diff --git a/Lrp2/etc/shorewall/tcrules b/Lrp2/etc/shorewall/tcrules
index 94d686e96..41c132641 100644
--- a/Lrp2/etc/shorewall/tcrules
+++ b/Lrp2/etc/shorewall/tcrules
@@ -80,7 +80,8 @@
# allowed. Use $FW if the packet originates on
# the firewall in which case the MARK column may NOT
# specify either ":P" or ":F" (marking always occurs
-# in the OUTPUT chain).
+# in the OUTPUT chain). $FW may be optionally followed
+# by ":" and a host/network address.
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
diff --git a/Lrp2/sbin/shorewall b/Lrp2/sbin/shorewall
index fd1d8ac0c..3e75a61ea 100755
--- a/Lrp2/sbin/shorewall
+++ b/Lrp2/sbin/shorewall
@@ -4,7 +4,7 @@
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
-# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
+# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# This file should be placed in /sbin/shorewall.
#
@@ -220,6 +220,13 @@ get_config() {
}
+#
+# Clear descriptor 1 if it is a terminal
+#
+clear_term() {
+ [ -t 1 ] && clear
+}
+
#
# Display IPTABLES rules -- we used to store them in a variable but ash
# dies when trying to display large sets of rules
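Review bot: `clear_term` exits with status 1 whenever stdout is not a terminal, because `[ -t 1 ] && clear` makes the failed test's status the function's status; every `clear` call replaced by `clear_term` in the following hunks now inherits that, which matters if any caller runs under `set -e` or an ERR trap (neither is visible in this diff). Writing the body as `if [ -t 1 ]; then clear; fi` keeps the function's status 0 in both cases and reads as the guard it is. The same definition is duplicated in STABLE2/shorewall and needs the same change.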
@@ -238,7 +245,7 @@ display_chains()
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
- clear
+ clear_term
echo "$banner $(date)"
echo
echo "Standard Chains"
@@ -250,7 +257,7 @@ display_chains()
timed_read
- clear
+ clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@@ -268,7 +275,7 @@ display_chains()
for zone in $zones; do
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
- clear
+ clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@@ -287,7 +294,7 @@ display_chains()
fi
done
- clear
+ clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@@ -308,7 +315,7 @@ display_chains()
timed_read
- clear
+ clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@@ -443,7 +450,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
while true; do
display_chains
- clear
+ clear_term
echo "$banner $(date)"
echo
@@ -474,7 +481,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
timed_read
fi
- clear
+ clear_term
echo "$banner $(date)"
echo
echo "NAT Status"
@@ -482,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
$IPTABLES -t nat -L $IPT_OPTIONS
timed_read
- clear
+ clear_term
echo "$banner $(date)"
echo
echo
@@ -491,7 +498,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
$IPTABLES -t mangle -L $IPT_OPTIONS
timed_read
- clear
+ clear_term
echo "$banner $(date)"
echo
echo
@@ -500,7 +507,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
cat /proc/net/ip_conntrack
timed_read
- clear
+ clear_term
echo "$banner $(date)"
echo
echo
@@ -509,7 +516,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
show_tc
timed_read
- clear
+ clear_term
echo "$banner $(date)"
echo
echo
@@ -541,7 +548,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
qt which awk && haveawk=Yes || haveawk=
while true; do
- clear
+ clear_term
echo "$banner $(date)"
echo
@@ -960,7 +967,7 @@ case "$1" in
status)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
- clear
+ clear_term
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo
show_reset
@@ -1019,6 +1026,11 @@ case "$1" in
ip route ls table $table
done
+ echo
+ echo "ARP"
+ echo
+ arp -na
+
if qt which lsmod; then
echo
echo "Modules"
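Review bot: `arp -na` is run unconditionally, while `lsmod` two lines below is only run after `qt which lsmod` succeeds; on a host without the `arp` binary the `status` output would contain a "command not found" diagnostic where the ARP table was meant to be. Guard it the same way as the modules listing: `if qt which arp; then echo; echo "ARP"; echo; arp -na; fi`. The STABLE2/shorewall copy of this hunk has the same gap. The enclosing `case "$1" in` starts and ends outside the hunk.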
@@ -1029,7 +1041,7 @@ case "$1" in
hits)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
- clear
+ clear_term
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
echo
diff --git a/Lrp2/usr/share/shorewall/firewall b/Lrp2/usr/share/shorewall/firewall
index 4744bac36..76c3b069f 100755
--- a/Lrp2/usr/share/shorewall/firewall
+++ b/Lrp2/usr/share/shorewall/firewall
@@ -30,7 +30,7 @@
# shorewall restart Restarts the firewall
# shorewall stop Stops the firewall
# shorewall status Displays firewall status
-# shorewall reset Resets iptabless packet and
+# shorewall reset Resets iptables packet and
# byte counts
# shorewall clear Remove all Shorewall chains
# and rules/policies.
@@ -1303,10 +1303,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
case $level in
ULOG)
- $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
+ run_iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
;;
*)
- $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
+ run_iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
;;
esac
@@ -2333,16 +2333,19 @@ process_tc_rule()
if [ "x$source" != "x-" ]; then
case $source in
*.*.*)
- r="-s $source "
+ r="$(source_ip_range $source) "
;;
~*)
r="$(mac_match $source) "
;;
+ $FW:*)
+ chain=tcout
+ r="$(source_ip_range ${source%:*}) "
+ ;;
$FW)
chain=tcout
;;
- *)
-
+ *)
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
r="$(match_source_dev) $source "
;;
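Review bot: The new `$FW:*)` arm in process_tc_rule cannot be reached for a dotted address, because the `*.*.*)` arm above it matches any value containing two or more dots, so a source such as `$FW:192.168.1.0/24` is passed to `source_ip_range` with the `$FW:` prefix still attached and `chain` is never set to tcout. Independently, `${source%:*}` removes the suffix after the last colon and therefore yields `$FW` rather than the address; the address part is `${source#*:}`. Move the `$FW:*)` arm ahead of `*.*.*)` and change the assignment to `r="$(source_ip_range ${source#*:}) "`. The STABLE2/firewall copy of this hunk needs both corrections; the enclosing `case $source in` ends outside the hunk.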
@@ -2763,13 +2766,14 @@ check_config() {
disclaimer() {
echo
- echo "Notice: The 'check' command is unsupported and problem"
- echo " reports complaining about errors that it didn't catch"
- echo " will not be accepted"
+ echo "Notice: The 'check' command is provided to catch"
+ echo " obvious errors in a Shorewall configuration."
+ echo " It is not designed to catch all possible errors"
+ echo " so please don't submit problem reports about"
+ echo " error conditions that 'check' doesn't find"
echo
}
- disclaimer
report_capabilities
@@ -3148,7 +3152,27 @@ process_action() # $1 = chain (Chain to add the rules to)
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
- if [ -n "$MULTIPORT" ] && \
+ if [ -n "$XMULTIPORT" ] && \
+ ! list_search $protocol "icmp" "ICMP" "1" && \
+ [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
+ $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
+ then
+ #
+ # Extended MULTIPORT is enabled, and less than
+ # 16 ports are listed (port ranges count as two ports) - use multiport match.
+ #
+ multioption="-m multiport"
+ for client in $(separate_list ${clients:=-}); do
+ for server in $(separate_list ${servers:=-}); do
+ #
+ # add_an_action() modifies these so we must set their values each time
+ #
+ port=${ports:=-}
+ cport=${cports:=-}
+ add_an_action
+ done
+ done
+ elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
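Review bot: The size check `-le 16` disagrees with the comment directly above it ("less than 16 ports") and with the setup_masq message "More than 15 entries in port list", both of which describe a limit of 15; if `list_count1` (not visible here) returns the number of ranges so that each range is counted twice as the comment says, the bound should be `-le 15`, otherwise a list occupying 16 slots is handed to iptables instead of being rejected as a configuration error. Either the comparison or the wording should change so that the three agree. The identical condition is repeated in both branches of process_rule and, in abbreviated form, in setup_masq, and again in the STABLE2/firewall copies of those hunks; a small helper that evaluates it once (for example `multiport_fits() { … }`) would keep the copies from drifting. The `if`/`elif` chain continues past the end of this hunk.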
@@ -3242,7 +3266,11 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
if [ $COMMAND != check ]; then
createchain $CHAIN No
LEVEL=${level%:*}
- TAG=${level#*:}
+ if [ "$LEVEL" != "$level" ]; then
+ TAG=${level#*:}
+ else
+ TAG=
+ fi
run_user_exit $1
fi
@@ -4318,7 +4346,26 @@ process_rule() # $1 = target
case $logtarget in
DNAT*)
- if [ -n "$MULTIPORT" ] && \
+ if [ -n "$XMULTIPORT" ] && \
+ ! list_search $protocol "icmp" "ICMP" "1" && \
+ [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
+ $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
+ then
+ #
+ # Extended MULTIPORT is enabled, and less than
+ # 16 ports are listed (port ranges count as two ports) - use multiport match.
+ #
+ multioption="-m multiport"
+ for client in $(separate_list ${clients:=-}); do
+ #
+ # add_a_rule() modifies these so we must set their values each time
+ #
+ server=${servers:=-}
+ port=${ports:=-}
+ cport=${cports:=-}
+ add_a_rule
+ done
+ elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
@@ -4356,7 +4403,27 @@ process_rule() # $1 = target
;;
*)
- if [ -n "$MULTIPORT" ] && \
+ if [ -n "$XMULTIPORT" ] && \
+ ! list_search $protocol "icmp" "ICMP" "1" && \
+ [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
+ $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
+ then
+ #
+ # Extended MULTIPORT is enabled, and less than
+ # 16 ports are listed (port ranges count as two ports) - use multiport match.
+ #
+ multioption="-m multiport"
+ for client in $(separate_list ${clients:=-}); do
+ for server in $(separate_list ${servers:=-}); do
+ #
+ # add_a_rule() modifies these so we must set their values each time
+ #
+ port=${ports:=-}
+ cport=${cports:=-}
+ add_a_rule
+ done
+ done
+ elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
@@ -4423,6 +4490,7 @@ process_rules()
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then
+ rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
fi
fi
@@ -4448,11 +4516,11 @@ process_rules()
continue
fi
+ rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
}
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
- rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
expandv xtarget
case "${xtarget%%:*}" in
@@ -4469,6 +4537,7 @@ process_rules()
xtarget=$(find_logactionchain $xtarget)
do_it
else
+ rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
fatal_error "Invalid Action in rule \"$rule\""
fi
;;
@@ -5039,7 +5108,15 @@ setup_masq()
if [ $listcount -gt 1 ]; then
case $ports in
*:*)
- fatal_error "Port Range not allowed in list ($ports)"
+ if [ -n "$XMULTIPORT" ]; then
+ if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then
+ ports="-m multiport --dports $ports"
+ else
+ fatal_error "More than 15 entries in port list ($ports)"
+ fi
+ else
+ fatal_error "Port Range not allowed in list ($ports)"
+ fi
;;
*)
if [ -n "$MULTIPORT" ]; then
@@ -5475,6 +5552,7 @@ save_load_kernel_modules()
done < $modules
save_command __EOF__
+ save_command ""
}
@@ -5494,6 +5572,7 @@ determine_capabilities() {
CONNTRACK_MATCH=
MULTIPORT=
+ XMULTIPORT=
POLICY_MATCH=
PHYSDEV_MATCH=
IPRANGE_MATCH=
@@ -5501,6 +5580,7 @@ determine_capabilities() {
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
+ qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
@@ -5514,25 +5594,26 @@ determine_capabilities() {
qt $IPTABLES -X fooX1234
}
-report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
+report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{
local setting=
- [ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available"
+ [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
- echo " " $@: $setting
+ echo " " $1: $setting
}
report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:"
- report_capability $NAT_ENABLED "NAT"
- report_capability $MANGLE_ENABLED "Packet Mangling"
- report_capability $MULTIPORT "Multi-port Match"
- report_capability $CONNTRACK_MATCH "Connection Tracking Match"
- report_capability $PKTTYPE "Packet Type Match"
- report_capability $POLICY_MATCH "Policy Match"
- report_capability $PHYSDEV_MATCH "Physdev Match"
- report_capability $IPRANGE_MATCH "IP range Match"
+ report_capability "NAT" $NAT_ENABLED
+ report_capability "Packet Mangling" $MANGLE_ENABLED
+ report_capability "Multi-port Match" $MULTIPORT
+ [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
+ report_capability "Connection Tracking Match" $CONNTRACK_MATCH
+ report_capability "Packet Type Match" $PKTTYPE
+ report_capability "Policy Match" $POLICY_MATCH
+ report_capability "Physdev Match" $PHYSDEV_MATCH
+ report_capability "IP range Match" $IPRANGE_MATCH
}
#
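Review bot: In report_capability the description is expanded unquoted in `echo " " $1: $setting`, so it is word-split and glob-expanded before echo sees it; `echo "  $1: $setting"` prints the same text for the current literal descriptions and stays correct for any future one. The callers in report_capabilities pass the setting unquoted (for example `$XMULTIPORT`), which only works because `"x$2"` tolerates a missing second argument; quoting them as `"$XMULTIPORT"` gives the function a fixed arity. The STABLE2/firewall copy of this hunk is identical and should be changed the same way.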
diff --git a/Lrp2/usr/share/shorewall/version b/Lrp2/usr/share/shorewall/version
index c043eea77..b1b25a5ff 100644
--- a/Lrp2/usr/share/shorewall/version
+++ b/Lrp2/usr/share/shorewall/version
@@ -1 +1 @@
-2.2.1
+2.2.2
diff --git a/STABLE2/changelog.txt b/STABLE2/changelog.txt
index 6e8e52db2..a901c96f2 100644
--- a/STABLE2/changelog.txt
+++ b/STABLE2/changelog.txt
@@ -1,11 +1,28 @@
+Changes in 2.2.2
+
+1) The 'check' command disclaimer is toned down further and only
+ appears once in the 'check' output.
+
+2) Enhanced support in the SOURCE column of /etc/shorewall/tcrules.
+
+3) All calls to 'clear' are now conditional on the output device being
+ a terminal.
+
+4) Apply Juergen Kreileder's patch for logging.
+
+5) Add the output of 'arp -na' to the 'shorewall status' display.
+
+6) Provide support for the Extended multiport match available in
+ 2.6.11.
+
+7) Fix logging rule generation.
+
Changes in 2.2.1
1) Add examples to the zones and policy files.
2) Simon Matter's patch for umask.
-3) Apply Juergen Kreileder's patch for logging.
-
Changes since 2.0.3
1) Fix security vulnerability involving temporary files/directories.
diff --git a/STABLE2/fallback.sh b/STABLE2/fallback.sh
index f69252b6b..53936aa6c 100755
--- a/STABLE2/fallback.sh
+++ b/STABLE2/fallback.sh
@@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
-VERSION=2.2.1
+VERSION=2.2.2
usage() # $1 = exit status
{
diff --git a/STABLE2/firewall b/STABLE2/firewall
index 4744bac36..76c3b069f 100755
--- a/STABLE2/firewall
+++ b/STABLE2/firewall
@@ -30,7 +30,7 @@
# shorewall restart Restarts the firewall
# shorewall stop Stops the firewall
# shorewall status Displays firewall status
-# shorewall reset Resets iptabless packet and
+# shorewall reset Resets iptables packet and
# byte counts
# shorewall clear Remove all Shorewall chains
# and rules/policies.
@@ -1303,10 +1303,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
case $level in
ULOG)
- $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
+ run_iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
;;
*)
- $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
+ run_iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
;;
esac
@@ -2333,16 +2333,19 @@ process_tc_rule()
if [ "x$source" != "x-" ]; then
case $source in
*.*.*)
- r="-s $source "
+ r="$(source_ip_range $source) "
;;
~*)
r="$(mac_match $source) "
;;
+ $FW:*)
+ chain=tcout
+ r="$(source_ip_range ${source%:*}) "
+ ;;
$FW)
chain=tcout
;;
- *)
-
+ *)
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
r="$(match_source_dev) $source "
;;
@@ -2763,13 +2766,14 @@ check_config() {
disclaimer() {
echo
- echo "Notice: The 'check' command is unsupported and problem"
- echo " reports complaining about errors that it didn't catch"
- echo " will not be accepted"
+ echo "Notice: The 'check' command is provided to catch"
+ echo " obvious errors in a Shorewall configuration."
+ echo " It is not designed to catch all possible errors"
+ echo " so please don't submit problem reports about"
+ echo " error conditions that 'check' doesn't find"
echo
}
- disclaimer
report_capabilities
@@ -3148,7 +3152,27 @@ process_action() # $1 = chain (Chain to add the rules to)
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
- if [ -n "$MULTIPORT" ] && \
+ if [ -n "$XMULTIPORT" ] && \
+ ! list_search $protocol "icmp" "ICMP" "1" && \
+ [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
+ $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
+ then
+ #
+ # Extended MULTIPORT is enabled, and less than
+ # 16 ports are listed (port ranges count as two ports) - use multiport match.
+ #
+ multioption="-m multiport"
+ for client in $(separate_list ${clients:=-}); do
+ for server in $(separate_list ${servers:=-}); do
+ #
+ # add_an_action() modifies these so we must set their values each time
+ #
+ port=${ports:=-}
+ cport=${cports:=-}
+ add_an_action
+ done
+ done
+ elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
@@ -3242,7 +3266,11 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
if [ $COMMAND != check ]; then
createchain $CHAIN No
LEVEL=${level%:*}
- TAG=${level#*:}
+ if [ "$LEVEL" != "$level" ]; then
+ TAG=${level#*:}
+ else
+ TAG=
+ fi
run_user_exit $1
fi
@@ -4318,7 +4346,26 @@ process_rule() # $1 = target
case $logtarget in
DNAT*)
- if [ -n "$MULTIPORT" ] && \
+ if [ -n "$XMULTIPORT" ] && \
+ ! list_search $protocol "icmp" "ICMP" "1" && \
+ [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
+ $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
+ then
+ #
+ # Extended MULTIPORT is enabled, and less than
+ # 16 ports are listed (port ranges count as two ports) - use multiport match.
+ #
+ multioption="-m multiport"
+ for client in $(separate_list ${clients:=-}); do
+ #
+ # add_a_rule() modifies these so we must set their values each time
+ #
+ server=${servers:=-}
+ port=${ports:=-}
+ cport=${cports:=-}
+ add_a_rule
+ done
+ elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
@@ -4356,7 +4403,27 @@ process_rule() # $1 = target
;;
*)
- if [ -n "$MULTIPORT" ] && \
+ if [ -n "$XMULTIPORT" ] && \
+ ! list_search $protocol "icmp" "ICMP" "1" && \
+ [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
+ $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
+ then
+ #
+ # Extended MULTIPORT is enabled, and less than
+ # 16 ports are listed (port ranges count as two ports) - use multiport match.
+ #
+ multioption="-m multiport"
+ for client in $(separate_list ${clients:=-}); do
+ for server in $(separate_list ${servers:=-}); do
+ #
+ # add_a_rule() modifies these so we must set their values each time
+ #
+ port=${ports:=-}
+ cport=${cports:=-}
+ add_a_rule
+ done
+ done
+ elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
@@ -4423,6 +4490,7 @@ process_rules()
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then
+ rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
fi
fi
@@ -4448,11 +4516,11 @@ process_rules()
continue
fi
+ rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
}
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
- rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
expandv xtarget
case "${xtarget%%:*}" in
@@ -4469,6 +4537,7 @@ process_rules()
xtarget=$(find_logactionchain $xtarget)
do_it
else
+ rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
fatal_error "Invalid Action in rule \"$rule\""
fi
;;
@@ -5039,7 +5108,15 @@ setup_masq()
if [ $listcount -gt 1 ]; then
case $ports in
*:*)
- fatal_error "Port Range not allowed in list ($ports)"
+ if [ -n "$XMULTIPORT" ]; then
+ if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then
+ ports="-m multiport --dports $ports"
+ else
+ fatal_error "More than 15 entries in port list ($ports)"
+ fi
+ else
+ fatal_error "Port Range not allowed in list ($ports)"
+ fi
;;
*)
if [ -n "$MULTIPORT" ]; then
@@ -5475,6 +5552,7 @@ save_load_kernel_modules()
done < $modules
save_command __EOF__
+ save_command ""
}
@@ -5494,6 +5572,7 @@ determine_capabilities() {
CONNTRACK_MATCH=
MULTIPORT=
+ XMULTIPORT=
POLICY_MATCH=
PHYSDEV_MATCH=
IPRANGE_MATCH=
@@ -5501,6 +5580,7 @@ determine_capabilities() {
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
+ qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
@@ -5514,25 +5594,26 @@ determine_capabilities() {
qt $IPTABLES -X fooX1234
}
-report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
+report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{
local setting=
- [ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available"
+ [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
- echo " " $@: $setting
+ echo " " $1: $setting
}
report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:"
- report_capability $NAT_ENABLED "NAT"
- report_capability $MANGLE_ENABLED "Packet Mangling"
- report_capability $MULTIPORT "Multi-port Match"
- report_capability $CONNTRACK_MATCH "Connection Tracking Match"
- report_capability $PKTTYPE "Packet Type Match"
- report_capability $POLICY_MATCH "Policy Match"
- report_capability $PHYSDEV_MATCH "Physdev Match"
- report_capability $IPRANGE_MATCH "IP range Match"
+ report_capability "NAT" $NAT_ENABLED
+ report_capability "Packet Mangling" $MANGLE_ENABLED
+ report_capability "Multi-port Match" $MULTIPORT
+ [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
+ report_capability "Connection Tracking Match" $CONNTRACK_MATCH
+ report_capability "Packet Type Match" $PKTTYPE
+ report_capability "Policy Match" $POLICY_MATCH
+ report_capability "Physdev Match" $PHYSDEV_MATCH
+ report_capability "IP range Match" $IPRANGE_MATCH
}
#
diff --git a/STABLE2/install.sh b/STABLE2/install.sh
index d5b90a5d2..3ed86d1c7 100755
--- a/STABLE2/install.sh
+++ b/STABLE2/install.sh
@@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
-VERSION=2.2.1
+VERSION=2.2.2
usage() # $1 = exit status
{
diff --git a/STABLE2/releasenotes.txt b/STABLE2/releasenotes.txt
index 8b67acff6..323ee74c3 100644
--- a/STABLE2/releasenotes.txt
+++ b/STABLE2/releasenotes.txt
@@ -1,4 +1,43 @@
-Shorewall 2.2.1
+Shorewall 2.2.2
+
+-----------------------------------------------------------------------
+Problems corrected in version 2.2.2
+
+1) The SOURCE column in the /etc/shorewall/tcrules file now allows IP
+ ranges (assuming that your iptables and kernel support ranges).
+
+2) If A is a user-defined action and you have file /etc/shorewall/A
+ then when that file is invoked, the $TAG value may be incorrect.
+
+3) Previously, if an iptables command generating a logging rule
+ failed, the Shorewall [re]start was still successful. This error
+ is now considered fatal and Shorewall will be either restored from
+ the last save (if any) or it will be stopped.
+
+-----------------------------------------------------------------------
+New Features in version 2.2.2
+
+1) The SOURCE column in the /etc/shorewall/tcrules file now allows $FW
+ to be optionally followed by ":" and a host/network address or
+ address range.
+
+2) Shorewall now clears the output device only if it is a
+ terminal. This avoids ugly control sequences being placed in files
+ when /sbin/shorewall output is redirected.
+
+3) The output from 'arp -na' has been added to the 'shorewall status'
+ display.
+
+4) The 2.6.11 Linux kernel and iptables 1.3.0 now allow port ranges
+ to appear in port lists handled by "multiport match". If Shorewall
+ detects this capability, it will use "multiport match" for port
+ lists containing port ranges. Be cautioned that each port range
+ counts for TWO ports and a port list handled with "multiport match"
+ can still specify a maximum of 15 ports.
+
+ As always, if a port list in /etc/shorewall/rules is incompatible
+ with "multiport match", a separate iptables rule will be generated
+ for each element in the list.
-----------------------------------------------------------------------
Problems corrected in version 2.2.1
diff --git a/STABLE2/shorewall b/STABLE2/shorewall
index 6da5f1245..3e75a61ea 100755
--- a/STABLE2/shorewall
+++ b/STABLE2/shorewall
@@ -220,6 +220,13 @@ get_config() {
}
+#
+# Clear descriptor 1 if it is a terminal
+#
+clear_term() {
+ [ -t 1 ] && clear
+}
+
#
# Display IPTABLES rules -- we used to store them in a variable but ash
# dies when trying to display large sets of rules
@@ -238,7 +245,7 @@ display_chains()
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
- clear
+ clear_term
echo "$banner $(date)"
echo
echo "Standard Chains"
@@ -250,7 +257,7 @@ display_chains()
timed_read
- clear
+ clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@@ -268,7 +275,7 @@ display_chains()
for zone in $zones; do
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
- clear
+ clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@@ -287,7 +294,7 @@ display_chains()
fi
done
- clear
+ clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@@ -308,7 +315,7 @@ display_chains()
timed_read
- clear
+ clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@@ -443,7 +450,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
while true; do
display_chains
- clear
+ clear_term
echo "$banner $(date)"
echo
@@ -474,7 +481,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
timed_read
fi
- clear
+ clear_term
echo "$banner $(date)"
echo
echo "NAT Status"
@@ -482,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
$IPTABLES -t nat -L $IPT_OPTIONS
timed_read
- clear
+ clear_term
echo "$banner $(date)"
echo
echo
@@ -491,7 +498,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
$IPTABLES -t mangle -L $IPT_OPTIONS
timed_read
- clear
+ clear_term
echo "$banner $(date)"
echo
echo
@@ -500,7 +507,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
cat /proc/net/ip_conntrack
timed_read
- clear
+ clear_term
echo "$banner $(date)"
echo
echo
@@ -509,7 +516,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
show_tc
timed_read
- clear
+ clear_term
echo "$banner $(date)"
echo
echo
@@ -541,7 +548,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
qt which awk && haveawk=Yes || haveawk=
while true; do
- clear
+ clear_term
echo "$banner $(date)"
echo
@@ -960,7 +967,7 @@ case "$1" in
status)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
- clear
+ clear_term
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo
show_reset
@@ -1019,6 +1026,11 @@ case "$1" in
ip route ls table $table
done
+ echo
+ echo "ARP"
+ echo
+ arp -na
+
if qt which lsmod; then
echo
echo "Modules"
@@ -1029,7 +1041,7 @@ case "$1" in
hits)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
- clear
+ clear_term
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
echo
diff --git a/STABLE2/shorewall.spec b/STABLE2/shorewall.spec
index d9f79698a..eaa8817ec 100644
--- a/STABLE2/shorewall.spec
+++ b/STABLE2/shorewall.spec
@@ -1,5 +1,5 @@
%define name shorewall
-%define version 2.2.1
+%define version 2.2.2
%define release 1
%define prefix /usr
@@ -137,6 +137,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
%changelog
+* Mon Mar 07 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.2.2-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.1-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
diff --git a/STABLE2/tcrules b/STABLE2/tcrules
index 94d686e96..41c132641 100644
--- a/STABLE2/tcrules
+++ b/STABLE2/tcrules
@@ -80,7 +80,8 @@
# allowed. Use $FW if the packet originates on
# the firewall in which case the MARK column may NOT
# specify either ":P" or ":F" (marking always occurs
-# in the OUTPUT chain).
+# in the OUTPUT chain). $FW may be optionally followed
+# by ":" and a host/network address.
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
diff --git a/STABLE2/uninstall.sh b/STABLE2/uninstall.sh
index 94ed22041..71fde0ee4 100755
--- a/STABLE2/uninstall.sh
+++ b/STABLE2/uninstall.sh
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
-VERSION=2.2.1
+VERSION=2.2.2
usage() # $1 = exit status
{
diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml
index 8821a9b05..31cd929bb 100644
--- a/Shorewall-docs2/FAQ.xml
+++ b/Shorewall-docs2/FAQ.xml
@@ -17,7 +17,7 @@
- 2005-03-01
+ 2005-03-07
2001-2004
@@ -294,9 +294,14 @@ DNAT net loc:192.168.1.3:22 tcp 1022
If you insist on an IP solution to the accessibility problem
- rather than a DNS solution, then assuming that your external interface
- is eth0 and your internal interface is eth1 and that eth1 has IP address
- 192.168.1.254 with subnet 192.168.1.0/24:
+ rather than a DNS solution, then if you are running Shorewall 2.0.0 or
+ 2.0.1 then please see the Shorewall 1.4
+ FAQ.
+
+ Otherwise, assuming that your external interface is eth0 and your
+ internal interface is eth1 and that eth1 has IP address 192.168.1.254
+ with subnet 192.168.1.0/24, then:
All traffic redirected through use of this hack will look to
the server as if it came from the firewall (192.168.1.254) rather
than from the original client!
@@ -1690,8 +1695,8 @@ alias ipt_pkttype off
how can you not support that version?
The first release of Shorewall was in March of 2001. Shorewall
- 1.2.12 was released in May of 2002. It is now the year 2004 and
- Shorewall 2.0 is available. Shorewall 1.2.12 is poorly documented and is
+ 1.2.12 was released in May of 2002. It is now the year 2005 and
+ Shorewall 2.2 is available. Shorewall 1.2.12 is poorly documented and is
missing many of the features that Shorewall users find essential today
and it is silly to continue to run it simply because it is bundled with
an ancient Debian release.
@@ -2045,473 +2050,4 @@ Verifying Configuration...
...
-
-
- Revision History
-
-
-
- 1.43
-
- 2005-03-01
-
- TE
-
- Added FAQ 14b.
-
-
-
- 1.42
-
- 2004-12-31
-
- TE
-
- Added FAQ 44.
-
-
-
- 1.41
-
- 2004-12-26
-
- TE
-
- Added FAQ 43.
-
-
-
- 1.40
-
- 2004-12-22
-
- TE
-
- Correct action directory name if FAQ 4.
-
-
-
- 1.39
-
- 2004-12-12
-
- TE
-
- Updated Debian information. Revised the answer to FAQ
- 2a.
-
-
-
- 1.38
-
- 2004-11-18
-
- TE
-
- Added FAQ 42.
-
-
-
- 1.37
-
- 2004-11-05
-
- TE
-
- Added second title to FAQ 17.
-
-
-
- 1.36
-
- 2004-11-04
-
- TE
-
- Add note about Gnome Terminal.
-
-
-
- 1.35
-
- 2004-10-30
-
- TE
-
- Add FAQ 41.
-
-
-
- 1.34
-
- 2004-10-12
-
- TE
-
- Add FAQ 40.
-
-
-
- 1.33
-
- 2004-10-01
-
- TE
-
- Add FAQ 39.
-
-
-
- 1.32
-
- 2004-09-23
-
- TE
-
- Add link to simple bridge documentation from FAQ
- 35.
-
-
-
- 1.31
-
- 2004-09-12
-
- TE
-
- Rename FAQ 17.
-
-
-
- 1.30
-
- 2004-08-26
-
- TE
-
- Update FAQ 2 with information about Shorewall
- 2.1.
-
-
-
- 1.29
-
- 2004-08-19
-
- TE
-
- Reword FAQ 27a to include downloaded kernels.
-
-
-
- 1.28
-
- 2004-07-14
-
- TE
-
- Insert link to Ian Allen's DNAT paper (FAQ
- 38)
-
-
-
- 1.27
-
- 2004-06-18
-
- TE
-
- Correct formatting in H323 quote.
-
-
-
- 1.26
-
- 2004-05-18
-
- TE
-
- Delete obsolete ping information.
-
-
-
- 1.25
-
- 2004-05-18
-
- TE
-
- Empty /etc/shorewall on Debian.
-
-
-
- 1.25
-
- 2004-05-08
-
- TE
-
- Update for Shorewall 2.0.2
-
-
-
- 1.24
-
- 2004-04-25
-
- TE
-
- Add MA Brown's notes on multi-ISP routing.
-
-
-
- 1.23
-
- 2004-04-22
-
- TE
-
- Refined SNAT rule in FAQ #2.
-
-
-
- 1.22
-
- 2004-04-06
-
- TE
-
- Added FAQ 36.
-
-
-
- 1.21
-
- 2004-03-05
-
- TE
-
- Added Bridging link.
-
-
-
- 1.20
-
- 2004-02-27
-
- TE
-
- Added FAQ 35.
-
-
-
- 1.19
-
- 2004-02-22
-
- TE
-
- Added mention of nosmurfs option under FAQ
- 31.
-
-
-
- 1.18
-
- 2004-02-15
-
- TE
-
- Added FAQ 34.
-
-
-
- 1.17
-
- 2004-02-11
-
- TE
-
- Added FAQ 33.
-
-
-
- 1.16
-
- 2004-02-03
-
- TE
-
- Updated for Shorewall 2.0.
-
-
-
- 1.15
-
- 2004-01-25
-
- TE
-
- Updated FAQ 32 to mention masquerading. Remove
- tables.
-
-
-
- 1.14
-
- 2004-01-24
-
- TE
-
- Added FAQ 27a regarding kernel/iptables
- incompatibility.
-
-
-
- 1.13
-
- 2004-01-24
-
- TE
-
- Add a note about the detectnets interface option in FAQ
- 9.
-
-
-
- 1.12
-
- 2004-01-20
-
- TE
-
- Improve FAQ 16 answer.
-
-
-
- 1.11
-
- 2004-01-14
-
- TE
-
- Corrected broken link
-
-
-
- 1.10
-
- 2004-01-09
-
- TE
-
- Added a couple of more legacy FAQ numbers.
-
-
-
- 1.9
-
- 2004-01-08
-
- TE
-
- Corrected typo in FAQ 26a. Added warning to FAQ 2
- regarding source address of redirected requests.
-
-
-
- 1.8
-
- 2003-12-31
-
- TE
-
- Additions to FAQ 4.
-
-
-
- 1.7
-
- 2003-12-30
-
- TE
-
- Remove dead link from FAQ 1.
-
-
-
- 1.6
-
- 2003.12-18
-
- TE
-
- Add external link reference to FAQ 17.
-
-
-
- 1.5
-
- 2003-12-16
-
- TE
-
- Added a link to a Sys Admin article about multiple
- internet interfaces. Added Legal Notice. Moved "abstract" to the
- body of the document. Moved Revision History to this
- Appendix.
-
-
-
- 1.4
-
- 2003-12-13
-
- TE
-
- Corrected formatting problems
-
-
-
- 1.3
-
- 2003-12-10
-
- TE
-
- Changed the title of FAQ 17
-
-
-
- 1.2
-
- 2003-12-09
-
- TE
-
- Added Copyright and legacy FAQ numbers
-
-
-
- 1.1
-
- 2003-12-04
-
- MN
-
- Converted to Simplified DocBook XML
-
-
-
- 1.0
-
- 2002-08-13
-
- TE
-
- Initial revision
-
-
-
\ No newline at end of file
diff --git a/Shorewall2/fallback.sh b/Shorewall2/fallback.sh
index f69252b6b..53936aa6c 100755
--- a/Shorewall2/fallback.sh
+++ b/Shorewall2/fallback.sh
@@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
-VERSION=2.2.1
+VERSION=2.2.2
usage() # $1 = exit status
{
diff --git a/Shorewall2/install.sh b/Shorewall2/install.sh
index d5b90a5d2..3ed86d1c7 100755
--- a/Shorewall2/install.sh
+++ b/Shorewall2/install.sh
@@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
-VERSION=2.2.1
+VERSION=2.2.2
usage() # $1 = exit status
{
diff --git a/Shorewall2/shorewall.spec b/Shorewall2/shorewall.spec
index d9f79698a..eaa8817ec 100644
--- a/Shorewall2/shorewall.spec
+++ b/Shorewall2/shorewall.spec
@@ -1,5 +1,5 @@
%define name shorewall
-%define version 2.2.1
+%define version 2.2.2
%define release 1
%define prefix /usr
@@ -137,6 +137,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
%changelog
+* Mon Mar 07 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.2.2-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.1-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
diff --git a/Shorewall2/uninstall.sh b/Shorewall2/uninstall.sh
index 94ed22041..71fde0ee4 100755
--- a/Shorewall2/uninstall.sh
+++ b/Shorewall2/uninstall.sh
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
-VERSION=2.2.1
+VERSION=2.2.2
usage() # $1 = exit status
{