Alchemy -- zone file style

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2623 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-09-02 20:46:53 +00:00
parent cf710d08ea
commit f6875e9da7
4 changed files with 123 additions and 63 deletions


@ -487,14 +487,53 @@ flushmangle() # $1 = name of chain
} }
# #
# Find the zones # This function assumes that the TMP_DIR variable is set and that
# its value named an existing directory.
# #
find_zones() # $1 = name of the zone file determine_zones()
{ {
local zone rest local zone parent parents rest new_zone_file=
while read zone rest; do merge_zone()
expandv zone {
local z zones="$ZONES" merged=
ZONES=
for z in $zones; do
if [ -z "$merged" ] && list_search $z $parents; then
ZONES="$ZONES $zone"
merged=Yes
fi
ZONES="$ZONES $z"
done
}
strip_file zones
ZONES=
[ "$IPSECFILE" = zones ] && new_zone_file=Yes
while read zone type rest; do
expandv zone type
case $zone in
*:*)
parents=${zone#*:}
zone=${zone%:*}
[ -n "$zone" ] || startup_error "Invalid nested zone syntax: :$parents"
parents=$(separate_list $parents)
;;
*)
parents=
;;
esac
for parent in $parents; do
[ "$parent" = "$FW" ] && startup_error "Sub-zones of the firewall zone are not allowed"
list_search $parent $ZONES || startup_error "Parent zone not defined: $parent"
done
[ ${#zone} -gt 5 ] && startup_error "Zone name longer than 5 characters: $zone" [ ${#zone} -gt 5 ] && startup_error "Zone name longer than 5 characters: $zone"
@ -502,35 +541,42 @@ find_zones() # $1 = name of the zone file
[0-9*]) [0-9*])
startup_error "Illegal zone name \"$zone\" in zones file" startup_error "Illegal zone name \"$zone\" in zones file"
;; ;;
$FW|all|none) all|none)
startup_error "Reserved zone name \"$zone\" in zones file ignored" startup_error "Reserved zone name \"$zone\" in zones file"
;;
*)
echo $zone
;; ;;
esac esac
done < $1
}
# if [ -n "$new_zone_file" ]; then
# This function assumes that the TMP_DIR variable is set and that case ${type:=plain} in
# its value named an existing directory. plain|-)
# list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
determine_zones() merge_zone
{ ;;
local zonefile=$(find_file zones) zones= ipsec)
list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
eval ${zone}_is_ipsec=Yes
eval ${zone}_is_complex=Yes
merge_zone
;;
firewall)
list_search $zone $ZONES && startup_error "Zone $zone is defined more than once"
[ -n "$parents" ] && startup_error "The firewall zone may not be nested"
[ -n "$rest" ] && startup_error "OPTIONS not allowed in a firewall zone"
FW=$zone
;;
*)
startup_error "Invalid Zone Type: $zone"
;;
esac
else
ZONES="$ZONES $zone"
fi
done < $TMP_DIR/zones
strip_file zones $zonefile [ -z "$ZONES" ] && startup_error "No plain or ipsec Zones Defined"
ZONES= [ -z "$FW" ] && startup_error "No Firewall Zone Defined"
zones=$(find_zones $TMP_DIR/zones)
for zone in $zones; do
list_search $zone $ZONES && startup_error "Zone $zone is defined more than once"
ZONES="$ZONES $zone"
done
[ -z "$ZONES" ] && startup_error "ERROR: No Zones Defined"
} }
# #
@ -2536,26 +2582,28 @@ setup_ipsec() {
;; ;;
esac esac
while read zone ipsec options in_options out_options mss; do while read zone type options in_options out_options mss; do
expandv zone ipsec options in_options out_options mss expandv zone type options in_options out_options mss
if [ -n "$using_ipsec" ]; then if [ -n "$using_ipsec" ]; then
validate_zone1 $zone || fatal_error "Unknown zone: $zone" validate_zone1 $zone || fatal_error "Unknown zone: $zone"
fi fi
if [ -n "$ipsec" ]; then if [ -n "$type" ]; then
case $ipsec in if [ -n "$using_ipsec" ]; then
-|No|no) case $type in
;; No|no)
Yes|yes) ;;
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" Yes|yes)
eval ${zone}_is_ipsec=Yes [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
eval ${zone}_is_complex=Yes eval ${zone}_is_ipsec=Yes
;; eval ${zone}_is_complex=Yes
*) ;;
fatal_error "Invalid IPSEC column value: $ipsec" *)
;; fatal_error "Invalid IPSEC column contents"
esac ;;
esac
fi
do_options "" $options do_options "" $options
do_options "_in" $in_options do_options "_in" $in_options
@ -9000,8 +9048,6 @@ do_initialize() {
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
[ -z "$FW" ] && FW=fw
ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)" ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
[ -n "$ALLOWRELATED" ] || \ [ -n "$ALLOWRELATED" ] || \
startup_error "ALLOWRELATED=No is not supported" startup_error "ALLOWRELATED=No is not supported"
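Review bot: `merge_zone`, the helper defined at the top of the new `determine_zones`, never adds a zone that has no parents — it rebuilds `ZONES` from the previous list and inserts `$zone` only when it meets a parent during the loop, so a top-level `plain` or `ipsec` zone is silently dropped, and with the shipped sample file (`fw firewall` plus `net`, `loc`, `dmz`) `ZONES` ends up empty and the new "No plain or ipsec Zones Defined" check fires. A one-line fallback after the `for` loop fixes it: `[ -n "$merged" ] || ZONES="$ZONES $zone"`. Separately, the `*)` arm of the type `case` reports `startup_error "Invalid Zone Type: $zone"` although `$type` is the offending value, so the message names the wrong column. The body of `determine_zones` is split across the hunks at @@ -487 and @@ -502 on this rendered page, so confirm on the full file that nothing after the loop re-adds the zone before applying the fallback.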


@ -89,6 +89,10 @@ Migration Considerations:
columns of the /etc/shorewall/ipsec file. The latter file has been columns of the /etc/shorewall/ipsec file. The latter file has been
removed. removed.
Additionally the FW option in shorewall.conf has been deprecated and
is no longer set to 'fw' by default. New users are expected to
define the firewall zone in /etc/shorewall/zones.
Adhering to the principle of least astonishment, the old Adhering to the principle of least astonishment, the old
/etc/shorewall/ipsec file will continue to be supported. A new /etc/shorewall/ipsec file will continue to be supported. A new
IPSECFILE variable in /etc/shorewall/shorewall.conf determines the IPSECFILE variable in /etc/shorewall/shorewall.conf determines the
@ -113,13 +117,16 @@ Migration Considerations:
The names "all" and "none" are reserved and may The names "all" and "none" are reserved and may
not beused as zone names. not beused as zone names.
IPSEC Yes -- Communication with all zone hosts is TYPE ipsec - Communication with all zone hosts is encrypted
ONLY encrypted. Your kernel and iptables Your kernel and iptables must include policy
must include policy match support. match support.
No -- Communication with some zone hosts may plain - Communication with some zone hosts may be encrypted.
be encrypted. Encrypted hosts are Encrypted hosts are designated using the 'ipsec'
designated using the 'ipsec' option in option in /etc/shorewall/hosts.
/etc/shorewall/hosts. firewall
- Designates the firewall itself. You must have
exactly one 'firewall' zone. No options are
permitted with a 'firewall' zone.
OPTIONS, A comma-separated list of options as OPTIONS, A comma-separated list of options as
IN OPTIONS, follows: IN OPTIONS, follows:
@ -226,7 +233,7 @@ Migration Considerations:
ACCEPT them. See http://www.shorewall.net/VPNBasics.html for ACCEPT them. See http://www.shorewall.net/VPNBasics.html for
information on the rules generated by entries in the tunnels file. information on the rules generated by entries in the tunnels file.
10) In previous releases, the "refresh" command would source your tcstart 10) In previous releases, the "refresh" command could source your tcstart
script. Beginning with this release, "refresh" will run that script script. Beginning with this release, "refresh" will run that script
if it is executable but will not source it. Users of third-party TC if it is executable but will not source it. Users of third-party TC
scripts like WonderShaper should see no change provided that scripts like WonderShaper should see no change provided that


@ -344,11 +344,11 @@ IPSECFILE=zones
# NAME OF THE FIREWALL ZONE # NAME OF THE FIREWALL ZONE
# #
# Name of the firewall zone -- if not set or if set to an empty string, "fw" # Name of the firewall zone -- if not set or if set to an empty string, then
# is assumed. # you must include a definition of the firewall zone in /etc/shorewall/zones.
# #
FW=fw FW=
# #
# ENABLE IP FORWARDING # ENABLE IP FORWARDING


@ -11,12 +11,16 @@
# The names "all" and "none" are reserved and may not be # The names "all" and "none" are reserved and may not be
# used as zone names. # used as zone names.
# #
# IPSEC Yes -- Communication with all zone hosts is encrypted # TYPE ipsec - Communication with all zone hosts is encrypted
# ONLY Your kernel and iptables must include policy # Your kernel and iptables must include policy
# match support. # match support.
# No -- Communication with some zone hosts may be encrypted. # plain - Communication with some zone hosts may be encrypted.
# Encrypted hosts are designated using the 'ipsec' # Encrypted hosts are designated using the 'ipsec'
# option in /etc/shorewall/hosts. # option in /etc/shorewall/hosts.
# firewall
# - Designates the firewall itself. You must have
# exactly one 'firewall' zone. No options are
# permitted with a 'firewall' zone.
# #
# OPTIONS, A comma-separated list of options as follows: # OPTIONS, A comma-separated list of options as follows:
# IN OPTIONS, # IN OPTIONS,
@ -65,12 +69,15 @@
# You have a three interface firewall with internet, local and DMZ # You have a three interface firewall with internet, local and DMZ
# interfaces. # interfaces.
# #
# #ZONE IPSEC OPTIONS IN OUT # #ZONE TYPE OPTIONS IN OUT
# # OPTIONS OPTIONS
# fw firewall
# net # net
# loc # loc
# dmz # dmz
# #
############################################################################### ###############################################################################
#ZONE IPSEC OPTIONS IN OUT #ZONE TYPE OPTIONS IN OUT
# ONLY OPTIONS OPTIONS # OPTIONS OPTIONS
fw firewall
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE