mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-14 03:34:31 +01:00
Move 2.0.16 to STABLE
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1938 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
52aed7f6a5
commit
d356631782
@ -1,4 +1,4 @@
|
||||
Shoreline Firewall (Shorewall) Version 1.4 - 3/14/2003
|
||||
Shoreline Firewall (Shorewall) Version 2.0 - 2/14/2004
|
||||
----- ----
|
||||
|
||||
-----------------------------------------------------------------------------
|
||||
@ -30,18 +30,23 @@ o Edit the configuration files to fit your environment.
|
||||
|
||||
http://www.shorewall.net/shorewall_quickstart_guide.htm
|
||||
|
||||
o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
|
||||
Debian, then type "./install.sh".
|
||||
o For other distributions, determine where your distribution installs
|
||||
init scripts and type "./install.sh <init script directory>"
|
||||
o Slackware users type:
|
||||
|
||||
DEST=/etc/rc.d INIT=rc.firewall ./install.sh
|
||||
|
||||
All other users type:
|
||||
|
||||
./install.sh
|
||||
|
||||
o Start the firewall by typing "shorewall start"
|
||||
o If the install script was unable to configure Shoreline Firewall to
|
||||
start automatically at boot, see the HTML documentation contains in the
|
||||
"documentation" directory.
|
||||
start automatically at boot, you will have to used your
|
||||
distribution's runlevel editor to configure Shorewall manually.
|
||||
|
||||
Upgrade:
|
||||
|
||||
o run the install script as described above.
|
||||
o shorewall restart
|
||||
o "shorewall check" and correct any errors found.
|
||||
o "shorewall restart"
|
||||
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 1.4 - Accounting File
|
||||
# Shorewall version 2.0 - Accounting File
|
||||
#
|
||||
# /etc/shorewall/accounting
|
||||
#
|
||||
|
10
STABLE/action.AllowAuth
Normal file
10
STABLE/action.AllowAuth
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowAuth
|
||||
#
|
||||
# This action accepts Auth (identd) traffic.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 113
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE/action.AllowDNS
Normal file
11
STABLE/action.AllowDNS
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowDNS
|
||||
#
|
||||
# This action accepts DNS traffic.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - udp 53
|
||||
ACCEPT - - tcp 53
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE/action.AllowFTP
Normal file
11
STABLE/action.AllowFTP
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowFTP
|
||||
#
|
||||
# This action accepts FTP traffic. See
|
||||
# http://www.shorewall.net/FTP.html for additional considerations.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 21
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE/action.AllowIMAP
Normal file
11
STABLE/action.AllowIMAP
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowIMAP
|
||||
#
|
||||
# This action accepts IMAP traffic (secure and insecure):
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 143 #Unsecure IMAP
|
||||
ACCEPT - - tcp 993 #Secure IMAP
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE/action.AllowNNTP
Normal file
11
STABLE/action.AllowNNTP
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /usr/share/shorewall/action.AllowNNTP
|
||||
#
|
||||
# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 119
|
||||
ACCEPT - - tcp 563
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE/action.AllowNTP
Normal file
10
STABLE/action.AllowNTP
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowNTP
|
||||
#
|
||||
# This action accepts NTP traffic (ntpd).
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
ACCEPT - - udp 123
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE/action.AllowPCA
Normal file
11
STABLE/action.AllowPCA
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowPCA
|
||||
#
|
||||
# This action accepts PCAnywere (tm)
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - udp 5631
|
||||
ACCEPT - - tcp 5632
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE/action.AllowPOP3
Normal file
11
STABLE/action.AllowPOP3
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowPOP3
|
||||
#
|
||||
# This action accepts POP3 traffic (secure and insecure):
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
ACCEPT - - tcp 110 #Unsecure POP3
|
||||
ACCEPT - - tcp 995 #Secure POP3
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE/action.AllowPing
Normal file
10
STABLE/action.AllowPing
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowPing
|
||||
#
|
||||
# This action accepts 'ping' requests.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - icmp 8
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE/action.AllowRdate
Normal file
10
STABLE/action.AllowRdate
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowRdate
|
||||
#
|
||||
# This action accepts remote time retrieval (rdate).
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 37
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
14
STABLE/action.AllowSMB
Normal file
14
STABLE/action.AllowSMB
Normal file
@ -0,0 +1,14 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowSMB
|
||||
#
|
||||
# Allow Microsoft SMB traffic. You need to invoke this action in
|
||||
# both directions.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - udp 135,445
|
||||
ACCEPT - - udp 137:139
|
||||
ACCEPT - - udp 1024: 137
|
||||
ACCEPT - - tcp 135,139,445
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
15
STABLE/action.AllowSMTP
Normal file
15
STABLE/action.AllowSMTP
Normal file
@ -0,0 +1,15 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowSMTP
|
||||
#
|
||||
# This action accepts SMTP (email) traffic.
|
||||
#
|
||||
# Note: This action allows traffic between an MUA (Email client)
|
||||
# and an MTA (mail server) or between MTAs. It does not enable
|
||||
# reading of email via POP3 or IMAP. For those you need to use
|
||||
# the AllowPOP3 or AllowIMAP actions.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 25
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE/action.AllowSNMP
Normal file
11
STABLE/action.AllowSNMP
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowSNMP
|
||||
#
|
||||
# This action accepts SNMP traffic (including traps):
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - udp 161:162
|
||||
ACCEPT - - tcp 161
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE/action.AllowSSH
Normal file
10
STABLE/action.AllowSSH
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowSSH
|
||||
#
|
||||
# This action accepts secure shell (SSH) traffic.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 22
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE/action.AllowTelnet
Normal file
11
STABLE/action.AllowTelnet
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowTelnet
|
||||
#
|
||||
# This action accepts Telnet traffic. For traffic over the
|
||||
# internet, telnet is inappropriate; use SSH instead
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 23
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE/action.AllowTrcrt
Normal file
11
STABLE/action.AllowTrcrt
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowTrcrt
|
||||
#
|
||||
# This action accepts Traceroute (for up to 30 hops):
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - udp 33434:33524 #UDP Traceroute
|
||||
ACCEPT - - icmp 8 #ICMP Traceroute
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE/action.AllowVNC
Normal file
10
STABLE/action.AllowVNC
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
|
||||
#
|
||||
# This action accepts VNC traffic for VNC display's 0 - 9.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 5900:5909
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE/action.AllowVNCL
Normal file
10
STABLE/action.AllowVNCL
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
|
||||
#
|
||||
# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 5500
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
11
STABLE/action.AllowWeb
Normal file
11
STABLE/action.AllowWeb
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowWeb
|
||||
#
|
||||
# This action accepts WWW traffic (secure and insecure):
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 80
|
||||
ACCEPT - - TCP 443
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
16
STABLE/action.Drop
Normal file
16
STABLE/action.Drop
Normal file
@ -0,0 +1,16 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.Drop
|
||||
#
|
||||
# The default DROP common rules
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
RejectAuth
|
||||
dropBcast
|
||||
dropInvalid
|
||||
DropSMB
|
||||
DropUPnP
|
||||
dropNotSyn
|
||||
DropDNSrep
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE/action.DropDNSrep
Normal file
10
STABLE/action.DropDNSrep
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropDNSrep
|
||||
#
|
||||
# This action silently drops DNS UDP replies
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
DROP - - udp - 53
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE/action.DropPing
Normal file
10
STABLE/action.DropPing
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropPing
|
||||
#
|
||||
# This action silently drops 'ping' requests.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
DROP - - icmp 8
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
15
STABLE/action.DropSMB
Normal file
15
STABLE/action.DropSMB
Normal file
@ -0,0 +1,15 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropSMB
|
||||
#
|
||||
# This action silently drops Microsoft SMB traffic
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
DROP - - udp 135
|
||||
DROP - - udp 137:139
|
||||
DROP - - udp 445
|
||||
DROP - - tcp 135
|
||||
DROP - - tcp 139
|
||||
DROP - - tcp 445
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE/action.DropUPnP
Normal file
10
STABLE/action.DropUPnP
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropUPnP
|
||||
#
|
||||
# This action silently drops UPnP probes on UDP port 1900
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
DROP - - udp 1900
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
16
STABLE/action.Reject
Normal file
16
STABLE/action.Reject
Normal file
@ -0,0 +1,16 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.Reject
|
||||
#
|
||||
# The default REJECT action common rules
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
RejectAuth
|
||||
dropBcast
|
||||
dropInvalid
|
||||
RejectSMB
|
||||
DropUPnP
|
||||
dropNotSyn
|
||||
DropDNSrep
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
10
STABLE/action.RejectAuth
Normal file
10
STABLE/action.RejectAuth
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.RejectAuth
|
||||
#
|
||||
# This action silently rejects Auth (tcp 113) traffic
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
REJECT - - tcp 113
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
15
STABLE/action.RejectSMB
Normal file
15
STABLE/action.RejectSMB
Normal file
@ -0,0 +1,15 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.RejectSMB
|
||||
#
|
||||
# This action silently rejects Microsoft SMB traffic
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
REJECT - - udp 135
|
||||
REJECT - - udp 137:139
|
||||
REJECT - - udp 445
|
||||
REJECT - - tcp 135
|
||||
REJECT - - tcp 139
|
||||
REJECT - - tcp 445
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.4 /etc/shorewall/action.template
|
||||
# Shorewall 2.0 /etc/shorewall/action.template
|
||||
#
|
||||
# This file is a template for files with names of the form
|
||||
# /etc/shorewall/action.<action-name> where <action> is an
|
||||
@ -24,6 +24,9 @@
|
||||
# LOG -- Simply log the packet and continue.
|
||||
# QUEUE -- Queue the packet to a user-space
|
||||
# application such as p2pwall.
|
||||
# CONTINUE -- Discontinue processing this action
|
||||
# and return to the point where the
|
||||
# action was invoked.
|
||||
# <action> -- An <action> defined in
|
||||
# /etc/shorewall/actions. The <action>
|
||||
# must appear in that file BEFORE the
|
||||
@ -39,6 +42,15 @@
|
||||
# to a separate log through use of ulogd
|
||||
# (http://www.gnumonks.org/projects/ulogd).
|
||||
#
|
||||
# Actions specifying logging may be followed by a
|
||||
# log tag (a string of alphanumeric characters)
|
||||
# are appended to the string generated by the
|
||||
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
|
||||
#
|
||||
# Example: ACCEPT:info:ftp would include 'ftp '
|
||||
# at the end of the log prefix generated by the
|
||||
# LOGPREFIX setting.
|
||||
#
|
||||
# SOURCE Source hosts to which the rule applies.
|
||||
# A comma-separated list of subnets
|
||||
# and/or hosts. Hosts may be specified by IP or MAC
|
||||
@ -80,7 +92,7 @@
|
||||
# A port range is expressed as <low port>:<high port>.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
# entered if any of the following ields are supplied.
|
||||
# entered if any of the following fields are supplied.
|
||||
# In that case, it is suggested that this field contain
|
||||
# "-"
|
||||
#
|
||||
@ -122,8 +134,25 @@
|
||||
#
|
||||
# Example: 10/sec:20
|
||||
#
|
||||
# If you place a rate limit in this column, you may not
|
||||
# place a similar limit in the TARGET column.
|
||||
# USER/GROUP This column may only be non-empty if the SOURCE is
|
||||
# the firewall itself.
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>]
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
# the effective <user> and/or <group> specified (or is
|
||||
# NOT running under that id if "!" is given).
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# joe #program must be run by joe
|
||||
# :kids #program must be run by a member of
|
||||
# #the 'kids' group
|
||||
# !:kids #program must not be run by a member
|
||||
# #of the 'kids' group
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.4 /etc/shorewall/actions
|
||||
# Shorewall 2.0 /etc/shorewall/actions
|
||||
#
|
||||
# This file allows you to define new ACTIONS for use in rules
|
||||
# (/etc/shorewall/rules). You define the iptables rules to
|
||||
@ -8,8 +8,21 @@
|
||||
#
|
||||
# ACTION names should begin with an upper-case letter to
|
||||
# distinguish them from Shorewall-generated chain names and
|
||||
# they must need the requirements of a Netfilter chain
|
||||
# name.
|
||||
# they must need the requirements of a Netfilter chain. If
|
||||
# you intend to log from the action then the name must be
|
||||
# no longer than 11 character in length. Names must also
|
||||
# meet the requirements for a Bourne Shell identifier (must
|
||||
# begin with a letter and be composed of letters, digits and
|
||||
# underscore characters).
|
||||
#
|
||||
# If you follow the action name with ":DROP", ":REJECT" or
|
||||
# :ACCEPT then the action will be taken before a DROP, REJECT or
|
||||
# ACCEPT policy respectively is enforced. If you specify ":DROP",
|
||||
# ":REJECT" or ":ACCEPT" on more than one action then only the
|
||||
# last such action will be taken.
|
||||
#
|
||||
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
|
||||
# itself, the associated policy will have no common action.
|
||||
#
|
||||
#ACTION
|
||||
|
||||
|
53
STABLE/actions.std
Normal file
53
STABLE/actions.std
Normal file
@ -0,0 +1,53 @@
|
||||
#
|
||||
# Shorewall 2.0 /usr/share/shorewall/actions.std
|
||||
#
|
||||
#
|
||||
# Builtin Actions are:
|
||||
#
|
||||
# dropBcast #Silently Drop Broadcast/multicast
|
||||
# dropNonSyn #Silently Drop Non-syn TCP packets
|
||||
# rejNonSyn #Silently Reject Non-syn TCP packets
|
||||
# logNonSyn #Log Non-syn TCP packets with disposition LOG
|
||||
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
|
||||
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
|
||||
# dropInvalid #Silently Drop packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
# allowInvalid #Accept packets that are in the INVALID conntrack
|
||||
# #state
|
||||
#
|
||||
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
|
||||
# shorewall.conf. If that option isn't specified then 'info' is used.
|
||||
#
|
||||
#ACTION
|
||||
|
||||
DropSMB #Silently Drops Microsoft SMB Traffic
|
||||
RejectSMB #Silently Reject Microsoft SMB Traffic
|
||||
DropUPnP #Silently Drop UPnP Probes
|
||||
RejectAuth #Silently Reject Auth
|
||||
DropPing #Silently Drop Ping
|
||||
DropDNSrep #Silently Drop DNS Replies
|
||||
|
||||
AllowPing #Accept Ping
|
||||
AllowFTP #Accept FTP
|
||||
AllowDNS #Accept DNS
|
||||
AllowSSH #Accept SSH
|
||||
AllowWeb #Allow Web Browsing
|
||||
AllowSMB #Allow MS Networking
|
||||
AllowAuth #Allow Auth (identd)
|
||||
AllowSMTP #Allow SMTP (Email)
|
||||
AllowPOP3 #Allow reading mail via POP3
|
||||
AllowIMAP #Allow reading mail via IMAP
|
||||
AllowTelnet #Allow Telnet Access (not recommended for use over the
|
||||
#Internet)
|
||||
AllowVNC #Allow VNC viewer->server, Displays 0-9
|
||||
AllowVNCL #Allow VNC server->viewer in listening mode
|
||||
AllowNTP #Allow Network Time Protocol (ntpd)
|
||||
AllowRdate #Allow remote time (rdate).
|
||||
AllowNNTP #Allow network news (Usenet).
|
||||
AllowTrcrt #Allows Traceroute (20 hops)
|
||||
AllowSNMP #Allows SNMP (including traps)
|
||||
AllowPCA #Allows PCAnywhere (tm)
|
||||
|
||||
Drop:DROP #Common Action for DROP policy
|
||||
Reject:REJECT #Common Action for REJECT policy
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.4 -- Blacklist File
|
||||
# Shorewall 2.0 -- Blacklist File
|
||||
#
|
||||
# /etc/shorewall/blacklist
|
||||
#
|
||||
|
70
STABLE/bogons
Normal file
70
STABLE/bogons
Normal file
@ -0,0 +1,70 @@
|
||||
#
|
||||
# Shorewall 2.0-- Bogons File
|
||||
#
|
||||
# /etc/shorewall/bogons
|
||||
#
|
||||
# Lists the subnetworks that are blocked by the 'nobogons' interface option.
|
||||
#
|
||||
# The default list includes those those ip ADDRESSES listed
|
||||
# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
|
||||
# reserved for use in documentation and examples.
|
||||
#
|
||||
# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
|
||||
# TO /etc/shorewall AND MODIFY THE COPY.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# SUBNET The subnet (host addresses also allowed)
|
||||
# TARGET Where to send packets to/from this subnet
|
||||
# RETURN - let the packet be processed normally
|
||||
# DROP - silently drop the packet
|
||||
# logdrop - log then drop
|
||||
#
|
||||
###############################################################################
|
||||
#SUBNET TARGET
|
||||
0.0.0.0 RETURN # Stop the DHCP whining
|
||||
255.255.255.255 RETURN # We need to allow limited broadcast
|
||||
169.254.0.0/16 DROP # DHCP autoconfig
|
||||
192.0.2.0/24 logdrop # Example addresses (RFC 3330)
|
||||
#
|
||||
# The following are generated with the help of the Python program found at:
|
||||
#
|
||||
# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
|
||||
#
|
||||
# The program was contributed by Andy Wiggin
|
||||
#
|
||||
0.0.0.0/7 logdrop # Reserved
|
||||
2.0.0.0/8 logdrop # Reserved
|
||||
5.0.0.0/8 logdrop # Reserved
|
||||
7.0.0.0/8 logdrop # Reserved
|
||||
23.0.0.0/8 logdrop # Reserved
|
||||
27.0.0.0/8 logdrop # Reserved
|
||||
31.0.0.0/8 logdrop # Reserved
|
||||
36.0.0.0/7 logdrop # Reserved
|
||||
39.0.0.0/8 logdrop # Reserved
|
||||
41.0.0.0/8 logdrop # Reserved
|
||||
42.0.0.0/8 logdrop # Reserved
|
||||
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||
73.0.0.0/8 logdrop # Reserved
|
||||
74.0.0.0/7 logdrop # Reserved
|
||||
76.0.0.0/6 logdrop # Reserved
|
||||
89.0.0.0/8 logdrop # Reserved
|
||||
90.0.0.0/7 logdrop # Reserved
|
||||
92.0.0.0/6 logdrop # Reserved
|
||||
96.0.0.0/3 logdrop # Reserved
|
||||
127.0.0.0/8 logdrop # Loopback
|
||||
173.0.0.0/8 logdrop # Reserved
|
||||
174.0.0.0/7 logdrop # Reserved
|
||||
176.0.0.0/5 logdrop # Reserved
|
||||
184.0.0.0/6 logdrop # Reserved
|
||||
189.0.0.0/8 logdrop # Reserved
|
||||
190.0.0.0/8 logdrop # Reserved
|
||||
197.0.0.0/8 logdrop # Reserved
|
||||
198.18.0.0/15 logdrop # Reserved
|
||||
223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
|
||||
240.0.0.0/4 logdrop # Reserved
|
||||
#
|
||||
# End of generated entries
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
@ -1,4 +1,121 @@
|
||||
Changes since 1.4.10g
|
||||
Changes in 2.0.4
|
||||
|
||||
1) Fix installer to not give zones and shorewall.conf execute
|
||||
permission.
|
||||
1) Fix DNAT logging with 'fw' as the source zone.
|
||||
|
||||
Change in 2.0.5
|
||||
|
||||
1) Eradicate more RESTOREBASE messages.
|
||||
|
||||
2) Remove 'mangle' reference from shorewall.conf.
|
||||
|
||||
Change in 2.0.6
|
||||
|
||||
1) Add PKTTYPE option.
|
||||
|
||||
shorewall.conf
|
||||
firewall
|
||||
|
||||
2) Sanitized some correct but confusing code in determine_hosts().
|
||||
|
||||
There was a loop:
|
||||
|
||||
for networks in $networks
|
||||
...
|
||||
|
||||
It now reads:
|
||||
|
||||
for network in $networks
|
||||
...
|
||||
|
||||
|
||||
3) Don't give shorewall.conf and zones execute permission.
|
||||
|
||||
4) Backport 'dropInvalid' from 2.1
|
||||
|
||||
Changes in 2.0.7
|
||||
|
||||
1) Include output of "ip rule ls" and "ip route ls" in "shorewall
|
||||
status".
|
||||
|
||||
2) Consult PKTTYPE when generating 'REJECT' rules.
|
||||
|
||||
3) Enhance IP/Routing output in "shorewall status".
|
||||
|
||||
4) Correct handling of multiple 'blacklist' interfaces.
|
||||
|
||||
5) Add "0.0.0.0 RETURN" to nobogons.
|
||||
|
||||
Changes in 2.0.8
|
||||
|
||||
1) Removed dead code from process_actions2()
|
||||
|
||||
2) Corrected read command in process_actions2() (userspec)
|
||||
|
||||
Changes in 2.0.9
|
||||
|
||||
1) Corrected setup_tc1() handling of the PROTO column.
|
||||
|
||||
2) Added warning about ADD_SNAT_ALIASES in the masq file.
|
||||
|
||||
3) Added "brctl show" to the status command.
|
||||
|
||||
Changes in 2.0.10
|
||||
|
||||
1) Corrected GATEWAY handling for 'pptpserver's
|
||||
|
||||
2) Correct log rule number generation.
|
||||
|
||||
3) Add clarification to /etc/shorewall/tcrules.
|
||||
|
||||
4) Apply part of Ian Allen's fix for down interface in the SUBNET
|
||||
column of /etc/shorewall/masq.
|
||||
|
||||
5) Add key /proc settings to "shorewall status" output.
|
||||
|
||||
Changes in 2.0.11
|
||||
|
||||
1) Add note for Slackware users to INSTALL.
|
||||
|
||||
2) Correct bogons file.
|
||||
|
||||
3) Replace service names by port numbers in /etc/shorewall/tos.
|
||||
|
||||
4) Added NNTPS to action.AllowNNTP.
