mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-11 08:08:12 +01:00
Shorewall 2.0.3
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1404 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
dbd062e23e
commit
d5a38ba02b
@ -10,6 +10,6 @@ RejectAuth
|
||||
dropBcast
|
||||
DropSMB
|
||||
DropUPnP
|
||||
dropNonSyn
|
||||
dropNotSyn
|
||||
DropDNSrep
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -10,6 +10,6 @@ RejectAuth
|
||||
dropBcast
|
||||
RejectSMB
|
||||
DropUPnP
|
||||
dropNonSyn
|
||||
dropNotSyn
|
||||
DropDNSrep
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -6,6 +6,13 @@
|
||||
#
|
||||
# dropBcast #Silently Drop Broadcast/multicast
|
||||
# dropNonSyn #Silently Drop Non-syn TCP packets
|
||||
# rejNonSyn #Silently Reject Non-syn TCP packets
|
||||
# logNonSyn #Log Non-syn TCP packets with disposition LOG
|
||||
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
|
||||
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
|
||||
#
|
||||
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
|
||||
# shorewall.conf. If that option isn't specified then 'info' is used.
|
||||
#
|
||||
#ACTION
|
||||
|
||||
|
@ -1,79 +1,36 @@
|
||||
Changes since 2.0.1
|
||||
Changes since 2.0.2
|
||||
|
||||
1) Reformat the code in define_firewall().
|
||||
1) Remove restore files; don't generate them for non-statechanging
|
||||
commands.
|
||||
|
||||
2) Reimplement dynamic zones.
|
||||
2) Restore file now loads kernel modules.
|
||||
|
||||
3) Tweak new dynamic zone implementation.
|
||||
3) Minor tweaks to the restore mechanism.
|
||||
|
||||
4) Implement CONFIG_PATH.
|
||||
4) Allow "!" in accounting rules.
|
||||
|
||||
5) Apply Stijn Jonker's fix for CONFIG_PATH.
|
||||
5) Backport bug fixes from stable (/var/lib/shorewall existence and
|
||||
null common action).
|
||||
|
||||
6) Restore logic to make 'find_file' check for SHOREWALL_DIR separately.
|
||||
6) Add lots of overhead to [re]start in order to catch typing errors.
|
||||
|
||||
7) Allow CONFIG_PATH to be inherited.
|
||||
7) Correct reporting of installation directory in install.sh.
|
||||
|
||||
8) Fix ensure_config_path call.
|
||||
8) Load kernel modules before detecting capabilities.
|
||||
|
||||
9) Make LOCAL and ALL INTERFACES independent in the nat file.
|
||||
9) Added the 'rejectNonSyn' standard built-in action.
|
||||
|
||||
10) Add "ko.gz" to the vast list of module suffixes that distributions
|
||||
have invented.
|
||||
10) Merged Tuomo Soini's patch to the install script.
|
||||
|
||||
11) Update the bogons file
|
||||
11) Correct brain-cramp in module loading fix (8 above).
|
||||
|
||||
12) Added example for log rate limiting knobs in shorewall.conf.
|
||||
12) Add 'key' to sample tunnel file.
|
||||
|
||||
13) Fix init.debian.sh.
|
||||
13) Allow multiple saved configurations.
|
||||
|
||||
14) Implement the -q option.
|
||||
14) Add %attr spec to /etc/init.d/shorewall in the .spec file.
|
||||
|
||||
15) Add saved configuration support (iptables-save/iptables-restore
|
||||
integration).
|
||||
15) Fix rules that have bridge ports in both SOURCE and DEST. Update
|
||||
comments in the rules file WRT "all" in SOURCE or DEST.
|
||||
|
||||
16) Use modprobe if it is available.
|
||||
|
||||
17) Lots of fixes to 'save'
|
||||
|
||||
18) 'shorewall forget'
|
||||
|
||||
19) SNAT/MASQUERADE by proto/port(s)
|
||||
|
||||
20) Shorewall 2.0.2 Beta 1 changes.
|
||||
|
||||
21) Fix ALL INTERFACES column parsing.
|
||||
|
||||
22) Correct "shorewall delete" processing.
|
||||
|
||||
23) Apply Alex Wilms's patch for install.sh
|
||||
|
||||
24) Add ACCEPT+ and NONAT targets.
|
||||
|
||||
25) Added 'initialized' extension script.
|
||||
|
||||
26) Renamed 'initialized' to 'initdone'
|
||||
|
||||
27) Applied Stijn Jonker's fix for "shorewall add"
|
||||
|
||||
28) Correct typo that broke "shorewall delete"
|
||||
|
||||
29) Apply Stijn Jonker's -q fix.
|
||||
|
||||
30) Remove restore-$$ files.
|
||||
|
||||
31) Save 'loadmodule' commands in /var/lib/shorewall/restore-base.
|
||||
|
||||
32) Correct null common action handling.
|
||||
|
||||
33) Create /var/lib/shorewall if it doesn't exist.
|
||||
|
||||
34) Fix dynamic in chains in the nat table.
|
||||
|
||||
35) Load modules before detecting capabilities.
|
||||
|
||||
36) Fix 'newnotsyn' in the hosts file.
|
||||
|
||||
37) Fix double LOG rules in actions.
|
||||
|
||||
38) Another kernel module disaster fixed.
|
||||
16) Pass INVALID icmp packets through the blacklisting chains.
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=2.0.2f
|
||||
VERSION=2.0.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
280
STABLE2/firewall
280
STABLE2/firewall
@ -51,11 +51,6 @@ my_mutex_off() {
|
||||
[ -n "$have_mutex" ] && { mutex_off; have_mutex=; }
|
||||
}
|
||||
|
||||
progress_message() # $* = Message
|
||||
{
|
||||
[ -n "$QUIET" ] || echo "$@"
|
||||
}
|
||||
|
||||
#
|
||||
# Message to stderr
|
||||
#
|
||||
@ -108,6 +103,17 @@ save_command()
|
||||
echo "$@" >> /var/lib/shorewall/restore-$$
|
||||
}
|
||||
|
||||
#
|
||||
# Write a progress_message command to /var/lib/shorewall/restore-$$
|
||||
#
|
||||
save_progress_message()
|
||||
{
|
||||
|
||||
echo >> /var/lib/shorewall/restore-$$
|
||||
echo "progress_message \"$@\"" >> /var/lib/shorewall/restore-$$
|
||||
echo >> /var/lib/shorewall/restore-$$
|
||||
}
|
||||
|
||||
#
|
||||
# Save the passed command in the restore script then run it -- returns the status of the command
|
||||
# If the command involves file redirection then it must be enclosed in quotes as in:
|
||||
@ -133,12 +139,13 @@ ensure_and_save_command()
|
||||
}
|
||||
|
||||
#
|
||||
# Append a file to /var/lib/shorewall/restore-$$
|
||||
# Append a file in $STATEDIR to /var/lib/shorewall/restore-$$
|
||||
#
|
||||
append_file() {
|
||||
save_command "cat > $STATEDIR/$1 << EOF"
|
||||
append_file() # $1 = File Name
|
||||
{
|
||||
save_command "cat > $STATEDIR/$1 << __EOF__"
|
||||
cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$
|
||||
save_command EOF
|
||||
save_command __EOF__
|
||||
}
|
||||
|
||||
#
|
||||
@ -576,7 +583,7 @@ known_interface() # $1 = interface name
|
||||
match_source_dev()
|
||||
{
|
||||
if [ -n "$BRIDGING" ]; then
|
||||
known_interface $1 && echo -i $1 || physdev_echo "--physdev-in $1"
|
||||
list_search $1 $all_ports && physdev_echo "--physdev-in $1" || echo -i $1
|
||||
else
|
||||
echo -i $1
|
||||
fi
|
||||
@ -585,12 +592,17 @@ match_source_dev()
|
||||
match_dest_dev()
|
||||
{
|
||||
if [ -n "$BRIDGING" ]; then
|
||||
known_interface $1 && echo -o $1 || physdev_echo "--physdev-out $1"
|
||||
list_search $1 $all_ports && physdev_echo "--physdev-out $1" || echo -o $1
|
||||
else
|
||||
echo -o $1
|
||||
fi
|
||||
}
|
||||
|
||||
verify_interface()
|
||||
{
|
||||
known_interface $1 || { [ -n $BRIDGING ] && list_search $1 $all_ports ; }
|
||||
}
|
||||
|
||||
#
|
||||
#
|
||||
# Find hosts in a given zone
|
||||
@ -765,7 +777,7 @@ validate_interfaces_file() {
|
||||
if [ -z "$found_obsolete_option" ]; then
|
||||
found_obsolete_option=yes
|
||||
error_message \
|
||||
"Warning: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0"
|
||||
"WARNING: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0"
|
||||
error_message \
|
||||
" PLEASE STAND BY WHILE SHOREWALL REFORMATS YOUR HARD DRIVE TO REMOVE THESE OPTIONS..."
