Shorewall 1.4.10

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1100 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-01-31 03:29:56 +00:00
parent afee989ee5
commit b222c76e33
14 changed files with 1109 additions and 125 deletions

View File

@ -0,0 +1,131 @@
#
# Shorewall 1.4 /etc/shorewall/action.template
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
# ACTION defined in /etc/shorewall/actions.
#
# To define a new action:
#
# 1. Add the <action name> to /etc/shorewall/actions
# 2. Copy this file to /etc/shorewall/action.<action name>
# 3. Add the desired rules to that file.
#
# Columns are:
#
#
# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
# previously-defined <action>
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
# <action> -- An <action> defined in
# /etc/shorewall/actions. The <action>
# must appear in that file BEFORE the
# one being defined in this file.
#
# The TARGET may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# ACCEPT:debugging). This causes the packet to be
# logged at the specified level.
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# SOURCE Source hosts to which the rule applies.
# A comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# 192.168.2.2 Host 192.168.2.2
#
# 155.186.235.0/24 Subnet 155.186.235.0/24
#
# 192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2.
# ~00-A0-C9-15-39-78 Host with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# name. For example, eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., eth1:192.168.1.5).
#
# DEST Location of Server. Same as above with the exception that
# MAC addresses are not allowed.
#
# Unlike in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this column:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# If you place a rate limit in this column, you may not
# place a similar limit in the TARGET column.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
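Review bot: the column header on the last two lines (TARGET SOURCE DEST PROTO DEST PORT SOURCE PORT(S) ORIGINAL DEST RATE LIMIT) matches neither the column descriptions above it nor the reader in process_actions, which does `read xtarget xclients xservers xprotocol xports xcports xratelimit` (seven fields, no ORIGINAL DEST). A user who follows the header and puts "-" under ORIGINAL DEST and "10/sec:20" under RATE LIMIT gets "- 10/sec:20" read into xratelimit; process_action is then called with the words unquoted, takes "-" as its rate limit and silently ignores the real one. Drop the ORIGINAL DEST column from the header and rename SOURCE PORT(S) to CLIENT PORT(S) so the header and the text agree. While here: "ields" should be "fields", "level.This" needs a space, and "There may be no / no whitespace" repeats "no".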

Lrp/etc/shorewall/actions Normal file
View File

@ -0,0 +1,16 @@
#
# Shorewall 1.4 /etc/shorewall/actions
#
# This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to
# be performed in an ACTION in
# /etc/shorewall/action.<action-name>.
#
# ACTION names should begin with an upper-case letter to
# distinguish them from Shorewall-generated chain names and
# they must need the requirements of a Netfilter chain
# name.
#
#ACTION
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
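Review bot: "they must need the requirements of a Netfilter chain name" should read "must meet the requirements", and it would help to say what those are (no whitespace, and the length limit iptables enforces), because a bad name only fails at `iptables -N` time during start. The file also says nothing about ordering, yet process_actions only accepts an <action> as a TARGET inside another action file if that action was processed earlier (`list_search $temp $ACTIONS`); a one-line note here would save users a puzzling "Invalid TARGET" error.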

View File

@ -16,12 +16,12 @@ run_iptables -A common -p icmp -j icmpdef
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 135 -j reject
run_iptables -A common -p udp --dport 137:139 -j reject
run_iptables -A common -p udp --dport 445 -j reject
run_iptables -A common -p tcp --dport 139 -j reject
run_iptables -A common -p tcp --dport 445 -j reject
run_iptables -A common -p tcp --dport 135 -j reject
run_iptables -A common -p udp --dport 135 -j DROP
run_iptables -A common -p udp --dport 137:139 -j DROP
run_iptables -A common -p udp --dport 445 -j DROP
run_iptables -A common -p tcp --dport 139 -j DROP
run_iptables -A common -p tcp --dport 445 -j DROP
run_iptables -A common -p tcp --dport 135 -j DROP
############################################################################
# UPnP
#
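Review bot: switching the six NETBIOS/RPC rules (udp 135, 137:139, 445; tcp 135, 139, 445) from the reject chain to DROP is a visible behaviour change with no comment explaining it. Windows hosts on trusted segments that previously received an immediate RST or ICMP unreachable will now retry until they time out, and scans of these ports will report them as filtered instead of closed. If the motivation is to stop answering the constant background noise, say so in the comment block and mention the change in the release notes.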
@ -37,7 +37,13 @@ run_iptables -A common -d 224.0.0.0/4 -j DROP
run_iptables -A common -p tcp --dport 113 -j reject
############################################################################
# DNS -- Silenty drop late replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
############################################################################
# ICMP -- Silently drop null-address ICMPs
#
run_iptables -A common -p icmp -s 0.0.0.0 -j DROP
run_iptables -A common -p icmp -d 0.0.0.0 -j DROP
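Review bot: the two new ICMP rules match only the literal host 0.0.0.0, because iptables treats a bare `-s 0.0.0.0` / `-d 0.0.0.0` as a /32. If the intent is to silence anything claiming to come from the "this network" block, the source rule should use 0.0.0.0/8; the /32 is fine on the destination side since nothing legitimate is addressed to exactly 0.0.0.0. Also "Silenty" in the DNS comment just above should be "Silently".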

View File

@ -103,6 +103,11 @@
# This option has no effect if
# NEWNOTSYN=Yes.
#
# routeback - If specified, indicates that Shorewall
# should include rules that allow filtering
# traffic arriving on this interface back
# out that same interface.
#
# arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP
# addresses configured on the interface.
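Review bot: the routeback text says what the option enables but not what then governs the traffic, i.e. that packets leaving by the interface they arrived on are subject to the rules and policy for the zone(s) on that interface; a reader deciding whether to set it needs that sentence. More importantly, routeback is not in the option whitelist visible in this commit's validate_interfaces_file hunk (dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|-); if it is accepted in a case branch that the diff doesn't show, fine, otherwise setting it will be rejected at start and the documentation is ahead of the code.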
@ -112,6 +117,13 @@
# interface. The interface must be up
# when Shorewall is started.
#
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE!
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.
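Review bot: "taylors" should be "tailors". The text should also carry the two constraints the code imposes: validate_interfaces_file refuses detectnets on a wildcard interface ("The "detectnets" option may not be used with a wild-card interface"), and determine_hosts derives the zone's hosts from get_routed_subnets when the firewall starts, so routes added afterwards are not seen until a restart. Both are things a user will hit without reading the script.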

View File

@ -18,7 +18,12 @@
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a destination host or subnet.
# ":" followed by a comma-separed list of
# destination hosts or subnets. If this list begins with
# "!" then masquerading will occur if and only if the
# connection destination is NOT included in the list.
# Otherwise, the masquerading will occur if and only if
# the destination IS included in the list.
#
#
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
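Review bot: "comma-separed" should be "comma-separated", and the stray second "#" line can go. It is also worth stating how this list combines with the "!" exclusions in the SUBNET column, since setup_masq handles both: the destination list selects which connections are candidates, and excluded source hosts are then skipped with RETURN rules. As written a reader cannot tell whether a "!" here and a "!" in SUBNET interact.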

View File

@ -48,14 +48,13 @@
58.0.0.0/7 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved
83.0.0.0/8 logdrop # Reserved
84.0.0.0/6 logdrop # Reserved
85.0.0.0/8 logdrop # Reserved
86.0.0.0/7 logdrop # Reserved
88.0.0.0/5 logdrop # Reserved
96.0.0.0/3 logdrop # Reserved
127.0.0.0/8 logdrop # Loopback
197.0.0.0/8 logdrop # Reserved
198.18.0.0/15 logdrop # Reserved
201.0.0.0/8 logdrop # Reserved - Central & South America
223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
240.0.0.0/4 logdrop # Reserved
#
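Review bot: the reserved-block list carries no date and no source, and entries of this kind (the 83/8 to 96/3 area, 197/8, 201/8 and 223/8 touched here) go stale quickly: a block that is reserved when the file is written becomes routable as soon as a registry assigns it, and `logdrop` on it then silently blocks legitimate peers. Add a comment naming the IANA ipv4-address-space registry and the date this file was reconciled against it, and say in the release notes that sites with a local copy of rfc1918 need to re-merge it.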

View File

@ -15,8 +15,8 @@
# Columns are:
#
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE
# or LOG.
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
# LOG or an <action>.
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
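Review bot: the ACTION summary line still omits QUEUE, although QUEUE is described further down and is accepted by process_rules (ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE). Since the line is being edited to add <action> anyway, add QUEUE to it.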
@ -48,6 +48,8 @@
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
# <action> -- The name of an action defined in
# /etc/shorewall/actions.
#
# You may rate-limit the rule by optionally
# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
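Review bot: the <action> entry should say what cannot be combined with it. From process_rule in this commit, a USER/GROUP value is only allowed with ACCEPT, REJECT and DROP ("<user>:<group> may only be specified in ACCEPT, REJECT and DROP rules"), so a rule with an <action> target and a user set fails at start. It should also state that the action must already be listed in /etc/shorewall/actions, since an unknown name only produces the generic "Invalid Action in rule" error.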

View File

@ -202,9 +202,8 @@ SHOREWALL_SHELL=/bin/sh
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
# use lock files, set this to "".
#
SUBSYSLOCK=/var/run/shorewall
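Review bot: the Debian sentence was removed and nothing replaces it, and the default `SUBSYSLOCK=/var/run/shorewall` matches neither path the comment documented (/var/lock/subsys/shorewall, /var/state/shorewall); a reader on a non-RedHat system now has no guidance. Either restore a sentence for Debian-derived init scripts or say explicitly that the default is a generic location the packaged init scripts are expected to override.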
@ -222,7 +221,7 @@ STATEDIR=/tmp/shorewall
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=
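Review bot: the example `MODULESDIR=/etc/modules` is misleading: the variable names a directory of module files, but on Debian-derived systems /etc/modules is the text file listing modules to load at boot, not a directory. Use a directory-shaped example, e.g. the default path with a different kernel version. The `$(uname -r)` change itself is fine and matches the form used in the new MODULE_SUFFIX comment.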
@ -418,13 +417,30 @@ MUTEX_TIMEOUT=60
#
# NEWNOTSYN
#
# If this variable is set to "No" or "no", then when a TCP packet that does
# not have the SYN flag set and the ACK and RST flags clear then unless the
# packet is part of an established connection, it will be dropped by the
# firewall
# TCP connections are established using the familiar three-way "handshake":
#
# If this variable is set to "Yes" or "yes" then such packets will not be
# dropped but will pass through the normal rule processing.
# CLIENT SERVER
#
# SYN-------------------->
# <------------------SYN,ACK
# ACK-------------------->
#
# The first packet in that exchange (packet with the SYN flag on and the ACK
# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
# A packet is said to be NEW if it is not part of or related to an already
# established connection.
#
# The NETNOTSYN option determines the handling of non-SYN packets (those with
# SYN off or with ACK or RST on) that are not associated with an already
# established connection.
#
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
# part of an already established connection, it will be dropped by the
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
# logged before they are dropped.
#
# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
# dropped but will pass through the normal rule/policy processing.
#
# Users with a High-availability setup with two firewall's and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
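Review bot: "NETNOTSYN" should be "NEWNOTSYN", the sentence "then non-SYN packets that are not part of an already established connection, it will be dropped" has a stray "it", and "firewall's" should be "firewalls". The explanation also leaves the important case implicit: a packet is "non-SYN" when SYN is off or ACK/RST is on, and "NEW" when conntrack has no entry for it; the combination is what this option governs, and the text should say plainly that with NEWNOTSYN=Yes such a packet is matched against the rules and, if an ACCEPT rule fits, conntrack picks the connection up mid-stream.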
@ -432,8 +448,15 @@ MUTEX_TIMEOUT=60
#
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
# using the 'newnotsyn' option in /etc/shorewall/interfaces.
#
# I find that NEWNOTSYN=No tends to result in lots of "stuck"
# connections because any network timeout during TCP session tear down
# results in retries being dropped (Netfilter has removed the
# connection from the conntrack table but the end-points haven't
# completed shutting down the connection). I therefore have chosen
# NEWNOTSYN=Yes as the default value.
NEWNOTSYN=No
NEWNOTSYN=Yes
#
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
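Review bot: flipping the default from NEWNOTSYN=No to NEWNOTSYN=Yes is a security-relevant behaviour change and belongs in the upgrade notes, not only in this comment. With Yes, a TCP packet that has no conntrack entry and is not a SYN (an ACK or FIN probe, a spoofed mid-stream segment) is run through the normal rules and policies, and any ACCEPT rule that matches it lets it reach the protected host; with No it was dropped before the rules. Users who never set the variable inherit the weaker behaviour silently on upgrade. State explicitly that sites wanting the old behaviour must add NEWNOTSYN=No to shorewall.conf.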
@ -486,6 +509,29 @@ ADMINISABSENTMINDED=Yes
#
BLACKLISTNEWONLY=Yes
# MODULE NAME SUFFIX
#
# When loading a module named in /etc/shorewall/modules, Shorewall normally
# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different
# naming convention then you can specify the suffix (extension) for module
# names in this variable.
#
# To see what suffix is used by your distribution:
#
# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
#
# All of the file names listed should have the same suffix (extension). Set
# MODULE_SUFFIX to that suffix.
#
# Examples:
#
# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
#
MODULE_SUFFIX=
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
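Review bot: the shipped default `MODULE_SUFFIX=` is empty, and the comment says Shorewall "normally looks ... for files whose names end in .o, .ko, .gz or o.gz", but in this same commit loadmodule iterates `for suffix in $MODULE_SUFFIX` with the hard-coded `o gz ko o.gz` list removed; unless the firewall script substitutes that list when the variable is empty (not visible in the diff), an unchanged shorewall.conf will load no modules at all. Also "o.gz" in the comment lacks its leading dot, and the examples should say the value is given without the dot (MODULE_SUFFIX="kzo" yields <name>.kzo).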

View File

@ -57,7 +57,22 @@
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# USER This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective user and/or group.
#
# It may contain :
#
# [<user name or number>]:[<group name or number>]
#
# The colon is optionnal when specifying only a user.
# Examples : john: / john / :users / john:users
#
##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
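Review bot: "optionnal" should be "optional", and "It may contain :" / "Examples :" have a space before the colon. The description should state the two constraints the code enforces: the USER column is only accepted when the rule lands in the tcout chain (process_tc_rule: "Invalid use of a user/group"), and the match is on the effective uid/gid of the sending process, so it only works for packets generated on the firewall itself, never for forwarded traffic.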

View File

@ -564,11 +564,21 @@ determine_hosts() {
eval interfaces=\$${zone}_interfaces
for interface in $interfaces; do
if [ -z "$hosts" ]; then
hosts=$interface:0.0.0.0/0
eval options=\$`chain_base ${interface}`_options
if list_search detectnets $options; then
subnets=`get_routed_subnets $interface`
else
hosts="$hosts $interface:0.0.0.0/0"
subnets=0.0.0.0/0
fi
for subnet in $subnets; do
if [ -z "$hosts" ]; then
hosts=$interface:$subnet
else
hosts="$hosts $interface:$subnet"
fi
done
done
interfaces=
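Review bot: when detectnets is set and get_routed_subnets returns nothing (interface not yet up at start, or no routes through it), the `for subnet in $subnets` loop adds no hosts for that interface, so the zone silently loses it rather than falling back to 0.0.0.0/0 or failing. Treat an empty result as a startup_error, or at least print a warning naming the interface, so a mis-ordered boot does not leave a zone with no members and rules that never match.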
@ -611,6 +621,8 @@ validate_zone() # $1 = zone
# Validate the zone names and options in the interfaces file
#
validate_interfaces_file() {
local wildcard
while read z interface subnet options; do
expandv z interface subnet options
r="$z $interface $subnet $options"
@ -628,10 +640,15 @@ validate_interfaces_file() {
list_search $interface $all_interfaces && \
startup_error "Duplicate Interface $interface"
wildcard=
case $interface in
*:*)
startup_error "Invalid Interface Name: $interface"
;;
*+*)
wildcard=Yes
;;
esac
all_interfaces="$all_interfaces $interface"
@ -646,6 +663,10 @@ validate_interfaces_file() {
case $option in
dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|-)
;;
detectnets)
[ -n "$wildcard" ] && \
startup_error "The \"detectnets\" option may not be used with a wild-card interface"
;;
dropunclean|logunclean)
error_message \
"Warning: The 'dropunclean' and 'logunclean' options will be removed in a future release"
@ -844,7 +865,7 @@ find_broadcasts() {
for interface in $all_interfaces; do
eval bcast=\$`chain_base $interface`_broadcast
if [ "x$bcast" = "xdetect" ]; then
addr="`ip addr show $interface 2> /dev/null`"
addr="`ip -f inet addr show $interface 2> /dev/null`"
if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
addr="`echo "$addr" | \
grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`"
@ -1027,6 +1048,22 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
log_rule_limit $level $chain $disposition "$LOGLIMIT" $@
}
#
# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
#
setup_forwarding() {
case "$IP_FORWARDING" in
[Oo][Nn])
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "IP Forwarding Enabled"
;;
[Oo][Ff][Ff])
echo 0 > /proc/sys/net/ipv4/ip_forward
echo "IP Forwarding Disabled!"
;;
esac
}
#
# Stop the Firewall
#
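Review bot: the case statement has no default branch, so a value of IP_FORWARDING other than On/Off (including a typo such as "Yes") silently leaves ip_forward untouched and nothing tells the admin that forwarding was not enabled. Add a `*)` branch that either reports the value as "kept" or calls fatal_error. The echo strings also now run for every caller; see the stop_firewall hunk below, where "IP Forwarding Enabled" will be printed during stop.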
@ -1118,14 +1155,7 @@ stop_firewall() {
iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
done
case "$IP_FORWARDING" in
[Oo][Nn])
echo 1 > /proc/sys/net/ipv4/ip_forward
;;
[Oo][Ff][Ff])
echo 0 > /proc/sys/net/ipv4/ip_forward
;;
esac
setup_forwarding
run_user_exit stopped
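Review bot: calling setup_forwarding here means `stop` now prints "IP Forwarding Enabled" or "IP Forwarding Disabled!", which the inline code it replaces did not. Either pass a quiet flag or keep the messages on the start path only; a message about forwarding being enabled in the middle of a stop will read as an error to operators.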
@ -1700,6 +1730,25 @@ process_tc_rule()
esac
fi
if [ "x$user" != "x-" ]; then
[ "$chain" != tcout ] && \
fatal_error "Invalid use of a user/group: rule \"$rule\""
case "$user" in
*:*)
r="$r-m owner"
temp="${user%:*}"
[ -n "$temp" ] && r="$r --uid-owner $temp "
temp="${user#*:}"
[ -n "$temp" ] && r="$r --gid-owner $temp "
;;
*)
r="$r-m owner --uid-owner $user "
;;
esac
fi
[ "x$dest" = "x-" ] || r="${r}-d $dest "
[ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port "
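Review bot: a USER value of just ":" (both halves empty) passes the `*:*` case, appends "-m owner" with neither --uid-owner nor --gid-owner, and fails at iptables time with an unhelpful message; reject it with fatal_error up front. There is also no check that the user or group exists, so a typo only surfaces when iptables runs; resolving the name with `id -u "$temp"` or `getent group "$temp"` before building the rule would give a clear error naming the tcrules entry.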
@ -1758,9 +1807,9 @@ setup_tc1() {
#
strip_file tcrules
while read mark sources dests proto ports sports; do
expandv mark sources dests proto ports sports
rule=`echo "$mark $sources $dests $proto $ports $sports"`
while read mark sources dests proto ports sports user; do
expandv mark sources dests proto ports sports user
rule=`echo "$mark $sources $dests $proto $ports $sports $user"`
process_tc_rule
done < $TMP_DIR/tcrules
#
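Review bot: `read mark sources dests proto ports sports user` leaves $user empty when the column is omitted, and the guard in process_tc_rule is `[ "x$user" != "x-" ]`, which is true for an empty value; unless $user is defaulted to "-" somewhere not shown in this diff, every existing tcrules entry without a USER column now takes the owner branch and emits `-m owner --uid-owner ` with no argument. Default it after the read, as process_action does with `${clients:=-}`, or change the guard to `[ -n "$user" -a "x$user" != "x-" ]`.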
@ -2063,6 +2112,10 @@ check_config() {
validate_policy
echo "Validating Actions..."
process_actions
echo "Validating rules file..."
rules=`find_file rules`
@ -2113,6 +2166,349 @@ refresh_tc() {
}
#
# Add one Filter Rule from an action -- Helper function for the action file processor
#
# The caller has established the following variables:
# check = current command. If 'check', we're executing a 'check'
# which only goes through the motions.
# client = SOURCE IP or MAC
# server = DESTINATION IP or interface
# protocol = Protocol
# address = Original Destination Address
# port = Destination Port
# cport = Source Port
# multioption = String to invoke multiport match if appropriate
# action = The chain for this rule
# ratelimit = Optional rate limiting clause
#
add_an_action()
{
do_ports() {
if [ -n "$port" ]; then
dports="--dport"
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
multiport="$multioption"
dports="--dports"
fi
dports="$dports $port"
fi
if [ -n "$cport" ]; then
sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
multiport="$multioption"
sports="--sports"
fi
sports="$sports $cport"
fi
}
# Set source variables. The 'cli' variable will hold the client match predicate(s).
cli=
case "$client" in
-)
;;
*:*)
cli="-i ${client%:*} -s ${client#*:}"
;;
*.*.*)
cli="-s $client"
;;
~*)
cli=`mac_match $client`
;;
*)
[ -n "$client" ] && cli="-i $client"
;;
esac
# Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s).
dest_interface=
serv=
case "$server" in
-)
;;
*.*.*)
serv=$server
;;
~*)
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
;;
*)
[ -n "$server" ] && dest_interface="-o $server"
;;
esac
# Setup protocol and port variables
sports=
dports=
state="-m state --state NEW"
proto=$protocol
servport=$serverport
multiport=
[ x$port = x- ] && port=
[ x$cport = x- ] && cport=
case $proto in
tcp|TCP|6)
do_ports
[ "$target" = QUEUE ] && proto="$proto --syn"
;;
udp|UDP|17)
do_ports
;;
icmp|ICMP|1)
[ -n "$port" ] && dports="--icmp-type $port"
state=
;;
all|ALL)
[ -n "$port" ] && \
fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
proto=
;;
*)
state=
[ -n "$port" ] && \
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
;;
esac
proto="${proto:+-p $proto}"
# Some misc. setup
case "$logtarget" in
LOG)
[ -z "$loglevel" ] && fatal_error "LOG requires log level"
;;
esac
if [ $command != check ]; then
if [ -n "${serv}" ]; then
for serv1 in `separate_list $serv`; do
for srv in `ip_range $serv1`; do
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $action $logtarget "$ratelimit" \
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
fi
run_iptables2 -A $action $proto $multiport $state $cli $sports \
-d $srv $dports $ratelimit -j $target
done
done
else
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $action $logtarget "$ratelimit" \
`fix_bang $proto $sports $multiport $state $cli $dports`
fi
run_iptables2 -A $action $proto $multiport $state $cli $sports \
$dports $ratelimit -j $target
fi
fi
}
#
# Process a record from an action file for the 'start', 'restart' or 'check' commands
#
process_action() # $1 = action
# $1 = target
# $2 = clients
# $3 = servers
# $4 = protocol
# $5 = ports
# $6 = cports
# $7 = ratelimit
{
local action="$1"
local target="$2"
local clients="$3"
local servers="$4"
local protocol="$5"
local ports="$6"
local cports="$7"
local ratelimit="$8"
local rule="`echo $target $clients $servers $protocol $ports $cports $ratelimit`"
if [ -n "$ratelimit" ]; then
case $ratelimit in
-)
ratelimit=
;;
*:*)
ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
;;
*)
ratelimit="-m limit --limit $ratelimit"
;;
esac
fi
# Isolate log level
if [ "$target" = "${target%:*}" ]; then
loglevel=
else
loglevel="${target#*:}"
target="${target%:*}"
expandv loglevel
fi
logtarget="$target"
case $target in
ACCEPT|LOG)
;;
REJECT)
target=reject
;;
*)
;;
esac
# Generate Netfilter rule(s)
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
if [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
`list_count $ports` -le 15 -a \
`list_count $cports` -le 15 ]
then
#
# MULTIPORT is enabled, there are no port ranges in the rule and less than
# 16 ports are listed - use multiport match.
#
multioption="-m multiport"
for client in `separate_list ${clients:=-}`; do
for server in `separate_list ${servers:=-}`; do
#
# add_a_rule() modifies these so we must set their values each time
#
port=${ports:=-}
cport=${cports:=-}
add_an_action
done
done
else
#
# MULTIPORT is disabled or the rule isn't compatible with multiport match
#
multioption=
for client in `separate_list ${clients:=-}`; do
for server in `separate_list ${servers:=-}`; do
for port in `separate_list ${ports:=-}`; do
for cport in `separate_list ${cports:=-}`; do
add_an_action
done
done
done
done
fi
#
# Report Result
#
if [ $command = check ]; then
echo " Rule \"$rule\" checked."
else
echo " Rule \"$rule\" added."
fi
}
#
# Read /etc/shorewall/actions and for each defined <action>, process
# /etc/shorewall/action.<action>
#
process_actions() {
#
# Process a rule where the source or destination is "all"
#
process_wildcard_rule() {
local yclients yservers ysourcezone ydestzone ypolicy
for yclients in $xclients; do
for yservers in $xservers; do
ysourcezone=${yclients%%:*}
ydestzone=${yservers%%:*}
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then
process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit
fi
fi
done
done
}
do_it() {
expandv xclients xservers xprotocol xports xcports xratelimit
if [ "x$xclients" = xall ]; then
xclients="$zones $FW"
if [ "x$xservers" = xall ]; then
xservers="$zones $FW"
fi
process_wildcard_rule
continue
fi
if [ "x$xservers" = xall ]; then
xservers="$zones $FW"
process_wildcard_rule
continue
fi
process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit
}
strip_file actions
while read xaction rest; do
[ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest"
[ "$command" = check ] || createchain $xaction No
f=action.$xaction
fn=`find_file $f`
if [ -f $fn ]; then
echo "Processing $fn..."
strip_file $f $fn
while read xtarget xclients xservers xprotocol xports xcports xratelimit ; do
expandv xtarget
temp="${xtarget%:*}"
case "${temp%<*}" in
ACCEPT|DROP|REJECT|LOG|QUEUE)
do_it
;;
*)
if list_search $temp $ACTIONS; then
do_it
else
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit`"
fatal_error "Invalid TARGET in rule \"$rule\""
fi
;;
esac
done < $TMP_DIR/$f
else
fatal_error "Missing Action File: $f"
fi
ACTIONS="$ACTIONS $xaction"
done < $TMP_DIR/actions
}
#
# Add a NAT rule - Helper function for the rules file processor
#
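Review bot: process_actions's do_it expands SOURCE/DEST "all" into `$zones $FW` and process_wildcard_rule then consults `${ysourcezone}2${ydestzone}_policy`, but action files have no zone columns: action.template documents SOURCE and DEST as hosts, subnets, MAC addresses or interfaces, and add_an_action turns a bare name into `-i $client` / `-o $server`. So "all" in an action file would generate `-i net`, `-o loc` and the like and fail at iptables time. Either drop the "all" handling from this copy of do_it (a plain "-" already means any host) or document what "all" is meant to do here. Smaller points in the same hunk: the process_action header comment numbers its parameters from $1 twice (target should be $2 through ratelimit $8); the comment "add_a_rule() modifies these" should name add_an_action(); `servport=$serverport` reads a variable nothing in this hunk sets; and `continue` inside do_it relies on the shell propagating it into the caller's while loop, which POSIX leaves unspecified and shells differ on, so return a status and `continue` in the loop instead.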
@ -2548,6 +2944,8 @@ process_rule() # $1 = target
# Function Body - isolate rate limit
[ "x$ratelimit" = "x-" ] && ratelimit=
if [ -z "$ratelimit" ]; then
if [ "$target" != "${target%<*}" ]; then
ratelimit="${target#*<}"
@ -2559,9 +2957,6 @@ process_rule() # $1 = target
if [ -n "$ratelimit" ]; then
case $ratelimit in
-)
ratelimit=
;;
*:*)
ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
;;
@ -2599,7 +2994,11 @@ process_rule() # $1 = target
case "$userset" in
*:*)
case $target in
ACCEPT|REJECT|DROP)
ACCEPT)
;;
REJECT|DROP)
[ -n "$ratelimit" ] && fatal_error \
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
;;
*)
fatal_error "<user>:<group> may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
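Review bot: the "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG" check for REJECT|DROP is now made three times on the same path in this function: here in the first `case $target`, and again in the DROP) and REJECT) branches a few lines later that select drop_chain and reject_chain. One check is enough; keep the earliest so the error is raised before any chain is created.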
@ -2625,9 +3024,13 @@ process_rule() # $1 = target
target=`accept_chain $userset`
;;
DROP)
[ -n "$ratelimit" ] && fatal_error \
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
target=`drop_chain $userset`
;;
REJECT)
[ -n "$ratelimit" ] && fatal_error \
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
target=`reject_chain $userset`
;;
*)
@ -2643,8 +3046,15 @@ process_rule() # $1 = target
ACCEPT|LOG)
;;
REJECT)
[ -n "$ratelimit" ] && fatal_error \
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
target=reject
;;
CONTINUE)
[ -n "$ratelimit" ] && fatal_error \
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
target=RETURN
;;
DNAT)
target=ACCEPT
address=${address:=detect}
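Review bot: the reason rate limits are refused on REJECT, DROP and CONTINUE deserves a comment next to these checks, because the error message only names the rule, not the rationale. With `-m limit` a rule stops matching once the rate is exceeded, so a rate-limited DROP would pass the excess packets on to later rules and the policy, the opposite of what someone writing "DROP 10/sec" expects. Saying that in a comment (and in the rules-file documentation) will pre-empt the obvious feature request.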
@ -2711,9 +3121,11 @@ process_rule() # $1 = target
source=$clientzone
if [ $source = $FW ]; then
source_hosts= || eval source_hosts=\"\$${source}_hosts\"
source_hosts=
elif [ -n "$userset" ]; then
fatal_error "Invalid use of a user set: rule \"$rule\""
else
eval source_hosts=\"\$${source}_hosts\"
fi
if [ "$servers" = "${servers%:*}" ] ; then
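Review bot: the new `fatal_error "Invalid use of a user set"` should say why the rule is invalid: the USER column applies only when SOURCE is $FW, since Netfilter's owner match sees only locally generated packets. Something like "USER column may only be used when SOURCE is $FW: rule ..." spares the user a trip into the script.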
@ -2876,19 +3288,23 @@ process_rules()
# Process a rule where the source or destination is "all"
#
process_wildcard_rule() {
local yclients yservers ysourcezone ydestzone ypolicy
for yclients in $xclients; do
for yservers in $xservers; do
if [ "${yclients}" != "${yservers}" ] ; then
ysourcezone=${yclients%%:*}
ydestzone=${yservers%%:*}
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
fi
fi
done
done
}
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do
temp="${xtarget%:*}"
case "${temp%<*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
do_it() {
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset
if [ "x$xclients" = xall ]; then
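Review bot: comparing `${yclients%%:*}` with `${yservers%%:*}` instead of the whole strings changes what an "all" expansion produces when the other side carries a host qualifier: before, `all` against `loc:192.168.1.5` was not skipped because the strings differed; now the zone parts are equal and that pair is dropped. That is probably the intent (intra-zone traffic is governed by the zone's own policy), but it is a behaviour change for existing rules files and should be stated in the release notes.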
@ -2907,10 +3323,21 @@ process_rules()
fi
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
}
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do
temp="${xtarget%:*}"
case "${temp%<*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
do_it
;;
*)
if list_search $temp $ACTIONS; then
do_it
else
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset`"
fatal_error "Invalid Action in rule \"$rule\""
fi
;;
esac
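Review bot: an <action> whose name equals a built-in target resolves to the built-in, since the ACCEPT|DROP|... case is tested first; that is the right order, but the actions file only says names "should" start with an upper-case letter, so this ordering is the only thing stopping a user-defined "DROP" from being silently ignored. Reject built-in names in process_actions rather than relying on case order here. As in process_actions, `continue` inside do_it depends on the shell propagating it into the calling while loop; have do_it return a status and `continue` in the loop.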
@ -3115,7 +3542,7 @@ loadmodule() # $1 = module name, $2 - * arguments
if [ -z "`lsmod | grep $modulename`" ]; then
shift
for suffix in o gz ko o.gz ; do
for suffix in $MODULE_SUFFIX ; do
modulefile=$MODULESDIR/${modulename}.${suffix}
if [ -f $modulefile ]; then
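Review bot: with the fixed `o gz ko o.gz` list removed, `for suffix in $MODULE_SUFFIX` iterates zero times when MODULE_SUFFIX is empty, which is the shipped default in the shorewall.conf hunk; unless a default is assigned before this point (not in the diff), no module is ever found and loadmodule silently does nothing. Add `MODULE_SUFFIX=${MODULE_SUFFIX:-o gz ko o.gz}` where the configuration is read, and print a message when a requested module is not found under any suffix so the failure is visible at start.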
@ -3362,7 +3789,7 @@ setup_masq()
case $fullinterface in
*:*:*)
# Both alias name and subnet
destnet="${fullinterface##*:}"
destnets="${fullinterface##*:}"
fullinterface="${fullinterface%:*}"
;;
*:*)
@ -3370,17 +3797,17 @@ setup_masq()
case ${fullinterface#*:} in
*.*)
# It's a subnet
destnet="${fullinterface#*:}"
destnets="${fullinterface#*:}"
fullinterface="${fullinterface%:*}"
;;
*)
#it's an alias name
destnet="0.0.0.0/0"
destnets="0.0.0.0/0"
;;
esac
;;
*)
destnet="0.0.0.0/0"
destnets="0.0.0.0/0"
;;
esac
@ -3397,7 +3824,6 @@ setup_masq()
subnet="${subnet%!*}"
fi
chain=`masq_chain $interface`
source="$subnet"
@ -3426,33 +3852,70 @@ setup_masq()
done
fi
destination=$destnet
destination=$destnets
chain=`masq_chain $interface`
case $destnets in
!*)
newchain=masq${masq_seq}
createnatchain $newchain
destnets=${destnets#!}
for destnet in $(separate_list $destnets); do
addnatrule $newchain -d $destnet -j RETURN
done
if [ -n "$subnet" ]; then
for s in $subnet; do
addnatrule $chain -s $s -j $newchain
done
subnet=
else
addnatrule $chain -j $newchain
fi
masq_seq=$(($masq_seq + 1))
chain=$newchain
destnets=0.0.0.0/0
if [ -n "$nonmasq" ]; then
for addr in `separate_list $nomasq`; do
addnatrule $chain -s $addr -j RETURN
done
source="$source except $nomasq"
fi
;;
*)
if [ -n "$nomasq" ]; then
newchain=masq${masq_seq}
createnatchain $newchain
if [ -n "$subnet" ]; then
for s in $subnet; do
for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet -s $s -j $newchain
done
done
else
for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet -j $newchain
done
fi
masq_seq=$(($masq_seq + 1))
chain=$newchain
subnet=
destnet=
destnets=0.0.0.0/0
for addr in `separate_list $nomasq`; do
addnatrule $chain -s $addr -j RETURN
done
source="$source except $nomasq"
else
destnet="-d $destnet"
fi
;;
esac
if [ -n "$addresses" ]; then
temp=
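Review bot: `if [ -n "$nonmasq" ]` in the `!*` branch tests a variable that is never assigned; everywhere else (the loop on the next line and the `*)` branch) the name is `$nomasq`. As a result, when the destination list starts with "!" the SUBNET column's own exclusions are never turned into RETURN rules and those hosts are masqueraded anyway. Fix the spelling. Also, `destnet="-d $destnet"` in the else branch is dead: the SNAT/MASQUERADE loops that follow reassign destnet from `separate_list $destnets` and add `-d` themselves, so if anything did use that value it would produce `-d -d <net>`.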
@ -3464,18 +3927,26 @@ setup_masq()
if [ -n "$subnet" ]; then
for s in $subnet; do
if [ -n "$addresses" ]; then
addnatrule $chain -s $s $destnet -j SNAT $temp
for destnet in $(separate_list $destnets); do
addnatrule $chain -s $s -d $destnet -j SNAT $temp
done
echo " To $destination from $s through ${interface} using $addresses"
else
addnatrule $chain -s $s $destnet -j MASQUERADE
for destnet in $(separate_list $destnets); do
addnatrule $chain -s $s -d $destnet -j MASQUERADE
done
echo " To $destination from $s through ${interface}"
fi
done
elif [ -n "$address" ]; then
addnatrule $chain $destnet -j SNAT $temp
for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet -j SNAT $temp
done
echo " To $destination from $source through ${interface} using $addresses"
else
addnatrule $chain $destnet -j MASQUERADE
for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet -j MASQUERADE
done
echo " To $destination from $source through ${interface}"
fi
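Review bot: the second branch tests `[ -n "$address" ]` while the first branch and the rule/echo lines use `$addresses`; if only `addresses` is set, as the `if [ -n "$addresses" ]` just above this hunk suggests, the SNAT branch for an interface-wide entry (empty $subnet) is never taken and the traffic is MASQUERADEd instead of SNATed to the configured address. Make both tests use the same variable.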
@ -3677,7 +4148,7 @@ add_ip_aliases()
#
# Get all of the lines that contain inet addresses
#
ip addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do
ip -f inet addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do
case $cidr in
*/*)
if in_subnet $external $cidr; then
@ -3972,9 +4443,26 @@ build_common_chain() {
#
add_common_rules() {
local savelogparms="$LOGPARMS"
local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
#
# Reject Rules
# Reject Rules -- Don't respond to broadcasts with an ICMP
#
qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
#
# No pkttype support -- do it the hard way
#
for address in $broadcasts ; do
run_iptables -A reject -d $address -j DROP
done
fi
#
# Don't feed the smurfs
#
for address in $broadcasts ; do
run_iptables -A reject -s $address -j DROP
done
run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
run_iptables -A reject -p udp -j REJECT
#
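Review bot: the return status of the first `qt iptables -A reject -m pkttype --pkt-type broadcast` call is discarded; only the multicast rule's failure triggers the fallback. If the pkttype match is missing both calls fail and the `-d $address` loop covers both, but if only the first fails the reject chain silently loses broadcast handling. Suggest testing both, e.g. `if ! qt iptables ... broadcast ... || ! qt iptables ... multicast ...; then`. The new `-s $address -j DROP` rules are a sound addition: a packet whose source is a broadcast or multicast address cannot be answered legitimately, and replying with ICMP or a TCP RST would only amplify traffic toward the spoofed address.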
@ -4079,13 +4567,13 @@ add_common_rules() {
strip_file rfc1918
createchain norfc1918 no
createchain rfc1918 no
createchain logdrop no
log_rule $RFC1918_LOG_LEVEL rfc1918 DROP
log_rule $RFC1918_LOG_LEVEL logdrop DROP
run_iptables -A logdrop -j DROP
run_iptables -A rfc1918 -j DROP
if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
#
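Review bot: this hunk removes the filter-table `logdrop` chain and moves its log-and-drop role onto `rfc1918`; the `logdrop` target in existing rfc1918 files is remapped later in this patch, but any other reference to the chain by name (extension scripts, documentation) will now fail at start time. Worth a line in the release notes.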
@ -4097,27 +4585,30 @@ add_common_rules() {
# Also add a chain to log and drop any RFC1918 packets that we find
#
run_iptables -t mangle -N man1918
run_iptables -t mangle -N logdrop
log_rule $RFC1918_LOG_LEVEL logdrop DROP -t mangle
run_iptables -t mangle -A logdrop -j DROP
run_iptables -t mangle -N rfc1918
log_rule $RFC1918_LOG_LEVEL rfc1918 DROP -t mangle
run_iptables -t mangle -A rfc1918 -j DROP
fi
while read subnet target; do
case $target in
logdrop|DROP|RETURN)
logdrop)
target=rfc1918
;;
DROP|RETURN)
;;
*)
fatal_error "Invalid target ($target) for $subnet"
;;
esac
run_iptables2 -A rfc1918 -s $subnet -j $target
run_iptables2 -A norfc1918 -s $subnet -j $target
if [ -n "$CONNTRACK_MATCH" ]; then
#
# We have connection tracking match -- match on the original destination
#
run_iptables2 -A rfc1918 -m conntrack --ctorigdst $subnet -j $target
run_iptables2 -A norfc1918 -m conntrack --ctorigdst $subnet -j $target
elif [ -n "$MANGLE_ENABLED" ]; then
#
# No connection tracking match but we have mangling -- add a rule to
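Review bot: `logdrop)` is silently rewritten to `rfc1918`, so the two targets behave identically, but the fatal_error message and the file documentation still describe only the old names; state that `logdrop` is now an alias for `rfc1918`. Also note that the `--ctorigdst` rule carries the same $target into norfc1918, so a RETURN entry ends the scan of norfc1918 for reply traffic whose original destination was in $subnet, mirroring the `-s` rule; confirm that ordering relative to later entries in the file is intended.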
@ -4129,7 +4620,7 @@ add_common_rules() {
for interface in $norfc1918_interfaces; do
for chain in `first_chains $interface`; do
run_iptables -A $chain -m state --state NEW -j rfc1918
run_iptables -A $chain -m state --state NEW -j norfc1918
done
[ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
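Review bot: this rename is required, not optional: after the earlier hunk `rfc1918` is the unconditional log-and-drop chain, so leaving the jump unchanged would have dropped every NEW connection on these interfaces. The `-m state --state NEW` restriction means only new connections are checked here; replies with an RFC 1918 original destination rely on the `--ctorigdst` rule added above.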
@ -4235,19 +4726,8 @@ add_common_rules() {
[ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
run_ip route flush cache
fi
#
# IP Forwarding
#
case "$IP_FORWARDING" in
[Oo][Nn])
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "IP Forwarding Enabled"
;;
[Oo][Ff][Ff])
echo 0 > /proc/sys/net/ipv4/ip_forward
echo "IP Forwarding Disabled!"
;;
esac
setup_forwarding
}
#
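Review bot: the removed `case` handled both the On and Off values of IP_FORWARDING and printed a message for each; setup_forwarding is not visible in this hunk, so confirm it preserves the Off branch (writing 0 to /proc/sys/net/ipv4/ip_forward) and the two messages, since this was the only place the setting was applied.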
@ -4389,6 +4869,8 @@ activate_rules()
echo "$FW $zone $chain1" >> ${STATEDIR}/chains
echo "$zone $FW $chain2" >> ${STATEDIR}/chains
need_broadcast=
for host in $source_hosts; do
interface=${host%:*}
subnet=${host#*:}
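Review bot: `need_broadcast=` should be declared `local` like the function's other working variables (compare `local savelogparms` in add_common_rules) unless it is deliberately shared; as written it leaks into the caller's shell.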
@ -4406,6 +4888,17 @@ activate_rules()
[ -n "$complex" ] && \
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
if [ "$subnet" != 0.0.0.0/0 ]; then
if ! list_search $interface $need_broadcast ; then
eval options=\$`chain_base ${interface}`_options
list_search detectnets $options && need_broadcast="$need_broadcast $interface"
fi
fi
done
for interface in $need_broadcast ; do
run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1
done
for zone1 in $zones; do
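Review bot: the new OUTPUT rules only cover interfaces whose options include `detectnets`, yet the problem they solve (the firewall's own packets to 255.255.255.255 and 224.0.0.0/4 never match a `-d $subnet` rule) applies to any interface listed with a subnet other than 0.0.0.0/0. Either extend the test beyond `detectnets` or add a comment explaining why only detected networks need it. Also `224.0.0.0/4` is the whole multicast range; confirm that sending every multicast packet from the firewall through $chain1 is intended rather than just the link-local 224.0.0.0/24 block.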
@ -4473,6 +4966,7 @@ activate_rules()
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
run_iptables -D $chain -p udp --dport 53 -j ACCEPT
done
}
#
@ -4532,6 +5026,10 @@ define_firewall() # $1 = Command (Start or Restart)
rules=`find_file rules`
echo "Processing Actions..."
process_actions
echo "Processing $rules..."
process_rules
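Review bot: `echo "Processing Actions..."` does not name the file the way the neighbouring `Processing $rules...` does; resolve it with find_file as is done for rules and print the path, so a user running with `-c` can see which actions file was used. The ordering is right: actions must be defined before process_rules resolves rule targets.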
@ -5057,6 +5555,8 @@ do_initialize() {
LOGRULENUMBERS=
ADMINISABSENTMINDED=
BLACKLISTNEWONLY=
MODULE_SUFFIX=
ACTIONS=
stopping=
have_mutex=
@ -5207,6 +5707,8 @@ do_initialize() {
fi
ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED`
BLACKLISTNEWONLY=`added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY`
[ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz"
#
# Strip the files that we use often
#
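Review bot: MODULE_SUFFIX gets its default via `[ -n ... ] ||` while the neighbouring settings go through added_param_value_no, and the default is not documented alongside them; if the suffixes are tried in the listed order, "o gz ko o.gz" would pick a stale `.o` module sitting next to a `.ko` on a 2.6 kernel. Consider listing `ko` first and documenting the setting in shorewall.conf.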

Lrp/usr/share/shorewall/help Executable file

@ -0,0 +1,248 @@
#!/bin/sh
#
# Shorewall help subsystem - V1.4 - 3/14/2003
#
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2003 - Tom Eastep (teastep@shorewall.net)
# Steve Herber (herber@thing.com)
#
# This file should be placed in /usr/share/shorewall/help
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
##################################################################################
case $1 in
add)
echo "add: add <interface>[:<host>] <zone>
Adds a host or subnet to a dynamic zone usually used with VPN's.
shorewall add interface[:host] zone - Adds the specified interface
(and host if included) to the specified zone.
Example:
shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
from interface ipsec0 to the zone vpn1.
See also \"help host\""
;;
address|host)
echo "<$1>:
May be either a host IP address such as 192.168.1.4 or a network address in
CIDR format like 192.168.1.0/24"
;;
allow)
echo "allow: allow <address> ...
Re-enables receipt of packets from hosts previously blacklisted
by a drop or reject command.
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
See also \"help address\""
;;
check)
echo "check: check [ -c <configuration-directory> ]
Performs a cursory validation of the zones, interfaces, hosts,
rules and policy files. Use this if you are unsure of any edits
you have made to the shorewall configuration. See the try command
examples for a recommended way to make changes."
;;
clear)
echo "clear: clear
Clear will remove all rules and chains installed by Shoreline.
The firewall is then wide open and unprotected. Existing
connections are untouched. Clear is often used to see if the
firewall is causing connection problems."
;;
debug)
echo "debug: debug
If you include the keyword debug as the first argument to any
of these commands:
start|stop|restart|reset|clear|refresh|check|add|delete
then a shell trace of the command is produced. For example:
shorewall debug start 2> /tmp/trace
The above command would trace the 'start' command and
place the trace information in the file /tmp/trace."
;;
delete)
echo "delete: delete <interface>[:<host>] <zone>
Deletes a host or subnet from a dynamic zone usually used with VPN's.
shorewall delete interface[:host] zone - Deletes the specified
interface (and host if included) from the specified zone.
Example:
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
192.0.2.24 from interface ipsec0 from zone vpn1
See also \"help host\""
;;
drop)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
See also \"help address\""
;;
help)
echo "help: help [<command> | host | address ]
Display helpful information about the shorewall commands."
;;
hits)
echo "hits: hits
Produces several reports about the Shorewall packet log messages
in the current /var/log/messages file."
;;
ipcalc)
echo "ipcalc: ipcalc [ address mask | address/vlsm ]
Ipcalc displays the network address, broadcast address,
network in CIDR notation and netmask corresponding to the input[s]."
;;
iprange)
echo "iprange: iprange address1-address2
Iprange decomposes the specified range of IP addresses into the
equivalent list of network/host addresses."
;;
logwatch)
echo "logwatch: logwatch [<refresh interval>]
Monitors the LOGFILE, $LOGFILE,
and produces an audible alarm when new Shorewall messages are logged."
;;
monitor)
echo "monitor: monitor [<refresh_interval>]
Continuously display the firewall status, last 20 log entries and nat.
When the log entry display changes, an audible alarm is sounded."
;;
refresh)
echo "refresh: refresh
The rules involving the broadcast addresses of firewall interfaces,
the black list, traffic control rules and ECN control rules are recreated
to reflect any changes made. Existing connections are untouched"
;;
reject)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
See also \"help address\""
;;
reset)
echo "reset: reset
All the packet and byte counters in the firewall are reset."
;;
restart)
echo "restart: restart [ -c <configuration-directory> ]
Restart is the same as a shorewall stop && shorewall start.
Existing connections are dropped."
;;
save)
echo "save: save
The dynamic data is stored in /var/lib/shorewall/save
Shorewall allow, drop, rejct and save implement dynamic blacklisting."
;;
show)
echo "show: show [<chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
shorewall show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v)
shorewall show nat - produce a verbose report about the nat table.
(iptables -t nat -L -n -v)
shorewall show tos - produce a verbose report about the mangle table.
(iptables -t mangle -L -n -v)
shorewall show log - display the last 20 packet log entries.
shorewall show connections - displays the IP connections currently
being tracked by the firewall.
shorewall show tc - displays information about the traffic
control/shaping configuration."
;;
start)
echo "start: start [ -c <configuration-directory> ]
Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies."
;;
stop)
echo "stop: stop
Stops the firewall. All existing connections, except those
listed in /etc/shorewall/routestopped, are taken down.
The only new traffic permitted through the firewall
is from systems listed in /etc/shorewall/routestopped."
;;
status)
echo "status: status
Produce a verbose report about the firewall.
(iptables -L -n -v)"
;;
try)
echo "try: try <configuration-directory> [ <timeout> ]
Restart shorewall using the specified configuration. If an error
occurs during the restart, then another shorewall restart is performed
using the default configuration. If a timeout is specified then
the restart is always performed after the timeout occurs and uses
the default configuration."
;;
version)
echo "version: version
Show the current shorewall version which is: $version"
;;
*)
echo "$1: $1 is not recognized by the help command"
;;
esac
exit 0 # always ok
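Review bot: "rejct" is misspelled in the allow, drop, reject and save texts (`Shorewall allow, drop, rejct and save implement dynamic blacklisting.`). The logwatch and version entries expand `$LOGFILE` and `$version`, but nothing in this file sets them, so despite the `#!/bin/sh` line and executable mode the script only gives correct output when sourced from the shorewall CLI with those variables in scope; either source the configuration here or drop the shebang and executable bit to make the intent clear.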

@ -1 +1 @@
1.4.8
1.4.10

@ -24,3 +24,5 @@
/etc/shorewall/accounting Account Traffic Accounting Rules
/etc/shorewall/usersets UserSets User Set definitions
/etc/shorewall/users Users " " "
/etc/shorewall/actions Actions Define user actions
/etc/shorewall/action.templage Template Template for user-defined actions
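Review bot: typo in the new path: `/etc/shorewall/action.templage` should be `/etc/shorewall/action.template`, matching the template file added at the top of this commit.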

@ -1 +1 @@
1.4.8
1.4.10