|
||||
|
||||
5) Fix install.sh
|
||||
|
||||
Changes in 2.0.12
|
||||
|
||||
1) Correct typo in shorewall.conf.
|
||||
|
||||
2) Fix "shorewall add" and "shorewall delete" with bridging.
|
||||
|
||||
3) Implement variable expansion in INCLUDE directives
|
||||
|
||||
4) Split restore-base into two files.
|
||||
|
||||
5) Correct dynamic zone OUTPUT handling.
|
||||
|
||||
Changes in 2.0.13
|
||||
|
||||
1) Correct typo in "shorewall add" code.
|
||||
|
||||
Changes in 2.0.14
|
||||
|
||||
1) Log drops due to policy rate limiting.
|
||||
|
||||
2) Fix typo in interfaces file.
|
||||
|
||||
3) Eliminate "bad variable" errors during stop/clear.
|
||||
|
||||
4) Fix typo in tunnels file.
|
||||
|
||||
Changes in 2.0.15
|
||||
|
||||
1) Increased port range for Traceroute.
|
||||
|
||||
2) Corrected port of rate-limit logging change.
|
||||
|
||||
Changes in 2.0.16
|
||||
|
||||
1) Backport DROPINVALID from 2.2.0.
|
||||
|
7
STABLE/configpath
Normal file
7
STABLE/configpath
Normal file
@ -0,0 +1,7 @@
|
||||
#
|
||||
# Shorewall version 2.0 - Default Config Path
|
||||
#
|
||||
# /usr/share/shorewall/configpath
|
||||
#
|
||||
|
||||
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
|
18
STABLE/default.debian
Normal file
18
STABLE/default.debian
Normal file
@ -0,0 +1,18 @@
|
||||
# prevent startup with default configuration
|
||||
# set the following varible to 1 in order to allow Shorewall to start
|
||||
|
||||
startup=0
|
||||
|
||||
# if your Shorewall configuration requires detection of the ip address of a ppp
|
||||
# interface, you must list such interfaces in "wait_interface" to get Shorewall to
|
||||
# wait until the interface is configured. Otherwise the script will fail because
|
||||
# it won't be able to detect the IP address.
|
||||
#
|
||||
# Example:
|
||||
# wait_interface="ppp0"
|
||||
# or
|
||||
# wait_interface="ppp0 ppp1"
|
||||
# or, if you have defined in /etc/shorewall/params
|
||||
# wait_interface=
|
||||
|
||||
# EOF
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.4 - /etc/shorewall/ecn
|
||||
# Shorewall 2.0 - /etc/shorewall/ecn
|
||||
#
|
||||
# Use this file to list the destinations for which you want to
|
||||
# disable ECN.
|
||||
|
@ -5,7 +5,7 @@
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://seattlefirewall.dyndns.org
|
||||
#
|
||||
@ -28,11 +28,11 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.4.11
|
||||
VERSION=2.0.16
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
echo "usage: `basename $0`"
|
||||
echo "usage: $(basename $0)"
|
||||
exit $1
|
||||
}
|
||||
|
||||
@ -57,30 +57,19 @@ fi
|
||||
echo "Backing Out Installation of Shorewall $VERSION"
|
||||
|
||||
if [ -L /usr/share/shorewall/init ]; then
|
||||
FIREWALL=`ls -l /usr/share/shorewall/firewall | sed 's/^.*> //'`
|
||||
FIREWALL=$(ls -l /usr/share/shorewall/firewall | sed 's/^.*> //')
|
||||
restore_file $FIREWALL
|
||||
restore_file /usr/share/shorewall/firewall
|
||||
elif [ -L /usr/lib/shorewall/firewall ]; then
|
||||
FIREWALL=`ls -l /usr/lib/shorewall/firewall | sed 's/^.*> //'`
|
||||
restore_file $FIREWALL
|
||||
elif [ -L /var/lib/shorewall/firewall ]; then
|
||||
FIREWALL=`ls -l /var/lib/shorewall/firewall | sed 's/^.*> //'`
|
||||
restore_file $FIREWALL
|
||||
elif [ -L /usr/lib/shorewall/init ]; then
|
||||
FIREWALL=`ls -l /usr/lib/shorewall/init | sed 's/^.*> //'`
|
||||
restore_file $FIREWALL
|
||||
restore_file /usr/lib/shorewall/firewall
|
||||
else
|
||||
restore_file /etc/init.d/shorewall
|
||||
fi
|
||||
|
||||
restore_file /sbin/shorewall
|
||||
restore_file /usr/share/shorewall/firewall
|
||||
|
||||
[ -f /etc/shorewall.conf.$VERSION ] && rm -f /etc/shorewall.conf.$VERSION
|
||||
restore_file /sbin/shorewall
|
||||
|
||||
restore_file /etc/shorewall/shorewall.conf
|
||||
|
||||
restore_file /etc/shorewall/functions
|
||||
restore_file /usr/share/shorewall/functions
|
||||
restore_file /usr/share/shorewall/firewall
|
||||
restore_file /usr/lib/shorewall/functions
|
||||
restore_file /var/lib/shorewall/functions
|
||||
restore_file /usr/lib/shorewall/firewall
|
||||
@ -102,6 +91,8 @@ restore_file /etc/shorewall/rules
|
||||
|
||||
restore_file /etc/shorewall/nat
|
||||
|
||||
restore_file /etc/shorewall/netmap
|
||||
|
||||
restore_file /etc/shorewall/params
|
||||
|
||||
restore_file /etc/shorewall/proxyarp
|
||||
@ -125,9 +116,16 @@ restore_file /etc/shorewall/blacklist
|
||||
restore_file /etc/shorewall/whitelist
|
||||
|
||||
restore_file /etc/shorewall/rfc1918
|
||||
restore_file /usr/share/shorewall/rfc1918
|
||||
|
||||
restore_file /usr/share/shorewall/bogons
|
||||
|
||||
restore_file /usr/share/shorewall/configpath
|
||||
|
||||
restore_file /etc/shorewall/init
|
||||
|
||||
restore_file /etc/shorewall/initdone
|
||||
|
||||
restore_file /etc/shorewall/start
|
||||
|
||||
restore_file /etc/shorewall/stop
|
||||
@ -138,27 +136,15 @@ restore_file /etc/shorewall/ecn
|
||||
|
||||
restore_file /etc/shorewall/accounting
|
||||
|
||||
restore_file /etc/shorewall/usersets
|
||||
|
||||
restore_file /etc/shorewall/users
|
||||
restore_file /etc/shorewall/actions.std
|
||||
|
||||
restore_file /etc/shorewall/actions
|
||||
|
||||
restore_file /etc/shorewall/action.template
|
||||
for f in /usr/share/shorewall/action.*-${VERSION}.bkout; do
|
||||
restore_file $(echo $f | sed "s/-${VERSION}.bkout//")
|
||||
done
|
||||
|
||||
if [ -f /usr/share/shorewall/version-${VERSION}.bkout ]; then
|
||||
restore_file /usr/share/shorewall/version
|
||||
oldversion="`cat /usr/share/shorewall/version`"
|
||||
elif [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
|
||||
restore_file /usr/lib/shorewall/version
|
||||
oldversion="`cat /usr/lib/shorewall/version`"
|
||||
elif [ -f /var/lib/shorewall/version-${VERSION}.bkout ]; then
|
||||
restore_file /var/lib/shorewall/version
|
||||
oldversion="`cat /var/lib/shorewall/version`"
|
||||
else
|
||||
restore_file /etc/shorewall/version
|
||||
oldversion="`cat /etc/shorewall/version`"
|
||||
fi
|
||||
restore_file /usr/share/shorewall/version
|
||||
|
||||
echo "Shorewall Restored to Version $oldversion"
|
||||
|
||||
|
3061
STABLE/firewall
3061
STABLE/firewall
File diff suppressed because it is too large
Load Diff
298
STABLE/functions
298
STABLE/functions
@ -1,6 +1,45 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall 1.4 -- /usr/lib/shorewall/functions
|
||||
# Shorewall 2.0 -- /usr/share/shorewall/functions
|
||||
|
||||
#
|
||||
# Search a list looking for a match -- returns zero if a match found
|
||||
# 1 otherwise
|
||||
#
|
||||
list_search() # $1 = element to search for , $2-$n = list
|
||||
{
|
||||
local e=$1
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
[ "x$e" = "x$1" ] && return 0
|
||||
done
|
||||
|
||||
return 1
|
||||
}
|
||||
|
||||
#
|
||||
# Functions to count list elements
|
||||
# - - - - - - - - - - - - - - - -
|
||||
# Whitespace-separated list
|
||||
#
|
||||
list_count1() {
|
||||
echo $#
|
||||
}
|
||||
#
|
||||
# Comma-separated list
|
||||
#
|
||||
list_count() {
|
||||
list_count1 $(separate_list $1)
|
||||
}
|
||||
|
||||
#
|
||||
# Conditionally produce message
|
||||
#
|
||||
progress_message() # $* = Message
|
||||
{
|
||||
[ -n "$QUIET" ] || echo "$@"
|
||||
}
|
||||
|
||||
#
|
||||
# Suppress all output for a command
|
||||
@ -11,15 +50,88 @@ qt()
|
||||
}
|
||||
|
||||
#
|
||||
# Find a File -- Look first in $SHOREWALL_DIR then in /etc/shorewall
|
||||
# Perform variable substitution on the passed argument and echo the result
|
||||
#
|
||||
expand() # $@ = contents of variable which may be the name of another variable
|
||||
{
|
||||
eval echo \"$@\"
|
||||
}
|
||||
|
||||
#
|
||||
# Perform variable substitition on the values of the passed list of variables
|
||||
#
|
||||
expandv() # $* = list of variable names
|
||||
{
|
||||
local varval
|
||||
|
||||
while [ $# -gt 0 ]; do
|
||||
eval varval=\$${1}
|
||||
eval $1=\"$varval\"
|
||||
shift
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Replace all leading "!" with "! " in the passed argument list
|
||||
#
|
||||
|
||||
fix_bang() {
|
||||
local i;
|
||||
|
||||
for i in $@; do
|
||||
case $i in
|
||||
!*)
|
||||
echo "! ${i#!}"
|
||||
;;
|
||||
*)
|
||||
echo $i
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Set default config path
|
||||
#
|
||||
ensure_config_path() {
|
||||
local F=/usr/share/shorewall/configpath
|
||||
if [ -z "$CONFIG_PATH" ]; then
|
||||
[ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
|
||||
. $F
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall
|
||||
#
|
||||
find_file()
|
||||
{
|
||||
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
|
||||
echo $SHOREWALL_DIR/$1
|
||||
else
|
||||
echo /etc/shorewall/$1
|
||||
fi
|
||||
local saveifs= directory
|
||||
|
||||
case $1 in
|
||||
/*)
|
||||
echo $1
|
||||
;;
|
||||
*)
|
||||
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
|
||||
echo $SHOREWALL_DIR/$1
|
||||
else
|
||||
saveifs=$IFS
|
||||
IFS=:
|
||||
for directory in $CONFIG_PATH; do
|
||||
if [ -f $directory/$1 ]; then
|
||||
echo $directory/$1
|
||||
IFS=$saveifs
|
||||
return
|
||||
fi
|
||||
done
|
||||
|
||||
IFS=$saveifs
|
||||
|
||||
echo /etc/shorewall/$1
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
@ -58,6 +170,55 @@ separate_list() {
|
||||
echo "$newlist"
|
||||
}
|
||||
|
||||
#
|
||||
# Load a Kernel Module
|
||||
#
|
||||
loadmodule() # $1 = module name, $2 - * arguments
|
||||
{
|
||||
local modulename=$1
|
||||
local modulefile
|
||||
local suffix
|
||||
moduleloader=modprobe
|
||||
|
||||
if ! qt which modprobe; then
|
||||
moduleloader=insmod
|
||||
fi
|
||||
|
||||
if [ -z "$(lsmod | grep $modulename)" ]; then
|
||||
shift
|
||||
|
||||
for suffix in $MODULE_SUFFIX ; do
|
||||
modulefile=$MODULESDIR/${modulename}.${suffix}
|
||||
|
||||
if [ -f $modulefile ]; then
|
||||
case $moduleloader in
|
||||
insmod)
|
||||
insmod $modulefile $*
|
||||
;;
|
||||
*)
|
||||
modprobe $modulename $*
|
||||
;;
|
||||
esac
|
||||
|
||||
return
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Reload the Modules
|
||||
#
|
||||
reload_kernel_modules() {
|
||||
|
||||
[ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
|
||||
|
||||
while read command; do
|
||||
eval $command
|
||||
done
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Find the zones
|
||||
#
|
||||
@ -67,7 +228,7 @@ find_zones() # $1 = name of the zone file
|
||||
[ -n "$zone" ] && case "$zone" in
|
||||
\#*)
|
||||
;;
|
||||
$FW|multi)
|
||||
$FW)
|
||||
echo "Reserved zone name \"$zone\" in zones file ignored" >&2
|
||||
;;
|
||||
*)
|
||||
@ -89,15 +250,15 @@ find_display() # $1 = zone, $2 = name of the zone file
|
||||
#
|
||||
determine_zones()
|
||||
{
|
||||
local zonefile=`find_file zones`
|
||||
local zonefile=$(find_file zones)
|
||||
|
||||
multi_display=Multi-zone
|
||||
strip_file zones $zonefile
|
||||
zones=`find_zones $TMP_DIR/zones`
|
||||
zones=`echo $zones` # Remove extra trash
|
||||
zones=$(find_zones $TMP_DIR/zones)
|
||||
zones=$(echo $zones) # Remove extra trash
|
||||
|
||||
for zone in $zones; do
|
||||
dsply=`find_display $zone $TMP_DIR/zones`
|
||||
dsply=$(find_display $zone $TMP_DIR/zones)
|
||||
eval ${zone}_display=\$dsply
|
||||
done
|
||||
}
|
||||
@ -117,7 +278,7 @@ get_statedir()
|
||||
{
|
||||
MUTEX_TIMEOUT=
|
||||
|
||||
local config=`find_file shorewall.conf`
|
||||
local config=$(find_file shorewall.conf)
|
||||
|
||||
if [ -f $config ]; then
|
||||
. $config
|
||||
@ -238,7 +399,6 @@ mktempfile() {
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# create a temporary directory
|
||||
#
|
||||
@ -260,8 +420,7 @@ mktempdir() {
|
||||
echo " ERROR:Internal error in mktempdir"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Read a file and handle "INCLUDE" directives
|
||||
@ -271,24 +430,29 @@ read_file() # $1 = file name, $2 = nest count
|
||||
{
|
||||
local first rest
|
||||
|
||||
while read first rest; do
|
||||
if [ "x$first" = "xINCLUDE" ]; then
|
||||
if [ $2 -lt 4 ]; then
|
||||
read_file `find_file ${rest%#*}` $(($2 + 1))
|
||||
if [ -f $1 ]; then
|
||||
while read first rest; do
|
||||
if [ "x$first" = "xINCLUDE" ]; then
|
||||
if [ $2 -lt 4 ]; then
|
||||
read_file $(find_file $(expand ${rest%#*})) $(($2 + 1))
|
||||
else
|
||||
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
|
||||
fi
|
||||
else
|
||||
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
|
||||
echo "$first $rest"
|
||||
fi
|
||||
else
|
||||
echo "$first $rest"
|
||||
fi
|
||||
done < $1
|
||||
done < $1
|
||||
else
|
||||
[ -n "$terminator" ] && $terminator "No such file: $1"
|
||||
echo "Warning -- No such file: $1"
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Function for including one file into another
|
||||
#
|
||||
INCLUDE() {
|
||||
. `find_file $@`
|
||||
. $(find_file $(expand $@))
|
||||
}
|
||||
|
||||
#
|
||||
@ -299,7 +463,7 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
|
||||
{
|
||||
local fname
|
||||
|
||||
[ $# = 1 ] && fname=`find_file $1` || fname=$2
|
||||
[ $# = 1 ] && fname=$(find_file $1) || fname=$2
|
||||
|
||||
if [ -f $fname ]; then
|
||||
read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
|
||||
@ -376,8 +540,8 @@ ip_range() {
|
||||
;;
|
||||
esac
|
||||
|
||||
first=`decodeaddr ${1%-*}`
|
||||
last=`decodeaddr ${1#*-}`
|
||||
first=$(decodeaddr ${1%-*})
|
||||
last=$(decodeaddr ${1#*-})
|
||||
|
||||
if [ $first -gt $last ]; then
|
||||
fatal_error "Invalid IP address range: $1"
|
||||
@ -398,7 +562,7 @@ ip_range() {
|
||||
y=$(( $y * 2 ))
|
||||
done
|
||||
|
||||
echo `encodeaddr $first`$vlsm
|
||||
echo $(encodeaddr $first)$vlsm
|
||||
first=$(($first + $z))
|
||||
done
|
||||
}
|
||||
@ -415,15 +579,15 @@ ip_range_explicit() {
|
||||
;;
|
||||
esac
|
||||
|
||||
first=`decodeaddr ${1%-*}`
|
||||
last=`decodeaddr ${1#*-}`
|
||||
first=$(decodeaddr ${1%-*})
|
||||
last=$(decodeaddr ${1#*-})
|
||||
|
||||
if [ $first -gt $last ]; then
|
||||
fatal_error "Invalid IP address range: $1"
|
||||
fi
|
||||
|
||||
while [ $first -le $last ]; do
|
||||
echo `encodeaddr $first`
|
||||
echo $(encodeaddr $first)
|
||||
first=$(($first + 1))
|
||||
done
|
||||
}
|
||||
@ -441,10 +605,10 @@ ip_netmask() {
|
||||
# Network address from CIDR
|
||||
#
|
||||
ip_network() {
|
||||
local decodedaddr=`decodeaddr ${1%/*}`
|
||||
local netmask=`ip_netmask $1`
|
||||
local decodedaddr=$(decodeaddr ${1%/*})
|
||||
local netmask=$(ip_netmask $1)
|
||||
|
||||
echo `encodeaddr $(($decodedaddr & $netmask))`
|
||||
echo $(encodeaddr $(($decodedaddr & $netmask)))
|
||||
}
|
||||
|
||||
#
|
||||
@ -462,37 +626,37 @@ ip_broadcast() {
|
||||
# Calculate broadcast address from CIDR
|
||||
#
|
||||
broadcastaddress() {
|
||||
local decodedaddr=`decodeaddr ${1%/*}`
|
||||
local netmask=`ip_netmask $1`
|
||||
local broadcast=`ip_broadcast $1`
|
||||
local decodedaddr=$(decodeaddr ${1%/*})
|
||||
local netmask=$(ip_netmask $1)
|
||||
local broadcast=$(ip_broadcast $1)
|
||||
|
||||
echo `encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast ))`
|
||||
echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
|
||||
}
|
||||
|
||||
#
|
||||
# Test for subnet membership
|
||||
# Test for network membership
|
||||
#
|
||||
in_subnet() # $1 = IP address, $2 = CIDR network
|
||||
in_network() # $1 = IP address, $2 = CIDR network
|
||||
{
|
||||
local netmask=`ip_netmask $2`
|
||||
local netmask=$(ip_netmask $2)
|
||||
|
||||
test $(( `decodeaddr $1` & $netmask)) -eq $(( `decodeaddr ${2%/*}` & $netmask ))
|
||||
test $(( $(decodeaddr $1) & $netmask)) -eq $(( $(decodeaddr ${2%/*}) & $netmask ))
|
||||
}
|
||||
|
||||
#
|
||||
# Netmask to VLSM
|
||||
#
|
||||
ip_vlsm() {
|
||||
local mask=`decodeaddr $1`
|
||||
local mask=$(decodeaddr $1)
|
||||
local vlsm=0
|
||||
local x=$(( 128 $LEFTSHIFT 24 ))
|
||||
local x=$(( 128 $LEFTSHIFT 24 )) # 0x80000000
|
||||
|
||||
while [ $(( $x & $mask )) -ne 0 ]; do
|
||||
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Don't Ask...
