forked from extern/shorewall_code
Shorewall-1.4.6a
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@675 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
a63d259b40
commit
00b43e6a2e
@ -51,3 +51,6 @@ Changes since 1.4.5
|
|||||||
21. Support Linux 2.6 compressed modules.
|
21. Support Linux 2.6 compressed modules.
|
||||||
|
|
||||||
22. Don't display DHCP message when there are no DHCP interface.
|
22. Don't display DHCP message when there are no DHCP interface.
|
||||||
|
|
||||||
|
23. Move determine_capabilities call to do_initialize to ensure that
|
||||||
|
MANGLE_ENABLED is set before it is tested.
|
||||||
|
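Review bot: item 22 should read "no DHCP interfaces" (plural). Two firewall-script changes in this commit have no entry in this list: the new find_interface_addresses helper and the "newnotsyn" value that validate_interfaces_file now accepts as an interface option.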
@ -28,8 +28,8 @@
|
|||||||
src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
|
src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
|
||||||
border="0">
|
border="0">
|
||||||
</a></td>
|
</a></td>
|
||||||
<td valign="middle" width="34%" align="center"
|
<td valign="middle" width="34%"
|
||||||
bgcolor="#3366ff">
|
align="center" bgcolor="#3366ff">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -39,8 +39,8 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
<img
|
<img src="images/Logo1.png"
|
||||||
src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90">
|
alt="(Shorewall Logo)" width="430" height="90">
|
||||||
</div>
|
</div>
|
||||||
</td>
|
</td>
|
||||||
<td valign="middle" width="33%">
|
<td valign="middle" width="33%">
|
||||||
@ -90,9 +90,9 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
|
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||||
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
|
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
|
||||||
that can be used on a dedicated firewall system, a multi-function
|
firewall that can be used on a dedicated firewall system, a multi-function
|
||||||
gateway/router/server or on a standalone GNU/Linux system.</p>
|
gateway/router/server or on a standalone GNU/Linux system.</p>
|
||||||
|
|
||||||
|
|
||||||
@ -103,8 +103,8 @@
|
|||||||
<p>This program is free software; you can redistribute it and/or modify
|
<p>This program is free software; you can redistribute it and/or modify
|
||||||
|
|
||||||
it under the terms of <a
|
it under the terms of <a
|
||||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
|
||||||
General Public License</a> as published by the Free Software
|
GNU General Public License</a> as published by the Free Software
|
||||||
Foundation.<br>
|
Foundation.<br>
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
@ -166,6 +166,7 @@ step by step instructions.<br>
|
|||||||
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
||||||
Index</a> is a good place to start as is the Quick Search to your right.
|
Index</a> is a good place to start as is the Quick Search to your right.
|
||||||
|
|
||||||
|
|
||||||
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
||||||
If so, the documentation<b> </b>on this site
|
If so, the documentation<b> </b>on this site
|
||||||
will not apply directly to your setup. If you want to use the
|
will not apply directly to your setup. If you want to use the
|
||||||
@ -189,14 +190,25 @@ step by step instructions.<br>
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
|
<p><b>7/22/2003 - Shorewall-1.4.6a</b><b> <img border="0"
|
||||||
src="images/new10.gif" width="28" height="12" alt="(New)">
|
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||||
<br>
|
<br>
|
||||||
</b></p>
|
</b></p>
|
||||||
|
<b>Problems Corrected:</b><br>
|
||||||
|
<ol>
|
||||||
|
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf then
|
||||||
|
Shorewall would fail to start with the error "ERROR: Traffic Control requires
|
||||||
|
Mangle"; that problem has been corrected.</li>
|
||||||
|
</ol>
|
||||||
|
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
|
||||||
|
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||||
|
</b><br>
|
||||||
|
</p>
|
||||||
|
|
||||||
|
|
||||||
<blockquote> </blockquote>
|
<blockquote> </blockquote>
|
||||||
|
|
||||||
|
|
||||||
<p><b>Problems Corrected:</b><br>
|
<p><b>Problems Corrected:</b><br>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
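Review bot: the new "Problems Corrected:" label for 1.4.6a is a bare <b>Problems Corrected:</b><br> outside any paragraph, while the existing 1.4.6 entry a few lines below wraps the same label as <p><b>Problems Corrected:</b><br></p>; use the same markup for the new entry so the two releases render with the same spacing.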
@ -226,15 +238,17 @@ in the nat table (one for each element in the list). Shorewall now correctly
|
|||||||
are no DHCP rules to add.<br>
|
are no DHCP rules to add.<br>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
|
|
||||||
<p><b>Migration Issues:</b><br>
|
<p><b>Migration Issues:</b><br>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>In earlier versions, an undocumented feature allowed
|
<li>In earlier versions, an undocumented feature allowed
|
||||||
entries in the host file as follows:<br>
|
entries in the host file as follows:<br>
|
||||||
<br>
|
<br>
|
||||||
z eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
|
z eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
|
||||||
<br>
|
<br>
|
||||||
@ -249,8 +263,10 @@ entries in the host file as follows:<br>
|
|||||||
are now automatically detected by Shorewall (see below).<br>
|
are now automatically detected by Shorewall (see below).<br>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
|
|
||||||
<p><b>New Features:</b><br>
|
<p><b>New Features:</b><br>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
@ -363,12 +379,12 @@ filtering in the filter table (rfc1918 chain).</li>
|
|||||||
iprange <address>-<address><br>
|
iprange <address>-<address><br>
|
||||||
<br>
|
<br>
|
||||||
This command decomposes a range of IP addressses into a list of
|
This command decomposes a range of IP addressses into a list of
|
||||||
network and host addresses. The command can be useful if you need to construct
|
network and host addresses. The command can be useful if you need to
|
||||||
an efficient set of rules that accept connections from a range of network
|
construct an efficient set of rules that accept connections from a range
|
||||||
addresses.<br>
|
of network addresses.<br>
|
||||||
<br>
|
<br>
|
||||||
Note: If your shell only supports 32-bit signed arithmetic (ash
|
Note: If your shell only supports 32-bit signed arithmetic (ash
|
||||||
or dash) then the range may not span 128.0.0.0.<br>
|
or dash) then the range may not span 128.0.0.0.<br>
|
||||||
<br>
|
<br>
|
||||||
Example:<br>
|
Example:<br>
|
||||||
<br>
|
<br>
|
||||||
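Review bot: "addressses" in the first sentence of the iprange description is misspelled; it survives the rewrap here and in the same paragraph of the second HTML file in this commit.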
@ -397,27 +413,29 @@ or dash) then the range may not span 128.0.0.0.<br>
|
|||||||
</li>
|
</li>
|
||||||
<li>The "shorewall check" command now includes the chain name when
|
<li>The "shorewall check" command now includes the chain name when
|
||||||
printing the applicable policy for each pair of zones.<br>
|
printing the applicable policy for each pair of zones.<br>
|
||||||
<br>
|
<br>
|
||||||
Example:<br>
|
Example:<br>
|
||||||
<br>
|
<br>
|
||||||
Policy for dmz to net is REJECT using chain all2all<br>
|
Policy for dmz to net is REJECT using chain all2all<br>
|
||||||
<br>
|
<br>
|
||||||
This means that the policy for connections from the dmz to the internet is
|
This means that the policy for connections from the dmz to the internet
|
||||||
REJECT and the applicable entry in the /etc/shorewall/policy was the all->all
|
is REJECT and the applicable entry in the /etc/shorewall/policy was the all->all
|
||||||
policy.<br>
|
policy.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Support for the 2.6 Kernel series has been added.<br>
|
<li>Support for the 2.6 Kernel series has been added.<br>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
|
|
||||||
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
|
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
|
||||||
src="images/new10.gif" width="28" height="12" alt="(New)">
|
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||||
<br>
|
<br>
|
||||||
</b></p>
|
</b></p>
|
||||||
Thanks to the folks at securityopensource.org.br, there is now a <a
|
Thanks to the folks at securityopensource.org.br, there is now a
|
||||||
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
|
<a href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
|
||||||
mirror in Brazil</a>.
|
mirror in Brazil</a>.
|
||||||
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
|
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
|
||||||
|
|
||||||
@ -429,10 +447,10 @@ policy.<br>
|
|||||||
<ol>
|
<ol>
|
||||||
<li>The command "shorewall debug try <directory>"
|
<li>The command "shorewall debug try <directory>"
|
||||||
now correctly traces the attempt.</li>
|
now correctly traces the attempt.</li>
|
||||||
<li>The INCLUDE directive now works properly in the
|
<li>The INCLUDE directive now works properly in
|
||||||
zones file; previously, INCLUDE in that file was ignored.</li>
|
the zones file; previously, INCLUDE in that file was ignored.</li>
|
||||||
<li>/etc/shorewall/routestopped records with an empty
|
<li>/etc/shorewall/routestopped records with an
|
||||||
second column are no longer ignored.<br>
|
empty second column are no longer ignored.<br>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
|
|
||||||
@ -445,10 +463,9 @@ policy.<br>
|
|||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
|
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
|
||||||
rule may now contain a list of addresses. If the list begins with
|
rule may now contain a list of addresses. If the list begins with "!'
|
||||||
"!' then the rule will take effect only if the original destination
|
then the rule will take effect only if the original destination address
|
||||||
address in the connection request does not match any of the addresses
|
in the connection request does not match any of the addresses listed.</li>
|
||||||
listed.</li>
|
|
||||||
|
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
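Review bot: the quotation marks around the exclamation mark in the rewrapped ORIGINAL DEST text are mismatched ("!'); it should read "!" so readers do not take the stray single quote as part of the syntax.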
@ -460,7 +477,7 @@ listed.</li>
|
|||||||
|
|
||||||
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
|
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
|
||||||
and iptables 1.2.8 (using the "official" RPM from netfilter.org).
|
and iptables 1.2.8 (using the "official" RPM from netfilter.org).
|
||||||
No problems have been encountered with this set of software. The Shorewall
|
No problems have been encountered with this set of software. The Shorewall
|
||||||
version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
|
version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
@ -468,10 +485,12 @@ No problems have been encountered with this set of software. The Shorewall
|
|||||||
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
|
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
|
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
|
||||||
version 1.4.4.</p>
|
version 1.4.4.</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p><b></b></p>
|
<p><b></b></p>
|
||||||
|
|
||||||
|
|
||||||
@ -479,10 +498,12 @@ No problems have been encountered with this set of software. The Shorewall
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p><a href="News.htm">More News</a></p>
|
<p><a href="News.htm">More News</a></p>
|
||||||
|
|
||||||
|
|
||||||
@ -506,7 +527,7 @@ No problems have been encountered with this set of software. The Shorewall
|
|||||||
|
|
||||||
|
|
||||||
<b>Congratulations to Jacques and Eric
|
<b>Congratulations to Jacques and Eric
|
||||||
on the recent release of Bering 1.2!!! </b><br>
|
on the recent release of Bering 1.2!!! </b><br>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -596,11 +617,10 @@ on the recent release of Bering 1.2!!! </b><br>
|
|||||||
|
|
||||||
<p align="center"><font size="4" color="#ffffff"><br>
|
<p align="center"><font size="4" color="#ffffff"><br>
|
||||||
<font size="+2"> Shorewall is free but if
|
<font size="+2"> Shorewall is free but if
|
||||||
you try it and find it useful, please consider making a donation
|
you try it and find it useful, please consider making a donation
|
||||||
to
|
to
|
||||||
<a href="http://www.starlight.org"><font
|
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||||
color="#ffffff">Starlight Children's Foundation.</font></a>
|
Children's Foundation.</font></a> Thanks!</font></font></p>
|
||||||
Thanks!</font></font></p>
|
|
||||||
|
|
||||||
</td>
|
</td>
|
||||||
|
|
||||||
@ -612,8 +632,10 @@ Thanks!</font></font></p>
|
|||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
|
||||||
<p><font size="2">Updated 7/19/2003 - <a href="support.htm">Tom Eastep</a></font>
|
<p><font size="2">Updated 7/22/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||||
|
|
||||||
|
<br>
|
||||||
|
</p>
|
||||||
<br>
|
<br>
|
||||||
</p>
|
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
@ -80,18 +80,19 @@
|
|||||||
<p>This program is free software; you can redistribute it and/or modify
|
<p>This program is free software; you can redistribute it and/or modify
|
||||||
|
|
||||||
it under the terms of <a
|
it under the terms of <a
|
||||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
|
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
||||||
GNU General Public License</a> as published by the Free Software
|
General Public License</a> as published by the Free Software
|
||||||
Foundation.<br>
|
Foundation.<br>
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
This program is distributed
|
This program is distributed
|
||||||
in the hope that it will be useful,
|
in the hope that it will be useful,
|
||||||
but WITHOUT ANY WARRANTY; without
|
but WITHOUT ANY WARRANTY; without
|
||||||
even the implied warranty of MERCHANTABILITY
|
even the implied warranty of MERCHANTABILITY
|
||||||
or FITNESS FOR A PARTICULAR PURPOSE.
|
or FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
See the GNU General Public License for more details.<br>
|
See the GNU General Public License for more
|
||||||
|
details.<br>
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
@ -119,8 +120,8 @@ but WITHOUT ANY WARRANTY; without
|
|||||||
For older versions:<br>
|
For older versions:<br>
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
|
<li>The 1.3 site is <a
|
||||||
target="_top">here.</a></li>
|
href="http://www.shorewall.net/1.3" target="_top">here.</a></li>
|
||||||
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
|
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
|
||||||
target="_top">here</a>.<br>
|
target="_top">here</a>.<br>
|
||||||
</li>
|
</li>
|
||||||
@ -131,8 +132,8 @@ but WITHOUT ANY WARRANTY; without
|
|||||||
New to Shorewall? Start by selecting
|
New to Shorewall? Start by selecting
|
||||||
the <a
|
the <a
|
||||||
href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart
|
href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart
|
||||||
Guide</a> that most closely match your environment and
|
Guide</a> that most closely match your environment and follow
|
||||||
follow the step by step instructions.<br>
|
the step by step instructions.<br>
|
||||||
|
|
||||||
<h2>Looking for Information?</h2>
|
<h2>Looking for Information?</h2>
|
||||||
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
||||||
@ -140,11 +141,11 @@ follow the step by step instructions.<br>
|
|||||||
|
|
||||||
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
||||||
If so, the documentation<b> </b>on this site
|
If so, the documentation<b> </b>on this site
|
||||||
will not apply directly to your setup. If you want to use the documentation
|
will not apply directly to your setup. If you want to use the
|
||||||
that you find here, you will want to consider uninstalling what you
|
documentation that you find here, you will want to consider uninstalling
|
||||||
have and installing a setup that matches the documentation on
|
what you have and installing a setup that matches the documentation
|
||||||
this site. See the <a href="two-interface.htm">Two-interface QuickStart
|
on this site. See the <a href="two-interface.htm">Two-interface
|
||||||
Guide</a> for details.
|
QuickStart Guide</a> for details.
|
||||||
|
|
||||||
<h2></h2>
|
<h2></h2>
|
||||||
|
|
||||||
@ -154,6 +155,17 @@ this site. See the <a href="two-interface.htm">Two-interface QuickStart
|
|||||||
<h2><b>News</b></h2>
|
<h2><b>News</b></h2>
|
||||||
|
|
||||||
|
|
||||||
|
<p><b>7/22/2003 - Shorewall-1.4.6a</b><b> <img border="0"
|
||||||
|
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||||
|
<br>
|
||||||
|
</b></p>
|
||||||
|
<b>Problems Corrected:</b><br>
|
||||||
|
|
||||||
|
<ol>
|
||||||
|
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf then
|
||||||
|
Shorewall would fail to start with the error "ERROR: Traffic Control requires
|
||||||
|
Mangle"; that problem has been corrected.</li>
|
||||||
|
</ol>
|
||||||
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
|
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
|
||||||
src="images/new10.gif" width="28" height="12" alt="(New)">
|
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||||
<br>
|
<br>
|
||||||
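Review bot: the 1.4.6a problem description should tell readers who was affected. Changes item 23 attributes the failure to MANGLE_ENABLED being tested before determine_capabilities had set it, which means the "Traffic Control requires Mangle" error appeared with TC_ENABLED set to yes even on systems where mangle support was present; say that here, otherwise users with working mangle support will assume the 1.4.6 error was genuine.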
@ -170,13 +182,13 @@ this site. See the <a href="two-interface.htm">Two-interface QuickStart
|
|||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Where a list of IP addresses appears in the DEST column of
|
<li>Where a list of IP addresses appears in the DEST column of
|
||||||
a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the
|
a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in
|
||||||
nat table (one for each element in the list). Shorewall now correctly creates
|
the nat table (one for each element in the list). Shorewall now correctly
|
||||||
a single DNAT rule with multiple "--to-destination" clauses.<br>
|
creates a single DNAT rule with multiple "--to-destination" clauses.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Corrected a problem in Beta 1 where DNS names containing a
|
<li>Corrected a problem in Beta 1 where DNS names containing a
|
||||||
"-" were mis-handled when they appeared in the DEST column of a rule.<br>
|
"-" were mis-handled when they appeared in the DEST column of a rule.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>A number of problems with rule parsing have been corrected.
|
<li>A number of problems with rule parsing have been corrected.
|
||||||
@ -186,14 +198,16 @@ as lists in the ORIGINAL DESTINATION column.<br>
|
|||||||
</li>
|
</li>
|
||||||
<li>The message "Adding rules for DHCP" is now suppressed if there
|
<li>The message "Adding rules for DHCP" is now suppressed if there
|
||||||
are no DHCP rules to add.</li>
|
are no DHCP rules to add.</li>
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
|
|
||||||
<p><b>Migration Issues:</b><br>
|
<p><b>Migration Issues:</b><br>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>In earlier versions, an undocumented feature allowed entries
|
<li>In earlier versions, an undocumented feature allowed
|
||||||
in the host file as follows:<br>
|
entries in the host file as follows:<br>
|
||||||
<br>
|
<br>
|
||||||
z eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
|
z eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
|
||||||
<br>
|
<br>
|
||||||
@ -267,10 +281,11 @@ outcome:<br>
|
|||||||
If this extension is available, the ruleset generated by Shorewall
|
If this extension is available, the ruleset generated by Shorewall
|
||||||
is changed in the following ways:</li>
|
is changed in the following ways:</li>
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>To handle 'norfc1918' filtering, Shorewall will not
|
<li>To handle 'norfc1918' filtering, Shorewall will not
|
||||||
create chains in the mangle table but will rather do all 'norfc1918'
|
create chains in the mangle table but will rather do all 'norfc1918' filtering
|
||||||
filtering in the filter table (rfc1918 chain).</li>
|
in the filter table (rfc1918 chain).</li>
|
||||||
<li>Recall that Shorewall DNAT rules generate two netfilter
|
<li>Recall that Shorewall DNAT rules generate two netfilter
|
||||||
rules; one in the nat table and one in the filter table. If the Connection
|
rules; one in the nat table and one in the filter table. If the Connection
|
||||||
Tracking Match Extension is available, the rule in the filter table is
|
Tracking Match Extension is available, the rule in the filter table is
|
||||||
@ -279,6 +294,7 @@ specified (or defaulted to) in the DNAT rule.<br>
|
|||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
|
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
|
||||||
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
|
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
|
||||||
@ -318,13 +334,13 @@ specified (or defaulted to) in the DNAT rule.<br>
|
|||||||
<br>
|
<br>
|
||||||
iprange <address>-<address><br>
|
iprange <address>-<address><br>
|
||||||
<br>
|
<br>
|
||||||
This command decomposes a range of IP addressses into a list of network
|
This command decomposes a range of IP addressses into a list of
|
||||||
and host addresses. The command can be useful if you need to construct
|
network and host addresses. The command can be useful if you need to
|
||||||
an efficient set of rules that accept connections from a range of network
|
construct an efficient set of rules that accept connections from a range
|
||||||
addresses.<br>
|
of network addresses.<br>
|
||||||
<br>
|
<br>
|
||||||
Note: If your shell only supports 32-bit signed arithmetic (ash or
|
Note: If your shell only supports 32-bit signed arithmetic (ash
|
||||||
dash) then the range may not span 128.0.0.0.<br>
|
or dash) then the range may not span 128.0.0.0.<br>
|
||||||
<br>
|
<br>
|
||||||
Example:<br>
|
Example:<br>
|
||||||
<br>
|
<br>
|
||||||
@ -360,7 +376,7 @@ name when printing the applicable policy for each pair of zones.<br>
|
|||||||
<br>
|
<br>
|
||||||
This means that the policy for connections from the dmz to the internet
|
This means that the policy for connections from the dmz to the internet
|
||||||
is REJECT and the applicable entry in the /etc/shorewall/policy was the all->all
|
is REJECT and the applicable entry in the /etc/shorewall/policy was the all->all
|
||||||
policy.<br>
|
policy.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Support for the 2.6 Kernel series has been added.<br>
|
<li>Support for the 2.6 Kernel series has been added.<br>
|
||||||
@ -393,7 +409,7 @@ policy.<br>
|
|||||||
<li>The command "shorewall debug try <directory>"
|
<li>The command "shorewall debug try <directory>"
|
||||||
now correctly traces the attempt.</li>
|
now correctly traces the attempt.</li>
|
||||||
<li>The INCLUDE directive now works properly in the
|
<li>The INCLUDE directive now works properly in the
|
||||||
zones file; previously, INCLUDE in that file was ignored.</li>
|
zones file; previously, INCLUDE in that file was ignored.</li>
|
||||||
<li>/etc/shorewall/routestopped records with an empty
|
<li>/etc/shorewall/routestopped records with an empty
|
||||||
second column are no longer ignored.<br>
|
second column are no longer ignored.<br>
|
||||||
</li>
|
</li>
|
||||||
@ -418,8 +434,8 @@ zones file; previously, INCLUDE in that file was ignored.</li>
|
|||||||
|
|
||||||
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
|
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
|
||||||
</b></p>
|
</b></p>
|
||||||
The firewall at shorewall.net has been upgraded to the 2.4.21
|
The firewall at shorewall.net has been upgraded to the
|
||||||
kernel and iptables 1.2.8 (using the "official" RPM from netfilter.org).
|
2.4.21 kernel and iptables 1.2.8 (using the "official" RPM from netfilter.org).
|
||||||
No problems have been encountered with this set of software. The Shorewall
|
No problems have been encountered with this set of software. The Shorewall
|
||||||
version is 1.4.4b plus the accumulated changes for 1.4.5.
|
version is 1.4.4b plus the accumulated changes for 1.4.5.
|
||||||
|
|
||||||
@ -470,6 +486,7 @@ zones file; previously, INCLUDE in that file was ignored.</li>
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
|
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
|
||||||
<b> </b>
|
<b> </b>
|
||||||
|
|
||||||
@ -569,8 +586,8 @@ zones file; previously, INCLUDE in that file was ignored.</li>
|
|||||||
type="hidden" name="method" value="and"> <input type="hidden"
|
type="hidden" name="method" value="and"> <input type="hidden"
|
||||||
name="config" value="htdig"> <input type="submit"
|
name="config" value="htdig"> <input type="submit"
|
||||||
value="Search"></font> </p>
|
value="Search"></font> </p>
|
||||||
<font face="Arial"> <input
|
<font face="Arial">
|
||||||
type="hidden" name="exclude"
|
<input type="hidden" name="exclude"
|
||||||
value="[http://lists.shorewall.net/pipermail/*]"> </font>
|
value="[http://lists.shorewall.net/pipermail/*]"> </font>
|
||||||
</form>
|
</form>
|
||||||
|
|
||||||
@ -606,7 +623,8 @@ zones file; previously, INCLUDE in that file was ignored.</li>
|
|||||||
|
|
||||||
<tr>
|
<tr>
|
||||||
|
|
||||||
<td width="100%" style="margin-top: 1px;">
|
<td width="100%"
|
||||||
|
style="margin-top: 1px;">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -625,7 +643,7 @@ zones file; previously, INCLUDE in that file was ignored.</li>
|
|||||||
|
|
||||||
<p align="center"><font size="4" color="#ffffff"><br>
|
<p align="center"><font size="4" color="#ffffff"><br>
|
||||||
<font size="+2">Shorewall is free but if you
|
<font size="+2">Shorewall is free but if you
|
||||||
try it and find it useful, please consider making a donation
|
try it and find it useful, please consider making a donation
|
||||||
to
|
to
|
||||||
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
|
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||||
Children's Foundation.</font></a> Thanks!</font></font></p>
|
Children's Foundation.</font></a> Thanks!</font></font></p>
|
||||||
@ -640,7 +658,7 @@ try it and find it useful, please consider making a donation
|
|||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
|
||||||
<p><font size="2">Updated 7/19/2003 - <a href="support.htm">Tom Eastep</a></font>
|
<p><font size="2">Updated 7/22/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||||
<br>
|
<br>
|
||||||
</p>
|
</p>
|
||||||
</body>
|
</body>
|
||||||
|
@ -28,7 +28,7 @@
|
|||||||
# shown below. Simply run this script to revert to your prior version of
|
# shown below. Simply run this script to revert to your prior version of
|
||||||
# Shoreline Firewall.
|
# Shoreline Firewall.
|
||||||
|
|
||||||
VERSION=1.4.6
|
VERSION=1.4.6a
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
366
STABLE/firewall
@ -233,8 +233,7 @@ createchain() # $1 = chain name, $2 = If "yes", create default rules
|
|||||||
run_iptables -N $1
|
run_iptables -N $1
|
||||||
|
|
||||||
if [ $2 = yes ]; then
|
if [ $2 = yes ]; then
|
||||||
state="ESTABLISHED,RELATED"
|
run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
run_iptables -A $1 -m state --state $state -j ACCEPT
|
|
||||||
[ -z "$NEWNOTSYN" ] && \
|
[ -z "$NEWNOTSYN" ] && \
|
||||||
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
|
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
|
||||||
fi
|
fi
|
||||||
@ -495,10 +494,17 @@ first_chains() #$1 = interface
|
|||||||
#
|
#
|
||||||
find_hosts() # $1 = host zone
|
find_hosts() # $1 = host zone
|
||||||
{
|
{
|
||||||
local hosts
|
local hosts interface address addresses
|
||||||
|
|
||||||
while read z hosts options; do
|
while read z hosts options; do
|
||||||
[ "x`expand $z`" = "x$1" ] && expandv hosts && echo `separate_list $hosts`
|
if [ "x`expand $z`" = "x$1" ]; then
|
||||||
|
expandv hosts
|
||||||
|
interface=${hosts%:*}
|
||||||
|
addresses=${hosts#*:}
|
||||||
|
for address in `separate_list $addresses`; do
|
||||||
|
echo $interface:$address
|
||||||
|
done
|
||||||
|
fi
|
||||||
done < $TMP_DIR/hosts
|
done < $TMP_DIR/hosts
|
||||||
}
|
}
|
||||||
|
|
||||||
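Review bot: the new split interface=${hosts%:*} / addresses=${hosts#*:} assumes the hosts column contains exactly one colon, and nothing in find_hosts checks that. A column with no colon yields interface and addresses both equal to the whole field, and the legacy form eth1:192.168.1.0/24,eth2:192.168.2.0/24 (the one the Migration Issues entry retires) yields interface eth1:192.168.1.0/24,eth2. That is caught only because validate_hosts_file performs the same split and rejects an unknown interface, so either add a comment stating that find_hosts relies on the hosts file having already been validated, or guard the split with a case $hosts in *:*) test.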
@ -608,7 +614,7 @@ validate_interfaces_file() {
|
|||||||
|
|
||||||
for option in $options; do
|
for option in $options; do
|
||||||
case $option in
|
case $option in
|
||||||
dhcp|norfc1918|tcpflags)
|
dhcp|norfc1918|tcpflags|newnotsyn)
|
||||||
;;
|
;;
|
||||||
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
|
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
|
||||||
;;
|
;;
|
||||||
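Review bot: newnotsyn is now an accepted per-interface option, but the only consumer in the visible hunks is createchain, which tests the global $NEWNOTSYN from shorewall.conf rather than any per-interface value; confirm the option is actually honoured during rule generation, and add it to the interfaces-file documentation and the changelog, neither of which mentions it.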
@ -636,18 +642,20 @@ validate_hosts_file() {
|
|||||||
r="$z $hosts $options"
|
r="$z $hosts $options"
|
||||||
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
|
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
|
||||||
|
|
||||||
for host in `separate_list $hosts`; do
|
interface=${hosts%:*}
|
||||||
interface=${host%:*}
|
|
||||||
|
|
||||||
list_search $interface $all_interfaces || \
|
list_search $interface $all_interfaces || \
|
||||||
startup_error "Unknown interface ($interface) in record \"$r\""
|
startup_error "Unknown interface ($interface) in record \"$r\""
|
||||||
|
|
||||||
|
hosts=${hosts#*:}
|
||||||
|
|
||||||
|
for host in `separate_list $hosts`; do
|
||||||
for option in `separate_list $options`; do
|
for option in `separate_list $options`; do
|
||||||
case $option in
|
case $option in
|
||||||
maclist|-)
|
maclist|-)
|
||||||
;;
|
;;
|
||||||
routeback)
|
routeback)
|
||||||
eval ${z}_routeback=\"$host \$${z}_routeback\"
|
eval ${z}_routeback=\"$interface:$host \$${z}_routeback\"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
error_message "Warning: Invalid option ($option) in record \"$r\""
|
error_message "Warning: Invalid option ($option) in record \"$r\""
|
||||||
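Review bot: the interface check passes for a record whose hosts column has no colon at all. For "z eth1 routeback", ${hosts%:*} is eth1, which is in $all_interfaces, and ${hosts#*:} is also eth1, so the loop runs with host=eth1 and stores eth1:eth1 in ${z}_routeback. Reject such records before the split, e.g. case $hosts in *:*) ;; *) startup_error "Invalid hosts ($hosts) in record \"$r\"" ;; esac. The retired multi-interface form is handled acceptably: ${hosts%:*} gives eth1:192.168.1.0/24,eth2, which fails the interface lookup, so those records now fail closed with an "Unknown interface" error instead of silently matching; the Migration Issues text could say so.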
@ -689,7 +697,7 @@ validate_policy()
|
|||||||
[ $1 = $2 ] || \
|
[ $1 = $2 ] || \
|
||||||
[ $1 = all ] || \
|
[ $1 = all ] || \
|
||||||
[ $2 = all ] || \
|
[ $2 = all ] || \
|
||||||
echo " Policy for $1 to $2 is $policy"
|
echo " Policy for $1 to $2 is $policy using chain $chain"
|
||||||
}
|
}
|
||||||
|
|
||||||
all_policy_chains=
|
all_policy_chains=
|
||||||
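Review bot: the new echo references $chain, which is not assigned anywhere in the visible lines of validate_policy; confirm it holds the policy chain name (the release notes show "using chain all2all") at this point, because an unset variable would print "using chain " with no name and the check output would mislead rather than fail.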
@ -832,6 +840,15 @@ find_interface_address() # $1 = interface
|
|||||||
echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
|
echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Find interface addresses--returns the set of addresses assigned to the passed
|
||||||
|
# device
|
||||||
|
#
|
||||||
|
find_interface_addresses() # $1 = interface
|
||||||
|
{
|
||||||
|
ip addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Find interfaces that have the passed option specified
|
# Find interfaces that have the passed option specified
|
||||||
#
|
#
|
||||||
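Review bot: `grep inet` in the new find_interface_addresses() also selects `inet6` lines from `ip addr show`, so on a host with IPv6 configured the function returns IPv6 addresses alongside IPv4 ones; `grep 'inet '` (trailing space) or `grep -w inet` restricts it to IPv4, matching what the sed expression and the callers (list_search against an IPv4 external address in add_ip_aliases) expect.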
@ -848,10 +865,18 @@ find_interfaces_by_option() # $1 = option
|
|||||||
#
|
#
|
||||||
find_hosts_by_option() # $1 = option
|
find_hosts_by_option() # $1 = option
|
||||||
{
|
{
|
||||||
|
local ignore hosts interface address addresses options
|
||||||
|
|
||||||
while read ignore hosts options; do
|
while read ignore hosts options; do
|
||||||
expandv options
|
expandv options
|
||||||
list_search $1 `separate_list $options` && \
|
if list_search $1 `separate_list $options`; then
|
||||||
echo `expand $hosts`
|
expandv hosts
|
||||||
|
interface=${hosts%:*}
|
||||||
|
addresses=${hosts#*:}
|
||||||
|
for address in `separate_list $addresses`; do
|
||||||
|
echo $interface:$address
|
||||||
|
done
|
||||||
|
fi
|
||||||
done < $TMP_DIR/hosts
|
done < $TMP_DIR/hosts
|
||||||
|
|
||||||
for interface in $all_interfaces; do
|
for interface in $all_interfaces; do
|
||||||
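Review bot: find_hosts_by_option() now emits one `interface:address` line per address instead of echoing the expanded hosts field whole, so any caller that parsed the old output must be updated at the same time (no caller is visible in this hunk). The split `interface=${hosts%:*}` / `addresses=${hosts#*:}` assumes exactly one colon in the hosts field, which holds for IPv4 entries validated earlier.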
@ -1685,14 +1710,16 @@ check_config() {
|
|||||||
|
|
||||||
disclaimer() {
|
disclaimer() {
|
||||||
echo
|
echo
|
||||||
echo "WARNING: THE 'check' COMMAND IS TOTALLY UNSUPPORTED AND PROBLEM"
|
echo "Notice: The 'check' command is unsupported and problem"
|
||||||
echo " REPORTS COMPLAINING ABOUT ERRORS THAT IT DIDN'T CATCH"
|
echo " reports complaining about errors that it didn't catch"
|
||||||
echo " WILL NOT BE ACCEPTED"
|
echo " will not be accepted"
|
||||||
echo
|
echo
|
||||||
}
|
}
|
||||||
|
|
||||||
disclaimer
|
disclaimer
|
||||||
|
|
||||||
|
report_capabilities
|
||||||
|
|
||||||
echo "Verifying Configuration..."
|
echo "Verifying Configuration..."
|
||||||
|
|
||||||
verify_os_version
|
verify_os_version
|
||||||
@ -1839,7 +1866,11 @@ add_nat_rule() {
|
|||||||
|
|
||||||
if [ -n "$serv" ]; then
|
if [ -n "$serv" ]; then
|
||||||
servport="${servport:+:$servport}"
|
servport="${servport:+:$servport}"
|
||||||
target1="DNAT --to-destination ${serv}${servport}"
|
serv1=
|
||||||
|
for srv in `separate_list $serv`; do
|
||||||
|
serv1="$serv1 --to-destination ${srv}${servport}"
|
||||||
|
done
|
||||||
|
target1="DNAT $serv1"
|
||||||
else
|
else
|
||||||
target1="REDIRECT --to-port $servport"
|
target1="REDIRECT --to-port $servport"
|
||||||
fi
|
fi
|
||||||
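Review bot: the `for srv in \`separate_list $serv\`` loop builds a single DNAT target with several `--to-destination` options, which netfilter treats as round-robin load balancing across the listed servers; a comment stating that (and that `$servport` is appended to each destination) would save the next reader from assuming the first entry is a primary and the rest fallbacks.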
@ -1856,7 +1887,10 @@ add_nat_rule() {
|
|||||||
chain=nonat${nonat_seq}
|
chain=nonat${nonat_seq}
|
||||||
nonat_seq=$(($nonat_seq + 1))
|
nonat_seq=$(($nonat_seq + 1))
|
||||||
createnatchain $chain
|
createnatchain $chain
|
||||||
run_iptables -t nat -A OUTPUT $cli $proto $multiport $sports $dports -j $chain
|
|
||||||
|
for adr in `separate_list $addr`; do
|
||||||
|
run_iptables2 -t nat -A OUTPUT $cli $proto $multiport $sports $dports -d $adr -j $chain
|
||||||
|
done
|
||||||
|
|
||||||
for adr in $excludedests; do
|
for adr in $excludedests; do
|
||||||
addnatrule $chain -d $adr -j RETURN
|
addnatrule $chain -d $adr -j RETURN
|
||||||
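Review bot: replacing the unconditional `run_iptables -t nat -A OUTPUT ... -j $chain` with a `for adr in \`separate_list $addr\`` loop means that an empty `$addr` now produces no jump into the nonat chain at all, where the old code always added one. Please confirm `$addr` is normalised to a non-empty value before this point; the `[ "x$addr" = "x0.0.0.0/0" ] && addr=` reset at the end of the function suggests it is, but that is the only hint in the diff.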
@ -1866,11 +1900,15 @@ add_nat_rule() {
|
|||||||
log_rule $loglevel $chain $logtarget -t nat
|
log_rule $loglevel $chain $logtarget -t nat
|
||||||
fi
|
fi
|
||||||
|
|
||||||
addnatrule $chain $proto -j $target1
|
addnatrule $chain $proto -j $target1 # Protocol is necessary for port redirection
|
||||||
else
|
else
|
||||||
for adr in `separate_list $addr`; do
|
for adr in `separate_list $addr`; do
|
||||||
run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr \
|
if [ -n "$loglevel" ]; then
|
||||||
$multiport $dports -j $target1
|
log_rule $loglevel $OUTPUT $logtarget -t nat \
|
||||||
|
`fix_bang $proto $cli $sports -d $adr $multiport $dports`
|
||||||
|
fi
|
||||||
|
|
||||||
|
run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr $multiport $dports -j $target1
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
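Review bot: `log_rule $loglevel $OUTPUT $logtarget -t nat \` in the new logging branch passes a variable `$OUTPUT` as the chain name, while the matching `run_iptables2 -t nat -A OUTPUT ...` two rows below uses the literal chain; unless a variable named OUTPUT is defined elsewhere, the argument expands to nothing and `$logtarget` is shifted into the chain position. This should read `log_rule $loglevel OUTPUT $logtarget -t nat \`.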
@ -1880,13 +1918,15 @@ add_nat_rule() {
|
|||||||
chain=nonat${nonat_seq}
|
chain=nonat${nonat_seq}
|
||||||
nonat_seq=$(($nonat_seq + 1))
|
nonat_seq=$(($nonat_seq + 1))
|
||||||
createnatchain $chain
|
createnatchain $chain
|
||||||
addnatrule `dnat_chain $source` $cli $proto $multiport $sports $dports -j $chain
|
|
||||||
|
for adr in `separate_list $addr`; do
|
||||||
|
addnatrule `dnat_chain $source` $cli $proto $multiport $sports $dports -d $adr -j $chain
|
||||||
|
done
|
||||||
|
|
||||||
for z in $excludezones; do
|
for z in $excludezones; do
|
||||||
eval hosts=\$${z}_hosts
|
eval hosts=\$${z}_hosts
|
||||||
for host in $hosts; do
|
for host in $hosts; do
|
||||||
for adr in `separate_list $addr`; do
|
addnatrule $chain -s ${host#*:} -j RETURN
|
||||||
addnatrule $chain -s ${host#*:} -d $adr -j RETURN
|
|
||||||
done
|
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
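Review bot: the `-d $adr` added to the exclusion rules (`addnatrule $chain -s ${host#*:} -d $adr -j RETURN`) is redundant: the chain is now only entered through `... -d $adr -j $chain` for each listed address, so every packet inside it already has a destination from the list, and the original `addnatrule $chain -s ${host#*:} -j RETURN` would match the same traffic with one rule per host instead of hosts × addresses.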
@ -1894,13 +1934,11 @@ add_nat_rule() {
|
|||||||
addnatrule $chain -d $adr -j RETURN
|
addnatrule $chain -d $adr -j RETURN
|
||||||
done
|
done
|
||||||
|
|
||||||
for adr in `separate_list $addr`; do
|
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
log_rule $loglevel $chain $logtarget -t nat -d `fix_bang $adr`
|
log_rule $loglevel $chain $logtarget -t nat
|
||||||
fi
|
fi
|
||||||
|
|
||||||
addnatrule $chain $proto -d $adr -j $target1
|
addnatrule $chain $proto -j $target1 # Protocol is necessary for port redirection
|
||||||
done
|
|
||||||
else
|
else
|
||||||
for adr in `separate_list $addr`; do
|
for adr in `separate_list $addr`; do
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
@ -1943,6 +1981,8 @@ add_nat_rule() {
|
|||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[ "x$addr" = "x0.0.0.0/0" ] && addr=
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
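Review bot: `[ "x$addr" = "x0.0.0.0/0" ] && addr=` at the end of add_nat_rule() has no comment explaining why a wildcard destination is cleared on exit; from the add_a_rule() hunk further down it appears to be so that the caller does not emit `-m conntrack --ctorigdst 0.0.0.0/0` matches for every rule, and stating that here would make the side effect on the caller's variable obvious.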
@ -2015,9 +2055,12 @@ add_a_rule()
|
|||||||
servport=$serverport
|
servport=$serverport
|
||||||
multiport=
|
multiport=
|
||||||
|
|
||||||
|
[ x$port = x- ] && port=
|
||||||
|
[ x$cport = x- ] && cport=
|
||||||
|
|
||||||
case $proto in
|
case $proto in
|
||||||
tcp|udp|TCP|UDP|6|17)
|
tcp|udp|TCP|UDP|6|17)
|
||||||
if [ -n "$port" -a "x${port}" != "x-" ]; then
|
if [ -n "$port" ]; then
|
||||||
dports="--dport"
|
dports="--dport"
|
||||||
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
|
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
|
||||||
multiport="$multioption"
|
multiport="$multioption"
|
||||||
@ -2026,7 +2069,7 @@ add_a_rule()
|
|||||||
dports="$dports $port"
|
dports="$dports $port"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "$cport" -a "x${cport}" != "x-" ]; then
|
if [ -n "$cport" ]; then
|
||||||
sports="--sport"
|
sports="--sport"
|
||||||
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
|
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
|
||||||
multiport="$multioption"
|
multiport="$multioption"
|
||||||
@ -2036,18 +2079,17 @@ add_a_rule()
|
|||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
icmp|ICMP|1)
|
icmp|ICMP|1)
|
||||||
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
|
[ -n "$port" ] && dports="--icmp-type $port"
|
||||||
dports="--icmp-type $port"
|
|
||||||
state=
|
state=
|
||||||
;;
|
;;
|
||||||
all|ALL)
|
all|ALL)
|
||||||
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
|
[ -n "$port" ] && \
|
||||||
fatal_error "Port number not allowed with \"all\"; rule: \"$rule\""
|
fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
|
||||||
proto=
|
proto=
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
state=
|
state=
|
||||||
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
|
[ -n "$port" ] && \
|
||||||
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
|
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -2098,15 +2140,39 @@ add_a_rule()
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
|
if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
|
||||||
serv="${serv:+-d $serv}"
|
if [ -n "$serv" ]; then
|
||||||
|
for serv1 in `separate_list $serv`; do
|
||||||
|
for srv in `ip_range $serv1`; do
|
||||||
|
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
|
||||||
|
for adr in `separate_list $addr`; do
|
||||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||||
log_rule $loglevel $chain $logtarget \
|
log_rule $loglevel $chain $logtarget -m conntrack --ctorigdst $adr \
|
||||||
`fix_bang $proto $sports $multiport $state $cli $serv $dports`
|
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
|
||||||
fi
|
fi
|
||||||
|
|
||||||
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
|
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
|
||||||
$serv $dports -j $target
|
-d $srv $dports -m conntrack --ctorigdst $adr -j $target
|
||||||
|
done
|
||||||
|
else
|
||||||
|
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||||
|
log_rule $loglevel $chain $logtarget \
|
||||||
|
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
|
||||||
|
fi
|
||||||
|
|
||||||
|
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
|
||||||
|
-d $srv $dports -j $target
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
done
|
||||||
|
else
|
||||||
|
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||||
|
log_rule $loglevel $chain $logtarget \
|
||||||
|
`fix_bang $proto $sports $multiport $state $cli $dports`
|
||||||
|
fi
|
||||||
|
|
||||||
|
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
|
||||||
|
$dports -j $target
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
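Review bot: the three branches in this hunk repeat the same `log_rule ... \`fix_bang ...\`` / `run_iptables2 -A $chain ... -j $target` pair, differing only in whether `-d $srv` and `-m conntrack --ctorigdst $adr` are present; computing those two fragments into variables once and keeping a single log/rule pair would remove the duplication and make the rule count (server ranges × addresses when CONNTRACK_MATCH is set) easier to see.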
@ -2293,6 +2359,45 @@ process_rule() # $1 = target
|
|||||||
|
|
||||||
# Generate Netfilter rule(s)
|
# Generate Netfilter rule(s)
|
||||||
|
|
||||||
|
case $logtarget in
|
||||||
|
DNAT*)
|
||||||
|
if [ -n "$MULTIPORT" -a \
|
||||||
|
"$ports" = "${ports%:*}" -a \
|
||||||
|
"$cports" = "${cports%:*}" -a \
|
||||||
|
`list_count $ports` -le 15 -a \
|
||||||
|
`list_count $cports` -le 15 ]
|
||||||
|
then
|
||||||
|
#
|
||||||
|
# MULTIPORT is enabled, there are no port ranges in the rule and less than
|
||||||
|
# 16 ports are listed - use multiport match.
|
||||||
|
#
|
||||||
|
multioption="-m multiport"
|
||||||
|
for client in `separate_list ${clients:=-}`; do
|
||||||
|
#
|
||||||
|
# add_a_rule() modifies these so we must set their values each time
|
||||||
|
#
|
||||||
|
server=${servers:=-}
|
||||||
|
port=${ports:=-}
|
||||||
|
cport=${cports:=-}
|
||||||
|
add_a_rule
|
||||||
|
done
|
||||||
|
else
|
||||||
|
#
|
||||||
|
# MULTIPORT is disabled or the rule isn't compatible with multiport match
|
||||||
|
#
|
||||||
|
multioption=
|
||||||
|
for client in `separate_list ${clients:=-}`; do
|
||||||
|
for port in `separate_list ${ports:=-}`; do
|
||||||
|
for cport in `separate_list ${cports:=-}`; do
|
||||||
|
server=${servers:=-}
|
||||||
|
add_a_rule
|
||||||
|
done
|
||||||
|
done
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
|
||||||
if [ -n "$MULTIPORT" -a \
|
if [ -n "$MULTIPORT" -a \
|
||||||
"$ports" = "${ports%:*}" -a \
|
"$ports" = "${ports%:*}" -a \
|
||||||
"$cports" = "${cports%:*}" -a \
|
"$cports" = "${cports%:*}" -a \
|
||||||
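Review bot: the visible part of the new `DNAT*)` arm is identical to the start of the existing `*)` arm, so a comment on what differs for DNAT targets would help the reader find the reason for the duplication. Also note that `${clients:=-}` inside backticks assigns in a subshell only, so `clients` itself stays unset in the parent; that is harmless unless a later step relies on the default having been applied.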
@ -2329,6 +2434,8 @@ process_rule() # $1 = target
|
|||||||
done
|
done
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
;;
|
||||||
|
esac
|
||||||
#
|
#
|
||||||
# Report Result
|
# Report Result
|
||||||
#
|
#
|
||||||
@ -2360,7 +2467,7 @@ process_rules() # $1 = name of rules file
|
|||||||
while read xtarget xclients xservers xprotocol xports xcports xaddress; do
|
while read xtarget xclients xservers xprotocol xports xcports xaddress; do
|
||||||
case "${xtarget%:*}" in
|
case "${xtarget%:*}" in
|
||||||
|
|
||||||
ACCEPT|DROP|REJECT|DNAT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE)
|
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE)
|
||||||
expandv xclients xservers xprotocol xports xcports xaddress
|
expandv xclients xservers xprotocol xports xcports xaddress
|
||||||
|
|
||||||
if [ "x$xclients" = xall ]; then
|
if [ "x$xclients" = xall ]; then
|
||||||
@ -2382,7 +2489,7 @@ process_rules() # $1 = name of rules file
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`"
|
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`"
|
||||||
fatal_error "Invalid Target in rule \"$rule\""
|
fatal_error "Invalid Action in rule \"$rule\""
|
||||||
;;
|
;;
|
||||||
|
|
||||||
esac
|
esac
|
||||||
@ -2582,24 +2689,19 @@ loadmodule() # $1 = module name, $2 - * arguments
|
|||||||
{
|
{
|
||||||
local modulename=$1
|
local modulename=$1
|
||||||
local modulefile
|
local modulefile
|
||||||
|
local suffix
|
||||||
|
|
||||||
if [ -z "`lsmod | grep $modulename`" ]; then
|
if [ -z "`lsmod | grep $modulename`" ]; then
|
||||||
shift
|
shift
|
||||||
modulefile=$MODULESDIR/${modulename}.o
|
|
||||||
|
for suffix in o gz ko ; do
|
||||||
|
modulefile=$MODULESDIR/${modulename}.${suffix}
|
||||||
|
|
||||||
if [ -f $modulefile ]; then
|
if [ -f $modulefile ]; then
|
||||||
insmod $modulefile $*
|
insmod $modulefile $*
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
#
|
done
|
||||||
# If the modules directory contains compressed modules then we'll
|
|
||||||
# assume that insmod can load them
|
|
||||||
#
|
|
||||||
modulefile=${modulefile}.gz
|
|
||||||
|
|
||||||
if [ -f $modulefile ]; then
|
|
||||||
insmod $modulefile $*
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
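Review bot: the suffix loop `for suffix in o gz ko` looks for `${modulename}.gz`, but the code it replaces looked for `${modulename}.o.gz` (the `.gz` was appended to the `.o` path), and compressed modules are normally named `name.o.gz` or `name.ko.gz`; with the new list the compressed case is never found. Suggest `for suffix in o o.gz ko ko.gz` and keeping the dropped comment that insmod is assumed to handle compressed modules.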
@ -2900,8 +3002,16 @@ setup_masq()
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
|
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
|
||||||
list_search $address $aliases_to_add || \
|
for addr in `ip_range $address` ; do
|
||||||
aliases_to_add="$aliases_to_add $address $fullinterface"
|
if ! list_search $addr $aliases_to_add; then
|
||||||
|
aliases_to_add="$aliases_to_add $addr $fullinterface"
|
||||||
|
case $fullinterface in
|
||||||
|
*:*)
|
||||||
|
fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 ))
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
destination=$destnet
|
destination=$destnet
|
||||||
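Review bot: `fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 ))` assumes the part after the colon is numeric; a non-numeric alias label in the masq entry would make the arithmetic fail for the second address of an `ip_range`. A short comment that the label is bumped so each address in the range gets its own alias would also help, since `fullinterface` is mutated for the rest of the loop body.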
@ -3118,7 +3228,7 @@ verify_os_version() {
|
|||||||
osversion=`uname -r`
|
osversion=`uname -r`
|
||||||
|
|
||||||
case $osversion in
|
case $osversion in
|
||||||
2.4.*|2.5.*)
|
2.4.*|2.5.*|2.6.*)
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
startup_error "Shorewall version $version does not work with kernel version $osversion"
|
startup_error "Shorewall version $version does not work with kernel version $osversion"
|
||||||
@ -3134,35 +3244,30 @@ verify_os_version() {
|
|||||||
#
|
#
|
||||||
add_ip_aliases()
|
add_ip_aliases()
|
||||||
{
|
{
|
||||||
local external
|
local addresses external interface inet cidr rest val
|
||||||
local interface
|
|
||||||
local primary
|
|
||||||
|
|
||||||
do_one()
|
address_details()
|
||||||
{
|
{
|
||||||
#
|
#
|
||||||
# Folks feel uneasy if they don't see all of the same
|
# Folks feel uneasy if they don't see all of the same
|
||||||
# decoration on these IP addresses that they see when their
|
# decoration on these IP addresses that they see when their
|
||||||
# distro's net config tool adds them. In an attempt to reduce
|
# distro's net config tool adds them. In an attempt to reduce
|
||||||
# the anxiety level, we have the following code which sets
|
# the anxiety level, we have the following code which sets
|
||||||
# the VLSM and BRD from the primary address
|
# the VLSM and BRD from an existing address in the same subnet
|
||||||
#
|
#
|
||||||
# Get all of the lines that contain inet addresses with broadcast
|
# Get all of the lines that contain inet addresses
|
||||||
#
|
#
|
||||||
val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null
|
ip addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do
|
||||||
|
if in_subnet $external $cidr; then
|
||||||
if [ -n "$val" ] ; then
|
echo "/${cidr#*/} brd `broadcastaddress $cidr`"
|
||||||
#
|
break
|
||||||
# Hack off the leading 'inet <ip addr>' (actually cut off the
|
|
||||||
# "/" as well but add it back in).
|
|
||||||
#
|
|
||||||
val="/${val#*/}"
|
|
||||||
#
|
|
||||||
# Now get the VLSM, "brd" and the broadcast address
|
|
||||||
#
|
|
||||||
val=${val%% scope*}
|
|
||||||
fi
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
do_one()
|
||||||
|
{
|
||||||
|
val=`address_details`
|
||||||
run_ip addr add ${external}${val} dev $interface $label
|
run_ip addr add ${external}${val} dev $interface $label
|
||||||
echo "$external $interface" >> ${STATEDIR}/nat
|
echo "$external $interface" >> ${STATEDIR}/nat
|
||||||
[ -n "$label" ] && label="with $label"
|
[ -n "$label" ] && label="with $label"
|
||||||
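Review bot: `grep 'inet'` in address_details() also matches `inet6` lines, so on a dual-stack interface `in_subnet $external $cidr` can be called with an IPv6 prefix before the IPv4 one is reached; `grep 'inet '` avoids that. Moving `2> /dev/null` onto the `ip addr show` command is correct: in the old line it was outside the backticks and silenced the assignment rather than `ip`.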
@ -3182,9 +3287,9 @@ add_ip_aliases()
|
|||||||
label="label $interface:$label"
|
label="label $interface:$label"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
primary=`find_interface_address $interface`
|
|
||||||
shift;shift
|
shift;shift
|
||||||
[ "x${primary}" = "x${external}" ] || do_one
|
|
||||||
|
list_search $external `find_interface_addresses $interface` || do_one
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -3207,10 +3312,46 @@ load_kernel_modules() {
|
|||||||
# Verify that the 'ip' program is installed
|
# Verify that the 'ip' program is installed
|
||||||
|
|
||||||
verify_ip() {
|
verify_ip() {
|
||||||
qt which ip ||\
|
qt ip link ls ||\
|
||||||
startup_error "Shorewall $version requires the iproute package ('ip' utility)"
|
startup_error "Shorewall $version requires the iproute package ('ip' utility)"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Determine which optional facilities are supported by iptables/netfilter
|
||||||
|
#
|
||||||
|
determine_capabilities() {
|
||||||
|
qt iptables -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
|
||||||
|
qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
|
||||||
|
|
||||||
|
CONNTRACK_MATCH=
|
||||||
|
MULTIPORT=
|
||||||
|
|
||||||
|
if qt iptables -N fooX1234 ; then
|
||||||
|
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||||
|
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||||
|
|
||||||
|
qt iptables -F fooX1234
|
||||||
|
qt iptables -X fooX1234
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
|
||||||
|
{
|
||||||
|
local setting=
|
||||||
|
|
||||||
|
[ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available"
|
||||||
|
|
||||||
|
echo " " $@: $setting
|
||||||
|
}
|
||||||
|
|
||||||
|
report_capabilities() {
|
||||||
|
echo "Shorewall has detected the following iptables/netfilter capabilities:"
|
||||||
|
report_capability $NAT_ENABLED "NAT"
|
||||||
|
report_capability $MANGLE_ENABLED "Packet Mangling"
|
||||||
|
report_capability $MULTIPORT "Multi-port Match"
|
||||||
|
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Perform Initialization
|
# Perform Initialization
|
||||||
# - Delete all old rules
|
# - Delete all old rules
|
||||||
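Review bot: in determine_capabilities() a leftover `fooX1234` chain (for instance from an earlier run interrupted between `-N` and `-X`) makes `qt iptables -N fooX1234` fail, and both CONNTRACK_MATCH and MULTIPORT are then silently reported as "Not available"; flushing and deleting the chain before creating it, or warning when the probe chain cannot be created, would make the detection robust. Switching verify_ip() from `which ip` to `qt ip link ls` is an improvement since it checks that `ip` actually runs.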
@ -3221,6 +3362,8 @@ verify_ip() {
|
|||||||
#
|
#
|
||||||
initialize_netfilter () {
|
initialize_netfilter () {
|
||||||
|
|
||||||
|
report_capabilities
|
||||||
|
|
||||||
echo "Determining Zones..."
|
echo "Determining Zones..."
|
||||||
|
|
||||||
determine_zones
|
determine_zones
|
||||||
@ -3307,7 +3450,16 @@ initialize_netfilter () {
|
|||||||
|
|
||||||
if [ -z "$NEWNOTSYN" ]; then
|
if [ -z "$NEWNOTSYN" ]; then
|
||||||
createchain newnotsyn no
|
createchain newnotsyn no
|
||||||
|
|
||||||
|
for interface in `find_interfaces_by_option newnotsyn`; do
|
||||||
|
run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags ACK ACK -j ACCEPT
|
||||||
|
run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags RST RST -j ACCEPT
|
||||||
|
run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags FIN FIN -j ACCEPT
|
||||||
|
run_iptables -A newnotsyn -i $interface -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
run_user_exit newnotsyn
|
run_user_exit newnotsyn
|
||||||
|
|
||||||
if [ -n "$LOGNEWNOTSYN" ]; then
|
if [ -n "$LOGNEWNOTSYN" ]; then
|
||||||
log_rule $LOGNEWNOTSYN newnotsyn DROP
|
log_rule $LOGNEWNOTSYN newnotsyn DROP
|
||||||
fi
|
fi
|
||||||
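Review bot: the per-interface block in newnotsyn accepts any non-SYN packet with ACK, RST or FIN set and then issues `-j RETURN` for the interface, so a NEW-not-SYN packet with none of those flags set on a `newnotsyn` interface goes back to the calling chain and is handled by ordinary rules rather than reaching the `log_rule $LOGNEWNOTSYN newnotsyn DROP` rule below. If bypassing the check entirely for those interfaces is the intent, a comment saying so would help, since the `common` chain handles the same flags with ACCEPT only.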
@ -3334,7 +3486,7 @@ initialize_netfilter () {
|
|||||||
done < /var/lib/shorewall/save
|
done < /var/lib/shorewall/save
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Creating input Chains..."
|
echo "Creating Interface Chains..."
|
||||||
|
|
||||||
for interface in $all_interfaces; do
|
for interface in $all_interfaces; do
|
||||||
createchain `forward_chain $interface` no
|
createchain `forward_chain $interface` no
|
||||||
@ -3369,6 +3521,7 @@ build_common_chain() {
|
|||||||
if [ -n "$NEWNOTSYN" ]; then
|
if [ -n "$NEWNOTSYN" ]; then
|
||||||
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
|
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
|
||||||
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
|
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
|
||||||
|
run_iptables -A common -p tcp --tcp-flags FIN FIN -j ACCEPT
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
# BROADCASTS
|
# BROADCASTS
|
||||||
@ -3462,13 +3615,17 @@ add_common_rules() {
|
|||||||
#
|
#
|
||||||
# DHCP
|
# DHCP
|
||||||
#
|
#
|
||||||
|
interfaces=`find_interfaces_by_option dhcp`
|
||||||
|
|
||||||
|
if [ -n "$interfaces" ]; then
|
||||||
|
|
||||||
echo "Adding rules for DHCP"
|
echo "Adding rules for DHCP"
|
||||||
|
|
||||||
for interface in `find_interfaces_by_option dhcp`; do
|
for interface in $interfaces; do
|
||||||
run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT
|
run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT
|
||||||
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
|
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
|
||||||
done
|
done
|
||||||
|
fi
|
||||||
#
|
#
|
||||||
# RFC 1918
|
# RFC 1918
|
||||||
#
|
#
|
||||||
@ -3487,11 +3644,12 @@ add_common_rules() {
|
|||||||
|
|
||||||
run_iptables -A logdrop -j DROP
|
run_iptables -A logdrop -j DROP
|
||||||
|
|
||||||
if [ -n "$MANGLE_ENABLED" ]; then
|
if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
|
||||||
#
|
#
|
||||||
# Mangling is enabled -- create a chain in the mangle table to
|
# Mangling is enabled but conntrack match isn't available --
|
||||||
# filter RFC1918 destination addresses. This must be done in the
|
# create a chain in the mangle table to filter RFC1918 destination
|
||||||
# mangle table before we apply any DNAT rules in the nat table
|
# addresses. This must be done in the mangle table before we apply
|
||||||
|
# any DNAT rules in the nat table
|
||||||
#
|
#
|
||||||
# Also add a chain to log and drop any RFC1918 packets that we find
|
# Also add a chain to log and drop any RFC1918 packets that we find
|
||||||
#
|
#
|
||||||
@ -3511,11 +3669,17 @@ add_common_rules() {
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
run_iptables2 -A rfc1918 -s $subnet -j $target
|
run_iptables2 -A rfc1918 -s $subnet -j $target
|
||||||
|
|
||||||
|
if [ -n "$CONNTRACK_MATCH" ]; then
|
||||||
#
|
#
|
||||||
# If packet mangling is enabled, trap packets with an
|
# We have connection tracking match -- match on the original destination
|
||||||
# RFC1918 destination
|
#
|
||||||
|
run_iptables2 -A rfc1918 -m conntrack --ctorigdst $subnet -j $target
|
||||||
|
elif [ -n "$MANGLE_ENABLED" ]; then
|
||||||
|
#
|
||||||
|
# No connection tracking match but we have mangling -- add a rule to
|
||||||
|
# the mangle table
|
||||||
#
|
#
|
||||||
if [ -n "$MANGLE_ENABLED" ]; then
|
|
||||||
run_iptables2 -t mangle -A man1918 -d $subnet -j $target
|
run_iptables2 -t mangle -A man1918 -d $subnet -j $target
|
||||||
fi
|
fi
|
||||||
done < $TMP_DIR/rfc1918
|
done < $TMP_DIR/rfc1918
|
||||||
@ -3525,7 +3689,7 @@ add_common_rules() {
|
|||||||
run_iptables -A $chain -m state --state NEW -j rfc1918
|
run_iptables -A $chain -m state --state NEW -j rfc1918
|
||||||
done
|
done
|
||||||
|
|
||||||
[ -n "$MANGLE_ENABLED" ] && \
|
[ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
|
||||||
run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918
|
run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -4366,6 +4530,7 @@ added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
|
|||||||
# Initialize this program
|
# Initialize this program
|
||||||
#
|
#
|
||||||
do_initialize() {
|
do_initialize() {
|
||||||
|
|
||||||
# Run all utility programs using the C locale
|
# Run all utility programs using the C locale
|
||||||
#
|
#
|
||||||
# Thanks to Vincent Planchenault for this tip #
|
# Thanks to Vincent Planchenault for this tip #
|
||||||
@ -4388,8 +4553,6 @@ do_initialize() {
|
|||||||
LOGRATE=
|
LOGRATE=
|
||||||
LOGBURST=
|
LOGBURST=
|
||||||
LOGPARMS=
|
LOGPARMS=
|
||||||
NAT_ENABLED=
|
|
||||||
MANGLE_ENABLED=
|
|
||||||
ADD_IP_ALIASES=
|
ADD_IP_ALIASES=
|
||||||
ADD_SNAT_ALIASES=
|
ADD_SNAT_ALIASES=
|
||||||
TC_ENABLED=
|
TC_ENABLED=
|
||||||
@ -4399,7 +4562,6 @@ do_initialize() {
|
|||||||
CLAMPMSS=
|
CLAMPMSS=
|
||||||
ROUTE_FILTER=
|
ROUTE_FILTER=
|
||||||
NAT_BEFORE_RULES=
|
NAT_BEFORE_RULES=
|
||||||
MULTIPORT=
|
|
||||||
DETECT_DNAT_IPADDRS=
|
DETECT_DNAT_IPADDRS=
|
||||||
MUTEX_TIMEOUT=
|
MUTEX_TIMEOUT=
|
||||||
NEWNOTSYN=
|
NEWNOTSYN=
|
||||||
@ -4433,6 +4595,7 @@ do_initialize() {
|
|||||||
FUNCTIONS=$SHARED_DIR/functions
|
FUNCTIONS=$SHARED_DIR/functions
|
||||||
|
|
||||||
if [ -f $FUNCTIONS ]; then
|
if [ -f $FUNCTIONS ]; then
|
||||||
|
echo "Loading $FUNCTIONS..."
|
||||||
. $FUNCTIONS
|
. $FUNCTIONS
|
||||||
else
|
else
|
||||||
startup_error "$FUNCTIONS does not exist!"
|
startup_error "$FUNCTIONS does not exist!"
|
||||||
@ -4453,6 +4616,10 @@ do_initialize() {
|
|||||||
echo "$config does not exist!" >&2
|
echo "$config does not exist!" >&2
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
|
#
|
||||||
|
# Determine the capabilities of the installed iptables/netfilter
|
||||||
|
#
|
||||||
|
determine_capabilities
|
||||||
|
|
||||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||||
|
|
||||||
@ -4463,8 +4630,6 @@ do_initialize() {
|
|||||||
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
|
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
|
||||||
[ -n "$ALLOWRELATED" ] || \
|
[ -n "$ALLOWRELATED" ] || \
|
||||||
startup_error "ALLOWRELATED=No is not supported"
|
startup_error "ALLOWRELATED=No is not supported"
|
||||||
NAT_ENABLED="`added_param_value_yes NAT_ENABLED $NAT_ENABLED`"
|
|
||||||
MANGLE_ENABLED="`added_param_value_yes MANGLE_ENABLED $MANGLE_ENABLED`"
|
|
||||||
ADD_IP_ALIASES="`added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES`"
|
ADD_IP_ALIASES="`added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES`"
|
||||||
TC_ENABLED="`added_param_value_yes TC_ENABLED $TC_ENABLED`"
|
TC_ENABLED="`added_param_value_yes TC_ENABLED $TC_ENABLED`"
|
||||||
|
|
||||||
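Review bot: removing `NAT_ENABLED="\`added_param_value_yes NAT_ENABLED ...\`"` and the MANGLE_ENABLED line (and MULTIPORT in the next hunk) means a value set in shorewall.conf is no longer honoured: determine_capabilities runs after the config is sourced and assigns these variables unconditionally. Either warn when the config still sets them or document that they are now detected, otherwise an administrator who disabled them deliberately gets different behaviour without any message.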
@ -4496,7 +4661,6 @@ do_initialize() {
|
|||||||
ADD_SNAT_ALIASES=`added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES`
|
ADD_SNAT_ALIASES=`added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES`
|
||||||
ROUTE_FILTER=`added_param_value_no ROUTE_FILTER $ROUTE_FILTER`
|
ROUTE_FILTER=`added_param_value_no ROUTE_FILTER $ROUTE_FILTER`
|
||||||
NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES`
|
NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES`
|
||||||
MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
|
|
||||||
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
|
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
|
||||||
FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
|
FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
|
||||||
[ -n "$FORWARDPING" ] && \
|
[ -n "$FORWARDPING" ] && \
|
||||||
@ -4567,6 +4731,15 @@ do_initialize() {
|
|||||||
#
|
#
|
||||||
strip_file interfaces
|
strip_file interfaces
|
||||||
strip_file hosts
|
strip_file hosts
|
||||||
|
#
|
||||||
|
# Check out the user's shell
|
||||||
|
#
|
||||||
|
[ -n "$SHOREWALL_SHELL" ] || SHOREWALL_SHELL=/bin/sh
|
||||||
|
|
||||||
|
temp=`decodeaddr 192.168.1.1`
|
||||||
|
if [ `encodeaddr $temp` != 192.168.1.1 ]; then
|
||||||
|
startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
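Review bot: `if [ \`encodeaddr $temp\` != 192.168.1.1 ]` breaks when encodeaddr prints nothing on a broken shell, because `[ != 192.168.1.1 ]` is a test syntax error rather than a false result, so the intended startup_error is never reached. Use the same guard as elsewhere in this file: `if [ "x\`encodeaddr $temp\`" != x192.168.1.1 ]`.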
@ -4719,6 +4892,15 @@ case "$command" in
|
|||||||
my_mutex_off
|
my_mutex_off
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
call)
|
||||||
|
#
|
||||||
|
# Undocumented way to call functions in /usr/share/shorewall/firewall directly
|
||||||
|
#
|
||||||
|
shift;
|
||||||
|
do_initialize
|
||||||
|
EMPTY=
|
||||||
|
$@
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
usage
|
usage
|
||||||
;;
|
;;
|
||||||
|
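Review bot: the new `call)` arm sets `EMPTY=` without a comment saying what it is for, and `shift;` carries a stray semicolon; `"$@"` would also preserve the arguments exactly as typed. Since this dispatches any internal function by name, the comment should state that it is a debugging aid and not part of the supported command set.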
@ -54,7 +54,7 @@
|
|||||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=1.4.6
|
VERSION=1.4.6a
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -20,6 +20,9 @@ Problems Corrected:
|
|||||||
5) The message "Adding rules for DHCP" is now suppressed if there are
|
5) The message "Adding rules for DHCP" is now suppressed if there are
|
||||||
no DHCP rules to add.
|
no DHCP rules to add.
|
||||||
|
|
||||||
|
6) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was
|
||||||
|
being tested before it was set.
|
||||||
|
|
||||||
Migration Issues:
|
Migration Issues:
|
||||||
|
|
||||||
1) In earlier versions, an undocumented feature allowed entries in
|
1) In earlier versions, an undocumented feature allowed entries in
|
||||||
|
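Review bot: the Migration Issues section should gain an entry for this release: NAT_ENABLED, MANGLE_ENABLED and MULTIPORT are now detected at startup by probing iptables and are no longer read from shorewall.conf, so existing settings for them are ignored. Item 6 correctly describes the MANGLE_ENABLED ordering fix but does not mention this side effect of the change.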
@ -1,5 +1,5 @@
|
|||||||
%define name shorewall
|
%define name shorewall
|
||||||
%define version 1.4.6
|
%define version 1.4.6a
|
||||||
%define release 1
|
%define release 1
|
||||||
%define prefix /usr
|
%define prefix /usr
|
||||||
|
|
||||||
@ -105,6 +105,8 @@ fi
|
|||||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jul 22 2003 Tom Eastep <tom@shorewall.net>
|
||||||
|
- Changed version to 1.4.6a-1
|
||||||
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
|
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
|
||||||
- Changed version to 1.4.6-1
|
- Changed version to 1.4.6-1
|
||||||
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
|
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Seattle Firewall
|
# shown below. Simply run this script to remove Seattle Firewall
|
||||||
|
|
||||||
VERSION=1.4.6
|
VERSION=1.4.6a
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|