Shorewall 1.4.10

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1100 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-24 19:51:40 +02:00 · 2004-01-31 03:29:56 +00:00 · 2004-01-31 03:29:56 +00:00 · b222c76e33
commit b222c76e33
parent afee989ee5
14 changed files with 1109 additions and 125 deletions
--- a/Lrp/etc/shorewall/action.template
+++ b/Lrp/etc/shorewall/action.template
@ -0,0 +1,131 @@
 #
 # Shorewall 1.4 /etc/shorewall/action.template
 #
 #	This file is a template for files with names of the form 
 #	/etc/shorewall/action.<action-name> where <action> is an
 #	ACTION defined in /etc/shorewall/actions.
 #
 #	To define a new action:
 #
 #	1. Add the <action name> to /etc/shorewall/actions
 #	2. Copy this file to /etc/shorewall/action.<action name>
 #	3. Add the desired rules to that file.
 #
 # Columns are:
 #
 #
 #	TARGET		ACCEPT, DROP, REJECT, LOG, QUEUE or a
 #			previously-defined <action>
 #
 #				ACCEPT   -- allow the connection request
 #				DROP     -- ignore the request
 #				REJECT   -- disallow the request and return an
 #					    icmp-unreachable or an RST packet.
 #				LOG      -- Simply log the packet and continue.
 #				QUEUE	 -- Queue the packet to a user-space
 #					    application such as p2pwall.
 #				<action> -- An <action> defined in
 #					    /etc/shorewall/actions. The <action>
 #					    must appear in that file BEFORE the
 #					    one being defined in this file.
 #
 #			The TARGET may optionally be followed
 #			by ":" and a syslog log level (e.g, REJECT:info or
 #			ACCEPT:debugging). This causes the packet to be
 #			logged at the specified level.
 #
 #			You may also specify ULOG (must be in upper case) as a
 #			log level.This will log to the ULOG target for routing
 #			to a separate log through use of ulogd
 #			(http://www.gnumonks.org/projects/ulogd).
 #
 #	SOURCE		Source hosts to which the rule applies. 
 #			A comma-separated list of subnets
 #			and/or hosts. Hosts may be specified by IP or MAC
 #			address; mac addresses must begin with "~" and must use
 #			"-" as a separator.
 #
 #			192.168.2.2		Host 192.168.2.2
 #
 #			155.186.235.0/24	Subnet 155.186.235.0/24
 #
 #			192.168.1.1,192.168.1.2
 #						Hosts 192.168.1.1 and
 #						192.168.1.2.
 #			~00-A0-C9-15-39-78      Host with
 #                                               MAC address 00:A0:C9:15:39:78.
 #
 #			Alternatively, clients may be specified by interface
 #			name. For example, eth1 specifies a
 #			client that communicates with the firewall system
 #			through eth1. This may be optionally followed by
 #			another colon (":") and an IP/MAC/subnet address
 #			as described above (e.g., eth1:192.168.1.5).
 #
 #	DEST		Location of Server. Same as above with the exception that
 #			MAC addresses are not allowed.
 #
 #			Unlike in the SOURCE column, you may specify a range of
 #			up to 256 IP addresses using the syntax
 #			<first ip>-<last ip>.
 #
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
 #			"all".
 #
 #	DEST PORT(S)    Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be
 #			entered if any of the following ields are supplied.
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
 #			this list and the CLIENT PORT(S) list below:
 #			1. There are 15 or less ports listed.
 #			2. No port ranges are included.
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
 #	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
 #			any source port is acceptable. Specified as a comma-
 #			separated list of port names, port numbers or port
 #			ranges.
 #
 #			If you don't want to restrict client ports but need to
 #			specify an ADDRESS in the next column, then place "-"
 #			in this column.
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
 #			this list and the DEST PORT(S) list above:
 #			1. There are 15 or less ports listed.
 #			2. No port ranges are included.
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in 
 #			this column:
 # 
 #				<rate>/<interval>[:<burst>]
 #
 #			where <rate> is the number of connections per 
 #			<interval> ("sec" or "min") and <burst> is the
 #			largest burst permitted. If no <burst> is given,
 #			a value of 5 is assumed. There may be no
 #			no whitespace embedded in the specification.
 #
 #				Example: 10/sec:20
 #
 #			If you place a rate limit in this column, you may not
 #			place a similar limit in the TARGET column.
 #
 ######################################################################################
