Shorewall 2.2.4

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2070 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

STABLE2/action.template

@@ -11,6 +11,9 @@
 #	2. Copy this file to /etc/shorewall/action.<action name>
 #	3. Add the desired rules to that file.
 #
+#	Please see http://shorewall.net/Actions.html for additional
+#	information.
+#
 # Columns are:
 #
 #

STABLE2/actions

@@ -8,7 +8,7 @@
 #
 #	ACTION names should begin with an upper-case letter to
 #	distinguish them from Shorewall-generated chain names and
-#	they must need the requirements of a Netfilter chain. If
+#	they must meet the requirements of a Netfilter chain. If
 #	you intend to log from the action then the name must be
 #	no longer than 11 character in length. Names must also
 #	meet the requirements for a Bourne Shell identifier (must
@@ -24,6 +24,9 @@
 #	If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
 #	itself, the associated policy will have no common action.
 #
+#	Please see http://shorewall.net/Actions.html for additional
+#	information.
+#
 #ACTION
 
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

STABLE2/actions.std

@@ -1,6 +1,8 @@
 #
 # Shorewall 2.2 /usr/share/shorewall/actions.std
 #
+#	Please see http://shorewall.net/Actions.html for additional
+#	information.
 #
 # Builtin Actions are:
 #
@@ -12,6 +14,10 @@
 #                       #conntrack state.
 #    allowInvalid	#Accept packets that are in the INVALID
 #			#conntrack state.
+#    allowoutUPnP       #Allow traffic from local command 'upnpd'
+#    allowinUPnP        #Allow UPnP inbound (to firewall) traffic
+#    forwardUPnP	#Allow traffic that upnpd has redirected from
+#			#'upnp' interfaces.
 #
 #ACTION
 

STABLE2/blacklist

@@ -38,6 +38,9 @@
 # ADDRESS/SUBNET	PROTOCOL	PORT
 # 192.0.2.126		udp		53
 #
+# Please see http://shorewall.net/blacklisting_support.htm for additional 
+# information.
+#
 ###############################################################################
 #ADDRESS/SUBNET		PROTOCOL	PORT
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

STABLE2/bogons

@@ -44,11 +44,9 @@
 31.0.0.0/8		logdrop		# Reserved
 36.0.0.0/7		logdrop		# Reserved
 39.0.0.0/8		logdrop		# Reserved
-41.0.0.0/8		logdrop		# Reserved
 42.0.0.0/8		logdrop		# Reserved
 49.0.0.0/8		logdrop		# JTC - Returned to IANA Mar 98
 50.0.0.0/8		logdrop		# JTC - Returned to IANA Mar 98
-73.0.0.0/8		logdrop		# Reserved
 74.0.0.0/7		logdrop		# Reserved
 76.0.0.0/6		logdrop		# Reserved
 89.0.0.0/8		logdrop		# Reserved

STABLE2/changelog.txt

@@ -1,3 +1,30 @@
+Changes in 2.2.4
+
+1) Added support for UPnP
+
+2) Add 'started' hook.
+
+3) Make an error message more self-explanatory
+
+4) Report Owner Match capability
+
+5) Add Paul Traina's patch to install.sh.
+
+6) Allow startup options to be overridden in /etc/sysconfig/shorewall
+   or /etc/default/shorewall.
+
+7) Add support for SAME
+
+8) Add 'shorewall show capabilities'
+
+8) Add '-v' option
+
+9) Allow 'none' in /etc/shorewall/rules.
+
+10) Add error message for invalid HOST(S) column contents.
+
+11) Apply Christian Rodriguez's patch for Slackware install.
+
 Changes in 2.2.3
 
 1) Added the 'continue' extension script.

STABLE2/continue

@@ -4,3 +4,5 @@
 # Add commands below that you want to be executed after shorewall has
 # cleared any existing Netfilter rules and has enabled existing connections.
 #
+# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
+#

STABLE2/ecn

@@ -15,6 +15,8 @@
 #			  0.0.0.0/0 is assumed. If your kernel and iptables
 #			  include iprange match support then IP address ranges
 #			  are also permitted.
+#
+# For additional information, see http://shorewall.net/Documentation.htm#ECN
 ##############################################################################
 #INTERFACE	HOST(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

STABLE2/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=2.2.3
+VERSION=2.2.4
 
 usage() # $1 = exit status
 {

STABLE2/firewall

@@ -937,7 +937,7 @@ validate_interfaces_file() {
 
 	for option in $options; do
 	    case $option in
-		dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|-)
+		dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
 		    ;;
 		detectnets)
 		    [ -n "$wildcard" ] && \
@@ -975,6 +975,9 @@ validate_hosts_file() {
        r="$z $hosts $options"
        validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\""
 
+       case $hosts in
+	   *:*)
+
 	       interface=${hosts%%:*}
 	       iface=$(chain_base $interface)
 
@@ -982,6 +985,11 @@ validate_hosts_file() {
 		   startup_error "Unknown interface ($interface) in record \"$r\""
 
 	       hosts=${hosts#*:}
+	       ;;
+	   *)
+	       fatal_error "Invalid HOST(S) column contents: $hosts"
+	       ;;
+       esac
 
        eval ports=\$${iface}_ports
        eval zports=\$${z}_ports
@@ -2826,6 +2834,12 @@ check_config() {
 	[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
     fi
 
+    [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
+
+    if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
+	startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
+    fi
+
     echo "Determining Zones..."
 
     determine_zones
@@ -3473,7 +3487,8 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
 #
 process_actions1() {
 	
-    ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid"
+    ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
+    
     USEDACTIONS=
 
     strip_file actions
@@ -3544,6 +3559,15 @@ process_actions1() {
 
 process_actions2() {
 
+    local interfaces="$(find_interfaces_by_option upnp)"
+
+    if [ -n "$interfaces" ]; then
+	if ! list_search forwardUPnP $USEDACTIONS; then
+	    error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)"
+	    USEDACTIONS="$USEDACTIONS forwardUPnP"
+	fi
+    fi
+
     progress_message "   Generating Transitive Closure of Used-action List..."
 
