mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-26 09:33:14 +01:00
Shorewall 2.2.4
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2070 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
cc7d0ddad2
commit
dcc4181eed
@ -11,6 +11,9 @@
|
||||
# 2. Copy this file to /etc/shorewall/action.<action name>
|
||||
# 3. Add the desired rules to that file.
|
||||
#
|
||||
# Please see http://shorewall.net/Actions.html for additional
|
||||
# information.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
#
|
||||
|
@ -8,7 +8,7 @@
|
||||
#
|
||||
# ACTION names should begin with an upper-case letter to
|
||||
# distinguish them from Shorewall-generated chain names and
|
||||
# they must need the requirements of a Netfilter chain. If
|
||||
# they must meet the requirements of a Netfilter chain. If
|
||||
# you intend to log from the action then the name must be
|
||||
# no longer than 11 character in length. Names must also
|
||||
# meet the requirements for a Bourne Shell identifier (must
|
||||
@ -24,6 +24,9 @@
|
||||
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
|
||||
# itself, the associated policy will have no common action.
|
||||
#
|
||||
# Please see http://shorewall.net/Actions.html for additional
|
||||
# information.
|
||||
#
|
||||
#ACTION
|
||||
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
|
@ -1,6 +1,8 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/actions.std
|
||||
#
|
||||
# Please see http://shorewall.net/Actions.html for additional
|
||||
# information.
|
||||
#
|
||||
# Builtin Actions are:
|
||||
#
|
||||
@ -12,6 +14,10 @@
|
||||
# #conntrack state.
|
||||
# allowInvalid #Accept packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
# allowoutUPnP #Allow traffic from local command 'upnpd'
|
||||
# allowinUPnP #Allow UPnP inbound (to firewall) traffic
|
||||
# forwardUPnP #Allow traffic that upnpd has redirected from
|
||||
# #'upnp' interfaces.
|
||||
#
|
||||
#ACTION
|
||||
|
||||
|
@ -38,6 +38,9 @@
|
||||
# ADDRESS/SUBNET PROTOCOL PORT
|
||||
# 192.0.2.126 udp 53
|
||||
#
|
||||
# Please see http://shorewall.net/blacklisting_support.htm for additional
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
#ADDRESS/SUBNET PROTOCOL PORT
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -44,11 +44,9 @@
|
||||
31.0.0.0/8 logdrop # Reserved
|
||||
36.0.0.0/7 logdrop # Reserved
|
||||
39.0.0.0/8 logdrop # Reserved
|
||||
41.0.0.0/8 logdrop # Reserved
|
||||
42.0.0.0/8 logdrop # Reserved
|
||||
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||
73.0.0.0/8 logdrop # Reserved
|
||||
74.0.0.0/7 logdrop # Reserved
|
||||
76.0.0.0/6 logdrop # Reserved
|
||||
89.0.0.0/8 logdrop # Reserved
|
||||
|
@ -1,3 +1,30 @@
|
||||
Changes in 2.2.4
|
||||
|
||||
1) Added support for UPnP
|
||||
|
||||
2) Add 'started' hook.
|
||||
|
||||
3) Make an error message more self-explanatory
|
||||
|
||||
4) Report Owner Match capability
|
||||
|
||||
5) Add Paul Traina's patch to install.sh.
|
||||
|
||||
6) Allow startup options to be overridden in /etc/sysconfig/shorewall
|
||||
or /etc/default/shorewall.
|
||||
|
||||
7) Add support for SAME
|
||||
|
||||
8) Add 'shorewall show capabilities'
|
||||
|
||||
8) Add '-v' option
|
||||
|
||||
9) Allow 'none' in /etc/shorewall/rules.
|
||||
|
||||
10) Add error message for invalid HOST(S) column contents.
|
||||
|
||||
11) Apply Christian Rodriguez's patch for Slackware install.
|
||||
|
||||
Changes in 2.2.3
|
||||
|
||||
1) Added the 'continue' extension script.
|
||||
|
@ -4,3 +4,5 @@
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# cleared any existing Netfilter rules and has enabled existing connections.
|
||||
#
|
||||
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
|
||||
#
|
||||
|
@ -15,6 +15,8 @@
|
||||
# 0.0.0.0/0 is assumed. If your kernel and iptables
|
||||
# include iprange match support then IP address ranges
|
||||
# are also permitted.
|
||||
#
|
||||
# For additional information, see http://shorewall.net/Documentation.htm#ECN
|
||||
##############################################################################
|
||||
#INTERFACE HOST(S)
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=2.2.3
|
||||
VERSION=2.2.4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
181
STABLE2/firewall
181
STABLE2/firewall
@ -937,7 +937,7 @@ validate_interfaces_file() {
|
||||
|
||||
for option in $options; do
|
||||
case $option in
|
||||
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|-)
|
||||
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
|
||||
;;
|
||||
detectnets)
|
||||
[ -n "$wildcard" ] && \
|
||||
@ -975,13 +975,21 @@ validate_hosts_file() {
|
||||
r="$z $hosts $options"
|
||||
validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\""
|
||||
|
||||
interface=${hosts%%:*}
|
||||
iface=$(chain_base $interface)
|
||||
case $hosts in
|
||||
*:*)
|
||||
|
||||
list_search $interface $ALL_INTERFACES || \
|
||||
startup_error "Unknown interface ($interface) in record \"$r\""
|
||||
interface=${hosts%%:*}
|
||||
iface=$(chain_base $interface)
|
||||
|
||||
hosts=${hosts#*:}
|
||||
list_search $interface $ALL_INTERFACES || \
|
||||
startup_error "Unknown interface ($interface) in record \"$r\""
|
||||
|
||||
hosts=${hosts#*:}
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid HOST(S) column contents: $hosts"
|
||||
;;
|
||||
esac
|
||||
|
||||
eval ports=\$${iface}_ports
|
||||
eval zports=\$${z}_ports
|
||||
@ -2826,6 +2834,12 @@ check_config() {
|
||||
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
|
||||
fi
|
||||
|
||||
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
|
||||
|
||||
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
|
||||
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
|
||||
fi
|
||||
|
||||
echo "Determining Zones..."
|
||||
|
||||
determine_zones
|
||||
@ -3473,7 +3487,8 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
|
||||
#
|
||||
process_actions1() {
|
||||
|
||||
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid"
|
||||
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
|
||||
|
||||
USEDACTIONS=
|
||||
|
||||
strip_file actions
|
||||
@ -3544,6 +3559,15 @@ process_actions1() {
|
||||
|
||||
process_actions2() {
|
||||
|
||||
local interfaces="$(find_interfaces_by_option upnp)"
|
||||
|
||||
if [ -n "$interfaces" ]; then
|
||||
if ! list_search forwardUPnP $USEDACTIONS; then
|
||||
error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)"
|
||||
USEDACTIONS="$USEDACTIONS forwardUPnP"
|
||||
fi
|
||||
fi
|
||||
|
||||
progress_message " Generating Transitive Closure of Used-action List..."
