From 6be802aa7cdc1818479a1e93f8d41ec5a33786fc Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 8 Jun 2015 09:46:51 -0700 Subject: [PATCH 1/9] Update the Shorewall 4 article Signed-off-by: Tom Eastep --- docs/Shorewall-4.xml | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/docs/Shorewall-4.xml b/docs/Shorewall-4.xml index 33c158969..c02bdea5e 100644 --- a/docs/Shorewall-4.xml +++ b/docs/Shorewall-4.xml @@ -22,6 +22,8 @@ 2009 + 2015 + Thomas M. Eastep @@ -97,11 +99,12 @@
Shorewall 4.4 - Shorewall 4.4 discontinues the availability of the legacy + Shorewall 4.4 discontinued the availability of the legacy shell-based compiler. All users must migrate to the perl-based compiler - before or during an upgrade to Shorewall version 4.4. We highly recommend - that current users of the shell-based compiler migrate before upgrading to - 4.4 so that both compilers are available during the migration. + before or during an upgrade to Shorewall version 4.4 or later. We highly + recommend that current users of the shell-based compiler migrate before + upgrading to 4.4 or later so that both compilers are available during the + migration. Shorewall 4.4 contains five packages: @@ -161,11 +164,12 @@ - Perl (I use Perl 5.8.10 but other 5.8 versions should work - fine). + Perl (I use Perl 5.14.2 but other 5.8 or later versions should + work fine). If you want to be able to use DNS names in your Shorewall6 - configuration files, then Perl 5.10 is required together with the - Perl Socket6 module. + configuration files, then Perl 5.10 or later is required together + with the Perl Socket6 + module. From f6b77c17acc611699297f834e2b5c42d5318b002 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 8 Jun 2015 10:28:18 -0700 Subject: [PATCH 2/9] Correct a couple of blunders in the Introductory article. Signed-off-by: Tom Eastep --- docs/Introduction.xml | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/docs/Introduction.xml b/docs/Introduction.xml index 4895a3264..366465afb 100644 --- a/docs/Introduction.xml +++ b/docs/Introduction.xml @@ -16,7 +16,7 @@ - 2003-2014 + 2003-2015 Thomas M. Eastep 
@@ -145,18 +145,8 @@ setups, you will only need to deal with a few of them. Shorewall views the network where it is running as being composed of - a set of zones. In the three-interface sample configuration for - example, the following zone names are used: - - #NAME DESCRIPTION -fw The firewall itself -net The Internet -loc Your Local Network -dmz Demilitarized Zone - - Zones are declared and given a type in the zones. Zones are declared and given a type + in the /etc/shorewall/zones file.Here is the /etc/shorewall/zones @@ -433,8 +423,8 @@ ACCEPT net $FW tcp 22 Shorewall-init. May be installed with any of the other firewall packages. Allows the firewall - to be close prior to bringing up network interfaces. It can also react - to interface up/down events. + to be closed prior to bringing up network interfaces. It can also + react to interface up/down events.
From 116e85e0405476ab5fc22b4c2bfb2950bfab764c Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 8 Jun 2015 11:27:37 -0700
Subject: [PATCH 3/9] Cosmetic cleanup of the Compiler module
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Compiler.pm | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 353c152a7..301d49ae0 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -529,14 +529,12 @@ EOF
 emit( ' run_refreshed_exit', ' do_iptables -N shorewall' );
- emit ( ' do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+ emit( ' do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
- emit(
- " set_state Started $config_dir",
- ' [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
- 'else',
- ' setup_netfilter'
- );
+ emit( " set_state Started $config_dir",
+ ' [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+ 'else',
+ ' setup_netfilter' );
 push_indent;
 emit 'setup_arptables' if $have_arptables;
@@ -604,12 +602,12 @@ sub compiler {
 sub validate_boolean( $ ) {
 my $val = numeric_value( shift );
 defined($val) && ($val >= 0) && ($val < 2);
- }
+ }
 sub validate_verbosity( $ ) {
 my $val = numeric_value( shift );
 defined($val) && ($val >= MIN_VERBOSITY) && ($val <= MAX_VERBOSITY);
- }
+ }
 sub validate_family( $ ) {
 my $val = numeric_value( shift );
@@ -852,7 +850,7 @@ sub compiler {
 #
 setup_tunnels;
 #
- # Clear the current filename
+ # Clear the current filename so that the last one processed doesn't appear in error and warning messages
 #
 clear_currentfilename;
 #
Signed-off-by: Tuomo Soini --- Shorewall-init/shorewall-init | 123 +++++++++++++++++----------------- 1 file changed, 62 insertions(+), 61 deletions(-) diff --git a/Shorewall-init/shorewall-init b/Shorewall-init/shorewall-init index 65a5befb7..8f2f4e03d 100644 --- a/Shorewall-init/shorewall-init +++ b/Shorewall-init/shorewall-init @@ -1,18 +1,19 @@ -#! /bin/bash -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5 +#!/bin/bash +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.6 # -# (c) 2012-2014 - Tom Eastep (teastep@shorewall.net) +# (c) 2012-2014 - Tom Eastep (teastep@shorewall.net) # -# On most distributions, this file should be called /etc/init.d/shorewall. +# On most distributions, this file should be called +# /etc/init.d/shorewall. # -# Complete documentation is available at http://shorewall.net +# Complete documentation is available at http://shorewall.net # -# This program is part of Shorewall. +# This program is part of Shorewall. # # This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by the -# Free Software Foundation, either version 2 of the license or, at your -# option, any later version. +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 2 of the license or, +# at your option, any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of @@ -22,7 +23,7 @@ # You should have received a copy of the GNU General Public License # along with this program; if not, see . # -######################################################################################### +############################################################################### # set the STATEDIR variable setstatedir() { local statedir 
@@ -46,7 +47,7 @@ setstatedir() { if [ -f "$SYSCONFDIR/shorewall-init" ]; then . $SYSCONFDIR/shorewall-init if [ -z "$PRODUCTS" ]; then - echo "ERROR: No products configured" >&2 + echo "ERROR: No products configured" >&2 exit 1 fi else 
@@ -56,71 +57,71 @@ fi # Initialize the firewall shorewall_start () { - local PRODUCT - local STATEDIR + local PRODUCT + local STATEDIR - echo -n "Initializing \"Shorewall-based firewalls\": " - for PRODUCT in $PRODUCTS; do - setstatedir + echo -n "Initializing \"Shorewall-based firewalls\": " + for PRODUCT in $PRODUCTS; do + setstatedir - if [ -x ${STATEDIR}/firewall ]; then - # - # Run in a sub-shell to avoid name collisions - # - ( - if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then - ${STATEDIR}/firewall ${OPTIONS} stop || exit 1 - else - exit 1 - fi - ) - else - echo ERROR: ${STATEDIR}/firewall does not exist or is not executable! - exit 1 - fi - done + if [ -x ${STATEDIR}/firewall ]; then + # + # Run in a sub-shell to avoid name collisions + # + ( + if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then + ${STATEDIR}/firewall ${OPTIONS} stop || exit 1 + else + exit 1 + fi + ) + else + echo ERROR: ${STATEDIR}/firewall does not exist or is not executable! + exit 1 + fi + done - if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then - ipset -R < "$SAVE_IPSETS" - fi + if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then + ipset -R < "$SAVE_IPSETS" + fi - return 0 + return 0 } # Clear the firewall shorewall_stop () { - local PRODUCT - local STATEDIR + local PRODUCT + local STATEDIR - echo -n "Clearing \"Shorewall-based firewalls\": " - for PRODUCT in $PRODUCTS; do - setstatedir + echo -n "Clearing \"Shorewall-based firewalls\": " + for PRODUCT in $PRODUCTS; do + setstatedir - if [ -x ${STATEDIR}/firewall ]; then - ${STATEDIR}/firewall ${OPTIONS} clear || exit 1 - fi - done + if [ -x ${STATEDIR}/firewall ]; then + ${STATEDIR}/firewall ${OPTIONS} clear || exit 1 + fi + done - if [ -n "$SAVE_IPSETS" ]; then - mkdir -p $(dirname "$SAVE_IPSETS") - if ipset -S > "${SAVE_IPSETS}.tmp"; then - grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" - fi - fi + if [ -n "$SAVE_IPSETS" ]; then + mkdir -p $(dirname "$SAVE_IPSETS") + if 
ipset -S > "${SAVE_IPSETS}.tmp"; then
+ grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+ fi
+ fi
- return 0
+ return 0
 }
 case "$1" in
- start)
- shorewall_start
- ;;
- stop)
- shorewall_stop
- ;;
- *)
- echo "Usage: $0 {start|stop}"
- exit 1
+ start)
+ shorewall_start
+ ;;
+ stop)
+ shorewall_stop
+ ;;
+ *)
+ echo "Usage: $0 {start|stop}"
+ exit 1
 esac
 exit 0
From 8bc62d1474d1848acd9d1d6820f1c41c584a7db2 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 8 Jun 2015 22:15:35 +0300
Subject: [PATCH 5/9] Complete Shorewall-init improvements
completes 548c0558c15f1ec10b3782014cefa996c58db03f
Signed-off-by: Tuomo Soini
---
 Shorewall-init/shorewall-init | 39 ++++++++++++++++-------------------
 1 file changed, 18 insertions(+), 21 deletions(-)
diff --git a/Shorewall-init/shorewall-init b/Shorewall-init/shorewall-init
index 8f2f4e03d..5b6e9ebc8 100644
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -34,7 +34,9 @@ setstatedir() {
 [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
- ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit 1
+ ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+ else
+ return 0
 fi
 }
@@ -62,22 +64,17 @@ shorewall_start () {
 echo -n "Initializing \"Shorewall-based firewalls\": "
 for PRODUCT in $PRODUCTS; do
- setstatedir
-
- if [ -x ${STATEDIR}/firewall ]; then
- #
- # Run in a sub-shell to avoid name collisions
- #
- (
- if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
- ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
- else
- exit 1
- fi
- )
- else
- echo ERROR: ${STATEDIR}/firewall does not exist or is not executable!
- exit 1
+ if setstatedir; then
+ if [ -x ${STATEDIR}/firewall ]; then
+ #
+ # Run in a sub-shell to avoid name collisions
+ #
+ (
+ if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+ ${STATEDIR}/firewall ${OPTIONS} stop
+ fi
+ )
+ fi
 fi
 done
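Review bot: `if setstatedir; then` in shorewall_start treats every non-zero status from `compile -c` as "skip this product", so a real compile failure (status 1) now silently leaves that product's firewall untouched while the script still reaches `exit 0`, and the removed `else` branch means a missing or non-executable `${STATEDIR}/firewall` is no longer reported either; the shorewall_stop hunk of this patch has the same silent skip. Presumably only status 6 (the not-configured status introduced later in this series) is meant to be skipped, so the loop should capture `$?` (declare `rc` with `local` next to PRODUCT and STATEDIR) and fail on anything else, as sketched below. The sub-shell's status was never checked before this change either, so the dropped `|| exit 1` inside it changed nothing; if a failed `stop` is meant to be fatal, the sub-shell needs `) || exit 1`. setstatedir's new return contract also deserves a comment on the function, e.g. `# Status 6 means startup is disabled for this product; any other non-zero status is a compile failure`.
```shell
for PRODUCT in $PRODUCTS; do
    setstatedir
    rc=$?
    if [ $rc -eq 0 ]; then
        if [ -x ${STATEDIR}/firewall ]; then
            # … unchanged: sub-shell that checks status and runs stop …
        else
            echo "ERROR: ${STATEDIR}/firewall does not exist or is not executable!" >&2
            exit 1
        fi
    elif [ $rc -ne 6 ]; then
        # anything other than "startup disabled" is a real compile failure
        echo "ERROR: $PRODUCT compile failed (status $rc)" >&2
        exit 1
    fi
done
```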
@@ -95,10 +92,10 @@ shorewall_stop () {
 echo -n "Clearing \"Shorewall-based firewalls\": "
 for PRODUCT in $PRODUCTS; do
- setstatedir
-
- if [ -x ${STATEDIR}/firewall ]; then
- ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
+ if setstatedir; then
+ if [ -x ${STATEDIR}/firewall ]; then
+ ${STATEDIR}/firewall ${OPTIONS} clear
+ fi
 fi
 done
From 5221c92d7fca94bbba7c5ce5ce35246930251167 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 8 Jun 2015 22:18:01 +0300
Subject: [PATCH 6/9] Add to lib.common a new function not_configured()
Signed-off-by: Tuomo Soini
---
 Shorewall-core/lib.common | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common
index 5d0ec7ca1..3fbe95f83 100644
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -79,6 +79,15 @@ fatal_error() # $@ = Message
 exit 2
 }
+#
+# Not configured Error
+#
+not_configured() # $@ = Message
+{
+ echo " ERROR: $@" >&2
+ exit 6
+}
+
 #
 # Get the Shorewall version of the passed script
 #
From 15276b1f89351f5aae0dc48e2b45a50510069630 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 8 Jun 2015 22:23:38 +0300
Subject: [PATCH 7/9] Set exit code to 6 when startup is disabled
Handles cases missed by 4b27c72c7944043a73261f1f8310fe5c1e89daec
Signed-off-by: Tuomo Soini
---
 Shorewall/lib.cli-std | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std
index 5325721e2..bdff92a91 100644
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
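Review bot: The header comment `# Not configured Error` on not_configured does not record what distinguishes this helper from fatal_error just above it, namely exit status 6 instead of 2, and that status is what the shorewall-init changes in this series appear to key on; suggest `# Report a configuration problem (e.g. STARTUP_ENABLED not set) and exit with status 6, which init scripts use to tell "not configured" from a real failure`. The function is renamed to not_configured_error later in the series, so the comment applies to that name too. A minor style point on `echo " ERROR: $@" >&2`: inside a larger double-quoted word the message is meant to be joined into one string, which is what `$*` expresses, `echo " ERROR: $*" >&2` (fatal_error presumably has the same form, so change both or neither).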
@@ -162,14 +162,13 @@ get_config() {
 if [ "$2" = Yes ]; then
 case $STARTUP_ENABLED in
 No|no|NO)
- fatal_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf"
+ not_configured "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf"
 ;;
 Yes|yes|YES)
 ;;
 *)
 if [ -n "$STARTUP_ENABLED" ]; then
- fatal_error "Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED"
- exit 6
+ not_configured "Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED"
 fi
 ;;
 esac
@@ -510,7 +509,7 @@ start_command() {
 exit 0
 fi
- [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"
+ [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled"
 while [ $finished -eq 0 -a $# -gt 0 ]; do
 option=$1
@@ -1002,7 +1001,7 @@ restart_command() {
 ;;
 esac
- [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"
+ [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled"
 if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then
 uptodate ${VARDIR}/firewall && g_fast=Yes
@@ -1101,7 +1100,7 @@ refresh_command() {
 product_is_started || fatal_error "$g_product is not running"
- [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"
+ [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled"
 if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then
 run_postcompile ${VARDIR}/.refresh
@@ -1190,7 +1189,7 @@ safe_commands() {
 ;;
 esac
- [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"
+ [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled"
 if product_is_started; then
 running=Yes
@@ -1327,7 +1326,7 @@ try_command() {
 ;;
 esac
- [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"
+ [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled"
 if product_is_started; then
 running=Yes
From f8d95d1ee973b4d96c1a33aceb1097af400b7d78 Mon Sep 17 00:00:00 2001
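Review bot: The five `[ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled"` lines (start_command, restart_command, refresh_command, safe_commands, try_command) only fire when STARTUP_ENABLED is empty, which is exactly the case get_config's `*)` branch lets through without a message, so "Startup is disabled" is misleading for an unset value and, unlike get_config's own message, tells the operator nothing about how to fix it. Use the same text in all five, e.g. `not_configured "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf"`; alternatively, if an empty value is never legitimate when `$2` is Yes, get_config's `*)` branch could report it itself and the five later checks would become redundant. All of these functions start outside their hunks.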
From: Tuomo Soini Date: Tue, 9 Jun 2015 20:29:45 +0300 Subject: [PATCH 8/9] rename not_configured() to not_configured_error() Signed-off-by: Tuomo Soini --- Shorewall-core/lib.common | 2 +- Shorewall/lib.cli-std | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common index 3fbe95f83..28b0d5356 100644 --- a/Shorewall-core/lib.common +++ b/Shorewall-core/lib.common @@ -82,7 +82,7 @@ fatal_error() # $@ = Message # # Not configured Error # -not_configured() # $@ = Message +not_configured_error() # $@ = Message { echo " ERROR: $@" >&2 exit 6 diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index bdff92a91..b2987e5c7 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std @@ -162,13 +162,13 @@ get_config() { if [ "$2" = Yes ]; then case $STARTUP_ENABLED in No|no|NO) - not_configured "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf" + not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf" ;; Yes|yes|YES) ;; *) if [ -n "$STARTUP_ENABLED" ]; then - not_configured "Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" + not_configured_error "Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" fi ;; esac @@ -509,7 +509,7 @@ start_command() { exit 0 fi - [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled" + [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled" while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 @@ -1001,7 +1001,7 @@ restart_command() { ;; esac - [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled" + [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled" if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then uptodate ${VARDIR}/firewall && g_fast=Yes 
@@ -1100,7 +1100,7 @@ refresh_command() { product_is_started || fatal_error "$g_product is not running" - [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled" + [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled" if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then run_postcompile ${VARDIR}/.refresh @@ -1189,7 +1189,7 @@ safe_commands() { ;; esac - [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled" + [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled" if product_is_started; then running=Yes @@ -1326,7 +1326,7 @@ try_command() { ;; esac - [ -n "$STARTUP_ENABLED" ] || not_configured "Startup is disabled" + [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled" if product_is_started; then running=Yes From d9e4273e6bcd0120662565bfe90d66df3eea6e76 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 19 Jun 2015 10:00:05 -0700 Subject: [PATCH 9/9] Clarify the Universal configuration Signed-off-by: Tom Eastep --- docs/GettingStarted.xml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/GettingStarted.xml b/docs/GettingStarted.xml index 7a0692401..82880363a 100644 --- a/docs/GettingStarted.xml +++ b/docs/GettingStarted.xml @@ -67,6 +67,12 @@ Universal configuration -- requires no configuration to protect a single system. + + + This configuration places all interfaces in the net zone. If you + add another interface or VPN, you will want to select a different + QuickStart Guide. + @@ -182,7 +188,7 @@ url="configuration_file_basics.htm#Ranges">Port Ranges - +