 #TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL	RATE
 #                       	        	PORT    PORT(S)    DEST		LIMIT
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Lrp/etc/shorewall/actions
+++ b/Lrp/etc/shorewall/actions
@ -0,0 +1,16 @@
 #
 # Shorewall 1.4 /etc/shorewall/actions
 #
 #	This file allows you to define new ACTIONS for use in rules 
 #	(/etc/shorewall/rules). You define the iptables rules to
 #	be performed in an ACTION in
 #	/etc/shorewall/action.<action-name>.
 #
 #	ACTION names should begin with an upper-case letter to
 #	distinguish them from Shorewall-generated chain names and
 #	they must need the requirements of a Netfilter chain
 #	name. 
 #
 #ACTION
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
--- a/Lrp/etc/shorewall/common.def
+++ b/Lrp/etc/shorewall/common.def
@ -16,12 +16,12 @@ run_iptables -A common -p icmp -j icmpdef
 ############################################################################
 # NETBIOS chatter
 #
-run_iptables -A common -p udp --dport 135	  -j reject
+run_iptables -A common -p udp --dport 135	  -j DROP
-run_iptables -A common -p udp --dport 137:139     -j reject
+run_iptables -A common -p udp --dport 137:139     -j DROP
-run_iptables -A common -p udp --dport 445         -j reject
+run_iptables -A common -p udp --dport 445         -j DROP
-run_iptables -A common -p tcp --dport 139         -j reject
+run_iptables -A common -p tcp --dport 139         -j DROP
-run_iptables -A common -p tcp --dport 445         -j reject
+run_iptables -A common -p tcp --dport 445         -j DROP
-run_iptables -A common -p tcp --dport 135	  -j reject
+run_iptables -A common -p tcp --dport 135	  -j DROP
 ############################################################################
 # UPnP
 #
@ -37,7 +37,13 @@ run_iptables -A common -d 224.0.0.0/4     -j DROP
 run_iptables -A common -p tcp --dport 113 -j reject
 ############################################################################
 # DNS -- Silenty drop late replies
 #
 run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
 ############################################################################
 # ICMP -- Silently drop null-address ICMPs
 #
 run_iptables -A common -p icmp -s 0.0.0.0 -j DROP
 run_iptables -A common -p icmp -d 0.0.0.0 -j DROP
--- a/Lrp/etc/shorewall/interfaces
+++ b/Lrp/etc/shorewall/interfaces
@ -103,6 +103,11 @@
 #				       This option has no effect if 
 #				       NEWNOTSYN=Yes.
 #
 #			routeback    - If specified, indicates that Shorewall
 #				       should include rules that allow filtering
 #				       traffic arriving on this interface back
 #				       out that same interface.
 #
 #			arp_filter   - If specified, this interface will only
 #				       respond to ARP who-has requests for IP
 #				       addresses configured on the interface.
@ -112,6 +117,13 @@
 #                                      interface. The interface must be up
 #				       when Shorewall is started.
 #
 #			detectnets   - Automatically taylors the zone named
 #				       in the ZONE column to include only those
 #				       hosts routed through the interface.
 #
 #		        WARNING: DO NOT SET THE detectnets OPTION ON YOUR
 #			         INTERNET INTERFACE!
 #
 #			The order in which you list the options is not
 #			significant but the list should have no embedded white
 #			space.
--- a/Lrp/etc/shorewall/masq
+++ b/Lrp/etc/shorewall/masq
@ -18,7 +18,12 @@
 #		     PLACE IN YOUR SHOREWALL CONFIGURATION.
 #
 #		     This may be qualified by adding the character
-#                    ":" followed by a destination host or subnet.
+#                    ":" followed by a comma-separed list of
 #                    destination hosts or subnets. If this list begins with
 #		     "!" then masquerading will occur if and only if the
 #		     connection destination is NOT included in the list. 
 #		     Otherwise, the masquerading will occur if and only if
 #		     the destination IS included in the list.
 #
 #
 #	SUBNET -- Subnet that you wish to masquerade. You can specify this as
--- a/Lrp/etc/shorewall/rfc1918
+++ b/Lrp/etc/shorewall/rfc1918
@ -48,14 +48,13 @@
 58.0.0.0/7		logdrop		# Reserved
 70.0.0.0/7		logdrop		# Reserved
 72.0.0.0/5		logdrop		# Reserved
-83.0.0.0/8		logdrop		# Reserved
+85.0.0.0/8		logdrop		# Reserved
-84.0.0.0/6		logdrop		# Reserved
+86.0.0.0/7		logdrop		# Reserved
 88.0.0.0/5		logdrop		# Reserved
 96.0.0.0/3		logdrop		# Reserved
 127.0.0.0/8		logdrop		# Loopback
 197.0.0.0/8		logdrop		# Reserved
 198.18.0.0/15		logdrop		# Reserved
 201.0.0.0/8		logdrop		# Reserved - Central & South America
 223.0.0.0/8		logdrop		# Reserved - Returned by APNIC in 2003
 240.0.0.0/4		logdrop		# Reserved
 #
--- a/Lrp/etc/shorewall/rules
+++ b/Lrp/etc/shorewall/rules
@ -15,8 +15,8 @@
 # Columns are:
 #
 #
-#	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE
+#	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
-#			or LOG.
+#			LOG or an <action>.
 #
 #				ACCEPT   -- allow the connection request
 #				DROP     -- ignore the request
@ -48,6 +48,8 @@
 #				LOG      -- Simply log the packet and continue.
 #				QUEUE	 -- Queue the packet to a user-space
 #					    application such as p2pwall.
 #				<action> -- The name of an action defined in
 #					    /etc/shorewall/actions.
 #
 #			You may rate-limit the rule by optionally
 #			following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
--- a/Lrp/etc/shorewall/shorewall.conf
+++ b/Lrp/etc/shorewall/shorewall.conf
@ -202,9 +202,8 @@ SHOREWALL_SHELL=/bin/sh
 # SUBSYSTEM LOCK FILE
 #
 # Set this to the name of the lock file expected by your init scripts. For
-# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
+# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
-# should be /var/state/shorewall. If your init scripts don't use lock files,
+# use lock files, set this to "".
 # set this to "".
 #
 SUBSYSLOCK=/var/run/shorewall
@ -222,7 +221,7 @@ STATEDIR=/tmp/shorewall
 # KERNEL MODULE DIRECTORY
 #
 # If your netfilter kernel modules are in a directory other than
-# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
+# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
 # directory in this variable. Example: MODULESDIR=/etc/modules.
 MODULESDIR=
@ -418,13 +417,30 @@ MUTEX_TIMEOUT=60
 #
 # NEWNOTSYN
 #
-# If this variable is set to "No" or "no", then when a TCP packet that does
+# TCP connections are established using the familiar three-way "handshake":
 # not have the SYN flag set and the ACK and RST flags clear then unless the
 # packet is part of an established connection, it will be dropped by the
 # firewall
 #
-# If this variable is set to "Yes" or "yes" then such packets will not be
+#	CLIENT			SERVER
-# dropped but will pass through the normal rule processing.