|
||||
|
||||
changed=Yes
|
||||
@ -3695,6 +3719,26 @@ process_actions3() {
|
||||
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
|
||||
fi
|
||||
;;
|
||||
forwardUPnP)
|
||||
;;
|
||||
allowinUPnP)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
if [ -n "$xlevel" ]; then
|
||||
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900
|
||||
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152
|
||||
fi
|
||||
|
||||
run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT
|
||||
run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT
|
||||
fi
|
||||
;;
|
||||
allowoutUPnP)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
|
||||
run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
#
|
||||
# Not a builtin
|
||||
@ -3802,7 +3846,14 @@ add_nat_rule() {
|
||||
|
||||
# Select target
|
||||
|
||||
if [ -n "$serv" ]; then
|
||||
if [ "$logtarget" = SAME ]; then
|
||||
[ -n "$servport" ] && fatal_error "Port mapping not allowed in SAME rules"
|
||||
serv1=
|
||||
for srv in $(separate_list $serv); do
|
||||
serv1="$serv1 --to ${srv}"
|
||||
done
|
||||
target1="SAME $serv1"
|
||||
elif [ -n "$serv" ]; then
|
||||
servport="${servport:+:$servport}"
|
||||
serv1=
|
||||
for srv in $(separate_list $serv); do
|
||||
@ -4065,9 +4116,9 @@ add_a_rule()
|
||||
servport=${servport:=$port}
|
||||
natrule=Yes
|
||||
;;
|
||||
DNAT)
|
||||
DNAT|SAME)
|
||||
[ -n "$serv" ] || \
|
||||
fatal_error "DNAT rules require a server address; rule: \"$rule\""
|
||||
fatal_error "$logtarget rules require a server address; rule: \"$rule\""
|
||||
natrule=Yes
|
||||
;;
|
||||
LOG)
|
||||
@ -4084,7 +4135,7 @@ add_a_rule()
|
||||
if [ -n "$natrule" ]; then
|
||||
add_nat_rule
|
||||
elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
|
||||
fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\""
|
||||
fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\""
|
||||
fi
|
||||
|
||||
if [ -z "$dnat_only" ]; then
|
||||
@ -4139,7 +4190,7 @@ add_a_rule()
|
||||
|
||||
[ -n "$addr" ] && fatal_error \
|
||||
"An ORIGINAL DESTINATION ($addr) is only allowed in" \
|
||||
" a DNAT or REDIRECT: \"$rule\""
|
||||
" a DNAT, SAME or REDIRECT: \"$rule\""
|
||||
|
||||
if [ $COMMAND != check ]; then
|
||||
if [ -n "$loglevel" ]; then
|
||||
@ -4289,7 +4340,7 @@ process_rule() # $1 = target
|
||||
CONTINUE)
|
||||
target=RETURN
|
||||
;;
|
||||
DNAT*)
|
||||
DNAT*|SAME*)
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
;;
|
||||
@ -4322,8 +4373,13 @@ process_rule() # $1 = target
|
||||
excludezones="${clientzone#*!}"
|
||||
clientzone="${clientzone%!*}"
|
||||
|
||||
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
|
||||
fatal_error "Exclude list only allowed with DNAT or REDIRECT"
|
||||
case $logtarget in
|
||||
DNAT|REDIRECT|SAME)
|
||||
;;
|
||||
*)
|
||||
fatal_error "Exclude list only allowed with DNAT, SAME or REDIRECT"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\""
|
||||
@ -4386,7 +4442,7 @@ process_rule() # $1 = target
|
||||
protocol=${protocol:=all}
|
||||
|
||||
case $logtarget in
|
||||
DNAT*)
|
||||
DNAT*|SAME)
|
||||
if [ -n "$XMULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
||||
@ -4540,7 +4596,7 @@ process_rules()
|
||||
}
|
||||
|
||||
do_it() {
|
||||
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec
|
||||
expandv xprotocol xports xcports xaddress xratelimit xuserspec
|
||||
|
||||
if [ "x$xclients" = xall ]; then
|
||||
xclients="$zones $FW"
|
||||
@ -4548,13 +4604,13 @@ process_rules()
|
||||
xservers="$zones $FW"
|
||||
fi
|
||||
process_wildcard_rule
|
||||
continue
|
||||
return
|
||||
fi
|
||||
|
||||
if [ "x$xservers" = xall ]; then
|
||||
xservers="$zones $FW"
|
||||
process_wildcard_rule
|
||||
continue
|
||||
return
|
||||
fi
|
||||
|
||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||
@ -4562,10 +4618,16 @@ process_rules()
|
||||
}
|
||||
|
||||
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
|
||||
expandv xtarget
|
||||
expandv xtarget xclients xservers
|
||||
|
||||
if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then
|
||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||
progress_message " Rule \"$rule\" ignored."