|
||||
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
|
||||
vlsm=$(($vlsm + 1))
|
||||
done
|
||||
|
||||
if [ $(( $mask & 2147483647)) -ne 0 ]; then
|
||||
if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
|
||||
echo "Invalid net mask: $1" >&2
|
||||
else
|
||||
echo $vlsm
|
||||
@ -502,11 +666,11 @@ ip_vlsm() {
|
||||
|
||||
#
|
||||
# Chain name base for an interface -- replace all periods with underscores in the passed name.
|
||||
# The result is echoed (less "+" and anything following).
|
||||
# The result is echoed (less trailing "+").
|
||||
#
|
||||
chain_base() #$1 = interface
|
||||
{
|
||||
local c=${1%%+*}
|
||||
local c=${1%%+}
|
||||
|
||||
while true; do
|
||||
case $c in
|
||||
@ -524,29 +688,25 @@ chain_base() #$1 = interface
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Remove trailing digits from a name
|
||||
#
|
||||
strip_trailing_digits() {
|
||||
echo $1 | sed s'/[0-9].*$//'
|
||||
}
|
||||
|
||||
#
|
||||
# Loosly Match the name of an interface
|
||||
#
|
||||
|
||||
if_match() # $1 = Name in interfaces file - may end in "+"
|
||||
# $2 = Name from routing table
|
||||
# $2 = Full interface name - may also end in "+"
|
||||
{
|
||||
local if_file=$1
|
||||
local rt_table=$2
|
||||
|
||||
case $if_file in
|
||||
local pattern=${1%+}
|
||||
|
||||
case $1 in
|
||||
*+)
|
||||
test "`strip_trailing_digits $rt_table`" = "${if_file%+}"
|
||||
#
|
||||
# Can't use ${2:0:${#pattern}} because ash and dash don't support that flavor of
|
||||
# variable expansion :-(
|
||||
#
|
||||
test "x$(echo $2 | cut -b -${#pattern} )" = "x${pattern}"
|
||||
;;
|
||||
*)
|
||||
test "$rt_table" = "$if_file"
|
||||
test "x$1" = "x$2"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
@ -571,13 +731,13 @@ find_rt_interface() {
|
||||
ip route ls | while read addr rest; do
|
||||
case $addr in
|
||||
*/*)
|
||||
in_subnet ${1%/*} $addr && echo `find_device $rest`
|
||||
in_network ${1%/*} $addr && echo $(find_device $rest)
|
||||
;;
|
||||
default)
|
||||
;;
|
||||
*)
|
||||
if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
|
||||
echo `find_device $rest`
|
||||
echo $(find_device $rest)
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -589,7 +749,7 @@ find_rt_interface() {
|
||||
#
|
||||
find_default_interface() {
|
||||
ip route ls | while read first rest; do
|
||||
[ "$first" = default ] && echo `find_device $rest` && return
|
||||
[ "$first" = default ] && echo $(find_device $rest) && return
|
||||
done
|
||||
}
|
||||
|
||||
@ -599,10 +759,10 @@ find_default_interface() {
|
||||
#
|
||||
|
||||
find_interface_by_address() {
|
||||
local dev="`find_rt_interface $1`"
|
||||
local dev="$(find_rt_interface $1)"
|
||||
local first rest
|
||||
|
||||
[ -z "$dev" ] && dev=`find_default_interface`
|
||||
[ -z "$dev" ] && dev=$(find_default_interface)
|
||||
|
||||
[ -n "$dev" ] && echo $dev
|
||||
}
|
||||
|
114
STABLE/help
114
STABLE/help
@ -1,12 +1,12 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall help subsystem - V1.4 - 3/14/2003
|
||||
# Shorewall help subsystem - V2.0 - 2/14/2004
|
||||
#
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2003 - Tom Eastep (teastep@shorewall.net)
|
||||
# Steve Herber (herber@thing.com)
|
||||
# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net)
|
||||
# Steve Herber (herber@thing.com)
|
||||
#
|
||||
# This file should be placed in /usr/share/shorewall/help
|
||||
#
|
||||
@ -29,11 +29,11 @@
|
||||
case $1 in
|
||||
|
||||
add)
|
||||
echo "add: add <interface>[:<host>] <zone>
|
||||
echo "add: add <interface>[:<bridge-port>][:<host>] <zone>
|
||||
Adds a host or subnet to a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall add interface[:host] zone - Adds the specified interface
|
||||
(and host if included) to the specified zone.
|
||||
shorewall add interface[:port][:host] zone - Adds the specified interface
|
||||
(and bridge port/host if included) to the specified zone.
|
||||
|
||||
Example:
|
||||
|
||||
@ -87,15 +87,17 @@ debug)
|
||||
shorewall debug start 2> /tmp/trace
|
||||
|
||||
The above command would trace the 'start' command and
|
||||
place the trace information in the file /tmp/trace."
|
||||
place the trace information in the file /tmp/trace.
|
||||
|
||||
The word 'trace' is a synonym for 'debug'."
|
||||
;;
|
||||
|
||||
delete)
|
||||
echo "delete: delete <interface>[:<host>] <zone>
|
||||
echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone>
|
||||
Deletes a host or subnet from a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall delete interface[:host] zone - Deletes the specified
|
||||
interface (and host if included) from the specified zone.
|
||||
shorewall delete interface[:port][:host] zone - Deletes the specified
|
||||
interface (and bridge port/host if included) from the specified zone.
|
||||
|
||||
Example:
|
||||
|
||||
@ -114,6 +116,14 @@ drop)
|
||||
See also \"help address\""
|
||||
;;
|
||||
|
||||
forget)
|
||||
echo "forget: forget [ <file name> ]
|
||||
Deletes /var/lib/shorewall/<file name>. If no <file name> is given then
|
||||
the file specified by RESTOREFILE in shorewall.conf is removed.
|
||||
|
||||
See also \"help save\""
|
||||
;;
|
||||
|
||||
help)
|
||||
echo "help: help [<command> | host | address ]
|
||||
Display helpful information about the shorewall commands."
|
||||
@ -145,15 +155,21 @@ logwatch)
|
||||
|
||||
monitor)
|
||||
echo "monitor: monitor [<refresh_interval>]
|
||||
|
||||
shorewall [-x] monitor [<refresh_interval>]
|
||||
|
||||
Continuously display the firewall status, last 20 log entries and nat.
|
||||
When the log entry display changes, an audible alarm is sounded."
|
||||
When the log entry display changes, an audible alarm is sounded.
|
||||
|
||||
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
||||
;;
|
||||
|
||||
refresh)
|
||||
echo "refresh: refresh
|
||||
echo "refresh: [ -q ] refresh
|
||||
The rules involving the broadcast addresses of firewall interfaces,
|
||||
the black list, traffic control rules and ECN control rules are recreated
|
||||
to reflect any changes made. Existing connections are untouched"
|
||||
to reflect any changes made. Existing connections are untouched
|
||||
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
|
||||
;;
|
||||
|
||||
reject)
|
||||
@ -171,26 +187,45 @@ reset)
|
||||
;;
|
||||
|
||||
restart)
|
||||
echo "restart: restart [ -c <configuration-directory> ]
|
||||
echo "restart: restart [ -q ] [ -c <configuration-directory> ]
|
||||
Restart is the same as a shorewall stop && shorewall start.
|
||||
Existing connections are dropped."
|
||||
Existing connections are maintained.
|
||||
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
|
||||
;;
|
||||
|
||||
restore)
|
||||
echo "restore: restore [ <file name> ]
|
||||
Restore Shorewall to a state saved using the 'save' command
|
||||
Existing connections are maintained. The <file name> names a restore file in
|
||||
/var/lib/shorewall created using "shorewall save"; if no <file name> is given
|
||||
then Shorewall will be restored from the file specified by the RESTOREFILE
|
||||
option in shorewall.conf.
|
||||
|
||||
See also \"help save\" and \"help forget\""
|
||||
;;
|
||||
|
||||
save)
|
||||
echo "save: save
|
||||
The dynamic data is stored in /var/lib/shorewall/save
|
||||
Shorewall allow, drop, rejct and save implement dynamic blacklisting."
|
||||
echo "save: save [ <file name> ]
|
||||
The dynamic data is stored in /var/lib/shorewall/save. The state of the
|
||||
firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
|
||||
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
|
||||
in the file specified by the RESTOREFILE option in shorewall.conf.
|
||||
|
||||
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
||||
|
||||
See also \"help restore\" and \"help forget\""
|
||||
;;
|
||||
|
||||
show)
|
||||
echo "show: show [<chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
|
||||
shorewall show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
|
||||
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
|
||||
|
||||
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
|
||||
(iptables -L chain -n -v)
|
||||
|
||||
shorewall show nat - produce a verbose report about the nat table.
|
||||
shorewall [-x] show nat - produce a verbose report about the nat table.
|
||||
(iptables -t nat -L -n -v)
|
||||
|
||||
shorewall show tos - produce a verbose report about the mangle table.
|
||||
shorewall [-x] show tos - produce a verbose report about the mangle table.
|
||||
(iptables -t mangle -L -n -v)
|
||||
|
||||
shorewall show log - display the last 20 packet log entries.
|
||||
@ -199,14 +234,19 @@ show)
|
||||
being tracked by the firewall.
|
||||
|
||||
shorewall show tc - displays information about the traffic
|
||||
control/shaping configuration."
|
||||
control/shaping configuration.
|
||||
|
||||
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
||||
;;
|
||||
|
||||
start)
|
||||
echo "start: start [ -c <configuration-directory> ]
|
||||
echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
|
||||
Start shorewall. Existing connections through shorewall managed
|
||||
interfaces are untouched. New connections will be allowed only
|
||||
if they are allowed by the firewall rules or policies."
|
||||
if they are allowed by the firewall rules or policies.
|
||||
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
|
||||
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
|
||||
in shorewall.conf will be restored if that saved configuration exists"
|
||||
;;
|
||||
|
||||
stop)
|
||||
@ -219,9 +259,31 @@ stop)
|
||||
|
||||
status)
|
||||
echo "status: status
|
||||
|
||||
shorewall [-x] status
|
||||
|
||||
Produce a verbose report about the firewall.
|
||||
|
||||
(iptables -L -n -v)"
|
||||
(iptables -L -n -)
|
||||
|
||||
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
||||
;;
|
||||
|
||||
trace)
|
||||
echo "trace: trace
|
||||
If you include the keyword trace as the first argument to any
|
||||
of these commands:
|
||||
|
||||
start|stop|restart|reset|clear|refresh|check|add|delete
|
||||
|
||||
then a shell trace of the command is produced. For example:
|
||||
|
||||
shorewall trace start 2> /tmp/trace
|
||||
|
||||
The above command would trace the 'start' command and
|
||||
place the trace information in the file /tmp/trace.
|
||||
|
||||
The word 'debug' is a synonym for 'trace'."
|
||||
;;
|
||||
|
||||
try)
|
||||
|
105
STABLE/hosts
105
STABLE/hosts
@ -1,39 +1,48 @@
|
||||
#
|
||||
# Shorewall 1.4 - /etc/shorewall/hosts
|
||||
# Shorewall 2.0 - /etc/shorewall/hosts
|
||||
#
|
||||
# THERE ARE TWO CASES WHERE YOU NEED THIS FILE:
|
||||
#
|
||||
# 1) YOU HAVE MULTIPLE NETWORKS IN THE SAME ZONE CONNECTED TO
|
||||
# A SINGLE INTERFACE AND YOU WANT THE SHOREWALL BOX TO ROUTE
|
||||
# BETWEEN THESE NETWORKS.
|
||||
#
|
||||
# 2) YOU HAVE MORE THAN ONE ZONE CONNECTED THROUGH A SINGLE
|
||||
# INTERFACE.
|
||||
#
|
||||
# IF YOU DON'T HAVE EITHER OF THESE SITUATIONS THEN DON'T TOUCH
|
||||
# THIS FILE.
|
||||
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
|
||||
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
|
||||
#
|
||||
# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
|
||||
#------------------------------------------------------------------------------
|
||||
# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
|
||||
# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
|
||||
# ZONE AND INTERFACE IN THIS FILE.
|
||||
#------------------------------------------------------------------------------
|
||||
# This file is used to define zones in terms of subnets and/or
|
||||
# individual IP addresses. Most simple setups don't need to
|
||||
# (should not) place anything in this file.
|
||||
#
|
||||
# The order of entries in this file is not significant in
|
||||
# determining zone composition. Rather, the order that the zones
|
||||
# are defined in /etc/shorewall/zones determines the order in
|
||||
# which the records in this file are interpreted.
|
||||
#
|
||||
# ZONE - The name of a zone defined in /etc/shorewall/zones
|
||||
#
|
||||
# HOST(S) - The name of an interface followed by a colon (":") and
|
||||
# HOST(S) - The name of an interface defined in the
|
||||
# /etc/shorewall/interfaces file followed by a colon (":") and
|
||||
# a comma-separated list whose elements are either:
|
||||
#
|
||||
# a) The IP address of a host
|
||||
# b) A subnetwork in the form
|
||||
# <subnet-address>/<mask width>
|
||||
#
|
||||
# The interface must be defined in the
|
||||
# /etc/shorewall/interfaces file.
|
||||
# c) A physical port name; only allowed when the
|
||||
# interface names a bridge created by the
|
||||
# brctl addbr command. This port must not
|
||||
# be defined in /etc/shorewall/interfaces and may
|
||||
# optionally followed by a colon (":") and a
|
||||
# host or network IP.
|
||||
# See http://www.shorewall.net/Bridge.html for details.
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# eth1:192.168.1.3
|
||||
# eth2:192.168.2.0/24
|
||||
# eth3:192.168.2.0/24,192.168.3.1
|
||||
# br0:eth4
|
||||
# br0:eth0:192.168.1.16/28
|
||||
#
|
||||
# OPTIONS - A comma-separated list of options. Currently-defined
|
||||
# options are:
|
||||
@ -45,15 +54,75 @@
|
||||
# an ethernet NIC and must be up before
|
||||
# Shorewall is started.
|
||||
#
|
||||
# routeback - Shorewall show set up the infrastructure
|
||||
# routeback - Shorewall should set up the infrastructure
|
||||
# to pass packets from this/these
|
||||
# address(es) back to themselves. This is
|
||||
# necessary of hosts in this group use the
|
||||
# necessary if hosts in this group use the
|
||||
# services of a transparent proxy that is
|
||||
# a member of the group or if DNAT is used
|
||||
# to send requests originating from this
|
||||
# group to a server in the group.
|
||||
#
|
||||
# norfc1918 - This option only makes sense for ports
|
||||
# on a bridge.
|
||||
#
|
||||
# The port should not accept
|
||||
# any packets whose source is in one
|
||||
# of the ranges reserved by RFC 1918
|
||||
# (i.e., private or "non-routable"
|
||||
# addresses. If packet mangling or
|
||||
# connection-tracking match is enabled in
|
||||
# your kernel, packets whose destination
|
||||
# addresses are reserved by RFC 1918 are
|
||||
# also rejected.
|
||||
#
|
||||
# nobogons - This option only makes sense for ports
|
||||
# on a bridge.
|
||||
#
|
||||
# This port should not accept
|
||||
# any packets whose source is in one
|
||||
# of the ranges reserved by IANA (this
|
||||
# option does not cover those ranges
|
||||
# reserved by RFC 1918 -- see
|
||||
# 'norfc1918' above).
|
||||
#
|
||||
# blacklist - This option only makes sense for ports
|
||||
# on a bridge.
|
||||
#
|
||||
# Check packets arriving on this port
|
||||
# against the /etc/shorewall/blacklist
|
||||
# file.
|
||||
#
|
||||
# tcpflags - Packets arriving from these hosts are
|
||||
# checked for certain illegal combinations
|
||||
# of TCP flags. Packets found to have
|
||||
# such a combination of flags are handled
|
||||
# according to the setting of
|
||||
# TCP_FLAGS_DISPOSITION after having been
|
||||
# logged according to the setting of
|
||||
# TCP_FLAGS_LOG_LEVEL.
|
||||
#
|
||||
# nosmurfs - This option only makes sense for ports
|
||||
# on a bridge.
|
||||
#
|
||||
# Filter packets for smurfs
|
||||
# (packets with a broadcast
|
||||
# address as the source).
|
||||
#
|
||||
# Smurfs will be optionally logged based
|
||||
# on the setting of SMURF_LOG_LEVEL in
|
||||
# shorewall.conf. After logging, the
|
||||
# packets are dropped.
|
||||
#
|
||||
# newnotsyn - TCP packets that don't have the SYN
|
||||
# flag set and which are not part of an
|
||||
# established connection will be accepted
|
||||
# from these hosts, even if
|
||||
# NEWNOTSYN=No has been specified in
|
||||
# /etc/shorewall/shorewall.conf.
|
||||
#
|
||||
# This option has no effect if
|
||||
# NEWNOTSYN=Yes.
|
||||
#
|
||||
#ZONE HOST(S) OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 1.4 -- /etc/shorewall/init
|
||||
# Shorewall 2.0 -- /etc/shorewall/init
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of
|
||||
# a "shorewall start" or "shorewall restart" command.
|
||||
|
129
STABLE/init.debian.sh
Executable file
129
STABLE/init.debian.sh
Executable file
@ -0,0 +1,129 @@
|
||||
#!/bin/sh
|
||||
|
||||
SRWL=/sbin/shorewall
|
||||
WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
|
||||
# Note, set INITLOG to /dev/null if you do not want to
|
||||
# keep logs of the firewall (not recommended)
|
||||
INITLOG=/var/log/shorewall-init.log
|
||||
|
||||
test -x $SRWL || exit 0
|
||||
test -n $INITLOG || {
|
||||
echo "INITLOG cannot be empty, please configure $0" ;
|
||||
exit 1;
|
||||
}
|
||||
|
||||
if [ "$(id -u)" != "0" ]
|
||||
then
|
||||
echo "You must be root to start, stop or restart \"Shorewall firewall\"."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo_notdone () {
|
||||
|
||||
if [ "$INITLOG" = "/dev/null" ] ; then
|
||||
"not done."
|
||||
else
|
||||
"not done (check $INITLOG)."
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
not_configured () {
|
||||
echo "#### WARNING ####"
|
||||
echo "the firewall won't be started/stopped unless it is configured"
|
||||
if [ "$1" != "stop" ]
|
||||
then
|
||||
echo ""
|
||||
echo "please configure it and then edit /etc/default/shorewall"
|
||||
echo "and set the \"startup\" variable to 1 in order to allow "
|
||||
echo "shorewall to start"
|
||||
fi
|
||||
echo "#################"
|
||||
exit 0
|
||||
}
|
||||
|
||||
# parse the shorewall params file in order to use params in
|
||||
# /etc/default/shorewall
|
||||
if [ -f "/etc/shorewall/params" ]
|
||||
then
|
||||
. /etc/shorewall/params
|
||||
fi
|
||||
|
||||
# check if shorewall is configured or not
|
||||
if [ -f "/etc/default/shorewall" ]
|
||||
then
|
||||
. /etc/default/shorewall
|
||||
if [ "$startup" != "1" ]
|
||||
then
|
||||
not_configured
|
||||
fi
|
||||
else
|
||||
not_configured
|
||||
fi
|
||||
|
||||
# wait an unconfigured interface
|
||||
wait_for_pppd () {
|
||||
if [ "$wait_interface" != "" ]
|
||||
then
|
||||
if [ -f $WAIT_FOR_IFUP ]
|
||||
then
|
||||
for i in $wait_interface
|
||||
do
|
||||
$WAIT_FOR_IFUP $i 90
|
||||
done
|
||||
else
|
||||
echo "$WAIT_FOR_IFUP: File not found" >> $INITLOG
|
||||
echo_notdone
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# start the firewall
|
||||
shorewall_start () {
|
||||
echo -n "Starting \"Shorewall firewall\": "
|
||||
wait_for_pppd
|
||||
$SRWL -f start >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
return 0
|
||||
}
|
||||
|
||||
# stop the firewall
|
||||
shorewall_stop () {
|
||||
echo -n "Stopping \"Shorewall firewall\": "
|
||||
$SRWL stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
return 0
|
||||
}
|
||||
|
||||
# restart the firewall
|
||||
shorewall_restart () {
|
||||
echo -n "Restarting \"Shorewall firewall\": "
|
||||
$SRWL restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
return 0
|
||||
}
|
||||
|
||||
# refresh the firewall
|
||||
shorewall_refresh () {
|
||||
echo -n "Refreshing \"Shorewall firewall\": "
|
||||
$SRWL refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
return 0
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
shorewall_start
|
||||
;;
|
||||
stop)
|
||||
shorewall_stop
|
||||
;;
|
||||
refresh)
|
||||
shorewall_refresh
|
||||
;;
|
||||
force-reload|restart)
|
||||
shorewall_restart
|
||||
;;
|
||||
*)
|
||||
echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload}"
|
||||
exit 1
|
||||
esac
|
||||
|
||||
exit 0
|
@ -1,14 +1,13 @@
|
||||
#!/bin/sh
|
||||
RCDLINKS="2,S41 3,S41 6,K41"
|
||||
#
|
||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.4 3/14/2003
|
||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# On most distributions, this file should be called:
|
||||
# /etc/rc.d/init.d/shorewall or /etc/init.d/shorewall
|
||||
# On most distributions, this file should be called /etc/init.d/shorewall.
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
@ -63,7 +62,12 @@ command="$1"
|
||||
|
||||
case "$command" in
|
||||
|
||||
stop|start|restart|status)
|
||||
start)
|
||||
|
||||
exec /sbin/shorewall -f start
|
||||
;;
|
||||
|
||||
stop|restart|status)
|
||||
|
||||
exec /sbin/shorewall $@
|
||||
;;
|
||||
|
7
STABLE/initdone
Executable file
7
STABLE/initdone
Executable file
@ -0,0 +1,7 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/initdone
|
||||
#
|
||||
# Add commands below that you want to be executed during
|
||||
# "shorewall start" or "shorewall restart" commands at the point where
|
||||
# Shorewall has not yet added any perminent rules to the builtin chains.
|
||||
#
|
@ -4,9 +4,9 @@
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Seawall documentation is available at http://seawall.sourceforge.net
|
||||
# Shorewall documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
@ -21,47 +21,15 @@
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
# Usage:
|
||||
#
|
||||
# If you are running a distribution that has a directory called /etc/rc.d/init.d or one
|
||||
# called /etc/init.d or you are running Slackware then simply cd to the directory
|
||||
# containing this script and run it.
|
||||
#
|
||||
# ./install.sh
|
||||
#
|
||||
# If you don't have either of those directories, you will need to determine where the
|
||||
# SysVInit scripts are kept on your system and pass the name of that directory.
|
||||
#
|
||||
# ./install.sh /etc/rc.d/scripts
|
||||
#
|
||||
# The default is that the firewall will be started in run levels 2-5 starting at
|
||||
# position 15 and stopping at position 90. This is correct RedHat/Mandrake, Debian,
|
||||
# Caldera and Corel.
|
||||
#
|
||||
# If you wish to change that, you can pass -r "<levels startpos stoppos>".
|
||||
#
|
||||
# Example 1: You wish to start your firewall in runlevels 2 and three, start at position
|
||||
# 15 and stop at position 90
|
||||
#
|
||||
# ./install.sh -r "23 15 90"
|
||||
#
|
||||
# Example 2: You wish to start your firewall only in run level 3, start at position 5
|
||||
# and stop at position 95.
|
||||
#
|
||||
# ./install.sh -r "3 5 95" /etc/rc.d/scripts
|
||||
#
|
||||
# For distributions that don't include chkconfig (Slackware, for example), the
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.4.11
|
||||
VERSION=2.0.16
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
ME=`basename $0`
|
||||
echo "usage: $ME [ -r \"<chkconfig parameters>\" ] [ <init scripts directory> ]"
|
||||
echo " $ME [ -v ]"
|
||||
echo " $ME [ -h ]"
|
||||
ME=$(basename $0)
|
||||
echo "usage: $ME"
|
||||
echo " $ME -v"
|
||||
echo " $ME -h"
|
||||
exit $1
|
||||
}
|
||||
|
||||
@ -77,7 +45,7 @@ run_install()
|
||||
cant_autostart()
|
||||
{
|
||||
echo
|
||||
echo "WARNING: Unable to configure Shorewall to start"
|
||||
echo "WARNING: Unable to configure shorewall to start"
|
||||
echo " automatically at boot"
|
||||
}
|
||||
|
||||
@ -105,20 +73,6 @@ delete_file() # $1 = file to delete
|
||||
fi
|
||||
}
|
||||
|
||||
modify_rclocal()
|
||||
{
|
||||
if [ -f /etc/rc.d/rc.local ]; then
|
||||
if [ -z "`grep shorewall /etc/rc.d/rc.local`" ]; then
|
||||
cp -f /etc/rc.d/rc.local /etc/rc.d/rc.local-shorewall.bkout
|
||||
echo >> /etc/rc.d/rc.local
|
||||
echo "/sbin/shorewall start" >> /etc/rc.d/rc.local
|
||||
echo "/etc/rc.d/rc.local modified to start Shorewall"
|
||||
fi
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
}
|
||||
|
||||
install_file_with_backup() # $1 = source $2 = target $3 = mode
|
||||
{
|
||||
backup_file $2
|
||||
@ -129,13 +83,24 @@ install_file_with_backup() # $1 = source $2 = target $3 = mode
|
||||
# Parse the run line
|
||||
#
|
||||
# DEST is the SysVInit script directory
|
||||
# INIT is the name of the script in the $DEST directory
|
||||
# RUNLEVELS is the chkconfig parmeters for firewall
|
||||
# ARGS is "yes" if we've already parsed an argument
|
||||
#
|
||||
DEST=""
|
||||
RUNLEVELS=""
|
||||
ARGS=""
|
||||
|
||||
if [ -z "$DEST" ] ; then
|
||||
DEST="/etc/init.d"
|
||||
fi
|
||||
|
||||
if [ -z "$INIT" ] ; then
|
||||
INIT="shorewall"
|
||||
fi
|
||||
|
||||
if [ -z "$RUNLEVELS" ] ; then
|
||||
RUNLEVELS=""
|
||||
fi
|
||||
|
||||
if [ -z "$OWNER" ] ; then
|
||||
OWNER=root
|
||||
fi
|
||||
@ -147,34 +112,14 @@ fi
|
||||
while [ $# -gt 0 ] ; do
|
||||
case "$1" in
|
||||
-h|help|?)