|
||||
sleep 5
|
||||
@ -798,6 +810,13 @@ validate_interfaces_file() {
|
||||
validate_hosts_file() {
|
||||
local z hosts options r interface host option port ports
|
||||
|
||||
check_bridge_port()
|
||||
{
|
||||
list_search $1 $ports || ports="$ports $1"
|
||||
list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}"
|
||||
list_search $1 $all_ports || all_ports="$all_ports $1"
|
||||
}
|
||||
|
||||
while read z hosts options; do
|
||||
expandv z hosts options
|
||||
r="$z $hosts $options"
|
||||
@ -820,17 +839,14 @@ validate_hosts_file() {
|
||||
*:*)
|
||||
known_interface ${host%:*} && \
|
||||
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
|
||||
port=${host%%:*}
|
||||
list_search $port $ports || ports="$ports $port"
|
||||
list_search ${interface}:${port} $zports || zports="$zports ${interface}:${port}"
|
||||
check_bridge_port ${host%%:*}
|
||||
;;
|
||||
*.*.*.*)
|
||||
;;
|
||||
*)
|
||||
known_interface $host && \
|
||||
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
|
||||
list_search $host $ports || ports="$ports $host"
|
||||
list_search ${interface}:${host} $zports || zports="$zports ${interface}:${host}"
|
||||
check_bridge_port $host
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -855,6 +871,8 @@ validate_hosts_file() {
|
||||
fi
|
||||
|
||||
done < $TMP_DIR/hosts
|
||||
|
||||
[ -n "$all_ports" ] && echo " Bridge ports are: $all_ports"
|
||||
}
|
||||
|
||||
#
|
||||
@ -1178,6 +1196,9 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
|
||||
# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
|
||||
#
|
||||
setup_forwarding() {
|
||||
|
||||
save_progress_message "Restoring IP Forwarding..."
|
||||
|
||||
case "$IP_FORWARDING" in
|
||||
[Oo][Nn])
|
||||
run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
|
||||
@ -1198,6 +1219,7 @@ disable_ipv6() {
|
||||
|
||||
if [ -n "$foo" ]; then
|
||||
if qt which ip6tables; then
|
||||
save_progress_message "Disabling IPV6..."
|
||||
ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
|
||||
ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
|
||||
ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
|
||||
@ -1226,10 +1248,15 @@ stop_firewall() {
|
||||
;;
|
||||
*)
|
||||
set +x
|
||||
if [ -f /var/lib/shorewall/restore ]; then
|
||||
|
||||
[ -z "$RESTOREFILE" ] && RESTOREFILE=restore
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
echo Restoring Shorewall...
|
||||
. /var/lib/shorewall/restore
|
||||
echo Shorewall restored
|
||||
$RESTOREPATH
|
||||
echo "Shorewall restored from $RESTOREPATH"
|
||||
my_mutex_off
|
||||
kill $$
|
||||
exit 2
|
||||
@ -1640,6 +1667,8 @@ setup_proxy_arp() {
|
||||
|
||||
> ${STATEDIR}/proxyarp
|
||||
|
||||
save_progress_message "Restoring Proxy ARP..."
|
||||
|
||||
while read address interface external haveroute persistent; do
|
||||
expandv address interface external haveroute persistent
|
||||
setup_one_proxy_arp
|
||||
@ -1840,6 +1869,8 @@ setup_nat() {
|
||||
#
|
||||
> ${STATEDIR}/nat
|
||||
|
||||
save_progress_message "Restoring one-to-one NAT..."
|
||||
|
||||
while read external interface internal allints localnat; do
|
||||
expandv external interface internal allints localnat
|
||||
|
||||
@ -1995,10 +2026,8 @@ process_tc_rule()
|
||||
chain=tcout
|
||||
;;
|
||||
*)
|
||||
if [ -z "$BRIDGING" ] && ! list_search $source $all_interfaces; then
|
||||
fatal_error "Unknown interface $source in rule \"$rule\""
|
||||
fi
|
||||
|
||||
|
||||
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
|
||||
r="$(match_source_dev) $source "
|
||||
;;
|
||||
esac
|
||||
@ -2023,7 +2052,11 @@ process_tc_rule()
|
||||
esac
|
||||
fi
|
||||
|
||||
[ "x$dest" = "x-" ] || r="${r}-d $dest "
|
||||
if [ "x$dest" != "x-" ]; then
|
||||
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
|
||||
r="${r}$(match_dest_dev $dest) "
|
||||
fi
|
||||
|
||||
[ "$proto" = "all" ] || r="${r}-p $proto "
|
||||
[ "x$port" = "x-" ] || r="${r}--dport $port "
|
||||
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
|
||||
@ -2095,6 +2128,8 @@ setup_tc1() {
|
||||
run_iptables -t mangle -A OUTPUT -j tcout
|
||||
|
||||
run_user_exit tcstart
|
||||
|
||||
save_progress_message "Restoring Traffic Control..."
|
||||
save_command . $(find_file tcstart)
|
||||
|
||||
}
|
||||
@ -2118,6 +2153,8 @@ delete_tc()
|
||||
|
||||
}
|
||||
|
||||
save_progress_message "Clearing Traffic Control/QOS"
|
||||
|
||||
run_user_exit tcclear
|
||||
|
||||
run_ip link list | \
|
||||
@ -2144,6 +2181,14 @@ process_accounting_rule() {
|
||||
error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport
|
||||
}
|
||||
|
||||
accounting_interface_error() {
|
||||
error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport
|
||||
}
|
||||
|
||||
accounting_interface_verify() {
|
||||
verify_interface $1 || accounting_interface_error $1
|
||||
}
|
||||
|
||||
jump_to_chain() {
|
||||
if ! havechain $jumpchain; then
|
||||
if ! createchain2 $jumpchain No; then
|
||||
@ -2157,6 +2202,7 @@ process_accounting_rule() {
|
||||
|
||||
case $source in
|
||||
*:*)
|
||||
accounting_interface_verify ${source%:*}
|
||||
rule="-s ${source#*:} $(match_source_dev ${source%:*})"
|
||||
;;
|
||||
*.*.*.*)
|
||||
@ -2165,12 +2211,16 @@ process_accounting_rule() {
|
||||
-|all|any)
|
||||
;;
|
||||
*)
|
||||
[ -n "$source" ] && rule="$(match_source_dev $source)"
|
||||
if [ -n "$source" ]; then
|
||||
accounting_interface_verify $source
|
||||
rule="$(match_source_dev $source)"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
[ -n "$dest" ] && case $dest in
|
||||
*:*)
|
||||
accounting_interface_verify ${dest%:*}
|
||||
rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})"
|
||||
;;
|
||||
*.*.*.*)
|
||||
@ -2179,6 +2229,7 @@ process_accounting_rule() {
|
||||
-|all|any)
|
||||
;;
|
||||
*)
|
||||
accounting_interface_verify $dest
|
||||
rule="$rule $(match_dest_dev $dest)"
|
||||
;;
|
||||
esac
|
||||
@ -2233,8 +2284,8 @@ process_accounting_rule() {
|
||||
|
||||
ensurechain1 $chain
|
||||
|
||||
if iptables -A $chain $rule ; then
|
||||
[ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2
|
||||
if iptables -A $chain $(fix_bang $rule) ; then
|
||||
[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
|
||||
progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport Added
|
||||
else
|
||||
accounting_error
|
||||
@ -2409,6 +2460,16 @@ add_an_action()
|
||||
fi
|
||||
}
|
||||
|
||||
interface_error()
|
||||
{
|
||||
fatal_error "Unknown interface $1 in rule: \"$rule\""
|
||||
}
|
||||
|
||||
action_interface_verify()
