diff --git a/STABLE2/changelog.txt b/STABLE2/changelog.txt
index f168513dd..666c63b2d 100644
--- a/STABLE2/changelog.txt
+++ b/STABLE2/changelog.txt
@@ -1,74 +1,40 @@ -Changes since 1.4.10 +Changes since 2.0.0 -1) Remove 'unclean' support. +1) Eliminate Warning about Policy as rule when using actions. -2) Remove NAT_BEFORE_RULES. +2) Add bridging Code. -3) Remove HAVEROUTE column from ProxyARP. +3) Cleanup Warning elimination. -4) Change default for ALL INTERFACES in /etc/shorewall/nat. +4) Add 'nobogons' -5) Rename the product to Shorewall2. +5) Add 'netmap' -6) Remove common chain. +6) Fix another _frwd problem. -7) Add default action mechanism. +7) Add -x option to /sbin/shorewall. -8) Add USER/GROUP column to /etc/shorewall2/action.template. +8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC. -9) Get installer/uninstaller to work. +9) Improve zone-definition checking. -10) Restore HAVEROUTE and add PERSISTENT column to the proxy arp file. +10) Add additional options to hosts file -11) Install correct init script on Debian. +11) Replace 'subnet' with 'network' in the code -12) Get the attention of 'logunclean' and 'dropunclean' users. +12) Fix item 10 above :-( -13) Replace all instances of `...` with $(...) for readability. +13) Replace good code with crap to satisfy 'ash'. -14) Add action.AllowSNMP +14) Fix if_match to only do wild-card matches on patterns ending in + "+". -15) Move some code from firewall to functions +15) Tighten edits on bridge port names. -16) Removed the DropBcast and DropNonSyn actions and replaced them with - builtin actions dropBcast and dropNonSyn. +16) Make 'routeback' on interfaces work again. -17) Make "trace" a synonym for "debug" +17) Reduce useless intra-zone rules on bridges. -18) Add the ":noah" option to IPSEC tunnels. +18) Make 'routeback' on hosts work again. -19) Added a comment to the rules file to aid users who are terminally stupid. - -20) Only create the action chains that are actually used. - -21) Move actions.std and action.* files to /usr/share/shorewall. - -22) Added DISABLE_IPV6 option. - -23) Allow rate limiting on CONTINUE and REJECT. 
- -24) Move rfc1918 to /usr/share/shorewall - -25) Make detectnets and routeback play nice together. - -26) Avoid superfluous --state NEW tests. - -27) Allow backrouting of 'routestopped' devices. - -28) Fix the help file. - -29) Correct handling of !z1,z2,... in a DNAT/REDIRECT rule. - -30) Remove fw->fw policy. - -31) Issue clearer message if ip6tables not installed. - -32) Make 'CONTINUE' rules work again. - -33) Correct a comment in the rules file. Update for 2.0.0 final release. - -34) Eliminate Warning about Policy as rule when using actions. - -35) Implement Sean Mathews's fix for Proxy ARP/IPSEC. - -36) Fix default value of ALL INTERFACES in /etc/shorewall/nat. +19) Fix display of ICMP packets. diff --git a/STABLE2/fallback.sh b/STABLE2/fallback.sh index 6aa8f8bb4..d3a8ab1e7 100755 --- a/STABLE2/fallback.sh +++ b/STABLE2/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=2.0.0b +VERSION=2.0.1 usage() # $1 = exit status { @@ -91,6 +91,8 @@ restore_file /etc/shorewall/rules restore_file /etc/shorewall/nat +restore_file /etc/shorewall/netmap + restore_file /etc/shorewall/params restore_file /etc/shorewall/proxyarp @@ -116,6 +118,8 @@ restore_file /etc/shorewall/whitelist restore_file /etc/shorewall/rfc1918 restore_file /usr/share/shorewall/rfc1918 +restore_file /usr/share/shorewall/bogons + restore_file /etc/shorewall/init restore_file /etc/shorewall/start diff --git a/STABLE2/firewall b/STABLE2/firewall index a76cdb105..ebaea2e66 100755 --- a/STABLE2/firewall +++ b/STABLE2/firewall @@ -99,6 +99,8 @@ report () { # $* = message # run_iptables() { + [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev + if ! iptables $@ ; then [ -z "$stopping" ] && { stop_firewall; exit 2; } fi 
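Review bot: The added `[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev` line makes run_iptables() the consumer of a marker file that physdev_echo() creates later in this diff, and nothing at this site says so. A comment such as `# Reset the once-per-rule '-m physdev' marker left by physdev_echo(); the $(...) substitutions in our arguments have already been expanded by the time we run` would explain why the removal comes before the iptables call rather than after it. `$TMP_DIR/physdev` is unquoted in both places; `"$TMP_DIR/physdev"` costs nothing. The pre-existing `iptables $@` on the next line is outside the scope of this change.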
@@ -423,6 +425,100 @@ first_chains() #$1 = interface echo ${c}_fwd ${c}_in } +# +# Horrible hack to work around an iptables bug +# +physdev_echo() +{ + if [ -f $TMP_DIR/physdev ]; then + echo $@ + else + echo -m physdev $@ + > $TMP_DIR/physdev + fi +} + +# +# We allow hosts to be specified by IP address or by physdev. These two functions +# are used to produce the proper match in a netfilter rule. +# +match_source_hosts() +{ + if [ -n "$BRIDGING" ]; then + case $1 in + *:*) + physdev_echo "--physdev-in ${1%:*} -s ${1#*:}" + ;; + *.*.*.*) + echo -s $1 + ;; + *) + physdev_echo "--physdev-in $1" + ;; + esac + else + echo -s $1 + fi +} + +match_dest_hosts() +{ + if [ -n "$BRIDGING" ]; then + case $1 in + *:*) + physdev_echo "--physdev-out ${1%:*} -d ${1#*:}" + ;; + *.*.*.*) + echo -d $1 + ;; + *) + physdev_echo "--physdev-out $1" + ;; + esac + else + echo -d $1 + fi +} +# +# Similarly, the source or destination in a rule can be qualified by a device name. If +# the device is defined in /etc/shorewall/interfaces then a normal interface match is +# generated (-i or -o); otherwise, a physdev match is generated. +#------------------------------------------------------------------------------------- +# +# loosely match the passed interface with those in /etc/shorewall/interfaces. +# +known_interface() # $1 = interface name +{ + local iface + + for iface in $all_interfaces ; do + if if_match $iface $1 ; then + return 0 + fi + done + + return 1 +} + +match_source_dev() +{ + if [ -n "$BRIDGING" ]; then + known_interface $1 && echo -i $1 || physdev_echo "--physdev-in $1" + else + echo -i $1 + fi +} + +match_dest_dev() +{ + if [ -n "$BRIDGING" ]; then + known_interface $1 && echo -o $1 || physdev_echo "--physdev-out $1" + else + echo -o $1 + fi +} + +# # # Find hosts in a given zone # 
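Review bot: match_source_dev and match_dest_dev use the `known_interface $1 && echo -i $1 || physdev_echo "--physdev-in $1"` form, which reads as if/else but is an AND-OR list; an explicit `if known_interface $1; then echo -i $1; else physdev_echo "--physdev-in $1"; fi` matches the style of match_source_hosts just above and removes the doubt. In physdev_echo the contract is described only as a "Horrible hack"; a comment stating that `-m physdev` is emitted once per generated rule, that `> $TMP_DIR/physdev` records that it has been emitted, and that run_iptables() (and the addnatjump/addrulejump changes later in this diff) clear the marker would let a reader see the whole protocol in one place. Note also that the `*.*.*.*` arm in match_source_hosts/match_dest_hosts treats any token with three dots as an address, so a bridge port name containing dots could never reach the physdev branch; if port names are restricted elsewhere, a comment here would help.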
@@ -436,7 +532,7 @@ find_hosts() # $1 = host zone while read z hosts options; do if [ "x$(expand $z)" = "x$1" ]; then expandv hosts - interface=${hosts%:*} + interface=${hosts%%:*} addresses=${hosts#*:} for address in $(separate_list $addresses); do echo $interface:$address @@ -459,6 +555,18 @@ determine_interfaces() { done } +# +# Determine if an interface has a given option +# +interface_has_option() # $1 = interface, #2 = option +{ + local options + + eval options=\$$(chain_base $1)_options + + list_search $2 $options +} + # # Determine the defined hosts in each zone and generate report # @@ -471,22 +579,21 @@ determine_hosts() { eval interfaces=\$${zone}_interfaces for interface in $interfaces; do - eval options=\$$(chain_base $interface)_options - if list_search detectnets $options; then - subnets=$(get_routed_subnets $interface) + if interface_has_option $interface detectnets; then + networks=$(get_routed_networks $interface) else - subnets=0.0.0.0/0 + networks=0.0.0.0/0 fi - for subnet in $subnets; do + for networks in $networks; do if [ -z "$hosts" ]; then - hosts=$interface:$subnet + hosts=$interface:$networks else - hosts="$hosts $interface:$subnet" + hosts="$hosts $interface:$networks" fi - if list_search routeback $options; then - eval ${zone}_routeback=\"$interface:$subnet \$${zone}_routeback\" + if interface_has_option $interface routeback; then + eval ${zone}_routeback=\"$interface:$networks \$${zone}_routeback\" fi done done @@ -496,6 +603,10 @@ determine_hosts() { for host in $hosts; do interface=${host%:*} if list_search $interface $interfaces; then + list_search $interface:0.0.0.0/0 $hosts && \ + startup_error "Invalid zone definition for zone $zone" + list_search $interface:0/0 $hosts && \ + startup_error "Invalid zone definition for zone $zone" eval ${zone}_is_complex=Yes else if [ -z "$interfaces" ]; then 
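Review bot: In determine_hosts the rewritten loop `for networks in $networks; do` uses the list variable as its own loop variable; the word list is expanded before the loop starts so iteration is unaffected, but on exit `networks` holds only the last element, and inside the body `$interface:$networks` reads like a list where a single network is meant. The original was `for subnet in $subnets`, so the rename should be `for network in $networks; do` with `hosts=$interface:$network`, `hosts="$hosts $interface:$network"` and the `${zone}_routeback` eval changed to match. Whether anything in determine_hosts reads `$networks` after the loop is not visible in this hunk. The new interface_has_option helper and the `${hosts%%:*}` fix in find_hosts are straightforward improvements.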
@@ -525,6 +636,13 @@ validate_zone() # $1 = zone { list_search $1 $zones $FW } +# +# Ensure that the passed zone is defined in the zones file. +# +validate_zone1() # $1 = zone +{ + list_search $1 $zones +} # # Validate the zone names and options in the interfaces file @@ -532,11 +650,11 @@ validate_zone() # $1 = zone validate_interfaces_file() { local wildcard local found_obsolete_option= - local z interface subnet options r iface option + local z interface networks options r iface option - while read z interface subnet options; do - expandv z interface subnet options - r="$z $interface $subnet $options" + while read z interface networks options; do + expandv z interface networks options + r="$z $interface $networks $options" [ "x$z" = "x-" ] && z= @@ -550,10 +668,10 @@ validate_interfaces_file() { wildcard= case $interface in - *:*) + *:*|+) startup_error "Invalid Interface Name: $interface" ;; - *+*) + *+) wildcard=Yes ;; esac @@ -562,13 +680,13 @@ validate_interfaces_file() { options=$(separate_list $options) iface=$(chain_base $interface) - eval ${iface}_broadcast="$subnet" + eval ${iface}_broadcast="$networks" eval ${iface}_zone="$z" eval ${iface}_options=\"$options\" for option in $options; do case $option in - dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|nosmurfs|-) + dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|nosmurfs|-) ;; dropunclean|logunclean) if [ -z "$found_obsolete_option" ]; then 
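Review bot: `eval ${iface}_broadcast="$networks"` and `eval ${iface}_zone="$z"` in validate_interfaces_file hand the interfaces-file columns to eval without the escaped inner quotes that the adjacent `eval ${iface}_options=\"$options\"` uses, so a value containing whitespace or shell metacharacters is re-parsed as shell text rather than assigned. The interfaces file is administrator-controlled, but the inconsistency is easy to close: `eval ${iface}_broadcast=\"$networks\"` and `eval ${iface}_zone=\"$z\"`. The `*:*|+)` / `*+)` rewrite of the name patterns is a clear improvement; a one-line comment such as `# a name of just "+" is invalid; a trailing "+" marks a wildcard` would record the intent (changelog item 14). validate_interfaces_file continues beyond the last hunk here.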
@@ -605,27 +723,51 @@ validate_interfaces_file() { # Validate the zone names and options in the hosts file # validate_hosts_file() { - local z hosts options r interface host option + local z hosts options r interface host option port ports while read z hosts options; do expandv z hosts options r="$z $hosts $options" - validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" + validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\"" - interface=${hosts%:*} + interface=${hosts%%:*} + iface=$(chain_base $interface) list_search $interface $all_interfaces || \ startup_error "Unknown interface ($interface) in record \"$r\"" hosts=${hosts#*:} + eval ports=\$${iface}_ports + eval zports=\$${z}_ports + for host in $(separate_list $hosts); do - for option in $(separate_list $options); do + + [ -n "$BRIDGING" ] && case $host in + *:*) + known_interface ${host%:*} && \ + startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" + port=${host%%:*} + list_search $port $ports || ports="$ports $port" + list_search ${interface}:${port} $zports || zports="$zports ${interface}:${port}" + ;; + *.*.*.*) + ;; + *) + known_interface $host && \ + startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" + list_search $host $ports || ports="$ports $host" + list_search ${interface}:${host} $zports || zports="$zports ${interface}:${host}" + ;; + esac + + for option in $(separate_list $options) ; do case $option in - maclist|-) + maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|-) ;; routeback) - eval ${z}_routeback=\"$interface:$host \$${z}_routeback\" + [ -z "$ports" ] && \ + eval ${z}_routeback=\"$interface:$host \$${z}_routeback\" ;; *) error_message "Warning: Invalid option ($option) in record \"$r\"" @@ -633,6 +775,12 @@ validate_hosts_file() { esac done done + + if [ -n "$ports" ]; then + eval ${iface}_ports=\"$ports\" + eval ${z}_ports=\"$zports\" + fi + done < $TMP_DIR/hosts } 
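Review bot: validate_hosts_file now assigns `iface` and `zports`, but the `local` line was only extended with `port ports`, so those two leak as globals from a function that other code in this diff calls; extend it to `local z hosts options r interface host option port ports iface zports`. `[ -n "$BRIDGING" ] && case $host in … esac` is valid but unusual, and the two arms that raise `startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"` repeat the same check on `${host%:*}` and `$host`; wrapping the case in `if [ -n "$BRIDGING" ]; then … fi` would read like the surrounding code. The `[ -z "$ports" ] && eval ${z}_routeback=…` change silently drops routeback for host groups on a bridge; a comment giving the reason (presumably that intra-bridge traffic is handled through the port count in activate_rules) would help the next reader.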
@@ -838,7 +986,7 @@ find_hosts_by_option() # $1 = option expandv options if list_search $1 $(separate_list $options); then expandv hosts - interface=${hosts%:*} + interface=${hosts%%:*} addresses=${hosts#*:} for address in $(separate_list $addresses); do echo $interface:$address @@ -847,8 +995,7 @@ find_hosts_by_option() # $1 = option done < $TMP_DIR/hosts for interface in $all_interfaces; do - eval options=\$$(chain_base $interface)_options - list_search $1 $options && \ + interface_has_option $interface $1 && \ echo ${interface}:0.0.0.0/0 done } @@ -984,7 +1131,7 @@ disable_ipv6() { ip6tables -P INPUT DROP ip6tables -P OUTPUT DROP else - error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system has no ip6tables" + error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables" fi } 
@@ -1049,23 +1196,46 @@ stop_firewall() { strip_file routestopped - while read interface host; do - expandv interface host + while read interface host options; do + expandv interface host options [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 for h in $(separate_list $host); do hosts="$hosts $interface:$h" done + + routeback= + + if [ -n $options ]; then + for option in $(separate_list $options); do + case $option in + routeback) + if [ -n "$routeback" ]; then + error_message "Warning: Duplicate option ignored: routeback" + else + routeback=Yes + for h in $(separate_list $host); do + iptables -A FORWARD -i $interface -s $h -o $interface -d $h -j ACCEPT + done + fi + ;; + *) + error_message "Warning: Unknown option ignored: $option" + ;; + esac + done + fi + done < $TMP_DIR/routestopped for host in $hosts; do interface=${host%:*} - subnet=${host#*:} - iptables -A INPUT -i $interface -s $subnet -j ACCEPT + networks=${host#*:} + iptables -A INPUT -i $interface -s $networks -j ACCEPT [ -z "$ADMINISABSENTMINDED" ] && \ - iptables -A OUTPUT -o $interface -d $subnet -j ACCEPT + iptables -A OUTPUT -o $interface -d $networks -j ACCEPT for host1 in $hosts; do - iptables -A FORWARD -i $interface -s $subnet -o ${host1%:*} -d ${host1#*:} -j ACCEPT + [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -s $networks -o ${host1%:*} -d ${host1#*:} -j ACCEPT done done @@ -1077,6 +1247,10 @@ stop_firewall() { iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT [ -z "$ADMINISABSENTMINDED" ] && \ iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT + # + # This might be a bridge + # + iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT done setup_forwarding @@ -1415,7 +1589,7 @@ setup_mac_lists() { maclist_interfaces= for hosts in $maclist_hosts; do - interface=${hosts%:*} + interface=${hosts%%:*} if ! list_search $interface $maclist_interfaces; then\ if [ -z "$maclist_interfaces" ]; then maclist_interfaces=$interface 
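Review bot: `if [ -n $options ]; then` in stop_firewall is unquoted, so when a routestopped entry has no third column the test degenerates to the one-argument form `[ -n ]`, which is true; the branch is harmless only because the following loop over an empty list does nothing. Write `if [ -n "$options" ]; then`, or drop the `if` since the `for` already handles the empty case. The new routeback handling issues `iptables -A FORWARD -i $interface -s $h -o $interface -d $h -j ACCEPT` per host, and the later pairwise loop now skips the `$host = $host1` pair, so the two cases are complementary; a comment such as `# same-host pairs are only accepted via the routeback option above` at the `[ "$host" != "$host1" ] &&` line would tie them together. Whether `options` and `routeback` are declared local in stop_firewall is not visible in this hunk.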
@@ -1447,6 +1621,17 @@ setup_mac_lists() { while read interface mac addresses; do expandv interface mac addresses + physdev_part= + + if [ -n "$BRIDGING" ]; then + case $interface in + *:*) + physdev_part="-m physdev --physdev-in ${interface#*:}" + interface=${interface%:*} + ;; + esac + fi + chain=$(mac_chain $interface) if ! havechain $chain ; then @@ -1456,10 +1641,10 @@ setup_mac_lists() { macpart=$(mac_match $mac) if [ -z "$addresses" ]; then - run_iptables -A $chain $macpart -j RETURN + run_iptables -A $chain $macpart $physdev_part -j RETURN else for address in $(separate_list $addresses) ; do - run_iptables2 -A $chain $macpart -s $address -j RETURN + run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN done fi done < $TMP_DIR/maclist @@ -1494,10 +1679,10 @@ setup_mac_lists() { # Generate jumps from the input and forward chains # for hosts in $maclist_hosts; do - interface=${hosts%:*} + interface=${hosts%%:*} hosts=${hosts#*:} for chain in $(first_chains $interface) ; do - run_iptables -A $chain -s $hosts -m state --state NEW \ + run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \ -j $(mac_chain $interface) done done @@ -1585,7 +1770,7 @@ setup_nat() { run_iptables2 -t nat -A OUTPUT -d $external \ -j DNAT --to-destination $internal fi - elif [ -z "$allints" -o "$allints" = "No" -o "$allints" = "no" ]; then + elif [ -z "$allints" -o "$allints" = "No" -o "$allints" = "no" ]; then addnatrule $(input_chain $iface) \ -d $external -j DNAT --to-destination $internal addnatrule $(output_chain $iface) \ 
@@ -1621,6 +1806,34 @@ delete_nat() { [ -d ${STATEDIR} ] && touch ${STATEDIR}/nat } +# +# Setup Network Mapping (NETMAP) +# +setup_netmap() { + + while read type net1 interface net2 ; do + expandv type net1 interface net2 + + list_search $interface $all_interfaces || \ + fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\"" + + case $type in + DNAT) + addnatrule $(input_chain $interface) -d $net1 -j NETMAP --to $net2 + ;; + SNAT) + addnatrule $(output_chain $interface) -s $net1 -j NETMAP --to $net2 + ;; + *) + fatal_error "Invalid type $type in entry \"$type $net1 $interface $net2\"" + ;; + esac + + echo " Network $net1 on $interface mapped to $net2 ($type)" + + done < $TMP_DIR/netmap +} + # # Setup ECN disabling rules # @@ -1692,11 +1905,11 @@ process_tc_rule() chain=tcout ;; *) - if ! list_search $source $all_interfaces; then + if [ -z "$BRIDGING" ] && ! list_search $source $all_interfaces; then fatal_error "Unknown interface $source in rule \"$rule\"" fi - r="-i $source " + r="$(match_source_dev) $source " ;; esac fi @@ -1852,7 +2065,7 @@ process_accounting_rule() { case $source in *:*) - rule="-s ${source#*:} -i ${source%:*}" + rule="-s ${source#*:} $(match_source_dev ${source%:*})" ;; *.*.*.*) rule="-s $source" @@ -1860,13 +2073,13 @@ process_accounting_rule() { -|all|any) ;; *) - [ -n "$source" ] && rule="-i $source" + [ -n "$source" ] && rule="$(match_source_dev $source)" ;; esac [ -n "$dest" ] && case $dest in *:*) - rule="$rule -d ${dest#*:} -o ${dest%:*}" + rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})" ;; *.*.*.*) rule="$rule -d $dest" @@ -1874,7 +2087,7 @@ process_accounting_rule() { -|all|any) ;; *) - rule="$rule -o $dest" + rule="$rule $(match_dest_dev $dest)" ;; esac @@ -1959,7 +2172,6 @@ setup_accounting() # $1 = Name of accounting file } - # # Check the configuration # 
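Review bot: In process_tc_rule the new line `r="$(match_source_dev) $source "` calls match_source_dev without its argument, unlike every other call site in this diff (`$(match_source_dev $source)`); with BRIDGING unset it happens to yield `-i` followed by `$source`, but in the bridging path known_interface is asked about an empty name and the physdev branch emits `--physdev-in` with no port. It should be `r="$(match_source_dev $source) "`. The `[ -z "$BRIDGING" ] &&` guard also means an interface name that is not in the interfaces file is accepted in a tc rule without any check when bridging is on; that is consistent with how match_source_dev decides elsewhere, but worth a comment. In setup_netmap only `$interface` is validated and `$net1`/`$net2` are passed to addnatrule as given, which matches the existing handling of the masq file.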
@@ -2113,7 +2325,7 @@ add_an_action() -) ;; *:*) - cli="-i ${client%:*} -s ${client#*:}" + cli="$(match_source_dev ${client%:*}) -s ${client#*:}" ;; *.*.*) cli="-s $client" @@ -2122,7 +2334,7 @@ add_an_action() cli=$(mac_match $client) ;; *) - [ -n "$client" ] && cli="-i $client" + [ -n "$client" ] && cli="$(match_source_dev $client)" ;; esac @@ -2141,7 +2353,7 @@ add_an_action() fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" ;; *) - [ -n "$server" ] && dest_interface="-o $server" + [ -n "$server" ] && dest_interface="$(match_dest_dev $server)" ;; esac @@ -2321,7 +2533,7 @@ process_action() # $1 = action for client in $(separate_list ${clients:=-}); do for server in $(separate_list ${servers:=-}); do # - # add_a_rule() modifies these so we must set their values each time + # add_an_action() modifies these so we must set their values each time # port=${ports:=-} cport=${cports:=-} @@ -2673,7 +2885,7 @@ add_nat_rule() { for z in $(separate_list $excludezones); do eval hosts=\$${z}_hosts for host in $hosts; do - addnatrule $chain -s ${host#*:} -j RETURN + addnatrule $chain $(match_source_hosts ${host#*:}) -j RETURN done done @@ -2723,7 +2935,7 @@ add_nat_rule() { error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\"" [ $COMMAND = check ] || addnatrule $(snat_chain $dest) \ - -s ${source_host#*:} $proto $sports $multiport \ + $(match_source_hosts ${source_host#*:}) $proto $sports $multiport \ -d $serv $dports -j SNAT --to-source $snat done fi @@ -2784,7 +2996,7 @@ add_a_rule() -) ;; *:*) - cli="-i ${client%:*} -s ${client#*:}" + cli="$(match_source_dev ${client%:*}) -s ${client#*:}" ;; *.*.*) cli="-s $client" @@ -2793,7 +3005,7 @@ add_a_rule() cli=$(mac_match $client) ;; *) - [ -n "$client" ] && cli="-i $client" + [ -n "$client" ] && cli="$(match_source_dev $client)" ;; esac 
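Review bot: The exclusion rule `addnatrule $chain $(match_source_hosts ${host#*:}) -j RETURN` and the SNAT rule in add_nat_rule now place the output of match_source_hosts into nat-table chains, so with BRIDGING set and a host given by bridge port they carry `-m physdev --physdev-in` and create the physdev marker file. The marker is cleared by run_iptables and by the addnatjump/addrulejump changes later in this diff, but addnatrule is not visible here; if it invokes iptables directly, a stale `$TMP_DIR/physdev` would make the next bridged rule omit `-m physdev`. A comment at the exclusion line naming which path clears the marker would settle this for the reader. The `add_a_rule()` → `add_an_action()` comment fix in process_action is correct.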
@@ -2812,7 +3024,7 @@ add_a_rule() fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" ;; *) - [ -n "$server" ] && dest_interface="-o $server" + [ -n "$server" ] && dest_interface="$(match_dest_dev $server)" ;; esac @@ -2855,10 +3067,14 @@ add_a_rule() # Some misc. setup case "$logtarget" in - REJECT) - [ -n "$servport" ] && \ - fatal_error "Server port may not be specified in a REJECT rule;"\ - "rule: \"$rule\"" + ACCEPT|DROP|REJECT|CONTINUE) + + [ "$logtarget" = REJECT -a -n "$servport" ] && \ + fatal_error "Server port may not be specified in a REJECT rule; rule: \"$rule\"" + if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then + error_message "Warning -- Rule \"$rule\" is a POLICY" + error_message " -- and should be moved to the policy file" + fi ;; REDIRECT) [ -n "$serv" ] && startup_error "REDIRECT rules cannot"\ @@ -2876,17 +3092,6 @@ add_a_rule() ;; esac - # Complain if the rule is really a policy - - case $logtarget in - ACCEPT|DROP|REJECT) - if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then - error_message "Warning -- Rule \"$rule\" is a POLICY" - error_message " -- and should be moved to the policy file" - fi - ;; - esac - if [ -n "${serv}${servport}" ]; then if [ $COMMAND != check ]; then @@ -3360,7 +3565,7 @@ process_tos_rule() { [ -n "$src" ] && case "$src" in *.*.*) # - # IP Address or subnet + # IP Address or networks # src="-s $src" ;; @@ -3371,7 +3576,7 @@ process_tos_rule() { # # Assume that this is a device name # - src="-i $src" + src="$(match_source_dev $src)" ;; esac @@ -3403,7 +3608,7 @@ process_tos_rule() { [ -n "$dst" ] && case "$dst" in *.*.*) # - # IP Address or subnet + # IP Address or networks # ;; *) 
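Review bot: The mechanical `subnet` → `networks` rename in process_tos_rule turned the comments into `# IP Address or networks` (both arms); each describes a single address or network, so `# IP address or network` is what the code supports. The same rename produced `# Both alias name and networks`, `# Alias name OR networks` and `# It's a networks` in the setup_masq hunk that follows, and `# from an existing address in the same networks` in the add_ip_aliases hunk; all should be singular `network`. The merged `ACCEPT|DROP|REJECT|CONTINUE)` arm in add_a_rule is a real improvement (CONTINUE was not previously warned about as a policy); the five-way `-a` chain in `[ -z "$proto" -a -z "$cli" … ]` is pre-existing style carried over, not a new issue.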
@@ -3725,9 +3930,9 @@ rules_chain() # $1 = source zone, $2 = destination zone } # -# echo the list of subnets routed out of a given interface +# echo the list of networks routed out of a given interface # -get_routed_subnets() # $1 = interface name +get_routed_networks() # $1 = interface name { local address local rest @@ -3753,15 +3958,15 @@ setup_masq() case $fullinterface in *:*:*) - # Both alias name and subnet + # Both alias name and networks destnets="${fullinterface##*:}" fullinterface="${fullinterface%:*}" ;; *:*) - # Alias name OR subnet + # Alias name OR networks case ${fullinterface#*:} in *.*) - # It's a subnet + # It's a networks destnets="${fullinterface#*:}" fullinterface="${fullinterface%:*}" ;; @@ -3782,23 +3987,23 @@ setup_masq() fatal_error "Unknown interface $interface" fi - if [ "$subnet" = "${subnet%!*}" ]; then + if [ "$networks" = "${networks%!*}" ]; then nomasq= else - nomasq="${subnet#*!}" - subnet="${subnet%!*}" + nomasq="${networks#*!}" + networks="${networks%!*}" fi - source="$subnet" + source="$networks" - case $subnet in + case $networks in *.*.*) ;; *) - subnets=$(get_routed_subnets $subnet) - [ -z "$subnets" ] && fatal_error "Unable to determine the routes through interface $subnet" - subnet="$subnets" + networks=$(get_routed_networks $networks) + [ -z "$networks" ] && fatal_error "Unable to determine the routes through interface $networks" + networks="$networks" ;; esac @@ -3831,11 +4036,11 @@ setup_masq() addnatrule $newchain -d $destnet -j RETURN done - if [ -n "$subnet" ]; then - for s in $subnet; do + if [ -n "$networks" ]; then + for s in $networks; do addnatrule $chain -s $s -j $newchain done - subnet= + networks= else addnatrule $chain -j $newchain fi 
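Review bot: In setup_masq the rename collapsed two variables into one, so `networks=$(get_routed_networks $networks)` overwrites the interface name before `[ -z "$networks" ] && fatal_error "Unable to determine the routes through interface $networks"` can print it; the original printed `$subnet`, which still held the interface. The failure message now ends in `interface ` with nothing after it, and the following `networks="$networks"` is a no-op left over from `subnet="$subnets"`. Keep the interface in its own name, e.g. `routed_iface=$networks` before the call, `networks=$(get_routed_networks $routed_iface)`, and `… through interface $routed_iface"` in the message, then drop the no-op assignment. The enclosing setup_one body begins before this hunk.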
@@ -3856,8 +4061,8 @@ setup_masq() newchain=masq${masq_seq} createnatchain $newchain - if [ -n "$subnet" ]; then - for s in $subnet; do + if [ -n "$networks" ]; then + for s in $networks; do for destnet in $(separate_list $destnets); do addnatrule $chain -d $destnet -s $s -j $newchain done @@ -3870,7 +4075,7 @@ setup_masq() masq_seq=$(($masq_seq + 1)) chain=$newchain - subnet= + networks= destnets=0.0.0.0/0 for addr in $(separate_list $nomasq); do @@ -3889,8 +4094,8 @@ setup_masq() done fi - if [ -n "$subnet" ]; then - for s in $subnet; do + if [ -n "$networks" ]; then + for s in $networks; do if [ -n "$addresses" ]; then for destnet in $(separate_list $destnets); do addnatrule $chain -s $s -d $destnet -j SNAT $addrlist @@ -3919,10 +4124,10 @@ setup_masq() strip_file masq $1 - [ -n "$NAT_ENABLED" ] && echo "Masqueraded Subnets and Hosts:" + [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" - while read fullinterface subnet addresses; do - expandv fullinterface subnet addresses + while read fullinterface networks addresses; do + expandv fullinterface networks addresses [ -n "$NAT_ENABLED" ] && setup_one || \ error_message "Warning: NAT disabled; masq rule ignored" done < $TMP_DIR/masq @@ -3946,7 +4151,7 @@ add_blacklist_rule() { # # Process a record from the blacklist file # -# $subnet = address/subnet +# $networks = address/networks # $protocol = Protocol Number/Name # $port = Port Number/Name # @@ -3956,7 +4161,7 @@ process_blacklist_rec() { local proto local dport - for addr in $(separate_list $subnet); do + for addr in $(separate_list $networks); do case $addr in ~*) addr=$(echo $addr | sed 's/~//;s/-/:/g') 
@@ -4022,11 +4227,11 @@ process_blacklist_rec() { # Setup the Black List # setup_blacklist() { - local interfaces=$(find_interfaces_by_option blacklist) + local hosts=$(find_hosts_by_option blacklist) local f=$(find_file blacklist) local disposition=$BLACKLIST_DISPOSITION - if [ -n "$interfaces" -a -f $f ]; then + if [ -n "$hosts" -a -f $f ]; then echo "Setting up Blacklisting..." strip_file blacklist $f @@ -4035,18 +4240,23 @@ setup_blacklist() { [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state= - for interface in $interfaces; do - for chain in $(first_chains $interface); do - run_iptables -A $chain $state -j blacklst - done + for host in $hosts; do + interface=${host%%:*} + network=${host#*:} - echo " Blacklisting enabled on $interface" + for chain in $(first_chains $interface); do + run_iptables -A $chain $state $(match_source_hosts $network) -j blacklst + done + + [ $network = 0/0.0.0.0 ] && network= || network=":$network" + + echo " Blacklisting enabled on ${interface}${network}" done [ "$disposition" = REJECT ] && disposition=reject - while read subnet protocol ports; do - expandv subnet protocol ports + while read networks protocol ports; do + expandv networks protocol ports process_blacklist_rec done < $TMP_DIR/blacklist @@ -4069,8 +4279,8 @@ refresh_blacklist() { run_iptables -F blacklst - while read subnet protocol ports; do - expandv subnet protocol ports + while read networks protocol ports; do + expandv networks protocol ports process_blacklist_rec done < $TMP_DIR/blacklist fi 
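Review bot: The new display line in setup_blacklist tests `[ $network = 0/0.0.0.0 ]`, but the wildcard that find_hosts_by_option emits in this diff is `0.0.0.0/0` (`echo ${interface}:0.0.0.0/0`), so the comparison never matches and every whole-interface entry is printed with a `:0.0.0.0/0` suffix. It should be `[ "$network" = 0.0.0.0/0 ] && network= || network=":$network"`, with the quoting so an empty value cannot turn into a syntax error. The rule generation above it, `run_iptables -A $chain $state $(match_source_hosts $network) -j blacklst`, is unaffected since it uses the value directly.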
@@ -4109,14 +4319,14 @@ add_ip_aliases() # decoration on these IP addresses that they see when their # distro's net config tool adds them. In an attempt to reduce # the anxiety level, we have the following code which sets - # the VLSM and BRD from an existing address in the same subnet + # the VLSM and BRD from an existing address in the same networks # - # Get all of the lines that contain inet addresses + # Get all of the lines that contain inet addresses with broadcast # - ip -f inet addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do + ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do case $cidr in */*) - if in_subnet $external $cidr; then + if in_network $external $cidr; then echo "/${cidr#*/} brd $(broadcastaddress $cidr)" break fi @@ -4261,6 +4471,7 @@ initialize_netfilter () { strip_file proxyarp strip_file maclist strip_file nat + strip_file netmap terminator=fatal_error @@ -4419,15 +4630,18 @@ add_common_rules() { # # SMURFS # - interfaces=$(find_interfaces_by_option nosmurfs) + hosts=$(find_hosts_by_option nosmurfs) - if [ -n "$interfaces" ]; then + if [ -n "$hosts" ]; then echo "Adding Anti-smurf Rules" - for interface in $interfaces; do + for host in $hosts; do + interface=${host%%:*} + network=${host#*:} + for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW -j smurfs + run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j smurfs done done fi @@ -4441,6 +4655,11 @@ add_common_rules() { echo "Adding rules for DHCP" for interface in $interfaces; do + if [ -n "$BRIDGING" ]; then + eval is_bridge=\$$(chain_base $interface)_ports + [ -n "$is_bridge" ] && \ + iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT + fi run_iptables -A $(input_chain $interface) -p udp --dport 67:68 -j ACCEPT run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT done 
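Review bot: The bridge DHCP rule added in add_common_rules, `iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT`, calls iptables directly while the two lines below it go through run_iptables, so a failure here is neither reported nor stops the firewall the way every other rule in this function is handled; use `run_iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT`. The comment `# This might be a bridge` does not say what the rule permits; if forward_chain is entered via `-i $interface` as the name suggests, this accepts DHCP forwarded between ports of the same bridge, and the comment should state that. `is_bridge` is presumably not declared local; the function header is outside this hunk. The `grep 'inet.*brd'` tightening in add_ip_aliases is sensible for a broadcast lookup.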
@@ -4448,9 +4667,9 @@ add_common_rules() { # # RFC 1918 # - norfc1918_interfaces="$(find_interfaces_by_option norfc1918)" + hosts="$(find_hosts_by_option norfc1918)" - if [ -n "$norfc1918_interfaces" ]; then + if [ -n "$hosts" ]; then echo "Enabling RFC1918 Filtering" strip_file rfc1918 @@ -4478,7 +4697,7 @@ add_common_rules() { run_iptables -t mangle -A rfc1918 -j DROP fi - while read subnet target; do + while read networks target; do case $target in logdrop) target=rfc1918 
@@ -4486,40 +4705,86 @@ add_common_rules() { DROP|RETURN) ;; *) - fatal_error "Invalid target ($target) for $subnet" + fatal_error "Invalid target ($target) for $networks" ;; esac - run_iptables2 -A norfc1918 -s $subnet -j $target + run_iptables2 -A norfc1918 -s $networks -j $target if [ -n "$CONNTRACK_MATCH" ]; then # # We have connection tracking match -- match on the original destination # - run_iptables2 -A norfc1918 -m conntrack --ctorigdst $subnet -j $target + run_iptables2 -A norfc1918 -m conntrack --ctorigdst $networks -j $target elif [ -n "$MANGLE_ENABLED" ]; then # # No connection tracking match but we have mangling -- add a rule to # the mangle table # - run_iptables2 -t mangle -A man1918 -d $subnet -j $target + run_iptables2 -t mangle -A man1918 -d $networks -j $target fi done < $TMP_DIR/rfc1918 - for interface in $norfc1918_interfaces; do + for host in $hosts; do + interface=${host%%:*} + networks=${host#*:} + for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW -j norfc1918 + run_iptables -A $chain -m state --state NEW $(match_source_hosts $networks) -j norfc1918 done [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \ - run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918 + run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface $(match_source_hosts $networks) -j man1918 + done + fi + # + # Bogons + # + hosts="$(find_hosts_by_option nobogons)" + + if [ -n "$hosts" ]; then + echo "Enabling Bogon Filtering" + + strip_file bogons + + createchain nobogons no + + createchain bogons no + + log_rule $BOGON_LOG_LEVEL bogons DROP + + run_iptables -A bogons -j DROP + + while read networks target; do + case $target in + logdrop) + target=bogons + ;; + DROP|RETURN) + ;; + *) + fatal_error "Invalid target ($target) for $networks" + ;; + esac + + run_iptables2 -A nobogons -s $networks -j $target + + done < $TMP_DIR/bogons + + for host in $hosts; do + interface=${host%%:*} + 
network=${host#*:} + + for chain in $(first_chains $interface); do + run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j nobogons + done done fi - interfaces=$(find_interfaces_by_option tcpflags) + hosts=$(find_hosts_by_option tcpflags) - if [ -n "$interfaces" ]; then + if [ -n "$hosts" ]; then echo "Setting up TCP Flags checking..." createchain tcpflags no @@ -4560,9 +4825,12 @@ add_common_rules() { # run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition - for interface in $interfaces; do + for host in $hosts; do + interface=${host%%:*} + network=${host#*:} + for chain in $(first_chains $interface); do - run_iptables -A $chain -p tcp -j tcpflags + run_iptables -A $chain -p tcp $(match_source_hosts $network) -j tcpflags done done fi @@ -4698,8 +4966,11 @@ activate_rules() shift shift - havenatchain $destchain && \ + if havenatchain $destchain ; then run_iptables -t nat -A $sourcechain $@ -j $destchain + elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then + rm -f #TMP_DIR/physdev + fi } # @@ -4716,6 +4987,8 @@ activate_rules() eval run_iptables -t nat -I $sourcechain \ \$${sourcechain}_rule $@ -j $destchain eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\) + elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then + rm -f $TMP_DIR/physdev fi } @@ -4726,7 +4999,7 @@ activate_rules() addnatjump POSTROUTING nat_out for interface in $all_interfaces; do - addnatjump PREROUTING $(input_chain $interface) -i $interface + addnatjump PREROUTING $(input_chain $interface) -i $interface addnatjump POSTROUTING $(output_chain $interface) -o $interface done 
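Review bot: In the addnatjump hunk the new else-branch reads `rm -f #TMP_DIR/physdev`; the `#` starts a comment, so the command is `rm -f` with no operand (at best a silent no-op), the marker file is never removed, and the next bridged rule built through physdev_echo would omit `-m physdev`. The addrulejump hunk just below has the intended `rm -f $TMP_DIR/physdev`. Both branches repeat the cleanup that run_iptables performs; a one-line helper such as `clear_physdev_marker() { [ -n "$BRIDGING" ] && [ -f "$TMP_DIR/physdev" ] && rm -f "$TMP_DIR/physdev"; }` called from all three sites would keep the protocol in one place. In the bogons section, `log_rule $BOGON_LOG_LEVEL bogons DROP` relies on BOGON_LOG_LEVEL being defined by configuration that is not part of this diff; a comment naming where it comes from would help.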
@@ -4754,28 +5027,31 @@ activate_rules() need_broadcast= for host in $source_hosts; do - interface=${host%:*} - subnet=${host#*:} + interface=${host%%:*} + networks=${host#*:} - run_iptables -A OUTPUT -o $interface -d $subnet -j $chain1 + run_iptables -A OUTPUT -o $interface $(match_dest_hosts $networks) -j $chain1 # # Add jumps from the builtin chains for DNAT and SNAT rules # - addrulejump PREROUTING $(dnat_chain $zone) -i $interface -s $subnet - addrulejump POSTROUTING $(snat_chain $zone) -o $interface -d $subnet + addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) + addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) - run_iptables -A $(input_chain $interface) -s $subnet -j $chain2 + run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) -j $chain2 [ -n "$complex" ] && \ - run_iptables -A $(forward_chain $interface) -s $subnet -j $frwd_chain + run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) -j $frwd_chain - if [ "$subnet" != 0.0.0.0/0 ]; then - if ! list_search $interface $need_broadcast ; then - eval options=\$$(chain_base $interface)_options - list_search detectnets $options && need_broadcast="$need_broadcast $interface" - fi - fi + case $networks in + *.*.*.*) + if [ "$networks" != 0.0.0.0/0 ]; then + if ! list_search $interface $need_broadcast ; then + interface_has_option $interface detectnets && need_broadcast="$need_broadcast $interface" + fi + fi + ;; + esac done 
@@ -4797,47 +5073,75 @@ activate_rules() echo "$zone $zone1 $chain" >> ${STATEDIR}/chains if [ $zone = $zone1 ]; then + # + # Try not to generate superfluous intra-zone rules + # eval routeback=\"\$${zone}_routeback\" + eval interfaces=\"\$${zone}_interfaces\" + eval ports="\$${zone}_ports" + + num_ifaces=$(list_count1 $interfaces) + # + # If the zone has a single interface then what matters is how many ports it has + # + [ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports) + # + # If we don't need to route back and if we have only one interface or one port to + # the zone then assume that hosts in the zone can communicate directly. + # + if [ $num_ifaces -lt 2 -a -z "$routeback" ] ; then + continue + fi else routeback= + num_ifaces=0 fi if [ -n "$complex" ]; then for host1 in $dest_hosts; do - interface1=${host1%:*} - subnet1=${host1#*:} - if [ $(list_count1 $source_hosts) -eq 1 -a "$source_hosts" = "$host1" ]; then - if list_search $host1 $routeback; then - run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain - fi - else - run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain + interface1=${host1%%:*} + networks1=${host1#*:} + # + # Only generate an intrazone rule if the zone has more than one interface (port) or if + # routeback was specified for this host group + # + if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then + run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) -j $chain fi done else for host in $source_hosts; do - interface=${host%:*} - subnet=${host#*:} + interface=${host%%:*} + networks=${host#*:} chain1=$(forward_chain $interface) for host1 in $dest_hosts; do - interface1=${host1%:*} - subnet1=${host1#*:} + interface1=${host1%%:*} + networks1=${host1#*:} if [ "$host" != "$host1" ] || list_search $host $routeback; then - run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain + run_iptables -A $chain1 $(match_source_hosts $networks) -o 
$interface1 $(match_dest_hosts $networks1) -j $chain fi done done fi done done - - for interface in $all_interfaces; do - run_iptables -A FORWARD -i $interface -j $(forward_chain $interface) - run_iptables -A INPUT -i $interface -j $(input_chain $interface) - addnatjump POSTROUTING $(masq_chain $interface) -o $interface + + for interface in $all_interfaces ; do + + run_iptables -A FORWARD -i $interface -j $(forward_chain $interface) + run_iptables -A INPUT -i $interface -j $(input_chain $interface) + addnatjump POSTROUTING $(masq_chain $interface) -o $interface + # + # Bridges under the 2.4 kernel have the wierd property that REJECTS have the physdev-in and physdev-out set to the input physdev. + # To accomodate this feature/bug, we effectively set 'routeback' on bridge ports. + # + eval ports=\$$(chain_base $interface)_ports + for port in $ports; do + run_iptables -A $(forward_chain $interface) -o $interface -m physdev --physdev-in $port --physdev-out $port -j ACCEPT + done done chain=${FW}2${FW} @@ -4865,7 +5169,6 @@ activate_rules() run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT done - } # @@ -4910,6 +5213,10 @@ define_firewall() # $1 = Command (Start or Restart) setup_nat + echo "Setting up NETMAP..." + + setup_netmap + echo "Adding Common Rules" add_common_rules @@ -5016,7 +5323,7 @@ refresh_firewall() } # -# Add a host or subnet to a zone +# Add a host or networks to a zone # add_to_zone() # $1 = [:] $2 = zone { @@ -5178,11 +5485,11 @@ add_to_zone() # $1 = [:] $2 = zone fi for h in $dest_hosts; do - iface=${h%:*} + iface=${h%%:*} hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -I $source_chain $rulenum -s $host -o $iface -d $hosts -j $chain + do_iptables -I $source_chain $rulenum -s $host -o $iface $(match_dest_hosts $hosts) -j $chain rulenum=$(($rulenum + 1)) fi done 
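Review bot: The bridge-port loop at the end of the hunk appends an unconditional ACCEPT to each interface's forward chain for packets whose physdev-in and physdev-out are the same port, and the comment explains the 2.4 REJECT quirk but not the two assumptions that make a blanket ACCEPT safe: that the bridge never forwards a frame out of its ingress port (so the rule only ever matches the quirk) and that the rule lands after the zone jumps, which holds only because this loop runs after the zone loops above it. Suggest extending the comment with `# NOTE: relies on (a) a bridge never forwarding out of its ingress port and (b) this rule being appended after all zone jumps added above.` and fixing `wierd`/`accomodate`. Separately, `eval ports="\$${zone}_ports"` uses a different quoting form from the adjacent `eval routeback=\"\$${zone}_routeback\"`; both work for an assignment, but the inconsistency invites a wrong edit later. activate_rules starts outside the hunk.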
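Review bot: `echo "Setting up NETMAP..."` is printed unconditionally, unlike the surrounding steps — the `setup_nat` call just above prints nothing here, and the bogon block in add_common_rules only announces itself when it finds hosts to act on. If setup_netmap (not in this diff) can tell whether the netmap file has entries, the message belongs inside it behind that check; otherwise the start-up output claims a NETMAP setup that may be empty. define_firewall starts outside the hunk.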
@@ -5205,7 +5512,7 @@ add_to_zone() # $1 = [:] $2 = zone eval source_hosts=\"\$${z1}_hosts\" for h in $source_hosts; do - iface=${h%:*} + iface=${h%%:*} hosts=${h#*:} base=$(chain_base $iface) @@ -5221,7 +5528,7 @@ add_to_zone() # $1 = [:] $2 = zone fi if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -I $(forward_chain $iface) $rulenum -s $hosts -o $interface -d $host -j $chain + do_iptables -I $(forward_chain $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host -j $chain rulenum=$(($rulenum + 1)) fi @@ -5237,12 +5544,12 @@ add_to_zone() # $1 = [:] $2 = zone } # -# Delete a host or subnet from a zone +# Delete a host or networks from a zone # delete_from_zone() # $1 = [:] $2 = zone { # - # Delete the subnect host(s) from the zone state file + # Delete the subject host(s) from the zone state file # delete_from_zones_file() { @@ -5328,11 +5635,11 @@ delete_from_zone() # $1 = [:] $2 = zone eval dest_hosts=\"\$${z2}_hosts\" for h in $dest_hosts $delhost; do - iface=${h%:*} + iface=${h%%:*} hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $source_chain -s $host -o $iface -d $hosts -j $chain + qt iptables -D $source_chain -s $host -o $iface $(match_source_hosts $hosts) -j $chain fi done fi @@ -5343,11 +5650,11 @@ delete_from_zone() # $1 = [:] $2 = zone eval source_hosts=\"\$${z1}_hosts\" for h in $source_hosts; do - iface=${h%:*} + iface=${h%%:*} hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $(forward_chain $iface) -s $hosts -o $interface -d $host -j $chain + qt iptables -D $(forward_chain $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain fi done fi @@ -5450,6 +5757,7 @@ do_initialize() { TCP_FLAGS_DISPOSITION= TCP_FLAGS_LOG_LEVEL= RFC1918_LOG_LEVEL= + BOGON_LOG_LEVEL= MARK_IN_FORWARD_CHAIN= SHARED_DIR=/usr/share/shorewall FUNCTIONS= 
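Review bot: In the delete_from_zone hunk at 5328 the rule being removed is built with `$(match_source_hosts $hosts)` on the destination side (`-o $iface`), whereas the rule it mirrors in add_to_zone (hunk 5178) was inserted with `$(match_dest_hosts $hosts)`; `iptables -D` only removes a rule whose match set is identical, so if the two helpers emit different matches (their bodies are not in this diff) the delete fails silently under `qt` and the rule for that host remains in `$source_chain` after `shorewall delete`. The line should read `qt iptables -D $source_chain -s $host -o $iface $(match_dest_hosts $hosts) -j $chain`, as the 5221/5343 pair already agrees on `match_source_hosts`. The enclosing function starts outside the hunk.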
@@ -5463,6 +5771,7 @@ do_initialize() { USEDACTIONS= SMURF_LOG_LEVEL= DISABLE_IPV6= + BRIDGING= stopping= have_mutex= @@ -5582,6 +5891,8 @@ do_initialize() { fi [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info + [ -z "$BOGON_LOG_LEVEL" ] && BOGON_LOG_LEVEL=info + MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN) [ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre if [ -n "$TC_ENABLED" ]; then @@ -5613,6 +5924,7 @@ do_initialize() { ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED) BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) + BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz" # @@ -5629,6 +5941,8 @@ do_initialize() { if [ $(encodeaddr $temp) != 192.168.1.1 ]; then startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall" fi + + rm -f $TMP_DIR/physdev } # diff --git a/STABLE2/functions b/STABLE2/functions index 9a9210325..c96f9c5bd 100755 --- a/STABLE2/functions +++ b/STABLE2/functions @@ -470,9 +470,9 @@ broadcastaddress() { } # -# Test for subnet membership +# Test for network membership # -in_subnet() # $1 = IP address, $2 = CIDR network +in_network() # $1 = IP address, $2 = CIDR network { local netmask=$(ip_netmask $2) @@ -502,11 +502,11 @@ ip_vlsm() { # # Chain name base for an interface -- replace all periods with underscores in the passed name. -# The result is echoed (less "+" and anything following). +# The result is echoed (less trailing "+"). # chain_base() #$1 = interface { - local c=${1%%+*} + local c=${1%%+} while true; do case $c in 
@@ -524,29 +524,25 @@ chain_base() #$1 = interface done } -# -# Remove trailing digits from a name -# -strip_trailing_digits() { - echo $1 | sed s'/[0-9].*$//' -} - # # Loosly Match the name of an interface # if_match() # $1 = Name in interfaces file - may end in "+" - # $2 = Name from routing table + # $2 = Full interface name - may also end in "+" { - local if_file=$1 - local rt_table=$2 - - case $if_file in + local pattern=${1%+} + + case $1 in *+) - test "$(strip_trailing_digits $rt_table)" = "${if_file%+}" + # + # Can't use ${2:0:${#pattern}} because ash and dash don't support that flavor of + # variable expansion :-( + # + test "x$(echo $2 | cut -b -${#pattern} )" = "x${pattern}" ;; *) - test "$rt_table" = "$if_file" + test "x$1" = "x$2" ;; esac } @@ -571,7 +567,7 @@ find_rt_interface() { ip route ls | while read addr rest; do case $addr in */*) - in_subnet ${1%/*} $addr && echo $(find_device $rest) + in_network ${1%/*} $addr && echo $(find_device $rest) ;; default) ;; diff --git a/STABLE2/help b/STABLE2/help index 4ed47f396..8a052a9ee 100644 --- a/STABLE2/help +++ b/STABLE2/help @@ -147,8 +147,13 @@ logwatch) monitor) echo "monitor: monitor [] + + shorewall [-x] monitor [] + Continuously display the firewall status, last 20 log entries and nat. - When the log entry display changes, an audible alarm is sounded." + When the log entry display changes, an audible alarm is sounded. + + When -x is given, that option is also passed to iptables to display actual packet and byte counts." ;; refresh) 
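Review bot: `local c=${1%%+}` in chain_base uses `%%` with a literal pattern, where `%%` and `%` are equivalent; the if_match hunk below writes the same strip as `${1%+}`, so `local c=${1%+}` would make the two read alike and match the updated comment ("less trailing +"). chain_base continues outside the hunk.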
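Review bot: The `*+)` arm of if_match forks `echo` and `cut` for every comparison and passes `$2` to `echo` unquoted; a pure-shell prefix test works in ash and dash without either: `case $2 in "$pattern"*) true ;; *) false ;; esac` in place of the `test "x$(echo $2 | cut -b -${#pattern} )" = "x${pattern}"` line, with the quoted `"$pattern"` keeping the prefix literal as the current code does. It also avoids `cut -b -0` when `$1` is just `+` (`${#pattern}` is 0), which prints an error to stderr while the comparison still succeeds. The comment about `${2:0:${#pattern}}` can then be dropped.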
@@ -185,14 +190,15 @@ save) ;; show) - echo "show: show [ [ ...] |classifiers|connections|log|nat|tc|tos] - shorewall show [ ... ] - produce a verbose report about the IPtable chain(s). + echo "show: show [ [ ...] |classifiers|connections|log|nat|tc|tos] + + shorewall [-x] show [ ... ] - produce a verbose report about the IPtable chain(s). (iptables -L chain -n -v) - shorewall show nat - produce a verbose report about the nat table. + shorewall [-x] show nat - produce a verbose report about the nat table. (iptables -t nat -L -n -v) - shorewall show tos - produce a verbose report about the mangle table. + shorewall [-x] show tos - produce a verbose report about the mangle table. (iptables -t mangle -L -n -v) shorewall show log - display the last 20 packet log entries. @@ -201,7 +207,9 @@ show) being tracked by the firewall. shorewall show tc - displays information about the traffic - control/shaping configuration." + control/shaping configuration. + + When -x is given, that option is also passed to iptables to display actual packet and byte counts." ;; start) @@ -221,9 +229,14 @@ stop) status) echo "status: status + + shorewall [-x] status + Produce a verbose report about the firewall. - (iptables -L -n -v)" + (iptables -L -n -) + + When -x is given, that option is also passed to iptables to display actual packet and byte counts." ;; trace) diff --git a/STABLE2/hosts b/STABLE2/hosts index 129e5431b..2aaf93a97 100644 --- a/STABLE2/hosts +++ b/STABLE2/hosts 
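Review bot: The status entry's new help text reads `(iptables -L -n -)` — the `v` was lost when the line was reworded, so the help now documents an invalid iptables invocation; it should read `(iptables -L -n -v)` as the removed line did (the /sbin/shorewall hunks pass `-nv` or `-xnv`). The added `-x` sentence matches what the `-x)` option in /sbin/shorewall does.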
@@ -5,28 +5,39 @@ # ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE. # # IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE. -# +#------------------------------------------------------------------------------ +# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN +# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT +# ZONE AND INTERFACE IN THIS FILE. +#------------------------------------------------------------------------------ # This file is used to define zones in terms of subnets and/or # individual IP addresses. Most simple setups don't need to # (should not) place anything in this file. # # ZONE - The name of a zone defined in /etc/shorewall/zones # -# HOST(S) - The name of an interface followed by a colon (":") and +# HOST(S) - The name of an interface defined in the +# /etc/shorewall/interfaces file followed by a colon (":") and # a comma-separated list whose elements are either: # # a) The IP address of a host # b) A subnetwork in the form # / -# -# The interface must be defined in the -# /etc/shorewall/interfaces file. +# c) A physical port name; only allowed when the +# interface names a bridge created by the +# brctl addbr command. This port must not +# be defined in /etc/shorewall/interfaces and may +# optionally followed by a colon (":") and a +# host or network IP. +# See http://www.shorewall.net/Bridge.html for details. # # Examples: # # eth1:192.168.1.3 # eth2:192.168.2.0/24 # eth3:192.168.2.0/24,192.168.3.1 +# br0:eth4 +# br0:eth0:192.168.1.16/28 # # OPTIONS - A comma-separated list of options. Currently-defined # options are: 
@@ -47,6 +58,66 @@ # to send requests originating from this # group to a server in the group. # +# norfc1918 - This option only makes sense for ports +# on a bridge. +# +# The port should not accept +# any packets whose source is in one +# of the ranges reserved by RFC 1918 +# (i.e., private or "non-routable" +# addresses. If packet mangling or +# connection-tracking match is enabled in +# your kernel, packets whose destination +# addresses are reserved by RFC 1918 are +# also rejected. +# +# nobogons - This option only makes sense for ports +# on a bridge. +# +# This port should not accept +# any packets whose source is in one +# of the ranges reserved by IANA (this +# option does not cover those ranges +# reserved by RFC 1918 -- see +# 'norfc1918' above). +# +# blacklist - This option only makes sense for ports +# on a bridge. +# +# Check packets arriving on this port +# against the /etc/shorewall/blacklist +# file. +# +# tcpflags - Packets arriving from these hosts are +# checked for certain illegal combinations +# of TCP flags. Packets found to have +# such a combination of flags are handled +# according to the setting of +# TCP_FLAGS_DISPOSITION after having been +# logged according to the setting of +# TCP_FLAGS_LOG_LEVEL. +# +# nosmurfs - This option only makes sense for ports +# on a bridge. +# +# Filter packets for smurfs +# (packets with a broadcast +# address as the source). +# +# Smurfs will be optionally logged based +# on the setting of SMURF_LOG_LEVEL in +# shorewall.conf. After logging, the +# packets are dropped. +# +# newnotsyn - TCP packets that don't have the SYN +# flag set and which are not part of an +# established connection will be accepted +# from these hosts, even if +# NEWNOTSYN=No has been specified in +# /etc/shorewall/shorewall.conf. +# +# This option has no effect if +# NEWNOTSYN=Yes. # #ZONE HOST(S) OPTIONS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE 
diff --git a/STABLE2/install.sh b/STABLE2/install.sh index 0e83f5b98..69d82b463 100755 --- a/STABLE2/install.sh +++ b/STABLE2/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=2.0.0b +VERSION=2.0.1 usage() # $1 = exit status { @@ -270,6 +270,16 @@ else echo "NAT file installed as ${PREFIX}/etc/shorewall/nat" fi # +# Install the NETMAP file +# +if [ -f ${PREFIX}/etc/shorewall/netmap ]; then + backup_file /etc/shorewall/netmap +else + run_install -o $OWNER -g $GROUP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap + echo + echo "NETMAP file installed as ${PREFIX}/etc/shorewall/netmap" +fi +# # Install the Parameters file # if [ -f ${PREFIX}/etc/shorewall/params ]; then @@ -384,6 +394,12 @@ install_file_with_backup rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0600 echo echo "RFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918" # +# Install the bogons file +# +install_file_with_backup bogons ${PREFIX}/usr/share/shorewall/bogons 0600 +echo +echo "Bogon file installed as ${PREFIX}/etc/shorewall/bogons" +# # Install the init file # if [ -f ${PREFIX}/etc/shorewall/init ]; then diff --git a/STABLE2/interfaces b/STABLE2/interfaces index 9d25a0f1f..9a9642362 100644 --- a/STABLE2/interfaces +++ b/STABLE2/interfaces 
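Review bot: The bogons install message says the file was installed as `${PREFIX}/etc/shorewall/bogons`, but the line above installs it to `${PREFIX}/usr/share/shorewall/bogons`; the message should read `echo "Bogon file installed as ${PREFIX}/usr/share/shorewall/bogons"`. The mismatch is copied from the rfc1918 context line just above, which has the same wrong path, and since the release notes tell users to keep `/usr/share/shorewall/bogons` updated, pointing them at /etc is actively misleading.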
@@ -46,31 +46,51 @@ # OPTIONS A comma-separated list of options including the # following: # -# dhcp - interface is managed by DHCP or used by -# a DHCP server running on the firewall or -# you have a static IP but are on a LAN -# segment with lots of Laptop DHCP clients. +# dhcp - Specify this option when any of +# the following are true: +# 1. the interface gets its IP address +# via DHCP +# 2. the interface is used by +# a DHCP server running on the firewall +# 3. you have a static IP but are on a LAN +# segment with lots of Laptop DHCP +# clients. +# 4. the interface is a bridge with +# a DHCP server on one port and DHCP +# clients on another port. +# # norfc1918 - This interface should not receive # any packets whose source is in one # of the ranges reserved by RFC 1918 # (i.e., private or "non-routable" -# addresses. If packet mangling is -# enabled in shorewall.conf, packets -# whose destination addresses are -# reserved by RFC 1918 are also rejected. +# addresses. If packet mangling or +# connection-tracking match is enabled in +# your kernel, packets whose destination +# addresses are reserved by RFC 1918 are +# also rejected. +# +# nobogons - This interface should not receive +# any packets whose source is in one +# of the ranges reserved by IANA (this +# option does not cover those ranges +# reserved by RFC 1918 -- see above). +# # routefilter - turn on kernel route filtering for this # interface (anti-spoofing measure). This # option can also be enabled globally in # the /etc/shorewall/shorewall.conf file. +# # . . blacklist - Check packets arriving on this interface # against the /etc/shorewall/blacklist # file. +# # maclist - Connection requests from this interface # are compared against the contents of # /etc/shorewall/maclist. If this option # is specified, the interface must be # an ethernet NIC and must be up before # Shorewall is started. 
+# # tcpflags - Packets arriving on this interface are # checked for certain illegal combinations # of TCP flags. Packets found to have @@ -79,6 +99,7 @@ # TCP_FLAGS_DISPOSITION after having been # logged according to the setting of # TCP_FLAGS_LOG_LEVEL. +# # proxyarp - # Sets # /proc/sys/net/ipv4/conf//proxy_arp. @@ -127,7 +148,7 @@ # hosts routed through the interface. # # WARNING: DO NOT SET THE detectnets OPTION ON YOUR -# INTERNET INTERFACE! +# INTERNET INTERFACE. # # The order in which you list the options is not # significant but the list should have no embedded white diff --git a/STABLE2/releasenotes.txt b/STABLE2/releasenotes.txt index 5a16c6b15..cc2f9bee0 100644 --- a/STABLE2/releasenotes.txt +++ b/STABLE2/releasenotes.txt 
@@ -1,237 +1,100 @@ -Shorewall 2.0.0b +Shorewall 2.0.1 ---------------------------------------------------------------------- -Problems Corrected since 1.4.10 - -1) A blank USER/GROUP column in /etc/shorewall/tcrules no longer causes - a [re]start error. - -2) The 'fgrep' utility is no longer required (caused startup problems - on LEAF/Bering). - -3) The "shorewall add" command no longer inserts rules before checking - of the blacklist. - -4) The 'detectnets' and 'routeback' options may now be used together - with the intended effect. - -5) The following syntax previously produced an error: - - DNAT z1!z2,z3 z4... - -Problems Corrected since RC2 - -1) CONTINUE rules now work again. - -2) A comment in the rules file has been corrected. - Problems Corrected since 2.0.0 1) Using actions in the manner recommended in the documentation results in a Warning that the rule is a policy. -Problems Corrected since 2.0.0a +2) When a zone on a single interface is defined using + /etc/shorewall/hosts, superfluous rules are generated in the + _frwd chain. -1) Thanks to Sean Mathews, a long-time problem with Proxy ARP and IPSEC - has been corrected. +3) Thanks to Sean Mathews, a long-standing problem with Proxy ARP and + IPSEC has been corrected. Thanks Sean!!! -2) The Default value for ALL INTERFACES in the /etc/shorewall/nat file - is supposed to be 'no' but it remained 'yes' as in 1.4. +4) The "shorewall show log" and "shorewall logwatch" commands + incorrectly displayed type 3 ICMP packets. ----------------------------------------------------------------------- -Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0: +Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1: -1) The 'dropunclean' and 'logunclean' interface options are no longer - supported. If either option is specified in - /etc/shorewall/interfaces, an threatening message will be - generated. +1) The function of 'norfc1918' is now split between that option and a + new 'nobogons' option. 
-2) The NAT_BEFORE_RULES option has been removed from - shorewall.conf. The behavior of Shorewall is as if - NAT_BEFORE_RULES=No had been specified. In other words, DNAT rules - now always take precidence over one-to-one NAT specifications. + The rfc1918 file released with Shorewall now contains entries for + only those three address ranges reserved by RFC 1918. A 'nobogons' + interface option has been added which handles bogon source + addresses (those which are reserved by the IANA, those reserved for + DHCP auto-configuration and the class C test-net reserved for + testing and documentation examples). This will allow users to + perform RFC 1918 filtering without having to deal with out + of date data from IANA. Those who are willing to update their + /usr/share/shorewall/bogons file regularly can specify the + 'nobogons' option in addition to 'norfc1918'. -3) The default value for the ALL INTERFACES column in - /etc/shorewall/nat has changed. In Shorewall 1.*, if the column was - left empty, a value of "Yes" was assumed. This has been changed so - that a value of "No" is now assumed. - -4) The following files don't exist in Shorewall 2.0: - - /etc/shorewall/common.def - /etc/shorewall/common - /etc/shorewall/icmpdef - /etc/shorewall/action.template (Moved to /usr/share/shorewall) - /etc/shorewall/rfc1918 (Moved to /usr/share/shorewall). - - The /etc/shorewall/action file now allows an action to be - designated as the "common" action for a particular policy type by - following the action name with ":" and the policy (DROP, REJECT or - ACCEPT). - - The file /usr/share/shorewall/actions.std has been added to define those - actions that are released as part of Shorewall. In that file are - two actions as follows: - - Drop:DROP - Reject:REJECT - - The "Drop" action is the common action for DROP policies while the - "Reject" action is the default action for "REJECT" policies. 
These - actions will be performed on packets prior to applying the DROP or - REJECT policy respectively. In the first release, the difference - between "Reject" and "Drop" is that "Reject" REJECTs SMB traffic - while "Drop" silently drops such traffic. - - As described above, Shorewall allows a common action for ACCEPT - policies but does not specify such an action in the default - configuration. - - If for some reason, you don't wish to have a common DROP or REJECT - action, just include :DROP or :REJECT respectively in your - /etc/shorewall/actions file. - - The file /usr/share/shorewall/actions.std catalogs the standard - actions and is processed prior to /etc/shorewall/actions. This - causes a large number of actions to be defined. The files which - define these aactions are also located in /usr/share/shorewall as - is the he action template file (action.template). - - In the initial release, the following actions are defined: - - dropBcast #Silently Drops Broadcast Traffic - dropNonSyn #Silently Drop Non-syn TCP packets - - DropSMB #Silently Drops Microsoft SMB Traffic - RejectSMB #Silently Reject Microsoft SMB Traffic - DropUPnP #Silently Drop UPnP Probes - RejectAuth #Silently Reject Auth - DropPing #Silently Drop Ping - DropDNSrep #Silently Drop DNS Replies - - AllowPing #Accept Ping - AllowFTP #Accept FTP - AllowDNS #Accept DNS - AllowSSH #Accept SSH - AllowWeb #Allow Web Browsing - AllowSMB #Allow MS Networking - AllowAuth #Allow Auth (identd) - AllowSMTP #Allow SMTP (Email) - AllowPOP3 #Allow reading mail via POP3 - AllowIMAP #Allow reading mail via IMAP - AllowTelnet #Allow Telnet Access (not recommended for use over the - #Internet) - AllowVNC #Allow VNC, Displays 0-9 - AllowVNCL #Allow access to VNC viewer in listen mode - AllowNTP #Allow Network Time Protocol (ntpd) - AllowRdate #Allow remote time (rdate). - AllowNNTP #Allow network news (Usenet). 
- AllowTrcrt #Allows Traceroute (20 hops) - AllowSNMP #Allows SNMP (including traps) - AllowPCA #Allows PCAnywhere (tm). - - Drop:DROP #Common rules for DROP policy - Reject:REJECT #Common Action for Reject policy - - These actions may be used in the ACTION column of the rules - column. So for example, to allow FTP from your loc zone to your firewall, - you would place this rule in /etc/shorewall/rules: - - #ACTION SOURCE DEST - AllowFTP loc fw - - if you want to redefine any of the Shorewall-defined actions, - simply copy the appropriate action file from /usr/share/shorewall - to /etc/shorewall and modify the copy as desired. Your modified - copy will be used rather than the original one in - /usr/share/shorewall. - - Note: The 'dropBcast' and 'dropNonSyn' actions are built into - Shorewall and may not be changed. - - Beginning with version 2.0.0-Beta2, Shorewall will only create a - chain for those actions that are actually used. - -5) The /etc/shorewall directory no longer contains a 'users' file or a - 'usersets' file. Similar functionality is now available using - user-defined actions. - - Now, action files created by copying - /usr/share/shorewall/action.template may now specify a USER and or - GROUP name/id in the final column just like in the rules file (see - below). It is thus possible to create actions that control traffic - from a list of users and/or groups. - - The last column in /etc/shorewall/rules is now labeled USER/GROUP - and may contain: - - [!][:] - [!][:] - [!]: - [!]: - [!]: - [!]: - [!]: - [!]: - -6) It is no longer possible to specify rate limiting in the ACTION - column of /etc/shorewall/rules -- you must use the RATE LIMIT - column. - -7) Depending on which method you use to upgrade, if you have your own - version of /etc/shorewall/rfc1918, you may have to take special - action to restore it after the upgrade. Look for - /etc/shorewall/rfc1918*, locate the proper file and rename it back - to /etc/shorewall/rfc1918. 
The contents of that file will supercede - the contents of /usr/share/shorewall/rfc1918. + The level at which bogon packets are logged is specified in the new + BOGON_LOG_LEVEL variable in shorewall.conf. If that option is not + specified or is specified as empty (e.g, BOGON_LOG_LEVEL="") then + bogon packets whose TARGET is 'logdrop' in + /usr/share/shorewall/bogons are logged at the 'info' level. New Features: -1) The INCLUDE directive now allows absolute file names. +1) Support for Bridging Firewalls has been added. For details, see -2) A 'nosmurfs' interface option has been added to - /etc/shorewall/interfaces. When specified for an interface, this - option causes smurfs (packets with a broadcast address as their - source) to be dropped and optionally logged (based on the setting of - a new SMURF_LOG_LEVEL option in shorewall.conf). + http://shorewall.net/bridge.html -3) fw->fw traffic may now be controlled by Shorewall. There is no need - to define the loopback interface in /etc/shorewall/interfaces; you - simply add a fw->fw policy and fw->fw rules. If you have neither a - fw->fw policy nor fw->fw rules, all fw->fw traffic is allowed. +2) Support for NETMAP has been added. NETMAP allows NAT to be defined + between two network: -4) There is a new PERSISTENT column in the proxyarp file. A value of - "Yes" in this column means that the route added by Shorewall for - this host will remain after a "shorewall stop" or "shorewall clear". + a.b.c.1 -> x.y.z.1 + a.b.c.2 -> x.y.z.2 + a.b.c.3 -> x.y.z.3 + ... -5) "trace" is now a synonym for "debug" in /sbin/shorewall commands. - So to trace the "start" command, you could enter: + http://shorewall.net/netmap.html - shorewall trace start 2> /tmp/trace +3) The /sbin/shorewall program now accepts a "-x" option to cause + iptables to print out the actual packet and byte counts rather than + abbreviated counts such as "13MB". - The trace information would be written to the file /tmp/trace. 
+ Commands affected by this are: -6) When defining an ipsec tunnel in /etc/shorewall/tunnels, if you - follow the tunnel type ("ipsec" or "ipsecnet") with ":noah" - (e.g., "ipsec:noah"), then Shorewall will only create rules for - ESP (protocol 50) and will not create rules for AH (protocol 51). + shorewall -x show [ [ ...] ] + shorewall -x show tos|mangle + shorewall -x show nat + shorewall -x status + shorewall -x monitor [ ] -7) A new DISABLE_IPV6 option has been added to shorewall.conf. When - this option is set to "Yes", Shorewall will set the policy for the - IPv6 INPUT, OUTPUT and FORWARD chains to DROP during "shorewall - [re]start" and "shorewall stop". Regardless of the setting of this - variable, "shorewall clear" will silently attempt to set these - policies to ACCEPT. +4) Shorewall now traps two common zone definition errors: - If this option is not set in your existing shorewall.conf then a - setting of DISABLE_IPV6=No is assumed in which case, Shorewall will - not touch any IPv6 settings except during "shorewall clear". + - Including the firewall zone in a /etc/shorewall/hosts record. + - Defining an interface for a zone in both /etc/shorewall/interfaces + and /etc/shorewall/hosts. -8) The CONTINUE target is now available in action definitions. CONTINUE - terminates processing of the current action and returns to the point - where that action was invoked. + In the second case, the following will appear during "shorewall + [re]start" or "shorewall check": + Determining Hosts in Zones... + ... + Error: Invalid zone definition for zone + Terminated +5) To support bridging, the following options have been added to + entries in /etc/shorewall/hosts: + norfc1918 + nobogons + blacklist + tcpflags + nosmurfs + newnotsyn - + With the exception of 'newnotsyn', these options are only + useful when the entry refers to a bridge port. + + Example: + + #ZONE HOST(S) OPTIONS + net br0:eth0 norfc1918,nobogons,blacklist,tcpflags,nosmurfs 
diff --git a/STABLE2/rfc1918 b/STABLE2/rfc1918
index 01123a4b7..42bd82e3d 100644
--- a/STABLE2/rfc1918
+++ b/STABLE2/rfc1918
@@ -5,9 +5,10 @@
 #
 # Lists the subnetworks that are blocked by the 'norfc1918' interface option.
 #
-# The default list includes those IP addresses listed in RFC 1918, those listed
-# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
-# reserved for use in documentation and examples.
+# The default list includes those IP addresses listed in RFC 1918.
+#
+# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
+# TO /etc/shorewall AND MODIFY THE COPY.
 #
 # Columns are:
 #
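Review bot: The new header comment says the default list now covers only RFC 1918, but it does not tell a reader where the ranges removed in the next hunk went — loopback 127.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/7, 240.0.0.0/4 and the IANA-reserved blocks are no longer matched by 'norfc1918' at all, and only the release notes explain that they moved to the 'nobogons' option and /usr/share/shorewall/bogons. Suggest adding after the first sentence: `# Bogon ranges (loopback, link-local, test-net, IANA-reserved) are no longer listed here; use the 'nobogons' interface/hosts option and /usr/share/shorewall/bogons for those.` so that anyone who relied on norfc1918 for that coverage sees the change in the file itself.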
@@ -19,45 +20,7 @@
 #
 ###############################################################################
 #SUBNET TARGET
-255.255.255.255 RETURN # We need to allow limited broadcast
-169.254.0.0/16 DROP # DHCP autoconfig
 172.16.0.0/12 logdrop # RFC 1918
-192.0.2.0/24 logdrop # Example addresses (RFC 3330)
 192.168.0.0/16 logdrop # RFC 1918
-#
-# The following are generated with the help of the Python program found at:
-#
-# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
-#
-# The program was contributed by Andy Wiggin
-#
-0.0.0.0/7 logdrop # Reserved
-2.0.0.0/8 logdrop # Reserved
-5.0.0.0/8 logdrop # Reserved
-7.0.0.0/8 logdrop # Reserved
-10.0.0.0/8 logdrop # Reserved
-23.0.0.0/8 logdrop # Reserved
-27.0.0.0/8 logdrop # Reserved
-31.0.0.0/8 logdrop # Reserved
-36.0.0.0/7 logdrop # Reserved
-39.0.0.0/8 logdrop # Reserved
-41.0.0.0/8 logdrop # Reserved
-42.0.0.0/8 logdrop # Reserved
-49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
-50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
-58.0.0.0/7 logdrop # Reserved
-70.0.0.0/7 logdrop # Reserved
-72.0.0.0/5 logdrop # Reserved
-85.0.0.0/8 logdrop # Reserved
-86.0.0.0/7 logdrop # Reserved
-88.0.0.0/5 logdrop # Reserved
-96.0.0.0/3 logdrop # Reserved
-127.0.0.0/8 logdrop # Loopback
-197.0.0.0/8 logdrop # Reserved
-198.18.0.0/15 logdrop # Reserved
-223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
-240.0.0.0/4 logdrop # Reserved
-#
-# End of generated entries
-#
+10.0.0.0/8 logdrop # RFC 1918
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE2/shorewall b/STABLE2/shorewall
index 42efa2091..90185f2d9 100755
--- a/STABLE2/shorewall
+++ b/STABLE2/shorewall
@@ -175,7 +175,7 @@ display_chains()
 # Send the output to a temporary file since ash craps if we try to store
 # the output in a variable.
 #
- iptables -L -n -v > /tmp/chains-$$
+ iptables -L $IPT_OPTIONS > /tmp/chains-$$
 clear
 echo "$banner $(date)"
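Review bot: The rewritten line still redirects iptables output to the predictable path `/tmp/chains-$$`; this script runs as root (it drives iptables), and a temp file whose name only depends on the PID in a world-writable directory can be pre-created or symlinked by another local user, so the shell-quirk workaround described in the comment above should use `mktemp` rather than a fixed name, e.g. `chains=$(mktemp /tmp/chains.XXXXXX) || exit 1` with `iptables -L $IPT_OPTIONS > $chains` and a matching `rm -f` afterwards. Whether mktemp is available on every platform this script targets (the comment mentions ash) is not visible here. display_chains continues outside the hunk.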
@@ -289,7 +289,7 @@ packet_log() # $1 = number of messages sed s/" kernel:"// | \ sed s/" $host $LOGFORMAT"/" "/ | \ sed s/" $host kernel: ipt_unclean: "/" "/ | \ - sed 's/MAC=.*SRC=/SRC=/' | \ + sed 's/MAC=.* SRC=/SRC=/' | \ tail $options } @@ -420,7 +420,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that echo echo "NAT Status" echo - iptables -t nat -L -n -v + iptables -t nat -L $IPT_OPTIONS timed_read clear @@ -429,7 +429,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that echo echo "TOS/MARK Status" echo - iptables -t mangle -L -n -v + iptables -t mangle -L $IPT_OPTIONS timed_read clear @@ -530,7 +530,7 @@ help() # usage() # $1 = exit status { - echo "Usage: $(basename $0) [debug|trace] [nolock] [-c ] " + echo "Usage: $(basename $0) [debug|trace] [nolock] [-c ] [ -x ] " echo "where is one of:" echo " add [:] " echo " allow
..." @@ -585,6 +585,7 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then fi SHOREWALL_DIR= +IPT_OPTIONS="-nv" done=0 while [ $done -eq 0 ]; do @@ -605,6 +606,10 @@ while [ $done -eq 0 ]; do shift shift ;; + -x) + IPT_OPTIONS="-xnv" + shift + ;; *) done=1 ;; @@ -710,14 +715,14 @@ case "$1" in echo "Shorewall-$version NAT at $HOSTNAME - $(date)" echo show_reset - iptables -t nat -L -n -v + iptables -t nat -L $IPT_OPTIONS ;; tos|mangle) [ $# -gt 2 ] && usage 1 echo "Shorewall-$version TOS at $HOSTNAME - $(date)" echo show_reset - iptables -t mangle -L -n -v + iptables -t mangle -L $IPT_OPTIONS ;; log) [ $# -gt 2 ] && usage 1 @@ -748,10 +753,10 @@ case "$1" in show_reset if [ $# -gt 0 ]; then for chain in $*; do - iptables -L $chain -n -v + iptables -L $chain $IPT_OPTIONS done else - iptables -L -n -v + iptables -L $IPT_OPTIONS fi ;; esac @@ -775,17 +780,17 @@ case "$1" in echo show_reset host=$(echo $HOSTNAME | sed 's/\..*$//') - iptables -L -n -v + iptables -L $IPT_OPTIONS echo packet_log 20 echo echo "NAT Table" echo - iptables -t nat -L -n -v + iptables -t nat -L $IPT_OPTIONS echo echo "Mangle Table" echo - iptables -t mangle -L -n -v + iptables -t mangle -L $IPT_OPTIONS echo cat /proc/net/ip_conntrack ;; diff --git a/STABLE2/shorewall.conf b/STABLE2/shorewall.conf index 1e0bd1755..2530f0485 100644 --- a/STABLE2/shorewall.conf +++ b/STABLE2/shorewall.conf 
@@ -169,11 +169,29 @@ RFC1918_LOG_LEVEL=info # SMURF Log Level # # Specifies the logging level for smurf packets dropped by the -#'nosmurfs' interface option in /etc/shorewall/interfaces. If set to the empty -# value ( SMURF_LOG_LEVEL="" ) then dropped smurfs are not logged. +#'nosmurfs' interface option in /etc/shorewall/interfaces and in +# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL="" +# ) then dropped smurfs are not logged. + +# +# See the comment at the top of this section for a description of log levels +# SMURF_LOG_LEVEL=info +# +# BOGON Log Level +# +# Specifies the logging level for bogon packets dropped by the +#'nobogons' interface option in /etc/shorewall/interfaces and in +# /etc/shorewall/hosts. If set to the empty value +# ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop' +# in /usr/share/shorewall/bogons are logged at the 'info' level. +# +# See the comment at the top of this section for a description of log levels +# + +BOGON_LOG_LEVEL=info ################################################################################ # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ################################################################################ @@ -417,7 +435,7 @@ MUTEX_TIMEOUT=60 # established connection. # # If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not -# part of an already established connection, it will be dropped by the +# part of an already established connection will be dropped by the # firewall. The setting of LOGNEWNOTSYN above determines if these packets are # logged before they are dropped. # 
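Review bot: The empty-value semantics of the new BOGON_LOG_LEVEL contradict those of SMURF_LOG_LEVEL directly above it: an empty SMURF_LOG_LEVEL is documented to disable logging, while an empty BOGON_LOG_LEVEL is documented to log 'logdrop' entries at 'info'. An administrator who sets both to "" expecting silence will still get bogon log traffic, so the asymmetry should either be stated explicitly or the two options made consistent. If the behaviour is intended, add `# Note that, unlike SMURF_LOG_LEVEL, an empty value does NOT disable logging.` above `BOGON_LOG_LEVEL=info`; if it is not, the 'info' fallback sentence should be replaced with the same "not logged" wording used for smurfs.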
@@ -429,7 +447,9 @@ MUTEX_TIMEOUT=60 # also need to select NEWNOTSYN=Yes. # # The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis -# using the 'newnotsyn' option in /etc/shorewall/interfaces. +# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a +# network or host basis using the same option in /etc/shorewall/hosts. + # # I find that NEWNOTSYN=No tends to result in lots of "stuck" # connections because any network timeout during TCP session tear down @@ -524,6 +544,18 @@ MODULE_SUFFIX= # firewall system. This requires that you have ip6tables installed. DISABLE_IPV6=Yes + +# +# BRIDGING +# +# If you wish to control traffic through a bridge (see http://bridge.sf.net), +# then set BRIDGING=Yes. Your kernel must have the physdev match option +# enabled; that option is available at the above URL for 2.4 kernels and +# is included as a standard part of the 2.6 series kernels. If not +# specified or specified as empty (BRIDGING="") then "No" is assumed. +# + +BRIDGING=No ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################ @@ -534,6 +566,7 @@ DISABLE_IPV6=Yes # Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, # DROP is assumed. # + BLACKLIST_DISPOSITION=DROP # @@ -552,8 +585,9 @@ MACLIST_DISPOSITION=REJECT # # This variable determins the disposition of packets having an invalid # combination of TCP flags that are received on interfaces having the -# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified -# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed. +# 'tcpflags' option specified in /etc/shorewall/interfaces or in +# /etc/shorewall/hosts. If not specified or specified as empty +# (TCP_FLAGS_DISPOSITION="") then DROP is assumed. TCP_FLAGS_DISPOSITION=DROP 
diff --git a/STABLE2/shorewall.spec b/STABLE2/shorewall.spec index 6ff60c28d..dbf66a6bb 100644 --- a/STABLE2/shorewall.spec +++ b/STABLE2/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 2.0.0b +%define version 2.0.1 %define release 1 %define prefix /usr @@ -78,6 +78,7 @@ fi %attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces %attr(0600,root,root) %config(noreplace) /etc/shorewall/rules %attr(0600,root,root) %config(noreplace) /etc/shorewall/nat +%attr(0600,root,root) %config(noreplace) /etc/shorewall/netmap %attr(0600,root,root) %config(noreplace) /etc/shorewall/params %attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp %attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped @@ -133,14 +134,31 @@ fi %attr(0544,root,root) /usr/share/shorewall/firewall %attr(0544,root,root) /usr/share/shorewall/help %attr(0600,root,root) /usr/share/shorewall/rfc1918 +%attr(0600,root,root) /usr/share/shorewall/bogons %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog -* Sat Mar 20 2004 Tom Eastep -- Update for 2.0.0b +* Mon Apr 05 2004 Tom Eastep tom@shorewall.net +- Updated for 2.0.1-1 +* Thu Apr 02 2004 Tom Eastep tom@shorewall.net +- Updated for 2.0.1 RC5 +* Thu Apr 01 2004 Tom Eastep tom@shorewall.net +- Updated for 2.0.1 RC4 +* Sun Mar 28 2004 Tom Eastep tom@shorewall.net +- Updated for 2.0.1 RC3 +* Thu Mar 25 2004 Tom Eastep tom@shorewall.net +- Updated for 2.0.1 RC2 +* Wed Mar 24 2004 Tom Eastep tom@shorewall.net +- Updated for 2.0.1 RC1 +* Fri Mar 19 2004 Tom Eastep tom@shorewall.net +- Updated for 2.0.1 Beta 2 +* Thu Mar 18 2004 Tom Eastep tom@shorewall.net +- Added netmap file * Wed Mar 17 2004 Tom Eastep -- Update for 2.0.0a +- Update for 2.0.1 Beta 1 +* Wed Mar 17 2004 Tom Eastep +- Add bogons file * Sat Mar 13 2004 Tom Eastep - Update for 2.0.0 Final * Sat Mar 06 2004 Tom Eastep diff --git a/STABLE2/uninstall.sh b/STABLE2/uninstall.sh index cd5251bbc..a7a06e9cd 100755 
--- a/STABLE2/uninstall.sh +++ b/STABLE2/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=2.0.0b +VERSION=2.0.1 usage() # $1 = exit status { diff --git a/Shorewall-Website/Banner.html b/Shorewall-Website/Banner.html index a4fcd9ad8..b64ca2cce 100755 --- a/Shorewall-Website/Banner.html +++ b/Shorewall-Website/Banner.html @@ -1,11 +1,10 @@ - + Banner - + diff --git a/Shorewall-Website/News.htm b/Shorewall-Website/News.htm index b76ab6b2a..2196e304a 100644 --- a/Shorewall-Website/News.htm +++ b/Shorewall-Website/News.htm @@ -18,9 +18,235 @@ Texts. A copy of the license is included in the section entitled “GNU Free Documentation Licenseâ€.

-

2004-01-30
+

2004-04-05


+

3/14/2004 - Shorewall 2.0.0b 

+Corrects two problems:
+
    +
  1. Thanks to Sean Mathews, the long-standing problem with +Proxy ARP and IPSEC has been eliminated!
  2. +
  3. The default value of the ALL INTERFACES column in +/etc/shorewall/nat is documented as 'No' but the default continued to +be 'Yes' as it was in Shorewall 1.4.
    +
  4. +
+

3/14/2004 - Shorewall 2.0.0a 

+

Corrects one problem:
+

+
    +
  • Rules of the form:
    +
    +<action>     +zone1      zone2
    +
    +generated a warning stating that the rule was a policy.
    +
  • +
+

3/14/2004 - Shorewall 2.0.0
+

+

Dedicated to Agnes Van Slyke Eastep: March 14, 1910 - February +23, 2004
+

+

Problems Corrected since 1.4.10
+

+
    +
  1. A blank USER/GROUP column in /etc/shorewall/tcrules no +longer causes a [re]start error.
  2. +
  3. The 'fgrep' utility is no longer required (caused startup +problems on LEAF/Bering).
  4. +
  5. The "shorewall add" command no longer inserts rules before +checking of the blacklist.
  6. +
  7. The 'detectnets' and 'routeback' options may now be used +together with the intended effect.
  8. +
  9. The following syntax previously produced an error:
    +
    +DNAT  z1!z2,z3       z4...
    +
  10. +
+

Problems Corrected since RC2
+
+

+
    +
  1. CONTINUE rules now work again.
  2. +
  3. A comment in the rules file has been corrected.
    +
  4. +
+

Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0:
+

+
    +
  1. The 'dropunclean' and 'logunclean' interface options are no +longer supported. If either option is specified in +/etc/shorewall/interfaces, an threatening message will be generated.
  2. +
  3. The NAT_BEFORE_RULES option has been removed from +shorewall.conf. The behavior of Shorewall is as if NAT_BEFORE_RULES=No +had been specified. In other words, DNAT rules now always take +precidence over one-to-one NAT specifications.
  4. +
  5. The default value for the ALL INTERFACES column in +/etc/shorewall/nat has changed. In Shorewall 1.*, if the column was +left empty, a value of "Yes" was assumed. This has been changed so that +a value of "No" is now assumed.
  6. +
  7. The following files don't exist in Shorewall 2.0:
    +/etc/shorewall/common.def
    +/etc/shorewall/common
    +/etc/shorewall/icmpdef
    +/etc/shorewall/action.template (Moved to /usr/share/shorewall)
    +/etc/shorewall/rfc1918 (Moved to /usr/share/shorewall).
    +
    +The /etc/shorewall/action file now allows an action to be designated as +the "common" action for a particular policy type by following the +action name with ":" and the policy (DROP, REJECT or ACCEPT).
    +
    +The file /usr/share/shorewall/actions.std has been added to define +those actions that are released as part of Shorewall. In that file are +two actions as follows:
    +
    +    Drop:DROP
    +   Reject:REJECT
    +
    +The "Drop" action is the common action for DROP policies while the +"Reject" action is the default action for "REJECT" policies. These +actions will be performed on packets prior to applying the DROP or +REJECT policy respectively. In the first release, the difference +between "Reject" and "Drop" is that "Reject" REJECTs SMB traffic while +"Drop" silently drops such traffic.
    +
    +As described above, Shorewall allows a common action for ACCEPT +policies but does not specify such an action in the default +configuration.
    +
    +If for some reason, you don't wish to have a common DROP or REJECT +action, just include :DROP or :REJECT respectively in your +/etc/shorewall/actions file.
    +
    +The file /usr/share/shorewall/actions.std catalogs the standard actions +and is processed prior to /etc/shorewall/actions. This causes a large +number of actions to be defined. The files which define these aactions +are also located in /usr/share/shorewall as is the he action template +file (action.template).
    +
    +These actions may be used in the ACTION column of the rules column. So +for example, to allow FTP from your loc zone to your firewall, you +would place this rule in /etc/shorewall/rules:
    +
    +  #ACTION     +SOURCE       DEST
    +  AllowFTP     +loc             +      fw
    +
    +If you want to redefine any of the Shorewall-defined actions, simply +copy the appropriate action file from /usr/share/shorewall to +/etc/shorewall and modify the copy as desired. Your modified copy will +be used rather than the original one in /usr/share/shorewall.
    +
    +Note: The 'dropBcast' and 'dropNonSyn' actions are built into Shorewall +and may not be changed.
    +
    +Beginning with version 2.0.0-Beta2, Shorewall will only create a chain +for those actions that are actually used.
    +
    +
  8. +
  9. The /etc/shorewall directory no longer contains a 'users' +file or a 'usersets' file. Similar functionality is now available using +user-defined actions.
    +
    +Now, action files created by copying +/usr/share/shorewall/action.template may specify a USER and or GROUP +name/id in the final column just like in the rules file (see below). It +is thus possible to create actions that control traffic from a list of +users and/or groups.
    +
    +The last column in /etc/shorewall/rules is now labeled USER/GROUP and +may contain:
    +
    +    [!]<user number>[:]
    +    [!]<user name>[:]
    +    [!]:<group number>
    +    [!]:<group name>
    +    [!]<user number>:<group number>
    +    [!]<user number>:<group name>
    +    [!]<user name>:<group number>
    +    [!]<user name>:<group name>

    +
  10. +
  11. It is no longer possible to specify rate limiting in the +ACTION column of /etc/shorewall/rules -- you must use the RATE LIMIT +column.
    +
    +
  12. +
  13. Depending on which method you use to upgrade, if you have +your own version of /etc/shorewall/rfc1918, you may have to take +special action to restore it after the upgrade. Look for +/etc/shorewall/rfc1918*, locate the proper file and rename it back to +/etc/shorewall/rfc1918. The contents of that file will supercede the +contents of /usr/share/shorewall/rfc1918.
  14. +
+

New Features:
+

+
    +
  1. The INCLUDE directive now allows absolute file names.
  2. +
  3. A 'nosmurfs' interface option has been added to +/etc/shorewall/interfaces. When specified for an interface, this option +causes smurfs (packets with a broadcast address as their source) to be +dropped and optionally logged (based on the setting of a new +SMURF_LOG_LEVEL option in shorewall.conf).
  4. +
  5. fw->fw traffic may now be controlled by Shorewall. There +is no need to define the loopback interface in +/etc/shorewall/interfaces; you simply add a fw->fw policy and +fw->fw rules. If you have neither a fw->fw policy nor fw->fw +rules, all fw->fw traffic is allowed.
  6. +
  7. There is a new PERSISTENT column in the proxyarp file. A +value of "Yes" in this column means that the route added by Shorewall +for this host will remain after a "shorewall stop" or "shorewall clear".
  8. +
  9. "trace" is now a synonym for "debug" in /sbin/shorewall +commands. So to trace the "start" command, you could enter:
    +
    +shorewall trace start 2> /tmp/trace
    +
    +The trace information would be written to the file /tmp/trace.
    +
    +
  10. +
  11. When defining an ipsec tunnel in /etc/shorewall/tunnels, if +you follow the tunnel type ("ipsec" or "ipsecnet") with ":noah" (e.g., +"ipsec:noah"), then Shorewall will only create rules for ESP (protocol +50) and will not create rules for AH (protocol 51).
  12. +
  13. A new DISABLE_IPV6 option has been added to shorewall.conf. +When this option is set to "Yes", Shorewall will set the policy for the +IPv6 INPUT, OUTPUT and FORWARD chains to DROP during "shorewall +[re]start" and "shorewall stop". Regardless of the setting of this +variable, "shorewall clear" will silently attempt to set these policies +to ACCEPT.
    +
    +If this option is not set in your existing shorewall.conf then a +setting of DISABLE_IPV6=No is assumed in which case, Shorewall will not +touch any IPv6 settings except during "shorewall clear".
  14. +
  15. The CONTINUE target is now available in action definitions. +CONTINUE terminates processing of the current action and returns to the +point where that action was invoked.
  16. +
+

2/15/2004 - Shorewall 1.4.10c 

+

Corrects one problem:
+

+Entries in /etc/shorewall/tcrules with an empty USER/GROUP column would +cause a startup error. +

2/12/2004 - Shorewall 1.4.10b 

+

Corrects one problem:
+

+
    +
  • In the /etc/shorewall/masq entry “eth0:!10.1.1.150 +   0.0.0.0/0!10.1.0.0/16     10.1.2.16â€, the +“!10.1.0.0/16†is ignored.
  • +
+

2/8/2004 - Shorewall 1.4.10a 

+

Corrects two problems:
+

+
    +
  • A problem which can cause [re]start to fail inexplicably +while processing /etc/shorewall/masq.
  • +
  • Interfaces using the Atheros WiFi card to use the 'maclist' +option.
  • +

1/30/2004 - Shorewall 1.4.10

Problems Corrected since version 1.4.9

    diff --git a/Shorewall-Website/SeattleInTheSpring.html b/Shorewall-Website/SeattleInTheSpring.html index 31c8c8231..083f3936b 100755 --- a/Shorewall-Website/SeattleInTheSpring.html +++ b/Shorewall-Website/SeattleInTheSpring.html @@ -8,7 +8,6 @@ --+

    Visit Seattle in the Springtime!!!

    diff --git a/Shorewall-Website/Shorewall_index_frame.htm b/Shorewall-Website/Shorewall_index_frame.htm index 99bd80c23..0aba4cb76 100644 --- a/Shorewall-Website/Shorewall_index_frame.htm +++ b/Shorewall-Website/Shorewall_index_frame.htm @@ -7,54 +7,50 @@ - - - - - - -
    - -
    -

    Copyright © 2001-2004 Thomas -M. Eastep.
    -

    + +
    (Protected by Shorewall)
    + +

    Copyright © 2001-2004 Thomas +M. Eastep.
    +

    +


    diff --git a/Shorewall-Website/Shorewall_sfindex_frame.htm b/Shorewall-Website/Shorewall_sfindex_frame.htm index afeb12fa1..21f2a7c6c 100644 --- a/Shorewall-Website/Shorewall_sfindex_frame.htm +++ b/Shorewall-Website/Shorewall_sfindex_frame.htm @@ -37,11 +37,14 @@ Guides (HOWTOs)
    target="_top">Wiki)
  1. Useful Links
  2. -
  3. Things to try if it doesn't +
  4. Troubleshooting - Things to try if +it doesn't work
  5. Errata
  6. Upgrade Issues
  7. -
  8. Getting help or Answers to Questions
  9. +
  10. Support +- Getting help or Answers to Questions
  11. Mailing Lists
  12. @@ -66,7 +69,11 @@ Repository

    Copyright © 2001-2004 Thomas M. Eastep.

    +

    SourceForge Logo


    -
    +This site is hosted by the generous folks at SourceForge.net diff --git a/Shorewall-Website/download.htm b/Shorewall-Website/download.htm index e35c0682e..ba521d0f7 100644 --- a/Shorewall-Website/download.htm +++ b/Shorewall-Website/download.htm @@ -22,7 +22,7 @@ Texts. A copy of the license is included in the section entitled “GNU Free Documentation Licenseâ€.

    -

    2004-01-13
    +

    2004-03-01


    I strongly urge you to read and print a copy of the

    France Shorewall.net - Browse + Browse Browse diff --git a/Shorewall-Website/index.htm b/Shorewall-Website/index.htm index 802a2d853..9b848c332 100644 --- a/Shorewall-Website/index.htm +++ b/Shorewall-Website/index.htm @@ -3,6 +3,7 @@ Frameset//EN""http://www.w3.org/TR/html4/frameset.dtd"> Shoreline Firewall +
    -

    2004-01-28
    +

    2004-03-15


    Note

    @@ -52,7 +52,7 @@ allow HTML in list posts!!
    I think that blocking all HTML is a Draconian way to control spam and that the ultimate losers here are not the spammers but the list subscribers whose MTAs are bouncing all shorewall.net mail. As one list -subscriber wrote to me privately "These e-mail admin's need to get a (explitive +subscriber wrote to me privately "These e-mail admin's need to get a (expletive deleted) life instead of trying to rid the planet of HTML based e-mail". Nevertheless, to allow subscribers to receive list posts as must as possible, I have now @@ -61,6 +61,11 @@ outgoing posts. This means that HTML-only posts will be bounced by the list server.

    Note: The list server limits posts to 120kb.

    +

    Please don't hijack another poster's thread

    +On shorewall.net as elsewhere, it is considered very bad netiquette to +hijack another poster's thread by simply replying to a list post and +changing the subject to a different one. Please start a new thread when +you wish to introduce a new topic for discussion.

    Other Mail Delivery Problems

    If you find that you are missing an occasional list post, your e-mail admin may be blocking mail whose Received: headers contain the @@ -111,29 +116,12 @@ in your browser. If you don't wish to trust my certificates then you can either use unencrypted access when subscribing to Shorewall mailing lists or you can use secure access (SSL) and accept the server's certificate when prompted by your browser.
    -

    Shorewall Newbies Mailing List

    -This list provides a place where people who are new to Shorewall can -get questions answered and can receive help with problems.
    -

    Before posting -to this list, please see the problem -reporting guidelines.
    -

    -

    To subscribe: https//lists.shorewall.net/mailman/listinfo/shorewall-newbies

    -

    To post to the list, post to shorewall-newbies@lists.shorewall.net.
    -

    -

    The list archives are at http://lists.shorewall.net/pipermail/shorewall-newbies.

    Shorewall Users Mailing List

    The Shorewall Users Mailing list provides a way for users to get answers to questions and to report problems. Information of general interest to the Shorewall user community is also posted to this list.

    -

    The Shorewall author does not monitor this list.
    -

    Before posting to this list, please see the problem reporting guidelines.
    @@ -186,7 +174,19 @@ USE THIS LIST FOR REPORTING PROBLEMS OR ASKING FOR HELP.

    To post to the list, post to shorewall-devel@lists.shorewall.net

    The list archives are at http://lists.shorewall.net/pipermail/shorewall-devel.

    + href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel.
    +

    +

    Shorewall Newbies Mailing List (Closed)
    +

    +This list previously provided a place where people who are new to +Shorewall could +get questions answered and could receive help with problems. It proved +to be less that a success and has been discontinued.
    +

    To unsubscribe: https//lists.shorewall.net/mailman/listinfo/shorewall-newbies

    +

    The list archives are at http://lists.shorewall.net/pipermail/shorewall-newbies.

    How to Unsubscribe from one of the Mailing Lists

    There seems to be near-universal confusion about diff --git a/Shorewall-Website/seattlefirewall_index.htm b/Shorewall-Website/seattlefirewall_index.htm index e294bb2ac..97aae024b 100755 --- a/Shorewall-Website/seattlefirewall_index.htm +++ b/Shorewall-Website/seattlefirewall_index.htm @@ -3,7 +3,7 @@ - Shoreline Firewall (Shorewall) 1.4 + Shoreline Firewall (Shorewall) 2.0 @@ -14,18 +14,26 @@

    Introduction to Shorewall

    -

    This is the Shorewall 1.4 Web Site

    -The information on this site applies only to 1.4.x releases of +

    This is the Shorewall 2.0 Web Site

    +
    The information on this site +applies only to 2.0.x releases of Shorewall. For older versions:
    +

    Glossary

      -
    • Netfilter - the +
    • Netfilter +- the packet filter facility built into the 2.4 and later Linux kernels.
    • ipchains - the packet filter facility built into the 2.2 Linux kernels. Also the name of the utility program used to configure @@ -37,7 +45,8 @@ combination of iptables+Netfilter (with Netfilter not in ipchains compatibility mode).

    What is Shorewall?

    -The Shoreline Firewall, more commonly known as "Shorewall", is +
    The Shoreline Firewall, more +commonly known as "Shorewall", is high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of @@ -45,223 +54,196 @@ the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode -and can thus take advantage of Netfilter's connection state tracking -capabilities.
    +and can thus take advantage of Netfilter's connection +state tracking +capabilities.

    Shorewall is not a -daemon. Once Shorewall has configured Netfilter, it's job is complete -although the /sbin/shorewall +daemon. Once Shorewall has configured Netfilter, it's job is complete. +After that, there is no Shorewall code running although the /sbin/shorewall program can be used at any time to monitor the Netfilter firewall.
    +

    Getting Started with Shorewall

    -New to Shorewall? Start by selecting the QuickStart Guide that most +
    New to Shorewall? Start by +selecting the QuickStart Guide +that most closely match your environment and follow the step by step instructions.
    +

    Looking for Information?

    -The Documentation +
    The Documentation Index is a good place to start as is the Quick Search in the frame -above. -

    License

    -This program is free software; you can redistribute it and/or modify it -under the terms of Version -2 of the GNU General Public License as published by the Free -Software Foundation.
    -

    This program is distributed in the hope that it will be -useful, but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -General Public License for more detail.

    -

    You should have received a copy of the GNU General Public -License along with this program; if not, write to the Free Software -Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

    -Permission is granted to copy, distribute and/or modify this document -under the terms of the GNU Free Documentation License, Version 1.2 or -any later version published by the Free Software Foundation; with no -Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. -A copy of the license is included in the section entitled "GNU Free -Documentation License". -

    Copyright © 2001-2004 Thomas M. Eastep

    -

    Running Shorewall on Mandrake with a two-interface setup?

    -If so, the documentation on this site will not apply directly +above.
    +

    Running Shorewall on Mandrake® with a two-interface setup?

    +
    If so, the documentation on this +site will not apply directly to your setup. If you want to use the documentation that you find here, you will want to consider uninstalling what you have and installing a setup that matches the documentation on this site. See the Two-interface QuickStart Guide for details.
    +
    + Update: I've been +informed by Mandrake Development that this problem has been corrected +in Mandrake 10.0 Final (the problem still exists in the 10.0 Community +release).
    +
    +

    License

    +
    This program is free software; +you can redistribute it and/or modify it +under the terms of Version +2 of the GNU General Public License as published by the Free +Software Foundation.
    +
    +

    This program is distributed in the +hope that it will be +useful, but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more detail.

    +
    +

    You should have received a copy of +the GNU General Public +License along with this program; if not, write to the Free Software +Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

    +
    Permission is granted to copy, +distribute and/or modify this document +under the terms of the GNU Free Documentation License, Version 1.2 or +any later version published by the Free Software Foundation; with no +Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. +A copy of the license is included in the section entitled "GNU Free +Documentation License".
    +

    Copyright © 2001-2004 Thomas M. Eastep

    +

    News

    -

    1/30/2004 - Shorewall 1.4.10 (New)4/5/2004 - Shorewall 2.0.1 (New)

    -

    Problems Corrected since version 1.4.9

    + style="border: 0px solid ; width: 28px; height: 12px;" title="">

    +

    +Problems Corrected since 2.0.0
    +
      -
    1. The column descriptions in the action.template file did not -match the column headings. That has been corrected.
    2. -
    3. The presence of IPV6 addresses on devices generated error -messages during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes -are specified in /etc/shorewall/shorewall.conf. These messages have -been eliminated.
    4. -
    5. The CONTINUE action in /etc/shorewall/rules now works -correctly. A couple of problems involving rate limiting have been -corrected. These bug fixes courtesy of Steven Jan Springl.
    6. -
    7. Shorewall now tried to avoid sending an ICMP response to -broadcasts and smurfs.
    8. -
    9. Specifying "-" or "all" in the PROTO column of an action no -longer causes a startup error.
      -
      +
    10. Using actions in the manner recommended in the +documentation results in a Warning that the rule is a policy.
    11. +
    12. When a zone on a single interface is defined using +/etc/shorewall/hosts, superfluous rules are generated in the +<zone>_frwd chain.
    13. +
    14. Thanks to Sean Mathews, a long-standing problem with Proxy +ARP and IPSEC has been corrected. Thanks Sean!!!
    15. +
    16. The "shorewall show log" and "shorewall logwatch" commands +incorrectly displayed type 3 ICMP packets.
    -Migragion Issues:
    -
    -    None.
    +Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:

    +
      +
    1. The function of 'norfc1918' is now split between that +option and a new 'nobogons' option.
      +
      +The rfc1918 file released with Shorewall now contains entries for only +those three address ranges reserved by RFC 1918. A 'nobogons' interface +option has been added which handles bogon source addresses (those which +are reserved by the IANA, those reserved for DHCP auto-configuration +and the class C test-net reserved for testing and documentation +examples). This will allow users to perform RFC 1918 filtering without +having to deal with out of date data from IANA. Those who are willing +to update their /usr/share/shorewall/bogons file regularly can specify +the 'nobogons' option in addition to 'norfc1918'.
      +
      +The level at which bogon packets are logged is specified in the new +BOGON_LOG_LEVEL variable in shorewall.conf. If that option is not +specified or is specified as empty (e.g, BOGON_LOG_LEVEL="") then bogon +packets whose TARGET is 'logdrop' in /usr/share/shorewall/bogons are +logged at the 'info' level.
    2. +
    New Features:
    -
      -
    1. The INTERFACE column in the /etc/shorewall/masq file may -now specify a destination list.
      -
      -Example:
      -
      -    #INTERFACE        -    SUBNET        ADDRESS
      -    eth0:192.0.2.3,192.0.2.16/28    eth1
      -
      -If the list begins with "!" then SNAT will occur only if the -destination IP address is NOT included in the list.
      -
      -
    2. -
    3. Output traffic control rules (those with the firewall as -the source) may now be qualified by the effective userid and/or -effective group id of the program generating the output. This feature -is courtesy of  Frédéric LESPEZ.
      -
      -A new USER column has been added to /etc/shorewall/tcrules. It may -contain :
      -
      -      [<user name or number>]:[<group -name or number>]
      -
      -The colon is optionnal when specifying only a user.
      -
      -       Examples : john: / john / :users / -john:users
      -
      -
    4. -
    5. A "detectnets" interface option has been added for entries -in /etc/shorewall/interfaces. This option automatically taylors the -definition of the zone named in the ZONE column to include just  -those hosts that have routes through the interface named in the -INTERFACE column. The named interface must be UP when Shorewall is -[re]started.
      -
      - WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!
      -
    6. -
    -

    1/17/2004 - FAQ Wiki Available 

    -

    It has been asserted that the use of CVS for maintaining the -Shorewall documentation has been a barrier to community participation. -To test this theory, Alex Martin has -created a Wiki and with the help of Mike Noyes has populated the -Wiki with the Shorewall FAQ.
    -

    -

    1/13/2004 - Shorewall 1.4.9 

    -

    Problems Corrected since version 1.4.8:

    -
      -
    1. There has been a low continuing level of confusion over the -terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, -all instances of "Static NAT" have been replaced with "One-to-one NAT" -in the documentation and configuration files.
    2. -
    3. The description of NEWNOTSYN in shorewall.conf has been -reworded for clarity.
    4. -
    5. Wild-card rules (those involving "all" as SOURCE or DEST) -will no longer produce an error if they attempt to add a rule that -would override a NONE policy. The logic for expanding these wild-card -rules now simply skips those (SOURCE,DEST) pairs that have a NONE -policy.
    6. -
    7. DNAT rules that also specified SNAT now work reliably. -Previously, there were cases where the SNAT specification was -effectively ignored.
      -
    8. -
    -

    Migration Issues:

    -

        None.

    -New Features:

      -
    1. The documentation has been completely rebased to Docbook -XML. The documentation is now released as separate HTML and XML -packages.
      +
    2. Support for Bridging Firewalls has been added. For details, +see
      +
      +http://shorewall.net/bridge.html
      +
    3. -
    4. To cut down on the number of "Why are these ports closed -rather than stealthed?" questions, the SMB-related rules in -/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
    5. -
    6. For easier identification, packets logged under the -'norfc1918' interface option are now logged out of chains named -'rfc1918'. Previously, such packets were logged under chains named -'logdrop'.
    7. -
    8. Distributors and developers seem to be regularly inventing -new naming conventions for kernel modules. To avoid the need to change -Shorewall code for each new convention, the MODULE_SUFFIX option has -been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix -for module names in your particular distribution. If MODULE_SUFFIX is -not set in shorewall.conf, Shorewall will use the list "o gz ko o.gz".
      +
    9. Support for NETMAP has been added. NETMAP allows NAT to be +defined between two network:

      -To see what suffix is used by your distribution:
      +           +a.b.c.1    -> x.y.z.1
      +           +a.b.c.2    -> x.y.z.2
      +           +a.b.c.3    -> x.y.z.3
      +           ...

      -ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
      +   http://shorewall.net/netmap.htm

      -All of the files listed should have the same suffix (extension). Set -MODULE_SUFFIX to that suffix.
      -
      -Examples:
      -
      -     If all files end in ".kzo" then set -MODULE_SUFFIX="kzo"
      -     If all files end in ".kz.o" then set -MODULE_SUFFIX="kz.o"
    10. -
    11. Support for user defined rule ACTIONS has been implemented -through two new files:
      -
      -/etc/shorewall/actions - used to list the user-defined ACTIONS.
      -/etc/shorewall/action.template - For each user defined <action>, -copy this file to /etc/shorewall/action.<action> and add the -appropriate rules for that <action>. Once an <action> has -been defined, it may be used like any of the builtin ACTIONS (ACCEPT, -DROP, etc.) in /etc/shorewall/rules.
      -
      -Example: You want an action that logs a packet at the 'info' level and -accepts the connection.
      -
      -In /etc/shorewall/actions, you would add:
      -
      -     LogAndAccept
      -
      -You would then copy /etc/shorewall/action.template to -/etc/shorewall/action.LogAndAccept and in that file, you would add the -two -rules:
      -        LOG:info
      -        ACCEPT
    12. -
    13. The default value for NEWNOTSYN in shorewall.conf is now -"Yes" (non-syn TCP packets that are not part of an existing connection -are filtered according to the rules and policies rather than being -dropped). I have made this change for two reasons:
      +
    14. The /sbin/shorewall program now accepts a "-x" option to +cause iptables to print out the actual packet and byte counts rather +than abbreviated counts such as "13MB".

      -a) NEWNOTSYN=No tends to result in lots of "stuck" connections since -any timeout during TCP session tear down results in the firewall -dropping all of the retries.
      +Commands affected by this are:

      -b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in -lots of confusing messages when a connection got "stuck". While I could -have changed the default value of LOGNEWNOTSYN to suppress logging, I -dislike defaults that silently throw away packets.
    15. -
    16. The common.def file now contains an entry that silently -drops ICMP packets with a null source address. Ad Koster reported a -case where these were occuring frequently as a result of a broken -system on his external network.
      +            +shorewall -x show [ <chain>[ <chain> ...] ]
      +            +shorewall -x show tos|mangle
      +            +shorewall -x show nat
      +            +shorewall -x status
      +            +shorewall -x monitor [ <interval> ]
      +
      +
    17. +
    18. Shorewall now traps two common zone definition errors:
      +
        +
      • Including the firewall zone in a /etc/shorewall/hosts +record.
      • +
      • Defining an interface for a zone in both +/etc/shorewall/interfaces and /etc/shorewall/hosts.
        +
        +
      • +
      +
    19. +
    20. In the second case, the following will appear during +"shorewall [re]start" or "shorewall check":
      +
      +   Determining Hosts in Zones...
      +      ...
      +      Error: Invalid zone definition for zone +<name of zone>
      +   Terminated
      +
      +
    21. +
    22. To support bridging, the following options have been added +to entries in /etc/shorewall/hosts:
      +
      +           norfc1918
      +           nobogons
      +           blacklist
      +           tcpflags
      +           nosmurfs
      +           newnotsyn
      +
      +With the exception of 'newnotsyn', these options are only useful when +the entry refers to a bridge port.
      +
      +   Example:
      +
      +   #ZONE   HOST(S)      +OPTIONS
      +   net     +br0:eth0     +norfc1918,nobogons,blacklist,tcpflags,nosmurfs

    More News

    +

    (Leaf Logo)

    -

    Donations

    -

    (Starlight Logo)
    - Shorewall is free but if you try it and find it useful, -please consider making a donation to Starlight -Children's Foundation. Thanks!
    -

    +
    +

    Donations
    +

    +

    (Alzheimer's Association Logo)Shorewall is free but +if you +try it and find it useful, +please consider making a donation to the Alzheimer's Association. Thanks!

    -
    +
    -

    Updated 01/30/2004 - Tom Eastep
    +

    Updated 04/05/2004 - Tom Eastep

    diff --git a/Shorewall-Website/shoreline.htm b/Shorewall-Website/shoreline.htm
index b48265649..ff0308703 100644
--- a/Shorewall-Website/shoreline.htm
+++ b/Shorewall-Website/shoreline.htm
@@ -10,6 +10,13 @@

    Tom Eastep

    +Perfection in design is achieved not +when there is nothing left to add, but rather when there is nothing +left to take away.
    +
    +
     - Antoine de Saint-Exupery
    +
    +
    Copyright © 2001-2003 Thomas M. Eastep

    Permission is granted to copy, distribute and/or modify this @@ -30,16 +37,21 @@ Documentation Licenseâ€.


    @@ -53,7 +65,8 @@ Seattle Firewall. Expanding on what I learned from Seattle Firewall, I then designed and wrote Shorewall.

    I telework from our home -in Shoreline, Washington +in Shoreline, +Washington where I live with my wife Tarry. 

    @@ -61,7 +74,8 @@ I live with my wife Tarry. 

    For information about our home network see my Shorewall Configuration files.

    -

    All of our other systems are made by Compaq -(part of the new HP).

    +

    All of our other systems are made by Compaq +(part of the new HP).

    diff --git a/Shorewall-Website/sourceforge_index.htm b/Shorewall-Website/sourceforge_index.htm
index a547b9988..601aa9ab5 100644
--- a/Shorewall-Website/sourceforge_index.htm
+++ b/Shorewall-Website/sourceforge_index.htm
@@ -42,7 +42,9 @@ Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage -of Netfilter's connection state tracking capabilities. +of Netfilter's connection +state tracking capabilities.

    This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU @@ -75,6 +77,16 @@ Shorewall. For older versions:
    target="_top">here
    .
    +

    Read about

    +You can prepare +for 2.0 while you are still running Shorewall 1.4.
    +
    +The Shorewall 2.0.0 +RC2 is available!
    +
    +Here's the Shorewall +2.0.0 Documentation.

    Getting Started with Shorewall

    New to Shorewall? Start by selecting the QuickStart Guide that most @@ -85,16 +97,43 @@ The Documentation Index is a good place to start as is the Quick Search in the frame above.

    Running Shorewall on Mandrake with a two-interface setup?

    -If so, the documentation on this site will not apply +If so, the documentation on this site will not apply directly to your setup. If you want to use the documentation that you find here, you will want to consider uninstalling what you have and installing a setup that matches the documentation on this site. See the Two-interface QuickStart Guide for details.

    News

    -

    1/30/2004 - Shorewall 1.4.10 (New)2/15/2004 - Shorewall 1.4.10c (New)

    +

    Corrects one problem:
    +

    +Entries in /etc/shorewall/tcrules with an empty USER/GROUP column would +cause a startup error. +

    2/12/2004 - Shorewall 1.4.10b (New)

    +

    Corrects one problem:
    +

    +
      +
    • In the /etc/shorewall/masq entry “eth0:!10.1.1.150 +   0.0.0.0/0!10.1.0.0/16     10.1.2.16â€, the +“!10.1.0.0/16†is ignored.
    • +
    +

    2/8/2004 - Shorewall 1.4.10a (New)

    +

    Corrects two problems:
    +

    +
      +
    • A problem which can cause [re]start to fail inexplicably +while processing /etc/shorewall/masq.
    • +
    • Interfaces using the Atheros WiFi card to use the 'maclist' +option.
      +
    • +
    +

    1/30/2004 - Shorewall 1.4.10

    Problems Corrected since version 1.4.9

    1. The column descriptions in the action.template file did not @@ -143,7 +182,7 @@ contain :
            [<user name or number>]:[<group name or number>]

      -The colon is optionnal when specifying only a user.
      +The colon is optional when specifying only a user.

             Examples : john: / john / :users / john:users
      @@ -160,7 +199,7 @@ column. The named interface must be UP when Shorewall is [re]started.
       WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!   
    -

    1/17/2004 - FAQ Wiki Available 

    +

    1/17/2004 - FAQ Wiki Available 

    It has been asserted that the use of CVS for maintaining the Shorewall documentation has been a barrier to community participation. To test this theory, Alex Martin

More News

- -

-

(Leaf Logo) Jacques Nilo and Eric Wolzak have a LEAF @@ -290,39 +326,27 @@ Bering 1.2!!!

SourceForge Logo

- -

-

This site is hosted by the generous folks at SourceForge.net



Donations

- + (Alzheimer's Association Logo)Shorewall +is free but +if you try it and find it useful, +please consider making a donation to the Alzheimer's Association. Thanks!
+
+ - - - - - - -
-

Starlight Foundation Logo

-


- Shorewall is free but if you try it and find it -useful, please consider making a donation to Starlight -Children's Foundation. Thanks!

-
-

Updated 01/30/2004 - Tom +

Updated 03/08/2004 - Tom Eastep

diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml index 23ee41fc2..4c3b98d96 100644 --- a/Shorewall-docs2/Documentation.xml +++ b/Shorewall-docs2/Documentation.xml @@ -15,7 +15,7 @@ - 2004-02-15 + 2004-03-28 2001-2004 @@ -227,6 +227,16 @@ + + bogons + + + a parameter file in /usr/share/shorewall + used to define the treatment of packets under the nobogons interface option. + + + routestopped @@ -554,18 +564,15 @@ dmz DMZ Demilitarized zone Packets arriving on this interface and that have a - source address that is reserved in RFC 1918 or in other RFCs - will be dropped after being optionally logged. If packet mangling is enabled in - /etc/shorewall/shorewall.conf , - then packets arriving on this interface that have a - destination address that is reserved by one of these RFCs will - also be logged and dropped. + source or destination address that is reserved in RFC 1918 + will be dropped after being optionally logged. - Addresses blocked by the standard rfc1918 file include those addresses - reserved by RFC1918 plus other ranges reserved by the IANA or - by other RFCs. + Prior to Shorewall 2.0.1, addresses blocked by the + standard rfc1918 file include + those addresses reserved by RFC1918 plus other ranges reserved + by the IANA or by other RFCs. Beginning with Shorewall 2.0.1, + these additional addresses are covered by the nobogons option below. Beware that as IPv4 addresses become in increasingly short supply, ISPs are beginning to use RFC 1918 addresses @@ -579,6 +586,17 @@ dmz DMZ Demilitarized zone + + nobogons (Added in Shorewall 2.0.1) + + + Packets arriving on this interface that have a source + address reserved by the IANA or by other RFCs (other than + 1918) are dropped after being optionally logged. See the + /etc/shorewall/bogons file documentation below. + + + routefilter 
@@ -731,22 +749,32 @@ loc eth1 192.168.1.255,192.168.12.255 HOST(S) - The name of a network interface followed by a colon (:) - followed by a comma-separated list either: + The name of an interface defined in the /etc/shorewall/interfaces file followed + by a colon (":") and a comma-separated list whose elements + are either: - An IP address (example - eth1:192.168.1.3) + The IP address of a host - A subnet in CIDR notation (example - eth2:192.168.2.0/24) + A subnetwork in the form <subnet-address>/<mask + width> + + + + A physical port name (Shorewall version 2.0.1 and later); + only allowed when the interface names a bridge created by the + brctl addbr command. This port must not be + defined in /etc/shorewall/interfaces and + may optionally followed by a colon (":") and a host or + network IP. See the bridging + documentation for details. - The interface name much match an entry in - /etc/shorewall/interfaces. - If you are running a version of Shorewall earlier than 1.4.6, only a single host/subnet address may be specified in an 
@@ -782,6 +810,69 @@ loc eth1 192.168.1.255,192.168.12.255 This option is only valid for ethernet interfaces. + + + tcpflags (Added in Shorewall 2.0.1) + + + (added in version 1.3.11) - This option causes Shorewall + to make sanity checks on the header flags in TCP packets + arriving from these hosts. Checks include Null flags, SYN+FIN, + SYN+RST and FIN+URG+PSH; these flag combinations are typically + used for silent port scans. Packets failing + these checks are logged according to the TCP_FLAGS_LOG_LEVEL + option in and are disposed of + according to the TCP_FLAGS_DISPOSITION option. + + + + + blacklist (Added in Shorewall 2.0.1 -- only makes sense + for bridge ports) + + + This option causes incoming packets on this port to be + checked against the blacklist. + + + + + norfc1918 (Added in Shorewall 2.0.1 -- only makes sense + for bridge ports) + + + Packets arriving on this port and that have a source + address that is reserved in RFC 1918 will be dropped after + being optionally logged as specified in the settion of + RFC1918_LOG_LEVEL in shorewall.conf. + + + + + nobogons (Added in Shorewall 2.0.1 -- only makes sense for + bridge ports) + + + Packets arriving on this port that have a source address + reserved by the IANA or by other RFCs (other than 1918) are + dropped after being optionally logged. See the + /etc/shorewall/bogons file documentation below. + + + + + nosmurfs (Added in Shorewall 2.0.1 -- only makes sense for + bridge ports) + + + If this option is specified, incoming connection + requests will be checked to ensure that they do not have a + broadcast or multicast address as their source. Any such + packets will be dropped after being optionally logged + according to the setting of SMURF_LOG_LEVEL in /etc/shorewall/shorewall.conf. + + 
@@ -2138,6 +2229,15 @@ eth0 192.168.12.0/24 206.124.146.177,206.124.146.179This file is used to set the following firewall parameters: + + BRIDGING + + + (Added at version 2.0.1) - When set to Yes or yes, enables + Shorewall Bridging support. + + + SMURF_LOG_LEVEL @@ -2272,6 +2372,18 @@ eth0 192.168.12.0/24 206.124.146.177,206.124.146.179 + + BOGON_LOG_LEVEL + + + (Added at version 2.0.1) - This parameter determines the level + at which packets logged under the nobogons + mechanism are logged. The value must be a valid syslog level and if no level is + given, then info is assumed. + + + TCP_FLAGS_DISPOSITION @@ -2455,7 +2567,17 @@ eth0 192.168.12.0/24 206.124.146.177,206.124.146.179 - LOGRATE=10/minute LOGBURST=5 + LOGRATE=10/minute +LOGBURST=5 + + For each logging rule, the first time the rule is reached, + the packet will be logged; in fact, since the burst is 5, the + first five packets will be logged. After this, it will be 6 + seconds (1 minute divided by the rate of 10) before a message will + be logged from the rule, regardless of how many packets reach it. + Also, every 6 seconds which passes without matching a packet, one + of the bursts will be regained; if no packets hit the rule for 30 + seconds, the burst will be fully recharged; back where we started. @@ -2907,6 +3029,116 @@ all all tcp ftp-data - 8 +
+ /usr/share//shorewall/bogons — Added in Version 2.0.1 + + This file lists the subnets affected by the nobogons interface option and nobogons hosts option. Columns in the file are: + + + + SUBNET + + + The subnet using VLSM notation (e.g., 192.168.0.0/16). + + + + + TARGET + + + What to do with packets to/from the SUBNET: + + + + RETURN + + + Process the packet normally thru the rules and policies. + + + + + DROP + + + Silently drop the packet. + + + + + logdrop + + + Log then drop the packet -- see the BOGONS_LOG_LEVEL + parameter above. + + + + + + + + If you want to modify this file, DO NOT MODIFY /usr/share/shorewall/bogons. + Rather copy that file to /etc/shorewall/bogons and + modify the copy. +
+ +
+ /etc/shorewall/netmap (Added in Version 2.0.1) + + Network mapping is defined using the /etc/shorewall/netmap + file. Columns in this file are: + + + + TYPE + + + Must be DNAT or SNAT. + + If DNAT, traffic entering INTERFACE and addressed to NET1 has + it's destination address rewritten to the corresponding address + in NET2. + + If SNAT, traffic leaving INTERFACE with a source address in + NET1 has it's source address rewritten to the corresponding + address in NET2. + + + + + NET1 + + + Must be expressed in CIDR format (e.g., 192.168.1.0/24). + + + + + INTERFACE + + + A firewall interface. This interface must have been defined in + /etc/shorewall/interfaces. + + + + + NET2 + + + A second network expressed in CIDR format. + + + + + For more information, see the Network + Mapping documentation. +
+
/etc/shorewall/routestopped (Added in Version 1.3.4) @@ -2968,7 +3200,8 @@ eth1 - Revision History - 1.152004-02-16TEMove + 1.162004-03-17TEClarified + LOGBURST and LOGLIMIT.1.152004-02-16TEMove the rfc1918 file to /usr/share/shorewall.1.142004-02-13TEAdd a note about the order of rules.1.132004-02-03TEUpdate for Shorewall 2.0.1.122004-01-21TEAdd diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml index 6536d10a8..90e80114b 100644 --- a/Shorewall-docs2/Documentation_Index.xml +++ b/Shorewall-docs2/Documentation_Index.xml @@ -15,7 +15,7 @@ - 2004-02-15 + 2004-03-28 2001-2004 @@ -23,7 +23,7 @@ Thomas M. Eastep - 2.0.0-Beta1 + 2.0.1 Permission is granted to copy, distribute and/or modify this @@ -40,10 +40,11 @@ url="http://www.mandrakesoft.com">Mandrake Linux with a two-interface setup? - If so, this documentation will not apply directly to your - environment. If you want to use the documentation that you find here, you - will want to consider uninstalling what you have and installing a - configuration that matches this documentation. See the If so and if you configured your system while running a Mandrake + release earlier than 10.0 final then this documentation will not apply + directly to your environment. If you want to use the documentation that + you find here, you will want to consider uninstalling what you have and + installing a configuration that matches this documentation. See the Two-interface QuickStart Guide for details. @@ -91,6 +92,10 @@ + + Bridge/Firewall + + Commands (Description of all /sbin/shorewall commands) @@ -138,7 +143,9 @@ url="Accounting.html">accountingusersets and usersmaclistactions and action.template + url="User_defined_Actions.html">actions and action.templatebogonsnetmap @@ -228,6 +235,10 @@ Netfilter Overview + + Network Mapping + + One-to-one NAT (Formerly referred to as Static NAT) diff --git a/Shorewall-docs2/IPSEC.xml b/Shorewall-docs2/IPSEC.xml index 09c651130..52e4423f2 100644 
--- a/Shorewall-docs2/IPSEC.xml +++ b/Shorewall-docs2/IPSEC.xml @@ -15,7 +15,7 @@ - 2004-01-22 + 2004-03-20 2001-2004 @@ -52,24 +52,9 @@ configuring FreeS/Wan. - Do not use Proxy ARP and FreeS/Wan on the same system unless you - are prepared to suffer the consequences. If you start or restart - Shorewall with an IPSEC tunnel active, the proxied IP addresses are - mistakenly assigned to the IPSEC tunnel device (ipsecX) rather than to - the interface that you specify in the INTERFACE column of - /etc/shorewall/proxyarp. I haven't had the time to debug this - problem so I can't say if it is a bug in the Kernel or in FreeS/Wan. - - You might be able to work around - this problem using the following (I haven't tried it): - - In /etc/shorewall/init, include: - - qt service ipsec stop - - In /etc/shorewall/start, include: - - qt service ipsec start + IPSEC and Proxy ARP do not work unless you are running Shorewall + 2.0.1 Beta 3 or later or unless you have installed the fix to Shorewall + 2.0.0 available from the Errata Page. diff --git a/Shorewall-docs2/MAC_Validation.xml b/Shorewall-docs2/MAC_Validation.xml index 39150e581..1961520c2 100644 --- a/Shorewall-docs2/MAC_Validation.xml +++ b/Shorewall-docs2/MAC_Validation.xml @@ -15,7 +15,7 @@ - 2004-01-06 + 2004-04-05 2001-2004 @@ -38,7 +38,7 @@ MAC address may be optionally associated with one or more IP addresses. - MAC addresses are only visible within a + MAC addresses are only visible within an ethernet segment so all MAC addresses used in verification must belong to devices physically connected to one of the LANs to which your firewall is connected. diff --git a/Shorewall-docs2/Shorewall_Doesnt.xml b/Shorewall-docs2/Shorewall_Doesnt.xml index 3acdb13ff..aa7b2a735 100644 --- a/Shorewall-docs2/Shorewall_Doesnt.xml +++ b/Shorewall-docs2/Shorewall_Doesnt.xml @@ -13,7 +13,7 @@ Eastep - 2004-03-05 + 2004-03-18 2003 
@@ -37,12 +37,6 @@ Shorewall Cannot: - - Be used to filter traffic through a Layer 2 Bridge (although - experimental Shorewall Bridge code is available — check here for details). - - Act as a Personal Firewall that allows internet access by application. @@ -80,7 +74,8 @@ Shorewall does not contain any support for Netfilter Patch-O-Matic - features -- Shorewall only supports features from released kernels. + features or any other features that require kernel patching -- + Shorewall only supports features from released kernels.
diff --git a/Shorewall-docs2/Shorewall_Squid_Usage.xml b/Shorewall-docs2/Shorewall_Squid_Usage.xml index a9d52c482..401fc5bdb 100644 --- a/Shorewall-docs2/Shorewall_Squid_Usage.xml +++ b/Shorewall-docs2/Shorewall_Squid_Usage.xml @@ -15,7 +15,7 @@ - 2004-02-04 + 2004-03-29 2003-2004 @@ -51,8 +51,8 @@ In all cases, Squid should be configured to run as a transrent - proxy as described at - http://tldp.org/HOWTO/mini/TransparentProxy.html. + proxy as described at http://tldp.org/HOWTO/mini/TransparentProxy.html. diff --git a/Shorewall-docs2/User_defined_Actions.xml b/Shorewall-docs2/User_defined_Actions.xml index edc305003..534a9b58a 100755 --- a/Shorewall-docs2/User_defined_Actions.xml +++ b/Shorewall-docs2/User_defined_Actions.xml @@ -15,7 +15,7 @@ - 2004-03-10 + 2004-03-25 2003 @@ -230,6 +230,8 @@ + Omitted column entries should be entered using a dash ("-:). + Example: /etc/shorewall/actions: diff --git a/Shorewall-docs2/bridge.xml b/Shorewall-docs2/bridge.xml index c7060d734..36022d12b 100755 --- a/Shorewall-docs2/bridge.xml +++ b/Shorewall-docs2/bridge.xml @@ -15,7 +15,7 @@ - 2004-03-06 + 2004-04-05 2004 @@ -68,20 +68,19 @@
Requirements - In order to use Shorewall with a bridging firewall, your kernel must - meet the following requirements: + In order to use Shorewall with a bridging firewall: - It must contain bridge support (CONFIG_BRIDGE=m or + Your kernel must contain bridge support (CONFIG_BRIDGE=m or CONFIG_BRIDGE=y). - It must contain Netfilter physdev match support + Your kernel must contain Netfilter physdev match support (CONFIG_IP_NF_MATCH_PHYSDEV=m or CONFIG_IP_NF_MATCH_PHYSDEV=y). - Physdev match is available in the 2.6 kernel series but must be - patched into the 2.4 kernels (see http://bridge.sf.net). + Physdev match is standard in the 2.6 kernel series but must be patched + into the 2.4 kernels (see http://bridge.sf.net). @@ -93,11 +92,11 @@ You must have the bridge utilities (bridge-utils) package installed. - - You must also be running Shorewall 2.0.1 or later (users running - Shorewall 2.0.0-RC* or Shorewall-2.0.0 may find the necessary updated - files at http://shorewall.net/pub/shorewall/Bridging). + + You must be running Shorewall 2.0.1 Beta 1 or later. + +
@@ -145,7 +144,9 @@ There are other possibilities here -- there could be a hub or switch between the router and the Bridge/Firewall and there could be other systems connected to that switch. All of the systems on the local side of - the router would still be configured with IP addresses in 192.168.1.0/24. + the router would still be configured with + IP addresses in 192.168.1.0/24 as shown below.
@@ -160,11 +161,13 @@ configuration tools and the network configuration GUIs don't detect the presence of bridge devices. You may refer to my configuration files - for an example of configuring a bridge at system boot under + for an example of configuring a three-port bridge at system boot under SuSE. Here is an excerpt from a Debian - /etc/network/interfaces file for a bridge: + /etc/network/interfaces file for a two-port bridge + with a static IP address: - auto br0 +
+ auto br0 iface br0 inet static address 192.168.1.253 netmask 255.255.255.0 @@ -174,14 +177,68 @@ iface br0 inet static pre-up /sbin/ip link set eth1 up pre-up /usr/sbin/brctl addbr br0 pre-up /usr/sbin/brctl addif br0 eth0 - pre-up /usr/sbin/brctl addif br0 eth1 -gateway:/etc/network# + pre-up /usr/sbin/brctl addif br0 eth1 +
While it is not a requirement to give the bridge an IP address, doing so allows the bridge/firewall to access other systems and allows the - bridge/firewall to be managed remotely. I have not tested Shorewall with a - bridge configured without an IP address so if you try it and it - doesn't work do not be surprised. + bridge/firewall to be managed remotely. The bridge must also have an IP + address for REJECT rules and policies to work correctly — otherwise REJECT + behaves the same as DROP. + + The bridge may have its IP address assigned via DHCP. Here's an + example of an /etc/sysconfig/network/ifcfg-br0 file from a + SuSE system: + +
+ BOOTPROTO='dhcp' +REMOTE_IPADDR='' +STARTMODE='onboot' +UNIQUE='3hqH.MjuOqWfSZ+C' +WIRELESS='no' +MTU='' +
+ + Here's an /etc/sysconfig/network-scripts/ifcfg-br0 file for a + Mandrake system: + +
+ DEVICE=br0 +BOOTPROTO=dhcp +ONBOOT=yes +
+ + On both the SuSE and Mandrake systems, a separate script is required + to configure the bridge itself (again see my + configuration files for an example - /etc/init.d/bridge). + + Axel Westerhold has contributed this example of configuring a bridge + with a static IP address on a Fedora System (Core 1 and Core 2 Test 1). + Note that these files also configure the bridge itself so there is no need + for a separate bridge config script. + +
+ /etc/sysconfig/network-scripts/ifcfg-br0: + + DEVICE=br0 +TYPE=Bridge +IPADDR=192.168.50.14 +NETMASK=255.255.255.0 +ONBOOT=yes + + /etc/sysconfig/network-scripts/ifcfg-eth0:DEVICE=eth0 +TYPE=ETHER +BRIDGE=br0 +ONBOOT=yes/etc/sysconfig/network-scripts/ifcfg-eth1:DEVICE=eth1 +TYPE=ETHER +BRIDGE=br0 +ONBOOT=yes +
+ + Users who successfully configure bridges on other distributions, + with static or dynamic IP addresses, are encouraged to send me their configuration so I + can post it here.
@@ -260,7 +317,7 @@ br0 192.168.1.0/24 routeback The /etc/shorewall/interfaces file is as follows:#ZONE INTERFACE BROADCAST OPTIONS -- br0 detect rfc1918,routefilter +- br0 detect routefilter loc eth1 detect @@ -277,7 +334,7 @@ dmz br0:eth2
Limitations - Bridging doesn' t work with some wireless cards — see Bridging doesn' t work with wireless cards — see http://bridge.sf.net.
\ No newline at end of file diff --git a/Shorewall-docs2/configuration_file_basics.xml b/Shorewall-docs2/configuration_file_basics.xml index ba0e5bf54..272005a22 100644 --- a/Shorewall-docs2/configuration_file_basics.xml +++ b/Shorewall-docs2/configuration_file_basics.xml @@ -15,7 +15,7 @@ - 2004-02-20 + 2004-04-03 2001-2004 @@ -82,7 +82,15 @@ your own actions for rules in /etc/shorewall/rules (shorewall 1.4.9 and later)./usr/share/shorewall/actions.std - Actions defined by Shorewall./usr/share/shorewall/actions.* - - Details of actions defined by Shorewall. + - Details of actions defined by Shorewall./usr/share/rfc1918 + — Defines the behavior of the 'norfc1918' interface option in + /etc/shorewall/interfaces. If + you need to change this file, copy it to /etc/shorewall + and modify the copy./usr/share/bogons + — Defines the behavior of the 'nobogons' interface option in + /etc/shorewall/interfaces. If + you need to change this file, copy it to /etc/shorewall + and modify the copy.
diff --git a/Shorewall-docs2/errata.xml b/Shorewall-docs2/errata.xml index 833613970..0d15d66df 100644 --- a/Shorewall-docs2/errata.xml +++ b/Shorewall-docs2/errata.xml @@ -13,7 +13,7 @@ - 2004-03-15 + 2004-03-20 2001-2004 @@ -67,7 +67,12 @@ Here is the most up to date version of the rfc1918 file. + url="Documentation.htm#rfc1918">rfc1918 file. This file only + applies to Shorewall version 2.0.0 and its bugfix updates. In Shorewall + 2.0.1 and later releases, the bogons file lists IP + ranges that are reserved by the IANA and the rfc1918 + file only lists those three ranges that are reserved by RFC 1918.
@@ -81,12 +86,20 @@ When using an Action in the ACTIONS column of a rule, you may receive a warning message about the rule being a policy. While this warning may be safely ignored, it can be eliminated by installing - this - corrected firewall script in /usr/share/shorewall as - described above. + the script from the link below. + + + + Thanks to Sean Mathews, a long-standing problem with Proxy ARP + and IPSEC has been corrected. + + The first problem has been corrected in Shorewall update 2.0.0a. + + All of these problems may be corrected by installing this + firewall script in /usr/share/shorewall as described above.
@@ -230,7 +243,9 @@ Aborted (core dumped) Revision History4 - 1.52004-02-03TEUpdate + 1.62004-03-20TEProxy + ARP/IPSEC fix.1.62004-03-17TEAction + rules are reported as policies.1.52004-02-03TEUpdate for Shorewall 2.0.0.1.42004-01-19TEIPV6 address problems. Make RFC1918 file section more prominent.1.32004-01-14TEConfusing template file in 1.4.91.32004-01-03TEAdded diff --git a/Shorewall-docs2/images/bridge.png b/Shorewall-docs2/images/bridge.png index 9bfb09386..72c0461e2 100755 Binary files a/Shorewall-docs2/images/bridge.png and b/Shorewall-docs2/images/bridge.png differ diff --git a/Shorewall-docs2/images/bridge.vdx b/Shorewall-docs2/images/bridge.vdx index 77b30ca12..c90376126 100755 --- a/Shorewall-docs2/images/bridge.vdx +++ b/Shorewall-docs2/images/bridge.vdx @@ -1,5 +1,5 @@ - + @@ -641,7 +641,7 @@ AD/AAD/AAD/AAD/AAD/AACfAFRgVP//////////////////////////////////////////////// D/AAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAB/AAD/AAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AADfAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAA AAD/AAAAAAD/AAAAAAD/AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A -AD/AAD/AAD/AAD/AACfAAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AA +AD/AAD/AAD/AAD/AAC/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AA D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB /AAD/AAB/AAD/AAB/AAD/AAB/AAD/AADvAAD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP////// ///////////////////////////////////////////////////////////////////////////// 
@@ -656,7 +656,7 @@ AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AADnAAD/AAC/AAD/AAC/AAD/AAC/AAD/A AC/AAD/AAC/AAD/AAC/AAD/AAC/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA D/AAD/AAD/AAC/AAD/AAC/AAD/AAC/AAD/AAC/AAD/AAC/AAD/AAC/AAD/AAC/AAD/AADPAAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD/AAAAAAD/ -AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AADfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A +AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AACfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A AD/AAD/AAD/AAAg AAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAD/AAD/AAD/AAD/A AD/AAD/AAD/AACfAFRgVP//////////////////////////////////////////////////////// @@ -671,7 +671,7 @@ AD/AAD/AAD/AACfAFRgVP//////////////////////////////////////////////////////// MYAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIDAgDfAAD/AAD/AAD/AAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAASpBAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A -AD/AAD/AACfAAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAD/AA +AD/AAD/AAC/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAD/AA D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB /AAD/AAB/AAD/AAB/AAD/AADvAAD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP////////////// ///////////////////////////////////////////////////////////////////////////// 
@@ -685,8 +685,8 @@ D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB/AAD/AAB AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAMKAwUGBQ4QDhEUEQkKCQAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAkKCRMzEwDfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA D/AAArAAMDAw0PDREUEQ0PDQICAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAUFBR8zHwS1BAD/AAD/AAD -/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AADvAAYrBgoi -CgoiCgoiCgkhCQC1AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A +/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAVLBQoi +CgoiCgoiCgoiCgZ1BgD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A AD/AADRAAAUAAAQAAAQAAAQAAAQAAAQAAAQAAAQAAAQAAAQAAAQAAAQAAAQAAOIAwD/AAD/AAD/AA D/AAD/AAD/AAD/AAD/AACfAFRgVP///////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// @@ -700,7 +700,7 @@ D/AAD/AAD/AAD/AAD/AACfAFRgVP///////////////////////////////////////////////// /AAD/AAMPA2xsbMDAwMDAwC0tLQBAAAAAAAAAAAwMDDAwMDAwMDAwMBISEgwMDE1NTQB/AAD/AAD/ AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAA/ADAwMMDAwMDAwGFhYQBIAAAIAAAAA AYGBjAwMDAwMDAwMBgYGAAAAGVlZQo6CgD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA -D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACPAAMFA0hISEhISEhISCQkJAwYDADPAAD/AAD/AAD/AAD +D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAEhISEhISEhISDY2NgsSCwmZCQD/AAD/AAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACPAAQKBB+FH1haWkJCQlZWVlhYWFhY WFpaWltbW11dXV5eXl9fXzAwMBEdEQS1BAD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP/////// ///////////////////////////////////////////////////////////////////////////// 
@@ -715,8 +715,8 @@ AD/AAD/AAD/AAD/ AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAMPA4SEhMDAwMDAwCszKwDPAABIAABAAAA/AAAYAAAAA AAAAAAAAAwMDE1NTQB/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAA/AE ZGRsDAwMDAwGVlZQC/AABQAABQAAAyAAA4AAAAAAAAAAAAAAAAAGVlZQo6CgD/AAD/AAD/AAD/AAD -/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACPAAkNCcDAwMDAwMDA -wGBgYEhISAoZCgDvAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACLA +/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAMDAwMDAwMDA +wJCQkCIuIhwuHAC/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACLA AEBAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADo6OgIGAgD/AAD/AAD/AAD/AA D/AAD/AAD/AACfAFRgVP///////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// @@ -730,7 +730,7 @@ D/AAD/AAD/AACfAFRgVP///////////////////////////////////////////////////////// TA0ZHb2Nqbic0JwoNCgBAAAAgAAAgAAAAAAAAAAAAAAAAAAAAAAwNDE1NTQB/AAD/AAD/AAD/AAD/ AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAA/AC4wOmJniig0KBYdFgAwAAAQAAAwAAAAAAAAA AAAAAAAAAAAAAUFBWlpaQo6CgD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA -D/AAD/AAD/AAD/AAD/AAD/AACPAAkNCcDAwLm5ucDAwGBgYE1NTQwYDADfAAD/AAD/AAD/AAD/AAD +D/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAMDAwMDAwMDAwJCQkCIuIjM/MwCfAAD/AAD/AAD/AAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AADvAAMJAxEUEQwPDBAREBERERQUFBUVFRUVFRUV FRUVFRQUFBQUFBkZGXacdgAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP/////////////// ///////////////////////////////////////////////////////////////////////////// 
@@ -744,8 +744,8 @@ FRUVFRQUFBQUFBkZGXacdgAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP/////////////// AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AADKABMoEwMDAwAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAB8fH3N/c0NUQwB/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD /AADgABAuEAkJCQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABEREWpval6IXgo6CgD/AAD/AAD/ -AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACPAAkMCZCQk -JSUlJCQkFRUVE1NTQwYDADfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA +AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAJCQk +JCQkJCQkHV1dSIuIjM/MwCfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA D/AAD/AAECARwcHCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJB4oHgYGBj1CPQIHAgD/AAD/AAD /AAD/AAD/AAD/AAD/AACfAFRgVP////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// @@ -759,7 +759,7 @@ D/AAD/AAECARwcHCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJB4oHgYGBj1CPQIHAgD/AAD/AAD AAD/AAD/AAC1AAIDAmBgYGBgYGBgYGBgYGBgYGBgYGBgYF1hXR8tHwMDAwAAAAAAAACvAAD/AAD/A AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AADvAAAAAGBgYGBgYGBgYGBgYGBgYG BgYGBgYGBgYCo6KgUGBQAAAAAAAApsCgD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD -/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACPAAQFBBAQEBoaGhcXFw0NDU1NTQwYDADfAAD/AAD/AAD/ +/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAsLCxkZGRoaGgQEBB8qHzM/MwCfAAD/AAD/AAD/ AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAEEAZOTk8DAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwBIZEkNDQwdzBwD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP//////// ///////////////////////////////////////////////////////////////////////////// 
@@ -774,8 +774,8 @@ MDAwMDAwMDAwMDAwMDAwBIZEkNDQwdzBwD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP//////// AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AADDAAIDAqenp++dne+dne+dne+dne+dne+dndvb20 BDQAYGBgA/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD /AAAAAKioqO+dne+dne+dne+dne+dne+dndvb22BgYA4ODgMPAwD/AAD/AAD/AAD/AAD/AAD/AAD/ -AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACPAAMEAwAAAAAAAAAAA -AcHB01NTQwYDADfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA +AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAYGBgAAAAAAA +A4ODh4oHjM/MwCfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA EEAZOTk++bm/+Pj/+Pj/+Pj/+Pj/+Pj/+Pj/+Pj/eVlcDAwBIZEkNDQwl5CQD/AAD/AAD/AAD/AAD /AAD/AAD/AACfAFRgVP////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// @@ -789,7 +789,7 @@ EEAZOTk++bm/+Pj/+Pj/+Pj/+Pj/+Pj/+Pj/+Pj/eVlcDAwBIZEkNDQwl5CQD/AAD/AAD/AAD/AAD AADDAAIDAqenp/+mpv+mpv+mpv+mpv+mpv+YmM/Pz0BDQAgICAE4AQD/AAD/AAD/AAD/AAD/AAD/A AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAKioqP+mpv+mpv+mpv+mpv+mpv+fn8 /Pz2BgYA4ODgMPAwD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD -/AAD/AAD/AAD/AAD/AAD/AACPAAMEAwAAAAAAAAAAAAcHB01NTQwYDADfAAD/AAD/AAD/AAD/AAD/ +/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAYGBgAAAAAAAA4ODh4oHjM/MwCfAAD/AAD/AAD/AAD/AAD/ AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAEEAZOTk++srP+lpf+lpf+lpf+lpf+lpf+lp f+amveVlcDAwBIZEkNDQwl5CQD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP//////////////// ///////////////////////////////////////////////////////////////////////////// 
@@ -803,8 +803,8 @@ f+amveVlcDAwBIZEkNDQwl5CQD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP//////////////// D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AADDAAIDAqenp//Bwf/Bwf/Bwf+6uv+srP+ YmMDAwEBDQCYmJgEFAQD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/ AAD/AAD/AAAAAKioqP/Bwf/Bwf/Bwf/Bwf+srP+fn8DAwGBgYCMjIwABAADvAAD/AAD/AAD/AAD/A -AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACPAAMEAwAAAA -AAAAAAAAYGBk1NTQwYDADfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD +AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAMDAw +AAAAAAAAoKCh4oHjM/MwCfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD /AAD/AAEEAZOTk++8vP+6uv+6uv+6uv+6uv+1tf+qqv+amveVlcDAwBIZEmVlZQs5CwD/AAD/AAD/ AAD/AAD/AAD/AAD/AACfAFRgVP/////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// @@ -818,7 +818,7 @@ AAD/AAD/AAD/AAD/AACfAFRgVP/////////////////////////////////////////////////// AD/AAD/AADDAAIDAqenp//W1v/W1v/Pz/+6uv+srP+YmLW1tUBDQDw8PAAAAAD/AAD/AAD/AAD/AA D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAKioqP/W1v/W1v/Pz//Bwf+ srP+fn7W1tWBgYCYmJgIDAgDDAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/ -AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACPAAMEAwMrAwAAAAAAAAUFBU1NTQwYDADfAAD/AAD/AAD/A +AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAEhAQAIAAAAAAUFBR4oHjM/MwCfAAD/AAD/AAD/A AD/AAD/AAD/AAD/ AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAEEAZOTk+/IyP/Kyv/Kyv/Kyv/Fxf+1tf+qqv+amveVl cDAwBIZEoeHhwAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP//////////////////////// 
@@ -833,8 +833,8 @@ cDAwBIZEoeHhwAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP//////////////////////// D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AADDAAIDAqenp//x8f/d3f/Pz/+6uv+srP+YmKWlpUB DQDw8PAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/ AAAAAKioqP/x8f/j4//Pz//Bwf+srP+fn6WlpWBgYCYmJgIDAgDDAAD/AAD/AAD/AAD/AAD/AAD/A -AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACPAAMEAwFxAQAIAAAAAA -UFBU1NTQwYDADfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAE +AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAABYAAAgAAAAAA +YGBh4oHjM/MwCfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAE EAZOTk+/X1//f3//f3//U1P/Fxf+1tf+qqv+amveVlcDAwBIZEoeHhwAAAAD/AAD/AAD/AAD/AAD/ AAD/AAD/AACfAFRgVP/////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// @@ -848,7 +848,7 @@ AAD/AAD/AACfAFRgVP/////////////////////////////////////////////////////////// ADDAAECAZSUlJWVlZWVlZWVlZWVlZWVlZWVlZWVlTAyMDo6OgAAAAD/AAD/AAD/AAD/AAD/AAD/AA D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAJOTk5WVlZWVlZWVlZWVlZWVlZWVlZW VlUhISCQkJAIDAgDDAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/ -AAD/AAD/AAD/AAD/AAD/AACPAAMEAwNzAwoaCgMDAwYGBk1NTQwYDADfAAD/AAD/AAD/AAD/AAD/A +AAD/AAD/AAD/AAD/AAD/AAD/AAAAAANTAww8DAQEBAsLCx4oHjM/MwCfAAD/AAD/AAD/AAD/AAD/A AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAEEAZOTk+/n5//v7//f3//U1P/Fxf+1tf+qqv +amveVlcDAwBIZEoeHhwAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP///////////////// ///////////////////////////////////////////////////////////////////////////// 
@@ -862,8 +862,8 @@ AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAEEAZOTk+/n5//v7//f3//U1P/Fxf+1tf+qqv /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AADoAAQLBAsLCxQXFBQXFBQXFBATEBEUERQX FBQXFBUYFRgdGAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A AD/AAD/AAUSBQkJCRQXFBQXFBQXFBEUERATEBQXFBQXFBQXFBQYFAECAQDDAAD/AAD/AAD/AAD/AA -D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACPAAMEAwFBAQA -AAAAAAAcHB01NTQwYDADfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/ +D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAU1BQA +QAAAAAAgICB4oHjM/MwCfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/ AAD/AAEEAZOTk62tra2tra2tra2tra2tra2tra2tra2tra2trcDAwBIZEoeHhwAAAAD/AAD/AAD/A AD/AAD/AAD/AAD/AACfAFRgVP//////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// @@ -878,7 +878,7 @@ vxBAEAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AADvA AYYBgsPCwsPCwsPCwQGBAcJBwsPCwsPCwsPCwQFBAEBAQD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAYjBgsPCwsPCwsPCwcJBwQGBAsPCwsPCwsPCwY HBgEBAQDRAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/ -AAD/AAD/AAD/AAC3AAEBAQAAAAAAAAAAAAAAAFhiWAwYDADfAAD/AAD/AAD/AAD/AAD/AAD/AAD/A +AAD/AAD/AAD/AAD/AAIDAgAAAAAAAAAAAAAAAC40LjM+MwCfAAD/AAD/AAD/AAD/AAD/AAD/AAD/A AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAQYBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAABIbEo6VjgAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP///////////////////////// ///////////////////////////////////////////////////////////////////////////// 
@@ -892,8 +892,8 @@ AAABIbEo6VjgAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP///////////////////////// /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AADvAACPAACPAACPAAA2AABZAACPAACPAACP AACPAAC9AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A AD/AAD/AACPAACPAACPAABZAAA2AACPAACPAACPAACPAACvAAD/AAD/AAD/AAD/AAD/AAD/AAD/AA -D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACoAAkPCTQ0NAcHBzk -5ORgZGAUIBQDfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD3 +D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AADgAAYPBjk5OQkJCTI +yMiQkJBATEACVAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD3 ABROFKCmoObm5ubm5ubm5ubm5khISLu7u+bm5ubm5ubm5ubm5rHlsQAAAAD/AAD/AAD/AAD/AAD/A AD/AAD/AACfAFRgVP//////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// @@ -907,7 +907,7 @@ AD/AAD/AACfAFRgVP//////////////////////////////////////////////////////////// D/AAD/AAD/AAD/AAD/AAD/AABgAACfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAABgAAD/AAD/ AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A -AD/AAD/AAD/AAD/AAD/AAD/AAD/AACoAAA3AAAIAAA/AAA/AABQAAD/AAD/AAD/AAD/AAD/AAD/AA +AD/AAD/AAD/AAD/AAD/AAD/AAD/AADgAAA/AAAIAAA3AAA/AAA/AADgAAD/AAD/AAD/AAD/AAD/AA D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD3ABBGEAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAwuDAD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP////////////////// ///////////////////////////////////////////////////////////////////////////// 
@@ -921,8 +921,8 @@ AAAAAAAAAAAAAAAAAAAwuDAD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP////////////////// AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AABgAACfAAD/A AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA D/AAD/AAD/AAD/AAD/AAD/AAD/AACfAABgAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD -/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AADf -AAAgAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A +/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/ +AAAgAADfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AABAAAC/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA D/AAD/AAD/AAD/AACfAFRgVP///////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// @@ -937,7 +937,7 @@ xBAEAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA D/AAD/AAD/AAD/AABgAACfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAABgAAD/AAD/AAD/AAD/ AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A -AD/AAD/AAD/AAD/AAD/AAD/AADfAAAgAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA +AD/AAD/AAD/AAD/AAD/AAD/AAD/AAAgAADfAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AABAAAC/AAD/AAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP////////////////////////// ///////////////////////////////////////////////////////////////////////////// 
@@ -951,7 +951,7 @@ D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AABAAAC/AAD/AAD/AAD AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AABgAACfAAD/AAD/AAD/A AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA D/AAD/AAD/AAD/AAD/AACfAABgAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD -/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD3AAAAAAD/ +/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD3 AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A AD/AAD/AAD/AAD/AAD/AAD/AABAAAC/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA D/AAD/AACfAFRgVP///////////////////////////////////////////////////////////// @@ -3206,8 +3206,8 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHd3f/////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////w4AAAAUAAAAAAAAABAAAAAUAAAA 2004-03-01T17:16:19 -2004-03-06T13:43:21 -2004-03-06T13:42:58 +2004-03-27T17:04:15 +2004-03-27T17:03:59 2004-03-01T17:16:19 @@ -8528,7 +8528,7 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ 0 0 0 - + 0.21875 @@ -8537,7 +8537,7 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ 0 0 0 - + 0 @@ -8546,7 +8546,7 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ 0 0 0 - + 0.03515625 @@ -8555,7 +8555,7 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ 0 0 0 - + 0.1875 @@ -8564,7 +8564,7 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ 0 0 0 - + 0 @@ -8578,7 +8578,7 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ Enter the manufacturer name. - + 0 0 @@ -8588,7 +8588,7 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ Enter the product number. - + 0 0 
@@ -8598,7 +8598,7 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ Enter the part number. - + 0 0 @@ -8608,7 +8608,7 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ Enter the product description. - + 0 0 @@ -8618,7 +8618,7 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ Enter the asset ID. - + 0 0 @@ -8628,7 +8628,7 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ Enter the serial number. - + 0 0 @@ -8638,7 +8638,7 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ Enter the location. - + 0 0 @@ -8648,7 +8648,7 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ Enter the building. - + 0 0 @@ -8658,7 +8658,7 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ Enter the room. - + 0 0 @@ -8668,7 +8668,7 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ Enter the department. - + 0 0 @@ -8682,11 +8682,11 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ Firewall,barrier,on,network,device,filter,block,data,packets,based,such,criteria,type,source,destination,Basic,3D,workgroups,configuration,WANs,LANs,networked,information - + 10 - + @@ -10573,15 +10573,15 @@ AAAD/////////////////+AP///AD///wA///8AP///AD///wA///8Af///8////+P////z////8/ 1 - + 1 - + 0 - + 1 @@ -10636,7 +10636,7 @@ s/////P/////////////w== 3 3 0.125 --0.125 +-0.125 1 1 4 @@ -10950,7 +10950,7 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ 0 0 0 - + 0.53125 @@ -10959,7 +10959,7 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ 0 0 0 - + 0 @@ -10968,7 +10968,7 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ 0 0 0 - + 0.25 @@ -10977,7 +10977,7 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ 0 0 0 - + 0.28125 
@@ -10986,7 +10986,7 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ 0 0 0 - + 0 @@ -11000,7 +11000,7 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ Enter the manufacturer name. - + 0 0 @@ -11010,7 +11010,7 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ Enter the product number. - + 0 0 @@ -11020,7 +11020,7 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ Enter the part number. - + 0 0 @@ -11030,7 +11030,7 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ Enter the product description. - + 0 0 @@ -11040,7 +11040,7 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ Enter the asset ID. - + 0 0 @@ -11050,7 +11050,7 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ Enter the serial number. - + 0 0 @@ -11060,7 +11060,7 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ Enter the location. - + 0 0 @@ -11070,7 +11070,7 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ Enter the building. - + 0 0 @@ -11080,7 +11080,7 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ Enter the room. - + 0 0 @@ -11090,7 +11090,7 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ Enter the department. - + 0 0 @@ -11104,11 +11104,11 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ Router,device,used,connect,LANs,WANs,link,different,network,topologies,Basic,3D,workgroups,configuration,networked,information - + 10 - + @@ -13058,15 +13058,15 @@ AAAD/////////////////gH///79///4Df//8A3//+AN///AAAAf0A3/39Ad/9/eff/f3H3/3959/ 1 - + 1 - + 0 - + 1 @@ -13282,7 +13282,7 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// 0 0 0 - + 0.53125 
@@ -13291,7 +13291,7 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// 0 0 0 - + 0 @@ -13300,7 +13300,7 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// 0 0 0 - + 0.28125 @@ -13309,7 +13309,7 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// 0 0 0 - + 0.28125 @@ -13318,7 +13318,7 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// 0 0 0 - + 0 @@ -13332,7 +13332,7 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// Enter the manufacturer name. - + 0 0 @@ -13342,7 +13342,7 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// Enter the product number. - + 0 0 @@ -13352,7 +13352,7 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// Enter the part number. - + 0 0 @@ -13362,7 +13362,7 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// Enter the product description. - + 0 0 @@ -13372,7 +13372,7 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// Enter the asset ID. - + 0 0 @@ -13382,7 +13382,7 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// Enter the serial number. - + 0 0 @@ -13392,7 +13392,7 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// Enter the location. - + 0 0 @@ -13402,7 +13402,7 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// Enter the building. - + 0 0 @@ -13412,7 +13412,7 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// Enter the room. - + 0 0 @@ -13422,7 +13422,7 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// Enter the department. - + 0 0 
@@ -13436,11 +13436,11 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// Hub,switch,Adds,network,diagram,Basic,3D,workgroups,configuration,WANs,LANs,networked,information - + 10 - + @@ -17373,15 +17373,15 @@ D/AAAAfwAAAH8AAAB/AAAAf8AAAP///////////////////////////////////////////////// 1 - + 1 - + 0 - + 1 @@ -17623,7 +17623,7 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// 0 0 0 - + 0.53125 @@ -17632,7 +17632,7 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// 0 0 0 - + 2.2204460492503E-16 @@ -17641,7 +17641,7 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// 0 0 0 - + 0.28124999984632 @@ -17650,7 +17650,7 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// 0 0 0 - + 0.28125 @@ -17659,7 +17659,7 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// 0 0 0 - + 0 @@ -17673,7 +17673,7 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// Enter the manufacturer name. - + 0 0 @@ -17683,7 +17683,7 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// Enter the product number. - + 0 0 @@ -17693,7 +17693,7 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// Enter the part number. - + 0 0 @@ -17703,7 +17703,7 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// Enter the product description. - + 0 0 @@ -17713,7 +17713,7 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// Enter the asset ID. - + 0 0 @@ -17723,7 +17723,7 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// Enter the serial number. - + 0 0 @@ -17733,7 +17733,7 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// Enter the location. - + 0 0 
@@ -17743,7 +17743,7 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// Enter the building. - + 0 0 @@ -17753,7 +17753,7 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// Enter the room. - + 0 0 @@ -17763,7 +17763,7 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// Enter the department. - + 0 0 @@ -17777,11 +17777,11 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// Personal,computer,non,manufacturer,specific,desktop,Basic,Network,3D,workgroups,configuration,WANs,LANs,networked,information - + 10 - + @@ -20913,15 +20913,15 @@ B/AAAAfwAAAH8AAAB/AAAAf4AAAH/gAAD//////////////////////////////////////////// 1 - + 1 - + 0 - + 1 @@ -21137,7 +21137,7 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// 0 0 0 - + 0.21875 @@ -21146,7 +21146,7 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// 0 0 0 - + 0 @@ -21155,7 +21155,7 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// 0 0 0 - + 0.125 @@ -21164,7 +21164,7 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// 0 0 0 - + 0.125 @@ -21173,7 +21173,7 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// 0 0 0 - + 0 @@ -21187,7 +21187,7 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// Enter the manufacturer name. - + 0 0 @@ -21197,7 +21197,7 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// Enter the product number. - + 0 0 @@ -21207,7 +21207,7 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// Enter the part number. - + 0 0 @@ -21217,7 +21217,7 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// Enter the product description. - + 0 0 
@@ -21227,7 +21227,7 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// Enter the asset ID. - + 0 0 @@ -21237,7 +21237,7 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// Enter the serial number. - + 0 0 @@ -21247,7 +21247,7 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// Enter the location. - + 0 0 @@ -21257,7 +21257,7 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// Enter the building. - + 0 0 @@ -21267,7 +21267,7 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// Enter the room. - + 0 0 @@ -21277,7 +21277,7 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// Enter the department. - + 0 0 @@ -21291,11 +21291,11 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// Server,Adds,network,diagram,Basic,3D,workgroups,configuration,WANs,LANs,networked,information - + 10 - + @@ -24384,15 +24384,15 @@ B/wAAAf8AAAP/AAAf/wAAH/8AAB//AAAP/wAAD/8AAA//AAAP/wAAD/8AAA//gAAP/+AAH//4AD// 1 - + 1 - + 0 - + 1 @@ -24608,7 +24608,7 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// 0 0 0 - + 0.53125 @@ -24617,7 +24617,7 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// 0 0 0 - + 0 @@ -24626,7 +24626,7 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// 0 0 0 - + 0.296875 @@ -24635,7 +24635,7 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// 0 0 0 - + 0.296875 @@ -24644,7 +24644,7 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// 0 0 0 - + 0 @@ -24658,7 +24658,7 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// Enter the manufacturer name. - + 0 0 @@ -24668,7 +24668,7 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// Enter the product number. - + 0 0 
@@ -24678,7 +24678,7 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// Enter the part number. - + 0 0 @@ -24688,7 +24688,7 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// Enter the product description. - + 0 0 @@ -24698,7 +24698,7 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// Enter the asset ID. - + 0 0 @@ -24708,7 +24708,7 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// Enter the serial number. - + 0 0 @@ -24718,7 +24718,7 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// Enter the location. - + 0 0 @@ -24728,7 +24728,7 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// Enter the building. - + 0 0 @@ -24738,7 +24738,7 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// Enter the room. - + 0 0 @@ -24748,7 +24748,7 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// Enter the department. - + 0 0 @@ -24762,11 +24762,11 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// Workstation,Adds,high,end,personal,computer,network,diagram,Basic,3D,workgroups,configuration,WANs,LANs,networked,information - + 10 - + @@ -27237,15 +27237,15 @@ f/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//gAB//4AAf/+AAH//wAB//+AAf//wAP/////// 1 - + 1 - + 0 - + 1 @@ -27296,7 +27296,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP/////// - + 11 @@ -27497,6 +27497,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP/////// 0 + @@ -27933,7 +27934,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP/////// 0 3 0 -1 +1 2 0 @@ -35104,7 +35105,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP/////// -5.28625 +5.29625 2.05 0.1875 0.5 
@@ -36380,7 +36381,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP/////// 2 0 2 -1 +1 2 0 @@ -36431,11 +36432,11 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP/////// -5.3196875 +5.3246875 2.621875 -0.2 +-0.2 0.58125 -0.1 +-0.1 0.290625 0 0 @@ -36443,7 +36444,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP/////// 0 -5.3175 +5.3275 2.33125 5.321875 2.9125 @@ -36476,9 +36477,9 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP/////// 1 -0.1021875 -0.2884375 -0.55555555555556 +-0.1028125 +0.2878125 +0.55555555555555 0.24444444444444 0.27777777777778 0.12222222222222 @@ -36505,19 +36506,19 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP/////// 0 0 -0.097812499999998 +-0.0971875 0 -0.097812499999998 +-0.0971875 0.15625 -0.1021875 +-0.1028125 0.15625 -0.1021875 +-0.1028125 0.58125 @@ -36629,7 +36630,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP/////// - + 1 1 0 diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml index 06423184f..e2254cbc2 100644 --- a/Shorewall-docs2/myfiles.xml +++ b/Shorewall-docs2/myfiles.xml @@ -15,7 +15,7 @@ - 2004-03-16 + 2004-04-03 2001-2004 @@ -135,8 +135,7 @@ /etc/network/interfaces file (see below) adds a host route to 206.124.146.177 through eth1 when that interface is brought up. - Ursa (192.168.1.5 A.K.A. 206.124.146.178) runs a PPTP server for - Road Warrior access. + Tarry (192.168.1.4) runs a PPTP server for Road Warrior access.
@@ -464,8 +463,8 @@ Mirrors net dmz tcp # # When I'm "on the road", the following two rules allow me VPN access back home. # -ACCEPT net loc:192.168.1.5 tcp 1723 -ACCEPT net loc:192.168.1.5 gre +DNAT net loc:192.168.1.4 tcp 1723 +DNAT net loc:192.168.1.4 gre # # ICQ # diff --git a/Shorewall-docs2/ports.xml b/Shorewall-docs2/ports.xml index 47def1585..c87c46ff1 100644 --- a/Shorewall-docs2/ports.xml +++ b/Shorewall-docs2/ports.xml @@ -13,7 +13,7 @@ - 2004-02-18 + 2004-03-27 2001-2002 @@ -40,35 +40,41 @@ - - Beginning with Shorewall 2.0.0, the Shorewall distribution contains - a library of user-defined actions that allow for easily allowing or - blocking a particular application. Check your /etc/shorewall/actions.std - file for a list of the actions in your distribution. If you find what you - need, you simply use the action in a rule. For example, to allow DNS - queries from the dmz zone to the - net zone: +
+ Important Notes - #ACTION SOURCE DESTINATION -AllowPing dmz net - + + Beginning with Shorewall 2.0.0, the Shorewall distribution + contains a library of user-defined actions that allow for easily + allowing or blocking a particular application. Check your + /etc/shorewall/actions.std file for a list of the + actions in your distribution. If you find what you need, you simply use + the action in a rule. For example, to allow DNS queries from the + dmz zone to the net + zone: - - In the rules that are shown in this document, the ACTION is shown as - ACCEPT. You may need to use DNAT (see FAQ 30) - or you may want DROP or REJECT if you are trying to block the application. + #ACTION SOURCE DESTINATION +AllowDNS dmz net + - Example: You want to port forward FTP from the net to your server at - 192.168.1.4 in your DMZ. The FTP section below gives you: + + In the rules that are shown in this document, the ACTION is shown + as ACCEPT. You may need to use DNAT (see FAQ + 30) or you may want DROP or REJECT if you are trying to block + the application. - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + Example: You want to port forward FTP from the net to your server + at 192.168.1.4 in your DMZ. The FTP section below gives you: + + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 21 - You would code your rule as follows: + You would code your rule as follows: - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) DNAT net dmz:192.168.1.4 tcp 21 - + +
Auth (identd) diff --git a/Shorewall-docs2/quotes.xml b/Shorewall-docs2/quotes.xml index 8a5e63aa1..1888a9852 100644 --- a/Shorewall-docs2/quotes.xml +++ b/Shorewall-docs2/quotes.xml @@ -13,11 +13,13 @@ Eastep - 2003-07-01 + 2004-03-28 2003 + 2004 + Thomas M Eastep @@ -46,6 +48,17 @@ grateful +
+ SE, California, USA + + In two words, I'd call Shorewall "brilliant + simplicity". Define general rules of what it is you want to do, and + let the software determine the specific rules on how to implement it. + It's great only having to define specific rules for specific + instances. I have a much higher degree of confidence in my firewall than + I have had previously. Thank you for Shorewall!. +
+
BC, USA diff --git a/Shorewall-docs2/shorewall_features.xml b/Shorewall-docs2/shorewall_features.xml index 04eeb3f88..8044167fb 100644 --- a/Shorewall-docs2/shorewall_features.xml +++ b/Shorewall-docs2/shorewall_features.xml @@ -13,10 +13,10 @@ Eastep - 2003-11-13 + 2004-04-04 - 2001-2003 + 2001-2004 Thomas M Eastep @@ -82,7 +82,8 @@ - Extensive documentation + Extensive documentation included in the .tgz and .rpm downloads. @@ -110,8 +111,9 @@ - Blacklisting - of individual IP addresses and subnetworks is supported. + Blacklisting of individual IP addresses + and subnetworks is supported. @@ -150,8 +152,9 @@ - Support for Traffic - Control/Shaping integration. + Support for Traffic Control/Shaping + integration. @@ -180,12 +183,18 @@ - Media Access Control (MAC) - Address Verification. + Media Access Control (MAC) Address Verification. - Traffic Accounting. + Traffic + Accounting. + + + + Bridge/Firewall + support (requires a 2.6 kernel or a patched 2.4 kernel).
diff --git a/Shorewall-docs2/shorewall_setup_guide.xml b/Shorewall-docs2/shorewall_setup_guide.xml index 0eedbfecf..88da3221c 100644 --- a/Shorewall-docs2/shorewall_setup_guide.xml +++ b/Shorewall-docs2/shorewall_setup_guide.xml @@ -15,7 +15,7 @@ - 2004-02-04 + 2004-04-03 2001-2004 @@ -2211,6 +2211,61 @@ foobar.net. 86400 IN A 192.0.2.177 86400 IN MX 1 <backup MX>.
+
+ Some Things to Keep in Mind + + + + You cannot test your firewall from the + inside. Just because you send requests to your firewall + external IP address does not mean that the request will be associated + with the external interface or the net zone. Any + traffic that you generate from the local network will be associated + with your local interface and will be treated as loc->fw traffic. + + + + IP addresses are properties of systems, + not of interfaces. It is a mistake to believe that your + firewall is able to forward packets just because you can ping the IP + address of all of the firewall's interfaces from the local + network. The only conclusion you can draw from such pinging success is + that the link between the local system and the firewall works and that + you probably have the local system's default gateway set + correctly. + + + + All IP addresses configured on firewall + interfaces are in the $FW (fw) zone. If 192.168.1.254 is + the IP address of your internal interface then you can write + $FW:192.168.1.254 in a + rule but you may not write loc:192.168.1.254. + Similarly, it is nonsensical to add 192.168.1.254 to the loc zone using an entry in + /etc/shorewall/hosts. + + + + Reply packets do NOT automatically follow + the reverse path of the one taken by the original request. + All packets are routed according to the routing table of the host at + each step of the way. This issue commonly comes up when people install + a Shorewall firewall parallel to an existing gateway and try to use + DNAT through Shorewall without changing the default gateway of the + system receiving the forwarded requests. Requests come in through the + Shorewall firewall where the destination IP address gets rewritten but + replies go out unmodified through the old gateway. + + + + Shorewall itself has no notion of inside + or outside. These concepts are embodied in how Shorewall is + configured. + + +
+
Starting and Stopping the Firewall diff --git a/Shorewall-docs2/three-interface.xml b/Shorewall-docs2/three-interface.xml index 0ae4b77dd..1ed38e89e 100755 --- a/Shorewall-docs2/three-interface.xml +++ b/Shorewall-docs2/three-interface.xml @@ -15,7 +15,7 @@ - 2004-02-12 + 2004-04-03 2002-2004 @@ -633,7 +633,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IPYou can configure your internal - systems to use your ISP's name servers. If you ISP gave you the + systems to use your ISP's name servers. If your ISP gave you the addresses of their servers or if those addresses are available on their web site, you can configure your internal systems to use those addresses. If that information isn't available, look in /etc/resolv.conf @@ -751,6 +751,61 @@ ACCEPT net fw tcp 80
+
+ Some Things to Keep in Mind + + + + You cannot test your firewall from the + inside. Just because you send requests to your firewall + external IP address does not mean that the request will be associated + with the external interface or the net zone. Any + traffic that you generate from the local network will be associated + with your local interface and will be treated as loc->fw traffic. + + + + IP addresses are properties of systems, + not of interfaces. It is a mistake to believe that your + firewall is able to forward packets just because you can ping the IP + address of all of the firewall's interfaces from the local + network. The only conclusion you can draw from such pinging success is + that the link between the local system and the firewall works and that + you probably have the local system's default gateway set + correctly. + + + + All IP addresses configured on firewall + interfaces are in the $FW (fw) zone. If 192.168.1.254 is + the IP address of your internal interface then you can write + $FW:192.168.1.254 in a + rule but you may not write loc:192.168.1.254. + Similarly, it is nonsensical to add 192.168.1.254 to the loc zone using an entry in + /etc/shorewall/hosts. + + + + Reply packets do NOT automatically follow + the reverse path of the one taken by the original request. + All packets are routed according to the routing table of the host at + each step of the way. This issue commonly comes up when people install + a Shorewall firewall parallel to an existing gateway and try to use + DNAT through Shorewall without changing the default gateway of the + system receiving the forwarded requests. Requests come in through the + Shorewall firewall where the destination IP address gets rewritten but + replies go out unmodified through the old gateway. + + + + Shorewall itself has no notion of inside + or outside. These concepts are embodied in how Shorewall is + configured. + + +
+
Starting and Stopping Your Firewall @@ -763,11 +818,11 @@ ACCEPT net fw tcp 80 /etc/shorewall/startup_disabled. Users of the .deb package must edit - /etc/default/shorewall and set startup=1. - The firewall is started using the shorewall start - command and stopped using shorewall stop. When the - firewall is stopped, routing is enabled on those hosts that have an entry - in /etc/shorewall/routestopped. + /etc/default/shorewall and set startup=1.The + firewall is started using the shorewall start command + and stopped using shorewall stop. When the firewall is + stopped, routing is enabled on those hosts that have an entry in /etc/shorewall/routestopped. A running firewall may be restarted using the shorewall restart command. If you want to totally remove any trace of Shorewall from your Netfilter configuration, use shorewall clear. diff --git a/Shorewall-docs2/troubleshoot.xml b/Shorewall-docs2/troubleshoot.xml index fd0a58914..c5903c364 100644 --- a/Shorewall-docs2/troubleshoot.xml +++ b/Shorewall-docs2/troubleshoot.xml @@ -13,7 +13,7 @@ Eastep - 2004-02-02 + 2004-04-03 2001-2004 @@ -143,6 +143,17 @@ iptables: No chain/target/match by that name correctly. + + All IP addresses configured on firewall + interfaces are in the $FW (fw) zone. If 192.168.1.254 is + the IP address of your internal interface then you can write + $FW:192.168.1.254 in a + rule but you may not write loc:192.168.1.254. + Similarly, it is nonsensical to add 192.168.1.254 to the loc zone using an entry in + /etc/shorewall/hosts. + + Reply packets do NOT automatically follow the reverse path of the one taken by the original request. @@ -158,7 +169,7 @@ iptables: No chain/target/match by that name Shorewall itself has no notion of inside or outside. These concepts are embodied in how Shorewall is - configured. + configured.
@@ -399,7 +410,8 @@ DROP net fw icmp echo-request Revision History - 1.72005-02-02TEAdd + 1.82005-04-03TEPoint + out that firewall addresses are in the $FW zone.1.72005-02-02TEAdd hint about testing from inside the firewall.1.62005-01-06TEAdd pointer to Site and Mailing List Archives Searches.1.52004-01-01TEAdded information about eliminating ping-generated log messages.1.42003-12-22TEInitial diff --git a/Shorewall-docs2/two-interface.xml b/Shorewall-docs2/two-interface.xml index e7829616d..7462aefed 100644 --- a/Shorewall-docs2/two-interface.xml +++ b/Shorewall-docs2/two-interface.xml @@ -12,7 +12,7 @@ Eastep - 2003-03-16 + 2003-04-03 2002 @@ -499,7 +499,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000You can configure your internal systems - to use your ISP's name servers. If you ISP gave you the addresses of + to use your ISP's name servers. If your ISP gave you the addresses of their servers or if those addresses are available on their web site, you can configure your internal systems to use those addresses. If that information isn't available, look in /etc/resolv.conf on your firewall @@ -586,6 +586,61 @@ ACCEPT loc fw tcp 80 #Allow Weblet to work +
+ Some Things to Keep in Mind + + + + You cannot test your firewall from the + inside. Just because you send requests to your firewall + external IP address does not mean that the request will be associated + with the external interface or the net zone. Any + traffic that you generate from the local network will be associated + with your local interface and will be treated as loc->fw traffic. + + + + IP addresses are properties of systems, + not of interfaces. It is a mistake to believe that your + firewall is able to forward packets just because you can ping the IP + address of all of the firewall's interfaces from the local + network. The only conclusion you can draw from such pinging success is + that the link between the local system and the firewall works and that + you probably have the local system's default gateway set + correctly. + + + + All IP addresses configured on firewall + interfaces are in the $FW (fw) zone. If 192.168.1.254 is + the IP address of your internal interface then you can write + $FW:192.168.1.254 in a + rule but you may not write loc:192.168.1.254. + Similarly, it is nonsensical to add 192.168.1.254 to the loc zone using an entry in + /etc/shorewall/hosts. + + + + Reply packets do NOT automatically follow + the reverse path of the one taken by the original request. + All packets are routed according to the routing table of the host at + each step of the way. This issue commonly comes up when people install + a Shorewall firewall parallel to an existing gateway and try to use + DNAT through Shorewall without changing the default gateway of the + system receiving the forwarded requests. Requests come in through the + Shorewall firewall where the destination IP address gets rewritten but + replies go out unmodified through the old gateway. + + + + Shorewall itself has no notion of inside + or outside. These concepts are embodied in how Shorewall is + configured. + + +
+
Starting and Stopping Your Firewall diff --git a/Shorewall-docs2/upgrade_issues.xml b/Shorewall-docs2/upgrade_issues.xml index 4f00200a2..470dbbba4 100644 --- a/Shorewall-docs2/upgrade_issues.xml +++ b/Shorewall-docs2/upgrade_issues.xml @@ -60,6 +60,32 @@ command to see the groups associated with each of your zones.
+
+ Version >= 2.0.1 + + + + The function of 'norfc1918' is now split between that + option and a new 'nobogons' option. The rfc1918 file released + with Shorewall now contains entries for only those three address + ranges reserved by RFC 1918. A 'nobogons' interface option has + been added which handles bogon source addresses (those which are + reserved by the IANA, those reserved for DHCP auto-configuration and + the class C test-net reserved for testing and documentation examples). + This will allow users to perform RFC 1918 filtering without having to + deal with out of date data from IANA. Those who are willing to update + their /usr/share/shorewall/bogons file regularly + can specify the 'nobogons' option in addition to + 'norfc1918'. The level at which bogon packets are logged is + specified in the new BOGON_LOG_LEVEL variable in shorewall.conf. If + that option is not specified or is specified as empty (e.g, + BOGON_LOG_LEVEL="") then bogon packets whose TARGET is + 'logdrop' in /usr/share/shorewall/bogons + are logged at the 'info' level. + + +
+
VERSION >= 2.0.0-Beta1