Copy 4.2 -common to trunk

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8937 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-12-07 18:17:26 +00:00
parent e14349554c
commit 038a4c0756
147 changed files with 14947 additions and 1 deletions

340
Shorewall-common/COPYING Normal file

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.
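Review bot: the FSF postal address in this copy of the license (59 Temple Place, Suite 330, both in the header and again in the "How to Apply These Terms" section) is the pre-2005 one, while the INSTALL file and the Makefile headers added in this same commit use 51 Franklin Street, Fifth Floor; the GPLv2 text the FSF currently publishes carries the Franklin Street address, so refreshing COPYING from gnu.org would keep the project's license notices consistent. The license terms themselves are unaffected by that update.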

24
Shorewall-common/INSTALL Normal file

@ -0,0 +1,24 @@
Shoreline Firewall (Shorewall) Version 4
----- ----
-----------------------------------------------------------------------------
This program is free software; you can redistribute it and/or modify
it under the terms of Version 2 of the GNU General Public License
as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
---------------------------------------------------------------------------
Please see http://www.shorewall.net/Install.htm for installation
instructions.
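Review bot: the underline beneath the title on the second line is two dash fragments ("----- ----") rather than a rule matching the title width; cosmetic, but it reads as a leftover from an edit, and the full-width rules on the lines around it show the intended style.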

17
Shorewall-common/Makefile Normal file

@ -0,0 +1,17 @@
# Shorewall Makefile to restart if config-files are newer than last restart
VARDIR=$(shell /sbin/shorewall show vardir)
CONFDIR=/etc/shorewall
RESTOREFILE?=.restore
all: $(VARDIR)/${RESTOREFILE}
$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
@/sbin/shorewall -q save >/dev/null; \
if \
/sbin/shorewall -q restart >/dev/null 2>&1; \
then \
/sbin/shorewall -q save >/dev/null; \
else \
/sbin/shorewall -q restart 2>&1 | tail >&2; \
fi
# EOF
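Review bot: the recipe never fails the make run. When `/sbin/shorewall -q restart` fails, the else branch re-runs the restart only to show its output, and the exit status of that branch is the pipeline's, i.e. tail's, so make prints the last ten lines and reports success even though the firewall was not restarted; add `exit 1` after the `tail`, or capture the first attempt's output to a file and print that, which avoids a second compile and keeps more than the last ten lines. Two smaller points: the leading `/sbin/shorewall -q save` runs unconditionally and its status is discarded by the `;`, so a failed save is silent, and the prerequisite `$(CONFDIR)/*` watches only the top level of /etc/shorewall, so edits to files in subdirectories or to /usr/share/shorewall/action.* will not trigger a restart.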


@ -0,0 +1,82 @@
# Shorewall Packet Filtering Firewall Export Directory Makefile - V4.2
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2006 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
################################################################################
# Place this file in each export directory. Modify each copy to set HOST
# to the name of the remote firewall corresponding to the directory.
#
# To make the 'firewall' script, type "make".
#
# Once the script is compiling correctly, you can install it by
# typing "make install".
#
################################################################################
# V A R I A B L E S
#
# Files in the export directory on which the firewall script does not depend
#
IGNOREFILES = firewall% Makefile% trace% %~
#
# Remote Firewall system
#
HOST = gateway
#
# Save some typing
#
LITEDIR = /var/lib/shorewall-lite
#
# Set this if the remote system has a non-standard modules directory
#
MODULESDIR=
#
# Default target is the firewall script
#
################################################################################
# T A R G E T S
#
all: firewall
#
# Only generate the capabilities file if it doesn't already exist
#
capabilities:
ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
scp root@$(HOST):$(LITEDIR)/capabilities .
#
# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
# 'filter-out' will be presented with the list of files in this directory rather than "*"
#
firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
shorewall compile -e . firewall
#
# Only reload on demand.
#
install: firewall
scp firewall firewall.conf root@$(HOST):$(LITEDIR)
ssh root@$(HOST) "/sbin/shorewall-lite restart"
#
# Save running configuration
#
save:
ssh root@$(HOST) "/sbin/shorewall-lite save"
#
# Remove generated files
#
clean:
rm -f capabilities firewall firewall.conf reload
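Review bot: every remote step runs as root over ssh (`ssh root@$(HOST)` in `capabilities`, `install` and `save`; `scp ... root@$(HOST):$(LITEDIR)` in `install`), which requires the firewall to permit root logins, and because `install` copies a shell script that the remote then executes as root, a compromise of the build host is a compromise of the firewall; at minimum document that key-based authentication with a verified host key is expected, or use an unprivileged account with sudo limited to `shorewall-lite restart` and `save`. Smaller points: `$(MODULESDIR)` is interpolated unquoted into the remote command string in `capabilities`, so a value containing spaces or shell metacharacters is evaluated by the remote root shell (quote it); `clean` removes `reload`, which no rule in this file produces; and the comment "Default target is the firewall script" sits under the VARIABLES banner rather than beside the `all:` rule it describes.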


@ -0,0 +1 @@
This is the Shorewall-common Development 4.2 branch of SVN.


@ -0,0 +1,12 @@
#
# Shorewall version 4 - Accounting File
#
# For information about entries in this file, type "man shorewall-accounting"
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#####################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK
# PORT(S) PORT(S) GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -0,0 +1,53 @@
#
# Shorewall version 4 - Drop Action
#
# /usr/share/shorewall/action.Drop
#
# The default DROP common rules
#
# This action is invoked before a DROP policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that 'auth' requests are rejected, even if the policy is
# DROP. Otherwise, you may experience problems establishing
# connections with servers that use auth.
# c) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
#
###############################################################################
#TARGET SOURCE DEST PROTO DPORT SPORT
#
# Reject 'auth'
#
Auth/REJECT
#
# Don't log broadcasts
#
dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
#
dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
SMB/DROP
DropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
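Review bot: `AllowICMPs - - icmp` comes before `dropInvalid`, so ICMP of the types that macro accepts is matched before any INVALID-state check; that is the right order for the ICMP errors needed for path MTU discovery and similar, but the comment on `dropInvalid` ("these are usually ICMP packets") reads as if all stray ICMP is dropped, so state explicitly that the critical types were already accepted above. Also, the column header here (`#TARGET SOURCE DEST PROTO DPORT SPORT`) differs from the one in action.Reject in this same commit (`#TARGET SOURCE DEST PROTO`) although both files use the same entry syntax; pick one header for both.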


@ -0,0 +1,51 @@
#
# Shorewall version 4 - Reject Action
#
# /usr/share/shorewall/action.Reject
#
# The default REJECT action common rules
#
# This action is invoked before a REJECT policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
###############################################################################
#TARGET SOURCE DEST PROTO
#
# Don't log 'auth' -- REJECT
#
Auth/REJECT
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid
#
# Reject Microsoft noise so that it doesn't clutter up the log.
#
SMB/REJECT
DropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
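Review bot: the column header `#TARGET SOURCE DEST PROTO` stops at PROTO even though the entries below are positional and the sibling action.Drop header in this commit also lists DPORT and SPORT; align the two headers. The ordering point from action.Drop applies here too: `AllowICMPs - - icmp` precedes `dropInvalid`, which is what keeps the critical ICMP types flowing, and the parenthetical on `dropInvalid` ("these ICMPs cannot be rejected") would be clearer if it also said that the needed types were already accepted above.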


@ -0,0 +1,200 @@
#
# Shorewall version 4 - Action Template
#
# /etc/shorewall/action.template
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
# ACTION defined in /etc/shorewall/actions.
#
# To define a new action:
#
# 1. Add the <action name> to /etc/shorewall/actions
# 2. Copy this file to /etc/shorewall/action.<action name>
# 3. Add the desired rules to that file.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Columns are:
#
#
# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE, CONTINUE, a <macro>
# or a previously-defined <action>
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
# CONTINUE -- Stop processing this action and
# return to the point where the
# action was invoked.
# <action> -- An <action> defined in
# /etc/shorewall/actions.
# The <action> must appear in that
# file BEFORE the one being defined
# in this file.
# <macro> -- The name of a macro defined in a
# file named macro.<macro-name>. If
# the macro accepts an action
# parameter (Look at the macro
# source to see if it has PARAM in
# the TARGET column) then the macro
# name is followed by "/" and the
# action (ACCEPT, DROP, REJECT, ...)
# to be substituted for the
# parameter. Example: FTP/ACCEPT.
#
# The TARGET may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# ACCEPT:debugging). This causes the packet to be
# logged at the specified level.
#
# The special log level 'none' does not result in logging
# but rather exempts the rule from being overridden by a
# non-forcing log level when the action is invoked.
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies.
# A comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# 192.168.2.2 Host 192.168.2.2
#
# 155.186.235.0/24 Subnet 155.186.235.0/24
#
# 10.0.0.4-10.0.0.9 Range of IP addresses; your
# kernel and iptables must have
# iprange match support.
#
# +remote The name of an ipset prefaced
# by "+". Your kernel and
# iptables must have set match
# support
#
# +remote[4] The name of the ipset may
# followed by a number of
# levels of ipset bindings
# enclosed in square brackets.
#
# 192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2.
# ~00-A0-C9-15-39-78 Host with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# name. For example, eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., eth1:192.168.1.5).
#
# DEST Location of destination host. Same as above with
# the exception that MAC addresses are not allowed and
# that you cannot specify an ipset name in both the
# SOURCE and DEST columns.
#
# PROTO Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
# "ipp2p", "ipp2p:udp", "ipp2p:all", a number, or "all".
# "ipp2p*" requires ipp2p match support in your kernel
# and iptables.
#
# "tcp:syn" implies "tcp" plus the SYN flag must be
# set and the RST, ACK and FIN flags must be reset.
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following fields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this column:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named upnpd (This feature was
# #removed from Netfilter in kernel
# #version 2.6.14).
#
###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
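Review bot: the column header at the bottom lists ORIGINAL DEST between SOURCE PORT(S) and RATE LIMIT, but no ORIGINAL DEST entry appears among the column descriptions above (TARGET, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S), RATE LIMIT, USER/GROUP); either document the column or drop it from the header so users do not fill an undocumented position. Text fixes for the same hunk: the opening paragraph writes `/etc/shorewall/action.<action-name> where <action> is an ACTION`, using two placeholder names for one thing; `log level.This` is missing a space; `Actions specifying logging may be followed by a log tag (a string of alphanumeric characters) are appended to the string ...` has no main verb ("... a log tag ..., which is appended to ..."); `This column is ignored if PROTOCOL = all` refers to the column named PROTO; and `There may be no no whitespace` doubles "no".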

13
Shorewall-common/actions Normal file

@ -0,0 +1,13 @@
#
# Shorewall version 4 - Actions File
#
# /etc/shorewall/actions
#
# For information about entries in this file, type "man shorewall-actions"
#
# Please see http://shorewall.net/Actions.html for additional information.
#
###############################################################################
#ACTION COMMENT (place '# ' below the 'C' in comment followed by
# v a comment describing the action)
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


@ -0,0 +1,35 @@
#
# Shorewall version 4 - Actions.std File
#
# /usr/share/shorewall/actions.std
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Builtin Actions are:
#
# allowBcast # Silently Allow Broadcast/multicast
# dropBcast # Silently Drop Broadcast/multicast
# dropNotSyn # Silently Drop Non-syn TCP packets
# rejNotSyn # Silently Reject Non-syn TCP packets
# dropInvalid # Silently Drop packets that are in the INVALID
# # conntrack state.
# allowInvalid # Accept packets that are in the INVALID
# # conntrack state.
# allowoutUPnP # Allow traffic from local command 'upnpd' (does not
# # work with kernel 2.6.14 and later).
# allowinUPnP # Allow UPnP inbound (to firewall) traffic
# forwardUPnP # Allow traffic that upnpd has redirected from
# # 'upnp' interfaces.
# drop1918src # Drop packets with an RFC 1918 source address
# drop1918dst # Drop packets with an RFC 1918 original dest address
# rej1918src # Reject packets with an RFC 1918 source address
# rej1918dst # Reject packets with an RFC 1918 original dest address
# Limit # Limit the rate of connections from each individual
# # IP address
#
###############################################################################
#ACTION
Drop # Default Action for DROP policy
Reject # Default Action for REJECT policy
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

11
Shorewall-common/blacklist Executable file

@ -0,0 +1,11 @@
#
# Shorewall version 4 - Blacklist File
#
# For information about entries in this file, type "man shorewall-blacklist"
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
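Review bot: this file is added with the executable bit set (the header shows "Executable file") while the sibling configuration files in this commit (actions, hosts, ecn, continue, init) are "Normal file". It has no shebang and is only ever read by the compiler, so it should be installed 0644 like the others; an executable file under /etc/shorewall is also the kind of thing a file-integrity check will flag.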


@ -0,0 +1,61 @@
Changes in Shorewall 4.2.3
1) Verify User/Group names.
2) Don't allow compiled script named 'shorewall'.
3) Avoid problems when '$' appears on the first line of
/etc/shorewall/compile.
4) Add the output of "netstat -tunap" to dump
5) Allow '+' as an interface.
6) Change ipp2p detection to support latest version.
7) Fix NEW_CONNTRACK_MATCH.
8) Make use of --goto.
9) Allow ressetting individual chains.
Changes in Shorewall 4.2.2
1) Insure that lines copied from a user file are newline-terminated.
2) Added macro.JAP.
3) Added macro.DAAP.
4) Added macro.DCC.
5) Added macro.GNUnet.
6) Prevent invalid rules when KLUDGEFREE is not set.
7) Separated detection of old conntrack syntax from new conntrack
feature detection.
8) Fix nonat rules with destination IP address.
9) Correct NEW_CONNTRACK_MATCH with server port but no dest port.
Changes in Shorewall 4.2.1
1) Added CONNBYTES to tcrules manpage. Flesh out description of HELPER.
2) Fixed minor CONNBYTES editing issue.
3) Add CONNLIMIT to policy and rules.
4) Allow use of iptables-1.4.1.
5) Add time match support.
6) Applied Lennart Sorensen's patch for length match.
7) Take advantage of --ctorigdstport
8) Fix syntax error in 'export'
Initial release of Shorewall 4.2.0.
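Review bot: two spelling fixes in this changelog: item 9 of 4.2.3 "Allow ressetting individual chains" should read "resetting", and item 1 of 4.2.2 "Insure that lines copied from a user file are newline-terminated" should read "Ensure". Items such as "Fix NEW_CONNTRACK_MATCH" and "Make use of --goto" give no hint of what was wrong or what changed; a few words each (which case was broken, which chains now use --goto) would make the log usable when bisecting a regression.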


@ -0,0 +1,13 @@
#
# Shorewall version 4 - Default Config Path
#
# /usr/share/shorewall/configpath
#
# Note to maintainers.
#
# The CONFDIR variable is normally set to /etc/shorewall but when
# the command is "compile -e" then CONFDIR is set to
# /usr/share/shorewall/configfiles/. This prevents 'compile -e'
# from trying to use configuration information from /etc/shorewall.
CONFIG_PATH=${CONFDIR}:/usr/share/shorewall

14
Shorewall-common/continue Normal file

@ -0,0 +1,14 @@
#
# Shorewall version 4 - Continue File
#
# /etc/shorewall/continue
#
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing
# connections.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -0,0 +1,24 @@
# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start
startup=0
# if your Shorewall configuration requires detection of the ip address of a ppp
# interface, you must list such interfaces in "wait_interface" to get Shorewall to
# wait until the interface is configured. Otherwise the script will fail because
# it won't be able to detect the IP address.
#
# Example:
# wait_interface="ppp0"
# or
# wait_interface="ppp0 ppp1"
# or, if you have defined in /etc/shorewall/params
# wait_interface=
#
# Startup options
#
OPTIONS=""
# EOF
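Review bot: the third wait_interface example is unfinished: "or, if you have defined in /etc/shorewall/params / wait_interface=" names neither the params variable nor how it is referenced, so either complete it (for example showing a variable set in params and expanded here) or drop it. Also "set the following varible to 1" should read "variable". The `startup=0` default is the right choice, since the Debian init script in this commit refuses to run until it is changed.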

11
Shorewall-common/ecn Normal file

@ -0,0 +1,11 @@
#
# Shorewall version 4 - Ecn File
#
# For information about entries in this file, type "man shorewall-ecn"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-ecn.html
#
###############################################################################
#INTERFACE HOST(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

104
Shorewall-common/fallback.sh Executable file

@ -0,0 +1,104 @@
#!/bin/sh
#
# Script to back out the installation of Shoreline Firewall and to restore the previous version of
# the program
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Usage:
#
# You may only use this script to back out the installation of the version
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.2.3
usage() # $1 = exit status
{
echo "usage: $(basename $0)"
exit $1
}
restore_directory() # $1 = directory to restore
{
if [ -d ${1}-${VERSION}.bkout ]; then
if mv -f $1 ${1}-${VERSION} && mv ${1}-${VERSION}.bkout $1; then
echo
echo "$1 restored"
rm -rf ${1}-${VERSION}
else
echo "ERROR: Could not restore $1"
exit 1
fi
fi
}
restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
{
if [ -n "$2" ]; then
local file
file=$(basename $1)
if [ -f $2/$file ]; then
if mv -f $2/$file $1 ; then
echo
echo "$1 restored"
return
fi
echo "ERROR: Could not restore $1"
exit 1
fi
fi
if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
if (mv -f ${1}-${VERSION}.bkout $1); then
echo
echo "$1 restored"
else
echo "ERROR: Could not restore $1"
exit 1
fi
fi
}
if [ ! -f /usr/share/shorewall-${VERSION}.bkout/version ]; then
echo "Shorewall Version $VERSION is not installed"
exit 1
fi
echo "Backing Out Installation of Shorewall $VERSION"
if [ -L /usr/share/shorewall/init ]; then
FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
restore_file $FIREWALL /usr/share/shorewall-${VERSION}.bkout
else
restore_file /etc/init.d/shorewall /usr/share/shorewall-${VERSION}.bkout
fi
restore_file /sbin/shorewall /var/lib/shorewall-${VERSION}.bkout
restore_directory /etc/shorewall
restore_directory /usr/share/shorewall
restore_directory /var/lib/shorewall
echo "Shorewall Restored to Version $(cat /usr/share/shorewall/version)"
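Review bot: in the `-L /usr/share/shorewall/init` branch, `FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')` recovers the symlink target by parsing ls output; `readlink /usr/share/shorewall/init` does the same thing directly and is not confused by a target path that itself contains "> ". In restore_directory, if `mv -f $1 ${1}-${VERSION}` succeeds but the following `mv ${1}-${VERSION}.bkout $1` fails, the script exits with the live directory already moved aside (no /etc/shorewall at all); a second attempt to move `${1}-${VERSION}` back before exiting would leave the system in the state it was in. All path arguments in both restore functions are unquoted, which is fine for the fixed paths used here but worth quoting since the functions take arbitrary arguments.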

669
Shorewall-common/firewall Executable file

@ -0,0 +1,669 @@
#!/bin/sh
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped.
#
# Commands are:
#
# firewall stop Stops the firewall
# firewall reset Resets iptables packet and
# byte counts
# firewall clear Remove all Shorewall chains
# and rules/policies.
# firewall add <iface>[:<host>] zone Adds a host or subnet to a zone
# firewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
#
#
# Fatal error -- stops the firewall after issuing the error message
#
fatal_error() # $* = Error Message
{
echo " ERROR: $@" >&2
stop_firewall
exit 2
}
#
# Fatal error during startup -- generate an error message and abend without
# altering the state of the firewall
#
startup_error() # $* = Error Message
{
echo " ERROR: $@" >&2
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
kill $$
exit 2
}
#
# Send a message to STDOUT and the System Log
#
report () { # $* = message
progress_message3 "$@"
logger -p kern.info "$@"
}
#
# Run iptables and if an error occurs, stop the firewall and quit
#
run_iptables() {
if [ -z "$KLUDGEFREE" ]; then
#
# Purge the temporary files that we use to prevent duplicate '-m' specifications
#
[ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
fi
if ! $IPTABLES $@ ; then
if [ -z "$STOPPING" ]; then
error_message "ERROR: Command \"$IPTABLES $@\" Failed"
stop_firewall
exit 2
fi
fi
}
#
# Version of 'run_iptables' that inserts white space after "!" in the arg list
#
run_iptables2() {
case "$@" in
*!*)
run_iptables $(fix_bang $@)
;;
*)
run_iptables $@
;;
esac
}
#
# Quietly run iptables
#
qt_iptables() {
if [ -z "$KLUDGEFREE" ]; then
#
# Purge the temporary files that we use to prevent duplicate '-m' specifications
#
[ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
fi
qt $IPTABLES $@
}
#
# Run ip and if an error occurs, stop the firewall and quit
#
run_ip() {
if ! ip $@ ; then
if [ -z "$STOPPING" ]; then
error_message "ERROR: Command \"ip $@\" Failed"
stop_firewall
exit 2
fi
fi
}
#
# Run tc and if an error occurs, stop the firewall and quit
#
run_tc() {
if ! tc $@ ; then
if [ -z "$STOPPING" ]; then
error_message "ERROR: Command \"tc $@\" Failed"
stop_firewall
exit 2
fi
fi
}
#
# Delete a chain if it exists
#
deletechain() # $1 = name of chain
{
qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
}
#
# Find broadcast addresses -- if we are compiling a script and 'detect' is specified for an interface
# the function returns nothing for that interface
#
find_broadcasts() {
for interface in $ALL_INTERFACES; do
eval bcast=\$$(chain_base $interface)_broadcast
if [ "x$bcast" = "xdetect" ]; then
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
elif [ "x${bcast}" != "x-" ]; then
echo $(separate_list $bcast)
fi
done
}
#
# For each entry in the CRITICALHOSTS global list, add INPUT and OUTPUT rules to
# enable traffic to/from those hosts.
#
enable_critical_hosts()
{
for host in $CRITICALHOSTS; do
interface=${host%:*}
networks=${host#*:}
$IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
done
}
#
# For each entry in the CRITICALHOSTS global list, delete the INPUT and OUTPUT rules that
# enable traffic to/from those hosts.
#
disable_critical_hosts()
{
for host in $CRITICALHOSTS; do
interface=${host%:*}
networks=${host#*:}
$IPTABLES -D INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
$IPTABLES -D OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
done
}
#
# Undo changes to routing
#
undo_routing() {
#
# Restore rt_tables database
#
if [ -f ${VARDIR}/rt_tables ]; then
[ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
rm -f ${VARDIR}/rt_tables
fi
#
# Restore the rest of the routing table
#
if [ -f ${VARDIR}/undo_routing ]; then
. ${VARDIR}/undo_routing
progress_message "Shorewall-generated routing tables and routing rules removed"
rm -f ${VARDIR}/undo_routing
fi
}
restore_default_route() {
if [ -f ${VARDIR}/default_route ]; then
local default_route
default_route=
local route
while read route ; do
case $route in
default*)
if [ -n "$default_route" ]; then
case "$default_route" in
*metric*)
#
# Don't restore a route with a metric -- we only replace the one with metric == 0
#
qt ip route delete default metric 0 && \
progress_message "Default Route with metric 0 deleted"
;;
*)
qt ip route replace $default_route && \
progress_message "Default Route (${default_route# }) restored"
;;
esac
break
fi
default_route="$default_route $route"
;;
*)
default_route="$default_route $route"
;;
esac
done < ${VARDIR}/default_route
rm -f ${VARDIR}/default_route
fi
}
#
# Stop the Firewall
#
stop_firewall() {
#
# Turn off trace unless we were tracing "stop" or "clear"
#
[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
case $COMMAND in
stop|clear)
;;
*)
set +x
[ -n "${RESTOREFILE:=restore}" ]
RESTOREPATH=${VARDIR}/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
progress_message2 Restoring Ipsets...
#
# We must purge iptables to be sure that there are no
# references to ipsets
#
for table in mangle nat filter; do
iptables -t $table -F
iptables -t $table -X
done
${RESTOREPATH}-ipsets
fi
echo Restoring Shorewall...
if $RESTOREPATH restore; then
echo "Shorewall restored from $RESTOREPATH"
set_state "Started"
else
set_state "Unknown"
fi
kill $$
exit 2
fi
;;
esac
set_state "Stopping"
STOPPING="Yes"
TERMINATOR=
deletechain shorewall
run_user_exit stop
if [ -n "$MANGLE_ENABLED" ]; then
run_iptables -t mangle -F
run_iptables -t mangle -X
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
qt $IPTABLES -t mangle -P $chain ACCEPT
done
fi
if [ -n "$RAW_TABLE" ]; then
run_iptables -t raw -F
run_iptables -t raw -X
for chain in PREROUTING OUTPUT; do
qt $IPTABLES -t raw -P $chain ACCEPT
done
fi
if [ -n "$NAT_ENABLED" ]; then
delete_nat
for chain in PREROUTING POSTROUTING OUTPUT; do
qt $IPTABLES -t nat -P $chain ACCEPT
done
fi
delete_proxy_arp
[ -n "$CLEAR_TC" ] && delete_tc1
undo_routing
restore_default_route
[ -n "$DISABLE_IPV6" ] && disable_ipv6
undo_routing
restore_default_route
process_criticalhosts
if [ -n "$CRITICALHOSTS" ]; then
if [ -z "$ADMINISABSENTMINDED" ]; then
for chain in INPUT OUTPUT; do
setpolicy $chain ACCEPT
done
setpolicy FORWARD DROP
deleteallchains
enable_critical_hosts
for chain in INPUT OUTPUT; do
setpolicy $chain DROP
done
else
for chain in INPUT OUTPUT; do
setpolicy $chain ACCEPT
done
setpolicy FORWARD DROP
deleteallchains
enable_critical_hosts
setpolicy INPUT DROP
for chain in INPUT FORWARD; do
setcontinue $chain
done
fi
elif [ -z "$ADMINISABSENTMINDED" ]; then
for chain in INPUT OUTPUT FORWARD; do
setpolicy $chain DROP
done
deleteallchains
else
for chain in INPUT FORWARD; do
setpolicy $chain DROP
done
setpolicy OUTPUT ACCEPT
deleteallchains
for chain in INPUT FORWARD; do
setcontinue $chain
done
fi
process_routestopped -A
$IPTABLES -A INPUT -i lo -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
$IPTABLES -A OUTPUT -o lo -j ACCEPT
for interface in $(find_interfaces_by_option dhcp); do
$IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
$IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
#
# This might be a bridge
#
$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
done
case "$IP_FORWARDING" in
On|on|ON|Yes|yes|YES)
echo 1 > /proc/sys/net/ipv4/ip_forward
progress_message2 "IP Forwarding Enabled"
;;
Off|off|OFF|No|no|NO)
echo 0 > /proc/sys/net/ipv4/ip_forward
progress_message2 "IP Forwarding Disabled!"
;;
esac
run_user_exit stopped
set_state "Stopped"
logger -p kern.info "Shorewall Stopped"
rm -rf $TMP_DIR
case $COMMAND in
stop|clear)
;;
*)
#
# The firewall is being stopped when we were trying to do something
# else. Remove the lock file and Kill the shell in case we're in a
# subshell
#
kill $$
;;
esac
}
#
# Remove all rules and remove all user-defined chains
#
clear_firewall() {
stop_firewall
setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
run_iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
if [ -n "$DISABLE_IPV6" ] && qt mywhich ip6tables; then
ip6tables -P INPUT ACCEPT 2> /dev/null
ip6tables -P OUTPUT ACCEPT 2> /dev/null
ip6tables -P FORWARD ACCEPT 2> /dev/null
fi
run_user_exit clear
set_state "Cleared"
logger -p kern.info "Shorewall Cleared"
}
#
# Delete existing Proxy ARP
#
delete_proxy_arp() {
if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do
qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
[ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp
fi
rm -f ${VARDIR}/proxyarp
}
#
# Delete existing Static NAT
#
delete_nat() {
run_iptables -t nat -F
run_iptables -t nat -X
if [ -f ${VARDIR}/nat ]; then
while read external interface; do
qt ip addr del $external dev $interface
done < ${VARDIR}/nat
rm -f ${VARDIR}/nat
fi
[ -d ${VARDIR} ] && touch ${VARDIR}/nat
}
#
# Check for disabled startup
#
check_disabled_startup() {
if [ -z "$STARTUP_ENABLED" ]; then
echo " Shorewall Startup is disabled -- to enable startup"
echo " after you have completed Shorewall configuration,"
echo " change the setting of STARTUP_ENABLED to Yes in"
echo " ${CONFDIR}/shorewall.conf"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
exit 2
fi
}
#
# Give Usage Information
#
usage() {
echo "Usage: $0 [debug] {start|stop|reset|restart|clear}"
exit 1
}
#
# E X E C U T I O N B E G I N S H E R E
#
#
# Start trace if first arg is "debug" or "trace"
#
[ $# -gt 1 ] && [ "x$1" = xdebug -o "$x$1" = xtrace ] && { set -x ; shift ; }
NOLOCK=
[ $# -gt 1 ] && [ "$1" = "nolock" ] && { NOLOCK=Yes; shift ; }
SHAREDIR=/usr/share/shorewall
CONFDIR=/etc/shorewall
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
[ -n "${VARDIR:=/var/lib/shorewall}" ]
for library in lib.base lib.config; do
FUNCTIONS=${SHAREDIR}/${library}
if [ -f $FUNCTIONS ]; then
[ $VERBOSE -ge 2 ] && echo "Loading $FUNCTIONS..."
. $FUNCTIONS
else
fatal_error "Installation error: $FUNCTIONS does not exist!"
fi
done
PROGRAM=firewall
COMMAND="$1"
case "$COMMAND" in
stop)
[ $# -ne 1 ] && usage
do_initialize
#
# Don't want to do a 'stop' when startup is disabled
#
check_disabled_startup
progress_message3 "Stopping Shorewall..."
stop_firewall
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
;;
reset)
do_initialize
if ! shorewall_is_started ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
exit 2;
fi
if [ $# -eq 1 ]; then
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
report "Shorewall Counters Reset"
date > ${VARDIR}/restarted
else
shift;
for chain in $@; do
if chain_exists $chain; then
if qt $IPTABLES -Z $chain; then
progress_message3 "Filter table $chain Counters Reset"
else
error_message "ERROR: Reset of chain $chain failed"
status=2
break
fi
else
error_message "WARNING: Filter Chain $chain does not exist"
fi
done
fi
;;
clear)
[ $# -ne 1 ] && usage
do_initialize
progress_message3 "Clearing Shorewall..."
clear_firewall
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
;;
add)
[ $# -lt 3 ] && usage
do_initialize
lib_load dynamiczones "The add command"
if ! shorewall_is_started ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
exit 2;
fi
shift
add_to_zone $@
;;
delete)
[ $# -lt 3 ] && usage
lib_load dynamiczones "The delete command"
do_initialize
if ! shorewall_is_started ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
exit 2;
fi
shift
delete_from_zone $@
;;
call)
#
# Undocumented way to call functions in ${SHAREDIR}/firewall directly
#
shift
do_initialize
EMPTY=
$@
;;
*)
usage
;;
esac
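Review bot: several small logic defects in this file. In undo_routing, `[ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ]` tests a file named rt_table while the cp and the progress message both use rt_tables, so the database is never restored unless a differently named file happens to exist. The trace check `[ "x$1" = xdebug -o "$x$1" = xtrace ]` expands an unset `$x`, so `trace` is never recognised; it should be `"x$1" = xtrace`. The line `[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]` has a stray trailing `]`, which some shells pass to the sourced file as a positional parameter. In stop_firewall, `undo_routing` and `restore_default_route` are called twice (once before and once after `disable_ipv6`); the second pair is a no-op at best. The ipset purge loop uses bare `iptables -t $table -F` / `-X` rather than `$IPTABLES`, unlike the rest of the file. Finally, `fatal_error` at the library-loading loop calls stop_firewall before lib.base and lib.config are loaded, so on an installation error it will fail with undefined set_state/run_user_exit rather than the intended message; startup_error would be the safer choice there.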

11
Shorewall-common/hosts Normal file

@ -0,0 +1,11 @@
#
# Shorewall version 4 - Hosts file
#
# For information about entries in this file, type "man shorewall-hosts"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-hosts.html
#
###############################################################################
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

13
Shorewall-common/init Normal file

@ -0,0 +1,13 @@
#
# Shorewall version 4 - Init File
#
# /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -0,0 +1,58 @@
#!/bin/bash
OPTIONS="-f"
if [ -f /etc/sysconfig/shorewall ] ; then
. /etc/sysconfig/shorewall
elif [ -f /etc/default/shorewall ] ; then
. /etc/default/shorewall
fi
# if you want to override options, do so in /etc/sysconfig/shorewall or
# in /etc/default/shorewall --
# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
. /etc/rc.conf
. /etc/rc.d/functions
DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon.
case "$1" in
start)
stat_busy "Starting $DAEMON_NAME"
/sbin/shorewall $OPTIONS start &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
add_daemon $DAEMON_NAME
stat_done
fi
;;
stop)
stat_busy "Stopping $DAEMON_NAME"
/sbin/shorewall stop &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
rm_daemon $DAEMON_NAME
stat_done
fi
;;
restart|reload)
stat_busy "Restarting $DAEMON_NAME"
/sbin/shorewall restart &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
stat_done
fi
;;
*)
echo "usage: $0 {start|stop|restart}"
esac
exit 0
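Review bot: every path ends in `exit 0`, including the `stat_fail` branches and the usage fallback, so rc.d cannot tell that `shorewall start` failed and the host may come up with no firewall while the init system reports success; return a non-zero status after `stat_fail` and from the usage branch. Minor: the comment "of course shorewall is NOT a deamon" should read "daemon".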

129
Shorewall-common/init.debian.sh Executable file

@ -0,0 +1,129 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: shorewall
# Required-Start: $network
# Required-Stop: $network
# Default-Start: S
# Default-Stop: 0 6
# Short-Description: Configure the firewall at boot time
# Description: Configure the firewall according to the rules specified in
# /etc/shorewall
### END INIT INFO
SRWL=/sbin/shorewall
SRWL_OPTS="-tvv"
WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
# Note, set INITLOG to /dev/null if you do not want to
# keep logs of the firewall (not recommended)
INITLOG=/var/log/shorewall-init.log
test -x $SRWL || exit 0
test -x $WAIT_FOR_IFUP || exit 0
test -n $INITLOG || {
echo "INITLOG cannot be empty, please configure $0" ;
exit 1;
}
if [ "$(id -u)" != "0" ]
then
echo "You must be root to start, stop or restart \"Shorewall firewall\"."
exit 1
fi
echo_notdone () {
if [ "$INITLOG" = "/dev/null" ] ; then
echo "not done."
else
echo "not done (check $INITLOG)."
fi
}
not_configured () {
echo "#### WARNING ####"
echo "The firewall won't be started/stopped unless it is configured"
if [ "$1" != "stop" ]
then
echo ""
echo "Please read about Debian specific customization in"
echo "/usr/share/doc/shorewall-common/README.Debian.gz."
fi
echo "#################"
exit 0
}
# check if shorewall is configured or not
if [ -f "/etc/default/shorewall" ]
then
. /etc/default/shorewall
SRWL_OPTS="$SRWL_OPTS $OPTIONS"
if [ "$startup" != "1" ]
then
not_configured
fi
else
not_configured
fi
# wait for an unconfigured interface
wait_for_pppd () {
if [ "$wait_interface" != "" ]
then
for i in $wait_interface
do
$WAIT_FOR_IFUP $i 90
done
fi
}
# start the firewall
shorewall_start () {
echo -n "Starting \"Shorewall firewall\": "
wait_for_pppd
$SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
# stop the firewall
shorewall_stop () {
echo -n "Stopping \"Shorewall firewall\": "
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
# restart the firewall
shorewall_restart () {
echo -n "Restarting \"Shorewall firewall\": "
$SRWL $SRWL_OPTS restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
# refresh the firewall
shorewall_refresh () {
echo -n "Refreshing \"Shorewall firewall\": "
$SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
case "$1" in
start)
shorewall_start
;;
stop)
shorewall_stop
;;
refresh)
shorewall_refresh
;;
force-reload|restart)
shorewall_restart
;;
*)
echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload}"
exit 1
esac
exit 0
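Review bot: `shorewall_stop` runs `$SRWL $SRWL_OPTS clear` rather than `stop`. In the firewall script added in this same commit, `clear` sets the INPUT, FORWARD and OUTPUT policies to ACCEPT and writes 1 to ip_forward, so `/etc/init.d/shorewall stop` leaves the host fully open and routing, whereas `stop` keeps the routestopped and critical-host rules and honours IP_FORWARDING. If that is deliberate for Debian shutdown (Default-Stop: 0 6 limits it to halt and reboot), say so in a comment, since anyone running `stop` by hand to "turn the firewall off for a moment" gets more than they expect. Separately, `test -n $INITLOG` is unquoted, so with an empty INITLOG it becomes `test -n`, which is true, and the guard never fires; write `test -n "$INITLOG"`.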

90
Shorewall-common/init.sh Executable file

@ -0,0 +1,90 @@
#!/bin/sh
RCDLINKS="2,S41 3,S41 6,K41"
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called /etc/init.d/shorewall.
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped.
#
# Commands are:
#
# shorewall start Starts the firewall
# shorewall restart Restarts the firewall
# shorewall reload Reload the firewall
# (same as restart)
# shorewall stop Stops the firewall
# shorewall status Displays firewall status
#
# chkconfig: 2345 25 90
# description: Packet filtering firewall
### BEGIN INIT INFO
# Provides: shorewall
# Required-Start: $local_fs $remote_fs $syslog
# Should-Start: VMware $time $named
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: starts and stops the shorewall firewall
### END INIT INFO
################################################################################
# Give Usage Information #
################################################################################
usage() {
echo "Usage: $0 start|stop|reload|restart|status"
exit 1
}
################################################################################
# Get startup options (override default)
################################################################################
OPTIONS="-v0"
if [ -f /etc/sysconfig/shorewall ]; then
. /etc/sysconfig/shorewall
elif [ -f /etc/default/shorewall ] ; then
. /etc/default/shorewall
fi
################################################################################
# E X E C U T I O N B E G I N S H E R E #
################################################################################
command="$1"
case "$command" in
start|restart|stop)
exec /sbin/shorewall $OPTIONS $@
;;
stop|restart|status)
exec /sbin/shorewall $@
;;
reload)
shift
exec /sbin/shorewall $OPTIONS restart $@
;;
*)
usage
;;
esac
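Review bot: the case patterns overlap: `start|restart|stop)` is matched first, so the `stop|restart|status)` branch only ever handles `status`, and `stop` is run with `$OPTIONS` (-v0) contrary to what the second branch implies. Pick one branch for `stop` and `restart` and delete it from the other. Also `$@` is unquoted in all three exec lines; use `"$@"` so that options containing spaces survive.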

14
Shorewall-common/initdone Executable file

@ -0,0 +1,14 @@
#
# Shorewall version 4 - Initdone File
#
# /etc/shorewall/initdone
#
# Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
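Review bot: "perminent rules" should read "permanent rules". As with the blacklist file, this extension-script template is added as "Executable file" although it contains only comments and is sourced, not executed, by the firewall script; install it 0644 like the init and continue templates in this commit.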

776
Shorewall-common/install.sh Executable file

@ -0,0 +1,776 @@
#!/bin/sh
#
# Script to install Shoreline Firewall
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.2.3
usage() # $1 = exit status
{
ME=$(basename $0)
echo "usage: $ME"
echo " $ME -v"
echo " $ME -h"
echo " $ME -n"
exit $1
}
split() {
local ifs
ifs=$IFS
IFS=:
set -- $1
echo $*
IFS=$ifs
}
qt()
{
"$@" >/dev/null 2>&1
}
mywhich() {
local dir
for dir in $(split $PATH); do
if [ -x $dir/$1 ]; then
echo $dir/$1
return 0
fi
done
return 2
}
run_install()
{
if ! install $*; then
echo
echo "ERROR: Failed to install $*" >&2
exit 1
fi
}
cant_autostart()
{
echo
echo "WARNING: Unable to configure shorewall to start automatically at boot" >&2
}
backup_directory() # $1 = directory to backup
{
if [ -d $1 ]; then
if cp -a $1 ${1}-${VERSION}.bkout ; then
echo
echo "$1 saved to ${1}-${VERSION}.bkout"
else
exit 1
fi
fi
}
backup_file() # $1 = file to backup, $2 = (optional) Directory in which to create the backup
{
if [ -z "${PREFIX}{NOBACKUP}" ]; then
if [ -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
if [ -n "$2" ]; then
if [ -d $2 ]; then
if cp -f $1 $2 ; then
echo
echo "$1 saved to $2/$(basename $1)"
else
exit 1
fi
fi
elif cp $1 ${1}-${VERSION}.bkout; then
echo
echo "$1 saved to ${1}-${VERSION}.bkout"
else
exit 1
fi
fi
fi
}
delete_file() # $1 = file to delete
{
rm -f $1
}
install_file() # $1 = source $2 = target $3 = mode
{
run_install $OWNERSHIP -m $3 $1 ${2}
}
install_file_with_backup() # $1 = source $2 = target $3 = mode $4 = (optional) backup directory
{
backup_file $2 $4
run_install $OWNERSHIP -m $3 $1 ${2}
}
#
# Parse the run line
#
# DEST is the SysVInit script directory
# INIT is the name of the script in the $DEST directory
# RUNLEVELS is the chkconfig parmeters for firewall
# ARGS is "yes" if we've already parsed an argument
#
ARGS=""
if [ -z "$DEST" ] ; then
DEST="/etc/init.d"
fi
if [ -z "$INIT" ] ; then
INIT="shorewall"
fi
if [ -z "$RUNLEVELS" ] ; then
RUNLEVELS=""
fi
DEBIAN=
CYGWIN=
case $(uname) in
CYGWIN*)
DEST=
INIT=
OWNER=$(id -un)
GROUP=$(id -gn)
CYGWIN=Yes
;;
*)
[ -z "$OWNER" ] && OWNER=root
[ -z "$GROUP" ] && GROUP=root
;;
esac
OWNERSHIP="-o $OWNER -g $GROUP"
NOBACKUP=
while [ $# -gt 0 ] ; do
case "$1" in
-h|help|?)
usage 0
;;
-v)
echo "Shorewall Firewall Installer Version $VERSION"
exit 0
;;
-n)
NOBACKUP=Yes
;;
*)
usage 1
;;
esac
shift
ARGS="yes"
done
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# Determine where to install the firewall script
#
if [ -n "$PREFIX" ]; then
if [ -z "$CYGWIN" ]; then
if [ `id -u` != 0 ] ; then
echo "Not setting file owner/group permissions, not running as root."
OWNERSHIP=""
fi
install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
fi
else
[ -x /usr/share/shorewall-shell/compiler -o -x /usr/share/shorewall-perl/compiler.pl ] || \
{ echo " ERROR: No Shorewall compiler is installed" >&2; exit 1; }
if [ -z "$CYGWIN" ]; then
if [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
DEBIAN=yes
elif [ -f /etc/slackware-version ] ; then
DEST="/etc/rc.d"
INIT="rc.firewall"
elif [ -f /etc/arch-release ] ; then
DEST="/etc/rc.d"
INIT="shorewall"
ARCHLINUX=yes
fi
fi
fi
#
# Change to the directory containing this script
#
cd "$(dirname $0)"
echo "Installing Shorewall-common Version $VERSION"
#
# Check for /etc/shorewall
#
if [ -d ${PREFIX}/etc/shorewall ]; then
first_install=""
if [ -z "$NOBACKUP" ]; then
backup_directory ${PREFIX}/etc/shorewall
backup_directory ${PREFIX}/usr/share/shorewall
backup_directory ${PREFIX}/var/lib/shorewall
fi
else
first_install="Yes"
fi
if [ -z "$CYGWIN" ]; then
install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0755 ${PREFIX}/var/lib/shorewall-${VERSION}.bkout
echo "shorewall control program installed in ${PREFIX}/sbin/shorewall"
else
install_file_with_backup shorewall ${PREFIX}/bin/shorewall 0755 ${PREFIX}/var/lib/shorewall-${VERSION}.bkout
echo "shorewall control program installed in ${PREFIX}/bin/shorewall"
fi
#
# Install the Firewall Script
#
if [ -n "$DEBIAN" ]; then
install_file_with_backup init.debian.sh /etc/init.d/shorewall 0544 ${PREFIX}/usr/share/shorewall-${VERSION}.bkout
elif [ -n "$ARCHLINUX" ]; then
install_file_with_backup init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-${VERSION}.bkout
elif [ -n "$INIT" ]; then
install_file_with_backup init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-${VERSION}.bkout
fi
[ -n "$CYGWIN" ] || echo "Shorewall script installed in ${PREFIX}${DEST}/$INIT"
#
# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
#
mkdir -p ${PREFIX}/etc/shorewall
mkdir -p ${PREFIX}/usr/share/shorewall
mkdir -p ${PREFIX}/usr/share/shorewall/configfiles
mkdir -p ${PREFIX}/var/lib/shorewall
chmod 755 ${PREFIX}/etc/shorewall
chmod 755 ${PREFIX}/usr/share/shorewall
chmod 755 ${PREFIX}/usr/share/shorewall/configfiles
#
# Install the config file
#
run_install $OWNERSHIP -m 0644 shorewall.conf ${PREFIX}/usr/share/shorewall/configfiles/shorewall.conf
qt mywhich perl && perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall|;' ${PREFIX}/usr/share/shorewall/configfiles/shorewall.conf
if [ ! -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
run_install $OWNERSHIP -m 0644 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
fi
if [ -n "$ARCHLINUX" ] ; then
sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall/shorewall.conf
fi
#
# Install the zones file
#
run_install $OWNERSHIP -m 0644 zones ${PREFIX}/usr/share/shorewall/configfiles/zones
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/zones ]; then
run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall/zones
echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
fi
delete_file ${PREFIX}/usr/share/shorewall/compiler
delete_file ${PREFIX}/usr/share/shorewall/lib.accounting
delete_file ${PREFIX}/usr/share/shorewall/lib.actions
delete_file ${PREFIX}/usr/share/shorewall/lib.dynamiczones
delete_file ${PREFIX}/usr/share/shorewall/lib.maclist
delete_file ${PREFIX}/usr/share/shorewall/lib.nat
delete_file ${PREFIX}/usr/share/shorewall/lib.providers
delete_file ${PREFIX}/usr/share/shorewall/lib.proxyarp
delete_file ${PREFIX}/usr/share/shorewall/lib.tc
delete_file ${PREFIX}/usr/share/shorewall/lib.tcrules
delete_file ${PREFIX}/usr/share/shorewall/lib.tunnels
delete_file ${PREFIX}/usr/share/shorewall/prog.header
delete_file ${PREFIX}/usr/share/shorewall/prog.footer
#
# Install wait4ifup
#
install_file wait4ifup ${PREFIX}/usr/share/shorewall/wait4ifup 0755
echo
echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall/wait4ifup"
#
# Install the policy file
#
run_install $OWNERSHIP -m 0644 policy ${PREFIX}/usr/share/shorewall/configfiles/policy
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/policy ]; then
run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall/policy
echo "Policy file installed as ${PREFIX}/etc/shorewall/policy"
fi
#
# Install the interfaces file
#
run_install $OWNERSHIP -m 0644 interfaces ${PREFIX}/usr/share/shorewall/configfiles/interfaces
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/interfaces ]; then
run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
fi
#
# Install the ipsec file
#
run_install $OWNERSHIP -m 0644 ipsec ${PREFIX}/usr/share/shorewall/configfiles/ipsec
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/ipsec ]; then
run_install $OWNERSHIP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
echo "Dummy IPSEC file installed as ${PREFIX}/etc/shorewall/ipsec"
fi
#
# Install the hosts file
#
run_install $OWNERSHIP -m 0644 hosts ${PREFIX}/usr/share/shorewall/configfiles/hosts
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/hosts ]; then
run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
echo "Hosts file installed as ${PREFIX}/etc/shorewall/hosts"
fi
#
# Install the rules file
#
run_install $OWNERSHIP -m 0644 rules ${PREFIX}/usr/share/shorewall/configfiles/rules
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/rules ]; then
run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall/rules
echo "Rules file installed as ${PREFIX}/etc/shorewall/rules"
fi
#
# Install the NAT file
#
run_install $OWNERSHIP -m 0644 nat ${PREFIX}/usr/share/shorewall/configfiles/nat
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/nat ]; then
run_install $OWNERSHIP -m 0600 nat ${PREFIX}/etc/shorewall/nat
echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
fi
#
# Install the NETMAP file
#
run_install $OWNERSHIP -m 0644 netmap ${PREFIX}/usr/share/shorewall/configfiles/netmap
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/netmap ]; then
run_install $OWNERSHIP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap
echo "NETMAP file installed as ${PREFIX}/etc/shorewall/netmap"
fi
#
# Install the Parameters file
#
run_install $OWNERSHIP -m 0644 params ${PREFIX}/usr/share/shorewall/configfiles/params
if [ -f ${PREFIX}/etc/shorewall/params ]; then
chmod 0644 ${PREFIX}/etc/shorewall/params
else
run_install $OWNERSHIP -m 0644 params ${PREFIX}/etc/shorewall/params
echo "Parameter file installed as ${PREFIX}/etc/shorewall/params"
fi
#
# Install the proxy ARP file
#
run_install $OWNERSHIP -m 0644 proxyarp ${PREFIX}/usr/share/shorewall/configfiles/proxyarp
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/proxyarp ]; then
run_install $OWNERSHIP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
echo "Proxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp"
fi
#
# Install the Stopped Routing file
#
run_install $OWNERSHIP -m 0644 routestopped ${PREFIX}/usr/share/shorewall/configfiles/routestopped
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/routestopped ]; then
run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped
echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
fi
#
# Install the Mac List file
#
run_install $OWNERSHIP -m 0644 maclist ${PREFIX}/usr/share/shorewall/configfiles/maclist
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/maclist ]; then
run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
echo "MAC list file installed as ${PREFIX}/etc/shorewall/maclist"
fi
#
# Install the Masq file
#
run_install $OWNERSHIP -m 0644 masq ${PREFIX}/usr/share/shorewall/configfiles/masq
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/masq ]; then
run_install $OWNERSHIP -m 0600 masq ${PREFIX}/etc/shorewall/masq
echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
fi
#
# Install the Modules file
#
run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall/modules
echo "Modules file installed as ${PREFIX}/usr/share/shorewall/modules"
#
# Install the TC Rules file
#
run_install $OWNERSHIP -m 0644 tcrules ${PREFIX}/usr/share/shorewall/configfiles/tcrules
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcrules ]; then
run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
fi
#
# Install the TOS file
#
run_install $OWNERSHIP -m 0644 tos ${PREFIX}/usr/share/shorewall/configfiles/tos
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tos ]; then
run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall/tos
echo "TOS file installed as ${PREFIX}/etc/shorewall/tos"
fi
#
# Install the Tunnels file
#
run_install $OWNERSHIP -m 0644 tunnels ${PREFIX}/usr/share/shorewall/configfiles/tunnels
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tunnels ]; then
run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
echo "Tunnels file installed as ${PREFIX}/etc/shorewall/tunnels"
fi
#
# Install the blacklist file
#
run_install $OWNERSHIP -m 0644 blacklist ${PREFIX}/usr/share/shorewall/configfiles/blacklist
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/blacklist ]; then
run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
fi
#
# Delete the Routes file
#
delete_file ${PREFIX}/etc/shorewall/routes
#
# Delete the tcstart file
#
delete_file ${PREFIX}/usr/share/shorewall/tcstart
#
# Delete the Limits Files
#
delete_file ${PREFIX}/usr/share/shorewall/action.Limit
delete_file ${PREFIX}/usr/share/shorewall/Limit
#
# Delete the xmodules file
#
delete_file ${PREFIX}/usr/share/shorewall/xmodules
#
# Install the Providers file
#
run_install $OWNERSHIP -m 0644 providers ${PREFIX}/usr/share/shorewall/configfiles/providers
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/providers ]; then
run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall/providers
echo "Providers file installed as ${PREFIX}/etc/shorewall/providers"
fi
#
# Install the Route Rules file
#
run_install $OWNERSHIP -m 0644 route_rules ${PREFIX}/usr/share/shorewall/configfiles/route_rules
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/route_rules ]; then
run_install $OWNERSHIP -m 0600 route_rules ${PREFIX}/etc/shorewall/route_rules
echo "Routing rules file installed as ${PREFIX}/etc/shorewall/route_rules"
fi
#
# Install the tcclasses file
#
run_install $OWNERSHIP -m 0644 tcclasses ${PREFIX}/usr/share/shorewall/configfiles/tcclasses
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcclasses ]; then
run_install $OWNERSHIP -m 0600 tcclasses ${PREFIX}/etc/shorewall/tcclasses
echo "TC Classes file installed as ${PREFIX}/etc/shorewall/tcclasses"
fi
#
# Install the tcdevices file
#
run_install $OWNERSHIP -m 0644 tcdevices ${PREFIX}/usr/share/shorewall/configfiles/tcdevices
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcdevices ]; then
run_install $OWNERSHIP -m 0600 tcdevices ${PREFIX}/etc/shorewall/tcdevices
echo "TC Devices file installed as ${PREFIX}/etc/shorewall/tcdevices"
fi
#
# Install the tcfilters file
#
run_install $OWNERSHIP -m 0644 tcfilters ${PREFIX}/usr/share/shorewall/configfiles/tcfilters
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcfilters ]; then
run_install $OWNERSHIP -m 0600 tcfilters ${PREFIX}/etc/shorewall/tcfilters
echo "TC Filters file installed as ${PREFIX}/etc/shorewall/tcfilters"
fi
#
# Install the rfc1918 file
#
install_file rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0644
echo "RFC 1918 file installed as ${PREFIX}/usr/share/shorewall/rfc1918"
#
# Install the default config path file
#
install_file configpath ${PREFIX}/usr/share/shorewall/configpath 0644
echo "Default config path file installed as ${PREFIX}/usr/share/shorewall/configpath"
#
# Install the init file
#
run_install $OWNERSHIP -m 0644 init ${PREFIX}/usr/share/shorewall/configfiles/init
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/init ]; then
run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall/init
echo "Init file installed as ${PREFIX}/etc/shorewall/init"
fi
#
# Install the initdone file
#
run_install $OWNERSHIP -m 0644 initdone ${PREFIX}/usr/share/shorewall/configfiles/initdone
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/initdone ]; then
run_install $OWNERSHIP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone
echo "Initdone file installed as ${PREFIX}/etc/shorewall/initdone"
fi
#
# Install the start file
#
run_install $OWNERSHIP -m 0644 start ${PREFIX}/usr/share/shorewall/configfiles/start
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/start ]; then
run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall/start
echo "Start file installed as ${PREFIX}/etc/shorewall/start"
fi
#
# Install the stop file
#
run_install $OWNERSHIP -m 0644 stop ${PREFIX}/usr/share/shorewall/configfiles/stop
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/stop ]; then
run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall/stop
echo "Stop file installed as ${PREFIX}/etc/shorewall/stop"
fi
#
# Install the stopped file
#
run_install $OWNERSHIP -m 0644 stopped ${PREFIX}/usr/share/shorewall/configfiles/stopped
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/stopped ]; then
run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
fi
#
# Install the ECN file
#
run_install $OWNERSHIP -m 0644 ecn ${PREFIX}/usr/share/shorewall/configfiles/ecn
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/ecn ]; then
run_install $OWNERSHIP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
fi
#
# Install the Accounting file
#
run_install $OWNERSHIP -m 0644 accounting ${PREFIX}/usr/share/shorewall/configfiles/accounting
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/accounting ]; then
run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
fi
#
# Install the Continue file
#
run_install $OWNERSHIP -m 0644 continue ${PREFIX}/usr/share/shorewall/configfiles/continue
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/continue ]; then
run_install $OWNERSHIP -m 0600 continue ${PREFIX}/etc/shorewall/continue
echo "Continue file installed as ${PREFIX}/etc/shorewall/continue"
fi
#
# Install the Started file
#
run_install $OWNERSHIP -m 0644 started ${PREFIX}/usr/share/shorewall/configfiles/started
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/started ]; then
run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall/started
echo "Started file installed as ${PREFIX}/etc/shorewall/started"
fi
#
# Install the Standard Actions file
#
install_file actions.std ${PREFIX}/usr/share/shorewall/actions.std 0644
echo "Standard actions file installed as ${PREFIX}/usr/shared/shorewall/actions.std"
#
# Install the Actions file
#
run_install $OWNERSHIP -m 0644 actions ${PREFIX}/usr/share/shorewall/configfiles/actions
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/actions ]; then
run_install $OWNERSHIP -m 0644 actions ${PREFIX}/etc/shorewall/actions
echo "Actions file installed as ${PREFIX}/etc/shorewall/actions"
fi
#
# Install the Makefiles
#
run_install $OWNERSHIP -m 0644 Makefile-lite ${PREFIX}/usr/share/shorewall/configfiles/Makefile
if [ -z "$CYGWIN" ]; then
run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall/Makefile
echo "Makefile installed as ${PREFIX}/etc/shorewall/Makefile"
fi
#
# Install the Action files
#
for f in action.* ; do
install_file $f ${PREFIX}/usr/share/shorewall/$f 0644
echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
done
# Install the Macro files
#
for f in macro.* ; do
install_file $f ${PREFIX}/usr/share/shorewall/$f 0644
echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
done
#
# Install the libraries
#
for f in lib.* ; do
if [ -f $f ]; then
install_file $f ${PREFIX}/usr/share/shorewall/$f 0644
echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
fi
done
#
# Symbolically link 'functions' to lib.base
#
ln -sf lib.base ${PREFIX}/usr/share/shorewall/functions
#
# Create the version file
#
echo "$VERSION" > ${PREFIX}/usr/share/shorewall/version
chmod 644 ${PREFIX}/usr/share/shorewall/version
#
# Remove and create the symbolic link to the init script
#
if [ -z "$PREFIX" ]; then
rm -f /usr/share/shorewall/init
ln -s ${DEST}/${INIT} /usr/share/shorewall/init
fi
#
# Install the Man Pages
#
cd manpages
for f in *.5; do
gzip -c $f > $f.gz
run_install -D -m 0644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
echo "Man page $f.gz installed to /usr/share/man/man5/$f.gz"
done
for f in *.8; do
gzip -c $f > $f.gz
run_install -D -m 0644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
echo "Man page $f.gz installed to /usr/share/man/man8/$f.gz"
done
cd ..
echo "Man Pages Installed"
#
# Install the firewall script
#
install_file firewall ${PREFIX}/usr/share/shorewall/firewall 0755
if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
if [ -n "$DEBIAN" ]; then
run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
echo "shorewall will start automatically at boot"
echo "Set startup=1 in /etc/default/shorewall to enable"
touch /var/log/shorewall-init.log
qt mywhich perl && perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall/shorewall.conf
else
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
if insserv /etc/init.d/shorewall ; then
echo "shorewall will start automatically at boot"
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
else
cant_autostart
fi
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
if chkconfig --add shorewall ; then
echo "shorewall will start automatically in run levels as follows:"
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
chkconfig --list shorewall
else
cant_autostart
fi
elif [ -x /sbin/rc-update ]; then
if rc-update add shorewall default; then
echo "shorewall will start automatically at boot"
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
else
cant_autostart
fi
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
cant_autostart
fi
fi
fi
#
# Report Success
#
echo "shorewall-common Version $VERSION Installed"
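Review bot: the backup guard in backup_file, `if [ -z "${PREFIX}{NOBACKUP}" ]; then`, tests PREFIX concatenated with the literal text `{NOBACKUP}`, which is never empty, so the per-file `.bkout` copies requested through install_file_with_backup are never written and the -n option has no effect on them; the intended test is presumably `[ -z "${PREFIX}${NOBACKUP}" ]`. The Debian branch installs the init script with `install_file_with_backup init.debian.sh /etc/init.d/shorewall 0544 ...`, an absolute path without `${PREFIX}` while the Slackware/Arch/default branches use `${PREFIX}${DEST}/$INIT`, so a staged install on a Debian host writes into the live /etc/init.d. Two reported paths also disagree with where the file actually goes: the actions.std message says `${PREFIX}/usr/shared/shorewall/actions.std` (the install target is /usr/share/shorewall), and the man page messages omit `${PREFIX}`. Finally, the zones file is installed into /etc/shorewall with mode 0744 while every other configuration file placed there gets 0600; unless the execute bit is intentional, 0600 would be consistent with the rest.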


@ -0,0 +1,11 @@
#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

7
Shorewall-common/ipsec Normal file

@ -0,0 +1,7 @@
#
# The /etc/shorewall/ipsec file is obsolete -- the information
# previously contained in this file is now placed in the
# /etc/shorewall/zones file.
#
# See the IPSECFILE option in shorewall.conf for further information.
#

296
Shorewall-common/ipsecvpn Normal file

@ -0,0 +1,296 @@
#!/bin/sh
################################################################################
#
# ipsecvpn -- script for use on a roadwarrior to start/stop a tunnel-mode
# IPSEC connection
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
RCDLINKS="2,S42 3,S42 6,K42"
#### BEGIN INIT INFO
# Provides: ipsecvpn
# Required-Start: $shorewall
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: starts and stops a tunnel-mode VPN connection
### END INIT INFO
# chkconfig: 2345 26 89
# description: IPSEC tunnel-mode connection
#
################################################################################
#
# External Interface
#
INTERFACE=eth0
#
# Remote IPSEC Gateway
#
GATEWAY=1.2.3.4
#
# Networks behind the remote gateway (space-separated list)
#
NETWORKS="192.168.1.0/24"
#
# Directory where X.509 certificates are stored.
#
CERTS=/etc/certs
#
# Certificate to be used for this connection. The cert
# directory must contain:
#
# ${CERT}.pem - the certificate
# ${CERT}_key.pem - the certificates's key
#
CERT=roadwarrior
#
# The setkey binary
#
SETKEY=/usr/sbin/setkey
#
# The racoon binary
#
RACOON=/usr/sbin/racoon
#
# Message to stderr
#
error_message() # $* = Error Message
{
echo " $@" >&2
}
#
# Fatal error -- stops the firewall after issuing the error message
#
fatal_error() # $* = Error Message
{
echo " Error: $@" >&2
exit 2
}
#
# Find interface address--returns the first IP address assigned to the passed
# device
#
find_first_interface_address() # $1 = interface
{
#
# get the line of output containing the first IP address
#
addr=$(ip -f inet addr show $1 2> /dev/null | grep inet | head -n1)
#
# If there wasn't one, bail out now
#
[ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
#
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
# along with everything else on the line
#
echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
}
#
# Create a Racoon configuration file using the variables above
#
make_racoon_conf() {
echo "path certificate \"$CERTS\";"
echo
echo "listen"
echo "{"
echo " isakmp $IPADDR;"
echo "}"
echo
echo "remote $GATEWAY"
echo "{"
echo " exchange_mode main;"
echo " certificate_type x509 \"$CERT.pem\" \"${CERT}_key.pem\";"
echo " verify_cert on;"
echo " my_identifier asn1dn ;"
echo " peers_identifier asn1dn ;"
echo " verify_identifier on ;"
echo " lifetime time 24 hour ;"
echo " proposal {"
echo " encryption_algorithm blowfish;"
echo " hash_algorithm sha1;"
echo " authentication_method rsasig ;"
echo " dh_group 2 ;"
echo " }"
echo "}"
echo
for network in $NETWORKS; do
echo "sainfo address $IPADDR/32 any address $network any"
echo "{"
echo " pfs_group 2;"
echo " lifetime time 12 hour ;"
echo " encryption_algorithm blowfish ;"
echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
echo " compression_algorithm deflate ;"
echo "}"
echo
echo "sainfo address $network any address $IPADDR/32 any"
echo "{"
echo " pfs_group 2;"
echo " lifetime time 12 hour ;"
echo " encryption_algorithm blowfish ;"
echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
echo " compression_algorithm deflate ;"
echo "}"
done
echo "sainfo address $IPADDR/32 any address $GATEWAY/32 any"
echo "{"
echo " pfs_group 2;"
echo " lifetime time 12 hour ;"
echo " encryption_algorithm blowfish ;"
echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
echo " compression_algorithm deflate ;"
echo "}"
echo
echo "sainfo address $GATEWAY/32 any address $IPADDR/32 any"
echo "{"
echo " pfs_group 2;"
echo " lifetime time 12 hour ;"
echo " encryption_algorithm blowfish ;"
echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
echo " compression_algorithm deflate ;"
echo "}"
}
#
# Make a setkey configuration file using the variables above
#
make_setkey_conf()
{
echo "flush;"
echo "spdflush;"
echo "spdadd $IPADDR/32 $GATEWAY/32 any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
echo "spdadd $GATEWAY/32 $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
for network in $NETWORKS; do
echo "spdadd $IPADDR/32 $network any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
echo "spdadd $network $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
done
}
#
# Start the Tunnel
#
start()
{
#
# Get the first IP address configured on the device in INTERFACE
#
IPADDR=$(find_first_interface_address $INTERFACE)
#
# Create the name of the setkey temporary file
#
TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX)
[ $? -eq 0 ] || fatal_error "Can't create temporary file name"
#
# Create the file
#
make_setkey_conf > $TEMPFILE
#
# Create the SPD
#
$SETKEY -f $TEMPFILE
#
# We can now remove the file
#
rm -f $TEMPFILE
#
# Create another name -- make this distict to aid debugging
# (just comment out the 'rm' commands)
#
TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX)
[ $? -eq 0 ] || fatal_error "Can't create temporary file name"
#
# Create the file
#
make_racoon_conf > $TEMPFILE
#
# Start Racoon Daemon
#
$RACOON -4 -f $TEMPFILE
#
# Once the Daemon is running, we can remove the file
#
rm -f $TEMPFILE
}
#
# Stop the Tunnel
#
stop()
{
#
# Kill any racoon daemons
#
killall racoon
#
# Purge the SAD and SPD
#
setkey -F -FP
}
#
# Display command syntax and abend
#
usage()
{
error_message "usage: $(basename $0) [start|stop|restart]"
exit 1
}
################################################################################
# C O D E S T A R T S H E R E
################################################################################
[ $# -eq 1 ] || usage
case $1 in
start)
start
;;
stop)
stop
;;
restart)
stop
sleep 2
start
;;
*)
usage
;;
esac
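Review bot: in start(), the exit status of `$SETKEY -f $TEMPFILE` is never checked, so if setkey rejects the generated policy the script still removes the file, starts racoon and reports success, leaving no `require` policy in the SPD and traffic to $GATEWAY and $NETWORKS sent without protection; a guard such as `$SETKEY -f $TEMPFILE || fatal_error "setkey failed"` (and the same for `$RACOON -4 -f $TEMPFILE`) closes that gap. In stop(), `setkey -F -FP` invokes the bare command instead of the $SETKEY variable defined at the top, and `killall racoon` terminates every racoon instance on the host rather than only the one this script started; recording the daemon's pid at start and signalling that pid would confine the stop to this tunnel. The sainfo blocks also list `hmac_md5` alongside hmac_sha1 in authentication_algorithm, which allows the SA to be negotiated with HMAC-MD5; removing it restricts the connection to hmac_sha1, and the same review applies to `dh_group 2` and `pfs_group 2`.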

1738
Shorewall-common/lib.base Normal file

File diff suppressed because it is too large

1149
Shorewall-common/lib.cli Normal file

File diff suppressed because it is too large

2296
Shorewall-common/lib.config Normal file

File diff suppressed because it is too large


@ -0,0 +1,427 @@
#!/bin/sh
#
# Shorewall 4.2 -- /usr/share/shorewall/lib.dynamiczones
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This library is loaded by /usr/share/shorewall/firewall when processing
# the 'add' and 'delete' commands.
#
#
# Add a host or networks to a zone
#
add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
{
local interface host zone z h z1 z2 chain
local dhcp_interfaces blacklist_interfaces maclist_interfaces
local tcpflags_interfaces newhostlist=
local rulenum source_chain dest_hosts iface hosts hostlist=
nat_chain_exists() # $1 = chain name
{
qt $IPTABLES -t nat -L $1 -n
}
do_iptables() # $@ = command
{
[ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
if ! $IPTABLES $@ ; then
error_message "ERROR: Can't add $newhost to zone $zone"
fi
}
DOING=Processing
DONE=Processed
#
# Load $zones
#
determine_zones
#
# Validate Interfaces File
#
validate_interfaces_file
#
# Validate Hosts File
#
validate_hosts_file
#
# Validate IPSec File
#
f=$(find_file $IPSECFILE)
[ -f $f ] && setup_ipsec $f
#
# Normalize host list
#
while [ $# -gt 1 ]; do
interface=${1%%:*}
host=${1#*:}
[ "$host" = "$1" ] && host=
#
# Be sure that the interface was dynamic at last [re]start
#
if ! chain_exists $(input_chain $interface) ; then
startup_error "Unknown interface $interface"
fi
if ! chain_exists $(dynamic_in $interface) ; then
startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf"
fi
if [ -z "$host" ]; then
hostlist="$hostlist $interface:0.0.0.0/0"
else
for h in $(separate_list $host); do
hostlist="$hostlist $interface:$h"
done
fi
shift
done
#
# Validate Zone
#
zone=$1
validate_zone $zone || startup_error "Unknown zone: $zone"
[ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone"
#
# Be sure that Shorewall has been restarted using a DZ-aware version of the code
#
[ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found"
[ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found"
#
# Check for duplicates and create a new zone state file
#
> ${VARDIR}/zones_$$
while read z type hosts; do
if [ "$z" = "$zone" ]; then
case $type in
bport4:*)
rm -f ${VARDIR}/zones_$$
startup_error "Bridge Port zones may not be dynamically modified"
;;
esac
case "$hosts" in
*exclude*)
rm -f ${VARDIR}/zones_$$
startup_error "Modifying a zone that has an exclude list is not supported"
;;
*)
for h in $hostlist; do
if ! list_search +$h $hosts; then
if ! list_search $h $hosts; then
newhostlist="$newhostlist +$h"
else
error_message "$h is already in zone $zone"
fi
else
error_message "$h is already in zone $zone"
fi
done
[ -z "$hosts" ] && hosts=$newhostlist || hosts="$hosts $newhostlist"
;;
esac
fi
eval ${z}_hosts=\"$hosts\"
echo "$z $type $hosts" >> ${VARDIR}/zones_$$
done < ${VARDIR}/zones
mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones
TERMINATOR=fatal_error
#
# Create a new Zone state file
#
for newhost in $newhostlist; do
newhost=${newhost#+}
#
# Isolate interface and host parts
#
interface=${newhost%%:*}
host=${newhost#*:}
#
# If the zone passed in the command has a dnat chain then insert a rule in
# the nat table PREROUTING chain to jump to that chain when the source
# matches the new host(s)#
#
chain=${zone}_dnat
if nat_chain_exists $chain; then
do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $(match_ipsec_in $zone $newhost) -j $chain
fi
#
# Insert new rules into the filter table for the passed interface
#
while read z1 z2 chain; do
[ "$z1" = "$z2" ] && op="-I" || op="-A"
if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then
do_iptables $op $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain
else
source_chain=$(dynamic_fwd $interface)
if is_ipsec_host $z1 $newhost ; then
do_iptables $op $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd
else
eval dest_hosts=\"\$${z2}_hosts\"
for h in $dest_hosts; do
[ "$h" = exclude ] && break
iface=${h%%:*}
iface=${iface#+}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables $op $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
fi
done
fi
fi
elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then
#
# Add a rule to the dynamic out chain for the interface
#
do_iptables $op $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
else
eval source_hosts=\"\$${z1}_hosts\"
for h in $source_hosts; do
[ "$h" = exclude ] && break
iface=${h%%:*}
iface=${iface#+}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
if is_ipsec_host $z1 $h; then
do_iptables $op ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
else
do_iptables $op $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
fi
fi
done
fi
fi
done < ${VARDIR}/chains
progress_message "$newhost added to zone $zone"
done
rm -rf $TMP_DIR
}
#
# Delete a host or networks from a zone
#
delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
{
local interface host zone z h z1 z2 chain delhost
local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces
local rulenum source_chain dest_hosts iface hosts hostlist=
DOING=Processing
DONE=Processed
#
# Load $zones
#
determine_zones
#
# Validate Interfaces File
#
validate_interfaces_file
#
# Validate Hosts File
#
validate_hosts_file
#
# Validate IPSec File
#
f=$(find_file ipsec)
[ -f $f ] && setup_ipsec $f
#
# Normalize host list
#
while [ $# -gt 1 ]; do
interface=${1%%:*}
host=${1#*:}
[ "$host" = "$1" ] && host=
#
# Be sure that the interface was dynamic at last [re]start
#
if ! chain_exists $(input_chain $interface) ; then
startup_error "Unknown interface $interface"
fi
if ! chain_exists $(dynamic_in $interface) ; then
startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf"
fi
if [ -z "$host" ]; then
hostlist="$hostlist $interface:0.0.0.0/0"
else
for h in $(separate_list $host); do
hostlist="$hostlist $interface:$h"
done
fi
shift
done
#
# Validate Zone
#
zone=$1
validate_zone $zone || startup_error "Unknown zone: $zone"
[ "$zone" = $FW ] && startup_error "Can't delete from the firewall zone"
#
# Be sure that Shorewall has been restarted using a DZ-aware version of the code
#
[ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found"
[ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found"
#
# Delete the passed hosts from the zone state file
#
> ${VARDIR}/zones_$$
while read z hosts; do
if [ "$z" = "$zone" ]; then
temp=$hosts
hosts=
for host in $hostlist; do
found=
for h in $temp; do
if [ "$h" = "+$host" ]; then
found=Yes
break
fi
if [ "$h" = "$host" ]; then
found=No
break
fi
done
[ -n "$found" ] || error_message "WARNING: $host does not appear to be in zone $zone"
[ "$found" = No ] && startup_error "$host is a permanent member of zone $zone"
done
for h in $temp; do
found=
for host in $hostlist; do
if [ "$h" = "+$host" ]; then
found=Yes
break
fi
done
[ -n "$found" ] || hosts="$hosts $h"
done
fi
eval ${z}_hosts=\"$hosts\"
echo "$z $hosts" >> ${VARDIR}/zones_$$
done < ${VARDIR}/zones
mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones
TERMINATOR=fatal_error
for delhost in $hostlist; do
interface=${delhost%%:*}
host=${delhost#*:}
#
# Delete any nat table entries for the host(s)
#
qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $zone $delhost) -j ${zone}_dnat
#
# Delete rules rules the input chains for the passed interface
#
while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then
qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $delhost) -j $chain
else
source_chain=$(dynamic_fwd $interface)
if is_ipsec_host $z1 $delhost ; then
qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd
else
eval dest_hosts=\"\$${z2}_hosts\"
[ "$z2" = "$zone" ] && dest_hosts="$dest_hosts $hostlist"
for h in $dest_hosts; do
[ "$h" = exclude ] && break
iface=${h%%:*}
iface=${iface#+}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
fi
done
fi
fi
elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then
qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
else
eval source_hosts=\"\$${z1}_hosts\"
for h in $source_hosts; do
[ "$h" = exclude ] && break
iface=${h%%:*}
iface=${iface#+}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
if is_ipsec_host $z1 $h; then
qt_iptables -D ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
else
qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
fi
fi
done
fi
fi
done < ${VARDIR}/chains
progress_message "$delhost removed from zone $zone"
done
rm -rf $TMP_DIR
}
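Review bot: in delete_from_zone(), the IPsec branch `qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd` uses `$newhost`, which is never assigned in this function and is absent from its `local` list (it belongs to add_to_zone()), so `match_ipsec_in` is evaluated against an empty or stale value and the `-D` does not match the rule add_to_zone() inserted with `$(match_ipsec_in $z1 $newhost) -j ${z1}_frwd`; if qt_iptables discards iptables' output as its name suggests, the stale forward rule silently survives the deletion. It should read `$(match_ipsec_in $z1 $delhost)`, as every other `-D` line in this loop does. Minor points in the same region: `f`, `temp` and `found` are assigned in delete_from_zone() without being declared `local`; the comment "Delete rules rules the input chains" has a doubled word; and the add_to_zone() comment "matches the new host(s)#" carries a stray `#`.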

10
Shorewall-common/maclist Normal file
@ -0,0 +1,10 @@
#
# Shorewall version 4 - Maclist file
#
# For information about entries in this file, type "man shorewall-maclist"
#
# For additional information, see http://shorewall.net/MAC_Validation.html
#
###############################################################################
#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

@ -0,0 +1,16 @@
#
# Shorewall version 4 - AllowICMPs Macro
#
# /usr/share/shorewall/macro.AllowICMPs
#
# This macro ACCEPTs needed ICMP types
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
COMMENT Needed ICMP types
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,21 @@
#
# Shorewall version 4 - Amanda Macro
#
# /usr/share/shorewall/macro.Amanda
#
# This macro handles connections required by the AMANDA backup system
# to back up remote nodes. It does not provide the ability to restore
# files from those nodes.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 10080
#
# You may also need this rule. With AMANDA 2.4.4 on Linux kernel 2.6,
# it should not be necessary to use this. The ip_conntrack_amanda
# kernel module should be loaded (via /etc/shorewall/modules) on all
# systems which need to pass AMANDA traffic through netfilter.
#PARAM - - tcp 50000:50100
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,12 @@
#
# Shorewall version 4 - Auth Macro
#
# /usr/share/shorewall/macro.Auth
#
# This macro handles Auth (identd) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,23 @@
#
# Shorewall version 4 - BitTorrent Macro
#
# /usr/share/shorewall/macro.BitTorrent
#
# This macro handles BitTorrent traffic.
#
# If you are running a more modern BitTorrent client, then you may need
# to tweak the open port range. This can be done by copying the below
# rules into /etc/shorewall and making the necessary edits there:
#
# Replace 6881:6889 with 6881:6899
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 6881:6889
#
# It may also be necessary to allow UDP traffic:
#
PARAM - - udp 6881
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,12 @@
#
# Shorewall version 4 - CVS Macro
#
# /usr/share/shorewall/macro.CVS
#
# This macro handles connections to the CVS pserver.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 2401
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,14 @@
#
# Shorewall version 4 - DAAP Macro
#
# /usr/share/shorewall/macro.DAAP
#
# This macro handles DAAP (Digital Audio Access Protocol) traffic.
# The protocol is used by iTunes, Rythmbox and other similar daemons.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 3689
PARAM - - udp 3689
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
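Review bot: `Rythmbox` in the header comment is misspelled; the player is Rhythmbox.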

@ -0,0 +1,13 @@
#
# Shorewall version 4 - DCC Macro
#
# /usr/share/shorewall/macro.DCC
#
# This macro handles DCC (Distributed Checksum Clearinghouse) traffic.
# DCC is a distributed spam filtering mechanism.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 6277
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,13 @@
#
# Shorewall version 4 - DNS Macro
#
# /usr/share/shorewall/macro.DNS
#
# This macro handles DNS traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 53
PARAM - - tcp 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,12 @@
#
# Shorewall version 4 - Distcc Macro
#
# /usr/share/shorewall/macro.Distcc
#
# This macro handles connections to the Distributed Compiler service.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 3632
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,53 @@
#
# Shorewall version 4 - Drop Macro
#
# /usr/share/shorewall/macro.Drop
#
# This macro generates the same rules as the Drop default action
# It is used in place of action.Drop when USE_ACTIONS=No.
#
# Example:
#
# Drop net all
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
#
# Don't log 'auth' REJECT
#
REJECT - - tcp 113
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
#
# ACCEPT critical ICMP types
#
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
DROP - - udp 135,445
DROP - - udp 137:139
DROP - - udp 1024: 137
DROP - - tcp 135,139,445
DROP - - udp 1900
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DROP - - udp - 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,15 @@
#
# Shorewall version 4 - DropDNSrep Macro
#
# /usr/share/shorewall/macro.DropDNSrep
#
# This macro silently drops DNS UDP replies
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
COMMENT Late DNS Replies
DROP - - udp - 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,15 @@
#
# Shorewall version 4 - DropUPnP Macro
#
# /usr/share/shorewall/macro.DropUPnP
#
# This macro silently drops UPnP probes on UDP port 1900
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
COMMENT UPnP
DROP - - udp 1900
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,35 @@
#
# Shorewall version 4 - Edonkey Macro
#
# /usr/share/shorewall/macro.Edonkey
#
# This macro handles Edonkey traffic.
#
#
# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm
# says to use udp 5737 rather than 4665.
#
# http://www.amule.org/wiki/index.php/FAQ_ed2k says this:
#
# 4661 TCP (outgoing) Port, on which a server listens for connection
# (defined by server).
#
# 4665 UDP (outgoing) used for global server searches and global source
# queries. This is always Server TCP port (in this case 4661) + 4.
#
# 4662 TCP (outgoing and incoming) Client to client transfers.
#
# 4672 UDP (outgoing and incoming) Extended eMule protocol, Queue
# Rating, File Reask Ping
#
# 4711 TCP WebServer listening port.
#
# 4712 TCP External Connection port. Used to communicate aMule with other
# applications such as aMule WebServer or aMuleCMD.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 4662
PARAM - - udp 4665
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,12 @@
#
# Shorewall version 4 - FTP Macro
#
# /usr/share/shorewall/macro.FTP
#
# This macro handles FTP traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,13 @@
#
# Shorewall version 4 - Finger Macro
#
# /usr/share/shorewall/macro.Finger
#
# This macro handles Finger protocol. You should not generally open
# your finger information to internet.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 79
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,15 @@
#
# Shorewall version 4 - GNUnet Macro
#
# /usr/share/shorewall/macro.GNUnet
#
# This macro handles GNUnet (secure peer-to-peer networking) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 2086
PARAM - - udp 2086
PARAM - - tcp 1080
PARAM - - udp 1080
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,14 @@
#
# Shorewall version 4 - GRE Macro
#
# /usr/share/shorewall/macro.GRE
#
# This macro (bi-directional) handles Generic Routing Encapsulation
# traffic (RFC 1701)
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - 47 # GRE
PARAM DEST SOURCE 47 # GRE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,13 @@
#
# Shorewall version 4 - Gnutella Macro
#
# /usr/share/shorewall/macro.Gnutella
#
# This macro handles Gnutella traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 6346
PARAM - - udp 6346
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,12 @@
#
# Shorewall version 4 - HTTP Macro
#
# /usr/share/shorewall/macro.HTTP
#
# This macro handles plaintext HTTP (WWW) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,12 @@
#
# Shorewall version 4 - HTTPS Macro
#
# /usr/share/shorewall/macro.HTTPS
#
# This macro handles HTTPS (WWW over SSL) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,12 @@
#
# Shorewall version 4 - ICQ Macro
#
# /usr/share/shorewall/macro.ICQ
#
# This macro handles ICQ, now called AOL Instant Messenger (or AIM).
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 5190
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,13 @@
#
# Shorewall version 4 - IMAP Macro
#
# /usr/share/shorewall/macro.IMAP
#
# This macro handles plaintext IMAP traffic. For encrypted IMAP,
# see macro.IMAPS.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 143
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,13 @@
#
# Shorewall version 4 - IMAPS Macro
#
# /usr/share/shorewall/macro.IMAPS
#
# This macro handles encrypted IMAP traffic. For plaintext IMAP
# (not recommended), see macro.IMAP.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 993
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,13 @@
#
# Shorewall version 4 - IPIP Macro
#
# /usr/share/shorewall/macro.IPIP
#
# This macro (bidirectional) handles IPIP capsulation traffic
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - 94 # IPIP
PARAM DEST SOURCE 94 # IPIP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
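Review bot: `PARAM - - 94 # IPIP` selects IANA protocol number 94 (IP-within-IP Encapsulation), but the Linux `ipip` tunnel driver carries IPv4-in-IPv4 as protocol 4 (IPPROTO_IPIP), so a rule matching 94 will not pass traffic from kernel ipip tunnels. Please confirm which encapsulation this macro is meant to cover and state it in the header comment; while there, `capsulation` should read `encapsulation`.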

@ -0,0 +1,12 @@
#
# Shorewall version 3.2 - IPP Macro
#
# /usr/share/shorewall/macro.IPP
#
# This macro handles Internet Printing Protocol (IPP).
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 631
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
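Review bot: the header still reads `Shorewall version 3.2 - IPP Macro` while the rest of the macros added in this commit say version 4; the version string should be updated here (macro.IPPserver, macro.Jetdirect, macro.Printer and macro.RDP in this commit carry the same stale 3.2 label).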

@ -0,0 +1,30 @@
#
# Shorewall version 3.2 - IPPserver Macro
#
# /usr/share/shorewall/macro.IPPserver
#
# This macro handles Internet Printing Protocol (IPP), indicating
# that DEST is a printing server for SOURCE. The macro allows
# print queue broadcasts from the server to the client, and
# printing connections from the client to the server.
#
# Example usage on a single-interface firewall which is a print
# client:
# IPPserver/ACCEPT $FW net
#
# Example for a two-interface firewall which acts as a print
# server for loc:
# IPPserver/ACCEPT loc $FW
#
# NOTE: If you want both to serve requests for local printers and
# listen to requests for remote printers (i.e. your CUPS server is
# also a client), you need to apply the rule twice, e.g.
# IPPserver/ACCEPT loc $FW
# IPPserver/ACCEPT $FW loc
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM SOURCE DEST tcp 631
PARAM DEST SOURCE udp 631
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,15 @@
#
# Shorewall version 4 - IPsec Macro
#
# /usr/share/shorewall/macro.IPsec
#
# This macro (bidirectional) handles IPsec traffic
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 500 500 # IKE
PARAM - - 50 # ESP
PARAM DEST SOURCE udp 500 500 # IKE
PARAM DEST SOURCE 50 # ESP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,16 @@
#
# Shorewall version 4 - IPsecah Macro
#
# /usr/share/shorewall/macro.IPsecah
#
# This macro (bidirectional) handles IPsec authentication (AH) traffic.
# This is insecure. You should use ESP with encryption for security.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 500 500 # IKE
PARAM - - 51 # AH
PARAM DEST SOURCE udp 500 500 # IKE
PARAM DEST SOURCE 51 # AH
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,17 @@
#
# Shorewall version 4 - IPsecnat Macro
#
# /usr/share/shorewall/macro.IPsecnat
#
# This macro (bidirectional) handles IPsec traffic and Nat-Traversal
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 500 # IKE
PARAM - - udp 4500 # NAT-T
PARAM - - 50 # ESP
PARAM DEST SOURCE udp 500 # IKE
PARAM DEST SOURCE udp 4500 # NAT-T
PARAM DEST SOURCE 50 # ESP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,18 @@
#
# Shorewall version 4 - JAP Macro
#
# /usr/share/shorewall/macro.JAP
#
# This macro handles JAP Anon Proxy traffic. This macro is for
# administrators running a Mix server. It is NOT for people trying
# to browse anonymously!
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 8080 # HTTP port
PARAM - - tcp 6544 # HTTP port
PARAM - - tcp 6543 # InfoService port
HTTPS/PARAM
SSH/PARAM
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,12 @@
#
# Shorewall version 3.4 - JabberPlain Macro
#
# /usr/share/shorewall/macro.JabberPlain
#
# This macro accepts Jabber traffic (plaintext).
#
###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 5222
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
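Review bot: the column header reads `#TARGET` where every other macro in this commit uses `#ACTION`, and the version line still says 3.4; both should be aligned with the other macro files (the same applies to macro.JabberSecure and macro.Jabberd).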

@ -0,0 +1,12 @@
#
# Shorewall version 3.4 - JabberSecure (ssl) Macro
#
# /usr/share/shorewall/macro.JabberSecure
#
# This macro accepts Jabber traffic (ssl).
#
###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 5223
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,12 @@
#
# Shorewall version 3.4 - Jabberd (server intercommunication)
#
# /usr/share/shorewall/macro.Jabberd
#
# This macro accepts Jabberd intercommunication traffic
#
###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 5269
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,12 @@
#
# Shorewall version 3.2 - Jetdirect Macro
#
# /usr/share/shorewall/macro.Jetdirect
#
# This macro handles HP Jetdirect printing.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 9100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,14 @@
#
# Shorewall version 4 - L2TP Macro
#
# /usr/share/shorewall/macro.L2TP
#
# This macro (bidirectional) handles Layer 2 Tunneling Protocol traffic
# (RFC 2661)
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 1701 # L2TP
PARAM DEST SOURCE udp 1701 # L2TP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,17 @@
#
# Shorewall version 4 - LDAP Macro
#
# /usr/share/shorewall/macro.LDAP
#
# This macro handles plaintext LDAP traffic. For encrypted LDAP
# traffic, see macro.LDAPS. Use of LDAPS is recommended (and is
# required by some directory services) if you want to do user
# authentication over LDAP. Note that some LDAP implementations
# support initiating TLS connections via the plaintext LDAP port.
# Consult your LDAP server documentation for details.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 389
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,17 @@
#
# Shorewall version 4 - LDAPS Macro
#
# /usr/share/shorewall/macro.LDAPS
#
# This macro handles encrypted LDAP traffic. For plaintext LDAP
# traffic, see macro.LDAP. Use of LDAPS is recommended (and is
# required by some directory services) if you want to do user
# authentication over LDAP. Note that some LDAP implementations
# support initiating TLS connections via the plaintext LDAP port.
# Consult your LDAP server documentation for details.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 636
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,19 @@
#
# Shorewall version 4 - Mail Macro
#
# /usr/share/shorewall/macro.Mail
#
# This macro handles SMTP (email secure and insecure) traffic.
# It's the aggregate of macro.SMTP, macro.SMTPS, macro.Submission.
#
# Note: This macro handles traffic between an MUA (Email client)
# and an MTA (mail server) or between MTAs. It does not enable
# reading of email via POP3 or IMAP. For those you need to use
# the POP3 or IMAP macros.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 25
PARAM - - tcp 465
PARAM - - tcp 587
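Review bot: macro.Mail is the only macro in this set that ends without the `#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE` trailer; the hunk stops at `PARAM - - tcp 587`. Add the trailer for consistency with the other macro files.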

@ -0,0 +1,12 @@
#
# Shorewall version 4 - MySQL Macro
#
# /usr/share/shorewall/macro.MySQL
#
# This macro handles connections to the MySQL server.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 3306
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,13 @@
#
# Shorewall version 4 NNTP Macro
#
# /usr/share/shorewall/macro.NNTP
#
# This macro handles plaintext NNTP traffic (Usenet). For
# encrypted NNTP, see macro.NNTPS.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 119
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,13 @@
#
# Shorewall version 4 NNTPS Macro
#
# /usr/share/shorewall/macro.NNTPS
#
# This macro handles encrypted NNTP traffic (Usenet). For
# plaintext NNTP, see macro.NNTP.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 563
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,13 @@
#
# Shorewall version 4 - NTP Macro
#
# /usr/share/shorewall/macro.NTP
#
# This macro handles NTP traffic (ntpd).
# For broadcast NTP traffic, use NTPbrd Macro.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,18 @@
#
# Shorewall version 4 - NTPbrd Macro
#
# /usr/share/shorewall/macro.NTPbrd
#
# This macro handles NTP traffic (ntpd) including replies to Broadcast
# NTP traffic.
#
# It is recommended only to use this where the source host is trusted -
# otherwise it opens up a large hole in your firewall because
# Netfilter doesn't track connections for broadcast traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 123
PARAM - - udp 1024: 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,12 @@
#
# Shorewall version 4 - OpenVPN Macro
#
# /usr/share/shorewall/macro.OpenVPN Macro
#
# This macro handles OpenVPN traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 1194
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
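Review bot: the path comment `# /usr/share/shorewall/macro.OpenVPN Macro` has a trailing `Macro`; drop it so the line is the bare file path, as in the other macros.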

@ -0,0 +1,13 @@
#
# Shorewall version 4 - PCA Macro
#
# /usr/share/shorewall/macro.PCA
#
# This macro handles PCAnywere (tm)
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 5632
PARAM - - tcp 5631
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
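Review bot: `PCAnywere (tm)` in the header comment is misspelled; the product is pcAnywhere.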

@ -0,0 +1,13 @@
#
# Shorewall version 4 - POP3 Macro
#
# /usr/share/shorewall/macro.POP3
#
# This macro handles plaintext POP3 traffic. For encrypted POP3,
# see macro.POP3S.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 110
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,13 @@
#
# Shorewall version 4 - POP3S Macro
#
# /usr/share/shorewall/macro.POP3S
#
# This macro handles encrypted POP3 traffic. For plaintext POP3,
# see macro.POP3.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 995 # Secure POP3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,14 @@
#
# Shorewall version 4 - PPTP Macro
#
# /usr/share/shorewall/macro.PPtP Macro
#
# This macro handles PPTP traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - 47
PARAM DEST SOURCE 47
PARAM - - tcp 1723
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
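Review bot: the path comment `# /usr/share/shorewall/macro.PPtP Macro` has the wrong case and a trailing word; the file is macro.PPTP, so it should read `# /usr/share/shorewall/macro.PPTP`.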

@ -0,0 +1,12 @@
#
# Shorewall version 4 - Ping Macro
#
# /usr/share/shorewall/macro.Ping
#
# This macro handles 'ping' requests.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,12 @@
#
# Shorewall version 4 - PostgreSQL Macro
#
# /usr/share/shorewall/macro.PostgreSQL
#
# This macro handles connections to the PostgreSQL server.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 5432
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,12 @@
#
# Shorewall version 3.2 - Printer Macro
#
# /usr/share/shorewall/macro.Printer
#
# This macro handles Line Printer protocol printing.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 515
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,12 @@
#
# Shorewall version 3.2 - RDP Macro
#
# /usr/share/shorewall/macro.RDP
#
# This macro handles Microsoft RDP (Remote Desktop) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 3389
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -0,0 +1,12 @@
#
# Shorewall version 4 - RNDC Macro
#
# /usr/share/shorewall/macro.RNDC
#
# This macro handles RNDC (BIND remote management protocol) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 953
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -0,0 +1,16 @@
#
# Shorewall version 4 - Rdate Macro
#
# /usr/share/shorewall/macro.Rdate
#
# This macro handles remote time retrieval (rdate).
# Unless you are supporting extremely old hardware or software,
# you shouldn't be using this. NTP is a superior alternative.
# And even if you need to use rfc 868 Time protocol you should
# use Time macro instead.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 37
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
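Review bot: the header tells the reader to use the Time macro instead of this one, but since this file only opens `tcp 37` it never says what macro.Time does differently; either state the difference or drop the advice, otherwise the reader has nothing to act on. Minor: `rfc 868` should be written `RFC 868`.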


@ -0,0 +1,54 @@
#
# Shorewall version 4 - Reject Macro
#
# /usr/share/shorewall/macro.Reject
#
# This macro generates the same rules as the Reject default action
# It is used in place of action.Reject when USE_ACTIONS=No.
#
# Example:
#
# Reject loc fw
#
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
#
# Don't log 'auth' REJECT
#
REJECT - - tcp 113
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
#
# ACCEPT critical ICMP types
#
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid
#
# Reject Microsoft noise so that it doesn't clutter up the log.
#
REJECT - - udp 135,445
REJECT - - udp 137:139
REJECT - - udp 1024: 137
REJECT - - tcp 135,139,445
DROP - - udp 1900
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DROP - - udp - 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
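Review bot: the block headed `# Reject Microsoft noise so that it doesn't clutter up the log.` ends with `DROP - - udp 1900`, which silently drops where the four lines above it REJECT; if that is deliberate the comment should say why port 1900 is treated differently from the NetBIOS and RPC ports, otherwise it reads like a copy error. Minor: the header sentence `This macro generates the same rules as the Reject default action` is missing its full stop.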


@ -0,0 +1,14 @@
#
# Shorewall version 4 - Macro Template
#
# /usr/share/shorewall/macro.Rfc1918
#
# This macro handles pkts with a SOURCE or ORIGINAL DEST address reserved by RFC 1918
#############################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT(S) PORT(S) DEST LIMIT GROUP
FORMAT 2
PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
DEST - - - - - -
PARAM SOURCE DEST - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
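Review bot: the title line `# Shorewall version 4 - Macro Template` is the template's own text and should name the macro (`Rfc1918 Macro`) the way the other files do. It would also help to spell out in the header that the first rule matches on SOURCE and the second on ORIGINAL DEST, since with `FORMAT 2` and the backslash-continued first rule the column mapping is hard to read off the rules themselves.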


@ -0,0 +1,12 @@
#
# Shorewall version 4 - Rsync Macro
#
# /usr/share/shorewall/macro.Rsync
#
# This macro handles connections to the rsync server.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 873
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -0,0 +1,23 @@
#
# Shorewall version 4 - SANE Macro
#
# /usr/share/shorewall/macro.SANE
#
# This macro handles SANE network scanning.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 6566
#
# Kernels 2.6.23+ has nf_conntrack_sane module which will handle
# sane data connection.
#
# If you don't have sane conntracking support you need to open whole dynamic
# port range.
#
# This is for normal linux 2.4+
#PARAM - - tcp 32768:61000
# This is generic rule for any os running saned.
#PARAM - - tcp 1024:
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
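Review bot: the commented-out fallback `#PARAM - - tcp 1024:` opens every unprivileged port from SOURCE to DEST, far more than the `32768:61000` range above it; the header should state that loading the conntrack helper is the preferred option and that the `1024:` rule is a last resort, so users do not uncomment the broad one by default. Minor grammar: `Kernels 2.6.23+ has nf_conntrack_sane module` should read `have the nf_conntrack_sane module`.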


@ -0,0 +1,19 @@
#
# Shorewall version 4 - SMB Macro
#
# /usr/share/shorewall/macro.SMB
#
# This macro handles Microsoft SMB traffic. You need to invoke
# this macro in both directions. Beware! This rule opens a lot
# of ports, and could possibly be used to compromise your firewall
# if not used with care. You should only allow SMB traffic
# between hosts you fully trust.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 135,445
PARAM - - udp 137:139
PARAM - - udp 1024: 137
PARAM - - tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
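Review bot: the header says `You need to invoke this macro in both directions`, but macro.SMBBI in this same commit exists for exactly that case; reference it here so users do not hand-write the reverse invocation. The `Beware!` paragraph is duplicated nearly verbatim between the two files, which is fine as long as they are kept in sync.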


@ -0,0 +1,23 @@
#
# Shorewall version 4 - SMB Bi-directional Macro
#
# /usr/share/shorewall/macro.SMBBI
#
# This macro (bidirectional) handles Microsoft SMB traffic.
#
# Beware! This macro opens a lot of ports, and could possibly be used
# to compromise your firewall if not used with care. You should only
# allow SMB traffic between hosts you fully trust.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 135,445
PARAM - - udp 137:139
PARAM - - udp 1024: 137
PARAM - - tcp 135,139,445
PARAM DEST SOURCE udp 135,445
PARAM DEST SOURCE udp 137:139
PARAM DEST SOURCE udp 1024: 137
PARAM DEST SOURCE tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -0,0 +1,13 @@
#
# Shorewall version 4 - SMBswat Macro
#
# /usr/share/shorewall/macro.SMBswat
#
# This macro handles connections to the Samba Web Administration Tool
# (SWAT).
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 901
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -0,0 +1,20 @@
#
# Shorewall version 4 - SMTP Macro
#
# /usr/share/shorewall/macro.SMTP
#
# This macro handles plaintext SMTP (email) traffic. For SMTP
# encrypted over SSL, use macro.SMTPS. Note that STARTTLS can be
# used over the standard STMP port, so the use of this macro
# doesn't necessarily imply the use of an insecure connection.
#
# Note: This macro handles traffic between an MUA (Email client)
# and an MTA (mail server) or between MTAs. It does not enable
# reading of email via POP3 or IMAP. For those you need to use
# the POP3 or IMAP macros.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 25
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
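Review bot: typo in the header, `standard STMP port` should be `SMTP`. The note rightly says STARTTLS can run on port 25, so the split between this macro and macro.SMTPS is about ports, not about whether the session is encrypted; stating that directly would avoid the impression the opening words `plaintext SMTP` give.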


@ -0,0 +1,17 @@
#
# Shorewall version 4 - SMTPS Macro
#
# /usr/share/shorewall/macro.SMTPS
#
# This macro handles encrypted SMTPS (email) traffic.
#
# Note: This macro handles traffic between an MUA (Email client)
# and an MTA (mail server) or between MTAs. It does not enable
# reading of email via POP3 or IMAP. For those you need to use
# the POP3(S) or IMAP(S) macros.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 465
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -0,0 +1,13 @@
#
# Shorewall version 4 - SNMP Macro
#
# /usr/share/shorewall/macro.SNMP
#
# This macro handles SNMP traffic (including traps).
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - udp 161:162
PARAM - - tcp 161
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
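Review bot: the header says `(including traps)`, but `PARAM - - udp 161:162` only matches traps travelling from SOURCE to DEST; in the usual deployment polling on 161 goes from the manager to the agent while traps on 162 go from the agent back to the manager, i.e. the opposite direction, so a user who invokes the macro from the manager's zone towards the agent's zone does not get traps through. Either split 162 into a reverse rule (`PARAM DEST SOURCE udp 162`, the pattern macro.PPtP uses for GRE) or say in the header that traps are only covered in the same direction as polling.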


@ -0,0 +1,12 @@
#
# Shorewall version 4 - SPAMD Macro
#
# /usr/share/shorewall/macro.SPAMD
#
# This macro handles Spam Assassin SPAMD traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 783
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
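Review bot: style nit in the description, `Spam Assassin SPAMD traffic` should use the product's own spelling, `SpamAssassin`, and `spamd` is the daemon name; the rule `PARAM - - tcp 783` itself is fine.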


@ -0,0 +1,12 @@
#
# Shorewall version 4 - SSH Macro
#
# /usr/share/shorewall/macro.SSH
#
# This macro handles secure shell (SSH) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
PARAM - - tcp 22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Some files were not shown because too many files have changed in this diff.