Shorewall 2.0.0 Alpha1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@443 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-02-08 20:58:44 +00:00
parent b0e5d0b131
commit ef51c04d1d
35 changed files with 452 additions and 574 deletions


@ -1,4 +1,4 @@
Shoreline Firewall (Shorewall) Version 1.3 - 6/14/2002
Shoreline Firewall (Shorewall) Version 2.0 - 3/14/2003
----- ----
-----------------------------------------------------------------------------
@ -28,7 +28,7 @@ o Edit the configuration files to fit your environment.
To do this, I strongly advise you to follow the instructions at:
http://shorewall.sf.net/shorewall_quickstart_guide.htm
http://www.shorewall.net/shorewall_quickstart_guide.htm
o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
Debian, then type "./install.sh".


@ -1,5 +1,5 @@
#
# Shorewall 1.3 -- Blacklist File
# Shorewall 2.0 -- Blacklist File
#
# /etc/shorewall/blacklist
#


@ -1,22 +1,30 @@
Changes since 1.3.13
Changes since 1.3.14
1. Fix 'shorewall add' bug.
1. All versions changed to 2.0.
2. Add OLD_PING_HANDLING option
2. Rework of error message generation to make the 'firewall' script
smaller.
3. Allow adding alias labels under ADD_IP_ALIASES=Yes.
3. Deimplemented MERGE_HOSTS=No.
4. Allow adding alias labels under ADD_SNAT_ALIASES=Yes.
4. Generate error for <dev>:<integer> name in interfaces file.
5. Use the routing table to generate list of subnets to be masqueraded
when an interface name appears in the SUBNET column of
/etc/shorewall/masq.
5. Deimplement old ping handling.
6. Restore $dev.$vid naming of VLAN interfaces.
6. Deimplement 'routestopped' interface/hosts option.
7. Updated copyrights for 2003.
7. Strip comments from potentially large files while the firewall is
still up and running during 'restart'.
8. Added support for openvpn tunnels on arbitrary ports
8. Disallow the old port forwarding/redirection syntax.
9. Corrected rule number calculation problem in 'shorewall add' command
processing.
9. Reorganize shorewall.conf.
10. Added support for LOG target.
11. Move firewall and version (one more time....)
12. Add late DNS reply rule to the common chain.
12. Corrected rule number calculation problem in 'shorewall add' command
processing.


@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/common.def
# Shorewall 2.0 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file,
@ -36,5 +36,9 @@ run_iptables -A common -d 224.0.0.0/4 -j DROP
# AUTH -- Silently reject it so that connections don't get delayed.
#
run_iptables -A common -p tcp --dport 113 -j reject
############################################################################
# DNS -- Silenty drop late replies
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
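Review bot: The new rule at the end of the hunk silently drops every NEW UDP packet whose source port is 53, whatever its destination port, so besides stale DNS replies it also suppresses the log entry for any probe that deliberately sets its source port to 53 — a common scanner trick precisely because firewalls special-case DNS. Since `common` runs just before the DROP/REJECT policy (per the file header) the packets are dropped either way; what is lost is visibility. If the intent is only to quiet late replies to the resolver's own queries, narrowing the match to the ephemeral destination range keeps the log for everything else, e.g. `run_iptables -A common -p udp --sport 53 --dport 1024:65535 -m state --state NEW -j DROP`, which also uses the `-m state` spelling the firewall script uses elsewhere. The comment above it should read `# DNS -- Silently drop late replies`.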


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.3.14RC1
VERSION=2.0.0Alpha1
usage() # $1 = exit status
{
@ -49,14 +49,18 @@ restore_file() # $1 = file to restore
fi
}
if [ ! -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
if [ ! -f /usr/share/shorewall/version-${VERSION}.bkout ]; then
echo "Shorewall Version $VERSION is not installed"
exit 1
fi
echo "Backing Out Installation of Shorewall $VERSION"
if [ -L /usr/lib/shorewall/firewall ]; then
if [ -L /usr/share/shorewall/init ]; then
FIREWALL=`ls -l /usr/share/shorewall/firewall | sed 's/^.*> //'`
restore_file $FIREWALL
restore_file /usr/share/shorewall/firewall
elif [ -L /usr/lib/shorewall/firewall ]; then
FIREWALL=`ls -l /usr/lib/shorewall/firewall | sed 's/^.*> //'`
restore_file $FIREWALL
elif [ -L /var/lib/shorewall/firewall ]; then
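Review bot: In the new first branch (`if [ -L /usr/share/shorewall/init ]`), `FIREWALL` is derived from `ls -l /usr/share/shorewall/firewall`, but in the 2.0 layout that path is the regular file installed by `install_file_with_backup` (see install.sh in this commit) while `init` is the symlink to the init script. `ls -l` of a regular file contains no `> `, so the sed leaves the whole listing in `FIREWALL`, the unquoted `restore_file $FIREWALL` is handed the permission string as its argument, and the init script under `${DEST}` is never restored — only the firewall script on the following line is. The `/usr/lib` branch below resolves the same symlink it just tested; this branch should do likewise, e.g. `FIREWALL=$(readlink /usr/share/shorewall/init)` followed by `restore_file "$FIREWALL"` (or the same `ls -l ... | sed` pipeline applied to `init` if readlink is not guaranteed on the target systems). `restore_file`'s body and the remainder of this if/elif chain lie outside the hunk.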


@ -1,6 +1,6 @@
#!/bin/sh
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
@ -95,7 +95,7 @@ error_message() # $* = Error Message
#
fatal_error() # $* = Error Message
{
echo " $@" >&2
echo " Error: $@" >&2
stop_firewall
exit 2
}
@ -106,7 +106,7 @@ fatal_error() # $* = Error Message
#
startup_error() # $* = Error Message
{
echo " $@" >&2
echo " Error: $@" >&2
my_mutex_off
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
kill $$
@ -225,13 +225,12 @@ run_tc() {
# variable ${1}_exists and set its value to Yes to indicate that the chain now
# exists.
#
createchain() # $1 = chain name, $2 = If non-null, don't create default rules
createchain() # $1 = chain name, $2 = If "yes", create default rules
{
run_iptables -N $1
if [ $# -eq 1 ]; then
state="ESTABLISHED"
[ -n "$ALLOWRELATED" ] && state="$state,RELATED"
if [ $2 = yes ]; then
state="ESTABLISHED,RELATED"
run_iptables -A $1 -m state --state $state -j ACCEPT
[ -z "$NEWNOTSYN" ] && \
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
@ -273,7 +272,7 @@ mangle_chain_exists() # $1 = chain name
#
ensurechain() # $1 = chain name
{
havechain $1 || createchain $1
havechain $1 || createchain $1 yes
}
#
@ -502,8 +501,11 @@ determine_interfaces() {
# Determine the defined hosts in each zone and generate report
#
determine_hosts() {
do_a_zone()
{
for zone in $zones; do
hosts=`find_hosts $zone`
hosts=`echo $hosts` # Remove extra trash
eval interfaces=\$${zone}_interfaces
for interface in $interfaces; do
@ -513,10 +515,7 @@ determine_hosts() {
hosts="$hosts $interface:0.0.0.0/0"
fi
done
}
recalculate_interfaces()
{
interfaces=
for host in $hosts; do
@ -531,32 +530,6 @@ determine_hosts() {
done
eval ${zone}_interfaces="\$interfaces"
}
for zone in $zones; do
hosts=`find_hosts $zone`
hosts=`echo $hosts` # Remove extra trash
if [ -n "MERGE_HOSTS" ]; then
#
# Zone will be the union of its host and interface definitions
#
do_a_zone
recalculate_interfaces
elif [ -n "$hosts" ]; then
#
# Zone is defined in terms of hosts -- derive the interface list
# from the host list
#
recalculate_interface
else
#
# If no hosts are defined for a zone then the zone consists of any
# host that can send us messages via the interfaces to the zone
#
do_a_zone
fi
eval ${zone}_hosts="\$hosts"
if [ -n "$hosts" ]; then
@ -591,10 +564,16 @@ validate_interfaces_file() {
fi
[ "x$interface" = "xlo" ] && \
startup_error "Error: The loopback interface (lo) may not be defined in /etc/shorewall/interfaces"
startup_error "The loopback interface (lo) may not be defined in /etc/shorewall/interfaces"
list_search $interface $all_interfaces && \
startup_error "Error: Duplicate Interface $interface"
startup_error "Duplicate Interface $interface"
case $interface in
*:*)
startup_error "Invalid Interface Name: $interface"
;;
esac
all_interfaces="$all_interfaces $interface"
options=`separate_list $options`
@ -606,21 +585,17 @@ validate_interfaces_file() {
for option in $options; do
case $option in
dhcp|routestopped|norfc1918|multi|tcpflags)
dhcp|norfc1918|multi|tcpflags)
;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
;;
noping|filterping)
[ -n "$OLD_PING_HANDLING" ] || \
startup_error "Option $option only allowed with old ping handling"
;;
*)
error_message "Warning: Invalid option ($option) in record \"$r\""
;;
esac
done
[ -z "$all_interfaces" ] && startup_error "Error: No Interfaces Defined"
[ -z "$all_interfaces" ] && startup_error "No Interfaces Defined"
done < $TMP_DIR/interfaces
}
@ -642,7 +617,7 @@ validate_hosts_file() {
for option in `separate_list $options`; do
case $option in
routestopped|maclist|-)
maclist|-)
;;
*)
error_message "Warning: Invalid option ($option) in record \"$r\""
@ -725,7 +700,7 @@ validate_rule() {
serv=$server
;;
~*)
startup_error "Error: Rule \"$rule\" - Destination may not be specified by MAC Address"
startup_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
;;
*)
dest_interface="-o $server"
@ -771,21 +746,29 @@ validate_rule() {
REJECT)
target=reject
[ -n "$servport" ] && \
startup_error "Error: server port may not be specified in a REJECT rule;"\
startup_error "Server port may not be specified in a REJECT rule;"\
"rule: \"$rule\""
;;
ACCEPT)
[ -n "$servport" ] && \
startup_error "Error: server port may not be specified in an ACCEPT rule;"\
startup_error "Server port may not be specified in an ACCEPT rule;"\
"rule: \"$rule\""
;;
LOG)
[ -n "$servport" ] && \
startup_error "Server port may not be specified in an LOG rule;"\
"rule: \"$rule\""
[ -n "$loglevel" ] || \
startup_error "LOG target requires a log level"
;;
REDIRECT)
[ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\
[ -n "$serv" ] && startup_error "REDIRECT rules cannot"\
" specify a server IP; rule: \"$rule\""
servport=${servport:=$port}
;;
DNAT)
[ -n "$serv" ] || startup_error "Error: DNAT rules require a" \
[ -n "$serv" ] || startup_error "DNAT rules require a" \
" server address; rule: \"$rule\""
;;
esac
@ -805,17 +788,17 @@ validate_rule() {
#
if [ -z "$NAT_ENABLED" ]; then
startup_error \
"Error - Rule \"$rule\" requires NAT which is disabled"
"Rule \"$rule\" requires NAT which is disabled"
fi
if [ "$target" != "ACCEPT" ]; then
startup_error "Error - Only ACCEPT rules may specify " \
startup_error "Only ACCEPT rules may specify " \
"port mapping; rule \"$rule\""
fi
fi
else
[ -n "$addr" ] && startup_error \
"Error: An ADDRESS ($addr) is only allowed in" \
"An ADDRESS ($addr) is only allowed in" \
" a DNAT or REDIRECT rule: \"$rule\""
fi
}
@ -835,9 +818,7 @@ validate_rule() {
logtarget="$target"
#
# DNAT and REDIRECT targets were implemented in version 1.3 to replace
# an older syntax. We simply map the new syntax into the old and proceed;
# that way, people who have files with the old syntax don't need to
# convert right away.
# an older syntax. We simply map the new syntax into the old and proceed.
#
case $target in
DNAT)
@ -858,11 +839,10 @@ validate_rule() {
servers="fw::$servers"
fi
;;
ACCEPT|DROP|REJECT)
ACCEPT|DROP|REJECT|LOG)
;;
*)
startup_error "Error: Invalid target;" \
" rule: \"$rule\""
startup_error "Invalid target; rule: \"$rule\""
esac
@ -873,7 +853,7 @@ validate_rule() {
clientzone="${clients%%:*}"
clients="${clients#*:}"
[ -z "$clientzone" -o -z "$clients" ] && \
startup_error "Error: Empty source zone or qualifier: rule \"$rule\""
startup_error "Empty source zone or qualifier: rule \"$rule\""
fi
if [ "$clientzone" = "${clientzone%\!*}" ]; then
@ -883,13 +863,13 @@ validate_rule() {
clientzone="${clientzone%\!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
startup_error "Error: Exclude list only allowed with DNAT or REDIRECT"
startup_error "Exclude list only allowed with DNAT or REDIRECT"
fi
#
# Validate the Source Zone
#
if ! validate_zone $clientzone; then
[ "x$clientzone" = xall ] || startup_error "Error: Undefined Client Zone in rule \"$rule\""
[ "x$clientzone" = xall ] || startup_error "Undefined Client Zone in rule \"$rule\""
fi
source=$clientzone
@ -910,18 +890,18 @@ validate_rule() {
serverport="${servers#*:}"
servers="${servers%:*}"
[ -z "$serverzone" -o -z "$serverport" ] && \
startup_error "Error: Empty destination zone or server port: rule \"$rule\""
startup_error "Empty destination zone or server port: rule \"$rule\""
else
serverport=
[ -z "$serverzone" -o -z "$servers" ] && \
startup_error "Error: Empty destination zone or qualifier: rule \"$rule\""
startup_error "Empty destination zone or qualifier: rule \"$rule\""
fi
fi
#
# Validate the destination zone
#
if ! validate_zone $serverzone; then
[ "x$serverzone" = xall ] || startup_error "Error: Undefined Server Zone in rule \"$rule\""
[ "x$serverzone" = xall ] || startup_error "Undefined Server Zone in rule \"$rule\""
fi
dest=$serverzone
@ -976,13 +956,13 @@ validate_rules() # $1 = name of rules file
expandv clients servers protocol ports cports address
case "$target" in
ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*)
ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*|LOG*)
rule="`echo $target $clients $servers $protocol $ports $cports $address`"
validate_rule
;;
*)
rule="`echo $target $clients $servers $protocol $ports $cports $address`"
startup_error "Error: Invalid Target - rule \"$rule\" ignored"
startup_error "Invalid Target - rule \"$rule\" ignored"
;;
esac
done < $TMP_DIR/rules
@ -1013,7 +993,7 @@ validate_policy()
all_policy_chains=
strip_file policy $policy
strip_file policy
while read client server policy loglevel synparams; do
expandv client server policy loglevel synparams
@ -1027,7 +1007,7 @@ validate_policy()
;;
*)
if ! validate_zone $client; then
startup_error "Error: Undefined zone $client"
startup_error "Undefined zone $client"
fi
esac
@ -1037,7 +1017,7 @@ validate_policy()
;;
*)
if ! validate_zone $server; then
startup_error "Error: Undefined zone $server"
startup_error "Undefined zone $server"
fi
esac
@ -1045,17 +1025,17 @@ validate_policy()
ACCEPT|REJECT|DROP|CONTINUE)
;;
*)
startup_error "Error: Invalid policy $policy"
startup_error "Invalid policy $policy"
;;
esac
chain=${client}2${server}
[ "x$chain" = "x${FW}2${FW}" ] && \
startup_error "Error: fw->fw policy not allowed: $policy"
startup_error "fw->fw policy not allowed: $policy"
if is_policy_chain $chain ; then
startup_error "Error: Duplicate policy $policy"
startup_error "Duplicate policy $policy"
fi
[ "x$loglevel" = "x-" ] && loglevel=
@ -1275,7 +1255,7 @@ stop_firewall() {
deleteallchains
hosts="`find_hosts_by_option routestopped`"
hosts=
strip_file routestopped
@ -1522,8 +1502,6 @@ setup_proxy_arp() {
> ${STATEDIR}/proxyarp
strip_file proxyarp
while read address interface external haveroute; do
expandv address interface external haveroute
setup_one_proxy_arp
@ -1578,7 +1556,7 @@ setup_mac_lists() {
eth*)
;;
*)
fatal_error "Error: MAC verification is only supported on ethernet devices: $interface"
fatal_error "MAC verification is only supported on ethernet devices: $interface"
;;
esac
@ -1587,7 +1565,6 @@ setup_mac_lists() {
#
# Process the maclist file producing the verification rules
#
strip_file maclist
while read interface mac addresses; do
expandv interface mac addresses
@ -1595,7 +1572,7 @@ setup_mac_lists() {
chain=`mac_chain $interface`
if ! havechain $chain ; then
fatal_error "Error: No hosts on $interface have the maclist option specified"
fatal_error "No hosts on $interface have the maclist option specified"
fi
macpart=`mac_match $mac`
@ -1629,7 +1606,7 @@ setup_mac_lists() {
blob=`ip addr show $interface 2> /dev/null | grep inet | sed 's/inet //; s/brd //; s/scope.*//;'`
[ -z "$blob" ] && \
fatal_error "Error: Interface $interface must be up before Shorewall can start"
fatal_error "Interface $interface must be up before Shorewall can start"
set -- $blob
@ -1728,8 +1705,6 @@ setup_nat() {
#
> ${STATEDIR}/nat
strip_file nat
echo "Setting up NAT..."
while read external interface internal allints localnat; do
@ -1807,7 +1782,7 @@ process_tc_rule()
;;
*)
if ! list_search $source $all_interfaces; then
fatal_error "Error: Unknown interface $source in rule \"$rule\""
fatal_error "Unknown interface $source in rule \"$rule\""
fi
r="-i $source "
@ -1976,19 +1951,18 @@ refresh_tc() {
add_nat_rule() {
local chain
# Be sure NAT is enabled
if [ -z "$NAT_ENABLED" ]; then
fatal_error \
"Error - Rule \"$rule\" requires NAT which is disabled"
fi
# Onle ACCEPT (plus DNAT and REDIRECT) may result in NAT
if [ "$target" != "ACCEPT" ]; then
fatal_error "Error - Only DNAT and REDIRECT rules may specify " \
"port mapping; rule \"$rule\""
fi
# Be sure we should and can NAT
case $logtarget in
DNAT|REDIRECT)
if [ -z "$NAT_ENABLED" ]; then
fatal_error "Rule \"$rule\" requires NAT which is disabled"
fi
;;
*)
fatal_error "Only DNAT and REDIRECT rules may specify port mapping; rule \"$rule\""
;;
esac
# Parse SNAT address if any
@ -2126,20 +2100,19 @@ add_a_rule()
# Set destination variables
dest_interface=
serv=
[ -n "$server" ] && case "$server" in
-)
serv=
;;
*.*.*)
serv=$server
;;
~*)
fatal_error "Error: Rule \"$rule\" - Destination may not be specified by MAC Address"
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
;;
*)
dest_interface="-o $server"
serv=
;;
esac
@ -2180,8 +2153,7 @@ add_a_rule()
;;
all|ALL)
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
fatal_error "Port number not allowed with \"all\";" \
" rule: \"$rule\""
fatal_error "Port number not allowed with \"all\"; rule: \"$rule\""
proto=
;;
related|RELATED)
@ -2191,8 +2163,7 @@ add_a_rule()
*)
state=
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
fatal_error "Port number not allowed with protocol " \
"\"$proto\"; rule: \"$rule\""
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
;;
esac
@ -2204,18 +2175,21 @@ add_a_rule()
REJECT)
target=reject
[ -n "$servport" ] && \
fatal_error "Error: server port may not be specified in a REJECT rule;"\
fatal_error "Server port may not be specified in a REJECT rule;"\
"rule: \"$rule\""
;;
REDIRECT)
[ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\
[ -n "$serv" ] && startup_error "REDIRECT rules cannot"\
" specify a server IP; rule: \"$rule\""
servport=${servport:=$port}
;;
DNAT)
[ -n "$serv" ] || fatal_error "Error: DNAT rules require a" \
[ -n "$serv" ] || fatal_error "DNAT rules require a" \
" server address; rule: \"$rule\""
;;
LOG)
[ -z "$loglevel" ] && fatal_error "LOG requires log level"
;;
esac
# Complain if the rule is really a policy
@ -2260,7 +2234,7 @@ add_a_rule()
# Destination is a simple zone
[ -n "$addr" ] && fatal_error \
"Error: An ORIGINAL DESTINATION ($addr) is only allowed in" \
"An ORIGINAL DESTINATION ($addr) is only allowed in" \
" a DNAT or REDIRECT: \"$rule\""
if [ -n "$loglevel" ]; then
@ -2276,8 +2250,10 @@ add_a_rule()
fi
fi
run_iptables2 -A $chain $proto $multiport $dest_interface $state \
$cli $sports $dports -j $target
if [ $logtarget != LOG ]; then
run_iptables2 -A $chain $proto $multiport $dest_interface $state \
$cli $sports $dports -j $target
fi
fi
}
@ -2349,7 +2325,7 @@ process_rule() # $1 = target
clientzone="${clients%%:*}"
clients="${clients#*:}"
[ -z "$clientzone" -o -z "$clients" ] && \
fatal_error "Error: Empty source zone or qualifier: rule \"$rule\""
fatal_error "Empty source zone or qualifier: rule \"$rule\""
fi
if [ "$clientzone" = "${clientzone%\!*}" ]; then
@ -2359,11 +2335,11 @@ process_rule() # $1 = target
clientzone="${clientzone%\!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
fatal_error "Error: Exclude list only allowed with DNAT or REDIRECT"
fatal_error "Exclude list only allowed with DNAT or REDIRECT"
fi
if ! validate_zone $clientzone; then
fatal_error "Error: Undefined Client Zone in rule \"$rule\""
fatal_error "Undefined Client Zone in rule \"$rule\""
fi
# Parse and validate destination
@ -2383,16 +2359,16 @@ process_rule() # $1 = target
serverport="${servers#*:}"
servers="${servers%:*}"
[ -z "$serverzone" -o -z "$serverport" ] && \
fatal_error "Error: Empty destination zone or server port: rule \"$rule\""
fatal_error "Empty destination zone or server port: rule \"$rule\""
else
serverport=
[ -z "$serverzone" -o -z "$servers" ] && \
startup_error "Error: Empty destination zone or qualifier: rule \"$rule\""
startup_error "Empty destination zone or qualifier: rule \"$rule\""
fi
fi
if ! validate_zone $serverzone; then
fatal_error "Error: Undefined Server Zone in rule \"$rule\""
fatal_error "Undefined Server Zone in rule \"$rule\""
fi
dest=$serverzone
@ -2466,12 +2442,10 @@ process_rules() # $1 = name of rules file
done
}
strip_file rules $1
while read xtarget xclients xservers xprotocol xports xcports xaddress; do
case "$xtarget" in
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*)
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*|LOG|LOG:*)
expandv xclients xservers xprotocol xports xcports xaddress
if [ "x$xclients" = xall ]; then
@ -2493,7 +2467,7 @@ process_rules() # $1 = name of rules file
;;
*)
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`"
fatal_error "Error: Invalid Target in rule \"$rule\""
fatal_error "Invalid Target in rule \"$rule\""
;;
esac
@ -2871,7 +2845,7 @@ default_policy() # $1 = client $2 = server
if [ -n "$chain1" ]; then
apply_default $1 $2
else
fatal_error "Error: No default policy for zone $1 to zone $2"
fatal_error "No default policy for zone $1 to zone $2"
fi
}
@ -2921,7 +2895,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
[ -n "$chain" ] && { echo $chain; return; }
fatal_error "Error: No appropriate chain for zone $1 to zone $2"
fatal_error "No appropriate chain for zone $1 to zone $2"
}
#
@ -2975,7 +2949,7 @@ setup_masq()
interface=${fullinterface%:*}
if ! list_search $interface $all_interfaces; then
fatal_error "Error: Unknown interface $interface"
fatal_error "Unknown interface $interface"
fi
if [ "$subnet" = "${subnet%!*}" ]; then
@ -3348,7 +3322,7 @@ initialize_netfilter () {
determine_zones
[ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
[ -z "$zones" ] && startup_error "No Zones Defined"
display_list "Zones:" $zones
@ -3368,6 +3342,17 @@ initialize_netfilter () {
determine_interfaces
determine_hosts
#
# The some files might be large so strip them while the firewall is still running
# (restart command). This reduces the length of time that the firewall isn't
# accepting new connections.
#
strip_file rules
strip_file proxyarp
strip_file maclist
strip_file nat
deletechain shorewall
@ -3399,7 +3384,8 @@ initialize_netfilter () {
#
run_iptables -A INPUT -p udp --dport 53 -j ACCEPT # I suppose that there
# is an idiot somewhere
# who needs this
# who needs this strip_file nat
run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT
@ -3458,13 +3444,6 @@ initialize_netfilter () {
#
build_common_chain() {
if [ -n "$OLD_PING_HANDLING" ]; then
#
# PING
#
[ -n "$FORWARDPING" ] && \
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
fi
#
# Common ICMP rules
#
@ -3618,7 +3597,7 @@ add_common_rules() {
logdrop|DROP|RETURN)
;;
*)
fatal_error " Error:Illegal target ($target) for $subnet"
fatal_error "Illegal target ($target) for $subnet"
;;
esac
@ -3780,7 +3759,7 @@ apply_policy_rules() {
# related sessions associated with sessions going
# in the other direction
#
createchain $chain
createchain $chain yes
#
# If either client or server is 'all' then this MUST be
@ -4017,26 +3996,6 @@ define_firewall() # $1 = Command (Start or Restart)
process_rules $rules
if [ -n "$OLD_PING_HANDLING" ]; then
echo "Setting up ICMP Echo handling..."
filterping_interfaces="`find_interfaces_by_option filterping`"
noping_interfaces="`find_interfaces_by_option noping`"
for interface in $all_interfaces; do
if ! list_search $interface $filterping_interfaces; then
if list_search $interface $noping_interfaces; then
target=DROP
else
target=ACCEPT
fi
run_iptables -A `input_chain $interface` \
-p icmp --icmp-type echo-request -j $target
fi
done
fi
policy=`find_file policy`
echo "Processing $policy..."
@ -4086,7 +4045,7 @@ check_config() {
determine_zones
[ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
[ -z "$zones" ] && startup_error "No Zones Defined"
display_list "Zones:" $zones
@ -4109,7 +4068,7 @@ check_config() {
echo "Validating policy file..."
validate_policy
validate_policy
rm -rf $TMP_DIR
@ -4129,7 +4088,7 @@ refresh_firewall()
validate_interfaces_file
[ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
[ -z "$zones" ] && startup_error "No Zones Defined"
determine_interfaces
@ -4171,7 +4130,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
do_iptables() # $@ = command
{
if ! iptables $@ ; then
startup_error "Error: can't add $1 to zone $2"
startup_error "Can't add $1 to zone $2"
fi
}
@ -4196,26 +4155,25 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
#
zone=$2
validate_zone $zone || startup_error "Error: Unknown zone: $zone"
validate_zone $zone || startup_error "Unknown zone: $zone"
[ "$zone" = $FW ] && startup_error "Error: Can't add $1 to firewall zone"
[ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone"
#
# Be sure that Shorewall has been restarted using a DZ-aware version of the code
#
[ -f ${STATEDIR}/chains ] || startup_error "Error: ${STATEDIR}/chains -- file not found"
[ -f ${STATEDIR}/zones ] || startup_error "Error: ${STATEDIR}/zones -- file not found"
[ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found"
[ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found"
#
# Be sure that the interface was present at last [re]start
#
if ! chain_exists `input_chain $interface` ; then
startup_error "Error: Unknown interface $interface"
startup_error "Unknown interface $interface"
fi
#
# Build lists of interfaces with special rules
#
dhcp_interfaces=`find_interfaces_by_option dhcp`
blacklist_interfaces=`find_interfaces_by_option blacklist`
filterping_interfaces=`find_interfaces_by_option filterping`
maclist_interfaces=`find_interfaces_by_option maclist`
tcpflags_interfaces=`find_interfaces_by_option tcpflags`
#
@ -4234,7 +4192,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
for h in $hosts; do
if [ "$h" = "$newhost" ]; then
rm -f ${STATEDIR}/zones_$$
startup_error "Error: $1 already in zone $zone"
startup_error "$1 already in zone $zone"
fi
done
@ -4273,10 +4231,6 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
rulenum=2
fi
if list_search $interface $filterping_interfaces; then
rulenum=$(($rulenum + 1))
fi
if list_search $interface $maclist_interfaces; then
rulenum=$(($rulenum + 1))
fi
@ -4417,19 +4371,19 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
zone=$2
validate_zone $zone || startup_error "Error: Unknown zone: $zone"
validate_zone $zone || startup_error "Unknown zone: $zone"
[ "$zone" = $FW ] && startup_error "Error: Can't remove $1 from firewall zone"
[ "$zone" = $FW ] && startup_error "Can't remove $1 from firewall zone"
#
# Be sure that Shorewall has been restarted using a DZ-aware version of the code
#
[ -f ${STATEDIR}/chains ] || startup_error "Error: ${STATEDIR}/chains -- file not found"
[ -f ${STATEDIR}/zones ] || startup_error "Error: ${STATEDIR}/zones -- file not found"
[ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found"
[ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found"
#
# Be sure that the interface was present at last [re]start
#
if ! chain_exists `input_chain $interface` ; then
startup_error "Error: Unknown interface $interface"
startup_error "Unknown interface $interface"
fi
#
# Normalize the first argument to this function
@ -4555,7 +4509,7 @@ do_initialize() {
FW=
SUBSYSLOCK=
STATEDIR=
ALLOWRELATED=
ALLOWRELATED=Yes
LOGRATE=
LOGBURST=
LOGPARMS=
@ -4572,7 +4526,6 @@ do_initialize() {
NAT_BEFORE_RULES=
MULTIPORT=
DETECT_DNAT_IPADDRS=
MERGE_HOSTS=
MUTEX_TIMEOUT=
NEWNOTSYN=
LOGNEWNOTSYN=
@ -4583,8 +4536,7 @@ do_initialize() {
TCP_FLAGS_LOG_LEVEL=
RFC1918_LOG_LEVEL=
MARK_IN_FORWARD_CHAIN=
OLD_PING_HANDLING=
SHARED_DIR=/usr/lib/shorewall
SHARED_DIR=/usr/share/shorewall
FUNCTIONS=
VERSION_FILE=
@ -4633,6 +4585,8 @@ do_initialize() {
[ -z "$FW" ] && FW=fw
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
[ -n "$ALLOWRELATED" ] || \
startup_error "ALLOWRELATED=No is not supported"
NAT_ENABLED="`added_param_value_yes NAT_ENABLED $NAT_ENABLED`"
MANGLE_ENABLED="`added_param_value_yes MANGLE_ENABLED $MANGLE_ENABLED`"
ADD_IP_ALIASES="`added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES`"
@ -4668,8 +4622,10 @@ do_initialize() {
NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES`
MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
[ -n "$FORWARDPING" ] && \
startup_error "FORWARDPING=Yes is no longer supported"
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
maclist_target=reject
@ -4709,10 +4665,6 @@ do_initialize() {
else
CLEAR_TC=
fi
OLD_PING_HANDLING=`added_param_value_yes OLD_PING_HANDLING $OLD_PING_HANDLING`
[ -z "$OLD_PING_HANDLING" -a -n "$FORWARDPING" ] && \
startup_error "FORWARDPING=Yes is incompatible with OLD_PING_HANDLING=No"
run_user_exit params
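Review bot: In `createchain` the new test `if [ $2 = yes ]; then` leaves `$2` unquoted, so any caller that omits the second argument — the old code accepted that via `$# -eq 1`, and the new header comment still reads as if it is optional — now executes `[ = yes ]`, which prints a `unary operator expected` diagnostic on stderr and happens to evaluate false. Write it as `if [ "$2" = yes ]; then` so an absent argument is a silent no-op; the two call sites changed in this commit (`ensurechain`, `apply_policy_rules`) pass `yes`, but createchain may well be called from code outside this diff, and the function's body continues past the hunk. Separately, the rewritten comment line `# who needs this strip_file nat` next to the DNS ACCEPT rules has a stray `strip_file nat` pasted onto the end of the comment; it is harmless but should be trimmed back to `# who needs this`.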


@ -1,6 +1,6 @@
#!/bin/sh
#
# Shorewall 1.3 -- /usr/lib/shorewall/functions
# Shorewall 2.0 -- /usr/lib/shorewall/functions
#
# Suppress all output for a command


@ -1,5 +1,5 @@
#
# Shorewall 1.3 - /etc/shorewall/hosts
# Shorewall 2.0 - /etc/shorewall/hosts
#
# WARNING: 90% of Shorewall users don't need to add entries to this
# file and 80% of those who try to add such entries get it
@ -30,11 +30,6 @@
# OPTIONS - A comma-separated list of options. Currently-defined
# options are:
#
# routestopped - (Deprecated -- use
# /etc/shorewall/routestopped)
# route messages to and from this
# member when the firewall is in the
# stopped state
# maclist - Connection requests from these hosts
# are compared against the contents of
# /etc/shorewall/maclist. If this option


@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/init
# Shorewall 2.0 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.


@ -1,7 +1,7 @@
#!/bin/sh
RCDLINKS="2,S41 3,S41 6,K41"
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.3.14RC1
VERSION=2.0.0Alpha1
usage() # $1 = exit status
{
@ -93,6 +93,18 @@ backup_file() # $1 = file to backup
fi
}
delete_file() # $1 = file to delete
{
if [ -z "$PREFIX" -a -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
if (mv $1 ${1}-${VERSION}.bkout); then
echo
echo "$1 moved to ${1}-${VERSION}.bkout"
else
exit 1
fi
fi
}
modify_rclocal()
{
if [ -f /etc/rc.d/rc.local ]; then
@ -261,10 +273,10 @@ echo
echo "Shorewall script installed in ${PREFIX}${DEST}/$FIREWALL"
#
# Create /etc/shorewall, /usr/lib/shorewall and /var/shorewall if needed
# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
#
mkdir -p ${PREFIX}/etc/shorewall
mkdir -p ${PREFIX}/usr/lib/shorewall
mkdir -p ${PREFIX}/usr/share/shorewall
mkdir -p ${PREFIX}/var/lib/shorewall
#
# Install the config file
@ -300,10 +312,10 @@ if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then
rm -f ${PREFIX}/var/lib/shorewall/functions
fi
install_file_with_backup functions ${PREFIX}/usr/lib/shorewall/functions 0444
install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
echo
echo "Common functions installed in ${PREFIX}/usr/lib/shorewall/functions"
echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions"
#
# Install the common.def file
#
@ -311,13 +323,11 @@ install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444
echo
echo "Common rules installed in ${PREFIX}/etc/shorewall/common.def"
#
# Install the icmp.def file
#
install_file_with_backup icmp.def ${PREFIX}/etc/shorewall/icmp.def 0444
echo
echo "Common ICMP rules installed in ${PREFIX}/etc/shorewall/icmp.def"
#
# Delete the icmp.def file
#
delete_file icmp.def
#
# Install the policy file
@ -531,7 +541,9 @@ fi
# Backup the version file
#
if [ -z "$PREFIX" ]; then
if [ -f /usr/lib/shorewall/version ]; then
if [ -f /usr/share/shorewall/version ]; then
backup_file /usr/share/shorewall/version
elif [ -f /usr/lib/shorewall/version ]; then
backup_file /usr/lib/shorewall/version
elif [ -n "$oldversion" ]; then
echo $oldversion > /usr/lib/shorewall/version-${VERSION}.bkout
@ -542,10 +554,10 @@ fi
#
# Create the version file
#
echo "$VERSION" > ${PREFIX}/usr/lib/shorewall/version
chmod 644 ${PREFIX}/usr/lib/shorewall/version
echo "$VERSION" > ${PREFIX}/usr/share/shorewall/version
chmod 644 ${PREFIX}/usr/share/shorewall/version
#
# Remove and create the symbolic link to the firewall script
# Remove and create the symbolic link to the init script
#
if [ -z "$PREFIX" ]; then
@ -554,12 +566,13 @@ if [ -z "$PREFIX" ]; then
[ -L /usr/lib/shorewall/firewall ] && \
mv -f /usr/lib/shorewall/firewall /usr/lib/shorewall/firewall-${VERSION}.bkout
rm -f /usr/lib/shorewall/init
ln -s ${DEST}/${FIREWALL} /usr/lib/shorewall/init
rm -f /usr/share/shorewall/init
ln -s ${DEST}/${FIREWALL} /usr/share/shorewall/init
fi
#
# Install the firewall script
#
install_file_with_backup firewall ${PREFIX}/usr/lib/shorewall/firewall 0544
install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544
if [ -z "$PREFIX" -a -n "$first_install" ]; then
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then


@ -1,5 +1,5 @@
#
# Shorewall 1.3 -- Interfaces File
# Shorewall 2.0 -- Interfaces File
#
# /etc/shorewall/interfaces
#
@ -46,11 +46,6 @@
# a DHCP server running on the firewall or
# you have a static IP but are on a LAN
# segment with lots of Laptop DHCP clients.
# routestopped - (Deprecated -- use
# /etc/shorewall/routestopped)
# When the firewall is stopped, allow
# and route traffic to and from this
# interface.
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
@ -106,21 +101,19 @@
# local subnet is 192.168.1.0/24. The interface gets
# it's IP address via DHCP from subnet
# 206.191.149.192/27. You have a DMZ with subnet
# 192.168.2.0/24 using eth2. You want to be able to
# access the firewall from the local network when the
# firewall is stopped.
# 192.168.2.0/24 using eth2.
#
# Your entries for this setup would look like:
#
# net eth0 206.191.149.223 dhcp
# local eth1 192.168.1.255 routestopped
# local eth1 192.168.1.255
# dmz eth2 192.168.2.255
#
# Example 2: The same configuration without specifying broadcast
# addresses is:
#
# net eth0 detect dhcp
# loc eth1 detect routestopped
# loc eth1 detect
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet


@ -1,5 +1,5 @@
#
# Shorewall 1.3 - MAC list file
# Shorewall 2.0 - MAC list file
#
# /etc/shorewall/maclist
#


@ -1,5 +1,5 @@
#
# Shorewall 1.3 - Masquerade file
# Shorewall 2.0 - Masquerade file
#
# /etc/shorewall/masq
#


@ -1,7 +1,12 @@
##############################################################################
# Shorewall 1.3 /etc/shorewall/modules
# Shorewall 2.0 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
#
loadmodule ip_tables
loadmodule iptable_filter


@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.3 -- Network Address Translation Table
# Shorewall 2.0 -- Network Address Translation Table
#
# /etc/shorewall/nat
#


@ -1,5 +1,5 @@
#
# Shorewall 1.3 /etc/shorewall/params
# Shorewall 2.0 /etc/shorewall/params
#
# Assign any variables that you need here.
#
@ -11,7 +11,7 @@
#
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=noping,norfc1918
# NET_OPTIONS=routefilter,norfc1918
#
# Example (/etc/shorewall/interfaces record):
#
@ -19,7 +19,7 @@
#
# The result will be the same as if the record had been written
#
# net eth0 130.252.100.255 noping,norfc1918
# net eth0 130.252.100.255 routefilter,norfc1918
#
# Variables can be used in the following places in the other configuration
# files:


@ -1,5 +1,5 @@
#
# Shorewall 1.3 -- Policy File
# Shorewall 2.0 -- Policy File
#
# /etc/shorewall/policy
#


@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.3 -- Proxy ARP
# Shorewall 2.0 -- Proxy ARP
#
# /etc/shorewall/proxyarp
#


@ -1,105 +1,41 @@
This is a minor release of Shorewall that has a couple of new features.
This is a major release of Shorewall.
New features include:
Function from 1.3 that has been omitted from this version include:
1) An OLD_PING_HANDLING option has been added to shorewall.conf. When
set to Yes, Shorewall ping handling is as it has always been (see
http://www.shorewall.net/ping.html).
1) The MERGE_HOSTS variable in shorewall.conf is no longer
supported. Shorewall 2.0 behavior is the same as 1.3 with
MERGE_HOSTS=Yes.
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
policies just like any other connection request. The FORWARDPING
option in shorewall.conf is ignored and the 'noping' and
'filterping' options in /etc/shorewall/interfaces will generate an
error.
2. Interface names of the form <device>:<integer> in
/etc/shorewall/interfaces now generate an error.
2) It is now possible to direct Shorewall to create a "label" such as
"eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label
instead of just the interface name:
3. Shorewall 2.0 implements behavior consistent with
OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error
at startup as will specification of the 'noping' or 'filterping'
interface options.
a) In the INTERFACE column of /etc/shorewall/masq
b) In the INTERFACE column of /etc/shorewall/nat
4. The 'routestopped' option in the /etc/shorewall/interfaces and
/etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.
3) The ability to name your VLAN interfaces using the $dev.$vid
convention (e.g., "eth0.0") has been restored. This capability was
inadvertently broken in version 1.3.12.
5. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
accepted.
4) Support has been added for defining OpenVPN tunnels in the
/etc/shorewall/tunnels file.
6. The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 2.0 behavior is the same as 1.3 with
ALLOWRELATED=Yes.
5) When an interface name is entered in the SUBNET column of the
/etc/shorewall/masq file, Shorewall previously masqueraded traffic
from only the first subnet defined on that interface. It did not
masquerade traffic from:
Changes for 2.0 include:
a) The subnets associated with other addresses on the interface.
b) Subnets accessed through local routers.
1. shorewall.conf has been completely reorganized into logical
sections.
Beginning with Shorewall 1.3.14, if you enter an interface name in
the SUBNET column, shorewall will use the firewall's routing table
to construct the masquerading/SNAT rules.
2. LOG is now a valid action for a rule (/etc/shorewall/rules).
Example 1 -- This is how it works in 1.3.14.
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
3. The firewall script and version file are now installed in
/usr/share/shorewall.
When upgrading to Shorewall 1.3.14, if you have multiple local
subnets connected to an interface that is specified in the SUBNET
column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
file will need changing. In most cases, you will simply be able to
remove redundant entries. In some cases though, you might want to change
from using the interface name to listing specific subnetworks if the
change described above will cause masquerading to occur on
subnetworks that you don't wish to masquerade.
4. Late arriving DNS replies are now silently dropped in the common
chain by default.
Example 2 -- Suppose that your current config is as follows:
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
In this case, the second entry in /etc/shorewall/masq is no longer
required.
Example 3 -- What if your current configuration is like this?
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
In this case, you would want to change the entry in
/etc/shorewall/masq to:
#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -1,5 +1,5 @@
#
# Shorewall 1.3 -- RFC1918 File
# Shorewall 2.0 -- RFC1918 File
#
# /etc/shorewall/rfc1918
#


@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped
# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped
#
# /etc/shorewall/routestopped
#


@ -1,5 +1,5 @@
#
# Shorewall version 1.3 - Rules File
# Shorewall version 2.0 - Rules File
#
# /etc/shorewall/rules
#


@ -1,6 +1,6 @@
#!/bin/sh
#
# Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002
# Shorewall Packet Filtering Firewall Control Program - V2.0 - 3/14/2003
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
@ -570,7 +570,7 @@ fi
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHARED_DIR=/usr/lib/shorewall
SHARED_DIR=/usr/share/shorewall
MUTEX_TIMEOUT=
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
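Review bot: The new default `SHARED_DIR=/usr/share/shorewall` is assigned immediately before the script tests for `$SHOREWALL_DIR/shorewall.conf`, and shorewall.conf itself carries its own `SHARED_DIR=` line (this commit changes the shipped copy to /usr/share/shorewall, but shorewall.spec keeps shorewall.conf as `%config(noreplace)`), so on an upgraded system a preserved 1.3 shorewall.conf would presumably reset SHARED_DIR to /usr/lib/shorewall once the conf is sourced — a directory where install.sh no longer places `functions` or `firewall`. The statement run continues outside the hunk, so I cannot see whether the conf is sourced here, but if it is, the value should be re-asserted after sourcing or validated before use, e.g. `[ -f $SHARED_DIR/functions ] || { echo "Shorewall functions not found in $SHARED_DIR" >&2; exit 2; }`. The same duplicated setting appears in the shorewall.conf hunk under "DISTRIBUTION-SPECIFIC SETTINGS"; keeping the path in one place (the script) would remove the upgrade hazard entirely.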


@ -1,5 +1,5 @@
##############################################################################
# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
# /etc/shorewall/shorewall.conf V2.0 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
@ -8,13 +8,16 @@
#
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
##############################################################################
#
# D I S T R I B U T I O N - S P E C I F I C S E T T I N G S
##############################################################################
# You should not have to change the variables in this section -- they are set
# by the packager of your Shorewall distribution
#
SHARED_DIR=/usr/lib/shorewall
SHARED_DIR=/usr/share/shorewall
#
##############################################################################
# L O G G I N G
##############################################################################
#
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters
@ -45,59 +48,19 @@ SHARED_DIR=/usr/lib/shorewall
# configured to log all Shorewall message to their own log file
################################################################################
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
# LOG FILE LOCATION
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/shorewall_logging.html
#
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
#
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
#
SUBSYSLOCK=/var/lock/subsys/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/var/lib/shorewall
#
# ALLOW RELATED CONNECTIONS
#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want
# to accept FTP data connections. If you say "no" here, then to accept
# these connections between particular zones or hosts, you must include
# explicit "related" rules in /etc/shorewall/rules.
#
ALLOWRELATED=yes
#
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=
LOGFILE=/var/log/messages
#
# LOG RATE LIMITING
@ -132,25 +95,133 @@ LOGBURST=
# packets are logged under the 'logunclean' interface option. If the variable
# is empty, these packets will still be logged at the 'info' level.
#
# See the comment at the top of this file for a description of log levels
# See the comment at the top of this section for a description of log levels
#
LOGUNCLEAN=info
#
# LOG FILE LOCATION
# BLACKLIST LOG LEVEL
#
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
# Set this variable to the syslogd level that you want blacklist packets logged
# (beware of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
# See the comment at the top of this section for a description of log levels
#
# http://www.shorewall.net/FAQ.htm#faq6
BLACKLIST_LOGLEVEL=
LOGFILE=/var/log/messages
#
# LOGGING 'New not SYN' rejects
#
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# See the comment at the top of this section for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN=
#
# MAC List Log Level
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
# See the comment at the top of this section for a description of log levels
#
MACLIST_LOG_LEVEL=info
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
# See the comment at the top of this section for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=info
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this section for a description of log levels
#
RFC1918_LOG_LEVEL=info
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
#
SUBSYSLOCK=/var/lock/subsys/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/var/lib/shorewall
#
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=
################################################################################
# F I R E W A L L O P T I O N S
################################################################################
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
# ALLOW RELATED CONNECTIONS
#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want
# to accept FTP data connections. If you say "no" here, then to accept
# these connections between particular zones or hosts, you must include
# explicit "related" rules in /etc/shorewall/rules.
#
ALLOWRELATED=yes
#
# ENABLE NAT SUPPORT
@ -214,24 +285,40 @@ ADD_SNAT_ALIASES=No
TC_ENABLED=No
#
# BLACKLIST DISPOSITION
# Clear Traffic Shapping/Control
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
# If this option is set to 'No' then Shorewall won't clear the current
# traffic control rules during [re]start. This setting is intended
# for use by people that prefer to configure traffic shaping when
# the network interfaces come up rather than when the firewall
# is started. If that is what you want to do, set TC_ENABLED=Yes and
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
# way, your traffic shaping rules can still use the 'fwmark'
# classifier based on packet marking defined in /etc/shorewall/tcrules.
#
BLACKLIST_DISPOSITION=DROP
# If omitted, CLEAR_TC=Yes is assumed.
CLEAR_TC=Yes
#
# BLACKLIST LOG LEVEL
# Mark Packets in the forward chain
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beward of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# See the comment at the top of this file for a description of log levels
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
BLACKLIST_LOGLEVEL=
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
#
# MSS CLAMPING
@ -335,39 +422,6 @@ MULTIPORT=No
DETECT_DNAT_IPADDRS=No
#
# MERGE HOSTS FILE
#
# The traditional behavior of the /etc/shorewall/hosts file has been that
# if that file has ANY entry for a zone then the zone must be defined
# entirely in the hosts file. This is counter-intuitive and has caused
# people some problems.
#
# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
# are added to the contents described in the /etc/shorewall/interfaces file.
#
# Example: Suppose that we have the following interfaces and hosts files:
#
# Interfaces:
#
# net eth0
# loc eth1
# - ppp+
#
# Hosts:
#
# loc ppp+:192.168.1.0/24
# wrk ppp+:!192.168.1.0/24
#
# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just
# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
# ppp+:192.168.1.0 and eth1:0.0.0.0/0
#
# If this variable is not set or is set to the empty value, "No" is assumed.
MERGE_HOSTS=Yes
#
# MUTEX TIMEOUT
#
@ -383,36 +437,6 @@ MERGE_HOSTS=Yes
MUTEX_TIMEOUT=60
#
# LOGGING 'New not SYN' rejects
#
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# See the comment at the top of this file for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN=
#
# Old Ping Handling
#
# If this option is set to "Yes" then Shorewall will use its old ping handling
# facility including the FORWARDPING option in this file and the 'noping' and
# 'filterping' interface options. If this option is set to 'No' then ping
# is handled via policy and rules just like any other connection request.
#
# If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND
# DON'T DELETE IT!!!!!!
#
OLD_PING_HANDLING=No
#
# NEWNOTSYN
#
@ -430,6 +454,18 @@ OLD_PING_HANDLING=No
NEWNOTSYN=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
#
# BLACKLIST DISPOSITION
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
#
# MAC List Disposition
#
@ -441,18 +477,6 @@ NEWNOTSYN=No
MACLIST_DISPOSITION=REJECT
#
# MAC List Log Level
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
MACLIST_LOG_LEVEL=info
#
# TCP FLAGS Disposition
#
@ -463,64 +487,4 @@ MACLIST_LOG_LEVEL=info
TCP_FLAGS_DISPOSITION=DROP
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=info
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this file for a description of log levels
#
RFC1918_LOG_LEVEL=info
#
# Mark Packets in the forward chain
#
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
#
# Clear Traffic Shapping/Control
#
# If this option is set to 'No' then Shorewall won't clear the current
# traffic control rules during [re]start. This setting is intended
# for use by people that prefer to configure traffic shaping when
# the network interfaces come up rather than when the firewall
# is started. If that is what you want to do, set TC_ENABLED=Yes and
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
# way, your traffic shaping rules can still use the 'fwmark'
# classifier based on packet marking defined in /etc/shorewall/tcrules.
#
# If omitted, CLEAR_TC=Yes is assumed.
CLEAR_TC=Yes
#LAST LINE -- DO NOT REMOVE
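Review bot: The reorganized file still documents and sets `ALLOWRELATED=yes` under "FIREWALL OPTIONS", while releasenotes.txt in this same commit lists ALLOWRELATED (item 6) alongside MERGE_HOSTS and OLD_PING_HANDLING as no longer supported — and this file does drop the latter two. Either the ALLOWRELATED block should be removed here as well, or, if the variable is still honored by the firewall script, the release notes are wrong; as committed, a user reading both files cannot tell which is true. While the traffic-control block is being moved, its heading `# Clear Traffic Shapping/Control` could also be corrected to `# Clear Traffic Shaping/Control`.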


@ -1,6 +1,6 @@
%define name shorewall
%define version 1.3.14
%define release 0RC1
%define version 2.0.0
%define release 0Alpha1
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -71,11 +71,10 @@ fi
%files
/etc/init.d/shorewall
%attr(0700,root,root) %dir /etc/shorewall
%attr(0700,root,root) %dir /usr/lib/shorewall
%attr(0700,root,root) %dir /usr/share/shorewall
%attr(0700,root,root) %dir /var/lib/shorewall
%attr(0600,root,root) /usr/lib/shorewall/version
%attr(0600,root,root) /usr/share/shorewall/version
%attr(0600,root,root) /etc/shorewall/common.def
%attr(0600,root,root) /etc/shorewall/icmp.def
%attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
@ -99,12 +98,16 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
%attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /usr/lib/shorewall/functions
%attr(0544,root,root) /usr/lib/shorewall/firewall
%attr(0444,root,root) /usr/share/shorewall/functions
%attr(0544,root,root) /usr/share/shorewall/firewall
%doc documentation
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Thu Feb 06 2003 Tom Eastep <tom@shorewall.net>
- Changes version to 2.0.0Alpha1
- Delete icmp.def
- Move firewall and version to /usr/share/shorewall
* Tue Feb 04 2003 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.14-0RC1
* Tue Jan 28 2003 Tom Eastep <tom@shorewall.net>
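Review bot: The %files list now owns `%dir /usr/share/shorewall`, `version`, `functions` and `firewall` there, but none of the visible %files lines claims `/usr/share/shorewall/init`, the symlink install.sh creates in that directory when PREFIX is empty (the `rm -f`/`ln -s` pair in the install.sh hunk). If the symlink is created by %post (not visible in this chunk), the matching %postun should remove it, otherwise `rpm -e` leaves the directory non-empty and the `%dir` entry is silently not removed; if it is meant to be packaged, adding `/usr/share/shorewall/init` to %files would make the ownership explicit.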


@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/start
# Shorewall 2.0 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.


@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/stop
# Shorewall 2.0 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.


@ -1,5 +1,5 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/stopped
# Shorewall 2.0 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.


@ -1,5 +1,5 @@
#
# Shorewall version 1.3 - Traffic Control Rules File
# Shorewall version 2.0 - Traffic Control Rules File
#
# /etc/shorewall/tcrules
#


@ -1,5 +1,5 @@
#
# Shorewall 1.3 -- /etc/shorewall/tos
# Shorewall 2.0 -- /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#


@ -2,7 +2,7 @@
RCDLINKS="2,S45 3,S45 6,K45"
################################################################################
# Script to create a gre or ipip tunnel -- Shorewall 1.3
# Script to create a gre or ipip tunnel -- Shorewall 2.0
#
# Modified - Steve Cowles 5/9/2000
# Incorporated init {start|stop} syntax and iproute2 usage


@ -1,5 +1,5 @@
#
# Shorewall 1.3 - /etc/shorewall/tunnels
# Shorewall 2.0 - /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.14RC1
VERSION=2.0.0Alpha1
usage() # $1 = exit status
{
@ -108,6 +108,7 @@ fi
rm -rf /etc/shorewall
rm -rf /usr/lib/shorewall
rm -rf /var/lib/shorewall
rm -rf /usr/share/shorewall
echo "Shorewall Uninstalled"


@ -1,5 +1,5 @@
#
# Shorewall 1.3 /etc/shorewall/zones
# Shorewall 2.0 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#