|
||||
continue
|
||||
fi
|
||||
|
||||
case "${xtarget%%:*}" in
|
||||
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
|
||||
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
|
||||
do_it
|
||||
;;
|
||||
*)
|
||||
@ -4971,7 +5033,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
|
||||
|
||||
[ -n "$chain" ] && { echo $chain; return; }
|
||||
|
||||
fatal_error "No appropriate chain for zone $1 to zone $2"
|
||||
fatal_error "No policy defined for zone $1 to zone $2"
|
||||
}
|
||||
|
||||
#
|
||||
@ -5116,6 +5178,8 @@ setup_masq()
|
||||
|
||||
[ "x$addresses" = x- ] && addresses=
|
||||
|
||||
|
||||
|
||||
if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then
|
||||
for address in $(separate_list $addresses); do
|
||||
address=${address%:)}
|
||||
@ -5262,17 +5326,35 @@ setup_masq()
|
||||
target=MASQUERADE
|
||||
|
||||
if [ -n "$addresses" ]; then
|
||||
for address in $(separate_list $addresses); do
|
||||
case $address in
|
||||
*.*.*.*)
|
||||
target=SNAT
|
||||
addrlist="$addrlist --to-source $address"
|
||||
;;
|
||||
*)
|
||||
addrlist="$addrlist --to-ports ${address#:}"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
case "$addresses" in
|
||||
SAME:nodst:*)
|
||||
target="SAME --nodst"
|
||||
addresses=${addresses#SAME:nodst:}
|
||||
for address in $(separate_list $addresses); do
|
||||
addrlist="$addrlist --to $address";
|
||||
done
|
||||
;;
|
||||
SAME:*)
|
||||
target="SAME"
|
||||
addresses=${addresses#SAME:}
|
||||
for address in $(separate_list $addresses); do
|
||||
addrlist="$addrlist --to $address";
|
||||
done
|
||||
;;
|
||||
*)
|
||||
for address in $(separate_list $addresses); do
|
||||
case $address in
|
||||
*.*.*.*)
|
||||
target=SNAT
|
||||
addrlist="$addrlist --to-source $address"
|
||||
;;
|
||||
*)
|
||||
addrlist="$addrlist --to-ports ${address#:}"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if [ -n "$networks" ]; then
|
||||
@ -5621,6 +5703,7 @@ determine_capabilities() {
|
||||
PHYSDEV_MATCH=
|
||||
IPRANGE_MATCH=
|
||||
RECENT_MATCH=
|
||||
OWNER_MATCH=
|
||||
|
||||
qt $IPTABLES -N fooX1234
|
||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
@ -5630,6 +5713,7 @@ determine_capabilities() {
|
||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
|
||||
|
||||
if [ -n "$PKTTYPE" ]; then
|
||||
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
||||
@ -5660,6 +5744,7 @@ report_capabilities() {
|
||||
report_capability "Physdev Match" $PHYSDEV_MATCH
|
||||
report_capability "IP range Match" $IPRANGE_MATCH
|
||||
report_capability "Recent Match" $RECENT_MATCH
|
||||
report_capability "Owner Match" $OWNER_MATCH
|
||||
}
|
||||
|
||||
#
|
||||
@ -5678,6 +5763,11 @@ initialize_netfilter () {
|
||||
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
|
||||
fi
|
||||
|
||||
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
|
||||
|
||||
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
|
||||
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
|
||||
fi
|
||||
|
||||
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
|
||||
startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
|
||||
@ -6290,6 +6380,20 @@ add_common_rules() {
|
||||
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
|
||||
done
|
||||
fi
|
||||
#
|
||||
# UPnP
|
||||
#
|
||||
interfaces=$(find_interfaces_by_option upnp)
|
||||
|
||||
if [ -n "$interfaces" ]; then
|
||||
echo "Setting up UPnP..."
|
||||
|
||||
createnatchain UPnP
|
||||
|
||||
for interface in $interfaces; do
|
||||
run_iptables -t nat -A PREROUTING -i $interface -j UPnP
|
||||
done
|
||||
fi
|
||||
|
||||
setup_forwarding
|
||||
}
|
||||
@ -6767,6 +6871,7 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
|
||||
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
|
||||
|
||||
run_user_exit started
|
||||
}
|
||||
|
||||
#
|
||||
@ -7482,12 +7587,6 @@ do_initialize() {
|
||||
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
||||
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
||||
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
||||
|
||||
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
|
||||
|
||||
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
|
||||
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
|
||||
fi
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
@ -7672,6 +7771,10 @@ case "$COMMAND" in
|
||||
EMPTY=
|
||||
$@
|
||||
;;
|
||||
capabilities)
|
||||
do_initialize
|
||||
report_capabilities
|
||||
;;
|
||||
*)
|
||||
usage
|
||||
;;
|
||||
|
@ -249,7 +249,7 @@ find_zones() # $1 = name of the zone file
|
||||
[ -n "$zone" ] && case "$zone" in
|
||||
\#*)
|
||||
;;
|
||||
$FW)
|
||||
$FW|all|none)
|
||||
echo " Warning: Reserved zone name \"$zone\" in zones file ignored" >&2
|
||||
;;
|
||||
*)
|
||||
|
@ -254,6 +254,8 @@ show)
|
||||
|
||||
shorewall show zones - displays the contents of all zones.
|
||||
|
||||
shorewall show capabilities - displays your kernel/iptables capabilities
|
||||
|
||||
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
||||
;;
|
||||
|
||||
|
@ -135,5 +135,7 @@
|
||||
# /etc/shorewall/ipsec file then you do NOT
|
||||
# need to specify the 'ipsec' option here.
|
||||
#
|
||||
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
|
||||
#
|
||||
#ZONE HOST(S) OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -4,3 +4,5 @@
|
||||
# Add commands below that you want to be executed at the beginning of
|
||||
# a "shorewall start" or "shorewall restart" command.
|
||||
#
|
||||
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
|
||||
#
|
||||
|
@ -5,6 +5,7 @@ WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
|
||||
# Note, set INITLOG to /dev/null if you do not want to
|
||||
# keep logs of the firewall (not recommended)
|
||||
INITLOG=/var/log/shorewall-init.log
|
||||
OPTIONS="-f"
|
||||
|
||||
test -x $SRWL || exit 0
|
||||
test -n $INITLOG || {
|
||||
@ -83,7 +84,7 @@ wait_for_pppd () {
|
||||
shorewall_start () {
|
||||
echo -n "Starting \"Shorewall firewall\": "
|
||||
wait_for_pppd
|
||||
$SRWL -f start >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
$SRWL $OPTIONS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
return 0
|
||||
}
|
||||
|
||||
|
@ -55,6 +55,16 @@ usage() {
|
||||
exit 1
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Get startup options (override default)
|
||||
################################################################################
|
||||
OPTIONS="-f"
|
||||
if [ -f /etc/sysconfig/shorewall ]; then
|
||||
. /etc/sysconfig/shorewall
|
||||
elif [ -f /etc/default/shorewall ] ; then
|
||||
. /etc/default/shorewall
|
||||
fi
|
||||
|
||||
################################################################################
|
||||
# E X E C U T I O N B E G I N S H E R E #
|
||||
################################################################################
|
||||
@ -64,7 +74,7 @@ case "$command" in
|
||||
|
||||
start)
|
||||
|
||||
exec /sbin/shorewall -f start
|
||||
exec /sbin/shorewall $OPTIONS start
|
||||
;;
|
||||
|
||||
stop|restart|status)
|
||||
|
@ -5,3 +5,5 @@
|
||||
# "shorewall start" or "shorewall restart" commands at the point where
|
||||
# Shorewall has not yet added any perminent rules to the builtin chains.
|
||||
#
|
||||
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
|
||||
#
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
|
||||
VERSION=2.2.3
|
||||
VERSION=2.2.4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -76,7 +76,7 @@ delete_file() # $1 = file to delete
|
||||
install_file_with_backup() # $1 = source $2 = target $3 = mode
|
||||
{
|
||||
backup_file $2
|
||||
run_install -o $OWNER -g $GROUP -m $3 $1 ${2}
|
||||
run_install $OWNERSHIP -m $3 $1 ${2}
|
||||
}
|
||||
|
||||
#
|
||||
@ -133,11 +133,21 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
#
|
||||
DEBIAN=
|
||||
|
||||
OWNERSHIP="-o $OWNER -g $GROUP"
|
||||
|
||||
if [ -n "$PREFIX" ]; then
|
||||
install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}/sbin
|
||||
install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}${DEST}
|
||||
if [ `id -u` != 0 ] ; then
|
||||
echo "Not setting file owner/group permissions, not running as root."
