extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-22 15:43:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Obsoleting Shorewall2/ tree

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2270 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
paulgear 2005-07-09 06:14:45 +00:00
parent 4f8bbb5866
commit c08eb4056e
82 changed files with 3 additions and 17524 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

340
Shorewall2/COPYING
View File

@ -1,340 +0,0 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

52
Shorewall2/INSTALL
View File

@ -1,52 +0,0 @@
Shoreline Firewall (Shorewall) Version 2.4
----- ----
-----------------------------------------------------------------------------
This program is free software; you can redistribute it and/or modify
it under the terms of Version 2 of the GNU General Public License
as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
---------------------------------------------------------------------------
If your system supports rpm, I recommend that you install the Shorewall
.rpm. If you want to install from the tarball:
o Unpack the tarball
o cd to the shorewall-<version> directory
o If you have an earlier version of Shoreline Firewall installed,see the
upgrade instructions below
o Edit the configuration files to fit your environment.
To do this, I strongly advise you to follow the instructions at:
http://www.shorewall.net/shorewall_quickstart_guide.htm
o Slackware users type:
DEST=/etc/rc.d INIT=rc.firewall ./install.sh
All other users type:
./install.sh
o Start the firewall by typing "shorewall start"
o If the install script was unable to configure Shoreline Firewall to
start automatically at boot, you will have to used your
distribution's runlevel editor to configure Shorewall manually.
Upgrade:
o run the install script as described above.
o "shorewall check" and correct any errors found.
o "shorewall restart"

3
Shorewall2/README.txt Normal file
View File

@ -0,0 +1,3 @@
The Shorewall2 tree is no longer used. All Shorewall code now resides in
the Shorewall tree. See http://devel.shorewall.net/status/cvs for
details.

97
Shorewall2/accounting
View File

@ -1,97 +0,0 @@
#
# Shorewall version 2.4 - Accounting File
#
# /etc/shorewall/accounting
#
# Accounting rules exist simply to count packets and bytes in categories
# that you define in this file. You may display these rules and their
# packet and byte counters using the "shorewall show accounting" command.
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#
# Columns are:
#
# ACTION - What to do when a match is found.
#
# COUNT - Simply count the match and continue
# with the next rule
# DONE - Count the match and don't attempt
# to match any other accounting rules
# in the chain specified in the CHAIN
# column.
# <chain>[:COUNT]
# - Where <chain> is the name of
# a chain. Shorewall will create
# the chain automatically if it
# doesn't already exist. Causes
# a jump to that chain. If :COUNT
# is including, a counting rule
# matching this record will be
# added to <chain>
#
# CHAIN - The name of a chain. If specified as "-" the
# 'accounting' chain is assumed. This is the chain
# where the accounting rule is added. The chain will
# be created if it doesn't already exist.
#
# SOURCE - Packet Source
#
# The name of an interface, an address (host or net) or
# an interface name followed by ":"
# and a host or net address.
#
# DESTINATION - Packet Destination
#
# Format the same as the SOURCE column.
#
# PROTOCOL A protocol name (from /etc/protocols), a protocol
# number, or "ipp2p"
#
# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then
# this column must contain an ipp2p option ("iptables -m
# ipp2p --help") without the leading "--". If no option
# is given in this column, "ipp2p" is assumed.
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
# or 17).
#
# SOURCE PORT Source Port number
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
# or 17).
#
# USER/GROUP This column may only be non-empty if the CHAIN is
# OUTPUT.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named upnpd
#
# In all of the above columns except ACTION and CHAIN, the values "-",
# "any" and "all" may be used as wildcards
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT PORT GROUP
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Shorewall2/action.AllowAuth
View File

@ -1,10 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowAuth
#
# This action accepts Auth (identd) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall2/action.AllowDNS
View File

@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowDNS
#
# This action accepts DNS traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 53
ACCEPT - - tcp 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall2/action.AllowFTP
View File

@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowFTP
#
# This action accepts FTP traffic. See
# http://www.shorewall.net/FTP.html for additional considerations.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall2/action.AllowICMPs
View File

@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowICMPs
#
# ACCEPT needed ICMP types
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
#
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded

11
Shorewall2/action.AllowIMAP
View File

@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowIMAP
#
# This action accepts IMAP traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 143 #Unsecure IMAP
ACCEPT - - tcp 993 #Secure IMAP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall2/action.AllowNNTP
View File

@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowNNTP
#
# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 119
ACCEPT - - tcp 563
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall2/action.AllowNTP
View File

@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowNTP
#
# This action accepts NTP traffic (ntpd).
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT - - udp 123
ACCEPT - - udp 1024: 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall2/action.AllowPCA
View File

@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowPCA
#
# This action accepts PCAnywere (tm)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 5632
ACCEPT - - tcp 5631
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall2/action.AllowPOP3
View File

@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowPOP3
#
# This action accepts POP3 traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT - - tcp 110 #Unsecure POP3
ACCEPT - - tcp 995 #Secure POP3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Shorewall2/action.AllowPing
View File

@ -1,10 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowPing
#
# This action accepts 'ping' requests.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Shorewall2/action.AllowRdate
View File

@ -1,10 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowRdate
#
# This action accepts remote time retrieval (rdate).
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 37
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall2/action.AllowSMB
View File

@ -1,14 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowSMB
#
# Allow Microsoft SMB traffic. You need to invoke this action in
# both directions.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 135,445
ACCEPT - - udp 137:139
ACCEPT - - udp 1024: 137
ACCEPT - - tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

15
Shorewall2/action.AllowSMTP
View File

@ -1,15 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowSMTP
#
# This action accepts SMTP (email) traffic.
#
# Note: This action allows traffic between an MUA (Email client)
# and an MTA (mail server) or between MTAs. It does not enable
# reading of email via POP3 or IMAP. For those you need to use
# the AllowPOP3 or AllowIMAP actions.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 25
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall2/action.AllowSNMP
View File

@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowSNMP
#
# This action accepts SNMP traffic (including traps):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 161:162
ACCEPT - - tcp 161
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Shorewall2/action.AllowSSH
View File

@ -1,10 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowSSH
#
# This action accepts secure shell (SSH) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall2/action.AllowTelnet
View File

@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowTelnet
#
# This action accepts Telnet traffic. For traffic over the
# internet, telnet is inappropriate; use SSH instead
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 23
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall2/action.AllowTrcrt
View File

@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowTrcrt
#
# This action accepts Traceroute (for up to 30 hops):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 33434:33524 #UDP Traceroute
ACCEPT - - icmp 8 #ICMP Traceroute
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Shorewall2/action.AllowVNC
View File

@ -1,10 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowVNC
#
# This action accepts VNC traffic for VNC display's 0 - 9.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 5900:5909
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Shorewall2/action.AllowVNCL
View File

@ -1,10 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowVNCL
#
# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 5500
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall2/action.AllowWeb
View File

@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowWeb
#
# This action accepts WWW traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 80
ACCEPT - - tcp 443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

49
Shorewall2/action.Drop
View File

@ -1,49 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.Drop
#
# The default DROP common rules
#
# This action is invoked before a DROP policy is enforced. The purpose of the action
# is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
# Otherwise, you may experience problems establishing connections with
# servers that use auth.
# c) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
######################################################################################
#TARGET SOURCE DEST PROTO
#
# Reject 'auth'
#
RejectAuth
#
# Don't log broadcasts
#
dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
#
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
# confuse people when they appear in the log.
#
dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
DropSMB
DropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
#
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Shorewall2/action.DropDNSrep
View File

@ -1,10 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.DropDNSrep
#
# This action silently drops DNS UDP replies
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp - 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Shorewall2/action.DropPing
View File

@ -1,10 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.DropPing
#
# This action silently drops 'ping' requests.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

15
Shorewall2/action.DropSMB
View File

@ -1,15 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.DropSMB
#
# This action silently drops Microsoft SMB traffic
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp 135
DROP - - udp 137:139
DROP - - udp 445
DROP - - tcp 135
DROP - - tcp 139
DROP - - tcp 445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Shorewall2/action.DropUPnP
View File

@ -1,10 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.DropUPnP
#
# This action silently drops UPnP probes on UDP port 1900
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp 1900
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

46
Shorewall2/action.Reject
View File

@ -1,46 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.Reject
#
# The default REJECT action common rules
#
# This action is invoked before a REJECT policy is enforced. The purpose of the action
# is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
######################################################################################
#TARGET SOURCE DEST PROTO
#
# Don't log 'auth' REJECT
#
RejectAuth
#
# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
#
dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
#
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
# confuse people when they appear in the log (these ICMPs cannot be rejected).
#
dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the lot.
#
RejectSMB
DropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
#
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Shorewall2/action.RejectAuth
View File

@ -1,10 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.RejectAuth
#
# This action silently rejects Auth (tcp 113) traffic
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
REJECT - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

15
Shorewall2/action.RejectSMB
View File

@ -1,15 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.RejectSMB
#
# This action silently rejects Microsoft SMB traffic
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
REJECT - - udp 135
REJECT - - udp 137:139
REJECT - - udp 445
REJECT - - tcp 135
REJECT - - tcp 139
REJECT - - tcp 445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

179
Shorewall2/action.template
View File

@ -1,179 +0,0 @@
#
# Shorewall 2.4 /etc/shorewall/action.template
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
# ACTION defined in /etc/shorewall/actions.
#
# To define a new action:
#
# 1. Add the <action name> to /etc/shorewall/actions
# 2. Copy this file to /etc/shorewall/action.<action name>
# 3. Add the desired rules to that file.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Columns are:
#
#
# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
# previously-defined <action>
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
# CONTINUE -- Discontinue processing this action
# and return to the point where the
# action was invoked.
# <action> -- An <action> defined in
# /etc/shorewall/actions. The <action>
# must appear in that file BEFORE the
# one being defined in this file.
#
# The TARGET may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# ACCEPT:debugging). This causes the packet to be
# logged at the specified level.
#
# The special log level 'none' does not result in logging
# but rather exempts the rule from being overridden by a
# non-forcing log level when the action is invoked.
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies.
# A comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# 192.168.2.2 Host 192.168.2.2
#
# 155.186.235.0/24 Subnet 155.186.235.0/24
#
# 10.0.0.4-10.0.0.9 Range of IP addresses; your
# kernel and iptables must have
# iprange match support.
#
# +remote The name of an ipset prefaced
# by "+". Your kernel and
# iptables must have set match
# support
#
# +remote[4] The name of the ipset may
# followed by a number of
# levels of ipset bindings
# enclosed in square brackets.
#
# 192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2.
# ~00-A0-C9-15-39-78 Host with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# name. For example, eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., eth1:192.168.1.5).
#
# DEST Location of destination host. Same as above with the exception that
# MAC addresses are not allowed and that you cannot specify
# an ipset name in both the SOURCE and DEST columns.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following fields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this column:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named upnpd
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

32
Shorewall2/actions
View File

@ -1,32 +0,0 @@
#
# Shorewall 2.4 /etc/shorewall/actions
#
# This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to
# be performed in an ACTION in
# /etc/shorewall/action.<action-name>.
#
# ACTION names should begin with an upper-case letter to
# distinguish them from Shorewall-generated chain names and
# they must meet the requirements of a Netfilter chain. If
# you intend to log from the action then the name must be
# no longer than 11 character in length. Names must also
# meet the requirements for a Bourne Shell identifier (must
# begin with a letter and be composed of letters, digits and
# underscore characters).
#
# If you follow the action name with ":DROP", ":REJECT" or
# :ACCEPT then the action will be taken before a DROP, REJECT or
# ACCEPT policy respectively is enforced. If you specify ":DROP",
# ":REJECT" or ":ACCEPT" on more than one action then only the
# last such action will be taken.
#
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
# itself, the associated policy will have no common action.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
#ACTION
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

55
Shorewall2/actions.std
View File

@ -1,55 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/actions.std
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Builtin Actions are:
#
# allowBcast #Silently Allow Broadcast/multicast
# dropBcast #Silently Drop Broadcast/multicast
# dropNotSyn #Silently Drop Non-syn TCP packets
# rejNotSyn #Silently Reject Non-syn TCP packets
# dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state.
# allowInvalid #Accept packets that are in the INVALID
# #conntrack state.
# allowoutUPnP #Allow traffic from local command 'upnpd'
# allowinUPnP #Allow UPnP inbound (to firewall) traffic
# forwardUPnP #Allow traffic that upnpd has redirected from
# #'upnp' interfaces.
#
#ACTION
DropSMB #Silently Drops Microsoft SMB Traffic
RejectSMB #Silently Reject Microsoft SMB Traffic
DropUPnP #Silently Drop UPnP Probes
RejectAuth #Silently Reject Auth
DropPing #Silently Drop Ping
DropDNSrep #Silently Drop DNS Replies
AllowPing #Accept Ping
AllowFTP #Accept FTP
AllowDNS #Accept DNS
AllowSSH #Accept SSH
AllowWeb #Allow Web Browsing
AllowSMB #Allow MS Networking
AllowAuth #Allow Auth (identd)
AllowSMTP #Allow SMTP (Email)
AllowPOP3 #Allow reading mail via POP3
AllowICMPs #Allows critical ICMP types
AllowIMAP #Allow reading mail via IMAP
AllowTelnet #Allow Telnet Access (not recommended for use over the
#Internet)
AllowVNC #Allow VNC viewer->server, Displays 0-9
AllowVNCL #Allow VNC server->viewer in listening mode
AllowNTP #Allow Network Time Protocol (ntpd)
AllowRdate #Allow remote time (rdate).
AllowNNTP #Allow network news (Usenet).
AllowTrcrt #Allows Traceroute (20 hops)
AllowSNMP #Allows SNMP (including traps)
AllowPCA #Allows PCAnywhere (tm)
Drop:DROP #Common Action for DROP policy
Reject:REJECT #Common Action for REJECT policy
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

56
Shorewall2/blacklist
View File

@ -1,56 +0,0 @@
#
# Shorewall 2.4 -- Blacklist File
#
# /etc/shorewall/blacklist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
#
# Columns are:
#
# ADDRESS/SUBNET - Host address, subnetwork, MAC address, IP address
# range (if your kernel and iptables contain iprange
# match support) or ipset name prefaced by "+" (if
# your kernel supports ipset match).
#
# MAC addresses must be prefixed with "~" and use "-"
# as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# PROTOCOL - Optional. If specified, must be a protocol number
# or a protocol name from /etc/protocols.
#
# PORTS - Optional. May only be specified if the protocol
# is TCP (6) or UDP (17). A comma-separated list
# of port numbers or service names from /etc/services.
#
# When a packet arrives on an interface that has the 'blacklist' option
# specified in /etc/shorewall/interfaces, its source IP address is checked
# against this file and disposed of according to the BLACKLIST_DISPOSITION and
# BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf
#
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked.
#
# Example:
#
# To block DNS queries from address 192.0.2.126:
#
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
#
# Example:
#
# To block DNS queries from addresses in the ipset 'dnsblack':
#
# ADDRESS/SUBNET PROTOCOL PORT
# +dnsblack udp 53
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

65
Shorewall2/bogons
View File

@ -1,65 +0,0 @@
#
# Shorewall 2.4 -- Bogons File
#
# /etc/shorewall/bogons
#
# Lists the subnetworks that are blocked by the 'nobogons' interface option.
#
# The default list includes those those ip ADDRESSES listed
# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
# reserved for use in documentation and examples.
#
# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
# TO /etc/shorewall AND MODIFY THE COPY.
#
# Columns are:
#
# SUBNET The subnet (host addresses also allowed as are IP
# address ranges provided that your kernel and iptables
# include iprange match support).
# TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally
# DROP - silently drop the packet
# logdrop - log then drop
#
###############################################################################
#SUBNET TARGET
0.0.0.0 RETURN # Stop the DHCP whining
255.255.255.255 RETURN # We need to allow limited broadcast
169.254.0.0/16 DROP # DHCP autoconfig
192.0.2.0/24 logdrop # Example addresses (RFC 3330)
#
# The following are generated with the help of the Python program found at:
#
# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
#
# The program was contributed by Andy Wiggin
#
0.0.0.0/7 logdrop # Reserved
2.0.0.0/8 logdrop # Reserved
5.0.0.0/8 logdrop # Reserved
7.0.0.0/8 logdrop # Reserved
23.0.0.0/8 logdrop # Reserved
27.0.0.0/8 logdrop # Reserved
31.0.0.0/8 logdrop # Reserved
36.0.0.0/7 logdrop # Reserved
39.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved
77.0.0.0/8 logdrop # Reserved
78.0.0.0/7 logdrop # Reserved
92.0.0.0/6 logdrop # Reserved
96.0.0.0/4 logdrop # Reserved
112.0.0.0/5 logdrop # Reserved
120.0.0.0/6 logdrop # Reserved
127.0.0.0/8 logdrop # Reserved
173.0.0.0/8 logdrop # Reserved
174.0.0.0/7 logdrop # Reserved
176.0.0.0/5 logdrop # Reserved
184.0.0.0/6 logdrop # Reserved
197.0.0.0/8 logdrop # Reserved
223.0.0.0/8 logdrop # Reserved
240.0.0.0/4 logdrop # Reserved
#
# End of generated entries
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

50
Shorewall2/changelog.txt
View File

@ -1,50 +0,0 @@
Changes in 2.4.0-Final
1) Add the ability to specify a weight in the balance option.
2) Remove "ipp2p" support in the rules file.
3) Fix duplicate routing table listings from "shorewall status"
Changes in 2.4.0-RC2
1) Relax "detect" restriction.
2) Fix detection via 'nexthop' so it will work with BusyBox
3) Merge Tuomo Soini's fix for "shorewall add"
Changes in 2.4.0-RC1
1) Fix output from firewall itself vis-a-vis multiple providers.
2) Merge and tweak Lorenzo Martignoni's 'safe-restart' patch.
Changes in 2.3.2
1) Add support for -j ROUTE
2) Add TEST column to /etc/shorewall/routes
3) Add support for different providers.
4) Merge patch from Juan Jesús Prieto.
5) Implement 'loose' routestopped option.
6) Change 'loose' to 'source' and 'dest'
7) Fix routing of connections from the firewall with multiple ISPs.
Changes in 2.3.1
1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
Shorewall configuration directories.
Changes in 2.3.0
1) Implement support for --cmd-owner
2) Implement support for ipsets.

