holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Combo of Beta2 and IPV6 disable

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1149 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-02-15 17:52:27 +00:00
parent cff939d94e
commit 052194cb9b
10 changed files with 175 additions and 130 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Shorewall2/actions
View File

@ -16,14 +16,6 @@
# respectively is enforced. If you specify ":DROP" or ":REJECT"
# on more than one action then only the last such action will be
# taken.
#
# If you remove the following INCLUDE, you will need to copy the
# definitions you need from the actions.std file into this one.
#
INCLUDE /etc/shorewall/actions.std
#
# Add your entries below here
#
#ACTION
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

4
Shorewall2/changelog.txt
View File

@ -40,3 +40,7 @@ Changes since 1.4.10
19) Added a comment to the rules file to aid users who are terminally stupid.
20) Only create the action chains that are actually used.
21) Move actions.std and action.* files to /usr/share/shorewall.
22) Added DISABLE_IPV6 option.

4
Shorewall2/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=2.0.0-Beta1
VERSION=2.0.0-Beta2
usage() # $1 = exit status
{
@ -131,7 +131,7 @@ restore_file /etc/shorewall/actions.std
restore_file /etc/shorewall/actions
for f in /etc/shorewall/action.*-${VERSION}.bkout; do
for f in /usr/share/shorewall/action.*-${VERSION}.bkout; do
restore_file $(echo $f | sed "s/-${VERSION}.bkout//")
done

118
Shorewall2/firewall
View File

@ -1012,6 +1012,12 @@ stop_firewall() {
delete_proxy_arp
[ -n "$CLEAR_TC" ] && delete_tc
if [ -n "$DISABLE_IPV6" ]; then
ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
fi
if [ -z "$ADMINISABSENTMINDED" ]; then
for chain in INPUT OUTPUT FORWARD; do
setpolicy $chain DROP
@ -1105,6 +1111,10 @@ clear_firewall() {
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
ip6tables -P INPUT ACCEPT 2> /dev/null
ip6tables -P OUTPUT ACCEPT 2> /dev/null
ip6tables -P FORWARD ACCEPT 2> /dev/null
run_user_exit clear
logger "Shorewall Cleared"
@ -2386,58 +2396,64 @@ process_actions1() {
strip_file actions
while read xaction rest; do
[ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest"
strip_file actions.std /usr/share/shorewall/actions.std
case $xaction in
*:*)
temp=${xaction#*:}
xaction=${xaction%:*}
case $temp in
ACCEPT|REJECT|DROP)
eval ${temp}_common=$xaction
if ! list_search $xaction $USEDACTIONS; then
USEDACTIONS="$USEDACTIONS $xaction"
[ $command = check ] || createactionchain $xaction
fi
;;
*)
fatal_error "Common Actions are only allowed for ACCEPT, DROP and REJECT"
;;
esac
esac
for inputfile in actions.std actions; do
while read xaction rest; do
[ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest"
f=action.$xaction
fn=$(find_file $f)
case $xaction in
*:*)
temp=${xaction#*:}
xaction=${xaction%:*}
case $temp in
ACCEPT|REJECT|DROP)
eval ${temp}_common=$xaction
if ! list_search $xaction $USEDACTIONS; then
USEDACTIONS="$USEDACTIONS $xaction"
[ $command = check ] || createactionchain $xaction
fi
;;
*)
fatal_error "Common Actions are only allowed for ACCEPT, DROP and REJECT"
;;
esac
esac
eval requiredby_${action}=
if ! list_search $xaction $ACTIONS; then
f=action.$xaction
fn=$(find_file $f)
if [ -f $fn ]; then
echo " Pre-processing $fn..."
strip_file $f $fn
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
expandv xtarget
temp="${xtarget%:*}"
case "${temp%<*}" in
ACCEPT|DROP|REJECT|LOG|QUEUE)
;;
*)
if list_search $temp $ACTIONS; then
eval requiredby_${xaction}=\"\$requiredby_${xaction} $temp\"
else
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
fatal_error "Invalid TARGET in rule \"$rule\""
fi
;;
eval requiredby_${action}=
esac
done < $TMP_DIR/$f
else
fatal_error "Missing Action File: $f"
fi
if [ -f $fn ]; then
echo " Pre-processing $fn..."
strip_file $f $fn
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
expandv xtarget
temp="${xtarget%:*}"
case "${temp%<*}" in
ACCEPT|DROP|REJECT|LOG|QUEUE)
;;
*)
if list_search $temp $ACTIONS; then
eval requiredby_${xaction}=\"\$requiredby_${xaction} $temp\"
else
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
fatal_error "Invalid TARGET in rule \"$rule\""
fi
;;
ACTIONS="$ACTIONS $xaction"
done < $TMP_DIR/actions
esac
done < $TMP_DIR/$f
else
fatal_error "Missing Action File: $f"
fi
ACTIONS="$ACTIONS $xaction"
fi
done < $TMP_DIR/$inputfile
done
}
#
# Generate the transitive closure of $USEDACTIONS (the actions directly referred to in rules and as common actions) then
@ -2508,7 +2524,7 @@ process_actions2() {
#
for xaction in $USEDACTIONS; do
case $xaction in
dropNonSyn|dropBcasts)
dropNonSyn|dropBcast)
;;
*)
f=action.$xaction
@ -4278,6 +4294,12 @@ initialize_netfilter () {
setcontinue INPUT
setcontinue OUTPUT
if [ -n "$DISABLE_IPV6" ]; then
ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
fi
#
# Enable the Loopback interface for now
#
@ -5441,6 +5463,7 @@ do_initialize() {
ACTIONS=
USEDACTIONS=
SMURF_LOG_LEVEL=
DISABLE_IPV6=
stopping=
have_mutex=
@ -5590,6 +5613,7 @@ do_initialize() {
fi
ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
[ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz"
#