+#
 #	SYN-------------------->
 #            <------------------SYN,ACK
 #       ACK-------------------->
 #
 # The first packet in that exchange (packet with the SYN flag on and the ACK
 # and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
 # A packet is said to be NEW if it is not part of or related to an already
 # established connection.
 #
 # The NETNOTSYN option determines the handling of non-SYN packets (those with
 # SYN off or with ACK or RST on) that are not associated with an already
 # established connection.
 # 
 # If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
 # part of an already established connection, it will be dropped by the
 # firewall. The setting of LOGNEWNOTSYN above determines if these packets are
 # logged before they are dropped.
 #
 # If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
 # dropped but will pass through the normal rule/policy processing.
 #
 # Users with a High-availability setup with two firewall's and one acting
 # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
@ -432,8 +448,15 @@ MUTEX_TIMEOUT=60
 #
 # The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis 
 # using the 'newnotsyn' option in /etc/shorewall/interfaces.
 #
 # I find that NEWNOTSYN=No tends to result in lots of "stuck"
 # connections because any network timeout during TCP session tear down
 # results in retries being dropped (Netfilter has removed the
 # connection from the conntrack table but the end-points haven't
 # completed shutting down the connection).  I therefore have chosen
 # NEWNOTSYN=Yes as the default value.
-NEWNOTSYN=No
+NEWNOTSYN=Yes
 #
 # FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
@ -486,6 +509,29 @@ ADMINISABSENTMINDED=Yes
 #
 BLACKLISTNEWONLY=Yes
 # MODULE NAME SUFFIX
 #
 # When loading a module named in /etc/shorewall/modules, Shorewall normally
 # looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
 # end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different
 # naming convention then you can specify the suffix (extension) for module 
 # names in this variable.
 #
 # To see what suffix is used by your distribution:
 #
 #     ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
 #
 # All of the file names listed should have the same suffix (extension). Set
 # MODULE_SUFFIX to that suffix.
 #
 # Examples: 
 #
 #	If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
 #	If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
 #
 MODULE_SUFFIX=
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################
--- a/Lrp/etc/shorewall/tcrules
+++ b/Lrp/etc/shorewall/tcrules
@ -57,7 +57,22 @@
 #			any source port is acceptable. Specified as a comma-
 #			separated list of port names, port numbers or port
 #			ranges.
 #
 #	USER		This column may only be non-empty if the SOURCE is
 #			the firewall itself.
 #
 #			When this column is non-empty, the rule applies only
 #			if the program generating the output is running under
 #			the effective user and/or group.
 #
 #			It may contain :
 #
 #			   [<user name or number>]:[<group name or number>]
 #
 #			The colon is optionnal when specifying only a user.
 #			Examples : john: / john / :users / john:users	
 #
 ##############################################################################
-#MARK		SOURCE 		DEST		PROTO	PORT(S)	CLIENT
+#MARK		SOURCE 		DEST		PROTO	PORT(S)	CLIENT	USER
 #								PORT(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Lrp/usr/share/shorewall/firewall
+++ b/Lrp/usr/share/shorewall/firewall
@ -564,11 +564,21 @@ determine_hosts() {
 	eval interfaces=\$${zone}_interfaces
 	for interface in $interfaces; do
-	    if [ -z "$hosts" ]; then
+	    eval options=\$`chain_base ${interface}`_options
-		hosts=$interface:0.0.0.0/0
+
 	    if list_search detectnets $options; then
 		subnets=`get_routed_subnets $interface`
 	    else
-		hosts="$hosts $interface:0.0.0.0/0"
+		subnets=0.0.0.0/0
 	    fi
 	    for subnet in $subnets; do
 		if [ -z "$hosts" ]; then
 		    hosts=$interface:$subnet
 		else
 		    hosts="$hosts $interface:$subnet"
 		fi
 	    done
 	done
 	interfaces=
@ -611,6 +621,8 @@ validate_zone() # $1 = zone
 # Validate the zone names and options in the interfaces file
 #
 validate_interfaces_file() {
    local wildcard
    while read z interface subnet options; do
 	expandv z interface subnet options
 	r="$z $interface $subnet $options"
@ -628,10 +640,15 @@ validate_interfaces_file() {
 	list_search $interface $all_interfaces && \
 	    startup_error "Duplicate Interface $interface"
 	wildcard=
 	case $interface in
 	    *:*)
 		startup_error "Invalid Interface Name: $interface"
 		;;
 	    *+*)
 		wildcard=Yes
 		;;
 	esac
 	all_interfaces="$all_interfaces $interface"
@ -646,6 +663,10 @@ validate_interfaces_file() {
 	    case $option in
 		dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|-)
 		    ;;
 		detectnets)
 		    [ -n "$wildcard" ] && \
 			startup_error "The \"detectnets\" option may not be used with a wild-card interface"
 		    ;;
 		dropunclean|logunclean)
 		    error_message \
 			"Warning: The 'dropunclean' and 'logunclean' options will be removed in a future release"
@ -844,7 +865,7 @@ find_broadcasts() {
    for interface in $all_interfaces; do
 	eval bcast=\$`chain_base $interface`_broadcast
 	if [ "x$bcast" = "xdetect" ]; then
-	    addr="`ip addr show $interface 2> /dev/null`"
+	    addr="`ip -f inet addr show $interface 2> /dev/null`"
 	    if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
 		addr="`echo "$addr" | \
 		grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`"
@ -1027,6 +1048,22 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
    log_rule_limit $level $chain $disposition "$LOGLIMIT" $@
 }
 #
 # Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
 #
 setup_forwarding() {
    case "$IP_FORWARDING" in
    [Oo][Nn])
 	echo 1 > /proc/sys/net/ipv4/ip_forward
 	echo "IP Forwarding Enabled"
 	;;
    [Oo][Ff][Ff])
 	echo 0 > /proc/sys/net/ipv4/ip_forward
 	echo "IP Forwarding Disabled!"
 	;;
    esac
 }
 #
 # Stop the Firewall
 #
@ -1118,14 +1155,7 @@ stop_firewall() {
 	    iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
    done
-    case "$IP_FORWARDING" in
+    setup_forwarding
    [Oo][Nn])
 	echo 1 > /proc/sys/net/ipv4/ip_forward
 	;;
    [Oo][Ff][Ff])
 	echo 0 > /proc/sys/net/ipv4/ip_forward
 	;;
    esac
    run_user_exit stopped
@ -1700,6 +1730,25 @@ process_tc_rule()
 	    esac
 	fi
 	if [ "x$user" != "x-" ]; then
 	    [ "$chain" != tcout ] && \
 		fatal_error "Invalid use of a user/group: rule \"$rule\""
 	    case "$user" in
 		*:*)
 		    r="$r-m owner"
 		    temp="${user%:*}"
 		    [ -n "$temp" ] && r="$r --uid-owner $temp " 
 		    temp="${user#*:}"
 		    [ -n "$temp" ] && r="$r --gid-owner $temp "
 		    ;;
 		*)
 		    r="$r-m owner --uid-owner $user "
 		    ;;
 	    esac
 	fi
 	[ "x$dest"   = "x-"  ] || r="${r}-d $dest "
 	[ "$proto"   = "all" ] || r="${r}-p $proto "
 	[ "x$port"   = "x-"  ] || r="${r}--dport $port "
@ -1758,9 +1807,9 @@ setup_tc1() {
    #
    strip_file tcrules
-    while read mark sources dests proto ports sports; do
+    while read mark sources dests proto ports sports user; do
-	expandv mark sources dests proto ports sports
+	expandv mark sources dests proto ports sports user
-	rule=`echo "$mark $sources $dests $proto $ports $sports"`
+	rule=`echo "$mark $sources $dests $proto $ports $sports $user"`
 	process_tc_rule
    done < $TMP_DIR/tcrules
    #
@ -2063,6 +2112,10 @@ check_config() {
    validate_policy
    echo "Validating Actions..."