7
Shorewall2/configpath
View File

@ -1,7 +0,0 @@
#
# Shorewall version 2.4 - Default Config Path
#
# /usr/share/shorewall/configpath
#
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

8
Shorewall2/continue
View File

@ -1,8 +0,0 @@
############################################################################
# Shorewall 2.4 -- /etc/shorewall/continue
#
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing connections.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#

18
Shorewall2/default.debian
View File

@ -1,18 +0,0 @@
# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start
startup=0
# if your Shorewall configuration requires detection of the ip address of a ppp
# interface, you must list such interfaces in "wait_interface" to get Shorewall to
# wait until the interface is configured. Otherwise the script will fail because
# it won't be able to detect the IP address.
#
# Example:
# wait_interface="ppp0"
# or
# wait_interface="ppp0 ppp1"
# or, if you have defined in /etc/shorewall/params
# wait_interface=
# EOF

22
Shorewall2/ecn
View File

@ -1,22 +0,0 @@
#
# Shorewall 2.4 - /etc/shorewall/ecn
#
# Use this file to list the destinations for which you want to
# disable ECN.
#
# This feature requires kernel 2.4.20 or later. If you run 2.4.20,
# you also need the patch found at http://www.shorewall.net/ecn/patch.
# That patch is included in kernels 2.4.21 and later.
#
# INTERFACE - Interface through which host(s) communicate with
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed. If your kernel and iptables
# include iprange match support then IP address ranges
# are also permitted.
#
# For additional information, see http://shorewall.net/Documentation.htm#ECN
##############################################################################
#INTERFACE HOST(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

153
Shorewall2/fallback.sh
View File

@ -1,153 +0,0 @@
#!/bin/sh
#
# Script to back out the installation of Shoreline Firewall and to restore the previous version of
# the program
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://seattlefirewall.dyndns.org
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# Usage:
#
# You may only use this script to back out the installation of the version
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=2.4.0
usage() # $1 = exit status
{
echo "usage: $(basename $0)"
exit $1
}
restore_file() # $1 = file to restore
{
if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
if (mv -f ${1}-${VERSION}.bkout $1); then
echo
echo "$1 restored"
else
echo "ERROR: Could not restore $1"
exit 1
fi
fi
}
if [ ! -f /usr/share/shorewall/version-${VERSION}.bkout ]; then
echo "Shorewall Version $VERSION is not installed"
exit 1
fi
echo "Backing Out Installation of Shorewall $VERSION"
if [ -L /usr/share/shorewall/init ]; then
FIREWALL=$(ls -l /usr/share/shorewall/firewall | sed 's/^.*> //')
restore_file $FIREWALL
else
restore_file /etc/init.d/shorewall
fi
restore_file /usr/share/shorewall/firewall
restore_file /sbin/shorewall
restore_file /etc/shorewall/shorewall.conf
restore_file /etc/shorewall/functions
restore_file /usr/lib/shorewall/functions
restore_file /var/lib/shorewall/functions
restore_file /usr/lib/shorewall/firewall
restore_file /usr/lib/shorewall/help
restore_file /etc/shorewall/common.def
restore_file /etc/shorewall/icmp.def
restore_file /etc/shorewall/zones
restore_file /etc/shorewall/policy
restore_file /etc/shorewall/interfaces
restore_file /etc/shorewall/ipsec
restore_file /etc/shorewall/hosts
restore_file /etc/shorewall/rules
restore_file /etc/shorewall/nat
restore_file /etc/shorewall/netmap
restore_file /etc/shorewall/params
restore_file /etc/shorewall/proxyarp
restore_file /etc/shorewall/routestopped
restore_file /etc/shorewall/maclist
restore_file /etc/shorewall/masq
restore_file /etc/shorewall/modules
restore_file /etc/shorewall/tcrules
restore_file /etc/shorewall/tos
restore_file /etc/shorewall/tunnels
restore_file /etc/shorewall/blacklist
restore_file /etc/shorewall/whitelist
restore_file /etc/shorewall/rfc1918
restore_file /usr/share/shorewall/rfc1918
restore_file /usr/share/shorewall/bogons
restore_file /usr/share/shorewall/configpath
restore_file /etc/shorewall/init
restore_file /etc/shorewall/initdone
restore_file /etc/shorewall/start
restore_file /etc/shorewall/stop
restore_file /etc/shorewall/stopped
restore_file /etc/shorewall/ecn
restore_file /etc/shorewall/accounting
restore_file /etc/shorewall/actions.std
restore_file /etc/shorewall/actions
for f in /usr/share/shorewall/action.*-${VERSION}.bkout; do
restore_file $(echo $f | sed "s/-${VERSION}.bkout//")
done
restore_file /usr/share/shorewall/version
echo "Shorewall Restored to Version $oldversion"

8456
Shorewall2/firewall
View File

File diff suppressed because it is too large Load Diff

865
Shorewall2/functions
View File

@ -1,865 +0,0 @@
#!/bin/sh
#
# Shorewall 2.4 -- /usr/share/shorewall/functions
# Function to truncate a string -- It uses 'cut -b -<n>'
# rather than ${v:first:last} because light-weight shells like ash and
# dash do not support that form of expansion.
#
truncate() # $1 = length
{
cut -b -${1}
}
#
# Split a colon-separated list into a space-separated list
#
split() {
local ifs=$IFS
IFS=:
set -- $1
echo $*
IFS=$ifs
}
#
# Search a list looking for a match -- returns zero if a match found
# 1 otherwise
#
list_search() # $1 = element to search for , $2-$n = list
{
local e=$1
while [ $# -gt 1 ]; do
shift
[ "x$e" = "x$1" ] && return 0
done
return 1
}
#
# Functions to count list elements
# - - - - - - - - - - - - - - - -
# Whitespace-separated list
#
list_count1() {
echo $#
}
#
# Comma-separated list
#
list_count() {
list_count1 $(separate_list $1)
}
#
# Conditionally produce message
#
progress_message() # $* = Message
{
[ -n "$QUIET" ] || echo "$@"
}
#
# Suppress all output for a command
#
qt()
{
"$@" >/dev/null 2>&1
}
#
# Perform variable substitution on the passed argument and echo the result
#
expand() # $@ = contents of variable which may be the name of another variable
{
eval echo \"$@\"
}
#
# Perform variable substitition on the values of the passed list of variables
#
expandv() # $* = list of variable names
{
local varval
while [ $# -gt 0 ]; do
eval varval=\$${1}
eval $1=\"$varval\"
shift
done
}
#
# Replace all leading "!" with "! " in the passed argument list
#
fix_bang() {
local i;
for i in $@; do
case $i in
!*)
echo "! ${i#!}"
;;
*)
echo $i
;;
esac
done
}
#
# Set default config path
#
ensure_config_path() {
local F=/usr/share/shorewall/configpath
if [ -z "$CONFIG_PATH" ]; then
[ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
. $F
fi
}
#
# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall
#
find_file()
{
local saveifs= directory
case $1 in
/*)
echo $1
;;
*)
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
echo $SHOREWALL_DIR/$1
else
saveifs=$IFS
IFS=:
for directory in $CONFIG_PATH; do
if [ -f $directory/$1 ]; then
echo $directory/$1
IFS=$saveifs
return
fi
done
IFS=$saveifs
echo /etc/shorewall/$1
fi
;;
esac
}
#
# Replace commas with spaces and echo the result
#
separate_list() {
local list="$@"
local part
local newlist
local firstpart
local lastpart
local enclosure
#
# There's been whining about us not catching embedded white space in
# comma-separated lists. This is an attempt to snag some of the cases.
#
# The 'terminator' function will be set by the 'firewall' script to
# either 'startup_error' or 'fatal_error' depending on the command and
# command phase
#
case "$list" in
*,|,*|*,,*|*[[:space:]]*)
[ -n "$terminator" ] && \
$terminator "Invalid comma-separated list \"$@\""
echo "Warning -- invalid comma-separated list \"$@\"" >&2
;;
*\[*\]*)
#
# Where we need to embed comma-separated lists within lists, we enclose them
# within square brackets
#
firstpart=${list%%\[*}
lastpart=${list#*\[}
enclosure=${lastpart%\]*}
lastpart=${lastpart#*\]}
case $lastpart in
\,*)
echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
;;
*)
echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)"
;;
esac
return
;;
esac
list="$@"
part="${list%%,*}"
newlist="$part"
while [ "x$part" != "x$list" ]; do
list="${list#*,}";
part="${list%%,*}";
newlist="$newlist $part";
done
echo "$newlist"
}
#
# Load a Kernel Module
#
loadmodule() # $1 = module name, $2 - * arguments
{
local modulename=$1
local modulefile
local suffix
moduleloader=modprobe
if ! qt which modprobe; then
moduleloader=insmod
fi
if [ -z "$(lsmod | grep $modulename)" ]; then
shift
for suffix in $MODULE_SUFFIX ; do
modulefile=$MODULESDIR/${modulename}.${suffix}
if [ -f $modulefile ]; then
case $moduleloader in
insmod)
insmod $modulefile $*
;;
*)
modprobe $modulename $*
;;
esac
return
fi
done
fi
}
#
# Reload the Modules
#
reload_kernel_modules() {
[ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
while read command; do
eval $command
done
}
#
# Find the zones
#
find_zones() # $1 = name of the zone file
{
while read zone display comments; do
expandv zone display
[ -n "$zone" ] && case "$zone" in
[0-9*])
echo " Warning: Illegal zone name \"$zone\" in zones file ignored" 2>&2
;;
\#*)
;;
$FW|all|none)
echo " Warning: Reserved zone name \"$zone\" in zones file ignored" >&2
;;
*)
echo $zone
;;
esac
done < $1
}
find_display() # $1 = zone, $2 = name of the zone file
{
grep ^$1 $2 | while read z display comments; do
[ "x$1" = "x$z" ] && echo $display
done
}
#
# This function assumes that the TMP_DIR variable is set and that
# its value named an existing directory.
#
determine_zones()
{
local zonefile=$(find_file zones)
multi_display=Multi-zone
strip_file zones $zonefile
zones=$(find_zones $TMP_DIR/zones)
newzones=
for zone in $zones; do
dsply=$(find_display $zone $TMP_DIR/zones)
[ ${#zone} -gt 5 ] && echo " Warning: Zone name longer than 5 characters: $zone" >&2
eval ${zone}_display=\$dsply
newzones="$newzones $zone"
done
zones=${newzones# }
}
#
# The following functions may be used by apps that wish to ensure that
# the state of Shorewall isn't changing
#
# This function loads the STATEDIR variable (directory where Shorewall is to
# store state files). If your application supports alternate Shorewall
# configurations then the name of the alternate configuration directory should
# be in $SHOREWALL_DIR at the time of the call.
#
# If the shorewall.conf file does not exist, this function does not return
#
get_statedir()
{
MUTEX_TIMEOUT=
local config=$(find_file shorewall.conf)
if [ -f $config ]; then
. $config
else
echo "/etc/shorewall/shorewall.conf does not exist!" >&2
exit 2
fi
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
}
#
# Call this function to assert MUTEX with Shorewall. If you invoke the
# /sbin/shorewall program while holding MUTEX, you should pass "nolock" as
# the first argument. Example "shorewall nolock refresh"
#
# This function uses the lockfile utility from procmail if it exists.
# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
# behavior of lockfile.
#
mutex_on()
{
local try=0
local lockf=$STATEDIR/lock
MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
if [ $MUTEX_TIMEOUT -gt 0 ]; then
[ -d $STATEDIR ] || mkdir -p $STATEDIR
if qt which lockfile; then
lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
else
while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
sleep 1
try=$((${try} + 1))
done
if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
# Create the lockfile
echo $$ > ${lockf}
else
echo "Giving up on lock file ${lockf}" >&2
fi
fi
fi
}
#
# Call this function to release MUTEX
#
mutex_off()
{
rm -f $STATEDIR/lock
}
#
# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
#
# None - No mktemp
# BSD - BSD mktemp (Mandrake)
# STD - mktemp.org mktemp
#
find_mktemp() {
local mktemp=`which mktemp 2> /dev/null`
if [ -n "$mktemp" ]; then
if qt mktemp -V ; then
MKTEMP=STD
else
MKTEMP=BSD
fi
else
MKTEMP=None
fi
}
#
# create a temporary file. If a directory name is passed, the file will be created in
# that directory. Otherwise, it will be created in a temporary directory.
#
mktempfile() {
[ -z "$MKTEMP" ] && find_mktemp
if [ $# -gt 0 ]; then
case "$MKTEMP" in
BSD)
mktemp $1/shorewall.XXXXXX
;;
STD)
mktemp -p $1 shorewall.XXXXXX
;;
None)
> $1/shorewall-$$ && echo $1/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempfile" >&2
;;
esac
else
case "$MKTEMP" in
BSD)
mktemp /tmp/shorewall.XXXXXX
;;
STD)
mktemp -t shorewall.XXXXXX
;;
None)
rm -f /tmp/shorewall-$$
> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempfile" >&2
;;
esac
fi
}
#
# create a temporary directory
#
mktempdir() {
[ -z "$MKTEMP" ] && find_mktemp
case "$MKTEMP" in
STD)
mktemp -td shorewall.XXXXXX
;;
None|BSD)
#
# Not all versions of the BSD mktemp support the -d option under Linux
#
mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempdir" >&2
;;
esac
}
#
# Read a file and handle "INCLUDE" directives
#
read_file() # $1 = file name, $2 = nest count
{
local first rest
if [ -f $1 ]; then
while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then
read_file $(find_file $(expand ${rest%#*})) $(($2 + 1))
else
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
fi
else
echo "$first $rest"
fi
done < $1
else
[ -n "$terminator" ] && $terminator "No such file: $1"
echo "Warning -- No such file: $1"
fi
}
#
# Function for including one file into another
#
INCLUDE() {
. $(find_file $(expand $@))
}
#
# Strip comments and blank lines from a file and place the result in the
# temporary directory
#
strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
{
local fname
[ $# = 1 ] && fname=$(find_file $1) || fname=$2
if [ -f $fname ]; then
read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
else
> $TMP_DIR/$1
fi
}
#
# Note: The following set of IP address manipulation functions have anomalous
# behavior when the shell only supports 32-bit signed arithmatic and
# the IP address is 128.0.0.0 or 128.0.0.1.
#
#
# So that emacs doesn't get lost, we use $LEFTSHIFT rather than <<
#
LEFTSHIFT='<<'
#
# Convert an IP address in dot quad format to an integer
#
decodeaddr() {
local x
local temp=0
local ifs=$IFS
IFS=.
for x in $1; do
temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
done
echo $temp
IFS=$ifs
}
#
# convert an integer to dot quad format
#
encodeaddr() {
addr=$1
local x
local y=$(($addr & 255))
for x in 1 2 3 ; do
addr=$(($addr >> 8))
y=$(($addr & 255)).$y
done
echo $y
}
#
# Enumerate the members of an IP range -- When using a shell supporting only
# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
#
# Comes in two flavors:
#
# ip_range() - produces a mimimal list of network/host addresses that spans
# the range.
#
# ip_range_explicit() - explicitly enumerates the range.
#
ip_range() {
local first last l x y z vlsm
case $1 in
!*)
#
# Let iptables complain if it's a range
#
echo $1
return
;;
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
esac
first=$(decodeaddr ${1%-*})
last=$(decodeaddr ${1#*-})
if [ $first -gt $last ]; then
fatal_error "Invalid IP address range: $1"
fi
l=$(( $last + 1 ))
while [ $first -le $last ]; do
vlsm=
x=31
y=2
z=1
while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do
vlsm=/$x
x=$(( $x - 1 ))
z=$y
y=$(( $y * 2 ))
done
echo $(encodeaddr $first)$vlsm
first=$(($first + $z))
done
}
ip_range_explicit() {
local first last
case $1 in
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
esac
first=$(decodeaddr ${1%-*})
last=$(decodeaddr ${1#*-})
if [ $first -gt $last ]; then
fatal_error "Invalid IP address range: $1"
fi
while [ $first -le $last ]; do
echo $(encodeaddr $first)
first=$(($first + 1))
done
}
#
# Netmask from CIDR
#
ip_netmask() {
local vlsm=${1#*/}
[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
}
#
# Network address from CIDR
#
ip_network() {
local decodedaddr=$(decodeaddr ${1%/*})
local netmask=$(ip_netmask $1)
echo $(encodeaddr $(($decodedaddr & $netmask)))
}
#
# The following hack is supplied to compensate for the fact that many of
# the popular light-weight Bourne shell derivatives don't support XOR ("^").
#
ip_broadcast() {
local x=$(( 32 - ${1#*/} ))
[ $x -eq 0 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
}
#
# Calculate broadcast address from CIDR
#
broadcastaddress() {
local decodedaddr=$(decodeaddr ${1%/*})
local netmask=$(ip_netmask $1)
local broadcast=$(ip_broadcast $1)
echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
}
#
# Test for network membership
#
in_network() # $1 = IP address, $2 = CIDR network
{
local netmask=$(ip_netmask $2)
test $(( $(decodeaddr $1) & $netmask)) -eq $(( $(decodeaddr ${2%/*}) & $netmask ))
}
#
# Netmask to VLSM
#
ip_vlsm() {
local mask=$(decodeaddr $1)
local vlsm=0
local x=$(( 128 $LEFTSHIFT 24 )) # 0x80000000
while [ $(( $x & $mask )) -ne 0 ]; do
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
vlsm=$(($vlsm + 1))
done
if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
echo "Invalid net mask: $1" >&2
else
echo $vlsm
fi
}
#
# Chain name base for an interface -- replace all periods with underscores in the passed name.
# The result is echoed (less trailing "+").
#
chain_base() #$1 = interface
{
local c=${1%%+}
while true; do
case $c in
*.*)
c="${c%.*}_${c##*.}"
;;
*-*)
c="${c%-*}_${c##*-}"
;;
*%*)
c="${c%\%*}_${c##*%}"
;;
*)
echo ${c:=common}
return
;;
esac
done
}
#
# Loosly Match the name of an interface
#
if_match() # $1 = Name in interfaces file - may end in "+"
# $2 = Full interface name - may also end in "+"
{
local pattern=${1%+}
case $1 in
*+)
test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}"
;;
*)
test "x$1" = "x$2"
;;
esac
}
#
# Find the value 'dev' in the passed arguments then echo the next value
#
find_device() {
while [ $# -gt 1 ]; do
[ "x$1" = xdev ] && echo $2 && return
shift
done
}
#
# Find the value 'via' in the passed arguments then echo the next value
#
find_gateway() {
while [ $# -gt 1 ]; do
[ "x$1" = xvia ] && echo $2 && return
shift
done
}
#
# Find the value 'peer' in the passed arguments then echo the next value up to
# "/"
#
find_peer() {
while [ $# -gt 1 ]; do
[ "x$1" = xpeer ] && echo ${2%/*} && return
shift
done
}
#
# Find the interfaces that have a route to the passed address - the default
# route is not used.
#
find_rt_interface() {
ip route ls | while read addr rest; do
case $addr in
*/*)
in_network ${1%/*} $addr && echo $(find_device $rest)
;;
default)
;;
*)
if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
echo $(find_device $rest)
fi
;;
esac
done
}
#
# Try to find the gateway through an interface looking for 'nexthop'
find_nexthop() # $1 = interface
{
echo $(find_gateway `ip route ls | grep "[[:space:]]nexthop.* $1"`)
}
#
# Find the default route's interface
#
find_default_interface() {
ip route ls | while read first rest; do
[ "$first" = default ] && echo $(find_device $rest) && return
done
}
#
# Echo the name of the interface(s) that will be used to send to the
# passed address
#
find_interface_by_address() {
local dev="$(find_rt_interface $1)"
local first rest
[ -z "$dev" ] && dev=$(find_default_interface)
[ -n "$dev" ] && echo $dev
}
#
# Find interface addresses--returns the set of addresses assigned to the passed
# device
#
find_interface_addresses() # $1 = interface
{
ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
}

