Shorewall 2.2.4

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2070 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-05-02 16:28:11 +00:00
parent cc7d0ddad2
commit dcc4181eed
41 changed files with 575 additions and 127 deletions

View File

@ -11,6 +11,9 @@
# 2. Copy this file to /etc/shorewall/action.<action name>
# 3. Add the desired rules to that file.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Columns are:
#
#

View File

@ -8,7 +8,7 @@
#
# ACTION names should begin with an upper-case letter to
# distinguish them from Shorewall-generated chain names and
# they must need the requirements of a Netfilter chain. If
# they must meet the requirements of a Netfilter chain. If
# you intend to log from the action then the name must be
# no longer than 11 character in length. Names must also
# meet the requirements for a Bourne Shell identifier (must
@ -24,6 +24,9 @@
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
# itself, the associated policy will have no common action.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
#ACTION
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

View File

@ -1,6 +1,8 @@
#
# Shorewall 2.2 /usr/share/shorewall/actions.std
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Builtin Actions are:
#
@ -12,6 +14,10 @@
# #conntrack state.
# allowInvalid #Accept packets that are in the INVALID
# #conntrack state.
# allowoutUPnP #Allow traffic from local command 'upnpd'
# allowinUPnP #Allow UPnP inbound (to firewall) traffic
# forwardUPnP #Allow traffic that upnpd has redirected from
# #'upnp' interfaces.
#
#ACTION

View File

@ -38,6 +38,9 @@
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -44,11 +44,9 @@
31.0.0.0/8 logdrop # Reserved
36.0.0.0/7 logdrop # Reserved
39.0.0.0/8 logdrop # Reserved
41.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
73.0.0.0/8 logdrop # Reserved
74.0.0.0/7 logdrop # Reserved
76.0.0.0/6 logdrop # Reserved
89.0.0.0/8 logdrop # Reserved

View File

@ -1,3 +1,30 @@
Changes in 2.2.4
1) Added support for UPnP
2) Add 'started' hook.
3) Make an error message more self-explanatory
4) Report Owner Match capability
5) Add Paul Traina's patch to install.sh.
6) Allow startup options to be overridden in /etc/sysconfig/shorewall
or /etc/default/shorewall.
7) Add support for SAME
8) Add 'shorewall show capabilities'
8) Add '-v' option
9) Allow 'none' in /etc/shorewall/rules.
10) Add error message for invalid HOST(S) column contents.
11) Apply Christian Rodriguez's patch for Slackware install.
Changes in 2.2.3
1) Added the 'continue' extension script.

View File

@ -4,3 +4,5 @@
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing connections.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#

View File

@ -15,6 +15,8 @@
# 0.0.0.0/0 is assumed. If your kernel and iptables
# include iprange match support then IP address ranges
# are also permitted.
#
# For additional information, see http://shorewall.net/Documentation.htm#ECN
##############################################################################
#INTERFACE HOST(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=2.2.3
VERSION=2.2.4
usage() # $1 = exit status
{

View File

@ -937,7 +937,7 @@ validate_interfaces_file() {
for option in $options; do
case $option in
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|-)
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
;;
detectnets)
[ -n "$wildcard" ] && \
@ -975,13 +975,21 @@ validate_hosts_file() {
r="$z $hosts $options"
validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\""
interface=${hosts%%:*}
iface=$(chain_base $interface)
case $hosts in
*:*)
list_search $interface $ALL_INTERFACES || \
startup_error "Unknown interface ($interface) in record \"$r\""
interface=${hosts%%:*}
iface=$(chain_base $interface)
hosts=${hosts#*:}
list_search $interface $ALL_INTERFACES || \
startup_error "Unknown interface ($interface) in record \"$r\""
hosts=${hosts#*:}
;;
*)
fatal_error "Invalid HOST(S) column contents: $hosts"
;;
esac
eval ports=\$${iface}_ports
eval zports=\$${z}_ports
@ -2826,6 +2834,12 @@ check_config() {
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
fi
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi
echo "Determining Zones..."
determine_zones
@ -3473,7 +3487,8 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
#
process_actions1() {
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid"
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
USEDACTIONS=
strip_file actions
@ -3544,6 +3559,15 @@ process_actions1() {
process_actions2() {
local interfaces="$(find_interfaces_by_option upnp)"
if [ -n "$interfaces" ]; then
if ! list_search forwardUPnP $USEDACTIONS; then
error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)"
USEDACTIONS="$USEDACTIONS forwardUPnP"
fi
fi
progress_message " Generating Transitive Closure of Used-action List..."
changed=Yes
@ -3695,6 +3719,26 @@ process_actions3() {
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
fi
;;
forwardUPnP)
;;
allowinUPnP)
if [ "$COMMAND" != check ]; then
if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152
fi
run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT
run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT
fi
;;
allowoutUPnP)
if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
fi
;;
*)
#
# Not a builtin
@ -3802,7 +3846,14 @@ add_nat_rule() {
# Select target
if [ -n "$serv" ]; then
if [ "$logtarget" = SAME ]; then
[ -n "$servport" ] && fatal_error "Port mapping not allowed in SAME rules"
serv1=
for srv in $(separate_list $serv); do
serv1="$serv1 --to ${srv}"
done
target1="SAME $serv1"
elif [ -n "$serv" ]; then
servport="${servport:+:$servport}"
serv1=
for srv in $(separate_list $serv); do
@ -4065,9 +4116,9 @@ add_a_rule()
servport=${servport:=$port}
natrule=Yes
;;
DNAT)
DNAT|SAME)
[ -n "$serv" ] || \
fatal_error "DNAT rules require a server address; rule: \"$rule\""
fatal_error "$logtarget rules require a server address; rule: \"$rule\""
natrule=Yes
;;
LOG)
@ -4084,7 +4135,7 @@ add_a_rule()
if [ -n "$natrule" ]; then
add_nat_rule
elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\""
fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\""
fi
if [ -z "$dnat_only" ]; then
@ -4139,7 +4190,7 @@ add_a_rule()
[ -n "$addr" ] && fatal_error \
"An ORIGINAL DESTINATION ($addr) is only allowed in" \
" a DNAT or REDIRECT: \"$rule\""
" a DNAT, SAME or REDIRECT: \"$rule\""
if [ $COMMAND != check ]; then
if [ -n "$loglevel" ]; then
@ -4289,7 +4340,7 @@ process_rule() # $1 = target
CONTINUE)
target=RETURN
;;
DNAT*)
DNAT*|SAME*)
target=ACCEPT
address=${address:=detect}
;;
@ -4322,8 +4373,13 @@ process_rule() # $1 = target
excludezones="${clientzone#*!}"
clientzone="${clientzone%!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
fatal_error "Exclude list only allowed with DNAT or REDIRECT"
case $logtarget in
DNAT|REDIRECT|SAME)
;;
*)
fatal_error "Exclude list only allowed with DNAT, SAME or REDIRECT"
;;
esac
fi
validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\""
@ -4386,7 +4442,7 @@ process_rule() # $1 = target
protocol=${protocol:=all}
case $logtarget in
DNAT*)
DNAT*|SAME)
if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
@ -4540,7 +4596,7 @@ process_rules()
}
do_it() {
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec
expandv xprotocol xports xcports xaddress xratelimit xuserspec
if [ "x$xclients" = xall ]; then
xclients="$zones $FW"
@ -4548,13 +4604,13 @@ process_rules()
xservers="$zones $FW"
fi
process_wildcard_rule
continue
return
fi
if [ "x$xservers" = xall ]; then
xservers="$zones $FW"
process_wildcard_rule
continue
return
fi
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
@ -4562,10 +4618,16 @@ process_rules()
}
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
expandv xtarget
expandv xtarget xclients xservers
if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
progress_message " Rule \"$rule\" ignored."
continue
fi
case "${xtarget%%:*}" in
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
do_it
;;
*)
@ -4971,7 +5033,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
[ -n "$chain" ] && { echo $chain; return; }
fatal_error "No appropriate chain for zone $1 to zone $2"
fatal_error "No policy defined for zone $1 to zone $2"
}
#
@ -5116,6 +5178,8 @@ setup_masq()
[ "x$addresses" = x- ] && addresses=
if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then
for address in $(separate_list $addresses); do
address=${address%:)}
@ -5262,17 +5326,35 @@ setup_masq()
target=MASQUERADE
if [ -n "$addresses" ]; then
for address in $(separate_list $addresses); do
case $address in
*.*.*.*)
target=SNAT
addrlist="$addrlist --to-source $address"
;;
*)
addrlist="$addrlist --to-ports ${address#:}"
;;
esac
done
case "$addresses" in
SAME:nodst:*)
target="SAME --nodst"
addresses=${addresses#SAME:nodst:}
for address in $(separate_list $addresses); do
addrlist="$addrlist --to $address";
done
;;
SAME:*)
target="SAME"
addresses=${addresses#SAME:}
for address in $(separate_list $addresses); do
addrlist="$addrlist --to $address";
done
;;
*)
for address in $(separate_list $addresses); do
case $address in
*.*.*.*)
target=SNAT
addrlist="$addrlist --to-source $address"
;;
*)
addrlist="$addrlist --to-ports ${address#:}"
;;
esac
done
;;
esac
fi
if [ -n "$networks" ]; then
@ -5621,6 +5703,7 @@ determine_capabilities() {
PHYSDEV_MATCH=
IPRANGE_MATCH=
RECENT_MATCH=
OWNER_MATCH=
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
@ -5630,6 +5713,7 @@ determine_capabilities() {
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
if [ -n "$PKTTYPE" ]; then
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
@ -5660,6 +5744,7 @@ report_capabilities() {
report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH
}
#
@ -5678,6 +5763,11 @@ initialize_netfilter () {
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
fi
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
@ -6290,6 +6380,20 @@ add_common_rules() {
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
done
fi
#
# UPnP
#
interfaces=$(find_interfaces_by_option upnp)
if [ -n "$interfaces" ]; then
echo "Setting up UPnP..."
createnatchain UPnP
for interface in $interfaces; do
run_iptables -t nat -A PREROUTING -i $interface -j UPnP
done
fi
setup_forwarding
}
@ -6767,6 +6871,7 @@ define_firewall() # $1 = Command (Start or Restart)
mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
run_user_exit started
}
#
@ -7482,12 +7587,6 @@ do_initialize() {
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi
#
# Strip the files that we use often
#
@ -7672,6 +7771,10 @@ case "$COMMAND" in
EMPTY=
$@
;;
capabilities)
do_initialize
report_capabilities
;;
*)
usage
;;