|
||||
if [ -n "$ARGS" ]; then
|
||||
usage 1
|
||||
fi
|
||||
|
||||
usage 0
|
||||
;;
|
||||
-r)
|
||||
if [ -n "$RUNLEVELS" -o $# -eq 1 ]; then
|
||||
usage 1
|
||||
fi
|
||||
|
||||
RUNLEVELS="$2";
|
||||
shift
|
||||
;;
|
||||
-v)
|
||||
if [ -n "$ARGS" ]; then
|
||||
usage 1
|
||||
fi
|
||||
|
||||
echo "Shorewall Firewall Installer Version $VERSION"
|
||||
exit 0
|
||||
;;
|
||||
*)
|
||||
if [ -n "$DEST" ]; then
|
||||
usage 1
|
||||
fi
|
||||
|
||||
DEST="$1"
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
@ -186,44 +131,19 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
#
|
||||
# Determine where to install the firewall script
|
||||
#
|
||||
DEBIAN=
|
||||
|
||||
if [ -n "$PREFIX" ]; then
|
||||
install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}/sbin
|
||||
install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}${DEST}
|
||||
fi
|
||||
|
||||
FIREWALL="shorewall"
|
||||
|
||||
if [ -z "$DEST" ]; then
|
||||
#
|
||||
# We make this first test so that on RedHat systems that have Seawall installed,
|
||||
# we can still use PREFIX (the code that reads the existing symbolic link
|
||||
# fails dreadfully if the link is relative and PREFIX is non-null).
|
||||
#
|
||||
if [ -x /etc/rc.d/init.d/firewall ]; then
|
||||
DEST=/etc/rc.d/init.d
|
||||
elif [ -L /etc/shorewall/firewall ]; then
|
||||
TEMP=`ls -l /etc/shorewall/firewall | sed 's/^.*> //'`
|
||||
DEST=`dirname $TEMP`
|
||||
FIREWALL=`basename $TEMP`
|
||||
elif [ -d /etc/rc.d/init.d ]; then
|
||||
DEST=/etc/rc.d/init.d
|
||||
elif [ -d /etc/init.d ]; then
|
||||
DEST=/etc/init.d
|
||||
elif [ -f /etc/rc.d/rc.local ]; then
|
||||
DEST=/etc/rc.d
|
||||
FIREWALL="rc.shorewall"
|
||||
else
|
||||
echo "ERROR: Can't determine where to install the firewall script"
|
||||
echo " Rerun $0 passing the name of the SysVInit script directory"
|
||||
echo " on your system"
|
||||
exit 1
|
||||
fi
|
||||
elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
|
||||
DEBIAN=yes
|
||||
fi
|
||||
|
||||
#
|
||||
# Change to the directory containing this script
|
||||
#
|
||||
cd "`dirname $0`"
|
||||
cd "$(dirname $0)"
|
||||
|
||||
echo "Installing Shorewall Version $VERSION"
|
||||
|
||||
@ -239,45 +159,26 @@ fi
|
||||
install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0544
|
||||
|
||||
echo
|
||||
echo "Shorewall control program installed in ${PREFIX}/sbin/shorewall"
|
||||
echo "shorewall control program installed in ${PREFIX}/sbin/shorewall"
|
||||
|
||||
#
|
||||
# Install the Firewall Script
|
||||
#
|
||||
if [ -n "$RUNLEVELS" ]; then
|
||||
#
|
||||
# User specified chkconfig parameters -- build an awk script to install them
|
||||
# in the firewall script
|
||||
#
|
||||
echo "/# chkconfig/ { print \"# chkconfig: $RUNLEVELS\" ; next }" > awk.temp
|
||||
echo "{ print }" >> awk.temp
|
||||
|
||||
awk -f awk.temp init.sh > init.temp
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
echo
|
||||
echo "ERROR: Error running awk."
|
||||
echo " You must run `basename $0` without the "-r" option then edit"
|
||||
echo " $DEST/$FIREWALL manually (line beginning '# chkconfig:')"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
install_file_with_backup init.temp ${PREFIX}${DEST}/$FIREWALL 0544
|
||||
|
||||
rm -f init.temp awk.tmp
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
install_file_with_backup init.debian.sh /etc/init.d/shorewall 0544
|
||||
else
|
||||
install_file_with_backup init.sh ${PREFIX}${DEST}/$FIREWALL 0544
|
||||
install_file_with_backup init.sh ${PREFIX}${DEST}/$INIT 0544
|
||||
fi
|
||||
|
||||
echo
|
||||
echo "Shorewall script installed in ${PREFIX}${DEST}/$FIREWALL"
|
||||
echo "Shorewall script installed in ${PREFIX}${DEST}/$INIT"
|
||||
|
||||
#
|
||||
# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
|
||||
#
|
||||
mkdir -p ${PREFIX}/etc/shorewall
|
||||
mkdir -p ${PREFIX}/usr/share/shorewall
|
||||
mkdir -p ${PREFIX}/var/lib/shorewall
|
||||
mkdir -p ${PREFIX}/etc/shorewall && chmod 700 ${PREFIX}/etc/shorewall
|
||||
mkdir -p ${PREFIX}/usr/share/shorewall && chmod 700 ${PREFIX}/usr/share/shorewall
|
||||
mkdir -p ${PREFIX}/var/lib/shorewall && chmod 700 ${PREFIX}/var/lib/shorewall
|
||||
#
|
||||
# Install the config file
|
||||
#
|
||||
@ -307,11 +208,6 @@ if [ -f ${PREFIX}/etc/shorewall/functions ]; then
|
||||
rm -f ${PREFIX}/etc/shorewall/functions
|
||||
fi
|
||||
|
||||
if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then
|
||||
backup_file ${PREFIX}/var/lib/shorewall/functions
|
||||
rm -f ${PREFIX}/var/lib/shorewall/functions
|
||||
fi
|
||||
|
||||
install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
|
||||
|
||||
echo
|
||||
@ -324,13 +220,6 @@ install_file_with_backup help ${PREFIX}/usr/share/shorewall/help 0544
|
||||
|
||||
echo
|
||||
echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
|
||||
#
|
||||
# Install the common.def file
|
||||
#
|
||||
install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444
|
||||
|
||||
echo
|
||||
echo "Common rules installed in ${PREFIX}/etc/shorewall/common.def"
|
||||
|
||||
#
|
||||
# Delete the icmp.def file
|
||||
@ -388,6 +277,16 @@ else
|
||||
echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
|
||||
fi
|
||||
#
|
||||
# Install the NETMAP file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/netmap ]; then
|
||||
backup_file /etc/shorewall/netmap
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap
|
||||
echo
|
||||
echo "NETMAP file installed as ${PREFIX}/etc/shorewall/netmap"
|
||||
fi
|
||||
#
|
||||
# Install the Parameters file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/params ]; then
|
||||
@ -498,13 +397,21 @@ fi
|
||||
#
|
||||
# Install the rfc1918 file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/rfc1918 ]; then
|
||||
backup_file /etc/shorewall/rfc1918
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 rfc1918 ${PREFIX}/etc/shorewall/rfc1918
|
||||
echo
|
||||
echo "RFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918"
|
||||
fi
|
||||
install_file_with_backup rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0600
|
||||
echo
|
||||
echo "RFC 1918 file installed as ${PREFIX}/usr/share/shorewall/rfc1918"
|
||||
#
|
||||
# Install the bogons file
|
||||
#
|
||||
install_file_with_backup bogons ${PREFIX}/usr/share/shorewall/bogons 0600
|
||||
echo
|
||||
echo "Bogon file installed as ${PREFIX}/usr/share/shorewall/bogons"
|
||||
#
|
||||
# Install the default config path file
|
||||
#
|
||||
install_file_with_backup configpath ${PREFIX}/usr/share/shorewall/configpath 0600
|
||||
echo
|
||||
echo " Default config path file installed as ${PREFIX}/usr/share/shorewall/configpath"
|
||||
#
|
||||
# Install the init file
|
||||
#
|
||||
@ -516,6 +423,16 @@ else
|
||||
echo "Init file installed as ${PREFIX}/etc/shorewall/init"
|
||||
fi
|
||||
#
|
||||
# Install the initdone file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/initdone ]; then
|
||||
backup_file /etc/shorewall/initdone
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone
|
||||
echo
|
||||
echo "Initdone file installed as ${PREFIX}/etc/shorewall/initdone"
|
||||
fi
|
||||
#
|
||||
# Install the start file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/start ]; then
|
||||
@ -566,25 +483,13 @@ else
|
||||
echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
|
||||
fi
|
||||
#
|
||||
# Install the User Sets file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/usersets ]; then
|
||||
backup_file /etc/shorewall/usersets
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 usersets ${PREFIX}/etc/shorewall/usersets
|
||||
echo
|
||||
echo "User Sets file installed as ${PREFIX}/etc/shorewall/usersets"
|
||||
fi
|
||||
# Install the Standard Actions file
|
||||
#
|
||||
# Install the User file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/users ]; then
|
||||
backup_file /etc/shorewall/users
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 users ${PREFIX}/etc/shorewall/users
|
||||
echo
|
||||
echo "Users file installed as ${PREFIX}/etc/shorewall/users"
|
||||
fi
|
||||
install_file_with_backup actions.std ${PREFIX}/usr/share/shorewall/actions.std 0600
|
||||
echo
|
||||
echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
|
||||
|
||||
#
|
||||
# Install the Actions file
|
||||
#
|
||||
@ -596,27 +501,23 @@ else
|
||||
echo "Actions file installed as ${PREFIX}/etc/shorewall/actions"
|
||||
fi
|
||||
#
|
||||
# Install the Action Template file
|
||||
# Install the Action files
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/action.template ]; then
|
||||
backup_file /etc/shorewall/action.template
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 action.template ${PREFIX}/etc/shorewall/action.template
|
||||
echo
|
||||
echo "Action Template file installed as ${PREFIX}/etc/shorewall/action.template"
|
||||
fi
|
||||
for f in action.* ; do
|
||||
if [ -f ${PREFIX}/usr/share/shorewall/$f ]; then
|
||||
backup_file /usr/share/shorewall/$f
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 $f ${PREFIX}/usr/share/shorewall/$f
|
||||
echo
|
||||
echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
|
||||
fi
|
||||
done
|
||||
#
|
||||
# Backup the version file
|
||||
#
|
||||
if [ -z "$PREFIX" ]; then
|
||||
if [ -f /usr/share/shorewall/version ]; then
|
||||
backup_file /usr/share/shorewall/version
|
||||
elif [ -f /usr/lib/shorewall/version ]; then
|
||||
backup_file /usr/lib/shorewall/version
|
||||
elif [ -n "$oldversion" ]; then
|
||||
echo $oldversion > /usr/lib/shorewall/version-${VERSION}.bkout
|
||||
else
|
||||
echo "Unknown" > /usr/lib/shorewall/version-${VERSION}.bkout
|
||||
fi
|
||||
fi
|
||||
#
|
||||
@ -629,54 +530,64 @@ chmod 644 ${PREFIX}/usr/share/shorewall/version
|
||||
#
|
||||
|
||||
if [ -z "$PREFIX" ]; then
|
||||
rm -f /etc/shorewall/firewall
|
||||
rm -f /var/lib/shorewall/firewall
|
||||
[ -L /usr/lib/shorewall/firewall ] && \
|
||||
mv -f /usr/lib/shorewall/firewall /usr/lib/shorewall/firewall-${VERSION}.bkout
|
||||
rm -f /usr/lib/shorewall/init
|
||||
rm -f /usr/share/shorewall/init
|
||||
ln -s ${DEST}/${FIREWALL} /usr/share/shorewall/init
|
||||
ln -s ${DEST}/${INIT} /usr/share/shorewall/init
|
||||
fi
|
||||
|
||||
#
|
||||
# Install the firewall script
|
||||
#
|
||||
install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544
|
||||
|
||||
if [ -z "$PREFIX" -a -n "$first_install" ]; then
|
||||
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
if insserv /etc/init.d/shorewall ; then
|
||||
if [ -z "$PREFIX" ]; then
|
||||
if [ -n "$first_install" ]; then
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
|
||||
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
|
||||
echo
|
||||
echo "Firewall will start automatically at boot"
|
||||
echo "shorewall will start automatically at boot"
|
||||
echo "Set startup=1 in /etc/default/shorewall to enable"
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
|
||||
if chkconfig --add $FIREWALL ; then
|
||||
echo
|
||||
echo "Firewall will start automatically in run levels as follows:"
|
||||
chkconfig --list $FIREWALL
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
elif [ -x /sbin/rc-update ]; then
|
||||
if rc-update add shorewall default; then
|
||||
echo
|
||||
echo "Firewall will start automatically at boot"
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
else
|
||||
modify_rclocal
|
||||
fi
|
||||
|
||||
echo \
|
||||
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
if insserv /etc/init.d/shorewall ; then
|
||||
echo
|
||||
echo "shorewall will start automatically at boot"
|
||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
|
||||
if chkconfig --add shorewall ; then
|
||||
echo
|
||||
echo "shorewall will start automatically in run levels as follows:"
|
||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
||||
chkconfig --list shorewall
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
elif [ -x /sbin/rc-update ]; then
|
||||
if rc-update add shorewall default; then
|
||||
echo
|
||||
echo "shorewall will start automatically at boot"
|
||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
|
||||
cant_autostart
|
||||
fi
|
||||
|
||||
echo \
|
||||
"########################################################################
|
||||
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
|
||||
########################################################################" > /etc/shorewall/startup_disabled
|
||||
fi
|
||||
|
||||
fi
|
||||
elif [ -n "$DEBIAN" -a ! -f /etc/default/shorewall ]; then
|
||||
run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
|
||||
fi
|
||||
fi
|
||||
#
|
||||
# Report Success
|
||||
#
|
||||
echo
|
||||
echo "Shorewall Version $VERSION Installed"
|
||||
echo "shorewall Version $VERSION Installed"