|
||||
{
|
||||
verify_interface $1 || interface_error $1
|
||||
}
|
||||
|
||||
# Set source variables. The 'cli' variable will hold the client match predicate(s).
|
||||
|
||||
cli=
|
||||
@ -2417,6 +2478,7 @@ add_an_action()
|
||||
-)
|
||||
;;
|
||||
*:*)
|
||||
action_interface_verify ${client%:*}
|
||||
cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
|
||||
;;
|
||||
*.*.*)
|
||||
@ -2426,7 +2488,10 @@ add_an_action()
|
||||
cli=$(mac_match $client)
|
||||
;;
|
||||
*)
|
||||
[ -n "$client" ] && cli="$(match_source_dev $client)"
|
||||
if [ -n "$client" ]; then
|
||||
action_interface_verify $client
|
||||
cli="$(match_source_dev $client)"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -2445,7 +2510,10 @@ add_an_action()
|
||||
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
|
||||
;;
|
||||
*)
|
||||
[ -n "$server" ] && dest_interface="$(match_dest_dev $server)"
|
||||
if [ -n "$server" ]; then
|
||||
action_interface_verify $server
|
||||
dest_interface="$(match_dest_dev $server)"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -2496,20 +2564,18 @@ add_an_action()
|
||||
$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
|
||||
fi
|
||||
|
||||
[ "$logtarget" = LOG ] || \
|
||||
run_iptables2 -A $action $proto $multiport $cli $sports \
|
||||
-d $srv $dports $ratelimit $userandgroup -j $target
|
||||
run_iptables2 -A $action $proto $multiport $cli $sports \
|
||||
-d $srv $dports $ratelimit $userandgroup -j $target
|
||||
done
|
||||
done
|
||||
else
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logtag" $userandgroup \
|
||||
$(fix_bang $proto $sports $multiport $cli $dports)
|
||||
$(fix_bang $proto $sports $multiport $cli $dest_interface $dports)
|
||||
fi
|
||||
|
||||
[ "$logtarget" = LOG ] || \
|
||||
run_iptables2 -A $action $proto $multiport $cli $sports \
|
||||
$dports $ratelimit $userandgroup -j $target
|
||||
run_iptables2 -A $action $proto $multiport $cli $dest_interface $sports \
|
||||
$dports $ratelimit $userandgroup -j $target
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@ -2682,33 +2748,9 @@ createactionchain() # $1 = chain name
|
||||
#
|
||||
|
||||
process_actions1() {
|
||||
#
|
||||
# Add the builtin actions
|
||||
#
|
||||
add_builtin_actions() {
|
||||
|
||||
if [ "$COMMAND" != check ]; then
|
||||
createchain dropBcast no
|
||||
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
|
||||
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
|
||||
#
|
||||
# No pkttype support -- do it the hard way
|
||||
#
|
||||
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
|
||||
run_iptables -A dropBcast -d $address -j DROP
|
||||
done
|
||||
fi
|
||||
|
||||
createchain dropNonSyn no
|
||||
run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
|
||||
fi
|
||||
|
||||
ACTIONS="dropBcast dropNonSyn"
|
||||
USEDACTIONS="dropBcast dropNonSyn"
|
||||
|
||||
}
|
||||
|
||||
add_builtin_actions
|
||||
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn"
|
||||
USEDACTIONS=
|
||||
|
||||
strip_file actions
|
||||
|
||||
@ -2821,6 +2863,10 @@ process_actions2() {
|
||||
process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
|
||||
|
||||
}
|
||||
|
||||
log_action() {
|
||||
[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
|
||||
}
|
||||
#
|
||||
# Generate the transitive closure of $USEDACTIONS
|
||||
#
|
||||
@ -2844,7 +2890,38 @@ process_actions2() {
|
||||
#
|
||||
for xaction in $USEDACTIONS; do
|
||||
case $xaction in
|
||||
dropNonSyn|dropBcast)
|
||||
dropBcast)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
|
||||
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
|
||||
#
|
||||
# No pkttype support -- do it the hard way
|
||||
#
|
||||
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
|
||||
run_iptables -A dropBcast -d $address -j DROP
|
||||
done
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
dropNonSyn)
|
||||
error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
|
||||
[ "$COMMAND" != check ] && run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
|
||||
;;
|
||||
|
||||
dropNotSyn)
|
||||
[ "$COMMAND" != check ] && run_iptables -A dropNotSyn -p tcp ! --syn -j DROP
|
||||
;;
|
||||
rejNotSyn)
|
||||
[ "$COMMAND" != check ] && run_iptables -A rejectNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset
|
||||
;;
|
||||
logNotSyn)
|
||||
log_action logNotSyn LOG
|
||||
;;
|
||||
rLogNotSyn)
|
||||
log_action rLogNotSyn REJECT
|
||||
;;
|
||||
dLogNotSyn)
|
||||
log_action dLogNotSyn DROP
|
||||
;;
|
||||
*)
|
||||
f=action.$xaction
|
||||
@ -3091,6 +3168,16 @@ add_a_rule()
|
||||
fi
|
||||
}
|
||||
|
||||
interface_error()
|
||||
{
|
||||
fatal_error "Unknown interface $1 in rule: \"$rule\""
|
||||
}
|
||||
|
||||
rule_interface_verify()
|
||||
{
|
||||
verify_interface $1 || interface_error $1
|
||||
}
|
||||
|
||||
# Set source variables. The 'cli' variable will hold the client match predicate(s).
|
||||
|
||||
cli=
|
||||
@ -3099,6 +3186,7 @@ add_a_rule()
|
||||
-)
|
||||
;;
|
||||
*:*)
|
||||
rule_interface_verify ${client%:*}
|
||||
cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
|
||||
;;
|
||||
*.*.*)
|
||||
@ -3108,7 +3196,10 @@ add_a_rule()
|
||||
cli=$(mac_match $client)
|
||||
;;
|
||||
*)
|
||||
[ -n "$client" ] && cli="$(match_source_dev $client)"
|
||||
if [ -n "$client" ]; then
|
||||
rule_interface_verify $client
|
||||
cli="$(match_source_dev $client)"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3128,7 +3219,8 @@ add_a_rule()
|
||||
;;
|
||||
*)
|
||||
if [ -n "$server" ]; then
|
||||
[ -n "$nonat" ] && fatal_error "Destination interface not allowe with $logtarget"
|
||||
[ -n "$nonat" ] && fatal_error "Destination interface not allowed with $logtarget"
|
||||
rule_interface_verify $server
|
||||
dest_interface="$(match_dest_dev $server)"
|
||||
fi
|
||||
;;
|
||||
@ -3265,7 +3357,7 @@ add_a_rule()
|
||||
if [ $COMMAND != check ]; then
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
|
||||
$(fix_bang $proto $multiport $dest_interface $cli $sports $dports)
|
||||
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != LOG ]; then
|
||||
@ -3274,8 +3366,8 @@ add_a_rule()
|
||||
$cli $sports $dports $ratelimit $userandgroup -j RETURN
|
||||
|
||||
[ "$logtarget" != NONAT ] && \
|
||||
run_iptables2 -A $chain $proto $multiport $dest_interface \
|
||||
$cli $sports $dports $ratelimit $userandgroup -j $target
|
||||
run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
|
||||
$sports $dports $ratelimit $userandgroup -j $target
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
@ -3708,6 +3800,11 @@ process_tos_rule() {
|
||||
#
|
||||
# Assume that this is a device name
|
||||
#
|
||||
if ! verify_interface $src ; then
|
||||
error_message "Warning: Unknown Interface in rule \"$rule\" ignored"
|
||||
return
|
||||
fi
|
||||
|
||||
src="$(match_source_dev $src)"
|
||||
;;
|
||||
esac
|
||||
@ -4285,7 +4382,7 @@ setup_masq()
|
||||
|
||||
strip_file masq $1
|
||||
|
||||
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:"
|
||||
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..."