View File

@ -249,7 +249,7 @@ find_zones() # $1 = name of the zone file
[ -n "$zone" ] && case "$zone" in
\#*)
;;
$FW)
$FW|all|none)
echo " Warning: Reserved zone name \"$zone\" in zones file ignored" >&2
;;
*)

View File

@ -254,6 +254,8 @@ show)
shorewall show zones - displays the contents of all zones.
shorewall show capabilities - displays your kernel/iptables capabilities
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;

View File

@ -135,5 +135,7 @@
# /etc/shorewall/ipsec file then you do NOT
# need to specify the 'ipsec' option here.
#
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
#
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

View File

@ -4,3 +4,5 @@
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#

View File

@ -5,6 +5,7 @@ WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
# Note, set INITLOG to /dev/null if you do not want to
# keep logs of the firewall (not recommended)
INITLOG=/var/log/shorewall-init.log
OPTIONS="-f"
test -x $SRWL || exit 0
test -n $INITLOG || {
@ -83,7 +84,7 @@ wait_for_pppd () {
shorewall_start () {
echo -n "Starting \"Shorewall firewall\": "
wait_for_pppd
$SRWL -f start >> $INITLOG 2>&1 && echo "done." || echo_notdone
$SRWL $OPTIONS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}

View File

@ -55,6 +55,16 @@ usage() {
exit 1
}
################################################################################
# Get startup options (override default)
################################################################################
OPTIONS="-f"
if [ -f /etc/sysconfig/shorewall ]; then
. /etc/sysconfig/shorewall
elif [ -f /etc/default/shorewall ] ; then
. /etc/default/shorewall
fi
################################################################################
# E X E C U T I O N B E G I N S H E R E #
################################################################################
@ -64,7 +74,7 @@ case "$command" in
start)
exec /sbin/shorewall -f start
exec /sbin/shorewall $OPTIONS start
;;
stop|restart|status)

