Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code
This commit is contained in:
commit
d6f8cda2d5
@ -387,7 +387,7 @@ do_save() {
|
|||||||
status=0
|
status=0
|
||||||
|
|
||||||
if [ -f ${VARDIR}/firewall ]; then
|
if [ -f ${VARDIR}/firewall ]; then
|
||||||
if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
|
if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
|
||||||
cp -f ${VARDIR}/firewall $g_restorepath
|
cp -f ${VARDIR}/firewall $g_restorepath
|
||||||
mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
|
mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
|
||||||
chmod +x $g_restorepath
|
chmod +x $g_restorepath
|
||||||
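Review bot: The new filter on the `if $iptables_save` line, `grep -v -- '-A dynamic.* -j ACCEPT'`, is unanchored, so it also drops a rule from any other chain whose name begins with `dynamic` or whose rule text happens to contain that substring, while the stop/clear/restore hunks at `@ -2418`, `@ -2433` and `@ -7953` use an anchored `^-A dynamic` plus a fixed-string `fgrep -v -- '-j ACCEPT'`; the save path should use the same anchored form, e.g. `grep -v -- '^-A dynamic .*-j ACCEPT'`. With the test for "temporary open rule" now written four times in two different spellings, a single shared pattern or helper would keep them from drifting apart. Note also that the `if` now reports grep's exit status rather than `$iptables_save`'s, so a failing save whose partial output still contains a non-matching line is treated as success; that was already true of the `iptablesbug` pipe, but a one-line comment above the `if` saying so would help the next reader. do_save's body continues on both sides of this hunk.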
@ -1224,6 +1224,15 @@ show_command() {
|
|||||||
echo
|
echo
|
||||||
show_bl;
|
show_bl;
|
||||||
;;
|
;;
|
||||||
|
opens)
|
||||||
|
[ $# -gt 1 ] && usage 1
|
||||||
|
echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
|
||||||
|
|
||||||
|
if chain_exists dynamic; then
|
||||||
|
$g_tool -t filter -L dynamic $g_ipt_options | head -n2
|
||||||
|
$g_tool -t filter -L dynamic $g_ipt_options | fgrep ACCEPT | $output_filter
|
||||||
|
fi
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
case "$g_program" in
|
case "$g_program" in
|
||||||
*-lite)
|
*-lite)
|
||||||
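Review bot: `fgrep ACCEPT` on the second `$g_tool -t filter -L dynamic` line selects every listing line that contains the string anywhere, not only rules whose target is ACCEPT, so a rule whose comment or match text mentions ACCEPT would be reported as an open. Restricting the match to the target column, e.g. `awk '$1 == "ACCEPT"'` when `$g_ipt_options` does not add the `-v` counters columns (how it is set is not visible here), would be more precise. `fgrep` is also obsolescent in favour of `grep -F`, although the rest of this file already uses `fgrep`, so that is a project-wide choice rather than something to fix in this hunk. The enclosing `case` of show_command begins and ends outside the hunk.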
@ -2080,49 +2089,68 @@ open_close_command() {
|
|||||||
local command
|
local command
|
||||||
local desc
|
local desc
|
||||||
|
|
||||||
chain_exists dynamic || fatal_error "The $COMMAND command requires the firewall to be running with DYNAMIC_BLACKLIST enabled"
|
product_is_started || fatal_error "The $COMMAND command requires the firewall to be running"
|
||||||
|
chain_exists dynamic || fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration"
|
||||||
[ $COMMAND = open ] && command='-I dynamic' || command='-D dynamic'
|
|
||||||
|
|
||||||
[ $# -ge 2 ] || fatal_error "Too few parameters"
|
[ $# -ge 2 ] || fatal_error "Too few parameters"
|
||||||
[ $# -le 4 ] || fatal_error "Too many parameters"
|
[ $# -le 4 ] || fatal_error "Too many parameters"
|
||||||
|
|
||||||
if [ $1 = all ]; then
|
if [ $1 = all ]; then
|
||||||
desc="from *"
|
command=dynamic
|
||||||
else
|
else
|
||||||
command="$command -s $1"
|
command="dynamic -s $1"
|
||||||
desc="from $1"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $2 = all ]; then
|
if [ $2 != all ]; then
|
||||||
desc="$desc to *"
|
|
||||||
else
|
|
||||||
command="$command -d $2"
|
command="$command -d $2"
|
||||||
desc="$desc to $2"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
desc="from $1 to $2"
|
||||||
|
|
||||||
if [ $# -ge 3 ]; then
|
if [ $# -ge 3 ]; then
|
||||||
command="$command -p $3"
|
command="$command -p $3"
|
||||||
|
|
||||||
|
case $3 in
|
||||||
|
[0-9]*)
|
||||||
desc="$desc protocol $3"
|
desc="$desc protocol $3"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
desc="$desc $3"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $# -eq 4 ]; then
|
if [ $# -eq 4 ]; then
|
||||||
command="$command --dport $4"
|
command="$command -m multiport --dports $4"
|
||||||
desc="$desc port $4"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if $g_tool $command -j ACCEPT; then
|
case $4 in
|
||||||
case $COMMAND in
|
[0-9]*,)
|
||||||
open)
|
desc="$desc ports $4"
|
||||||
echo "Firewall opened for connections $desc"
|
;;
|
||||||
|
[0-9]*)
|
||||||
|
desc="$desc port $4"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
echo "Firewall closed for connections $desc (may still be permitted by rules/policies)"
|
desc="$desc $4"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
|
command="$command -j ACCEPT"
|
||||||
|
|
||||||
|
if [ $COMMAND = open ]; then
|
||||||
|
if $g_tool -I $command ; then
|
||||||
|
echo "Firewall dynamically opened for connections $desc"
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
else
|
||||||
|
if $g_tool -D $command 2> /dev/null; then
|
||||||
|
echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
fatal_error "Connections $desc are not currently opened"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
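Review bot: A failed `open` now returns success silently: in the new `if [ $COMMAND = open ]` branch the only path after `$g_tool -I $command` fails is falling off the end of the inner `if`, which yields status 0 and prints nothing from Shorewall, whereas the `close` branch ends with `fatal_error`. Add a matching failure after the inner `fi` of the open branch, e.g. `fatal_error "Unable to open connections $desc"`. Separately, the new `case $4 in [0-9]*,)` pattern only matches a value that ends with a comma, so a multiport list such as `22,80` gets the singular `port` label; `[0-9]*,*)` expresses the intended "contains a comma" test. Since `-D $command` removes a single copy of the rule, an `open` issued twice needs two `close` calls, which is worth a comment above the `-D` line. open_close_command's signature is outside the hunk.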
@ -3721,6 +3749,7 @@ usage() # $1 = exit status
|
|||||||
echo " [ show | list | ls ] [ -m ] log [<regex>]"
|
echo " [ show | list | ls ] [ -m ] log [<regex>]"
|
||||||
echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
|
echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
|
||||||
echo " [ show | list | ls ] nfacct"
|
echo " [ show | list | ls ] nfacct"
|
||||||
|
echo " [ show | list | ls ] opens"
|
||||||
echo " [ show | list | ls ] policies"
|
echo " [ show | list | ls ] policies"
|
||||||
echo " [ show | list | ls ] routing"
|
echo " [ show | list | ls ] routing"
|
||||||
echo " [ show | list | ls ] tc [ device ]"
|
echo " [ show | list | ls ] tc [ device ]"
|
||||||
|
@ -865,19 +865,22 @@
|
|||||||
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
||||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
|
||||||
(5)</ulink>. The effect of the command is to temporarily open the
|
(5)</ulink>. The effect of the command is to temporarily open the
|
||||||
firewall for connections matching the parameters. The
|
firewall for connections matching the parameters.</para>
|
||||||
<replaceable>source</replaceable> and
|
|
||||||
|
<para>The <replaceable>source</replaceable> and
|
||||||
<replaceable>dest</replaceable> parameters may each be specified as
|
<replaceable>dest</replaceable> parameters may each be specified as
|
||||||
<emphasis role="bold">all</emphasis> if you don't wish to restrict
|
<emphasis role="bold">all</emphasis> if you don't wish to restrict
|
||||||
the connection source or destination respectively. The
|
the connection source or destination respectively. Otherwise, each
|
||||||
<replaceable>protocol</replaceable> may be specified either as a
|
must contain a host or network address or a valid DNS name.</para>
|
||||||
number or as a name listed in /etc/protocols. The
|
|
||||||
<replaceable>port</replaceable> must be specified
|
<para>The <replaceable>protocol</replaceable> may be specified
|
||||||
numerically.</para>
|
either as a number or as a name listed in /etc/protocols. The
|
||||||
|
<replaceable>port</replaceable> may be specified numerically or as a
|
||||||
|
name listed in /etc/services.</para>
|
||||||
|
|
||||||
<para>To reverse the effect of a successful <command>open</command>
|
<para>To reverse the effect of a successful <command>open</command>
|
||||||
command, use the <command>close</command> command with the same
|
command, use the <command>close</command> command with the same
|
||||||
parameters.</para>
|
parameters or simply restart the firewall.</para>
|
||||||
|
|
||||||
<para>Example: To open the firewall for SSH connections to address
|
<para>Example: To open the firewall for SSH connections to address
|
||||||
192.168.1.1, the command would be:</para>
|
192.168.1.1, the command would be:</para>
|
||||||
@ -1157,6 +1160,16 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">opens</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
|
||||||
|
the 'dynamic' chain created through use of the <command>open
|
||||||
|
</command>command..</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">policies</emphasis></term>
|
<term><emphasis role="bold">policies</emphasis></term>
|
||||||
|
|
||||||
|
@ -7953,7 +7953,7 @@ else
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if chain_exists dynamic; then
|
if chain_exists dynamic; then
|
||||||
$tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic
|
$tool -S dynamic | tail -n +2 | fgrep -v -- '-j ACCEPT' > \${VARDIR}/.dynamic
|
||||||
else
|
else
|
||||||
rm -f \${VARDIR}/.dynamic
|
rm -f \${VARDIR}/.dynamic
|
||||||
fi
|
fi
|
||||||
|
@ -2418,7 +2418,7 @@ EOF
|
|||||||
case $COMMAND in
|
case $COMMAND in
|
||||||
stop|clear|restore)
|
stop|clear|restore)
|
||||||
if chain_exists dynamic; then
|
if chain_exists dynamic; then
|
||||||
${IPTABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
|
${IPTABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
@ -2433,7 +2433,7 @@ EOF
|
|||||||
case $COMMAND in
|
case $COMMAND in
|
||||||
stop|clear|restore)
|
stop|clear|restore)
|
||||||
if chain_exists dynamic; then
|
if chain_exists dynamic; then
|
||||||
${IP6TABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
|
${IP6TABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
|
@ -1712,6 +1712,7 @@ usage() # $1 = exit status
|
|||||||
echo " [ show | list | ls ] marks"
|
echo " [ show | list | ls ] marks"
|
||||||
echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing"
|
echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing"
|
||||||
echo " [ show | list | ls ] nfacct"
|
echo " [ show | list | ls ] nfacct"
|
||||||
|
echo " [ show | list | ls ] opens"
|
||||||
echo " [ show | list | ls ] policies"
|
echo " [ show | list | ls ] policies"
|
||||||
echo " [ show | list | ls ] routing"
|
echo " [ show | list | ls ] routing"
|
||||||
echo " [ show | list | ls ] tc [ device ]"
|
echo " [ show | list | ls ] tc [ device ]"
|
||||||
|
@ -1320,19 +1320,22 @@
|
|||||||
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
||||||
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
|
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
|
||||||
(5)</ulink>. The effect of the command is to temporarily open the
|
(5)</ulink>. The effect of the command is to temporarily open the
|
||||||
firewall for connections matching the parameters. The
|
firewall for connections matching the parameters.</para>
|
||||||
<replaceable>source</replaceable> and
|
|
||||||
|
<para>The <replaceable>source</replaceable> and
|
||||||
<replaceable>dest</replaceable> parameters may each be specified as
|
<replaceable>dest</replaceable> parameters may each be specified as
|
||||||
<emphasis role="bold">all</emphasis> if you don't wish to restrict
|
<emphasis role="bold">all</emphasis> if you don't wish to restrict
|
||||||
the connection source or destination respectively. The
|
the connection source or destination respectively. Otherwise, each
|
||||||
<replaceable>protocol</replaceable> may be specified either as a
|
must contain a host or network address or a valid DNS name.</para>
|
||||||
number or as a name listed in /etc/protocols. The
|
|
||||||
<replaceable>port</replaceable> must be specified
|
<para>The <replaceable>protocol</replaceable> may be specified
|
||||||
numerically.</para>
|
either as a number or as a name listed in /etc/protocols. The
|
||||||
|
<replaceable>port</replaceable> may be specified numerically or as a
|
||||||
|
name listed in /etc/services.</para>
|
||||||
|
|
||||||
<para>To reverse the effect of a successful <command>open</command>
|
<para>To reverse the effect of a successful <command>open</command>
|
||||||
command, use the <command>close</command> command with the same
|
command, use the <command>close</command> command with the same
|
||||||
parameters.</para>
|
parameters or simply restart the firewall.</para>
|
||||||
|
|
||||||
<para>Example: To open the firewall for SSH connections to address
|
<para>Example: To open the firewall for SSH connections to address
|
||||||
192.168.1.1, the command would be:</para>
|
192.168.1.1, the command would be:</para>
|
||||||
@ -1844,6 +1847,16 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">opens</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
|
||||||
|
the 'dynamic' chain created through use of the <command>open
|
||||||
|
</command>command..</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">policies</emphasis></term>
|
<term><emphasis role="bold">policies</emphasis></term>
|
||||||
|
|
||||||
|
@ -883,19 +883,22 @@
|
|||||||
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
||||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
|
||||||
(5)</ulink>. The effect of the command is to temporarily open the
|
(5)</ulink>. The effect of the command is to temporarily open the
|
||||||
firewall for connections matching the parameters. The
|
firewall for connections matching the parameters.</para>
|
||||||
<replaceable>source</replaceable> and
|
|
||||||
|
<para>The <replaceable>source</replaceable> and
|
||||||
<replaceable>dest</replaceable> parameters may each be specified as
|
<replaceable>dest</replaceable> parameters may each be specified as
|
||||||
<emphasis role="bold">all</emphasis> if you don't wish to restrict
|
<emphasis role="bold">all</emphasis> if you don't wish to restrict
|
||||||
the connection source or destination respectively. The
|
the connection source or destination respectively. Otherwise, each
|
||||||
<replaceable>protocol</replaceable> may be specified either as a
|
must contain a host or network address or a valid DNS name.</para>
|
||||||
number or as a name listed in /etc/protocols. The
|
|
||||||
<replaceable>port</replaceable> must be specified
|
<para>The <replaceable>protocol</replaceable> may be specified
|
||||||
numerically.</para>
|
either as a number or as a name listed in /etc/protocols. The
|
||||||
|
<replaceable>port</replaceable> may be specified numerically or as a
|
||||||
|
name listed in /etc/services.</para>
|
||||||
|
|
||||||
<para>To reverse the effect of a successful <command>open</command>
|
<para>To reverse the effect of a successful <command>open</command>
|
||||||
command, use the <command>close</command> command with the same
|
command, use the <command>close</command> command with the same
|
||||||
parameters.</para>
|
parameters or simply restart the firewall.</para>
|
||||||
|
|
||||||
<para>Example: To open the firewall for SSH connections to address
|
<para>Example: To open the firewall for SSH connections to address
|
||||||
2001:470:b:227::1, the command would be:</para>
|
2001:470:b:227::1, the command would be:</para>
|
||||||
@ -1168,6 +1171,16 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">opens</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
|
||||||
|
the 'dynamic' chain created through use of the <command>open
|
||||||
|
</command>command..</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">nat</emphasis></term>
|
<term><emphasis role="bold">nat</emphasis></term>
|
||||||
|
|
||||||
|
@ -1231,19 +1231,22 @@
|
|||||||
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
||||||
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
|
||||||
(5)</ulink>. The effect of the command is to temporarily open the
|
(5)</ulink>. The effect of the command is to temporarily open the
|
||||||
firewall for connections matching the parameters. The
|
firewall for connections matching the parameters.</para>
|
||||||
<replaceable>source</replaceable> and
|
|
||||||
|
<para>The <replaceable>source</replaceable> and
|
||||||
<replaceable>dest</replaceable> parameters may each be specified as
|
<replaceable>dest</replaceable> parameters may each be specified as
|
||||||
<emphasis role="bold">all</emphasis> if you don't wish to restrict
|
<emphasis role="bold">all</emphasis> if you don't wish to restrict
|
||||||
the connection source or destination respectively. The
|
the connection source or destination respectively. Otherwise, each
|
||||||
<replaceable>protocol</replaceable> may be specified either as a
|
must contain a host or network address or a valid DNS name.</para>
|
||||||
number or as a name listed in /etc/protocols. The
|
|
||||||
<replaceable>port</replaceable> must be specified
|
<para>The <replaceable>protocol</replaceable> may be specified
|
||||||
numerically.</para>
|
either as a number or as a name listed in /etc/protocols. The
|
||||||
|
<replaceable>port</replaceable> may be specified numerically or as a
|
||||||
|
name listed in /etc/services.</para>
|
||||||
|
|
||||||
<para>To reverse the effect of a successful <command>open</command>
|
<para>To reverse the effect of a successful <command>open</command>
|
||||||
command, use the <command>close</command> command with the same
|
command, use the <command>close</command> command with the same
|
||||||
parameters.</para>
|
parameters or simply restart the firewall.</para>
|
||||||
|
|
||||||
<para>Example: To open the firewall for SSH connections to address
|
<para>Example: To open the firewall for SSH connections to address
|
||||||
2001:470:b:227::1, the command would be:</para>
|
2001:470:b:227::1, the command would be:</para>
|
||||||
@ -1725,6 +1728,16 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">opens</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
|
||||||
|
the 'dynamic' chain created through use of the <command>open
|
||||||
|
</command>command..</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">policies</emphasis></term>
|
<term><emphasis role="bold">policies</emphasis></term>
|
||||||
|
|
||||||
|