    process_actions
    echo "Validating rules file..."
    rules=`find_file rules`
@ -2113,6 +2166,349 @@ refresh_tc() {
 }
 #
 # Add one Filter Rule from an action -- Helper function for the action file processor
 #
 # The caller has established the following variables:
 #    check       = current command. If 'check', we're executing a 'check'
 #                  which only goes through the motions.
 #    client	 = SOURCE IP or MAC
 #    server	 = DESTINATION IP or interface
 #    protocol	 = Protocol
 #    address	 = Original Destination Address
 #    port	 = Destination Port
 #    cport	 = Source Port
 #    multioption = String to invoke multiport match if appropriate
 #    action	 = The chain for this rule
 #    ratelimit   = Optional rate limiting clause
 #
 add_an_action()
 {
    do_ports() {
 	if [ -n "$port" ]; then
 	    dports="--dport"
 	    if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
 		multiport="$multioption"
 		dports="--dports"
 	    fi
 	    dports="$dports $port"
 	fi
 	if [ -n "$cport" ]; then
 	    sports="--sport"
 	    if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
 		multiport="$multioption"
 		sports="--sports"
 	    fi
 	    sports="$sports $cport"
 	fi
    }
    # Set source variables. The 'cli' variable will hold the client match predicate(s).
    cli=
    case "$client" in
    -)
 	;;
    *:*)
 	cli="-i ${client%:*} -s ${client#*:}"
 	;;
    *.*.*)
 	cli="-s $client"
 	;;
    ~*)
 	cli=`mac_match $client`
 	;;
    *)
 	[ -n "$client" ] && cli="-i $client"
 	;;
    esac
    # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s).
    dest_interface=
    serv=
    case "$server" in
    -)
 	;;
    *.*.*)
 	serv=$server
 	;;
    ~*)
 	fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
 	;;
    *)
 	[ -n "$server" ] && dest_interface="-o $server"
 	;;
    esac
    # Setup protocol and port variables
    sports=
    dports=
    state="-m state --state NEW"
    proto=$protocol
    servport=$serverport
    multiport=
    [ x$port  = x- ] && port=
    [ x$cport = x- ] && cport=
    case $proto in
 	tcp|TCP|6)
 	    do_ports
 	    [ "$target" = QUEUE ] && proto="$proto --syn"
 	    ;;
 	udp|UDP|17)
 	    do_ports
 	    ;;
 	icmp|ICMP|1)
 	    [ -n "$port" ]  && 	dports="--icmp-type $port"
 	    state=
 	    ;;
 	all|ALL)
 	    [ -n "$port" ] && \
 		fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
 	    proto=
 	    ;;
 	*)
 	    state=
 	    [ -n "$port" ] && \
 		fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
 	    ;;
    esac
    proto="${proto:+-p $proto}"
    # Some misc. setup
    case "$logtarget" in
 	LOG)
 	    [ -z "$loglevel" ] && fatal_error "LOG requires log level"
 	    ;;
    esac
    if [ $command != check ]; then
       if [ -n "${serv}" ]; then
 	    for serv1 in `separate_list $serv`; do
 		for srv in `ip_range $serv1`; do
 		    if [ -n "$loglevel" ]; then
 			log_rule_limit $loglevel $action $logtarget "$ratelimit" \
 			    `fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
 		    fi
 		    run_iptables2 -A $action $proto $multiport $state $cli $sports \
 			-d $srv $dports $ratelimit -j $target
 		done
 	    done
 	else
 	    if [ -n "$loglevel" ]; then
 		log_rule_limit $loglevel $action $logtarget "$ratelimit" \
 		    `fix_bang $proto $sports $multiport $state $cli $dports`
 	    fi
 	    run_iptables2 -A $action $proto $multiport $state $cli $sports \
 		$dports $ratelimit -j $target
 	fi
    fi
 }
 #
 # Process a record from an action file for the 'start', 'restart' or 'check' commands
 #
 process_action() # $1 = action
                 # $1 = target
                 # $2 = clients
                 # $3 = servers
                 # $4 = protocol
                 # $5 = ports
                 # $6 = cports
                 # $7 = ratelimit
 {
    local action="$1"
    local target="$2"
    local clients="$3"
    local servers="$4"
    local protocol="$5"
    local ports="$6"
    local cports="$7"
    local ratelimit="$8"
    local rule="`echo $target $clients $servers $protocol $ports $cports $ratelimit`"
    if [ -n "$ratelimit" ]; then
 	case $ratelimit in
 	    -)
 		ratelimit=
 		;;
 	    *:*)
 		ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
 		;;
 	    *)
 		ratelimit="-m limit --limit $ratelimit"
 		;;
 	esac
    fi
    # Isolate log level
    if [ "$target" = "${target%:*}" ]; then
 	loglevel=
    else
 	loglevel="${target#*:}"
 	target="${target%:*}"
 	expandv loglevel
    fi
    logtarget="$target"
    case $target in
 	ACCEPT|LOG)
 	    ;;
 	REJECT)
 	    target=reject
 	    ;;
 	*)
 	    ;;
 	esac
    # Generate Netfilter rule(s)
    [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
    if [ -n "$MULTIPORT" ] && \
 	! list_search $protocol "icmp" "ICMP" "1" && \
 	[ "$ports" = "${ports%:*}" -a \
 	"$cports" = "${cports%:*}" -a \
 	`list_count $ports` -le 15 -a \
 	`list_count $cports` -le 15 ]
