diff --git a/Shorewall/INSTALL b/Shorewall/INSTALL index 9be61b23c..be049bb5d 100644 --- a/Shorewall/INSTALL +++ b/Shorewall/INSTALL @@ -1,4 +1,4 @@ -Shoreline Firewall (Shorewall) Version 2.4 +Shoreline Firewall (Shorewall) Version 2.6 ----- ---- ----------------------------------------------------------------------------- diff --git a/Shorewall/Makefile b/Shorewall/Makefile new file mode 100644 index 000000000..f5d7afed3 --- /dev/null +++ b/Shorewall/Makefile @@ -0,0 +1,16 @@ +# Shorewall Makefile to restart if config-files are newer than last restart +VARDIR=/var/lib/shorewall +CONFDIR=/etc/shorewall +all: $(VARDIR)/restarted + +$(VARDIR)/restarted: $(CONFDIR)/* + @/sbin/shorewall -q save >/dev/null; \ + if \ + /sbin/shorewall -q restart >/dev/null 2>&1; \ + then \ + /sbin/shorewall -q save >/dev/null; \ + else \ + /sbin/shorewall -q restart 2>&1 | tail >&2; \ + fi + +# EOF diff --git a/Shorewall/README.txt b/Shorewall/README.txt index 416095199..38f37f645 100644 --- a/Shorewall/README.txt +++ b/Shorewall/README.txt @@ -1 +1,5 @@ -This is the Shorewall development branch of CVS. +This is the Shorewall EXPERIMENTAL branch of CVS. + +The Shorewall EXPERIMENTAL branch is NOT SUPPORTED in any way. +YOU MIGHT BREAK YOUR FIREWALL BY USING THIS CODE!! If so, don't +come complaining to us! diff --git a/Shorewall/accounting b/Shorewall/accounting index 849cb043b..f46c8344d 100755 --- a/Shorewall/accounting +++ b/Shorewall/accounting @@ -1,5 +1,5 @@ # -# Shorewall version 2.4 - Accounting File +# Shorewall version 2.6 - Accounting File # # /etc/shorewall/accounting # diff --git a/Shorewall/action.AllowAmanda b/Shorewall/action.AllowAmanda deleted file mode 100644 index 0abd8ee21..000000000 --- a/Shorewall/action.AllowAmanda +++ /dev/null 
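Review bot: The failure branch `/sbin/shorewall -q restart 2>&1 | tail >&2` exits with tail's status, so the recipe — and therefore `make` — reports success even when the restart failed and the firewall is in whatever state the failed restart left it; append `; exit 1` after `tail >&2` (or capture the restart's status before piping) so the failure propagates to the caller. The target `$(VARDIR)/restarted` is never created or touched by the recipe itself; unless `shorewall restart` or `shorewall save` updates that file (possible, but not visible in this diff), the rule fires on every `make` regardless of timestamps, in which case a `touch $@` at the end of the success branch is needed. A comment stating why `save` runs both before and after the restart (presumably so that a failed restart can fall back to the previously saved rules) would help, since the reason is not obvious from the recipe.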
@@ -1,13 +0,0 @@ -# -# Shorewall action.AllowAmanda -# -# This action accepts connections to the AMANDA backup system. -# -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -ACCEPT - - udp 10080 -# Not sure why this is necessary - using ip_conntrack_amanda along with -# the above should be sufficient. -#ACCEPT - - tcp 50000:50100 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowIMAP b/Shorewall/action.AllowIMAP deleted file mode 100644 index 1bb9bed72..000000000 --- a/Shorewall/action.AllowIMAP +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.AllowIMAP -# -# This action accepts IMAP traffic (secure and insecure): -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 143 #Unsecure IMAP -ACCEPT - - tcp 993 #Secure IMAP -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowLDAP b/Shorewall/action.AllowLDAP deleted file mode 100644 index 2fc07a6a6..000000000 --- a/Shorewall/action.AllowLDAP +++ /dev/null @@ -1,12 +0,0 @@ -# -# Shorewall action.AllowLDAP -# -# This action accepts LDAP traffic. -# -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -ACCEPT - - tcp 389 -# This is LDAPS - should it be included? -#ACCEPT - - tcp 636 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowNNTP b/Shorewall/action.AllowNNTP deleted file mode 100644 index 92246ce51..000000000 --- a/Shorewall/action.AllowNNTP +++ /dev/null 
@@ -1,11 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.AllowNNTP -# -# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS) -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 119 -ACCEPT - - tcp 563 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowPostgreSQL b/Shorewall/action.AllowPostgreSQL deleted file mode 100644 index d5b5641e0..000000000 --- a/Shorewall/action.AllowPostgreSQL +++ /dev/null @@ -1,10 +0,0 @@ -# -# Shorewall action.AllowPostgreSQL -# -# This action accepts connections to the PostgreSQL server. -# -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -ACCEPT - - tcp 5432 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowRdate b/Shorewall/action.AllowRdate deleted file mode 100644 index 14e961d22..000000000 --- a/Shorewall/action.AllowRdate +++ /dev/null @@ -1,10 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.AllowRdate -# -# This action accepts remote time retrieval (rdate). -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 37 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowRsync b/Shorewall/action.AllowRsync deleted file mode 100644 index 1e421c4ab..000000000 --- a/Shorewall/action.AllowRsync +++ /dev/null 
@@ -1,10 +0,0 @@ -# -# Shorewall action.AllowRsync -# -# This action accepts connections to the rsync server. -# -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -ACCEPT - - tcp 873 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowSMB b/Shorewall/action.AllowSMB deleted file mode 100644 index b8d55add0..000000000 --- a/Shorewall/action.AllowSMB +++ /dev/null @@ -1,14 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.AllowSMB -# -# Allow Microsoft SMB traffic. You need to invoke this action in -# both directions. -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - udp 135,445 -ACCEPT - - udp 137:139 -ACCEPT - - udp 1024: 137 -ACCEPT - - tcp 135,139,445 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowSNMP b/Shorewall/action.AllowSNMP deleted file mode 100644 index 69258bc4b..000000000 --- a/Shorewall/action.AllowSNMP +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.AllowSNMP -# -# This action accepts SNMP traffic (including traps): -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - udp 161:162 -ACCEPT - - tcp 161 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowSVN b/Shorewall/action.AllowSVN deleted file mode 100644 index 3b075dc07..000000000 --- a/Shorewall/action.AllowSVN +++ /dev/null 
@@ -1,10 +0,0 @@ -# -# Shorewall action.AllowSVN -# -# This action accepts connections to the Subversion server. -# -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -ACCEPT - - tcp 3690 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowTrcrt b/Shorewall/action.AllowTrcrt deleted file mode 100644 index 3c6dd46df..000000000 --- a/Shorewall/action.AllowTrcrt +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.AllowTrcrt -# -# This action accepts Traceroute (for up to 30 hops): -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - udp 33434:33524 #UDP Traceroute -ACCEPT - - icmp 8 #ICMP Traceroute -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowVNC b/Shorewall/action.AllowVNC deleted file mode 100644 index 44724991c..000000000 --- a/Shorewall/action.AllowVNC +++ /dev/null @@ -1,10 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.AllowVNC -# -# This action accepts VNC traffic for VNC display's 0 - 9. -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 5900:5909 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowVNCL b/Shorewall/action.AllowVNCL deleted file mode 100644 index 33b2d258e..000000000 --- a/Shorewall/action.AllowVNCL +++ /dev/null 
@@ -1,10 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.AllowVNCL -# -# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode. -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 5500 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowWeb b/Shorewall/action.AllowWeb deleted file mode 100644 index a8c2693d7..000000000 --- a/Shorewall/action.AllowWeb +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.AllowWeb -# -# This action accepts WWW traffic (secure and insecure): -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 80 -ACCEPT - - tcp 443 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.Drop b/Shorewall/action.Drop index 4a6acab08..52f8c4c73 100644 --- a/Shorewall/action.Drop +++ b/Shorewall/action.Drop @@ -1,5 +1,5 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.Drop +# Shorewall 2.6 /usr/share/shorewall/action.Drop # # The default DROP common rules # @@ -15,11 +15,11 @@ # # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!! ###################################################################################### -#TARGET SOURCE DEST PROTO +#TARGET SOURCE DEST PROTO DPORT SPORT # # Reject 'auth' # -RejectAuth +Auth/REJECT # # Don't log broadcasts # @@ -36,7 +36,7 @@ dropInvalid # # Drop Microsoft noise so that it doesn't clutter up the log. # -DropSMB +SMB/DROP DropUPnP # # Drop 'newnotsyn' traffic so that it doesn't get logged. diff --git a/Shorewall/action.DropGnutella b/Shorewall/action.DropGnutella deleted file mode 100644 index aeec861cd..000000000 --- a/Shorewall/action.DropGnutella +++ /dev/null 
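Review bot: `Auth/REJECT` and `SMB/DROP` switch these lines from action invocations to the new macro syntax, but the corresponding macro definitions do not appear in this part of the diff — only the deletions of action.RejectAuth/action.DropSMB and, in the actions.std hunk (@@ -21,54), of their declarations — so unless the macro files are added elsewhere in the commit the default Drop action (and action.Reject's `Auth/REJECT` and `SMB/REJECT` in its two hunks) no longer resolves. `DropUPnP` is left as a plain action invocation here and in action.Reject while its `DropUPnP #Silently Drop UPnP Probes` declaration is removed from actions.std with no replacement visible; either keep that declaration or convert the call the same way. Since this file is shipped as the default for every DROP policy, a comment above the first macro call, e.g. `# NAME/TARGET invokes macro NAME (see "Implement Macros" in the 2.5.0 changelog)`, would spare users a confusing compile failure when they compare against their 2.4 copies.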
@@ -1,11 +0,0 @@ -# -# Shorewall action.DropGnutella -# -# This action silently drops Gnutella traffic. -# -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -DROP - - tcp 6346 -DROP - - udp 6346 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.DropPing b/Shorewall/action.DropPing deleted file mode 100644 index 5efb6872b..000000000 --- a/Shorewall/action.DropPing +++ /dev/null @@ -1,10 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.DropPing -# -# This action silently drops 'ping' requests. -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -DROP - - icmp 8 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.DropSMB b/Shorewall/action.DropSMB deleted file mode 100644 index 336e77602..000000000 --- a/Shorewall/action.DropSMB +++ /dev/null @@ -1,15 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.DropSMB -# -# This action silently drops Microsoft SMB traffic -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -DROP - - udp 135 -DROP - - udp 137:139 -DROP - - udp 445 -DROP - - tcp 135 -DROP - - tcp 139 -DROP - - tcp 445 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.Reject b/Shorewall/action.Reject index d12fb66a9..2efe39266 100644 --- a/Shorewall/action.Reject +++ b/Shorewall/action.Reject @@ -1,5 +1,5 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.Reject +# Shorewall 2.6 /usr/share/shorewall/action.Reject # # The default REJECT action common rules # 
@@ -16,7 +16,7 @@ # # Don't log 'auth' REJECT # -RejectAuth +Auth/REJECT # # Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected). # @@ -33,7 +33,7 @@ dropInvalid # # Drop Microsoft noise so that it doesn't clutter up the lot. # -RejectSMB +SMB/REJECT DropUPnP # # Drop 'newnotsyn' traffic so that it doesn't get logged. diff --git a/Shorewall/action.RejectAuth b/Shorewall/action.RejectAuth deleted file mode 100644 index 802e71ab7..000000000 --- a/Shorewall/action.RejectAuth +++ /dev/null @@ -1,10 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.RejectAuth -# -# This action silently rejects Auth (tcp 113) traffic -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -REJECT - - tcp 113 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.RejectSMB b/Shorewall/action.RejectSMB deleted file mode 100644 index 719b5e3e8..000000000 --- a/Shorewall/action.RejectSMB +++ /dev/null @@ -1,15 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.RejectSMB -# -# This action silently rejects Microsoft SMB traffic -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -REJECT - - udp 135 -REJECT - - udp 137:139 -REJECT - - udp 445 -REJECT - - tcp 135 -REJECT - - tcp 139 -REJECT - - tcp 445 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.template b/Shorewall/action.template index f2c7ef97a..3c06098c9 100644 --- a/Shorewall/action.template +++ b/Shorewall/action.template @@ -1,5 +1,5 @@ # -# Shorewall 2.4 /etc/shorewall/action.template +# Shorewall 2.6 /etc/shorewall/action.template # # This file is a template for files with names of the form # /etc/shorewall/action. where is an 
diff --git a/Shorewall/actions b/Shorewall/actions index 41becaac4..5cb360fd1 100644 --- a/Shorewall/actions +++ b/Shorewall/actions @@ -1,5 +1,5 @@ # -# Shorewall 2.4 /etc/shorewall/actions +# Shorewall 2.6 /etc/shorewall/actions # # This file allows you to define new ACTIONS for use in rules # (/etc/shorewall/rules). You define the iptables rules to diff --git a/Shorewall/actions.std b/Shorewall/actions.std index c5b5d9480..d6e704cbf 100644 --- a/Shorewall/actions.std +++ b/Shorewall/actions.std @@ -1,5 +1,5 @@ # -# Shorewall 2.4 /usr/share/shorewall/actions.std +# Shorewall 2.6 /usr/share/shorewall/actions.std # # Please see http://shorewall.net/Actions.html for additional # information. 
@@ -21,54 +21,7 @@ # #ACTION -DropSMB #Silently Drops Microsoft SMB Traffic -RejectSMB #Silently Reject Microsoft SMB Traffic -DropUPnP #Silently Drop UPnP Probes -RejectAuth #Silently Reject Auth -DropPing #Silently Drop Ping -DropDNSrep #Silently Drop DNS Replies -DropEdonkey # silently drop edonkey traffic -DropGnutella # silently drop gnutella traffic - -AllowPing #Accept Ping -AllowFTP #Accept FTP -AllowDNS #Accept DNS -AllowSSH #Accept SSH -AllowWeb #Allow Web Browsing -AllowSMB #Allow MS Networking -AllowAuth #Allow Auth (identd) -AllowSMTP #Allow SMTP (Email) -AllowPOP3 #Allow reading mail via POP3 -AllowICMPs #Allows critical ICMP types -AllowIMAP #Allow reading mail via IMAP -AllowTelnet #Allow Telnet Access (not recommended for use over the Internet) -AllowVNC #Allow VNC viewer->server, Displays 0-9 -AllowVNCL #Allow VNC server->viewer in listening mode -AllowNTP #Allow Network Time Protocol (ntpd) -AllowRdate #Allow remote time (rdate). -AllowNNTP #Allow network news (Usenet). -AllowTrcrt #Allows Traceroute (20 hops) -AllowSNMP #Allows SNMP (including traps) -AllowPCA #Allows PCAnywhere (tm) - -# Added in Debian Packaging -AllowSPAMD #Allows SpamAssassin daemon -AllowSyslog #Allows syslog udp traffic -AllowAmanda # Allow connections required by the Amanda backup system -AllowLDAP # accepts LDAP traffic -AllowICQ # Accepts ICQ traffic -AllowBitTorrent # Accepts BitTorrent traffic -AllowSMBswat # Allows Samba Swat -DropSMTP # silently drops SMTP traffic -AllowCVS # accept cvs pserver traffic -AllowSVN # accept Subversion traffic -AllowMySQL # accept MySQL traffic -AllowPostgreSQL # accept PostgreSQL traffic -AllowRsync # accept rsync traffic -AllowDistcc # accept Distributed Compiler traffic -AllowEdonkey # accept edonkey traffic -AllowGnutella # accept edonkey traffic - Drop:DROP #Common Action for DROP policy Reject:REJECT #Common Action for REJECT policy + #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE 
diff --git a/Shorewall/blacklist b/Shorewall/blacklist index 1b587e45b..d3b21f8e7 100755 --- a/Shorewall/blacklist +++ b/Shorewall/blacklist @@ -1,5 +1,5 @@ # -# Shorewall 2.4 -- Blacklist File +# Shorewall 2.6 -- Blacklist File # # /etc/shorewall/blacklist # diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index b142d9deb..87e0de0f5 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt 
@@ -1,50 +1,29 @@ -Changes in 2.4.0-Final +Changes in 2.5.1ex -1) Add the ability to specify a weight in the balance option. +1) Clean up handling of zones -2) Remove "ipp2p" support in the rules file. +2) Make the removal of the ipsec file upward compatible. -3) Fix duplicate routing table listings from "shorewall status" +3) Improve CONTINUE policy handling. -Changes in 2.4.0-RC2 +4) Implement arp_ignore support. -1) Relax "detect" restriction. +Changes in 2.5.0ex -2) Fix detection via 'nexthop' so it will work with BusyBox +1) Make warning and error messages easier to find by using + capitalization. -3) Merge Tuomo Soini's fix for "shorewall add" +2) Remove /etc/shorewall/ipsec and merge it's function with + /etc/shorewall/zones. -Changes in 2.4.0-RC1 +3) Apply small fix to the above patch. -1) Fix output from firewall itself vis-a-vis multiple providers. +4) Remove dynamic zone support. -2) Merge and tweak Lorenzo Martignoni's 'safe-restart' patch. +5) Add "established policy" support. -Changes in 2.3.2 - -1) Add support for -j ROUTE - -2) Add TEST column to /etc/shorewall/routes - -3) Add support for different providers. - -4) Merge patch from Juan Jesús Prieto. - -5) Implement 'loose' routestopped option. - -6) Change 'loose' to 'source' and 'dest' - -7) Fix routing of connections from the firewall with multiple ISPs. - -Changes in 2.3.1 - -1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in - Shorewall configuration directories. - -Changes in 2.3.0 - -1) Implement support for --cmd-owner - -2) Implement support for ipsets. +6) Add CRITICALHOSTS support. +7) Remove 'bogon' stuff. +8) Implement Macros. diff --git a/Shorewall/configpath b/Shorewall/configpath index c31607581..8e4a04088 100644 --- a/Shorewall/configpath +++ b/Shorewall/configpath @@ -1,5 +1,5 @@ # -# Shorewall version 2.4 - Default Config Path +# Shorewall version 2.6 - Default Config Path # # /usr/share/shorewall/configpath # 
diff --git a/Shorewall/continue b/Shorewall/continue index e65e2c901..914293e2c 100644 --- a/Shorewall/continue +++ b/Shorewall/continue @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.4 -- /etc/shorewall/continue +# Shorewall 2.6 -- /etc/shorewall/continue # # Add commands below that you want to be executed after shorewall has # cleared any existing Netfilter rules and has enabled existing connections. diff --git a/Shorewall/ecn b/Shorewall/ecn index f3b43d7ad..dad842aa1 100644 --- a/Shorewall/ecn +++ b/Shorewall/ecn @@ -1,5 +1,5 @@ # -# Shorewall 2.4 - /etc/shorewall/ecn +# Shorewall 2.6 - /etc/shorewall/ecn # # Use this file to list the destinations for which you want to # disable ECN. diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh index 438ff4608..d463c56d6 100755 --- a/Shorewall/fallback.sh +++ b/Shorewall/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=2.4.0 +VERSION=2.5.0 usage() # $1 = exit status { diff --git a/Shorewall/firewall b/Shorewall/firewall index fd7805f76..4d5b3d55d 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -1,6 +1,6 @@ #!/bin/sh # -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.4 +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.6 # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # @@ -64,7 +64,7 @@ error_message() # $* = Error Message # fatal_error() # $* = Error Message { - echo " Error: $@" >&2 + echo " ERROR: $@" >&2 if [ $COMMAND = check ]; then [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR else @@ -79,7 +79,7 @@ fatal_error() # $* = Error Message # startup_error() # $* = Error Message { - echo " Error: $@" >&2 + echo " ERROR: $@" >&2 my_mutex_off [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE 
@@ -139,12 +139,12 @@ ensure_and_save_command() } # -# Append a file in $STATEDIR to $RESTOREBASE +# Append a file in /var/lib/shorewall to $RESTOREBASE # append_file() # $1 = File Name { - save_command "cat > $STATEDIR/$1 << __EOF__" - cat $STATEDIR/$1 >> $RESTOREBASE + save_command "cat > /var/lib/shorewall/$1 << __EOF__" + cat /var/lib/shorewall/$1 >> $RESTOREBASE save_command __EOF__ } @@ -239,14 +239,13 @@ run_ipset() { # variable exists_${1} and set its value to Yes to indicate that the chain now # exists. # -createchain() # $1 = chain name, $2 = If "yes", create default rules +createchain() # $1 = chain name, $2 = If "yes", create newnotsyn rule { local c=$(chain_base $1) run_iptables -N $1 if [ $2 = yes ]; then - run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT [ -z "$NEWNOTSYN" ] && \ run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn fi @@ -261,7 +260,6 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules if $IPTABLES -N $1; then if [ $2 = yes ]; then - run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT [ -z "$NEWNOTSYN" ] && \ run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn fi 
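Review bot: Replacing `$STATEDIR` with the literal `/var/lib/shorewall` in append_file hard-codes the state directory into the generated restore script in two places; if STATEDIR is still set or honoured anywhere else in the script or in shorewall.conf (not visible in this hunk), the files written at save time and the paths the restore script writes to can silently diverge. Keeping the variable, or asserting the two agree once at startup (`[ "$STATEDIR" = /var/lib/shorewall ] || fatal_error "STATEDIR must be /var/lib/shorewall"`), would make that visible. While this line is being touched: the here-document delimiter is unquoted, so when the restore script runs any `$` or backquote in the appended file is expanded by the shell; `save_command "cat > /var/lib/shorewall/$1 << '__EOF__'"` makes the body literal, assuming none of the appended state files rely on that expansion.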
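Review bot: Dropping `run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT` from createchain (and from createchain2 in the @@ -261 hunk) means a chain created with `$2 = yes` no longer accepts reply traffic by itself; the replacement is presumably the per-policy `${chain}_epolicy` (ACCEPT or QUEUE) introduced in validate_policy, but the code that emits that rule is outside the visible hunks, so every caller that passed `yes` for the old default rules should be checked — any chain that misses it sends established connections to the policy rule instead. The hunk header of @@ -261 still reads `createchain2() # $1 = chain name, $2 = If "yes", create default rules` while createchain's comment was updated to `create newnotsyn rule`; make the two match. A short note in createchain's comment saying where the ESTABLISHED/RELATED rule now comes from would save the next reader the same search.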
@@ -418,6 +416,53 @@ flushmangle() # $1 = name of chain run_iptables -t mangle -F $1 } +# +# Find the zones +# +find_zones() # $1 = name of the zone file +{ + local zone rest + + while read zone rest; do + expandv zone + + [ ${#zone} -gt 5 ] && startup_error "Zone name longer than 5 characters: $zone" + + case "$zone" in + [0-9*]) + startup_error "Illegal zone name \"$zone\" in zones file" + ;; + $FW|all|none) + startup_error "Reserved zone name \"$zone\" in zones file ignored" + ;; + *) + echo $zone + ;; + esac + done < $1 +} + +# +# This function assumes that the TMP_DIR variable is set and that +# its value named an existing directory. +# +determine_zones() +{ + local zonefile=$(find_file zones) zones= + + strip_file zones $zonefile + + ZONES= + zones=$(find_zones $TMP_DIR/zones) + + for zone in $zones; do + list_search $zone $ZONES && startup_error "Zone $zone is defined more than once" + ZONES="$ZONES $zone" + done + + [ -z "$ZONES" ] && startup_error "ERROR: No Zones Defined" +} + # # Find interfaces to a given zone # @@ -477,6 +522,11 @@ mac_chain() # $1 = interface echo $(chain_base $1)_mac } +macrecent_target() # $1 - interface +{ + [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN +} + # # Functions for creating dynamic zone rules # @@ -502,11 +552,6 @@ dynamic_chains() #$1 = interface echo ${c}_dyni ${c}_dynf ${c}_dyno } -macrecent_target() # $1 - interface -{ - [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN -} - # # DNAT Chain from a zone # @@ -852,17 +897,6 @@ find_hosts() # $1 = host zone done < $TMP_DIR/hosts } -# -# Check for duplicate zone definitions -# -check_duplicate_zones() { - local localzones= - - for zone in $zones; do - list_search $zone $localzones && startup_error "Zone $zone is defined more than once" - localzones="$localzones $zone" - done -} # # Determine the interfaces on the firewall # 
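Review bot: find_zones is invoked through command substitution, `zones=$(find_zones $TMP_DIR/zones)`, so every `startup_error` inside it runs in a subshell: its exit (presumably) ends only the subshell, determine_zones continues with the zone names echoed before the error, and the cleanup startup_error performs (`rm -rf $TMP_DIR`, per the startup_error hunk above) happens underneath the still-running parent. Either have find_zones return a non-zero status that determine_zones checks, or move the validation into determine_zones' own `for zone in $zones` loop where startup_error terminates the script. The pattern `[0-9*])` is a single-character bracket expression, so it rejects only a zone named exactly one digit or `*`; `[0-9]*)` (plus `*\**)` if embedded asterisks are meant to be rejected) is probably what was intended, and the `$FW|all|none` message says the name is `ignored` although the call is fatal. Finally, `startup_error "ERROR: No Zones Defined"` double-prefixes, since startup_error already prints `ERROR:` — drop the literal prefix.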
@@ -870,7 +904,7 @@ check_duplicate_zones() { # variable contains a space-separated list of interfaces to the zone # determine_interfaces() { - for zone in $zones; do + for zone in $ZONES; do interfaces=$(find_interfaces $zone) interfaces=$(echo $interfaces) # Remove extra trash eval ${zone}_interfaces=\"\$interfaces\" @@ -893,8 +927,7 @@ interface_has_option() # $1 = interface, #2 = option # Determine the defined hosts in each zone and generate report # determine_hosts() { - - for zone in $zones; do + for zone in $ZONES; do hosts=$(find_hosts $zone) hosts=$(echo $hosts) # Remove extra trash @@ -943,10 +976,9 @@ determine_hosts() { eval ${zone}_hosts="\$hosts" if [ -n "$hosts" ]; then - eval display=\$${zone}_display - display_list "$display Zone:" $hosts + display_list "$zone Zone:" $hosts else - error_message "Warning: Zone $zone is empty" + error_message "WARNING: Zone $zone is empty" fi done } @@ -956,14 +988,14 @@ determine_hosts() { # validate_zone() # $1 = zone { - list_search $1 $zones $FW + list_search $1 $ZONES $FW } # # Ensure that the passed zone is defined in the zones file. # validate_zone1() # $1 = zone { - list_search $1 $zones + list_search $1 $ZONES } # @@ -1010,7 +1042,13 @@ validate_interfaces_file() { case $option in -) ;; - dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-) + dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-) + ;; + arp_ignore=*) + eval ${iface}_arp_ignore=${option#*=} + ;; + arp_ignore) + eval ${iface}_arp_ignore=1 ;; detectnets) [ -n "$wildcard" ] && \ @@ -1020,7 +1058,7 @@ validate_interfaces_file() { [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface" ;; *) - error_message "Warning: Invalid option ($option) in record \"$r\"" + error_message "WARNING: Invalid option ($option) in record \"$r\"" ;; esac done 
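Review bot: The value of `arp_ignore=*` is passed straight into `eval ${iface}_arp_ignore=${option#*=}` without validation, so a typo such as `arp_ignore=1;` or a value containing spaces becomes shell code inside the eval rather than a configuration error, and an out-of-range value is only discovered when it is written to the sysctl. Validate it first, e.g. `case ${option#*=} in [0-8]) ;; *) startup_error "Invalid arp_ignore setting ($option) in record \"$r\"" ;; esac`, since the kernel accepts only 0-8 for arp_ignore; `$r` is already used by the warning in the same case statement. The interfaces file is root-owned configuration, so this is a robustness rather than an exposure issue, but the eval-of-config pattern is worth keeping tight.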
@@ -1157,25 +1195,25 @@ setup_providers() balance) DEFAULT_ROUTE="$DEFAULT_ROUTE nexthop via $gateway dev $interface weight 1" ;; - loose) - loose=Yes - ;; + loose) + loose=Yes + ;; *) - error_message " Warning: Invalid option ($option) ignored in provider \"$provider\"" + error_message " WARNING: Invalid option ($option) ignored in provider \"$provider\"" ;; esac done rulenum=0 - find_interface_addresses $interface | while read address; do - run_and_save_command qt ip rule del from $address - if [ -z "$loose" ]; then - pref=$((20000 + $rulenum * 1000 + $mark )) - rulenum=$(($rulenum + 1)) - ensure_and_save_command ip rule add from $address pref $pref table $number - fi - done + find_interface_addresses $interface | while read address; do + run_and_save_command qt ip rule del from $address + if [ -z "$loose" ]; then + pref=$((20000 + $rulenum * 1000 + $mark )) + rulenum=$(($rulenum + 1)) + ensure_and_save_command ip rule add from $address pref $pref table $number + fi + done } strip_file providers $1 @@ -1275,7 +1313,7 @@ validate_hosts_file() { *.*.*.*) ;; +*) - eval ${z}_is_complex=Yes + eval ${z}_is_complex=Yes ;; *) known_interface $host && \ @@ -1293,7 +1331,7 @@ validate_hosts_file() { for option in $(separate_list $options) ; do case $option in - maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|-) + maclist|norfc1918|blacklist|tcpflags|nosmurfs|newnotsyn|-) ;; ipsec) [ -n "$POLICY_MATCH" ] || \ @@ -1306,7 +1344,7 @@ validate_hosts_file() { eval ${z}_routeback=\"$interface:$host \$${z}_routeback\" ;; *) - error_message "Warning: Invalid option ($option) in record \"$r\"" + error_message "WARNING: Invalid option ($option) in record \"$r\"" ;; esac done 
@@ -1386,6 +1424,24 @@ validate_policy() fi esac + case $policy in + *:*) + epolicy=${policy#*:} + policy=${policy%:*} + + case $epolicy in + ACCEPT|QUEUE) + ;; + *) + startup_error " $client $server $policy $loglevel $synparams: Invalid ESTABLISHED/RELATED policy: $epolicy" + ;; + esac + ;; + *) + epolicy=ACCEPT + ;; + esac + case $policy in ACCEPT|REJECT|DROP|CONTINUE|QUEUE) ;; @@ -1407,7 +1463,9 @@ validate_policy() startup_error "Duplicate policy $policy" fi - [ "x$loglevel" = "x-" ] && loglevel= + [ "x$loglevel" = "x-" ] && loglevel= + [ "x$synparms" = "x-" ] && synparms= + [ "x$epolicy" = "x-" ] && epolicy= [ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain" @@ -1415,11 +1473,12 @@ validate_policy() eval ${chain}_policy=$policy eval ${chain}_loglevel=$loglevel eval ${chain}_synparams=$synparams + eval ${chain}_epolicy=$epolicy if [ -n "${clientwild}" ]; then if [ -n "${serverwild}" ]; then - for zone in $zones $FW all; do - for zone1 in $zones $FW all; do + for zone in $ZONES $FW all; do + for zone1 in $ZONES $FW all; do eval pc=\$${zone}2${zone1}_policychain if [ -z "$pc" ]; then @@ -1430,7 +1489,7 @@ validate_policy() done done else - for zone in $zones $FW all; do + for zone in $ZONES $FW all; do eval pc=\$${zone}2${server}_policychain if [ -z "$pc" ]; then @@ -1441,7 +1500,7 @@ validate_policy() done fi elif [ -n "$serverwild" ]; then - for zone in $zones $FW all; do + for zone in $ZONES $FW all; do eval pc=\$${client}2${zone}_policychain if [ -z "$pc" ]; then 
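Review bot: The new line `[ "x$synparms" = "x-" ] && synparms=` tests and clears a variable named `synparms`, but the variable this function reads is `synparams` (see `eval ${chain}_synparams=$synparams` a few lines below and the `$synparams` in the startup_error message), so the `-` placeholder is never cleared and is stored as the chain's synparams; change it to `[ "x$synparams" = "x-" ] && synparams=`. Whether that was already a latent problem before this commit depends on code outside the hunk, but the new line as written is a no-op. The companion `[ "x$epolicy" = "x-" ] && epolicy=` can never fire, since the `*:*` case in the @@ -1386 hunk only lets ACCEPT or QUEUE through and otherwise sets `epolicy=ACCEPT`; if `policy:-` is meant to be accepted as "default", handle it in that case statement instead (`-) epolicy=ACCEPT ;;`) and drop the dead line.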
@@ -1504,6 +1563,25 @@ find_interfaces_by_option() # $1 = option done } +# +# This slightly slower version is used to find both the option and option followed +# by equal sign ("=") and a value +# +find_interfaces_by_option1() # $1 = option +{ + local options option + + for interface in $ALL_INTERFACES; do + eval options=\$$(chain_base $interface)_options + for option in $options; do + if [ "${option%=*}" = "$1" ]; then + echo $interface + break + fi + done + done +} + # # Find hosts with the passed option # @@ -1590,7 +1668,7 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi if [ ${#prefix} -gt 29 ]; then prefix="$(echo $prefix | truncate 29)" - error_message "Warning: Log Prefix shortened to \"$prefix\"" + error_message "WARNING: Log Prefix shortened to \"$prefix\"" fi case $level in @@ -1704,7 +1782,7 @@ process_routestopped() # $1 = command case $option in routeback) if [ -n "$routeback" ]; then - error_message "Warning: Duplicate routestopped option ignored: routeback" + error_message "WARNING: Duplicate routestopped option ignored: routeback" else routeback=Yes for h in $(separate_list $host); do @@ -1722,8 +1800,10 @@ process_routestopped() # $1 = command dest="$dest $interface:$h" done ;; + critical) + ;; *) - error_message "Warning: Unknown routestopped option ignored: $option" + error_message "WARNING: Unknown routestopped option ignored: $option" ;; esac done 
@@ -1759,6 +1839,70 @@ process_routestopped() # $1 = command done } +process_criticalhosts() +{ + local hosts= interface host h options networks criticalhosts= + + [ -f $TMP_DIR/routestopped ] || strip_file routestopped + + while read interface host options; do + expandv interface host options + + [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host) + + if [ -n "$options" ]; then + for option in $(separate_list $options); do + case $option in + routeback|source|dest) + ;; + critical) + for h in $host; do + criticalhosts="$criticalhosts $interface:$h" + done + ;; + *) + error_message "WARNING: Unknown routestopped option ignored: $option" + ;; + esac + done + fi + done < $TMP_DIR/routestopped + + if [ -n "$criticalhosts" ]; then + CRITICALHOSTS=$criticalhosts + progress_message "Critical Hosts are:$CRITICALHOSTS" + fi + +} + +# +# For each entry in the CRITICALHOSTS global list, add INPUT and OUTPUT rules to +# enable traffic to/from those hosts. +# +enable_critical_hosts() +{ + for host in $CRITICALHOSTS; do + interface=${host%:*} + networks=${host#*:} + $IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT + $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT + done +} + +# +# For each entry in the CRITICALHOSTS global list, delete the INPUT and OUTPUT rules that +# enable traffic to/from those hosts. +# +disable_critical_hosts() +{ + for host in $CRITICALHOSTS; do + interface=${host%:*} + networks=${host#*:} + $IPTABLES -D INPUT -i $interface $(source_ip_range $networks) -j ACCEPT + $IPTABLES -D OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT + done +} + # # Stop the Firewall # 
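Review bot: In process_criticalhosts a `-` or empty HOST column is expanded to `host=0.0.0.0/0`, so a routestopped entry such as `eth0 - critical` makes enable_critical_hosts append `-A INPUT -i eth0 ... -j ACCEPT` for every source (assuming source_ip_range/dest_ip_range produce the usual address matches), i.e. the stopped firewall accepts every packet arriving on that interface; that may be intended for a management network but deserves an explicit comment in the function and in the routestopped documentation, or a `startup_error` when `critical` is combined with `-`. The rules are also stateless and protocol-agnostic, which is appropriate for keeping an admin session alive but makes `critical` strictly wider than the existing routestopped handling — the header comment above enable_critical_hosts should say so. `disable_critical_hosts` has no caller in the visible hunks; if it is unused, drop it. Lastly, `option` is missing from the `local` list of process_criticalhosts while `hosts`, `h` and `networks` are declared, so the loop clobbers any global of that name.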
@@ -1824,7 +1968,41 @@ stop_firewall() { [ -n "$DISABLE_IPV6" ] && disable_ipv6_1 - if [ -z "$ADMINISABSENTMINDED" ]; then + process_criticalhosts + + if [ -n "$CRITICALHOSTS" ]; then + if [ -z "$ADMINISABSENTMINDED" ]; then + for chain in INPUT OUTPUT; do + setpolicy $chain ACCEPT + done + + setpolicy FORWARD DROP + + deleteallchains + + enable_critical_hosts + + for chain in INPUT OUTPUT; do + setpolicy $chain DROP + done + else + for chain in INPUT OUTPUT; do + setpolicy $chain ACCEPT + done + + setpolicy FORWARD DROP + + deleteallchains + + enable_critical_hosts + + setpolicy INPUT DROP + + for chain in INPUT FORWARD; do + setcontinue $chain + done + fi + elif [ -z "$ADMINISABSENTMINDED" ]; then for chain in INPUT OUTPUT FORWARD; do setpolicy $chain DROP done @@ -1844,10 +2022,6 @@ stop_firewall() { done fi - hosts= - - [ -f $TMP_DIR/routestopped ] || strip_file routestopped - process_routestopped -A $IPTABLES -A INPUT -i lo -j ACCEPT @@ -2057,7 +2231,7 @@ setup_tunnels() # $1 = name of tunnels file addrule ${FW}2${z} -p $protocol $p -j ACCEPT addrule ${z}2${FW} -p $protocol $p -j ACCEPT else - error_message "Warning: Invalid gateway zone ($z)" \ + error_message "WARNING: Invalid gateway zone ($z)" \ " -- Tunnel \"$tunnel\" may encounter problems" fi done @@ -2115,10 +2289,10 @@ setup_tunnels() # $1 = name of tunnels file } # -# Process the ipsec file +# Process the ipsec information in the zones file # setup_ipsec() { - local zone + local zone using_ipsec= # # Add a --set-mss rule to the passed chain # @@ -2141,7 +2315,7 @@ setup_ipsec() { set_mss() # $1 = MSS value, $2 = _in, _out or "" { if [ $COMMAND != check ]; then - for z in $zones; do + for z in $ZONES; do case $2 in _in) set_mss1 ${zone}2${z} $1 @@ -2157,7 +2331,7 @@ setup_ipsec() { done fi } - + do_options() # $1 = _in, _out or "" - $2 = option list { local option opts newoptions= val 
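Review bot: In both new CRITICALHOSTS branches of stop_firewall the INPUT and OUTPUT policies are switched to ACCEPT before deleteallchains runs and only set back to DROP after enable_critical_hosts, so for the duration of the flush the host accepts any inbound packet on any interface, not just traffic from the critical hosts; the initialize_netfilter hunk has the same window. If that ordering is required so that a session to a critical host is not dropped while the chains are flushed, say so above the first `setpolicy $chain ACCEPT`, e.g. `# policies are briefly ACCEPT so critical-host sessions survive the flush; FORWARD stays DROP`. The two branches share their first four steps (ACCEPT policies, FORWARD DROP, deleteallchains, enable_critical_hosts) and differ only in the closing policy/`setcontinue` lines, so the common prefix can be hoisted above the inner `if`.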
@@ -2190,40 +2364,55 @@ setup_ipsec() { done if [ -n "$newoptions" ]; then + [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" eval ${zone}_is_complex=Yes eval ${zone}_ipsec${1}_options=\"${newoptions# }\" fi } - strip_file ipsec $1 - + case $IPSECFILE in + zones) + f=zones + progress_message "Setting up IPSEC..." + ;; + *) + f=$IPSECFILE + strip_file $f + progress_message "Processing $f..." + using_ipsec=Yes + ;; + esac + while read zone ipsec options in_options out_options mss; do expandv zone ipsec options in_options out_options mss - [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" + if [ -n "$using_ipsec" ]; then + validate_zone1 $zone || fatal_error "Unknown zone: $zone" + fi - validate_zone1 $zone || fatal_error "Unknown zone: $zone" - - case $ipsec in - -|No|no) - ;; - Yes|yes) - eval ${zone}_is_ipsec=Yes - eval ${zone}_is_complex=Yes - ;; - *) - fatal_error "Invalid IPSEC column value: $ipsec" - ;; - esac - - do_options "" $options - do_options "_in" $in_options - do_options "_out" $out_options + if [ -n "$ipsec" ]; then + case $ipsec in + -|No|no) + ;; + Yes|yes) + [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" + eval ${zone}_is_ipsec=Yes + eval ${zone}_is_complex=Yes + ;; + *) + fatal_error "Invalid IPSEC column value: $ipsec" + ;; + esac - done < $TMP_DIR/ipsec + do_options "" $options + do_options "_in" $in_options + do_options "_out" $out_options + fi + + done < $TMP_DIR/$f } -# +## # Setup Proxy ARP # setup_proxy_arp() { 
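Review bot: setup_ipsec now assigns `f` in both arms of the new `case $IPSECFILE`, but its `local` line declares only `zone using_ipsec=`, so `f` is written at global scope; other functions in this file use a global `f` as a scratch name (`f=$(find_file ipsets)` in initialize_netfilter, `done < $TMP_DIR/$f` in process_actions3), and whether one of them is live when check_config calls setup_ipsec cannot be seen from this hunk. `local zone using_ipsec= f` removes the question. When `IPSECFILE` is `zones`, the `while read zone ipsec options in_options out_options mss` loop reads the zones file directly, so the zones-file columns must follow the ipsec-file layout; a comment stating that expected column order would help the next reader.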
@@ -2283,12 +2472,12 @@ setup_proxy_arp() { ensure_and_save_command arp -i $external -Ds $address $external pub - echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp + echo $address $interface $external $haveroute >> /var/lib/shorewall/proxyarp progress_message " Host $address connected to $interface added to ARP on $external" } - > ${STATEDIR}/proxyarp + > /var/lib/shorewall/proxyarp save_progress_message "Restoring Proxy ARP..." @@ -2315,7 +2504,7 @@ setup_proxy_arp() { progress_message " Enabled proxy ARP on $interface" save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" else - error_message "Warning: Unable to enable proxy ARP on $interface" + error_message "WARNING: Unable to enable proxy ARP on $interface" fi done } @@ -2335,7 +2524,6 @@ setup_mac_lists() { local hosts local ipsec local policy= - local options # # Generate the list of interfaces having MAC verification # @@ -2481,7 +2669,7 @@ setup_syn_flood_chain () # enable_syn_flood_protection() # $1 = chain, $2 = protection chain { - run_iptables -I $1 2 -p tcp --syn -j @$2 + run_iptables -I $1 -p tcp --syn -j @$2 progress_message " Enabled SYN flood protection" } @@ -2489,16 +2677,16 @@ enable_syn_flood_protection() # $1 = chain, $2 = protection chain # Delete existing Proxy ARP # delete_proxy_arp() { - if [ -f ${STATEDIR}/proxyarp ]; then + if [ -f /var/lib/shorewall/proxyarp ]; then while read address interface external haveroute; do qt arp -i $external -d $address pub [ -z "$haveroute" ] && qt ip route del $address dev $interface - done < ${STATEDIR}/proxyarp + done < /var/lib/shorewall/proxyarp - rm -f ${STATEDIR}/proxyarp + rm -f /var/lib/shorewall/proxyarp fi - [ -d ${STATEDIR} ] && touch ${STATEDIR}/proxyarp + [ -d /var/lib/shorewall ] && touch /var/lib/shorewall/proxyarp for f in /proc/sys/net/ipv4/conf/*; do [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp 
@@ -2565,7 +2753,7 @@ setup_nat() { # # At this point, we're just interested in the network translation # - > ${STATEDIR}/nat + > /var/lib/shorewall/nat if [ -n "$POLICY_MATCH" ]; then policyin="-m policy --pol none --dir in" @@ -2590,15 +2778,15 @@ delete_nat() { run_iptables -t nat -F run_iptables -t nat -X - if [ -f ${STATEDIR}/nat ]; then + if [ -f /var/lib/shorewall/nat ]; then while read external interface; do qt ip addr del $external dev $interface - done < ${STATEDIR}/nat + done < /var/lib/shorewall/nat - rm -f {$STATEDIR}/nat + rm -f {/var/lib/shorewall}/nat fi - [ -d ${STATEDIR} ] && touch ${STATEDIR}/nat + [ -d /var/lib/shorewall ] && touch /var/lib/shorewall/nat } # @@ -3003,11 +3191,11 @@ process_accounting_rule() { user1= accounting_error() { - error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user + error_message "WARNING: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user } accounting_interface_error() { - error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user + error_message "WARNING: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user } accounting_interface_verify() { 
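Review bot: `rm -f {/var/lib/shorewall}/nat` in delete_nat carries the braces over from the old `{$STATEDIR}` typo; in sh the braces are literal characters (and bash brace expansion needs a comma or `..`), so the command removes a non-existent path and the real `/var/lib/shorewall/nat` survives after the addresses it lists have been deleted. The line should read `rm -f /var/lib/shorewall/nat`, matching the `touch` on the following line.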
@@ -3226,23 +3414,16 @@ check_config() { [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL= if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then - startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" + startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" fi echo "Determining Zones..." determine_zones - check_duplicate_zones - [ -z "$zones" ] && startup_error "ERROR: No Zones Defined" + display_list "Zones:" $ZONES - display_list "Zones:" $zones - - ipsecfile=$(find_file ipsec) - - [ -f $ipsecfile ] && \ - echo "Validating ipsec file..." && \ - setup_ipsec $ipsecfile + setup_ipsec echo "Validating interfaces file..." @@ -3867,6 +4048,75 @@ merge_levels() # $1=level at which superior action is called, $2=level at which esac } +# This function substitutes the second argument for the first part of the first argument up to the first colon (":") +# +# Example: +# +# substitute_action DNAT PARAM:info:FTP +# +# produces "DNAT:info:FTP" +# +substitute_action() # $1 = parameter, $2 = action +{ + local logpart=${2%%:*} + + case $2 in + *:*) + echo $1:${logpart%/} + ;; + *) + echo $1 + ;; + esac +} + +# +# This function maps old action names into their new macro equivalents +# +map_old_action() # $1 = Potential Old Action +{ + local macro= aktion + + if [ -n "$MAPOLDACTIONS" ]; then + case $1 in + */*) + echo $1 + return + ;; + *) + if [ -f $(find_file $1) ]; then + echo $1 + return + fi + + case $1 in + Allow*) + macro=${1#*w} + aktion=ACCEPT + ;; + Drop*) + macro=${1#*p} + aktion=DROP + ;; + Reject*) + macro=${1#*t} + aktion=REJECT + ;; + *) + echo $1 + return + ;; + esac + esac + + if [ -f $(find_file macro.$macro) ]; then + echo $macro/$aktion + fi + fi + + echo $1 +} + # # The next three functions implement the three phases of action processing. # 
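Review bot: substitute_action does not produce what its own comment says: `local logpart=${2%%:*}` keeps the text before the first colon, so `substitute_action DNAT PARAM:info:FTP` echoes `DNAT:PARAM`, discarding the log level and tag, and every caller (the macro-expansion loops in process_actions3 and process_macro, and `xtarget=$(substitute_action $xtarget1 $xtarget)` in process_rules) gets a mangled target. `local logpart=${2#*:}` keeps `info:FTP`, after which the `${logpart%/}` trim behaves as intended. In map_old_action the prefix-stripping patterns `${1#*w}`, `${1#*p}`, `${1#*t}` work only because the first w/p/t of Allow/Drop/Reject is the last letter of the prefix; that is worth a comment, e.g. `# strip the Allow/Drop/Reject prefix (first w/p/t is always the prefix's last letter)`.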
@@ -3946,10 +4196,53 @@ process_actions1() { ;; *) if list_search $temp $ACTIONS; then - eval requiredby_${xaction}=\"\$requiredby_${xaction} $xtarget\" + eval requiredby=\"\$requiredby_${xaction}\" + list_search $xtarget $requiredby || eval requiredby_${xaction}=\"$requiredby $xtarget\" else - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)" - startup_error "Invalid TARGET in rule \"$rule\"" + temp=$(map_old_action $temp) + + case $temp in + */*) + param=${temp#*/} + case $param in + ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) + ;; + *) + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec" + startup_error "Invalid Macro Parameter in rule \"$rule\"" + ;; + esac + temp=${temp%%/*} + ;; + esac + + f1=macro.${temp} + fn=$(find_file $f1) + + if [ ! -f $TMP_DIR/$f1 ]; then + if [ -f $fn ]; then + strip_file $f1 $fn + else + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec" + startup_error "Invalid TARGET in rule \"$rule\"" + fi + + progress_message " ..Expanding Macro $fn..." + + while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do + expandv mtarget + temp="${mtarget%%:*}" + case "$temp" in + ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|PARAM) + ;; + *) + rule="$mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec" + startup_error "Invalid TARGET in rule \"$rule\"" + esac + done < $TMP_DIR/$f1 + + progress_message " ..End Macro" + fi fi ;; 
@@ -3967,11 +4260,11 @@ process_actions1() { process_actions2() { - local interfaces="$(find_interfaces_by_option upnp)" + local interfaces="$(find_interfaces_by_option upnp)" if [ -n "$interfaces" ]; then if ! list_search forwardUPnP $USEDACTIONS; then - error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)" + error_message "WARNING:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)" USEDACTIONS="$USEDACTIONS forwardUPnP" fi fi @@ -3985,7 +4278,7 @@ process_actions2() { for xaction in $USEDACTIONS; do eval required=\"\$requiredby_${xaction%%:*}\" - + for xaction1 in $required; do # # Generate the action that will be passed to process_action by merging the 
@@ -4162,29 +4455,98 @@ process_actions3() { # xaction2=$(merge_levels $xaction $xtarget) - case ${xaction2%%:*} in + is_macro= + param= + + xtarget1=${xaction2%%:*} + + case $xtarget1 in ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) # # Builtin target -- Nothing to do # ;; *) - # - # Not a builtin target -- Replace the target from the file - # -- with the one generated above - xtarget=$xaction2 - # - # And locate the chain for that action:level:tag - # - xaction2=$(find_logactionchain $xtarget) + if list_search $xtarget1 $ACTIONS ; then + # + # An Action -- Replace the target from the file + # -- with the one generated above + xtarget=$xaction2 + # + # And locate the chain for that action:level:tag + # + xaction2=$(find_logactionchain $xtarget) + else + is_macro=yes + fi ;; esac expandv xclients xservers xprotocol xports xcports xratelimit xuserspec - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)" - process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec + if [ -n "$is_macro" ]; then + xtarget1=$(map_old_action $xtarget1) + + case $xtarget1 in + */*) + param=${xtarget1#*/} + xtarget1=${xtarget1%%/*} + ;; + esac + + progress_message "..Expanding Macro $(find_file macro.$xtarget1)..." 
+ while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do + expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec + + mtarget=$(merge_levels $xaction2 $mtarget) + + case $mtarget in + PARAM|PARAM:*) + [ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation" + ;; + esac + + if [ -n "$mclients" ]; then + case $mclients in + -) + mclients=${xclients} + ;; + *) + mclients=${mclients}:${xclients} + ;; + esac + else + mclients=${xclients} + fi + + if [ -n "$mservers" ]; then + case $mservers in + -) + mservers=${xservers} + ;; + *) + mservers=${mservers}:${xservers} + ;; + esac + else + mservers=${xserverss} + fi + + [ -n "$xprotocol" ] && [ "x${xprotocol}" != x- ] && mprotocol=$xprotocol + [ -n "$xports" ] && [ "x${xports}" != x- ] && mports=$xports + [ -n "$xcports" ] && [ "x${xcports}" != x- ] && mcports=$xcports + [ -n "$xratelimit" ] && [ "x${xratelimit}" != x- ] && mratelimit=$xratelimit + [ -n "$xuserspec" ] && [ "x${xuserspec}" != x- ] && muserspec=$xuserspec + + rule="$mtarget ${mclients:=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${mratelimit:-} ${muserspec:=-}" + process_action $xchain $xaction1 $mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec + done < $TMP_DIR/macro.$xtarget1 + progress_message "..End Macro" + else + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec" + process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec + fi done < $TMP_DIR/$f ;; esac 
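Review bot: In the macro-expansion loop of process_actions3 the servers fallback reads `mservers=${xserverss}`, an undefined name, so a macro line with an empty DEST column yields an empty `mservers` instead of the invocation's `xservers`; process_macro has the same typo as `${iserverss}`. The `rule=` line uses `${mratelimit:-}` where every other column uses `${var:=-}`; because `:-` does not assign, an empty rate limit disappears from the unquoted `process_action` argument list and `muserspec` shifts into the ratelimit position (process_macro's `${mclients=-}` has the same effect for an empty-but-set `mclients`). `mservers=${xservers}` and `${mratelimit:=-}` fix this hunk. The per-line column merging here duplicates process_macro almost verbatim, so one helper taking the invocation columns as parameters would keep the two in step.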
@@ -4808,6 +5170,13 @@ process_rule() # $1 = target clients="${clients#*:}" [ -z "$clientzone" -o -z "$clients" ] && \ fatal_error "Empty source zone or qualifier: rule \"$rule\"" + if [ $(list_count $clients) -gt 1 ]; then + case $clients in + !*) + fatal_error "Exclude lists not supported in the SOURCE column" + ;; + esac + fi fi if [ "$clientzone" = "${clientzone%!*}" ]; then @@ -4851,6 +5220,13 @@ process_rule() # $1 = target servers="${servers%:*}" [ -z "$serverzone" -o -z "$serverport" ] && \ fatal_error "Empty destination zone or server port: rule \"$rule\"" + if [ $(list_count $servers) -gt 1 ]; then + case $servers in + !*) + fatal_error "Exclude lists not supported in the DEST column" + ;; + esac + fi else serverport= [ -z "$serverzone" -o -z "$servers" ] && \ 
@@ -5012,10 +5388,90 @@ process_rule() # $1 = target fi } +# +# Process a macro invocation in the rules file +# + +process_macro() # $1 = target + # $2 = param + # $2 = clients + # $3 = servers + # $4 = protocol + # $5 = ports + # $6 = cports + # $7 = address + # $8 = ratelimit + # $9 = userspec +{ + local itarget="$1" + local param="$2" + local iclients="$3" + local iservers="$4" + local iprotocol="$5" + local iports="$6" + local icports="$7" + local iaddress="$8" + local iratelimit="$9" + local iuserspec="${10}" + + progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..." + + while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do + expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec + + mtarget=$(merge_levels $itarget $mtarget) + + case $mtarget in + PARAM|PARAM:*) + [ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation" + ;; + esac + + if [ -n "$mclients" ]; then + case $mclients in + -) + mclients=${iclients} + ;; + *) + mclients=${mclients}:${iclients} + ;; + esac + else + mclients=${iclients} + fi + + if [ -n "$mservers" ]; then + case $mservers in + -) + mservers=${iservers} + ;; + *) + mservers=${mservers}:${iservers} + ;; + esac + else + mservers=${iserverss} + fi + + [ -n "$iprotocol" ] && [ "x${iprotocol}" != x- ] && mprotocol=$iprotocol + [ -n "$iports" ] && [ "x${iports}" != x- ] && mports=$iports + [ -n "$icports" ] && [ "x${icports}" != x- ] && mcports=$icports + [ -n "$iratelimit" ] && [ "x${iratelimit}" != x- ] && mratelimit=$iratelimit + [ -n "$iuserspec" ] && [ "x${iuserspec}" != x- ] && muserspec=$iuserspec + + rule="$mtarget ${mclients=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${xaddress:=-} ${mratelimit:=-} ${muserspec:=-}" + process_rule $mtarget $mclients $mservers $mprotocol $mports $mcports ${iaddress:=-} $mratelimit $muserspec + + done < 
$TMP_DIR/macro.${itarget%%:*} + + progress_message "..End Macro" + +} + # # Process the rules file for the 'start', 'restart' or 'check' command. # -process_rules() +process_rules() # $1 = "Yes" if the target is a macro. { # # Process a rule where the source or destination is "all" 
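Review bot: The parameter comment on process_macro is off by one from `$2 = clients` onward (`$2` is `param`, clients is `$3`, and so on up to `${10}` = userspec), which matters because the body indexes `$8`, `$9` and `${10}` explicitly. The `rule=` string used for diagnostics references `${xaddress:=-}`, a variable of the calling process_rules loop rather than this function's `iaddress`, so an error for a macro invoked from anywhere else would show the wrong address column; use `${iaddress:=-}` as the following process_rule call already does. The `mtarget … muserspec` names set by `read` are not declared local and persist after the function returns.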
@@ -5030,48 +5486,57 @@ process_rules() if [ "${ysourcezone}" != "${ydestzone}" ] ; then eval ypolicy=\$${ysourcezone}2${ydestzone}_policy if [ "$ypolicy" != NONE ] ; then - rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" - process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + if [ "$1" = Yes ]; then + process_macro $xtarget "$xparam" $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + else + rule="$xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" + process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + fi fi fi done done } - do_it() { + do_it() # $1 = "Yes" if the target is a macro. + { expandv xprotocol xports xcports xaddress xratelimit xuserspec if [ "x$xclients" = xall ]; then - xclients="$zones $FW" + xclients="$ZONES $FW" if [ "x$xservers" = xall ]; then - xservers="$zones $FW" + xservers="$ZONES $FW" fi - process_wildcard_rule + process_wildcard_rule $1 return fi if [ "x$xservers" = xall ]; then - xservers="$zones $FW" - process_wildcard_rule + xservers="$ZONES $FW" + process_wildcard_rule $1 return fi - - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" - process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + + if [ "$1" = Yes ]; then + process_macro $xtarget "$xparam" $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + else + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" + process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + fi } while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do expandv xtarget xclients xservers if [ "x$xclients" = xnone -o 
"x$servers" = xnone ]; then - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" progress_message " Rule \"$rule\" ignored." continue fi case "${xtarget%%:*}" in ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-) - do_it + do_it No ;; *) if list_search ${xtarget%%:*} $ACTIONS; then @@ -5081,10 +5546,36 @@ process_rules() fi xtarget=$(find_logactionchain $xtarget) - do_it + do_it No else - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" - fatal_error "Invalid Action in rule \"$rule\"" + xtarget1=$(map_old_action ${xtarget%%:*}) + + case $xtarget1 in + */*) + xparam=${xtarget1#*/} + xtarget1=${xtarget1%%/*} + xtarget=$(substitute_action $xtarget1 $xtarget) + ;; + *) + xparam= + ;; + esac + + f=macro.$xtarget1 + + if [ -f $TMP_DIR/$f ]; then + do_it Yes + else + fn=$(find_file $f) + + if [ -f $fn ]; then + strip_file $f $fn + do_it Yes + else + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" + fatal_error "Invalid Action in rule \"$rule\"" + fi + fi fi ;; @@ -5123,7 +5614,7 @@ process_tos_rule() { elif [ "$srczone" = "all" ]; then source="all" else - error_message "Warning: Undefined Source Zone - rule \"$rule\" ignored" + error_message "WARNING: Undefined Source Zone - rule \"$rule\" ignored" return fi @@ -5142,7 +5633,7 @@ process_tos_rule() { # Assume that this is a device name # if ! verify_interface $src ; then - error_message "Warning: Unknown Interface in rule \"$rule\" ignored" + error_message "WARNING: Unknown Interface in rule \"$rule\" ignored" return fi 
@@ -5171,7 +5662,7 @@ process_tos_rule() { dest="all" else error_message \ - "Warning: Undefined Destination Zone - rule \"$rule\" ignored" + "WARNING: Undefined Destination Zone - rule \"$rule\" ignored" return fi @@ -5186,7 +5677,7 @@ process_tos_rule() { # Assume that this is a device name # error_message \ - "Warning: Invalid Destination - rule \"$rule\" ignored" + "WARNING: Invalid Destination - rule \"$rule\" ignored" return ;; esac @@ -5293,15 +5784,23 @@ display_list() # $1 = List Title, rest of $* = list to display [ $# -gt 1 ] && echo " $*" } -# -# Add policy rule ( and possibly logging rule) to the passed chain -# policy_rules() # $1 = chain to add rules to # $2 = policy - # $3 = loglevel + # $3 = E/R Policy + # $4 = loglevel { local target="$2" + case $3 in + QUEUE) + run_iptables -I $1 -m state --state RELATED -j ACCEPT + run_iptables -I $1 -m state --state ESTABLISHED -j QUEUE + ;; + ACCEPT) + run_iptables -I $1 -m state --state ESTABLISHED,RELATED -j ACCEPT + ;; + esac + case "$target" in ACCEPT) [ -n "$ACCEPT_common" ] && run_iptables -A $1 -j $ACCEPT_common @@ -5324,8 +5823,8 @@ policy_rules() # $1 = chain to add rules to ;; esac - if [ $# -eq 3 -a "x${3}" != "x-" ]; then - log_rule $3 $1 $2 + if [ $# -eq 4 -a "x${4}" != "x-" ]; then + log_rule $4 $1 $2 fi [ -n "$target" ] && run_iptables -A $1 -j $target @@ -5349,10 +5848,23 @@ default_policy() # $1 = client $2 = server local chain1 jump_to_policy_chain() { + # + # Insert a rule of ESTABLISHED,RELATED packets at the head of the + # canonical chain. # # Add a jump to from the canonical chain to the policy chain. On return, # $chain is set to the name of the policy chain # + case $epolicy in + QUEUE) + run_iptables -I $chain -m state --state RELATED -j ACCEPT + run_iptables -I $chain -m state --state ESTABLISHED -j QUEUE + ;; + ACCEPT) + run_iptables -I $chain -m state --state ESTABLISHED,RELATED -j ACCEPT + ;; + esac + run_iptables -A $chain -j $chain1 chain=$chain1 } 
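Review bot: The ESTABLISHED/RELATED insertion added to policy_rules is repeated verbatim in jump_to_policy_chain on the same line (and the `eval epolicy=…` lookup is repeated in default_policy and apply_policy_rules), so the QUEUE special case — RELATED accepted, ESTABLISHED queued — must be kept in sync by hand. Because both lines use `-I`, the second insert in the QUEUE arm lands ahead of the first, giving RELATED-ACCEPT before ESTABLISHED-QUEUE; that is presumably intended and deserves a comment, which a shared helper is the natural place for. The new comment in jump_to_policy_chain should read `# Insert rules for ESTABLISHED,RELATED packets at the head of the` rather than `a rule of`.
```shell
add_established_rules() # $1 = chain, $2 = E/R policy (ACCEPT, QUEUE or other)
{
    case $2 in
        QUEUE)
            # second -I lands ahead of the first: RELATED is accepted before ESTABLISHED is queued
            run_iptables -I $1 -m state --state RELATED -j ACCEPT
            run_iptables -I $1 -m state --state ESTABLISHED -j QUEUE
            ;;
        ACCEPT)
            run_iptables -I $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
            ;;
    esac
}

policy_rules() # $1 = chain to add rules to
               # $2 = policy
               # $3 = E/R Policy
               # $4 = loglevel
{
    local target="$2"

    add_established_rules $1 $3
    # … unchanged: case "$target" …, log_rule, final jump …
}
```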
@@ -5364,7 +5876,8 @@ default_policy() # $1 = client $2 = server # eval policy=\$${chain1}_policy eval loglevel=\$${chain1}_loglevel - eval synparams=\$${chain1}_synparams + eval synparams=\$${chain1}_synparams + eval epolicy=\$${chain1}_epolicy # # Add the appropriate rules to the canonical chain ($chain) to enforce # the specified policy @@ -5374,7 +5887,7 @@ default_policy() # $1 = client $2 = server # The policy chain is the canonical chain; add policy rule to it # The syn flood jump has already been added if required. # - policy_rules $chain $policy $loglevel + policy_rules $chain $policy $epolicy $loglevel else # # The policy chain is different from the canonical chain -- approach @@ -5388,7 +5901,7 @@ default_policy() # $1 = client $2 = server # in this chain. # enable_syn_flood_protection $chain $chain1 - policy_rules $chain $policy $loglevel + policy_rules $chain $policy $epolicy $loglevel else # # No problem with double-counting so just jump to the @@ -5404,7 +5917,7 @@ default_policy() # $1 = client $2 = server # [ -n "$synparams" ] && \ enable_syn_flood_protection $chain $chain1 - policy_rules $chain $policy $loglevel + policy_rules $chain $policy $epolicy $loglevel ;; *) # @@ -5452,10 +5965,11 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone if [ -n "$policychain" ]; then eval policy=\$${policychain}_policy eval loglevel=\$${policychain}_loglevel + eval - policy_rules $1 $policy $loglevel + policy_rules $1 $policy NONE $loglevel else - policy_rules $1 DROP INFO + policy_rules $1 DROP NONE INFO fi } @@ -5468,7 +5982,7 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone # rules_chain() # $1 = source zone, $2 = destination zone { - local chain=${1}2${2} + local chain=${1}2${2} local policy havechain $chain && { echo $chain; return; } 
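Review bot: complete_standard_chain gains a bare `eval` line with no arguments between the `eval loglevel=…` lookup and the policy_rules call; it is a no-op in sh but reads as an unfinished `eval epolicy=\$${policychain}_epolicy`. Either drop it or finish it, and if it is finished the call would presumably become `policy_rules $1 $policy $epolicy $loglevel` rather than the literal `NONE`, which with the new policy_rules means no ESTABLISHED,RELATED rule is inserted for these chains at all (the fallback `policy_rules $1 DROP NONE INFO` likewise). If `NONE` is deliberate because these chains get their state rule elsewhere, a one-line comment saying so would settle it.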
@@ -5476,9 +5990,12 @@ rules_chain() # $1 = source zone, $2 = destination zone eval chain=\$${chain}_policychain - [ -n "$chain" ] && { echo $chain; return; } + eval policy=\$${chain}_policy - fatal_error "No policy defined for zone $1 to zone $2" + if [ "$policy" != CONTINUE ] ; then + [ -n "$chain" ] && { echo $chain; return; } + fatal_error "No policy defined for zone $1 to zone $2" + fi } # @@ -5492,7 +6009,7 @@ get_routed_networks() # $1 = interface name ip route show dev $1 2> /dev/null | while read address rest; do if [ "x$address" = xdefault ]; then - error_message "Warning: default route ignored on interface $1" + error_message "WARNING: default route ignored on interface $1" else [ "$address" = "${address%/*}" ] && address="${address}/32" echo $address 
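Review bot: rules_chain now returns nothing, with exit status 0, when the looked-up policy is CONTINUE, so callers such as `chain1=$(rules_chain $FW $zone)` that assume a non-empty result will build iptables rules with an empty jump target; the header comment should state the empty result and callers should test for it, or the function should `return 1` in that case. Note too that `eval policy=\$${chain}_policy` runs after `chain` has been reassigned to the policy chain, so it reads the policy chain's `_policy` variable rather than the `${1}2${2}` one; if that is intended it is worth a comment, since the surrounding names suggest otherwise.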
@@ -5500,173 +6017,26 @@ get_routed_networks() # $1 = interface name done } -# -# Add a route from /etc/shorewall/routes -# -add_a_route() -{ - local r= - local chain=routefwd - local marktest= - - if [ "x$source" != "x-" ]; then - case ${source} in - $FW:*) - chain=routeout - r="$(source_ip_range ${source%:*}) " - ;; - *:*) - r="$(match_source_dev ${source%:*}) $(source_ip_range ${source#*:}) " - ;; - *.*.*|+*|!+*) - r="$(source_ip_range $source) " - ;; - ~*) - r="$(mac_match $source) " - ;; - $FW) - chain=routeout - ;; - *) - verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" - r="$(match_source_dev) $source " - ;; - esac - fi - - if [ "x$dest" != "x-" ]; then - case $dest in - *:*) - verify_interface ${dest%:*} || fatal_error "Unknown interface ${dest%:*} in rule \"$rule\"" - r="$(match_dest_dev ${dest%:*}) $(dest_ip_range ${dest#*:}) " - ;; - *.*.*|+*|!+*) - r="${r}$(dest_ip_range $dest) " - ;; - *) - verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\"" - r="${r}$(match_dest_dev $dest) " - ;; - esac - fi - - if [ "x$proto" = xipp2p ]; then - [ "x$port" = "x-" ] && port="ipp2p" - r="${r}-p tcp -m ipp2p --${port} " - else - [ "x$proto" = "x-" ] && proto=all - [ "x$proto" = "x" ] && proto=all - [ "$proto" = "all" ] || r="${r}-p $proto " - [ "x$port" = "x-" ] || r="${r}-m multiport --dports $port " - fi - - if [ "x${sport:--}" != "x-" ]; then - [ "x$port" = "x-" ] && r="${r}-m multiport " - r="${r}--sports $sport " - fi - - case $testval in - -) - testval= - ;; - !*:C) - marktest="connmark ! " - testval=${testval%:*} - testval=${testval#!} - ;; - *:C) - marktest="connmark " - testval=${testval%:*} - ;; - !*) - marktest="mark ! 
" - testval=${testval#!} - ;; - *) - [ -n "$testval" ] && marktest="mark " - ;; - esac - - if [ -n "$testval" ] ; then - case $testval in - */*) - verify_mark ${testval%/*} - verify_mark ${testval#*/} - ;; - *) - verify_mark $testval - testval=$testval/255 - ;; - esac - fi - - [ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval " - - r="${r}-j ROUTE " - - [ "x${interface:--}" != x- ] && r="${r}--oif $interface " - - [ "x${gateway:--}" != x- ] && r="${r}--gw $gateway" - - run_iptables2 -t mangle -A $chain $r --continue - - progress_message " Routing Rule \"$rule\" Added." -} - - # # Set up Routing # -setup_routes() # $1 = file name +setup_routes() { - local created_chains= - # - # Create routing chains - # - create_routing_chains() - { - if [ -z "$created_chains" ]; then - run_iptables -t mangle -N routefwd - run_iptables -t mangle -A FORWARD -j routefwd - run_iptables -t mangle -N routeout - run_iptables -t mangle -A OUTPUT -j routeout - run_iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark - created_chains=Yes - fi - } - strip_file routes $1 + run_iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark + run_iptables -t mangle -N routemark - if [ -s $TMP_DIR/routes ]; then - echo "Processing $1..." 
- [ -n "$ROUTE_TARGET" ] || \ - fatal_error "Entries in /etc/shorewall/routes requires that your kernel and iptables have ROUTE target support" - create_routing_chains + for interface in $ROUTEMARK_INTERFACES ; do + + iface=$(chain_base $interface) + eval mark_value=\$${iface}_routemark - while read source dest proto port sport testval interface gateway; do - expandv source dest proto port sport testval interface gateway - rule="$source $dest $proto $port $sport testval $interface $gateway" - add_a_route - done < $TMP_DIR/routes - fi + run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0 -j routemark + run_iptables -t mangle -A routemark -i $interface -j MARK --set-mark $mark_value - if [ -n "$ROUTEMARK_INTERFACES" ]; then - create_routing_chains + done - run_iptables -t mangle -N routemark - - for interface in $ROUTEMARK_INTERFACES ; do - - iface=$(chain_base $interface) - eval mark_value=\$${iface}_routemark - - run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0 -j routemark - run_iptables -t mangle -A routemark -i $interface -j MARK --set-mark $mark_value - - done - - run_iptables -t mangle -A routemark -m mark ! --mark 0 -j CONNMARK --save-mark --mask 255 - fi + run_iptables -t mangle -A routemark -m mark ! --mark 0 -j CONNMARK --save-mark --mask 255 } @@ -6005,7 +6375,7 @@ setup_masq() while read fullinterface networks addresses proto ports ipsec; do expandv fullinterface networks addresses proto ports ipsec [ -n "$NAT_ENABLED" ] && setup_one || \ - error_message "Warning: NAT disabled; masq rule ignored" + error_message "WARNING: NAT disabled; masq rule ignored" done < $TMP_DIR/masq } @@ -6254,7 +6624,7 @@ add_ip_aliases() ensure_and_save_command ip addr add ${external}${val} dev $interface $label fi - echo "$external $interface" >> ${STATEDIR}/nat + echo "$external $interface" >> /var/lib/shorewall/nat [ -n "$label" ] && label="with $label" progress_message " IP Address $external added to interface $interface $label" } 
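Review bot: setup_routes now creates the `routemark` chain and the `CONNMARK --restore-mark` PREROUTING rule unconditionally, where the removed `create_routing_chains` only did so when `ROUTEMARK_INTERFACES` or a routes file was non-empty; unless the caller, which is outside this hunk, now guards the call, every configuration gets an extra mangle PREROUTING traversal and an empty chain. A guard `[ -n "$ROUTEMARK_INTERFACES" ] || return` at the top of the function restores the old behaviour. `iface` and `mark_value` are assigned without `local`, and the removal of the routes-file support deserves a line in the function's header comment so nobody looks for `add_a_route` again.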
@@ -6436,7 +6806,7 @@ initialize_netfilter () { [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL= if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then - startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" + startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" fi [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \ @@ -6445,11 +6815,8 @@ initialize_netfilter () { echo "Determining Zones..." determine_zones - check_duplicate_zones - [ -z "$zones" ] && startup_error "No Zones Defined" - - display_list "Zones:" $zones + display_list "Zones:" $ZONES echo "Validating interfaces file..." @@ -6505,15 +6872,36 @@ initialize_netfilter () { exists_OUTPUT=Yes exists_FORWARD=Yes - setpolicy INPUT DROP - setpolicy OUTPUT DROP - setpolicy FORWARD DROP + process_criticalhosts + + if [ -n "$CRITICALHOSTS" ]; then + + setpolicy INPUT ACCEPT + setpolicy OUTPUT ACCEPT + setpolicy FORWARD DROP - deleteallchains + deleteallchains + + enable_critical_hosts - setcontinue FORWARD - setcontinue INPUT - setcontinue OUTPUT + setpolicy INPUT DROP + setpolicy OUTPUT DROP + + setcontinue FORWARD + setcontinue INPUT + setcontinue OUTPUT + else + + setpolicy INPUT DROP + setpolicy OUTPUT DROP + setpolicy FORWARD DROP + + deleteallchains + + setcontinue FORWARD + setcontinue INPUT + setcontinue OUTPUT + fi f=$(find_file ipsets) @@ -6550,8 +6938,6 @@ initialize_netfilter () { for chain in INPUT OUTPUT FORWARD; do run_iptables -A $chain -p udp --dport 53 -j ACCEPT - [ -n "$DROPINVALID" ] && \ - run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP done if [ -n "$CLAMPMSS" ]; then 
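Review bot: The CRITICALHOSTS block added to initialize_netfilter is the same sequence as the first branch added to stop_firewall (ACCEPT policies, FORWARD DROP, deleteallchains, enable_critical_hosts, DROP policies) with the `setcontinue` lines appended, so the two copies will drift; a helper called from both would keep them aligned. The ACCEPT-before-flush window noted on stop_firewall applies here as well: until the final `setpolicy INPUT DROP`, any inbound packet is accepted, not only those from critical hosts. Since the critical-host ACCEPT rules are appended to INPUT/OUTPUT before any other rule, a comment naming where they are removed again (presumably disable_critical_hosts, which this hunk does not call) would help.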
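Review bot: The `[ -n "$DROPINVALID" ] && run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP` lines are removed from the INPUT/OUTPUT/FORWARD loop without a replacement in this hunk, so unless the option is handled elsewhere in the commit, setting DROPINVALID in shorewall.conf no longer drops INVALID-state packets early and the setting silently becomes inert. If the option has been retired, the configuration parser should warn when it is set; if it has moved, a comment here pointing at the new location would stop a reader assuming the protection was lost.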
@@ -6828,53 +7214,6 @@ add_common_rules() { run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface $(match_source_hosts $networks) -j man1918 done fi - # - # Bogons - # - hosts="$(find_hosts_by_option nobogons)" - - if [ -n "$hosts" ]; then - echo "Enabling Bogon Filtering" - - strip_file bogons - - createchain nobogons no - - createchain bogons no - - log_rule $BOGON_LOG_LEVEL bogons DROP - - run_iptables -A bogons -j DROP - - while read networks target; do - case $target in - logdrop) - target=bogons - ;; - DROP|RETURN) - ;; - *) - fatal_error "Invalid target ($target) for $networks" - ;; - esac - - run_iptables2 -A nobogons $(source_ip_range $networks) -j $target - - done < $TMP_DIR/bogons - - for host in $hosts; do - ipsec=${host%^*} - host=${host#*^} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${host%%:*} - network=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j nobogons - done - done - - fi hosts=$(find_hosts_by_option tcpflags) @@ -6938,11 +7277,13 @@ add_common_rules() { for f in /proc/sys/net/ipv4/conf/*; do run_and_save_command "[ -f $f/arp_filter ] && echo 0 > $f/arp_filter" + run_and_save_command "[ -f $f/arp_filter ] && echo 0 > $f/arp_ignore" done interfaces=$(find_interfaces_by_option arp_filter) + interfaces1=$(find_interfaces_by_option1 arp_ignore) - if [ -n "$interfaces" ]; then + if [ -n "${interfaces}${interfaces1}" ]; then echo "Setting up ARP Filtering..." for interface in $interfaces; do 
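Review bot: The new reset line in add_common_rules tests the wrong file: `run_and_save_command "[ -f $f/arp_filter ] && echo 0 > $f/arp_ignore"` checks `arp_filter` before writing `arp_ignore`, so on a kernel that exposes one but not the other the write is either skipped or fails; it should be `[ -f $f/arp_ignore ] && echo 0 > $f/arp_ignore`. The same hunk folds `interfaces1` into `if [ -n "${interfaces}${interfaces1}" ]`, so the "Setting up ARP Filtering..." message now also covers arp_ignore and its wording should say so.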
@@ -6951,7 +7292,18 @@ add_common_rules() { run_and_save_command "echo 1 > $file" else error_message \ - "Warning: Cannot set ARP filtering on $interface" + "WARNING: Cannot set ARP filtering on $interface" + fi + done + + for interface in $interfaces1; do + file=/proc/sys/net/ipv4/conf/$interface/arp_ignore + if [ -f $file ]; then + eval command="\"echo \$$(chain_base $interface)_arp_ignore > $file\"" + run_and_save_command "$command" + else + error_message \ + "WARNING: Cannot set ARP filtering on $interface" fi done fi @@ -6975,7 +7327,7 @@ add_common_rules() { run_and_save_command "echo 1 > $file" else error_message \ - "Warning: Cannot set route filtering on $interface" + "WARNING: Cannot set route filtering on $interface" fi done @@ -7009,7 +7361,7 @@ add_common_rules() { run_and_save_command "echo 1 > $file" else error_message \ - "Warning: Cannot set Martian logging on $interface" + "WARNING: Cannot set Martian logging on $interface" fi done @@ -7040,7 +7392,7 @@ add_common_rules() { run_and_save_command "echo 1 > $file" else error_message \ - "Warning: Cannot set Accept Source Routing on $interface" + "WARNING: Cannot set Accept Source Routing on $interface" fi done fi @@ -7091,22 +7443,19 @@ apply_policy_rules() { eval policy=\$${chain}_policy eval loglevel=\$${chain}_loglevel eval synparams=\$${chain}_synparams + eval epolicy=\$${chain}_epolicy [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel if havechain $chain; then + [ "$epolicy" = ACCEPT ] && ordinal=2 || ordinal=3 [ -n "$synparams" ] && \ - run_iptables -I $chain 2 -p tcp --syn -j @$chain - else + run_iptables -I $chain $ordinal -p tcp --syn -j @$chain + elif [ "$policy" != CONTINUE ]; then # # The chain doesn't exist. Create the chain and add policy # rules # - # We must include the ESTABLISHED and RELATED state - # rule here to account for replys and reverse - # related sessions associated with sessions going - # in the other direction - # createchain $chain yes # 
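Review bot: The new arp_ignore loop reports `"WARNING: Cannot set ARP filtering on $interface"` when `/proc/sys/net/ipv4/conf/$interface/arp_ignore` is absent, which is the arp_filter message copied verbatim; it should be `"WARNING: Cannot set ARP ignore on $interface"` so the two failures can be told apart in the log. The value expanded by `eval command="\"echo \$$(chain_base $interface)_arp_ignore > $file\""` is written to /proc as-is; if the interfaces-file parser does not already restrict it to the 0-8 range the interfaces file documents (not visible in this diff), a bad value surfaces as a kernel write error rather than a Shorewall diagnostic. In the apply_policy_rules hunk below, `[ "$epolicy" = ACCEPT ] && ordinal=2 || ordinal=3` encodes the position of existing rules in the chain; a short comment naming which rules occupy positions 1 and 2 would keep it from silently breaking when the chain layout changes. Both functions extend beyond these hunks.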
@@ -7116,19 +7465,19 @@ apply_policy_rules() { # Otherwise, this is a canonical chain which will be handled in # the for loop below # - case $chain in - all2*|*2all) - policy_rules $chain $policy $loglevel - ;; - esac - if [ -n "$synparams" ]; then case $policy in ACCEPT|CONTINUE|QUEUE) - run_iptables -I $chain 2 -p tcp --syn -j @$chain + run_iptables -I $chain -p tcp --syn -j @$chain ;; esac fi + + case $chain in + all2*|*2all) + policy_rules $chain $policy $epolicy $loglevel + ;; + esac fi done @@ -7136,8 +7485,8 @@ apply_policy_rules() { # # Add policy rules to canonical chains # - for zone in $FW $zones; do - for zone1 in $FW $zones; do + for zone in $FW $ZONES; do + for zone1 in $FW $ZONES; do chain=${zone}2${zone1} if havechain $chain; then run_user_exit $chain @@ -7149,7 +7498,7 @@ apply_policy_rules() { # # Activate the rules -# +# activate_rules() { local PREROUTING_rule=1 @@ -7215,17 +7564,22 @@ activate_rules() addnatjump POSTROUTING $(output_chain $interface) -o $interface done - > ${STATEDIR}/chains - > ${STATEDIR}/zones + > /var/lib/shorewall/chains + > /var/lib/shorewall/zones # # Create forwarding chains for complex zones and generate jumps for IPSEC source hosts to that chain. # - for zone in $zones; do + for zone in $ZONES; do if eval test -n \"\$${zone}_is_complex\" ; then frwd_chain=${zone}_frwd createchain $frwd_chain No if [ -n "$POLICY_MATCH" ]; then + # + # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the + # '--pol ipsec --dir in' rules at the front of the interface forwarding chains. Otherwise, decrypted packets + # can match '--pol none --dir out' rules and send the packets down the wrong rules chain. + # eval is_ipsec=\$${zone}_is_ipsec if [ -n "$is_ipsec" ]; then @@ -7248,7 +7602,7 @@ activate_rules() fi done - for zone in $zones; do + for zone in $ZONES; do eval source_hosts=\$${zone}_hosts chain1=$(rules_chain $FW $zone) 
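Review bot: `> /var/lib/shorewall/chains` and `> /var/lib/shorewall/zones` replace `${STATEDIR}` with a literal path, and the same literal is repeated in activate_rules, define_firewall, add_to_zone, delete_from_zone, do_initialize, the counter-reset case and mutex_on/mutex_off later in the diff; a single variable assigned once in do_initialize (for example `VARDIR=/var/lib/shorewall`, a constructed name) would keep the state location in one place. The directory is created later with a bare `mkdir -p /var/lib/shorewall`, so its mode depends on the caller's umask although it holds the chains/zones state and the restore-base/restore-tail files written by save_command; `mkdir -p -m 0700 /var/lib/shorewall` would pin that. In the apply_policy_rules hunk above, `run_iptables -I $chain -p tcp --syn -j @$chain` now inserts at position 1 of the chain just created by `createchain $chain yes`, where the old code used position 2; if `createchain ... yes` still installs an ESTABLISHED,RELATED rule first, the SYN-flood chain now runs ahead of it, which is harmless for `--syn` packets but deserves a one-line comment since the reordering is deliberate. Both functions extend beyond these hunks.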
@@ -7258,11 +7612,11 @@ activate_rules() [ -n "$complex" ] && frwd_chain=${zone}_frwd - echo $zone $source_hosts >> ${STATEDIR}/zones - + echo $zone $source_hosts >> /var/lib/shorewall/zones + if [ -n "$DYNAMIC_ZONES" ]; then - echo "$FW $zone $chain1" >> ${STATEDIR}/chains - echo "$zone $FW $chain2" >> ${STATEDIR}/chains + echo "$FW $zone $chain1" >> /var/lib/shorewall/chains + echo "$zone $FW $chain2" >> /var/lib/shorewall/chains fi need_broadcast= @@ -7271,7 +7625,7 @@ activate_rules() interface=${host%%:*} networks=${host#*:} - run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1 + [ -n "$chain1" ] && run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1 # # Add jumps from the builtin chains for DNAT and SNAT rules @@ -7279,7 +7633,7 @@ activate_rules() addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host) addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) - run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2 + [ -n "$chain2" ] && run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2 if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain 
@@ -7296,12 +7650,14 @@ activate_rules() esac done - for interface in $need_broadcast ; do - run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1 - run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1 - done - - for zone1 in $zones; do + if [ -n "$chain1" ]; then + for interface in $need_broadcast ; do + run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1 + run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1 + done + fi + + for zone1 in $ZONES; do eval policy=\$${zone}2${zone1}_policy @@ -7311,7 +7667,9 @@ activate_rules() chain="$(rules_chain $zone $zone1)" - [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> ${STATEDIR}/chains + [ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain. + + [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> /var/lib/shorewall/chains if [ $zone = $zone1 ]; then # @@ -7355,14 +7713,14 @@ activate_rules() interface=${host%%:*} networks=${host#*:} - chain1=$(forward_chain $interface) + chain3=$(forward_chain $interface) for host1 in $dest_hosts; do interface1=${host1%%:*} networks1=${host1#*:} if [ "$host" != "$host1" ] || list_search $host $routeback; then - run_iptables2 -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain + run_iptables2 -A $chain3 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain fi done done @@ -7405,6 +7763,8 @@ activate_rules() # # Remove rules added to keep the firewall alive during [re]start" # + disable_critical_hosts + for chain in INPUT OUTPUT FORWARD; do run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT 
@@ -7491,7 +7851,8 @@ define_firewall() # $1 = Command (Start or Restart) # [re]-Establish routing # setup_providers $(find_file providers) - setup_routes $(find_file routes) + [ -n "$ROUTEMARK_INTERFACES" ] && setup_routes + echo "Setting up NAT..."; setup_nat echo "Setting up NETMAP..."; setup_netmap @@ -7501,9 +7862,7 @@ define_firewall() # $1 = Command (Start or Restart) [ -f $tunnels ] && \ echo "Processing $tunnels..." && setup_tunnels $tunnels - ipsecfile=$(find_file ipsec) - [ -f $ipsecfile ] && \ - echo "Processing $ipsecfile..." && setup_ipsec $ipsecfile + setup_ipsec maclist_hosts=$(find_hosts_by_option maclist) [ -n "$maclist_hosts" ] && setup_mac_lists @@ -7546,8 +7905,7 @@ define_firewall() # $1 = Command (Start or Restart) save_command "#" save_command "# Restore tail file generated by Shorewall $version - $(date)" save_command "#" - save_command "date > $STATEDIR/restarted" - save_command "#" + save_command "date > /var/lib/shorewall/restarted" run_user_exit start @@ -7555,7 +7913,7 @@ define_firewall() # $1 = Command (Start or Restart) createchain shorewall no - date > $STATEDIR/restarted + date > /var/lib/shorewall/restarted report "Shorewall ${1}ed" @@ -7565,7 +7923,6 @@ define_firewall() # $1 = Command (Start or Restart) mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base mv -f $RESTOREBASE /var/lib/shorewall/restore-tail - } # @@ -7581,8 +7938,6 @@ refresh_firewall() validate_interfaces_file - [ -z "$zones" ] && startup_error "No Zones Defined" - determine_interfaces run_user_exit refresh 
@@ -7687,12 +8042,12 @@ add_to_zone() # $1...${n-1} = [:] $n = zone # # Be sure that Shorewall has been restarted using a DZ-aware version of the code # - [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" - [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" + [ -f /var/lib/shorewall/chains ] || startup_error "/var/lib/shorewall/chains -- file not found" + [ -f /var/lib/shorewall/zones ] || startup_error "/var/lib/shorewall/zones -- file not found" # # Check for duplicates and create a new zone state file # - > ${STATEDIR}/zones_$$ + > /var/lib/shorewall/zones_$$ while read z hosts; do if [ "$z" = "$zone" ]; then @@ -7710,10 +8065,10 @@ add_to_zone() # $1...${n-1} = [:] $n = zone eval ${z}_hosts=\"$hosts\" - echo "$z $hosts" >> ${STATEDIR}/zones_$$ - done < ${STATEDIR}/zones + echo "$z $hosts" >> /var/lib/shorewall/zones_$$ + done < /var/lib/shorewall/zones - mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones + mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones terminator=fatal_error # @@ -7783,7 +8138,7 @@ add_to_zone() # $1...${n-1} = [:] $n = zone done fi fi - done < ${STATEDIR}/chains + done < /var/lib/shorewall/chains progress_message "$newhost added to zone $zone" @@ -7859,12 +8214,12 @@ delete_from_zone() # $1 = [:] $2 = zone # # Be sure that Shorewall has been restarted using a DZ-aware version of the code # - [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" - [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" + [ -f /var/lib/shorewall/chains ] || startup_error "/var/lib/shorewall/chains -- file not found" + [ -f /var/lib/shorewall/zones ] || startup_error "/var/lib/shorewall/zones -- file not found" # # Delete the passed hosts from the zone state file # - > ${STATEDIR}/zones_$$ + > /var/lib/shorewall/zones_$$ while read z hosts; do if [ "$z" = "$zone" ]; then 
@@ -7898,10 +8253,10 @@ delete_from_zone() # $1 = [:] $2 = zone eval ${z}_hosts=\"$hosts\" - echo "$z $hosts" >> ${STATEDIR}/zones_$$ - done < ${STATEDIR}/zones + echo "$z $hosts" >> /var/lib/shorewall/zones_$$ + done < /var/lib/shorewall/zones - mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones + mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones terminator=fatal_error @@ -7958,7 +8313,7 @@ delete_from_zone() # $1 = [:] $2 = zone done fi fi - done < ${STATEDIR}/chains + done < /var/lib/shorewall/chains progress_message "$delhost removed from zone $zone" @@ -8039,7 +8394,6 @@ do_initialize() { IPTABLES= FW= SUBSYSLOCK= - STATEDIR= ALLOWRELATED=Yes LOGRATE= LOGBURST= @@ -8063,7 +8417,6 @@ do_initialize() { TCP_FLAGS_DISPOSITION= TCP_FLAGS_LOG_LEVEL= RFC1918_LOG_LEVEL= - BOGON_LOG_LEVEL= MARK_IN_FORWARD_CHAIN= SHARED_DIR=/usr/share/shorewall FUNCTIONS= @@ -8084,11 +8437,11 @@ do_initialize() { DELAYBLACKLISTLOAD= LOGTAGONLY= LOGALLNEW= - DROPINVALID= RFC1918_STRICT= MACLIST_TTL= SAVE_IPSETS= RESTOREFILE= + MAPOLDACTIONS= RESTOREBASE= TMP_DIR= @@ -8096,6 +8449,8 @@ do_initialize() { ROUTEMARK_INTERFACES= ROUTEMARK=256 PROVIDERS= + CRITICALHOSTS= + IPSECFILE= stopping= have_mutex= @@ -8166,9 +8521,7 @@ do_initialize() { determine_capabilities - [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall - - [ -d $STATEDIR ] || mkdir -p $STATEDIR + [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall [ -z "$FW" ] && FW=fw @@ -8253,7 +8606,6 @@ do_initialize() { fi [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info - [ -z "$BOGON_LOG_LEVEL" ] && BOGON_LOG_LEVEL=info MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN) [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre 
@@ -8290,9 +8642,20 @@ do_initialize() { RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD) LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) - DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) - SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) + SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) + MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS) + + case ${IPSECFILE:=ipsec} in + ipsec|zones) + ;; + *) + startup_error "Invalid value ($IPSECFILE) for IPSECFILE option" + ;; + esac + + [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD" + # # Strip the files that we use often # @@ -8403,7 +8766,7 @@ case "$COMMAND" in $IPTABLES -t nat -Z $IPTABLES -t mangle -Z report "Shorewall Counters Reset" - date > $STATEDIR/restarted + date > /var/lib/shorewall/restarted my_mutex_off ;; diff --git a/Shorewall/functions b/Shorewall/functions index 738dae7c2..181ff47e1 100755 --- a/Shorewall/functions +++ b/Shorewall/functions @@ -1,6 +1,6 @@ #!/bin/sh # -# Shorewall 2.4 -- /usr/share/shorewall/functions +# Shorewall 2.6 -- /usr/share/shorewall/functions # Function to truncate a string -- It uses 'cut -b -' # rather than ${v:first:last} because light-weight shells like ash and 
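Review bot: `DROPINVALID`, `BOGON_LOG_LEVEL` and `STATEDIR` are removed from initialisation and defaulting in do_initialize (and the INVALID-state DROP rule is gone from initialize_netfilter earlier in the diff), but nothing warns an administrator whose shorewall.conf still sets them: the settings are silently ignored, so a host that relied on the old default of dropping INVALID packets loses that filtering without any diagnostic, and a custom STATEDIR is ignored in favour of /var/lib/shorewall. A check after the configuration is sourced, e.g. `[ -n "$DROPINVALID" ] && error_message "WARNING: DROPINVALID is no longer supported and is ignored"`, with the same for the other two, would make the upgrade visible. The new `case ${IPSECFILE:=ipsec}` validation is a good model for how such checks are written here. do_initialize starts and ends outside this hunk.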
@@ -262,85 +262,6 @@ reload_kernel_modules() { } -# -# Find the zones -# -find_zones() # $1 = name of the zone file -{ - while read zone display comments; do - expandv zone display - [ -n "$zone" ] && case "$zone" in - [0-9*]) - echo " Warning: Illegal zone name \"$zone\" in zones file ignored" 2>&2 - ;; - \#*) - ;; - $FW|all|none) - echo " Warning: Reserved zone name \"$zone\" in zones file ignored" >&2 - ;; - *) - echo $zone - ;; - esac - done < $1 -} - -find_display() # $1 = zone, $2 = name of the zone file -{ - grep ^$1 $2 | while read z display comments; do - [ "x$1" = "x$z" ] && echo $display - done -} -# -# This function assumes that the TMP_DIR variable is set and that -# its value named an existing directory. -# -determine_zones() -{ - local zonefile=$(find_file zones) - - multi_display=Multi-zone - strip_file zones $zonefile - zones=$(find_zones $TMP_DIR/zones) - newzones= - - for zone in $zones; do - dsply=$(find_display $zone $TMP_DIR/zones) - [ ${#zone} -gt 5 ] && echo " Warning: Zone name longer than 5 characters: $zone" >&2 - eval ${zone}_display=\$dsply - newzones="$newzones $zone" - done - - zones=${newzones# } -} - -# -# The following functions may be used by apps that wish to ensure that -# the state of Shorewall isn't changing -# -# This function loads the STATEDIR variable (directory where Shorewall is to -# store state files). If your application supports alternate Shorewall -# configurations then the name of the alternate configuration directory should -# be in $SHOREWALL_DIR at the time of the call. -# -# If the shorewall.conf file does not exist, this function does not return -# -get_statedir() -{ - MUTEX_TIMEOUT= - - local config=$(find_file shorewall.conf) - - if [ -f $config ]; then - . $config - else - echo "/etc/shorewall/shorewall.conf does not exist!" >&2 - exit 2 - fi - - [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall -} - # # Call this function to assert MUTEX with Shorewall. 
If you invoke the # /sbin/shorewall program while holding MUTEX, you should pass "nolock" as @@ -353,13 +274,13 @@ get_statedir() mutex_on() { local try=0 - local lockf=$STATEDIR/lock + local lockf=/var/lib/shorewall/lock MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60} if [ $MUTEX_TIMEOUT -gt 0 ]; then - [ -d $STATEDIR ] || mkdir -p $STATEDIR + [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall if qt which lockfile; then lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} @@ -384,7 +305,7 @@ mutex_on() # mutex_off() { - rm -f $STATEDIR/lock + rm -f /var/lib/shorewall/lock } # diff --git a/Shorewall/help b/Shorewall/help index 60c21a5f1..437a08ff7 100755 --- a/Shorewall/help +++ b/Shorewall/help @@ -1,6 +1,6 @@ #!/bin/sh # -# Shorewall help subsystem - V2.4 +# Shorewall help subsystem - V2.6 # # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] @@ -172,17 +172,6 @@ logwatch) and produces an audible alarm when new Shorewall messages are logged." ;; -monitor) - echo "monitor: monitor [] - - shorewall [-x] monitor [] - - Continuously display the firewall status, last 20 log entries and nat. - When the log entry display changes, an audible alarm is sounded. - - When -x is given, that option is also passed to iptables to display actual packet and byte counts." - ;; - refresh) echo "refresh: [ -q ] refresh The rules involving the broadcast addresses of firewall interfaces, diff --git a/Shorewall/hosts b/Shorewall/hosts index 673561a04..a34a002c5 100644 --- a/Shorewall/hosts +++ b/Shorewall/hosts @@ -1,5 +1,5 @@ # -# Shorewall 2.4 - /etc/shorewall/hosts +# Shorewall 2.6 - /etc/shorewall/hosts # # THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN # ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE. diff --git a/Shorewall/init b/Shorewall/init index 41c49e614..4abff4c54 100644 --- a/Shorewall/init +++ b/Shorewall/init 
@@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.4 -- /etc/shorewall/init +# Shorewall 2.6 -- /etc/shorewall/init # # Add commands below that you want to be executed at the beginning of # a "shorewall start" or "shorewall restart" command. diff --git a/Shorewall/initdone b/Shorewall/initdone index cec87fe90..080bc7757 100755 --- a/Shorewall/initdone +++ b/Shorewall/initdone @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.4 -- /etc/shorewall/initdone +# Shorewall 2.6 -- /etc/shorewall/initdone # # Add commands below that you want to be executed during # "shorewall start" or "shorewall restart" commands at the point where diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 3471ae284..dc2da9e6b 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=2.4.0 +VERSION=2.5.0 usage() # $1 = exit status { @@ -264,8 +264,9 @@ if [ -f ${PREFIX}/etc/shorewall/ipsec ]; then else run_install $OWNERSHIP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec echo - echo "Ipsec file installed as ${PREFIX}/etc/shorewall/ipsec" + echo "Dummy IPSEC file installed as ${PREFIX}/etc/shorewall/ipsec" fi + # # Install the hosts file # @@ -408,15 +409,9 @@ else echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist" fi # -# Install the Routes file +# Delete the Routes file # -if [ -f ${PREFIX}/etc/shorewall/routes ]; then - backup_file /etc/shorewall/routes -else - run_install $OWNERSHIP -m 0600 routes ${PREFIX}/etc/shorewall/routes - echo - echo "Routes file installed as ${PREFIX}/etc/shorewall/routes" -fi +delete_file /etc/shorewall/routes # # Install the Providers file 
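Review bot: `VERSION=2.5.0` disagrees with the 2.6 version string this same commit writes into functions, help, hosts, init, initdone and interfaces; unless install.sh is intentionally kept one release behind, it should read `VERSION=2.6.0` so the recorded version matches the files it installs.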
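Review bot: `delete_file /etc/shorewall/routes` removes an administrator-edited configuration file outright, whereas the code it replaces backed the file up with `backup_file` before doing anything; a routes file that someone customised disappears on upgrade with no copy and no message. Prefer `[ -f ${PREFIX}/etc/shorewall/routes ] && backup_file /etc/shorewall/routes` before the delete, or at least an `echo` telling the user the file is obsolete and was removed. Whether delete_file honours `${PREFIX}` the way the surrounding install lines do is not visible here; if it does not, a staged install would delete the file on the live system.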
@@ -443,12 +438,6 @@ install_file_with_backup rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0600 echo echo "RFC 1918 file installed as ${PREFIX}/usr/share/shorewall/rfc1918" # -# Install the bogons file -# -install_file_with_backup bogons ${PREFIX}/usr/share/shorewall/bogons 0600 -echo -echo "Bogon file installed as ${PREFIX}/usr/share/shorewall/bogons" -# # Install the default config path file # install_file_with_backup configpath ${PREFIX}/usr/share/shorewall/configpath 0600 @@ -570,6 +559,14 @@ for f in action.* ; do echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f" done # +# Install the Macro files +# +for f in macro.* ; do + install_file_with_backup $f ${PREFIX}/usr/share/shorewall/$f 0600 + echo + echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f" +done +# # Backup the version file # if [ -z "$PREFIX" ]; then diff --git a/Shorewall/interfaces b/Shorewall/interfaces index 6c387123a..0b2081b52 100644 --- a/Shorewall/interfaces +++ b/Shorewall/interfaces @@ -1,5 +1,5 @@ # -# Shorewall 2.4 -- Interfaces File +# Shorewall 2.6 -- Interfaces File # # /etc/shorewall/interfaces # 
@@ -155,6 +155,37 @@ # interface. The interface must be up # when Shorewall is started. # +# arp_ignore[=] +# - If specified, this interface will +# respond to arp requests based on the +# value of . +# +# 1 - reply only if the target IP address +# is local address configured on the +# incoming interface +# +# 2 - reply only if the target IP address +# is local address configured on the +# incoming interface and both with the +# sender's IP address are part from same +# subnet on this interface +# +# 3 - do not reply for local addresses +# configured with scope host, only +# resolutions for global and link +# addresses are replied +# +# 4-7 - reserved +# +# 8 - do not reply for all local +# addresses +# +# If no is given then the value +# 1 is assumed +# +# WARNING -- DO NOT SPECIFY arp_ignore +# FOR ANY INTERFACE INVOLVED IN PROXY ARP. +# # nosmurfs - Filter packets for smurfs # (packets with a broadcast # address as the source). @@ -164,7 +195,7 @@ # shorewall.conf. After logging, the # packets are dropped. # -# detectnets - Automatically tailors the zone named +# detectnets - Automatically taylors the zone named # in the ZONE column to include only those # hosts routed through the interface. # diff --git a/Shorewall/ipsec b/Shorewall/ipsec index ddd44f712..8ec38bf90 100644 --- a/Shorewall/ipsec +++ b/Shorewall/ipsec 
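Review bot: The detectnets hunk changes the correct `tailors` to `taylors`; keep `# detectnets - Automatically tailors the zone named`. In the new arp_ignore text the value table starts at 1 and omits 0, yet add_common_rules writes 0 to every interface's arp_ignore at start, so an administrator reading this file cannot tell what the reset value is; adding `# 0 - reply for any local target IP address (the value Shorewall sets when the option is not given)` would close that gap.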
@@ -1,59 +1,7 @@ # -# Shorewall 2.4 - /etc/shorewall/ipsec +# The /etc/shorewall/ipsec file is obsolete -- the information +# previously contained in this file is now placed in the +# /etc/shorewall/zones file. # -# This file defines the attributes of zones with respect to -# IPSEC. To use this file for any purpose except for setting mss, -# you must be running a 2.6 kernel and both your kernel and iptables -# must include Policy Match Support. -# -# The columns are: -# -# ZONE The name of a zone defined in /etc/shorewall/zones. The -# $FW zone may not be listed. -# -# IPSEC Yes -- Communication with all zone hosts is encrypted -# ONLY No -- Communication with some zone hosts is encrypted. -# Encrypted hosts are designated using the 'ipsec' -# option in /etc/shorewall/hosts. -# -# OPTIONS, A comma-separated list of options as follows: -# IN OPTIONS, -# OUT OPTIONS reqid= where is specified -# using setkey(8) using the 'unique: -# option for the SPD level. -# -# spi= where is the SPI of -# the SA used to encrypt/decrypt packets. -# -# proto=ah|esp|ipcomp -# -# mss= (sets the MSS field in TCP packets) -# -# mode=transport|tunnel -# -# tunnel-src=
[/] (only -# available with mode=tunnel) -# -# tunnel-dst=
[/] (only -# available with mode=tunnel) -# -# strict Means that packets must match all rules. -# -# next Separates rules; can only be used with -# strict.. -# -# Example: -# mode=transport,reqid=44 -# -# The options in the OPTIONS column are applied to both incoming -# and outgoing traffic. The IN OPTIONS are applied to incoming -# traffic (in addition to OPTIONS) and the OUT OPTIONS are -# applied to outgoing traffic. -# -# If you wish to leave a column empty but need to make an entry -# in a following column, use "-". -################################################################################### -#ZONE IPSEC OPTIONS IN OUT -# ONLY OPTIONS OPTIONS -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +# See the IPSECFILE option in shorewall.conf for further information. diff --git a/Shorewall/maclist b/Shorewall/maclist index 0835985f1..bed3465e4 100644 --- a/Shorewall/maclist +++ b/Shorewall/maclist @@ -1,5 +1,5 @@ # -# Shorewall 2.4 - MAC list file +# Shorewall 2.6 - MAC list file # # This file is used to define the MAC addresses and optionally their # associated IP addresses to be allowed to use the specified interface. diff --git a/Shorewall/action.AllowICMPs b/Shorewall/macro.AllowICMPs similarity index 85% rename from Shorewall/action.AllowICMPs rename to Shorewall/macro.AllowICMPs index 4269d3844..81207766f 100644 --- a/Shorewall/action.AllowICMPs +++ b/Shorewall/macro.AllowICMPs @@ -1,5 +1,5 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowICMPs +# Shorewall 2.6 /usr/share/shorewall/macro.AllowICMPs # # ACCEPT needed ICMP types # diff --git a/Shorewall/action.AllowBitTorrent b/Shorewall/macro.Amanda similarity index 65% rename from Shorewall/action.AllowBitTorrent rename to Shorewall/macro.Amanda index aabf3bd3d..15a78c0ba 100644 --- a/Shorewall/action.AllowBitTorrent +++ b/Shorewall/macro.Amanda 
@@ -1,10 +1,10 @@
 #
-# Shorewall action.AllowBitTorrent
+# Shorewall macro.Amanda
 #
-# This action accepts BitTorrent traffic.
+# This macro handles connections to the AMANDA backup system.
 #
 ################################################################################
 #TARGET SOURCE DEST PROTO DEST SOURCE RATE
 # PORT PORT(S) LIMIT
-ACCEPT - - tcp 6881:6889
+PARAM - - udp 10080
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/action.AllowGnutella b/Shorewall/macro.Auth
similarity index 70%
rename from Shorewall/action.AllowGnutella
rename to Shorewall/macro.Auth
index be2fa489b..d27667026 100644
--- a/Shorewall/action.AllowGnutella
+++ b/Shorewall/macro.Auth
@@ -1,11 +1,10 @@
 #
-# Shorewall action.AllowGnutella
+# Shorewall 2.6 /usr/share/shorewall/macro.Auth
 #
-# This action accepts gnutella traffic.
+# This macro handles Auth (identd) traffic.
 #
 ######################################################################################
 #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
 # PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 6346
-ACCEPT - - udp 6346
+PARAM - - tcp 113
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/macro.BitTorrent b/Shorewall/macro.BitTorrent
new file mode 100644
index 000000000..173078cec
--- /dev/null
+++ b/Shorewall/macro.BitTorrent
@@ -0,0 +1,10 @@
+#
+# Shorewall macro.BitTorrent
+#
+# This macro handles BitTorrent traffic.
+#
+################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE
+# PORT PORT(S) LIMIT
+PARAM - - tcp 6881:6889
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/action.DropSMTP b/Shorewall/macro.CVS
similarity index 67%
rename from Shorewall/action.DropSMTP
rename to Shorewall/macro.CVS
index 9ea190c9d..27e237cfc 100644
--- a/Shorewall/action.DropSMTP
+++ b/Shorewall/macro.CVS
@@ -1,10 +1,10 @@ # -# Shorewall action.DropSMTP +# Shorewall macro.CVS # -# This action silently drops SMTP traffic. +# This macro handles connections to the CVS pserver. # ################################################################################ #TARGET SOURCE DEST PROTO DEST SOURCE RATE # PORT PORT(S) LIMIT -DROP - - tcp 25 +PARAM - - tcp 2401 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowPCA b/Shorewall/macro.DNS similarity index 66% rename from Shorewall/action.AllowPCA rename to Shorewall/macro.DNS index 3284a9150..8d8cda0a6 100644 --- a/Shorewall/action.AllowPCA +++ b/Shorewall/macro.DNS @@ -1,11 +1,11 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowPCA +# Shorewall 2.6 /usr/share/shorewall/macro.DNS # -# This action accepts PCAnywere (tm) +# This macro handles DNS traffic. # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - udp 5632 -ACCEPT - - tcp 5631 +PARAM - - udp 53 +PARAM - - tcp 53 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.DropDNSrep b/Shorewall/macro.DropDNSrep similarity index 76% rename from Shorewall/action.DropDNSrep rename to Shorewall/macro.DropDNSrep index 89342d4ff..56d793eb5 100644 --- a/Shorewall/action.DropDNSrep +++ b/Shorewall/macro.DropDNSrep @@ -1,7 +1,7 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.DropDNSrep +# Shorewall 2.6 /usr/share/shorewall/macro.DropDNSrep # -# This action silently drops DNS UDP replies +# This macro silently drops DNS UDP replies # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ diff --git a/Shorewall/action.DropUPnP b/Shorewall/macro.DropUPnP similarity index 74% rename from Shorewall/action.DropUPnP rename to Shorewall/macro.DropUPnP index 68d27acfe..6f8b3bdb5 100644 
--- a/Shorewall/action.DropUPnP +++ b/Shorewall/macro.DropUPnP @@ -1,7 +1,7 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.DropUPnP +# Shorewall 2.6 /usr/share/shorewall/macro.DropUPnP # -# This action silently drops UPnP probes on UDP port 1900 +# This macro silently drops UPnP probes on UDP port 1900 # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ diff --git a/Shorewall/action.AllowEdonkey b/Shorewall/macro.Edonkey similarity index 89% rename from Shorewall/action.AllowEdonkey rename to Shorewall/macro.Edonkey index e04a0b3dc..7ac7f0517 100644 --- a/Shorewall/action.AllowEdonkey +++ b/Shorewall/macro.Edonkey @@ -1,13 +1,13 @@ # -# Shorewall action.AllowEdonkey +# Shorewall macro.Edonkey # -# This action accepts Edonkey traffic. +# This macro handles Edonkey traffic. # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 4662 -ACCEPT - - udp 4665 +PARAM - - tcp 4662 +PARAM - - udp 4665 # # http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm # says to use udp 5737 rather than 4665 diff --git a/Shorewall/action.AllowSPAMD b/Shorewall/macro.FTP similarity index 69% rename from Shorewall/action.AllowSPAMD rename to Shorewall/macro.FTP index cab4cc097..15a2811bb 100644 --- a/Shorewall/action.AllowSPAMD +++ b/Shorewall/macro.FTP @@ -1,10 +1,10 @@ # -# Shorewall action.AllowSPAMD +# Shorewall 2.6 /usr/share/shorewall/macro.FTP # -# This action accepts Spam Assassin SPAMD traffic. +# This macro handles FTP traffic. # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 783 +PARAM - - tcp 21 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
diff --git a/Shorewall/action.AllowSSH b/Shorewall/macro.Gnutella similarity index 69% rename from Shorewall/action.AllowSSH rename to Shorewall/macro.Gnutella index 31e26266f..43a402d39 100644 --- a/Shorewall/action.AllowSSH +++ b/Shorewall/macro.Gnutella @@ -1,10 +1,11 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowSSH +# Shorewall macro.Gnutella # -# This action accepts secure shell (SSH) traffic. +# This macro handles gnutella traffic. # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 22 +PARAM - - tcp 6346 +PARAM - - udp 6346 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowICQ b/Shorewall/macro.ICQ similarity index 69% rename from Shorewall/action.AllowICQ rename to Shorewall/macro.ICQ index 8a1496975..c2bf4987a 100644 --- a/Shorewall/action.AllowICQ +++ b/Shorewall/macro.ICQ @@ -1,10 +1,10 @@ # -# Shorewall action.AllowICQ +# Shorewall macro.ICQ # -# This action accepts ICQ traffic. +# This macro handles ICQ traffic. # ################################################################################ #TARGET SOURCE DEST PROTO DEST SOURCE RATE # PORT PORT(S) LIMIT -ACCEPT - - tcp 5190 +PARAM - - tcp 5190 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.IMAP b/Shorewall/macro.IMAP new file mode 100644 index 000000000..e95832f67 --- /dev/null +++ b/Shorewall/macro.IMAP @@ -0,0 +1,11 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.IMAP +# +# This macro handles IMAP traffic (secure and insecure): +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - tcp 143 #Unsecure IMAP +PARAM - - tcp 993 #Secure IMAP +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
diff --git a/Shorewall/action.AllowDistcc b/Shorewall/macro.LDAP similarity index 58% rename from Shorewall/action.AllowDistcc rename to Shorewall/macro.LDAP index d1fdb4ada..c25d54cbd 100644 --- a/Shorewall/action.AllowDistcc +++ b/Shorewall/macro.LDAP @@ -1,11 +1,11 @@ # -# Shorewall action.AllowDistcc +# Shorewall macro.LDAP # -# This action accepts connections to the Distributed Compiler -# service. +# This macro handles LDAP traffic (secure and insecure) # ################################################################################ #TARGET SOURCE DEST PROTO DEST SOURCE RATE # PORT PORT(S) LIMIT -ACCEPT - - tcp 3632 +PARAM - - tcp 389 +PARAM - - tcp 636 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.NNTP b/Shorewall/macro.NNTP new file mode 100644 index 000000000..1e1033df8 --- /dev/null +++ b/Shorewall/macro.NNTP @@ -0,0 +1,11 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.NNTP +# +# This macro handles NNTP traffic (Usenet) and encrypted NNTP (NNTPS) +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - tcp 119 +PARAM - - tcp 563 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowNTP b/Shorewall/macro.NTP similarity index 64% rename from Shorewall/action.AllowNTP rename to Shorewall/macro.NTP index de9a57909..2e756121f 100644 --- a/Shorewall/action.AllowNTP +++ b/Shorewall/macro.NTP 
@@ -1,11 +1,11 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowNTP +# Shorewall 2.6 /usr/share/shorewall/macro.NTP # -# This action accepts NTP traffic (ntpd). +# This macro handles NTP traffic (ntpd). # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE # PORT PORT(S) DEST LIMIT -ACCEPT - - udp 123 -ACCEPT - - udp 1024: 123 +PARAM - - udp 123 +PARAM - - udp 1024: 123 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowPing b/Shorewall/macro.PCA similarity index 67% rename from Shorewall/action.AllowPing rename to Shorewall/macro.PCA index 8d7d358c3..c34cfaa08 100644 --- a/Shorewall/action.AllowPing +++ b/Shorewall/macro.PCA @@ -1,10 +1,11 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowPing +# Shorewall 2.6 /usr/share/shorewall/macro.PCA # -# This action accepts 'ping' requests. +# This macro handles PCAnywere (tm) # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - icmp 8 +PARAM - - udp 5632 +PARAM - - tcp 5631 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowPOP3 b/Shorewall/macro.POP3 similarity index 61% rename from Shorewall/action.AllowPOP3 rename to Shorewall/macro.POP3 index c478ca9ea..07b5e3e6d 100644 --- a/Shorewall/action.AllowPOP3 +++ b/Shorewall/macro.POP3 
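Review bot: The second entry of macro.NTP, `PARAM - - udp 1024: 123`, matches on source port 123 alone with any destination port from 1024 upward, so when the macro is invoked with ACCEPT it admits new UDP flows to every unprivileged port on the strength of a source port the remote peer chooses and that nothing authenticates. Replies to a client query are normally matched by connection tracking as part of the existing flow, so if the entry exists only for replies it can likely be dropped; if it is needed for ntpd peering or an untracked setup, a comment above it stating that purpose and the exposure, `# Replies from a server's port 123 to an unprivileged client port; source port is not authenticated`, would let an administrator decide whether to keep it. macro.SMB later in the diff has the same shape in `PARAM - - udp 1024: 137`. The old action.AllowNTP carried the entry too; it is worth raising now because the macro is parameterised and meant for reuse.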
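Review bot: The description line of macro.PCA, `# This macro handles PCAnywere (tm)`, misspells the product and lacks the terminating period or colon every other macro description carries. Suggest `# This macro handles pcAnywhere traffic.` so that a search for the product name finds the file.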
@@ -1,11 +1,11 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowPOP3 +# Shorewall 2.6 /usr/share/shorewall/macro.POP3 # -# This action accepts POP3 traffic (secure and insecure): +# This macro handles POP3 traffic (secure and insecure): # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE # PORT PORT(S) DEST LIMIT -ACCEPT - - tcp 110 #Unsecure POP3 -ACCEPT - - tcp 995 #Secure POP3 +PARAM - - tcp 110 #Unsecure POP3 +PARAM - - tcp 995 #Secure POP3 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Ping b/Shorewall/macro.Ping new file mode 100644 index 000000000..5177756f2 --- /dev/null +++ b/Shorewall/macro.Ping @@ -0,0 +1,10 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.Ping +# +# This macro handles 'ping' requests. +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - icmp 8 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowMySQL b/Shorewall/macro.PostgreSQL similarity index 66% rename from Shorewall/action.AllowMySQL rename to Shorewall/macro.PostgreSQL index cfa15b53b..02e962904 100644 --- a/Shorewall/action.AllowMySQL +++ b/Shorewall/macro.PostgreSQL @@ -1,10 +1,10 @@ # -# Shorewall action.AllowMySQL +# Shorewall macro.PostgreSQL # -# This action accepts connections to the MySQL server. +# This macro handles connections to the PostgreSQL server. # ################################################################################ #TARGET SOURCE DEST PROTO DEST SOURCE RATE # PORT PORT(S) LIMIT -ACCEPT - - tcp 3306 +PARAM - - tcp 5432 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Rdate b/Shorewall/macro.Rdate new file mode 100644 index 000000000..487cab8bc --- /dev/null +++ b/Shorewall/macro.Rdate 
@@ -0,0 +1,10 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.Rdate +# +# This macro handles remote time retrieval (rdate). +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - tcp 37 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowSyslog b/Shorewall/macro.Rsync similarity index 67% rename from Shorewall/action.AllowSyslog rename to Shorewall/macro.Rsync index 69eb86252..214fa2d18 100644 --- a/Shorewall/action.AllowSyslog +++ b/Shorewall/macro.Rsync @@ -1,10 +1,10 @@ # -# Shorewall action.AllowSyslog +# Shorewall macro.Rsync # -# This action accepts syslog UDP traffic. +# This macro handles connections to the rsync server. # ################################################################################ #TARGET SOURCE DEST PROTO DEST SOURCE RATE # PORT PORT(S) LIMIT -ACCEPT - - udp 514 +PARAM - - tcp 873 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SMB b/Shorewall/macro.SMB new file mode 100644 index 000000000..456cdc3e6 --- /dev/null +++ b/Shorewall/macro.SMB @@ -0,0 +1,14 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.SMB +# +# Handle Microsoft SMB traffic. You need to invoke this macro in +# both directions. +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - udp 135,445 +PARAM - - udp 137:139 +PARAM - - udp 1024: 137 +PARAM - - tcp 135,139,445 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowSMBswat b/Shorewall/macro.SMBswat similarity index 64% rename from Shorewall/action.AllowSMBswat rename to Shorewall/macro.SMBswat index a3be8eb37..bf1bb8a69 100644 --- a/Shorewall/action.AllowSMBswat +++ b/Shorewall/macro.SMBswat 
@@ -1,11 +1,11 @@ # -# Shorewall action.AllowSMBswat +# Shorewall macro.SMBswat # -# This action accepts connections to the Samba Web Administration +# This macro handles connections to the Samba Web Administration # Tool (SWAT). # ################################################################################ #TARGET SOURCE DEST PROTO DEST SOURCE RATE # PORT PORT(S) LIMIT -ACCEPT - - tcp 901 +PARAM - - tcp 901 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowSMTP b/Shorewall/macro.SMTP similarity index 65% rename from Shorewall/action.AllowSMTP rename to Shorewall/macro.SMTP index d7d8a86c9..f048724b8 100644 --- a/Shorewall/action.AllowSMTP +++ b/Shorewall/macro.SMTP @@ -1,15 +1,15 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowSMTP +# Shorewall 2.6 /usr/share/shorewall/macro.SMTP # -# This action accepts SMTP (email) traffic. +# This macro handles SMTP (email) traffic. # -# Note: This action allows traffic between an MUA (Email client) +# Note: This macro handles traffic between an MUA (Email client) # and an MTA (mail server) or between MTAs. It does not enable # reading of email via POP3 or IMAP. For those you need to use -# the AllowPOP3 or AllowIMAP actions. +# the POP3 or IMAP macros. # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 25 +PARAM - - tcp 25 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SNMP b/Shorewall/macro.SNMP new file mode 100644 index 000000000..2240ebdcd --- /dev/null +++ b/Shorewall/macro.SNMP 
@@ -0,0 +1,11 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.SNMP +# +# This macro accepts SNMP traffic (including traps): +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - udp 161:162 +PARAM - - tcp 161 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SPAMD b/Shorewall/macro.SPAMD new file mode 100644 index 000000000..c59b42ad8 --- /dev/null +++ b/Shorewall/macro.SPAMD @@ -0,0 +1,10 @@ +# +# Shorewall macro.SPAMD +# +# This macro handles Spam Assassin SPAMD traffic. +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - tcp 783 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SSH b/Shorewall/macro.SSH new file mode 100644 index 000000000..1a64367ed --- /dev/null +++ b/Shorewall/macro.SSH @@ -0,0 +1,10 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.SSH +# +# This macro handles secure shell (SSH) traffic. +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - tcp 22 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SVN b/Shorewall/macro.SVN new file mode 100644 index 000000000..89de62af6 --- /dev/null +++ b/Shorewall/macro.SVN @@ -0,0 +1,10 @@ +# +# Shorewall macro.SVN +# +# This macro handles connections to the Subversion server. +# +################################################################################ +#TARGET SOURCE DEST PROTO DEST SOURCE RATE +# PORT PORT(S) LIMIT +PARAM - - tcp 3690 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
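Review bot: The description of macro.SNMP, `# This macro accepts SNMP traffic (including traps):`, keeps the "accepts" wording of the old actions, but a PARAM macro takes its disposition from the invocation (invoked as SNMP/DROP it accepts nothing), and every other macro in this commit says "handles". Suggest `# This macro handles SNMP traffic (including traps):` so the comment does not promise a disposition the file cannot guarantee.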
diff --git a/Shorewall/action.DropEdonkey b/Shorewall/macro.Syslog similarity index 68% rename from Shorewall/action.DropEdonkey rename to Shorewall/macro.Syslog index 8e76e6148..ebf89dacf 100644 --- a/Shorewall/action.DropEdonkey +++ b/Shorewall/macro.Syslog @@ -1,11 +1,10 @@ # -# Shorewall action.DropEdonkey +# Shorewall macro.Syslog # -# This action silently drops Edonkey Traffic. +# This macro handles syslog UDP traffic. # ################################################################################ #TARGET SOURCE DEST PROTO DEST SOURCE RATE # PORT PORT(S) LIMIT -DROP - - tcp 4662 -DROP - - udp 4665 +PARAM - - udp 514 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowTelnet b/Shorewall/macro.Telnet similarity index 68% rename from Shorewall/action.AllowTelnet rename to Shorewall/macro.Telnet index d0e141e59..17971c4db 100644 --- a/Shorewall/action.AllowTelnet +++ b/Shorewall/macro.Telnet @@ -1,11 +1,11 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowTelnet +# Shorewall 2.6 /usr/share/shorewall/macro.Telnet # -# This action accepts Telnet traffic. For traffic over the +# This macro handles Telnet traffic. For traffic over the # internet, telnet is inappropriate; use SSH instead # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 23 +PARAM - - tcp 23 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowFTP b/Shorewall/macro.Trcrt similarity index 57% rename from Shorewall/action.AllowFTP rename to Shorewall/macro.Trcrt index da51ece0a..ed9b63fbc 100644 --- a/Shorewall/action.AllowFTP +++ b/Shorewall/macro.Trcrt 
@@ -1,11 +1,11 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowFTP +# Shorewall 2.6 /usr/share/shorewall/macro.Trcrt # -# This action accepts FTP traffic. See -# http://www.shorewall.net/FTP.html for additional considerations. +# This macro handles Traceroute (for up to 30 hops): # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 21 +PARAM - - udp 33434:33524 #UDP Traceroute +PARAM - - icmp 8 #ICMP Traceroute #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowDNS b/Shorewall/macro.VNC similarity index 64% rename from Shorewall/action.AllowDNS rename to Shorewall/macro.VNC index be8c9defb..defad75e4 100644 --- a/Shorewall/action.AllowDNS +++ b/Shorewall/macro.VNC @@ -1,11 +1,10 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowDNS +# Shorewall 2.6 /usr/share/shorewall/macro.VNC # -# This action accepts DNS traffic. +# This macro handles VNC traffic for VNC display's 0 - 9. # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - udp 53 -ACCEPT - - tcp 53 +PARAM - - tcp 5900:5909 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.VNCL b/Shorewall/macro.VNCL new file mode 100644 index 000000000..86c59b63d --- /dev/null +++ b/Shorewall/macro.VNCL @@ -0,0 +1,10 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.VNCL +# +# This macro handles VNC traffic from Vncservers to Vncviewers in listen mode. +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - tcp 5500 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
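Review bot: The description line of macro.VNC, `# This macro handles VNC traffic for VNC display's 0 - 9.`, has a stray apostrophe and repeats "VNC". Suggest `# This macro handles VNC traffic for displays 0 - 9 (tcp 5900:5909).` so the comment states the range the single entry below it covers.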
diff --git a/Shorewall/macro.Web b/Shorewall/macro.Web new file mode 100644 index 000000000..783d66471 --- /dev/null +++ b/Shorewall/macro.Web @@ -0,0 +1,11 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.Web +# +# This macro handles WWW traffic (secure and insecure): +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - tcp 80 +PARAM - - tcp 443 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.template b/Shorewall/macro.template new file mode 100644 index 000000000..e345f34d2 --- /dev/null +++ b/Shorewall/macro.template 
@@ -0,0 +1,69 @@
+#
+# Shorewall version 2.6 - Macro Template File
+#
+# /usr/share/shorewall/macro.template
+#
+# Macro files are similar to template files with the following exceptions:
+#
+# - A macro file is not processed unless the marcro that it defines is referenced in the
+# /etc/shorewall/rules file or in an action definition file.
+#
+# - Macros are translated directly into one or more rules whereas actions become their own
+# chain.
+#
+# - All entries in a macro undergo substitution when the macro is invoked in the rules file.
+#
+# - Macros may not invoke other macros.
+#
+# The columns in a macro definition are the same as those in the action.template file.
+# A few examples should help show how Macros work.
+#
+# /etc/shorewall/macro.FwdFTP:
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# # PORT PORT(S) LIMIT GROUP
+# DNAT - - tcp 21
+#
+# /etc/shorewall/rules:
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# # PORT PORT(S) DEST LIMIT GROUP
+# FwdFTP net loc:192.168.1.5
+#
+# The result is equivalent to:
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# # PORT PORT(S) DEST LIMIT GROUP
+# DNAT net loc:192.168.1.5 tcp 21
+#
+# The substitution rules are as follows:
+#
+# ACTION column If in the invocation of the macro, the macro name is followed by
+# slash ("/") and a second name, the second name is substituted for
+# each entry in the macro whose ACTION is PARAM
+#
+# For example, if macro FOO is invoked as FOO/ACCEPT then when
+# expanding macro.FOO, Shorewall will substitute ACCEPT in each
+# entry in macro.FOO whose ACTION column contains PARAM. PARAM may
+# be optionally followed by a colon and a log level.
+#
+# Any logging specified when the macro is invoked is applied to each
+# entry in the macros.
+#
+# SOURCE and DEST If the column in the macro is empty then the value in the rules
+# columns file is used. If the column in the macro is non-empty then any
+# value in the rules file is appended with a ":" separator.
+#
+# Example: Macro File DNAT net loc tcp 21
+# rules File FwdFTP - 192.168.1.5
+# Result DNAT net loc:192.168.1.5 tcp 21
+#
+# Remaining Any value in the rules file REPLACES the value given in the macro
+# columns file.
+#
+#
+#
+####################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/masq b/Shorewall/masq
index cc96de934..e41211a3f 100755
--- a/Shorewall/masq
+++ b/Shorewall/masq
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.4 - Masquerade file
+# Shorewall 2.6 - Masquerade file
 #
 # /etc/shorewall/masq
 #
diff --git a/Shorewall/modules b/Shorewall/modules
index 6846bc688..124dd0709 100644
--- a/Shorewall/modules
+++ b/Shorewall/modules
@@ -1,5 +1,5 @@
 ##############################################################################
-# Shorewall 2.4 /etc/shorewall/modules
+# Shorewall 2.6 /etc/shorewall/modules
 #
 # This file loads the modules needed by the firewall.
 #
diff --git a/Shorewall/nat b/Shorewall/nat
index 2b8b0e87e..3de32e577 100755
--- a/Shorewall/nat
+++ b/Shorewall/nat
@@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.4 -- Network Address Translation Table
+# Shorewall 2.6 -- Network Address Translation Table
 #
 # /etc/shorewall/nat
 #
diff --git a/Shorewall/netmap b/Shorewall/netmap
index f9be759df..96aaa8ee1 100644
--- a/Shorewall/netmap
+++ b/Shorewall/netmap
@@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.4 -- Network Mapping Table
+# Shorewall 2.6 -- Network Mapping Table
 #
 # /etc/shorewall/netmap
 #
diff --git a/Shorewall/params b/Shorewall/params
index 79e2fda61..fe67d793f 100644
--- a/Shorewall/params
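Review bot: The first bullet of the new macro.template reads `unless the marcro that it defines is referenced`; "marcro" should be "macro". The opening sentence, `Macro files are similar to template files with the following exceptions:`, presumably means action files, since every exception that follows contrasts macros with actions and the next paragraph points at action.template; `Macro files are similar to action files with the following exceptions:` would match the list that follows. The ACTION paragraph states that PARAM may be followed by a colon and a log level but gives no example of the form; one line such as `PARAM:info - - tcp 25` next to the FOO/ACCEPT example would show readers where the level goes.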
+++ b/Shorewall/params
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.4 /etc/shorewall/params
+# Shorewall 2.6 /etc/shorewall/params
 #
 # Assign any variables that you need here.
 #
diff --git a/Shorewall/policy b/Shorewall/policy
index 6327c596a..04a7e3d7f 100644
--- a/Shorewall/policy
+++ b/Shorewall/policy
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.4 -- Policy File
+# Shorewall 2.6 -- Policy File
 #
 # /etc/shorewall/policy
 #
@@ -50,6 +50,13 @@
 # then that action will be invoked before the policy named in
 # this column is inforced.
 #
+# The policy determined the default treatment of new
+# connection requests and may optionally be followed by ":"
+# and an ESTABLISHED policy which determines what
+# is to be done with packets that are part of an established
+# connection. The choices are ACCEPT (the default) and QUEUE
+# (to queue the packet to a user-space filter like Snort Inline).
+#
 # LOG LEVEL If supplied, each connection handled under the default
 # POLICY is logged at that level. If not supplied, no
 # log message is generated. See syslog.conf(5) for a
diff --git a/Shorewall/providers b/Shorewall/providers
index da19c2839..a5a3c2206 100755
--- a/Shorewall/providers
+++ b/Shorewall/providers
@@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.4 -- Internet Service Providers
+# Shorewall 2.6 -- Internet Service Providers
 #
 # /etc/shorewall/providers
 #
diff --git a/Shorewall/proxyarp b/Shorewall/proxyarp
index d9e508976..74cce43c5 100644
--- a/Shorewall/proxyarp
+++ b/Shorewall/proxyarp
@@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.4 -- Proxy ARP
+# Shorewall 2.6 -- Proxy ARP
 #
 # /etc/shorewall/proxyarp
 #
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 129de5222..964aae15b 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
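Review bot: The new comment block in the policy file's second hunk opens with `# The policy determined the default treatment of new`; the verb should be present tense, `# The policy determines the default treatment of new`. The paragraph also says nothing about RELATED packets under a DROP:QUEUE policy, while the release notes in this same diff state that RELATED packets are always accepted so that ICMP errors do not pass through QUEUE; an administrator who sends established traffic to a user-space filter would expect that caveat where the option is documented, e.g. `# RELATED packets (such as ICMP errors) are always accepted and are not queued.` The remaining hunks on this line (params, providers, proxyarp) are version bumps only.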
@@ -1,367 +1,275 @@ -Shorewall 2.4.0 +Shorewall 2.5.0 ------------------------------------------------------------------------ -Problems Corrected since 2.4.0-RC2 +Problems Corrected: -1) Previously, "shorewall status" could list the same routing table's - contents more than once. +1) The behavior of CONTINUE policies has been improved. Shorewall no + longer generates a useless policy chain corresponding to these + policies. ------------------------------------------------------------------------ -Upgrade Issues when moving to 2.4.0 +2) The combining of the zones and ipsec files has now been made upward + compatible provided that the user doesn't do something idiotic such + as install the new shorewall.conf file then manually update it + with exactly the changes that had been applied to the old file. -1) Shorewall now enforces the restriction that mark values used in - /etc/shorewall/tcrules are less than 256. If you are using mark - values >= 256, you must change your configuration before you - upgrade. +Migration Considerations: -2) The value "ipp2p" is no longer accepted in the PROTO column of the - rules file. This support has never worked as intended and filtering - P2P applications this way is a bad idea to begin with (you should be - using a proxy). +1) The "monitor" command has been eliminated. -3) LEAF/Bering packages for version 2.4.0 and later will not be - available from shorewall.net. See http://leaf.sf.net for the lastest - version of Shorewall for LEAF variants. ------------------------------------------------------------------------ -New Features in version 2.4.0 +2) The "DISPLAY" and "COMMENTS" columns in the /etc/shorewall/zones + file have been removed and have been replaced by the former + columns of the /etc/shorewall/ipsec file. The latter file has been + removed. As a result, the columns in the /etc/shorewall/zones file + are now as follows: -1) Shorewall 2.4.0 includes support for multiple internet interfaces to - different ISPs. 
+ ZONE Short name of the zone (5 Characters or less in + length). - The file /etc/shorewall/providers may be used to define the - different providers. It can actually be used to define alternate - routing tables so uses like transparent proxy can use the file as - well. + The names "all" and "none" are reserved and may + not beused as zone names. - Columns are: + IPSEC Yes -- Communication with all zone hosts is + ONLY encrypted. Your kernel and iptables + must include policy match support. + No -- Communication with some zone hosts may + be encrypted. Encrypted hosts are + designated using the 'ipsec' option in + /etc/shorewall/hosts. - NAME The provider name. + OPTIONS, A comma-separated list of options as + IN OPTIONS, follows: + OUT OPTIONS + reqid= where is + specified using setkey(8) using the + 'unique: option for the SPD + level. + + spi= where is the SPI + of the SA used to encrypt/decrypt + packets. + + proto=ah|esp|ipcomp + + mss= (sets the MSS field in TCP + packets) + + mode=transport|tunnel + + tunnel-src=
[/] (only + available with mode=tunnel) + + tunnel-dst=
[/] (only + available with mode=tunnel) + + + strict Means that packets must match + all rules. + + + next Separates rules; can only be + used with strict.. + + Example: + mode=transport,reqid=44 + + The options in the OPTIONS column are applied to both + incoming and outgoing traffic. The IN OPTIONS are + applied to incoming traffic (in addition to OPTIONS) + and the OUT OPTIONS are applied to outgoing traffic. - NUMBER The provider number -- a number between 1 and 15 + If you wish to leave a column empty but need to make an + entry in a following column, use "-". + + THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE + NESTED OR OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts. + + To attempt to adhere to the principle of least astonishment, the + old /etc/shorewall/ipsec file will continue to be supported. A new + IPSECFILE variable in /etc/shorewall/shorewall.conf determines the + name of the file that Shorewall looks in for IPSEC information. If + that variable is not set or is set to the empty value then + IPSECFILE=ipsec is assumed. So if you simply upgrade and don't do + something idiotic like replace your current shorewall.conf file with + the new one, your old configuration will continue to work. A dummy + 'ipsec' file is included in the release so that your package manager + (e.g., rpm) won't remove your existing file. - MARK A FWMARK value used in your - /etc/shorewall/tcrules file to direct packets to - this provider. + The shorewall.conf file included in this release sets + IPSECFILE=zones so that new users are expected to use the new zone + file format. - DUPLICATE The name of an existing table to duplicate. May - be 'main' or the name of a previous provider. - - INTERFACE The name of the network interface to the - provider. Must be listed in - /etc/shorewall/interfaces. - - GATEWAY The IP address of the provider's gateway router. 
- If you enter "detect" here then Shorewall will - attempt to determine the gateway IP address - automatically. - - OPTIONS A comma-separated list selected from the - following: - track If specified, connections FROM this interface are - to be tracked so that responses may be routed - back out this same interface. +3) The DROPINVALID option has been removed from shorewall.conf. The + behavior will be as if DROPINVALID=No had been specified. If you + wish to drop invalid state packets, use the dropInvalid built-in + action. + +4) The 'nobogons' interface and hosts option as well as the + BOGON_LOG_LEVEL option have been eliminated. + +5) Most of the standard actions have been replaced by parameterized + macros (see below). So for example, the action.AllowSMTP and + action.DropSMTP have been removed an a parameterized macro + macro.SMTP has been added to replace them. + + In order that current users don't have to immediately update their + rules and user-defined actions, Shorewall can substitute an + invocation of the a new macro for an existing invocation of one of + the old actions. So if your rules file calls AllowSMTP, Shorewall + will replace that call with SMTP/ACCEPT. Because this substitution + is expensive, it is conditional based on the setting of + MAPOLDACTIONS in shorewall.conf. If this option is set to YES or if + it is not set (such as if you are using your old shorewall.conf + file) then Shorewall will perform the substitution. Once you have + converted to use the new macros, you can set MAPOLDACTIONS=No and + invocations of those actions will go much quicker during 'shorewall + [re]start'. + +6) The STATEDIR variable in /etc/shorewall/shorewall.conf has been + removed. STATEDIR is now fixed at /var/lib/shorewall. If you have + previously set STATEDIR to another directory, please copy the files + from that directory to /var/lib/shorewall/ before [re]starting + Shorewall after the upgrade to this version. 
+ +New Features in Shorewall 2.5.0 - You want specify 'track' if internet hosts will be - connecting to local servers through this - provider. +1) Error and warning messages are made easier to spot by using + capitalization (e.g., ERROR: and WARNING:). - Because of limitations in the 'ip' utility and - policy routing, you may not use the SAVE or - RESTORE tcrules options or use connection - marking on any traffic to or from this - interface. For traffic control purposes, you - must mark packets in the FORWARD chain (or - better yet, use the CLASSIFY target). +2) Beginning with this version, the POLICY column in + /etc/shorewall/policy to potentially contain two policies separated + by ":". The first policy is the policy for new connections (the only + policy that you can currently configure). The second policy is for + ESTABLISHED packets (those that are part of an established + connection) and must be either ACCEPT (the default) or QUEUE. So if + the policy column contains DROP:QUEUE then new connection requests + are dropped by default but packets that are part of an established + connection are sent to the QUEUE target. RELATED state packets are + always ACCEPTED so that ICMPs (which are almost always RELATED) + won't go through QUEUE. - balance The providers that have 'balance' specified will - get outbound traffic load-balanced among them. By - default, all interfaces with 'balance' specified - will have the same weight (1). You can change the - weight of the route out of the interface by - specifiying balance= where is - the desired route weight. - - Example: You run squid in your DMZ on IP address - 192.168.2.99. Your DMZ interface is eth2 +3) A new option 'critical' has been added to + /etc/shorewall/routestopped. This option can be used to enable + communication with a host or set of hosts during the entire + "shorewall [re]start/stop" process. 
Listing a host with this option + differs from listing it without the option in several ways: - #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS - Squid 1 1 - eth2 192.168.2.99 - + a) The option only affect traffic between the listed host(s) and the + firewall itself. - Use of this feature requires that your kernel and iptables - support CONNMARK target and conntrack match support. It does NOT - require the ROUTE target extension. - - WARNING: The current version of iptables (1.3.1) is broken with - respect to CONNMARK and iptables-save/iptables-restore. This means - that if you configure multiple ISPs, "shorewall restore" will - fail. You must patch your iptables using the patch at - http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff. - -2) Shorewall 2.3.0 supports the 'cmd-owner' option of the owner match - facility in Netfilter. Like all owner match options, 'cmd-owner' may - only be applied to traffic that originates on the firewall. + b) If there are any entries with 'critical', the firewall + will be completely opened briefly during start, restart and stop but + there will be no chance of any packets to/from the listed host(s) + being dropped or rejected. - The syntax of the USER/GROUP column in the following files has been - extended: + Possible uses for this option are: + + a) Root fileset is NFS mounted. You will want to list the NFS server + in the 'critical' option. + + b) You are running Shorewall in a Crossbeam environment + (www.crossbeam.com). You will want to list the Crossbeam interface + in this option + +4) A new 'macro' feature has been added. + + Macros are very similar to actions and can be used in similar + ways. The differences between actions and macros are as follows: - /etc/shorewall/accounting - /etc/shorewall/rules - /etc/shorewall/tcrules - /usr/share/shorewall/action.template - - To specify a command, prefix the command name with "+". 
+ a) An action creates a separate chain with the same name as the + action (when logging is specified on the invocation of an action, + a chain beginning with "%" followed by the name of the action and + possibly followed by a number is created). When a macro is + invoked, it is expanded in-line and no new chain is created. + + b) An action may be specified as the default action for a policy; + macros cannot be specified this way. + + c) Actions must be listed in either /usr/share/shorewall/actions.std + or in /etc/shorewall/actions. Macros are defined simply by + placing their definition file in the CONFIG_PATH. - Examples: + d) Actions are defined in a file with a name beginning with + "action." and followed by the name of the action. Macro files are + defined in a file with a name beginning with "macro.". - +mozilla-bin #The program is named "mozilla-bin" - joe+mozilla-bin #The program is named "mozilla-bin" and - #is being run by user "joe" - joe:users+mozilla-bin #The program is named "mozilla-bin" and - #is being run by user "joe" with - #effective group "users". + e) Actions may invoke other actions. Macros may not directly invoke + other macros although they may invoke other macros indirectly + through an action. - Note that this is not a particularly robust feature and I would - never advertise it as a "Personal Firewall" equivalent. Using - symbolic links, it's easy to alias command names to be anything you - want. + f) DNAT[-] and REDIRECT[-] rules may not appear in an action. They + are allowed in a macro with the restriction that the a macro + containing one of these rules may not be invoked from an action. -3) Support has been added for ipsets - (see http://people.netfilter.org/kadlec/ipset/). + g) The values specified in the various columns when you invoke a + macro are substituted in the corresponding column in each rule in + the macro. 
The first three columns get special treatment: - In most places where a host or network address may be used, you may - also use the name of an ipset prefaced by "+". + TARGET If you code PARAM as the target in a macro then + when you invoke the macro, you can include the + name of the macro followed by a slash ("/") and + an ACTION (either builtin or user-defined. All + instances of PARAM in the body of the macro will be + replaced with the ACTION. - Example: "+Mirrors" + Any logging applied when the action is invoked is + applied following the same rules as for actions. - The name of the set may be optionally followed by: - - a) a number from 1 to 6 enclosed in square brackets ([]) -- this - number indicates the maximum number of ipset binding levels that - are to be matched. Depending on the context where the ipset name - is used, either all "src" or all "dst" matches will be used. - - Example: "+Mirrors[4]" + SOURCE and + DEST If the rule in the macro file specifies a value and + the invocation of the rule also specifies a value then + the value in the invocation is appended to the value + in the rule using ":" as a separator. - b) a series of "src" and "dst" options separated by commas and - inclosed in square brackets ([]). These will be passed directly - to iptables in the generated --set clause. See the ipset - documentation for details. + Example: - Example: "+Mirrors[src,dst,src]" - - Note that "+Mirrors[4]" used in the SOURCE column of the rules - file is equivalent to "+Mirrors[src,src,src,src]". + /etc/shorewall/macro.SMTP - To generate a negative match, prefix the "+" with "!" as in - "!+Mirrors". 
+ PARAM - loc tcp 25 - Example 1: Blacklist all hosts in an ipset named "blacklist" + /etc/shorewall/rules: - /etc/shorewall/blacklist + SMTP/DNAT:info net 192.168.1.5 - #ADDRESS/SUBNET PROTOCOL PORT - +blacklist + Would be equivalent to the following in the rules file: - Example 2: Allow SSH from all hosts in an ipset named "sshok: + DNAT:info net loc:192.168.1.5 tcp 25 - /etc/shorewall/rules + Rest Any value in the invocation replaces the value in the + rule in the macro. - #ACTION SOURCE DEST PROTO DEST PORT(S) - ACCEPT +sshok fw tcp 22 + One additional restriction applies to the mixing of macros and + actions. Macros that are invoked from actions cannot themselves + invoke other actions. - Shorewall can automatically capture the contents of your ipsets for - you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf - then "shorewall save" will save the contents of your ipsets. The file - where the sets are saved is formed by taking the name where the - Shorewall configuration is stored and appending "-ipsets". So if you - enter the command "shorewall save standard" then your Shorewall - configuration will be saved in /var/lib/shorewall/standard and your - ipset contents will be saved in /var/lib/shorewall/standard-ipsets. - Assuming the default RESTOREFILE setting, if you just enter - "shorewall save" then your Shorewall configuration will be saved in - /var/lib/shorewall/restore and your ipset contents will be saved in - /var/lib/shorewall/restore-ipsets. +5) If you have 'make' installed on your firewall, then when you use + the '-f' option to 'shorewall start' (as happens when you reboot), + if your /etc/shorewall/ directory contains files that were modified + after Shorewall was last restarted then Shorewall is started using + the config files rather than using the saved configuration. 
- Regardless of the setting of SAVE_IPSETS, the "shorewall -f start" - and "shorewall restore" commands will restore the ipset contents - corresponding to the Shorewall configuration restored provided that - the saved Shorewall configuration specified exists. +6) The 'arp_ignore' option has been added to /etc/shorewall/interfaces + entries. This option sets + /proc/sys/net/ipv4/conf//arp_ignore. By default, the + option sets the value to 1. You can also write arp_ignore= + where value is one of the following: - For example, "shorewall restore standard" would restore the ipset - contents from /var/lib/shorewall/standard-ipsets provided that - /var/lib/shorewall/standard exists and is executable and that - /var/lib/shorewall/standard-ipsets exists and is executable. + 1 - reply only if the target IP address is local address + configured on the incoming interface - Also regardless of the setting of SAVE_IPSETS, the "shorewall forget" - command will purge the saved ipset information (if any) associated - with the saved shorewall configuration being removed. - - You can also associate ipset contents with Shorewall configuration - directories using the following command: - - ipset -S > /ipsets - - Example: - - ipset -S > /etc/shorewall/ipsets - - When you start or restart Shorewall (including using the 'try' - command) from the configuration directory, your ipsets will be - configured from the saved ipsets file. Once again, this behavior is - independent of the setting of SAVE_IPSETS. - - Ipsets are well suited for large blacklists. You can maintain your - blacklist using the 'ipset' utility without ever having to restart - or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be - sure to "shorewall save" after altering the blacklist ipset(s). 
- - Example /etc/shorewall/blacklist: - - #ADDRESS/SUBNET PROTOCOL PORT - +Blacklist[src,dst] - +Blacklistnets[src,dst] - - Create the blacklist ipsets using: - - ipset -N Blacklist iphash - ipset -N Blacklistnets nethash - - Add entries - - ipset -A Blacklist 206.124.146.177 - ipset -A Blacklistnets 206.124.146.0/24 - - To allow entries for individual ports - - ipset -N SMTP portmap --from 1 --to 31 - ipset -A SMTP 25 - - ipset -A Blacklist 206.124.146.177 - ipset -B Blacklist 206.124.146.177 -b SMTP - - Now only port 25 will be blocked from 206.124.146.177. - -4) Shorewall 2.4.0 can now configure routing if your kernel and - iptables support the ROUTE target extension. This extension is - available in Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since - the Netfilter team have no intention of ever releasing the ROUTE - target extension to kernel.org. - - Routing is configured using the /etc/shorewall/routes file. Columns - in the file are as follows: - - SOURCE Source of the packet. May be any of the - following: - - - - A host or network address - - A network interface name. - - The name of an ipset prefaced with "+" - - $FW (for packets originating on the firewall) - - A MAC address in Shorewall format - - A range of IP addresses (assuming that your - kernel and iptables support range match) - - A network interface name followed by ":" - and an address or address range. - - DEST Destination of the packet. May be any of the - following: - - - A host or network address - - A network interface name (determined from - routing table(s)) - - The name of an ipset prefaced with "+" - - A network interface name followed by ":" - and an address or address range. - - PROTO Protocol - Must be "tcp", "udp", "icmp", - "ipp2p", a number, or "all". "ipp2p" requires - ipp2p match support in your kernel and - iptables. - - PORT(S) Destination Ports. 
A comma-separated list of - Port names (from /etc/services), port numbers - or port ranges; if the protocol is "icmp", this - column is interpreted as the destination - icmp-type(s). - - If the protocol is ipp2p, this column is - interpreted as an ipp2p option without the - leading "--" (example "bit" for bit-torrent). - If no PORT is given, "ipp2p" is assumed. - - This column is ignored if PROTOCOL = all but - must be entered if any of the following field - is supplied. In that case, it is suggested that - this field contain "-" - - SOURCE PORT(S) (Optional) Source port(s). If omitted, - any source port is acceptable. Specified as a - comma-separated list of port names, port - numbers or port ranges. - - TEST Defines a test on the existing packet or - connection mark. - - The rule will match only if the test returns - true. Tests have the format - [!][/][:C] - - Where: - - ! Inverts the test (not equal) - Value of the packet or - connection mark. - - A mask to be applied to the - mark before testing - :C Designates a connection - mark. If omitted, the packet - mark's value is tested. - - INTERFACE The interface that the packet is to be routed - out of. If you do not specify this field then - you must place "-" in this column and enter an - IP address in the GATEWAY column. - - GATEWAY The gateway that the packet is to be forewarded - through. - -5) Normally when Shorewall is stopped, starting or restarting then - connections are allowed from hosts listed in - /etc/shorewall/routestopped to the firewall and to other hosts - listed in /etc/shorewall/routestopped. - - A new 'source' option is added for entries in that file which will - cause Shorewall to allow traffic from the host listed in the entry - to ANY other host. When 'source' is specified in an entry, it is - unnecessary to also specify 'routeback'. - - Similarly, a new 'dest' option is added which will cause Shorewall - to allow traffic to the host listed in the entry from ANY other - host. 
When 'source' is specified in an entry, it is unnecessary to
- also specify 'routeback'.
-
-6) This change was implemented by Lorenzo Martignoni. It provides two
- new commands: "safe-start" and "safe-restart".
-
- safe-start starts Shorewall then prompts you to ask you if
- everything looks ok. If you answer "no" or if you don't answer
- within 60 seconds, a "shorewall clear" is executed.
-
- safe-restart saves your current configuration to
- /var/lib/shorewall/safe-restart then issues a "shorewall restart";
- It then prompts you to ask if you if you want to accept the new
- configuration. If you answer "no" or if you don't answer within 60
- seconds, the configuration is restored to its prior state.
-
- These new commands require either that your /bin/sh supports the
- "-t" option to the 'read' command or that you have /bin/bash
- installed.
+ 2 - reply only if the target IP address is local address
+ configured on the incoming interface and both with the sender's
+ IP address are part from same subnet on this interface
+ 3 - do not reply for local addresses configured with scope
+ host, only resolutions for global and link addresses are
+ replied
+ 4-7 - reserved
+ 8 - do not reply for all local addresses
+ WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE INVOLVED IN
+ PROXY ARP.
+
diff --git a/Shorewall/rfc1918 b/Shorewall/rfc1918
index 306efccbf..7542760ab 100644
--- a/Shorewall/rfc1918
+++ b/Shorewall/rfc1918
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.4 -- RFC1918 File
+# Shorewall 2.6 -- RFC1918 File
 #
 # /etc/shorewall/rfc1918
 #
diff --git a/Shorewall/routes b/Shorewall/routes
deleted file mode 100755
index b15fc76a4..000000000
--- a/Shorewall/routes
+++ /dev/null
@@ -1,94 +0,0 @@
-#
-# Shorewall version 2.4 - Routing Rules
-#
-# /etc/shorewall/routes
-#
-# Entries in this file cause packets to be routed in non-standard
-# ways.
-#
-# I M P O R T A N T ! ! ! !
-#
-# In order to use entries in this file, your kernel and iptables must
-# have ROUTE target support (see the output of "shorewall show
-# capabilities").
-#
-# This facility is *EXPERIMENTAL* -- the Netfilter team have no intention
-# of ever submitting the ROUTE target patch to kernel.org.
-#
-# To omit any column, enter "-" in that column.
-#
-# Columns are:
-#
-#
-# SOURCE Source of the packet. May be any of the following:
-#
-# - A host or network address
-# - A network interface name.
-# - The name of an ipset prefaced with "+"
-# - $FW (for packets originating on the firewall)
-# - A MAC address in Shorewall format
-# - A range of IP addresses (assuming that your
-# kernel and iptables support range match)
-# - A network interface name followed by ":"
-# and an address or address range.
-#
-# DEST Destination of the packet. May be any of the
-# following:
-#
-# - A host or network address
-# - A network interface name (determined from
-# routing table(s))
-# - The name of an ipset prefaced with "+"
-# - A network interface name followed by ":"
-# and an address or address range.
-#
-# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
-# a number, or "all". "ipp2p" requires ipp2p match
-# support in your kernel and iptables.
-#
-# PORT(S) Destination Ports. A comma-separated list of Port
-# names (from /etc/services), port numbers or port
-# ranges; if the protocol is "icmp", this column is
-# interpreted as the destination icmp-type(s).
-#
-# Port ranges are allowed in a list only if your
-# kernel and iptables support Extended Multi-port
-# match (see the output of "shorewall show capabilities").
-#
-# If the protocol is ipp2p, this column is interpreted
-# as an ipp2p option without the leading "--" (example "bit"
-# for bit-torrent). If no PORT is given, "ipp2p" is
-# assumed.
-#
-# SOURCE PORT(S) Source port(s). If omitted, any source port is acceptable.
-# Specified as a comma-separated list of port names, port
-# numbers or port ranges.
-#
-# Port ranges are allowed in a list only if your
-# kernel and iptables support Extended Multi-port
-# match (see the output of "shorewall show capabilities").
-#
-# TEST Defines a test on the existing packet or connection mark.
-# The rule will match only if the test returns true. Tests
-# have the format [!][/][:C]
-#
-# Where:
-#
-# ! Inverts the test (not equal)
-# Value of the packet or connection mark.
-# A mask to be applied to the mark before
-# testing
-# :C Designates a connection mark. If omitted,
-# the packet mark's value is tested.
-#
-# INTERFACE The interface that the packet is to be routed out of.
-# If you specify "-" here, then you must enter the IP address
-# of a gateway in the GATEWAY column.
-#
-# GATEWAY The gateway that the packet is to be forewarded through.
-#
-# See http://shorewall.net/Shorewall_and_Routing.html for additional information.
-#######################################################################################
-#SOURCE DEST PROTO PORT(S) SOURCE TEST INTERFACE GATEWAY
-# PORT(S)
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/routestopped b/Shorewall/routestopped
index ec3dffc32..38e1198b4 100644
--- a/Shorewall/routestopped
+++ b/Shorewall/routestopped
@@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.4 -- Hosts Accessible when the Firewall is Stopped
+# Shorewall 2.6 -- Hosts Accessible when the Firewall is Stopped
 #
 # /etc/shorewall/routestopped
 #
@@ -37,6 +37,13 @@
 # listed hosts (and the firewall) is allowed. If
 # 'dest' is specified then 'routeback' is redundent.
 #
+# critical - Allow traffic between the firewall and
+# these hosts throughout '[re]start', 'stop' and
+# 'clear'. Specifying 'critical' on one or more
+# entries will cause your firewall to be "totally
+# open" for a brief window during each of those
+# operations.
+#
 # Example:
 #
 # INTERFACE HOST(S) OPTIONS
diff --git a/Shorewall/rules b/Shorewall/rules
index 1ab6c7b6c..1232f8423 100755
--- a/Shorewall/rules
+++ b/Shorewall/rules
@@ -1,5 +1,5 @@
 #
-# Shorewall version 2.4 - Rules File
+# Shorewall version 2.6 - Rules File
 #
 # /etc/shorewall/rules
 #
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index 41f7cb6df..102a24378 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Shorewall Packet Filtering Firewall Control Program - V2.4
+# Shorewall Packet Filtering Firewall Control Program - V2.6
 #
 # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
@@ -158,7 +158,7 @@ iptablesbug()
 /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
 {print ; sline="" }'
 else
- echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
+ echo " WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
 cat
 fi
 }
@@ -234,6 +234,7 @@ get_config() {
 echo " WARNING: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf" >&2
 ;;
 esac
+ }
 #
@@ -243,112 +244,6 @@ clear_term() {
 [ -t 1 ] && clear
 }
-#
-# Display IPTABLES rules -- we used to store them in a variable but ash
-# dies when trying to display large sets of rules
-#
-display_chains()
-{
- trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
-
- if [ "$haveawk" = "Yes" ]; then
- #
- # Send the output to a temporary file since ash craps if we try to store
- # the output in a variable.
- #
- TMPFILE=$(mktempfile)
- [ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
-
- $IPTABLES -L $IPT_OPTIONS >> $TMPFILE
-
- clear_term
- echo "$banner $(date)"
- echo
- echo "Standard Chains"
- echo
- firstchain="Yes"
- showchain INPUT
- showchain OUTPUT
- showchain FORWARD
-
- timed_read
-
- clear_term
- echo "$banner $(date)"
- echo
- firstchain=Yes
- echo "Input Chains"
- echo
-
- chains=$(grep '^Chain.*_[in|fwd]' $TMPFILE | cut -d' ' -f 2)
-
- for chain in $chains; do
- showchain $chain
- done
-
- timed_read
-
- for zone in $zones; do
-
- if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
- clear_term
- echo "$banner $(date)"
- echo
- firstchain=Yes
- eval display=\$${zone}_display
- echo "$display Chains"
- echo
- for zone1 in $FW $zones; do
- showchain ${zone}2$zone1
- showchain @${zone}2$zone1
- [ "$zone" != "$zone1" ] && \
- showchain ${zone1}2${zone} && \
- showchain @${zone1}2${zone}
- done
-
- timed_read
- fi
- done
-
- clear_term
- echo "$banner $(date)"
- echo
- firstchain=Yes
- echo "Policy Chains"
- echo
- showchain common
- showchain badpkt
- showchain icmpdef
- showchain rfc1918
- showchain blacklst
- showchain reject
- showchain newnotsyn
- for zone in $zones all; do
- showchain ${zone}2all
- showchain @${zone}2all
- [ "$zone" = "all" ] || { showchain all2${zone}; showchain @all2${zone}; }
- done
-
- timed_read
-
- clear_term
- echo "$banner $(date)"
- echo
- firstchain=Yes
- echo "Dynamic Chain"
- echo
- showchain dynamic
- timed_read
-
- qt rm -f $TMPFILE
- else
- $IPTABLES -L -n -v
- timed_read
- fi
- trap - 1 2 3 4 5 6 9
-
-}
-
-
 #
 # Delay $timeout seconds -- if we're running on a recent bash2 then allow
 # to terminate the delay
@@ -441,114 +336,6 @@ show_classifiers() {
 done
 }
-#
-# Monitor the Firewall
-#
-monitor_firewall() # $1 = timeout -- if negative, prompt each time that
- # an 'interesting' packet count changes
-{
-
- host=$(echo $HOSTNAME | sed 's/\..*$//')
- oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
-
- if [ $1 -lt 0 ]; then
- let "timeout=- $1"
- pause="Yes"
- else
- pause="No"
- timeout=$1
- fi
-
-
- if qt which awk; then
- TMP_DIR=$(mktempdir)
- [ -n "$TMP_DIR" ] || { echo " ERROR:Cannot create temporary directory" >&2; exit 1; }
- haveawk=Yes
- determine_zones
- rm -rf $TMP_DIR
- else
- haveawk=
- fi
-
- while true; do
- display_chains
-
- clear_term
- echo "$banner $(date)"
- echo
-
- echo "Dropped/Rejected Packet Log"
- echo
-
- show_reset
-
- rejects=$($IPTABLES -L -v -n | grep 'LOG')
-
- if [ "$rejects" != "$oldrejects" ]; then
- oldrejects="$rejects"
-
- $RING_BELL
-
- packet_log 20
-
- if [ "$pause" = "Yes" ]; then
- echo
- echo $ECHO_N 'Enter any character to continue: '
- read foo
- else
- timed_read
- fi
- else
- echo
- packet_log 20
- timed_read
- fi
-
- clear_term
- echo "$banner $(date)"
- echo
- echo "NAT Status"
- echo
- $IPTABLES -t nat -L $IPT_OPTIONS
- timed_read
-
- clear_term
- echo "$banner $(date)"
- echo
- echo
- echo "TOS/MARK Status"
- echo
- $IPTABLES -t mangle -L $IPT_OPTIONS
- timed_read
-
- clear_term
- echo "$banner $(date)"
- echo
- echo
- echo "Tracked Connections"
- echo
- cat /proc/net/ip_conntrack
- timed_read
-
- clear_term
- echo "$banner $(date)"
- echo
- echo
- echo "Traffic Shaping/Control"
- echo
- show_tc
- timed_read
-
- clear_term
- echo "$banner $(date)"
- echo
- echo
- echo "Packet Classifiers"
- echo
- show_classifiers
- timed_read
- done
-}
 #
 # Watch the Firewall Log
@@ -714,7 +501,6 @@ usage() # $1 = exit status
 echo " ipcalc [
/ |
]" echo " iprange
-
" echo " logwatch []" - echo " monitor []" echo " refresh" echo " reject
..."
 echo " reset"
@@ -737,8 +523,8 @@ usage() # $1 = exit status
 # Display the time that the counters were last reset
 #
 show_reset() {
- [ -f $STATEDIR/restarted ] && \
- echo "Counters reset $(cat $STATEDIR/restarted)" && \
+ [ -f /var/lib/shorewall/restarted ] && \
+ echo "Counters reset $(cat /var/lib/shorewall/restarted)" && \
 echo
 }
@@ -896,8 +682,6 @@ export CONFIG_PATH
 get_config
-[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
-
 if [ ! -f $FIREWALL ]; then
 echo "ERROR: Shorewall is not properly installed"
 if [ -L $FIREWALL ]; then
@@ -953,7 +737,7 @@ case "$1" in
 echo "Directory $2 does not exist" >&2 && exit 2
 fi
 fi
-
+
 SHOREWALL_DIR=$2
 export SHOREWALL_DIR
 ;;
@@ -963,29 +747,37 @@ case "$1" in
 esac
 if [ -n "$FAST" ]; then
-
- RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
+ if qt which make; then
+ make -qf /etc/shorewall/Makefile || FAST=
+ fi
- if [ -x $RESTOREPATH ]; then
- if [ -x ${RESTOREPATH}-ipsets ]; then
- echo Restoring Ipsets...
- #
- # We must purge iptables to be sure that there are no
- # references to ipsets
- #
- iptables -F
- iptables -X
- ${RESTOREPATH}-ipsets
+ if [ -n "$FAST" ]; then
+
+ RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
+
+ if [ -x $RESTOREPATH ]; then
+ if [ -x ${RESTOREPATH}-ipsets ]; then
+ echo Restoring Ipsets...
+ #
+ # We must purge iptables to be sure that there are no
+ # references to ipsets
+ #
+ iptables -F
+ iptables -X
+ ${RESTOREPATH}-ipsets
+ fi
+
+ echo Restoring Shorewall...
+ $RESTOREPATH
+ date > /var/lib/shorewall/restarted
+ echo Shorewall restored from $RESTOREPATH
+ else
+ exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
 fi
-
- echo Restoring Shorewall...
- $RESTOREPATH
- date > $STATEDIR/restarted
- echo Shorewall restored from $RESTOREPATH
 else
 exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
 fi
- else
+ else
 exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
 fi
 ;;
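Review bot: `make -qf /etc/shorewall/Makefile || FAST=` only compares /var/lib/shorewall/restarted against whatever the Makefile lists as prerequisites, so configuration that reaches the firewall through another CONFIG_PATH directory, or through the `-c` SHOREWALL_DIR set a few lines earlier in this file, is outside the staleness check and a stale saved configuration can still be restored at boot; the line deserves a comment saying what the check does and does not cover, e.g. `# make -q: status 0 means restarted is newer than every prerequisite; any other status (stale, or make error) falls back to a full start`. When `make` is not installed the `qt which make` guard skips the check entirely and the old always-restore behaviour remains, and when the check does fail it does so silently — a one-line message on stderr before the fallback would let the boot log explain why the slow path ran. The rewritten branch also repeats `exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start` three times at two nesting levels; folding the non-executable-restore-file case into clearing FAST leaves a single exec, as below. The `case` this lives in starts and ends outside the hunk.
```sh
if [ -n "$FAST" ]; then
    if qt which make; then
        make -qf /etc/shorewall/Makefile || FAST=
    fi
    RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
    [ -n "$FAST" -a -x $RESTOREPATH ] || FAST=
fi

if [ -n "$FAST" ]; then
    # … unchanged: ipset restore, $RESTOREPATH, date > /var/lib/shorewall/restarted, echo …
else
    exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi
;;
```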
@@ -1066,8 +858,7 @@ case "$1" in
 ;;
 zones)
 [ $# -gt 2 ] && usage 1
- [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
- if [ -f $STATEDIR/zones ]; then
+ if [ -f /var/lib/shorewall/zones ]; then
 echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
 echo
 while read zone hosts; do
@@ -1075,10 +866,10 @@ case "$1" in
 for host in $hosts; do
 echo " $host"
 done
- done < $STATEDIR/zones
+ done < /var/lib/shorewall/zones
 echo
 else
- echo " ERROR: $STATEDIR/zones does not exist" >&2
+ echo " ERROR: /var/lib/shorewall/zones does not exist" >&2
 exit 1
 fi
 ;;
@@ -1113,16 +904,6 @@ case "$1" in
 ;;
 esac
 ;;
- monitor)
- [ -n "$debugging" ] && set -x
- if [ $# -eq 2 ]; then
- monitor_firewall $2
- elif [ $# -eq 1 ]; then
- monitor_firewall 30
- else
- usage 1
- fi
- ;;
 status)
 [ -n "$debugging" ] && set -x
 [ $# -eq 1 ] || usage 1
@@ -1168,7 +949,7 @@ case "$1" in
 show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all
 for directory in /proc/sys/net/ipv4/conf/*; do
- for file in proxy_arp arp_filter rp_filter log_martians; do
+ for file in proxy_arp arp_filter arp_ignore rp_filter log_martians; do
 show_proc $directory/$file
 done
 done
@@ -1252,7 +1033,7 @@ case "$1" in
 echo $version
 ;;
 try)
- [ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
+ [ -n "$SHOREWALL_DIR" ] && startup_error "ERROR: -c option may not be used with \"try\""
 [ $# -lt 2 -o $# -gt 3 ] && usage 1
 if ! $0 $debugging -c $2 restart; then
 if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index 6c170fa4a..19ea3a10f 100755
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@@ -1,5 +1,5 @@
 ##############################################################################
-# /etc/shorewall/shorewall.conf V2.4 - Change the following variables to
+# /etc/shorewall/shorewall.conf V2.6 - Change the following variables to
 # match your setup
 #
 # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
@@ -227,20 +227,6 @@ RFC1918_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
-#
-# BOGON Log Level
-#
-# Specifies the logging level for bogon packets dropped by the
-#'nobogons' interface option in /etc/shorewall/interfaces and in
-# /etc/shorewall/hosts. If set to the empty value
-# ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop'
-# in /usr/share/shorewall/bogons are logged at the 'info' level.
-#
-# See the comment at the top of this section for a description of log levels
-#
-
-BOGON_LOG_LEVEL=info
-
 #
 # MARTIAN LOGGING
 #
@@ -289,15 +275,6 @@ SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=/var/lock/subsys/shorewall
-#
-# SHOREWALL TEMPORARY STATE DIRECTORY
-#
-# This is the directory where the firewall maintains state information while
-# it is running
-#
-
-STATEDIR=/var/lib/shorewall
-
 #
 # KERNEL MODULE DIRECTORY
 #
@@ -340,6 +317,17 @@ CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 RESTOREFILE=
+#
+# OLD ZONE FILE FORMAT
+#
+# Previous versions of Shorewall had both a 'zones' file and an 'ipsec' file.
+# Beginning with 2.5.0, those files were combined. For users who haven't
+# converted, we offer this variable that sets the name of the file for ipsec
+# information. This option must take the value "zones" or "ipsec". If the option
+# is not set or is set to the empty value (IPSECFILE="") then "ipsec" is assumed.
+
+IPSECFILE=zones
+
 ################################################################################
 # F I R E W A L L O P T I O N S
 ################################################################################
@@ -375,7 +363,7 @@ IP_FORWARDING=On
 # "No" or "no", you must add these aliases youself.
 #
-ADD_IP_ALIASES=No
+ADD_IP_ALIASES=Yes
 #
 # AUTOMATICALLY ADD SNAT IP ADDRESSES
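Review bot: Flipping the shipped default to `ADD_IP_ALIASES=Yes` changes what a fresh install does with the aliases the comment above describes, and nothing in the one-line hunk says so; the descriptive comment (outside the hunk) should state that the default changed in this version so a reader of the file does not assume the old behaviour. The same file drops `STATEDIR=` two hunks up while the control script now hardcodes /var/lib/shorewall for zones, restarted and the restore file (hunks @@ -737 and @@ -1066 of Shorewall/shorewall above), so an existing shorewall.conf that still sets STATEDIR elsewhere is ignored without a word and the saved configuration it points at is no longer found; a short `# STATEDIR is no longer honoured; state is kept in /var/lib/shorewall` line where the option used to be, or a warning from get_config when the variable is still set, would make the upgrade visible.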
@@ -716,41 +704,6 @@ DYNAMIC_ZONES=No
 PKTTYPE=Yes
-#
-# DROP INVALID PACKETS
-#
-# Netfilter classifies packets relative to its connection tracking table into
-# four states:
-#
-# NEW - thes packet initiates a new connection
-# ESTABLISHED - thes packet is part of an established connection
-# RELATED - thes packet is related to an established connection; it may
-# establish a new connection
-# INVALID - the packet does not related to the table in any sensible way.
-#
-# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
-# Window analysis. This can cause packets that were previously classified as
-# NEW or ESTABLISHED to be classified as INVALID.
-#
-# The new kernel code can be disabled by including this command in your
-# /etc/shorewall/init file:
-#
-# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
-#
-# Additional kernel logging about INVALID TCP packets may be obtained by
-# adding this command to /etc/shorewall/init:
-#
-# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
-#
-# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
-# option allows INVALID packets to be passed through the normal rules chains by
-# setting DROPINVALID=No.
-#
-# If not specified or if specified as empty (e.g., DROPINVALID="") then
-# DROPINVALID=Yes is assumed.
-
-DROPINVALID=No
-
 #
 # RFC 1918 BEHAVIOR
 #
@@ -816,6 +769,17 @@ MACLIST_TTL=
 SAVE_IPSETS=No
+#
+# Map Old Actions
+#
+# Previously, Shorewall included a large number of standard actions (AllowPing,
+# AllowFTP, ...). These have been replaced with parameterized macros. For
+# compatibility, Shorewall can map the old names into invocations of the new
+# macros if you set MAPOLDACTIONS=Yes. If this option is not set or is set to
+# the empty value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed
+
+MAPOLDACTIONS=No
+
 ################################################################################
 # P A C K E T D I S P O S I T I O N
 ################################################################################
diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec
index dd0e38d04..45eea4679 100644
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 2.4.0
+%define version 2.5.0
 %define release 1
 %define prefix /usr
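Review bot: The comment states that an unset or empty `MAPOLDACTIONS` is treated as Yes while the shipped file sets `MAPOLDACTIONS=No`, so an upgraded shorewall.conf that lacks the key keeps the old action names working and a new install rejects them; if that split is intended, the comment should say so, e.g. `# New installations ship with No; an existing shorewall.conf that lacks this option keeps the old names working.` The sentence ending in `MAPOLDACTIONS=Yes is assumed` is also missing its full stop. The IPSECFILE block earlier in this file has the same unset-means-one-value, shipped-value-another shape and would benefit from the same one-line explanation.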
@@ -95,52 +95,70 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/continue
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/started
-%attr(0600,root,root) %config(noreplace) /etc/shorewall/routes
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/providers
 %attr(0544,root,root) /sbin/shorewall
 %attr(0600,root,root) /usr/share/shorewall/version
 %attr(0600,root,root) /usr/share/shorewall/actions.std
-%attr(0600,root,root) /usr/share/shorewall/action.AllowAuth
-%attr(0600,root,root) /usr/share/shorewall/action.AllowDNS
-%attr(0600,root,root) /usr/share/shorewall/action.AllowFTP
-%attr(0600,root,root) /usr/share/shorewall/action.AllowICMPs
-%attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP
-%attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP
-%attr(0600,root,root) /usr/share/shorewall/action.AllowNTP
-%attr(0600,root,root) /usr/share/shorewall/action.AllowPCA
-%attr(0600,root,root) /usr/share/shorewall/action.AllowPing
-%attr(0600,root,root) /usr/share/shorewall/action.AllowPOP3
-%attr(0600,root,root) /usr/share/shorewall/action.AllowRdate
-%attr(0600,root,root) /usr/share/shorewall/action.AllowSMB
-%attr(0600,root,root) /usr/share/shorewall/action.AllowSMTP
-%attr(0600,root,root) /usr/share/shorewall/action.AllowSNMP
-%attr(0600,root,root) /usr/share/shorewall/action.AllowSSH
-%attr(0600,root,root) /usr/share/shorewall/action.AllowTelnet
-%attr(0600,root,root) /usr/share/shorewall/action.AllowTrcrt
-%attr(0600,root,root) /usr/share/shorewall/action.AllowVNC
-%attr(0600,root,root) /usr/share/shorewall/action.AllowVNCL
-%attr(0600,root,root) /usr/share/shorewall/action.AllowWeb
 %attr(0600,root,root) /usr/share/shorewall/action.Drop
-%attr(0600,root,root) /usr/share/shorewall/action.DropDNSrep
-%attr(0600,root,root) /usr/share/shorewall/action.DropPing
-%attr(0600,root,root) /usr/share/shorewall/action.DropSMB
-%attr(0600,root,root) /usr/share/shorewall/action.DropUPnP
 %attr(0600,root,root) /usr/share/shorewall/action.Reject
-%attr(0600,root,root) /usr/share/shorewall/action.RejectAuth
-%attr(0600,root,root) /usr/share/shorewall/action.RejectSMB
 %attr(0600,root,root) /usr/share/shorewall/action.template
 %attr(0444,root,root) /usr/share/shorewall/functions
 %attr(0544,root,root) /usr/share/shorewall/firewall
 %attr(0544,root,root) /usr/share/shorewall/help
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowAuth
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowDNS
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowFTP
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowICMPs
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowIMAP
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowNNTP
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowNTP
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowPCA
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowPing
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowPOP3
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowRdate
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowSMTP
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowSNMP
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowSMB
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowSSH
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowTelnet
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowTrcrt
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowVNC
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowVNCL
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowWeb
+%attr(0600,root,root) /usr/share/shorewall/macro.DropDNSrep
+%attr(0600,root,root) /usr/share/shorewall/macro.DropPing
+%attr(0600,root,root) /usr/share/shorewall/macro.DropSMB
+%attr(0600,root,root) /usr/share/shorewall/macro.RejectSMB
+%attr(0600,root,root) /usr/share/shorewall/macro.DropUPnP
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdAuth
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdDNS
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdFTP
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdIMAP
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdNNTP
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdPCA
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdPing
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdPOP3
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdRdate
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdSMTP
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdSNMP
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdSSH
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdTelnet
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdVNC
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdVNCL
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdWeb
+%attr(0600,root,root) /usr/share/shorewall/macro.RejectAuth
+%attr(0600,root,root) /usr/share/shorewall/macro.template
 %attr(0600,root,root) /usr/share/shorewall/rfc1918
-%attr(0600,root,root) /usr/share/shorewall/bogons
 %attr(0600,root,root) /usr/share/shorewall/configpath
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
 %changelog
+* Mon Jul 25 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.5.0-1
+- Add macros and convert most actions to macros
 * Thu Jun 02 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.4.0-1
 * Sun May 30 2005 Tom Eastep tom@shorewall.net
diff --git a/Shorewall/start b/Shorewall/start
index 10f1655ad..8598d535a 100644
--- a/Shorewall/start
+++ b/Shorewall/start
@@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.4 -- /etc/shorewall/start
+# Shorewall 2.6 -- /etc/shorewall/start
 #
 # Add commands below that you want to be executed after shorewall has
 # been started or restarted.
diff --git a/Shorewall/started b/Shorewall/started
index 88dfe5d72..cb136c81c 100644
--- a/Shorewall/started
+++ b/Shorewall/started
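Review bot: The %files list in this hunk does not include /etc/shorewall/Makefile, yet the control script earlier in this commit now runs `make -qf /etc/shorewall/Makefile` on every `-f` start; unless the file is listed in the part of %files above this hunk, the rpm will ship a script whose fast-start check always errors out and falls back to a full start — safe, but it silently defeats the feature — so add `%attr(0600,root,root) %config(noreplace) /etc/shorewall/Makefile` next to the other /etc/shorewall entries. The package version also disagrees with the rest of the commit: this spec, its changelog entry and uninstall.sh below say 2.5.0, while every file header touched in this commit says 2.6.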
@@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.4 -- /etc/shorewall/started
+# Shorewall 2.6 -- /etc/shorewall/started
 #
 # Add commands below that you want to be executed after shorewall has
 # been completely started or restarted. The difference between this
diff --git a/Shorewall/stop b/Shorewall/stop
index b12ea8d9b..7ebe2cf2d 100644
--- a/Shorewall/stop
+++ b/Shorewall/stop
@@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.4 -- /etc/shorewall/stop
+# Shorewall 2.6 -- /etc/shorewall/stop
 #
 # Add commands below that you want to be executed at the beginning of a
 # "shorewall stop" command.
diff --git a/Shorewall/stopped b/Shorewall/stopped
index 997f46755..3af813268 100644
--- a/Shorewall/stopped
+++ b/Shorewall/stopped
@@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.4 -- /etc/shorewall/stopped
+# Shorewall 2.6 -- /etc/shorewall/stopped
 #
 # Add commands below that you want to be executed at the completion of a
 # "shorewall stop" command.
diff --git a/Shorewall/tcrules b/Shorewall/tcrules
index 69f8f2222..34c27774b 100755
--- a/Shorewall/tcrules
+++ b/Shorewall/tcrules
@@ -1,5 +1,5 @@
 #
-# Shorewall version 2.4 - Traffic Control Rules File
+# Shorewall version 2.6 - Traffic Control Rules File
 #
 # /etc/shorewall/tcrules
 #
diff --git a/Shorewall/tos b/Shorewall/tos
index 2b37ddd57..147bfc0a7 100755
--- a/Shorewall/tos
+++ b/Shorewall/tos
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.4 -- /etc/shorewall/tos
+# Shorewall 2.6 -- /etc/shorewall/tos
 #
 # This file defines rules for setting Type Of Service (TOS)
 #
diff --git a/Shorewall/tunnel b/Shorewall/tunnel
index 1f5527b5d..2580b88b3 100755
--- a/Shorewall/tunnel
+++ b/Shorewall/tunnel
@@ -2,7 +2,7 @@ RCDLINKS="2,S45 3,S45 6,K45"
 ################################################################################
-# Script to create a gre or ipip tunnel -- Shorewall 2.4
+# Script to create a gre or ipip tunnel -- Shorewall 2.6
 #
 # Modified - Steve Cowles 5/9/2000
 # Incorporated init {start|stop} syntax and iproute2 usage
diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh
index ec5a366c1..db7c94bee 100755
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -24,9 +24,9 @@
 # Usage:
 #
 # You may only use this script to uninstall the version
-# shown below. Simply run this script to remove Shoreline Firewall
+# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=2.4.0
+VERSION=2.5.0
 usage() # $1 = exit status
 {
diff --git a/Shorewall/zones b/Shorewall/zones
index d0fe7705e..f8c0ef503 100644
--- a/Shorewall/zones
+++ b/Shorewall/zones
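Review bot: `VERSION=2.5.0` in the uninstall.sh hunk disagrees with the `2.6` this same commit stamps into the headers of start, stop, tcrules, tos and zones, while the spec changelog on this page records `Updated to 2.5.0-1`, so the tree now carries two different version strings. The comment directly above says the script may only uninstall the version shown below, so whatever check enforces that (it lies outside this hunk) will be keyed to 2.5.0 while the installed files identify themselves as 2.6; settle on one value and use it everywhere. The reworded comment `remove Shorewall Firewall` is also redundant, since Shorewall is the short form of Shoreline Firewall; keeping `remove Shoreline Firewall` reads better. The `usage()` function opens at the end of the hunk and continues outside it.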
@@ -1,13 +1,55 @@
 #
-# Shorewall 2.4 /etc/shorewall/zones
+# Shorewall 2.6 /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
 #
-# ZONE Short name of the zone (5 Characters or less in length).
-# The names "all" and "none" are reserved and may not be
-# used as zone names.
-# DISPLAY Display name of the zone
-# COMMENTS Comments about the zone
+# ZONE Short name of the zone (5 Characters or less in length).
+# The names "all" and "none" are reserved and may not be
+# used as zone names.
+#
+# IPSEC Yes -- Communication with all zone hosts is encrypted
+# ONLY Your kernel and iptables must include policy
+# match support.
+# No -- Communication with some zone hosts may be encrypted.
+# Encrypted hosts are designated using the 'ipsec'
+# option in /etc/shorewall/hosts.
+#
+# OPTIONS, A comma-separated list of options as follows:
+# IN OPTIONS,
+# OUT OPTIONS reqid= where is specified
+# using setkey(8) using the 'unique:
+# option for the SPD level.
+#
+# spi= where is the SPI of
+# the SA used to encrypt/decrypt packets.
+#
+# proto=ah|esp|ipcomp
+#
+# mss= (sets the MSS field in TCP packets)
+#
+# mode=transport|tunnel
+#
+# tunnel-src=
[/] (only
+# available with mode=tunnel)
+#
+# tunnel-dst=
[/] (only
+# available with mode=tunnel)
+#
+# strict Means that packets must match all rules.
+#
+# next Separates rules; can only be used with
+# strict..
+#
+# Example:
+# mode=transport,reqid=44
+#
+# The options in the OPTIONS column are applied to both incoming
+# and outgoing traffic. The IN OPTIONS are applied to incoming
+# traffic (in addition to OPTIONS) and the OUT OPTIONS are
+# applied to outgoing traffic.
+#
+# If you wish to leave a column empty but need to make an entry
+# in a following column, use "-".
 #
 # THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
 # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
@@ -18,10 +60,11 @@
 #
 # You have a three interface firewall with internet, local and DMZ interfaces.
 #
-# #ZONE DISPLAY COMMENTS
-# net Internet The big bad Internet
-# loc Local Local Network
-# dmz DMZ Demilitarized zone.
+# #ZONE IPSEC OPTIONS IN OUT
+# net
+# loc
+# dmz
 #
-#ZONE DISPLAY COMMENTS
+#ZONE IPSEC OPTIONS IN OUT
+# ONLY OPTIONS OPTIONS
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
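Review bot: The new header explains `-` as the way to leave a column empty but never says what an empty or `-` IPSEC column means for a zone, and since that column decides whether traffic to and from the zone's hosts is required to arrive under an IPsec policy, the default should be stated explicitly, presumably `No`; a line such as `# Default is No if the column is empty or "-".` under the IPSEC description would close that gap. In the option list, `reqid=`, `spi=`, `mss=`, `tunnel-src=` and `tunnel-dst=` show nothing after the `=` as rendered here; that may be a rendering artifact if the file uses angle-bracketed placeholders, but confirm the committed text actually names what each option takes, e.g. `reqid=<number>`. The `next` entry ends in `strict..` with a doubled period. This hunk is comment text only; the column description it starts is completed by the second hunk.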
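Review bot: The example and the trailing column header replace `DISPLAY` and `COMMENTS` with `IPSEC`, `OPTIONS`, `IN OPTIONS` and `OUT OPTIONS`, but nothing in the file warns an upgrader that an existing entry such as `net Internet The big bad Internet` will, if the columns are read positionally as the `-` placeholder rule above implies, put `Internet` into the IPSEC column of the new layout. A header line like `# NOTE: the DISPLAY and COMMENTS columns of earlier releases are gone; convert existing entries before upgrading.` would make that explicit. The example rows `net`, `loc` and `dmz` carry no values, which is valid but shows none of the new columns; one illustrative row using the file's own example options, such as `# loc Yes mode=transport,reqid=44`, would make the column positions unambiguous.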