Alchemy -- zone file style

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2623 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-09-02 20:46:53 +00:00
parent cf710d08ea
commit f6875e9da7
4 changed files with 123 additions and 63 deletions


@ -487,14 +487,53 @@ flushmangle() # $1 = name of chain
}
#
# Find the zones
# This function assumes that the TMP_DIR variable is set and that
# its value named an existing directory.
#
find_zones() # $1 = name of the zone file
determine_zones()
{
local zone rest
local zone parent parents rest new_zone_file=
while read zone rest; do
expandv zone
merge_zone()
{
local z zones="$ZONES" merged=
ZONES=
for z in $zones; do
if [ -z "$merged" ] && list_search $z $parents; then
ZONES="$ZONES $zone"
merged=Yes
fi
ZONES="$ZONES $z"
done
}
strip_file zones
ZONES=
[ "$IPSECFILE" = zones ] && new_zone_file=Yes
while read zone type rest; do
expandv zone type
case $zone in
*:*)
parents=${zone#*:}
zone=${zone%:*}
[ -n "$zone" ] || startup_error "Invalid nested zone syntax: :$parents"
parents=$(separate_list $parents)
;;
*)
parents=
;;
esac
for parent in $parents; do
[ "$parent" = "$FW" ] && startup_error "Sub-zones of the firewall zone are not allowed"
list_search $parent $ZONES || startup_error "Parent zone not defined: $parent"
done
[ ${#zone} -gt 5 ] && startup_error "Zone name longer than 5 characters: $zone"
@ -502,35 +541,42 @@ find_zones() # $1 = name of the zone file
[0-9*])
startup_error "Illegal zone name \"$zone\" in zones file"
;;
$FW|all|none)
startup_error "Reserved zone name \"$zone\" in zones file ignored"
;;
*)
echo $zone
all|none)
startup_error "Reserved zone name \"$zone\" in zones file"
;;
esac
done < $1
}
#
# This function assumes that the TMP_DIR variable is set and that
# its value named an existing directory.
#
determine_zones()
{
local zonefile=$(find_file zones) zones=
strip_file zones $zonefile
ZONES=
zones=$(find_zones $TMP_DIR/zones)
for zone in $zones; do
if [ -n "$new_zone_file" ]; then
case ${type:=plain} in
plain|-)
list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
merge_zone
;;
ipsec)
list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
eval ${zone}_is_ipsec=Yes
eval ${zone}_is_complex=Yes
merge_zone
;;
firewall)
list_search $zone $ZONES && startup_error "Zone $zone is defined more than once"
[ -n "$parents" ] && startup_error "The firewall zone may not be nested"
[ -n "$rest" ] && startup_error "OPTIONS not allowed in a firewall zone"
FW=$zone
;;
*)
startup_error "Invalid Zone Type: $zone"
;;
esac
else
ZONES="$ZONES $zone"
done
fi
done < $TMP_DIR/zones
[ -z "$ZONES" ] && startup_error "ERROR: No Zones Defined"
[ -z "$ZONES" ] && startup_error "No plain or ipsec Zones Defined"
[ -z "$FW" ] && startup_error "No Firewall Zone Defined"
}
#
@ -2536,16 +2582,17 @@ setup_ipsec() {
;;
esac
while read zone ipsec options in_options out_options mss; do
expandv zone ipsec options in_options out_options mss
while read zone type options in_options out_options mss; do
expandv zone type options in_options out_options mss
if [ -n "$using_ipsec" ]; then
validate_zone1 $zone || fatal_error "Unknown zone: $zone"
fi
if [ -n "$ipsec" ]; then
case $ipsec in
-|No|no)
if [ -n "$type" ]; then
if [ -n "$using_ipsec" ]; then
case $type in
No|no)
;;
Yes|yes)
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
@ -2553,9 +2600,10 @@ setup_ipsec() {
eval ${zone}_is_complex=Yes
;;
*)
fatal_error "Invalid IPSEC column value: $ipsec"
fatal_error "Invalid IPSEC column contents"
;;
esac
fi
do_options "" $options
do_options "_in" $in_options
@ -9000,8 +9048,6 @@ do_initialize() {
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
[ -z "$FW" ] && FW=fw
ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
[ -n "$ALLOWRELATED" ] || \
startup_error "ALLOWRELATED=No is not supported"
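Review bot: The `*)` arm of the TYPE case in determine_zones reports the wrong value — `startup_error "Invalid Zone Type: $zone"` prints the zone name rather than the rejected type, so a typo such as `ipsc` yields a message naming a perfectly valid zone; it should read `startup_error "Invalid Zone Type: $type (zone $zone)"`. The `firewall` arm only rejects a repeated name (`list_search $zone $ZONES`), so a second line of type firewall with a different name silently overwrites `FW`, although the accompanying documentation requires exactly one firewall zone; a local flag set in that arm, `[ -n "$fw_defined" ] && startup_error "Only one firewall zone may be defined"` followed by `fw_defined=Yes`, would enforce it. As rendered, merge_zone appends `$zone` only inside the `if [ -z "$merged" ]` branch, so a zone none of whose parents is already in `$ZONES` — including every parent-less zone and therefore the very first plain entry — is never added; unless a trailing `[ -n "$merged" ] || ZONES="$ZONES $zone"` has been lost from this rendering, that drops all top-level zones. The function body is spread across several hunks here, so its full control flow is not visible.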


@ -89,6 +89,10 @@ Migration Considerations:
columns of the /etc/shorewall/ipsec file. The latter file has been
removed.
Additionally the FW option in shorewall.conf has been deprecated and
is no longer set to 'fw' by default. New users are expected to
define the firewall zone in /etc/shorewall/zones.
Adhering to the principle of least astonishment, the old
/etc/shorewall/ipsec file will continue to be supported. A new
IPSECFILE variable in /etc/shorewall/shorewall.conf determines the
@ -113,13 +117,16 @@ Migration Considerations:
The names "all" and "none" are reserved and may
not beused as zone names.
IPSEC Yes -- Communication with all zone hosts is
ONLY encrypted. Your kernel and iptables
must include policy match support.
No -- Communication with some zone hosts may
be encrypted. Encrypted hosts are
designated using the 'ipsec' option in
/etc/shorewall/hosts.
TYPE ipsec - Communication with all zone hosts is encrypted
Your kernel and iptables must include policy
match support.
plain - Communication with some zone hosts may be encrypted.
Encrypted hosts are designated using the 'ipsec'
option in /etc/shorewall/hosts.
firewall
- Designates the firewall itself. You must have
exactly one 'firewall' zone. No options are
permitted with a 'firewall' zone.
OPTIONS, A comma-separated list of options as
IN OPTIONS, follows:
@ -226,7 +233,7 @@ Migration Considerations:
ACCEPT them. See http://www.shorewall.net/VPNBasics.html for
information on the rules generated by entries in the tunnels file.
10) In previous releases, the "refresh" command would source your tcstart
10) In previous releases, the "refresh" command could source your tcstart
script. Beginning with this release, "refresh" will run that script
if it is executable but will not source it. Users of third-party TC
scripts like WonderShaper should see no change provided that


@ -344,11 +344,11 @@ IPSECFILE=zones
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
# Name of the firewall zone -- if not set or if set to an empty string, then
# you must include a definition of the firewall zone in /etc/shorewall/zones.
#
FW=fw
FW=
#
# ENABLE IP FORWARDING
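Review bot: The new FW comment points users at /etc/shorewall/zones, but in this commit's determine_zones that definition is only honoured when IPSECFILE=zones; with the legacy ipsec-file format every entry is simply appended to ZONES, FW is never set, and the script then aborts with "No Firewall Zone Defined" now that the `[ -z "$FW" ] && FW=fw` fallback is removed from do_initialize. Suggest adding after the existing comment: `# If IPSECFILE=ipsec (legacy format), the firewall zone cannot be declared in /etc/shorewall/zones and FW must be set here.` This is inferred from the firewall-script hunks shown on this page; confirm against the complete script before wording it as a guarantee.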


@ -11,12 +11,16 @@
# The names "all" and "none" are reserved and may not be
# used as zone names.
#
# IPSEC Yes -- Communication with all zone hosts is encrypted
# ONLY Your kernel and iptables must include policy
# TYPE ipsec - Communication with all zone hosts is encrypted
# Your kernel and iptables must include policy
# match support.
# No -- Communication with some zone hosts may be encrypted.
# plain - Communication with some zone hosts may be encrypted.
# Encrypted hosts are designated using the 'ipsec'
# option in /etc/shorewall/hosts.
# firewall
# - Designates the firewall itself. You must have
# exactly one 'firewall' zone. No options are
# permitted with a 'firewall' zone.
#
# OPTIONS, A comma-separated list of options as follows:
# IN OPTIONS,
@ -65,12 +69,15 @@
# You have a three interface firewall with internet, local and DMZ
# interfaces.
#
# #ZONE IPSEC OPTIONS IN OUT
# #ZONE TYPE OPTIONS IN OUT
# # OPTIONS OPTIONS
# fw firewall
# net
# loc
# dmz
#
###############################################################################
#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE