From 01cded414d13ff579911f45268ced4cdbad52b9b Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 26 Nov 2004 18:53:04 +0000
Subject: [PATCH] Update for Shorewall 2.2.0 Beta 5
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1767 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
LrpN/etc/shorewall/shorewall.conf | 9 +++
LrpN/etc/shorewall/tcrules | 2 +-
LrpN/sbin/shorewall | 66 ++++++++++-------
LrpN/usr/share/shorewall/firewall | 113 ++++++++++++++++-------------
LrpN/usr/share/shorewall/version | 2 +-
Shorewall-docs2/Documentation.xml | 39 ++++++++--
Shorewall-docs2/FAQ.xml | 7 +-
Shorewall-docs2/myfiles.xml | 10 +--
Shorewall-docs2/upgrade_issues.xml | 26 ++++++-
Shorewall2/fallback.sh | 2 +-
Shorewall2/install.sh | 2 +-
Shorewall2/releasenotes.txt | 2 +-
Shorewall2/shorewall.spec | 6 +-
Shorewall2/uninstall.sh | 2 +-
14 files changed, 185 insertions(+), 103 deletions(-)
diff --git a/LrpN/etc/shorewall/shorewall.conf b/LrpN/etc/shorewall/shorewall.conf
index 91b2f06a3..19efef986 100755
--- a/LrpN/etc/shorewall/shorewall.conf
+++ b/LrpN/etc/shorewall/shorewall.conf
@@ -247,6 +247,15 @@ LOG_MARTIANS=No
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
+#
+# IPTABLES
+#
+# Full path to iptables executable Shorewall uses to build the firewall. If
+# not specified or if specified with an empty value (e.g., IPTABLES="") then
+# the iptables executable located via the PATH setting below is used.
+#
+IPTABLES=
+
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
diff --git a/LrpN/etc/shorewall/tcrules b/LrpN/etc/shorewall/tcrules
index 304f1be31..94d686e96 100644
--- a/LrpN/etc/shorewall/tcrules
+++ b/LrpN/etc/shorewall/tcrules
@@ -115,7 +115,7 @@
# In that case, it is suggested that this field contain
# "-"
#
-# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
+# SOURCE PORT(S) (Optional) Source port(s). If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
diff --git a/LrpN/sbin/shorewall b/LrpN/sbin/shorewall
index 3683c2e2c..d657ea865 100755
--- a/LrpN/sbin/shorewall
+++ b/LrpN/sbin/shorewall
@@ -192,6 +192,19 @@ get_config() {
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
+ if [ -n "$IPTABLES" ]; then
+ if [ ! -e "$IPTABLES" ]; then
+ echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
+ exit 2
+ fi
+ else
+ IPTABLES=$(which iptables 2> /dev/null)
+ if [ -z "$IPTABLES" ] ; then
+ echo " ERROR: Can't find iptables executable" >&2
+ exit 2
+ fi
+ fi
+
if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -e "$SHOREWALL_SHELL" ]; then
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
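Review bot: The new IPTABLES validation at the top of this hunk tests only existence (`if [ ! -e "$IPTABLES" ]; then`) while the message it prints claims the program was also checked for executability, so a directory or a non-executable file passes here and the problem would only surface at the first `$IPTABLES` invocation. `if [ ! -x "$IPTABLES" ]; then` makes the check match its message and fail at configuration time; the same `-e` test is used in the do_initialize hunk of LrpN/usr/share/shorewall/firewall (`[ -e "$IPTABLES" ] || startup_error ...`). The fallback `IPTABLES=$(which iptables 2> /dev/null)` relies on an external `which` whose exit status and output vary between implementations; the POSIX builtin `IPTABLES=$(command -v iptables 2> /dev/null)` avoids that and is available in the same shells. get_config begins before this hunk.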
@@ -223,7 +236,7 @@ display_chains()
TMPFILE=$(mktempfile)
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
- iptables -L $IPT_OPTIONS >> $TMPFILE
+ $IPTABLES -L $IPT_OPTIONS >> $TMPFILE
clear
echo "$banner $(date)"
@@ -306,7 +319,7 @@ display_chains()
qt rm -f $TMPFILE
else
- iptables -L -n -v
+ $IPTABLES -L -n -v
timed_read
fi
trap - 1 2 3 4 5 6 9
@@ -407,7 +420,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
get_config
host=$(echo $HOSTNAME | sed 's/\..*$//')
- oldrejects=$(iptables -L -v -n | grep 'LOG')
+ oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then
let "timeout=- $1"
@@ -440,7 +453,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
show_reset
- rejects=$(iptables -L -v -n | grep 'LOG')
+ rejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
@@ -467,7 +480,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
echo
echo "NAT Status"
echo
- iptables -t nat -L $IPT_OPTIONS
+ $IPTABLES -t nat -L $IPT_OPTIONS
timed_read
clear
@@ -476,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
echo
echo "TOS/MARK Status"
echo
- iptables -t mangle -L $IPT_OPTIONS
+ $IPTABLES -t mangle -L $IPT_OPTIONS
timed_read
clear
@@ -517,7 +530,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
get_config
host=$(echo $HOSTNAME | sed 's/\..*$//')
- oldrejects=$(iptables -L -v -n | grep 'LOG')
+ oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then
timeout=$((- $1))
@@ -539,7 +552,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
show_reset
- rejects=$(iptables -L -v -n | grep 'LOG')
+ rejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
@@ -876,14 +889,14 @@ case "$1" in
echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
echo
show_reset
- iptables -t nat -L $IPT_OPTIONS
+ $IPTABLES -t nat -L $IPT_OPTIONS
;;
tos|mangle)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
echo
show_reset
- iptables -t mangle -L $IPT_OPTIONS
+ $IPTABLES -t mangle -L $IPT_OPTIONS
;;
log)
[ $# -gt 2 ] && usage 1
@@ -914,10 +927,10 @@ case "$1" in
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
- iptables -L $chain $IPT_OPTIONS
+ $IPTABLES -L $chain $IPT_OPTIONS
done
else
- iptables -L $IPT_OPTIONS
+ $IPTABLES -L $IPT_OPTIONS
fi
;;
esac
@@ -941,17 +954,17 @@ case "$1" in
echo
show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//')
- iptables -L $IPT_OPTIONS
+ $IPTABLES -L $IPT_OPTIONS
echo
packet_log 20
echo
echo "NAT Table"
echo
- iptables -t nat -L $IPT_OPTIONS
+ $IPTABLES -t nat -L $IPT_OPTIONS
echo
echo "Mangle Table"
echo
- iptables -t mangle -L $IPT_OPTIONS
+ $IPTABLES -t mangle -L $IPT_OPTIONS
echo
cat /proc/net/ip_conntrack
echo
@@ -971,6 +984,7 @@ case "$1" in
echo
show_proc /proc/sys/net/ipv4/ip_forward
+ show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all
for directory in /proc/sys/net/ipv4/conf/*; do
for file in proxy_arp arp_filter rp_filter log_martians; do
@@ -1041,10 +1055,10 @@ case "$1" in
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
[ $# -lt 2 -o $# -gt 3 ] && usage 1
if ! $0 $debugging -c $2 restart; then
- if ! iptables -L shorewall > /dev/null 2> /dev/null; then
+ if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
$0 start
fi
- elif ! iptables -L shorewall > /dev/null 2> /dev/null; then
+ elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
$0 start
elif [ $# -eq 3 ]; then
sleep $3
@@ -1067,9 +1081,9 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
- qt iptables -D dynamic -s $1 -j reject
- qt iptables -D dynamic -s $1 -j DROP
- iptables -A dynamic -s $1 -j DROP || break 1
+ qt $IPTABLES -D dynamic -s $1 -j reject
+ qt $IPTABLES -D dynamic -s $1 -j DROP
+ $IPTABLES -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped"
done
mutex_off
@@ -1080,9 +1094,9 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
- qt iptables -D dynamic -s $1 -j reject
- qt iptables -D dynamic -s $1 -j DROP
- iptables -A dynamic -s $1 -j reject || break 1
+ qt $IPTABLES -D dynamic -s $1 -j reject
+ qt $IPTABLES -D dynamic -s $1 -j DROP
+ $IPTABLES -A dynamic -s $1 -j reject || break 1
echo "$1 Rejected"
done
mutex_off
@@ -1093,7 +1107,7 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
- if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
+ if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
@@ -1122,7 +1136,7 @@ case "$1" in
mutex_on
- if qt iptables -L shorewall -n; then
+ if qt $IPTABLES -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
@@ -1133,7 +1147,7 @@ case "$1" in
echo " ERROR: Reserved file name: $RESTOREFILE"
;;
*)
- if iptables -L dynamic -n > /var/lib/shorewall/save; then
+ if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
diff --git a/LrpN/usr/share/shorewall/firewall b/LrpN/usr/share/shorewall/firewall
index 1ae200063..b1238d2aa 100755
--- a/LrpN/usr/share/shorewall/firewall
+++ b/LrpN/usr/share/shorewall/firewall
@@ -156,9 +156,9 @@ run_iptables() {
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
- if ! iptables $@ ; then
+ if ! $IPTABLES $@ ; then
if [ -z "$stopping" ]; then
- error_message "ERROR: Command \"iptables $@\" Failed"
+ error_message "ERROR: Command \"$IPTABLES $@\" Failed"
stop_firewall
exit 2
fi
@@ -234,7 +234,7 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
{
local c=$(chain_base $1)
- if iptables -N $1; then
+ if $IPTABLES -N $1; then
if [ $2 = yes ]; then
run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
@@ -265,7 +265,7 @@ havechain() # $1 = name of chain
#
chain_exists() # $1 = chain name
{
- qt iptables -L $1 -n
+ qt $IPTABLES -L $1 -n
}
#
@@ -273,7 +273,7 @@ chain_exists() # $1 = chain name
#
mangle_chain_exists() # $1 = chain name
{
- qt iptables -t mangle -L $1 -n
+ qt $IPTABLES -t mangle -L $1 -n
}
#
@@ -351,7 +351,7 @@ addnatrule() # $1 = chain name, remainder of arguments specify the rule
#
deletechain() # $1 = name of chain
{
- qt iptables -L $1 -n && qt iptables -F $1 && qt iptables -X $1
+ qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
}
#
@@ -1292,10 +1292,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
case $level in
ULOG)
- iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
+ $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
;;
*)
- iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
+ $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
;;
esac
@@ -1462,7 +1462,7 @@ stop_firewall() {
else
routeback=Yes
for h in $(separate_list $host); do
- iptables -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
+ $IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
done
fi
;;
@@ -1478,27 +1478,27 @@ stop_firewall() {
for host in $hosts; do
interface=${host%:*}
networks=${host#*:}
- iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
+ $IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
- iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
+ $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
for host1 in $hosts; do
- [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
+ [ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
done
done
- iptables -A INPUT -i lo -j ACCEPT
+ $IPTABLES -A INPUT -i lo -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
- iptables -A OUTPUT -o lo -j ACCEPT
+ $IPTABLES -A OUTPUT -o lo -j ACCEPT
for interface in $(find_interfaces_by_option dhcp); do
- iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
+ $IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
- iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
+ $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
#
# This might be a bridge
#
- iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
+ $IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
done
case "$IP_FORWARDING" in
@@ -2700,7 +2700,7 @@ process_accounting_rule() {
ensurechain1 $chain
- if iptables -A $chain $(fix_bang $rule) ; then
+ if $IPTABLES -A $chain $(fix_bang $rule) ; then
[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport $user Added
else
@@ -5303,7 +5303,7 @@ refresh_blacklist() {
local f=$(find_file blacklist)
local disposition=$BLACKLIST_DISPOSITION
- if qt iptables -L blacklst -n ; then
+ if qt $IPTABLES -L blacklst -n ; then
echo "Loading Black List..."
strip_file blacklist $f
@@ -5456,8 +5456,8 @@ verify_ip() {
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
- qt iptables -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
- qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
+ qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
+ qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH=
MULTIPORT=
@@ -5465,20 +5465,20 @@ determine_capabilities() {
PHYSDEV_MATCH=
IPRANGE_MATCH=
- if qt iptables -N fooX1234 ; then
- qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
- qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
- qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
- qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
- qt iptables -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
+ if qt $IPTABLES -N fooX1234 ; then
+ qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
+ qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
+ qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
+ qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
+ qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
if [ -n "$PKTTYPE" ]; then
- qt iptables -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
+ qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
fi
- qt iptables -F fooX1234
- qt iptables -X fooX1234
+ qt $IPTABLES -F fooX1234
+ qt $IPTABLES -X fooX1234
fi
}
@@ -5706,8 +5706,8 @@ add_common_rules() {
# Reject Rules -- Don't respond to broadcasts with an ICMP
#
if [ -n "$PKTTYPE" ]; then
- qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
- if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
+ qt $IPTABLES -A reject -m pkttype --pkt-type broadcast -j DROP
+ if ! qt $IPTABLES -A reject -m pkttype --pkt-type multicast -j DROP; then
#
# No pkttype support -- do it the hard way
#
@@ -5728,8 +5728,8 @@ add_common_rules() {
#
# Not all versions of iptables support these so don't complain if they don't work
#
- qt iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
- if ! qt iptables -A reject -j REJECT --reject-with icmp-host-prohibited; then
+ qt $IPTABLES -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
+ if ! qt $IPTABLES -A reject -j REJECT --reject-with icmp-host-prohibited; then
#
# In case the above doesn't work
#
@@ -5792,7 +5792,7 @@ add_common_rules() {
if [ -n "$BRIDGING" ]; then
eval is_bridge=\$$(chain_base $interface)_ports
[ -n "$is_bridge" ] && \
- iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT
+ $IPTABLES -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT
fi
run_iptables -A $(input_chain $interface) -p udp --dport 67:68 $policyin -j ACCEPT
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 $policyout -j ACCEPT
@@ -6617,12 +6617,12 @@ add_to_zone() # $1 = [:] $2 = zone
nat_chain_exists() # $1 = chain name
{
- qt iptables -t nat -L $1 -n
+ qt $IPTABLES -t nat -L $1 -n
}
do_iptables() # $@ = command
{
- if ! iptables $@ ; then
+ if ! $IPTABLES $@ ; then
startup_error "Can't add $1 to zone $2"
fi
}
@@ -6878,14 +6878,14 @@ delete_from_zone() # $1 = [:] $2 = zone
#
# Delete any nat table entries for the host(s)
#
- qt iptables -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
+ qt $IPTABLES -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
#
# Delete rules rules the input chains for the passed interface
#
while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then
- qt iptables -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
+ qt $IPTABLES -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
else
source_chain=$(dynamic_fwd $interface)
eval dest_hosts=\"\$${z2}_hosts\"
@@ -6895,13 +6895,13 @@ delete_from_zone() # $1 = [:] $2 = zone
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
- qt iptables -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
+ qt $IPTABLES -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
fi
done
fi
elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then
- qt iptables -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
+ qt $IPTABLES -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
else
eval source_hosts=\"\$${z1}_hosts\"
@@ -6910,7 +6910,7 @@ delete_from_zone() # $1 = [:] $2 = zone
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
- qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
+ qt $IPTABLES -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
fi
done
fi
@@ -6988,6 +6988,7 @@ do_initialize() {
# Clear all configuration variables
#
version=
+ IPTABLES=
FW=
SUBSYSLOCK=
STATEDIR=
@@ -7102,6 +7103,14 @@ do_initialize() {
[ -d $STATEDIR ] || mkdir -p $STATEDIR
+ if [ -z "$IPTABLES" ]; then
+ IPTABLES=$(which iptables 2> /dev/null)
+
+ [ -z "$IPTABLES" ] && startup_error "Can't find iptables executable"
+ else
+ [ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
+ fi
+
[ -z "$FW" ] && FW=fw
ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
@@ -7283,7 +7292,7 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
- if qt iptables -L shorewall -n ; then
+ if qt $IPTABLES -L shorewall -n ; then
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
echo "Shorewall Already Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
@@ -7298,7 +7307,7 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
- if qt iptables -L shorewall -n ; then
+ if qt $IPTABLES -L shorewall -n ; then
define_firewall "Restart"
else
echo "Shorewall Not Currently Running"
@@ -7313,22 +7322,22 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo
- iptables -L -n -v
+ $IPTABLES -L -n -v
;;
reset)
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
- if ! qt iptables -L shorewall -n ; then
+ if ! qt $IPTABLES -L shorewall -n ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2;
fi
- iptables -Z
- iptables -t nat -Z
- iptables -t mangle -Z
+ $IPTABLES -Z
+ $IPTABLES -t nat -Z
+ $IPTABLES -t mangle -Z
report "Shorewall Counters Reset"
date > $STATEDIR/restarted
my_mutex_off
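Review bot: In the `status` branch at the top of this hunk, `$IPTABLES -L -n -v` replaces the direct `iptables -L -n -v`, but unlike the neighbouring `reset` branch nothing in the visible lines calls do_initialize first, and do_initialize is where this commit assigns IPTABLES; unless the variable reaches this script through the environment, the expansion is empty and the shell attempts to run `-L` as a command. Either call `do_initialize` before the listing, as the other branches in this hunk do, or make the fallback explicit with `${IPTABLES:-iptables} -L -n -v`. The enclosing `case "$COMMAND"` starts and ends outside the hunk.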
@@ -7338,7 +7347,7 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
- if ! qt iptables -L shorewall -n ; then
+ if ! qt $IPTABLES -L shorewall -n ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
@@ -7369,7 +7378,7 @@ case "$COMMAND" in
[ $# -ne 3 ] && usage
do_initialize
my_mutex_on
- if ! qt iptables -L shorewall -n ; then
+ if ! qt $IPTABLES -L shorewall -n ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
@@ -7383,7 +7392,7 @@ case "$COMMAND" in
[ $# -ne 3 ] && usage
do_initialize
my_mutex_on
- if ! qt iptables -L shorewall -n ; then
+ if ! qt $IPTABLES -L shorewall -n ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
diff --git a/LrpN/usr/share/shorewall/version b/LrpN/usr/share/shorewall/version
index 6af336bdb..926f19e80 100644
--- a/LrpN/usr/share/shorewall/version
+++ b/LrpN/usr/share/shorewall/version
@@ -1 +1 @@
-2.2.0-Beta4
+2.2.0-Beta5
diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml
index 2984938d5..3f0cfe8ca 100644
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@@ -15,7 +15,7 @@
- 2004-11-18
+ 2004-11-262001-2004
@@ -1245,7 +1245,7 @@ loc loc REJECT info
UNLESS the user defines the zone badly so that intra-zone rules
are required. In that case, Shorewall will not try to guess what the
user's intentions are and will treat traffic within the affected zone(s)
- just like any other traffic.
+ just like any other traffic.
Any time that you have multiple interfaces associated with a
single zone, you should ask yourself if you really want traffic routed
@@ -2771,6 +2771,17 @@ eth0 eth1 206.124.146.176
+
+ IPTABLES
+
+
+ (Added at version 2.2.0) — This parameter names the iptables
+ executable to be used by Shorewall. If not specified or if specified
+ as a null value, then the iptables executable located usint the PATH
+ option is used.
+
+
+
LOGFORMAT
@@ -2938,6 +2949,22 @@ eth0 eth1 206.124.146.176
If you have a HA setup with failover to another firewall, you
should have NEWNOTSYN=Yes on both firewalls. You should also select
NEWNOTSYN=Yes if you have asymmetric routing.
+
+
+ I find that NEWNOTSYN=No tends to result in lots of "stuck"
+ connections because any network timeout during TCP session tear
+ down results in retries being dropped (Netfilter has removed the
+ connection from the conntrack table but the end-points haven't
+ completed shutting down the connection). I therefore have chosen
+ NEWNOTSYN=Yes as the default value and I advise caution in using
+ NEWNOTSYN=Yes.
+
+ If you are looking for a way to defeat "stealth TCP scans"
+ then I recommend the tcpflags
+ interface option in /etc/shorewall/interfaces rather than
+ NEWNOTSYN=No.
+
@@ -2953,9 +2980,9 @@ eth0 eth1 206.124.146.176
LOGNEWNOTSYN=ULOG|
- Packets logged under this option are usually the result of
- broken remote IP stacks rather than the result of any sort of
- attempt to breach your firewall.
+ Packets logged under this option are usually the result of a
+ "stuck" connection rather than as the result of an attempt to
+ breach your firewall.
@@ -3992,4 +4019,4 @@ eth1 -
-
+
\ No newline at end of file
diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml
index 13afb122f..424a60aae 100644
--- a/Shorewall-docs2/FAQ.xml
+++ b/Shorewall-docs2/FAQ.xml
@@ -17,7 +17,7 @@
- 2004-11-18
+ 2004-11-242001-2004
@@ -1105,7 +1105,10 @@ LOGBURST=""
to report problems back to the sender of a packet; this is what is
happening here. Unfortunately, where NAT is involved (including SNAT,
DNAT and Masquerade), there are a lot of broken implementations. That is
- what you are seeing with these messages.
+ what you are seeing with these messages. When Netfilter displays these
+ messages, the part before the "[" describes the ICMP packet and the part
+ between the "[" and "]" describes the packet for which the ICMP is a
+ response.
Here is my interpretation of what is happening -- to confirm this
analysis, one would have to have packet sniffers placed a both ends of
diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml
index a1e27de7e..e76683b68 100644
--- a/Shorewall-docs2/myfiles.xml
+++ b/Shorewall-docs2/myfiles.xml
@@ -308,11 +308,11 @@ $EXT_IF $OMAK
my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to
/etc/shorewall/rfc1918 and changed it as follows:
- #SUBNET TARGET
-192.168.1.1 RETURN
-172.16.0.0/12 logdrop # RFC 1918
-192.168.0.0/16 logdrop # RFC 1918
-10.0.0.0/8 logdrop # RFC 1918
+ #SUBNET TARGET
+192.168.1.1 RETURN
+172.16.0.0/12 logdrop # RFC 1918
+192.168.0.0/16 logdrop # RFC 1918
+10.0.0.0/8 logdrop # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-docs2/upgrade_issues.xml b/Shorewall-docs2/upgrade_issues.xml
index d2771fe26..ee3d15a67 100644
--- a/Shorewall-docs2/upgrade_issues.xml
+++ b/Shorewall-docs2/upgrade_issues.xml
@@ -97,8 +97,8 @@
- If shorewall.conf is upgraded to the latest version, it needs
- to be modified to set STARTUP_ENABLED=Yes.
+ If shorewall.conf is upgraded to the latest version, it needs to
+ be modified to set STARTUP_ENABLED=Yes.
@@ -122,7 +122,7 @@
The ORIGINAL DEST column of the /etc/shorewall/rules file may no
longer contain a second (SNAT) address. You must use an entry in
- /etc/shorewall/masq instead.
+ /etc/shorewall/masq instead.
Example from Shorewall FAQ #1:
@@ -140,7 +140,7 @@ loc eth1 detect routeback
# PORT DEST
DNAT loc loc:192.168.1.12 tcp 80 - 130.252.100.69:192.168.1.254
- Shorewall 2.1 and Later:
+ Shorewall 2.1 and Later:/etc/shorewall/interfaces
@@ -389,6 +389,24 @@ DNAT loc loc:192.168.1.12 tcp 80 - 130.252.100.69
+
+ Version >= 1.4.9
+
+
+
+ The default value of NEWNOTSYN set in /etc/shorewall/shorewall.conf has
+ been changed from 'No' to 'Yes'. I find that NEWNOTSYN=No tends to
+ result in lots of "stuck" connections because any network timeout
+ during TCP session tear down results in retries being dropped
+ (Netfilter has removed the connection from the conntrack table but the
+ end-points haven't completed shutting down the connection). I
+ therefore have chosen NEWNOTSYN=Yes as the default value and I advise
+ caution in using NEWNOTSYN=Yes.
+
+
+
+
Version >= 1.4.8
diff --git a/Shorewall2/fallback.sh b/Shorewall2/fallback.sh
index 0ba61aec3..fefd0c441 100755
--- a/Shorewall2/fallback.sh
+++ b/Shorewall2/fallback.sh
@@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
-VERSION=2.2.0-Beta4
+VERSION=2.2.0-Beta5
usage() # $1 = exit status
{
diff --git a/Shorewall2/install.sh b/Shorewall2/install.sh
index 2681e2ff1..95876d2bd 100755
--- a/Shorewall2/install.sh
+++ b/Shorewall2/install.sh
@@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
-VERSION=2.2.0-Beta4
+VERSION=2.2.0-Beta5
usage() # $1 = exit status
{
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index a02eb6800..e4c598537 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -1,4 +1,4 @@
-Shorewall 2.2.0-Beta4
+Shorewall 2.2.0-Beta5
----------------------------------------------------------------------
Problems Corrected since 2.0.3
diff --git a/Shorewall2/shorewall.spec b/Shorewall2/shorewall.spec
index d1b3c3038..ec500ebcd 100644
--- a/Shorewall2/shorewall.spec
+++ b/Shorewall2/shorewall.spec
@@ -1,6 +1,6 @@
%define name shorewall
%define version 2.2.0
-%define release 0Beta4
+%define release 0Beta5
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -137,8 +137,10 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
+* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta5
* Fri Nov 19 2004 Tom Eastep tom@shorewall.net
-- Updated to 2.2.0-0Beta3
+- Updated to 2.2.0-0Beta4
* Tue Nov 09 2004 Tom Eastep tom@shorewall.net
- Updated to 2.2.0-0Beta3
* Tue Nov 02 2004 Tom Eastep tom@shorewall.net
diff --git a/Shorewall2/uninstall.sh b/Shorewall2/uninstall.sh
index c371a5a51..6486a69ec 100755
--- a/Shorewall2/uninstall.sh
+++ b/Shorewall2/uninstall.sh
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
-VERSION=2.2.0-Beta4
+VERSION=2.2.0-Beta5
usage() # $1 = exit status
{