From 038a4c0756df69136708db50d1771177e6ac2a0d Mon Sep 17 00:00:00 2001 
From: teastep Date: Sun, 7 Dec 2008 18:17:26 +0000 Subject: [PATCH] Copy 4.2 -common to trunk git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8937 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/COPYING | 340 ++++ Shorewall-common/INSTALL | 24 + Shorewall-common/Makefile | 17 + Shorewall-common/Makefile-lite | 82 + Shorewall-common/README.txt | 1 + Shorewall-common/accounting | 12 + Shorewall-common/action.Drop | 53 + Shorewall-common/action.Reject | 51 + Shorewall-common/action.template | 200 +++ Shorewall-common/actions | 13 + Shorewall-common/actions.std | 35 + Shorewall-common/blacklist | 11 + Shorewall-common/changelog.txt | 61 + Shorewall-common/configpath | 13 + Shorewall-common/continue | 14 + Shorewall-common/default.debian | 24 + Shorewall-common/ecn | 11 + Shorewall-common/fallback.sh | 104 ++ Shorewall-common/firewall | 669 +++++++ Shorewall-common/hosts | 11 + Shorewall-common/init | 13 + Shorewall-common/init.archlinux.sh | 58 + Shorewall-common/init.debian.sh | 129 ++ Shorewall-common/init.sh | 90 + Shorewall-common/initdone | 14 + Shorewall-common/install.sh | 776 ++++++++ Shorewall-common/interfaces | 11 + Shorewall-common/ipsec | 7 + Shorewall-common/ipsecvpn | 296 +++ Shorewall-common/lib.base | 1738 ++++++++++++++++++ Shorewall-common/lib.cli | 1149 ++++++++++++ Shorewall-common/lib.config | 2296 ++++++++++++++++++++++++ Shorewall-common/lib.dynamiczones | 427 +++++ Shorewall-common/maclist | 10 + Shorewall-common/macro.AllowICMPs | 16 + Shorewall-common/macro.Amanda | 21 + Shorewall-common/macro.Auth | 12 + Shorewall-common/macro.BitTorrent | 23 + Shorewall-common/macro.CVS | 12 + Shorewall-common/macro.DAAP | 14 + Shorewall-common/macro.DCC | 13 + Shorewall-common/macro.DNS | 13 + Shorewall-common/macro.Distcc | 12 + Shorewall-common/macro.Drop | 53 + Shorewall-common/macro.DropDNSrep | 15 + Shorewall-common/macro.DropUPnP | 15 + Shorewall-common/macro.Edonkey | 35 + Shorewall-common/macro.FTP | 12 + 
Shorewall-common/macro.Finger | 13 + Shorewall-common/macro.GNUnet | 15 + Shorewall-common/macro.GRE | 14 + Shorewall-common/macro.Gnutella | 13 + Shorewall-common/macro.HTTP | 12 + Shorewall-common/macro.HTTPS | 12 + Shorewall-common/macro.ICQ | 12 + Shorewall-common/macro.IMAP | 13 + Shorewall-common/macro.IMAPS | 13 + Shorewall-common/macro.IPIP | 13 + Shorewall-common/macro.IPP | 12 + Shorewall-common/macro.IPPserver | 30 + Shorewall-common/macro.IPsec | 15 + Shorewall-common/macro.IPsecah | 16 + Shorewall-common/macro.IPsecnat | 17 + Shorewall-common/macro.JAP | 18 + Shorewall-common/macro.JabberPlain | 12 + Shorewall-common/macro.JabberSecure | 12 + Shorewall-common/macro.Jabberd | 12 + Shorewall-common/macro.Jetdirect | 12 + Shorewall-common/macro.L2TP | 14 + Shorewall-common/macro.LDAP | 17 + Shorewall-common/macro.LDAPS | 17 + Shorewall-common/macro.Mail | 19 + Shorewall-common/macro.MySQL | 12 + Shorewall-common/macro.NNTP | 13 + Shorewall-common/macro.NNTPS | 13 + Shorewall-common/macro.NTP | 13 + Shorewall-common/macro.NTPbrd | 18 + Shorewall-common/macro.OpenVPN | 12 + Shorewall-common/macro.PCA | 13 + Shorewall-common/macro.POP3 | 13 + Shorewall-common/macro.POP3S | 13 + Shorewall-common/macro.PPtP | 14 + Shorewall-common/macro.Ping | 12 + Shorewall-common/macro.PostgreSQL | 12 + Shorewall-common/macro.Printer | 12 + Shorewall-common/macro.RDP | 12 + Shorewall-common/macro.RNDC | 12 + Shorewall-common/macro.Rdate | 16 + Shorewall-common/macro.Reject | 54 + Shorewall-common/macro.Rfc1918 | 14 + Shorewall-common/macro.Rsync | 12 + Shorewall-common/macro.SANE | 23 + Shorewall-common/macro.SMB | 19 + Shorewall-common/macro.SMBBI | 23 + Shorewall-common/macro.SMBswat | 13 + Shorewall-common/macro.SMTP | 20 + Shorewall-common/macro.SMTPS | 17 + Shorewall-common/macro.SNMP | 13 + Shorewall-common/macro.SPAMD | 12 + Shorewall-common/macro.SSH | 12 + Shorewall-common/macro.SVN | 13 + Shorewall-common/macro.SixXS | 25 + Shorewall-common/macro.Submission | 12 + 
Shorewall-common/macro.Syslog | 12 + Shorewall-common/macro.TFTP | 14 + Shorewall-common/macro.Telnet | 13 + Shorewall-common/macro.Telnets | 13 + Shorewall-common/macro.Time | 14 + Shorewall-common/macro.Trcrt | 13 + Shorewall-common/macro.VNC | 12 + Shorewall-common/macro.VNCL | 13 + Shorewall-common/macro.Web | 15 + Shorewall-common/macro.Webmin | 12 + Shorewall-common/macro.Whois | 12 + Shorewall-common/macro.template | 368 ++++ Shorewall-common/masq | 11 + Shorewall-common/modules | 161 ++ Shorewall-common/nat | 11 + Shorewall-common/netmap | 11 + Shorewall-common/params | 27 + Shorewall-common/policy | 12 + Shorewall-common/providers | 10 + Shorewall-common/proxyarp | 10 + Shorewall-common/releasenotes.txt | 1150 ++++++++++++ Shorewall-common/rfc1918 | 9 + Shorewall-common/route_rules | 9 + Shorewall-common/routestopped | 14 + Shorewall-common/rules | 15 + Shorewall-common/shorewall | 2014 +++++++++++++++++++++ Shorewall-common/shorewall-common.spec | 310 ++++ Shorewall-common/shorewall.conf | 199 ++ Shorewall-common/start | 13 + Shorewall-common/started | 21 + Shorewall-common/stop | 13 + Shorewall-common/stopped | 13 + Shorewall-common/strip | 110 ++ Shorewall-common/tcclasses | 10 + Shorewall-common/tcdevices | 11 + Shorewall-common/tcfilters | 11 + Shorewall-common/tcrules | 15 + Shorewall-common/tos | 9 + Shorewall-common/tunnel | 166 ++ Shorewall-common/tunnels | 12 + Shorewall-common/uninstall.sh | 114 ++ Shorewall-common/wait4ifup | 60 + Shorewall-common/zones | 13 + Shorewall-perl/README.txt | 2 +- 147 files changed, 14947 insertions(+), 1 deletion(-) create mode 100644 Shorewall-common/COPYING create mode 100644 Shorewall-common/INSTALL create mode 100644 Shorewall-common/Makefile create mode 100644 Shorewall-common/Makefile-lite create mode 100644 Shorewall-common/README.txt create mode 100644 Shorewall-common/accounting create mode 100644 Shorewall-common/action.Drop create mode 100644 Shorewall-common/action.Reject create mode 100644 
Shorewall-common/action.template create mode 100644 Shorewall-common/actions create mode 100644 Shorewall-common/actions.std create mode 100755 Shorewall-common/blacklist create mode 100644 Shorewall-common/changelog.txt create mode 100644 Shorewall-common/configpath create mode 100644 Shorewall-common/continue create mode 100644 Shorewall-common/default.debian create mode 100644 Shorewall-common/ecn create mode 100755 Shorewall-common/fallback.sh create mode 100755 Shorewall-common/firewall create mode 100644 Shorewall-common/hosts create mode 100644 Shorewall-common/init create mode 100755 Shorewall-common/init.archlinux.sh create mode 100755 Shorewall-common/init.debian.sh create mode 100755 Shorewall-common/init.sh create mode 100755 Shorewall-common/initdone create mode 100755 Shorewall-common/install.sh create mode 100644 Shorewall-common/interfaces create mode 100644 Shorewall-common/ipsec create mode 100644 Shorewall-common/ipsecvpn create mode 100644 Shorewall-common/lib.base create mode 100644 Shorewall-common/lib.cli create mode 100644 Shorewall-common/lib.config create mode 100644 Shorewall-common/lib.dynamiczones create mode 100644 Shorewall-common/maclist create mode 100644 Shorewall-common/macro.AllowICMPs create mode 100644 Shorewall-common/macro.Amanda create mode 100644 Shorewall-common/macro.Auth create mode 100644 Shorewall-common/macro.BitTorrent create mode 100644 Shorewall-common/macro.CVS create mode 100644 Shorewall-common/macro.DAAP create mode 100644 Shorewall-common/macro.DCC create mode 100644 Shorewall-common/macro.DNS create mode 100644 Shorewall-common/macro.Distcc create mode 100644 Shorewall-common/macro.Drop create mode 100644 Shorewall-common/macro.DropDNSrep create mode 100644 Shorewall-common/macro.DropUPnP create mode 100644 Shorewall-common/macro.Edonkey create mode 100644 Shorewall-common/macro.FTP create mode 100644 Shorewall-common/macro.Finger create mode 100644 Shorewall-common/macro.GNUnet create mode 100644 
Shorewall-common/macro.GRE create mode 100644 Shorewall-common/macro.Gnutella create mode 100644 Shorewall-common/macro.HTTP create mode 100644 Shorewall-common/macro.HTTPS create mode 100644 Shorewall-common/macro.ICQ create mode 100644 Shorewall-common/macro.IMAP create mode 100644 Shorewall-common/macro.IMAPS create mode 100644 Shorewall-common/macro.IPIP create mode 100644 Shorewall-common/macro.IPP create mode 100644 Shorewall-common/macro.IPPserver create mode 100644 Shorewall-common/macro.IPsec create mode 100644 Shorewall-common/macro.IPsecah create mode 100644 Shorewall-common/macro.IPsecnat create mode 100644 Shorewall-common/macro.JAP create mode 100644 Shorewall-common/macro.JabberPlain create mode 100644 Shorewall-common/macro.JabberSecure create mode 100644 Shorewall-common/macro.Jabberd create mode 100644 Shorewall-common/macro.Jetdirect create mode 100644 Shorewall-common/macro.L2TP create mode 100644 Shorewall-common/macro.LDAP create mode 100644 Shorewall-common/macro.LDAPS create mode 100644 Shorewall-common/macro.Mail create mode 100644 Shorewall-common/macro.MySQL create mode 100644 Shorewall-common/macro.NNTP create mode 100644 Shorewall-common/macro.NNTPS create mode 100644 Shorewall-common/macro.NTP create mode 100644 Shorewall-common/macro.NTPbrd create mode 100644 Shorewall-common/macro.OpenVPN create mode 100644 Shorewall-common/macro.PCA create mode 100644 Shorewall-common/macro.POP3 create mode 100644 Shorewall-common/macro.POP3S create mode 100644 Shorewall-common/macro.PPtP create mode 100644 Shorewall-common/macro.Ping create mode 100644 Shorewall-common/macro.PostgreSQL create mode 100644 Shorewall-common/macro.Printer create mode 100644 Shorewall-common/macro.RDP create mode 100644 Shorewall-common/macro.RNDC create mode 100644 Shorewall-common/macro.Rdate create mode 100644 Shorewall-common/macro.Reject create mode 100644 Shorewall-common/macro.Rfc1918 create mode 100644 Shorewall-common/macro.Rsync create mode 100644 
Shorewall-common/macro.SANE create mode 100644 Shorewall-common/macro.SMB create mode 100644 Shorewall-common/macro.SMBBI create mode 100644 Shorewall-common/macro.SMBswat create mode 100644 Shorewall-common/macro.SMTP create mode 100644 Shorewall-common/macro.SMTPS create mode 100644 Shorewall-common/macro.SNMP create mode 100644 Shorewall-common/macro.SPAMD create mode 100644 Shorewall-common/macro.SSH create mode 100644 Shorewall-common/macro.SVN create mode 100644 Shorewall-common/macro.SixXS create mode 100644 Shorewall-common/macro.Submission create mode 100644 Shorewall-common/macro.Syslog create mode 100644 Shorewall-common/macro.TFTP create mode 100644 Shorewall-common/macro.Telnet create mode 100644 Shorewall-common/macro.Telnets create mode 100644 Shorewall-common/macro.Time create mode 100644 Shorewall-common/macro.Trcrt create mode 100644 Shorewall-common/macro.VNC create mode 100644 Shorewall-common/macro.VNCL create mode 100644 Shorewall-common/macro.Web create mode 100644 Shorewall-common/macro.Webmin create mode 100644 Shorewall-common/macro.Whois create mode 100644 Shorewall-common/macro.template create mode 100644 Shorewall-common/masq create mode 100644 Shorewall-common/modules create mode 100644 Shorewall-common/nat create mode 100644 Shorewall-common/netmap create mode 100644 Shorewall-common/params create mode 100644 Shorewall-common/policy create mode 100644 Shorewall-common/providers create mode 100644 Shorewall-common/proxyarp create mode 100644 Shorewall-common/releasenotes.txt create mode 100644 Shorewall-common/rfc1918 create mode 100644 Shorewall-common/route_rules create mode 100644 Shorewall-common/routestopped create mode 100644 Shorewall-common/rules create mode 100755 Shorewall-common/shorewall create mode 100644 Shorewall-common/shorewall-common.spec create mode 100644 Shorewall-common/shorewall.conf create mode 100644 Shorewall-common/start create mode 100644 Shorewall-common/started create mode 100644 Shorewall-common/stop 
create mode 100644 Shorewall-common/stopped create mode 100755 Shorewall-common/strip create mode 100644 Shorewall-common/tcclasses create mode 100644 Shorewall-common/tcdevices create mode 100644 Shorewall-common/tcfilters create mode 100644 Shorewall-common/tcrules create mode 100644 Shorewall-common/tos create mode 100755 Shorewall-common/tunnel create mode 100644 Shorewall-common/tunnels create mode 100755 Shorewall-common/uninstall.sh create mode 100755 Shorewall-common/wait4ifup create mode 100644 Shorewall-common/zones diff --git a/Shorewall-common/COPYING b/Shorewall-common/COPYING new file mode 100644 index 000000000..2ba72d57f --- /dev/null +++ b/Shorewall-common/COPYING 
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) 19yy + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) 19yy name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. 
diff --git a/Shorewall-common/INSTALL b/Shorewall-common/INSTALL
new file mode 100644
index 000000000..195ba27c2
--- /dev/null
+++ b/Shorewall-common/INSTALL
@@ -0,0 +1,24 @@
+Shoreline Firewall (Shorewall) Version 4
+----- ----
+
+-----------------------------------------------------------------------------
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of Version 2 of the GNU General Public License
+ as published by the Free Software Foundation.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+---------------------------------------------------------------------------
+
+Please see http://www.shorewall.net/Install.htm for installation
+instructions.
+
+
diff --git a/Shorewall-common/Makefile b/Shorewall-common/Makefile
new file mode 100644
index 000000000..1ee948e2e
--- /dev/null
+++ b/Shorewall-common/Makefile
@@ -0,0 +1,17 @@
+# Shorewall Makefile to restart if config-files are newer than last restart
+VARDIR=$(shell /sbin/shorewall show vardir)
+CONFDIR=/etc/shorewall
+RESTOREFILE?=.restore
+all: $(VARDIR)/${RESTOREFILE}
+
+$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
+ @/sbin/shorewall -q save >/dev/null; \
+ if \
+ /sbin/shorewall -q restart >/dev/null 2>&1; \
+ then \
+ /sbin/shorewall -q save >/dev/null; \
+ else \
+ /sbin/shorewall -q restart 2>&1 | tail >&2; \
+ fi
+
+# EOF
diff --git a/Shorewall-common/Makefile-lite b/Shorewall-common/Makefile-lite
new file mode 100644
index 000000000..74a09aedc
--- /dev/null
+++ b/Shorewall-common/Makefile-lite
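Review bot: The failure branch of the `$(VARDIR)/${RESTOREFILE}` recipe ends in `/sbin/shorewall -q restart 2>&1 | tail >&2`, whose exit status is tail's, so `make` reports success even though the firewall restart failed; the branch also runs `restart` a second time merely to display its diagnostics, which is a second attempt to reload the ruleset rather than a replay of the first one's output, and if that retry happens to succeed its result is never saved. Capture the output of a single restart, print it only on failure, and exit non-zero; since the restore file is only written by the `save` on the success path, make will still retry on the next invocation. Separately, the prerequisite `$(CONFDIR)/*` matches every file in /etc/shorewall, including editor backups and temporary files, so an unrelated write triggers a firewall restart; if that is intended it deserves a comment. Recipe lines must begin with a tab, which the pasted text appears to have collapsed, so I cannot confirm the indentation here.
```makefile
$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
	@/sbin/shorewall -q save >/dev/null; \
	if out=$$(/sbin/shorewall -q restart 2>&1); then \
	    /sbin/shorewall -q save >/dev/null; \
	else \
	    printf '%s\n' "$$out" | tail >&2; \
	    exit 1; \
	fi
```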
@@ -0,0 +1,82 @@
+# Shorewall Packet Filtering Firewall Export Directory Makefile - V4.2
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#
+# Shorewall documentation is available at http://www.shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+################################################################################
+# Place this file in each export directory. Modify each copy to set HOST
+# to the name of the remote firewall corresponding to the directory.
+#
+# To make the 'firewall' script, type "make".
+#
+# Once the script is compiling correctly, you can install it by
+# typing "make install".
+#
+################################################################################
+# V A R I A B L E S
+#
+# Files in the export directory on which the firewall script does not depend
+#
+IGNOREFILES = firewall% Makefile% trace% %~
+#
+# Remote Firewall system
+#
+HOST = gateway
+#
+# Save some typing
+#
+LITEDIR = /var/lib/shorewall-lite
+#
+# Set this if the remote system has a non-standard modules directory
+#
+MODULESDIR=
+#
+# Default target is the firewall script
+#
+################################################################################
+# T A R G E T S
+#
+all: firewall
+#
+# Only generate the capabilities file if it doesn't already exist
+#
+capabilities:
+ ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
+ scp root@$(HOST):$(LITEDIR)/capabilities .
+#
+# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
+# 'filter-out' will be presented with the list of files in this directory rather than "*"
+#
+firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
+ shorewall compile -e . firewall
+#
+# Only reload on demand.
+#
+install: firewall
+ scp firewall firewall.conf root@$(HOST):$(LITEDIR)
+ ssh root@$(HOST) "/sbin/shorewall-lite restart"
+#
+# Save running configuration
+#
+save:
+ ssh root@$(HOST) "/sbin/shorewall-lite save"
+#
+# Remove generated files
+#
+clean:
+ rm -f capabilities firewall firewall.conf reload
diff --git a/Shorewall-common/README.txt b/Shorewall-common/README.txt
new file mode 100644
index 000000000..189c4ab93
--- /dev/null
+++ b/Shorewall-common/README.txt
@@ -0,0 +1 @@
+This is the Shorewall-common Development 4.2 branch of SVN.
diff --git a/Shorewall-common/accounting b/Shorewall-common/accounting
new file mode 100644
index 000000000..57c434bff
--- /dev/null
+++ b/Shorewall-common/accounting
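Review bot: `install` copies the new script into `$(LITEDIR)` and restarts the remote firewall without first saving the running configuration, so a script that compiled here but fails on the gateway (the remote capabilities file may be stale, since `capabilities` is only ever generated once) leaves nothing to fall back to; the sibling Shorewall-common/Makefile runs `shorewall -q save` before its restart. If shorewall-lite restores the saved state on a failed restart the way the firewall script's stop_firewall does with `$RESTOREPATH restore`, adding `ssh root@$(HOST) "/sbin/shorewall-lite save"` as the first recipe line of `install` (before the scp, which overwrites the script in `$(LITEDIR)`) closes that gap. `clean` also removes `reload`, which no target in this file produces.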
@@ -0,0 +1,12 @@ +# +# Shorewall version 4 - Accounting File +# +# For information about entries in this file, type "man shorewall-accounting" +# +# Please see http://shorewall.net/Accounting.html for examples and +# additional information about how to use this file. +# +##################################################################################### +#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK +# PORT(S) PORT(S) GROUP +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/action.Drop b/Shorewall-common/action.Drop new file mode 100644 index 000000000..770d0cedf --- /dev/null +++ b/Shorewall-common/action.Drop 
@@ -0,0 +1,53 @@ +# +# Shorewall version 4 - Drop Action +# +# /usr/share/shorewall/action.Drop +# +# The default DROP common rules +# +# This action is invoked before a DROP policy is enforced. The purpose +# of the action is: +# +# a) Avoid logging lots of useless cruft. +# b) Ensure that 'auth' requests are rejected, even if the policy is +# DROP. Otherwise, you may experience problems establishing +# connections with servers that use auth. +# c) Ensure that certain ICMP packets that are necessary for successful +# internet operation are always ACCEPTed. +# +# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! +# +############################################################################### +#TARGET SOURCE DEST PROTO DPORT SPORT +# +# Reject 'auth' +# +Auth/REJECT +# +# Don't log broadcasts +# +dropBcast +# +# ACCEPT critical ICMP types +# +AllowICMPs - - icmp +# +# Drop packets that are in the INVALID state -- these are usually ICMP packets +# and just confuse people when they appear in the log. +# +dropInvalid +# +# Drop Microsoft noise so that it doesn't clutter up the log. +# +SMB/DROP +DropUPnP +# +# Drop 'newnotsyn' traffic so that it doesn't get logged. +# +dropNotSyn - - tcp +# +# Drop late-arriving DNS replies. These are just a nuisance and clutter up +# the log. +# +DropDNSrep +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/action.Reject b/Shorewall-common/action.Reject new file mode 100644 index 000000000..9d0b0029c --- /dev/null +++ b/Shorewall-common/action.Reject 
@@ -0,0 +1,51 @@ +# +# Shorewall version 4 - Reject Action +# +# /usr/share/shorewall/action.Reject +# +# The default REJECT action common rules +# +# This action is invoked before a REJECT policy is enforced. The purpose +# of the action is: +# +# a) Avoid logging lots of useless cruft. +# b) Ensure that certain ICMP packets that are necessary for successful +# internet operation are always ACCEPTed. +# +# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! +############################################################################### +#TARGET SOURCE DEST PROTO +# +# Don't log 'auth' -- REJECT +# +Auth/REJECT +# +# Drop Broadcasts so they don't clutter up the log +# (broadcasts must *not* be rejected). +# +dropBcast +# +# ACCEPT critical ICMP types +# +AllowICMPs - - icmp +# +# Drop packets that are in the INVALID state -- these are usually ICMP packets +# and just confuse people when they appear in the log (these ICMPs cannot be +# rejected). +# +dropInvalid +# +# Reject Microsoft noise so that it doesn't clutter up the log. +# +SMB/REJECT +DropUPnP +# +# Drop 'newnotsyn' traffic so that it doesn't get logged. +# +dropNotSyn - - tcp +# +# Drop late-arriving DNS replies. These are just a nuisance and clutter up +# the log. +# +DropDNSrep +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/action.template b/Shorewall-common/action.template new file mode 100644 index 000000000..03fdec63e --- /dev/null +++ b/Shorewall-common/action.template 
@@ -0,0 +1,200 @@ +# +# Shorewall version 4 - Action Template +# +# /etc/shorewall/action.template +# +# This file is a template for files with names of the form +# /etc/shorewall/action. where is an +# ACTION defined in /etc/shorewall/actions. +# +# To define a new action: +# +# 1. Add the to /etc/shorewall/actions +# 2. Copy this file to /etc/shorewall/action. +# 3. Add the desired rules to that file. +# +# Please see http://shorewall.net/Actions.html for additional +# information. +# +# Columns are: +# +# +# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE, CONTINUE, a +# or a previously-defined +# +# ACCEPT -- allow the connection request +# DROP -- ignore the request +# REJECT -- disallow the request and return an +# icmp-unreachable or an RST packet. +# LOG -- Simply log the packet and continue. +# QUEUE -- Queue the packet to a user-space +# application such as p2pwall. +# CONTINUE -- Stop processing this action and +# return to the point where the +# action was invoked. +# -- An defined in +# /etc/shorewall/actions. +# The must appear in that +# file BEFORE the one being defined +# in this file. +# -- The name of a macro defined in a +# file named macro.. If +# the macro accepts an action +# parameter (Look at the macro +# source to see if it has PARAM in +# the TARGET column) then the macro +# name is followed by "/" and the +# action (ACCEPT, DROP, REJECT, ...) +# to be substituted for the +# parameter. Example: FTP/ACCEPT. +# +# The TARGET may optionally be followed +# by ":" and a syslog log level (e.g, REJECT:info or +# ACCEPT:debugging). This causes the packet to be +# logged at the specified level. +# +# The special log level 'none' does not result in logging +# but rather exempts the rule from being overridden by a +# non-forcing log level when the action is invoked. 
+# +# You may also specify ULOG (must be in upper case) as a +# log level.This will log to the ULOG target for routing +# to a separate log through use of ulogd +# (http://www.gnumonks.org/projects/ulogd). +# +# Actions specifying logging may be followed by a +# log tag (a string of alphanumeric characters) +# are appended to the string generated by the +# LOGPREFIX (in /etc/shorewall/shorewall.conf). +# +# Example: ACCEPT:info:ftp would include 'ftp ' +# at the end of the log prefix generated by the +# LOGPREFIX setting. +# +# SOURCE Source hosts to which the rule applies. +# A comma-separated list of subnets +# and/or hosts. Hosts may be specified by IP or MAC +# address; mac addresses must begin with "~" and must use +# "-" as a separator. +# +# 192.168.2.2 Host 192.168.2.2 +# +# 155.186.235.0/24 Subnet 155.186.235.0/24 +# +# 10.0.0.4-10.0.0.9 Range of IP addresses; your +# kernel and iptables must have +# iprange match support. +# +# +remote The name of an ipset prefaced +# by "+". Your kernel and +# iptables must have set match +# support +# +# +remote[4] The name of the ipset may +# followed by a number of +# levels of ipset bindings +# enclosed in square brackets. +# +# 192.168.1.1,192.168.1.2 +# Hosts 192.168.1.1 and +# 192.168.1.2. +# ~00-A0-C9-15-39-78 Host with +# MAC address 00:A0:C9:15:39:78. +# +# Alternatively, clients may be specified by interface +# name. For example, eth1 specifies a +# client that communicates with the firewall system +# through eth1. This may be optionally followed by +# another colon (":") and an IP/MAC/subnet address +# as described above (e.g., eth1:192.168.1.5). +# +# DEST Location of destination host. Same as above with +# the exception that MAC addresses are not allowed and +# that you cannot specify an ipset name in both the +# SOURCE and DEST columns. +# +# PROTO Protocol - Must be "tcp", "tcp:syn", "udp", "icmp", +# "ipp2p", "ipp2p:udp", "ipp2p:all", a number, or "all". 
+# "ipp2p*" requires ipp2p match support in your kernel +# and iptables. +# +# "tcp:syn" implies "tcp" plus the SYN flag must be +# set and the RST, ACK and FIN flags must be reset. +# +# DEST PORT(S) Destination Ports. A comma-separated list of Port +# names (from /etc/services), port numbers or port +# ranges; if the protocol is "icmp", this column is +# interpreted as the destination icmp-type(s). +# +# A port range is expressed as :. +# +# This column is ignored if PROTOCOL = all but must be +# entered if any of the following fields are supplied. +# In that case, it is suggested that this field contain +# "-" +# +# If your kernel contains multi-port match support, then +# only a single Netfilter rule will be generated if in +# this list and the CLIENT PORT(S) list below: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. +# +# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted, +# any source port is acceptable. Specified as a comma- +# separated list of port names, port numbers or port +# ranges. +# +# If you don't want to restrict client ports but need to +# specify an ADDRESS in the next column, then place "-" +# in this column. +# +# If your kernel contains multi-port match support, then +# only a single Netfilter rule will be generated if in +# this list and the DEST PORT(S) list above: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. +# +# RATE LIMIT You may rate-limit the rule by placing a value in +# this column: +# +# /[:] +# +# where is the number of connections per +# ("sec" or "min") and is the +# largest burst permitted. If no is given, +# a value of 5 is assumed. There may be no +# no whitespace embedded in the specification. +# +# Example: 10/sec:20 +# +# USER/GROUP This column may only be non-empty if the SOURCE is +# the firewall itself. 
+# +# The column may contain: +# +# [!][][:][+] +# +# When this column is non-empty, the rule applies only +# if the program generating the output is running under +# the effective and/or specified (or is +# NOT running under that id if "!" is given). +# +# Examples: +# +# joe #program must be run by joe +# :kids #program must be run by a member of +# #the 'kids' group +# !:kids #program must not be run by a member +# #of the 'kids' group +# +upnpd #program named upnpd (This feature was +# #removed from Netfilter in kernel +# #version 2.6.14). +# +############################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/actions b/Shorewall-common/actions new file mode 100644 index 000000000..370a1a703 --- /dev/null +++ b/Shorewall-common/actions @@ -0,0 +1,13 @@ +# +# Shorewall version 4 - Actions File +# +# /etc/shorewall/actions +# +# For information about entries in this file, type "man shorewall-actions" +# +# Please see http://shorewall.net/Actions.html for additional information. +# +############################################################################### +#ACTION COMMENT (place '# ' below the 'C' in comment followed by +# v a comment describing the action) +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Shorewall-common/actions.std b/Shorewall-common/actions.std new file mode 100644 index 000000000..8cc596c21 --- /dev/null +++ b/Shorewall-common/actions.std 
@@ -0,0 +1,35 @@ +# +# Shorewall version 4 - Actions.std File +# +# /usr/share/shorewall/actions.std +# +# Please see http://shorewall.net/Actions.html for additional +# information. +# +# Builtin Actions are: +# +# allowBcast # Silently Allow Broadcast/multicast +# dropBcast # Silently Drop Broadcast/multicast +# dropNotSyn # Silently Drop Non-syn TCP packets +# rejNotSyn # Silently Reject Non-syn TCP packets +# dropInvalid # Silently Drop packets that are in the INVALID +# # conntrack state. +# allowInvalid # Accept packets that are in the INVALID +# # conntrack state. +# allowoutUPnP # Allow traffic from local command 'upnpd' (does not +# # work with kernel 2.6.14 and later). +# allowinUPnP # Allow UPnP inbound (to firewall) traffic +# forwardUPnP # Allow traffic that upnpd has redirected from +# # 'upnp' interfaces. +# drop1918src # Drop packets with an RFC 1918 source address +# drop1918dst # Drop packets with an RFC 1918 original dest address +# rej1918src # Reject packets with an RFC 1918 source address +# rej1918dst # Reject packets with an RFC 1918 original dest address +# Limit # Limit the rate of connections from each individual +# # IP address +# +############################################################################### +#ACTION +Drop # Default Action for DROP policy +Reject # Default Action for REJECT policy +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Shorewall-common/blacklist b/Shorewall-common/blacklist new file mode 100755 index 000000000..f8f6229df --- /dev/null +++ b/Shorewall-common/blacklist @@ -0,0 +1,11 @@ +# +# Shorewall version 4 - Blacklist File +# +# For information about entries in this file, type "man shorewall-blacklist" +# +# Please see http://shorewall.net/blacklisting_support.htm for additional +# information. +# +############################################################################### +#ADDRESS/SUBNET PROTOCOL PORT +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt new file mode 100644 index 000000000..b86355ec6 --- /dev/null +++ b/Shorewall-common/changelog.txt @@ -0,0 +1,61 @@ +Changes in Shorewall 4.2.3 + +1) Verify User/Group names. + +2) Don't allow compiled script named 'shorewall'. + +3) Avoid problems when '$' appears on the first line of +/etc/shorewall/compile. + +4) Add the output of "netstat -tunap" to dump + +5) Allow '+' as an interface. + +6) Change ipp2p detection to support latest version. + +7) Fix NEW_CONNTRACK_MATCH. + +8) Make use of --goto. + +9) Allow ressetting individual chains. + +Changes in Shorewall 4.2.2 + +1) Insure that lines copied from a user file are newline-terminated. + +2) Added macro.JAP. + +3) Added macro.DAAP. + +4) Added macro.DCC. + +5) Added macro.GNUnet. + +6) Prevent invalid rules when KLUDGEFREE is not set. + +7) Separated detection of old conntrack syntax from new conntrack + feature detection. + +8) Fix nonat rules with destination IP address. + +9) Correct NEW_CONNTRACK_MATCH with server port but no dest port. + +Changes in Shorewall 4.2.1 + +1) Added CONNBYTES to tcrules manpage. Flesh out description of HELPER. + +2) Fixed minor CONNBYTES editing issue. + +3) Add CONNLIMIT to policy and rules. + +4) Allow use of iptables-1.4.1. + +5) Add time match support. + +6) Applied Lennart Sorensen's patch for length match. + +7) Take advantage of --ctorigdstport + +8) Fix syntax error in 'export' + +Initial release of Shorewall 4.2.0. diff --git a/Shorewall-common/configpath b/Shorewall-common/configpath new file mode 100644 index 000000000..9c442bbbc --- /dev/null +++ b/Shorewall-common/configpath 
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Default Config Path
+#
+# /usr/share/shorewall/configpath
+#
+# Note to maintainers.
+#
+# The CONFDIR variable is normally set to /etc/shorewall but when
+# the command is "compile -e" then CONFDIR is set to
+# /usr/share/shorewall/configfiles/. This prevents 'compile -e'
+# from trying to use configuration information from /etc/shorewall.
+
+CONFIG_PATH=${CONFDIR}:/usr/share/shorewall
diff --git a/Shorewall-common/continue b/Shorewall-common/continue
new file mode 100644
index 000000000..4591f7662
--- /dev/null
+++ b/Shorewall-common/continue
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Continue File
+#
+# /etc/shorewall/continue
+#
+# Add commands below that you want to be executed after shorewall has
+# cleared any existing Netfilter rules and has enabled existing
+# connections.
+#
+# For additional information, see
+# http://shorewall.net/shorewall_extension_scripts.htm
+#
+###############################################################################
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/default.debian b/Shorewall-common/default.debian
new file mode 100644
index 000000000..26b99e8f8
--- /dev/null
+++ b/Shorewall-common/default.debian
@@ -0,0 +1,24 @@
+# prevent startup with default configuration
+# set the following varible to 1 in order to allow Shorewall to start
+
+startup=0
+
+# if your Shorewall configuration requires detection of the ip address of a ppp
+# interface, you must list such interfaces in "wait_interface" to get Shorewall to
+# wait until the interface is configured. Otherwise the script will fail because
+# it won't be able to detect the IP address.
+#
+# Example:
+# wait_interface="ppp0"
+# or
+# wait_interface="ppp0 ppp1"
+# or, if you have defined in /etc/shorewall/params
+# wait_interface=
+
+#
+# Startup options
+#
+
+OPTIONS=""
+
+# EOF
diff --git a/Shorewall-common/ecn b/Shorewall-common/ecn new file mode 100644 index 000000000..c01683c68 --- /dev/null +++ b/Shorewall-common/ecn @@ -0,0 +1,11 @@ +# +# Shorewall version 4 - Ecn File +# +# For information about entries in this file, type "man shorewall-ecn" +# +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-ecn.html +# +############################################################################### +#INTERFACE HOST(S) +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/fallback.sh b/Shorewall-common/fallback.sh new file mode 100755 index 000000000..7e73626ad --- /dev/null +++ b/Shorewall-common/fallback.sh 
@@ -0,0 +1,104 @@
+#!/bin/sh
+#
+# Script to back out the installation of Shoreline Firewall and to restore the previous version of
+# the program
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
+#
+# Shorewall documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Usage:
+#
+# You may only use this script to back out the installation of the version
+# shown below. Simply run this script to revert to your prior version of
+# Shoreline Firewall.
+
+VERSION=4.2.3
+
+usage() # $1 = exit status
+{
+ echo "usage: $(basename $0)"
+ exit $1
+}
+
+restore_directory() # $1 = directory to restore
+{
+ if [ -d ${1}-${VERSION}.bkout ]; then
+ if mv -f $1 ${1}-${VERSION} && mv ${1}-${VERSION}.bkout $1; then
+ echo
+ echo "$1 restored"
+ rm -rf ${1}-${VERSION}
+ else
+ echo "ERROR: Could not restore $1"
+ exit 1
+ fi
+ fi
+}
+
+restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
+{
+ if [ -n "$2" ]; then
+ local file
+ file=$(basename $1)
+
+ if [ -f $2/$file ]; then
+ if mv -f $2/$file $1 ; then
+ echo
+ echo "$1 restored"
+ return
+ fi
+
+ echo "ERROR: Could not restore $1"
+ exit 1
+ fi
+ fi
+
+ if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
+ if (mv -f ${1}-${VERSION}.bkout $1); then
+ echo
+ echo "$1 restored"
+ else
+ echo "ERROR: Could not restore $1"
+ exit 1
+ fi
+ fi
+}
+
+if [ ! -f /usr/share/shorewall-${VERSION}.bkout/version ]; then
+ echo "Shorewall Version $VERSION is not installed"
+ exit 1
+fi
+
+echo "Backing Out Installation of Shorewall $VERSION"
+
+if [ -L /usr/share/shorewall/init ]; then
+ FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
+ restore_file $FIREWALL /usr/share/shorewall-${VERSION}.bkout
+else
+ restore_file /etc/init.d/shorewall /usr/share/shorewall-${VERSION}.bkout
+fi
+
+restore_file /sbin/shorewall /var/lib/shorewall-${VERSION}.bkout
+
+restore_directory /etc/shorewall
+restore_directory /usr/share/shorewall
+restore_directory /var/lib/shorewall
+
+echo "Shorewall Restored to Version $(cat /usr/share/shorewall/version)"
+
+
diff --git a/Shorewall-common/firewall b/Shorewall-common/firewall
new file mode 100755
index 000000000..cc2446eb0
--- /dev/null
+++ b/Shorewall-common/firewall
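Review bot: `FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')` recovers the symlink target by parsing `ls -l` output, which depends on the listing format and on the target path never containing `> `; `FIREWALL=$(readlink /usr/share/shorewall/init)` yields the same value directly. That result and the other paths the script moves (`$1`, `$2/$file`, `$(basename $0)`) are expanded unquoted, and the `.bkout` test uses the deprecated `-o` form, for which `[ -f "${1}-${VERSION}.bkout" ] || [ -L "${1}-${VERSION}.bkout" ]` is the portable equivalent. `usage()` is defined but never called, so stray arguments are silently ignored instead of being rejected.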
@@ -0,0 +1,669 @@
+#!/bin/sh
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# If an error occurs while starting or restarting the firewall, the
+# firewall is automatically stopped.
+#
+# Commands are:
+#
+# firewall stop Stops the firewall
+# firewall reset Resets iptables packet and
+# byte counts
+# firewall clear Remove all Shorewall chains
+# and rules/policies.
+# firewall add [:] zone Adds a host or subnet to a zone
+# firewall delete [:] zone Deletes a host or subnet from a zone
+#
+#
+# Fatal error -- stops the firewall after issuing the error message
+#
+fatal_error() # $* = Error Message
+{
+ echo " ERROR: $@" >&2
+ stop_firewall
+ exit 2
+}
+
+#
+# Fatal error during startup -- generate an error message and abend without
+# altering the state of the firewall
+#
+startup_error() # $* = Error Message
+{
+ echo " ERROR: $@" >&2
+ [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
+ [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
+ kill $$
+ exit 2
+}
+
+#
+# Send a message to STDOUT and the System Log
+#
+report () { # $* = message
+ progress_message3 "$@"
+ logger -p kern.info "$@"
+}
+
+#
+# Run iptables and if an error occurs, stop the firewall and quit
+#
+run_iptables() {
+ if [ -z "$KLUDGEFREE" ]; then
+ #
+ # Purge the temporary files that we use to prevent duplicate '-m' specifications
+ #
+ [ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
+ [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
+ fi
+
+ if ! $IPTABLES $@ ; then
+ if [ -z "$STOPPING" ]; then
+ error_message "ERROR: Command \"$IPTABLES $@\" Failed"
+ stop_firewall
+ exit 2
+ fi
+ fi
+}
+
+#
+# Version of 'run_iptables' that inserts white space after "!" in the arg list
+#
+run_iptables2() {
+
+ case "$@" in
+ *!*)
+ run_iptables $(fix_bang $@)
+ ;;
+ *)
+ run_iptables $@
+ ;;
+ esac
+
+}
+
+#
+# Quietly run iptables
+#
+qt_iptables() {
+ if [ -z "$KLUDGEFREE" ]; then
+ #
+ # Purge the temporary files that we use to prevent duplicate '-m' specifications
+ #
+ [ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
+ [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
+ fi
+
+ qt $IPTABLES $@
+}
+
+#
+# Run ip and if an error occurs, stop the firewall and quit
+#
+run_ip() {
+ if ! 
ip $@ ; then
+ if [ -z "$STOPPING" ]; then
+ error_message "ERROR: Command \"ip $@\" Failed"
+ stop_firewall
+ exit 2
+ fi
+ fi
+}
+
+#
+# Run tc and if an error occurs, stop the firewall and quit
+#
+run_tc() {
+ if ! tc $@ ; then
+ if [ -z "$STOPPING" ]; then
+ error_message "ERROR: Command \"tc $@\" Failed"
+ stop_firewall
+ exit 2
+ fi
+ fi
+}
+
+#
+# Delete a chain if it exists
+#
+deletechain() # $1 = name of chain
+{
+ qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
+}
+
+#
+# Find broadcast addresses -- if we are compiling a script and 'detect' is specified for an interface
+# the function returns nothing for that interface
+#
+find_broadcasts() {
+ for interface in $ALL_INTERFACES; do
+ eval bcast=\$$(chain_base $interface)_broadcast
+ if [ "x$bcast" = "xdetect" ]; then
+ ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+ elif [ "x${bcast}" != "x-" ]; then
+ echo $(separate_list $bcast)
+ fi
+ done
+}
+
+#
+# For each entry in the CRITICALHOSTS global list, add INPUT and OUTPUT rules to
+# enable traffic to/from those hosts.
+#
+enable_critical_hosts()
+{
+ for host in $CRITICALHOSTS; do
+ interface=${host%:*}
+ networks=${host#*:}
+ $IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
+ $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
+ done
+}
+
+#
+# For each entry in the CRITICALHOSTS global list, delete the INPUT and OUTPUT rules that
+# enable traffic to/from those hosts.
+#
+disable_critical_hosts()
+{
+ for host in $CRITICALHOSTS; do
+ interface=${host%:*}
+ networks=${host#*:}
+ $IPTABLES -D INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
+ $IPTABLES -D OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
+ done
+}
+
+#
+# Undo changes to routing
+#
+undo_routing() {
+
+ #
+ # Restore rt_tables database
+ #
+ if [ -f ${VARDIR}/rt_tables ]; then
+ [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
+ rm -f ${VARDIR}/rt_tables
+ fi
+ #
+ # Restore the rest of the routing table
+ #
+ if [ -f ${VARDIR}/undo_routing ]; then
+ . ${VARDIR}/undo_routing
+ progress_message "Shorewall-generated routing tables and routing rules removed"
+ rm -f ${VARDIR}/undo_routing
+ fi
+
+}
+
+restore_default_route() {
+ if [ -f ${VARDIR}/default_route ]; then
+ local default_route
+ default_route=
+ local route
+
+ while read route ; do
+ case $route in
+ default*)
+ if [ -n "$default_route" ]; then
+ case "$default_route" in
+ *metric*)
+ #
+ # Don't restore a route with a metric -- we only replace the one with metric == 0
+ #
+ qt ip route delete default metric 0 && \
+ progress_message "Default Route with metric 0 deleted"
+ ;;
+ *)
+ qt ip route replace $default_route && \
+ progress_message "Default Route (${default_route# }) restored"
+ ;;
+ esac
+
+ break
+ fi
+
+ default_route="$default_route $route"
+ ;;
+ *)
+ default_route="$default_route $route"
+ ;;
+ esac
+ done < ${VARDIR}/default_route
+
+ rm -f ${VARDIR}/default_route
+ fi
+}
+
+#
+# Stop the Firewall
+#
+stop_firewall() {
+ #
+ # Turn off trace unless we were tracing "stop" or "clear"
+ #
+
+ [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
+
+ case $COMMAND in
+ stop|clear)
+ ;;
+ *)
+ set +x
+
+ [ -n "${RESTOREFILE:=restore}" ]
+
+ RESTOREPATH=${VARDIR}/$RESTOREFILE
+
+ if [ -x $RESTOREPATH ]; then
+
+ if [ -x ${RESTOREPATH}-ipsets ]; then
+ progress_message2 
Restoring Ipsets...
+ #
+ # We must purge iptables to be sure that there are no
+ # references to ipsets
+ #
+ for table in mangle nat filter; do
+ iptables -t $table -F
+ iptables -t $table -X
+ done
+
+ ${RESTOREPATH}-ipsets
+ fi
+
+ echo Restoring Shorewall...
+
+ if $RESTOREPATH restore; then
+ echo "Shorewall restored from $RESTOREPATH"
+ set_state "Started"
+ else
+ set_state "Unknown"
+ fi
+
+ kill $$
+ exit 2
+ fi
+ ;;
+ esac
+
+ set_state "Stopping"
+
+ STOPPING="Yes"
+
+ TERMINATOR=
+
+ deletechain shorewall
+
+ run_user_exit stop
+
+ if [ -n "$MANGLE_ENABLED" ]; then
+ run_iptables -t mangle -F
+ run_iptables -t mangle -X
+ for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+ qt $IPTABLES -t mangle -P $chain ACCEPT
+ done
+ fi
+
+ if [ -n "$RAW_TABLE" ]; then
+ run_iptables -t raw -F
+ run_iptables -t raw -X
+ for chain in PREROUTING OUTPUT; do
+ qt $IPTABLES -t raw -P $chain ACCEPT
+ done
+ fi
+
+ if [ -n "$NAT_ENABLED" ]; then
+ delete_nat
+ for chain in PREROUTING POSTROUTING OUTPUT; do
+ qt $IPTABLES -t nat -P $chain ACCEPT
+ done
+ fi
+
+ delete_proxy_arp
+ [ -n "$CLEAR_TC" ] && delete_tc1
+
+ undo_routing
+ restore_default_route
+
+ [ -n "$DISABLE_IPV6" ] && disable_ipv6
+
+ undo_routing
+ restore_default_route
+
+ process_criticalhosts
+
+ if [ -n "$CRITICALHOSTS" ]; then
+ if [ -z "$ADMINISABSENTMINDED" ]; then
+ for chain in INPUT OUTPUT; do
+ setpolicy $chain ACCEPT
+ done
+
+ setpolicy FORWARD DROP
+
+ deleteallchains
+
+ enable_critical_hosts
+
+ for chain in INPUT OUTPUT; do
+ setpolicy $chain DROP
+ done
+ else
+ for chain in INPUT OUTPUT; do
+ setpolicy $chain ACCEPT
+ done
+
+ setpolicy FORWARD DROP
+
+ deleteallchains
+
+ enable_critical_hosts
+
+ setpolicy INPUT DROP
+
+ for chain in INPUT FORWARD; do
+ setcontinue $chain
+ done
+ fi
+ elif [ -z "$ADMINISABSENTMINDED" ]; then
+ for chain in INPUT OUTPUT FORWARD; do
+ setpolicy $chain DROP
+ done
+
+ deleteallchains
+ else
+ for chain in INPUT FORWARD; do
+ setpolicy $chain DROP
+ 
done
+
+ setpolicy OUTPUT ACCEPT
+
+ deleteallchains
+
+ for chain in INPUT FORWARD; do
+ setcontinue $chain
+ done
+ fi
+
+ process_routestopped -A
+
+ $IPTABLES -A INPUT -i lo -j ACCEPT
+ [ -z "$ADMINISABSENTMINDED" ] && \
+ $IPTABLES -A OUTPUT -o lo -j ACCEPT
+
+ for interface in $(find_interfaces_by_option dhcp); do
+ $IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
+ [ -z "$ADMINISABSENTMINDED" ] && \
+ $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
+ #
+ # This might be a bridge
+ #
+ $IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
+ done
+
+ case "$IP_FORWARDING" in
+ On|on|ON|Yes|yes|YES)
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+ progress_message2 "IP Forwarding Enabled"
+ ;;
+ Off|off|OFF|No|no|NO)
+ echo 0 > /proc/sys/net/ipv4/ip_forward
+ progress_message2 "IP Forwarding Disabled!"
+ ;;
+ esac
+
+ run_user_exit stopped
+
+ set_state "Stopped"
+
+ logger -p kern.info "Shorewall Stopped"
+
+ rm -rf $TMP_DIR
+
+ case $COMMAND in
+ stop|clear)
+ ;;
+ *)
+ #
+ # The firewall is being stopped when we were trying to do something
+ # else. 
Remove the lock file and Kill the shell in case we're in a
+ # subshell
+ #
+ kill $$
+ ;;
+ esac
+}
+
+#
+# Remove all rules and remove all user-defined chains
+#
+clear_firewall() {
+ stop_firewall
+
+ setpolicy INPUT ACCEPT
+ setpolicy FORWARD ACCEPT
+ setpolicy OUTPUT ACCEPT
+
+ run_iptables -F
+
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ if [ -n "$DISABLE_IPV6" ] && qt mywhich ip6tables; then
+ ip6tables -P INPUT ACCEPT 2> /dev/null
+ ip6tables -P OUTPUT ACCEPT 2> /dev/null
+ ip6tables -P FORWARD ACCEPT 2> /dev/null
+ fi
+
+ run_user_exit clear
+
+ set_state "Cleared"
+
+ logger -p kern.info "Shorewall Cleared"
+}
+
+#
+# Delete existing Proxy ARP
+#
+delete_proxy_arp() {
+ if [ -f ${VARDIR}/proxyarp ]; then
+ while read address interface external haveroute; do
+ qt arp -i $external -d $address pub
+ [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
+ f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+ [ -f $f ] && echo 0 > $f
+ done < ${VARDIR}/proxyarp
+ fi
+
+ rm -f ${VARDIR}/proxyarp
+}
+
+#
+# Delete existing Static NAT
+#
+delete_nat() {
+ run_iptables -t nat -F
+ run_iptables -t nat -X
+
+ if [ -f ${VARDIR}/nat ]; then
+ while read external interface; do
+ qt ip addr del $external dev $interface
+ done < ${VARDIR}/nat
+
+ rm -f ${VARDIR}/nat
+ fi
+
+ [ -d ${VARDIR} ] && touch ${VARDIR}/nat
+}
+
+#
+# Check for disabled startup
+#
+check_disabled_startup() {
+ if [ -z "$STARTUP_ENABLED" ]; then
+ echo " Shorewall Startup is disabled -- to enable startup"
+ echo " after you have completed Shorewall configuration,"
+ echo " change the setting of STARTUP_ENABLED to Yes in"
+ echo " ${CONFDIR}/shorewall.conf"
+
+ [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
+ exit 2
+ fi
+}
+
+#
+# Give Usage Information
+#
+usage() {
+ echo "Usage: $0 [debug] {start|stop|reset|restart|clear}"
+ exit 1
+}
+
+#
+# E X E C U T I O N B E G I N S H E R E
+#
+#
+# Start trace if first arg is "debug" or "trace"
+#
+[ $# -gt 1 ] && [ "x$1" = xdebug -o "$x$1" = 
xtrace ] && { set -x ; shift ; } + +NOLOCK= + +[ $# -gt 1 ] && [ "$1" = "nolock" ] && { NOLOCK=Yes; shift ; } + +SHAREDIR=/usr/share/shorewall +CONFDIR=/etc/shorewall + +[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ] + +[ -n "${VARDIR:=/var/lib/shorewall}" ] + +for library in lib.base lib.config; do + FUNCTIONS=${SHAREDIR}/${library} + + if [ -f $FUNCTIONS ]; then + [ $VERBOSE -ge 2 ] && echo "Loading $FUNCTIONS..." + . $FUNCTIONS + else + fatal_error "Installation error: $FUNCTIONS does not exist!" + fi +done + +PROGRAM=firewall + +COMMAND="$1" + +case "$COMMAND" in + stop) + [ $# -ne 1 ] && usage + do_initialize + # + # Don't want to do a 'stop' when startup is disabled + # + check_disabled_startup + progress_message3 "Stopping Shorewall..." + stop_firewall + [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK + progress_message3 "done." + ;; + + reset) + do_initialize + if ! shorewall_is_started ; then + echo "Shorewall Not Started" + [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR + exit 2; + fi + if [ $# -eq 1 ]; then + $IPTABLES -Z + $IPTABLES -t nat -Z + $IPTABLES -t mangle -Z + report "Shorewall Counters Reset" + date > ${VARDIR}/restarted + else + shift; + for chain in $@; do + if chain_exists $chain; then + if qt $IPTABLES -Z $chain; then + progress_message3 "Filter table $chain Counters Reset" + else + error_message "ERROR: Reset of chain $chain failed" + status=2 + break + fi + else + error_message "WARNING: Filter Chain $chain does not exist" + fi + done + fi + ;; + + clear) + [ $# -ne 1 ] && usage + do_initialize + progress_message3 "Clearing Shorewall..." + clear_firewall + [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK + progress_message3 "done." + ;; + + add) + [ $# -lt 3 ] && usage + do_initialize + lib_load dynamiczones "The add command" + if ! 
shorewall_is_started ; then + echo "Shorewall Not Started" + [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR + exit 2; + fi + shift + add_to_zone $@ + ;; + + delete) + [ $# -lt 3 ] && usage + lib_load dynamiczones "The delete command" + do_initialize + if ! shorewall_is_started ; then + echo "Shorewall Not Started" + [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR + exit 2; + fi + shift + delete_from_zone $@ + ;; + + call) + # + # Undocumented way to call functions in ${SHAREDIR}/firewall directly + # + shift + do_initialize + EMPTY= + $@ + ;; + + *) + usage + ;; + +esac diff --git a/Shorewall-common/hosts b/Shorewall-common/hosts new file mode 100644 index 000000000..d68a030cf --- /dev/null +++ b/Shorewall-common/hosts @@ -0,0 +1,11 @@ +# +# Shorewall version 4 - Hosts file +# +# For information about entries in this file, type "man shorewall-hosts" +# +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-hosts.html +# +############################################################################### +#ZONE HOST(S) OPTIONS +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall-common/init b/Shorewall-common/init new file mode 100644 index 000000000..ce1dc70ba --- /dev/null +++ b/Shorewall-common/init @@ -0,0 +1,13 @@ +# +# Shorewall version 4 - Init File +# +# /etc/shorewall/init +# +# Add commands below that you want to be executed at the beginning of +# a "shorewall start" or "shorewall restart" command. +# +# For additional information, see +# http://shorewall.net/shorewall_extension_scripts.htm +# +############################################################################### +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/init.archlinux.sh b/Shorewall-common/init.archlinux.sh new file mode 100755 index 000000000..91040787c --- /dev/null +++ b/Shorewall-common/init.archlinux.sh 
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+OPTIONS="-f"
+
+if [ -f /etc/sysconfig/shorewall ] ; then
+ . /etc/sysconfig/shorewall
+elif [ -f /etc/default/shorewall ] ; then
+ . /etc/default/shorewall
+fi
+
+# if you want to override options, do so in /etc/sysconfig/shorewall or
+# in /etc/default/shorewall --
+# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
+
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon.
+
+case "$1" in
+ start)
+ stat_busy "Starting $DAEMON_NAME"
+ /sbin/shorewall $OPTIONS start &>/dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ add_daemon $DAEMON_NAME
+ stat_done
+ fi
+ ;;
+
+
+ stop)
+ stat_busy "Stopping $DAEMON_NAME"
+ /sbin/shorewall stop &>/dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ rm_daemon $DAEMON_NAME
+ stat_done
+ fi
+ ;;
+
+ restart|reload)
+ stat_busy "Restarting $DAEMON_NAME"
+ /sbin/shorewall restart &>/dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ stat_done
+ fi
+ ;;
+
+ *)
+ echo "usage: $0 {start|stop|restart}"
+esac
+exit 0
+
diff --git a/Shorewall-common/init.debian.sh b/Shorewall-common/init.debian.sh
new file mode 100755
index 000000000..7f5667c85
--- /dev/null
+++ b/Shorewall-common/init.debian.sh
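Review bot: Every path in this script ends in the unconditional `exit 0` on its last line, including the two `stat_fail` branches and the `*)` usage arm, so a failed `shorewall start` or `stop` is reported to rc.d and to anyone checking `$?` as success. Capture the result instead, e.g. `rc=$?` right after each `/sbin/shorewall ... &>/dev/null` call and `exit "${rc:-0}"` in place of the final `exit 0`, and have the usage arm print to stderr and set a non-zero status, `echo "usage: $0 {start|stop|restart}" >&2; rc=1 ;;`. The `*)` arm is also the only one without a terminating `;;`, which is legal before `esac` but inconsistent with the other arms.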
@@ -0,0 +1,129 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: shorewall +# Required-Start: $network +# Required-Stop: $network +# Default-Start: S +# Default-Stop: 0 6 +# Short-Description: Configure the firewall at boot time +# Description: Configure the firewall according to the rules specified in +# /etc/shorewall +### END INIT INFO + + + +SRWL=/sbin/shorewall +SRWL_OPTS="-tvv" +WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup +# Note, set INITLOG to /dev/null if you do not want to +# keep logs of the firewall (not recommended) +INITLOG=/var/log/shorewall-init.log + +test -x $SRWL || exit 0 +test -x $WAIT_FOR_IFUP || exit 0 +test -n $INITLOG || { + echo "INITLOG cannot be empty, please configure $0" ; + exit 1; +} + +if [ "$(id -u)" != "0" ] +then + echo "You must be root to start, stop or restart \"Shorewall firewall\"." + exit 1 +fi + +echo_notdone () { + + if [ "$INITLOG" = "/dev/null" ] ; then + echo "not done." + else + echo "not done (check $INITLOG)." + fi + +} + +not_configured () { + echo "#### WARNING ####" + echo "The firewall won't be started/stopped unless it is configured" + if [ "$1" != "stop" ] + then + echo "" + echo "Please read about Debian specific customization in" + echo "/usr/share/doc/shorewall-common/README.Debian.gz." + fi + echo "#################" + exit 0 +} + +# check if shorewall is configured or not +if [ -f "/etc/default/shorewall" ] +then + . /etc/default/shorewall + SRWL_OPTS="$SRWL_OPTS $OPTIONS" + if [ "$startup" != "1" ] + then + not_configured + fi +else + not_configured +fi + +# wait for an unconfigured interface +wait_for_pppd () { + if [ "$wait_interface" != "" ] + then + for i in $wait_interface + do + $WAIT_FOR_IFUP $i 90 + done + fi +} + +# start the firewall +shorewall_start () { + echo -n "Starting \"Shorewall firewall\": " + wait_for_pppd + $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && echo "done." 
|| echo_notdone + return 0 +} + +# stop the firewall +shorewall_stop () { + echo -n "Stopping \"Shorewall firewall\": " + $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone + return 0 +} + +# restart the firewall +shorewall_restart () { + echo -n "Restarting \"Shorewall firewall\": " + $SRWL $SRWL_OPTS restart >> $INITLOG 2>&1 && echo "done." || echo_notdone + return 0 +} + +# refresh the firewall +shorewall_refresh () { + echo -n "Refreshing \"Shorewall firewall\": " + $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone + return 0 +} + +case "$1" in + start) + shorewall_start + ;; + stop) + shorewall_stop + ;; + refresh) + shorewall_refresh + ;; + force-reload|restart) + shorewall_restart + ;; + *) + echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload}" + exit 1 +esac + +exit 0 diff --git a/Shorewall-common/init.sh b/Shorewall-common/init.sh new file mode 100755 index 000000000..c3956d2d2 --- /dev/null +++ b/Shorewall-common/init.sh 
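Review bot: The guard `test -n $INITLOG || {` near the top of the file never fires: when INITLOG is empty the unquoted expansion leaves `test -n` with a single argument, and POSIX `test` with one argument is true, so the "INITLOG cannot be empty" abort is unreachable; quote it, `test -n "$INITLOG" || {`, and the same applies to `test -x $SRWL` and `test -x $WAIT_FOR_IFUP`. Separately, `shorewall_stop` runs `$SRWL $SRWL_OPTS clear`, and in the `firewall` script earlier in this commit `clear_firewall` flushes the rules and sets the INPUT, FORWARD and OUTPUT policies to ACCEPT, so `/etc/init.d/shorewall stop` leaves the host unfiltered rather than in Shorewall's stopped state where only routestopped traffic is allowed; that choice deserves a comment at `shorewall_stop`, such as `# NB: runs 'clear', not 'stop' -- all filtering is removed, the host is open`. The `not_configured` helper is also reachable from `stop` and exits 0 without touching the firewall, which is presumably intended for package removal but is worth saying in its comment.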
@@ -0,0 +1,90 @@
+#!/bin/sh
+RCDLINKS="2,S41 3,S41 6,K41"
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
+#
+# On most distributions, this file should be called /etc/init.d/shorewall.
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# If an error occurs while starting or restarting the firewall, the
+# firewall is automatically stopped.
+#
+# Commands are:
+#
+# shorewall start Starts the firewall
+# shorewall restart Restarts the firewall
+# shorewall reload Reload the firewall
+# (same as restart)
+# shorewall stop Stops the firewall
+# shorewall status Displays firewall status
+#
+
+# chkconfig: 2345 25 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall
+# Required-Start: $local_fs $remote_fs $syslog
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start: 2 3 5
+# Default-Stop: 0 1 6
+# Description: starts and stops the shorewall firewall
+### END INIT INFO
+
+################################################################################
+# Give Usage Information #
+################################################################################
+usage() {
+ echo "Usage: $0 start|stop|reload|restart|status"
+ exit 1
+}
+
+################################################################################
+# Get startup options (override default)
+################################################################################
+OPTIONS="-v0"
+if [ -f /etc/sysconfig/shorewall ]; then
+ . /etc/sysconfig/shorewall
+elif [ -f /etc/default/shorewall ] ; then
+ . /etc/default/shorewall
+fi
+
+################################################################################
+# E X E C U T I O N B E G I N S H E R E #
+################################################################################
+command="$1"
+
+case "$command" in
+ start|restart|stop)
+ exec /sbin/shorewall $OPTIONS $@
+ ;;
+ stop|restart|status)
+ exec /sbin/shorewall $@
+ ;;
+ reload)
+ shift
+ exec /sbin/shorewall $OPTIONS restart $@
+ ;;
+ *)
+ usage
+ ;;
+esac
diff --git a/Shorewall-common/initdone b/Shorewall-common/initdone
new file mode 100755
index 000000000..ed5764491
--- /dev/null
+++ b/Shorewall-common/initdone
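Review bot: The case arms `start|restart|stop)` and `stop|restart|status)` overlap; `case` takes the first matching arm, so `stop` and `restart` always run through the first arm with `$OPTIONS` and the second arm is only ever reached for `status`, which makes the patterns misleading to the next reader. Rename the second pattern to `status)` so it says what it does, and pass the arguments as `"$@"` in all three `exec /sbin/shorewall` lines so an argument containing whitespace survives the hand-off. The `OPTIONS` value comes from sourcing `/etc/sysconfig/shorewall` or `/etc/default/shorewall`, so a short comment that it is deliberately word-split (`# $OPTIONS is intentionally unquoted: it may hold several flags`) would stop a later cleanup from quoting it.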
@@ -0,0 +1,14 @@ +# +# Shorewall version 4 - Initdone File +# +# /etc/shorewall/initdone +# +# Add commands below that you want to be executed during +# "shorewall start" or "shorewall restart" commands at the point where +# Shorewall has not yet added any perminent rules to the builtin chains. +# +# For additional information, see +# http://shorewall.net/shorewall_extension_scripts.htm +# +############################################################################### +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/install.sh b/Shorewall-common/install.sh new file mode 100755 index 000000000..0379d22c2 --- /dev/null +++ b/Shorewall-common/install.sh 
@@ -0,0 +1,776 @@ +#!/bin/sh +# +# Script to install Shoreline Firewall +# +# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] +# +# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) +# +# Shorewall documentation is available at http://shorewall.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# + +VERSION=4.2.3 + +usage() # $1 = exit status +{ + ME=$(basename $0) + echo "usage: $ME" + echo " $ME -v" + echo " $ME -h" + echo " $ME -n" + exit $1 +} + +split() { + local ifs + ifs=$IFS + IFS=: + set -- $1 + echo $* + IFS=$ifs +} + +qt() +{ + "$@" >/dev/null 2>&1 +} + +mywhich() { + local dir + + for dir in $(split $PATH); do + if [ -x $dir/$1 ]; then + echo $dir/$1 + return 0 + fi + done + + return 2 +} + +run_install() +{ + if ! install $*; then + echo + echo "ERROR: Failed to install $*" >&2 + exit 1 + fi +} + +cant_autostart() +{ + echo + echo "WARNING: Unable to configure shorewall to start automatically at boot" >&2 +} + +backup_directory() # $1 = directory to backup +{ + if [ -d $1 ]; then + if cp -a $1 ${1}-${VERSION}.bkout ; then + echo + echo "$1 saved to ${1}-${VERSION}.bkout" + else + exit 1 + fi + fi +} + +backup_file() # $1 = file to backup, $2 = (optional) Directory in which to create the backup +{ + if [ -z "${PREFIX}{NOBACKUP}" ]; then + if [ -f $1 -a ! 
-f ${1}-${VERSION}.bkout ]; then + if [ -n "$2" ]; then + if [ -d $2 ]; then + if cp -f $1 $2 ; then + echo + echo "$1 saved to $2/$(basename $1)" + else + exit 1 + fi + fi + elif cp $1 ${1}-${VERSION}.bkout; then + echo + echo "$1 saved to ${1}-${VERSION}.bkout" + else + exit 1 + fi + fi + fi +} + +delete_file() # $1 = file to delete +{ + rm -f $1 +} + +install_file() # $1 = source $2 = target $3 = mode +{ + run_install $OWNERSHIP -m $3 $1 ${2} +} + +install_file_with_backup() # $1 = source $2 = target $3 = mode $4 = (optional) backup directory +{ + backup_file $2 $4 + run_install $OWNERSHIP -m $3 $1 ${2} +} + +# +# Parse the run line +# +# DEST is the SysVInit script directory +# INIT is the name of the script in the $DEST directory +# RUNLEVELS is the chkconfig parmeters for firewall +# ARGS is "yes" if we've already parsed an argument +# +ARGS="" + +if [ -z "$DEST" ] ; then + DEST="/etc/init.d" +fi + +if [ -z "$INIT" ] ; then + INIT="shorewall" +fi + +if [ -z "$RUNLEVELS" ] ; then + RUNLEVELS="" +fi + +DEBIAN= +CYGWIN= + +case $(uname) in + CYGWIN*) + DEST= + INIT= + OWNER=$(id -un) + GROUP=$(id -gn) + CYGWIN=Yes + ;; + *) + [ -z "$OWNER" ] && OWNER=root + [ -z "$GROUP" ] && GROUP=root + ;; +esac + +OWNERSHIP="-o $OWNER -g $GROUP" + +NOBACKUP= + +while [ $# -gt 0 ] ; do + case "$1" in + -h|help|?) + usage 0 + ;; + -v) + echo "Shorewall Firewall Installer Version $VERSION" + exit 0 + ;; + -n) + NOBACKUP=Yes + ;; + *) + usage 1 + ;; + esac + shift + ARGS="yes" +done + +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin + +# +# Determine where to install the firewall script +# + +if [ -n "$PREFIX" ]; then + if [ -z "$CYGWIN" ]; then + if [ `id -u` != 0 ] ; then + echo "Not setting file owner/group permissions, not running as root." 
+ OWNERSHIP="" + fi + + install -d $OWNERSHIP -m 755 ${PREFIX}/sbin + install -d $OWNERSHIP -m 755 ${PREFIX}${DEST} + fi +else + [ -x /usr/share/shorewall-shell/compiler -o -x /usr/share/shorewall-perl/compiler.pl ] || \ + { echo " ERROR: No Shorewall compiler is installed" >&2; exit 1; } + if [ -z "$CYGWIN" ]; then + if [ -d /etc/apt -a -e /usr/bin/dpkg ]; then + DEBIAN=yes + elif [ -f /etc/slackware-version ] ; then + DEST="/etc/rc.d" + INIT="rc.firewall" + elif [ -f /etc/arch-release ] ; then + DEST="/etc/rc.d" + INIT="shorewall" + ARCHLINUX=yes + fi + fi +fi + +# +# Change to the directory containing this script +# +cd "$(dirname $0)" + +echo "Installing Shorewall-common Version $VERSION" + +# +# Check for /etc/shorewall +# +if [ -d ${PREFIX}/etc/shorewall ]; then + first_install="" + if [ -z "$NOBACKUP" ]; then + backup_directory ${PREFIX}/etc/shorewall + backup_directory ${PREFIX}/usr/share/shorewall + backup_directory ${PREFIX}/var/lib/shorewall + fi +else + first_install="Yes" +fi + +if [ -z "$CYGWIN" ]; then + install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0755 ${PREFIX}/var/lib/shorewall-${VERSION}.bkout + echo "shorewall control program installed in ${PREFIX}/sbin/shorewall" +else + install_file_with_backup shorewall ${PREFIX}/bin/shorewall 0755 ${PREFIX}/var/lib/shorewall-${VERSION}.bkout + echo "shorewall control program installed in ${PREFIX}/bin/shorewall" +fi + + +# +# Install the Firewall Script +# +if [ -n "$DEBIAN" ]; then + install_file_with_backup init.debian.sh /etc/init.d/shorewall 0544 ${PREFIX}/usr/share/shorewall-${VERSION}.bkout +elif [ -n "$ARCHLINUX" ]; then + install_file_with_backup init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-${VERSION}.bkout +elif [ -n "$INIT" ]; then + install_file_with_backup init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-${VERSION}.bkout +fi + +[ -n "$CYGWIN" ] || echo "Shorewall script installed in ${PREFIX}${DEST}/$INIT" + +# +# Create 
/etc/shorewall, /usr/share/shorewall and /var/shorewall if needed +# +mkdir -p ${PREFIX}/etc/shorewall +mkdir -p ${PREFIX}/usr/share/shorewall +mkdir -p ${PREFIX}/usr/share/shorewall/configfiles +mkdir -p ${PREFIX}/var/lib/shorewall + +chmod 755 ${PREFIX}/etc/shorewall +chmod 755 ${PREFIX}/usr/share/shorewall +chmod 755 ${PREFIX}/usr/share/shorewall/configfiles +# +# Install the config file +# +run_install $OWNERSHIP -m 0644 shorewall.conf ${PREFIX}/usr/share/shorewall/configfiles/shorewall.conf + +qt mywhich perl && perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall|;' ${PREFIX}/usr/share/shorewall/configfiles/shorewall.conf + +if [ ! -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then + run_install $OWNERSHIP -m 0644 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf + echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf" +fi + + +if [ -n "$ARCHLINUX" ] ; then + sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall/shorewall.conf +fi +# +# Install the zones file +# +run_install $OWNERSHIP -m 0644 zones ${PREFIX}/usr/share/shorewall/configfiles/zones + +if [ -z "$CYGWIN" -a ! 
-f ${PREFIX}/etc/shorewall/zones ]; then + run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall/zones + echo "Zones file installed as ${PREFIX}/etc/shorewall/zones" +fi + +delete_file ${PREFIX}/usr/share/shorewall/compiler +delete_file ${PREFIX}/usr/share/shorewall/lib.accounting +delete_file ${PREFIX}/usr/share/shorewall/lib.actions +delete_file ${PREFIX}/usr/share/shorewall/lib.dynamiczones +delete_file ${PREFIX}/usr/share/shorewall/lib.maclist +delete_file ${PREFIX}/usr/share/shorewall/lib.nat +delete_file ${PREFIX}/usr/share/shorewall/lib.providers +delete_file ${PREFIX}/usr/share/shorewall/lib.proxyarp +delete_file ${PREFIX}/usr/share/shorewall/lib.tc +delete_file ${PREFIX}/usr/share/shorewall/lib.tcrules +delete_file ${PREFIX}/usr/share/shorewall/lib.tunnels +delete_file ${PREFIX}/usr/share/shorewall/prog.header +delete_file ${PREFIX}/usr/share/shorewall/prog.footer + +# +# Install wait4ifup +# + +install_file wait4ifup ${PREFIX}/usr/share/shorewall/wait4ifup 0755 + +echo +echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall/wait4ifup" + +# +# Install the policy file +# +run_install $OWNERSHIP -m 0644 policy ${PREFIX}/usr/share/shorewall/configfiles/policy + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/policy ]; then + run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall/policy + echo "Policy file installed as ${PREFIX}/etc/shorewall/policy" +fi +# +# Install the interfaces file +# +run_install $OWNERSHIP -m 0644 interfaces ${PREFIX}/usr/share/shorewall/configfiles/interfaces + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/interfaces ]; then + run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces + echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces" +fi +# +# Install the ipsec file +# +run_install $OWNERSHIP -m 0644 ipsec ${PREFIX}/usr/share/shorewall/configfiles/ipsec + +if [ -z "$CYGWIN" -a ! 
-f ${PREFIX}/etc/shorewall/ipsec ]; then + run_install $OWNERSHIP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec + echo "Dummy IPSEC file installed as ${PREFIX}/etc/shorewall/ipsec" +fi + +# +# Install the hosts file +# +run_install $OWNERSHIP -m 0644 hosts ${PREFIX}/usr/share/shorewall/configfiles/hosts + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/hosts ]; then + run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts + echo "Hosts file installed as ${PREFIX}/etc/shorewall/hosts" +fi +# +# Install the rules file +# +run_install $OWNERSHIP -m 0644 rules ${PREFIX}/usr/share/shorewall/configfiles/rules + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/rules ]; then + run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall/rules + echo "Rules file installed as ${PREFIX}/etc/shorewall/rules" +fi +# +# Install the NAT file +# +run_install $OWNERSHIP -m 0644 nat ${PREFIX}/usr/share/shorewall/configfiles/nat + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/nat ]; then + run_install $OWNERSHIP -m 0600 nat ${PREFIX}/etc/shorewall/nat + echo "NAT file installed as ${PREFIX}/etc/shorewall/nat" +fi +# +# Install the NETMAP file +# +run_install $OWNERSHIP -m 0644 netmap ${PREFIX}/usr/share/shorewall/configfiles/netmap + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/netmap ]; then + run_install $OWNERSHIP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap + echo "NETMAP file installed as ${PREFIX}/etc/shorewall/netmap" +fi +# +# Install the Parameters file +# +run_install $OWNERSHIP -m 0644 params ${PREFIX}/usr/share/shorewall/configfiles/params + +if [ -f ${PREFIX}/etc/shorewall/params ]; then + chmod 0644 ${PREFIX}/etc/shorewall/params +else + run_install $OWNERSHIP -m 0644 params ${PREFIX}/etc/shorewall/params + echo "Parameter file installed as ${PREFIX}/etc/shorewall/params" +fi +# +# Install the proxy ARP file +# +run_install $OWNERSHIP -m 0644 proxyarp ${PREFIX}/usr/share/shorewall/configfiles/proxyarp + +if [ -z "$CYGWIN" -a ! 
-f ${PREFIX}/etc/shorewall/proxyarp ]; then + run_install $OWNERSHIP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp + echo "Proxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp" +fi +# +# Install the Stopped Routing file +# +run_install $OWNERSHIP -m 0644 routestopped ${PREFIX}/usr/share/shorewall/configfiles/routestopped + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/routestopped ]; then + run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped + echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped" +fi +# +# Install the Mac List file +# +run_install $OWNERSHIP -m 0644 maclist ${PREFIX}/usr/share/shorewall/configfiles/maclist + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/maclist ]; then + run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist + echo "MAC list file installed as ${PREFIX}/etc/shorewall/maclist" +fi +# +# Install the Masq file +# +run_install $OWNERSHIP -m 0644 masq ${PREFIX}/usr/share/shorewall/configfiles/masq + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/masq ]; then + run_install $OWNERSHIP -m 0600 masq ${PREFIX}/etc/shorewall/masq + echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq" +fi +# +# Install the Modules file +# +run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall/modules +echo "Modules file installed as ${PREFIX}/usr/share/shorewall/modules" + +# +# Install the TC Rules file +# +run_install $OWNERSHIP -m 0644 tcrules ${PREFIX}/usr/share/shorewall/configfiles/tcrules + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcrules ]; then + run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules + echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules" +fi + +# +# Install the TOS file +# +run_install $OWNERSHIP -m 0644 tos ${PREFIX}/usr/share/shorewall/configfiles/tos + +if [ -z "$CYGWIN" -a ! 
-f ${PREFIX}/etc/shorewall/tos ]; then + run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall/tos + echo "TOS file installed as ${PREFIX}/etc/shorewall/tos" +fi +# +# Install the Tunnels file +# +run_install $OWNERSHIP -m 0644 tunnels ${PREFIX}/usr/share/shorewall/configfiles/tunnels + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tunnels ]; then + run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels + echo "Tunnels file installed as ${PREFIX}/etc/shorewall/tunnels" +fi +# +# Install the blacklist file +# +run_install $OWNERSHIP -m 0644 blacklist ${PREFIX}/usr/share/shorewall/configfiles/blacklist + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/blacklist ]; then + run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist + echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist" +fi +# +# Delete the Routes file +# +delete_file ${PREFIX}/etc/shorewall/routes +# +# Delete the tcstart file +# + +delete_file ${PREFIX}/usr/share/shorewall/tcstart + +# +# Delete the Limits Files +# +delete_file ${PREFIX}/usr/share/shorewall/action.Limit +delete_file ${PREFIX}/usr/share/shorewall/Limit +# +# Delete the xmodules file +# +delete_file ${PREFIX}/usr/share/shorewall/xmodules +# +# Install the Providers file +# +run_install $OWNERSHIP -m 0644 providers ${PREFIX}/usr/share/shorewall/configfiles/providers + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/providers ]; then + run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall/providers + echo "Providers file installed as ${PREFIX}/etc/shorewall/providers" +fi + +# +# Install the Route Rules file +# +run_install $OWNERSHIP -m 0644 route_rules ${PREFIX}/usr/share/shorewall/configfiles/route_rules + +if [ -z "$CYGWIN" -a ! 
-f ${PREFIX}/etc/shorewall/route_rules ]; then + run_install $OWNERSHIP -m 0600 route_rules ${PREFIX}/etc/shorewall/route_rules + echo "Routing rules file installed as ${PREFIX}/etc/shorewall/route_rules" +fi + +# +# Install the tcclasses file +# +run_install $OWNERSHIP -m 0644 tcclasses ${PREFIX}/usr/share/shorewall/configfiles/tcclasses + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcclasses ]; then + run_install $OWNERSHIP -m 0600 tcclasses ${PREFIX}/etc/shorewall/tcclasses + echo "TC Classes file installed as ${PREFIX}/etc/shorewall/tcclasses" +fi + +# +# Install the tcdevices file +# +run_install $OWNERSHIP -m 0644 tcdevices ${PREFIX}/usr/share/shorewall/configfiles/tcdevices + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcdevices ]; then + run_install $OWNERSHIP -m 0600 tcdevices ${PREFIX}/etc/shorewall/tcdevices + echo "TC Devices file installed as ${PREFIX}/etc/shorewall/tcdevices" +fi + +# +# Install the tcfilters file +# +run_install $OWNERSHIP -m 0644 tcfilters ${PREFIX}/usr/share/shorewall/configfiles/tcfilters + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcfilters ]; then + run_install $OWNERSHIP -m 0600 tcfilters ${PREFIX}/etc/shorewall/tcfilters + echo "TC Filters file installed as ${PREFIX}/etc/shorewall/tcfilters" +fi + +# +# Install the rfc1918 file +# +install_file rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0644 +echo "RFC 1918 file installed as ${PREFIX}/usr/share/shorewall/rfc1918" +# +# Install the default config path file +# +install_file configpath ${PREFIX}/usr/share/shorewall/configpath 0644 +echo "Default config path file installed as ${PREFIX}/usr/share/shorewall/configpath" +# +# Install the init file +# +run_install $OWNERSHIP -m 0644 init ${PREFIX}/usr/share/shorewall/configfiles/init + +if [ -z "$CYGWIN" -a ! 
-f ${PREFIX}/etc/shorewall/init ]; then + run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall/init + echo "Init file installed as ${PREFIX}/etc/shorewall/init" +fi +# +# Install the initdone file +# +run_install $OWNERSHIP -m 0644 initdone ${PREFIX}/usr/share/shorewall/configfiles/initdone + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/initdone ]; then + run_install $OWNERSHIP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone + echo "Initdone file installed as ${PREFIX}/etc/shorewall/initdone" +fi +# +# Install the start file +# +run_install $OWNERSHIP -m 0644 start ${PREFIX}/usr/share/shorewall/configfiles/start + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/start ]; then + run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall/start + echo "Start file installed as ${PREFIX}/etc/shorewall/start" +fi +# +# Install the stop file +# +run_install $OWNERSHIP -m 0644 stop ${PREFIX}/usr/share/shorewall/configfiles/stop + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/stop ]; then + run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall/stop + echo "Stop file installed as ${PREFIX}/etc/shorewall/stop" +fi +# +# Install the stopped file +# +run_install $OWNERSHIP -m 0644 stopped ${PREFIX}/usr/share/shorewall/configfiles/stopped + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/stopped ]; then + run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped + echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped" +fi +# +# Install the ECN file +# +run_install $OWNERSHIP -m 0644 ecn ${PREFIX}/usr/share/shorewall/configfiles/ecn + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/ecn ]; then + run_install $OWNERSHIP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn + echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn" +fi +# +# Install the Accounting file +# +run_install $OWNERSHIP -m 0644 accounting ${PREFIX}/usr/share/shorewall/configfiles/accounting + +if [ -z "$CYGWIN" -a ! 
-f ${PREFIX}/etc/shorewall/accounting ]; then + run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting + echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting" +fi +# +# Install the Continue file +# +run_install $OWNERSHIP -m 0644 continue ${PREFIX}/usr/share/shorewall/configfiles/continue + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/continue ]; then + run_install $OWNERSHIP -m 0600 continue ${PREFIX}/etc/shorewall/continue + echo "Continue file installed as ${PREFIX}/etc/shorewall/continue" +fi +# +# Install the Started file +# +run_install $OWNERSHIP -m 0644 started ${PREFIX}/usr/share/shorewall/configfiles/started + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/started ]; then + run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall/started + echo "Started file installed as ${PREFIX}/etc/shorewall/started" +fi +# +# Install the Standard Actions file +# +install_file actions.std ${PREFIX}/usr/share/shorewall/actions.std 0644 +echo "Standard actions file installed as ${PREFIX}/usr/shared/shorewall/actions.std" + +# +# Install the Actions file +# +run_install $OWNERSHIP -m 0644 actions ${PREFIX}/usr/share/shorewall/configfiles/actions + +if [ -z "$CYGWIN" -a ! 
-f ${PREFIX}/etc/shorewall/actions ]; then + run_install $OWNERSHIP -m 0644 actions ${PREFIX}/etc/shorewall/actions + echo "Actions file installed as ${PREFIX}/etc/shorewall/actions" +fi + +# +# Install the Makefiles +# +run_install $OWNERSHIP -m 0644 Makefile-lite ${PREFIX}/usr/share/shorewall/configfiles/Makefile + +if [ -z "$CYGWIN" ]; then + run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall/Makefile + echo "Makefile installed as ${PREFIX}/etc/shorewall/Makefile" +fi +# +# Install the Action files +# +for f in action.* ; do + install_file $f ${PREFIX}/usr/share/shorewall/$f 0644 + echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f" +done + +# Install the Macro files +# +for f in macro.* ; do + install_file $f ${PREFIX}/usr/share/shorewall/$f 0644 + echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f" +done +# +# Install the libraries +# +for f in lib.* ; do + if [ -f $f ]; then + install_file $f ${PREFIX}/usr/share/shorewall/$f 0644 + echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f" + fi +done +# +# Symbolically link 'functions' to lib.base +# +ln -sf lib.base ${PREFIX}/usr/share/shorewall/functions +# +# Create the version file +# +echo "$VERSION" > ${PREFIX}/usr/share/shorewall/version +chmod 644 ${PREFIX}/usr/share/shorewall/version +# +# Remove and create the symbolic link to the init script +# + +if [ -z "$PREFIX" ]; then + rm -f /usr/share/shorewall/init + ln -s ${DEST}/${INIT} /usr/share/shorewall/init +fi + +# +# Install the Man Pages +# + +cd manpages + +for f in *.5; do + gzip -c $f > $f.gz + run_install -D -m 0644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz + echo "Man page $f.gz installed to /usr/share/man/man5/$f.gz" +done + +for f in *.8; do + gzip -c $f > $f.gz + run_install -D -m 0644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz + echo "Man page $f.gz installed to /usr/share/man/man8/$f.gz" +done + +cd .. 
+ +echo "Man Pages Installed" + +# +# Install the firewall script +# +install_file firewall ${PREFIX}/usr/share/shorewall/firewall 0755 + +if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then + if [ -n "$DEBIAN" ]; then + run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall + ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall + echo "shorewall will start automatically at boot" + echo "Set startup=1 in /etc/default/shorewall to enable" + touch /var/log/shorewall-init.log + qt mywhich perl && perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall/shorewall.conf + else + if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then + if insserv /etc/init.d/shorewall ; then + echo "shorewall will start automatically at boot" + echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable" + else + cant_autostart + fi + elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then + if chkconfig --add shorewall ; then + echo "shorewall will start automatically in run levels as follows:" + echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable" + chkconfig --list shorewall + else + cant_autostart + fi + elif [ -x /sbin/rc-update ]; then + if rc-update add shorewall default; then + echo "shorewall will start automatically at boot" + echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable" + else + cant_autostart + fi + elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically + cant_autostart + fi + fi +fi + +# +# Report Success +# +echo "shorewall-common Version $VERSION Installed" diff --git a/Shorewall-common/interfaces b/Shorewall-common/interfaces new file mode 100644 index 000000000..af555d44f --- /dev/null +++ b/Shorewall-common/interfaces 
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Interfaces File
+#
+# For information about entries in this file, type "man shorewall-interfaces"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-interfaces.html
+#
+###############################################################################
+#ZONE INTERFACE BROADCAST OPTIONS
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/ipsec b/Shorewall-common/ipsec
new file mode 100644
index 000000000..9537ea736
--- /dev/null
+++ b/Shorewall-common/ipsec
@@ -0,0 +1,7 @@
+#
+# The /etc/shorewall/ipsec file is obsolete -- the information
+# previously contained in this file is now placed in the
+# /etc/shorewall/zones file.
+#
+# See the IPSECFILE option in shorewall.conf for further information.
+#
diff --git a/Shorewall-common/ipsecvpn b/Shorewall-common/ipsecvpn
new file mode 100644
index 000000000..07f13a663
--- /dev/null
+++ b/Shorewall-common/ipsecvpn
@@ -0,0 +1,296 @@
+#!/bin/sh
+
+################################################################################
+#
+# ipsecvpn -- script for use on a roadwarrior to start/stop a tunnel-mode
+# IPSEC connection
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2004,2005 - Tom Eastep (teastep@shorewall.net)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+RCDLINKS="2,S42 3,S42 6,K42"
+
+#### BEGIN INIT INFO
+# Provides: ipsecvpn
+# Required-Start: $shorewall
+# Required-Stop:
+# Default-Start: 2 3 5
+# Default-Stop: 0 1 6
+# Description: starts and stops a tunnel-mode VPN connection
+### END INIT INFO
+
+# chkconfig: 2345 26 89
+# description: IPSEC tunnel-mode connection
+#
+################################################################################
+#
+# External Interface
+#
+INTERFACE=eth0
+#
+# Remote IPSEC Gateway
+#
+GATEWAY=1.2.3.4
+#
+# Networks behind the remote gateway (space-separated list)
+#
+NETWORKS="192.168.1.0/24"
+#
+# Directory where X.509 certificates are stored.
+#
+CERTS=/etc/certs
+#
+# Certificate to be used for this connection. The cert
+# directory must contain:
+#
+# ${CERT}.pem - the certificate
+# ${CERT}_key.pem - the certificates's key
+#
+CERT=roadwarrior
+#
+# The setkey binary
+#
+SETKEY=/usr/sbin/setkey
+#
+# The racoon binary
+#
+RACOON=/usr/sbin/racoon
+
+#
+# Message to stderr
+#
+error_message() # $* = Error Message
+{
+ echo " $@" >&2
+}
+
+#
+# Fatal error -- stops the firewall after issuing the error message
+#
+fatal_error() # $* = Error Message
+{
+ echo " Error: $@" >&2
+ exit 2
+}
+
+#
+# Find interface address--returns the first IP address assigned to the passed
+# device
+#
+find_first_interface_address() # $1 = interface
+{
+ #
+ # get the line of output containing the first IP address
+ #
+ addr=$(ip -f inet addr show $1 2> /dev/null | grep inet | head -n1)
+ #
+ # If there wasn't one, bail out now
+ #
+ [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
+ #
+ # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+ # along with everything else on the line
+ #
+ echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
+}
+
+#
+# Create a Racoon configuration file using the variables above
+#
+make_racoon_conf() {
+ echo "path certificate \"$CERTS\";"
+ echo
+ echo "listen"
+ echo "{"
+ echo " isakmp $IPADDR;"
+ echo "}"
+ echo
+ echo "remote $GATEWAY"
+ echo "{"
+ echo " exchange_mode main;"
+ echo " certificate_type x509 \"$CERT.pem\" \"${CERT}_key.pem\";"
+ echo " verify_cert on;"
+ echo " my_identifier asn1dn ;"
+ echo " peers_identifier asn1dn ;"
+ echo " verify_identifier on ;"
+ echo " lifetime time 24 hour ;"
+ echo " proposal {"
+ echo " encryption_algorithm blowfish;"
+ echo " hash_algorithm sha1;"
+ echo " authentication_method rsasig ;"
+ echo " dh_group 2 ;"
+ echo " }"
+ echo "}"
+ echo
+
+ for network in $NETWORKS; do
+ echo "sainfo address $IPADDR/32 any address $network any"
+ echo "{"
+ echo " pfs_group 2;"
+ echo " lifetime time 12 hour ;"
+ echo " encryption_algorithm blowfish ;"
+ echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
+ echo " compression_algorithm deflate ;"
+ echo "}"
+ echo
+ echo "sainfo address $network any address $IPADDR/32 any"
+ echo "{"
+ echo " pfs_group 2;"
+ echo " lifetime time 12 hour ;"
+ echo " encryption_algorithm blowfish ;"
+ echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
+ echo " compression_algorithm deflate ;"
+ echo "}"
+
+ done
+
+ echo "sainfo address $IPADDR/32 any address $GATEWAY/32 any"
+ echo "{"
+ echo " pfs_group 2;"
+ echo " lifetime time 12 hour ;"
+ echo " encryption_algorithm blowfish ;"
+ echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
+ echo " compression_algorithm deflate ;"
+ echo "}"
+ echo
+ echo "sainfo address $GATEWAY/32 any address $IPADDR/32 any"
+ echo "{"
+ echo " pfs_group 2;"
+ echo " lifetime time 12 hour ;"
+ echo " encryption_algorithm blowfish ;"
+ echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
+ echo " compression_algorithm deflate ;"
+ echo "}"
+}
+
+#
+# Make a setkey configuration file using the variables above
+#
+make_setkey_conf()
+{
+ echo "flush;"
+ echo "spdflush;"
+
+ echo "spdadd $IPADDR/32 $GATEWAY/32 any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
+ echo "spdadd $GATEWAY/32 $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
+
+ for network in $NETWORKS; do
+ echo "spdadd $IPADDR/32 $network any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
+ echo "spdadd $network $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
+ done
+}
+
+#
+# Start the Tunnel
+#
+start()
+{
+ #
+ # Get the first IP address configured on the device in INTERFACE
+ #
+ IPADDR=$(find_first_interface_address $INTERFACE)
+ #
+ # Create the name of the setkey temporary file
+ #
+ TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX)
+ [ $? -eq 0 ] || fatal_error "Can't create temporary file name"
+ #
+ # Create the file
+ #
+ make_setkey_conf > $TEMPFILE
+ #
+ # Create the SPD
+ #
+ $SETKEY -f $TEMPFILE
+ #
+ # We can now remove the file
+ #
+ rm -f $TEMPFILE
+ #
+ # Create another name -- make this distict to aid debugging
+ # (just comment out the 'rm' commands)
+ #
+ TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX)
+ [ $? -eq 0 ] || fatal_error "Can't create temporary file name"
+ #
+ # Create the file
+ #
+ make_racoon_conf > $TEMPFILE
+ #
+ # Start Racoon Daemon
+ #
+ $RACOON -4 -f $TEMPFILE
+ #
+ # Once the Daemon is running, we can remove the file
+ #
+ rm -f $TEMPFILE
+}
+#
+# Stop the Tunnel
+#
+stop()
+{
+ #
+ # Kill any racoon daemons
+ #
+ killall racoon
+ #
+ # Purge the SAD and SPD
+ #
+ setkey -F -FP
+}
+
+#
+# Display command syntax and abend
+#
+usage()
+{
+ error_message "usage: $(basename $0) [start|stop|restart]"
+ exit 1
+}
+################################################################################
+# C O D E S T A R T S H E R E
+################################################################################
+[ $# -eq 1 ] || usage
+
+
+case $1 in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ stop
+ sleep 2
+ start
+ ;;
+ *)
+ usage
+ ;;
+esac
+
+
+
+
+
+
+
+
+
+
diff --git a/Shorewall-common/lib.base b/Shorewall-common/lib.base
new file mode 100644
index 000000000..f7122ebe5
--- /dev/null
+++ b/Shorewall-common/lib.base
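Review bot: make_racoon_conf() in the ipsecvpn hunk hard-codes a weak IKE/IPsec suite — `encryption_algorithm blowfish` (64-bit block cipher), `hash_algorithm sha1`, `dh_group 2`/`pfs_group 2` (1024-bit MODP) — and every sainfo block lists `hmac_sha1, hmac_md5`, so the remote gateway can end up negotiating MD5 integrity for the tunnel. Since this script dictates the roadwarrior side, the phase-1 proposal and the five sainfo blocks should move to `encryption_algorithm aes;`, a SHA-2 HMAC such as `authentication_algorithm hmac_sha256;`, and `dh_group 14;`/`pfs_group 14;` where the installed racoon accepts those keywords, with hmac_md5 dropped from the list. In stop(), `killall racoon` and `setkey -F -FP` tear down every racoon instance and every SA and policy on the host rather than only what start() installed, and the bare `setkey` bypasses the `$SETKEY` path configured at the top of the file; this deserves at least a warning comment, e.g. `# NOTE: flushes ALL IPsec SAs/policies on this host, not just this tunnel's`. start() also discards the exit status of `$SETKEY -f $TEMPFILE` and `$RACOON -4 -f $TEMPFILE`, so a rejected config can leave the SPD empty (the file begins with flush/spdflush) while the script still exits 0; `$SETKEY -f $TEMPFILE || fatal_error "setkey rejected $TEMPFILE"` (and the same for racoon) would surface it, and fatal_error()'s header comment "stops the firewall" should be corrected since the function only exits 2.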
@@ -0,0 +1,1738 @@ +#!/bin/sh +# +# Shorewall 4.2 -- /usr/share/shorewall/lib.base +# +# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] +# +# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) +# +# Complete documentation is available at http://shorewall.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# This library contains the code common to all Shorewall components. +# +# - It is copied into the compiled script with the -e compiler flag is specified to +# shorewall-shell. +# - It is loaded by /sbin/shorewall. +# - It is loaded by /usr/share/shorewall/firewall. +# - It is loaded by /usr/share/shorewall-shell/compiler. +# - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite +# and /usr/share/shorewall-lite/shorecap. +# - It is released as part of Shorewall Perl where it is copied into the compiled script +# by the compiler. 
+# + +SHOREWALL_LIBVERSION=40000 +SHOREWALL_CAPVERSION=40203 + +[ -n "${VARDIR:=/var/lib/shorewall}" ] +[ -n "${SHAREDIR:=/usr/share/shorewall}" ] +[ -n "${CONFDIR:=/etc/shorewall}" ] +SHELLSHAREDIR=/usr/share/shorewall-shell +PERLSHAREDIR=/usr/share/shorewall-perl + +# +# Message to stderr +# +error_message() # $* = Error Message +{ + echo " $@" >&2 +} + +# +# Conditionally produce message +# +progress_message() # $* = Message +{ + local timestamp + timestamp= + + if [ $VERBOSE -gt 1 ]; then + [ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) " + echo "${timestamp}$@" + fi +} + +progress_message2() # $* = Message +{ + local timestamp + timestamp= + + if [ $VERBOSE -gt 0 ]; then + [ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) " + echo "${timestamp}$@" + fi +} + +progress_message3() # $* = Message +{ + local timestamp + timestamp= + + if [ $VERBOSE -ge 0 ]; then + [ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) " + echo "${timestamp}$@" + fi +} + +# +# Split a colon-separated list into a space-separated list +# +split() { + local ifs + ifs=$IFS + IFS=: + echo $* + IFS=$ifs +} + +# +# Search a list looking for a match -- returns zero if a match found +# 1 otherwise +# +list_search() # $1 = element to search for , $2-$n = list +{ + local e + e=$1 + + while [ $# -gt 1 ]; do + shift + [ "x$e" = "x$1" ] && return 0 + done + + return 1 +} + +# +# Undo the effect of 'separate_list()' +# +combine_list() +{ + local f + local o + o= + + for f in $* ; do + o="${o:+$o,}$f" + done + + echo $o +} + +# +# Suppress all output for a command +# +qt() +{ + "$@" >/dev/null 2>&1 +} + +# +# Determine if Shorewall is "running" +# +shorewall_is_started() { + qt $IPTABLES -L shorewall -n +} + +# +# Echos the fully-qualified name of the calling shell program +# +my_pathname() { + cd $(dirname $0) + echo $PWD/$(basename $0) +} + +# +# Source a user exit file if it exists +# +run_user_exit() # $1 = file name +{ + local user_exit + user_exit=$(find_file $1) + + if [ -f $user_exit ]; 
then + progress_message "Processing $user_exit ..." + . $user_exit + fi +} + +# +# Set a standard chain's policy +# +setpolicy() # $1 = name of chain, $2 = policy +{ + run_iptables -P $1 $2 +} + +# +# Set a standard chain to enable established and related connections +# +setcontinue() # $1 = name of chain +{ + run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT +} + +# +# Flush one of the NAT table chains +# +flushnat() # $1 = name of chain +{ + run_iptables -t nat -F $1 +} + +# +# Flush one of the Mangle table chains +# +flushmangle() # $1 = name of chain +{ + run_iptables -t mangle -F $1 +} + +# +# Flush and delete all user-defined chains in the filter table +# +deleteallchains() { + run_iptables -F + run_iptables -X +} + +# +# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains +# a space-separated list of directories to search for +# the module and that 'moduleloader' contains the +# module loader command. +# +loadmodule() # $1 = module name, $2 - * arguments +{ + local modulename + modulename=$1 + local modulefile + local suffix + + if ! list_search $modulename $MODULES $DONT_LOAD ; then + shift + + for suffix in $MODULE_SUFFIX ; do + for directory in $moduledirectories; do + modulefile=$directory/${modulename}.${suffix} + + if [ -f $modulefile ]; then + case $moduleloader in + insmod) + insmod $modulefile $* + ;; + *) + modprobe $modulename $* + ;; + esac + break 2 + fi + done + done + fi +} + +# +# Reload the Modules +# +reload_kernel_modules() { + + local save_modules_dir + save_modules_dir=$MODULESDIR + local directory + local moduledirectories + moduledirectories= + local moduleloader + moduleloader=modprobe + + if ! 
qt mywhich modprobe; then + moduleloader=insmod + fi + + [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] + + [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter + MODULES=$(lsmod | cut -d ' ' -f1) + + for directory in $(split $MODULESDIR); do + [ -d $directory ] && moduledirectories="$moduledirectories $directory" + done + + [ -n "$moduledirectories" ] && while read command; do + eval $command + done + + MODULESDIR=$save_modules_dir +} + +# +# Load kernel modules required for Shorewall +# +load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR +{ + local save_modules_dir + save_modules_dir=$MODULESDIR + local directory + local moduledirectories + moduledirectories= + local moduleloader + moduleloader=modprobe + local savemoduleinfo + savemoduleinfo=${1:-Yes} # So old compiled scripts still work + + if ! qt mywhich modprobe; then + moduleloader=insmod + fi + + [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] + + [ -z "$MODULESDIR" ] && \ + MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter + + for directory in $(split $MODULESDIR); do + [ -d $directory ] && moduledirectories="$moduledirectories $directory" + done + + modules=$(find_file modules) + + if [ -f $modules -a -n "$moduledirectories" ]; then + MODULES=$(lsmod | cut -d ' ' -f1) + progress_message "Loading Modules..." + . $modules + if [ $savemoduleinfo = Yes ]; then + [ -d ${VARDIR} ] || mkdir -p ${VARDIR} + echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir + cp -f $modules ${VARDIR}/.modules + fi + elif [ $savemoduleinfo = Yes ]; then + [ -d ${VARDIR} ] || mkdir -p ${VARDIR} + > ${VARDIR}/.modulesdir + > ${VARDIR}/.modules + fi + + MODULESDIR=$save_modules_dir +} + +# +# Call this function to assert mutual exclusion with Shorewall. 
If you invoke the +# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as +# the first argument. Example "shorewall nolock refresh" +# +# This function uses the lockfile utility from procmail if it exists. +# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the +# behavior of lockfile. +# +mutex_on() +{ + local try + try=0 + local lockf + lockf=${LOCKFILE:=${VARDIR}/lock} + + MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60} + + if [ $MUTEX_TIMEOUT -gt 0 ]; then + + [ -d ${VARDIR} ] || mkdir -p ${VARDIR} + + if qt mywhich lockfile; then + lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} + else + while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do + sleep 1 + try=$((${try} + 1)) + done + + if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then + # Create the lockfile + echo $$ > ${lockf} + else + echo "Giving up on lock file ${lockf}" >&2 + fi + fi + fi +} + +# +# Call this function to release mutual exclusion +# +mutex_off() +{ + rm -f ${LOCKFILE:=${VARDIR}/lock} +} + +# +# Load an optional library +# +lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library cannot be found +{ + local lib + lib=${SHAREDIR}/lib.$1 + local loaded + + eval loaded=\$LIB_${1}_LOADED + + if [ -z "$loaded" ]; then + [ -f $lib ] || lib=${SHELLSHAREDIR}/lib.$1 + + if [ -f $lib ]; then + progress_message "Loading library $lib..." + . $lib + eval LIB_${1}_LOADED=Yes + else + startup_error "$2 requires the Shorewall library $1 ($lib) which is not installed" + fi + fi +} + +# +# Determine if an optional library is available +# +lib_avail() # $1 = Name of the Library +{ + [ -f ${SHAREDIR}/lib.$1 ] +} + +# +# Note: The following set of IP address manipulation functions have anomalous +# behavior when the shell only supports 32-bit signed arithmetic and +# the IP address is 128.0.0.0 or 128.0.0.1. +# + +LEFTSHIFT='<<' + +# +# Validate an IP address +# +valid_address() { + local x + local y + local ifs + ifs=$IFS + + IFS=. 
+ + for x in $1; do + case $x in + [0-9]|[0-9][0-9]|[1-2][0-9][0-9]) + [ $x -lt 256 ] || { IFS=$ifs; return 2; } + ;; + *) + IFS=$ifs + return 2 + ;; + esac + done + + IFS=$ifs + + return 0 +} + +# +# Convert an IP address in dot quad format to an integer +# +decodeaddr() { + local x + local temp + temp=0 + local ifs + ifs=$IFS + + IFS=. + + for x in $1; do + temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x )) + done + + echo $temp + + IFS=$ifs +} + +# +# convert an integer to dot quad format +# +encodeaddr() { + addr=$1 + local x + local y + y=$(($addr & 255)) + + for x in 1 2 3 ; do + addr=$(($addr >> 8)) + y=$(($addr & 255)).$y + done + + echo $y +} + +# +# Miserable Hack to work around broken BusyBox ash in OpenWRT +# +addr_comp() { + test $(bc < $2 +EOF +) -eq 1 + +} + +# +# Enumerate the members of an IP range -- When using a shell supporting only +# 32-bit signed arithmetic, the range cannot span 128.0.0.0. +# +# Comes in two flavors: +# +# ip_range() - produces a mimimal list of network/host addresses that spans +# the range. +# +# ip_range_explicit() - explicitly enumerates the range. 
+# +ip_range() { + local first + local last + local l + local x + local y + local z + local vlsm + + case $1 in + !*) + # + # Let iptables complain if it's a range + # + echo $1 + return + ;; + [0-9]*.*.*.*-*.*.*.*) + ;; + *) + echo $1 + return + ;; + esac + + first=$(decodeaddr ${1%-*}) + last=$(decodeaddr ${1#*-}) + + if addr_comp $first $last; then + fatal_error "Invalid IP address range: $1" + fi + + l=$(( $last + 1 )) + + while addr_comp $l $first; do + vlsm= + x=31 + y=2 + z=1 + + while [ $(( $first % $y )) -eq 0 ] && addr_comp $l $(( $first + $y )) ; do + vlsm=/$x + x=$(( $x - 1 )) + z=$y + y=$(( $y * 2 )) + done + + echo $(encodeaddr $first)$vlsm + first=$(($first + $z)) + done +} + +ip_range_explicit() { + local first + local last + + case $1 in + [0-9]*.*.*.*-*.*.*.*) + ;; + *) + echo $1 + return + ;; + esac + + first=$(decodeaddr ${1%-*}) + last=$(decodeaddr ${1#*-}) + + if addr_comp $first $last; then + fatal_error "Invalid IP address range: $1" + fi + + while ! addr_comp $first $last; do + echo $(encodeaddr $first) + first=$(($first + 1)) + done +} + +# +# Netmask from CIDR +# +ip_netmask() { + local vlsm + vlsm=${1#*/} + + [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) )) +} + +# +# Network address from CIDR +# +ip_network() { + local decodedaddr + decodedaddr=$(decodeaddr ${1%/*}) + local netmask + netmask=$(ip_netmask $1) + + echo $(encodeaddr $(($decodedaddr & $netmask))) +} + +# +# The following hack is supplied to compensate for the fact that many of +# the popular light-weight Bourne shell derivatives don't support XOR ("^"). 
+# +ip_broadcast() { + local x + x=$(( 32 - ${1#*/} )) + + [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 )) +} + +# +# Calculate broadcast address from CIDR +# +broadcastaddress() { + local decodedaddr + decodedaddr=$(decodeaddr ${1%/*}) + local netmask + netmask=$(ip_netmask $1) + local broadcast + broadcast=$(ip_broadcast $1) + + echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast ))) +} + +# +# Test for network membership +# +in_network() # $1 = IP address, $2 = CIDR network +{ + local netmask + netmask=$(ip_netmask $2) + # + # We compare the values as strings rather than integers to work around broken BusyBox ash on OpenWRT + # + test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask )) +} + +# +# Netmask to VLSM +# +ip_vlsm() { + local mask + mask=$(decodeaddr $1) + local vlsm + vlsm=0 + local x + x=$(( 128 << 24 )) # 0x80000000 + + while [ $(( $x & $mask )) -ne 0 ]; do + [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly. + vlsm=$(($vlsm + 1)) + done + + if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff + echo "Invalid net mask: $1" >&2 + else + echo $vlsm + fi +} + + +# +# Chain name base for an interface -- replace all periods with underscores in the passed name. +# The result is echoed (less trailing "+"). 
+# +chain_base() #$1 = interface +{ + local c + c=${1%%+} + + while true; do + case $c in + @*) + c=at_${c#@} + ;; + *.*) + c="${c%.*}_${c##*.}" + ;; + *-*) + c="${c%-*}_${c##*-}" + ;; + *%*) + c="${c%\%*}_${c##*%}" + ;; + *@*) + c="${c%@*}_${c##*@}" + ;; + *) + echo ${c:=common} + return + ;; + esac + done +} + +# +# Query NetFilter about the existence of a filter chain +# +chain_exists() # $1 = chain name +{ + qt $IPTABLES -L $1 -n +} + +# +# Find the value 'dev' in the passed arguments then echo the next value +# + +find_device() { + while [ $# -gt 1 ]; do + [ "x$1" = xdev ] && echo $2 && return + shift + done +} + +# +# Find the value 'via' in the passed arguments then echo the next value +# + +find_gateway() { + while [ $# -gt 1 ]; do + [ "x$1" = xvia ] && echo $2 && return + shift + done +} + +# +# Find the value 'mtu' in the passed arguments then echo the next value +# + +find_mtu() { + while [ $# -gt 1 ]; do + [ "x$1" = xmtu ] && echo $2 && return + shift + done +} + +# +# Find the value 'peer' in the passed arguments then echo the next value up to +# "/" +# + +find_peer() { + while [ $# -gt 1 ]; do + [ "x$1" = xpeer ] && echo ${2%/*} && return + shift + done +} + +# +# Find the interfaces that have a route to the passed address - the default +# route is not used. 
+# + +find_rt_interface() { + ip route list | while read addr rest; do + case $addr in + */*) + in_network ${1%/*} $addr && echo $(find_device $rest) + ;; + default) + ;; + *) + if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then + echo $(find_device $rest) + fi + ;; + esac + done +} + +# +# Try to find the gateway through an interface looking for 'nexthop' + +find_nexthop() # $1 = interface +{ + echo $(find_gateway `ip route list | grep "[[:space:]]nexthop.* $1"`) +} + +# +# Find the default route's interface +# +find_default_interface() { + ip route list | while read first rest; do + [ "$first" = default ] && echo $(find_device $rest) && return + done +} + +# +# Echo the name of the interface(s) that will be used to send to the +# passed address +# + +find_interface_by_address() { + local dev + dev="$(find_rt_interface $1)" + local first + local rest + + [ -z "$dev" ] && dev=$(find_default_interface) + + [ -n "$dev" ] && echo $dev +} + +# +# Find the interface with the passed MAC address +# + +find_interface_by_mac() { + local mac + mac=$1 + local first + local second + local rest + local dev + + ip link list | while read first second rest; do + case $first in + *:) + dev=$second + ;; + *) + if [ "$second" = $mac ]; then + echo ${dev%:} + return + fi + esac + done +} + +# +# Determine if Interface is up +# +interface_is_up() { + [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] +} + +# +# Find interface address--returns the first IP address assigned to the passed +# device +# +find_first_interface_address() # $1 = interface +{ + # + # get the line of output containing the first IP address + # + addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1) + # + # If there wasn't one, bail out now + # + [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1" + # + # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) + # along with everything else on the line + # + echo $addr | sed 's/\s*inet 
//;s/\/.*//;s/ peer.*//'
+}
+
+find_first_interface_address_if_any() # $1 = interface
+{
+ #
+ # get the line of output containing the first IP address
+ #
+ addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+ #
+ # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+ # along with everything else on the line
+ #
+ [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
+}
+
+#
+# Determine if interface is usable from a Netfilter prespective
+#
+interface_is_usable() # $1 = interface
+{
+ interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]
+}
+
+#
+# Find interface addresses--returns the set of addresses assigned to the passed
+# device
+#
+find_interface_addresses() # $1 = interface
+{
+ ip -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+}
+
+#
+# echo the list of networks routed out of a given interface
+#
+get_routed_networks() # $1 = interface name, $2-n = Fatal error message
+{
+ local address
+ local rest
+
+ ip route show dev $1 2> /dev/null |
+ while read address rest; do
+ case "$address" in
+ default)
+ if [ $# -gt 1 ]; then
+ shift
+ fatal_error "$@"
+ else
+ echo "WARNING: default route ignored on interface $1" >&2
+ fi
+ ;;
+ multicast|broadcast|prohibit|nat|throw|nexthop)
+ ;;
+ *)
+ [ "$address" = "${address%/*}" ] && address="${address}/32"
+ echo $address
+ ;;
+ esac
+ done
+}
+
+get_interface_bcasts() # $1 = interface
+{
+ ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+#
+# Internal version of 'which'
+#
+mywhich() {
+ local dir
+
+ for dir in $(split $PATH); do
+ if [ -x $dir/$1 ]; then
+ echo $dir/$1
+ return 0
+ fi
+ done
+
+ return 2
+}
+
+#
+# Set default config path
+#
+ensure_config_path() {
+ local F
+ F=${SHAREDIR}/configpath
+ if [ -z "$CONFIG_PATH" ]; then
+ [ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
+ . 
$F
+ fi
+
+ if [ -n "$SHOREWALL_DIR" ]; then
+ [ "${CONFIG_PATH%%:*}" = "$SHOREWALL_DIR" ] || CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH
+ fi
+}
+
+#
+# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
+#
+find_file()
+{
+ local saveifs
+ saveifs=
+ local directory
+
+ case $1 in
+ /*)
+ echo $1
+ ;;
+ *)
+ for directory in $(split $CONFIG_PATH); do
+ if [ -f $directory/$1 ]; then
+ echo $directory/$1
+ return
+ fi
+ done
+
+ echo ${CONFDIR}/$1
+ ;;
+ esac
+}
+
+#
+# Get fully-qualified name of file
+#
+resolve_file() # $1 = file name
+{
+ local pwd
+ pwd=$PWD
+
+ case $1 in
+ /*)
+ echo $1
+ ;;
+ .)
+ echo $pwd
+ ;;
+ ./*)
+ echo ${pwd}${1#.}
+ ;;
+ ..)
+ cd ..
+ echo $PWD
+ cd $pwd
+ ;;
+ ../*)
+ cd ..
+ resolve_file ${1#../}
+ cd $pwd
+ ;;
+ *)
+ echo $pwd/$1
+ ;;
+ esac
+}
+
+#
+# Perform variable substitution on the passed argument and echo the result
+#
+expand() # $@ = contents of variable which may be the name of another variable
+{
+ eval echo \"$@\"
+}
+
+#
+# Function for including one file into another
+#
+INCLUDE() {
+ . 
$(find_file $(expand $@))
+}
+
+#
+# Set the Shorewall state
+#
+set_state () # $1 = state
+{
+ echo "$1 ($(date))" > ${VARDIR}/state
+}
+
+#
+# Determine which optional facilities are supported by iptables/netfilter
+#
+determine_capabilities() {
+ qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
+ qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
+
+ CONNTRACK_MATCH=
+ NEW_CONNTRACK_MATCH=
+ OLD_CONNTRACK_MATCH=
+ MULTIPORT=
+ XMULTIPORT=
+ POLICY_MATCH=
+ PHYSDEV_MATCH=
+ PHYSDEV_BRIDGE=
+ IPRANGE_MATCH=
+ RECENT_MATCH=
+ OWNER_MATCH=
+ IPSET_MATCH=
+ CONNMARK=
+ XCONNMARK=
+ CONNMARK_MATCH=
+ XCONNMARK_MATCH=
+ RAW_TABLE=
+ IPP2P_MATCH=
+ LENGTH_MATCH=
+ CLASSIFY_TARGET=
+ ENHANCED_REJECT=
+ USEPKTTYPE=
+ KLUDGEFREE=
+ MARK=
+ XMARK=
+ MANGLE_FORWARD=
+ COMMENTS=
+ ADDRTYPE=
+ TCPMSS_MATCH=
+ HASHLIMIT_MATCH=
+ NFQUEUE_TARGET=
+ REALM_MATCH=
+ HELPER_MATCH=
+ CONNLIMIT_MATCH=
+ TIME_MATCH=
+ GOTO_TARGET=
+
+ chain=fooX$$
+
+ [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
+
+ if [ -z "$IPTABLES" ]; then
+ echo " ERROR: No executable iptables binary can be found on your PATH" >&2
+ exit 1
+ fi
+
+ qt $IPTABLES -F $chain
+ qt $IPTABLES -X $chain
+ if ! $IPTABLES -N $chain; then
+ echo " ERROR: The command \"$IPTABLES -N $chain\" failed" >&2
+ exit 1
+ fi
+
+ chain1=${chain}1
+
+ qt $IPTABLES -F $chain1
+ qt $IPTABLES -X $chain1
+ if ! $IPTABLES -N $chain1; then
+ echo " ERROR: The command \"$IPTABLES -N $chain1\" failed" >&2
+ exit 1
+ fi
+
+ if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
+ echo " ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
+ exit 1
+ fi
+
+ qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
+
+ if [ -n "$CONNTRACK_MATCH" ]; then
+ qt $IPTABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
+ qt $IPTABLES -A $chain -m conntrack ! 
--ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes
+ fi
+
+ if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
+ MULTIPORT=Yes
+ qt $IPTABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
+ fi
+
+ qt $IPTABLES -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
+ qt $IPTABLES -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
+
+ if qt $IPTABLES -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then
+ PHYSDEV_MATCH=Yes
+ qt $IPTABLES -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes
+ if [ -z "${KLUDGEFREE}" ]; then
+ qt $IPTABLES -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
+ fi
+ fi
+
+ if qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
+ IPRANGE_MATCH=Yes
+ if [ -z "${KLUDGEFREE}" ]; then
+ qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
+ fi
+ fi
+
+ qt $IPTABLES -A $chain -m recent --update -j ACCEPT && RECENT_MATCH=Yes
+ qt $IPTABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
+
+ if qt $IPTABLES -A $chain -m connmark --mark 2 -j ACCEPT; then
+ CONNMARK_MATCH=Yes
+ qt $IPTABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
+ fi
+
+ qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes
+ qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
+ qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
+
+ qt $IPTABLES -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
+
+ if [ -n "$MANGLE_ENABLED" ]; then
+ qt $IPTABLES -t mangle -N $chain
+
+ if qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1; then
+ MARK=Yes
+ qt $IPTABLES -t mangle -A 
$chain -j MARK --and-mark 0xFF && XMARK=Yes
+ fi
+
+ if qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark; then
+ CONNMARK=Yes
+ qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
+ fi
+
+ qt $IPTABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
+ qt $IPTABLES -t mangle -F $chain
+ qt $IPTABLES -t mangle -X $chain
+ qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
+ fi
+
+ qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
+
+ if qt mywhich ipset; then
+ qt ipset -X $chain # Just in case something went wrong the last time
+
+ if qt ipset -N $chain iphash ; then
+ if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
+ qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
+ IPSET_MATCH=Yes
+ fi
+ qt ipset -X $chain
+ fi
+ fi
+
+ qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
+ qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
+ qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
+ qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+ qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
+ qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
+ qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
+ qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
+ qt $IPTABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
+ qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
+
+ qt $IPTABLES -F $chain
+ qt $IPTABLES -X $chain
+ qt $IPTABLES -F $chain1
+ qt $IPTABLES -X $chain1
+
+ CAPVERSION=$SHOREWALL_CAPVERSION
+}
+
+report_capabilities() {
+ report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
+ {
+ local setting
+ setting=
+
+ [ "x$2" = "xYes" ] && 
setting="Available" || setting="Not available"
+
+ echo " " $1: $setting
+ }
+
+ if [ $VERBOSE -gt 1 ]; then
+ echo "Shorewall has detected the following iptables/netfilter capabilities:"
+ report_capability "NAT" $NAT_ENABLED
+ report_capability "Packet Mangling" $MANGLE_ENABLED
+ report_capability "Multi-port Match" $MULTIPORT
+ [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
+ report_capability "Connection Tracking Match" $CONNTRACK_MATCH
+ if [ -n "$CONNTRACK_MATCH" ]; then
+ report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
+ report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH
+ fi
+ report_capability "Packet Type Match" $USEPKTTYPE
+ report_capability "Policy Match" $POLICY_MATCH
+ report_capability "Physdev Match" $PHYSDEV_MATCH
+ report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
+ report_capability "Packet length Match" $LENGTH_MATCH
+ report_capability "IP range Match" $IPRANGE_MATCH
+ report_capability "Recent Match" $RECENT_MATCH
+ report_capability "Owner Match" $OWNER_MATCH
+ report_capability "Ipset Match" $IPSET_MATCH
+ report_capability "CONNMARK Target" $CONNMARK
+ [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
+ report_capability "Connmark Match" $CONNMARK_MATCH
+ [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
+ report_capability "Raw Table" $RAW_TABLE
+ report_capability "IPP2P Match" $IPP2P_MATCH
+ report_capability "CLASSIFY Target" $CLASSIFY_TARGET
+ report_capability "Extended REJECT" $ENHANCED_REJECT
+ report_capability "Repeat match" $KLUDGEFREE
+ report_capability "MARK Target" $MARK
+ [ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
+ report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
+ report_capability "Comments" $COMMENTS
+ report_capability "Address Type Match" $ADDRTYPE
+ report_capability "TCPMSS Match" $TCPMSS_MATCH
+ 
report_capability "Hashlimit Match" $HASHLIMIT_MATCH
+ report_capability "NFQUEUE Target" $NFQUEUE_TARGET
+ report_capability "Realm Match" $REALM_MATCH
+ report_capability "Helper Match" $HELPER_MATCH
+ report_capability "Connlimit Match" $CONNLIMIT_MATCH
+ report_capability "Time Match" $TIME_MATCH
+ report_capability "Goto Support" $GOTO_TARGET
+ fi
+
+ [ -n "$PKTTYPE" ] || USEPKTTYPE=
+
+}
+
+report_capabilities1() {
+ report_capability1() # $1 = Capability
+ {
+ eval echo $1=\$$1
+ }
+
+ echo "#"
+ echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
+ echo "#"
+ report_capability1 NAT_ENABLED
+ report_capability1 MANGLE_ENABLED
+ report_capability1 MULTIPORT
+ report_capability1 XMULTIPORT
+ report_capability1 CONNTRACK_MATCH
+ report_capability1 NEW_CONNTRACK_MATCH
+ report_capability1 OLD_CONNTRACK_MATCH
+ report_capability1 USEPKTTYPE
+ report_capability1 POLICY_MATCH
+ report_capability1 PHYSDEV_MATCH
+ report_capability1 PHYSDEV_BRIDGE
+ report_capability1 LENGTH_MATCH
+ report_capability1 IPRANGE_MATCH
+ report_capability1 RECENT_MATCH
+ report_capability1 OWNER_MATCH
+ report_capability1 IPSET_MATCH
+ report_capability1 CONNMARK
+ report_capability1 XCONNMARK
+ report_capability1 CONNMARK_MATCH
+ report_capability1 XCONNMARK_MATCH
+ report_capability1 RAW_TABLE
+ report_capability1 IPP2P_MATCH
+ report_capability1 CLASSIFY_TARGET
+ report_capability1 ENHANCED_REJECT
+ report_capability1 KLUDGEFREE
+ report_capability1 MARK
+ report_capability1 XMARK
+ report_capability1 MANGLE_FORWARD
+ report_capability1 COMMENTS
+ report_capability1 ADDRTYPE
+ report_capability1 TCPMSS_MATCH
+ report_capability1 HASHLIMIT_MATCH
+ report_capability1 NFQUEUE_TARGET
+ report_capability1 REALM_MATCH
+ report_capability1 HELPER_MATCH
+ report_capability1 CONNLIMIT_MATCH
+ report_capability1 TIME_MATCH
+ report_capability1 GOTO_TARGET
+
+ echo CAPVERSION=$SHOREWALL_CAPVERSION
+}
+
+#
+# Delete IP address
+#
+del_ip_addr() # $1 = 
address, $2 = interface
+{
+ [ $(find_first_interface_address_if_any $2) = $1 ] || qt ip addr del $1 dev $2
+}
+
+# Add IP Aliases
+#
+add_ip_aliases() # $* = List of addresses
+{
+ local addresses
+ local external
+ local interface
+ local inet
+ local cidr
+ local rest
+ local val1
+ local arping
+ arping=$(mywhich arping)
+
+ address_details()
+ {
+ #
+ # Folks feel uneasy if they don't see all of the same
+ # decoration on these IP addresses that they see when their
+ # distro's net config tool adds them. In an attempt to reduce
+ # the anxiety level, we have the following code which sets
+ # the VLSM and BRD from an existing address in the same networks
+ #
+ # Get all of the lines that contain inet addresses with broadcast
+ #
+ ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
+ case $cidr in
+ */*)
+ if in_network $external $cidr; then
+ echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
+ break
+ fi
+ ;;
+ esac
+ done
+ }
+
+ do_one()
+ {
+ val=$(address_details)
+
+ ip addr add ${external}${val} dev $interface $label
+ [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
+ echo "$external $interface" >> $VARDIR/nat
+ [ -n "$label" ] && label="with $label"
+ progress_message " IP Address $external added to interface $interface $label"
+ }
+
+ progress_message "Adding IP Addresses..."
+
+ while [ $# -gt 0 ]; do
+ external=$1
+ interface=$2
+ label=
+
+ if [ "$interface" != "${interface%:*}" ]; then
+ label="${interface#*:}"
+ interface="${interface%:*}"
+ label="label $interface:$label"
+ fi
+
+ shift 2
+
+ list_search $external $(find_interface_addresses $interface) || do_one
+ done
+}
+
+detect_gateway() # $1 = interface
+{
+ local interface
+ interface=$1
+ #
+ # First assume that this is some sort of point-to-point interface
+ #
+ gateway=$( find_peer $(ip addr list $interface ) )
+ #
+ # Maybe there's a default route through this gateway already
+ #
+ [ -n "$gateway" ] || gateway=$(find_gateway $(ip route list dev $interface))
+ #
+ # Last hope -- is there a load-balancing route through the interface?
+ #
+ [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
+ #
+ # Be sure we found one
+ #
+ [ -n "$gateway" ] && echo $gateway
+}
+
+#
+# Disable IPV6
+#
+disable_ipv6() {
+ local foo
+ foo="$(ip -f inet6 addr list 2> /dev/null)"
+
+ if [ -n "$foo" ]; then
+ if qt mywhich ip6tables; then
+ ip6tables -P FORWARD DROP
+ ip6tables -P INPUT DROP
+ ip6tables -P OUTPUT DROP
+ ip6tables -F
+ ip6tables -X
+ ip6tables -A OUTPUT -o lo -j ACCEPT
+ ip6tables -A INPUT -i lo -j ACCEPT
+ else
+ error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
+ fi
+ fi
+}
+
+# Function to truncate a string -- It uses 'cut -b -'
+# rather than ${v:first:last} because light-weight shells like ash and
+# dash do not support that form of expansion.
+#
+
+truncate() # $1 = length
+{
+ cut -b -${1}
+}
+
+#
+# Add a logging rule.
+#
+do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... 
= predicates for the rule +{ + local level + level=$1 + local chain + chain=$2 + local displayChain + displayChain=$3 + local disposition + disposition=$4 + local rulenum + rulenum= + local limit + limit= + local tag + tag= + local command + command= + local prefix + local base + base=$(chain_base $displayChain) + local pf + + limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash. + tag=${6:+$6 } + command=${7:--A} + + shift 7 + + if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then + displayChain=$tag + tag= + fi + + if [ -n "$LOGRULENUMBERS" ]; then + # + # Hack for broken printf on some lightweight shells + # + [ $(printf "%d" 1) = "1" ] && pf=printf || pf=$(mywhich printf) + + eval rulenum=\$${base}_logrules + + rulenum=${rulenum:-1} + + prefix="$($pf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}" + + rulenum=$(($rulenum + 1)) + eval ${base}_logrules=$rulenum + else + prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}" + fi + + if [ ${#prefix} -gt 29 ]; then + prefix="`echo "$prefix" | truncate 28` " + error_message "WARNING: Log Prefix shortened to \"$prefix\"" + fi + + case $level in + ULOG) + $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" + ;; + *) + $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" + ;; + esac + + if [ $? -ne 0 ] ; then + [ -z "$STOPPING" ] && { stop_firewall; exit 2; } + fi +} + +do_log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... 
= predicates for the rule +{ + local level + level=$1 + local chain + chain=$2 + local disposition + disposition=$3 + + shift 3 + + do_log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@ +} + +delete_tc1() +{ + clear_one_tc() { + tc qdisc del dev $1 root 2> /dev/null + tc qdisc del dev $1 ingress 2> /dev/null + + } + + run_user_exit tcclear + + run_ip link list | \ + while read inx interface details; do + case $inx in + [0-9]*) + clear_one_tc ${interface%:} + ;; + *) + ;; + esac + done +} + +# +# Detect a device's MTU -- echos the passed device's MTU +# +get_device_mtu() # $1 = device +{ + local output + output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash + + if [ -n "$output" ]; then + echo $(find_mtu $output) + else + echo 1500 + fi +} + +# +# Version of the above that doesn't generate any output for MTU 1500. +# Generates 'mtu ' otherwise, where is the device's MTU + 100 +# +get_device_mtu1() # $1 = device +{ + local output + output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash + local mtu + + if [ -n "$output" ]; then + mtu=$(find_mtu $output) + if [ -n "$mtu" ]; then + [ $mtu = 1500 ] || echo mtu $(($mtu + 100)) + fi + fi + +} + +# +# Undo changes to routing +# +undo_routing() { + + if [ -z "$NOROUTES" ]; then + # + # Restore rt_tables database + # + if [ -f ${VARDIR}/rt_tables ]; then + [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored" + rm -f ${VARDIR}/rt_tables + fi + # + # Restore the rest of the routing table + # + if [ -f ${VARDIR}/undo_routing ]; then + . 
${VARDIR}/undo_routing
+ progress_message "Shorewall-generated routing tables and routing rules removed"
+ rm -f ${VARDIR}/undo_routing
+ fi
+ fi
+
+}
+
+restore_default_route() {
+ if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
+ local default_route
+ default_route=
+ local route
+
+ while read route ; do
+ case $route in
+ default*)
+ if [ -n "$default_route" ]; then
+ case "$default_route" in
+ *metric*)
+ #
+ # Don't restore a route with a metric -- we only replace the one with metric == 0
+ #
+ qt ip route delete default metric 0 && \
+ progress_message "Default Route with metric 0 deleted"
+ ;;
+ *)
+ qt ip route replace $default_route && \
+ progress_message "Default Route (${default_route# }) restored"
+ ;;
+ esac
+
+ break
+ fi
+
+ default_route="$default_route $route"
+ ;;
+ *)
+ default_route="$default_route $route"
+ ;;
+ esac
+ done < ${VARDIR}/default_route
+
+ rm -f ${VARDIR}/default_route
+ fi
+}
+
+#
+# Determine how to do "echo -e"
+#
+
+find_echo() {
+ local result
+
+ result=$(echo "a\tb")
+ [ ${#result} -eq 3 ] && { echo echo; return; }
+
+ result=$(echo -e "a\tb")
+ [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
+
+ result=$(which echo)
+ [ -n "$result" ] && { echo "$result -e"; return; }
+
+ echo echo
+}
+
+# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
+#
+# None - No mktemp
+# BSD - BSD mktemp (Mandrake)
+# STD - mktemp.org mktemp
+#
+find_mktemp() {
+ local mktemp
+ mktemp=`mywhich mktemp 2> /dev/null`
+
+ if [ -n "$mktemp" ]; then
+ if qt mktemp -V ; then
+ MKTEMP=STD
+ else
+ MKTEMP=BSD
+ fi
+ else
+ MKTEMP=None
+ fi
+}
+
+#
+# create a temporary file. If a directory name is passed, the file will be created in
+# that directory. Otherwise, it will be created in a temporary directory.
+#
+mktempfile() {
+
+ [ -z "$MKTEMP" ] && find_mktemp
+
+ if [ $# -gt 0 ]; then
+ case "$MKTEMP" in
+ BSD)
+ mktemp $1/shorewall.XXXXXX
+ ;;
+ STD)
+ mktemp -p $1 shorewall.XXXXXX
+ ;;
+ None)
+ > $1/shorewall-$$ && echo $1/shorewall-$$
+ ;;
+ *)
+ error_message "ERROR:Internal error in mktempfile"
+ ;;
+ esac
+ else
+ case "$MKTEMP" in
+ BSD)
+ mktemp /tmp/shorewall.XXXXXX
+ ;;
+ STD)
+ mktemp -t shorewall.XXXXXX
+ ;;
+ None)
+ rm -f /tmp/shorewall-$$
+ > /tmp/shorewall-$$ && echo /tmp/shorewall-$$
+ ;;
+ *)
+ error_message "ERROR:Internal error in mktempfile"
+ ;;
+ esac
+ fi
+}
diff --git a/Shorewall-common/lib.cli b/Shorewall-common/lib.cli
new file mode 100644
index 000000000..a09c40f5f
--- /dev/null
+++ b/Shorewall-common/lib.cli
@@ -0,0 +1,1149 @@
+#!/bin/sh
+#
+# Shorewall 4.2 -- /usr/share/shorewall/lib.cli.
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# This library contains the command processing code common to /sbin/shorewall and
+# /sbin/shorewall-lite.
+#
+
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+ echo " $@" >&2
+ exit 2
+}
+
+# Display a chain if it exists
+#
+
+showfirstchain() # $1 = name of chain
+{
+ awk \
+ 'BEGIN {prnt=0; rslt=1; }; \
+ /^$/ { next; };\
+ /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\
+ /Chain '$1'/ { prnt=1; }; \
+ { if (prnt == 1) print; };\
+ END { exit rslt; }' $TMPFILE
+}
+
+showchain() # $1 = name of chain
+{
+ if [ "$firstchain" = "Yes" ]; then
+ if showfirstchain $1; then
+ firstchain=
+ fi
+ else
+ awk \
+ 'BEGIN {prnt=0;};\
+ /^$|^ pkts/ { next; };\
+ /^Chain/ {if ( prnt == 1 ) exit; };\
+ /Chain '$1'/ { prnt=1; };\
+ { if (prnt == 1) print; }' $TMPFILE
+ fi
+}
+
+#
+# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
+#
+
+iptablesbug()
+{
+ if qt mywhich awk ; then
+ awk 'BEGIN { sline=""; };\
+ /^-j/ { print sline $0; next };\
+ /-m policy.*-j/ { print $0; next };\
+ /-m policy/ { sline=$0; next };\
+ /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
+ { print ; sline="" }'
+ else
+ echo " WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
+ cat
+ fi
+}
+
+#
+# Validate the value of RESTOREFILE
+#
+validate_restorefile() # $* = label
+{
+ case $RESTOREFILE in
+ */*)
+ error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE"
+ exit 2
+ ;;
+ .safe|.try)
+ ;;
+ .*|NONE)
+ error_message "ERROR: Reserved File Name: $RESTOREFILE"
+ exit 2
+ ;;
+ esac
+}
+
+#
+# Clear descriptor 1 if it is a terminal
+#
+clear_term() {
+ [ -t 1 ] && clear
+}
+
+#
+# Delay $timeout seconds -- if we're running on a recent bash2 then allow
+# to terminate the delay
+#
+timed_read ()
+{
+ read -t $timeout foo 2> /dev/null
+
+ test $? -eq 2 && sleep $timeout
+}
+
+#
+# Determine if 'syslog -C' is running
+#
+syslog_circular_buffer() {
+ local pid
+ local tty
+ local flags
+ local cputime
+ local path
+ local args
+ local arg
+
+ ps ax 2> /dev/null | while read pid tty flags cputime path args; do
+ case $path in
+ syslogd|*/syslogd)
+ for arg in $args; do
+ if [ x$arg = x-C ]; then
+ echo Yes
+ return
+ fi
+ done
+ ;;
+ esac
+ done
+}
+
+#
+# Display the last $1 packets logged
+#
+packet_log() # $1 = number of messages
+{
+ local options
+
+ if [ -n "$SHOWMACS" -o $VERBOSE -gt 2 ]; then
+ $LOGREAD | grep 'IN=.* OUT=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
+ else
+ $LOGREAD | grep 'IN=.* OUT=' | head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
+ fi
+}
+
+#
+# Show traffic control information
+#
+show_tc() {
+
+ show_one_tc() {
+ local device
+ device=${1%@*}
+ qdisc=$(tc qdisc list dev $device)
+
+ if [ -n "$qdisc" ]; then
+ echo Device 
$device:
+ tc -s -d qdisc show dev $device
+ echo
+ tc -s -d class show dev $device
+ echo
+ fi
+ }
+
+ ip -o link list | while read inx interface details; do
+ show_one_tc ${interface%:}
+ done
+
+}
+
+#
+# Show classifier information
+#
+show_classifiers() {
+
+ show_one_classifier() {
+ local device
+ device=${1%@*}
+ qdisc=$(tc qdisc list dev $device)
+
+ if [ -n "$qdisc" ]; then
+ echo Device $device:
+ tc -s filter ls dev $device
+ echo
+ fi
+ }
+
+ ip -o link list | while read inx interface details; do
+ show_one_classifier ${interface%:}
+ done
+
+}
+
+#
+# Watch the Firewall Log
+#
+logwatch() # $1 = timeout -- if negative, prompt each time that
+ # an 'interesting' packet count changes
+{
+
+ host=$(echo $HOSTNAME | sed 's/\..*$//')
+ oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
+
+ if [ $1 -lt 0 ]; then
+ timeout=$((- $1))
+ pause="Yes"
+ else
+ pause="No"
+ timeout=$1
+ fi
+
+ qt mywhich awk && haveawk=Yes || haveawk=
+
+ while true; do
+ clear_term
+ echo "$banner $(date)"
+ echo
+
+ echo "Dropped/Rejected Packet Log ($LOGFILE)"
+ echo
+
+ show_reset
+
+ rejects=$($IPTABLES -L -v -n | grep 'LOG')
+
+ if [ "$rejects" != "$oldrejects" ]; then
+ oldrejects="$rejects"
+
+ $RING_BELL
+
+ packet_log 40
+
+ if [ "$pause" = "Yes" ]; then
+ echo
+ echo $ECHO_N 'Enter any character to continue: '
+ read foo
+ else
+ timed_read
+ fi
+ else
+ echo
+ packet_log 40
+ timed_read
+ fi
+ done
+}
+
+#
+# Save currently running configuration
+#
+save_config() {
+
+ local result
+ result=1
+
+ iptables_save=${IPTABLES}-save
+
+ [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2
+
+ if shorewall_is_started ; then
+ [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+
+ if [ -f $RESTOREPATH -a ! 
-x $RESTOREPATH ]; then + echo " ERROR: $RESTOREPATH exists and is not a saved $PRODUCT configuration" >&2 + else + case $RESTOREFILE in + capabilities|chains|default_route|firewall|firewall.conf|nat|proxyarp|restarted|rt_tables|save|state|undo_routing|zones) + echo " ERROR: Reserved file name: $RESTOREFILE" >&2 + ;; + *) + validate_restorefile RESTOREFILE + + if $IPTABLES -L dynamic -n > ${VARDIR}/save; then + echo " Dynamic Rules Saved" + if [ -f ${VARDIR}/.restore ]; then + if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then + cp -f ${VARDIR}/.restore $RESTOREPATH + mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables + chmod +x $RESTOREPATH + echo " Currently-running Configuration Saved to $RESTOREPATH" + + rm -f ${RESTOREPATH}-ipsets + + case ${SAVE_IPSETS:-No} in + [Yy][Ee][Ss]) + RESTOREPATH=${RESTOREPATH}-ipsets + + f=${VARDIR}/restore-$$ + + echo "#!/bin/sh" > $f + echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f + echo >> $f + echo ". ${SHAREDIR}/lib.base" >> $f + echo >> $f + cat ${VARDIR}/.modulesdir >> $f + echo >> $f + echo "reload_kernel_modules << __EOF__" >> $f + grep 'loadmodule ip_set' ${VARDIR}/.modules >> $f + echo "__EOF__" >> $f + echo >> $f + echo "ipset -U :all: :all:" >> $f + echo "ipset -U :all: :default:" >> $f + echo "ipset -F" >> $f + echo "ipset -X" >> $f + echo "ipset -R << __EOF__" >> $f + ipset -S >> $f + echo "__EOF__" >> $f + mv -f $f $RESTOREPATH + chmod +x $RESTOREPATH + echo " Current Ipset Contents Saved to $RESTOREPATH" + result=0 + ;; + [Nn][Oo]) + ;; + *) + echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. 
Ipset contents not saved" >&2 + ;; + esac + + run_user_exit save + else + rm -f ${VARDIR}/restore-$$ + echo " ERROR: Currently-running Configuration Not Saved" >&2 + fi + else + echo " ERROR: ${VARDIR}/.restore does not exist" >&2 + fi + else + echo "Error Saving the Dynamic Rules" >&2 + fi + ;; + esac + fi + else + echo "Shorewall isn't started" >&2 + fi + + return 0 + +} + +# +# Show routing configuration +# +show_routing() { + if [ -n "$(ip rule list)" ]; then + heading "Routing Rules" + ip rule list + ip rule list | while read rule; do + echo ${rule##* } + done | sort -u | while read table; do + heading "Table $table:" + ip route list table $table + done + else + heading "Routing Table" + ip route list + fi +} + +# +# Show Command Executor +# +show_command() { + local finished + finished=0 + local table + table=filter + local table_given + table_given= + + show_macro() { + foo=`grep 'This macro' $macro | sed 's/This macro //'` + if [ -n "$foo" ]; then + macro=${macro#*.} + foo=${foo%.*} + if [ ${#macro} -gt 10 ]; then + echo " $macro ${foo#\#}" + else + $ECHO_E " $macro \t${foo#\#}" + fi + fi + } + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + v*) + VERBOSE=$(($VERBOSE + 1 )) + option=${option#v} + ;; + x*) + IPT_OPTIONS="-xnv" + option=${option#x} + ;; + m*) + SHOWMACS=Yes + option=${option#m} + ;; + f*) + FILEMODE=Yes + option=${option#f} + ;; + t) + [ $# -eq 1 ] && usage 1 + + case $2 in + mangle|nat|filter|raw) + table=$2 + table_given=Yes + ;; + *) + fatal_error "Invalid table name ($s)" + ;; + esac + + option= + shift + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + [ -n "$debugging" ] && set -x + case "$1" in + connections) + [ $# -gt 1 ] && usage 1 + echo "$PRODUCT $version Connections at $HOSTNAME - $(date)" + echo + [ -f /proc/net/ip_conntrack ] && cat 
/proc/net/ip_conntrack || cat /proc/net/nf_conntrack
+ ;;
+ nat)
+ [ $# -gt 1 ] && usage 1
+ echo "$PRODUCT $version NAT Table at $HOSTNAME - $(date)"
+ echo
+ show_reset
+ $IPTABLES -t nat -L $IPT_OPTIONS
+ ;;
+ tos|mangle)
+ [ $# -gt 1 ] && usage 1
+ echo "$PRODUCT $version Mangle Table at $HOSTNAME - $(date)"
+ echo
+ show_reset
+ $IPTABLES -t mangle -L $IPT_OPTIONS
+ ;;
+ log)
+ [ $# -gt 1 ] && usage 1
+ echo "$PRODUCT $version Log ($LOGFILE) at $HOSTNAME - $(date)"
+ echo
+ show_reset
+ host=$(echo $HOSTNAME | sed 's/\..*$//')
+ packet_log 20
+ ;;
+ tc)
+ [ $# -gt 1 ] && usage 1
+ echo "$PRODUCT $version Traffic Control at $HOSTNAME - $(date)"
+ echo
+ show_tc
+ ;;
+ classifiers|filters)
+ [ $# -gt 1 ] && usage 1
+ echo "$PRODUCT $version Classifiers at $HOSTNAME - $(date)"
+ echo
+ show_classifiers
+ ;;
+ zones)
+ [ $# -gt 1 ] && usage 1
+ if [ -f ${VARDIR}/zones ]; then
+ echo "$PRODUCT $version Zones at $HOSTNAME - $(date)"
+ echo
+ while read zone type hosts; do
+ echo "$zone ($type)"
+ for host in $hosts; do
+ case $host in
+ exclude)
+ echo " exclude:"
+ ;;
+ *)
+ echo " $host"
+ ;;
+ esac
+ done
+ done < ${VARDIR}/zones
+ echo
+ else
+ echo " ERROR: ${VARDIR}/zones does not exist" >&2
+ exit 1
+ fi
+ ;;
+ capabilities)
+ [ $# -gt 1 ] && usage 1
+ determine_capabilities
+ VERBOSE=2
+ if [ -n "$FILEMODE" ]; then
+ report_capabilities1
+ else
+ report_capabilities
+ fi
+ ;;
+ ip)
+ [ $# -gt 1 ] && usage 1
+ echo "$PRODUCT $version IP at $HOSTNAME - $(date)"
+ echo
+ ip -4 addr list
+ ;;
+ routing)
+ [ $# -gt 1 ] && usage 1
+ echo "$PRODUCT $version Routing at $HOSTNAME - $(date)"
+ echo
+ show_routing
+ ;;
+ config)
+ . 
${SHAREDIR}/configpath + echo "Default CONFIG_PATH is $CONFIG_PATH" + [ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR" + ;; + chain) + shift + echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $HOSTNAME - $(date)" + echo + show_reset + if [ $# -gt 0 ]; then + for chain in $*; do + $IPTABLES -t $table -L $chain $IPT_OPTIONS + done + else + $IPTABLES -t $table -L $IPT_OPTIONS + fi + ;; + vardir) + echo $VARDIR; + ;; + *) + if [ "$PRODUCT" = Shorewall ]; then + case $1 in + actions) + [ $# -gt 1 ] && usage 1 + echo "allowBcast # Silently Allow Broadcast/multicast" + echo "allowInvalid # Accept packets that are in the INVALID conntrack state." + echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" + echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)" + echo "dropBcast # Silently Drop Broadcast/multicast" + echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state" + echo "dropNotSyn # Silently Drop Non-syn TCP packets" + echo "drop1918src # Drop packets with an RFC 1918 source address (Shorewall-perl only)" + echo "drop1918dst # Drop packets with an RFC 1918 original dest address (Shorewall-perl only)" + echo "forwardUPnP # Allow traffic that upnpd has redirected from" + echo "rejNotSyn # Silently Reject Non-syn TCP packets" + echo "rej1918src # Reject packets with an RFC 1918 source address (Shorewall-perl only)" + echo "rej1918dst # Reject packets with an RFC 1918 original dest address (Shorewall-perl only)" + + if [ -f ${CONFDIR}/actions ]; then + cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$' + else + grep -Ev '^\#|^$' ${SHAREDIR}/actions.std + fi + + return + ;; + macros) + [ $# -gt 1 ] && usage 1 + + for directory in $(split $CONFIG_PATH); do + temp= + for macro in ${directory}/macro.*; do + case $macro in + *\*) + ;; + *) + if [ -z "$temp" ]; then + echo + echo "Macros in $directory:" + echo + 
temp=Yes + fi + show_macro + ;; + esac + done + done + return + ;; + esac + fi + + if [ $# -gt 0 ]; then + [ -n "$table_given" ] || for chain in $*; do + if ! qt $IPTABLES -t $table -L $chain $IPT_OPTIONS; then + echo "usage $(basename $0) show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|routing|tc|zones} ] " >&2 + exit 1 + fi + done + + echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $HOSTNAME - $(date)" + echo + show_reset + for chain in $*; do + $IPTABLES -t $table -L $chain $IPT_OPTIONS + done + else + echo "$PRODUCT $version $table Table at $HOSTNAME - $(date)" + echo + show_reset + $IPTABLES -t $table -L $IPT_OPTIONS + fi + ;; + esac +} + +# +# Dump Command Executor +# +dump_command() { + local finished + finished=0 + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + x*) + IPT_OPTIONS="-xnv" + option=${option#x} + ;; + m*) + SHOWMACS=Yes + option=${option#m} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + [ $VERBOSE -lt 2 ] && VERBOSE=2 + + [ -n "$debugging" ] && set -x + [ $# -eq 0 ] || usage 1 + clear_term + echo "$PRODUCT $version Dump at $HOSTNAME - $(date)" + echo + if [ -f /usr/share/shorewall-shell/version ]; then + echo " Shorewall-shell $(cat /usr/share/shorewall-shell/version)" + if [ -f /usr/share/shorewall-perl/version ]; then + echo " Shorewall-perl $(cat /usr/share/shorewall-perl/version)" + fi + echo + elif [ -f /usr/share/shorewall-perl/version ]; then + echo " Shorewall-perl $(cat /usr/share/shorewall-perl/version)" + echo + fi + + show_reset + host=$(echo $HOSTNAME | sed 's/\..*$//') + $IPTABLES -L $IPT_OPTIONS + + heading "Log ($LOGFILE)" + packet_log 20 + + heading "NAT Table" + $IPTABLES -t nat -L $IPT_OPTIONS + + heading 
"Mangle Table" + $IPTABLES -t mangle -L $IPT_OPTIONS + + heading "Conntrack Table" + [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || cat /proc/net/nf_conntrack + + heading "IP Configuration" + ip -4 addr list + + heading "IP Stats" + ip -stat link list + + if qt mywhich brctl; then + heading "Bridges" + brctl show + fi + + if qt mywhich setkey; then + heading "PFKEY SPD" + setkey -DP + heading "PFKEY SAD" + setkey -D | grep -Ev '^[[:space:]](A:|E:)' # Don't divulge the keys + fi + + heading "/proc" + show_proc /proc/version + show_proc /proc/sys/net/ipv4/ip_forward + show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all + + for directory in /proc/sys/net/ipv4/conf/*; do + for file in proxy_arp arp_filter arp_ignore rp_filter log_martians; do + show_proc $directory/$file + done + done + + show_routing + + heading "ARP" + arp -na + + if qt mywhich lsmod; then + heading "Modules" + lsmod | grep -E '^(ip_|ipt_|iptable_|nf_|xt_)' | sort + fi + + determine_capabilities + echo + report_capabilities + + echo + netstat -tunap + + if [ -n "$TC_ENABLED" ]; then + heading "Traffic Control" + show_tc + heading "TC Filters" + show_classifiers + fi +} + +# +# Restore Comand Executor +# +restore_command() { + local finished + finished=0 + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + n*) + NOROUTES=Yes + option=${option#n} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + case $# in + 0) + ;; + 1) + RESTOREFILE="$1" + validate_restorefile '' + ;; + *) + usage 1 + ;; + esac + + if [ -z "$STARTUP_ENABLED" ]; then + error_message "ERROR: Startup is disabled" + exit 2 + fi + + RESTOREPATH=${VARDIR}/$RESTOREFILE + + export NOROUTES + + [ -n "$nolock" ] || mutex_on + + if [ -x $RESTOREPATH ]; then + if [ -x ${RESTOREPATH}-ipsets ] ; then + echo Restoring Ipsets... 
+ iptables -F + iptables -X + $SHOREWALL_SHELL ${RESTOREPATH}-ipsets + fi + + progress_message3 "Restoring Shorewall..." + + $SHOREWALL_SHELL $RESTOREPATH restore && progress_message3 "$PRODUCT restored from ${VARDIR}/$RESTOREFILE" + + [ -n "$nolock" ] || mutex_off + else + echo "File $RESTOREPATH: file not found" + [ -n "$nolock" ] || mutex_off + exit 2 + fi +} + +# +# Display the time that the counters were last reset +# +show_reset() { + [ -f ${VARDIR}/restarted ] && \ + echo "Counters reset $(cat ${VARDIR}/restarted)" && \ + echo +} + +# +# Display's the passed file name followed by "=" and the file's contents. +# +show_proc() # $1 = name of a file +{ + [ -f $1 ] && echo " $1 = $(cat $1)" +} + +read_yesno_with_timeout() { + read -t 60 yn 2> /dev/null + if [ $? -eq 2 ] + then + # read doesn't support timeout + test -x /bin/bash || return 2 # bash is not installed so the feature is not available + /bin/bash -c 'read -t 60 yn ; if [ "$yn" == "y" ] ; then exit 0 ; else exit 1 ; fi' # invoke bash and use its version of read + return $? + else + # read supports timeout + case "$yn" in + y|Y) + return 0 + ;; + *) + return 1 + ;; + esac + fi +} + +# +# Print a heading with leading and trailing black lines +# +heading() { + echo + echo "$@" + echo +} + +# +# Create the appropriate -q option to pass onward +# +make_verbose() { + local v + v=$VERBOSE_OFFSET + local option + option=- + + if [ -n "$USE_VERBOSITY" ]; then + echo "-v$USE_VERBOSITY" + elif [ $VERBOSE_OFFSET -gt 0 ]; then + while [ $v -gt 0 ]; do + option="${option}v" + v=$(($v - 1)) + done + + echo $option + elif [ $VERBOSE_OFFSET -lt 0 ]; then + while [ $v -lt 0 ]; do + option="${option}q" + v=$(($v + 1)) + done + + echo $option + fi +} + +# +# Executor for drop,reject,... 
commands +# +block() # $1 = command, $2 = Finished, $3 - $n addresses +{ + local chain + chain=$1 + local finished + finished=$2 + + shift 3 + + while [ $# -gt 0 ]; do + case $1 in + *-*) + qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject + qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP + qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject + qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop + $IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1 + ;; + *) + qt $IPTABLES -D dynamic -s $1 -j reject + qt $IPTABLES -D dynamic -s $1 -j DROP + qt $IPTABLES -D dynamic -s $1 -j logreject + qt $IPTABLES -D dynamic -s $1 -j logdrop + $IPTABLES -A dynamic -s $1 -j $chain || break 1 + ;; + esac + + echo "$1 $finished" + shift + done +} + +# +# 'hits' commmand executor +# +hits_command() { + local finished + finished=0 + local today + today= + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + t*) + today=$(date +'^%b %_d.*') + option=${option#t} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + [ $# -eq 0 ] || usage 1 + + clear_term + echo "$PRODUCT $version Hits at $HOSTNAME - $(date)" + echo + + timeout=30 + + if $LOGREAD | grep -q "${today}IN=.* OUT=" ; then + echo " HITS IP DATE" + echo " ---- --------------- ------" + $LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn | while read count address month day; do + printf '%7d %-15s %3s %2d\n' $count $address $month $day + done + + echo "" + + echo " HITS IP PORT" + echo " ---- --------------- -----" + $LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/ + t + s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do + printf '%7d 
%-15s %d\n' $count $address $port + done + + echo "" + + echo " HITS DATE" + echo " ---- ------" + $LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do + printf '%7d %3s %2d\n' $count $month $day + done + + echo "" + + echo " HITS PORT SERVICE(S)" + echo " ---- ----- ----------" + $LOGREAD | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do + # List all services defined for the given port + srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | cut -f 1 -d' ' | sort -u) + srv=$(echo $srv | sed 's/ /,/g') + + if [ -n "$srv" ] ; then + printf '%7d %5d %s\n' $count $port $srv + else + printf '%7d %5d\n' $count $port + fi + done + fi +} + +# +# 'allow' command executor +# +allow_command() { + [ -n "$debugging" ] && set -x + [ $# -eq 1 ] && usage 1 + if shorewall_is_started ; then + [ -n "$nolock" ] || mutex_on + while [ $# -gt 1 ]; do + shift + case $1 in + *-*) + if qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject ||\ + qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP ||\ + qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop ||\ + qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject + then + echo "$1 Allowed" + else + echo "$1 Not Dropped or Rejected" + fi + ;; + *) + if qt $IPTABLES -D dynamic -s $1 -j reject ||\ + qt $IPTABLES -D dynamic -s $1 -j DROP ||\ + qt $IPTABLES -D dynamic -s $1 -j logdrop ||\ + qt $IPTABLES -D dynamic -s $1 -j logreject + then + echo "$1 Allowed" + else + echo "$1 Not Dropped or Rejected" + fi + ;; + esac + done + [ -n "$nolock" ] || mutex_off + else + error_message "ERROR: $PRODUCT is not started" + exit 2 + fi +} + +# +# 'logwatch' command executor +# +logwatch_command() { + shift + + finished=0 + + while [ $finished -eq 0 -a $# -ne 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + [ -z "$option" ] && usage 1 + + while [ 
-n "$option" ]; do + case $option in + v*) + VERBOSE=$(($VERBOSE + 1 )) + option=${option#v} + ;; + q*) + VERBOSE=$(($VERBOSE - 1 )) + option=${option#q} + ;; + m*) + SHOWMACS=Yes + option=${option#m} + ;; + -) + finished=1 + option= + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + [ -n "$debugging" ] && set -x + + if [ $# -eq 1 ]; then + logwatch $1 + elif [ $# -eq 0 ]; then + logwatch 30 + else + usage 1 + fi +} diff --git a/Shorewall-common/lib.config b/Shorewall-common/lib.config new file mode 100644 index 000000000..27608981e --- /dev/null +++ b/Shorewall-common/lib.config 
@@ -0,0 +1,2296 @@ +#!/bin/sh +# +# Shorewall 4.2 -- /usr/share/shorewall/lib.config +# +# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] +# +# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) +# +# Complete documentation is available at http://shorewall.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# This library contains the configuration file parsing code common to +# /usr/share/shorewall/compiler and /usr/share/shorewall/firewall +# + +SHOREWALL_CONFIGVERSION=40000 + +# +# Replace commas with spaces and echo the result +# +separate_list() { + local list + list="$@" + local part + local newlist + local firstpart + local lastpart + local enclosure + + case "$list" in + *,|,*|*,,*|*[[:space:]]*) + # + # There's been whining about us not catching embedded white space in + # comma-separated lists. This is an attempt to snag some of the cases. + # + # The 'TERMINATOR' function will be set by the 'firewall' script to + # either 'startup_error' or 'fatal_error' depending on the command and + # command phase + # + [ -n "$TERMINATOR" ] && \ + $TERMINATOR "Invalid comma-separated list \"$@\"" + echo "WARNING -- invalid comma-separated list \"$@\"" >&2 + ;; + *\[*\]*) + # + # Where we need to embed comma-separated lists within lists, we enclose them + # within square brackets. 
+ # + firstpart=${list%%\[*} + lastpart=${list#*\[} + enclosure=${lastpart%%\]*} + lastpart=${lastpart#*\]} + case $lastpart in + \,*) + case $firstpart in + *\,) + echo "$(separate_list ${firstpart%,}) [$enclosure] $(separate_list ${lastpart#,})" + ;; + *) + echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})" + ;; + esac + ;; + *) + case $firstpart in + *\,) + echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)" + ;; + *) + echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)" + ;; + esac + ;; + esac + return + ;; + esac + + list="$@" + part="${list%%,*}" + newlist="$part" + + while [ "x$part" != "x$list" ]; do + list="${list#*,}"; + part="${list%%,*}"; + newlist="$newlist $part"; + done + + echo "$newlist" +} + +# +# Display elements of a list with leading white space +# +display_list() # $1 = List Title, rest of $* = list to display +{ + [ $# -gt 1 ] && echo " $*" +} + +# +# Determine if a chain is a policy chain +# +is_policy_chain() # $1 = name of chain +{ + eval test \"\$${1}_is_policy\" = Yes +} + +# +# Return a space separated list of values matching +# +list_walk() # $1 = element to search for, $2-$n = list +{ + local e + e=$1 + local result + result= + + while [ $# -gt 1 ]; do + shift + case $1 in + $e*) + result="$result ${1##$e}" + ;; + esac + done + echo $result +} + +# +# Functions to count list elements +# - - - - - - - - - - - - - - - - +# Whitespace-separated list +# +list_count1() { + echo $# +} +# +# Comma-separated list +# +list_count() { + list_count1 $(separate_list $1) +} + +# +# Filter that expands variables +# +expand_line() { + local line + + while read line; do + echo $(expand $line) + done +} + +# +# Add whitespace after leading "!" +# +fix_bang() +{ + local result + result= + + while [ $# -gt 0 ]; do + case $1 in + !*) + result="$result ! 
${1#!}" + ;; + *) + result="$result $1" + ;; + esac + shift + done + + echo $result +} + +# +# Read the zones file and find the firewall zone +# +get_firewall_zone() { + local zone + local type + local rest + local comment + comment='#*' + local f + f=$(find_file zones) + + [ -f $f ] || startup_error "Unable to find zones file" + + while read zone type rest; do + case $zone in + $comment) + ;; + *) + if [ "x$type" = xfirewall ]; then + FW=$zone + return + fi + ;; + esac + done < $f + + startup_error "No firewall zone defined in $f" +} + +# +# This function assumes that the TMP_DIR variable is set and that +# its value names an existing directory. +# +determine_zones() +{ + local zone + local parent + local parents + local rest + local new_zone_file + new_zone_file= + local r + + merge_zone() + { + local z + local zones + zones="$ZONES" + local merged + merged= + + if [ -n "$parents" ]; then + ZONES= + for z in $zones; do + if [ -z "$merged" ] && list_search $z $parents; then + ZONES="$ZONES $zone" + merged=Yes + fi + ZONES="$ZONES $z" + done + else + ZONES="$ZONES $zone" + fi + } + + ZONES= + IPV4_ZONES= + IPSEC_ZONES= + + [ "$IPSECFILE" = zones ] && new_zone_file=Yes || test -n "${FW:=fw}" + + while read zone type rest; do + case $zone in + *:*) + parents=${zone#*:} + zone=${zone%:*} + [ -n "$zone" ] || startup_error "Invalid nested zone syntax: :$parents" + parents=$(separate_list $parents) + eval ${zone}_parents=\"$parents\" + ;; + *) + parents= + eval ${zone}_parents= + ;; + esac + + for parent in $parents; do + [ "$parent" = "$FW" ] && startup_error "Sub-zones of the firewall zone are not allowed" + list_search $parent $ZONES || startup_error "Parent zone not defined: $parent" + done + + [ ${#zone} -gt $MAXZONENAMELENGTH ] && startup_error "Zone name longer than $MAXZONENAMELENGTH characters: $zone" + + case "$zone" in + [0-9*]) + startup_error "Illegal zone name \"$zone\" in zones file" + ;; + all|none|SOURCE|DEST) + startup_error "Reserved zone name 
\"$zone\" in zones file" + ;; + esac + + if [ -n "$new_zone_file" ]; then + case ${type:=ipv4} in + ipv4|IPv4|IPV4|plain|-) + list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" + merge_zone + IPV4_ZONES="$IPV4_ZONES $zone" + ;; + ipsec|IPSEC|ipsec4|IPSEC4) + list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" + [ -n "$POLICY_MATCH" ] || startup_error "Your kernel and/or iptables does not support policy match" + eval ${zone}_is_ipsec=Yes + eval ${zone}_is_complex=Yes + merge_zone + IPSEC_ZONES="$IPSEC_ZONES $zone" + ;; + firewall) + [ -n "$FW" ] && startup_error "Only one firewall zone may be defined" + list_search $zone $ZONES && startup_error "Zone $zone is defined more than once" + [ -n "$parents" ] && startup_error "The firewall zone may not be nested" + for r in $rest; do + [ "x$r" = x- ] || startup_error "OPTIONS not allowed on the firewall zone" + done + FW=$zone + ;; + bport|bport4) + [ "$PROGRAM" = compiler ] && startup_error "Invalid Zone Type: $type" + list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" + merge_zone + BRIDGING=Yes + ;; + *) + startup_error "Invalid Zone Type: $type" + ;; + esac + + eval ${zone}_type=$type + else + list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" + ZONES="$ZONES $zone" + IPV4_ZONES="$IPV4_ZONES $zone" + eval ${zone}_type=ipv4 + fi + done < $TMP_DIR/zones + + [ -z "$ZONES" ] && startup_error "No ipv4 or ipsec Zones Defined" + + [ -z "$FW" ] && startup_error "No Firewall Zone Defined" +} + +# +# Validate the zone names and options in the interfaces file +# +validate_interfaces_file() { + local wildcard + local found_obsolete_option + found_obsolete_option= + local z + local interface + local networks + local options + local r + local iface + local option + + while read z interface networks options; do + r="$z $interface $networks $options" + + [ "x$z" = "x-" ] && z= + + if [ -n "$z" ]; then 
+ validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" + fi + + list_search $interface $ALL_INTERFACES && \ + startup_error "Duplicate Interface $interface" + + wildcard= + + case $interface in + *:*) + if [ "$PROGRAM" != compiler ]; then + # + # Assume that this is 4.0 syntax for a bridge + # + local bridge + bridge=${interface%:*} + list_search $bridge $ALL_INTERFACES || startup_error "Unknown Interface: $bridge" + interface=${interface#*:} + else + startup_error "Invalid Interface Name: $interface" + fi + ;; + +) + startup_error "Invalid Interface Name: +" + ;; + *+) + wildcard=Yes + ;; + esac + + ALL_INTERFACES="$ALL_INTERFACES $interface" + options=$(separate_list $options) + iface=$(chain_base $interface) + + eval ${iface}_broadcast="$networks" + eval ${iface}_zone="$z" + eval ${iface}_options=\"$options\" + + for option in $options; do + case $option in + -) + ;; + dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|nosmurfs|upnp|-) + ;; + proxyarp) + [ "$PROGRAM" = compiler ] && lib_load proxyarp "The 'proxyarp' option on interface $interface" + ;; + maclist) + [ "$PROGRAM" = compiler ] && lib_load maclist "The 'maclist' option" + ;; + norfc1918) + if [ "$PROGRAM" != compiler ]; then + addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1) + if [ -n "$addr" ]; then + addr=$(echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//') + for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do + if in_network $addr $network; then + startup_error "The 'norfc1918' option may not be specified on an interface with an RFC 1918 address. 
Interface:$interface" + fi + done + fi + fi + ;; + arp_ignore=*) + eval ${iface}_arp_ignore=${option#*=} + ;; + arp_ignore) + eval ${iface}_arp_ignore=1 + ;; + detectnets) + [ -n "$wildcard" ] && \ + startup_error "The \"detectnets\" option may not be used with a wild-card interface" + [ -n "$EXPORT" ] && \ + startup_error "'detectnets' not permitted with the -e run-line option" + ;; + routeback) + [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface" + ;; + *) + [ $PROGRAM = compiler ] && error_message "WARNING: Invalid option ($option) in record \"$r\"" + ;; + esac + done + done < $TMP_DIR/interfaces + + [ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined" +} + +# +# Process the ipsec information in the zones file +# +setup_ipsec() { + local zone + local using_ipsec + using_ipsec= + # + # Add a --set-mss rule to the passed chain + # + set_mss1() # $1 = chain, $2 = MSS + { + local policy + eval policy=\$${1}_policy + + if [ "$policy" != NONE ]; then + ensurechain $1 + local match + match= + [ "$TCPMSS_MATCH" ] && match="-m tcpmss --mss $2: " + run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $2 + fi + } + # + # Set up rules to set MSS to and/or from zone "$zone" + # + set_mss() # $1 = MSS value, $2 = _in, _out or "" + { + for z in $ZONES $FW; do + case $2 in + _in) + set_mss1 ${zone}2${z} $1 + ;; + _out) + set_mss1 ${z}2${zone} $1 + ;; + *) + set_mss1 ${z}2${zone} $1 + set_mss1 ${zone}2${z} $1 + ;; + esac + done + } + + do_options() # $1 = _in, _out or "" - $2 = option list + { + local option + local newoptions + newoptions= + local val + + [ x${2} = x- ] && return + + for option in $(separate_list $2); do + val=${option#*=} + + case $option in + mss=[0-9]*) [ "$PROGRAM" = compiler ] && set_mss $val $1 ;; + strict) newoptions="$newoptions --strict" ;; + next) newoptions="$newoptions --next" ;; + reqid=*) newoptions="$newoptions --reqid $val" ;; + spi=*) newoptions="$newoptions 
--spi $val" ;; + proto=*) newoptions="$newoptions --proto $val" ;; + mode=*) newoptions="$newoptions --mode $val" ;; + tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;; + tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;; + reqid!=*) newoptions="$newoptions ! --reqid $val" ;; + spi!=*) newoptions="$newoptions ! --spi $val" ;; + proto!=*) newoptions="$newoptions ! --proto $val" ;; + mode!=*) newoptions="$newoptions ! --mode $val" ;; + tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;; + tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;; + *) fatal_error "Invalid option \"$option\" for zone $zone" ;; + esac + done + + if [ -n "$newoptions" ]; then + [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" + eval ${zone}_is_complex=Yes + eval ${zone}_ipsec${1}_options=\"${newoptions# }\" + fi + } + + case $IPSECFILE in + zones) + f=zones + progress_message "$DOING IPSEC..." + [ $PROGRAM = compiler -a -n "$IPSEC_ZONES" ] && save_progress_message "Setting up IPSEC management..." + ;; + ipsec) + using_ipsec=Yes + if [ -s ${TMP_DIR}/ipsec ]; then + progress_message "$DOING ipsec..." + [ $PROGRAM = compiler ] && save_progress_message "Setting up IPSEC management..." 
+ f=ipsec + else + return + fi + ;; + esac + + while read zone type options in_options out_options mss; do + if [ -n "$using_ipsec" ]; then + validate_zone1 $zone || fatal_error "Unknown zone: $zone" + fi + + if [ -n "$type" ]; then + if [ -n "$using_ipsec" ]; then + case $type in + No|no) + ;; + Yes|yes) + [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" + eval ${zone}_is_ipsec=Yes + eval ${zone}_is_complex=Yes + eval ${zone}_type=ipsec4 + ;; + *) + fatal_error "Invalid IPSEC column contents" + ;; + esac + fi + + do_options "" $options + do_options "_in" $in_options + do_options "_out" $out_options + fi + + done < $TMP_DIR/$f +} + +# +# Validate the zone names and options in the hosts file +# +validate_hosts_file() { + local z + local hosts + local options + local r + local interface + local host + local option + local zports + local ipsec + ipsec= + + check_bridge_port() + { + list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}" + list_search $1 $ALL_PORTS || ALL_PORTS="$ALL_PORTS $1" + } + + while read z hosts options; do + r="$z $hosts $options" + validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\"" + + case $hosts in + *:*) + + interface=${hosts%%:*} + iface=$(chain_base $interface) + + list_search $interface $ALL_INTERFACES || \ + startup_error "Unknown interface ($interface) in record \"$r\"" + + hosts=${hosts#*:} + ;; + *) + startup_error "Invalid HOST(S) column contents: $hosts" + ;; + esac + + eval zports=\$${z}_ports + + if [ -z "$BRIDGING" ]; then + case $hosts in + *!*!*) + startup_error "Invalid hosts file entry: \"$r\"" + ;; + !*) + hosts=0.0.0.0/0 + eval ${z}_is_complex=Yes + ;; + *!*) + hosts=${hosts%%!*} + eval ${z}_is_complex=Yes + ;; + esac + fi + + for host in $(separate_list $hosts); do + if [ -n "$BRIDGING" ]; then + case $host in + *:*) + known_interface ${host%:*} && \ + startup_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: 
$host" + check_bridge_port ${host%%:*} + ;; + *.*.*) + ;; + *+|+*|*!*) + eval ${z}_is_complex=Yes + ;; + *) + known_interface $host && \ + startup_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host" + check_bridge_port $host + ;; + esac + else + case $host in + *.*.*) + ;; + +*) + eval ${z}_is_complex=Yes + ;; + *) + startup_error "BRIDGING=Yes is needed for this zone definition: $r" + ;; + esac + fi + + for option in $(separate_list $options) ; do + case $option in + norfc1918|blacklist|tcpflags|nosmurfs|-) + ;; + maclist) + [ "$PROGRAM" = compiler ] && lib_load maclist "The 'maclist' option" + ;; + ipsec) + [ -n "$POLICY_MATCH" ] || \ + startup_error "Your kernel and/or iptables does not support policy match: ipsec" + eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\" + eval ${z}_is_complex=Yes + ipsec=Yes + ;; + routeback) + eval ${z}_routeback=\"$interface:$host \$${z}_routeback\" + ;; + *) + error_message "WARNING: Invalid option ($option) in record \"$r\"" + ;; + esac + done + done + + [ -n "$zports" ] && eval ${z}_ports=\"$zports\" + + done < $TMP_DIR/hosts + + [ -n "$ALL_PORTS" ] && progress_message2 " Bridge ports are: $ALL_PORTS" + + [ -n "${IPSEC_ZONES}${ipsec}" ] || POLICY_MATCH= +} + +# +# Find interfaces to a given zone +# +# Search the variables representing the contents of the interfaces file and +# for each record matching the passed ZONE, echo the expanded contents of +# the "INTERFACE" column +# +find_interfaces() # $1 = interface zone +{ + local zne + zne=$1 + local z + local interface + + for interface in $ALL_INTERFACES; do + eval z=\$$(chain_base $interface)_zone + [ "x${z}" = x${zne} ] && echo $interface + done +} + +# +# Forward Chain for an interface +# +forward_chain() # $1 = interface +{ + echo $(chain_base $1)_fwd +} + +# +# Input Chain for an interface +# +input_chain() # $1 = interface +{ + echo $(chain_base $1)_in +} + +# +# Output Chain for an interface +# +output_chain() # $1 = interface +{ + 
echo $(chain_base $1)_out +} + +# +# Masquerade Chain for an interface +# +masq_chain() # $1 = interface +{ + echo $(chain_base $1)_masq +} + +# +# MAC Verification Chain for an interface +# +mac_chain() # $1 = interface +{ + echo $(chain_base $1)_mac +} + +macrecent_target() # $1 - interface +{ + [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN +} + +# +# Functions for creating dynamic zone rules +# +dynamic_fwd() # $1 = interface +{ + echo $(chain_base $1)_dynf +} + +dynamic_in() # $1 = interface +{ + echo $(chain_base $1)_dyni +} + +dynamic_out() # $1 = interface +{ + echo $(chain_base $1)_dyno +} + +dynamic_chains() #$1 = interface +{ + local c + c=$(chain_base $1) + + echo ${c}_dyni ${c}_dynf ${c}_dyno +} + +# +# DNAT Chain from a zone +# +dnat_chain() # $1 = zone +{ + echo ${1}_dnat +} + +# +# SNAT Chain to an interface +# +snat_chain() # $1 = interface +{ + echo $(chain_base $1)_snat +} + +# +# ECN Chain to an interface +# +ecn_chain() # $1 = interface +{ + echo $(chain_base $1)_ecn +} + +# +# First chains for an interface +# +first_chains() #$1 = interface +{ + local c + c=$(chain_base $1) + + echo ${c}_fwd ${c}_in +} + +# +# Out Chain to an interface +# +out_chain() # $1 = interface +{ + echo $(chain_base $1)_out +} + +# +# Horrible hack to work around an iptables limitation +# +iprange_echo() +{ + if [ -n "$KLUDGEFREE" ]; then + echo "-m iprange $@" + elif [ -f $TMP_DIR/iprange ]; then + echo $@ + else + echo "-m iprange $@" + > $TMP_DIR/iprange + fi +} + +# +# Get set flags (ipsets). 
+# +get_set_flags() # $1 = set name and optional [levels], $2 = src or dst +{ + local temp + local setname + setname=$1 + local options + options=$2 + + [ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1" + + case $1 in + *\[[1-6]\]) + temp=${1#*\[} + temp=${temp%\]} + setname=${1%\[*} + while [ $temp -gt 1 ]; do + options="$options,$2" + temp=$(($temp - 1)) + done + ;; + *\[*\]) + options=${1#*\[} + options=${options%\]} + setname=${1%\[*} + ;; + *) + ;; + esac + + echo "--set ${setname#+} $options" +} + +# +# Horrible hack to work around an iptables limitation +# +physdev_echo() +{ + if [ -n "$KLUDGEFREE" ]; then + echo -m physdev $@ + elif [ -f $TMP_DIR/physdev ]; then + echo $@ + else + echo -m physdev $@ + > $TMP_DIR/physdev + fi +} + +# +# Source IP range +# +source_ip_range() # $1 = Address or Address Range +{ + [ $# -gt 0 ] && case $1 in + *.*.*.*-*.*.*.*) + case $1 in + !*) + iprange_echo "! --src-range ${1#!}" + ;; + *) + iprange_echo "--src-range $1" + ;; + esac + ;; + !+*) + echo "-m set ! $(get_set_flags ${1#!} src)" + ;; + +*) + echo "-m set $(get_set_flags $1 src)" + ;; + *) + echo "-s $1" + ;; + esac +} + +# +# Destination IP range +# +dest_ip_range() # $1 = Address or Address Range +{ + [ $# -gt 0 ] && case $1 in + *.*.*.*-*.*.*.*) + case $1 in + !*) + iprange_echo "! --dst-range ${1#!}" + ;; + *) + iprange_echo "--dst-range $1" + ;; + esac + ;; + !+*) + echo "-m set ! $(get_set_flags ${1#!} dst)" + ;; + +*) + echo "-m set $(get_set_flags $1 dst)" + ;; + *) + echo "-d $1" + ;; + esac +} + +both_ip_ranges() # $1 = Source address or range, $2 = dest address or range +{ + local rangeprefix + rangeprefix= + local setprefix + setprefix= + local rangematch + rangematch= + local setmatch + setmatch= + + case $1 in + *.*.*.*-*.*.*.*) + rangeprefix="-m iprange" + rangematch="--src-range $1" + ;; + !+*) + setprefix="-m set" + setmatch="! 
$(get_set_flags ${1#!} src)"
+ ;;
+ +*)
+ setprefix="-m set"
+ setmatch="$(get_set_flags $1 src)"
+ ;;
+ *)
+ rangematch="-s $1"
+ ;;
+ esac
+
+ case $2 in
+ *.*.*.*-*.*.*.*)
+ rangeprefix="-m iprange"
+ rangematch="$rangematch --dst-range $2"
+ ;;
+ !+*)
+ setprefix="-m set"
+ match="$setmatch ! $(get_set_flags ${2#!} dst)"
+ ;;
+ +*)
+ setprefix="-m set"
+ setmatch="$setmatch $(get_set_flags $2 dst)"
+ ;;
+ *)
+ rangematch="$rangematch -d $2"
+ ;;
+ esac
+
+ echo "$rangeprefix $rangematch $setprefix $setmatch"
+}
+
+#
+# Loosly Match the name of an interface
+#
+
+if_match() # $1 = Name in interfaces file - may end in "+"
+ # $2 = Full interface name - may also end in "+"
+{
+ local pattern
+ pattern=${1%+}
+
+ case $1 in
+ *+)
+ test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}"
+ ;;
+ *)
+ test "x$1" = "x$2"
+ ;;
+ esac
+}
+
+#
+# We allow hosts to be specified by IP address or by physdev. These two functions
+# are used to produce the proper match in a netfilter rule.
+#
+match_source_hosts()
+{
+ if [ -n "$BRIDGING" ]; then
+ case $1 in
+ *:*)
+ physdev_echo "--physdev-in ${1%:*} $(source_ip_range ${1#*:})"
+ ;;
+ *.*.*.*|+*|!+*)
+ echo $(source_ip_range $1)
+ ;;
+ *)
+ physdev_echo "--physdev-in $1"
+ ;;
+ esac
+ else
+ echo $(source_ip_range $1)
+ fi
+}
+
+match_dest_hosts()
+{
+ if [ -n "$BRIDGING" ]; then
+ case $1 in
+ *:*)
+ physdev_echo "--physdev-out ${1%:*} $(dest_ip_range ${1#*:})"
+ ;;
+ *.*.*.*|+*|!+*)
+ echo $(dest_ip_range $1)
+ ;;
+ *)
+ physdev_echo "--physdev-out $1"
+ ;;
+ esac
+ else
+ echo $(dest_ip_range $1)
+ fi
+}
+#
+# Matches for either or :
+#
+match_source()
+{
+ case "$1" in
+ *:*)
+ echo "-i ${1%%:*} $(match_source_hosts ${1#*:})"
+ ;;
+ *)
+ echo $(dest_ip_range $1)
+ ;;
+ esac
+}
+
+match_dest()
+{
+ case "$1" in
+ *:*)
+ echo "-o ${1%%:*} $(match_dest_hosts ${1#*:})"
+ ;;
+ *)
+ echo $(dest_ip_range $1)
+ ;;
+ esac
+}
+
+#
+# Similarly, the source or destination in a rule can be qualified by a device name. If
+# the device is defined in ${CONFDIR}/interfaces then a normal interface match is
+# generated (-i or -o); otherwise, a physdev match is generated.
+#-------------------------------------------------------------------------------------
+#
+# loosely match the passed interface with those in ${CONFDIR}/interfaces.
+#
+known_interface() # $1 = interface name
+{
+ local iface
+
+ for iface in $ALL_INTERFACES ; do
+ if if_match $iface $1 ; then
+ return 0
+ fi
+ done
+
+ return 1
+}
+
+known_port() # $1 = port name
+{
+ local port
+
+ for port in $ALL_PORTS ; do
+ if if_match $port $1 ; then
+ return 0
+ fi
+ done
+
+ return 1
+}
+
+match_source_dev()
+{
+ if [ -n "$BRIDGING" ]; then
+ known_port $1 && physdev_echo "--physdev-in $1" || echo -i $1
+ elif known_interface $1; then
+ echo -i $1
+ elif [ -n "$PHYSDEV_MATCH" ]; then
+ physdev_echo "--physdev-in $1"
+ else
+ echo -i $1
+ fi
+}
+
+match_dest_dev()
+{
+ if [ -n "$BRIDGING" ]; then
+ known_port $1 && physdev_echo "--physdev-out $1" || echo -o $1
+ elif known_interface $1; then
+ echo -o $1
+ elif [ -n "$PHYSDEV_MATCH" ]; then
+ physdev_echo "--physdev-out $1"
+ else
+ echo -o $1
+ fi
+}
+
+verify_interface()
+{
+ known_interface $1 || { [ -n "$BRIDGING" ] && known_port $1 ; }
+}
+
+#
+# Determine if communication to/from a host is encrypted using IPSEC
+#
+is_ipsec_host() # $1 = zone, $2 = host
+{
+ local is_ipsec
+ eval is_ipsec=\$${1}_is_ipsec
+ local hosts
+ eval hosts=\"\$${1}_ipsec_hosts\"
+
+ test -n "$is_ipsec" || list_search $2 $hosts
+}
+
+#
+# Generate a match for decrypted packets
+#
+match_ipsec_in() # $1 = zone, $2 = host
+{
+ if is_ipsec_host $1 $2 ; then
+ local options
+ eval options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
+ echo "-m policy --pol ipsec --dir in $options"
+ elif [ -n "$POLICY_MATCH" ]; then
+ echo "-m policy --pol none --dir in"
+ fi
+}
+
+#
+# Generate a match for packets that will be encrypted
+#
+match_ipsec_out() # $1 = zone, $2 = host
+{
+ if is_ipsec_host $1 $2 ; then
+ local options
+ eval options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
+ echo "-m policy --pol ipsec --dir out $options"
+ elif [ -n "$POLICY_MATCH" ]; then
+ echo "-m policy --pol none --dir out"
+ fi
+}
+
+#
+# Jacket for ip_range() that takes care of iprange match
+#
+
+firewall_ip_range() # $1 = IP address or range
+{
+ [ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1
+}
+
+#
+#
+# Find hosts in a given zone
+#
+# Read hosts file and for each record matching the passed ZONE,
+# echo the expanded contents of the "HOST(S)" column
+#
+find_hosts() # $1 = host zone
+{
+ local hosts
+ local interface
+ local address
+ local addresses
+
+ while read z hosts options; do
+ if [ "x$(expand $z)" = "x$1" ]; then
+ interface=${hosts%%:*}
+ addresses=${hosts#*:}
+ case $addresses in
+ !*)
+ echo $interface:0.0.0.0/0
+ ;;
+ *)
+ for address in $(separate_list ${addresses%%!*}); do
+ echo $interface:$address
+ done
+ ;;
+ esac
+ fi
+ done < $TMP_DIR/hosts
+}
+
+#
+#
+# Find exclusions in a given zone
+#
+# Read hosts file and for each record matching the passed ZONE,
+# echo any exclusions
+#
+find_exclusions() # $1 = host zone
+{
+ local hosts
+ local interface
+ local address
+ local addresses
+
+ while read z hosts options; do
+ if [ "x$z" = "x$1" ]; then
+ interface=${hosts%%:*}
+ addresses=${hosts#*:}
+ case $addresses in
+ *!*)
+ for address in $(separate_list ${addresses#*!}); do
+ echo $interface:$address
+ done
+ ;;
+ esac
+ fi
+ done < $TMP_DIR/hosts
+}
+
+#
+# Determine the interfaces on the firewall
+#
+# For each zone, create a variable called ${zone}_interfaces.
This
+# variable contains a space-separated list of interfaces to the zone
+#
+determine_interfaces() {
+ for zone in $ZONES; do
+ interfaces=$(find_interfaces $zone)
+ interfaces=$(echo $interfaces) # Remove extra trash
+ eval ${zone}_interfaces=\"\$interfaces\"
+ done
+}
+
+#
+# Determine if an interface has a given option
+#
+interface_has_option() # $1 = interface, #2 = option
+{
+ local options
+
+ eval options=\$$(chain_base $1)_options
+
+ list_search $2 $options
+}
+
+#
+# Determine the defined hosts in each zone
+#
+determine_hosts() {
+ for zone in $ZONES; do
+ hosts=$(find_hosts $zone)
+ hosts=$(echo $hosts) # Remove extra trash
+ exclusions=$(find_exclusions $zone)
+ exclusions=$(echo $exclusions) # Remove extra trash
+
+ eval interfaces=\$${zone}_interfaces
+
+ for interface in $interfaces; do
+ if interface_has_option $interface detectnets; then
+ networks=$(get_routed_networks $interface "detectnets not allowed on interface with default route - $interface" )
+ else
+ networks=0.0.0.0/0
+ fi
+
+ for network in $networks; do
+ if [ -z "$hosts" ]; then
+ hosts=$interface:$network
+ else
+ hosts="$hosts $interface:$network"
+ fi
+
+ if interface_has_option $interface routeback; then
+ eval ${zone}_routeback=\"$interface:$network \$${zone}_routeback\"
+ fi
+ done
+ done
+
+ interfaces=
+
+ for host in $hosts; do
+ interface=${host%:*}
+ if list_search $interface $interfaces; then
+ list_search $interface:0.0.0.0/0 $hosts && \
+ startup_error "Invalid zone definition for zone $zone"
+ list_search $interface:0/0 $hosts && \
+ startup_error "Invalid zone definition for zone $zone"
+ eval ${zone}_is_complex=Yes
+ else
+ if [ -z "$interfaces" ]; then
+ interfaces=$interface
+ else
+ interfaces="$interfaces $interface"
+ fi
+ fi
+ done
+
+ eval ${zone}_exclusions="\$exclusions"
+ eval ${zone}_interfaces="\$interfaces"
+ eval ${zone}_hosts="\$hosts"
+
+ if [ -n "$hosts" ]; then
+ if [ $VERBOSE -ge 1 ]; then
+ [ -n "$exclusions" ] && display_list "$zone Zone:"
$hosts minus "($exclusions)" || display_list "$zone Zone:" $hosts
+ fi
+ else
+ error_message "WARNING: Zone $zone is empty"
+ fi
+ done
+}
+
+#
+# Ensure that the passed zone is defined in the zones file or is the firewall
+#
+validate_zone() # $1 = zone
+{
+ list_search $1 $ZONES $FW
+}
+#
+# Ensure that the passed zone is defined in the zones file.
+#
+validate_zone1() # $1 = zone
+{
+ list_search $1 $ZONES
+}
+
+#
+# Format a match by the passed MAC address
+# The passed address begins with "~" and uses "-" as a separator between bytes
+# Example: ~01-02-03-04-05-06
+#
+mac_match() # $1 = MAC address formated as described above
+{
+ echo "--match mac --mac-source $(echo $1 | sed 's/~//;s/-/:/g')"
+}
+
+#
+# Find interfaces that have the passed option specified
+#
+find_interfaces_by_option() # $1 = option
+{
+ for interface in $ALL_INTERFACES; do
+ eval options=\$$(chain_base $interface)_options
+ list_search $1 $options && echo $interface
+ done
+}
+
+#
+# This slightly slower version is used to find both the option and option followed
+# by equal sign ("=") and a value
+#
+find_interfaces_by_option1() # $1 = option
+{
+ local options
+ local option
+
+ for interface in $ALL_INTERFACES; do
+ eval options=\$$(chain_base $interface)_options
+ for option in $options; do
+ if [ "${option%=*}" = "$1" ]; then
+ echo $interface
+ break
+ fi
+ done
+ done
+}
+
+#
+# Find hosts with the passed option
+#
+find_hosts_by_option() # $1 = option
+{
+ local ignore
+ local hosts
+ local interface
+ local address
+ local addresses
+ local options
+ local ipsec
+ ipsec=
+ local list
+
+ while read ignore hosts options; do
+ list=$(separate_list $options)
+ if list_search $1 $list; then
+ list_search ipsec $list && ipsec=ipsec || ipsec=none
+ interface=${hosts%%:*}
+ addresses=${hosts#*:}
+ for address in $(separate_list $addresses); do
+ echo ${ipsec}^$interface:$address
+ done
+ fi
+ done < $TMP_DIR/hosts
+
+ for interface in $ALL_INTERFACES; do
+ interface_has_option
$interface $1 && \
+ echo none^${interface}:0.0.0.0/0
+ done
+}
+
+#
+# Process the routestopped file either adding or deleting rules
+#
+process_routestopped() # $1 = command
+{
+ local hosts
+ hosts=
+ local interface
+ local host
+ local host1
+ local options
+ local networks
+ local source
+ source=
+ local dest
+ dest=
+ local matched
+
+ while read interface host options; do
+ [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
+ for h in $(separate_list $host); do
+ hosts="$hosts $interface:$h"
+ done
+
+ routeback=
+
+ if [ -n "$options" ]; then
+ for option in $(separate_list $options); do
+ case $option in
+ routeback)
+ if [ -n "$routeback" ]; then
+ error_message "WARNING: Duplicate routestopped option ignored: routeback"
+ else
+ routeback=Yes
+ for h in $(separate_list $host); do
+ run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
+ done
+ fi
+ ;;
+ source)
+ for h in $(separate_list $host); do
+ source="$source $interface:$h"
+ done
+ ;;
+ dest)
+ for h in $(separate_list $host); do
+ dest="$dest $interface:$h"
+ done
+ ;;
+ critical)
+ ;;
+ *)
+ error_message "WARNING: Unknown routestopped option ignored: $option"
+ ;;
+ esac
+ done
+ fi
+
+ done < $TMP_DIR/routestopped
+
+
+ for host in $hosts; do
+ interface=${host%:*}
+ networks=${host#*:}
+ source_range=$(source_ip_range $networks)
+ dest_range=$(dest_ip_range $networks)
+ run_iptables $1 INPUT -i $interface $source_range -j ACCEPT
+ [ -z "$ADMINISABSENTMINDED" ] && \
+ run_iptables $1 OUTPUT -o $interface $dest_range -j ACCEPT
+
+ matched=
+
+ if list_search $host $source ; then
+ run_iptables $1 FORWARD -i $interface $source_range -j ACCEPT
+ matched=Yes
+ fi
+
+ if list_search $host $dest ; then
+ run_iptables $1 FORWARD -o $interface $dest_range -j ACCEPT
+ matched=Yes
+ fi
+
+ if [ -z "$matched" ]; then
+ for host1 in $hosts; do
+ [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j
ACCEPT
+ done
+ fi
+ done
+}
+
+process_criticalhosts()
+{
+ local hosts
+ hosts=
+ local interface
+ local host
+ local h
+ local options
+ local networks
+ local criticalhosts
+ criticalhosts=
+
+ while read interface host options; do
+ [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host)
+
+ if [ -n "$options" ]; then
+ for option in $(separate_list $options); do
+ case $option in
+ routeback|source|dest)
+ ;;
+ critical)
+ for h in $host; do
+ criticalhosts="$criticalhosts $interface:$h"
+ done
+ ;;
+ *)
+ error_message "WARNING: Unknown routestopped option ignored: $option"
+ ;;
+ esac
+ done
+ fi
+ done < $TMP_DIR/routestopped
+
+ if [ -n "$criticalhosts" ]; then
+ CRITICALHOSTS=$criticalhosts
+ progress_message "Critical Hosts are:$CRITICALHOSTS"
+ fi
+
+}
+
+#
+# create a temporary directory
+#
+mktempdir() {
+
+ [ -z "$MKTEMP" ] && find_mktemp
+
+ case "$MKTEMP" in
+ STD)
+ mktemp -td shorewall.XXXXXX
+ ;;
+ None|BSD)
+ #
+ # Not all versions of the BSD mktemp support the -d option under Linux
+ #
+ qt rm -rf /tmp/shorewall-$$
+ mkdir -p /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
+ ;;
+ *)
+ error_message "ERROR:Internal error in mktempdir"
+ ;;
+ esac
+}
+
+#
+# Read a file and handle "INCLUDE" directives
+#
+
+read_file() # $1 = file name, $2 = nest count
+{
+ local first
+ local rest
+
+ if [ -f $1 ]; then
+ while read first rest; do
+ if [ "x$first" = "xINCLUDE" ]; then
+ if [ $2 -lt 4 ]; then
+ read_file $(find_file $(expand ${rest%#*})) $(($2 + 1))
+ else
+ error_message "WARNING: INCLUDE in $1 ignored (nested too deeply)"
+ fi
+ else
+ echo "$first $rest"
+ fi
+ done < $1
+ else
+ [ -n "$TERMINATOR" ] && $TERMINATOR "No such file: $1"
+ echo "WARNING -- No such file: $1"
+ fi
+}
+
+#
+# Strip comments and blank lines from a file and place the result in the
+# temporary directory
+#
+strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
+{
+ local fname
+
+ if [ !
-f $TMP_DIR/$1 ]; then
+ [ $# = 1 ] && fname=$(find_file $1) || fname=$2
+
+ if [ -f $fname ]; then
+ read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' | expand_line > $TMP_DIR/$1
+ else
+ > $TMP_DIR/$1
+ fi
+ fi
+}
+
+#
+# Strip the passed file.
+#
+# Return success if
+# a) the stripped file is non-empty and the library was successfully loaded; or
+# b) the stripped file is empty but the library had been loaded previously
+#
+strip_file_and_lib_load() # $1 = logical file name, $2 = library to load if the stripped file is non-empty
+{
+ local f
+ f=$(find_file $1)
+
+ strip_file $1 $f
+
+ if [ -s $TMP_DIR/$1 ]; then
+ lib_load $2 "A non-empty $1 file ($f)"
+ return 0
+ fi
+
+ eval test -n \"\$LIB_${2}_LOADED\"
+}
+
+#
+# Check that a mark value or mask is less that 256 or that it is less than 65536 and
+# that it's lower 8 bits are zero.
+#
+verify_mark() # $1 = value to test
+{
+ verify_mark2()
+ {
+ case $1 in
+ 0*)
+ [ $(($1)) -lt 256 ] && return 0
+ [ -n "$HIGH_ROUTE_MARKS" ] || return 1
+ [ $(($1)) -gt 65535 ] && return 1
+ return $(($1 & 0xFF))
+ ;;
+ [1-9]*)
+ [ $1 -lt 256 ] && return 0
+ [ -n "$HIGH_ROUTE_MARKS" ] || return 1
+ [ $1 -gt 65535 ] && return 1
+ return $(($1 & 0xFF))
+ ;;
+ *)
+ return 2
+ ;;
+ esac
+ }
+
+ verify_mark2 $1 || fatal_error "Invalid Mark or Mask value: $1"
+}
+
+#
+# Determine the value for a parameter that defaults to Yes
+#
+added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
+{
+ local val
+ val="$2"
+
+ if [ -z "$val" ]; then
+ echo "Yes"
+ else case $val in
+ [Yy][Ee][Ss])
+ echo "Yes"
+ ;;
+ [Nn][Oo])
+ echo ""
+ ;;
+ *)
+ startup_error "Invalid value ($val) for $1"
+ ;;
+ esac
+ fi
+}
+
+#
+# Determine the value for a parameter that defaults to No
+#
+added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
+{
+ local val
+ val="$2"
+
+ if [ -z "$val" ]; then
+ echo ""
+ else case $val in
+ [Yy][Ee][Ss])
+ echo "Yes"
+ ;;
+ [Nn][Oo])
+ echo ""
+ ;;
+ *)
+ startup_error "Invalid value
($val) for $1"
+ ;;
+ esac
+ fi
+}
+
+#
+# Initialize this program
+#
+do_initialize() {
+
+ # Run all utility programs using the C locale
+ #
+ # Thanks to Vincent Planchenault for this tip #
+
+ export LC_ALL=C
+
+ # Make sure umask is sane
+ umask 077
+
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+ #
+ # Establish termination function
+ #
+ TERMINATOR=fatal_error
+ #
+ # Clear all configuration variables (shorewall.conf)
+ #
+ STARTUP_ENABLED=
+ #
+ #VERBOSE is inherited -- VERBOSITY is only used in the CIs
+ #
+ #
+ # Logging
+ #
+ LOGFILE=
+ LOGFORMAT=
+ LOGTAGONLY=
+ LOGRATE=
+ LOGBURST=
+ LOGALLNEW=
+ BLACKLIST_LOGLEVEL=
+ MACLIST_LOG_LEVEL=
+ TCP_FLAGS_LOG_LEVEL=
+ RFC1918_LOG_LEVEL=
+ SMURF_LOG_LEVEL=
+ LOG_MARTIANS=
+ #
+ # Location of files
+ #
+ IPTABLES=
+ #PATH is inherited
+ SHOREWALL_SHELL=
+ SUBSYSLOCK=
+ MODULESDIR=
+ #CONFIG_PATH is inherited
+ RESTOREFILE=
+ IPSECFILE=
+ LOCKFILE=
+ #
+ # Default Actions/Macros
+ #
+ DROP_DEFAULT=
+ REJECT_DEFAULT=
+ ACCEPT_DEFAULT=
+ QUEUE_DEFAULT=
+ #
+ # Firewall Options
+ #
+ IP_FORWARDING=
+ ADD_IP_ALIASES=
+ ADD_SNAT_ALIASES=
+ RETAIN_ALIASES=
+ TC_ENABLED=
+ TC_EXPERT=
+ CLEAR_TC=
+ MARK_IN_FORWARD_CHAIN=
+ CLAMPMSS=
+ ROUTE_FILTER=
+ DETECT_DNAT_IPADDRS=
+ MUTEX_TIMEOUT=
+ ADMINISABSENTMINDED=
+ BLACKLISTNEWONLY=
+ DELAYBLACKLISTLOAD=
+ MODULE_SUFFIX=
+ DISABLE_IPV6=
+ BRIDGING=
+ DYNAMIC_ZONES=
+ PKTTYPE=
+ RFC1918_STRICT=
+ MACLIST_TABLE=
+ MACLIST_TTL=
+ SAVE_IPSETS=
+ MAPOLDACTIONS=
+ FASTACCEPT=
+ IMPLICIT_CONTINUE=
+ HIGH_ROUTE_MARKS=
+ USE_ACTIONS=
+ OPTIMIZE=
+ EXPORTPARAMS=
+ KEEP_TC_RULES=
+ DELETE_THEN_ADD=
+ DONT_LOAD=
+ #
+ # Packet Disposition
+ #
+ MACLIST_DISPOSITION=
+ TCP_FLAGS_DISPOSITION=
+ BLACKLIST_DISPOSITION=
+ #
+ # Other Globals
+ #
+ VERSION=
+ FW=
+ USEPKTYPE=
+ LOGLIMIT=
+ LOGPARMS=
+ OUTPUT=
+ ALL_INTERFACES=
+ ROUTEMARK_INTERFACES=
+ PROVIDERS=
+ CRITICALHOSTS=
+ EXCLUSION_SEQ=1
+ STOPPING=
+ HAVE_MUTEX=
+ ALIASES_TO_ADD=
+ SECTION=ESTABLISHED
+
SECTIONS=
+ ALL_PORTS=
+ ACTIONS=
+ USEDACTIONS=
+ DEFAULT_MACROS=
+ COMMENT=
+ VERSION_FILE=
+ LOGRULENUMBERS=
+ ORIGINAL_POLICY_MATCH=
+ ORIGINAL_MANGLE_ENABLED=
+
+ ensure_config_path
+
+ VERSION_FILE=$SHAREDIR/version
+
+ [ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE)
+
+ [ -d /usr/share/shorewall-perl ] && set -a;
+
+ run_user_exit params
+
+ set +a
+
+ config=$(find_file shorewall.conf)
+
+ if [ -f $config ]; then
+ if [ -r $config ]; then
+ progress_message "Processing $config..."
+ . $config
+ else
+ startup_error "Cannot read $config (Hint: Are you root?)"
+ fi
+ else
+ startup_error "$config does not exist!"
+ fi
+ #
+ # Restore CONFIG_PATH if the shorewall.conf file cleared it
+ #
+ ensure_config_path
+
+ TMP_DIR=$(mktempdir)
+
+ [ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \
+ startup_error "Can't create a temporary directory"
+
+ case $PROGRAM in
+ compiler)
+ trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9
+ ;;
+ firewall)
+ trap "[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9
+ ;;
+ esac
+
+ #
+ # Determine the capabilities of the installed iptables/netfilter
+ # We load the kernel modules here to accurately determine
+ # capabilities when module autoloading isn't enabled.
+ #
+ PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
+ [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | sed 's/,/ /g' )"
+
+ [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+ if [ -z "$EXPORT" -a $(id -u) -eq 0 ]; then
+
+ load_kernel_modules Yes
+
+ if [ -z "$IPTABLES" ]; then
+ IPTABLES=$(mywhich iptables 2> /dev/null)
+ [ -z "$IPTABLES" ] && startup_error "Can't find iptables executable"
+ else
+ [ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
+ fi
+
+ f=$(find_file capabilities)
+
+ [ -f $f ] && . $f || determine_capabilities
+ else
+ f=$(find_file capabilities)
+ [ -f $f ] && .
$f || startup_error "The -e flag requires a capabilities file"
+ fi
+
+ if [ -n "$CAPVERSION" ]; then
+ [ $CAPVERSION -ge $SHOREWALL_CAPVERSION ] || error_message "WARNING: $f is out of date -- it does not contain all of the capabilities defined by Shorewall version $VERSION"
+ else
+ error_message "WARNING: $f may be not contain all of the capabilities defined by Shorewall version $VERSION"
+ fi
+
+ ORIGINAL_POLICY_MATCH=$POLICY_MATCH
+ ORIGINAL_MANGLE_ENABLED=$MANGLE_ENABLED
+
+ ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
+
+ if [ -n "${LOGRATE}${LOGBURST}" ]; then
+ LOGLIMIT="--match limit"
+ [ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE"
+ [ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST"
+ fi
+
+ if [ -n "$IP_FORWARDING" ]; then
+ case "$IP_FORWARDING" in
+ On|Off|Yes|No|Keep|on|off|yes|no|keep|ON|OFF|YES|NO|KEEP)
+ ;;
+ *)
+ startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
+ ;;
+ esac
+ else
+ IP_FORWARDING=On
+ fi
+
+ if [ -n "$ROUTE_FILTER" ]; then
+ case "$ROUTE_FILTER" in
+ Yes|yes|YES)
+ ROUTE_FILTER=yes
+ ;;
+ No|no|NO)
+ ROUTE_FILTER=no
+ ;;
+ Keep|keep|KEEP)
+ ROUTE_FILTER=
+ ;;
+ *)
+ startup_error "Invalid value ($ROUTE_FILTER) for ROUTE_FILTER"
+ ;;
+ esac
+ else
+ ROUTE_FILTER=
+ fi
+
+ if [ -n "$LOG_MARTIANS" ]; then
+ case "$LOG_MARTIANS" in
+ Yes|yes|YES)
+ LOG_MARTIANS=yes
+ ;;
+ No|no|NO)
+ LOG_MARTIANS=no
+ ;;
+ Keep|keep|KEEP)
+ LOG_MARTIANS=
+ ;;
+ *)
+ startup_error "Invalid value ($LOG_MARTIANS) for LOG_MARTIANS"
+ ;;
+ esac
+ else
+ LOG_MARTIANS=yes
+ fi
+
+ [ -n "${BLACKLIST_DISPOSITION:=DROP}" ]
+
+ case "$CLAMPMSS" in
+ [0-9]*)
+ ;;
+ *)
+ CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
+ ;;
+ esac
+
+ ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
+ DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
+
+ MACLIST_TARGET=reject
+
+ if [ -n "$MACLIST_DISPOSITION" ] ; then
+ case
$MACLIST_DISPOSITION in
+ REJECT)
+ ;;
+ DROP)
+ MACLIST_TARGET=DROP
+ ;;
+ ACCEPT)
+ MACLIST_TARGET=RETURN
+ ;;
+ *)
+ startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
+ ;;
+ esac
+ else
+ MACLIST_DISPOSITION=REJECT
+ fi
+
+ if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
+ case $TCP_FLAGS_DISPOSITION in
+ REJECT|ACCEPT|DROP)
+ ;;
+ *)
+ startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
+ ;;
+ esac
+ else
+ TCP_FLAGS_DISPOSITION=DROP
+ fi
+
+ [ -n "${RFC1918_LOG_LEVEL:=info}" ]
+
+ MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
+ [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
+ CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
+
+ if [ -n "$LOGFORMAT" ]; then
+ if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then
+ LOGRULENUMBERS=Yes
+ temp=$(printf "$LOGFORMAT" fooxx2barxx 1 ACCEPT 2> /dev/null)
+ if [ $? -ne 0 ]; then
+ startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
+ fi
+ else
+ temp=$(printf "$LOGFORMAT" fooxx2barxx ACCEPT 2> /dev/null)
+ if [ $?
-ne 0 ]; then
+ startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
+ fi
+ fi
+
+ [ ${#temp} -le 29 ] || startup_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
+
+ MAXZONENAMELENGTH=$(( 5 + ( ( 29 - ${#temp}) / 2) ))
+ MAXZONENAMELENGTH=${MAXZONENAMELENGTH%.*}
+ else
+ LOGFORMAT="Shorewall:%s:%s:"
+ MAXZONENAMELENGTH=5
+ fi
+
+ ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
+ BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
+ DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
+ BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
+
+ DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
+ if [ -n "$DYNAMIC_ZONES" ]; then
+ [ -n "$EXPORT" ] && startup_error "DYNAMIC_ZONES=Yes is incompatible with the -e option"
+ lib_avail dynamiczones || error_message "WARNING: DYNAMIC_ZONES=Yes requires the Shorewall dynamiczones library (${SHAREDIR}/lib.dynamiczones) which is not installed"
+ fi
+
+ STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
+ RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
+ [ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES=
+ DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
+ LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
+ RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
+ SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
+ MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
+ FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
+
+ [ -n "$FASTACCEPT" -a -z "$BLACKLISTNEWONLY" ] && error_message "WARNING: BLACKLISTNEWONLY=No does not work with FASTACCEPT=Yes"
+
+ IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
+ HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
+ TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
+
USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS)
+ EXPORTPARAMS=$(added_param_value_yes EXPORTPARAMS $EXPORTPARAMS)
+ KEEP_TC_RULES=$(added_param_value_no KEEP_TC_RULES $KEEP_TC_RULES)
+ DELETE_THEN_ADD=$(added_param_value_yes DELETE_THEN_ADD $DELETE_THEN_ADD)
+
+ if [ -n "$MANGLE_ENABLED" ] ; then
+ case $MANGLE_ENABLED in
+ Yes|yes)
+ ;;
+ No|no)
+ MANGLE_ENABLED=
+ ;;
+ *)
+ startup_error "Invalid value ($MANGLE_ENABLED) for MANGLE_ENABLED";
+ ;;
+ esac
+ fi
+
+ [ "$PROGRAM" = compiler ] && [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
+
+ [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
+ [ -n "$XMARK" ] || XCONNMARK=
+
+ [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && startup_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
+
+ case ${MACLIST_TABLE:=filter} in
+ filter)
+ ;;
+ mangle)
+ [ $MACLIST_DISPOSITION = reject ] && startup_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle"
+ ;; *)
+ startup_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option"
+ ;;
+ esac
+
+ TC_SCRIPT=
+
+ if [ -n "$TC_ENABLED" ] ; then
+ case "$TC_ENABLED" in
+ [Yy][Ee][Ss])
+ TC_ENABLED=Yes
+ TC_SCRIPT=$(find_file tcstart)
+ [ -f $TC_SCRIPT ] || startup_error "Unable to find tcstart file"
+ ;;
+ [Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll])
+ TC_ENABLED=Internal
+ ;;
+ [Nn][Oo])
+ TC_ENABLED=
+ ;;
+ esac
+ else
+ TC_ENABLED=Yes
+ fi
+
+ if [ -n "$TC_ENABLED" ];then
+ [ -n "$ORIGINAL_MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires mangle support in your kernel and iptables"
+ [ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires MANGLE_ENABLED=Yes in shorewall.conf"
+ fi
+
+ [ "x${SHOREWALL_DIR}" = "x."
] && SHOREWALL_DIR="$PWD"
+ [ -n "${RESTOREFILE:=restore}" ]
+
+ case "${DROP_DEFAULT:=Drop}" in
+ None)
+ DROP_DEFAULT=none
+ ;;
+ esac
+
+ case "${REJECT_DEFAULT:=Reject}" in
+ None)
+ REJECT_DEFAULT=none
+ ;;
+ esac
+
+ case "${QUEUE_DEFAULT:=none}" in
+ None)
+ QUEUE_DEFAULT=none
+ ;;
+ esac
+
+ case "${ACCEPT_DEFAULT:=none}" in
+ None)
+ ACCEPT_DEFAULT=none
+ ;;
+ esac
+
+ case "${OPTIMIZE:=0}" in
+ 0|1)
+ ;;
+ *)
+ startup_error "Invalid OPTIMIZE value ($OPTIMIZE)"
+ ;;
+ esac
+
+ if [ -n "$LOCKFILE" ]; then
+ [ -d $(dirname $LOCKFILE) ] || startup_error "LOCKFILE=$LOCKFILE: Directory $(dirname $LOCKFILE) does not exist"
+ fi
+ #
+ # Check out the user's shell
+ #
+ [ -n "${SHOREWALL_SHELL:=/bin/sh}" ]
+
+ temp=$(decodeaddr 192.168.1.1)
+ if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
+ startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
+ fi
+
+ if [ -z "$KLUDGEFREE" ]; then
+ rm -f $TMP_DIR/physdev
+ rm -f $TMP_DIR/iprange
+ fi
+
+ qt mywhich awk && HAVEAWK=Yes || HAVEAWK=
+ #
+ # Pre-process all of the standard files
+ #
+ # Because 'strip_file()' does shell variable expansion, we must first determine the
+ # setting of $FW
+ #
+ case ${IPSECFILE:=ipsec} in
+ ipsec)
+ [ -n "${FW:=fw}" ]
+ strip_file ipsec
+ ;;
+ zones)
+ get_firewall_zone
+ ;;
+ *)
+ startup_error "Invalid value ($IPSECFILE) for IPSECFILE option"
+ ;;
+ esac
+
+ strip_file zones
+ strip_file routestopped
+ strip_file interfaces
+ strip_file hosts
+
+ if [ $PROGRAM = compiler ]; then
+ strip_file_and_lib_load accounting accounting
+
+ if [ -n "$USE_ACTIONS" ]; then
+ strip_file actions
+ strip_file actions.std ${SHAREDIR}/actions.std
+ fi
+
+ strip_file blacklist
+ strip_file ecn
+ strip_file maclist
+ strip_file_and_lib_load masq nat
+ strip_file_and_lib_load nat nat
+ strip_file_and_lib_load netmap nat
+ strip_file policy
+ strip_file_and_lib_load providers providers && strip_file route_rules
+ strip_file_and_lib_load proxyarp proxyarp
+ strip_file rfc1918
+ strip_file routestopped
+ strip_file rules
+
+ if [ "$TC_ENABLED" = Internal ]; then
+ strip_file_and_lib_load tcdevices tc
+ strip_file_and_lib_load tcclasses tc
+ fi
+
+ strip_file_and_lib_load tcrules tcrules
+ strip_file tos
+ strip_file_and_lib_load tunnels tunnels
+ fi
+
+ [ "$IPSECFILE" = zones ] && FW=
+}
diff --git a/Shorewall-common/lib.dynamiczones b/Shorewall-common/lib.dynamiczones
new file mode 100644
index 000000000..826da53de
--- /dev/null
+++ b/Shorewall-common/lib.dynamiczones
@@ -0,0 +1,427 @@
+#!/bin/sh
+#
+# Shorewall 4.2 -- /usr/share/shorewall/lib.dynamiczones
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# This library is loaded by /usr/share/shorewall/firewall when processing
+# the 'add' and 'delete' commands.
+#
+
+#
+# Add a host or networks to a zone
+#
+add_to_zone() # $1...${n-1} = [:] $n = zone
+{
+ local interface host zone z h z1 z2 chain
+ local dhcp_interfaces blacklist_interfaces maclist_interfaces
+ local tcpflags_interfaces newhostlist=
+ local rulenum source_chain dest_hosts iface hosts hostlist=
+
+ nat_chain_exists() # $1 = chain name
+ {
+ qt $IPTABLES -t nat -L $1 -n
+ }
+
+ do_iptables() # $@ = command
+ {
+ [ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
+ [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
+
+ if ! $IPTABLES $@ ; then
+ error_message "ERROR: Can't add $newhost to zone $zone"
+ fi
+ }
+
+ DOING=Processing
+ DONE=Processed
+ #
+ # Load $zones
+ #
+ determine_zones
+ #
+ # Validate Interfaces File
+ #
+ validate_interfaces_file
+ #
+ # Validate Hosts File
+ #
+ validate_hosts_file
+ #
+ # Validate IPSec File
+ #
+ f=$(find_file $IPSECFILE)
+
+ [ -f $f ] && setup_ipsec $f
+ #
+ # Normalize host list
+ #
+ while [ $# -gt 1 ]; do
+ interface=${1%%:*}
+ host=${1#*:}
+ [ "$host" = "$1" ] && host=
+ #
+ # Be sure that the interface was dynamic at last [re]start
+ #
+ if ! chain_exists $(input_chain $interface) ; then
+ startup_error "Unknown interface $interface"
+ fi
+
+ if ! chain_exists $(dynamic_in $interface) ; then
+ startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf"
+ fi
+
+ if [ -z "$host" ]; then
+ hostlist="$hostlist $interface:0.0.0.0/0"
+ else
+ for h in $(separate_list $host); do
+ hostlist="$hostlist $interface:$h"
+ done
+ fi
+
+ shift
+ done
+ #
+ # Validate Zone
+ #
+ zone=$1
+
+ validate_zone $zone || startup_error "Unknown zone: $zone"
+
+ [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone"
+
+ #
+ # Be sure that Shorewall has been restarted using a DZ-aware version of the code
+ #
+ [ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found"
+ [ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found"
+ #
+ # Check for duplicates and create a new zone state file
+ #
+ > ${VARDIR}/zones_$$
+
+ while read z type hosts; do
+ if [ "$z" = "$zone" ]; then
+ case $type in
+ bport4:*)
+ rm -f ${VARDIR}/zones_$$
+ startup_error "Bridge Port zones may not be dynamically modified"
+ ;;
+ esac
+
+ case "$hosts" in
+ *exclude*)
+ rm -f ${VARDIR}/zones_$$
+ startup_error "Modifying a zone that has an exclude list is not supported"
+ ;;
+ *)
+ for h in $hostlist; do
+ if ! list_search +$h $hosts; then
+ if ! list_search $h $hosts; then
+ newhostlist="$newhostlist +$h"
+ else
+ error_message "$h is already in zone $zone"
+ fi
+ else
+ error_message "$h is already in zone $zone"
+ fi
+ done
+
+ [ -z "$hosts" ] && hosts=$newhostlist || hosts="$hosts $newhostlist"
+ ;;
+ esac
+ fi
+
+ eval ${z}_hosts=\"$hosts\"
+
+ echo "$z $type $hosts" >> ${VARDIR}/zones_$$
+ done < ${VARDIR}/zones
+
+ mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones
+
+ TERMINATOR=fatal_error
+ #
+ # Create a new Zone state file
+ #
+ for newhost in $newhostlist; do
+ newhost=${newhost#+}
+ #
+ # Isolate interface and host parts
+ #
+ interface=${newhost%%:*}
+ host=${newhost#*:}
+ #
+ # If the zone passed in the command has a dnat chain then insert a rule in
+ # the nat table PREROUTING chain to jump to that chain when the source
+ # matches the new host(s)#
+ #
+ chain=${zone}_dnat
+
+ if nat_chain_exists $chain; then
+ do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $(match_ipsec_in $zone $newhost) -j $chain
+ fi
+ #
+ # Insert new rules into the filter table for the passed interface
+ #
+ while read z1 z2 chain; do
+ [ "$z1" = "$z2" ] && op="-I" || op="-A"
+ if [ "$z1" = "$zone" ]; then
+ if [ "$z2" = "$FW" ]; then
+ do_iptables $op $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain
+ else
+ source_chain=$(dynamic_fwd $interface)
+ if is_ipsec_host $z1 $newhost ; then
+ do_iptables $op $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd
+ else
+ eval dest_hosts=\"\$${z2}_hosts\"
+
+ for h in $dest_hosts; do
+ [ "$h" = exclude ] && break
+ iface=${h%%:*}
+ iface=${iface#+}
+ hosts=${h#*:}
+
+ if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
+ do_iptables $op $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
+ fi
+ done
+ fi
+ fi
+ elif [ "$z2" = "$zone" ]; then
+ if [ "$z1" = "$FW" ]; then
+ #
+ # Add a rule to the dynamic out chain for the interface
+ #
+ do_iptables $op $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
+ else
+ eval source_hosts=\"\$${z1}_hosts\"
+
+ for h in $source_hosts; do
+ [ "$h" = exclude ] && break
+ iface=${h%%:*}
+ iface=${iface#+}
+ hosts=${h#*:}
+
+ if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
+ if is_ipsec_host $z1 $h; then
+ do_iptables $op ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
+ else
+ do_iptables $op $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
+ fi
+ fi
+ done
+ fi
+ fi
+ done < ${VARDIR}/chains
+
+ progress_message "$newhost added to zone $zone"
+
+ done
+
+ rm -rf $TMP_DIR
+}
+
+#
+# Delete a host or networks from a zone
+#
+delete_from_zone() # $1 = [:] $2 = zone
+{
+ local interface host zone z h z1 z2 chain delhost
+ local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces
+ local rulenum source_chain dest_hosts iface hosts hostlist=
+
+ DOING=Processing
+ DONE=Processed
+ #
+ # Load $zones
+ #
+ determine_zones
+ #
+ # Validate Interfaces File
+ #
+ validate_interfaces_file
+ #
+ # Validate Hosts File
+ #
+ validate_hosts_file
+ #
+ # Validate IPSec File
+ #
+ f=$(find_file ipsec)
+
+ [ -f $f ] && setup_ipsec $f
+
+ #
+ # Normalize host list
+ #
+ while [ $# -gt 1 ]; do
+ interface=${1%%:*}
+ host=${1#*:}
+ [ "$host" = "$1" ] && host=
+ #
+ # Be sure that the interface was dynamic at last [re]start
+ #
+ if ! chain_exists $(input_chain $interface) ; then
+ startup_error "Unknown interface $interface"
+ fi
+
+ if ! chain_exists $(dynamic_in $interface) ; then
+ startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf"
+ fi
+
+ if [ -z "$host" ]; then
+ hostlist="$hostlist $interface:0.0.0.0/0"
+ else
+ for h in $(separate_list $host); do
+ hostlist="$hostlist $interface:$h"
+ done
+ fi
+
+ shift
+ done
+ #
+ # Validate Zone
+ #
+ zone=$1
+
+ validate_zone $zone || startup_error "Unknown zone: $zone"
+
+ [ "$zone" = $FW ] && startup_error "Can't delete from the firewall zone"
+
+ #
+ # Be sure that Shorewall has been restarted using a DZ-aware version of the code
+ #
+ [ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found"
+ [ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found"
+ #
+ # Delete the passed hosts from the zone state file
+ #
+ > ${VARDIR}/zones_$$
+
+ while read z hosts; do
+ if [ "$z" = "$zone" ]; then
+ temp=$hosts
+ hosts=
+
+ for host in $hostlist; do
+ found=
+ for h in $temp; do
+ if [ "$h" = "+$host" ]; then
+ found=Yes
+ break
+ fi
+
+ if [ "$h" = "$host" ]; then
+ found=No
+ break
+ fi
+ done
+
+ [ -n "$found" ] || error_message "WARNING: $host does not appear to be in zone $zone"
+ [ "$found" = No ] && startup_error "$host is a permanent member of zone $zone"
+ done
+
+ for h in $temp; do
+ found=
+ for host in $hostlist; do
+ if [ "$h" = "+$host" ]; then
+ found=Yes
+ break
+ fi
+ done
+
+ [ -n "$found" ] || hosts="$hosts $h"
+ done
+ fi
+
+ eval ${z}_hosts=\"$hosts\"
+
+ echo "$z $hosts" >> ${VARDIR}/zones_$$
+ done < ${VARDIR}/zones
+
+ mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones
+
+ TERMINATOR=fatal_error
+
+ for delhost in $hostlist; do
+ interface=${delhost%%:*}
+ host=${delhost#*:}
+ #
+ # Delete any nat table entries for the host(s)
+ #
+ qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $zone $delhost) -j ${zone}_dnat
+ #
+ # Delete rules rules the input chains for the passed interface
+ #
+ while read z1 z2 chain; do
+ if [ "$z1" = "$zone" ]; then
+ if [ "$z2" = "$FW" ]; then
+ qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $delhost) -j $chain
+ else
+ source_chain=$(dynamic_fwd $interface)
+ if is_ipsec_host $z1 $delhost ; then
+ qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd
+ else
+ eval dest_hosts=\"\$${z2}_hosts\"
+
+ [ "$z2" = "$zone" ] && dest_hosts="$dest_hosts $hostlist"
+
+ for h in $dest_hosts; do
+ [ "$h" = exclude ] && break
+ iface=${h%%:*}
+ iface=${iface#+}
+ hosts=${h#*:}
+
+ if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
+ qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
+ fi
+ done
+ fi
+ fi
+ elif [ "$z2" = "$zone" ]; then
+ if [ "$z1" = "$FW" ]; then
+ qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
+ else
+ eval source_hosts=\"\$${z1}_hosts\"
+
+ for h in $source_hosts; do
+ [ "$h" = exclude ] && break
+ iface=${h%%:*}
+ iface=${iface#+}
+ hosts=${h#*:}
+
+ if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
+ if is_ipsec_host $z1 $h; then
+ qt_iptables -D ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
+ else
+ qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
+ fi
+ fi
+ done
+ fi
+ fi
+ done < ${VARDIR}/chains
+
+ progress_message "$delhost removed from zone $zone"
+
+ done
+
+ rm -rf $TMP_DIR
+}
diff --git a/Shorewall-common/maclist b/Shorewall-common/maclist
new file mode 100644
index 000000000..39270ff38
--- /dev/null
+++ b/Shorewall-common/maclist
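Review bot: In delete_from_zone the ipsec forwarding branch expands `$(match_ipsec_in $z1 $newhost)`, but `newhost` is only assigned inside add_to_zone, so here it is empty and the `qt_iptables -D … -j ${z1}_frwd` (presumably a quiet wrapper) can fail to match the rule that add_to_zone installed — the host keeps its forwarding permission after 'delete' even though the state file says it is gone; the line should read `qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $delhost) -j ${z1}_frwd`. The same function loads the ipsec file with `f=$(find_file ipsec)` while add_to_zone uses `f=$(find_file $IPSECFILE)`, so with IPSECFILE=zones the ipsec matches used for deletion may differ from those used for insertion and the -D again misses. Both functions also `mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones` before any iptables command runs, and do_iptables only reports a failure via error_message, so a failed insert or delete leaves the persisted zone membership disagreeing with the live ruleset — commit the state file only after the rule changes succeed, or restore the previous file on failure. Finally, delete_from_zone reads the state file as `while read z hosts` whereas add_to_zone reads and writes `z type hosts`, so the type token is folded into `${z}_hosts` and later iterated as if it were an interface:host entry, and the bport4 refusal that add_to_zone performs has no counterpart on the delete path.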
@@ -0,0 +1,10 @@
+#
+# Shorewall version 4 - Maclist file
+#
+# For information about entries in this file, type "man shorewall-maclist"
+#
+# For additional information, see http://shorewall.net/MAC_Validation.html
+#
+###############################################################################
+#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.AllowICMPs b/Shorewall-common/macro.AllowICMPs
new file mode 100644
index 000000000..81a9729dd
--- /dev/null
+++ b/Shorewall-common/macro.AllowICMPs
@@ -0,0 +1,16 @@
+#
+# Shorewall version 4 - AllowICMPs Macro
+#
+# /usr/share/shorewall/macro.AllowICMPs
+#
+# This macro ACCEPTs needed ICMP types
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+
+COMMENT Needed ICMP types
+
+ACCEPT - - icmp fragmentation-needed
+ACCEPT - - icmp time-exceeded
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Amanda b/Shorewall-common/macro.Amanda
new file mode 100644
index 000000000..8a79c6067
--- /dev/null
+++ b/Shorewall-common/macro.Amanda
@@ -0,0 +1,21 @@
+#
+# Shorewall version 4 - Amanda Macro
+#
+# /usr/share/shorewall/macro.Amanda
+#
+# This macro handles connections required by the AMANDA backup system
+# to back up remote nodes. It does not provide the ability to restore
+# files from those nodes.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - udp 10080
+#
+# You may also need this rule. With AMANDA 2.4.4 on Linux kernel 2.6,
+# it should not be necessary to use this. The ip_conntrack_amanda
+# kernel module should be loaded (via /etc/shorewall/modules) on all
+# systems which need to pass AMANDA traffic through netfilter.
+#PARAM - - tcp 50000:50100
+#
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Auth b/Shorewall-common/macro.Auth
new file mode 100644
index 000000000..b633d63c0
--- /dev/null
+++ b/Shorewall-common/macro.Auth
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Auth Macro
+#
+# /usr/share/shorewall/macro.Auth
+#
+# This macro handles Auth (identd) traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 113
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.BitTorrent b/Shorewall-common/macro.BitTorrent
new file mode 100644
index 000000000..96147dfaa
--- /dev/null
+++ b/Shorewall-common/macro.BitTorrent
@@ -0,0 +1,23 @@
+#
+# Shorewall version 4 - BitTorrent Macro
+#
+# /usr/share/shorewall/macro.BitTorrent
+#
+# This macro handles BitTorrent traffic.
+#
+# If you are running a more modern BitTorrent client, then you may need
+# to tweak the open port range. This can be done by copying the below
+# rules into /etc/shorewall and making the necessary edits there:
+#
+# Replace 6881:6889 with 6881:6899
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 6881:6889
+#
+# It may also be necessary to allow UDP traffic:
+#
+PARAM - - udp 6881
+#
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.CVS b/Shorewall-common/macro.CVS
new file mode 100644
index 000000000..386c8c39b
--- /dev/null
+++ b/Shorewall-common/macro.CVS
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - CVS Macro
+#
+# /usr/share/shorewall/macro.CVS
+#
+# This macro handles connections to the CVS pserver.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 2401
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.DAAP b/Shorewall-common/macro.DAAP
new file mode 100644
index 000000000..cafb8fab1
--- /dev/null
+++ b/Shorewall-common/macro.DAAP
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - DAAP Macro
+#
+# /usr/share/shorewall/macro.DAAP
+#
+# This macro handles DAAP (Digital Audio Access Protocol) traffic.
+# The protocol is used by iTunes, Rythmbox and other similar daemons.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 3689
+PARAM - - udp 3689
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.DCC b/Shorewall-common/macro.DCC
new file mode 100644
index 000000000..dc4027d18
--- /dev/null
+++ b/Shorewall-common/macro.DCC
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - DCC Macro
+#
+# /usr/share/shorewall/macro.DCC
+#
+# This macro handles DCC (Distributed Checksum Clearinghouse) traffic.
+# DCC is a distributed spam filtering mechanism.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 6277
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.DNS b/Shorewall-common/macro.DNS
new file mode 100644
index 000000000..584481e84
--- /dev/null
+++ b/Shorewall-common/macro.DNS
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - DNS Macro
+#
+# /usr/share/shorewall/macro.DNS
+#
+# This macro handles DNS traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - udp 53
+PARAM - - tcp 53
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Distcc b/Shorewall-common/macro.Distcc
new file mode 100644
index 000000000..95ac70615
--- /dev/null
+++ b/Shorewall-common/macro.Distcc
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Distcc Macro
+#
+# /usr/share/shorewall/macro.Distcc
+#
+# This macro handles connections to the Distributed Compiler service.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 3632
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Drop b/Shorewall-common/macro.Drop
new file mode 100644
index 000000000..8a6520ef9
--- /dev/null
+++ b/Shorewall-common/macro.Drop
@@ -0,0 +1,53 @@
+#
+# Shorewall version 4 - Drop Macro
+#
+# /usr/share/shorewall/macro.Drop
+#
+# This macro generates the same rules as the Drop default action
+# It is used in place of action.Drop when USE_ACTIONS=No.
+#
+# Example:
+#
+# Drop net all
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+#
+# Don't log 'auth' REJECT
+#
+REJECT - - tcp 113
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast
+#
+# ACCEPT critical ICMP types
+#
+ACCEPT - - icmp fragmentation-needed
+ACCEPT - - icmp time-exceeded
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+DROP - - udp 135,445
+DROP - - udp 137:139
+DROP - - udp 1024: 137
+DROP - - tcp 135,139,445
+DROP - - udp 1900
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DROP - - udp - 53
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.DropDNSrep b/Shorewall-common/macro.DropDNSrep
new file mode 100644
index 000000000..2828ec307
--- /dev/null
+++ b/Shorewall-common/macro.DropDNSrep
@@ -0,0 +1,15 @@
+#
+# Shorewall version 4 - DropDNSrep Macro
+#
+# /usr/share/shorewall/macro.DropDNSrep
+#
+# This macro silently drops DNS UDP replies
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+
+COMMENT Late DNS Replies
+
+DROP - - udp - 53
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.DropUPnP b/Shorewall-common/macro.DropUPnP
new file mode 100644
index 000000000..9ad8a04a9
--- /dev/null
+++ b/Shorewall-common/macro.DropUPnP
@@ -0,0 +1,15 @@
+#
+# Shorewall version 4 - DropUPnP Macro
+#
+# /usr/share/shorewall/macro.DropUPnP
+#
+# This macro silently drops UPnP probes on UDP port 1900
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+
+COMMENT UPnP
+
+DROP - - udp 1900
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Edonkey b/Shorewall-common/macro.Edonkey
new file mode 100644
index 000000000..9d7264f57
--- /dev/null
+++ b/Shorewall-common/macro.Edonkey
@@ -0,0 +1,35 @@
+#
+# Shorewall version 4 - Edonkey Macro
+#
+# /usr/share/shorewall/macro.Edonkey
+#
+# This macro handles Edonkey traffic.
+#
+#
+# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm
+# says to use udp 5737 rather than 4665.
+#
+# http://www.amule.org/wiki/index.php/FAQ_ed2k says this:
+#
+# 4661 TCP (outgoing) Port, on which a server listens for connection
+# (defined by server).
+#
+# 4665 UDP (outgoing) used for global server searches and global source
+# queries. This is always Server TCP port (in this case 4661) + 4.
+#
+# 4662 TCP (outgoing and incoming) Client to client transfers.
+#
+# 4672 UDP (outgoing and incoming) Extended eMule protocol, Queue
+# Rating, File Reask Ping
+#
+# 4711 TCP WebServer listening port.
+#
+# 4712 TCP External Connection port. Used to communicate aMule with other
+# applications such as aMule WebServer or aMuleCMD.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 4662
+PARAM - - udp 4665
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.FTP b/Shorewall-common/macro.FTP
new file mode 100644
index 000000000..997b78615
--- /dev/null
+++ b/Shorewall-common/macro.FTP
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - FTP Macro
+#
+# /usr/share/shorewall/macro.FTP
+#
+# This macro handles FTP traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 21
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Finger b/Shorewall-common/macro.Finger
new file mode 100644
index 000000000..f180ecfb2
--- /dev/null
+++ b/Shorewall-common/macro.Finger
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Finger Macro
+#
+# /usr/share/shorewall/macro.Finger
+#
+# This macro handles Finger protocol. You should not generally open
+# your finger information to internet.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 79
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.GNUnet b/Shorewall-common/macro.GNUnet
new file mode 100644
index 000000000..1a2615b64
--- /dev/null
+++ b/Shorewall-common/macro.GNUnet
@@ -0,0 +1,15 @@
+#
+# Shorewall version 4 - GNUnet Macro
+#
+# /usr/share/shorewall/macro.GNUnet
+#
+# This macro handles GNUnet (secure peer-to-peer networking) traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 2086
+PARAM - - udp 2086
+PARAM - - tcp 1080
+PARAM - - udp 1080
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.GRE b/Shorewall-common/macro.GRE
new file mode 100644
index 000000000..3f0f6b2f6
--- /dev/null
+++ b/Shorewall-common/macro.GRE
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - GRE Macro
+#
+# /usr/share/shorewall/macro.GRE
+#
+# This macro (bi-directional) handles Generic Routing Encapsulation
+# traffic (RFC 1701)
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - 47 # GRE
+PARAM DEST SOURCE 47 # GRE
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Gnutella b/Shorewall-common/macro.Gnutella
new file mode 100644
index 000000000..4ec5718af
--- /dev/null
+++ b/Shorewall-common/macro.Gnutella
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Gnutella Macro
+#
+# /usr/share/shorewall/macro.Gnutella
+#
+# This macro handles Gnutella traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 6346
+PARAM - - udp 6346
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.HTTP b/Shorewall-common/macro.HTTP
new file mode 100644
index 000000000..798b6bc94
--- /dev/null
+++ b/Shorewall-common/macro.HTTP
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - HTTP Macro
+#
+# /usr/share/shorewall/macro.HTTP
+#
+# This macro handles plaintext HTTP (WWW) traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 80
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.HTTPS b/Shorewall-common/macro.HTTPS
new file mode 100644
index 000000000..af75c782f
--- /dev/null
+++ b/Shorewall-common/macro.HTTPS
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - HTTPS Macro
+#
+# /usr/share/shorewall/macro.HTTPS
+#
+# This macro handles HTTPS (WWW over SSL) traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 443
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.ICQ b/Shorewall-common/macro.ICQ
new file mode 100644
index 000000000..65d69748e
--- /dev/null
+++ b/Shorewall-common/macro.ICQ
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - ICQ Macro
+#
+# /usr/share/shorewall/macro.ICQ
+#
+# This macro handles ICQ, now called AOL Instant Messenger (or AIM).
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 5190
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IMAP b/Shorewall-common/macro.IMAP
new file mode 100644
index 000000000..f9da86963
--- /dev/null
+++ b/Shorewall-common/macro.IMAP
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - IMAP Macro
+#
+# /usr/share/shorewall/macro.IMAP
+#
+# This macro handles plaintext IMAP traffic. For encrypted IMAP,
+# see macro.IMAPS.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 143
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IMAPS b/Shorewall-common/macro.IMAPS
new file mode 100644
index 000000000..f3f1f14eb
--- /dev/null
+++ b/Shorewall-common/macro.IMAPS
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - IMAPS Macro
+#
+# /usr/share/shorewall/macro.IMAPS
+#
+# This macro handles encrypted IMAP traffic. For plaintext IMAP
+# (not recommended), see macro.IMAP.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 993
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IPIP b/Shorewall-common/macro.IPIP
new file mode 100644
index 000000000..3f1caf089
--- /dev/null
+++ b/Shorewall-common/macro.IPIP
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - IPIP Macro
+#
+# /usr/share/shorewall/macro.IPIP
+#
+# This macro (bidirectional) handles IPIP capsulation traffic
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - 94 # IPIP
+PARAM DEST SOURCE 94 # IPIP
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IPP b/Shorewall-common/macro.IPP
new file mode 100644
index 000000000..9486ac824
--- /dev/null
+++ b/Shorewall-common/macro.IPP
@@ -0,0 +1,12 @@
+#
+# Shorewall version 3.2 - IPP Macro
+#
+# /usr/share/shorewall/macro.IPP
+#
+# This macro handles Internet Printing Protocol (IPP).
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 631
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IPPserver b/Shorewall-common/macro.IPPserver
new file mode 100644
index 000000000..cd91202c9
--- /dev/null
+++ b/Shorewall-common/macro.IPPserver
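Review bot: macro.IPIP matches IP protocol 94 (`PARAM - - 94 # IPIP`), which is the IANA "IPIP" (IP-within-IP) number, but Linux `ipip` tunnels — the usual reason to reach for this macro — are carried as protocol 4 (IPv4-in-IPv4), so as written the macro would not pass that traffic; confirm which encapsulation it is meant to cover. If Linux tunnels are the target, the two rules should read `PARAM - - 4 # IPIP` and `PARAM DEST SOURCE 4 # IPIP`; if protocol 94 is intended, the header comment should say so explicitly so an administrator does not assume it matches kernel ipip tunnels. The header also has a typo: `# This macro (bidirectional) handles IPIP capsulation traffic` should read `encapsulation`.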
@@ -0,0 +1,30 @@ +# +# Shorewall version 3.2 - IPPserver Macro +# +# /usr/share/shorewall/macro.IPPserver +# +# This macro handles Internet Printing Protocol (IPP), indicating +# that DEST is a printing server for SOURCE. The macro allows +# print queue broadcasts from the server to the client, and +# printing connections from the client to the server. +# +# Example usage on a single-interface firewall which is a print +# client: +# IPPserver/ACCEPT $FW net +# +# Example for a two-interface firewall which acts as a print +# server for loc: +# IPPserver/ACCEPT loc $FW +# +# NOTE: If you want both to serve requests for local printers and +# listen to requests for remote printers (i.e. your CUPS server is +# also a client), you need to apply the rule twice, e.g. +# IPPserver/ACCEPT loc $FW +# IPPserver/ACCEPT $FW loc +# +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT(S) PORT(S) LIMIT GROUP +PARAM SOURCE DEST tcp 631 +PARAM DEST SOURCE udp 631 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/macro.IPsec b/Shorewall-common/macro.IPsec new file mode 100644 index 000000000..2819d7e74 --- /dev/null +++ b/Shorewall-common/macro.IPsec @@ -0,0 +1,15 @@ +# +# Shorewall version 4 - IPsec Macro +# +# /usr/share/shorewall/macro.IPsec +# +# This macro (bidirectional) handles IPsec traffic +# +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT(S) PORT(S) LIMIT GROUP +PARAM - - udp 500 500 # IKE +PARAM - - 50 # ESP +PARAM DEST SOURCE udp 500 500 # IKE +PARAM DEST SOURCE 50 # ESP +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/macro.IPsecah b/Shorewall-common/macro.IPsecah new file mode 100644 index 000000000..a6ca61523 --- /dev/null +++ b/Shorewall-common/macro.IPsecah 
@@ -0,0 +1,16 @@ +# +# Shorewall version 4 - IPsecah Macro +# +# /usr/share/shorewall/macro.IPsecah +# +# This macro (bidirectional) handles IPsec authentication (AH) traffic. +# This is insecure. You should use ESP with encryption for security. +# +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT(S) PORT(S) LIMIT GROUP +PARAM - - udp 500 500 # IKE +PARAM - - 51 # AH +PARAM DEST SOURCE udp 500 500 # IKE +PARAM DEST SOURCE 51 # AH +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/macro.IPsecnat b/Shorewall-common/macro.IPsecnat new file mode 100644 index 000000000..9212d97c5 --- /dev/null +++ b/Shorewall-common/macro.IPsecnat @@ -0,0 +1,17 @@ +# +# Shorewall version 4 - IPsecnat Macro +# +# /usr/share/shorewall/macro.IPsecnat +# +# This macro (bidirectional) handles IPsec traffic and Nat-Traversal +# +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT(S) PORT(S) LIMIT GROUP +PARAM - - udp 500 # IKE +PARAM - - udp 4500 # NAT-T +PARAM - - 50 # ESP +PARAM DEST SOURCE udp 500 # IKE +PARAM DEST SOURCE udp 4500 # NAT-T +PARAM DEST SOURCE 50 # ESP +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/macro.JAP b/Shorewall-common/macro.JAP new file mode 100644 index 000000000..793c8c4ba --- /dev/null +++ b/Shorewall-common/macro.JAP 
@@ -0,0 +1,18 @@
+#
+# Shorewall version 4 - JAP Macro
+#
+# /usr/share/shorewall/macro.JAP
+#
+# This macro handles JAP Anon Proxy traffic. This macro is for
+# administrators running a Mix server. It is NOT for people trying
+# to browse anonymously!
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 8080 # HTTP port
+PARAM - - tcp 6544 # HTTP port
+PARAM - - tcp 6543 # InfoService port
+HTTPS/PARAM
+SSH/PARAM
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.JabberPlain b/Shorewall-common/macro.JabberPlain
new file mode 100644
index 000000000..c7a5ce5d7
--- /dev/null
+++ b/Shorewall-common/macro.JabberPlain
@@ -0,0 +1,12 @@
+#
+# Shorewall version 3.4 - JabberPlain Macro
+#
+# /usr/share/shorewall/macro.JabberPlain
+#
+# This macro accepts Jabber traffic (plaintext).
+#
+###############################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 5222
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.JabberSecure b/Shorewall-common/macro.JabberSecure
new file mode 100644
index 000000000..7e10c0abf
--- /dev/null
+++ b/Shorewall-common/macro.JabberSecure
@@ -0,0 +1,12 @@
+#
+# Shorewall version 3.4 - JabberSecure (ssl) Macro
+#
+# /usr/share/shorewall/macro.JabberSecure
+#
+# This macro accepts Jabber traffic (ssl).
+#
+###############################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 5223
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Jabberd b/Shorewall-common/macro.Jabberd
new file mode 100644
index 000000000..0be954292
--- /dev/null
+++ b/Shorewall-common/macro.Jabberd
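Review bot: `SSH/PARAM` in macro.JAP makes every invocation also open port 22 on DEST, so `JAP/ACCEPT net $FW` exposes the firewall's own sshd to the same zone as the Mix service, which is wider than the header's "for administrators running a Mix server" announces. Consider dropping `SSH/PARAM` (and arguably `HTTPS/PARAM`) from the macro so the administrator adds `SSH/ACCEPT` restricted to management hosts, or at least state it in the header: `# NOTE: this macro also opens SSH (22) and HTTPS (443) on DEST.`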
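Review bot: The comment `# This macro accepts Jabber traffic (plaintext).` in macro.JabberPlain is misleading in the same way macro.SMTP in this commit takes care to avoid: XMPP negotiates STARTTLS on port 5222, so this macro does not by itself mean an unencrypted session, while 5223 (macro.JabberSecure) is only the legacy SSL-wrapped port. Suggest `# Note that XMPP clients normally negotiate STARTTLS on port 5222, so use of this macro does not necessarily imply an insecure connection.`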
@@ -0,0 +1,12 @@
+#
+# Shorewall version 3.4 - Jabberd (server intercommunication)
+#
+# /usr/share/shorewall/macro.Jabberd
+#
+# This macro accepts Jabberd intercommunication traffic
+#
+###############################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 5269
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Jetdirect b/Shorewall-common/macro.Jetdirect
new file mode 100644
index 000000000..c505b262f
--- /dev/null
+++ b/Shorewall-common/macro.Jetdirect
@@ -0,0 +1,12 @@
+#
+# Shorewall version 3.2 - Jetdirect Macro
+#
+# /usr/share/shorewall/macro.Jetdirect
+#
+# This macro handles HP Jetdirect printing.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 9100
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.L2TP b/Shorewall-common/macro.L2TP
new file mode 100644
index 000000000..64afee142
--- /dev/null
+++ b/Shorewall-common/macro.L2TP
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - L2TP Macro
+#
+# /usr/share/shorewall/macro.L2TP
+#
+# This macro (bidirectional) handles Layer 2 Tunneling Protocol traffic
+# (RFC 2661)
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - udp 1701 # L2TP
+PARAM DEST SOURCE udp 1701 # L2TP
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.LDAP b/Shorewall-common/macro.LDAP
new file mode 100644
index 000000000..ba5710172
--- /dev/null
+++ b/Shorewall-common/macro.LDAP
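Review bot: Raw port-9100 printing (`PARAM - - tcp 9100` in macro.Jetdirect) has no authentication at the protocol level, so any host that can reach the port can submit jobs or PJL control commands to the printer; the header says nothing about it, whereas macro.TFTP in this commit does carry such a warning. Suggest `# Raw (9100) printing is unauthenticated; only allow it from trusted zones.`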
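Review bot: The two `udp 1701` lines in macro.L2TP admit bare L2TP, which on its own provides neither encryption nor peer authentication of the tunnel, and nothing in the header tells the administrator that an L2TP/IPsec VPN additionally needs the IKE/ESP rules from macro.IPsec or macro.IPsecnat in this same commit. Suggest `# L2TP alone is unencrypted; for L2TP/IPsec also invoke macro.IPsec or macro.IPsecnat.`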
@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - LDAP Macro
+#
+# /usr/share/shorewall/macro.LDAP
+#
+# This macro handles plaintext LDAP traffic. For encrypted LDAP
+# traffic, see macro.LDAPS. Use of LDAPS is recommended (and is
+# required by some directory services) if you want to do user
+# authentication over LDAP. Note that some LDAP implementations
+# support initiating TLS connections via the plaintext LDAP port.
+# Consult your LDAP server documentation for details.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 389
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.LDAPS b/Shorewall-common/macro.LDAPS
new file mode 100644
index 000000000..bcaf2de91
--- /dev/null
+++ b/Shorewall-common/macro.LDAPS
@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - LDAPS Macro
+#
+# /usr/share/shorewall/macro.LDAPS
+#
+# This macro handles encrypted LDAP traffic. For plaintext LDAP
+# traffic, see macro.LDAP. Use of LDAPS is recommended (and is
+# required by some directory services) if you want to do user
+# authentication over LDAP. Note that some LDAP implementations
+# support initiating TLS connections via the plaintext LDAP port.
+# Consult your LDAP server documentation for details.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 636
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Mail b/Shorewall-common/macro.Mail
new file mode 100644
index 000000000..46d6cabdc
--- /dev/null
+++ b/Shorewall-common/macro.Mail
@@ -0,0 +1,19 @@
+#
+# Shorewall version 4 - Mail Macro
+#
+# /usr/share/shorewall/macro.Mail
+#
+# This macro handles SMTP (email secure and insecure) traffic.
+# It's the aggregate of macro.SMTP, macro.SMTPS, macro.Submission.
+#
+# Note: This macro handles traffic between an MUA (Email client)
+# and an MTA (mail server) or between MTAs. It does not enable
+# reading of email via POP3 or IMAP. For those you need to use
+# the POP3 or IMAP macros.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 25
+PARAM - - tcp 465
+PARAM - - tcp 587
diff --git a/Shorewall-common/macro.MySQL b/Shorewall-common/macro.MySQL
new file mode 100644
index 000000000..1e438d97c
--- /dev/null
+++ b/Shorewall-common/macro.MySQL
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - MySQL Macro
+#
+# /usr/share/shorewall/macro.MySQL
+#
+# This macro handles connections to the MySQL server.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 3306
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.NNTP b/Shorewall-common/macro.NNTP
new file mode 100644
index 000000000..3bfc76283
--- /dev/null
+++ b/Shorewall-common/macro.NNTP
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 NNTP Macro
+#
+# /usr/share/shorewall/macro.NNTP
+#
+# This macro handles plaintext NNTP traffic (Usenet). For
+# encrypted NNTP, see macro.NNTPS.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 119
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.NNTPS b/Shorewall-common/macro.NNTPS
new file mode 100644
index 000000000..25fef49d8
--- /dev/null
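Review bot: macro.Mail is the only macro in this commit without the `#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE` trailer; its 19-line hunk ends at `PARAM - - tcp 587`. For consistency with macro.SMTP, macro.SMTPS and macro.Submission, which it aggregates, append that trailer after the 587 rule.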
+++ b/Shorewall-common/macro.NNTPS
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 NNTPS Macro
+#
+# /usr/share/shorewall/macro.NNTPS
+#
+# This macro handles encrypted NNTP traffic (Usenet). For
+# plaintext NNTP, see macro.NNTP.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 563
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.NTP b/Shorewall-common/macro.NTP
new file mode 100644
index 000000000..6ff0a350e
--- /dev/null
+++ b/Shorewall-common/macro.NTP
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - NTP Macro
+#
+# /usr/share/shorewall/macro.NTP
+#
+# This macro handles NTP traffic (ntpd).
+# For broadcast NTP traffic, use NTPbrd Macro.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - udp 123
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.NTPbrd b/Shorewall-common/macro.NTPbrd
new file mode 100644
index 000000000..63b110add
--- /dev/null
+++ b/Shorewall-common/macro.NTPbrd
@@ -0,0 +1,18 @@
+#
+# Shorewall version 4 - NTPbrd Macro
+#
+# /usr/share/shorewall/macro.NTPbrd
+#
+# This macro handles NTP traffic (ntpd) including replies to Broadcast
+# NTP traffic.
+#
+# It is recommended only to use this where the source host is trusted -
+# otherwise it opens up a large hole in your firewall because
+# Netfilter doesn't track connections for broadcast traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - udp 123
+PARAM - - udp 1024: 123
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.OpenVPN b/Shorewall-common/macro.OpenVPN
new file mode 100644
index 000000000..6a827603f
--- /dev/null
+++ b/Shorewall-common/macro.OpenVPN
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - OpenVPN Macro
+#
+# /usr/share/shorewall/macro.OpenVPN Macro
+#
+# This macro handles OpenVPN traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - udp 1194
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.PCA b/Shorewall-common/macro.PCA
new file mode 100644
index 000000000..1518af059
--- /dev/null
+++ b/Shorewall-common/macro.PCA
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - PCA Macro
+#
+# /usr/share/shorewall/macro.PCA
+#
+# This macro handles PCAnywere (tm)
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - udp 5632
+PARAM - - tcp 5631
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.POP3 b/Shorewall-common/macro.POP3
new file mode 100644
index 000000000..b0acab21d
--- /dev/null
+++ b/Shorewall-common/macro.POP3
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - POP3 Macro
+#
+# /usr/share/shorewall/macro.POP3
+#
+# This macro handles plaintext POP3 traffic. For encrypted POP3,
+# see macro.POP3S.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 110
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.POP3S b/Shorewall-common/macro.POP3S
new file mode 100644
index 000000000..fd9c26097
--- /dev/null
+++ b/Shorewall-common/macro.POP3S
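Review bot: The path line `# /usr/share/shorewall/macro.OpenVPN Macro` carries a stray trailing "Macro"; every other macro in this commit gives just the path on that line, and the same slip appears in macro.PPtP. Change it to `# /usr/share/shorewall/macro.OpenVPN`.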
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - POP3S Macro
+#
+# /usr/share/shorewall/macro.POP3S
+#
+# This macro handles encrypted POP3 traffic. For plaintext POP3,
+# see macro.POP3.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 995 # Secure POP3
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.PPtP b/Shorewall-common/macro.PPtP
new file mode 100644
index 000000000..ac3823e56
--- /dev/null
+++ b/Shorewall-common/macro.PPtP
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - PPTP Macro
+#
+# /usr/share/shorewall/macro.PPtP Macro
+#
+# This macro handles PPTP traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - 47
+PARAM DEST SOURCE 47
+PARAM - - tcp 1723
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Ping b/Shorewall-common/macro.Ping
new file mode 100644
index 000000000..dad8b3a9a
--- /dev/null
+++ b/Shorewall-common/macro.Ping
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Ping Macro
+#
+# /usr/share/shorewall/macro.Ping
+#
+# This macro handles 'ping' requests.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - icmp 8
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.PostgreSQL b/Shorewall-common/macro.PostgreSQL
new file mode 100644
index 000000000..2c4a4cab1
--- /dev/null
+++ b/Shorewall-common/macro.PostgreSQL
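Review bot: macro.PPtP passes GRE in both directions (`PARAM - - 47`, `PARAM DEST SOURCE 47`) plus TCP 1723 with no caveat, while macro.Telnet and macro.TFTP in the same commit warn about weak protocols; PPTP's MS-CHAPv2 authentication and MPPE keying are widely documented as weak, and the commit ships stronger alternatives. Suggest `# PPTP's authentication and encryption are weak; prefer macro.OpenVPN or macro.IPsec for new deployments.` The path line `# /usr/share/shorewall/macro.PPtP Macro` also has a stray trailing "Macro".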
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - PostgreSQL Macro
+#
+# /usr/share/shorewall/macro.PostgreSQL
+#
+# This macro handles connections to the PostgreSQL server.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 5432
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Printer b/Shorewall-common/macro.Printer
new file mode 100644
index 000000000..8c28ed8df
--- /dev/null
+++ b/Shorewall-common/macro.Printer
@@ -0,0 +1,12 @@
+#
+# Shorewall version 3.2 - Printer Macro
+#
+# /usr/share/shorewall/macro.Printer
+#
+# This macro handles Line Printer protocol printing.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 515
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.RDP b/Shorewall-common/macro.RDP
new file mode 100644
index 000000000..fbbd8254e
--- /dev/null
+++ b/Shorewall-common/macro.RDP
@@ -0,0 +1,12 @@
+#
+# Shorewall version 3.2 - RDP Macro
+#
+# /usr/share/shorewall/macro.RDP
+#
+# This macro handles Microsoft RDP (Remote Desktop) traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 3389
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.RNDC b/Shorewall-common/macro.RNDC
new file mode 100644
index 000000000..63ccc5afc
--- /dev/null
+++ b/Shorewall-common/macro.RNDC
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - RNDC Macro
+#
+# /usr/share/shorewall/macro.RNDC
+#
+# This macro handles RNDC (BIND remote management protocol) traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 953
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Rdate b/Shorewall-common/macro.Rdate
new file mode 100644
index 000000000..500873ed0
--- /dev/null
+++ b/Shorewall-common/macro.Rdate
@@ -0,0 +1,16 @@
+#
+# Shorewall version 4 - Rdate Macro
+#
+# /usr/share/shorewall/macro.Rdate
+#
+# This macro handles remote time retrieval (rdate).
+# Unless you are supporting extremely old hardware or software,
+# you shouldn't be using this. NTP is a superior alternative.
+# And even if you need to use rfc 868 Time protocol you should
+# use Time macro instead.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 37
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Reject b/Shorewall-common/macro.Reject
new file mode 100644
index 000000000..f44ed506b
--- /dev/null
+++ b/Shorewall-common/macro.Reject
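Review bot: Port 953 (`PARAM - - tcp 953` in macro.RNDC) is BIND's control channel, through which anyone who reaches it and holds the rndc key can stop, reload or reconfigure the server; nothing in the header marks it as an administrative port the way the commit does for macro.Telnet. Suggest `# rndc is an administrative channel; only allow it from named's own host or trusted management hosts.`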
@@ -0,0 +1,54 @@
+#
+# Shorewall version 4 - Reject Macro
+#
+# /usr/share/shorewall/macro.Reject
+#
+# This macro generates the same rules as the Reject default action
+# It is used in place of action.Reject when USE_ACTIONS=No.
+#
+# Example:
+#
+# Reject loc fw
+#
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+#
+# Don't log 'auth' REJECT
+#
+REJECT - - tcp 113
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast
+#
+# ACCEPT critical ICMP types
+#
+ACCEPT - - icmp fragmentation-needed
+ACCEPT - - icmp time-exceeded
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+REJECT - - udp 135,445
+REJECT - - udp 137:139
+REJECT - - udp 1024: 137
+REJECT - - tcp 135,139,445
+DROP - - udp 1900
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DROP - - udp - 53
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Rfc1918 b/Shorewall-common/macro.Rfc1918
new file mode 100644
index 000000000..5cb8992f8
--- /dev/null
+++ b/Shorewall-common/macro.Rfc1918
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Macro Template
+#
+# /usr/share/shorewall/macro.Rfc1918
+#
+# This macro handles pkts with a SOURCE or ORIGINAL DEST address reserved by RFC 1918
+#############################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# PORT(S) PORT(S) DEST LIMIT GROUP
+FORMAT 2
+PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
+ DEST - - - - - -
+PARAM SOURCE DEST - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Rsync b/Shorewall-common/macro.Rsync
new file mode 100644
index 000000000..530358b96
--- /dev/null
+++ b/Shorewall-common/macro.Rsync
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Rsync Macro
+#
+# /usr/share/shorewall/macro.Rsync
+#
+# This macro handles connections to the rsync server.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 873
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SANE b/Shorewall-common/macro.SANE
new file mode 100644
index 000000000..19312256e
--- /dev/null
+++ b/Shorewall-common/macro.SANE
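Review bot: The title line `# Shorewall version 4 - Macro Template` in macro.Rfc1918 is a copy-paste leftover from macro.template (the path line right below it already says macro.Rfc1918); change it to `# Shorewall version 4 - Rfc1918 Macro`. It would also help to say that the two PARAM lines deliberately cover only the three RFC 1918 blocks and not other reserved space such as 169.254.0.0/16, so nobody mistakes this for a full bogon filter.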
@@ -0,0 +1,23 @@
+#
+# Shorewall version 4 - SANE Macro
+#
+# /usr/share/shorewall/macro.SANE
+#
+# This macro handles SANE network scanning.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 6566
+#
+# Kernels 2.6.23+ has nf_conntrack_sane module which will handle
+# sane data connection.
+#
+# If you don't have sane conntracking support you need to open whole dynamic
+# port range.
+#
+# This is for normal linux 2.4+
+#PARAM - - tcp 32768:61000
+# This is generic rule for any os running saned.
+#PARAM - - tcp 1024:
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SMB b/Shorewall-common/macro.SMB
new file mode 100644
index 000000000..e4166c351
--- /dev/null
+++ b/Shorewall-common/macro.SMB
@@ -0,0 +1,19 @@
+#
+# Shorewall version 4 - SMB Macro
+#
+# /usr/share/shorewall/macro.SMB
+#
+# This macro handles Microsoft SMB traffic. You need to invoke
+# this macro in both directions. Beware! This rule opens a lot
+# of ports, and could possibly be used to compromise your firewall
+# if not used with care. You should only allow SMB traffic
+# between hosts you fully trust.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - udp 135,445
+PARAM - - udp 137:139
+PARAM - - udp 1024: 137
+PARAM - - tcp 135,139,445
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SMBBI b/Shorewall-common/macro.SMBBI
new file mode 100644
index 000000000..04e91e7c9
--- /dev/null
+++ b/Shorewall-common/macro.SMBBI
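Review bot: `PARAM - - udp 1024: 137` in macro.SMB matches on the sender's source port, which the sender chooses, so with `SMB/ACCEPT net loc` any host in net reaches every unprivileged UDP port in loc simply by sending from port 137; the "fully trust" warning covers this outcome but not the mechanism. Suggest a comment on that line: `# Admits any UDP to ports 1024: from a sender using source port 137 (not tied to a tracked connection).` The same line recurs in macro.SMBBI and, as a REJECT, in macro.Reject.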
@@ -0,0 +1,23 @@
+#
+# Shorewall version 4 - SMB Bi-directional Macro
+#
+# /usr/share/shorewall/macro.SMBBI
+#
+# This macro (bidirectional) handles Microsoft SMB traffic.
+#
+# Beware! This macro opens a lot of ports, and could possibly be used
+# to compromise your firewall if not used with care. You should only
+# allow SMB traffic between hosts you fully trust.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - udp 135,445
+PARAM - - udp 137:139
+PARAM - - udp 1024: 137
+PARAM - - tcp 135,139,445
+PARAM DEST SOURCE udp 135,445
+PARAM DEST SOURCE udp 137:139
+PARAM DEST SOURCE udp 1024: 137
+PARAM DEST SOURCE tcp 135,139,445
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SMBswat b/Shorewall-common/macro.SMBswat
new file mode 100644
index 000000000..d63805518
--- /dev/null
+++ b/Shorewall-common/macro.SMBswat
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - SMBswat Macro
+#
+# /usr/share/shorewall/macro.SMBswat
+#
+# This macro handles connections to the Samba Web Administration Tool
+# (SWAT).
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 901
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SMTP b/Shorewall-common/macro.SMTP
new file mode 100644
index 000000000..b8782315d
--- /dev/null
+++ b/Shorewall-common/macro.SMTP
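Review bot: SWAT on port 901 (`PARAM - - tcp 901` in macro.SMBswat) is a root-level administration interface that by default takes HTTP Basic credentials over plain HTTP, so an `SMBswat/ACCEPT` from an untrusted zone exposes both the Samba configuration and the password in clear; the header carries none of the caveats macro.Telnet has. Suggest `# SWAT sends credentials in plaintext by default; restrict to trusted hosts or tunnel it over SSH/stunnel.`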
@@ -0,0 +1,20 @@
+#
+# Shorewall version 4 - SMTP Macro
+#
+# /usr/share/shorewall/macro.SMTP
+#
+# This macro handles plaintext SMTP (email) traffic. For SMTP
+# encrypted over SSL, use macro.SMTPS. Note that STARTTLS can be
+# used over the standard STMP port, so the use of this macro
+# doesn't necessarily imply the use of an insecure connection.
+#
+# Note: This macro handles traffic between an MUA (Email client)
+# and an MTA (mail server) or between MTAs. It does not enable
+# reading of email via POP3 or IMAP. For those you need to use
+# the POP3 or IMAP macros.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 25
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SMTPS b/Shorewall-common/macro.SMTPS
new file mode 100644
index 000000000..e2f188243
--- /dev/null
+++ b/Shorewall-common/macro.SMTPS
@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - SMTPS Macro
+#
+# /usr/share/shorewall/macro.SMTPS
+#
+# This macro handles encrypted SMTPS (email) traffic.
+#
+# Note: This macro handles traffic between an MUA (Email client)
+# and an MTA (mail server) or between MTAs. It does not enable
+# reading of email via POP3 or IMAP. For those you need to use
+# the POP3(S) or IMAP(S) macros.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 465
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SNMP b/Shorewall-common/macro.SNMP
new file mode 100644
index 000000000..0959e4fbb
--- /dev/null
+++ b/Shorewall-common/macro.SNMP
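Review bot: The macro.SMTP header has a typo in `# used over the standard STMP port, so the use of this macro`; it should read `# used over the standard SMTP port, so the use of this macro`. The STARTTLS caveat itself is the right thing to say and is worth copying to macro.JabberPlain, which describes its STARTTLS-capable port 5222 as simply "plaintext".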
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - SNMP Macro
+#
+# /usr/share/shorewall/macro.SNMP
+#
+# This macro handles SNMP traffic (including traps).
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - udp 161:162
+PARAM - - tcp 161
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SPAMD b/Shorewall-common/macro.SPAMD
new file mode 100644
index 000000000..258c6d14c
--- /dev/null
+++ b/Shorewall-common/macro.SPAMD
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - SPAMD Macro
+#
+# /usr/share/shorewall/macro.SPAMD
+#
+# This macro handles Spam Assassin SPAMD traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 783
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SSH b/Shorewall-common/macro.SSH
new file mode 100644
index 000000000..2bde98249
--- /dev/null
+++ b/Shorewall-common/macro.SSH
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - SSH Macro
+#
+# /usr/share/shorewall/macro.SSH
+#
+# This macro handles secure shell (SSH) traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 22
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SVN b/Shorewall-common/macro.SVN
new file mode 100644
index 000000000..aa5e52a00
--- /dev/null
+++ b/Shorewall-common/macro.SVN
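Review bot: Traps travel agent→manager on UDP 162, the reverse of the 161 polling direction that `PARAM - - udp 161:162` is invoked for, so `SNMP/ACCEPT mgr agents` as written only admits traps sent by the manager, and the header's "(including traps)" promises something the rules do not deliver. Either add `PARAM DEST SOURCE udp 162` so traps are accepted in the reverse direction, or reword the header to say a second invocation is needed. SNMPv1/v2c community strings also travel in clear, which deserves a caveat of the kind macro.Telnet and macro.TFTP carry.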
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - SVN Macro
+#
+# /usr/share/shorewall/macro.SVN
+#
+# This macro handles connections to the Subversion server (svnserve).
+#
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 3690
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SixXS b/Shorewall-common/macro.SixXS
new file mode 100644
index 000000000..657e75f43
--- /dev/null
+++ b/Shorewall-common/macro.SixXS
@@ -0,0 +1,25 @@
+#
+# Shorewall version 4 - SIXXS Macro
+#
+# /usr/share/shorewall/macro.SixXS
+#
+# This macro handles SixXS -- An IPv6 Deployment and Tunnel Broker
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+#
+# Used for retrieving the tunnel information (eg by AICCU)
+PARAM - - tcp 3874
+#
+# Used for signaling where the current IPv4 endpoint
+# of the tunnel is and that it is alive
+PARAM - - udp 3740
+#
+# Used for tunneling IPv6 over IPv4 (static + heartbeat tunnels)
+PARAM - - 41
+#
+# Used for tunneling IPv6 over IPv4 (AYIYA
+# tunnels)(5072 is official port, 8374 is used in the beta)
+PARAM - - udp 5072,8374
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Submission b/Shorewall-common/macro.Submission
new file mode 100644
index 000000000..4f9e1e2ce
--- /dev/null
+++ b/Shorewall-common/macro.Submission
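Review bot: `PARAM - - 41` in macro.SixXS accepts IPv6-in-IPv4 (protocol 41) from every host in SOURCE, and the IPv4 rules this macro generates never look inside the encapsulated IPv6; unless the tunnel interface is filtered separately, `SixXS/ACCEPT net $FW` lets any host on net inject IPv6 traffic past the IPv4 firewall. Suggest `# Protocol 41 and AYIYA carry IPv6 that these IPv4 rules do not filter; restrict SOURCE to the broker's PoP address and filter the tunnel interface with ip6tables/Shorewall6.` The comment `8374 is used in the beta` also leaves a beta port permanently open; it is worth checking whether it is still needed.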
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Submission Macro
+#
+# /usr/share/shorewall/macro.Submission
+#
+# This macro handles mail message submission traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 587
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Syslog b/Shorewall-common/macro.Syslog
new file mode 100644
index 000000000..9efc6443e
--- /dev/null
+++ b/Shorewall-common/macro.Syslog
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Syslog Macro
+#
+# /usr/share/shorewall/macro.Syslog
+#
+# This macro handles syslog UDP traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - udp 514
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.TFTP b/Shorewall-common/macro.TFTP
new file mode 100644
index 000000000..70f2c0980
--- /dev/null
+++ b/Shorewall-common/macro.TFTP
@@ -0,0 +1,14 @@
+#
+# Shorewall version 3.2 - TFTP Macro
+#
+# /usr/share/shorewall/macro.TFTP
+#
+# This macro handles Trivial File Transfer Protocol (TFTP)
+# Because TFTP lacks all security you should not enable it over
+# Internet.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - udp 69
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Telnet b/Shorewall-common/macro.Telnet
new file mode 100644
index 000000000..da87b2001
--- /dev/null
+++ b/Shorewall-common/macro.Telnet
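Review bot: UDP syslog (`PARAM - - udp 514` in macro.Syslog) carries no authentication, so any host in SOURCE can inject forged log lines into the collector or flood it, and the header gives no hint of that. Suggest `# UDP syslog is unauthenticated and trivially spoofable; only accept it from trusted hosts.`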
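Review bot: The TFTP data transfer comes back from a freshly chosen server-side port, so `PARAM - - udp 69` in macro.TFTP only yields a working transfer when the tftp conntrack helper is loaded; macro.SANE in this commit documents the equivalent dependency on nf_conntrack_sane, and macro.TFTP should do the same. Suggest `# The data transfer uses a new server port; the nf_conntrack_tftp helper must be loaded for it to be tracked.`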
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Telnet Macro
+#
+# /usr/share/shorewall/macro.Telnet
+#
+# This macro handles Telnet traffic. For traffic over the
+# internet, telnet is inappropriate; use SSH instead
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 23
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Telnets b/Shorewall-common/macro.Telnets
new file mode 100644
index 000000000..158e9b280
--- /dev/null
+++ b/Shorewall-common/macro.Telnets
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Telnet Macro
+#
+# /usr/share/shorewall/macro.Telnets
+#
+# This macro handles Telnets (Telnet over SSL) traffic.
+# For traffic over the internet, SSH might be more practical.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 992
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Time b/Shorewall-common/macro.Time
new file mode 100644
index 000000000..4bc33d184
--- /dev/null
+++ b/Shorewall-common/macro.Time
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Time Macro
+#
+# /usr/share/shorewall/macro.Time
+#
+# This macro handles rfc 868 Time protocol.
+# Unless you are supporting extremely old hardware or software,
+# you shouldn't be using this. NTP is a superior alternative.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 37
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Trcrt b/Shorewall-common/macro.Trcrt
new file mode 100644
index 000000000..2d84d1eed
--- /dev/null
+++ b/Shorewall-common/macro.Trcrt
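Review bot: The title line of macro.Telnets reads `# Shorewall version 4 - Telnet Macro`, duplicating macro.Telnet's title although the path line beneath it says macro.Telnets; change it to `# Shorewall version 4 - Telnets Macro`. The macro.Telnet warning restricts itself to "over the internet", but telnet sends credentials in clear on any segment, so `# Telnet sends credentials in plaintext; use SSH on any untrusted network` would be more accurate.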
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 -Trcrt Macro
+#
+# /usr/share/shorewall/macro.Trcrt
+#
+# This macro handles Traceroute (for up to 30 hops).
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - udp 33434:33524 # UDP Traceroute
+PARAM - - icmp 8 # ICMP Traceroute
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.VNC b/Shorewall-common/macro.VNC
new file mode 100644
index 000000000..92102db5c
--- /dev/null
+++ b/Shorewall-common/macro.VNC
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - VNC Macro
+#
+# /usr/share/shorewall/macro.VNC
+#
+# This macro handles VNC traffic for VNC display's 0 - 9.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 5900:5909
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.VNCL b/Shorewall-common/macro.VNCL
new file mode 100644
index 000000000..52b1ffa21
--- /dev/null
+++ b/Shorewall-common/macro.VNCL
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 -VNCL Macro
+#
+# /usr/share/shorewall/macro.VNCL
+#
+# This macro handles VNC traffic from Vncservers to Vncviewers in listen
+# mode.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 5500
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Web b/Shorewall-common/macro.Web
new file mode 100644
index 000000000..3d54f800f
--- /dev/null
+++ b/Shorewall-common/macro.Web
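Review bot: `PARAM - - tcp 5900:5909` in macro.VNC exposes ten displays at once, and classic VNC authentication is a challenge-response on a password of at most eight characters with no transport encryption, yet the header carries none of the caveats macro.Telnet has. Suggest `# VNC's native authentication and session data are weakly protected; tunnel it over SSH (macro.SSH) across untrusted networks.` The same applies to macro.VNCL, whose listen-mode port 5500 accepts reverse connections from any host in SOURCE.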
@@ -0,0 +1,15 @@
+#
+# Shorewall version 4 - Web Macro
+#
+# /usr/share/shorewall/macro.Web
+#
+# This macro handles WWW traffic (secure and insecure). This
+# macro is deprecated - use of macro.HTTP and macro.HTTPS instead
+# is recommended.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 80 # HTTP (plaintext)
+PARAM - - tcp 443 # HTTPS (over SSL)
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Webmin b/Shorewall-common/macro.Webmin
new file mode 100644
index 000000000..8ac6d213a
--- /dev/null
+++ b/Shorewall-common/macro.Webmin
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Webmin Macro
+#
+# /usr/share/shorewall/macro.Webmin
+#
+# This macro handles Webmin traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 10000
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Whois b/Shorewall-common/macro.Whois
new file mode 100644
index 000000000..5bc2a0509
--- /dev/null
+++ b/Shorewall-common/macro.Whois
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Whois Macro
+#
+# /usr/share/shorewall/macro.Whois
+#
+# This macro handles whois (nicname) traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 43
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.template b/Shorewall-common/macro.template
new file mode 100644
index 000000000..ae357d1bd
--- /dev/null
+++ b/Shorewall-common/macro.template
@@ -0,0 +1,368 @@
+#
+# Shorewall version 4 - Macro Template
+#
+# /usr/share/shorewall/macro.template
+#
+# Macro files are similar to action files with the following exceptions:
+#
+# - A macro file is not processed unless the marcro that it defines is
+# referenced in the /etc/shorewall/rules file or in an action
+# definition file.
+#
+# - Macros are translated directly into one or more rules whereas
+# actions become their own chain.
+#
+# - All entries in a macro undergo substitution when the macro is
+# invoked in the rules file.
+#
+# - Macros used in action bodies may not invoke other macros.
+#
+# The columns in the file are the same as those in the action.template file but
+# have different restrictions:
+#
+# Columns are:
+#
+# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
+# LOG, QUEUE, PARAM or an name.
+#
+# ACCEPT -- allow the connection request
+# ACCEPT+ -- like ACCEPT but also excludes the
+# connection from any subsequent
+# DNAT[-] or REDIRECT[-] rules
+# NONAT -- Excludes the connection from any
+# subsequent DNAT[-] or REDIRECT[-]
+# rules but doesn't generate a rule
+# to accept the traffic.
+# DROP -- ignore the request
+# REJECT -- disallow the request and return an
+# icmp-unreachable or an RST packet.
+# DNAT -- Forward the request to another
+# system (and optionally another
+# port).
+# DNAT- -- Advanced users only.
+# Like DNAT but only generates the
+# DNAT iptables rule and not
+# the companion ACCEPT rule.
+# SAME -- Similar to DNAT except that the
+# port may not be remapped and when
+# multiple server addresses are
+# listed, all requests from a given
+# remote system go to the same
+# server.
+# SAME- -- Advanced users only.
+# Like SAME but only generates the
+# NAT iptables rule and not
+# the companion ACCEPT rule.
+# REDIRECT -- Redirect the request to a local
+# port on the firewall.
+# REDIRECT-
+# -- Advanced users only.
+# Like REDIRET but only generates the
+# REDIRECT iptables rule and not
+# the companion ACCEPT rule.
+#
+# CONTINUE -- (For experts only). Do not process
+# any of the following rules for this
+# (source zone,destination zone). If
+# The source and/or destination IP
+# address falls into a zone defined
+# later in /etc/shorewall/zones, this
+# connection request will be passed
+# to the rules defined for that
+# (those) zone(s).
+# LOG -- Simply log the packet and continue.
+# QUEUE -- Queue the packet to a user-space
+# application such as ftwall
+# (http://p2pwall.sf.net).
+# PARAM -- If you code PARAM as the action in
+# a macro then when you invoke the
+# macro, you can include the name of
+# the macro followed by a slash ("/")
+# and an ACTION (either builtin or
+# user-defined. All instances of
+# PARAM in the body of the macro will
+# be replaced with the ACTION.
+# -- The name of an action defined in
+# /usr/share/shorewall/actions.std or
+# in /etc/shorewall/actions.
+#
+# The ACTION may optionally be followed
+# by ":" and a syslog log level (e.g, REJECT:info or
+# DNAT:debug). This causes the packet to be
+# logged at the specified level.
+#
+# You may also specify ULOG (must be in upper case) as a
+# log level.This will log to the ULOG target for routing
+# to a separate log through use of ulogd
+# (http://www.gnumonks.org/projects/ulogd).
+#
+# Actions specifying logging may be followed by a
+# log tag (a string of alphanumeric characters)
+# are appended to the string generated by the
+# LOGPREFIX (in /etc/shorewall/shorewall.conf).
+#
+# Example: ACCEPT:info:ftp would include 'ftp '
+# at the end of the log prefix generated by the
+# LOGPREFIX setting.
+#
+# SOURCE Source hosts to which the rule applies.
May be a zone
+# defined in /etc/shorewall/zones, $FW to indicate the
+# firewall itself, "all", "all+" or "none" If the ACTION
+# is DNAT or REDIRECT, sub-zones of the specified zone
+# may be excluded from the rule by following the zone
+# name with "!' and a comma-separated list of sub-zone
+# names.
+#
+# When "none" is used either in the SOURCE or DEST
+# column, the rule is ignored.
+#
+# When "all" is used either in the SOURCE or DEST column
+# intra-zone traffic is not affected. When "all+" is
+# used, intra-zone traffic is affected.
+#
+# Except when "all[+]" is specified, clients may be
+# further restricted to a list of subnets and/or hosts by
+# appending ":" and a comma-separated list of subnets
+# and/or hosts. Hosts may be specified by IP or MAC
+# address; mac addresses must begin with "~" and must use
+# "-" as a separator.
+#
+# Hosts may be specified as an IP address range using the
+# syntax -. This requires that
+# your kernel and iptables contain iprange match support.
+# If you kernel and iptables have ipset match support
+# then you may give the name of an ipset prefaced by "+".
+# The ipset name may be optionally followed by a number
+# from 1 to 6 enclosed in square brackets ([]) to
+# indicate the number of levels of source bindings to be
+# matched.
+#
+# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
+#
+# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
+# Internet
+#
+# loc:192.168.1.1,192.168.1.2
+# Hosts 192.168.1.1 and
+# 192.168.1.2 in the local zone.
+# loc:~00-A0-C9-15-39-78 Host in the local zone with
+# MAC address 00:A0:C9:15:39:78.
+#
+# net:192.0.2.11-192.0.2.17
+# Hosts 192.0.2.11-192.0.2.17 in
+# the net zone.
+#
+# Alternatively, clients may be specified by interface
+# by appending ":" to the zone name followed by the
+# interface name. For example, loc:eth1 specifies a
+# client that communicates with the firewall system
+# through eth1.
This may be optionally followed by
+# another colon (":") and an IP/MAC/subnet address
+# as described above (e.g., loc:eth1:192.168.1.5).
+#
+# DEST Location of Server. May be a zone defined in
+# /etc/shorewall/zones, $FW to indicate the firewall
+# itself, "all". "all+" or "none".
+#
+# When "none" is used either in the SOURCE or DEST
+# column, the rule is ignored.
+#
+# When "all" is used either in the SOURCE or DEST column
+# intra-zone traffic is not affected. When "all+" is
+# used, intra-zone traffic is affected.
+#
+# Except when "all[+]" is specified, the server may be
+# further restricted to a particular subnet, host or
+# interface by appending ":" and the subnet, host or
+# interface. See above.
+#
+# Restrictions:
+#
+# 1. MAC addresses are not allowed.
+# 2. In DNAT rules, only IP addresses are
+# allowed; no FQDNs or subnet addresses
+# are permitted.
+# 3. You may not specify both an interface and
+# an address.
+#
+# Like in the SOURCE column, you may specify a range of
+# up to 256 IP addresses using the syntax
+# -. When the ACTION is DNAT or DNAT-,
+# the connections will be assigned to addresses in the
+# range in a round-robin fashion.
+#
+# If you kernel and iptables have ipset match support
+# then you may give the name of an ipset prefaced by "+".
+# The ipset name may be optionally followed by a number
+# from 1 to 6 enclosed in square brackets ([]) to
+# indicate the number of levels of destination bindings
+# to be matched. Only one of the SOURCE and DEST columns
+# may specify an ipset name.
+#
+# The port that the server is listening on may be
+# included and separated from the server's IP address by
+# ":". If omitted, the firewall will not modifiy the
+# destination port. A destination port may only be
+# included if the ACTION is DNAT or REDIRECT.
+#
+# Example: loc:192.168.1.3:3128 specifies a local
+# server at IP address 192.168.1.3 and listening on port
+# 3128.
The port number MUST be specified as an integer
+# and not as a name from /etc/services.
+#
+# if the ACTION is REDIRECT, this column needs only to
+# contain the port number on the firewall that the
+# request should be redirected to.
+#
+# PROTO Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
+# "ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all".
+# "ipp2p*" requires ipp2p match support in your kernel
+# and iptables.
+#
+# "tcp:syn" implies "tcp" plus the SYN flag must be
+# set and the RST,ACK and FIN flags must be reset.
+#
+# DEST PORT(S) Destination Ports. A comma-separated list of Port
+# names (from /etc/services), port numbers or port
+# ranges; if the protocol is "icmp", this column is
+# interpreted as the destination icmp-type(s).
+#
+# If the protocol is ipp2p*, this column is interpreted
+# as an ipp2p option without the leading "--" (example
+# "bit" for bit-torrent). If no port is given, "ipp2p" is
+# assumed.
+#
+# A port range is expressed as :.
+#
+# This column is ignored if PROTOCOL = all but must be
+# entered if any of the following ields are supplied.
+# In that case, it is suggested that this field contain
+# "-"
+#
+# If your kernel contains multi-port match support, then
+# only a single Netfilter rule will be generated if in
+# this list and the CLIENT PORT(S) list below:
+# 1. There are 15 or less ports listed.
+# 2. No port ranges are included.
+# Otherwise, a separate rule will be generated for each
+# port.
+#
+# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
+# any source port is acceptable. Specified as a comma-
+# separated list of port names, port numbers or port
+# ranges.
+#
+# If you don't want to restrict client ports but need to
+# specify an ORIGINAL DEST in the next column, then
+# place "-" in this column.
+#
+# If your kernel contains multi-port match support, then
+# only a single Netfilter rule will be generated if in
+# this list and the DEST PORT(S) list above:
+# 1.
There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. +# +# ORIGINAL Original destination IP address. Must be omitted ( +# DEST or '-') if the macro is to be used from within +# an action. See 'man shorewall-rules'. +# +# RATE LIMIT You may rate-limit the rule by placing a value in +# this colume: +# +# /[:] +# +# where is the number of connections per +# ("sec" or "min") and is the +# largest burst permitted. If no is given, +# a value of 5 is assumed. There may be no +# no whitespace embedded in the specification. +# +# Example: 10/sec:20 +# +# USER/GROUP This column may only be non-empty if the SOURCE is +# the firewall itself. +# +# The column may contain: +# +# [!][][:][+] +# +# When this column is non-empty, the rule applies only +# if the program generating the output is running under +# the effective and/or specified (or is +# NOT running under that id if "!" is given). +# +# Examples: +# +# joe #program must be run by joe +# :kids #program must be run by a member of +# #the 'kids' group +# !:kids #program must not be run by a member +# #of the 'kids' group +# +upnpd #program named upnpd (This feature was +# #removed from Netfilter in kernel +# #version 2.6.14). +# +# A few examples should help show how Macros work. 
+#
+# /etc/shorewall/macro.FwdFTP:
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# # PORT(S) PORT(S) DEST LIMIT GROUP
+# DNAT - - tcp 21
+#
+# /etc/shorewall/rules:
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# # PORT(S) PORT(S) DEST LIMIT GROUP
+# FwdFTP net loc:192.168.1.5
+#
+# The result is equivalent to:
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# # PORT(S) PORT(S) DEST LIMIT GROUP
+# DNAT net loc:192.168.1.5 tcp 21
+#
+# The substitution rules are as follows:
+#
+# ACTION column If in the invocation of the macro, the macro
+# name is followed by slash ("/") and a second
+# name, the second name is substituted for each
+# entry in the macro whose ACTION is PARAM
+#
+# For example, if macro FOO is invoked as
+# FOO/ACCEPT then when expanding macro.FOO,
+# Shorewall will substitute ACCEPT in each
+# entry in macro.FOO whose ACTION column
+# contains PARAM. PARAM may be optionally
+# followed by a colon and a log level.
+#
+# You may also follow the
+#
+# Any logging specified when the macro is
+# invoked is applied to each entry in the macros.
+#
+# SOURCE and DEST If the column in the macro is empty then the
+# columns value in the rules file is used. If the column
+# in the macro is non-empty then any value in
+# the rules file is appended with a ":"
+# separator.
+#
+# Example: ###############################################
+# #ACTION SOURCE DEST PROTO DEST
+# # PORT(S)
+# macro.FTP File PARAM net loc tcp 21
+# rules File FTP/DNAT - 192.168.1.5
+# Result DNAT net loc:192.168.1.5 tcp 21
+#
+# Remaining Any value in the rules file REPLACES the value
+# columns given in the macro file.
+#
+#######################################################################################################
+# DO NOT REMOVE THE FOLLOWING LINE
+FORMAT 2
+#######################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ ORIGINAL
+# PORT(S) PORT(S) DEST LIMIT GROUP DEST
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/masq b/Shorewall-common/masq
new file mode 100644
index 000000000..9b4f38dd1
--- /dev/null
+++ b/Shorewall-common/masq
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Masq file
+#
+# For information about entries in this file, type "man shorewall-masq"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-masq.html
+#
+###############################################################################
+#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall-common/modules b/Shorewall-common/modules
new file mode 100644
index 000000000..5532a96af
--- /dev/null
+++ b/Shorewall-common/modules
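Review bot: The substitution-rules text for the ACTION column breaks off mid-sentence at `# You may also follow the`, so the reader never learns what else may follow PARAM; either finish the sentence or drop the fragment. While in that comment block, a handful of typos should be fixed: `marcro` → `macro`, `REDIRET` → `REDIRECT`, `modifiy` → `modify`, `ields` → `fields`, `colume` → `column`, and `If you kernel` → `If your kernel` (it occurs twice). The closing column header also names ORIGINAL/DEST twice (`... RATE USER/ ORIGINAL` over `... LIMIT GROUP DEST`); the trailing pair looks like a duplicate of the ORIGINAL DEST column already listed and would confuse anyone lining up fields under FORMAT 2, so please confirm it against the intended layout and remove it if it is stray.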
@@ -0,0 +1,161 @@
+#
+# Shorewall version 4 - Modules File
+#
+# /usr/share/shorewall/modules
+#
+# This file loads the modules that may be needed by the firewall.
+#
+# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# dependency order. i.e., if M2 depends on M1 then you must load M1
+# before you load M2.
+#
+# If you need to modify this file, copy it to /etc/shorewall and modify the
+# copy.
+#
+###############################################################################
+#
+# Essential Modules
+#
+loadmodule nfnetlink
+loadmodule x_tables
+loadmodule ip_tables
+loadmodule iptable_filter
+loadmodule iptable_mangle
+loadmodule ip_conntrack
+loadmodule nf_conntrack
+loadmodule nf_conntrack_ipv4
+loadmodule iptable_nat
+loadmodule xt_state
+loadmodule xt_tcpudp
+#
+# Other xtables modules
+#
+loadmodule xt_CLASSIFY
+loadmodule xt_connmark
+loadmodule xt_CONNMARK
+loadmodule xt_conntrack
+loadmodule xt_dccp
+loadmodule xt_dscp
+loadmodule xt_DSCP
+loadmodule xt_hashlimit
+loadmodule xt_helper
+loadmodule xt_iprange
+loadmodule xt_length
+loadmodule xt_limit
+loadmodule xt_mac
+loadmodule xt_mark
+loadmodule xt_MARK
+loadmodule xt_multiport
+loadmodule xt_NFLOG
+loadmodule xt_NFQUEUE
+loadmodule xt_owner
+loadmodule xt_physdev
+loadmodule xt_pkttype
+loadmodule xt_tcpmss
+#
+# Helpers
+#
+loadmodule ip_conntrack_amanda
+loadmodule ip_conntrack_ftp
+loadmodule ip_conntrack_h323
+loadmodule ip_conntrack_irc
+loadmodule ip_conntrack_netbios_ns
+loadmodule ip_conntrack_pptp
+loadmodule ip_conntrack_sip
+loadmodule ip_conntrack_tftp
+loadmodule ip_nat_amanda
+loadmodule ip_nat_ftp
+loadmodule ip_nat_h323
+loadmodule ip_nat_irc
+loadmodule ip_nat_pptp
+loadmodule ip_nat_sip
+loadmodule ip_nat_snmp_basic
+loadmodule ip_nat_tftp
+loadmodule ip_set
+loadmodule ip_set_iphash
+loadmodule ip_set_ipmap
+loadmodule ip_set_macipmap
+loadmodule ip_set_portmap
+#
+# 2.6.20+ helpers
+#
+loadmodule nf_conntrack_ftp
+loadmodule nf_conntrack_h323
+loadmodule 
nf_conntrack_irc
+loadmodule nf_conntrack_netbios_ns
+loadmodule nf_conntrack_netlink
+loadmodule nf_conntrack_pptp
+loadmodule nf_conntrack_proto_gre
+loadmodule nf_conntrack_proto_sctp
+loadmodule nf_conntrack_sip
+loadmodule nf_conntrack_tftp
+loadmodule nf_conntrack_sane
+loadmodule nf_nat_amanda
+loadmodule nf_nat_ftp
+loadmodule nf_nat_h323
+loadmodule nf_nat_irc
+loadmodule nf_nat
+loadmodule nf_nat_pptp
+loadmodule nf_nat_proto_gre
+loadmodule nf_nat_sip
+loadmodule nf_nat_snmp_basic
+loadmodule nf_nat_tftp
+#
+# Traffic Shaping
+#
+loadmodule sch_sfq
+loadmodule sch_ingress
+loadmodule sch_htb
+loadmodule cls_u32
+loadmodule cls_fw
+loadmodule act_police
+#
+# Extensions
+#
+loadmodule ipt_addrtype
+loadmodule ipt_ah
+loadmodule ipt_CLASSIFY
+loadmodule ipt_CLUSTERIP
+loadmodule ipt_comment
+loadmodule ipt_connmark
+loadmodule ipt_CONNMARK
+loadmodule ipt_conntrack
+loadmodule ipt_dscp
+loadmodule ipt_DSCP
+loadmodule ipt_ecn
+loadmodule ipt_ECN
+loadmodule ipt_esp
+loadmodule ipt_hashlimit
+loadmodule ipt_helper
+loadmodule ipt_ipp2p
+loadmodule ipt_iprange
+loadmodule ipt_length
+loadmodule ipt_limit
+loadmodule ipt_LOG
+loadmodule ipt_mac
+loadmodule ipt_mark
+loadmodule ipt_MARK
+loadmodule ipt_MASQUERADE
+loadmodule ipt_multiport
+loadmodule ipt_NETMAP
+loadmodule ipt_NOTRACK
+loadmodule ipt_owner
+loadmodule ipt_physdev
+loadmodule ipt_pkttype
+loadmodule ipt_policy
+loadmodule ipt_realm
+loadmodule ipt_recent
+loadmodule ipt_REDIRECT
+loadmodule ipt_REJECT
+loadmodule ipt_SAME
+loadmodule ipt_sctp
+loadmodule ipt_set
+loadmodule ipt_state
+loadmodule ipt_tcpmss
+loadmodule ipt_TCPMSS
+loadmodule ipt_tos
+loadmodule ipt_TOS
+loadmodule ipt_ttl
+loadmodule ipt_TTL
+loadmodule ipt_ULOG
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/nat b/Shorewall-common/nat
new file mode 100644
index 000000000..5c8874c8e
--- /dev/null
+++ b/Shorewall-common/nat
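Review bot: The header insists on dependency order, yet in the "2.6.20+ helpers" group `loadmodule nf_nat` comes after `nf_nat_amanda`, `nf_nat_ftp`, `nf_nat_h323` and `nf_nat_irc`, all of which depend on nf_nat; moving `loadmodule nf_nat` to the top of that group (or beside nf_conntrack in the essential set) keeps the file consistent with its own rule whenever loadmodule ends up using insmod rather than a dependency-resolving modprobe (loadmodule itself is defined outside this hunk, so I cannot confirm which it uses). Separately, every conntrack/NAT helper (ftp, irc, sip, h323, tftp, amanda, pptp, snmp, netbios_ns, sane) is loaded unconditionally; a loaded helper parses application payload on its default ports and lets the firewall accept RELATED connections it infers from that payload, which widens the attack surface for protocols the site does not run. The "Helpers" comment should say so and point administrators at pruning, e.g. `# Helpers -- each one parses application payload and opens RELATED connections; keep only those you need in your /etc/shorewall copy.`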
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Nat File
+#
+# For information about entries in this file, type "man shorewall-nat"
+#
+# For additional information, see http://shorewall.net/NAT.htm
+#
+###############################################################################
+#EXTERNAL INTERFACE INTERNAL ALL LOCAL
+# INTERFACES
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall-common/netmap b/Shorewall-common/netmap
new file mode 100644
index 000000000..6290bcfb4
--- /dev/null
+++ b/Shorewall-common/netmap
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Netmap File
+#
+# For information about entries in this file, type "man shorewall-netmap"
+#
+# See http://shorewall.net/netmap.html for an example and usage
+# information.
+#
+###############################################################################
+#TYPE NET1 INTERFACE NET2
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall-common/params b/Shorewall-common/params
new file mode 100644
index 000000000..84983dc13
--- /dev/null
+++ b/Shorewall-common/params
@@ -0,0 +1,27 @@
+#
+# Shorewall version 4 - Params File
+#
+# /etc/shorewall/params
+#
+# Assign any variables that you need here.
+#
+# It is suggested that variable names begin with an upper case letter
+# to distinguish them from variables used internally within the
+# Shorewall programs
+#
+# Example:
+#
+# NET_IF=eth0
+# NET_BCAST=130.252.100.255
+# NET_OPTIONS=routefilter,norfc1918
+#
+# Example (/etc/shorewall/interfaces record):
+#
+# net $NET_IF $NET_BCAST $NET_OPTIONS
+#
+# The result will be the same as if the record had been written
+#
+# net eth0 130.252.100.255 routefilter,norfc1918
+#
+###############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall-common/policy b/Shorewall-common/policy
new file mode 100644
index 000000000..338f13fec
--- /dev/null
+++ b/Shorewall-common/policy
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Policy File
+#
+# For information about entries in this file, type "man shorewall-policy"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-policy.html
+#
+###############################################################################
+#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
+# LEVEL BURST MASK
+#LAST LINE -- DO NOT REMOVE
diff --git a/Shorewall-common/providers b/Shorewall-common/providers
new file mode 100644
index 000000000..63dc6c064
--- /dev/null
+++ b/Shorewall-common/providers
@@ -0,0 +1,10 @@
+#
+# Shorewall version 4 - Providers File
+#
+# For information about entries in this file, type "man shorewall-providers"
+#
+# For additional information, see http://shorewall.net/MultiISP.html
+#
+############################################################################################
+#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall-common/proxyarp b/Shorewall-common/proxyarp
new file mode 100644
index 000000000..4bc86f21b
--- /dev/null
+++ b/Shorewall-common/proxyarp
@@ -0,0 +1,10 @@
+#
+# Shorewall version 4 - Proxyarp File
+#
+# For information about entries in this file, type "man shorewall-proxyarp"
+#
+# See http://shorewall.net/ProxyARP.htm for additional information.
+#
+###############################################################################
+#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
new file mode 100644
index 000000000..bca5a9850
--- /dev/null
+++ b/Shorewall-common/releasenotes.txt
@@ -0,0 +1,1150 @@
+Shorewall 4.2.3
+
+----------------------------------------------------------------------------
+ R E L E A S E 4 . 2 H I G H L I G H T S
+----------------------------------------------------------------------------
+1) Support is included for multiple internet providers through the same
+ ethernet interface.
+
+2) Support for NFLOG has been added.
+
+3) Enhanced operational logging.
+
+4) The tarball installers now work under Cygwin.
+
+5) Shorewall-perl now supports IFB devices which allow traffic shaping of
+ incoming traffic.
+
+6) Shorewall-perl supports definition of u32 traffic classification
+ filters.
+
+Migration Issues.
+
+1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
+ mark values < 256 to be assigned in the OUTPUT chain. This has been
+ changed so that only high mark values may be assigned
+ there. Packet marking rules for traffic shaping of packets
+ originating on the firewall must be coded in the POSTROUTING table.
+
+2) Previously, Shorewall did not range-check the value of the
+ VERBOSITY option in shorewall.conf. Beginning with Shorewall 4.2:
+
+ a) A VERBOSITY setting outside the range -1 through 2 is rejected.
+ b) After the -v and -q options are applied, the resulting value is
+ adjusted to fall within the range -1 through 2.
+
+3) Specifying a destination zone in a NAT-only rule now generates a
+ warning and the destination zone is ignored. NAT-only rules are:
+
+ NONAT
+ REDIRECT-
+ DNAT-
+
+4) The default value for LOG_MARTIANS has been changed. Previously,
+ the defaults were:
+
+ Shorewall-perl - 'Off'
+ Shorewall-shell - 'No'
+
+ The new default values are:
+
+ Shorewall-perl - 'On'
+ Shorewall-shell - 'Yes'.
+
+ Shorewall-perl users may:
+
+ a) Accept the new default -- martians will be logged from all
+ interfaces with route filtering except those with log_martians=0
+ in /etc/shorewall/interfaces.
+
+ b) Explicitly set LOG_MARTIANS=Off to maintain compatibility with
+ prior versions of Shorewall.
+
+ Shorewall-shell users may:
+
+ a) Accept the new default -- martians will be logged from all
+ interfaces with the route filtering enabled.
+
+ b) Explicitly set LOG_MARTIONS=No to maintain compatibility with
+ prior versions of Shorewall.
+
+5) The value of IMPLICIT_CONTINUE in shorewall.conf (and samples) has
+ been changed from Yes to No.
+
+6) The 'norfc1918' option is deprecated. Use explicit rules instead.
+ Note that there is a new 'Rfc1918' macro that acts on addresses
+ reserved by RFC 1918.
+
+7) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl. Use
+ ipset-based zones instead.
+
+Problems corrected in Shorewall 4.2.3
+
+1) Previously, Shorewall would allow compilation for export of a
+ script named 'shorewall' with the unfortunate side effect that
+ the 'shorewall.conf' file was overwritten. Scripts named
+ 'shorewall' now cause a fatal error to be raised.
+
+2) Previously, Shorewall-perl attempted to do Shell variable
+ substitution on the first line in /etc/shorewall/compile.
+
+3) Following the Netfilter tradition, the IPP2P maintainer has made an
+ incompatible syntax change (the --ipp2p option has been
+ removed). Shorewall has always used "-m ipp2p --ipp2p" when
+ detecting the presence of IPP2P support.
+
+ Shorewall-common and Shorewall-perl have been modified to use
+ "-m ipp2p --edk" instead.
+
+4) When Extended Conntrack Match support was available, Shorewall-perl
+ would create invalid iptables-restore input for certain DNAT rules.
+
+Other changes in Shorewall 4.2.3
+
+1) Except with the -e option is specified, the Shorewall-perl compiler
+ now verifies user/group names appearing in the USER/GROUP column of
+ the rules file.
+
+2) The output of 'shorewall dump' now includes the output from
+ 'netstat -tunap'.
+
+3) Shorewall-perl now accepts '+' as an interface name in
+ /etc/shorewall/interfaces.
That name matches any interface and is
+ useful for defining a zone that will match any interface that might
+ be added after Shorewall is started.
+
+ A couple of words of caution are in order.
+
+ a) Because '+' matches any interface name, Shorewall cannot
+ verify interface names appearing in other files when '+' is
+ defined in /etc/shorewall/interfaces.
+
+ b) The zone assigned to '+' must be the last one defined in
+ /etc/shorewall/zones.
+
+4) Shorewall-perl now uses the iptables --goto parameter in obvious
+ cases.
+
+5) The 'reset' command now allows you to reset the packet and byte
+ counter on individual chains:
+
+ shorewall reset chain1 chain2 ...
+ shorewall-lite reset chain1 chain2 ...
+
+New Features in Shorewall 4.2
+
+1) Shorewall 4.2 contains support for multiple Internet providers
+ through a single ethernet interface. Configuring two providers
+ through a single interface differs from two providers through two
+ interfaces in several ways.
+
+ a) Only ethernet (or ethernet-like) interfaces can be used. For
+ inbound traffic, the MAC addresses of the gateway routers is used
+ to determine which provider a packet was received through. Note
+ that only routed traffic can be categorized using this technique.
+
+ b) You must specify the address on the interface that corresponds to
+ a particular provider in the INTERFACE column by following the
+ interface name with a colon (":") and the address.
+
+ c) Entries in /etc/shorewall/masq must be qualified by the provider
+ name (or number).
+
+ d) This feature requires Realm Match support in your kernel and
+ iptables. If you use a capabilities file, you need to regenerate
+ the file with Shorewall 4.2 or Shorewall-lite 4.2.
+
+ e) You must add route_rules entries for networks that are accessed
+ through a particular provider.
+
+ f) If you have additional IP addresses through either provider,
+ you must add route_rules to direct traffic FROM each of those
+ addresses through the appropriate provider.
+
+ g) You must add MARK rules for any traffic that you know originates
+ from a particular provider.
+
+ Example:
+
+ Providers Blarg (1) and Avvanta (2) are both connected to
+ eth0. The firewall's IP address with Blarg is 206.124.146.176/24
+ (gateway 206.124.146.254) and the IP address from Avvanta is
+ 130.252.144.8/24 (gateway 130.252.144.254). We have a second IP
+ address (206.124.146.177) from Blarg.
+
+ /etc/shorewall/providers:
+
+ #PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY
+ Blarg 1 1 main eth0:206.124.146.176 206.124.146.254 ...
+ Avvanta 2 2 main eth0:130.252.144.8 130.252.144.254 ...
+
+ /etc/shorewall/masq:
+
+ #INTERFACE SOURCE ADDRESS
+ eth0(Blarg) 130.252.144.8 206.124.146.176
+ eth0(Avvanta) 206.124.146.176 130.252.144.8
+ eth0(Blarg) eth1 206.124.146.176
+ eth0(Avvanta) eth1 130.252.144.8
+
+ /etc/shorewall/route_rules:
+
+ #SOURCE DEST PROVIDER PRIORITY
+ - 206.124.146.0/24 Blarg 1000
+ - 130.252.144.0/24 Avvanta 1000
+ 206.124.146.177 - Blarg 26000
+
+ /etc/shorewall/tcrules
+
+ #MARK/CLASSIFY SOURCE DEST
+ 1 eth0:206.124.146.0/24 0.0.0.0/0
+ 2 eth0:130.242.144.0/24 0.0.0.0/0
+
+2) You may now include the name of a table (nat, mangle or filter) in
+ a 'shorewall refresh' command by following the table name with a
+ colon (e.g., mangle:). This causes all non-builtin chains in the
+ table to be reloaded.
+
+ Example:
+
+ shorewall refresh nat:
+
+3) When no chain name is given to the 'shorewall refresh' command, the
+ mangle table is refreshed along with the blacklist chain (if
+ any). This allows you to modify /etc/shorewall/tcrules and install
+ the changes using 'shorewall refresh'.
+
+4) Support for the NFLOG log target has been added. NFLOG is a
+ successor to ULOG. In addition, both ULOG and NFLOG may be followed
+ by a list of up to three numbers in parentheses.
+
+ The first number specifies the netlink group (1-32). If omitted
+ (e.g., NFLOG(,0,10)) then a value of 1 is assumed.
+
+ The second number specifies the maximum number of bytes to copy. If
+ omitted, 0 (no limit) is assumed.
+
+ The third number specifies the number of log messages that should
+ be buffered in the kernel before they are sent to user space. The
+ default is 1.
+
+ Examples:
+
+ /etc/shorewall/shorewall.conf:
+
+ MACLIST_LOG_LEVEL=NFLOG(1,0,1)
+
+ /etc/shorewall/rules:
+
+ ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080
+
+5) Shorewall-perl 4.2 implements an alternative syntax for macro
+ parameters and for the NFQUEUE queue number. Rather than following
+ the macro name (or NFQUEUE) with a slash ("/") and the parameter,
+ the parameter may be enclosed in parentheses.
+
+ Examples -- each pair shown below are equivalent:
+
+ DNS/ACCEPT DNS(ACCEPT)
+ NFQUEUE/3 NFQUEUE(3)
+
+ The old syntax will still be accepted but will cease to be documented
+ in some future Shorewall release.
+
+6) Shorewall 4.2 contains enhanced operational logging capabilities
+ through a set of related enhancements to Shorewall-common and
+ Shorewall-perl. The enhancements are not supported by
+ Shorewall-shell nor are they supported by Shorewall-lite except
+ when the script is compiled using Shorewall-perl.
+
+ a) The STARTUP_LOG option in /etc/shorewall/shorewall.conf gives
+ the name of the Shorewall operational log. The log will be
+ created if it does not exist.
+
+ b) The LOG_VERBOSITY option in /etc/shorewall/shorewall.conf gives
+ the verbosity at which logging will occur. It uses the same
+ value range as VERBOSITY:
+
+ -1 Do not log
+ 0 Almost quiet
+ 1 Only major steps
+ 2 Verbose
+
+ c) An absolute VERBOSITY may be specified on the command line
+ using the -v option followed by -1,0,1 or 2.
+
+ Example:
+
+ shorewall -v2 check
+
+ d) The /etc/init.d/shorewall script supplied with the
+ shorewall.net packages sets '-v0' as the default. This may be
+ overridden with the OPTIONS setting in /etc/defaults/shorewall or
+ /etc/sysconfig/shorewall.
+ + Logging occurs on both Shorewall-perl and the generated script when + the following commands are issued: + + start + restart + refresh + + Messages in the log are always timestamped. + + This change implemented two new options to the Shorewall-perl + compiler (/usr/share/shorewall-perl/compiler.pl). + + --log= + --log_verbosity={-1|0-2} + + The --log option is ignored when --log_verbosity is not supplied or + is supplied with value -1. + + To avoid a proliferation of parameters to + Shorewall::Compiler::compile(), that function has been changed to + use named parameters. Parameter names are: + + object Object file. If omitted or '', the + configuration is syntax checked. + directory Directory. If omitted or '', configuration + files are located using + CONFIG_PATH. Otherwise, the directory named by + this parameter is searched first. + verbosity Verbosity; range -1 to 2 + timestamp 0|1 -- timestamp messages. + debug 0|1 -- include stack trace in warning/error + messages. + export 0|1 -- compile for export. + chains List of chains to be reloaded by 'refresh'. + log File to log compiler messages to. + log_verbosity Log Verbosity; range -1 to 2. + + Those parameters that are supplied must have defined values. + + Defaults are: + + object '' ('check' command) + directory '' + verbosity 1 + timestamp 0 + debug 0 + export 0 + chains '' + log '' + log_verbosity -1 + + + Example: + + use lib '/usr/share/shorewall-perl/'; + use Shorewall::Compiler; + + compiler( object => '/root/firewall', + log => '/root/compile.log', + log_verbosity => 2 ); + +7) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero + mark values < 256 to be assigned in the OUTPUT chain. This has been + changed so that only high mark values may be assigned + there. Packet marking rules for traffic shaping of packets + originating on the firewall must be coded in the POSTROUTING chain. + +8) Previously, Shorewall did not range-check the value of the + VERBOSITY option in shorewall.conf. 
Beginning with Shorewall 4.2: + + a) A VERBOSITY setting outside the range -1 through 2 is rejected. + b) After the -v and -q options are applied, the resulting value is + adjusted to fall within the range -1 through 2. + +9) The tcdevices file has been extended to include an OPTIONS + column. Currently only a single option is defined. + + classify When specified, you must use explicit CLASSIFY tcrules + to classify traffic by class. Shorewall will not create + any CLASSIFY rules to classify traffic by mark value. + + See http://www.shorewall.net/traffic_shaping.htm for further + information. + +10) COMMENT lines are now supported in macro bodies by Shorewall-perl + and are ignored by the Shorewall-shell compiler. + + COMMENT lines in macros work slightly differently from COMMENT + lines in other files. COMMENT lines in macros are ignored if + COMMENT support is not available or if there was a COMMENT in use + when the top-level macro was invoked. This allows the + following: + + /etc/shorewall/macro.SSH: + + #ACTION SOURCE PROTO DEST SOURCE RATE USER/ + # PORT(S) PORT(S) LIMIT GROUP + COMMENT My SSH Macro + PARAM - - tcp 22 + + /etc/shorewall/rules: + + COMMENT Allow SSH from home + SSH/ALLOW net:$MYIP $FW + COMMENT + + The comment line in macro.SSH will not override the + COMMENT line in the rules file and the generated rule will show + + /* Allow SSH from home */ + + when displayed through the Shorewall show and dump commands. + + If a macro is invoked and there is no current comment, then the + name of the macro automatically becomes the current comment. This + makes macros self-commenting. + +11) If the program named in SHOREWALL_SHELL doesn't exist or is not + executable, Shorewall and Shorewall-lite now both fall back to + /bin/sh after issuing a warning message. Previously, both + terminated with a fatal error. + +12) Shorewall-perl now generates fatal error conditions if there are + no IPv4 zones defined or there are no interfaces defined. 
+ +13) Shorewall now unconditionally uses tc filter rules to classify + traffic by MARK value. Previously, Shorewall used the CLASSIFY + target in the POSTROUTING chain if it was available. + +14) The Shorewall installers (install.sh) now work on Windows + under Cygwin. By default, they install under the user id and group + of the person doing the install. This can be overridden by + specifying OWNER and GROUP explicitly. + + Example: + + OWNER=foo GROUP=bar ./install.sh + + To install Shorewall-perl under Cygwin: + + $ tar -zxf shorewall-perl-4.x.y.tar.bz2 + $ tar -zxf shorewall-common-4.x.y.tar.bz2 + $ cd shorewall-perl-4.x.y + $ ./install.sh + $ cd ../shorewall-common-4.x.y + $ ./install.sh + + The 'shorewall' program is installed in /bin/ (a.k.a, /usr/bin/). + +15) When installing on Cygwin, /etc/shorewall is no longer fully + populated. Rather, only the shorewall.conf and params files are + installed. As always, the full configuration file set is installed + in /usr/share/shorewall/configfiles. + +16) Specifying a destination zone in a NAT-only rule now generates a + warning and the destination zone is ignored. NAT-only rules are: + + NONAT + REDIRECT- + DNAT- + +17) The /etc/shorewall/masq and /etc/shorewall/nat file now accept a + comma-separated list of interface names where before only a single + interface name could be listed (Shorewall-perl only). + + This feature is not for beginners. It iterates over the + list of interfaces, substituting each interface in place of the + list and processing the resulting entry according to the semantics + of earlier Shorewall versions. If you don't know where to use this, + don't try. 
+ + Example 1: + + /etc/shorewall/masq: + + #INTERFACE SOURCE ADDRESS + eth0,eth1 eth2 1.2.3.4 + + equivalent to: + + #INTERFACE SOURCE ADDRESS + eth0 eth2 1.2.3.4 + eth1 eth2 1.2.3.4 + + Example 2: + + /etc/shorewall/masq: + + #INTERFACE SOURCE ADDRESS + eth0,eth1::192.168.1.0/24 eth2 1.2.3.4 + + equivalent to: + + #INTERFACE SOURCE ADDRESS + eth0::192.168.1.0/24 eth2 1.2.3.4 + eth1::192.168.1.0/24 eth2 1.2.3.4 + + Example 3: + + /etc/shorewall/nat: + + #EXTERNAL INTERFACE INTERNAL + 206.124.146.178 eth0,wlan0 192.168.1.3 + + equivalent to: + + #EXTERNAL INTERFACE INTERNAL + 206.124.146.178 eth0 192.168.1.3 + 206.124.146.178 wlan0 192.168.1.3 + +18) Previously, the INTERFACE name used in the masq, nat and netmap + files had to exactly match the name of an interface from the + interfaces file. Beginning with Shorewall-perl 4.1.4, the + interface may loosely match a wildcard entry in the interfaces + file. + + Example: + + /etc/shorewall/interfaces: + + vpn tun+ + + /etc/shorewall/masq: + + tun1 192.168.4.0/24 + +19) Previously, Shorewall classified non-firewall zones as either + 'simple' or 'complex'. Attributes of a zone which made it 'complex' + included: + + - The zone was of type 'ipsec' or 'ipsec4' or it had a hosts + entry with the 'ipsec' options. + - The zone had OPTIONS, IN OPTIONS or OUT OPTIONS + - The zone had more than one network on a given interface + - The zone had a hosts file entry with an exclusion. + - The zone had a hosts file entry specifying an ipset. + + The handling of 'simple' and 'complex' zones was different. + + - complex zones had their own 'forward' chain (named + '_frwd'). + - complex zones with exclusions had their own 'input' and + 'output' chains. + + Beginning with Shorewall-perl 4.2, all non-firewall zones will be + treated as 'complex'. This will have the effect of one additional + filter chain per zone but in most cases, the average number of + filter rules traversed by a connection request will be reduced. 
+ +20) The need for interface-specific chains (such as eth0_in, eth4_fwd, + etc.) in the filter table has been drastically reduced. This has + the effect of reducing the average number of rules that each packet + must traverse. + +21) The default value for LOG_MARTIANS is now 'Yes' ('On' in + Shorewall-perl). Previously, the default value was 'No' ('Off' in + Shorewall-perl). The shorewall.conf file has also been + updated to specify a value of 'Yes' (which is interpreted as 'On' + by Shorewall-perl). + +22) Shorewall-perl now generates an error when a MAC address appears in + a traffic shaping rule in the OUTPUT or POSTROUTING chains. + +23) Macros are now self-commenting under control of a new AUTO_COMMENT + option in shorewall.conf. When this option is set, if there is not + a current comment when a macro is invoked, the behavior under + Shorewall-perl is as if the first line of the macro file was + "COMMENT ". + + So, if you have this rule: + + SSH/ACCEPT loc fw + + then the generated netfilter rule will include "/* SSH */" when + viewed with 'iptables -L' or 'shorewall show loc2fw' or 'shorewall + dump'. + + The AUTO_COMMENT option has a default value of 'Yes' and is only + available under Shorewall-perl. The option is ignored by + Shorewall-shell. + +24) The default value for the IMPLICIT_CONTINUE option has been changed + to 'No'. + +25) Shorewall-perl now supports an 'l2tp' tunnel type. It opens UDP + port 1701 in both directions and assumes that the source port will + also be 1701. Some implementations (particularly OS X) use a + different source port. In that case, you should use + 'generic:udp:1701' rather than 'l2tp'. + +26) The /etc/shorewall/tcdevices and /etc/shorewall/tcclasses files + have undergone some changes, especially when the 'classify' option + has been specified. + + Normally Shorewall assigns interface numbers sequentially to + devices listed in /etc/shorewall/tcdevices. 
Beginning with + Shorewall 4.1.6, you can explicitly specify inteface numbers by + prefixing the interface name with the interface number and a colon: + + Example: + + #INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS + 1:eth0 1300kbit 384kbit classify + 2:eth1 5600kbit 1000kbit + + In /etc/shorewall/tcclasses: + + a) You can specify the INTERFACE using either the interface name + or interface number. + + b) classes associated with devices which have the 'classify' + option _must_ specify a class number by following the interface + name/number with a colon (":") and the class number. The same + class number may be used for classes defined on different + interfaces but a class number may not be the same as any + interface number. + + A class number may be specified when 'classify' has not been + specified for the associated device. When a class number has not + been given, the default class number remains the mark value + prefixed by "1". + +27) Shorewall now supports Intermediate Functional Block (IFB) devices. + These devices allow shaping of incoming traffic. + + The 'ifb' module is available in the kernels included with today's + distributions. You must load the module manually: + + If your distribution has modprobe: + + modprobe ifb [ numifbs= ] + + Otherwise: + + insmod /ifb.ko [ numifbs= ] + + By default, the module automatically creates two IFB devices (ifb0 + and ifb1). To create only one, specify 'numifbs=1'. 
+ + Example: + + ursa:~ # modprobe ifb numifbs=1 + ursa:~ # ip link ls + 1: lo: mtu 16436 qdisc noqueue + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000 + link/ether cc:2b:cb:24:1b:00 brd ff:ff:ff:ff:ff:ff + 3: wlan0: mtu 1500 qdisc pfifo_fast qlen 1000 + link/ether 00:1a:73:db:8c:35 brd ff:ff:ff:ff:ff:ff + 4: ifb0: mtu 1500 qdisc noop qlen 32 + link/ether 26:99:d8:7d:32:26 brd ff:ff:ff:ff:ff:ff + ursa:~ # + + After you have created the IFB(s), you must bring it(them) up: + + ip link set dev ifb0 up + + You can place all of this in /etc/shorewall/init as follows: + + modprobe ifb numifbs=1 + ip link set dev ifb0 up + + The /etc/shorewall/tcdevices file has been extended to include an + additional REDIRECTED DEVICES column. To convert your configuration + to use an IFB: + + a) Look at your current /etc/shorewall/tcdevices file. Suppose you + have: + + #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS + eth0 1300kbit 384kbit - + + Change it as follows: + + #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED + # DEVICES + eth0 - 384kkbit - + ifb0 - 1300kbit - eth0 + + Note that the old IN-BANDWIDTH for eth0 has become the + OUT-BANDWIDTH for ifb0 and that neither device has an + IN-BANDWIDTH in the new configuration. + + Finally note that eth0 has been specified as a REDIRECTED device + for the IFB. + + b) There are no Netfilter hooks between the real device (eth0) and + the IFB (ifb0). So tcrules cannot be used to specify shaping of + traffic leaving the IFB. To allow that traffic to be classified, + a new /etc/shorewall/tcfilters file has been added. + + /etc/shorewall/tcfilters can be used for classifying traffic on + any interface. When using entries in that file, it is important + to realize that those entries act on packets as they appear 'on + the wire'. That means that on output, SNAT/MASQUERADE has been + applied and on input (output to an IFB), DNAT has not yet been + applied. 
+ + Columns in the file are: + + INTERFACE:CLASS + + The interface name or number followed by a colon (":") + and the class number. + + SOURCE + Source IP address. May be a host or network address. + Specify "-" if any SOURCE address should match. + + DEST + Destination IP address. May be a host or network + address. Specify "-" if any DEST address should match. + + PROTO + Protocol Name/Number. Specify "-" if any PROTO should + match. + + DEST PORT(S) + A comma-separated list of destination ports. May only + be given if the PROTO is tcp, udp, icmp or + sctp. Port ranges may be used, except when the PROTO is + icmp. Specify "-" if any PORT should match. + + SOURCE PORT(S) + A comma-separated list of source port. May only be + given if the PROTO is tcp, udp or sctp. Port ranges + may be used unless the protocol is icmp. Specify "-" if + any PORT should match. + + Entries in /etc/shorewall/tcfilters generate U32 tc filters which + may be displayed using the "shorewall show filters" ("shorewall-lite + show filters") command. Note: The 'show filters' command is an + alias for the existing 'show classifiers' command. + + Note that /etc/shorewall/tcfilters provides a usable alternative to + HIGH_ROUTE_MARKS=Yes. You can use marks to select between providers + and use entries in /etc/shorewall/tcfilters (or CLASSIFY tcrules) + for traffic shaping. + +28) If an interface fails when using balanced multi-ISP routing, the + default route is lost. If there are remaining working interfaces + with dynamic gateway addresses, Shorewall will be unable to + determine those gateways. + + Beginning with Shorewall (Shorewall-lite) 4.1.7, the 'init' script + may participate in gateway detection by setting variables with + pre-determined names as follows: + + _GATEWAY + + where is the interface name: + + - in upper case + - with any characters not allowed in shell variable names + replaced by '_'. 
+ + Example (from OpenWRT): + + Interface: eth0.1 + Variable: ETH0_1_GATEWAY + /etc/shorewall/init: + + ETH0_1_GATEWAY=$(uci get /var/state/network.wan0.gateway) + +29) A new CONNBYTES column has been added to the tcrules file. The + column defines a byte or packet range that the connection must fall + within in order for the rule to match. The contents are: + + [!]:[[:{O|R|B}[:{B|P|A}]]] + + ! matches if the the packet/byte count is not within the range + defined by and . + + is an integer which defines the beginning of the byte/packet + range. + + is an integer which defines the end of the byte/packet range. + If omitted, only the beginning of the range is checked. + + The first letter gives the direction which the range refers to: + + O - The original direction of the connection. + R - The opposite direction from the original connection. + B - The total of both directions. + + If omitted, 'B' is assumed. + + The second letter determins what the range refers to. + + B - Bytes + P - Packets + A - Average packet size. + + If omitted, 'B' is assumed. + + Examples: + + 1000000: - Connection has transferred a total of + at least 1,000,000 bytes. + + 1000000::R - Connection has transferred at least + 1,000,000 bytes in the direction opposite + of the original direction (typical of a + large download). + + 1000000::O:P - Connection has sent at least 1,000,000 + packets in the direction of the original + connection. + +30) A new MANGLE_ENABLED option is added to shorewall.conf. The default + setting is 'Yes' which causes Shorewall to assume responsibility for + the Netfilter mangle table. + + When MANGLE_ENABLED is set to 'No', Shorewall assumes no + responsibility for that table. In this setting: + + a) Shorewall doesn't alter the mangle table. + b) You may not use Shorewall Traffic Shaping (TC_ENABLED must be + set to 'No'. + c) The tcrules file is ignored. + d) The providers file must be empty. 
+ e) All entries in tcdevices must specify the 'classify' option and + traffic classification may only occur using the tcfilters file. + + This allows for another application running on your firewall to + take over the mangle table and use it for it's own purposes. + +31) Shorewall-perl now supports an ORIGINAL DEST column in macro files. + The column must be left empty if the macro is to be used in the + body of an action. + + The new column is placed between the SOURCE PORT(S) and RATE LIMIT + columns. So that Shorewall-perl can determine which column layout + each macro has, a new FORMAT directive is added: + + FORMAT {1|2} + + The default is FORMAT 1 which is the old format. FORMAT 2 specifies + that the macro is in the new format. + +32) Shorewall-perl implements a new Rfc1918 macro that deals with + RFC 1918 addresses. This macro should be used in place of + the 'norfc1918' interface option which is deprecated. + + The macro body is: + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ + # PORT(S) PORT(S) DEST LIMIT GROUP + FORMAT 2 + PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \ + DEST - - - - - - + PARAM SOURCE DEST - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + + The 'norfc1918' option on the interface associated with zone 'z' + and with RFC1018_STRICT=Yes is equivalent to: + + Rfc1918(DROP) z all + +33) A better way to perform RFC 1918 filtration is to null-route the + address ranges reserved by RFC 1918. You can do that by setting the + new NULL_ROUTE_RFC1918 option to 'Yes' in shorewall.conf. + + It is highly recommended that you also set ROUTE_FILTER=Yes to get + Martian messages. These will help diagnose problems where you need + to be able to access hosts with RFC 1918 addresses that are outside + of your local networks. Sometimes, these can be subtle such as the + case where your ISP is using RFC 1918 addresses on their DHCP + servers. 
+ + NULL_ROUTE_RFC1918 defaults to 'No' and is only supported by + Shorewall-perl; Shorewall-shell ignores the option. + +34) There is now a macro.SANE which supports network-attached + scanners. Shorewall now automatically loads the sane connection + tracking helper module. + + Thanks for this feature go to Tuomo Soini. + +35) Previously, when IP_FORWARDING=Yes in shorewall.conf, Shorewall + would enable ip forwarding before instantiating the rules. This + could lead to incorrect connection tracking entries being created + between the time that forwarding was enabled and when the nat table + rules were instantiated. + + Beginning with Shorewall 4.0.11 and 4.1.7, enabling of forwarding + is deferred until after the rules are in place. + +36) When using Shorewall-perl, the CEIL and RATE columns must now + contain arithmetic expressions consisting of: + + a) Numeric digits (Hex numbers not allowed). + b) Parentheses. + c) The arithmetic operators +-* and /. + d) The word 'full'. + +37) The installers (install.sh) now auto-detect a Cygwin environment + and install under the current user's ID if OWNER and GROUP are not + given. + +38) The 'start' and 'restart' commands now support a '-p' (purge) + option which cause all entries to be removed from the Netfilter + conntrack table. In order to use this option, the 'conntrack' + utility must be installed on your system. Although it is generally + not installed by default, Most distributions have this utility in + their repositories. + +39) A 'save' extension script is added. The script is run after + iptables-save has completed successfully. + + The 'load' and 'reload' commands copy the save script (if any) to + /etc/shorewall-lite/ on the remove firewall system. The 'export' + command copies the file to the same directory as the 'firewall' and + 'firewall.conf' scripts. 
+ + I have the following commands in my 'save' script: + + [ -s /root/ipsets.save ] && cp -a /root/ipsets.save /root/ipsets.save.backup + ipset -S > /root/ipsets.save + + These commands complement my 'init' script: + + qt modprobe ifb numifbs=1 + qt ip link set dev ifb0 up + + if [ "$COMMAND" = start ]; then + ipset -U :all: :all: + ipset -U :all: :default: + ipset -F + ipset -X + ipset -R < /root/ipsets.save + fi + + Those two scripts allow me to save and restore the contents of my + ipsets automatically under Shorewall-perl/Shorewall-lite (my + routestopped file does not use ipsets). + +40) A HELPER column is included in the tcrules file. The value in this + column names one of the Netfilter protocol 'helper' module sets + (ftp, sip, amanda, etc). + + See http://www.shorewall.net/traffic_shaping.htm for an example. + +41) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl. + +42) Farkas Levante has contributed a macro.Mail macro that covers SMTP, + SMTPS and submission. + +43) Beginning with Shorewall 4.0.0, the -f option was no longer the + default for '/etc/init.d/shorewall start'. Beginning with 4.0.13 + and 4.2.0-Beta3, this is also true for Shoreawall-lite. + +44) A new USE_DEFAULT_RT option has been added to shorewall.conf. When + set to 'Yes', it causes the Shorewall multi-ISP feature to create + a different set of routing rules which are resilient to changes in + the main routing table. Such changes can occur for a number of + reasons, VPNs going up and down being an example. + + The idea is to send packets through the main table prior to + applying any of the Shorewall-generated routing rules. So changes + to the main table will affect the routing of packets by default. + + When USE_DEFAULT_RT=Yes: + + a) Both the DUPLICATE and the COPY columns in the providers file + must remain empty (or contain "-"). + + b) The default route is added to the the 'default' table rather + than to the main table. 
+ + c) 'balance' is assumed unless 'loose' is specified. + + d) Packets are sent through the main routing table by a rule with + priority 999. In /etc/shorewall/routing_rules, the range 1-998 + may be used for inserting rules that bypass the main table. + + e) All provider gateways must be specified explicitly in the + GATEWAY column. 'detect' may not be specified. + + f) You should disable all default route management outside of + Shorewall. If a default route is added to the main table while + Shorewall is started, then all policy routing will stop working + (except for those routing rules in the priority range 1-998). + +45) The 'shorewall restart' command now supports an -f option. When + this option is specified, no compilation occurs; rather, the script + which last started or restarted Shorewall is used. + +46) A macro supporting RNDC (BIND remote management protocol) traffic + has been added. It can be used as any other macro (e.g., RNDC/ACCEPT) + in the rules file. + +47) If 'NONAT' is specified in the ADDRESS column of an entry in + /etc/shorewall/masq, then traffic matching that entry is not + passed to the entries that follow. + +New Features added in Shorewall 4.2.1 + +1) With the recent renewed interest in DOS attacks, it seems + appropriate to have connection limiting support in Shorewall. To + that end, a CONNLIMIT column has been added to both the policy and + rules files. + + The content of these columns is of the format + + [!] [:] + + where + + is the limit on simultaneous TCP connections. + + specifies the size of the network to which + the limit applies and is specified as a + CIDR mask length. The default value for + is 32 which means that each remote + IP address can have TCP connections + active at once. + + ! Not allowed in the policy file. In the rules file, it + causes connections to match when the number of + current connections exceeds . 
+ + When specified in the policy file, the limit is enforced on all + connections that are subject to the given policy (just like + LIMIT:BURST). The limit is checked on new connections before the + connection is passed through the rules in the NEW section of the + rules file. + + It is important to note that while the limit is only checked for + those destinations specified in the DEST column, the number of + current connections is calculated over all destinations and not + just the destination specified in the DEST column. + + Use of this feature requires the connlimit match capability in your + kernel and iptables. If you use a capabilities file when compiling + your Shorewall configuration(s), then you need to regenerate the + file using Shorewall or Shorewall-lite 4.2.1. + +2) Shorewall now supports time/date restrictions on entries in the + rules file via a new TIME column. + + The contents of this column is a series of one or more "time + elements" separated by apersands ("&"). Possible time elements are: + + utc Times are expressed in Greenwich Mean Time. + localtz Times are expressed in local civil time (default) + timestart=hh:mm[:ss] + timestop=hh:mm[:ss] Start and stop time of day for rule + weekdays=ddd[,ddd]... where ddd is Mon,Tue,Wed,Thu,Fri,Sat or + Sun + monthdays=dd[,dd]... where dd is an ordinal day of the month. + datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]] + datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]] + where yyyy = Year + first mm = Month + dd = Day + hh = Hour + 2nd mm = Minute + ss = Second + + Examples: + + 1) utc×tart=10:00×top=12:00 + + Between 10am and 12 noon each day, GMT + + 2) datestart=2008-11-01T12:00 + + Beginning November 1, 2008 at noon LCT. + + Use of this feature requires the time match capability in your + kernel and iptables. If you use a capabilities file when compiling + your Shorewall configuration(s), then you need to regenerate the + file using Shorewall or Shorewall-lite 4.2.1. 
+ +3) If your kernel and iptables support "-m conntrack --ctorigdstport" + then Shorewall will utilize that capability to ensure that when you + do port mapping (change the destination port but not the + destination IP address), the final destination port is not opened + as a side effect. + + Example: + + DNAT net loc:206.124.146.177:22 tcp 2222 - 206.124.146.177 + + That rule maps port 2222 -> 22 but without this new feature, it + also opens port 22 directly. + + To use this feature, you must be running Shorewall-perl and the + output of 'shorewall show capabilities' must show: + + Extended Connection Tracking Match Support: Available + +New Featurs in Shorewall 4.2.2 + +1) A macro supporting JAP (anonymization protocol) has been added. + It can be used as any other macro (e.g., JAP/ACCEPT) in the rules + file. + +2) A macro supporting DAAP (Digital Audio Access Protocol) has been added. + It can be used as any other macro (e.g., DAAP/ACCEPT) in the rules + file. + +3) A macro supporting DCC (Distributed Checksum Clearinghouse) has been + added. It can be used as any other macro (e.g., DCCP/ACCEPT) in the + rules file. + +4) A macro supporting GNUnet (secure peer-to-peer networking) has been + added. It can be used as any other macro (e.g., GNUnet/ACCEPT) in the + rules file. + +5) In 4.2.1, a single capability ("Extended conntrack match support") + was used both to control the use of --ctorigport and to trigger use + of the new syntax for inversion of --ctorigdst (e.g., "! + --ctorigdst ..."). In 4.2.2, these are controlled by two separate + capabilities. If you use a capabilities file when compiling your + configuration, be sure to generate a new one after installing + 4.2.2. + +Problems corrected in Shorewall 4.2.1 + +1) A description of the CONNBYTES column has been added to + shorewall-tcrules(5). + +2) Previously, Shorewall-perl would accept zero as the value in + the CONNBYTES column of tcrules even when the field was + non-zero. 
A value of zero for was equivalent to omitting + . + +3) iptables 1.4.1 discontinued support of syntax generated by + shorewall in some cases. Shorewall now detects when the new syntax + is required and uses it instead. + +4) The Shorewall-perl implementation of the LENGTH column in + /etc/shorewall/tcrules was incomplete with the result that + all LENGTH rules matched. Thanks to Lennart Sorensen for the patch. + +5) The 'export' command no longer fails with the error: + + /sbin/shorewall: 1413: Syntax error: "(" unexpected (expecting "fi") + +Problems corrected in Shorewall 4.2.2 + +1) Shorewall-perl now insures that each line copied from a + configuration file or user exit is terminated with a newline + character. + +2) When ipranges were used to define zones, Shorewall-perl could + generate invalid iptables-restore input if 'Repeat Match' was not + available. Repeat Match is not a true match -- it rather is a + feature of recent iptables releases that allows a match to be + repeated within a rule. + +3) With Shorewall-perl, if a destination port list had exactly 16 + ports, where a port-range counts as two ports, then Shorewall-perl + would fail to split the rule into multiple rules and an + iptables-restore error would result. + +4) The change to Shorewall-perl in 4.2.1 that promised iptables 1.4.1 + compatibility contained a typo that prevented it from working + correctly. + +5) If a no-NAT rule (DNAT-, ACCEPT+, NONAT) included a destination IP + address and no zone name in the DEST column, Shorewall-perl would + reject the rule. If a zone name was specified, Shorewall-perl + would issue a Warning message. + diff --git a/Shorewall-common/rfc1918 b/Shorewall-common/rfc1918 new file mode 100644 index 000000000..abdfc2825 --- /dev/null +++ b/Shorewall-common/rfc1918 
@@ -0,0 +1,9 @@
+#
+# Shorewall version 4 - Rfc1918 File
+#
+###############################################################################
+#SUBNETS TARGET
+172.16.0.0/12 logdrop # RFC 1918
+192.168.0.0/16 logdrop # RFC 1918
+10.0.0.0/8 logdrop # RFC 1918
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/route_rules b/Shorewall-common/route_rules
new file mode 100644
index 000000000..53ae2c76b
--- /dev/null
+++ b/Shorewall-common/route_rules
@@ -0,0 +1,9 @@
+#
+# Shorewall version 4 - route_rules File
+#
+# For information about entries in this file, type "man shorewall-route_rules"
+#
+# For additional information, see http://www.shorewall.net/MultiISP.html
+##############################################################################
+#SOURCE DEST PROVIDER PRIORITY
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/routestopped b/Shorewall-common/routestopped
new file mode 100644
index 000000000..91fb28c9c
--- /dev/null
+++ b/Shorewall-common/routestopped
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Routestopped File
+#
+# For information about entries in this file, type "man shorewall-routestopped"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-routestopped.html
+#
+# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
+###############################################################################
+#INTERFACE HOST(S) OPTIONS
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/rules b/Shorewall-common/rules
new file mode 100644
index 000000000..dbfe994cc
--- /dev/null
+++ b/Shorewall-common/rules
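Review bot: The rfc1918 skeleton is the only one of the four new config files in this commit whose header gives neither a manpage pointer nor any hint of its status, even though the release notes added by the same commit (items 32 and 33) say the 'norfc1918' interface option is deprecated in favor of the Rfc1918 macro and NULL_ROUTE_RFC1918. If this file is what that option reads, as its name suggests, a reader copying it into /etc/shorewall will keep building on a deprecated mechanism without knowing. I would add, after the title line, `# For information about entries in this file, type "man shorewall-rfc1918"` and `# NOTE: the 'norfc1918' interface option is deprecated; prefer the Rfc1918 macro or NULL_ROUTE_RFC1918 in shorewall.conf.` The three logdrop entries themselves are fine as a default.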
@@ -0,0 +1,15 @@
+#
+# Shorewall version 4 - Rules File
+#
+# For information on the settings in this file, type "man shorewall-rules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-rules.html
+#
+####################################################################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
+# PORT PORT(S) DEST LIMIT GROUP
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/shorewall b/Shorewall-common/shorewall
new file mode 100755
index 000000000..6abf579f3
--- /dev/null
+++ b/Shorewall-common/shorewall
@@ -0,0 +1,2014 @@
+#!/bin/sh
+#
+# Shorewall Packet Filtering Firewall Control Program - V4.2
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008 - Tom Eastep (teastep@shorewall.net)
+#
+# This file should be placed in /sbin/shorewall.
+#
+# Shorewall documentation is available at http://www.shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# If an error occurs while starting or restarting the firewall, the
+# firewall is automatically stopped.
+#
+# The firewall uses configuration files in /etc/shorewall/ - skeleton
+# files are included with the firewall.
+#
+# Commands are:
+#
+# shorewall add [:] zone Adds a host or subnet to a zone
+# shorewall delete [:] zone Deletes a host or subnet from a zone
+# shorewall dump Dumps all Shorewall-related information
+# for problem analysis
+# shorewall start Starts the firewall
+# shorewall restart Restarts the firewall
+# shorewall stop Stops the firewall
+# shorewall status Displays firewall status
+# shorewall reset Resets iptables packet and
+# byte counts
+# shorewall clear Open the floodgates by
+# removing all iptables rules
+# and setting the three permanent
+# chain policies to ACCEPT
+# shorewall refresh Rebuild the common chain to
+# compensate for a change of
+# broadcast address on any "detect"
+# interface.
+# shorewall [re]load [ ]
+# Compile a script and install it on a
+# remote Shorewall Lite system.
+# shorewall show [ ... ] Display the rules in each listed
+# shorewall show actions Displays the available actions
+# shorewall show log Print the last 20 log messages
+# shorewall show connections Show the kernel's connection
+# tracking table
+# shorewall show nat Display the rules in the nat table
+# shorewall show {mangle|tos} Display the rules in the mangle table
+# shorewall show tc Display traffic control info
+# shorewall show classifiers Display classifiers
+# shorewall show capabilities Display iptables/kernel capabilities
+# shorewall show vardir Display the VARDIR setting.
+# shorewall version Display the installed version id
+# shorewall check [ -e ] [ ] Dry-run compilation.
+# shorewall try [ ] Try a new configuration and if
+# it doesn't work, revert to the
+# standard one. If a timeout is supplied
+# the command reverts back to the
+# standard configuration after that many
+# seconds have elapsed after successfully
+# starting the new configuration.
+# shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall
+# messages.
+# shorewall drop
... Temporarily drop all packets from the +# listed address(es) +# shorewall reject
... Temporarily reject all packets from the +# listed address(es) +# shorewall allow
... Reenable address(es) previously +# disabled with "drop" or "reject" +# shorewall save [ ] Save the list of "rejected" and +# "dropped" addresses so that it will +# be automatically reinstated the +# next time that Shorewall starts. +# Save the current state so that 'shorewall +# restore' can be used. +# +# shorewall forget [ ] Discard the data saved by 'shorewall save' +# +# shorewall restore [ ] Restore the state of the firewall from +# previously saved information. +# +# shorewall ipaddr {
/ |
} +# +# Displays information about the network +# defined by the argument[s] +# +# shorewall iprange
-
Decomposes a range of IP addresses into +# a list of network/host addresses. +# +# shorewall ipdecimal {
| } +# +# Displays the decimal equivalent of an IP +# address and vice versa. +# +# shorewall safe-start [ ] Starts the firewall and promtp for a c +# confirmation to accept or reject the new +# configuration +# +# shorewall safe-restart [ ] Restarts the firewall and prompt for a +# confirmation to accept or reject the new +# configuration +# +# shorewall compile [ -e ] [ ] +# Compile a firewall program file. + +# +# Set the configuration variables from shorewall.conf +# +# $1 = Yes: read the params file +# $2 = Yes: check for STARTUP_ENABLED +# $3 = Yes: Check for LOGFILE +# +# +get_config() { + + ensure_config_path + + if [ "$1" = Yes ]; then + params=$(find_file params) + + if [ -f $params ]; then + . $params + fi + fi + + config=$(find_file shorewall.conf) + + if [ -f $config ]; then + if [ -r $config ]; then + . $config + else + echo "Cannot read $config! (Hint: Are you root?)" >&2 + exit 1 + fi + else + echo "$config does not exist!" >&2 + exit 2 + fi + + ensure_config_path + + if [ -z "$EXPORT" -a "$(id -u)" = 0 ]; then + # + # This block is avoided for compile for export and when the user isn't root + # + export CONFIG_PATH + + if [ "$3" = Yes ]; then + [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages + + if [ -n "$(syslog_circular_buffer)" ]; then + LOGREAD="logread | tac" + elif [ -f $LOGFILE ]; then + LOGREAD="tac $LOGFILE" + else + echo "LOGFILE ($LOGFILE) does not exist!" >&2 + exit 2 + fi + fi + + if [ -n "$IPTABLES" ]; then + if [ ! 
-x "$IPTABLES" ]; then + echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2 + exit 2 + fi + else + IPTABLES=$(mywhich iptables 2> /dev/null) + if [ -z "$IPTABLES" ] ; then + echo " ERROR: Can't find iptables executable" >&2 + exit 2 + fi + fi + + export IPTABLES + + # + # Compile by non-root needs no restore file + # + [ -n "$RESTOREFILE" ] || RESTOREFILE=restore + + validate_restorefile RESTOREFILE + + export RESTOREFILE + + if [ "$2" = Yes ]; then + case $STARTUP_ENABLED in + No|no|NO) + echo " ERROR: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/shorewall.conf" >&2 + exit 2 + ;; + Yes|yes|YES) + ;; + *) + if [ -n "$STARTUP_ENABLED" ]; then + echo " ERROR: Invalid Value for STARTUP_ENABLE: $STARTUP_ENABLED" >&2 + exit 2 + fi + ;; + esac + fi + + case ${TC_ENABLED:=Internal} in + No|NO|no) + TC_ENABLED= + ;; + esac + + [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" + + [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:" + + export LOGFORMAT + + if [ -n "$STARTUP_LOG" ]; then + if [ -n "$LOG_VERBOSITY" ]; then + case $LOG_VERBOSITY in + -1) + ;; + 0|1|2) + ;; + *) + echo " ERROR: Invalid LOG_VERBOSITY ($LOG_VERBOSITY)" >&2 + exit 2; + ;; + esac + else + LOG_VERBOSITY=2; + fi + else + LOG_VERBOSITY=-1; + fi + + else + STARTUP_LOG= + LOG_VERBOSITY=-1 + fi + + if [ -n "$SHOREWALL_SHELL" ]; then + if [ ! 
-x "$SHOREWALL_SHELL" ]; then + echo " WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2 + SHOREWALL_SHELL=/bin/sh + fi + fi + + case $VERBOSITY in + -1|0|1|2) + ;; + *) + if [ -n "$VERBOSITY" ]; then + echo " ERROR: Invalid VERBOSITY setting ($VERBOSITY)" >&2 + exit 2 + else + VERBOSITY=2 + fi + ;; + esac + + [ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY)) + + if [ $VERBOSE -lt -1 ]; then + VERBOSE=-1 + elif [ $VERBOSE -gt 2 ]; then + VERBOSE=2 + fi + + export VERBOSE + + [ -n "${HOSTNAME:=$(hostname)}" ] + + [ -n "$RSH_COMMAND" ] || RSH_COMMAND='ssh ${root}@${system} ${command}' + [ -n "$RCP_COMMAND" ] || RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' + + case $MANGLE_ENABLED in + Yes|yes) + ;; + No|no) + MANGLE_ENABLED= + ;; + *) + if [ -n "$MANGLE_ENABLED" ]; then + echo " ERROR: Invalid MANGLE_ENABLED setting ($MANGLE_ENABLED)" >&2 + exit 2 + fi + ;; + esac +} + +# +# Run the appropriate compiler +# +compiler() { + local sc + sc=${SHELLSHAREDIR}/compiler + local pc + pc=${PERLSHAREDIR}/compiler.pl + + startup_error() { + echo " ERROR: $@" >&2 + exit 1 + } + + local command + command=$1 + + shift + + if [ $(id -u) -ne 0 ]; then + if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then + startup_error "Ordinary users may not compile the /etc/shorewall configuration" + fi + fi + # + # We've now set SHOREWALL_DIR so recalculate CONFIG_PATH + # + ensure_config_path + + compiler= + haveparams= + + if [ -n "$SHOREWALL_COMPILER" ]; then + compiler="$SHOREWALL_COMPILER" #Compiler specified in /etc/shorewall/shorewall.conf or on the run-line + elif [ -x $sc ]; then + if [ ! -x $pc ]; then + compiler=shell + fi + elif [ -x $pc ]; then + compiler=perl + else + fatal_error "No shorewall compiler installed" + fi + + if [ -z "$compiler" ]; then + # + # Both compilers installed. 
Read the appropriate shorewall.conf to learn the setting of SHOREWALL_COMPILER + # + if [ -n "$SHOREWALL_DIR" ]; then + shell=$SHOREWALL_SHELL + + [ -x $pc ] && set -a + run_user_exit params + set +a + haveparams=Yes + + get_config No No No + + SHOREWALL_SHELL=$shell + fi + # + # And initiate the appropriate compiler + # + if [ -n "$SHOREWALL_COMPILER" ]; then + compiler="$SHOREWALL_COMPILER" + elif [ -x $sc ]; then + compiler=shell + else + compiler=perl + fi + fi + + case $COMMAND in + *start|try|refresh) + ;; + *) + STARTUP_LOG= + LOG_VERBOSITY=-1 + ;; + esac + + [ $command = exec ] || command= + + case "$compiler" in + perl) + debugflags="-w" + [ -n "$DEBUG" ] && debugflags='-wd' + [ -n "$PROFILE" ] && debugflags='-wd:DProf' + + # Perl compiler only takes the output file as a argument + + [ "$1" = debug -o "$1" = trace ] && shift; + [ "$1" = nolock ] && shift; + shift + + options="--verbose=$VERBOSE" + [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG" + [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY"; + [ -n "$EXPORT" ] && options="$options --export" + [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR" + [ -n "$TIMESTAMP" ] && options="$options --timestamp" + [ -n "$TEST" ] && options="$options --test" + [ "$debugging" = trace ] && options="$options --debug" + [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS" + [ -x $pc ] || startup_error "SHOREWALL_COMPILER=perl requires the shorewall-perl package which is not installed" + # + # Run the appropriate params file + # + if [ -z "$haveparams" ]; then + set -a; + run_user_exit params + set +a + fi + + $command perl $debugflags $pc $options $@ + ;; + shell) + [ -x $sc ] || startup_error "SHOREWALL_COMPILER=shell requires the shorewall-shell package which is not installed" + [ -n "$REFRESHCHAINS" ] && startup_error "Shorewall-shell does not support refresh of specific chains" + $command $SHOREWALL_SHELL $sc $@ + ;; + *) + 
startup_error "Invalid value ($SHOREWALL_COMPILER) for SHOREWALL_COMPILER" + ;; + esac +} + +# +# Start Command Executor +# +start_command() { + local finished + finished=0 + + do_it() { + local rc + rc=0 + + progress_message3 "Compiling..." + + if compiler run $debugging $nolock compile ${VARDIR}/.start; then + [ -n "$nolock" ] || mutex_on + ${VARDIR}/.start $debugging start + rc=$? + [ -n "$nolock" ] || mutex_off + else + rc=$? + logger -p kern.err "ERROR:Shorewall start failed" + fi + + exit $rc + } + + if shorewall_is_started; then + error_message "Shorewall is already running" + exit 0 + fi + + [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + C) + [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" + SHOREWALL_COMPILER=$2 + option= + shift + ;; + d*) + DEBUG=Yes + option=${option#d} + ;; + f*) + FAST=Yes + option=${option#f} + ;; + p*) + [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" + PURGE=Yes + option=${option%p} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + case $# in + 0) + ;; + 1) + [ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2 + + if [ ! 
-d $1 ]; then + if [ -e $1 ]; then + echo "$1 is not a directory" >&2 && exit 2 + else + echo "Directory $1 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$(resolve_file $1) + export SHOREWALL_DIR + ;; + *) + usage 1 + ;; + esac + + export NOROUTES + export PURGE + + if [ -n "$FAST" ]; then + if qt mywhich make; then + # + # RESTOREFILE is exported by get_config() + # + make -qf ${CONFDIR}/Makefile || FAST= + fi + + if [ -n "$FAST" ]; then + + RESTOREPATH=${VARDIR}/$RESTOREFILE + + if [ -x $RESTOREPATH ]; then + if [ -x ${RESTOREPATH}-ipsets ]; then + echo Restoring Ipsets... + # + # We must purge iptables to be sure that there are no + # references to ipsets + # + iptables -F + iptables -X + $SHOREWALL_SHELL ${RESTOREPATH}-ipsets + fi + + echo Restoring Shorewall... + $SHOREWALL_SHELL $RESTOREPATH restore + date > ${VARDIR}/restarted + progress_message3 Shorewall restored from $RESTOREPATH + else + do_it + fi + else + do_it + fi + else + do_it + fi +} + +# +# Compile Command Executor +# +compile_command() { + local finished + finished=0 + + while [ $finished -eq 0 ]; do + [ $# -eq 0 ] && usage 1 + option=$1 + case $option in + -*) + shift + option=${option#-} + + [ -z "$option" ] && usage 1 + + while [ -n "$option" ]; do + case $option in + e*) + EXPORT=Yes + option=${option#e} + ;; + p*) + PROFILE=Yes + option=${option#p} + ;; + C) + [ $# -gt 0 ] || fatal_error "-C must be followed by a compiler name" + SHOREWALL_COMPILER=$1 + option= + shift + ;; + t*) + TEST=Yes + option=${option#t} + ;; + d*) + DEBUG=Yes; + option=${option#d} + ;; + -) + finished=1 + option= + ;; + *) + usage 1 + ;; + esac + done + ;; + *) + finished=1 + ;; + esac + done + + file= + + case $# in + 1) + file=$1 + [ -d $file ] && echo " ERROR: $file is a directory" >&2 && exit 2; + ;; + 2) + [ -n "$SHOREWALL_DIR" ] && usage 2 + + if [ ! 
-d $1 ]; then + if [ -e $1 ]; then + echo "$1 is not a directory" >&2 && exit 2 + else + echo "Directory $1 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$(resolve_file $1) + export SHOREWALL_DIR + file=$2 + ;; + *) + usage 1 + ;; + esac + + export EXPORT + + progress_message3 "Compiling..." + + compiler exec $debugging compile $file +} + +# +# Check Command Executor +# +check_command() { + local finished + finished=0 + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + e*) + EXPORT=Yes + option=${option#e} + ;; + p*) + PROFILE=Yes + option=${option#p} + ;; + d*) + DEBUG=Yes; + option=${option#d} + ;; + C) + [ $# -gt 0 ] || fatal_error "-C must be followed by a compiler name" + SHOREWALL_COMPILER=$2 + option= + shift + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + case $# in + 0) + ;; + 1) + [ -n "$SHOREWALL_DIR" ] && usage 2 + + if [ ! -d $1 ]; then + if [ -e $1 ]; then + echo "$1 is not a directory" >&2 && exit 2 + else + echo "Directory $1 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$(resolve_file $1) + export SHOREWALL_DIR + ;; + *) + usage 1 + ;; + esac + + export EXPORT + + progress_message3 "Checking..." 
+
+ compiler exec $debugging $nolock check
+}
+
+#
+# Restart Command Executor
+#
+restart_command() {
+ local finished
+ finished=0
+ local rc
+ rc=0
+
+ while [ $finished -eq 0 -a $# -gt 0 ]; do
+ option=$1
+ case $option in
+ -*)
+ option=${option#-}
+
+ while [ -n "$option" ]; do
+ case $option in
+ -)
+ finished=1
+ option=
+ ;;
+ d*)
+ DEBUG=Yes
+ option=${option#d}
+ ;;
+ f*)
+ FAST=Yes
+ option=${option#f}
+ ;;
+ n*)
+ NOROUTES=Yes
+ option=${option#n}
+ ;;
+ C)
+ [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
+ SHOREWALL_COMPILER=$2
+ option=
+ shift
+ ;;
+ p*)
+ [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+ PURGE=Yes
+ option=${option%p}
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+ done
+ shift
+ ;;
+ *)
+ finished=1
+ ;;
+ esac
+ done
+
+ case $# in
+ 0)
+ ;;
+ 1)
+ [ -n "$SHOREWALL_DIR" ] && usage 2
+
+ if [ ! -d $1 ]; then
+ if [ -e $1 ]; then
+ echo "$1 is not a directory" >&2 && exit 2
+ else
+ echo "Directory $1 does not exist" >&2 && exit 2
+ fi
+ fi
+
+ SHOREWALL_DIR=$(resolve_file $1)
+ [ -n "$FAST" ] && fatal_error "Directory may not be specified with the -f option"
+ export SHOREWALL_DIR
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"
+
+ export NOROUTES
+ export PURGE
+
+ if [ -z "$FAST" ]; then
+ progress_message3 "Compiling..."
+
+ if compiler run $debugging $nolock compile ${VARDIR}/.restart; then
+ [ -n "$nolock" ] || mutex_on
+ $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
+ rc=$?
+ [ -n "$nolock" ] || mutex_off
+ else
+ rc=$?
+ logger -p kern.err "ERROR:Shorewall restart failed"
+ fi
+ else
+ [ -x ${VARDIR}/.restore ] || fatal_error "No ${VARDIR}/.restore file found"
+ [ -n "$nolock" ] || mutex_on
+ $SHOREWALL_SHELL ${VARDIR}/.restore $debugging restart
+ rc=$?
+ [ -n "$nolock" ] || mutex_off
+ fi
+
+ return $rc
+}
+
+#
+# Refresh Command Executor
+#
+refresh_command() {
+ local finished
+ finished=0
+
+ while [ $finished -eq 0 -a $# -gt 0 ]; do
+ option=$1
+ case $option in
+ -*)
+ option=${option#-}
+
+ while [ -n "$option" ]; do
+ case $option in
+ -)
+ finished=1
+ option=
+ ;;
+ C)
+ [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
+ SHOREWALL_COMPILER=$2
+ option=
+ shift
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+ done
+ shift
+ ;;
+ *)
+ finished=1
+ ;;
+ esac
+ done
+
+ if [ $# -gt 0 ]; then
+ REFRESHCHAINS=$1
+ shift
+
+ while [ $# -gt 0 ]; do
+ REFRESHCHAINS="$REFRESHCHAINS,$1"
+ shift
+ done
+ fi
+
+ shorewall_is_started || fatal_error "Shorewall is not running"
+
+ [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"
+
+ export NOROUTES
+
+ progress_message3 "Compiling..."
+
+ if compiler run $debugging $nolock compile ${VARDIR}/.refresh; then
+ [ -n "$nolock" ] || mutex_on
+ $SHOREWALL_SHELL ${VARDIR}/.refresh $debugging refresh
+ rc=$?
+ [ -n "$nolock" ] || mutex_off
+ else
+ rc=$?
+ fi
+
+ return $rc
+}
+
+#
+# Safe-start/safe-restart Command Executor
+#
+safe_commands() {
+ local finished
+ finished=0
+
+ # test is the shell supports timed read
+ read -t 0 junk 2> /dev/null
+ if [ $? -eq 2 -a ! -x /bin/bash ];then
+ echo "Your shell does not support a feature required to execute this command".
+ exit 2
+ fi
+
+ while [ $finished -eq 0 -a $# -gt 0 ]; do
+ option=$1
+ case $option in
+ -*)
+ option=${option#-}
+
+ while [ -n "$option" ]; do
+ case $option in
+ -)
+ finished=1
+ option=
+ ;;
+ n*)
+ NOROUTES=Yes
+ option=${option#n}
+ ;;
+ C)
+ [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
+ SHOREWALL_COMPILER=$2
+ option=
+ shift
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+ done
+ shift
+ ;;
+ *)
+ finished=1
+ ;;
+ esac
+ done
+
+ case $# in
+ 0)
+ ;;
+ 1)
+ [ -n "$SHOREWALL_DIR" ] && usage 2
+
+ if [ !
-d $1 ]; then + if [ -e $1 ]; then + echo "$1 is not a directory" >&2 && exit 2 + else + echo "Directory $1 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$(resolve_file $1) + export SHOREWALL_DIR + ;; + *) + usage 1 + ;; + esac + + [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" + + if shorewall_is_started; then + running=Yes + else + running= + fi + + if [ "$COMMAND" = "safe-start" -a -n "$running" ]; then + # the command is safe-start but the firewall is already running + error_message "Shorewall is already started" + exit 0 + fi + + if [ "$COMMAND" = "safe-start" -o -z "$running" ]; then + # the command is safe-start or shorewall is not started yet + command="start" + else + # the command is safe-restart and the firewall is already running + command="restart" + fi + + progress_message3 "Compiling..." + + if ! compiler run $debugging nolock compile ${VARDIR}/.$command; then + status=$? + exit $status + fi + + case $command in + start) + export RESTOREFILE=NONE + progress_message3 "Starting..." + ;; + restart) + export RESTOREFILE=.safe + RESTOREPATH=${VARDIR}/.safe + save_config + progress_message3 "Restarting..." + ;; + esac + + [ -n "$nolock" ] || mutex_on + + if ${VARDIR}/.$command $command; then + + echo -n "Do you want to accept the new firewall configuration? [y/n] " + + if read_yesno_with_timeout; then + echo "New configuration has been accepted" + else + if [ "$command" = "restart" ]; then + ${VARDIR}/.safe restore + else + ${VARDIR}/.$command clear + fi + + [ -n "$nolock" ] || mutex_off + + echo "New configuration has been rejected and the old one restored" + exit 2 + fi + + fi + + [ -n "$nolock" ] || mutex_off +} + +# +# 'try' Command Executor +# +try_command() { + local finished + finished=0 + local timeout + timeout= + + handle_directory() { + [ -n "$SHOREWALL_DIR" ] && usage 2 + + if [ ! 
-d $1 ]; then + if [ -e $1 ]; then + echo "$1 is not a directory" >&2 && exit 2 + else + echo "Directory $1 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$(resolve_file $1) + export SHOREWALL_DIR + } + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + n*) + NOROUTES=Yes + option=${option#n} + ;; + C) + [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" + SHOREWALL_COMPILER=$2 + option= + shift + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + case $# in + 0) + usage 1 + ;; + 1) + handle_directory $1 + ;; + 2) + handle_directory $1 + timeout=$2 + case $timeout in + *[!0-9]*) + echo " ERROR: Invalid timeout ($timeout)" >&2; + exit 1 + ;; + esac + ;; + *) + usage 1 + ;; + esac + + [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" + + if shorewall_is_started; then + running=Yes + else + running= + fi + + if [ -z "$running" ]; then + # shorewall is not started yet + command="start" + else + # the firewall is already running + command="restart" + fi + + progress_message3 "Compiling..." + + if ! compiler run $debugging $nolock compile ${VARDIR}/.$command; then + status=$? + exit $status + fi + + case $command in + start) + export RESTOREFILE=NONE + progress_message3 "Starting..." + ;; + restart) + export RESTOREFILE=.try + RESTOREPATH=${VARDIR}/.try + save_config + progress_message3 "Restarting..." 
+ ;;
+ esac
+
+ [ -n "$nolock" ] || mutex_on
+
+ if ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
+ sleep $timeout
+
+ if [ "$command" = "restart" ]; then
+ ${VARDIR}/.try restore
+ else
+ ${VARDIR}/.$command clear
+ fi
+ fi
+
+ [ -n "$nolock" ] || mutex_off
+
+ return 0
+}
+
+rsh_command() {
+ command="$*"
+
+ eval $RSH_COMMAND
+}
+
+rcp_command() {
+ files="$1"
+ destination=$2
+
+ eval $RCP_COMMAND
+}
+
+#
+# [Re]load command executor
+#
+reload_command() # $* = original arguments less the command.
+{
+ local verbose
+ verbose=$(make_verbose)
+ local file
+ file=
+ local capabilities
+ capabilities=
+ local finished
+ finished=0
+ local saveit
+ saveit=
+ local result
+ local directory
+ local system
+ local getcaps
+ getcaps=
+ local root
+ root=root
+ local compiler
+ compiler=
+
+ LITEDIR=/var/lib/shorewall-lite
+
+ while [ $finished -eq 0 -a $# -gt 0 ]; do
+ option=$1
+ case $option in
+ -*)
+ option=${option#-}
+
+ while [ -n "$option" ]; do
+ case $option in
+ -)
+ finished=1
+ option=
+ ;;
+ s*)
+ saveit=Yes
+ option=${option#s}
+ ;;
+ c*)
+ getcaps=Yes
+ option=${option#c}
+ ;;
+ r)
+ [ $# -gt 1 ] || fatal_error "Missing Root User name"
+ root=$2
+ option=
+ shift
+ ;;
+ C)
+ [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
+ compiler="-C $2"
+ option=
+ shift
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+ done
+ shift
+ ;;
+ *)
+ finished=1
+ ;;
+ esac
+ done
+
+ case $# in
+ 1)
+ directory="."
+ system=$1
+ ;;
+ 2)
+ directory=$1
+ system=$2
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ litedir=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
+
+ [ -n "$litedir" ] && LITEDIR=$litedir
+
+ if [ -z "$getcaps" ]; then
+ SHOREWALL_DIR=$(resolve_file $directory)
+ ensure_config_path
+ capabilities=$(find_file capabilities)
+ [ -f $capabilities ] || getcaps=Yes
+ fi
+
+ if [ -n "$getcaps" ]; then
+ if [ -f $directory/shorewall.conf ]; then
+ .
$directory/shorewall.conf + ensure_config_path + fi + + progress_message "Getting Capabilities on system $system..." + if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then + fatal_error "ERROR: Capturing capabilities on system $system failed" + fi + fi + + file=$(resolve_file $directory/firewall) + + [ -n "$TIMESTAMP" ] && timestamp='-t' || timestamp= + + if shorewall $debugging $verbose $timestamp compile -e $compiler $directory $directory/firewall && \ + progress_message3 "Copying $file and ${file}.conf to ${system}:${LITEDIR}..." && \ + rcp_command "$directory/firewall $directory/firewall.conf" ${LITEDIR} + then + save=$(find_file save); + + [ -f $save ] && progress_message3 "Copying $save to ${system}:/etc/shorewall-lite/" && rcp_command $save /etc/shorewall-lite/ + + progress_message3 "Copy complete" + if [ $COMMAND = reload ]; then + rsh_command "/sbin/shorewall-lite $debugging $verbose $timestamp restart" && \ + progress_message3 "System $system reloaded" || saveit= + else + rsh_command "/sbin/shorewall-lite $debugging $verbose $timestamp start" && \ + progress_message3 "System $system loaded" || saveit= + fi + + if [ -n "$saveit" ]; then + rsh_command "/sbin/shorewall-lite $debugging $verbose $timestamp save" && \ + progress_message3 "Configuration on system $system saved" + fi + fi +} + +# +# Export command executor +# +export_command() # $* = original arguments less the command. 
+{
+ local verbose
+ verbose=$(make_verbose)
+ local file
+ file=
+ local finished
+ finished=0
+ local directory
+ local target
+ local compiler
+ compiler=
+
+ while [ $finished -eq 0 -a $# -gt 0 ]; do
+ option=$1
+ case $option in
+ -*)
+ option=${option#-}
+
+ while [ -n "$option" ]; do
+ case $option in
+ -)
+ finished=1
+ option=
+ ;;
+ C)
+ [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
+ compiler="-C $2"
+ option=
+ shift
+ ;;
+ *)
+ fatal_error "Unrecognized option \"$option\""
+ ;;
+ esac
+ done
+ shift
+ ;;
+ *)
+ finished=1
+ ;;
+ esac
+ done
+
+ case $# in
+ 1)
+ directory="."
+ target=$1
+ ;;
+ 2)
+ directory=$1
+ target=$2
+ ;;
+ *)
+ fatal_error "ERROR: Invalid command syntax (\"man shorewall\" for help)"
+ ;;
+ esac
+
+ case $target in
+ *:*)
+ ;;
+ *)
+ target=$target:
+ ;;
+ esac
+
+ file=$(resolve_file $directory/firewall)
+
+ if shorewall $debugging $verbose compile -e $compiler $directory $directory/firewall && \
+ echo "Copying $file and ${file}.conf to ${target#*@}..." && \
+ scp $directory/firewall $directory/firewall.conf $target
+ then
+ save=$(find_file save);
+
+ [ -f $save ] && progress_message3 "Copying $save to ${target#*}..." && rcp_command $save $target
+
+ progress_message3 "Copy complete"
+ fi
+}
+
+#
+# Give Usage Information
+#
+usage() # $1 = exit status
+{
+ echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] "
+ echo "where is one of:"
+ echo " add [:] ... "
+ echo " allow
..." + echo " check [ -e ] [ -C {shell|perl} ] [ ]" + echo " clear [ -f ]" + echo " compile [ -e ] [ -C {shell|perl} ] [ ] " + echo " delete [:] ... " + echo " drop
..." + echo " dump [ -x ]" + echo " export [ -C {shell|perl} ] [ ] [@][:]" + echo " forget [ ]" + echo " help" + echo " hits [ -t ]" + echo " ipcalc {
/ |
}" + echo " ipdecimal {
| }" + echo " iprange
-
" + echo " load [ -s ] [ -c ] [ -r ] [ -C {shell|perl} ] [ ] " + echo " logdrop
..." + echo " logreject
..." + echo " logwatch []" + echo " refresh [ -C {shell|perl} ] [ ... ]" + echo " reject
..." + echo " reload [ -s ] [ -c ] [ -r ] [ -C {shell|perl} ] [ ] " + echo " reset [ ... ]" + echo " restart [ -n ] [ -p ] [ -f ] [ -C {shell|perl} ] [ ]" + echo " restore [ -n ] [ ]" + echo " save [ ]" + echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|routing|tc|vardir|zones} ]" + echo " start [ -f ] [ -n ] [ -p ] [ -C {shell|perl} ] [ ]" + echo " stop [ -f ]" + echo " status" + echo " try [ -C {shell|perl} ] [ ]" + echo " version [ -a ]" + echo " safe-start [ -C {shell|perl} ] [ ]" + echo " safe-restart [ -C {shell|perl} ] [ ]" + echo + exit $1 +} + +# +# Execution begins here +# +debugging= + +if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then + debugging=$1 + shift +fi + +nolock= + +if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then + nolock=nolock + shift +fi + +SHOREWALL_DIR= +IPT_OPTIONS="-nv" +FAST= +VERBOSE_OFFSET=0 +USE_VERBOSITY= +NOROUTES= +PURGE= +EXPORT= +export TIMESTAMP= +noroutes= + +finished=0 + +while [ $finished -eq 0 ]; do + [ $# -eq 0 ] && usage 1 + option=$1 + case $option in + -) + finished=1 + ;; + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + c) + [ $# -eq 1 ] && usage 1 + + if [ ! 
-d $2 ]; then + if [ -e $2 ]; then + echo "$2 is not a directory" >&2 && exit 2 + else + echo "Directory $2 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$(resolve_file $2) + option= + shift + ;; + e*) + EXPORT=Yes + option=${option#e} + ;; + x*) + IPT_OPTIONS="-xnv" + option=${option#x} + ;; + q*) + VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 )) + option=${option#q} + ;; + f*) + FAST=Yes + option=${option#f} + ;; + v*) + option=${option#v} + case $option in + -1*) + USE_VERBOSITY=-1 + option=${option#-1} + ;; + 0*) + USE_VERBOSITY=0 + option=${option#0} + ;; + 1*) + USE_VERBOSITY=1 + option=${option#1} + ;; + 2*) + USE_VERBOSITY=2 + option=${option#2} + ;; + *) + VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 )) + USE_VERBOSITY= + ;; + esac + ;; + n*) + NOROUTES=Yes + option=${option#n} + ;; + t*) + TIMESTAMP=Yes + option=${option#t} + ;; + -) + finished=1 + option= + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac +done + +version_command() { + local finished + finished=0 + local all + all= + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + a*) + all=Yes + option=${option#a} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + [ $# -gt 0 ] && usage 1 + + echo $version + + if [ -n "$all" ]; then + if [ -f /usr/share/shorewall-shell/version ]; then + echo "Shorewall-shell $(cat /usr/share/shorewall-shell/version)" + fi + + if [ -f /usr/share/shorewall-perl/version ]; then + echo "Shorewall-perl $(cat /usr/share/shorewall-perl/version)" + fi + fi +} + +if [ $# -eq 0 ]; then + usage 1 +fi + +[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +MUTEX_TIMEOUT= + +SHAREDIR=/usr/share/shorewall +CONFDIR=/etc/shorewall +export PRODUCT="Shorewall" + +[ -f ${CONFDIR}/vardir ] && . 
${CONFDIR}/vardir + +[ -n "${VARDIR:=/var/lib/shorewall}" ] + +FIREWALL=$SHAREDIR/firewall +LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli" +VERSION_FILE=$SHAREDIR/version +REFRESHCHAINS= + +for library in $LIBRARIES; do + if [ -f $library ]; then + . $library + else + echo "$library does not exist!" >&2 + exit 2 + fi +done + +if [ ! -f $FIREWALL ]; then + echo " ERROR: Shorewall is not properly installed" >&2 + if [ -L $FIREWALL ]; then + echo " $FIREWALL is a symbolic link to a" >&2 + echo " non-existant file" >&2 + else + echo " The file $FIREWALL does not exist" >&2 + fi + + exit 2 +fi + +if [ -f $VERSION_FILE ]; then + version=$(cat $VERSION_FILE) +else + echo " ERROR: Shorewall is not properly installed" >&2 + echo " The file $VERSION_FILE does not exist" >&2 + exit 1 +fi + +banner="Shorewall-$version Status at $HOSTNAME -" + +case $(echo -e) in + -e*) + RING_BELL="echo \a" + ECHO_E="echo" + ;; + *) + RING_BELL="echo -e \a" + ECHO_E="echo -e" + ;; +esac + +case $(echo -n "Testing") in + -n*) + ECHO_N= + ;; + *) + ECHO_N=-n + ;; +esac + +COMMAND=$1 + +case "$COMMAND" in + start) + get_config Yes Yes + shift + start_command $@ + ;; + stop|clear) + if [ "x$2" = x-f ]; then + [ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore + shift; + fi + + [ $# -ne 1 ] && usage 1 + get_config + export NOROUTES + mutex_on + $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND + mutex_off + ;; + reset) + get_config + export NOROUTE + shift + mutex_on + $SHOREWALL_SHELL $FIREWALL $debugging $nolock reset $@ + mutex_off + ;; + compile) + get_config Yes + shift + compile_command $@ + ;; + restart) + get_config Yes Yes + shift + restart_command $@ + ;; + refresh) + get_config Yes Yes + shift + refresh_command $@ + ;; + check) + get_config Yes + shift + check_command $@ + ;; + add|delete) + [ $# -lt 3 ] && usage 1 + get_config + mutex_on + $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@ + mutex_off + ;; + show|list) + get_config Yes No Yes + shift + show_command $@ + ;; + 
load|reload) + get_config Yes + shift + reload_command $@ + ;; + export) + get_config Yes + shift + export_command $@ + ;; + status) + [ $# -eq 1 ] || usage 1 + get_config + echo "Shorewall-$version Status at $HOSTNAME - $(date)" + echo + if shorewall_is_started ; then + echo "Shorewall is running" + status=0 + else + echo "Shorewall is stopped" + status=4 + fi + + if [ -f ${VARDIR}/state ]; then + state="$(cat ${VARDIR}/state)" + case $state in + Stopped*|Clear*) + status=3 + ;; + esac + else + state=Unknown + fi + echo "State:$state" + echo + exit $status + ;; + dump) + get_config Yes No Yes + shift + dump_command $@ + ;; + hits) + get_config Yes No Yes + [ -n "$debugging" ] && set -x + shift + hits_command $@ + ;; + version) + shift + version_command $@ + ;; + try) + get_config Yes + shift + try_command $@ + ;; + logwatch) + get_config Yes Yes Yes + banner="Shorewall-$version Logwatch at $HOSTNAME -" + logwatch_command $@ + ;; + drop) + get_config + [ -n "$debugging" ] && set -x + [ $# -eq 1 ] && usage 1 + if shorewall_is_started ; then + [ -n "$nolock" ] || mutex_on + block DROP Dropped $* + [ -n "$nolock" ] || mutex_off + else + fatal_error "Shorewall is not started" + fi + ;; + logdrop) + get_config + [ -n "$debugging" ] && set -x + [ $# -eq 1 ] && usage 1 + if shorewall_is_started ; then + [ -n "$nolock" ] || mutex_on + block logdrop Dropped $* + [ -n "$nolock" ] || mutex_off + else + fatal_error "Shorewall is not started" + fi + ;; + reject|logreject) + get_config + [ -n "$debugging" ] && set -x + [ $# -eq 1 ] && usage 1 + if shorewall_is_started ; then + [ -n "$nolock" ] || mutex_on + block $COMMAND Rejected $* + [ -n "$nolock" ] || mutex_off + else + fatal_error "Shorewall is not started" + fi + ;; + allow) + get_config + allow_command $@ + ;; + save) + get_config + [ -n "$debugging" ] && set -x + + case $# in + 1) + ;; + 2) + RESTOREFILE="$2" + validate_restorefile '' + ;; + *) + usage 1 + ;; + esac + + RESTOREPATH=${VARDIR}/$RESTOREFILE + + [ -n 
"$nolock" ] || mutex_on + + save_config + + result=$? + + [ -n "$nolock" ] || mutex_off + + exit $result + ;; + forget) + get_config + case $# in + 1) + ;; + 2) + RESTOREFILE="$2" + validate_restorefile '' + ;; + *) + usage 1 + ;; + esac + + + RESTOREPATH=${VARDIR}/$RESTOREFILE + + if [ -x $RESTOREPATH ]; then + + if [ -x ${RESTOREPATH}-ipsets ]; then + rm -f ${RESTOREPATH}-ipsets + echo " ${RESTOREPATH}-ipsets removed" + fi + + rm -f $RESTOREPATH + rm -f ${RESTOREPATH}-iptables + echo " $RESTOREPATH removed" + elif [ -f $RESTOREPATH ]; then + echo " $RESTOREPATH exists and is not a saved Shorewall configuration" + fi + rm -f ${VARDIR}/save + ;; + ipcalc) + [ -n "$debugging" ] && set -x + if [ $# -eq 2 ]; then + address=${2%/*} + vlsm=${2#*/} + elif [ $# -eq 3 ]; then + address=$2 + vlsm=$(ip_vlsm $3) + else + usage 1 + fi + + valid_address $address || fatal_error "Invalid IP address: $address" + [ -z "$vlsm" ] && exit 2 + [ "x$address" = "x$vlsm" ] && usage 2 + [ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2 + + address=$address/$vlsm + + echo " CIDR=$address" + temp=$(ip_netmask $address); echo " NETMASK=$(encodeaddr $temp)" + temp=$(ip_network $address); echo " NETWORK=$temp" + temp=$(broadcastaddress $address); echo " BROADCAST=$temp" + ;; + + iprange) + [ -n "$debugging" ] && set -x + case $2 in + *.*.*.*-*.*.*.*) + for address in ${2%-*} ${2#*-}; do + valid_address $address || fatal_error "Invalid IP address: $address" + done + + ip_range $2 + ;; + *) + usage 1 + ;; + esac + ;; + ipdecimal) + [ -n "$debugging" ] && set -x + [ $# -eq 2 ] || usage 1 + case $2 in + *.*.*.*) + valid_address $2 || fatal_error "Invalid IP address: $2" + echo " $(decodeaddr $2)" + ;; + *) + echo " $(encodeaddr $2)" + ;; + esac + ;; + restore) + get_config + shift + restore_command $@ + ;; + call) + get_config + [ -n "$debugging" ] && set -x + # + # Undocumented way to call functions in ${SHAREDIR}/functions directly + # + shift + $@ + ;; + help) + shift + usage + ;; + 
safe-restart|safe-start) + get_config Yes + shift + safe_commands $@ + ;; + *) + usage 1 + ;; + +esac diff --git a/Shorewall-common/shorewall-common.spec b/Shorewall-common/shorewall-common.spec new file mode 100644 index 000000000..9881af02e --- /dev/null +++ b/Shorewall-common/shorewall-common.spec 
@@ -0,0 +1,310 @@ +%define name shorewall-common +%define version 4.2.3 +%define release 0base + +Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. +Name: %{name} +Version: %{version} +Release: %{release} +License: GPL +Packager: Tom Eastep +Group: Networking/Utilities +Source: %{name}-%{version}.tgz +URL: http://www.shorewall.net/ +BuildArch: noarch +BuildRoot: %{_tmppath}/%{name}-%{version}-root +Requires: iptables iproute shorewall_compiler + +%description + +The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter +(iptables) based firewall that can be used on a dedicated firewall system, +a multi-function gateway/ router/server or on a standalone GNU/Linux system. + +Shorewall offers two alternative firewall compilers, shorewall-perl and +shorewall-shell. The shorewall-perl compilers is suggested for new installed +systems and shorewall-shell is provided for backwards compability and smooth +legacy system upgrades because shorewall perl is not fully compatible with +all legacy configurations. 
+ +%prep + +%setup + +%build + +%install +export PREFIX=$RPM_BUILD_ROOT ; \ +export OWNER=`id -n -u` ; \ +export GROUP=`id -n -g` ;\ +./install.sh -n + +%clean +rm -rf $RPM_BUILD_ROOT + +%post + +if [ $1 -eq 1 ]; then + if [ -x /sbin/insserv ]; then + /sbin/insserv /etc/rc.d/shorewall + elif [ -x /sbin/chkconfig ]; then + /sbin/chkconfig --add shorewall; + fi +fi + +%preun + +if [ $1 = 0 ]; then + if [ -x /sbin/insserv ]; then + /sbin/insserv -r /etc/init.d/shorewall + elif [ -x /sbin/chkconfig ]; then + /sbin/chkconfig --del shorewall + fi + + rm -f /etc/shorewall/startup_disabled + +fi + +%triggerpostun -- shorewall < 4.0.0 + +if [ -x /sbin/insserv ]; then + /sbin/insserv /etc/rc.d/shorewall +elif [ -x /sbin/chkconfig ]; then + /sbin/chkconfig --add shorewall; +fi + +%files +%defattr(0644,root,root,0755) +%attr(0544,root,root) /etc/init.d/shorewall +%attr(0755,root,root) %dir /etc/shorewall +%attr(0755,root,root) %dir /usr/share/shorewall +%attr(0755,root,root) %dir /usr/share/shorewall/configfiles +%attr(0700,root,root) %dir /var/lib/shorewall +%attr(0644,root,root) %config(noreplace) /etc/shorewall/shorewall.conf +%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones +%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy +%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces +%attr(0600,root,root) %config(noreplace) /etc/shorewall/ipsec +%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules +%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat +%attr(0600,root,root) %config(noreplace) /etc/shorewall/netmap +%attr(0644,root,root) %config(noreplace) /etc/shorewall/params +%attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp +%attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped +%attr(0600,root,root) %config(noreplace) /etc/shorewall/maclist +%attr(0600,root,root) %config(noreplace) /etc/shorewall/masq +%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules +%attr(0600,root,root) 
%config(noreplace) /etc/shorewall/tos +%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels +%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts +%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist +%attr(0600,root,root) %config(noreplace) /etc/shorewall/init +%attr(0600,root,root) %config(noreplace) /etc/shorewall/initdone +%attr(0600,root,root) %config(noreplace) /etc/shorewall/start +%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop +%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped +%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn +%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting +%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions +%attr(0600,root,root) %config(noreplace) /etc/shorewall/continue +%attr(0600,root,root) %config(noreplace) /etc/shorewall/started +%attr(0600,root,root) %config(noreplace) /etc/shorewall/providers +%attr(0600,root,root) %config(noreplace) /etc/shorewall/route_rules +%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcclasses +%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcdevices +%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcfilters +%attr(0600,root,root) /etc/shorewall/Makefile + +%attr(0755,root,root) /sbin/shorewall + +%attr(0644,root,root) /usr/share/shorewall/version +%attr(0644,root,root) /usr/share/shorewall/actions.std +%attr(0644,root,root) /usr/share/shorewall/action.Drop +%attr(0644,root,root) /usr/share/shorewall/action.Reject +%attr(0644,root,root) /usr/share/shorewall/action.template +%attr(0755,root,root) /usr/share/shorewall/firewall +%attr(- ,root,root) /usr/share/shorewall/functions +%attr(0644,root,root) /usr/share/shorewall/lib.base +%attr(0644,root,root) /usr/share/shorewall/lib.cli +%attr(0644,root,root) /usr/share/shorewall/lib.config +%attr(0644,root,root) /usr/share/shorewall/lib.dynamiczones +%attr(0644,root,root) /usr/share/shorewall/macro.* +%attr(0644,root,root) 
/usr/share/shorewall/modules +%attr(0644,root,root) /usr/share/shorewall/rfc1918 +%attr(0644,root,root) /usr/share/shorewall/configpath +%attr(0755,root,root) /usr/share/shorewall/wait4ifup + +%attr(0644,root,root) /usr/share/shorewall/configfiles/shorewall.conf +%attr(0644,root,root) /usr/share/shorewall/configfiles/zones +%attr(0644,root,root) /usr/share/shorewall/configfiles/policy +%attr(0644,root,root) /usr/share/shorewall/configfiles/interfaces +%attr(0644,root,root) /usr/share/shorewall/configfiles/ipsec +%attr(0644,root,root) /usr/share/shorewall/configfiles/rules +%attr(0644,root,root) /usr/share/shorewall/configfiles/nat +%attr(0644,root,root) /usr/share/shorewall/configfiles/netmap +%attr(0644,root,root) /usr/share/shorewall/configfiles/params +%attr(0644,root,root) /usr/share/shorewall/configfiles/proxyarp +%attr(0644,root,root) /usr/share/shorewall/configfiles/routestopped +%attr(0644,root,root) /usr/share/shorewall/configfiles/maclist +%attr(0644,root,root) /usr/share/shorewall/configfiles/masq +%attr(0644,root,root) /usr/share/shorewall/configfiles/tcrules +%attr(0644,root,root) /usr/share/shorewall/configfiles/tos +%attr(0644,root,root) /usr/share/shorewall/configfiles/tunnels +%attr(0644,root,root) /usr/share/shorewall/configfiles/hosts +%attr(0644,root,root) /usr/share/shorewall/configfiles/blacklist +%attr(0644,root,root) /usr/share/shorewall/configfiles/init +%attr(0644,root,root) /usr/share/shorewall/configfiles/initdone +%attr(0644,root,root) /usr/share/shorewall/configfiles/start +%attr(0644,root,root) /usr/share/shorewall/configfiles/stop +%attr(0644,root,root) /usr/share/shorewall/configfiles/stopped +%attr(0644,root,root) /usr/share/shorewall/configfiles/ecn +%attr(0644,root,root) /usr/share/shorewall/configfiles/accounting +%attr(0644,root,root) /usr/share/shorewall/configfiles/actions +%attr(0644,root,root) /usr/share/shorewall/configfiles/continue +%attr(0644,root,root) /usr/share/shorewall/configfiles/started +%attr(0644,root,root) 
/usr/share/shorewall/configfiles/providers +%attr(0644,root,root) /usr/share/shorewall/configfiles/route_rules +%attr(0644,root,root) /usr/share/shorewall/configfiles/tcclasses +%attr(0644,root,root) /usr/share/shorewall/configfiles/tcdevices +%attr(0644,root,root) /usr/share/shorewall/configfiles/tcfilters +%attr(0644,root,root) /usr/share/shorewall/configfiles/Makefile + +%attr(0644,root,root) %{_mandir}/man5/* +%attr(0644,root,root) %{_mandir}/man8/shorewall.8.gz + +%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples + +%changelog +* Fri Dec 05 2008 Tom Eastep tom@shorewall.net +- Updated to 4.2.3-0base +* Wed Nov 05 2008 Tom Eastep tom@shorewall.net +- Updated to 4.2.2-0base +* Wed Oct 08 2008 Tom Eastep tom@shorewall.net +- Updated to 4.2.1-0base +* Fri Oct 03 2008 Tom Eastep tom@shorewall.net +- Updated to 4.2.0-0base +* Tue Sep 23 2008 Tom Eastep tom@shorewall.net +- Updated to 4.2.0-0RC4 +* Mon Sep 15 2008 Tom Eastep tom@shorewall.net +- Updated to 4.2.0-0RC3 +* Mon Sep 08 2008 Tom Eastep tom@shorewall.net +- Updated to 4.2.0-0RC2 +* Tue Aug 19 2008 Tom Eastep tom@shorewall.net +- Updated to 4.2.0-0RC1 +* Thu Jul 03 2008 Tom Eastep tom@shorewall.net +- Updated to 4.2.0-0Beta3 +* Mon Jun 02 2008 Tom Eastep tom@shorewall.net +- Updated to 4.2.0-0Beta2 +* Wed May 07 2008 Tom Eastep tom@shorewall.net +- Updated to 4.2.0-0Beta1 +* Mon Apr 28 2008 Tom Eastep tom@shorewall.net +- Updated to 4.1.8-0base +* Mon Mar 24 2008 Tom Eastep tom@shorewall.net +- Updated to 4.1.7-0base +* Thu Mar 13 2008 Tom Eastep tom@shorewall.net +- Updated to 4.1.6-0base +* Tue Feb 05 2008 Tom Eastep tom@shorewall.net +- Updated to 4.1.5-0base +* Fri Jan 04 2008 Tom Eastep tom@shorewall.net +- Updated to 4.1.4-0base +* Wed Dec 12 2007 Tom Eastep tom@shorewall.net +- Updated to 4.1.3-0base +* Fri Dec 07 2007 Tom Eastep tom@shorewall.net +- Updated to 4.1.3-1 +* Tue Nov 27 2007 Tom Eastep tom@shorewall.net +- Updated to 4.1.2-1 +* Wed Nov 21 2007 Tom Eastep 
tom@shorewall.net +- Updated to 4.1.1-1 +* Mon Nov 19 2007 Tom Eastep tom@shorewall.net +- Updated to 4.1.0-1 +* Thu Nov 15 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-1 +* Sat Nov 10 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-0RC3 +* Wed Nov 07 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-0RC2 +* Thu Oct 25 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-0RC1 +* Tue Oct 03 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.5-1 +* Wed Sep 05 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.4-1 +* Mon Aug 13 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.3-1 +* Thu Aug 09 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.2-1 +* Sat Jul 21 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.1-1 +* Wed Jul 11 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.0-1 +* Sun Jul 08 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.0-0RC2 +* Fri Jun 29 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.0-0RC1 +* Sun Jun 24 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.0-0Beta7 +* Wed Jun 20 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.0-0Beta6 +* Thu Jun 14 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.0-0Beta5 +* Fri Jun 08 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.0-0Beta4 +* Tue Jun 05 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.0-0Beta3 +* Tue May 15 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.0-0Beta1 +* Fri May 11 2007 Tom Eastep tom@shorewall.net +- Updated to 3.9.7-1 +* Sat May 05 2007 Tom Eastep tom@shorewall.net +- Updated to 3.9.6-1 +* Mon Apr 30 2007 Tom Eastep tom@shorewall.net +- Updated to 3.9.5-1 +* Mon Apr 23 2007 Tom Eastep tom@shorewall.net +- Updated to 3.9.4-1 +* Wed Apr 18 2007 Tom Eastep tom@shorewall.net +- Updated to 3.9.3-1 +* Mon Apr 16 2007 Tom Eastep tom@shorewall.net +- Moved lib.dynamiczones from Shorewall-shell +* Sat Apr 14 2007 Tom Eastep tom@shorewall.net +- Updated to 3.9.2-1 +* Tue Apr 03 2007 Tom Eastep tom@shorewall.net +- Updated to 3.9.1-1 
+* Thu Mar 24 2007 Tom Eastep tom@shorewall.net +- Updated to 3.4.2-1 +* Thu Mar 15 2007 Tom Eastep tom@shorewall.net +- Updated to 3.4.1-1 +* Sat Mar 10 2007 Tom Eastep tom@shorewall.net +- Updated to 3.4.0-1 +* Sun Feb 25 2007 Tom Eastep tom@shorewall.net +- Updated to 3.4.0-0RC3 +* Sun Feb 04 2007 Tom Eastep tom@shorewall.net +- Updated to 3.4.0-0RC2 +* Wed Jan 24 2007 Tom Eastep tom@shorewall.net +- Updated to 3.4.0-0RC1 +* Mon Jan 22 2007 Tom Eastep tom@shorewall.net +- Updated to 3.4.0-0Beta3 +* Wed Jan 03 2007 Tom Eastep tom@shorewall.net +- Updated to 3.4.0-0Beta2 +* Thu Dec 14 2006 Tom Eastep tom@shorewall.net +- Updated to 3.4.0-0Beta1 +* Sat Nov 25 2006 Tom Eastep tom@shorewall.net +- Added shorewall-exclusion(5) +- Updated to 3.3.6-1 +* Sun Nov 19 2006 Tom Eastep tom@shorewall.net +- Updated to 3.3.5-1 +* Sat Nov 18 2006 Tom Eastep tom@shorewall.net +- Add Man Pages. +* Sun Oct 29 2006 Tom Eastep tom@shorewall.net +- Updated to 3.3.4-1 +* Mon Oct 16 2006 Tom Eastep tom@shorewall.net +- Updated to 3.3.3-1 +* Sat Sep 30 2006 Tom Eastep tom@shorewall.net +- Updated to 3.3.2-1 +* Wed Aug 30 2006 Tom Eastep tom@shorewall.net +- Updated to 3.3.1-1 +* Sun Aug 27 2006 Tom Eastep tom@shorewall.net +- Updated to 3.3.0-1 +* Fri Aug 25 2006 Tom Eastep tom@shorewall.net +- Updated to 3.2.3-1 + + diff --git a/Shorewall-common/shorewall.conf b/Shorewall-common/shorewall.conf new file mode 100644 index 000000000..134c93801 --- /dev/null +++ b/Shorewall-common/shorewall.conf 
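Review bot: In `%files`, `/etc/shorewall/params` is installed `%attr(0644,root,root)` while every other rule file in `/etc/shorewall` is `0600`; params is the file meant for site-specific shell variable assignments, so if an administrator ever puts credentials or internal addressing there, every local user can read them — `%attr(0600,root,root) %config(noreplace) /etc/shorewall/params` would match its siblings. The `%post` and `%preun` scriptlets test the install count differently (`if [ $1 -eq 1 ]` vs `if [ $1 = 0 ]`); `-eq` in both is the intended numeric comparison. `%attr(- ,root,root) /usr/share/shorewall/functions` keeps whatever mode the tarball carried, which is fine only if the install step sets it deliberately — a short comment saying so would help. In `%description`, "The shorewall-perl compilers is suggested for new installed systems" and "backwards compability" should read "The shorewall-perl compiler is suggested for newly installed systems" and "backwards compatibility".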
@@ -0,0 +1,199 @@ +############################################################################### +# /etc/shorewall/shorewall.conf Version 4 - Change the following variables to +# match your setup +# +# This program is under GPL +# [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] +# +# This file should be placed in /etc/shorewall +# +# (c) 1999,2000,2001,2002,2003,2004,2005, +# 2006,2007,2008 - Tom Eastep (teastep@shorewall.net) +# +# For information about the settings in this file, type "man shorewall.conf" +# +# Additional information is available at +# http://www.shorewall.net/Documentation.htm#Conf +############################################################################### +# S T A R T U P E N A B L E D +############################################################################### + +STARTUP_ENABLED=No + +############################################################################### +# V E R B O S I T Y +############################################################################### + +VERBOSITY=1 + +############################################################################### +# C O M P I L E R +# (setting this to 'perl' requires installation of Shorewall-perl) +############################################################################### + +SHOREWALL_COMPILER= + +############################################################################### +# L O G G I N G +############################################################################### + +LOGFILE=/var/log/messages + +STARTUP_LOG= + +LOG_VERBOSITY= + +LOGFORMAT="Shorewall:%s:%s:" + +LOGTAGONLY=No + +LOGRATE= + +LOGBURST= + +LOGALLNEW= + +BLACKLIST_LOGLEVEL= + +MACLIST_LOG_LEVEL=info + +TCP_FLAGS_LOG_LEVEL=info + +RFC1918_LOG_LEVEL=info + +SMURF_LOG_LEVEL=info + +LOG_MARTIANS=Yes + +############################################################################### +# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S 
+############################################################################### + +IPTABLES= + +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin + +SHOREWALL_SHELL=/bin/sh + +SUBSYSLOCK=/var/lock/subsys/shorewall + +MODULESDIR= + +CONFIG_PATH=/etc/shorewall:/usr/share/shorewall + +RESTOREFILE= + +IPSECFILE=zones + +LOCKFILE= + +############################################################################### +# D E F A U L T A C T I O N S / M A C R O S +############################################################################### + +DROP_DEFAULT="Drop" +REJECT_DEFAULT="Reject" +ACCEPT_DEFAULT="none" +QUEUE_DEFAULT="none" +NFQUEUE_DEFAULT="none" + +############################################################################### +# R S H / R C P C O M M A N D S +############################################################################### + +RSH_COMMAND='ssh ${root}@${system} ${command}' +RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' + +############################################################################### +# F I R E W A L L O P T I O N S +############################################################################### + +IP_FORWARDING=On + +ADD_IP_ALIASES=Yes + +ADD_SNAT_ALIASES=No + +RETAIN_ALIASES=No + +TC_ENABLED=Internal + +TC_EXPERT=No + +CLEAR_TC=Yes + +MARK_IN_FORWARD_CHAIN=No + +CLAMPMSS=No + +ROUTE_FILTER=No + +DETECT_DNAT_IPADDRS=No + +MUTEX_TIMEOUT=60 + +ADMINISABSENTMINDED=Yes + +BLACKLISTNEWONLY=Yes + +DELAYBLACKLISTLOAD=No + +MODULE_SUFFIX= + +DISABLE_IPV6=Yes + +BRIDGING=No + +DYNAMIC_ZONES=No + +PKTTYPE=Yes + +RFC1918_STRICT=No + +MACLIST_TABLE=filter + +MACLIST_TTL= + +SAVE_IPSETS=No + +MAPOLDACTIONS=No + +FASTACCEPT=No + +IMPLICIT_CONTINUE=No + +HIGH_ROUTE_MARKS=No + +USE_ACTIONS=Yes + +OPTIMIZE=0 + +EXPORTPARAMS=Yes + +EXPAND_POLICIES=Yes + +KEEP_RT_TABLES=No + +DELETE_THEN_ADD=Yes + +MULTICAST=No + +DONT_LOAD= + +AUTO_COMMENT=Yes + +MANGLE_ENABLED=Yes + +USE_DEFAULT_RT=No + 
+############################################################################### +# P A C K E T D I S P O S I T I O N +############################################################################### + +BLACKLIST_DISPOSITION=DROP + +MACLIST_DISPOSITION=REJECT + +TCP_FLAGS_DISPOSITION=DROP + +#LAST LINE -- DO NOT REMOVE diff --git a/Shorewall-common/start b/Shorewall-common/start new file mode 100644 index 000000000..8117566a1 --- /dev/null +++ b/Shorewall-common/start @@ -0,0 +1,13 @@ +# +# Shorewall version 4 - Start File +# +# /etc/shorewall/start +# +# Add commands below that you want to be executed after shorewall has +# been started or restarted. +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Shorewall-common/started b/Shorewall-common/started new file mode 100644 index 000000000..840f472cd --- /dev/null +++ b/Shorewall-common/started @@ -0,0 +1,21 @@ +# +# Shorewall version 4 - Started File +# +# /etc/shorewall/started +# +# Add commands below that you want to be executed after shorewall has +# been completely started or restarted. The difference between this +# extension script and /etc/shorewall/start is that this one is invoked +# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and +# after the 'shorewall' chain has been created (thus signaling that the +# firewall is completely up). +# +# This script should not change the firewall configuration directly but +# may do so indirectly by running /sbin/shorewall with the 'nolock' +# option. +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE 
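Review bot: `RSH_COMMAND='ssh ${root}@${system} ${command}'` and `RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'` are the only single-quoted values in the file, and nothing says why; presumably the quoting is what defers `${root}`/`${system}`/`${command}`/`${files}` expansion to the point where the CLI runs the command, so a reader who "fixes" them to double quotes would silently break `load`/`reload`. A comment above the pair such as `# Keep the single quotes: the ${...} names are substituted when the command is run, not when this file is read` would pin that down. Separately, the shipped defaults combine `IP_FORWARDING=On` with `ROUTE_FILTER=No`; that is a legitimate choice for a multi-homed gateway, but a one-line comment noting that forwarding is enabled by default and that reverse-path filtering must be opted into would help an administrator deciding whether to keep it.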
diff --git a/Shorewall-common/stop b/Shorewall-common/stop new file mode 100644 index 000000000..0088abe10 --- /dev/null +++ b/Shorewall-common/stop @@ -0,0 +1,13 @@ +# +# Shorewall version 4 - Stop File +# +# /etc/shorewall/stop +# +# Add commands below that you want to be executed at the beginning of a +# "shorewall stop" command. +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Shorewall-common/stopped b/Shorewall-common/stopped new file mode 100644 index 000000000..438e5e05c --- /dev/null +++ b/Shorewall-common/stopped @@ -0,0 +1,13 @@ +# +# Shorewall version 4 - Stopped File +# +# /etc/shorewall/stopped +# +# Add commands below that you want to be executed at the completion of a +# "shorewall stop" command. +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Shorewall-common/strip b/Shorewall-common/strip new file mode 100755 index 000000000..eae1ffe6e --- /dev/null +++ b/Shorewall-common/strip 
@@ -0,0 +1,110 @@ +#! /bin/sh +# +# Script for use from Perl to strip config files and perform shell variable +# +# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] +# +# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) +# +# Shorewall documentation is available at http://shorewall.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +############################################################################### +# Filter that expands variables +# +expand_line() { + local line + + while read line; do + echo $(expand $line) + done +} + +# +# Read a file and handle "INCLUDE" directives +# + +read_file() # $1 = file name, $2 = nest count +{ + local first + local rest + + if [ -f $1 ]; then + while read first rest; do + if [ "x$first" = "xINCLUDE" ]; then + if [ $2 -lt 4 ]; then + read_file $(find_file $(expand ${rest%#*})) $(($2 + 1)) + else + echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2 + fi + else + eval "$first $rest" + fi + done < $1 + else + echo " WARNING -- No such file: $1" >&2 + fi +} + +# +# Split a colon-separated list into a space-separated list +# +split() { + local ifs + ifs=$IFS + IFS=: + echo $* + IFS=$ifs +} + +# +# Find a File -- For relative file name, look in ${SHOREWALL_DIR} then each ${CONFIG_PATH} then ${CONFDIR} +# +find_file() +{ + local saveifs + saveifs= + local 
directory + + case $1 in + /*) + echo $1 + ;; + *) + for directory in $(split $CONFIG_PATH); do + if [ -f $directory/$1 ]; then + echo $directory/$1 + return + fi + done + + echo ${CONFDIR}/$1 + ;; + esac +} + +# +# Strip comments and blank lines from a file and place the result in the +# temporary directory +# +if [ ! -f $TMP_DIR/$1 ]; then + [ $# = 1 ] && fname=$(find_file $1) || fname=$2 + + if [ -f $fname ]; then + read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' | expand_line > $TMP_DIR/$1 + else + > $TMP_DIR/$1 + fi +fi diff --git a/Shorewall-common/tcclasses b/Shorewall-common/tcclasses new file mode 100644 index 000000000..44e63a103 --- /dev/null +++ b/Shorewall-common/tcclasses @@ -0,0 +1,10 @@ +# +# Shorewall version 4 - Tcclasses File +# +# For information about entries in this file, type "man shorewall-tcclasses" +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# +############################################################################### +#INTERFACE:CLASS MARK RATE CEIL PRIORITY OPTIONS +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/tcdevices b/Shorewall-common/tcdevices new file mode 100644 index 000000000..2a93faadd --- /dev/null +++ b/Shorewall-common/tcdevices @@ -0,0 +1,11 @@ +# +# Shorewall version 4 - Tcdevices File +# +# For information about entries in this file, type "man shorewall-tcdevices" +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# +############################################################################### +#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED +#INTERFACE INTERFACES +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/tcfilters b/Shorewall-common/tcfilters new file mode 100644 index 000000000..d8fb44607 --- /dev/null +++ b/Shorewall-common/tcfilters 
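Review bot: `read_file` hands every non-INCLUDE line to `eval "$first $rest"`, so the file being stripped, and every file an `INCLUDE` resolves through `find_file` across `$CONFIG_PATH` and `${CONFDIR}`, runs as shell code in this process; a header comment stating that the configuration directories and any INCLUDEd file must be writable only by root would make that trust boundary explicit rather than leaving it implied by the package's file modes. Both read loops use `read` without `-r` (`while read first rest` and `while read line`), so backslashes are consumed before `eval` or `expand` sees the text; `read -r` preserves the line as written. `$1`, `$fname`, `$directory/$1` and `$TMP_DIR/$1` are all unquoted, so a config name or `TMP_DIR` containing whitespace splits into extra arguments. In `find_file`, `saveifs` is declared and assigned but never used and can be dropped. The header sentence "strip config files and perform shell variable" is cut off; "perform shell variable expansion" completes it.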
@@ -0,0 +1,11 @@ +# +# Shorewall version 4 - Tcfilters File +# +# For information about entries in this file, type "man shorewall-tcfilters" +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# +############################################################################### +#INTERFACE: SOURCE DEST PROTO DEST SOURCE +#CLASS PORT(S) PORT(S) +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/tcrules b/Shorewall-common/tcrules new file mode 100644 index 000000000..cd32eddc1 --- /dev/null +++ b/Shorewall-common/tcrules @@ -0,0 +1,15 @@ +# +# Shorewall version 4 - Tcrules File +# +# For information about entries in this file, type "man shorewall-tcrules" +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# For usage in selecting among multiple ISPs, see +# http://shorewall.net/MultiISP.html +# +# See http://shorewall.net/PacketMarking.html for a detailed description of +# the Netfilter/Shorewall packet marking mechanism. +###################################################################################################################### +#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER +# PORT(S) PORT(S) +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/tos b/Shorewall-common/tos new file mode 100644 index 000000000..80ca1c131 --- /dev/null +++ b/Shorewall-common/tos @@ -0,0 +1,9 @@ +# +# Shorewall version 4 - Tos File +# +# For information about entries in this file, type "man shorewall-tos" +# +############################################################################### +#SOURCE DEST PROTOCOL SOURCE DEST TOS MARK +# PORTS PORTS +#LAST LINE -- Add your entries above -- DO NOT REMOVE diff --git a/Shorewall-common/tunnel b/Shorewall-common/tunnel new file mode 100755 index 000000000..a0a3c374c --- /dev/null +++ b/Shorewall-common/tunnel 
@@ -0,0 +1,166 @@ +#!/bin/sh + +RCDLINKS="2,S45 3,S45 6,K45" +################################################################################ +# Script to create a gre or ipip tunnel -- Shorewall 4 +# +# Modified - Steve Cowles 5/9/2000 +# Incorporated init {start|stop} syntax and iproute2 usage +# +# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] +# +# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) +# +# Modify the following variables to match your configuration +# +# chkconfig: 2345 26 89 +# description: GRE/IP Tunnel +# +################################################################################ + +# +# Type of tunnel (gre or ipip) +# + +tunnel_type=gre + +# Name of the tunnel +# + +tunnel="dfwbos" +# +# Address of your External Interface (only required for gre tunnels) +# +myrealip="x.x.x.x" + +# Address of the local system -- this is the address of one of your +# local interfaces (or for a mobile host, the address that this system has +# when attached to the local network). +# + +myip="192.168.1.254" + +# Address of the Remote system -- this is the address of one of the +# remote system's local interfaces (or if the remote system is a mobile host, +# the address that it uses when attached to the local network). + +hisip="192.168.9.1" + +# Internet address of the Remote system +# + +gateway="x.x.x.x" + +# Remote sub-network -- if the remote system is a gateway for a +# private subnetwork that you wish to +# access, enter it here. If the remote +# system is a stand-alone/mobile host, leave this +# empty + +subnet="192.168.9.0/24" + +# GRE Key -- set this to a number or to a dotted quad if you want +# a keyed GRE tunnel. 
You must specify a KEY if you +# intend to load ip_conntrack_proto_gre on either +# gateway system + +key= + +PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin + +load_modules () { + case $tunnel_type in + ipip) + echo "Loading IP-ENCAP Module" + modprobe ipip + ;; + gre) + echo "Loading GRE Module" + modprobe ip_gre + ;; + esac +} + +do_stop() { + + if [ -n "`ip link show $tunnel 2>/dev/null`" ]; then + echo "Stopping $tunnel" + ip link set dev $tunnel down + fi + + if [ -n "`ip addr show $tunnel 2>/dev/null`" ]; then + echo "Deleting $tunnel" + ip tunnel del $tunnel + fi +} + +do_start() { + + #NOTE: Comment out the next line if you have built gre/ipip into your kernel + + load_modules + + if [ -n "`ip link show $tunnel 2>/dev/null`" ]; then + do_stop + fi + + echo "Adding $tunnel" + + case $tunnel_type in + gre) + ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255 ${key:+key $key} + ;; + *) + ip tunnel add $tunnel mode ipip remote $gateway + ;; + esac + + echo "Starting $tunnel" + + + ip link set dev $tunnel up + + case $tunnel_type in + gre) + ip addr add $myip dev $tunnel + ;; + *) + ip addr add $myip peer $hisip dev $tunnel + ;; + esac + + # + # As with all interfaces, the 2.4 kernels will add the obvious host + # route for this point-to-point interface + # + + if [ -n "$subnet" ]; then + echo "Adding Routes" + case $tunnel_type in + gre) + ip route add $subnet dev $tunnel + ;; + ipip) + ip route add $subnet via $gateway dev $tunnel onlink + ;; + esac + fi +} + +case "$1" in + start) + do_start + ;; + stop) + do_stop + ;; + restart) + do_stop + sleep 1 + do_start + ;; + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 +esac +exit 0 diff --git a/Shorewall-common/tunnels b/Shorewall-common/tunnels new file mode 100644 index 000000000..d38eda2b5 --- /dev/null +++ b/Shorewall-common/tunnels 
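Review bot: `do_start` never checks the exit status of `ip tunnel add` (or of the following `ip link`/`ip addr`/`ip route` calls) and the script always finishes with `exit 0`, so when `gateway` or `myrealip` are still the shipped `x.x.x.x` placeholders the tunnel silently fails to exist while the init system is told the service started. Rejecting the placeholders before creating the tunnel and propagating a failed `ip tunnel add` would make the failure visible; the rewritten part of `do_start` is sketched below. The header comment is also the place to state that GRE and IPIP carry their payload unencrypted and that `key` only identifies the tunnel, it does not authenticate the peer, so the tunnel should be treated as an untrusted zone in the Shorewall configuration. In `do_stop`, the two existence checks could share one `ip link show` result, but that is cosmetic.
```sh
do_start() {
  # … unchanged: load_modules, do_stop if the tunnel already exists …

  case "$gateway" in
    ""|x.x.x.x)
      echo "$0: 'gateway' is not configured" >&2
      exit 1
      ;;
  esac

  echo "Adding $tunnel"

  case $tunnel_type in
    gre)
      ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255 ${key:+key $key} \
        || { echo "$0: ip tunnel add $tunnel failed" >&2; exit 1; }
      ;;
    *)
      ip tunnel add $tunnel mode ipip remote $gateway \
        || { echo "$0: ip tunnel add $tunnel failed" >&2; exit 1; }
      ;;
  esac

  # … unchanged: link up, address assignment, route setup …
}
```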
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Tunnels File
+#
+# For information about entries in this file, type "man shorewall-tunnels"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-tunnels.html
+#
+###############################################################################
+#TYPE ZONE GATEWAY GATEWAY
+# ZONE
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/uninstall.sh b/Shorewall-common/uninstall.sh
new file mode 100755
index 000000000..ba784b699
--- /dev/null
+++ b/Shorewall-common/uninstall.sh
@@ -0,0 +1,114 @@
+#!/bin/sh
+#
+# Script to back uninstall Shoreline Firewall
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
+#
+# Shorewall documentation is available at http://www.shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Usage:
+#
+# You may only use this script to uninstall the version
+# shown below. Simply run this script to remove Shorewall Firewall
+
+VERSION=4.2.3
+
+usage() # $1 = exit status
+{
+ ME=$(basename $0)
+ echo "usage: $ME"
+ exit $1
+}
+
+qt()
+{
+ "$@" >/dev/null 2>&1
+}
+
+restore_file() # $1 = file to restore
+{
+ if [ -f ${1}-shorewall.bkout ]; then
+ if (mv -f ${1}-shorewall.bkout $1); then
+ echo
+ echo "$1 restored"
+ else
+ exit 1
+ fi
+ fi
+}
+
+remove_file() # $1 = file to restore
+{
+ if [ -f $1 -o -L $1 ] ; then
+ rm -f $1
+ echo "$1 Removed"
+ fi
+}
+
+if [ -f /usr/share/shorewall/version ]; then
+ INSTALLED_VERSION="$(cat /usr/share/shorewall/version)"
+ if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
+ echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
+ echo " and this is the $VERSION uninstaller."
+ VERSION="$INSTALLED_VERSION"
+ fi
+else
+ echo "WARNING: Shorewall Version $VERSION is not installed"
+ VERSION=""
+fi
+
+echo "Uninstalling shorewall $VERSION"
+
+if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then
+ /sbin/shorewall clear
+fi
+
+if [ -L /usr/share/shorewall/init ]; then
+ FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
+else
+ FIREWALL=/etc/init.d/shorewall
+fi
+
+if [ -n "$FIREWALL" ]; then
+ if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+ insserv -r $FIREWALL
+ elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+ chkconfig --del $(basename $FIREWALL)
+ else
+ rm -f /etc/rc*.d/*$(basename $FIREWALL)
+ fi
+
+ remove_file $FIREWALL
+ rm -f ${FIREWALL}-*.bkout
+fi
+
+rm -f /sbin/shorewall
+rm -f /sbin/shorewall-*.bkout
+
+rm -rf /etc/shorewall
+rm -rf /etc/shorewall-*.bkout
+rm -rf /var/lib/shorewall
+rm -rf /var/lib/shorewall-*.bkout
+rm -rf /usr/share/shorewall
+rm -rf /usr/share/shorewall-*.bkout
+rm -rf /usr/share/man/man5/shorewall*
+rm -rf /usr/share/man/man8/shorewall*
+
+echo "Shorewall Uninstalled"
+
+
diff --git a/Shorewall-common/wait4ifup b/Shorewall-common/wait4ifup
new file mode 100755
index 000000000..01089821a
--- /dev/null
+++ b/Shorewall-common/wait4ifup
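Review bot: The init-script path in `FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')` is recovered by parsing `ls -l` output and is then used unquoted in `insserv -r $FIREWALL`, `remove_file $FIREWALL`, `rm -f ${FIREWALL}-*.bkout` and the glob `rm -f /etc/rc*.d/*$(basename $FIREWALL)`, so any whitespace or glob character in the link target changes which files those `rm -f` calls remove. `FIREWALL=$(readlink /usr/share/shorewall/init)` reads the link directly, and quoting the expansions (`remove_file "$FIREWALL"`, `rm -f -- "${FIREWALL}-"*.bkout`) keeps the removal confined to the intended path. `restore_file` is defined in this file but never called; it could be dropped, or a comment could say why it is kept for the installer's benefit.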
@@ -0,0 +1,60 @@
+#!/bin/sh
+#
+# Shorewall interface helper utility - V4.2
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2007 - Tom Eastep (teastep@shorewall.net)
+#
+# This file is installed in /usr/share/shorewall/wait4ifup
+#
+# Shorewall documentation is available at http://www.shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# If an error occurs while starting or restarting the firewall, the
+# firewall is automatically stopped.
+#
+# The firewall uses configuration files in /etc/shorewall/ - skeleton
+# files is included with the firewall.
+#
+# wait4ifup [ ]
+#
+
+interface_is_up() {
+ [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
+}
+
+case $# in
+ 1)
+ timeout=60
+ ;;
+ 2)
+ timeout=$2
+ ;;
+ *)
+ echo "usage: $(basename $0) [ ]"
+ exit 2
+ ;;
+esac
+
+while [ $timeout -gt 0 ]; do
+ interface_is_up $1 && exit 0
+ sleep 1
+ timeout=$(( $timeout - 1 ))
+done
+
+exit 1
+
+
diff --git a/Shorewall-common/zones b/Shorewall-common/zones
new file mode 100644
index 000000000..d5164e93e
--- /dev/null
+++ b/Shorewall-common/zones
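Review bot: `timeout=$2` is used unvalidated in `[ $timeout -gt 0 ]`, so a non-numeric second argument makes `[` print an error on the first iteration and the script falls through to `exit 1` (the "interface never came up" status) instead of the usage exit. A guard before the loop, `case $timeout in ''|*[!0-9]*) echo "usage: $(basename $0) <interface> [ <timeout> ]"; exit 2;; esac`, keeps bad invocation (2) distinct from a genuine timeout (1), which matters when callers branch on the status. Also note that `[<,]UP[,>]` matches only the administrative `UP` flag and not `LOWER_UP`, so `interface_is_up` succeeds as soon as the link is configured up regardless of carrier; if callers rely on it to wait for connectivity, the header comment should say which state is being waited for.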
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Zones File
+#
+# For information about this file, type "man shorewall-zones"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-zones.html
+#
+###############################################################################
+#ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
+fw firewall
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall-perl/README.txt b/Shorewall-perl/README.txt
index 5a2cc54b9..5c2c3eddc 100644
--- a/Shorewall-perl/README.txt
+++ b/Shorewall-perl/README.txt
@@ -1,2 +1,2 @@
-This is the Shorewall-perl stable 4.2 branch of SVN.
+This is the Shorewall-perl development 4.2 branch of SVN.