|
||||
OWNERSHIP=""
|
||||
fi
|
||||
|
||||
install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
|
||||
install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
|
||||
elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
|
||||
DEBIAN=yes
|
||||
elif [ -f /etc/slackware-version ] ; then
|
||||
DEST="/etc/rc.d"
|
||||
INIT="rc.firewall"
|
||||
fi
|
||||
|
||||
#
|
||||
@ -185,7 +195,7 @@ mkdir -p ${PREFIX}/var/lib/shorewall
|
||||
if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
|
||||
backup_file /etc/shorewall/shorewall.conf
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
|
||||
run_install $OWNERSHIP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
|
||||
echo
|
||||
echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
|
||||
fi
|
||||
@ -195,7 +205,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/zones ]; then
|
||||
backup_file /etc/shorewall/zones
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones
|
||||
run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall/zones
|
||||
echo
|
||||
echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
|
||||
fi
|
||||
@ -232,7 +242,7 @@ delete_file icmp.def
|
||||
if [ -f ${PREFIX}/etc/shorewall/policy ]; then
|
||||
backup_file /etc/shorewall/policy
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 policy ${PREFIX}/etc/shorewall/policy
|
||||
run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall/policy
|
||||
echo
|
||||
echo "Policy file installed as ${PREFIX}/etc/shorewall/policy"
|
||||
fi
|
||||
@ -242,7 +252,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/interfaces ]; then
|
||||
backup_file /etc/shorewall/interfaces
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
|
||||
run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
|
||||
echo
|
||||
echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
|
||||
fi
|
||||
@ -252,7 +262,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/ipsec ]; then
|
||||
backup_file /etc/shorewall/ipsec
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
|
||||
run_install $OWNERSHIP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
|
||||
echo
|
||||
echo "Ipsec file installed as ${PREFIX}/etc/shorewall/ipsec"
|
||||
fi
|
||||
@ -262,7 +272,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/hosts ]; then
|
||||
backup_file /etc/shorewall/hosts
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
|
||||
run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
|
||||
echo
|
||||
echo "Hosts file installed as ${PREFIX}/etc/shorewall/hosts"
|
||||
fi
|
||||
@ -272,7 +282,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/rules ]; then
|
||||
backup_file /etc/shorewall/rules
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 rules ${PREFIX}/etc/shorewall/rules
|
||||
run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall/rules
|
||||
echo
|
||||
echo "Rules file installed as ${PREFIX}/etc/shorewall/rules"
|
||||
fi
|
||||
@ -282,7 +292,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/nat ]; then
|
||||
backup_file /etc/shorewall/nat
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 nat ${PREFIX}/etc/shorewall/nat
|
||||
run_install $OWNERSHIP -m 0600 nat ${PREFIX}/etc/shorewall/nat
|
||||
echo
|
||||
echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
|
||||
fi
|
||||
@ -292,7 +302,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/netmap ]; then
|
||||
backup_file /etc/shorewall/netmap
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap
|
||||
run_install $OWNERSHIP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap
|
||||
echo
|
||||
echo "NETMAP file installed as ${PREFIX}/etc/shorewall/netmap"
|
||||
fi
|
||||
@ -302,7 +312,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/params ]; then
|
||||
backup_file /etc/shorewall/params
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params
|
||||
run_install $OWNERSHIP -m 0600 params ${PREFIX}/etc/shorewall/params
|
||||
echo
|
||||
echo "Parameter file installed as ${PREFIX}/etc/shorewall/params"
|
||||
fi
|
||||
@ -312,7 +322,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/proxyarp ]; then
|
||||
backup_file /etc/shorewall/proxyarp
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
|
||||
run_install $OWNERSHIP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
|
||||
echo
|
||||
echo "Proxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp"
|
||||
fi
|
||||
@ -322,7 +332,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/routestopped ]; then
|
||||
backup_file /etc/shorewall/routestopped
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped
|
||||
run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped
|
||||
echo
|
||||
echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
|
||||
fi
|
||||
@ -332,7 +342,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/maclist ]; then
|
||||
backup_file /etc/shorewall/maclist
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
|
||||
run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
|
||||
echo
|
||||
echo "MAC list file installed as ${PREFIX}/etc/shorewall/maclist"
|
||||
fi
|
||||
@ -342,7 +352,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/masq ]; then
|
||||
backup_file /etc/shorewall/masq
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 masq ${PREFIX}/etc/shorewall/masq
|
||||
run_install $OWNERSHIP -m 0600 masq ${PREFIX}/etc/shorewall/masq
|
||||
echo
|
||||
echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
|
||||
fi
|
||||
@ -352,7 +362,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/modules ]; then
|
||||
backup_file /etc/shorewall/modules
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 modules ${PREFIX}/etc/shorewall/modules
|
||||
run_install $OWNERSHIP -m 0600 modules ${PREFIX}/etc/shorewall/modules
|
||||
echo
|
||||
echo "Modules file installed as ${PREFIX}/etc/shorewall/modules"
|
||||
fi
|
||||
@ -362,7 +372,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/tcrules ]; then
|
||||
backup_file /etc/shorewall/tcrules
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
|
||||
run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
|
||||
echo
|
||||
echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
|
||||
fi
|
||||
@ -373,7 +383,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/tos ]; then
|
||||
backup_file /etc/shorewall/tos
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 tos ${PREFIX}/etc/shorewall/tos
|
||||
run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall/tos
|
||||
echo
|
||||
echo "TOS file installed as ${PREFIX}/etc/shorewall/tos"
