Shorewall 2.2.2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1986 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-03-07 22:32:05 +00:00
parent cefa44418d
commit bea55d93d1
18 changed files with 356 additions and 572 deletions

View File

@ -80,7 +80,8 @@
# allowed. Use $FW if the packet originates on
# the firewall in which case the MARK column may NOT
# specify either ":P" or ":F" (marking always occurs
# in the OUTPUT chain).
# in the OUTPUT chain). $FW may be optionally followed
# by ":" and a host/network address.
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.

View File

@ -4,7 +4,7 @@
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# This file should be placed in /sbin/shorewall.
#
@ -220,6 +220,13 @@ get_config() {
}
#
# Clear descriptor 1 if it is a terminal
#
clear_term() {
[ -t 1 ] && clear
}
#
# Display IPTABLES rules -- we used to store them in a variable but ash
# dies when trying to display large sets of rules
@ -238,7 +245,7 @@ display_chains()
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
clear
clear_term
echo "$banner $(date)"
echo
echo "Standard Chains"
@ -250,7 +257,7 @@ display_chains()
timed_read
clear
clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@ -268,7 +275,7 @@ display_chains()
for zone in $zones; do
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
clear
clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@ -287,7 +294,7 @@ display_chains()
fi
done
clear
clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@ -308,7 +315,7 @@ display_chains()
timed_read
clear
clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@ -443,7 +450,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
while true; do
display_chains
clear
clear_term
echo "$banner $(date)"
echo
@ -474,7 +481,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
timed_read
fi
clear
clear_term
echo "$banner $(date)"
echo
echo "NAT Status"
@ -482,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
$IPTABLES -t nat -L $IPT_OPTIONS
timed_read
clear
clear_term
echo "$banner $(date)"
echo
echo
@ -491,7 +498,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
$IPTABLES -t mangle -L $IPT_OPTIONS
timed_read
clear
clear_term
echo "$banner $(date)"
echo
echo
@ -500,7 +507,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
cat /proc/net/ip_conntrack
timed_read
clear
clear_term
echo "$banner $(date)"
echo
echo
@ -509,7 +516,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
show_tc
timed_read
clear
clear_term
echo "$banner $(date)"
echo
echo
@ -541,7 +548,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
qt which awk && haveawk=Yes || haveawk=
while true; do
clear
clear_term
echo "$banner $(date)"
echo
@ -960,7 +967,7 @@ case "$1" in
status)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
clear
clear_term
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo
show_reset
@ -1019,6 +1026,11 @@ case "$1" in
ip route ls table $table
done
echo
echo "ARP"
echo
arp -na
if qt which lsmod; then
echo
echo "Modules"
@ -1029,7 +1041,7 @@ case "$1" in
hits)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
clear
clear_term
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
echo