|
||||
|
||||
while read fullinterface networks addresses proto ports; do
|
||||
expandv fullinterface networks addresses proto ports
|
||||
@ -4399,7 +4496,7 @@ setup_blacklist() {
|
||||
|
||||
createchain blacklst no
|
||||
|
||||
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
|
||||
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
|
||||
|
||||
for host in $hosts; do
|
||||
interface=${host%%:*}
|
||||
@ -4507,6 +4604,8 @@ add_ip_aliases()
|
||||
|
||||
set -- $aliases_to_add
|
||||
|
||||
save_progress_message "Restoring IP Addresses..."
|
||||
|
||||
while [ $# -gt 0 ]; do
|
||||
external=$1
|
||||
interface=$2
|
||||
@ -4529,7 +4628,7 @@ add_ip_aliases()
|
||||
#
|
||||
load_kernel_modules()
|
||||
{
|
||||
local save_modules_dir=$MODULESDIR
|
||||
save_modules_dir=$MODULESDIR
|
||||
|
||||
[ -z "$MODULESDIR" ] && \
|
||||
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
|
||||
@ -4537,7 +4636,7 @@ load_kernel_modules()
|
||||
modules=$(find_file modules)
|
||||
|
||||
if [ -f $modules -a -d $MODULESDIR ]; then
|
||||
echo "Loading Modules..."
|
||||
progress_message "Loading Modules..."
|
||||
. $modules
|
||||
fi
|
||||
|
||||
@ -4547,12 +4646,10 @@ load_kernel_modules()
|
||||
save_load_kernel_modules()
|
||||
{
|
||||
|
||||
[ -z "$MODULESDIR" ] && \
|
||||
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
|
||||
|
||||
modules=$(find_file modules)
|
||||
|
||||
save_command "reload_kernel_modules <<EOF"
|
||||
save_progress_message "Loading kernel modules..."
|
||||
save_command "reload_kernel_modules <<__EOF__"
|
||||
|
||||
while read command; do
|
||||
case "$command" in
|
||||
@ -4562,7 +4659,7 @@ save_load_kernel_modules()
|
||||
esac
|
||||
done < $modules
|
||||
|
||||
save_command EOF
|
||||
save_command __EOF__
|
||||
|
||||
}
|
||||
|
||||
@ -4721,7 +4818,7 @@ initialize_netfilter () {
|
||||
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags ACK ACK -j ACCEPT
|
||||
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags RST RST -j ACCEPT
|
||||
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags FIN FIN -j ACCEPT
|
||||
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -j RETURN
|
||||
run_iptables -A newnotsyn -i $interface $(match_source_hosts ${host#*:}) -j RETURN
|
||||
done
|
||||
|
||||
run_user_exit newnotsyn
|
||||
@ -4754,7 +4851,7 @@ initialize_netfilter () {
|
||||
fi
|
||||
fi
|
||||
|
||||
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
|
||||
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
|
||||
|
||||
echo "Creating Interface Chains..."
|
||||
|
||||
@ -5028,6 +5125,8 @@ add_common_rules() {
|
||||
#
|
||||
# ARP Filtering
|
||||
#
|
||||
save_progress_message "Restoring ARP filtering..."
|
||||
|
||||
for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
|
||||
run_and_save_command "echo 0 > $f"
|
||||
done
|
||||
@ -5055,6 +5154,8 @@ add_common_rules() {
|
||||
if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
|
||||
echo "Setting up Kernel Route Filtering..."
|
||||
|
||||
save_progress_message "Restoring Route Filtering..."
|
||||
|
||||
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
|
||||
run_and_save_command "echo 0 > $f"
|
||||
done
|
||||
@ -5419,7 +5520,10 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||
|
||||
echo '#bin/sh' > /var/lib/shorewall/restore-$$
|
||||
echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$
|
||||
save_command "#"
|
||||
save_command "# Restore base file generated by Shorewall $version - $(date)"
|
||||
save_command "#"
|
||||
save_command ". /usr/share/shorewall/functions"
|
||||
|
||||
save_command "MODULESDIR=\"$MODULESDIR\""
|
||||
save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\""
|
||||
@ -5476,9 +5580,11 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
|
||||
save_command "date > $STATEDIR/restarted"
|
||||
|
||||
save_command 'iptables-restore << EOF'
|
||||
save_progress_message "Restoring Netfilter Configuration..."
|
||||
|
||||
# 'shorewall save' appends the iptables-save output and 'EOF'
|
||||
save_command 'iptables-restore << __EOF__'
|
||||
|
||||
# 'shorewall save' appends the iptables-save output and '__EOF__'
|
||||
|
||||
mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-base
|
||||
|
||||
@ -5948,16 +6054,16 @@ do_initialize() {
|
||||
ensure_config_path
|
||||
#
|
||||
# Determine the capabilities of the installed iptables/netfilter
|
||||
# We load the kernel modules so that capabilities can be
|
||||
# accurately detected when kernel module autoloading is not
|
||||
# enabled.
|
||||
# We load the kernel modules here to acurately determine
|
||||
# capabilities when module autoloading isn't enabled.
|
||||
#
|
||||
|
||||
[ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz"
|
||||
load_kernel_modules
|
||||
determine_capabilities
|
||||
|
||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||
|
||||
|
||||
[ -d $STATEDIR ] || mkdir -p $STATEDIR
|
||||
|
||||
[ -z "$FW" ] && FW=fw
|
||||
|
@ -33,6 +33,14 @@ list_count() {
|
||||
list_count1 $(separate_list $1)
|
||||
}
|
||||
|
||||
#
|
||||
# Conditionally produce message
|
||||
#
|
||||
progress_message() # $* = Message
|
||||
{
|
||||
[ -n "$QUIET" ] || echo "$@"
|
||||
}
|
||||
|
||||
#
|
||||
# Suppress all output for a command
|
||||
#
|
||||
|
27
STABLE2/help
27
STABLE2/help
@ -117,9 +117,9 @@ drop)
|
||||
;;
|
||||
|
||||
forget)
|
||||
echo "forget: forget
|
||||
Deletes /var/lib/shorewall/save and /var/lib/shorewall/restore. Those
|
||||
files are created by the 'shorewall save' command
|
||||
echo "forget: forget [ <file name> ]
|
||||
Deletes /var/lib/shorewall/<file name>. If no <file name> is given then
|
||||
the file specified by RESTOREFILE in shorewall.conf is removed.
|
||||
|
||||
See also \"help save\""
|
||||
;;
|
||||
@ -194,18 +194,22 @@ restart)
|
||||
;;
|
||||
|
||||
restore)
|
||||
echo "restore: restore
|
||||
Restore Shorewall to its last state saved using the 'save' command
|
||||
Existing connections are maintained.
