From ae9d76b881b18bee89038012075c5d268172169d Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 3 Jun 2006 15:16:21 +0000
Subject: [PATCH] Add Shorewall Lite

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3971 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
Shorewall-lite/COPYING | 340 +++++
Shorewall-lite/INSTALL | 48 +
Shorewall-lite/README.txt | 1 +
Shorewall-lite/changelog.txt | 3 +
Shorewall-lite/fallback.sh | 103 ++
Shorewall-lite/functions | 2202 ++++++++++++++++++++++++++++++
Shorewall-lite/help | 414 ++++++
Shorewall-lite/init.archlinux.sh | 58 +
Shorewall-lite/init.debian.sh | 130 ++
Shorewall-lite/init.sh | 89 ++
Shorewall-lite/install.sh | 645 +++++++++
Shorewall-lite/releasenotes.txt | 52 +
Shorewall-lite/shorecap | 348 +++++
Shorewall-lite/shorewall | 1648 ++++++++++++++++++++++
Shorewall-lite/shorewall.conf | 148 ++
Shorewall-lite/shorewall.spec | 313 +++++
Shorewall-lite/uninstall.sh | 112 ++
Shorewall/install.sh | 4 +-
docs/traffic_shaping.xml | 2 +-
tools/build/makeshorewall | 4 +-
20 files changed, 6659 insertions(+), 5 deletions(-)
create mode 100644 Shorewall-lite/COPYING
create mode 100644 Shorewall-lite/INSTALL
create mode 100644 Shorewall-lite/README.txt
create mode 100644 Shorewall-lite/changelog.txt
create mode 100755 Shorewall-lite/fallback.sh
create mode 100644 Shorewall-lite/functions
create mode 100755 Shorewall-lite/help
create mode 100755 Shorewall-lite/init.archlinux.sh
create mode 100755 Shorewall-lite/init.debian.sh
create mode 100755 Shorewall-lite/init.sh
create mode 100755 Shorewall-lite/install.sh
create mode 100644 Shorewall-lite/releasenotes.txt
create mode 100755 Shorewall-lite/shorecap
create mode 100755 Shorewall-lite/shorewall
create mode 100644 Shorewall-lite/shorewall.conf
create mode 100644 Shorewall-lite/shorewall.spec
create mode 100755 Shorewall-lite/uninstall.sh

diff --git a/Shorewall-lite/COPYING b/Shorewall-lite/COPYING
new file mode 100644
index 000000000..2ba72d57f
--- /dev/null
+++ b/Shorewall-lite/COPYING 
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) 19yy + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) 19yy name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. 
diff --git a/Shorewall-lite/INSTALL b/Shorewall-lite/INSTALL
new file mode 100644
index 000000000..9e257bc53
--- /dev/null
+++ b/Shorewall-lite/INSTALL
@@ -0,0 +1,48 @@
+Shoreline Firewall (Shorewall) Version 3.2
+----- ----
+
+-----------------------------------------------------------------------------
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of Version 2 of the GNU General Public License
+ as published by the Free Software Foundation.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+---------------------------------------------------------------------------
+If your system supports rpm, I recommend that you install the Shorewall
+.rpm. If you want to install from the tarball:
+
+o Unpack the tarball
+o cd to the shorewall- directory
+o If you have an earlier version of Shoreline Firewall installed,see the
+ upgrade instructions below
+o Edit the configuration files to fit your environment.
+
+ To do this, I strongly advise you to follow the instructions at:
+
+ http://www.shorewall.net/shorewall_quickstart_guide.htm
+
+o Type:
+
+ ./install.sh
+
+o Start the firewall by typing "shorewall start"
+o If the install script was unable to configure Shoreline Firewall to
+ start automatically at boot, you will have to used your
+ distribution's runlevel editor to configure Shorewall manually.
+
+Upgrade:
+
+o run the install script as described above.
+o "shorewall check" and correct any errors found.
+o "shorewall restart"
+
+
diff --git a/Shorewall-lite/README.txt b/Shorewall-lite/README.txt
new file mode 100644
index 000000000..582dd47d1
--- /dev/null
+++ b/Shorewall-lite/README.txt
@@ -0,0 +1 @@
+This is the Shorewall Development 3.2 branch of CVS.
diff --git a/Shorewall-lite/changelog.txt b/Shorewall-lite/changelog.txt
new file mode 100644
index 000000000..15b989a7a
--- /dev/null
+++ b/Shorewall-lite/changelog.txt
@@ -0,0 +1,3 @@
+Changes in 3.2.0 RC 1
+
+1) First Release.
diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh
new file mode 100755
index 000000000..ae0d01a02
--- /dev/null
+++ b/Shorewall-lite/fallback.sh
@@ -0,0 +1,103 @@
+#!/bin/sh
+#
+# Script to back out the installation of Shorewall Lite and to restore the previous version of
+# the program
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#
+# Shorewall documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+#
+# Usage:
+#
+# You may only use this script to back out the installation of the version
+# shown below. Simply run this script to revert to your prior version of
+# Shoreline Firewall.
+
+VERSION=3.2.0-RC1
+
+usage() # $1 = exit status
+{
+ echo "usage: $(basename $0)"
+ exit $1
+}
+
+restore_directory() # $1 = directory to restore
+{
+ if [ -d ${1}-${VERSION}.bkout ]; then
+ if mv -f $1 ${1}-${VERSION} && mv ${1}-${VERSION}.bkout $1; then
+ echo
+ echo "$1 restored"
+ rm -rf ${1}-${VERSION}
+ else
+ echo "ERROR: Could not restore $1"
+ exit 1
+ fi
+ fi
+}
+
+restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
+{
+ if [ -n "$2" ]; then
+ local file=$(basename $1)
+
+ if [ -f $2/$file ]; then
+ if mv -f $2/$file $1 ; then
+ echo
+ echo "$1 restored"
+ return
+ fi
+
+ echo "ERROR: Could not restore $1"
+ exit 1
+ fi
+ fi
+
+ if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
+ if (mv -f ${1}-${VERSION}.bkout $1); then
+ echo
+ echo "$1 restored"
+ else
+ echo "ERROR: Could not restore $1"
+ exit 1
+ fi
+ fi
+}
+
+if [ ! -f /usr/share/shorewall-${VERSION}.bkout/version ]; then
+ echo "Shorewall Version $VERSION is not installed"
+ exit 1
+fi
+
+echo "Backing Out Installation of Shorewall $VERSION"
+
+if [ -L /usr/share/shorewall/init ]; then
+ FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
+ restore_file $FIREWALL /usr/share/shorewall-${VERSION}.bkout
+else
+ restore_file /etc/init.d/shorewall /usr/share/shorewall-${VERSION}.bkout
+fi
+
+restore_file /sbin/shorewall /var/lib/shorewall-${VERSION}.bkout
+
+restore_directory /etc/shorewall
+restore_directory /usr/share/shorewall
+restore_directory /var/lib/shorewall
+
+echo "Shorewall Lite Restored to Version $(cat /usr/share/shorewall/version)"
+
+
diff --git a/Shorewall-lite/functions b/Shorewall-lite/functions
new file mode 100644
index 000000000..e8afb45c1
--- /dev/null
+++ b/Shorewall-lite/functions
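Review bot: restore_directory can leave `$1` missing entirely: when `mv -f $1 ${1}-${VERSION}` succeeds but the second `mv` fails, the else branch only prints an error and exits, so a partial failure on /etc/shorewall or /usr/share/shorewall removes the live tree instead of restoring either version; adding `[ -d "${1}-${VERSION}" ] && mv -f "${1}-${VERSION}" "$1"` at the top of the else branch makes the failure path put the current version back. The init-script path is recovered by parsing `ls -l` output with `sed 's/^.*> //'`, which breaks on any link target containing `> ` and is then passed to restore_file unquoted; `FIREWALL=$(readlink /usr/share/shorewall/init)` resolves the link directly. Separately, the header comment and final message say Shorewall Lite, but every path restored (/etc/shorewall, /usr/share/shorewall, /var/lib/shorewall, /sbin/shorewall, /etc/init.d/shorewall) and the "Shorewall Version $VERSION is not installed" check refer to plain Shorewall; if Lite installs under its own directories, as the separate package in this commit suggests, this script would revert the wrong product on a host that has both, and should be pointed at the Lite locations. None of the expansions in restore_file and restore_directory are quoted, which is worth fixing in a script that runs `rm -rf` on derived paths.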
@@ -0,0 +1,2202 @@
+#!/bin/sh
+#
+# Shorewall 3.2 -- /usr/share/shorewall/functions
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 1999,2000,2001,2002,2003,2004,2005,2006 - Tom Eastep (teastep@shorewall.net)
+#
+# tcstart from tc4shorewall Version 0.5
+# (c) 2005 Arne Bernin
+# Modified by Tom Eastep for integration into the Shorewall distribution
+# published under GPL Version 2#
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+LIBVERSION=30191
+
+#
+# Message to stderr
+#
+error_message() # $* = Error Message
+{
+ echo " $@" >&2
+}
+
+# Function to truncate a string -- It uses 'cut -b -'
+# rather than ${v:first:last} because light-weight shells like ash and
+# dash do not support that form of expansion.
+# + +truncate() # $1 = length +{ + cut -b -${1} +} + +# +# Split a colon-separated list into a space-separated list +# +split() { + local ifs=$IFS + IFS=: + set -- $1 + echo $* + IFS=$ifs +} + +# +# Search a list looking for a match -- returns zero if a match found +# 1 otherwise +# +list_search() # $1 = element to search for , $2-$n = list +{ + local e=$1 + + while [ $# -gt 1 ]; do + shift + [ "x$e" = "x$1" ] && return 0 + done + + return 1 +} + +# +# Return a space separated list of values matching +# +list_walk() # $1 = element to search for, $2-$n = list +{ + local e=$1 result= + + while [ $# -gt 1 ]; do + shift + case $1 in + $e*) + result="$result ${1##$e}" + ;; + esac + done + echo $result +} + +# +# Functions to count list elements +# - - - - - - - - - - - - - - - - +# Whitespace-separated list +# +list_count1() { + echo $# +} +# +# Comma-separated list +# +list_count() { + list_count1 $(separate_list $1) +} + +# +# Conditionally produce message +# +progress_message() # $* = Message +{ + local timestamp= + + if [ $VERBOSE -gt 1 ]; then + [ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) " + echo "${timestamp}$@" + fi +} + +progress_message2() # $* = Message +{ + local timestamp= + + if [ $VERBOSE -gt 0 ]; then + [ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) " + echo "${timestamp}$@" + fi +} + +progress_message3() # $* = Message +{ + local timestamp= + + if [ $VERBOSE -ge 0 ]; then + [ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) " + echo "${timestamp}$@" + fi +} + +# +# Suppress all output for a command +# +qt() +{ + "$@" >/dev/null 2>&1 +} + +# +# Determine if Shorewall is "running" +# +shorewall_is_started() { + qt $IPTABLES -L shorewall -n +} + +# +# Perform variable substitution on the passed argument and echo the result +# +expand() # $@ = contents of variable which may be the name of another variable +{ + eval echo \"$@\" +} + +# +# Perform variable substitition on the values of the passed list of variables +# +expandv() # $* = list of 
variable names +{ + local varval + + while [ $# -gt 0 ]; do + eval varval=\$${1} + eval $1=\"$varval\" + shift + done +} + +# +# Add whitespace after "!" +# +fix_bang() +{ + local result= + + while [ $# -gt 0 ]; do + case $1 in + !*) + result="$result ! ${1#!}" + ;; + *) + result="$result $1" + ;; + esac + shift + done + + echo $result +} + +# +# Echos the fully-qualified name of the calling shell program +# +my_pathname() { + cd $(dirname $0) + echo $PWD/$(basename $0) +} + +# +# Set default config path +# +ensure_config_path() { + local F=/usr/share/shorewall/configpath + if [ -z "$CONFIG_PATH" ]; then + [ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; } + . $F + fi +} + +# +# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall +# +find_file() +{ + local saveifs= directory + + case $1 in + /*) + echo $1 + ;; + *) + if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then + echo $SHOREWALL_DIR/$1 + else + saveifs=$IFS + IFS=: + for directory in $CONFIG_PATH; do + if [ -f $directory/$1 ]; then + echo $directory/$1 + IFS=$saveifs + return + fi + done + + IFS=$saveifs + + echo /etc/shorewall/$1 + fi + ;; + esac +} + +# +# Get fully-qualified name of file +# +resolve_file() # $1 = file name +{ + local pwd=$PWD + + case $1 in + /*) + echo $1 + ;; + ./*) + echo ${pwd}${1#.} + ;; + ../*) + cd .. + echo ${PWD}${1#..} + cd $pwd + ;; + *) + echo $pwd/$1 + ;; + esac +} + +## +# Source a user exit file if it exists +# +run_user_exit() # $1 = file name +{ + local user_exit=$(find_file $1) + + if [ -f $user_exit ]; then + progress_message "Processing $user_exit ..." + . $user_exit + fi +} + +# +# Replace commas with spaces and echo the result +# +separate_list() { + local list="$@" + local part + local newlist + local firstpart + local lastpart + local enclosure + + case "$list" in + *,|,*|*,,*|*[[:space:]]*) + # + # There's been whining about us not catching embedded white space in + # comma-separated lists. 
This is an attempt to snag some of the cases. + # + # The 'TERMINATOR' function will be set by the 'firewall' script to + # either 'startup_error' or 'fatal_error' depending on the command and + # command phase + # + [ -n "$TERMINATOR" ] && \ + $TERMINATOR "Invalid comma-separated list \"$@\"" + echo "WARNING -- invalid comma-separated list \"$@\"" >&2 + ;; + *\[*\]*) + # + # Where we need to embed comma-separated lists within lists, we enclose them + # within square brackets (extra 'evals' are to keep my text editor (kate) from getting lost). + # + eval 'firstpart=${list%%\[*}' + eval 'lastpart=${list#*\[}' + eval 'enclosure=${lastpart%%\]*}' + eval 'lastpart=${lastpart#*\]}' + case $lastpart in + \,*) + case $firstpart in + *\,) + echo "$(separate_list ${firstpart%,}) [$enclosure] $(separate_list ${lastpart#,})" + ;; + *) + echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})" + ;; + esac + ;; + *) + case $firstpart in + *\,) + echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)" + ;; + *) + echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)" + ;; + esac + ;; + esac + return + ;; + esac + + list="$@" + part="${list%%,*}" + newlist="$part" + + while [ "x$part" != "x$list" ]; do + list="${list#*,}"; + part="${list%%,*}"; + newlist="$newlist $part"; + done + + echo "$newlist" +} + +# +# Load a Kernel Module +# +loadmodule() # $1 = module name, $2 - * arguments +{ + local modulename=$1 + local modulefile + local suffix + moduleloader=modprobe + + if ! qt mywhich modprobe; then + moduleloader=insmod + fi + + if ! 
list_search $modulename $MODULES ; then + shift + + for suffix in $MODULE_SUFFIX ; do + modulefile=$MODULESDIR/${modulename}.${suffix} + + if [ -f $modulefile ]; then + case $moduleloader in + insmod) + insmod $modulefile $* + ;; + *) + modprobe $modulename $* + ;; + esac + + MODULES=$(lsmod | cut -d ' ' -f1) + break + fi + done + fi +} + +# +# Reload the Modules +# +reload_kernel_modules() { + + [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter + MODULES=$(lsmod | cut -d ' ' -f1) + + while read command; do + eval $command + done + +} + +# +# Load kernel modules required for Shorewall +# +load_kernel_modules() +{ + save_modules_dir=$MODULESDIR + + [ -z "$MODULESDIR" ] && \ + MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter + + modules=$(find_file modules) + + if [ -f $modules -a -d $MODULESDIR ]; then + MODULES=$(lsmod | cut -d ' ' -f1) + progress_message "Loading Modules..." + . $modules + fi + + MODULESDIR=$save_modules_dir +} + +# +# Call this function to assert MUTEX with Shorewall. If you invoke the +# /sbin/shorewall program while holding MUTEX, you should pass "nolock" as +# the first argument. Example "shorewall nolock refresh" +# +# This function uses the lockfile utility from procmail if it exists. +# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the +# behavior of lockfile. 
+# +mutex_on() +{ + local try=0 + local lockf=/var/lib/shorewall/lock + + MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60} + + if [ $MUTEX_TIMEOUT -gt 0 ]; then + + [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall + + if qt mywhich lockfile; then + lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} + else + while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do + sleep 1 + try=$((${try} + 1)) + done + + if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then + # Create the lockfile + echo $$ > ${lockf} + else + echo "Giving up on lock file ${lockf}" >&2 + fi + fi + fi +} + +# +# Call this function to release MUTEX +# +mutex_off() +{ + rm -f /var/lib/shorewall/lock +} + +# +# Determine which version of mktemp is present (if any) and set MKTEMP accortingly: +# +# None - No mktemp +# BSD - BSD mktemp (Mandrake) +# STD - mktemp.org mktemp +# +find_mktemp() { + local mktemp=`mywhich mktemp 2> /dev/null` + + if [ -n "$mktemp" ]; then + if qt mktemp -V ; then + MKTEMP=STD + else + MKTEMP=BSD + fi + else + MKTEMP=None + fi +} + +# +# create a temporary file. If a directory name is passed, the file will be created in +# that directory. Otherwise, it will be created in a temporary directory. 
+# +mktempfile() { + + [ -z "$MKTEMP" ] && find_mktemp + + if [ $# -gt 0 ]; then + case "$MKTEMP" in + BSD) + mktemp $1/shorewall.XXXXXX + ;; + STD) + mktemp -p $1 shorewall.XXXXXX + ;; + None) + > $1/shorewall-$$ && echo $1/shorewall-$$ + ;; + *) + error_message "ERROR:Internal error in mktempfile" + ;; + esac + else + case "$MKTEMP" in + BSD) + mktemp /tmp/shorewall.XXXXXX + ;; + STD) + mktemp -t shorewall.XXXXXX + ;; + None) + rm -f /tmp/shorewall-$$ + > /tmp/shorewall-$$ && echo /tmp/shorewall-$$ + ;; + *) + error_message "ERROR:Internal error in mktempfile" + ;; + esac + fi +} + +# +# create a temporary directory +# +mktempdir() { + + [ -z "$MKTEMP" ] && find_mktemp + + case "$MKTEMP" in + STD) + mktemp -td shorewall.XXXXXX + ;; + None|BSD) + # + # Not all versions of the BSD mktemp support the -d option under Linux + # + qt rm -rf /tmp/shorewall-$$ + mkdir -p /tmp/shorewall-$$ chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$ + ;; + *) + error_message "ERROR:Internal error in mktempdir" + ;; + esac +} + +# +# Read a file and handle "INCLUDE" directives +# + +read_file() # $1 = file name, $2 = nest count +{ + local first rest + + if [ -f $1 ]; then + while read first rest; do + if [ "x$first" = "xINCLUDE" ]; then + if [ $2 -lt 4 ]; then + read_file $(find_file $(expand ${rest%#*})) $(($2 + 1)) + else + error_message "WARNING: INCLUDE in $1 ignored (nested too deeply)" + fi + else + echo "$first $rest" + fi + done < $1 + else + [ -n "$TERMINATOR" ] && $TERMINATOR "No such file: $1" + echo "WARNING -- No such file: $1" + fi +} + +# +# Function for including one file into another +# +INCLUDE() { + . 
$(find_file $(expand $@)) +} + +# +# Strip comments and blank lines from a file and place the result in the +# temporary directory +# +strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional) +{ + local fname + + [ $# = 1 ] && fname=$(find_file $1) || fname=$2 + + if [ -f $fname ]; then + read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1 + else + > $TMP_DIR/$1 + fi +} + +# +# Note: The following set of IP address manipulation functions have anomalous +# behavior when the shell only supports 32-bit signed arithmatic and +# the IP address is 128.0.0.0 or 128.0.0.1. +# + +LEFTSHIFT='<<' + + +# +# Convert an IP address in dot quad format to an integer +# +decodeaddr() { + local x + local temp=0 + local ifs=$IFS + + IFS=. + + for x in $1; do + temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x )) + done + + echo $temp + + IFS=$ifs +} + +# +# convert an integer to dot quad format +# +encodeaddr() { + addr=$1 + local x + local y=$(($addr & 255)) + + for x in 1 2 3 ; do + addr=$(($addr >> 8)) + y=$(($addr & 255)).$y + done + + echo $y +} + +# +# Enumerate the members of an IP range -- When using a shell supporting only +# 32-bit signed arithmetic, the range cannot span 128.0.0.0. +# +# Comes in two flavors: +# +# ip_range() - produces a mimimal list of network/host addresses that spans +# the range. +# +# ip_range_explicit() - explicitly enumerates the range. 
+# +ip_range() { + local first last l x y z vlsm + + case $1 in + !*) + # + # Let iptables complain if it's a range + # + echo $1 + return + ;; + [0-9]*.*.*.*-*.*.*.*) + ;; + *) + echo $1 + return + ;; + esac + + first=$(decodeaddr ${1%-*}) + last=$(decodeaddr ${1#*-}) + + if [ $first -gt $last ]; then + fatal_error "Invalid IP address range: $1" + fi + + l=$(( $last + 1 )) + + while [ $first -le $last ]; do + vlsm= + x=31 + y=2 + z=1 + + while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do + vlsm=/$x + x=$(( $x - 1 )) + z=$y + y=$(( $y * 2 )) + done + + echo $(encodeaddr $first)$vlsm + first=$(($first + $z)) + done +} + +ip_range_explicit() { + local first last + + case $1 in + [0-9]*.*.*.*-*.*.*.*) + ;; + *) + echo $1 + return + ;; + esac + + first=$(decodeaddr ${1%-*}) + last=$(decodeaddr ${1#*-}) + + if [ $first -gt $last ]; then + fatal_error "Invalid IP address range: $1" + fi + + while [ $first -le $last ]; do + echo $(encodeaddr $first) + first=$(($first + 1)) + done +} + +# +# Netmask from CIDR +# +ip_netmask() { + local vlsm=${1#*/} + + [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) )) +} + +# +# Network address from CIDR +# +ip_network() { + local decodedaddr=$(decodeaddr ${1%/*}) + local netmask=$(ip_netmask $1) + + echo $(encodeaddr $(($decodedaddr & $netmask))) +} + +# +# The following hack is supplied to compensate for the fact that many of +# the popular light-weight Bourne shell derivatives don't support XOR ("^"). 
+# + +ip_broadcast() { + local x=$(( 32 - ${1#*/} )) + + [ $x -eq 0 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 )) +} + +# +# Calculate broadcast address from CIDR +# +broadcastaddress() { + local decodedaddr=$(decodeaddr ${1%/*}) + local netmask=$(ip_netmask $1) + local broadcast=$(ip_broadcast $1) + + echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast ))) +} + +# +# Test for network membership +# +in_network() # $1 = IP address, $2 = CIDR network +{ + local netmask=$(ip_netmask $2) + + test $(( $(decodeaddr $1) & $netmask)) -eq $(( $(decodeaddr ${2%/*}) & $netmask )) +} + +# +# Netmask to VLSM +# +ip_vlsm() { + local mask=$(decodeaddr $1) + local vlsm=0 + local x=$(( 128 << 24 )) # 0x80000000 + + while [ $(( $x & $mask )) -ne 0 ]; do + [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly. + vlsm=$(($vlsm + 1)) + done + + if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff + echo "Invalid net mask: $1" >&2 + else + echo $vlsm + fi +} + + +# +# Chain name base for an interface -- replace all periods with underscores in the passed name. +# The result is echoed (less trailing "+"). +# +chain_base() #$1 = interface +{ + local c=${1%%+} + + while true; do + case $c in + *.*) + c="${c%.*}_${c##*.}" + ;; + *-*) + c="${c%-*}_${c##*-}" + ;; + *%*) + c="${c%\%*}_${c##*%}" + ;; + *) + echo ${c:=common} + return + ;; + esac + done +} + +# +# Loosly Match the name of an interface +# + +if_match() # $1 = Name in interfaces file - may end in "+" + # $2 = Full interface name - may also end in "+" +{ + local pattern=${1%+} + + case $1 in + *+) + test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}" + ;; + *) + test "x$1" = "x$2" + ;; + esac +} + +# +# Source IP range +# +source_ip_range() # $1 = Address or Address Range +{ + [ $# -gt 0 ] && case $1 in + *.*.*.*-*.*.*.*) + case $1 in + !*) + iprange_echo "! 
--src-range ${1#!}" + ;; + *) + iprange_echo "--src-range $1" + ;; + esac + ;; + !+*) + echo "-m set ! $(get_set_flags ${1#!} src)" + ;; + +*) + echo "-m set $(get_set_flags $1 src)" + ;; + *) + echo "-s $1" + ;; + esac +} + +# +# Destination IP range +# +dest_ip_range() # $1 = Address or Address Range +{ + [ $# -gt 0 ] && case $1 in + *.*.*.*-*.*.*.*) + case $1 in + !*) + iprange_echo "! --dst-range ${1#!}" + ;; + *) + iprange_echo "--dst-range $1" + ;; + esac + ;; + !+*) + echo "-m set ! $(get_set_flags ${1#!} dst)" + ;; + +*) + echo "-m set $(get_set_flags $1 dst)" + ;; + *) + echo "-d $1" + ;; + esac +} + +both_ip_ranges() # $1 = Source address or range, $2 = dest address or range +{ + local rangeprefix= setprefix= rangematch= setmatch= + + case $1 in + *.*.*.*-*.*.*.*) + rangeprefix="-m iprange" + rangematch="--src-range $1" + ;; + !+*) + setprefix="-m set" + setmatch="! $(get_set_flags ${1#!} src)" + ;; + +*) + setprefix="-m set" + setmatch="$(get_set_flags $1 src)" + ;; + *) + rangematch="-s $1" + ;; + esac + + case $2 in + *.*.*.*-*.*.*.*) + rangeprefix="-m iprange" + rangematch="$rangematch --dst-range $2" + ;; + !+*) + setprefix="-m set" + match="$setmatch ! 
$(get_set_flags ${2#!} dst)" + ;; + +*) + setprefix="-m set" + setmatch="$setmatch $(get_set_flags $2 dst)" + ;; + *) + rangematch="$rangematch -d $2" + ;; + esac + + echo "$rangeprefix $rangematch $setprefix $setmatch" +} + +# +# Find the value 'dev' in the passed arguments then echo the next value +# + +find_device() { + while [ $# -gt 1 ]; do + [ "x$1" = xdev ] && echo $2 && return + shift + done +} + +# +# Find the value 'via' in the passed arguments then echo the next value +# + +find_gateway() { + while [ $# -gt 1 ]; do + [ "x$1" = xvia ] && echo $2 && return + shift + done +} + +# +# Find the value 'mtu' in the passed arguments then echo the next value +# + +find_mtu() { + while [ $# -gt 1 ]; do + [ "x$1" = xmtu ] && echo $2 && return + shift + done +} + +# +# Find the value 'peer' in the passed arguments then echo the next value up to +# "/" +# + +find_peer() { + while [ $# -gt 1 ]; do + [ "x$1" = xpeer ] && echo ${2%/*} && return + shift + done +} + +# +# Find the interfaces that have a route to the passed address - the default +# route is not used. 
+# + +find_rt_interface() { + ip route ls | while read addr rest; do + case $addr in + */*) + in_network ${1%/*} $addr && echo $(find_device $rest) + ;; + default) + ;; + *) + if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then + echo $(find_device $rest) + fi + ;; + esac + done +} + +# +# Try to find the gateway through an interface looking for 'nexthop' + +find_nexthop() # $1 = interface +{ + echo $(find_gateway `ip route ls | grep "[[:space:]]nexthop.* $1"`) +} + +# +# Find the default route's interface +# +find_default_interface() { + ip route ls | while read first rest; do + [ "$first" = default ] && echo $(find_device $rest) && return + done +} + +# +# Echo the name of the interface(s) that will be used to send to the +# passed address +# + +find_interface_by_address() { + local dev="$(find_rt_interface $1)" + local first rest + + [ -z "$dev" ] && dev=$(find_default_interface) + + [ -n "$dev" ] && echo $dev +} + +# +# Find the interface with the passed MAC address +# + +find_interface_by_mac() { + local mac=$1 first second rest dev + + ip link ls | while read first second rest; do + case $first in + *:) + dev=$second + ;; + *) + if [ "$second" = $mac ]; then + echo ${dev%:} + return + fi + esac + done +} + +# +# Find interface address--returns the first IP address assigned to the passed +# device +# +find_first_interface_address() # $1 = interface +{ + # + # get the line of output containing the first IP address + # + addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) + # + # If there wasn't one, bail out now + # + [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1" + # + # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) + # along with everything else on the line + # + echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//' +} + +find_first_interface_address_if_any() # $1 = interface +{ + # + # get the line of output containing the first IP address + # + addr=$(ip -f inet addr show $1 2> /dev/null 
| grep 'inet .* global' | head -n1) + # + # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) + # along with everything else on the line + # + [ -n "$addr" ] && echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0 +} + +# +# Find interface addresses--returns the set of addresses assigned to the passed +# device +# +find_interface_addresses() # $1 = interface +{ + ip -f inet addr show $1 | grep inet\ | sed 's/inet //;s/\/.*//;s/ peer.*//' +} + +# +# echo the list of networks routed out of a given interface +# +get_routed_networks() # $1 = interface name +{ + local address + local rest + + ip route show dev $1 2> /dev/null | + while read address rest; do + if [ "x$address" = xdefault ]; then + error_message "WARNING: default route ignored on interface $1" + else + [ "$address" = "${address%/*}" ] && address="${address}/32" + echo $address + fi + done +} + +# +# Internal version of 'which' +# +mywhich() { + local dir + + for dir in $(split $PATH); do + if [ -x $dir/$1 ]; then + echo $dir/$1 + return 0 + fi + done + + return 2 +} + +# +# Set the Shorewall state +# +set_state () # $1 = state +{ + echo "$1 ($(date))" > /var/lib/shorewall/state +} + +# +# Determine which optional facilities are supported by iptables/netfilter +# +determine_capabilities() { + qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= + qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= + + CONNTRACK_MATCH= + MULTIPORT= + XMULTIPORT= + POLICY_MATCH= + PHYSDEV_MATCH= + IPRANGE_MATCH= + RECENT_MATCH= + OWNER_MATCH= + IPSET_MATCH= + CONNMARK= + XCONNMARK= + CONNMARK_MATCH= + XCONNMARK_MATCH= + RAW_TABLE= + IPP2P_MATCH= + LENGTH_MATCH= + CLASSIFY_TARGET= + ENHANCED_REJECT= + USEPKTTYPE= + KLUDGEFREE= + MARK= + XMARK= + MANGLE_FORWARD= + + qt $IPTABLES -N fooX1234 + qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes + qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && 
MULTIPORT=Yes + qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes + qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes + + if qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT; then + PHYSDEV_MATCH=Yes + qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth1 -m physdev --physdev-out eth1 -j ACCEPT && KLUDGEFREE=Yes + fi + + if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then + IPRANGE_MATCH=Yes + if [ -z "${KLUDGEFREE}${PHYSDEV_MATCH}" ]; then + qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes + fi + fi + + qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes + qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes + + if qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT; then + CONNMARK_MATCH=Yes + qt $IPTABLES -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes + fi + + qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes + qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes + qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes + + if [ -n "$MANGLE_ENABLED" ]; then + qt $IPTABLES -t mangle -N fooX1234 + + if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then + MARK=Yes + qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes + fi + + if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then + CONNMARK=Yes + qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes + fi + + qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes + qt $IPTABLES -t mangle -F fooX1234 + qt $IPTABLES -t mangle -X fooX1234 + qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes + fi + + 
qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes + + if qt mywhich ipset; then + qt ipset -X fooX1234 # Just in case something went wrong the last time + + if qt ipset -N fooX1234 iphash ; then + if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then + qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT + IPSET_MATCH=Yes + fi + qt ipset -X fooX1234 + fi + fi + + qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes + + qt $IPTABLES -F fooX1234 + qt $IPTABLES -X fooX1234 +} + +report_capability() # $1 = Capability Description , $2 Capability Setting (if any) +{ + local setting= + + [ "x$2" = "xYes" ] && setting="Available" || setting="Not available" + + echo " " $1: $setting +} + +report_capabilities() { + if [ $VERBOSE -gt 1 ]; then + echo "Shorewall has detected the following iptables/netfilter capabilities:" + report_capability "NAT" $NAT_ENABLED + report_capability "Packet Mangling" $MANGLE_ENABLED + report_capability "Multi-port Match" $MULTIPORT + [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT + report_capability "Connection Tracking Match" $CONNTRACK_MATCH + report_capability "Packet Type Match" $USEPKTTYPE + report_capability "Policy Match" $POLICY_MATCH + report_capability "Physdev Match" $PHYSDEV_MATCH + report_capability "Packet length Match" $LENGTH_MATCH + report_capability "IP range Match" $IPRANGE_MATCH + report_capability "Recent Match" $RECENT_MATCH + report_capability "Owner Match" $OWNER_MATCH + report_capability "Ipset Match" $IPSET_MATCH + report_capability "CONNMARK Target" $CONNMARK + [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK + report_capability "Connmark Match" $CONNMARK_MATCH + [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH + report_capability "Raw Table" $RAW_TABLE + report_capability "IPP2P Match" $IPP2P_MATCH + report_capability "CLASSIFY Target" $CLASSIFY_TARGET + 
report_capability "Extended REJECT" $ENHANCED_REJECT + report_capability "Repeat match" $KLUDGEFREE + report_capability "MARK Target" $MARK + [ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK + report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD + fi + + [ -n "$PKTTYPE" ] || USEPKTTYPE= + +} + + +# +# Delete IP address +# +del_ip_addr() # $1 = address, $2 = interface +{ + [ $(find_first_interface_address_if_any $2) = $1 ] || qt ip addr del $1 dev $2 +} + +# Add IP Aliases +# +add_ip_aliases() # $* = List of addresses +{ + local addresses external interface inet cidr rest val arping=$(mywhich arping) + + address_details() + { + # + # Folks feel uneasy if they don't see all of the same + # decoration on these IP addresses that they see when their + # distro's net config tool adds them. In an attempt to reduce + # the anxiety level, we have the following code which sets + # the VLSM and BRD from an existing address in the same networks + # + # Get all of the lines that contain inet addresses with broadcast + # + ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do + case $cidr in + */*) + if in_network $external $cidr; then + echo "/${cidr#*/} brd $(broadcastaddress $cidr)" + break + fi + ;; + esac + done + } + + do_one() + { + val=$(address_details) + + ip addr add ${external}${val} dev $interface $label + [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external + echo "$external $interface" >> $STATEDIR/nat + [ -n "$label" ] && label="with $label" + progress_message " IP Address $external added to interface $interface $label" + } + + progress_message "Adding IP Addresses..." 
+ + while [ $# -gt 0 ]; do + external=$1 + interface=$2 + label= + + if [ "$interface" != "${interface%:*}" ]; then + label="${interface#*:}" + interface="${interface%:*}" + label="label $interface:$label" + fi + + shift 2 + + list_search $external $(find_interface_addresses $interface) || do_one + done +} + +detect_gateway() # $1 = interface +{ + local interface=$1 + # + # First assume that this is some sort of point-to-point interface + # + gateway=$( find_peer $(ip addr ls $interface ) ) + # + # Maybe there's a default route through this gateway already + # + [ -n "$gateway" ] || gateway=$(find_gateway $(ip route ls dev $interface)) + # + # Last hope -- is there a load-balancing route through the interface? + # + [ -n "$gateway" ] || gateway=$(find_nexthop $interface) + # + # Be sure we found one + # + [ -n "$gateway" ] && echo $gateway +} + +# +# Disable IPV6 +# +disable_ipv6() { + local foo="$(ip -f inet6 addr ls 2> /dev/null)" + + if [ -n "$foo" ]; then + if qt mywhich ip6tables; then + ip6tables -P FORWARD DROP + ip6tables -P INPUT DROP + ip6tables -P OUTPUT DROP + ip6tables -F + ip6tables -X + ip6tables -A OUTPUT -o lo -j ACCEPT + ip6tables -A INPUT -i lo -j ACCEPT + else + error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables" + fi + fi +} + +# +# Add a logging rule. +# +log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... 
= predicates for the rule +{ + local level=$1 + local chain=$2 + local displayChain=$3 + local disposition=$4 + local rulenum= + local limit="${5:-$LOGLIMIT}" + local tag=${6:+$6 } + local command=${7:--A} + local prefix + local base=$(chain_base $displayChain) + + shift 7 + + if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then + displayChain=$tag + tag= + fi + + if [ -n "$LOGRULENUMBERS" ]; then + eval rulenum=\$${base}_logrules + + rulenum=${rulenum:-1} + + prefix="$(printf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}" + + rulenum=$(($rulenum + 1)) + eval ${base}_logrules=$rulenum + else + prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}" + fi + + if [ ${#prefix} -gt 29 ]; then + prefix="$(echo $prefix | truncate 29)" + error_message "WARNING: Log Prefix shortened to \"$prefix\"" + fi + + case $level in + ULOG) + run_iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" + ;; + *) + run_iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" + ;; + esac + + if [ $? -ne 0 ] ; then + [ -z "$STOPPING" ] && { stop_firewall; exit 2; } + fi +} + +log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule +{ + local level=$1 + local chain=$2 + local disposition=$3 + + shift 3 + + log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@ +} + +# +# Check that a mark value or mask is less that 256 or that it is less than 65536 and +# that it's lower 8 bits are zero. 
+# +verify_mark() # $1 = value to test +{ + verify_mark2() + { + case $1 in + 0*) + [ $(($1)) -lt 256 ] && return 0 + [ -n "$HIGH_ROUTE_MARKS" ] || return 1 + [ $(($1)) -gt 65535 ] && return 1 + return $(($1 & 0xFF)) + ;; + [1-9]*) + [ $1 -lt 256 ] && return 0 + [ -n "$HIGH_ROUTE_MARKS" ] || return 1 + [ $1 -gt 65535 ] && return 1 + return $(($1 & 0xFF)) + ;; + *) + return 2 + ;; + esac + } + + verify_mark2 $1 || fatal_error "Invalid Mark or Mask value: $1" +} + +# +# Detect a device's MTU +# +get_device_mtu() # $1 = device +{ + local output="$(ip link ls dev $1 2> /dev/null)" # quotes required for /bin/ash + + if [ -n "$output" ]; then + echo $(find_mtu $output) + else + echo 1500 + fi +} + +# +# Arne Bernin's 'tc4shorewall' +# +setup_traffic_shaping() +{ + local mtu r2q tc_all_devices device mark rate ceil prio options devfile=$(find_file tcdevices) classfile=$(find_file tcclasses) devnum=1 last_device= + r2q=10 + + rate_to_kbit() { + local rateunit rate + rate=$1 + rateunit=$( echo $rate | sed -e 's/[0-9]*//') + rate=$( echo $rate | sed -e 's/[a-z]*//g') + + case $rateunit in + kbit) + rate=$rate + ;; + mbit) + rate=$(expr $rate \* 1024) + ;; + mbps) + rate=$(expr $rate \* 8192) + ;; + kbps) + rate=$(expr $rate \* 8) + ;; + *) + rate=$(expr $rate / 128) + ;; + esac + echo $rate + } + + calculate_quantum() { + local rate=$(rate_to_kbit $1) + echo $(( $rate * ( 128 / $r2q ) )) + } + + # get given outbandwidth for device + get_outband_for_dev() { + local device inband outband + while read device inband outband; do + expandv device inband outband + tcdev="$device $inband $outband" + if [ "$1" = "$device" ] ; then + echo $outband + return + fi + done < $TMP_DIR/tcdevices + } + + check_tcclasses_options() { + while [ $# -gt 1 ]; do + shift + case $1 in + default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service) + ;; + tos=0x[0-9a-f][0-9a-f]|tos=0x[0-9a-f][0-9a-f]/0x[0-9a-f][0-9a-f]) + ;; + *) + echo $1 + 
return 1 + ;; + esac + done + return 0 + } + + get_defmark_for_dev() { + local searchdev searchmark device ceil prio options + searchdev=$1 + + while read device mark rate ceil prio options; do + expandv device mark rate ceil prio options + options=$(separate_list $options | tr '[A-Z]' '[a-z]') + tcdev="$device $mark $rate $ceil $prio $options" + if [ "$searchdev" = "$device" ] ; then + list_search "default" $options && echo $mark &&return 0 + fi + done < $TMP_DIR/tcclasses + + return 1 + } + + check_defmark_for_dev() { + get_defmark_for_dev $1 >/dev/null + } + + validate_tcdevices_file() { + progress_message2 "Validating $devfile..." + local device local device inband outband + while read device inband outband; do + expandv device inband outband + tcdev="$device $inband $outband" + check_defmark_for_dev $device || fatal_error "Option default is not defined for any class in tcclasses for interface $device" + case $interface in + *:*|+) + fatal_error "Invalid Interface Name: $interface" + ;; + esac + list_search $device $devices && fatal_error "Interface $device is defined more than once in tcdevices" + tc_all_devices="$tc_all_devices $device" + done < $TMP_DIR/tcdevices + } + + validate_tcclasses_file() { + progress_message2 "Validating $classfile..." + local classlist device mark rate ceil prio bandw wrongopt allopts opt + allopts="" + while read device mark rate ceil prio options; do + expandv device mark rate ceil prio options + tcdev="$device $mark $rate $ceil $prio $options" + ratew=$(get_outband_for_dev $device) + options=$(separate_list $options | tr '[A-Z]' '[a-z]') + for opt in $options; do + case $opt in + tos=0x??) 
+ opt="$opt/0xff" + ;; + esac + list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses" + allopts="$allopts $device-$opt" + done + wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file" + if [ -z "$ratew" ] ; then + fatal_error "device $device seems not to be configured in tcdevices" + fi + list_search "$device-$mark" $classlist && fatal_error "Mark $mark for interface $device defined more than once in tcclasses" + # + # Convert HEX/OCTAL mark representation to decimal + # + mark=$(($mark)) + verify_mark $mark + [ $mark -lt 256 ] || fatal_error "Invalid Mark Value" + classlist="$classlist $device-$mark" + done < $TMP_DIR/tcclasses + } + + add_root_tc() { + local defmark dev indent + + dev=$(chain_base $device) + + if [ $COMMAND = compile ]; then + save_command "if qt ip link ls dev $device; then" + indent="$INDENT" + INDENT="$INDENT " + save_command ${dev}_exists=Yes + save_command qt tc qdisc del dev $device root + save_command qt tc qdisc del dev $device ingress + elif ! 
qt ip link ls dev $device; then + error_message "WARNING: Device $device not found -- traffic-shaping configuration skipped" + return 1 + fi + + defmark=$(get_defmark_for_dev $device) + + run_tc qdisc add dev $device root handle $devnum: htb default 1$defmark + + if [ $COMMAND = compile ]; then + save_command "${dev}_mtu=\$(get_device_mtu $device)" + run_tc "class add dev $device parent $devnum: classid $devnum:1 htb rate $outband mtu \$${dev}_mtu" + else + run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $outband mtu $(get_device_mtu $device) + fi + + run_tc qdisc add dev $device handle ffff: ingress + run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband} burst 10k drop flowid :1 + eval ${dev}_devnum=$devnum + devnum=$(($devnum + 1)) + + if [ $COMMAND = compile ]; then + save_progress_message_short " TC Device $tcdev defined." + INDENT="$indent" + save_command else + INDENT="$INDENT " + save_command error_message "\"WARNING: Device $device not found -- traffic-shaping configuration skipped\"" + save_command "${dev}_exists=" + INDENT="$indent" + save_command "fi" + save_command + fi + + return 0 + } + + add_tc_class() { + local full classid tospair tosmask quantum indent + + dev=$(chain_base $device) + + if [ $COMMAND = compile ]; then + save_command "if [ -n \"\$${dev}_exists\" ] ; then" + indent="$INDENT" + INDENT="$INDENT " + else + qt ip link ls dev $device || return 1 + fi + + full=$(get_outband_for_dev $device) + full=$(rate_to_kbit $full) + + if [ -z "$prio" ] ; then + prio=1 + fi + + case $rate in + *full*) + rate=$(echo $rate | sed -e "s/full/$full/") + rate="$(($rate))kbit" + ;; + esac + + case $ceil in + *full*) + ceil=$(echo $ceil | sed -e "s/full/$full/") + ceil="$(($ceil))kbit" + ;; + esac + + eval devnum=\$${dev}_devnum + # + # Convert HEX/OCTAL mark representation to decimal + # + mark=$(($mark)) + + classid=$devnum:1$mark + + [ -n "$devnum" ] || fatal_error "Device 
$device not defined in $devfile" + + quantum=$(calculate_quantum $rate) + + if [ $COMMAND = compile ]; then + save_command "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" + run_tc "class add dev $device parent $devnum:1 classid $classid htb rate $rate ceil $ceil prio $prio mtu \$${dev}_mtu quantum \$quantum" + else + [ "$last_device" = $device ] || mtu=$(get_device_mtu $device) + [ $mtu -gt $quantum ] && quantum=$mtu + run_tc class add dev $device parent $devnum:1 classid $classid htb rate $rate ceil $ceil prio $prio mtu $mtu quantum $quantum + fi + + run_tc qdisc add dev $device parent $classid handle 1$mark: sfq perturb 10 + # add filters + if [ -n "$CLASSIFY_TARGET" ]; then + run_iptables -t mangle -A tcpost $(match_dest_dev $device) -m mark --mark $mark/0xFF -j CLASSIFY --set-class $classid + else + run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid + fi + #options + list_search "tcp-ack" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid + list_search "tos-minimize-delay" $options && options="$options tos=0x10/0x10" + list_search "tos-maximize-throughput" $options && options="$options tos=0x08/0x08" + list_search "tos-maximize-reliability" $options && options="$options tos=0x04/0x04" + list_search "tos-minimize-cost" $options && options="$options tos=0x02/0x02" + list_search "tos-normal-service" $options && options="$options tos=0x00/0x1e" + + for tospair in $(list_walk "tos=" $options) ; do + case $tospair in + */*) + tosmask=${tospair##*/} + ;; + *) + tosmask=0xff + ;; + esac + run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos ${tospair%%/*} $tosmask flowid $classid + done + + if [ $COMMAND = compile ]; then + save_progress_message_short " TC Class $tcdev defined." 
+ INDENT="$indent" + save_command fi + save_command + fi + + return 0 + } + + strip_file tcdevices $devfile + strip_file tcclasses $classfile + + validate_tcdevices_file + validate_tcclasses_file + + if [ -s $TMP_DIR/tcdevices ]; then + [ $COMMAND = compile ] && save_progress_message "Setting up Traffic Control..." + progress_message2 "$DOING $devfile..." + + while read device inband outband; do + expandv device inband outband + tcdev="$device $inband $outband" + add_root_tc && progress_message " TC Device $tcdev defined." + done < $TMP_DIR/tcdevices + fi + + if [ -s $TMP_DIR/tcclasses ]; then + progress_message2 "$DOING $classfile..." + + while read device mark rate ceil prio options; do + expandv device mark rate ceil prio options + tcdev="$device $mark $rate $ceil $prio $options" + options=$(separate_list $options | tr '[A-Z]' '[a-z]') + add_tc_class && progress_message " TC Class $tcdev defined." + last_device=$device + done < $TMP_DIR/tcclasses + fi +} + +# +# Process a TC Rule - $MARKING_CHAIN is assumed to contain the name of the +# default marking chain +# +process_tc_rule() +{ + local did_connmark= + + chain=$MARKING_CHAIN target="MARK --set-mark" marktest= + + verify_designator() { + [ "$chain" = tcout ] && \ + fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\"" + chain=$1 + mark="${mark%:*}" + } + + do_ipp2p() + { + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. 
Rule: \"$rule\"" + [ "x$port" = "x-" ] && port="ipp2p" + + case $proto in + *:*) + proto=${proto#*:} + ;; + *) + proto=tcp + ;; + esac + + r="${r}-p $proto -m ipp2p --${port} " + } + + verify_small_mark() + { + verify_mark $1 + [ $(($1)) -lt 256 ] || fatal_error "Mark Value ($1) too larg, rule \"$rule\"" + } + + do_connmark() + { + target="CONNMARK --set-mark" + mark=$mark/0xff + did_connmark=Yes + } + + validate_mark() + { + case $1 in + */*) + verify_mark ${1%/*} + verify_mark ${1#*/} + ;; + *) + verify_mark $1 + ;; + esac + } + + add_a_tc_rule() { + r= + + if [ "x$source" != "x-" ]; then + case $source in + $FW:*) + [ $chain = tcpost ] || chain=tcout + r="$(source_ip_range ${source#*:}) " + ;; + *:*) + interface=${source%:*} + verify_interface $interface || fatal_error "Unknown interface $interface in rule \"$rule\"" + r="$(match_source_dev $interface) $(source_ip_range ${source#*:}) " + ;; + *.*.*|+*|!+*) + r="$(source_ip_range $source) " + ;; + ~*) + r="$(mac_match $source) " + ;; + $FW) + [ $chain = tcpost ] || chain=tcout + ;; + *) + verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" + r="$(match_source_dev $source) " + ;; + esac + fi + + if [ "x${user:--}" != "x-" ]; then + + [ "$chain" != tcout ] && \ + fatal_error "Invalid use of a user/group: rule \"$rule\"" + + r="$r-m owner" + + case "$user" in + *+*) + r="$r --cmd-owner ${user#*+} " + user=${user%+*} + ;; + esac + + case "$user" in + *:*) + temp="${user%:*}" + [ -n "$temp" ] && r="$r --uid-owner $temp " + temp="${user#*:}" + [ -n "$temp" ] && r="$r --gid-owner $temp " + ;; + *) + [ -n "$user" ] && r="$r --uid-owner $user " + ;; + esac + fi + + + [ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval " + + if [ "x$dest" != "x-" ]; then + case $dest in + *:*) + [ "$chain" = tcpre ] && fatal_error "Destination interface is not allowed in the PREROUTING chain - rule \"$rule\"" + interface=${dest%:*} + verify_interface $interface || fatal_error "Unknown interface 
$interface in rule \"$rule\"" + r="$(match_dest_dev $interface) $(dest_ip_range ${dest#*:}) " + ;; + *.*.*|+*|!+*) + r="${r}$(dest_ip_range $dest) " + ;; + *) + [ "$chain" = tcpre ] && fatal_error "Destination interface is not allowed in the PREROUTING chain - rule \"$rule\"" + verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\"" + r="${r}$(match_dest_dev $dest) " + ;; + esac + fi + + if [ "x${length:=-}" != "x-" ]; then + [ -n "$LENGTH_MATCH" ] || fatal_error "Your kernel and/or iptables does not have length match support. Rule: \"$rule\"" + r="${r}-m length --length ${length} " + fi + + if [ "x${tos:=-}" != "x-" ]; then + r="${r}-m tos --tos ${tos} " + fi + + multiport= + + case $proto in + ipp2p|IPP2P|ipp2p:*|IPP2P:*) + do_ipp2p + ;; + icmp|ICMP|1) + r="${r}-p icmp " + [ "x$port" = "x-" ] || r="${r}--icmp-type $port" + ;; + *) + [ "x$proto" = "x-" ] && proto=all + [ "x$proto" = "x" ] && proto=all + [ "$proto" = "all" ] || r="${r}-p $proto " + [ "x$port" = "x-" ] || r="${r}--dport $port " + ;; + esac + + [ "x$sport" = "x-" ] || r="${r}--sport $sport " + + if [ -n "${excludesources}${excludedests}" ]; then + build_exclusion_chain chain1 mangle "$excludesources" "$excludedests" + + run_iptables2 -t mangle -A $chain $r -j $chain1 + + run_iptables -t mangle -A $chain1 -j $target $mark + else + run_iptables2 -t mangle -A $chain $r -j $target $mark + fi + + } + + if [ "$mark" != "${mark%:*}" ]; then + case "${mark#*:}" in + p|P) + verify_designator tcpre + ;; + cp|CP) + verify_designator tcpre + do_connmark + ;; + f|F) + verify_designator tcfor + ;; + cf|CF) + verify_designator tcfor + do_connmark + ;; + c|C) + mark=${mark%:*} + do_connmark + ;; + *) + chain=tcpost + target="CLASSIFY --set-class" + ;; + esac + + fi + + mask=0xffff + + case $mark in + SAVE) + [ -n "$did_connmark" ] && fatal_error "SAVE not valid with :C[FP]" + target="CONNMARK --save-mark --mask 0xFF" + mark= + ;; + SAVE/*) + [ -n "$did_connmark" ] && fatal_error "SAVE not 
valid with :C[FP]" + target="CONNMARK --save-mark --mask" + mark=${mark#*/} + verify_small_mark $mark + ;; + RESTORE) + [ -n "$did_connmark" ] && fatal_error "RESTORE not valid with :C[FP]" + target="CONNMARK --restore-mark --mask 0xFF" + mark= + ;; + RESTORE/*) + [ -n "$did_connmark" ] && fatal_error "RESTORE not valid with :C[FP]" + target="CONNMARK --restore-mark --mask" + mark=${mark#*/} + verify_small_mark $mark + ;; + CONTINUE) + [ -n "$did_connmark" ] && fatal_error "CONTINUE not valid with :C[FP]" + target=RETURN + mark= + ;; + *) + if [ "$chain" != tcpost ]; then + validate_mark $mark + if [ $((${mark%/*})) -gt 255 ]; then + case $chain in + tcpre|tcout) + target="MARK --or-mark" + ;; + *) + fatal_error "Invalid mark value ($mark) in rule \"$rule\"" + ;; + esac + elif [ $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then + fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes" + fi + fi + ;; + esac + + case $testval in + -) + ;; + !*:C) + marktest="connmark ! " + testval=${testval%:*} + testval=${testval#!} + ;; + *:C) + marktest="connmark " + testval=${testval%:*} + ;; + !*) + marktest="mark ! 
" + testval=${testval#!} + ;; + *) + [ -n "$testval" ] && marktest="mark " + ;; + esac + + if [ -n "$marktest" ] ; then + case $testval in + */*) + verify_mark ${testval%/*} + verify_mark ${testval#*/} + ;; + *) + verify_mark $testval + testval=$testval/$mask + ;; + esac + fi + + excludesources= + + case ${sources:=-} in + *!*!*) + fatal_error "Invalid SOURCE in rule \"$rule\"" + ;; + !*) + if [ $(list_count $sourcess) -gt 1 ]; then + excludesources=${sources#!} + sources=- + fi + ;; + *!*) + excludesources=${sources#*!} + sources=${sources%!*} + ;; + esac + + excludedests= + + case ${dests:=-} in + *!*!*) + fatal_error "Invalid DEST in rule \"$rule\"" + ;; + !*) + if [ $(list_count $dests) -gt 1 ]; then + excludedests=${dests#*!} + dests=- + fi + ;; + *!*) + excludedests=${dests#*!} + dests=${dests%!*} + ;; + esac + + for source in $(separate_list $sources); do + for dest in $(separate_list $dests); do + for port in $(separate_list ${ports:=-}); do + for sport in $(separate_list ${sports:=-}); do + add_a_tc_rule + done + done + done + done + + progress_message " TC Rule \"$rule\" $DONE" + [ $COMMAND = compile ] && save_progress_message " TC Rule \"$rule\" Added" +} + +delete_tc1() +{ + clear_one_tc() { + tc qdisc del dev $1 root 2> /dev/null + tc qdisc del dev $1 ingress 2> /dev/null + + } + + run_user_exit tcclear + + run_ip link list | \ + while read inx interface details; do + case $inx in + [0-9]*) + clear_one_tc ${interface%:} + ;; + *) + ;; + esac + done +} + +SHOREWALL_LIBRARY=Loaded diff --git a/Shorewall-lite/help b/Shorewall-lite/help new file mode 100755 index 000000000..541aeb515 --- /dev/null +++ b/Shorewall-lite/help 
@@ -0,0 +1,414 @@ +#!/bin/sh +# +# Shorewall help subsystem - V3.2 +# +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 2003-2006 - Tom Eastep (teastep@shorewall.net) +# Steve Herber (herber@thing.com) +# +# This file should be placed in /usr/share/shorewall/help +# +# Shorewall documentation is available at http://shorewall.sourceforge.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA +################################################################################## + +case $1 in + +add) + echo "add: add [:] ... + Adds a list of hosts or subnets to a dynamic zone usually used with VPN's. + + shorewall add interface:host-list ... zone - Adds the specified interface + (and host-list if included) to the specified zone. + + A host-list is a comma-separated list whose elements are: + + A host or network address + The name of a bridge port + The name of a bridge port followed by a colon (":") and a host or + network address. + + Example: + + shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 + from interface ipsec0 to the zone vpn1. + + See also \"help host\"" + ;; + +address|host) + echo "<$1>: + May be either a host IP address such as 192.168.1.4 or a network address in + CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange + match support then IP address ranges of the form - + are also permitted. 
If your kernel and iptables contain ipset match support + then you may specify the name of an ipset prefaced by "+". The name of the + ipsec may be optionally followed by a number of levels of ipset bindings + (1 - 6) that are to be followed" + ;; + +allow) + echo "allow: allow
... + Re-enables receipt of packets from hosts previously blacklisted + by a drop or reject command. + + Shorewall allow, drop, rejct and save implement dynamic blacklisting. + + See also \"help address\"" + ;; + +check) + echo "check: check [ -e ] [ ] + Performs a cursory validation of the zones, interfaces, hosts, + rules, policy, masq, blacklist, proxyarp, nat and provider files. Use this + if you are unsure of any edits you have made to the shorewall configuration. + See the try command examples for a recommended way to make changes. + + The \"-e\" option causes Shorewall to use the /etc/shorewall/capabilities + file to determine the capabilities of the target system rather than probing + for them on the local system." + ;; + +clear) + echo "clear: clear + Clear will remove all rules and chains installed by Shoreline. + The firewall is then wide open and unprotected. Existing + connections are untouched. Clear is often used to see if the + firewall is causing connection problems." + ;; + +compile) + echo "compile: compile [ -e ] [ -d ] [ ] + Compiles the current configuration into the executable file + . If names a file in /var/lib/shorewall then + the file may be executed using the \"restore\" command. + + When -e is specified, the compilation is being performed on a system + other than where the compiled script will run. This option disables + certain configuration options that require the script to be compiled + where it is to be run. + + When -d is given, the script is built for execution + on the distribution specified by . Currently supported + distributions are: + + suse + redhat (which is also appropriate for Fedora Core and CentOS). + + Usually specified together with -e. + + Example: + + shorewall compile -ed redhat foo + + Additional distributions are expected to be supported shortly." 
+ ;; + +debug) + echo "debug: debug + If you include the keyword debug as the first argument to any + of these commands: + + start|stop|restart|reset|clear|refresh|check|add|delete + + then a shell trace of the command is produced. For example: + + shorewall debug start 2> /tmp/trace + + The above command would trace the 'start' command and + place the trace information in the file /tmp/trace. + + The word 'trace' is a synonym for 'debug'." + ;; + +delete) + echo "delete: delete [:] ... + Deletes a list of hosts or networks from a dynamic zone usually used with VPN's. + + shorewall delete interface[:host-list] ... zone - Deletes the specified + interfaces (and host list if included) from the specified zone. + + A host-list is a comma-separated list whose elements are: + + A host or network address + The name of a bridge port + The name of a bridge port followed by a colon (":") and a host or + network address. + + Example: + + shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address + 192.0.2.24 from interface ipsec0 from zone vpn1 + + See also \"help host\"" + ;; + +drop) + echo "$1: $1
... + Causes packets from the specified
to be ignored + + Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. + + See also \"help address\"" + ;; + +dump) + echo "dump: dump + + shorewall [-x] dump + + Produce a verbose report about the firewall for problem analysis. + + (iptables -L -n -) + + When -x is given, that option is also passed to iptables to display actual packet and byte counts." + ;; + +forget) + echo "forget: forget [ ] + Deletes /var/lib/shorewall/. If no is given then + the file specified by RESTOREFILE in shorewall.conf is removed. + + See also \"help save\"" + ;; + +help) + echo "help: help [ | host | address ] + Display helpful information about the shorewall commands." + ;; + +hits) + echo "hits: hits + Produces several reports about the Shorewall packet log messages + in the current /var/log/messages file." + ;; + +ipcalc) + echo "ipcalc: ipcalc { address mask | address/vlsm } + Ipcalc displays the network address, broadcast address, + network in CIDR notation and netmask corresponding to the input[s]." + ;; + +ipdecimal) + echo "ipdecimal: ipdecimal { | } + Converts an IP address into its 32-bit decimal equivalent and + vice versa" + ;; + +iprange) + echo "iprange: iprange address1-address2 + Iprange decomposes the specified range of IP addresses into the + equivalent list of network/host addresses." + ;; + +logdrop) + echo "$1: $1
... + Causes packets from the specified
to be ignored and loged. + + Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. + + See also \"help address\"" + ;; + +logwatch) + echo "logwatch: logwatch [ -m ] [] + Monitors the LOGFILE, $LOGFILE, + and produces an audible alarm when new Shorewall messages are logged. + If \"-m\" is specified, then MAC addresses in the log entries (if any) are displayed." + ;; + +logreject) + echo "$1: $1
... + Causes packets from the specified
to be rejected and logged. + + Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. + + See also \"help address\"" + ;; + +refresh) + echo "refresh: refresh + The rules involving the broadcast addresses of firewall interfaces, + the black list, and ECN control rules are recreated to reflect any + changes made. Existing connections are untouched." + ;; + +reject) + echo "$1: $1
... + Causes packets from the specified
to be rejected + + Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. + + See also \"help address\"" + ;; + +reset) + echo "reset: reset + All the packet and byte counters in the firewall are reset." + ;; + +restart) + echo "restart: restart [ -n ] [ ] + Restart is the same as a shorewall stop && shorewall start. + Existing connections are maintained. + + If \"-n\" is specified, no changes to routing will be made" + ;; + +safe-restart) + echo "safe-restart: safe-restart + Restart the same way as a shorewall restart except that previous firewall + configuration is backed up and will be restored if you notice any anomalies + or you are not able to reach the firewall any more." + ;; + +safe-start) + echo "safe-start: safe-start + Start the same way as a shorewall start except that in case of anomalies + shorewall clear is issued. " + ;; + +restore) + echo "restore: restore [ -n ] [ ] + Restore Shorewall to a state saved using the 'save' command + Existing connections are maintained. The names a restore file in + /var/lib/shorewall created using \"shorewall save\"; if no is given + then Shorewall will be restored from the file specified by the RESTOREFILE + option in shorewall.conf. + + If \"-n\" is specified, no changes to routing will be made. + + See also \"help save\", \"help compile\" and \"help forget\"" + ;; + +save) + echo "save: save [ ] + The dynamic data is stored in /var/lib/shorewall/save. The state of the + firewall is stored in /var/lib/shorewall/ for use by the 'shorewall restore' + and 'shorewall -f start' commands. If is not given then the state is saved + in the file specified by the RESTOREFILE option in shorewall.conf. + + Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. + + See also \"help restore\" and \"help forget\"" + ;; + +show) + echo "show: show [ [ ...] |actions|classifiers|connections|log|macros|mangle|nat|tc|zones] + + shorewall [-x] show [ ... 
] - produce a verbose report about the IPtable chain(s). + (iptables -L chain -n -v) + + shorewall show actions - produce a list of builtin actions and actions defined in /usr/share/shorewall/actions.std and /etc/shorewall + + shorewall [-x] show mangle - produce a verbose report about the mangle table. + (iptables -t mangle -L -n -v) + + shorewall [-x] show nat - produce a verbose report about the nat table. + (iptables -t nat -L -n -v) + + shorewall show [ -m ] log - display the last 20 packet log entries. If \"-m\" is specified, then + MAC addresses in the log entries (if any) are displayed. + + shorewall show macros -- displays the standard macros. + + shorewall show connections - displays the IP connections currently + being tracked by the firewall. + + shorewall show tc - displays information about the traffic + control/shaping configuration. + + shorewall show zones - displays the contents of all zones. + + shorewall show capabilities - displays your kernel/iptables capabilities + + When -x is given, that option is also passed to iptables to display actual packet and byte counts." + ;; + +start) + echo "start: start [ -f ] [ -n ] [ ] + Start shorewall. Existing connections through shorewall managed + interfaces are untouched. New connections will be allowed only + if they are allowed by the firewall rules or policies. + If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option + in shorewall.conf will be restored if that saved configuration exists. In that + case, a may not be specified. + If \"-n\" is specified, no changes to routing will be made." + ;; + +stop) + echo "stop: stop + Stops the firewall. All existing connections, except those + listed in /etc/shorewall/routestopped, are taken down. + The only new traffic permitted through the firewall + is from systems listed in /etc/shorewall/routestopped." + ;; + +status) + echo "status: status + + shorewall status + + Displays the Shorewall status (running/not-running). 
+ + Also displays the Shorewall state as shown in the state diagram at + http://www.shorewall.net/starting_and_stopping_shorewall. The time and + date when that state was reached is also displayed." + ;; + +trace) + echo "trace: trace + If you include the keyword trace as the first argument to any + of these commands: + + start|stop|restart|reset|clear|refresh|check|add|delete + + then a shell trace of the command is produced. For example: + + shorewall trace start 2> /tmp/trace + + The above command would trace the 'start' command and + place the trace information in the file /tmp/trace. + + The word 'debug' is a synonym for 'trace'." + ;; + +try) + echo "try: try [ -n ] [ ] + Restart shorewall using the specified configuration. If an error + occurs during the restart, then another shorewall restart is performed + using the default configuration. If a timeout is specified then + the restart is always performed after the timeout occurs and uses + the default configuration. + + The \"-n\" option will be passed down to the underlying commands (see + 'start', 'restart' and 'restore')" + ;; + +version) + echo "version: version + Show the current shorewall version which is: $version" + ;; + +*) + echo "$1: $1 is not recognized by the help command" + ;; + +esac + +exit 0 # always ok + diff --git a/Shorewall-lite/init.archlinux.sh b/Shorewall-lite/init.archlinux.sh new file mode 100755 index 000000000..91040787c --- /dev/null +++ b/Shorewall-lite/init.archlinux.sh 
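Review bot: `case $1 in` at the top of the help script leaves the selector unquoted; when help is invoked with no argument the selector is empty, falls through to the `*)` arm and prints `: is not recognized by the help command`, so `case "$1" in` plus a `*)` arm that prints a usage line to stderr would read better. A few wording slips in the help texts are worth fixing in the same pass: `rejct` under `allow`, `loged` under `logdrop`, and `the ipsec may be optionally followed` under `address|host`, where `ipset` is evidently meant. `$version`, expanded under `version`, is not set anywhere in this file and presumably comes from the script that sources or runs it; a one-line comment near the top stating that `version` must be set by the caller would save the next reader a search.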
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+OPTIONS="-f"
+
+if [ -f /etc/sysconfig/shorewall ] ; then
+ . /etc/sysconfig/shorewall
+elif [ -f /etc/default/shorewall ] ; then
+ . /etc/default/shorewall
+fi
+
+# if you want to override options, do so in /etc/sysconfig/shorewall or
+# in /etc/default/shorewall --
+# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
+
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon.
+
+case "$1" in
+ start)
+ stat_busy "Starting $DAEMON_NAME"
+ /sbin/shorewall $OPTIONS start &>/dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ add_daemon $DAEMON_NAME
+ stat_done
+ fi
+ ;;
+
+
+ stop)
+ stat_busy "Stopping $DAEMON_NAME"
+ /sbin/shorewall stop &>/dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ rm_daemon $DAEMON_NAME
+ stat_done
+ fi
+ ;;
+
+ restart|reload)
+ stat_busy "Restarting $DAEMON_NAME"
+ /sbin/shorewall restart &>/dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ stat_done
+ fi
+ ;;
+
+ *)
+ echo "usage: $0 {start|stop|restart}"
+esac
+exit 0
+
diff --git a/Shorewall-lite/init.debian.sh b/Shorewall-lite/init.debian.sh
new file mode 100755
index 000000000..232736a47
--- /dev/null
+++ b/Shorewall-lite/init.debian.sh
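Review bot: The `*)` arm prints usage for an unrecognised command, but the script then falls out of the `case` to `exit 0`, so a mistyped action reports success to rc.d; `exit 1` inside that arm (as init.sh in this commit does via `usage`) gives the caller a real status. The three `&>/dev/null` redirections also discard shorewall's own error output, so a failed start leaves only `stat_fail` with nothing to diagnose; sending that output to a log file, as init.debian.sh does with `INITLOG`, keeps the diagnostics. Each `if [ $? -gt 0 ]; then` after a call can be folded into the call itself, e.g. `if ! /sbin/shorewall $OPTIONS start &>/dev/null; then`.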
@@ -0,0 +1,130 @@ +#!/bin/sh + +SRWL=/sbin/shorewall +WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup +# Note, set INITLOG to /dev/null if you do not want to +# keep logs of the firewall (not recommended) +INITLOG=/var/log/shorewall-init.log +OPTIONS="-f" + +test -x $SRWL || exit 0 +test -n $INITLOG || { + echo "INITLOG cannot be empty, please configure $0" ; + exit 1; +} + +if [ "$(id -u)" != "0" ] +then + echo "You must be root to start, stop or restart \"Shorewall firewall\"." + exit 1 +fi + +echo_notdone () { + + if [ "$INITLOG" = "/dev/null" ] ; then + "not done." + else + "not done (check $INITLOG)." + fi + +} + +not_configured () { + echo "#### WARNING ####" + echo "the firewall won't be started/stopped unless it is configured" + if [ "$1" != "stop" ] + then + echo "" + echo "please configure it and then edit /etc/default/shorewall" + echo "and set the \"startup\" variable to 1 in order to allow " + echo "shorewall to start" + fi + echo "#################" + exit 0 +} + +# parse the shorewall params file in order to use params in +# /etc/default/shorewall +if [ -f "/etc/shorewall/params" ] +then + . /etc/shorewall/params +fi + +# check if shorewall is configured or not +if [ -f "/etc/default/shorewall" ] +then + . /etc/default/shorewall + if [ "$startup" != "1" ] + then + not_configured + fi +else + not_configured +fi + +# wait an unconfigured interface +wait_for_pppd () { + if [ "$wait_interface" != "" ] + then + if [ -f $WAIT_FOR_IFUP ] + then + for i in $wait_interface + do + $WAIT_FOR_IFUP $i 90 + done + else + echo "$WAIT_FOR_IFUP: File not found" >> $INITLOG + echo_notdone + exit 2 + fi + fi +} + +# start the firewall +shorewall_start () { + echo -n "Starting \"Shorewall firewall\": " + wait_for_pppd + $SRWL $OPTIONS start >> $INITLOG 2>&1 && echo "done." || echo_notdone + return 0 +} + +# stop the firewall +shorewall_stop () { + echo -n "Stopping \"Shorewall firewall\": " + $SRWL stop >> $INITLOG 2>&1 && echo "done." 
|| echo_notdone + return 0 +} + +# restart the firewall +shorewall_restart () { + echo -n "Restarting \"Shorewall firewall\": " + $SRWL restart >> $INITLOG 2>&1 && echo "done." || echo_notdone + return 0 +} + +# refresh the firewall +shorewall_refresh () { + echo -n "Refreshing \"Shorewall firewall\": " + $SRWL refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone + return 0 +} + +case "$1" in + start) + shorewall_start + ;; + stop) + shorewall_stop + ;; + refresh) + shorewall_refresh + ;; + force-reload|restart) + shorewall_restart + ;; + *) + echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload}" + exit 1 +esac + +exit 0 diff --git a/Shorewall-lite/init.sh b/Shorewall-lite/init.sh new file mode 100755 index 000000000..aa1200f66 --- /dev/null +++ b/Shorewall-lite/init.sh 
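Review bot: `echo_notdone` never prints its message: both branches run `"not done."` and `"not done (check $INITLOG)."` as commands instead of echoing them, so a failed start/stop/restart yields a `command not found` error in place of the intended text; both lines need `echo` in front, e.g. `echo "not done (check $INITLOG)."`. The guard `test -n $INITLOG || { ... }` near the top is also ineffective, because an unquoted empty `INITLOG` leaves `test -n` with no operand, which is true, so the "INITLOG cannot be empty" branch can never fire; `test -n "$INITLOG" || {` makes it work. The same unquoted pattern appears in `[ -f $WAIT_FOR_IFUP ]` and `$WAIT_FOR_IFUP $i 90` inside `wait_for_pppd`, where `"$WAIT_FOR_IFUP"` and `"$i"` would keep paths with spaces intact.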
@@ -0,0 +1,89 @@
+#!/bin/sh
+RCDLINKS="2,S41 3,S41 6,K41"
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.2
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
+#
+# On most distributions, this file should be called /etc/init.d/shorewall.
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+#
+# If an error occurs while starting or restarting the firewall, the
+# firewall is automatically stopped.
+#
+# Commands are:
+#
+# shorewall start Starts the firewall
+# shorewall restart Restarts the firewall
+# shorewall reload Reload the firewall
+# (same as restart)
+# shorewall stop Stops the firewall
+# shorewall status Displays firewall status
+#
+
+# chkconfig: 2345 25 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall
+# Required-Start: $network
+# Required-Stop:
+# Default-Start: 2 3 5
+# Default-Stop: 0 1 6
+# Description: starts and stops the shorewall firewall
+### END INIT INFO
+
+################################################################################
+# Give Usage Information #
+################################################################################
+usage() {
+ echo "Usage: $0 start|stop|reload|restart|status"
+ exit 1
+}
+
+################################################################################
+# Get startup options (override default)
+################################################################################
+OPTIONS="-f"
+if [ -f /etc/sysconfig/shorewall ]; then
+ . /etc/sysconfig/shorewall
+elif [ -f /etc/default/shorewall ] ; then
+ . /etc/default/shorewall
+fi
+
+################################################################################
+# E X E C U T I O N B E G I N S H E R E #
+################################################################################
+command="$1"
+
+case "$command" in
+ start)
+ exec /sbin/shorewall $OPTIONS $@
+ ;;
+ stop|restart|status)
+ exec /sbin/shorewall $@
+ ;;
+ reload)
+ shift
+ exec /sbin/shorewall restart $@
+ ;;
+ *)
+ usage
+ ;;
+esac
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh
new file mode 100755
index 000000000..573da7187
--- /dev/null
+++ b/Shorewall-lite/install.sh
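Review bot: The three `exec /sbin/shorewall ... $@` lines pass the positional parameters unquoted, so any argument containing whitespace is re-split before it reaches the control program; use `"$@"` in each (`exec /sbin/shorewall $OPTIONS "$@"`, `exec /sbin/shorewall "$@"`, `exec /sbin/shorewall restart "$@"`). `OPTIONS` is then overridden by sourcing `/etc/sysconfig/shorewall` or `/etc/default/shorewall` as root with no ownership or mode check, so those files must stay writable by root only — presumably packaging guarantees that, but a one-line comment above `if [ -f /etc/sysconfig/shorewall ]; then` saying so would help the next maintainer. Unlike init.debian.sh in the same commit, this script has no root check of its own and relies on /sbin/shorewall to refuse non-root callers; that is not verifiable from this hunk.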
@@ -0,0 +1,645 @@ +#!/bin/sh +# +# Script to install Shoreline Firewall +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) +# +# Shorewall documentation is available at http://shorewall.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA +# + +VERSION=3.2.0-RC1 + +usage() # $1 = exit status +{ + ME=$(basename $0) + echo "usage: $ME" + echo " $ME -v" + echo " $ME -h" + exit $1 +} + +split() { + local ifs=$IFS + IFS=: + set -- $1 + echo $* + IFS=$ifs +} + +qt() +{ + "$@" >/dev/null 2>&1 +} + +mywhich() { + local dir + + for dir in $(split $PATH); do + if [ -x $dir/$1 ]; then + echo $dir/$1 + return 0 + fi + done + + return 2 +} + +run_install() +{ + if ! install $*; then + echo + echo "ERROR: Failed to install $*" >&2 + exit 1 + fi +} + +cant_autostart() +{ + echo + echo "WARNING: Unable to configure shorewall to start automatically at boot" >&2 +} + +backup_directory() # $1 = directory to backup +{ + if [ -d $1 ]; then + if cp -a $1 ${1}-${VERSION}.bkout ; then + echo + echo "$1 saved to ${1}-${VERSION}.bkout" + else + exit 1 + fi + fi +} + +backup_file() # $1 = file to backup, $2 = (optional) Directory in which to create the backup +{ + if [ -z "$PREFIX" ]; then + if [ -f $1 -a ! 
-f ${1}-${VERSION}.bkout ]; then + if [ -n "$2" ]; then + if [ -d $2 ]; then + if cp -f $1 $2 ; then + echo + echo "$1 saved to $2/$(basename $1)" + else + exit 1 + fi + fi + elif cp $1 ${1}-${VERSION}.bkout; then + echo + echo "$1 saved to ${1}-${VERSION}.bkout" + else + exit 1 + fi + fi + fi +} + +delete_file() # $1 = file to delete +{ + rm -f $1 +} + +install_file() # $1 = source $2 = target $3 = mode +{ + run_install $OWNERSHIP -m $3 $1 ${2} +} + +install_file_with_backup() # $1 = source $2 = target $3 = mode $4 = (optional) backup directory +{ + backup_file $2 $4 + run_install $OWNERSHIP -m $3 $1 ${2} +} + +# +# Parse the run line +# +# DEST is the SysVInit script directory +# INIT is the name of the script in the $DEST directory +# RUNLEVELS is the chkconfig parmeters for firewall +# ARGS is "yes" if we've already parsed an argument +# +ARGS="" + +if [ -z "$DEST" ] ; then + DEST="/etc/init.d" +fi + +if [ -z "$INIT" ] ; then + INIT="shorewall" +fi + +if [ -z "$RUNLEVELS" ] ; then + RUNLEVELS="" +fi + +if [ -z "$OWNER" ] ; then + OWNER=root +fi + +if [ -z "$GROUP" ] ; then + GROUP=root +fi + +while [ $# -gt 0 ] ; do + case "$1" in + -h|help|?) + usage 0 + ;; + -v) + echo "Shorewall Firewall Installer Version $VERSION" + exit 0 + ;; + *) + usage 1 + ;; + esac + shift + ARGS="yes" +done + +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin + +# +# Determine where to install the firewall script +# +DEBIAN= + +OWNERSHIP="-o $OWNER -g $GROUP" + +if [ -n "$PREFIX" ]; then + if [ `id -u` != 0 ] ; then + echo "Not setting file owner/group permissions, not running as root." 
+ OWNERSHIP="" + fi + + install -d $OWNERSHIP -m 755 ${PREFIX}/sbin + install -d $OWNERSHIP -m 755 ${PREFIX}${DEST} +elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then + DEBIAN=yes +elif [ -f /etc/slackware-version ] ; then + DEST="/etc/rc.d" + INIT="rc.firewall" +elif [ -f /etc/arch-release ] ; then + DEST="/etc/rc.d" + INIT="shorewall" + ARCHLINUX=yes +fi + +# +# Change to the directory containing this script +# +cd "$(dirname $0)" + +echo "Installing Shorewall Version $VERSION" + +# +# First do Backups +# + +# +# Check for /etc/shorewall +# +if [ -d ${PREFIX}/etc/shorewall ]; then + first_install="" + backup_directory ${PREFIX}/etc/shorewall + backup_directory ${PREFIX}/usr/share/shorewall + backup_directory ${PREFIX}/var/lib/shorewall +else + first_install="Yes" +fi + +install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0544 ${PREFIX}/var/lib/shorewall-${VERSION}.bkout + +echo "shorewall control program installed in ${PREFIX}/sbin/shorewall" + +# +# Install the Firewall Script +# +if [ -n "$DEBIAN" ]; then + install_file_with_backup init.debian.sh /etc/init.d/shorewall 0544 ${PREFIX}/usr/share/shorewall-${VERSION}.bkout +elif [ -n "$ARCHLINUX" ]; then + install_file_with_backup init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-${VERSION}.bkout + +else + install_file_with_backup init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-${VERSION}.bkout +fi + +echo "Shorewall script installed in ${PREFIX}${DEST}/$INIT" + +# +# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed +# +mkdir -p ${PREFIX}/etc/shorewall +mkdir -p ${PREFIX}/usr/share/shorewall +mkdir -p ${PREFIX}/var/lib/shorewall + +chmod 755 ${PREFIX}/etc/shorewall +chmod 755 ${PREFIX}/usr/share/shorewall + +# +# Install the config file +# +if [ ! 
-f ${PREFIX}/etc/shorewall/shorewall.conf ]; then + run_install $OWNERSHIP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf + echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf" +fi + +if [ -n "$ARCHLINUX" ] ; then + sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall/shorewall.conf +fi +# +# Install the zones file +# +if [ ! -f ${PREFIX}/etc/shorewall/zones ]; then + run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall/zones + echo "Zones file installed as ${PREFIX}/etc/shorewall/zones" +fi + +# +# Install the functions file +# + +install_file functions ${PREFIX}/usr/share/shorewall/functions 0444 + +echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions" + +# +# Install the Compiler +# + +install_file compiler ${PREFIX}/usr/share/shorewall/compiler 0555 + +echo +echo "Compiler installed in ${PREFIX}/usr/share/shorewall/compiler" + +# +# Install Shorecap +# + +install_file shorecap ${PREFIX}/usr/share/shorewall/shorecap 0555 + +echo +echo "Capability file builder installed in ${PREFIX}/usr/share/shorewall/shorecap" + + +# Install the Help file +# +install_file help ${PREFIX}/usr/share/shorewall/help 0544 + +echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help" + +# +# Install the policy file +# +if [ ! -f ${PREFIX}/etc/shorewall/policy ]; then + run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall/policy + echo "Policy file installed as ${PREFIX}/etc/shorewall/policy" +fi +# +# Install the interfaces file +# +if [ ! -f ${PREFIX}/etc/shorewall/interfaces ]; then + run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces + echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces" +fi +# +# Install the ipsec file +# +if [ ! 
-f ${PREFIX}/etc/shorewall/ipsec ]; then + run_install $OWNERSHIP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec + echo "Dummy IPSEC file installed as ${PREFIX}/etc/shorewall/ipsec" +fi + +# +# Install the hosts file +# +if [ ! -f ${PREFIX}/etc/shorewall/hosts ]; then + run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts + echo "Hosts file installed as ${PREFIX}/etc/shorewall/hosts" +fi +# +# Install the rules file +# +if [ ! -f ${PREFIX}/etc/shorewall/rules ]; then + run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall/rules + echo "Rules file installed as ${PREFIX}/etc/shorewall/rules" +fi +# +# Install the NAT file +# +if [ ! -f ${PREFIX}/etc/shorewall/nat ]; then + run_install $OWNERSHIP -m 0600 nat ${PREFIX}/etc/shorewall/nat + echo "NAT file installed as ${PREFIX}/etc/shorewall/nat" +fi +# +# Install the NETMAP file +# +if [ ! -f ${PREFIX}/etc/shorewall/netmap ]; then + run_install $OWNERSHIP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap + echo "NETMAP file installed as ${PREFIX}/etc/shorewall/netmap" +fi +# +# Install the Parameters file +# +if [ ! -f ${PREFIX}/etc/shorewall/params ]; then + run_install $OWNERSHIP -m 0600 params ${PREFIX}/etc/shorewall/params + echo "Parameter file installed as ${PREFIX}/etc/shorewall/params" +fi +# +# Install the proxy ARP file +# +if [ ! -f ${PREFIX}/etc/shorewall/proxyarp ]; then + run_install $OWNERSHIP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp + echo "Proxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp" +fi +# +# Install the Stopped Routing file +# +if [ ! -f ${PREFIX}/etc/shorewall/routestopped ]; then + run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped + echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped" +fi +# +# Install the Mac List file +# +if [ ! 
-f ${PREFIX}/etc/shorewall/maclist ]; then + run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist + echo "MAC list file installed as ${PREFIX}/etc/shorewall/maclist" +fi +# +# Install the Masq file +# +if [ ! -f ${PREFIX}/etc/shorewall/masq ]; then + run_install $OWNERSHIP -m 0600 masq ${PREFIX}/etc/shorewall/masq + echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq" +fi +# +# Install the Modules file +# +if [ ! -f ${PREFIX}/etc/shorewall/modules ]; then + run_install $OWNERSHIP -m 0600 modules ${PREFIX}/etc/shorewall/modules + echo "Modules file installed as ${PREFIX}/etc/shorewall/modules" +fi +# +# Install the TC Rules file +# +if [ ! -f ${PREFIX}/etc/shorewall/tcrules ]; then + run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules + echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules" +fi + +# +# Install the TOS file +# +if [ ! -f ${PREFIX}/etc/shorewall/tos ]; then + run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall/tos + echo "TOS file installed as ${PREFIX}/etc/shorewall/tos" +fi +# +# Install the Tunnels file +# +if [ ! -f ${PREFIX}/etc/shorewall/tunnels ]; then + run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels + echo "Tunnels file installed as ${PREFIX}/etc/shorewall/tunnels" +fi +# +# Install the blacklist file +# +if [ ! -f ${PREFIX}/etc/shorewall/blacklist ]; then + run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist + echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist" +fi +# +# Delete the Routes file +# +delete_file ${PREFIX}/etc/shorewall/routes +# +# Delete the tcstart file +# + +delete_file ${PREFIX}/usr/share/shorewall/tcstart + +# +# Install the Providers file +# +if [ ! -f ${PREFIX}/etc/shorewall/providers ]; then + run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall/providers + echo "Providers file installed as ${PREFIX}/etc/shorewall/providers" +fi + +# +# Install the Route Rules file +# +if [ ! 
-f ${PREFIX}/etc/shorewall/route_rules ]; then + run_install $OWNERSHIP -m 0600 route_rules ${PREFIX}/etc/shorewall/route_rules + echo "Routing rules file installed as ${PREFIX}/etc/shorewall/route_rules" +fi + +# +# Install the tcclasses file +# +if [ ! -f ${PREFIX}/etc/shorewall/tcclasses ]; then + run_install $OWNERSHIP -m 0600 tcclasses ${PREFIX}/etc/shorewall/tcclasses + echo "TC Classes file installed as ${PREFIX}/etc/shorewall/tcclasses" +fi + +# +# Install the tcdevices file +# +if [ ! -f ${PREFIX}/etc/shorewall/tcdevices ]; then + run_install $OWNERSHIP -m 0600 tcdevices ${PREFIX}/etc/shorewall/tcdevices + echo "TC Devices file installed as ${PREFIX}/etc/shorewall/tcdevices" +fi + +# +# Install the rfc1918 file +# +install_file rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0600 +echo "RFC 1918 file installed as ${PREFIX}/usr/share/shorewall/rfc1918" +# +# Install the default config path file +# +install_file configpath ${PREFIX}/usr/share/shorewall/configpath 0600 +echo "Default config path file installed as ${PREFIX}/usr/share/shorewall/configpath" +# +# Install the init file +# +if [ ! -f ${PREFIX}/etc/shorewall/init ]; then + run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall/init + echo "Init file installed as ${PREFIX}/etc/shorewall/init" +fi +# +# Install the initdone file +# +if [ ! -f ${PREFIX}/etc/shorewall/initdone ]; then + run_install $OWNERSHIP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone + echo "Initdone file installed as ${PREFIX}/etc/shorewall/initdone" +fi +# +# Install the start file +# +if [ ! -f ${PREFIX}/etc/shorewall/start ]; then + run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall/start + echo "Start file installed as ${PREFIX}/etc/shorewall/start" +fi +# +# Install the stop file +# +if [ ! -f ${PREFIX}/etc/shorewall/stop ]; then + run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall/stop + echo "Stop file installed as ${PREFIX}/etc/shorewall/stop" +fi +# +# Install the stopped file +# +if [ ! 
-f ${PREFIX}/etc/shorewall/stopped ]; then + run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped + echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped" +fi +# +# Install the ECN file +# +if [ ! -f ${PREFIX}/etc/shorewall/ecn ]; then + run_install $OWNERSHIP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn + echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn" +fi +# +# Install the Accounting file +# +if [ ! -f ${PREFIX}/etc/shorewall/accounting ]; then + run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting + echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting" +fi +# +# Install the Continue file +# +if [ ! -f ${PREFIX}/etc/shorewall/continue ]; then + run_install $OWNERSHIP -m 0600 continue ${PREFIX}/etc/shorewall/continue + echo "Continue file installed as ${PREFIX}/etc/shorewall/continue" +fi +# +# Install the Started file +# +if [ ! -f ${PREFIX}/etc/shorewall/started ]; then + run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall/started + echo "Started file installed as ${PREFIX}/etc/shorewall/started" +fi +# +# Install the Standard Actions file +# +install_file actions.std ${PREFIX}/usr/share/shorewall/actions.std 0644 +echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std" + +# +# Install the Actions file +# +if [ ! 
-f ${PREFIX}/etc/shorewall/actions ]; then + run_install $OWNERSHIP -m 0644 actions ${PREFIX}/etc/shorewall/actions + echo "Actions file installed as ${PREFIX}/etc/shorewall/actions" +fi + +# +# Install the Makefile +# +run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall/Makefile +echo "Makefile installed as ${PREFIX}/etc/shorewall/Makefile" + +# +# Install the Action files +# +for f in action.* ; do + install_file $f ${PREFIX}/usr/share/shorewall/$f 0644 + echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f" +done + +install_file Limit ${PREFIX}/usr/share/shorewall/Limit 0600 +echo "Limit action extension script installed as ${PREFIX}/usr/share/shorewall/Limit" +# +# Install the Macro files +# +for f in macro.* ; do + install_file $f ${PREFIX}/usr/share/shorewall/$f 0644 + echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f" +done +# +# Install the program skeleton files +# +for f in prog.* ; do + install_file $f ${PREFIX}/usr/share/shorewall/$f 0644 + echo "Program skeleton file ${f#*.} installed as ${PREFIX}/usr/share/shorewall/$f" +done +# +# Create the version file +# +echo "$VERSION" > ${PREFIX}/usr/share/shorewall/version +chmod 644 ${PREFIX}/usr/share/shorewall/version +# +# Remove and create the symbolic link to the init script +# + +if [ -z "$PREFIX" ]; then + rm -f /usr/share/shorewall/init + ln -s ${DEST}/${INIT} /usr/share/shorewall/init +fi + +# +# Install the firewall script +# +install_file firewall ${PREFIX}/usr/share/shorewall/firewall 0544 + +if [ -z "$PREFIX" -a -n "$first_install" ]; then + if [ -n "$DEBIAN" ]; then + run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall + ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall + echo "shorewall will start automatically at boot" + echo "Set startup=1 in /etc/default/shorewall to enable" + touch /var/log/shorewall-init.log + qt mywhich perl && perl -p -w -i -e 
's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/' /etc/shorewall/shorewall.conf + else + if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then + if insserv /etc/init.d/shorewall ; then + echo "shorewall will start automatically at boot" + echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable" + else + cant_autostart + fi + elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then + if chkconfig --add shorewall ; then + echo "shorewall will start automatically in run levels as follows:" + echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable" + chkconfig --list shorewall + else + cant_autostart + fi + elif [ -x /sbin/rc-update ]; then + if rc-update add shorewall default; then + echo "shorewall will start automatically at boot" + echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable" + else + cant_autostart + fi + elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically + cant_autostart + fi + fi +fi + +# +# Report Success +# +echo "shorewall Version $VERSION Installed" diff --git a/Shorewall-lite/releasenotes.txt b/Shorewall-lite/releasenotes.txt new file mode 100644 index 000000000..b28161875 --- /dev/null +++ b/Shorewall-lite/releasenotes.txt 
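Review bot: The Debian branch installs the init script to a hard-coded `/etc/init.d/shorewall`, ignoring `$PREFIX`, `$DEST` and `$INIT` that the Arch and generic branches honour and that the following echo reports, so a packaging build with `PREFIX` set writes into the live system's `/etc/init.d`; it should be `install_file_with_backup init.debian.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-${VERSION}.bkout`. `cd "$(dirname $0)"` is also unchecked, so if it fails every later install runs against the current directory — make it `cd "$(dirname $0)" || exit 1`. Separately, this looks like the full-Shorewall installer carried over unchanged: it unconditionally installs `compiler`, `firewall`, `rfc1918`, `configpath`, `action.*`, `macro.*` and `prog.*`, and `run_install` exits on the first missing source file, so if those are not shipped with Lite (the release notes in this commit say the firewall script is compiled elsewhere and copied in) the installer aborts before the init script is registered with insserv/chkconfig. The `actions.std` message names `/etc/shorewall/actions.std` while the file is installed under `/usr/share/shorewall`.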
@@ -0,0 +1,52 @@ +Shorewall Lite 3.2.0 RC 1 + +Problems Corrected in 3.2.0 RC 1 + +None. + +Other changes in 3.2.0 RC 1 + +None. + +New Features: + +Shorewall Lite is a companion product to Shorewall and is designed to +allow you to maintain all Shorewall configuration information on a +single system within your network. + +a) You install the full Shorewall release on one system within your +network. You need not configure Shorewall there and you may totally +disable startup of Shorewall in your init scripts. For ease of +reference, we call this system the 'administrative system'. + +b) On each system where you wish to run a Shorewall-generated firewall, +you install Shorewall Lite. For ease of reference, we will call these +systems the 'firewall systems'. + +c) On the administrative system you create a separete 'configuration +directory' for each firewall system. You copy the contents of +/usr/share/shorewall/configfiles into each configuration directory. + +d) On each firewall system, you run: + + /usr/share/shorewall/shorecap > capabilities + + The 'capabilities' file is then copied to the corresponding + configuration directory on the administrative system. + +e) On the administrative system, for each firewall system you: + + 1) modify the files in the corresponding configuration + directory appropriately. + + 2) As a non-root user: + + cd + /sbin/shorewall compile . firewall + + Then copy the compiled 'firewall' script to + /usr/share/shorewall/firewall on the corresponding firewall + system. + + 3) On the firewall system, 'shorewall start'. + diff --git a/Shorewall-lite/shorecap b/Shorewall-lite/shorecap new file mode 100755 index 000000000..11638bb14 --- /dev/null +++ b/Shorewall-lite/shorecap 
@@ -0,0 +1,348 @@
+#!/bin/sh
+#
+# Shorewall Packet Filtering Firewall Capabilities Detector
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#
+# This file should be placed in /sbin/shorewall.
+#
+# Shorewall documentation is available at http://shorewall.sourceforge.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+#
+#
+# This program may be used to create a /etc/shorewall/capabilities file for
+# use in compiling Shorewall firewalls on another system.
+#
+# On the target system (the system where the firewall program is to run):
+#
+# [ IPTABLES= ] [ MODULESDIR= ] shorecap > capabilities
+#
+# Now move the capabilities file to the compilation system. The file must
+# be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
+# for the target system.
+#
+# Default values for the two variables are:
+#
+# IPTABLES - iptables
+# MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
+#
+# Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
+# used during firewall compilation, then the generated firewall program will likewise not
+# require Shorewall to be installed.
+
+VERSION=3.2.0-RC1
+
+#
+# Suppress all output for a command
+#
+qt()
+{
+ "$@" >/dev/null 2>&1
+}
+
+#
+# Split a colon-separated list into a space-separated list
+#
+split() {
+ local ifs=$IFS
+ IFS=:
+ set -- $1
+ echo $*
+ IFS=$ifs
+}
+
+#
+# Internal version of 'which'
+#
+mywhich() {
+ local dir
+
+ for dir in $(split $PATH); do
+ if [ -x $dir/$1 ]; then
+ echo $dir/$1
+ return 0
+ fi
+ done
+
+ return 2
+}
+
+#
+# Load a Kernel Module
+#
+loadmodule() # $1 = module name, $2 - * arguments
+{
+ local modulename=$1
+ local modulefile
+ local suffix
+ moduleloader=modprobe
+
+ if ! qt mywhich modprobe; then
+ moduleloader=insmod
+ fi
+
+ if [ -z "$(lsmod | grep $modulename)" ]; then
+ shift
+
+ for suffix in $MODULE_SUFFIX ; do
+ modulefile=$MODULESDIR/${modulename}.${suffix}
+
+ if [ -f $modulefile ]; then
+ case $moduleloader in
+ insmod)
+ insmod $modulefile $*
+ ;;
+ *)
+ modprobe $modulename $*
+ ;;
+ esac
+
+ return
+ fi
+ done
+ fi
+}
+
+#
+# Load kernel modules required for Shorewall
+#
+load_kernel_modules()
+{
+ [ -z "$MODULESDIR" ] && \
+ MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
+
+ #
+ # Essential Modules
+ #
+ loadmodule ip_tables
+ loadmodule iptable_filter
+ loadmodule ip_conntrack
+ #
+ # Helpers
+ #
+ loadmodule ip_conntrack_ftp
+ loadmodule ip_conntrack_tftp
+ loadmodule ip_conntrack_irc
+ loadmodule iptable_nat
+ loadmodule ip_nat_ftp
+ loadmodule ip_nat_tftp
+ loadmodule ip_nat_irc
+ loadmodule ip_set
+ loadmodule ip_set_iphash
+ loadmodule ip_set_ipmap
+ loadmodule ip_set_macipmap
+ loadmodule ip_set_portmap
+ #
+ # Traffic Shaping
+ #
+ loadmodule sch_sfq
+ loadmodule sch_ingress
+ loadmodule sch_htb
+ loadmodule cls_u32
+ #
+ # Extensions
+ #
+ loadmodule ipt_addrtype
+ loadmodule ipt_ah
+ loadmodule ipt_CLASSIFY
+ loadmodule ipt_CLUSTERIP
+ loadmodule ipt_comment
+ loadmodule ipt_connmark
+ loadmodule ipt_CONNMARK
+ loadmodule ipt_conntrack
+ loadmodule ipt_dscp
+ loadmodule ipt_DSCP
+ loadmodule ipt_ecn
+ loadmodule ipt_ECN
+ loadmodule ipt_esp
+ loadmodule ipt_hashlimit
+ loadmodule ipt_helper
+ loadmodule ipt_ipp2p
+ loadmodule ipt_iprange
+ loadmodule ipt_length
+ loadmodule ipt_limit
+ loadmodule ipt_LOG
+ loadmodule ipt_mac
+ loadmodule ipt_mark
+ loadmodule ipt_MARK
+ loadmodule ipt_MASQUERADE
+ loadmodule ipt_multiport
+ loadmodule ipt_NETMAP
+ loadmodule ipt_NOTRACK
+ loadmodule ipt_owner
+ loadmodule ipt_physdev
+ loadmodule ipt_pkttype
+ loadmodule ipt_policy
+ loadmodule ipt_realm
+ loadmodule ipt_recent
+ loadmodule ipt_REDIRECT
+ loadmodule ipt_REJECT
+ loadmodule ipt_SAME
+ loadmodule ipt_sctp
+ loadmodule ipt_set
+ loadmodule ipt_state
+ loadmodule ipt_tcpmss
+ loadmodule ipt_TCPMSS
+ loadmodule ipt_tos
+ loadmodule ipt_TOS
+ loadmodule ipt_ttl
+ loadmodule ipt_TTL
+ loadmodule ipt_ULOG
+
+}
+
+#
+# Determine which optional facilities are supported by iptables/netfilter
+#
+determine_capabilities() {
+ [ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables)
+
+ [ -z "$IPTABLES" ] && { echo "ERROR: Can't find IPTABLES executable" ; exit 2; }
+
+ qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
+ qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
+
+ CONNTRACK_MATCH=
+ MULTIPORT=
+ XMULTIPORT=
+ POLICY_MATCH=
+ PHYSDEV_MATCH=
+ IPRANGE_MATCH=
+ RECENT_MATCH=
+ OWNER_MATCH=
+ IPSET_MATCH=
+ CONNMARK=
+ CONNMARK_MATCH=
+ RAW_TABLE=
+ IPP2P_MATCH=
+ LENGTH_MATCH=
+ CLASSIFY_TARGET=
+ ENHANCED_REJECT=
+ USEPKTTYPE=
+ KLUDGEFREE=
+ MARK=
+ XMARK=
+ MANGLE_FORWARD=
+
+ qt $IPTABLES -N fooX1234
+ qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
+ qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
+ qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
+ qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
+
+ if qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT; then
+ PHYSDEV_MATCH=Yes
+ qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth1 -m physdev --physdev-out eth1 -j ACCEPT && KLUDGEFREE=Yes
+ fi
+
+ if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
+ IPRANGE_MATCH=Yes
+ if [ -z "${KLUDGEFREE}${PHYSDEV_MATCH}" ]; then
+ qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
+ fi
+ fi
+
+ qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
+ qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
+
+ if qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT; then
+ CONNMARK_MATCH=Yes
+ qt $IPTABLES -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
+ fi
+
+ qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes
+ qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
+ qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
+
+ if [ -n "$MANGLE_ENABLED" ]; then
+ qt $IPTABLES -t mangle -N fooX1234
+
+ if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
+ MARK=Yes
+ qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
+ fi
+
+ if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
+ CONNMARK=Yes
+ qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
+ fi
+
+ qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
+ qt $IPTABLES -t mangle -F fooX1234
+ qt $IPTABLES -t mangle -X fooX1234
+ qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
+ fi
+
+ qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
+
+ if qt mywhich ipset; then
+ qt ipset -X fooX1234 # Just in case something went wrong the last time
+
+ if qt ipset -N fooX1234 iphash ; then
+ if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
+ qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
+ IPSET_MATCH=Yes
+ fi
+ qt ipset -X fooX1234
+ fi
+ fi
+
+ qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
+
+ qt $IPTABLES -F fooX1234
+ qt $IPTABLES -X fooX1234
+}
+
+report_capability() # $1 = Capability
+{
+ eval echo $1=\$$1
+}
+
+report_capabilities() {
+ echo "#"
+ echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
+ echo "#"
+ report_capability NAT_ENABLED
+ report_capability MANGLE_ENABLED
+ report_capability MULTIPORT
+ report_capability XMULTIPORT
+ report_capability CONNTRACK_MATCH
+ report_capability USEPKTTYPE
+ report_capability POLICY_MATCH
+ report_capability PHYSDEV_MATCH
+ report_capability LENGTH_MATCH
+ report_capability IPRANGE_MATCH
+ report_capability RECENT_MATCH
+ report_capability OWNER_MATCH
+ report_capability IPSET_MATCH
+ report_capability CONNMARK
+ report_capability XCONNMARK
+ report_capability CONNMARK_MATCH
+ report_capability XCONNMARK_MATCH
+ report_capability RAW_TABLE
+ report_capability IPP2P_MATCH
+ report_capability CLASSIFY_TARGET
+ report_capability ENHANCED_REJECT
+ report_capability KLUDGEFREE
+ report_capability MARK
+ report_capability XMARK
+ report_capability MANGLE_FORWARD
+}
+
+load_kernel_modules
+determine_capabilities
+report_capabilities
diff --git a/Shorewall-lite/shorewall b/Shorewall-lite/shorewall
new file mode 100755
index 000000000..d3e8388df
--- /dev/null
+++ b/Shorewall-lite/shorewall
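Review bot: `loadmodule` iterates `for suffix in $MODULE_SUFFIX ; do`, but `MODULE_SUFFIX` is never set or defaulted anywhere in this file (only `IPTABLES` and `MODULESDIR` are), so unless the caller exports it the loop body never runs, no module is ever loaded, and every match or target whose module is not already resident is reported as absent — and a capabilities file that under-reports on the target yields a weaker compiled firewall with no error anywhere. Default it next to `MODULESDIR`, e.g. `[ -z "$MODULE_SUFFIX" ] && MODULE_SUFFIX="ko o"`, and list it in the header comment with the other two variables. The probe chain `fooX1234` is created in the live filter and mangle tables and only removed at the end of `determine_capabilities`, so an interrupted run leaves it behind; mirror the ipset code's "just in case" `-F`/`-X` before each `-N` (or an EXIT trap) so the table is always left clean. `XCONNMARK` and `XCONNMARK_MATCH` are missing from the reset list at the top of `determine_capabilities`, so a stale exported value would leak into the report. The header line "This file should be placed in /sbin/shorewall" is copied from the control program and should say `/usr/share/shorewall/shorecap`, which is where install.sh puts it.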
@@ -0,0 +1,1648 @@ +#!/bin/sh +# +# Shorewall Packet Filtering Firewall Control Program - V3.2 +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 1999,2000,2001,2002,2003,2004,2005,2006 - Tom Eastep (teastep@shorewall.net) +# +# This file should be placed in /sbin/shorewall. +# +# Shorewall documentation is available at http://shorewall.sourceforge.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA +# +# If an error occurs while starting or restarting the firewall, the +# firewall is automatically stopped. +# +# The firewall uses configuration files in /etc/shorewall/ - skeleton +# files is included with the firewall. +# +# Commands are: +# +# shorewall dump Dumps all Shorewall-related information +# for problem analysis +# shorewall start Starts the firewall +# shorewall restart Restarts the firewall +# shorewall stop Stops the firewall +# shorewall status Displays firewall status +# shorewall reset Resets iptables packet and +# byte counts +# shorewall clear Open the floodgates by +# removing all iptables rules +# and setting the three permanent +# chain policies to ACCEPT +# shorewall show [ ... 
] Display the rules in each listed +# shorewall show log Print the last 20 log messages +# shorewall show connections Show the kernel's connection +# tracking table +# shorewall show nat Display the rules in the nat table +# shorewall show {mangle|tos} Display the rules in the mangle table +# shorewall show tc Display traffic control info +# shorewall show classifiers Display classifiers +# shorewall show capabilities Display iptables/kernel capabilities +# shorewall version Display the installed version id +# shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall +# messages. +# shorewall drop
... Temporarily drop all packets from the +# listed address(es) +# shorewall reject
... Temporarily reject all packets from the +# listed address(es) +# shorewall allow
... Reenable address(es) previously +# disabled with "drop" or "reject" +# shorewall save [ ] Save the list of "rejected" and +# "dropped" addresses so that it will +# be automatically reinstated the +# next time that Shorewall starts. +# Save the current state so that 'shorewall +# restore' can be used. +# +# shorewall forget [ ] Discard the data saved by 'shorewall save' +# +# shorewall restore [ ] Restore the state of the firewall from +# previously saved information. +# +# shorewall ipaddr {
/ |
} +# +# Displays information about the network +# defined by the argument[s] +# +# shorewall iprange
-
Decomposes a range of IP addresses into +# a list of network/host addresses. +# +# shorewall ipdecimal {
| } +# +# Displays the decimal equivalent of an IP +# address and vice versa. +# +# Fatal Error +# +fatal_error() # $@ = Message +{ + echo " $@" >&2 + exit 2 +} + +# Display a chain if it exists +# + +showfirstchain() # $1 = name of chain +{ + awk \ + 'BEGIN {prnt=0; rslt=1; }; \ + /^$/ { next; };\ + /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\ + /Chain '$1'/ { prnt=1; }; \ + { if (prnt == 1) print; };\ + END { exit rslt; }' $TMPFILE +} + +showchain() # $1 = name of chain +{ + if [ "$firstchain" = "Yes" ]; then + if showfirstchain $1; then + firstchain= + fi + else + awk \ + 'BEGIN {prnt=0;};\ + /^$|^ pkts/ { next; };\ + /^Chain/ {if ( prnt == 1 ) exit; };\ + /Chain '$1'/ { prnt=1; };\ + { if (prnt == 1) print; }' $TMPFILE + fi +} + +# +# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules). +# + +iptablesbug() +{ + if qt mywhich awk ; then + awk 'BEGIN {sline=""; };\ + /^-j/ { print sline $0; next };\ + /-m policy.*-j/ { print $0; next };\ + /-m policy/ { sline=$0; next };\ + /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\ + {print ; sline="" }' + else + echo " WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2 + cat + fi +} + +# +# Validate the value of RESTOREFILE +# +validate_restorefile() # $* = label +{ + case $RESTOREFILE in + */*) + error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE" + exit 2 + ;; + .*) + error_message "ERROR: Reserved File Name: $RESTOREFILE" + exit 2 + ;; + esac +} + +# +# Set the configuration variables from shorewall.conf +# +get_config() { + + [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages + + if [ ! -f $LOGFILE ]; then + echo "LOGFILE ($LOGFILE) does not exist!" 
>&2 + exit 2 + fi + # + # See if we have a real version of "tail" -- use separate redirection so + # that ash (aka /bin/sh on LRP) doesn't crap + # + if ( tail -n5 $LOGFILE > /dev/null 2> /dev/null ) ; then + realtail="Yes" + else + realtail="" + fi + + [ -n "$FW" ] || FW=fw + + [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" + + [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:" + + if [ -n "$IPTABLES" ]; then + if [ ! -e "$IPTABLES" ]; then + echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2 + exit 2 + fi + else + IPTABLES=$(mywhich iptables 2> /dev/null) + if [ -z "$IPTABLES" ] ; then + echo " ERROR: Can't find iptables executable" >&2 + exit 2 + fi + fi + + if [ -n "$SHOREWALL_SHELL" ]; then + if [ ! -e "$SHOREWALL_SHELL" ]; then + echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2 + exit 2 + fi + fi + + [ -n "$RESTOREFILE" ] || RESTOREFILE=restore + + validate_restorefile RESTOREFILE + + export RESTOREFILE + + [ -n "${VERBOSITY:=2}" ] + + VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY)) + + export VERBOSE + +} + +# +# Clear descriptor 1 if it is a terminal +# +clear_term() { + [ -t 1 ] && clear +} + +# +# Delay $timeout seconds -- if we're running on a recent bash2 then allow +# to terminate the delay +# +timed_read () +{ + read -t $timeout foo 2> /dev/null + + test $? 
-eq 2 && sleep $timeout +} + +# +# Display the last $1 packets logged +# +packet_log() # $1 = number of messages +{ + local options + + [ -n "$realtail" ] && options="-n$1" + + if [ -n "$SHOWMACS" -o $VERBOSE -gt 2 ]; then + grep "${LOGFORMAT}" $LOGFILE | \ + sed s/" kernel:"// | \ + sed s/" $host $LOGFORMAT"/" "/ | \ + tail $options + else + grep "${LOGFORMAT}" $LOGFILE | \ + sed s/" kernel:"// | \ + sed s/" $host $LOGFORMAT"/" "/ | \ + sed 's/MAC=.* SRC=/SRC=/' | \ + tail $options + fi +} + +# +# Show traffic control information +# +show_tc() { + + show_one_tc() { + local device=${1%@*} + qdisc=$(tc qdisc list dev $device) + + if [ -n "$qdisc" ]; then + echo Device $device: + tc -s -d qdisc show dev $device + tc -s -d class show dev $device + echo + fi + } + + ip link list | \ + while read inx interface details; do + case $inx in + [0-9]*) + show_one_tc ${interface%:} + ;; + *) + ;; + esac + done + +} + +# +# Show classifier information +# +show_classifiers() { + + show_one_classifier() { + local device=${1%@*} + qdisc=$(tc qdisc list dev $device) + + if [ -n "$qdisc" ]; then + echo Device $device: + tc -s filter ls dev $device + echo + fi + } + + ip link list | \ + while read inx interface details; do + case $inx in + [0-9]*) + show_one_classifier ${interface%:} + ;; + *) + ;; + esac + done + +} + +# +# Watch the Firewall Log +# +logwatch() # $1 = timeout -- if negative, prompt each time that + # an 'interesting' packet count changes +{ + + host=$(echo $HOSTNAME | sed 's/\..*$//') + oldrejects=$($IPTABLES -L -v -n | grep 'LOG') + + if [ $1 -lt 0 ]; then + timeout=$((- $1)) + pause="Yes" + else + pause="No" + timeout=$1 + fi + + qt mywhich awk && haveawk=Yes || haveawk= + + while true; do + clear_term + echo "$banner $(date)" + echo + + echo "Dropped/Rejected Packet Log" + echo + + show_reset + + rejects=$($IPTABLES -L -v -n | grep 'LOG') + + if [ "$rejects" != "$oldrejects" ]; then + oldrejects="$rejects" + + $RING_BELL + + packet_log 40 + + if [ "$pause" = 
"Yes" ]; then + echo + echo $ECHO_N 'Enter any character to continue: ' + read foo + else + timed_read + fi + else + echo + packet_log 40 + timed_read + fi + done +} + +# +# Save currently running configuration +# +save_config() { + if shorewall_is_started ; then + [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall + + if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then + echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration" + else + case $RESTOREFILE in + save|restore-base) + echo " ERROR: Reserved file name: $RESTOREFILE" + ;; + *) + if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then + echo " Dynamic Rules Saved" + if [ -f /var/lib/shorewall/.restore ]; then + if iptables-save | iptablesbug > /var/lib/shorewall/restore-$$; then + cp -f /var/lib/shorewall/.restore $RESTOREPATH + mv -f /var/lib/shorewall/restore-$$ ${RESTOREPATH}-iptables + chmod +x $RESTOREPATH + echo " Currently-running Configuration Saved to $RESTOREPATH" + + rm -f ${RESTOREPATH}-ipsets + + case ${SAVE_IPSETS:-No} in + [Yy][Ee][Ss]) + RESTOREPATH=${RESTOREPATH}-ipsets + + f=/var/lib/shorewall/restore-$$ + + echo "#!/bin/sh" > $f + echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f + echo >> $f + echo ". /usr/share/shorewall/functions" >> $f + echo >> $f + grep '^MODULE' /var/lib/shorewall/restore-base >> $f + echo "reload_kernel_modules << __EOF__" >> $f + grep 'loadmodule ip_set' /var/lib/shorewall/restore-base >> $f + echo "__EOF__" >> $f + echo >> $f + echo "ipset -U :all: :all:" >> $f + echo "ipset -F" >> $f + echo "ipset -X" >> $f + echo "ipset -R << __EOF__" >> $f + ipset -S >> $f + echo "__EOF__" >> $f + mv -f $f $RESTOREPATH + chmod +x $RESTOREPATH + echo " Current Ipset Contents Saved to $RESTOREPATH" + ;; + [Nn][Oo]) + ;; + *) + echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. 
Ipset contents not saved" + ;; + esac + else + rm -f /var/lib/shorewall/restore-$$ + echo " ERROR: Currently-running Configuration Not Saved" + fi + else + echo " ERROR: /var/lib/shorewall/.restored oes not exist" + fi + else + echo "Error Saving the Dynamic Rules" + fi + ;; + esac + fi + else + echo "Shorewall isn't started" + fi + +} + +# +# Start Command Executor +# +start_command() { + local finished=0 + + do_it() { + [ -n "$nolock" ] || mutex_on + + if [ -x /usr/share/shorewall/firewall ]; then + /usr/share/shorewall/firewall $debugging start + else + error_message "/etc/shorewall/firewall is missing or is not executable" + fi + + [ -n "$nolock" ] || mutex_off + } + + if shorewall_is_started; then + error_message "Shorewall is already running" + exit 1 + fi + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + f*) + FAST=Yes + option=${option#f} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + case $# in + 0) + ;; + 1) + [ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2 + + if [ ! -d $1 ]; then + if [ -e $1 ]; then + echo "$1 is not a directory" >&2 && exit 2 + else + echo "Directory $1 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$ + export SHOREWALL_DIR + ;; + *) + usage 1 + ;; + esac + + export NOROUTES + + if [ -n "$FAST" ]; then + if qt mywhich make; then + # + # RESTOREFILE is exported by get_config() + # + make -qf /etc/shorewall/Makefile || FAST= + fi + + if [ -n "$FAST" ]; then + + RESTOREPATH=/var/lib/shorewall/$RESTOREFILE + + if [ -x $RESTOREPATH ]; then + if [ -x ${RESTOREPATH}-ipsets ]; then + echo Restoring Ipsets... + # + # We must purge iptables to be sure that there are no + # references to ipsets + # + iptables -F + iptables -X + ${RESTOREPATH}-ipsets + fi + + echo Restoring Shorewall... 
+ $SHOREWALL_SHELL $RESTOREPATH restore + date > /var/lib/shorewall/restarted + progress_message3 Shorewall restored from $RESTOREPATH + else + do_it + fi + else + do_it + fi + else + do_it + fi +} + +# +# Restart Command Executor +# +restart_command() { + local finished=0 + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + n*) + NOROUTES=Yes + option=${option#n} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + case $# in + 0) + ;; + 1) + [ -n "$SHOREWALL_DIR" ] && usage 2 + + if [ ! -d $1 ]; then + if [ -e $1 ]; then + echo "$1 is not a directory" >&2 && exit 2 + else + echo "Directory $1 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$1 + export SHOREWALL_DIR + ;; + *) + usage 1 + ;; + esac + + export NOROUTES + + [ -n "$nolock" ] || mutex_on + + if [ -x /usr/share/shorewall/firewall ]; then + $SHOREWALL_SHELL /usr/share/shorewall/firewall $debugging restart + else + error_message "/etc/shorewall/firewall is missing or is not executable" + fi + + [ -n "$nolock" ] || mutex_off +} + +# +# Show Command Executor +# +show_command() { + local finished=0 + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + v*) + VERBOSE=$(($VERBOSE + 1 )) + option=${option#v} + ;; + x*) + IPT_OPTIONS="-xnv" + option=${option#x} + ;; + m*) + SHOWMACS=Yes + option=${option#m} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + [ -n "$debugging" ] && set -x + case "$1" in + connections) + [ $# -gt 1 ] && usage 1 + echo "Shorewall-$version Connections at $HOSTNAME - $(date)" + echo + cat /proc/net/ip_conntrack + ;; + nat) + [ $# -gt 1 ] && usage 1 + echo "Shorewall-$version NAT Table at $HOSTNAME - $(date)" + echo + show_reset + 
$IPTABLES -t nat -L $IPT_OPTIONS + ;; + tos|mangle) + [ $# -gt 1 ] && usage 1 + echo "Shorewall-$version Mangle Table at $HOSTNAME - $(date)" + echo + show_reset + $IPTABLES -t mangle -L $IPT_OPTIONS + ;; + log) + [ $# -gt 1 ] && usage 1 + echo "Shorewall-$version Log at $HOSTNAME - $(date)" + echo + show_reset + host=$(echo $HOSTNAME | sed 's/\..*$//') + packet_log 20 + ;; + tc) + [ $# -gt 1 ] && usage 1 + echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)" + echo + show_tc + ;; + classifiers) + [ $# -gt 1 ] && usage 1 + echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)" + echo + show_classifiers + ;; + zones) + [ $# -gt 1 ] && usage 1 + if [ -f /var/lib/shorewall/zones ]; then + echo "Shorewall-$version Zones at $HOSTNAME - $(date)" + echo + while read zone type hosts; do + echo "$zone ($type)" + for host in $hosts; do + echo " $host" + done + done < /var/lib/shorewall/zones + echo + else + echo " ERROR: /var/lib/shorewall/zones does not exist" >&2 + exit 1 + fi + ;; + capabilities) + [ $# -gt 1 ] && usage 1 + determine_capabilities + VERBOSE=2 + report_capabilities + ;; + *) + echo "Shorewall-$version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" + echo + show_reset + if [ $# -gt 0 ]; then + for chain in $*; do + $IPTABLES -L $chain $IPT_OPTIONS + done + else + $IPTABLES -L $IPT_OPTIONS + fi + ;; + esac +} +# +# Dump Command Executor +# +dump_command() { + local finished=0 + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + x*) + IPT_OPTIONS="-xnv" + option=${option#x} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + [ -n "$debugging" ] && set -x + [ $# -eq 0 ] || usage 1 + clear_term + echo "Shorewall-$version Dump at $HOSTNAME - $(date)" + echo + show_reset + host=$(echo $HOSTNAME | sed 's/\..*$//') + $IPTABLES -L $IPT_OPTIONS + + 
heading "Log ($LOGFILE)" + packet_log 20 + + heading "NAT Table" + $IPTABLES -t nat -L $IPT_OPTIONS + + heading "Mangle Table" + $IPTABLES -t mangle -L $IPT_OPTIONS + + heading "Conntrack Table" + cat /proc/net/ip_conntrack + + heading "IP Configuration" + ip addr ls + + heading "IP Stats" + ip -stat link ls + + if qt mywhich brctl; then + heading "Bridges" + brctl show + fi + + heading "/proc" + show_proc /proc/version + show_proc /proc/sys/net/ipv4/ip_forward + show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all + + for directory in /proc/sys/net/ipv4/conf/*; do + for file in proxy_arp arp_filter arp_ignore rp_filter log_martians; do + show_proc $directory/$file + done + done + + if [ -n "$(ip rule ls)" ]; then + heading "Routing Rules" + ip rule ls + ip rule ls | while read rule; do + echo ${rule##* } + done | sort -u | while read table; do + heading "Table $table:" + ip route ls table $table + done + else + heading "Routing Table" + ip route ls + fi + + heading "ARP" + arp -na + + if qt mywhich lsmod; then + heading "Modules" + lsmod | grep -E '^ip_|^ipt_|^iptable_' + fi + + determine_capabilities + echo + report_capabilities + + if [ -n "$TC_ENABLED" ]; then + heading "Traffic Control" + show_tc + heading "TC Filters" + show_classifiers + fi +} + +# +# Restore Comand Executor +# +restore_command() { + local finished=0 + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + n*) + NOROUTES=Yes + option=${option#n} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + case $# in + 0) + ;; + 1) + RESTOREFILE="$1" + validate_restorefile '' + ;; + *) + usage 1 + ;; + esac + + if [ -z "$STARTUP_ENABLED" ]; then + error_message "ERROR: Startup is disabled" + exit 2 + fi + + RESTOREPATH=/var/lib/shorewall/$RESTOREFILE + + export NOROUTES + + [ -n "$nolock" ] || mutex_on + + if [ -x $RESTOREPATH ]; then + 
if [ -x ${RESTOREPATH}-ipsets ] ; then + echo Restoring Ipsets... + iptables -F + iptables -X + ${RESTOREPATH}-ipsets + fi + + progress_message3 "Restoring Shorewall..." + $RESTOREPATH restore && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE" + [ -n "$nolock" ] || mutex_off + else + echo "File /var/lib/shorewall/$RESTOREFILE: file not found" + [ -n "$nolock" ] || mutex_off + exit 2 + fi +} +# +# Help information +# +help() +{ + [ -x $HELP ] && { export version; exec $HELP $*; } + echo "Help subsystem is not installed at $HELP" +} + +# +# Give Usage Information +# +usage() # $1 = exit status +{ + echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] " + echo "where is one of:" + echo " add [:] ... " + echo " allow
..." + echo " check [ -e ] [ ]" + echo " clear" + echo " compile [ -e ] [ -d ] [ ] " + echo " delete [:] ... " + echo " drop
..." + echo " dump [ -x ]" + echo " forget [ ]" + echo " help [ | host | address ]" + echo " hits" + echo " ipcalc {
/ |
}" + echo " ipdecimal {
| }" + echo " iprange
-
" + echo " logdrop
..." + echo " logreject
..." + echo " logwatch []" + echo " refresh" + echo " reject
..." + echo " reset" + echo " restart [ -n ] [ ]" + echo " restore [ -n ] [ ]" + echo " save [ ]" + echo " show [ -x ] [ -m ] [ [ ... ]|actions|capabilities|classifiers|connections|log|macros|mangle|nat|tc|zones]" + echo " start [ -f ] [ -n ] [ ]" + echo " stop" + echo " status" + echo " try [ ]" + echo " version" + echo + exit $1 +} + +# +# Display the time that the counters were last reset +# +show_reset() { + [ -f /var/lib/shorewall/restarted ] && \ + echo "Counters reset $(cat /var/lib/shorewall/restarted)" && \ + echo +} + +# +# Display's the passed file name followed by "=" and the file's contents. +# +show_proc() # $1 = name of a file +{ + [ -f $1 ] && echo " $1 = $(cat $1)" +} + +read_yesno_with_timeout() { + read -t 60 yn 2> /dev/null + if [ $? -eq 2 ] + then + # read doesn't support timeout + test -x /bin/bash || return 2 # bash is not installed so the feature is not available + /bin/bash -c 'read -t 60 yn ; if [ "$yn" == "y" ] ; then exit 0 ; else exit 1 ; fi' # invoke bash and use its version of read + return $? 
+ else + # read supports timeout + case "$yn" in + y|Y) + return 0 + ;; + *) + return 1 + ;; + esac + fi +} + +# +# Print a heading with leading and trailing black lines +# +heading() { + echo + echo "$@" + echo +} + +# +# Create the appropriate -q option to pass onward +# +make_verbose() { + local v=$VERBOSE_OFFSET option=- + + if [ $VERBOSE_OFFSET -gt 0 ]; then + while [ $v -gt 0 ]; do + option="${option}v" + v=$(($v - 1)) + done + + echo $option + elif [ $VERBOSE_OFFSET -lt 0 ]; then + while [ $v -lt 0 ]; do + option="${option}q" + v=$(($v + 1)) + done + + echo $option + fi +} + +# +# Execution begins here +# +debugging= + +if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then + debugging=debug + shift +fi + +nolock= + +if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then + nolock=nolock + shift +fi + +SHOREWALL_DIR= +IPT_OPTIONS="-nv" +FAST= +VERBOSE_OFFSET=0 +NOROUTES= +EXPORT= +export TIMESTAMP= +noroutes= + +finished=0 + +while [ $finished -eq 0 ]; do + [ $# -eq 0 ] && usage 1 + option=$1 + case $option in + -) + finished=1 + ;; + -*) + option=${option#-} + + [ -z "$option" ] && usage 1 + + while [ -n "$option" ]; do + case $option in + c) + [ $# -eq 1 ] && usage 1 + + if [ ! 
-d $2 ]; then + if [ -e $2 ]; then + echo "$2 is not a directory" >&2 && exit 2 + else + echo "Directory $2 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$2 + option= + shift + ;; + e*) + EXPORT=Yes + option=${option#e} + ;; + x*) + IPT_OPTIONS="-xnv" + option=${option#x} + ;; + q*) + VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 )) + option=${option#q} + ;; + f*) + FAST=Yes + option=${option#f} + ;; + v*) + VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 )) + option=${option#v} + ;; + n*) + NOROUTES=Yes + option=${option#n} + ;; + t*) + TIMESTAMP=Yes + option=${option#t} + ;; + -) + finished=1 + option= + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac +done + +if [ $# -eq 0 ]; then + usage 1 +fi + +[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +MUTEX_TIMEOUT= + +SHARED_DIR=/usr/share/shorewall +FIREWALL=$SHARED_DIR/firewall +FUNCTIONS=$SHARED_DIR/functions +VERSION_FILE=$SHARED_DIR/version +HELP=$SHARED_DIR/help + +if [ -f $FUNCTIONS ]; then + . $FUNCTIONS +else + echo "$FUNCTIONS does not exist!" >&2 + exit 2 +fi + +ensure_config_path + +config=$(find_file shorewall.conf) + +if [ -f $config ]; then + if [ -r $config ]; then + . $config + else + echo "Cannot read $config! (Hint: Are you root?)" >&2 + exit 1 + fi +else + echo "$config does not exist!" >&2 + exit 2 +fi + +ensure_config_path +export CONFIG_PATH + +get_config + +if [ ! 
-f $FIREWALL ]; then + echo "ERROR: Shorewall is not properly installed" + if [ -L $FIREWALL ]; then + echo " $FIREWALL is a symbolic link to a" + echo " non-existant file" + else + echo " The file $FIREWALL does not exist" + fi + + exit 2 +fi + +if [ -f $VERSION_FILE ]; then + version=$(cat $VERSION_FILE) +else + echo "ERROR: Shorewall is not properly installed" + echo " The file $VERSION_FILE does not exist" + exit 1 +fi + +banner="Shorewall-$version Status at $HOSTNAME -" + +case $(echo -e) in + -e*) + RING_BELL="echo \a" + ;; + *) + RING_BELL="echo -e \a" + ;; +esac + +case $(echo -n "Testing") in + -n*) + ECHO_N= + ;; + *) + ECHO_N=-n + ;; +esac + +COMMAND=$1 + +case "$COMMAND" in + start) + shift + + start_command $@ + + ;; + stop|reset|clear|refresh) + [ $# -ne 1 ] && usage 1 + export NOROUTES + exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND + ;; + compile) + shift + + compile_command $@ + + ;; + restart) + shift + + restart_command $@ + + ;; + check) + shift + + check_command $@ + + ;; + add|delete) + [ $# -lt 3 ] && usage 1 + exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@ + ;; + show|list) + shift + + show_command $@ + + ;; + status) + [ $# -eq 1 ] || usage 1 + echo "Shorewall-$version Status at $HOSTNAME - $(date)" + echo + if shorewall_is_started ; then + echo "Shorewall is running" + status=0 + else + echo "Shorewall is stopped" + status=4 + fi + + if [ -f /var/lib/shorewall/state ]; then + state="$(cat /var/lib/shorewall/state)" + case $state in + Stopped*|Clear*) + status=3 + ;; + esac + else + state=Unknown + fi + echo "State:$state" + echo + exit $status + ;; + dump) + shift + + dump_command $@ + + ;; + hits) + [ -n "$debugging" ] && set -x + [ $# -eq 1 ] || usage 1 + clear_term + echo "Shorewall-$version Hits at $HOSTNAME - $(date)" + echo + + timeout=30 + + if [ $(grep -c "$LOGFORMAT" $LOGFILE ) -gt 0 ] ; then + echo " HITS IP DATE" + echo " ---- --------------- ------" + grep "$LOGFORMAT" $LOGFILE | sed 
's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn + echo "" + + echo " HITS IP PORT" + echo " ---- --------------- -----" + grep "$LOGFORMAT" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/ + t + s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn + echo "" + + echo " HITS DATE" + echo " ---- ------" + grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn + echo "" + + echo " HITS PORT SERVICE(S)" + echo " ---- ----- ----------" + grep "$LOGFORMAT.*DPT" $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ + while read count port ; do + # List all services defined for the given port + srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u) + srv=$(echo $srv | sed 's/ /,/g') + + if [ -n "$srv" ] ; then + printf '%7d %5d %s\n' $count $port $srv + else + printf '%7d %5d\n' $count $port + fi + done + fi + ;; + version) + echo $version + ;; + try) + [ -n "$SHOREWALL_DIR" ] && startup_error "ERROR: -c option may not be used with \"try\"" + [ $# -lt 2 -o $# -gt 3 ] && usage 1 + VERBOSE=$(make_verbose) + [ -n "$NOROUTES" ] && NOROUTES=-n + if ! $0 $debugging $VERBOSE -c $2 restart; then + if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then + $0 $VERBOSE $NOROUTES start + fi + elif ! 
$IPTABLES -L shorewall > /dev/null 2> /dev/null; then + $0 $VERBOSE $NOROUTES start + elif [ $# -eq 3 ]; then + sleep $3 + $0 $VERBOSE $NOROUTES restart + fi + ;; + logwatch) + shift + + finished=0 + + while [ $finished -eq 0 -a $# -ne 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + [ -z "$option" ] && usage 1 + + while [ -n "$option" ]; do + case $option in + v*) + VERBOSE=$(($VERBOSE + 1 )) + option=${option#v} + ;; + q*) + VERBOSE=$(($VERBOSE - 1 )) + option=${option#q} + ;; + m*) + SHOWMACS=Yes + option=${option#m} + ;; + -) + finished=1 + option= + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + [ -n "$debugging" ] && set -x + + if [ $# -eq 1 ]; then + logwatch $1 + elif [ $# -eq 0 ]; then + logwatch 30 + else + usage 1 + fi + ;; + drop) + [ -n "$debugging" ] && set -x + [ $# -eq 1 ] && usage 1 + if shorewall_is_started ; then + mutex_on + while [ $# -gt 1 ]; do + shift + qt $IPTABLES -D dynamic -s $1 -j reject + qt $IPTABLES -D dynamic -s $1 -j DROP + qt $IPTABLES -D dynamic -s $1 -j logreject + qt $IPTABLES -D dynamic -s $1 -j logdrop + $IPTABLES -A dynamic -s $1 -j DROP || break 1 + echo "$1 Dropped" + done + mutex_off + else + error_message "ERROR: Shorewall is not started" + exit 2 + fi + ;; + logdrop) + [ -n "$debugging" ] && set -x + [ $# -eq 1 ] && usage 1 + if shorewall_is_started ; then + mutex_on + while [ $# -gt 1 ]; do + shift + qt $IPTABLES -D dynamic -s $1 -j reject + qt $IPTABLES -D dynamic -s $1 -j DROP + qt $IPTABLES -D dynamic -s $1 -j logreject + qt $IPTABLES -D dynamic -s $1 -j logdrop + $IPTABLES -A dynamic -s $1 -j logdrop || break 1 + echo "$1 Dropped" + done + mutex_off + else + error_message "ERROR: Shorewall is not started" + exit 2 + fi + ;; + reject|logreject) + [ -n "$debugging" ] && set -x + [ $# -eq 1 ] && usage 1 + if shorewall_is_started ; then + mutex_on + while [ $# -gt 1 ]; do + shift + qt $IPTABLES -D dynamic -s $1 -j reject + qt $IPTABLES -D dynamic -s $1 -j 
DROP + qt $IPTABLES -D dynamic -s $1 -j logreject + qt $IPTABLES -D dynamic -s $1 -j logdrop + $IPTABLES -A dynamic -s $1 -j $COMMAND || break 1 + echo "$1 Rejected" + done + mutex_off + else + error_message "ERROR: Shorewall is not started" + exit 2 + fi + ;; + allow) + [ -n "$debugging" ] && set -x + [ $# -eq 1 ] && usage 1 + if shorewall_is_started ; then + mutex_on + while [ $# -gt 1 ]; do + shift + if qt $IPTABLES -D dynamic -s $1 -j reject ||\ + qt $IPTABLES -D dynamic -s $1 -j DROP ||\ + qt $IPTABLES -D dynamic -s $1 -j logdrop ||\ + qt $IPTABLES -D dynamic -s $1 -j logreject + then + echo "$1 Allowed" + else + echo "$1 Not Dropped or Rejected" + fi + done + mutex_off + else + error_message "ERROR: Shorewall is not started" + exit 2 + fi + ;; + save) + [ -n "$debugging" ] && set -x + + case $# in + 1) + ;; + 2) + RESTOREFILE="$2" + validate_restorefile '' + ;; + *) + usage 1 + ;; + esac + + RESTOREPATH=/var/lib/shorewall/$RESTOREFILE + + [ "$nolock" ] || mutex_on + + save_config + + [ "$nolock" ] || mutex_off + ;; + forget) + case $# in + 1) + ;; + 2) + RESTOREFILE="$2" + validate_restorefile '' + ;; + *) + usage 1 + ;; + esac + + + RESTOREPATH=/var/lib/shorewall/$RESTOREFILE + + if [ -x $RESTOREPATH ]; then + + if [ -x ${RESTOREPATH}-ipsets ]; then + rm -f ${RESTOREPATH}-ipsets + echo " ${RESTOREPATH}-ipsets removed" + fi + + rm -f $RESTOREPATH + rm -f ${RESTOREPATH}-iptables + echo " $RESTOREPATH removed" + elif [ -f $RESTOREPATH ]; then + echo " $RESTOREPATH exists and is not a saved Shorewall configuration" + fi + rm -f /var/lib/shorewall/save + ;; + ipcalc) + [ -n "$debugging" ] && set -x + if [ $# -eq 2 ]; then + address=${2%/*} + vlsm=${2#*/} + elif [ $# -eq 3 ]; then + address=$2 + vlsm=$(ip_vlsm $3) + else + usage 1 + fi + + [ -z "$vlsm" ] && exit 2 + [ "x$address" = "x$vlsm" ] && usage 2 + [ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2 + + address=$address/$vlsm + + echo " CIDR=$address" + temp=$(ip_netmask $address); echo " 
NETMASK=$(encodeaddr $temp)" + temp=$(ip_network $address); echo " NETWORK=$temp" + temp=$(broadcastaddress $address); echo " BROADCAST=$temp" + ;; + + iprange) + [ -n "$debugging" ] && set -x + case $2 in + *.*.*.*-*.*.*.*) + ip_range $2 + ;; + *) + usage 1 + ;; + esac + ;; + ipdecimal) + [ -n "$debugging" ] && set -x + case $2 in + *.*.*.*) + echo " $(decodeaddr $2)" + ;; + *) + echo " $(encodeaddr $2)" + ;; + esac + ;; + restore) + shift + + restore_command $@ + + ;; + call) + [ -n "$debugging" ] && set -x + # + # Undocumented way to call functions in /usr/share/shorewall/functions directly + # + shift + $@ + ;; + help) + shift + [ $# -ne 1 ] && usage 1 + help $@ + ;; + *) + usage 1 + ;; + +esac diff --git a/Shorewall-lite/shorewall.conf b/Shorewall-lite/shorewall.conf new file mode 100644 index 000000000..5a3ce3ca7 --- /dev/null +++ b/Shorewall-lite/shorewall.conf 
@@ -0,0 +1,148 @@
+###############################################################################
+# /etc/shorewall/shorewall.conf V3.0 - Change the following variables to
+# match your setup
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# This file should be placed in /etc/shorewall
+#
+# (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#
+###############################################################################
+# V E R B O S I T Y
+###############################################################################
+#
+# Shorewall has traditionally been very noisy. You may now set the default
+# level of verbosity here.
+#
+# Values are:
+#
+# 0 -- Silent. You may make it more verbose using the -v option
+# 1 -- Major progress messages displayed
+# 2 -- All progress messages displayed (old default behavior)
+#
+# If not specified, then 2 is assumed
+
+VERBOSITY=1
+
+###############################################################################
+# L O G G I N G
+###############################################################################
+#
+# General note about log levels. Log levels are a method of describing
+# to syslog (8) the importance of a message and a number of parameters
+# in this file have log levels as their value.
+#
+# These levels are defined by syslog and are used to determine the destination
+# of the messages through entries in /etc/syslog.conf (5). The syslog
+# documentation refers to these as "priorities"; Netfilter calls them "levels"
+# and Shorewall also uses that term.
+#
+# Valid levels are:
+#
+# 7 debug
+# 6 info
+# 5 notice
+# 4 warning
+# 3 err
+# 2 crit
+# 1 alert
+# 0 emerg
+#
+# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
+# log messages are generated by NetFilter and are logged using facility
+# 'kern' and the level that you specifify. If you are unsure of the level
+# to choose, 6 (info) is a safe bet. You may specify levels by name or by
+# number.
+#
+# If you have built your kernel with ULOG target support, you may also
+# specify a log level of ULOG (must be all caps). Rather than log its
+# messages to syslogd, Shorewall will direct netfilter to log the messages
+# via the ULOG target which will send them to a process called 'ulogd'.
+# ulogd is available with most Linux distributions (although it probably isn't
+# installed by default). Ulogd is also available from
+# http://www.gnumonks.org/projects/ulogd and can be configured to log all
+# Shorewall message to their own log file
+###############################################################################
+#
+# LOG FILE LOCATION
+#
+# This variable tells the /sbin/shorewall program where to look for Shorewall
+# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
+# /var/log/messages is assumed.
+#
+# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
+# look for Shorewall messages.It does NOT control the destination for
+# these messages. For information about how to do that, see
+#
+# http://www.shorewall.net/shorewall_logging.html
+#
+
+LOGFILE=/var/log/messages
+
+#
+# LOG FORMAT
+#
+# Shell 'printf' Formatting template for the --log-prefix value in log messages
+# generated by Shorewall to identify Shorewall log messages. The supplied
+# template is expected to accept either two or three arguments; the first is
+# the chain name, the second (optional) is the logging rule number within that
+# chain and the third is the ACTION specifying the disposition of the packet
+# being logged. You must use the %d formatting type for the rule number; if
+# your template does not contain %d then the rule number will not be included.
+#
+# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
+#
+# LOGFORMAT="fp=%s:%d a=%s "
+#
+# If not specified or specified as empty (LOGFORMAT="") then the value
+# "Shorewall:%s:%s:" is assumed.
+#
+# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
+# to but not including the first '%') to find log messages in the 'show log',
+# 'status' and 'hits' commands. This part should not be omitted (the
+# LOGFORMAT should not begin with "%") and the leading part should be
+# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
+#
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+###############################################################################
+# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
+###############################################################################
+#
+# IPTABLES
+#
+# Full path to iptables executable Shorewall uses to build the firewall. If
+# not specified or if specified with an empty value (e.g., IPTABLES="") then
+# the iptables executable located via the PATH setting below is used.
+#
+
+IPTABLES=
+
+#
+# PATH - Change this if you want to change the order in which Shorewall
+# searches directories for executable files.
+#
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+#
+# SHELL
+#
+# The firewall script is normally interpreted by /bin/sh. If you wish to change
+# the shell used to interpret that script, specify the shell here.
+#
+
+SHOREWALL_SHELL=/bin/sh
+
+# SUBSYSTEM LOCK FILE
+#
+# Set this to the name of the lock file expected by your init scripts. For
+# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
+# use lock files, set this to "".
+#
+
+SUBSYSLOCK=/var/lock/subsys/shorewall
+
+#LAST LINE -- DO NOT REMOVE
diff --git a/Shorewall-lite/shorewall.spec b/Shorewall-lite/shorewall.spec
new file mode 100644
index 000000000..6aa42d514
--- /dev/null
+++ b/Shorewall-lite/shorewall.spec
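Review bot: The header comment at the top of the hunk still reads `# /etc/shorewall/shorewall.conf V3.0 - Change the following variables to`, while shorewall.spec in this same commit defines version 3.2.0 and uninstall.sh carries 3.2.0-RC1, so the file announces a version that matches neither. Nothing in the header identifies this as the Shorewall Lite variant either, even though it is installed at the same /etc/shorewall path the full package uses, which makes it hard to tell from the file which product a host is running. Suggest `# /etc/shorewall/shorewall.conf V3.2 (Shorewall Lite) - Change the following variables to` and keeping it in step with the spec's `%define version`.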
@@ -0,0 +1,313 @@
+%define name shorewall
+%define version 3.2.0
+%define release 0Beta4
+%define prefix /usr
+
+Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
+Name: %{name}
+Version: %{version}
+Release: %{release}
+Prefix: %{prefix}
+License: GPL
+Packager: Tom Eastep
+Group: Networking/Utilities
+Source: %{name}-%{version}.tgz
+URL: http://www.shorewall.net/
+BuildArch: noarch
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+Requires: iptables iproute
+
+%description
+
+The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
+(iptables) based firewall that can be used on a dedicated firewall system,
+a multi-function gateway/ router/server or on a standalone GNU/Linux system.
+
+%prep
+
+%setup
+
+%build
+
+%install
+export PREFIX=$RPM_BUILD_ROOT ; \
+export OWNER=`id -n -u` ; \
+export GROUP=`id -n -g` ;\
+./install.sh
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+
+if [ $1 -eq 1 ]; then
+ if [ -x /sbin/insserv ]; then
+ /sbin/insserv /etc/rc.d/shorewall
+ elif [ -x /sbin/chkconfig ]; then
+ /sbin/chkconfig --add shorewall;
+ fi
+fi
+
+%preun
+
+if [ $1 = 0 ]; then
+ if [ -x /sbin/insserv ]; then
+ /sbin/insserv -r /etc/init.d/shorewall
+ elif [ -x /sbin/chkconfig ]; then
+ /sbin/chkconfig --del shorewall
+ fi
+
+ rm -f /etc/shorewall/startup_disabled
+
+fi
+
+%files
+%defattr(0644,root,root,0755)
+%attr(0544,root,root) /etc/init.d/shorewall
+%attr(0755,root,root) %dir /etc/shorewall
+%attr(0755,root,root) %dir /usr/share/shorewall
+%attr(0700,root,root) %dir /var/lib/shorewall
+%attr(0644,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/ipsec
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/netmap
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/params
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/maclist
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/masq
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/modules
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/tos
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/init
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/initdone
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/start
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/continue
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/started
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/providers
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/route_rules
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcclasses
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcdevices
+%attr(0600,root,root) /etc/shorewall/Makefile
+
+%attr(0555,root,root) /sbin/shorewall
+
+%attr(0644,root,root) /usr/share/shorewall/version
+%attr(0644,root,root) /usr/share/shorewall/actions.std
+%attr(0644,root,root) /usr/share/shorewall/action.Drop
+%attr(0644,root,root) /usr/share/shorewall/action.Limit
+%attr(0644,root,root) /usr/share/shorewall/action.Reject
+%attr(0644,root,root) /usr/share/shorewall/action.template
+%attr(0555,root,root) /usr/share/shorewall/compiler
+%attr(0444,root,root) /usr/share/shorewall/functions
+%attr(0544,root,root) /usr/share/shorewall/firewall
+%attr(0544,root,root) /usr/share/shorewall/shorecap
+%attr(0544,root,root) /usr/share/shorewall/help
+%attr(0644,root,root) /usr/share/shorewall/Limit
+%attr(0644,root,root) /usr/share/shorewall/macro.AllowICMPs
+%attr(0644,root,root) /usr/share/shorewall/macro.Amanda
+%attr(0644,root,root) /usr/share/shorewall/macro.Auth
+%attr(0644,root,root) /usr/share/shorewall/macro.BitTorrent
+%attr(0644,root,root) /usr/share/shorewall/macro.CVS
+%attr(0644,root,root) /usr/share/shorewall/macro.Distcc
+%attr(0644,root,root) /usr/share/shorewall/macro.DNS
+%attr(0644,root,root) /usr/share/shorewall/macro.DropDNSrep
+%attr(0644,root,root) /usr/share/shorewall/macro.DropUPnP
+%attr(0644,root,root) /usr/share/shorewall/macro.Edonkey
+%attr(0644,root,root) /usr/share/shorewall/macro.FTP
+%attr(0644,root,root) /usr/share/shorewall/macro.Gnutella
+%attr(0644,root,root) /usr/share/shorewall/macro.HTTP
+%attr(0644,root,root) /usr/share/shorewall/macro.HTTPS
+%attr(0644,root,root) /usr/share/shorewall/macro.ICQ
+%attr(0644,root,root) /usr/share/shorewall/macro.IMAP
+%attr(0644,root,root) /usr/share/shorewall/macro.IMAPS
+%attr(0644,root,root) /usr/share/shorewall/macro.LDAP
+%attr(0644,root,root) /usr/share/shorewall/macro.LDAPS
+%attr(0644,root,root) /usr/share/shorewall/macro.MySQL
+%attr(0644,root,root) /usr/share/shorewall/macro.NNTP
+%attr(0644,root,root) /usr/share/shorewall/macro.NNTPS
+%attr(0644,root,root) /usr/share/shorewall/macro.NTP
+%attr(0644,root,root) /usr/share/shorewall/macro.NTPbrd
+%attr(0644,root,root) /usr/share/shorewall/macro.PCA
+%attr(0644,root,root) /usr/share/shorewall/macro.Ping
+%attr(0644,root,root) /usr/share/shorewall/macro.POP3
+%attr(0644,root,root) /usr/share/shorewall/macro.POP3S
+%attr(0644,root,root) /usr/share/shorewall/macro.PostgreSQL
+%attr(0644,root,root) /usr/share/shorewall/macro.Rdate
+%attr(0644,root,root) /usr/share/shorewall/macro.Rsync
+%attr(0644,root,root) /usr/share/shorewall/macro.SMB
+%attr(0644,root,root) /usr/share/shorewall/macro.SMBBI
+%attr(0644,root,root) /usr/share/shorewall/macro.SMBswat
+%attr(0644,root,root) /usr/share/shorewall/macro.SMTP
+%attr(0644,root,root) /usr/share/shorewall/macro.SMTPS
+%attr(0644,root,root) /usr/share/shorewall/macro.SNMP
+%attr(0644,root,root) /usr/share/shorewall/macro.SPAMD
+%attr(0644,root,root) /usr/share/shorewall/macro.SSH
+%attr(0644,root,root) /usr/share/shorewall/macro.Submission
+%attr(0644,root,root) /usr/share/shorewall/macro.SVN
+%attr(0644,root,root) /usr/share/shorewall/macro.Syslog
+%attr(0644,root,root) /usr/share/shorewall/macro.Telnet
+%attr(0644,root,root) /usr/share/shorewall/macro.template
+%attr(0644,root,root) /usr/share/shorewall/macro.Trcrt
+%attr(0644,root,root) /usr/share/shorewall/macro.VNC
+%attr(0644,root,root) /usr/share/shorewall/macro.VNCL
+%attr(0644,root,root) /usr/share/shorewall/macro.Web
+%attr(0644,root,root) /usr/share/shorewall/macro.Webmin
+%attr(0644,root,root) /usr/share/shorewall/macro.Whois
+%attr(0644,root,root) /usr/share/shorewall/prog.footer
+%attr(0644,root,root) /usr/share/shorewall/prog.header
+%attr(0644,root,root) /usr/share/shorewall/prog.footer.debian
+%attr(0644,root,root) /usr/share/shorewall/prog.header.debian
+%attr(0644,root,root) /usr/share/shorewall/prog.footer.redhat
+%attr(0644,root,root) /usr/share/shorewall/prog.header.redhat
+%attr(0644,root,root) /usr/share/shorewall/prog.footer.suse
+%attr(0644,root,root) /usr/share/shorewall/prog.header.suse
+%attr(0644,root,root) /usr/share/shorewall/rfc1918
+%attr(0644,root,root) /usr/share/shorewall/configpath
+
+%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
+
+%changelog
+* Fri Apr 14 2006 Tom Eastep tom@shorewall.net
+- Renamed rtrules to route_rules
+* Sun Apr 02 2006 Tom Eastep tom@shorewall.net
+- Added rtrules file
+- Updated to 3.2.0-0Beta4
+* Mon Mar 27 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.2.0-0Beta3
+* Sat Mar 25 2006 Tom Eastep tom@shorewall.net
+- Remove '%config' from Makefile
+* Thu Mar 23 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.2.0-0Beta2
+* Thu Mar 09 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.2.0-0Beta1
+* Sat Mar 04 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.1.9-1
+- Added debian and redhat prog header/footers
+* Wed Mar 01 2006 Tom Eastep tom@shorewall.net
+- Moved shorecap to /usr/share/shorewall
+* Fri Feb 24 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.1.8-1
+* Fri Feb 10 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.1.7-1
+* Fri Feb 10 2006 Tom Eastep tom@shorewall.net
+- Added shorecap
+- Updated to 3.1.6-1
+* Fri Feb 03 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.1.5-1
+- Added new program header/footer files
+* Sun Jan 29 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.1.4-1
+- Added new Macros
+* Fri Jan 20 2006 Tom Eastep tom@shorewall.net
+- Change permissions for compile by ordinary user
+* Fri Jan 20 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.1.3-1
+* Tue Jan 17 2006 Tom Eastep tom@shorewall.net
+- Added program skeleton Files
+* Sun Jan 15 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.1.2-1
+* Thu Jan 12 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.1.1-1
+* Sat Dec 24 2005 Tom Eastep tom@shorewall.net
+- Updated to 3.1.0-1
+* Thu Dec 15 2005 Tom Eastep tom@shorewall.net
+- Add Limit action
+* Mon Dec 12 2005 Tom Eastep tom@shorewall.net
+- Updated to 3.0.3-1
+* Tue Nov 22 2005 Tom Eastep tom@shorewall.net
+- Updated to 3.0.2-1
+* Thu Nov 17 2005 Tom Eastep tom@shorewall.net
+- Updated to 3.0.1-1
+* Wed Nov 03 2005 Tom Eastep tom@shorewall.net
+- Updated to 3.0.0-1
+* Wed Nov 02 2005 Tom Eastep tom@shorewall.net
+- Updated to 3.0.0-0RC3
+ Sat Oct 22 2005 Tom Eastep tom@shorewall.net
+- Updated to 3.0.0-0RC2
+* Mon Oct 17 2005 Tom Eastep tom@shorewall.net
+- Updated to 3.0.0-0RC1
+* Sun Oct 09 2005 Tom Eastep tom@shorewall.net
+- Updated to 3.0.0-0Beta1
+* Fri Oct 07 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.5.7-1
+* Tue Oct 04 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.5.7-1
+* Sat Sep 17 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.5.6-1
+* Tue Aug 30 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.5.4-1
+* Fri Aug 26 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.5.3-1
+* Tue Aug 16 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.5.2-1
+* Sun Aug 07 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.5.1-1
+* Tue Jul 26 2005 Tom Eastep tom@shorewall.net
+- Fix omissions/errors
+* Mon Jul 25 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.5.0-1
+- Add macros and convert most actions to macros
+* Thu Jun 02 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.4.0-1
+* Sun May 30 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.4.0-0RC2
+* Thu May 19 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.4.0-0RC1
+* Thu May 19 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.3.2-1
+* Sun May 15 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.3.1-1
+* Mon Apr 11 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.2.4-1
+* Fri Apr 08 2005 Tom Eastep tom@shorewall.net
+- Added /etc/shorewall/started
+* Tue Apr 05 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.2.3-1
+* Mon Mar 07 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.2.2-1
+* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.2.1-1
+* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-1
+* Mon Jan 17 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0RC5
+* Thu Jan 06 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0RC4
+* Thu Dec 30 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0RC3
+* Fri Dec 24 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0RC2
+* Sun Dec 19 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0RC1
+- Added ipsecvpn file
+* Sat Dec 11 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta8
+* Mon Nov 29 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta7
+* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta6
+* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta5
+* Fri Nov 19 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta4
+* Tue Nov 09 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta3
+* Tue Nov 02 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta2
+* Fri Oct 22 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta1
+
+
diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh
new file mode 100755
index 000000000..b1eedfd3d
--- /dev/null
+++ b/Shorewall-lite/uninstall.sh
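Review bot: The `%files` section reads as a copy of the full Shorewall spec rather than a Lite one — it packages `/etc/shorewall/zones`, `rules`, `policy` and the rest of the rule-set configs, `/usr/share/shorewall/compiler`, `firewall`, fifty `macro.*` files and the `%doc` items `tunnel ipsecvpn Samples`, none of which this commit adds under Shorewall-lite/, so unless install.sh places every one of them under `$RPM_BUILD_ROOT` rpmbuild will stop on missing files, and `Name: shorewall` means the package would also replace or conflict with the full Shorewall package on the same host. `%post` registers `/etc/rc.d/shorewall` with insserv while `%preun` removes `/etc/init.d/shorewall` and `%files` ships `/etc/init.d/shorewall`; the three paths should agree. The changelog line `+ Sat Oct 22 2005 Tom Eastep tom@shorewall.net` lacks the leading `*`, so rpm treats it and the following `- Updated to 3.0.0-0RC2` as body text of the Nov 02 2005 entry; write it as `* Sat Oct 22 2005 Tom Eastep tom@shorewall.net`. `%define version 3.2.0` / `%define release 0Beta4` also disagree with the `VERSION=3.2.0-RC1` that uninstall.sh in this commit checks against the installed version file.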
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Script to back uninstall Shoreline Firewall
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
+#
+# Shorewall documentation is available at http://shorewall.sourceforge.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+#
+# Usage:
+#
+# You may only use this script to uninstall the version
+# shown below. Simply run this script to remove Shorewall Firewall
+
+VERSION=3.2.0-RC1
+
+usage() # $1 = exit status
+{
+ ME=$(basename $0)
+ echo "usage: $ME"
+ exit $1
+}
+
+qt()
+{
+ "$@" >/dev/null 2>&1
+}
+
+restore_file() # $1 = file to restore
+{
+ if [ -f ${1}-shorewall.bkout ]; then
+ if (mv -f ${1}-shorewall.bkout $1); then
+ echo
+ echo "$1 restored"
+ else
+ exit 1
+ fi
+ fi
+}
+
+remove_file() # $1 = file to restore
+{
+ if [ -f $1 -o -L $1 ] ; then
+ rm -f $1
+ echo "$1 Removed"
+ fi
+}
+
+if [ -f /usr/share/shorewall/version ]; then
+ INSTALLED_VERSION="$(cat /usr/share/shorewall/version)"
+ if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
+ echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
+ echo " and this is the $VERSION uninstaller."
+ VERSION="$INSTALLED_VERSION"
+ fi
+else
+ echo "WARNING: Shorewall Version $VERSION is not installed"
+ VERSION=""
+fi
+
+echo "Uninstalling shorewall $VERSION"
+
+if qt iptables -L shorewall -n; then
+ /sbin/shorewall clear
+fi
+
+if [ -L /usr/share/shorewall/init ]; then
+ FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
+else
+ FIREWALL=/etc/init.d/shorewall
+fi
+
+if [ -n "$FIREWALL" ]; then
+ if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+ insserv -r $FIREWALL
+ elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+ chkconfig --del $(basename $FIREWALL)
+ else
+ rm -f /etc/rc*.d/*$(basename $FIREWALL)
+ fi
+
+ remove_file $FIREWALL
+ rm -f ${FIREWALL}-*.bkout
+fi
+
+rm -f /sbin/shorewall
+rm -f /sbin/shorewall-*.bkout
+
+rm -rf /etc/shorewall
+rm -rf /etc/shorewall-*.bkout
+rm -rf /var/lib/shorewall
+rm -rf /var/lib/shorewall-*.bkout
+rm -rf /usr/share/shorewall
+rm -rf /usr/share/shorewall-*.bkout
+
+echo "Shorewall Uninstalled"
+
+
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index 132bfd10f..72877fb0a 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -223,7 +223,7 @@ else first_install="Yes" fi
-install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0544 ${PREFIX}/var/lib/shorewall-${VERSION}.bkout
+install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0555 ${PREFIX}/var/lib/shorewall-${VERSION}.bkout
 echo "shorewall control program installed in ${PREFIX}/sbin/shorewall"
@@ -527,7 +527,7 @@ echo "RFC 1918 file installed as ${PREFIX}/usr/share/shorewall/rfc1918" # # Install the default config path file #
-install_file configpath ${PREFIX}/usr/share/shorewall/configpath 0600
+install_file configpath ${PREFIX}/usr/share/shorewall/configpath 0644
 echo "Default config path file installed as ${PREFIX}/usr/share/shorewall/configpath" # # Install the init file
diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml
index 428ca1ee7..925cce73c 100644
--- a/docs/traffic_shaping.xml
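Review bot: `usage()` is defined but never called, so the script never looks at its arguments and `./uninstall.sh -h` (or any stray argument) goes straight to `/sbin/shorewall clear` and the `rm -rf /etc/shorewall` … `/usr/share/shorewall` block; add `[ $# -eq 0 ] || usage 1` immediately after the `VERSION=3.2.0-RC1` line. The init-script path is recovered with `ls -l /usr/share/shorewall/init | sed 's/^.*> //'`, which is fragile for any target containing `> ` and is exactly what `readlink /usr/share/shorewall/init` is for. The header `# Script to back uninstall Shoreline Firewall` and the `remove_file() # $1 = file to restore` comment look like copy-paste leftovers; `# Script to uninstall Shoreline Firewall` and `# $1 = file to remove`. Since the `rm -rf` targets are the same `/etc/shorewall`, `/var/lib/shorewall` and `/usr/share/shorewall` paths the full package's install.sh writes to in this same commit, a sentence in the header warning that this uninstaller also removes a co-installed full Shorewall would be worth having.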
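Review bot: Both hunks widen file modes on a root-owned firewall tool — `/sbin/shorewall` from 0544 to 0555 and `/usr/share/shorewall/configpath` from 0600 to 0644 — with nothing in the hunks or the commit message saying why, and a permission relaxation should carry its justification next to the call. The shorewall.spec changelog in this same commit has an entry "Change permissions for compile by ordinary user", so presumably that is the intent; suggest `# 0555/0644: unprivileged users must be able to read these to run the compiler` above each of the two `install_file` calls. The only new exposure is that the config search-path file becomes world-readable, which is low impact but should be recorded as a deliberate choice. Both hunks are excerpts of a top-level script that continues outside them.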
+++ b/docs/traffic_shaping.xml
@@ -307,7 +307,7 @@ column must exist at the time that Shorewall is started, restarted or refreshed. Beginning with Shorewall 3.0.8 and 3.2.0 Beta 8, Shorewall will determine if the device exists and will only
- configure the device if it exists. If it doesn't exist, the
+ configure the device if it does exist. If it doesn't exist, the
 following warning is issued: WARNING: Device <device name> not
diff --git a/tools/build/makeshorewall b/tools/build/makeshorewall
index 0b34a5ea9..2bbffb094 100755
--- a/tools/build/makeshorewall
+++ b/tools/build/makeshorewall
@@ -42,7 +42,7 @@ # # XSL Stylesheet to use for XML->HTML conversion #
-STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/current/xhtml/docbook.xsl
+STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl
 # # Directory where the build log will be placed. The log has the name # shorewall_build_.log
@@ -196,7 +196,7 @@ esac VERSION=$1 LOGFILE=$LOGDIR/shorewall_build_${VERSION}.log # location and options for GnuPG
-GPG="/usr/bin/gpg -ab --batch --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'"
+GPG="/usr/bin/gpg -ab --no-use-agent --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'"
 touch $LOGFILE progress_message "Build of Shorewall $VERSION on $(date)"
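Review bot: Swapping `--batch` for `--no-use-agent` in the `GPG=` line turns release signing into an interactive step — gpg will now prompt for the signing key's passphrase on the controlling terminal, and without `--batch` a run with no terminal blocks or fails at that prompt instead of exiting cleanly — so this build script can no longer be driven unattended. The comment above it only says `# location and options for GnuPG`; extend it to `# location and options for GnuPG (interactive: prompts for the signing passphrase, no agent)` so the next maintainer does not restore `--batch` expecting a non-interactive build. The value also remains one string with single quotes embedded around the `--comment` text; if `$GPG` is later expanded unquoted rather than through `eval`, those quotes are passed literally and the comment splits into separate words, but the invocation is outside this hunk.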