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.4 -- Interfaces File
|
||||
# Shorewall 2.0 -- Interfaces File
|
||||
#
|
||||
# /etc/shorewall/interfaces
|
||||
#
|
||||
@ -24,11 +24,12 @@
|
||||
# want to make an entry that applies to all PPP
|
||||
# interfaces, use 'ppp+'.
|
||||
#
|
||||
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
|
||||
# There is no need to define the loopback interface (lo)
|
||||
# in this file.
|
||||
#
|
||||
# BROADCAST The broadcast address for the subnetwork to which the
|
||||
# interface belongs. For P-T-P interfaces, this
|
||||
# column is left black.If the interface has multiple
|
||||
# column is left blank.If the interface has multiple
|
||||
# addresses on multiple subnets then list the broadcast
|
||||
# addresses as a comma-separated list.
|
||||
#
|
||||
@ -36,8 +37,7 @@
|
||||
# will detect the broadcast address for you. If you
|
||||
# select this option, the interface must be up before
|
||||
# the firewall is started, you must have iproute
|
||||
# installed and the interface must only be associated
|
||||
# with a single subnet.
|
||||
# installed.
|
||||
#
|
||||
# If you don't want to give a value for this column but
|
||||
# you want to enter a value in the OPTIONS column, enter
|
||||
@ -46,38 +46,51 @@
|
||||
# OPTIONS A comma-separated list of options including the
|
||||
# following:
|
||||
#
|
||||
# dhcp - interface is managed by DHCP or used by
|
||||
# a DHCP server running on the firewall or
|
||||
# you have a static IP but are on a LAN
|
||||
# segment with lots of Laptop DHCP clients.
|
||||
# dhcp - Specify this option when any of
|
||||
# the following are true:
|
||||
# 1. the interface gets its IP address
|
||||
# via DHCP
|
||||
# 2. the interface is used by
|
||||
# a DHCP server running on the firewall
|
||||
# 3. you have a static IP but are on a LAN
|
||||
# segment with lots of Laptop DHCP
|
||||
# clients.
|
||||
# 4. the interface is a bridge with
|
||||
# a DHCP server on one port and DHCP
|
||||
# clients on another port.
|
||||
#
|
||||
# norfc1918 - This interface should not receive
|
||||
# any packets whose source is in one
|
||||
# of the ranges reserved by RFC 1918
|
||||
# (i.e., private or "non-routable"
|
||||
# addresses. If packet mangling is
|
||||
# enabled in shorewall.conf, packets
|
||||
# whose destination addresses are
|
||||
# reserved by RFC 1918 are also rejected.
|
||||
# addresses. If packet mangling or
|
||||
# connection-tracking match is enabled in
|
||||
# your kernel, packets whose destination
|
||||
# addresses are reserved by RFC 1918 are
|
||||
# also rejected.
|
||||
#
|
||||
# nobogons - This interface should not receive
|
||||
# any packets whose source is in one
|
||||
# of the ranges reserved by IANA (this
|
||||
# option does not cover those ranges
|
||||
# reserved by RFC 1918 -- see above).
|
||||
#
|
||||
# routefilter - turn on kernel route filtering for this
|
||||
# interface (anti-spoofing measure). This
|
||||
# option can also be enabled globally in
|
||||
# the /etc/shorewall/shorewall.conf file.
|
||||
# dropunclean - Logs and drops mangled/invalid
|
||||
# packets. USE OF THIS OPTION IS
|
||||
# NOT RECOMMENDED. It will be removed in
|
||||
# Shorewall 2.0.
|
||||
# logunclean - Logs mangled/invalid packets but does
|
||||
# not drop them. This option will be
|
||||
# removed in Shorewall 2.0.
|
||||
#
|
||||
# . . blacklist - Check packets arriving on this interface
|
||||
# against the /etc/shorewall/blacklist
|
||||
# file.
|
||||
#
|
||||
# maclist - Connection requests from this interface
|
||||
# are compared against the contents of
|
||||
# /etc/shorewall/maclist. If this option
|
||||
# is specified, the interface must be
|
||||
# an ethernet NIC and must be up before
|
||||
# Shorewall is started.
|
||||
#
|
||||
# tcpflags - Packets arriving on this interface are
|
||||
# checked for certain illegal combinations
|
||||
# of TCP flags. Packets found to have
|
||||
@ -86,6 +99,7 @@
|
||||
# TCP_FLAGS_DISPOSITION after having been
|
||||
# logged according to the setting of
|
||||
# TCP_FLAGS_LOG_LEVEL.
|
||||
#
|
||||
# proxyarp -
|
||||
# Sets
|
||||
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
||||
@ -101,11 +115,21 @@
|
||||
# established connection will be accepted
|
||||
# from this interface, even if
|
||||
# NEWNOTSYN=No has been specified in
|
||||
# /etc/shorewall/shorewall.conf.
|
||||
# /etc/shorewall/shorewall.conf. In other
|
||||
# words, packets coming in on this interface
|
||||
# are processed as if NEWNOTSYN=Yes had been
|
||||
# specified in /etc/shorewall/shorewall.conf.
|
||||
#
|
||||
# This option has no effect if
|
||||
# NEWNOTSYN=Yes.
|
||||
#
|
||||
# It is the opinion of the author that
|
||||
# NEWNOTSYN=No creates more problems than
|
||||
# it solves and I recommend against using
|
||||
# that setting in shorewall.conf (hence
|
||||
# making the use of the 'newnotsyn'
|
||||
# interface option unnecessary).
|
||||
#
|
||||
# routeback - If specified, indicates that Shorewall
|
||||
# should include rules that allow filtering
|
||||
# traffic arriving on this interface back
|
||||
@ -120,12 +144,21 @@
|
||||
# interface. The interface must be up
|
||||
# when Shorewall is started.
|
||||
#
|
||||
# nosmurfs - Filter packets for smurfs
|
||||
# (packets with a broadcast
|
||||
# address as the source).
|
||||
#
|
||||
# Smurfs will be optionally logged based
|
||||
# on the setting of SMURF_LOG_LEVEL in
|
||||
# shorewall.conf. After logging, the
|
||||
# packets are dropped.
|
||||
#
|
||||
# detectnets - Automatically taylors the zone named
|
||||
# in the ZONE column to include only those
|
||||
# hosts routed through the interface.
|
||||
#
|
||||
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
||||
# INTERNET INTERFACE!
|
||||
# INTERNET INTERFACE.
|
||||
#
|
||||
# The order in which you list the options is not
|
||||
# significant but the list should have no embedded white
|
||||
@ -157,4 +190,5 @@
|
||||
# net ppp0 -
|
||||
##############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,11 +1,14 @@
|
||||
#
|
||||
# Shorewall 1.4 - MAC list file
|
||||
# Shorewall 2.0 - MAC list file
|
||||
#
|
||||
# /etc/shorewall/maclist
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# INTERFACE Network interface to a host
|
||||
# INTERFACE Network interface to a host. If the interface
|
||||
# names a bridge, it may be optionally followed by
|
||||
# a colon (":") and a physical port name (e.g.,
|
||||
# br0:eth4).
|
||||
#
|
||||
# MAC MAC address of the host -- you do not need to use
|
||||
# the Shorewall format for MAC addresses here
|
||||
|
56
STABLE/masq
56
STABLE/masq
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.4 - Masquerade file
|
||||
# Shorewall 2.0 - Masquerade file
|
||||
#
|
||||
# /etc/shorewall/masq
|
||||
#
|
||||
@ -18,12 +18,7 @@
|
||||
# PLACE IN YOUR SHOREWALL CONFIGURATION.
|
||||
#
|
||||
# This may be qualified by adding the character
|
||||
# ":" followed by a comma-separed list of
|
||||
# destination hosts or subnets. If this list begins with
|
||||
# "!" then masquerading will occur if and only if the
|
||||
# connection destination is NOT included in the list.
|
||||
# Otherwise, the masquerading will occur if and only if
|
||||
# the destination IS included in the list.
|
||||
# ":" followed by a destination host or subnet.
|
||||
#
|
||||
#
|
||||
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
|
||||
@ -47,6 +42,13 @@
|
||||
# will automatically add this address to the
|
||||
# INTERFACE named in the first column.
|
||||
#
|
||||
# If you have set ADD_SNAT_ALIASES=Yes in
|
||||
# /etc/shorewall/shorewall.conf then DO NOT
|
||||
# PLACE YOUR EXTERNAL INTERFACE'S PRIMARY IP
|
||||
# ADDRESS IN THIS COLUMN -- If you do so, you
|
||||
# will loose your default route when Shorewall
|
||||
# starts.
|
||||
#
|
||||
# You may also specify a range of up to 256
|
||||
# IP addresses if you want the SNAT address to
|
||||
# be assigned from that range in a round-robin
|
||||
@ -60,6 +62,27 @@
|
||||
#
|
||||
# This column may not contain DNS Names.
|
||||
#
|
||||
# If you want to leave this column empty
|
||||
# but you need to specify the next column then
|
||||
# place a hyphen ("-") here.
|
||||
#
|
||||
# PROTO -- (Optional) If you wish to restrict this entry to a
|
||||
# particular protocol then enter the protocol
|
||||
# name (from /etc/protocols) or number here.
|
||||
#
|
||||
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
|
||||
# or UDP (protocol 17) then you may list one
|
||||
# or more port numbers (or names from
|
||||
# /etc/services) separated by commas or you
|
||||
# may list a single port range
|
||||
# (<low port>:<high port>).
|
||||
#
|
||||
# Where a comma-separated list is given, your
|
||||
# kernel and iptables must have multiport match
|
||||
# support and a maximum of 15 ports may be
|
||||
# listed.
|
||||
#
|
||||
#
|
||||
# Example 1:
|
||||
#
|
||||
# You have a simple masquerading setup where eth0 connects to
|
||||
@ -94,11 +117,24 @@
|
||||
#
|
||||
# You want all outgoing traffic from 192.168.1.0/24 through
|
||||
# eth0 to use source address 206.124.146.176 which is NOT the
|
||||
# primary address of eth0. You want 206.124.146.176 to
|
||||
# primary address of eth0. You want 206.124.146.176 added to
|
||||
# be added to eth0 with name eth0:0.
|
||||
#
|
||||
# eth0:0 192.168.1.0/24 206.124.146.176
|
||||
#
|
||||
##############################################################################
|
||||
#INTERFACE SUBNET ADDRESS
|
||||
# Example 5:
|
||||
#
|
||||
# You want all outgoing SMTP traffic entering the firewall
|
||||
# on eth1 to be sent from eth0 with source IP address
|
||||
# 206.124.146.177. You want all other outgoing traffic
|
||||
# from eth1 to be sent from eth0 with source IP address
|
||||
# 206.124.146.176.
|
||||
#
|
||||
# eth0 eth1 206.124.146.177 tcp smtp
|
||||
# eth0 eth1 206.124.146.176
|
||||
#
|
||||
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
##############################################################################
|
||||
# Shorewall 1.4 /etc/shorewall/modules
|
||||
# Shorewall 2.0 /etc/shorewall/modules
|
||||
#
|
||||
# This file loads the modules needed by the firewall.
|
||||
#
|
||||
|
11
STABLE/nat
11
STABLE/nat
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 1.4 -- Network Address Translation Table
|
||||
# Shorewall 2.0 -- Network Address Translation Table
|
||||
#
|
||||
# /etc/shorewall/nat
|
||||
#
|
||||
@ -16,7 +16,7 @@
|
||||
# EXTERNAL External IP Address - this should NOT be the primary
|
||||
# IP address of the interface named in the next
|
||||
# column and must not be a DNS Name.
|
||||
# INTERFACE Interface that we want to EXTERNAL address to appear
|
||||
# INTERFACE Interface that you want to EXTERNAL address to appear
|
||||
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
|
||||
# follow the interface name with ":" and a digit to
|
||||
# indicate that you want Shorewall to add the alias
|
||||
@ -25,12 +25,11 @@
|
||||
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
|
||||
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
|
||||
# INTERNAL Internal Address (must not be a DNS Name).
|
||||
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
|
||||
# from all hosts. If No or no then NAT will be effective
|
||||
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
|
||||
# If No or no (or left empty) then NAT will be effective
|
||||
# only through the interface named in the INTERFACE
|
||||
# column
|
||||
# LOCAL If Yes or yes and the ALL INTERFACES column contains
|
||||
# Yes or yes, NAT will be effective from the firewall
|
||||
# LOCAL If Yes or yes, NAT will be effective from the firewall
|
||||
# system
|
||||
##############################################################################
|
||||
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
|
38
STABLE/netmap
Normal file
38
STABLE/netmap
Normal file
@ -0,0 +1,38 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.0 -- Network Mapping Table
|
||||
#
|
||||
# /etc/shorewall/netmap
|
||||
#
|
||||
# This file is used to map addresses in one network to corresponding
|
||||
# addresses in a second network.
|
||||
#
|
||||
# WARNING: To use this file, your kernel and iptables must have
|
||||
# NETMAP support included.
|
||||
#
|
||||
# Columns must be separated by white space and are:
|
||||
#
|
||||
# TYPE Must be DNAT or SNAT.
|
||||
#
|
||||
# If DNAT, traffic entering INTERFACE and addressed to
|
||||
# NET1 has it's destination address rewritten to the
|
||||
# corresponding address in NET2.
|
||||
#
|
||||
# If SNAT, traffic leaving INTERFACE with a source
|
||||
# address in NET1 has it's source address rewritten to
|
||||
# the corresponding address in NET2.
|
||||
#
|
||||
# NET1 Network in CIDR format (e.g., 192.168.1.0/24)
|
||||
#
|
||||
# INTERFACE The name of a network interface. The interface must
|
||||
# be defined in /etc/shorewall/interfaces.
|
||||
#
|
||||
# NET2 Network in CIDR format
|
||||
#
|
||||
# See http://shorewall.net/netmap.html for an example and usage
|
||||
# information.
|
||||
#
|
||||
##############################################################################
|
||||
#TYPE NET1 INTERFACE NET2
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.4 /etc/shorewall/params
|
||||
# Shorewall 2.0 /etc/shorewall/params
|
||||
#
|
||||
# Assign any variables that you need here.
|
||||
#
|
||||
|
@ -1,15 +1,14 @@
|
||||
#
|
||||
# Shorewall 1.4 -- Policy File
|
||||
# Shorewall 2.0 -- Policy File
|
||||
#
|
||||
# /etc/shorewall/policy
|
||||
#
|
||||
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
|
||||
#
|
||||
# This file determines what to do with a new connection request if we
|
||||
# don't get a match from the /etc/shorewall/rules file or from the
|
||||
# /etc/shorewall/common[.def] file. For each source/destination pair, the
|
||||
# file is processed in order until a match is found ("all" will match
|
||||
# any client or server).
|
||||
# don't get a match from the /etc/shorewall/rules file . For each
|
||||
# source/destination pair, the file is processed in order until a
|
||||
# match is found ("all" will match any client or server).
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
@ -19,10 +18,6 @@
|
||||
# DEST Destination zone. Must be the name of a zone defined
|
||||
# in /etc/shorewall/zones, $FW or "all"
|
||||
#
|
||||
# WARNING: Firewall->Firewall policies are not allowed; if
|
||||
# you have a policy where both SOURCE and DEST are $FW,
|
||||
# Shorewall will not start!
|
||||
#
|
||||
# POLICY Policy if no match from the rules file is found. Must
|
||||
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
|
||||
#
|
||||
@ -47,6 +42,12 @@
|
||||
# SOURCE or DEST columns contain the
|
||||
# firewall zone ($FW) or "all".
|
||||
#
|
||||
# If this column contains ACCEPT, DROP or REJECT and a
|
||||
# corresponding common action is defined in
|
||||
# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
|
||||
# then that action will be invoked before the policy named in
|
||||
# this column is inforced.
|
||||
#
|
||||
# LOG LEVEL If supplied, each connection handled under the default
|
||||
# POLICY is logged at that level. If not supplied, no
|
||||
# log message is generated. See syslog.conf(5) for a
|
||||
@ -59,7 +60,7 @@
|
||||
# (http://www.gnumonks.org/projects/ulogd).
|
||||
#
|
||||
# If you don't want to log but need to specify the
|
||||
# following column, place "_" here.
|
||||
# following column, place "-" here.
|
||||
#
|
||||
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
|
||||
# and the size of an acceptable burst. If not specified,
|
||||
|
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 1.4 -- Proxy ARP
|
||||
# Shorewall 2.0 -- Proxy ARP
|
||||
#
|
||||
# /etc/shorewall/proxyarp
|
||||
#
|
||||
@ -9,22 +9,36 @@
|
||||
# Columns must be separated by white space and are:
|
||||
#
|
||||
# ADDRESS IP Address
|
||||
#
|
||||
# INTERFACE Local interface where system is connected. If the
|
||||
# local interface is obvious from the subnetting,
|
||||
# you may enter "-" in this column.
|
||||
#
|
||||
# EXTERNAL External Interface to be used to access this system
|
||||
#
|
||||
# HAVEROUTE If there is already a route from the firewall to
|
||||
# the host whose address is given, enter "Yes" or "yes"
|
||||
# in this column. Otherwise, entry "no", "No" or leave
|
||||
# the column empty.
|
||||
# the column empty and Shorewall will add the route for
|
||||
# you. If Shorewall adds the route,the route will be
|
||||
# persistent if the PERSISTENT column contains Yes;
|
||||
# otherwise, "shorewall stop" or "shorewall clear" will
|
||||
# delete the route.
|
||||
#
|
||||
# PERSISTENT If HAVEROUTE is No or "no", then the value of this
|
||||
# column determines if the route added by Shorewall
|
||||
# persists after a "shorewall stop" or a "shorewall
|
||||
# clear". If this column contains "Yes" or "yes" then
|
||||
# the route persists; If the column is empty or contains
|
||||
# "No"or "no" then the route is deleted at "shorewall
|
||||
# stop" or "shorewall clear".
|
||||
#
|
||||
# Example: Host with IP 155.186.235.6 is connected to
|
||||
# interface eth1 and we want hosts attached via eth0
|
||||
# to be able to access it using that address.
|
||||
#
|
||||
# #ADDRESS INTERFACE EXTERNAL HAVEROUTE
|
||||
# 155.186.235.6 eth1 eth0 No
|
||||
# #ADDRESS INTERFACE EXTERNAL
|
||||
# 155.186.235.6 eth1 eth0
|
||||
##############################################################################
|
||||
#ADDRESS INTERFACE EXTERNAL HAVEROUTE
|
||||
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,7 +1,301 @@
|
||||
Shorewall 1.4.11
|
||||
Shorewall 2.0.16
|
||||
|
||||
Problems Corrected since version 1.4.10g
|
||||
----------------------------------------------------------------------
|
||||
Problems Corrected in version 2.0.4
|
||||
|
||||
1) The shorewall.conf and zones file are no longer given execute
|
||||
permission by the installer.
|
||||
1) A DNAT rule with 'fw' as the source that specified logging caused
|
||||
"shorewall start" to fail.
|
||||
|
||||
----------------------------------------------------------------------
|
||||
Problems Corrected in version 2.0.5
|
||||
|
||||
1) Eliminated "$RESTOREBASE: ambiguous redirect" messages during
|
||||
"shorewll stop" in the case where DISABLE_IPV6=Yes in
|
||||
shorewall.conf.
|
||||
|
||||
2) An anachronistic reference to the mangle option was removed from
|
||||
shorewall.conf.
|
||||
|
||||
----------------------------------------------------------------------
|
||||
Problems Corrected in version 2.0.6
|
||||
|
||||
1) Some users have reported the pkttype match option in iptables/
|
||||
Netfilter failing to match certain broadcast packets. The result
|
||||
is that the firewall log shows a lot of broadcast packets.
|
||||
|
||||
Other users have complained of the following message when
|
||||
starting Shorewall:
|
||||
|
||||
modprobe: cant locate module ipt_pkttype
|
||||
|
||||
Users experiencing either of these problems can use PKTTYPE=No in
|
||||
shorewall.conf to cause Shorewall to use IP address filtering of
|
||||
broadcasts rather than packet type.
|
||||
|
||||
2) The shorewall.conf and zones file are no longer given execute
|
||||
permission by the installer script.
|
||||
|
||||
3) ICMP packets that are in the INVALID state are now dropped by the
|
||||
Reject and Drop default actions. They do so using the new
|
||||
'dropInvalid' builtin action.
|
||||
-----------------------------------------------------------------------
|
||||
Problems Corrected in version 2.0.7
|
||||
|
||||
1) The PKTTYPE option introduced in version 2.0.6 is now used when
|
||||
generating rules to REJECT packets. Broadcast packets are silently
|
||||
dropped rather than being rejected with an ICMP (which is a protocol
|
||||
violation) and users whose kernels have broken packet type match
|
||||
support are likely to see messages reporting this violation.
|
||||
Setting PKTTYPE=No should cause these messages to cease.
|
||||
|
||||
2) Multiple interfaces with the 'blacklist' option no longer result in
|
||||
an error message at startup.
|
||||
|
||||
3) The following has been added to /etc/shorewall/bogons:
|
||||
|
||||
0.0.0.0 RETURN
|
||||
|
||||
This prevents the 'nobogons' option from logging DHCP 'DISCOVER'
|
||||
broadcasts.
|
||||
-----------------------------------------------------------------------
|
||||
New Features in version 2.0.7
|
||||
|
||||
1) To improve supportability, the "shorewall status" command now
|
||||
includes IP and Route configuration information.
|
||||
|
||||
Example:
|
||||
|
||||
IP Configuration
|
||||
|
||||
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
|
||||
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
|
||||
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
|
||||
inet6 ::1/128 scope host
|
||||
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
|
||||
link/ether 00:a0:c9:15:39:78 brd ff:ff:ff:ff:ff:ff
|
||||
inet6 fe80::2a0:c9ff:fe15:3978/64 scope link
|
||||
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
|
||||
link/ether 00:a0:c9:a7:d7:bf brd ff:ff:ff:ff:ff:ff
|
||||
inet6 fe80::2a0:c9ff:fea7:d7bf/64 scope link
|
||||
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop
|
||||
link/sit 0.0.0.0 brd 0.0.0.0
|
||||
6: eth2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
|
||||
link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
|
||||
inet6 fe80::240:d0ff:fe07:3a1b/64 scope link
|
||||
7: br0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc noqueue
|
||||
link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
|
||||
inet 192.168.1.3/24 brd 192.168.1.255 scope global br0
|
||||
inet6 fe80::240:d0ff:fe07:3a1b/64 scope link
|
||||
|
||||
Routing Rules
|
||||
|
||||
0: from all lookup local
|
||||
32765: from all fwmark ca lookup www.out
|
||||
32766: from all lookup main
|
||||
32767: from all lookup default
|
||||
|
||||
Table local:
|
||||
|
||||
broadcast 192.168.1.0 dev br0 proto kernel scope link src 192.168.1.3
|
||||
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
|
||||
local 192.168.1.3 dev br0 proto kernel scope host src 192.168.1.3
|
||||
broadcast 192.168.1.255 dev br0 proto kernel scope link src 192.168.1.3
|
||||
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
|
||||
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
|
||||
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
|
||||
|
||||
Table www.out:
|
||||
|
||||
default via 192.168.1.3 dev br0
|
||||
|
||||
Table main:
|
||||
|
||||
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.3
|
||||
default via 192.168.1.254 dev br0
|
||||
|
||||
Table default:
|
||||
-----------------------------------------------------------------------
|
||||
Problems Corrected in version 2.0.8
|
||||
|
||||
1) User/group restricted rules now work in actions.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Problems Corrected in version 2.0.9
|
||||
|
||||
1) Previously, an empty PROTO column or a value of "all" in that column
|
||||
would cause errors when processing the /etc/shorewall/tcrules file.
|
||||
|
||||
New Fewatures in version 2.0.9
|
||||
|
||||
1) The "shorewall status" command now includes the output of "brctl
|
||||
show" if the bridge tools are installed.
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in version 2.0.10
|
||||
|
||||
1) The GATEWAY column was previously ignored in 'pptpserver' entries in
|
||||
/etc/shorewall/tunnels.
|
||||
|
||||
2) When log rule numbers are included in the LOGFORMAT, duplicate
|
||||
rule numbers could previously be generated.
|
||||
|
||||
3) The /etc/shorewall/tcrules file now includes a note to the effect
|
||||
that rule evaluation continues after a match.
|
||||
|
||||
4) The error message produced if Shorewall couldn't obtain the routes
|
||||
through an interface named in the SUBNET column of
|
||||
/etc/shorewall/masq was less than helpful since it didn't include
|
||||
the interface name.
|
||||
-----------------------------------------------------------------------
|
||||
New Features in 2.0.10
|
||||
|
||||
The "shorewall status" command has been enhanced to include the values
|
||||
of key /proc settings:
|
||||
|
||||
Example from a two-interface firewall:
|
||||
|
||||
/proc
|
||||
|
||||
/proc/sys/net/ipv4/ip_forward = 1
|
||||
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
|
||||
/proc/sys/net/ipv4/conf/all/arp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/all/rp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
|
||||
/proc/sys/net/ipv4/conf/default/arp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/default/rp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
|
||||
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
|
||||
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
|
||||
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in 2.0.11
|
||||
|
||||
1) The INSTALL file now include special instructions for Slackware
|
||||
users.
|
||||
|
||||
2) The bogons file has been updated.
|
||||
|
||||
3) Service names are replaced by port numbers in /etc/shorewall/tos.
|
||||
|
||||
4) A typo in the install.sh file that caused an error during a new
|
||||
install has been corrected.
|
||||
-----------------------------------------------------------------------
|
||||
New Features in 2.0.11
|
||||
|
||||
1) The AllowNNTP action now allows NNTP over SSL/TLS (NTTPS).
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in 2.0.12
|
||||
|
||||
1) A typo in shorewall.conf (NETNOTSYN) has been corrected.
|
||||
|
||||
2) The "shorewall add" and "shorewall delete" commands now work in a
|
||||
bridged environment. The syntax is:
|
||||
|
||||
shorewall add <interface>[:<port>]:<address> <zone>
|
||||
shorewall delete <interface>[:<port>]:<address> <zone>
|
||||
|
||||
Examples:
|
||||
|
||||
shorewall add br0:eth2:192.168.1.3 OK
|
||||
shorewall delete br0:eth2:192.168.1.3 OK
|
||||
|
||||
3) Previously, "shorewall save" created an out-of-sequence restore
|
||||
script. The commands saved in the user's /etc/shorewall/start script
|
||||
were executed prior to the Netfilter configuration being
|
||||
restored. This has been corrected so that "shorewall save" now
|
||||
places those commands at the end of the script.
|
||||
|
||||
To accomplish this change, the "restore base" file
|
||||
(/var/lib/shorewall/restore-base) has been split into two files:
|
||||
|
||||
/var/lib/shorewall/restore-base -- commands to be executed before
|
||||
Netfilter the configuration is restored.
|
||||
|
||||
/var/lib/shorewall/restore-tail -- commands to be executed after the
|
||||
Netfilter configuration is restored.
|
||||
|
||||
4) Previously, traffic from the firewall to a dynamic zone member host
|
||||
did not need to match the interface specified when the host was
|
||||
added to the zone. For example, if eth0:1.2.3.4 is added to dynamic
|
||||
zone Z then traffic out of any firewall interface to 1.2.3.4 will
|
||||
obey the fw->Z policies and rules. This has been corrected.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
New Features in 2.0.12
|
||||
|
||||
1) Variable expansion may now be used with the INCLUDE directive.
|
||||
|
||||
Example:
|
||||
|
||||
/etc/shorewall/params
|
||||
|
||||
FILE=/etc/foo/bar
|
||||
|
||||
Any other config file:
|
||||
|
||||
INCLUDE $FILE
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in 2.0.13
|
||||
|
||||
1) A typo in /usr/share/shorewall/firewall caused the following:
|
||||
|
||||
/usr/share/shorewall/firewall: line 1: match_destination_hosts: command
|
||||
not found
|
||||
-----------------------------------------------------------------------
|
||||
New Features in 2.0.14
|
||||
|
||||
1) Previously, when rate-limiting was specified in
|
||||
/etc/shorewall/policy (LIMIT:BURST column), any traffic which
|
||||
exceeded the specified rate was silently dropped. Now, if a log
|
||||
level is given in the entry (LEVEL column) then drops are logged at
|
||||
that level at a rate of 5/min with a burst of 5.