|
||||
echo "restore: restore [ <file name> ]
|
||||
Restore Shorewall to a state saved using the 'save' command
|
||||
Existing connections are maintained. The <file name> names a restore file in
|
||||
/var/lib/shorewall created using "shorewall save"; if no <file name> is given
|
||||
then Shorewall will be restored from the file specified by the RESTOREFILE
|
||||
option in shorewall.conf.
|
||||
|
||||
See also \"help save\" and \"help forget\""
|
||||
;;
|
||||
|
||||
save)
|
||||
echo "save: save
|
||||
echo "save: save [ <file name> ]
|
||||
The dynamic data is stored in /var/lib/shorewall/save. The state of the
|
||||
firewall is stored in /var/lib/shorewall/restore for use by the 'shorewall restore'
|
||||
and 'shorewall -f start' commands.
|
||||
firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
|
||||
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
|
||||
in the file specified by the RESTOREFILE option in shorewall.conf.
|
||||
|
||||
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
||||
|
||||
@ -240,8 +244,9 @@ start)
|
||||
Start shorewall. Existing connections through shorewall managed
|
||||
interfaces are untouched. New connections will be allowed only
|
||||
if they are allowed by the firewall rules or policies.
|
||||
If \"-q\" is specified, less detain is displayed making it easier to spot warnings
|
||||
If \"-f\" is specified, the last saved configuraton if any will be restored"
|
||||
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
|
||||
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
|
||||
in shorewall.conf will be restored if that saved configuration exists"
|
||||
;;
|
||||
|
||||
stop)
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
|
||||
VERSION=2.0.2f
|
||||
VERSION=2.0.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -87,11 +87,20 @@ install_file_with_backup() # $1 = source $2 = target $3 = mode
|
||||
# RUNLEVELS is the chkconfig parmeters for firewall
|
||||
# ARGS is "yes" if we've already parsed an argument
|
||||
#
|
||||
DEST="/etc/init.d"
|
||||
INIT="shorewall"
|
||||
RUNLEVELS=""
|
||||
ARGS=""
|
||||
|
||||
if [ -z "$DEST" ] ; then
|
||||
DEST="/etc/init.d"
|
||||
fi
|
||||
|
||||
if [ -z "$INIT" ] ; then
|
||||
INIT="shorewall"
|
||||
fi
|
||||
|
||||
if [ -z "$RUNLEVELS" ] ; then
|
||||
RUNLEVELS=""
|
||||
fi
|
||||
|
||||
if [ -z "$OWNER" ] ; then
|
||||
OWNER=root
|
||||
fi
|
||||
@ -402,7 +411,7 @@ echo "Bogon file installed as ${PREFIX}/usr/share/shorewall/bogons"
|
||||
#
|
||||
install_file_with_backup configpath ${PREFIX}/usr/share/shorewall/configpath 0600
|
||||
echo
|
||||
echo " Default config path file installed as ${PREFIX}/etc/shorewall/configpath"
|
||||
echo " Default config path file installed as ${PREFIX}/usr/share/shorewall/configpath"
|
||||
#
|
||||
# Install the init file
|
||||
#
|
||||
@ -500,7 +509,7 @@ for f in action.* ; do
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 $f ${PREFIX}/usr/share/shorewall/$f
|
||||
echo
|
||||
echo "Action ${f#*.} file installed as ${PREFIX}/etc/shorewall/$f"
|
||||
echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
|
||||
fi
|
||||
done
|
||||
#
|
||||
|
@ -1,21 +1,6 @@
|
||||
Shorewall 2.0.2f
|
||||
Shorewall 2.0.3 RC2
|
||||
|
||||
----------------------------------------------------------------------
|
||||
Problems Corrected since 2.0.1
|
||||
|
||||
1) The /etc/init.d/shorewall script installed on Debian by install.sh
|
||||
failed silently due to a missing file
|
||||
(/usr/share/shorewall/wait4ifup). That file is not part of the
|
||||
normal Shorewall distribution and is provided by the Debian
|
||||
maintainer.
|
||||
|
||||
2) A meaningless warning message out of the proxyarp file processing
|
||||
has been eliminated.
|
||||
|
||||
3) The "shorewall delete" command now correctly removes all dynamic
|
||||
rules pertaining to the host(s) being deleted. Thanks to Stefan
|
||||
Engel for this correction.
|
||||
|
||||
Problems Corrected since 2.0.2
|
||||
|
||||
1) The 'firewall' script is not purging temporary restore files in
|
||||
@ -34,222 +19,139 @@ Problems Corrected since 2.0.2
|
||||
used, these rules cause the rule to be checked against ALL input,
|
||||
not just input from the designated zone.
|
||||
|
||||
6) Shorewall checks netfilter capabilities before loading kernel
|
||||
6) The install.sh script reported installing some files in
|
||||
/etc/shorewall when the files were actually installed in
|
||||
/usr/share/shorewall.
|
||||
|
||||
7) Shorewall checks netfilter capabilities before loading kernel
|
||||
modules. Hence if kernel module autoloading isn't enabled, the
|
||||
capabilities will be misdetected.
|
||||
|
||||
7) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
|
||||
8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
|
||||
|
||||
8) When used within an action, the LOG target produces two logging
|
||||
rules.
|
||||
9) The file /etc/init.d/shorewall now gets proper ownership when the
|
||||
RPM is built by a non-root user.
|
||||
|
||||
10) Rules that specify bridge ports in both the SOURCE and DEST
|
||||
columns no longer cause "shorewall start" to fail.
|
||||
|
||||
11) Comments in the rules file have been added to advise users that
|
||||
"all" in the SOURCE or DEST column does not affect intra-zone
|
||||
traffic.
|
||||
|
||||
12) With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now
|
||||
passed through the blacklisting chains. Without this change, it is
|
||||
not possible to blacklist hosts that are mounting certain types of
|
||||
ICMP-based DOS attacks.
|
||||
|
||||
9) Kernel Modules loading is still screwed up.
|
||||
-----------------------------------------------------------------------
|
||||
Issues when migrating from Shorewall 2.0.1 to Shorewall 2.0.2:
|
||||
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
|
||||
|
||||
1) Extension Scripts
|
||||
|
||||
In order for extension scripts to work properly with the new
|
||||
iptables-save/restore integration (see New Feature 1 below), some
|
||||
change may be required to your extension scripts.
|
||||
|
||||
If your extension scripts are executing commands other than iptables
|
||||
then those commands must also be written to the restore file (a
|
||||
temporary file in /var/lib/shorewall that is renamed
|
||||
/var/lib/shorewall/restore-base at the end of the operation).
|
||||
|
||||
The following functions should be of help:
|
||||
|
||||
A. save_command() -- saves the passed command to the restore file.
|
||||
|
||||
Example:
|
||||
|
||||
save_command echo Operation Complete
|
||||
|
||||
That command would simply write "echo Operation Complete" to the
|
||||
restore file.
|
||||
|
||||
B. run_and_save_command() -- saves the passed command to the restore
|
||||
file then executes it. The return value is the exit status of the
|
||||
command.
|
||||
|
||||
Example:
|
||||
|
||||
run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
|
||||
|
||||
Note that as in this example, when the command involves file
|
||||
redirection then the entire command must be enclosed in quotes. This
|
||||
applies to all of the functions described here.
|
||||
|
||||
C. ensure_and_save_command() -- runs the passed command. If the
|
||||
command fails, the firewall is restored to it's prior saved state
|
||||
and the operation is terminated. If the command succeeds, the
|
||||
command is written to the restore file.
|
||||
|
||||
2) Dynamic Zone support.
|
||||
|
||||
If you don't need to use the "shorewall add" and "shorewall delete"
|
||||
commands, you should set DYNAMIC_ZONES=No in
|
||||
/etc/shorewall/shorewall.conf.
