From b66929a65e48cdafa62fcc81dc64fdb4af58bab7 Mon Sep 17 00:00:00 2001 
From: teastep
Date: Mon, 25 Jul 2005 23:08:09 +0000
Subject: [PATCH] Large merge of function from EXPERIMENTAL to HEAD.

1) Elimination of the "shorewall monitor" command.

2) The /etc/shorewall/ipsec and /etc/shorewall/zones files are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files.

3) Support has been added for the arp_ignore interface option.

4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified.

5) The 'nobogons' option and BOGON_LOG_LEVEL are removed.

6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:).

7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target.

8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall ensures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewalls with NFS-mounted file systems, LDAP servers, Crossbow, etc.

9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch.

10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No.

11) If 'make' is installed on your firewall, then when the '-f' option to 'shorewall start' is used (as happens when you reboot) and /etc/shorewall/ contains files that were modified after Shorewall was last restarted, Shorewall is started from the config files rather than from the saved configuration.
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/INSTALL | 2 +- Shorewall/Makefile | 16 + Shorewall/README.txt | 6 +- Shorewall/accounting | 2 +- Shorewall/action.AllowAmanda | 13 - Shorewall/action.AllowIMAP | 11 - Shorewall/action.AllowLDAP | 12 - Shorewall/action.AllowNNTP | 11 - Shorewall/action.AllowPostgreSQL | 10 - Shorewall/action.AllowRdate | 10 - Shorewall/action.AllowRsync | 10 - Shorewall/action.AllowSMB | 14 - Shorewall/action.AllowSNMP | 11 - Shorewall/action.AllowSVN | 10 - Shorewall/action.AllowTrcrt | 11 - Shorewall/action.AllowVNC | 10 - Shorewall/action.AllowVNCL | 10 - Shorewall/action.AllowWeb | 11 - Shorewall/action.Drop | 8 +- Shorewall/action.DropGnutella | 11 - Shorewall/action.DropPing | 10 - Shorewall/action.DropSMB | 15 - Shorewall/action.Reject | 6 +- Shorewall/action.RejectAuth | 10 - Shorewall/action.RejectSMB | 15 - Shorewall/action.template | 2 +- Shorewall/actions | 2 +- Shorewall/actions.std | 51 +- Shorewall/blacklist | 2 +- Shorewall/changelog.txt | 53 +- Shorewall/configpath | 2 +- Shorewall/continue | 2 +- Shorewall/ecn | 2 +- Shorewall/fallback.sh | 2 +- Shorewall/firewall | 1295 +++++++++++------ Shorewall/functions | 87 +- Shorewall/help | 13 +- Shorewall/hosts | 2 +- Shorewall/init | 2 +- Shorewall/initdone | 2 +- Shorewall/install.sh | 29 +- Shorewall/interfaces | 35 +- Shorewall/ipsec | 60 +- Shorewall/maclist | 2 +- .../{action.AllowICMPs => macro.AllowICMPs} | 2 +- .../{action.AllowBitTorrent => macro.Amanda} | 6 +- .../{action.AllowGnutella => macro.Auth} | 7 +- Shorewall/macro.BitTorrent | 10 + Shorewall/{action.DropSMTP => macro.CVS} | 6 +- Shorewall/{action.AllowPCA => macro.DNS} | 8 +- .../{action.DropDNSrep => macro.DropDNSrep} | 4 +- Shorewall/{action.DropUPnP => macro.DropUPnP} | 4 +- .../{action.AllowEdonkey => macro.Edonkey} | 8 +- Shorewall/{action.AllowSPAMD => macro.FTP} | 6 +- Shorewall/{action.AllowSSH => macro.Gnutella} | 7 
+- Shorewall/{action.AllowICQ => macro.ICQ} | 6 +- Shorewall/macro.IMAP | 11 + Shorewall/{action.AllowDistcc => macro.LDAP} | 8 +- Shorewall/macro.NNTP | 11 + Shorewall/{action.AllowNTP => macro.NTP} | 8 +- Shorewall/{action.AllowPing => macro.PCA} | 7 +- Shorewall/{action.AllowPOP3 => macro.POP3} | 8 +- Shorewall/macro.Ping | 10 + .../{action.AllowMySQL => macro.PostgreSQL} | 6 +- Shorewall/macro.Rdate | 10 + Shorewall/{action.AllowSyslog => macro.Rsync} | 6 +- Shorewall/macro.SMB | 14 + .../{action.AllowSMBswat => macro.SMBswat} | 6 +- Shorewall/{action.AllowSMTP => macro.SMTP} | 10 +- Shorewall/macro.SNMP | 11 + Shorewall/macro.SPAMD | 10 + Shorewall/macro.SSH | 10 + Shorewall/macro.SVN | 10 + .../{action.DropEdonkey => macro.Syslog} | 7 +- .../{action.AllowTelnet => macro.Telnet} | 6 +- Shorewall/{action.AllowFTP => macro.Trcrt} | 8 +- Shorewall/{action.AllowDNS => macro.VNC} | 7 +- Shorewall/macro.VNCL | 10 + Shorewall/macro.Web | 11 + Shorewall/macro.template | 69 + Shorewall/masq | 2 +- Shorewall/modules | 2 +- Shorewall/nat | 2 +- Shorewall/netmap | 2 +- Shorewall/params | 2 +- Shorewall/policy | 9 +- Shorewall/providers | 2 +- Shorewall/proxyarp | 2 +- Shorewall/releasenotes.txt | 548 +++---- Shorewall/rfc1918 | 2 +- Shorewall/routes | 94 -- Shorewall/routestopped | 9 +- Shorewall/rules | 2 +- Shorewall/shorewall | 293 +--- Shorewall/shorewall.conf | 84 +- Shorewall/shorewall.spec | 76 +- Shorewall/start | 2 +- Shorewall/started | 2 +- Shorewall/stop | 2 +- Shorewall/stopped | 2 +- Shorewall/tcrules | 2 +- Shorewall/tos | 2 +- Shorewall/tunnel | 2 +- Shorewall/uninstall.sh | 4 +- Shorewall/zones | 65 +- 105 files changed, 1639 insertions(+), 1823 deletions(-) create mode 100644 Shorewall/Makefile delete mode 100644 Shorewall/action.AllowAmanda delete mode 100644 Shorewall/action.AllowIMAP delete mode 100644 Shorewall/action.AllowLDAP delete mode 100644 Shorewall/action.AllowNNTP delete mode 100644 Shorewall/action.AllowPostgreSQL delete mode 100644 
Shorewall/action.AllowRdate delete mode 100644 Shorewall/action.AllowRsync delete mode 100644 Shorewall/action.AllowSMB delete mode 100644 Shorewall/action.AllowSNMP delete mode 100644 Shorewall/action.AllowSVN delete mode 100644 Shorewall/action.AllowTrcrt delete mode 100644 Shorewall/action.AllowVNC delete mode 100644 Shorewall/action.AllowVNCL delete mode 100644 Shorewall/action.AllowWeb delete mode 100644 Shorewall/action.DropGnutella delete mode 100644 Shorewall/action.DropPing delete mode 100644 Shorewall/action.DropSMB delete mode 100644 Shorewall/action.RejectAuth delete mode 100644 Shorewall/action.RejectSMB rename Shorewall/{action.AllowICMPs => macro.AllowICMPs} (85%) rename Shorewall/{action.AllowBitTorrent => macro.Amanda} (65%) rename Shorewall/{action.AllowGnutella => macro.Auth} (70%) create mode 100644 Shorewall/macro.BitTorrent rename Shorewall/{action.DropSMTP => macro.CVS} (67%) rename Shorewall/{action.AllowPCA => macro.DNS} (66%) rename Shorewall/{action.DropDNSrep => macro.DropDNSrep} (76%) rename Shorewall/{action.DropUPnP => macro.DropUPnP} (74%) rename Shorewall/{action.AllowEdonkey => macro.Edonkey} (89%) rename Shorewall/{action.AllowSPAMD => macro.FTP} (69%) rename Shorewall/{action.AllowSSH => macro.Gnutella} (69%) rename Shorewall/{action.AllowICQ => macro.ICQ} (69%) create mode 100644 Shorewall/macro.IMAP rename Shorewall/{action.AllowDistcc => macro.LDAP} (58%) create mode 100644 Shorewall/macro.NNTP rename Shorewall/{action.AllowNTP => macro.NTP} (64%) rename Shorewall/{action.AllowPing => macro.PCA} (67%) rename Shorewall/{action.AllowPOP3 => macro.POP3} (61%) create mode 100644 Shorewall/macro.Ping rename Shorewall/{action.AllowMySQL => macro.PostgreSQL} (66%) create mode 100644 Shorewall/macro.Rdate rename Shorewall/{action.AllowSyslog => macro.Rsync} (67%) create mode 100644 Shorewall/macro.SMB rename Shorewall/{action.AllowSMBswat => macro.SMBswat} (64%) rename Shorewall/{action.AllowSMTP => macro.SMTP} (65%) create mode 
100644 Shorewall/macro.SNMP create mode 100644 Shorewall/macro.SPAMD create mode 100644 Shorewall/macro.SSH create mode 100644 Shorewall/macro.SVN rename Shorewall/{action.DropEdonkey => macro.Syslog} (68%) rename Shorewall/{action.AllowTelnet => macro.Telnet} (68%) rename Shorewall/{action.AllowFTP => macro.Trcrt} (57%) rename Shorewall/{action.AllowDNS => macro.VNC} (64%) create mode 100644 Shorewall/macro.VNCL create mode 100644 Shorewall/macro.Web create mode 100644 Shorewall/macro.template delete mode 100755 Shorewall/routes diff --git a/Shorewall/INSTALL b/Shorewall/INSTALL index 9be61b23c..be049bb5d 100644 --- a/Shorewall/INSTALL +++ b/Shorewall/INSTALL @@ -1,4 +1,4 @@ -Shoreline Firewall (Shorewall) Version 2.4 +Shoreline Firewall (Shorewall) Version 2.6 ----- ---- ----------------------------------------------------------------------------- diff --git a/Shorewall/Makefile b/Shorewall/Makefile new file mode 100644 index 000000000..f5d7afed3 --- /dev/null +++ b/Shorewall/Makefile @@ -0,0 +1,16 @@ +# Shorewall Makefile to restart if config-files are newer than last restart +VARDIR=/var/lib/shorewall +CONFDIR=/etc/shorewall +all: $(VARDIR)/restarted + +$(VARDIR)/restarted: $(CONFDIR)/* + @/sbin/shorewall -q save >/dev/null; \ + if \ + /sbin/shorewall -q restart >/dev/null 2>&1; \ + then \ + /sbin/shorewall -q save >/dev/null; \ + else \ + /sbin/shorewall -q restart 2>&1 | tail >&2; \ + fi + +# EOF diff --git a/Shorewall/README.txt b/Shorewall/README.txt index 416095199..38f37f645 100644 --- a/Shorewall/README.txt +++ b/Shorewall/README.txt @@ -1 +1,5 @@ -This is the Shorewall development branch of CVS. +This is the Shorewall EXPERIMENTAL branch of CVS. + +The Shorewall EXPERIMENTAL branch is NOT SUPPORTED in any way. +YOU MIGHT BREAK YOUR FIREWALL BY USING THIS CODE!! If so, don't +come complaining to us! diff --git a/Shorewall/accounting b/Shorewall/accounting index 849cb043b..f46c8344d 100755 --- a/Shorewall/accounting +++ b/Shorewall/accounting 
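Review bot: The recipe runs `/sbin/shorewall -q save` unconditionally before the restart, and if the restart then fails nothing puts that snapshot back: the `else` branch only re-runs `restart` to capture its output, so the failing start is attempted twice and the firewall is left in whatever state the failed restart leaves it (presumably stopped). If safe-restart semantics are intended, the failure branch should report the error and then run `/sbin/shorewall -q restore >/dev/null 2>&1` (if `restore` is available in this release), and the recipe should end with `exit 1` so that make, and the `start -f` path the commit message says drives it, sees the failure rather than a successful build. When make is invoked from `start -f` at boot, the ruleset that `save` snapshots is whatever is loaded at that moment rather than the last known-good configuration, so confirm that `save` refuses to run while the firewall is not started. Finally `$(CONFDIR)/*` also matches editor backup files and anything else dropped into /etc/shorewall, so any stray file there triggers a restart.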
@@ -1,5 +1,5 @@ # -# Shorewall version 2.4 - Accounting File +# Shorewall version 2.6 - Accounting File # # /etc/shorewall/accounting # diff --git a/Shorewall/action.AllowAmanda b/Shorewall/action.AllowAmanda deleted file mode 100644 index 0abd8ee21..000000000 --- a/Shorewall/action.AllowAmanda +++ /dev/null @@ -1,13 +0,0 @@ -# -# Shorewall action.AllowAmanda -# -# This action accepts connections to the AMANDA backup system. -# -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -ACCEPT - - udp 10080 -# Not sure why this is necessary - using ip_conntrack_amanda along with -# the above should be sufficient. -#ACCEPT - - tcp 50000:50100 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowIMAP b/Shorewall/action.AllowIMAP deleted file mode 100644 index 1bb9bed72..000000000 --- a/Shorewall/action.AllowIMAP +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.AllowIMAP -# -# This action accepts IMAP traffic (secure and insecure): -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 143 #Unsecure IMAP -ACCEPT - - tcp 993 #Secure IMAP -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowLDAP b/Shorewall/action.AllowLDAP deleted file mode 100644 index 2fc07a6a6..000000000 --- a/Shorewall/action.AllowLDAP +++ /dev/null @@ -1,12 +0,0 @@ -# -# Shorewall action.AllowLDAP -# -# This action accepts LDAP traffic. -# -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -ACCEPT - - tcp 389 -# This is LDAPS - should it be included? -#ACCEPT - - tcp 636 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
diff --git a/Shorewall/action.AllowNNTP b/Shorewall/action.AllowNNTP deleted file mode 100644 index 92246ce51..000000000 --- a/Shorewall/action.AllowNNTP +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.AllowNNTP -# -# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS) -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 119 -ACCEPT - - tcp 563 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowPostgreSQL b/Shorewall/action.AllowPostgreSQL deleted file mode 100644 index d5b5641e0..000000000 --- a/Shorewall/action.AllowPostgreSQL +++ /dev/null @@ -1,10 +0,0 @@ -# -# Shorewall action.AllowPostgreSQL -# -# This action accepts connections to the PostgreSQL server. -# -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -ACCEPT - - tcp 5432 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowRdate b/Shorewall/action.AllowRdate deleted file mode 100644 index 14e961d22..000000000 --- a/Shorewall/action.AllowRdate +++ /dev/null @@ -1,10 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.AllowRdate -# -# This action accepts remote time retrieval (rdate). -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 37 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowRsync b/Shorewall/action.AllowRsync deleted file mode 100644 index 1e421c4ab..000000000 --- a/Shorewall/action.AllowRsync +++ /dev/null 
@@ -1,10 +0,0 @@ -# -# Shorewall action.AllowRsync -# -# This action accepts connections to the rsync server. -# -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -ACCEPT - - tcp 873 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowSMB b/Shorewall/action.AllowSMB deleted file mode 100644 index b8d55add0..000000000 --- a/Shorewall/action.AllowSMB +++ /dev/null @@ -1,14 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.AllowSMB -# -# Allow Microsoft SMB traffic. You need to invoke this action in -# both directions. -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - udp 135,445 -ACCEPT - - udp 137:139 -ACCEPT - - udp 1024: 137 -ACCEPT - - tcp 135,139,445 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowSNMP b/Shorewall/action.AllowSNMP deleted file mode 100644 index 69258bc4b..000000000 --- a/Shorewall/action.AllowSNMP +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.AllowSNMP -# -# This action accepts SNMP traffic (including traps): -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - udp 161:162 -ACCEPT - - tcp 161 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowSVN b/Shorewall/action.AllowSVN deleted file mode 100644 index 3b075dc07..000000000 --- a/Shorewall/action.AllowSVN +++ /dev/null 
@@ -1,10 +0,0 @@ -# -# Shorewall action.AllowSVN -# -# This action accepts connections to the Subversion server. -# -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -ACCEPT - - tcp 3690 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowTrcrt b/Shorewall/action.AllowTrcrt deleted file mode 100644 index 3c6dd46df..000000000 --- a/Shorewall/action.AllowTrcrt +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.AllowTrcrt -# -# This action accepts Traceroute (for up to 30 hops): -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - udp 33434:33524 #UDP Traceroute -ACCEPT - - icmp 8 #ICMP Traceroute -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowVNC b/Shorewall/action.AllowVNC deleted file mode 100644 index 44724991c..000000000 --- a/Shorewall/action.AllowVNC +++ /dev/null @@ -1,10 +0,0 @@ -# -# Shorewall 2.4 /usr/share/shorewall/action.AllowVNC -# -# This action accepts VNC traffic for VNC display's 0 - 9. -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 5900:5909 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowVNCL b/Shorewall/action.AllowVNCL deleted file mode 100644 index 33b2d258e..000000000 --- a/Shorewall/action.AllowVNCL +++ /dev/null 
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.4 /usr/share/shorewall/action.AllowVNCL
-#
-# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 5500
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/action.AllowWeb b/Shorewall/action.AllowWeb
deleted file mode 100644
index a8c2693d7..000000000
--- a/Shorewall/action.AllowWeb
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.4 /usr/share/shorewall/action.AllowWeb
-#
-# This action accepts WWW traffic (secure and insecure):
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 80
-ACCEPT - - tcp 443
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/action.Drop b/Shorewall/action.Drop
index 4a6acab08..52f8c4c73 100644
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.4 /usr/share/shorewall/action.Drop
+# Shorewall 2.6 /usr/share/shorewall/action.Drop
 #
 # The default DROP common rules
 #
@@ -15,11 +15,11 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
 ######################################################################################
-#TARGET SOURCE DEST PROTO
+#TARGET SOURCE DEST PROTO DPORT SPORT
 #
 # Reject 'auth'
 #
-RejectAuth
+Auth/REJECT
 #
 # Don't log broadcasts
 #
@@ -36,7 +36,7 @@ dropInvalid
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-DropSMB
+SMB/DROP
 DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
diff --git a/Shorewall/action.DropGnutella b/Shorewall/action.DropGnutella
deleted file mode 100644
index aeec861cd..000000000
--- a/Shorewall/action.DropGnutella
+++ /dev/null
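Review bot: `SMB/DROP` now drops whatever port set macro.SMB defines, and that macro is not in this hunk; the deleted action.DropSMB dropped exactly udp 135, 137:139, 445 and tcp 135, 139, 445, whereas the deleted action.AllowSMB (from which macro.SMB is presumably derived, given the identical 14-line size in the diffstat) also matched udp with destination `1024:` and source port 137. If the macro carries that rule, the DROP common action now silently discards unsolicited UDP from source port 137 to any high port without logging, a wider silent-drop set than before. Please confirm the macro's rule list against the old DropSMB and record the dependency in the comment, e.g. `# Drop Microsoft noise (the port list lives in macro.SMB) so that it doesn't clutter up the log.`. The same substitution is made in action.Reject and has the same question.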
@@ -1,11 +0,0 @@
-#
-# Shorewall action.DropGnutella
-#
-# This action silently drops Gnutella traffic.
-#
-################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE
-# PORT PORT(S) LIMIT
-DROP - - tcp 6346
-DROP - - udp 6346
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/action.DropPing b/Shorewall/action.DropPing
deleted file mode 100644
index 5efb6872b..000000000
--- a/Shorewall/action.DropPing
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.4 /usr/share/shorewall/action.DropPing
-#
-# This action silently drops 'ping' requests.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-DROP - - icmp 8
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/action.DropSMB b/Shorewall/action.DropSMB
deleted file mode 100644
index 336e77602..000000000
--- a/Shorewall/action.DropSMB
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Shorewall 2.4 /usr/share/shorewall/action.DropSMB
-#
-# This action silently drops Microsoft SMB traffic
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-DROP - - udp 135
-DROP - - udp 137:139
-DROP - - udp 445
-DROP - - tcp 135
-DROP - - tcp 139
-DROP - - tcp 445
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/action.Reject b/Shorewall/action.Reject
index d12fb66a9..2efe39266 100644
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.4 /usr/share/shorewall/action.Reject
+# Shorewall 2.6 /usr/share/shorewall/action.Reject
 #
 # The default REJECT action common rules
 #
@@ -16,7 +16,7 @@
 #
 # Don't log 'auth' REJECT
 #
-RejectAuth
+Auth/REJECT
 #
 # Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
 #
@@ -33,7 +33,7 @@ dropInvalid
 #
 # Drop Microsoft noise so that it doesn't clutter up the lot.
 #
-RejectSMB
+SMB/REJECT
 DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
diff --git a/Shorewall/action.RejectAuth b/Shorewall/action.RejectAuth
deleted file mode 100644
index 802e71ab7..000000000
--- a/Shorewall/action.RejectAuth
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.4 /usr/share/shorewall/action.RejectAuth
-#
-# This action silently rejects Auth (tcp 113) traffic
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-REJECT - - tcp 113
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/action.RejectSMB b/Shorewall/action.RejectSMB
deleted file mode 100644
index 719b5e3e8..000000000
--- a/Shorewall/action.RejectSMB
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Shorewall 2.4 /usr/share/shorewall/action.RejectSMB
-#
-# This action silently rejects Microsoft SMB traffic
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-REJECT - - udp 135
-REJECT - - udp 137:139
-REJECT - - udp 445
-REJECT - - tcp 135
-REJECT - - tcp 139
-REJECT - - tcp 445
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/action.template b/Shorewall/action.template
index f2c7ef97a..3c06098c9 100644
--- a/Shorewall/action.template
+++ b/Shorewall/action.template
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.4 /etc/shorewall/action.template
+# Shorewall 2.6 /etc/shorewall/action.template
 #
 # This file is a template for files with names of the form
 # /etc/shorewall/action. where is an
diff --git a/Shorewall/actions b/Shorewall/actions index 41becaac4..5cb360fd1 100644 --- a/Shorewall/actions +++ b/Shorewall/actions @@ -1,5 +1,5 @@ # -# Shorewall 2.4 /etc/shorewall/actions +# Shorewall 2.6 /etc/shorewall/actions # # This file allows you to define new ACTIONS for use in rules # (/etc/shorewall/rules). You define the iptables rules to diff --git a/Shorewall/actions.std b/Shorewall/actions.std index c5b5d9480..d6e704cbf 100644 --- a/Shorewall/actions.std +++ b/Shorewall/actions.std @@ -1,5 +1,5 @@ # -# Shorewall 2.4 /usr/share/shorewall/actions.std +# Shorewall 2.6 /usr/share/shorewall/actions.std # # Please see http://shorewall.net/Actions.html for additional # information. 
@@ -21,54 +21,7 @@ # #ACTION -DropSMB #Silently Drops Microsoft SMB Traffic -RejectSMB #Silently Reject Microsoft SMB Traffic -DropUPnP #Silently Drop UPnP Probes -RejectAuth #Silently Reject Auth -DropPing #Silently Drop Ping -DropDNSrep #Silently Drop DNS Replies -DropEdonkey # silently drop edonkey traffic -DropGnutella # silently drop gnutella traffic - -AllowPing #Accept Ping -AllowFTP #Accept FTP -AllowDNS #Accept DNS -AllowSSH #Accept SSH -AllowWeb #Allow Web Browsing -AllowSMB #Allow MS Networking -AllowAuth #Allow Auth (identd) -AllowSMTP #Allow SMTP (Email) -AllowPOP3 #Allow reading mail via POP3 -AllowICMPs #Allows critical ICMP types -AllowIMAP #Allow reading mail via IMAP -AllowTelnet #Allow Telnet Access (not recommended for use over the Internet) -AllowVNC #Allow VNC viewer->server, Displays 0-9 -AllowVNCL #Allow VNC server->viewer in listening mode -AllowNTP #Allow Network Time Protocol (ntpd) -AllowRdate #Allow remote time (rdate). -AllowNNTP #Allow network news (Usenet). -AllowTrcrt #Allows Traceroute (20 hops) -AllowSNMP #Allows SNMP (including traps) -AllowPCA #Allows PCAnywhere (tm) - -# Added in Debian Packaging -AllowSPAMD #Allows SpamAssassin daemon -AllowSyslog #Allows syslog udp traffic -AllowAmanda # Allow connections required by the Amanda backup system -AllowLDAP # accepts LDAP traffic -AllowICQ # Accepts ICQ traffic -AllowBitTorrent # Accepts BitTorrent traffic -AllowSMBswat # Allows Samba Swat -DropSMTP # silently drops SMTP traffic -AllowCVS # accept cvs pserver traffic -AllowSVN # accept Subversion traffic -AllowMySQL # accept MySQL traffic -AllowPostgreSQL # accept PostgreSQL traffic -AllowRsync # accept rsync traffic -AllowDistcc # accept Distributed Compiler traffic -AllowEdonkey # accept edonkey traffic -AllowGnutella # accept edonkey traffic - Drop:DROP #Common Action for DROP policy Reject:REJECT #Common Action for REJECT policy + #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE 
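Review bot: Removing every AllowXxx/DropXxx/RejectXxx declaration from actions.std means an existing /etc/shorewall/rules (or user action file) that still names `AllowSSH`, `AllowWeb`, `DropPing` and so on no longer resolves to a known action, and the replacement macros use different names (`SSH`, `Web`, `Ping`); the commit message promises upward compatibility only for the zones/ipsec merge. On a firewall brought up with `start -f` at boot, an unresolved target presumably ends in `startup_error` and a stopped firewall rather than the previous ruleset, which is the worst failure mode for an unattended upgrade. Either keep compatibility entries for the old names that invoke the corresponding macros, or make `shorewall check` fail with an explicit message such as `ERROR: Action AllowSSH has been replaced by the SSH macro; see releasenotes.txt`. Also `AllowAuth` and `AllowCVS` disappear from this list but no action.AllowAuth or action.AllowCVS file is deleted in the diffstat, so check whether those files exist outside this diff.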
diff --git a/Shorewall/blacklist b/Shorewall/blacklist index 1b587e45b..d3b21f8e7 100755 --- a/Shorewall/blacklist +++ b/Shorewall/blacklist @@ -1,5 +1,5 @@ # -# Shorewall 2.4 -- Blacklist File +# Shorewall 2.6 -- Blacklist File # # /etc/shorewall/blacklist # diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index b142d9deb..87e0de0f5 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt 
@@ -1,50 +1,29 @@ -Changes in 2.4.0-Final +Changes in 2.5.1ex -1) Add the ability to specify a weight in the balance option. +1) Clean up handling of zones -2) Remove "ipp2p" support in the rules file. +2) Make the removal of the ipsec file upward compatible. -3) Fix duplicate routing table listings from "shorewall status" +3) Improve CONTINUE policy handling. -Changes in 2.4.0-RC2 +4) Implement arp_ignore support. -1) Relax "detect" restriction. +Changes in 2.5.0ex -2) Fix detection via 'nexthop' so it will work with BusyBox +1) Make warning and error messages easier to find by using + capitalization. -3) Merge Tuomo Soini's fix for "shorewall add" +2) Remove /etc/shorewall/ipsec and merge it's function with + /etc/shorewall/zones. -Changes in 2.4.0-RC1 +3) Apply small fix to the above patch. -1) Fix output from firewall itself vis-a-vis multiple providers. +4) Remove dynamic zone support. -2) Merge and tweak Lorenzo Martignoni's 'safe-restart' patch. +5) Add "established policy" support. -Changes in 2.3.2 - -1) Add support for -j ROUTE - -2) Add TEST column to /etc/shorewall/routes - -3) Add support for different providers. - -4) Merge patch from Juan Jesús Prieto. - -5) Implement 'loose' routestopped option. - -6) Change 'loose' to 'source' and 'dest' - -7) Fix routing of connections from the firewall with multiple ISPs. - -Changes in 2.3.1 - -1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in - Shorewall configuration directories. - -Changes in 2.3.0 - -1) Implement support for --cmd-owner - -2) Implement support for ipsets. +6) Add CRITICALHOSTS support. +7) Remove 'bogon' stuff. +8) Implement Macros. diff --git a/Shorewall/configpath b/Shorewall/configpath index c31607581..8e4a04088 100644 --- a/Shorewall/configpath +++ b/Shorewall/configpath @@ -1,5 +1,5 @@ # -# Shorewall version 2.4 - Default Config Path +# Shorewall version 2.6 - Default Config Path # # /usr/share/shorewall/configpath # 
diff --git a/Shorewall/continue b/Shorewall/continue index e65e2c901..914293e2c 100644 --- a/Shorewall/continue +++ b/Shorewall/continue @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.4 -- /etc/shorewall/continue +# Shorewall 2.6 -- /etc/shorewall/continue # # Add commands below that you want to be executed after shorewall has # cleared any existing Netfilter rules and has enabled existing connections. diff --git a/Shorewall/ecn b/Shorewall/ecn index f3b43d7ad..dad842aa1 100644 --- a/Shorewall/ecn +++ b/Shorewall/ecn @@ -1,5 +1,5 @@ # -# Shorewall 2.4 - /etc/shorewall/ecn +# Shorewall 2.6 - /etc/shorewall/ecn # # Use this file to list the destinations for which you want to # disable ECN. diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh index 438ff4608..d463c56d6 100755 --- a/Shorewall/fallback.sh +++ b/Shorewall/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=2.4.0 +VERSION=2.5.0 usage() # $1 = exit status { diff --git a/Shorewall/firewall b/Shorewall/firewall index fd7805f76..4d5b3d55d 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -1,6 +1,6 @@ #!/bin/sh # -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.4 +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.6 # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # @@ -64,7 +64,7 @@ error_message() # $* = Error Message # fatal_error() # $* = Error Message { - echo " Error: $@" >&2 + echo " ERROR: $@" >&2 if [ $COMMAND = check ]; then [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR else @@ -79,7 +79,7 @@ fatal_error() # $* = Error Message # startup_error() # $* = Error Message { - echo " Error: $@" >&2 + echo " ERROR: $@" >&2 my_mutex_off [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE 
@@ -139,12 +139,12 @@ ensure_and_save_command() } # -# Append a file in $STATEDIR to $RESTOREBASE +# Append a file in /var/lib/shorewall to $RESTOREBASE # append_file() # $1 = File Name { - save_command "cat > $STATEDIR/$1 << __EOF__" - cat $STATEDIR/$1 >> $RESTOREBASE + save_command "cat > /var/lib/shorewall/$1 << __EOF__" + cat /var/lib/shorewall/$1 >> $RESTOREBASE save_command __EOF__ } @@ -239,14 +239,13 @@ run_ipset() { # variable exists_${1} and set its value to Yes to indicate that the chain now # exists. # -createchain() # $1 = chain name, $2 = If "yes", create default rules +createchain() # $1 = chain name, $2 = If "yes", create newnotsyn rule { local c=$(chain_base $1) run_iptables -N $1 if [ $2 = yes ]; then - run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT [ -z "$NEWNOTSYN" ] && \ run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn fi @@ -261,7 +260,6 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules if $IPTABLES -N $1; then if [ $2 = yes ]; then - run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT [ -z "$NEWNOTSYN" ] && \ run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn fi 
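Review bot: Dropping the `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule from every chain that `createchain` and `createchain2` build also drops the RELATED half; the new "established policy" the commit message describes covers only ESTABLISHED as far as this diff shows, so ICMP errors and helper-tracked data connections (FTP, Amanda, and the like) that used to be accepted here now fall through to the zone-pair rules and the policy unless something outside this hunk accepts RELATED. Please confirm where RELATED traffic is accepted now and say so in the function comment, e.g. `# ESTABLISHED/RELATED traffic is no longer accepted per chain; see the established-policy handling`. The comment on `createchain2` still reads `$2 = If "yes", create default rules` and should match the updated wording on `createchain`. The callers of both functions are outside the hunk.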
@@ -418,6 +416,53 @@ flushmangle() # $1 = name of chain run_iptables -t mangle -F $1 } +# +# Find the zones +# +find_zones() # $1 = name of the zone file +{ + local zone rest + + while read zone rest; do + expandv zone + + [ ${#zone} -gt 5 ] && startup_error "Zone name longer than 5 characters: $zone" + + case "$zone" in + [0-9*]) + startup_error "Illegal zone name \"$zone\" in zones file" + ;; + $FW|all|none) + startup_error "Reserved zone name \"$zone\" in zones file ignored" + ;; + *) + echo $zone + ;; + esac + done < $1 +} + +# +# This function assumes that the TMP_DIR variable is set and that +# its value named an existing directory. +# +determine_zones() +{ + local zonefile=$(find_file zones) zones= + + strip_file zones $zonefile + + ZONES= + zones=$(find_zones $TMP_DIR/zones) + + for zone in $zones; do + list_search $zone $ZONES && startup_error "Zone $zone is defined more than once" + ZONES="$ZONES $zone" + done + + [ -z "$ZONES" ] && startup_error "ERROR: No Zones Defined" +} + # # Find interfaces to a given zone # @@ -477,6 +522,11 @@ mac_chain() # $1 = interface echo $(chain_base $1)_mac } +macrecent_target() # $1 - interface +{ + [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN +} + # # Functions for creating dynamic zone rules # @@ -502,11 +552,6 @@ dynamic_chains() #$1 = interface echo ${c}_dyni ${c}_dynf ${c}_dyno } -macrecent_target() # $1 - interface -{ - [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN -} - # # DNAT Chain from a zone # @@ -852,17 +897,6 @@ find_hosts() # $1 = host zone done < $TMP_DIR/hosts } -# -# Check for duplicate zone definitions -# -check_duplicate_zones() { - local localzones= - - for zone in $zones; do - list_search $zone $localzones && startup_error "Zone $zone is defined more than once" - localzones="$localzones $zone" - done -} # # Determine the interfaces on the firewall # 
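Review bot: The `[0-9*])` pattern in `find_zones` matches only a zone name that is exactly one character (a digit or `*`), so `1dmz` or `a*` pass the check; since `determine_interfaces` and `determine_hosts` feed each name into `eval ${zone}_interfaces=...`, a name containing shell metacharacters is executed as code, and the check should reject anything that is not `[A-Za-z][A-Za-z0-9_]*` (the 5-character limit is already tested separately). In addition `determine_zones` calls `find_zones` inside `$(...)`, so any `startup_error` raised there runs in a subshell: its cleanup and exit end only the subshell, and the parent continues with the partial zone list and a `$TMP_DIR` that has already been removed. Reading the file in the current shell fixes both; the rewrite below also drops the doubled prefix in `"ERROR: No Zones Defined"` (startup_error already prints `ERROR:`) and the misleading `ignored` in the reserved-name message, which is fatal. `startup_error`'s tail is outside this hunk, so confirm that it does exit; with this rewrite `find_zones` has no remaining caller.
```shell
determine_zones()
{
    local zonefile=$(find_file zones) zone rest

    strip_file zones $zonefile

    ZONES=
    # Read in the current shell so that startup_error ends the run, not a $(...) subshell
    while read zone rest; do
        expandv zone

        [ ${#zone} -gt 5 ] && startup_error "Zone name longer than 5 characters: $zone"

        case "$zone" in
            [0-9]*|*[!A-Za-z0-9_]*)
                startup_error "Illegal zone name \"$zone\" in zones file"
                ;;
            $FW|all|none)
                startup_error "Reserved zone name \"$zone\" in zones file"
                ;;
        esac

        list_search $zone $ZONES && startup_error "Zone $zone is defined more than once"
        ZONES="$ZONES $zone"
    done < $TMP_DIR/zones

    [ -z "$ZONES" ] && startup_error "No Zones Defined"
}
```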
@@ -870,7 +904,7 @@ check_duplicate_zones() { # variable contains a space-separated list of interfaces to the zone # determine_interfaces() { - for zone in $zones; do + for zone in $ZONES; do interfaces=$(find_interfaces $zone) interfaces=$(echo $interfaces) # Remove extra trash eval ${zone}_interfaces=\"\$interfaces\" @@ -893,8 +927,7 @@ interface_has_option() # $1 = interface, #2 = option # Determine the defined hosts in each zone and generate report # determine_hosts() { - - for zone in $zones; do + for zone in $ZONES; do hosts=$(find_hosts $zone) hosts=$(echo $hosts) # Remove extra trash @@ -943,10 +976,9 @@ determine_hosts() { eval ${zone}_hosts="\$hosts" if [ -n "$hosts" ]; then - eval display=\$${zone}_display - display_list "$display Zone:" $hosts + display_list "$zone Zone:" $hosts else - error_message "Warning: Zone $zone is empty" + error_message "WARNING: Zone $zone is empty" fi done } @@ -956,14 +988,14 @@ determine_hosts() { # validate_zone() # $1 = zone { - list_search $1 $zones $FW + list_search $1 $ZONES $FW } # # Ensure that the passed zone is defined in the zones file. # validate_zone1() # $1 = zone { - list_search $1 $zones + list_search $1 $ZONES } # @@ -1010,7 +1042,13 @@ validate_interfaces_file() { case $option in -) ;; - dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-) + dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-) + ;; + arp_ignore=*) + eval ${iface}_arp_ignore=${option#*=} + ;; + arp_ignore) + eval ${iface}_arp_ignore=1 ;; detectnets) [ -n "$wildcard" ] && \ @@ -1020,7 +1058,7 @@ validate_interfaces_file() { [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface" ;; *) - error_message "Warning: Invalid option ($option) in record \"$r\"" + error_message "WARNING: Invalid option ($option) in record \"$r\"" ;; esac done 
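Review bot: The new `arp_ignore=*)` branch feeds the raw option value to `eval ${iface}_arp_ignore=${option#*=}` without validating it, and the value is presumably written to the interface's arp_ignore sysctl later (outside this hunk). The kernel documents only the values 0–8 for arp_ignore, so a check such as `case ${option#*=} in [0-8]) eval ${iface}_arp_ignore=${option#*=} ;; *) startup_error "Invalid arp_ignore value ($option) in record \"$r\"" ;; esac` turns a typo into a clear startup error instead of an eval of arbitrary text followed by a silent sysctl write failure.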
@@ -1157,25 +1195,25 @@ setup_providers() balance) DEFAULT_ROUTE="$DEFAULT_ROUTE nexthop via $gateway dev $interface weight 1" ;; - loose) - loose=Yes - ;; + loose) + loose=Yes + ;; *) - error_message " Warning: Invalid option ($option) ignored in provider \"$provider\"" + error_message " WARNING: Invalid option ($option) ignored in provider \"$provider\"" ;; esac done rulenum=0 - find_interface_addresses $interface | while read address; do - run_and_save_command qt ip rule del from $address - if [ -z "$loose" ]; then - pref=$((20000 + $rulenum * 1000 + $mark )) - rulenum=$(($rulenum + 1)) - ensure_and_save_command ip rule add from $address pref $pref table $number - fi - done + find_interface_addresses $interface | while read address; do + run_and_save_command qt ip rule del from $address + if [ -z "$loose" ]; then + pref=$((20000 + $rulenum * 1000 + $mark )) + rulenum=$(($rulenum + 1)) + ensure_and_save_command ip rule add from $address pref $pref table $number + fi + done } strip_file providers $1 @@ -1275,7 +1313,7 @@ validate_hosts_file() { *.*.*.*) ;; +*) - eval ${z}_is_complex=Yes + eval ${z}_is_complex=Yes ;; *) known_interface $host && \ @@ -1293,7 +1331,7 @@ validate_hosts_file() { for option in $(separate_list $options) ; do case $option in - maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|-) + maclist|norfc1918|blacklist|tcpflags|nosmurfs|newnotsyn|-) ;; ipsec) [ -n "$POLICY_MATCH" ] || \ @@ -1306,7 +1344,7 @@ validate_hosts_file() { eval ${z}_routeback=\"$interface:$host \$${z}_routeback\" ;; *) - error_message "Warning: Invalid option ($option) in record \"$r\"" + error_message "WARNING: Invalid option ($option) in record \"$r\"" ;; esac done 
@@ -1386,6 +1424,24 @@ validate_policy() fi esac + case $policy in + *:*) + epolicy=${policy#*:} + policy=${policy%:*} + + case $epolicy in + ACCEPT|QUEUE) + ;; + *) + startup_error " $client $server $policy $loglevel $synparams: Invalid ESTABLISHED/RELATED policy: $epolicy" + ;; + esac + ;; + *) + epolicy=ACCEPT + ;; + esac + case $policy in ACCEPT|REJECT|DROP|CONTINUE|QUEUE) ;; @@ -1407,7 +1463,9 @@ validate_policy() startup_error "Duplicate policy $policy" fi - [ "x$loglevel" = "x-" ] && loglevel= + [ "x$loglevel" = "x-" ] && loglevel= + [ "x$synparms" = "x-" ] && synparms= + [ "x$epolicy" = "x-" ] && epolicy= [ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain" @@ -1415,11 +1473,12 @@ validate_policy() eval ${chain}_policy=$policy eval ${chain}_loglevel=$loglevel eval ${chain}_synparams=$synparams + eval ${chain}_epolicy=$epolicy if [ -n "${clientwild}" ]; then if [ -n "${serverwild}" ]; then - for zone in $zones $FW all; do - for zone1 in $zones $FW all; do + for zone in $ZONES $FW all; do + for zone1 in $ZONES $FW all; do eval pc=\$${zone}2${zone1}_policychain if [ -z "$pc" ]; then @@ -1430,7 +1489,7 @@ validate_policy() done done else - for zone in $zones $FW all; do + for zone in $ZONES $FW all; do eval pc=\$${zone}2${server}_policychain if [ -z "$pc" ]; then @@ -1441,7 +1500,7 @@ validate_policy() done fi elif [ -n "$serverwild" ]; then - for zone in $zones $FW all; do + for zone in $ZONES $FW all; do eval pc=\$${client}2${zone}_policychain if [ -z "$pc" ]; then 
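Review bot: The added line `[ "x$synparms" = "x-" ] && synparms=` clears a variable named `synparms`, while the value actually stored three lines later is `$synparams` (`eval ${chain}_synparams=$synparams`), so a `-` in the SYNPARAMS column is not blanked by this line; it should read `[ "x$synparams" = "x-" ] && synparams=`. The companion line `[ "x$epolicy" = "x-" ] && epolicy=` is unreachable, because the new `case $policy in *:*)` block above has already rejected anything other than ACCEPT or QUEUE or defaulted epolicy to ACCEPT. The `POLICY:EPOLICY` syntax being parsed here is new and deserves a mention in the comment above validate_policy.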
@@ -1504,6 +1563,25 @@ find_interfaces_by_option() # $1 = option done } +# +# This slightly slower version is used to find both the option and option followed +# by equal sign ("=") and a value +# +find_interfaces_by_option1() # $1 = option +{ + local options option + + for interface in $ALL_INTERFACES; do + eval options=\$$(chain_base $interface)_options + for option in $options; do + if [ "${option%=*}" = "$1" ]; then + echo $interface + break + fi + done + done +} + # # Find hosts with the passed option # @@ -1590,7 +1668,7 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi if [ ${#prefix} -gt 29 ]; then prefix="$(echo $prefix | truncate 29)" - error_message "Warning: Log Prefix shortened to \"$prefix\"" + error_message "WARNING: Log Prefix shortened to \"$prefix\"" fi case $level in @@ -1704,7 +1782,7 @@ process_routestopped() # $1 = command case $option in routeback) if [ -n "$routeback" ]; then - error_message "Warning: Duplicate routestopped option ignored: routeback" + error_message "WARNING: Duplicate routestopped option ignored: routeback" else routeback=Yes for h in $(separate_list $host); do @@ -1722,8 +1800,10 @@ process_routestopped() # $1 = command dest="$dest $interface:$h" done ;; + critical) + ;; *) - error_message "Warning: Unknown routestopped option ignored: $option" + error_message "WARNING: Unknown routestopped option ignored: $option" ;; esac done 
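Review bot: find_interfaces_by_option1 declares `local options option` but not `interface`, so when the function is called outside a command substitution the loop overwrites the caller's `interface`; `local interface options option` makes it self-contained (find_interfaces_by_option above appears to have the same shape, so this may be deliberate for consistency). In process_routestopped the new `critical)` case is accepted silently here and acted on only by process_criticalhosts; a comment such as `# handled by process_criticalhosts` on that case keeps the two readers in sync.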
@@ -1759,6 +1839,70 @@ process_routestopped() # $1 = command done } +process_criticalhosts() +{ + local hosts= interface host h options networks criticalhosts= + + [ -f $TMP_DIR/routestopped ] || strip_file routestopped + + while read interface host options; do + expandv interface host options + + [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host) + + if [ -n "$options" ]; then + for option in $(separate_list $options); do + case $option in + routeback|source|dest) + ;; + critical) + for h in $host; do + criticalhosts="$criticalhosts $interface:$h" + done + ;; + *) + error_message "WARNING: Unknown routestopped option ignored: $option" + ;; + esac + done + fi + done < $TMP_DIR/routestopped + + if [ -n "$criticalhosts" ]; then + CRITICALHOSTS=$criticalhosts + progress_message "Critical Hosts are:$CRITICALHOSTS" + fi + +} + +# +# For each entry in the CRITICALHOSTS global list, add INPUT and OUTPUT rules to +# enable traffic to/from those hosts. +# +enable_critical_hosts() +{ + for host in $CRITICALHOSTS; do + interface=${host%:*} + networks=${host#*:} + $IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT + $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT + done +} + +# +# For each entry in the CRITICALHOSTS global list, delete the INPUT and OUTPUT rules that +# enable traffic to/from those hosts. +# +disable_critical_hosts() +{ + for host in $CRITICALHOSTS; do + interface=${host%:*} + networks=${host#*:} + $IPTABLES -D INPUT -i $interface $(source_ip_range $networks) -j ACCEPT + $IPTABLES -D OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT + done +} + # # Stop the Firewall # 
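Review bot: process_criticalhosts maps a `-` or empty HOST column to `0.0.0.0/0`, so an entry marked `critical` with no host makes enable_critical_hosts append `INPUT -i $interface ... -j ACCEPT` and the matching OUTPUT rule for the whole interface while the firewall is stopped or being restarted. If that is intended it needs a comment above the `critical)` case and in the routestopped documentation; otherwise the `critical` case should reject (or at least report with error_message) a host of `0.0.0.0/0` rather than expand it. The loop variable `option` is missing from the `local` list, and enable/disable_critical_hosts write the globals `host`, `interface` and `networks`; declaring them local avoids clobbering the caller. These two functions also call `$IPTABLES` directly rather than `run_iptables`, so a failed insert is not reported — presumably deliberate during stop, but worth a one-line comment.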
@@ -1824,7 +1968,41 @@ stop_firewall() { [ -n "$DISABLE_IPV6" ] && disable_ipv6_1 - if [ -z "$ADMINISABSENTMINDED" ]; then + process_criticalhosts + + if [ -n "$CRITICALHOSTS" ]; then + if [ -z "$ADMINISABSENTMINDED" ]; then + for chain in INPUT OUTPUT; do + setpolicy $chain ACCEPT + done + + setpolicy FORWARD DROP + + deleteallchains + + enable_critical_hosts + + for chain in INPUT OUTPUT; do + setpolicy $chain DROP + done + else + for chain in INPUT OUTPUT; do + setpolicy $chain ACCEPT + done + + setpolicy FORWARD DROP + + deleteallchains + + enable_critical_hosts + + setpolicy INPUT DROP + + for chain in INPUT FORWARD; do + setcontinue $chain + done + fi + elif [ -z "$ADMINISABSENTMINDED" ]; then for chain in INPUT OUTPUT FORWARD; do setpolicy $chain DROP done @@ -1844,10 +2022,6 @@ stop_firewall() { done fi - hosts= - - [ -f $TMP_DIR/routestopped ] || strip_file routestopped - process_routestopped -A $IPTABLES -A INPUT -i lo -j ACCEPT @@ -2057,7 +2231,7 @@ setup_tunnels() # $1 = name of tunnels file addrule ${FW}2${z} -p $protocol $p -j ACCEPT addrule ${z}2${FW} -p $protocol $p -j ACCEPT else - error_message "Warning: Invalid gateway zone ($z)" \ + error_message "WARNING: Invalid gateway zone ($z)" \ " -- Tunnel \"$tunnel\" may encounter problems" fi done @@ -2115,10 +2289,10 @@ setup_tunnels() # $1 = name of tunnels file } # -# Process the ipsec file +# Process the ipsec information in the zones file # setup_ipsec() { - local zone + local zone using_ipsec= # # Add a --set-mss rule to the passed chain # @@ -2141,7 +2315,7 @@ setup_ipsec() { set_mss() # $1 = MSS value, $2 = _in, _out or "" { if [ $COMMAND != check ]; then - for z in $zones; do + for z in $ZONES; do case $2 in _in) set_mss1 ${zone}2${z} $1 @@ -2157,7 +2331,7 @@ setup_ipsec() { done fi } - + do_options() # $1 = _in, _out or "" - $2 = option list { local option opts newoptions= val 
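Review bot: In both new critical-host branches of stop_firewall the INPUT and OUTPUT policies are set to ACCEPT before `deleteallchains` and only set back to DROP after `enable_critical_hosts`, so for that window every packet on every interface is accepted; the pre-existing branch below sets DROP first and then deletes the chains. If the open window is the price of not cutting off an NFS-root or LDAP critical host mid-stop, say so in a comment such as `# Policies are ACCEPT while the chains are rebuilt so critical hosts stay reachable; tightened again below`, since a reader will otherwise flag this as fail-open. The removed `hosts=` reset before `process_routestopped -A` is only safe if process_routestopped (outside this hunk) no longer accumulates into the global `hosts`; process_criticalhosts declares its own `local hosts=` and therefore does not reset the global.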
@@ -2190,40 +2364,55 @@ setup_ipsec() { done if [ -n "$newoptions" ]; then + [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" eval ${zone}_is_complex=Yes eval ${zone}_ipsec${1}_options=\"${newoptions# }\" fi } - strip_file ipsec $1 - + case $IPSECFILE in + zones) + f=zones + progress_message "Setting up IPSEC..." + ;; + *) + f=$IPSECFILE + strip_file $f + progress_message "Processing $f..." + using_ipsec=Yes + ;; + esac + while read zone ipsec options in_options out_options mss; do expandv zone ipsec options in_options out_options mss - [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" + if [ -n "$using_ipsec" ]; then + validate_zone1 $zone || fatal_error "Unknown zone: $zone" + fi - validate_zone1 $zone || fatal_error "Unknown zone: $zone" - - case $ipsec in - -|No|no) - ;; - Yes|yes) - eval ${zone}_is_ipsec=Yes - eval ${zone}_is_complex=Yes - ;; - *) - fatal_error "Invalid IPSEC column value: $ipsec" - ;; - esac - - do_options "" $options - do_options "_in" $in_options - do_options "_out" $out_options + if [ -n "$ipsec" ]; then + case $ipsec in + -|No|no) + ;; + Yes|yes) + [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" + eval ${zone}_is_ipsec=Yes + eval ${zone}_is_complex=Yes + ;; + *) + fatal_error "Invalid IPSEC column value: $ipsec" + ;; + esac - done < $TMP_DIR/ipsec + do_options "" $options + do_options "_in" $in_options + do_options "_out" $out_options + fi + + done < $TMP_DIR/$f } -# +## # Setup Proxy ARP # setup_proxy_arp() { 
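Review bot: When `IPSECFILE` is `zones`, the loop reads `$TMP_DIR/zones` with `read zone ipsec options in_options out_options mss`, so a legacy zones file whose second column is a display name (as the removed `${zone}_display` code in the determine_hosts hunk suggests) would hit `Invalid IPSEC column value`; please confirm that IPSECFILE only defaults to `zones` when no old ipsec file exists, and document the column layout under `# Process the ipsec information in the zones file`. If IPSECFILE is unset, the `*)` arm runs `strip_file` with an empty name and then reads `$TMP_DIR/`, so a default belongs before this case. The `##` in the separator comment above setup_proxy_arp looks like a stray keystroke.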
@@ -2283,12 +2472,12 @@ setup_proxy_arp() { ensure_and_save_command arp -i $external -Ds $address $external pub - echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp + echo $address $interface $external $haveroute >> /var/lib/shorewall/proxyarp progress_message " Host $address connected to $interface added to ARP on $external" } - > ${STATEDIR}/proxyarp + > /var/lib/shorewall/proxyarp save_progress_message "Restoring Proxy ARP..." @@ -2315,7 +2504,7 @@ setup_proxy_arp() { progress_message " Enabled proxy ARP on $interface" save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" else - error_message "Warning: Unable to enable proxy ARP on $interface" + error_message "WARNING: Unable to enable proxy ARP on $interface" fi done } @@ -2335,7 +2524,6 @@ setup_mac_lists() { local hosts local ipsec local policy= - local options # # Generate the list of interfaces having MAC verification # @@ -2481,7 +2669,7 @@ setup_syn_flood_chain () # enable_syn_flood_protection() # $1 = chain, $2 = protection chain { - run_iptables -I $1 2 -p tcp --syn -j @$2 + run_iptables -I $1 -p tcp --syn -j @$2 progress_message " Enabled SYN flood protection" } @@ -2489,16 +2677,16 @@ enable_syn_flood_protection() # $1 = chain, $2 = protection chain # Delete existing Proxy ARP # delete_proxy_arp() { - if [ -f ${STATEDIR}/proxyarp ]; then + if [ -f /var/lib/shorewall/proxyarp ]; then while read address interface external haveroute; do qt arp -i $external -d $address pub [ -z "$haveroute" ] && qt ip route del $address dev $interface - done < ${STATEDIR}/proxyarp + done < /var/lib/shorewall/proxyarp - rm -f ${STATEDIR}/proxyarp + rm -f /var/lib/shorewall/proxyarp fi - [ -d ${STATEDIR} ] && touch ${STATEDIR}/proxyarp + [ -d /var/lib/shorewall ] && touch /var/lib/shorewall/proxyarp for f in /proc/sys/net/ipv4/conf/*; do [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp 
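Review bot: `local options` is removed from setup_mac_lists, so any assignment to `options` in the rest of that function (outside this hunk) now writes a global and can clobber the `options` a caller is iterating; if the function now deliberately reads a global set by its caller, a comment saying so would help. In enable_syn_flood_protection the change from `-I $1 2` to `-I $1` inserts the SYN-flood jump at position 1 and relies on policy_rules later using `-I` for its ESTABLISHED,RELATED rule to land ahead of it — harmless because SYN packets are NEW, but worth a comment such as `# inserted at head; policy_rules' -I for ESTABLISHED,RELATED runs afterwards and ends up first`.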
@@ -2565,7 +2753,7 @@ setup_nat() { # # At this point, we're just interested in the network translation # - > ${STATEDIR}/nat + > /var/lib/shorewall/nat if [ -n "$POLICY_MATCH" ]; then policyin="-m policy --pol none --dir in" @@ -2590,15 +2778,15 @@ delete_nat() { run_iptables -t nat -F run_iptables -t nat -X - if [ -f ${STATEDIR}/nat ]; then + if [ -f /var/lib/shorewall/nat ]; then while read external interface; do qt ip addr del $external dev $interface - done < ${STATEDIR}/nat + done < /var/lib/shorewall/nat - rm -f {$STATEDIR}/nat + rm -f {/var/lib/shorewall}/nat fi - [ -d ${STATEDIR} ] && touch ${STATEDIR}/nat + [ -d /var/lib/shorewall ] && touch /var/lib/shorewall/nat } # @@ -3003,11 +3191,11 @@ process_accounting_rule() { user1= accounting_error() { - error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user + error_message "WARNING: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user } accounting_interface_error() { - error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user + error_message "WARNING: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user } accounting_interface_verify() { 
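Review bot: `rm -f {/var/lib/shorewall}/nat` in delete_nat keeps the brace typo of the old `{$STATEDIR}/nat`, and with a literal path the braces are just characters, so the command removes a file literally named `{/var/lib/shorewall}/nat` and the real `/var/lib/shorewall/nat` is left in place with its old entries. It should be `rm -f /var/lib/shorewall/nat`, matching the `touch` two lines below.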
@@ -3226,23 +3414,16 @@ check_config() { [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL= if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then - startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" + startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" fi echo "Determining Zones..." determine_zones - check_duplicate_zones - [ -z "$zones" ] && startup_error "ERROR: No Zones Defined" + display_list "Zones:" $ZONES - display_list "Zones:" $zones - - ipsecfile=$(find_file ipsec) - - [ -f $ipsecfile ] && \ - echo "Validating ipsec file..." && \ - setup_ipsec $ipsecfile + setup_ipsec echo "Validating interfaces file..." @@ -3867,6 +4048,75 @@ merge_levels() # $1=level at which superior action is called, $2=level at which esac } +# This function substitutes the second argument for the first part of the first argument up to the first colon (":") +# +# Example: +# +# substitute_action DNAT PARAM:info:FTP +# +# produces "DNAT:info:FTP" +# +substitute_action() # $1 = parameter, $2 = action +{ + local logpart=${2%%:*} + + case $2 in + *:*) + echo $1:${logpart%/} + ;; + *) + echo $1 + ;; + esac +} + +# +# This function maps old action names into their new macro equivalents +# +map_old_action() # $1 = Potential Old Action +{ + local macro= aktion + + if [ -n "$MAPOLDACTIONS" ]; then + case $1 in + */*) + echo $1 + return + ;; + *) + if [ -f $(find_file $1) ]; then + echo $1 + return + fi + + case $1 in + Allow*) + macro=${1#*w} + aktion=ACCEPT + ;; + Drop*) + macro=${1#*p} + aktion=DROP + ;; + Reject*) + macro=${1#*t} + aktion=REJECT + ;; + *) + echo $1 + return + ;; + esac + esac + + if [ -f $(find_file macro.$macro) ]; then + echo $macro/$aktion + fi + fi + + echo $1 +} + # # The next three functions implement the three phases of action processing. # 
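Review bot: check_config now calls `setup_ipsec` unconditionally where the old code ran it only when an ipsec file existed, so correct behaviour depends on `IPSECFILE` already holding `zones` or the file name before check_config runs; that assignment is not in this diff, and setup_ipsec's `*)` arm does not cope with an empty value. Either set a default here, e.g. `[ -n "$IPSECFILE" ] || IPSECFILE=zones`, or state in the comment above determine_zones where IPSECFILE is established.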
@@ -3946,10 +4196,53 @@ process_actions1() { ;; *) if list_search $temp $ACTIONS; then - eval requiredby_${xaction}=\"\$requiredby_${xaction} $xtarget\" + eval requiredby=\"\$requiredby_${xaction}\" + list_search $xtarget $requiredby || eval requiredby_${xaction}=\"$requiredby $xtarget\" else - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)" - startup_error "Invalid TARGET in rule \"$rule\"" + temp=$(map_old_action $temp) + + case $temp in + */*) + param=${temp#*/} + case $param in + ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) + ;; + *) + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec" + startup_error "Invalid Macro Parameter in rule \"$rule\"" + ;; + esac + temp=${temp%%/*} + ;; + esac + + f1=macro.${temp} + fn=$(find_file $f1) + + if [ ! -f $TMP_DIR/$f1 ]; then + if [ -f $fn ]; then + strip_file $f1 $fn + else + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec" + startup_error "Invalid TARGET in rule \"$rule\"" + fi + + progress_message " ..Expanding Macro $fn..." + + while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do + expandv mtarget + temp="${mtarget%%:*}" + case "$temp" in + ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|PARAM) + ;; + *) + rule="$mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec" + startup_error "Invalid TARGET in rule \"$rule\"" + esac + done < $TMP_DIR/$f1 + + progress_message " ..End Macro" + fi fi ;; 
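Review bot: The macro validation loop in process_actions1 accepts `PARAM` targets without checking that the invocation supplied a parameter, so a macro that uses PARAM but is invoked bare is only rejected later by process_actions3's fatal_error, after earlier rules have already been built. Since `param` is assigned only in the `*/*` arm, reset it first (`param=`) and fail early inside the inner loop with `[ "$temp" = PARAM -a -z "$param" ] && startup_error "Macro $f1 requires a parameter"`. Note also that the body check runs only the first time a macro is stripped (`[ ! -f $TMP_DIR/$f1 ]`), so a later parameterless invocation of an already-stripped macro would slip through; keeping the PARAM check outside that `if` covers both cases.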
@@ -3967,11 +4260,11 @@ process_actions1() { process_actions2() { - local interfaces="$(find_interfaces_by_option upnp)" + local interfaces="$(find_interfaces_by_option upnp)" if [ -n "$interfaces" ]; then if ! list_search forwardUPnP $USEDACTIONS; then - error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)" + error_message "WARNING:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)" USEDACTIONS="$USEDACTIONS forwardUPnP" fi fi @@ -3985,7 +4278,7 @@ process_actions2() { for xaction in $USEDACTIONS; do eval required=\"\$requiredby_${xaction%%:*}\" - + for xaction1 in $required; do # # Generate the action that will be passed to process_action by merging the 
@@ -4162,29 +4455,98 @@ process_actions3() { # xaction2=$(merge_levels $xaction $xtarget) - case ${xaction2%%:*} in + is_macro= + param= + + xtarget1=${xaction2%%:*} + + case $xtarget1 in ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) # # Builtin target -- Nothing to do # ;; *) - # - # Not a builtin target -- Replace the target from the file - # -- with the one generated above - xtarget=$xaction2 - # - # And locate the chain for that action:level:tag - # - xaction2=$(find_logactionchain $xtarget) + if list_search $xtarget1 $ACTIONS ; then + # + # An Action -- Replace the target from the file + # -- with the one generated above + xtarget=$xaction2 + # + # And locate the chain for that action:level:tag + # + xaction2=$(find_logactionchain $xtarget) + else + is_macro=yes + fi ;; esac expandv xclients xservers xprotocol xports xcports xratelimit xuserspec - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)" - process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec + if [ -n "$is_macro" ]; then + xtarget1=$(map_old_action $xtarget1) + + case $xtarget1 in + */*) + param=${xtarget1#*/} + xtarget1=${xtarget1%%/*} + ;; + esac + + progress_message "..Expanding Macro $(find_file macro.$xtarget1)..." 
+ while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do + expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec + + mtarget=$(merge_levels $xaction2 $mtarget) + + case $mtarget in + PARAM|PARAM:*) + [ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation" + ;; + esac + + if [ -n "$mclients" ]; then + case $mclients in + -) + mclients=${xclients} + ;; + *) + mclients=${mclients}:${xclients} + ;; + esac + else + mclients=${xclients} + fi + + if [ -n "$mservers" ]; then + case $mservers in + -) + mservers=${xservers} + ;; + *) + mservers=${mservers}:${xservers} + ;; + esac + else + mservers=${xserverss} + fi + + [ -n "$xprotocol" ] && [ "x${xprotocol}" != x- ] && mprotocol=$xprotocol + [ -n "$xports" ] && [ "x${xports}" != x- ] && mports=$xports + [ -n "$xcports" ] && [ "x${xcports}" != x- ] && mcports=$xcports + [ -n "$xratelimit" ] && [ "x${xratelimit}" != x- ] && mratelimit=$xratelimit + [ -n "$xuserspec" ] && [ "x${xuserspec}" != x- ] && muserspec=$xuserspec + + rule="$mtarget ${mclients:=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${mratelimit:-} ${muserspec:=-}" + process_action $xchain $xaction1 $mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec + done < $TMP_DIR/macro.$xtarget1 + progress_message "..End Macro" + else + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec" + process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec + fi done < $TMP_DIR/$f ;; esac 
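Review bot: Two typos in the new macro-expansion loop change which rules are generated: `mservers=${xserverss}` in the `else` of the `mservers` test references a variable that does not exist, so a macro line with an empty DEST column gets `-` instead of the invoking rule's destination and the resulting rule matches any destination; and `${mratelimit:-}` in the `rule=` string does not assign, unlike the `:=` used for its neighbours, so an empty rate limit is passed unquoted to process_action and `$muserspec` shifts into the ratelimit position. They should read `mservers=${xservers}` and `${mratelimit:=-}`. The same loop is duplicated almost verbatim in process_macro further down, where the `iserverss` typo shows the cost of keeping two copies; factoring the column-merging into one helper would be worthwhile.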
@@ -4808,6 +5170,13 @@ process_rule() # $1 = target clients="${clients#*:}" [ -z "$clientzone" -o -z "$clients" ] && \ fatal_error "Empty source zone or qualifier: rule \"$rule\"" + if [ $(list_count $clients) -gt 1 ]; then + case $clients in + !*) + fatal_error "Exclude lists not supported in the SOURCE column" + ;; + esac + fi fi if [ "$clientzone" = "${clientzone%!*}" ]; then @@ -4851,6 +5220,13 @@ process_rule() # $1 = target servers="${servers%:*}" [ -z "$serverzone" -o -z "$serverport" ] && \ fatal_error "Empty destination zone or server port: rule \"$rule\"" + if [ $(list_count $servers) -gt 1 ]; then + case $servers in + !*) + fatal_error "Exclude lists not supported in the DEST column" + ;; + esac + fi else serverport= [ -z "$serverzone" -o -z "$servers" ] && \ 
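Review bot: The new exclude-list check in process_rule rejects a multi-entry list only when it begins with `!` (`case $clients in !*)`), so a list such as `10.0.0.1,!10.0.0.2` still passes; if `!` is only meaningful as a leading negation that is fine, but if entries are split and matched individually (list handling is outside this hunk) the check needs to apply per entry. A one-line comment stating which form is being rejected, e.g. `# a negated list (!a,b,c) cannot be expressed as a single iptables match`, would make the intent clear; the DEST check has the same shape.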
@@ -5012,10 +5388,90 @@ process_rule() # $1 = target fi } +# +# Process a macro invocation in the rules file +# + +process_macro() # $1 = target + # $2 = param + # $2 = clients + # $3 = servers + # $4 = protocol + # $5 = ports + # $6 = cports + # $7 = address + # $8 = ratelimit + # $9 = userspec +{ + local itarget="$1" + local param="$2" + local iclients="$3" + local iservers="$4" + local iprotocol="$5" + local iports="$6" + local icports="$7" + local iaddress="$8" + local iratelimit="$9" + local iuserspec="${10}" + + progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..." + + while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do + expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec + + mtarget=$(merge_levels $itarget $mtarget) + + case $mtarget in + PARAM|PARAM:*) + [ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation" + ;; + esac + + if [ -n "$mclients" ]; then + case $mclients in + -) + mclients=${iclients} + ;; + *) + mclients=${mclients}:${iclients} + ;; + esac + else + mclients=${iclients} + fi + + if [ -n "$mservers" ]; then + case $mservers in + -) + mservers=${iservers} + ;; + *) + mservers=${mservers}:${iservers} + ;; + esac + else + mservers=${iserverss} + fi + + [ -n "$iprotocol" ] && [ "x${iprotocol}" != x- ] && mprotocol=$iprotocol + [ -n "$iports" ] && [ "x${iports}" != x- ] && mports=$iports + [ -n "$icports" ] && [ "x${icports}" != x- ] && mcports=$icports + [ -n "$iratelimit" ] && [ "x${iratelimit}" != x- ] && mratelimit=$iratelimit + [ -n "$iuserspec" ] && [ "x${iuserspec}" != x- ] && muserspec=$iuserspec + + rule="$mtarget ${mclients=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${xaddress:=-} ${mratelimit:=-} ${muserspec:=-}" + process_rule $mtarget $mclients $mservers $mprotocol $mports $mcports ${iaddress:=-} $mratelimit $muserspec + + done < 
$TMP_DIR/macro.${itarget%%:*} + + progress_message "..End Macro" + +} + # # Process the rules file for the 'start', 'restart' or 'check' command. # -process_rules() +process_rules() # $1 = "Yes" if the target is a macro. { # # Process a rule where the source or destination is "all" 
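Review bot: In process_macro the fallback `mservers=${iserverss}` references a non-existent variable (should be `${iservers}`), so a macro line with an empty DEST column loses the invoking rule's destination and the generated rule matches any destination. In the `rule=` string `${mclients=-}` lacks the colon, so an empty-but-set mclients is not defaulted and `$mclients` expands to nothing in the unquoted process_rule call, shifting every later argument; and `${xaddress:=-}` refers to the caller's variable rather than `iaddress` (display string only). The parameter comment is also off by one (`$2` is listed twice, so clients is really `$3` and userspec `${10}`, as the `local` lines show), and the `# $1 = "Yes" if the target is a macro.` comment added to process_rules belongs on do_it and process_wildcard_rule, which are the functions that actually receive it.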
@@ -5030,48 +5486,57 @@ process_rules() if [ "${ysourcezone}" != "${ydestzone}" ] ; then eval ypolicy=\$${ysourcezone}2${ydestzone}_policy if [ "$ypolicy" != NONE ] ; then - rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" - process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + if [ "$1" = Yes ]; then + process_macro $xtarget "$xparam" $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + else + rule="$xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" + process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + fi fi fi done done } - do_it() { + do_it() # $1 = "Yes" if the target is a macro. + { expandv xprotocol xports xcports xaddress xratelimit xuserspec if [ "x$xclients" = xall ]; then - xclients="$zones $FW" + xclients="$ZONES $FW" if [ "x$xservers" = xall ]; then - xservers="$zones $FW" + xservers="$ZONES $FW" fi - process_wildcard_rule + process_wildcard_rule $1 return fi if [ "x$xservers" = xall ]; then - xservers="$zones $FW" - process_wildcard_rule + xservers="$ZONES $FW" + process_wildcard_rule $1 return fi - - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" - process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + + if [ "$1" = Yes ]; then + process_macro $xtarget "$xparam" $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + else + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" + process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + fi } while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do expandv xtarget xclients xservers if [ "x$xclients" = xnone -o 
"x$servers" = xnone ]; then - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" progress_message " Rule \"$rule\" ignored." continue fi case "${xtarget%%:*}" in ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-) - do_it + do_it No ;; *) if list_search ${xtarget%%:*} $ACTIONS; then @@ -5081,10 +5546,36 @@ process_rules() fi xtarget=$(find_logactionchain $xtarget) - do_it + do_it No else - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" - fatal_error "Invalid Action in rule \"$rule\"" + xtarget1=$(map_old_action ${xtarget%%:*}) + + case $xtarget1 in + */*) + xparam=${xtarget1#*/} + xtarget1=${xtarget1%%/*} + xtarget=$(substitute_action $xtarget1 $xtarget) + ;; + *) + xparam= + ;; + esac + + f=macro.$xtarget1 + + if [ -f $TMP_DIR/$f ]; then + do_it Yes + else + fn=$(find_file $f) + + if [ -f $fn ]; then + strip_file $f $fn + do_it Yes + else + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" + fatal_error "Invalid Action in rule \"$rule\"" + fi + fi fi ;; @@ -5123,7 +5614,7 @@ process_tos_rule() { elif [ "$srczone" = "all" ]; then source="all" else - error_message "Warning: Undefined Source Zone - rule \"$rule\" ignored" + error_message "WARNING: Undefined Source Zone - rule \"$rule\" ignored" return fi @@ -5142,7 +5633,7 @@ process_tos_rule() { # Assume that this is a device name # if ! verify_interface $src ; then - error_message "Warning: Unknown Interface in rule \"$rule\" ignored" + error_message "WARNING: Unknown Interface in rule \"$rule\" ignored" return fi 
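Review bot: For a rules-file target that is neither builtin nor an action, the macro file is stripped and expanded (`strip_file $f $fn; do_it Yes`) without the body validation that process_actions1 applies to macros used from action files, so an unknown target inside a macro is presumably caught only by process_rule during expansion (its checks are outside this hunk); a short comment stating where invalid macro lines are rejected would help. The surrounding context line `if [ "x$xclients" = xnone -o "x$servers" = xnone ]` tests `$servers` rather than `$xservers`, so a rule with DEST `none` is not ignored as the message suggests — pre-existing, but this commit rewrites the line after it. `xtarget1`, `xparam`, `f` and `fn` are assigned as globals here; `xparam` is read by do_it, so it at least should be documented as shared state.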
@@ -5171,7 +5662,7 @@ process_tos_rule() { dest="all" else error_message \ - "Warning: Undefined Destination Zone - rule \"$rule\" ignored" + "WARNING: Undefined Destination Zone - rule \"$rule\" ignored" return fi @@ -5186,7 +5677,7 @@ process_tos_rule() { # Assume that this is a device name # error_message \ - "Warning: Invalid Destination - rule \"$rule\" ignored" + "WARNING: Invalid Destination - rule \"$rule\" ignored" return ;; esac @@ -5293,15 +5784,23 @@ display_list() # $1 = List Title, rest of $* = list to display [ $# -gt 1 ] && echo " $*" } -# -# Add policy rule ( and possibly logging rule) to the passed chain -# policy_rules() # $1 = chain to add rules to # $2 = policy - # $3 = loglevel + # $3 = E/R Policy + # $4 = loglevel { local target="$2" + case $3 in + QUEUE) + run_iptables -I $1 -m state --state RELATED -j ACCEPT + run_iptables -I $1 -m state --state ESTABLISHED -j QUEUE + ;; + ACCEPT) + run_iptables -I $1 -m state --state ESTABLISHED,RELATED -j ACCEPT + ;; + esac + case "$target" in ACCEPT) [ -n "$ACCEPT_common" ] && run_iptables -A $1 -j $ACCEPT_common @@ -5324,8 +5823,8 @@ policy_rules() # $1 = chain to add rules to ;; esac - if [ $# -eq 3 -a "x${3}" != "x-" ]; then - log_rule $3 $1 $2 + if [ $# -eq 4 -a "x${4}" != "x-" ]; then + log_rule $4 $1 $2 fi [ -n "$target" ] && run_iptables -A $1 -j $target @@ -5349,10 +5848,23 @@ default_policy() # $1 = client $2 = server local chain1 jump_to_policy_chain() { + # + # Insert a rule of ESTABLISHED,RELATED packets at the head of the + # canonical chain. # # Add a jump to from the canonical chain to the policy chain. On return, # $chain is set to the name of the policy chain # + case $epolicy in + QUEUE) + run_iptables -I $chain -m state --state RELATED -j ACCEPT + run_iptables -I $chain -m state --state ESTABLISHED -j QUEUE + ;; + ACCEPT) + run_iptables -I $chain -m state --state ESTABLISHED,RELATED -j ACCEPT + ;; + esac + run_iptables -A $chain -j $chain1 chain=$chain1 } 
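Review bot: policy_rules now inserts the ESTABLISHED/RELATED handling from `$3`, but the deleted header comment (`Add policy rule (and possibly logging rule) to the passed chain`) was not replaced, and the QUEUE arm needs explanation: RELATED packets are ACCEPTed while ESTABLISHED ones go to QUEUE, and because both rules are added with `-I` the second insert lands at position 1, so the final order is ESTABLISHED→QUEUE then RELATED→ACCEPT. A comment such as `# $3: ACCEPT inserts the usual ESTABLISHED,RELATED accept at the head; QUEUE passes ESTABLISHED to userspace but still accepts RELATED; NONE inserts nothing` on the signature would cover it. The same two-rule block is repeated in jump_to_policy_chain, whose new comment `Insert a rule of ESTABLISHED,RELATED packets` should say `rules for`; a shared helper would keep the two in step.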
@@ -5364,7 +5876,8 @@ default_policy() # $1 = client $2 = server # eval policy=\$${chain1}_policy eval loglevel=\$${chain1}_loglevel - eval synparams=\$${chain1}_synparams + eval synparams=\$${chain1}_synparams + eval epolicy=\$${chain1}_epolicy # # Add the appropriate rules to the canonical chain ($chain) to enforce # the specified policy @@ -5374,7 +5887,7 @@ default_policy() # $1 = client $2 = server # The policy chain is the canonical chain; add policy rule to it # The syn flood jump has already been added if required. # - policy_rules $chain $policy $loglevel + policy_rules $chain $policy $epolicy $loglevel else # # The policy chain is different from the canonical chain -- approach @@ -5388,7 +5901,7 @@ default_policy() # $1 = client $2 = server # in this chain. # enable_syn_flood_protection $chain $chain1 - policy_rules $chain $policy $loglevel + policy_rules $chain $policy $epolicy $loglevel else # # No problem with double-counting so just jump to the @@ -5404,7 +5917,7 @@ default_policy() # $1 = client $2 = server # [ -n "$synparams" ] && \ enable_syn_flood_protection $chain $chain1 - policy_rules $chain $policy $loglevel + policy_rules $chain $policy $epolicy $loglevel ;; *) # @@ -5452,10 +5965,11 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone if [ -n "$policychain" ]; then eval policy=\$${policychain}_policy eval loglevel=\$${policychain}_loglevel + eval - policy_rules $1 $policy $loglevel + policy_rules $1 $policy NONE $loglevel else - policy_rules $1 DROP INFO + policy_rules $1 DROP NONE INFO fi } @@ -5468,7 +5982,7 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone # rules_chain() # $1 = source zone, $2 = destination zone { - local chain=${1}2${2} + local chain=${1}2${2} local policy havechain $chain && { echo $chain; return; } 
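Review bot: complete_standard_chain contains a bare `eval` line with no arguments, a no-op that looks like an unfinished `eval epolicy=\$${policychain}_epolicy`; as written the function passes the literal `NONE` to policy_rules, so standard chains get no ESTABLISHED,RELATED rule from policy_rules, and createchain (earlier hunk) no longer adds one either. If these chains are meant to accept reply traffic, complete the eval and pass `$epolicy` instead of `NONE`; if NONE is intentional, delete the stray `eval` and say why in a comment.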
@@ -5476,9 +5990,12 @@ rules_chain() # $1 = source zone, $2 = destination zone eval chain=\$${chain}_policychain - [ -n "$chain" ] && { echo $chain; return; } + eval policy=\$${chain}_policy - fatal_error "No policy defined for zone $1 to zone $2" + if [ "$policy" != CONTINUE ] ; then + [ -n "$chain" ] && { echo $chain; return; } + fatal_error "No policy defined for zone $1 to zone $2" + fi } # @@ -5492,7 +6009,7 @@ get_routed_networks() # $1 = interface name ip route show dev $1 2> /dev/null | while read address rest; do if [ "x$address" = xdefault ]; then - error_message "Warning: default route ignored on interface $1" + error_message "WARNING: default route ignored on interface $1" else [ "$address" = "${address%/*}" ] && address="${address}/32" echo $address 
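Review bot: rules_chain now prints nothing and exits 0 when the applicable policy is CONTINUE, which makes an empty string a valid result that every `$(rules_chain ...)` caller must check; activate_rules does so in later hunks (`[ -n "$chain1" ]`, `[ -z "$chain" ] && continue`) but nothing in the function states the contract. Reading the policy from the policy chain (`eval policy=\$${chain}_policy` after `chain` was overwritten) is consistent with complete_standard_chain, but is easy to misread as a bug. Suggested header comment above the function: `# Print the chain for $1->$2 traffic. Prints nothing (exit 0) when the governing policy is CONTINUE; callers must test for an empty result.`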
@@ -5500,173 +6017,26 @@ get_routed_networks() # $1 = interface name done } -# -# Add a route from /etc/shorewall/routes -# -add_a_route() -{ - local r= - local chain=routefwd - local marktest= - - if [ "x$source" != "x-" ]; then - case ${source} in - $FW:*) - chain=routeout - r="$(source_ip_range ${source%:*}) " - ;; - *:*) - r="$(match_source_dev ${source%:*}) $(source_ip_range ${source#*:}) " - ;; - *.*.*|+*|!+*) - r="$(source_ip_range $source) " - ;; - ~*) - r="$(mac_match $source) " - ;; - $FW) - chain=routeout - ;; - *) - verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" - r="$(match_source_dev) $source " - ;; - esac - fi - - if [ "x$dest" != "x-" ]; then - case $dest in - *:*) - verify_interface ${dest%:*} || fatal_error "Unknown interface ${dest%:*} in rule \"$rule\"" - r="$(match_dest_dev ${dest%:*}) $(dest_ip_range ${dest#*:}) " - ;; - *.*.*|+*|!+*) - r="${r}$(dest_ip_range $dest) " - ;; - *) - verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\"" - r="${r}$(match_dest_dev $dest) " - ;; - esac - fi - - if [ "x$proto" = xipp2p ]; then - [ "x$port" = "x-" ] && port="ipp2p" - r="${r}-p tcp -m ipp2p --${port} " - else - [ "x$proto" = "x-" ] && proto=all - [ "x$proto" = "x" ] && proto=all - [ "$proto" = "all" ] || r="${r}-p $proto " - [ "x$port" = "x-" ] || r="${r}-m multiport --dports $port " - fi - - if [ "x${sport:--}" != "x-" ]; then - [ "x$port" = "x-" ] && r="${r}-m multiport " - r="${r}--sports $sport " - fi - - case $testval in - -) - testval= - ;; - !*:C) - marktest="connmark ! " - testval=${testval%:*} - testval=${testval#!} - ;; - *:C) - marktest="connmark " - testval=${testval%:*} - ;; - !*) - marktest="mark ! 
" - testval=${testval#!} - ;; - *) - [ -n "$testval" ] && marktest="mark " - ;; - esac - - if [ -n "$testval" ] ; then - case $testval in - */*) - verify_mark ${testval%/*} - verify_mark ${testval#*/} - ;; - *) - verify_mark $testval - testval=$testval/255 - ;; - esac - fi - - [ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval " - - r="${r}-j ROUTE " - - [ "x${interface:--}" != x- ] && r="${r}--oif $interface " - - [ "x${gateway:--}" != x- ] && r="${r}--gw $gateway" - - run_iptables2 -t mangle -A $chain $r --continue - - progress_message " Routing Rule \"$rule\" Added." -} - - # # Set up Routing # -setup_routes() # $1 = file name +setup_routes() { - local created_chains= - # - # Create routing chains - # - create_routing_chains() - { - if [ -z "$created_chains" ]; then - run_iptables -t mangle -N routefwd - run_iptables -t mangle -A FORWARD -j routefwd - run_iptables -t mangle -N routeout - run_iptables -t mangle -A OUTPUT -j routeout - run_iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark - created_chains=Yes - fi - } - strip_file routes $1 + run_iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark + run_iptables -t mangle -N routemark - if [ -s $TMP_DIR/routes ]; then - echo "Processing $1..." 
- [ -n "$ROUTE_TARGET" ] || \ - fatal_error "Entries in /etc/shorewall/routes requires that your kernel and iptables have ROUTE target support" - create_routing_chains + for interface in $ROUTEMARK_INTERFACES ; do + + iface=$(chain_base $interface) + eval mark_value=\$${iface}_routemark - while read source dest proto port sport testval interface gateway; do - expandv source dest proto port sport testval interface gateway - rule="$source $dest $proto $port $sport testval $interface $gateway" - add_a_route - done < $TMP_DIR/routes - fi + run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0 -j routemark + run_iptables -t mangle -A routemark -i $interface -j MARK --set-mark $mark_value - if [ -n "$ROUTEMARK_INTERFACES" ]; then - create_routing_chains + done - run_iptables -t mangle -N routemark - - for interface in $ROUTEMARK_INTERFACES ; do - - iface=$(chain_base $interface) - eval mark_value=\$${iface}_routemark - - run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0 -j routemark - run_iptables -t mangle -A routemark -i $interface -j MARK --set-mark $mark_value - - done - - run_iptables -t mangle -A routemark -m mark ! --mark 0 -j CONNMARK --save-mark --mask 255 - fi + run_iptables -t mangle -A routemark -m mark ! --mark 0 -j CONNMARK --save-mark --mask 255 } @@ -6005,7 +6375,7 @@ setup_masq() while read fullinterface networks addresses proto ports ipsec; do expandv fullinterface networks addresses proto ports ipsec [ -n "$NAT_ENABLED" ] && setup_one || \ - error_message "Warning: NAT disabled; masq rule ignored" + error_message "WARNING: NAT disabled; masq rule ignored" done < $TMP_DIR/masq } @@ -6254,7 +6624,7 @@ add_ip_aliases() ensure_and_save_command ip addr add ${external}${val} dev $interface $label fi - echo "$external $interface" >> ${STATEDIR}/nat + echo "$external $interface" >> /var/lib/shorewall/nat [ -n "$label" ] && label="with $label" progress_message " IP Address $external added to interface $interface $label" } 
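Review bot: The rewritten setup_routes obtains `mark_value` with `eval mark_value=\$${iface}_routemark` and hands it straight to `--set-mark` with no check in this hunk; an interface listed in ROUTEMARK_INTERFACES whose mark variable is unset would yield `--set-mark` with no argument and an iptables failure part-way through start. Unless the providers parser (presumably setup_providers, outside this diff) guarantees the variable is set, add `[ -n "$mark_value" ] || fatal_error "No route mark defined for interface $interface"` before the two run_iptables calls. Dropping the ROUTE_TARGET capability check along with add_a_route is correct, since the new function no longer uses `-j ROUTE`.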
@@ -6436,7 +6806,7 @@ initialize_netfilter () { [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL= if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then - startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" + startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" fi [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \ @@ -6445,11 +6815,8 @@ initialize_netfilter () { echo "Determining Zones..." determine_zones - check_duplicate_zones - [ -z "$zones" ] && startup_error "No Zones Defined" - - display_list "Zones:" $zones + display_list "Zones:" $ZONES echo "Validating interfaces file..." @@ -6505,15 +6872,36 @@ initialize_netfilter () { exists_OUTPUT=Yes exists_FORWARD=Yes - setpolicy INPUT DROP - setpolicy OUTPUT DROP - setpolicy FORWARD DROP + process_criticalhosts + + if [ -n "$CRITICALHOSTS" ]; then + + setpolicy INPUT ACCEPT + setpolicy OUTPUT ACCEPT + setpolicy FORWARD DROP - deleteallchains + deleteallchains + + enable_critical_hosts - setcontinue FORWARD - setcontinue INPUT - setcontinue OUTPUT + setpolicy INPUT DROP + setpolicy OUTPUT DROP + + setcontinue FORWARD + setcontinue INPUT + setcontinue OUTPUT + else + + setpolicy INPUT DROP + setpolicy OUTPUT DROP + setpolicy FORWARD DROP + + deleteallchains + + setcontinue FORWARD + setcontinue INPUT + setcontinue OUTPUT + fi f=$(find_file ipsets) @@ -6550,8 +6938,6 @@ initialize_netfilter () { for chain in INPUT OUTPUT FORWARD; do run_iptables -A $chain -p udp --dport 53 -j ACCEPT - [ -n "$DROPINVALID" ] && \ - run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP done if [ -n "$CLAMPMSS" ]; then 
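Review bot: The `[ -z "$zones" ] && startup_error "No Zones Defined"` guard and `check_duplicate_zones` are removed from initialize_netfilter (hunk `@@ -6445`), and the same guard disappears from refresh_firewall (hunk `@@ -7581`), leaving only `display_list "Zones:" $ZONES`. Unless the new determine_zones (not in this diff) rejects an empty or duplicated zone list, an empty zones file now lets the firewall start with no zones, which was a hard error before. Either keep `[ -z "$ZONES" ] && startup_error "No Zones Defined"` here or add a comment pointing at where determine_zones enforces it.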
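Review bot: In the CRITICALHOSTS branch (hunk `@@ -6505`) INPUT and OUTPUT are set to ACCEPT before `deleteallchains`, so from that point until the `setpolicy INPUT DROP` that follows `enable_critical_hosts` the firewall accepts any inbound packet, not only traffic from critical hosts; the previous code kept DROP throughout. The commit message explains the availability motive, but the code does not, and the length of the window depends on how long deleteallchains takes. Add a comment above the branch such as `# With critical hosts, INPUT/OUTPUT are briefly ACCEPT while the chains are flushed so the critical-host rules can be added without interrupting them; keep this window minimal`, and note that FORWARD stays DROP throughout.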
@@ -6828,53 +7214,6 @@ add_common_rules() { run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface $(match_source_hosts $networks) -j man1918 done fi - # - # Bogons - # - hosts="$(find_hosts_by_option nobogons)" - - if [ -n "$hosts" ]; then - echo "Enabling Bogon Filtering" - - strip_file bogons - - createchain nobogons no - - createchain bogons no - - log_rule $BOGON_LOG_LEVEL bogons DROP - - run_iptables -A bogons -j DROP - - while read networks target; do - case $target in - logdrop) - target=bogons - ;; - DROP|RETURN) - ;; - *) - fatal_error "Invalid target ($target) for $networks" - ;; - esac - - run_iptables2 -A nobogons $(source_ip_range $networks) -j $target - - done < $TMP_DIR/bogons - - for host in $hosts; do - ipsec=${host%^*} - host=${host#*^} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${host%%:*} - network=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j nobogons - done - done - - fi hosts=$(find_hosts_by_option tcpflags) @@ -6938,11 +7277,13 @@ add_common_rules() { for f in /proc/sys/net/ipv4/conf/*; do run_and_save_command "[ -f $f/arp_filter ] && echo 0 > $f/arp_filter" + run_and_save_command "[ -f $f/arp_filter ] && echo 0 > $f/arp_ignore" done interfaces=$(find_interfaces_by_option arp_filter) + interfaces1=$(find_interfaces_by_option1 arp_ignore) - if [ -n "$interfaces" ]; then + if [ -n "${interfaces}${interfaces1}" ]; then echo "Setting up ARP Filtering..." for interface in $interfaces; do 
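Review bot: The new line `run_and_save_command "[ -f $f/arp_filter ] && echo 0 > $f/arp_ignore"` (hunk `@@ -6938`) tests for the arp_filter file but writes arp_ignore; it should be `run_and_save_command "[ -f $f/arp_ignore ] && echo 0 > $f/arp_ignore"`. This loop now also resets arp_ignore to 0 on every entry under /proc/sys/net/ipv4/conf (including all/ and default/) at each start, which clobbers an arp_ignore value an administrator set outside Shorewall for hardening; the behaviour should be called out in a comment and in the interfaces-file documentation. The enclosing add_common_rules continues outside the hunk.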
@@ -6951,7 +7292,18 @@ add_common_rules() { run_and_save_command "echo 1 > $file" else error_message \ - "Warning: Cannot set ARP filtering on $interface" + "WARNING: Cannot set ARP filtering on $interface" + fi + done + + for interface in $interfaces1; do + file=/proc/sys/net/ipv4/conf/$interface/arp_ignore + if [ -f $file ]; then + eval command="\"echo \$$(chain_base $interface)_arp_ignore > $file\"" + run_and_save_command "$command" + else + error_message \ + "WARNING: Cannot set ARP filtering on $interface" fi done fi @@ -6975,7 +7327,7 @@ add_common_rules() { run_and_save_command "echo 1 > $file" else error_message \ - "Warning: Cannot set route filtering on $interface" + "WARNING: Cannot set route filtering on $interface" fi done @@ -7009,7 +7361,7 @@ add_common_rules() { run_and_save_command "echo 1 > $file" else error_message \ - "Warning: Cannot set Martian logging on $interface" + "WARNING: Cannot set Martian logging on $interface" fi done @@ -7040,7 +7392,7 @@ add_common_rules() { run_and_save_command "echo 1 > $file" else error_message \ - "Warning: Cannot set Accept Source Routing on $interface" + "WARNING: Cannot set Accept Source Routing on $interface" fi done fi @@ -7091,22 +7443,19 @@ apply_policy_rules() { eval policy=\$${chain}_policy eval loglevel=\$${chain}_loglevel eval synparams=\$${chain}_synparams + eval epolicy=\$${chain}_epolicy [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel if havechain $chain; then + [ "$epolicy" = ACCEPT ] && ordinal=2 || ordinal=3 [ -n "$synparams" ] && \ - run_iptables -I $chain 2 -p tcp --syn -j @$chain - else + run_iptables -I $chain $ordinal -p tcp --syn -j @$chain + elif [ "$policy" != CONTINUE ]; then # # The chain doesn't exist. Create the chain and add policy # rules # - # We must include the ESTABLISHED and RELATED state - # rule here to account for replys and reverse - # related sessions associated with sessions going - # in the other direction - # createchain $chain yes # 
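Review bot: The arp_ignore loop added in hunk `@@ -6951` reuses the arp_filter message `WARNING: Cannot set ARP filtering on $interface`, so an arp_ignore failure is indistinguishable from an arp_filter failure in the log; use `"WARNING: Cannot set arp_ignore on $interface"`. The value written is taken from `\$$(chain_base $interface)_arp_ignore` via eval and echoed into the sysctl file unchecked in this hunk; if the interfaces-file parser (find_interfaces_by_option1, not in this diff) does not limit it to the documented 1/2/3/8 set, a mistyped option is written as-is, so a `case` over the allowed values before run_and_save_command would be worthwhile.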
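Review bot: `[ "$epolicy" = ACCEPT ] && ordinal=2 || ordinal=3` (hunk `@@ -7091`) assumes an existing chain has exactly one ESTABLISHED/RELATED rule at its head when epolicy is ACCEPT and exactly two otherwise; that matches what policy_rules inserts for ACCEPT and QUEUE, but for any other epolicy value (policy_rules adds no state rule) the syn-flood jump would land one slot too late. If the policy-file parser can yield other values, derive the position from the same case policy_rules uses, or at least document the coupling: `# slots 1 (ACCEPT) or 1-2 (QUEUE) hold the E/R rules inserted by policy_rules`. Hunk `@@ -7116` relies on the same ordering by inserting the syn rule with a bare -I before policy_rules runs.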
@@ -7116,19 +7465,19 @@ apply_policy_rules() { # Otherwise, this is a canonical chain which will be handled in # the for loop below # - case $chain in - all2*|*2all) - policy_rules $chain $policy $loglevel - ;; - esac - if [ -n "$synparams" ]; then case $policy in ACCEPT|CONTINUE|QUEUE) - run_iptables -I $chain 2 -p tcp --syn -j @$chain + run_iptables -I $chain -p tcp --syn -j @$chain ;; esac fi + + case $chain in + all2*|*2all) + policy_rules $chain $policy $epolicy $loglevel + ;; + esac fi done @@ -7136,8 +7485,8 @@ apply_policy_rules() { # # Add policy rules to canonical chains # - for zone in $FW $zones; do - for zone1 in $FW $zones; do + for zone in $FW $ZONES; do + for zone1 in $FW $ZONES; do chain=${zone}2${zone1} if havechain $chain; then run_user_exit $chain @@ -7149,7 +7498,7 @@ apply_policy_rules() { # # Activate the rules -# +# activate_rules() { local PREROUTING_rule=1 @@ -7215,17 +7564,22 @@ activate_rules() addnatjump POSTROUTING $(output_chain $interface) -o $interface done - > ${STATEDIR}/chains - > ${STATEDIR}/zones + > /var/lib/shorewall/chains + > /var/lib/shorewall/zones # # Create forwarding chains for complex zones and generate jumps for IPSEC source hosts to that chain. # - for zone in $zones; do + for zone in $ZONES; do if eval test -n \"\$${zone}_is_complex\" ; then frwd_chain=${zone}_frwd createchain $frwd_chain No if [ -n "$POLICY_MATCH" ]; then + # + # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the + # '--pol ipsec --dir in' rules at the front of the interface forwarding chains. Otherwise, decrypted packets + # can match '--pol none --dir out' rules and send the packets down the wrong rules chain. + # eval is_ipsec=\$${zone}_is_ipsec if [ -n "$is_ipsec" ]; then @@ -7248,7 +7602,7 @@ activate_rules() fi done - for zone in $zones; do + for zone in $ZONES; do eval source_hosts=\$${zone}_hosts chain1=$(rules_chain $FW $zone) 
@@ -7258,11 +7612,11 @@ activate_rules() [ -n "$complex" ] && frwd_chain=${zone}_frwd - echo $zone $source_hosts >> ${STATEDIR}/zones - + echo $zone $source_hosts >> /var/lib/shorewall/zones + if [ -n "$DYNAMIC_ZONES" ]; then - echo "$FW $zone $chain1" >> ${STATEDIR}/chains - echo "$zone $FW $chain2" >> ${STATEDIR}/chains + echo "$FW $zone $chain1" >> /var/lib/shorewall/chains + echo "$zone $FW $chain2" >> /var/lib/shorewall/chains fi need_broadcast= @@ -7271,7 +7625,7 @@ activate_rules() interface=${host%%:*} networks=${host#*:} - run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1 + [ -n "$chain1" ] && run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1 # # Add jumps from the builtin chains for DNAT and SNAT rules @@ -7279,7 +7633,7 @@ activate_rules() addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host) addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) - run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2 + [ -n "$chain2" ] && run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2 if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain 
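Review bot: The `[ -n "$chain1" ] && run_iptables2 ...` and `[ -n "$chain2" ] && run_iptables2 ...` guards (hunks `@@ -7271` and `@@ -7279`) silently skip the OUTPUT and input-chain jumps when rules_chain returned nothing, but unlike the `[ -z "$chain" ] && continue # CONTINUE policy ...` line in the following hunk they carry no explanation, so they read as defensive checks against an error rather than the intended CONTINUE handling. Append `# empty when the policy is CONTINUE` to each guard. The enclosing activate_rules starts and ends outside these hunks.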
@@ -7296,12 +7650,14 @@ activate_rules() esac done - for interface in $need_broadcast ; do - run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1 - run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1 - done - - for zone1 in $zones; do + if [ -n "$chain1" ]; then + for interface in $need_broadcast ; do + run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1 + run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1 + done + fi + + for zone1 in $ZONES; do eval policy=\$${zone}2${zone1}_policy @@ -7311,7 +7667,9 @@ activate_rules() chain="$(rules_chain $zone $zone1)" - [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> ${STATEDIR}/chains + [ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain. + + [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> /var/lib/shorewall/chains if [ $zone = $zone1 ]; then # @@ -7355,14 +7713,14 @@ activate_rules() interface=${host%%:*} networks=${host#*:} - chain1=$(forward_chain $interface) + chain3=$(forward_chain $interface) for host1 in $dest_hosts; do interface1=${host1%%:*} networks1=${host1#*:} if [ "$host" != "$host1" ] || list_search $host $routeback; then - run_iptables2 -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain + run_iptables2 -A $chain3 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain fi done done @@ -7405,6 +7763,8 @@ activate_rules() # # Remove rules added to keep the firewall alive during [re]start" # + disable_critical_hosts + for chain in INPUT OUTPUT FORWARD; do run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT 
@@ -7491,7 +7851,8 @@ define_firewall() # $1 = Command (Start or Restart) # [re]-Establish routing # setup_providers $(find_file providers) - setup_routes $(find_file routes) + [ -n "$ROUTEMARK_INTERFACES" ] && setup_routes + echo "Setting up NAT..."; setup_nat echo "Setting up NETMAP..."; setup_netmap @@ -7501,9 +7862,7 @@ define_firewall() # $1 = Command (Start or Restart) [ -f $tunnels ] && \ echo "Processing $tunnels..." && setup_tunnels $tunnels - ipsecfile=$(find_file ipsec) - [ -f $ipsecfile ] && \ - echo "Processing $ipsecfile..." && setup_ipsec $ipsecfile + setup_ipsec maclist_hosts=$(find_hosts_by_option maclist) [ -n "$maclist_hosts" ] && setup_mac_lists @@ -7546,8 +7905,7 @@ define_firewall() # $1 = Command (Start or Restart) save_command "#" save_command "# Restore tail file generated by Shorewall $version - $(date)" save_command "#" - save_command "date > $STATEDIR/restarted" - save_command "#" + save_command "date > /var/lib/shorewall/restarted" run_user_exit start @@ -7555,7 +7913,7 @@ define_firewall() # $1 = Command (Start or Restart) createchain shorewall no - date > $STATEDIR/restarted + date > /var/lib/shorewall/restarted report "Shorewall ${1}ed" @@ -7565,7 +7923,6 @@ define_firewall() # $1 = Command (Start or Restart) mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base mv -f $RESTOREBASE /var/lib/shorewall/restore-tail - } # @@ -7581,8 +7938,6 @@ refresh_firewall() validate_interfaces_file - [ -z "$zones" ] && startup_error "No Zones Defined" - determine_interfaces run_user_exit refresh 
@@ -7687,12 +8042,12 @@ add_to_zone() # $1...${n-1} = [:] $n = zone # # Be sure that Shorewall has been restarted using a DZ-aware version of the code # - [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" - [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" + [ -f /var/lib/shorewall/chains ] || startup_error "/var/lib/shorewall/chains -- file not found" + [ -f /var/lib/shorewall/zones ] || startup_error "/var/lib/shorewall/zones -- file not found" # # Check for duplicates and create a new zone state file # - > ${STATEDIR}/zones_$$ + > /var/lib/shorewall/zones_$$ while read z hosts; do if [ "$z" = "$zone" ]; then @@ -7710,10 +8065,10 @@ add_to_zone() # $1...${n-1} = [:] $n = zone eval ${z}_hosts=\"$hosts\" - echo "$z $hosts" >> ${STATEDIR}/zones_$$ - done < ${STATEDIR}/zones + echo "$z $hosts" >> /var/lib/shorewall/zones_$$ + done < /var/lib/shorewall/zones - mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones + mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones terminator=fatal_error # @@ -7783,7 +8138,7 @@ add_to_zone() # $1...${n-1} = [:] $n = zone done fi fi - done < ${STATEDIR}/chains + done < /var/lib/shorewall/chains progress_message "$newhost added to zone $zone" @@ -7859,12 +8214,12 @@ delete_from_zone() # $1 = [:] $2 = zone # # Be sure that Shorewall has been restarted using a DZ-aware version of the code # - [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" - [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" + [ -f /var/lib/shorewall/chains ] || startup_error "/var/lib/shorewall/chains -- file not found" + [ -f /var/lib/shorewall/zones ] || startup_error "/var/lib/shorewall/zones -- file not found" # # Delete the passed hosts from the zone state file # - > ${STATEDIR}/zones_$$ + > /var/lib/shorewall/zones_$$ while read z hosts; do if [ "$z" = "$zone" ]; then 
@@ -7898,10 +8253,10 @@ delete_from_zone() # $1 = [:] $2 = zone eval ${z}_hosts=\"$hosts\" - echo "$z $hosts" >> ${STATEDIR}/zones_$$ - done < ${STATEDIR}/zones + echo "$z $hosts" >> /var/lib/shorewall/zones_$$ + done < /var/lib/shorewall/zones - mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones + mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones terminator=fatal_error @@ -7958,7 +8313,7 @@ delete_from_zone() # $1 = [:] $2 = zone done fi fi - done < ${STATEDIR}/chains + done < /var/lib/shorewall/chains progress_message "$delhost removed from zone $zone" @@ -8039,7 +8394,6 @@ do_initialize() { IPTABLES= FW= SUBSYSLOCK= - STATEDIR= ALLOWRELATED=Yes LOGRATE= LOGBURST= @@ -8063,7 +8417,6 @@ do_initialize() { TCP_FLAGS_DISPOSITION= TCP_FLAGS_LOG_LEVEL= RFC1918_LOG_LEVEL= - BOGON_LOG_LEVEL= MARK_IN_FORWARD_CHAIN= SHARED_DIR=/usr/share/shorewall FUNCTIONS= @@ -8084,11 +8437,11 @@ do_initialize() { DELAYBLACKLISTLOAD= LOGTAGONLY= LOGALLNEW= - DROPINVALID= RFC1918_STRICT= MACLIST_TTL= SAVE_IPSETS= RESTOREFILE= + MAPOLDACTIONS= RESTOREBASE= TMP_DIR= @@ -8096,6 +8449,8 @@ do_initialize() { ROUTEMARK_INTERFACES= ROUTEMARK=256 PROVIDERS= + CRITICALHOSTS= + IPSECFILE= stopping= have_mutex= @@ -8166,9 +8521,7 @@ do_initialize() { determine_capabilities - [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall - - [ -d $STATEDIR ] || mkdir -p $STATEDIR + [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall [ -z "$FW" ] && FW=fw @@ -8253,7 +8606,6 @@ do_initialize() { fi [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info - [ -z "$BOGON_LOG_LEVEL" ] && BOGON_LOG_LEVEL=info MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN) [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre 
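Review bot: With the `STATEDIR=` initialisation removed and /var/lib/shorewall hard-wired (hunk `@@ -8166` and the path hunks throughout), a shorewall.conf that still sets STATEDIR is now silently ignored while the lock file, chains/zones state and the saved restore files all move to the new directory. Consider `[ -n "$STATEDIR" ] && error_message "WARNING: STATEDIR is no longer supported; state is kept in /var/lib/shorewall"` after shorewall.conf has been read. The `mkdir -p /var/lib/shorewall` here, and the same call in mutex_on in Shorewall/functions, create the directory with the caller's umask; `mkdir -p -m 700 /var/lib/shorewall` would keep the saved configuration and `zones_$$` temporaries from being world-readable on first creation.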
@@ -8290,9 +8642,20 @@ do_initialize() { RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD) LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) - DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) - SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) + SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) + MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS) + + case ${IPSECFILE:=ipsec} in + ipsec|zones) + ;; + *) + startup_error "Invalid value ($IPSECFILE) for IPSECFILE option" + ;; + esac + + [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD" + # # Strip the files that we use often # @@ -8403,7 +8766,7 @@ case "$COMMAND" in $IPTABLES -t nat -Z $IPTABLES -t mangle -Z report "Shorewall Counters Reset" - date > $STATEDIR/restarted + date > /var/lib/shorewall/restarted my_mutex_off ;; diff --git a/Shorewall/functions b/Shorewall/functions index 738dae7c2..181ff47e1 100755 --- a/Shorewall/functions +++ b/Shorewall/functions @@ -1,6 +1,6 @@ #!/bin/sh # -# Shorewall 2.4 -- /usr/share/shorewall/functions +# Shorewall 2.6 -- /usr/share/shorewall/functions # Function to truncate a string -- It uses 'cut -b -' # rather than ${v:first:last} because light-weight shells like ash and 
@@ -262,85 +262,6 @@ reload_kernel_modules() { } -# -# Find the zones -# -find_zones() # $1 = name of the zone file -{ - while read zone display comments; do - expandv zone display - [ -n "$zone" ] && case "$zone" in - [0-9*]) - echo " Warning: Illegal zone name \"$zone\" in zones file ignored" 2>&2 - ;; - \#*) - ;; - $FW|all|none) - echo " Warning: Reserved zone name \"$zone\" in zones file ignored" >&2 - ;; - *) - echo $zone - ;; - esac - done < $1 -} - -find_display() # $1 = zone, $2 = name of the zone file -{ - grep ^$1 $2 | while read z display comments; do - [ "x$1" = "x$z" ] && echo $display - done -} -# -# This function assumes that the TMP_DIR variable is set and that -# its value named an existing directory. -# -determine_zones() -{ - local zonefile=$(find_file zones) - - multi_display=Multi-zone - strip_file zones $zonefile - zones=$(find_zones $TMP_DIR/zones) - newzones= - - for zone in $zones; do - dsply=$(find_display $zone $TMP_DIR/zones) - [ ${#zone} -gt 5 ] && echo " Warning: Zone name longer than 5 characters: $zone" >&2 - eval ${zone}_display=\$dsply - newzones="$newzones $zone" - done - - zones=${newzones# } -} - -# -# The following functions may be used by apps that wish to ensure that -# the state of Shorewall isn't changing -# -# This function loads the STATEDIR variable (directory where Shorewall is to -# store state files). If your application supports alternate Shorewall -# configurations then the name of the alternate configuration directory should -# be in $SHOREWALL_DIR at the time of the call. -# -# If the shorewall.conf file does not exist, this function does not return -# -get_statedir() -{ - MUTEX_TIMEOUT= - - local config=$(find_file shorewall.conf) - - if [ -f $config ]; then - . $config - else - echo "/etc/shorewall/shorewall.conf does not exist!" >&2 - exit 2 - fi - - [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall -} - # # Call this function to assert MUTEX with Shorewall. 
If you invoke the # /sbin/shorewall program while holding MUTEX, you should pass "nolock" as @@ -353,13 +274,13 @@ get_statedir() mutex_on() { local try=0 - local lockf=$STATEDIR/lock + local lockf=/var/lib/shorewall/lock MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60} if [ $MUTEX_TIMEOUT -gt 0 ]; then - [ -d $STATEDIR ] || mkdir -p $STATEDIR + [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall if qt which lockfile; then lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} @@ -384,7 +305,7 @@ mutex_on() # mutex_off() { - rm -f $STATEDIR/lock + rm -f /var/lib/shorewall/lock } # diff --git a/Shorewall/help b/Shorewall/help index 60c21a5f1..437a08ff7 100755 --- a/Shorewall/help +++ b/Shorewall/help @@ -1,6 +1,6 @@ #!/bin/sh # -# Shorewall help subsystem - V2.4 +# Shorewall help subsystem - V2.6 # # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] @@ -172,17 +172,6 @@ logwatch) and produces an audible alarm when new Shorewall messages are logged." ;; -monitor) - echo "monitor: monitor [] - - shorewall [-x] monitor [] - - Continuously display the firewall status, last 20 log entries and nat. - When the log entry display changes, an audible alarm is sounded. - - When -x is given, that option is also passed to iptables to display actual packet and byte counts." - ;; - refresh) echo "refresh: [ -q ] refresh The rules involving the broadcast addresses of firewall interfaces, diff --git a/Shorewall/hosts b/Shorewall/hosts index 673561a04..a34a002c5 100644 --- a/Shorewall/hosts +++ b/Shorewall/hosts @@ -1,5 +1,5 @@ # -# Shorewall 2.4 - /etc/shorewall/hosts +# Shorewall 2.6 - /etc/shorewall/hosts # # THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN # ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE. diff --git a/Shorewall/init b/Shorewall/init index 41c49e614..4abff4c54 100644 --- a/Shorewall/init +++ b/Shorewall/init 
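Review bot: mutex_on now hard-codes /var/lib/shorewall/lock, while the `get_statedir` function that the comment block above told external applications to call before mutex_on is removed in the preceding hunk; any application following that advice now fails on an undefined function, and the remaining comment still describes the old protocol. Update the comment to say the lock location is fixed and get_statedir no longer exists, and either keep a stub for one release or document the removal in the changelog.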
@@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.4 -- /etc/shorewall/init +# Shorewall 2.6 -- /etc/shorewall/init # # Add commands below that you want to be executed at the beginning of # a "shorewall start" or "shorewall restart" command. diff --git a/Shorewall/initdone b/Shorewall/initdone index cec87fe90..080bc7757 100755 --- a/Shorewall/initdone +++ b/Shorewall/initdone @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.4 -- /etc/shorewall/initdone +# Shorewall 2.6 -- /etc/shorewall/initdone # # Add commands below that you want to be executed during # "shorewall start" or "shorewall restart" commands at the point where diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 3471ae284..dc2da9e6b 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=2.4.0 +VERSION=2.5.0 usage() # $1 = exit status { @@ -264,8 +264,9 @@ if [ -f ${PREFIX}/etc/shorewall/ipsec ]; then else run_install $OWNERSHIP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec echo - echo "Ipsec file installed as ${PREFIX}/etc/shorewall/ipsec" + echo "Dummy IPSEC file installed as ${PREFIX}/etc/shorewall/ipsec" fi + # # Install the hosts file # @@ -408,15 +409,9 @@ else echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist" fi # -# Install the Routes file +# Delete the Routes file # -if [ -f ${PREFIX}/etc/shorewall/routes ]; then - backup_file /etc/shorewall/routes -else - run_install $OWNERSHIP -m 0600 routes ${PREFIX}/etc/shorewall/routes - echo - echo "Routes file installed as ${PREFIX}/etc/shorewall/routes" -fi +delete_file /etc/shorewall/routes # # Install the Providers file 
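Review bot: `delete_file /etc/shorewall/routes` (install.sh hunk `@@ -408`) is called without `${PREFIX}`, unlike the install paths around it (`${PREFIX}/etc/shorewall/ipsec`, `${PREFIX}/etc/shorewall/blacklist`); unless delete_file prepends PREFIX itself (its definition is not in this diff, and the old backup_file call was also made without it), a staged install with PREFIX set would remove the file on the build host rather than in the staging tree. It also removes a user-edited file without the backup the other config files get, and its contents are not migrated; `delete_file ${PREFIX}/etc/shorewall/routes` preceded by a backup would be safer. Separately, `VERSION=2.5.0` in the `@@ -22` hunk disagrees with the `Shorewall 2.6` headers elsewhere in this commit.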
@@ -443,12 +438,6 @@ install_file_with_backup rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0600 echo echo "RFC 1918 file installed as ${PREFIX}/usr/share/shorewall/rfc1918" # -# Install the bogons file -# -install_file_with_backup bogons ${PREFIX}/usr/share/shorewall/bogons 0600 -echo -echo "Bogon file installed as ${PREFIX}/usr/share/shorewall/bogons" -# # Install the default config path file # install_file_with_backup configpath ${PREFIX}/usr/share/shorewall/configpath 0600 @@ -570,6 +559,14 @@ for f in action.* ; do echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f" done # +# Install the Macro files +# +for f in macro.* ; do + install_file_with_backup $f ${PREFIX}/usr/share/shorewall/$f 0600 + echo + echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f" +done +# # Backup the version file # if [ -z "$PREFIX" ]; then diff --git a/Shorewall/interfaces b/Shorewall/interfaces index 6c387123a..0b2081b52 100644 --- a/Shorewall/interfaces +++ b/Shorewall/interfaces @@ -1,5 +1,5 @@ # -# Shorewall 2.4 -- Interfaces File +# Shorewall 2.6 -- Interfaces File # # /etc/shorewall/interfaces # 
@@ -155,6 +155,37 @@ # interface. The interface must be up # when Shorewall is started. # +# arp_ignore[=] +# - If specified, this interface will +# respond to arp requests based on the +# value of . +# +# 1 - reply only if the target IP address +# is local address configured on the +# incoming interface +# +# 2 - reply only if the target IP address +# is local address configured on the +# incoming interface and both with the +# sender's IP address are part from same +# subnet on this interface +# +# 3 - do not reply for local addresses +# configured with scope host, only +# resolutions for global and link +# addresses are replied +# +# 4-7 - reserved +# +# 8 - do not reply for all local +# addresses +# +# If no is given then the value +# 1 is assumed +# +# WARNING -- DO NOT SPECIFY arp_ignore +# FOR ANY INTERFACE INVOLVED IN PROXY ARP. +# # nosmurfs - Filter packets for smurfs # (packets with a broadcast # address as the source). @@ -164,7 +195,7 @@ # shorewall.conf. After logging, the # packets are dropped. # -# detectnets - Automatically tailors the zone named +# detectnets - Automatically taylors the zone named # in the ZONE column to include only those # hosts routed through the interface. # diff --git a/Shorewall/ipsec b/Shorewall/ipsec index ddd44f712..8ec38bf90 100644 --- a/Shorewall/ipsec +++ b/Shorewall/ipsec 
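Review bot: Hunk `@@ -164` of Shorewall/interfaces replaces the correct spelling `tailors` with `taylors` in the detectnets description; this looks like an accidental revert and the line should stay `# detectnets - Automatically tailors the zone named`.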
@@ -1,59 +1,7 @@ # -# Shorewall 2.4 - /etc/shorewall/ipsec +# The /etc/shorewall/ipsec file is obsolete -- the information +# previously contained in this file is now placed in the +# /etc/shorewall/zones file. # -# This file defines the attributes of zones with respect to -# IPSEC. To use this file for any purpose except for setting mss, -# you must be running a 2.6 kernel and both your kernel and iptables -# must include Policy Match Support. -# -# The columns are: -# -# ZONE The name of a zone defined in /etc/shorewall/zones. The -# $FW zone may not be listed. -# -# IPSEC Yes -- Communication with all zone hosts is encrypted -# ONLY No -- Communication with some zone hosts is encrypted. -# Encrypted hosts are designated using the 'ipsec' -# option in /etc/shorewall/hosts. -# -# OPTIONS, A comma-separated list of options as follows: -# IN OPTIONS, -# OUT OPTIONS reqid= where is specified -# using setkey(8) using the 'unique: -# option for the SPD level. -# -# spi= where is the SPI of -# the SA used to encrypt/decrypt packets. -# -# proto=ah|esp|ipcomp -# -# mss= (sets the MSS field in TCP packets) -# -# mode=transport|tunnel -# -# tunnel-src=
[/] (only -# available with mode=tunnel) -# -# tunnel-dst=
[/] (only -# available with mode=tunnel) -# -# strict Means that packets must match all rules. -# -# next Separates rules; can only be used with -# strict.. -# -# Example: -# mode=transport,reqid=44 -# -# The options in the OPTIONS column are applied to both incoming -# and outgoing traffic. The IN OPTIONS are applied to incoming -# traffic (in addition to OPTIONS) and the OUT OPTIONS are -# applied to outgoing traffic. -# -# If you wish to leave a column empty but need to make an entry -# in a following column, use "-". -################################################################################### -#ZONE IPSEC OPTIONS IN OUT -# ONLY OPTIONS OPTIONS -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +# See the IPSECFILE option in shorewall.conf for further information. diff --git a/Shorewall/maclist b/Shorewall/maclist index 0835985f1..bed3465e4 100644 --- a/Shorewall/maclist +++ b/Shorewall/maclist @@ -1,5 +1,5 @@ # -# Shorewall 2.4 - MAC list file +# Shorewall 2.6 - MAC list file # # This file is used to define the MAC addresses and optionally their # associated IP addresses to be allowed to use the specified interface. diff --git a/Shorewall/action.AllowICMPs b/Shorewall/macro.AllowICMPs similarity index 85% rename from Shorewall/action.AllowICMPs rename to Shorewall/macro.AllowICMPs index 4269d3844..81207766f 100644 --- a/Shorewall/action.AllowICMPs +++ b/Shorewall/macro.AllowICMPs @@ -1,5 +1,5 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowICMPs +# Shorewall 2.6 /usr/share/shorewall/macro.AllowICMPs # # ACCEPT needed ICMP types # diff --git a/Shorewall/action.AllowBitTorrent b/Shorewall/macro.Amanda similarity index 65% rename from Shorewall/action.AllowBitTorrent rename to Shorewall/macro.Amanda index aabf3bd3d..15a78c0ba 100644 --- a/Shorewall/action.AllowBitTorrent +++ b/Shorewall/macro.Amanda 
@@ -1,10 +1,10 @@ # -# Shorewall action.AllowBitTorrent +# Shorewall macro.Amanda # -# This action accepts BitTorrent traffic. +# This macro handles connections to the AMANDA backup system. # ################################################################################ #TARGET SOURCE DEST PROTO DEST SOURCE RATE # PORT PORT(S) LIMIT -ACCEPT - - tcp 6881:6889 +PARAM - - udp 10080 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowGnutella b/Shorewall/macro.Auth similarity index 70% rename from Shorewall/action.AllowGnutella rename to Shorewall/macro.Auth index be2fa489b..d27667026 100644 --- a/Shorewall/action.AllowGnutella +++ b/Shorewall/macro.Auth @@ -1,11 +1,10 @@ # -# Shorewall action.AllowGnutella +# Shorewall 2.6 /usr/share/shorewall/macro.Auth # -# This action accepts gnutella traffic. +# This macro handles Auth (identd) traffic. # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 6346 -ACCEPT - - udp 6346 +PARAM - - tcp 113 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.BitTorrent b/Shorewall/macro.BitTorrent new file mode 100644 index 000000000..173078cec --- /dev/null +++ b/Shorewall/macro.BitTorrent @@ -0,0 +1,10 @@ +# +# Shorewall macro.BitTorrent +# +# This macro handles BitTorrent traffic. +# +################################################################################ +#TARGET SOURCE DEST PROTO DEST SOURCE RATE +# PORT PORT(S) LIMIT +PARAM - - tcp 6881:6889 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.DropSMTP b/Shorewall/macro.CVS similarity index 67% rename from Shorewall/action.DropSMTP rename to Shorewall/macro.CVS index 9ea190c9d..27e237cfc 100644 --- a/Shorewall/action.DropSMTP +++ b/Shorewall/macro.CVS 
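Review bot: The header of macro.Amanda reads `# Shorewall macro.Amanda`, while macro.Auth in the same stretch of the diff uses `# Shorewall 2.6 /usr/share/shorewall/macro.Auth`; the renamed and added macro files mix the two header forms throughout (macro.BitTorrent, macro.CVS, macro.Edonkey, macro.Gnutella, macro.ICQ, macro.PostgreSQL, macro.Rsync, macro.SMBswat, macro.SPAMD, macro.SVN and macro.Syslog use the short form). Since these files are installed under /usr/share/shorewall and are likely to be copied into /etc/shorewall for editing, the versioned path form in every header, e.g. `# Shorewall 2.6 /usr/share/shorewall/macro.Amanda`, would make the origin and version of a copied file recognisable.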
@@ -1,10 +1,10 @@ # -# Shorewall action.DropSMTP +# Shorewall macro.CVS # -# This action silently drops SMTP traffic. +# This macro handles connections to the CVS pserver. # ################################################################################ #TARGET SOURCE DEST PROTO DEST SOURCE RATE # PORT PORT(S) LIMIT -DROP - - tcp 25 +PARAM - - tcp 2401 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowPCA b/Shorewall/macro.DNS similarity index 66% rename from Shorewall/action.AllowPCA rename to Shorewall/macro.DNS index 3284a9150..8d8cda0a6 100644 --- a/Shorewall/action.AllowPCA +++ b/Shorewall/macro.DNS @@ -1,11 +1,11 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowPCA +# Shorewall 2.6 /usr/share/shorewall/macro.DNS # -# This action accepts PCAnywere (tm) +# This macro handles DNS traffic. # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - udp 5632 -ACCEPT - - tcp 5631 +PARAM - - udp 53 +PARAM - - tcp 53 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.DropDNSrep b/Shorewall/macro.DropDNSrep similarity index 76% rename from Shorewall/action.DropDNSrep rename to Shorewall/macro.DropDNSrep index 89342d4ff..56d793eb5 100644 --- a/Shorewall/action.DropDNSrep +++ b/Shorewall/macro.DropDNSrep @@ -1,7 +1,7 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.DropDNSrep +# Shorewall 2.6 /usr/share/shorewall/macro.DropDNSrep # -# This action silently drops DNS UDP replies +# This macro silently drops DNS UDP replies # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ diff --git a/Shorewall/action.DropUPnP b/Shorewall/macro.DropUPnP similarity index 74% rename from Shorewall/action.DropUPnP rename to Shorewall/macro.DropUPnP index 68d27acfe..6f8b3bdb5 100644 
--- a/Shorewall/action.DropUPnP +++ b/Shorewall/macro.DropUPnP @@ -1,7 +1,7 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.DropUPnP +# Shorewall 2.6 /usr/share/shorewall/macro.DropUPnP # -# This action silently drops UPnP probes on UDP port 1900 +# This macro silently drops UPnP probes on UDP port 1900 # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ diff --git a/Shorewall/action.AllowEdonkey b/Shorewall/macro.Edonkey similarity index 89% rename from Shorewall/action.AllowEdonkey rename to Shorewall/macro.Edonkey index e04a0b3dc..7ac7f0517 100644 --- a/Shorewall/action.AllowEdonkey +++ b/Shorewall/macro.Edonkey @@ -1,13 +1,13 @@ # -# Shorewall action.AllowEdonkey +# Shorewall macro.Edonkey # -# This action accepts Edonkey traffic. +# This macro handles Edonkey traffic. # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 4662 -ACCEPT - - udp 4665 +PARAM - - tcp 4662 +PARAM - - udp 4665 # # http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm # says to use udp 5737 rather than 4665 diff --git a/Shorewall/action.AllowSPAMD b/Shorewall/macro.FTP similarity index 69% rename from Shorewall/action.AllowSPAMD rename to Shorewall/macro.FTP index cab4cc097..15a2811bb 100644 --- a/Shorewall/action.AllowSPAMD +++ b/Shorewall/macro.FTP @@ -1,10 +1,10 @@ # -# Shorewall action.AllowSPAMD +# Shorewall 2.6 /usr/share/shorewall/macro.FTP # -# This action accepts Spam Assassin SPAMD traffic. +# This macro handles FTP traffic. # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 783 +PARAM - - tcp 21 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
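Review bot: macro.FTP drops the pointer that the old action.AllowFTP header carried (`See http://www.shorewall.net/FTP.html for additional considerations`, visible in the macro.Trcrt rename further down), and with only `tcp 21` listed the macro matches the control connection alone; the data connections of an FTP session depend on the FTP connection-tracking helper being loaded. Keeping a line such as `# Only the control connection is matched; data connections need the FTP connection tracking helper -- see http://www.shorewall.net/FTP.html` in the header would preserve that hint for users who convert their rules from the action.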
diff --git a/Shorewall/action.AllowSSH b/Shorewall/macro.Gnutella similarity index 69% rename from Shorewall/action.AllowSSH rename to Shorewall/macro.Gnutella index 31e26266f..43a402d39 100644 --- a/Shorewall/action.AllowSSH +++ b/Shorewall/macro.Gnutella @@ -1,10 +1,11 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowSSH +# Shorewall macro.Gnutella # -# This action accepts secure shell (SSH) traffic. +# This macro handles gnutella traffic. # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 22 +PARAM - - tcp 6346 +PARAM - - udp 6346 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowICQ b/Shorewall/macro.ICQ similarity index 69% rename from Shorewall/action.AllowICQ rename to Shorewall/macro.ICQ index 8a1496975..c2bf4987a 100644 --- a/Shorewall/action.AllowICQ +++ b/Shorewall/macro.ICQ @@ -1,10 +1,10 @@ # -# Shorewall action.AllowICQ +# Shorewall macro.ICQ # -# This action accepts ICQ traffic. +# This macro handles ICQ traffic. # ################################################################################ #TARGET SOURCE DEST PROTO DEST SOURCE RATE # PORT PORT(S) LIMIT -ACCEPT - - tcp 5190 +PARAM - - tcp 5190 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.IMAP b/Shorewall/macro.IMAP new file mode 100644 index 000000000..e95832f67 --- /dev/null +++ b/Shorewall/macro.IMAP @@ -0,0 +1,11 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.IMAP +# +# This macro handles IMAP traffic (secure and insecure): +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - tcp 143 #Unsecure IMAP +PARAM - - tcp 993 #Secure IMAP +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
diff --git a/Shorewall/action.AllowDistcc b/Shorewall/macro.LDAP similarity index 58% rename from Shorewall/action.AllowDistcc rename to Shorewall/macro.LDAP index d1fdb4ada..c25d54cbd 100644 --- a/Shorewall/action.AllowDistcc +++ b/Shorewall/macro.LDAP @@ -1,11 +1,11 @@ # -# Shorewall action.AllowDistcc +# Shorewall macro.LDAP # -# This action accepts connections to the Distributed Compiler -# service. +# This macro handles LDAP traffic (secure and insecure) # ################################################################################ #TARGET SOURCE DEST PROTO DEST SOURCE RATE # PORT PORT(S) LIMIT -ACCEPT - - tcp 3632 +PARAM - - tcp 389 +PARAM - - tcp 636 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.NNTP b/Shorewall/macro.NNTP new file mode 100644 index 000000000..1e1033df8 --- /dev/null +++ b/Shorewall/macro.NNTP @@ -0,0 +1,11 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.NNTP +# +# This macro handles NNTP traffic (Usenet) and encrypted NNTP (NNTPS) +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - tcp 119 +PARAM - - tcp 563 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowNTP b/Shorewall/macro.NTP similarity index 64% rename from Shorewall/action.AllowNTP rename to Shorewall/macro.NTP index de9a57909..2e756121f 100644 --- a/Shorewall/action.AllowNTP +++ b/Shorewall/macro.NTP 
@@ -1,11 +1,11 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowNTP +# Shorewall 2.6 /usr/share/shorewall/macro.NTP # -# This action accepts NTP traffic (ntpd). +# This macro handles NTP traffic (ntpd). # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE # PORT PORT(S) DEST LIMIT -ACCEPT - - udp 123 -ACCEPT - - udp 1024: 123 +PARAM - - udp 123 +PARAM - - udp 1024: 123 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowPing b/Shorewall/macro.PCA similarity index 67% rename from Shorewall/action.AllowPing rename to Shorewall/macro.PCA index 8d7d358c3..c34cfaa08 100644 --- a/Shorewall/action.AllowPing +++ b/Shorewall/macro.PCA @@ -1,10 +1,11 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowPing +# Shorewall 2.6 /usr/share/shorewall/macro.PCA # -# This action accepts 'ping' requests. +# This macro handles PCAnywere (tm) # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - icmp 8 +PARAM - - udp 5632 +PARAM - - tcp 5631 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowPOP3 b/Shorewall/macro.POP3 similarity index 61% rename from Shorewall/action.AllowPOP3 rename to Shorewall/macro.POP3 index c478ca9ea..07b5e3e6d 100644 --- a/Shorewall/action.AllowPOP3 +++ b/Shorewall/macro.POP3 
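Review bot: The column header in macro.NTP (`#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE` over `# PORT PORT(S) DEST LIMIT`) names an ORIGINAL DEST column that macro.template in this same commit does not define (its columns end with RATE LIMIT and USER/GROUP), so the second entry's `1024:` and `123` are read against a header that disagrees with the template; macro.POP3 in the next hunk carries the same header. Aligning both headers with the template's `#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/` form removes the ambiguity. Separately, that second entry matches any UDP datagram with source port 123 to any destination port from 1024 upward, which is broader than the reply to a single client query; it is inherited from action.AllowNTP, but a comment saying so would help a user decide whether they need that line at all.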
@@ -1,11 +1,11 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowPOP3 +# Shorewall 2.6 /usr/share/shorewall/macro.POP3 # -# This action accepts POP3 traffic (secure and insecure): +# This macro handles POP3 traffic (secure and insecure): # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE # PORT PORT(S) DEST LIMIT -ACCEPT - - tcp 110 #Unsecure POP3 -ACCEPT - - tcp 995 #Secure POP3 +PARAM - - tcp 110 #Unsecure POP3 +PARAM - - tcp 995 #Secure POP3 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Ping b/Shorewall/macro.Ping new file mode 100644 index 000000000..5177756f2 --- /dev/null +++ b/Shorewall/macro.Ping @@ -0,0 +1,10 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.Ping +# +# This macro handles 'ping' requests. +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - icmp 8 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowMySQL b/Shorewall/macro.PostgreSQL similarity index 66% rename from Shorewall/action.AllowMySQL rename to Shorewall/macro.PostgreSQL index cfa15b53b..02e962904 100644 --- a/Shorewall/action.AllowMySQL +++ b/Shorewall/macro.PostgreSQL @@ -1,10 +1,10 @@ # -# Shorewall action.AllowMySQL +# Shorewall macro.PostgreSQL # -# This action accepts connections to the MySQL server. +# This macro handles connections to the PostgreSQL server. # ################################################################################ #TARGET SOURCE DEST PROTO DEST SOURCE RATE # PORT PORT(S) LIMIT -ACCEPT - - tcp 3306 +PARAM - - tcp 5432 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Rdate b/Shorewall/macro.Rdate new file mode 100644 index 000000000..487cab8bc --- /dev/null +++ b/Shorewall/macro.Rdate 
@@ -0,0 +1,10 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.Rdate +# +# This macro handles remote time retrieval (rdate). +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - tcp 37 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowSyslog b/Shorewall/macro.Rsync similarity index 67% rename from Shorewall/action.AllowSyslog rename to Shorewall/macro.Rsync index 69eb86252..214fa2d18 100644 --- a/Shorewall/action.AllowSyslog +++ b/Shorewall/macro.Rsync @@ -1,10 +1,10 @@ # -# Shorewall action.AllowSyslog +# Shorewall macro.Rsync # -# This action accepts syslog UDP traffic. +# This macro handles connections to the rsync server. # ################################################################################ #TARGET SOURCE DEST PROTO DEST SOURCE RATE # PORT PORT(S) LIMIT -ACCEPT - - udp 514 +PARAM - - tcp 873 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SMB b/Shorewall/macro.SMB new file mode 100644 index 000000000..456cdc3e6 --- /dev/null +++ b/Shorewall/macro.SMB @@ -0,0 +1,14 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.SMB +# +# Handle Microsoft SMB traffic. You need to invoke this macro in +# both directions. +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - udp 135,445 +PARAM - - udp 137:139 +PARAM - - udp 1024: 137 +PARAM - - tcp 135,139,445 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowSMBswat b/Shorewall/macro.SMBswat similarity index 64% rename from Shorewall/action.AllowSMBswat rename to Shorewall/macro.SMBswat index a3be8eb37..bf1bb8a69 100644 --- a/Shorewall/action.AllowSMBswat +++ b/Shorewall/macro.SMBswat 
@@ -1,11 +1,11 @@ # -# Shorewall action.AllowSMBswat +# Shorewall macro.SMBswat # -# This action accepts connections to the Samba Web Administration +# This macro handles connections to the Samba Web Administration # Tool (SWAT). # ################################################################################ #TARGET SOURCE DEST PROTO DEST SOURCE RATE # PORT PORT(S) LIMIT -ACCEPT - - tcp 901 +PARAM - - tcp 901 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowSMTP b/Shorewall/macro.SMTP similarity index 65% rename from Shorewall/action.AllowSMTP rename to Shorewall/macro.SMTP index d7d8a86c9..f048724b8 100644 --- a/Shorewall/action.AllowSMTP +++ b/Shorewall/macro.SMTP @@ -1,15 +1,15 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowSMTP +# Shorewall 2.6 /usr/share/shorewall/macro.SMTP # -# This action accepts SMTP (email) traffic. +# This macro handles SMTP (email) traffic. # -# Note: This action allows traffic between an MUA (Email client) +# Note: This macro handles traffic between an MUA (Email client) # and an MTA (mail server) or between MTAs. It does not enable # reading of email via POP3 or IMAP. For those you need to use -# the AllowPOP3 or AllowIMAP actions. +# the POP3 or IMAP macros. # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 25 +PARAM - - tcp 25 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SNMP b/Shorewall/macro.SNMP new file mode 100644 index 000000000..2240ebdcd --- /dev/null +++ b/Shorewall/macro.SNMP 
@@ -0,0 +1,11 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.SNMP +# +# This macro accepts SNMP traffic (including traps): +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - udp 161:162 +PARAM - - tcp 161 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SPAMD b/Shorewall/macro.SPAMD new file mode 100644 index 000000000..c59b42ad8 --- /dev/null +++ b/Shorewall/macro.SPAMD @@ -0,0 +1,10 @@ +# +# Shorewall macro.SPAMD +# +# This macro handles Spam Assassin SPAMD traffic. +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - tcp 783 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SSH b/Shorewall/macro.SSH new file mode 100644 index 000000000..1a64367ed --- /dev/null +++ b/Shorewall/macro.SSH @@ -0,0 +1,10 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.SSH +# +# This macro handles secure shell (SSH) traffic. +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - tcp 22 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SVN b/Shorewall/macro.SVN new file mode 100644 index 000000000..89de62af6 --- /dev/null +++ b/Shorewall/macro.SVN @@ -0,0 +1,10 @@ +# +# Shorewall macro.SVN +# +# This macro handles connections to the Subversion server. +# +################################################################################ +#TARGET SOURCE DEST PROTO DEST SOURCE RATE +# PORT PORT(S) LIMIT +PARAM - - tcp 3690 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
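Review bot: macro.SNMP's header says `This macro accepts SNMP traffic (including traps):`, but both entries use PARAM, so whether the traffic is accepted, dropped or rejected depends on the target substituted at invocation. The neighbouring macro.SSH and macro.SPAMD use `handles`; `# This macro handles SNMP traffic (including traps):` keeps the description correct for a DROP or REJECT invocation as well.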
diff --git a/Shorewall/action.DropEdonkey b/Shorewall/macro.Syslog similarity index 68% rename from Shorewall/action.DropEdonkey rename to Shorewall/macro.Syslog index 8e76e6148..ebf89dacf 100644 --- a/Shorewall/action.DropEdonkey +++ b/Shorewall/macro.Syslog @@ -1,11 +1,10 @@ # -# Shorewall action.DropEdonkey +# Shorewall macro.Syslog # -# This action silently drops Edonkey Traffic. +# This macro handles syslog UDP traffic. # ################################################################################ #TARGET SOURCE DEST PROTO DEST SOURCE RATE # PORT PORT(S) LIMIT -DROP - - tcp 4662 -DROP - - udp 4665 +PARAM - - udp 514 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowTelnet b/Shorewall/macro.Telnet similarity index 68% rename from Shorewall/action.AllowTelnet rename to Shorewall/macro.Telnet index d0e141e59..17971c4db 100644 --- a/Shorewall/action.AllowTelnet +++ b/Shorewall/macro.Telnet @@ -1,11 +1,11 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowTelnet +# Shorewall 2.6 /usr/share/shorewall/macro.Telnet # -# This action accepts Telnet traffic. For traffic over the +# This macro handles Telnet traffic. For traffic over the # internet, telnet is inappropriate; use SSH instead # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 23 +PARAM - - tcp 23 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowFTP b/Shorewall/macro.Trcrt similarity index 57% rename from Shorewall/action.AllowFTP rename to Shorewall/macro.Trcrt index da51ece0a..ed9b63fbc 100644 --- a/Shorewall/action.AllowFTP +++ b/Shorewall/macro.Trcrt 
@@ -1,11 +1,11 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowFTP +# Shorewall 2.6 /usr/share/shorewall/macro.Trcrt # -# This action accepts FTP traffic. See -# http://www.shorewall.net/FTP.html for additional considerations. +# This macro handles Traceroute (for up to 30 hops): # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 21 +PARAM - - udp 33434:33524 #UDP Traceroute +PARAM - - icmp 8 #ICMP Traceroute #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.AllowDNS b/Shorewall/macro.VNC similarity index 64% rename from Shorewall/action.AllowDNS rename to Shorewall/macro.VNC index be8c9defb..defad75e4 100644 --- a/Shorewall/action.AllowDNS +++ b/Shorewall/macro.VNC @@ -1,11 +1,10 @@ # -# Shorewall 2.4 /usr/share/shorewall/action.AllowDNS +# Shorewall 2.6 /usr/share/shorewall/macro.VNC # -# This action accepts DNS traffic. +# This macro handles VNC traffic for VNC display's 0 - 9. # ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP -ACCEPT - - udp 53 -ACCEPT - - tcp 53 +PARAM - - tcp 5900:5909 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.VNCL b/Shorewall/macro.VNCL new file mode 100644 index 000000000..86c59b63d --- /dev/null +++ b/Shorewall/macro.VNCL @@ -0,0 +1,10 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.VNCL +# +# This macro handles VNC traffic from Vncservers to Vncviewers in listen mode. +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - tcp 5500 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
diff --git a/Shorewall/macro.Web b/Shorewall/macro.Web new file mode 100644 index 000000000..783d66471 --- /dev/null +++ b/Shorewall/macro.Web @@ -0,0 +1,11 @@ +# +# Shorewall 2.6 /usr/share/shorewall/macro.Web +# +# This macro handles WWW traffic (secure and insecure): +# +###################################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +PARAM - - tcp 80 +PARAM - - tcp 443 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.template b/Shorewall/macro.template new file mode 100644 index 000000000..e345f34d2 --- /dev/null +++ b/Shorewall/macro.template 
@@ -0,0 +1,69 @@ +# +# Shorewall version 2.6 - Macro Template File +# +# /usr/share/shorewall/macro.template +# +# Macro files are similar to template files with the following exceptions: +# +# - A macro file is not processed unless the marcro that it defines is referenced in the +# /etc/shorewall/rules file or in an action definition file. +# +# - Macros are translated directly into one or more rules whereas actions become their own +# chain. +# +# - All entries in a macro undergo substitution when the macro is invoked in the rules file. +# +# - Macros may not invoke other macros. +# +# The columns in a macro definition are the same as those in the action.template file. +# A few examples should help show how Macros work. +# +# /etc/shorewall/macro.FwdFTP: +# +# #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ +# # PORT PORT(S) LIMIT GROUP +# DNAT - - tcp 21 +# +# /etc/shorewall/rules: +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# # PORT PORT(S) DEST LIMIT GROUP +# FwdFTP net loc:192.168.1.5 +# +# The result is equivalent to: +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# # PORT PORT(S) DEST LIMIT GROUP +# DNAT net loc:192.168.1.5 tcp 21 +# +# The substitution rules are as follows: +# +# ACTION column If in the invocation of the macro, the macro name is followed by +# slash ("/") and a second name, the second name is substituted for +# each entry in the macro whose ACTION is PARAM +# +# For example, if macro FOO is invoked as FOO/ACCEPT then when +# expanding macro.FOO, Shorewall will substitute ACCEPT in each +# entry in macro.FOO whose ACTION column contains PARAM. PARAM may +# be optionally followed by a colon and a log level. +# +# Any logging specified when the macro is invoked is applied to each +# entry in the macros. +# +# SOURCE and DEST If the column in the macro is empty then the value in the rules +# columns file is used. 
If the column in the macro is non-empty then any +# value in the rules file is appended with a ":" separator. +# +# Example: Macro File DNAT net loc tcp 21 +# rules File FwdFTP - 192.168.1.5 +# Result DNAT net loc:192.168.1.5 tcp 21 +# +# Remaining Any value in the rules file REPLACES the value given in the macro +# columns file. +# +# +# +#################################################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/masq b/Shorewall/masq index cc96de934..e41211a3f 100755 --- a/Shorewall/masq +++ b/Shorewall/masq @@ -1,5 +1,5 @@ # -# Shorewall 2.4 - Masquerade file +# Shorewall 2.6 - Masquerade file # # /etc/shorewall/masq # diff --git a/Shorewall/modules b/Shorewall/modules index 6846bc688..124dd0709 100644 --- a/Shorewall/modules +++ b/Shorewall/modules @@ -1,5 +1,5 @@ ############################################################################## -# Shorewall 2.4 /etc/shorewall/modules +# Shorewall 2.6 /etc/shorewall/modules # # This file loads the modules needed by the firewall. # diff --git a/Shorewall/nat b/Shorewall/nat index 2b8b0e87e..3de32e577 100755 --- a/Shorewall/nat +++ b/Shorewall/nat @@ -1,6 +1,6 @@ ############################################################################## # -# Shorewall 2.4 -- Network Address Translation Table +# Shorewall 2.6 -- Network Address Translation Table # # /etc/shorewall/nat # diff --git a/Shorewall/netmap b/Shorewall/netmap index f9be759df..96aaa8ee1 100644 --- a/Shorewall/netmap +++ b/Shorewall/netmap @@ -1,6 +1,6 @@ ############################################################################## # -# Shorewall 2.4 -- Network Mapping Table +# Shorewall 2.6 -- Network Mapping Table # # /etc/shorewall/netmap # diff --git a/Shorewall/params b/Shorewall/params index 79e2fda61..fe67d793f 100644 --- a/Shorewall/params 
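Review bot: `marcro` in `unless the marcro that it defines is referenced` is a typo, and the opening sentence `Macro files are similar to template files` reads as if it meant action files, since the bullets that follow contrast macros with actions and the columns are said to be those of action.template; suggest `# Macro files are similar to action files with the following exceptions:`. The template's own column header begins with `#ACTION`, while every macro.* file added or renamed in this commit begins with `#TARGET`; using one name in both places would avoid confusion about which column PARAM belongs in.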
+++ b/Shorewall/params
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.4 /etc/shorewall/params
+# Shorewall 2.6 /etc/shorewall/params
 #
 # Assign any variables that you need here.
 #
diff --git a/Shorewall/policy b/Shorewall/policy
index 6327c596a..04a7e3d7f 100644
--- a/Shorewall/policy
+++ b/Shorewall/policy
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.4 -- Policy File
+# Shorewall 2.6 -- Policy File
 #
 # /etc/shorewall/policy
 #
@@ -50,6 +50,13 @@
 # then that action will be invoked before the policy named in
 # this column is inforced.
 #
+# The policy determined the default treatment of new
+# connection requests and may optionally be followed by ":"
+# and an ESTABLISHED policy which determines what
+# is to be done with packets that are part of an established
+# connection. The choices are ACCEPT (the default) and QUEUE
+# (to queue the packet to a user-space filter like Snort Inline).
+#
 # LOG LEVEL If supplied, each connection handled under the default
 # POLICY is logged at that level. If not supplied, no
 # log message is generated. See syslog.conf(5) for a
diff --git a/Shorewall/providers b/Shorewall/providers
index da19c2839..a5a3c2206 100755
--- a/Shorewall/providers
+++ b/Shorewall/providers
@@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.4 -- Internet Service Providers
+# Shorewall 2.6 -- Internet Service Providers
 #
 # /etc/shorewall/providers
 #
diff --git a/Shorewall/proxyarp b/Shorewall/proxyarp
index d9e508976..74cce43c5 100644
--- a/Shorewall/proxyarp
+++ b/Shorewall/proxyarp
@@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.4 -- Proxy ARP
+# Shorewall 2.6 -- Proxy ARP
 #
 # /etc/shorewall/proxyarp
 #
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 129de5222..964aae15b 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
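Review bot: The added sentence `The policy determined the default treatment of new` in the policy file should read `determines`. The ESTABLISHED policy text could also say what QUEUE implies for connections that have already been accepted: packets sent to the queue are dropped by the kernel when no user-space program is attached, so existing sessions stall whenever the filter is not running. A line such as `# Packets sent to QUEUE are dropped if no user-space program is listening.` after the Snort Inline sentence would make that explicit.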
@@ -1,367 +1,275 @@ -Shorewall 2.4.0 +Shorewall 2.5.0 ------------------------------------------------------------------------ -Problems Corrected since 2.4.0-RC2 +Problems Corrected: -1) Previously, "shorewall status" could list the same routing table's - contents more than once. +1) The behavior of CONTINUE policies has been improved. Shorewall no + longer generates a useless policy chain corresponding to these + policies. ------------------------------------------------------------------------ -Upgrade Issues when moving to 2.4.0 +2) The combining of the zones and ipsec files has now been made upward + compatible provided that the user doesn't do something idiotic such + as install the new shorewall.conf file then manually update it + with exactly the changes that had been applied to the old file. -1) Shorewall now enforces the restriction that mark values used in - /etc/shorewall/tcrules are less than 256. If you are using mark - values >= 256, you must change your configuration before you - upgrade. +Migration Considerations: -2) The value "ipp2p" is no longer accepted in the PROTO column of the - rules file. This support has never worked as intended and filtering - P2P applications this way is a bad idea to begin with (you should be - using a proxy). +1) The "monitor" command has been eliminated. -3) LEAF/Bering packages for version 2.4.0 and later will not be - available from shorewall.net. See http://leaf.sf.net for the lastest - version of Shorewall for LEAF variants. ------------------------------------------------------------------------ -New Features in version 2.4.0 +2) The "DISPLAY" and "COMMENTS" columns in the /etc/shorewall/zones + file have been removed and have been replaced by the former + columns of the /etc/shorewall/ipsec file. The latter file has been + removed. As a result, the columns in the /etc/shorewall/zones file + are now as follows: -1) Shorewall 2.4.0 includes support for multiple internet interfaces to - different ISPs. 
+ ZONE Short name of the zone (5 Characters or less in + length). - The file /etc/shorewall/providers may be used to define the - different providers. It can actually be used to define alternate - routing tables so uses like transparent proxy can use the file as - well. + The names "all" and "none" are reserved and may + not beused as zone names. - Columns are: + IPSEC Yes -- Communication with all zone hosts is + ONLY encrypted. Your kernel and iptables + must include policy match support. + No -- Communication with some zone hosts may + be encrypted. Encrypted hosts are + designated using the 'ipsec' option in + /etc/shorewall/hosts. - NAME The provider name. + OPTIONS, A comma-separated list of options as + IN OPTIONS, follows: + OUT OPTIONS + reqid= where is + specified using setkey(8) using the + 'unique: option for the SPD + level. + + spi= where is the SPI + of the SA used to encrypt/decrypt + packets. + + proto=ah|esp|ipcomp + + mss= (sets the MSS field in TCP + packets) + + mode=transport|tunnel + + tunnel-src=
[/] (only + available with mode=tunnel) + + tunnel-dst=
[/] (only + available with mode=tunnel) + + + strict Means that packets must match + all rules. + + + next Separates rules; can only be + used with strict.. + + Example: + mode=transport,reqid=44 + + The options in the OPTIONS column are applied to both + incoming and outgoing traffic. The IN OPTIONS are + applied to incoming traffic (in addition to OPTIONS) + and the OUT OPTIONS are applied to outgoing traffic. - NUMBER The provider number -- a number between 1 and 15 + If you wish to leave a column empty but need to make an + entry in a following column, use "-". + + THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE + NESTED OR OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts. + + To attempt to adhere to the principle of least astonishment, the + old /etc/shorewall/ipsec file will continue to be supported. A new + IPSECFILE variable in /etc/shorewall/shorewall.conf determines the + name of the file that Shorewall looks in for IPSEC information. If + that variable is not set or is set to the empty value then + IPSECFILE=ipsec is assumed. So if you simply upgrade and don't do + something idiotic like replace your current shorewall.conf file with + the new one, your old configuration will continue to work. A dummy + 'ipsec' file is included in the release so that your package manager + (e.g., rpm) won't remove your existing file. - MARK A FWMARK value used in your - /etc/shorewall/tcrules file to direct packets to - this provider. + The shorewall.conf file included in this release sets + IPSECFILE=zones so that new users are expected to use the new zone + file format. - DUPLICATE The name of an existing table to duplicate. May - be 'main' or the name of a previous provider. - - INTERFACE The name of the network interface to the - provider. Must be listed in - /etc/shorewall/interfaces. - - GATEWAY The IP address of the provider's gateway router. 
- If you enter "detect" here then Shorewall will - attempt to determine the gateway IP address - automatically. - - OPTIONS A comma-separated list selected from the - following: - track If specified, connections FROM this interface are - to be tracked so that responses may be routed - back out this same interface. +3) The DROPINVALID option has been removed from shorewall.conf. The + behavior will be as if DROPINVALID=No had been specified. If you + wish to drop invalid state packets, use the dropInvalid built-in + action. + +4) The 'nobogons' interface and hosts option as well as the + BOGON_LOG_LEVEL option have been eliminated. + +5) Most of the standard actions have been replaced by parameterized + macros (see below). So for example, the action.AllowSMTP and + action.DropSMTP have been removed an a parameterized macro + macro.SMTP has been added to replace them. + + In order that current users don't have to immediately update their + rules and user-defined actions, Shorewall can substitute an + invocation of the a new macro for an existing invocation of one of + the old actions. So if your rules file calls AllowSMTP, Shorewall + will replace that call with SMTP/ACCEPT. Because this substitution + is expensive, it is conditional based on the setting of + MAPOLDACTIONS in shorewall.conf. If this option is set to YES or if + it is not set (such as if you are using your old shorewall.conf + file) then Shorewall will perform the substitution. Once you have + converted to use the new macros, you can set MAPOLDACTIONS=No and + invocations of those actions will go much quicker during 'shorewall + [re]start'. + +6) The STATEDIR variable in /etc/shorewall/shorewall.conf has been + removed. STATEDIR is now fixed at /var/lib/shorewall. If you have + previously set STATEDIR to another directory, please copy the files + from that directory to /var/lib/shorewall/ before [re]starting + Shorewall after the upgrade to this version. 
+ +New Features in Shorewall 2.5.0 - You want specify 'track' if internet hosts will be - connecting to local servers through this - provider. +1) Error and warning messages are made easier to spot by using + capitalization (e.g., ERROR: and WARNING:). - Because of limitations in the 'ip' utility and - policy routing, you may not use the SAVE or - RESTORE tcrules options or use connection - marking on any traffic to or from this - interface. For traffic control purposes, you - must mark packets in the FORWARD chain (or - better yet, use the CLASSIFY target). +2) Beginning with this version, the POLICY column in + /etc/shorewall/policy to potentially contain two policies separated + by ":". The first policy is the policy for new connections (the only + policy that you can currently configure). The second policy is for + ESTABLISHED packets (those that are part of an established + connection) and must be either ACCEPT (the default) or QUEUE. So if + the policy column contains DROP:QUEUE then new connection requests + are dropped by default but packets that are part of an established + connection are sent to the QUEUE target. RELATED state packets are + always ACCEPTED so that ICMPs (which are almost always RELATED) + won't go through QUEUE. - balance The providers that have 'balance' specified will - get outbound traffic load-balanced among them. By - default, all interfaces with 'balance' specified - will have the same weight (1). You can change the - weight of the route out of the interface by - specifiying balance= where is - the desired route weight. - - Example: You run squid in your DMZ on IP address - 192.168.2.99. Your DMZ interface is eth2 +3) A new option 'critical' has been added to + /etc/shorewall/routestopped. This option can be used to enable + communication with a host or set of hosts during the entire + "shorewall [re]start/stop" process. 
Listing a host with this option + differs from listing it without the option in several ways: - #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS - Squid 1 1 - eth2 192.168.2.99 - + a) The option only affect traffic between the listed host(s) and the + firewall itself. - Use of this feature requires that your kernel and iptables - support CONNMARK target and conntrack match support. It does NOT - require the ROUTE target extension. - - WARNING: The current version of iptables (1.3.1) is broken with - respect to CONNMARK and iptables-save/iptables-restore. This means - that if you configure multiple ISPs, "shorewall restore" will - fail. You must patch your iptables using the patch at - http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff. - -2) Shorewall 2.3.0 supports the 'cmd-owner' option of the owner match - facility in Netfilter. Like all owner match options, 'cmd-owner' may - only be applied to traffic that originates on the firewall. + b) If there are any entries with 'critical', the firewall + will be completely opened briefly during start, restart and stop but + there will be no chance of any packets to/from the listed host(s) + being dropped or rejected. - The syntax of the USER/GROUP column in the following files has been - extended: + Possible uses for this option are: + + a) Root fileset is NFS mounted. You will want to list the NFS server + in the 'critical' option. + + b) You are running Shorewall in a Crossbeam environment + (www.crossbeam.com). You will want to list the Crossbeam interface + in this option + +4) A new 'macro' feature has been added. + + Macros are very similar to actions and can be used in similar + ways. The differences between actions and macros are as follows: - /etc/shorewall/accounting - /etc/shorewall/rules - /etc/shorewall/tcrules - /usr/share/shorewall/action.template - - To specify a command, prefix the command name with "+". 
+ a) An action creates a separate chain with the same name as the + action (when logging is specified on the invocation of an action, + a chain beginning with "%" followed by the name of the action and + possibly followed by a number is created). When a macro is + invoked, it is expanded in-line and no new chain is created. + + b) An action may be specified as the default action for a policy; + macros cannot be specified this way. + + c) Actions must be listed in either /usr/share/shorewall/actions.std + or in /etc/shorewall/actions. Macros are defined simply by + placing their definition file in the CONFIG_PATH. - Examples: + d) Actions are defined in a file with a name beginning with + "action." and followed by the name of the action. Macro files are + defined in a file with a name beginning with "macro.". - +mozilla-bin #The program is named "mozilla-bin" - joe+mozilla-bin #The program is named "mozilla-bin" and - #is being run by user "joe" - joe:users+mozilla-bin #The program is named "mozilla-bin" and - #is being run by user "joe" with - #effective group "users". + e) Actions may invoke other actions. Macros may not directly invoke + other macros although they may invoke other macros indirectly + through an action. - Note that this is not a particularly robust feature and I would - never advertise it as a "Personal Firewall" equivalent. Using - symbolic links, it's easy to alias command names to be anything you - want. + f) DNAT[-] and REDIRECT[-] rules may not appear in an action. They + are allowed in a macro with the restriction that the a macro + containing one of these rules may not be invoked from an action. -3) Support has been added for ipsets - (see http://people.netfilter.org/kadlec/ipset/). + g) The values specified in the various columns when you invoke a + macro are substituted in the corresponding column in each rule in + the macro. 
The first three columns get special treatment: - In most places where a host or network address may be used, you may - also use the name of an ipset prefaced by "+". + TARGET If you code PARAM as the target in a macro then + when you invoke the macro, you can include the + name of the macro followed by a slash ("/") and + an ACTION (either builtin or user-defined. All + instances of PARAM in the body of the macro will be + replaced with the ACTION. - Example: "+Mirrors" + Any logging applied when the action is invoked is + applied following the same rules as for actions. - The name of the set may be optionally followed by: - - a) a number from 1 to 6 enclosed in square brackets ([]) -- this - number indicates the maximum number of ipset binding levels that - are to be matched. Depending on the context where the ipset name - is used, either all "src" or all "dst" matches will be used. - - Example: "+Mirrors[4]" + SOURCE and + DEST If the rule in the macro file specifies a value and + the invocation of the rule also specifies a value then + the value in the invocation is appended to the value + in the rule using ":" as a separator. - b) a series of "src" and "dst" options separated by commas and - inclosed in square brackets ([]). These will be passed directly - to iptables in the generated --set clause. See the ipset - documentation for details. + Example: - Example: "+Mirrors[src,dst,src]" - - Note that "+Mirrors[4]" used in the SOURCE column of the rules - file is equivalent to "+Mirrors[src,src,src,src]". + /etc/shorewall/macro.SMTP - To generate a negative match, prefix the "+" with "!" as in - "!+Mirrors". 
+ PARAM - loc tcp 25 - Example 1: Blacklist all hosts in an ipset named "blacklist" + /etc/shorewall/rules: - /etc/shorewall/blacklist + SMTP/DNAT:info net 192.168.1.5 - #ADDRESS/SUBNET PROTOCOL PORT - +blacklist + Would be equivalent to the following in the rules file: - Example 2: Allow SSH from all hosts in an ipset named "sshok: + DNAT:info net loc:192.168.1.5 tcp 25 - /etc/shorewall/rules + Rest Any value in the invocation replaces the value in the + rule in the macro. - #ACTION SOURCE DEST PROTO DEST PORT(S) - ACCEPT +sshok fw tcp 22 + One additional restriction applies to the mixing of macros and + actions. Macros that are invoked from actions cannot themselves + invoke other actions. - Shorewall can automatically capture the contents of your ipsets for - you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf - then "shorewall save" will save the contents of your ipsets. The file - where the sets are saved is formed by taking the name where the - Shorewall configuration is stored and appending "-ipsets". So if you - enter the command "shorewall save standard" then your Shorewall - configuration will be saved in /var/lib/shorewall/standard and your - ipset contents will be saved in /var/lib/shorewall/standard-ipsets. - Assuming the default RESTOREFILE setting, if you just enter - "shorewall save" then your Shorewall configuration will be saved in - /var/lib/shorewall/restore and your ipset contents will be saved in - /var/lib/shorewall/restore-ipsets. +5) If you have 'make' installed on your firewall, then when you use + the '-f' option to 'shorewall start' (as happens when you reboot), + if your /etc/shorewall/ directory contains files that were modified + after Shorewall was last restarted then Shorewall is started using + the config files rather than using the saved configuration. 
- Regardless of the setting of SAVE_IPSETS, the "shorewall -f start" - and "shorewall restore" commands will restore the ipset contents - corresponding to the Shorewall configuration restored provided that - the saved Shorewall configuration specified exists. +6) The 'arp_ignore' option has been added to /etc/shorewall/interfaces + entries. This option sets + /proc/sys/net/ipv4/conf//arp_ignore. By default, the + option sets the value to 1. You can also write arp_ignore= + where value is one of the following: - For example, "shorewall restore standard" would restore the ipset - contents from /var/lib/shorewall/standard-ipsets provided that - /var/lib/shorewall/standard exists and is executable and that - /var/lib/shorewall/standard-ipsets exists and is executable. + 1 - reply only if the target IP address is local address + configured on the incoming interface - Also regardless of the setting of SAVE_IPSETS, the "shorewall forget" - command will purge the saved ipset information (if any) associated - with the saved shorewall configuration being removed. - - You can also associate ipset contents with Shorewall configuration - directories using the following command: - - ipset -S > /ipsets - - Example: - - ipset -S > /etc/shorewall/ipsets - - When you start or restart Shorewall (including using the 'try' - command) from the configuration directory, your ipsets will be - configured from the saved ipsets file. Once again, this behavior is - independent of the setting of SAVE_IPSETS. - - Ipsets are well suited for large blacklists. You can maintain your - blacklist using the 'ipset' utility without ever having to restart - or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be - sure to "shorewall save" after altering the blacklist ipset(s). 
- - Example /etc/shorewall/blacklist: - - #ADDRESS/SUBNET PROTOCOL PORT - +Blacklist[src,dst] - +Blacklistnets[src,dst] - - Create the blacklist ipsets using: - - ipset -N Blacklist iphash - ipset -N Blacklistnets nethash - - Add entries - - ipset -A Blacklist 206.124.146.177 - ipset -A Blacklistnets 206.124.146.0/24 - - To allow entries for individual ports - - ipset -N SMTP portmap --from 1 --to 31 - ipset -A SMTP 25 - - ipset -A Blacklist 206.124.146.177 - ipset -B Blacklist 206.124.146.177 -b SMTP - - Now only port 25 will be blocked from 206.124.146.177. - -4) Shorewall 2.4.0 can now configure routing if your kernel and - iptables support the ROUTE target extension. This extension is - available in Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since - the Netfilter team have no intention of ever releasing the ROUTE - target extension to kernel.org. - - Routing is configured using the /etc/shorewall/routes file. Columns - in the file are as follows: - - SOURCE Source of the packet. May be any of the - following: - - - - A host or network address - - A network interface name. - - The name of an ipset prefaced with "+" - - $FW (for packets originating on the firewall) - - A MAC address in Shorewall format - - A range of IP addresses (assuming that your - kernel and iptables support range match) - - A network interface name followed by ":" - and an address or address range. - - DEST Destination of the packet. May be any of the - following: - - - A host or network address - - A network interface name (determined from - routing table(s)) - - The name of an ipset prefaced with "+" - - A network interface name followed by ":" - and an address or address range. - - PROTO Protocol - Must be "tcp", "udp", "icmp", - "ipp2p", a number, or "all". "ipp2p" requires - ipp2p match support in your kernel and - iptables. - - PORT(S) Destination Ports. 
A comma-separated list of - Port names (from /etc/services), port numbers - or port ranges; if the protocol is "icmp", this - column is interpreted as the destination - icmp-type(s). - - If the protocol is ipp2p, this column is - interpreted as an ipp2p option without the - leading "--" (example "bit" for bit-torrent). - If no PORT is given, "ipp2p" is assumed. - - This column is ignored if PROTOCOL = all but - must be entered if any of the following field - is supplied. In that case, it is suggested that - this field contain "-" - - SOURCE PORT(S) (Optional) Source port(s). If omitted, - any source port is acceptable. Specified as a - comma-separated list of port names, port - numbers or port ranges. - - TEST Defines a test on the existing packet or - connection mark. - - The rule will match only if the test returns - true. Tests have the format - [!][/][:C] - - Where: - - ! Inverts the test (not equal) - Value of the packet or - connection mark. - - A mask to be applied to the - mark before testing - :C Designates a connection - mark. If omitted, the packet - mark's value is tested. - - INTERFACE The interface that the packet is to be routed - out of. If you do not specify this field then - you must place "-" in this column and enter an - IP address in the GATEWAY column. - - GATEWAY The gateway that the packet is to be forewarded - through. - -5) Normally when Shorewall is stopped, starting or restarting then - connections are allowed from hosts listed in - /etc/shorewall/routestopped to the firewall and to other hosts - listed in /etc/shorewall/routestopped. - - A new 'source' option is added for entries in that file which will - cause Shorewall to allow traffic from the host listed in the entry - to ANY other host. When 'source' is specified in an entry, it is - unnecessary to also specify 'routeback'. - - Similarly, a new 'dest' option is added which will cause Shorewall - to allow traffic to the host listed in the entry from ANY other - host. 
When 'source' is specified in an entry, it is unnecessary to - also specify 'routeback'. - -6) This change was implemented by Lorenzo Martignoni. It provides two - new commands: "safe-start" and "safe-restart". - - safe-start starts Shorewall then prompts you to ask you if - everything looks ok. If you answer "no" or if you don't answer - within 60 seconds, a "shorewall clear" is executed. - - safe-restart saves your current configuration to - /var/lib/shorewall/safe-restart then issues a "shorewall restart"; - It then prompts you to ask if you if you want to accept the new - configuration. If you answer "no" or if you don't answer within 60 - seconds, the configuration is restored to its prior state. - - These new commands require either that your /bin/sh supports the - "-t" option to the 'read' command or that you have /bin/bash - installed. + 2 - reply only if the target IP address is local address + configured on the incoming interface and both with the sender's + IP address are part from same subnet on this interface + 3 - do not reply for local addresses configured with scope + host, only resolutions for global and link addresses are + replied + 4-7 - reserved + 8 - do not reply for all local addresses + WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE INVOLVED IN + PROXY ARP. + diff --git a/Shorewall/rfc1918 b/Shorewall/rfc1918 index 306efccbf..7542760ab 100644 --- a/Shorewall/rfc1918 +++ b/Shorewall/rfc1918 @@ -1,5 +1,5 @@ # -# Shorewall 2.4 -- RFC1918 File +# Shorewall 2.6 -- RFC1918 File # # /etc/shorewall/rfc1918 # diff --git a/Shorewall/routes b/Shorewall/routes deleted file mode 100755 index b15fc76a4..000000000 --- a/Shorewall/routes +++ /dev/null 
@@ -1,94 +0,0 @@ -# -# Shorewall version 2.4 - Routing Rules -# -# /etc/shorewall/routes -# -# Entries in this file cause packets to be routed in non-standard -# ways. -# -# I M P O R T A N T ! ! ! ! -# -# In order to use entries in this file, your kernel and iptables must -# have ROUTE target support (see the output of "shorewall show -# capabilities"). -# -# This facility is *EXPERIMENTAL* -- the Netfilter team have no intention -# of ever submitting the ROUTE target patch to kernel.org. -# -# To omit any column, enter "-" in that column. -# -# Columns are: -# -# -# SOURCE Source of the packet. May be any of the following: -# -# - A host or network address -# - A network interface name. -# - The name of an ipset prefaced with "+" -# - $FW (for packets originating on the firewall) -# - A MAC address in Shorewall format -# - A range of IP addresses (assuming that your -# kernel and iptables support range match) -# - A network interface name followed by ":" -# and an address or address range. -# -# DEST Destination of the packet. May be any of the -# following: -# -# - A host or network address -# - A network interface name (determined from -# routing table(s)) -# - The name of an ipset prefaced with "+" -# - A network interface name followed by ":" -# and an address or address range. -# -# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", -# a number, or "all". "ipp2p" requires ipp2p match -# support in your kernel and iptables. -# -# PORT(S) Destination Ports. A comma-separated list of Port -# names (from /etc/services), port numbers or port -# ranges; if the protocol is "icmp", this column is -# interpreted as the destination icmp-type(s). -# -# Port ranges are allowed in a list only if your -# kernel and iptables support Extended Multi-port -# match (see the output of "shorewall show capabilities"). -# -# If the protocol is ipp2p, this column is interpreted -# as an ipp2p option without the leading "--" (example "bit" -# for bit-torrent). 
If no PORT is given, "ipp2p" is -# assumed. -# -# SOURCE PORT(S) Source port(s). If omitted, any source port is acceptable. -# Specified as a comma-separated list of port names, port -# numbers or port ranges. -# -# Port ranges are allowed in a list only if your -# kernel and iptables support Extended Multi-port -# match (see the output of "shorewall show capabilities"). -# -# TEST Defines a test on the existing packet or connection mark. -# The rule will match only if the test returns true. Tests -# have the format [!][/][:C] -# -# Where: -# -# ! Inverts the test (not equal) -# Value of the packet or connection mark. -# A mask to be applied to the mark before -# testing -# :C Designates a connection mark. If omitted, -# the packet mark's value is tested. -# -# INTERFACE The interface that the packet is to be routed out of. -# If you specify "-" here, then you must enter the IP address -# of a gateway in the GATEWAY column. -# -# GATEWAY The gateway that the packet is to be forewarded through. -# -# See http://shorewall.net/Shorewall_and_Routing.html for additional information. -####################################################################################### -#SOURCE DEST PROTO PORT(S) SOURCE TEST INTERFACE GATEWAY -# PORT(S) -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/routestopped b/Shorewall/routestopped index ec3dffc32..38e1198b4 100644 --- a/Shorewall/routestopped +++ b/Shorewall/routestopped @@ -1,6 +1,6 @@ ############################################################################## # -# Shorewall 2.4 -- Hosts Accessible when the Firewall is Stopped +# Shorewall 2.6 -- Hosts Accessible when the Firewall is Stopped # # /etc/shorewall/routestopped # 
@@ -37,6 +37,13 @@ # listed hosts (and the firewall) is allowed. If # 'dest' is specified then 'routeback' is redundent. # +# critical - Allow traffic between the firewall and +# these hosts throughout '[re]start', 'stop' and +# 'clear'. Specifying 'critical' on one or more +# entries will cause your firewall to be "totally +# open" for a brief window during each of those +# operations. +# # Example: # # INTERFACE HOST(S) OPTIONS diff --git a/Shorewall/rules b/Shorewall/rules index 1ab6c7b6c..1232f8423 100755 --- a/Shorewall/rules +++ b/Shorewall/rules @@ -1,5 +1,5 @@ # -# Shorewall version 2.4 - Rules File +# Shorewall version 2.6 - Rules File # # /etc/shorewall/rules # diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 41f7cb6df..102a24378 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -1,6 +1,6 @@ #!/bin/sh # -# Shorewall Packet Filtering Firewall Control Program - V2.4 +# Shorewall Packet Filtering Firewall Control Program - V2.6 # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # @@ -158,7 +158,7 @@ iptablesbug() /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\ {print ; sline="" }' else - echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2 + echo " WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2 cat fi } @@ -234,6 +234,7 @@ get_config() { echo " WARNING: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf" >&2 ;; esac + } # 
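Review bot: The `critical` description in the routestopped hunk (`@@ -37,6 +37,13 @@`) says the firewall is "totally open" for a brief window but does not spell out that this means no packet filtering at all, on every interface, rather than an exception scoped to the listed hosts; the release notes in this same commit say the firewall "will be completely opened briefly during start, restart and stop", which is the plainer statement. Suggest adding `# During that window no traffic is filtered on any interface, so use 'critical' only where losing connectivity to the host would be fatal (e.g., an NFS-mounted root filesystem).` so the trade-off is visible where the option is configured. The comment lists '[re]start', 'stop' and 'clear' while the release notes entry for this option names only start, restart and stop; one of the two should be aligned so operators know whether 'clear' also triggers the open window.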
@@ -243,112 +244,6 @@ clear_term() { [ -t 1 ] && clear } -# -# Display IPTABLES rules -- we used to store them in a variable but ash -# dies when trying to display large sets of rules -# -display_chains() -{ - trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9 - - if [ "$haveawk" = "Yes" ]; then - # - # Send the output to a temporary file since ash craps if we try to store - # the output in a variable. - # - TMPFILE=$(mktempfile) - [ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; } - - $IPTABLES -L $IPT_OPTIONS >> $TMPFILE - - clear_term - echo "$banner $(date)" - echo - echo "Standard Chains" - echo - firstchain="Yes" - showchain INPUT - showchain OUTPUT - showchain FORWARD - - timed_read - - clear_term - echo "$banner $(date)" - echo - firstchain=Yes - echo "Input Chains" - echo - - chains=$(grep '^Chain.*_[in|fwd]' $TMPFILE | cut -d' ' -f 2) - - for chain in $chains; do - showchain $chain - done - - timed_read - - for zone in $zones; do - - if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then - clear_term - echo "$banner $(date)" - echo - firstchain=Yes - eval display=\$${zone}_display - echo "$display Chains" - echo - for zone1 in $FW $zones; do - showchain ${zone}2$zone1 - showchain @${zone}2$zone1 - [ "$zone" != "$zone1" ] && \ - showchain ${zone1}2${zone} && \ - showchain @${zone1}2${zone} - done - - timed_read - fi - done - - clear_term - echo "$banner $(date)" - echo - firstchain=Yes - echo "Policy Chains" - echo - showchain common - showchain badpkt - showchain icmpdef - showchain rfc1918 - showchain blacklst - showchain reject - showchain newnotsyn - for zone in $zones all; do - showchain ${zone}2all - showchain @${zone}2all - [ "$zone" = "all" ] || { showchain all2${zone}; showchain @all2${zone}; } - done - - timed_read - - clear_term - echo "$banner $(date)" - echo - firstchain=Yes - echo "Dynamic Chain" - echo - showchain dynamic - timed_read - - qt rm -f $TMPFILE - else - $IPTABLES -L -n -v - timed_read - fi - trap - 1 
2 3 4 5 6 9 - -} - # # Delay $timeout seconds -- if we're running on a recent bash2 then allow # to terminate the delay @@ -441,114 +336,6 @@ show_classifiers() { done } -# -# Monitor the Firewall -# -monitor_firewall() # $1 = timeout -- if negative, prompt each time that - # an 'interesting' packet count changes -{ - - host=$(echo $HOSTNAME | sed 's/\..*$//') - oldrejects=$($IPTABLES -L -v -n | grep 'LOG') - - if [ $1 -lt 0 ]; then - let "timeout=- $1" - pause="Yes" - else - pause="No" - timeout=$1 - fi - - - if qt which awk; then - TMP_DIR=$(mktempdir) - [ -n "$TMP_DIR" ] || { echo " ERROR:Cannot create temporary directory" >&2; exit 1; } - haveawk=Yes - determine_zones - rm -rf $TMP_DIR - else - haveawk= - fi - - while true; do - display_chains - - clear_term - echo "$banner $(date)" - echo - - echo "Dropped/Rejected Packet Log" - echo - - show_reset - - rejects=$($IPTABLES -L -v -n | grep 'LOG') - - if [ "$rejects" != "$oldrejects" ]; then - oldrejects="$rejects" - - $RING_BELL - - packet_log 20 - - if [ "$pause" = "Yes" ]; then - echo - echo $ECHO_N 'Enter any character to continue: ' - read foo - else - timed_read - fi - else - echo - packet_log 20 - timed_read - fi - - clear_term - echo "$banner $(date)" - echo - echo "NAT Status" - echo - $IPTABLES -t nat -L $IPT_OPTIONS - timed_read - - clear_term - echo "$banner $(date)" - echo - echo - echo "TOS/MARK Status" - echo - $IPTABLES -t mangle -L $IPT_OPTIONS - timed_read - - clear_term - echo "$banner $(date)" - echo - echo - echo "Tracked Connections" - echo - cat /proc/net/ip_conntrack - timed_read - - clear_term - echo "$banner $(date)" - echo - echo - echo "Traffic Shaping/Control" - echo - show_tc - timed_read - - clear_term - echo "$banner $(date)" - echo - echo - echo "Packet Classifiers" - echo - show_classifiers - timed_read - done -} # # Watch the Firewall Log @@ -714,7 +501,6 @@ usage() # $1 = exit status echo " ipcalc [
/ |
]" echo " iprange
-
" echo " logwatch []" - echo " monitor []" echo " refresh" echo " reject
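Review bot: show_reset now spells out `/var/lib/shorewall/restarted` twice, and the same literal directory is repeated in the fast-start hunk and in the two `zones` hunks further down, in place of the single STATEDIR variable this commit removes. A read-only variable set once near the top of the script, e.g. `STATEDIR=/var/lib/shorewall` with the existing `$STATEDIR/...` references left as they were, would keep every occurrence in step and make a later relocation a one-line change; if the goal is only to stop users overriding the directory from shorewall.conf, that is achieved by not reading it from the config rather than by inlining the path. The same remark applies to the restore hunk and the `zones` command hunks below, so I have not repeated it there.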
..." echo " reset" @@ -737,8 +523,8 @@ usage() # $1 = exit status # Display the time that the counters were last reset # show_reset() { - [ -f $STATEDIR/restarted ] && \ - echo "Counters reset $(cat $STATEDIR/restarted)" && \ + [ -f /var/lib/shorewall/restarted ] && \ + echo "Counters reset $(cat /var/lib/shorewall/restarted)" && \ echo } @@ -896,8 +682,6 @@ export CONFIG_PATH get_config -[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall - if [ ! -f $FIREWALL ]; then echo "ERROR: Shorewall is not properly installed" if [ -L $FIREWALL ]; then @@ -953,7 +737,7 @@ case "$1" in echo "Directory $2 does not exist" >&2 && exit 2 fi fi - + SHOREWALL_DIR=$2 export SHOREWALL_DIR ;; @@ -963,29 +747,37 @@ case "$1" in esac if [ -n "$FAST" ]; then - - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE + if qt which make; then + make -qf /etc/shorewall/Makefile || FAST= + fi - if [ -x $RESTOREPATH ]; then - if [ -x ${RESTOREPATH}-ipsets ]; then - echo Restoring Ipsets... - # - # We must purge iptables to be sure that there are no - # references to ipsets - # - iptables -F - iptables -X - ${RESTOREPATH}-ipsets + if [ -n "$FAST" ]; then + + RESTOREPATH=/var/lib/shorewall/$RESTOREFILE + + if [ -x $RESTOREPATH ]; then + if [ -x ${RESTOREPATH}-ipsets ]; then + echo Restoring Ipsets... + # + # We must purge iptables to be sure that there are no + # references to ipsets + # + iptables -F + iptables -X + ${RESTOREPATH}-ipsets + fi + + echo Restoring Shorewall... + $RESTOREPATH + date > /var/lib/shorewall/restarted + echo Shorewall restored from $RESTOREPATH + else + exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start fi - - echo Restoring Shorewall... - $RESTOREPATH - date > $STATEDIR/restarted - echo Shorewall restored from $RESTOREPATH else exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start fi - else + else exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start fi ;; 
@@ -1066,8 +858,7 @@ case "$1" in ;; zones) [ $# -gt 2 ] && usage 1 - [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall - if [ -f $STATEDIR/zones ]; then + if [ -f /var/lib/shorewall/zones ]; then echo "Shorewall-$version Zones at $HOSTNAME - $(date)" echo while read zone hosts; do @@ -1075,10 +866,10 @@ case "$1" in for host in $hosts; do echo " $host" done - done < $STATEDIR/zones + done < /var/lib/shorewall/zones echo else - echo " ERROR: $STATEDIR/zones does not exist" >&2 + echo " ERROR: /var/lib/shorewall/zones does not exist" >&2 exit 1 fi ;; @@ -1113,16 +904,6 @@ case "$1" in ;; esac ;; - monitor) - [ -n "$debugging" ] && set -x - if [ $# -eq 2 ]; then - monitor_firewall $2 - elif [ $# -eq 1 ]; then - monitor_firewall 30 - else - usage 1 - fi - ;; status) [ -n "$debugging" ] && set -x [ $# -eq 1 ] || usage 1 @@ -1168,7 +949,7 @@ case "$1" in show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all for directory in /proc/sys/net/ipv4/conf/*; do - for file in proxy_arp arp_filter rp_filter log_martians; do + for file in proxy_arp arp_filter arp_ignore rp_filter log_martians; do show_proc $directory/$file done done @@ -1252,7 +1033,7 @@ case "$1" in echo $version ;; try) - [ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\"" + [ -n "$SHOREWALL_DIR" ] && startup_error "ERROR: -c option may not be used with \"try\"" [ $# -lt 2 -o $# -gt 3 ] && usage 1 if ! $0 $debugging -c $2 restart; then if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index 6c170fa4a..19ea3a10f 100755 --- a/Shorewall/shorewall.conf +++ b/Shorewall/shorewall.conf @@ -1,5 +1,5 @@ ############################################################################## -# /etc/shorewall/shorewall.conf V2.4 - Change the following variables to +# /etc/shorewall/shorewall.conf V2.6 - Change the following variables to # match your setup # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] 
@@ -227,20 +227,6 @@ RFC1918_LOG_LEVEL=info SMURF_LOG_LEVEL=info -# -# BOGON Log Level -# -# Specifies the logging level for bogon packets dropped by the -#'nobogons' interface option in /etc/shorewall/interfaces and in -# /etc/shorewall/hosts. If set to the empty value -# ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop' -# in /usr/share/shorewall/bogons are logged at the 'info' level. -# -# See the comment at the top of this section for a description of log levels -# - -BOGON_LOG_LEVEL=info - # # MARTIAN LOGGING # @@ -289,15 +275,6 @@ SHOREWALL_SHELL=/bin/sh SUBSYSLOCK=/var/lock/subsys/shorewall -# -# SHOREWALL TEMPORARY STATE DIRECTORY -# -# This is the directory where the firewall maintains state information while -# it is running -# - -STATEDIR=/var/lib/shorewall - # # KERNEL MODULE DIRECTORY # @@ -340,6 +317,17 @@ CONFIG_PATH=/etc/shorewall:/usr/share/shorewall RESTOREFILE= +# +# OLD ZONE FILE FORMAT +# +# Previous versions of Shorewall had both a 'zones' file and an 'ipsec' file. +# Beginning with 2.5.0, those files were combined. For users who haven't +# converted, we offer this variable that sets the name of the file for ipsec +# information. This option must take the value "zones" or "ipsec". If the option +# is not set or is set to the empty value (IPSECFILE="") then "ipsec" is assumed. + +IPSECFILE=zones + ################################################################################ # F I R E W A L L O P T I O N S ################################################################################ @@ -375,7 +363,7 @@ IP_FORWARDING=On # "No" or "no", you must add these aliases youself. # -ADD_IP_ALIASES=No +ADD_IP_ALIASES=Yes # # AUTOMATICALLY ADD SNAT IP ADDRESSES 
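Review bot: The last hunk flips the shipped `ADD_IP_ALIASES` value from No to Yes, and nothing in the hunk or the adjacent comment explains the change; since Yes means Shorewall itself adds addresses to interfaces (the context line says that with No "you must add these aliases youself"), a changed default is a behaviour change that upgraders should be told about. If the flip is intentional, a line such as `# Changed to Yes in 2.5/2.6; set to No if you manage aliases yourself` in the comment block would document it; if it is a merge artifact, it should be reverted. The new IPSECFILE block in the previous hunk is clear, but it would help to state there that the choice also decides which column layout /etc/shorewall/zones is parsed with.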
@@ -716,41 +704,6 @@ DYNAMIC_ZONES=No PKTTYPE=Yes -# -# DROP INVALID PACKETS -# -# Netfilter classifies packets relative to its connection tracking table into -# four states: -# -# NEW - thes packet initiates a new connection -# ESTABLISHED - thes packet is part of an established connection -# RELATED - thes packet is related to an established connection; it may -# establish a new connection -# INVALID - the packet does not related to the table in any sensible way. -# -# Recent 2.6 kernels include code that evaluates TCP packets based on TCP -# Window analysis. This can cause packets that were previously classified as -# NEW or ESTABLISHED to be classified as INVALID. -# -# The new kernel code can be disabled by including this command in your -# /etc/shorewall/init file: -# -# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal -# -# Additional kernel logging about INVALID TCP packets may be obtained by -# adding this command to /etc/shorewall/init: -# -# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid -# -# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID -# option allows INVALID packets to be passed through the normal rules chains by -# setting DROPINVALID=No. -# -# If not specified or if specified as empty (e.g., DROPINVALID="") then -# DROPINVALID=Yes is assumed. - -DROPINVALID=No - # # RFC 1918 BEHAVIOR # 
@@ -816,6 +769,17 @@ MACLIST_TTL= SAVE_IPSETS=No +# +# Map Old Actions +# +# Previously, Shorewall included a large number of standard actions (AllowPing, +# AllowFTP, ...). These have been replaced with parameterized macros. For +# compatibility, Shorewall can map the old names into invocations of the new +# macros if you set MAPOLDACTIONS=Yes. If this option is not set or is set to +# the empty value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed + +MAPOLDACTIONS=No + ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################ diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index dd0e38d04..45eea4679 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 2.4.0 +%define version 2.5.0 %define release 1 %define prefix /usr 
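Review bot: The MAPOLDACTIONS comment says an unset or empty option is treated as Yes, yet the shipped line is `MAPOLDACTIONS=No`, so a system that takes this new file presumably loses the old action names while a system that keeps an older shorewall.conf (where the variable is absent) silently gets the mapping, which is the reverse of what most upgraders would expect. If that split is intended, say so, e.g. `# This file ships with MAPOLDACTIONS=No; set it to Yes if your rules still use the old AllowXXX/DropXXX action names.`; otherwise ship Yes. The final sentence of the comment is also missing its period.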
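Review bot: `%define version 2.5.0` here (and `VERSION=2.5.0` in the uninstall.sh hunk further down) disagrees with the "2.6" that every file header in this commit now carries, while the new IPSECFILE comment dates the merged zones file to 2.5.0. Both strings are user-visible, the package version and the uninstall check that only removes "the version shown below", so either they should become 2.6.0 or the headers should say 2.5; as it stands a packaged 2.5.0 install reports files labelled 2.6.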
@@ -95,52 +95,70 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/continue
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/started
-%attr(0600,root,root) %config(noreplace) /etc/shorewall/routes
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/providers
 %attr(0544,root,root) /sbin/shorewall
 %attr(0600,root,root) /usr/share/shorewall/version
 %attr(0600,root,root) /usr/share/shorewall/actions.std
-%attr(0600,root,root) /usr/share/shorewall/action.AllowAuth
-%attr(0600,root,root) /usr/share/shorewall/action.AllowDNS
-%attr(0600,root,root) /usr/share/shorewall/action.AllowFTP
-%attr(0600,root,root) /usr/share/shorewall/action.AllowICMPs
-%attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP
-%attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP
-%attr(0600,root,root) /usr/share/shorewall/action.AllowNTP
-%attr(0600,root,root) /usr/share/shorewall/action.AllowPCA
-%attr(0600,root,root) /usr/share/shorewall/action.AllowPing
-%attr(0600,root,root) /usr/share/shorewall/action.AllowPOP3
-%attr(0600,root,root) /usr/share/shorewall/action.AllowRdate
-%attr(0600,root,root) /usr/share/shorewall/action.AllowSMB
-%attr(0600,root,root) /usr/share/shorewall/action.AllowSMTP
-%attr(0600,root,root) /usr/share/shorewall/action.AllowSNMP
-%attr(0600,root,root) /usr/share/shorewall/action.AllowSSH
-%attr(0600,root,root) /usr/share/shorewall/action.AllowTelnet
-%attr(0600,root,root) /usr/share/shorewall/action.AllowTrcrt
-%attr(0600,root,root) /usr/share/shorewall/action.AllowVNC
-%attr(0600,root,root) /usr/share/shorewall/action.AllowVNCL
-%attr(0600,root,root) /usr/share/shorewall/action.AllowWeb
 %attr(0600,root,root) /usr/share/shorewall/action.Drop
-%attr(0600,root,root) /usr/share/shorewall/action.DropDNSrep
-%attr(0600,root,root) /usr/share/shorewall/action.DropPing
-%attr(0600,root,root) /usr/share/shorewall/action.DropSMB
-%attr(0600,root,root) /usr/share/shorewall/action.DropUPnP
 %attr(0600,root,root) /usr/share/shorewall/action.Reject
-%attr(0600,root,root) /usr/share/shorewall/action.RejectAuth
-%attr(0600,root,root) /usr/share/shorewall/action.RejectSMB
 %attr(0600,root,root) /usr/share/shorewall/action.template
 %attr(0444,root,root) /usr/share/shorewall/functions
 %attr(0544,root,root) /usr/share/shorewall/firewall
 %attr(0544,root,root) /usr/share/shorewall/help
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowAuth
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowDNS
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowFTP
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowICMPs
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowIMAP
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowNNTP
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowNTP
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowPCA
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowPing
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowPOP3
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowRdate
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowSMTP
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowSNMP
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowSMB
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowSSH
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowTelnet
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowTrcrt
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowVNC
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowVNCL
+%attr(0600,root,root) /usr/share/shorewall/macro.AllowWeb
+%attr(0600,root,root) /usr/share/shorewall/macro.DropDNSrep
+%attr(0600,root,root) /usr/share/shorewall/macro.DropPing
+%attr(0600,root,root) /usr/share/shorewall/macro.DropSMB
+%attr(0600,root,root) /usr/share/shorewall/macro.RejectSMB
+%attr(0600,root,root) /usr/share/shorewall/macro.DropUPnP
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdAuth
+%attr(0600,root,root) /usr/share/shorewall/macro.FwdDNS +%attr(0600,root,root) /usr/share/shorewall/macro.FwdFTP +%attr(0600,root,root) /usr/share/shorewall/macro.FwdIMAP +%attr(0600,root,root) /usr/share/shorewall/macro.FwdNNTP +%attr(0600,root,root) /usr/share/shorewall/macro.FwdPCA +%attr(0600,root,root) /usr/share/shorewall/macro.FwdPing +%attr(0600,root,root) /usr/share/shorewall/macro.FwdPOP3 +%attr(0600,root,root) /usr/share/shorewall/macro.FwdRdate +%attr(0600,root,root) /usr/share/shorewall/macro.FwdSMTP +%attr(0600,root,root) /usr/share/shorewall/macro.FwdSNMP +%attr(0600,root,root) /usr/share/shorewall/macro.FwdSSH +%attr(0600,root,root) /usr/share/shorewall/macro.FwdTelnet +%attr(0600,root,root) /usr/share/shorewall/macro.FwdVNC +%attr(0600,root,root) /usr/share/shorewall/macro.FwdVNCL +%attr(0600,root,root) /usr/share/shorewall/macro.FwdWeb +%attr(0600,root,root) /usr/share/shorewall/macro.RejectAuth +%attr(0600,root,root) /usr/share/shorewall/macro.template %attr(0600,root,root) /usr/share/shorewall/rfc1918 -%attr(0600,root,root) /usr/share/shorewall/bogons %attr(0600,root,root) /usr/share/shorewall/configpath %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn %changelog +* Mon Jul 25 2005 Tom Eastep tom@shorewall.net +- Updated to 2.5.0-1 +- Add macros and convert most actions to macros * Thu Jun 02 2005 Tom Eastep tom@shorewall.net - Updated to 2.4.0-1 * Sun May 30 2005 Tom Eastep tom@shorewall.net diff --git a/Shorewall/start b/Shorewall/start index 10f1655ad..8598d535a 100644 --- a/Shorewall/start +++ b/Shorewall/start @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.4 -- /etc/shorewall/start +# Shorewall 2.6 -- /etc/shorewall/start # # Add commands below that you want to be executed after shorewall has # been started or restarted. diff --git a/Shorewall/started b/Shorewall/started index 88dfe5d72..cb136c81c 100644 --- a/Shorewall/started +++ b/Shorewall/started 
@@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.4 -- /etc/shorewall/started +# Shorewall 2.6 -- /etc/shorewall/started # # Add commands below that you want to be executed after shorewall has # been completely started or restarted. The difference between this diff --git a/Shorewall/stop b/Shorewall/stop index b12ea8d9b..7ebe2cf2d 100644 --- a/Shorewall/stop +++ b/Shorewall/stop @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.4 -- /etc/shorewall/stop +# Shorewall 2.6 -- /etc/shorewall/stop # # Add commands below that you want to be executed at the beginning of a # "shorewall stop" command. diff --git a/Shorewall/stopped b/Shorewall/stopped index 997f46755..3af813268 100644 --- a/Shorewall/stopped +++ b/Shorewall/stopped @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 2.4 -- /etc/shorewall/stopped +# Shorewall 2.6 -- /etc/shorewall/stopped # # Add commands below that you want to be executed at the completion of a # "shorewall stop" command. diff --git a/Shorewall/tcrules b/Shorewall/tcrules index 69f8f2222..34c27774b 100755 --- a/Shorewall/tcrules +++ b/Shorewall/tcrules @@ -1,5 +1,5 @@ # -# Shorewall version 2.4 - Traffic Control Rules File +# Shorewall version 2.6 - Traffic Control Rules File # # /etc/shorewall/tcrules # diff --git a/Shorewall/tos b/Shorewall/tos index 2b37ddd57..147bfc0a7 100755 --- a/Shorewall/tos +++ b/Shorewall/tos @@ -1,5 +1,5 @@ # -# Shorewall 2.4 -- /etc/shorewall/tos +# Shorewall 2.6 -- /etc/shorewall/tos # # This file defines rules for setting Type Of Service (TOS) # diff --git a/Shorewall/tunnel b/Shorewall/tunnel index 1f5527b5d..2580b88b3 100755 --- a/Shorewall/tunnel +++ b/Shorewall/tunnel 
@@ -2,7 +2,7 @@ RCDLINKS="2,S45 3,S45 6,K45" ################################################################################ -# Script to create a gre or ipip tunnel -- Shorewall 2.4 +# Script to create a gre or ipip tunnel -- Shorewall 2.6 # # Modified - Steve Cowles 5/9/2000 # Incorporated init {start|stop} syntax and iproute2 usage diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index ec5a366c1..db7c94bee 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh @@ -24,9 +24,9 @@ # Usage: # # You may only use this script to uninstall the version -# shown below. Simply run this script to remove Shoreline Firewall +# shown below. Simply run this script to remove Shorewall Firewall -VERSION=2.4.0 +VERSION=2.5.0 usage() # $1 = exit status { diff --git a/Shorewall/zones b/Shorewall/zones index d0fe7705e..f8c0ef503 100644 --- a/Shorewall/zones +++ b/Shorewall/zones 
@@ -1,13 +1,55 @@ # -# Shorewall 2.4 /etc/shorewall/zones +# Shorewall 2.6 /etc/shorewall/zones # # This file determines your network zones. Columns are: # -# ZONE Short name of the zone (5 Characters or less in length). -# The names "all" and "none" are reserved and may not be -# used as zone names. -# DISPLAY Display name of the zone -# COMMENTS Comments about the zone +# ZONE Short name of the zone (5 Characters or less in length). +# The names "all" and "none" are reserved and may not be +# used as zone names. +# +# IPSEC Yes -- Communication with all zone hosts is encrypted +# ONLY Your kernel and iptables must include policy +# match support. +# No -- Communication with some zone hosts may be encrypted. +# Encrypted hosts are designated using the 'ipsec' +# option in /etc/shorewall/hosts. +# +# OPTIONS, A comma-separated list of options as follows: +# IN OPTIONS, +# OUT OPTIONS reqid= where is specified +# using setkey(8) using the 'unique: +# option for the SPD level. +# +# spi= where is the SPI of +# the SA used to encrypt/decrypt packets. +# +# proto=ah|esp|ipcomp +# +# mss= (sets the MSS field in TCP packets) +# +# mode=transport|tunnel +# +# tunnel-src=
[/] (only +# available with mode=tunnel) +# +# tunnel-dst=
[/] (only +# available with mode=tunnel) +# +# strict Means that packets must match all rules. +# +# next Separates rules; can only be used with +# strict.. +# +# Example: +# mode=transport,reqid=44 +# +# The options in the OPTIONS column are applied to both incoming +# and outgoing traffic. The IN OPTIONS are applied to incoming +# traffic (in addition to OPTIONS) and the OUT OPTIONS are +# applied to outgoing traffic. +# +# If you wish to leave a column empty but need to make an entry +# in a following column, use "-". # # THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts. @@ -18,10 +60,11 @@ # # You have a three interface firewall with internet, local and DMZ interfaces. # -# #ZONE DISPLAY COMMENTS -# net Internet The big bad Internet -# loc Local Local Network -# dmz DMZ Demilitarized zone. +# #ZONE IPSEC OPTIONS IN OUT +# net +# loc +# dmz # -#ZONE DISPLAY COMMENTS +#ZONE IPSEC OPTIONS IN OUT +# ONLY OPTIONS OPTIONS #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
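Review bot: The rewritten header documents only the new ZONE/IPSEC/OPTIONS/IN/OUT layout and never mentions that which layout applies is decided by IPSECFILE in shorewall.conf; with IPSECFILE unset or set to "ipsec" (the compatibility setting described there) this file presumably keeps its old ZONE/DISPLAY/COMMENTS columns, and someone reading only this file cannot tell which format to use. A line near the top such as `# NOTE: this layout is used when IPSECFILE=zones in shorewall.conf; with IPSECFILE=ipsec the old ZONE DISPLAY COMMENTS layout applies.` would close that gap. Also `strict..` has a doubled period, and the example rows for net, loc and dmz are now empty, so the example no longer shows any option syntax — one populated row (e.g. `# net No mode=tunnel` as a constructed sample) would illustrate the columns.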