 	then
 	#
 	# MULTIPORT is enabled, there are no port ranges in the rule and less than
 	# 16 ports are listed - use multiport match.
 	#
 	multioption="-m multiport"
 	for client in `separate_list ${clients:=-}`; do
 	    for server in `separate_list ${servers:=-}`; do
 		#
 		# add_a_rule() modifies these so we must set their values each time
 		#
 		port=${ports:=-}
 		cport=${cports:=-}
 		add_an_action
 	    done
 	done
    else
 	#
 	# MULTIPORT is disabled or the rule isn't compatible with multiport match
 	#
 	multioption=
 	for client in `separate_list ${clients:=-}`; do
 	    for server in `separate_list ${servers:=-}`; do
 		for port in `separate_list ${ports:=-}`; do
 		    for cport in `separate_list ${cports:=-}`; do
 			add_an_action
 		    done
 		done
 	    done
 	done
    fi
    #
    # Report Result
    #
    if [ $command = check ]; then
 	echo "   Rule \"$rule\" checked."
    else
 	echo "   Rule \"$rule\" added."
    fi
 }
 #
 # Read /etc/shorewall/actions and for each defined <action>, process 
 # /etc/shorewall/action.<action>
 #
 process_actions() {
    #
    # Process a rule where the source or destination is "all"
    #
    process_wildcard_rule() {
 	local yclients yservers ysourcezone ydestzone ypolicy
 	for yclients in $xclients; do
 	    for yservers in $xservers; do
 		ysourcezone=${yclients%%:*}
 		ydestzone=${yservers%%:*}
 		if [ "${ysourcezone}" != "${ydestzone}" ] ; then
 		    eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
 		    if [ "$ypolicy" != NONE ] ; then
 			process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit
 		    fi
 		fi
 	    done
 	done
    }
    do_it() {
 	expandv xclients xservers xprotocol xports xcports xratelimit
 	if [ "x$xclients" = xall ]; then
 	    xclients="$zones $FW"
 	    if [ "x$xservers" = xall ]; then
 		xservers="$zones $FW"
 	    fi
 	    process_wildcard_rule
 	    continue
 	fi
 	if [ "x$xservers" = xall ]; then
 	    xservers="$zones $FW"
 	    process_wildcard_rule
 	    continue
 	fi
 	process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit
    }
    strip_file actions
    while read xaction rest; do
 	[ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest"
 	[ "$command" = check ] || createchain $xaction No
 	f=action.$xaction
 	fn=`find_file $f`
 	if [ -f $fn ]; then
 	    echo "Processing $fn..."
 	    strip_file $f $fn
 	    while read xtarget xclients xservers xprotocol xports xcports xratelimit ; do
 		expandv xtarget
 		temp="${xtarget%:*}"
 		case "${temp%<*}" in
 		    ACCEPT|DROP|REJECT|LOG|QUEUE)
 			do_it
 			;;
 		    *)
 			if list_search $temp $ACTIONS; then
 			    do_it
 			else
 			    rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit`"
 			    fatal_error "Invalid TARGET in rule \"$rule\""
 			fi
 			;;
 		esac
 	    done < $TMP_DIR/$f
 	else
 	    fatal_error "Missing Action File: $f"
 	fi
 	ACTIONS="$ACTIONS $xaction"
    done < $TMP_DIR/actions
 }
 #
 # Add a NAT rule - Helper function for the rules file processor
 #
@ -2548,6 +2944,8 @@ process_rule() # $1 = target
    # Function Body - isolate rate limit
    [ "x$ratelimit" = "x-" ] && ratelimit=
    if [ -z "$ratelimit" ]; then
 	if [ "$target" != "${target%<*}" ]; then
 	    ratelimit="${target#*<}"
@ -2559,9 +2957,6 @@ process_rule() # $1 = target
    if [ -n "$ratelimit" ]; then
 	case $ratelimit in
 	    -)
 		ratelimit=
 		;;
 	    *:*)
 		ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
 		;;
@ -2599,7 +2994,11 @@ process_rule() # $1 = target
 	case "$userset" in
 	    *:*)
 		case $target in 
-		    ACCEPT|REJECT|DROP)
+		    ACCEPT)
 			;;
 		    REJECT|DROP)
 			[ -n "$ratelimit" ] && fatal_error \
 			    "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
 			;;
 		    *)
 			fatal_error "<user>:<group> may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
@ -2625,9 +3024,13 @@ process_rule() # $1 = target
 			target=`accept_chain $userset`
 			;;
 		    DROP)
 			[ -n "$ratelimit" ] && fatal_error \
 			    "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
 			target=`drop_chain $userset`
 			;;
 		    REJECT)
 			[ -n "$ratelimit" ] && fatal_error \
 			    "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
 			target=`reject_chain $userset`
 			;;
 		    *)
@ -2643,8 +3046,15 @@ process_rule() # $1 = target
 	    ACCEPT|LOG)
 		;;
 	    REJECT)
 		[ -n "$ratelimit" ] && fatal_error \
 		    "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
 		target=reject
 		;;
 	    CONTINUE)
 		[ -n "$ratelimit" ] && fatal_error \
 		    "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
 		target=RETURN
 		;;
 	    DNAT)
 		target=ACCEPT
 		address=${address:=detect}
@ -2711,9 +3121,11 @@ process_rule() # $1 = target
    source=$clientzone
    if [ $source = $FW ]; then
-	source_hosts= || eval source_hosts=\"\$${source}_hosts\"
+	source_hosts=
    elif [ -n "$userset" ]; then
 	fatal_error "Invalid use of a user set: rule \"$rule\""
    else
 	eval source_hosts=\"\$${source}_hosts\"
    fi
    if [ "$servers" = "${servers%:*}" ] ; then
@ -2876,19 +3288,23 @@ process_rules()
    # Process a rule where the source or destination is "all"
    #
    process_wildcard_rule() {
 	local yclients yservers ysourcezone ydestzone ypolicy
 	for yclients in $xclients; do
 	    for yservers in $xservers; do
-		if [ "${yclients}" != "${yservers}" ] ; then
+		ysourcezone=${yclients%%:*}
 		ydestzone=${yservers%%:*}
 		if [ "${ysourcezone}" != "${ydestzone}" ] ; then
 		    eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