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in 2.0.14
|
||||
|
||||
1) A typo in the /etc/shorewall/interfaces file has been fixed.
|
||||
|
||||
2) "bad variable" error messages occurring during "shorewall stop" and
|
||||
"shorewall clear" have been eliminated.
|
||||
|
||||
3) A misleading typo in /etc/shorewall/tunnels has been corrected.
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in 2.0.15
|
||||
|
||||
1) The range of ports opened by the AllowTrcrt action has been
|
||||
expanded to 33434:33524.
|
||||
|
||||
2) Code mis-ported from 2.2.0 caused the following error during
|
||||
"shorewall start" where SYN rate-limiting is present in
|
||||
/etc/shorewall/policy:
|
||||
|
||||
Bad argument `DROP'
|
||||
Try `iptables -h' or 'iptables --help' for more information.
|
||||
-----------------------------------------------------------------------
|
||||
New Features in 2.0.16
|
||||
|
||||
1) Recent 2.6 kernels include code that evaluates TCP packets based on
|
||||
TCP Window analysis. This can cause packets that were previously
|
||||
classified as NEW or ESTABLISHED to be classified as INVALID.
|
||||
|
||||
The new kernel code can be disabled by including this command in
|
||||
your /etc/shorewall/init file:
|
||||
|
||||
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
|
||||
|
||||
Additional kernel logging about INVALID TCP packets may be
|
||||
obtained by adding this command to /etc/shorewall/init:
|
||||
|
||||
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
|
||||
|
||||
Traditionally, Shorewall has dropped INVALID TCP packets early. The
|
||||
new DROPINVALID option allows INVALID packets to be passed through
|
||||
the normal rules chains by setting DROPINVALID=No.
|
||||
|
||||
If not specified or if specified as empty (e.g., DROPINVALID="")
|
||||
then DROPINVALID=Yes is assumed.
|
||||
|
@ -1,13 +1,14 @@
|
||||
#
|
||||
# Shorewall 1.4 -- RFC1918 File
|
||||
# Shorewall 2.0-- RFC1918 File
|
||||
#
|
||||
# /etc/shorewall/rfc1918
|
||||
#
|
||||
# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
|
||||
#
|
||||
# The default list includes those IP addresses listed in RFC 1918, those listed
|
||||
# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
|
||||
# reserved for use in documentation and examples.
|
||||
# The default list includes those IP addresses listed in RFC 1918.
|
||||
#
|
||||
# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
|
||||
# TO /etc/shorewall AND MODIFY THE COPY.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
@ -19,50 +20,7 @@
|
||||
#
|
||||
###############################################################################
|
||||
#SUBNET TARGET
|
||||
255.255.255.255 RETURN # We need to allow limited broadcast
|
||||
169.254.0.0/16 DROP # DHCP autoconfig
|
||||
172.16.0.0/12 logdrop # RFC 1918
|
||||
192.0.2.0/24 logdrop # Example addresses (RFC 3330)
|
||||
192.168.0.0/16 logdrop # RFC 1918
|
||||
#
|
||||
# The following are generated with the help of the Python program found at:
|
||||
#
|
||||
# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
|
||||
#
|
||||
# The program was contributed by Andy Wiggin
|
||||
#
|
||||
0.0.0.0/7 logdrop # Reserved
|
||||
2.0.0.0/8 logdrop # Reserved
|
||||
5.0.0.0/8 logdrop # Reserved
|
||||
7.0.0.0/8 logdrop # Reserved
|
||||
10.0.0.0/8 logdrop # Reserved
|
||||
23.0.0.0/8 logdrop # Reserved
|
||||
27.0.0.0/8 logdrop # Reserved
|
||||
31.0.0.0/8 logdrop # Reserved
|
||||
36.0.0.0/7 logdrop # Reserved
|
||||
39.0.0.0/8 logdrop # Reserved
|
||||
41.0.0.0/8 logdrop # Reserved
|
||||
42.0.0.0/8 logdrop # Reserved
|
||||
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||
73.0.0.0/8 logdrop # Reserved
|
||||
74.0.0.0/7 logdrop # Reserved
|
||||
76.0.0.0/6 logdrop # Reserved
|
||||
89.0.0.0/8 logdrop # Reserved
|
||||
90.0.0.0/7 logdrop # Reserved
|
||||
92.0.0.0/6 logdrop # Reserved
|
||||
96.0.0.0/3 logdrop # Reserved
|
||||
127.0.0.0/8 logdrop # Loopback
|
||||
173.0.0.0/8 logdrop # Reserved
|
||||
174.0.0.0/7 logdrop # Reserved
|
||||
176.0.0.0/5 logdrop # Reserved
|
||||
184.0.0.0/6 logdrop # Reserved
|
||||
189.0.0.0/8 logdrop # Reserved
|
||||
190.0.0.0/8 logdrop # Reserved
|
||||
197.0.0.0/8 logdrop # Reserved
|
||||
198.18.0.0/15 logdrop # Reserved
|
||||
223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
|
||||
240.0.0.0/4 logdrop # Reserved
|
||||
# End of generated entries
|
||||
#
|
||||
10.0.0.0/8 logdrop # RFC 1918
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 1.4 -- Hosts Accessible when the Firewall is Stopped
|
||||
# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped
|
||||
#
|
||||
# /etc/shorewall/routestopped
|
||||
#
|
||||
@ -14,12 +14,18 @@
|
||||
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
||||
# If left empty or supplied as "-",
|
||||
# 0.0.0.0/0 is assumed.
|
||||
# OPTIONS - (Optional) A comma-separated list of
|
||||
# options. The currently-supported options are:
|
||||
#
|
||||
# routeback - Set up a rule to ACCEPT traffic from
|
||||
# these hosts back to themselves.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# INTERFACE HOST(S)
|
||||
# INTERFACE HOST(S) OPTIONS
|
||||
# eth2 192.168.1.0/24
|
||||
# eth0 192.0.2.44
|
||||
# br0 - routeback
|
||||
##############################################################################
|
||||
#INTERFACE HOST(S)
|
||||
#INTERFACE HOST(S) OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
105
STABLE/rules
105
STABLE/rules
@ -1,24 +1,37 @@
|
||||
#
|
||||
# Shorewall version 1.4 - Rules File
|
||||
# Shorewall version 2.0 - Rules File
|
||||
#
|
||||
# /etc/shorewall/rules
|
||||
#
|
||||
# Rules in this file govern connection establishment. Requests and
|
||||
# responses are automatically allowed using connection tracking.
|
||||
# responses are automatically allowed using connection tracking. For any
|
||||
# particular (source,dest) pair of zones, the rules are evaluated in the
|
||||
# order in which they appear in this file and the first match is the one
|
||||
# that determines the disposition of the request.
|
||||
#
|
||||
# In most places where an IP address or subnet is allowed, you
|
||||
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
|
||||
# indicate that the rule matches all addresses except the address/subnet
|
||||
# given. Notice that no white space is permitted between "!" and the
|
||||
# address/subnet.
|
||||
#
|
||||
#------------------------------------------------------------------------------
|
||||
# WARNING: If you masquerade or use SNAT from a local system to the internet,
|
||||
# you cannot use an ACCEPT rule to allow traffic from the internet to
|
||||
# that system. You *must* use a DNAT rule instead.
|
||||
#-------------------------------------------------------------------------------#
|
||||
# Columns are:
|
||||
#
|
||||
#
|
||||
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
|
||||
# LOG or an <action>.
|
||||
# LOG, QUEUE or an <action>.
|
||||
#
|
||||
# ACCEPT -- allow the connection request
|
||||
# ACCEPT+ -- like ACCEPT but also excludes the
|
||||
# connection from any subsequent
|
||||
# DNAT[-] or REDIRECT[-] rules
|
||||
# NONAT -- Excludes the connection from any
|
||||
# subsequent DNAT[-] or REDIRECT[-]
|
||||
# rules but doesn't generate a rule
|
||||
# to accept the traffic.
|
||||
# DROP -- ignore the request
|
||||
# REJECT -- disallow the request and return an
|
||||
# icmp-unreachable or an RST packet.
|
||||
@ -36,6 +49,7 @@
|
||||
# Like REDIRET but only generates the
|
||||
# REDIRECT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
#
|
||||
# CONTINUE -- (For experts only). Do not process
|
||||
# any of the following rules for this
|
||||
# (source zone,destination zone). If
|
||||
@ -47,38 +61,31 @@
|
||||
# (those) zone(s).
|
||||
# LOG -- Simply log the packet and continue.
|
||||
# QUEUE -- Queue the packet to a user-space
|
||||
# application such as p2pwall.
|
||||
# application such as ftwall
|
||||
# (http://p2pwall.sf.net).
|
||||
# <action> -- The name of an action defined in
|
||||
# /etc/shorewall/actions.
|
||||
# /etc/shorewall/actions or in
|
||||
# /usr/share/shorewall/actions.std.
|
||||
#
|
||||
# You may rate-limit the rule by optionally
|
||||
# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
|
||||
#
|
||||
# < <rate>/<interval>[:<burst>] >
|
||||
#
|
||||
# where <rate> is the number of connections per
|
||||
# <interval> ("sec" or "min") and <burst> is the
|
||||
# largest burst permitted. If no <burst> is given,
|
||||
# a value of 5 is assumed. There may be no
|
||||
# no whitespace embedded in the specification.
|
||||
#
|
||||
# Example: ACCEPT<10/sec:20>
|
||||
#
|
||||
# The ACTION (and rate limit) may optionally be followed
|
||||
# The ACTION may optionally be followed
|
||||
# by ":" and a syslog log level (e.g, REJECT:info or
|
||||
# DNAT<4/sec:8>:debugging). This causes the packet to be
|
||||
# DNAT:debug). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# NOTE: For those of you who prefer to place the
|
||||
# rate limit in a separate column, see the RATE LIMIT
|
||||
# column below. If you specify a value in that column,
|
||||
# you must not include a rate limit in the ACTION column
|
||||
#
|
||||
# You may also specify ULOG (must be in upper case) as a
|
||||
# log level.This will log to the ULOG target for routing
|
||||
# to a separate log through use of ulogd
|
||||
# (http://www.gnumonks.org/projects/ulogd).
|
||||
#
|
||||
# Actions specifying logging may be followed by a
|
||||
# log tag (a string of alphanumeric characters)
|
||||
# are appended to the string generated by the
|
||||
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
|
||||
#
|
||||
# Example: ACCEPT:info:ftp would include 'ftp '
|
||||
# at the end of the log prefix generated by the
|
||||
# LOGPREFIX setting.
|
||||
#
|
||||
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||
# defined in /etc/shorewall/zones, $FW to indicate the
|
||||
# firewall itself, or "all" If the ACTION is DNAT or
|
||||
@ -86,6 +93,10 @@
|
||||
# excluded from the rule by following the zone name with
|
||||
# "!' and a comma-separated list of sub-zone names.
|
||||
#
|
||||
# When "all" is used either in the SOURCE or DEST column
|
||||
# intra-zone traffic is not affected. You must add
|
||||
# separate rules to handle that traffic.
|
||||
#
|
||||
# Except when "all" is specified, clients may be further
|
||||
# restricted to a list of subnets and/or hosts by
|
||||
# appending ":" and a comma-separated list of subnets
|
||||
@ -116,6 +127,10 @@
|
||||
# /etc/shorewall/zones, $FW to indicate the firewall
|
||||
# itself or "all"
|
||||
#
|
||||
# When "all" is used either in the SOURCE or DEST column
|
||||
# intra-zone traffic is not affected. You must add
|
||||
# separate rules to handle that traffic.
|
||||
#
|
||||
# Except when "all" is specified, the server may be
|
||||
# further restricted to a particular subnet, host or
|
||||
# interface by appending ":" and the subnet, host or
|
||||
@ -180,8 +195,8 @@
|
||||
# ranges.
|
||||
#
|
||||
# If you don't want to restrict client ports but need to
|
||||
# specify an ADDRESS in the next column, then place "-"
|
||||
# in this column.
|
||||
# specify an ORIGINAL DEST in the next column, then
|
||||
# place "-" in this column.
|
||||
#
|
||||
# If your kernel contains multi-port match support, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
@ -229,25 +244,25 @@
|
||||
#
|
||||
# Example: 10/sec:20
|
||||
#
|
||||
# If you place a rate limit in this column, you may not
|
||||
# place a similar limit in the ACTION column.
|
||||
#
|
||||
# USER SET This column may only be non-empty if the SOURCE is
|
||||
# the firewall itself and the ACTION is ACCEPT, DROP or
|
||||
# REJECT.
|
||||
# USER/GROUP This column may only be non-empty if the SOURCE is
|
||||
# the firewall itself.
|
||||
#
|
||||
# The column may contain a user set name defined in the
|
||||
# /etc/shorewall/usersets file or it may contain:
|
||||
# The column may contain:
|
||||
#
|
||||
# [<user name or number>]:[<group name or number>]
|
||||
# [!][<user name or number>][:<group name or number>]
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
# the effective <user>(s) and/or <group>(s) specified.
|
||||
# When a user set name is given, a log level may not be
|
||||
# present in the ACTION column; logging for such rules is
|
||||
# controlled by the user set's entry in
|
||||
# /etc/shorewall/usersets.
|
||||
# the effective <user> and/or <group> specified (or is
|
||||
# NOT running under that id if "!" is given).
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# joe #program must be run by joe
|
||||
# :kids #program must be run by a member of
|
||||
# #the 'kids' group
|
||||
# !:kids #program must not be run by a member
|
||||
# #of the 'kids' group
|
||||
#
|
||||
# Example: Accept SMTP requests from the DMZ to the internet
|
||||
#
|
||||
@ -293,6 +308,6 @@
|
||||
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
|
||||
# tcp 22
|
||||
####################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
423
STABLE/shorewall
423
STABLE/shorewall
@ -1,11 +1,10 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall Packet Filtering Firewall Control Program - V1.4 - 3/14/2003
|
||||
# Shorewall Packet Filtering Firewall Control Program - V2.0 - 3/14/2004
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# This file should be placed in /sbin/shorewall.
|
||||
#
|
||||
@ -77,10 +76,17 @@
|
||||
# listed address(es)
|
||||
# shorewall allow <address> ... Reenable address(es) previously
|
||||
# disabled with "drop" or "reject"
|
||||
# shorewall save Save the list of "rejected" and
|
||||
# shorewall save [ <file> ] Save the list of "rejected" and
|
||||
# "dropped" addresses so that it will
|
||||
# be automatically reinstated the
|
||||
# next time that Shorewall starts.
|
||||
# Save the current state so that 'shorewall
|
||||
# restore' can be used.
|
||||
#
|
||||
# shorewall forget [ <file> ] Discard the data saved by 'shorewall save'
|
||||
#
|
||||
# shorewall restore [ <file> ] Restore the state of the firewall from
|
||||
# previously saved information.
|
||||
#
|
||||
# shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ]
|
||||
#
|
||||
@ -128,6 +134,19 @@ showchain() # $1 = name of chain
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Validate the value of RESTOREFILE
|
||||
#
|
||||
validate_restorefile() # $* = label
|
||||
{
|
||||
case $RESTOREFILE in
|
||||
*/*)
|
||||
echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2
|
||||
exit 2
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
# Set the configuration variables from shorewall.conf
|
||||
#
|
||||
@ -157,10 +176,17 @@ get_config() {
|
||||
|
||||
if [ -n "$SHOREWALL_SHELL" ]; then
|
||||
if [ ! -e "$SHOREWALL_SHELL" ]; then
|
||||
echo "The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
|
||||
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
[ -n "$RESTOREFILE" ] || RESTOREFILE=restore
|
||||
|
||||
validate_restorefile RESTOREFILE
|
||||
|
||||
export RESTOREFILE
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
@ -169,7 +195,7 @@ get_config() {
|
||||
#
|
||||
display_chains()
|
||||
{
|
||||
trap "rm -f $TMPFILE; exit 1" 1 2 3 4 5 6 9
|
||||
trap "rm -f $tmpfile; exit 1" 1 2 3 4 5 6 9
|
||||
|
||||
if [ "$haveawk" = "Yes" ]; then
|
||||
#
|
||||
@ -177,13 +203,12 @@ display_chains()
|
||||
# the output in a variable.
|
||||
#
|
||||
TMPFILE=$(mktempfile)
|
||||
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
|
||||
|
||||
[ -n "$TMPFILE" ] || { echo "Cannot create a temporary file" >&2; exit 2; }
|
||||
|
||||
iptables -L -n -v >> $TMPFILE
|
||||
iptables -L $IPT_OPTIONS >> $TMPFILE
|
||||
|
||||
clear
|
||||
echo "$banner `date`"
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo "Standard Chains"
|
||||
echo
|
||||
@ -195,13 +220,13 @@ display_chains()
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo "$banner `date`"
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
echo "Input Chains"
|
||||
echo
|
||||
|
||||
chains=`grep '^Chain.*_[in|fwd]' $TMPFILE | cut -d' ' -f 2`
|
||||
chains=$(grep '^Chain.*_[in|fwd]' $TMPFILE | cut -d' ' -f 2)
|
||||
|
||||
for chain in $chains; do
|
||||
showchain $chain
|
||||
@ -211,9 +236,9 @@ display_chains()
|
||||
|
||||
for zone in $zones; do
|
||||
|
||||
if [ -n "`grep "^Chain \.*${zone}" $TMPFILE`" ] ; then
|
||||
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
|
||||
clear
|
||||
echo "$banner `date`"
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
eval display=\$${zone}_display
|
||||
@ -232,7 +257,7 @@ display_chains()
|
||||
done
|
||||
|
||||
clear
|
||||
echo "$banner `date`"
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
echo "Policy Chains"
|
||||
@ -253,7 +278,7 @@ display_chains()
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo "$banner `date`"
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
echo "Dynamic Chain"
|
||||
@ -294,7 +319,7 @@ packet_log() # $1 = number of messages
|
||||
sed s/" kernel:"// | \
|
||||
sed s/" $host $LOGFORMAT"/" "/ | \
|
||||
sed s/" $host kernel: ipt_unclean: "/" "/ | \
|
||||
sed 's/MAC=.*SRC=/SRC=/' | \
|
||||
sed 's/MAC=.* SRC=/SRC=/' | \
|
||||
tail $options
|
||||
}
|
||||
|
||||
@ -305,7 +330,7 @@ show_tc() {
|
||||
|
||||
show_one_tc() {
|
||||
local device=${1%@*}
|
||||
qdisc=`tc qdisc list dev $device`
|
||||
qdisc=$(tc qdisc list dev $device)
|
||||
|
||||
if [ -n "$qdisc" ]; then
|
||||
echo Device $device:
|
||||
@ -335,7 +360,7 @@ show_classifiers() {
|
||||
|
||||
show_one_classifier() {
|
||||
local device=${1%@*}
|
||||
qdisc=`tc qdisc list dev $device`
|
||||
qdisc=$(tc qdisc list dev $device)
|
||||
|
||||
if [ -n "$qdisc" ]; then
|
||||
echo Device $device:
|
||||
@ -364,8 +389,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
{
|
||||
|
||||
get_config
|
||||
host=`echo $HOSTNAME | sed 's/\..*$//'`
|
||||
oldrejects=`iptables -L -v -n | grep 'LOG'`
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
oldrejects=$(iptables -L -v -n | grep 'LOG')
|
||||
|
||||
if [ $1 -lt 0 ]; then
|
||||
let "timeout=- $1"
|
||||
@ -378,7 +403,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
if qt which awk; then
|
||||
TMP_DIR=$(mktempdir)
|
||||
[ -n "$TMP_DIR" ] || { echo "Unable to create a temporary directory" >&2; exit 2; }
|
||||
[ -n "$TMP_DIR" ] || { echo " ERROR:Cannot create temporary directory" >&2; exit 1; }
|
||||
haveawk=Yes
|
||||
determine_zones
|
||||
rm -rf $TMP_DIR
|
||||
@ -390,7 +415,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
display_chains
|
||||
|
||||
clear
|
||||
echo "$banner `date`"
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
|
||||
echo "Dropped/Rejected Packet Log"
|
||||
@ -398,7 +423,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
show_reset
|
||||
|
||||
rejects=`iptables -L -v -n | grep 'LOG'`
|
||||
rejects=$(iptables -L -v -n | grep 'LOG')
|
||||
|
||||
if [ "$rejects" != "$oldrejects" ]; then
|
||||
oldrejects="$rejects"
|
||||
@ -421,24 +446,24 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
fi
|
||||
|
||||
clear
|
||||
echo "$banner `date`"
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo "NAT Status"
|
||||
echo
|
||||
iptables -t nat -L -n -v
|
||||
iptables -t nat -L $IPT_OPTIONS
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo "$banner `date`"
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
echo "TOS/MARK Status"
|
||||
echo
|
||||
iptables -t mangle -L -n -v
|
||||
iptables -t mangle -L $IPT_OPTIONS
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo "$banner `date`"
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
echo "Tracked Connections"
|
||||
@ -447,7 +472,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo "$banner `date`"
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
echo "Traffic Shaping/Control"
|
||||
@ -456,7 +481,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo "$banner `date`"
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
echo "Packet Classifiers"
|
||||
@ -474,8 +499,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
{
|
||||
|
||||
get_config
|
||||
host=`echo $HOSTNAME | sed 's/\..*$//'`
|
||||
oldrejects=`iptables -L -v -n | grep 'LOG'`
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
oldrejects=$(iptables -L -v -n | grep 'LOG')
|
||||
|
||||
if [ $1 -lt 0 ]; then
|
||||
timeout=$((- $1))
|
||||
@ -489,7 +514,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
while true; do
|
||||
clear
|
||||
echo "$banner `date`"
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
|
||||
echo "Dropped/Rejected Packet Log"
|
||||
@ -497,7 +522,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
show_reset
|
||||
|
||||
rejects=`iptables -L -v -n | grep 'LOG'`
|
||||
rejects=$(iptables -L -v -n | grep 'LOG')
|
||||
|
||||
if [ "$rejects" != "$oldrejects" ]; then
|
||||
oldrejects="$rejects"
|
||||
@ -535,7 +560,7 @@ help()
|
||||
#
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>"
|
||||
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
|
||||
echo "where <command> is one of:"
|
||||
echo " add <interface>[:<host>] <zone>"
|
||||
echo " allow <address> ..."