|
||||
1) The 'dropNonSyn' standard builtin action has been replaced with the
|
||||
'dropNotSyn' standard builtin action. The old name can still be used
|
||||
but will generate a warning.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
New Features:
|
||||
|
||||
1) Shorewall has now been integrated with
|
||||
iptables-save/iptables-restore to provide very fast start and
|
||||
restart. The elements of this integration are as follows:
|
||||
1) Shorewall now supports multiple saved configurations.
|
||||
|
||||
a) The 'shorewall save' command now saves the current configuration
|
||||
in addition to the current dynamic blacklist. If you have
|
||||
dynamic zones, you will want to issue 'shorewall save' when the
|
||||
zones are empty or the current contents of the zones will be
|
||||
restored by the 'shorewall restore' and 'shorewall -f start'
|
||||
commands.
|
||||
a) The default saved configuration (restore script) in
|
||||
/var/lib/shorewall is now specified using the RESTOREFILE option
|
||||
in shorewall.conf. If this variable isn't set then to maitain
|
||||
backward compatibility, 'restore' is assumed.
|
||||
|
||||
The value of RESTOREFILE must be a simple file name; no slashes
|
||||
("/") may be included.
|
||||
|
||||
b) The "save" command has been extended to be able to specify the
|
||||
name of a saved configuration.
|
||||
|
||||
b) The 'shorewall restore' command has been added. This command
|
||||
restores the configuration at the time of the last 'save'.
|
||||
shorewall save [ <file name> ]
|
||||
|
||||
c) The -f (fast) option has been added to 'shorewall start'. When
|
||||
specified (e.g. 'shorewall -f start'), shorewall will perform a
|
||||
'shorewall restore' if there is a saved configuration. If there
|
||||
is no saved configuration, a normal 'shorewall start' is
|
||||
performed.
|
||||
The current state is saved to /var/lib/shorewall/<file name>. If
|
||||
no <file name> is given, the configuration is saved to
|
||||
the file determined by the RESTOREFILE setting.
|
||||
|
||||
d) The /etc/init.d/shorewall script now translates the 'start'
|
||||
command into 'shorewall -f start' so that fast restart is
|
||||
possible.
|
||||
c) The "restore" command has been extended to be able to specify
|
||||
the name of a saved configuration:
|
||||
|
||||
e) When a state-changing command encounters an error and there is a
|
||||
current saved configuration, that configuration will be restored
|
||||
(currently, the firewall is placed in the 'stopped' state).
|
||||
shorewall restore [ <file name> ]
|
||||
|
||||
f) If you have previously saved the running configuration and want
|
||||
Shorewall to discard it, use the 'shorewall forget' command.
|
||||
The firewall state is restored from /var/lib/shorewall/<file
|
||||
name>. If no <file name> is given, the firewall state is
|
||||
restored from the file determined by the RESTOREFILE setting.
|
||||
|
||||
WARNING: iptables 1.2.9 is broken with respect to iptables-save;
|
||||
If your kernel has connection tracking match support, you must
|
||||
patch iptables 1.2.9 with the iptables patch availale from
|
||||
the Shorewall errata page.
|
||||
c) The "forget" command has changed. Previously, the command
|
||||
unconditionally removed the /var/lib/shorewall/save file which
|
||||
records the current dynamic blacklist. The "forget" command now
|
||||
leaves that file alone.
|
||||
|
||||
2) The previous implementation of dynamic zones was difficult to
|
||||
maintain. I have changed the code to make dynamic zones optional
|
||||
under the control of the DYNAMIC_ZONES option in
|
||||
/etc/shorewall/shorewall.conf.
|
||||
Also, the "forget" command has been extended to be able to
|
||||
specify the name of a saved configuration:
|
||||
|
||||
3) In earlier Shorewall 2.0 releases, Shorewall searches in order the
|
||||
following directories for configuration files.
|
||||
shorewall forget [ <file name> ]
|
||||
|
||||
a) The directory specified in a 'try' command or specified using
|
||||
the -c option.
|
||||
The file /var/lib/shorewall/<file name> is removed. If no <file
|
||||
name> is given, the file determined by the RESTOREFILE setting
|
||||
is removed.
|
||||
|
||||
b) /etc/shorewall
|
||||
d) The "shorewall -f start" command restores the state from the
|
||||
file determined by the RESTOREFILE setting.
|
||||
|
||||
c) /usr/share/shorewall
|
||||
2) "!" is now allowed in accounting rules.
|
||||
|
||||
In this release, the CONFIG_PATH option is added to shorewall.conf.
|
||||
CONFIG_PATH contains a list of directory names separated by colons
|
||||
(":"). If not set or set to a null value (e.g., CONFIG_PATH="") then
|
||||
"CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed.
|
||||
3) Interface names appearing within the configuration are now
|
||||
verified. Interface names must match the name of an entry in
|
||||
/etc/shorewall/interfaces (or if bridging is enabled, they must
|
||||
match the name of an entry in /etc/shorewall/interfaces or the name
|
||||
of a bridge port appearing in /etc/shorewall/hosts).
|
||||
|
||||
Now Shorewall searches for shorewall.conf according to the old
|
||||
rules and for other configuration files as follows:
|
||||
4) A new 'rejNotSyn' built-in standard action has been added. This
|
||||
action responds to "New not SYN" packets with an RST.
|
||||
|
||||
a) The directory specified in a 'try' command or specified using
|
||||
the -c option.
|
||||
The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
|
||||
action. The old name will be accepted until the next major release
|
||||
of Shorewall but will generate a warning.
|
||||
|
||||
b) Each directory in $CONFIG_PATH is searched in sequence.
|
||||
Several new logging actions involving "New not SYN" packets have
|
||||
been added:
|
||||
|
||||
In case it is not obvious, your CONFIG_PATH should include
|
||||
/usr/share/shorewall and your shorewall.conf file must be in the
|
||||
directory specified via -c or in a try command, in /etc/shorewall
|
||||
or in /usr/share/shorewall.
|
||||
logNewNotSyn -- logs the packet with disposition = LOG
|
||||
dLogNewNotSyn -- logs the packet with disposition = DROP
|
||||
rLogNewNotSyn -- logs the packet with disposition = REJECT
|
||||
|
||||
For distribution packagers, the default CONFIG_PATH is set in
|
||||
/usr/share/shorewall/configpath. You can customize this file to
|
||||
have a default that differs from mine.
|
||||
The packets are logged at the log level specified in the
|
||||
LOGNEWNOTSYN option in shorewall.conf. If than option is empty or
|
||||
not specified, then 'info' is assumed.
|
||||
|
||||
4) Previously, in /etc/shorewall/nat a Yes (or yes) in the LOCAL column
|
||||
would only take effect if the ALL INTERFACES column also contained
|
||||
Yes or yes. Now, the LOCAL columns contents are treated
|
||||
independently of the contents of the ALL INTERFACES column.
|
||||
Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
|
||||
|
||||
5) The folks at Mandrake have created yet another kernel module
|
||||
naming convention (module names end in "ko.gz"). As a consequence,
|
||||
beginning with this release, if MODULE_SUFFIX isn't specified in
|
||||
shorewall.conf, then the default value is "o gz ko o.gz ko.gz".
|
||||
A: To simulate the behavior of NEWNOTSYN=No:
|
||||
|
||||
6) An updated bogons file is included in this release.
|
||||
a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
|
||||
b) Create /etc/shorewall/action.NoNewNotSyn containing:
|
||||
|
||||
7) In /etc/shorewall/rules and in action files generated from
|
||||
/usr/share/shorewall/action.template, rules that perform logging can
|
||||
specify an optional "log tag". A log tag is a string of alphanumeric
|
||||
characters and is specified by following the log level with ":" and
|
||||
the log tag.
|
||||
dLogNotSyn
|
||||
dropNotSyn
|
||||
|
||||
Example:
|
||||
c) Early in your rules file, place:
|
||||
|
||||
ACCEPT:info:ftp net dmz tcp 21
|
||||
NoNewNotSyn all all tcp
|
||||
|
||||
The log tag is appended to the log prefix generated by the LOGPREFIX
|
||||
variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log
|
||||
prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will
|
||||
generate "Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank).
|
||||
The maximum length of a log prefix supported by iptables is 29
|
||||
characters; if a larger prefix is generated, Shorewall will issue a
|
||||
warning message and will truncate the prefix to 29 characters.
|
||||
B: Drop 'New not SYN' packets from the net only. Don't log them.
|
||||
|
||||
8) A new "-q" option has been added to /sbin/shorewall commands. It
|
||||
causes the start, restart, check and refresh commands to produce
|
||||
much less output so that warning messages are more visible (when
|
||||
testing this change, I discovered a bug where a bogus warning
|
||||
message was being generated).
|
||||
a) Early in your rules file, place:
|
||||
|
||||
9) Shorewall now uses 'modprobe' to load kernel modules if that utility
|
||||
is available in the PATH; otherwise, 'insmod' is used.
|
||||
dropNotSyn net all tcp
|
||||
|
||||
10) It is now possible to restrict entries in the /etc/shorewall/masq
|
||||
file to particular protocols and destination port(s). Two new
|
||||
columns (PROTO and PORT(S)) have been added to the file.
|
||||
5) Slackware users no longer have to modify the install.sh script
|
||||
before installation. Tuomo Soini has provided a change that allows
|
||||
the INIT and FIREWALL variables to be specified outside the script
|
||||
as in:
|
||||
|
||||
Example:
|
||||
DEST=/etc/rc.d INIT=rc.firewall ./install.sh
|
||||
|
||||
You want all outgoing SMTP traffic entering the firewall
|
||||
on eth1 to be sent from eth0 with source IP address
|
||||
206.124.146.177. You want all other outgoing traffic
|
||||
from eth1 to be sent from eth0 with source IP address
|
||||
206.124.146.176.
|
||||
|
||||
eth0 eth1 206.124.146.177 tcp 25
|
||||
eth0 eth1 206.124.146.176
|
||||
|
||||
|
||||
THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
|
||||
|
||||
Assuming that 10.0.0.0/8 is the only host/network connected
|
||||
to eth1, the progress message at "shorewall start" would be:
|
||||
|
||||
Masqueraded Networks and Hosts:
|
||||
To 0.0.0.0/0 (tcp 25) from 10.0.0.0/8 through eth0 using 206.124.146.177
|
||||
To 0.0.0.0/0 (all) from 10.0.0.0/8 through eth0 using 206.124.146.176
|
||||
|
||||
11) Two new actions are available in the /etc/shorewall/rules file.
|
||||
|
||||
ACCEPT+ -- Behaves like ACCEPT with the exception that it exempts
|
||||
matching connections from subsequent DNAT[-] and
|
||||
REDIRECT[-] rules.
|
||||
|
||||
NONAT -- Exempts matching connections from subsequent DNAT[-]
|
||||
and REDIRECT[-] rules.
|
||||
|
||||
12) A new extension script 'initdone' has been added. This script is invoked
|
||||
at the same point as the 'common' script was previously and is useful for
|
||||
users who mis-used that script under Shorewall 1.x (the script was intended
|
||||
for adding rules to the 'common' chain but many users treated it as a script
|
||||
for adding rules before Shorewall's).
|
||||
|
||||
13) Installing/Upgrading Shorewall on Slackware has been
|
||||
improved. Slackware users must use the tarball and must modify
|
||||
settings in the install.sh script before running it as follows:
|
||||
|
||||
DEST="/etc/rc.d"
|
||||
INIT="rc.firewall"
|
||||
|
||||
Thanks to Alex Wilms for helping with this change.
|
||||
|
@ -93,6 +93,10 @@
|
||||
# excluded from the rule by following the zone name with
|
||||
# "!' and a comma-separated list of sub-zone names.
|
||||
#
|
||||
# When "all" is used either in the SOURCE or DEST column
|
||||
# intra-zone traffic is not affected. You must add
|
||||
# separate rules to handle that traffic.
|
||||
#
|
||||
# Except when "all" is specified, clients may be further
|
||||
# restricted to a list of subnets and/or hosts by
|
||||
# appending ":" and a comma-separated list of subnets
|
||||
@ -123,6 +127,10 @@
|
||||
# /etc/shorewall/zones, $FW to indicate the firewall
|
||||
# itself or "all"
|
||||
#
|
||||
# When "all" is used either in the SOURCE or DEST column
|
||||
# intra-zone traffic is not affected. You must add
|
||||
# separate rules to handle that traffic.
|
||||
#
|
||||
# Except when "all" is specified, the server may be
|
||||
# further restricted to a particular subnet, host or
|
||||
# interface by appending ":" and the subnet, host or
|
||||
|
@ -76,14 +76,17 @@
|
||||
# listed address(es)
|
||||
# shorewall allow <address> ... Reenable address(es) previously
|
||||
# disabled with "drop" or "reject"
|
||||
# shorewall save Save the list of "rejected" and
|
||||
# shorewall save [ <file> ] Save the list of "rejected" and
|
||||
# "dropped" addresses so that it will
|
||||
# be automatically reinstated the
|
||||
# next time that Shorewall starts.
|
||||
# Save the current state so that 'shorewall
|
||||
# restore' can be used.
|
||||
#
|
||||
# shorewall forget Discard the data saved by 'shorewall save'
|
||||
# shorewall forget [ <file> ] Discard the data saved by 'shorewall save'
|
||||
#
|
||||
# shorewall restore [ <file> ] Restore the state of the firewall from
|
||||
# previously saved information.
|
||||
#
|
||||
# shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ]
|
||||
#
|
||||
@ -131,6 +134,19 @@ showchain() # $1 = name of chain
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Validate the value of RESTOREFILE
|
||||
#
|
||||
validate_restorefile() # $* = label
|
||||
{
|
||||
case $RESTOREFILE in
|
||||
*/*)
|
||||
echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2
|
||||
exit 2
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
# Set the configuration variables from shorewall.conf
|
||||
#
|
||||
@ -160,11 +176,17 @@ get_config() {
|
||||
|
||||
if [ -n "$SHOREWALL_SHELL" ]; then
|
||||
if [ ! -e "$SHOREWALL_SHELL" ]; then
|
||||
echo "The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
|
||||
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
[ -n "$RESTOREFILE" ] || RESTOREFILE=restore
|
||||
|
||||
validate_restorefile RESTOREFILE
|
||||
|
||||
export RESTOREFILE
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
@ -535,7 +557,7 @@ help()
|
||||
#
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] <command>"
|
||||
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
|
||||
echo "where <command> is one of:"
|
||||
echo " add <interface>[:<host>] <zone>"
|
||||
echo " allow <address> ..."
|
||||
@ -543,7 +565,7 @@ usage() # $1 = exit status
|
||||
echo " clear"
|
||||
echo " delete <interface>[:<host>] <zone>"
|
||||
echo " drop <address> ..."
|
||||
echo " forget"
|
||||
echo " forget [ <file name> ]"
|
||||
echo " help [ <command > | host | address ]"
|
||||
echo " hits"
|
||||
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
|
||||
@ -554,8 +576,8 @@ usage() # $1 = exit status
|
||||
echo " reject <address> ..."
