Move 2.0.16 to STABLE

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1938 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-02-02 21:04:59 +00:00
parent 52aed7f6a5
commit d356631782
73 changed files with 4365 additions and 2026 deletions


@ -1,4 +1,4 @@
Shoreline Firewall (Shorewall) Version 1.4 - 3/14/2003
Shoreline Firewall (Shorewall) Version 2.0 - 2/14/2004
----- ----
-----------------------------------------------------------------------------
@ -30,18 +30,23 @@ o Edit the configuration files to fit your environment.
http://www.shorewall.net/shorewall_quickstart_guide.htm
o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
Debian, then type "./install.sh".
o For other distributions, determine where your distribution installs
init scripts and type "./install.sh <init script directory>"
o Slackware users type:
DEST=/etc/rc.d INIT=rc.firewall ./install.sh
All other users type:
./install.sh
o Start the firewall by typing "shorewall start"
o If the install script was unable to configure Shoreline Firewall to
start automatically at boot, see the HTML documentation contains in the
"documentation" directory.
start automatically at boot, you will have to used your
distribution's runlevel editor to configure Shorewall manually.
Upgrade:
o run the install script as described above.
o shorewall restart
o "shorewall check" and correct any errors found.
o "shorewall restart"


@ -1,5 +1,5 @@
#
# Shorewall version 1.4 - Accounting File
# Shorewall version 2.0 - Accounting File
#
# /etc/shorewall/accounting
#

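--- /dev/null
+++ b/STABLE/action.AllowAuth
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowAuth
+#
+# This action accepts Auth (identd) traffic.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 113
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE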

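--- /dev/null
+++ b/STABLE/action.AllowDNS
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowDNS
+#
+# This action accepts DNS traffic.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - udp 53
+ACCEPT - - tcp 53
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE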

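--- /dev/null
+++ b/STABLE/action.AllowFTP
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowFTP
+#
+# This action accepts FTP traffic. See
+# http://www.shorewall.net/FTP.html for additional considerations.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 21
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE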

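--- /dev/null
+++ b/STABLE/action.AllowIMAP
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowIMAP
+#
+# This action accepts IMAP traffic (secure and insecure):
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 143 #Unsecure IMAP
+ACCEPT - - tcp 993 #Secure IMAP
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE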

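--- /dev/null
+++ b/STABLE/action.AllowNNTP
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /usr/share/shorewall/action.AllowNNTP
+#
+# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 119
+ACCEPT - - tcp 563
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE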

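--- /dev/null
+++ b/STABLE/action.AllowNTP
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowNTP
+#
+# This action accepts NTP traffic (ntpd).
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
+# PORT PORT(S) DEST LIMIT
+ACCEPT - - udp 123
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE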
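Review bot: The column header in this file says `ORIGINAL DEST` where every other action file in this commit, and the USER/GROUP documentation in action.template, has a `USER/` `GROUP` column; the header looks copied from the rules file rather than the action template. Since the header is the only column reference an administrator sees when editing the action, it should read `#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/` over `# PORT PORT(S) LIMIT GROUP`. The rule line itself is unaffected.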

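--- /dev/null
+++ b/STABLE/action.AllowPCA
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowPCA
+#
+# This action accepts PCAnywere (tm)
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - udp 5631
+ACCEPT - - tcp 5632
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE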

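--- /dev/null
+++ b/STABLE/action.AllowPOP3
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowPOP3
+#
+# This action accepts POP3 traffic (secure and insecure):
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
+# PORT PORT(S) DEST LIMIT
+ACCEPT - - tcp 110 #Unsecure POP3
+ACCEPT - - tcp 995 #Secure POP3
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE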
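Review bot: As in action.AllowNTP, the column header here carries `ORIGINAL DEST` instead of the `USER/` `GROUP` column that action.template documents for action files; the header appears to have been copied from the rules file. Replace the two header lines with `#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/` and `# PORT PORT(S) LIMIT GROUP` so the file matches its siblings. The ACCEPT lines need no change.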

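--- /dev/null
+++ b/STABLE/action.AllowPing
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowPing
+#
+# This action accepts 'ping' requests.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - icmp 8
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE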

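--- /dev/null
+++ b/STABLE/action.AllowRdate
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowRdate
+#
+# This action accepts remote time retrieval (rdate).
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 37
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE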

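--- /dev/null
+++ b/STABLE/action.AllowSMB
@@ -0,0 +1,14 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowSMB
+#
+# Allow Microsoft SMB traffic. You need to invoke this action in
+# both directions.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - udp 135,445
+ACCEPT - - udp 137:139
+ACCEPT - - udp 1024: 137
+ACCEPT - - tcp 135,139,445
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE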
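Review bot: The third rule, `ACCEPT - - udp 1024: 137`, trusts the source port alone: any host that sets its UDP source port to 137 reaches every destination port from 1024 upward, so when this action is invoked from a less-trusted zone it amounts to an allow-all on the ephemeral range. Replies to NetBIOS name-service queries originated on the protected side are presumably already matched by connection tracking before this action runs, so the rule only buys acceptance of unsolicited port-137-sourced datagrams. Either drop the line or keep it with an explicit warning above it: `# NOTE: matches on source port 137 only; any host can set that port, so never invoke this action from an untrusted zone`. The header comment "invoke this action in both directions" should also say which direction this source-port rule is meant for.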

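--- /dev/null
+++ b/STABLE/action.AllowSMTP
@@ -0,0 +1,15 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowSMTP
+#
+# This action accepts SMTP (email) traffic.
+#
+# Note: This action allows traffic between an MUA (Email client)
+# and an MTA (mail server) or between MTAs. It does not enable
+# reading of email via POP3 or IMAP. For those you need to use
+# the AllowPOP3 or AllowIMAP actions.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 25
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE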

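--- /dev/null
+++ b/STABLE/action.AllowSNMP
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowSNMP
+#
+# This action accepts SNMP traffic (including traps):
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - udp 161:162
+ACCEPT - - tcp 161
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE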

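--- /dev/null
+++ b/STABLE/action.AllowSSH
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowSSH
+#
+# This action accepts secure shell (SSH) traffic.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 22
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE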

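--- /dev/null
+++ b/STABLE/action.AllowTelnet
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowTelnet
+#
+# This action accepts Telnet traffic. For traffic over the
+# internet, telnet is inappropriate; use SSH instead
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 23
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE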

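--- /dev/null
+++ b/STABLE/action.AllowTrcrt
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowTrcrt
+#
+# This action accepts Traceroute (for up to 30 hops):
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - udp 33434:33524 #UDP Traceroute
+ACCEPT - - icmp 8 #ICMP Traceroute
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE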

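--- /dev/null
+++ b/STABLE/action.AllowVNC
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowVNC
+#
+# This action accepts VNC traffic for VNC display's 0 - 9.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 5900:5909
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE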

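--- /dev/null
+++ b/STABLE/action.AllowVNCL
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowVNC
+#
+# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 5500
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE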
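Review bot: The header comment names the wrong file: this is action.AllowVNCL but the second line says `action.AllowVNC`, which is the sibling file that opens 5900:5909. Since these headers are what an administrator greps for when tracing which action opened a port, it should read `# Shorewall 2.0 /etc/shorewall/action.AllowVNCL`. The description line could also spell out the direction in the zone terms the rules file uses, since "server to viewer in listen mode" is the reverse of the usual client-to-server flow.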

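--- /dev/null
+++ b/STABLE/action.AllowWeb
@@ -0,0 +1,11 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.AllowWeb
+#
+# This action accepts WWW traffic (secure and insecure):
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+ACCEPT - - tcp 80
+ACCEPT - - TCP 443
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE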
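Review bot: The HTTPS rule writes the protocol as `TCP` while every other action file in this commit, including the line directly above it, uses lower-case `tcp`. Whether the generated rule behaves identically depends on the rule compiler treating the PROTO column case-insensitively, which nothing in this file guarantees; a silent mismatch here would mean 443 is not opened where the administrator expects it. Change the line to `ACCEPT - - tcp 443` to remove the doubt and keep the file consistent with its siblings.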

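--- /dev/null
+++ b/STABLE/action.Drop
@@ -0,0 +1,16 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.Drop
+#
+# The default DROP common rules
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+RejectAuth
+dropBcast
+dropInvalid
+DropSMB
+DropUPnP
+dropNotSyn
+DropDNSrep
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE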

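--- /dev/null
+++ b/STABLE/action.DropDNSrep
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.DropDNSrep
+#
+# This action silently drops DNS UDP replies
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+DROP - - udp - 53
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE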

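--- /dev/null
+++ b/STABLE/action.DropPing
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.DropPing
+#
+# This action silently drops 'ping' requests.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+DROP - - icmp 8
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE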

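--- /dev/null
+++ b/STABLE/action.DropSMB
@@ -0,0 +1,15 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.DropSMB
+#
+# This action silently drops Microsoft SMB traffic
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+DROP - - udp 135
+DROP - - udp 137:139
+DROP - - udp 445
+DROP - - tcp 135
+DROP - - tcp 139
+DROP - - tcp 445
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE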

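--- /dev/null
+++ b/STABLE/action.DropUPnP
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.DropUPnP
+#
+# This action silently drops UPnP probes on UDP port 1900
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+DROP - - udp 1900
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE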

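--- /dev/null
+++ b/STABLE/action.Reject
@@ -0,0 +1,16 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.Reject
+#
+# The default REJECT action common rules
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+RejectAuth
+dropBcast
+dropInvalid
+RejectSMB
+DropUPnP
+dropNotSyn
+DropDNSrep
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE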

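--- /dev/null
+++ b/STABLE/action.RejectAuth
@@ -0,0 +1,10 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.RejectAuth
+#
+# This action silently rejects Auth (tcp 113) traffic
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+REJECT - - tcp 113
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE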

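--- /dev/null
+++ b/STABLE/action.RejectSMB
@@ -0,0 +1,15 @@
+#
+# Shorewall 2.0 /etc/shorewall/action.RejectSMB
+#
+# This action silently rejects Microsoft SMB traffic
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
+REJECT - - udp 135
+REJECT - - udp 137:139
+REJECT - - udp 445
+REJECT - - tcp 135
+REJECT - - tcp 139
+REJECT - - tcp 445
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE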


@ -1,5 +1,5 @@
#
# Shorewall 1.4 /etc/shorewall/action.template
# Shorewall 2.0 /etc/shorewall/action.template
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
@ -24,6 +24,9 @@
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
# CONTINUE -- Discontinue processing this action
# and return to the point where the
# action was invoked.
# <action> -- An <action> defined in
# /etc/shorewall/actions. The <action>
# must appear in that file BEFORE the
@ -39,6 +42,15 @@
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies.
# A comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
@ -80,7 +92,7 @@
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied.
# entered if any of the following fields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
@ -122,8 +134,25 @@
#
# Example: 10/sec:20
#
# If you place a rate limit in this column, you may not
# place a similar limit in the TARGET column.
# USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
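Review bot: The new log-tag paragraph does not parse as a sentence: `Actions specifying logging may be followed by a log tag (a string of alphanumeric characters) are appended to the string generated by the LOGPREFIX`. It should read along the lines of `Actions specifying logging may be followed by a log tag (a string of alphanumeric characters) which is appended to the string generated by the LOGPREFIX setting (in /etc/shorewall/shorewall.conf)`. The column header at the end of the hunk still ends at `RATE` although a USER/GROUP column is documented just above it; the continuation line is outside the hunk, so confirm it carries `USER/` and `GROUP` as the per-action files in this commit do.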


@ -1,5 +1,5 @@
#
# Shorewall 1.4 /etc/shorewall/actions
# Shorewall 2.0 /etc/shorewall/actions
#
# This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to
@ -8,8 +8,21 @@
#
# ACTION names should begin with an upper-case letter to
# distinguish them from Shorewall-generated chain names and
# they must need the requirements of a Netfilter chain
# name.
# they must need the requirements of a Netfilter chain. If
# you intend to log from the action then the name must be
# no longer than 11 character in length. Names must also
# meet the requirements for a Bourne Shell identifier (must
# begin with a letter and be composed of letters, digits and
# underscore characters).
#
# If you follow the action name with ":DROP", ":REJECT" or
# :ACCEPT then the action will be taken before a DROP, REJECT or
# ACCEPT policy respectively is enforced. If you specify ":DROP",
# ":REJECT" or ":ACCEPT" on more than one action then only the
# last such action will be taken.
#
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
# itself, the associated policy will have no common action.
#
#ACTION
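Review bot: The rewritten naming paragraph has two wording slips: `they must need the requirements of a Netfilter chain` should be `they must meet the requirements of a Netfilter chain name`, and `no longer than 11 character in length` should be `no longer than 11 characters`. The 11-character rule is worth a one-line reason as well, since it is the kind of limit people remove when it looks arbitrary; presumably it keeps the generated log prefix within a fixed maximum length, in which case say so: `# (longer names would be truncated in the log prefix and the entries could not be attributed to the action)`.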

53
STABLE/actions.std Normal file

@ -0,0 +1,53 @@
#
# Shorewall 2.0 /usr/share/shorewall/actions.std
#
#
# Builtin Actions are:
#
# dropBcast #Silently Drop Broadcast/multicast
# dropNonSyn #Silently Drop Non-syn TCP packets
# rejNonSyn #Silently Reject Non-syn TCP packets
# logNonSyn #Log Non-syn TCP packets with disposition LOG
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
# dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state.
# allowInvalid #Accept packets that are in the INVALID conntrack
# #state
#
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used.
#
#ACTION
DropSMB #Silently Drops Microsoft SMB Traffic
RejectSMB #Silently Reject Microsoft SMB Traffic
DropUPnP #Silently Drop UPnP Probes
RejectAuth #Silently Reject Auth
DropPing #Silently Drop Ping
DropDNSrep #Silently Drop DNS Replies
AllowPing #Accept Ping
AllowFTP #Accept FTP
AllowDNS #Accept DNS
AllowSSH #Accept SSH
AllowWeb #Allow Web Browsing
AllowSMB #Allow MS Networking
AllowAuth #Allow Auth (identd)
AllowSMTP #Allow SMTP (Email)
AllowPOP3 #Allow reading mail via POP3
AllowIMAP #Allow reading mail via IMAP
AllowTelnet #Allow Telnet Access (not recommended for use over the
#Internet)
AllowVNC #Allow VNC viewer->server, Displays 0-9
AllowVNCL #Allow VNC server->viewer in listening mode
AllowNTP #Allow Network Time Protocol (ntpd)
AllowRdate #Allow remote time (rdate).
AllowNNTP #Allow network news (Usenet).
AllowTrcrt #Allows Traceroute (20 hops)
AllowSNMP #Allows SNMP (including traps)
AllowPCA #Allows PCAnywhere (tm)
Drop:DROP #Common Action for DROP policy
Reject:REJECT #Common Action for REJECT policy
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
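Review bot: The builtin list in the comment block names `dropNonSyn`, `rejNonSyn`, `logNonSyn`, `dLogNonSyn` and `rLogNonSyn`, but action.Drop and action.Reject in this same commit invoke `dropNotSyn`; one spelling is wrong, and since the action files are what actually gets resolved at compile time, check the builtin's name in the firewall script and correct the comment to match (otherwise a reader copying the documented name into an action will get an unknown-action error or, worse, a silently ignored line). The AllowTrcrt entry still says `#Allows Traceroute (20 hops)` while action.AllowTrcrt now says 30 hops and covers 33434:33524 after the 2.0.15 range increase, so that comment is stale as well. The PCAnywhere line is the only one where the header spelling (`PCAnywere` in action.AllowPCA) and this file disagree; pick one.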


@ -1,5 +1,5 @@
#
# Shorewall 1.4 -- Blacklist File
# Shorewall 2.0 -- Blacklist File
#
# /etc/shorewall/blacklist
#

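--- /dev/null
+++ b/STABLE/bogons
@@ -0,0 +1,70 @@
+#
+# Shorewall 2.0-- Bogons File
+#
+# /etc/shorewall/bogons
+#
+# Lists the subnetworks that are blocked by the 'nobogons' interface option.
+#
+# The default list includes those those ip ADDRESSES listed
+# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
+# reserved for use in documentation and examples.
+#
+# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
+# TO /etc/shorewall AND MODIFY THE COPY.
+#
+# Columns are:
+#
+# SUBNET The subnet (host addresses also allowed)
+# TARGET Where to send packets to/from this subnet
+# RETURN - let the packet be processed normally
+# DROP - silently drop the packet
+# logdrop - log then drop
+#
+###############################################################################
+#SUBNET TARGET
+0.0.0.0 RETURN # Stop the DHCP whining
+255.255.255.255 RETURN # We need to allow limited broadcast
+169.254.0.0/16 DROP # DHCP autoconfig
+192.0.2.0/24 logdrop # Example addresses (RFC 3330)
+#
+# The following are generated with the help of the Python program found at:
+#
+# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
+#
+# The program was contributed by Andy Wiggin
+#
+0.0.0.0/7 logdrop # Reserved
+2.0.0.0/8 logdrop # Reserved
+5.0.0.0/8 logdrop # Reserved
+7.0.0.0/8 logdrop # Reserved
+23.0.0.0/8 logdrop # Reserved
+27.0.0.0/8 logdrop # Reserved
+31.0.0.0/8 logdrop # Reserved
+36.0.0.0/7 logdrop # Reserved
+39.0.0.0/8 logdrop # Reserved
+41.0.0.0/8 logdrop # Reserved
+42.0.0.0/8 logdrop # Reserved
+49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
+50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
+73.0.0.0/8 logdrop # Reserved
+74.0.0.0/7 logdrop # Reserved
+76.0.0.0/6 logdrop # Reserved
+89.0.0.0/8 logdrop # Reserved
+90.0.0.0/7 logdrop # Reserved
+92.0.0.0/6 logdrop # Reserved
+96.0.0.0/3 logdrop # Reserved
+127.0.0.0/8 logdrop # Loopback
+173.0.0.0/8 logdrop # Reserved
+174.0.0.0/7 logdrop # Reserved
+176.0.0.0/5 logdrop # Reserved
+184.0.0.0/6 logdrop # Reserved
+189.0.0.0/8 logdrop # Reserved
+190.0.0.0/8 logdrop # Reserved
+197.0.0.0/8 logdrop # Reserved
+198.18.0.0/15 logdrop # Reserved
+223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
+240.0.0.0/4 logdrop # Reserved
+#
+# End of generated entries
+#
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE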
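Review bot: The generated block is a snapshot of IANA's "reserved" list at the time the helper program was run, and the file itself shows how quickly such a list moves (`Returned to IANA Mar 98`, `Returned by APNIC in 2003`); once one of these /8s is allocated, every host with `nobogons` silently loses reachability to it and logs the attempts as attacks. The generated section should carry its generation date and a regeneration reminder, e.g. `# Generated from the IANA registry on <date>; regenerate before each release, an allocated block left here blocks legitimate traffic`. Note also that `169.254.0.0/16` is a silent `DROP` while every other blocked entry is `logdrop`; if that is deliberate (to keep autoconfig chatter out of the log) say so in its comment, otherwise use `logdrop` so spoofed link-local sources remain visible. The description line reads `those those` (duplicated word).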


@ -1,4 +1,121 @@
Changes since 1.4.10g
Changes in 2.0.4
1) Fix installer to not give zones and shorewall.conf execute
permission.
1) Fix DNAT logging with 'fw' as the source zone.
Change in 2.0.5
1) Eradicate more RESTOREBASE messages.
2) Remove 'mangle' reference from shorewall.conf.
Change in 2.0.6
1) Add PKTTYPE option.
shorewall.conf
firewall
2) Sanitized some correct but confusing code in determine_hosts().
There was a loop:
for networks in $networks
...
It now reads:
for network in $networks
...
3) Don't give shorewall.conf and zones execute permission.
4) Backport 'dropInvalid' from 2.1
Changes in 2.0.7
1) Include output of "ip rule ls" and "ip route ls" in "shorewall
status".
2) Consult PKTTYPE when generating 'REJECT' rules.
3) Enhance IP/Routing output in "shorewall status".
4) Correct handling of multiple 'blacklist' interfaces.
5) Add "0.0.0.0 RETURN" to nobogons.
Changes in 2.0.8
1) Removed dead code from process_actions2()
2) Corrected read command in process_actions2() (userspec)
Changes in 2.0.9
1) Corrected setup_tc1() handling of the PROTO column.
2) Added warning about ADD_SNAT_ALIASES in the masq file.
3) Added "brctl show" to the status command.
Changes in 2.0.10
1) Corrected GATEWAY handling for 'pptpserver's
2) Correct log rule number generation.
3) Add clarification to /etc/shorewall/tcrules.
4) Apply part of Ian Allen's fix for down interface in the SUBNET
column of /etc/shorewall/masq.
5) Add key /proc settings to "shorewall status" output.
Changes in 2.0.11
1) Add note for Slackware users to INSTALL.
2) Correct bogons file.
3) Replace service names by port numbers in /etc/shorewall/tos.
4) Added NNTPS to action.AllowNNTP.
5) Fix install.sh
Changes in 2.0.12
1) Correct typo in shorewall.conf.
2) Fix "shorewall add" and "shorewall delete" with bridging.
3) Implement variable expansion in INCLUDE directives
4) Split restore-base into two files.
5) Correct dynamic zone OUTPUT handling.
Changes in 2.0.13
1) Correct typo in "shorewall add" code.
Changes in 2.0.14
1) Log drops due to policy rate limiting.
2) Fix typo in interfaces file.
3) Eliminate "bad variable" errors during stop/clear.
4) Fix typo in tunnels file.
Changes in 2.0.15
1) Increased port range for Traceroute.
2) Corrected port of rate-limit logging change.
Changes in 2.0.16
1) Backport DROPINVALID from 2.2.0.

7
STABLE/configpath Normal file

@ -0,0 +1,7 @@
#
# Shorewall version 2.0 - Default Config Path
#
# /usr/share/shorewall/configpath
#
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
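Review bot: The file does not say what the order of the two directories means, yet it is what the `COPY THE FILE TO /etc/shorewall AND MODIFY THE COPY` advice in the bogons file relies on, and it is also the search order that INCLUDE and the shorewall.conf lookup in the functions file resolve through. Proposed comment above the assignment: `# Directories are searched left to right; a file in /etc/shorewall overrides the copy shipped in /usr/share/shorewall. Files found on this path are sourced by the firewall script, so every directory listed must be writable by root only.` Keep the file a single plain assignment, since it is sourced (`. $F`) rather than parsed.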

18
STABLE/default.debian Normal file

@ -0,0 +1,18 @@
# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start
startup=0
# if your Shorewall configuration requires detection of the ip address of a ppp
# interface, you must list such interfaces in "wait_interface" to get Shorewall to
# wait until the interface is configured. Otherwise the script will fail because
# it won't be able to detect the IP address.
#
# Example:
# wait_interface="ppp0"
# or
# wait_interface="ppp0 ppp1"
# or, if you have defined in /etc/shorewall/params
# wait_interface=
# EOF


@ -1,5 +1,5 @@
#
# Shorewall 1.4 - /etc/shorewall/ecn
# Shorewall 2.0 - /etc/shorewall/ecn
#
# Use this file to list the destinations for which you want to
# disable ECN.


@ -5,7 +5,7 @@
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
# (c) 2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://seattlefirewall.dyndns.org
#
@ -28,11 +28,11 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.11
VERSION=2.0.16
usage() # $1 = exit status
{
echo "usage: `basename $0`"
echo "usage: $(basename $0)"
exit $1
}
@ -57,30 +57,19 @@ fi
echo "Backing Out Installation of Shorewall $VERSION"
if [ -L /usr/share/shorewall/init ]; then
FIREWALL=`ls -l /usr/share/shorewall/firewall | sed 's/^.*> //'`
FIREWALL=$(ls -l /usr/share/shorewall/firewall | sed 's/^.*> //')
restore_file $FIREWALL
restore_file /usr/share/shorewall/firewall
elif [ -L /usr/lib/shorewall/firewall ]; then
FIREWALL=`ls -l /usr/lib/shorewall/firewall | sed 's/^.*> //'`
restore_file $FIREWALL
elif [ -L /var/lib/shorewall/firewall ]; then
FIREWALL=`ls -l /var/lib/shorewall/firewall | sed 's/^.*> //'`
restore_file $FIREWALL
elif [ -L /usr/lib/shorewall/init ]; then
FIREWALL=`ls -l /usr/lib/shorewall/init | sed 's/^.*> //'`
restore_file $FIREWALL
restore_file /usr/lib/shorewall/firewall
else
restore_file /etc/init.d/shorewall
fi
restore_file /sbin/shorewall
restore_file /usr/share/shorewall/firewall
[ -f /etc/shorewall.conf.$VERSION ] && rm -f /etc/shorewall.conf.$VERSION
restore_file /sbin/shorewall
restore_file /etc/shorewall/shorewall.conf
restore_file /etc/shorewall/functions
restore_file /usr/share/shorewall/functions
restore_file /usr/share/shorewall/firewall
restore_file /usr/lib/shorewall/functions
restore_file /var/lib/shorewall/functions
restore_file /usr/lib/shorewall/firewall
@ -102,6 +91,8 @@ restore_file /etc/shorewall/rules
restore_file /etc/shorewall/nat
restore_file /etc/shorewall/netmap
restore_file /etc/shorewall/params
restore_file /etc/shorewall/proxyarp
@ -125,9 +116,16 @@ restore_file /etc/shorewall/blacklist
restore_file /etc/shorewall/whitelist
restore_file /etc/shorewall/rfc1918
restore_file /usr/share/shorewall/rfc1918
restore_file /usr/share/shorewall/bogons
restore_file /usr/share/shorewall/configpath
restore_file /etc/shorewall/init
restore_file /etc/shorewall/initdone
restore_file /etc/shorewall/start
restore_file /etc/shorewall/stop
@ -138,27 +136,15 @@ restore_file /etc/shorewall/ecn
restore_file /etc/shorewall/accounting
restore_file /etc/shorewall/usersets
restore_file /etc/shorewall/users
restore_file /etc/shorewall/actions.std
restore_file /etc/shorewall/actions
restore_file /etc/shorewall/action.template
for f in /usr/share/shorewall/action.*-${VERSION}.bkout; do
restore_file $(echo $f | sed "s/-${VERSION}.bkout//")
done
if [ -f /usr/share/shorewall/version-${VERSION}.bkout ]; then
restore_file /usr/share/shorewall/version
oldversion="`cat /usr/share/shorewall/version`"
elif [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
restore_file /usr/lib/shorewall/version
oldversion="`cat /usr/lib/shorewall/version`"
elif [ -f /var/lib/shorewall/version-${VERSION}.bkout ]; then
restore_file /var/lib/shorewall/version
oldversion="`cat /var/lib/shorewall/version`"
else
restore_file /etc/shorewall/version
oldversion="`cat /etc/shorewall/version`"
fi
restore_file /usr/share/shorewall/version
echo "Shorewall Restored to Version $oldversion"
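Review bot: `$oldversion` on the closing line is no longer assigned anywhere in the hunk: the old `if`/`elif` chain that restored the version file and read it into `oldversion` has been collapsed to a bare `restore_file /usr/share/shorewall/version`, so unless it is set elsewhere in the script the message will print an empty version. Add `oldversion=$(cat /usr/share/shorewall/version)` after that restore, guarded by `[ -f /usr/share/shorewall/version ]` since the backout may run on a partially installed tree. Separately, `FIREWALL=$(ls -l /usr/share/shorewall/firewall | sed 's/^.*> //')` parses `ls` to follow a symlink; `readlink` is the robust form if it is available on all supported distributions, and a link target containing `> ` would break the sed. That branch also tests `-L /usr/share/shorewall/init` but resolves `/usr/share/shorewall/firewall`; confirm the two paths are meant to differ.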



@ -1,6 +1,45 @@
#!/bin/sh
#
# Shorewall 1.4 -- /usr/lib/shorewall/functions
# Shorewall 2.0 -- /usr/share/shorewall/functions
#
# Search a list looking for a match -- returns zero if a match found
# 1 otherwise
#
list_search() # $1 = element to search for , $2-$n = list
{
local e=$1
while [ $# -gt 1 ]; do
shift
[ "x$e" = "x$1" ] && return 0
done
return 1
}
#
# Functions to count list elements
# - - - - - - - - - - - - - - - -
# Whitespace-separated list
#
list_count1() {
echo $#
}
#
# Comma-separated list
#
list_count() {
list_count1 $(separate_list $1)
}
#
# Conditionally produce message
#
progress_message() # $* = Message
{
[ -n "$QUIET" ] || echo "$@"
}
#
# Suppress all output for a command
@ -11,15 +50,88 @@ qt()
}
#
# Find a File -- Look first in $SHOREWALL_DIR then in /etc/shorewall
# Perform variable substitution on the passed argument and echo the result
#
expand() # $@ = contents of variable which may be the name of another variable
{
eval echo \"$@\"
}
#
# Perform variable substitition on the values of the passed list of variables
#
expandv() # $* = list of variable names
{
local varval
while [ $# -gt 0 ]; do
eval varval=\$${1}
eval $1=\"$varval\"
shift
done
}
#
# Replace all leading "!" with "! " in the passed argument list
#
fix_bang() {
local i;
for i in $@; do
case $i in
!*)
echo "! ${i#!}"
;;
*)
echo $i
;;
esac
done
}
#
# Set default config path
#
ensure_config_path() {
local F=/usr/share/shorewall/configpath
if [ -z "$CONFIG_PATH" ]; then
[ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
. $F
fi
}
#
# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall
#
find_file()
{
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
echo $SHOREWALL_DIR/$1
else
echo /etc/shorewall/$1
fi
local saveifs= directory
case $1 in
/*)
echo $1
;;
*)
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
echo $SHOREWALL_DIR/$1
else
saveifs=$IFS
IFS=:
for directory in $CONFIG_PATH; do
if [ -f $directory/$1 ]; then
echo $directory/$1
IFS=$saveifs
return
fi
done
IFS=$saveifs
echo /etc/shorewall/$1
fi
;;
esac
}
#
@ -58,6 +170,55 @@ separate_list() {
echo "$newlist"
}
#
# Load a Kernel Module
#
loadmodule() # $1 = module name, $2 - * arguments
{
local modulename=$1
local modulefile
local suffix
moduleloader=modprobe
if ! qt which modprobe; then
moduleloader=insmod
fi
if [ -z "$(lsmod | grep $modulename)" ]; then
shift
for suffix in $MODULE_SUFFIX ; do
modulefile=$MODULESDIR/${modulename}.${suffix}
if [ -f $modulefile ]; then
case $moduleloader in
insmod)
insmod $modulefile $*
;;
*)
modprobe $modulename $*
;;
esac
return
fi
done
fi
}
#
# Reload the Modules
#
reload_kernel_modules() {
[ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
while read command; do
eval $command
done
}
#
# Find the zones
#
@ -67,7 +228,7 @@ find_zones() # $1 = name of the zone file
[ -n "$zone" ] && case "$zone" in
\#*)
;;
$FW|multi)
$FW)
echo "Reserved zone name \"$zone\" in zones file ignored" >&2
;;
*)
@ -89,15 +250,15 @@ find_display() # $1 = zone, $2 = name of the zone file
#
determine_zones()
{
local zonefile=`find_file zones`
local zonefile=$(find_file zones)
multi_display=Multi-zone
strip_file zones $zonefile
zones=`find_zones $TMP_DIR/zones`
zones=`echo $zones` # Remove extra trash
zones=$(find_zones $TMP_DIR/zones)
zones=$(echo $zones) # Remove extra trash
for zone in $zones; do
dsply=`find_display $zone $TMP_DIR/zones`
dsply=$(find_display $zone $TMP_DIR/zones)
eval ${zone}_display=\$dsply
done
}
@ -117,7 +278,7 @@ get_statedir()
{
MUTEX_TIMEOUT=
local config=`find_file shorewall.conf`
local config=$(find_file shorewall.conf)
if [ -f $config ]; then
. $config
@ -238,7 +399,6 @@ mktempfile() {
fi
}
#
# create a temporary directory
#
@ -260,8 +420,7 @@ mktempdir() {
echo " ERROR:Internal error in mktempdir"
;;
esac
}
}
#
# Read a file and handle "INCLUDE" directives
@ -271,24 +430,29 @@ read_file() # $1 = file name, $2 = nest count
{
local first rest
while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then
read_file `find_file ${rest%#*}` $(($2 + 1))
if [ -f $1 ]; then
while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then
read_file $(find_file $(expand ${rest%#*})) $(($2 + 1))
else
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
fi
else
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
echo "$first $rest"
fi
else
echo "$first $rest"
fi
done < $1
done < $1
else
[ -n "$terminator" ] && $terminator "No such file: $1"
echo "Warning -- No such file: $1"
fi
}
#
# Function for including one file into another
#
INCLUDE() {
. `find_file $@`
. $(find_file $(expand $@))
}
#
@ -299,7 +463,7 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
{
local fname
[ $# = 1 ] && fname=`find_file $1` || fname=$2
[ $# = 1 ] && fname=$(find_file $1) || fname=$2
if [ -f $fname ]; then
read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
@ -376,8 +540,8 @@ ip_range() {
;;
esac
first=`decodeaddr ${1%-*}`
last=`decodeaddr ${1#*-}`
first=$(decodeaddr ${1%-*})
last=$(decodeaddr ${1#*-})
if [ $first -gt $last ]; then
fatal_error "Invalid IP address range: $1"
@ -398,7 +562,7 @@ ip_range() {
y=$(( $y * 2 ))
done
echo `encodeaddr $first`$vlsm
echo $(encodeaddr $first)$vlsm
first=$(($first + $z))
done
}
@ -415,15 +579,15 @@ ip_range_explicit() {
;;
esac
first=`decodeaddr ${1%-*}`
last=`decodeaddr ${1#*-}`
first=$(decodeaddr ${1%-*})
last=$(decodeaddr ${1#*-})
if [ $first -gt $last ]; then
fatal_error "Invalid IP address range: $1"
fi
while [ $first -le $last ]; do
echo `encodeaddr $first`
echo $(encodeaddr $first)
first=$(($first + 1))
done
}
@ -441,10 +605,10 @@ ip_netmask() {
# Network address from CIDR
#
ip_network() {
local decodedaddr=`decodeaddr ${1%/*}`
local netmask=`ip_netmask $1`
local decodedaddr=$(decodeaddr ${1%/*})
local netmask=$(ip_netmask $1)
echo `encodeaddr $(($decodedaddr & $netmask))`
echo $(encodeaddr $(($decodedaddr & $netmask)))
}
#
@ -462,37 +626,37 @@ ip_broadcast() {
# Calculate broadcast address from CIDR
#
broadcastaddress() {
local decodedaddr=`decodeaddr ${1%/*}`
local netmask=`ip_netmask $1`
local broadcast=`ip_broadcast $1`
local decodedaddr=$(decodeaddr ${1%/*})
local netmask=$(ip_netmask $1)
local broadcast=$(ip_broadcast $1)
echo `encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast ))`
echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
}
#
# Test for subnet membership
# Test for network membership
#
in_subnet() # $1 = IP address, $2 = CIDR network
in_network() # $1 = IP address, $2 = CIDR network
{
local netmask=`ip_netmask $2`
local netmask=$(ip_netmask $2)
test $(( `decodeaddr $1` & $netmask)) -eq $(( `decodeaddr ${2%/*}` & $netmask ))
test $(( $(decodeaddr $1) & $netmask)) -eq $(( $(decodeaddr ${2%/*}) & $netmask ))
}
#
# Netmask to VLSM
#
ip_vlsm() {
local mask=`decodeaddr $1`
local mask=$(decodeaddr $1)
local vlsm=0
local x=$(( 128 $LEFTSHIFT 24 ))
local x=$(( 128 $LEFTSHIFT 24 )) # 0x80000000
while [ $(( $x & $mask )) -ne 0 ]; do
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Don't Ask...
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
vlsm=$(($vlsm + 1))
done
if [ $(( $mask & 2147483647)) -ne 0 ]; then
if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
echo "Invalid net mask: $1" >&2
else
echo $vlsm
@ -502,11 +666,11 @@ ip_vlsm() {
#
# Chain name base for an interface -- replace all periods with underscores in the passed name.
# The result is echoed (less "+" and anything following).
# The result is echoed (less trailing "+").
#
chain_base() #$1 = interface
{
local c=${1%%+*}
local c=${1%%+}
while true; do
case $c in
@ -524,29 +688,25 @@ chain_base() #$1 = interface
done
}
#
# Remove trailing digits from a name
#
strip_trailing_digits() {
echo $1 | sed s'/[0-9].*$//'
}
#
# Loosly Match the name of an interface
#
if_match() # $1 = Name in interfaces file - may end in "+"
# $2 = Name from routing table
# $2 = Full interface name - may also end in "+"
{
local if_file=$1
local rt_table=$2
case $if_file in
local pattern=${1%+}
case $1 in
*+)
test "`strip_trailing_digits $rt_table`" = "${if_file%+}"
#
# Can't use ${2:0:${#pattern}} because ash and dash don't support that flavor of
# variable expansion :-(
#
test "x$(echo $2 | cut -b -${#pattern} )" = "x${pattern}"
;;
*)
test "$rt_table" = "$if_file"
test "x$1" = "x$2"
;;
esac
}
@ -571,13 +731,13 @@ find_rt_interface() {
ip route ls | while read addr rest; do
case $addr in
*/*)
in_subnet ${1%/*} $addr && echo `find_device $rest`
in_network ${1%/*} $addr && echo $(find_device $rest)
;;
default)
;;
*)
if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
echo `find_device $rest`
echo $(find_device $rest)
fi
;;
esac
@ -589,7 +749,7 @@ find_rt_interface() {
#
find_default_interface() {
ip route ls | while read first rest; do
[ "$first" = default ] && echo `find_device $rest` && return
[ "$first" = default ] && echo $(find_device $rest) && return
done
}
@ -599,10 +759,10 @@ find_default_interface() {
#
find_interface_by_address() {
local dev="`find_rt_interface $1`"
local dev="$(find_rt_interface $1)"
local first rest
[ -z "$dev" ] && dev=`find_default_interface`
[ -z "$dev" ] && dev=$(find_default_interface)
[ -n "$dev" ] && echo $dev
}


@ -1,12 +1,12 @@
#!/bin/sh
#
# Shorewall help subsystem - V1.4 - 3/14/2003
# Shorewall help subsystem - V2.0 - 2/14/2004
#
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2003 - Tom Eastep (teastep@shorewall.net)
# Steve Herber (herber@thing.com)
# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net)
# Steve Herber (herber@thing.com)
#
# This file should be placed in /usr/share/shorewall/help
#
@ -29,11 +29,11 @@
case $1 in
add)
echo "add: add <interface>[:<host>] <zone>
echo "add: add <interface>[:<bridge-port>][:<host>] <zone>
Adds a host or subnet to a dynamic zone usually used with VPN's.
shorewall add interface[:host] zone - Adds the specified interface
(and host if included) to the specified zone.
shorewall add interface[:port][:host] zone - Adds the specified interface
(and bridge port/host if included) to the specified zone.
Example:
@ -87,15 +87,17 @@ debug)
shorewall debug start 2> /tmp/trace
The above command would trace the 'start' command and
place the trace information in the file /tmp/trace."
place the trace information in the file /tmp/trace.
The word 'trace' is a synonym for 'debug'."
;;
delete)
echo "delete: delete <interface>[:<host>] <zone>
echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone>
Deletes a host or subnet from a dynamic zone usually used with VPN's.
shorewall delete interface[:host] zone - Deletes the specified
interface (and host if included) from the specified zone.
shorewall delete interface[:port][:host] zone - Deletes the specified
interface (and bridge port/host if included) from the specified zone.
Example:
@ -114,6 +116,14 @@ drop)
See also \"help address\""
;;
forget)
echo "forget: forget [ <file name> ]
Deletes /var/lib/shorewall/<file name>. If no <file name> is given then
the file specified by RESTOREFILE in shorewall.conf is removed.
See also \"help save\""
;;
help)
echo "help: help [<command> | host | address ]
Display helpful information about the shorewall commands."
@ -145,15 +155,21 @@ logwatch)
monitor)
echo "monitor: monitor [<refresh_interval>]
shorewall [-x] monitor [<refresh_interval>]
Continuously display the firewall status, last 20 log entries and nat.
When the log entry display changes, an audible alarm is sounded."
When the log entry display changes, an audible alarm is sounded.
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
refresh)
echo "refresh: refresh
echo "refresh: [ -q ] refresh
The rules involving the broadcast addresses of firewall interfaces,
the black list, traffic control rules and ECN control rules are recreated
to reflect any changes made. Existing connections are untouched"
to reflect any changes made. Existing connections are untouched
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
;;
reject)
@ -171,26 +187,45 @@ reset)
;;
restart)
echo "restart: restart [ -c <configuration-directory> ]
echo "restart: restart [ -q ] [ -c <configuration-directory> ]
Restart is the same as a shorewall stop && shorewall start.
Existing connections are dropped."
Existing connections are maintained.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
;;
restore)
echo "restore: restore [ <file name> ]
Restore Shorewall to a state saved using the 'save' command
Existing connections are maintained. The <file name> names a restore file in
/var/lib/shorewall created using "shorewall save"; if no <file name> is given
then Shorewall will be restored from the file specified by the RESTOREFILE
option in shorewall.conf.
See also \"help save\" and \"help forget\""
;;
save)
echo "save: save
The dynamic data is stored in /var/lib/shorewall/save
Shorewall allow, drop, rejct and save implement dynamic blacklisting."
echo "save: save [ <file name> ]
The dynamic data is stored in /var/lib/shorewall/save. The state of the
firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf.
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
See also \"help restore\" and \"help forget\""
;;
show)
echo "show: show [<chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
shorewall show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v)
shorewall show nat - produce a verbose report about the nat table.
shorewall [-x] show nat - produce a verbose report about the nat table.
(iptables -t nat -L -n -v)
shorewall show tos - produce a verbose report about the mangle table.
shorewall [-x] show tos - produce a verbose report about the mangle table.
(iptables -t mangle -L -n -v)
shorewall show log - display the last 20 packet log entries.
@ -199,14 +234,19 @@ show)
being tracked by the firewall.
shorewall show tc - displays information about the traffic
control/shaping configuration."
control/shaping configuration.
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
start)
echo "start: start [ -c <configuration-directory> ]
echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies."
if they are allowed by the firewall rules or policies.
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
in shorewall.conf will be restored if that saved configuration exists"
;;
stop)
@ -219,9 +259,31 @@ stop)
status)
echo "status: status
shorewall [-x] status
Produce a verbose report about the firewall.
(iptables -L -n -v)"
(iptables -L -n -)
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
trace)
echo "trace: trace
If you include the keyword trace as the first argument to any
of these commands:
start|stop|restart|reset|clear|refresh|check|add|delete
then a shell trace of the command is produced. For example:
shorewall trace start 2> /tmp/trace
The above command would trace the 'start' command and
place the trace information in the file /tmp/trace.
The word 'debug' is a synonym for 'trace'."
;;
try)
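Review bot: The rewritten status entry prints `(iptables -L -n -)`, dropping the `v` that the old line had, so the help now describes a command that is not what status runs; it should read `(iptables -L -n -v)`. The added lines for refresh and restart both say `less detain is displayed` while the start entry in the same commit correctly says `less detail is displayed`. The pre-existing `rejct` in the save entry is carried into the rewritten text as well. The `case $1 in` that these arms belong to is closed outside the hunks.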


@ -1,39 +1,48 @@
#
# Shorewall 1.4 - /etc/shorewall/hosts
# Shorewall 2.0 - /etc/shorewall/hosts
#
# THERE ARE TWO CASES WHERE YOU NEED THIS FILE:
#
# 1) YOU HAVE MULTIPLE NETWORKS IN THE SAME ZONE CONNECTED TO
# A SINGLE INTERFACE AND YOU WANT THE SHOREWALL BOX TO ROUTE
# BETWEEN THESE NETWORKS.
#
# 2) YOU HAVE MORE THAN ONE ZONE CONNECTED THROUGH A SINGLE
# INTERFACE.
#
# IF YOU DON'T HAVE EITHER OF THESE SITUATIONS THEN DON'T TOUCH
# THIS FILE.
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
#
# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
#------------------------------------------------------------------------------
# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
# ZONE AND INTERFACE IN THIS FILE.
#------------------------------------------------------------------------------
# This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to
# (should not) place anything in this file.
#
# The order of entries in this file is not significant in
# determining zone composition. Rather, the order that the zones
# are defined in /etc/shorewall/zones determines the order in
# which the records in this file are interpreted.
#
# ZONE - The name of a zone defined in /etc/shorewall/zones
#
# HOST(S) - The name of an interface followed by a colon (":") and
# HOST(S) - The name of an interface defined in the
# /etc/shorewall/interfaces file followed by a colon (":") and
# a comma-separated list whose elements are either:
#
# a) The IP address of a host
# b) A subnetwork in the form
# <subnet-address>/<mask width>
#
# The interface must be defined in the
# /etc/shorewall/interfaces file.
# c) A physical port name; only allowed when the
# interface names a bridge created by the
# brctl addbr command. This port must not
# be defined in /etc/shorewall/interfaces and may
# optionally followed by a colon (":") and a
# host or network IP.
# See http://www.shorewall.net/Bridge.html for details.
#
# Examples:
#
# eth1:192.168.1.3
# eth2:192.168.2.0/24
# eth3:192.168.2.0/24,192.168.3.1
# br0:eth4
# br0:eth0:192.168.1.16/28
#
# OPTIONS - A comma-separated list of options. Currently-defined
# options are:
@ -45,15 +54,75 @@
# an ethernet NIC and must be up before
# Shorewall is started.
#
# routeback - Shorewall show set up the infrastructure
# routeback - Shorewall should set up the infrastructure
# to pass packets from this/these
# address(es) back to themselves. This is
# necessary of hosts in this group use the
# necessary if hosts in this group use the
# services of a transparent proxy that is
# a member of the group or if DNAT is used
# to send requests originating from this
# group to a server in the group.
#
# norfc1918 - This option only makes sense for ports
# on a bridge.
#
# The port should not accept
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling or
# connection-tracking match is enabled in
# your kernel, packets whose destination
# addresses are reserved by RFC 1918 are
# also rejected.
#
# nobogons - This option only makes sense for ports
# on a bridge.
#
# This port should not accept
# any packets whose source is in one
# of the ranges reserved by IANA (this
# option does not cover those ranges
# reserved by RFC 1918 -- see
# 'norfc1918' above).
#
# blacklist - This option only makes sense for ports
# on a bridge.
#
# Check packets arriving on this port
# against the /etc/shorewall/blacklist
# file.
#
# tcpflags - Packets arriving from these hosts are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# nosmurfs - This option only makes sense for ports
# on a bridge.
#
# Filter packets for smurfs
# (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based
# on the setting of SMURF_LOG_LEVEL in
# shorewall.conf. After logging, the
# packets are dropped.
#
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from these hosts, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE


@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.4 -- /etc/shorewall/init
# Shorewall 2.0 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.

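--- a/STABLE/init.debian.sh
+++ b/STABLE/init.debian.sh
@@ -0,0 +1,129 @@
+#!/bin/sh
+SRWL=/sbin/shorewall
+WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
+# Note, set INITLOG to /dev/null if you do not want to
+# keep logs of the firewall (not recommended)
+INITLOG=/var/log/shorewall-init.log
+test -x $SRWL || exit 0
+test -n $INITLOG || {
+echo "INITLOG cannot be empty, please configure $0" ;
+exit 1;
+}
+if [ "$(id -u)" != "0" ]
+then
+echo "You must be root to start, stop or restart \"Shorewall firewall\"."
+exit 1
+fi
+echo_notdone () {
+if [ "$INITLOG" = "/dev/null" ] ; then
+"not done."
+else
+"not done (check $INITLOG)."
+fi
+}
+not_configured () {
+echo "#### WARNING ####"
+echo "the firewall won't be started/stopped unless it is configured"
+if [ "$1" != "stop" ]
+then
+echo ""
+echo "please configure it and then edit /etc/default/shorewall"
+echo "and set the \"startup\" variable to 1 in order to allow "
+echo "shorewall to start"
+fi
+echo "#################"
+exit 0
+}
+# parse the shorewall params file in order to use params in
+# /etc/default/shorewall
+if [ -f "/etc/shorewall/params" ]
+then
+. /etc/shorewall/params
+fi
+# check if shorewall is configured or not
+if [ -f "/etc/default/shorewall" ]
+then
+. /etc/default/shorewall
+if [ "$startup" != "1" ]
+then
+not_configured
+fi
+else
+not_configured
+fi
+# wait an unconfigured interface
+wait_for_pppd () {
+if [ "$wait_interface" != "" ]
+then
+if [ -f $WAIT_FOR_IFUP ]
+then
+for i in $wait_interface
+do
+$WAIT_FOR_IFUP $i 90
+done
+else
+echo "$WAIT_FOR_IFUP: File not found" >> $INITLOG
+echo_notdone
+exit 2
+fi
+fi
+}
+# start the firewall
+shorewall_start () {
+echo -n "Starting \"Shorewall firewall\": "
+wait_for_pppd
+$SRWL -f start >> $INITLOG 2>&1 && echo "done." || echo_notdone
+return 0
+}
+# stop the firewall
+shorewall_stop () {
+echo -n "Stopping \"Shorewall firewall\": "
+$SRWL stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
+return 0
+}
+# restart the firewall
+shorewall_restart () {
+echo -n "Restarting \"Shorewall firewall\": "
+$SRWL restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
+return 0
+}
+# refresh the firewall
+shorewall_refresh () {
+echo -n "Refreshing \"Shorewall firewall\": "
+$SRWL refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
+return 0
+}
+case "$1" in
+start)
+shorewall_start
+;;
+stop)
+shorewall_stop
+;;
+refresh)
+shorewall_refresh
+;;
+force-reload|restart)
+shorewall_restart
+;;
+*)
+echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload}"
+exit 1
+esac
+exit 0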
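Review bot: `echo_notdone` never prints its message: both branches are bare strings, `"not done."` and `"not done (check $INITLOG)."`, which the shell tries to run as command names, so a failed start or stop reports a "command not found" error instead of the intended text; both lines need a leading `echo`. The guard `test -n $INITLOG || {` is unquoted, and with an empty INITLOG `test -n` sees no operand and succeeds, so the check can never fire; it should be `test -n "$INITLOG" || {`. `wait_for_pppd` runs `$WAIT_FOR_IFUP $i 90` after only a `-f` test, so a present but non-executable helper produces a shell error rather than the logged "File not found" path; `-x` would match the `test -x $SRWL` check at the top. `not_configured` compares `"$1"` against `stop`, but both call sites invoke it with no argument, so the configure hint is printed on stop as well; passing the action through, `not_configured "$1"`, makes that branch reachable.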


@ -1,14 +1,13 @@
#!/bin/sh
RCDLINKS="2,S41 3,S41 6,K41"
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.4 3/14/2003
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called:
# /etc/rc.d/init.d/shorewall or /etc/init.d/shorewall
# On most distributions, this file should be called /etc/init.d/shorewall.
#
# Complete documentation is available at http://shorewall.net
#
@ -63,7 +62,12 @@ command="$1"
case "$command" in
stop|start|restart|status)
start)
exec /sbin/shorewall -f start
;;
stop|restart|status)
exec /sbin/shorewall $@
;;
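Review bot: The new `stop|restart|status)` arm runs `exec /sbin/shorewall $@` with `$@` unquoted, so any argument containing whitespace is re-split before it reaches shorewall; `exec /sbin/shorewall "$@"` passes the arguments exactly as received. The `start)` arm now hard-codes `-f`, which per the help text added in this commit restores the saved configuration named by RESTOREFILE when that file exists instead of rebuilding from /etc/shorewall, and that boot-time behaviour deserves a comment above the line, e.g. `# -f: restore the saved configuration (RESTOREFILE) if one exists; see "shorewall help start"`. The enclosing `case "$command"` is closed outside the hunk.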

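--- a/STABLE/initdone
+++ b/STABLE/initdone
@@ -0,0 +1,7 @@
+############################################################################
+# Shorewall 2.0 -- /etc/shorewall/initdone
+#
+# Add commands below that you want to be executed during
+# "shorewall start" or "shorewall restart" commands at the point where
+# Shorewall has not yet added any perminent rules to the builtin chains.
+#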


@ -4,9 +4,9 @@
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
#
# Seawall documentation is available at http://seawall.sourceforge.net
# Shorewall documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
@ -21,47 +21,15 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# Usage:
#
# If you are running a distribution that has a directory called /etc/rc.d/init.d or one
# called /etc/init.d or you are running Slackware then simply cd to the directory
# containing this script and run it.
#
# ./install.sh
#
# If you don't have either of those directories, you will need to determine where the
# SysVInit scripts are kept on your system and pass the name of that directory.
#
# ./install.sh /etc/rc.d/scripts
#
# The default is that the firewall will be started in run levels 2-5 starting at
# position 15 and stopping at position 90. This is correct RedHat/Mandrake, Debian,
# Caldera and Corel.
#
# If you wish to change that, you can pass -r "<levels startpos stoppos>".
#
# Example 1: You wish to start your firewall in runlevels 2 and three, start at position
# 15 and stop at position 90
#
# ./install.sh -r "23 15 90"
#
# Example 2: You wish to start your firewall only in run level 3, start at position 5
# and stop at position 95.
#
# ./install.sh -r "3 5 95" /etc/rc.d/scripts
#
# For distributions that don't include chkconfig (Slackware, for example), the
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.11
VERSION=2.0.16
usage() # $1 = exit status
{
ME=`basename $0`
echo "usage: $ME [ -r \"<chkconfig parameters>\" ] [ <init scripts directory> ]"
echo " $ME [ -v ]"
echo " $ME [ -h ]"
ME=$(basename $0)
echo "usage: $ME"
echo " $ME -v"
echo " $ME -h"
exit $1
}
@ -77,7 +45,7 @@ run_install()
cant_autostart()
{
echo
echo "WARNING: Unable to configure Shorewall to start"
echo "WARNING: Unable to configure shorewall to start"
echo " automatically at boot"
}
@ -105,20 +73,6 @@ delete_file() # $1 = file to delete
fi
}
modify_rclocal()
{
if [ -f /etc/rc.d/rc.local ]; then
if [ -z "`grep shorewall /etc/rc.d/rc.local`" ]; then
cp -f /etc/rc.d/rc.local /etc/rc.d/rc.local-shorewall.bkout
echo >> /etc/rc.d/rc.local
echo "/sbin/shorewall start" >> /etc/rc.d/rc.local
echo "/etc/rc.d/rc.local modified to start Shorewall"
fi
else
cant_autostart
fi
}
install_file_with_backup() # $1 = source $2 = target $3 = mode
{
backup_file $2
@ -129,13 +83,24 @@ install_file_with_backup() # $1 = source $2 = target $3 = mode
# Parse the run line
#
# DEST is the SysVInit script directory
# INIT is the name of the script in the $DEST directory
# RUNLEVELS is the chkconfig parmeters for firewall
# ARGS is "yes" if we've already parsed an argument
#
DEST=""
RUNLEVELS=""
ARGS=""
if [ -z "$DEST" ] ; then
DEST="/etc/init.d"
fi
if [ -z "$INIT" ] ; then
INIT="shorewall"
fi
if [ -z "$RUNLEVELS" ] ; then
RUNLEVELS=""
fi
if [ -z "$OWNER" ] ; then
OWNER=root
fi
@ -147,34 +112,14 @@ fi
while [ $# -gt 0 ] ; do
case "$1" in
-h|help|?)
if [ -n "$ARGS" ]; then
usage 1
fi
usage 0
;;
-r)
if [ -n "$RUNLEVELS" -o $# -eq 1 ]; then
usage 1
fi
RUNLEVELS="$2";
shift
;;
-v)
if [ -n "$ARGS" ]; then
usage 1
fi
echo "Shorewall Firewall Installer Version $VERSION"
exit 0
;;
*)
if [ -n "$DEST" ]; then
usage 1
fi
DEST="$1"
usage 1
;;
esac
shift
@ -186,44 +131,19 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# Determine where to install the firewall script
#
DEBIAN=
if [ -n "$PREFIX" ]; then
install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}/sbin
install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}${DEST}
fi
FIREWALL="shorewall"
if [ -z "$DEST" ]; then
#
# We make this first test so that on RedHat systems that have Seawall installed,
# we can still use PREFIX (the code that reads the existing symbolic link
# fails dreadfully if the link is relative and PREFIX is non-null).
#
if [ -x /etc/rc.d/init.d/firewall ]; then
DEST=/etc/rc.d/init.d
elif [ -L /etc/shorewall/firewall ]; then
TEMP=`ls -l /etc/shorewall/firewall | sed 's/^.*> //'`
DEST=`dirname $TEMP`
FIREWALL=`basename $TEMP`
elif [ -d /etc/rc.d/init.d ]; then
DEST=/etc/rc.d/init.d
elif [ -d /etc/init.d ]; then
DEST=/etc/init.d
elif [ -f /etc/rc.d/rc.local ]; then
DEST=/etc/rc.d
FIREWALL="rc.shorewall"
else
echo "ERROR: Can't determine where to install the firewall script"
echo " Rerun $0 passing the name of the SysVInit script directory"
echo " on your system"
exit 1
fi
elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
DEBIAN=yes
fi
#
# Change to the directory containing this script
#
cd "`dirname $0`"
cd "$(dirname $0)"
echo "Installing Shorewall Version $VERSION"
@ -239,45 +159,26 @@ fi
install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0544
echo
echo "Shorewall control program installed in ${PREFIX}/sbin/shorewall"
echo "shorewall control program installed in ${PREFIX}/sbin/shorewall"
#
# Install the Firewall Script
#
if [ -n "$RUNLEVELS" ]; then
#
# User specified chkconfig parameters -- build an awk script to install them
# in the firewall script
#
echo "/# chkconfig/ { print \"# chkconfig: $RUNLEVELS\" ; next }" > awk.temp
echo "{ print }" >> awk.temp
awk -f awk.temp init.sh > init.temp
if [ $? -ne 0 ]; then
echo
echo "ERROR: Error running awk."
echo " You must run `basename $0` without the "-r" option then edit"
echo " $DEST/$FIREWALL manually (line beginning '# chkconfig:')"
exit 1
fi
install_file_with_backup init.temp ${PREFIX}${DEST}/$FIREWALL 0544
rm -f init.temp awk.tmp
if [ -n "$DEBIAN" ]; then
install_file_with_backup init.debian.sh /etc/init.d/shorewall 0544
else
install_file_with_backup init.sh ${PREFIX}${DEST}/$FIREWALL 0544
install_file_with_backup init.sh ${PREFIX}${DEST}/$INIT 0544
fi
echo
echo "Shorewall script installed in ${PREFIX}${DEST}/$FIREWALL"
echo "Shorewall script installed in ${PREFIX}${DEST}/$INIT"
#
# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
#
mkdir -p ${PREFIX}/etc/shorewall
mkdir -p ${PREFIX}/usr/share/shorewall
mkdir -p ${PREFIX}/var/lib/shorewall
mkdir -p ${PREFIX}/etc/shorewall && chmod 700 ${PREFIX}/etc/shorewall
mkdir -p ${PREFIX}/usr/share/shorewall && chmod 700 ${PREFIX}/usr/share/shorewall
mkdir -p ${PREFIX}/var/lib/shorewall && chmod 700 ${PREFIX}/var/lib/shorewall
#
# Install the config file
#
@ -307,11 +208,6 @@ if [ -f ${PREFIX}/etc/shorewall/functions ]; then
rm -f ${PREFIX}/etc/shorewall/functions
fi
if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then
backup_file ${PREFIX}/var/lib/shorewall/functions
rm -f ${PREFIX}/var/lib/shorewall/functions
fi
install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
echo
@ -324,13 +220,6 @@ install_file_with_backup help ${PREFIX}/usr/share/shorewall/help 0544
echo
echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
#
# Install the common.def file
#
install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444
echo
echo "Common rules installed in ${PREFIX}/etc/shorewall/common.def"
#
# Delete the icmp.def file
@ -388,6 +277,16 @@ else
echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
fi
#
# Install the NETMAP file
#
if [ -f ${PREFIX}/etc/shorewall/netmap ]; then
backup_file /etc/shorewall/netmap
else
run_install -o $OWNER -g $GROUP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap
echo
echo "NETMAP file installed as ${PREFIX}/etc/shorewall/netmap"
fi
#
# Install the Parameters file
#
if [ -f ${PREFIX}/etc/shorewall/params ]; then
@ -498,13 +397,21 @@ fi
#
# Install the rfc1918 file
#
if [ -f ${PREFIX}/etc/shorewall/rfc1918 ]; then
backup_file /etc/shorewall/rfc1918
else
run_install -o $OWNER -g $GROUP -m 0600 rfc1918 ${PREFIX}/etc/shorewall/rfc1918
echo
echo "RFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918"
fi
install_file_with_backup rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0600
echo
echo "RFC 1918 file installed as ${PREFIX}/usr/share/shorewall/rfc1918"
#
# Install the bogons file
#
install_file_with_backup bogons ${PREFIX}/usr/share/shorewall/bogons 0600
echo
echo "Bogon file installed as ${PREFIX}/usr/share/shorewall/bogons"
#
# Install the default config path file
#
install_file_with_backup configpath ${PREFIX}/usr/share/shorewall/configpath 0600
echo
echo " Default config path file installed as ${PREFIX}/usr/share/shorewall/configpath"
#
# Install the init file
#
@ -516,6 +423,16 @@ else
echo "Init file installed as ${PREFIX}/etc/shorewall/init"
fi
#
# Install the initdone file
#
if [ -f ${PREFIX}/etc/shorewall/initdone ]; then
backup_file /etc/shorewall/initdone
else
run_install -o $OWNER -g $GROUP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone
echo
echo "Initdone file installed as ${PREFIX}/etc/shorewall/initdone"
fi
#
# Install the start file
#
if [ -f ${PREFIX}/etc/shorewall/start ]; then
@ -566,25 +483,13 @@ else
echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
fi
#
# Install the User Sets file
#
if [ -f ${PREFIX}/etc/shorewall/usersets ]; then
backup_file /etc/shorewall/usersets
else
run_install -o $OWNER -g $GROUP -m 0600 usersets ${PREFIX}/etc/shorewall/usersets
echo
echo "User Sets file installed as ${PREFIX}/etc/shorewall/usersets"
fi
# Install the Standard Actions file
#
# Install the User file
#
if [ -f ${PREFIX}/etc/shorewall/users ]; then
backup_file /etc/shorewall/users
else
run_install -o $OWNER -g $GROUP -m 0600 users ${PREFIX}/etc/shorewall/users
echo
echo "Users file installed as ${PREFIX}/etc/shorewall/users"
fi
install_file_with_backup actions.std ${PREFIX}/usr/share/shorewall/actions.std 0600
echo
echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
#
# Install the Actions file
#
@ -596,27 +501,23 @@ else
echo "Actions file installed as ${PREFIX}/etc/shorewall/actions"
fi
#
# Install the Action Template file
# Install the Action files
#
if [ -f ${PREFIX}/etc/shorewall/action.template ]; then
backup_file /etc/shorewall/action.template
else
run_install -o $OWNER -g $GROUP -m 0600 action.template ${PREFIX}/etc/shorewall/action.template
echo
echo "Action Template file installed as ${PREFIX}/etc/shorewall/action.template"
fi
for f in action.* ; do
if [ -f ${PREFIX}/usr/share/shorewall/$f ]; then
backup_file /usr/share/shorewall/$f
else
run_install -o $OWNER -g $GROUP -m 0600 $f ${PREFIX}/usr/share/shorewall/$f
echo
echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
fi
done
#
# Backup the version file
#
if [ -z "$PREFIX" ]; then
if [ -f /usr/share/shorewall/version ]; then
backup_file /usr/share/shorewall/version
elif [ -f /usr/lib/shorewall/version ]; then
backup_file /usr/lib/shorewall/version
elif [ -n "$oldversion" ]; then
echo $oldversion > /usr/lib/shorewall/version-${VERSION}.bkout
else
echo "Unknown" > /usr/lib/shorewall/version-${VERSION}.bkout
fi
fi
#
@ -629,54 +530,64 @@ chmod 644 ${PREFIX}/usr/share/shorewall/version
#
if [ -z "$PREFIX" ]; then
rm -f /etc/shorewall/firewall
rm -f /var/lib/shorewall/firewall
[ -L /usr/lib/shorewall/firewall ] && \
mv -f /usr/lib/shorewall/firewall /usr/lib/shorewall/firewall-${VERSION}.bkout
rm -f /usr/lib/shorewall/init
rm -f /usr/share/shorewall/init
ln -s ${DEST}/${FIREWALL} /usr/share/shorewall/init
ln -s ${DEST}/${INIT} /usr/share/shorewall/init
fi
#
# Install the firewall script
#
install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544
if [ -z "$PREFIX" -a -n "$first_install" ]; then
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
if insserv /etc/init.d/shorewall ; then
if [ -z "$PREFIX" ]; then
if [ -n "$first_install" ]; then
if [ -n "$DEBIAN" ]; then
run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
echo
echo "Firewall will start automatically at boot"
echo "shorewall will start automatically at boot"
echo "Set startup=1 in /etc/default/shorewall to enable"
else
cant_autostart
fi
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
if chkconfig --add $FIREWALL ; then
echo
echo "Firewall will start automatically in run levels as follows:"
chkconfig --list $FIREWALL
else
cant_autostart
fi
elif [ -x /sbin/rc-update ]; then
if rc-update add shorewall default; then
echo
echo "Firewall will start automatically at boot"
else
cant_autostart
fi
else
modify_rclocal
fi
echo \
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
if insserv /etc/init.d/shorewall ; then
echo
echo "shorewall will start automatically at boot"
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
else
cant_autostart
fi
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
if chkconfig --add shorewall ; then
echo
echo "shorewall will start automatically in run levels as follows:"
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
chkconfig --list shorewall
else
cant_autostart
fi
elif [ -x /sbin/rc-update ]; then
if rc-update add shorewall default; then
echo
echo "shorewall will start automatically at boot"
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
else
cant_autostart
fi
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
cant_autostart
fi
echo \
"########################################################################
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
########################################################################" > /etc/shorewall/startup_disabled
fi
fi
elif [ -n "$DEBIAN" -a ! -f /etc/default/shorewall ]; then
run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
fi
fi
#
# Report Success
#
echo
echo "Shorewall Version $VERSION Installed"
echo "shorewall Version $VERSION Installed"


@ -1,5 +1,5 @@
#
# Shorewall 1.4 -- Interfaces File
# Shorewall 2.0 -- Interfaces File
#
# /etc/shorewall/interfaces
#
@ -24,11 +24,12 @@
# want to make an entry that applies to all PPP
# interfaces, use 'ppp+'.
#
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
# There is no need to define the loopback interface (lo)
# in this file.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left black.If the interface has multiple
# column is left blank.If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
@ -36,8 +37,7 @@
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started, you must have iproute
# installed and the interface must only be associated
# with a single subnet.
# installed.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
@ -46,38 +46,51 @@
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall or
# you have a static IP but are on a LAN
# segment with lots of Laptop DHCP clients.
# dhcp - Specify this option when any of
# the following are true:
# 1. the interface gets its IP address
# via DHCP
# 2. the interface is used by
# a DHCP server running on the firewall
# 3. you have a static IP but are on a LAN
# segment with lots of Laptop DHCP
# clients.
# 4. the interface is a bridge with
# a DHCP server on one port and DHCP
# clients on another port.
#
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling is
# enabled in shorewall.conf, packets
# whose destination addresses are
# reserved by RFC 1918 are also rejected.
# addresses. If packet mangling or
# connection-tracking match is enabled in
# your kernel, packets whose destination
# addresses are reserved by RFC 1918 are
# also rejected.
#
# nobogons - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by IANA (this
# option does not cover those ranges
# reserved by RFC 1918 -- see above).
#
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
# dropunclean - Logs and drops mangled/invalid
# packets. USE OF THIS OPTION IS
# NOT RECOMMENDED. It will be removed in
# Shorewall 2.0.
# logunclean - Logs mangled/invalid packets but does
# not drop them. This option will be
# removed in Shorewall 2.0.
#
# . . blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
#
# maclist - Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
@ -86,6 +99,7 @@
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
@ -101,11 +115,21 @@
# established connection will be accepted
# from this interface, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf.
# /etc/shorewall/shorewall.conf. In other
# words, packets coming in on this interface
# are processed as if NEWNOTSYN=Yes had been
# specified in /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
# It is the opinion of the author that
# NEWNOTSYN=No creates more problems than
# it solves and I recommend against using
# that setting in shorewall.conf (hence
# making the use of the 'newnotsyn'
# interface option unnecessary).
#
# routeback - If specified, indicates that Shorewall
# should include rules that allow filtering
# traffic arriving on this interface back
@ -120,12 +144,21 @@
# interface. The interface must be up
# when Shorewall is started.
#
# nosmurfs - Filter packets for smurfs
# (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based
# on the setting of SMURF_LOG_LEVEL in
# shorewall.conf. After logging, the
# packets are dropped.
#
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE!
# INTERNET INTERFACE.
#
# The order in which you list the options is not
# significant but the list should have no embedded white
@ -157,4 +190,5 @@
# net ppp0 -
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
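Review bot: The rewritten `dhcp` entry at the top of the OPTIONS list now lists four situations in which to set the option but, unlike the `norfc1918`, `nobogons`, `routefilter` and `nosmurfs` entries, never states what the option actually changes on the interface; a one-line effect statement before the numbered list would make it consistent with its neighbours (I cannot tell from this file what that effect is, so the author should supply it). In the `detectnets` entry, `taylors` should read `tailors`. The `norfc1918` text now says destination-address rejection depends on "packet mangling or connection-tracking match" in the kernel rather than on a shorewall.conf setting; if that is a behaviour change rather than a wording fix, it belongs in the release notes as well.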


@ -1,11 +1,14 @@
#
# Shorewall 1.4 - MAC list file
# Shorewall 2.0 - MAC list file
#
# /etc/shorewall/maclist
#
# Columns are:
#
# INTERFACE Network interface to a host
# INTERFACE Network interface to a host. If the interface
# names a bridge, it may be optionally followed by
# a colon (":") and a physical port name (e.g.,
# br0:eth4).
#
# MAC MAC address of the host -- you do not need to use
# the Shorewall format for MAC addresses here


@ -1,5 +1,5 @@
#
# Shorewall 1.4 - Masquerade file
# Shorewall 2.0 - Masquerade file
#
# /etc/shorewall/masq
#
@ -18,12 +18,7 @@
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a comma-separed list of
# destination hosts or subnets. If this list begins with
# "!" then masquerading will occur if and only if the
# connection destination is NOT included in the list.
# Otherwise, the masquerading will occur if and only if
# the destination IS included in the list.
# ":" followed by a destination host or subnet.
#
#
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
@ -47,6 +42,13 @@
# will automatically add this address to the
# INTERFACE named in the first column.
#
# If you have set ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf then DO NOT
# PLACE YOUR EXTERNAL INTERFACE'S PRIMARY IP
# ADDRESS IN THIS COLUMN -- If you do so, you
# will loose your default route when Shorewall
# starts.
#
# You may also specify a range of up to 256
# IP addresses if you want the SNAT address to
# be assigned from that range in a round-robin
@ -60,6 +62,27 @@
#
# This column may not contain DNS Names.
#
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.
#
# PROTO -- (Optional) If you wish to restrict this entry to a
# particular protocol then enter the protocol
# name (from /etc/protocols) or number here.
#
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# or UDP (protocol 17) then you may list one
# or more port numbers (or names from
# /etc/services) separated by commas or you
# may list a single port range
# (<low port>:<high port>).
#
# Where a comma-separated list is given, your
# kernel and iptables must have multiport match
# support and a maximum of 15 ports may be
# listed.
#
#
# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
@ -94,11 +117,24 @@
#
# You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 to
# primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0.
#
# eth0:0 192.168.1.0/24 206.124.146.176
#
##############################################################################
#INTERFACE SUBNET ADDRESS
# Example 5:
#
# You want all outgoing SMTP traffic entering the firewall
# on eth1 to be sent from eth0 with source IP address
# 206.124.146.177. You want all other outgoing traffic
# from eth1 to be sent from eth0 with source IP address
# 206.124.146.176.
#
# eth0 eth1 206.124.146.177 tcp smtp
# eth0 eth1 206.124.146.176
#
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
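Review bot: Example 4 is now grammatically broken: the line `# primary address of eth0. You want 206.124.146.176 added to` was edited but the following unchanged line still reads `# be added to eth0 with name eth0:0.`, giving "added to be added to". Change the second line to `# to eth0 with name eth0:0.` (or restore the old wording). In the new ADD_SNAT_ALIASES warning, `loose your default route` should be `lose your default route`. The new PORT(S) column text states the 15-port multiport limit, which is the right place for it; the same constraint presumably applies wherever comma-separated port lists are accepted in the rules file, so a cross-reference there would help.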


@ -1,5 +1,5 @@
##############################################################################
# Shorewall 1.4 /etc/shorewall/modules
# Shorewall 2.0 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
#


@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.4 -- Network Address Translation Table
# Shorewall 2.0 -- Network Address Translation Table
#
# /etc/shorewall/nat
#
@ -16,7 +16,7 @@
# EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next
# column and must not be a DNS Name.
# INTERFACE Interface that we want to EXTERNAL address to appear
# INTERFACE Interface that you want to EXTERNAL address to appear
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
# follow the interface name with ":" and a digit to
# indicate that you want Shorewall to add the alias
@ -25,12 +25,11 @@
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
# INTERNAL Internal Address (must not be a DNS Name).
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
# from all hosts. If No or no then NAT will be effective
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
# If No or no (or left empty) then NAT will be effective
# only through the interface named in the INTERFACE
# column
# LOCAL If Yes or yes and the ALL INTERFACES column contains
# Yes or yes, NAT will be effective from the firewall
# LOCAL If Yes or yes, NAT will be effective from the firewall
# system
##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
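Review bot: The ALL INTERFACES column silently inverts the meaning of an empty value: the 1.4 text treated a blank column as Yes, the 2.0 text treats it as No, so an existing nat file with that column left blank changes behaviour on upgrade without any edit to the file. The column description should say so, e.g. `# (Shorewall 1.4 treated an empty column as Yes.)`, and the upgrade section of the release notes should call it out. The LOCAL column likewise no longer requires ALL INTERFACES to be Yes, so a file that has LOCAL=Yes and ALL INTERFACES=No will newly apply NAT from the firewall itself; that change also deserves a line in the release notes.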

38
STABLE/netmap Normal file

@ -0,0 +1,38 @@
##############################################################################
#
# Shorewall 2.0 -- Network Mapping Table
#
# /etc/shorewall/netmap
#
# This file is used to map addresses in one network to corresponding
# addresses in a second network.
#
# WARNING: To use this file, your kernel and iptables must have
# NETMAP support included.
#
# Columns must be separated by white space and are:
#
# TYPE Must be DNAT or SNAT.
#
# If DNAT, traffic entering INTERFACE and addressed to
# NET1 has it's destination address rewritten to the
# corresponding address in NET2.
#
# If SNAT, traffic leaving INTERFACE with a source
# address in NET1 has it's source address rewritten to
# the corresponding address in NET2.
#
# NET1 Network in CIDR format (e.g., 192.168.1.0/24)
#
# INTERFACE The name of a network interface. The interface must
# be defined in /etc/shorewall/interfaces.
#
# NET2 Network in CIDR format
#
# See http://shorewall.net/netmap.html for an example and usage
# information.
#
##############################################################################
#TYPE NET1 INTERFACE NET2
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
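Review bot: The TYPE description in this new file uses `it's` for the possessive twice (`has it's destination address rewritten`, `has it's source address rewritten`); both should read `its`. The INTERFACE text says the interface must be defined in /etc/shorewall/interfaces, which is useful; it would also help to say whether the DNAT/SNAT mapping is a one-to-one address mapping (as the "corresponding address" wording implies) and therefore whether NET1 and NET2 must have the same prefix length, since nothing here says what happens when they differ.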


@ -1,5 +1,5 @@
#
# Shorewall 1.4 /etc/shorewall/params
# Shorewall 2.0 /etc/shorewall/params
#
# Assign any variables that you need here.
#


@ -1,15 +1,14 @@
#
# Shorewall 1.4 -- Policy File
# Shorewall 2.0 -- Policy File
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
# don't get a match from the /etc/shorewall/rules file . For each
# source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server).
#
# Columns are:
#
@ -19,10 +18,6 @@
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# WARNING: Firewall->Firewall policies are not allowed; if
# you have a policy where both SOURCE and DEST are $FW,
# Shorewall will not start!
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
@ -47,6 +42,12 @@
# SOURCE or DEST columns contain the
# firewall zone ($FW) or "all".
#
# If this column contains ACCEPT, DROP or REJECT and a
# corresponding common action is defined in
# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
# then that action will be invoked before the policy named in
# this column is inforced.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
@ -59,7 +60,7 @@
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "_" here.
# following column, place "-" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
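Review bot: The new paragraph on common actions spells `inforced` for `enforced`, and the rewritten sentence above it has a stray space before the period in `rules file .`. The LOG LEVEL placeholder changed from `_` to `-`; if 1.4 genuinely accepted `_` (I cannot tell from this file), existing policy files using it will now differ in meaning, so either state that both are accepted or note the change for upgraders. The common-action paragraph would also be clearer if it named the actions involved the way the interfaces file names its options, e.g. `# (e.g. the Drop and Reject actions from actions.std)`, only if that is indeed the mapping.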


@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.4 -- Proxy ARP
# Shorewall 2.0 -- Proxy ARP
#
# /etc/shorewall/proxyarp
#
@ -9,22 +9,36 @@
# Columns must be separated by white space and are:
#
# ADDRESS IP Address
#
# INTERFACE Local interface where system is connected. If the
# local interface is obvious from the subnetting,
# you may enter "-" in this column.
#
# EXTERNAL External Interface to be used to access this system
#
# HAVEROUTE If there is already a route from the firewall to
# the host whose address is given, enter "Yes" or "yes"
# in this column. Otherwise, entry "no", "No" or leave
# the column empty.
# the column empty and Shorewall will add the route for
# you. If Shorewall adds the route,the route will be
# persistent if the PERSISTENT column contains Yes;
# otherwise, "shorewall stop" or "shorewall clear" will
# delete the route.
#
# PERSISTENT If HAVEROUTE is No or "no", then the value of this
# column determines if the route added by Shorewall
# persists after a "shorewall stop" or a "shorewall
# clear". If this column contains "Yes" or "yes" then
# the route persists; If the column is empty or contains
# "No"or "no" then the route is deleted at "shorewall
# stop" or "shorewall clear".
#
# Example: Host with IP 155.186.235.6 is connected to
# interface eth1 and we want hosts attached via eth0
# to be able to access it using that address.
#
# #ADDRESS INTERFACE EXTERNAL HAVEROUTE
# 155.186.235.6 eth1 eth0 No
# #ADDRESS INTERFACE EXTERNAL
# 155.186.235.6 eth1 eth0
##############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
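Review bot: The new PERSISTENT column is only defined for the case "HAVEROUTE is No"; the text does not say what the column means when HAVEROUTE is Yes (presumably ignored, since Shorewall adds no route in that case — confirm). If so, append `# This column is ignored when HAVEROUTE is Yes.` to the PERSISTENT entry. In the HAVEROUTE text, `entry "no", "No"` should read `enter "no", "No"`. The example's comment header was trimmed to three columns while the template line below gains PERSISTENT; that is consistent with both columns being optional per the text above, but the example would be a better teaching aid if it showed one persistent route.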


@ -1,7 +1,301 @@
Shorewall 1.4.11
Shorewall 2.0.16
Problems Corrected since version 1.4.10g
----------------------------------------------------------------------
Problems Corrected in version 2.0.4
1) The shorewall.conf and zones file are no longer given execute
permission by the installer.
1) A DNAT rule with 'fw' as the source that specified logging caused
"shorewall start" to fail.
----------------------------------------------------------------------
Problems Corrected in version 2.0.5
1) Eliminated "$RESTOREBASE: ambiguous redirect" messages during
"shorewll stop" in the case where DISABLE_IPV6=Yes in
shorewall.conf.
2) An anachronistic reference to the mangle option was removed from
shorewall.conf.
----------------------------------------------------------------------
Problems Corrected in version 2.0.6
1) Some users have reported the pkttype match option in iptables/
Netfilter failing to match certain broadcast packets. The result
is that the firewall log shows a lot of broadcast packets.
Other users have complained of the following message when
starting Shorewall:
modprobe: cant locate module ipt_pkttype
Users experiencing either of these problems can use PKTTYPE=No in
shorewall.conf to cause Shorewall to use IP address filtering of
broadcasts rather than packet type.
2) The shorewall.conf and zones file are no longer given execute
permission by the installer script.
3) ICMP packets that are in the INVALID state are now dropped by the
Reject and Drop default actions. They do so using the new
'dropInvalid' builtin action.
-----------------------------------------------------------------------
Problems Corrected in version 2.0.7
1) The PKTTYPE option introduced in version 2.0.6 is now used when
generating rules to REJECT packets. Broadcast packets are silently
dropped rather than being rejected with an ICMP (which is a protocol
violation) and users whose kernels have broken packet type match
support are likely to see messages reporting this violation.
Setting PKTTYPE=No should cause these messages to cease.
2) Multiple interfaces with the 'blacklist' option no longer result in
an error message at startup.
3) The following has been added to /etc/shorewall/bogons:
0.0.0.0 RETURN
This prevents the 'nobogons' option from logging DHCP 'DISCOVER'
broadcasts.
-----------------------------------------------------------------------
New Features in version 2.0.7
1) To improve supportability, the "shorewall status" command now
includes IP and Route configuration information.
Example:
IP Configuration
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:a0:c9:15:39:78 brd ff:ff:ff:ff:ff:ff
inet6 fe80::2a0:c9ff:fe15:3978/64 scope link
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:a0:c9:a7:d7:bf brd ff:ff:ff:ff:ff:ff
inet6 fe80::2a0:c9ff:fea7:d7bf/64 scope link
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
6: eth2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
inet6 fe80::240:d0ff:fe07:3a1b/64 scope link
7: br0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc noqueue
link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
inet 192.168.1.3/24 brd 192.168.1.255 scope global br0
inet6 fe80::240:d0ff:fe07:3a1b/64 scope link
Routing Rules
0: from all lookup local
32765: from all fwmark ca lookup www.out
32766: from all lookup main
32767: from all lookup default
Table local:
broadcast 192.168.1.0 dev br0 proto kernel scope link src 192.168.1.3
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.1.3 dev br0 proto kernel scope host src 192.168.1.3
broadcast 192.168.1.255 dev br0 proto kernel scope link src 192.168.1.3
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table www.out:
default via 192.168.1.3 dev br0
Table main:
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.3
default via 192.168.1.254 dev br0
Table default:
-----------------------------------------------------------------------
Problems Corrected in version 2.0.8
1) User/group restricted rules now work in actions.
-----------------------------------------------------------------------
Problems Corrected in version 2.0.9
1) Previously, an empty PROTO column or a value of "all" in that column
would cause errors when processing the /etc/shorewall/tcrules file.
New Fewatures in version 2.0.9
1) The "shorewall status" command now includes the output of "brctl
show" if the bridge tools are installed.
-----------------------------------------------------------------------
Problems corrected in version 2.0.10
1) The GATEWAY column was previously ignored in 'pptpserver' entries in
/etc/shorewall/tunnels.
2) When log rule numbers are included in the LOGFORMAT, duplicate
rule numbers could previously be generated.
3) The /etc/shorewall/tcrules file now includes a note to the effect
that rule evaluation continues after a match.
4) The error message produced if Shorewall couldn't obtain the routes
through an interface named in the SUBNET column of
/etc/shorewall/masq was less than helpful since it didn't include
the interface name.
-----------------------------------------------------------------------
New Features in 2.0.10
The "shorewall status" command has been enhanced to include the values
of key /proc settings:
Example from a two-interface firewall:
/proc
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
-----------------------------------------------------------------------
Problems corrected in 2.0.11
1) The INSTALL file now include special instructions for Slackware
users.
2) The bogons file has been updated.
3) Service names are replaced by port numbers in /etc/shorewall/tos.
4) A typo in the install.sh file that caused an error during a new
install has been corrected.
-----------------------------------------------------------------------
New Features in 2.0.11
1) The AllowNNTP action now allows NNTP over SSL/TLS (NTTPS).
-----------------------------------------------------------------------
Problems corrected in 2.0.12
1) A typo in shorewall.conf (NETNOTSYN) has been corrected.
2) The "shorewall add" and "shorewall delete" commands now work in a
bridged environment. The syntax is:
shorewall add <interface>[:<port>]:<address> <zone>
shorewall delete <interface>[:<port>]:<address> <zone>
Examples:
shorewall add br0:eth2:192.168.1.3 OK
shorewall delete br0:eth2:192.168.1.3 OK
3) Previously, "shorewall save" created an out-of-sequence restore
script. The commands saved in the user's /etc/shorewall/start script
were executed prior to the Netfilter configuration being
restored. This has been corrected so that "shorewall save" now
places those commands at the end of the script.
To accomplish this change, the "restore base" file
(/var/lib/shorewall/restore-base) has been split into two files:
/var/lib/shorewall/restore-base -- commands to be executed before
Netfilter the configuration is restored.
/var/lib/shorewall/restore-tail -- commands to be executed after the
Netfilter configuration is restored.
4) Previously, traffic from the firewall to a dynamic zone member host
did not need to match the interface specified when the host was
added to the zone. For example, if eth0:1.2.3.4 is added to dynamic
zone Z then traffic out of any firewall interface to 1.2.3.4 will
obey the fw->Z policies and rules. This has been corrected.
-----------------------------------------------------------------------
New Features in 2.0.12
1) Variable expansion may now be used with the INCLUDE directive.
Example:
/etc/shorewall/params
FILE=/etc/foo/bar
Any other config file:
INCLUDE $FILE
-----------------------------------------------------------------------
Problems corrected in 2.0.13
1) A typo in /usr/share/shorewall/firewall caused the following:
/usr/share/shorewall/firewall: line 1: match_destination_hosts: command
not found
-----------------------------------------------------------------------
New Features in 2.0.14
1) Previously, when rate-limiting was specified in
/etc/shorewall/policy (LIMIT:BURST column), any traffic which
exceeded the specified rate was silently dropped. Now, if a log
level is given in the entry (LEVEL column) then drops are logged at
that level at a rate of 5/min with a burst of 5.
-----------------------------------------------------------------------
Problems corrected in 2.0.14
1) A typo in the /etc/shorewall/interfaces file has been fixed.
2) "bad variable" error messages occurring during "shorewall stop" and
"shorewall clear" have been eliminated.
3) A misleading typo in /etc/shorewall/tunnels has been corrected.
-----------------------------------------------------------------------
Problems corrected in 2.0.15
1) The range of ports opened by the AllowTrcrt action has been
expanded to 33434:33524.
2) Code mis-ported from 2.2.0 caused the following error during
"shorewall start" where SYN rate-limiting is present in
/etc/shorewall/policy:
Bad argument `DROP'
Try `iptables -h' or 'iptables --help' for more information.
-----------------------------------------------------------------------
New Features in 2.0.16
1) Recent 2.6 kernels include code that evaluates TCP packets based on
TCP Window analysis. This can cause packets that were previously
classified as NEW or ESTABLISHED to be classified as INVALID.
The new kernel code can be disabled by including this command in
your /etc/shorewall/init file:
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
Additional kernel logging about INVALID TCP packets may be
obtained by adding this command to /etc/shorewall/init:
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
Traditionally, Shorewall has dropped INVALID TCP packets early. The
new DROPINVALID option allows INVALID packets to be passed through
the normal rules chains by setting DROPINVALID=No.
If not specified or if specified as empty (e.g., DROPINVALID="")
then DROPINVALID=Yes is assumed.


@ -1,13 +1,14 @@
#
# Shorewall 1.4 -- RFC1918 File
# Shorewall 2.0-- RFC1918 File
#
# /etc/shorewall/rfc1918
#
# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
#
# The default list includes those IP addresses listed in RFC 1918, those listed
# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
# reserved for use in documentation and examples.
# The default list includes those IP addresses listed in RFC 1918.
#
# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
# TO /etc/shorewall AND MODIFY THE COPY.
#
# Columns are:
#
@ -19,50 +20,7 @@
#
###############################################################################
#SUBNET TARGET
255.255.255.255 RETURN # We need to allow limited broadcast
169.254.0.0/16 DROP # DHCP autoconfig
172.16.0.0/12 logdrop # RFC 1918
192.0.2.0/24 logdrop # Example addresses (RFC 3330)
192.168.0.0/16 logdrop # RFC 1918
#
# The following are generated with the help of the Python program found at:
#
# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
#
# The program was contributed by Andy Wiggin
#
0.0.0.0/7 logdrop # Reserved
2.0.0.0/8 logdrop # Reserved
5.0.0.0/8 logdrop # Reserved
7.0.0.0/8 logdrop # Reserved
10.0.0.0/8 logdrop # Reserved
23.0.0.0/8 logdrop # Reserved
27.0.0.0/8 logdrop # Reserved
31.0.0.0/8 logdrop # Reserved
36.0.0.0/7 logdrop # Reserved
39.0.0.0/8 logdrop # Reserved
41.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
73.0.0.0/8 logdrop # Reserved
74.0.0.0/7 logdrop # Reserved
76.0.0.0/6 logdrop # Reserved
89.0.0.0/8 logdrop # Reserved
90.0.0.0/7 logdrop # Reserved
92.0.0.0/6 logdrop # Reserved
96.0.0.0/3 logdrop # Reserved
127.0.0.0/8 logdrop # Loopback
173.0.0.0/8 logdrop # Reserved
174.0.0.0/7 logdrop # Reserved
176.0.0.0/5 logdrop # Reserved
184.0.0.0/6 logdrop # Reserved
189.0.0.0/8 logdrop # Reserved
190.0.0.0/8 logdrop # Reserved
197.0.0.0/8 logdrop # Reserved
198.18.0.0/15 logdrop # Reserved
223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
240.0.0.0/4 logdrop # Reserved
# End of generated entries
#
10.0.0.0/8 logdrop # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
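Review bot: The default list now contains only the three RFC 1918 blocks, so the loopback (127.0.0.0/8), link-local (169.254.0.0/16), documentation (192.0.2.0/24), 240.0.0.0/4 and IANA-reserved ranges that 1.4's `norfc1918` option also dropped are no longer filtered by that option; an upgraded firewall that relies on `norfc1918` alone quietly loses that coverage. The interfaces file in this commit introduces a separate `nobogons` option for IANA-reserved ranges, and the release notes refer to /etc/shorewall/bogons, so the header here should point there, e.g. `# Ranges reserved by IANA (and other non-RFC1918 ranges formerly listed here) are handled by the 'nobogons' interface option and /etc/shorewall/bogons.` — assuming those ranges were indeed moved to that file, which I cannot verify from this page. The header line `# Shorewall 2.0-- RFC1918 File` is missing the space before `--`.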


@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.4 -- Hosts Accessible when the Firewall is Stopped
# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped
#
# /etc/shorewall/routestopped
#
@ -14,12 +14,18 @@
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
# OPTIONS - (Optional) A comma-separated list of
# options. The currently-supported options are:
#
# routeback - Set up a rule to ACCEPT traffic from
# these hosts back to themselves.
#
# Example:
#
# INTERFACE HOST(S)
# INTERFACE HOST(S) OPTIONS
# eth2 192.168.1.0/24
# eth0 192.0.2.44
# br0 - routeback
##############################################################################
#INTERFACE HOST(S)
#INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
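Review bot: The new example `br0 - routeback` combines `-` in HOST(S), which this hunk defines as 0.0.0.0/0, with the new `routeback` option, so while the firewall is stopped traffic from any source arriving on br0 is accepted back out through br0; the option description should say that plainly rather than leave it to be inferred from the example. I would extend the description with `# Use with care: with HOST(S) empty or "-" this accepts all traffic entering and leaving the interface while the firewall is stopped.` Whether the option also affects traffic addressed to the firewall itself is not stated in this file, so the caveat should be limited to what the comment describes.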


@ -1,24 +1,37 @@
#
# Shorewall version 1.4 - Rules File
# Shorewall version 2.0 - Rules File
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
# responses are automatically allowed using connection tracking. For any
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first match is the one
# that determines the disposition of the request.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead.
#-------------------------------------------------------------------------------#
# Columns are:
#
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
# LOG or an <action>.
# LOG, QUEUE or an <action>.
#
# ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
# connection from any subsequent
# DNAT[-] or REDIRECT[-] rules
# NONAT -- Excludes the connection from any
# subsequent DNAT[-] or REDIRECT[-]
# rules but doesn't generate a rule
# to accept the traffic.
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
@ -36,6 +49,7 @@
# Like REDIRET but only generates the
# REDIRECT iptables rule and not
# the companion ACCEPT rule.
#
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
@ -47,38 +61,31 @@
# (those) zone(s).
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
# application such as ftwall
# (http://p2pwall.sf.net).
# <action> -- The name of an action defined in
# /etc/shorewall/actions.
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std.
#
# You may rate-limit the rule by optionally
# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
# < <rate>/<interval>[:<burst>] >
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: ACCEPT<10/sec:20>
#
# The ACTION (and rate limit) may optionally be followed
# The ACTION may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# DNAT<4/sec:8>:debugging). This causes the packet to be
# DNAT:debug). This causes the packet to be
# logged at the specified level.
#
# NOTE: For those of you who prefer to place the
# rate limit in a separate column, see the RATE LIMIT
# column below. If you specify a value in that column,
# you must not include a rate limit in the ACTION column
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
@ -86,6 +93,10 @@
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
#
# Except when "all" is specified, clients may be further
# restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
@ -116,6 +127,10 @@
# /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all"
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
#
# Except when "all" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
@ -180,8 +195,8 @@
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
# specify an ORIGINAL DEST in the next column, then
# place "-" in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
@ -229,25 +244,25 @@
#
# Example: 10/sec:20
#
# If you place a rate limit in this column, you may not
# place a similar limit in the ACTION column.
#
# USER SET This column may only be non-empty if the SOURCE is
# the firewall itself and the ACTION is ACCEPT, DROP or
# REJECT.
# USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# The column may contain a user set name defined in the
# /etc/shorewall/usersets file or it may contain:
# The column may contain:
#
# [<user name or number>]:[<group name or number>]
# [!][<user name or number>][:<group name or number>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user>(s) and/or <group>(s) specified.
# When a user set name is given, a log level may not be
# present in the ACTION column; logging for such rules is
# controlled by the user set's entry in
# /etc/shorewall/usersets.
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
#
# Example: Accept SMTP requests from the DMZ to the internet
#
@ -293,6 +308,6 @@
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22
####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST LIMIT
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
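Review bot: The ACTION summary at the top of the first hunk, `ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, LOG, QUEUE or an <action>.`, omits the `ACCEPT+` and `NONAT` targets that the same hunk documents a few lines further down, and both of those change whether later DNAT/REDIRECT rules apply to a connection. The summary should read `# ACTION ACCEPT, ACCEPT+, NONAT, DROP, REJECT, DNAT, DNAT-, REDIRECT,` followed by `# CONTINUE, LOG, QUEUE or an <action>.` so a reader scanning the list sees that NONAT exists and, per its own description, does not accept traffic. Pre-existing in the context lines of the `@ -86,6 +93,10 @@` hunk: `"!' and a comma-separated list of sub-zone names.` has mismatched quotes.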


@ -1,11 +1,10 @@
#!/bin/sh
#
# Shorewall Packet Filtering Firewall Control Program - V1.4 - 3/14/2003
# Shorewall Packet Filtering Firewall Control Program - V2.0 - 3/14/2004
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
#
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
#
# This file should be placed in /sbin/shorewall.
#
@ -77,10 +76,17 @@
# listed address(es)
# shorewall allow <address> ... Reenable address(es) previously
# disabled with "drop" or "reject"
# shorewall save Save the list of "rejected" and
# shorewall save [ <file> ] Save the list of "rejected" and
# "dropped" addresses so that it will
# be automatically reinstated the
# next time that Shorewall starts.
# Save the current state so that 'shorewall
# restore' can be used.
#
# shorewall forget [ <file> ] Discard the data saved by 'shorewall save'
#
# shorewall restore [ <file> ] Restore the state of the firewall from
# previously saved information.
#
# shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ]
#
@ -128,6 +134,19 @@ showchain() # $1 = name of chain
fi
}
#
# Validate the value of RESTOREFILE
#
validate_restorefile() # $* = label
{
case $RESTOREFILE in
*/*)
echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2
exit 2
;;
esac
}
#
# Set the configuration variables from shorewall.conf
#
@ -157,10 +176,17 @@ get_config() {
if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -e "$SHOREWALL_SHELL" ]; then
echo "The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
exit 2
fi
fi
[ -n "$RESTOREFILE" ] || RESTOREFILE=restore
validate_restorefile RESTOREFILE
export RESTOREFILE
}
#
@ -169,7 +195,7 @@ get_config() {
#
display_chains()
{
trap "rm -f $TMPFILE; exit 1" 1 2 3 4 5 6 9
trap "rm -f $tmpfile; exit 1" 1 2 3 4 5 6 9
if [ "$haveawk" = "Yes" ]; then
#
@ -177,13 +203,12 @@ display_chains()
# the output in a variable.
#
TMPFILE=$(mktempfile)
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
[ -n "$TMPFILE" ] || { echo "Cannot create a temporary file" >&2; exit 2; }
iptables -L -n -v >> $TMPFILE
iptables -L $IPT_OPTIONS >> $TMPFILE
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
echo "Standard Chains"
echo
@ -195,13 +220,13 @@ display_chains()
timed_read
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
firstchain=Yes
echo "Input Chains"
echo
chains=`grep '^Chain.*_[in|fwd]' $TMPFILE | cut -d' ' -f 2`
chains=$(grep '^Chain.*_[in|fwd]' $TMPFILE | cut -d' ' -f 2)
for chain in $chains; do
showchain $chain
@ -211,9 +236,9 @@ display_chains()
for zone in $zones; do
if [ -n "`grep "^Chain \.*${zone}" $TMPFILE`" ] ; then
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
firstchain=Yes
eval display=\$${zone}_display
@ -232,7 +257,7 @@ display_chains()
done
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
firstchain=Yes
echo "Policy Chains"
@ -253,7 +278,7 @@ display_chains()
timed_read
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
firstchain=Yes
echo "Dynamic Chain"
@ -294,7 +319,7 @@ packet_log() # $1 = number of messages
sed s/" kernel:"// | \
sed s/" $host $LOGFORMAT"/" "/ | \
sed s/" $host kernel: ipt_unclean: "/" "/ | \
sed 's/MAC=.*SRC=/SRC=/' | \
sed 's/MAC=.* SRC=/SRC=/' | \
tail $options
}
@ -305,7 +330,7 @@ show_tc() {
show_one_tc() {
local device=${1%@*}
qdisc=`tc qdisc list dev $device`
qdisc=$(tc qdisc list dev $device)
if [ -n "$qdisc" ]; then
echo Device $device:
@ -335,7 +360,7 @@ show_classifiers() {
show_one_classifier() {
local device=${1%@*}
qdisc=`tc qdisc list dev $device`
qdisc=$(tc qdisc list dev $device)
if [ -n "$qdisc" ]; then
echo Device $device:
@ -364,8 +389,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
{
get_config
host=`echo $HOSTNAME | sed 's/\..*$//'`
oldrejects=`iptables -L -v -n | grep 'LOG'`
host=$(echo $HOSTNAME | sed 's/\..*$//')
oldrejects=$(iptables -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then
let "timeout=- $1"
@ -378,7 +403,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
if qt which awk; then
TMP_DIR=$(mktempdir)
[ -n "$TMP_DIR" ] || { echo "Unable to create a temporary directory" >&2; exit 2; }
[ -n "$TMP_DIR" ] || { echo " ERROR:Cannot create temporary directory" >&2; exit 1; }
haveawk=Yes
determine_zones
rm -rf $TMP_DIR
@ -390,7 +415,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
display_chains
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
echo "Dropped/Rejected Packet Log"
@ -398,7 +423,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
show_reset
rejects=`iptables -L -v -n | grep 'LOG'`
rejects=$(iptables -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
@ -421,24 +446,24 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
fi
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
echo "NAT Status"
echo
iptables -t nat -L -n -v
iptables -t nat -L $IPT_OPTIONS
timed_read
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
echo
echo "TOS/MARK Status"
echo
iptables -t mangle -L -n -v
iptables -t mangle -L $IPT_OPTIONS
timed_read
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
echo
echo "Tracked Connections"
@ -447,7 +472,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
timed_read
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
echo
echo "Traffic Shaping/Control"
@ -456,7 +481,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
timed_read
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
echo
echo "Packet Classifiers"
@ -474,8 +499,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
{
get_config
host=`echo $HOSTNAME | sed 's/\..*$//'`
oldrejects=`iptables -L -v -n | grep 'LOG'`
host=$(echo $HOSTNAME | sed 's/\..*$//')
oldrejects=$(iptables -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then
timeout=$((- $1))
@ -489,7 +514,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
while true; do
clear
echo "$banner `date`"
echo "$banner $(date)"
echo
echo "Dropped/Rejected Packet Log"
@ -497,7 +522,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
show_reset
rejects=`iptables -L -v -n | grep 'LOG'`
rejects=$(iptables -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
@ -535,7 +560,7 @@ help()
#
usage() # $1 = exit status
{
echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>"
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>"
echo " allow <address> ..."
@ -543,6 +568,7 @@ usage() # $1 = exit status
echo " clear"
echo " delete <interface>[:<host>] <zone>"
echo " drop <address> ..."
echo " forget [ <file name> ]"
echo " help [ <command > | host | address ]"
echo " hits"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
@ -553,7 +579,8 @@ usage() # $1 = exit status
echo " reject <address> ..."
echo " reset"
echo " restart"
echo " save"
echo " restore [ <file name> ]"
echo " save [ <file name> ]"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
@ -568,16 +595,20 @@ usage() # $1 = exit status
#
show_reset() {
[ -f $STATEDIR/restarted ] && \
echo "Counters reset `cat $STATEDIR/restarted`" && \
echo "Counters reset $(cat $STATEDIR/restarted)" && \
echo
}
show_proc() {
[ -f $1 ] && echo " $1 = $(cat $1)"
}
#
# Execution begins here
#
debugging=
if [ $# -gt 0 ] && [ "$1" = "debug" ]; then
if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then
debugging=debug
shift
fi
@ -590,29 +621,60 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
fi
SHOREWALL_DIR=
QUIET=
IPT_OPTIONS="-nv"
FAST=
done=0
while [ $done -eq 0 ]; do
[ $# -eq 0 ] && usage 1
case $1 in
-c)
[ $# -eq 1 ] && usage 1
option=$1
case $option in
-*)
option=${option#-}
if [ ! -d $2 ]; then
if [ -e $2 ]; then
echo "$2 is not a directory" >&2 && exit 2
else
echo "Directory $2 does not exist" >&2 && exit 2
fi
fi
[ -z "$option" ] && usage 1
while [ -n "$option" ]; do
case $option in
c)
[ $# -eq 1 ] && usage 1
SHOREWALL_DIR=$2
shift
shift
;;
*)
done=1
;;
if [ ! -d $2 ]; then
if [ -e $2 ]; then
echo "$2 is not a directory" >&2 && exit 2
else
echo "Directory $2 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$2
option=
shift
;;
x*)
IPT_OPTIONS="-xnv"
option=${option#x}
;;
q*)
QUIET=Yes
option=${option#q}
;;
f*)
FAST=Yes
option=${option#f}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
done=1
;;
esac
done
@ -621,6 +683,7 @@ if [ $# -eq 0 ]; then
fi
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
[ -n "$QUIET" ] && export QUIET
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MUTEX_TIMEOUT=
@ -638,15 +701,26 @@ else
exit 2
fi
config=`find_file shorewall.conf`
ensure_config_path
config=$(find_file shorewall.conf)
if [ -f $config ]; then
. $config
if [ -r $config ]; then
. $config
else
echo "Cannot read $config! (Hint: Are you root?)" >&2
exit 1
fi
else
echo "$config does not exist!" >&2
exit 2
fi
ensure_config_path
export CONFIG_PATH
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ ! -f $FIREWALL ]; then
@ -662,7 +736,7 @@ if [ ! -f $FIREWALL ]; then
fi
if [ -f $VERSION_FILE ]; then
version=`cat $VERSION_FILE`
version=$(cat $VERSION_FILE)
else
echo "ERROR: Shorewall is not properly installed"
echo " The file $VERSION_FILE does not exist"
@ -671,8 +745,7 @@ fi
banner="Shorewall-$version Status at $HOSTNAME -"
case `echo -e` in
case $(echo -e) in
-e*)
RING_BELL="echo \a"
;;
@ -681,7 +754,7 @@ case `echo -e` in
;;
esac
case `echo -n "Testing"` in
case $(echo -n "Testing") in
-n*)
ECHO_N=
;;
@ -691,7 +764,26 @@ case `echo -n "Testing"` in
esac
case "$1" in
start|stop|restart|reset|clear|refresh|check)
start)
[ $# -ne 1 ] && usage 1
get_config
if [ -n "$FAST" ]; then
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
echo Restoring Shorewall...
$RESTOREPATH
date > $STATEDIR/restarted
echo Shorewall restored from $RESTOREPATH
else
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi
else
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi
;;
stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1
get_config
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
@ -702,65 +794,67 @@ case "$1" in
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
;;
show|list)
[ -n "$debugging" ] && set -x
case "$2" in
connections)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Connections at $HOSTNAME - `date`"
echo "Shorewall-$version Connections at $HOSTNAME - $(date)"
echo
cat /proc/net/ip_conntrack
;;
nat)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version NAT at $HOSTNAME - `date`"
echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
echo
show_reset
iptables -t nat -L -n -v
iptables -t nat -L $IPT_OPTIONS
;;
tos|mangle)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version TOS at $HOSTNAME - `date`"
echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
echo
show_reset
iptables -t mangle -L -n -v
iptables -t mangle -L $IPT_OPTIONS
;;
log)
[ $# -gt 2 ] && usage 1
get_config
echo "Shorewall-$version Log at $HOSTNAME - `date`"
echo "Shorewall-$version Log at $HOSTNAME - $(date)"
echo
show_reset
host=`echo $HOSTNAME | sed 's/\..*$//'`
host=$(echo $HOSTNAME | sed 's/\..*$//')
packet_log 20
;;
tc)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Traffic Control at $HOSTNAME - `date`"
echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)"
echo
show_tc
;;
classifiers)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`"
echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)"
echo
show_classifiers
;;
*)
shift
echo "Shorewall-$version `[ $# -gt 1 ] && echo Chains || echo Chain` $* at $HOSTNAME - `date`"
echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
echo
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
iptables -L $chain -n -v
iptables -L $chain $IPT_OPTIONS
done
else
iptables -L -n -v
iptables -L $IPT_OPTIONS
fi
;;
esac
;;
monitor)
[ -n "$debugging" ] && set -x
if [ $# -eq 2 ]; then
monitor_firewall $2
elif [ $# -eq 1 ]; then
@ -770,37 +864,74 @@ case "$1" in
fi
;;
status)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
get_config
clear
echo "Shorewall-$version Status at $HOSTNAME - `date`"
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo
show_reset
host=`echo $HOSTNAME | sed 's/\..*$//'`
iptables -L -n -v
host=$(echo $HOSTNAME | sed 's/\..*$//')
iptables -L $IPT_OPTIONS
echo
packet_log 20
echo
echo "NAT Table"
echo
iptables -t nat -L -n -v
iptables -t nat -L $IPT_OPTIONS
echo
echo "Mangle Table"
echo
iptables -t mangle -L -n -v
iptables -t mangle -L $IPT_OPTIONS
echo
cat /proc/net/ip_conntrack
echo
echo "IP Configuration"
echo
ip addr ls
if qt which brctl; then
echo
echo "Bridges"
echo
brctl show
fi
echo
echo "/proc"
echo
show_proc /proc/sys/net/ipv4/ip_forward
for directory in /proc/sys/net/ipv4/conf/*; do
for file in proxy_arp arp_filter rp_filter; do
show_proc $directory/$file
done
done
echo
echo "Routing Rules"
echo
ip rule ls
ip rule ls | while read rule; do
table=${rule##* }
echo
echo "Table $table:"
echo
ip route ls table $table
done
;;
hits)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
get_config
clear
echo "Shorewall-$version Hits at $HOSTNAME - `date`"
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
echo
timeout=30
if [ `grep -c "$LOGFORMAT" $LOGFILE ` -gt 0 ] ; then
if [ $(grep -c "$LOGFORMAT" $LOGFILE ) -gt 0 ] ; then
echo " HITS IP DATE"
echo " ---- --------------- ------"
grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn
@ -823,8 +954,8 @@ case "$1" in
grep "$LOGFORMAT.*DPT" $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
while read count port ; do
# List all services defined for the given port
srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u`
srv=`echo $srv | sed 's/ /,/g'`
srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u)
srv=$(echo $srv | sed 's/ /,/g')
if [ -n "$srv" ] ; then
printf '%7d %5d %s\n' $count $port $srv
@ -852,6 +983,7 @@ case "$1" in
fi
;;
logwatch)
[ -n "$debugging" ] && set -x
if [ $# -eq 2 ]; then
logwatch $2
elif [ $# -eq 1 ]; then
@ -861,6 +993,7 @@ case "$1" in
fi
;;
drop)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] && usage 1
mutex_on
while [ $# -gt 1 ]; do
@ -873,6 +1006,7 @@ case "$1" in
mutex_off
;;
reject)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] && usage 1
mutex_on
while [ $# -gt 1 ]; do
@ -885,6 +1019,7 @@ case "$1" in
mutex_off
;;
allow)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] && usage 1
mutex_on
while [ $# -gt 1 ]; do
@ -898,28 +1033,98 @@ case "$1" in
mutex_off
;;
save)
[ $# -ne 1 ] && usage 1
mutex_on
if qt iptables -L shorewall -n; then
[ -d /var/lib/shorewall ] || { mkdir /var/lib/shorewall; chmod 700 /var/lib/shorewall; }
[ -n "$debugging" ] && set -x
if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo "Dynamic Rules Saved"
get_config
case $# in
1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
mutex_on
if qt iptables -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
else
echo "Error Saving the Dynamic Rules"
case $RESTOREFILE in
save|restore-base)
echo " ERROR: Reserved file name: $RESTOREFILE"
;;
*)
if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
echo __EOF__ >> /var/lib/shorewall/restore-$$
[ -f /var/lib/shorewall/restore-tail ] && \
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH"
else
rm -f /var/lib/shorewall/restore-$$
echo " ERROR: Currently-running Configuration Not Saved"
fi
else
echo " ERROR: /var/lib/shorewall/restore-base does not exist"
fi
else
echo "Error Saving the Dynamic Rules"
fi
;;
esac
fi
else
echo "Shorewall isn't started"
fi
mutex_off
;;
forget)
get_config
case $# in
1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
rm -f $RESTOREPATH
echo " $RESTOREPATH removed"
elif [ -f $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
fi
;;
ipcalc)
[ -n "$debugging" ] && set -x
if [ $# -eq 2 ]; then
address=${2%/*}
vlsm=${2#*/}
elif [ $# -eq 3 ]; then
address=$2
vlsm=`ip_vlsm $3`
vlsm=$(ip_vlsm $3)
else
usage 1
fi
@ -930,13 +1135,14 @@ case "$1" in
address=$address/$vlsm
echo " CIDR=$address"
temp=`ip_netmask $address`; echo " NETMASK=`encodeaddr $temp`"
temp=`ip_network $address`; echo " NETWORK=$temp"
temp=`broadcastaddress $address`; echo " BROADCAST=$temp"
echo " CIDR=$address"
temp=$(ip_netmask $address); echo " NETMASK=$(encodeaddr $temp)"
temp=$(ip_network $address); echo " NETWORK=$temp"
temp=$(broadcastaddress $address); echo " BROADCAST=$temp"
;;
iprange)
[ -n "$debugging" ] && set -x
case $2 in
*.*.*.*-*.*.*.*)
ip_range $2
@ -946,7 +1152,32 @@ case "$1" in
;;
esac
;;
restore)
get_config
case $# in
1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
echo Restoring Shorewall...
$RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
else
echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
exit 2
fi
;;
call)
[ -n "$debugging" ] && set -x
#
# Undocumented way to call functions in /usr/share/shorewall/functions directly
#
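Review bot: The `save` hunk replaces `[ -d /var/lib/shorewall ] || { mkdir /var/lib/shorewall; chmod 700 /var/lib/shorewall; }` with a bare `[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall`, so the directory, the dynamic-rules dump and the restore script — which contains the full `iptables-save` output and is then given `chmod +x` — are created with umask-default modes and, under the usual root umask, are readable by every local user. I would keep the old form, `[ -d /var/lib/shorewall ] || { mkdir -p /var/lib/shorewall; chmod 700 /var/lib/shorewall; }`, and use `chmod 700 $RESTOREPATH` instead of `chmod +x`, since the script is only ever executed by root from `restore` and `-f start`. `validate_restorefile` rejects only names containing `/`; an empty second argument to `save`/`restore`/`forget`, `.` or `..` still passes and yields a path that is not a file in that directory, so the case should read `""|.|..|*/*)`. `restore` and `-f start` also execute the saved script without the `mutex_on`/`mutex_off` pair that `save` takes around its iptables calls; the normal `start` path presumably locks inside the firewall script, but the restore paths bypass it.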


@ -1,12 +1,12 @@
##############################################################################
# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
# /etc/shorewall/shorewall.conf V2.0 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
##############################################################################
# L O G G I N G
##############################################################################
@ -32,7 +32,7 @@
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number.
#
# If you have build your kernel with ULOG target support, you may also
# If you have built your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'.
@ -90,34 +90,26 @@ LOGFORMAT="Shorewall:%s:%s:"
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# If BOTH variables are set empty then logging will not be rate-limited.
#
# Example:
#
# LOGRATE=10/minute
# LOGBURST=5
#
# If BOTH variables are set empty then logging will not be rate-limited.
# For each logging rule, the first time the rule is reached, the packet
# will be logged; in fact, since the burst is 5, the first five packets
# will be logged. After this, it will be 6 seconds (1 minute divided by
# the rate of 10) before a message will be logged from the rule, regardless
# of how many packets reach it. Also, every 6 seconds which passes without
# matching a packet, one of the bursts will be regained; if no packets hit
# the rule for 30 seconds, the burst will be fully recharged; back where
# we started.
#
LOGRATE=
LOGBURST=
#
# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
#
# This variable determines the level at which Mangled/Invalid packets are logged
# under the 'dropunclean' interface option. If you set this variable to an
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
# silently.
#
# The value of this variable also determines the level at which Mangled/Invalid
# packets are logged under the 'logunclean' interface option. If the variable
# is empty, these packets will still be logged at the 'info' level.
#
# See the comment at the top of this section for a description of log levels
#
LOGUNCLEAN=info
#
# BLACKLIST LOG LEVEL
#
@ -182,6 +174,33 @@ TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
#
# SMURF Log Level
#
# Specifies the logging level for smurf packets dropped by the
#'nosmurfs' interface option in /etc/shorewall/interfaces and in
# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""
# ) then dropped smurfs are not logged.
#
# See the comment at the top of this section for a description of log levels
#
SMURF_LOG_LEVEL=info
#
# BOGON Log Level
#
# Specifies the logging level for bogon packets dropped by the
#'nobogons' interface option in /etc/shorewall/interfaces and in
# /etc/shorewall/hosts. If set to the empty value
# ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop'
# in /usr/share/shorewall/bogons are logged at the 'info' level.
#
# See the comment at the top of this section for a description of log levels
#
BOGON_LOG_LEVEL=info
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
@ -226,6 +245,37 @@ STATEDIR=/var/lib/shorewall
MODULESDIR=
#
# CONFIGURATION SEARCH PATH
#
# This option holds a list of directory names separated by colons
# (":"). Shorewall will search each directory in turn when looking for a
# configuration file. When processing a 'try' command or a command
# containing the "-c" option, Shorewall will automatically add the
# directory specified in the command to the front of this list.
#
# If not specified or specified as null ("CONFIG_PATH=""),
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
#
# RESTORE SCRIPT
#
# This option determines the script to be run in the following cases:
#
# shorewall -f start
# shorewall restore
# shorewall save
# shorewall forget
# Failure of shorewall start or shorewall restart
#
# The value of the option must be the name of an executable file in the
# directory /var/lib/shorewall. If this option is not set or if it is
# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
# assumed.
RESTOREFILE=
################################################################################
# F I R E W A L L O P T I O N S
################################################################################
@ -275,9 +325,8 @@ ADD_SNAT_ALIASES=No
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
# you must enable packet mangling above.
#
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities).
TC_ENABLED=No
#
@ -358,16 +407,6 @@ CLAMPMSS=No
ROUTE_FILTER=No
#
# NAT BEFORE RULES
#
# Shorewall has traditionally processed static NAT rules before port forwarding
# rules. If you would like to reverse the order, set this variable to "No".
#
# If this variable is not set or is set to the empty value, "Yes" is assumed.
NAT_BEFORE_RULES=Yes
# DNAT IP ADDRESS DETECTION
#
# Normally when Shorewall encounters the following rule:
@ -430,12 +469,12 @@ MUTEX_TIMEOUT=60
# A packet is said to be NEW if it is not part of or related to an already
# established connection.
#
# The NETNOTSYN option determines the handling of non-SYN packets (those with
# The NEWNOTSYN option determines the handling of non-SYN packets (those with
# SYN off or with ACK or RST on) that are not associated with an already
# established connection.
#
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
# part of an already established connection, it will be dropped by the
# part of an already established connection will be dropped by the
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
# logged before they are dropped.
#
@ -447,7 +486,9 @@ MUTEX_TIMEOUT=60
# also need to select NEWNOTSYN=Yes.
#
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
# using the 'newnotsyn' option in /etc/shorewall/interfaces.
# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
# network or host basis using the same option in /etc/shorewall/hosts.
#
# I find that NEWNOTSYN=No tends to result in lots of "stuck"
# connections because any network timeout during TCP session tear down
@ -513,9 +554,9 @@ BLACKLISTNEWONLY=Yes
#
# When loading a module named in /etc/shorewall/modules, Shorewall normally
# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different
# naming convention then you can specify the suffix (extension) for module
# names in this variable.
# end in ".o", ".ko", ".gz", "o.gz" or "ko.gz" . If your distribution uses a
# different naming convention then you can specify the suffix (extension) for
# module names in this variable.
#
# To see what suffix is used by your distribution:
#
@ -532,6 +573,88 @@ BLACKLISTNEWONLY=Yes
MODULE_SUFFIX=
#
# DISABLE IPV6
#
# Distributions (notably SuSE) are beginning to ship with IPV6
# enabled. If you are not using IPV6, you are at risk of being
# exploited by users who do. Setting DISABLE_IPV6=Yes will cause
# Shorewall to disable IPV6 traffic to/from and through your
# firewall system. This requires that you have ip6tables installed.
DISABLE_IPV6=Yes
#
# BRIDGING
#
# If you wish to control traffic through a bridge (see http://bridge.sf.net),
# then set BRIDGING=Yes. Your kernel must have the physdev match option
# enabled; that option is available at the above URL for 2.4 kernels and
# is included as a standard part of the 2.6 series kernels. If not
# specified or specified as empty (BRIDGING="") then "No" is assumed.
#
BRIDGING=No
#
# DYNAMIC ZONES
#
# If you need to be able to add and delete hosts from zones dynamically then
# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
DYNAMIC_ZONES=No
#
# USE PKTTYPE MATCH
#
# Some users have reported problems with the PKTTYPE match extension not being
# able to match certain broadcast packets.
#
# Other users have complained of the following message when
# starting Shorewall:
#
# modprobe: cant locate module ipt_pkttype
#
# If you set PKTTYPE=No then Shorewallwill use IP addresses to detect
# broadcasts rather than pkttype. If not given or if given as empty
# (PKTTYPE="") then PKTTYPE=Yes is assumed.
PKTTYPE=Yes
#
# DROP INVALID PACKETS
#
# Netfilter classifies packets relative to its connection tracking table into
# four states:
#
# NEW - thes packet initiates a new connection
# ESTABLISHED - thes packet is part of an established connection
# RELATED - thes packet is related to an established connection; it may
# establish a new connection
# INVALID - the packet does not related to the table in any sensible way.
#
# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
# Window analysis. This can cause packets that were previously classified as
# NEW or ESTABLISHED to be classified as INVALID.
#
# The new kernel code can be disabled by including this command in your
# /etc/shorewall/init file:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
#
# Additional kernel logging about INVALID TCP packets may be obtained by
# adding this command to /etc/shorewall/init:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
#
# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
# option allows INVALID packets to be passed through the normal rules chains by
# setting DROPINVALID=No.
#
# If not specified or if specified as empty (e.g., DROPINVALID="") then
# DROPINVALID=Yes is assumed.
DROPINVALID=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
@ -542,6 +665,7 @@ MODULE_SUFFIX=
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
#
@ -560,8 +684,9 @@ MACLIST_DISPOSITION=REJECT
#
# This variable determins the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
# 'tcpflags' option specified in /etc/shorewall/interfaces or in
# /etc/shorewall/hosts. If not specified or specified as empty
# (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
TCP_FLAGS_DISPOSITION=DROP


@ -1,5 +1,5 @@
%define name shorewall
%define version 1.4.11
%define version 2.0.16
%define release 1
%define prefix /usr
@ -33,7 +33,7 @@ a multi-function gateway/ router/server or on a standalone GNU/Linux system.
export PREFIX=$RPM_BUILD_ROOT ; \
export OWNER=`id -n -u` ; \
export GROUP=`id -n -g` ;\
./install.sh /etc/init.d
./install.sh
%clean
rm -rf $RPM_BUILD_ROOT
@ -68,18 +68,17 @@ if [ $1 = 0 ]; then
fi
%files
/etc/init.d/shorewall
%attr(0544,root,root) /etc/init.d/shorewall
%attr(0700,root,root) %dir /etc/shorewall
%attr(0700,root,root) %dir /usr/share/shorewall
%attr(0700,root,root) %dir /var/lib/shorewall
%attr(0600,root,root) /usr/share/shorewall/version
%attr(0600,root,root) /etc/shorewall/common.def
%attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
%attr(0600,root,root) %config(noreplace) /etc/shorewall/netmap
%attr(0600,root,root) %config(noreplace) /etc/shorewall/params
%attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp
%attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped
@ -91,50 +90,146 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rfc1918
%attr(0600,root,root) %config(noreplace) /etc/shorewall/init
%attr(0600,root,root) %config(noreplace) /etc/shorewall/initdone
%attr(0600,root,root) %config(noreplace) /etc/shorewall/start
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
%attr(0600,root,root) %config(noreplace) /etc/shorewall/usersets
%attr(0600,root,root) %config(noreplace) /etc/shorewall/users
%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.template
%attr(0544,root,root) /sbin/shorewall
%attr(0600,root,root) /usr/share/shorewall/version
%attr(0600,root,root) /usr/share/shorewall/actions.std
%attr(0600,root,root) /usr/share/shorewall/action.AllowAuth
%attr(0600,root,root) /usr/share/shorewall/action.AllowDNS
%attr(0600,root,root) /usr/share/shorewall/action.AllowFTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP
%attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowNTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowPCA
%attr(0600,root,root) /usr/share/shorewall/action.AllowPing
%attr(0600,root,root) /usr/share/shorewall/action.AllowPOP3
%attr(0600,root,root) /usr/share/shorewall/action.AllowRdate
%attr(0600,root,root) /usr/share/shorewall/action.AllowSMB
%attr(0600,root,root) /usr/share/shorewall/action.AllowSMTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowSNMP
%attr(0600,root,root) /usr/share/shorewall/action.AllowSSH
%attr(0600,root,root) /usr/share/shorewall/action.AllowTelnet
%attr(0600,root,root) /usr/share/shorewall/action.AllowTrcrt
%attr(0600,root,root) /usr/share/shorewall/action.AllowVNC
%attr(0600,root,root) /usr/share/shorewall/action.AllowVNCL
%attr(0600,root,root) /usr/share/shorewall/action.AllowWeb
%attr(0600,root,root) /usr/share/shorewall/action.Drop
%attr(0600,root,root) /usr/share/shorewall/action.DropDNSrep
%attr(0600,root,root) /usr/share/shorewall/action.DropPing
%attr(0600,root,root) /usr/share/shorewall/action.DropSMB
%attr(0600,root,root) /usr/share/shorewall/action.DropUPnP
%attr(0600,root,root) /usr/share/shorewall/action.Reject
%attr(0600,root,root) /usr/share/shorewall/action.RejectAuth
%attr(0600,root,root) /usr/share/shorewall/action.RejectSMB
%attr(0600,root,root) /usr/share/shorewall/action.template
%attr(0444,root,root) /usr/share/shorewall/functions
%attr(0544,root,root) /usr/share/shorewall/firewall
%attr(0544,root,root) /usr/share/shorewall/help
%attr(0600,root,root) /usr/share/shorewall/rfc1918
%attr(0600,root,root) /usr/share/shorewall/bogons
%attr(0600,root,root) /usr/share/shorewall/configpath
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Wed Jun 30 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.11
* Wed Jun 30 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10g-1
* Mon Jun 28 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10f-1
* Tue Apr 13 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10e-1
* Tue Mar 16 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10d-1
* Sun Feb 15 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10c-1
* Tue Feb 01 2005 Tom Eastep tom@shorewall.net
- Updated to 2.0.16-1
* Wed Jan 12 2005 Tom Eastep tom@shorewall.net
- Updated to 2.0.15-1
* Mon Jan 03 2005 Tom Eastep tom@shorewall.net
- Updated to 2.0.14-1
* Thu Dec 02 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.13-1
* Wed Dec 01 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.12-1
* Mon Nov 22 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.11-1
* Mon Oct 25 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.10-1
* Thu Sep 23 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.9-1
* Sun Aug 22 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.8-1
* Tue Jul 20 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.7-1
* Sun Jul 11 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.6-1
* Fri Jul 09 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.5-1
* Tue Jul 06 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.4-1
* Fri Jul 02 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.3c-1
* Wed Jun 30 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.3b-1
* Mon Jun 28 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.3a-1
* Wed Jun 23 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.3-1
* Sat Jun 19 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.2-0RC2
* Tue Jun 15 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.2-0RC1
* Mon Jun 14 2004 Tom Eastep tom@shorewall.net
- Added %attr spec for /etc/init.d/shorewall
* Sat May 15 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2a-1
* Thu May 13 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2-1
* Mon May 10 2004 Tom Eastep tom@shorewall.net
- Add /etc/shorewall/initdone
* Fri May 07 2004 Tom Eastep tom@shorewall.net
- Shorewall 2.0.2-RC1
* Tue May 04 2004 Tom Eastep tom@shorewall.net
- Shorewall 2.0.2-Beta2
* Tue Apr 13 2004 Tom Eastep tom@shorewall.net
- Add /usr/share/shorewall/configpath
* Mon Apr 05 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.1-1
* Thu Apr 02 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.1 RC5
* Thu Apr 01 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.1 RC4
* Sun Mar 28 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.1 RC3
* Thu Mar 25 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.1 RC2
* Wed Mar 24 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.1 RC1
* Fri Mar 19 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.1 Beta 2
* Thu Mar 18 2004 Tom Eastep tom@shorewall.net
- Added netmap file
* Wed Mar 17 2004 Tom Eastep <tom@shorewall.net>
- Update for 2.0.1 Beta 1
* Wed Mar 17 2004 Tom Eastep <tom@shorewall.net>
- Add bogons file
* Sat Mar 13 2004 Tom Eastep <tom@shorewall.net>
- Update for 2.0.0 Final
* Sat Mar 06 2004 Tom Eastep <tom@shorewall.net>
- Update for RC2
* Fri Feb 27 2004 Tom Eastep <tom@shorewall.net>
- Update for RC1
* Mon Feb 16 2004 Tom Eastep <tom@shorewall.net>
- Moved rfc1918 to /usr/share/shorewall
- Update for Beta 3
* Sat Feb 14 2004 Tom Eastep <tom@shorewall.net>
- Removed common.def
- Unconditionally replace actions.std
- Update for Beta 2
* Thu Feb 12 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10b-1
- Added action.AllowPCA
* Sun Feb 08 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10a-1
* Fri Jan 30 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10-1
* Tue Jan 27 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10-RC3
* Sat Jan 24 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10-RC2
* Thu Jan 22 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10-RC1
* Tue Jan 13 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.9
- Updates for Shorewall 2.0.0.
* Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>
- Remove Documentation from this RPM
* Sun Dec 28 2003 Tom Eastep <tom@shorewall.net>
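Review bot: The %files list pins the init script at `%attr(0544,root,root) /etc/init.d/shorewall`, while the %install step now runs a bare `./install.sh`, so the packaged path depends on the installer's default init directory rather than on anything stated in the spec. Exporting the expected location next to PREFIX, `export DEST=/etc/init.d ; \`, keeps the file list and the install step from drifting apart if that default ever changes. The new %changelog entries also drop the angle brackets around the maintainer address that every earlier entry uses (`Tom Eastep <tom@shorewall.net>`); one form throughout avoids a cosmetic inconsistency in the changelog output.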


@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.4 -- /etc/shorewall/start
# Shorewall 2.0 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.


@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.4 -- /etc/shorewall/stop
# Shorewall 2.0 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.


@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.4 -- /etc/shorewall/stopped
# Shorewall 2.0 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.


@ -1,5 +1,5 @@
#
# Shorewall version 1.4 - Traffic Control Rules File
# Shorewall version 2.0 - Traffic Control Rules File
#
# /etc/shorewall/tcrules
#
@ -11,6 +11,11 @@
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
#
# Unlike rules in the /etc/shorewall/rules file, evaluation
# of rules in this file will continue after a match. So the
# final mark for each packet will be the one assigned by the
# LAST tcrule that matches.
#
# Columns are:
#
#


@ -1,5 +1,5 @@
#
# Shorewall 1.4 -- /etc/shorewall/tos
# Shorewall 2.0 -- /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#
@ -43,10 +43,10 @@
#
##############################################################################
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
all all tcp - ssh 16
all all tcp ssh - 16
all all tcp - ftp 16
all all tcp ftp - 16
all all tcp ftp-data - 8
all all tcp - ftp-data 8
all all tcp - 22 16
all all tcp 22 - 16
all all tcp - 21 16
all all tcp 21 - 16
all all tcp 20 - 8
all all tcp - 20 8
#LAST LINE -- Add your entries above -- DO NOT REMOVE
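Review bot: The switch from service names to numeric ports (`22`, `21`, `20`) in the default tos entries is not explained anywhere in the file, and the likely reason — that these defaults should not depend on /etc/services lookups at start time — is worth recording so a later editor does not "restore" the symbolic names. A one-line comment above the table would do, e.g. `# Ports are given numerically so this file does not depend on /etc/services`.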


@ -2,14 +2,14 @@
RCDLINKS="2,S45 3,S45 6,K45"
################################################################################
# Script to create a gre or ipip tunnel -- Shorewall 1.4
# Script to create a gre or ipip tunnel -- Shorewall 2.0
#
# Modified - Steve Cowles 5/9/2000
# Incorporated init {start|stop} syntax and iproute2 usage
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
#
# Modify the following variables to match your configuration
#
@ -59,6 +59,13 @@ gateway="x.x.x.x"
subnet="192.168.9.0/24"
# GRE Key -- set this to a number or to a dotted quad if you want
# a keyed GRE tunnel. You must specify a KEY if you
# intend to load ip_conntrack_proto_gre on either
# gateway system
key=
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
load_modules () {
@ -101,7 +108,7 @@ do_start() {
case $tunnel_type in
gre)
ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255
ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255 ${key:+key $key)
;;
*)
ip tunnel add $tunnel mode ipip remote $gateway
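Review bot: The new gre line closes the parameter expansion with a parenthesis instead of a brace, `${key:+key $key)`, leaving an unbalanced `${` that the shell rejects, so the gre branch never creates the tunnel; it should read `ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255 ${key:+key $key}`. The ipip branch below gets no key handling, which is presumably intended since GRE keys do not apply there; a short comment saying so would head off the question. do_start continues outside the hunk.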


@ -1,5 +1,5 @@
#
# Shorewall 1.4 - /etc/shorewall/tunnels
# Shorewall 2.0 - /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
@ -9,10 +9,14 @@
#
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ipip"
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
# "generic"
#
# If the type is "ipsec" or "ipsecnat", it may be followed
# by ":noah" to indicate that the Authentication Header
# protocol (51) is not used by the tunnel.
#
# If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no
# ":" and port number are included, then the default port
@ -42,9 +46,10 @@
# Example 1:
#
# IPSec tunnel. The remote gateway is 4.33.99.124 and
# the remote subnet is 192.168.9.0/24
# the remote subnet is 192.168.9.0/24. The tunnel does
# not use the AH protocol
#
# ipsec net 4.33.99.124
# ipsec:noah net 4.33.99.124
#
# Example 2:
#


@ -4,7 +4,7 @@
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
@ -26,11 +26,11 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.11
VERSION=2.0.16
usage() # $1 = exit status
{
ME=`basename $0`
ME=$(basename $0)
echo "usage: $ME"
exit $1
}
@ -61,7 +61,7 @@ remove_file() # $1 = file to restore
}
if [ -f /usr/share/shorewall/version ]; then
INSTALLED_VERSION="`cat /usr/share/shorewall/version`"
INSTALLED_VERSION="$(cat /usr/share/shorewall/version)"
if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
echo " and this is the $VERSION uninstaller."
@ -72,27 +72,25 @@ else
VERSION=""
fi
echo "Uninstalling Shorewall $VERSION"
echo "Uninstalling shorewall $VERSION"
if qt iptables -L shorewall -n; then
/sbin/shorewall clear
fi
if [ -L /usr/lib/shorewall/firewall ]; then
FIREWALL=`ls -l /usr/lib/shorewall/firewall | sed 's/^.*> //'`
elif [ -L /var/lib/shorewall/firewall ]; then
FIREWALL=`ls -l /var/lib/shorewall/firewall | sed 's/^.*> //'`
elif [ -L /usr/lib/shorewall/init ]; then
FIREWALL=`ls -l /usr/lib/shorewall/init | sed 's/^.*> //'`
if [ -L /usr/share/shorewall/init ]; then
FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
else
FIREWALL=
FIREWALL=/etc/init.d/shorewall
fi
if [ -n "$FIREWALL" ]; then
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
insserv -r $FIREWALL
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
chkconfig --del `basename $FIREWALL`
chkconfig --del $(basename $FIREWALL)
else
rm -f /etc/rc*.d/*$(basename $FIREWALL)
fi
remove_file $FIREWALL
@ -102,12 +100,7 @@ fi
rm -f /sbin/shorewall
rm -f /sbin/shorewall-*.bkout
if [ -n "$VERSION" ]; then
restore_file /etc/rc.d/rc.local
fi
rm -rf /etc/shorewall
rm -rf /usr/lib/shorewall
rm -rf /var/lib/shorewall
rm -rf /usr/share/shorewall
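Review bot: The added `rm -f /etc/rc*.d/*$(basename $FIREWALL)` deletes any file in the rc directories whose name merely ends in the basename of $FIREWALL, and $FIREWALL now comes from an `ls -l | sed` parse of the /usr/share/shorewall/init symlink, so an unexpected link target (spaces, a trailing `>`) widens a destructive glob. Matching the run-level link shape and quoting the substitution, `rm -f /etc/rc*.d/[SK][0-9][0-9]"$(basename "$FIREWALL")"`, bounds what can be removed; where `readlink` is available it resolves the link without parsing ls output. Since the else branch now sets FIREWALL=/etc/init.d/shorewall, the enclosing `if [ -n "$FIREWALL" ]` can no longer be false and could be dropped.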


@ -1,5 +1,5 @@
#
# Shorewall 1.4 /etc/shorewall/zones
# Shorewall 2.0 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#