extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-11 08:08:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall 2.2.2

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1986 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-03-07 22:32:05 +00:00
parent cefa44418d
commit bea55d93d1
18 changed files with 356 additions and 572 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Lrp2/etc/shorewall/tcrules
View File

@ -80,7 +80,8 @@
# allowed. Use $FW if the packet originates on # allowed. Use $FW if the packet originates on
# the firewall in which case the MARK column may NOT # the firewall in which case the MARK column may NOT
# specify either ":P" or ":F" (marking always occurs # specify either ":P" or ":F" (marking always occurs
# in the OUTPUT chain). # in the OUTPUT chain). $FW may be optionally followed
# by ":" and a host/network address.
# #
# MAC addresses must be prefixed with "~" and use # MAC addresses must be prefixed with "~" and use
# "-" as a separator. # "-" as a separator.

42
Lrp2/sbin/shorewall
View File

@ -4,7 +4,7 @@
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
# #
# This file should be placed in /sbin/shorewall. # This file should be placed in /sbin/shorewall.
# #
@ -220,6 +220,13 @@ get_config() {
} }
#
# Clear descriptor 1 if it is a terminal
#
clear_term() {
[ -t 1 ] && clear
}
# #
# Display IPTABLES rules -- we used to store them in a variable but ash # Display IPTABLES rules -- we used to store them in a variable but ash
# dies when trying to display large sets of rules # dies when trying to display large sets of rules
@ -238,7 +245,7 @@ display_chains()
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE $IPTABLES -L $IPT_OPTIONS >> $TMPFILE
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo "Standard Chains" echo "Standard Chains"
@ -250,7 +257,7 @@ display_chains()
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
firstchain=Yes firstchain=Yes
@ -268,7 +275,7 @@ display_chains()
for zone in $zones; do for zone in $zones; do
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
firstchain=Yes firstchain=Yes
@ -287,7 +294,7 @@ display_chains()
fi fi
done done
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
firstchain=Yes firstchain=Yes
@ -308,7 +315,7 @@ display_chains()
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
firstchain=Yes firstchain=Yes
@ -443,7 +450,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
while true; do while true; do
display_chains display_chains
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
@ -474,7 +481,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
timed_read timed_read
fi fi
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo "NAT Status" echo "NAT Status"
@ -482,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
$IPTABLES -t nat -L $IPT_OPTIONS $IPTABLES -t nat -L $IPT_OPTIONS
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo echo
@ -491,7 +498,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
$IPTABLES -t mangle -L $IPT_OPTIONS $IPTABLES -t mangle -L $IPT_OPTIONS
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo echo
@ -500,7 +507,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
cat /proc/net/ip_conntrack cat /proc/net/ip_conntrack
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo echo
@ -509,7 +516,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
show_tc show_tc
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo echo
@ -541,7 +548,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
qt which awk && haveawk=Yes || haveawk= qt which awk && haveawk=Yes || haveawk=
while true; do while true; do
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
@ -960,7 +967,7 @@ case "$1" in
status) status)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
clear clear_term
echo "Shorewall-$version Status at $HOSTNAME - $(date)" echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo echo
show_reset show_reset
@ -1019,6 +1026,11 @@ case "$1" in
ip route ls table $table ip route ls table $table
done done
echo
echo "ARP"
echo
arp -na
if qt which lsmod; then if qt which lsmod; then
echo echo
echo "Modules" echo "Modules"
@ -1029,7 +1041,7 @@ case "$1" in
hits) hits)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
clear clear_term
echo "Shorewall-$version Hits at $HOSTNAME - $(date)" echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
echo echo

129
Lrp2/usr/share/shorewall/firewall
View File

@ -30,7 +30,7 @@
# shorewall restart Restarts the firewall # shorewall restart Restarts the firewall
# shorewall stop Stops the firewall # shorewall stop Stops the firewall
# shorewall status Displays firewall status # shorewall status Displays firewall status
# shorewall reset Resets iptabless packet and # shorewall reset Resets iptables packet and
# byte counts # byte counts
# shorewall clear Remove all Shorewall chains # shorewall clear Remove all Shorewall chains
# and rules/policies. # and rules/policies.
@ -1303,10 +1303,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
case $level in case $level in
ULOG) ULOG)
$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" run_iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
;; ;;
*) *)
$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" run_iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
;; ;;
esac esac
@ -2333,16 +2333,19 @@ process_tc_rule()
if [ "x$source" != "x-" ]; then if [ "x$source" != "x-" ]; then
case $source in case $source in
*.*.*) *.*.*)
r="-s $source " r="$(source_ip_range $source) "
;; ;;
~*) ~*)
r="$(mac_match $source) " r="$(mac_match $source) "
;; ;;
$FW:*)
chain=tcout
r="$(source_ip_range ${source%:*}) "
;;
$FW) $FW)
chain=tcout chain=tcout
;; ;;
*) *)
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
r="$(match_source_dev) $source " r="$(match_source_dev) $source "
;; ;;
@ -2763,13 +2766,14 @@ check_config() {
disclaimer() { disclaimer() {
echo echo
echo "Notice: The 'check' command is unsupported and problem" echo "Notice: The 'check' command is provided to catch"
echo " reports complaining about errors that it didn't catch" echo " obvious errors in a Shorewall configuration."
echo " will not be accepted" echo " It is not designed to catch all possible errors"
echo " so please don't submit problem reports about"
echo " error conditions that 'check' doesn't find"
echo echo
} }
disclaimer
report_capabilities report_capabilities
@ -3148,7 +3152,27 @@ process_action() # $1 = chain (Chain to add the rules to)
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all} [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
if [ -n "$MULTIPORT" ] && \ if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
then
#
# Extended MULTIPORT is enabled, and less than
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
for server in $(separate_list ${servers:=-}); do
#
# add_an_action() modifies these so we must set their values each time
#
port=${ports:=-}
cport=${cports:=-}
add_an_action
done
done
elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \ ! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \ [ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \ "$cports" = "${cports%:*}" -a \
@ -3242,7 +3266,11 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
createchain $CHAIN No createchain $CHAIN No
LEVEL=${level%:*} LEVEL=${level%:*}
if [ "$LEVEL" != "$level" ]; then
TAG=${level#*:} TAG=${level#*:}
else
TAG=
fi
run_user_exit $1 run_user_exit $1
fi fi
@ -4318,7 +4346,26 @@ process_rule() # $1 = target
case $logtarget in case $logtarget in
DNAT*) DNAT*)
if [ -n "$MULTIPORT" ] && \ if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
then
#
# Extended MULTIPORT is enabled, and less than
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
#
# add_a_rule() modifies these so we must set their values each time
#
server=${servers:=-}
port=${ports:=-}
cport=${cports:=-}
add_a_rule
done
elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \ ! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \ [ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \ "$cports" = "${cports%:*}" -a \
@ -4356,7 +4403,27 @@ process_rule() # $1 = target
;; ;;
*) *)
if [ -n "$MULTIPORT" ] && \ if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
then
#
# Extended MULTIPORT is enabled, and less than
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
for server in $(separate_list ${servers:=-}); do
#
# add_a_rule() modifies these so we must set their values each time
#
port=${ports:=-}
cport=${cports:=-}
add_a_rule
done
done
elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \ ! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \ [ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \ "$cports" = "${cports%:*}" -a \
@ -4423,6 +4490,7 @@ process_rules()
if [ "${ysourcezone}" != "${ydestzone}" ] ; then if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then if [ "$ypolicy" != NONE ] ; then
rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
fi fi
fi fi
@ -4448,11 +4516,11 @@ process_rules()
continue continue
fi fi
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
} }
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
expandv xtarget expandv xtarget
case "${xtarget%%:*}" in case "${xtarget%%:*}" in
@ -4469,6 +4537,7 @@ process_rules()
xtarget=$(find_logactionchain $xtarget) xtarget=$(find_logactionchain $xtarget)
do_it do_it
else else
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
fatal_error "Invalid Action in rule \"$rule\"" fatal_error "Invalid Action in rule \"$rule\""
fi fi
;; ;;
@ -5039,7 +5108,15 @@ setup_masq()
if [ $listcount -gt 1 ]; then if [ $listcount -gt 1 ]; then
case $ports in case $ports in
*:*) *:*)
if [ -n "$XMULTIPORT" ]; then
if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then
ports="-m multiport --dports $ports"
else
fatal_error "More than 15 entries in port list ($ports)"
fi
else
fatal_error "Port Range not allowed in list ($ports)" fatal_error "Port Range not allowed in list ($ports)"
fi
;; ;;
*) *)
if [ -n "$MULTIPORT" ]; then if [ -n "$MULTIPORT" ]; then
@ -5475,6 +5552,7 @@ save_load_kernel_modules()
done < $modules done < $modules
save_command __EOF__ save_command __EOF__
save_command ""
} }
@ -5494,6 +5572,7 @@ determine_capabilities() {
CONNTRACK_MATCH= CONNTRACK_MATCH=
MULTIPORT= MULTIPORT=
XMULTIPORT=
POLICY_MATCH= POLICY_MATCH=
PHYSDEV_MATCH= PHYSDEV_MATCH=
IPRANGE_MATCH= IPRANGE_MATCH=
@ -5501,6 +5580,7 @@ determine_capabilities() {
qt $IPTABLES -N fooX1234 qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
@ -5514,25 +5594,26 @@ determine_capabilities() {
qt $IPTABLES -X fooX1234 qt $IPTABLES -X fooX1234
} }
report_capability() # $1 = Capability Name, $2 Capability Setting (if any) report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{ {
local setting= local setting=
[ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available" [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
echo " " $@: $setting echo " " $1: $setting
} }
report_capabilities() { report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:" echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability $NAT_ENABLED "NAT" report_capability "NAT" $NAT_ENABLED
report_capability $MANGLE_ENABLED "Packet Mangling" report_capability "Packet Mangling" $MANGLE_ENABLED
report_capability $MULTIPORT "Multi-port Match" report_capability "Multi-port Match" $MULTIPORT
report_capability $CONNTRACK_MATCH "Connection Tracking Match" [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability $PKTTYPE "Packet Type Match" report_capability "Connection Tracking Match" $CONNTRACK_MATCH
report_capability $POLICY_MATCH "Policy Match" report_capability "Packet Type Match" $PKTTYPE
report_capability $PHYSDEV_MATCH "Physdev Match" report_capability "Policy Match" $POLICY_MATCH
report_capability $IPRANGE_MATCH "IP range Match" report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
} }
# #

2
Lrp2/usr/share/shorewall/version
View File

@ -1 +1 @@
2.2.1 2.2.2

21
STABLE2/changelog.txt
View File

@ -1,11 +1,28 @@
Changes in 2.2.2
1) The 'check' command disclaimer is toned down further and only
appears once in the 'check' output.
2) Enhanced support in the SOURCE column of /etc/shorewall/tcrules.
3) All calls to 'clear' are now conditional on the output device being
a terminal.
4) Apply Juergen Kreileder's patch for logging.
5) Add the output of 'arp -na' to the 'shorewall status' display.
6) Provide support for the Extended multiport match available in
2.6.11.
7) Fix logging rule generation.
Changes in 2.2.1 Changes in 2.2.1
1) Add examples to the zones and policy files. 1) Add examples to the zones and policy files.
2) Simon Matter's patch for umask. 2) Simon Matter's patch for umask.
3) Apply Juergen Kreileder's patch for logging.
Changes since 2.0.3 Changes since 2.0.3
1) Fix security vulnerability involving temporary files/directories. 1) Fix security vulnerability involving temporary files/directories.

2
STABLE2/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=2.2.1 VERSION=2.2.2
usage() # $1 = exit status usage() # $1 = exit status
{ {

129
STABLE2/firewall
View File

@ -30,7 +30,7 @@
# shorewall restart Restarts the firewall # shorewall restart Restarts the firewall
# shorewall stop Stops the firewall # shorewall stop Stops the firewall
# shorewall status Displays firewall status # shorewall status Displays firewall status
# shorewall reset Resets iptabless packet and # shorewall reset Resets iptables packet and
# byte counts # byte counts
# shorewall clear Remove all Shorewall chains # shorewall clear Remove all Shorewall chains
# and rules/policies. # and rules/policies.
@ -1303,10 +1303,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
case $level in case $level in
ULOG) ULOG)
$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" run_iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
;; ;;
*) *)
$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" run_iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
;; ;;
esac esac
@ -2333,16 +2333,19 @@ process_tc_rule()
if [ "x$source" != "x-" ]; then if [ "x$source" != "x-" ]; then
case $source in case $source in
*.*.*) *.*.*)
r="-s $source " r="$(source_ip_range $source) "
;; ;;
~*) ~*)
r="$(mac_match $source) " r="$(mac_match $source) "
;; ;;
$FW:*)
chain=tcout
r="$(source_ip_range ${source%:*}) "
;;
$FW) $FW)
chain=tcout chain=tcout
;; ;;
*) *)
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
r="$(match_source_dev) $source " r="$(match_source_dev) $source "
;; ;;
@ -2763,13 +2766,14 @@ check_config() {
disclaimer() { disclaimer() {
echo echo
echo "Notice: The 'check' command is unsupported and problem" echo "Notice: The 'check' command is provided to catch"
echo " reports complaining about errors that it didn't catch" echo " obvious errors in a Shorewall configuration."
echo " will not be accepted" echo " It is not designed to catch all possible errors"
echo " so please don't submit problem reports about"
echo " error conditions that 'check' doesn't find"
echo echo
} }
disclaimer
report_capabilities report_capabilities
@ -3148,7 +3152,27 @@ process_action() # $1 = chain (Chain to add the rules to)
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all} [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
if [ -n "$MULTIPORT" ] && \ if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
then
#
# Extended MULTIPORT is enabled, and less than
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
for server in $(separate_list ${servers:=-}); do
#
# add_an_action() modifies these so we must set their values each time
#
port=${ports:=-}
cport=${cports:=-}
add_an_action
done
done
elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \ ! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \ [ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \ "$cports" = "${cports%:*}" -a \
@ -3242,7 +3266,11 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
createchain $CHAIN No createchain $CHAIN No
LEVEL=${level%:*} LEVEL=${level%:*}
if [ "$LEVEL" != "$level" ]; then
TAG=${level#*:} TAG=${level#*:}
else
TAG=
fi
run_user_exit $1 run_user_exit $1
fi fi
@ -4318,7 +4346,26 @@ process_rule() # $1 = target
case $logtarget in case $logtarget in
DNAT*) DNAT*)
if [ -n "$MULTIPORT" ] && \ if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
then
#
# Extended MULTIPORT is enabled, and less than
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
#
# add_a_rule() modifies these so we must set their values each time
#
server=${servers:=-}
port=${ports:=-}
cport=${cports:=-}
add_a_rule
done
elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \ ! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \ [ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \ "$cports" = "${cports%:*}" -a \
@ -4356,7 +4403,27 @@ process_rule() # $1 = target
;; ;;
*) *)
if [ -n "$MULTIPORT" ] && \ if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
then
#
# Extended MULTIPORT is enabled, and less than
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
for server in $(separate_list ${servers:=-}); do
#
# add_a_rule() modifies these so we must set their values each time
#
port=${ports:=-}
cport=${cports:=-}
add_a_rule
done
done
elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \ ! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \ [ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \ "$cports" = "${cports%:*}" -a \
@ -4423,6 +4490,7 @@ process_rules()
if [ "${ysourcezone}" != "${ydestzone}" ] ; then if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then if [ "$ypolicy" != NONE ] ; then
rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
fi fi
fi fi
@ -4448,11 +4516,11 @@ process_rules()
continue continue
fi fi
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
} }
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
expandv xtarget expandv xtarget
case "${xtarget%%:*}" in case "${xtarget%%:*}" in
@ -4469,6 +4537,7 @@ process_rules()
xtarget=$(find_logactionchain $xtarget) xtarget=$(find_logactionchain $xtarget)
do_it do_it
else else
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
fatal_error "Invalid Action in rule \"$rule\"" fatal_error "Invalid Action in rule \"$rule\""
fi fi
;; ;;
@ -5039,7 +5108,15 @@ setup_masq()
if [ $listcount -gt 1 ]; then if [ $listcount -gt 1 ]; then
case $ports in case $ports in
*:*) *:*)
if [ -n "$XMULTIPORT" ]; then
if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then
ports="-m multiport --dports $ports"
else
fatal_error "More than 15 entries in port list ($ports)"
fi
else
fatal_error "Port Range not allowed in list ($ports)" fatal_error "Port Range not allowed in list ($ports)"
fi
;; ;;
*) *)
if [ -n "$MULTIPORT" ]; then if [ -n "$MULTIPORT" ]; then
@ -5475,6 +5552,7 @@ save_load_kernel_modules()
done < $modules done < $modules
save_command __EOF__ save_command __EOF__
save_command ""
} }
@ -5494,6 +5572,7 @@ determine_capabilities() {
CONNTRACK_MATCH= CONNTRACK_MATCH=
MULTIPORT= MULTIPORT=
XMULTIPORT=
POLICY_MATCH= POLICY_MATCH=
PHYSDEV_MATCH= PHYSDEV_MATCH=
IPRANGE_MATCH= IPRANGE_MATCH=
@ -5501,6 +5580,7 @@ determine_capabilities() {
qt $IPTABLES -N fooX1234 qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
@ -5514,25 +5594,26 @@ determine_capabilities() {
qt $IPTABLES -X fooX1234 qt $IPTABLES -X fooX1234
} }
report_capability() # $1 = Capability Name, $2 Capability Setting (if any) report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{ {
local setting= local setting=
[ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available" [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
echo " " $@: $setting echo " " $1: $setting
} }
report_capabilities() { report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:" echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability $NAT_ENABLED "NAT" report_capability "NAT" $NAT_ENABLED
report_capability $MANGLE_ENABLED "Packet Mangling" report_capability "Packet Mangling" $MANGLE_ENABLED
report_capability $MULTIPORT "Multi-port Match" report_capability "Multi-port Match" $MULTIPORT
report_capability $CONNTRACK_MATCH "Connection Tracking Match" [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability $PKTTYPE "Packet Type Match" report_capability "Connection Tracking Match" $CONNTRACK_MATCH
report_capability $POLICY_MATCH "Policy Match" report_capability "Packet Type Match" $PKTTYPE
report_capability $PHYSDEV_MATCH "Physdev Match" report_capability "Policy Match" $POLICY_MATCH
report_capability $IPRANGE_MATCH "IP range Match" report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
} }
# #

2
STABLE2/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=2.2.1 VERSION=2.2.2
usage() # $1 = exit status usage() # $1 = exit status
{ {

41
STABLE2/releasenotes.txt
View File

@ -1,4 +1,43 @@
Shorewall 2.2.1 Shorewall 2.2.2
-----------------------------------------------------------------------
Problems corrected in version 2.2.2
1) The SOURCE column in the /etc/shorewall/tcrules file now allows IP
ranges (assuming that your iptables and kernel support ranges).
2) If A is a user-defined action and you have file /etc/shorewall/A
then when that file is invoked, the $TAG value may be incorrect.
3) Previously, if an iptables command generating a logging rule
failed, the Shorewall [re]start was still successful. This error
is now considered fatal and Shorewall will be either restored from
the last save (if any) or it will be stopped.
-----------------------------------------------------------------------
New Features in version 2.2.2
1) The SOURCE column in the /etc/shorewall/tcrules file now allows $FW
to be optionally followed by ":" and a host/network address or
address range.
2) Shorewall now clears the output device only if it is a
terminal. This avoids ugly control sequences being placed in files
when /sbin/shorewall output is redirected.
3) The output from 'arp -na' has been added to the 'shorewall status'
display.
4) The 2.6.11 Linux kernel and iptables 1.3.0 now allow port ranges
to appear in port lists handled by "multiport match". If Shorewall
detects this capability, it will use "multiport match" for port
lists containing port ranges. Be cautioned that each port range
counts for TWO ports and a port list handled with "multiport match"
can still specify a maximum of 15 ports.
As always, if a port list in /etc/shorewall/rules is incompatible
with "multiport match", a separate iptables rule will be generated
for each element in the list.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Problems corrected in version 2.2.1 Problems corrected in version 2.2.1

40
STABLE2/shorewall
View File

@ -220,6 +220,13 @@ get_config() {
} }
#
# Clear descriptor 1 if it is a terminal
#
clear_term() {
[ -t 1 ] && clear
}
# #
# Display IPTABLES rules -- we used to store them in a variable but ash # Display IPTABLES rules -- we used to store them in a variable but ash
# dies when trying to display large sets of rules # dies when trying to display large sets of rules
@ -238,7 +245,7 @@ display_chains()
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE $IPTABLES -L $IPT_OPTIONS >> $TMPFILE
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo "Standard Chains" echo "Standard Chains"
@ -250,7 +257,7 @@ display_chains()
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
firstchain=Yes firstchain=Yes
@ -268,7 +275,7 @@ display_chains()
for zone in $zones; do for zone in $zones; do
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
firstchain=Yes firstchain=Yes
@ -287,7 +294,7 @@ display_chains()
fi fi
done done
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
firstchain=Yes firstchain=Yes
@ -308,7 +315,7 @@ display_chains()
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
firstchain=Yes firstchain=Yes
@ -443,7 +450,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
while true; do while true; do
display_chains display_chains
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
@ -474,7 +481,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
timed_read timed_read
fi fi
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo "NAT Status" echo "NAT Status"
@ -482,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
$IPTABLES -t nat -L $IPT_OPTIONS $IPTABLES -t nat -L $IPT_OPTIONS
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo echo
@ -491,7 +498,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
$IPTABLES -t mangle -L $IPT_OPTIONS $IPTABLES -t mangle -L $IPT_OPTIONS
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo echo
@ -500,7 +507,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
cat /proc/net/ip_conntrack cat /proc/net/ip_conntrack
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo echo
@ -509,7 +516,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
show_tc show_tc
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo echo
@ -541,7 +548,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
qt which awk && haveawk=Yes || haveawk= qt which awk && haveawk=Yes || haveawk=
while true; do while true; do
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
@ -960,7 +967,7 @@ case "$1" in
status) status)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
clear clear_term
echo "Shorewall-$version Status at $HOSTNAME - $(date)" echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo echo
show_reset show_reset
@ -1019,6 +1026,11 @@ case "$1" in
ip route ls table $table ip route ls table $table
done done
echo
echo "ARP"
echo
arp -na
if qt which lsmod; then if qt which lsmod; then
echo echo
echo "Modules" echo "Modules"
@ -1029,7 +1041,7 @@ case "$1" in
hits) hits)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
clear clear_term
echo "Shorewall-$version Hits at $HOSTNAME - $(date)" echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
echo echo