|
||||
echo " reset"
|
||||
echo " restart"
|
||||
echo " restore"
|
||||
echo " save"
|
||||
echo " restore [ <file name> ]"
|
||||
echo " save [ <file name> ]"
|
||||
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
|
||||
echo " start"
|
||||
echo " stop"
|
||||
@ -735,11 +757,14 @@ case "$1" in
|
||||
[ $# -ne 1 ] && usage 1
|
||||
get_config
|
||||
if [ -n "$FAST" ]; then
|
||||
if [ -f /var/lib/shorewall/restore ]; then
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
echo Restoring Shorewall...
|
||||
. /var/lib/shorewall/restore
|
||||
$RESTOREPATH
|
||||
date > $STATEDIR/restarted
|
||||
echo Shorewall restored
|
||||
echo Shorewall restored from $RESTOREPATH
|
||||
else
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
|
||||
fi
|
||||
@ -963,28 +988,57 @@ case "$1" in
|
||||
;;
|
||||
save)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -ne 1 ] && usage 1
|
||||
|
||||
get_config
|
||||
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
2)
|
||||
RESTOREFILE="$2"
|
||||
validate_restorefile '<restore file>'
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
mutex_on
|
||||
|
||||
if qt iptables -L shorewall -n; then
|
||||
[ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
|
||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||
|
||||
if iptables -L dynamic -n > /var/lib/shorewall/save; then
|
||||
echo " Dynamic Rules Saved"
|
||||
if [ -f /var/lib/shorewall/restore-base ]; then
|
||||
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
|
||||
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
|
||||
echo EOF >> /var/lib/shorewall/restore-$$
|
||||
mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore
|
||||
chmod +x /var/lib/shorewall/restore
|
||||
echo " Currently-running Configuration Saved"
|
||||
else
|
||||
rm -f /var/lib/shorewall/restore-$$
|
||||
echo " ERROR: Currently-running Configuration Not Saved"
|
||||
fi
|
||||
fi
|
||||
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
|
||||
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
|
||||
else
|
||||
echo "Error Saving the Dynamic Rules"
|
||||
case $RESTOREFILE in
|
||||
save|restore-base)
|
||||
echo " ERROR: Reserved file name: save"
|
||||
;;
|
||||
*)
|
||||
if iptables -L dynamic -n > /var/lib/shorewall/save; then
|
||||
echo " Dynamic Rules Saved"
|
||||
if [ -f /var/lib/shorewall/restore-base ]; then
|
||||
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
|
||||
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
|
||||
echo __EOF__ >> /var/lib/shorewall/restore-$$
|
||||
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
|
||||
chmod +x $RESTOREPATH
|
||||
echo " Currently-running Configuration Saved to $RESTOREPATH"
|
||||
else
|
||||
rm -f /var/lib/shorewall/restore-$$
|
||||
echo " ERROR: Currently-running Configuration Not Saved"
|
||||
fi
|
||||
else
|
||||
echo " ERROR: /var/lib/shorewall/restore-base does not exist"
|
||||
fi
|
||||
else
|
||||
echo "Error Saving the Dynamic Rules"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
else
|
||||
echo "Shorewall isn't started"
|
||||
@ -992,9 +1046,28 @@ case "$1" in
|
||||
mutex_off
|
||||
;;
|
||||
forget)
|
||||
rm -f /var/lib/shorewall/restore
|
||||
rm -f /var/lib/shorewall/save
|
||||
echo " Previously saved information discarded"
|
||||
get_config
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
2)
|
||||
RESTOREFILE="$2"
|
||||
validate_restorefile '<restore file>'
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
rm -f $RESTOREPATH
|
||||
echo " $RESTOREPATH removed"
|
||||
elif [ -f $RESTOREPATH ]; then
|
||||
echo " ERROR: $RESTOREPATH is not a restore script"
|
||||
fi
|
||||
;;
|
||||
ipcalc)
|
||||
[ -n "$debugging" ] && set -x
|
||||
@ -1032,12 +1105,26 @@ case "$1" in
|
||||
esac
|
||||
;;
|
||||
restore)
|
||||
if [ -f /var/lib/shorewall/restore ]; then
|
||||
get_config
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
2)
|
||||
RESTOREFILE="$2"
|
||||
validate_restorefile '<restore file>'
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
echo Restoring Shorewall...
|
||||
. /var/lib/shorewall/restore
|
||||
echo Shorewall restored
|
||||
$RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
|
||||
else
|
||||
echo "File /var/lib/shorewall/restore: file not found"
|
||||
echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
|
||||
exit 2
|
||||
fi
|
||||
;;
|
||||
|
@ -258,6 +258,24 @@ MODULESDIR=
|
||||
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
|
||||
|
||||
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
|
||||
|
||||
#
|
||||
# RESTORE SCRIPT
|
||||
#
|
||||
# This option determines the script to be run in the following cases:
|
||||
#
|
||||
# shorewall -f start
|
||||
# shorewall restore
|
||||
# shorewall save
|
||||
# shorewall forget
|
||||
# Failure of shorewall start or shorewall restart
|
||||
#
|
||||
# The value of the option must be the name of an executable file in the
|
||||
# directory /var/lib/shorewall. If this option is not set or if it is
|
||||
# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
|
||||
# assumed.
|
||||
|
||||
RESTOREFILE=
|
||||
################################################################################
|
||||
# F I R E W A L L O P T I O N S
|
||||
################################################################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 2.0.2f
|
||||
%define version 2.0.3
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -68,7 +68,7 @@ if [ $1 = 0 ]; then
|
||||
fi
|
||||
|
||||
%files
|
||||
/etc/init.d/shorewall
|
||||
%attr(0544,root,root) /etc/init.d/shorewall
|
||||
%attr(0700,root,root) %dir /etc/shorewall
|
||||
%attr(0700,root,root) %dir /usr/share/shorewall
|
||||
%attr(0700,root,root) %dir /var/lib/shorewall
|
||||
@ -141,16 +141,14 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Thu Jun 03 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.2f-1
|
||||
* Sat May 29 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.2e-1
|
||||
* Thu May 27 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.2d-1
|
||||
* Fri May 21 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.2c-1
|
||||
* Mon May 17 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.2b-1
|
||||
* Wed Jun 23 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.2-1
|
||||
* Sat Jun 19 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.2-0RC2
|
||||
* Tue Jun 15 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.2-0RC1
|
||||
* Mon Jun 14 2004 Tom Eastep tom@shorewall.net
|
||||
- Added %attr spec for /etc/init.d/shorewall
|
||||
* Sat May 15 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.2a-1
|
||||
* Thu May 13 2004 Tom Eastep tom@shorewall.net
|
||||
|
@ -59,6 +59,13 @@ gateway="x.x.x.x"
|
||||
|
||||
subnet="192.168.9.0/24"
|
||||
|
||||
# GRE Key -- set this to a number or to a dotted quad if you want
|
||||
# a keyed GRE tunnel. You must specify a KEY if you
|
||||
# intend to load ip_conntrack_proto_gre on either
|
||||
# gateway system
|
||||
|
||||
key=
|
||||
|
||||
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
|
||||
|
||||
load_modules () {
|
||||
@ -101,7 +108,7 @@ do_start() {
|
||||
|
||||
case $tunnel_type in
|
||||
gre)
|
||||
ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255
|
||||
ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255 ${key:+key $key)
|
||||
;;
|
||||
*)
|
||||
ip tunnel add $tunnel mode ipip remote $gateway
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=2.0.2f
|
||||
VERSION=2.0.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=2.0.3-RC2
|
||||
VERSION=2.0.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
|
||||
VERSION=2.0.3-RC2
|
||||
VERSION=2.0.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall
|
||||
%define version 2.0.3
|
||||
%define release 0RC2
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
@ -141,6 +141,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Wed Jun 23 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.2-1
|
||||
* Sat Jun 19 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.2-0RC2
|
||||
* Tue Jun 15 2004 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=2.0.3-RC2
|
||||
VERSION=2.0.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user