347
Shorewall2/help
View File

@ -1,347 +0,0 @@
#!/bin/sh
#
# Shorewall help subsystem - V2.4
#
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2003-2005 - Tom Eastep (teastep@shorewall.net)
# Steve Herber (herber@thing.com)
#
# This file should be placed in /usr/share/shorewall/help
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
##################################################################################
case $1 in
add)
echo "add: add <interface>[:<host-list>] ... <zone>
Adds a list of hosts or subnets to a dynamic zone usually used with VPN's.
shorewall add interface:host-list ... zone - Adds the specified interface
(and host-list if included) to the specified zone.
A host-list is a comma-separated list whose elements are:
A host or network address
The name of a bridge port
The name of a bridge port followed by a colon (":") and a host or
network address.
Example:
shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
from interface ipsec0 to the zone vpn1.
See also \"help host\""
;;
address|host)
echo "<$1>:
May be either a host IP address such as 192.168.1.4 or a network address in
CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
match support then IP address ranges of the form <low address>-<high address>
are also permitted. If your kernel and iptables contain ipset match support
then you may specify the name of an ipset prefaced by "+". The name of the
ipsec may be optionally followed by a number of levels of ipset bindings
(1 - 6) that are to be followed"
;;
allow)
echo "allow: allow <address> ...
Re-enables receipt of packets from hosts previously blacklisted
by a drop or reject command.
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
See also \"help address\""
;;
check)
echo "check: check [ <configuration-directory> ]
Performs a cursory validation of the zones, interfaces, hosts,
rules and policy files. Use this if you are unsure of any edits
you have made to the shorewall configuration. See the try command
examples for a recommended way to make changes."
;;
clear)
echo "clear: clear
Clear will remove all rules and chains installed by Shoreline.
The firewall is then wide open and unprotected. Existing
connections are untouched. Clear is often used to see if the
firewall is causing connection problems."
;;
debug)
echo "debug: debug
If you include the keyword debug as the first argument to any
of these commands:
start|stop|restart|reset|clear|refresh|check|add|delete
then a shell trace of the command is produced. For example:
shorewall debug start 2> /tmp/trace
The above command would trace the 'start' command and
place the trace information in the file /tmp/trace.
The word 'trace' is a synonym for 'debug'."
;;
delete)
echo "delete: delete <interface>[:<host-list>] ... <zone>
Deletes a list of hosts or networks from a dynamic zone usually used with VPN's.
shorewall delete interface[:host-list] ... zone - Deletes the specified
interfaces (and host list if included) from the specified zone.
A host-list is a comma-separated list whose elements are:
A host or network address
The name of a bridge port
The name of a bridge port followed by a colon (":") and a host or
network address.
Example:
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
192.0.2.24 from interface ipsec0 from zone vpn1
See also \"help host\""
;;
drop)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
See also \"help address\""
;;
forget)
echo "forget: forget [ <file name> ]
Deletes /var/lib/shorewall/<file name>. If no <file name> is given then
the file specified by RESTOREFILE in shorewall.conf is removed.
See also \"help save\""
;;
help)
echo "help: help [<command> | host | address ]
Display helpful information about the shorewall commands."
;;
hits)
echo "hits: hits
Produces several reports about the Shorewall packet log messages
in the current /var/log/messages file."
;;
ipcalc)
echo "ipcalc: ipcalc [ address mask | address/vlsm ]
Ipcalc displays the network address, broadcast address,
network in CIDR notation and netmask corresponding to the input[s]."
;;
iprange)
echo "iprange: iprange address1-address2
Iprange decomposes the specified range of IP addresses into the
equivalent list of network/host addresses."
;;
logwatch)
echo "logwatch: logwatch [<refresh interval>]
Monitors the LOGFILE, $LOGFILE,
and produces an audible alarm when new Shorewall messages are logged."
;;
monitor)
echo "monitor: monitor [<refresh_interval>]
shorewall [-x] monitor [<refresh_interval>]
Continuously display the firewall status, last 20 log entries and nat.
When the log entry display changes, an audible alarm is sounded.
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
refresh)
echo "refresh: [ -q ] refresh
The rules involving the broadcast addresses of firewall interfaces,
the black list, traffic control rules and ECN control rules are recreated
to reflect any changes made. Existing connections are untouched
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
;;
reject)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
See also \"help address\""
;;
reset)
echo "reset: reset
All the packet and byte counters in the firewall are reset."
;;
restart)
echo "restart: [ -q ] restart [ <configuration-directory> ]
Restart is the same as a shorewall stop && shorewall start.
Existing connections are maintained.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
;;
safe-restart)
echo "safe-restart: safe-restart
Restart the same way as a shorewall restart except that previous firewall
configuration is backed up and will be restored if you notice any anomalies
or you are not able to reach the firewall any more."
;;
safe-start)
echo "safe-start: safe-start
Start the same way as a shorewall start except that in case of anomalies
shorewall clear is issued. "
;;
restore)
echo "restore: restore [ <file name> ]
Restore Shorewall to a state saved using the 'save' command
Existing connections are maintained. The <file name> names a restore file in
/var/lib/shorewall created using "shorewall save"; if no <file name> is given
then Shorewall will be restored from the file specified by the RESTOREFILE
option in shorewall.conf.
See also \"help save\" and \"help forget\""
;;
save)
echo "save: save [ <file name> ]
The dynamic data is stored in /var/lib/shorewall/save. The state of the
firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf.
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
See also \"help restore\" and \"help forget\""
;;
show)
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos|zones]
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v)
shorewall [-x] show nat - produce a verbose report about the nat table.
(iptables -t nat -L -n -v)
shorewall [-x] show tos - produce a verbose report about the mangle table.
(iptables -t mangle -L -n -v)
shorewall show log - display the last 20 packet log entries.
shorewall show connections - displays the IP connections currently
being tracked by the firewall.
shorewall show tc - displays information about the traffic
control/shaping configuration.
shorewall show zones - displays the contents of all zones.
shorewall show capabilities - displays your kernel/iptables capabilities
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
start)
echo "start: [ -q ] [ -f ] start [ <configuration-directory> ]
Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies.
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
in shorewall.conf will be restored if that saved configuration exists. In that
case, a <configuration-directory> may not be specified".
;;
stop)
echo "stop: stop
Stops the firewall. All existing connections, except those
listed in /etc/shorewall/routestopped, are taken down.
The only new traffic permitted through the firewall
is from systems listed in /etc/shorewall/routestopped."
;;
status)
echo "status: status
shorewall [-x] status
Produce a verbose report about the firewall.
(iptables -L -n -)
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
trace)
echo "trace: trace
If you include the keyword trace as the first argument to any
of these commands:
start|stop|restart|reset|clear|refresh|check|add|delete
then a shell trace of the command is produced. For example:
shorewall trace start 2> /tmp/trace
The above command would trace the 'start' command and
place the trace information in the file /tmp/trace.
The word 'debug' is a synonym for 'trace'."
;;
try)
echo "try: try <configuration-directory> [ <timeout> ]
Restart shorewall using the specified configuration. If an error
occurs during the restart, then another shorewall restart is performed
using the default configuration. If a timeout is specified then
the restart is always performed after the timeout occurs and uses
the default configuration."
;;
version)
echo "version: version
Show the current shorewall version which is: $version"
;;
*)
echo "$1: $1 is not recognized by the help command"
;;
esac
exit 0 # always ok

141
Shorewall2/hosts
View File

@ -1,141 +0,0 @@
#
# Shorewall 2.4 - /etc/shorewall/hosts
#
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
#
# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
#------------------------------------------------------------------------------
# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
# ZONE AND INTERFACE IN THIS FILE.
#------------------------------------------------------------------------------
# This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to
# (should not) place anything in this file.
#
# The order of entries in this file is not significant in
# determining zone composition. Rather, the order that the zones
# are defined in /etc/shorewall/zones determines the order in
# which the records in this file are interpreted.
#
# ZONE - The name of a zone defined in /etc/shorewall/zones
#
# HOST(S) - The name of an interface defined in the
# /etc/shorewall/interfaces file followed by a colon (":") and
# a comma-separated list whose elements are either:
#
# a) The IP address of a host
# b) A subnetwork in the form
# <subnet-address>/<mask width>
# c) An IP address range of the form <low address>-<high
# address>. Your kernel and iptables must have iprange
# match support.
# d) A physical port name; only allowed when the
# interface names a bridge created by the
# brctl addbr command. This port must not
# be defined in /etc/shorewall/interfaces and may
# optionally followed by a colon (":") and a
# host or network IP or a range.
# See http://www.shorewall.net/Bridge.html for details.
#
# Examples:
#
# eth1:192.168.1.3
# eth2:192.168.2.0/24
# eth3:192.168.2.0/24,192.168.3.1
# br0:eth4
# br0:eth0:192.168.1.16/28
# eth4:192.168.1.44-192.168.1.49
#
# OPTIONS - A comma-separated list of options. Currently-defined
# options are:
#
# maclist - Connection requests from these hosts
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
# routeback - Shorewall should set up the infrastructure
# to pass packets from this/these
# address(es) back to themselves. This is
# necessary if hosts in this group use the
# services of a transparent proxy that is
# a member of the group or if DNAT is used
# to send requests originating from this
# group to a server in the group.
#
# norfc1918 - This option only makes sense for ports
# on a bridge.
#
# The port should not accept
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling or
# connection-tracking match is enabled in
# your kernel, packets whose destination
# addresses are reserved by RFC 1918 are
# also rejected.
#
# nobogons - This option only makes sense for ports
# on a bridge.
#
# This port should not accept
# any packets whose source is in one
# of the ranges reserved by IANA (this
# option does not cover those ranges
# reserved by RFC 1918 -- see
# 'norfc1918' above).
#
# blacklist - This option only makes sense for ports
# on a bridge.
#
# Check packets arriving on this port
# against the /etc/shorewall/blacklist
# file.
#
# tcpflags - Packets arriving from these hosts are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# nosmurfs - This option only makes sense for ports
# on a bridge.
#
# Filter packets for smurfs
# (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based
# on the setting of SMURF_LOG_LEVEL in
# shorewall.conf. After logging, the
# packets are dropped.
#
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from these hosts, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
# ipsec - The zone is accessed via a
# kernel 2.6 ipsec SA. Note that if the
# zone named in the ZONE column is
# specified as an IPSEC zone in the
# /etc/shorewall/ipsec file then you do NOT
# need to specify the 'ipsec' option here.
#
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
#
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

8
Shorewall2/init
View File

@ -1,8 +0,0 @@
############################################################################
# Shorewall 2.4 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#

130
Shorewall2/init.debian.sh
View File

@ -1,130 +0,0 @@
#!/bin/sh
SRWL=/sbin/shorewall
WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
# Note, set INITLOG to /dev/null if you do not want to
# keep logs of the firewall (not recommended)
INITLOG=/var/log/shorewall-init.log
OPTIONS="-f"
test -x $SRWL || exit 0
test -n $INITLOG || {
echo "INITLOG cannot be empty, please configure $0" ;
exit 1;
}
if [ "$(id -u)" != "0" ]
then
echo "You must be root to start, stop or restart \"Shorewall firewall\"."
exit 1
fi
echo_notdone () {
if [ "$INITLOG" = "/dev/null" ] ; then
"not done."
else
"not done (check $INITLOG)."
fi
}
not_configured () {
echo "#### WARNING ####"
echo "the firewall won't be started/stopped unless it is configured"
if [ "$1" != "stop" ]
then
echo ""
echo "please configure it and then edit /etc/default/shorewall"
echo "and set the \"startup\" variable to 1 in order to allow "
echo "shorewall to start"
fi
echo "#################"
exit 0
}
# parse the shorewall params file in order to use params in
# /etc/default/shorewall
if [ -f "/etc/shorewall/params" ]
then
. /etc/shorewall/params
fi
# check if shorewall is configured or not
if [ -f "/etc/default/shorewall" ]
then
. /etc/default/shorewall
if [ "$startup" != "1" ]
then
not_configured
fi
else
not_configured
fi
# wait an unconfigured interface
wait_for_pppd () {
if [ "$wait_interface" != "" ]
then
if [ -f $WAIT_FOR_IFUP ]
then
for i in $wait_interface
do
$WAIT_FOR_IFUP $i 90
done
else
echo "$WAIT_FOR_IFUP: File not found" >> $INITLOG
echo_notdone
exit 2
fi
fi
}
# start the firewall
shorewall_start () {
echo -n "Starting \"Shorewall firewall\": "
wait_for_pppd
$SRWL $OPTIONS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
# stop the firewall
shorewall_stop () {
echo -n "Stopping \"Shorewall firewall\": "
$SRWL stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
# restart the firewall
shorewall_restart () {
echo -n "Restarting \"Shorewall firewall\": "
$SRWL restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
# refresh the firewall
shorewall_refresh () {
echo -n "Refreshing \"Shorewall firewall\": "
$SRWL refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
case "$1" in
start)
shorewall_start
;;
stop)
shorewall_stop
;;
refresh)
shorewall_refresh
;;
force-reload|restart)
shorewall_restart
;;
*)
echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload}"
exit 1
esac
exit 0

89
Shorewall2/init.sh
View File

@ -1,89 +0,0 @@
#!/bin/sh
RCDLINKS="2,S41 3,S41 6,K41"
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.4
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called /etc/init.d/shorewall.
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped.
#
# Commands are:
#
# shorewall start Starts the firewall
# shorewall restart Restarts the firewall
# shorewall stop Stops the firewall
# shorewall status Displays firewall status
#
# chkconfig: 2345 25 90
# description: Packet filtering firewall
### BEGIN INIT INFO
# Provides: shorewall
# Required-Start: $network
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: starts and stops the shorewall firewall
### END INIT INFO
################################################################################
# Give Usage Information #
################################################################################
usage() {
echo "Usage: $0 start|stop|restart|status"
exit 1
}
################################################################################
# Get startup options (override default)
################################################################################
OPTIONS="-f"
if [ -f /etc/sysconfig/shorewall ]; then
. /etc/sysconfig/shorewall
elif [ -f /etc/default/shorewall ] ; then
. /etc/default/shorewall
fi
################################################################################
# E X E C U T I O N B E G I N S H E R E #
################################################################################
command="$1"
case "$command" in
start)
exec /sbin/shorewall $OPTIONS start
;;
stop|restart|status)
exec /sbin/shorewall $@
;;
*)
usage
;;
esac

9
Shorewall2/initdone
View File

@ -1,9 +0,0 @@
############################################################################
# Shorewall 2.4 -- /etc/shorewall/initdone
#
# Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#