4
Shorewall2/functions
View File

@ -94,6 +94,10 @@ find_file()
*)
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
echo $SHOREWALL_DIR/$1
elif [ -f /etc/shorewall/$1 ]; then
echo /etc/shorewall/$1
elif [ -f /usr/share/shorewall/$1 ]; then
echo /usr/share/shorewall/$1
else
echo /etc/shorewall/$1
fi

13
Shorewall2/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=2.0.0-Beta1
VERSION=2.0.0-Beta2
usage() # $1 = exit status
{
@ -503,7 +503,7 @@ fi
#
# Install the Standard Actions file
#
install_file_with_backup actions.std ${PREFIX}/etc/shorewall/actions.std 0600
install_file_with_backup actions.std ${PREFIX}/usr/share/shorewall/actions.std 0600
echo
echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
@ -521,10 +521,10 @@ fi
# Install the Action files
#
for f in action.* ; do
if [ -f ${PREFIX}/etc/shorewall/$f ]; then
backup_file /etc/shorewall/$f
if [ -f ${PREFIX}/usr/share/shorewall/$f ]; then
backup_file /usr/share/shorewall/$f
else
run_install -o $OWNER -g $GROUP -m 0600 $f ${PREFIX}/etc/shorewall/$f
run_install -o $OWNER -g $GROUP -m 0600 $f ${PREFIX}/usr/share/shorewall/$f
echo
echo "Action ${f#*.} file installed as ${PREFIX}/etc/shorewall/$f"
fi
@ -548,8 +548,9 @@ chmod 644 ${PREFIX}/usr/share/shorewall/version
if [ -z "$PREFIX" ]; then
rm -f /usr/share/shorewall/init
ln -s ${DEST}/firewall /usr/share/shorewall/init
ln -s ${DEST}/shorewall /usr/share/shorewall/init
fi
#
# Install the firewall script
#

