From 01cded414d13ff579911f45268ced4cdbad52b9b Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 26 Nov 2004 18:53:04 +0000 Subject: [PATCH] Update for Shorewall 2.2.0 Beta 5 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1767 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- LrpN/etc/shorewall/shorewall.conf | 9 +++ LrpN/etc/shorewall/tcrules | 2 +- LrpN/sbin/shorewall | 66 ++++++++++------- LrpN/usr/share/shorewall/firewall | 113 ++++++++++++++++------------- LrpN/usr/share/shorewall/version | 2 +- Shorewall-docs2/Documentation.xml | 39 ++++++++-- Shorewall-docs2/FAQ.xml | 7 +- Shorewall-docs2/myfiles.xml | 10 +-- Shorewall-docs2/upgrade_issues.xml | 26 ++++++- Shorewall2/fallback.sh | 2 +- Shorewall2/install.sh | 2 +- Shorewall2/releasenotes.txt | 2 +- Shorewall2/shorewall.spec | 6 +- Shorewall2/uninstall.sh | 2 +- 14 files changed, 185 insertions(+), 103 deletions(-) diff --git a/LrpN/etc/shorewall/shorewall.conf b/LrpN/etc/shorewall/shorewall.conf index 91b2f06a3..19efef986 100755 --- a/LrpN/etc/shorewall/shorewall.conf +++ b/LrpN/etc/shorewall/shorewall.conf @@ -247,6 +247,15 @@ LOG_MARTIANS=No ################################################################################ # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ################################################################################ +# +# IPTABLES +# +# Full path to iptables executable Shorewall uses to build the firewall. If +# not specified or if specified with an empty value (e.g., IPTABLES="") then +# the iptables executable located via the PATH setting below is used. +# +IPTABLES= + # # PATH - Change this if you want to change the order in which Shorewall # searches directories for executable files. diff --git a/LrpN/etc/shorewall/tcrules b/LrpN/etc/shorewall/tcrules index 304f1be31..94d686e96 100644 --- a/LrpN/etc/shorewall/tcrules +++ b/LrpN/etc/shorewall/tcrules @@ -115,7 +115,7 @@ # In that case, it is suggested that this field contain # "-" # -# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, +# SOURCE PORT(S) (Optional) Source port(s). If omitted, # any source port is acceptable. Specified as a comma- # separated list of port names, port numbers or port # ranges. diff --git a/LrpN/sbin/shorewall b/LrpN/sbin/shorewall index 3683c2e2c..d657ea865 100755 --- a/LrpN/sbin/shorewall +++ b/LrpN/sbin/shorewall @@ -192,6 +192,19 @@ get_config() { [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:" + if [ -n "$IPTABLES" ]; then + if [ ! -e "$IPTABLES" ]; then + echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2 + exit 2 + fi + else + IPTABLES=$(which iptables 2> /dev/null) + if [ -z "$IPTABLES" ] ; then + echo " ERROR: Can't find iptables executable" >&2 + exit 2 + fi + fi + if [ -n "$SHOREWALL_SHELL" ]; then if [ ! -e "$SHOREWALL_SHELL" ]; then echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2 @@ -223,7 +236,7 @@ display_chains() TMPFILE=$(mktempfile) [ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; } - iptables -L $IPT_OPTIONS >> $TMPFILE + $IPTABLES -L $IPT_OPTIONS >> $TMPFILE clear echo "$banner $(date)" @@ -306,7 +319,7 @@ display_chains() qt rm -f $TMPFILE else - iptables -L -n -v + $IPTABLES -L -n -v timed_read fi trap - 1 2 3 4 5 6 9 @@ -407,7 +420,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that get_config host=$(echo $HOSTNAME | sed 's/\..*$//') - oldrejects=$(iptables -L -v -n | grep 'LOG') + oldrejects=$($IPTABLES -L -v -n | grep 'LOG') if [ $1 -lt 0 ]; then let "timeout=- $1" @@ -440,7 +453,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that show_reset - rejects=$(iptables -L -v -n | grep 'LOG') + rejects=$($IPTABLES -L -v -n | grep 'LOG') if [ "$rejects" != "$oldrejects" ]; then oldrejects="$rejects" @@ -467,7 +480,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that echo echo "NAT Status" echo - iptables -t nat -L $IPT_OPTIONS + $IPTABLES -t nat -L $IPT_OPTIONS timed_read clear @@ -476,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that echo echo "TOS/MARK Status" echo - iptables -t mangle -L $IPT_OPTIONS + $IPTABLES -t mangle -L $IPT_OPTIONS timed_read clear @@ -517,7 +530,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that get_config host=$(echo $HOSTNAME | sed 's/\..