View File

@ -5,3 +5,5 @@
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=2.2.3
VERSION=2.2.4
usage() # $1 = exit status
{
@ -76,7 +76,7 @@ delete_file() # $1 = file to delete
install_file_with_backup() # $1 = source $2 = target $3 = mode
{
backup_file $2
run_install -o $OWNER -g $GROUP -m $3 $1 ${2}
run_install $OWNERSHIP -m $3 $1 ${2}
}
#
@ -133,11 +133,21 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
DEBIAN=
OWNERSHIP="-o $OWNER -g $GROUP"
if [ -n "$PREFIX" ]; then
install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}/sbin
install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}${DEST}
if [ `id -u` != 0 ] ; then
echo "Not setting file owner/group permissions, not running as root."
OWNERSHIP=""
fi
install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
DEBIAN=yes
elif [ -f /etc/slackware-version ] ; then
DEST="/etc/rc.d"
INIT="rc.firewall"
fi
#
@ -185,7 +195,7 @@ mkdir -p ${PREFIX}/var/lib/shorewall
if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
backup_file /etc/shorewall/shorewall.conf
else
run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
run_install $OWNERSHIP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
echo
echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
fi
@ -195,7 +205,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/zones ]; then
backup_file /etc/shorewall/zones
else
run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones
run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall/zones
echo
echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
fi
@ -232,7 +242,7 @@ delete_file icmp.def
if [ -f ${PREFIX}/etc/shorewall/policy ]; then
backup_file /etc/shorewall/policy
else
run_install -o $OWNER -g $GROUP -m 0600 policy ${PREFIX}/etc/shorewall/policy
run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall/policy
echo
echo "Policy file installed as ${PREFIX}/etc/shorewall/policy"
fi
@ -242,7 +252,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/interfaces ]; then
backup_file /etc/shorewall/interfaces
else
run_install -o $OWNER -g $GROUP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
echo
echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
fi
@ -252,7 +262,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/ipsec ]; then
backup_file /etc/shorewall/ipsec
else
run_install -o $OWNER -g $GROUP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
run_install $OWNERSHIP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
echo
echo "Ipsec file installed as ${PREFIX}/etc/shorewall/ipsec"
fi
@ -262,7 +272,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/hosts ]; then
backup_file /etc/shorewall/hosts
else
run_install -o $OWNER -g $GROUP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
echo
echo "Hosts file installed as ${PREFIX}/etc/shorewall/hosts"
fi
@ -272,7 +282,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/rules ]; then
backup_file /etc/shorewall/rules
else
run_install -o $OWNER -g $GROUP -m 0600 rules ${PREFIX}/etc/shorewall/rules
run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall/rules
echo
echo "Rules file installed as ${PREFIX}/etc/shorewall/rules"
fi
@ -282,7 +292,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/nat ]; then
backup_file /etc/shorewall/nat
else
run_install -o $OWNER -g $GROUP -m 0600 nat ${PREFIX}/etc/shorewall/nat
run_install $OWNERSHIP -m 0600 nat ${PREFIX}/etc/shorewall/nat
echo
echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
fi
@ -292,7 +302,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/netmap ]; then
backup_file /etc/shorewall/netmap
else
run_install -o $OWNER -g $GROUP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap
run_install $OWNERSHIP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap
echo
echo "NETMAP file installed as ${PREFIX}/etc/shorewall/netmap"
fi
@ -302,7 +312,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/params ]; then
backup_file /etc/shorewall/params
else
run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params
run_install $OWNERSHIP -m 0600 params ${PREFIX}/etc/shorewall/params
echo
echo "Parameter file installed as ${PREFIX}/etc/shorewall/params"
fi
@ -312,7 +322,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/proxyarp ]; then
backup_file /etc/shorewall/proxyarp
else
run_install -o $OWNER -g $GROUP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
run_install $OWNERSHIP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
echo
echo "Proxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp"
fi
@ -322,7 +332,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/routestopped ]; then
backup_file /etc/shorewall/routestopped
else
run_install -o $OWNER -g $GROUP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped
run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped
echo
echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
fi
@ -332,7 +342,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/maclist ]; then
backup_file /etc/shorewall/maclist
else
run_install -o $OWNER -g $GROUP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
echo
echo "MAC list file installed as ${PREFIX}/etc/shorewall/maclist"
fi
@ -342,7 +352,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/masq ]; then
backup_file /etc/shorewall/masq
else
run_install -o $OWNER -g $GROUP -m 0600 masq ${PREFIX}/etc/shorewall/masq
run_install $OWNERSHIP -m 0600 masq ${PREFIX}/etc/shorewall/masq
echo
echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
fi
@ -352,7 +362,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/modules ]; then
backup_file /etc/shorewall/modules
else
run_install -o $OWNER -g $GROUP -m 0600 modules ${PREFIX}/etc/shorewall/modules
run_install $OWNERSHIP -m 0600 modules ${PREFIX}/etc/shorewall/modules
echo
echo "Modules file installed as ${PREFIX}/etc/shorewall/modules"
fi
@ -362,7 +372,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/tcrules ]; then
backup_file /etc/shorewall/tcrules
else
run_install -o $OWNER -g $GROUP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
echo
echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
fi
@ -373,7 +383,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/tos ]; then
backup_file /etc/shorewall/tos
else
run_install -o $OWNER -g $GROUP -m 0600 tos ${PREFIX}/etc/shorewall/tos
run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall/tos
echo
echo "TOS file installed as ${PREFIX}/etc/shorewall/tos"
fi
@ -383,7 +393,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/tunnels ]; then
backup_file /etc/shorewall/tunnels
else
run_install -o $OWNER -g $GROUP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
echo
echo "Tunnels file installed as ${PREFIX}/etc/shorewall/tunnels"
fi
@ -393,7 +403,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/blacklist ]; then
backup_file /etc/shorewall/blacklist
else
run_install -o $OWNER -g $GROUP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
echo
echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
fi
@ -428,7 +438,7 @@ echo " Default config path file installed as ${PREFIX}/usr/share/shorewall/confi
if [ -f ${PREFIX}/etc/shorewall/init ]; then
backup_file /etc/shorewall/init
else
run_install -o $OWNER -g $GROUP -m 0600 init ${PREFIX}/etc/shorewall/init
run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall/init
echo
echo "Init file installed as ${PREFIX}/etc/shorewall/init"
fi
@ -438,7 +448,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/initdone ]; then
backup_file /etc/shorewall/initdone
else
run_install -o $OWNER -g $GROUP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone
run_install $OWNERSHIP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone
echo
echo "Initdone file installed as ${PREFIX}/etc/shorewall/initdone"
fi
@ -448,7 +458,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/start ]; then
backup_file /etc/shorewall/start
else
run_install -o $OWNER -g $GROUP -m 0600 start ${PREFIX}/etc/shorewall/start
run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall/start
echo
echo "Start file installed as ${PREFIX}/etc/shorewall/start"
fi
@ -458,7 +468,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/stop ]; then
backup_file /etc/shorewall/stop
else
run_install -o $OWNER -g $GROUP -m 0600 stop ${PREFIX}/etc/shorewall/stop
run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall/stop
echo
echo "Stop file installed as ${PREFIX}/etc/shorewall/stop"
fi
@ -468,7 +478,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/stopped ]; then
backup_file /etc/shorewall/stopped
else
run_install -o $OWNER -g $GROUP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
echo
echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
fi
@ -478,7 +488,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/ecn ]; then
backup_file /etc/shorewall/ecn
else
run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
run_install $OWNERSHIP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
echo
echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
fi
@ -488,7 +498,7 @@ fi
if [ -f ${PREFIX}/etc/shorewall/accounting ]; then
backup_file /etc/shorewall/accounting
else
run_install -o $OWNER -g $GROUP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
echo
echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
fi
@ -498,11 +508,21 @@ fi
if [ -f ${PREFIX}/etc/shorewall/continue ]; then
backup_file /etc/shorewall/continue
else
run_install -o $OWNER -g $GROUP -m 0600 continue ${PREFIX}/etc/shorewall/continue
run_install $OWNERSHIP -m 0600 continue ${PREFIX}/etc/shorewall/continue
echo
echo "Continue file installed as ${PREFIX}/etc/shorewall/continue"
fi
#
# Install the Started file
#
if [ -f ${PREFIX}/etc/shorewall/started ]; then
backup_file /etc/shorewall/started
else
run_install -o $OWNER -g $GROUP -m 0600 started ${PREFIX}/etc/shorewall/started
echo
echo "Started file installed as ${PREFIX}/etc/shorewall/started"
fi
#
# Install the Standard Actions file
#
install_file_with_backup actions.std ${PREFIX}/usr/share/shorewall/actions.std 0600
@ -515,7 +535,7 @@ echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
if [ -f ${PREFIX}/etc/shorewall/actions ]; then
backup_file /etc/shorewall/actions
else
run_install -o $OWNER -g $GROUP -m 0600 actions ${PREFIX}/etc/shorewall/actions
run_install $OWNERSHIP -m 0600 actions ${PREFIX}/etc/shorewall/actions
echo
echo "Actions file installed as ${PREFIX}/etc/shorewall/actions"
fi
@ -556,7 +576,7 @@ install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544
if [ -z "$PREFIX" -a -n "$first_install" ]; then
if [ -n "$DEBIAN" ]; then
run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
echo
echo "shorewall will start automatically at boot"