View File

@ -30,7 +30,7 @@
# shorewall restart Restarts the firewall
# shorewall stop Stops the firewall
# shorewall status Displays firewall status
# shorewall reset Resets iptabless packet and
# shorewall reset Resets iptables packet and
# byte counts
# shorewall clear Remove all Shorewall chains
# and rules/policies.
@ -1303,10 +1303,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
case $level in
ULOG)
$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
run_iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
;;
*)
$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
run_iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
;;
esac
@ -2333,16 +2333,19 @@ process_tc_rule()
if [ "x$source" != "x-" ]; then
case $source in
*.*.*)
r="-s $source "
r="$(source_ip_range $source) "
;;
~*)
r="$(mac_match $source) "
;;
$FW:*)
chain=tcout
r="$(source_ip_range ${source%:*}) "
;;
$FW)
chain=tcout
;;
*)
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
r="$(match_source_dev) $source "
;;
@ -2763,13 +2766,14 @@ check_config() {
disclaimer() {
echo
echo "Notice: The 'check' command is unsupported and problem"
echo " reports complaining about errors that it didn't catch"
echo " will not be accepted"
echo "Notice: The 'check' command is provided to catch"
echo " obvious errors in a Shorewall configuration."
echo " It is not designed to catch all possible errors"
echo " so please don't submit problem reports about"
echo " error conditions that 'check' doesn't find"
echo
}
disclaimer
report_capabilities
@ -3148,7 +3152,27 @@ process_action() # $1 = chain (Chain to add the rules to)
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
if [ -n "$MULTIPORT" ] && \
if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
then
#
# Extended MULTIPORT is enabled, and less than
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
for server in $(separate_list ${servers:=-}); do
#
# add_an_action() modifies these so we must set their values each time
#
port=${ports:=-}
cport=${cports:=-}
add_an_action
done
done
elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
@ -3242,7 +3266,11 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
if [ $COMMAND != check ]; then
createchain $CHAIN No
LEVEL=${level%:*}
TAG=${level#*:}
if [ "$LEVEL" != "$level" ]; then
TAG=${level#*:}
else
TAG=
fi
run_user_exit $1
fi
@ -4318,7 +4346,26 @@ process_rule() # $1 = target
case $logtarget in
DNAT*)
if [ -n "$MULTIPORT" ] && \
if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
then
#
# Extended MULTIPORT is enabled, and less than
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
#
# add_a_rule() modifies these so we must set their values each time
#
server=${servers:=-}
port=${ports:=-}
cport=${cports:=-}
add_a_rule
done
elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
@ -4356,7 +4403,27 @@ process_rule() # $1 = target
;;
*)
if [ -n "$MULTIPORT" ] && \
if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
then
#
# Extended MULTIPORT is enabled, and less than
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
for server in $(separate_list ${servers:=-}); do
#
# add_a_rule() modifies these so we must set their values each time
#
port=${ports:=-}
cport=${cports:=-}
add_a_rule
done
done
elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
@ -4423,6 +4490,7 @@ process_rules()
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then
rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
fi
fi
@ -4448,11 +4516,11 @@ process_rules()
continue
fi
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
}
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
expandv xtarget
case "${xtarget%%:*}" in
@ -4469,6 +4537,7 @@ process_rules()
xtarget=$(find_logactionchain $xtarget)
do_it
else
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
fatal_error "Invalid Action in rule \"$rule\""
fi
;;
@ -5039,7 +5108,15 @@ setup_masq()
if [ $listcount -gt 1 ]; then
case $ports in
*:*)
fatal_error "Port Range not allowed in list ($ports)"
if [ -n "$XMULTIPORT" ]; then
if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then
ports="-m multiport --dports $ports"
else
fatal_error "More than 15 entries in port list ($ports)"
fi
else
fatal_error "Port Range not allowed in list ($ports)"
fi
;;
*)
if [ -n "$MULTIPORT" ]; then
@ -5475,6 +5552,7 @@ save_load_kernel_modules()
done < $modules
save_command __EOF__
save_command ""
}
@ -5494,6 +5572,7 @@ determine_capabilities() {
CONNTRACK_MATCH=
MULTIPORT=
XMULTIPORT=
POLICY_MATCH=
PHYSDEV_MATCH=
IPRANGE_MATCH=
@ -5501,6 +5580,7 @@ determine_capabilities() {
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
@ -5514,25 +5594,26 @@ determine_capabilities() {
qt $IPTABLES -X fooX1234
}
report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{
local setting=
[ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available"
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
echo " " $@: $setting
echo " " $1: $setting
}
report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability $NAT_ENABLED "NAT"
report_capability $MANGLE_ENABLED "Packet Mangling"
report_capability $MULTIPORT "Multi-port Match"
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
report_capability $PKTTYPE "Packet Type Match"
report_capability $POLICY_MATCH "Policy Match"
report_capability $PHYSDEV_MATCH "Physdev Match"
report_capability $IPRANGE_MATCH "IP range Match"
report_capability "NAT" $NAT_ENABLED
report_capability "Packet Mangling" $MANGLE_ENABLED
report_capability "Multi-port Match" $MULTIPORT
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
report_capability "Packet Type Match" $PKTTYPE
report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
}
#

View File

@ -1 +1 @@
2.2.1
2.2.2

View File

@ -1,11 +1,28 @@
Changes in 2.2.2
1) The 'check' command disclaimer is toned down further and only
appears once in the 'check' output.
2) Enhanced support in the SOURCE column of /etc/shorewall/tcrules.
3) All calls to 'clear' are now conditional on the output device being
a terminal.
4) Apply Juergen Kreileder's patch for logging.
5) Add the output of 'arp -na' to the 'shorewall status' display.
6) Provide support for the Extended multiport match available in
2.6.11.
7) Fix logging rule generation.
Changes in 2.2.1
1) Add examples to the zones and policy files.
2) Simon Matter's patch for umask.
3) Apply Juergen Kreileder's patch for logging.
Changes since 2.0.3
1) Fix security vulnerability involving temporary files/directories.