|
||||
@ -543,6 +568,7 @@ usage() # $1 = exit status
|
||||
echo " clear"
|
||||
echo " delete <interface>[:<host>] <zone>"
|
||||
echo " drop <address> ..."
|
||||
echo " forget [ <file name> ]"
|
||||
echo " help [ <command > | host | address ]"
|
||||
echo " hits"
|
||||
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
|
||||
@ -553,7 +579,8 @@ usage() # $1 = exit status
|
||||
echo " reject <address> ..."
|
||||
echo " reset"
|
||||
echo " restart"
|
||||
echo " save"
|
||||
echo " restore [ <file name> ]"
|
||||
echo " save [ <file name> ]"
|
||||
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
|
||||
echo " start"
|
||||
echo " stop"
|
||||
@ -568,16 +595,20 @@ usage() # $1 = exit status
|
||||
#
|
||||
show_reset() {
|
||||
[ -f $STATEDIR/restarted ] && \
|
||||
echo "Counters reset `cat $STATEDIR/restarted`" && \
|
||||
echo "Counters reset $(cat $STATEDIR/restarted)" && \
|
||||
echo
|
||||
}
|
||||
|
||||
show_proc() {
|
||||
[ -f $1 ] && echo " $1 = $(cat $1)"
|
||||
}
|
||||
|
||||
#
|
||||
# Execution begins here
|
||||
#
|
||||
debugging=
|
||||
|
||||
if [ $# -gt 0 ] && [ "$1" = "debug" ]; then
|
||||
if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then
|
||||
debugging=debug
|
||||
shift
|
||||
fi
|
||||
@ -590,29 +621,60 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
|
||||
fi
|
||||
|
||||
SHOREWALL_DIR=
|
||||
QUIET=
|
||||
IPT_OPTIONS="-nv"
|
||||
FAST=
|
||||
|
||||
done=0
|
||||
|
||||
while [ $done -eq 0 ]; do
|
||||
[ $# -eq 0 ] && usage 1
|
||||
case $1 in
|
||||
-c)
|
||||
[ $# -eq 1 ] && usage 1
|
||||
option=$1
|
||||
case $option in
|
||||
-*)
|
||||
option=${option#-}
|
||||
|
||||
if [ ! -d $2 ]; then
|
||||
if [ -e $2 ]; then
|
||||
echo "$2 is not a directory" >&2 && exit 2
|
||||
else
|
||||
echo "Directory $2 does not exist" >&2 && exit 2
|
||||
fi
|
||||
fi
|
||||
[ -z "$option" ] && usage 1
|
||||
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
c)
|
||||
[ $# -eq 1 ] && usage 1
|
||||
|
||||
SHOREWALL_DIR=$2
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
done=1
|
||||
;;
|
||||
if [ ! -d $2 ]; then
|
||||
if [ -e $2 ]; then
|
||||
echo "$2 is not a directory" >&2 && exit 2
|
||||
else
|
||||
echo "Directory $2 does not exist" >&2 && exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
SHOREWALL_DIR=$2
|
||||
option=
|
||||
shift
|
||||
;;
|
||||
x*)
|
||||
IPT_OPTIONS="-xnv"
|
||||
option=${option#x}
|
||||
;;
|
||||
q*)
|
||||
QUIET=Yes
|
||||
option=${option#q}
|
||||
;;
|
||||
f*)
|
||||
FAST=Yes
|
||||
option=${option#f}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
done=1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
@ -621,6 +683,7 @@ if [ $# -eq 0 ]; then
|
||||
fi
|
||||
|
||||
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
|
||||
[ -n "$QUIET" ] && export QUIET
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
MUTEX_TIMEOUT=
|
||||
@ -638,15 +701,26 @@ else
|
||||
exit 2
|
||||
fi
|
||||
|
||||
config=`find_file shorewall.conf`
|
||||
ensure_config_path
|
||||
|
||||
config=$(find_file shorewall.conf)
|
||||
|
||||
if [ -f $config ]; then
|
||||
. $config
|
||||
if [ -r $config ]; then
|
||||
. $config
|
||||
else
|
||||
echo "Cannot read $config! (Hint: Are you root?)" >&2
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo "$config does not exist!" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
ensure_config_path
|
||||
|
||||
export CONFIG_PATH
|
||||
|
||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||
|
||||
if [ ! -f $FIREWALL ]; then
|
||||
@ -662,7 +736,7 @@ if [ ! -f $FIREWALL ]; then
|
||||
fi
|
||||
|
||||
if [ -f $VERSION_FILE ]; then
|
||||
version=`cat $VERSION_FILE`
|
||||
version=$(cat $VERSION_FILE)
|
||||
else
|
||||
echo "ERROR: Shorewall is not properly installed"
|
||||
echo " The file $VERSION_FILE does not exist"
|
||||
@ -671,8 +745,7 @@ fi
|
||||
|
||||
banner="Shorewall-$version Status at $HOSTNAME -"
|
||||
|
||||
|
||||
case `echo -e` in
|
||||
case $(echo -e) in
|
||||
-e*)
|
||||
RING_BELL="echo \a"
|
||||
;;
|
||||
@ -681,7 +754,7 @@ case `echo -e` in
|
||||
;;
|
||||
esac
|
||||
|
||||
case `echo -n "Testing"` in
|
||||
case $(echo -n "Testing") in
|
||||
-n*)
|
||||
ECHO_N=
|
||||
;;
|
||||
@ -691,7 +764,26 @@ case `echo -n "Testing"` in
|
||||
esac
|
||||
|
||||
case "$1" in
|
||||
start|stop|restart|reset|clear|refresh|check)
|
||||
start)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
get_config
|
||||
if [ -n "$FAST" ]; then
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
echo Restoring Shorewall...
|
||||
$RESTOREPATH
|
||||
date > $STATEDIR/restarted
|
||||
echo Shorewall restored from $RESTOREPATH
|
||||
else
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
|
||||
fi
|
||||
else
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
|
||||
fi
|
||||
;;
|
||||
stop|restart|reset|clear|refresh|check)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
get_config
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
||||
@ -702,65 +794,67 @@ case "$1" in
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
|
||||
;;
|
||||
show|list)
|
||||
[ -n "$debugging" ] && set -x
|
||||
case "$2" in
|
||||
connections)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
echo "Shorewall-$version Connections at $HOSTNAME - `date`"
|
||||
echo "Shorewall-$version Connections at $HOSTNAME - $(date)"
|
||||
echo
|
||||
cat /proc/net/ip_conntrack
|
||||
;;
|
||||
nat)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
echo "Shorewall-$version NAT at $HOSTNAME - `date`"
|
||||
echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
iptables -t nat -L -n -v
|
||||
iptables -t nat -L $IPT_OPTIONS
|
||||
;;
|
||||
tos|mangle)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
echo "Shorewall-$version TOS at $HOSTNAME - `date`"
|
||||
echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
iptables -t mangle -L -n -v
|
||||
iptables -t mangle -L $IPT_OPTIONS
|
||||
;;
|
||||
log)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
get_config
|
||||
echo "Shorewall-$version Log at $HOSTNAME - `date`"
|
||||
echo "Shorewall-$version Log at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
host=`echo $HOSTNAME | sed 's/\..*$//'`
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
packet_log 20
|
||||
;;
|
||||
tc)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
echo "Shorewall-$version Traffic Control at $HOSTNAME - `date`"
|
||||
echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_tc
|
||||
;;
|
||||
classifiers)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`"
|
||||
echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_classifiers
|
||||
;;
|
||||
*)
|
||||
shift
|
||||
|
||||
echo "Shorewall-$version `[ $# -gt 1 ] && echo Chains || echo Chain` $* at $HOSTNAME - `date`"
|
||||
echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
if [ $# -gt 0 ]; then
|
||||
for chain in $*; do
|
||||
iptables -L $chain -n -v
|
||||
iptables -L $chain $IPT_OPTIONS
|
||||
done
|
||||
else
|
||||
iptables -L -n -v
|
||||
iptables -L $IPT_OPTIONS
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
monitor)
|
||||
[ -n "$debugging" ] && set -x
|
||||
if [ $# -eq 2 ]; then
|
||||
monitor_firewall $2
|
||||
elif [ $# -eq 1 ]; then
|
||||
@ -770,37 +864,74 @@ case "$1" in
|
||||
fi
|
||||
;;
|
||||
status)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] || usage 1
|
||||
get_config
|
||||
clear
|
||||
echo "Shorewall-$version Status at $HOSTNAME - `date`"
|
||||
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
host=`echo $HOSTNAME | sed 's/\..*$//'`
|
||||
iptables -L -n -v
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
iptables -L $IPT_OPTIONS
|
||||
echo
|
||||
packet_log 20
|
||||
echo
|
||||
echo "NAT Table"
|
||||
echo
|
||||
iptables -t nat -L -n -v
|
||||
iptables -t nat -L $IPT_OPTIONS
|
||||
echo
|
||||
echo "Mangle Table"
|
||||
echo
|
||||
iptables -t mangle -L -n -v
|
||||
iptables -t mangle -L $IPT_OPTIONS
|
||||
echo
|
||||
cat /proc/net/ip_conntrack
|
||||
echo
|
||||
echo "IP Configuration"
|
||||
echo
|
||||
ip addr ls
|
||||
|
||||
if qt which brctl; then
|
||||
echo
|
||||
echo "Bridges"
|
||||
echo
|
||||
brctl show
|
||||
fi
|
||||
|
||||
echo
|
||||
echo "/proc"
|
||||
echo
|
||||
|
||||
show_proc /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
for directory in /proc/sys/net/ipv4/conf/*; do
|
||||
for file in proxy_arp arp_filter rp_filter; do
|
||||
show_proc $directory/$file
|
||||
done
|
||||
done
|
||||
|
||||
echo
|
||||
echo "Routing Rules"
|
||||
echo
|
||||
ip rule ls
|
||||
ip rule ls | while read rule; do
|
||||
table=${rule##* }
|
||||
echo
|
||||
echo "Table $table:"
|
||||
echo
|
||||
ip route ls table $table
|
||||
done
|
||||
;;
|
||||
hits)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] || usage 1
|
||||
get_config
|
||||
clear
|
||||
echo "Shorewall-$version Hits at $HOSTNAME - `date`"
|
||||
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
|
||||
echo
|
||||
|
||||
timeout=30
|
||||
|
||||
if [ `grep -c "$LOGFORMAT" $LOGFILE ` -gt 0 ] ; then
|
||||
if [ $(grep -c "$LOGFORMAT" $LOGFILE ) -gt 0 ] ; then
|
||||
echo " HITS IP DATE"
|
||||
echo " ---- --------------- ------"
|
||||
grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn
|
||||
@ -823,8 +954,8 @@ case "$1" in
|
||||
grep "$LOGFORMAT.*DPT" $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
|
||||
while read count port ; do
|
||||
# List all services defined for the given port
|
||||
srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u`
|
||||
srv=`echo $srv | sed 's/ /,/g'`
|
||||
srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u)
|
||||
srv=$(echo $srv | sed 's/ /,/g')
|
||||
|
||||
if [ -n "$srv" ] ; then
|
||||
printf '%7d %5d %s\n' $count $port $srv
|
||||
@ -852,6 +983,7 @@ case "$1" in
|
||||
fi
|
||||
;;
|
||||
logwatch)
|
||||
[ -n "$debugging" ] && set -x
|
||||
if [ $# -eq 2 ]; then
|
||||
logwatch $2
|
||||
elif [ $# -eq 1 ]; then
|
||||
@ -861,6 +993,7 @@ case "$1" in
|
||||
fi
|
||||
;;
|
||||
drop)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] && usage 1
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
@ -873,6 +1006,7 @@ case "$1" in
|
||||
mutex_off
|
||||
;;
|
||||
reject)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] && usage 1
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
@ -885,6 +1019,7 @@ case "$1" in
|
||||
mutex_off
|
||||
;;
|
||||
allow)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] && usage 1
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
@ -898,28 +1033,98 @@ case "$1" in
|
||||
mutex_off
|
||||
;;
|
||||
save)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
mutex_on
|
||||
if qt iptables -L shorewall -n; then
|
||||
[ -d /var/lib/shorewall ] || { mkdir /var/lib/shorewall; chmod 700 /var/lib/shorewall; }
|
||||
[ -n "$debugging" ] && set -x
|
||||
|
||||
if iptables -L dynamic -n > /var/lib/shorewall/save; then
|
||||
echo "Dynamic Rules Saved"
|
||||
get_config
|
||||
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
2)
|
||||
RESTOREFILE="$2"
|
||||
validate_restorefile '<restore file>'
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
mutex_on
|
||||
|
||||
if qt iptables -L shorewall -n; then
|
||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||
|
||||
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
|
||||
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
|
||||
else
|
||||
echo "Error Saving the Dynamic Rules"
|
||||
case $RESTOREFILE in
|
||||
save|restore-base)
|
||||
echo " ERROR: Reserved file name: $RESTOREFILE"
|
||||
;;
|
||||
*)
|
||||
if iptables -L dynamic -n > /var/lib/shorewall/save; then
|
||||
echo " Dynamic Rules Saved"
|
||||
if [ -f /var/lib/shorewall/restore-base ]; then
|
||||
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
|
||||
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
|
||||
echo __EOF__ >> /var/lib/shorewall/restore-$$
|
||||
[ -f /var/lib/shorewall/restore-tail ] && \
|
||||
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
|
||||
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
|
||||
chmod +x $RESTOREPATH
|
||||
echo " Currently-running Configuration Saved to $RESTOREPATH"
|
||||
else
|
||||
rm -f /var/lib/shorewall/restore-$$
|
||||
echo " ERROR: Currently-running Configuration Not Saved"
|
||||
fi
|
||||
else
|
||||
echo " ERROR: /var/lib/shorewall/restore-base does not exist"
|
||||
fi
|
||||
else
|
||||
echo "Error Saving the Dynamic Rules"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
else
|
||||
echo "Shorewall isn't started"
|
||||
fi
|
||||
mutex_off
|
||||
;;
|
||||
forget)
|
||||
get_config
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
2)
|
||||
RESTOREFILE="$2"
|
||||
validate_restorefile '<restore file>'
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
rm -f $RESTOREPATH
|
||||
echo " $RESTOREPATH removed"
|
||||
elif [ -f $RESTOREPATH ]; then
|
||||
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
|
||||
fi
|
||||
;;
|
||||
ipcalc)
|
||||
[ -n "$debugging" ] && set -x
|
||||
if [ $# -eq 2 ]; then
|
||||
address=${2%/*}
|
||||
vlsm=${2#*/}
|
||||
elif [ $# -eq 3 ]; then
|
||||
address=$2
|
||||
vlsm=`ip_vlsm $3`
|
||||
vlsm=$(ip_vlsm $3)
|
||||
else
|
||||
usage 1
|
||||
fi
|
||||
@ -930,13 +1135,14 @@ case "$1" in
|
||||
|
||||
address=$address/$vlsm
|
||||
|
||||
echo " CIDR=$address"
|
||||
temp=`ip_netmask $address`; echo " NETMASK=`encodeaddr $temp`"
|
||||
temp=`ip_network $address`; echo " NETWORK=$temp"
|
||||
temp=`broadcastaddress $address`; echo " BROADCAST=$temp"
|
||||
echo " CIDR=$address"
|
||||
temp=$(ip_netmask $address); echo " NETMASK=$(encodeaddr $temp)"
|
||||
temp=$(ip_network $address); echo " NETWORK=$temp"
|
||||
temp=$(broadcastaddress $address); echo " BROADCAST=$temp"
|
||||
;;
|
||||
|
||||
iprange)
|
||||
[ -n "$debugging" ] && set -x
|
||||
case $2 in
|
||||
*.*.*.*-*.*.*.*)
|
||||
ip_range $2
|
||||
@ -946,7 +1152,32 @@ case "$1" in
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
restore)
|
||||
get_config
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
2)
|
||||
RESTOREFILE="$2"
|
||||
validate_restorefile '<restore file>'
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
echo Restoring Shorewall...
|
||||
$RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
|
||||
else
|
||||
echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
|
||||
exit 2
|
||||
fi
|
||||
;;
|
||||
call)
|
||||
[ -n "$debugging" ] && set -x
|
||||
#
|
||||
# Undocumented way to call functions in /usr/share/shorewall/functions directly
|
||||
#
|
||||
|
@ -1,12 +1,12 @@
|
||||
##############################################################################
|
||||
# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
|
||||
# /etc/shorewall/shorewall.conf V2.0 - Change the following variables to
|
||||
# match your setup
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# This file should be placed in /etc/shorewall
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
##############################################################################
|
||||
# L O G G I N G
|
||||
##############################################################################
|
||||
@ -32,7 +32,7 @@
|
||||
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
|
||||
# number.
|
||||
#
|
||||
# If you have build your kernel with ULOG target support, you may also
|
||||
# If you have built your kernel with ULOG target support, you may also
|
||||
# specify a log level of ULOG (must be all caps). Rather than log its
|
||||
# messages to syslogd, Shorewall will direct netfilter to log the messages
|
||||
# via the ULOG target which will send them to a process called 'ulogd'.
|
||||
@ -90,34 +90,26 @@ LOGFORMAT="Shorewall:%s:%s:"
|
||||
# maximum initial burst size that will be logged. If set empty, the default
|
||||
# value of 5 will be used.
|
||||
#
|
||||
# If BOTH variables are set empty then logging will not be rate-limited.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# LOGRATE=10/minute
|
||||
# LOGBURST=5
|
||||
#
|
||||
# If BOTH variables are set empty then logging will not be rate-limited.
|
||||
# For each logging rule, the first time the rule is reached, the packet
|
||||
# will be logged; in fact, since the burst is 5, the first five packets
|
||||
# will be logged. After this, it will be 6 seconds (1 minute divided by
|
||||
# the rate of 10) before a message will be logged from the rule, regardless
|
||||
# of how many packets reach it. Also, every 6 seconds which passes without
|
||||
# matching a packet, one of the bursts will be regained; if no packets hit
|
||||
# the rule for 30 seconds, the burst will be fully recharged; back where
|
||||
# we started.
|
||||
#
|
||||
|
||||
LOGRATE=
|
||||
LOGBURST=
|
||||
|
||||
#
|
||||
# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
|
||||
#
|
||||
# This variable determines the level at which Mangled/Invalid packets are logged
|
||||
# under the 'dropunclean' interface option. If you set this variable to an
|
||||
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
|
||||
# silently.
|
||||
#
|
||||
# The value of this variable also determines the level at which Mangled/Invalid
|
||||
# packets are logged under the 'logunclean' interface option. If the variable
|
||||
# is empty, these packets will still be logged at the 'info' level.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
|
||||
LOGUNCLEAN=info
|
||||
|
||||
#
|
||||
# BLACKLIST LOG LEVEL
|
||||
#
|
||||
@ -182,6 +174,33 @@ TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
RFC1918_LOG_LEVEL=info
|
||||
|
||||
#
|
||||
# SMURF Log Level
|
||||
#
|
||||
# Specifies the logging level for smurf packets dropped by the
|
||||
#'nosmurfs' interface option in /etc/shorewall/interfaces and in
|
||||
# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""
|
||||
# ) then dropped smurfs are not logged.
|
||||
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
|
||||
SMURF_LOG_LEVEL=info
|
||||
|
||||
#
|
||||
# BOGON Log Level
|
||||
#
|
||||
# Specifies the logging level for bogon packets dropped by the
|
||||
#'nobogons' interface option in /etc/shorewall/interfaces and in
|
||||
# /etc/shorewall/hosts. If set to the empty value
|
||||
# ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop'
|
||||
# in /usr/share/shorewall/bogons are logged at the 'info' level.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
|
||||
BOGON_LOG_LEVEL=info
|
||||
################################################################################
|
||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||
################################################################################
|
||||
@ -226,6 +245,37 @@ STATEDIR=/var/lib/shorewall
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
#
|
||||
# CONFIGURATION SEARCH PATH
|
||||
#
|
||||
# This option holds a list of directory names separated by colons
|
||||
# (":"). Shorewall will search each directory in turn when looking for a
|
||||
# configuration file. When processing a 'try' command or a command
|
||||
# containing the "-c" option, Shorewall will automatically add the
|
||||
# directory specified in the command to the front of this list.
|
||||
#
|
||||
# If not specified or specified as null ("CONFIG_PATH=""),
|
||||
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
|
||||
|
||||
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
|
||||
|
||||
#
|
||||
# RESTORE SCRIPT
|
||||
#
|
||||
# This option determines the script to be run in the following cases:
|
||||
#
|
||||
# shorewall -f start
|
||||
# shorewall restore
|
||||
# shorewall save
|
||||
# shorewall forget
|
||||
# Failure of shorewall start or shorewall restart
|
||||
#
|
||||
# The value of the option must be the name of an executable file in the
|
||||
# directory /var/lib/shorewall. If this option is not set or if it is
|
||||
# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
|
||||
# assumed.
|
||||
|
||||
RESTOREFILE=
|
||||
################################################################################
|
||||
# F I R E W A L L O P T I O N S
|
||||
################################################################################
|
||||
@ -275,9 +325,8 @@ ADD_SNAT_ALIASES=No
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
|
||||
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
|
||||
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
|
||||
# you must enable packet mangling above.
|
||||
#
|
||||
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities).