 		    if [ "$ypolicy" != NONE ] ; then
 			process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
 		    fi
 		fi
 	    done
 	done
    }
-    while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do
+    do_it() {
 	temp="${xtarget%:*}"
 	case "${temp%<*}" in
 	    ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
 	expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset
 	if [ "x$xclients" = xall ]; then
@ -2907,10 +3323,21 @@ process_rules()
 	fi
 	process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
    }
    while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do
 	temp="${xtarget%:*}"
 	case "${temp%<*}" in
 	    ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
 		do_it
 		;;
 	    *)
 		if list_search $temp $ACTIONS; then
 		    do_it
 		else
 		    rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset`"
 		    fatal_error "Invalid Action in rule \"$rule\""
 		fi
 		;;
 	esac
@ -3115,7 +3542,7 @@ loadmodule() # $1 = module name, $2 - * arguments
    if [ -z "`lsmod | grep $modulename`" ]; then
 	shift
-	for suffix in o gz ko o.gz ; do
+	for suffix in $MODULE_SUFFIX ; do
 	    modulefile=$MODULESDIR/${modulename}.${suffix}
 	    if [ -f $modulefile ]; then
@ -3362,7 +3789,7 @@ setup_masq()
 	case $fullinterface in
 	    *:*:*)
 		# Both alias name and subnet
-		destnet="${fullinterface##*:}"
+		destnets="${fullinterface##*:}"
 		fullinterface="${fullinterface%:*}"
 		;;
 	    *:*)
@ -3370,17 +3797,17 @@ setup_masq()
 		case ${fullinterface#*:} in
 		    *.*)
 			# It's a subnet
-			destnet="${fullinterface#*:}"
+			destnets="${fullinterface#*:}"
 			fullinterface="${fullinterface%:*}"
 			;;
 		    *)
 			#it's an alias name
-			destnet="0.0.0.0/0"
+			destnets="0.0.0.0/0"
 			;;
 		esac
 		;;
 	    *)
-		destnet="0.0.0.0/0"
+		destnets="0.0.0.0/0"
 		;;
 	esac
@ -3397,7 +3824,6 @@ setup_masq()
 	    subnet="${subnet%!*}"
 	fi
 	chain=`masq_chain $interface`
 	source="$subnet"
@ -3426,33 +3852,70 @@ setup_masq()
 	    done
 	fi
-	destination=$destnet
+	destination=$destnets
 	chain=`masq_chain $interface`
 	case $destnets in
 	    !*)
 		newchain=masq${masq_seq}
 		createnatchain $newchain
 		destnets=${destnets#!}
 		for destnet in $(separate_list $destnets); do
 		    addnatrule $newchain -d $destnet -j RETURN
 		done
 		if [ -n "$subnet" ]; then
 		    for s in $subnet; do
 			addnatrule $chain -s $s -j $newchain
 		    done
 		    subnet=
 		else
 		    addnatrule $chain -j $newchain
 		fi
 		masq_seq=$(($masq_seq + 1))
 		chain=$newchain
 		destnets=0.0.0.0/0
 		if [ -n "$nonmasq" ]; then
 		    for addr in `separate_list $nomasq`; do
 			addnatrule $chain -s $addr -j RETURN
 		    done
 		    source="$source except $nomasq"
 		fi
 		;;
 	    *)
 		if [ -n "$nomasq" ]; then
 		    newchain=masq${masq_seq}
 		    createnatchain $newchain
 		    if [ -n "$subnet" ]; then
 			for s in $subnet; do
 			    for destnet in $(separate_list $destnets); do
 				addnatrule $chain -d $destnet -s $s -j $newchain
 			    done
 			done
 		    else
 			for destnet in $(separate_list $destnets); do
 			    addnatrule $chain -d $destnet -j $newchain
 			done
 		    fi
 		    masq_seq=$(($masq_seq + 1))
 		    chain=$newchain
 		    subnet=
-	    destnet=
+		    destnets=0.0.0.0/0
 		    for addr in `separate_list $nomasq`; do
 			addnatrule $chain -s $addr -j RETURN
 		    done
 		    source="$source except $nomasq"
 	else
 	    destnet="-d $destnet"
 		fi
 		;;
 	esac
 	if [ -n "$addresses" ]; then
 	    temp=
@ -3464,18 +3927,26 @@ setup_masq()
 	if [ -n "$subnet" ]; then
 	    for s in $subnet; do
 		if [ -n "$addresses" ]; then
-		    addnatrule $chain -s $s $destnet -j SNAT $temp
+		    for destnet in $(separate_list $destnets); do
 			addnatrule $chain -s $s -d $destnet -j SNAT $temp
 		    done
 		    echo "   To $destination from $s through ${interface} using $addresses"
 		else
-		    addnatrule $chain -s $s $destnet -j MASQUERADE
+		    for destnet in $(separate_list $destnets); do
 			addnatrule $chain -s $s -d $destnet -j MASQUERADE
 		    done
 		    echo "   To $destination from $s through ${interface}"
 		fi
 	    done
 	elif [ -n "$address" ]; then
-	    addnatrule $chain $destnet -j SNAT $temp
+	    for destnet in $(separate_list $destnets); do
 		addnatrule $chain -d $destnet -j SNAT $temp
 	    done
 	    echo "   To $destination from $source through ${interface} using $addresses"
 	else
-	    addnatrule $chain $destnet -j MASQUERADE
+	    for destnet in $(separate_list $destnets); do
 		addnatrule $chain -d $destnet -j MASQUERADE
 	    done
 	    echo "   To $destination from $source through ${interface}"
 	fi
@ -3677,7 +4148,7 @@ add_ip_aliases()
 	#
 	# Get all of the lines that contain inet addresses 
 	#
-	ip addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do
+	ip -f inet addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do
 	    case $cidr in
 		*/*)
 		    if in_subnet $external $cidr; then
@ -3972,9 +4443,26 @@ build_common_chain() {
 #
 add_common_rules() {
    local savelogparms="$LOGPARMS"
    local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
    #
-    # Reject Rules
+    # Reject Rules -- Don't respond to broadcasts with an ICMP
    #
    qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
    if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
 	#
 	# No pkttype support -- do it the hard way
 	#
 	for address in $broadcasts ; do
 	    run_iptables -A reject -d $address -j DROP
 	done
    fi
    #