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=2.2.1
VERSION=2.2.2
usage() # $1 = exit status
{

View File

@ -30,7 +30,7 @@
# shorewall restart Restarts the firewall
# shorewall stop Stops the firewall
# shorewall status Displays firewall status
# shorewall reset Resets iptabless packet and
# shorewall reset Resets iptables packet and
# byte counts
# shorewall clear Remove all Shorewall chains
# and rules/policies.
@ -1303,10 +1303,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
case $level in
ULOG)
$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
run_iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
;;
*)
$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
run_iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
;;
esac
@ -2333,16 +2333,19 @@ process_tc_rule()
if [ "x$source" != "x-" ]; then
case $source in
*.*.*)
r="-s $source "
r="$(source_ip_range $source) "
;;
~*)
r="$(mac_match $source) "
;;
$FW:*)
chain=tcout
r="$(source_ip_range ${source%:*}) "
;;
$FW)
chain=tcout
;;
*)
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
r="$(match_source_dev) $source "
;;
@ -2763,13 +2766,14 @@ check_config() {
disclaimer() {
echo
echo "Notice: The 'check' command is unsupported and problem"
echo " reports complaining about errors that it didn't catch"
echo " will not be accepted"
echo "Notice: The 'check' command is provided to catch"
echo " obvious errors in a Shorewall configuration."
echo " It is not designed to catch all possible errors"
echo " so please don't submit problem reports about"
echo " error conditions that 'check' doesn't find"
echo
}
disclaimer
report_capabilities
@ -3148,7 +3152,27 @@ process_action() # $1 = chain (Chain to add the rules to)
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
if [ -n "$MULTIPORT" ] && \
if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
then
#
# Extended MULTIPORT is enabled, and less than
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
for server in $(separate_list ${servers:=-}); do
#
# add_an_action() modifies these so we must set their values each time
#
port=${ports:=-}
cport=${cports:=-}
add_an_action
done
done
elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
@ -3242,7 +3266,11 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
if [ $COMMAND != check ]; then
createchain $CHAIN No
LEVEL=${level%:*}
TAG=${level#*:}
if [ "$LEVEL" != "$level" ]; then
TAG=${level#*:}
else
TAG=
fi
run_user_exit $1
fi
@ -4318,7 +4346,26 @@ process_rule() # $1 = target
case $logtarget in
DNAT*)
if [ -n "$MULTIPORT" ] && \
if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
then
#
# Extended MULTIPORT is enabled, and less than
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
#
# add_a_rule() modifies these so we must set their values each time
#
server=${servers:=-}
port=${ports:=-}
cport=${cports:=-}
add_a_rule
done
elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
@ -4356,7 +4403,27 @@ process_rule() # $1 = target
;;
*)
if [ -n "$MULTIPORT" ] && \
if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
then
#
# Extended MULTIPORT is enabled, and less than
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
for server in $(separate_list ${servers:=-}); do
#
# add_a_rule() modifies these so we must set their values each time
#
port=${ports:=-}
cport=${cports:=-}
add_a_rule
done
done
elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
@ -4423,6 +4490,7 @@ process_rules()
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then
rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
fi
fi
@ -4448,11 +4516,11 @@ process_rules()
continue
fi
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
}
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
expandv xtarget
case "${xtarget%%:*}" in
@ -4469,6 +4537,7 @@ process_rules()
xtarget=$(find_logactionchain $xtarget)
do_it
else
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
fatal_error "Invalid Action in rule \"$rule\""
fi
;;
@ -5039,7 +5108,15 @@ setup_masq()
if [ $listcount -gt 1 ]; then
case $ports in
*:*)
fatal_error "Port Range not allowed in list ($ports)"
if [ -n "$XMULTIPORT" ]; then
if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then
ports="-m multiport --dports $ports"
else
fatal_error "More than 15 entries in port list ($ports)"
fi
else
fatal_error "Port Range not allowed in list ($ports)"
fi
;;
*)
if [ -n "$MULTIPORT" ]; then
@ -5475,6 +5552,7 @@ save_load_kernel_modules()
done < $modules
save_command __EOF__
save_command ""
}
@ -5494,6 +5572,7 @@ determine_capabilities() {
CONNTRACK_MATCH=
MULTIPORT=
XMULTIPORT=
POLICY_MATCH=
PHYSDEV_MATCH=
IPRANGE_MATCH=
@ -5501,6 +5580,7 @@ determine_capabilities() {
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
@ -5514,25 +5594,26 @@ determine_capabilities() {
qt $IPTABLES -X fooX1234
}
report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{
local setting=
[ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available"
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
echo " " $@: $setting
echo " " $1: $setting
}
report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability $NAT_ENABLED "NAT"
report_capability $MANGLE_ENABLED "Packet Mangling"
report_capability $MULTIPORT "Multi-port Match"
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
report_capability $PKTTYPE "Packet Type Match"
report_capability $POLICY_MATCH "Policy Match"
report_capability $PHYSDEV_MATCH "Physdev Match"
report_capability $IPRANGE_MATCH "IP range Match"
report_capability "NAT" $NAT_ENABLED
report_capability "Packet Mangling" $MANGLE_ENABLED
report_capability "Multi-port Match" $MULTIPORT
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
report_capability "Packet Type Match" $PKTTYPE
report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
}
#

