Shorewall-1.4.6a

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@675 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-07-23 14:25:05 +00:00
parent a63d259b40
commit 00b43e6a2e
10 changed files with 3963 additions and 3684 deletions


@ -51,3 +51,6 @@ Changes since 1.4.5
21. Support Linux 2.6 compressed modules. 21. Support Linux 2.6 compressed modules.
22. Don't display DHCP message when there are no DHCP interface. 22. Don't display DHCP message when there are no DHCP interface.
23. Move determine_capabilities call to do_initialize to ensure that
MANGLE_ENABLED is set before it is tested.
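Review bot: item 23 names the fix but not the failure it cures, which makes it hard for a user to map the entry to what they saw; the index.htm hunk in this same commit describes the symptom as a start failure with "ERROR: Traffic Control requires Mangle" when TC_ENABLED is set, and adding that to the entry (for example "... before it is tested (fixes 'ERROR: Traffic Control requires Mangle' when TC_ENABLED is set)") would make the changelog self-explanatory.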



@ -10,7 +10,7 @@
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -19,17 +19,17 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#3366ff"> bgcolor="#3366ff">
<tbody> <tbody>
<tr> <tr>
<td width="33%" height="90" <td width="33%" height="90"
valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4" src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0"> border="0">
</a></td> </a></td>
<td valign="middle" width="34%" align="center" <td valign="middle" width="34%"
bgcolor="#3366ff"> align="center" bgcolor="#3366ff">
@ -39,21 +39,21 @@
<img <img src="images/Logo1.png"
src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90"> alt="(Shorewall Logo)" width="430" height="90">
</div> </div>
</td> </td>
<td valign="middle" width="33%"> <td valign="middle" width="33%">
<h1 align="center"><a href="http://www.shorewall.net" <h1 align="center"><a href="http://www.shorewall.net"
target="_top"><img border="0" src="images/shorewall.jpg" width="119" target="_top"><img border="0" src="images/shorewall.jpg" width="119"
height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4"> height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1> </a></h1>
<br> <br>
</td> </td>
</tr> </tr>
@ -70,18 +70,18 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
<div align="center"> <div align="center">
<br> <br>
</div> </div>
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
@ -90,10 +90,10 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a <p>The Shoreline Firewall, more commonly known as "Shorewall", is
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
that can be used on a dedicated firewall system, a multi-function firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
@ -102,29 +102,29 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
General Public License</a> as published by the Free Software GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed This program is distributed
in the hope that it will be useful, in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more See the GNU General Public License for more
details.<br> details.<br>
<br> <br>
You should have received a You should have received a
copy of the GNU General Public License copy of the GNU General Public License
along with this program; if not, along with this program; if not,
write to the Free Software Foundation, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p> USA</p>
@ -143,36 +143,37 @@ details.<br>
<h2>This is the Shorewall 1.4 Web Site</h2> <h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of Shorewall. The information on this site applies only to 1.4.x releases of Shorewall.
For older versions:<br> For older versions:<br>
<ul> <ul>
<li>The 1.3 site is <a <li>The 1.3 site is <a
href="http://www.shorewall.net/1.3" target="_top">here.</a></li> href="http://www.shorewall.net/1.3" target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/" <li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.<br> target="_top">here</a>.<br>
</li> </li>
</ul> </ul>
<h2>Getting Started with Shorewall</h2> <h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting New to Shorewall? Start by selecting
the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a> the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
that most closely match your environment and follow the that most closely match your environment and follow the
step by step instructions.<br> step by step instructions.<br>
<h2>Looking for Information?</h2> <h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right. Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2> <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site If so, the documentation<b> </b>on this site
will not apply directly to your setup. If you want to use the will not apply directly to your setup. If you want to use the
documentation that you find here, you will want to consider uninstalling documentation that you find here, you will want to consider uninstalling
what you have and installing a setup that matches the documentation what you have and installing a setup that matches the documentation
on this site. See the <a href="two-interface.htm">Two-interface on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br> QuickStart Guide</a> for details.<br>
<h2>News</h2> <h2>News</h2>
@ -189,289 +190,307 @@ step by step instructions.<br>
<p><b>7/22/2003 - Shorewall-1.4.6a</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<b>Problems Corrected:</b><br>
<ol>
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf then
Shorewall would fail to start with the error "ERROR:  Traffic Control requires
Mangle"; that problem has been corrected.</li>
</ol>
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0" <p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
<br> </b><br>
</b></p> </p>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><b>Problems Corrected:</b><br> <p><b>Problems Corrected:</b><br>
</p> </p>
<ol> <ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered <li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked start errors when started using the "service" mechanism has been worked
around.<br> around.<br>
<br> <br>
</li> </li>
<li>Where a list of IP addresses appears in the DEST column <li>Where a list of IP addresses appears in the DEST column
of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules
in the nat table (one for each element in the list). Shorewall now correctly in the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br> creates a single DNAT rule with multiple "--to-destination" clauses.<br>
<br> <br>
</li> </li>
<li>Corrected a problem in Beta 1 where DNS names containing <li>Corrected a problem in Beta 1 where DNS names containing
a "-" were mis-handled when they appeared in the DEST column of a rule.<br> a "-" were mis-handled when they appeared in the DEST column of a rule.<br>
<br> <br>
</li> </li>
<li>A number of problems with rule parsing have been corrected. <li>A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as well Corrections involve the handling of "z1!z2" in the SOURCE column as well
as lists in the ORIGINAL DESTINATION column.<br> as lists in the ORIGINAL DESTINATION column.<br>
<br> <br>
</li> </li>
<li>The message "Adding rules for DHCP" is now suppressed if there <li>The message "Adding rules for DHCP" is now suppressed if there
are no DHCP rules to add.<br> are no DHCP rules to add.<br>
</li> </li>
</ol> </ol>
<p><b>Migration Issues:</b><br> <p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed
entries in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options
have been removed from /etc/shorewall/shorewall.conf. These capabilities
are now automatically detected by Shorewall (see below).<br>
</li>
</ol>
<p><b>New Features:</b><br>
</p> </p>
<ol> <ol>
<li>A 'newnotsyn' interface option has been added. This <li>In earlier versions, an undocumented feature allowed
entries in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options
have been removed from /etc/shorewall/shorewall.conf. These capabilities
are now automatically detected by Shorewall (see below).<br>
</li>
</ol>
<p><b>New Features:</b><br>
</p>
<ol>
<li>A 'newnotsyn' interface option has been added. This
option may be specified in /etc/shorewall/interfaces and overrides the option may be specified in /etc/shorewall/interfaces and overrides the
setting NEWNOTSYN=No for packets arriving on the associated interface.<br> setting NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br> <br>
</li> </li>
<li>The means for specifying a range of IP addresses in <li>The means for specifying a range of IP addresses in
/etc/shorewall/masq to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes /etc/shorewall/masq to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes
is enabled for address ranges.<br> is enabled for address ranges.<br>
<br> <br>
</li> </li>
<li>Shorewall can now add IP addresses to subnets other <li>Shorewall can now add IP addresses to subnets other
than the first one on an interface.<br> than the first one on an interface.<br>
<br> <br>
</li> </li>
<li>DNAT[-] rules may now be used to load balance (round-robin) <li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Servers may be specified in a range of addresses over a set of servers. Servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br> given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>     DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br> <br>
</li> </li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects options have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The output whether these capabilities are present in the current kernel. The output
of the start, restart and check commands have been enhanced to report the of the start, restart and check commands have been enhanced to report the
outcome:<br> outcome:<br>
<br> <br>
Shorewall has detected the following iptables/netfilter capabilities:<br> Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>    NAT: Available<br>
   Packet Mangling: Available<br>    Packet Mangling: Available<br>
   Multi-port Match: Available<br>    Multi-port Match: Available<br>
Verifying Configuration...<br> Verifying Configuration...<br>
<br> <br>
</li> </li>
<li>Support for the Connection Tracking Match Extension <li>Support for the Connection Tracking Match Extension
has been added. This extension is available in recent kernel/iptables has been added. This extension is available in recent kernel/iptables
releases and allows for rules which match against elements in netfilter's releases and allows for rules which match against elements in netfilter's
connection tracking table. Shorewall automatically detects the availability connection tracking table. Shorewall automatically detects the availability
of this extension and reports its availability in the output of the start, of this extension and reports its availability in the output of the start,
restart and check commands.<br> restart and check commands.<br>
<br> <br>
Shorewall has detected the following iptables/netfilter capabilities:<br> Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>    NAT: Available<br>
   Packet Mangling: Available<br>    Packet Mangling: Available<br>
   Multi-port Match: Available<br>    Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>    Connection Tracking Match: Available<br>
Verifying Configuration...<br> Verifying Configuration...<br>
<br> <br>
If this extension is available, the ruleset generated by Shorewall If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:</li> is changed in the following ways:</li>
<ul> <ul>
<li>To handle 'norfc1918' filtering, Shorewall will not <li>To handle 'norfc1918' filtering, Shorewall will not
create chains in the mangle table but will rather do all 'norfc1918' create chains in the mangle table but will rather do all 'norfc1918'
filtering in the filter table (rfc1918 chain).</li> filtering in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter <li>Recall that Shorewall DNAT rules generate two netfilter
rules; one in the nat table and one in the filter table. If the Connection rules; one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table is Tracking Match Extension is available, the rule in the filter table is
extended to check that the original destination address was the same as extended to check that the original destination address was the same as
specified (or defaulted to) in the DNAT rule.<br> specified (or defaulted to) in the DNAT rule.<br>
<br> <br>
</li> </li>
</ul> </ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall) <li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br> may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
<br> <br>
</li> </li>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br> <li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
<br> <br>
      ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;       ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;
]<br> ]<br>
<br> <br>
Examples:<br> Examples:<br>
<br> <br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>       [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>
         CIDR=192.168.1.0/24<br>          CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>          NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>          NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>          BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>       [root@wookie root]#<br>
<br> <br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>       [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
         CIDR=192.168.1.0/24<br>          CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>          NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>          NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>          BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>       [root@wookie root]#<br>
<br> <br>
Warning:<br> Warning:<br>
<br> <br>
If your shell only supports 32-bit signed arithmatic (ash or dash), If your shell only supports 32-bit signed arithmatic (ash or dash),
then the ipcalc command produces incorrect information for IP addresses then the ipcalc command produces incorrect information for IP addresses
128.0.0.0-1 and for /1 networks. Bash should produce correct information 128.0.0.0-1 and for /1 networks. Bash should produce correct information
for all valid IP addresses.<br> for all valid IP addresses.<br>
<br> <br>
</li> </li>
<li>An 'iprange' command has been added to /sbin/shorewall. <li>An 'iprange' command has been added to /sbin/shorewall.
<br> <br>
<br> <br>
      iprange &lt;address&gt;-&lt;address&gt;<br>       iprange &lt;address&gt;-&lt;address&gt;<br>
<br> <br>
This command decomposes a range of IP addressses into a list of This command decomposes a range of IP addressses into a list of
network and host addresses. The command can be useful if you need to construct network and host addresses. The command can be useful if you need to
an efficient set of rules that accept connections from a range of network construct an efficient set of rules that accept connections from a range
addresses.<br> of network addresses.<br>
<br> <br>
Note: If your shell only supports 32-bit signed arithmetic (ash Note: If your shell only supports 32-bit signed arithmetic (ash
or dash) then the range may not span 128.0.0.0.<br> or dash) then the range may not span 128.0.0.0.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
      [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>       [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>
      192.168.1.4/30<br>       192.168.1.4/30<br>
      192.168.1.8/29<br>       192.168.1.8/29<br>
      192.168.1.16/28<br>       192.168.1.16/28<br>
      192.168.1.32/27<br>       192.168.1.32/27<br>
      192.168.1.64/26<br>       192.168.1.64/26<br>
      192.168.1.128/25<br>       192.168.1.128/25<br>
      192.168.2.0/23<br>       192.168.2.0/23<br>
      192.168.4.0/22<br>       192.168.4.0/22<br>
      192.168.8.0/22<br>       192.168.8.0/22<br>
      192.168.12.0/29<br>       192.168.12.0/29<br>
      192.168.12.8/31<br>       192.168.12.8/31<br>
      [root@gateway root]#<br>       [root@gateway root]#<br>
<br> <br>
</li> </li>
<li>A list of host/net addresses is now allowed in an entry <li>A list of host/net addresses is now allowed in an entry
in /etc/shorewall/hosts.<br> in /etc/shorewall/hosts.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24<br>     foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
<br> <br>
</li> </li>
<li>The "shorewall check" command now includes the chain name when <li>The "shorewall check" command now includes the chain name when
printing the applicable policy for each pair of zones.<br> printing the applicable policy for each pair of zones.<br>
 <br>  <br>
    Example:<br>     Example:<br>
 <br>  <br>
        Policy for dmz to net is REJECT using chain all2all<br>         Policy for dmz to net is REJECT using chain all2all<br>
 <br>  <br>
This means that the policy for connections from the dmz to the internet is This means that the policy for connections from the dmz to the internet
REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all
policy.<br> policy.<br>
<br> <br>
</li> </li>
<li>Support for the 2.6 Kernel series has been added.<br> <li>Support for the 2.6 Kernel series has been added.<br>
</li> </li>
</ol> </ol>
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0" <p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
<br> <br>
</b></p> </b></p>
Thanks to the folks at securityopensource.org.br, there is now a <a Thanks to the folks at securityopensource.org.br, there is now a
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall <a href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a>. mirror in Brazil</a>.
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p> <p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br> <p>Problems Corrected:<br>
</p> </p>
<ol> <ol>
<li>The command "shorewall debug try &lt;directory&gt;" <li>The command "shorewall debug try &lt;directory&gt;"
now correctly traces the attempt.</li> now correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the <li>The INCLUDE directive now works properly in
zones file; previously, INCLUDE in that file was ignored.</li> the zones file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty <li>/etc/shorewall/routestopped records with an
second column are no longer ignored.<br> empty second column are no longer ignored.<br>
</li> </li>
</ol> </ol>
<p>New Features:<br> <p>New Features:<br>
</p> </p>
<ol> <ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
rule may now contain a list of addresses. If the list begins with rule may now contain a list of addresses. If the list begins with "!'
"!' then the rule will take effect only if the original destination then the rule will take effect only if the original destination address
address in the connection request does not match any of the addresses in the connection request does not match any of the addresses listed.</li>
listed.</li>
</ol> </ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b> <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b></p> </b></p>
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel <p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). and iptables 1.2.8 (using the "official" RPM from netfilter.org).
No problems have been encountered with this set of software. The Shorewall No problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5.<br> version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</p> </p>
<p><b>6/8/2003 - Updated Samples</b><b> </b></p> <p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p> version 1.4.4.</p>
<p><b></b></p> <p><b></b></p>
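Review bot: the new 7/22/2003 entry opens its list with a bare "<b>Problems Corrected:</b><br>" followed directly by "<ol>", while the 7/20/2003 entry just below wraps the same heading in "<p><b>Problems Corrected:</b><br></p>"; using the same wrapper keeps the spacing between news entries consistent. The entry also reports only the symptom ("ERROR: Traffic Control requires Mangle" when TC_ENABLED is set); the changelog item added in this commit gives the cause (capability detection ran after MANGLE_ENABLED was tested), and one clause saying so would help readers judge whether their configuration was affected. In the unchanged context of the same hunk, "arithmatic" in the ipcalc warning should read "arithmetic", as the iprange note below it already spells it.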
@ -479,10 +498,12 @@ No problems have been encountered with this set of software. The Shorewall
</ol> </ol>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
@ -494,28 +515,28 @@ No problems have been encountered with this set of software. The Shorewall
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques Nilo and Eric </a>Jacques Nilo and Eric
Wolzak have a LEAF (router/firewall/gateway Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that called <i>Bering</i> that
features Shorewall-1.4.2 and Kernel-2.4.20. features Shorewall-1.4.2 and Kernel-2.4.20.
You can find their work at: You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> <a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<b>Congratulations to Jacques and Eric <b>Congratulations to Jacques and Eric
on the recent release of Bering 1.2!!! </b><br> on the recent release of Bering 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" bgcolor="#3366ff" <td width="88" bgcolor="#3366ff"
valign="top" align="center"> valign="top" align="center">
@ -523,11 +544,11 @@ on the recent release of Bering 1.2!!! </b><br>
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<font <font
color="#ffffff"><b>Note: </b></font></strong><font color="#ffffff"><b>Note: </b></font></strong><font
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br> color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong> <strong></strong>
@ -535,14 +556,14 @@ on the recent release of Bering 1.2!!! </b><br>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input type="text" <font face="Arial" size="-1"> <input type="text"
name="words" size="15"></font><font size="-1"> </font> <font name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input type="hidden" <font face="Arial"> <input type="hidden"
name="exclude" value="[http://lists.shorewall.net/pipermail/*]"> </font> name="exclude" value="[http://lists.shorewall.net/pipermail/*]"> </font>
</form> </form>
@ -553,30 +574,30 @@ on the recent release of Bering 1.2!!! </b><br>
<p><font color="#ffffff"><b><a <p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p> color="#ffffff">Extended Search</font></a></b></font></p>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#3366ff"> bgcolor="#3366ff">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
style="margin-top: 1px;" valign="middle"> style="margin-top: 1px;" valign="middle">
@ -587,7 +608,7 @@ on the recent release of Bering 1.2!!! </b><br>
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10" alt="(Starlight Logo)"> hspace="10" alt="(Starlight Logo)">
</a></p> </a></p>
@ -595,16 +616,15 @@ on the recent release of Bering 1.2!!! </b><br>
<p align="center"><font size="4" color="#ffffff"><br> <p align="center"><font size="4" color="#ffffff"><br>
<font size="+2"> Shorewall is free but if <font size="+2"> Shorewall is free but if
you try it and find it useful, please consider making a donation you try it and find it useful, please consider making a donation
to to
<a href="http://www.starlight.org"><font <a href="http://www.starlight.org"><font color="#ffffff">Starlight
color="#ffffff">Starlight Children's Foundation.</font></a> Children's Foundation.</font></a> Thanks!</font></font></p>
Thanks!</font></font></p>
</td> </td>
</tr> </tr>
@ -612,8 +632,10 @@ Thanks!</font></font></p>
</table> </table>
<p><font size="2">Updated 7/19/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 7/22/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p> <br>
</p>
<br>
</body> </body>
</html> </html>
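Review bot: on the new side a second "<br>" is added after "</p>", outside any block element and directly before "</body>"; it is a stray line break that adds nothing visible (the paragraph already ends with a "<br>") and should be dropped.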


@ -10,7 +10,7 @@
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -19,23 +19,23 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#3366ff"> bgcolor="#3366ff">
<tbody> <tbody>
<tr> <tr>
<td width="33%" height="90" <td width="33%" height="90"
valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4" src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0"> border="0">
</a></td> </a></td>
<td valign="middle" <td valign="middle"
bgcolor="#3366ff" width="34%" align="center"> bgcolor="#3366ff" width="34%" align="center">
<img <img
src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90"> src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90">
</td> </td>
<td valign="top" width="33"><br> <td valign="top" width="33"><br>
</td> </td>
</tr> </tr>
@ -48,11 +48,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -68,7 +68,7 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a a <a
href="http://www.netfilter.org">Netfilter</a> (iptables) href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated based firewall that can be used on a dedicated
firewall system, a multi-function gateway/router/server firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system.</p> or on a standalone GNU/Linux system.</p>
@ -79,28 +79,29 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
GNU General Public License</a> as published by the Free Software General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed This program is distributed
in the hope that it will be useful, in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.<br> See the GNU General Public License for more
details.<br>
<br> <br>
You should have received a You should have received a
copy of the GNU General Public License copy of the GNU General Public License
along with this program; if not, along with this program; if not,
write to the Free Software Foundation, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p> USA</p>
@ -115,36 +116,36 @@ but WITHOUT ANY WARRANTY; without
<h2>This is the Shorewall 1.4 Web Site</h2> <h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of Shorewall. The information on this site applies only to 1.4.x releases of Shorewall.
For older versions:<br> For older versions:<br>
<ul> <ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3" <li>The 1.3 site is <a
target="_top">here.</a></li> href="http://www.shorewall.net/1.3" target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/" <li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.<br> target="_top">here</a>.<br>
</li> </li>
</ul> </ul>
<h2>Getting Started with Shorewall</h2> <h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting New to Shorewall? Start by selecting
the <a the <a
href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart
Guide</a> that most closely match your environment and Guide</a> that most closely match your environment and follow
follow the step by step instructions.<br> the step by step instructions.<br>
<h2>Looking for Information?</h2> <h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right. Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2> <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site If so, the documentation<b> </b>on this site
will not apply directly to your setup. If you want to use the documentation will not apply directly to your setup. If you want to use the
that you find here, you will want to consider uninstalling what you documentation that you find here, you will want to consider uninstalling
have and installing a setup that matches the documentation on what you have and installing a setup that matches the documentation
this site. See the <a href="two-interface.htm">Two-interface QuickStart on this site. See the <a href="two-interface.htm">Two-interface
Guide</a> for details. QuickStart Guide</a> for details.
<h2></h2> <h2></h2>
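Review bot: grammar nit in the "Getting Started with Shorewall" paragraph, which this hunk only rewraps: "the QuickStart Guide that most closely match your environment" should read "that most closely matches your environment". Since the lines are being touched anyway, this is a cheap place to fix it.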
@ -154,220 +155,235 @@ this site. See the <a href="two-interface.htm">Two-interface QuickStart
<h2><b>News</b></h2> <h2><b>News</b></h2>
<p><b>7/22/2003 - Shorewall-1.4.6a</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<b>Problems Corrected:</b><br>
<ol>
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf then
Shorewall would fail to start with the error "ERROR:  Traffic Control requires
Mangle"; that problem has been corrected.</li>
</ol>
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0" <p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
<br> <br>
</b> </p> </b> </p>
<p><b>Problems Corrected:</b><br> <p><b>Problems Corrected:</b><br>
</p>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked
around.<br>
<br>
</li>
<li>Where a list of IP addresses appears in the DEST column of
a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in
the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br>
<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing a
"-" were mis-handled when they appeared in the DEST column of a rule.<br>
<br>
</li>
<li>A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as well
as lists in the ORIGINAL DESTINATION column.<br>
<br>
</li>
<li>The message "Adding rules for DHCP" is now suppressed if there
are no DHCP rules to add.</li>
</ol>
<p><b>Migration Issues:</b><br>
</p> </p>
<ol> <ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered <li>In earlier versions, an undocumented feature allowed
start errors when started using the "service" mechanism has been worked entries in the host file as follows:<br>
around.<br> <br>
<br>     z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
</li> <br>
<li>Where a list of IP addresses appears in the DEST column of This capability was never documented and has been removed in 1.4.6
a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the
nat table (one for each element in the list). Shorewall now correctly creates
a single DNAT rule with multiple "--to-destination" clauses.<br>
<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing a
"-" were mis-handled when they appeared in the DEST column of a rule.<br>
<br>
</li>
<li>A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as well
as lists in the ORIGINAL DESTINATION column.<br>
<br>
</li>
<li>The message "Adding rules for DHCP" is now suppressed if there
are no DHCP rules to add.</li>
</ol>
<p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed entries
in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:<br> to allow entries of the following format:<br>
<br> <br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>     z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br> <br>
</li> </li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options
have been removed from /etc/shorewall/shorewall.conf. These capabilities have been removed from /etc/shorewall/shorewall.conf. These capabilities
are now automatically detected by Shorewall (see below).<br> are now automatically detected by Shorewall (see below).<br>
</li> </li>
</ol> </ol>
<p><b>New Features:</b><br> <p><b>New Features:</b><br>
</p> </p>
<ol> <ol>
<li>A 'newnotsyn' interface option has been added. This option <li>A 'newnotsyn' interface option has been added. This option
may be specified in /etc/shorewall/interfaces and overrides the setting may be specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.<br> NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br> <br>
</li> </li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq <li>The means for specifying a range of IP addresses in /etc/shorewall/masq
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
address ranges.<br> address ranges.<br>
<br> <br>
</li> </li>
<li>Shorewall can now add IP addresses to subnets other than <li>Shorewall can now add IP addresses to subnets other than
the first one on an interface.<br> the first one on an interface.<br>
<br> <br>
</li> </li>
<li>DNAT[-] rules may now be used to load balance (round-robin) <li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Servers may be specified in a range of addresses over a set of servers. Servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br> given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>     DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br> <br>
</li> </li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects options have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The output whether these capabilities are present in the current kernel. The output
of the start, restart and check commands have been enhanced to report the of the start, restart and check commands have been enhanced to report the
outcome:<br> outcome:<br>
<br> <br>
Shorewall has detected the following iptables/netfilter capabilities:<br> Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>    NAT: Available<br>
   Packet Mangling: Available<br>    Packet Mangling: Available<br>
   Multi-port Match: Available<br>    Multi-port Match: Available<br>
Verifying Configuration...<br> Verifying Configuration...<br>
<br> <br>
</li> </li>
<li>Support for the Connection Tracking Match Extension has <li>Support for the Connection Tracking Match Extension has
been added. This extension is available in recent kernel/iptables releases been added. This extension is available in recent kernel/iptables releases
and allows for rules which match against elements in netfilter's connection and allows for rules which match against elements in netfilter's connection
tracking table. Shorewall automatically detects the availability of this tracking table. Shorewall automatically detects the availability of this
extension and reports its availability in the output of the start, restart extension and reports its availability in the output of the start, restart
and check commands.<br> and check commands.<br>
<br> <br>
Shorewall has detected the following iptables/netfilter capabilities:<br> Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>    NAT: Available<br>
   Packet Mangling: Available<br>    Packet Mangling: Available<br>
   Multi-port Match: Available<br>    Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>    Connection Tracking Match: Available<br>
Verifying Configuration...<br> Verifying Configuration...<br>
<br> <br>
If this extension is available, the ruleset generated by Shorewall If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:</li> is changed in the following ways:</li>
<ul> <ul>
<li>To handle 'norfc1918' filtering, Shorewall will not <li>To handle 'norfc1918' filtering, Shorewall will not
create chains in the mangle table but will rather do all 'norfc1918' create chains in the mangle table but will rather do all 'norfc1918' filtering
filtering in the filter table (rfc1918 chain).</li> in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter <li>Recall that Shorewall DNAT rules generate two netfilter
rules; one in the nat table and one in the filter table. If the Connection rules; one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table is Tracking Match Extension is available, the rule in the filter table is
extended to check that the original destination address was the same as extended to check that the original destination address was the same as
specified (or defaulted to) in the DNAT rule.<br> specified (or defaulted to) in the DNAT rule.<br>
<br> <br>
</li> </li>
</ul> </ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall) <li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br> may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
<br> <br>
</li> </li>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br> <li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
<br> <br>
      ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;       ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;
]<br> ]<br>
<br> <br>
Examples:<br> Examples:<br>
<br> <br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>       [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>
         CIDR=192.168.1.0/24<br>          CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>          NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>          NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>          BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>       [root@wookie root]#<br>
<br> <br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>       [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
         CIDR=192.168.1.0/24<br>          CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>          NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>          NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>          BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>       [root@wookie root]#<br>
<br> <br>
Warning:<br> Warning:<br>
<br> <br>
If your shell only supports 32-bit signed arithmatic (ash or dash), If your shell only supports 32-bit signed arithmatic (ash or dash),
then the ipcalc command produces incorrect information for IP addresses then the ipcalc command produces incorrect information for IP addresses
128.0.0.0-1 and for /1 networks. Bash should produce correct information 128.0.0.0-1 and for /1 networks. Bash should produce correct information
for all valid IP addresses.<br> for all valid IP addresses.<br>
<br> <br>
</li> </li>
<li>An 'iprange' command has been added to /sbin/shorewall. <li>An 'iprange' command has been added to /sbin/shorewall.
<br> <br>
<br> <br>
      iprange &lt;address&gt;-&lt;address&gt;<br>       iprange &lt;address&gt;-&lt;address&gt;<br>
<br> <br>
This command decomposes a range of IP addressses into a list of network This command decomposes a range of IP addressses into a list of
and host addresses. The command can be useful if you need to construct network and host addresses. The command can be useful if you need to
an efficient set of rules that accept connections from a range of network construct an efficient set of rules that accept connections from a range
addresses.<br> of network addresses.<br>
<br> <br>
Note: If your shell only supports 32-bit signed arithmetic (ash or Note: If your shell only supports 32-bit signed arithmetic (ash
dash) then the range may not span 128.0.0.0.<br> or dash) then the range may not span 128.0.0.0.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
      [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>       [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>
      192.168.1.4/30<br>       192.168.1.4/30<br>
      192.168.1.8/29<br>       192.168.1.8/29<br>
      192.168.1.16/28<br>       192.168.1.16/28<br>
      192.168.1.32/27<br>       192.168.1.32/27<br>
      192.168.1.64/26<br>       192.168.1.64/26<br>
      192.168.1.128/25<br>       192.168.1.128/25<br>
      192.168.2.0/23<br>       192.168.2.0/23<br>
      192.168.4.0/22<br>       192.168.4.0/22<br>
      192.168.8.0/22<br>       192.168.8.0/22<br>
      192.168.12.0/29<br>       192.168.12.0/29<br>
      192.168.12.8/31<br>       192.168.12.8/31<br>
      [root@gateway root]#<br>       [root@gateway root]#<br>
<br> <br>
</li> </li>
<li>A list of host/net addresses is now allowed in an entry <li>A list of host/net addresses is now allowed in an entry
in /etc/shorewall/hosts.<br> in /etc/shorewall/hosts.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24<br>     foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
<br> <br>
</li> </li>
<li value="11">The "shorewall check" command now includes the chain <li value="11">The "shorewall check" command now includes the chain
name when printing the applicable policy for each pair of zones.<br> name when printing the applicable policy for each pair of zones.<br>
 <br>  <br>
    Example:<br>     Example:<br>
 <br>  <br>
        Policy for dmz to net is REJECT using chain all2all<br>         Policy for dmz to net is REJECT using chain all2all<br>
 <br>  <br>
This means that the policy for connections from the dmz to the internet This means that the policy for connections from the dmz to the internet
is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all
policy.<br> policy.<br>
<br> <br>
</li> </li>
<li>Support for the 2.6 Kernel series has been added.<br> <li>Support for the 2.6 Kernel series has been added.<br>
</li> </li>
</ol> </ol>
<b> </b> <b> </b>
<ol> <ol>
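Review bot: the new 7/22/2003 entry says only that the TC_ENABLED=Yes start failure ("ERROR: Traffic Control requires Mangle") "has been corrected", without saying what was wrong or what changed; one sentence on the cause would help upgraders, especially since the same release notes remove MANGLE_ENABLED in favour of auto-detection (Migration Issues item 2) and readers may wonder whether the two are related. Two typos are carried over unchanged in this hunk and could be fixed at the same time: "arithmatic" in the ipcalc Warning, and "addressses" in the iprange description. Also, the nested `<ul>` after the Connection Tracking Match item sits between `</li>` and the next `<li>` rather than inside the item, which is invalid HTML and is the reason the later item needs `<li value="11">`; moving the `<ul>` inside the item's `<li>` would let the numbering flow naturally.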
@ -377,37 +393,37 @@ policy.<br>
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0" <p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
<br> <br>
</b></p> </b></p>
Thanks to the folks at securityopensource.org.br, there is now a <a Thanks to the folks at securityopensource.org.br, there is now a <a
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a> mirror in Brazil</a>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p> <p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br> <p>Problems Corrected:<br>
</p> </p>
<ol> <ol>
<li>The command "shorewall debug try &lt;directory&gt;" <li>The command "shorewall debug try &lt;directory&gt;"
now correctly traces the attempt.</li> now correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the <li>The INCLUDE directive now works properly in the
zones file; previously, INCLUDE in that file was ignored.</li> zones file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty <li>/etc/shorewall/routestopped records with an empty
second column are no longer ignored.<br> second column are no longer ignored.<br>
</li> </li>
</ol> </ol>
<p>New Features:<br> <p>New Features:<br>
</p> </p>
<ol> <ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
rule may now contain a list of addresses. If the list begins with "!' rule may now contain a list of addresses. If the list begins with "!'
then the rule will take effect only if the original destination address then the rule will take effect only if the original destination address
in the connection request does not match any of the addresses listed.</li> in the connection request does not match any of the addresses listed.</li>
@ -417,11 +433,11 @@ zones file; previously, INCLUDE in that file was ignored.</li>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b> <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b></p> </b></p>
The firewall at shorewall.net has been upgraded to the 2.4.21 The firewall at shorewall.net has been upgraded to the
kernel and iptables 1.2.8 (using the "official" RPM from netfilter.org). 2.4.21 kernel and iptables 1.2.8 (using the "official" RPM from netfilter.org).
No problems have been encountered with this set of software. The Shorewall No problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5. version is 1.4.4b plus the accumulated changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b><b> </b></p> <p><b>6/8/2003 - Updated Samples</b><b> </b></p>
@ -464,28 +480,29 @@ zones file; previously, INCLUDE in that file was ignored.</li>
</ol> </ol>
</blockquote> </blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p> <p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b> <b> </b>
<p><b><a href="News.htm">More News</a></b></p> <p><b><a href="News.htm">More News</a></b></p>
<b> </b> <b> </b>
<h2><b> </b></h2> <h2><b> </b></h2>
<b> </b> <b> </b>
@ -495,17 +512,17 @@ zones file; previously, INCLUDE in that file was ignored.</li>
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques Nilo and Eric </a>Jacques Nilo and Eric
Wolzak have a LEAF (router/firewall/gateway Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that called <i>Bering</i> that
features Shorewall-1.4.2 and Kernel-2.4.20. features Shorewall-1.4.2 and Kernel-2.4.20.
You can find their work at: You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> <a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques <b>Congratulations to Jacques
and Eric on the recent release of Bering and Eric on the recent release of Bering
1.2!!! </b><br> 1.2!!! </b><br>
@ -514,15 +531,15 @@ zones file; previously, INCLUDE in that file was ignored.</li>
align="left" alt="SourceForge Logo" align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></b></h1> </a></b></h1>
<b> </b> <b> </b>
<h4><b> </b></h4> <h4><b> </b></h4>
<b> </b> <b> </b>
@ -530,17 +547,17 @@ zones file; previously, INCLUDE in that file was ignored.</li>
<h2><b>This site is hosted by the generous folks at <a <h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2> href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b> <b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2> <h2><b><a name="Donations"></a>Donations</b></h2>
<b> <b>
</b></td> </b></td>
<td width="88" bgcolor="#3366ff" <td width="88" bgcolor="#3366ff"
valign="top" align="center"> valign="top" align="center">
@ -552,27 +569,27 @@ zones file; previously, INCLUDE in that file was ignored.</li>
<p><strong><br> <p><strong><br>
<font color="#ffffff"><b>Note: <font color="#ffffff"><b>Note:
</b></font></strong> <font </b></font></strong> <font
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br> color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
 </p>  </p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <font face="Arial" size="-1">
<input type="text" name="words" size="15"></font><font <input type="text" name="words" size="15"></font><font
size="-1"> </font><font face="Arial" size="-1"> <input size="-1"> </font><font face="Arial" size="-1"> <input
type="hidden" name="format" value="long"> <input type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden" type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input <font face="Arial">
type="hidden" name="exclude" <input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> value="[http://lists.shorewall.net/pipermail/*]"> </font>
</form> </form>
@ -580,33 +597,34 @@ zones file; previously, INCLUDE in that file was ignored.</li>
<p><font color="#ffffff"><b> <a <p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p> color="#ffffff">Extended Search</font></a></b></font></p>
<a target="_top" <a target="_top"
href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff"> href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff">
</font></a><a target="_top" </font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br> href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#3366ff"> bgcolor="#3366ff">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;"> <td width="100%"
style="margin-top: 1px;">
@ -616,7 +634,7 @@ zones file; previously, INCLUDE in that file was ignored.</li>
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
@ -624,15 +642,15 @@ zones file; previously, INCLUDE in that file was ignored.</li>
<p align="center"><font size="4" color="#ffffff"><br> <p align="center"><font size="4" color="#ffffff"><br>
<font size="+2">Shorewall is free but if you <font size="+2">Shorewall is free but if you
try it and find it useful, please consider making a donation try it and find it useful, please consider making a donation
to to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight <a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></font></p> Children's Foundation.</font></a> Thanks!</font></font></p>
</td> </td>
</tr> </tr>
@ -640,7 +658,7 @@ try it and find it useful, please consider making a donation
</table> </table>
<p><font size="2">Updated 7/19/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 7/22/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
</body> </body>

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.6 VERSION=1.4.6a
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -233,8 +233,7 @@ createchain() # $1 = chain name, $2 = If "yes", create default rules
run_iptables -N $1 run_iptables -N $1
if [ $2 = yes ]; then if [ $2 = yes ]; then
state="ESTABLISHED,RELATED" run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
run_iptables -A $1 -m state --state $state -j ACCEPT
[ -z "$NEWNOTSYN" ] && \ [ -z "$NEWNOTSYN" ] && \
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
fi fi
@ -495,10 +494,17 @@ first_chains() #$1 = interface
# #
find_hosts() # $1 = host zone find_hosts() # $1 = host zone
{ {
local hosts local hosts interface address addresses
while read z hosts options; do while read z hosts options; do
[ "x`expand $z`" = "x$1" ] && expandv hosts && echo `separate_list $hosts` if [ "x`expand $z`" = "x$1" ]; then
expandv hosts
interface=${hosts%:*}
addresses=${hosts#*:}
for address in `separate_list $addresses`; do
echo $interface:$address
done
fi
done < $TMP_DIR/hosts done < $TMP_DIR/hosts
} }
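Review bot: `z` and `options` are filled by `read` in find_hosts but are not declared local (only `hosts interface address addresses` are), so every call clobbers any caller variables of those names; find_hosts_by_option in this same patch does declare `ignore ... options` local, so the two should match. The interface/address splitting loop (`interface=${hosts%:*}`, `addresses=${hosts#*:}`, `for address in ...; do echo $interface:$address`) is also duplicated verbatim in find_hosts_by_option; a small shared helper, say `expand_hosts_entry` (hypothetical name), would keep the two in sync the next time the hosts syntax changes.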
@ -608,7 +614,7 @@ validate_interfaces_file() {
for option in $options; do for option in $options; do
case $option in case $option in
dhcp|norfc1918|tcpflags) dhcp|norfc1918|tcpflags|newnotsyn)
;; ;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-) routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
;; ;;
@ -636,18 +642,20 @@ validate_hosts_file() {
r="$z $hosts $options" r="$z $hosts $options"
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
interface=${hosts%:*}
list_search $interface $all_interfaces || \
startup_error "Unknown interface ($interface) in record \"$r\""
hosts=${hosts#*:}
for host in `separate_list $hosts`; do for host in `separate_list $hosts`; do
interface=${host%:*}
list_search $interface $all_interfaces || \
startup_error "Unknown interface ($interface) in record \"$r\""
for option in `separate_list $options`; do for option in `separate_list $options`; do
case $option in case $option in
maclist|-) maclist|-)
;; ;;
routeback) routeback)
eval ${z}_routeback=\"$host \$${z}_routeback\" eval ${z}_routeback=\"$interface:$host \$${z}_routeback\"
;; ;;
*) *)
error_message "Warning: Invalid option ($option) in record \"$r\"" error_message "Warning: Invalid option ($option) in record \"$r\""
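Review bot: the new split assumes exactly one colon per record, so an old-style multi-interface entry of the form this release removes (`eth1:192.168.1.0/24,eth2:192.168.2.0/24`) yields `interface=eth1:192.168.1.0/24,eth2` from `${hosts%:*}` and is rejected as "Unknown interface (eth1:192.168.1.0/24,eth2)", which is correct but cryptic for someone upgrading. Since this is the validating function, consider adding an explicit check after `hosts=${hosts#*:}` along the lines of `case $hosts in *:*) startup_error "Multi-interface hosts entries are no longer supported in record \"$r\"";; esac` so the message points at the migration issue rather than at a bogus interface name. Moving the interface check out of the per-host loop is otherwise a clear improvement.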
@ -689,7 +697,7 @@ validate_policy()
[ $1 = $2 ] || \ [ $1 = $2 ] || \
[ $1 = all ] || \ [ $1 = all ] || \
[ $2 = all ] || \ [ $2 = all ] || \
echo " Policy for $1 to $2 is $policy" echo " Policy for $1 to $2 is $policy using chain $chain"
} }
all_policy_chains= all_policy_chains=
@ -832,6 +840,15 @@ find_interface_address() # $1 = interface
echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//' echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
} }
#
# Find interface addresses--returns the set of addresses assigned to the passed
# device
#
find_interface_addresses() # $1 = interface
{
ip addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
}
# #
# Find interfaces that have the passed option specified # Find interfaces that have the passed option specified
# #
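Review bot: `grep inet` in the new find_interface_addresses also matches `inet6` lines, and the following `s/inet //` does not strip "inet6 ", so on an interface with IPv6 enabled the function emits tokens such as `inet6 fe80::1` alongside the IPv4 addresses; any caller iterating over the result would then try to use those as addresses. Use `grep 'inet '` (or `grep -w inet`) to restrict the match to IPv4 entries.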
@ -848,10 +865,18 @@ find_interfaces_by_option() # $1 = option
# #
find_hosts_by_option() # $1 = option find_hosts_by_option() # $1 = option
{ {
local ignore hosts interface address addresses options
while read ignore hosts options; do while read ignore hosts options; do
expandv options expandv options
list_search $1 `separate_list $options` && \ if list_search $1 `separate_list $options`; then
echo `expand $hosts` expandv hosts
interface=${hosts%:*}
addresses=${hosts#*:}
for address in `separate_list $addresses`; do
echo $interface:$address
done
fi
done < $TMP_DIR/hosts done < $TMP_DIR/hosts
for interface in $all_interfaces; do for interface in $all_interfaces; do
@ -1685,14 +1710,16 @@ check_config() {
disclaimer() { disclaimer() {
echo echo
echo "WARNING: THE 'check' COMMAND IS TOTALLY UNSUPPORTED AND PROBLEM" echo "Notice: The 'check' command is unsupported and problem"
echo " REPORTS COMPLAINING ABOUT ERRORS THAT IT DIDN'T CATCH" echo " reports complaining about errors that it didn't catch"
echo " WILL NOT BE ACCEPTED" echo " will not be accepted"
echo echo
} }
disclaimer disclaimer
report_capabilities
echo "Verifying Configuration..." echo "Verifying Configuration..."
verify_os_version verify_os_version
@ -1839,7 +1866,11 @@ add_nat_rule() {
if [ -n "$serv" ]; then if [ -n "$serv" ]; then
servport="${servport:+:$servport}" servport="${servport:+:$servport}"
target1="DNAT --to-destination ${serv}${servport}" serv1=
for srv in `separate_list $serv`; do
serv1="$serv1 --to-destination ${srv}${servport}"
done
target1="DNAT $serv1"
else else
target1="REDIRECT --to-port $servport" target1="REDIRECT --to-port $servport"
fi fi
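Review bot: the new `for srv in \`separate_list $serv\`` loop emits one `--to-destination` per server, so a comma-separated SERVER field in a DNAT rule now becomes a single DNAT target with several destinations, which the 2.4 kernel applies round-robin; that is a visible behaviour change and deserves a line in the release notes and the rules-file documentation. Note also that the same `${servport}` is appended to every address, so a per-server port cannot be expressed in that list.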
@ -1856,7 +1887,10 @@ add_nat_rule() {
chain=nonat${nonat_seq} chain=nonat${nonat_seq}
nonat_seq=$(($nonat_seq + 1)) nonat_seq=$(($nonat_seq + 1))
createnatchain $chain createnatchain $chain
run_iptables -t nat -A OUTPUT $cli $proto $multiport $sports $dports -j $chain
for adr in `separate_list $addr`; do
run_iptables2 -t nat -A OUTPUT $cli $proto $multiport $sports $dports -d $adr -j $chain
done
for adr in $excludedests; do for adr in $excludedests; do
addnatrule $chain -d $adr -j RETURN addnatrule $chain -d $adr -j RETURN
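Review bot: the `for adr in \`separate_list $addr\`` loop that replaces the single `run_iptables -t nat -A OUTPUT ... -j $chain` installs no jump at all when `$addr` is empty, leaving the freshly created nonat chain unreachable. If add_nat_rule() guarantees a non-empty `$addr` at this point (the `[ "x$addr" = "x0.0.0.0/0" ] && addr=` added at the end of the function suggests a default is substituted earlier), a comment saying so would help; otherwise keep a fallback rule without `-d`.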
@ -1866,11 +1900,15 @@ add_nat_rule() {
log_rule $loglevel $chain $logtarget -t nat log_rule $loglevel $chain $logtarget -t nat
fi fi
addnatrule $chain $proto -j $target1 addnatrule $chain $proto -j $target1 # Protocol is necessary for port redirection
else else
for adr in `separate_list $addr`; do for adr in `separate_list $addr`; do
run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr \ if [ -n "$loglevel" ]; then
$multiport $dports -j $target1 log_rule $loglevel $OUTPUT $logtarget -t nat \
`fix_bang $proto $cli $sports -d $adr $multiport $dports`
fi
run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr $multiport $dports -j $target1
done done
fi fi
else else
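Review bot: the new log rule uses `$OUTPUT` where the literal chain name is meant: `log_rule $loglevel $OUTPUT $logtarget -t nat`. Unless a variable named OUTPUT is set elsewhere, it expands to nothing and log_rule receives `$logtarget` as its chain argument; it should read `log_rule $loglevel OUTPUT $logtarget -t nat ...`. The fix_bang argument list for that log rule also includes `$cli`, while the matching `run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr $multiport $dports -j $target1` on the next line does not, so the logged and the acted-upon traffic differ whenever a client address is given.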
@ -1880,13 +1918,15 @@ add_nat_rule() {
chain=nonat${nonat_seq} chain=nonat${nonat_seq}
nonat_seq=$(($nonat_seq + 1)) nonat_seq=$(($nonat_seq + 1))
createnatchain $chain createnatchain $chain
addnatrule `dnat_chain $source` $cli $proto $multiport $sports $dports -j $chain
for adr in `separate_list $addr`; do
addnatrule `dnat_chain $source` $cli $proto $multiport $sports $dports -d $adr -j $chain
done
for z in $excludezones; do for z in $excludezones; do
eval hosts=\$${z}_hosts eval hosts=\$${z}_hosts
for host in $hosts; do for host in $hosts; do
for adr in `separate_list $addr`; do addnatrule $chain -s ${host#*:} -j RETURN
addnatrule $chain -s ${host#*:} -d $adr -j RETURN
done
done done
done done
@ -1894,13 +1934,11 @@ add_nat_rule() {
addnatrule $chain -d $adr -j RETURN addnatrule $chain -d $adr -j RETURN
done done
for adr in `separate_list $addr`; do if [ -n "$loglevel" ]; then
if [ -n "$loglevel" ]; then log_rule $loglevel $chain $logtarget -t nat
log_rule $loglevel $chain $logtarget -t nat -d `fix_bang $adr` fi
fi
addnatrule $chain $proto -d $adr -j $target1 addnatrule $chain $proto -j $target1 # Protocol is necessary for port redirection
done
else else
for adr in `separate_list $addr`; do for adr in `separate_list $addr`; do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
@ -1943,6 +1981,8 @@ add_nat_rule() {
done done
fi fi
fi fi
[ "x$addr" = "x0.0.0.0/0" ] && addr=
} }
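Review bot: the `[ "x$addr" = "x0.0.0.0/0" ] && addr=` added as the last statement of add_nat_rule() has no effect inside the function; it only changes what the caller sees in `addr`, which makes it a hidden return value. A comment stating the purpose (presumably so that add_a_rule() does not emit a `--ctorigdst 0.0.0.0/0` match for rules that have no ORIGINAL DEST) would spare the next reader a search.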
# #
@ -2015,9 +2055,12 @@ add_a_rule()
servport=$serverport servport=$serverport
multiport= multiport=
[ x$port = x- ] && port=
[ x$cport = x- ] && cport=
case $proto in case $proto in
tcp|udp|TCP|UDP|6|17) tcp|udp|TCP|UDP|6|17)
if [ -n "$port" -a "x${port}" != "x-" ]; then if [ -n "$port" ]; then
dports="--dport" dports="--dport"
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
multiport="$multioption" multiport="$multioption"
@ -2026,7 +2069,7 @@ add_a_rule()
dports="$dports $port" dports="$dports $port"
fi fi
if [ -n "$cport" -a "x${cport}" != "x-" ]; then if [ -n "$cport" ]; then
sports="--sport" sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
multiport="$multioption" multiport="$multioption"
@ -2036,18 +2079,17 @@ add_a_rule()
fi fi
;; ;;
icmp|ICMP|1) icmp|ICMP|1)
[ -n "$port" ] && [ "x${port}" != "x-" ] && \ [ -n "$port" ] && dports="--icmp-type $port"
dports="--icmp-type $port"
state= state=
;; ;;
all|ALL) all|ALL)
[ -n "$port" ] && [ "x${port}" != "x-" ] && \ [ -n "$port" ] && \
fatal_error "Port number not allowed with \"all\"; rule: \"$rule\"" fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
proto= proto=
;; ;;
*) *)
state= state=
[ -n "$port" ] && [ "x${port}" != "x-" ] && \ [ -n "$port" ] && \
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
;; ;;
esac esac
@ -2098,15 +2140,39 @@ add_a_rule()
fi fi
if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
serv="${serv:+-d $serv}" if [ -n "$serv" ]; then
for serv1 in `separate_list $serv`; do
for srv in `ip_range $serv1`; do
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in `separate_list $addr`; do
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule $loglevel $chain $logtarget -m conntrack --ctorigdst $adr \
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
fi
if [ -n "$loglevel" -a -z "$natrule" ]; then run_iptables2 -A $chain $proto $multiport $state $cli $sports \
log_rule $loglevel $chain $logtarget \ -d $srv $dports -m conntrack --ctorigdst $adr -j $target
`fix_bang $proto $sports $multiport $state $cli $serv $dports` done
else
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule $loglevel $chain $logtarget \
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
fi
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
-d $srv $dports -j $target
fi
done
done
else
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule $loglevel $chain $logtarget \
`fix_bang $proto $sports $multiport $state $cli $dports`
fi
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
$dports -j $target
fi fi
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
$serv $dports -j $target
fi fi
fi fi
else else
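Review bot: in the CONNTRACK_MATCH branch `$adr` is passed raw to both `log_rule ... -m conntrack --ctorigdst $adr` and `run_iptables2 ... -m conntrack --ctorigdst $adr`, whereas the same column went through fix_bang in the nat log rule this patch removes (`-d \`fix_bang $adr\``), so a negated address in ORIGINAL DEST is no longer handled on this path. Either run `--ctorigdst $adr` through fix_bang as well or reject `!` in that column for DNAT rules. Also worth a comment: the loop now multiplies `separate_list $serv` by `ip_range $serv1` by `separate_list $addr`, so a server range combined with several original destinations produces a large rule set.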
@ -2293,42 +2359,83 @@ process_rule() # $1 = target
# Generate Netfilter rule(s) # Generate Netfilter rule(s)
if [ -n "$MULTIPORT" -a \ case $logtarget in
"$ports" = "${ports%:*}" -a \ DNAT*)
"$cports" = "${cports%:*}" -a \ if [ -n "$MULTIPORT" -a \
`list_count $ports` -le 15 -a \ "$ports" = "${ports%:*}" -a \
`list_count $cports` -le 15 ] "$cports" = "${cports%:*}" -a \
then `list_count $ports` -le 15 -a \
# `list_count $cports` -le 15 ]
# MULTIPORT is enabled, there are no port ranges in the rule and less than then
# 16 ports are listed - use multiport match. #
# # MULTIPORT is enabled, there are no port ranges in the rule and less than
multioption="-m multiport" # 16 ports are listed - use multiport match.
for client in `separate_list ${clients:=-}`; do #
for server in `separate_list ${servers:=-}`; do multioption="-m multiport"
# for client in `separate_list ${clients:=-}`; do
# add_a_rule() modifies these so we must set their values each time #
# # add_a_rule() modifies these so we must set their values each time
port=${ports:=-} #
cport=${cports:=-} server=${servers:=-}
add_a_rule port=${ports:=-}
done cport=${cports:=-}
done add_a_rule
else done
# else
# MULTIPORT is disabled or the rule isn't compatible with multiport match #
# # MULTIPORT is disabled or the rule isn't compatible with multiport match
multioption= #
for client in `separate_list ${clients:=-}`; do multioption=
for server in `separate_list ${servers:=-}`; do for client in `separate_list ${clients:=-}`; do
for port in `separate_list ${ports:=-}`; do for port in `separate_list ${ports:=-}`; do
for cport in `separate_list ${cports:=-}`; do for cport in `separate_list ${cports:=-}`; do
server=${servers:=-}
add_a_rule
done
done
done
fi
;;
*)
if [ -n "$MULTIPORT" -a \
"$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
`list_count $ports` -le 15 -a \
`list_count $cports` -le 15 ]
then
#
# MULTIPORT is enabled, there are no port ranges in the rule and less than
# 16 ports are listed - use multiport match.
#
multioption="-m multiport"
for client in `separate_list ${clients:=-}`; do
for server in `separate_list ${servers:=-}`; do
#
# add_a_rule() modifies these so we must set their values each time
#
port=${ports:=-}
cport=${cports:=-}
add_a_rule add_a_rule
done done
done done
done else
done #
fi # MULTIPORT is disabled or the rule isn't compatible with multiport match
#
multioption=
for client in `separate_list ${clients:=-}`; do
for server in `separate_list ${servers:=-}`; do
for port in `separate_list ${ports:=-}`; do
for cport in `separate_list ${cports:=-}`; do
add_a_rule
done
done
done
done
fi
;;
esac
# #
# Report Result # Report Result
# #
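Review bot: the two arms of the new `case $logtarget in DNAT*) ... *)` duplicate the whole MULTIPORT/non-MULTIPORT block; the only difference is that the DNAT arm sets `server=${servers:=-}` once instead of looping over `separate_list ${servers:=-}`. A single block with a flag for the server loop avoids keeping two forty-line copies in sync, and a comment at the `DNAT*)` label explaining why servers are no longer iterated (add_nat_rule() now builds one DNAT target from the whole list) belongs there.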
@ -2360,7 +2467,7 @@ process_rules() # $1 = name of rules file
while read xtarget xclients xservers xprotocol xports xcports xaddress; do while read xtarget xclients xservers xprotocol xports xcports xaddress; do
case "${xtarget%:*}" in case "${xtarget%:*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE) ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE)
expandv xclients xservers xprotocol xports xcports xaddress expandv xclients xservers xprotocol xports xcports xaddress
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then
@ -2382,7 +2489,7 @@ process_rules() # $1 = name of rules file
;; ;;
*) *)
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`" rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`"
fatal_error "Invalid Target in rule \"$rule\"" fatal_error "Invalid Action in rule \"$rule\""
;; ;;
esac esac
@ -2582,24 +2689,19 @@ loadmodule() # $1 = module name, $2 - * arguments
{ {
local modulename=$1 local modulename=$1
local modulefile local modulefile
local suffix
if [ -z "`lsmod | grep $modulename`" ]; then if [ -z "`lsmod | grep $modulename`" ]; then
shift shift
modulefile=$MODULESDIR/${modulename}.o
if [ -f $modulefile ]; then for suffix in o gz ko ; do
insmod $modulefile $* modulefile=$MODULESDIR/${modulename}.${suffix}
return
fi
#
# If the modules directory contains compressed modules then we'll
# assume that insmod can load them
#
modulefile=${modulefile}.gz
if [ -f $modulefile ]; then if [ -f $modulefile ]; then
insmod $modulefile $* insmod $modulefile $*
fi return
fi
done
fi fi
} }
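Review bot: the suffix list `o gz ko` in loadmodule() drops the `.o.gz` case the old code handled (it appended `.gz` to `${modulename}.o`); `$MODULESDIR/${modulename}.gz` is not a name either kernel generation uses. To cover compressed modules on both 2.4 and 2.6 the list should be `o o.gz ko ko.gz`. Unchanged but adjacent: `lsmod | grep $modulename` matches substrings, so a loaded `ip_nat_ftp` makes `ip_nat` look already loaded.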
@ -2900,8 +3002,16 @@ setup_masq()
esac esac
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
list_search $address $aliases_to_add || \ for addr in `ip_range $address` ; do
aliases_to_add="$aliases_to_add $address $fullinterface" if ! list_search $addr $aliases_to_add; then
aliases_to_add="$aliases_to_add $addr $fullinterface"
case $fullinterface in
*:*)
fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 ))
;;
esac
fi
done
fi fi
destination=$destnet destination=$destnet
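Review bot: `$((${fullinterface#*:} + 1 ))` assumes the alias label after the colon is numeric; an interface written as `eth0:ext` (ip accepts arbitrary labels) makes the arithmetic expansion fail under sh. Validate the label as numeric before incrementing, or only increment when it is. The increment is correctly confined to newly added addresses (inside `if ! list_search`), but it leaves `fullinterface` advanced for the code that follows the loop; check that nothing downstream relies on the original value.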
@ -3118,7 +3228,7 @@ verify_os_version() {
osversion=`uname -r` osversion=`uname -r`
case $osversion in case $osversion in
2.4.*|2.5.*) 2.4.*|2.5.*|2.6.*)
;; ;;
*) *)
startup_error "Shorewall version $version does not work with kernel version $osversion" startup_error "Shorewall version $version does not work with kernel version $osversion"
@ -3134,35 +3244,30 @@ verify_os_version() {
# #
add_ip_aliases() add_ip_aliases()
{ {
local external local addresses external interface inet cidr rest val
local interface
local primary
do_one() address_details()
{ {
# #
# Folks feel uneasy if they don't see all of the same # Folks feel uneasy if they don't see all of the same
# decoration on these IP addresses that they see when their # decoration on these IP addresses that they see when their
# distro's net config tool adds them. In an attempt to reduce # distro's net config tool adds them. In an attempt to reduce
# the anxiety level, we have the following code which sets # the anxiety level, we have the following code which sets
# the VLSM and BRD from the primary address # the VLSM and BRD from an existing address in the same subnet
# #
# Get all of the lines that contain inet addresses with broadcast # Get all of the lines that contain inet addresses
# #
val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null ip addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do
if in_subnet $external $cidr; then
if [ -n "$val" ] ; then echo "/${cidr#*/} brd `broadcastaddress $cidr`"
# break
# Hack off the leading 'inet <ip addr>' (actually cut off the fi
# "/" as well but add it back in). done
# }
val="/${val#*/}"
#
# Now get the VLSM, "brd" and the broadcast address
#
val=${val%% scope*}
fi
do_one()
{
val=`address_details`
run_ip addr add ${external}${val} dev $interface $label run_ip addr add ${external}${val} dev $interface $label
echo "$external $interface" >> ${STATEDIR}/nat echo "$external $interface" >> ${STATEDIR}/nat
[ -n "$label" ] && label="with $label" [ -n "$label" ] && label="with $label"
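Review bot: address_details() reads `inet cidr rest` from `ip addr show`, but on point-to-point interfaces the line is `inet A.B.C.D peer E.F.G.H/NN ...`, so `cidr` is a bare address with no prefix; `${cidr#*/}` then yields the whole address and `broadcastaddress` receives a malformed argument. The pre-existing find_interface_address() sed (`s/ peer.*//`) shows this form is expected, so skip lines where `$cidr` has no `/` (`case $cidr in */*)`) before calling in_subnet. One improvement to keep: `2> /dev/null` now applies to the `ip` command, whereas in the old `val=\`...\` 2> /dev/null` it applied to the assignment and did nothing.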
@ -3182,9 +3287,9 @@ add_ip_aliases()
label="label $interface:$label" label="label $interface:$label"
fi fi
primary=`find_interface_address $interface`
shift;shift shift;shift
[ "x${primary}" = "x${external}" ] || do_one
list_search $external `find_interface_addresses $interface` || do_one
done done
} }
@ -3207,10 +3312,46 @@ load_kernel_modules() {
# Verify that the 'ip' program is installed # Verify that the 'ip' program is installed
verify_ip() { verify_ip() {
qt which ip ||\ qt ip link ls ||\
startup_error "Shorewall $version requires the iproute package ('ip' utility)" startup_error "Shorewall $version requires the iproute package ('ip' utility)"
} }
#
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
qt iptables -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH=
MULTIPORT=
if qt iptables -N fooX1234 ; then
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt iptables -F fooX1234
qt iptables -X fooX1234
fi
}
report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
{
local setting=
[ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available"
echo " " $@: $setting
}
report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability $NAT_ENABLED "NAT"
report_capability $MANGLE_ENABLED "Packet Mangling"
report_capability $MULTIPORT "Multi-port Match"
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
}
# #
# Perform Initialization # Perform Initialization
# - Delete all old rules # - Delete all old rules
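Review bot: determine_capabilities() probes with a fixed chain name `fooX1234` in the filter table; if that chain already exists (left over from an interrupted run, since `-F`/`-X` only happen after a successful `-N`), `iptables -N fooX1234` fails and both CONNTRACK_MATCH and MULTIPORT are silently reported as not available, which changes the rules generated from the same configuration. Flush and delete the chain before creating it, or call startup_error when `-N` fails. report_capability() also depends on `$NAT_ENABLED` and friends being passed unquoted so that an empty value vanishes from `$@`; a comment at the function header would keep a future caller from quoting them.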
@ -3221,6 +3362,8 @@ verify_ip() {
# #
initialize_netfilter () { initialize_netfilter () {
report_capabilities
echo "Determining Zones..." echo "Determining Zones..."
determine_zones determine_zones
@ -3307,7 +3450,16 @@ initialize_netfilter () {
if [ -z "$NEWNOTSYN" ]; then if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no createchain newnotsyn no
for interface in `find_interfaces_by_option newnotsyn`; do
run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags FIN FIN -j ACCEPT
run_iptables -A newnotsyn -i $interface -j RETURN
done
run_user_exit newnotsyn run_user_exit newnotsyn
if [ -n "$LOGNEWNOTSYN" ]; then if [ -n "$LOGNEWNOTSYN" ]; then
log_rule $LOGNEWNOTSYN newnotsyn DROP log_rule $LOGNEWNOTSYN newnotsyn DROP
fi fi
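Review bot: the per-interface rules added to `newnotsyn` ACCEPT any TCP packet with ACK, RST or FIN set and RETURN the rest, so for an interface carrying the `newnotsyn` option the chain never drops anything; the option is effectively a per-interface switch that turns the NEW-not-SYN check off. They are also installed before `run_user_exit newnotsyn`, so the user exit cannot override them. If that is the intent, the interfaces(5) documentation for the option should say so plainly; the matching FIN rule added to the common chain further down keeps the two paths consistent.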
@ -3334,7 +3486,7 @@ initialize_netfilter () {
done < /var/lib/shorewall/save done < /var/lib/shorewall/save
fi fi
echo "Creating input Chains..." echo "Creating Interface Chains..."
for interface in $all_interfaces; do for interface in $all_interfaces; do
createchain `forward_chain $interface` no createchain `forward_chain $interface` no
@ -3369,6 +3521,7 @@ build_common_chain() {
if [ -n "$NEWNOTSYN" ]; then if [ -n "$NEWNOTSYN" ]; then
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A common -p tcp --tcp-flags FIN FIN -j ACCEPT
fi fi
# #
# BROADCASTS # BROADCASTS
@ -3462,13 +3615,17 @@ add_common_rules() {
# #
# DHCP # DHCP
# #
echo "Adding rules for DHCP" interfaces=`find_interfaces_by_option dhcp`
for interface in `find_interfaces_by_option dhcp`; do if [ -n "$interfaces" ]; then
run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
done
echo "Adding rules for DHCP"
for interface in $interfaces; do
run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
done
fi
# #
# RFC 1918 # RFC 1918
# #
@ -3487,11 +3644,12 @@ add_common_rules() {
run_iptables -A logdrop -j DROP run_iptables -A logdrop -j DROP
if [ -n "$MANGLE_ENABLED" ]; then if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
# #
# Mangling is enabled -- create a chain in the mangle table to # Mangling is enabled but conntrack match isn't available --
# filter RFC1918 destination addresses. This must be done in the # create a chain in the mangle table to filter RFC1918 destination
# mangle table before we apply any DNAT rules in the nat table # addresses. This must be done in the mangle table before we apply
# any DNAT rules in the nat table
# #
# Also add a chain to log and drop any RFC1918 packets that we find # Also add a chain to log and drop any RFC1918 packets that we find
# #
@ -3511,11 +3669,17 @@ add_common_rules() {
esac esac
run_iptables2 -A rfc1918 -s $subnet -j $target run_iptables2 -A rfc1918 -s $subnet -j $target
#
# If packet mangling is enabled, trap packets with an if [ -n "$CONNTRACK_MATCH" ]; then
# RFC1918 destination #
# # We have connection tracking match -- match on the original destination
if [ -n "$MANGLE_ENABLED" ]; then #
run_iptables2 -A rfc1918 -m conntrack --ctorigdst $subnet -j $target
elif [ -n "$MANGLE_ENABLED" ]; then
#
# No connection tracking match but we have mangling -- add a rule to
# the mangle table
#
run_iptables2 -t mangle -A man1918 -d $subnet -j $target run_iptables2 -t mangle -A man1918 -d $subnet -j $target
fi fi
done < $TMP_DIR/rfc1918 done < $TMP_DIR/rfc1918
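Review bot: with CONNTRACK_MATCH the rfc1918 chain now carries two rules per subnet (`-s $subnet` and `-m conntrack --ctorigdst $subnet`) and is reached only from the filter table via `-m state --state NEW -j rfc1918`, i.e. after PREROUTING DNAT has rewritten the destination; `--ctorigdst` restores the pre-NAT view so this does replace man1918 correctly, but a `logdrop` target here will log the translated destination rather than the original one, unlike the mangle-table rule it supersedes. A comment at the `if [ -n "$CONNTRACK_MATCH" ]` line explaining the trade-off would help whoever reads those logs.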
@ -3525,7 +3689,7 @@ add_common_rules() {
run_iptables -A $chain -m state --state NEW -j rfc1918 run_iptables -A $chain -m state --state NEW -j rfc1918
done done
[ -n "$MANGLE_ENABLED" ] && \ [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918 run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918
done done
@ -4366,6 +4530,7 @@ added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
# Initialize this program # Initialize this program
# #
do_initialize() { do_initialize() {
# Run all utility programs using the C locale # Run all utility programs using the C locale
# #
# Thanks to Vincent Planchenault for this tip # # Thanks to Vincent Planchenault for this tip #
@ -4388,8 +4553,6 @@ do_initialize() {
LOGRATE= LOGRATE=
LOGBURST= LOGBURST=
LOGPARMS= LOGPARMS=
NAT_ENABLED=
MANGLE_ENABLED=
ADD_IP_ALIASES= ADD_IP_ALIASES=
ADD_SNAT_ALIASES= ADD_SNAT_ALIASES=
TC_ENABLED= TC_ENABLED=
@ -4399,7 +4562,6 @@ do_initialize() {
CLAMPMSS= CLAMPMSS=
ROUTE_FILTER= ROUTE_FILTER=
NAT_BEFORE_RULES= NAT_BEFORE_RULES=
MULTIPORT=
DETECT_DNAT_IPADDRS= DETECT_DNAT_IPADDRS=
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
NEWNOTSYN= NEWNOTSYN=
@ -4433,6 +4595,7 @@ do_initialize() {
FUNCTIONS=$SHARED_DIR/functions FUNCTIONS=$SHARED_DIR/functions
if [ -f $FUNCTIONS ]; then if [ -f $FUNCTIONS ]; then
echo "Loading $FUNCTIONS..."
. $FUNCTIONS . $FUNCTIONS
else else
startup_error "$FUNCTIONS does not exist!" startup_error "$FUNCTIONS does not exist!"
@ -4453,6 +4616,10 @@ do_initialize() {
echo "$config does not exist!" >&2 echo "$config does not exist!" >&2
exit 2 exit 2
fi fi
#
# Determine the capabilities of the installed iptables/netfilter
#
determine_capabilities
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
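Review bot: determine_capabilities now runs on every do_initialize(), including the new `call` command, and it probes by creating a chain in the live filter table and listing the nat and mangle tables (which loads those modules as a side effect). The diff shows verify_ip for the `ip` binary but nothing equivalent for iptables ahead of this call; if iptables is missing or not runnable here, every capability is silently reported as not available instead of failing fast with a startup_error.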
@ -4463,8 +4630,6 @@ do_initialize() {
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`" ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
[ -n "$ALLOWRELATED" ] || \ [ -n "$ALLOWRELATED" ] || \
startup_error "ALLOWRELATED=No is not supported" startup_error "ALLOWRELATED=No is not supported"
NAT_ENABLED="`added_param_value_yes NAT_ENABLED $NAT_ENABLED`"
MANGLE_ENABLED="`added_param_value_yes MANGLE_ENABLED $MANGLE_ENABLED`"
ADD_IP_ALIASES="`added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES`" ADD_IP_ALIASES="`added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES`"
TC_ENABLED="`added_param_value_yes TC_ENABLED $TC_ENABLED`" TC_ENABLED="`added_param_value_yes TC_ENABLED $TC_ENABLED`"
@ -4496,7 +4661,6 @@ do_initialize() {
ADD_SNAT_ALIASES=`added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES` ADD_SNAT_ALIASES=`added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES`
ROUTE_FILTER=`added_param_value_no ROUTE_FILTER $ROUTE_FILTER` ROUTE_FILTER=`added_param_value_no ROUTE_FILTER $ROUTE_FILTER`
NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES` NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES`
MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS` DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING` FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
[ -n "$FORWARDPING" ] && \ [ -n "$FORWARDPING" ] && \
@ -4567,6 +4731,15 @@ do_initialize() {
# #
strip_file interfaces strip_file interfaces
strip_file hosts strip_file hosts
#
# Check out the user's shell
#
[ -n "$SHOREWALL_SHELL" ] || SHOREWALL_SHELL=/bin/sh
temp=`decodeaddr 192.168.1.1`
if [ `encodeaddr $temp` != 192.168.1.1 ]; then
startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
fi
} }
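Review bot: the shell check exercises the shell that is already interpreting this script, not `$SHOREWALL_SHELL`; decodeaddr and encodeaddr run in the current process, so `SHOREWALL_SHELL=/bin/sh` only decides the text of the error message, and that message is misleading when the script was started under a different interpreter. Either drop the variable from the message or run the probe as `$SHOREWALL_SHELL -c ...`. Also `temp` is not declared local, and the check sits at the very end of do_initialize(), after strip_file and the rest have already run under the possibly broken shell; it belongs near the top.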
# #
@ -4719,6 +4892,15 @@ case "$command" in
my_mutex_off my_mutex_off
;; ;;
call)
#
# Undocumented way to call functions in /usr/share/shorewall/firewall directly
#
shift;
do_initialize
EMPTY=
$@
;;
*) *)
usage usage
;; ;;
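Review bot: the undocumented `call` command runs `$@` after do_initialize() with no check that a function name was supplied and no restriction on what may be invoked, so any command can be executed with the firewall script's privileges and environment. The script already runs as root, so the added exposure is small, but it should either be documented in usage() or guarded behind a debug setting, and the bare `EMPTY=` line needs a comment explaining what consumes it.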

View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.6 VERSION=1.4.6a
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -20,6 +20,9 @@ Problems Corrected:
5) The message "Adding rules for DHCP" is now suppressed if there are 5) The message "Adding rules for DHCP" is now suppressed if there are
no DHCP rules to add. no DHCP rules to add.
6) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was
being tested before it was set.
Migration Issues: Migration Issues:
1) In earlier versions, an undocumented feature allowed entries in 1) In earlier versions, an undocumented feature allowed entries in
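Review bot: the release notes should also record that NAT_ENABLED, MANGLE_ENABLED and MULTIPORT are no longer read from shorewall.conf (their added_param_value lines are removed from do_initialize() in this commit and the values are now detected by determine_capabilities), so existing settings are silently ignored, and that a comma-separated SERVER list in DNAT rules now produces a single multi-destination DNAT target instead of one rule per server.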

View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.4.6 %define version 1.4.6a
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Tue Jul 22 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6a-1
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net> * Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-1 - Changed version to 1.4.6-1
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net> * Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.6 VERSION=1.4.6a
usage() # $1 = exit status usage() # $1 = exit status
{ {