Add Shorewall Lite

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3971 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-06-03 15:16:21 +00:00
parent 8cb7933f4f
commit ae9d76b881
20 changed files with 6659 additions and 5 deletions

Shorewall-lite/COPYING Normal file

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

Shorewall-lite/INSTALL Normal file

@ -0,0 +1,48 @@
Shoreline Firewall (Shorewall) Version 3.2
----- ----
-----------------------------------------------------------------------------
This program is free software; you can redistribute it and/or modify
it under the terms of Version 2 of the GNU General Public License
as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
---------------------------------------------------------------------------
If your system supports rpm, I recommend that you install the Shorewall
.rpm. If you want to install from the tarball:
o Unpack the tarball
o cd to the shorewall-<version> directory
o If you have an earlier version of Shoreline Firewall installed,see the
upgrade instructions below
o Edit the configuration files to fit your environment.
To do this, I strongly advise you to follow the instructions at:
http://www.shorewall.net/shorewall_quickstart_guide.htm
o Type:
./install.sh
o Start the firewall by typing "shorewall start"
o If the install script was unable to configure Shoreline Firewall to
start automatically at boot, you will have to used your
distribution's runlevel editor to configure Shorewall manually.
Upgrade:
o run the install script as described above.
o "shorewall check" and correct any errors found.
o "shorewall restart"
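Review bot: The INSTALL text still documents the full Shorewall package rather than Shorewall Lite: the title line reads "Shoreline Firewall (Shorewall) Version 3.2", the steps say "Edit the configuration files to fit your environment" and "shorewall check", and the URL is the standard Shorewall quickstart guide. Either adapt the steps to the Lite install or say explicitly that a Lite system is configured elsewhere. Two typos while touching it: "installed,see the" needs a space after the comma, and "you will have to used your" should read "you will have to use your". The FSF address given here (675 Mass Ave) also differs from the one in COPYING (59 Temple Place); the two files should agree.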


@ -0,0 +1 @@
This is the Shorewall Development 3.2 branch of CVS.
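Review bot: The file describes "the Shorewall Development 3.2 branch of CVS", but it sits under Shorewall-lite and, per the git-svn-id in the commit message, this tree lives in Subversion; update the text to name Shorewall Lite and the correct VCS, or drop the file if it is only a copy carried over from the main tree.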


@ -0,0 +1,3 @@
Changes in 3.2.0 RC 1
1) First Release.

Shorewall-lite/fallback.sh Executable file

@ -0,0 +1,103 @@
#!/bin/sh
#
# Script to back out the installation of Shorewall Lite and to restore the previous version of
# the program
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2006 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# Usage:
#
# You may only use this script to back out the installation of the version
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=3.2.0-RC1
usage() # $1 = exit status
{
echo "usage: $(basename $0)"
exit $1
}
restore_directory() # $1 = directory to restore
{
if [ -d ${1}-${VERSION}.bkout ]; then
if mv -f $1 ${1}-${VERSION} && mv ${1}-${VERSION}.bkout $1; then
echo
echo "$1 restored"
rm -rf ${1}-${VERSION}
else
echo "ERROR: Could not restore $1"
exit 1
fi
fi
}
restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
{
if [ -n "$2" ]; then
local file=$(basename $1)
if [ -f $2/$file ]; then
if mv -f $2/$file $1 ; then
echo
echo "$1 restored"
return
fi
echo "ERROR: Could not restore $1"
exit 1
fi
fi
if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
if (mv -f ${1}-${VERSION}.bkout $1); then
echo
echo "$1 restored"
else
echo "ERROR: Could not restore $1"
exit 1
fi
fi
}
if [ ! -f /usr/share/shorewall-${VERSION}.bkout/version ]; then
echo "Shorewall Version $VERSION is not installed"
exit 1
fi
echo "Backing Out Installation of Shorewall $VERSION"
if [ -L /usr/share/shorewall/init ]; then
FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
restore_file $FIREWALL /usr/share/shorewall-${VERSION}.bkout
else
restore_file /etc/init.d/shorewall /usr/share/shorewall-${VERSION}.bkout
fi
restore_file /sbin/shorewall /var/lib/shorewall-${VERSION}.bkout
restore_directory /etc/shorewall
restore_directory /usr/share/shorewall
restore_directory /var/lib/shorewall
echo "Shorewall Lite Restored to Version $(cat /usr/share/shorewall/version)"
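Review bot: The user-facing messages disagree about what is being backed out: the guard at the top prints "Shorewall Version $VERSION is not installed" (when what it actually tests is the presence of the backup directory /usr/share/shorewall-${VERSION}.bkout), the banner says "Backing Out Installation of Shorewall $VERSION", and the last line says "Shorewall Lite Restored"; make all three name Shorewall Lite and have the guard say that no backup of the prior version was found. Two robustness points: the init-script symlink target is recovered with `ls -l /usr/share/shorewall/init | sed 's/^.*> //'`, which is fragile parsing of ls output where readlink gives the target directly; and $1 and $FIREWALL are expanded unquoted throughout (for example `mv -f $1 ${1}-${VERSION}`), which only works because every path is hard-coded, so quoting them costs nothing and keeps the script correct if a path with whitespace is ever introduced. Finally, usage() is defined but never called, so unexpected arguments are silently ignored rather than rejected.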

Shorewall-lite/functions Normal file

File diff suppressed because it is too large

Shorewall-lite/help Executable file

@ -0,0 +1,414 @@
#!/bin/sh
#
# Shorewall help subsystem - V3.2
#
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2003-2006 - Tom Eastep (teastep@shorewall.net)
# Steve Herber (herber@thing.com)
#
# This file should be placed in /usr/share/shorewall/help
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
##################################################################################
case $1 in
add)
echo "add: add <interface>[:<host-list>] ... <zone>
Adds a list of hosts or subnets to a dynamic zone usually used with VPN's.
shorewall add interface:host-list ... zone - Adds the specified interface
(and host-list if included) to the specified zone.
A host-list is a comma-separated list whose elements are:
A host or network address
The name of a bridge port
The name of a bridge port followed by a colon (":") and a host or
network address.
Example:
shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
from interface ipsec0 to the zone vpn1.
See also \"help host\""
;;
address|host)
echo "<$1>:
May be either a host IP address such as 192.168.1.4 or a network address in
CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
match support then IP address ranges of the form <low address>-<high address>
are also permitted. If your kernel and iptables contain ipset match support
then you may specify the name of an ipset prefaced by "+". The name of the
ipsec may be optionally followed by a number of levels of ipset bindings
(1 - 6) that are to be followed"
;;
allow)
echo "allow: allow <address> ...
Re-enables receipt of packets from hosts previously blacklisted
by a drop or reject command.
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
See also \"help address\""
;;
check)
echo "check: check [ -e ] [ <configuration-directory> ]
Performs a cursory validation of the zones, interfaces, hosts,
rules, policy, masq, blacklist, proxyarp, nat and provider files. Use this
if you are unsure of any edits you have made to the shorewall configuration.
See the try command examples for a recommended way to make changes.
The \"-e\" option causes Shorewall to use the /etc/shorewall/capabilities
file to determine the capabilities of the target system rather than probing
for them on the local system."
;;
clear)
echo "clear: clear
Clear will remove all rules and chains installed by Shoreline.
The firewall is then wide open and unprotected. Existing
connections are untouched. Clear is often used to see if the
firewall is causing connection problems."
;;
compile)
echo "compile: compile [ -e ] [ -d <distro> ] [ <directory name> ] <path name>
Compiles the current configuration into the executable file
<path name>. If <path name> names a file in /var/lib/shorewall then
the file may be executed using the \"restore\" command.
When -e is specified, the compilation is being performed on a system
other than where the compiled script will run. This option disables
certain configuration options that require the script to be compiled
where it is to be run.
When -d <distribution> is given, the script is built for execution
on the distribution specified by <distro>. Currently supported
distributions are:
suse
redhat (which is also appropriate for Fedora Core and CentOS).
Usually specified together with -e.
Example:
shorewall compile -ed redhat foo
Additional distributions are expected to be supported shortly."
;;
debug)
echo "debug: debug
If you include the keyword debug as the first argument to any
of these commands:
start|stop|restart|reset|clear|refresh|check|add|delete
then a shell trace of the command is produced. For example:
shorewall debug start 2> /tmp/trace
The above command would trace the 'start' command and
place the trace information in the file /tmp/trace.
The word 'trace' is a synonym for 'debug'."
;;
delete)
echo "delete: delete <interface>[:<host-list>] ... <zone>
Deletes a list of hosts or networks from a dynamic zone usually used with VPN's.
shorewall delete interface[:host-list] ... zone - Deletes the specified
interfaces (and host list if included) from the specified zone.
A host-list is a comma-separated list whose elements are:
A host or network address
The name of a bridge port
The name of a bridge port followed by a colon (":") and a host or
network address.
Example:
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
192.0.2.24 from interface ipsec0 from zone vpn1
See also \"help host\""
;;
drop)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
;;
dump)
echo "dump: dump
shorewall [-x] dump
Produce a verbose report about the firewall for problem analysis.
(iptables -L -n -)
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
forget)
echo "forget: forget [ <file name> ]
Deletes /var/lib/shorewall/<file name>. If no <file name> is given then
the file specified by RESTOREFILE in shorewall.conf is removed.
See also \"help save\""
;;
help)
echo "help: help [<command> | host | address ]
Display helpful information about the shorewall commands."
;;
hits)
echo "hits: hits
Produces several reports about the Shorewall packet log messages
in the current /var/log/messages file."
;;
ipcalc)
echo "ipcalc: ipcalc { address mask | address/vlsm }
Ipcalc displays the network address, broadcast address,
network in CIDR notation and netmask corresponding to the input[s]."
;;
ipdecimal)
echo "ipdecimal: ipdecimal { <IP address> | <integer> }
Converts an IP address into its 32-bit decimal equivalent and
vice versa"
;;
iprange)
echo "iprange: iprange address1-address2
Iprange decomposes the specified range of IP addresses into the
equivalent list of network/host addresses."
;;
logdrop)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored and loged.
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
;;
logwatch)
echo "logwatch: logwatch [ -m ] [<refresh interval>]
Monitors the LOGFILE, $LOGFILE,
and produces an audible alarm when new Shorewall messages are logged.
If \"-m\" is specified, then MAC addresses in the log entries (if any) are displayed."
;;
logreject)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected and logged.
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
;;
refresh)
echo "refresh: refresh
The rules involving the broadcast addresses of firewall interfaces,
the black list, and ECN control rules are recreated to reflect any
changes made. Existing connections are untouched."
;;
reject)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
;;
reset)
echo "reset: reset
All the packet and byte counters in the firewall are reset."
;;
restart)
echo "restart: restart [ -n ] [ <configuration-directory> ]
Restart is the same as a shorewall stop && shorewall start.
Existing connections are maintained.
If \"-n\" is specified, no changes to routing will be made"
;;
safe-restart)
echo "safe-restart: safe-restart
Restart the same way as a shorewall restart except that previous firewall
configuration is backed up and will be restored if you notice any anomalies
or you are not able to reach the firewall any more."
;;
safe-start)
echo "safe-start: safe-start
Start the same way as a shorewall start except that in case of anomalies
shorewall clear is issued. "
;;
restore)
echo "restore: restore [ -n ] [ <file name> ]
Restore Shorewall to a state saved using the 'save' command
Existing connections are maintained. The <file name> names a restore file in
/var/lib/shorewall created using \"shorewall save\"; if no <file name> is given
then Shorewall will be restored from the file specified by the RESTOREFILE
option in shorewall.conf.
If \"-n\" is specified, no changes to routing will be made.
See also \"help save\", \"help compile\" and \"help forget\""
;;
save)
echo "save: save [ <file name> ]
The dynamic data is stored in /var/lib/shorewall/save. The state of the
firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf.
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help restore\" and \"help forget\""
;;
show)
echo "show: show [ <chain> [ <chain> ...] |actions|classifiers|connections|log|macros|mangle|nat|tc|zones]
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v)
shorewall show actions - produce a list of builtin actions and actions defined in /usr/share/shorewall/actions.std and /etc/shorewall
shorewall [-x] show mangle - produce a verbose report about the mangle table.
(iptables -t mangle -L -n -v)
shorewall [-x] show nat - produce a verbose report about the nat table.
(iptables -t nat -L -n -v)
shorewall show [ -m ] log - display the last 20 packet log entries. If \"-m\" is specified, then
MAC addresses in the log entries (if any) are displayed.
shorewall show macros -- displays the standard macros.
shorewall show connections - displays the IP connections currently
being tracked by the firewall.
shorewall show tc - displays information about the traffic
control/shaping configuration.
shorewall show zones - displays the contents of all zones.
shorewall show capabilities - displays your kernel/iptables capabilities
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
start)
echo "start: start [ -f ] [ -n ] [ <configuration-directory> ]
Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies.
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
in shorewall.conf will be restored if that saved configuration exists. In that
case, a <configuration-directory> may not be specified.
If \"-n\" is specified, no changes to routing will be made."
;;
stop)
echo "stop: stop
Stops the firewall. All existing connections, except those
listed in /etc/shorewall/routestopped, are taken down.
The only new traffic permitted through the firewall
is from systems listed in /etc/shorewall/routestopped."
;;
status)
echo "status: status
shorewall status
Displays the Shorewall status (running/not-running).
Also displays the Shorewall state as shown in the state diagram at
http://www.shorewall.net/starting_and_stopping_shorewall. The time and
date when that state was reached is also displayed."
;;
trace)
echo "trace: trace
If you include the keyword trace as the first argument to any
of these commands:
start|stop|restart|reset|clear|refresh|check|add|delete
then a shell trace of the command is produced. For example:
shorewall trace start 2> /tmp/trace
The above command would trace the 'start' command and
place the trace information in the file /tmp/trace.
The word 'debug' is a synonym for 'trace'."
;;
try)
echo "try: try [ -n ] <configuration-directory> [ <timeout> ]
Restart shorewall using the specified configuration. If an error
occurs during the restart, then another shorewall restart is performed
using the default configuration. If a timeout is specified then
the restart is always performed after the timeout occurs and uses
the default configuration.
The \"-n\" option will be passed down to the underlying commands (see
'start', 'restart' and 'restore')"
;;
version)
echo "version: version
Show the current shorewall version which is: $version"
;;
*)
echo "$1: $1 is not recognized by the help command"
;;
esac
exit 0 # always ok
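Review bot: the synopsis line for `show` (`show: show [ <chain> [ <chain> ...] |actions|classifiers|connections|log|macros|mangle|nat|tc|zones]`) omits `capabilities`, although `shorewall show capabilities - displays your kernel/iptables capabilities` is documented a few lines below in the same text; add it so the synopsis matches the subcommands actually described. The `-m` flag has the same problem: it appears only in the `shorewall show [ -m ] log` body line, not in the synopsis. Also, the sentence "Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting." appears verbatim under both `reject` and `save`; under `save` it reads as a stray copy, since that text already explains that the dynamic data goes to /var/lib/shorewall/save.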


@ -0,0 +1,58 @@
#!/bin/bash
OPTIONS="-f"
if [ -f /etc/sysconfig/shorewall ] ; then
. /etc/sysconfig/shorewall
elif [ -f /etc/default/shorewall ] ; then
. /etc/default/shorewall
fi
# if you want to override options, do so in /etc/sysconfig/shorewall or
# in /etc/default/shorewall --
# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
. /etc/rc.conf
. /etc/rc.d/functions
DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon.
case "$1" in
start)
stat_busy "Starting $DAEMON_NAME"
/sbin/shorewall $OPTIONS start &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
add_daemon $DAEMON_NAME
stat_done
fi
;;
stop)
stat_busy "Stopping $DAEMON_NAME"
/sbin/shorewall stop &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
rm_daemon $DAEMON_NAME
stat_done
fi
;;
restart|reload)
stat_busy "Restarting $DAEMON_NAME"
/sbin/shorewall restart &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
stat_done
fi
;;
*)
echo "usage: $0 {start|stop|restart}"
esac
exit 0
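Review bot: the script always finishes with `exit 0`, so a failed `/sbin/shorewall $OPTIONS start` is reported only by `stat_busy`/`stat_fail` on the console and never through the exit status, and because the command's output goes to `&>/dev/null` nothing records why the firewall did not come up. Suggest exiting non-zero in the `stat_fail` branches and keeping the output (a log file, as the Debian script in this commit does), since a host that boots without its firewall while the init system reports success is the worst case for this script. Minor: the usage text `usage: $0 {start|stop|restart}` omits `reload`, which the `restart|reload)` case accepts.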

130
Shorewall-lite/init.debian.sh Executable file

@ -0,0 +1,130 @@
#!/bin/sh
SRWL=/sbin/shorewall
WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
# Note, set INITLOG to /dev/null if you do not want to
# keep logs of the firewall (not recommended)
INITLOG=/var/log/shorewall-init.log
OPTIONS="-f"
test -x $SRWL || exit 0
test -n $INITLOG || {
echo "INITLOG cannot be empty, please configure $0" ;
exit 1;
}
if [ "$(id -u)" != "0" ]
then
echo "You must be root to start, stop or restart \"Shorewall firewall\"."
exit 1
fi
echo_notdone () {
if [ "$INITLOG" = "/dev/null" ] ; then
"not done."
else
"not done (check $INITLOG)."
fi
}
not_configured () {
echo "#### WARNING ####"
echo "the firewall won't be started/stopped unless it is configured"
if [ "$1" != "stop" ]
then
echo ""
echo "please configure it and then edit /etc/default/shorewall"
echo "and set the \"startup\" variable to 1 in order to allow "
echo "shorewall to start"
fi
echo "#################"
exit 0
}
# parse the shorewall params file in order to use params in
# /etc/default/shorewall
if [ -f "/etc/shorewall/params" ]
then
. /etc/shorewall/params
fi
# check if shorewall is configured or not
if [ -f "/etc/default/shorewall" ]
then
. /etc/default/shorewall
if [ "$startup" != "1" ]
then
not_configured
fi
else
not_configured
fi
# wait an unconfigured interface
wait_for_pppd () {
if [ "$wait_interface" != "" ]
then
if [ -f $WAIT_FOR_IFUP ]
then
for i in $wait_interface
do
$WAIT_FOR_IFUP $i 90
done
else
echo "$WAIT_FOR_IFUP: File not found" >> $INITLOG
echo_notdone
exit 2
fi
fi
}
# start the firewall
shorewall_start () {
echo -n "Starting \"Shorewall firewall\": "
wait_for_pppd
$SRWL $OPTIONS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
# stop the firewall
shorewall_stop () {
echo -n "Stopping \"Shorewall firewall\": "
$SRWL stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
# restart the firewall
shorewall_restart () {
echo -n "Restarting \"Shorewall firewall\": "
$SRWL restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
# refresh the firewall
shorewall_refresh () {
echo -n "Refreshing \"Shorewall firewall\": "
$SRWL refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
case "$1" in
start)
shorewall_start
;;
stop)
shorewall_stop
;;
refresh)
shorewall_refresh
;;
force-reload|restart)
shorewall_restart
;;
*)
echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload}"
exit 1
esac
exit 0
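Review bot: `echo_notdone` is broken: the lines `"not done."` and `"not done (check $INITLOG)."` are executed as commands rather than printed, so on a failed start the user gets a "command not found" error instead of the intended message; both need a leading `echo`. Two related problems in the same file: `test -n $INITLOG` is unquoted, so with an empty INITLOG it becomes the one-argument form `test -n`, which is always true, and the "INITLOG cannot be empty" guard can never fire (write `test -n "$INITLOG"`); and `shorewall_start`, `shorewall_stop`, `shorewall_restart` and `shorewall_refresh` all end with an unconditional `return 0`, so `/etc/init.d/shorewall start` exits 0 even when `$SRWL $OPTIONS start` failed, hiding an unstarted firewall from anything that checks the service's exit status. Returning the status of the `$SRWL` command instead of 0 fixes that.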

89
Shorewall-lite/init.sh Executable file

@ -0,0 +1,89 @@
#!/bin/sh
RCDLINKS="2,S41 3,S41 6,K41"
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.2
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called /etc/init.d/shorewall.
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped.
#
# Commands are:
#
# shorewall start Starts the firewall
# shorewall restart Restarts the firewall
# shorewall reload Reload the firewall
# (same as restart)
# shorewall stop Stops the firewall
# shorewall status Displays firewall status
#
# chkconfig: 2345 25 90
# description: Packet filtering firewall
### BEGIN INIT INFO
# Provides: shorewall
# Required-Start: $network
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: starts and stops the shorewall firewall
### END INIT INFO
################################################################################
# Give Usage Information #
################################################################################
usage() {
echo "Usage: $0 start|stop|reload|restart|status"
exit 1
}
################################################################################
# Get startup options (override default)
################################################################################
OPTIONS="-f"
if [ -f /etc/sysconfig/shorewall ]; then
. /etc/sysconfig/shorewall
elif [ -f /etc/default/shorewall ] ; then
. /etc/default/shorewall
fi
################################################################################
# E X E C U T I O N B E G I N S H E R E #
################################################################################
command="$1"
case "$command" in
start)
exec /sbin/shorewall $OPTIONS $@
;;
stop|restart|status)
exec /sbin/shorewall $@
;;
reload)
shift
exec /sbin/shorewall restart $@
;;
*)
usage
;;
esac
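Review bot: `exec /sbin/shorewall $OPTIONS $@` and the other two `exec` lines pass `$@` unquoted, so a `<configuration-directory>` argument containing whitespace is split into several arguments before it reaches /sbin/shorewall; use `"$@"`. The three startup-ordering declarations in the header also disagree with each other: `RCDLINKS="2,S41 3,S41 6,K41"` gives priority 41 in runlevels 2 and 3 only, `# chkconfig: 2345 25 90` gives 25/90 in runlevels 2-5, and the LSB block has `Default-Start: 2 3 5`. If the differences are deliberate per distribution a comment saying so would help; otherwise they should be aligned so the firewall is brought up at the same point in the boot sequence regardless of which init system reads the header.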

645
Shorewall-lite/install.sh Executable file

@ -0,0 +1,645 @@
#!/bin/sh
#
# Script to install Shoreline Firewall
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=3.2.0-RC1
usage() # $1 = exit status
{
ME=$(basename $0)
echo "usage: $ME"
echo " $ME -v"
echo " $ME -h"
exit $1
}
split() {
local ifs=$IFS
IFS=:
set -- $1
echo $*
IFS=$ifs
}
qt()
{
"$@" >/dev/null 2>&1
}
mywhich() {
local dir
for dir in $(split $PATH); do
if [ -x $dir/$1 ]; then
echo $dir/$1
return 0
fi
done
return 2
}
run_install()
{
if ! install $*; then
echo
echo "ERROR: Failed to install $*" >&2
exit 1
fi
}
cant_autostart()
{
echo
echo "WARNING: Unable to configure shorewall to start automatically at boot" >&2
}
backup_directory() # $1 = directory to backup
{
if [ -d $1 ]; then
if cp -a $1 ${1}-${VERSION}.bkout ; then
echo
echo "$1 saved to ${1}-${VERSION}.bkout"
else
exit 1
fi
fi
}
backup_file() # $1 = file to backup, $2 = (optional) Directory in which to create the backup
{
if [ -z "$PREFIX" ]; then
if [ -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
if [ -n "$2" ]; then
if [ -d $2 ]; then
if cp -f $1 $2 ; then
echo
echo "$1 saved to $2/$(basename $1)"
else
exit 1
fi
fi
elif cp $1 ${1}-${VERSION}.bkout; then
echo
echo "$1 saved to ${1}-${VERSION}.bkout"
else
exit 1
fi
fi
fi
}
delete_file() # $1 = file to delete
{
rm -f $1
}
install_file() # $1 = source $2 = target $3 = mode
{
run_install $OWNERSHIP -m $3 $1 ${2}
}
install_file_with_backup() # $1 = source $2 = target $3 = mode $4 = (optional) backup directory
{
backup_file $2 $4
run_install $OWNERSHIP -m $3 $1 ${2}
}
#
# Parse the run line
#
# DEST is the SysVInit script directory
# INIT is the name of the script in the $DEST directory
# RUNLEVELS is the chkconfig parmeters for firewall
# ARGS is "yes" if we've already parsed an argument
#
ARGS=""
if [ -z "$DEST" ] ; then
DEST="/etc/init.d"
fi
if [ -z "$INIT" ] ; then
INIT="shorewall"
fi
if [ -z "$RUNLEVELS" ] ; then
RUNLEVELS=""
fi
if [ -z "$OWNER" ] ; then
OWNER=root
fi
if [ -z "$GROUP" ] ; then
GROUP=root
fi
while [ $# -gt 0 ] ; do
case "$1" in
-h|help|?)
usage 0
;;
-v)
echo "Shorewall Firewall Installer Version $VERSION"
exit 0
;;
*)
usage 1
;;
esac
shift
ARGS="yes"
done
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# Determine where to install the firewall script
#
DEBIAN=
OWNERSHIP="-o $OWNER -g $GROUP"
if [ -n "$PREFIX" ]; then
if [ `id -u` != 0 ] ; then
echo "Not setting file owner/group permissions, not running as root."
OWNERSHIP=""
fi
install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
DEBIAN=yes
elif [ -f /etc/slackware-version ] ; then
DEST="/etc/rc.d"
INIT="rc.firewall"
elif [ -f /etc/arch-release ] ; then
DEST="/etc/rc.d"
INIT="shorewall"
ARCHLINUX=yes
fi
#
# Change to the directory containing this script
#
cd "$(dirname $0)"
echo "Installing Shorewall Version $VERSION"
#
# First do Backups
#
#
# Check for /etc/shorewall
#
if [ -d ${PREFIX}/etc/shorewall ]; then
first_install=""
backup_directory ${PREFIX}/etc/shorewall
backup_directory ${PREFIX}/usr/share/shorewall
backup_directory ${PREFIX}/var/lib/shorewall
else
first_install="Yes"
fi
install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0544 ${PREFIX}/var/lib/shorewall-${VERSION}.bkout
echo "shorewall control program installed in ${PREFIX}/sbin/shorewall"
#
# Install the Firewall Script
#
if [ -n "$DEBIAN" ]; then
install_file_with_backup init.debian.sh /etc/init.d/shorewall 0544 ${PREFIX}/usr/share/shorewall-${VERSION}.bkout
elif [ -n "$ARCHLINUX" ]; then
install_file_with_backup init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-${VERSION}.bkout
else
install_file_with_backup init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-${VERSION}.bkout
fi
echo "Shorewall script installed in ${PREFIX}${DEST}/$INIT"
#
# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
#
mkdir -p ${PREFIX}/etc/shorewall
mkdir -p ${PREFIX}/usr/share/shorewall
mkdir -p ${PREFIX}/var/lib/shorewall
chmod 755 ${PREFIX}/etc/shorewall
chmod 755 ${PREFIX}/usr/share/shorewall
#
# Install the config file
#
if [ ! -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
run_install $OWNERSHIP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
fi
if [ -n "$ARCHLINUX" ] ; then
sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall/shorewall.conf
fi
#
# Install the zones file
#
if [ ! -f ${PREFIX}/etc/shorewall/zones ]; then
run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall/zones
echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
fi
#
# Install the functions file
#
install_file functions ${PREFIX}/usr/share/shorewall/functions 0444
echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions"
#
# Install the Compiler
#
install_file compiler ${PREFIX}/usr/share/shorewall/compiler 0555
echo
echo "Compiler installed in ${PREFIX}/usr/share/shorewall/compiler"
#
# Install Shorecap
#
install_file shorecap ${PREFIX}/usr/share/shorewall/shorecap 0555
echo
echo "Capability file builder installed in ${PREFIX}/usr/share/shorewall/shorecap"
# Install the Help file
#
install_file help ${PREFIX}/usr/share/shorewall/help 0544
echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
#
# Install the policy file
#
if [ ! -f ${PREFIX}/etc/shorewall/policy ]; then
run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall/policy
echo "Policy file installed as ${PREFIX}/etc/shorewall/policy"
fi
#
# Install the interfaces file
#
if [ ! -f ${PREFIX}/etc/shorewall/interfaces ]; then
run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
fi
#
# Install the ipsec file
#
if [ ! -f ${PREFIX}/etc/shorewall/ipsec ]; then
run_install $OWNERSHIP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
echo "Dummy IPSEC file installed as ${PREFIX}/etc/shorewall/ipsec"
fi
#
# Install the hosts file
#
if [ ! -f ${PREFIX}/etc/shorewall/hosts ]; then
run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
echo "Hosts file installed as ${PREFIX}/etc/shorewall/hosts"
fi
#
# Install the rules file
#
if [ ! -f ${PREFIX}/etc/shorewall/rules ]; then
run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall/rules
echo "Rules file installed as ${PREFIX}/etc/shorewall/rules"
fi
#
# Install the NAT file
#
if [ ! -f ${PREFIX}/etc/shorewall/nat ]; then
run_install $OWNERSHIP -m 0600 nat ${PREFIX}/etc/shorewall/nat
echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
fi
#
# Install the NETMAP file
#
if [ ! -f ${PREFIX}/etc/shorewall/netmap ]; then
run_install $OWNERSHIP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap
echo "NETMAP file installed as ${PREFIX}/etc/shorewall/netmap"
fi
#
# Install the Parameters file
#
if [ ! -f ${PREFIX}/etc/shorewall/params ]; then
run_install $OWNERSHIP -m 0600 params ${PREFIX}/etc/shorewall/params
echo "Parameter file installed as ${PREFIX}/etc/shorewall/params"
fi
#
# Install the proxy ARP file
#
if [ ! -f ${PREFIX}/etc/shorewall/proxyarp ]; then
run_install $OWNERSHIP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
echo "Proxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp"
fi
#
# Install the Stopped Routing file
#
if [ ! -f ${PREFIX}/etc/shorewall/routestopped ]; then
run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped
echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
fi
#
# Install the Mac List file
#
if [ ! -f ${PREFIX}/etc/shorewall/maclist ]; then
run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
echo "MAC list file installed as ${PREFIX}/etc/shorewall/maclist"
fi
#
# Install the Masq file
#
if [ ! -f ${PREFIX}/etc/shorewall/masq ]; then
run_install $OWNERSHIP -m 0600 masq ${PREFIX}/etc/shorewall/masq
echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
fi
#
# Install the Modules file
#
if [ ! -f ${PREFIX}/etc/shorewall/modules ]; then
run_install $OWNERSHIP -m 0600 modules ${PREFIX}/etc/shorewall/modules
echo "Modules file installed as ${PREFIX}/etc/shorewall/modules"
fi
#
# Install the TC Rules file
#
if [ ! -f ${PREFIX}/etc/shorewall/tcrules ]; then
run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
fi
#
# Install the TOS file
#
if [ ! -f ${PREFIX}/etc/shorewall/tos ]; then
run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall/tos
echo "TOS file installed as ${PREFIX}/etc/shorewall/tos"
fi
#
# Install the Tunnels file
#
if [ ! -f ${PREFIX}/etc/shorewall/tunnels ]; then
run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
echo "Tunnels file installed as ${PREFIX}/etc/shorewall/tunnels"
fi
#
# Install the blacklist file
#
if [ ! -f ${PREFIX}/etc/shorewall/blacklist ]; then
run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
fi
#
# Delete the Routes file
#
delete_file ${PREFIX}/etc/shorewall/routes
#
# Delete the tcstart file
#
delete_file ${PREFIX}/usr/share/shorewall/tcstart
#
# Install the Providers file
#
if [ ! -f ${PREFIX}/etc/shorewall/providers ]; then
run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall/providers
echo "Providers file installed as ${PREFIX}/etc/shorewall/providers"
fi
#
# Install the Route Rules file
#
if [ ! -f ${PREFIX}/etc/shorewall/route_rules ]; then
run_install $OWNERSHIP -m 0600 route_rules ${PREFIX}/etc/shorewall/route_rules
echo "Routing rules file installed as ${PREFIX}/etc/shorewall/route_rules"
fi
#
# Install the tcclasses file
#
if [ ! -f ${PREFIX}/etc/shorewall/tcclasses ]; then
run_install $OWNERSHIP -m 0600 tcclasses ${PREFIX}/etc/shorewall/tcclasses
echo "TC Classes file installed as ${PREFIX}/etc/shorewall/tcclasses"
fi
#
# Install the tcdevices file
#
if [ ! -f ${PREFIX}/etc/shorewall/tcdevices ]; then
run_install $OWNERSHIP -m 0600 tcdevices ${PREFIX}/etc/shorewall/tcdevices
echo "TC Devices file installed as ${PREFIX}/etc/shorewall/tcdevices"
fi
#
# Install the rfc1918 file
#
install_file rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0600
echo "RFC 1918 file installed as ${PREFIX}/usr/share/shorewall/rfc1918"
#
# Install the default config path file
#
install_file configpath ${PREFIX}/usr/share/shorewall/configpath 0600
echo "Default config path file installed as ${PREFIX}/usr/share/shorewall/configpath"
#
# Install the init file
#
if [ ! -f ${PREFIX}/etc/shorewall/init ]; then
run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall/init
echo "Init file installed as ${PREFIX}/etc/shorewall/init"
fi
#
# Install the initdone file
#
if [ ! -f ${PREFIX}/etc/shorewall/initdone ]; then
run_install $OWNERSHIP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone
echo "Initdone file installed as ${PREFIX}/etc/shorewall/initdone"
fi
#
# Install the start file
#
if [ ! -f ${PREFIX}/etc/shorewall/start ]; then
run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall/start
echo "Start file installed as ${PREFIX}/etc/shorewall/start"
fi
#
# Install the stop file
#
if [ ! -f ${PREFIX}/etc/shorewall/stop ]; then
run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall/stop
echo "Stop file installed as ${PREFIX}/etc/shorewall/stop"
fi
#
# Install the stopped file
#
if [ ! -f ${PREFIX}/etc/shorewall/stopped ]; then
run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
fi
#
# Install the ECN file
#
if [ ! -f ${PREFIX}/etc/shorewall/ecn ]; then
run_install $OWNERSHIP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
fi
#
# Install the Accounting file
#
if [ ! -f ${PREFIX}/etc/shorewall/accounting ]; then
run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
fi
#
# Install the Continue file
#
if [ ! -f ${PREFIX}/etc/shorewall/continue ]; then
run_install $OWNERSHIP -m 0600 continue ${PREFIX}/etc/shorewall/continue
echo "Continue file installed as ${PREFIX}/etc/shorewall/continue"
fi
#
# Install the Started file
#
if [ ! -f ${PREFIX}/etc/shorewall/started ]; then
run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall/started
echo "Started file installed as ${PREFIX}/etc/shorewall/started"
fi
#
# Install the Standard Actions file
#
install_file actions.std ${PREFIX}/usr/share/shorewall/actions.std 0644
echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
#
# Install the Actions file
#
if [ ! -f ${PREFIX}/etc/shorewall/actions ]; then
run_install $OWNERSHIP -m 0644 actions ${PREFIX}/etc/shorewall/actions
echo "Actions file installed as ${PREFIX}/etc/shorewall/actions"
fi
#
# Install the Makefile
#
run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall/Makefile
echo "Makefile installed as ${PREFIX}/etc/shorewall/Makefile"
#
# Install the Action files
#
for f in action.* ; do
install_file $f ${PREFIX}/usr/share/shorewall/$f 0644
echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
done
install_file Limit ${PREFIX}/usr/share/shorewall/Limit 0600
echo "Limit action extension script installed as ${PREFIX}/usr/share/shorewall/Limit"
#
# Install the Macro files
#
for f in macro.* ; do
install_file $f ${PREFIX}/usr/share/shorewall/$f 0644
echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
done
#
# Install the program skeleton files
#
for f in prog.* ; do
install_file $f ${PREFIX}/usr/share/shorewall/$f 0644
echo "Program skeleton file ${f#*.} installed as ${PREFIX}/usr/share/shorewall/$f"
done
#
# Create the version file
#
echo "$VERSION" > ${PREFIX}/usr/share/shorewall/version
chmod 644 ${PREFIX}/usr/share/shorewall/version
#
# Remove and create the symbolic link to the init script
#
if [ -z "$PREFIX" ]; then
rm -f /usr/share/shorewall/init
ln -s ${DEST}/${INIT} /usr/share/shorewall/init
fi
#
# Install the firewall script
#
install_file firewall ${PREFIX}/usr/share/shorewall/firewall 0544
if [ -z "$PREFIX" -a -n "$first_install" ]; then
if [ -n "$DEBIAN" ]; then
run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
echo "shorewall will start automatically at boot"
echo "Set startup=1 in /etc/default/shorewall to enable"
touch /var/log/shorewall-init.log
qt mywhich perl && perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/' /etc/shorewall/shorewall.conf
else
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
if insserv /etc/init.d/shorewall ; then
echo "shorewall will start automatically at boot"
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
else
cant_autostart
fi
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
if chkconfig --add shorewall ; then
echo "shorewall will start automatically in run levels as follows:"
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
chkconfig --list shorewall
else
cant_autostart
fi
elif [ -x /sbin/rc-update ]; then
if rc-update add shorewall default; then
echo "shorewall will start automatically at boot"
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
else
cant_autostart
fi
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
cant_autostart
fi
fi
fi
#
# Report Success
#
echo "shorewall Version $VERSION Installed"
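Review bot: `install_file firewall ${PREFIX}/usr/share/shorewall/firewall 0544` installs unconditionally, but the release notes in this commit say that on a Lite system /usr/share/shorewall/firewall is the compiled script copied over from the administrative system; re-running this installer (an upgrade) therefore replaces the site's compiled firewall with the stock file, and only the `${1}-${VERSION}.bkout` copy of /usr/share/shorewall taken by `backup_directory` preserves it. Guard it the way the /etc/shorewall files are guarded (`if [ ! -f ... ]`) or at least print that it was overwritten. Two smaller points: the message after `install_file actions.std ${PREFIX}/usr/share/shorewall/actions.std 0644` says the file was installed as `${PREFIX}/etc/shorewall/actions.std`, which is not where it went; and shorewall.conf and zones are installed with mode 0744 while every other configuration file in the list uses 0600, leaving the main configuration world-readable (with an execute bit) for no evident reason, so 0600 would be consistent with the rest.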


@ -0,0 +1,52 @@
Shorewall Lite 3.2.0 RC 1
Problems Corrected in 3.2.0 RC 1
None.
Other changes in 3.2.0 RC 1
None.
New Features:
Shorewall Lite is a companion product to Shorewall and is designed to
allow you to maintain all Shorewall configuration information on a
single system within your network.
a) You install the full Shorewall release on one system within your
network. You need not configure Shorewall there and you may totally
disable startup of Shorewall in your init scripts. For ease of
reference, we call this system the 'administrative system'.
b) On each system where you wish to run a Shorewall-generated firewall,
you install Shorewall Lite. For ease of reference, we will call these
systems the 'firewall systems'.
c) On the administrative system you create a separete 'configuration
directory' for each firewall system. You copy the contents of
/usr/share/shorewall/configfiles into each configuration directory.
d) On each firewall system, you run:
/usr/share/shorewall/shorecap > capabilities
The 'capabilities' file is then copied to the corresponding
configuration directory on the administrative system.
e) On the administrative system, for each firewall system you:
1) modify the files in the corresponding configuration
directory appropriately.
2) As a non-root user:
cd <configuration directory>
/sbin/shorewall compile . firewall
Then copy the compiled 'firewall' script to
/usr/share/shorewall/firewall on the corresponding firewall
system.
3) On the firewall system, 'shorewall start'.
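Review bot: typo in step c): "separete" should be "separate". Step d) would also benefit from one sentence saying that shorecap must be run on the firewall system itself, against the kernel and iptables that firewall will actually use, because the compiled script produced in step e) is only valid for the capabilities recorded in that file; the shorecap header in this commit says the same ("On the target system ..."), and the path /usr/share/shorewall/shorecap matches where install.sh puts it.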

348
Shorewall-lite/shorecap Executable file

@ -0,0 +1,348 @@
#!/bin/sh
#
# Shorewall Packet Filtering Firewall Capabilities Detector
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2006 - Tom Eastep (teastep@shorewall.net)
#
# This file should be placed in /sbin/shorewall.
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
#
# This program may be used to create a /etc/shorewall/capabilities file for
# use in compiling Shorewall firewalls on another system.
#
# On the target system (the system where the firewall program is to run):
#
# [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
#
# Now move the capabilities file to the compilation system. The file must
# be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
# for the target system.
#
# Default values for the two variables are:
#
# IPTABLES - iptables
# MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
#
# Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
# used during firewall compilation, then the generated firewall program will likewise not
# require Shorewall to be installed.
VERSION=3.2.0-RC1
#
# Suppress all output for a command
#
qt()
{
"$@" >/dev/null 2>&1
}
#
# Split a colon-separated list into a space-separated list
#
split() {
local ifs=$IFS
IFS=:
set -- $1
echo $*
IFS=$ifs
}
#
# Internal version of 'which'
#
mywhich() {
local dir
for dir in $(split $PATH); do
if [ -x $dir/$1 ]; then
echo $dir/$1
return 0
fi
done
return 2
}
#
# Load a Kernel Module
#
loadmodule() # $1 = module name, $2 - * arguments
{
local modulename=$1
local modulefile
local suffix
moduleloader=modprobe
if ! qt mywhich modprobe; then
moduleloader=insmod
fi
if [ -z "$(lsmod | grep $modulename)" ]; then
shift
for suffix in $MODULE_SUFFIX ; do
modulefile=$MODULESDIR/${modulename}.${suffix}
if [ -f $modulefile ]; then
case $moduleloader in
insmod)
insmod $modulefile $*
;;
*)
modprobe $modulename $*
;;
esac
return
fi
done
fi
}
#
# Load kernel modules required for Shorewall
#
load_kernel_modules()
{
[ -z "$MODULESDIR" ] && \
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
#
# Essential Modules
#
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
#
# Helpers
#
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc
loadmodule ip_set
loadmodule ip_set_iphash
loadmodule ip_set_ipmap
loadmodule ip_set_macipmap
loadmodule ip_set_portmap
#
# Traffic Shaping
#
loadmodule sch_sfq
loadmodule sch_ingress
loadmodule sch_htb
loadmodule cls_u32
#
# Extensions
#
loadmodule ipt_addrtype
loadmodule ipt_ah
loadmodule ipt_CLASSIFY
loadmodule ipt_CLUSTERIP
loadmodule ipt_comment
loadmodule ipt_connmark
loadmodule ipt_CONNMARK
loadmodule ipt_conntrack
loadmodule ipt_dscp
loadmodule ipt_DSCP
loadmodule ipt_ecn
loadmodule ipt_ECN
loadmodule ipt_esp
loadmodule ipt_hashlimit
loadmodule ipt_helper
loadmodule ipt_ipp2p
loadmodule ipt_iprange
loadmodule ipt_length
loadmodule ipt_limit
loadmodule ipt_LOG
loadmodule ipt_mac
loadmodule ipt_mark
loadmodule ipt_MARK
loadmodule ipt_MASQUERADE
loadmodule ipt_multiport
loadmodule ipt_NETMAP
loadmodule ipt_NOTRACK
loadmodule ipt_owner
loadmodule ipt_physdev
loadmodule ipt_pkttype
loadmodule ipt_policy
loadmodule ipt_realm
loadmodule ipt_recent
loadmodule ipt_REDIRECT
loadmodule ipt_REJECT
loadmodule ipt_SAME
loadmodule ipt_sctp
loadmodule ipt_set
loadmodule ipt_state
loadmodule ipt_tcpmss
loadmodule ipt_TCPMSS
loadmodule ipt_tos
loadmodule ipt_TOS
loadmodule ipt_ttl
loadmodule ipt_TTL
loadmodule ipt_ULOG
}
#
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables)
[ -z "$IPTABLES" ] && { echo "ERROR: Can't find IPTABLES executable" ; exit 2; }
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH=
MULTIPORT=
XMULTIPORT=
POLICY_MATCH=
PHYSDEV_MATCH=
IPRANGE_MATCH=
RECENT_MATCH=
OWNER_MATCH=
IPSET_MATCH=
CONNMARK=
CONNMARK_MATCH=
RAW_TABLE=
IPP2P_MATCH=
LENGTH_MATCH=
CLASSIFY_TARGET=
ENHANCED_REJECT=
USEPKTTYPE=
KLUDGEFREE=
MARK=
XMARK=
MANGLE_FORWARD=
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
if qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT; then
PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth1 -m physdev --physdev-out eth1 -j ACCEPT && KLUDGEFREE=Yes
fi
if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
IPRANGE_MATCH=Yes
if [ -z "${KLUDGEFREE}${PHYSDEV_MATCH}" ]; then
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
fi
fi
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
if qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT; then
CONNMARK_MATCH=Yes
qt $IPTABLES -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
fi
qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes
qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
if [ -n "$MANGLE_ENABLED" ]; then
qt $IPTABLES -t mangle -N fooX1234
if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
MARK=Yes
qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
fi
if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
CONNMARK=Yes
qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
fi
qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
qt $IPTABLES -t mangle -F fooX1234
qt $IPTABLES -t mangle -X fooX1234
qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
fi
qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
if qt mywhich ipset; then
qt ipset -X fooX1234 # Just in case something went wrong the last time
if qt ipset -N fooX1234 iphash ; then
if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
IPSET_MATCH=Yes
fi
qt ipset -X fooX1234
fi
fi
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
qt $IPTABLES -F fooX1234
qt $IPTABLES -X fooX1234
}
report_capability() # $1 = Capability
{
eval echo $1=\$$1
}
report_capabilities() {
echo "#"
echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
echo "#"
report_capability NAT_ENABLED
report_capability MANGLE_ENABLED
report_capability MULTIPORT
report_capability XMULTIPORT
report_capability CONNTRACK_MATCH
report_capability USEPKTTYPE
report_capability POLICY_MATCH
report_capability PHYSDEV_MATCH
report_capability LENGTH_MATCH
report_capability IPRANGE_MATCH
report_capability RECENT_MATCH
report_capability OWNER_MATCH
report_capability IPSET_MATCH
report_capability CONNMARK
report_capability XCONNMARK
report_capability CONNMARK_MATCH
report_capability XCONNMARK_MATCH
report_capability RAW_TABLE
report_capability IPP2P_MATCH
report_capability CLASSIFY_TARGET
report_capability ENHANCED_REJECT
report_capability KLUDGEFREE
report_capability MARK
report_capability XMARK
report_capability MANGLE_FORWARD
}
load_kernel_modules
determine_capabilities
report_capabilities
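Review bot: XCONNMARK and XCONNMARK_MATCH are printed by report_capabilities but are never cleared in the initialization block at the top of determine_capabilities (the `CONNTRACK_MATCH=` through `MANGLE_FORWARD=` list), so if this script is sourced into a shell where those names are already set, a stale Yes survives a failed probe; add `XCONNMARK=` and `XCONNMARK_MATCH=` to that list. Also, `qt $IPTABLES -N fooX1234` swallows the failure when a chain of that name was left behind by an interrupted run, and the probes then append to that existing chain; a leading `qt $IPTABLES -F fooX1234; qt $IPTABLES -X fooX1234`, as the ipset block already does with `ipset -X fooX1234 # Just in case`, would start every probe from a known state. The ipset probe correctly deletes its test rule before `ipset -X`, since a set cannot be destroyed while a rule still references it.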

Shorewall-lite/shorewall Executable file

File diff suppressed because it is too large


@ -0,0 +1,148 @@
###############################################################################
# /etc/shorewall/shorewall.conf V3.0 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 2006 - Tom Eastep (teastep@shorewall.net)
#
###############################################################################
# V E R B O S I T Y
###############################################################################
#
# Shorewall has traditionally been very noisy. You may now set the default
# level of verbosity here.
#
# Values are:
#
# 0 -- Silent. You may make it more verbose using the -v option
# 1 -- Major progress messages displayed
# 2 -- All progress messages displayed (old default behavior)
#
# If not specified, then 2 is assumed
VERBOSITY=1
###############################################################################
# L O G G I N G
###############################################################################
#
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value.
#
# These levels are defined by syslog and are used to determine the destination
# of the messages through entries in /etc/syslog.conf (5). The syslog
# documentation refers to these as "priorities"; Netfilter calls them "levels"
# and Shorewall also uses that term.
#
# Valid levels are:
#
# 7 debug
# 6 info
# 5 notice
# 4 warning
# 3 err
# 2 crit
# 1 alert
# 0 emerg
#
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
# log messages are generated by NetFilter and are logged using facility
# 'kern' and the level that you specifify. If you are unsure of the level
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number.
#
# If you have built your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available with most Linux distributions (although it probably isn't
# installed by default). Ulogd is also available from
# http://www.gnumonks.org/projects/ulogd and can be configured to log all
# Shorewall message to their own log file
###############################################################################
#
# LOG FILE LOCATION
#
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/shorewall_logging.html
#
LOGFILE=/var/log/messages
#
# LOG FORMAT
#
# Shell 'printf' Formatting template for the --log-prefix value in log messages
# generated by Shorewall to identify Shorewall log messages. The supplied
# template is expected to accept either two or three arguments; the first is
# the chain name, the second (optional) is the logging rule number within that
# chain and the third is the ACTION specifying the disposition of the packet
# being logged. You must use the %d formatting type for the rule number; if
# your template does not contain %d then the rule number will not be included.
#
# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
#
# LOGFORMAT="fp=%s:%d a=%s "
#
# If not specified or specified as empty (LOGFORMAT="") then the value
# "Shorewall:%s:%s:" is assumed.
#
# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
# to but not including the first '%') to find log messages in the 'show log',
# 'status' and 'hits' commands. This part should not be omitted (the
# LOGFORMAT should not begin with "%") and the leading part should be
# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
#
LOGFORMAT="Shorewall:%s:%s:"
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
#
# IPTABLES
#
# Full path to iptables executable Shorewall uses to build the firewall. If
# not specified or if specified with an empty value (e.g., IPTABLES="") then
# the iptables executable located via the PATH setting below is used.
#
IPTABLES=
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# SHELL
#
# The firewall script is normally interpreted by /bin/sh. If you wish to change
# the shell used to interpret that script, specify the shell here.
#
SHOREWALL_SHELL=/bin/sh
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
# use lock files, set this to "".
#
SUBSYSLOCK=/var/lock/subsys/shorewall
#LAST LINE -- DO NOT REMOVE
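Review bot: the header comment says `/etc/shorewall/shorewall.conf V3.0`, while the spec file and uninstaller added in this same commit identify the release as 3.2.0; either update the version in the comment or drop it so it cannot go stale. Comment typos in this hunk: `specifify` in the log level paragraph, `all Shorewall message to their own log file` (messages), and `Shorewall messages.It does NOT` (missing space). The `# SUBSYSTEM LOCK FILE` block is also the only section not preceded by a bare `#` separator line, unlike `# SHELL` and `# PATH` directly above it.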


@ -0,0 +1,313 @@
%define name shorewall
%define version 3.2.0
%define release 0Beta4
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
Version: %{version}
Release: %{release}
Prefix: %{prefix}
License: GPL
Packager: Tom Eastep <teastep@shorewall.net>
Group: Networking/Utilities
Source: %{name}-%{version}.tgz
URL: http://www.shorewall.net/
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Requires: iptables iproute
%description
The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
(iptables) based firewall that can be used on a dedicated firewall system,
a multi-function gateway/ router/server or on a standalone GNU/Linux system.
%prep
%setup
%build
%install
export PREFIX=$RPM_BUILD_ROOT ; \
export OWNER=`id -n -u` ; \
export GROUP=`id -n -g` ;\
./install.sh
%clean
rm -rf $RPM_BUILD_ROOT
%post
if [ $1 -eq 1 ]; then
if [ -x /sbin/insserv ]; then
/sbin/insserv /etc/rc.d/shorewall
elif [ -x /sbin/chkconfig ]; then
/sbin/chkconfig --add shorewall;
fi
fi
%preun
if [ $1 = 0 ]; then
if [ -x /sbin/insserv ]; then
/sbin/insserv -r /etc/init.d/shorewall
elif [ -x /sbin/chkconfig ]; then
/sbin/chkconfig --del shorewall
fi
rm -f /etc/shorewall/startup_disabled
fi
%files
%defattr(0644,root,root,0755)
%attr(0544,root,root) /etc/init.d/shorewall
%attr(0755,root,root) %dir /etc/shorewall
%attr(0755,root,root) %dir /usr/share/shorewall
%attr(0700,root,root) %dir /var/lib/shorewall
%attr(0644,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ipsec
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
%attr(0600,root,root) %config(noreplace) /etc/shorewall/netmap
%attr(0600,root,root) %config(noreplace) /etc/shorewall/params
%attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp
%attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped
%attr(0600,root,root) %config(noreplace) /etc/shorewall/maclist
%attr(0600,root,root) %config(noreplace) /etc/shorewall/masq
%attr(0600,root,root) %config(noreplace) /etc/shorewall/modules
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tos
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
%attr(0600,root,root) %config(noreplace) /etc/shorewall/init
%attr(0600,root,root) %config(noreplace) /etc/shorewall/initdone
%attr(0600,root,root) %config(noreplace) /etc/shorewall/start
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
%attr(0600,root,root) %config(noreplace) /etc/shorewall/continue
%attr(0600,root,root) %config(noreplace) /etc/shorewall/started
%attr(0600,root,root) %config(noreplace) /etc/shorewall/providers
%attr(0600,root,root) %config(noreplace) /etc/shorewall/route_rules
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcclasses
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcdevices
%attr(0600,root,root) /etc/shorewall/Makefile
%attr(0555,root,root) /sbin/shorewall
%attr(0644,root,root) /usr/share/shorewall/version
%attr(0644,root,root) /usr/share/shorewall/actions.std
%attr(0644,root,root) /usr/share/shorewall/action.Drop
%attr(0644,root,root) /usr/share/shorewall/action.Limit
%attr(0644,root,root) /usr/share/shorewall/action.Reject
%attr(0644,root,root) /usr/share/shorewall/action.template
%attr(0555,root,root) /usr/share/shorewall/compiler
%attr(0444,root,root) /usr/share/shorewall/functions
%attr(0544,root,root) /usr/share/shorewall/firewall
%attr(0544,root,root) /usr/share/shorewall/shorecap
%attr(0544,root,root) /usr/share/shorewall/help
%attr(0644,root,root) /usr/share/shorewall/Limit
%attr(0644,root,root) /usr/share/shorewall/macro.AllowICMPs
%attr(0644,root,root) /usr/share/shorewall/macro.Amanda
%attr(0644,root,root) /usr/share/shorewall/macro.Auth
%attr(0644,root,root) /usr/share/shorewall/macro.BitTorrent
%attr(0644,root,root) /usr/share/shorewall/macro.CVS
%attr(0644,root,root) /usr/share/shorewall/macro.Distcc
%attr(0644,root,root) /usr/share/shorewall/macro.DNS
%attr(0644,root,root) /usr/share/shorewall/macro.DropDNSrep
%attr(0644,root,root) /usr/share/shorewall/macro.DropUPnP
%attr(0644,root,root) /usr/share/shorewall/macro.Edonkey
%attr(0644,root,root) /usr/share/shorewall/macro.FTP
%attr(0644,root,root) /usr/share/shorewall/macro.Gnutella
%attr(0644,root,root) /usr/share/shorewall/macro.HTTP
%attr(0644,root,root) /usr/share/shorewall/macro.HTTPS
%attr(0644,root,root) /usr/share/shorewall/macro.ICQ
%attr(0644,root,root) /usr/share/shorewall/macro.IMAP
%attr(0644,root,root) /usr/share/shorewall/macro.IMAPS
%attr(0644,root,root) /usr/share/shorewall/macro.LDAP
%attr(0644,root,root) /usr/share/shorewall/macro.LDAPS
%attr(0644,root,root) /usr/share/shorewall/macro.MySQL
%attr(0644,root,root) /usr/share/shorewall/macro.NNTP
%attr(0644,root,root) /usr/share/shorewall/macro.NNTPS
%attr(0644,root,root) /usr/share/shorewall/macro.NTP
%attr(0644,root,root) /usr/share/shorewall/macro.NTPbrd
%attr(0644,root,root) /usr/share/shorewall/macro.PCA
%attr(0644,root,root) /usr/share/shorewall/macro.Ping
%attr(0644,root,root) /usr/share/shorewall/macro.POP3
%attr(0644,root,root) /usr/share/shorewall/macro.POP3S
%attr(0644,root,root) /usr/share/shorewall/macro.PostgreSQL
%attr(0644,root,root) /usr/share/shorewall/macro.Rdate
%attr(0644,root,root) /usr/share/shorewall/macro.Rsync
%attr(0644,root,root) /usr/share/shorewall/macro.SMB
%attr(0644,root,root) /usr/share/shorewall/macro.SMBBI
%attr(0644,root,root) /usr/share/shorewall/macro.SMBswat
%attr(0644,root,root) /usr/share/shorewall/macro.SMTP
%attr(0644,root,root) /usr/share/shorewall/macro.SMTPS
%attr(0644,root,root) /usr/share/shorewall/macro.SNMP
%attr(0644,root,root) /usr/share/shorewall/macro.SPAMD
%attr(0644,root,root) /usr/share/shorewall/macro.SSH
%attr(0644,root,root) /usr/share/shorewall/macro.Submission
%attr(0644,root,root) /usr/share/shorewall/macro.SVN
%attr(0644,root,root) /usr/share/shorewall/macro.Syslog
%attr(0644,root,root) /usr/share/shorewall/macro.Telnet
%attr(0644,root,root) /usr/share/shorewall/macro.template
%attr(0644,root,root) /usr/share/shorewall/macro.Trcrt
%attr(0644,root,root) /usr/share/shorewall/macro.VNC
%attr(0644,root,root) /usr/share/shorewall/macro.VNCL
%attr(0644,root,root) /usr/share/shorewall/macro.Web
%attr(0644,root,root) /usr/share/shorewall/macro.Webmin
%attr(0644,root,root) /usr/share/shorewall/macro.Whois
%attr(0644,root,root) /usr/share/shorewall/prog.footer
%attr(0644,root,root) /usr/share/shorewall/prog.header
%attr(0644,root,root) /usr/share/shorewall/prog.footer.debian
%attr(0644,root,root) /usr/share/shorewall/prog.header.debian
%attr(0644,root,root) /usr/share/shorewall/prog.footer.redhat
%attr(0644,root,root) /usr/share/shorewall/prog.header.redhat
%attr(0644,root,root) /usr/share/shorewall/prog.footer.suse
%attr(0644,root,root) /usr/share/shorewall/prog.header.suse
%attr(0644,root,root) /usr/share/shorewall/rfc1918
%attr(0644,root,root) /usr/share/shorewall/configpath
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
%changelog
* Fri Apr 14 2006 Tom Eastep tom@shorewall.net
- Renamed rtrules to route_rules
* Sun Apr 02 2006 Tom Eastep tom@shorewall.net
- Added rtrules file
- Updated to 3.2.0-0Beta4
* Mon Mar 27 2006 Tom Eastep tom@shorewall.net
- Updated to 3.2.0-0Beta3
* Sat Mar 25 2006 Tom Eastep tom@shorewall.net
- Remove '%config' from Makefile
* Thu Mar 23 2006 Tom Eastep tom@shorewall.net
- Updated to 3.2.0-0Beta2
* Thu Mar 09 2006 Tom Eastep tom@shorewall.net
- Updated to 3.2.0-0Beta1
* Sat Mar 04 2006 Tom Eastep tom@shorewall.net
- Updated to 3.1.9-1
- Added debian and redhat prog header/footers
* Wed Mar 01 2006 Tom Eastep tom@shorewall.net
- Moved shorecap to /usr/share/shorewall
* Fri Feb 24 2006 Tom Eastep tom@shorewall.net
- Updated to 3.1.8-1
* Fri Feb 10 2006 Tom Eastep tom@shorewall.net
- Updated to 3.1.7-1
* Fri Feb 10 2006 Tom Eastep tom@shorewall.net
- Added shorecap
- Updated to 3.1.6-1
* Fri Feb 03 2006 Tom Eastep tom@shorewall.net
- Updated to 3.1.5-1
- Added new program header/footer files
* Sun Jan 29 2006 Tom Eastep tom@shorewall.net
- Updated to 3.1.4-1
- Added new Macros
* Fri Jan 20 2006 Tom Eastep tom@shorewall.net
- Change permissions for compile by ordinary user
* Fri Jan 20 2006 Tom Eastep tom@shorewall.net
- Updated to 3.1.3-1
* Tue Jan 17 2006 Tom Eastep tom@shorewall.net
- Added program skeleton Files
* Sun Jan 15 2006 Tom Eastep tom@shorewall.net
- Updated to 3.1.2-1
* Thu Jan 12 2006 Tom Eastep tom@shorewall.net
- Updated to 3.1.1-1
* Sat Dec 24 2005 Tom Eastep tom@shorewall.net
- Updated to 3.1.0-1
* Thu Dec 15 2005 Tom Eastep tom@shorewall.net
- Add Limit action
* Mon Dec 12 2005 Tom Eastep tom@shorewall.net
- Updated to 3.0.3-1
* Tue Nov 22 2005 Tom Eastep tom@shorewall.net
- Updated to 3.0.2-1
* Thu Nov 17 2005 Tom Eastep tom@shorewall.net
- Updated to 3.0.1-1
* Wed Nov 03 2005 Tom Eastep tom@shorewall.net
- Updated to 3.0.0-1
* Wed Nov 02 2005 Tom Eastep tom@shorewall.net
- Updated to 3.0.0-0RC3
Sat Oct 22 2005 Tom Eastep tom@shorewall.net
- Updated to 3.0.0-0RC2
* Mon Oct 17 2005 Tom Eastep tom@shorewall.net
- Updated to 3.0.0-0RC1
* Sun Oct 09 2005 Tom Eastep tom@shorewall.net
- Updated to 3.0.0-0Beta1
* Fri Oct 07 2005 Tom Eastep tom@shorewall.net
- Updated to 2.5.7-1
* Tue Oct 04 2005 Tom Eastep tom@shorewall.net
- Updated to 2.5.7-1
* Sat Sep 17 2005 Tom Eastep tom@shorewall.net
- Updated to 2.5.6-1
* Tue Aug 30 2005 Tom Eastep tom@shorewall.net
- Updated to 2.5.4-1
* Fri Aug 26 2005 Tom Eastep tom@shorewall.net
- Updated to 2.5.3-1
* Tue Aug 16 2005 Tom Eastep tom@shorewall.net
- Updated to 2.5.2-1
* Sun Aug 07 2005 Tom Eastep tom@shorewall.net
- Updated to 2.5.1-1
* Tue Jul 26 2005 Tom Eastep tom@shorewall.net
- Fix omissions/errors
* Mon Jul 25 2005 Tom Eastep tom@shorewall.net
- Updated to 2.5.0-1
- Add macros and convert most actions to macros
* Thu Jun 02 2005 Tom Eastep tom@shorewall.net
- Updated to 2.4.0-1
* Sun May 30 2005 Tom Eastep tom@shorewall.net
- Updated to 2.4.0-0RC2
* Thu May 19 2005 Tom Eastep tom@shorewall.net
- Updated to 2.4.0-0RC1
* Thu May 19 2005 Tom Eastep tom@shorewall.net
- Updated to 2.3.2-1
* Sun May 15 2005 Tom Eastep tom@shorewall.net
- Updated to 2.3.1-1
* Mon Apr 11 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.4-1
* Fri Apr 08 2005 Tom Eastep tom@shorewall.net
- Added /etc/shorewall/started
* Tue Apr 05 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.3-1
* Mon Mar 07 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.2-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.1-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-1
* Mon Jan 17 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC5
* Thu Jan 06 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC4
* Thu Dec 30 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC3
* Fri Dec 24 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC2
* Sun Dec 19 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC1
- Added ipsecvpn file
* Sat Dec 11 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta8
* Mon Nov 29 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta7
* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta6
* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta5
* Fri Nov 19 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta4
* Tue Nov 09 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta3
* Tue Nov 02 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta2
* Fri Oct 22 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta1
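Review bot: the changelog entry `Sat Oct 22 2005 Tom Eastep tom@shorewall.net` lacks the leading `*` that every other entry carries; rpmbuild keys %changelog entries on that marker, so this line is not recognized as a new entry and the RC2 note ends up attached to the RC3 entry above it. Two other inconsistencies in the hunk: %post registers `/etc/rc.d/shorewall` with insserv while %preun removes `/etc/init.d/shorewall` and %files ships `/etc/init.d/shorewall`, so the two insserv paths should agree; and `%define release 0Beta4` does not match the `VERSION=3.2.0-RC1` in the uninstall.sh added alongside it.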

Shorewall-lite/uninstall.sh Executable file

@ -0,0 +1,112 @@
#!/bin/sh
#
# Script to back uninstall Shoreline Firewall
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# Usage:
#
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=3.2.0-RC1
usage() # $1 = exit status
{
ME=$(basename $0)
echo "usage: $ME"
exit $1
}
qt()
{
"$@" >/dev/null 2>&1
}
restore_file() # $1 = file to restore
{
if [ -f ${1}-shorewall.bkout ]; then
if (mv -f ${1}-shorewall.bkout $1); then
echo
echo "$1 restored"
else
exit 1
fi
fi
}
remove_file() # $1 = file to restore
{
if [ -f $1 -o -L $1 ] ; then
rm -f $1
echo "$1 Removed"
fi
}
if [ -f /usr/share/shorewall/version ]; then
INSTALLED_VERSION="$(cat /usr/share/shorewall/version)"
if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
echo " and this is the $VERSION uninstaller."
VERSION="$INSTALLED_VERSION"
fi
else
echo "WARNING: Shorewall Version $VERSION is not installed"
VERSION=""
fi
echo "Uninstalling shorewall $VERSION"
if qt iptables -L shorewall -n; then
/sbin/shorewall clear
fi
if [ -L /usr/share/shorewall/init ]; then
FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
else
FIREWALL=/etc/init.d/shorewall
fi
if [ -n "$FIREWALL" ]; then
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
insserv -r $FIREWALL
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
chkconfig --del $(basename $FIREWALL)
else
rm -f /etc/rc*.d/*$(basename $FIREWALL)
fi
remove_file $FIREWALL
rm -f ${FIREWALL}-*.bkout
fi
rm -f /sbin/shorewall
rm -f /sbin/shorewall-*.bkout
rm -rf /etc/shorewall
rm -rf /etc/shorewall-*.bkout
rm -rf /var/lib/shorewall
rm -rf /var/lib/shorewall-*.bkout
rm -rf /usr/share/shorewall
rm -rf /usr/share/shorewall-*.bkout
echo "Shorewall Uninstalled"
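Review bot: the Usage comment should state that the script runs `/sbin/shorewall clear` whenever a `shorewall` chain is present, i.e. the running rule set is cleared before any files are deleted; the ordering is right (the control program is removed only afterwards), but an administrator should be told up front that the host is left without Shorewall rules loaded. Comment fixes: `Script to back uninstall Shoreline Firewall` has a stray `back`, and `remove_file() # $1 = file to restore` should read `file to remove`. `FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')` resolves the symlink by parsing ls output; `readlink /usr/share/shorewall/init` gives the same result without depending on the ls listing format.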


@ -223,7 +223,7 @@ else
first_install="Yes"
fi
install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0544 ${PREFIX}/var/lib/shorewall-${VERSION}.bkout
install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0555 ${PREFIX}/var/lib/shorewall-${VERSION}.bkout
echo "shorewall control program installed in ${PREFIX}/sbin/shorewall"
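Review bot: widening /sbin/shorewall from 0544 to 0555 lets group and other execute the control program; this matches `%attr(0555,root,root) /sbin/shorewall` in the spec file in this commit, but the commit message (`Add Shorewall Lite`) does not mention the change, so a one-line rationale belongs there (for example, that non-root users are expected to run the status-style commands). The configuration files in the spec stay 0600 root, so this change does not by itself let an unprivileged user read the rule set.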
@ -527,7 +527,7 @@ echo "RFC 1918 file installed as ${PREFIX}/usr/share/shorewall/rfc1918"
#
# Install the default config path file
#
install_file configpath ${PREFIX}/usr/share/shorewall/configpath 0600
install_file configpath ${PREFIX}/usr/share/shorewall/configpath 0644
echo "Default config path file installed as ${PREFIX}/usr/share/shorewall/configpath"
#
# Install the init file
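Review bot: changing /usr/share/shorewall/configpath from 0600 to 0644 makes it world-readable, consistent with `%attr(0644,root,root) /usr/share/shorewall/configpath` in the spec; that is acceptable only if the file lists search directories and never carries credentials or host-specific rule data, which nothing in the hunk or the commit message confirms, so please state that in the commit message.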


@ -307,7 +307,7 @@
column must exist at the time that Shorewall is started, restarted
or refreshed. Beginning with Shorewall 3.0.8 and 3.2.0 Beta 8,
Shorewall will determine if the device exists and will only
configure the device if it exists. If it doesn't exist, the
configure the device if it does exist. If it doesn't exist, the
following warning is issued:</para>
<para><emphasis role="bold">WARNING: Device &lt;device name&gt; not
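Review bot: `will determine if the device exists and will only configure the device if it does exist` says the same thing twice, and the inserted `does` only adds emphasis to the repetition; `Shorewall will configure the device only if it exists` reads cleaner, and the sentence that follows (`If it doesn't exist, the following warning is issued:`) already supplies the contrast.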


@ -42,7 +42,7 @@
#
# XSL Stylesheet to use for XML->HTML conversion
#
STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/current/xhtml/docbook.xsl
STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl
#
# Directory where the build log will be placed. The log has the name
# shorewall_build_<version>.log
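Review bot: the new STYLESHEET value drops the `current` path component, so it is now tied to one specific DocBook XSL install layout; since this is a build-configuration variable, add a check before the stylesheet is first used, e.g. `[ -f "$STYLESHEET" ] || { echo "Stylesheet $STYLESHEET not found"; exit 1; }`, so a missing stylesheet fails the build early instead of producing broken HTML. The path change is also unrelated to `Add Shorewall Lite` and would be easier to track as its own commit.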
@ -196,7 +196,7 @@ esac
VERSION=$1
LOGFILE=$LOGDIR/shorewall_build_${VERSION}.log
# location and options for GnuPG
GPG="/usr/bin/gpg -ab --batch --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'"
GPG="/usr/bin/gpg -ab --no-use-agent --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'"
touch $LOGFILE
progress_message "Build of Shorewall $VERSION on $(date)"
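Review bot: replacing `--batch` with `--no-use-agent` turns the signing step from non-interactive into one that prompts for the passphrase at the terminal, so an unattended build will stall at the gpg call; if a terminal prompt is the intent, say so next to `# location and options for GnuPG`. Separately, the `--comment '...'` text is stored inside the GPG string with literal single quotes; that only works if GPG is later invoked through `eval`, because a plain `$GPG` expansion word-splits the comment and leaves the quote characters in the arguments.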