     changed=Yes
@@ -3695,6 +3719,26 @@ process_actions3() {
 		    run_iptables -A $xchain -m state --state INVALID -j ACCEPT
 		fi
 		;;
+	    forwardUPnP)
+		;;
+	    allowinUPnP)
+		if [ "$COMMAND" != check ]; then
+		    if [ -n "$xlevel" ]; then
+			log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900
+			log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152
+		    fi
+
+		    run_iptables -A $xchain -p udp --dport 1900  -j ACCEPT
+		    run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT
+		fi
+		;;
+	    allowoutUPnP)
+		if [ "$COMMAND" != check ]; then
+		    [ -n "$xlevel" ] && \
+			log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
+		    run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
+		fi
+		;;
 	    *)
 		#
 		# Not a builtin
@@ -3802,7 +3846,14 @@ add_nat_rule() {
 
     # Select target
 
-    if [ -n "$serv" ]; then
+    if [ "$logtarget" = SAME ]; then
+	[ -n "$servport" ] && fatal_error "Port mapping not allowed in SAME rules"
+	serv1=
+	for srv in $(separate_list $serv); do
+	    serv1="$serv1 --to ${srv}"
+	done
+	target1="SAME $serv1"
+    elif [ -n "$serv" ]; then
 	servport="${servport:+:$servport}"
 	serv1=
 	for srv in $(separate_list $serv); do
@@ -4065,9 +4116,9 @@ add_a_rule()
 	    servport=${servport:=$port}
 	    natrule=Yes
 	    ;;
-	DNAT)
+	DNAT|SAME)
 	    [ -n "$serv" ] || \
-		fatal_error "DNAT rules require a server address; rule: \"$rule\""
+		fatal_error "$logtarget rules require a server address; rule: \"$rule\""
 	    natrule=Yes
 	    ;;
 	LOG)
@@ -4084,7 +4135,7 @@ add_a_rule()
 	    if [ -n "$natrule" ]; then
 		add_nat_rule
 	    elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
-		fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\""
+		fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\""
 	    fi
 
 	    if [ -z "$dnat_only" ]; then
@@ -4139,7 +4190,7 @@ add_a_rule()
 
 	[ -n "$addr" ] && fatal_error \
 	    "An ORIGINAL DESTINATION ($addr) is only allowed in" \
-	    " a DNAT or REDIRECT: \"$rule\""
+	    " a DNAT, SAME or REDIRECT: \"$rule\""
 
 	if [ $COMMAND != check ]; then
 	    if [ -n "$loglevel" ]; then
@@ -4289,7 +4340,7 @@ process_rule() # $1 = target
 	CONTINUE)
 	    target=RETURN
 	    ;;
-	DNAT*)
+	DNAT*|SAME*)
 	    target=ACCEPT
 	    address=${address:=detect}
 	    ;;
@@ -4322,8 +4373,13 @@ process_rule() # $1 = target
 	excludezones="${clientzone#*!}"
 	clientzone="${clientzone%!*}"
 
-	[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
+	case $logtarget in
-	    fatal_error "Exclude list only allowed with DNAT or REDIRECT"
+	    DNAT|REDIRECT|SAME)
+		;;
+	    *)
+		fatal_error "Exclude list only allowed with DNAT, SAME or REDIRECT"
+		;;
+	esac
     fi
 
     validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\""
@@ -4386,7 +4442,7 @@ process_rule() # $1 = target
     protocol=${protocol:=all}
 
     case $logtarget in
-	DNAT*)
+	DNAT*|SAME)
 	    if [ -n "$XMULTIPORT" ] && \
 	       ! list_search $protocol "icmp" "ICMP" "1" && \
 	       [ $(( $(list_count $ports)  + $(list_count1 $(split $ports ) ) ))  -le 16 -a \
@@ -4540,7 +4596,7 @@ process_rules()
     }
 
     do_it() {
-	expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec
+	expandv xprotocol xports xcports xaddress xratelimit xuserspec
 
 	if [ "x$xclients" = xall ]; then
 	    xclients="$zones $FW"
@@ -4548,13 +4604,13 @@ process_rules()
 		xservers="$zones $FW"
 	    fi
 	    process_wildcard_rule
-	    continue
+	    return
 	fi
 
 	if [ "x$xservers" = xall ]; then
 	    xservers="$zones $FW"
 	    process_wildcard_rule
-	    continue
+	    return
 	fi
 	
 	rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
@@ -4562,10 +4618,16 @@ process_rules()
     }
 
     while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
-	expandv xtarget
+	expandv xtarget xclients xservers
+
+	if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then
+	    rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
+	    progress_message "   Rule \"$rule\" ignored."
+	    continue
+	fi
 
 	case "${xtarget%%:*}" in
-	    ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
+	    ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
 		do_it
 		;;
 	    *)
@@ -4971,7 +5033,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
 
     [ -n "$chain" ] && { echo $chain; return; }
 
-    fatal_error "No appropriate chain for zone $1 to zone $2"
+    fatal_error "No policy defined for zone $1 to zone $2"
 }
 
 #
@@ -5116,6 +5178,8 @@ setup_masq()
 
 	[ "x$addresses" = x- ] && addresses=
 
+	
+
 	if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then
 	    for address in $(separate_list $addresses); do
 		address=${address%:)}
@@ -5262,6 +5326,22 @@ setup_masq()
 	target=MASQUERADE
 
 	if [ -n "$addresses" ]; then
+	    case "$addresses" in
+		SAME:nodst:*)
+		    target="SAME --nodst"
+		    addresses=${addresses#SAME:nodst:}
+		    for address in $(separate_list $addresses); do
+			addrlist="$addrlist --to $address";
+		    done
+		    ;;
+		SAME:*)
+		    target="SAME"
+		    addresses=${addresses#SAME:}
+		    for address in $(separate_list $addresses); do
+			addrlist="$addrlist --to $address";
+		    done
+		    ;;
+		*)
 		    for address in $(separate_list $addresses); do
 			case $address in
 			    *.*.*.*)
@@ -5273,6 +5353,8 @@ setup_masq()
 				;;
 			esac
 		    done
+		    ;;
+	    esac
 	fi
 
 	if [ -n "$networks" ]; then
@@ -5621,6 +5703,7 @@ determine_capabilities() {
     PHYSDEV_MATCH=
     IPRANGE_MATCH=
     RECENT_MATCH=
+    OWNER_MATCH=
 
     qt $IPTABLES -N fooX1234
     qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
@@ -5630,6 +5713,7 @@ determine_capabilities() {
     qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT                     && PHYSDEV_MATCH=Yes
     qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
     qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT                               && RECENT_MATCH=Yes
+    qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT                         && OWNER_MATCH=Yes
 
     if [ -n "$PKTTYPE" ]; then
 	qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
@@ -5660,6 +5744,7 @@ report_capabilities() {
     report_capability "Physdev Match" $PHYSDEV_MATCH
     report_capability "IP range Match" $IPRANGE_MATCH
     report_capability "Recent Match" $RECENT_MATCH
+    report_capability "Owner Match" $OWNER_MATCH
 }
 