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=2.2.1
VERSION=2.2.2
usage() # $1 = exit status
{

View File

@ -1,4 +1,43 @@
Shorewall 2.2.1
Shorewall 2.2.2
-----------------------------------------------------------------------
Problems corrected in version 2.2.2
1) The SOURCE column in the /etc/shorewall/tcrules file now allows IP
ranges (assuming that your iptables and kernel support ranges).
2) If A is a user-defined action and you have file /etc/shorewall/A
then when that file is invoked, the $TAG value may be incorrect.
3) Previously, if an iptables command generating a logging rule
failed, the Shorewall [re]start was still successful. This error
is now considered fatal and Shorewall will be either restored from
the last save (if any) or it will be stopped.
-----------------------------------------------------------------------
New Features in version 2.2.2
1) The SOURCE column in the /etc/shorewall/tcrules file now allows $FW
to be optionally followed by ":" and a host/network address or
address range.
2) Shorewall now clears the output device only if it is a
terminal. This avoids ugly control sequences being placed in files
when /sbin/shorewall output is redirected.
3) The output from 'arp -na' has been added to the 'shorewall status'
display.
4) The 2.6.11 Linux kernel and iptables 1.3.0 now allow port ranges
to appear in port lists handled by "multiport match". If Shorewall
detects this capability, it will use "multiport match" for port
lists containing port ranges. Be cautioned that each port range
counts for TWO ports and a port list handled with "multiport match"
can still specify a maximum of 15 ports.
As always, if a port list in /etc/shorewall/rules is incompatible
with "multiport match", a separate iptables rule will be generated
for each element in the list.
-----------------------------------------------------------------------
Problems corrected in version 2.2.1

View File

@ -220,6 +220,13 @@ get_config() {
}
#
# Clear descriptor 1 if it is a terminal
#
clear_term() {
[ -t 1 ] && clear
}
#
# Display IPTABLES rules -- we used to store them in a variable but ash
# dies when trying to display large sets of rules
@ -238,7 +245,7 @@ display_chains()
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
clear
clear_term
echo "$banner $(date)"
echo
echo "Standard Chains"
@ -250,7 +257,7 @@ display_chains()
timed_read
clear
clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@ -268,7 +275,7 @@ display_chains()
for zone in $zones; do
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
clear
clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@ -287,7 +294,7 @@ display_chains()
fi
done
clear
clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@ -308,7 +315,7 @@ display_chains()
timed_read
clear
clear_term
echo "$banner $(date)"
echo
firstchain=Yes
@ -443,7 +450,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
while true; do
display_chains
clear
clear_term
echo "$banner $(date)"
echo
@ -474,7 +481,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
timed_read
fi
clear
clear_term
echo "$banner $(date)"
echo
echo "NAT Status"
@ -482,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
$IPTABLES -t nat -L $IPT_OPTIONS
timed_read
clear
clear_term
echo "$banner $(date)"
echo
echo
@ -491,7 +498,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
$IPTABLES -t mangle -L $IPT_OPTIONS
timed_read
clear
clear_term
echo "$banner $(date)"
echo
echo
@ -500,7 +507,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
cat /proc/net/ip_conntrack
timed_read
clear
clear_term
echo "$banner $(date)"
echo
echo
@ -509,7 +516,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
show_tc
timed_read
clear
clear_term
echo "$banner $(date)"
echo
echo
@ -541,7 +548,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
qt which awk && haveawk=Yes || haveawk=
while true; do
clear
clear_term
echo "$banner $(date)"
echo
@ -960,7 +967,7 @@ case "$1" in
status)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
clear
clear_term
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo
show_reset
@ -1019,6 +1026,11 @@ case "$1" in
ip route ls table $table
done
echo
echo "ARP"
echo
arp -na
if qt which lsmod; then
echo
echo "Modules"
@ -1029,7 +1041,7 @@ case "$1" in
hits)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
clear
clear_term
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
echo