|
||||
fi
|
||||
@ -383,7 +393,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/tunnels ]; then
|
||||
backup_file /etc/shorewall/tunnels
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
|
||||
run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
|
||||
echo
|
||||
echo "Tunnels file installed as ${PREFIX}/etc/shorewall/tunnels"
|
||||
fi
|
||||
@ -393,7 +403,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/blacklist ]; then
|
||||
backup_file /etc/shorewall/blacklist
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
|
||||
run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
|
||||
echo
|
||||
echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
|
||||
fi
|
||||
@ -428,7 +438,7 @@ echo " Default config path file installed as ${PREFIX}/usr/share/shorewall/confi
|
||||
if [ -f ${PREFIX}/etc/shorewall/init ]; then
|
||||
backup_file /etc/shorewall/init
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 init ${PREFIX}/etc/shorewall/init
|
||||
run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall/init
|
||||
echo
|
||||
echo "Init file installed as ${PREFIX}/etc/shorewall/init"
|
||||
fi
|
||||
@ -438,7 +448,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/initdone ]; then
|
||||
backup_file /etc/shorewall/initdone
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone
|
||||
run_install $OWNERSHIP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone
|
||||
echo
|
||||
echo "Initdone file installed as ${PREFIX}/etc/shorewall/initdone"
|
||||
fi
|
||||
@ -448,7 +458,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/start ]; then
|
||||
backup_file /etc/shorewall/start
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 start ${PREFIX}/etc/shorewall/start
|
||||
run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall/start
|
||||
echo
|
||||
echo "Start file installed as ${PREFIX}/etc/shorewall/start"
|
||||
fi
|
||||
@ -458,7 +468,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/stop ]; then
|
||||
backup_file /etc/shorewall/stop
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 stop ${PREFIX}/etc/shorewall/stop
|
||||
run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall/stop
|
||||
echo
|
||||
echo "Stop file installed as ${PREFIX}/etc/shorewall/stop"
|
||||
fi
|
||||
@ -468,7 +478,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/stopped ]; then
|
||||
backup_file /etc/shorewall/stopped
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
|
||||
run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
|
||||
echo
|
||||
echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
|
||||
fi
|
||||
@ -478,7 +488,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/ecn ]; then
|
||||
backup_file /etc/shorewall/ecn
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
|
||||
run_install $OWNERSHIP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
|
||||
echo
|
||||
echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
|
||||
fi
|
||||
@ -488,7 +498,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/accounting ]; then
|
||||
backup_file /etc/shorewall/accounting
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
|
||||
run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
|
||||
echo
|
||||
echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
|
||||
fi
|
||||
@ -498,11 +508,21 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/continue ]; then
|
||||
backup_file /etc/shorewall/continue
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 continue ${PREFIX}/etc/shorewall/continue
|
||||
run_install $OWNERSHIP -m 0600 continue ${PREFIX}/etc/shorewall/continue
|
||||
echo
|
||||
echo "Continue file installed as ${PREFIX}/etc/shorewall/continue"
|
||||
fi
|
||||
#
|
||||
# Install the Started file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/started ]; then
|
||||
backup_file /etc/shorewall/started
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 started ${PREFIX}/etc/shorewall/started
|
||||
echo
|
||||
echo "Started file installed as ${PREFIX}/etc/shorewall/started"
|
||||
fi
|
||||
#
|
||||
# Install the Standard Actions file
|
||||
#
|
||||
install_file_with_backup actions.std ${PREFIX}/usr/share/shorewall/actions.std 0600
|
||||
@ -515,7 +535,7 @@ echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
|
||||
if [ -f ${PREFIX}/etc/shorewall/actions ]; then
|
||||
backup_file /etc/shorewall/actions
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 actions ${PREFIX}/etc/shorewall/actions
|
||||
run_install $OWNERSHIP -m 0600 actions ${PREFIX}/etc/shorewall/actions
|
||||
echo
|
||||
echo "Actions file installed as ${PREFIX}/etc/shorewall/actions"
|
||||
fi
|
||||
@ -556,7 +576,7 @@ install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544
|
||||
|
||||
if [ -z "$PREFIX" -a -n "$first_install" ]; then
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
|
||||
run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall
|
||||
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
|
||||
echo
|
||||
echo "shorewall will start automatically at boot"
|
||||
|
@ -167,6 +167,8 @@
|
||||
# detectnets - Automatically taylors the zone named
|
||||
# in the ZONE column to include only those
|
||||
# hosts routed through the interface.
|
||||
# upnp - Incoming requests from this interface may
|
||||
# be remapped via UPNP (upnpd).
|
||||
#
|
||||
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
||||
# INTERNET INTERFACE.
|
||||
@ -199,6 +201,9 @@
|
||||
# connections.
|
||||
#
|
||||
# net ppp0 -
|
||||
#
|
||||
# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
|
||||
#
|
||||
##############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
#
|
||||
|
@ -1,6 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.2 - MAC list file
|
||||
#
|
||||
# This file is used to define the MAC addresses and optionally their
|
||||
# associated IP addresses to be allowed to use the specified interface.
|
||||
# The feature is enabled by using the maclist option in the interfaces
|
||||
# or hosts configuration file.
|
||||
#
|
||||
# /etc/shorewall/maclist
|
||||
#
|
||||
# Columns are:
|
||||
@ -18,6 +23,9 @@
|
||||
# list of host and/or subnet addresses. If your kernel
|
||||
# and iptables have iprange match support then IP
|
||||
# address ranges are also allowed.
|
||||
#
|
||||
# For additional information, see http://shorewall.net/MAC_Validation.html
|
||||
#
|
||||
##############################################################################
|
||||
#INTERFACE MAC IP ADDRESSES (Optional)
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
16
STABLE2/masq
16
STABLE2/masq
@ -86,6 +86,20 @@
|
||||
# 192.0.2.4:5000-6000
|
||||
# :4000-5000
|
||||
#
|
||||
# You can invoke the SAME target using the
|
||||
# following in this column:
|
||||
#
|
||||
# SAME:[nodst:]<address-range>[,<address-range>...]
|
||||
#
|
||||
# The <address-ranges> may be single addresses.
|
||||
#
|
||||
# SAME works like SNAT with the exception that the
|
||||
# same local IP address is assigned to each connection
|
||||
# from a local address to a given remote address. If
|
||||
# the 'nodst:' option is included, then the same source
|
||||
# address is used for a given internal system regardless
|
||||
# of which remote system is involved.
|
||||
#
|
||||
# If you want to leave this column empty
|
||||
# but you need to specify the next column then
|
||||
# place a hyphen ("-") here.
|
||||
@ -195,6 +209,8 @@
|
||||
#
|
||||
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
|
||||
#
|
||||
# For additional information, see http://shorewall.net/Documentation.htm#Masq
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -7,6 +7,7 @@
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
|
||||
# you load M2.
|
||||
#
|
||||
# For additional information, see http://shorewall.net/Documentation.htm#modules
|
||||
|
||||
loadmodule ip_tables
|
||||
loadmodule iptable_filter
|
||||
|
@ -38,6 +38,8 @@
|
||||
#
|
||||
# LOCAL If Yes or yes, NAT will be effective from the firewall
|
||||
# system
|
||||
#
|
||||
# For additional information, see http://shorewall.net/NAT.htm
|
||||
##############################################################################
|
||||
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
|
@ -85,6 +85,7 @@
|
||||
# #
|
||||
# all all REJECT info
|
||||
#
|
||||
# See http://shorewall.net/Documentation.htm#Policy for additional information.
|
||||
###############################################################################
|
||||
#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||
# LEVEL
|
||||
|
@ -39,6 +39,8 @@
|
||||
#
|
||||
# #ADDRESS INTERFACE EXTERNAL
|
||||
# 155.186.235.6 eth1 eth0
|
||||
#
|
||||
# See http://shorewall.net/ProxyARP.htm for additional information.
|
||||
##############################################################################
|
||||
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,4 +1,183 @@
|
||||
Shorewall 2.2.3
|
||||
Shorewall 2.2.4
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in version 2.2.4
|
||||
|
||||
1) The error message:
|
||||
|
||||
Error: No appropriate chain for zone <z1> to zone <z2>
|
||||
|
||||
has been changed to one that is more self-explanatory:
|
||||
|
||||
Error: No policy defined for zone <z1> to zone <z2>
|
||||
|
||||
2) When only an interface name appeared in the HOST(S) column of an
|
||||
/etc/shorewall/hosts file entry, a misleading iptables error message
|
||||
resulted. Now the following message is generated:
|
||||
|
||||
Error: Invalid HOST(S) column contents: <column contents>
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
New Features in version 2.2.4
|
||||
|
||||
1) Support has been added for UPnP using linux-igd
|
||||
(http://linux-idg.sourceforge.net). UPnP is required by a number of
|
||||
popular applications including MSN IM.
|
||||
|
||||
WARNING: From a security architecture viewpoint, UPnP is a
|
||||
disaster. It assumes that:
|
||||
|
||||
a) All local systems and their users are completely
|
||||
trustworthy.
|
||||
|
||||
b) No local system is infected with any worm or trojan.
|
||||
|
||||
If either of these assumptions are not true then UPnP can
|
||||
be used to totally defeat your firewall and to allow
|
||||
incoming connections to arbitrary local systems on any port
|
||||
whatsoever.
|
||||
|
||||
In short: USE UPnP AT YOUR OWN RISK.
|
||||
|
||||
WARNING: The linux-igd project appears to be inactive and the web
|
||||
site does not display correctly on any open source browser
|
||||
that I've tried.
|
||||
|
||||
Building and installing linux-igd is not for the faint of
|
||||
heart. You must download the source from CVS and be
|
||||
prepared to do quite a bit of fiddling with the include
|
||||
files from libupnp (which is required to build and/or run
|
||||
linux-igd).
|
||||
|
||||
linux-idg Configuration:
|
||||
|
||||
In /etc/upnpd.conf, you will want:
|
||||
|
||||
insert_forward_rules = yes
|
||||
prerouting_chain_name = UPnP
|
||||
forward_chain_name = forwardUPnP
|
||||
|
||||
Shorewall Configuration:
|
||||
|
||||
In /etc/shorewall/interfaces, you need the 'upnp' option
|
||||
on your external interface.
|
||||
|
||||
If your fw->loc policy is not ACCEPT then you need this
|
||||
rule:
|
||||
|
||||
allowoutUPnP fw loc
|
||||
|
||||
Note: To use 'allowoutUPnP', your iptables and kernel must
|
||||
support the 'owner match' feature (see the output of
|
||||
"shorewall check").
|
||||
|
||||
If your loc->fw policy is not ACCEPT then you need this
|
||||
rule:
|
||||
|
||||
allowinUPnP loc fw
|
||||
|
||||
You MUST have this rule:
|
||||
|
||||
forwardUPnP net loc
|
||||
|
||||
You must also ensure that you have a route to 224.0.0.0/4 on your
|
||||
internal (local) interface.
|
||||
|
||||
2) A new 'started' extension script has been added. The difference
|
||||
between this extension script and /etc/shorewall/start is that this
|
||||
one is invoked after delayed loading of the blacklist
|
||||
(DELAYBLACKLISTLOAD=Yes) and after the 'shorewall' chain has been
|
||||
created (thus signaling that the firewall is completely up.
|
||||
|
||||
/etc/shorewall/started should not change the firewall configuration
|
||||
directly but may do so indirectly by running /sbin/shorewall with
|
||||
the 'nolock' option.
|
||||
|
||||
3) By default, shorewall is started with the "-f" (fast) option when
|
||||
your system boots. You can override that setting by setting the
|
||||
OPTIONS variable in /etc/sysconfig/shorewall (SuSE/Redhat) or
|
||||
/etc/default/shorewall (Debian/Bering). If neither file exists, feel
|
||||
free to create one.
|
||||
|
||||
Example: If you want Shorewall to always use the config files even
|
||||
if there is a saved configuration, then specify:
|
||||
|
||||
OPTIONS=""
|
||||
|
||||
4) Shorewall now has support for the SAME target. This change affects
|
||||
the /etc/shorewall/masq and /etc/shorewall/rules file.
|
||||
|
||||
SAME is useful when you specify multiple target IP addresses (in the
|
||||
ADDRESSES column of /etc/shorewall/masq or in the DEST column of
|
||||
/etc/shorewall/rules).
|
||||
|
||||
If you use normal SNAT then multiple connections from a given local
|
||||
host to hosts on the internet can be assigned different source IP
|
||||
addresses. This confuses some applications that use multiple
|
||||
connections. To correct this problem, prefix the list of address
|
||||
ranges in the ADDRESS column with "SAME:"
|
||||
|
||||
Example: SAME:206.124.146.176-206.124.146.180
|
||||
|
||||
If you want each internal system to use the same IP address from the
|
||||
list regardless of which internet host it is talking to then prefix
|
||||
the rages with "SAME:nodst:".
|
||||
|
||||
Example: SAME:nodst:206.124.146.176-206.124.146.180
|
||||
|
||||
Note that it is not possible to map port numbers when using SAME.
|
||||
|
||||
In the rules file, when multiple connections from an internet host
|
||||
match a SAME rule then all of the connections will be sent to the
|
||||
same internal server. SAME rules are very similar to DNAT rules with
|
||||
the keyword SAME replacing DNAT. As in the masq file, changing the
|
||||
port number is not supported.
|
||||
|
||||
5) A "shorewall show capabilities" command has been added to report the
|
||||
capabilities of your kernel and iptables.
|
||||
|
||||
Example:
|
||||
|
||||
gateway:~# shorewall show capabilities
|
||||
Loading /usr/share/shorewall/functions...
|
||||
Processing /etc/shorewall/params ...
|
||||
Processing /etc/shorewall/shorewall.conf...
|
||||
Loading Modules...