4
STABLE2/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 2.2.1 %define version 2.2.2
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -137,6 +137,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
%changelog %changelog
* Mon Mar 07 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.2-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net * Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.1-1 - Updated to 2.2.1-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net * Mon Jan 24 2005 Tom Eastep tom@shorewall.net

3
STABLE2/tcrules
View File

@ -80,7 +80,8 @@
# allowed. Use $FW if the packet originates on # allowed. Use $FW if the packet originates on
# the firewall in which case the MARK column may NOT # the firewall in which case the MARK column may NOT
# specify either ":P" or ":F" (marking always occurs # specify either ":P" or ":F" (marking always occurs
# in the OUTPUT chain). # in the OUTPUT chain). $FW may be optionally followed
# by ":" and a host/network address.
# #
# MAC addresses must be prefixed with "~" and use # MAC addresses must be prefixed with "~" and use
# "-" as a separator. # "-" as a separator.

2
STABLE2/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=2.2.1 VERSION=2.2.2
usage() # $1 = exit status usage() # $1 = exit status
{ {

486
Shorewall-docs2/FAQ.xml
View File

@ -17,7 +17,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-03-01</pubdate> <pubdate>2005-03-07</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -294,9 +294,14 @@ DNAT net loc:192.168.1.3:22 tcp 1022</programlisting>
</itemizedlist> </itemizedlist>
<para>If you insist on an IP solution to the accessibility problem <para>If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your external interface rather than a DNS solution, then if you are running Shorewall 2.0.0 or
is eth0 and your internal interface is eth1 and that eth1 has IP address 2.0.1 then please see the <ulink
192.168.1.254 with subnet 192.168.1.0/24:<warning> url="http://www.shorewall.net/1.4/FAQ.htm#faq2">Shorewall 1.4
FAQ</ulink>.</para>
<para>Otherwise, assuming that your external interface is eth0 and your
internal interface is eth1 and that eth1 has IP address 192.168.1.254
with subnet 192.168.1.0/24, then:<warning>
<para>All traffic redirected through use of this hack will look to <para>All traffic redirected through use of this hack will look to
the server as if it came from the firewall (192.168.1.254) rather the server as if it came from the firewall (192.168.1.254) rather
than from the original client!</para> than from the original client!</para>
@ -1690,8 +1695,8 @@ alias ipt_pkttype off</programlisting>
how can you not support that version?</title> how can you not support that version?</title>
<para>The first release of Shorewall was in March of 2001. Shorewall <para>The first release of Shorewall was in March of 2001. Shorewall
1.2.12 was released in May of 2002. It is now the year 2004 and 1.2.12 was released in May of 2002. It is now the year 2005 and
Shorewall 2.0 is available. Shorewall 1.2.12 is poorly documented and is Shorewall 2.2 is available. Shorewall 1.2.12 is poorly documented and is
missing many of the features that Shorewall users find essential today missing many of the features that Shorewall users find essential today
and it is silly to continue to run it simply because it is bundled with and it is silly to continue to run it simply because it is bundled with
an ancient Debian release.</para> an ancient Debian release.</para>
@ -2045,473 +2050,4 @@ Verifying Configuration...
...</programlisting> ...</programlisting>
</section> </section>
</section> </section>
<appendix>
<title>Revision History</title>
<para><revhistory>
<revision>
<revnumber>1.43</revnumber>
<date>2005-03-01</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 14b.</revremark>
</revision>
<revision>
<revnumber>1.42</revnumber>
<date>2004-12-31</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 44.</revremark>
</revision>
<revision>
<revnumber>1.41</revnumber>
<date>2004-12-26</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 43.</revremark>
