From b222c76e33083af4da5ad6d57b05724eac06d656 Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 31 Jan 2004 03:29:56 +0000 Subject: [PATCH] Shorewall 1.4.10 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1100 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Lrp/etc/shorewall/action.template | 131 ++++++ Lrp/etc/shorewall/actions | 16 + Lrp/etc/shorewall/common.def | 18 +- Lrp/etc/shorewall/interfaces | 12 + Lrp/etc/shorewall/masq | 7 +- Lrp/etc/shorewall/rfc1918 | 5 +- Lrp/etc/shorewall/rules | 6 +- Lrp/etc/shorewall/shorewall.conf | 68 ++- Lrp/etc/shorewall/tcrules | 17 +- Lrp/usr/share/shorewall/firewall | 700 +++++++++++++++++++++++++---- Lrp/usr/share/shorewall/help | 248 ++++++++++ Lrp/usr/share/shorewall/version | 2 +- Lrp/var/lib/lrpkg/shorwall.conf | 2 + Lrp/var/lib/lrpkg/shorwall.version | 2 +- 14 files changed, 1109 insertions(+), 125 deletions(-) create mode 100644 Lrp/etc/shorewall/action.template create mode 100644 Lrp/etc/shorewall/actions create mode 100755 Lrp/usr/share/shorewall/help diff --git a/Lrp/etc/shorewall/action.template b/Lrp/etc/shorewall/action.template new file mode 100644 index 000000000..b54419b65 --- /dev/null +++ b/Lrp/etc/shorewall/action.template 
@@ -0,0 +1,131 @@ +# +# Shorewall 1.4 /etc/shorewall/action.template +# +# This file is a template for files with names of the form +# /etc/shorewall/action. where is an +# ACTION defined in /etc/shorewall/actions. +# +# To define a new action: +# +# 1. Add the to /etc/shorewall/actions +# 2. Copy this file to /etc/shorewall/action. +# 3. Add the desired rules to that file. +# +# Columns are: +# +# +# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a +# previously-defined +# +# ACCEPT -- allow the connection request +# DROP -- ignore the request +# REJECT -- disallow the request and return an +# icmp-unreachable or an RST packet. +# LOG -- Simply log the packet and continue. +# QUEUE -- Queue the packet to a user-space +# application such as p2pwall. +# -- An defined in +# /etc/shorewall/actions. The +# must appear in that file BEFORE the +# one being defined in this file. +# +# The TARGET may optionally be followed +# by ":" and a syslog log level (e.g, REJECT:info or +# ACCEPT:debugging). This causes the packet to be +# logged at the specified level. +# +# You may also specify ULOG (must be in upper case) as a +# log level.This will log to the ULOG target for routing +# to a separate log through use of ulogd +# (http://www.gnumonks.org/projects/ulogd). +# +# SOURCE Source hosts to which the rule applies. +# A comma-separated list of subnets +# and/or hosts. Hosts may be specified by IP or MAC +# address; mac addresses must begin with "~" and must use +# "-" as a separator. +# +# 192.168.2.2 Host 192.168.2.2 +# +# 155.186.235.0/24 Subnet 155.186.235.0/24 +# +# 192.168.1.1,192.168.1.2 +# Hosts 192.168.1.1 and +# 192.168.1.2. +# ~00-A0-C9-15-39-78 Host with +# MAC address 00:A0:C9:15:39:78. +# +# Alternatively, clients may be specified by interface +# name. For example, eth1 specifies a +# client that communicates with the firewall system +# through eth1. 
This may be optionally followed by +# another colon (":") and an IP/MAC/subnet address +# as described above (e.g., eth1:192.168.1.5). +# +# DEST Location of Server. Same as above with the exception that +# MAC addresses are not allowed. +# +# Unlike in the SOURCE column, you may specify a range of +# up to 256 IP addresses using the syntax +# -. +# +# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or +# "all". +# +# DEST PORT(S) Destination Ports. A comma-separated list of Port +# names (from /etc/services), port numbers or port +# ranges; if the protocol is "icmp", this column is +# interpreted as the destination icmp-type(s). +# +# A port range is expressed as :. +# +# This column is ignored if PROTOCOL = all but must be +# entered if any of the following ields are supplied. +# In that case, it is suggested that this field contain +# "-" +# +# If your kernel contains multi-port match support, then +# only a single Netfilter rule will be generated if in +# this list and the CLIENT PORT(S) list below: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. +# +# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, +# any source port is acceptable. Specified as a comma- +# separated list of port names, port numbers or port +# ranges. +# +# If you don't want to restrict client ports but need to +# specify an ADDRESS in the next column, then place "-" +# in this column. +# +# If your kernel contains multi-port match support, then +# only a single Netfilter rule will be generated if in +# this list and the DEST PORT(S) list above: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. 
+# +# RATE LIMIT You may rate-limit the rule by placing a value in +# this column: +# +# /[:] +# +# where is the number of connections per +# ("sec" or "min") and is the +# largest burst permitted. If no is given, +# a value of 5 is assumed. There may be no +# no whitespace embedded in the specification. +# +# Example: 10/sec:20 +# +# If you place a rate limit in this column, you may not +# place a similar limit in the TARGET column. +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE +# PORT PORT(S) DEST LIMIT +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp/etc/shorewall/actions b/Lrp/etc/shorewall/actions new file mode 100644 index 000000000..d48927a96 --- /dev/null +++ b/Lrp/etc/shorewall/actions @@ -0,0 +1,16 @@ +# +# Shorewall 1.4 /etc/shorewall/actions +# +# This file allows you to define new ACTIONS for use in rules +# (/etc/shorewall/rules). You define the iptables rules to +# be performed in an ACTION in +# /etc/shorewall/action.. +# +# ACTION names should begin with an upper-case letter to +# distinguish them from Shorewall-generated chain names and +# they must need the requirements of a Netfilter chain +# name. +# +#ACTION + +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Lrp/etc/shorewall/common.def b/Lrp/etc/shorewall/common.def index 5e1ce0657..ea3abeb35 100644 --- a/Lrp/etc/shorewall/common.def +++ b/Lrp/etc/shorewall/common.def 
@@ -16,12 +16,12 @@ run_iptables -A common -p icmp -j icmpdef ############################################################################ # NETBIOS chatter # -run_iptables -A common -p udp --dport 135 -j reject -run_iptables -A common -p udp --dport 137:139 -j reject -run_iptables -A common -p udp --dport 445 -j reject -run_iptables -A common -p tcp --dport 139 -j reject -run_iptables -A common -p tcp --dport 445 -j reject -run_iptables -A common -p tcp --dport 135 -j reject +run_iptables -A common -p udp --dport 135 -j DROP +run_iptables -A common -p udp --dport 137:139 -j DROP +run_iptables -A common -p udp --dport 445 -j DROP +run_iptables -A common -p tcp --dport 139 -j DROP +run_iptables -A common -p tcp --dport 445 -j DROP +run_iptables -A common -p tcp --dport 135 -j DROP ############################################################################ # UPnP # @@ -37,7 +37,13 @@ run_iptables -A common -d 224.0.0.0/4 -j DROP run_iptables -A common -p tcp --dport 113 -j reject ############################################################################ # DNS -- Silenty drop late replies +# run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP +############################################################################ +# ICMP -- Silently drop null-address ICMPs +# +run_iptables -A common -p icmp -s 0.0.0.0 -j DROP +run_iptables -A common -p icmp -d 0.0.0.0 -j DROP diff --git a/Lrp/etc/shorewall/interfaces b/Lrp/etc/shorewall/interfaces index 7cc373f74..b5bc8c799 100644 --- a/Lrp/etc/shorewall/interfaces +++ b/Lrp/etc/shorewall/interfaces @@ -103,6 +103,11 @@ # This option has no effect if # NEWNOTSYN=Yes. # +# routeback - If specified, indicates that Shorewall +# should include rules that allow filtering +# traffic arriving on this interface back +# out that same interface. +# # arp_filter - If specified, this interface will only # respond to ARP who-has requests for IP # addresses configured on the interface. 
@@ -112,6 +117,13 @@ # interface. The interface must be up # when Shorewall is started. # +# detectnets - Automatically taylors the zone named +# in the ZONE column to include only those +# hosts routed through the interface. +# +# WARNING: DO NOT SET THE detectnets OPTION ON YOUR +# INTERNET INTERFACE! +# # The order in which you list the options is not # significant but the list should have no embedded white # space. diff --git a/Lrp/etc/shorewall/masq b/Lrp/etc/shorewall/masq index 2a1460afb..edffdce7d 100644 --- a/Lrp/etc/shorewall/masq +++ b/Lrp/etc/shorewall/masq @@ -18,7 +18,12 @@ # PLACE IN YOUR SHOREWALL CONFIGURATION. # # This may be qualified by adding the character -# ":" followed by a destination host or subnet. +# ":" followed by a comma-separed list of +# destination hosts or subnets. If this list begins with +# "!" then masquerading will occur if and only if the +# connection destination is NOT included in the list. +# Otherwise, the masquerading will occur if and only if +# the destination IS included in the list. # # # SUBNET -- Subnet that you wish to masquerade. You can specify this as diff --git a/Lrp/etc/shorewall/rfc1918 b/Lrp/etc/shorewall/rfc1918 index 26d707fcd..404e78cdf 100644 --- a/Lrp/etc/shorewall/rfc1918 +++ b/Lrp/etc/shorewall/rfc1918 @@ -48,14 +48,13 @@ 58.0.0.0/7 logdrop # Reserved 70.0.0.0/7 logdrop # Reserved 72.0.0.0/5 logdrop # Reserved -83.0.0.0/8 logdrop # Reserved -84.0.0.0/6 logdrop # Reserved +85.0.0.0/8 logdrop # Reserved +86.0.0.0/7 logdrop # Reserved 88.0.0.0/5 logdrop # Reserved 96.0.0.0/3 logdrop # Reserved 127.0.0.0/8 logdrop # Loopback 197.0.0.0/8 logdrop # Reserved 198.18.0.0/15 logdrop # Reserved -201.0.0.0/8 logdrop # Reserved - Central & South America 223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003 240.0.0.0/4 logdrop # Reserved # diff --git a/Lrp/etc/shorewall/rules b/Lrp/etc/shorewall/rules index 463368608..77ced5bb1 100644 --- a/Lrp/etc/shorewall/rules +++ b/Lrp/etc/shorewall/rules 
@@ -15,8 +15,8 @@ # Columns are: # # -# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE -# or LOG. +# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, +# LOG or an . # # ACCEPT -- allow the connection request # DROP -- ignore the request @@ -48,6 +48,8 @@ # LOG -- Simply log the packet and continue. # QUEUE -- Queue the packet to a user-space # application such as p2pwall. +# -- The name of an action defined in +# /etc/shorewall/actions. # # You may rate-limit the rule by optionally # following ACCEPT, DNAT[-], REDIRECT[-] or LOG with diff --git a/Lrp/etc/shorewall/shorewall.conf b/Lrp/etc/shorewall/shorewall.conf index b67a9d9bc..997e58d5e 100644 --- a/Lrp/etc/shorewall/shorewall.conf +++ b/Lrp/etc/shorewall/shorewall.conf @@ -202,9 +202,8 @@ SHOREWALL_SHELL=/bin/sh # SUBSYSTEM LOCK FILE # # Set this to the name of the lock file expected by your init scripts. For -# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it -# should be /var/state/shorewall. If your init scripts don't use lock files, -# set this to "". +# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't +# use lock files, set this to "". # SUBSYSLOCK=/var/run/shorewall @@ -222,7 +221,7 @@ STATEDIR=/tmp/shorewall # KERNEL MODULE DIRECTORY # # If your netfilter kernel modules are in a directory other than -# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that +# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that # directory in this variable. Example: MODULESDIR=/etc/modules. MODULESDIR= 
@@ -418,13 +417,30 @@ MUTEX_TIMEOUT=60 # # NEWNOTSYN # -# If this variable is set to "No" or "no", then when a TCP packet that does -# not have the SYN flag set and the ACK and RST flags clear then unless the -# packet is part of an established connection, it will be dropped by the -# firewall +# TCP connections are established using the familiar three-way "handshake": # -# If this variable is set to "Yes" or "yes" then such packets will not be -# dropped but will pass through the normal rule processing. +# CLIENT SERVER +# +# SYN--------------------> +# <------------------SYN,ACK +# ACK--------------------> +# +# The first packet in that exchange (packet with the SYN flag on and the ACK +# and RST flags off) is referred to in Netfilter terminology as a "syn" packet. +# A packet is said to be NEW if it is not part of or related to an already +# established connection. +# +# The NETNOTSYN option determines the handling of non-SYN packets (those with +# SYN off or with ACK or RST on) that are not associated with an already +# established connection. +# +# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not +# part of an already established connection, it will be dropped by the +# firewall. The setting of LOGNEWNOTSYN above determines if these packets are +# logged before they are dropped. +# +# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be +# dropped but will pass through the normal rule/policy processing. # # Users with a High-availability setup with two firewall's and one acting # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may 
@@ -432,8 +448,15 @@ MUTEX_TIMEOUT=60 # # The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis # using the 'newnotsyn' option in /etc/shorewall/interfaces. +# +# I find that NEWNOTSYN=No tends to result in lots of "stuck" +# connections because any network timeout during TCP session tear down +# results in retries being dropped (Netfilter has removed the +# connection from the conntrack table but the end-points haven't +# completed shutting down the connection). I therefore have chosen +# NEWNOTSYN=Yes as the default value. -NEWNOTSYN=No +NEWNOTSYN=Yes # # FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT @@ -486,6 +509,29 @@ ADMINISABSENTMINDED=Yes # BLACKLISTNEWONLY=Yes +# MODULE NAME SUFFIX +# +# When loading a module named in /etc/shorewall/modules, Shorewall normally +# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names +# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different +# naming convention then you can specify the suffix (extension) for module +# names in this variable. +# +# To see what suffix is used by your distribution: +# +# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter +# +# All of the file names listed should have the same suffix (extension). Set +# MODULE_SUFFIX to that suffix. +# +# Examples: +# +# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo" +# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o" +# + +MODULE_SUFFIX= + ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################ diff --git a/Lrp/etc/shorewall/tcrules b/Lrp/etc/shorewall/tcrules index 7ae8f7d7a..e15a68d80 100644 --- a/Lrp/etc/shorewall/tcrules +++ b/Lrp/etc/shorewall/tcrules 
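Review bot: Flipping the shipped default to `NEWNOTSYN=Yes` means out-of-state non-SYN TCP packets now enter normal rule/policy processing instead of being dropped, so an ACCEPT policy or rule toward a zone accepts them too; the new comment argues for that trade-off but is written in the first person and does not tell the administrator that the stricter `No` remains available, nor that LOGNEWNOTSYN, which the earlier hunk describes as logging packets before they are dropped, no longer has anything to log once nothing is dropped. A closing sentence such as `# Set NEWNOTSYN=No to restore the stricter behaviour; LOGNEWNOTSYN only applies when NEWNOTSYN=No.` would make the choice explicit. The preceding hunk's explanation also spells the option `NETNOTSYN` once and has a dangling clause (`...already established connection, it will be dropped by the firewall`).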
@@ -57,7 +57,22 @@ # any source port is acceptable. Specified as a comma- # separated list of port names, port numbers or port # ranges. +# +# USER This column may only be non-empty if the SOURCE is +# the firewall itself. +# +# When this column is non-empty, the rule applies only +# if the program generating the output is running under +# the effective user and/or group. +# +# It may contain : +# +# []:[] +# +# The colon is optionnal when specifying only a user. +# Examples : john: / john / :users / john:users +# ############################################################################## -#MARK SOURCE DEST PROTO PORT(S) CLIENT +#MARK SOURCE DEST PROTO PORT(S) CLIENT USER # PORT(S) #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp/usr/share/shorewall/firewall b/Lrp/usr/share/shorewall/firewall index 482d17f68..44f28095e 100755 --- a/Lrp/usr/share/shorewall/firewall +++ b/Lrp/usr/share/shorewall/firewall @@ -564,11 +564,21 @@ determine_hosts() { eval interfaces=\$${zone}_interfaces for interface in $interfaces; do - if [ -z "$hosts" ]; then - hosts=$interface:0.0.0.0/0 + eval options=\$`chain_base ${interface}`_options + + if list_search detectnets $options; then + subnets=`get_routed_subnets $interface` else - hosts="$hosts $interface:0.0.0.0/0" + subnets=0.0.0.0/0 fi + + for subnet in $subnets; do + if [ -z "$hosts" ]; then + hosts=$interface:$subnet + else + hosts="$hosts $interface:$subnet" + fi + done done interfaces= @@ -611,6 +621,8 @@ validate_zone() # $1 = zone # Validate the zone names and options in the interfaces file # validate_interfaces_file() { + local wildcard + while read z interface subnet options; do expandv z interface subnet options r="$z $interface $subnet $options" 
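Review bot: When detectnets is set, the result of the `subnets=` assignment from get_routed_subnets is used without any check; if the helper yields nothing (no routes through the interface yet, or the command failing) the inner loop adds no entries and the zone silently ends up with no hosts on that interface instead of an error — whether get_routed_subnets can return empty is not visible here. A guard right after the assignment, `[ -n "$subnets" ] || startup_error "detectnets: no routed subnets found through $interface"`, would turn that silent hole into a startup failure the administrator sees. The enclosing loop of determine_hosts begins before this hunk.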
@@ -628,10 +640,15 @@ validate_interfaces_file() { list_search $interface $all_interfaces && \ startup_error "Duplicate Interface $interface" + wildcard= + case $interface in *:*) startup_error "Invalid Interface Name: $interface" ;; + *+*) + wildcard=Yes + ;; esac all_interfaces="$all_interfaces $interface" @@ -646,6 +663,10 @@ validate_interfaces_file() { case $option in dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|-) ;; + detectnets) + [ -n "$wildcard" ] && \ + startup_error "The \"detectnets\" option may not be used with a wild-card interface" + ;; dropunclean|logunclean) error_message \ "Warning: The 'dropunclean' and 'logunclean' options will be removed in a future release" @@ -844,7 +865,7 @@ find_broadcasts() { for interface in $all_interfaces; do eval bcast=\$`chain_base $interface`_broadcast if [ "x$bcast" = "xdetect" ]; then - addr="`ip addr show $interface 2> /dev/null`" + addr="`ip -f inet addr show $interface 2> /dev/null`" if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then addr="`echo "$addr" | \ grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`" @@ -1027,6 +1048,22 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo log_rule_limit $level $chain $disposition "$LOGLIMIT" $@ } +# +# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING +# +setup_forwarding() { + case "$IP_FORWARDING" in + [Oo][Nn]) + echo 1 > /proc/sys/net/ipv4/ip_forward + echo "IP Forwarding Enabled" + ;; + [Oo][Ff][Ff]) + echo 0 > /proc/sys/net/ipv4/ip_forward + echo "IP Forwarding Disabled!" + ;; + esac +} + # # Stop the Firewall # @@ -1118,14 +1155,7 @@ stop_firewall() { iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT done - case "$IP_FORWARDING" in - [Oo][Nn]) - echo 1 > /proc/sys/net/ipv4/ip_forward - ;; - [Oo][Ff][Ff]) - echo 0 > /proc/sys/net/ipv4/ip_forward - ;; - esac + setup_forwarding run_user_exit stopped 
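Review bot: setup_forwarding prints `IP Forwarding Enabled` / `IP Forwarding Disabled!` unconditionally after the `echo` into /proc/sys/net/ipv4/ip_forward, so if the write fails (read-only /proc, missing sysctl) the administrator is told forwarding was set when it was not, and because the function is now also called from stop_firewall the wrong state can persist silently. Check the write and report on failure, e.g. `echo 1 > /proc/sys/net/ipv4/ip_forward || error_message "Warning: unable to write /proc/sys/net/ipv4/ip_forward"` ahead of the success message (error_message rather than fatal_error so the stop path still completes), and the same for the Off arm. Values other than On/Off fall through the case silently; if that is deliberate a comment such as `# any other value leaves ip_forward untouched` would say so.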
@@ -1700,6 +1730,25 @@ process_tc_rule() esac fi + if [ "x$user" != "x-" ]; then + + [ "$chain" != tcout ] && \ + fatal_error "Invalid use of a user/group: rule \"$rule\"" + + case "$user" in + *:*) + r="$r-m owner" + temp="${user%:*}" + [ -n "$temp" ] && r="$r --uid-owner $temp " + temp="${user#*:}" + [ -n "$temp" ] && r="$r --gid-owner $temp " + ;; + *) + r="$r-m owner --uid-owner $user " + ;; + esac + fi + [ "x$dest" = "x-" ] || r="${r}-d $dest " [ "$proto" = "all" ] || r="${r}-p $proto " [ "x$port" = "x-" ] || r="${r}--dport $port " @@ -1758,9 +1807,9 @@ setup_tc1() { # strip_file tcrules - while read mark sources dests proto ports sports; do - expandv mark sources dests proto ports sports - rule=`echo "$mark $sources $dests $proto $ports $sports"` + while read mark sources dests proto ports sports user; do + expandv mark sources dests proto ports sports user + rule=`echo "$mark $sources $dests $proto $ports $sports $user"` process_tc_rule done < $TMP_DIR/tcrules # @@ -2063,6 +2112,10 @@ check_config() { validate_policy + echo "Validating Actions..." + + process_actions + echo "Validating rules file..." rules=`find_file rules` 
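Review bot: The new owner-match block treats any `$user` other than the literal `-` as a user spec, so a tcrules line that simply omits the new USER column (every pre-existing six-column file) arrives with `$user` empty, passes the `x$user != x-` test and, for any chain other than tcout, hits the new fatal_error; if the column is defaulted to `-` earlier in process_tc_rule that is not visible in this hunk. Guard on a non-empty value instead: `if [ -n "$user" -a "x$user" != "x-" ]; then`. The `*:*` arm also accepts a bare `:`, which leaves `r` ending in `-m owner` with neither `--uid-owner` nor `--gid-owner` and, since there is no trailing space, glues onto the following `-d` or `-p`; rejecting it with `[ "$user" = : ] && fatal_error "Empty user/group specification: rule \"$rule\""` keeps iptables from seeing a malformed rule. process_tc_rule begins before this hunk.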
@@ -2113,6 +2166,349 @@ refresh_tc() { } +# +# Add one Filter Rule from an action -- Helper function for the action file processor +# +# The caller has established the following variables: +# check = current command. If 'check', we're executing a 'check' +# which only goes through the motions. +# client = SOURCE IP or MAC +# server = DESTINATION IP or interface +# protocol = Protocol +# address = Original Destination Address +# port = Destination Port +# cport = Source Port +# multioption = String to invoke multiport match if appropriate +# action = The chain for this rule +# ratelimit = Optional rate limiting clause +# +add_an_action() +{ + do_ports() { + if [ -n "$port" ]; then + dports="--dport" + if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then + multiport="$multioption" + dports="--dports" + fi + dports="$dports $port" + fi + + if [ -n "$cport" ]; then + sports="--sport" + if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then + multiport="$multioption" + sports="--sports" + fi + sports="$sports $cport" + fi + } + + # Set source variables. The 'cli' variable will hold the client match predicate(s). + + cli= + + case "$client" in + -) + ;; + *:*) + cli="-i ${client%:*} -s ${client#*:}" + ;; + *.*.*) + cli="-s $client" + ;; + ~*) + cli=`mac_match $client` + ;; + *) + [ -n "$client" ] && cli="-i $client" + ;; + esac + + # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s). 
+ + dest_interface= + serv= + + case "$server" in + -) + ;; + *.*.*) + serv=$server + ;; + ~*) + fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" + ;; + *) + [ -n "$server" ] && dest_interface="-o $server" + ;; + esac + + # Setup protocol and port variables + + sports= + dports= + state="-m state --state NEW" + proto=$protocol + servport=$serverport + multiport= + + [ x$port = x- ] && port= + [ x$cport = x- ] && cport= + + case $proto in + tcp|TCP|6) + do_ports + [ "$target" = QUEUE ] && proto="$proto --syn" + ;; + udp|UDP|17) + do_ports + ;; + icmp|ICMP|1) + [ -n "$port" ] && dports="--icmp-type $port" + state= + ;; + all|ALL) + [ -n "$port" ] && \ + fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\"" + proto= + ;; + *) + state= + [ -n "$port" ] && \ + fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" + ;; + esac + + proto="${proto:+-p $proto}" + + # Some misc. setup + + case "$logtarget" in + LOG) + [ -z "$loglevel" ] && fatal_error "LOG requires log level" + ;; + esac + + if [ $command != check ]; then + if [ -n "${serv}" ]; then + for serv1 in `separate_list $serv`; do + for srv in `ip_range $serv1`; do + if [ -n "$loglevel" ]; then + log_rule_limit $loglevel $action $logtarget "$ratelimit" \ + `fix_bang $proto $sports $multiport $state $cli -d $srv $dports` + fi + + run_iptables2 -A $action $proto $multiport $state $cli $sports \ + -d $srv $dports $ratelimit -j $target + done + done + else + if [ -n "$loglevel" ]; then + log_rule_limit $loglevel $action $logtarget "$ratelimit" \ + `fix_bang $proto $sports $multiport $state $cli $dports` + fi + + run_iptables2 -A $action $proto $multiport $state $cli $sports \ + $dports $ratelimit -j $target + fi + fi +} + +# +# Process a record from an action file for the 'start', 'restart' or 'check' commands +# +process_action() # $1 = action + # $1 = target + # $2 = clients + # $3 = servers + # $4 = protocol + # $5 = ports + # $6 = cports + 
# $7 = ratelimit +{ + local action="$1" + local target="$2" + local clients="$3" + local servers="$4" + local protocol="$5" + local ports="$6" + local cports="$7" + local ratelimit="$8" + local rule="`echo $target $clients $servers $protocol $ports $cports $ratelimit`" + + if [ -n "$ratelimit" ]; then + case $ratelimit in + -) + ratelimit= + ;; + *:*) + ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" + ;; + *) + ratelimit="-m limit --limit $ratelimit" + ;; + esac + fi + + # Isolate log level + + if [ "$target" = "${target%:*}" ]; then + loglevel= + else + loglevel="${target#*:}" + target="${target%:*}" + expandv loglevel + fi + + logtarget="$target" + + case $target in + ACCEPT|LOG) + ;; + REJECT) + target=reject + ;; + *) + ;; + esac + + # Generate Netfilter rule(s) + + [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all} + + if [ -n "$MULTIPORT" ] && \ + ! list_search $protocol "icmp" "ICMP" "1" && \ + [ "$ports" = "${ports%:*}" -a \ + "$cports" = "${cports%:*}" -a \ + `list_count $ports` -le 15 -a \ + `list_count $cports` -le 15 ] + then + # + # MULTIPORT is enabled, there are no port ranges in the rule and less than + # 16 ports are listed - use multiport match. + # + multioption="-m multiport" + for client in `separate_list ${clients:=-}`; do + for server in `separate_list ${servers:=-}`; do + # + # add_a_rule() modifies these so we must set their values each time + # + port=${ports:=-} + cport=${cports:=-} + add_an_action + done + done + else + # + # MULTIPORT is disabled or the rule isn't compatible with multiport match + # + multioption= + for client in `separate_list ${clients:=-}`; do + for server in `separate_list ${servers:=-}`; do + for port in `separate_list ${ports:=-}`; do + for cport in `separate_list ${cports:=-}`; do + add_an_action + done + done + done + done + fi + # + # Report Result + # + if [ $command = check ]; then + echo " Rule \"$rule\" checked." + else + echo " Rule \"$rule\" added." 
+ fi +} + +# +# Read /etc/shorewall/actions and for each defined , process +# /etc/shorewall/action. +# + +process_actions() { + # + # Process a rule where the source or destination is "all" + # + process_wildcard_rule() { + local yclients yservers ysourcezone ydestzone ypolicy + + for yclients in $xclients; do + for yservers in $xservers; do + ysourcezone=${yclients%%:*} + ydestzone=${yservers%%:*} + if [ "${ysourcezone}" != "${ydestzone}" ] ; then + eval ypolicy=\$${ysourcezone}2${ydestzone}_policy + if [ "$ypolicy" != NONE ] ; then + process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit + fi + fi + done + done + } + + do_it() { + expandv xclients xservers xprotocol xports xcports xratelimit + + if [ "x$xclients" = xall ]; then + xclients="$zones $FW" + if [ "x$xservers" = xall ]; then + xservers="$zones $FW" + fi + process_wildcard_rule + continue + fi + + if [ "x$xservers" = xall ]; then + xservers="$zones $FW" + process_wildcard_rule + continue + fi + + process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit + } + + strip_file actions + + while read xaction rest; do + [ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest" + [ "$command" = check ] || createchain $xaction No + + f=action.$xaction + fn=`find_file $f` + + if [ -f $fn ]; then + echo "Processing $fn..." + strip_file $f $fn + while read xtarget xclients xservers xprotocol xports xcports xratelimit ; do + expandv xtarget + temp="${xtarget%:*}" + case "${temp%<*}" in + ACCEPT|DROP|REJECT|LOG|QUEUE) + do_it + ;; + *) + if list_search $temp $ACTIONS; then + do_it + else + rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit`" + fatal_error "Invalid TARGET in rule \"$rule\"" + fi + ;; + + esac + done < $TMP_DIR/$f + else + fatal_error "Missing Action File: $f" + fi + + ACTIONS="$ACTIONS $xaction" + done < $TMP_DIR/actions +} + # # Add a NAT rule - Helper function for the rules file processor # 
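Review bot: In add_an_action a DEST column given as an interface name is parsed into `dest_interface="-o $server"`, but as far as this hunk shows `$dest_interface` is never expanded in the run_iptables2 or fix_bang calls, so an action rule meant for one outgoing interface is added with no destination match and applies to every destination — an ACCEPT action becomes broader than the action file says. The non-IP branch should pass it through, `run_iptables2 -A $action $proto $multiport $state $cli $sports $dest_interface $dports $ratelimit -j $target`, and likewise `fix_bang $proto $sports $multiport $state $cli $dest_interface $dports` for the log rule. Separately, the process_action header comment numbers its arguments `$1 = action`, `$1 = target`, `$2 = clients` … while the body reads `$1` through `$8`, and the add_an_action header says `check = current command` while the code tests `$command`; both comments should be corrected. `continue` inside do_it() is relied on to skip the calling while loop here and again in the process_rules hunk; POSIX leaves loop control across a function boundary unspecified, so having do_it return a distinct status for the wildcard paths and writing `do_it || continue` in the loop body is the portable form.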
@@ -2548,6 +2944,8 @@ process_rule() # $1 = target # Function Body - isolate rate limit + [ "x$ratelimit" = "x-" ] && ratelimit= + if [ -z "$ratelimit" ]; then if [ "$target" != "${target%<*}" ]; then ratelimit="${target#*<}" @@ -2559,9 +2957,6 @@ process_rule() # $1 = target if [ -n "$ratelimit" ]; then case $ratelimit in - -) - ratelimit= - ;; *:*) ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" ;; @@ -2599,7 +2994,11 @@ process_rule() # $1 = target case "$userset" in *:*) case $target in - ACCEPT|REJECT|DROP) + ACCEPT) + ;; + REJECT|DROP) + [ -n "$ratelimit" ] && fatal_error \ + "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG" ;; *) fatal_error ": may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\"" @@ -2625,9 +3024,13 @@ process_rule() # $1 = target target=`accept_chain $userset` ;; DROP) + [ -n "$ratelimit" ] && fatal_error \ + "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG" target=`drop_chain $userset` ;; REJECT) + [ -n "$ratelimit" ] && fatal_error \ + "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG" target=`reject_chain $userset` ;; *) @@ -2643,8 +3046,15 @@ process_rule() # $1 = target ACCEPT|LOG) ;; REJECT) + [ -n "$ratelimit" ] && fatal_error \ + "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG" target=reject ;; + CONTINUE) + [ -n "$ratelimit" ] && fatal_error \ + "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG" + target=RETURN + ;; DNAT) target=ACCEPT address=${address:=detect} @@ -2711,9 +3121,11 @@ process_rule() # $1 = target source=$clientzone if [ $source = $FW ]; then - source_hosts= || eval source_hosts=\"\$${source}_hosts\" + source_hosts= elif [ -n "$userset" ]; then fatal_error "Invalid use of a user set: rule \"$rule\"" + else + eval source_hosts=\"\$${source}_hosts\" fi if [ "$servers" = "${servers%:*}" ] ; then 
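Review bot: The check `[ -n "$ratelimit" ] && fatal_error "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"` is now pasted five times — the userset REJECT|DROP arm, the DROP and REJECT chain arms, and the REJECT and CONTINUE arms of the main case — and unlike the other fatal_error messages in process_rule it omits the offending rule text. A one-line helper, `no_ratelimit() { if [ -n "$ratelimit" ]; then fatal_error "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG: rule \"$rule\""; fi; }`, called as `no_ratelimit` in each arm, keeps the message in one place and gives the user the line to fix. process_rule's body extends well beyond these hunks.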
@@ -2876,41 +3288,56 @@ process_rules() # Process a rule where the source or destination is "all" # process_wildcard_rule() { + local yclients yservers ysourcezone ydestzone ypolicy + for yclients in $xclients; do for yservers in $xservers; do - if [ "${yclients}" != "${yservers}" ] ; then - process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset + ysourcezone=${yclients%%:*} + ydestzone=${yservers%%:*} + if [ "${ysourcezone}" != "${ydestzone}" ] ; then + eval ypolicy=\$${ysourcezone}2${ydestzone}_policy + if [ "$ypolicy" != NONE ] ; then + process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset + fi fi done done } + do_it() { + expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset + + if [ "x$xclients" = xall ]; then + xclients="$zones $FW" + if [ "x$xservers" = xall ]; then + xservers="$zones $FW" + fi + process_wildcard_rule + continue + fi + + if [ "x$xservers" = xall ]; then + xservers="$zones $FW" + process_wildcard_rule + continue + fi + + process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset + } + while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do temp="${xtarget%:*}" case "${temp%<*}" in ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) - expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset - - if [ "x$xclients" = xall ]; then - xclients="$zones $FW" - if [ "x$xservers" = xall ]; then - xservers="$zones $FW" - fi - process_wildcard_rule - continue - fi - - if [ "x$xservers" = xall ]; then - xservers="$zones $FW" - process_wildcard_rule - continue - fi - - process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset + do_it ;; *) - rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset`" - fatal_error "Invalid Action in 
rule \"$rule\"" + if list_search $temp $ACTIONS; then + do_it + else + rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset`" + fatal_error "Invalid Action in rule \"$rule\"" + fi ;; esac @@ -3115,7 +3542,7 @@ loadmodule() # $1 = module name, $2 - * arguments if [ -z "`lsmod | grep $modulename`" ]; then shift - for suffix in o gz ko o.gz ; do + for suffix in $MODULE_SUFFIX ; do modulefile=$MODULESDIR/${modulename}.${suffix} if [ -f $modulefile ]; then @@ -3362,7 +3789,7 @@ setup_masq() case $fullinterface in *:*:*) # Both alias name and subnet - destnet="${fullinterface##*:}" + destnets="${fullinterface##*:}" fullinterface="${fullinterface%:*}" ;; *:*) @@ -3370,17 +3797,17 @@ setup_masq() case ${fullinterface#*:} in *.*) # It's a subnet - destnet="${fullinterface#*:}" + destnets="${fullinterface#*:}" fullinterface="${fullinterface%:*}" ;; *) #it's an alias name - destnet="0.0.0.0/0" + destnets="0.0.0.0/0" ;; esac ;; *) - destnet="0.0.0.0/0" + destnets="0.0.0.0/0" ;; esac @@ -3397,7 +3824,6 @@ setup_masq() subnet="${subnet%!*}" fi - chain=`masq_chain $interface` source="$subnet" 
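Review bot: `for suffix in $MODULE_SUFFIX ; do` iterates zero times when MODULE_SUFFIX is empty, and the shorewall.conf hunk in this same commit ships `MODULE_SUFFIX=` empty while its comment still promises the `.o`, `.ko`, `.gz`, `o.gz` search; unless a default is applied elsewhere in the script (not visible here), no module file is ever found and loadmodule silently does nothing for any module not already resident, so match modules the rules depend on may be absent at load time. Restore the removed list as the fallback: `for suffix in ${MODULE_SUFFIX:-o gz ko o.gz} ; do`. loadmodule's body continues outside the hunk.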
@@ -3426,33 +3852,70 @@ setup_masq()
 done
 fi
- destination=$destnet
+ destination=$destnets
- if [ -n "$nomasq" ]; then
- newchain=masq${masq_seq}
- createnatchain $newchain
+ chain=`masq_chain $interface`
- if [ -n "$subnet" ]; then
- for s in $subnet; do
- addnatrule $chain -d $destnet -s $s -j $newchain
+ case $destnets in
+ !*)
+ newchain=masq${masq_seq}
+ createnatchain $newchain
+ destnets=${destnets#!}
+
+ for destnet in $(separate_list $destnets); do
+ addnatrule $newchain -d $destnet -j RETURN
 done
- else
- addnatrule $chain -d $destnet -j $newchain
- fi
- masq_seq=$(($masq_seq + 1))
- chain=$newchain
- subnet=
- destnet=
+ if [ -n "$subnet" ]; then
+ for s in $subnet; do
+ addnatrule $chain -s $s -j $newchain
+ done
+ subnet=
+ else
+ addnatrule $chain -j $newchain
+ fi
- for addr in `separate_list $nomasq`; do
- addnatrule $chain -s $addr -j RETURN
- done
+ masq_seq=$(($masq_seq + 1))
+ chain=$newchain
+ destnets=0.0.0.0/0
- source="$source except $nomasq"
- else
- destnet="-d $destnet"
- fi
+ if [ -n "$nonmasq" ]; then
+ for addr in `separate_list $nomasq`; do
+ addnatrule $chain -s $addr -j RETURN
+ done
+ source="$source except $nomasq"
+ fi
+ ;;
+ *)
+ if [ -n "$nomasq" ]; then
+ newchain=masq${masq_seq}
+ createnatchain $newchain
+
+ if [ -n "$subnet" ]; then
+ for s in $subnet; do
+ for destnet in $(separate_list $destnets); do
+ addnatrule $chain -d $destnet -s $s -j $newchain
+ done
+ done
+ else
+ for destnet in $(separate_list $destnets); do
+ addnatrule $chain -d $destnet -j $newchain
+ done
+ fi
+
+ masq_seq=$(($masq_seq + 1))
+ chain=$newchain
+ subnet=
+ destnets=0.0.0.0/0
+
+ for addr in `separate_list $nomasq`; do
+ addnatrule $chain -s $addr -j RETURN
+ done
+
+ source="$source except $nomasq"
+ fi
+ ;;
+ esac
 if [ -n "$addresses" ]; then
 temp=
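Review bot: The `!*)` arm guards the exclusion block with `if [ -n "$nonmasq" ]; then`, while the list is called `nomasq` everywhere else in this hunk (including the `separate_list $nomasq` on the very next line), so unless `nonmasq` is set somewhere outside the diff this block never runs: for a negated destination the `-s $addr -j RETURN` rules are never added, the hosts excluded from masquerading are masqueraded or SNATed after all, and the `except` note is not printed. The guard should read `if [ -n "$nomasq" ]; then`. After that fix the two arms differ only in whether `-d $destnet` is applied to the jump into `$newchain`, so the `masq_seq`/`chain`/`RETURN`/`source` bookkeeping could be hoisted after the `esac` instead of being kept in two copies. setup_masq continues before and after this hunk.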
@@ -3464,18 +3927,26 @@ setup_masq() if [ -n "$subnet" ]; then for s in $subnet; do if [ -n "$addresses" ]; then - addnatrule $chain -s $s $destnet -j SNAT $temp + for destnet in $(separate_list $destnets); do + addnatrule $chain -s $s -d $destnet -j SNAT $temp + done echo " To $destination from $s through ${interface} using $addresses" else - addnatrule $chain -s $s $destnet -j MASQUERADE + for destnet in $(separate_list $destnets); do + addnatrule $chain -s $s -d $destnet -j MASQUERADE + done echo " To $destination from $s through ${interface}" fi done elif [ -n "$address" ]; then - addnatrule $chain $destnet -j SNAT $temp + for destnet in $(separate_list $destnets); do + addnatrule $chain -d $destnet -j SNAT $temp + done echo " To $destination from $source through ${interface} using $addresses" else - addnatrule $chain $destnet -j MASQUERADE + for destnet in $(separate_list $destnets); do + addnatrule $chain -d $destnet -j MASQUERADE + done echo " To $destination from $source through ${interface}" fi @@ -3677,7 +4148,7 @@ add_ip_aliases() # # Get all of the lines that contain inet addresses # - ip addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do + ip -f inet addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do case $cidr in */*) if in_subnet $external $cidr; then 
@@ -3972,9 +4443,26 @@ build_common_chain() { # add_common_rules() { local savelogparms="$LOGPARMS" + local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4" # - # Reject Rules + # Reject Rules -- Don't respond to broadcasts with an ICMP # + qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP + if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then + # + # No pkttype support -- do it the hard way + # + for address in $broadcasts ; do + run_iptables -A reject -d $address -j DROP + done + fi + # + # Don't feed the smurfs + # + for address in $broadcasts ; do + run_iptables -A reject -s $address -j DROP + done + run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset run_iptables -A reject -p udp -j REJECT # @@ -4079,13 +4567,13 @@ add_common_rules() { strip_file rfc1918 - createchain rfc1918 no + createchain norfc1918 no - createchain logdrop no + createchain rfc1918 no - log_rule $RFC1918_LOG_LEVEL logdrop DROP + log_rule $RFC1918_LOG_LEVEL rfc1918 DROP - run_iptables -A logdrop -j DROP + run_iptables -A rfc1918 -j DROP if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then # 
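Review bot: The two `pkttype` rules are probed separately: the status of `qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP` is discarded, and only the multicast attempt decides whether the address-list fallback runs, so the code tolerates a state in which the broadcast rule was not installed and no fallback is added either. Making the first call the probe ties both outcomes together: `if qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP; then run_iptables -A reject -m pkttype --pkt-type multicast -j DROP; else` followed by the existing `for address in $broadcasts` loop. Bypassing `run_iptables` for the probe is presumably deliberate so that a missing match is not fatal; a one-line comment such as `# probe for pkttype support -- failure is expected and handled below` would keep someone from "fixing" it. Note that `$broadcasts` is captured once here from `find_broadcasts`, so addresses assigned afterwards are not covered until the chain is rebuilt.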
@@ -4097,27 +4585,30 @@ add_common_rules() { # Also add a chain to log and drop any RFC1918 packets that we find # run_iptables -t mangle -N man1918 - run_iptables -t mangle -N logdrop - log_rule $RFC1918_LOG_LEVEL logdrop DROP -t mangle - run_iptables -t mangle -A logdrop -j DROP + run_iptables -t mangle -N rfc1918 + log_rule $RFC1918_LOG_LEVEL rfc1918 DROP -t mangle + run_iptables -t mangle -A rfc1918 -j DROP fi while read subnet target; do case $target in - logdrop|DROP|RETURN) + logdrop) + target=rfc1918 + ;; + DROP|RETURN) ;; *) fatal_error "Invalid target ($target) for $subnet" ;; esac - run_iptables2 -A rfc1918 -s $subnet -j $target + run_iptables2 -A norfc1918 -s $subnet -j $target if [ -n "$CONNTRACK_MATCH" ]; then # # We have connection tracking match -- match on the original destination # - run_iptables2 -A rfc1918 -m conntrack --ctorigdst $subnet -j $target + run_iptables2 -A norfc1918 -m conntrack --ctorigdst $subnet -j $target elif [ -n "$MANGLE_ENABLED" ]; then # # No connection tracking match but we have mangling -- add a rule to @@ -4129,7 +4620,7 @@ add_common_rules() { for interface in $norfc1918_interfaces; do for chain in `first_chains $interface`; do - run_iptables -A $chain -m state --state NEW -j rfc1918 + run_iptables -A $chain -m state --state NEW -j norfc1918 done [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \ @@ -4235,19 +4726,8 @@ add_common_rules() { [ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter run_ip route flush cache fi - # - # IP Forwarding - # - case "$IP_FORWARDING" in - [Oo][Nn]) - echo 1 > /proc/sys/net/ipv4/ip_forward - echo "IP Forwarding Enabled" - ;; - [Oo][Ff][Ff]) - echo 0 > /proc/sys/net/ipv4/ip_forward - echo "IP Forwarding Disabled!" - ;; - esac + + setup_forwarding } # 
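Review bot: The new `logdrop)` arm rewrites the target to `rfc1918`, but nothing says that `logdrop` is accepted only for compatibility with rfc1918 files written before the rename (the removed code created a `logdrop` chain and accepted it as a target); a comment on the arm such as `# logdrop is the former name of the log-and-drop chain, kept for existing rfc1918 files` would stop a later cleanup from dropping it. The same rename is spread over the `@@ -4079` hunk above and the `@@ -4129` hunk below, so the three belong together if any of them is touched again. The `@@ -4235` hunk replaces the inline `IP_FORWARDING` handling with `setup_forwarding`, which is outside this diff, so whether unrecognised `IP_FORWARDING` values are still silently ignored cannot be checked here.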
@@ -4389,6 +4869,8 @@ activate_rules() echo "$FW $zone $chain1" >> ${STATEDIR}/chains echo "$zone $FW $chain2" >> ${STATEDIR}/chains + need_broadcast= + for host in $source_hosts; do interface=${host%:*} subnet=${host#*:} @@ -4406,8 +4888,19 @@ activate_rules() [ -n "$complex" ] && \ run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain + if [ "$subnet" != 0.0.0.0/0 ]; then + if ! list_search $interface $need_broadcast ; then + eval options=\$`chain_base ${interface}`_options + list_search detectnets $options && need_broadcast="$need_broadcast $interface" + fi + fi done + for interface in $need_broadcast ; do + run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1 + run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1 + done + for zone1 in $zones; do eval policy=\$${zone}2${zone1}_policy @@ -4473,6 +4966,7 @@ activate_rules() run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT done + } # @@ -4532,6 +5026,10 @@ define_firewall() # $1 = Command (Start or Restart) rules=`find_file rules` + echo "Processing Actions..." + + process_actions + echo "Processing $rules..." process_rules @@ -5057,6 +5555,8 @@ do_initialize() { LOGRULENUMBERS= ADMINISABSENTMINDED= BLACKLISTNEWONLY= + MODULE_SUFFIX= + ACTIONS= stopping= have_mutex= @@ -5207,6 +5707,8 @@ do_initialize() { fi ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED` BLACKLISTNEWONLY=`added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY` + [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz" + # # Strip the files that we use often # diff --git a/Lrp/usr/share/shorewall/help b/Lrp/usr/share/shorewall/help new file mode 100755 index 000000000..f3a0c8927 --- /dev/null +++ b/Lrp/usr/share/shorewall/help 
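Review bot: The two OUTPUT rules added per `detectnets` interface match only the limited broadcast `255.255.255.255` and the multicast block `224.0.0.0/4`, so subnet-directed broadcasts of the detected networks are not sent to `$chain1` by this loop; if that is intended, a comment on the loop, e.g. `# detectnets: limited-broadcast and multicast output on these interfaces goes to the fw->zone chain`, with the reason (presumably that the subnet-scoped rules above do not match those destinations), would make the scope explicit. `need_broadcast=` is reset after the per-zone `chains` bookkeeping, but the zone loop it belongs to starts before this hunk, so the dedup via `list_search $interface $need_broadcast` is per zone. In `do_initialize`, `MODULE_SUFFIX` gets a default but, unlike the neighbouring `added_param_value_no` settings, no normalisation; each suffix is later used unquoted in `$MODULESDIR/${modulename}.${suffix}`, so a value containing glob characters would be expanded there.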
@@ -0,0 +1,248 @@
+#!/bin/sh
+#
+# Shorewall help subsystem - V1.4 - 3/14/2003
+#
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2003 - Tom Eastep (teastep@shorewall.net)
+ Steve Herber (herber@thing.com)
+#
+# This file should be placed in /usr/share/shorewall/help
+#
+# Shorewall documentation is available at http://shorewall.sourceforge.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+##################################################################################
+
+case $1 in
+
+add)
+ echo "add: add [:]
+ Adds a host or subnet to a dynamic zone usually used with VPN's.
+
+ shorewall add interface[:host] zone - Adds the specified interface
+ (and host if included) to the specified zone.
+
+ Example:
+
+ shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
+ from interface ipsec0 to the zone vpn1.
+
+ See also \"help host\""
+ ;;
+
+address|host)
+ echo "<$1>:
+ May be either a host IP address such as 192.168.1.4 or a network address in
+ CIDR format like 192.168.1.0/24"
+ ;;
+
+allow)
+ echo "allow: allow
...
+ Re-enables receipt of packets from hosts previously blacklisted
+ by a drop or reject command.
+
+ Shorewall allow, drop, rejct and save implement dynamic blacklisting.
+
+ See also \"help address\""
+ ;;
+
+check)
+ echo "check: check [ -c ]
+ Performs a cursory validation of the zones, interfaces, hosts,
+ rules and policy files. Use this if you are unsure of any edits
+ you have made to the shorewall configuration. See the try command
+ examples for a recommended way to make changes."
+ ;;
+
+clear)
+ echo "clear: clear
+ Clear will remove all rules and chains installed by Shoreline.
+ The firewall is then wide open and unprotected. Existing
+ connections are untouched. Clear is often used to see if the
+ firewall is causing connection problems."
+ ;;
+
+debug)
+ echo "debug: debug
+ If you include the keyword debug as the first argument to any
+ of these commands:
+
+ start|stop|restart|reset|clear|refresh|check|add|delete
+
+ then a shell trace of the command is produced. For example:
+
+ shorewall debug start 2> /tmp/trace
+
+ The above command would trace the 'start' command and
+ place the trace information in the file /tmp/trace."
+ ;;
+
+delete)
+ echo "delete: delete [:]
+ Deletes a host or subnet from a dynamic zone usually used with VPN's.
+
+ shorewall delete interface[:host] zone - Deletes the specified
+ interface (and host if included) from the specified zone.
+
+ Example:
+
+ shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
+ 192.0.2.24 from interface ipsec0 from zone vpn1
+
+ See also \"help host\""
+ ;;
+
+drop)
+ echo "$1: $1
...
+ Causes packets from the specified
to be ignored
+
+ Shorewall allow, drop, rejct and save implement dynamic blacklisting.
+
+ See also \"help address\""
+ ;;
+
+help)
+ echo "help: help [ | host | address ]
+ Display helpful information about the shorewall commands."
+ ;;
+
+hits)
+ echo "hits: hits
+ Produces several reports about the Shorewall packet log messages
+ in the current /var/log/messages file."
+ ;;
+
+ipcalc)
+ echo "ipcalc: ipcalc [ address mask | address/vlsm ]
+ Ipcalc displays the network address, broadcast address,
+ network in CIDR notation and netmask corresponding to the input[s]."
+ ;;
+
+iprange)
+ echo "iprange: iprange address1-address2
+ Iprange decomposes the specified range of IP addresses into the
+ equivalent list of network/host addresses."
+ ;;
+
+logwatch)
+ echo "logwatch: logwatch []
+ Monitors the LOGFILE, $LOGFILE,
+ and produces an audible alarm when new Shorewall messages are logged."
+ ;;
+
+monitor)
+ echo "monitor: monitor []
+ Continuously display the firewall status, last 20 log entries and nat.
+ When the log entry display changes, an audible alarm is sounded."
+ ;;
+
+refresh)
+ echo "refresh: refresh
+ The rules involving the broadcast addresses of firewall interfaces,
+ the black list, traffic control rules and ECN control rules are recreated
+ to reflect any changes made. Existing connections are untouched"
+ ;;
+
+reject)
+ echo "$1: $1
...
+ Causes packets from the specified
to be rejected
+
+ Shorewall allow, drop, rejct and save implement dynamic blacklisting.
+
+ See also \"help address\""
+ ;;
+
+reset)
+ echo "reset: reset
+ All the packet and byte counters in the firewall are reset."
+ ;;
+
+restart)
+ echo "restart: restart [ -c ]
+ Restart is the same as a shorewall stop && shorewall start.
+ Existing connections are dropped."
+ ;;
+
+save)
+ echo "save: save
+ The dynamic data is stored in /var/lib/shorewall/save
+ Shorewall allow, drop, rejct and save implement dynamic blacklisting."
+ ;;
+
+show)
+ echo "show: show [ [ ...] |classifiers|connections|log|nat|tc|tos]
+ shorewall show [ ... ] - produce a verbose report about the IPtable chain(s).
+ (iptables -L chain -n -v)
+
+ shorewall show nat - produce a verbose report about the nat table.
+ (iptables -t nat -L -n -v)
+
+ shorewall show tos - produce a verbose report about the mangle table.
+ (iptables -t mangle -L -n -v)
+
+ shorewall show log - display the last 20 packet log entries.
+
+ shorewall show connections - displays the IP connections currently
+ being tracked by the firewall.
+
+ shorewall show tc - displays information about the traffic
+ control/shaping configuration."
+ ;;
+
+start)
+ echo "start: start [ -c ]
+ Start shorewall. Existing connections through shorewall managed
+ interfaces are untouched. New connections will be allowed only
+ if they are allowed by the firewall rules or policies."
+ ;;
+
+stop)
+ echo "stop: stop
+ Stops the firewall. All existing connections, except those
+ listed in /etc/shorewall/routestopped, are taken down.
+ The only new traffic permitted through the firewall
+ is from systems listed in /etc/shorewall/routestopped."
+ ;;
+
+status)
+ echo "status: status
+ Produce a verbose report about the firewall.
+
+ (iptables -L -n -v)"
+ ;;
+
+try)
+ echo "try: try [ ]
+ Restart shorewall using the specified configuration.
If an error
+ occurs during the restart, then another shorewall restart is performed
+ using the default configuration. If a timeout is specified then
+ the restart is always performed after the timeout occurs and uses
+ the default configuration."
+ ;;
+
+version)
+ echo "version: version
+ Show the current shorewall version which is: $version"
+ ;;
+
+*)
+ echo "$1: $1 is not recognized by the help command"
+ ;;
+
+esac
+
+exit 0 # always ok
+
diff --git a/Lrp/usr/share/shorewall/version b/Lrp/usr/share/shorewall/version
index b2e46d185..ac9f79cab 100644
--- a/Lrp/usr/share/shorewall/version
+++ b/Lrp/usr/share/shorewall/version
@@ -1 +1 @@
-1.4.8
+1.4.10
diff --git a/Lrp/var/lib/lrpkg/shorwall.conf b/Lrp/var/lib/lrpkg/shorwall.conf
index 35d6142ba..867c9cf66 100644
--- a/Lrp/var/lib/lrpkg/shorwall.conf
+++ b/Lrp/var/lib/lrpkg/shorwall.conf
@@ -24,3 +24,5 @@
 /etc/shorewall/accounting Account Traffic Accounting Rules
 /etc/shorewall/usersets UserSets User Set definitions
 /etc/shorewall/users Users " " "
+/etc/shorewall/actions Actions Define user actions
+/etc/shorewall/action.templage Template Template for user-defined actions
diff --git a/Lrp/var/lib/lrpkg/shorwall.version b/Lrp/var/lib/lrpkg/shorwall.version
index b2e46d185..ac9f79cab 100644
--- a/Lrp/var/lib/lrpkg/shorwall.version
+++ b/Lrp/var/lib/lrpkg/shorwall.version
@@ -1 +1 @@
-1.4.8
+1.4.10
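Review bot: The string `Shorewall allow, drop, rejct and save implement dynamic blacklisting.` is printed by the `allow`, `drop`, `reject` and `save` arms with "reject" misspelled; it should read `Shorewall allow, drop, reject and save implement dynamic blacklisting.` in all four places. The `*)` arm reports `$1 is not recognized by the help command` but the script still finishes with `exit 0 # always ok`, so a caller cannot tell an unknown topic from a successful lookup; if that is deliberate the comment could say why, otherwise a non-zero exit in that arm would be the usual choice. `$LOGFILE` and `$version` in the `logwatch` and `version` arms are taken from the environment and nothing in this file sets them, so they print empty unless the caller exports them.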
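Review bot: The added manifest line names `/etc/shorewall/action.templage`, which looks like a typo for `action.template` (the template file for user-defined actions that the same line describes); a package file list pointing at a name that does not exist would leave the real template unmanaged by the package tooling. The line should presumably read `/etc/shorewall/action.template Template Template for user-defined actions`.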