642
Shorewall2/install.sh
View File

@ -1,642 +0,0 @@
#!/bin/sh
#
# Script to install Shoreline Firewall
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=2.4.0
usage() # $1 = exit status
{
ME=$(basename $0)
echo "usage: $ME"
echo " $ME -v"
echo " $ME -h"
exit $1
}
run_install()
{
if ! install $*; then
echo
echo "ERROR: Failed to install $*"
exit 1
fi
}
cant_autostart()
{
echo
echo "WARNING: Unable to configure shorewall to start"
echo " automatically at boot"
}
backup_file() # $1 = file to backup
{
if [ -z "$PREFIX" -a -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
if (cp $1 ${1}-${VERSION}.bkout); then
echo
echo "$1 saved to ${1}-${VERSION}.bkout"
else
exit 1
fi
fi
}
delete_file() # $1 = file to delete
{
if [ -z "$PREFIX" -a -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
if (mv $1 ${1}-${VERSION}.bkout); then
echo
echo "$1 moved to ${1}-${VERSION}.bkout"
else
exit 1
fi
fi
}
install_file_with_backup() # $1 = source $2 = target $3 = mode
{
backup_file $2
run_install $OWNERSHIP -m $3 $1 ${2}
}
#
# Parse the run line
#
# DEST is the SysVInit script directory
# INIT is the name of the script in the $DEST directory
# RUNLEVELS is the chkconfig parmeters for firewall
# ARGS is "yes" if we've already parsed an argument
#
ARGS=""
if [ -z "$DEST" ] ; then
DEST="/etc/init.d"
fi
if [ -z "$INIT" ] ; then
INIT="shorewall"
fi
if [ -z "$RUNLEVELS" ] ; then
RUNLEVELS=""
fi
if [ -z "$OWNER" ] ; then
OWNER=root
fi
if [ -z "$GROUP" ] ; then
GROUP=root
fi
while [ $# -gt 0 ] ; do
case "$1" in
-h|help|?)
usage 0
;;
-v)
echo "Shorewall Firewall Installer Version $VERSION"
exit 0
;;
*)
usage 1
;;
esac
shift
ARGS="yes"
done
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# Determine where to install the firewall script
#
DEBIAN=
OWNERSHIP="-o $OWNER -g $GROUP"
if [ -n "$PREFIX" ]; then
if [ `id -u` != 0 ] ; then
echo "Not setting file owner/group permissions, not running as root."
OWNERSHIP=""
fi
install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
DEBIAN=yes
elif [ -f /etc/slackware-version ] ; then
DEST="/etc/rc.d"
INIT="rc.firewall"
fi
#
# Change to the directory containing this script
#
cd "$(dirname $0)"
echo "Installing Shorewall Version $VERSION"
#
# Check for /etc/shorewall
#
if [ -d ${PREFIX}/etc/shorewall ]; then
first_install=""
else
first_install="Yes"
fi
install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0544
echo
echo "shorewall control program installed in ${PREFIX}/sbin/shorewall"
#
# Install the Firewall Script
#
if [ -n "$DEBIAN" ]; then
install_file_with_backup init.debian.sh /etc/init.d/shorewall 0544
else
install_file_with_backup init.sh ${PREFIX}${DEST}/$INIT 0544
fi
echo
echo "Shorewall script installed in ${PREFIX}${DEST}/$INIT"
#
# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
#
mkdir -p ${PREFIX}/etc/shorewall
mkdir -p ${PREFIX}/usr/share/shorewall
mkdir -p ${PREFIX}/var/lib/shorewall
#
# Install the config file
#
if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
backup_file /etc/shorewall/shorewall.conf
else
run_install $OWNERSHIP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
echo
echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
fi
#
# Install the zones file
#
if [ -f ${PREFIX}/etc/shorewall/zones ]; then
backup_file /etc/shorewall/zones
else
run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall/zones
echo
echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
fi
#
# Install the functions file
#
if [ -f ${PREFIX}/etc/shorewall/functions ]; then
backup_file ${PREFIX}/etc/shorewall/functions
rm -f ${PREFIX}/etc/shorewall/functions
fi
install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
echo
echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions"
#
# Install the Help file
#
install_file_with_backup help ${PREFIX}/usr/share/shorewall/help 0544
echo
echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
#
# Delete the icmp.def file
#
delete_file icmp.def
#
# Install the policy file
#
if [ -f ${PREFIX}/etc/shorewall/policy ]; then
backup_file /etc/shorewall/policy
else
run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall/policy
echo
echo "Policy file installed as ${PREFIX}/etc/shorewall/policy"
fi
#
# Install the interfaces file
#
if [ -f ${PREFIX}/etc/shorewall/interfaces ]; then
backup_file /etc/shorewall/interfaces
else
run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
echo
echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
fi
#
# Install the ipsec file
#
if [ -f ${PREFIX}/etc/shorewall/ipsec ]; then
backup_file /etc/shorewall/ipsec
else
run_install $OWNERSHIP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
echo
echo "Ipsec file installed as ${PREFIX}/etc/shorewall/ipsec"
fi
#
# Install the hosts file
#
if [ -f ${PREFIX}/etc/shorewall/hosts ]; then
backup_file /etc/shorewall/hosts
else
run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
echo
echo "Hosts file installed as ${PREFIX}/etc/shorewall/hosts"
fi
#
# Install the rules file
#
if [ -f ${PREFIX}/etc/shorewall/rules ]; then
backup_file /etc/shorewall/rules
else
run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall/rules
echo
echo "Rules file installed as ${PREFIX}/etc/shorewall/rules"
fi
#
# Install the NAT file
#
if [ -f ${PREFIX}/etc/shorewall/nat ]; then
backup_file /etc/shorewall/nat
else
run_install $OWNERSHIP -m 0600 nat ${PREFIX}/etc/shorewall/nat
echo
echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
fi
#
# Install the NETMAP file
#
if [ -f ${PREFIX}/etc/shorewall/netmap ]; then
backup_file /etc/shorewall/netmap
else
run_install $OWNERSHIP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap
echo
echo "NETMAP file installed as ${PREFIX}/etc/shorewall/netmap"
fi
#
# Install the Parameters file
#
if [ -f ${PREFIX}/etc/shorewall/params ]; then
backup_file /etc/shorewall/params
else
run_install $OWNERSHIP -m 0600 params ${PREFIX}/etc/shorewall/params
echo
echo "Parameter file installed as ${PREFIX}/etc/shorewall/params"
fi
#
# Install the proxy ARP file
#
if [ -f ${PREFIX}/etc/shorewall/proxyarp ]; then
backup_file /etc/shorewall/proxyarp
else
run_install $OWNERSHIP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
echo
echo "Proxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp"
fi
#
# Install the Stopped Routing file
#
if [ -f ${PREFIX}/etc/shorewall/routestopped ]; then
backup_file /etc/shorewall/routestopped
else
run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped
echo
echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
fi
#
# Install the Mac List file
#
if [ -f ${PREFIX}/etc/shorewall/maclist ]; then
backup_file /etc/shorewall/maclist
else
run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
echo
echo "MAC list file installed as ${PREFIX}/etc/shorewall/maclist"
fi
#
# Install the Masq file
#
if [ -f ${PREFIX}/etc/shorewall/masq ]; then
backup_file /etc/shorewall/masq
else
run_install $OWNERSHIP -m 0600 masq ${PREFIX}/etc/shorewall/masq
echo
echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
fi
#
# Install the Modules file
#
if [ -f ${PREFIX}/etc/shorewall/modules ]; then
backup_file /etc/shorewall/modules
else
run_install $OWNERSHIP -m 0600 modules ${PREFIX}/etc/shorewall/modules
echo
echo "Modules file installed as ${PREFIX}/etc/shorewall/modules"
fi
#
# Install the TC Rules file
#
if [ -f ${PREFIX}/etc/shorewall/tcrules ]; then
backup_file /etc/shorewall/tcrules
else
run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
echo
echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
fi
#
# Install the TOS file
#
if [ -f ${PREFIX}/etc/shorewall/tos ]; then
backup_file /etc/shorewall/tos
else
run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall/tos
echo
echo "TOS file installed as ${PREFIX}/etc/shorewall/tos"
fi
#
# Install the Tunnels file
#
if [ -f ${PREFIX}/etc/shorewall/tunnels ]; then
backup_file /etc/shorewall/tunnels
else
run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
echo
echo "Tunnels file installed as ${PREFIX}/etc/shorewall/tunnels"
fi
#
# Install the blacklist file
#
if [ -f ${PREFIX}/etc/shorewall/blacklist ]; then
backup_file /etc/shorewall/blacklist
else
run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
echo
echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
fi
#
# Install the Routes file
#
if [ -f ${PREFIX}/etc/shorewall/routes ]; then
backup_file /etc/shorewall/routes
else
run_install $OWNERSHIP -m 0600 routes ${PREFIX}/etc/shorewall/routes
echo
echo "Routes file installed as ${PREFIX}/etc/shorewall/routes"
fi
#
# Install the Providers file
#
if [ -f ${PREFIX}/etc/shorewall/providers ]; then
backup_file /etc/shorewall/providers
else
run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall/providers
echo
echo "Providers file installed as ${PREFIX}/etc/shorewall/providers"
fi
#
# Backup and remove the whitelist file
#
if [ -f ${PREFIX}/etc/shorewall/whitelist ]; then
backup_file /etc/shorewall/whitelist
rm -f ${PREFIX}/etc/shorewall/whitelist
fi
#
# Install the rfc1918 file
#
install_file_with_backup rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0600
echo
echo "RFC 1918 file installed as ${PREFIX}/usr/share/shorewall/rfc1918"
#
# Install the bogons file
#
install_file_with_backup bogons ${PREFIX}/usr/share/shorewall/bogons 0600
echo
echo "Bogon file installed as ${PREFIX}/usr/share/shorewall/bogons"
#
# Install the default config path file
#
install_file_with_backup configpath ${PREFIX}/usr/share/shorewall/configpath 0600
echo
echo " Default config path file installed as ${PREFIX}/usr/share/shorewall/configpath"
#
# Install the init file
#
if [ -f ${PREFIX}/etc/shorewall/init ]; then
backup_file /etc/shorewall/init
else
run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall/init
echo
echo "Init file installed as ${PREFIX}/etc/shorewall/init"
fi
#
# Install the initdone file
#
if [ -f ${PREFIX}/etc/shorewall/initdone ]; then
backup_file /etc/shorewall/initdone
else
run_install $OWNERSHIP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone
echo
echo "Initdone file installed as ${PREFIX}/etc/shorewall/initdone"
fi
#
# Install the start file
#
if [ -f ${PREFIX}/etc/shorewall/start ]; then
backup_file /etc/shorewall/start
else
run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall/start
echo
echo "Start file installed as ${PREFIX}/etc/shorewall/start"
fi
#
# Install the stop file
#
if [ -f ${PREFIX}/etc/shorewall/stop ]; then
backup_file /etc/shorewall/stop
else
run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall/stop
echo
echo "Stop file installed as ${PREFIX}/etc/shorewall/stop"
fi
#
# Install the stopped file
#
if [ -f ${PREFIX}/etc/shorewall/stopped ]; then
backup_file /etc/shorewall/stopped
else
run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
echo
echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
fi
#
# Install the ECN file
#
if [ -f ${PREFIX}/etc/shorewall/ecn ]; then
backup_file /etc/shorewall/ecn
else
run_install $OWNERSHIP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
echo
echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
fi
#
# Install the Accounting file
#
if [ -f ${PREFIX}/etc/shorewall/accounting ]; then
backup_file /etc/shorewall/accounting
else
run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
echo
echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
fi
#
# Install the Continue file
#
if [ -f ${PREFIX}/etc/shorewall/continue ]; then
backup_file /etc/shorewall/continue
else
run_install $OWNERSHIP -m 0600 continue ${PREFIX}/etc/shorewall/continue
echo
echo "Continue file installed as ${PREFIX}/etc/shorewall/continue"
fi
#
# Install the Started file
#
if [ -f ${PREFIX}/etc/shorewall/started ]; then
backup_file /etc/shorewall/started
else
run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall/started
echo
echo "Started file installed as ${PREFIX}/etc/shorewall/started"
fi
#
# Install the Standard Actions file
#
install_file_with_backup actions.std ${PREFIX}/usr/share/shorewall/actions.std 0600
echo
echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
#
# Install the Actions file
#
if [ -f ${PREFIX}/etc/shorewall/actions ]; then
backup_file /etc/shorewall/actions
else
run_install $OWNERSHIP -m 0600 actions ${PREFIX}/etc/shorewall/actions
echo
echo "Actions file installed as ${PREFIX}/etc/shorewall/actions"
fi
#
# Install the Action files
#
for f in action.* ; do
install_file_with_backup $f ${PREFIX}/usr/share/shorewall/$f 0600
echo
echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
done
#
# Backup the version file
#
if [ -z "$PREFIX" ]; then
if [ -f /usr/share/shorewall/version ]; then
backup_file /usr/share/shorewall/version
fi
fi
#
# Create the version file
#
echo "$VERSION" > ${PREFIX}/usr/share/shorewall/version
chmod 644 ${PREFIX}/usr/share/shorewall/version
#
# Remove and create the symbolic link to the init script
#
if [ -z "$PREFIX" ]; then
rm -f /usr/share/shorewall/init
ln -s ${DEST}/${INIT} /usr/share/shorewall/init
fi
#
# Install the firewall script
#
install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544
if [ -z "$PREFIX" -a -n "$first_install" ]; then
if [ -n "$DEBIAN" ]; then
run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
echo
echo "shorewall will start automatically at boot"
echo "Set startup=1 in /etc/default/shorewall to enable"
else
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
if insserv /etc/init.d/shorewall ; then
echo
echo "shorewall will start automatically at boot"
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
else
cant_autostart
fi
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
if chkconfig --add shorewall ; then
echo
echo "shorewall will start automatically in run levels as follows:"
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
chkconfig --list shorewall
else
cant_autostart
fi
elif [ -x /sbin/rc-update ]; then
if rc-update add shorewall default; then
echo
echo "shorewall will start automatically at boot"
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
else
cant_autostart
fi
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
cant_autostart
fi
fi
fi
#
# Report Success
#
echo
echo "shorewall Version $VERSION Installed"

217
Shorewall2/interfaces
View File

@ -1,217 +0,0 @@
#
# Shorewall 2.4 -- Interfaces File
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE Zone for this interface. Must match the short name
# of a zone defined in /etc/shorewall/zones.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should
# place "-" in this column.
#
# INTERFACE Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# You may specify wildcards here. For example, if you
# want to make an entry that applies to all PPP
# interfaces, use 'ppp+'.
#
# There is no need to define the loopback interface (lo)
# in this file.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left blank.If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started, you must have iproute
# installed.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
#
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - Specify this option when any of
# the following are true:
# 1. the interface gets its IP address
# via DHCP
# 2. the interface is used by
# a DHCP server running on the firewall
# 3. you have a static IP but are on a LAN
# segment with lots of Laptop DHCP
# clients.
# 4. the interface is a bridge with
# a DHCP server on one port and DHCP
# clients on another port.
#
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling or
# connection-tracking match is enabled in
# your kernel, packets whose destination
# addresses are reserved by RFC 1918 are
# also rejected.
#
# nobogons - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by IANA (this
# option does not cover those ranges
# reserved by RFC 1918 -- see above).
#
# I PERSONALLY RECOMMEND AGAINST USING
# THE 'nobogons' OPTION.
#
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
#
# logmartians - turn on kernel martian logging (logging
# of packets with impossible source
# addresses. It is suggested that if you
# set routefilter on an interface that
# you also set logmartians. This option
# may also be enabled globally in the
# /etc/shorewall/shorewall.conf file.
#
# blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
#
# maclist - Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are
# employing Proxy ARP through entries in
# /etc/shorewall/proxyarp. This option is
# intended soley for use with Proxy ARP
# sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from this interface, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf. In other
# words, packets coming in on this interface
# are processed as if NEWNOTSYN=Yes had been
# specified in /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
# It is the opinion of the author that
# NEWNOTSYN=No creates more problems than
# it solves and I recommend against using
# that setting in shorewall.conf (hence
# making the use of the 'newnotsyn'
# interface option unnecessary).
#
# routeback - If specified, indicates that Shorewall
# should include rules that allow filtering
# traffic arriving on this interface back
# out that same interface.
#
# arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP
# addresses configured on the interface.
# If not specified, the interface can
# respond to ARP who-has requests for
# IP addresses on any of the firewall's
# interface. The interface must be up
# when Shorewall is started.
#
# nosmurfs - Filter packets for smurfs
# (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based
# on the setting of SMURF_LOG_LEVEL in
# shorewall.conf. After logging, the
# packets are dropped.
#
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
#
# upnp - Incoming requests from this interface may
# be remapped via UPNP (upnpd).
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE.
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.
#
# GATEWAY This column is only meaningful if the 'default' OPTION
# is given -- it is ignored otherwise. You may specify
# the default gateway IP address for this interface here
# and Shorewall will use that IP address rather than any
# that it finds in the main routing table.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
# local subnet is 192.168.1.0/24. The interface gets
# it's IP address via DHCP from subnet
# 206.191.149.192/27. You have a DMZ with subnet
# 192.168.2.0/24 using eth2.
#
# Your entries for this setup would look like:
#
# net eth0 206.191.149.223 dhcp
# local eth1 192.168.1.255
# dmz eth2 192.168.2.255
#
# Example 2: The same configuration without specifying broadcast
# addresses is:
#
# net eth0 detect dhcp
# loc eth1 detect
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet
# connections.
#
# net ppp0 -
#
# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
#
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

59
Shorewall2/ipsec
View File

@ -1,59 +0,0 @@
#
# Shorewall 2.4 - /etc/shorewall/ipsec
#
# This file defines the attributes of zones with respect to
# IPSEC. To use this file for any purpose except for setting mss,
# you must be running a 2.6 kernel and both your kernel and iptables
# must include Policy Match Support.
#
# The columns are:
#
# ZONE The name of a zone defined in /etc/shorewall/zones. The
# $FW zone may not be listed.
#
# IPSEC Yes -- Communication with all zone hosts is encrypted
# ONLY No -- Communication with some zone hosts is encrypted.
# Encrypted hosts are designated using the 'ipsec'
# option in /etc/shorewall/hosts.
#
# OPTIONS, A comma-separated list of options as follows:
# IN OPTIONS,
# OUT OPTIONS reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
# the SA used to encrypt/decrypt packets.
#
# proto=ah|esp|ipcomp
#
# mss=<number> (sets the MSS field in TCP packets)
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all rules.
#
# next Separates rules; can only be used with
# strict..
#
# Example:
# mode=transport,reqid=44
#
# The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
# applied to outgoing traffic.
#
# If you wish to leave a column empty but need to make an entry
# in a following column, use "-".
###################################################################################
#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

296
Shorewall2/ipsecvpn
View File

@ -1,296 +0,0 @@
#!/bin/sh
################################################################################
#
# ipsecvpn -- script for use on a roadwarrior to start/stop a tunnel-mode
# IPSEC connection
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
RCDLINKS="2,S42 3,S42 6,K42"
#### BEGIN INIT INFO
# Provides: ipsecvpn
# Required-Start: $shorewall
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: starts and stops a tunnel-mode VPN connection
### END INIT INFO
# chkconfig: 2345 26 89
# description: IPSEC tunnel-mode connection
#
################################################################################
#
# External Interface
#
INTERFACE=eth0
#
# Remote IPSEC Gateway
#
GATEWAY=1.2.3.4
#
# Networks behind the remote gateway (space-separated list)
#
NETWORKS="192.168.1.0/24"
#
# Directory where X.509 certificates are stored.
#
CERTS=/etc/certs
#
# Certificate to be used for this connection. The cert
# directory must contain:
#
# ${CERT}.pem - the certificate
# ${CERT}_key.pem - the certificates's key
#
CERT=roadwarrior
#
# The setkey binary
#
SETKEY=/usr/sbin/setkey
#
# The racoon binary
#
RACOON=/usr/sbin/racoon
#
# Message to stderr
#
error_message() # $* = Error Message
{
echo " $@" >&2
}
#
# Fatal error -- stops the firewall after issuing the error message
#
fatal_error() # $* = Error Message
{
echo " Error: $@" >&2
exit 2
}
#
# Find interface address--returns the first IP address assigned to the passed
# device
#
find_first_interface_address() # $1 = interface
{
#
# get the line of output containing the first IP address
#
addr=$(ip -f inet addr show $1 2> /dev/null | grep inet | head -n1)
#
# If there wasn't one, bail out now
#
[ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
#
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
# along with everything else on the line
#
echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
}
#
# Create a Racoon configuration file using the variables above
#
make_racoon_conf() {
echo "path certificate \"$CERTS\";"
echo
echo "listen"
echo "{"
echo " isakmp $IPADDR;"
echo "}"
echo
echo "remote $GATEWAY"
echo "{"
echo " exchange_mode main;"
echo " certificate_type x509 \"$CERT.pem\" \"${CERT}_key.pem\";"
echo " verify_cert on;"
echo " my_identifier asn1dn ;"
echo " peers_identifier asn1dn ;"
echo " verify_identifier on ;"
echo " lifetime time 24 hour ;"
echo " proposal {"
echo " encryption_algorithm blowfish;"
echo " hash_algorithm sha1;"
echo " authentication_method rsasig ;"
echo " dh_group 2 ;"
echo " }"
echo "}"
echo
for network in $NETWORKS; do
echo "sainfo address $IPADDR/32 any address $network any"
echo "{"
echo " pfs_group 2;"
echo " lifetime time 12 hour ;"
echo " encryption_algorithm blowfish ;"
echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
echo " compression_algorithm deflate ;"
echo "}"
echo
echo "sainfo address $network any address $IPADDR/32 any"
echo "{"
echo " pfs_group 2;"
echo " lifetime time 12 hour ;"
echo " encryption_algorithm blowfish ;"
echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
echo " compression_algorithm deflate ;"
echo "}"
done
echo "sainfo address $IPADDR/32 any address $GATEWAY/32 any"
echo "{"
echo " pfs_group 2;"
echo " lifetime time 12 hour ;"
echo " encryption_algorithm blowfish ;"
echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
echo " compression_algorithm deflate ;"
echo "}"
echo
echo "sainfo address $GATEWAY/32 any address $IPADDR/32 any"
echo "{"
echo " pfs_group 2;"
echo " lifetime time 12 hour ;"
echo " encryption_algorithm blowfish ;"
echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
echo " compression_algorithm deflate ;"
echo "}"
}
#
# Make a setkey configuration file using the variables above
#
make_setkey_conf()
{
echo "flush;"
echo "spdflush;"
echo "spdadd $IPADDR/32 $GATEWAY/32 any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
echo "spdadd $GATEWAY/32 $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
for network in $NETWORKS; do
echo "spdadd $IPADDR/32 $network any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
echo "spdadd $network $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
done
}
#
# Start the Tunnel
#
start()
{
#
# Get the first IP address configured on the device in INTERFACE
#
IPADDR=$(find_first_interface_address $INTERFACE)
#
# Create the name of the setkey temporary file
#
TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX)
[ $? -eq 0 ] || fatal_error "Can't create temporary file name"
#
# Create the file
#
make_setkey_conf > $TEMPFILE
#
# Create the SPD
#
$SETKEY -f $TEMPFILE
#
# We can now remove the file
#
rm -f $TEMPFILE
#
# Create another name -- make this distict to aid debugging
# (just comment out the 'rm' commands)
#
TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX)
[ $? -eq 0 ] || fatal_error "Can't create temporary file name"
#
# Create the file
#
make_racoon_conf > $TEMPFILE
#
# Start Racoon Daemon
#
$RACOON -4 -f $TEMPFILE
#
# Once the Daemon is running, we can remove the file
#
rm -f $TEMPFILE
}
#
# Stop the Tunnel
#
stop()
{
#
# Kill any racoon daemons
#
killall racoon
#
# Purge the SAD and SPD
#
setkey -F -FP
}
#
# Display command syntax and abend
#
usage()
{
error_message "usage: $(basename $0) [start|stop|restart]"
exit 1
}
################################################################################
# C O D E S T A R T S H E R E
################################################################################
[ $# -eq 1 ] || usage
case $1 in
start)
start
;;
stop)
stop
;;
restart)
stop
sleep 2
start
;;
*)
usage
;;
esac

