Merge branch '4.5.21'

Conflicts:
	Shorewall/manpages/shorewall.conf.xml
	Shorewall6/manpages/shorewall6.conf.xml

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2014-03-05 09:00:34 -08:00
commit c9d7370fb4
9 changed files with 195 additions and 95 deletions

@ -690,7 +690,13 @@ sub process_stoppedrules() {
my $result;
if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
first_entry "$doing $fn...";
first_entry sub() {
progress_message2("$doing $fn...");
unless ( $config{ADMINISABSENTMINDED} ) {
warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
$config{ADMINISABSENTMINDED} = 'Yes';
}
};
while ( read_a_line( NORMAL_READ ) ) {
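Review bot: the warning names the wrong file: `warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");` is issued from process_stoppedrules() while reading the file opened by `open_file 'stoppedrules'`, so it should say "Entries in the stoppedrules file ...". A second point worth a code comment: the override sits in a `first_entry sub() { ... }` callback, so $config{ADMINISABSENTMINDED} is forced to 'Yes' only once a first entry is actually read; a present but empty stoppedrules file keeps the administrator's =No and takes the other branch in the chain-building code below. If the intent is "stoppedrules implies Yes" regardless of contents, hoist the override above the read loop; otherwise document the empty-file case.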
@ -2526,9 +2532,9 @@ EOF
"restore_default_route $config{USE_DEFAULT_RT}"
);
my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for @chains;
if ( $config{ADMINISABSENTMINDED} ) {
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
}
if ( $family == F_IPV6 ) {
add_ijump $input, j => 'ACCEPT', s => IPv6_LINKLOCAL;
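Review bot: this is a tightening of the stopped state for ADMINISABSENTMINDED=No and should be called out in the release notes. The removed `my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;` added the ESTABLISHED,RELATED ACCEPT to INPUT, OUTPUT and FORWARD when the setting was No; the replacement adds it only when the setting is Yes. With No, connections that were active at `shorewall stop`, the administrator's own SSH session included, are no longer accepted by state and survive only if their addresses match a routestopped or stoppedrules entry. That agrees with the man page text in this commit, but existing configurations may depend on the old behaviour.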

@ -9,9 +9,9 @@
######################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#?SECTION ALL
#?SECTION ESTABLISHED
#?SECTION RELATED
#?SECTION INVALID
#?SECTION UNTRACKED
?SECTION NEW
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
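Review bot: this looks like the merge resolving the conflict toward the 4.5 side: the skeleton goes from `#?SECTION ALL` / `?SECTION NEW` back to `#SECTION ALL` / `SECTION NEW`, while the Introduction change elsewhere in this same commit documents "?SECTION NEW in Shorewall 4.6.0 and later". If this branch is the 4.6 line, the directive form should be retained here (or the documentation wording reconciled); please confirm which syntax the compiler on this branch expects.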

@ -120,7 +120,7 @@
</varlistentry>
<varlistentry>
<term>notrack</term>
<term><emphasis role="bold">notrack</emphasis></term>
<listitem>
<para>The traffic will be exempted from connection
@ -128,6 +128,13 @@
</listitem>
</varlistentry>
</variablelist>
<note>
<para>The <emphasis role="bold">source</emphasis> and <emphasis
role="bold">dest</emphasis> options work best when used in
conjunction with ADMINISABSENTMINDED=Yes in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</note>
</listitem>
</varlistentry>
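Review bot: "work best when used in conjunction with ADMINISABSENTMINDED=Yes" is too vague for a man page. State the concrete effect of using `source` or `dest` entries with ADMINISABSENTMINDED=No in the stopped state (what is and is not accepted), rather than a soft recommendation, and consider linking the ADMINISABSENTMINDED entry directly. Also note the ulink target `shorewall6.conf.html` is relative while other links in this commit use the `/manpages/...` form; pick one convention.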

@ -283,15 +283,48 @@
<listitem>
<para>The value of this variable affects Shorewall's stopped state.
When ADMINISABSENTMINDED=No, only traffic to/from those addresses
listed in <ulink
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes,
in addition to traffic to/from addresses in <ulink
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5),
connections that were active when Shorewall stopped continue to work
and all new connections from the firewall system itself are allowed.
If this variable is not set or is given the empty value then
The behavior differs depending on whether <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or <ulink
url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
is used:</para>
<variablelist>
<varlistentry>
<term>routestopped</term>
<listitem>
<para>When ADMINISABSENTMINDED=No, only traffic to/from those
addresses listed in <filename>routestopped</filename> is
accepted when Shorewall is stopped. When
ADMINISABSENTMINDED=Yes, in addition to traffic to/from
addresses in <filename>routestopped</filename>, connections
that were active when Shorewall stopped continue to work and
all new connections from the firewall system itself are
allowed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>stoppedrules</term>
<listitem>
<para>If ADMINISABSENTMINDED=No, a warning message is issued
and the setting is ignored.</para>
<para>In addition to connections matching entries in
<filename>stoppedrules</filename>, existing connections
continue to work and all new connections from the firewall
system itself are allowed. To sever all existing connections
when the firewall is stopped, install the conntrack utility
and place the command <command>conntrack -F</command> in the
stopped user exit
(<filename>/etc/shorewall/stopped</filename>).</para>
</listitem>
</varlistentry>
</variablelist>
<para> If this variable is not set or is given the empty value then
ADMINISABSENTMINDED=No is assumed.</para>
</listitem>
</varlistentry>
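Review bot: the stoppedrules entry should state the effective value. `If ADMINISABSENTMINDED=No, a warning message is issued and the setting is ignored.` tells the reader the setting is ignored but not that the file is then processed as if ADMINISABSENTMINDED=Yes, which is exactly what the compiler's warning in this commit says; add that sentence so the man page and the warning agree. Two smaller points: the `conntrack -F` advice severs "all existing connections", which includes the administrator's own session, so it deserves a cross-reference to the remote-administration warning in the introduction pages; and `<para> If this variable` has a stray leading space. The link form also changes from `/manpages/shorewall-routestopped.html` to `shorewall-routestopped.html`; check that the relative form resolves from where this page is published.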

@ -116,30 +116,11 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">critical</emphasis></term>
<term><emphasis role="bold">notrack</emphasis></term>
<listitem>
<para>Allow traffic between the firewall and these hosts
throughout '[re]start', 'stop' and 'clear'. Specifying
<emphasis role="bold">critical</emphasis> on one or more
entries will cause your firewall to be "totally open" for a
brief window during each of those operations. Examples of
where you might want to use this are:</para>
<itemizedlist>
<listitem>
<para>'Ping' nodes with heartbeat.</para>
</listitem>
<listitem>
<para>LDAP server(s) if you use LDAP Authentication</para>
</listitem>
<listitem>
<para>NFS Server if you have an NFS-mounted root
filesystem.</para>
</listitem>
</itemizedlist>
<para>The traffic will be exempted from connection
tracking.</para>
</listitem>
</varlistentry>
</variablelist>
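Review bot: the `critical` option documentation is deleted outright, including the security-relevant warning that it leaves the firewall "totally open" for a brief window during [re]start, stop and clear. If the compiler on this branch still accepts `critical` in this file, the entry should remain (or be marked deprecated with the replacement named); if the option was removed, the hunk should say so instead of silently swapping the term for `notrack`. The one-sentence replacement, "The traffic will be exempted from connection tracking.", would also benefit from the same ADMINISABSENTMINDED note the sibling page gains in this commit.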

@ -218,18 +218,50 @@
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>The value of this variable affects Shorewall6's stopped state.
When ADMINISABSENTMINDED=No, only traffic to/from those addresses
listed in <ulink
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
is accepted when Shorewall6 is stopped. When
ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in
<ulink
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5),
connections that were active when Shorewall6 stopped continue to
work and all new connections from the firewall system itself are
allowed. If this variable is not set or is given the empty value
then ADMINISABSENTMINDED=No is assumed.</para>
<para>The value of this variable affects Shorewall's stopped state.
The behavior differs depending on whether <ulink
url="shorewall-routestopped.html">shorewall6-routestopped</ulink>(5)
or <ulink
url="shorewall-stoppedrules.html">shorewall6-stoppedrules</ulink>(5)
is used:</para>
<variablelist>
<varlistentry>
<term>routestopped</term>
<listitem>
<para>When ADMINISABSENTMINDED=No, only traffic to/from those
addresses listed in <filename>routestopped</filename> is
accepted when Shorewall is stopped. When
ADMINISABSENTMINDED=Yes, in addition to traffic to/from
addresses in <filename>routestopped</filename>, connections
that were active when Shorewall stopped continue to work and
all new connections from the firewall system itself are
allowed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>stoppedrules</term>
<listitem>
<para>If ADMINISABSENTMINDED=No, a warning message is issued
and the setting is ignored.</para>
<para>In addition to connections matching entries in
<filename>stoppedrules</filename>, existing connections
continue to work and all new connections from the firewall
system itself are allowed. To sever all existing connections
when the firewall is stopped, install the conntrack utility
and place the command <command>conntrack -F</command> in the
stopped user exit
(<filename>/etc/shorewall6/stopped</filename>).</para>
</listitem>
</varlistentry>
</variablelist>
<para>If this variable is not set or is given the empty value then
ADMINISABSENTMINDED=No is assumed.</para>
</listitem>
</varlistentry>
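Review bot: copy-paste errors from the IPv4 page. `<para>The value of this variable affects Shorewall's stopped state.` should read Shorewall6's (the removed line had it right); the two ulinks point at `shorewall-routestopped.html` and `shorewall-stoppedrules.html` while their link text reads shorewall6-routestopped and shorewall6-stoppedrules; and "when Shorewall is stopped" / "when Shorewall stopped" in the routestopped entry should also say Shorewall6. Same request as for shorewall.conf(5): say explicitly that with stoppedrules and ADMINISABSENTMINDED=No the file is processed as if the setting were Yes.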

@ -515,15 +515,16 @@ root@lists:~# </programlisting>
<para>If you wish to enable connections from the Internet to your firewall
and you find an appropriate macro in
<filename>/etc/shorewall/macro.*</filename>, the general format of a rule
in <filename>/etc/shorewall/rules</filename> is:</para>
<filename>/usr/share/shorewall/macro.*</filename>, the general format of a
rule in <filename>/etc/shorewall/rules</filename> is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
&lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net $FW</programlisting>
<important>
<para>Be sure to add your rules after the line that reads <emphasis
role="bold">SECTION NEW.</emphasis></para>
role="bold">SECTION NEW</emphasis> (?SECTION NEW in Shorewall 4.6.0 and
later).</para>
</important>
<example id="Example1">
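Review bot: markup consistency: `SECTION NEW` is in `<emphasis role="bold">` but the parenthetical `?SECTION NEW in Shorewall 4.6.0 and later` is plain text; mark the directive form up the same way so both stand out as literal file content. Note also that the sample rules skeleton changed in this same commit uses `SECTION NEW`, so the two should be checked against each other for the branch this lands on.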
@ -605,19 +606,34 @@ SSH(ACCEPT) net $FW </programlisting>
<quote><command>shorewall stop</command></quote>. When the firewall is
stopped, routing is enabled on those hosts that have an entry in
<filename><ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>.
A running firewall may be restarted using the <quote><command>shorewall
restart</command></quote> command. If you want to totally remove any trace
of Shorewall from your Netfilter configuration, use
<quote><command>shorewall clear</command></quote>.</para>
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>
(<filename><ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>
in Shorewall 4.5.7 and earlier). A running firewall may be restarted using
the <quote><command>shorewall restart</command></quote> command. If you
want to totally remove any trace of Shorewall from your Netfilter
configuration, use <quote><command>shorewall
clear</command></quote>.</para>
<warning>
<para>If you are connected to your firewall from the Internet, do not
issue a <quote><command>shorewall stop</command></quote> command unless
you have added an entry for the IP address that you are connected from
to <ulink
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>.
Also, I don't recommend using <quote><command>shorewall
you have either:</para>
<orderedlist>
<listitem>
<para>Used ADMINISABSENTMINDED=Yes in
<filename>/etc/shorewall/shorewall.conf</filename> or</para>
</listitem>
<listitem>
<para>added an entry for the IP address that you are connected from
to <ulink
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>.</para>
</listitem>
</orderedlist>
<para>Also, I don't recommend using <quote><command>shorewall
restart</command></quote>; it is better to create an <emphasis><ulink
url="configuration_file_basics.htm#Configs">alternate
configuration</ulink></emphasis> and test it using the <ulink
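Review bot: the second alternative still names only routestopped: `added an entry for the IP address that you are connected from to /etc/shorewall/routestopped`, while the paragraph just above says routestopped applies to Shorewall 4.5.7 and earlier and stoppedrules is the current file; list stoppedrules here with routestopped as the older name. The first alternative is also broader than it reads: per the shorewall.conf(5) text in this commit, ADMINISABSENTMINDED=Yes keeps the administrator's session because all existing connections continue and all firewall-originated connections are permitted, so the warning should say that option 1 keeps more than just your own session open. Minor: "Used" versus "added" capitalisation across the two items.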

@ -193,7 +193,6 @@
/usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
/usr/share/doc/packages/shorewall/Samples/three-interfaces/masq
/usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
/usr/share/doc/packages/shorewall/Samples/three-interfaces/routestopped
/usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
/usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
~#</programlisting>
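Review bot: the three-interfaces sample listing drops `routestopped` but shows nothing between `rules` and `zones`, so no `stoppedrules` skeleton appears either. If the sample now ships a stoppedrules file, add it to the listing; if it does not, the text later in this document that points readers at /etc/shorewall/stoppedrules needs to say where the skeleton comes from.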
@ -954,8 +953,8 @@ DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
a <emphasis>defined macro</emphasis>. Shorewall includes a number of
defined macros and <ulink url="Macros.html">you can add your own</ulink>.
To see the list of macros included with your version of Shorewall, run the
command <command>ls
<filename>/usr/share/shorewall/macro.*</filename></command>.</para>
command <command>shorewall show
<filename>macros</filename></command>.</para>
<para>You don't have to use defined macros when coding a rule in
<filename>/etc/shorewall/rules</filename>. The first example above (name
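Review bot: `macros` in `<command>shorewall show <filename>macros</filename></command>` is a subcommand argument, not a file; drop the <filename> markup. The two-interfaces page in this commit marks the same command up with `<emphasis role="bold">`, so the pages should agree on `<command>`.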
@ -1128,12 +1127,14 @@ ACCEPT net $FW tcp 80 </programlisting><it
<para>The firewall is started using the <command>shorewall start</command>
command and stopped using <command>shorewall stop</command>. When the
firewall is stopped, routing is enabled on those hosts that have an entry
in <ulink
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>.
A running firewall may be restarted using the <command>shorewall
restart</command> command. If you want to totally remove any trace of
Shorewall from your Netfilter configuration, use <command>shorewall
clear</command>.</para>
in <filename><ulink
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>
(<ulink
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>
on Shorewall 4.5.7 and earlier). A running firewall may be restarted using
the <command>shorewall restart</command> command. If you want to totally
remove any trace of Shorewall from your Netfilter configuration, use
<command>shorewall clear</command>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
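Review bot: inconsistent nesting within one sentence: `<filename><ulink ...>/etc/shorewall/stoppedrules</ulink></filename>` versus `<ulink ...><filename>/etc/shorewall/routestopped</filename></ulink>`; pick one order so the stylesheet renders both links the same way.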
@ -1144,16 +1145,26 @@ ACCEPT net $FW tcp 80 </programlisting><it
DMZ or if you want to enable a different set of hosts, modify
<filename>/etc/shorewall/routestopped</filename> accordingly. <warning>
<para>If you are connected to your firewall from the Internet, do not
issue a <command>shorewall stop</command> command unless you have
added an entry for the IP address that you are connected from to
<ulink
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>.
Also, I don't recommend using <command>shorewall restart</command>; it
is better to create an <ulink
url="configuration_file_basics.htm#Levels">alternate
configuration</ulink> and test it using the <ulink
url="starting_and_stopping_shorewall.htm"><command>shorewall
try</command> command</ulink>.</para>
issue a <quote><command>shorewall stop</command></quote> command
unless you have either:</para>
<orderedlist>
<listitem>
<para>Used ADMINISABSENTMINDED=Yes in
<filename>/etc/shorewall/shorewall.conf</filename>; or</para>
</listitem>
<listitem>
<para>added an entry for the <acronym>IP</acronym> address that
you are connected from to <filename
class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.</para>
</listitem>
</orderedlist>
<para>Also, I don't recommend using <quote><command>shorewall
restart</command></quote>; it is better to create an alternate
configuration and test it using the <quote><command>shorewall
try</command></quote> command.</para>
</warning></para>
<para>The firewall will start after your network interfaces have been
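Review bot: the context lines at the top of this hunk still say `modify /etc/shorewall/routestopped accordingly`, and the second list item still names only routestopped, while the paragraph changed just before it says stoppedrules is the current file; update both. The rewrite also drops two hyperlinks the old text carried, to `configuration_file_basics.htm#Levels` for alternate configurations and to `starting_and_stopping_shorewall.htm` for `shorewall try`; the Introduction page in this commit keeps its equivalent links, so keep them here too. Same wider point as in the Introduction warning: ADMINISABSENTMINDED=Yes keeps far more than your own session open.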

@ -171,7 +171,6 @@
/usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces/masq
/usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
/usr/share/doc/packages/shorewall/Samples/two-interfaces/routestopped
/usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
/usr/share/doc/packages/shorewall/Samples/two-interfaces/zones
~#</programlisting>
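Review bot: same gap as the three-interfaces listing: `routestopped` is removed but no `stoppedrules` entry appears between `rules` and `zones`, so either the listing is incomplete or the sample ships no stoppedrules skeleton; either way the text that later directs readers to /etc/shorewall/stoppedrules should match.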
@ -203,8 +202,9 @@
<para>If you install using the .deb, you will find that your
<filename class="directory">/etc/shorewall</filename> directory
is empty. This is intentional. The released configuration file
skeletons may be found on your system in the directory <filename
is practially empty. This is intentional. The released
configuration file skeletons may be found on your system in the
directory <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the
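Review bot: typo in the added text: `is practially empty` should read "is practically empty".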
@ -910,8 +910,8 @@ DNS(ACCEPT) $FW net</programlisting>This rule allows
<para>In the rule shown above, <quote>DNS</quote>(ACCEPT)is an example of
a <emphasis>macro invocation</emphasis>. Shorewall includes a number of
macros (see <filename>/usr/share/shorewall/macro.*</filename>) and <ulink
url="Macros.html">you can add your own</ulink>.</para>
macros (command <emphasis role="bold">shorewall show macros</emphasis>)
and <ulink url="Macros.html">you can add your own</ulink>.</para>
<para>You don't have to use defined macros when coding a rule in
<filename>/etc/shorewall/rules</filename>; Shorewall will start slightly
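Review bot: `shorewall show macros` is marked up with `<emphasis role="bold">` here but with `<command>` in the three-interfaces page in this commit; use `<command>` in both. The unchanged context line `<quote>DNS</quote>(ACCEPT)is an example of` is also missing the space before "is"; worth fixing while this paragraph is being touched.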
@ -1046,7 +1046,9 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
<quote><command>shorewall stop</command></quote>. When the firewall is
stopped, routing is enabled on those hosts that have an entry in <filename
class="directory">/etc/shorewall/</filename><filename><ulink
url="manpages/shorewall-routestopped.html">routestopped</ulink></filename>.
url="manpages/shorewall-routestopped.html">routestopped</ulink></filename>
(Shorewall 4.5.7 and earlier) or in<filename> <ulink
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>.
A running firewall may be restarted using the <quote><command>shorewall
restart</command></quote> command. If you want to totally remove any trace
of Shorewall from your Netfilter configuration, use
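Review bot: whitespace is misplaced in `or in<filename> <ulink`: the space belongs after "in", not inside the <filename> element, or the rendered text reads "orin /etc/shorewall/stoppedrules". This page also lists routestopped first and stoppedrules second, the opposite order from the other two pages changed in this commit; lead with the current file name for consistency.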
@ -1063,10 +1065,22 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
accordingly. <warning>
<para>If you are connected to your firewall from the Internet, do not
issue a <quote><command>shorewall stop</command></quote> command
unless you have added an entry for the <acronym>IP</acronym> address
that you are connected from to <filename
class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.
Also, I don't recommend using <quote><command>shorewall
unless you have either:</para>
<orderedlist>
<listitem>
<para>Used ADMINISABSENTMINDED=Yes in
<filename>/etc/shorewall/shorewall.conf</filename>; or</para>
</listitem>
<listitem>
<para>added an entry for the <acronym>IP</acronym> address that
you are connected from to <filename
class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.</para>
</listitem>
</orderedlist>
<para> Also, I don't recommend using <quote><command>shorewall
restart</command></quote>; it is better to create an alternate
configuration and test it using the <quote><command>shorewall
try</command></quote> command.</para>
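Review bot: as in the other two warnings, the second alternative still names only `/etc/shorewall/routestopped` although the paragraph before this list now introduces stoppedrules as the current file; name stoppedrules here. Minor: `<para> Also, I don't recommend` has a stray leading space, and "Used" versus "added" capitalisation differs across the two list items.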