From ab3d3e0ce9c96400ad7a8e6350aebd48b7f613ec Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 14 May 2004 13:40:31 +0000 Subject: [PATCH] Shorewall 2.0.2 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1327 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Lrp2/etc/shorewall/hosts | 9 +- Lrp2/etc/shorewall/interfaces | 12 +- Lrp2/etc/shorewall/masq | 38 +- Lrp2/etc/shorewall/nat | 3 +- Lrp2/etc/shorewall/rules | 16 + Lrp2/etc/shorewall/shorewall.conf | 62 ++- Lrp2/sbin/shorewall | 132 ++++- Lrp2/usr/share/shorewall/bogons | 14 +- Lrp2/usr/share/shorewall/firewall | 719 +++++++++++++++++----------- Lrp2/usr/share/shorewall/functions | 35 +- Lrp2/usr/share/shorewall/help | 68 ++- Lrp2/usr/share/shorewall/version | 2 +- Lrp2/var/lib/lrpkg/shorwall.list | 1 + Lrp2/var/lib/lrpkg/shorwall.version | 2 +- 14 files changed, 750 insertions(+), 363 deletions(-) diff --git a/Lrp2/etc/shorewall/hosts b/Lrp2/etc/shorewall/hosts index 2aaf93a97..49e322adb 100644 --- a/Lrp2/etc/shorewall/hosts +++ b/Lrp2/etc/shorewall/hosts @@ -14,6 +14,11 @@ # individual IP addresses. Most simple setups don't need to # (should not) place anything in this file. # +# The order of entries in this file is not significant in +# determining zone composition. Rather, the order that the zones +# are defined in /etc/shorewall/zones determines the order in +# which the records in this file are interpreted. +# # ZONE - The name of a zone defined in /etc/shorewall/zones # # HOST(S) - The name of an interface defined in the 
@@ -49,10 +54,10 @@ # an ethernet NIC and must be up before # Shorewall is started. # -# routeback - Shorewall show set up the infrastructure +# routeback - Shorewall should set up the infrastructure # to pass packets from this/these # address(es) back to themselves. This is -# necessary of hosts in this group use the +# necessary if hosts in this group use the # services of a transparent proxy that is # a member of the group or if DNAT is used # to send requests originating from this diff --git a/Lrp2/etc/shorewall/interfaces b/Lrp2/etc/shorewall/interfaces index 9a9642362..64c02ee22 100644 --- a/Lrp2/etc/shorewall/interfaces +++ b/Lrp2/etc/shorewall/interfaces @@ -115,11 +115,21 @@ # established connection will be accepted # from this interface, even if # NEWNOTSYN=No has been specified in -# /etc/shorewall/shorewall.conf. +# /etc/shorewall/shorewall.conf. In other +# words, packets coming in on this interface +# are processed as if NEWNOTSYN=Yes had been +# specified in /etc/shorewall/shorewall.conf. # # This option has no effect if # NEWNOTSYN=Yes. # +# It is the opinion of the author that +# NEWNOTSYN=No creates more problems than +# it solves and I recommend against using +# that setting in shorewall.conf (hence +# making the use of the 'newnotsyn' +# interface option unnecessary). +# # routeback - If specified, indicates that Shorewall # should include rules that allow filtering # traffic arriving on this interface back diff --git a/Lrp2/etc/shorewall/masq b/Lrp2/etc/shorewall/masq index c7b4534a7..109c198ad 100644 --- a/Lrp2/etc/shorewall/masq +++ b/Lrp2/etc/shorewall/masq 
@@ -55,6 +55,27 @@ # # This column may not contain DNS Names. # +# If you want to leave this column empty +# but you need to specify the next column then +# place a hyphen ("-") here. +# +# PROTO -- (Optional) If you wish to restrict this entry to a +# particular protocol then enter the protocol +# name (from /etc/protocols) or number here. +# +# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6) +# or UDP (protocol 17) then you may list one +# or more port numbers (or names from +# /etc/services) separated by commas or you +# may list a single port range +# (:). +# +# Where a comma-separated list is given, your +# kernel and iptables must have multiport match +# support and a maximum of 15 ports may be +# listed. +# +# # Example 1: # # You have a simple masquerading setup where eth0 connects to @@ -94,6 +115,19 @@ # # eth0:0 192.168.1.0/24 206.124.146.176 # -############################################################################## -#INTERFACE SUBNET ADDRESS +# Example 5: +# +# You want all outgoing SMTP traffic entering the firewall +# on eth1 to be sent from eth0 with source IP address +# 206.124.146.177. You want all other outgoing traffic +# from eth1 to be sent from eth0 with source IP address +# 206.124.146.176. +# +# eth0 eth1 206.124.146.177 tcp smtp +# eth0 eth1 206.124.146.176 +# +# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! +# +############################################################################### +#INTERFACE SUBNET ADDRESS PROTO PORT(S) #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Lrp2/etc/shorewall/nat b/Lrp2/etc/shorewall/nat index 7d3afb532..dbd44c4f0 100644 --- a/Lrp2/etc/shorewall/nat +++ b/Lrp2/etc/shorewall/nat 
@@ -29,8 +29,7 @@ # If No or no (or left empty) then NAT will be effective # only through the interface named in the INTERFACE # column -# LOCAL If Yes or yes and the ALL INTERFACES column contains -# Yes or yes, NAT will be effective from the firewall +# LOCAL If Yes or yes, NAT will be effective from the firewall # system ############################################################################## #EXTERNAL INTERFACE INTERNAL ALL LOCAL diff --git a/Lrp2/etc/shorewall/rules b/Lrp2/etc/shorewall/rules index 3d4adb7c5..4df78481b 100644 --- a/Lrp2/etc/shorewall/rules +++ b/Lrp2/etc/shorewall/rules @@ -25,6 +25,13 @@ # LOG, QUEUE or an . # # ACCEPT -- allow the connection request +# ACCEPT+ -- like ACCEPT but also excludes the +# connection from any subsequent +# DNAT[-] or REDIRECT[-] rules +# NONAT -- Excludes the connection from any +# subsequent DNAT[-] or REDIRECT[-] +# rules but doesn't generate a rule +# to accept the traffic. # DROP -- ignore the request # REJECT -- disallow the request and return an # icmp-unreachable or an RST packet. @@ -70,6 +77,15 @@ # to a separate log through use of ulogd # (http://www.gnumonks.org/projects/ulogd). # +# Actions specifying logging may be followed by a +# log tag (a string of alphanumeric characters) +# are appended to the string generated by the +# LOGPREFIX (in /etc/shorewall/shorewall.conf). +# +# Example: ACCEPT:info:ftp would include 'ftp ' +# at the end of the log prefix generated by the +# LOGPREFIX setting. +# # SOURCE Source hosts to which the rule applies. May be a zone # defined in /etc/shorewall/zones, $FW to indicate the # firewall itself, or "all" If the ACTION is DNAT or diff --git a/Lrp2/etc/shorewall/shorewall.conf b/Lrp2/etc/shorewall/shorewall.conf index c2f28100b..e553f469d 100755 --- a/Lrp2/etc/shorewall/shorewall.conf +++ b/Lrp2/etc/shorewall/shorewall.conf 
@@ -90,12 +90,21 @@ LOGFORMAT="Shorewall:%s:%s:" # maximum initial burst size that will be logged. If set empty, the default # value of 5 will be used. # +# If BOTH variables are set empty then logging will not be rate-limited. +# # Example: # # LOGRATE=10/minute # LOGBURST=5 # -# If BOTH variables are set empty then logging will not be rate-limited. +# For each logging rule, the first time the rule is reached, the packet +# will be logged; in fact, since the burst is 5, the first five packets +# will be logged. After this, it will be 6 seconds (1 minute divided by +# the rate of 10) before a message will be logged from the rule, regardless +# of how many packets reach it. Also, every 6 seconds which passes without +# matching a packet, one of the bursts will be regained; if no packets hit +# the rule for 30 seconds, the burst will be fully recharged; back where +# we started. # LOGRATE= @@ -169,8 +178,10 @@ RFC1918_LOG_LEVEL=info # SMURF Log Level # # Specifies the logging level for smurf packets dropped by the -#'nosmurfs' interface option in /etc/shorewall/interfaces. If set to the empty -# value ( SMURF_LOG_LEVEL="" ) then dropped smurfs are not logged. +#'nosmurfs' interface option in /etc/shorewall/interfaces and in +# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL="" +# ) then dropped smurfs are not logged. + # # See the comment at the top of this section for a description of log levels # 
@@ -181,8 +192,9 @@ SMURF_LOG_LEVEL=info # BOGON Log Level # # Specifies the logging level for bogon packets dropped by the -#'nobogons' interface option in /etc/shorewall/interfaces. If set to the empty -# value ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop' +#'nobogons' interface option in /etc/shorewall/interfaces and in +# /etc/shorewall/hosts. If set to the empty value +# ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop' # in /usr/share/shorewall/bogons are logged at the 'info' level. # # See the comment at the top of this section for a description of log levels @@ -222,7 +234,7 @@ SUBSYSLOCK=/var/run/shorewall # it is running # -STATEDIR=/tmp/shorewall +STATEDIR=/var/state/shorewall # # KERNEL MODULE DIRECTORY @@ -233,6 +245,19 @@ STATEDIR=/tmp/shorewall MODULESDIR= +# +# CONFIGURATION SEARCH PATH +# +# This option holds a list of directory names separated by colons +# (":"). Shorewall will search each directory in turn when looking for a +# configuration file. When processing a 'try' command or a command +# containing the "-c" option, Shorewall will automatically add the +# directory specified in the command to the front of this list. +# +# If not specified or specified as null ("CONFIG_PATH=""), +# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed. + +CONFIG_PATH=/etc/shorewall:/usr/share/shorewall ################################################################################ # F I R E W A L L O P T I O N S ################################################################################ @@ -432,7 +457,7 @@ MUTEX_TIMEOUT=60 # established connection. # # If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not -# part of an already established connection, it will be dropped by the +# part of an already established connection will be dropped by the # firewall. The setting of LOGNEWNOTSYN above determines if these packets are # logged before they are dropped. # 
@@ -444,7 +469,9 @@ MUTEX_TIMEOUT=60 # also need to select NEWNOTSYN=Yes. # # The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis -# using the 'newnotsyn' option in /etc/shorewall/interfaces. +# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a +# network or host basis using the same option in /etc/shorewall/hosts. + # # I find that NEWNOTSYN=No tends to result in lots of "stuck" # connections because any network timeout during TCP session tear down @@ -510,9 +537,9 @@ BLACKLISTNEWONLY=Yes # # When loading a module named in /etc/shorewall/modules, Shorewall normally # looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names -# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different -# naming convention then you can specify the suffix (extension) for module -# names in this variable. +# end in ".o", ".ko", ".gz", "o.gz" or "ko.gz" . If your distribution uses a +# different naming convention then you can specify the suffix (extension) for +# module names in this variable. # # To see what suffix is used by your distribution: # @@ -551,6 +578,14 @@ DISABLE_IPV6=Yes # BRIDGING=No + +# +# DYNAMIC ZONES +# +# If you need to be able to add and delete hosts from zones dynamically then +# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No. + +DYNAMIC_ZONES=No ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################ 
@@ -580,8 +615,9 @@ MACLIST_DISPOSITION=REJECT # # This variable determins the disposition of packets having an invalid # combination of TCP flags that are received on interfaces having the -# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified -# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed. +# 'tcpflags' option specified in /etc/shorewall/interfaces or in +# /etc/shorewall/hosts. If not specified or specified as empty +# (TCP_FLAGS_DISPOSITION="") then DROP is assumed. TCP_FLAGS_DISPOSITION=DROP diff --git a/Lrp2/sbin/shorewall b/Lrp2/sbin/shorewall index 90185f2d9..0883fce27 100755 --- a/Lrp2/sbin/shorewall +++ b/Lrp2/sbin/shorewall @@ -80,6 +80,10 @@ # "dropped" addresses so that it will # be automatically reinstated the # next time that Shorewall starts. +# Save the current state so that 'shorewall +# restore' can be used. +# +# shorewall forget Discard the data saved by 'shorewall save' # # shorewall ipaddr [
/ |
] # @@ -160,6 +164,7 @@ get_config() { exit 2 fi fi + } # @@ -530,7 +535,7 @@ help() # usage() # $1 = exit status { - echo "Usage: $(basename $0) [debug|trace] [nolock] [-c ] [ -x ] " + echo "Usage: $(basename $0) [debug|trace] [nolock] [-c ] [ -x ] [ -q ] " echo "where is one of:" echo " add [:] " echo " allow
..." @@ -538,6 +543,7 @@ usage() # $1 = exit status echo " clear" echo " delete [:] " echo " drop
..." + echo " forget" echo " help [ | host | address ]" echo " hits" echo " ipcalc [
/ |
]" @@ -548,6 +554,7 @@ usage() # $1 = exit status echo " reject
..." echo " reset" echo " restart" + echo " restore" echo " save" echo " show [ [ ... ]|classifiers|connections|log|nat|tc|tos]" echo " start" @@ -585,34 +592,60 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then fi SHOREWALL_DIR= +QUIET= IPT_OPTIONS="-nv" +FAST= + done=0 while [ $done -eq 0 ]; do [ $# -eq 0 ] && usage 1 - case $1 in - -c) - [ $# -eq 1 ] && usage 1 + option=$1 + case $option in + -*) + option=${option#-} - if [ ! -d $2 ]; then - if [ -e $2 ]; then - echo "$2 is not a directory" >&2 && exit 2 - else - echo "Directory $2 does not exist" >&2 && exit 2 - fi - fi + [ -z "$option" ] && usage 1 + + while [ -n "$option" ]; do + case $option in + c) + [ $# -eq 1 ] && usage 1 - SHOREWALL_DIR=$2 - shift - shift - ;; - -x) - IPT_OPTIONS="-xnv" - shift - ;; - *) - done=1 - ;; + if [ ! -d $2 ]; then + if [ -e $2 ]; then + echo "$2 is not a directory" >&2 && exit 2 + else + echo "Directory $2 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$2 + option= + shift + ;; + x*) + IPT_OPTIONS="-xnv" + option=${option#x} + ;; + q*) + QUIET=Yes + option=${option#q} + ;; + f*) + FAST=Yes + option=${option#f} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + done=1 + ;; esac done @@ -621,6 +654,7 @@ if [ $# -eq 0 ]; then fi [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR +[ -n "$QUIET" ] && export QUIET PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin MUTEX_TIMEOUT= @@ -638,6 +672,8 @@ else exit 2 fi +ensure_config_path + config=$(find_file shorewall.conf) if [ -f $config ]; then @@ -647,6 +683,10 @@ else exit 2 fi +ensure_config_path + +export CONFIG_PATH + [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall if [ ! -f $FIREWALL ]; then 
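Review bot: The new `c)` arm tests the directory argument unquoted (`if [ ! -d $2 ]`, `if [ -e $2 ]`), so a path containing whitespace is split into several words and the tests misbehave before the assignment is reached; quoting them, `if [ ! -d "$2" ]; then` and `if [ -e "$2" ]; then`, is enough, and `SHOREWALL_DIR=$2` is already safe as an assignment. Only `x`, `q` and `f` are written as `x*)`-style prefixes and can therefore be bundled (`-xq`), while `c` must stand alone or be the last letter of a bundle because it consumes the next argument; a one-line comment above the inner `case`, `# x, q and f may be bundled; c must come last since it takes the next argument`, would spare the next reader from working that out. Further down, `ensure_config_path` is now called both before and after shorewall.conf is read (hunks at -638 and -647); if the second call exists to pick up a CONFIG_PATH set by the conf file, a comment saying so would make the repetition look deliberate rather than accidental.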
@@ -691,7 +731,23 @@ case $(echo -n "Testing") in esac case "$1" in - start|stop|restart|reset|clear|refresh|check) + start) + [ $# -ne 1 ] && usage 1 + get_config + if [ -n "$FAST" ]; then + if [ -f /var/lib/shorewall/restore ]; then + echo Restoring Shorewall... + . /var/lib/shorewall/restore + date > $STATEDIR/restarted + echo Shorewall restored + else + exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start + fi + else + exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start + fi + ;; + stop|restart|reset|clear|refresh|check) [ $# -ne 1 ] && usage 1 get_config exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 @@ -909,11 +965,24 @@ case "$1" in [ -n "$debugging" ] && set -x [ $# -ne 1 ] && usage 1 mutex_on + if qt iptables -L shorewall -n; then [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall if iptables -L dynamic -n > /var/lib/shorewall/save; then - echo "Dynamic Rules Saved" + echo " Dynamic Rules Saved" + if [ -f /var/lib/shorewall/restore-base ]; then + cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$ + if iptables-save >> /var/lib/shorewall/restore-$$ ; then + echo EOF >> /var/lib/shorewall/restore-$$ + mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore + chmod +x /var/lib/shorewall/restore + echo " Currently-running Configuration Saved" + else + rm -f /var/lib/shorewall/restore-$$ + echo " ERROR: Currently-running Configuration Not Saved" + fi + fi else echo "Error Saving the Dynamic Rules" fi @@ -922,6 +991,11 @@ case "$1" in fi mutex_off ;; + forget) + rm -f /var/lib/shorewall/restore + rm -f /var/lib/shorewall/save + echo " Previously saved information discarded" + ;; ipcalc) [ -n "$debugging" ] && set -x if [ $# -eq 2 ]; then 
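Review bot: `save` creates `/var/lib/shorewall` with a bare `mkdir` and writes `restore` with whatever umask the caller has, yet the new fast path in `start` sources that file with `.` as a privileged script; `mkdir -m 0700 /var/lib/shorewall` (or an explicit `umask 077` before the `cp`/`iptables-save`) makes the mode independent of the calling environment, and refusing to source a file that is not root-owned or is group/world-writable would close the remaining gap. The fast path also runs the `.` without `mutex_on`/`mutex_off`, while `save` in the same file takes the mutex; if the restore script rewrites the same tables the same locking seems warranted (inferred, the script's contents are not in the hunk). The two `exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start` lines are identical, so `if [ -n "$FAST" -a -f /var/lib/shorewall/restore ]; then` with a single `else` branch expresses the same decision without the duplicate. The enclosing `case "$1" in` runs past the end of the hunk.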
@@ -957,6 +1031,16 @@ case "$1" in ;; esac ;; + restore) + if [ -f /var/lib/shorewall/restore ]; then + echo Restoring Shorewall... + . /var/lib/shorewall/restore + echo Shorewall restored + else + echo "File /var/lib/shorewall/restore: file not found" + exit 2 + fi + ;; call) [ -n "$debugging" ] && set -x # diff --git a/Lrp2/usr/share/shorewall/bogons b/Lrp2/usr/share/shorewall/bogons index a628499bd..6d65a1846 100644 --- a/Lrp2/usr/share/shorewall/bogons +++ b/Lrp2/usr/share/shorewall/bogons @@ -46,13 +46,19 @@ 49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 58.0.0.0/7 logdrop # Reserved -70.0.0.0/7 logdrop # Reserved +71.0.0.0/8 logdrop # Reserved 72.0.0.0/5 logdrop # Reserved -85.0.0.0/8 logdrop # Reserved -86.0.0.0/7 logdrop # Reserved -88.0.0.0/5 logdrop # Reserved +89.0.0.0/8 logdrop # Reserved +90.0.0.0/7 logdrop # Reserved +92.0.0.0/6 logdrop # Reserved 96.0.0.0/3 logdrop # Reserved 127.0.0.0/8 logdrop # Loopback +173.0.0.0/8 logdrop # Reserved +174.0.0.0/7 logdrop # Reserved +176.0.0.0/5 logdrop # Reserved +184.0.0.0/6 logdrop # Reserved +189.0.0.0/8 logdrop # Reserved +190.0.0.0/8 logdrop # Reserved 197.0.0.0/8 logdrop # Reserved 198.18.0.0/15 logdrop # Reserved 223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003 diff --git a/Lrp2/usr/share/shorewall/firewall b/Lrp2/usr/share/shorewall/firewall index ebaea2e66..469074252 100755 --- a/Lrp2/usr/share/shorewall/firewall +++ b/Lrp2/usr/share/shorewall/firewall @@ -51,6 +51,11 @@ my_mutex_off() { [ -n "$have_mutex" ] && { mutex_off; have_mutex=; } } +progress_message() # $* = Message +{ + [ -n "$QUIET" ] || echo "$@" +} + # # Message to stderr # 
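Review bot: The missing-file diagnostic in the new `restore` arm goes to stdout, unlike the other error paths in this script which use `>&2`; `echo "File /var/lib/shorewall/restore: file not found" >&2` keeps it out of captured output. This arm otherwise duplicates the fast path added to `start` in the same commit but neither takes the mutex nor writes `$STATEDIR/restarted`, so the two paths will drift; a small shared function used by both arms would keep them consistent. The enclosing `case "$1" in` continues outside the hunk.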
@@ -94,6 +99,47 @@ report () { # $* = message logger "$@" } +# +# Write the passed args to /var/lib/shorewall/restore-$$ +# +save_command() +{ + echo "$@" >> /var/lib/shorewall/restore-$$ +} + +# +# Save the passed command in the restore script then run it -- returns the status of the command +# If the command involves file redirection then it must be enclosed in quotes as in: +# +# run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" +# +run_and_save_command() +{ + echo "$@" >> /var/lib/shorewall/restore-$$ + eval $* +} + +# +# Run the passed command and if it succeeds, save it in the restore script. If it fails, stop the firewall and die +# +ensure_and_save_command() +{ + if eval $* ; then + echo "$@" >> /var/lib/shorewall/restore-$$ + else + [ -z "$stopping" ] && { stop_firewall; exit 2; } + fi +} + +# +# Append a file to /var/lib/shorewall/restore-$$ +# +append_file() { + save_command "cat > $STATEDIR/$1 << EOF" + cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$ + save_command EOF +} + # # Run iptables and if an error occurs, stop the firewall and quit # @@ -391,6 +437,31 @@ mac_chain() # $1 = interface echo $(chain_base $1)_mac } +# +# Functions for creating dynamic zone rules +# +dynamic_fwd() # $1 = interface +{ + echo $(chain_base $1)_dynf +} + +dynamic_in() # $1 = interface +{ + echo $(chain_base $1)_dyni +} + +dynamic_out() # $1 = interface +{ + echo $(chain_base $1)_dyno +} + +dynamic_chains() #$1 = interface +{ + local c=$(chain_base $1) + + echo ${c}_dyni ${c}_dynf ${c}_dyno +} + # # DNAT Chain from a zone # @@ -479,6 +550,7 @@ match_dest_hosts() echo -d $1 fi } + # # Similarly, the source or destination in a rule can be qualified by a device name. If # the device is defined in /etc/shorewall/interfaces then a normal interface match is 
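Review bot: `append_file` saves `cat > $STATEDIR/$1 << EOF` with an unquoted delimiter, so when the restore script is later sourced every `$`, backquote and backslash in the copied state file is expanded by the shell instead of being restored literally; writing it as `save_command "cat > $STATEDIR/$1 << \\EOF"` (which lands in the script as `<< \EOF`) keeps the body verbatim, and a state-file line consisting of just `EOF` would still end the here-document early, which deserves a comment if that cannot occur. `run_and_save_command` and `ensure_and_save_command` both `eval $*`, so arguments are word-split and re-parsed twice (once by `eval`, once when the saved line is sourced); the header comment already warns about redirections and should say the same for any argument containing whitespace or shell metacharacters. `ensure_and_save_command` stops the firewall without saying which command failed; `error_message "ERROR: Command \"$*\" failed"` before `stop_firewall` would name it, using the helper this file already calls elsewhere.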
@@ -815,7 +887,7 @@ validate_policy() [ $1 = $2 ] || \ [ $1 = all ] || \ [ $2 = all ] || \ - echo " Policy for $1 to $2 is $policy using chain $chain" + progress_message " Policy for $1 to $2 is $policy using chain $chain" } all_policy_chains= @@ -1038,7 +1110,7 @@ run_user_exit() # $1 = file name local user_exit=$(find_file $1) if [ -f $user_exit ]; then - echo "Processing $user_exit ..." + progress_message "Processing $user_exit ..." . $user_exit fi } 
@@ -1046,52 +1118,47 @@ run_user_exit() # $1 = file name # # Add a logging rule. # -log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limit $... = predicates for the rule +log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limit $5=log tag $... = predicates for the rule { local level=$1 local chain=$2 local disposition=$3 local rulenum= local limit="${4:-$LOGLIMIT}" + local tag=${5:+$5 } + local prefix - shift;shift;shift;shift + shift;shift;shift;shift;shift if [ -n "$LOGRULENUMBERS" ]; then eval rulenum=\$${chain}_logrules [ -z "$rulenum" ] && rulenum=1 - case $level in - ULOG) - eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"' - ;; - *) - eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \ - --log-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"' - ;; - esac - - if [ $? -ne 0 ] ; then - [ -z "$stopping" ] && { stop_firewall; exit 2; } - fi + prefix="$(printf "$LOGFORMAT" $chain $rulenum $disposition)${tag}" rulenum=$(($rulenum + 1)) - eval ${chain}_logrules=$rulenum else - case $level in - ULOG) - eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"' - ;; - *) - eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \ - --log-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"' - ;; - esac + prefix="$(printf "$LOGFORMAT" $chain $disposition)${tag}" + fi + + if [ ${#prefix} -gt 29 ]; then + prefix="$(echo $prefix | cut -b -29)" + error_message "Warning: Log Prefix shortened to \"$prefix\"" + fi + + case $level in + ULOG) + iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" + ;; + *) + iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" + ;; + esac - if [ $? -ne 0 ] ; then - [ -z "$stopping" ] && { stop_firewall; exit 2; } - fi + if [ $? 
-ne 0 ] ; then + [ -z "$stopping" ] && { stop_firewall; exit 2; } fi } @@ -1103,7 +1170,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo shift;shift;shift - log_rule_limit $level $chain $disposition "$LOGLIMIT" $@ + log_rule_limit $level $chain $disposition "$LOGLIMIT" "" $@ } # @@ -1112,11 +1179,11 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo setup_forwarding() { case "$IP_FORWARDING" in [Oo][Nn]) - echo 1 > /proc/sys/net/ipv4/ip_forward + run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" echo "IP Forwarding Enabled" ;; [Oo][Ff][Ff]) - echo 0 > /proc/sys/net/ipv4/ip_forward + run_and_save_command "echo 0 > /proc/sys/net/ipv4/ip_forward" echo "IP Forwarding Disabled!" ;; esac @@ -1126,12 +1193,16 @@ setup_forwarding() { # Disable IPV6 # disable_ipv6() { - if qt which ip6tables; then - ip6tables -P FORWARD DROP - ip6tables -P INPUT DROP - ip6tables -P OUTPUT DROP - else - error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables" + local foo=$(ip -f inet6 addr ls 2> /dev/null) + + if [ -n "$foo" ]; then + if qt which ip6tables; then + ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP + ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP + ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP + else + error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables" + fi fi } @@ -1151,6 +1222,16 @@ stop_firewall() { ;; *) set +x + rm -f /var/lib/shorewall/restore-$$ + + if [ -f /var/lib/shorewall/restore ]; then + echo Restoring Shorewall... + . /var/lib/shorewall/restore + echo Shorewall restored + my_mutex_off + kill $$ + exit 2 + fi ;; esac @@ -1270,6 +1351,8 @@ stop_firewall() { # else. Remove the lock file and Kill the shell in case we're in a # subshell # + rm -f /var/lib/shorewall/restore-$$ + my_mutex_off kill $$ ;; 
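Review bot: The truncation in `log_rule_limit` uses `echo $prefix | cut -b -29` with `$prefix` unquoted, so the shell collapses runs of spaces, drops the trailing space the tag adds via `${5:+$5 }`, and would glob-expand any `*` or `?` in LOGFORMAT before `cut` sees the text; `prefix="$(printf '%s' "$prefix" | cut -b -29)"` truncates the string exactly as it will be handed to `--log-prefix`. The `29` is a property of the kernel LOG/ULOG targets rather than of this script, so the `[ ${#prefix} -gt 29 ]` test deserves a why-comment such as `# LOG/ULOG --log-prefix is limited to 29 characters`. The function's closing brace is inside the hunk, but `log_rule`, its only caller shown here, is in the next hunk.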
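Review bot: `disable_ipv6` now sets the ip6tables DROP policies only when `ip -f inet6 addr ls` prints something, so on a host where `ip` is missing (the `2> /dev/null` hides that) or where IPv6 addresses are configured after Shorewall starts, DISABLE_IPV6=Yes silently does nothing where the previous code always applied the policies when ip6tables was present. If the intent is only to skip the work on hosts without IPv6, a comment saying so plus an `error_message "WARNING: DISABLE_IPV6=Yes but no IPv6 addresses were found; ip6tables policies not set"` in the empty-output branch would make the skipped step visible in the log. The local is named `foo`; `v6addrs` would tell the reader what is being tested.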
@@ -1290,9 +1373,11 @@ clear_firewall() { setpolicy FORWARD ACCEPT setpolicy OUTPUT ACCEPT - ip6tables -P INPUT ACCEPT 2> /dev/null - ip6tables -P OUTPUT ACCEPT 2> /dev/null - ip6tables -P FORWARD ACCEPT 2> /dev/null + if qt which ip6tables; then + ip6tables -P INPUT ACCEPT 2> /dev/null + ip6tables -P OUTPUT ACCEPT 2> /dev/null + ip6tables -P FORWARD ACCEPT 2> /dev/null + fi run_user_exit clear @@ -1353,7 +1438,7 @@ setup_tunnels() # $1 = name of tunnels file fi done - echo " IPSEC tunnel to $gateway defined." + progress_message " IPSEC tunnel to $gateway defined." } setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol @@ -1361,7 +1446,7 @@ setup_tunnels() # $1 = name of tunnels file addrule $inchain -p $3 -s $2 -j ACCEPT addrule $outchain -p $3 -d $2 -j ACCEPT - echo " $1 tunnel to $2 defined." + progress_message " $1 tunnel to $2 defined." } setup_pptp_client() # $1 = gateway @@ -1370,7 +1455,7 @@ setup_tunnels() # $1 = name of tunnels file addrule $inchain -p 47 -j ACCEPT addrule $outchain -p tcp --dport 1723 -d $1 -j ACCEPT - echo " PPTP tunnel to $1 defined." + progress_message " PPTP tunnel to $1 defined." } setup_pptp_server() @@ -1379,7 +1464,7 @@ setup_tunnels() # $1 = name of tunnels file addrule $outchain -p 47 -j ACCEPT addrule $inchain -p tcp --dport 1723 -j ACCEPT - echo " PPTP server defined." + progress_message " PPTP server defined." } setup_one_openvpn() # $1 = gateway, $2 = kind[:port] @@ -1396,7 +1481,7 @@ setup_tunnels() # $1 = name of tunnels file addrule $inchain -p udp -s $1 --sport $p --dport $p -j ACCEPT addrule $outchain -p udp -d $1 --sport $p --dport $p -j ACCEPT - echo " OPENVPN tunnel to $1:$p defined." + progress_message " OPENVPN tunnel to $1:$p defined." } setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port], $3 = Gateway Zone 
@@ -1434,7 +1519,7 @@ setup_tunnels() # $1 = name of tunnels file fi done - echo " GENERIC tunnel to $1:$p defined." + progress_message " GENERIC tunnel to $1:$p defined." } strip_file tunnels $1 @@ -1526,30 +1611,29 @@ setup_proxy_arp() { persistent= ;; [Yy][Ee][Ss]) + [ -z "$haveroute" ] || print_warning ;; *) if [ -n "$persistent" ]; then print_error1 return fi - - [ -z "$haveroute" ] || print_warning ;; esac if [ -z "$haveroute" ]; then - run_ip route replace $address dev $interface + ensure_and_save_command ip route replace $address dev $interface [ -n "$persistent" ] && haveroute=yes fi - run_arp -i $external -Ds $address $external pub + ensure_and_save_command arp -i $external -Ds $address $external pub - echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp - echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp + run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" + run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp" echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp - echo " Host $address connected to $interface added to ARP on $external" + progress_message " Host $address connected to $interface added to ARP on $external" } > ${STATEDIR}/proxyarp @@ -1563,7 +1647,8 @@ setup_proxy_arp() { for interface in $interfaces; do if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then - echo " Enabled proxy ARP on $interface" + progress_message " Enabled proxy ARP on $interface" + save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" else error_message "Warning: Unable to enable proxy ARP on $interface" fi @@ -1599,7 +1684,7 @@ setup_mac_lists() { fi done - echo "Setting up MAC Verification on $maclist_interfaces..." + progress_message "Setting up MAC Verification on $maclist_interfaces..." # # Be sure that they are all ethernet interfaces # 
@@ -1720,7 +1805,7 @@ setup_syn_flood_chain () enable_syn_flood_protection() # $1 = chain, $2 = protection chain { run_iptables -I $1 2 -p tcp --syn -j @$2 - echo " Enabled SYN flood protection" + progress_message " Enabled SYN flood protection" } # 
@@ -1759,32 +1844,35 @@ setup_nat() { iface=${interface%:*} if [ -n "$ADD_IP_ALIASES" ]; then - qt ip addr del $external dev $iface + run_and_save_command qt ip addr del $external dev $iface fi - if [ "$allints" = "Yes" -o "$allints" = "yes" ]; then + if [ "x$allints" = "xYes" -o "x$allints" = "xyes" ]; then addnatrule nat_in -d $external -j DNAT --to-destination $internal addnatrule nat_out -s $internal -j SNAT --to-source $external - if [ "$localnat" = "Yes" -o "$localnat" = "yes" ]; then - run_iptables2 -t nat -A OUTPUT -d $external \ - -j DNAT --to-destination $internal - fi - elif [ -z "$allints" -o "$allints" = "No" -o "$allints" = "no" ]; then + elif [ -z "$allints" -o "x$allints" = "x-" -o "x$allints" = "xNo" -o "x$allints" = "xno" ]; then addnatrule $(input_chain $iface) \ -d $external -j DNAT --to-destination $internal addnatrule $(output_chain $iface) \ -s $internal -j SNAT --to-source $external else - fatal_error "Invalid value ($allints) for ALL INTERFACES in entry \"$external $interface $internal $allints $localnet\"" + fatal_error "Invalid value ($allints) for ALL INTERFACES in entry \"$external $interface $internal $allints $localnat\"" fi + if [ "x$localnat" = "xYes" -o "x$localnat" = "xyes" ]; then + run_iptables2 -t nat -A OUTPUT -d $external -j DNAT --to-destination $internal + elif [ "x$localnat" != "x-" -a -n "$localnat" -a "x$localnat" != "xNo" -a "x$localnat" != "xno" ]; then + fatal_error "Invalid value ($allints) for LOCAL in entry \"$external $interface $internal $allints $localnat\"" + fi + + if [ -n "$ADD_IP_ALIASES" ]; then list_search $external $aliases_to_add || \ aliases_to_add="$aliases_to_add $external $interface" fi - echo " Host $internal NAT $external on $interface" + progress_message " Host $internal NAT $external on $interface" done < $TMP_DIR/nat } 
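Review bot: The new LOCAL validation in `setup_nat` reports the wrong column: the message reads `Invalid value ($allints) for LOCAL`, but the value that failed the test is `$localnat`, so the operator is shown the ALL INTERFACES value and told it is invalid; change it to `fatal_error "Invalid value ($localnat) for LOCAL in entry \"$external $interface $internal $allints $localnat\""`. `run_and_save_command qt ip addr del $external dev $iface` records `qt ip addr del ...` in the restore script, which only works if `qt` is defined in the environment that later sources that file (presumably via restore-base, which is not in this diff) — worth a comment at the call or a check when the script is assembled. The `while ... done < $TMP_DIR/nat` loop begins outside the hunk.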
@@ -1829,7 +1917,7 @@ setup_netmap() { ;; esac - echo " Network $net1 on $interface mapped to $net2 ($type)" + progress_message " Network $net1 on $interface mapped to $net2 ($type)" done < $TMP_DIR/netmap } @@ -1860,7 +1948,7 @@ setup_ecn() # $1 = file name done < $TMP_DIR/ecn if [ -n "$interfaces" ]; then - echo "Setting up ECN control on${interfaces}..." + progress_message "Setting up ECN control on${interfaces}..." for interface in $interfaces; do chain=$(ecn_chain $interface) @@ -1877,7 +1965,7 @@ setup_ecn() # $1 = file name interface=${host%:*} h=${host#*:} run_iptables -t mangle -A $(ecn_chain $interface) -p tcp -d $h -j ECN --ecn-tcp-remove - echo " ECN Disabled to $h through $interface" + progress_message " ECN Disabled to $h through $interface" done fi } @@ -1972,7 +2060,7 @@ process_tc_rule() done done - echo " TC Rule \"$rule\" added" + progress_message " TC Rule \"$rule\" added" } # @@ -2005,6 +2093,7 @@ setup_tc1() { run_iptables -t mangle -A OUTPUT -j tcout run_user_exit tcstart + save_command . $(find_file tcstart) } @@ -2022,8 +2111,9 @@ delete_tc() { clear_one_tc() { - tc qdisc del dev $1 root 2> /dev/null - tc qdisc del dev $1 ingress 2> /dev/null + run_and_save_command "tc qdisc del dev $1 root 2> /dev/null" + run_and_save_command "tc qdisc del dev $1 ingress 2> /dev/null" + } run_user_exit tcclear @@ -2143,7 +2233,7 @@ process_accounting_rule() { if iptables -A $chain $rule ; then [ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2 - echo " Accounting rule" $action $chain $source $dest $proto $port $sport Added + progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport Added else accounting_error fi @@ -2294,6 +2384,7 @@ refresh_tc() { # action = The chain for this rule # ratelimit = Optional rate limiting clause # userandgroup = owner match clause +# logtag = Log tag # add_an_action() { 
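Review bot: `save_command . $(find_file tcstart)` in `setup_tc1` writes the source line unconditionally, while `run_user_exit` just above only sources the file when it exists, so on a system without a tcstart file the restore script will try to `.` a non-existent path and fail at that point; guard it the same way, e.g. `tcstart=$(find_file tcstart)` followed by `[ -f $tcstart ] && save_command . $tcstart`. In `clear_one_tc` the saved lines carry `2> /dev/null`, so failures of `tc qdisc del` are invisible both now and at restore time; a comment stating that the deletes are expected to fail when no qdisc is attached would explain the suppression. The blank line added before the closing brace of `clear_one_tc` is stray whitespace.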
@@ -2400,7 +2491,7 @@ add_an_action() for serv1 in $(separate_list $serv); do for srv in $(ip_range $serv1); do if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \ + log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logtag" $userandgroup \ $(fix_bang $proto $sports $multiport $cli -d $srv $dports) fi @@ -2410,7 +2501,7 @@ add_an_action() done else if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \ + log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logtag" $userandgroup \ $(fix_bang $proto $sports $multiport $cli $dports) fi @@ -2444,6 +2535,7 @@ process_action() # $1 = action local userspec="$9" local rule="$(echo $target $clients $servers $protocol $ports $cports $ratelimit)" local userandgroup= + local logtag= if [ -n "$ratelimit" ]; then case $ratelimit in @@ -2497,10 +2589,16 @@ process_action() # $1 = action loglevel= else loglevel="${target#*:}" - target="${target%:*}" + target="${target%%:*}" expandv loglevel + if [ "$loglevel" != "${loglevel%:*}" ]; then + logtag="${loglevel#*:}" + loglevel="${loglevel%:*}" + expandv logtag + fi + fi - + logtarget="$target" case $target in @@ -2559,9 +2657,9 @@ process_action() # $1 = action # Report Result # if [ $COMMAND = check ]; then - echo " Rule \"$rule\" checked." + progress_message " Rule \"$rule\" checked." else - echo " Rule \"$rule\" added." + progress_message " Rule \"$rule\" added." fi } @@ -2650,7 +2748,7 @@ process_actions1() { strip_file $f $fn while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do expandv xtarget - temp="${xtarget%:*}" + temp="${xtarget%%:*}" case "${temp%<*}" in ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) ;; 
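Review bot: The log tag parsed in the process_action hunk (`logtag="${loglevel#*:}"`) is taken from the target column and passed on with no length or content check; if it ends up in the iptables `--log-prefix` (as the name suggests, though log_rule_limit is not visible here), the kernel's 29-character prefix limit applies to the whole `Shorewall:chain:target:tag` string, and an over-long tag will surface only as an iptables failure at activation time. A check right after the extraction, on the order of `[ ${#logtag} -gt N ] && fatal_error "Log tag too long: $logtag"` with N derived from however the prefix is assembled, would report it against the offending rule instead. Since `expandv logtag` is applied, a tag containing whitespace would also be split into several iptables arguments, so the check should reject spaces too. process_action continues outside the hunk on both sides.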
@@ -2776,6 +2874,7 @@ process_actions2() { # multiport = String to invoke multiport match if appropriate # ratelimit = Optional rate limiting clause # userandgroup = -m owner match to limit the rule to a particular user and/or group +# logtag = Log tag # add_nat_rule() { local chain @@ -2863,7 +2962,7 @@ add_nat_rule() { else for adr in $(separate_list $addr); do if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" -t nat \ + log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \ $(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports) fi @@ -2902,7 +3001,7 @@ add_nat_rule() { for adr in $(separate_list $addr); do if [ -n "$loglevel" ]; then ensurenatchain $chain - log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -t nat \ $(fix_bang $proto $cli $sports -d $adr $multiport $dports) fi @@ -2962,7 +3061,8 @@ add_nat_rule() { # chain = The canonical chain for this rule # ratelimit = Optional rate limiting clause # userandgroup= -m owner clause -# userspec = User name +# userspec = User name +# logtag = Log tag # add_a_rule() { @@ -3024,7 +3124,10 @@ add_a_rule() fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" ;; *) - [ -n "$server" ] && dest_interface="$(match_dest_dev $server)" + if [ -n "$server" ]; then + [ -n "$nonat" ] && fatal_error "Destination interface not allowe with $logtarget" + dest_interface="$(match_dest_dev $server)" + fi ;; esac @@ -3068,7 +3171,6 @@ add_a_rule() case "$logtarget" in ACCEPT|DROP|REJECT|CONTINUE) - [ "$logtarget" = REJECT -a -n "$servport" ] && \ fatal_error "Server port may not be specified in a REJECT rule; rule: \"$rule\"" if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then 
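Review bot: The new error text in the add_a_rule destination hunk has a typo in a user-facing message: `fatal_error "Destination interface not allowe with $logtarget"` should read `fatal_error "Destination interface not allowed with $logtarget"`. Including the rule would help too, as the neighbouring MAC-address error does with `rule: \"$rule\"`. add_a_rule's body continues outside the hunk.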
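Review bot: As rendered, the last hunk removes only the guard `[ "$logtarget" = REJECT -a -n "$servport" ] && \` while its continuation `fatal_error "Server port may not be specified in a REJECT rule; rule: \"$rule\""` stays as a context line, which would make every ACCEPT, DROP, REJECT and CONTINUE rule abort with that error. The header's 7-to-6 line count agrees with exactly one removed line, so unless the collapsed listing lost a `-` marker, either the fatal_error line must be removed as well or the guard must be kept. add_a_rule continues outside the hunk on both sides.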
@@ -3110,7 +3212,7 @@ add_a_rule() if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then for adr in $(separate_list $addr); do if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -m conntrack --ctorigdst $adr \ $userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports) fi @@ -3119,23 +3221,33 @@ add_a_rule() done else if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ $(fix_bang $proto $sports $multiport $cli -d $srv $dports) fi + + [ -n "$nonat" ] && \ + addnatrule $(dnat_chain $source) $proto $multiport \ + $cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN - run_iptables2 -A $chain $proto $multiport $cli $sports \ - -d $srv $dports $ratelimit $userandgroup -j $target + [ "$logtarget" != NONAT ] && \ + run_iptables2 -A $chain $proto $multiport $cli $sports \ + -d $srv $dports $ratelimit $userandgroup -j $target fi done done else if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ $(fix_bang $proto $sports $multiport $cli $dports) fi - run_iptables2 -A $chain $proto $multiport $cli $sports \ - $dports $ratelimit $userandgroup -j $target + [ -n "$nonat" ] && \ + addnatrule $(dnat_chain $source) $proto $multiport \ + $cli $sports $dports $ratelimit $userandgroup -j RETURN + + [ "$logtarget" != NONAT ] && \ + run_iptables2 -A $chain $proto $multiport $cli $sports \ + $dports $ratelimit $userandgroup -j $target fi fi fi 
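Review bot: The new NONAT/ACCEPT+ paths append `-j RETURN` to `$(dnat_chain $source)` without first making sure that chain exists, whereas add_nat_rule in this same file calls `ensurenatchain $chain` before adding to it; unless addnatrule creates chains on demand (not visible here), a NONAT rule for a zone that has no DNAT rules will fail at activation. Prepend `ensurenatchain $(dnat_chain $source)` on the nonat path, in both the per-server and no-server branches. Note also that `$ratelimit` is carried onto the RETURN rule, so a rate-limited exemption only bypasses DNAT for connections under the limit — plausibly intended, but worth a comment since the nat table only sees the first packet of each connection. add_a_rule continues outside the hunk.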
@@ -3149,13 +3261,18 @@ add_a_rule() if [ $COMMAND != check ]; then if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ $(fix_bang $proto $multiport $dest_interface $cli $sports $dports) fi - if [ $logtarget != LOG ]; then - run_iptables2 -A $chain $proto $multiport $dest_interface \ - $cli $sports $dports $ratelimit $userandgroup -j $target + if [ "$logtarget" != LOG ]; then + [ -n "$nonat" ] && \ + addnatrule $(dnat_chain $source) $proto $multiport \ + $cli $sports $dports $ratelimit $userandgroup -j RETURN + + [ "$logtarget" != NONAT ] && \ + run_iptables2 -A $chain $proto $multiport $dest_interface \ + $cli $sports $dports $ratelimit $userandgroup -j $target fi fi fi @@ -3185,6 +3302,8 @@ process_rule() # $1 = target local userspec="$9" local userandgroup= local rule="$(echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userspec)" + local logtag= + local nonat= # Function Body - isolate rate limit @@ -3207,8 +3326,14 @@ process_rule() # $1 = target loglevel= else loglevel="${target#*:}" - target="${target%:*}" + target="${target%%:*}" expandv loglevel + if [ "$loglevel" != "${loglevel%:*}" ]; then + logtag="${loglevel#*:}" + loglevel="${loglevel%:*}" + expandv logtag + fi + fi # # Save the original target in 'logtarget' for logging rules @@ -3261,6 +3386,10 @@ process_rule() # $1 = target fi case $target in + ACCEPT+|NONAT) + nonat=Yes + target=ACCEPT + ;; ACCEPT|LOG) ;; DROP) @@ -3451,9 +3580,9 @@ process_rule() # $1 = target # Report Result # if [ $COMMAND = check ]; then - echo " Rule \"$rule\" checked." + progress_message " Rule \"$rule\" checked." else - echo " Rule \"$rule\" added." + progress_message " Rule \"$rule\" added." fi } 
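Review bot: `nonat` is declared `local` in process_rule but consumed in add_a_rule (first hunk on this line) purely through dynamic scoping, and add_a_rule's header comment, which this commit extends with `# logtag = Log tag`, says nothing about it. Add a line there such as `# nonat = Yes when the target was ACCEPT+ or NONAT: append a nat-table RETURN so DNAT is bypassed for the matching traffic`, and in the `ACCEPT+|NONAT)` case note that `logtarget` deliberately keeps the original name so add_a_rule can skip the filter rule for NONAT. Both functions extend outside these hunks.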
@@ -3504,9 +3633,9 @@ process_rules() } while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do - temp="${xtarget%:*}" + temp="${xtarget%%:*}" case "${temp%<*}" in - ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) + ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) do_it ;; *) @@ -3688,7 +3817,7 @@ process_tos_rule() { esac done - echo " Rule \"$rule\" added." + progress_message " Rule \"$rule\" added." } # @@ -3721,6 +3850,11 @@ loadmodule() # $1 = module name, $2 - * arguments local modulename=$1 local modulefile local suffix + moduleloader=modprobe + + if ! qt which modprobe; then + moduleloader=insmod + fi if [ -z "$(lsmod | grep $modulename)" ]; then shift @@ -3729,7 +3863,15 @@ loadmodule() # $1 = module name, $2 - * arguments modulefile=$MODULESDIR/${modulename}.${suffix} if [ -f $modulefile ]; then - insmod $modulefile $* + case $moduleloader in + insmod) + insmod $modulefile $* + ;; + *) + modprobe $modulename + ;; + esac + return fi done @@ -3866,7 +4008,7 @@ default_policy() # $1 = client $2 = server esac fi - echo " Policy $policy for $1 to $2 using chain $chain" + progress_message " Policy $policy for $1 to $2 using chain $chain" } eval chain1=\$${1}2${2}_policychain @@ -4007,12 +4149,15 @@ setup_masq() ;; esac + [ "x$addresses" = x- ] && addresses= + if [ -n "$addresses" -a -n "$ADD_SNAT_ALIASES" ]; then for address in $(separate_list $addresses); do for addr in $(ip_range_explicit $address) ; do if ! list_search $addr $aliases_to_add; then + save_command qt ip addr del $addr dev $interface aliases_to_add="$aliases_to_add $addr $fullinterface" - case $fullinterface in + case $fullinterface in *:*) fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 )) ;; 
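Review bot: The new modprobe branch in loadmodule silently drops the module arguments: the function documents `$2 - *` as parameters and the insmod arm passes `$*`, but the default arm runs `modprobe $modulename` alone, so a module ends up configured differently depending only on whether modprobe is installed. Use `modprobe $modulename $*`, and declare `moduleloader` with `local` like the other variables (it is currently assigned as a global). `qt which modprobe` could also be `command -v modprobe`, which does not depend on an external `which`. loadmodule continues outside the hunk.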
@@ -4022,6 +4167,50 @@ setup_masq() done fi + [ "x$proto" = x- ] && proto= + [ "x$ports" = x- ] && ports= + + if [ -n "$proto" ]; then + + displayproto="($proto)" + + case $proto in + tcp|TCP|udp|UDP|6|17) + if [ -n "$ports" ]; then + displayproto="($proto $ports)" + + listcount=$(list_count $ports) + + if [ $listcount -gt 1 ]; then + case $ports in + *:*) + fatal_error "Port Range not allowed in list ($ports)" + ;; + *) + if [ -n "$MULTIPORT" ]; then + [ $listcount -gt 15 ] && fatal_error "Too many entries in port list ($ports)" + ports="-m multiport --dports $ports" + else + fatal_error "Port Ranges require multiport match support in your kernel ($ports)" + fi + ;; + esac + else + ports="--dport $ports" + fi + fi + ;; + *) + [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" + ;; + esac + + proto="-p $proto" + else + displayproto="(all)" + [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" + fi + destination=$destnets chain=$(masq_chain $interface) @@ -4038,7 +4227,7 @@ setup_masq() if [ -n "$networks" ]; then for s in $networks; do - addnatrule $chain -s $s -j $newchain + addnatrule $chain -s $s $proto $ports -j $newchain done networks= else @@ -4048,6 +4237,8 @@ setup_masq() masq_seq=$(($masq_seq + 1)) chain=$newchain destnets=0.0.0.0/0 + proto= + ports= if [ -n "$nomasq" ]; then for addr in $(separate_list $nomasq); do @@ -4064,12 +4255,12 @@ setup_masq() if [ -n "$networks" ]; then for s in $networks; do for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet -s $s -j $newchain + addnatrule $chain -d $destnet -s $s $proto $ports -j $newchain done done else for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet -j $newchain + addnatrule $chain -d $destnet $proto $ports -j $newchain done fi @@ -4077,6 +4268,8 @@ setup_masq() chain=$newchain networks= destnets=0.0.0.0/0 + proto= + ports= for addr in $(separate_list $nomasq); do addnatrule $chain -s $addr -j RETURN 
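Review bot: In the port handling added to setup_masq, the `else` of the `-n "$MULTIPORT"` test is reached for a port list (listcount greater than one and no `:`), yet the message reads `Port Ranges require multiport match support in your kernel` — ranges were already rejected one arm above, so change it to `fatal_error "Port lists require multiport match support in your kernel ($ports)"`. A single entry goes straight to `--dport $ports`, so a lone range such as `1024:65535` is accepted; a short comment saying that is intended would stop the next reader from "fixing" it. setup_one's body starts outside the hunk.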
@@ -4088,6 +4281,7 @@ setup_masq() esac addrlist= + if [ -n "$addresses" ]; then for address in $(separate_list $addresses); do addrlist="$addrlist --to-source $address" @@ -4098,26 +4292,26 @@ setup_masq() for s in $networks; do if [ -n "$addresses" ]; then for destnet in $(separate_list $destnets); do - addnatrule $chain -s $s -d $destnet -j SNAT $addrlist + addnatrule $chain -s $s -d $destnet $proto $ports -j SNAT $addrlist done - echo " To $destination from $s through ${interface} using $addresses" + progress_message " To $destination $displayproto from $s through ${interface} using $addresses" else for destnet in $(separate_list $destnets); do - addnatrule $chain -s $s -d $destnet -j MASQUERADE + addnatrule $chain -s $s -d $destnet $proto $ports -j MASQUERADE done - echo " To $destination from $s through ${interface}" + progress_message " To $destination $displayproto from $s through ${interface}" fi done elif [ -n "$addresses" ]; then for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet -j SNAT $addrlist + addnatrule $chain -d $destnet $proto $ports -j SNAT $addrlist done - echo " To $destination from $source through ${interface} using $addresses" + echo " To $destination $displayproto from $source through ${interface} using $addresses" else for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet -j MASQUERADE + addnatrule $chain -d $destnet $proto $ports -j MASQUERADE done - echo " To $destination from $source through ${interface}" + progress_message " To $destination $displayproto from $source through ${interface}" fi } 
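Review bot: One progress line in the final setup_masq hunk was left as `echo` while its three siblings were converted: `echo " To $destination $displayproto from $source through ${interface} using $addresses"`. Under the quiet mode this commit introduces, that SNAT-with-addresses case will still print, so make it `progress_message " To $destination $displayproto from $source through ${interface} using $addresses"`. setup_one starts outside the hunk.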
@@ -4126,8 +4320,8 @@ setup_masq() [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" - while read fullinterface networks addresses; do - expandv fullinterface networks addresses + while read fullinterface networks addresses proto ports; do + expandv fullinterface networks addresses proto ports [ -n "$NAT_ENABLED" ] && setup_one || \ error_message "Warning: NAT disabled; masq rule ignored" done < $TMP_DIR/masq @@ -4219,7 +4413,7 @@ process_blacklist_rec() { addr="$addr $protocol" fi - echo " $addr added to Black List" + progress_message " $addr added to Black List" done } @@ -4250,7 +4444,7 @@ setup_blacklist() { [ $network = 0/0.0.0.0 ] && network= || network=":$network" - echo " Blacklisting enabled on ${interface}${network}" + progress_message " Blacklisting enabled on ${interface}${network}" done [ "$disposition" = REJECT ] && disposition=reject @@ -4338,10 +4532,10 @@ add_ip_aliases() do_one() { val=$(address_details) - run_ip addr add ${external}${val} dev $interface $label + ensure_and_save_command ip addr add ${external}${val} dev $interface $label echo "$external $interface" >> ${STATEDIR}/nat [ -n "$label" ] && label="with $label" - echo " IP Address $external added to interface $interface $label" + progress_message " IP Address $external added to interface $interface $label" } set -- $aliases_to_add @@ -4622,6 +4816,8 @@ add_common_rules() { run_iptables -A reject -j REJECT fi + run_user_exit initdone + # # Process Black List # @@ -4838,7 +5034,7 @@ add_common_rules() { # ARP Filtering # for f in /proc/sys/net/ipv4/conf/*/arp_filter; do - echo 0 > $f + run_and_save_command "echo 0 > $f" done interfaces=$(find_interfaces_by_option arp_filter) @@ -4849,7 +5045,7 @@ add_common_rules() { for interface in $interfaces; do file=/proc/sys/net/ipv4/conf/$interface/arp_filter if [ -f $file ]; then - echo 1 > $file + run_and_save_command "echo 1 > $file" else error_message \ "Warning: Cannot set ARP filtering on $interface" 
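Review bot: `run_and_save_command "echo 0 > $f"` records each `/proc/sys/net/ipv4/conf/*/arp_filter` path as expanded at start time, so the saved restore script is only valid for the interface set present then: an interface that has since gone away makes that line fail at restore, and one created later (a ppp device, say) is never reset. If run_and_save_command cannot be handed the glob unexpanded, saving a guarded form such as `run_and_save_command "[ -f $f ] && echo 0 > $f"` avoids spurious restore failures, and a comment noting the limitation would help either way. The same applies to the rp_filter loop in the following hunk. add_common_rules extends beyond these hunks.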
@@ -4865,22 +5061,43 @@ add_common_rules() { echo "Setting up Kernel Route Filtering..." for f in /proc/sys/net/ipv4/conf/*/rp_filter; do - echo 0 > $f + run_and_save_command "echo 0 > $f" done for interface in $interfaces; do file=/proc/sys/net/ipv4/conf/$interface/rp_filter if [ -f $file ]; then - echo 1 > $file + run_and_save_command "echo 1 > $file" else error_message \ "Warning: Cannot set route filtering on $interface" fi done - echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter - [ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter - run_ip route flush cache + run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" + + if [ -n "$ROUTE_FILTER" ]; then + run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter" + fi + + run_and_save_command ip route flush cache + fi + + if [ -n "$DYNAMIC_ZONES" ]; then + echo "Setting up Dynamic Zone Chains..." + + for interface in $all_interfaces; do + for chain in $(dynamic_chains $interface); do + createchain $chain no + done + + chain=$(dynamic_in $interface) + createnatchain $chain + + run_iptables -A $(input_chain $interface) -j $chain + run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface) + run_iptables -A OUTPUT -j $(dynamic_out $interface) + done fi setup_forwarding @@ -4992,6 +5209,12 @@ activate_rules() fi } + # + # Add jumps for dynamic nat chains + # + [ -n "$DYNAMIC_ZONES" ] && for interface in $all_interfaces ; do + addrulejump PREROUTING $(dynamic_in $interface) + done # # Add jumps from the builtin chains to the nat chains # @@ -5009,8 +5232,6 @@ activate_rules() for zone in $zones; do eval source_hosts=\$${zone}_hosts - echo $zone $source_hosts >> ${STATEDIR}/zones - chain1=$(rules_chain $FW $zone) chain2=$(rules_chain $zone $FW) 
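Review bot: The dynamic-zone jump `run_iptables -A OUTPUT -j $(dynamic_out $interface)` carries no `-o $interface`, and the rules that add_to_zone appends to that chain in this commit match only `-d $host`, so locally generated traffic to an added host is classified into that zone on every interface, not just the one it was added on — the code being replaced used `-o $interface -d $host`. Make the jump `run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)` so the per-interface chain name actually constrains anything. The input and forward jumps land in per-interface chains that are presumably already interface-qualified, so they look fine. add_common_rules continues outside the hunk.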
@@ -5021,8 +5242,11 @@ activate_rules() createchain $frwd_chain No fi - echo "$FW $zone $chain1" >> ${STATEDIR}/chains - echo "$zone $FW $chain2" >> ${STATEDIR}/chains + if [ -n "$DYNAMIC_ZONES" ]; then + echo $zone $source_hosts >> ${STATEDIR}/zones + echo "$FW $zone $chain1" >> ${STATEDIR}/chains + echo "$zone $FW $chain2" >> ${STATEDIR}/chains + fi need_broadcast= @@ -5070,7 +5294,7 @@ activate_rules() chain="$(rules_chain $zone $zone1)" - echo "$zone $zone1 $chain" >> ${STATEDIR}/chains + [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> ${STATEDIR}/chains if [ $zone = $zone1 ]; then # @@ -5130,7 +5354,6 @@ activate_rules() done for interface in $all_interfaces ; do - run_iptables -A FORWARD -i $interface -j $(forward_chain $interface) run_iptables -A INPUT -i $interface -j $(input_chain $interface) addnatjump POSTROUTING $(masq_chain $interface) -o $interface 
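Review bot: The last hunk drops `run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)` and nothing visible in this listing adds it back, while the dynamic-zone setup in add_common_rules appends `dynamic_fwd` jumps to exactly those forward chains. If the FORWARD jump was moved earlier so the interface chains are wired up before add_common_rules runs, a one-line comment at the new location (and here) would save the next reader the search; if it was simply lost, every per-interface forward chain — blacklist, maclist, dynamic zones — becomes unreachable. activate_rules continues outside the hunk on both sides.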
@@ -5196,83 +5419,42 @@ define_firewall() # $1 = Command (Start or Restart) echo "${1}ing Shorewall..." verify_os_version - verify_ip - load_kernel_modules - echo "Initializing..." - - initialize_netfilter - - echo "Configuring Proxy ARP" - - setup_proxy_arp - - echo "Setting up NAT..." - - setup_nat - - echo "Setting up NETMAP..." - - setup_netmap - - echo "Adding Common Rules" - - add_common_rules + echo "Initializing..."; initialize_netfilter + echo "Configuring Proxy ARP"; setup_proxy_arp + echo "Setting up NAT..."; setup_nat + echo "Setting up NETMAP..."; setup_netmap + echo "Adding Common Rules"; add_common_rules tunnels=$(find_file tunnels) - [ -f $tunnels ] && \ - echo "Processing $tunnels..." && setup_tunnels $tunnels + echo "Processing $tunnels..." && setup_tunnels $tunnels maclist_hosts=$(find_hosts_by_option maclist) + [ -n "$maclist_hosts" ] && setup_mac_lists - if [ -n "$maclist_hosts" ] ; then - setup_mac_lists - fi - - rules=$(find_file rules) - - echo "Pre-processing Actions..." - - process_actions1 - - echo "Processing $rules..." - - process_rules - - echo "Processing Actions..." - - process_actions2 - - policy=$(find_file policy) - - echo "Processing $policy..." - - apply_policy_rules + echo "Pre-processing Actions..."; process_actions1 + echo "Processing $(find_file rules)..."; process_rules + echo "Processing Actions..."; process_actions2 + echo "Processing $(find_file policy)..."; apply_policy_rules masq=$(find_file masq) - - [ -f $masq ] && setup_masq $masq + [ -f $masq ] && setup_masq $masq tos=$(find_file tos) - [ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos ecn=$(find_file ecn) - [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn - [ -n "$TC_ENABLED" ] && setup_tc + [ -n "$TC_ENABLED" ] && setup_tc - echo "Activating Rules..." - - activate_rules + echo "Activating Rules..."; activate_rules [ -n "$aliases_to_add" ] && \ - echo "Adding IP Addresses..." && \ - add_ip_aliases + echo "Adding IP Addresses..." 
&& add_ip_aliases run_user_exit start @@ -5283,6 +5465,19 @@ define_firewall() # $1 = Command (Start or Restart) report "Shorewall ${1}ed" rm -rf $TMP_DIR + + for file in chains nat proxyarp zones; do + append_file $file + done + + save_command "date > $STATEDIR/restarted" + + save_command 'iptables-restore << EOF' + + # 'shorewall save' appends the iptables-save output and 'EOF' + + mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-base + } # @@ -5343,11 +5538,6 @@ add_to_zone() # $1 = [:] $2 = zone fi } - output_rule_num() { - local num=$(iptables -L OUTPUT -n --line-numbers | grep icmp | cut -d' ' -f1 | head -n1) - - [ -n "$num" ] && echo $(($num+1)) - } # # Isolate interface and host parts # @@ -5371,24 +5561,22 @@ add_to_zone() # $1 = [:] $2 = zone validate_zone $zone || startup_error "Unknown zone: $zone" [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone" + # # Be sure that Shorewall has been restarted using a DZ-aware version of the code # [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" # - # Be sure that the interface was present at last [re]start + # Be sure that the interface was dynamic at last [re]start # if ! chain_exists $(input_chain $interface) ; then startup_error "Unknown interface $interface" fi - # - # Build lists of interfaces with special rules - # - dhcp_interfaces=$(find_interfaces_by_option dhcp) - blacklist_interfaces=$(find_interfaces_by_option blacklist) - maclist_interfaces=$(find_interfaces_by_option maclist) - tcpflags_interfaces=$(find_interfaces_by_option tcpflags) + + if ! chain_exists $(dynamic_in $interface) ; then + startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf" + fi # # Normalize the first argument to this function # 
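Review bot: The `[ -f $tunnels ] &&` guard in front of `setup_tunnels $tunnels` is dropped in the define_firewall hunk, while find_file as changed in this commit prints `/etc/shorewall/tunnels` whether or not the file exists; unless setup_tunnels now tolerates a missing file (it is not visible here), hosts without a tunnels file will fail at this step. Either keep `[ -f $tunnels ] && echo "Processing $tunnels..." && setup_tunnels $tunnels` or give setup_tunnels the strip_file-style handling the rules and policy paths use. The hunk also removes the `verify_ip` and `load_kernel_modules` calls; if they moved into do_initialize, a short comment here saying so would help. define_firewall starts outside the hunk.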
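Review bot: `save_command 'iptables-restore << EOF'` writes an unquoted here-doc delimiter into the restore script, so, assuming save_command stores its argument literally, the saved iptables-save text is subject to parameter expansion, command substitution and backslash processing when the script is later run by sh — any `$`, backtick or `\` in a saved rule (log prefixes, the new user-supplied log tags, comments) would be altered or executed at restore time. Emit `save_command "iptables-restore << 'EOF'"` so the ruleset is replayed byte-for-byte. The finished script is also moved into place with `mv -f` without any mode being set; as it is executed as root and contains the full ruleset it should be created 0700, which is best done where `echo '#bin/sh' > /var/lib/shorewall/restore-$$` creates it in do_initialize. define_firewall starts outside the hunk.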
@@ -5428,111 +5616,44 @@ add_to_zone() # $1 = [:] $2 = zone chain=${zone}_dnat if nat_chain_exists $chain; then - do_iptables -t nat -I PREROUTING -i $interface -s $host -j $chain + do_iptables -t nat -A $(dynamic_in $interface) -s $host -j $chain fi # - # Insert new rules into the input chains for the passed interface + # Insert new rules into the filter table for the passed interface # while read z1 z2 chain; do if [ "$z1" = "$zone" ]; then if [ "$z2" = "$FW" ]; then - # - # We will insert the rule right after the DHCP, 'ping' and - # MAC rules (if any) - # - if list_search $interface $dhcp_interfaces; then - rulenum=3 - else - rulenum=2 - fi - - if list_search $interface $maclist_interfaces; then - rulenum=$(($rulenum + 1)) - fi - - if list_search $interface $tcpflags_interfaces; then - rulenum=$(($rulenum + 1)) - fi - - do_iptables -I $(input_chain $interface) $rulenum -s $host -j $chain + do_iptables -A $(dynamic_in $interface) -s $host -j $chain else - # - # Insert rules into the passed interface's forward chain - # - # We insert them after any blacklist/MAC verification rules - # - source_chain=$(forward_chain $interface) + source_chain=$(dynamic_fwd $interface) eval dest_hosts=\"\$${z2}_hosts\" - base=$(chain_base $interface) - - eval rulenum=\$${base}_rulenum - - if [ -z "$rulenum" ]; then - if list_search $interface $blacklist_interfaces; then - rulenum=3 - else - rulenum=2 - fi - - if list_search $interface $maclist_interfaces; then - rulenum=$(($rulenum + 1)) - fi - - if list_search $interface $tcpflags_interfaces; then - rulenum=$(($rulenum + 1)) - fi - fi - for h in $dest_hosts; do iface=${h%%:*} hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -I $source_chain $rulenum -s $host -o $iface $(match_dest_hosts $hosts) -j $chain - rulenum=$(($rulenum + 1)) + do_iptables -A $source_chain -s $host -o $iface $(match_dest_hosts $hosts) -j $chain fi done - - eval ${base}_rulenum=$rulenum - fi elif [ "$z2" = "$zone" ]; 
then if [ "$z1" = "$FW" ]; then # - # Add a rule to the OUTPUT chain -- always after the icmp * ACCEPT rule + # Add a rule to the dynamic out chain for the interface # - do_iptables -I OUTPUT $(output_rule_num) -o $interface -d $host -j $chain + do_iptables -A $(dynamic_out $interface) -d $host -j $chain else - # - # Insert rules into the source interface's forward chain - # - # We insert them after any blacklist rules - # eval source_hosts=\"\$${z1}_hosts\" for h in $source_hosts; do iface=${h%%:*} hosts=${h#*:} - base=$(chain_base $iface) - - eval rulenum=\$${base}_rulenum - - if [ -z "$rulenum" ]; then - if list_search $iface $blacklist_interfaces; then - rulenum=3 - else - rulenum=2 - fi - fi - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -I $(forward_chain $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host -j $chain - rulenum=$(($rulenum + 1)) + do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host -j $chain fi - - eval ${base}_rulenum=$rulenum done fi fi @@ -5540,7 +5661,7 @@ add_to_zone() # $1 = [:] $2 = zone rm -rf $TMP_DIR - echo "$1 added to zone $2" + progress_message "$1 added to zone $2" } # @@ -5602,6 +5723,10 @@ delete_from_zone() # $1 = [:] $2 = zone if ! chain_exists $(input_chain $interface) ; then startup_error "Unknown interface $interface" fi + + if ! chain_exists $(dynamic_in $interface) ; then + startup_error "Interface $interface is not dynamic" + fi # # Normalize the first argument to this function # 
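Review bot: `do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host -j $chain` still expands `$rulenum`, which has no assignment left after this hunk removed the `eval rulenum=...` bookkeeping; it is empty in the normal case, but it was never `local`, so any stray value would be spliced into the iptables argument list. Drop it: `do_iptables -A $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain`. With `-A` replacing the old positional `-I`, there is still no check that the host is not already in the zone, so repeated `add` calls accumulate duplicate rules that the single `-D` in delete_from_zone will not remove — if such a check exists outside the hunk, a comment would help. add_to_zone continues outside the hunk on both sides.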
@@ -5622,16 +5747,16 @@ delete_from_zone() # $1 = [:] $2 = zone # # Delete any nat table entries for the host(s) # - qt iptables -t nat -D PREROUTING -i $interface -s $host -j ${zone}_dnat + qt iptables -t nat -D $(dynamic_in $interface) -s $host -j ${zone}_dnat # # Delete rules rules the input chains for the passed interface # while read z1 z2 chain; do if [ "$z1" = "$zone" ]; then if [ "$z2" = "$FW" ]; then - qt iptables -D $(input_chain $interface) -s $host -j $chain + qt iptables -D $(dynamic_in $interface) -s $host -j $chain else - source_chain=$(forward_chain $interface) + source_chain=$(dynamic_fwd $interface) eval dest_hosts=\"\$${z2}_hosts\" for h in $dest_hosts $delhost; do @@ -5639,13 +5764,13 @@ delete_from_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $source_chain -s $host -o $iface $(match_source_hosts $hosts) -j $chain + qt iptables -D $source_chain -s $host -o $iface $(match_dest_hosts $hosts) -j $chain fi done fi elif [ "$z2" = "$zone" ]; then if [ "$z1" = "$FW" ]; then - qt iptables -D OUTPUT -o $interface -d $host -j $chain + qt iptables -D $(dynamic_out $interface) -d $host -j $chain else eval source_hosts=\"\$${z1}_hosts\" @@ -5654,7 +5779,7 @@ delete_from_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $(forward_chain $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain + qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain fi done fi @@ -5663,7 +5788,7 @@ delete_from_zone() # $1 = [:] $2 = zone rm -rf $TMP_DIR - echo "$1 removed from zone $2" + progress_message "$1 removed from zone $2" } # @@ -5772,6 +5897,7 @@ do_initialize() { SMURF_LOG_LEVEL= DISABLE_IPV6= BRIDGING= + DYNAMIC_ZONES= stopping= have_mutex= 
@@ -5789,12 +5915,14 @@ do_initialize() { FUNCTIONS=$SHARED_DIR/functions if [ -f $FUNCTIONS ]; then - echo "Loading $FUNCTIONS..." + [ -n "$QUIET" ] || echo "Loading $FUNCTIONS..." . $FUNCTIONS else startup_error "$FUNCTIONS does not exist!" fi + ensure_config_path + VERSION_FILE=$SHARED_DIR/version [ -f $VERSION_FILE ] && version=$(cat $VERSION_FILE) @@ -5804,13 +5932,17 @@ do_initialize() { config=$(find_file shorewall.conf) if [ -f $config ]; then - echo "Processing $config..." + [ -n "$QUIET" ] || echo "Processing $config..." . $config else echo "$config does not exist!" >&2 exit 2 fi # + # Restore CONFIG_PATH if the shorewall.conf file cleared it + # + ensure_config_path + # # Determine the capabilities of the installed iptables/netfilter # determine_capabilities @@ -5925,7 +6057,9 @@ do_initialize() { BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) - [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz" + DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) + + [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz" # # Strip the files that we use often @@ -5943,6 +6077,9 @@ do_initialize() { fi rm -f $TMP_DIR/physdev + + echo '#bin/sh' > /var/lib/shorewall/restore-$$ + echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$ } # diff --git a/Lrp2/usr/share/shorewall/functions b/Lrp2/usr/share/shorewall/functions index c96f9c5bd..a856a3d32 100644 --- a/Lrp2/usr/share/shorewall/functions +++ b/Lrp2/usr/share/shorewall/functions 
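Review bot: The restore script is created with `echo '#bin/sh' > /var/lib/shorewall/restore-$$` — the shebang is missing its `!`, so the kernel will not execute the file directly and it only works when run as `sh file` or sourced; it should be `echo '#!/bin/sh' > $STATEDIR/restore-$$`. Because this script is later run as root and will hold the full ruleset, create it with a restrictive mode before writing (`umask 077` around the two echo lines, or a `chmod 700` right after) rather than relying on the caller's umask, and use `$STATEDIR` as the rest of this commit does instead of the hard-coded path. The predictable `restore-$$` name is acceptable only while that directory is root-owned and not world-writable, which is presumably the case but not checked here. do_initialize starts outside the hunk.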
@@ -82,11 +82,24 @@ fix_bang() { done } +# +# Set default config path +# +ensure_config_path() { + local F=/usr/share/shorewall/configpath + if [ -z "$CONFIG_PATH" ]; then + [ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; } + . $F + fi +} + # # Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall # find_file() { + local saveifs= directory + case $1 in /*) echo $1 @@ -94,11 +107,19 @@ find_file() *) if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then echo $SHOREWALL_DIR/$1 - elif [ -f /etc/shorewall/$1 ]; then - echo /etc/shorewall/$1 - elif [ -f /usr/share/shorewall/$1 ]; then - echo /usr/share/shorewall/$1 else + saveifs=$IFS + IFS=: + for directory in $CONFIG_PATH; do + if [ -f $directory/$1 ]; then + echo $directory/$1 + IFS=$saveifs + return + fi + done + + IFS=$saveifs + echo /etc/shorewall/$1 fi ;; @@ -485,14 +506,14 @@ in_network() # $1 = IP address, $2 = CIDR network ip_vlsm() { local mask=$(decodeaddr $1) local vlsm=0 - local x=$(( 128 $LEFTSHIFT 24 )) + local x=$(( 128 $LEFTSHIFT 24 )) # 0x80000000 while [ $(( $x & $mask )) -ne 0 ]; do - [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Don't Ask... + [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly. vlsm=$(($vlsm + 1)) done - if [ $(( $mask & 2147483647)) -ne 0 ]; then + if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff echo "Invalid net mask: $1" >&2 else echo $vlsm diff --git a/Lrp2/usr/share/shorewall/help b/Lrp2/usr/share/shorewall/help index 4ed47f396..af39ec8e7 100755 --- a/Lrp2/usr/share/shorewall/help +++ b/Lrp2/usr/share/shorewall/help 
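Review bot: find_file's new search loop falls back to `echo /etc/shorewall/$1` when nothing in CONFIG_PATH matches, so a successful return does not mean the file exists and every caller must still test `-f` — and several call sites in this commit (tunnels, tcstart) have dropped that test. Put it in the header comment: `# Prints the first match of $1 in $SHOREWALL_DIR then $CONFIG_PATH; if none exists, prints /etc/shorewall/$1 anyway — callers must check -f`. Two smaller points: an empty component in CONFIG_PATH (leading, trailing or doubled colon) makes the loop test `/$1`, and restoring with `IFS=$saveifs` would set IFS to the empty string, disabling word splitting for the rest of the run, if IFS had been unset — unlikely in practice, but running the loop in a subshell or `case`-splitting the path avoids it.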
@@ -116,6 +116,14 @@ drop) See also \"help address\"" ;; +forget) + echo "forget: forget + Deletes /var/lib/shorewall/save and /var/lib/shorewall/restore. Those + files are created by the 'shorewall save' command + + See also \"help save\"" + ;; + help) echo "help: help [ | host | address ] Display helpful information about the shorewall commands." @@ -147,15 +155,21 @@ logwatch) monitor) echo "monitor: monitor [] + + shorewall [-x] monitor [] + Continuously display the firewall status, last 20 log entries and nat. - When the log entry display changes, an audible alarm is sounded." + When the log entry display changes, an audible alarm is sounded. + + When -x is given, that option is also passed to iptables to display actual packet and byte counts." ;; refresh) - echo "refresh: refresh + echo "refresh: [ -q ] refresh The rules involving the broadcast addresses of firewall interfaces, the black list, traffic control rules and ECN control rules are recreated - to reflect any changes made. Existing connections are untouched" + to reflect any changes made. Existing connections are untouched + If \"-q\" is specified, less detain is displayed making it easier to spot warnings" ;; reject) 
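Review bot: The new refresh help text reads `less detain is displayed` — `detain` should be `detail`, and the sentence lacks the terminating period the neighbouring entries have; use `If \"-q\" is specified, less detail is displayed making it easier to spot warnings.`. The same misspelling is repeated in the restart and start entries added later in this file.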
@@ -173,26 +187,41 @@ reset) ;; restart) - echo "restart: restart [ -c ] + echo "restart: restart [ -q ] [ -c ] Restart is the same as a shorewall stop && shorewall start. - Existing connections are dropped." + Existing connections are maintained. + If \"-q\" is specified, less detain is displayed making it easier to spot warnings" + ;; + +restore) + echo "restore: restore + Restore Shorewall to its last state saved using the 'save' command + Existing connections are maintained. + + See also \"help save\" and \"help forget\"" ;; save) echo "save: save - The dynamic data is stored in /var/lib/shorewall/save - Shorewall allow, drop, rejct and save implement dynamic blacklisting." + The dynamic data is stored in /var/lib/shorewall/save. The state of the + firewall is stored in /var/lib/shorewall/restore for use by the 'shorewall restore' + and 'shorewall -f start' commands. + + Shorewall allow, drop, rejct and save implement dynamic blacklisting. + + See also \"help restore\" and \"help forget\"" ;; show) - echo "show: show [ [ ...] |classifiers|connections|log|nat|tc|tos] - shorewall show [ ... ] - produce a verbose report about the IPtable chain(s). + echo "show: show [ [ ...] |classifiers|connections|log|nat|tc|tos] + + shorewall [-x] show [ ... ] - produce a verbose report about the IPtable chain(s). (iptables -L chain -n -v) - shorewall show nat - produce a verbose report about the nat table. + shorewall [-x] show nat - produce a verbose report about the nat table. (iptables -t nat -L -n -v) - shorewall show tos - produce a verbose report about the mangle table. + shorewall [-x] show tos - produce a verbose report about the mangle table. (iptables -t mangle -L -n -v) shorewall show log - display the last 20 packet log entries. 
@@ -201,14 +230,18 @@ show) being tracked by the firewall. shorewall show tc - displays information about the traffic - control/shaping configuration." + control/shaping configuration. + + When -x is given, that option is also passed to iptables to display actual packet and byte counts." ;; start) - echo "start: start [ -c ] + echo "start: [ -q ] [ -f ] [ -c ] start Start shorewall. Existing connections through shorewall managed interfaces are untouched. New connections will be allowed only - if they are allowed by the firewall rules or policies." + if they are allowed by the firewall rules or policies. + If \"-q\" is specified, less detain is displayed making it easier to spot warnings + If \"-f\" is specified, the last saved configuraton if any will be restored" ;; stop) @@ -221,9 +254,14 @@ stop) status) echo "status: status + + shorewall [-x] status + Produce a verbose report about the firewall. - (iptables -L -n -v)" + (iptables -L -n -) + + When -x is given, that option is also passed to iptables to display actual packet and byte counts." ;; trace) diff --git a/Lrp2/usr/share/shorewall/version b/Lrp2/usr/share/shorewall/version index 38f77a65b..e9307ca57 100644 --- a/Lrp2/usr/share/shorewall/version +++ b/Lrp2/usr/share/shorewall/version @@ -1 +1 @@ -2.0.1 +2.0.2 diff --git a/Lrp2/var/lib/lrpkg/shorwall.list b/Lrp2/var/lib/lrpkg/shorwall.list index 48a0731ed..04bd7a15b 100644 --- a/Lrp2/var/lib/lrpkg/shorwall.list +++ b/Lrp2/var/lib/lrpkg/shorwall.list @@ -2,4 +2,5 @@ etc/init.d/shorewall etc/shorewall sbin/shorewall usr/share/shorewall +var/lib/shorewall var/lib/lrpkg/shorwall.* diff --git a/Lrp2/var/lib/lrpkg/shorwall.version b/Lrp2/var/lib/lrpkg/shorwall.version index 54ef5dd13..e9307ca57 100644 --- a/Lrp2/var/lib/lrpkg/shorwall.version +++ b/Lrp2/var/lib/lrpkg/shorwall.version @@ -1 +1 @@ -2.0.0-RC1 +2.0.2
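Review bot: The status entry now prints `(iptables -L -n -)` — the `v` was lost when the line was edited, so the help misdescribes the command it documents; restore `(iptables -L -n -v)`. In the start entry, `configuraton` should be `configuration` and `less detain` should be `less detail`, matching the fix needed in the refresh and restart entries.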