From bea55d93d1a164dcd8a1d50bfb3bcd87bd307436 Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 7 Mar 2005 22:32:05 +0000 Subject: [PATCH] Shorewall 2.2.2 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1986 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Lrp2/etc/shorewall/tcrules | 3 +- Lrp2/sbin/shorewall | 42 ++- Lrp2/usr/share/shorewall/firewall | 135 +++++++-- Lrp2/usr/share/shorewall/version | 2 +- STABLE2/changelog.txt | 21 +- STABLE2/fallback.sh | 2 +- STABLE2/firewall | 135 +++++++-- STABLE2/install.sh | 2 +- STABLE2/releasenotes.txt | 41 ++- STABLE2/shorewall | 40 ++- STABLE2/shorewall.spec | 4 +- STABLE2/tcrules | 3 +- STABLE2/uninstall.sh | 2 +- Shorewall-docs2/FAQ.xml | 486 +----------------------------- Shorewall2/fallback.sh | 2 +- Shorewall2/install.sh | 2 +- Shorewall2/shorewall.spec | 4 +- Shorewall2/uninstall.sh | 2 +- 18 files changed, 356 insertions(+), 572 deletions(-) diff --git a/Lrp2/etc/shorewall/tcrules b/Lrp2/etc/shorewall/tcrules index 94d686e96..41c132641 100644 --- a/Lrp2/etc/shorewall/tcrules +++ b/Lrp2/etc/shorewall/tcrules @@ -80,7 +80,8 @@ # allowed. Use $FW if the packet originates on # the firewall in which case the MARK column may NOT # specify either ":P" or ":F" (marking always occurs -# in the OUTPUT chain). +# in the OUTPUT chain). $FW may be optionally followed +# by ":" and a host/network address. # # MAC addresses must be prefixed with "~" and use # "-" as a separator. diff --git a/Lrp2/sbin/shorewall b/Lrp2/sbin/shorewall index fd1d8ac0c..3e75a61ea 100755 --- a/Lrp2/sbin/shorewall +++ b/Lrp2/sbin/shorewall @@ -4,7 +4,7 @@ # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # -# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net) +# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) # # This file should be placed in /sbin/shorewall. # 
@@ -220,6 +220,13 @@ get_config() { } +# +# Clear descriptor 1 if it is a terminal +# +clear_term() { + [ -t 1 ] && clear +} + # # Display IPTABLES rules -- we used to store them in a variable but ash # dies when trying to display large sets of rules @@ -238,7 +245,7 @@ display_chains() $IPTABLES -L $IPT_OPTIONS >> $TMPFILE - clear + clear_term echo "$banner $(date)" echo echo "Standard Chains" @@ -250,7 +257,7 @@ display_chains() timed_read - clear + clear_term echo "$banner $(date)" echo firstchain=Yes @@ -268,7 +275,7 @@ display_chains() for zone in $zones; do if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then - clear + clear_term echo "$banner $(date)" echo firstchain=Yes @@ -287,7 +294,7 @@ display_chains() fi done - clear + clear_term echo "$banner $(date)" echo firstchain=Yes @@ -308,7 +315,7 @@ display_chains() timed_read - clear + clear_term echo "$banner $(date)" echo firstchain=Yes @@ -443,7 +450,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that while true; do display_chains - clear + clear_term echo "$banner $(date)" echo @@ -474,7 +481,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that timed_read fi - clear + clear_term echo "$banner $(date)" echo echo "NAT Status" @@ -482,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that $IPTABLES -t nat -L $IPT_OPTIONS timed_read - clear + clear_term echo "$banner $(date)" echo echo @@ -491,7 +498,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that $IPTABLES -t mangle -L $IPT_OPTIONS timed_read - clear + clear_term echo "$banner $(date)" echo echo @@ -500,7 +507,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that cat /proc/net/ip_conntrack timed_read - clear + clear_term echo "$banner $(date)" echo echo @@ -509,7 +516,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that show_tc timed_read - clear + clear_term echo "$banner $(date)" echo echo 
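Review bot: `clear_term` returns status 1 whenever descriptor 1 is not a terminal, because `[ -t 1 ] && clear` is its last command and the failed test becomes the function's exit status. Nothing in the hunk checks that status, but a `clear_term && …` caller or a later `set -e` would abort precisely in the redirected-output case the change is meant to support. Writing it as `clear_term() { if [ -t 1 ]; then clear; fi; }` keeps the status neutral. The same function is added to STABLE2/shorewall in the hunk further down, so the change applies there as well.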
@@ -541,7 +548,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that qt which awk && haveawk=Yes || haveawk= while true; do - clear + clear_term echo "$banner $(date)" echo @@ -960,7 +967,7 @@ case "$1" in status) [ -n "$debugging" ] && set -x [ $# -eq 1 ] || usage 1 - clear + clear_term echo "Shorewall-$version Status at $HOSTNAME - $(date)" echo show_reset @@ -1019,6 +1026,11 @@ case "$1" in ip route ls table $table done + echo + echo "ARP" + echo + arp -na + if qt which lsmod; then echo echo "Modules" @@ -1029,7 +1041,7 @@ case "$1" in hits) [ -n "$debugging" ] && set -x [ $# -eq 1 ] || usage 1 - clear + clear_term echo "Shorewall-$version Hits at $HOSTNAME - $(date)" echo diff --git a/Lrp2/usr/share/shorewall/firewall b/Lrp2/usr/share/shorewall/firewall index 4744bac36..76c3b069f 100755 --- a/Lrp2/usr/share/shorewall/firewall +++ b/Lrp2/usr/share/shorewall/firewall @@ -30,7 +30,7 @@ # shorewall restart Restarts the firewall # shorewall stop Stops the firewall # shorewall status Displays firewall status -# shorewall reset Resets iptabless packet and +# shorewall reset Resets iptables packet and # byte counts # shorewall clear Remove all Shorewall chains # and rules/policies. @@ -1303,10 +1303,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi case $level in ULOG) - $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" + run_iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" ;; *) - $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" + run_iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" ;; esac 
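Review bot: The new `arp -na` call in the `status` arm is unguarded, while the `lsmod` block immediately after it is wrapped in `if qt which lsmod; then`; on a host without the net-tools `arp` binary the status report would contain a shell "command not found" message in place of the table. Guarding it the same way, `if qt which arp; then echo; echo "ARP"; echo; arp -na; fi`, keeps the section consistent with its neighbours. The identical hunk in STABLE2/shorewall below needs the same guard. The enclosing `case "$1"` starts and ends outside the hunk.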
@@ -2333,16 +2333,19 @@ process_tc_rule() if [ "x$source" != "x-" ]; then case $source in *.*.*) - r="-s $source " + r="$(source_ip_range $source) " ;; ~*) r="$(mac_match $source) " ;; + $FW:*) + chain=tcout + r="$(source_ip_range ${source%:*}) " + ;; $FW) chain=tcout ;; - *) - + *) verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" r="$(match_source_dev) $source " ;; @@ -2763,13 +2766,14 @@ check_config() { disclaimer() { echo - echo "Notice: The 'check' command is unsupported and problem" - echo " reports complaining about errors that it didn't catch" - echo " will not be accepted" + echo "Notice: The 'check' command is provided to catch" + echo " obvious errors in a Shorewall configuration." + echo " It is not designed to catch all possible errors" + echo " so please don't submit problem reports about" + echo " error conditions that 'check' doesn't find" echo } - disclaimer report_capabilities @@ -3148,7 +3152,27 @@ process_action() # $1 = chain (Chain to add the rules to) [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all} - if [ -n "$MULTIPORT" ] && \ + if [ -n "$XMULTIPORT" ] && \ + ! list_search $protocol "icmp" "ICMP" "1" && \ + [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ + $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] + then + # + # Extended MULTIPORT is enabled, and less than + # 16 ports are listed (port ranges count as two ports) - use multiport match. + # + multioption="-m multiport" + for client in $(separate_list ${clients:=-}); do + for server in $(separate_list ${servers:=-}); do + # + # add_an_action() modifies these so we must set their values each time + # + port=${ports:=-} + cport=${cports:=-} + add_an_action + done + done + elif [ -n "$MULTIPORT" ] && \ ! list_search $protocol "icmp" "ICMP" "1" && \ [ "$ports" = "${ports%:*}" -a \ "$cports" = "${cports%:*}" -a \ 
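Review bot: The new `$FW:*` arm in `process_tc_rule` is unreachable for a dotted address, because `case` takes the first matching arm and `*.*.*` is listed first: a SOURCE of `$FW:192.168.1.0/24` matches `*.*.*`, gets `r="$(source_ip_range $source) "` with the zone prefix still attached, and `chain=tcout` is never set. When the arm is reached, `${source%:*}` strips everything after the colon and hands the `$FW` token itself to `source_ip_range`; the address part is `${source#*:}`. Moving the arm ahead of `*.*.*` and using the prefix-stripping expansion fixes both; the identical hunk in STABLE2/firewall below needs the same change. What `source_ip_range` does with a non-address argument is outside the hunk, and so is the rest of the function.
```shell
        case $source in
            $FW:*)
                chain=tcout
                r="$(source_ip_range ${source#*:}) "
                ;;
            *.*.*)
                r="$(source_ip_range $source) "
                ;;
            # … unchanged: ~* , $FW and interface arms …
```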
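Review bot: The extended-multiport guard added to `process_action` is repeated verbatim in both `process_rule` arms (hunks `@@ -4318` and `@@ -4356` below) and again in STABLE2/firewall, six copies of the same four-line arithmetic test; a helper such as `xmultiport_ok() # $1 = ports, $2 = cports` that returns the combined test would make the bound a single edit. The bound itself looks inconsistent: the comment says "less than 16 ports" and the setup_masq hunk reports "More than 15 entries", yet the test is `-le 16`, which admits a total of 16, and `-m multiport` accepts at most 15 port slots with a range counting as two. If `list_count` returns the element count and `list_count1 $(split …)` the number of ranges, as the comment implies (neither helper is in the hunk), `-le 15` is the intended bound. The enclosing function starts and ends outside the hunk.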
@@ -3242,7 +3266,11 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ] if [ $COMMAND != check ]; then createchain $CHAIN No LEVEL=${level%:*} - TAG=${level#*:} + if [ "$LEVEL" != "$level" ]; then + TAG=${level#*:} + else + TAG= + fi run_user_exit $1 fi @@ -4318,7 +4346,26 @@ process_rule() # $1 = target case $logtarget in DNAT*) - if [ -n "$MULTIPORT" ] && \ + if [ -n "$XMULTIPORT" ] && \ + ! list_search $protocol "icmp" "ICMP" "1" && \ + [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ + $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] + then + # + # Extended MULTIPORT is enabled, and less than + # 16 ports are listed (port ranges count as two ports) - use multiport match. + # + multioption="-m multiport" + for client in $(separate_list ${clients:=-}); do + # + # add_a_rule() modifies these so we must set their values each time + # + server=${servers:=-} + port=${ports:=-} + cport=${cports:=-} + add_a_rule + done + elif [ -n "$MULTIPORT" ] && \ ! list_search $protocol "icmp" "ICMP" "1" && \ [ "$ports" = "${ports%:*}" -a \ "$cports" = "${cports%:*}" -a \ 
@@ -4356,7 +4403,27 @@ process_rule() # $1 = target ;; *) - if [ -n "$MULTIPORT" ] && \ + if [ -n "$XMULTIPORT" ] && \ + ! list_search $protocol "icmp" "ICMP" "1" && \ + [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ + $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] + then + # + # Extended MULTIPORT is enabled, and less than + # 16 ports are listed (port ranges count as two ports) - use multiport match. + # + multioption="-m multiport" + for client in $(separate_list ${clients:=-}); do + for server in $(separate_list ${servers:=-}); do + # + # add_a_rule() modifies these so we must set their values each time + # + port=${ports:=-} + cport=${cports:=-} + add_a_rule + done + done + elif [ -n "$MULTIPORT" ] && \ ! list_search $protocol "icmp" "ICMP" "1" && \ [ "$ports" = "${ports%:*}" -a \ "$cports" = "${cports%:*}" -a \ @@ -4423,6 +4490,7 @@ process_rules() if [ "${ysourcezone}" != "${ydestzone}" ] ; then eval ypolicy=\$${ysourcezone}2${ydestzone}_policy if [ "$ypolicy" != NONE ] ; then + rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec fi fi @@ -4448,11 +4516,11 @@ process_rules() continue fi + rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec } while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" expandv xtarget case "${xtarget%%:*}" in 
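Review bot: With the `rule=` assignment removed from the head of the `while read` loop, `$rule` is now refreshed only inside `do_it` and in the invalid-action branch, so any `fatal_error` raised between `expandv xtarget` and `do_it` that interpolates `"$rule"` (the arms of `case "${xtarget%%:*}"` are outside the hunk) would report the previous rule, or an empty string for the first one. If the intent is to show the zone-expanded form, keeping the original assignment at the loop head and overriding it in `do_it` covers both cases. The same three hunks appear in STABLE2/firewall below. `process_rules` starts and ends outside the hunk.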
@@ -4469,6 +4537,7 @@ process_rules() xtarget=$(find_logactionchain $xtarget) do_it else + rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" fatal_error "Invalid Action in rule \"$rule\"" fi ;; @@ -5039,7 +5108,15 @@ setup_masq() if [ $listcount -gt 1 ]; then case $ports in *:*) - fatal_error "Port Range not allowed in list ($ports)" + if [ -n "$XMULTIPORT" ]; then + if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then + ports="-m multiport --dports $ports" + else + fatal_error "More than 15 entries in port list ($ports)" + fi + else + fatal_error "Port Range not allowed in list ($ports)" + fi ;; *) if [ -n "$MULTIPORT" ]; then @@ -5475,6 +5552,7 @@ save_load_kernel_modules() done < $modules save_command __EOF__ + save_command "" } @@ -5494,6 +5572,7 @@ determine_capabilities() { CONNTRACK_MATCH= MULTIPORT= + XMULTIPORT= POLICY_MATCH= PHYSDEV_MATCH= IPRANGE_MATCH= @@ -5501,6 +5580,7 @@ determine_capabilities() { qt $IPTABLES -N fooX1234 qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes + qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes 
@@ -5514,25 +5594,26 @@ determine_capabilities() { qt $IPTABLES -X fooX1234 } -report_capability() # $1 = Capability Name, $2 Capability Setting (if any) +report_capability() # $1 = Capability Description , $2 Capability Setting (if any) { local setting= - [ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available" + [ "x$2" = "xYes" ] && setting="Available" || setting="Not available" - echo " " $@: $setting + echo " " $1: $setting } report_capabilities() { echo "Shorewall has detected the following iptables/netfilter capabilities:" - report_capability $NAT_ENABLED "NAT" - report_capability $MANGLE_ENABLED "Packet Mangling" - report_capability $MULTIPORT "Multi-port Match" - report_capability $CONNTRACK_MATCH "Connection Tracking Match" - report_capability $PKTTYPE "Packet Type Match" - report_capability $POLICY_MATCH "Policy Match" - report_capability $PHYSDEV_MATCH "Physdev Match" - report_capability $IPRANGE_MATCH "IP range Match" + report_capability "NAT" $NAT_ENABLED + report_capability "Packet Mangling" $MANGLE_ENABLED + report_capability "Multi-port Match" $MULTIPORT + [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT + report_capability "Connection Tracking Match" $CONNTRACK_MATCH + report_capability "Packet Type Match" $PKTTYPE + report_capability "Policy Match" $POLICY_MATCH + report_capability "Physdev Match" $PHYSDEV_MATCH + report_capability "IP range Match" $IPRANGE_MATCH } # diff --git a/Lrp2/usr/share/shorewall/version b/Lrp2/usr/share/shorewall/version index c043eea77..b1b25a5ff 100644 --- a/Lrp2/usr/share/shorewall/version +++ b/Lrp2/usr/share/shorewall/version @@ -1 +1 @@ -2.2.1 +2.2.2 diff --git a/STABLE2/changelog.txt b/STABLE2/changelog.txt index 6e8e52db2..a901c96f2 100644 --- a/STABLE2/changelog.txt +++ b/STABLE2/changelog.txt 
@@ -1,11 +1,28 @@ +Changes in 2.2.2 + +1) The 'check' command disclaimer is toned down further and only + appears once in the 'check' output. + +2) Enhanced support in the SOURCE column of /etc/shorewall/tcrules. + +3) All calls to 'clear' are now conditional on the output device being + a terminal. + +4) Apply Juergen Kreileder's patch for logging. + +5) Add the output of 'arp -na' to the 'shorewall status' display. + +6) Provide support for the Extended multiport match available in + 2.6.11. + +7) Fix logging rule generation. + Changes in 2.2.1 1) Add examples to the zones and policy files. 2) Simon Matter's patch for umask. -3) Apply Juergen Kreileder's patch for logging. - Changes since 2.0.3 1) Fix security vulnerability involving temporary files/directories. diff --git a/STABLE2/fallback.sh b/STABLE2/fallback.sh index f69252b6b..53936aa6c 100755 --- a/STABLE2/fallback.sh +++ b/STABLE2/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=2.2.1 +VERSION=2.2.2 usage() # $1 = exit status { diff --git a/STABLE2/firewall b/STABLE2/firewall index 4744bac36..76c3b069f 100755 --- a/STABLE2/firewall +++ b/STABLE2/firewall @@ -30,7 +30,7 @@ # shorewall restart Restarts the firewall # shorewall stop Stops the firewall # shorewall status Displays firewall status -# shorewall reset Resets iptabless packet and +# shorewall reset Resets iptables packet and # byte counts # shorewall clear Remove all Shorewall chains # and rules/policies. 
@@ -1303,10 +1303,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi case $level in ULOG) - $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" + run_iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" ;; *) - $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" + run_iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" ;; esac @@ -2333,16 +2333,19 @@ process_tc_rule() if [ "x$source" != "x-" ]; then case $source in *.*.*) - r="-s $source " + r="$(source_ip_range $source) " ;; ~*) r="$(mac_match $source) " ;; + $FW:*) + chain=tcout + r="$(source_ip_range ${source%:*}) " + ;; $FW) chain=tcout ;; - *) - + *) verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" r="$(match_source_dev) $source " ;; @@ -2763,13 +2766,14 @@ check_config() { disclaimer() { echo - echo "Notice: The 'check' command is unsupported and problem" - echo " reports complaining about errors that it didn't catch" - echo " will not be accepted" + echo "Notice: The 'check' command is provided to catch" + echo " obvious errors in a Shorewall configuration." + echo " It is not designed to catch all possible errors" + echo " so please don't submit problem reports about" + echo " error conditions that 'check' doesn't find" echo } - disclaimer report_capabilities 
@@ -3148,7 +3152,27 @@ process_action() # $1 = chain (Chain to add the rules to) [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all} - if [ -n "$MULTIPORT" ] && \ + if [ -n "$XMULTIPORT" ] && \ + ! list_search $protocol "icmp" "ICMP" "1" && \ + [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ + $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] + then + # + # Extended MULTIPORT is enabled, and less than + # 16 ports are listed (port ranges count as two ports) - use multiport match. + # + multioption="-m multiport" + for client in $(separate_list ${clients:=-}); do + for server in $(separate_list ${servers:=-}); do + # + # add_an_action() modifies these so we must set their values each time + # + port=${ports:=-} + cport=${cports:=-} + add_an_action + done + done + elif [ -n "$MULTIPORT" ] && \ ! list_search $protocol "icmp" "ICMP" "1" && \ [ "$ports" = "${ports%:*}" -a \ "$cports" = "${cports%:*}" -a \ @@ -3242,7 +3266,11 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ] if [ $COMMAND != check ]; then createchain $CHAIN No LEVEL=${level%:*} - TAG=${level#*:} + if [ "$LEVEL" != "$level" ]; then + TAG=${level#*:} + else + TAG= + fi run_user_exit $1 fi 
@@ -4318,7 +4346,26 @@ process_rule() # $1 = target case $logtarget in DNAT*) - if [ -n "$MULTIPORT" ] && \ + if [ -n "$XMULTIPORT" ] && \ + ! list_search $protocol "icmp" "ICMP" "1" && \ + [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ + $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] + then + # + # Extended MULTIPORT is enabled, and less than + # 16 ports are listed (port ranges count as two ports) - use multiport match. + # + multioption="-m multiport" + for client in $(separate_list ${clients:=-}); do + # + # add_a_rule() modifies these so we must set their values each time + # + server=${servers:=-} + port=${ports:=-} + cport=${cports:=-} + add_a_rule + done + elif [ -n "$MULTIPORT" ] && \ ! list_search $protocol "icmp" "ICMP" "1" && \ [ "$ports" = "${ports%:*}" -a \ "$cports" = "${cports%:*}" -a \ @@ -4356,7 +4403,27 @@ process_rule() # $1 = target ;; *) - if [ -n "$MULTIPORT" ] && \ + if [ -n "$XMULTIPORT" ] && \ + ! list_search $protocol "icmp" "ICMP" "1" && \ + [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ + $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] + then + # + # Extended MULTIPORT is enabled, and less than + # 16 ports are listed (port ranges count as two ports) - use multiport match. + # + multioption="-m multiport" + for client in $(separate_list ${clients:=-}); do + for server in $(separate_list ${servers:=-}); do + # + # add_a_rule() modifies these so we must set their values each time + # + port=${ports:=-} + cport=${cports:=-} + add_a_rule + done + done + elif [ -n "$MULTIPORT" ] && \ ! list_search $protocol "icmp" "ICMP" "1" && \ [ "$ports" = "${ports%:*}" -a \ "$cports" = "${cports%:*}" -a \ 
@@ -4423,6 +4490,7 @@ process_rules() if [ "${ysourcezone}" != "${ydestzone}" ] ; then eval ypolicy=\$${ysourcezone}2${ydestzone}_policy if [ "$ypolicy" != NONE ] ; then + rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec fi fi @@ -4448,11 +4516,11 @@ process_rules() continue fi + rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec } while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" expandv xtarget case "${xtarget%%:*}" in @@ -4469,6 +4537,7 @@ process_rules() xtarget=$(find_logactionchain $xtarget) do_it else + rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" fatal_error "Invalid Action in rule \"$rule\"" fi ;; @@ -5039,7 +5108,15 @@ setup_masq() if [ $listcount -gt 1 ]; then case $ports in *:*) - fatal_error "Port Range not allowed in list ($ports)" + if [ -n "$XMULTIPORT" ]; then + if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then + ports="-m multiport --dports $ports" + else + fatal_error "More than 15 entries in port list ($ports)" + fi + else + fatal_error "Port Range not allowed in list ($ports)" + fi ;; *) if [ -n "$MULTIPORT" ]; then @@ -5475,6 +5552,7 @@ save_load_kernel_modules() done < $modules save_command __EOF__ + save_command "" } @@ -5494,6 +5572,7 @@ determine_capabilities() { CONNTRACK_MATCH= MULTIPORT= + XMULTIPORT= POLICY_MATCH= PHYSDEV_MATCH= IPRANGE_MATCH= 
@@ -5501,6 +5580,7 @@ determine_capabilities() {
 qt $IPTABLES -N fooX1234
 qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
 qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
+ qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
 qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
 qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
 qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
@@ -5514,25 +5594,26 @@ determine_capabilities() { qt $IPTABLES -X fooX1234 } -report_capability() # $1 = Capability Name, $2 Capability Setting (if any) +report_capability() # $1 = Capability Description , $2 Capability Setting (if any) { local setting= - [ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available" + [ "x$2" = "xYes" ] && setting="Available" || setting="Not available" - echo " " $@: $setting + echo " " $1: $setting } report_capabilities() { echo "Shorewall has detected the following iptables/netfilter capabilities:" - report_capability $NAT_ENABLED "NAT" - report_capability $MANGLE_ENABLED "Packet Mangling" - report_capability $MULTIPORT "Multi-port Match" - report_capability $CONNTRACK_MATCH "Connection Tracking Match" - report_capability $PKTTYPE "Packet Type Match" - report_capability $POLICY_MATCH "Policy Match" - report_capability $PHYSDEV_MATCH "Physdev Match" - report_capability $IPRANGE_MATCH "IP range Match" + report_capability "NAT" $NAT_ENABLED + report_capability "Packet Mangling" $MANGLE_ENABLED + report_capability "Multi-port Match" $MULTIPORT + [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT + report_capability "Connection Tracking Match" $CONNTRACK_MATCH + report_capability "Packet Type Match" $PKTTYPE + report_capability "Policy Match" $POLICY_MATCH + report_capability "Physdev Match" $PHYSDEV_MATCH + report_capability "IP range Match" $IPRANGE_MATCH } # diff --git a/STABLE2/install.sh b/STABLE2/install.sh index d5b90a5d2..3ed86d1c7 100755 --- a/STABLE2/install.sh +++ b/STABLE2/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=2.2.1 +VERSION=2.2.2 usage() # $1 = exit status { diff --git a/STABLE2/releasenotes.txt b/STABLE2/releasenotes.txt index 8b67acff6..323ee74c3 100644 --- a/STABLE2/releasenotes.txt +++ b/STABLE2/releasenotes.txt 
@@ -1,4 +1,43 @@ -Shorewall 2.2.1 +Shorewall 2.2.2 + +----------------------------------------------------------------------- +Problems corrected in version 2.2.2 + +1) The SOURCE column in the /etc/shorewall/tcrules file now allows IP + ranges (assuming that your iptables and kernel support ranges). + +2) If A is a user-defined action and you have file /etc/shorewall/A + then when that file is invoked, the $TAG value may be incorrect. + +3) Previously, if an iptables command generating a logging rule + failed, the Shorewall [re]start was still successful. This error + is now considered fatal and Shorewall will be either restored from + the last save (if any) or it will be stopped. + +----------------------------------------------------------------------- +New Features in version 2.2.2 + +1) The SOURCE column in the /etc/shorewall/tcrules file now allows $FW + to be optionally followed by ":" and a host/network address or + address range. + +2) Shorewall now clears the output device only if it is a + terminal. This avoids ugly control sequences being placed in files + when /sbin/shorewall output is redirected. + +3) The output from 'arp -na' has been added to the 'shorewall status' + display. + +4) The 2.6.11 Linux kernel and iptables 1.3.0 now allow port ranges + to appear in port lists handled by "multiport match". If Shorewall + detects this capability, it will use "multiport match" for port + lists containing port ranges. Be cautioned that each port range + counts for TWO ports and a port list handled with "multiport match" + can still specify a maximum of 15 ports. + + As always, if a port list in /etc/shorewall/rules is incompatible + with "multiport match", a separate iptables rule will be generated + for each element in the list. ----------------------------------------------------------------------- Problems corrected in version 2.2.1 diff --git a/STABLE2/shorewall b/STABLE2/shorewall index 6da5f1245..3e75a61ea 100755 --- a/STABLE2/shorewall 
+++ b/STABLE2/shorewall @@ -220,6 +220,13 @@ get_config() { } +# +# Clear descriptor 1 if it is a terminal +# +clear_term() { + [ -t 1 ] && clear +} + # # Display IPTABLES rules -- we used to store them in a variable but ash # dies when trying to display large sets of rules @@ -238,7 +245,7 @@ display_chains() $IPTABLES -L $IPT_OPTIONS >> $TMPFILE - clear + clear_term echo "$banner $(date)" echo echo "Standard Chains" @@ -250,7 +257,7 @@ display_chains() timed_read - clear + clear_term echo "$banner $(date)" echo firstchain=Yes @@ -268,7 +275,7 @@ display_chains() for zone in $zones; do if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then - clear + clear_term echo "$banner $(date)" echo firstchain=Yes @@ -287,7 +294,7 @@ display_chains() fi done - clear + clear_term echo "$banner $(date)" echo firstchain=Yes @@ -308,7 +315,7 @@ display_chains() timed_read - clear + clear_term echo "$banner $(date)" echo firstchain=Yes @@ -443,7 +450,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that while true; do display_chains - clear + clear_term echo "$banner $(date)" echo @@ -474,7 +481,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that timed_read fi - clear + clear_term echo "$banner $(date)" echo echo "NAT Status" @@ -482,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that $IPTABLES -t nat -L $IPT_OPTIONS timed_read - clear + clear_term echo "$banner $(date)" echo echo @@ -491,7 +498,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that $IPTABLES -t mangle -L $IPT_OPTIONS timed_read - clear + clear_term echo "$banner $(date)" echo echo @@ -500,7 +507,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that cat /proc/net/ip_conntrack timed_read - clear + clear_term echo "$banner $(date)" echo echo 
@@ -509,7 +516,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that show_tc timed_read - clear + clear_term echo "$banner $(date)" echo echo @@ -541,7 +548,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that qt which awk && haveawk=Yes || haveawk= while true; do - clear + clear_term echo "$banner $(date)" echo @@ -960,7 +967,7 @@ case "$1" in status) [ -n "$debugging" ] && set -x [ $# -eq 1 ] || usage 1 - clear + clear_term echo "Shorewall-$version Status at $HOSTNAME - $(date)" echo show_reset @@ -1019,6 +1026,11 @@ case "$1" in ip route ls table $table done + echo + echo "ARP" + echo + arp -na + if qt which lsmod; then echo echo "Modules" @@ -1029,7 +1041,7 @@ case "$1" in hits) [ -n "$debugging" ] && set -x [ $# -eq 1 ] || usage 1 - clear + clear_term echo "Shorewall-$version Hits at $HOSTNAME - $(date)" echo diff --git a/STABLE2/shorewall.spec b/STABLE2/shorewall.spec index d9f79698a..eaa8817ec 100644 --- a/STABLE2/shorewall.spec +++ b/STABLE2/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 2.2.1 +%define version 2.2.2 %define release 1 %define prefix /usr @@ -137,6 +137,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn %changelog +* Mon Mar 07 2005 Tom Eastep tom@shorewall.net +- Updated to 2.2.2-1 * Mon Jan 24 2005 Tom Eastep tom@shorewall.net - Updated to 2.2.1-1 * Mon Jan 24 2005 Tom Eastep tom@shorewall.net diff --git a/STABLE2/tcrules b/STABLE2/tcrules index 94d686e96..41c132641 100644 --- a/STABLE2/tcrules +++ b/STABLE2/tcrules @@ -80,7 +80,8 @@ # allowed. Use $FW if the packet originates on # the firewall in which case the MARK column may NOT # specify either ":P" or ":F" (marking always occurs -# in the OUTPUT chain). +# in the OUTPUT chain). $FW may be optionally followed +# by ":" and a host/network address. # # MAC addresses must be prefixed with "~" and use # "-" as a separator. 
diff --git a/STABLE2/uninstall.sh b/STABLE2/uninstall.sh index 94ed22041..71fde0ee4 100755 --- a/STABLE2/uninstall.sh +++ b/STABLE2/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=2.2.1 +VERSION=2.2.2 usage() # $1 = exit status { diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml index 8821a9b05..31cd929bb 100644 --- a/Shorewall-docs2/FAQ.xml +++ b/Shorewall-docs2/FAQ.xml @@ -17,7 +17,7 @@ - 2005-03-01 + 2005-03-07 2001-2004 @@ -294,9 +294,14 @@ DNAT net loc:192.168.1.3:22 tcp 1022 If you insist on an IP solution to the accessibility problem - rather than a DNS solution, then assuming that your external interface - is eth0 and your internal interface is eth1 and that eth1 has IP address - 192.168.1.254 with subnet 192.168.1.0/24: + rather than a DNS solution, then if you are running Shorewall 2.0.0 or + 2.0.1 then please see the Shorewall 1.4 + FAQ. + + Otherwise, assuming that your external interface is eth0 and your + internal interface is eth1 and that eth1 has IP address 192.168.1.254 + with subnet 192.168.1.0/24, then: All traffic redirected through use of this hack will look to the server as if it came from the firewall (192.168.1.254) rather than from the original client! @@ -1690,8 +1695,8 @@ alias ipt_pkttype off how can you not support that version? The first release of Shorewall was in March of 2001. Shorewall - 1.2.12 was released in May of 2002. It is now the year 2004 and - Shorewall 2.0 is available. Shorewall 1.2.12 is poorly documented and is + 1.2.12 was released in May of 2002. It is now the year 2005 and + Shorewall 2.2 is available. Shorewall 1.2.12 is poorly documented and is missing many of the features that Shorewall users find essential today and it is silly to continue to run it simply because it is bundled with an ancient Debian release. 
@@ -2045,473 +2050,4 @@ Verifying Configuration... ... - - - Revision History - - - - 1.43 - - 2005-03-01 - - TE - - Added FAQ 14b. - - - - 1.42 - - 2004-12-31 - - TE - - Added FAQ 44. - - - - 1.41 - - 2004-12-26 - - TE - - Added FAQ 43. - - - - 1.40 - - 2004-12-22 - - TE - - Correct action directory name if FAQ 4. - - - - 1.39 - - 2004-12-12 - - TE - - Updated Debian information. Revised the answer to FAQ - 2a. - - - - 1.38 - - 2004-11-18 - - TE - - Added FAQ 42. - - - - 1.37 - - 2004-11-05 - - TE - - Added second title to FAQ 17. - - - - 1.36 - - 2004-11-04 - - TE - - Add note about Gnome Terminal. - - - - 1.35 - - 2004-10-30 - - TE - - Add FAQ 41. - - - - 1.34 - - 2004-10-12 - - TE - - Add FAQ 40. - - - - 1.33 - - 2004-10-01 - - TE - - Add FAQ 39. - - - - 1.32 - - 2004-09-23 - - TE - - Add link to simple bridge documentation from FAQ - 35. - - - - 1.31 - - 2004-09-12 - - TE - - Rename FAQ 17. - - - - 1.30 - - 2004-08-26 - - TE - - Update FAQ 2 with information about Shorewall - 2.1. - - - - 1.29 - - 2004-08-19 - - TE - - Reword FAQ 27a to include downloaded kernels. - - - - 1.28 - - 2004-07-14 - - TE - - Insert link to Ian Allen's DNAT paper (FAQ - 38) - - - - 1.27 - - 2004-06-18 - - TE - - Correct formatting in H323 quote. - - - - 1.26 - - 2004-05-18 - - TE - - Delete obsolete ping information. - - - - 1.25 - - 2004-05-18 - - TE - - Empty /etc/shorewall on Debian. - - - - 1.25 - - 2004-05-08 - - TE - - Update for Shorewall 2.0.2 - - - - 1.24 - - 2004-04-25 - - TE - - Add MA Brown's notes on multi-ISP routing. - - - - 1.23 - - 2004-04-22 - - TE - - Refined SNAT rule in FAQ #2. - - - - 1.22 - - 2004-04-06 - - TE - - Added FAQ 36. - - - - 1.21 - - 2004-03-05 - - TE - - Added Bridging link. - - - - 1.20 - - 2004-02-27 - - TE - - Added FAQ 35. - - - - 1.19 - - 2004-02-22 - - TE - - Added mention of nosmurfs option under FAQ - 31. - - - - 1.18 - - 2004-02-15 - - TE - - Added FAQ 34. - - - - 1.17 - - 2004-02-11 - - TE - - Added FAQ 33. 
- - - - 1.16 - - 2004-02-03 - - TE - - Updated for Shorewall 2.0. - - - - 1.15 - - 2004-01-25 - - TE - - Updated FAQ 32 to mention masquerading. Remove - tables. - - - - 1.14 - - 2004-01-24 - - TE - - Added FAQ 27a regarding kernel/iptables - incompatibility. - - - - 1.13 - - 2004-01-24 - - TE - - Add a note about the detectnets interface option in FAQ - 9. - - - - 1.12 - - 2004-01-20 - - TE - - Improve FAQ 16 answer. - - - - 1.11 - - 2004-01-14 - - TE - - Corrected broken link - - - - 1.10 - - 2004-01-09 - - TE - - Added a couple of more legacy FAQ numbers. - - - - 1.9 - - 2004-01-08 - - TE - - Corrected typo in FAQ 26a. Added warning to FAQ 2 - regarding source address of redirected requests. - - - - 1.8 - - 2003-12-31 - - TE - - Additions to FAQ 4. - - - - 1.7 - - 2003-12-30 - - TE - - Remove dead link from FAQ 1. - - - - 1.6 - - 2003.12-18 - - TE - - Add external link reference to FAQ 17. - - - - 1.5 - - 2003-12-16 - - TE - - Added a link to a Sys Admin article about multiple - internet interfaces. Added Legal Notice. Moved "abstract" to the - body of the document. Moved Revision History to this - Appendix. - - - - 1.4 - - 2003-12-13 - - TE - - Corrected formatting problems - - - - 1.3 - - 2003-12-10 - - TE - - Changed the title of FAQ 17 - - - - 1.2 - - 2003-12-09 - - TE - - Added Copyright and legacy FAQ numbers - - - - 1.1 - - 2003-12-04 - - MN - - Converted to Simplified DocBook XML - - - - 1.0 - - 2002-08-13 - - TE - - Initial revision - -
\ No newline at end of file
diff --git a/Shorewall2/fallback.sh b/Shorewall2/fallback.sh
index f69252b6b..53936aa6c 100755
--- a/Shorewall2/fallback.sh
+++ b/Shorewall2/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
-VERSION=2.2.1
+VERSION=2.2.2
 usage() # $1 = exit status
 {
diff --git a/Shorewall2/install.sh b/Shorewall2/install.sh
index d5b90a5d2..3ed86d1c7 100755
--- a/Shorewall2/install.sh
+++ b/Shorewall2/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
-VERSION=2.2.1
+VERSION=2.2.2
 usage() # $1 = exit status
 {
diff --git a/Shorewall2/shorewall.spec b/Shorewall2/shorewall.spec
index d9f79698a..eaa8817ec 100644
--- a/Shorewall2/shorewall.spec
+++ b/Shorewall2/shorewall.spec
@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 2.2.1
+%define version 2.2.2
 %define release 1
 %define prefix /usr
@@ -137,6 +137,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
 %changelog
+* Mon Mar 07 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.2.2-1
 * Mon Jan 24 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.2.1-1
 * Mon Jan 24 2005 Tom Eastep tom@shorewall.net
diff --git a/Shorewall2/uninstall.sh b/Shorewall2/uninstall.sh
index 94ed22041..71fde0ee4 100755
--- a/Shorewall2/uninstall.sh
+++ b/Shorewall2/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Seattle Firewall
-VERSION=2.2.1
+VERSION=2.2.2
 usage() # $1 = exit status
 {