|
||||
|
||||
TC_ENABLED=No
|
||||
|
||||
#
|
||||
@ -358,16 +407,6 @@ CLAMPMSS=No
|
||||
|
||||
ROUTE_FILTER=No
|
||||
|
||||
#
|
||||
# NAT BEFORE RULES
|
||||
#
|
||||
# Shorewall has traditionally processed static NAT rules before port forwarding
|
||||
# rules. If you would like to reverse the order, set this variable to "No".
|
||||
#
|
||||
# If this variable is not set or is set to the empty value, "Yes" is assumed.
|
||||
|
||||
NAT_BEFORE_RULES=Yes
|
||||
|
||||
# DNAT IP ADDRESS DETECTION
|
||||
#
|
||||
# Normally when Shorewall encounters the following rule:
|
||||
@ -430,12 +469,12 @@ MUTEX_TIMEOUT=60
|
||||
# A packet is said to be NEW if it is not part of or related to an already
|
||||
# established connection.
|
||||
#
|
||||
# The NETNOTSYN option determines the handling of non-SYN packets (those with
|
||||
# The NEWNOTSYN option determines the handling of non-SYN packets (those with
|
||||
# SYN off or with ACK or RST on) that are not associated with an already
|
||||
# established connection.
|
||||
#
|
||||
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
|
||||
# part of an already established connection, it will be dropped by the
|
||||
# part of an already established connection will be dropped by the
|
||||
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
|
||||
# logged before they are dropped.
|
||||
#
|
||||
@ -447,7 +486,9 @@ MUTEX_TIMEOUT=60
|
||||
# also need to select NEWNOTSYN=Yes.
|
||||
#
|
||||
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
|
||||
# using the 'newnotsyn' option in /etc/shorewall/interfaces.
|
||||
# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
|
||||
# network or host basis using the same option in /etc/shorewall/hosts.
|
||||
|
||||
#
|
||||
# I find that NEWNOTSYN=No tends to result in lots of "stuck"
|
||||
# connections because any network timeout during TCP session tear down
|
||||
@ -513,9 +554,9 @@ BLACKLISTNEWONLY=Yes
|
||||
#
|
||||
# When loading a module named in /etc/shorewall/modules, Shorewall normally
|
||||
# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
|
||||
# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different
|
||||
# naming convention then you can specify the suffix (extension) for module
|
||||
# names in this variable.
|
||||
# end in ".o", ".ko", ".gz", "o.gz" or "ko.gz" . If your distribution uses a
|
||||
# different naming convention then you can specify the suffix (extension) for
|
||||
# module names in this variable.
|
||||
#
|
||||
# To see what suffix is used by your distribution:
|
||||
#
|
||||
@ -532,6 +573,88 @@ BLACKLISTNEWONLY=Yes
|
||||
|
||||
MODULE_SUFFIX=
|
||||
|
||||
#
|
||||
# DISABLE IPV6
|
||||
#
|
||||
# Distributions (notably SuSE) are beginning to ship with IPV6
|
||||
# enabled. If you are not using IPV6, you are at risk of being
|
||||
# exploited by users who do. Setting DISABLE_IPV6=Yes will cause
|
||||
# Shorewall to disable IPV6 traffic to/from and through your
|
||||
# firewall system. This requires that you have ip6tables installed.
|
||||
|
||||
DISABLE_IPV6=Yes
|
||||
|
||||
#
|
||||
# BRIDGING
|
||||
#
|
||||
# If you wish to control traffic through a bridge (see http://bridge.sf.net),
|
||||
# then set BRIDGING=Yes. Your kernel must have the physdev match option
|
||||
# enabled; that option is available at the above URL for 2.4 kernels and
|
||||
# is included as a standard part of the 2.6 series kernels. If not
|
||||
# specified or specified as empty (BRIDGING="") then "No" is assumed.
|
||||
#
|
||||
|
||||
BRIDGING=No
|
||||
|
||||
#
|
||||
# DYNAMIC ZONES
|
||||
#
|
||||
# If you need to be able to add and delete hosts from zones dynamically then
|
||||
# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
|
||||
|
||||
DYNAMIC_ZONES=No
|
||||
|
||||
#
|
||||
# USE PKTTYPE MATCH
|
||||
#
|
||||
# Some users have reported problems with the PKTTYPE match extension not being
|
||||
# able to match certain broadcast packets.
|
||||
#
|
||||
# Other users have complained of the following message when
|
||||
# starting Shorewall:
|
||||
#
|
||||
# modprobe: cant locate module ipt_pkttype
|
||||
#
|
||||
# If you set PKTTYPE=No then Shorewallwill use IP addresses to detect
|
||||
# broadcasts rather than pkttype. If not given or if given as empty
|
||||
# (PKTTYPE="") then PKTTYPE=Yes is assumed.
|
||||
|
||||
PKTTYPE=Yes
|
||||
|
||||
#
|
||||
# DROP INVALID PACKETS
|
||||
#
|
||||
# Netfilter classifies packets relative to its connection tracking table into
|
||||
# four states:
|
||||
#
|
||||
# NEW - thes packet initiates a new connection
|
||||
# ESTABLISHED - thes packet is part of an established connection
|
||||
# RELATED - thes packet is related to an established connection; it may
|
||||
# establish a new connection
|
||||
# INVALID - the packet does not related to the table in any sensible way.
|
||||
#
|
||||
# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
|
||||
# Window analysis. This can cause packets that were previously classified as
|
||||
# NEW or ESTABLISHED to be classified as INVALID.
|
||||
#
|
||||
# The new kernel code can be disabled by including this command in your
|
||||
# /etc/shorewall/init file:
|
||||
#
|
||||
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
|
||||
#
|
||||
# Additional kernel logging about INVALID TCP packets may be obtained by
|
||||
# adding this command to /etc/shorewall/init:
|
||||
#
|
||||
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
|
||||
#
|
||||
# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
|
||||
# option allows INVALID packets to be passed through the normal rules chains by
|
||||
# setting DROPINVALID=No.
|
||||
#
|
||||
# If not specified or if specified as empty (e.g., DROPINVALID="") then
|
||||
# DROPINVALID=Yes is assumed.
|
||||
|
||||
DROPINVALID=No
|
||||
################################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
################################################################################
|
||||
@ -542,6 +665,7 @@ MODULE_SUFFIX=
|
||||
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
|
||||
# DROP is assumed.
|
||||
#
|
||||
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
#
|
||||
@ -560,8 +684,9 @@ MACLIST_DISPOSITION=REJECT
|
||||
#
|
||||
# This variable determins the disposition of packets having an invalid
|
||||
# combination of TCP flags that are received on interfaces having the
|
||||
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
|
||||
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
|
||||
# 'tcpflags' option specified in /etc/shorewall/interfaces or in
|
||||
# /etc/shorewall/hosts. If not specified or specified as empty
|
||||
# (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
|
||||
|
||||
TCP_FLAGS_DISPOSITION=DROP
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 1.4.11
|
||||
%define version 2.0.16
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -33,7 +33,7 @@ a multi-function gateway/ router/server or on a standalone GNU/Linux system.
|
||||
export PREFIX=$RPM_BUILD_ROOT ; \
|
||||
export OWNER=`id -n -u` ; \
|
||||
export GROUP=`id -n -g` ;\
|
||||
./install.sh /etc/init.d
|
||||
./install.sh
|
||||
|
||||
%clean
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
@ -68,18 +68,17 @@ if [ $1 = 0 ]; then
|
||||
fi
|
||||
|
||||
%files
|
||||
/etc/init.d/shorewall
|
||||
%attr(0544,root,root) /etc/init.d/shorewall
|
||||
%attr(0700,root,root) %dir /etc/shorewall
|
||||
%attr(0700,root,root) %dir /usr/share/shorewall
|
||||
%attr(0700,root,root) %dir /var/lib/shorewall
|
||||
%attr(0600,root,root) /usr/share/shorewall/version
|
||||
%attr(0600,root,root) /etc/shorewall/common.def
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/netmap
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/params
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped
|
||||
@ -91,50 +90,146 @@ fi
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rfc1918
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/init
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/initdone
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/start
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/usersets
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/users
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.template
|
||||
|
||||
%attr(0544,root,root) /sbin/shorewall
|
||||
|
||||
%attr(0600,root,root) /usr/share/shorewall/version
|
||||
%attr(0600,root,root) /usr/share/shorewall/actions.std
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowAuth
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowDNS
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowFTP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowNTP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowPCA
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowPing
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowPOP3
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowRdate
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowSMB
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowSMTP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowSNMP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowSSH
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowTelnet
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowTrcrt
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowVNC
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowVNCL
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowWeb
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.Drop
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.DropDNSrep
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.DropPing
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.DropSMB
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.DropUPnP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.Reject
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.RejectAuth
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.RejectSMB
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.template
|
||||
%attr(0444,root,root) /usr/share/shorewall/functions
|
||||
%attr(0544,root,root) /usr/share/shorewall/firewall
|
||||
%attr(0544,root,root) /usr/share/shorewall/help
|
||||
%attr(0600,root,root) /usr/share/shorewall/rfc1918
|
||||
%attr(0600,root,root) /usr/share/shorewall/bogons
|
||||
%attr(0600,root,root) /usr/share/shorewall/configpath
|
||||
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Wed Jun 30 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.11
|
||||
* Wed Jun 30 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10g-1
|
||||
* Mon Jun 28 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10f-1
|
||||
* Tue Apr 13 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10e-1
|
||||
* Tue Mar 16 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10d-1
|
||||
* Sun Feb 15 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10c-1
|
||||
* Tue Feb 01 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.16-1
|
||||
* Wed Jan 12 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.15-1
|
||||
* Mon Jan 03 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.14-1
|
||||
* Thu Dec 02 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.13-1
|
||||
* Wed Dec 01 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.12-1
|
||||
* Mon Nov 22 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.11-1
|
||||
* Mon Oct 25 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.10-1
|
||||
* Thu Sep 23 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.9-1
|
||||
* Sun Aug 22 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.8-1
|
||||
* Tue Jul 20 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.7-1
|
||||
* Sun Jul 11 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.6-1
|
||||
* Fri Jul 09 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.5-1
|
||||
* Tue Jul 06 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.4-1
|
||||
* Fri Jul 02 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.3c-1
|
||||
* Wed Jun 30 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.3b-1
|
||||
* Mon Jun 28 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.3a-1
|
||||
* Wed Jun 23 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.3-1
|
||||
* Sat Jun 19 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.2-0RC2
|
||||
* Tue Jun 15 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.2-0RC1
|
||||
* Mon Jun 14 2004 Tom Eastep tom@shorewall.net
|
||||
- Added %attr spec for /etc/init.d/shorewall
|
||||
* Sat May 15 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.2a-1
|
||||
* Thu May 13 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.2-1
|
||||
* Mon May 10 2004 Tom Eastep tom@shorewall.net
|
||||
- Add /etc/shorewall/initdone
|
||||
* Fri May 07 2004 Tom Eastep tom@shorewall.net
|
||||
- Shorewall 2.0.2-RC1
|
||||
* Tue May 04 2004 Tom Eastep tom@shorewall.net
|
||||
- Shorewall 2.0.2-Beta2
|
||||
* Tue Apr 13 2004 Tom Eastep tom@shorewall.net
|
||||
- Add /usr/share/shorewall/configpath
|
||||
* Mon Apr 05 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.1-1
|
||||
* Thu Apr 02 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.1 RC5
|
||||
* Thu Apr 01 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.1 RC4
|
||||
* Sun Mar 28 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.1 RC3
|
||||
* Thu Mar 25 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.1 RC2
|
||||
* Wed Mar 24 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.1 RC1
|
||||
* Fri Mar 19 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.1 Beta 2
|
||||
* Thu Mar 18 2004 Tom Eastep tom@shorewall.net
|
||||
- Added netmap file
|
||||
* Wed Mar 17 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Update for 2.0.1 Beta 1
|
||||
* Wed Mar 17 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Add bogons file
|
||||
* Sat Mar 13 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Update for 2.0.0 Final
|
||||
* Sat Mar 06 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Update for RC2
|
||||
* Fri Feb 27 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Update for RC1
|
||||
* Mon Feb 16 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Moved rfc1918 to /usr/share/shorewall
|
||||
- Update for Beta 3
|
||||
* Sat Feb 14 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Removed common.def
|
||||
- Unconditionally replace actions.std
|
||||
- Update for Beta 2
|
||||
* Thu Feb 12 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10b-1
|
||||
- Added action.AllowPCA
|
||||
* Sun Feb 08 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10a-1
|
||||
* Fri Jan 30 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10-1
|
||||
* Tue Jan 27 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10-RC3
|
||||
* Sat Jan 24 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10-RC2
|
||||
* Thu Jan 22 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10-RC1
|
||||
* Tue Jan 13 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.9
|
||||
- Updates for Shorewall 2.0.0.
|
||||
* Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Remove Documentation from this RPM
|
||||
* Sun Dec 28 2003 Tom Eastep <tom@shorewall.net>
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 1.4 -- /etc/shorewall/start
|
||||
# Shorewall 2.0 -- /etc/shorewall/start
|
||||
#
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# been started or restarted.
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 1.4 -- /etc/shorewall/stop
|
||||
# Shorewall 2.0 -- /etc/shorewall/stop
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of a
|
||||
# "shorewall stop" command.
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 1.4 -- /etc/shorewall/stopped
|
||||
# Shorewall 2.0 -- /etc/shorewall/stopped
|
||||
#
|
||||
# Add commands below that you want to be executed at the completion of a
|
||||
# "shorewall stop" command.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 1.4 - Traffic Control Rules File
|
||||
# Shorewall version 2.0 - Traffic Control Rules File
|
||||
#
|
||||
# /etc/shorewall/tcrules
|
||||
#
|
||||
@ -11,6 +11,11 @@
|
||||
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
|
||||
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
|
||||
#
|
||||
# Unlike rules in the /etc/shorewall/rules file, evaluation
|
||||
# of rules in this file will continue after a match. So the
|
||||
# final mark for each packet will be the one assigned by the
|
||||
# LAST tcrule that matches.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
#
|
||||
|
14
STABLE/tos
14
STABLE/tos
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.4 -- /etc/shorewall/tos
|
||||
# Shorewall 2.0 -- /etc/shorewall/tos
|
||||
#
|
||||
# This file defines rules for setting Type Of Service (TOS)
|
||||
#
|
||||
@ -43,10 +43,10 @@
|
||||
#
|
||||
##############################################################################
|
||||
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
|
||||
all all tcp - ssh 16
|
||||
all all tcp ssh - 16
|
||||
all all tcp - ftp 16
|
||||
all all tcp ftp - 16
|
||||
all all tcp ftp-data - 8
|
||||
all all tcp - ftp-data 8
|
||||
all all tcp - 22 16
|
||||
all all tcp 22 - 16
|
||||
all all tcp - 21 16
|
||||
all all tcp 21 - 16
|
||||
all all tcp 20 - 8
|
||||
all all tcp - 20 8
|
||||
#LAST LINE -- Add your entries above -- DO NOT REMOVE
|
||||
|
@ -2,14 +2,14 @@
|
||||
|
||||
RCDLINKS="2,S45 3,S45 6,K45"
|
||||
################################################################################
|
||||
# Script to create a gre or ipip tunnel -- Shorewall 1.4
|
||||
# Script to create a gre or ipip tunnel -- Shorewall 2.0
|
||||
#
|
||||
# Modified - Steve Cowles 5/9/2000
|
||||
# Incorporated init {start|stop} syntax and iproute2 usage
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Modify the following variables to match your configuration
|
||||
#
|
||||
@ -59,6 +59,13 @@ gateway="x.x.x.x"
|
||||
|
||||
subnet="192.168.9.0/24"
|
||||
|
||||
# GRE Key -- set this to a number or to a dotted quad if you want
|
||||
# a keyed GRE tunnel. You must specify a KEY if you
|
||||
# intend to load ip_conntrack_proto_gre on either
|
||||
# gateway system
|
||||
|
||||
key=
|
||||
|
||||
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
|
||||
|
||||
load_modules () {
|
||||
@ -101,7 +108,7 @@ do_start() {
|
||||
|
||||
case $tunnel_type in
|
||||
gre)
|
||||
ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255
|
||||
ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255 ${key:+key $key)
|
||||
;;
|
||||
*)
|
||||
ip tunnel add $tunnel mode ipip remote $gateway
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.4 - /etc/shorewall/tunnels
|
||||
# Shorewall 2.0 - /etc/shorewall/tunnels
|
||||
#
|
||||
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
|
||||
#
|
||||
@ -9,10 +9,14 @@
|
||||
#
|
||||
# The columns are:
|
||||
#
|
||||
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
|
||||
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ipip"
|
||||
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
|
||||
# "generic"
|
||||
#
|
||||
# If the type is "ipsec" or "ipsecnat", it may be followed
|
||||
# by ":noah" to indicate that the Authentication Header
|
||||
# protocol (51) is not used by the tunnel.
|
||||
#
|
||||
# If type is "openvpn", it may optionally be followed
|
||||
# by ":" and the port number used by the tunnel. if no
|
||||
# ":" and port number are included, then the default port
|
||||
@ -42,9 +46,10 @@
|
||||
# Example 1:
|
||||
#
|
||||
# IPSec tunnel. The remote gateway is 4.33.99.124 and
|
||||
# the remote subnet is 192.168.9.0/24
|
||||
# the remote subnet is 192.168.9.0/24. The tunnel does
|
||||
# not use the AH protocol
|
||||
#
|
||||
# ipsec net 4.33.99.124
|
||||
# ipsec:noah net 4.33.99.124
|
||||
#
|
||||
# Example 2:
|
||||
#
|
||||
|
@ -4,7 +4,7 @@
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
||||
#
|
||||
@ -26,11 +26,11 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=1.4.11
|
||||
VERSION=2.0.16
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
ME=`basename $0`
|
||||
ME=$(basename $0)
|
||||
echo "usage: $ME"
|
||||
exit $1
|
||||
}
|
||||
@ -61,7 +61,7 @@ remove_file() # $1 = file to restore
|
||||
}
|
||||
|
||||
if [ -f /usr/share/shorewall/version ]; then
|
||||
INSTALLED_VERSION="`cat /usr/share/shorewall/version`"
|
||||
INSTALLED_VERSION="$(cat /usr/share/shorewall/version)"
|
||||
if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
|
||||
echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
|
||||
echo " and this is the $VERSION uninstaller."
|
||||
@ -72,27 +72,25 @@ else
|
||||
VERSION=""
|
||||
fi
|
||||
|
||||
echo "Uninstalling Shorewall $VERSION"
|
||||
echo "Uninstalling shorewall $VERSION"
|
||||
|
||||
if qt iptables -L shorewall -n; then
|
||||
/sbin/shorewall clear
|
||||
fi
|
||||
|
||||
if [ -L /usr/lib/shorewall/firewall ]; then
|
||||
FIREWALL=`ls -l /usr/lib/shorewall/firewall | sed 's/^.*> //'`
|
||||
elif [ -L /var/lib/shorewall/firewall ]; then
|
||||
FIREWALL=`ls -l /var/lib/shorewall/firewall | sed 's/^.*> //'`
|
||||
elif [ -L /usr/lib/shorewall/init ]; then
|
||||
FIREWALL=`ls -l /usr/lib/shorewall/init | sed 's/^.*> //'`
|
||||
if [ -L /usr/share/shorewall/init ]; then
|
||||
FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
|
||||
else
|
||||
FIREWALL=
|
||||
FIREWALL=/etc/init.d/shorewall
|
||||
fi
|
||||
|
||||
if [ -n "$FIREWALL" ]; then
|
||||
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||
insserv -r $FIREWALL
|
||||
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
|
||||
chkconfig --del `basename $FIREWALL`
|
||||
chkconfig --del $(basename $FIREWALL)
|
||||
else
|
||||
rm -f /etc/rc*.d/*$(basename $FIREWALL)
|
||||
fi
|
||||
|
||||
remove_file $FIREWALL
|
||||
@ -102,12 +100,7 @@ fi
|
||||
rm -f /sbin/shorewall
|
||||
rm -f /sbin/shorewall-*.bkout
|
||||
|
||||
if [ -n "$VERSION" ]; then
|
||||
restore_file /etc/rc.d/rc.local
|
||||
fi
|
||||
|
||||
rm -rf /etc/shorewall
|
||||
rm -rf /usr/lib/shorewall
|
||||
rm -rf /var/lib/shorewall
|
||||
rm -rf /usr/share/shorewall
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.4 /etc/shorewall/zones
|
||||
# Shorewall 2.0 /etc/shorewall/zones
|
||||
#
|
||||
# This file determines your network zones. Columns are:
|
||||
#
|
||||
|
Loading…
Reference in New Issue
Block a user