View File

@ -167,6 +167,8 @@
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
# upnp - Incoming requests from this interface may
# be remapped via UPNP (upnpd).
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE.
@ -199,6 +201,9 @@
# connections.
#
# net ppp0 -
#
# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
#
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
#

View File

@ -1,6 +1,11 @@
#
# Shorewall 2.2 - MAC list file
#
# This file is used to define the MAC addresses and optionally their
# associated IP addresses to be allowed to use the specified interface.
# The feature is enabled by using the maclist option in the interfaces
# or hosts configuration file.
#
# /etc/shorewall/maclist
#
# Columns are:
@ -18,6 +23,9 @@
# list of host and/or subnet addresses. If your kernel
# and iptables have iprange match support then IP
# address ranges are also allowed.
#
# For additional information, see http://shorewall.net/MAC_Validation.html
#
##############################################################################
#INTERFACE MAC IP ADDRESSES (Optional)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

View File

@ -86,6 +86,20 @@
# 192.0.2.4:5000-6000
# :4000-5000
#
# You can invoke the SAME target using the
# following in this column:
#
# SAME:[nodst:]<address-range>[,<address-range>...]
#
# The <address-ranges> may be single addresses.
#
# SAME works like SNAT with the exception that the
# same local IP address is assigned to each connection
# from a local address to a given remote address. If
# the 'nodst:' option is included, then the same source
# address is used for a given internal system regardless
# of which remote system is involved.
#
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.
@ -195,6 +209,8 @@
#
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
# For additional information, see http://shorewall.net/Documentation.htm#Masq
#
###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

View File

@ -7,6 +7,7 @@
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
#
# For additional information, see http://shorewall.net/Documentation.htm#modules
loadmodule ip_tables
loadmodule iptable_filter

View File

@ -38,6 +38,8 @@
#
# LOCAL If Yes or yes, NAT will be effective from the firewall
# system
#
# For additional information, see http://shorewall.net/NAT.htm
##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES

View File

@ -85,6 +85,7 @@
# #
# all all REJECT info
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL

View File

@ -39,6 +39,8 @@
#
# #ADDRESS INTERFACE EXTERNAL
# 155.186.235.6 eth1 eth0
#
# See http://shorewall.net/ProxyARP.htm for additional information.
##############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -1,4 +1,183 @@
Shorewall 2.2.3
Shorewall 2.2.4
-----------------------------------------------------------------------
Problems corrected in version 2.2.4
1) The error message:
Error: No appropriate chain for zone <z1> to zone <z2>
has been changed to one that is more self-explanatory:
Error: No policy defined for zone <z1> to zone <z2>
2) When only an interface name appeared in the HOST(S) column of an
/etc/shorewall/hosts file entry, a misleading iptables error message
resulted. Now the following message is generated:
Error: Invalid HOST(S) column contents: <column contents>
-----------------------------------------------------------------------
New Features in version 2.2.4
1) Support has been added for UPnP using linux-igd
(http://linux-idg.sourceforge.net). UPnP is required by a number of
popular applications including MSN IM.
WARNING: From a security architecture viewpoint, UPnP is a
disaster. It assumes that:
a) All local systems and their users are completely
trustworthy.
b) No local system is infected with any worm or trojan.
If either of these assumptions are not true then UPnP can
be used to totally defeat your firewall and to allow
incoming connections to arbitrary local systems on any port
whatsoever.
In short: USE UPnP AT YOUR OWN RISK.
WARNING: The linux-igd project appears to be inactive and the web
site does not display correctly on any open source browser
that I've tried.
Building and installing linux-igd is not for the faint of
heart. You must download the source from CVS and be
prepared to do quite a bit of fiddling with the include
files from libupnp (which is required to build and/or run
linux-igd).
linux-idg Configuration:
In /etc/upnpd.conf, you will want:
insert_forward_rules = yes
prerouting_chain_name = UPnP
forward_chain_name = forwardUPnP
Shorewall Configuration:
In /etc/shorewall/interfaces, you need the 'upnp' option
on your external interface.
If your fw->loc policy is not ACCEPT then you need this
rule:
allowoutUPnP fw loc
Note: To use 'allowoutUPnP', your iptables and kernel must
support the 'owner match' feature (see the output of
"shorewall check").
If your loc->fw policy is not ACCEPT then you need this
rule:
allowinUPnP loc fw
You MUST have this rule:
forwardUPnP net loc
You must also ensure that you have a route to 224.0.0.0/4 on your
internal (local) interface.
2) A new 'started' extension script has been added. The difference
between this extension script and /etc/shorewall/start is that this
one is invoked after delayed loading of the blacklist
(DELAYBLACKLISTLOAD=Yes) and after the 'shorewall' chain has been
created (thus signaling that the firewall is completely up.
/etc/shorewall/started should not change the firewall configuration
directly but may do so indirectly by running /sbin/shorewall with
the 'nolock' option.
3) By default, shorewall is started with the "-f" (fast) option when
your system boots. You can override that setting by setting the
OPTIONS variable in /etc/sysconfig/shorewall (SuSE/Redhat) or
/etc/default/shorewall (Debian/Bering). If neither file exists, feel
free to create one.
Example: If you want Shorewall to always use the config files even
if there is a saved configuration, then specify:
OPTIONS=""
4) Shorewall now has support for the SAME target. This change affects
the /etc/shorewall/masq and /etc/shorewall/rules file.
SAME is useful when you specify multiple target IP addresses (in the
ADDRESSES column of /etc/shorewall/masq or in the DEST column of
/etc/shorewall/rules).
If you use normal SNAT then multiple connections from a given local
host to hosts on the internet can be assigned different source IP
addresses. This confuses some applications that use multiple
connections. To correct this problem, prefix the list of address
ranges in the ADDRESS column with "SAME:"
Example: SAME:206.124.146.176-206.124.146.180
If you want each internal system to use the same IP address from the
list regardless of which internet host it is talking to then prefix
the rages with "SAME:nodst:".
Example: SAME:nodst:206.124.146.176-206.124.146.180
Note that it is not possible to map port numbers when using SAME.
In the rules file, when multiple connections from an internet host
match a SAME rule then all of the connections will be sent to the
same internal server. SAME rules are very similar to DNAT rules with
the keyword SAME replacing DNAT. As in the masq file, changing the
port number is not supported.
5) A "shorewall show capabilities" command has been added to report the
capabilities of your kernel and iptables.
Example:
gateway:~# shorewall show capabilities
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Not available
Policy Match: Available
Physdev Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
gateway:~#
6) A "-v" option has been added to /sbin/shorewall. Currently, this
option only affects the "show log" command (e.g., "shorewall -v show
log") and the "monitor" command. In these commands, it causes the
MAC address in the log message (if any) to be displayed. As
previously, when "-v" is omitted, the MAC address is suppressed.
7) In /etc/shorewall/rules, a value of 'none' in either the SOURCE or
DEST columns now causes the rule to be ignored. This is most useful
when used with shell variables:
Example:
/etc/shorewall/rules:
AllowFTP $FTP_CLIENTS fw
When FTP_CLIENTS is set to 'none', the above rule is ignored.
Otherwise, the rule is evaluated and generates Netfilter rules.
8) The installer now detects that it is running on a Slackware system
and adjusts the DEST and INIT variables accordingly.
-----------------------------------------------------------------------
Problems corrected in version 2.2.3

View File

@ -31,6 +31,10 @@
# eth2 192.168.1.0/24
# eth0 192.0.2.44
# br0 - routeback
#
# See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
##############################################################################
#INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -42,6 +42,16 @@
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# SAME -- Similar to DNAT except that the
# port may not be remapped and when
# multiple server addresses are
# listed, all requests from a given
# remote system go to the same
# server.
# SAME- -- Advanced users only.
# Like SAME but only generates the
# NAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# REDIRECT-
@ -102,11 +112,14 @@
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
# firewall itself, "all" or "none" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
@ -147,7 +160,10 @@
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all"
# itself, "all" or "none".
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add

View File

@ -58,6 +58,7 @@
# shorewall show {mangle|tos} Display the rules in the mangle table
# shorewall show tc Display traffic control info
# shorewall show classifiers Display classifiers
# shorewall show capabilities Display iptables/kernel capabilities
# shorewall version Display the installed version id
# shorewall check Verify the more heavily-used
# configuration files.
@ -353,11 +354,18 @@ packet_log() # $1 = number of messages
[ -n "$realtail" ] && options="-n$1"
grep "${LOGFORMAT}" $LOGFILE | \
sed s/" kernel:"// | \
sed s/" $host $LOGFORMAT"/" "/ | \
sed 's/MAC=.* SRC=/SRC=/' | \
tail $options
if [ -n "$VERBOSE" ]; then
grep "${LOGFORMAT}" $LOGFILE | \
sed s/" kernel:"// | \
sed s/" $host $LOGFORMAT"/" "/ | \
tail $options
else
grep "${LOGFORMAT}" $LOGFILE | \
sed s/" kernel:"// | \
sed s/" $host $LOGFORMAT"/" "/ | \
sed 's/MAC=.* SRC=/SRC=/' | \
tail $options
fi
}
#
@ -595,7 +603,7 @@ help()
#
usage() # $1 = exit status
{
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -x ] [ -q ] [ -f ] [ -v ] <command>"
echo "where <command> is one of:"
echo " add <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
echo " allow <address> ..."
@ -616,14 +624,13 @@ usage() # $1 = exit status
echo " restart [ <directory> ]"
echo " restore [ <file name> ]"
echo " save [ <file name> ]"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos|zones]"
echo " show [<chain> [ <chain> ... ]|capabilities|classifiers|connections|log|nat|tc|tos|zones]"
echo " start [ <directory> ]"
echo " stop"
echo " status"
echo " try <directory> [ <timeout> ]"
echo " version"
echo
echo "The -c and -f options may not be specified with a <directory> in the start, restart and check commands"
exit $1
}
@ -664,6 +671,7 @@ SHOREWALL_DIR=
QUIET=
IPT_OPTIONS="-nv"
FAST=
VERBOSE=
done=0
@ -705,6 +713,10 @@ while [ $done -eq 0 ]; do
FAST=Yes
option=${option#f}
;;
v*)
VERBOSE=Yes
option=${option#v}
;;
*)
usage 1
;;
@ -938,6 +950,9 @@ case "$1" in
exit 1
fi
;;
capabilities)
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock capabilities
;;
*)
shift

View File

@ -6,7 +6,7 @@
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
##############################################################################
# S T A R T U P E N A B L E D
##############################################################################
@ -399,9 +399,8 @@ RETAIN_ALIASES=No
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
# you must enable packet mangling above.
#
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities).
TC_ENABLED=No
#