|
||||
Shorewall has detected the following iptables/netfilter capabilities:
|
||||
NAT: Available
|
||||
Packet Mangling: Available
|
||||
Multi-port Match: Available
|
||||
Extended Multi-port Match: Available
|
||||
Connection Tracking Match: Available
|
||||
Packet Type Match: Not available
|
||||
Policy Match: Available
|
||||
Physdev Match: Available
|
||||
IP range Match: Available
|
||||
Recent Match: Available
|
||||
Owner Match: Available
|
||||
gateway:~#
|
||||
|
||||
6) A "-v" option has been added to /sbin/shorewall. Currently, this
|
||||
option only affects the "show log" command (e.g., "shorewall -v show
|
||||
log") and the "monitor" command. In these commands, it causes the
|
||||
MAC address in the log message (if any) to be displayed. As
|
||||
previously, when "-v" is omitted, the MAC address is suppressed.
|
||||
|
||||
7) In /etc/shorewall/rules, a value of 'none' in either the SOURCE or
|
||||
DEST columns now causes the rule to be ignored. This is most useful
|
||||
when used with shell variables:
|
||||
|
||||
Example:
|
||||
|
||||
/etc/shorewall/rules:
|
||||
|
||||
AllowFTP $FTP_CLIENTS fw
|
||||
|
||||
When FTP_CLIENTS is set to 'none', the above rule is ignored.
|
||||
Otherwise, the rule is evaluated and generates Netfilter rules.
|
||||
|
||||
8) The installer now detects that it is running on a Slackware system
|
||||
and adjusts the DEST and INIT variables accordingly.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in version 2.2.3
|
||||
|
@ -31,6 +31,10 @@
|
||||
# eth2 192.168.1.0/24
|
||||
# eth0 192.0.2.44
|
||||
# br0 - routeback
|
||||
#
|
||||
# See http://shorewall.net/Documentation.htm#Routestopped and
|
||||
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
|
||||
# information.
|
||||
##############################################################################
|
||||
#INTERFACE HOST(S) OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -42,6 +42,16 @@
|
||||
# Like DNAT but only generates the
|
||||
# DNAT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
# SAME -- Similar to DNAT except that the
|
||||
# port may not be remapped and when
|
||||
# multiple server addresses are
|
||||
# listed, all requests from a given
|
||||
# remote system go to the same
|
||||
# server.
|
||||
# SAME- -- Advanced users only.
|
||||
# Like SAME but only generates the
|
||||
# NAT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
# REDIRECT -- Redirect the request to a local
|
||||
# port on the firewall.
|
||||
# REDIRECT-
|
||||
@ -102,11 +112,14 @@
|
||||
#
|
||||
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||
# defined in /etc/shorewall/zones, $FW to indicate the
|
||||
# firewall itself, or "all" If the ACTION is DNAT or
|
||||
# firewall itself, "all" or "none" If the ACTION is DNAT or
|
||||
# REDIRECT, sub-zones of the specified zone may be
|
||||
# excluded from the rule by following the zone name with
|
||||
# "!' and a comma-separated list of sub-zone names.
|
||||
#
|
||||
# When "none" is used either in the SOURCE or DEST column,
|
||||
# the rule is ignored.
|
||||
#
|
||||
# When "all" is used either in the SOURCE or DEST column
|
||||
# intra-zone traffic is not affected. You must add
|
||||
# separate rules to handle that traffic.
|
||||
@ -147,7 +160,10 @@
|
||||
#
|
||||
# DEST Location of Server. May be a zone defined in
|
||||
# /etc/shorewall/zones, $FW to indicate the firewall
|
||||
# itself or "all"
|
||||
# itself, "all" or "none".
|
||||
#
|
||||
# When "none" is used either in the SOURCE or DEST column,
|
||||
# the rule is ignored.
|
||||
#
|
||||
# When "all" is used either in the SOURCE or DEST column
|
||||
# intra-zone traffic is not affected. You must add
|
||||
|
@ -58,6 +58,7 @@
|
||||
# shorewall show {mangle|tos} Display the rules in the mangle table
|
||||
# shorewall show tc Display traffic control info
|
||||
# shorewall show classifiers Display classifiers
|
||||
# shorewall show capabilities Display iptables/kernel capabilities
|
||||
# shorewall version Display the installed version id
|
||||
# shorewall check Verify the more heavily-used
|
||||
# configuration files.
|
||||
@ -353,11 +354,18 @@ packet_log() # $1 = number of messages
|
||||
|
||||
[ -n "$realtail" ] && options="-n$1"
|
||||
|
||||
grep "${LOGFORMAT}" $LOGFILE | \
|
||||
sed s/" kernel:"// | \
|
||||
sed s/" $host $LOGFORMAT"/" "/ | \
|
||||
sed 's/MAC=.* SRC=/SRC=/' | \
|
||||
tail $options
|
||||
if [ -n "$VERBOSE" ]; then
|
||||
grep "${LOGFORMAT}" $LOGFILE | \
|
||||
sed s/" kernel:"// | \
|
||||
sed s/" $host $LOGFORMAT"/" "/ | \
|
||||
tail $options
|
||||
else
|
||||
grep "${LOGFORMAT}" $LOGFILE | \
|
||||
sed s/" kernel:"// | \
|
||||
sed s/" $host $LOGFORMAT"/" "/ | \
|
||||
sed 's/MAC=.* SRC=/SRC=/' | \
|
||||
tail $options
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
@ -595,7 +603,7 @@ help()
|
||||
#
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
|
||||
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -x ] [ -q ] [ -f ] [ -v ] <command>"
|
||||
echo "where <command> is one of:"
|
||||
echo " add <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
|
||||
echo " allow <address> ..."
|
||||
@ -616,14 +624,13 @@ usage() # $1 = exit status
|
||||
echo " restart [ <directory> ]"
|
||||
echo " restore [ <file name> ]"
|
||||
echo " save [ <file name> ]"
|
||||
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos|zones]"
|
||||
echo " show [<chain> [ <chain> ... ]|capabilities|classifiers|connections|log|nat|tc|tos|zones]"
|
||||
echo " start [ <directory> ]"
|
||||
echo " stop"
|
||||
echo " status"
|
||||
echo " try <directory> [ <timeout> ]"
|
||||
echo " version"
|
||||
echo
|
||||
echo "The -c and -f options may not be specified with a <directory> in the start, restart and check commands"
|
||||
exit $1
|
||||
}
|
||||
|
||||
@ -664,6 +671,7 @@ SHOREWALL_DIR=
|
||||
QUIET=
|
||||
IPT_OPTIONS="-nv"
|
||||
FAST=
|
||||
VERBOSE=
|
||||
|
||||
done=0
|
||||
|
||||
@ -705,6 +713,10 @@ while [ $done -eq 0 ]; do
|
||||
FAST=Yes
|
||||
option=${option#f}
|
||||
;;
|
||||
v*)
|
||||
VERBOSE=Yes
|
||||
option=${option#v}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
@ -938,6 +950,9 @@ case "$1" in
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
capabilities)
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock capabilities
|
||||
;;
|
||||
*)
|
||||
shift
|
||||
|
||||
|
@ -6,7 +6,7 @@
|
||||
#
|
||||
# This file should be placed in /etc/shorewall
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
|
||||
##############################################################################
|
||||
# S T A R T U P E N A B L E D
|
||||
##############################################################################
|
||||
@ -399,9 +399,8 @@ RETAIN_ALIASES=No
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
|
||||
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
|
||||
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
|
||||
# you must enable packet mangling above.
|
||||
#
|
||||
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities).