</revision>
<revision>
<revnumber>1.40</revnumber>
<date>2004-12-22</date>
<authorinitials>TE</authorinitials>
<revremark>Correct action directory name if FAQ 4.</revremark>
</revision>
<revision>
<revnumber>1.39</revnumber>
<date>2004-12-12</date>
<authorinitials>TE</authorinitials>
<revremark>Updated Debian information. Revised the answer to FAQ
2a.</revremark>
</revision>
<revision>
<revnumber>1.38</revnumber>
<date>2004-11-18</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 42.</revremark>
</revision>
<revision>
<revnumber>1.37</revnumber>
<date>2004-11-05</date>
<authorinitials>TE</authorinitials>
<revremark>Added second title to FAQ 17.</revremark>
</revision>
<revision>
<revnumber>1.36</revnumber>
<date>2004-11-04</date>
<authorinitials>TE</authorinitials>
<revremark>Add note about Gnome Terminal.</revremark>
</revision>
<revision>
<revnumber>1.35</revnumber>
<date>2004-10-30</date>
<authorinitials>TE</authorinitials>
<revremark>Add FAQ 41.</revremark>
</revision>
<revision>
<revnumber>1.34</revnumber>
<date>2004-10-12</date>
<authorinitials>TE</authorinitials>
<revremark>Add FAQ 40.</revremark>
</revision>
<revision>
<revnumber>1.33</revnumber>
<date>2004-10-01</date>
<authorinitials>TE</authorinitials>
<revremark>Add FAQ 39.</revremark>
</revision>
<revision>
<revnumber>1.32</revnumber>
<date>2004-09-23</date>
<authorinitials>TE</authorinitials>
<revremark>Add link to simple bridge documentation from FAQ
35.</revremark>
</revision>
<revision>
<revnumber>1.31</revnumber>
<date>2004-09-12</date>
<authorinitials>TE</authorinitials>
<revremark>Rename FAQ 17.</revremark>
</revision>
<revision>
<revnumber>1.30</revnumber>
<date>2004-08-26</date>
<authorinitials>TE</authorinitials>
<revremark>Update FAQ 2 with information about Shorewall
2.1.</revremark>
</revision>
<revision>
<revnumber>1.29</revnumber>
<date>2004-08-19</date>
<authorinitials>TE</authorinitials>
<revremark>Reword FAQ 27a to include downloaded kernels.</revremark>
</revision>
<revision>
<revnumber>1.28</revnumber>
<date>2004-07-14</date>
<authorinitials>TE</authorinitials>
<revremark>Insert link to Ian Allen's DNAT paper (FAQ
38)</revremark>
</revision>
<revision>
<revnumber>1.27</revnumber>
<date>2004-06-18</date>
<authorinitials>TE</authorinitials>
<revremark>Correct formatting in H323 quote.</revremark>
</revision>
<revision>
<revnumber>1.26</revnumber>
<date>2004-05-18</date>
<authorinitials>TE</authorinitials>
<revremark>Delete obsolete ping information.</revremark>
</revision>
<revision>
<revnumber>1.25</revnumber>
<date>2004-05-18</date>
<authorinitials>TE</authorinitials>
<revremark>Empty /etc/shorewall on Debian.</revremark>
</revision>
<revision>
<revnumber>1.25</revnumber>
<date>2004-05-08</date>
<authorinitials>TE</authorinitials>
<revremark>Update for Shorewall 2.0.2</revremark>
</revision>
<revision>
<revnumber>1.24</revnumber>
<date>2004-04-25</date>
<authorinitials>TE</authorinitials>
<revremark>Add MA Brown's notes on multi-ISP routing.</revremark>
</revision>
<revision>
<revnumber>1.23</revnumber>
<date>2004-04-22</date>
<authorinitials>TE</authorinitials>
<revremark>Refined SNAT rule in FAQ #2.</revremark>
</revision>
<revision>
<revnumber>1.22</revnumber>
<date>2004-04-06</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 36.</revremark>
</revision>
<revision>
<revnumber>1.21</revnumber>
<date>2004-03-05</date>
<authorinitials>TE</authorinitials>
<revremark>Added Bridging link.</revremark>
</revision>
<revision>
<revnumber>1.20</revnumber>
<date>2004-02-27</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 35.</revremark>
</revision>
<revision>
<revnumber>1.19</revnumber>
<date>2004-02-22</date>
<authorinitials>TE</authorinitials>
<revremark>Added mention of nosmurfs option under FAQ
31.</revremark>
</revision>
<revision>
<revnumber>1.18</revnumber>
<date>2004-02-15</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 34.</revremark>
</revision>
<revision>
<revnumber>1.17</revnumber>
<date>2004-02-11</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 33.</revremark>
</revision>
<revision>
<revnumber>1.16</revnumber>