View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 2.2.1
%define version 2.2.2
%define release 1
%define prefix /usr
@ -137,6 +137,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
%changelog
* Mon Mar 07 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.2-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.1-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net

View File

@ -80,7 +80,8 @@
# allowed. Use $FW if the packet originates on
# the firewall in which case the MARK column may NOT
# specify either ":P" or ":F" (marking always occurs
# in the OUTPUT chain).
# in the OUTPUT chain). $FW may be optionally followed
# by ":" and a host/network address.
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=2.2.1
VERSION=2.2.2
usage() # $1 = exit status
{

View File

@ -17,7 +17,7 @@
</author>
</authorgroup>
<pubdate>2005-03-01</pubdate>
<pubdate>2005-03-07</pubdate>
<copyright>
<year>2001-2004</year>
@ -294,9 +294,14 @@ DNAT net loc:192.168.1.3:22 tcp 1022</programlisting>
</itemizedlist>
<para>If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your external interface
is eth0 and your internal interface is eth1 and that eth1 has IP address
192.168.1.254 with subnet 192.168.1.0/24:<warning>
rather than a DNS solution, then if you are running Shorewall 2.0.0 or
2.0.1 then please see the <ulink
url="http://www.shorewall.net/1.4/FAQ.htm#faq2">Shorewall 1.4
FAQ</ulink>.</para>
<para>Otherwise, assuming that your external interface is eth0 and your
internal interface is eth1 and that eth1 has IP address 192.168.1.254
with subnet 192.168.1.0/24, then:<warning>
<para>All traffic redirected through use of this hack will look to
the server as if it came from the firewall (192.168.1.254) rather
than from the original client!</para>
@ -1690,8 +1695,8 @@ alias ipt_pkttype off</programlisting>
how can you not support that version?</title>
<para>The first release of Shorewall was in March of 2001. Shorewall
1.2.12 was released in May of 2002. It is now the year 2004 and
Shorewall 2.0 is available. Shorewall 1.2.12 is poorly documented and is
1.2.12 was released in May of 2002. It is now the year 2005 and
Shorewall 2.2 is available. Shorewall 1.2.12 is poorly documented and is
missing many of the features that Shorewall users find essential today
and it is silly to continue to run it simply because it is bundled with
an ancient Debian release.</para>
@ -2045,473 +2050,4 @@ Verifying Configuration...
...</programlisting>
</section>
</section>
<appendix>
<title>Revision History</title>
<para><revhistory>
<revision>
<revnumber>1.43</revnumber>
<date>2005-03-01</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 14b.</revremark>
</revision>
<revision>
<revnumber>1.42</revnumber>
<date>2004-12-31</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 44.</revremark>
</revision>
<revision>
<revnumber>1.41</revnumber>
<date>2004-12-26</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 43.</revremark>
</revision>
<revision>
<revnumber>1.40</revnumber>
<date>2004-12-22</date>
<authorinitials>TE</authorinitials>
<revremark>Correct action directory name if FAQ 4.</revremark>
</revision>
<revision>
<revnumber>1.39</revnumber>
<date>2004-12-12</date>
<authorinitials>TE</authorinitials>
<revremark>Updated Debian information. Revised the answer to FAQ
2a.</revremark>
</revision>
<revision>
<revnumber>1.38</revnumber>
<date>2004-11-18</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 42.</revremark>
</revision>
<revision>
<revnumber>1.37</revnumber>
<date>2004-11-05</date>
<authorinitials>TE</authorinitials>
