diff --git a/Shorewall/INSTALL b/Shorewall/INSTALL index 58e4501ff..340a94d9f 100644 --- a/Shorewall/INSTALL +++ b/Shorewall/INSTALL @@ -1,4 +1,4 @@ -Shoreline Firewall (Shorewall) Version 1.3 - 6/14/2002 +Shoreline Firewall (Shorewall) Version 2.0 - 3/14/2003 ----- ---- ----------------------------------------------------------------------------- @@ -28,7 +28,7 @@ o Edit the configuration files to fit your environment. To do this, I strongly advise you to follow the instructions at: - http://shorewall.sf.net/shorewall_quickstart_guide.htm + http://www.shorewall.net/shorewall_quickstart_guide.htm o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or Debian, then type "./install.sh". diff --git a/Shorewall/blacklist b/Shorewall/blacklist index 33df1518c..3367f76fc 100755 --- a/Shorewall/blacklist +++ b/Shorewall/blacklist @@ -1,5 +1,5 @@ # -# Shorewall 1.3 -- Blacklist File +# Shorewall 2.0 -- Blacklist File # # /etc/shorewall/blacklist # diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index cfeb3947e..1a6a37dfc 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt 
@@ -1,22 +1,30 @@ -Changes since 1.3.13 +Changes since 1.3.14 -1. Fix 'shorewall add' bug. +1. All versions changed to 2.0. -2. Add OLD_PING_HANDLING option +2. Rework of error message generation to make the 'firewall' script + smaller. -3. Allow adding alias labels under ADD_IP_ALIASES=Yes. +3. Deimplemented MERGE_HOSTS=No. -4. Allow adding alias labels under ADD_SNAT_ALIASES=Yes. +4. Generate error for : name in interfaces file. -5. Use the routing table to generate list of subnets to be masqueraded - when an interface name appears in the SUBNET column of - /etc/shorewall/masq. +5. Deimplement old ping handling. -6. Restore $dev.$vid naming of VLAN interfaces. +6. Deimplement 'routestopped' interface/hosts option. -7. Updated copyrights for 2003. +7. Strip comments from potentially large files while the firewall is + still up and running during 'restart'. -8. Added support for openvpn tunnels on arbitrary ports +8. Disallow the old port forwarding/redirection syntax. -9. Corrected rule number calculation problem in 'shorewall add' command - processing. +9. Reorganize shorewall.conf. + +10. Added support for LOG target. + +11. Move firewall and version (one more time....) + +12. Add late DNS reply rule to the common chain. + +12. Corrected rule number calculation problem in 'shorewall add' command + processing. diff --git a/Shorewall/common.def b/Shorewall/common.def index cde58a555..4170898ea 100644 --- a/Shorewall/common.def +++ b/Shorewall/common.def @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 1.3 -- /etc/shorewall/common.def +# Shorewall 2.0 -- /etc/shorewall/common.def # # This file defines the rules that are applied before a policy of # DROP or REJECT is applied. In addition to the rules defined in this file, 
@@ -36,5 +36,9 @@ run_iptables -A common -d 224.0.0.0/4 -j DROP # AUTH -- Silently reject it so that connections don't get delayed. # run_iptables -A common -p tcp --dport 113 -j reject +############################################################################ +# DNS -- Silenty drop late replies +run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP + diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh index 3b8149ad1..0e6fd46a6 100755 --- a/Shorewall/fallback.sh +++ b/Shorewall/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=1.3.14RC1 +VERSION=2.0.0Alpha1 usage() # $1 = exit status { @@ -49,14 +49,18 @@ restore_file() # $1 = file to restore fi } -if [ ! -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then +if [ ! -f /usr/share/shorewall/version-${VERSION}.bkout ]; then echo "Shorewall Version $VERSION is not installed" exit 1 fi echo "Backing Out Installation of Shorewall $VERSION" -if [ -L /usr/lib/shorewall/firewall ]; then +if [ -L /usr/share/shorewall/init ]; then + FIREWALL=`ls -l /usr/share/shorewall/firewall | sed 's/^.*> //'` + restore_file $FIREWALL + restore_file /usr/share/shorewall/firewall +elif [ -L /usr/lib/shorewall/firewall ]; then FIREWALL=`ls -l /usr/lib/shorewall/firewall | sed 's/^.*> //'` restore_file $FIREWALL elif [ -L /var/lib/shorewall/firewall ]; then diff --git a/Shorewall/firewall b/Shorewall/firewall index 80a4adac3..fb472a6c4 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -1,6 +1,6 @@ #!/bin/sh # -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002 +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003 # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # @@ -95,7 +95,7 @@ error_message() # $* = Error Message # fatal_error() # $* = Error Message { - echo " $@" >&2 + echo " Error: $@" >&2 stop_firewall exit 2 } 
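Review bot: The new rule `run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP` matches every NEW UDP packet with source port 53 that reaches the common chain, not only "late replies"; since this file's header says these rules run just before a DROP or REJECT policy is applied, the real effect is that such packets are dropped silently instead of falling through to the policy (and whatever logging that policy carries), and the comment should say so rather than read as a DNS decision. The comment also has a typo and the module flag is spelled differently from `-m state` everywhere else in the script. Suggest `# DNS -- Silently drop late replies (any new UDP flow sourced from port 53 that would otherwise hit the DROP/REJECT policy)` and `run_iptables -A common -p udp --sport 53 -m state --state NEW -j DROP`.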
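Review bot: In the new `if [ -L /usr/share/shorewall/init ]` branch of fallback.sh the link test is on `init` but the path given to `ls -l` is `/usr/share/shorewall/firewall`; the install.sh hunks later in this diff install `firewall` there as a regular file and make `init` the symlink to `${DEST}/${FIREWALL}`, so `sed 's/^.*> //'` finds no `> `, FIREWALL ends up holding the entire `ls -l` line, and the unquoted `restore_file $FIREWALL` splits it into nonsense arguments. The line should read `FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')` and the call `restore_file "$FIREWALL"`. Parsing `ls -l` to resolve a link is fragile in any case (a target containing `> ` breaks it); if `readlink` can be assumed on the supported distributions it is the safer tool. The `elif` branches continue past the end of the hunk.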
@@ -106,7 +106,7 @@ fatal_error() # $* = Error Message # startup_error() # $* = Error Message { - echo " $@" >&2 + echo " Error: $@" >&2 my_mutex_off [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR kill $$ @@ -225,13 +225,12 @@ run_tc() { # variable ${1}_exists and set its value to Yes to indicate that the chain now # exists. # -createchain() # $1 = chain name, $2 = If non-null, don't create default rules +createchain() # $1 = chain name, $2 = If "yes", create default rules { run_iptables -N $1 - if [ $# -eq 1 ]; then - state="ESTABLISHED" - [ -n "$ALLOWRELATED" ] && state="$state,RELATED" + if [ $2 = yes ]; then + state="ESTABLISHED,RELATED" run_iptables -A $1 -m state --state $state -j ACCEPT [ -z "$NEWNOTSYN" ] && \ run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn @@ -273,7 +272,7 @@ mangle_chain_exists() # $1 = chain name # ensurechain() # $1 = chain name { - havechain $1 || createchain $1 + havechain $1 || createchain $1 yes } # @@ -502,8 +501,11 @@ determine_interfaces() { # Determine the defined hosts in each zone and generate report # determine_hosts() { - do_a_zone() - { + + for zone in $zones; do + hosts=`find_hosts $zone` + hosts=`echo $hosts` # Remove extra trash + eval interfaces=\$${zone}_interfaces for interface in $interfaces; do @@ -513,10 +515,7 @@ determine_hosts() { hosts="$hosts $interface:0.0.0.0/0" fi done - } - recalculate_interfaces() - { interfaces= for host in $hosts; do 
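Review bot: `if [ $2 = yes ]; then` in createchain leaves `$2` unquoted, so any caller that still invokes `createchain $chain` with a single argument (the 1.3 convention, where no second argument meant "add the default rules") now gets a `[: =: unary operator expected` error and a chain with no ESTABLISHED,RELATED accept; this diff converts ensurechain and apply_policy_rules, but other call sites in the script are outside the hunks shown. Quote it, `if [ "$2" = yes ]; then`, so a missing argument is a clean "no" instead of a test error, and grep the rest of the script for one-argument calls since the meaning of the second argument has been inverted relative to 1.3. The remainder of createchain is outside the hunk.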
@@ -531,32 +530,6 @@ determine_hosts() { done eval ${zone}_interfaces="\$interfaces" - } - - for zone in $zones; do - hosts=`find_hosts $zone` - hosts=`echo $hosts` # Remove extra trash - - if [ -n "MERGE_HOSTS" ]; then - # - # Zone will be the union of its host and interface definitions - # - do_a_zone - recalculate_interfaces - elif [ -n "$hosts" ]; then - # - # Zone is defined in terms of hosts -- derive the interface list - # from the host list - # - recalculate_interface - else - # - # If no hosts are defined for a zone then the zone consists of any - # host that can send us messages via the interfaces to the zone - # - do_a_zone - fi - eval ${zone}_hosts="\$hosts" if [ -n "$hosts" ]; then @@ -591,10 +564,16 @@ validate_interfaces_file() { fi [ "x$interface" = "xlo" ] && \ - startup_error "Error: The loopback interface (lo) may not be defined in /etc/shorewall/interfaces" + startup_error "The loopback interface (lo) may not be defined in /etc/shorewall/interfaces" list_search $interface $all_interfaces && \ - startup_error "Error: Duplicate Interface $interface" + startup_error "Duplicate Interface $interface" + + case $interface in + *:*) + startup_error "Invalid Interface Name: $interface" + ;; + esac all_interfaces="$all_interfaces $interface" options=`separate_list $options` @@ -606,21 +585,17 @@ validate_interfaces_file() { for option in $options; do case $option in - dhcp|routestopped|norfc1918|multi|tcpflags) + dhcp|norfc1918|multi|tcpflags) ;; routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-) ;; - noping|filterping) - [ -n "$OLD_PING_HANDLING" ] || \ - startup_error "Option $option only allowed with old ping handling" - ;; *) error_message "Warning: Invalid option ($option) in record \"$r\"" ;; esac done - [ -z "$all_interfaces" ] && startup_error "Error: No Interfaces Defined" + [ -z "$all_interfaces" ] && startup_error "No Interfaces Defined" done < $TMP_DIR/interfaces } 
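Review bot: Dropping `routestopped`, `noping` and `filterping` from the accepted option list means a 1.3 interfaces file that still uses them now falls into the `*)` arm and only gets `Warning: Invalid option`, while the behaviour those options provided is gone: a host that relied on `noping` to drop echo requests now has pings decided by the rules and policy, and an interface that relied on `routestopped` to stay reachable during `shorewall stop` no longer does, which can lock a remote administrator out. The `*:*` case added in the hunk above already turns a malformed interface name into a `startup_error`; the removed options deserve the same so the upgrade fails loudly rather than changing exposure behind a warning, e.g. `noping|filterping) startup_error "Option $option is no longer supported" ;;` and `routestopped) startup_error "Option $option has been removed -- use /etc/shorewall/routestopped" ;;` (the pointer matches the deprecation text removed from the interfaces and hosts files in this diff). The start of validate_interfaces_file is outside these hunks.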
@@ -642,7 +617,7 @@ validate_hosts_file() { for option in `separate_list $options`; do case $option in - routestopped|maclist|-) + maclist|-) ;; *) error_message "Warning: Invalid option ($option) in record \"$r\"" @@ -725,7 +700,7 @@ validate_rule() { serv=$server ;; ~*) - startup_error "Error: Rule \"$rule\" - Destination may not be specified by MAC Address" + startup_error "Rule \"$rule\" - Destination may not be specified by MAC Address" ;; *) dest_interface="-o $server" @@ -771,21 +746,29 @@ validate_rule() { REJECT) target=reject [ -n "$servport" ] && \ - startup_error "Error: server port may not be specified in a REJECT rule;"\ + startup_error "Server port may not be specified in a REJECT rule;"\ "rule: \"$rule\"" ;; ACCEPT) [ -n "$servport" ] && \ - startup_error "Error: server port may not be specified in an ACCEPT rule;"\ + startup_error "Server port may not be specified in an ACCEPT rule;"\ "rule: \"$rule\"" ;; + LOG) + [ -n "$servport" ] && \ + startup_error "Server port may not be specified in an LOG rule;"\ + "rule: \"$rule\"" + + [ -n "$loglevel" ] || \ + startup_error "LOG target requires a log level" + ;; REDIRECT) - [ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\ + [ -n "$serv" ] && startup_error "REDIRECT rules cannot"\ " specify a server IP; rule: \"$rule\"" servport=${servport:=$port} ;; DNAT) - [ -n "$serv" ] || startup_error "Error: DNAT rules require a" \ + [ -n "$serv" ] || startup_error "DNAT rules require a" \ " server address; rule: \"$rule\"" ;; esac 
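Review bot: The new `LOG)` arm in validate_rule says `Server port may not be specified in an LOG rule;` — should be `a LOG rule`. A smaller consistency point: here the missing-level check reads `startup_error "LOG target requires a log level"` while the matching check added to add_a_rule later in this diff reads `fatal_error "LOG requires log level"`; using identical wording lets `shorewall check` and `shorewall start` report the same problem the same way. The same hosts-file hunk above also downgrades `routestopped` to a warning, with the same lockout risk noted for the interfaces file.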
@@ -805,17 +788,17 @@ validate_rule() { # if [ -z "$NAT_ENABLED" ]; then startup_error \ - "Error - Rule \"$rule\" requires NAT which is disabled" + "Rule \"$rule\" requires NAT which is disabled" fi if [ "$target" != "ACCEPT" ]; then - startup_error "Error - Only ACCEPT rules may specify " \ + startup_error "Only ACCEPT rules may specify " \ "port mapping; rule \"$rule\"" fi fi else [ -n "$addr" ] && startup_error \ - "Error: An ADDRESS ($addr) is only allowed in" \ + "An ADDRESS ($addr) is only allowed in" \ " a DNAT or REDIRECT rule: \"$rule\"" fi } @@ -835,9 +818,7 @@ validate_rule() { logtarget="$target" # # DNAT and REDIRECT targets were implemented in version 1.3 to replace - # an older syntax. We simply map the new syntax into the old and proceed; - # that way, people who have files with the old syntax don't need to - # convert right away. + # an older syntax. We simply map the new syntax into the old and proceed. # case $target in DNAT) @@ -858,11 +839,10 @@ validate_rule() { servers="fw::$servers" fi ;; - ACCEPT|DROP|REJECT) + ACCEPT|DROP|REJECT|LOG) ;; *) - startup_error "Error: Invalid target;" \ - " rule: \"$rule\"" + startup_error "Invalid target; rule: \"$rule\"" esac @@ -873,7 +853,7 @@ validate_rule() { clientzone="${clients%%:*}" clients="${clients#*:}" [ -z "$clientzone" -o -z "$clients" ] && \ - startup_error "Error: Empty source zone or qualifier: rule \"$rule\"" + startup_error "Empty source zone or qualifier: rule \"$rule\"" fi if [ "$clientzone" = "${clientzone%\!*}" ]; then 
@@ -883,13 +863,13 @@ validate_rule() { clientzone="${clientzone%\!*}" [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ - startup_error "Error: Exclude list only allowed with DNAT or REDIRECT" + startup_error "Exclude list only allowed with DNAT or REDIRECT" fi # # Validate the Source Zone # if ! validate_zone $clientzone; then - [ "x$clientzone" = xall ] || startup_error "Error: Undefined Client Zone in rule \"$rule\"" + [ "x$clientzone" = xall ] || startup_error "Undefined Client Zone in rule \"$rule\"" fi source=$clientzone @@ -910,18 +890,18 @@ validate_rule() { serverport="${servers#*:}" servers="${servers%:*}" [ -z "$serverzone" -o -z "$serverport" ] && \ - startup_error "Error: Empty destination zone or server port: rule \"$rule\"" + startup_error "Empty destination zone or server port: rule \"$rule\"" else serverport= [ -z "$serverzone" -o -z "$servers" ] && \ - startup_error "Error: Empty destination zone or qualifier: rule \"$rule\"" + startup_error "Empty destination zone or qualifier: rule \"$rule\"" fi fi # # Validate the destination zone # if ! validate_zone $serverzone; then - [ "x$serverzone" = xall ] || startup_error "Error: Undefined Server Zone in rule \"$rule\"" + [ "x$serverzone" = xall ] || startup_error "Undefined Server Zone in rule \"$rule\"" fi dest=$serverzone @@ -976,13 +956,13 @@ validate_rules() # $1 = name of rules file expandv clients servers protocol ports cports address case "$target" in - ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*) + ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*|LOG*) rule="`echo $target $clients $servers $protocol $ports $cports $address`" validate_rule ;; *) rule="`echo $target $clients $servers $protocol $ports $cports $address`" - startup_error "Error: Invalid Target - rule \"$rule\" ignored" + startup_error "Invalid Target - rule \"$rule\" ignored" ;; esac done < $TMP_DIR/rules 
@@ -1013,7 +993,7 @@ validate_policy() all_policy_chains= - strip_file policy $policy + strip_file policy while read client server policy loglevel synparams; do expandv client server policy loglevel synparams @@ -1027,7 +1007,7 @@ validate_policy() ;; *) if ! validate_zone $client; then - startup_error "Error: Undefined zone $client" + startup_error "Undefined zone $client" fi esac @@ -1037,7 +1017,7 @@ validate_policy() ;; *) if ! validate_zone $server; then - startup_error "Error: Undefined zone $server" + startup_error "Undefined zone $server" fi esac @@ -1045,17 +1025,17 @@ validate_policy() ACCEPT|REJECT|DROP|CONTINUE) ;; *) - startup_error "Error: Invalid policy $policy" + startup_error "Invalid policy $policy" ;; esac chain=${client}2${server} [ "x$chain" = "x${FW}2${FW}" ] && \ - startup_error "Error: fw->fw policy not allowed: $policy" + startup_error "fw->fw policy not allowed: $policy" if is_policy_chain $chain ; then - startup_error "Error: Duplicate policy $policy" + startup_error "Duplicate policy $policy" fi [ "x$loglevel" = "x-" ] && loglevel= @@ -1275,7 +1255,7 @@ stop_firewall() { deleteallchains - hosts="`find_hosts_by_option routestopped`" + hosts= strip_file routestopped @@ -1522,8 +1502,6 @@ setup_proxy_arp() { > ${STATEDIR}/proxyarp - strip_file proxyarp - while read address interface external haveroute; do expandv address interface external haveroute setup_one_proxy_arp @@ -1578,7 +1556,7 @@ setup_mac_lists() { eth*) ;; *) - fatal_error "Error: MAC verification is only supported on ethernet devices: $interface" + fatal_error "MAC verification is only supported on ethernet devices: $interface" ;; esac @@ -1587,7 +1565,6 @@ setup_mac_lists() { # # Process the maclist file producing the verification rules # - strip_file maclist while read interface mac addresses; do expandv interface mac addresses 
@@ -1595,7 +1572,7 @@ setup_mac_lists() { chain=`mac_chain $interface` if ! havechain $chain ; then - fatal_error "Error: No hosts on $interface have the maclist option specified" + fatal_error "No hosts on $interface have the maclist option specified" fi macpart=`mac_match $mac` @@ -1629,7 +1606,7 @@ setup_mac_lists() { blob=`ip addr show $interface 2> /dev/null | grep inet | sed 's/inet //; s/brd //; s/scope.*//;'` [ -z "$blob" ] && \ - fatal_error "Error: Interface $interface must be up before Shorewall can start" + fatal_error "Interface $interface must be up before Shorewall can start" set -- $blob @@ -1728,8 +1705,6 @@ setup_nat() { # > ${STATEDIR}/nat - strip_file nat - echo "Setting up NAT..." while read external interface internal allints localnat; do @@ -1807,7 +1782,7 @@ process_tc_rule() ;; *) if ! list_search $source $all_interfaces; then - fatal_error "Error: Unknown interface $source in rule \"$rule\"" + fatal_error "Unknown interface $source in rule \"$rule\"" fi r="-i $source " @@ -1976,19 +1951,18 @@ refresh_tc() { add_nat_rule() { local chain - # Be sure NAT is enabled - - if [ -z "$NAT_ENABLED" ]; then - fatal_error \ - "Error - Rule \"$rule\" requires NAT which is disabled" - fi - - # Onle ACCEPT (plus DNAT and REDIRECT) may result in NAT - - if [ "$target" != "ACCEPT" ]; then - fatal_error "Error - Only DNAT and REDIRECT rules may specify " \ - "port mapping; rule \"$rule\"" - fi + # Be sure we should and can NAT + + case $logtarget in + DNAT|REDIRECT) + if [ -z "$NAT_ENABLED" ]; then + fatal_error "Rule \"$rule\" requires NAT which is disabled" + fi + ;; + *) + fatal_error "Only DNAT and REDIRECT rules may specify port mapping; rule \"$rule\"" + ;; + esac # Parse SNAT address if any 
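Review bot: The rewritten add_nat_rule rejects any `$logtarget` other than DNAT or REDIRECT with `Only DNAT and REDIRECT rules may specify port mapping`, but the corresponding check in validate_rule earlier in this diff still tests `[ "$target" != "ACCEPT" ]` and says `Only ACCEPT rules may specify port mapping`; the two messages now contradict each other about which targets may carry a port mapping. Changelog item 8 says the old ACCEPT-with-port-forwarding syntax is disallowed, so the validate_rule wording is the stale one; if its check is reached with an unmapped target it should mirror this one, e.g. `case $logtarget in DNAT|REDIRECT) ;; *) startup_error "Only DNAT and REDIRECT rules may specify port mapping; rule \"$rule\"" ;; esac`. Whether a plain ACCEPT rule with a server port can pass `shorewall check` and then fail at start time depends on ordering not visible here, but the disagreement itself is worth resolving. add_nat_rule continues past the hunk.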
@@ -2126,20 +2100,19 @@ add_a_rule() # Set destination variables dest_interface= + serv= [ -n "$server" ] && case "$server" in -) - serv= ;; *.*.*) serv=$server ;; ~*) - fatal_error "Error: Rule \"$rule\" - Destination may not be specified by MAC Address" + fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" ;; *) dest_interface="-o $server" - serv= ;; esac @@ -2180,8 +2153,7 @@ add_a_rule() ;; all|ALL) [ -n "$port" ] && [ "x${port}" != "x-" ] && \ - fatal_error "Port number not allowed with \"all\";" \ - " rule: \"$rule\"" + fatal_error "Port number not allowed with \"all\"; rule: \"$rule\"" proto= ;; related|RELATED) @@ -2191,8 +2163,7 @@ add_a_rule() *) state= [ -n "$port" ] && [ "x${port}" != "x-" ] && \ - fatal_error "Port number not allowed with protocol " \ - "\"$proto\"; rule: \"$rule\"" + fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" ;; esac @@ -2204,18 +2175,21 @@ add_a_rule() REJECT) target=reject [ -n "$servport" ] && \ - fatal_error "Error: server port may not be specified in a REJECT rule;"\ + fatal_error "Server port may not be specified in a REJECT rule;"\ "rule: \"$rule\"" ;; REDIRECT) - [ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\ + [ -n "$serv" ] && startup_error "REDIRECT rules cannot"\ " specify a server IP; rule: \"$rule\"" servport=${servport:=$port} ;; DNAT) - [ -n "$serv" ] || fatal_error "Error: DNAT rules require a" \ + [ -n "$serv" ] || fatal_error "DNAT rules require a" \ " server address; rule: \"$rule\"" ;; + LOG) + [ -z "$loglevel" ] && fatal_error "LOG requires log level" + ;; esac # Complain if the rule is really a policy @@ -2260,7 +2234,7 @@ add_a_rule() # Destination is a simple zone [ -n "$addr" ] && fatal_error \ - "Error: An ORIGINAL DESTINATION ($addr) is only allowed in" \ + "An ORIGINAL DESTINATION ($addr) is only allowed in" \ " a DNAT or REDIRECT: \"$rule\"" if [ -n "$loglevel" ]; then 
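Review bot: In the retouched `REDIRECT)` arm of add_a_rule the error path is still `startup_error`, while the neighbouring `REJECT)`, `DNAT)` and new `LOG)` arms use `fatal_error`; per the definitions earlier in this diff, `fatal_error` runs `stop_firewall` before exiting whereas `startup_error` only releases the mutex, removes `$TMP_DIR` and kills the script, so a REDIRECT rule carrying a server IP that reaches this point during rule loading would leave netfilter in whatever partially-built state it had reached instead of the defined stopped state. Since add_a_rule runs while the ruleset is being built, this should be `[ -n "$serv" ] && fatal_error "REDIRECT rules cannot specify a server IP; rule: \"$rule\""`. The same lone `startup_error "Empty destination zone or qualifier"` recurs among `fatal_error` calls in the process_rule hunk later in this diff.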
@@ -2276,8 +2250,10 @@ add_a_rule() fi fi - run_iptables2 -A $chain $proto $multiport $dest_interface $state \ - $cli $sports $dports -j $target + if [ $logtarget != LOG ]; then + run_iptables2 -A $chain $proto $multiport $dest_interface $state \ + $cli $sports $dports -j $target + fi fi } @@ -2349,7 +2325,7 @@ process_rule() # $1 = target clientzone="${clients%%:*}" clients="${clients#*:}" [ -z "$clientzone" -o -z "$clients" ] && \ - fatal_error "Error: Empty source zone or qualifier: rule \"$rule\"" + fatal_error "Empty source zone or qualifier: rule \"$rule\"" fi if [ "$clientzone" = "${clientzone%\!*}" ]; then @@ -2359,11 +2335,11 @@ process_rule() # $1 = target clientzone="${clientzone%\!*}" [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ - fatal_error "Error: Exclude list only allowed with DNAT or REDIRECT" + fatal_error "Exclude list only allowed with DNAT or REDIRECT" fi if ! validate_zone $clientzone; then - fatal_error "Error: Undefined Client Zone in rule \"$rule\"" + fatal_error "Undefined Client Zone in rule \"$rule\"" fi # Parse and validate destination @@ -2383,16 +2359,16 @@ process_rule() # $1 = target serverport="${servers#*:}" servers="${servers%:*}" [ -z "$serverzone" -o -z "$serverport" ] && \ - fatal_error "Error: Empty destination zone or server port: rule \"$rule\"" + fatal_error "Empty destination zone or server port: rule \"$rule\"" else serverport= [ -z "$serverzone" -o -z "$servers" ] && \ - startup_error "Error: Empty destination zone or qualifier: rule \"$rule\"" + startup_error "Empty destination zone or qualifier: rule \"$rule\"" fi fi if ! validate_zone $serverzone; then - fatal_error "Error: Undefined Server Zone in rule \"$rule\"" + fatal_error "Undefined Server Zone in rule \"$rule\"" fi dest=$serverzone 
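Review bot: `if [ $logtarget != LOG ]; then` leaves `$logtarget` unquoted; should it ever be empty the test becomes `[ != LOG ]`, which fails with a syntax error and the rule is not added. Write `if [ "$logtarget" != LOG ]; then`, matching the quoted comparisons already used in the process_rule hunk below (`[ "$logtarget" = DNAT ]`). The suppression itself looks right: for a LOG target the logging rule presumably emitted in the `loglevel` branch just above is the whole rule, so no trailing `-j $target` jump is wanted.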
@@ -2466,12 +2442,10 @@ process_rules() # $1 = name of rules file done } - strip_file rules $1 - while read xtarget xclients xservers xprotocol xports xcports xaddress; do case "$xtarget" in - ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*) + ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*|LOG|LOG:*) expandv xclients xservers xprotocol xports xcports xaddress if [ "x$xclients" = xall ]; then @@ -2493,7 +2467,7 @@ process_rules() # $1 = name of rules file ;; *) rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`" - fatal_error "Error: Invalid Target in rule \"$rule\"" + fatal_error "Invalid Target in rule \"$rule\"" ;; esac @@ -2871,7 +2845,7 @@ default_policy() # $1 = client $2 = server if [ -n "$chain1" ]; then apply_default $1 $2 else - fatal_error "Error: No default policy for zone $1 to zone $2" + fatal_error "No default policy for zone $1 to zone $2" fi } @@ -2921,7 +2895,7 @@ rules_chain() # $1 = source zone, $2 = destination zone [ -n "$chain" ] && { echo $chain; return; } - fatal_error "Error: No appropriate chain for zone $1 to zone $2" + fatal_error "No appropriate chain for zone $1 to zone $2" } # @@ -2975,7 +2949,7 @@ setup_masq() interface=${fullinterface%:*} if ! list_search $interface $all_interfaces; then - fatal_error "Error: Unknown interface $interface" + fatal_error "Unknown interface $interface" fi if [ "$subnet" = "${subnet%!*}" ]; then @@ -3348,7 +3322,7 @@ initialize_netfilter () { determine_zones - [ -z "$zones" ] && startup_error "ERROR: No Zones Defined" + [ -z "$zones" ] && startup_error "No Zones Defined" display_list "Zones:" $zones 
@@ -3368,6 +3342,17 @@ initialize_netfilter () { determine_interfaces determine_hosts + + # + # The some files might be large so strip them while the firewall is still running + # (restart command). This reduces the length of time that the firewall isn't + # accepting new connections. + # + + strip_file rules + strip_file proxyarp + strip_file maclist + strip_file nat deletechain shorewall @@ -3399,7 +3384,8 @@ initialize_netfilter () { # run_iptables -A INPUT -p udp --dport 53 -j ACCEPT # I suppose that there # is an idiot somewhere - # who needs this + # who needs this strip_file nat + run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT @@ -3458,13 +3444,6 @@ initialize_netfilter () { # build_common_chain() { - if [ -n "$OLD_PING_HANDLING" ]; then - # - # PING - # - [ -n "$FORWARDPING" ] && \ - run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT - fi # # Common ICMP rules # @@ -3618,7 +3597,7 @@ add_common_rules() { logdrop|DROP|RETURN) ;; *) - fatal_error " Error:Illegal target ($target) for $subnet" + fatal_error "Illegal target ($target) for $subnet" ;; esac @@ -3780,7 +3759,7 @@ apply_policy_rules() { # related sessions associated with sessions going # in the other direction # - createchain $chain + createchain $chain yes # # If either client or server is 'all' then this MUST be 
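Review bot: The comment line `# who needs this strip_file nat` in the OUTPUT/FORWARD DNS block has a stray `strip_file nat` appended — harmless because it is inside a comment, but it looks like a slip from relocating the `strip_file` calls and should be cut back to `# who needs this`. In the same hunk the new block's comment begins `The some files might be large`; suggest `Some of these files may be large, so strip them while the firewall is still running (restart command)`. Because setup_proxy_arp, setup_mac_lists, setup_nat and process_rules no longer strip their own input (earlier hunks), every path that reaches them must now go through this block; a `while read ... < $TMP_DIR/maclist` with no stripped copy fails the redirect and the loop body never runs, so the check_config and refresh_firewall paths later in this diff are worth a quick look.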
@@ -4017,26 +3996,6 @@ define_firewall() # $1 = Command (Start or Restart) process_rules $rules - if [ -n "$OLD_PING_HANDLING" ]; then - echo "Setting up ICMP Echo handling..." - - filterping_interfaces="`find_interfaces_by_option filterping`" - noping_interfaces="`find_interfaces_by_option noping`" - - for interface in $all_interfaces; do - if ! list_search $interface $filterping_interfaces; then - if list_search $interface $noping_interfaces; then - target=DROP - else - target=ACCEPT - fi - - run_iptables -A `input_chain $interface` \ - -p icmp --icmp-type echo-request -j $target - fi - done - fi - policy=`find_file policy` echo "Processing $policy..." @@ -4086,7 +4045,7 @@ check_config() { determine_zones - [ -z "$zones" ] && startup_error "ERROR: No Zones Defined" + [ -z "$zones" ] && startup_error "No Zones Defined" display_list "Zones:" $zones @@ -4109,7 +4068,7 @@ check_config() { echo "Validating policy file..." - validate_policy + validate_policy rm -rf $TMP_DIR @@ -4129,7 +4088,7 @@ refresh_firewall() validate_interfaces_file - [ -z "$zones" ] && startup_error "ERROR: No Zones Defined" + [ -z "$zones" ] && startup_error "No Zones Defined" determine_interfaces @@ -4171,7 +4130,7 @@ add_to_zone() # $1 = [:] $2 = zone do_iptables() # $@ = command { if ! iptables $@ ; then - startup_error "Error: can't add $1 to zone $2" + startup_error "Can't add $1 to zone $2" fi } 
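Review bot: In add_to_zone's inner `do_iptables()`, the retouched message `startup_error "Can't add $1 to zone $2"` expands `$1` and `$2` inside a function whose own positional parameters are the iptables arguments (`iptables $@`), so it will report something like `Can't add -A to zone <chain>` rather than the host and zone the caller was adding. The diff only rewords the message, but it is the right moment to fix it: either reference the outer function's variables (`zone` is assigned a few lines below, and `newhost` appears to hold the normalised host in the later hunk) as `startup_error "Can't add $newhost to zone $zone"`, or report the failing command literally with `startup_error "Can't add host to zone: iptables $*"`. The enclosing add_to_zone starts before this hunk.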
@@ -4196,26 +4155,25 @@ add_to_zone() # $1 = [:] $2 = zone # zone=$2 - validate_zone $zone || startup_error "Error: Unknown zone: $zone" + validate_zone $zone || startup_error "Unknown zone: $zone" - [ "$zone" = $FW ] && startup_error "Error: Can't add $1 to firewall zone" + [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone" # # Be sure that Shorewall has been restarted using a DZ-aware version of the code # - [ -f ${STATEDIR}/chains ] || startup_error "Error: ${STATEDIR}/chains -- file not found" - [ -f ${STATEDIR}/zones ] || startup_error "Error: ${STATEDIR}/zones -- file not found" + [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" + [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" # # Be sure that the interface was present at last [re]start # if ! chain_exists `input_chain $interface` ; then - startup_error "Error: Unknown interface $interface" + startup_error "Unknown interface $interface" fi # # Build lists of interfaces with special rules # dhcp_interfaces=`find_interfaces_by_option dhcp` blacklist_interfaces=`find_interfaces_by_option blacklist` - filterping_interfaces=`find_interfaces_by_option filterping` maclist_interfaces=`find_interfaces_by_option maclist` tcpflags_interfaces=`find_interfaces_by_option tcpflags` # @@ -4234,7 +4192,7 @@ add_to_zone() # $1 = [:] $2 = zone for h in $hosts; do if [ "$h" = "$newhost" ]; then rm -f ${STATEDIR}/zones_$$ - startup_error "Error: $1 already in zone $zone" + startup_error "$1 already in zone $zone" fi done @@ -4273,10 +4231,6 @@ add_to_zone() # $1 = [:] $2 = zone rulenum=2 fi - if list_search $interface $filterping_interfaces; then - rulenum=$(($rulenum + 1)) - fi - if list_search $interface $maclist_interfaces; then rulenum=$(($rulenum + 1)) fi 
@@ -4417,19 +4371,19 @@ delete_from_zone() # $1 = [:] $2 = zone zone=$2 - validate_zone $zone || startup_error "Error: Unknown zone: $zone" + validate_zone $zone || startup_error "Unknown zone: $zone" - [ "$zone" = $FW ] && startup_error "Error: Can't remove $1 from firewall zone" + [ "$zone" = $FW ] && startup_error "Can't remove $1 from firewall zone" # # Be sure that Shorewall has been restarted using a DZ-aware version of the code # - [ -f ${STATEDIR}/chains ] || startup_error "Error: ${STATEDIR}/chains -- file not found" - [ -f ${STATEDIR}/zones ] || startup_error "Error: ${STATEDIR}/zones -- file not found" + [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" + [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" # # Be sure that the interface was present at last [re]start # if ! chain_exists `input_chain $interface` ; then - startup_error "Error: Unknown interface $interface" + startup_error "Unknown interface $interface" fi # # Normalize the first argument to this function @@ -4555,7 +4509,7 @@ do_initialize() { FW= SUBSYSLOCK= STATEDIR= - ALLOWRELATED= + ALLOWRELATED=Yes LOGRATE= LOGBURST= LOGPARMS= @@ -4572,7 +4526,6 @@ do_initialize() { NAT_BEFORE_RULES= MULTIPORT= DETECT_DNAT_IPADDRS= - MERGE_HOSTS= MUTEX_TIMEOUT= NEWNOTSYN= LOGNEWNOTSYN= @@ -4583,8 +4536,7 @@ do_initialize() { TCP_FLAGS_LOG_LEVEL= RFC1918_LOG_LEVEL= MARK_IN_FORWARD_CHAIN= - OLD_PING_HANDLING= - SHARED_DIR=/usr/lib/shorewall + SHARED_DIR=/usr/share/shorewall FUNCTIONS= VERSION_FILE= @@ -4633,6 +4585,8 @@ do_initialize() { [ -z "$FW" ] && FW=fw ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`" + [ -n "$ALLOWRELATED" ] || \ + startup_error "ALLOWRELATED=No is not supported" NAT_ENABLED="`added_param_value_yes NAT_ENABLED $NAT_ENABLED`" MANGLE_ENABLED="`added_param_value_yes MANGLE_ENABLED $MANGLE_ENABLED`" ADD_IP_ALIASES="`added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES`" 
@@ -4668,8 +4622,10 @@ do_initialize() { NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES` MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT` DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS` - MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS` FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING` + [ -n "$FORWARDPING" ] && \ + startup_error "FORWARDPING=Yes is no longer supported" + NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN` maclist_target=reject @@ -4709,10 +4665,6 @@ do_initialize() { else CLEAR_TC= fi - OLD_PING_HANDLING=`added_param_value_yes OLD_PING_HANDLING $OLD_PING_HANDLING` - - [ -z "$OLD_PING_HANDLING" -a -n "$FORWARDPING" ] && \ - startup_error "FORWARDPING=Yes is incompatible with OLD_PING_HANDLING=No" run_user_exit params diff --git a/Shorewall/functions b/Shorewall/functions index 90ad27b35..d056392fe 100755 --- a/Shorewall/functions +++ b/Shorewall/functions @@ -1,6 +1,6 @@ #!/bin/sh # -# Shorewall 1.3 -- /usr/lib/shorewall/functions +# Shorewall 2.0 -- /usr/lib/shorewall/functions # # Suppress all output for a command diff --git a/Shorewall/hosts b/Shorewall/hosts index 9ce4bc3ab..9b8d11e36 100644 --- a/Shorewall/hosts +++ b/Shorewall/hosts @@ -1,5 +1,5 @@ # -# Shorewall 1.3 - /etc/shorewall/hosts +# Shorewall 2.0 - /etc/shorewall/hosts # # WARNING: 90% of Shorewall users don't need to add entries to this # file and 80% of those who try to add such entries get it @@ -30,11 +30,6 @@ # OPTIONS - A comma-separated list of options. Currently-defined # options are: # -# routestopped - (Deprecated -- use -# /etc/shorewall/routestopped) -# route messages to and from this -# member when the firewall is in the -# stopped state # maclist - Connection requests from these hosts # are compared against the contents of # /etc/shorewall/maclist. If this option diff --git a/Shorewall/init b/Shorewall/init index d7bee1d0a..cdd21c79b 100644 --- a/Shorewall/init 
+++ b/Shorewall/init @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 1.3 -- /etc/shorewall/init +# Shorewall 2.0 -- /etc/shorewall/init # # Add commands below that you want to be executed at the beginning of # a "shorewall start" or "shorewall restart" command. diff --git a/Shorewall/init.sh b/Shorewall/init.sh index 464e7a75a..971d5aeb3 100644 --- a/Shorewall/init.sh +++ b/Shorewall/init.sh @@ -1,7 +1,7 @@ #!/bin/sh RCDLINKS="2,S41 3,S41 6,K41" # -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002 +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003 # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 46e874594..dde8d31e0 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -54,7 +54,7 @@ # /etc/rc.d/rc.local file is modified to start the firewall. # -VERSION=1.3.14RC1 +VERSION=2.0.0Alpha1 usage() # $1 = exit status { @@ -93,6 +93,18 @@ backup_file() # $1 = file to backup fi } +delete_file() # $1 = file to delete +{ + if [ -z "$PREFIX" -a -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then + if (mv $1 ${1}-${VERSION}.bkout); then + echo + echo "$1 moved to ${1}-${VERSION}.bkout" + else + exit 1 + fi + fi +} + modify_rclocal() { if [ -f /etc/rc.d/rc.local ]; then @@ -261,10 +273,10 @@ echo echo "Shorewall script installed in ${PREFIX}${DEST}/$FIREWALL" # -# Create /etc/shorewall, /usr/lib/shorewall and /var/shorewall if needed +# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed # mkdir -p ${PREFIX}/etc/shorewall -mkdir -p ${PREFIX}/usr/lib/shorewall +mkdir -p ${PREFIX}/usr/share/shorewall mkdir -p ${PREFIX}/var/lib/shorewall # # Install the config file 
@@ -300,10 +312,10 @@ if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then rm -f ${PREFIX}/var/lib/shorewall/functions fi -install_file_with_backup functions ${PREFIX}/usr/lib/shorewall/functions 0444 +install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444 echo -echo "Common functions installed in ${PREFIX}/usr/lib/shorewall/functions" +echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions" # # Install the common.def file # @@ -311,13 +323,11 @@ install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444 echo echo "Common rules installed in ${PREFIX}/etc/shorewall/common.def" -# -# Install the icmp.def file -# -install_file_with_backup icmp.def ${PREFIX}/etc/shorewall/icmp.def 0444 -echo -echo "Common ICMP rules installed in ${PREFIX}/etc/shorewall/icmp.def" +# +# Delete the icmp.def file +# +delete_file icmp.def # # Install the policy file @@ -531,7 +541,9 @@ fi # Backup the version file # if [ -z "$PREFIX" ]; then - if [ -f /usr/lib/shorewall/version ]; then + if [ -f /usr/share/shorewall/version ]; then + backup_file /usr/share/shorewall/version + elif [ -f /usr/lib/shorewall/version ]; then backup_file /usr/lib/shorewall/version elif [ -n "$oldversion" ]; then echo $oldversion > /usr/lib/shorewall/version-${VERSION}.bkout @@ -542,10 +554,10 @@ fi # # Create the version file # -echo "$VERSION" > ${PREFIX}/usr/lib/shorewall/version -chmod 644 ${PREFIX}/usr/lib/shorewall/version +echo "$VERSION" > ${PREFIX}/usr/share/shorewall/version +chmod 644 ${PREFIX}/usr/share/shorewall/version # -# Remove and create the symbolic link to the firewall script +# Remove and create the symbolic link to the init script # if [ -z "$PREFIX" ]; then 
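Review bot: The `elif [ -n "$oldversion" ]` fallback in the version-backup hunk still writes to /usr/lib/shorewall/version-${VERSION}.bkout, while the earlier hunk in this file replaced `mkdir -p ${PREFIX}/usr/lib/shorewall` with the /usr/share path, so an install that reaches this branch without the old directory present has its redirect fail on a missing directory, and nothing in the visible hunks checks it (the script does not appear to run under set -e). Writing the backup beside the new version file, `echo $oldversion > /usr/share/shorewall/version-${VERSION}.bkout`, keeps the three branches consistent. The enclosing `if [ -z "$PREFIX" ]` block closes outside the hunk.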
@@ -554,12 +566,13 @@ if [ -z "$PREFIX" ]; then [ -L /usr/lib/shorewall/firewall ] && \ mv -f /usr/lib/shorewall/firewall /usr/lib/shorewall/firewall-${VERSION}.bkout rm -f /usr/lib/shorewall/init - ln -s ${DEST}/${FIREWALL} /usr/lib/shorewall/init + rm -f /usr/share/shorewall/init + ln -s ${DEST}/${FIREWALL} /usr/share/shorewall/init fi # # Install the firewall script # -install_file_with_backup firewall ${PREFIX}/usr/lib/shorewall/firewall 0544 +install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544 if [ -z "$PREFIX" -a -n "$first_install" ]; then if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then diff --git a/Shorewall/interfaces b/Shorewall/interfaces index 29490d9b5..8797af3cd 100644 --- a/Shorewall/interfaces +++ b/Shorewall/interfaces @@ -1,5 +1,5 @@ # -# Shorewall 1.3 -- Interfaces File +# Shorewall 2.0 -- Interfaces File # # /etc/shorewall/interfaces # @@ -46,11 +46,6 @@ # a DHCP server running on the firewall or # you have a static IP but are on a LAN # segment with lots of Laptop DHCP clients. -# routestopped - (Deprecated -- use -# /etc/shorewall/routestopped) -# When the firewall is stopped, allow -# and route traffic to and from this -# interface. # norfc1918 - This interface should not receive # any packets whose source is in one # of the ranges reserved by RFC 1918 
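Review bot: The symlink hunk retires only `/usr/lib/shorewall/init` and a symlinked `/usr/lib/shorewall/firewall`; a regular 1.3 `/usr/lib/shorewall/firewall` (installed 0544 by the line this hunk removes) and `/usr/lib/shorewall/functions` remain once the new copies go to /usr/share/shorewall. That matters because the spec hunk keeps shorewall.conf as %config(noreplace) and the old file sets `SHARED_DIR=/usr/lib/shorewall` (the line removed in the shorewall.conf hunk); if /sbin/shorewall sources that file after its own `SHARED_DIR=/usr/share/shorewall` default, as the test of `$SHOREWALL_DIR/shorewall.conf` that follows it in the shorewall hunk suggests, an upgraded system keeps executing the stale 1.3 firewall script. Moving the old regular file aside next to the existing `-L` test, `[ -f /usr/lib/shorewall/firewall ] && mv -f /usr/lib/shorewall/firewall /usr/lib/shorewall/firewall-${VERSION}.bkout`, or refusing to start when SHARED_DIR still names /usr/lib/shorewall, closes the gap. The `if [ -z "$PREFIX" ]` block this hunk edits begins outside it.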
@@ -106,21 +101,19 @@ # local subnet is 192.168.1.0/24. The interface gets # it's IP address via DHCP from subnet # 206.191.149.192/27. You have a DMZ with subnet -# 192.168.2.0/24 using eth2. You want to be able to -# access the firewall from the local network when the -# firewall is stopped. +# 192.168.2.0/24 using eth2. # # Your entries for this setup would look like: # # net eth0 206.191.149.223 dhcp -# local eth1 192.168.1.255 routestopped +# local eth1 192.168.1.255 # dmz eth2 192.168.2.255 # # Example 2: The same configuration without specifying broadcast # addresses is: # # net eth0 detect dhcp -# loc eth1 detect routestopped +# loc eth1 detect # dmz eth2 detect # # Example 3: You have a simple dial-in system with no ethernet diff --git a/Shorewall/maclist b/Shorewall/maclist index 37c61a38f..b49bd8765 100644 --- a/Shorewall/maclist +++ b/Shorewall/maclist @@ -1,5 +1,5 @@ # -# Shorewall 1.3 - MAC list file +# Shorewall 2.0 - MAC list file # # /etc/shorewall/maclist # diff --git a/Shorewall/masq b/Shorewall/masq index 0b8515619..7eb83d665 100755 --- a/Shorewall/masq +++ b/Shorewall/masq @@ -1,5 +1,5 @@ # -# Shorewall 1.3 - Masquerade file +# Shorewall 2.0 - Masquerade file # # /etc/shorewall/masq # diff --git a/Shorewall/modules b/Shorewall/modules index 5bc6278dd..0dfbe57ed 100644 --- a/Shorewall/modules +++ b/Shorewall/modules @@ -1,7 +1,12 @@ ############################################################################## -# Shorewall 1.3 /etc/shorewall/modules +# Shorewall 2.0 /etc/shorewall/modules # # This file loads the modules needed by the firewall. +# +# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in +# dependency order. i.e., if M2 depends on M1 then you must load M1 before +# you load M2. +# loadmodule ip_tables loadmodule iptable_filter diff --git a/Shorewall/nat b/Shorewall/nat index e791a8052..982d53b0d 100755 --- a/Shorewall/nat +++ b/Shorewall/nat 
@@ -1,6 +1,6 @@ ############################################################################## # -# Shorewall 1.3 -- Network Address Translation Table +# Shorewall 2.0 -- Network Address Translation Table # # /etc/shorewall/nat # diff --git a/Shorewall/params b/Shorewall/params index fbea82388..8e09d2be7 100644 --- a/Shorewall/params +++ b/Shorewall/params @@ -1,5 +1,5 @@ # -# Shorewall 1.3 /etc/shorewall/params +# Shorewall 2.0 /etc/shorewall/params # # Assign any variables that you need here. # @@ -11,7 +11,7 @@ # # NET_IF=eth0 # NET_BCAST=130.252.100.255 -# NET_OPTIONS=noping,norfc1918 +# NET_OPTIONS=routefilter,norfc1918 # # Example (/etc/shorewall/interfaces record): # @@ -19,7 +19,7 @@ # # The result will be the same as if the record had been written # -# net eth0 130.252.100.255 noping,norfc1918 +# net eth0 130.252.100.255 routefilter,norfc1918 # # Variables can be used in the following places in the other configuration # files: diff --git a/Shorewall/policy b/Shorewall/policy index 421d05c78..556a71e8a 100644 --- a/Shorewall/policy +++ b/Shorewall/policy @@ -1,5 +1,5 @@ # -# Shorewall 1.3 -- Policy File +# Shorewall 2.0 -- Policy File # # /etc/shorewall/policy # diff --git a/Shorewall/proxyarp b/Shorewall/proxyarp index f7261543a..0d4bb91ca 100644 --- a/Shorewall/proxyarp +++ b/Shorewall/proxyarp @@ -1,6 +1,6 @@ ############################################################################## # -# Shorewall 1.3 -- Proxy ARP +# Shorewall 2.0 -- Proxy ARP # # /etc/shorewall/proxyarp # diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 1770be3ea..f6206baa2 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
@@ -1,105 +1,41 @@ -This is a minor release of Shorewall that has a couple of new features. +This is a major release of Shorewall. -New features include: +Function from 1.3 that has been omitted from this version include: -1) An OLD_PING_HANDLING option has been added to shorewall.conf. When - set to Yes, Shorewall ping handling is as it has always been (see - http://www.shorewall.net/ping.html). +1) The MERGE_HOSTS variable in shorewall.conf is no longer + supported. Shorewall 2.0 behavior is the same as 1.3 with + MERGE_HOSTS=Yes. - When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and - policies just like any other connection request. The FORWARDPING - option in shorewall.conf is ignored and the 'noping' and - 'filterping' options in /etc/shorewall/interfaces will generate an - error. +2. Interface names of the form : in + /etc/shorewall/interfaces now generate an error. -2) It is now possible to direct Shorewall to create a "label" such as - "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes - and ADD_SNAT_ALIASES=Yes. This is done by specifying the label - instead of just the interface name: +3. Shorewall 2.0 implements behavior consistent with + OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error + at startup as will specification of the 'noping' or 'filterping' + interface options. - a) In the INTERFACE column of /etc/shorewall/masq - b) In the INTERFACE column of /etc/shorewall/nat +4. The 'routestopped' option in the /etc/shorewall/interfaces and + /etc/shorewall/hosts files is no longer supported and will generate + an error at startup if specified. -3) The ability to name your VLAN interfaces using the $dev.$vid - convention (e.g., "eth0.0") has been restored. This capability was - inadvertently broken in version 1.3.12. +5. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer + accepted. -4) Support has been added for defining OpenVPN tunnels in the - /etc/shorewall/tunnels file. +6. 
The ALLOWRELATED variable in shorewall.conf is no longer + supported. Shorewall 2.0 behavior is the same as 1.3 with + ALLOWRELATED=Yes. -5) When an interface name is entered in the SUBNET column of the - /etc/shorewall/masq file, Shorewall previously masqueraded traffic - from only the first subnet defined on that interface. It did not - masquerade traffic from: +Changes for 2.0 include: - a) The subnets associated with other addresses on the interface. - b) Subnets accessed through local routers. +1. shorewall.conf has been completely reorganized into logical + sections. - Beginning with Shorewall 1.3.14, if you enter an interface name in - the SUBNET column, shorewall will use the firewall's routing table - to construct the masquerading/SNAT rules. +2. LOG is now a valid action for a rule (/etc/shorewall/rules). - Example 1 -- This is how it works in 1.3.14. - - [root@gateway test]# cat /etc/shorewall/masq - #INTERFACE SUBNET ADDRESS - eth0 eth2 206.124.146.176 - #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE - - [root@gateway test]# ip route show dev eth2 - 192.168.1.0/24 scope link - 192.168.10.0/24 proto kernel scope link src 192.168.10.254 - - [root@gateway test]# ip route show dev eth2 - 192.168.1.0/24 scope link - 192.168.10.0/24 proto kernel scope link src 192.168.10.254 - [root@gateway test]# shorewall start - ... - Masqueraded Subnets and Hosts: - To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176 - To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176 - Processing /etc/shorewall/tos... +3. The firewall script and version file are now installed in + /usr/share/shorewall. - When upgrading to Shorewall 1.3.14, if you have multiple local - subnets connected to an interface that is specified in the SUBNET - column of an /etc/shorewall/masq entry, your /etc/shorewall/masq - file will need changing. In most cases, you will simply be able to - remove redundant entries. 
In some cases though, you might want to change - from using the interface name to listing specific subnetworks if the - change described above will cause masquerading to occur on - subnetworks that you don't wish to masquerade. +4. Late arriving DNS replies are now silently dropped in the common + chain by default. - Example 2 -- Suppose that your current config is as follows: - - [root@gateway test]# cat /etc/shorewall/masq - #INTERFACE SUBNET ADDRESS - eth0 eth2 206.124.146.176 - eth0 192.168.10.0/24 206.124.146.176 - #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE - - [root@gateway test]# ip route show dev eth2 - 192.168.1.0/24 scope link - 192.168.10.0/24 proto kernel scope link src 192.168.10.254 - [root@gateway test]# - - In this case, the second entry in /etc/shorewall/masq is no longer - required. - - Example 3 -- What if your current configuration is like this? - - [root@gateway test]# cat /etc/shorewall/masq - #INTERFACE SUBNET ADDRESS - eth0 eth2 206.124.146.176 - #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE - - [root@gateway test]# ip route show dev eth2 - 192.168.1.0/24 scope link - 192.168.10.0/24 proto kernel scope link src 192.168.10.254 - [root@gateway test]# - - In this case, you would want to change the entry in - /etc/shorewall/masq to: - - #INTERFACE SUBNET ADDRESS - eth0 192.168.1.0/24 206.124.146.176 - #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + diff --git a/Shorewall/rfc1918 b/Shorewall/rfc1918 index eae549722..12b67afd2 100644 --- a/Shorewall/rfc1918 +++ b/Shorewall/rfc1918 @@ -1,5 +1,5 @@ # -# Shorewall 1.3 -- RFC1918 File +# Shorewall 2.0 -- RFC1918 File # # /etc/shorewall/rfc1918 # diff --git a/Shorewall/routestopped b/Shorewall/routestopped index db1459080..9e0b9ddc8 100644 --- a/Shorewall/routestopped +++ b/Shorewall/routestopped 
@@ -1,6 +1,6 @@ ############################################################################## # -# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped +# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped # # /etc/shorewall/routestopped # diff --git a/Shorewall/rules b/Shorewall/rules index 8a6244f55..430a5b1da 100755 --- a/Shorewall/rules +++ b/Shorewall/rules @@ -1,5 +1,5 @@ # -# Shorewall version 1.3 - Rules File +# Shorewall version 2.0 - Rules File # # /etc/shorewall/rules # diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 3a2da0b91..eedb689b2 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -1,6 +1,6 @@ #!/bin/sh # -# Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002 +# Shorewall Packet Filtering Firewall Control Program - V2.0 - 3/14/2003 # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # @@ -570,7 +570,7 @@ fi [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin -SHARED_DIR=/usr/lib/shorewall +SHARED_DIR=/usr/share/shorewall MUTEX_TIMEOUT= if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index b79bb1faf..450f13d5c 100755 --- a/Shorewall/shorewall.conf +++ b/Shorewall/shorewall.conf @@ -1,5 +1,5 @@ ############################################################################## -# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to +# /etc/shorewall/shorewall.conf V2.0 - Change the following variables to # match your setup # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] 
@@ -8,13 +8,16 @@ # # (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) ############################################################################## -# +# D I S T R I B U T I O N - S P E C I F I C S E T T I N G S +############################################################################## # You should not have to change the variables in this section -- they are set # by the packager of your Shorewall distribution # -SHARED_DIR=/usr/lib/shorewall +SHARED_DIR=/usr/share/shorewall # ############################################################################## +# L O G G I N G +############################################################################## # # General note about log levels. Log levels are a method of describing # to syslog (8) the importance of a message and a number of parameters 
@@ -45,59 +48,19 @@ SHARED_DIR=/usr/lib/shorewall # configured to log all Shorewall message to their own log file ################################################################################ # -# PATH - Change this if you want to change the order in which Shorewall -# searches directories for executable files. +# LOG FILE LOCATION # -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +# This variable tells the /sbin/shorewall program where to look for Shorewall +# log messages. If not set or set to an empty string (e.g., LOGFILE="") then +# /var/log/messages is assumed. +# +# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to +# look for Shorewall messages.It does NOT control the destination for +# these messages. For information about how to do that, see +# +# http://www.shorewall.net/shorewall_logging.html -# -# NAME OF THE FIREWALL ZONE -# -# Name of the firewall zone -- if not set or if set to an empty string, "fw" -# is assumed. -# -FW=fw - -# -# SUBSYSTEM LOCK FILE -# -# Set this to the name of the lock file expected by your init scripts. For -# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it -# should be /var/state/shorewall. If your init scripts don't use lock files, -# set this to "". -# - -SUBSYSLOCK=/var/lock/subsys/shorewall - -# -# SHOREWALL TEMPORARY STATE DIRECTORY -# -# This is the directory where the firewall maintains state information while -# it is running -# - -STATEDIR=/var/lib/shorewall - -# -# ALLOW RELATED CONNECTIONS -# -# Set this to "yes" or "Yes" if you want to accept all connection requests -# that are related to already established connections. For example, you want -# to accept FTP data connections. If you say "no" here, then to accept -# these connections between particular zones or hosts, you must include -# explicit "related" rules in /etc/shorewall/rules. 
-# - -ALLOWRELATED=yes - -# -# KERNEL MODULE DIRECTORY -# -# If your netfilter kernel modules are in a directory other than -# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that -# directory in this variable. Example: MODULESDIR=/etc/modules. - -MODULESDIR= +LOGFILE=/var/log/messages # # LOG RATE LIMITING 
@@ -132,25 +95,133 @@ LOGBURST= # packets are logged under the 'logunclean' interface option. If the variable # is empty, these packets will still be logged at the 'info' level. # -# See the comment at the top of this file for a description of log levels +# See the comment at the top of this section for a description of log levels # LOGUNCLEAN=info # -# LOG FILE LOCATION +# BLACKLIST LOG LEVEL # -# This variable tells the /sbin/shorewall program where to look for Shorewall -# log messages. If not set or set to an empty string (e.g., LOGFILE="") then -# /var/log/messages is assumed. +# Set this variable to the syslogd level that you want blacklist packets logged +# (beware of DOS attacks resulting from such logging). If not set, no logging +# of blacklist packets occurs. # -# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to -# look for Shorewall messages.It does NOT control the destination for -# these messages. For information about how to do that, see +# See the comment at the top of this section for a description of log levels # -# http://www.shorewall.net/FAQ.htm#faq6 +BLACKLIST_LOGLEVEL= -LOGFILE=/var/log/messages +# +# LOGGING 'New not SYN' rejects +# +# This variable only has an effect when NEWNOTSYN=No (see below). +# +# When a TCP packet that does not have the SYN flag set and the ACK and RST +# flags clear then unless the packet is part of an established connection, +# it will be rejected by the firewall. If you want these rejects logged, +# then set LOGNEWNOTSYN to the syslog log level at which you want them logged. +# +# See the comment at the top of this section for a description of log levels +# +# Example: LOGNEWNOTSYN=debug + + +LOGNEWNOTSYN= + +# +# MAC List Log Level +# +# Specifies the logging level for connection requests that fail MAC +# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then +# such connection requests will not be logged. 
+# +# See the comment at the top of this section for a description of log levels +# + +MACLIST_LOG_LEVEL=info + +# +# TCP FLAGS Log Level +# +# Specifies the logging level for packets that fail TCP Flags +# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then +# such packets will not be logged. +# +# See the comment at the top of this section for a description of log levels +# + +TCP_FLAGS_LOG_LEVEL=info + +# +# RFC1918 Log Level +# +# Specifies the logging level for packets that fail RFC 1918 +# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then +# RFC1918_LOG_LEVEL=info is assumed. +# +# See the comment at the top of this section for a description of log levels +# + +RFC1918_LOG_LEVEL=info + +################################################################################ +# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S +################################################################################ +# +# PATH - Change this if you want to change the order in which Shorewall +# searches directories for executable files. +# +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin + +# SUBSYSTEM LOCK FILE +# +# Set this to the name of the lock file expected by your init scripts. For +# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it +# should be /var/state/shorewall. If your init scripts don't use lock files, +# set this to "". +# + +SUBSYSLOCK=/var/lock/subsys/shorewall + +# +# SHOREWALL TEMPORARY STATE DIRECTORY +# +# This is the directory where the firewall maintains state information while +# it is running +# + +STATEDIR=/var/lib/shorewall + +# +# KERNEL MODULE DIRECTORY +# +# If your netfilter kernel modules are in a directory other than +# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that +# directory in this variable. Example: MODULESDIR=/etc/modules. 
+ +MODULESDIR= + +################################################################################ +# F I R E W A L L O P T I O N S +################################################################################ + +# NAME OF THE FIREWALL ZONE +# +# Name of the firewall zone -- if not set or if set to an empty string, "fw" +# is assumed. +# +FW=fw + +# ALLOW RELATED CONNECTIONS +# +# Set this to "yes" or "Yes" if you want to accept all connection requests +# that are related to already established connections. For example, you want +# to accept FTP data connections. If you say "no" here, then to accept +# these connections between particular zones or hosts, you must include +# explicit "related" rules in /etc/shorewall/rules. +# + +ALLOWRELATED=yes # # ENABLE NAT SUPPORT 
@@ -214,24 +285,40 @@ ADD_SNAT_ALIASES=No TC_ENABLED=No # -# BLACKLIST DISPOSITION +# Clear Traffic Shapping/Control # -# Set this variable to the action that you want to perform on packets from -# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, -# DROP is assumed. +# If this option is set to 'No' then Shorewall won't clear the current +# traffic control rules during [re]start. This setting is intended +# for use by people that prefer to configure traffic shaping when +# the network interfaces come up rather than when the firewall +# is started. If that is what you want to do, set TC_ENABLED=Yes and +# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That +# way, your traffic shaping rules can still use the 'fwmark' +# classifier based on packet marking defined in /etc/shorewall/tcrules. # -BLACKLIST_DISPOSITION=DROP +# If omitted, CLEAR_TC=Yes is assumed. + +CLEAR_TC=Yes # -# BLACKLIST LOG LEVEL +# Mark Packets in the forward chain # -# Set this variable to the syslogd level that you want blacklist packets logged -# (beward of DOS attacks resulting from such logging). If not set, no logging -# of blacklist packets occurs. +# When processing the tcrules file, Shorewall normally marks packets in the +# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set +# this to "Yes". If not specified or if set to the empty value (e.g., +# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. # -# See the comment at the top of this file for a description of log levels +# Marking packets in the FORWARD chain has the advantage that inbound +# packets destined for Masqueraded/SNATed local hosts have had their destination +# address rewritten so they can be marked based on their destination. When +# packets are marked in the PREROUTING chain, packets destined for +# Masqueraded/SNATed local hosts still have a destination address corresponding +# to the firewall's external interface. 
# -BLACKLIST_LOGLEVEL= +# Note: Older kernels do not support marking packets in the FORWARD chain and +# setting this variable to Yes may cause startup problems. + +MARK_IN_FORWARD_CHAIN=No # # MSS CLAMPING @@ -335,39 +422,6 @@ MULTIPORT=No DETECT_DNAT_IPADDRS=No -# -# MERGE HOSTS FILE -# -# The traditional behavior of the /etc/shorewall/hosts file has been that -# if that file has ANY entry for a zone then the zone must be defined -# entirely in the hosts file. This is counter-intuitive and has caused -# people some problems. -# -# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file -# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file -# are added to the contents described in the /etc/shorewall/interfaces file. -# -# Example: Suppose that we have the following interfaces and hosts files: -# -# Interfaces: -# -# net eth0 -# loc eth1 -# - ppp+ -# -# Hosts: -# -# loc ppp+:192.168.1.0/24 -# wrk ppp+:!192.168.1.0/24 -# -# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just -# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be -# ppp+:192.168.1.0 and eth1:0.0.0.0/0 -# -# If this variable is not set or is set to the empty value, "No" is assumed. - -MERGE_HOSTS=Yes - # # MUTEX TIMEOUT # 
@@ -383,36 +437,6 @@ MERGE_HOSTS=Yes MUTEX_TIMEOUT=60 -# -# LOGGING 'New not SYN' rejects -# -# This variable only has an effect when NEWNOTSYN=No (see below). -# -# When a TCP packet that does not have the SYN flag set and the ACK and RST -# flags clear then unless the packet is part of an established connection, -# it will be rejected by the firewall. If you want these rejects logged, -# then set LOGNEWNOTSYN to the syslog log level at which you want them logged. -# -# See the comment at the top of this file for a description of log levels -# -# Example: LOGNEWNOTSYN=debug - - -LOGNEWNOTSYN= - -# -# Old Ping Handling -# -# If this option is set to "Yes" then Shorewall will use its old ping handling -# facility including the FORWARDPING option in this file and the 'noping' and -# 'filterping' interface options. If this option is set to 'No' then ping -# is handled via policy and rules just like any other connection request. -# -# If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND -# DON'T DELETE IT!!!!!! -# -OLD_PING_HANDLING=No - # # NEWNOTSYN # @@ -430,6 +454,18 @@ OLD_PING_HANDLING=No NEWNOTSYN=No +################################################################################ +# P A C K E T D I S P O S I T I O N +################################################################################ +# +# BLACKLIST DISPOSITION +# +# Set this variable to the action that you want to perform on packets from +# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, +# DROP is assumed. +# +BLACKLIST_DISPOSITION=DROP + # # MAC List Disposition # 
@@ -441,18 +477,6 @@ NEWNOTSYN=No MACLIST_DISPOSITION=REJECT -# -# MAC List Log Level -# -# Specifies the logging level for connection requests that fail MAC -# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then -# such connection requests will not be logged. -# -# See the comment at the top of this file for a description of log levels -# - -MACLIST_LOG_LEVEL=info - # # TCP FLAGS Disposition # 
@@ -463,64 +487,4 @@ MACLIST_LOG_LEVEL=info TCP_FLAGS_DISPOSITION=DROP -# -# TCP FLAGS Log Level -# -# Specifies the logging level for packets that fail TCP Flags -# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then -# such packets will not be logged. -# -# See the comment at the top of this file for a description of log levels -# - -TCP_FLAGS_LOG_LEVEL=info - -# -# RFC1918 Log Level -# -# Specifies the logging level for packets that fail RFC 1918 -# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then -# RFC1918_LOG_LEVEL=info is assumed. -# -# See the comment at the top of this file for a description of log levels -# - -RFC1918_LOG_LEVEL=info - -# -# Mark Packets in the forward chain -# -# When processing the tcrules file, Shorewall normally marks packets in the -# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set -# this to "Yes". If not specified or if set to the empty value (e.g., -# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. -# -# Marking packets in the FORWARD chain has the advantage that inbound -# packets destined for Masqueraded/SNATed local hosts have had their destination -# address rewritten so they can be marked based on their destination. When -# packets are marked in the PREROUTING chain, packets destined for -# Masqueraded/SNATed local hosts still have a destination address corresponding -# to the firewall's external interface. -# -# Note: Older kernels do not support marking packets in the FORWARD chain and -# setting this variable to Yes may cause startup problems. - -MARK_IN_FORWARD_CHAIN=No - -# -# Clear Traffic Shapping/Control -# -# If this option is set to 'No' then Shorewall won't clear the current -# traffic control rules during [re]start. This setting is intended -# for use by people that prefer to configure traffic shaping when -# the network interfaces come up rather than when the firewall -# is started. 
If that is what you want to do, set TC_ENABLED=Yes and -# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That -# way, your traffic shaping rules can still use the 'fwmark' -# classifier based on packet marking defined in /etc/shorewall/tcrules. -# -# If omitted, CLEAR_TC=Yes is assumed. - -CLEAR_TC=Yes - #LAST LINE -- DO NOT REMOVE diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 61003db82..5e2ec353f 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,6 +1,6 @@ %define name shorewall -%define version 1.3.14 -%define release 0RC1 +%define version 2.0.0 +%define release 0Alpha1 %define prefix /usr Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -71,11 +71,10 @@ fi %files /etc/init.d/shorewall %attr(0700,root,root) %dir /etc/shorewall -%attr(0700,root,root) %dir /usr/lib/shorewall +%attr(0700,root,root) %dir /usr/share/shorewall %attr(0700,root,root) %dir /var/lib/shorewall -%attr(0600,root,root) /usr/lib/shorewall/version +%attr(0600,root,root) /usr/share/shorewall/version %attr(0600,root,root) /etc/shorewall/common.def -%attr(0600,root,root) /etc/shorewall/icmp.def %attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf %attr(0600,root,root) %config(noreplace) /etc/shorewall/zones %attr(0600,root,root) %config(noreplace) /etc/shorewall/policy 
@@ -99,12 +98,16 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
 %attr(0544,root,root) /sbin/shorewall
-%attr(0444,root,root) /usr/lib/shorewall/functions
-%attr(0544,root,root) /usr/lib/shorewall/firewall
+%attr(0444,root,root) /usr/share/shorewall/functions
+%attr(0544,root,root) /usr/share/shorewall/firewall
 %doc documentation
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
+* Thu Feb 06 2003 Tom Eastep
+- Changes version to 2.0.0Alpha1
+- Delete icmp.def
+- Move firewall and version to /usr/share/shorewall
 * Tue Feb 04 2003 Tom Eastep
 - Changes version to 1.3.14-0RC1
 * Tue Jan 28 2003 Tom Eastep
diff --git a/Shorewall/start b/Shorewall/start
index bd36e8544..d88f1f460 100644
--- a/Shorewall/start
+++ b/Shorewall/start
@@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/start
+# Shorewall 2.0 -- /etc/shorewall/start
 #
 # Add commands below that you want to be executed after shorewall has
 # been started or restarted.
diff --git a/Shorewall/stop b/Shorewall/stop
index 5f097b037..78c5fa97b 100644
--- a/Shorewall/stop
+++ b/Shorewall/stop
@@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/stop
+# Shorewall 2.0 -- /etc/shorewall/stop
 #
 # Add commands below that you want to be executed at the beginning of a
 # "shorewall stop" command.
diff --git a/Shorewall/stopped b/Shorewall/stopped
index 90afeb3ac..16feb827b 100644
--- a/Shorewall/stopped
+++ b/Shorewall/stopped
@@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 1.3 -- /etc/shorewall/stopped
+# Shorewall 2.0 -- /etc/shorewall/stopped
 #
 # Add commands below that you want to be executed at the completion of a
 # "shorewall stop" command.
diff --git a/Shorewall/tcrules b/Shorewall/tcrules
index 41d23120b..b05224058 100755
--- a/Shorewall/tcrules
+++ b/Shorewall/tcrules
@@ -1,5 +1,5 @@
 #
-# Shorewall version 1.3 - Traffic Control Rules File
+# Shorewall version 2.0 - Traffic Control Rules File
 #
 # /etc/shorewall/tcrules
 #
diff --git a/Shorewall/tos b/Shorewall/tos
index 0254fcdff..ff2bbb281 100755
--- a/Shorewall/tos
+++ b/Shorewall/tos
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- /etc/shorewall/tos
+# Shorewall 2.0 -- /etc/shorewall/tos
 #
 # This file defines rules for setting Type Of Service (TOS)
 #
diff --git a/Shorewall/tunnel b/Shorewall/tunnel
index 6fd56fad7..db2c9b38f 100755
--- a/Shorewall/tunnel
+++ b/Shorewall/tunnel
@@ -2,7 +2,7 @@
 RCDLINKS="2,S45 3,S45 6,K45"
 ################################################################################
-# Script to create a gre or ipip tunnel -- Shorewall 1.3
+# Script to create a gre or ipip tunnel -- Shorewall 2.0
 #
 # Modified - Steve Cowles 5/9/2000
 # Incorporated init {start|stop} syntax and iproute2 usage
diff --git a/Shorewall/tunnels b/Shorewall/tunnels
index 86747729b..e34d6dbae 100644
--- a/Shorewall/tunnels
+++ b/Shorewall/tunnels
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 - /etc/shorewall/tunnels
+# Shorewall 2.0 - /etc/shorewall/tunnels
 #
 # This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
 #
diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh
index 0ef626153..aacbf123b 100755
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.3.14RC1
+VERSION=2.0.0Alpha1
 usage() # $1 = exit status
 {
@@ -108,6 +108,7 @@ fi
 rm -rf /etc/shorewall
 rm -rf /usr/lib/shorewall
 rm -rf /var/lib/shorewall
+rm -rf /usr/share/shorewall
 echo "Shorewall Uninstalled"
diff --git a/Shorewall/zones b/Shorewall/zones
index 45f103b73..f4185bdf8 100644
--- a/Shorewall/zones
+++ b/Shorewall/zones
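Review bot: The added `rm -rf /usr/share/shorewall` sits next to the retained `rm -rf /usr/lib/shorewall`, so the uninstaller now deletes a directory that, per the spec's %files list in this same change, 2.0 no longer installs, while the header comment in the earlier hunk says the script is only for the version shown. If the /usr/lib removal is meant to clean up a pre-2.0 tree left by an in-place upgrade, make that explicit and conditional, e.g. `[ -d /usr/lib/shorewall ] && rm -rf /usr/lib/shorewall   # pre-2.0 install location`; otherwise drop it. Each `rm -rf` runs as root with its exit status ignored, so a removal that fails still ends with "Shorewall Uninstalled" being printed; `rm -rf /usr/share/shorewall || echo "warning: could not remove /usr/share/shorewall" >&2` would at least make a partial uninstall visible. The surrounding script, including the `if` block that ends just above this hunk, lies outside the hunk.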
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 /etc/shorewall/zones
+# Shorewall 2.0 /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
 #