    # Don't feed the smurfs
    #
    for address in $broadcasts ; do
 	run_iptables -A reject -s $address -j DROP
    done
    run_iptables -A reject -p tcp  -j REJECT --reject-with tcp-reset
    run_iptables -A reject -p udp  -j REJECT
    #
@ -4079,13 +4567,13 @@ add_common_rules() {
 	strip_file rfc1918
 	createchain norfc1918 no
 	createchain rfc1918 no
-	createchain logdrop no
+	log_rule $RFC1918_LOG_LEVEL rfc1918 DROP
-	log_rule $RFC1918_LOG_LEVEL logdrop DROP
+	run_iptables -A rfc1918 -j DROP
 	run_iptables -A logdrop -j DROP
 	if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
 	    #
@ -4097,27 +4585,30 @@ add_common_rules() {
 	    # Also add a chain to log and drop any RFC1918 packets that we find
 	    #
 	    run_iptables -t mangle -N man1918
-	    run_iptables -t mangle -N logdrop
+	    run_iptables -t mangle -N rfc1918
-	    log_rule $RFC1918_LOG_LEVEL logdrop DROP -t mangle
+	    log_rule $RFC1918_LOG_LEVEL rfc1918 DROP -t mangle
-	    run_iptables -t mangle -A logdrop -j DROP
+	    run_iptables -t mangle -A rfc1918 -j DROP
 	fi
 	while read subnet target; do
 	    case $target in
-		logdrop|DROP|RETURN)
+		logdrop)
 		    target=rfc1918
 		    ;;
 		DROP|RETURN)
 		    ;;
 		*)
 		    fatal_error "Invalid target ($target) for $subnet"
 		    ;;
 	    esac
-	    run_iptables2 -A rfc1918 -s $subnet -j $target
+	    run_iptables2 -A norfc1918 -s $subnet -j $target
 	    if [ -n "$CONNTRACK_MATCH" ]; then
 		#
 		# We have connection tracking match -- match on the original destination
 		#
-		run_iptables2 -A rfc1918 -m conntrack --ctorigdst $subnet -j $target
+		run_iptables2 -A norfc1918 -m conntrack --ctorigdst $subnet -j $target
 	    elif [ -n "$MANGLE_ENABLED" ]; then
 		#
 		# No connection tracking match but we have mangling -- add a rule to
@ -4129,7 +4620,7 @@ add_common_rules() {
 	for interface in $norfc1918_interfaces; do
 	    for chain in `first_chains $interface`; do
-		run_iptables -A $chain -m state --state NEW -j rfc1918
+		run_iptables -A $chain -m state --state NEW -j norfc1918
 	    done
 	    [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
@ -4235,19 +4726,8 @@ add_common_rules() {
 	[ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
 	run_ip route flush cache
    fi
-    #
+
-    # IP Forwarding
+    setup_forwarding
    #
    case "$IP_FORWARDING" in
    [Oo][Nn])
 	echo 1 > /proc/sys/net/ipv4/ip_forward
 	echo "IP Forwarding Enabled"
 	;;
    [Oo][Ff][Ff])
 	echo 0 > /proc/sys/net/ipv4/ip_forward
 	echo "IP Forwarding Disabled!"
 	;;
    esac
 }
 #
@ -4389,6 +4869,8 @@ activate_rules()
 	echo "$FW $zone $chain1" >> ${STATEDIR}/chains
 	echo "$zone $FW $chain2" >> ${STATEDIR}/chains
 	need_broadcast=
 	for host in $source_hosts; do
 	    interface=${host%:*}
 	    subnet=${host#*:}
@ -4406,6 +4888,17 @@ activate_rules()
 	    [ -n "$complex" ] && \
 		run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
 	    if [ "$subnet" != 0.0.0.0/0 ]; then
 		if ! list_search $interface $need_broadcast ; then
 		    eval options=\$`chain_base ${interface}`_options
 		    list_search detectnets $options && need_broadcast="$need_broadcast $interface"
 		fi
 	    fi
 	done
 	for interface in $need_broadcast ; do
 	    run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
 	    run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4     -j $chain1
 	done
 	for zone1 in $zones; do
@ -4473,6 +4966,7 @@ activate_rules()
 	run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
 	run_iptables -D $chain -p udp --dport 53 -j ACCEPT
    done
 }
 #
@ -4532,6 +5026,10 @@ define_firewall() # $1 = Command (Start or Restart)
    rules=`find_file rules`
    echo "Processing Actions..."
    process_actions
    echo "Processing $rules..."
    process_rules
@ -5057,6 +5555,8 @@ do_initialize() {
    LOGRULENUMBERS=
    ADMINISABSENTMINDED=
    BLACKLISTNEWONLY=
    MODULE_SUFFIX=
    ACTIONS=
    stopping=
    have_mutex=
@ -5207,6 +5707,8 @@ do_initialize() {
    fi
    ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED`
    BLACKLISTNEWONLY=`added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY`
    [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz"
    #
    # Strip the files that we use often
    #
--- a/Lrp/usr/share/shorewall/help
+++ b/Lrp/usr/share/shorewall/help
@ -0,0 +1,248 @@
 #!/bin/sh
 #
 # Shorewall help subsystem - V1.4 - 3/14/2003
 #
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
 #     (c) 2003 - Tom Eastep (teastep@shorewall.net)
 #                Steve Herber (herber@thing.com)
 #
 #	This file should be placed in /usr/share/shorewall/help
 #
 #	Shorewall documentation is available at http://shorewall.sourceforge.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
 #	as published by the Free Software Foundation.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 ##################################################################################
 case $1 in
 add)
 	echo "add: add <interface>[:<host>] <zone>
    Adds a host or subnet to a dynamic zone usually used with VPN's.
    shorewall add interface[:host] zone - Adds the specified interface
    (and host if included) to the specified zone.
    Example:
    shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
    from interface ipsec0 to the zone vpn1.
    See also \"help host\""
 	;;
 address|host)
        echo "<$1>: 
    May be either a host IP address such as 192.168.1.4 or a network address in
    CIDR format like 192.168.1.0/24"
 	;;
 allow)
 	echo "allow: allow <address> ...
    Re-enables receipt of packets from hosts previously blacklisted
    by a drop or reject command.
    Shorewall allow, drop, rejct and save implement dynamic blacklisting.
    See also \"help address\""
 	;;
 check)
 	echo "check: check [ -c <configuration-directory> ]
   Performs a cursory validation of the zones, interfaces, hosts,
   rules and policy files.  Use this if you are unsure of any edits
   you have made to the shorewall configuration.  See the try command
   examples for a recommended way to make changes."
 	;;
 clear)
 	echo "clear: clear
    Clear will remove all rules and chains installed by Shoreline.
    The firewall is then wide open and unprotected.  Existing
    connections are untouched.  Clear is often used to see if the
    firewall is causing connection problems."
 	;;
 debug)
 	echo "debug: debug
    If you include the keyword debug as the first argument to any
    of these commands:
 	start|stop|restart|reset|clear|refresh|check|add|delete
    then a shell trace of the command is produced.  For example:
 	shorewall debug start 2> /tmp/trace
    The above command would trace the 'start' command and
    place the trace information in the file /tmp/trace."
 	;;
 delete)
 	echo "delete: delete <interface>[:<host>] <zone>
    Deletes a host or subnet from a dynamic zone usually used with VPN's.
    shorewall delete interface[:host] zone - Deletes the specified
    interface (and host if included) from the specified zone.
    Example:
    shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
    192.0.2.24 from interface ipsec0 from zone vpn1
    See also \"help host\""
 	;;
 drop)
 	echo "$1: $1 <address> ...
    Causes packets from the specified <address> to be ignored
    Shorewall allow, drop, rejct and save implement dynamic blacklisting.
    See also \"help address\""
 	;;
 help)
 	echo "help: help [<command> | host | address ]
    Display helpful information about the shorewall commands."
 	;;
 hits)
    echo "hits: hits
    Produces several reports about the Shorewall packet log messages
    in the current /var/log/messages file."
 	;;
 ipcalc)
 	echo "ipcalc: ipcalc [ address mask | address/vlsm ]
    Ipcalc displays the network address, broadcast address,
    network in CIDR notation and netmask corresponding to the input[s]."
 	;;
 iprange)
 	echo "iprange: iprange address1-address2
    Iprange decomposes the specified range of IP addresses into the
    equivalent list of network/host addresses."
 	;;
 logwatch)
 	echo "logwatch: logwatch [<refresh interval>]
    Monitors the LOGFILE, $LOGFILE,
    and produces an audible alarm when new Shorewall messages are logged."
 	;;
 monitor)
 	echo "monitor: monitor [<refresh_interval>]
    Continuously display the firewall status, last 20 log entries and nat.
    When the log entry display changes, an audible alarm is sounded."
 	;;
 refresh)
 	echo "refresh: refresh
    The rules involving the broadcast addresses of firewall interfaces,
    the black list, traffic control rules and ECN control rules are recreated
    to reflect any changes made.  Existing connections are untouched"
 	;;
 reject)
 	echo "$1: $1 <address> ...
    Causes packets from the specified <address> to be rejected
    Shorewall allow, drop, rejct and save implement dynamic blacklisting.
    See also \"help address\""
 	;;
 reset)
 	echo "reset: reset
    All the packet and byte counters in the firewall are reset."
 	;;
 restart)
 	echo "restart: restart [ -c <configuration-directory> ]
    Restart is the same as a shorewall stop && shorewall start.
    Existing connections are dropped."
 	;;
 save)
 	echo "save: save
    The dynamic data is stored in /var/lib/shorewall/save
    Shorewall allow, drop, rejct and save implement dynamic blacklisting."
 	;;
 show)
 	echo "show: show [<chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
    shorewall show <chain> [ <chain> ... ]  - produce a verbose report about the IPtable chain(s).
    (iptables -L chain -n -v)
    shorewall show nat - produce a verbose report about the nat table.
    (iptables -t nat -L -n -v)
    shorewall show tos - produce a verbose report about the mangle table.
    (iptables -t mangle -L -n -v)
    shorewall show log - display the last 20 packet log entries.
    shorewall show connections - displays the IP connections currently
 	being tracked by the firewall.
    shorewall show tc - displays information about the traffic
 	control/shaping configuration."
 	;;
 start)
 	echo "start: start [ -c <configuration-directory> ]
    Start shorewall.  Existing connections through shorewall managed
    interfaces are untouched.  New connections will be allowed only
    if they are allowed by the firewall rules or policies."
 	;;
 stop)
 	echo "stop: stop
    Stops the firewall.  All existing connections, except those
    listed in /etc/shorewall/routestopped, are taken down.
    The only new traffic permitted through the firewall
    is from systems listed in /etc/shorewall/routestopped."
 	;;
 status)
 	echo "status: status
    Produce a verbose report about the firewall.
    (iptables -L -n -v)"
 	;;
 try)
 	echo "try: try <configuration-directory> [ <timeout> ]
    Restart shorewall using the specified configuration.  If an error
    occurs during the restart, then another shorewall restart is performed
    using the default configuration.  If a timeout is specified then
    the restart is always performed after the timeout occurs and uses
    the default configuration."
 	;;
 version)
 	echo "version: version
    Show the current shorewall version which is: $version"
 	;;
 *)
 	echo "$1: $1 is not recognized by the help command"
 	;;
 esac
 exit 0	# always ok
--- a/Lrp/usr/share/shorewall/version
+++ b/Lrp/usr/share/shorewall/version
@ -1 +1 @@
-1.4.8
+1.4.10
--- a/Lrp/var/lib/lrpkg/shorwall.conf
+++ b/Lrp/var/lib/lrpkg/shorwall.conf
@ -24,3 +24,5 @@
 /etc/shorewall/accounting	Account   Traffic Accounting Rules
 /etc/shorewall/usersets		UserSets  User Set definitions
 /etc/shorewall/users		Users       "   "      "
 /etc/shorewall/actions		Actions   Define user actions
 /etc/shorewall/action.templage	Template  Template for user-defined actions
--- a/Lrp/var/lib/lrpkg/shorwall.version
+++ b/Lrp/var/lib/lrpkg/shorwall.version
@ -1 +1 @@
-1.4.8
+1.4.10