<revremark>Added second title to FAQ 17.</revremark>
</revision>
<revision>
<revnumber>1.36</revnumber>
<date>2004-11-04</date>
<authorinitials>TE</authorinitials>
<revremark>Add note about Gnome Terminal.</revremark>
</revision>
<revision>
<revnumber>1.35</revnumber>
<date>2004-10-30</date>
<authorinitials>TE</authorinitials>
<revremark>Add FAQ 41.</revremark>
</revision>
<revision>
<revnumber>1.34</revnumber>
<date>2004-10-12</date>
<authorinitials>TE</authorinitials>
<revremark>Add FAQ 40.</revremark>
</revision>
<revision>
<revnumber>1.33</revnumber>
<date>2004-10-01</date>
<authorinitials>TE</authorinitials>
<revremark>Add FAQ 39.</revremark>
</revision>
<revision>
<revnumber>1.32</revnumber>
<date>2004-09-23</date>
<authorinitials>TE</authorinitials>
<revremark>Add link to simple bridge documentation from FAQ
35.</revremark>
</revision>
<revision>
<revnumber>1.31</revnumber>
<date>2004-09-12</date>
<authorinitials>TE</authorinitials>
<revremark>Rename FAQ 17.</revremark>
</revision>
<revision>
<revnumber>1.30</revnumber>
<date>2004-08-26</date>
<authorinitials>TE</authorinitials>
<revremark>Update FAQ 2 with information about Shorewall
2.1.</revremark>
</revision>
<revision>
<revnumber>1.29</revnumber>
<date>2004-08-19</date>
<authorinitials>TE</authorinitials>
<revremark>Reword FAQ 27a to include downloaded kernels.</revremark>
</revision>
<revision>
<revnumber>1.28</revnumber>
<date>2004-07-14</date>
<authorinitials>TE</authorinitials>
<revremark>Insert link to Ian Allen's DNAT paper (FAQ
38)</revremark>
</revision>
<revision>
<revnumber>1.27</revnumber>
<date>2004-06-18</date>
<authorinitials>TE</authorinitials>
<revremark>Correct formatting in H323 quote.</revremark>
</revision>
<revision>
<revnumber>1.26</revnumber>
<date>2004-05-18</date>
<authorinitials>TE</authorinitials>
<revremark>Delete obsolete ping information.</revremark>
</revision>
<revision>
<revnumber>1.25</revnumber>
<date>2004-05-18</date>
<authorinitials>TE</authorinitials>
<revremark>Empty /etc/shorewall on Debian.</revremark>
</revision>
<revision>
<revnumber>1.25</revnumber>
<date>2004-05-08</date>
<authorinitials>TE</authorinitials>
<revremark>Update for Shorewall 2.0.2</revremark>
</revision>
<revision>
<revnumber>1.24</revnumber>
<date>2004-04-25</date>
<authorinitials>TE</authorinitials>
<revremark>Add MA Brown's notes on multi-ISP routing.</revremark>
</revision>
<revision>
<revnumber>1.23</revnumber>
<date>2004-04-22</date>
<authorinitials>TE</authorinitials>
<revremark>Refined SNAT rule in FAQ #2.</revremark>
</revision>
<revision>
<revnumber>1.22</revnumber>
<date>2004-04-06</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 36.</revremark>
</revision>
<revision>
<revnumber>1.21</revnumber>
<date>2004-03-05</date>
<authorinitials>TE</authorinitials>
<revremark>Added Bridging link.</revremark>
</revision>
<revision>
<revnumber>1.20</revnumber>
<date>2004-02-27</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 35.</revremark>
</revision>
<revision>
<revnumber>1.19</revnumber>
<date>2004-02-22</date>
<authorinitials>TE</authorinitials>
<revremark>Added mention of nosmurfs option under FAQ
31.</revremark>
</revision>
<revision>
<revnumber>1.18</revnumber>
<date>2004-02-15</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 34.</revremark>
</revision>
<revision>
<revnumber>1.17</revnumber>
<date>2004-02-11</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 33.</revremark>
</revision>
<revision>
<revnumber>1.16</revnumber>
<date>2004-02-03</date>
<authorinitials>TE</authorinitials>
<revremark>Updated for Shorewall 2.0.</revremark>
</revision>
<revision>
<revnumber>1.15</revnumber>
<date>2004-01-25</date>
<authorinitials>TE</authorinitials>
<revremark>Updated FAQ 32 to mention masquerading. Remove
tables.</revremark>
</revision>
<revision>
<revnumber>1.14</revnumber>
<date>2004-01-24</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 27a regarding kernel/iptables
incompatibility.</revremark>
</revision>
<revision>
<revnumber>1.13</revnumber>
<date>2004-01-24</date>
<authorinitials>TE</authorinitials>
<revremark>Add a note about the <emphasis
role="bold">detectnets</emphasis> interface option in FAQ
9.</revremark>
</revision>
<revision>
<revnumber>1.12</revnumber>
<date>2004-01-20</date>
<authorinitials>TE</authorinitials>
<revremark>Improve FAQ 16 answer.</revremark>
</revision>
<revision>
<revnumber>1.11</revnumber>
<date>2004-01-14</date>
<authorinitials>TE</authorinitials>
<revremark>Corrected broken link</revremark>
</revision>
<revision>
<revnumber>1.10</revnumber>
<date>2004-01-09</date>
<authorinitials>TE</authorinitials>
<revremark>Added a couple of more legacy FAQ numbers.</revremark>
</revision>
<revision>
<revnumber>1.9</revnumber>
<date>2004-01-08</date>
<authorinitials>TE</authorinitials>
<revremark>Corrected typo in FAQ 26a. Added warning to FAQ 2
regarding source address of redirected requests.</revremark>
</revision>
<revision>
<revnumber>1.8</revnumber>
<date>2003-12-31</date>
<authorinitials>TE</authorinitials>
<revremark>Additions to FAQ 4.</revremark>
</revision>
<revision>
<revnumber>1.7</revnumber>
<date>2003-12-30</date>
<authorinitials>TE</authorinitials>
<revremark>Remove dead link from FAQ 1.</revremark>
</revision>
<revision>
<revnumber>1.6</revnumber>
<date>2003.12-18</date>
<authorinitials>TE</authorinitials>
<revremark>Add external link reference to FAQ 17.</revremark>
</revision>
<revision>
<revnumber>1.5</revnumber>
<date>2003-12-16</date>
<authorinitials>TE</authorinitials>
<revremark>Added a link to a Sys Admin article about multiple
internet interfaces. Added Legal Notice. Moved "abstract" to the
body of the document. Moved Revision History to this
Appendix.</revremark>
</revision>
<revision>
<revnumber>1.4</revnumber>
<date>2003-12-13</date>
<authorinitials>TE</authorinitials>
<revremark>Corrected formatting problems</revremark>
</revision>
<revision>
<revnumber>1.3</revnumber>
<date>2003-12-10</date>
<authorinitials>TE</authorinitials>
<revremark>Changed the title of FAQ 17</revremark>
</revision>
<revision>
<revnumber>1.2</revnumber>
<date>2003-12-09</date>
<authorinitials>TE</authorinitials>
<revremark>Added Copyright and legacy FAQ numbers</revremark>
</revision>
<revision>
<revnumber>1.1</revnumber>
<date>2003-12-04</date>
<authorinitials>MN</authorinitials>
<revremark>Converted to Simplified DocBook XML</revremark>
</revision>
<revision>
<revnumber>1.0</revnumber>
<date>2002-08-13</date>
<authorinitials>TE</authorinitials>
<revremark>Initial revision</revremark>
</revision>
</revhistory></para>
</appendix>
</article>

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=2.2.1
VERSION=2.2.2
usage() # $1 = exit status
{

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=2.2.1
VERSION=2.2.2
usage() # $1 = exit status
{

View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 2.2.1
%define version 2.2.2
%define release 1
%define prefix /usr
@ -137,6 +137,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
%changelog
* Mon Mar 07 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.2-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.1-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=2.2.1
VERSION=2.2.2
usage() # $1 = exit status
{