|
||||
|
||||
TC_ENABLED=No
|
||||
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 2.2.3
|
||||
%define version 2.2.4
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -94,6 +94,7 @@ fi
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/continue
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/started
|
||||
|
||||
%attr(0544,root,root) /sbin/shorewall
|
||||
|
||||
@ -138,6 +139,10 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
|
||||
|
||||
%changelog
|
||||
* Mon Apr 11 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.4-1
|
||||
* Fri Apr 08 2005 Tom Eastep tom@shorewall.net
|
||||
- Added /etc/shorewall/started
|
||||
* Tue Apr 05 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.3-1
|
||||
* Mon Mar 07 2005 Tom Eastep tom@shorewall.net
|
||||
|
@ -4,3 +4,5 @@
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# been started or restarted.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
@ -4,3 +4,5 @@
|
||||
# Add commands below that you want to be executed at the beginning of a
|
||||
# "shorewall stop" command.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
@ -4,3 +4,5 @@
|
||||
# Add commands below that you want to be executed at the completion of a
|
||||
# "shorewall stop" command.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
@ -147,6 +147,8 @@
|
||||
# testing
|
||||
# :C Designates a connection mark. If omitted,
|
||||
# the packet mark's value is tested.
|
||||
#
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
##############################################################################
|
||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||
# PORT(S)
|
||||
|
@ -108,6 +108,10 @@
|
||||
#
|
||||
# generic:udp:4444 net 4.3.99.124
|
||||
#
|
||||
#
|
||||
# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
|
||||
#
|
||||
# TYPE ZONE GATEWAY GATEWAY
|
||||
# ZONE
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=2.2.3
|
||||
VERSION=2.2.4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -4,6 +4,8 @@
|
||||
# This file determines your network zones. Columns are:
|
||||
#
|
||||
# ZONE Short name of the zone (5 Characters or less in length).
|
||||
# The names "all" and "none" are reserved and may not be
|
||||
# used as zone names.
|
||||
# DISPLAY Display name of the zone
|
||||
# COMMENTS Comments about the zone
|
||||
#
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-04-17</pubdate>
|
||||
<pubdate>2005-04-29</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2005</year>
|
||||
@ -2565,28 +2565,6 @@ eth0 eth1 206.124.146.176</programlisting>
|
||||
place <quote>Yes</quote> in the HAVEROUTE column.</para>
|
||||
</tip></para>
|
||||
</example>
|
||||
|
||||
<warning>
|
||||
<para>Do not use Proxy ARP and FreeS/Wan on the same system unless you
|
||||
are prepared to suffer the consequences. If you start or restart
|
||||
Shorewall with an IPSEC tunnel active, the proxied IP addresses are
|
||||
mistakenly assigned to the IPSEC tunnel device (ipsecX) rather than to
|
||||
the interface that you specify in the INTERFACE column of
|
||||
<filename>/etc/shorewall/proxyarp</filename>. I haven't had the time to
|
||||
debug this problem so I can't say if it is a bug in the Kernel or in
|
||||
FreeS/Wan.</para>
|
||||
|
||||
<para>You <emphasis role="bold">might</emphasis> be able to work around
|
||||
this problem using the following (I haven't tried it):</para>
|
||||
|
||||
<para>In <filename>/etc/shorewall/init</filename>, include:</para>
|
||||
|
||||
<programlisting><command>qt /etc/init.d/ipsec stop</command></programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/start</filename>, include:</para>
|
||||
|
||||
<programlisting><command>qt /etc/init.d/ipsec start</command></programlisting>
|
||||
</warning>
|
||||
</section>
|
||||
|
||||
<section id="NAT" xreflabel="/etc/shorewall/nat">
|
||||
@ -2698,7 +2676,7 @@ eth0 eth1 206.124.146.176</programlisting>
|
||||
6to4 and other tunnels with end-points on your firewall.</para>
|
||||
|
||||
<para>For an overview of Shorewall's VPN support, try <ulink
|
||||
url="VPNBasics.html">this article</ulink>. </para>
|
||||
url="VPNBasics.html">this article</ulink>.</para>
|
||||
|
||||
<para>Instructions for setting up <ulink url="IPSEC.htm">IPSEC
|
||||
tunnels</ulink> may be found here (if you are using kernel 2.6 with native
|
||||
|
@ -17,7 +17,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-04-08</pubdate>
|
||||
<pubdate>2005-04-24</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2005</year>
|
||||
@ -278,6 +278,23 @@ DNAT loc dmz:192.168.2.4 tcp 80 - 206
|
||||
# PORT DEST.
|
||||
DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="faq1e">
|
||||
<title>(FAQ 1e) In order to discourage brute force attacks I would
|
||||
like to redirect all connections on a non-standard port (4104) to port
|
||||
22 on the router/firewall. I notice that setting up a REDIRECT rule
|
||||
causes the firewall to open both ports 4104 and 22 to connections from
|
||||
the net. Is it possible to only redirect 4104 to the localhost port 22
|
||||
and have connection attempts to port 22 from the net dropped?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer </emphasis>courtesy of Ryan: Assume
|
||||
that the IP address of your local firewall interface is 192.168.1.1.
|
||||
If you add the following rule then from the net, you will have 4104
|
||||
listening, from your LAN, port 22.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
DNAT net fw:192.168.1.1:22 tcp 4104</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="faq30">
|
||||
|
@ -15,10 +15,10 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-12-23</pubdate>
|
||||
<pubdate>2005-05-29</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
<year>2001-2005</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@ -55,7 +55,7 @@
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Configuring FreeS/Wan</title>
|
||||
<title>Configuring FreeS/Wan and Derivatives Such as OpenS/Wan</title>
|
||||
|
||||
<para>There is an excellent guide to configuring IPSEC tunnels at <ulink
|
||||
url="http://jixen.tripod.com/">http://jixen.tripod.com/</ulink>. I highly
|
||||
|
Loading…
Reference in New Issue
Block a user