diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 1b8791d28..cb745a978 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -6,3 +6,5 @@ Changes since 1.4.6
 MANGLE_ENABLED is set before it is tested.
 3) Fixed MAC address handling in the SOURCE column of tcrules.
+
+4) Merged and corrected Steve Herber's command-specific help patch.
diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh
index 2ed23c2e8..22a3a658a 100755
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@@ -82,6 +82,7 @@ restore_file /etc/shorewall/functions
 restore_file /usr/lib/shorewall/functions
 restore_file /var/lib/shorewall/functions
 restore_file /usr/lib/shorewall/firewall
+restore_file /usr/lib/shorewall/help
 restore_file /etc/shorewall/common.def
diff --git a/Shorewall/help b/Shorewall/help
new file mode 100755
index 000000000..059df2eb0
--- /dev/null
+++ b/Shorewall/help
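Review bot: The added `restore_file /usr/lib/shorewall/help` names a different directory from the one this commit installs the file into; install.sh, shorewall.spec and the header comment of the new script all place it at /usr/share/shorewall/help. The line is consistent with its neighbours, which restore the legacy /usr/lib/shorewall copies of functions and firewall, so it is presumably meant as the legacy entry. If the /usr/share/shorewall restores live outside this hunk, a matching `restore_file /usr/share/shorewall/help` is needed there as well; otherwise a fallback leaves the new `shorewall help` command pointing at a file that was never restored.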
@@ -0,0 +1,260 @@
+#!/bin/sh
+#
+# Shorewall help subsystem - V1.4 - 3/14/2003
+#
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2003 - Tom Eastep (teastep@shorewall.net)
+# Steve Herber (herber@thing.com)
+#
+# This file should be placed in /usr/share/shorewall/help
+#
+# Shorewall documentation is available at http://shorewall.sourceforge.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+##################################################################################
+
+case $1 in
+
+add)
+ echo "add: add [:]
+ Adds a host or subnet to a dynamic zone usually used with VPN's.
+
+ shorewall add interface[:host] zone - Adds the specified interface
+ (and host if included) to the specified zone.
+
+ Example:
+
+ shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
+ from interface ipsec0 to the zone vpn1.
+
+ See also \"help host\""
+ ;;
+
+address|host)
+ echo "<$1>:
+ May be either a host IP address such as 192.168.1.4 or a network address in
+ CIDR format like 192.168.1.0/24"
+ ;;
+
+allow)
+ echo "allow: allow
...
+ Re-enables receipt of packets from hosts previously blacklisted
+ by a drop, dropall, reject or rejectall command.
+
+ Shorewall allow, drop, dropall, reject, rejectall, and save implement
+ dynamic blacklisting.
+
+ See also \"help address\""
+ ;;
+
+check)
+ echo "check: check [ -c ]
+ Performs a cursory validation of the zones, interfaces, hosts,
+ rules and policy files. Use this if you are unsure of any edits
+ you have made to the shorewall configuration. See the try command
+ examples for a recommended way to make changes."
+ ;;
+
+clear)
+ echo "clear: clear
+ Clear will remove all rules and chains installed by Shoreline.
+ The firewall is then wide open and unprotected. Existing
+ connections are untouched. Clear is often used to see if the
+ firewall is causing connection problems."
+ ;;
+
+debug)
+ echo "debug: debug
+ If you include the keyword debug as the first argument to any
+ of these commands:
+
+ start|stop|restart|reset|clear|refresh|check|add|delete
+
+ then a shell trace of the command is produced. For example:
+
+ shorewall debug start 2> /tmp/trace
+
+ The above command would trace the 'start' command and
+ place the trace information in the file /tmp/trace."
+ ;;
+
+delete)
+ echo "delete: delete [:]
+ Deletes a host or subnet from a dynamic zone usually used with VPN's.
+
+ shorewall delete interface[:host] zone - Deletes the specified
+ interface (and host if included) from the specified zone.
+
+ Example:
+
+ shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
+ 192.0.2.24 from interface ipsec0 from zone vpn1
+
+ See also \"help host\""
+ ;;
+
+drop|dropall)
+ echo "$1: $1
...
+ Causes packets from the specified
to be ignored
+
+ Shorewall allow, drop, dropall, reject, rejectall, and save implement
+ dynamic blacklisting.
+
+ 'dropall' causes all interfaces to be monitored for packets from the
+ given address while 'drop' causes only those interfaces with a route
+ to the address to be monitored.
+
+ See also \"help address\""
+ ;;
+
+help)
+ echo "help: help [ | host | address ]
+ Display helpful information about the shorewall commands."
+ ;;
+
+hits)
+ echo "hits: hits
+ Produces several reports about the Shorewall packet log messages
+ in the current /var/log/messages file."
+ ;;
+
+ipcalc)
+ echo "ipcalc: ipcalc [ address mask | address/vlsm ]
+ Ipcalc displays the network address, broadcast address,
+ network in CIDR notation and netmask corresponding to the input[s]."
+ ;;
+
+iprange)
+ echo "iprange: iprange address1-address2
+ Iprange decomposes the specified range of IP addresses into the
+ equivalent list of network/host addresses."
+ ;;
+
+logwatch)
+ echo "logwatch: logwatch []
+ Monitors the LOGFILE, $LOGFILE,
+ and produces an audible alarm when new Shorewall messages are logged."
+ ;;
+
+monitor)
+ echo "monitor: monitor []
+ Continuously display the firewall status, last 20 log entries and nat.
+ When the log entry display changes, an audible alarm is sounded."
+ ;;
+
+refresh)
+ echo "refresh: refresh
+ The rules involving the broadcast addresses of firewall interfaces,
+ the black list, traffic control rules and ECN control rules are recreated
+ to reflect any changes made. Existing connections are untouched"
+ ;;
+
+reject|rejectall)
+ echo "$1: $1
...
+ Causes packets from the specified
to be rejected
+
+ Shorewall allow, drop, dropall, reject, rejectall, and save implement
+ dynamic blacklisting.
+
+ 'rejectall' causes all interfaces to be monitored for packets from the
+ given address while 'reject' causes only those interfaces with a route
+ to the address to be monitored.
+
+ See also \"help address\""
+ ;;
+
+reset)
+ echo "reset: reset
+ All the packet and byte counters in the firewall are reset."
+ ;;
+
+restart)
+ echo "restart: restart [ -c ]
+ Restart is the same as a shorewall stop && shorewall start.
+ Existing connections are dropped."
+ ;;
+
+save)
+ echo "save: save
+ The dynamic data is stored in /var/lib/shorewall/save
+ Shorewall allow, drop, dropall, reject, rejectall, and save implement
+ dynamic blacklisting."
+ ;;
+
+show)
+ echo "show: show [|classifiers|connections|log|nat|tc|tos]
+ shorewall show chain - produce a verbose report about the IPtable chains.
+ (iptables -L chain -n -v)
+
+ shorewall show nat - produce a verbose report about the nat table.
+ (iptables -t nat -L -n -v)
+
+ shorewall show tos - produce a verbose report about the mangle table.
+ (iptables -t mangle -L -n -v)
+
+ shorewall show log - display the last 20 packet log entries.
+
+ shorewall show connections - displays the IP connections currently
+ being tracked by the firewall.
+
+ shorewall show tc - displays information about the traffic
+ control/shaping configuration."
+ ;;
+
+start)
+ echo "start: start [ -c ]
+ Start shorewall. Existing connections through shorewall managed
+ interfaces are untouched. New connections will be allowed only
+ if they are allowed by the firewall rules or policies."
+ ;;
+
+stop)
+ echo "stop: stop
+ Stops the firewall. All existing connections, except those
+ listed in /etc/shorewall/routestopped, are taken down.
+ The only new traffic permitted through the firewall
+ is from systems listed in /etc/shorewall/routestopped."
+ ;;
+
+status)
+ echo "status: status
+ Produce a verbose report about the firewall. 
+
+ (iptables -L -n -v)"
+ ;;
+
+try)
+ echo "try: try [ ]
+ Restart shorewall using the specified configuration. If an error
+ occurs during the restart, then another shorewall restart is performed
+ using the default configuration. If a timeout is specified then
+ the restart is always performed after the timeout occurs and uses
+ the default configuration."
+ ;;
+
+version)
+ echo "version: version
+ Show the current shorewall version which is: $version"
+ ;;
+
+*)
+ echo "$1: $1 is not recognized by the help command"
+ ;;
+
+esac
+
+exit 0 # always ok
+
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index 94231684a..b0f7c4c57 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -54,7 +54,7 @@
 # /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.4.6-20030726
+VERSION=1.4.6-20030727
 usage() # $1 = exit status
 {
@@ -316,6 +316,14 @@ install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
 echo
 echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions"
+
+#
+# Install the Help file
+#
+install_file_with_backup help ${PREFIX}/usr/share/shorewall/help 0544
+
+echo
+echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
 #
 # Install the common.def file
 #
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index aa16b933a..3be81fc92 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -9,8 +9,6 @@ Problems Corrected since version 1.4.6:
 tcrules file. Previously, these addresses resulted in an invalid iptables command.
-None.
-
 Migration Issues:
 1) Once you have installed this version of Shorewall, you must
@@ -32,3 +30,5 @@ New Features:
 that do what 'drop' and 'reject' used to do; namely, when an address is blacklisted using these new commands, it will be blacklisted on all of your firewall's interfaces.
+2) Thanks to Steve Herber, the help command can now give
+ command-specific help. 
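Review bot: The `logwatch)` arm interpolates `$LOGFILE`, but this script runs as a separate process via `exec $HELP` from the new `help()` function in Shorewall/shorewall, which exports only `version`, so unless LOGFILE is already exported elsewhere the text prints as `Monitors the LOGFILE, ,`; either export it alongside version in that function (`export version LOGFILE`) or fall back here with `${LOGFILE:-not set}`. `case $1 in` should be `case "$1" in` so an empty argument or one containing spaces is matched as a single word rather than word-split. The `*)` arm reports an unrecognized command and then falls through to `exit 0 # always ok`, so `shorewall help nosuchcommand` returns success to the caller; an `exit 1` in that arm would let scripts tell the two outcomes apart.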
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index a3d01eae3..ff9132581 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -555,6 +555,16 @@ save_dynamic_blacklist() {
 fi
 }
+
+#
+# Help information
+#
+help()
+{
+ [ -x $HELP ] && { export version; exec $HELP $*; }
+ echo "Help subsystem is not installed at $HELP"
+}
+
 #
 # Give Usage Information
 #
@@ -563,27 +573,28 @@ usage() # $1 = exit status
 echo "Usage: `basename $0` [debug] [nolock] [-c ] "
 echo "where is one of:"
 echo " add [:] "
+ echo " allow
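Review bot: `exec $HELP $*` in the new `help()` passes the user's argument through an unquoted `$*`, so an argument containing spaces or glob characters is re-split and globbed before it reaches the help script; the dispatch arm `help $@` added in the last hunk of this file has the same problem. Use `exec "$HELP" "$@"` here and `help "$@"` there, so the single argument admitted by that arm's `[ $# -ne 1 ]` check arrives at the help script intact. The not-installed message is written to stdout and the function then returns the status of `echo`, so a missing help file looks like a successful command; `echo "Help subsystem is not installed at $HELP" >&2; return 1` would make the failure visible to both users and callers.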
..." + echo " check" + echo " clear" echo " delete [:] " + echo " drop|dropall
..." + echo " help [ | host | address ]" + echo " hits" + echo " ipcalc [
/ |
]" + echo " iprange
-
" + echo " logwatch []" + echo " monitor []" + echo " refresh" + echo " reject|rejectall
..." + echo " reset" + echo " restart" + echo " save" echo " show [|classifiers|connections|log|nat|tc|tos]" echo " start" echo " stop" - echo " reset" - echo " restart" echo " status" - echo " clear" - echo " refresh" - echo " hits" - echo " monitor []" - echo " version" - echo " check" echo " try [ ]" - echo " logwatch []" - echo " drop|dropall
..." - echo " reject|rejectall
..." - echo " allow
..." - echo " save" - echo " ipcalc [
/ |
]" - echo " iprange
-
" + echo " version" exit $1 } @@ -653,6 +664,7 @@ SHARED_DIR=/usr/share/shorewall FIREWALL=$SHARED_DIR/firewall FUNCTIONS=$SHARED_DIR/functions VERSION_FILE=$SHARED_DIR/version +HELP=$SHARED_DIR/help if [ -f $FUNCTIONS ]; then . $FUNCTIONS @@ -1008,6 +1020,11 @@ case "$1" in shift; $@ ;; + help) + shift + [ $# -ne 1 ] && usage 1 + help $@ + ;; *) usage 1 ;; diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 0b66e0862..6b29c2b5b 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 1.4.6_20030726 +%define version 1.4.6_20030727 %define release 1 %define prefix /usr @@ -101,10 +101,14 @@ fi %attr(0544,root,root) /sbin/shorewall %attr(0444,root,root) /usr/share/shorewall/functions %attr(0544,root,root) /usr/share/shorewall/firewall +%attr(0544,root,root) /usr/share/shorewall/help %doc documentation %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Sun Jul 27 2003 Tom Eastep +- Added /usr/share/shorewall/help +- Changed version to 1.4.6_20030727-1 * Sat Jul 26 2003 Tom Eastep - Changed version to 1.4.6_20030726-1 * Sat Jul 19 2003 Tom Eastep