View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 2.2.3
%define version 2.2.4
%define release 1
%define prefix /usr
@ -94,6 +94,7 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
%attr(0600,root,root) %config(noreplace) /etc/shorewall/continue
%attr(0600,root,root) %config(noreplace) /etc/shorewall/started
%attr(0544,root,root) /sbin/shorewall
@ -138,6 +139,10 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
%changelog
* Mon Apr 11 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.4-1
* Fri Apr 08 2005 Tom Eastep tom@shorewall.net
- Added /etc/shorewall/started
* Tue Apr 05 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.3-1
* Mon Mar 07 2005 Tom Eastep tom@shorewall.net

View File

@ -4,3 +4,5 @@
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

View File

@ -4,3 +4,5 @@
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

View File

@ -4,3 +4,5 @@
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

View File

@ -147,6 +147,8 @@
# testing
# :C Designates a connection mark. If omitted,
# the packet mark's value is tested.
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)

View File

@ -108,6 +108,10 @@
#
# generic:udp:4444 net 4.3.99.124
#
#
# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
#
# TYPE ZONE GATEWAY GATEWAY
# ZONE
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=2.2.3
VERSION=2.2.4
usage() # $1 = exit status
{

View File

@ -4,6 +4,8 @@
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# The names "all" and "none" are reserved and may not be
# used as zone names.
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-04-17</pubdate>
<pubdate>2005-04-29</pubdate>
<copyright>
<year>2001-2005</year>
@ -2565,28 +2565,6 @@ eth0 eth1 206.124.146.176</programlisting>
place <quote>Yes</quote> in the HAVEROUTE column.</para>
</tip></para>
</example>
<warning>
<para>Do not use Proxy ARP and FreeS/Wan on the same system unless you
are prepared to suffer the consequences. If you start or restart
Shorewall with an IPSEC tunnel active, the proxied IP addresses are
mistakenly assigned to the IPSEC tunnel device (ipsecX) rather than to
the interface that you specify in the INTERFACE column of
<filename>/etc/shorewall/proxyarp</filename>. I haven't had the time to
debug this problem so I can't say if it is a bug in the Kernel or in
FreeS/Wan.</para>
<para>You <emphasis role="bold">might</emphasis> be able to work around
this problem using the following (I haven't tried it):</para>
<para>In <filename>/etc/shorewall/init</filename>, include:</para>
<programlisting><command>qt /etc/init.d/ipsec stop</command></programlisting>
<para>In <filename>/etc/shorewall/start</filename>, include:</para>
<programlisting><command>qt /etc/init.d/ipsec start</command></programlisting>
</warning>
</section>
<section id="NAT" xreflabel="/etc/shorewall/nat">
@ -2698,7 +2676,7 @@ eth0 eth1 206.124.146.176</programlisting>
6to4 and other tunnels with end-points on your firewall.</para>
<para>For an overview of Shorewall's VPN support, try <ulink
url="VPNBasics.html">this article</ulink>. </para>
url="VPNBasics.html">this article</ulink>.</para>
<para>Instructions for setting up <ulink url="IPSEC.htm">IPSEC
tunnels</ulink> may be found here (if you are using kernel 2.6 with native

View File

@ -17,7 +17,7 @@
</author>
</authorgroup>
<pubdate>2005-04-08</pubdate>
<pubdate>2005-04-24</pubdate>
<copyright>
<year>2001-2005</year>
@ -278,6 +278,23 @@ DNAT loc dmz:192.168.2.4 tcp 80 - 206
# PORT DEST.
DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP</programlisting>
</section>
<section id="faq1e">
<title>(FAQ 1e) In order to discourage brute force attacks I would
like to redirect all connections on a non-standard port (4104) to port
22 on the router/firewall. I notice that setting up a REDIRECT rule
causes the firewall to open both ports 4104 and 22 to connections from
the net. Is it possible to only redirect 4104 to the localhost port 22
and have connection attempts to port 22 from the net dropped?</title>
<para><emphasis role="bold">Answer </emphasis>courtesy of Ryan: Assume
that the IP address of your local firewall interface is 192.168.1.1.
If you add the following rule then from the net, you will have 4104
listening, from your LAN, port 22.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT net fw:192.168.1.1:22 tcp 4104</programlisting>
</section>
</section>
<section id="faq30">

View File

@ -15,10 +15,10 @@
</author>
</authorgroup>
<pubdate>2004-12-23</pubdate>
<pubdate>2005-05-29</pubdate>
<copyright>
<year>2001-2004</year>
<year>2001-2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -55,7 +55,7 @@
</section>
<section>
<title>Configuring FreeS/Wan</title>
<title>Configuring FreeS/Wan and Derivatives Such as OpenS/Wan</title>
<para>There is an excellent guide to configuring IPSEC tunnels at <ulink
url="http://jixen.tripod.com/">http://jixen.tripod.com/</ulink>. I highly