diff --git a/Shorewall-lite/help b/Shorewall-lite/help index 7613a82b2..0f32d1b5f 100755 --- a/Shorewall-lite/help +++ b/Shorewall-lite/help @@ -205,7 +205,7 @@ save) ;; show) - echo "show: show [ [ ...] |actions|classifiers|connections|log|macros|mangle|nat|tc|zones] + echo "show: show [ [ ...] |actions|classifiers|config|connections|log|macros|mangle|nat|tc|zones] shorewall [-x] show [ ... ] - produce a verbose report about the IPtable chain(s). (iptables -L chain -n -v) @@ -229,6 +229,8 @@ show) shorewall show capabilities - displays your kernel/iptables capabilities + shorewall show config - displays the default CONFIG_PATH and LITEDIR for your distribution + When -x is given, that option is also passed to iptables to display actual packet and byte counts." ;; diff --git a/Shorewall-lite/shorewall-lite b/Shorewall-lite/shorewall-lite index 25c211684..4e9281677 100755 --- a/Shorewall-lite/shorewall-lite +++ b/Shorewall-lite/shorewall-lite 
@@ -683,81 +683,86 @@ show_command() { [ -n "$debugging" ] && set -x case "$1" in - connections) - [ $# -gt 1 ] && usage 1 - echo "Shorewall Lite $version Connections at $HOSTNAME - $(date)" - echo - cat /proc/net/ip_conntrack - ;; - nat) - [ $# -gt 1 ] && usage 1 - echo "Shorewall Lite $version NAT Table at $HOSTNAME - $(date)" - echo - show_reset - $IPTABLES -t nat -L $IPT_OPTIONS - ;; - tos|mangle) - [ $# -gt 1 ] && usage 1 - echo "Shorewall Lite $version Mangle Table at $HOSTNAME - $(date)" - echo - show_reset - $IPTABLES -t mangle -L $IPT_OPTIONS - ;; - log) - [ $# -gt 1 ] && usage 1 - echo "Shorewall Lite $version Log at $HOSTNAME - $(date)" - echo - show_reset - host=$(echo $HOSTNAME | sed 's/\..*$//') - packet_log 20 - ;; - tc) - [ $# -gt 1 ] && usage 1 - echo "Shorewall Lite $version Traffic Control at $HOSTNAME - $(date)" - echo - show_tc - ;; - classifiers) - [ $# -gt 1 ] && usage 1 - echo "Shorewall Lite $version Clasifiers at $HOSTNAME - $(date)" - echo - show_classifiers - ;; - zones) - [ $# -gt 1 ] && usage 1 - if [ -f ${VARDIR}/zones ]; then - echo "Shorewall Lite $version Zones at $HOSTNAME - $(date)" + connections) + [ $# -gt 1 ] && usage 1 + echo "Shorewall Lite $version Connections at $HOSTNAME - $(date)" echo - while read zone type hosts; do - echo "$zone ($type)" - for host in $hosts; do - echo " $host" + cat /proc/net/ip_conntrack + ;; + nat) + [ $# -gt 1 ] && usage 1 + echo "Shorewall Lite $version NAT Table at $HOSTNAME - $(date)" + echo + show_reset + $IPTABLES -t nat -L $IPT_OPTIONS + ;; + tos|mangle) + [ $# -gt 1 ] && usage 1 + echo "Shorewall Lite $version Mangle Table at $HOSTNAME - $(date)" + echo + show_reset + $IPTABLES -t mangle -L $IPT_OPTIONS + ;; + log) + [ $# -gt 1 ] && usage 1 + echo "Shorewall Lite $version Log at $HOSTNAME - $(date)" + echo + show_reset + host=$(echo $HOSTNAME | sed 's/\..*$//') + packet_log 20 + ;; + tc) + [ $# -gt 1 ] && usage 1 + echo "Shorewall Lite $version Traffic Control at $HOSTNAME - $(date)" + echo 
+ show_tc + ;; + classifiers) + [ $# -gt 1 ] && usage 1 + echo "Shorewall Lite $version Clasifiers at $HOSTNAME - $(date)" + echo + show_classifiers + ;; + zones) + [ $# -gt 1 ] && usage 1 + if [ -f ${VARDIR}/zones ]; then + echo "Shorewall Lite $version Zones at $HOSTNAME - $(date)" + echo + while read zone type hosts; do + echo "$zone ($type)" + for host in $hosts; do + echo " $host" + done + done < ${VARDIR}/zones + echo + else + echo " ERROR: ${VARDIR}/zones does not exist" >&2 + exit 1 + fi + ;; + capabilities) + [ $# -gt 1 ] && usage 1 + determine_capabilities + VERBOSE=2 + report_capabilities + ;; + config) + . ${SHAREDIR}/configpath + echo "Default CONFIG_PATH is $CONFIG_PATH" + echo "LITEDIR is $LITEDIR" + ;; + *) + echo "Shorewall Lite $version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" + echo + show_reset + if [ $# -gt 0 ]; then + for chain in $*; do + $IPTABLES -L $chain $IPT_OPTIONS done - done < ${VARDIR}/zones - echo - else - echo " ERROR: ${VARDIR}/zones does not exist" >&2 - exit 1 - fi - ;; - capabilities) - [ $# -gt 1 ] && usage 1 - determine_capabilities - VERBOSE=2 - report_capabilities - ;; - *) - echo "Shorewall Lite $version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" - echo - show_reset - if [ $# -gt 0 ]; then - for chain in $*; do - $IPTABLES -L $chain $IPT_OPTIONS - done - else - $IPTABLES -L $IPT_OPTIONS - fi - ;; + else + $IPTABLES -L $IPT_OPTIONS + fi + ;; esac } # @@ -977,7 +982,7 @@ usage() # $1 = exit status echo " restart [ -n ] [ ]" echo " restore [ -n ] [ ]" echo " save [ ]" - echo " show [ -x ] [ -m ] [ [ ... ]|capabilities|classifiers|connections|log|mangle|nat|tc|zones]" + echo " show [ -x ] [ -m ] [ [ ... ]|capabilities|classifiers|config|connections|log|mangle|nat|tc|zones]" echo " start [ -f ] [ -n ] [ ]" echo " stop" echo " status" diff --git a/Shorewall/help b/Shorewall/help index 2e9e55887..10bd5ce35 100755 --- a/Shorewall/help +++ b/Shorewall/help 
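Review bot: The new `config)` arm sources `${SHAREDIR}/configpath` without checking that the file exists, and unlike every other arm in this case statement it omits the `[ $# -gt 1 ] && usage 1` argument check, so `show config extra` is accepted silently and a missing configpath file surfaces as a raw shell error rather than the script's own diagnostic. The `zones)` arm a few lines above already shows the house pattern for a missing file; I would put `[ $# -gt 1 ] && usage 1` and `[ -f ${SHAREDIR}/configpath ] || { echo "   ERROR: ${SHAREDIR}/configpath does not exist" >&2; exit 1; }` before the `. ${SHAREDIR}/configpath` line. Because `.` executes the file as shell code, making the existence check explicit also keeps the failure mode predictable instead of depending on how the running shell handles an unreadable source file. The identical arm is added to show_command() in Shorewall/shorewall (the @@ -889 hunk) and needs the same two lines. show_command's opening line precedes this hunk.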
@@ -308,7 +308,7 @@ save) ;; show) - echo "show: show [ [ ...] |actions|classifiers|connections|log|macros|mangle|nat|tc|zones] + echo "show: show [ [ ...] |actions|classifiers|config|connections|log|macros|mangle|nat|tc|zones] shorewall [-x] show [ ... ] - produce a verbose report about the IPtable chain(s). (iptables -L chain -n -v) @@ -336,6 +336,8 @@ show) shorewall show capabilities - displays your kernel/iptables capabilities + shorewall show config - displays the default CONFIG_PATH and LITEDIR for your distribution + When -x is given, that option is also passed to iptables to display actual packet and byte counts." ;; diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 882d7a01f..6bee3ee31 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall 
@@ -889,105 +889,110 @@ show_command() { [ -n "$debugging" ] && set -x case "$1" in - connections) - [ $# -gt 1 ] && usage 1 - echo "Shorewall-$version Connections at $HOSTNAME - $(date)" - echo - cat /proc/net/ip_conntrack - ;; - nat) - [ $# -gt 1 ] && usage 1 - echo "Shorewall-$version NAT Table at $HOSTNAME - $(date)" - echo - show_reset - $IPTABLES -t nat -L $IPT_OPTIONS - ;; - tos|mangle) - [ $# -gt 1 ] && usage 1 - echo "Shorewall-$version Mangle Table at $HOSTNAME - $(date)" - echo - show_reset - $IPTABLES -t mangle -L $IPT_OPTIONS - ;; - log) - [ $# -gt 1 ] && usage 1 - echo "Shorewall-$version Log at $HOSTNAME - $(date)" - echo - show_reset - host=$(echo $HOSTNAME | sed 's/\..*$//') - packet_log 20 - ;; - tc) - [ $# -gt 1 ] && usage 1 - echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)" - echo - show_tc - ;; - classifiers) - [ $# -gt 1 ] && usage 1 - echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)" - echo - show_classifiers - ;; - zones) - [ $# -gt 1 ] && usage 1 - if [ -f ${VARDIR}/zones ]; then - echo "Shorewall-$version Zones at $HOSTNAME - $(date)" + connections) + [ $# -gt 1 ] && usage 1 + echo "Shorewall-$version Connections at $HOSTNAME - $(date)" echo - while read zone type hosts; do - echo "$zone ($type)" - for host in $hosts; do - echo " $host" - done - done < ${VARDIR}/zones + cat /proc/net/ip_conntrack + ;; + nat) + [ $# -gt 1 ] && usage 1 + echo "Shorewall-$version NAT Table at $HOSTNAME - $(date)" echo - else - echo " ERROR: ${VARDIR}/zones does not exist" >&2 - exit 1 - fi - ;; - capabilities) - [ $# -gt 1 ] && usage 1 - determine_capabilities - VERBOSE=2 - report_capabilities - ;; - actions) - [ $# -gt 1 ] && usage 1 - echo "allowBcast # Silently Allow Broadcast/multicast" - echo "dropBcast # Silently Drop Broadcast/multicast" - echo "dropNotSyn # Silently Drop Non-syn TCP packets" - echo "rejNotSyn # Silently Reject Non-syn TCP packets" - echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack 
state" - echo "allowInvalid # Accept packets that are in the INVALID conntrack state." - echo "allowoutUPnP # Allow traffic from local command 'upnpd'" - echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" - echo "forwardUPnP # Allow traffic that upnpd has redirected from" - cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$' - ;; - macros) - [ $# -gt 1 ] && usage 1 - for macro in ${SHAREDIR}/macro.*; do - foo=`grep 'This macro' $macro | head -n 1` - if [ -n "$foo" ]; then - macro=${macro#*.} - foo=${foo%.*} - echo " $macro ${foo#\#}" | sed 's/This macro //' + show_reset + $IPTABLES -t nat -L $IPT_OPTIONS + ;; + tos|mangle) + [ $# -gt 1 ] && usage 1 + echo "Shorewall-$version Mangle Table at $HOSTNAME - $(date)" + echo + show_reset + $IPTABLES -t mangle -L $IPT_OPTIONS + ;; + log) + [ $# -gt 1 ] && usage 1 + echo "Shorewall-$version Log at $HOSTNAME - $(date)" + echo + show_reset + host=$(echo $HOSTNAME | sed 's/\..*$//') + packet_log 20 + ;; + tc) + [ $# -gt 1 ] && usage 1 + echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)" + echo + show_tc + ;; + classifiers) + [ $# -gt 1 ] && usage 1 + echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)" + echo + show_classifiers + ;; + zones) + [ $# -gt 1 ] && usage 1 + if [ -f ${VARDIR}/zones ]; then + echo "Shorewall-$version Zones at $HOSTNAME - $(date)" + echo + while read zone type hosts; do + echo "$zone ($type)" + for host in $hosts; do + echo " $host" + done + done < ${VARDIR}/zones + echo + else + echo " ERROR: ${VARDIR}/zones does not exist" >&2 + exit 1 fi - done - ;; - *) - echo "Shorewall-$version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" - echo - show_reset - if [ $# -gt 0 ]; then - for chain in $*; do - $IPTABLES -L $chain $IPT_OPTIONS + ;; + capabilities) + [ $# -gt 1 ] && usage 1 + determine_capabilities + VERBOSE=2 + report_capabilities + ;; + actions) + [ $# -gt 1 ] && usage 1 + echo "allowBcast # Silently Allow Broadcast/multicast" 
+ echo "dropBcast # Silently Drop Broadcast/multicast" + echo "dropNotSyn # Silently Drop Non-syn TCP packets" + echo "rejNotSyn # Silently Reject Non-syn TCP packets" + echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state" + echo "allowInvalid # Accept packets that are in the INVALID conntrack state." + echo "allowoutUPnP # Allow traffic from local command 'upnpd'" + echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" + echo "forwardUPnP # Allow traffic that upnpd has redirected from" + cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$' + ;; + macros) + [ $# -gt 1 ] && usage 1 + for macro in ${SHAREDIR}/macro.*; do + foo=`grep 'This macro' $macro | head -n 1` + if [ -n "$foo" ]; then + macro=${macro#*.} + foo=${foo%.*} + echo " $macro ${foo#\#}" | sed 's/This macro //' + fi done - else - $IPTABLES -L $IPT_OPTIONS - fi - ;; + ;; + config) + . ${SHAREDIR}/configpath + echo "Default CONFIG_PATH is $CONFIG_PATH" + echo "LITEDIR is $LITEDIR" + ;; + *) + echo "Shorewall-$version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" + echo + show_reset + if [ $# -gt 0 ]; then + for chain in $*; do + $IPTABLES -L $chain $IPT_OPTIONS + done + else + $IPTABLES -L $IPT_OPTIONS + fi + ;; esac } # @@ -1347,7 +1352,7 @@ usage() # $1 = exit status echo " restart [ -n ] [ ]" echo " restore [ -n ] [ ]" echo " save [ ]" - echo " show [ -x ] [ -m ] [ [ ... ]|actions|capabilities|classifiers|connections|log|macros|mangle|nat|tc|zones]" + echo " show [ -x ] [ -m ] [ [ ... ]|actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]" echo " start [ -f ] [ -n ] [ ]" echo " stop" echo " status" diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index 7f728e75d..f3e15bf51 100644 --- a/Shorewall/shorewall.conf +++ b/Shorewall/shorewall.conf 
@@ -339,7 +339,8 @@ MODULESDIR= # to the front of this list. # # If not specified or specified as null ("CONFIG_PATH=""), -# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed. +# the default is distribution-defined. See the output of "shorewall show +# config" to find the default value on your distribution. # CONFIG_PATH=/etc/shorewall:/usr/share/shorewall diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml index ee6d49926..1d0975aa9 100644 --- a/docs/CompiledPrograms.xml +++ b/docs/CompiledPrograms.xml @@ -247,9 +247,16 @@ class="directory">/var/lib/shorewall-lite in packages from shorewall.net. The package maintainers for the various distributions are free to choose the directory where the script - will be stored under their distribution. You can look in your - /usr/share/shorewall/configpath file to see what your - distribution defines for the value of LITEDIR. + will be stored under their distribution. See the output of + shorewall[-lite] show config for the value of + LITEDIR on your distribution. + + Example: + + gateway:~ # shorewall-lite show config +Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite +LITEDIR is /var/lib/shorewall-lite +gateway:~ # @@ -398,6 +405,23 @@ cd <configuration directory> /sbin/shorewall compile -e . firewall scp firewall root@<firewall system>:/var/lib/shorewall-lite/ + + + The 'firewall' script is in /var/lib/shorewall-lite in packages + from shorewall.net. The package maintainers for the various + distributions are free to choose the directory where the script + will be stored under their distribution. See the output of + shorewall[-lite] show config for the value of + LITEDIR on your distribution. + + Example: + + gateway:~ # shorewall-lite show config +Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite +LITEDIR is /var/lib/shorewall-lite +gateway:~ # + 
@@ -433,10 +457,13 @@ teastep@wookie:~$ cd Configs/gateway teastep@wookie:~/Configs/gateway$ /sbin/shorewall reload gateway Compiling... -Shorewall configuration compiled to firewall -firewall 100% 29KB 29.3KB/s 00:00 +Shorewall configuration compiled to ./firewall +Copying ./firewall to gateway:/var/lib/shorewall-lite... +firewall 100% 67KB 66.7KB/s 00:00 +Copy complete Restarting Shorewall Lite.... done. +System gateway reloaded teastep@wookie:~/Configs/gateway$ diff --git a/docs/Documentation.xml b/docs/Documentation.xml index bbc9a6146..30617cdb0 100644 --- a/docs/Documentation.xml +++ b/docs/Documentation.xml @@ -15,7 +15,7 @@ - 2006-06-12 + 2006-06-17 2001-2006 @@ -3058,8 +3058,9 @@ $FW chld ACCEPT /usr/share/shorewall/configpath are used. As released from shorewall.net, that file sets the CONFIG_PATH to /etc/shorewall:/usr/share/shorewall - but your particular distribution may set it - differently. + but your particular distribution may set it differently. + See the output of shorewall show config for the + default on your system. Note that the setting in /usr/share/shorewall/configpath is always used @@ -4085,4 +4086,4 @@ eth1 - This file is described in the Traffic Accounting Documentation. - + \ No newline at end of file diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml index 731320731..39465e86e 100644 --- a/docs/starting_and_stopping_shorewall.xml +++ b/docs/starting_and_stopping_shorewall.xml 
@@ -166,6 +166,23 @@ firewall program. The program is generated using the shorewall compile -e command on a system with the full Shorewall product installed. + + + The 'firewall' script is in /var/lib/shorewall-lite in packages + from shorewall.net. The package maintainers for the various + distributions are free to choose the directory where the script will + be stored under their distribution. See the output of + shorewall[-lite] show config for the value of + LITEDIR on your distribution. + + Example: + + gateway:~ # shorewall-lite show config +Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite +LITEDIR is /var/lib/shorewall-lite +gateway:~ # + @@ -982,9 +999,16 @@ class="directory">/var/lib/shorewall-lite in packages from shorewall.net. The package maintainers for the various distributions are free to choose the directory where the script - will be stored under their distribution. You can look in your - /usr/share/shorewall/configpath file to see what your distribution - defines for the value of LITEDIR. + will be stored under their distribution. See the output of + shorewall[-lite] show config for the value of + LITEDIR on your distribution. + + Example: + + gateway:~ # shorewall-lite show config +Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite +LITEDIR is /var/lib/shorewall-lite +gateway:~ # Example: shorewall reload gateway @@ -1128,6 +1152,9 @@ displays information about the traffic control/shaping classifiers. + shorewall[-lite] show config - displays the + default CONFIG_PATH and LITEDIR for your distribution. + shorewall [ -x ] show macros (Not supported by Shorewall Lite) — produces a list of macros available on the system.