 #
@@ -5678,6 +5763,11 @@ initialize_netfilter () {
 	[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
     fi
 
+    [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
+
+    if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
+	startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
+    fi
 
     [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
 	startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
@@ -6290,6 +6380,20 @@ add_common_rules() {
 	    run_iptables -A OUTPUT -o $interface        -j $(dynamic_out $interface)
 	done
     fi
+    #
+    # UPnP
+    #
+    interfaces=$(find_interfaces_by_option upnp)
+
+    if [ -n "$interfaces" ]; then
+	echo "Setting up UPnP..."
+
+	createnatchain UPnP
+	
+	for interface in $interfaces; do
+	    run_iptables -t nat -A PREROUTING -i $interface -j UPnP
+	done
+    fi
 
     setup_forwarding
 }
@@ -6767,6 +6871,7 @@ define_firewall() # $1 = Command (Start or Restart)
     mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
     mv -f $RESTOREBASE /var/lib/shorewall/restore-tail    
 
+    run_user_exit started
 }
 
 #
@@ -7482,12 +7587,6 @@ do_initialize() {
     LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
     DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
     RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
-
-    [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
-
-    if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
-	startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
-    fi
     #
     # Strip the files that we use often
     #
@@ -7672,6 +7771,10 @@ case "$COMMAND" in
 	EMPTY=
 	$@
 	;;
+    capabilities)
+	do_initialize
+	report_capabilities
+	;;
     *)
 	usage
 	;;

STABLE2/functions

@@ -249,7 +249,7 @@ find_zones() # $1 = name of the zone file
 	[ -n "$zone" ] && case "$zone" in
 	    \#*)
 		;;
-            $FW)
+            $FW|all|none)
 	        echo "   Warning: Reserved zone name \"$zone\" in zones file ignored" >&2
 		;;
             *)

STABLE2/help

@@ -254,6 +254,8 @@ show)
 
     shorewall show zones - displays the contents of all zones.
 
+    shorewall show capabilities - displays your kernel/iptables capabilities
+
     When -x is given, that option is also passed to iptables to display actual packet and byte counts."
 	;;
 

STABLE2/hosts

@@ -135,5 +135,7 @@
 #				       /etc/shorewall/ipsec file then you do NOT
 #				       need to specify the 'ipsec' option here.
 #
+# For additional information, see http://shorewall.net/Documentation.htm#Hosts
+#
 #ZONE		HOST(S)				OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

STABLE2/init

@@ -4,3 +4,5 @@
 # Add commands below that you want to be executed at the beginning of
 # a "shorewall start" or "shorewall restart" command.
 #
+# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
+#

STABLE2/init.debian.sh

@@ -5,6 +5,7 @@ WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
 # Note, set INITLOG to /dev/null if you do not want to
 # keep logs of the firewall (not recommended)
 INITLOG=/var/log/shorewall-init.log
+OPTIONS="-f"
 
 test -x $SRWL || exit 0
 test -n $INITLOG || {
@@ -83,7 +84,7 @@ wait_for_pppd () {
 shorewall_start () {
   echo -n "Starting \"Shorewall firewall\": "
   wait_for_pppd
-  $SRWL -f start >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $OPTIONS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 

STABLE2/init.sh

@@ -55,6 +55,16 @@ usage() {
     exit 1
 }
 
+################################################################################
+# Get startup options (override default)
+################################################################################
+OPTIONS="-f"
+if [ -f /etc/sysconfig/shorewall ]; then
+    . /etc/sysconfig/shorewall
+elif [ -f /etc/default/shorewall ] ; then
+    . /etc/default/shorewall
+fi
+
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
@@ -64,7 +74,7 @@ case "$command" in
 
     start)
 	
-	exec /sbin/shorewall -f start
+	exec /sbin/shorewall $OPTIONS start
 	;;
 
     stop|restart|status)

STABLE2/initdone

@@ -5,3 +5,5 @@
 # "shorewall start" or "shorewall restart" commands at the point where
 # Shorewall has not yet added any perminent rules to the builtin chains.
 #
+# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
+#

STABLE2/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 
-VERSION=2.2.3
+VERSION=2.2.4
 
 usage() # $1 = exit status
 {
@@ -76,7 +76,7 @@ delete_file() # $1 = file to delete
 install_file_with_backup() # $1 = source $2 = target $3 = mode
 {
     backup_file $2
-    run_install -o $OWNER -g $GROUP -m $3 $1 ${2}
+    run_install $OWNERSHIP -m $3 $1 ${2}
 }
 
 #
@@ -133,11 +133,21 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 DEBIAN=
 
+OWNERSHIP="-o $OWNER -g $GROUP"
+
 if [ -n "$PREFIX" ]; then
-	install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}/sbin
+	if [ `id -u` != 0 ] ; then
-	install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}${DEST}
+	    echo "Not setting file owner/group permissions, not running as root."
+	    OWNERSHIP=""
+	fi
+
+	install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
+	install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
     DEBIAN=yes
+elif [ -f /etc/slackware-version ] ; then
+    DEST="/etc/rc.d"
+    INIT="rc.firewall"
 fi
 