31
Shorewall2/maclist
View File

@ -1,31 +0,0 @@
#
# Shorewall 2.4 - MAC list file
#
# This file is used to define the MAC addresses and optionally their
# associated IP addresses to be allowed to use the specified interface.
# The feature is enabled by using the maclist option in the interfaces
# or hosts configuration file.
#
# /etc/shorewall/maclist
#
# Columns are:
#
# INTERFACE Network interface to a host. If the interface
# names a bridge, it may be optionally followed by
# a colon (":") and a physical port name (e.g.,
# br0:eth4).
#
# MAC MAC address of the host -- you do not need to use
# the Shorewall format for MAC addresses here
#
# IP ADDRESSES Optional -- if specified, both the MAC and IP address
# must match. This column can contain a comma-separated
# list of host and/or subnet addresses. If your kernel
# and iptables have iprange match support then IP
# address ranges are also allowed.
#
# For additional information, see http://shorewall.net/MAC_Validation.html
#
##############################################################################
#INTERFACE MAC IP ADDRESSES (Optional)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

216
Shorewall2/masq
View File

@ -1,216 +0,0 @@
#
# Shorewall 2.4 - Masquerade file
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
# (SNAT).
#
# Columns are:
#
# INTERFACE -- Outgoing interface. This is usually your internet
# interface. If ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a destination host or subnet.
#
# If you wish to inhibit the action of ADD_SNAT_ALIASES
# for this entry then include the ":" but omit the digit:
#
# eth0:
# eth2::192.0.2.32/27
#
# Normally Masq/SNAT rules are evaluated after those for
# one-to-one NAT (/etc/shorewall/nat file). If you want
# the rule to be applied before one-to-one NAT rules,
# prefix the interface name with "+":
#
# +eth0
# +eth0:192.0.2.32/27
# +eth0:2
#
# This feature should only be required if you need to
# insert rules in this file that preempt entries in
# /etc/shorewall/nat.
#
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
# a subnet or as an interface. If you give the name of an
# interface, you must have iproute installed and the interface
# must be up before you start the firewall.
#
# In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude.
#
# Example: eth1!192.168.1.4,192.168.32.0/27
#
# In that example traffic from eth1 would be masqueraded unless
# it came from 192.168.1.4 or 196.168.32.0/27
#
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
#
# You may also specify a range of up to 256
# IP addresses if you want the SNAT address to
# be assigned from that range in a round-robin
# range by connection. The range is specified by
# <first ip in range>-<last ip in range>.
#
# Example: 206.124.146.177-206.124.146.180
#
# Finally, you may also specify a comma-separated
# list of ranges and/or addresses in this column.
#
# This column may not contain DNS Names.
#
# Normally, Netfilter will attempt to retain
# the source port number. You may cause
# netfilter to remap the source port by following
# an address or range (if any) by ":" and
# a port range with the format <low port>-
# <high port>. If this is done, you must
# specify "tcp" or "udp" in the PROTO column.
#
# Examples:
#
# 192.0.2.4:5000-6000
# :4000-5000
#
# You can invoke the SAME target using the
# following in this column:
#
# SAME:[nodst:]<address-range>[,<address-range>...]
#
# The <address-ranges> may be single addresses.
#
# SAME works like SNAT with the exception that the
# same local IP address is assigned to each connection
# from a local address to a given remote address. If
# the 'nodst:' option is included, then the same source
# address is used for a given internal system regardless
# of which remote system is involved.
#
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.
#
# PROTO -- (Optional) If you wish to restrict this entry to a
# particular protocol then enter the protocol
# name (from /etc/protocols) or number here.
#
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# or UDP (protocol 17) then you may list one
# or more port numbers (or names from
# /etc/services) separated by commas or you
# may list a single port range
# (<low port>:<high port>).
#
# Where a comma-separated list is given, your
# kernel and iptables must have multiport match
# support and a maximum of 15 ports may be
# listed.
#
# IPSEC -- (Optional) If you specify a value other than "-" in this
# column, you must be running kernel 2.6 and
# your kernel and iptables must include policy
# match support.
#
# Comma-separated list of options from the following.
# Only packets that will be encrypted via an SA that
# matches these options will have their source address
# changed.
#
# Yes or yes -- must be the only option listed
# and matches all outbound traffic that will be
# encrypted.
#
# reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
# the SA.
#
# proto=ah|esp|ipcomp
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all
# rules.
#
# next Separates rules; can only be used
# with strict..
#
# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
#
# Your entry in the file can be either:
#
# eth0 eth1
#
# or
#
# eth0 192.168.0.0/24
#
# Example 2:
#
# You add a router to your local network to connect subnet
# 192.168.1.0/24 which you also want to masquerade. You then
# add a second entry for eth0 to this file:
#
# eth0 192.168.1.0/24
#
# Example 3:
#
# You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
#
# ipsec0:10.1.1.0/24 196.168.1.0/24
#
# Example 4:
#
# You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0.
#
# eth0:0 192.168.1.0/24 206.124.146.176
#
# Example 5:
#
# You want all outgoing SMTP traffic entering the firewall
# on eth1 to be sent from eth0 with source IP address
# 206.124.146.177. You want all other outgoing traffic
# from eth1 to be sent from eth0 with source IP address
# 206.124.146.176.
#
# eth0 eth1 206.124.146.177 tcp smtp
# eth0 eth1 206.124.146.176
#
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
# For additional information, see http://shorewall.net/Documentation.htm#Masq
#
###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

27
Shorewall2/modules
View File

@ -1,27 +0,0 @@
##############################################################################
# Shorewall 2.4 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
#
# For additional information, see http://shorewall.net/Documentation.htm#modules
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc
loadmodule ip_set
loadmodule ip_set_iphash
loadmodule ip_set_ipmap
loadmodule ip_set_macipmap
loadmodule ip_set_portmap

47
Shorewall2/nat
View File

@ -1,47 +0,0 @@
##############################################################################
#
# Shorewall 2.4 -- Network Address Translation Table
#
# /etc/shorewall/nat
#
# This file is used to define one-to-one Network Address Translation
# (NAT).
#
# WARNING: If all you want to do is simple port forwarding, do NOT use this
# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
# cases, Proxy ARP is a better solution that one-to-one NAT.
#
# Columns must be separated by white space and are:
#
# EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next
# column and must not be a DNS Name.
#
# INTERFACE Interface that you want to EXTERNAL address to appear
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
# follow the interface name with ":" and a digit to
# indicate that you want Shorewall to add the alias
# with this name (e.g., "eth0:0"). That allows you to
# see the alias with ifconfig. THAT IS THE ONLY THING
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
#
# If you want to override ADD_IP_ALIASES=Yes for a
# particular entry, follow the interface name with
# ":" and no digit (e.g., "eth0:").
# INTERNAL Internal Address (must not be a DNS Name).
#
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
# If No or no (or left empty) then NAT will be effective
# only through the interface named in the INTERFACE
# column
#
# LOCAL If Yes or yes, NAT will be effective from the firewall
# system
#
# For additional information, see http://shorewall.net/NAT.htm
##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

38
Shorewall2/netmap
View File

@ -1,38 +0,0 @@
##############################################################################
#
# Shorewall 2.4 -- Network Mapping Table
#
# /etc/shorewall/netmap
#
# This file is used to map addresses in one network to corresponding
# addresses in a second network.
#
# WARNING: To use this file, your kernel and iptables must have
# NETMAP support included.
#
# Columns must be separated by white space and are:
#
# TYPE Must be DNAT or SNAT.
#
# If DNAT, traffic entering INTERFACE and addressed to
# NET1 has it's destination address rewritten to the
# corresponding address in NET2.
#
# If SNAT, traffic leaving INTERFACE with a source
# address in NET1 has it's source address rewritten to
# the corresponding address in NET2.
#
# NET1 Network in CIDR format (e.g., 192.168.1.0/24)
#
# INTERFACE The name of a network interface. The interface must
# be defined in /etc/shorewall/interfaces.
#
# NET2 Network in CIDR format
#
# See http://shorewall.net/netmap.html for an example and usage
# information.
#
##############################################################################
#TYPE NET1 INTERFACE NET2
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

25
Shorewall2/params
View File

@ -1,25 +0,0 @@
#
# Shorewall 2.4 /etc/shorewall/params
#
# Assign any variables that you need here.
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
#
# Example:
#
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter,norfc1918
#
# Example (/etc/shorewall/interfaces record):
#
# net $NET_IF $NET_BCAST $NET_OPTIONS
#
# The result will be the same as if the record had been written
#
# net eth0 130.252.100.255 routefilter,norfc1918
#
##############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

92
Shorewall2/policy
View File

@ -1,92 +0,0 @@
#
# Shorewall 2.4 -- Policy File
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file . For each
# source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server).
#
# Columns are:
#
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
# ACCEPT - Accept the connection
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other, send
# "port unreachable" ICMP.
# QUEUE - Send the request to a user-space
# application using the QUEUE target.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or destination
# zone in those rules is a superset of
# the SOURCE or DEST in this policy).
# NONE - Assume that there will never be any
# packets from this SOURCE
# to this DEST. Shorewall will not set up
# any infrastructure to handle such
# packets and you may not have any rules
# with this SOURCE and DEST in the
# /etc/shorewall/rules file. If such a
# packet _is_ received, the result is
# undefined. NONE may not be used if the
# SOURCE or DEST columns contain the
# firewall zone ($FW) or "all".
#
# If this column contains ACCEPT, DROP or REJECT and a
# corresponding common action is defined in
# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
# then that action will be invoked before the policy named in
# this column is inforced.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "-" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# Example:
#
# a) All connections from the local network to the internet are allowed
# b) All connections from the internet are ignored but logged at syslog
# level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
#
# #SOURCE DEST POLICY LOG
# # LEVEL
# loc net ACCEPT
# net all DROP info
# #
# # THE FOLLOWING POLICY MUST BE LAST
# #
# all all REJECT info
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
#LAST LINE -- DO NOT REMOVE

76
Shorewall2/providers
View File

@ -1,76 +0,0 @@
##############################################################################
#
# Shorewall 2.4 -- Internet Service Providers
#
# /etc/shorewall/providers
#
# This file is used to define additional routing tables. You will
# want to define an additional table if:
#
# - You have connections to more than one ISP or multiple connections
# to the same ISP
#
# - You run Squid as a transparent proxy on a host other than the
# firewall.
#
# To omit a column, enter "-".
#
# Columns must be separated by white space and are:
#
# NAME The provider name.
#
# NUMBER The provider number -- a number between 1 and 15
#
# MARK A FWMARK value used in your /etc/shorewall/tcrules
# file to direct packets to this provider.
#
# DUPLICATE The name of an existing table to duplicate. May be
# 'main' or the name of a previous provider.
#
# INTERFACE The name of the network interface to the provider.
# Must be listed in /etc/shorewall/interfaces.
#
# GATEWAY The IP address of the provider's gateway router.
#
# You can enter "detect" here and Shorewall will
# attempt to detect the gateway automatically.
#
# OPTIONS A comma-separated list selected from the following:
#
# track If specified, connections FROM this interface are
# to be tracked so that responses may be routed back
# out this same interface.
#
# You want specify 'track' if internet hosts will be
# connecting to local servers through this provider.
#
# balance The providers that have 'default' specified will
# get outbound traffic load-balanced among them. By
# default, all interfaces with 'balance' specified
# will have the same weight (1). You can change the
# weight of an interface by specifiying balance=<weight>
# where <weight> is the weight of the route out of
# this interface.
#
# Example: You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
# interface is eth2
#
# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
# Squid 1 1 - eth2 192.168.2.99 -
#
# Example:
#
# eth0 connects to ISP 1. The IP address of eth0 is 206.124.146.176 and
# the ISP's gateway router has IP address 206.124.146.254.
#
# eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the
# ISP's gateway router has IP address 130.252.99.254.
#
# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
# ISP1 1 1 main eth0 206.124.146.254 track,balance
# ISP2 2 2 main eth1 130.252.99.254 track,balance
#
# For additional information, see http://shorewall.net/Shorewall_and_Routing.html
##############################################################################
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

46
Shorewall2/proxyarp
View File

@ -1,46 +0,0 @@
##############################################################################
#
# Shorewall 2.4 -- Proxy ARP
#
# /etc/shorewall/proxyarp
#
# This file is used to define Proxy ARP.
#
# Columns must be separated by white space and are:
#
# ADDRESS IP Address
#
# INTERFACE Local interface where system is connected. If the
# local interface is obvious from the subnetting,
# you may enter "-" in this column.
#
# EXTERNAL External Interface to be used to access this system
#
# HAVEROUTE If there is already a route from the firewall to
# the host whose address is given, enter "Yes" or "yes"
# in this column. Otherwise, entry "no", "No" or leave
# the column empty and Shorewall will add the route for
# you. If Shorewall adds the route,the route will be
# persistent if the PERSISTENT column contains Yes;
# otherwise, "shorewall stop" or "shorewall clear" will
# delete the route.
#
# PERSISTENT If HAVEROUTE is No or "no", then the value of this
# column determines if the route added by Shorewall
# persists after a "shorewall stop" or a "shorewall
# clear". If this column contains "Yes" or "yes" then
# the route persists; If the column is empty or contains
# "No"or "no" then the route is deleted at "shorewall
# stop" or "shorewall clear".
#
# Example: Host with IP 155.186.235.6 is connected to
# interface eth1 and we want hosts attached via eth0
# to be able to access it using that address.
#
# #ADDRESS INTERFACE EXTERNAL
# 155.186.235.6 eth1 eth0
#
# See http://shorewall.net/ProxyARP.htm for additional information.
##############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

