Shorewall 2.2.2
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1986 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
cefa44418d
commit
bea55d93d1
@ -80,7 +80,8 @@
|
||||
# allowed. Use $FW if the packet originates on
|
||||
# the firewall in which case the MARK column may NOT
|
||||
# specify either ":P" or ":F" (marking always occurs
|
||||
# in the OUTPUT chain).
|
||||
# in the OUTPUT chain). $FW may be optionally followed
|
||||
# by ":" and a host/network address.
|
||||
#
|
||||
# MAC addresses must be prefixed with "~" and use
|
||||
# "-" as a separator.
|
||||
|
@ -4,7 +4,7 @@
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# This file should be placed in /sbin/shorewall.
|
||||
#
|
||||
@ -220,6 +220,13 @@ get_config() {
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Clear descriptor 1 if it is a terminal
|
||||
#
|
||||
clear_term() {
|
||||
[ -t 1 ] && clear
|
||||
}
|
||||
|
||||
#
|
||||
# Display IPTABLES rules -- we used to store them in a variable but ash
|
||||
# dies when trying to display large sets of rules
|
||||
@ -238,7 +245,7 @@ display_chains()
|
||||
|
||||
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo "Standard Chains"
|
||||
@ -250,7 +257,7 @@ display_chains()
|
||||
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
@ -268,7 +275,7 @@ display_chains()
|
||||
for zone in $zones; do
|
||||
|
||||
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
@ -287,7 +294,7 @@ display_chains()
|
||||
fi
|
||||
done
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
@ -308,7 +315,7 @@ display_chains()
|
||||
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
@ -443,7 +450,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
while true; do
|
||||
display_chains
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
|
||||
@ -474,7 +481,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
timed_read
|
||||
fi
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo "NAT Status"
|
||||
@ -482,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
@ -491,7 +498,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
@ -500,7 +507,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
cat /proc/net/ip_conntrack
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
@ -509,7 +516,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
show_tc
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
@ -541,7 +548,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
qt which awk && haveawk=Yes || haveawk=
|
||||
|
||||
while true; do
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
|
||||
@ -960,7 +967,7 @@ case "$1" in
|
||||
status)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] || usage 1
|
||||
clear
|
||||
clear_term
|
||||
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
@ -1019,6 +1026,11 @@ case "$1" in
|
||||
ip route ls table $table
|
||||
done
|
||||
|
||||
echo
|
||||
echo "ARP"
|
||||
echo
|
||||
arp -na
|
||||
|
||||
if qt which lsmod; then
|
||||
echo
|
||||
echo "Modules"
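Review bot: The new `arp -na` line runs unconditionally, while the lsmod block immediately below guards its command with `qt which lsmod`; on a host without net-tools the status display picks up a "command not found" on stderr in place of the ARP table. Mirroring the existing guard in the file's own style keeps the output clean: `qt which arp && { echo; echo "ARP"; echo; arp -na; }`. The `status)` case this hunk belongs to starts before the hunk and continues past it.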
|
||||
@ -1029,7 +1041,7 @@ case "$1" in
|
||||
hits)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] || usage 1
|
||||
clear
|
||||
clear_term
|
||||
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
|
||||
echo
|
||||
|
||||
|
@ -30,7 +30,7 @@
|
||||
# shorewall restart Restarts the firewall
|
||||
# shorewall stop Stops the firewall
|
||||
# shorewall status Displays firewall status
|
||||
# shorewall reset Resets iptabless packet and
|
||||
# shorewall reset Resets iptables packet and
|
||||
# byte counts
|
||||
# shorewall clear Remove all Shorewall chains
|
||||
# and rules/policies.
|
||||
@ -1303,10 +1303,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
|
||||
|
||||
case $level in
|
||||
ULOG)
|
||||
$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
||||
run_iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
||||
;;
|
||||
*)
|
||||
$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
||||
run_iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -2333,16 +2333,19 @@ process_tc_rule()
|
||||
if [ "x$source" != "x-" ]; then
|
||||
case $source in
|
||||
*.*.*)
|
||||
r="-s $source "
|
||||
r="$(source_ip_range $source) "
|
||||
;;
|
||||
~*)
|
||||
r="$(mac_match $source) "
|
||||
;;
|
||||
$FW:*)
|
||||
chain=tcout
|
||||
r="$(source_ip_range ${source%:*}) "
|
||||
;;
|
||||
$FW)
|
||||
chain=tcout
|
||||
;;
|
||||
*)
|
||||
|
||||
*)
|
||||
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
|
||||
r="$(match_source_dev) $source "
|
||||
;;
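Review bot: The new `$FW:*)` branch extracts the address with `${source%:*}`, which strips the shortest suffix beginning at a colon and therefore keeps the part before the colon — the firewall zone name — rather than the host/network written after it, so `source_ip_range` is handed `$FW` instead of the address. The expansion should drop the prefix instead: `r="$(source_ip_range ${source#*:}) "`. The `*.*.*)` branch above passes the whole value to the same helper, so I would expect the colon form to accept the address-range syntax the release notes describe, but `source_ip_range` is outside the hunk and I have not confirmed that. process_tc_rule starts and ends outside this hunk.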
|
||||
@ -2763,13 +2766,14 @@ check_config() {
|
||||
|
||||
disclaimer() {
|
||||
echo
|
||||
echo "Notice: The 'check' command is unsupported and problem"
|
||||
echo " reports complaining about errors that it didn't catch"
|
||||
echo " will not be accepted"
|
||||
echo "Notice: The 'check' command is provided to catch"
|
||||
echo " obvious errors in a Shorewall configuration."
|
||||
echo " It is not designed to catch all possible errors"
|
||||
echo " so please don't submit problem reports about"
|
||||
echo " error conditions that 'check' doesn't find"
|
||||
echo
|
||||
}
|
||||
|
||||
disclaimer
|
||||
|
||||
report_capabilities
|
||||
|
||||
@ -3148,7 +3152,27 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
|
||||
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
|
||||
|
||||
if [ -n "$MULTIPORT" ] && \
|
||||
if [ -n "$XMULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
||||
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
|
||||
then
|
||||
#
|
||||
# Extended MULTIPORT is enabled, and less than
|
||||
# 16 ports are listed (port ranges count as two ports) - use multiport match.
|
||||
#
|
||||
multioption="-m multiport"
|
||||
for client in $(separate_list ${clients:=-}); do
|
||||
for server in $(separate_list ${servers:=-}); do
|
||||
#
|
||||
# add_an_action() modifies these so we must set their values each time
|
||||
#
|
||||
port=${ports:=-}
|
||||
cport=${cports:=-}
|
||||
add_an_action
|
||||
done
|
||||
done
|
||||
elif [ -n "$MULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ "$ports" = "${ports%:*}" -a \
|
||||
"$cports" = "${cports%:*}" -a \
|
||||
@ -3242,7 +3266,11 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
|
||||
if [ $COMMAND != check ]; then
|
||||
createchain $CHAIN No
|
||||
LEVEL=${level%:*}
|
||||
TAG=${level#*:}
|
||||
if [ "$LEVEL" != "$level" ]; then
|
||||
TAG=${level#*:}
|
||||
else
|
||||
TAG=
|
||||
fi
|
||||
run_user_exit $1
|
||||
fi
|
||||
|
||||
@ -4318,7 +4346,26 @@ process_rule() # $1 = target
|
||||
|
||||
case $logtarget in
|
||||
DNAT*)
|
||||
if [ -n "$MULTIPORT" ] && \
|
||||
if [ -n "$XMULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
||||
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
|
||||
then
|
||||
#
|
||||
# Extended MULTIPORT is enabled, and less than
|
||||
# 16 ports are listed (port ranges count as two ports) - use multiport match.
|
||||
#
|
||||
multioption="-m multiport"
|
||||
for client in $(separate_list ${clients:=-}); do
|
||||
#
|
||||
# add_a_rule() modifies these so we must set their values each time
|
||||
#
|
||||
server=${servers:=-}
|
||||
port=${ports:=-}
|
||||
cport=${cports:=-}
|
||||
add_a_rule
|
||||
done
|
||||
elif [ -n "$MULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ "$ports" = "${ports%:*}" -a \
|
||||
"$cports" = "${cports%:*}" -a \
|
||||
@ -4356,7 +4403,27 @@ process_rule() # $1 = target
|
||||
;;
|
||||
*)
|
||||
|
||||
if [ -n "$MULTIPORT" ] && \
|
||||
if [ -n "$XMULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
||||
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
|
||||
then
|
||||
#
|
||||
# Extended MULTIPORT is enabled, and less than
|
||||
# 16 ports are listed (port ranges count as two ports) - use multiport match.
|
||||
#
|
||||
multioption="-m multiport"
|
||||
for client in $(separate_list ${clients:=-}); do
|
||||
for server in $(separate_list ${servers:=-}); do
|
||||
#
|
||||
# add_a_rule() modifies these so we must set their values each time
|
||||
#
|
||||
port=${ports:=-}
|
||||
cport=${cports:=-}
|
||||
add_a_rule
|
||||
done
|
||||
done
|
||||
elif [ -n "$MULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ "$ports" = "${ports%:*}" -a \
|
||||
"$cports" = "${cports%:*}" -a \
|
||||
@ -4423,6 +4490,7 @@ process_rules()
|
||||
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
|
||||
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
|
||||
if [ "$ypolicy" != NONE ] ; then
|
||||
rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
|
||||
fi
|
||||
fi
|
||||
@ -4448,11 +4516,11 @@ process_rules()
|
||||
continue
|
||||
fi
|
||||
|
||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
|
||||
}
|
||||
|
||||
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
|
||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||
expandv xtarget
|
||||
|
||||
case "${xtarget%%:*}" in
|
||||
@ -4469,6 +4537,7 @@ process_rules()
|
||||
xtarget=$(find_logactionchain $xtarget)
|
||||
do_it
|
||||
else
|
||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||
fatal_error "Invalid Action in rule \"$rule\""
|
||||
fi
|
||||
;;
|
||||
@ -5039,7 +5108,15 @@ setup_masq()
|
||||
if [ $listcount -gt 1 ]; then
|
||||
case $ports in
|
||||
*:*)
|
||||
fatal_error "Port Range not allowed in list ($ports)"
|
||||
if [ -n "$XMULTIPORT" ]; then
|
||||
if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then
|
||||
ports="-m multiport --dports $ports"
|
||||
else
|
||||
fatal_error "More than 15 entries in port list ($ports)"
|
||||
fi
|
||||
else
|
||||
fatal_error "Port Range not allowed in list ($ports)"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
if [ -n "$MULTIPORT" ]; then
|
||||
@ -5475,6 +5552,7 @@ save_load_kernel_modules()
|
||||
done < $modules
|
||||
|
||||
save_command __EOF__
|
||||
save_command ""
|
||||
|
||||
}
|
||||
|
||||
@ -5494,6 +5572,7 @@ determine_capabilities() {
|
||||
|
||||
CONNTRACK_MATCH=
|
||||
MULTIPORT=
|
||||
XMULTIPORT=
|
||||
POLICY_MATCH=
|
||||
PHYSDEV_MATCH=
|
||||
IPRANGE_MATCH=
|
||||
@ -5501,6 +5580,7 @@ determine_capabilities() {
|
||||
qt $IPTABLES -N fooX1234
|
||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||
@ -5514,25 +5594,26 @@ determine_capabilities() {
|
||||
qt $IPTABLES -X fooX1234
|
||||
}
|
||||
|
||||
report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
|
||||
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
|
||||
{
|
||||
local setting=
|
||||
|
||||
[ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available"
|
||||
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
|
||||
|
||||
echo " " $@: $setting
|
||||
echo " " $1: $setting
|
||||
}
|
||||
|
||||
report_capabilities() {
|
||||
echo "Shorewall has detected the following iptables/netfilter capabilities:"
|
||||
report_capability $NAT_ENABLED "NAT"
|
||||
report_capability $MANGLE_ENABLED "Packet Mangling"
|
||||
report_capability $MULTIPORT "Multi-port Match"
|
||||
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
|
||||
report_capability $PKTTYPE "Packet Type Match"
|
||||
report_capability $POLICY_MATCH "Policy Match"
|
||||
report_capability $PHYSDEV_MATCH "Physdev Match"
|
||||
report_capability $IPRANGE_MATCH "IP range Match"
|
||||
report_capability "NAT" $NAT_ENABLED
|
||||
report_capability "Packet Mangling" $MANGLE_ENABLED
|
||||
report_capability "Multi-port Match" $MULTIPORT
|
||||
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
|
||||
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
|
||||
report_capability "Packet Type Match" $PKTTYPE
|
||||
report_capability "Policy Match" $POLICY_MATCH
|
||||
report_capability "Physdev Match" $PHYSDEV_MATCH
|
||||
report_capability "IP range Match" $IPRANGE_MATCH
|
||||
}
|
||||
|
||||
#
|
||||
|
@ -1 +1 @@
|
||||
2.2.1
|
||||
2.2.2
|
||||
|
@ -1,11 +1,28 @@
|
||||
Changes in 2.2.2
|
||||
|
||||
1) The 'check' command disclaimer is toned down further and only
|
||||
appears once in the 'check' output.
|
||||
|
||||
2) Enhanced support in the SOURCE column of /etc/shorewall/tcrules.
|
||||
|
||||
3) All calls to 'clear' are now conditional on the output device being
|
||||
a terminal.
|
||||
|
||||
4) Apply Juergen Kreileder's patch for logging.
|
||||
|
||||
5) Add the output of 'arp -na' to the 'shorewall status' display.
|
||||
|
||||
6) Provide support for the Extended multiport match available in
|
||||
2.6.11.
|
||||
|
||||
7) Fix logging rule generation.
|
||||
|
||||
Changes in 2.2.1
|
||||
|
||||
1) Add examples to the zones and policy files.
|
||||
|
||||
2) Simon Matter's patch for umask.
|
||||
|
||||
3) Apply Juergen Kreileder's patch for logging.
|
||||
|
||||
Changes since 2.0.3
|
||||
|
||||
1) Fix security vulnerability involving temporary files/directories.
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=2.2.1
|
||||
VERSION=2.2.2
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
135
STABLE2/firewall
135
STABLE2/firewall
@ -30,7 +30,7 @@
|
||||
# shorewall restart Restarts the firewall
|
||||
# shorewall stop Stops the firewall
|
||||
# shorewall status Displays firewall status
|
||||
# shorewall reset Resets iptabless packet and
|
||||
# shorewall reset Resets iptables packet and
|
||||
# byte counts
|
||||
# shorewall clear Remove all Shorewall chains
|
||||
# and rules/policies.
|
||||
@ -1303,10 +1303,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
|
||||
|
||||
case $level in
|
||||
ULOG)
|
||||
$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
||||
run_iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
||||
;;
|
||||
*)
|
||||
$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
||||
run_iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -2333,16 +2333,19 @@ process_tc_rule()
|
||||
if [ "x$source" != "x-" ]; then
|
||||
case $source in
|
||||
*.*.*)
|
||||
r="-s $source "
|
||||
r="$(source_ip_range $source) "
|
||||
;;
|
||||
~*)
|
||||
r="$(mac_match $source) "
|
||||
;;
|
||||
$FW:*)
|
||||
chain=tcout
|
||||
r="$(source_ip_range ${source%:*}) "
|
||||
;;
|
||||
$FW)
|
||||
chain=tcout
|
||||
;;
|
||||
*)
|
||||
|
||||
*)
|
||||
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
|
||||
r="$(match_source_dev) $source "
|
||||
;;
|
||||
@ -2763,13 +2766,14 @@ check_config() {
|
||||
|
||||
disclaimer() {
|
||||
echo
|
||||
echo "Notice: The 'check' command is unsupported and problem"
|
||||
echo " reports complaining about errors that it didn't catch"
|
||||
echo " will not be accepted"
|
||||
echo "Notice: The 'check' command is provided to catch"
|
||||
echo " obvious errors in a Shorewall configuration."
|
||||
echo " It is not designed to catch all possible errors"
|
||||
echo " so please don't submit problem reports about"
|
||||
echo " error conditions that 'check' doesn't find"
|
||||
echo
|
||||
}
|
||||
|
||||
disclaimer
|
||||
|
||||
report_capabilities
|
||||
|
||||
@ -3148,7 +3152,27 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
|
||||
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
|
||||
|
||||
if [ -n "$MULTIPORT" ] && \
|
||||
if [ -n "$XMULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
||||
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
|
||||
then
|
||||
#
|
||||
# Extended MULTIPORT is enabled, and less than
|
||||
# 16 ports are listed (port ranges count as two ports) - use multiport match.
|
||||
#
|
||||
multioption="-m multiport"
|
||||
for client in $(separate_list ${clients:=-}); do
|
||||
for server in $(separate_list ${servers:=-}); do
|
||||
#
|
||||
# add_an_action() modifies these so we must set their values each time
|
||||
#
|
||||
port=${ports:=-}
|
||||
cport=${cports:=-}
|
||||
add_an_action
|
||||
done
|
||||
done
|
||||
elif [ -n "$MULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ "$ports" = "${ports%:*}" -a \
|
||||
"$cports" = "${cports%:*}" -a \
|
||||
@ -3242,7 +3266,11 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
|
||||
if [ $COMMAND != check ]; then
|
||||
createchain $CHAIN No
|
||||
LEVEL=${level%:*}
|
||||
TAG=${level#*:}
|
||||
if [ "$LEVEL" != "$level" ]; then
|
||||
TAG=${level#*:}
|
||||
else
|
||||
TAG=
|
||||
fi
|
||||
run_user_exit $1
|
||||
fi
|
||||
|
||||
@ -4318,7 +4346,26 @@ process_rule() # $1 = target
|
||||
|
||||
case $logtarget in
|
||||
DNAT*)
|
||||
if [ -n "$MULTIPORT" ] && \
|
||||
if [ -n "$XMULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
||||
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
|
||||
then
|
||||
#
|
||||
# Extended MULTIPORT is enabled, and less than
|
||||
# 16 ports are listed (port ranges count as two ports) - use multiport match.
|
||||
#
|
||||
multioption="-m multiport"
|
||||
for client in $(separate_list ${clients:=-}); do
|
||||
#
|
||||
# add_a_rule() modifies these so we must set their values each time
|
||||
#
|
||||
server=${servers:=-}
|
||||
port=${ports:=-}
|
||||
cport=${cports:=-}
|
||||
add_a_rule
|
||||
done
|
||||
elif [ -n "$MULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ "$ports" = "${ports%:*}" -a \
|
||||
"$cports" = "${cports%:*}" -a \
|
||||
@ -4356,7 +4403,27 @@ process_rule() # $1 = target
|
||||
;;
|
||||
*)
|
||||
|
||||
if [ -n "$MULTIPORT" ] && \
|
||||
if [ -n "$XMULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
||||
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
|
||||
then
|
||||
#
|
||||
# Extended MULTIPORT is enabled, and less than
|
||||
# 16 ports are listed (port ranges count as two ports) - use multiport match.
|
||||
#
|
||||
multioption="-m multiport"
|
||||
for client in $(separate_list ${clients:=-}); do
|
||||
for server in $(separate_list ${servers:=-}); do
|
||||
#
|
||||
# add_a_rule() modifies these so we must set their values each time
|
||||
#
|
||||
port=${ports:=-}
|
||||
cport=${cports:=-}
|
||||
add_a_rule
|
||||
done
|
||||
done
|
||||
elif [ -n "$MULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ "$ports" = "${ports%:*}" -a \
|
||||
"$cports" = "${cports%:*}" -a \
|
||||
@ -4423,6 +4490,7 @@ process_rules()
|
||||
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
|
||||
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
|
||||
if [ "$ypolicy" != NONE ] ; then
|
||||
rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
|
||||
fi
|
||||
fi
|
||||
@ -4448,11 +4516,11 @@ process_rules()
|
||||
continue
|
||||
fi
|
||||
|
||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
|
||||
}
|
||||
|
||||
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
|
||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||
expandv xtarget
|
||||
|
||||
case "${xtarget%%:*}" in
|
||||
@ -4469,6 +4537,7 @@ process_rules()
|
||||
xtarget=$(find_logactionchain $xtarget)
|
||||
do_it
|
||||
else
|
||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||
fatal_error "Invalid Action in rule \"$rule\""
|
||||
fi
|
||||
;;
|
||||
@ -5039,7 +5108,15 @@ setup_masq()
|
||||
if [ $listcount -gt 1 ]; then
|
||||
case $ports in
|
||||
*:*)
|
||||
fatal_error "Port Range not allowed in list ($ports)"
|
||||
if [ -n "$XMULTIPORT" ]; then
|
||||
if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then
|
||||
ports="-m multiport --dports $ports"
|
||||
else
|
||||
fatal_error "More than 15 entries in port list ($ports)"
|
||||
fi
|
||||
else
|
||||
fatal_error "Port Range not allowed in list ($ports)"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
if [ -n "$MULTIPORT" ]; then
|
||||
@ -5475,6 +5552,7 @@ save_load_kernel_modules()
|
||||
done < $modules
|
||||
|
||||
save_command __EOF__
|
||||
save_command ""
|
||||
|
||||
}
|
||||
|
||||
@ -5494,6 +5572,7 @@ determine_capabilities() {
|
||||
|
||||
CONNTRACK_MATCH=
|
||||
MULTIPORT=
|
||||
XMULTIPORT=
|
||||
POLICY_MATCH=
|
||||
PHYSDEV_MATCH=
|
||||
IPRANGE_MATCH=
|
||||
@ -5501,6 +5580,7 @@ determine_capabilities() {
|
||||
qt $IPTABLES -N fooX1234
|
||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||
@ -5514,25 +5594,26 @@ determine_capabilities() {
|
||||
qt $IPTABLES -X fooX1234
|
||||
}
|
||||
|
||||
report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
|
||||
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
|
||||
{
|
||||
local setting=
|
||||
|
||||
[ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available"
|
||||
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
|
||||
|
||||
echo " " $@: $setting
|
||||
echo " " $1: $setting
|
||||
}
|
||||
|
||||
report_capabilities() {
|
||||
echo "Shorewall has detected the following iptables/netfilter capabilities:"
|
||||
report_capability $NAT_ENABLED "NAT"
|
||||
report_capability $MANGLE_ENABLED "Packet Mangling"
|
||||
report_capability $MULTIPORT "Multi-port Match"
|
||||
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
|
||||
report_capability $PKTTYPE "Packet Type Match"
|
||||
report_capability $POLICY_MATCH "Policy Match"
|
||||
report_capability $PHYSDEV_MATCH "Physdev Match"
|
||||
report_capability $IPRANGE_MATCH "IP range Match"
|
||||
report_capability "NAT" $NAT_ENABLED
|
||||
report_capability "Packet Mangling" $MANGLE_ENABLED
|
||||
report_capability "Multi-port Match" $MULTIPORT
|
||||
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
|
||||
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
|
||||
report_capability "Packet Type Match" $PKTTYPE
|
||||
report_capability "Policy Match" $POLICY_MATCH
|
||||
report_capability "Physdev Match" $PHYSDEV_MATCH
|
||||
report_capability "IP range Match" $IPRANGE_MATCH
|
||||
}
|
||||
|
||||
#
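Review bot: Any caller of `report_capability` outside this hunk, if one exists, breaks silently with the new argument order: the body now tests `$2` for `Yes` and prints `$1`, so a call that still passes the flag first would print something like `Yes: Not available` with no error. Every call site visible here is updated, but it is worth a grep of the rest of the file before merging. A one-line comment above the function would pin the contract for the next change, e.g. `# $1 = description printed verbatim, $2 = "Yes" or empty`. determine_capabilities and the start of this hunk's context lie outside the hunk.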
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
|
||||
VERSION=2.2.1
|
||||
VERSION=2.2.2
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,4 +1,43 @@
|
||||
Shorewall 2.2.1
|
||||
Shorewall 2.2.2
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in version 2.2.2
|
||||
|
||||
1) The SOURCE column in the /etc/shorewall/tcrules file now allows IP
|
||||
ranges (assuming that your iptables and kernel support ranges).
|
||||
|
||||
2) If A is a user-defined action and you have file /etc/shorewall/A
|
||||
then when that file is invoked, the $TAG value may be incorrect.
|
||||
|
||||
3) Previously, if an iptables command generating a logging rule
|
||||
failed, the Shorewall [re]start was still successful. This error
|
||||
is now considered fatal and Shorewall will be either restored from
|
||||
the last save (if any) or it will be stopped.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
New Features in version 2.2.2
|
||||
|
||||
1) The SOURCE column in the /etc/shorewall/tcrules file now allows $FW
|
||||
to be optionally followed by ":" and a host/network address or
|
||||
address range.
|
||||
|
||||
2) Shorewall now clears the output device only if it is a
|
||||
terminal. This avoids ugly control sequences being placed in files
|
||||
when /sbin/shorewall output is redirected.
|
||||
|
||||
3) The output from 'arp -na' has been added to the 'shorewall status'
|
||||
display.
|
||||
|
||||
4) The 2.6.11 Linux kernel and iptables 1.3.0 now allow port ranges
|
||||
to appear in port lists handled by "multiport match". If Shorewall
|
||||
detects this capability, it will use "multiport match" for port
|
||||
lists containing port ranges. Be cautioned that each port range
|
||||
counts for TWO ports and a port list handled with "multiport match"
|
||||
can still specify a maximum of 15 ports.
|
||||
|
||||
As always, if a port list in /etc/shorewall/rules is incompatible
|
||||
with "multiport match", a separate iptables rule will be generated
|
||||
for each element in the list.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in version 2.2.1
|
||||
|
@ -220,6 +220,13 @@ get_config() {
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Clear descriptor 1 if it is a terminal
|
||||
#
|
||||
clear_term() {
|
||||
[ -t 1 ] && clear
|
||||
}
|
||||
|
||||
#
|
||||
# Display IPTABLES rules -- we used to store them in a variable but ash
|
||||
# dies when trying to display large sets of rules
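Review bot: `clear_term` consists solely of `[ -t 1 ] && clear`, so the function's exit status is 1 whenever stdout is not a terminal — precisely the redirected-output case the commit is addressing. Every call site in this commit uses it as a bare statement, so nothing breaks today, but the status would turn into a spurious failure if the script ever ran under `set -e` or the call were placed in an `&&` chain; `if [ -t 1 ]; then clear; fi` expresses the intent without that side effect. I would also extend the header comment with the reason, `# Clear descriptor 1 if it is a terminal (keeps control sequences out of redirected output)`.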
|
||||
@ -238,7 +245,7 @@ display_chains()
|
||||
|
||||
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo "Standard Chains"
|
||||
@ -250,7 +257,7 @@ display_chains()
|
||||
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
@ -268,7 +275,7 @@ display_chains()
|
||||
for zone in $zones; do
|
||||
|
||||
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
@ -287,7 +294,7 @@ display_chains()
|
||||
fi
|
||||
done
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
@ -308,7 +315,7 @@ display_chains()
|
||||
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
@ -443,7 +450,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
while true; do
|
||||
display_chains
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
|
||||
@ -474,7 +481,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
timed_read
|
||||
fi
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo "NAT Status"
|
||||
@ -482,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
@ -491,7 +498,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
@ -500,7 +507,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
cat /proc/net/ip_conntrack
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
@ -509,7 +516,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
show_tc
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
@ -541,7 +548,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
qt which awk && haveawk=Yes || haveawk=
|
||||
|
||||
while true; do
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
|
||||
@ -960,7 +967,7 @@ case "$1" in
|
||||
status)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] || usage 1
|
||||
clear
|
||||
clear_term
|
||||
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
@ -1019,6 +1026,11 @@ case "$1" in
|
||||
ip route ls table $table
|
||||
done
|
||||
|
||||
echo
|
||||
echo "ARP"
|
||||
echo
|
||||
arp -na
|
||||
|
||||
if qt which lsmod; then
|
||||
echo
|
||||
echo "Modules"
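Review bot: `arp -na` is invoked unconditionally in the new ARP section, while the adjacent `Modules` block is guarded with `qt which lsmod`; on a host without the net-tools package the status report will carry a command-not-found error in place of the neighbour table. Guard the four new lines the same way, `if qt which arp; then` … `fi`, or use `ip neigh show`, since `ip` is already relied on by the `ip route ls table $table` loop just above. The enclosing `status)` case begins outside this hunk.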
|
||||
@ -1029,7 +1041,7 @@ case "$1" in
|
||||
hits)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] || usage 1
|
||||
clear
|
||||
clear_term
|
||||
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
|
||||
echo
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 2.2.1
|
||||
%define version 2.2.2
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -137,6 +137,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
|
||||
|
||||
%changelog
|
||||
* Mon Mar 07 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.2-1
|
||||
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.1-1
|
||||
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
|
||||
|
@ -80,7 +80,8 @@
|
||||
# allowed. Use $FW if the packet originates on
|
||||
# the firewall in which case the MARK column may NOT
|
||||
# specify either ":P" or ":F" (marking always occurs
|
||||
# in the OUTPUT chain).
|
||||
# in the OUTPUT chain). $FW may be optionally followed
|
||||
# by ":" and a host/network address.
|
||||
#
|
||||
# MAC addresses must be prefixed with "~" and use
|
||||
# "-" as a separator.
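Review bot: The new sentence says `$FW` may be followed by a host/network address but not which packet field that address is matched against, and for marking rules that must not catch unintended traffic the distinction matters. Given the preceding text about packets originating on the firewall this presumably restricts the rule by source address; spell that out, e.g. `# by ":" and a host/network address (matched against the packet's source address).`, and confirm against the rule compiler if it is something else.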
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=2.2.1
|
||||
VERSION=2.2.2
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -17,7 +17,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-03-01</pubdate>
|
||||
<pubdate>2005-03-07</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -294,9 +294,14 @@ DNAT net loc:192.168.1.3:22 tcp 1022</programlisting>
|
||||
</itemizedlist>
|
||||
|
||||
<para>If you insist on an IP solution to the accessibility problem
|
||||
rather than a DNS solution, then assuming that your external interface
|
||||
is eth0 and your internal interface is eth1 and that eth1 has IP address
|
||||
192.168.1.254 with subnet 192.168.1.0/24:<warning>
|
||||
rather than a DNS solution, then if you are running Shorewall 2.0.0 or
|
||||
2.0.1 then please see the <ulink
|
||||
url="http://www.shorewall.net/1.4/FAQ.htm#faq2">Shorewall 1.4
|
||||
FAQ</ulink>.</para>
|
||||
|
||||
<para>Otherwise, assuming that your external interface is eth0 and your
|
||||
internal interface is eth1 and that eth1 has IP address 192.168.1.254
|
||||
with subnet 192.168.1.0/24, then:<warning>
|
||||
<para>All traffic redirected through use of this hack will look to
|
||||
the server as if it came from the firewall (192.168.1.254) rather
|
||||
than from the original client!</para>
|
||||
@ -1690,8 +1695,8 @@ alias ipt_pkttype off</programlisting>
|
||||
how can you not support that version?</title>
|
||||
|
||||
<para>The first release of Shorewall was in March of 2001. Shorewall
|
||||
1.2.12 was released in May of 2002. It is now the year 2004 and
|
||||
Shorewall 2.0 is available. Shorewall 1.2.12 is poorly documented and is
|
||||
1.2.12 was released in May of 2002. It is now the year 2005 and
|
||||
Shorewall 2.2 is available. Shorewall 1.2.12 is poorly documented and is
|
||||
missing many of the features that Shorewall users find essential today
|
||||
and it is silly to continue to run it simply because it is bundled with
|
||||
an ancient Debian release.</para>
|
||||
@ -2045,473 +2050,4 @@ Verifying Configuration...
|
||||
...</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<appendix>
|
||||
<title>Revision History</title>
|
||||
|
||||
<para><revhistory>
|
||||
<revision>
|
||||
<revnumber>1.43</revnumber>
|
||||
|
||||
<date>2005-03-01</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added FAQ 14b.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.42</revnumber>
|
||||
|
||||
<date>2004-12-31</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added FAQ 44.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.41</revnumber>
|
||||
|
||||
<date>2004-12-26</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added FAQ 43.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.40</revnumber>
|
||||
|
||||
<date>2004-12-22</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Correct action directory name if FAQ 4.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.39</revnumber>
|
||||
|
||||
<date>2004-12-12</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Updated Debian information. Revised the answer to FAQ
|
||||
2a.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.38</revnumber>
|
||||
|
||||
<date>2004-11-18</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added FAQ 42.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.37</revnumber>
|
||||
|
||||
<date>2004-11-05</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added second title to FAQ 17.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.36</revnumber>
|
||||
|
||||
<date>2004-11-04</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Add note about Gnome Terminal.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.35</revnumber>
|
||||
|
||||
<date>2004-10-30</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Add FAQ 41.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.34</revnumber>
|
||||
|
||||
<date>2004-10-12</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Add FAQ 40.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.33</revnumber>
|
||||
|
||||
<date>2004-10-01</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Add FAQ 39.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.32</revnumber>
|
||||
|
||||
<date>2004-09-23</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Add link to simple bridge documentation from FAQ
|
||||
35.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.31</revnumber>
|
||||
|
||||
<date>2004-09-12</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Rename FAQ 17.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.30</revnumber>
|
||||
|
||||
<date>2004-08-26</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Update FAQ 2 with information about Shorewall
|
||||
2.1.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.29</revnumber>
|
||||
|
||||
<date>2004-08-19</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Reword FAQ 27a to include downloaded kernels.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.28</revnumber>
|
||||
|
||||
<date>2004-07-14</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Insert link to Ian Allen's DNAT paper (FAQ
|
||||
38)</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.27</revnumber>
|
||||
|
||||
<date>2004-06-18</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Correct formatting in H323 quote.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.26</revnumber>
|
||||
|
||||
<date>2004-05-18</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Delete obsolete ping information.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.25</revnumber>
|
||||
|
||||
<date>2004-05-18</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Empty /etc/shorewall on Debian.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.25</revnumber>
|
||||
|
||||
<date>2004-05-08</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Update for Shorewall 2.0.2</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.24</revnumber>
|
||||
|
||||
<date>2004-04-25</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Add MA Brown's notes on multi-ISP routing.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.23</revnumber>
|
||||
|
||||
<date>2004-04-22</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Refined SNAT rule in FAQ #2.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.22</revnumber>
|
||||
|
||||
<date>2004-04-06</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added FAQ 36.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.21</revnumber>
|
||||
|
||||
<date>2004-03-05</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added Bridging link.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.20</revnumber>
|
||||
|
||||
<date>2004-02-27</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added FAQ 35.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.19</revnumber>
|
||||
|
||||
<date>2004-02-22</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added mention of nosmurfs option under FAQ
|
||||
31.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.18</revnumber>
|
||||
|
||||
<date>2004-02-15</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added FAQ 34.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.17</revnumber>
|
||||
|
||||
<date>2004-02-11</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added FAQ 33.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.16</revnumber>
|
||||
|
||||
<date>2004-02-03</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Updated for Shorewall 2.0.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.15</revnumber>
|
||||
|
||||
<date>2004-01-25</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Updated FAQ 32 to mention masquerading. Remove
|
||||
tables.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.14</revnumber>
|
||||
|
||||
<date>2004-01-24</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added FAQ 27a regarding kernel/iptables
|
||||
incompatibility.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.13</revnumber>
|
||||
|
||||
<date>2004-01-24</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Add a note about the <emphasis
|
||||
role="bold">detectnets</emphasis> interface option in FAQ
|
||||
9.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.12</revnumber>
|
||||
|
||||
<date>2004-01-20</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Improve FAQ 16 answer.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.11</revnumber>
|
||||
|
||||
<date>2004-01-14</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Corrected broken link</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.10</revnumber>
|
||||
|
||||
<date>2004-01-09</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added a couple of more legacy FAQ numbers.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.9</revnumber>
|
||||
|
||||
<date>2004-01-08</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Corrected typo in FAQ 26a. Added warning to FAQ 2
|
||||
regarding source address of redirected requests.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.8</revnumber>
|
||||
|
||||
<date>2003-12-31</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Additions to FAQ 4.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.7</revnumber>
|
||||
|
||||
<date>2003-12-30</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Remove dead link from FAQ 1.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.6</revnumber>
|
||||
|
||||
<date>2003.12-18</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Add external link reference to FAQ 17.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.5</revnumber>
|
||||
|
||||
<date>2003-12-16</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added a link to a Sys Admin article about multiple
|
||||
internet interfaces. Added Legal Notice. Moved "abstract" to the
|
||||
body of the document. Moved Revision History to this
|
||||
Appendix.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.4</revnumber>
|
||||
|
||||
<date>2003-12-13</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Corrected formatting problems</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.3</revnumber>
|
||||
|
||||
<date>2003-12-10</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Changed the title of FAQ 17</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.2</revnumber>
|
||||
|
||||
<date>2003-12-09</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added Copyright and legacy FAQ numbers</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.1</revnumber>
|
||||
|
||||
<date>2003-12-04</date>
|
||||
|
||||
<authorinitials>MN</authorinitials>
|
||||
|
||||
<revremark>Converted to Simplified DocBook XML</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.0</revnumber>
|
||||
|
||||
<date>2002-08-13</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Initial revision</revremark>
|
||||
</revision>
|
||||
</revhistory></para>
|
||||
</appendix>
|
||||
</article>
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=2.2.1
|
||||
VERSION=2.2.2
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
|
||||
VERSION=2.2.1
|
||||
VERSION=2.2.2
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 2.2.1
|
||||
%define version 2.2.2
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -137,6 +137,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
|
||||
|
||||
%changelog
|
||||
* Mon Mar 07 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.2-1
|
||||
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.1-1
|
||||
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=2.2.1
|
||||
VERSION=2.2.2
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|