 #
@@ -185,7 +195,7 @@ mkdir -p ${PREFIX}/var/lib/shorewall
 if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
    backup_file /etc/shorewall/shorewall.conf
 else
-   run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
+   run_install $OWNERSHIP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
    echo
    echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
 fi
@@ -195,7 +205,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/zones ]; then
     backup_file /etc/shorewall/zones
 else
-    run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones
+    run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall/zones
     echo
     echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
 fi
@@ -232,7 +242,7 @@ delete_file icmp.def
 if [ -f ${PREFIX}/etc/shorewall/policy ]; then
     backup_file /etc/shorewall/policy
 else
-    run_install -o $OWNER -g $GROUP -m 0600 policy ${PREFIX}/etc/shorewall/policy
+    run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall/policy
     echo
     echo "Policy file installed as ${PREFIX}/etc/shorewall/policy"
 fi
@@ -242,7 +252,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/interfaces ]; then
     backup_file /etc/shorewall/interfaces
 else
-    run_install -o $OWNER -g $GROUP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
+    run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
     echo
     echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
 fi
@@ -252,7 +262,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/ipsec ]; then
     backup_file /etc/shorewall/ipsec
 else
-    run_install -o $OWNER -g $GROUP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
+    run_install $OWNERSHIP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
     echo
     echo "Ipsec file installed as ${PREFIX}/etc/shorewall/ipsec"
 fi
@@ -262,7 +272,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/hosts ]; then
     backup_file /etc/shorewall/hosts
 else
-    run_install -o $OWNER -g $GROUP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
+    run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
     echo
     echo "Hosts file installed as ${PREFIX}/etc/shorewall/hosts"
 fi
@@ -272,7 +282,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/rules ]; then
     backup_file /etc/shorewall/rules
 else
-    run_install -o $OWNER -g $GROUP -m 0600 rules ${PREFIX}/etc/shorewall/rules
+    run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall/rules
     echo
     echo "Rules file installed as ${PREFIX}/etc/shorewall/rules"
 fi
@@ -282,7 +292,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/nat ]; then
     backup_file /etc/shorewall/nat
 else
-    run_install -o $OWNER -g $GROUP -m 0600 nat ${PREFIX}/etc/shorewall/nat
+    run_install $OWNERSHIP -m 0600 nat ${PREFIX}/etc/shorewall/nat
     echo
     echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
 fi
@@ -292,7 +302,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/netmap ]; then
     backup_file /etc/shorewall/netmap
 else
-    run_install -o $OWNER -g $GROUP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap
+    run_install $OWNERSHIP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap
     echo
     echo "NETMAP file installed as ${PREFIX}/etc/shorewall/netmap"
 fi
@@ -302,7 +312,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/params ]; then
     backup_file /etc/shorewall/params
 else
-    run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params
+    run_install $OWNERSHIP -m 0600 params ${PREFIX}/etc/shorewall/params
     echo
     echo "Parameter file installed as ${PREFIX}/etc/shorewall/params"
 fi
@@ -312,7 +322,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/proxyarp ]; then
     backup_file /etc/shorewall/proxyarp
 else
-    run_install -o $OWNER -g $GROUP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
+    run_install $OWNERSHIP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
     echo
     echo "Proxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp"
 fi
@@ -322,7 +332,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/routestopped ]; then
     backup_file /etc/shorewall/routestopped
 else
-    run_install -o $OWNER -g $GROUP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped
+    run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped
     echo
     echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
 fi
@@ -332,7 +342,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/maclist ]; then
     backup_file /etc/shorewall/maclist
 else
-    run_install -o $OWNER -g $GROUP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
+    run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
     echo
     echo "MAC list file installed as ${PREFIX}/etc/shorewall/maclist"
 fi
@@ -342,7 +352,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/masq ]; then
     backup_file /etc/shorewall/masq
 else
-    run_install -o $OWNER -g $GROUP -m 0600 masq ${PREFIX}/etc/shorewall/masq
+    run_install $OWNERSHIP -m 0600 masq ${PREFIX}/etc/shorewall/masq
     echo
     echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
 fi
@@ -352,7 +362,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/modules ]; then
     backup_file /etc/shorewall/modules
 else
-    run_install -o $OWNER -g $GROUP -m 0600 modules ${PREFIX}/etc/shorewall/modules
+    run_install $OWNERSHIP -m 0600 modules ${PREFIX}/etc/shorewall/modules
     echo
     echo "Modules file installed as ${PREFIX}/etc/shorewall/modules"
 fi
@@ -362,7 +372,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/tcrules ]; then
     backup_file /etc/shorewall/tcrules
 else
-    run_install -o $OWNER -g $GROUP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
+    run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
     echo
     echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
 fi
@@ -373,7 +383,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/tos ]; then
     backup_file /etc/shorewall/tos
 else
-    run_install -o $OWNER -g $GROUP -m 0600 tos ${PREFIX}/etc/shorewall/tos
+    run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall/tos
     echo
     echo "TOS file installed as ${PREFIX}/etc/shorewall/tos"
 fi
@@ -383,7 +393,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/tunnels ]; then
     backup_file /etc/shorewall/tunnels
 else
-    run_install -o $OWNER -g $GROUP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
+    run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
     echo
     echo "Tunnels file installed as ${PREFIX}/etc/shorewall/tunnels"
 fi
@@ -393,7 +403,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/blacklist ]; then
     backup_file /etc/shorewall/blacklist
 else
-    run_install -o $OWNER -g $GROUP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
+    run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
     echo
     echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
 fi
@@ -428,7 +438,7 @@ echo " Default config path file installed as ${PREFIX}/usr/share/shorewall/confi
 if [ -f ${PREFIX}/etc/shorewall/init ]; then
     backup_file /etc/shorewall/init
 else
-    run_install -o $OWNER -g $GROUP -m 0600 init ${PREFIX}/etc/shorewall/init
+    run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall/init
     echo
     echo "Init file installed as ${PREFIX}/etc/shorewall/init"
 fi
@@ -438,7 +448,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/initdone ]; then
     backup_file /etc/shorewall/initdone
 else
-    run_install -o $OWNER -g $GROUP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone
+    run_install $OWNERSHIP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone
     echo
     echo "Initdone file installed as ${PREFIX}/etc/shorewall/initdone"
 fi
@@ -448,7 +458,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/start ]; then
     backup_file /etc/shorewall/start
 else
-    run_install -o $OWNER -g $GROUP -m 0600 start ${PREFIX}/etc/shorewall/start
+    run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall/start
     echo
     echo "Start file installed as ${PREFIX}/etc/shorewall/start"
 fi
@@ -458,7 +468,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/stop ]; then
     backup_file /etc/shorewall/stop
 else
-    run_install -o $OWNER -g $GROUP -m 0600 stop ${PREFIX}/etc/shorewall/stop
+    run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall/stop
     echo
     echo "Stop file installed as ${PREFIX}/etc/shorewall/stop"
 fi
@@ -468,7 +478,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/stopped ]; then
     backup_file /etc/shorewall/stopped
 else
-    run_install -o $OWNER -g $GROUP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
+    run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
     echo
     echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
 fi
@@ -478,7 +488,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/ecn ]; then
     backup_file /etc/shorewall/ecn
 else
-    run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
+    run_install $OWNERSHIP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
     echo
     echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
 fi
@@ -488,7 +498,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/accounting ]; then
     backup_file /etc/shorewall/accounting
 else
-    run_install -o $OWNER -g $GROUP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
+    run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
     echo
     echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
 fi
@@ -498,11 +508,21 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/continue ]; then
     backup_file /etc/shorewall/continue
 else
-    run_install -o $OWNER -g $GROUP -m 0600 continue ${PREFIX}/etc/shorewall/continue
+    run_install $OWNERSHIP -m 0600 continue ${PREFIX}/etc/shorewall/continue
     echo
     echo "Continue file installed as ${PREFIX}/etc/shorewall/continue"
 fi
 #
+# Install the Started file
+#
+if [ -f ${PREFIX}/etc/shorewall/started ]; then
+    backup_file /etc/shorewall/started
+else
+    run_install -o $OWNER -g $GROUP -m 0600 started ${PREFIX}/etc/shorewall/started
+    echo
+    echo "Started file installed as ${PREFIX}/etc/shorewall/started"
+fi
+#
 # Install the Standard Actions file
 #
 install_file_with_backup actions.std ${PREFIX}/usr/share/shorewall/actions.std 0600
@@ -515,7 +535,7 @@ echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
 if [ -f ${PREFIX}/etc/shorewall/actions ]; then
     backup_file /etc/shorewall/actions
 else
-    run_install -o $OWNER -g $GROUP -m 0600 actions ${PREFIX}/etc/shorewall/actions
+    run_install $OWNERSHIP -m 0600 actions ${PREFIX}/etc/shorewall/actions
     echo
     echo "Actions file installed as ${PREFIX}/etc/shorewall/actions"
 fi
@@ -556,7 +576,7 @@ install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544
 
 if [ -z "$PREFIX" -a -n "$first_install" ]; then
     if [ -n "$DEBIAN" ]; then
-	run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
+	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall
 	ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
 	echo
 	echo "shorewall will start automatically at boot"

STABLE2/interfaces

@@ -167,6 +167,8 @@
 #			detectnets   - Automatically taylors the zone named
 #				       in the ZONE column to include only those
 #				       hosts routed through the interface.
+#			upnp         - Incoming requests from this interface may
+#				       be remapped via UPNP (upnpd).
 #
 #		        WARNING: DO NOT SET THE detectnets OPTION ON YOUR
 #			         INTERNET INTERFACE.
@@ -199,6 +201,9 @@
 #			connections.
 #
 #			net	ppp0	-
+#
+# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
+#
 ##############################################################################
 #ZONE	 INTERFACE	BROADCAST	OPTIONS
 #

STABLE2/maclist

@@ -1,6 +1,11 @@
 #
 # Shorewall 2.2 - MAC list file
 #
+#	This file is used to define the MAC addresses and optionally their
+#	associated IP addresses to be allowed to use the specified interface.
+#	The feature is enabled by using the maclist option in the interfaces
+#	or hosts configuration file.
+#
 # /etc/shorewall/maclist
 #
 # Columns are:
@@ -18,6 +23,9 @@
 #			list of host and/or subnet addresses. If your kernel
 #			and iptables have iprange match support then IP 
 #			address ranges are also allowed.
+#
+# For additional information, see http://shorewall.net/MAC_Validation.html
+#
 ##############################################################################
 #INTERFACE	        MAC			IP ADDRESSES (Optional)
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

STABLE2/masq

@@ -86,6 +86,20 @@
 #					192.0.2.4:5000-6000
 #					:4000-5000
 #
+#				You can invoke the SAME target using the 
+#				following in this column:
+#
+#				   SAME:[nodst:]<address-range>[,<address-range>...]
+#
+#				The <address-ranges> may be single addresses. 
+#
+#				SAME works like SNAT with the exception that the
+#				same local IP address is assigned to each connection
+#				from a local address to a given remote address. If
+#				the 'nodst:' option is included, then the same source
+#				address is used for a given internal system regardless
+#				of which remote system is involved.
+#
 #				If you want to leave this column empty
 #				but you need to specify the next column then
 #				place a hyphen ("-") here.
@@ -195,6 +209,8 @@
 #
 #		THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
 #
+# For additional information, see http://shorewall.net/Documentation.htm#Masq
+#
 ###############################################################################
 #INTERFACE	        SUBNET		ADDRESS		PROTO	PORT(S)	IPSEC
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

STABLE2/modules

@@ -7,6 +7,7 @@
 # dependency order. i.e., if M2 depends on M1 then you must load M1 before
 # you load M2.
 #
+# For additional information, see http://shorewall.net/Documentation.htm#modules
 
     loadmodule ip_tables
     loadmodule iptable_filter

STABLE2/nat

@@ -38,6 +38,8 @@
 #
 #       LOCAL           If Yes or yes, NAT will be effective from the firewall
 #                       system
+#
+# For additional information, see http://shorewall.net/NAT.htm
 ##############################################################################
 #EXTERNAL	INTERFACE	INTERNAL	ALL		LOCAL
 #						INTERFACES

STABLE2/policy

@@ -85,6 +85,7 @@
 #	#	
 #	all		all		REJECT		info 
 #
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG		LIMIT:BURST
 #						LEVEL

STABLE2/proxyarp

@@ -39,6 +39,8 @@
 #
 #			#ADDRESS	INTERFACE	EXTERNAL
 #			155.186.235.6	eth1		eth0
+#
+# See http://shorewall.net/ProxyARP.htm for additional information.
 ##############################################################################
 #ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE	PERSISTENT
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

STABLE2/releasenotes.txt

@@ -1,4 +1,183 @@
-Shorewall 2.2.3
+Shorewall 2.2.4
+
+-----------------------------------------------------------------------
+Problems corrected in version 2.2.4
+
+1) The error message:
+
+       Error: No appropriate chain for zone <z1> to zone <z2>
+
+   has been changed to one that is more self-explanatory:
+
+       Error: No policy defined for zone <z1> to zone <z2> 
+
+2) When only an interface name appeared in the HOST(S) column of an
+   /etc/shorewall/hosts file entry, a misleading iptables error message
+   resulted. Now the following message is generated:
+
+       Error: Invalid HOST(S) column contents: <column contents>
+
+-----------------------------------------------------------------------
+New Features in version 2.2.4
+
+1) Support has been added for UPnP using linux-igd
+   (http://linux-idg.sourceforge.net). UPnP is required by a number of
+   popular applications including MSN IM.
+
+   WARNING: From a security architecture viewpoint, UPnP is a
+	    disaster. It assumes that:
+
+	    a) All local systems and their users are completely
+	       trustworthy.
+
+	    b) No local system is infected with any worm or trojan.
+
+	    If either of these assumptions are not true then UPnP can
+	    be used to totally defeat your firewall and to allow
+	    incoming connections to arbitrary local systems on any port
+	    whatsoever. 
+
+	    In short: USE UPnP AT YOUR OWN RISK.
+
+   WARNING: The linux-igd project appears to be inactive and the web
+	    site does not display correctly on any open source browser
+	    that I've tried.
+
+	    Building and installing linux-igd is not for the faint of
+	    heart. You must download the source from CVS and be
+	    prepared to do quite a bit of fiddling with the include
+	    files from libupnp (which is required to build and/or run
+	    linux-igd).
+
+   linux-idg Configuration:
+
+	     In /etc/upnpd.conf, you will want:
+
+		insert_forward_rules = yes
+		prerouting_chain_name = UPnP
+		forward_chain_name = forwardUPnP
+
+   Shorewall Configuration:
+
+	     In /etc/shorewall/interfaces, you need the 'upnp' option
+	     on your external interface.
+
+	     If your fw->loc policy is not ACCEPT then you need this
+	     rule:
+
+	     allowoutUPnP	fw	loc
+
+	     Note: To use 'allowoutUPnP', your iptables and kernel must
+	     support the 'owner match' feature (see the output of
+	     "shorewall check").
+
+	     If your loc->fw policy is not ACCEPT then you need this
+	     rule:
+
+	     allowinUPnP	loc	fw
+
+	     You MUST have this rule:
+
+	     forwardUPnP	net	loc
+
+   You must also ensure that you have a route to 224.0.0.0/4 on your
+   internal (local) interface.
+
+2) A new 'started' extension script has been added.  The difference
+   between this extension script and /etc/shorewall/start is that this
+   one is invoked after delayed loading of the blacklist
+   (DELAYBLACKLISTLOAD=Yes) and after the 'shorewall' chain has been
+   created (thus signaling that the firewall is completely up.
+
+   /etc/shorewall/started should not change the firewall configuration
+   directly but may do so indirectly by running /sbin/shorewall with
+   the 'nolock' option.
+
+3) By default, shorewall is started with the "-f" (fast) option when
+   your system boots. You can override that setting by setting the
+   OPTIONS variable in /etc/sysconfig/shorewall (SuSE/Redhat) or
+   /etc/default/shorewall (Debian/Bering). If neither file exists, feel
+   free to create one.
+
+   Example: If you want Shorewall to always use the config files even
+   if there is a saved configuration, then specify:
+
+      OPTIONS=""
+
+4) Shorewall now has support for the SAME target. This change affects
+   the /etc/shorewall/masq and /etc/shorewall/rules file.
+
+   SAME is useful when you specify multiple target IP addresses (in the
+   ADDRESSES column of /etc/shorewall/masq or in the DEST column of
+   /etc/shorewall/rules). 
+
+   If you use normal SNAT then multiple connections from a given local
+   host to hosts on the internet can be assigned different source IP
+   addresses. This confuses some applications that use multiple
+   connections. To correct this problem, prefix the list of address
+   ranges in the ADDRESS column with "SAME:"
+
+	  Example:   SAME:206.124.146.176-206.124.146.180
+
+   If you want each internal system to use the same IP address from the
+   list regardless of which internet host it is talking to then prefix
+   the rages with "SAME:nodst:".
+
+	  Example:   SAME:nodst:206.124.146.176-206.124.146.180
+   
+   Note that it is not possible to map port numbers when using SAME.
+
+   In the rules file, when multiple connections from an internet host
+   match a SAME rule then all of the connections will be sent to the
+   same internal server. SAME rules are very similar to DNAT rules with
+   the keyword SAME replacing DNAT. As in the masq file, changing the
+   port number is not supported.
+
+5) A "shorewall show capabilities" command has been added to report the
+   capabilities of your kernel and iptables.
+
+   Example:
+
+      gateway:~# shorewall show capabilities
+      Loading /usr/share/shorewall/functions...
+      Processing /etc/shorewall/params ...
+      Processing /etc/shorewall/shorewall.conf...
+      Loading Modules...
+      Shorewall has detected the following iptables/netfilter capabilities:
+	     NAT: Available
+	     Packet Mangling: Available
+	     Multi-port Match: Available
+	     Extended Multi-port Match: Available
+	     Connection Tracking Match: Available
+	     Packet Type Match: Not available
+	     Policy Match: Available
+	     Physdev Match: Available
+	     IP range Match: Available
+	     Recent Match: Available
+	     Owner Match: Available
+      gateway:~#
+
+6) A "-v" option has been added to /sbin/shorewall. Currently, this
+   option only affects the "show log" command (e.g., "shorewall -v show
+   log") and the "monitor" command. In these commands, it causes the
+   MAC address in the log message (if any) to be displayed. As
+   previously, when "-v" is omitted, the MAC address is suppressed.
+
+7) In /etc/shorewall/rules, a value of 'none' in either the SOURCE or
+   DEST columns now causes the rule to be ignored. This is most useful
+   when used with shell variables:
+
+   Example:
+
+	/etc/shorewall/rules:
+
+		AllowFTP    $FTP_CLIENTS	fw
+
+        When FTP_CLIENTS is set to 'none', the above rule is ignored.
+	Otherwise, the rule is evaluated and generates Netfilter rules.
+
+8) The installer now detects that it is running on a Slackware system
+   and adjusts the DEST and INIT variables accordingly.
 
 -----------------------------------------------------------------------
 Problems corrected in version 2.2.3

STABLE2/routestopped

@@ -31,6 +31,10 @@
 #	eth2		192.168.1.0/24
 #	eth0		192.0.2.44
 #	br0		-			routeback
+#
+# See http://shorewall.net/Documentation.htm#Routestopped and
+# http://shorewall.net/starting_and_stopping_shorewall.htm for additional 
+# information.
 ##############################################################################
 #INTERFACE	HOST(S)		OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

STABLE2/rules

@@ -42,6 +42,16 @@
 #					    Like DNAT but only generates the
 #					    DNAT iptables rule and not
 #					    the companion ACCEPT rule.
+#				SAME	 -- Similar to DNAT except that the
+#					    port may not be remapped and when
+#					    multiple server addresses are 
+#					    listed, all requests from a given
+#					    remote system go to the same
+#					    server.
+#				SAME-    -- Advanced users only.
+#					    Like SAME but only generates the
+#					    NAT iptables rule and not
+#					    the companion ACCEPT rule.
 #				REDIRECT -- Redirect the request to a local
 #					    port on the firewall.
 #				REDIRECT-
@@ -102,11 +112,14 @@
 #
 #	SOURCE		Source hosts to which the rule applies. May be a zone
 #                       defined in /etc/shorewall/zones, $FW to indicate the
-#			firewall itself, or "all" If the ACTION is DNAT or
+#			firewall itself, "all" or "none" If the ACTION is DNAT or
 #			REDIRECT, sub-zones of the specified zone may be
 #			excluded from the rule by following the zone name with
 #			"!' and a comma-separated list of sub-zone names.
 #
+#			When "none" is used either in the SOURCE or DEST column,
+#			the rule is ignored.
+#
 #			When "all" is used either in the SOURCE or DEST column
 #			intra-zone traffic is not affected. You must add 
 #			separate rules to handle that traffic.
@@ -147,7 +160,10 @@
 #
 #	DEST		Location of Server. May be a zone defined in
 #			/etc/shorewall/zones, $FW to indicate the firewall
-#			itself or "all"
+#			itself, "all" or "none".
+#
+#			When "none" is used either in the SOURCE or DEST column,
+#			the rule is ignored.
 #
 #			When "all" is used either in the SOURCE or DEST column
 #			intra-zone traffic is not affected. You must add 

STABLE2/shorewall

@@ -58,6 +58,7 @@
 #	   shorewall show {mangle|tos}		   Display the rules in the mangle table
 #	   shorewall show tc			   Display traffic control info
 #	   shorewall show classifiers		   Display classifiers
+#          shorewall show capabilities             Display iptables/kernel capabilities
 #	   shorewall version			   Display the installed version id
 #	   shorewall check			   Verify the more heavily-used
 #						   configuration files.
@@ -353,11 +354,18 @@ packet_log() # $1 = number of messages
 
     [ -n "$realtail" ] && options="-n$1"
 
+    if [ -n "$VERBOSE" ]; then
+	grep "${LOGFORMAT}" $LOGFILE | \
+	    sed s/" kernel:"// | \
+	    sed s/" $host $LOGFORMAT"/" "/ | \
+	    tail $options
+    else
 	grep "${LOGFORMAT}" $LOGFILE | \
 	    sed s/" kernel:"// | \
 	    sed s/" $host $LOGFORMAT"/" "/ | \
 	    sed 's/MAC=.* SRC=/SRC=/' | \
 	    tail $options
+    fi
 }
 
 #
@@ -595,7 +603,7 @@ help()
 #
 usage() # $1 = exit status
 {
-    echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
+    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -x ] [ -q ] [ -f ] [ -v ] <command>"
     echo "where <command> is one of:"
     echo "   add <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
     echo "   allow <address> ..."
@@ -616,14 +624,13 @@ usage() # $1 = exit status
     echo "   restart [ <directory> ]"
     echo "   restore [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos|zones]"
+    echo "   show [<chain> [ <chain> ... ]|capabilities|classifiers|connections|log|nat|tc|tos|zones]"
     echo "   start [ <directory> ]"
     echo "   stop"
     echo "   status"
     echo "   try <directory> [ <timeout> ]"
     echo "   version"
     echo 
-    echo "The -c and -f options may not be specified with a <directory> in the start, restart and check commands"
     exit $1
 }
 
@@ -664,6 +671,7 @@ SHOREWALL_DIR=
 QUIET=
 IPT_OPTIONS="-nv"
 FAST=
+VERBOSE=
 
 done=0
 
@@ -705,6 +713,10 @@ while [ $done -eq 0 ]; do
 			FAST=Yes
 			option=${option#f}
 			;;
+		    v*)
+			VERBOSE=Yes
+			option=${option#v}
+			;;
 		    *)
 			usage 1
 			;;
@@ -938,6 +950,9 @@ case "$1" in
 		exit 1
 	    fi
 	    ;;
+	capabilities)
+	    exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock capabilities
+	    ;;
 	*)
 	    shift
 	    

STABLE2/shorewall.conf

@@ -6,7 +6,7 @@
 #
 #  This file should be placed in /etc/shorewall
 #
-#  (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
+#  (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
 ##############################################################################
 #                      S T A R T U P   E N A B L E D
 ##############################################################################
@@ -399,9 +399,8 @@ RETAIN_ALIASES=No
 #
 # If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
 # you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
-# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
+# shaping you must have iproute[2] installed (the "ip" and "tc" utilities).
-# you must enable packet mangling above.
+
-#
 TC_ENABLED=No
 
 #

STABLE2/shorewall.spec

@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 2.2.3
+%define version 2.2.4
 %define release 1
 %define prefix /usr
 
@@ -94,6 +94,7 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/continue
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/started
 
 %attr(0544,root,root) /sbin/shorewall
 
@@ -138,6 +139,10 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
 
 %changelog
+* Mon Apr 11 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.2.4-1
+* Fri Apr 08 2005 Tom Eastep tom@shorewall.net
+- Added /etc/shorewall/started
 * Tue Apr 05 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.2.3-1
 * Mon Mar 07 2005 Tom Eastep tom@shorewall.net

STABLE2/start

@@ -4,3 +4,5 @@
 # Add commands below that you want to be executed after shorewall has
 # been started or restarted.
 #
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional 
+# information.

STABLE2/stop

@@ -4,3 +4,5 @@
 # Add commands below that you want to be executed at the beginning of a
 # "shorewall stop" command.
 #
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional 
+# information.

STABLE2/stopped

@@ -4,3 +4,5 @@
 # Add commands below that you want to be executed at the completion of a
 # "shorewall stop" command.
 #
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional 
+# information.

STABLE2/tcrules

@@ -147,6 +147,8 @@
 #					testing 
 #				:C	Designates a connection mark. If omitted,
 #					the packet mark's value is tested.
+#
+# See http://shorewall.net/traffic_shaping.htm for additional information.
 ##############################################################################
 #MARK		SOURCE 		DEST		PROTO	PORT(S)	CLIENT	USER	TEST
 #								PORT(S)

STABLE2/tunnels

@@ -108,6 +108,10 @@
 #
 #			generic:udp:4444	net	4.3.99.124
 #
+# 
+# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
+#
 # TYPE			ZONE	GATEWAY		GATEWAY
 #						ZONE
+#
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

STABLE2/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
 
-VERSION=2.2.3
+VERSION=2.2.4
 
 usage() # $1 = exit status
 {

STABLE2/zones

@@ -4,6 +4,8 @@
 # This file determines your network zones. Columns are:
 #
 #	ZONE		Short name of the zone (5 Characters or less in length).
+#			The names "all" and "none" are reserved and may not be
+#			used as zone names.
 #	DISPLAY		Display name of the zone
 #	COMMENTS	Comments about the zone
 #

Shorewall-docs2/Documentation.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2005-04-17</pubdate>
+    <pubdate>2005-04-29</pubdate>
 
     <copyright>
       <year>2001-2005</year>
@@ -2565,28 +2565,6 @@ eth0                  eth1            206.124.146.176</programlisting>
           place <quote>Yes</quote> in the HAVEROUTE column.</para>
         </tip></para>
     </example>
-
-    <warning>
-      <para>Do not use Proxy ARP and FreeS/Wan on the same system unless you
-      are prepared to suffer the consequences. If you start or restart
-      Shorewall with an IPSEC tunnel active, the proxied IP addresses are
-      mistakenly assigned to the IPSEC tunnel device (ipsecX) rather than to
-      the interface that you specify in the INTERFACE column of
-      <filename>/etc/shorewall/proxyarp</filename>. I haven't had the time to
-      debug this problem so I can't say if it is a bug in the Kernel or in
-      FreeS/Wan.</para>
-
-      <para>You <emphasis role="bold">might</emphasis> be able to work around
-      this problem using the following (I haven't tried it):</para>
-
-      <para>In <filename>/etc/shorewall/init</filename>, include:</para>
-
-      <programlisting><command>qt /etc/init.d/ipsec stop</command></programlisting>
-
-      <para>In <filename>/etc/shorewall/start</filename>, include:</para>
-
-      <programlisting><command>qt /etc/init.d/ipsec start</command></programlisting>
-    </warning>
   </section>
 
   <section id="NAT" xreflabel="/etc/shorewall/nat">
@@ -2698,7 +2676,7 @@ eth0                  eth1            206.124.146.176</programlisting>
     6to4 and other tunnels with end-points on your firewall.</para>
 
     <para>For an overview of Shorewall's VPN support, try <ulink
-    url="VPNBasics.html">this article</ulink>. </para>
+    url="VPNBasics.html">this article</ulink>.</para>
 
     <para>Instructions for setting up <ulink url="IPSEC.htm">IPSEC
     tunnels</ulink> may be found here (if you are using kernel 2.6 with native

Shorewall-docs2/FAQ.xml

@@ -17,7 +17,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2005-04-08</pubdate>
+    <pubdate>2005-04-24</pubdate>
 
     <copyright>
       <year>2001-2005</year>
@@ -278,6 +278,23 @@ DNAT       loc      dmz:192.168.2.4     tcp      80              -           206
 #                                                                PORT      DEST.
 DNAT       loc           dmz:192.168.2.4    tcp      80          -         $ETH0_IP</programlisting>
       </section>
+
+      <section id="faq1e">
+        <title>(FAQ 1e) In order to discourage brute force attacks I would
+        like to redirect all connections on a non-standard port (4104) to port
+        22 on the router/firewall. I notice that setting up a REDIRECT rule
+        causes the firewall to open both ports 4104 and 22 to connections from
+        the net. Is it possible to only redirect 4104 to the localhost port 22
+        and have connection attempts to port 22 from the net dropped?</title>
+
+        <para><emphasis role="bold">Answer </emphasis>courtesy of Ryan: Assume
+        that the IP address of your local firewall interface is 192.168.1.1.
+        If you add the following rule then from the net, you will have 4104
+        listening, from your LAN, port 22.</para>
+
+        <programlisting>#ACTION SOURCE  DEST                    PROTO   DEST PORT(S)
+DNAT    net     fw:192.168.1.1:22       tcp     4104</programlisting>
+      </section>
     </section>
 
     <section id="faq30">

Shorewall-docs2/IPSEC.xml

@@ -15,10 +15,10 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-12-23</pubdate>
+    <pubdate>2005-05-29</pubdate>
 
     <copyright>
-      <year>2001-2004</year>
+      <year>2001-2005</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -55,7 +55,7 @@
   </section>
 
   <section>
-    <title>Configuring FreeS/Wan</title>
+    <title>Configuring FreeS/Wan and Derivatives Such as OpenS/Wan</title>
 
     <para>There is an excellent guide to configuring IPSEC tunnels at <ulink
     url="http://jixen.tripod.com/">http://jixen.tripod.com/</ulink>. I highly