367
Shorewall2/releasenotes.txt
View File

@ -1,367 +0,0 @@
Shorewall 2.4.0
-----------------------------------------------------------------------
Problems Corrected since 2.4.0-RC2
1) Previously, "shorewall status" could list the same routing table's
contents more than once.
-----------------------------------------------------------------------
Upgrade Issues when moving to 2.4.0
1) Shorewall now enforces the restriction that mark values used in
/etc/shorewall/tcrules are less than 256. If you are using mark
values >= 256, you must change your configuration before you
upgrade.
2) The value "ipp2p" is no longer accepted in the PROTO column of the
rules file. This support has never worked as intended and filtering
P2P applications this way is a bad idea to begin with (you should be
using a proxy).
3) LEAF/Bering packages for version 2.4.0 and later will not be
available from shorewall.net. See http://leaf.sf.net for the lastest
version of Shorewall for LEAF variants.
-----------------------------------------------------------------------
New Features in version 2.4.0
1) Shorewall 2.4.0 includes support for multiple internet interfaces to
different ISPs.
The file /etc/shorewall/providers may be used to define the
different providers. It can actually be used to define alternate
routing tables so uses like transparent proxy can use the file as
well.
Columns are:
NAME The provider name.
NUMBER The provider number -- a number between 1 and 15
MARK A FWMARK value used in your
/etc/shorewall/tcrules file to direct packets to
this provider.
DUPLICATE The name of an existing table to duplicate. May
be 'main' or the name of a previous provider.
INTERFACE The name of the network interface to the
provider. Must be listed in
/etc/shorewall/interfaces.
GATEWAY The IP address of the provider's gateway router.
If you enter "detect" here then Shorewall will
attempt to determine the gateway IP address
automatically.
OPTIONS A comma-separated list selected from the
following:
track If specified, connections FROM this interface are
to be tracked so that responses may be routed
back out this same interface.
You want specify 'track' if internet hosts will be
connecting to local servers through this
provider.
Because of limitations in the 'ip' utility and
policy routing, you may not use the SAVE or
RESTORE tcrules options or use connection
marking on any traffic to or from this
interface. For traffic control purposes, you
must mark packets in the FORWARD chain (or
better yet, use the CLASSIFY target).
balance The providers that have 'balance' specified will
get outbound traffic load-balanced among them. By
default, all interfaces with 'balance' specified
will have the same weight (1). You can change the
weight of the route out of the interface by
specifiying balance=<weight> where <weight> is
the desired route weight.
Example: You run squid in your DMZ on IP address
192.168.2.99. Your DMZ interface is eth2
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
Squid 1 1 - eth2 192.168.2.99 -
Use of this feature requires that your kernel and iptables
support CONNMARK target and conntrack match support. It does NOT
require the ROUTE target extension.
WARNING: The current version of iptables (1.3.1) is broken with
respect to CONNMARK and iptables-save/iptables-restore. This means
that if you configure multiple ISPs, "shorewall restore" will
fail. You must patch your iptables using the patch at
http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff.
2) Shorewall 2.3.0 supports the 'cmd-owner' option of the owner match
facility in Netfilter. Like all owner match options, 'cmd-owner' may
only be applied to traffic that originates on the firewall.
The syntax of the USER/GROUP column in the following files has been
extended:
/etc/shorewall/accounting
/etc/shorewall/rules
/etc/shorewall/tcrules
/usr/share/shorewall/action.template
To specify a command, prefix the command name with "+".
Examples:
+mozilla-bin #The program is named "mozilla-bin"
joe+mozilla-bin #The program is named "mozilla-bin" and
#is being run by user "joe"
joe:users+mozilla-bin #The program is named "mozilla-bin" and
#is being run by user "joe" with
#effective group "users".
Note that this is not a particularly robust feature and I would
never advertise it as a "Personal Firewall" equivalent. Using
symbolic links, it's easy to alias command names to be anything you
want.
3) Support has been added for ipsets
(see http://people.netfilter.org/kadlec/ipset/).
In most places where a host or network address may be used, you may
also use the name of an ipset prefaced by "+".
Example: "+Mirrors"
The name of the set may be optionally followed by:
a) a number from 1 to 6 enclosed in square brackets ([]) -- this
number indicates the maximum number of ipset binding levels that
are to be matched. Depending on the context where the ipset name
is used, either all "src" or all "dst" matches will be used.
Example: "+Mirrors[4]"
b) a series of "src" and "dst" options separated by commas and
inclosed in square brackets ([]). These will be passed directly
to iptables in the generated --set clause. See the ipset
documentation for details.
Example: "+Mirrors[src,dst,src]"
Note that "+Mirrors[4]" used in the SOURCE column of the rules
file is equivalent to "+Mirrors[src,src,src,src]".
To generate a negative match, prefix the "+" with "!" as in
"!+Mirrors".
Example 1: Blacklist all hosts in an ipset named "blacklist"
/etc/shorewall/blacklist
#ADDRESS/SUBNET PROTOCOL PORT
+blacklist
Example 2: Allow SSH from all hosts in an ipset named "sshok:
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT +sshok fw tcp 22
Shorewall can automatically capture the contents of your ipsets for
you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf
then "shorewall save" will save the contents of your ipsets. The file
where the sets are saved is formed by taking the name where the
Shorewall configuration is stored and appending "-ipsets". So if you
enter the command "shorewall save standard" then your Shorewall
configuration will be saved in /var/lib/shorewall/standard and your
ipset contents will be saved in /var/lib/shorewall/standard-ipsets.
Assuming the default RESTOREFILE setting, if you just enter
"shorewall save" then your Shorewall configuration will be saved in
/var/lib/shorewall/restore and your ipset contents will be saved in
/var/lib/shorewall/restore-ipsets.
Regardless of the setting of SAVE_IPSETS, the "shorewall -f start"
and "shorewall restore" commands will restore the ipset contents
corresponding to the Shorewall configuration restored provided that
the saved Shorewall configuration specified exists.
For example, "shorewall restore standard" would restore the ipset
contents from /var/lib/shorewall/standard-ipsets provided that
/var/lib/shorewall/standard exists and is executable and that
/var/lib/shorewall/standard-ipsets exists and is executable.
Also regardless of the setting of SAVE_IPSETS, the "shorewall forget"
command will purge the saved ipset information (if any) associated
with the saved shorewall configuration being removed.
You can also associate ipset contents with Shorewall configuration
directories using the following command:
ipset -S > <config directory>/ipsets
Example:
ipset -S > /etc/shorewall/ipsets
When you start or restart Shorewall (including using the 'try'
command) from the configuration directory, your ipsets will be
configured from the saved ipsets file. Once again, this behavior is
independent of the setting of SAVE_IPSETS.
Ipsets are well suited for large blacklists. You can maintain your
blacklist using the 'ipset' utility without ever having to restart
or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be
sure to "shorewall save" after altering the blacklist ipset(s).
Example /etc/shorewall/blacklist:
#ADDRESS/SUBNET PROTOCOL PORT
+Blacklist[src,dst]
+Blacklistnets[src,dst]
Create the blacklist ipsets using:
ipset -N Blacklist iphash
ipset -N Blacklistnets nethash
Add entries
ipset -A Blacklist 206.124.146.177
ipset -A Blacklistnets 206.124.146.0/24
To allow entries for individual ports
ipset -N SMTP portmap --from 1 --to 31
ipset -A SMTP 25
ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP
Now only port 25 will be blocked from 206.124.146.177.
4) Shorewall 2.4.0 can now configure routing if your kernel and
iptables support the ROUTE target extension. This extension is
available in Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since
the Netfilter team have no intention of ever releasing the ROUTE
target extension to kernel.org.
Routing is configured using the /etc/shorewall/routes file. Columns
in the file are as follows:
SOURCE Source of the packet. May be any of the
following:
- A host or network address
- A network interface name.
- The name of an ipset prefaced with "+"
- $FW (for packets originating on the firewall)
- A MAC address in Shorewall format
- A range of IP addresses (assuming that your
kernel and iptables support range match)
- A network interface name followed by ":"
and an address or address range.
DEST Destination of the packet. May be any of the
following:
- A host or network address
- A network interface name (determined from
routing table(s))
- The name of an ipset prefaced with "+"
- A network interface name followed by ":"
and an address or address range.
PROTO Protocol - Must be "tcp", "udp", "icmp",
"ipp2p", a number, or "all". "ipp2p" requires
ipp2p match support in your kernel and
iptables.
PORT(S) Destination Ports. A comma-separated list of
Port names (from /etc/services), port numbers
or port ranges; if the protocol is "icmp", this
column is interpreted as the destination
icmp-type(s).
If the protocol is ipp2p, this column is
interpreted as an ipp2p option without the
leading "--" (example "bit" for bit-torrent).
If no PORT is given, "ipp2p" is assumed.
This column is ignored if PROTOCOL = all but
must be entered if any of the following field
is supplied. In that case, it is suggested that
this field contain "-"
SOURCE PORT(S) (Optional) Source port(s). If omitted,
any source port is acceptable. Specified as a
comma-separated list of port names, port
numbers or port ranges.
TEST Defines a test on the existing packet or
connection mark.
The rule will match only if the test returns
true. Tests have the format
[!]<value>[/<mask>][:C]
Where:
! Inverts the test (not equal)
<value> Value of the packet or
connection mark.
<mask> A mask to be applied to the
mark before testing
:C Designates a connection
mark. If omitted, the packet
mark's value is tested.
INTERFACE The interface that the packet is to be routed
out of. If you do not specify this field then
you must place "-" in this column and enter an
IP address in the GATEWAY column.
GATEWAY The gateway that the packet is to be forewarded
through.
5) Normally when Shorewall is stopped, starting or restarting then
connections are allowed from hosts listed in
/etc/shorewall/routestopped to the firewall and to other hosts
listed in /etc/shorewall/routestopped.
A new 'source' option is added for entries in that file which will
cause Shorewall to allow traffic from the host listed in the entry
to ANY other host. When 'source' is specified in an entry, it is
unnecessary to also specify 'routeback'.
Similarly, a new 'dest' option is added which will cause Shorewall
to allow traffic to the host listed in the entry from ANY other
host. When 'source' is specified in an entry, it is unnecessary to
also specify 'routeback'.
6) This change was implemented by Lorenzo Martignoni. It provides two
new commands: "safe-start" and "safe-restart".
safe-start starts Shorewall then prompts you to ask you if
everything looks ok. If you answer "no" or if you don't answer
within 60 seconds, a "shorewall clear" is executed.
safe-restart saves your current configuration to
/var/lib/shorewall/safe-restart then issues a "shorewall restart";
It then prompts you to ask if you if you want to accept the new
configuration. If you answer "no" or if you don't answer within 60
seconds, the configuration is restored to its prior state.
These new commands require either that your /bin/sh supports the
"-t" option to the 'read' command or that you have /bin/bash
installed.

45
Shorewall2/rfc1918
View File

@ -1,45 +0,0 @@
#
# Shorewall 2.4 -- RFC1918 File
#
# /etc/shorewall/rfc1918
#
# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
#
# The default list includes those IP addresses listed in RFC 1918.
#
# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
# TO /etc/shorewall AND MODIFY THE COPY.
#
# Columns are:
#
# SUBNETS A comma-separated list of subnet addresses
# (host addresses also allowed as are IP
# address ranges provided that your kernel and iptables
# have iprange match support).
# TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally
# DROP - silently drop the packet
# logdrop - log then drop
#
# By default, the RETURN target causes 'norfc1918' processing to cease for a
# packet if the packet's source IP address matches the rule. Thus, if you have:
#
# SUBNETS TARGET
# 192.168.1.0/24 RETURN
#
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
# also have:
#
# SUBNETS TARGET
# 10.0.0.0/8 logdrop
#
# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to be
# logged and dropped since while the packet's source matches the RETURN rule,
# the packet's destination matches the 'logdrop' rule.
#
################################################################################
#SUBNETS TARGET
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

94
Shorewall2/routes
View File

@ -1,94 +0,0 @@
#
# Shorewall version 2.4 - Routing Rules
#
# /etc/shorewall/routes
#
# Entries in this file cause packets to be routed in non-standard
# ways.
#
# I M P O R T A N T ! ! ! !
#
# In order to use entries in this file, your kernel and iptables must
# have ROUTE target support (see the output of "shorewall show
# capabilities").
#
# This facility is *EXPERIMENTAL* -- the Netfilter team have no intention
# of ever submitting the ROUTE target patch to kernel.org.
#
# To omit any column, enter "-" in that column.
#
# Columns are:
#
#
# SOURCE Source of the packet. May be any of the following:
#
# - A host or network address
# - A network interface name.
# - The name of an ipset prefaced with "+"
# - $FW (for packets originating on the firewall)
# - A MAC address in Shorewall format
# - A range of IP addresses (assuming that your
# kernel and iptables support range match)
# - A network interface name followed by ":"
# and an address or address range.
#
# DEST Destination of the packet. May be any of the
# following:
#
# - A host or network address
# - A network interface name (determined from
# routing table(s))
# - The name of an ipset prefaced with "+"
# - A network interface name followed by ":"
# and an address or address range.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
#
# PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# Port ranges are allowed in a list only if your
# kernel and iptables support Extended Multi-port
# match (see the output of "shorewall show capabilities").
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example "bit"
# for bit-torrent). If no PORT is given, "ipp2p" is
# assumed.
#
# SOURCE PORT(S) Source port(s). If omitted, any source port is acceptable.
# Specified as a comma-separated list of port names, port
# numbers or port ranges.
#
# Port ranges are allowed in a list only if your
# kernel and iptables support Extended Multi-port
# match (see the output of "shorewall show capabilities").
#
# TEST Defines a test on the existing packet or connection mark.
# The rule will match only if the test returns true. Tests
# have the format [!]<value>[/<mask>][:C]
#
# Where:
#
# ! Inverts the test (not equal)
# <value> Value of the packet or connection mark.
# <mask> A mask to be applied to the mark before
# testing
# :C Designates a connection mark. If omitted,
# the packet mark's value is tested.
#
# INTERFACE The interface that the packet is to be routed out of.
# If you specify "-" here, then you must enter the IP address
# of a gateway in the GATEWAY column.
#
# GATEWAY The gateway that the packet is to be forewarded through.
#
# See http://shorewall.net/Shorewall_and_Routing.html for additional information.
#######################################################################################
#SOURCE DEST PROTO PORT(S) SOURCE TEST INTERFACE GATEWAY
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

53
Shorewall2/routestopped
View File

@ -1,53 +0,0 @@
##############################################################################
#
# Shorewall 2.4 -- Hosts Accessible when the Firewall is Stopped
#
# /etc/shorewall/routestopped
#
# This file is used to define the hosts that are accessible when the
# firewall is stopped or when it is in the process of being
# [re]started.
#
# Columns must be separated by white space and are:
#
# INTERFACE - Interface through which host(s) communicate with
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# addresses. If your kernel and iptables include
# iprange match support, IP address ranges are also
# allowed.
#
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
# OPTIONS - (Optional) A comma-separated list of
# options. The currently-supported options are:
#
# routeback - Set up a rule to ACCEPT traffic from
# these hosts back to themselves.
#
# source - Allow traffic from these hosts to ANY
# destination. Without this option or the 'dest'
# option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If
# 'source' is specified then 'routeback' is redundent.
#
# dest - Allow traffic to these hosts from ANY
# source. Without this option or the 'source'
# option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If
# 'dest' is specified then 'routeback' is redundent.
#
# Example:
#
# INTERFACE HOST(S) OPTIONS
# eth2 192.168.1.0/24
# eth0 192.0.2.44
# br0 - routeback
# eth3 - source
#
# See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
##############################################################################
#INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

371
Shorewall2/rules
View File

@ -1,371 +0,0 @@
#
# Shorewall version 2.4 - Rules File
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking. For any
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first match is the one
# that determines the disposition of the request.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead.
#-------------------------------------------------------------------------------#
# Columns are:
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
# LOG, QUEUE or an <action>.
#
# ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
# connection from any subsequent
# DNAT[-] or REDIRECT[-] rules
# NONAT -- Excludes the connection from any
# subsequent DNAT[-] or REDIRECT[-]
# rules but doesn't generate a rule
# to accept the traffic.
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# SAME -- Similar to DNAT except that the
# port may not be remapped and when
# multiple server addresses are
# listed, all requests from a given
# remote system go to the same
# server.
# SAME- -- Advanced users only.
# Like SAME but only generates the
# NAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# REDIRECT-
# -- Advanced users only.
# Like REDIRET but only generates the
# REDIRECT iptables rule and not
# the companion ACCEPT rule.
#
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
# The source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as ftwall
# (http://p2pwall.sf.net).
# <action> -- The name of an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std.
#
# The ACTION may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# DNAT:debug). This causes the packet to be
# logged at the specified level.
#
# If the ACTION names an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std then:
#
# - If the log level is followed by "!' then all rules
# in the action are logged at the log level.
#
# - If the log level is not followed by "!" then only
# those rules in the action that do not specify
# logging are logged at the specified level.
#
# - The special log level 'none!' suppresses logging
# by the action.
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, "all" or "none" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
#
# Except when "all" is specified, clients may be further
# restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# Hosts may be specified as an IP address range using the
# syntax <low address>-<high address>. This requires that
# your kernel and iptables contain iprange match support.
# If you kernel and iptables have ipset match support then
# you may give the name of an ipset prefaced by "+". The
# ipset name may be optionally followed by a number from
# 1 to 6 enclosed in square brackets ([]) to indicate the
# number of levels of source bindings to be matched.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# net:192.0.2.11-192.0.2.17
# Hosts 192.0.2.11-192.0.2.17 in
# the net zone.
#
# Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself, "all" or "none".
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
#
# Except when "all" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
# interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
# 3. You may not specify both an interface and
# an address.
#
# Like in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# the connections will be assigned to addresses in the
# range in a round-robin fashion.
#
# If you kernel and iptables have ipset match support then
# you may give the name of an ipset prefaced by "+". The
# ipset name may be optionally followed by a number from
# 1 to 6 enclosed in square brackets ([]) to indicate the
# number of levels of destination bindings to be matched.
# Only one of the SOURCE and DEST columns may specify an
# ipset name.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the
# destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
#
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# if the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ORIGINAL DEST in the next column, then place
# "-" in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then
# if included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the DEST column.
#
# A comma-separated list of addresses may also be used.
# This is usually most useful with the REDIRECT target
# where you want to redirect traffic destined for
# particular set of hosts.
#
# Finally, if the list of addresses begins with "!" then
# the rule will be followed only if the original
# destination address in the connection request does not
# match any of the addresses listed.
#
# For other actions, this column may be included and may
# contain one or more addresses (host or network)
# separated by commas. Address ranges are not allowed.
# When this column is supplied, rules are generated
# that require that the original destination address matches
# one of the listed addresses. This feature is most useful when
# you want to generate a filter rule that corresponds to a
# DNAT- or REDIRECT- rule. In this usage, the list of
# addresses should not begin with "!".
#
# See http://shorewall.net/PortKnocking.html for an
# example of using an entry in this column with a
# user-defined action rule.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this colume:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named 'upnpd'
#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Forward all http connection requests from the internet
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# # PORT PORT(S) DEST LIMIT
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
#
# Example: You want to accept SSH connections to your firewall only
# from internet IP addresses 130.252.100.69 and 130.252.100.70
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22
####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