*$//') - oldrejects=$(iptables -L -v -n | grep 'LOG') + oldrejects=$($IPTABLES -L -v -n | grep 'LOG') if [ $1 -lt 0 ]; then timeout=$((- $1)) @@ -539,7 +552,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that show_reset - rejects=$(iptables -L -v -n | grep 'LOG') + rejects=$($IPTABLES -L -v -n | grep 'LOG') if [ "$rejects" != "$oldrejects" ]; then oldrejects="$rejects" @@ -876,14 +889,14 @@ case "$1" in echo "Shorewall-$version NAT at $HOSTNAME - $(date)" echo show_reset - iptables -t nat -L $IPT_OPTIONS + $IPTABLES -t nat -L $IPT_OPTIONS ;; tos|mangle) [ $# -gt 2 ] && usage 1 echo "Shorewall-$version TOS at $HOSTNAME - $(date)" echo show_reset - iptables -t mangle -L $IPT_OPTIONS + $IPTABLES -t mangle -L $IPT_OPTIONS ;; log) [ $# -gt 2 ] && usage 1 @@ -914,10 +927,10 @@ case "$1" in show_reset if [ $# -gt 0 ]; then for chain in $*; do - iptables -L $chain $IPT_OPTIONS + $IPTABLES -L $chain $IPT_OPTIONS done else - iptables -L $IPT_OPTIONS + $IPTABLES -L $IPT_OPTIONS fi ;; esac @@ -941,17 +954,17 @@ case "$1" in echo show_reset host=$(echo $HOSTNAME | sed 's/\..*$//') - iptables -L $IPT_OPTIONS + $IPTABLES -L $IPT_OPTIONS echo packet_log 20 echo echo "NAT Table" echo - iptables -t nat -L $IPT_OPTIONS + $IPTABLES -t nat -L $IPT_OPTIONS echo echo "Mangle Table" echo - iptables -t mangle -L $IPT_OPTIONS + $IPTABLES -t mangle -L $IPT_OPTIONS echo cat /proc/net/ip_conntrack echo @@ -971,6 +984,7 @@ case "$1" in echo show_proc /proc/sys/net/ipv4/ip_forward + show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all for directory in /proc/sys/net/ipv4/conf/*; do for file in proxy_arp arp_filter rp_filter log_martians; do @@ -1041,10 +1055,10 @@ case "$1" in [ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\"" [ $# -lt 2 -o $# -gt 3 ] && usage 1 if ! $0 $debugging -c $2 restart; then - if ! iptables -L shorewall > /dev/null 2> /dev/null; then + if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then $0 start fi - elif ! iptables -L shorewall > /dev/null 2> /dev/null; then + elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then $0 start elif [ $# -eq 3 ]; then sleep $3 @@ -1067,9 +1081,9 @@ case "$1" in mutex_on while [ $# -gt 1 ]; do shift - qt iptables -D dynamic -s $1 -j reject - qt iptables -D dynamic -s $1 -j DROP - iptables -A dynamic -s $1 -j DROP || break 1 + qt $IPTABLES -D dynamic -s $1 -j reject + qt $IPTABLES -D dynamic -s $1 -j DROP + $IPTABLES -A dynamic -s $1 -j DROP || break 1 echo "$1 Dropped" done mutex_off @@ -1080,9 +1094,9 @@ case "$1" in mutex_on while [ $# -gt 1 ]; do shift - qt iptables -D dynamic -s $1 -j reject - qt iptables -D dynamic -s $1 -j DROP - iptables -A dynamic -s $1 -j reject || break 1 + qt $IPTABLES -D dynamic -s $1 -j reject + qt $IPTABLES -D dynamic -s $1 -j DROP + $IPTABLES -A dynamic -s $1 -j reject || break 1 echo "$1 Rejected" done mutex_off @@ -1093,7 +1107,7 @@ case "$1" in mutex_on while [ $# -gt 1 ]; do shift - if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then + if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then echo "$1 Allowed" else echo "$1 Not Dropped or Rejected" @@ -1122,7 +1136,7 @@ case "$1" in mutex_on - if qt iptables -L shorewall -n; then + if qt $IPTABLES -L shorewall -n; then [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then @@ -1133,7 +1147,7 @@ case "$1" in echo " ERROR: Reserved file name: $RESTOREFILE" ;; *) - if iptables -L dynamic -n > /var/lib/shorewall/save; then + if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then echo " Dynamic Rules Saved" if [ -f /var/lib/shorewall/restore-base ]; then cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$ diff --git a/LrpN/usr/share/shorewall/firewall b/LrpN/usr/share/shorewall/firewall index 1ae200063..b1238d2aa 100755 --- a/LrpN/usr/share/shorewall/firewall +++ b/LrpN/usr/share/shorewall/firewall @@ -156,9 +156,9 @@ run_iptables() { [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - if ! iptables $@ ; then + if ! $IPTABLES $@ ; then if [ -z "$stopping" ]; then - error_message "ERROR: Command \"iptables $@\" Failed" + error_message "ERROR: Command \"$IPTABLES $@\" Failed" stop_firewall exit 2 fi @@ -234,7 +234,7 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules { local c=$(chain_base $1) - if iptables -N $1; then + if $IPTABLES -N $1; then if [ $2 = yes ]; then run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT @@ -265,7 +265,7 @@ havechain() # $1 = name of chain # chain_exists() # $1 = chain name { - qt iptables -L $1 -n + qt $IPTABLES -L $1 -n } # @@ -273,7 +273,7 @@ chain_exists() # $1 = chain name # mangle_chain_exists() # $1 = chain name { - qt iptables -t mangle -L $1 -n + qt $IPTABLES -t mangle -L $1 -n } # @@ -351,7 +351,7 @@ addnatrule() # $1 = chain name, remainder of arguments specify the rule # deletechain() # $1 = name of chain { - qt iptables -L $1 -n && qt iptables -F $1 && qt iptables -X $1 + qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1 } # @@ -1292,10 +1292,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi case $level in ULOG) - iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" + $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" ;; *) - iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" + $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" ;; esac @@ -1462,7 +1462,7 @@ stop_firewall() { else routeback=Yes for h in $(separate_list $host); do - iptables -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT + $IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT done fi ;; @@ -1478,27 +1478,27 @@ stop_firewall() { for host in $hosts; do interface=${host%:*} networks=${host#*:} - iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT + $IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT [ -z "$ADMINISABSENTMINDED" ] && \ - iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT + $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT for host1 in $hosts; do - [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT + [ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT done done - iptables -A INPUT -i lo -j ACCEPT + $IPTABLES -A INPUT -i lo -j ACCEPT [ -z "$ADMINISABSENTMINDED" ] && \ - iptables -A OUTPUT -o lo -j ACCEPT + $IPTABLES -A OUTPUT -o lo -j ACCEPT for interface in $(find_interfaces_by_option dhcp); do - iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT + $IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT [ -z "$ADMINISABSENTMINDED" ] && \ - iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT + $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT # # This might be a bridge # - iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT + $IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT done case "$IP_FORWARDING" in @@ -2700,7 +2700,7 @@ process_accounting_rule() { ensurechain1 $chain - if iptables -A $chain $(fix_bang $rule) ; then + if $IPTABLES -A $chain $(fix_bang $rule) ; then [ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2 progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport $user Added else @@ -5303,7 +5303,7 @@ refresh_blacklist() { local f=$(find_file blacklist) local disposition=$BLACKLIST_DISPOSITION - if qt iptables -L blacklst -n ; then + if qt $IPTABLES -L blacklst -n ; then echo "Loading Black List..." strip_file blacklist $f @@ -5456,8 +5456,8 @@ verify_ip() { # Determine which optional facilities are supported by iptables/netfilter # determine_capabilities() { - qt iptables -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= - qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= + qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= + qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= CONNTRACK_MATCH= MULTIPORT= @@ -5465,20 +5465,20 @@ determine_capabilities() { PHYSDEV_MATCH= IPRANGE_MATCH= - if qt iptables -N fooX1234 ; then - qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes - qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes - qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes - qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes - qt iptables -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes + if qt $IPTABLES -N fooX1234 ; then + qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes + qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes + qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes + qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes + qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes if [ -n "$PKTTYPE" ]; then - qt iptables -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE= + qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE= fi - qt iptables -F fooX1234 - qt iptables -X fooX1234 + qt $IPTABLES -F fooX1234 + qt $IPTABLES -X fooX1234 fi } @@ -5706,8 +5706,8 @@ add_common_rules() { # Reject Rules -- Don't respond to broadcasts with an ICMP # if [ -n "$PKTTYPE" ]; then - qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP - if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then + qt $IPTABLES -A reject -m pkttype --pkt-type broadcast -j DROP + if ! qt $IPTABLES -A reject -m pkttype --pkt-type multicast -j DROP; then # # No pkttype support -- do it the hard way # @@ -5728,8 +5728,8 @@ add_common_rules() { # # Not all versions of iptables support these so don't complain if they don't work # - qt iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable - if ! qt iptables -A reject -j REJECT --reject-with icmp-host-prohibited; then + qt $IPTABLES -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable + if ! qt $IPTABLES -A reject -j REJECT --reject-with icmp-host-prohibited; then # # In case the above doesn't work # @@ -5792,7 +5792,7 @@ add_common_rules() { if [ -n "$BRIDGING" ]; then eval is_bridge=\$$(chain_base $interface)_ports [ -n "$is_bridge" ] && \ - iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT + $IPTABLES -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT fi run_iptables -A $(input_chain $interface) -p udp --dport 67:68 $policyin -j ACCEPT run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 $policyout -j ACCEPT @@ -6617,12 +6617,12 @@ add_to_zone() # $1 = [:] $2 = zone nat_chain_exists() # $1 = chain name { - qt iptables -t nat -L $1 -n + qt $IPTABLES -t nat -L $1 -n } do_iptables() # $@ = command { - if ! iptables $@ ; then + if ! $IPTABLES $@ ; then startup_error "Can't add $1 to zone $2" fi } @@ -6878,14 +6878,14 @@ delete_from_zone() # $1 = [:] $2 = zone # # Delete any nat table entries for the host(s) # - qt iptables -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat + qt $IPTABLES -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat # # Delete rules rules the input chains for the passed interface # while read z1 z2 chain; do if [ "$z1" = "$zone" ]; then if [ "$z2" = "$FW" ]; then - qt iptables -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain + qt $IPTABLES -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain else source_chain=$(dynamic_fwd $interface) eval dest_hosts=\"\$${z2}_hosts\" @@ -6895,13 +6895,13 @@ delete_from_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain + qt $IPTABLES -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain fi done fi elif [ "$z2" = "$zone" ]; then if [ "$z1" = "$FW" ]; then - qt iptables -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain + qt $IPTABLES -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain else eval source_hosts=\"\$${z1}_hosts\" @@ -6910,7 +6910,7 @@ delete_from_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain + qt $IPTABLES -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain fi done fi @@ -6988,6 +6988,7 @@ do_initialize() { # Clear all configuration variables # version= + IPTABLES= FW= SUBSYSLOCK= STATEDIR= @@ -7102,6 +7103,14 @@ do_initialize() { [ -d $STATEDIR ] || mkdir -p $STATEDIR + if [ -z "$IPTABLES" ]; then + IPTABLES=$(which iptables 2> /dev/null) + + [ -z "$IPTABLES" ] && startup_error "Can't find iptables executable" + else + [ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable" + fi + [ -z "$FW" ] && FW=fw ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)" @@ -7283,7 +7292,7 @@ case "$COMMAND" in [ $# -ne 1 ] && usage do_initialize my_mutex_on - if qt iptables -L shorewall -n ; then + if qt $IPTABLES -L shorewall -n ; then [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK echo "Shorewall Already Started" [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR @@ -7298,7 +7307,7 @@ case "$COMMAND" in [ $# -ne 1 ] && usage do_initialize my_mutex_on - if qt iptables -L shorewall -n ; then + if qt $IPTABLES -L shorewall -n ; then define_firewall "Restart" else echo "Shorewall Not Currently Running" @@ -7313,22 +7322,22 @@ case "$COMMAND" in [ $# -ne 1 ] && usage echo "Shorewall-$version Status at $HOSTNAME - $(date)" echo - iptables -L -n -v + $IPTABLES -L -n -v ;; reset) [ $# -ne 1 ] && usage do_initialize my_mutex_on - if ! qt iptables -L shorewall -n ; then + if ! qt $IPTABLES -L shorewall -n ; then echo "Shorewall Not Started" [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR my_mutex_off exit 2; fi - iptables -Z - iptables -t nat -Z - iptables -t mangle -Z + $IPTABLES -Z + $IPTABLES -t nat -Z + $IPTABLES -t mangle -Z report "Shorewall Counters Reset" date > $STATEDIR/restarted my_mutex_off @@ -7338,7 +7347,7 @@ case "$COMMAND" in [ $# -ne 1 ] && usage do_initialize my_mutex_on - if ! qt iptables -L shorewall -n ; then + if ! qt $IPTABLES -L shorewall -n ; then echo "Shorewall Not Started" [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR my_mutex_off @@ -7369,7 +7378,7 @@ case "$COMMAND" in [ $# -ne 3 ] && usage do_initialize my_mutex_on - if ! qt iptables -L shorewall -n ; then + if ! qt $IPTABLES -L shorewall -n ; then echo "Shorewall Not Started" [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR my_mutex_off @@ -7383,7 +7392,7 @@ case "$COMMAND" in [ $# -ne 3 ] && usage do_initialize my_mutex_on - if ! qt iptables -L shorewall -n ; then + if ! qt $IPTABLES -L shorewall -n ; then echo "Shorewall Not Started" [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR my_mutex_off diff --git a/LrpN/usr/share/shorewall/version b/LrpN/usr/share/shorewall/version index 6af336bdb..926f19e80 100644 --- a/LrpN/usr/share/shorewall/version +++ b/LrpN/usr/share/shorewall/version @@ -1 +1 @@ -2.2.0-Beta4 +2.2.0-Beta5 diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml index 2984938d5..3f0cfe8ca 100644 --- a/Shorewall-docs2/Documentation.xml +++ b/Shorewall-docs2/Documentation.xml @@ -15,7 +15,7 @@ - 2004-11-18 + 2004-11-26 2001-2004 @@ -1245,7 +1245,7 @@ loc loc REJECT info UNLESS the user defines the zone badly so that intra-zone rules are required. In that case, Shorewall will not try to guess what the user's intentions are and will treat traffic within the affected zone(s) - just like any other traffic. + just like any other traffic. Any time that you have multiple interfaces associated with a single zone, you should ask yourself if you really want traffic routed @@ -2771,6 +2771,17 @@ eth0 eth1 206.124.146.176 + + IPTABLES + + + (Added at version 2.2.0) — This parameter names the iptables + executable to be used by Shorewall. If not specified or if specified + as a null value, then the iptables executable located usint the PATH + option is used. + + + LOGFORMAT @@ -2938,6 +2949,22 @@ eth0 eth1 206.124.146.176 If you have a HA setup with failover to another firewall, you should have NEWNOTSYN=Yes on both firewalls. You should also select NEWNOTSYN=Yes if you have asymmetric routing. + + + I find that NEWNOTSYN=No tends to result in lots of "stuck" + connections because any network timeout during TCP session tear + down results in retries being dropped (Netfilter has removed the + connection from the conntrack table but the end-points haven't + completed shutting down the connection). I therefore have chosen + NEWNOTSYN=Yes as the default value and I advise caution in using + NEWNOTSYN=Yes. + + If you are looking for a way to defeat "stealth TCP scans" + then I recommend the tcpflags + interface option in /etc/shorewall/interfaces rather than + NEWNOTSYN=No. + @@ -2953,9 +2980,9 @@ eth0 eth1 206.124.146.176 LOGNEWNOTSYN=ULOG| - Packets logged under this option are usually the result of - broken remote IP stacks rather than the result of any sort of - attempt to breach your firewall. + Packets logged under this option are usually the result of a + "stuck" connection rather than as the result of an attempt to + breach your firewall. @@ -3992,4 +4019,4 @@ eth1 - - + \ No newline at end of file diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml index 13afb122f..424a60aae 100644 --- a/Shorewall-docs2/FAQ.xml +++ b/Shorewall-docs2/FAQ.xml @@ -17,7 +17,7 @@ - 2004-11-18 + 2004-11-24 2001-2004 @@ -1105,7 +1105,10 @@ LOGBURST="" to report problems back to the sender of a packet; this is what is happening here. Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade), there are a lot of broken implementations. That is - what you are seeing with these messages. + what you are seeing with these messages. When Netfilter displays these + messages, the part before the "[" describes the ICMP packet and the part + between the "[" and "]" describes the packet for which the ICMP is a + response. Here is my interpretation of what is happening -- to confirm this analysis, one would have to have packet sniffers placed a both ends of diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml index a1e27de7e..e76683b68 100644 --- a/Shorewall-docs2/myfiles.xml +++ b/Shorewall-docs2/myfiles.xml @@ -308,11 +308,11 @@ $EXT_IF $OMAK my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to /etc/shorewall/rfc1918 and changed it as follows: - #SUBNET TARGET -192.168.1.1 RETURN -172.16.0.0/12 logdrop # RFC 1918 -192.168.0.0/16 logdrop # RFC 1918 -10.0.0.0/8 logdrop # RFC 1918 + #SUBNET TARGET +192.168.1.1 RETURN +172.16.0.0/12 logdrop # RFC 1918 +192.168.0.0/16 logdrop # RFC 1918 +10.0.0.0/8 logdrop # RFC 1918 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-docs2/upgrade_issues.xml b/Shorewall-docs2/upgrade_issues.xml index d2771fe26..ee3d15a67 100644 --- a/Shorewall-docs2/upgrade_issues.xml +++ b/Shorewall-docs2/upgrade_issues.xml @@ -97,8 +97,8 @@ - If shorewall.conf is upgraded to the latest version, it needs - to be modified to set STARTUP_ENABLED=Yes. + If shorewall.conf is upgraded to the latest version, it needs to + be modified to set STARTUP_ENABLED=Yes. @@ -122,7 +122,7 @@ The ORIGINAL DEST column of the /etc/shorewall/rules file may no longer contain a second (SNAT) address. You must use an entry in - /etc/shorewall/masq instead. + /etc/shorewall/masq instead. Example from Shorewall FAQ #1: @@ -140,7 +140,7 @@ loc eth1 detect routeback # PORT DEST DNAT loc loc:192.168.1.12 tcp 80 - 130.252.100.69:192.168.1.254 - Shorewall 2.1 and Later: + Shorewall 2.1 and Later: /etc/shorewall/interfaces @@ -389,6 +389,24 @@ DNAT loc loc:192.168.1.12 tcp 80 - 130.252.100.69

+
+ Version >= 1.4.9 + + + + The default value of NEWNOTSYN set in /etc/shorewall/shorewall.conf has + been changed from 'No' to 'Yes'. I find that NEWNOTSYN=No tends to + result in lots of "stuck" connections because any network timeout + during TCP session tear down results in retries being dropped + (Netfilter has removed the connection from the conntrack table but the + end-points haven't completed shutting down the connection). I + therefore have chosen NEWNOTSYN=Yes as the default value and I advise + caution in using NEWNOTSYN=Yes. + + +
+
Version >= 1.4.8 diff --git a/Shorewall2/fallback.sh b/Shorewall2/fallback.sh index 0ba61aec3..fefd0c441 100755 --- a/Shorewall2/fallback.sh +++ b/Shorewall2/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=2.2.0-Beta4 +VERSION=2.2.0-Beta5 usage() # $1 = exit status { diff --git a/Shorewall2/install.sh b/Shorewall2/install.sh index 2681e2ff1..95876d2bd 100755 --- a/Shorewall2/install.sh +++ b/Shorewall2/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=2.2.0-Beta4 +VERSION=2.2.0-Beta5 usage() # $1 = exit status { diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index a02eb6800..e4c598537 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 2.2.0-Beta4 +Shorewall 2.2.0-Beta5 ---------------------------------------------------------------------- Problems Corrected since 2.0.3 diff --git a/Shorewall2/shorewall.spec b/Shorewall2/shorewall.spec index d1b3c3038..ec500ebcd 100644 --- a/Shorewall2/shorewall.spec +++ b/Shorewall2/shorewall.spec @@ -1,6 +1,6 @@ %define name shorewall %define version 2.2.0 -%define release 0Beta4 +%define release 0Beta5 %define prefix /usr Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -137,8 +137,10 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Fri Nov 26 2004 Tom Eastep tom@shorewall.net +- Updated to 2.2.0-0Beta5 * Fri Nov 19 2004 Tom Eastep tom@shorewall.net -- Updated to 2.2.0-0Beta3 +- Updated to 2.2.0-0Beta4 * Tue Nov 09 2004 Tom Eastep tom@shorewall.net - Updated to 2.2.0-0Beta3 * Tue Nov 02 2004 Tom Eastep tom@shorewall.net diff --git a/Shorewall2/uninstall.sh b/Shorewall2/uninstall.sh index c371a5a51..6486a69ec 100755 --- a/Shorewall2/uninstall.sh +++ b/Shorewall2/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=2.2.0-Beta4 +VERSION=2.2.0-Beta5 usage() # $1 = exit status {