#! /usr/bin/perl -w
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V3.9
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2007 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# Commands are:
#
# compiler.pl Verify the configuration files.
# compile <path name> Compile into <path name>
#
# Environmental Variables are set up by the Compiler wrapper ('compiler' program).
#
# EXPORT=Yes -e option specified to /sbin/shorewall
# SHOREWALL_DIR A directory name was passed to /sbin/shorewall
# VERBOSE Standard Shorewall verbosity control.
# DEBUG=Yes Debugging Enabled
# VERSION Shorewall Version
# TMP_DIR Temporary Directory containing stripped copies
# of all configuration files. Shell variable substitution
# has been performed on these files.
# TIMESTAMP=Yes -t option specified to /sbin/shorewall
#
# This program performs rudimentary shell variable expansion on action and macro files.
use strict;
# Warnings are enabled by '-w' on the shebang line rather than by a pragma.
#
# Every Shorewall::* module below is loaded from the directory added to
# @INC by 'use lib'; the compiler calls their exported functions (emit,
# copy, find_file, progress_message2, ...) and globals unqualified, which
# is what lets this file pass 'use strict'.
#
use lib '/usr/share/shorewall/Shorewall';
use Shorewall::Common;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Zones;
use Shorewall::Interfaces;
use Shorewall::Hosts;
use Shorewall::Nat;
use Shorewall::Tc;
use Shorewall::Tunnels;
use Shorewall::Providers;
use Shorewall::Policy;
use Shorewall::Macros;
use Shorewall::Actions;
use Shorewall::Accounting;
use Shorewall::Rules;
use Shorewall::Proc;
use Shorewall::Proxyarp;
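#
# Emit the first part of the compiled script: the program header, the
# SHAREDIR/CONFDIR/VARDIR/PRODUCT settings (the Shorewall Lite variants when
# EXPORT is set), one run_<name>_exit() function per extension script, and
# the initialize() function that validates the run-time environment.
#
# Reads $ENV{VERSION} and $ENV{EXPORT}, %env (SHAREDIR) and %config
# (CONFIG_PATH, PATH, IPTABLES). All output goes through emit/copy/append_file.
#
sub generate_script_1 {
    copy find_file 'prog.header';

    my $date = localtime;

    emit "#\n# Compiled firewall script generated by Shorewall $ENV{VERSION} - $date\n#";

    if ( $ENV{EXPORT} ) {
        #
        # Exported script: lib.base is copied into the script itself instead
        # of being sourced from the (absent) Shorewall installation.
        #
        emit 'SHAREDIR=/usr/share/shorewall-lite';
        emit 'CONFDIR=/etc/shorewall-lite';
        emit 'VARDIR=/var/lib/shorewall-lite';
        emit 'PRODUCT="Shorewall Lite"';

        copy "$env{SHAREDIR}/lib.base";

        emit '################################################################################';
        emit '# End of /usr/share/shorewall/lib.base';
        emit '################################################################################';
    } else {
        emit 'SHAREDIR=/usr/share/shorewall';
        emit 'CONFDIR=/etc/shorewall';
        # These are single-quoted: a '\n' here would be emitted literally into
        # the shell assignment, so no escape sequences are used.
        emit 'VARDIR=/var/lib/shorewall';
        emit 'PRODUCT=\'Shorewall\'';
        emit '. /usr/share/shorewall/lib.base';
    }

    emit '';

    #
    # One run_<name>_exit() function per user extension script; the user's
    # file (if any) becomes the function body, indented one level.
    #
    for my $exit ( qw/init start tcclear started stop stopped/ ) {
        emit "run_${exit}_exit() {";
        push_indent;
        append_file $exit;
        pop_indent;
        emit "}\n";
    }

    emit 'initialize()';
    emit '{';

    push_indent;

    if ( $ENV{EXPORT} ) {
        emit '#';
        emit '# These variables are required by the library functions called in this script';
        emit '#';
        emit 'CONFIG_PATH="/etc/shorewall-lite:/usr/share/shorewall-lite"';
    } else {
        #
        # A non-exported script needs a full Shorewall installation of a
        # recent enough library version on the host that runs it.
        #
        emit 'if [ ! -f ${SHAREDIR}/version ]; then';
        emit ' fatal_error "This script requires Shorewall which do not appear to be installed on this system (did you forget \"-e\" when you compiled?)"';
        emit 'fi';
        emit '';
        # Single-quoted: the shell must see a plain $(...) substitution, not
        # backslash-escaped '$' characters (which are a shell syntax error).
        emit 'local version=$(cat ${SHAREDIR}/version)';
        emit '';
        # NOTE(review): the numeric threshold (30203) and the version named
        # in the message (3.3.3) do not agree; confirm which one is intended.
        emit 'if [ ${SHOREWALL_LIBVERSION:-0} -lt 30203 ]; then';
        emit ' fatal_error "This script requires Shorewall version 3.3.3 or later; current version is $version"';
        emit 'fi';
        emit '#';
        emit '# These variables are required by the library functions called in this script';
        emit '#';
        emit "CONFIG_PATH=\"$config{CONFIG_PATH}\"";
    }

    propagateconfig;

    emit '[ -n "${COMMAND:=restart}" ]';
    emit '[ -n "${VERBOSE:=0}" ]';
    # NOTE(review): this assigns RESTOREFILE to itself, so it supplies no
    # default; confirm whether a real default was meant here.
    emit '[ -n "${RESTOREFILE:=$RESTOREFILE}" ]';
    emit '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"';
    emit "VERSION=\"$ENV{VERSION}\"";
    emit "PATH=\"$config{PATH}\"";
    emit 'TERMINATOR=fatal_error';

    if ( $config{IPTABLES} ) {
        #
        # A configured IPTABLES path is baked into the script and checked
        # for executability at run time.
        #
        emit "IPTABLES=\"$config{IPTABLES}\"\n";
        emit "[ -x \"$config{IPTABLES}\" ] || startup_error \"IPTABLES=$config{IPTABLES} does not exist or is not executable\"";
    } else {
        emit '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables 2> /dev/null)';
        emit '';
        emit '[ -n "$IPTABLES" -a -x "$IPTABLES" ] || startup_error "Can\'t find iptables executable"';
    }

    emit '';
    emit "STOPPING=";
    emit "COMMENT=\n"; # Fixme -- eventually this goes but it's ok now to maintain compatibility with lib.base
    emit '#';
    emit '# The library requires that ${VARDIR} exist';
    emit '#';
    emit '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}';

    pop_indent;

    emit "}\n";
}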
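#
# Emit the stop_firewall() shell function into the compiled script.
#
# The emitted function handles 'stop'/'clear' directly; for any other
# command it is reached after a failure, logs that, and either clears the
# firewall (RESTOREFILE=NONE) or runs ${VARDIR}/$RESTOREFILE, then kills the
# shell.  The stop path flushes whichever of the mangle, raw and nat tables
# are enabled, removes proxy ARP entries, undoes tc (CLEAR_TC) and routing,
# applies the stopped-state policies plus ACCEPT rules for the critical
# hosts, emits whatever process_routestopped produces, allows loopback and
# DHCP traffic, sets ip_forward per IP_FORWARDING and appends the user's
# 'stopped' extension script.
#
# Reads %config (CLEAR_TC, ADMINISABSENTMINDED, IP_FORWARDING), the
# critical-host list from process_criticalhosts ("interface,host" strings)
# and the 'dhcp' interfaces from find_interfaces_by_option. Output goes
# through emit.
#
sub compile_stop_firewall() {
    #
    # Emacs doesn't handle 'here documents' in Perl Mode nearly as well as it does in Shell mode
    # (it basically doesn't understand it at all and gets lost). So we use the following rather
    # awkward style in place of 'here docs'.
    #
    emit "
#
# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
#
stop_firewall() {

deletechain() {
qt \$IPTABLES -L \$1 -n && qt \$IPTABLES -F \$1 && qt \$IPTABLES -X \$1
}

deleteallchains() {
\$IPTABLES -F
\$IPTABLES -X
}

setcontinue() {
\$IPTABLES -A \$1 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

delete_nat() {
\$IPTABLES -t nat -F
\$IPTABLES -t nat -X

if [ -f \${VARDIR}/nat ]; then
while read external interface; do
del_ip_addr \$external \$interface
done < \${VARDIR}/nat

rm -f \${VARDIR}/nat
fi
}

case \$COMMAND in
stop|clear)
;;
*)
set +x

case \$COMMAND in
start)
logger -p kern.err \"ERROR:\$PRODUCT start failed\"
;;
restart)
logger -p kern.err \"ERROR:\$PRODUCT restart failed\"
;;
restore)
logger -p kern.err \"ERROR:\$PRODUCT restore failed\"
;;
esac

if [ \"\$RESTOREFILE\" = NONE ]; then
COMMAND=clear
clear_firewall
echo \"\$PRODUCT Cleared\"

kill \$\$
exit 2
else
RESTOREPATH=\${VARDIR}/\$RESTOREFILE

if [ -x \$RESTOREPATH ]; then

if [ -x \${RESTOREPATH}-ipsets ]; then
progress_message2 Restoring Ipsets...
#
# We must purge iptables to be sure that there are no
# references to ipsets
#
for table in mangle nat filter; do
\$IPTABLES -t \$table -F
\$IPTABLES -t \$table -X
done

\${RESTOREPATH}-ipsets
fi

echo Restoring \${PRODUCT:=Shorewall}...

if \$RESTOREPATH restore; then
echo \"\$PRODUCT restored from \$RESTOREPATH\"
set_state \"Started\"
else
set_state \"Unknown\"
fi

kill \$\$
exit 2
fi
fi
;;
esac

set_state \"Stopping\"

STOPPING=\"Yes\"

TERMINATOR=

deletechain shorewall

determine_capabilities

run_stop_exit;

if [ -n \"\$MANGLE_ENABLED\" ]; then
run_iptables -t mangle -F
run_iptables -t mangle -X
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
qt \$IPTABLES -t mangle -P \$chain ACCEPT
done
fi

if [ -n \"\$RAW_TABLE\" ]; then
run_iptables -t raw -F
run_iptables -t raw -X
for chain in PREROUTING OUTPUT; do
qt \$IPTABLES -t raw -P \$chain ACCEPT
done
fi

if [ -n \"\$NAT_ENABLED\" ]; then
delete_nat
for chain in PREROUTING POSTROUTING OUTPUT; do
qt \$IPTABLES -t nat -P \$chain ACCEPT
done
fi

if [ -f \${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do
qt arp -i \$external -d \$address pub
[ -z \"\${haveroute}\${NOROUTES}\" ] && qt ip route del \$address dev \$interface
done < \${VARDIR}/proxyarp

for f in /proc/sys/net/ipv4/conf/*; do
[ -f \$f/proxy_arp ] && echo 0 > \$f/proxy_arp
done
fi

rm -f \${VARDIR}/proxyarp\n";

    emit ' delete_tc1' if $config{CLEAR_TC};
    emit ' undo_routing';
    emit ' restore_default_route';

    my $criticalhosts = process_criticalhosts;

    if ( @$criticalhosts ) {
        #
        # Critical hosts get explicit ACCEPT rules in INPUT and OUTPUT so
        # they stay reachable while the firewall is stopped.
        #
        if ( $config{ADMINISABSENTMINDED} ) {
            #
            # Open INPUT/OUTPUT while the chains are deleted, then set them
            # back to DROP once the critical-host rules are in place.
            #
            emit ' for chain in INPUT OUTPUT; do';
            # Single-quoted string: no backslash before '$', otherwise the
            # shell would call setpolicy on the literal name '$chain'.
            emit ' setpolicy $chain ACCEPT';
            emit " done\n";

            emit " setpolicy FORWARD DROP\n";

            emit ' deleteallchains';
            emit '';

            for my $hosts ( @$criticalhosts ) {
                my ( $interface, $host ) = ( split /,/, $hosts );
                my $source = match_source_net $host;
                my $dest = match_dest_net $host;

                emit " \$IPTABLES -A INPUT -i $interface $source -j ACCEPT";
                emit " \$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT";
            }

            emit "
for chain in INPUT OUTPUT; do
setpolicy \$chain DROP
done
";
        } else {
            #
            # Without ADMINISABSENTMINDED only INPUT is closed afterwards;
            # INPUT and FORWARD get the ESTABLISHED,RELATED continue rule.
            #
            emit "
for chain in INPUT OUTPUT; do
setpolicy \$chain ACCEPT
done

setpolicy FORWARD DROP

deleteallchains
";

            for my $hosts ( @$criticalhosts ) {
                my ( $interface, $host ) = ( split /,/, $hosts );
                my $source = match_source_net $host;
                my $dest = match_dest_net $host;

                emit " \$IPTABLES -A INPUT -i $interface $source -j ACCEPT";
                emit " \$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT";
            }

            emit "
setpolicy INPUT DROP

for chain in INPUT FORWARD; do
setcontinue \$chain
done
";
        }
    } elsif ( ! $config{ADMINISABSENTMINDED} ) {
        #
        # No critical hosts, strict admin: everything is dropped.
        #
        emit "
for chain in INPUT OUTPUT FORWARD; do
setpolicy \$chain DROP
done

deleteallchains";
    } else {
        #
        # No critical hosts, absent-minded admin: OUTPUT stays open and
        # established connections continue to be accepted.
        #
        emit "
for chain in INPUT FORWARD; do
setpolicy \$chain DROP
done

setpolicy OUTPUT ACCEPT

deleteallchains

for chain in INPUT FORWARD; do
setcontinue \$chain
done
";
    }

    push_indent;

    process_routestopped;

    emit '$IPTABLES -A INPUT -i lo -j ACCEPT';
    emit '$IPTABLES -A OUTPUT -o lo -j ACCEPT';
    # NOTE(review): this repeats the unconditional OUTPUT rule just above;
    # it looks like a leftover -- confirm before removing it.
    emit '$IPTABLES -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED};

    my $interfaces = find_interfaces_by_option 'dhcp';

    for my $interface ( @$interfaces ) {
        emit "\$IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT";
        emit "\$IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" unless $config{ADMINISABSENTMINDED};
        #
        # This might be a bridge
        #
        emit "\$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT";
    }

    emit '';

    if ( $config{IP_FORWARDING} =~ /on/i ) {
        emit 'echo 1 > /proc/sys/net/ipv4/ip_forward';
        emit 'progress_message2 IP Forwarding Enabled';
    } elsif ( $config{IP_FORWARDING} =~ /off/i ) {
        emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
        emit 'progress_message2 IP Forwarding Disabled!';
    }

    append_file 'stopped';

    pop_indent;

    emit "
set_state \"Stopped\"

logger -p kern.info \"\$PRODUCT Stopped\"

case \$COMMAND in
stop|clear)
;;
*)
#
# The firewall is being stopped when we were trying to do something
# else. Remove the lock file and Kill the shell in case we're in a
# subshell
#
kill \$\$
;;
esac
}\n";
}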
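#
# Emit the second part of the compiled script: prog.functions followed by
# the opening of the setup_routing_and_traffic_shaping() shell function,
# which loads kernel modules, refuses to start when a 'norfc1918' interface
# carries an RFC 1918 address, runs the init exit script and clears the
# shorewall chain, proxy ARP, tc (CLEAR_TC) and IPv6 (DISABLE_IPV6) state.
# The function is left open (push_indent) for the routing/shaping code that
# later steps append.
#
# Reads $ENV{EXPORT}, %env (SHAREDIR) and %config (CLEAR_TC, DISABLE_IPV6,
# CLAMPMSS). Output goes through emit/emit_as_is/emit_unindented/copy.
#
sub generate_script_2 () {
    copy find_file 'prog.functions';

    emit '#';
    emit '# Setup Routing and Traffic Shaping';
    emit '#';
    emit 'setup_routing_and_traffic_shaping() {';

    push_indent;

    emit 'local restore_file=$1';

    save_progress_message 'Initializing...';

    if ( $ENV{EXPORT} ) {
        my $mf = find_file 'modules';
        #
        # Under EXPORT the 'loadmodule' lines of the modules file are
        # embedded in the script.  The copy found in SHAREDIR is not
        # embedded; the literal here must name the same file looked up
        # above, or the comparison is always true.
        #
        if ( $mf ne "$env{SHAREDIR}/modules" && -f $mf ) {
            emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
            emit 'cat > ${VARDIR}/.modules << EOF';
            #
            # Three-argument open with a lexical handle: the path comes from
            # the configuration search path and must never be interpreted as
            # an open() mode.
            #
            open my $mf_fh, '<', $mf or fatal_error "Unable to open $mf: $!";

            while ( my $modline = <$mf_fh> ) {
                emit_as_is $modline if $modline =~ /^\s*loadmodule\b/;
            }

            close $mf_fh;

            emit_unindented "EOF\n";

            emit 'reload_kernel_modules < ${VARDIR}/.modules';
        } else {
            emit 'load_kernel_modules Yes';
        }
    } else {
        emit 'load_kernel_modules Yes';
    }

    emit '';

    #
    # Sanity check emitted for each 'norfc1918' interface: its first IPv4
    # address must not lie in one of the three RFC 1918 private ranges.
    #
    for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
        emit "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)";
        emit 'if [ -n "$addr" ]; then';
        emit " addr=\$(echo \$addr | sed 's/inet //;s/\/.*//;s/ peer.*//')";
        # RFC 1918 ranges: 10/8, 172.16/12 and 192.168/16.
        emit ' for network in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do';
        emit ' if in_network $addr $network; then';
        emit " startup_error \"The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface\"";
        emit ' fi';
        emit ' done';
        emit "fi\n";
    }

    emit "run_init_exit\n";
    emit 'qt $IPTABLES -L shorewall -n && qt $IPTABLES -F shorewall && qt $IPTABLES -X shorewall';
    emit '';
    emit "delete_proxyarp\n";
    emit "delete_tc1\n" if $config{CLEAR_TC};
    emit "disable_ipv6\n" if $config{DISABLE_IPV6};
    setup_mss( $config{CLAMPMSS} ) if $config{CLAMPMSS};
}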
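#
# Emit the tail of the compiled script: the proxyarp save list, the closing
# of the shell function that an earlier generation step left open (its
# opening is not in this file), the iptables-restore input
# (create_netfilter_load), the define_firewall() function and prog.footer.
#
# Reads the @proxyarp list exported by Shorewall::Proxyarp. Output goes
# through emit/emit_unindented/copy.
#
sub generate_script_3() {
    emit 'cat > ${VARDIR}/proxyarp << __EOF__';

    for my $entry ( @proxyarp ) {
        emit_unindented $entry;
    }

    emit_unindented '__EOF__';

    pop_indent;

    # Closes the shell function opened before this sub was called; the
    # escape must be a newline, not a literal '/n' in the generated script.
    emit "}\n";

    progress_message2 "Creating iptables-restore input...";
    create_netfilter_load;

    emit "#\n# Start/Restart the Firewall\n#";
    emit 'define_firewall() {';
    emit ' setup_routing_and_traffic_shaping;';
    emit ' setup_netfilter';
    emit ' restore_dynamic_rules';
    emit ' date > ${VARDIR}/restarted';
    emit ' run_start_exit';
    emit ' run_iptables -N shorewall';
    emit ' set_state "Started"';
    emit ' run_started_exit';
    emit '';
    #
    # Single-quoted string: '$COMMAND' must reach the shell unescaped so the
    # case statement dispatches on the variable rather than on the literal
    # text '$COMMAND'.
    #
    emit ' cp -f $(my_pathname) ${VARDIR}/.restore

case $COMMAND in
start)
logger -p kern.info "$PRODUCT started"
;;
restart)
logger -p kern.info "$PRODUCT restarted"
;;
restore)
logger -p kern.info "$PRODUCT restored"
;;
esac';

    emit "}\n";

    copy find_file 'prog.footer';
}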
#
# Drive the whole compilation (or check) of the configuration.
#
# $objectfile - path of the script to generate; when it is false the run is
#               a 'check': $command/$doing/$done are switched to the checking
#               vocabulary and no script is finalized.
#
# Relies on globals exported by the Shorewall::* modules ($command, $doing,
# $done, %config, %capabilities) and on get_configuration having already run
# (see the bottom of this file).  Aborts through fatal_error when a required
# netfilter capability is missing.
#
sub compile_firewall( $ ) {
    my $objectfile = $_[0];

    ( $command, $doing, $done ) = qw/ check Checking Checked / unless $objectfile;

    initialize_chain_table;

    # The script header is written only when compiling; every later step
    # runs in both modes.
    if ( $command eq 'compile' ) {
        create_temp_object( $objectfile );
        generate_script_1;
    }

    report_capabilities if $ENV{VERBOSE} > 1;

    #
    # Capabilities the generated rules depend on unconditionally, followed by
    # those required only by specific shorewall.conf settings.
    #
    fatal_error "Shorewall $ENV{VERSION} requires Conntrack Match Support"
        unless $capabilities{CONNTRACK_MATCH};
    fatal_error "Shorewall $ENV{VERSION} requires Extended Multi-port Match Support"
        unless $capabilities{XMULTIPORT};
    fatal_error "Shorewall $ENV{VERSION} requires Address Type Match Support"
        unless $capabilities{ADDRTYPE};
    fatal_error 'BRIDGING=Yes requires Physdev Match support in your Kernel and iptables'
        if $config{BRIDGING} && ! $capabilities{PHYSDEV_MATCH};
    fatal_error 'MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables'
        if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH};
    fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match'
        if $config{RFC1918_STRICT} && ! $capabilities{CONNTRACK_MATCH};
    #
    # Process the zones file.
    #
    progress_message2 "Determining Zones...";
    determine_zones;
    #
    # Process the interfaces file.
    #
    progress_message2 "Validating interfaces file...";
    validate_interfaces_file;
    dump_interface_info if $ENV{DEBUG};
    #
    # Process the hosts file.
    #
    progress_message2 "Validating hosts file...";
    validate_hosts_file;

    if ( $ENV{DEBUG} ) {
        dump_zone_info;
    } elsif ( $ENV{VERBOSE} > 1 ) {
        progress_message "Determining Hosts in Zones...";
        zone_report;
    }
    #
    # Do action pre-processing.
    #
    progress_message2 "Preprocessing Action Files...";
    process_actions1;
    #
    # Process the Policy File.
    #
    progress_message2 "Validating Policy file...";
    validate_policy;
    #
    # Compile the 'stop_firewall()' function
    #
    compile_stop_firewall;
    #
    # Start Second Part of script
    #
    generate_script_2;
    #
    # Do all of the zone-independent stuff
    #
    progress_message2 "Setting up Common Rules...";
    add_common_rules;
    #
    # /proc stuff
    #
    setup_arp_filtering;
    setup_route_filtering;
    setup_martian_logging;
    setup_source_routing;
    setup_forwarding;
    #
    # Proxy Arp
    #
    setup_proxy_arp;
    #
    # [Re-]establish Routing -- the providers file is only consulted when the
    # stripped copy in TMP_DIR is non-empty.
    #
    if ( -s "$ENV{TMP_DIR}/providers" ) {
        setup_providers;
    } else {
        emit "\nundo_routing";
        emit 'restore_default_route';
    }
    #
    # Traffic Shaping
    #
    setup_traffic_shaping if -s "$ENV{TMP_DIR}/tcdevices";
    #
    # Setup Masquerading/SNAT
    #
    progress_message2 "$doing Masq file...";
    setup_masq;
    #
    # MACLIST Filtration
    #
    progress_message2 "Setting up MAC Filtration -- Phase 1...";
    setup_mac_lists 1;
    #
    # Process the rules file.
    #
    progress_message2 "$doing Rules...";
    process_rules;
    #
    # Add Tunnel rules.
    #
    progress_message2 "Adding Tunnels...";
    setup_tunnels;
    #
    # Post-rules action processing.
    #
    process_actions2;
    process_actions3;
    #
    # MACLIST Filtration again
    #
    progress_message2 "Setting up MAC Filtration -- Phase 2...";
    setup_mac_lists 2;
    #
    # Apply Policies
    #
    progress_message2 'Applying Policies...';
    apply_policy_rules;
    dump_action_table if $ENV{DEBUG};
    #
    # Setup Nat
    #
    progress_message2 "$doing one-to-one NAT...";
    setup_nat;
    #
    # TCRules
    #
    progress_message2 "Processing TC Rules...";
    process_tcrules;
    #
    # Accounting.
    #
    progress_message2 "Setting UP Accounting...";
    setup_accounting;

    if ( $command eq 'check' ) {
        progress_message3 "Shorewall configuration verified";
    } else {
        #
        # Finish the script.
        #
        progress_message2 'Generating Rule Matrix...';
        generate_matrix;
        dump_chain_table if $ENV{DEBUG};
        generate_script_3;
        finalize_object;
        generate_aux_config;
    }
}
#
# E x e c u t i o n   S t a r t s   H e r e
#

#
# DEBUG implies the highest verbosity level the compiler distinguishes.
#
if ( $ENV{DEBUG} ) {
    $ENV{VERBOSE} = 2;
}
#
# Get shorewall.conf and capabilities.
#
get_configuration;
#
# Compile/Check the configuration: a missing object file path means 'check'.
#
compile_firewall( $ARGV[0] );