1505
Shorewall2/shorewall
View File

File diff suppressed because it is too large Load Diff

854
Shorewall2/shorewall.conf
View File

@ -1,854 +0,0 @@
##############################################################################
# /etc/shorewall/shorewall.conf V2.4 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
##############################################################################
# S T A R T U P E N A B L E D
##############################################################################
# Once you have configured Shorewall, you may change the setting of
# this variable to 'Yes'
STARTUP_ENABLED=No
##############################################################################
# L O G G I N G
##############################################################################
#
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value.
#
# These levels are defined by syslog and are used to determine the destination
# of the messages through entries in /etc/syslog.conf (5). The syslog
# documentation refers to these as "priorities"; Netfilter calls them "levels"
# and Shorewall also uses that term.
#
# Valid levels are:
#
# 7 debug
# 6 info
# 5 notice
# 4 warning
# 3 err
# 2 crit
# 1 alert
# 0 emerg
#
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
# log messages are generated by NetFilter and are logged using facility
# 'kern' and the level that you specifify. If you are unsure of the level
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number.
#
# If you have built your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available with most Linux distributions (although it probably isn't
# installed by default). Ulogd is also available from
# http://www.gnumonks.org/projects/ulogd and can be configured to log all
# Shorewall message to their own log file
################################################################################
#
# LOG FILE LOCATION
#
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/shorewall_logging.html
LOGFILE=/var/log/messages
#
# LOG FORMAT
#
# Shell 'printf' Formatting template for the --log-prefix value in log messages
# generated by Shorewall to identify Shorewall log messages. The supplied
# template is expected to accept either two or three arguments; the first is
# the chain name, the second (optional) is the logging rule number within that
# chain and the third is the ACTION specifying the disposition of the packet
# being logged. You must use the %d formatting type for the rule number; if your
# template does not contain %d then the rule number will not be included.
#
# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
#
# LOGFORMAT="fp=%s:%d a=%s "
#
# If not specified or specified as empty (LOGFORMAT="") then the value
# "Shorewall:%s:%s:" is assumed.
#
# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
# to but not including the first '%') to find log messages in the 'show log',
# 'status' and 'hits' commands. This part should not be omitted (the
# LOGFORMAT should not begin with "%") and the leading part should be
# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
LOGFORMAT="Shorewall:%s:%s:"
#
# LOG FORMAT Continued
#
# Using the default LOGFORMAT, chain names may not exceed 11 characters or
# truncation of the log prefix may occur. Longer chain names may be used with
# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is
# specified then the tag is included in the log prefix in place of the chain
# name.
#
LOGTAGONLY=No
#
# LOG RATE LIMITING
#
# The next two variables can be used to control the amount of log output
# generated. LOGRATE is expressed as a number followed by an optional
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
# rate at which a particular message will occur. LOGBURST determines the
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# If BOTH variables are set empty then logging will not be rate-limited.
#
# Example:
#
# LOGRATE=10/minute
# LOGBURST=5
#
# For each logging rule, the first time the rule is reached, the packet
# will be logged; in fact, since the burst is 5, the first five packets
# will be logged. After this, it will be 6 seconds (1 minute divided by
# the rate of 10) before a message will be logged from the rule, regardless
# of how many packets reach it. Also, every 6 seconds which passes without
# matching a packet, one of the bursts will be regained; if no packets hit
# the rule for 30 seconds, the burst will be fully recharged; back where
# we started.
#
LOGRATE=
LOGBURST=
#
# LOG ALL NEW
#
# This option should only be used when you are trying to analyze a problem.
# It causes all packets in the Netfilter NEW state to be logged as the
# first rule in each builtin chain. To use this option, set LOGALLNEW to
# the log level that you want these packets logged at (e.g.,
# LOGALLNEW=debug).
#
LOGALLNEW=
#
# BLACKLIST LOG LEVEL
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beware of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
# See the comment at the top of this section for a description of log levels
#
BLACKLIST_LOGLEVEL=
#
# LOGGING 'New not SYN' rejects
#
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# See the comment at the top of this section for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN=info
#
# MAC List Log Level
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
# See the comment at the top of this section for a description of log levels
#
MACLIST_LOG_LEVEL=info
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
# See the comment at the top of this section for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=info
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this section for a description of log levels
#
RFC1918_LOG_LEVEL=info
#
# SMURF Log Level
#
# Specifies the logging level for smurf packets dropped by the
#'nosmurfs' interface option in /etc/shorewall/interfaces and in
# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""
# ) then dropped smurfs are not logged.
#
# See the comment at the top of this section for a description of log levels
#
SMURF_LOG_LEVEL=info
#
# BOGON Log Level
#
# Specifies the logging level for bogon packets dropped by the
#'nobogons' interface option in /etc/shorewall/interfaces and in
# /etc/shorewall/hosts. If set to the empty value
# ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop'
# in /usr/share/shorewall/bogons are logged at the 'info' level.
#
# See the comment at the top of this section for a description of log levels
#
BOGON_LOG_LEVEL=info
#
# MARTIAN LOGGING
#
# Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets
# that have impossible source IP addresses. This logging may be enabled
# on individual interfaces by using the 'logmartians' option in
# /etc/shorewall/interfaces.
#
LOG_MARTIANS=No
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
#
# IPTABLES
#
# Full path to iptables executable Shorewall uses to build the firewall. If
# not specified or if specified with an empty value (e.g., IPTABLES="") then
# the iptables executable located via the PATH setting below is used.
#
IPTABLES=
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# SHELL
#
# The firewall script is normally interpreted by /bin/sh. If you wish to change
# the shell used to interpret that script, specify the shell here.
SHOREWALL_SHELL=/bin/sh
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
# use lock files, set this to "".
#
SUBSYSLOCK=/var/lock/subsys/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/var/lib/shorewall
#
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=
#
# CONFIGURATION SEARCH PATH
#
# This option holds a list of directory names separated by colons
# (":"). Shorewall will search each directory in turn when looking for a
# configuration file. When processing a 'try' command or a command
# containing the "-c" option or that specifies a configuration directory,
# Shorewall will automatically add the directory specified in the command
# to the front of this list.
#
# If not specified or specified as null ("CONFIG_PATH=""),
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
#
# RESTORE SCRIPT
#
# This option determines the script to be run in the following cases:
#
# shorewall -f start
# shorewall restore
# shorewall save
# shorewall forget
# Failure of shorewall start or shorewall restart
#
# The value of the option must be the name of an executable file in the
# directory /var/lib/shorewall. If this option is not set or if it is
# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
# assumed.
RESTOREFILE=
################################################################################
# F I R E W A L L O P T I O N S
################################################################################
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
#
# ENABLE IP FORWARDING
#
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
# say "Off" or "off", packet forwarding will be disabled. You would only want
# to disable packet forwarding if you are installing Shorewall on a
# standalone system or if you want all traffic through the Shorewall system
# to be handled by proxies.
#
# If you set this variable to "Keep" or "keep", Shorewall will neither
# enable nor disable packet forwarding.
#
IP_FORWARDING=On
#
# AUTOMATICALLY ADD NAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases youself.
#
ADD_IP_ALIASES=Yes
#
# AUTOMATICALLY ADD SNAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
# you are sure that you need it -- most people don't!!!
#
ADD_SNAT_ALIASES=No
#
# RETAIN EXISTING ALIASES/IP ADDRESSES
#
# Normally, when ADD_IP_ALIASES=Yes and/or ADD_SNAT_ALIASES=Yes then Shorewall
# will first delete the address then re-add it. This is to ensure that the
# address is added with the specified label. Unfortunately, this can cause
# problems if it results in the deletion of the last IP address on an
# interface because then all routes through the interface are automatically
# removed.
#
# You can cause Shorewall to retain existing addresses by setting
# RETAIN_ALIASES=Yes.
#
RETAIN_ALIASES=No
#
# ENABLE TRAFFIC SHAPING
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities).
TC_ENABLED=No
#
# Clear Traffic Shapping/Control
#
# If this option is set to 'No' then Shorewall won't clear the current
# traffic control rules during [re]start. This setting is intended
# for use by people that prefer to configure traffic shaping when
# the network interfaces come up rather than when the firewall
# is started. If that is what you want to do, set TC_ENABLED=Yes and
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
# way, your traffic shaping rules can still use the 'fwmark'
# classifier based on packet marking defined in /etc/shorewall/tcrules.
#
# If omitted, CLEAR_TC=Yes is assumed.
CLEAR_TC=Yes
#
# Mark Packets in the forward chain
#
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
#
# MSS CLAMPING
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
# have CONFIG_IP_NF_TARGET_TCPMSS set.
#
# [From the kernel help:
#
# This option adds a `TCPMSS' target, which allows you to alter the
# MSS value of TCP SYN packets, to control the maximum size for that
# connection (usually limiting it to your outgoing interface's MTU
# minus 40).
#
# This is used to overcome criminally braindead ISPs or servers which
# block ICMP Fragmentation Needed packets. The symptoms of this
# problem are that everything works fine from your Linux
# firewall/router, but machines behind it can never exchange large
# packets:
# 1) Web browsers connect, then hang with no data received.
# 2) Small mail works fine, but large emails hang.
# 3) ssh works fine, but scp hangs after initial handshaking.
# ]
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
# You may also set this option to a numeric value in which case Shorewall will
# set up a rule to modify the MSS value in SYN packets to the value that
# you specify.
#
# Example:
#
# CLAMPMSS=1400
#
CLAMPMSS=No
#
# ROUTE FILTERING
#
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces started while Shorewall is started (anti-spoofing measure).
#
# If this variable is not set or is set to the empty value, "No" is assumed.
# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
# on individual interfaces using the 'routefilter' option in the
# /etc/shorewall/interfaces file.
ROUTE_FILTER=No
# DNAT IP ADDRESS DETECTION
#
# Normally when Shorewall encounters the following rule:
#
# DNAT net loc:192.168.1.3 tcp 80
#
# it will forward TCP port 80 connections from the net to 192.168.1.3
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
# convenient for two reasons:
#
# a) If the the network interface has a dynamic IP address, the
# firewall configuration will work even when the address
# changes.
#
# b) It saves having to configure the IP address in the rule
# while still allowing the firewall to be started before the
# internet interface is brought up.
#
# This default behavior can also have a negative effect. If the
# internet interface has more than one IP address then the above
# rule will forward connection requests on all of these addresses;
# that may not be what is desired.
#
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
# only if the original destination address is the primary IP address of
# one of the interfaces associated with the source zone. Note that this
# requires all interfaces to the source zone to be up when the firewall
# is [re]started.
DETECT_DNAT_IPADDRS=No
#
# MUTEX TIMEOUT
#
# The value of this variable determines the number of seconds that programs
# will wait for exclusive access to the Shorewall lock file. After the number
# of seconds corresponding to the value of this variable, programs will assume
# that the last program to hold the lock died without releasing the lock.
#
# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
#
# An appropriate value for this parameter would be twice the length of time
# that it takes your firewall system to process a "shorewall restart" command.
MUTEX_TIMEOUT=60
#
# NEWNOTSYN
#
# TCP connections are established using the familiar three-way "handshake":
#
# CLIENT SERVER
#
# SYN-------------------->
# <------------------SYN,ACK
# ACK-------------------->
#
# The first packet in that exchange (packet with the SYN flag on and the ACK
# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
# A packet is said to be NEW if it is not part of or related to an already
# established connection.
#
# The NEWNOTSYN option determines the handling of non-SYN packets (those with
# SYN off or with ACK or RST on) that are not associated with an already
# established connection.
#
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
# part of an already established connection will be dropped by the
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
# logged before they are dropped.
#
# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
# dropped but will pass through the normal rule/policy processing.
#
# Users with a High-availability setup with two firewall's and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes.
#
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
# network or host basis using the same option in /etc/shorewall/hosts.
#
# I find that NEWNOTSYN=No tends to result in lots of "stuck"
# connections because any network timeout during TCP session tear down
# results in retries being dropped (Netfilter has removed the
# connection from the conntrack table but the end-points haven't
# completed shutting down the connection). I therefore have chosen
# NEWNOTSYN=Yes as the default value.
NEWNOTSYN=Yes
#
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
#
# Normally, when a "shorewall stop" command is issued or an error occurs during
# the execution of another shorewall command, Shorewall puts the firewall into
# a state where only traffic to/from the hosts listed in
# /etc/shorewall/routestopped is accepted.
#
# When performing remote administration on a Shorewall firewall, it is
# therefore recommended that the IP address of the computer being used for
# administration be added to the firewall's /etc/shorewall/routestopped file.
#
# Some administrators have a hard time remembering to do this with the result
# that they get to drive across town in the middle of the night to restart
# a remote firewall (or worse, they have to get someone out of bed to drive
# across town to restart a very remote firewall).
#
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
# when the firewall enters the 'stopped' state:
#
# All traffic that is part of or related to established connections is still
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
# to and from hosts listed in /etc/shorewall/routestopped.
#
# If this variable is not set or it is set to the null value then
# ADMINISABSENTMINDED=No is assumed.
#
ADMINISABSENTMINDED=Yes
#
# BLACKLIST Behavior
#
# Shorewall offers two types of blacklisting:
#
# - static blacklisting through the /etc/shorewall/blacklist file together
# with the 'blacklist' interface option.
# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
#
# The following variable determines whether the blacklist is checked for each
# packet or for each new connection.
#
# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection
# requests
#
# BLACKLISTNEWONLY=No Consult blacklists for all packets.
#
# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
# BLACKLISTNEWONLY=No is assumed.
#
BLACKLISTNEWONLY=Yes
#
# Users with a large blacklist find that "shorwall [re]start" takes a long
# time and that new connections are disabled during that time. By setting
# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
# before loading the blacklist.
DELAYBLACKLISTLOAD=No
# MODULE NAME SUFFIX
#
# When loading a module named in /etc/shorewall/modules, Shorewall normally
# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
# end in ".o", ".ko", ".gz", "o.gz" or "ko.gz" . If your distribution uses a
# different naming convention then you can specify the suffix (extension) for
# module names in this variable.
#
# To see what suffix is used by your distribution:
#
# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
#
# All of the file names listed should have the same suffix (extension). Set
# MODULE_SUFFIX to that suffix.
#
# Examples:
#
# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
#
MODULE_SUFFIX=
#
# DISABLE IPV6
#
# Distributions (notably SuSE) are beginning to ship with IPV6
# enabled. If you are not using IPV6, you are at risk of being
# exploited by users who do. Setting DISABLE_IPV6=Yes will cause
# Shorewall to disable IPV6 traffic to/from and through your
# firewall system. This requires that you have ip6tables installed.
DISABLE_IPV6=Yes
#
# BRIDGING
#
# If you wish to control traffic through a bridge (see http://bridge.sf.net),
# then set BRIDGING=Yes. Your kernel must have the physdev match option
# enabled; that option is available at the above URL for 2.4 kernels and
# is included as a standard part of the 2.6 series kernels. If not
# specified or specified as empty (BRIDGING="") then "No" is assumed.
#
BRIDGING=No
#
# DYNAMIC ZONES
#
# If you need to be able to add and delete hosts from zones dynamically then
# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
DYNAMIC_ZONES=No
#
# USE PKTTYPE MATCH
#
# Some users have reported problems with the PKTTYPE match extension not being
# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall
# will use IP addresses to detect broadcasts rather than pkttype. If not given
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
PKTTYPE=Yes
#
# DROP INVALID PACKETS
#
# Netfilter classifies packets relative to its connection tracking table into
# four states:
#
# NEW - thes packet initiates a new connection
# ESTABLISHED - thes packet is part of an established connection
# RELATED - thes packet is related to an established connection; it may
# establish a new connection
# INVALID - the packet does not related to the table in any sensible way.
#
# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
# Window analysis. This can cause packets that were previously classified as
# NEW or ESTABLISHED to be classified as INVALID.
#
# The new kernel code can be disabled by including this command in your
# /etc/shorewall/init file:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
#
# Additional kernel logging about INVALID TCP packets may be obtained by
# adding this command to /etc/shorewall/init:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
#
# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
# option allows INVALID packets to be passed through the normal rules chains by
# setting DROPINVALID=No.
#
# If not specified or if specified as empty (e.g., DROPINVALID="") then
# DROPINVALID=Yes is assumed.
DROPINVALID=No
#
# RFC 1918 BEHAVIOR
#
# Traditionally, the RETURN target in the 'rfc1918' file has caused 'norfc1918'
# processing to cease for a packet if the packet's source IP address matches
# the rule. Thus, if you have:
#
# SUBNETS TARGET
# 192.168.1.0/24 RETURN
#
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
# also have:
#
# SUBNETS TARGET
# 10.0.0.0/8 logdrop
#
# Setting RFC1918_STRICT=Yes will cause such traffic to be logged and dropped
# since while the packet's source matches the RETURN rule, the packet's
# destination matches the 'logdrop' rule.
#
# If not specified or specified as empty (e.g., RFC1918_STRICT="") then
# RFC1918_STRICT=No is assumed.
#
# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
# 'conntrack state' match.
RFC1918_STRICT=No
#
# MACLIST caching
#
# If your iptables and kernel support the "Recent Match" (see the output of
# "shorewall check" near the top), you can cache the results of a 'maclist'
# file lookup and thus reduce the overhead associated with MAC Verification
# (/etc/shorewall/maclist).
#
# When a new connection arrives from a 'maclist' interface, the packet passes
# through then list of entries for that interface in /etc/shorewall/maclist. If
# there is a match then the source IP address is added to the 'Recent' set for
# that interface. Subsequent connection attempts from that IP address occuring
# within $MACLIST_TTL seconds will be accepted without having to scan all of
# the entries. After $MACLIST_TTL from the first accepted connection request,
# the next connection request from that IP address will be checked against
# the entire list.
#
# If MACLIST_TTL is not specified or is specified as empty (e.g,
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
# be cached.
MACLIST_TTL=
#
# Save/Restore IPSETS
#
# If SAVE_IPSETS=Yes then Shorewall will:
#
# Restore the last saved ipset contents during "shorewall [re]start"
# Save the current ipset contents during "shorewall save"
#
# Regardless of the setting of SAVE_IPSETS, if ipset contents were
# saved during a "shorewall save" then they will be restored during
# a subsequent "shorewall restore".
SAVE_IPSETS=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
#
# BLACKLIST DISPOSITION
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
#
# MAC List Disposition
#
# This variable determines the disposition of connection requests arriving
# on interfaces that have the 'maclist' option and that are from a device
# that is not listed for that interface in /etc/shorewall/maclist. Valid
# values are ACCEPT, DROP and REJECT. If not specified or specified as
# empty (MACLIST_DISPOSITION="") then REJECT is assumed
MACLIST_DISPOSITION=REJECT
#
# TCP FLAGS Disposition
#
# This variable determins the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the
# 'tcpflags' option specified in /etc/shorewall/interfaces or in
# /etc/shorewall/hosts. If not specified or specified as empty
# (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE

194
Shorewall2/shorewall.spec
View File

@ -1,194 +0,0 @@
%define name shorewall
%define version 2.4.0
%define release 1
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
Version: %{version}
Release: %{release}
Prefix: %{prefix}
License: GPL
Packager: Tom Eastep <teastep@shorewall.net>
Group: Networking/Utilities
Source: %{name}-%{version}.tgz
URL: http://www.shorewall.net/
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Requires: iptables iproute
%description
The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
(iptables) based firewall that can be used on a dedicated firewall system,
a multi-function gateway/ router/server or on a standalone GNU/Linux system.
%prep
%setup
%build
%install
export PREFIX=$RPM_BUILD_ROOT ; \
export OWNER=`id -n -u` ; \
export GROUP=`id -n -g` ;\
./install.sh
%clean
rm -rf $RPM_BUILD_ROOT
%post
if [ $1 -eq 1 ]; then
if [ -x /sbin/insserv ]; then
/sbin/insserv /etc/rc.d/shorewall
elif [ -x /sbin/chkconfig ]; then
/sbin/chkconfig --add shorewall;
fi
fi
%preun
if [ $1 = 0 ]; then
if [ -x /sbin/insserv ]; then
/sbin/insserv -r /etc/init.d/shorewall
elif [ -x /sbin/chkconfig ]; then
/sbin/chkconfig --del shorewall
fi
rm -f /etc/shorewall/startup_disabled
fi
%files
%attr(0544,root,root) /etc/init.d/shorewall
%attr(0700,root,root) %dir /etc/shorewall
%attr(0700,root,root) %dir /usr/share/shorewall
%attr(0700,root,root) %dir /var/lib/shorewall
%attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ipsec
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
%attr(0600,root,root) %config(noreplace) /etc/shorewall/netmap
%attr(0600,root,root) %config(noreplace) /etc/shorewall/params
%attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp
%attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped
%attr(0600,root,root) %config(noreplace) /etc/shorewall/maclist
%attr(0600,root,root) %config(noreplace) /etc/shorewall/masq
%attr(0600,root,root) %config(noreplace) /etc/shorewall/modules
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tos
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
%attr(0600,root,root) %config(noreplace) /etc/shorewall/init
%attr(0600,root,root) %config(noreplace) /etc/shorewall/initdone
%attr(0600,root,root) %config(noreplace) /etc/shorewall/start
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
%attr(0600,root,root) %config(noreplace) /etc/shorewall/continue
%attr(0600,root,root) %config(noreplace) /etc/shorewall/started
%attr(0600,root,root) %config(noreplace) /etc/shorewall/routes
%attr(0600,root,root) %config(noreplace) /etc/shorewall/providers
%attr(0544,root,root) /sbin/shorewall
%attr(0600,root,root) /usr/share/shorewall/version
%attr(0600,root,root) /usr/share/shorewall/actions.std
%attr(0600,root,root) /usr/share/shorewall/action.AllowAuth
%attr(0600,root,root) /usr/share/shorewall/action.AllowDNS
%attr(0600,root,root) /usr/share/shorewall/action.AllowFTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowICMPs
%attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP
%attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowNTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowPCA
%attr(0600,root,root) /usr/share/shorewall/action.AllowPing
%attr(0600,root,root) /usr/share/shorewall/action.AllowPOP3
%attr(0600,root,root) /usr/share/shorewall/action.AllowRdate
%attr(0600,root,root) /usr/share/shorewall/action.AllowSMB
%attr(0600,root,root) /usr/share/shorewall/action.AllowSMTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowSNMP
%attr(0600,root,root) /usr/share/shorewall/action.AllowSSH
%attr(0600,root,root) /usr/share/shorewall/action.AllowTelnet
%attr(0600,root,root) /usr/share/shorewall/action.AllowTrcrt
%attr(0600,root,root) /usr/share/shorewall/action.AllowVNC
%attr(0600,root,root) /usr/share/shorewall/action.AllowVNCL
%attr(0600,root,root) /usr/share/shorewall/action.AllowWeb
%attr(0600,root,root) /usr/share/shorewall/action.Drop
%attr(0600,root,root) /usr/share/shorewall/action.DropDNSrep
%attr(0600,root,root) /usr/share/shorewall/action.DropPing
%attr(0600,root,root) /usr/share/shorewall/action.DropSMB
%attr(0600,root,root) /usr/share/shorewall/action.DropUPnP
%attr(0600,root,root) /usr/share/shorewall/action.Reject
%attr(0600,root,root) /usr/share/shorewall/action.RejectAuth
%attr(0600,root,root) /usr/share/shorewall/action.RejectSMB
%attr(0600,root,root) /usr/share/shorewall/action.template
%attr(0444,root,root) /usr/share/shorewall/functions
%attr(0544,root,root) /usr/share/shorewall/firewall
%attr(0544,root,root) /usr/share/shorewall/help
%attr(0600,root,root) /usr/share/shorewall/rfc1918
%attr(0600,root,root) /usr/share/shorewall/bogons
%attr(0600,root,root) /usr/share/shorewall/configpath
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
%changelog
* Thu Jun 02 2005 Tom Eastep tom@shorewall.net
- Updated to 2.4.0-1
* Sun May 30 2005 Tom Eastep tom@shorewall.net
- Updated to 2.4.0-0RC2
* Thu May 19 2005 Tom Eastep tom@shorewall.net
- Updated to 2.4.0-0RC1
* Thu May 19 2005 Tom Eastep tom@shorewall.net
- Updated to 2.3.2-1
* Sun May 15 2005 Tom Eastep tom@shorewall.net
- Updated to 2.3.1-1
* Mon Apr 11 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.4-1
* Fri Apr 08 2005 Tom Eastep tom@shorewall.net
- Added /etc/shorewall/started
* Tue Apr 05 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.3-1
* Mon Mar 07 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.2-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.1-1
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-1
* Mon Jan 17 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC5
* Thu Jan 06 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC4
* Thu Dec 30 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC3
* Fri Dec 24 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC2
* Sun Dec 19 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0RC1
- Added ipsecvpn file
* Sat Dec 11 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta8
* Mon Nov 29 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta7
* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta6
* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta5
* Fri Nov 19 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta4
* Tue Nov 09 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta3
* Tue Nov 02 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta2
* Fri Oct 22 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta1

8
Shorewall2/start
View File

@ -1,8 +0,0 @@
############################################################################
# Shorewall 2.4 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

15
Shorewall2/started
View File

@ -1,15 +0,0 @@
############################################################################
# Shorewall 2.4 -- /etc/shorewall/started
#
# Add commands below that you want to be executed after shorewall has
# been completely started or restarted. The difference between this
# extension script and /etc/shorewall/start is that this one is invoked
# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
# after the 'shorewall' chain has been created (thus signaling that the
# firewall is completely up.
#
# This script should not change the firewall configuration directly but may
# do so indirectly by running /sbin/shorewall with the 'nolock' option.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

8
Shorewall2/stop
View File

@ -1,8 +0,0 @@
############################################################################
# Shorewall 2.4 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

8
Shorewall2/stopped
View File

@ -1,8 +0,0 @@
############################################################################
# Shorewall 2.4 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

160
Shorewall2/tcrules
View File

@ -1,160 +0,0 @@
#
# Shorewall version 2.4 - Traffic Control Rules File
#
# /etc/shorewall/tcrules
#
# Entries in this file cause packets to be marked as a means of
# classifying them for traffic control or policy routing.
#
# I M P O R T A N T ! ! ! !
#
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
#
# Unlike rules in the /etc/shorewall/rules file, evaluation
# of rules in this file will continue after a match. So the
# final mark for each packet will be the one assigned by the
# LAST tcrule that matches.
#
# If you use multiple internet providers with the 'track' option,
# in /etc/shorewall/providers be sure to read the restrictions at
# http://shorewall.net/Shorewall_and_Routing.html.
#
# Columns are:
#
#
# MARK/ a) A mark value which is an integer in the range 1-255
# CLASSIFY
# May optionally be followed by ":P" or ":F"
# where ":P" indicates that marking should occur in
# the PREROUTING chain and ":F" indicates that marking
# should occur in the FORWARD chain. If neither
# ":P" nor ":F" follow the mark value then the chain is
# determined by the setting of MARK_IN_FORWARD_CHAIN in
# /etc/shorewall/shorewall.conf.
#
# If your kernel and iptables include CONNMARK support
# then you can also mark the connection rather than
# the packet.
#
# The mark value may be optionally followed by "/"
# and a mask value (used to determine those bits of
# the connection mark to actually be set). The
# mark and optional mask are then followed by one of:
#
# C - Mark the connection in the chain determined
# by the setting of MARK_IN_FORWARD_CHAIN
#
# CF: Mark the connection in the FORWARD chain
#
# CP: Mark the connection in the PREROUTING chain.
#
# b) A classification of the form <major>:<minor> where
# <major> and <minor> are integers. Corresponds to
# the 'class' specification in these traffic shaping
# modules:
#
# - atm
# - cbq
# - dsmark
# - pfifo_fast
# - htb
# - prio
#
# Classify always occurs in the POSTROUTING chain.
#
# c) RESTORE[/mask] -- restore the packet's mark from the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support.
# As in a) above, may be followed by ":P" or ":F
#
# c) SAVE[/mask] -- save the packet's mark to the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support.
# As in a) above, may be followed by ":P" or ":F
#
# d) CONTINUE -- don't process any more marking rules in
# the table. As in a) above, may be followed by ":P" or
# ":F".
#
# SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses
# and/or subnets. If your kernel and iptables include
# iprange match support, IP address ranges are also
# allowed. Use $FW if the packet originates on
# the firewall in which case the MARK column may NOT
# specify either ":P" or ":F" (marking always occurs
# in the OUTPUT chain). $FW may be optionally followed
# by ":" and a host/network address.
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# DEST Destination of the packet. Comma separated list of
# IP addresses and/or subnets. If your kernel and
# iptables include iprange match support, IP address
# ranges are also allowed.
#
# If the MARK column specificies a classification of
# the form <major>:<minor> then this column may also
# contain an interface name.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
#
# PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example "bit"
# for bit-torrent). If no PORT is given, "ipp2p" is
# assumed.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following field is supplied.
# In that case, it is suggested that this field contain
# "-"
#
# SOURCE PORT(S) (Optional) Source port(s). If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# USER This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective user and/or group.
#
# It may contain :
#
# [<user name or number>]:[<group name or number>][+<program name>]
#
# The colon is optionnal when specifying only a user
# or a program name.
# Examples : john: , john , :users , john:users , +mozilla-bin
#
# TEST Defines a test on the existing packet or connection mark.
# The rule will match only if the test returns true. Tests
# have the format [!]<value>[/<mask>][:C]
#
# Where:
#
# ! Inverts the test (not equal)
# <value> Value of the packet or connection mark.
# <mask> A mask to be applied to the mark before
# testing
# :C Designates a connection mark. If omitted,
# the packet mark's value is tested.
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

46
Shorewall2/tos
View File

@ -1,46 +0,0 @@
#
# Shorewall 2.4 -- /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#
# Columns are:
#
# SOURCE Name of a zone declared in /etc/shorewall/zones, "all"
# or $FW.
#
# If not "all" or $FW, may optionally be followed by
# ":" and an IP address, a MAC address, a subnet
# specification or the name of an interface.
#
# Example: loc:192.168.2.3
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# DEST Name of a zone declared in /etc/shorewall/zones, "all"
# or $FW.
#
# If not "all" or $FW, may optionally be followed by
# ":" and an IP address or a subnet specification
#
# Example: loc:192.168.2.3
#
# PROTOCOL Protocol.
#
# SOURCE PORTS Source port or port range. If all ports, use "-".
#
# DEST PORTS Destination port or port range. If all ports, use "-"
#
# TOS Type of service. Must be one of the following:
#
# Minimize-Delay (16)
# Maximize-Throughput (8)
# Maximize-Reliability (4)
# Minimize-Cost (2)
# Normal-Service (0)
#
##############################################################################
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
#LAST LINE -- Add your entries above -- DO NOT REMOVE

166
Shorewall2/tunnel
View File

@ -1,166 +0,0 @@
#!/bin/sh
RCDLINKS="2,S45 3,S45 6,K45"
################################################################################
# Script to create a gre or ipip tunnel -- Shorewall 2.4
#
# Modified - Steve Cowles 5/9/2000
# Incorporated init {start|stop} syntax and iproute2 usage
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# Modify the following variables to match your configuration
#
# chkconfig: 2345 26 89
# description: GRE/IP Tunnel
#
################################################################################
#
# Type of tunnel (gre or ipip)
#
tunnel_type=gre
# Name of the tunnel
#
tunnel="dfwbos"
#
# Address of your External Interface (only required for gre tunnels)
#
myrealip="x.x.x.x"
# Address of the local system -- this is the address of one of your
# local interfaces (or for a mobile host, the address that this system has
# when attached to the local network).
#
myip="192.168.1.254"
# Address of the Remote system -- this is the address of one of the
# remote system's local interfaces (or if the remote system is a mobile host,
# the address that it uses when attached to the local network).
hisip="192.168.9.1"
# Internet address of the Remote system
#
gateway="x.x.x.x"
# Remote sub-network -- if the remote system is a gateway for a
# private subnetwork that you wish to
# access, enter it here. If the remote
# system is a stand-alone/mobile host, leave this
# empty
subnet="192.168.9.0/24"
# GRE Key -- set this to a number or to a dotted quad if you want
# a keyed GRE tunnel. You must specify a KEY if you
# intend to load ip_conntrack_proto_gre on either
# gateway system
key=
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
load_modules () {
case $tunnel_type in
ipip)
echo "Loading IP-ENCAP Module"
modprobe ipip
;;
gre)
echo "Loading GRE Module"
modprobe ip_gre
;;
esac
}
do_stop() {
if [ -n "`ip link show $tunnel 2>/dev/null`" ]; then
echo "Stopping $tunnel"
ip link set dev $tunnel down
fi
if [ -n "`ip addr show $tunnel 2>/dev/null`" ]; then
echo "Deleting $tunnel"
ip tunnel del $tunnel
fi
}
do_start() {
#NOTE: Comment out the next line if you have built gre/ipip into your kernel
load_modules
if [ -n "`ip link show $tunnel 2>/dev/null`" ]; then
do_stop
fi
echo "Adding $tunnel"
case $tunnel_type in
gre)
ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255 ${key:+key $key}
;;
*)
ip tunnel add $tunnel mode ipip remote $gateway
;;
esac
echo "Starting $tunnel"
ip link set dev $tunnel up
case $tunnel_type in
gre)
ip addr add $myip dev $tunnel
;;
*)
ip addr add $myip peer $hisip dev $tunnel
;;
esac
#
# As with all interfaces, the 2.4 kernels will add the obvious host
# route for this point-to-point interface
#
if [ -n "$subnet" ]; then
echo "Adding Routes"
case $tunnel_type in
gre)
ip route add $subnet dev $tunnel
;;
ipip)
ip route add $subnet via $gateway dev $tunnel onlink
;;
esac
fi
}
case "$1" in
start)
do_start
;;
stop)
do_stop
;;
restart)
do_stop
sleep 1
do_start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

117
Shorewall2/tunnels
View File

@ -1,117 +0,0 @@
#
# Shorewall 2.4 - /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
# IPIP, GRE and OPENVPN tunnels must be configured on the
# firewall/gateway itself. IPSEC endpoints may be defined
# on the firewall/gateway or on an internal system.
#
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ipip"
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
# "generic"
#
# If the type is "ipsec" or "ipsecnat", it may be followed
# by ":noah" to indicate that the Authentication Header
# protocol (51) is not used by the tunnel.
#
# If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no
# ":" and port number are included, then the default port
# of 5000 will be used
#
# If type is "generic", it must be followed by ":" and
# a protocol name (from /etc/protocols) or a protocol
# number. If the protocol is "tcp" or "udp" (6 or 17),
# then it may optionally be followed by ":" and a
# port number.
#
# ZONE -- The zone of the physical interface through which
# tunnel traffic passes. This is normally your internet
# zone.
#
# GATEWAY -- The IP address of the remote tunnel gateway. If the
# remote getway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0. May be
# specified as a network address and if your kernel and
# iptables include iprange match support then IP address
# ranges are also allowed.
#
# GATEWAY
# ZONES -- Optional. If the gateway system specified in the third
# column is a standalone host then this column should
# contain a comma-separated list of the names of the
# zones that the host might be in. This column only
# applies to IPSEC and generic tunnels.
#
# Example 1:
#
# IPSec tunnel. The remote gateway is 4.33.99.124 and
# the remote subnet is 192.168.9.0/24. The tunnel does
# not use the AH protocol
#
# ipsec:noah net 4.33.99.124
#
# Example 2:
#
# Road Warrior (LapTop that may connect from anywhere)
# where the "gw" zone is used to represent the remote
# LapTop.
#
# ipsec net 0.0.0.0/0 gw
#
# Example 3:
#
# Host 4.33.99.124 is a standalone system connected
# via an ipsec tunnel to the firewall system. The host
# is in zone gw.
#
# ipsec net 4.33.99.124 gw
#
# Example 4:
#
# Road Warriors that may belong to zones vpn1, vpn2 or
# vpn3. The FreeS/Wan _updown script will add the
# host to the appropriate zone using the "shorewall add"
# command on connect and will remove the host from the
# zone at disconnect time.
#
# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3
#
# Example 5:
#
# You run the Linux PPTP client on your firewall and
# connect to server 192.0.2.221.
#
# pptpclient net 192.0.2.221
#
# Example 6:
#
# You run a PPTP server on your firewall.
#
# pptpserver net
#
# Example 7:
#
# OPENVPN tunnel. The remote gateway is 4.33.99.124 and
# openvpn uses port 7777.
#
# openvpn:7777 net 4.33.99.124
#
# Example 8:
#
# You have a tunnel that is not one of the supported types.
# Your tunnel uses UDP port 4444. The other end of the
# tunnel is 4.3.99.124.
#
# generic:udp:4444 net 4.3.99.124
#
#
# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
#
# TYPE ZONE GATEWAY GATEWAY
# ZONE
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

109
Shorewall2/uninstall.sh
View File

@ -1,109 +0,0 @@
#!/bin/sh
#
# Script to back uninstall Shoreline Firewall
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# Usage:
#
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=2.4.0
usage() # $1 = exit status
{
ME=$(basename $0)
echo "usage: $ME"
exit $1
}
qt()
{
"$@" >/dev/null 2>&1
}
restore_file() # $1 = file to restore
{
if [ -f ${1}-shorewall.bkout ]; then
if (mv -f ${1}-shorewall.bkout $1); then
echo
echo "$1 restored"
else
exit 1
fi
fi
}
remove_file() # $1 = file to restore
{
if [ -f $1 -o -L $1 ] ; then
rm -f $1
echo "$1 Removed"
fi
}
if [ -f /usr/share/shorewall/version ]; then
INSTALLED_VERSION="$(cat /usr/share/shorewall/version)"
if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
echo " and this is the $VERSION uninstaller."
VERSION="$INSTALLED_VERSION"
fi
else
echo "WARNING: Shorewall Version $VERSION is not installed"
VERSION=""
fi
echo "Uninstalling shorewall $VERSION"
if qt iptables -L shorewall -n; then
/sbin/shorewall clear
fi
if [ -L /usr/share/shorewall/init ]; then
FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
else
FIREWALL=/etc/init.d/shorewall
fi
if [ -n "$FIREWALL" ]; then
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
insserv -r $FIREWALL
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
chkconfig --del $(basename $FIREWALL)
else
rm -f /etc/rc*.d/*$(basename $FIREWALL)
fi
remove_file $FIREWALL
rm -f ${FIREWALL}-*.bkout
fi
rm -f /sbin/shorewall
rm -f /sbin/shorewall-*.bkout
rm -rf /etc/shorewall
rm -rf /var/lib/shorewall
rm -rf /usr/share/shorewall
echo "Shorewall Uninstalled"

27
Shorewall2/zones
View File

@ -1,27 +0,0 @@
#
# Shorewall 2.4 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# The names "all" and "none" are reserved and may not be
# used as zone names.
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
#--------------------------------------------------------------------------------
# Example zones:
#
# You have a three interface firewall with internet, local and DMZ interfaces.
#
# #ZONE DISPLAY COMMENTS
# net Internet The big bad Internet
# loc Local Local Network
# dmz DMZ Demilitarized zone.
#
#ZONE DISPLAY COMMENTS
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE