From afee989ee50c6bd340e55c6d404afc84b81e05ea Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 31 Jan 2004 03:24:02 +0000 Subject: [PATCH] Shorewall 1.4.10 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1099 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- STABLE/action.template | 6 +- STABLE/changelog.txt | 26 +- STABLE/fallback.sh | 2 +- STABLE/firewall | 212 +++++++-- STABLE/install.sh | 2 +- STABLE/interfaces | 7 + STABLE/masq | 9 +- STABLE/releasenotes.txt | 117 ++--- STABLE/rfc1918 | 2 +- STABLE/shorewall.spec | 10 +- STABLE/tcrules | 17 +- STABLE/uninstall.sh | 2 +- Shorewall-docs/FAQ.xml | 605 ++++-------------------- Shorewall-docs/Introduction.xml | 80 +++- Shorewall-docs/User_defined_Actions.xml | 104 ++-- Shorewall-docs/ports.xml | 21 +- Shorewall-docs/two-interface.xml | 10 +- Shorewall/fallback.sh | 2 +- Shorewall/install.sh | 2 +- Shorewall/shorewall.spec | 4 +- Shorewall/uninstall.sh | 2 +- 21 files changed, 540 insertions(+), 702 deletions(-) diff --git a/STABLE/action.template b/STABLE/action.template index b54419b65..2a4df614a 100644 --- a/STABLE/action.template +++ b/STABLE/action.template @@ -92,7 +92,7 @@ # Otherwise, a separate rule will be generated for each # port. # -# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, +# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted, # any source port is acceptable. Specified as a comma- # separated list of port names, port numbers or port # ranges. @@ -126,6 +126,6 @@ # place a similar limit in the TARGET column. # ###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE -# PORT PORT(S) DEST LIMIT +#TARGET SOURCE DEST PROTO DEST SOURCE RATE +# PORT PORT(S) LIMIT #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt index 0e06751d8..057607ed3 100644 --- a/STABLE/changelog.txt +++ b/STABLE/changelog.txt 
@@ -1,23 +1,23 @@ -Changes since 1.4.8 +Changes since 1.4.9 -1) Replace "Static NAT" with "One-to-one NAT". +1) Implement destination list in masq file. -2) Change SMB common rules to DROP. +2) Appled Frédéric LESPEZ's patch for packet marking by user/group id. -3) Change wording in release notes. +3) Correct column headings in action.template -4) Move ip_forward handling to a function. +4) Handle IPV6 addresses correctly with ADD_IP_ALIASES=Yes or + ADD_SNAT_ALIASES=Yes. -5) Change 'norfc1918' logging to log out of chains named 'rfc1918'. +5) Implement "detectnets" option. -6) Reword the description of NEWNOTSYN in shorewall.conf. +6) Correct the CONTINUE target and fix a couple of bugs in rate + limiting (with an assist from Steven Jan Springl). -7) Added MODULE_SUFFIX option to shorewall.conf. +7) Silently drop smurfs and broadcasts in the 'reject' chain. -8) Add /etc/shorewall/actions and /etc/shorewall/action.template +8) Add multicast to 'detectnets' zones. -9) Fix SNAT handling in DNAT rules. +9) Don't add broadcasts to /0 groups. -10) Change default to NEWNOTSYN=Yes - -11) Add rule to drop null source addressed ICMPs. +10) Fix "-" in PROTO column of an action file. diff --git a/STABLE/fallback.sh b/STABLE/fallback.sh index 7b41b29b5..73fd7a036 100755 --- a/STABLE/fallback.sh +++ b/STABLE/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=1.4.9 +VERSION=1.4.10 usage() # $1 = exit status { diff --git a/STABLE/firewall b/STABLE/firewall index 04935f011..44f28095e 100755 --- a/STABLE/firewall +++ b/STABLE/firewall 
@@ -564,11 +564,21 @@ determine_hosts() { eval interfaces=\$${zone}_interfaces for interface in $interfaces; do - if [ -z "$hosts" ]; then - hosts=$interface:0.0.0.0/0 + eval options=\$`chain_base ${interface}`_options + + if list_search detectnets $options; then + subnets=`get_routed_subnets $interface` else - hosts="$hosts $interface:0.0.0.0/0" + subnets=0.0.0.0/0 fi + + for subnet in $subnets; do + if [ -z "$hosts" ]; then + hosts=$interface:$subnet + else + hosts="$hosts $interface:$subnet" + fi + done done interfaces= @@ -611,6 +621,8 @@ validate_zone() # $1 = zone # Validate the zone names and options in the interfaces file # validate_interfaces_file() { + local wildcard + while read z interface subnet options; do expandv z interface subnet options r="$z $interface $subnet $options" @@ -628,10 +640,15 @@ validate_interfaces_file() { list_search $interface $all_interfaces && \ startup_error "Duplicate Interface $interface" + wildcard= + case $interface in *:*) startup_error "Invalid Interface Name: $interface" ;; + *+*) + wildcard=Yes + ;; esac all_interfaces="$all_interfaces $interface" @@ -646,6 +663,10 @@ validate_interfaces_file() { case $option in dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|-) ;; + detectnets) + [ -n "$wildcard" ] && \ + startup_error "The \"detectnets\" option may not be used with a wild-card interface" + ;; dropunclean|logunclean) error_message \ "Warning: The 'dropunclean' and 'logunclean' options will be removed in a future release" 
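Review bot: In determine_hosts, when `detectnets` is set and `get_routed_subnets $interface` returns nothing (the interfaces file says the interface must be up, and a down interface presumably has no routes), `$subnets` is empty, the inner `for subnet in $subnets` loop adds nothing, and the zone silently ends up with no hosts on that interface instead of the previous `0.0.0.0/0`; the hunk does not check for this. A guard such as `[ -n "$subnets" ] || startup_error "detectnets: no routes found through interface $interface"` right after the assignment would turn the silent empty zone into a visible failure. The validate_interfaces_file hunk rejects `detectnets` on wild-card interfaces but does not cover this case either. determine_hosts begins before and ends after the hunk, so the surrounding loop and the use of `$hosts` were not visible here.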
@@ -1709,6 +1730,25 @@ process_tc_rule() esac fi + if [ "x$user" != "x-" ]; then + + [ "$chain" != tcout ] && \ + fatal_error "Invalid use of a user/group: rule \"$rule\"" + + case "$user" in + *:*) + r="$r-m owner" + temp="${user%:*}" + [ -n "$temp" ] && r="$r --uid-owner $temp " + temp="${user#*:}" + [ -n "$temp" ] && r="$r --gid-owner $temp " + ;; + *) + r="$r-m owner --uid-owner $user " + ;; + esac + fi + [ "x$dest" = "x-" ] || r="${r}-d $dest " [ "$proto" = "all" ] || r="${r}-p $proto " [ "x$port" = "x-" ] || r="${r}--dport $port " @@ -1767,9 +1807,9 @@ setup_tc1() { # strip_file tcrules - while read mark sources dests proto ports sports; do - expandv mark sources dests proto ports sports - rule=`echo "$mark $sources $dests $proto $ports $sports"` + while read mark sources dests proto ports sports user; do + expandv mark sources dests proto ports sports user + rule=`echo "$mark $sources $dests $proto $ports $sports $user"` process_tc_rule done < $TMP_DIR/tcrules # @@ -2335,7 +2375,7 @@ process_action() # $1 = action # Generate Netfilter rule(s) - protocol=${protocol:=all} + [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all} if [ -n "$MULTIPORT" ] && \ ! list_search $protocol "icmp" "ICMP" "1" && \ @@ -2904,6 +2944,8 @@ process_rule() # $1 = target # Function Body - isolate rate limit + [ "x$ratelimit" = "x-" ] && ratelimit= + if [ -z "$ratelimit" ]; then if [ "$target" != "${target%<*}" ]; then ratelimit="${target#*<}" @@ -2915,9 +2957,6 @@ process_rule() # $1 = target if [ -n "$ratelimit" ]; then case $ratelimit in - -) - ratelimit= - ;; *:*) ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" ;; 
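Review bot: The new USER handling in process_tc_rule only treats `-` as "no user", so an entry whose trailing USER column is simply absent (every tcrules file written before this column existed, and `read ... user` leaves `$user` empty for a missing field) takes the `[ "x$user" != "x-" ]` branch: for non-`tcout` chains it hits `fatal_error "Invalid use of a user/group"`, and for `tcout` it appends `-m owner --uid-owner ` with an empty argument — unless some step outside the hunk normalizes empty columns to `-`, which I cannot see here. Changing the test to `if [ -n "$user" -a "x$user" != "x-" ]; then` keeps existing files working. Separately, a USER value of a bare `:` produces `-m owner` with neither `--uid-owner` nor `--gid-owner`, which iptables will reject at load time; a `[ -n "$temp" ]`-style check that at least one of the two parts is non-empty, followed by `fatal_error`, would report it against the rule instead. process_tc_rule starts and ends outside the hunk.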
@@ -2955,7 +2994,11 @@ process_rule() # $1 = target case "$userset" in *:*) case $target in - ACCEPT|REJECT|DROP) + ACCEPT) + ;; + REJECT|DROP) + [ -n "$ratelimit" ] && fatal_error \ + "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG" ;; *) fatal_error ": may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\"" @@ -2981,9 +3024,13 @@ process_rule() # $1 = target target=`accept_chain $userset` ;; DROP) + [ -n "$ratelimit" ] && fatal_error \ + "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG" target=`drop_chain $userset` ;; REJECT) + [ -n "$ratelimit" ] && fatal_error \ + "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG" target=`reject_chain $userset` ;; *) @@ -2999,8 +3046,15 @@ process_rule() # $1 = target ACCEPT|LOG) ;; REJECT) + [ -n "$ratelimit" ] && fatal_error \ + "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG" target=reject ;; + CONTINUE) + [ -n "$ratelimit" ] && fatal_error \ + "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG" + target=RETURN + ;; DNAT) target=ACCEPT address=${address:=detect} @@ -3735,7 +3789,7 @@ setup_masq() case $fullinterface in *:*:*) # Both alias name and subnet - destnet="${fullinterface##*:}" + destnets="${fullinterface##*:}" fullinterface="${fullinterface%:*}" ;; *:*) @@ -3743,17 +3797,17 @@ setup_masq() case ${fullinterface#*:} in *.*) # It's a subnet - destnet="${fullinterface#*:}" + destnets="${fullinterface#*:}" fullinterface="${fullinterface%:*}" ;; *) #it's an alias name - destnet="0.0.0.0/0" + destnets="0.0.0.0/0" ;; esac ;; *) - destnet="0.0.0.0/0" + destnets="0.0.0.0/0" ;; esac @@ -3770,7 +3824,6 @@ setup_masq() subnet="${subnet%!*}" fi - chain=`masq_chain $interface` source="$subnet" 
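Review bot: The string `"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"` is repeated verbatim in five new `fatal_error` calls across the three process_rule hunks here, and unlike the neighbouring message (`": may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""`) none of them names the offending rule, so the user has to search the rules file by hand. A small helper defined next to process_rule, `ratelimit_error() { fatal_error "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG: rule \"$rule\""; }`, called as `[ -n "$ratelimit" ] && ratelimit_error` at each site, would keep the five checks consistent and make the diagnostic actionable. process_rule begins before and ends after these hunks.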
@@ -3799,33 +3852,70 @@ setup_masq() done fi - destination=$destnet + destination=$destnets - if [ -n "$nomasq" ]; then - newchain=masq${masq_seq} - createnatchain $newchain + chain=`masq_chain $interface` - if [ -n "$subnet" ]; then - for s in $subnet; do - addnatrule $chain -d $destnet -s $s -j $newchain + case $destnets in + !*) + newchain=masq${masq_seq} + createnatchain $newchain + destnets=${destnets#!} + + for destnet in $(separate_list $destnets); do + addnatrule $newchain -d $destnet -j RETURN done - else - addnatrule $chain -d $destnet -j $newchain - fi - masq_seq=$(($masq_seq + 1)) - chain=$newchain - subnet= - destnet= + if [ -n "$subnet" ]; then + for s in $subnet; do + addnatrule $chain -s $s -j $newchain + done + subnet= + else + addnatrule $chain -j $newchain + fi - for addr in `separate_list $nomasq`; do - addnatrule $chain -s $addr -j RETURN - done + masq_seq=$(($masq_seq + 1)) + chain=$newchain + destnets=0.0.0.0/0 - source="$source except $nomasq" - else - destnet="-d $destnet" - fi + if [ -n "$nonmasq" ]; then + for addr in `separate_list $nomasq`; do + addnatrule $chain -s $addr -j RETURN + done + source="$source except $nomasq" + fi + ;; + *) + if [ -n "$nomasq" ]; then + newchain=masq${masq_seq} + createnatchain $newchain + + if [ -n "$subnet" ]; then + for s in $subnet; do + for destnet in $(separate_list $destnets); do + addnatrule $chain -d $destnet -s $s -j $newchain + done + done + else + for destnet in $(separate_list $destnets); do + addnatrule $chain -d $destnet -j $newchain + done + fi + + masq_seq=$(($masq_seq + 1)) + chain=$newchain + subnet= + destnets=0.0.0.0/0 + + for addr in `separate_list $nomasq`; do + addnatrule $chain -s $addr -j RETURN + done + + source="$source except $nomasq" + fi + ;; + esac if [ -n "$addresses" ]; then temp= 
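Review bot: In the new `!*)` branch of setup_masq the exclusion list is tested with `if [ -n "$nonmasq" ]; then`, but the variable everywhere else in the hunk (the `*)` branch and the `separate_list $nomasq` call inside this very block) is `$nomasq`; `$nonmasq` is never assigned, so the condition is always false. The consequence is that for a masq entry with a negated destination list, any hosts excluded via `!` in the SUBNET column are not given their `-j RETURN` rules and are masqueraded anyway, and the `except ...` text is also missing from the progress output. The fix is the one-character rename: `if [ -n "$nomasq" ]; then`. setup_masq continues on both sides of this hunk.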
@@ -3837,18 +3927,26 @@ setup_masq() if [ -n "$subnet" ]; then for s in $subnet; do if [ -n "$addresses" ]; then - addnatrule $chain -s $s $destnet -j SNAT $temp + for destnet in $(separate_list $destnets); do + addnatrule $chain -s $s -d $destnet -j SNAT $temp + done echo " To $destination from $s through ${interface} using $addresses" else - addnatrule $chain -s $s $destnet -j MASQUERADE + for destnet in $(separate_list $destnets); do + addnatrule $chain -s $s -d $destnet -j MASQUERADE + done echo " To $destination from $s through ${interface}" fi done elif [ -n "$address" ]; then - addnatrule $chain $destnet -j SNAT $temp + for destnet in $(separate_list $destnets); do + addnatrule $chain -d $destnet -j SNAT $temp + done echo " To $destination from $source through ${interface} using $addresses" else - addnatrule $chain $destnet -j MASQUERADE + for destnet in $(separate_list $destnets); do + addnatrule $chain -d $destnet -j MASQUERADE + done echo " To $destination from $source through ${interface}" fi @@ -4345,9 +4443,26 @@ build_common_chain() { # add_common_rules() { local savelogparms="$LOGPARMS" + local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4" # - # Reject Rules + # Reject Rules -- Don't respond to broadcasts with an ICMP # + qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP + if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then + # + # No pkttype support -- do it the hard way + # + for address in $broadcasts ; do + run_iptables -A reject -d $address -j DROP + done + fi + # + # Don't feed the smurfs + # + for address in $broadcasts ; do + run_iptables -A reject -s $address -j DROP + done + run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset run_iptables -A reject -p udp -j REJECT # 
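Review bot: In add_common_rules the result of the first `qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP` is discarded and only the second (multicast) call decides whether the address-based fallback runs, so the code relies on both calls failing together when the pkttype match is unavailable; the intent is not stated anywhere. Probing once and using `run_iptables` for the second rule makes the dependency explicit: `if qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP; then`, `    run_iptables -A reject -m pkttype --pkt-type multicast -j DROP`, `else` followed by the existing fallback loop. A comment on the smurf loop saying that the `-s $address` rules only cover packets that reach the `reject` chain, not packets dropped elsewhere, would also help the next reader. add_common_rules continues past the hunk.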
@@ -4754,6 +4869,8 @@ activate_rules() echo "$FW $zone $chain1" >> ${STATEDIR}/chains echo "$zone $FW $chain2" >> ${STATEDIR}/chains + need_broadcast= + for host in $source_hosts; do interface=${host%:*} subnet=${host#*:} @@ -4771,8 +4888,19 @@ activate_rules() [ -n "$complex" ] && \ run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain + if [ "$subnet" != 0.0.0.0/0 ]; then + if ! list_search $interface $need_broadcast ; then + eval options=\$`chain_base ${interface}`_options + list_search detectnets $options && need_broadcast="$need_broadcast $interface" + fi + fi done + for interface in $need_broadcast ; do + run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1 + run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1 + done + for zone1 in $zones; do eval policy=\$${zone}2${zone1}_policy diff --git a/STABLE/install.sh b/STABLE/install.sh index 8506989c7..4a57e747c 100755 --- a/STABLE/install.sh +++ b/STABLE/install.sh @@ -54,7 +54,7 @@ # /etc/rc.d/rc.local file is modified to start the firewall. # -VERSION=1.4.9 +VERSION=1.4.10 usage() # $1 = exit status { diff --git a/STABLE/interfaces b/STABLE/interfaces index 03d5a1df7..b5bc8c799 100644 --- a/STABLE/interfaces +++ b/STABLE/interfaces @@ -117,6 +117,13 @@ # interface. The interface must be up # when Shorewall is started. # +# detectnets - Automatically taylors the zone named +# in the ZONE column to include only those +# hosts routed through the interface. +# +# WARNING: DO NOT SET THE detectnets OPTION ON YOUR +# INTERNET INTERFACE! +# # The order in which you list the options is not # significant but the list should have no embedded white # space. diff --git a/STABLE/masq b/STABLE/masq index 2a1460afb..4dd27564f 100644 --- a/STABLE/masq +++ b/STABLE/masq 
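Review bot: The new `need_broadcast` loop in activate_rules adds OUTPUT rules for 255.255.255.255 and 224.0.0.0/4 on `detectnets` interfaces without saying why, and the reason only becomes clear by reading determine_hosts in another hunk (detectnets replaces `0.0.0.0/0` with the routed subnets, so firewall-originated limited broadcasts and multicasts would presumably no longer match the zone's host list). A comment above the second loop would carry that context, for example `# detectnets zones list only routed subnets, so limited broadcast and multicast sent by the firewall would not match any zone chain; send them to the fw->zone chain explicitly`. It would also be worth noting in that comment that subnet-directed broadcasts are expected to be covered by the routed subnets themselves, if that is the assumption. activate_rules starts before and ends after this hunk.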
@@ -18,7 +18,12 @@ # PLACE IN YOUR SHOREWALL CONFIGURATION. # # This may be qualified by adding the character -# ":" followed by a destination host or subnet. +# ":" followed by a comma-separed list of +# destination hosts or subnets. If this list begins with +# "!" then masquerading will occur if and only if the +# connection destination is NOT included in the list. +# Otherwise, the masquerading will occur if and only if +# the destination IS included in the list. # # # SUBNET -- Subnet that you wish to masquerade. You can specify this as @@ -89,7 +94,7 @@ # # You want all outgoing traffic from 192.168.1.0/24 through # eth0 to use source address 206.124.146.176 which is NOT the -# primary address of eth0. You want 206.124.146.176 added to +# primary address of eth0. You want 206.124.146.176 to # be added to eth0 with name eth0:0. # # eth0:0 192.168.1.0/24 206.124.146.176 diff --git a/STABLE/releasenotes.txt b/STABLE/releasenotes.txt index 0ef99088c..fe4240573 100644 --- a/STABLE/releasenotes.txt +++ b/STABLE/releasenotes.txt 
@@ -1,24 +1,23 @@ This is a minor release of Shorewall. -Problems Corrected since version 1.4.8: +Problems Corrected since version 1.4.9: -1) There has been a low continuing level of confusion over the terms - "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, all - instances of "Static NAT" have been replaced with "One-to-one NAT" - in the documentation and configuration files. +1. The column descriptions in the action.template file did not match + the column headings. That has been corrected. -2) The description of NEWNOTSYN in shorewall.conf has been reworded for - clarity. +2. The presence of IPV6 addresses on devices generates error messages + during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are + specified in /etc/shorewall/shorewall.conf. -3) Wild-card rules (those involving "all" as SOURCE or DEST) will no - longer produce an error if they attempt to add a rule that would - override a NONE policy. The logic for expanding these wild-card - rules now simply skips those (SOURCE,DEST) pairs that have a NONE - policy. +3. The CONTINUE action in /etc/shorewall/rules now works correctly. A + couple of problems involving rate limiting have been + corrected. These bug fixes courtesy of Steven Jan Springl. -4) DNAT rules that also specified SNAT now work reliably. Previously, - there were cases where the SNAT specification was effectively - ignored. +4. Shorewall now tries to avoid sending an ICMP response to broadcasts + and smurfs. + +5. Specifying "-" or "all" in the PROTO column of an action no longer + causes a startup error. Migration Issues: 
@@ -26,79 +25,37 @@ None. New Features: -1) The documentation has been completely rebased to Docbook XML. The - documentation is now released as separate HTML and XML packages. +1) The INTERFACE column in the /etc/shorewall/masq file may now + specify a destination list. -2) To cut down on the number of "Why are these ports closed rather than - stealthed?" questions, the SMB-related rules in - /etc/shorewall/common.def have been changed from 'reject' to 'DROP'. + Example: -3) For easier identification, packets logged under the 'norfc1918' - interface option are now logged out of chains named - 'rfc1918'. Previously, such packets were logged under chains named - 'logdrop'. + #INTERFACE SUBNET ADDRESS + eth0:192.0.2.3,192.0.2.16/28 eth1 -4) Distributors and developers seem to be regularly inventing new - naming conventions for kernel modules. To avoid the need to change - Shorewall code for each new convention, the MODULE_SUFFIX option has - been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix - for module names in your particular distribution. If MODULE_SUFFIX - is not set in shorewall.conf, Shorewall will use the list "o gz ko - o.gz". + If the list begins with "!" then SNAT will occur only if the + destination IP address is NOT included in the list. - To see what suffix is used by your distribution: +2) Output traffic control rules (those with the firewall as the source) + may now be qualified by the effective userid and/or effective group + id of the program generating the output. This feature is courtesy of + Frédéric LESPEZ. - ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter + A new USER column has been added to /etc/shorewall/tcrules. - All of the files listed should have the same suffix (extension). Set - MODULE_SUFFIX to that suffix. 
+ It may contain : - Examples: + []:[] - If all files end in ".kzo" then set MODULE_SUFFIX="kzo" - If all files end in ".kz.o" then set MODULE_SUFFIX="kz.o" + The colon is optionnal when specifying only a user. -5) Support for user defined rule ACTIONS has been implemented through - two new files: + Examples : john: / john / :users / john:users - /etc/shorewall/actions - used to list the user-defined ACTIONS. - /etc/shorewall/action.template - For each user defined , copy - this file to - /etc/shorewall/action. and - add the appropriate rules for that - . - Once an has been defined, it may be used like any of the - builtin ACTIONS (ACCEPT, DROP, etc.) in /etc/shorewall/rules. +3) A "detectnets" interface option has been added for entries in + /etc/shorewall/interfaces. This option automatically taylors the + definition of the zone named in the ZONE column to include just + those hosts that have routes through the interface named in the + INTERFACE column. The named interface must be UP when + Shorewall is [re]started. - Example: You want an action that logs a packet at the 'info' level - and accepts the connection. - - In /etc/shorewall/actions, you would add: - - LogAndAccept - - You would then copy /etc/shorewall/action.template to - /etc/shorewall/action.LogAndAccept and in that file, you would add the two - rules: - - LOG:info - ACCEPT - -6) The default value for NEWNOTSYN in shorewall.conf is now "Yes" - (non-syn TCP packets that are not part of an existing connection are - filtered according to the rules and policies rather than being - dropped). I have made this change for two reasons: - - a) NEWNOTSYN=No tends to result in lots of "stuck" connections since - any timeout during TCP session tear down results in the firewall - dropping all of the retries. - - b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in - lots of confusing messages when a connection got "stuck". 
While I - could have changed the default value of LOGNEWNOTSYN to suppress - logging, I dislike defaults that silently throw away packets. - -7) The common.def file now contains an entry that silently drops ICMP - packets with a null source address. Ad Koster reported a case where - these were occuring frequently as a result of a broken system on his - external network. + WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE! diff --git a/STABLE/rfc1918 b/STABLE/rfc1918 index 404e78cdf..ae9010d9c 100644 --- a/STABLE/rfc1918 +++ b/STABLE/rfc1918 @@ -46,7 +46,7 @@ 49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 58.0.0.0/7 logdrop # Reserved -70.0.0.0/7 logdrop # Reserved +71.0.0.0/8 logdrop # Reserved 72.0.0.0/5 logdrop # Reserved 85.0.0.0/8 logdrop # Reserved 86.0.0.0/7 logdrop # Reserved diff --git a/STABLE/shorewall.spec b/STABLE/shorewall.spec index bbf1a1854..4304af0fb 100644 --- a/STABLE/shorewall.spec +++ b/STABLE/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 1.4.9 +%define version 1.4.10 %define release 1 %define prefix /usr @@ -109,6 +109,14 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Fri Jan 30 2004 Tom Eastep +- Changed version to 1.4.10-1 +* Tue Jan 27 2004 Tom Eastep +- Changed version to 1.4.10-RC3 +* Sat Jan 24 2004 Tom Eastep +- Changed version to 1.4.10-RC2 +* Thu Jan 22 2004 Tom Eastep +- Changed version to 1.4.10-RC1 * Tue Jan 13 2004 Tom Eastep - Changed version to 1.4.9 * Mon Dec 29 2003 Tom Eastep diff --git a/STABLE/tcrules b/STABLE/tcrules index 7ae8f7d7a..e15a68d80 100644 --- a/STABLE/tcrules +++ b/STABLE/tcrules 
@@ -57,7 +57,22 @@ # any source port is acceptable. Specified as a comma- # separated list of port names, port numbers or port # ranges. +# +# USER This column may only be non-empty if the SOURCE is +# the firewall itself. +# +# When this column is non-empty, the rule applies only +# if the program generating the output is running under +# the effective user and/or group. +# +# It may contain : +# +# []:[] +# +# The colon is optionnal when specifying only a user. +# Examples : john: / john / :users / john:users +# ############################################################################## -#MARK SOURCE DEST PROTO PORT(S) CLIENT +#MARK SOURCE DEST PROTO PORT(S) CLIENT USER # PORT(S) #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/STABLE/uninstall.sh b/STABLE/uninstall.sh index f21e230cd..0fd0ed07d 100755 --- a/STABLE/uninstall.sh +++ b/STABLE/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=1.4.9 +VERSION=1.4.10 usage() # $1 = exit status { diff --git a/Shorewall-docs/FAQ.xml b/Shorewall-docs/FAQ.xml index 23d56a50e..5ee39a4a2 100644 --- a/Shorewall-docs/FAQ.xml +++ b/Shorewall-docs/FAQ.xml @@ -17,7 +17,7 @@ - 2004-01-24 + 2004-01-25 2001-2004 
@@ -60,132 +60,22 @@ shows how to do port forwarding under Shorewall. The format of a port-forwarding rule to a local system is as follows: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT - - SOURCE PORT - - ORIG. DEST. - - - - - - DNAT - - net - - loc:<local IP address>[:<local port>] - - <protocol> - - <port #> - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT +DNAT net loc:<local IP address>[:<local port>] <protocol> <port #> So to forward UDP port 7777 to internal system 192.168.1.5, the rule is: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT - - SOURCE PORT - - ORIG. DEST. - - - - - - DNAT - - net - - loc:192.168.1.5 - - udp - - 7777 - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT +DNAT net loc:192.168.1.5 udp 7777 If you want to forward requests directed to a particular address ( <external IP> ) on your firewall to an internal system: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT - - SOURCE PORT - - ORIG. DEST. - - - - - - DNAT - - net - - loc:<local IP address>[:<local port>] - - <protocol> - - <port #> - - - - - <external IP> - - - - + #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL +# PORT DEST. +DNAT net loc:<local IP address>[:<local port>] <protocol> <port #> - <external IP> Finally, if you need to forward a range of ports, in the PORT column specify the range as <low-port>:<high-port>. @@ -235,8 +125,8 @@ - As root, type iptables -t nat -Z. This clears - the NetFilter counters in the nat table. + As root, type iptables -t nat -Z. + This clears the NetFilter counters in the nat table. @@ -244,7 +134,7 @@ - As root type shorewall show nat + As root type shorewall show nat 
@@ -295,47 +185,10 @@ my firewall and have the firewall forward the connection to port 22 on local system 192.168.1.3. How do I do that? - In /etc/shorewall/rules: + In /etc/shorewall/rules: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT - - SOURCE PORT - - ORIG. DEST. - - - - - - DNAT - - net - - loc:192.168.1.3:22 - - tcp - - 1022 - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT +DNAT net loc:192.168.3:22 tcp 1022 @@ -407,127 +260,30 @@ - In /etc/shorewall/interfaces: + In /etc/shorewall/interfaces: - - - - - ZONE - - INTERFACE - - BROADCAST - - OPTIONS - - - - - - loc - - eth1 - - detect - - routeback - - - - + #ZONE INTERFACE BROADCAST OPTIONS +loc eth1 detect routeback - In /etc/shorewall/rules: + In /etc/shorewall/rules: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT - - SOURCE PORT - - ORIG. DEST. - - - - - - DNAT - - loc - - web:192.168.1.5 - - tcp - - www - - - - - 130.151.100.69:192.168.1.254 - - - - + #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL +# PORT DEST. +DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254 That rule only works of course if you have a static external IP address. If you have a dynamic IP address and are running - Shorewall 1.3.4 or later then include this in /etc/shorewall/init: + Shorewall 1.3.4 or later then include this in /etc/shorewall/init: - ETH0_IP=`find_interface_address eth0` + ETH0_IP=`find_interface_address eth0` and make your DNAT rule: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT - - SOURCE PORT - - ORIG. DEST. - - - - - - DNAT - - loc - - web:192.168.1.5 - - tcp - - www - - - - - $ETH0_IP:192.168.1.254 - - - - + #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL +# PORT DEST. +DNAT loc loc:192.168.1.5 tcp www - $ETH0_IP:192.168.1.254 Using this technique, you will want to configure your DHCP/PPPoE client to automatically restart Shorewall each time that 
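Review bot: The rewritten example in the first FAQ.xml hunk here reads `DNAT net loc:192.168.3:22 tcp 1022`, but the question text two lines above asks about forwarding to local system 192.168.1.3 (and the table it replaces said `loc:192.168.1.3:22`), so the new line drops an octet and is not a valid address. It should read `DNAT net loc:192.168.1.3:22 tcp 1022`.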
@@ -597,94 +353,23 @@ Zone: dmz Interface: eth2 Subnet: 192.168.2.0/24 - In /etc/shorewall/interfaces: + In /etc/shorewall/interfaces: - - - - - ZONE + #ZONE INTERFACE BROADCAST OPTIONS +loc eth2 192.168.2.255 routeback - INTERFACE + In /etc/shorewall/policy: - BROADCAST + #SOURCE DESTINATION POLICY LIMIT:BURST +dmz dmz ACCEPT - OPTIONS - - + In /etc/shorewall/masq: - - - dmz + #INTERFACE SUBNET ADDRESS +eth2 192.168.2.0/24 - eth2 - - 192.168.2.255 - - routeback - - - - - - In /etc/shorewall/policy: - - - - - - SOURCE - - DESTINATION - - POLICY - - LIMIT:BURST - - - - - - dmz - - dmz - - ACCEPT - - - - - - - - In /etc/shorewall/masq: - - - - - - INTERFACE - - SUBNET - - ADDRESS - - - - - - eth2 - - 192.168.2.0/24 - - - - - - - - In /etc/shorewall/nat, be sure that you have Yes - in the ALL INTERFACES column. + In /etc/shorewall/nat, be sure that you + have Yes in the ALL INTERFACES column. @@ -791,18 +476,19 @@ - Create /etc/shorewall/common if it doesn't already exist. + Create /etc/shorewall/common if it + doesn't already exist. Be sure that the first command in the file is . - /etc/shorewall/common.def + /etc/shorewall/common.def - Add the following to /etc/shorewall/common + Add the following to /etc/shorewall/common - run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT + run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT 
@@ -859,14 +545,15 @@ see man syslog) in your policies and rules. The destination for - messaged logged by syslog is controlled by /etc/syslog.conf (see - man syslog.conf). When you have changed /etc/syslog.conf, - be sure to restart syslogd (on a RedHat system, service syslog - restart). + messaged logged by syslog is controlled by /etc/syslog.conf + (see man syslog.conf). When you have changed + /etc/syslog.conf, be sure to restart syslogd (on a RedHat system, + service syslog restart). By default, older versions of Shorewall ratelimited log messages through settings in - /etc/shorewall/shorewall.conf -- If you want to log all messages, set: + /etc/shorewall/shorewall.conf -- If you want to log + all messages, set: LOGLIMIT="" LOGBURST="" @@ -929,20 +616,21 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p You can distinguish the difference by setting the logunclean option (/etc/shorewall/interfaces) + role="bold">logunclean option (/etc/shorewall/interfaces) on your external interface (eth0 in the above example). If they get logged twice, they are corrupted. I solve this problem by using an /etc/shorewall/common file like this: # # Include the standard common.def file -# . /etc/shorewall/common.def +# +. /etc/shorewall/common.def # # The following rule is non-standard and compensates for tardy # DNS replies # -run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP +run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP The above file is also include in all of my sample configurations available in the Under Debian, you can set KLOGD=-c 5 in - /etc/init.d/klogd to suppress info (log level 6) messages on the - console. + /etc/init.d/klogd to suppress info (log level 6) + messages on the console. 
@@ -1034,9 +722,9 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROPman1918 or logdrop - The destination address is listed in /etc/shorewall/rfc1918 + The destination address is listed in /etc/shorewall/rfc1918 with a logdrop target -- see - /etc/shorewall/rfc1918. + /etc/shorewall/rfc1918. @@ -1044,9 +732,9 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROPrfc1918 or logdrop - The source address is listed in /etc/shorewall/rfc1918 with - a logdrop target -- see /etc/shorewall/rfc1918. + The source address is listed in /etc/shorewall/rfc1918 + with a logdrop target -- see + /etc/shorewall/rfc1918. @@ -1099,7 +787,7 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROPThe packet is being logged under the dropunclean interface option as specified in the LOGUNCLEAN - setting in /etc/shorewall/shorewall.conf. + setting in /etc/shorewall/shorewall.conf. @@ -1108,7 +796,8 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP The packet is being logged because the source IP is - blacklisted in the /etc/shorewall/blacklist + blacklisted in the /etc/shorewall/blacklist file. @@ -1121,7 +810,7 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROPNEWNOTSYN and LOGNEWNOTSYN - in /etc/shorewall/shorewall.conf. + in /etc/shorewall/shorewall.conf. 
@@ -1290,78 +979,29 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROPSetting this up in Shorewall is easy; setting up the routing is a bit harder. - Assuming that eth0 and eth1 are the interfaces to the two ISPs - then: + Assuming that eth0 and + eth1 are the interfaces to the + two ISPs then: - /etc/shorewall/interfaces: + /etc/shorewall/interfaces: - - - - - ZONE + #ZONE INTERFACE BROADCAST OPTIONS +net eth0 detect +net eth1 detect - INTERFACE + /etc/shorewall/policy: - BROADCAST + #SOURCE DESTINATION POLICY LIMIT:BURST +net net DROP - OPTIONS - - + If you have masqueraded hosts, be sure to update + /etc/shorewall/masq to masquerade to both ISPs. For + example, if you masquerade all hosts connected to eth2 then: - - - net - - eth0 - - detect - - ... - - - - net - - eth1 - - detect - - ... - - - - - - /etc/shorewall/policy: - - - - - - SOURCE - - DESTINATION - - POLICY - - LIMIT:BURST - - - - - - net - - net - - DROP - - - - - - + #INTERFACE SUBNET ADDRESS +eth0 eth2 +eth1 eth2 There was an article in SysAdmin covering this topic. It may be found at (FAQ 7) When I stop Shorewall using <quote>shorewall stop</quote>, I can't connect to anything. Why doesn't that command work? - The stop command is intended to place your firewall - into a safe state whereby only those hosts listed in - /etc/shorewall/routestopped' are activated. If you want to totally - open up your firewall, you must use the shorewall clear - command. + The stop command is intended to + place your firewall into a safe state whereby only those hosts listed in + /etc/shorewall/routestopped' are activated. If + you want to totally open up your firewall, you must use the + shorewall clear command.
@@ -1590,12 +1230,13 @@ Creating input Chains... Answer: The above output is perfectly normal. The Net zone is defined as all hosts that are connected through eth0 and the local zone is defined as all hosts - connected through eth1. If you are running Shorewall 1.4.10 or later, - you can consider setting the detectnets interface option on your local - interface (eth1 in the above example). That will cause Shorewall to - restrict the local zone to only those networks routed through that - interface. + connected through eth1. If you + are running Shorewall 1.4.10 or later, you can consider setting the + detectnets + interface option on your local interface (eth1 in the above example). That will + cause Shorewall to restrict the local zone to only those networks routed + through that interface.
@@ -1665,7 +1306,7 @@ Creating input Chains... At the shell prompt, type: - /sbin/shorewall version + /sbin/shorewall version
@@ -1745,32 +1386,15 @@ Creating input Chains... version of Shorewall earlier than 1.3.1, create /etc/shorewall/start and in it, place the following: - run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT + run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT If you are running version 1.3.1 or later, simply add the following to /etc/shorewall/rfc1918: Be sure that you add the entry ABOVE the entry for 192.168.0.0/16. - - - - - SUBNET - - TARGET - - - - - - 192.168.100.1 - - RETURN - - - - + #SUBNET TARGET +192.168.100.1 RETURN If you add a second IP address to your external firewall @@ -1779,31 +1403,9 @@ Creating input Chains... configure the address 192.168.100.2 on your firewall, then you would add two entries to /etc/shorewall/rfc1918: - - - - - SUBNET - - TARGET - - - - - - 192.168.100.1 - - RETURN - - - - 192.168.100.2 - - RETURN - - - - + #SUBNET TARGET +192.168.100.1 RETURN +192.168.100.2 RETURN
@@ -1883,7 +1485,7 @@ Creating input Chains... Add this command to your /etc/shorewall/start file: - run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP + run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP
@@ -1941,8 +1543,9 @@ iptables: Invalid argument Revision History - 1.142004-01-24TEAdded - FAQ 27a regarding kernel/iptables incompatibility.1.132004-01-24TEAdd + 1.152004-01-25TEUpdated + FAQ 32 to mention masquerading. Remove tables.1.142004-01-24TEAdded + FAQ 27a regarding kernel/iptables incompatibility.1.132004-01-24TEAdd a note about the detectnets interface option in FAQ 9.1.122004-01-20TEImprove FAQ 16 answer.1.112004-01-14TECorrected diff --git a/Shorewall-docs/Introduction.xml b/Shorewall-docs/Introduction.xml index 9e8136d45..1f99d50ee 100644 --- a/Shorewall-docs/Introduction.xml +++ b/Shorewall-docs/Introduction.xml @@ -13,10 +13,10 @@ Eastep - 2003/12/23 + 2004-01-26 - 2003 + 2003-2004 Thomas M. Eastep @@ -98,6 +98,82 @@ +
+ Shorewall Concepts + + The configuration files for Shorewall are contained in the directory + /etc/shorewall -- for simple + setups, you will only need to deal with a few of them. + + Shorewall views the network where it is running as being composed of + a set of zones. In the three-interface + sample configuration for example, the following zone names are + used: NameDescriptionnetThe InternetlocYour Local + NetworkdmzDemilitarized ZoneZones + are defined in the /etc/shorewall/zones + file. + + Shorewall also recognizes the firewall system as its own zone - by + default, the firewall itself is known as fw. + + Rules about what traffic to allow and what traffic to deny are + expressed in terms of zones. You + express your default policy for connections from one zone to another zone + in the /etc/shorewall/policy + file.You define exceptions to those + default policies in the /etc/shorewall/rules + file.For each connection request entering + the firewall, the request is first checked against the /etc/shorewall/rules + file. If no rule in that file matches the connection request then the + first policy in /etc/shorewall/policy + that matches the request is applied. If that policy is REJECT + or DROP the request is first checked against the rules + in /etc/shorewall/common + if that file exists; otherwise the rules in /etc/shorewall/common.def + are checked. + + The /etc/shorewall/policy + file included with the three-interface sample has the following policies: + #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST +loc net ACCEPT +net all DROP info +all all REJECT infoIn the three-interface + sample, the line below is included but commented out. If you want your + firewall system to have full access to servers on the internet, uncomment + that line. 
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST +fw net ACCEPT The above policy will: + Allow all connection requests from your + local network to the internetDrop + (ignore) all connection requests from the internet to your firewall or + local networkOptionally accept all + connection requests from the firewall to the internet (if you uncomment + the additional policy)reject all other + connection requests. + + The simplest way to define a zone is to associate the zone with a + network interface using the /etc/shorewall/interfaces + file. In the three-interface sample, the three zones are defined using + that file as follows: + + #ZONE INTERFACE BROADCAST OPTIONS +net eth0 detect dhcp,routefilter,norfc1918 +loc eth1 detect +dmz eth2 detect + + The above file defines the net zone as all hosts interfacing to the + firewall through eth0, the loc zone as all hosts interfacing through eth1 + and the dmz as all hosts interfacing through eth2. +
+
License diff --git a/Shorewall-docs/User_defined_Actions.xml b/Shorewall-docs/User_defined_Actions.xml index 8130b7736..65b0a0d0f 100755 --- a/Shorewall-docs/User_defined_Actions.xml +++ b/Shorewall-docs/User_defined_Actions.xml @@ -15,14 +15,10 @@ - 2003-12-09 + 2003-01-29 - 2001 - - 2002 - - 2003 + 2003-2004 Thomas M. Eastep @@ -37,8 +33,8 @@ - Prior to Shorewall version 1.4.9, rules in /etc/shorewall/rules were - limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.). + Prior to Shorewall version 1.4.9, rules in /etc/shorewall/rules + were limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.). Beginning with Shorewall version 1.4.9, users may use sequences of these elementary operations to define more complex actions. @@ -46,18 +42,19 @@ - Add a line to /etc/shorewall/actions that names your new action. - Action names must be valid shell variable names as well as valid - Netfilter chain names. It is recommended that the name you select for a - new action begins with with a capital letter; that way, the name - won't conflict with a Shorewall-defined chain name. + Add a line to /etc/shorewall/actions + that names your new action. Action names must be valid shell variable + names as well as valid Netfilter chain names. It is recommended that the + name you select for a new action begins with with a capital letter; that + way, the name won't conflict with a Shorewall-defined chain name. Once you have defined your new action name (ActionName), then copy - /etc/shorewall/action.template to /etc/shorewall/action.ActionName (for - example, if your new action name is Foo then copy - /etc/shorewall/action.template to /etc/shorewall/action.foo). + /etc/shorewall/action.template to /etc/shorewall/action.ActionName + (for example, if your new action name is Foo then copy + /etc/shorewall/action.template to + /etc/shorewall/action.Foo). 
@@ -70,13 +67,15 @@ TARGET - Must be ACCEPT, DROP, REJECT, LOG, QUEUE or - <action> where <action> is a previously-defined action. - The TARGET may optionally be followed by a colon (:) and - a syslog log level (e.g, REJECT:info or ACCEPT:debugging). This causes - the packet to be logged at the specified level. You may also specify - ULOG (must be in upper case) as a log level.This will log to the ULOG - target for routing to a separate log through use of ulogd - (http://www.gnumonks.org/projects/ulogd). + <action> where <action> is a previously-defined action + (that is, it must precede the action being defined in this file in your + /etc/shorewall/actions file). The TARGET may + optionally be followed by a colon (:) and a syslog log + level (e.g, REJECT:info or ACCEPT:debugging). This causes the packet to + be logged at the specified level. You may also specify ULOG (must be in + upper case) as a log level.This will log to the ULOG target for routing + to a separate log through use of ulogd (http://www.gnumonks.org/projects/ulogd). @@ -97,7 +96,8 @@ MAC addresses are not allowed. Unlike in the SOURCE column, you may specify a range of up to 256 - IP addresses using the syntax <first ip>-<last ip>. + IP addresses using the syntax <first ip>-<last + ip>. 
@@ -107,20 +107,45 @@ DEST PORT(S) - Destination Ports. A comma-separated list of Port - names (from /etc/services), port numbers or port ranges; if the protocol - is icmp, this column is interpreted as the destination - icmp-type(s). + names (from /etc/services), port numbers or port + ranges; if the protocol is icmp, this column is + interpreted as the destination icmp-type(s). - A port range is expressed as <low port>:<high - port>. + A port range is expressed as <low port>:<high + port>. This column is ignored if PROTOCOL = all but must be entered if any of the following ields are supplied. In that case, it is suggested that this field contain -. If your kernel contains multi-port match support, then only a - single Netfilter rule will be generated if in this list and the CLIENT - PORT(S) list below: + single Netfilter rule will be generated if in this list and in the + CLIENT PORT(S) list below: + + + + There are 15 or less ports listed. + + + + No port ranges are included. + + + + Otherwise, a separate rule will be generated for each port. + + + + SOURCE PORT(S) - Port(s) used by the client. If omitted, any + source port is acceptable. Specified as a comma-separated list of port + names, port numbers or port ranges. + + If you don't want to restrict client ports but need to specify + an ADDRESS in the next column, then place "-" in this column. + + If your kernel contains multi-port match support, then only a + single Netfilter rule will be generated if in this list and in the DEST + PORT(S) list above: 
@@ -139,11 +164,13 @@ RATE LIMIT - You may rate-limit the rule by placing a value in this column: - <rate>/<interval>[:<burst>]where - <rate> is the number of connections per <interval> (sec - or min) and <burst> is the largest burst - permitted. If no <burst> is given, a value of 5 is assumed. - There may be no whitespace embedded in the specification. + <rate>/<interval>[:<burst>]where + <rate> is the number of connections per + <interval> (sec or + min) and <burst> is the + largest burst permitted. If no <burst> is + given, a value of 5 is assumed. There may be no whitespace embedded in + the specification. Example: 10/sec:20 @@ -151,9 +178,8 @@ Example: - /etc/shorewall/actions: + /etc/shorewall/actions: - LogAndAccept/etc/shorewall/action.LogAndAccept LOG:info + LogAndAccept/etc/shorewall/action.LogAndAccept LOG:info ACCEPT \ No newline at end of file diff --git a/Shorewall-docs/ports.xml b/Shorewall-docs/ports.xml index 45778cff5..0fe355739 100644 --- a/Shorewall-docs/ports.xml +++ b/Shorewall-docs/ports.xml @@ -13,7 +13,7 @@ - 2004-01-04 + 2004-01-26 2001-2002 @@ -44,6 +44,17 @@ In the rules that are shown in this document, the ACTION is shown as ACCEPT. You may need to use DNAT (see FAQ 30) or you may want DROP or REJECT if you are trying to block the application. + + Example: You want to port forward FTP from the net to your server at + 192.168.1.4 in your DMZ. The FTP section below gives you: + + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> tcp 21 + + You would code your rule as follows: + + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +DNAT net dmz:192.168.1.4 tcp 21
@@ -75,7 +86,7 @@ ACCEPT <source> <destination> #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 4000 -ACCEPT <source> <destination> tcp 53 +ACCEPT <source> <destination> tcp 4000:4100 UDP Port 4000. You will also need to open a range of TCP ports which you can specify to your ICQ client. By default, clients use 4000-4100. @@ -108,7 +119,8 @@ ACCEPT <destination> <source> NFS I personally use the following rules for opening access from zone z1 - to a server with IP address a.b.c.d in zone z2: + to a server with IP address a.b.c.d in zone z2. I have found though that + different distributions behave differently so your milage may vary. #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <z1> <z2>:a.b.c.d tcp 111 @@ -237,7 +249,8 @@ ACCEPT <source> <destination> Revision History - 1.32004-01-04TEAlphabetize1.22004-01-03TEAdd + 1.42004-01-26TECorrect + ICQ.1.32004-01-04TEAlphabetize1.22004-01-03TEAdd rules file entries.1.12002-07-30TEInitial version converted to Docbook XML diff --git a/Shorewall-docs/two-interface.xml b/Shorewall-docs/two-interface.xml index 748371275..b6c06dee7 100644 --- a/Shorewall-docs/two-interface.xml +++ b/Shorewall-docs/two-interface.xml @@ -12,7 +12,7 @@ Eastep - 2003-01-06 + 2003-01-26 2002 @@ -164,14 +164,12 @@ valign="middle">netThe InternetlocYour Local - NetworkdmzDemilitarized Zone - Zones are defined in the /etc/shorewall/zones + Network Zones are defined + in the /etc/shorewall/zones file. Shorewall also recognizes the firewall system as its own zone - by - default, the firewall itself is known as fw. + default, the firewall itself is known as fw. Rules about what traffic to allow and what traffic to deny are expressed in terms of zones. You diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh index 1acbefe7c..73fd7a036 100755 --- a/Shorewall/fallback.sh +++ b/Shorewall/fallback.sh 
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
 
-VERSION=1.4.10-RC3
+VERSION=1.4.10
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index 136fb2c91..4a57e747c 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -54,7 +54,7 @@
 # /etc/rc.d/rc.local file is modified to start the firewall.
 #
 
-VERSION=1.4.10-RC3
+VERSION=1.4.10
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec
index ef4f46e8f..4304af0fb 100644
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 1.4.10
-%define release 0RC3
+%define release 1
 %define prefix /usr
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -109,6 +109,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Fri Jan 30 2004 Tom Eastep
+- Changed version to 1.4.10-1
 * Tue Jan 27 2004 Tom Eastep
 - Changed version to 1.4.10-RC3
 * Sat Jan 24 2004 Tom Eastep
diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh
index 14f80d6b5..0fd0ed07d 100755
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Seattle Firewall
 
-VERSION=1.4.10-RC3
+VERSION=1.4.10
 
 usage() # $1 = exit status
 {