
|
||||
2) Thanks to Steve Herber, the help command can now give
|
||||
command-specific help.
|
||||
|
@ -555,6 +555,16 @@ save_dynamic_blacklist() {
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Help information
|
||||
#
|
||||
help()
|
||||
{
|
||||
[ -x $HELP ] && { export version; exec $HELP $*; }
|
||||
echo "Help subsystem is not installed at $HELP"
|
||||
}
|
||||
|
||||
#
|
||||
# Give Usage Information
|
||||
#
|
||||
@ -563,27 +573,28 @@ usage() # $1 = exit status
|
||||
echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>"
|
||||
echo "where <command> is one of:"
|
||||
echo " add <interface>[:<host>] <zone>"
|
||||
echo " allow <address> ..."
|
||||
echo " check"
|
||||
echo " clear"
|
||||
echo " delete <interface>[:<host>] <zone>"
|
||||
echo " drop|dropall <address> ..."
|
||||
echo " help [ <command > | host | address ]"
|
||||
echo " hits"
|
||||
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
|
||||
echo " iprange <address>-<address>"
|
||||
echo " logwatch [<refresh interval>]"
|
||||
echo " monitor [<refresh interval>]"
|
||||
echo " refresh"
|
||||
echo " reject|rejectall <address> ..."
|
||||
echo " reset"
|
||||
echo " restart"
|
||||
echo " save"
|
||||
echo " show [<chain>|classifiers|connections|log|nat|tc|tos]"
|
||||
echo " start"
|
||||
echo " stop"
|
||||
echo " reset"
|
||||
echo " restart"
|
||||
echo " status"
|
||||
echo " clear"
|
||||
echo " refresh"
|
||||
echo " hits"
|
||||
echo " monitor [<refresh interval>]"
|
||||
echo " version"
|
||||
echo " check"
|
||||
echo " try <directory> [ <timeout> ]"
|
||||
echo " logwatch [<refresh interval>]"
|
||||
echo " drop|dropall <address> ..."
|
||||
echo " reject|rejectall <address> ..."
|
||||
echo " allow <address> ..."
|
||||
echo " save"
|
||||
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
|
||||
echo " iprange <address>-<address>"
|
||||
echo " version"
|
||||
exit $1
|
||||
}
|
||||
|
||||
@ -653,6 +664,7 @@ SHARED_DIR=/usr/share/shorewall
|
||||
FIREWALL=$SHARED_DIR/firewall
|
||||
FUNCTIONS=$SHARED_DIR/functions
|
||||
VERSION_FILE=$SHARED_DIR/version
|
||||
HELP=$SHARED_DIR/help
|
||||
|
||||
if [ -f $FUNCTIONS ]; then
|
||||
. $FUNCTIONS
|
||||
@ -1008,6 +1020,11 @@ case "$1" in
|
||||
shift;
|
||||
$@
|
||||
;;
|
||||
help)
|
||||
shift
|
||||
[ $# -ne 1 ] && usage 1
|
||||
help $@
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
|
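Review bot: `help()` passes the user's topic to the help script through an unquoted `$*` (`exec $HELP $*`), and the `help)` arm calls `help $@` unquoted as well, so the argument is word-split and glob-expanded before the help script sees it; the `[ $# -ne 1 ] && usage 1` check only counts words after that expansion has happened. Quote both: `exec $HELP "$@"` and `help "$@"`. When `$HELP` is not executable the function prints the not-installed message and returns the echo's status, so `shorewall help <topic>` appears to exit successfully with no help subsystem; a `return 1` after the echo (or `exit 1` in the `help)` arm) would surface that to scripts.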
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 1.4.6_20030726
|
||||
%define version 1.4.6_20030727
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -101,10 +101,14 @@ fi
|
||||
%attr(0544,root,root) /sbin/shorewall
|
||||
%attr(0444,root,root) /usr/share/shorewall/functions
|
||||
%attr(0544,root,root) /usr/share/shorewall/firewall
|
||||
%attr(0544,root,root) /usr/share/shorewall/help
|
||||
%doc documentation
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Sun Jul 27 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Added /usr/share/shorewall/help
|
||||
- Changed version to 1.4.6_20030727-1
|
||||
* Sat Jul 26 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6_20030726-1
|
||||
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
|
||||
|