<date>2004-02-03</date>
<authorinitials>TE</authorinitials>
<revremark>Updated for Shorewall 2.0.</revremark>
</revision>
<revision>
<revnumber>1.15</revnumber>
<date>2004-01-25</date>
<authorinitials>TE</authorinitials>
<revremark>Updated FAQ 32 to mention masquerading. Remove
tables.</revremark>
</revision>
<revision>
<revnumber>1.14</revnumber>
<date>2004-01-24</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 27a regarding kernel/iptables
incompatibility.</revremark>
</revision>
<revision>
<revnumber>1.13</revnumber>
<date>2004-01-24</date>
<authorinitials>TE</authorinitials>
<revremark>Add a note about the <emphasis
role="bold">detectnets</emphasis> interface option in FAQ
9.</revremark>
</revision>
<revision>
<revnumber>1.12</revnumber>
<date>2004-01-20</date>
<authorinitials>TE</authorinitials>
<revremark>Improve FAQ 16 answer.</revremark>
</revision>
<revision>
<revnumber>1.11</revnumber>
<date>2004-01-14</date>
<authorinitials>TE</authorinitials>
<revremark>Corrected broken link</revremark>
</revision>
<revision>
<revnumber>1.10</revnumber>
<date>2004-01-09</date>
<authorinitials>TE</authorinitials>
<revremark>Added a couple of more legacy FAQ numbers.</revremark>
</revision>
<revision>
<revnumber>1.9</revnumber>
<date>2004-01-08</date>
<authorinitials>TE</authorinitials>
<revremark>Corrected typo in FAQ 26a. Added warning to FAQ 2
regarding source address of redirected requests.</revremark>
</revision>
<revision>
<revnumber>1.8</revnumber>
<date>2003-12-31</date>
<authorinitials>TE</authorinitials>
<revremark>Additions to FAQ 4.</revremark>
</revision>
<revision>
<revnumber>1.7</revnumber>
<date>2003-12-30</date>
<authorinitials>TE</authorinitials>
<revremark>Remove dead link from FAQ 1.</revremark>
</revision>
<revision>
<revnumber>1.6</revnumber>
<date>2003.12-18</date>
<authorinitials>TE</authorinitials>
<revremark>Add external link reference to FAQ 17.</revremark>
</revision>
<revision>
<revnumber>1.5</revnumber>
<date>2003-12-16</date>
<authorinitials>TE</authorinitials>
<revremark>Added a link to a Sys Admin article about multiple
internet interfaces. Added Legal Notice. Moved "abstract" to the
body of the document. Moved Revision History to this
Appendix.</revremark>
</revision>
<revision>
<revnumber>1.4</revnumber>
<date>2003-12-13</date>
<authorinitials>TE</authorinitials>
<revremark>Corrected formatting problems</revremark>
</revision>
<revision>
<revnumber>1.3</revnumber>
<date>2003-12-10</date>
<authorinitials>TE</authorinitials>
<revremark>Changed the title of FAQ 17</revremark>
</revision>
<revision>
<revnumber>1.2</revnumber>
<date>2003-12-09</date>
<authorinitials>TE</authorinitials>
<revremark>Added Copyright and legacy FAQ numbers</revremark>
</revision>
<revision>
<revnumber>1.1</revnumber>
<date>2003-12-04</date>
<authorinitials>MN</authorinitials>
<revremark>Converted to Simplified DocBook XML</revremark>
</revision>
<revision>
<revnumber>1.0</revnumber>
<date>2002-08-13</date>
<authorinitials>TE</authorinitials>
<revremark>Initial revision</revremark>
</revision>
</revhistory></para>
</appendix>
</article> </article>

2
Shorewall2/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=2.2.1 VERSION=2.2.2
usage() # $1 = exit status usage() # $1 = exit status
{ {

2
Shorewall2/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=2.2.1 VERSION=2.2.2
usage() # $1 = exit status usage() # $1 = exit status
{ {

4
Shorewall2/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 2.2.1 %define version 2.2.2
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -137,6 +137,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
%changelog %changelog
* Mon Mar 07 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.2-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net * Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.1-1 - Updated to 2.2.1-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net * Mon Jan 24 2005 Tom Eastep tom@shorewall.net

2
Shorewall2/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=2.2.1 VERSION=2.2.2
usage() # $1 = exit status usage() # $1 = exit status
{ {