72
Shorewall2/releasenotes.txt
View File

@ -1,4 +1,4 @@
Shorewall 2.0.0-Beta1
Shorewall 2.0.0-Beta2
----------------------------------------------------------------------
Problems Corrected since prior version.
@ -27,13 +27,14 @@ Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0:
/etc/shorewall/common.def
/etc/shorewall/common
/etc/shorewall/icmpdef
/etc/shorewall/action.template
The /etc/shorewall/action file now allows an action to be
designated as the "common" action for a particular policy type by
following the action name with ":" and the policy (DROP, REJECT or
ACCEPT).
The file /etc/shorewall/actions.std has been added to define those
The file /usr/share/shorewall/actions.std has been added to define those
actions that are released as part of Shorewall. In that file are
two actions as follows:
@ -51,15 +52,20 @@ Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0:
policies but does not specify such an action in the default
configuration.
/etc/shorewall/actions contains an INCLUDE for
/etc/shorewall/actions.std. This causes a large number of actions to
be defined; in the current release:
The file /usr/share/shorewall/actions.std catalogs the standard
actions and is processed prior to /etc/shorewall/actions. This
causes a large number of actions to be defined. The files which
define these aactions are also located in /usr/share/shorewall as
is the he action template file (action.template).
In the initial release, the following actions are defined:
dropBcast #Silently Drops Broadcast Traffic
dropNonSyn #Silently Drop Non-syn TCP packets
DropBcast #Silently Drops Broadcast Traffic
DropSMB #Silently Drops Microsoft SMB Traffic
RejectSMB #Silently Reject Microsoft SMB Traffic
DropUPnP #Silently Drop UPnP Probes
DropNonSyn #Silently Drop Non-syn TCP packets
RejectAuth #Silently Reject Auth
DropPing #Silently Drop Ping
DropDNSrep #Silently Drop DNS Replies
@ -77,47 +83,38 @@ Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0:
AllowTelnet #Allow Telnet Access (not recommended for use over the
#Internet)
AllowVNC #Allow VNC, Displays 0-9
AllowVNCL #Allow access to VNC viewer in listen mode
AllowNTP #Allow Network Time Protocol (ntpd)
AllowRdate #Allow remote time (rdate).
AllowNNTP #Allow network news (Usenet).
AllowTrcrt #Allows Traceroute (20 hops)
AllowSNMP #Allows SNMP (including traps)
AllowPCA #Allows PCAnywhere (tm).
Drop:DROP #Common rules for DROP policy
Reject:REJECT #Common Action for Reject policy
If you don't want to create all of the action chains, you can remove
the INCLUDE and only include those actions that you need. Here's my
/etc/shorewall/actions file:
if you want to redefine any of the Shorewall-defined actions,
simply copy the appropriate action file from /usr/share/shorewall
to /etc/shorewall and modify the copy as desired. Your modified
copy will be used rather than the original one in
/usr/share/shorewall.
DropBcast #Silently Drops Broadcast Traffic
DropSMB #Silently Drops Microsoft SMB Traffic
RejectSMB #Silently Reject Microsoft SMB Traffic
DropUPnP #Silently Drop UPnP Probes
DropNonSyn #Silently Drop Non-syn TCP packets
RejectAuth #Silently Reject Auth
DropPing #Silently Drop Ping
DropDNSrep #Silently Drop DNS Replies
AllowPing #Accept Ping
Note: The 'dropBcast' and 'dropNonSyn' actions are built into
Shorewall and may not be changed.
Mirrors #Accept traffic from Shorewall Mirrors
MyDrop:DROP
MyReject:REJECT
At any rate, if you have an existing /etc/shorewall/actions file,
then you MUST either add "INCLUDE /etc/shorewall/actions.std" to
that file or you must include the definitions similar to mine above
in your /etc/shorewall/actions file.
Beginning with version 2.0.0-Beta2, Shorewall will only create a
chain for those actions that are actually used.
5) The /etc/shorewall directory no longer contains a 'users' file or a
'usersets' file. Similar functionality is now available using
user-defined actions.
Now, action files created by copying /etc/shorewall/action.template
may now specify a USER and or GROUP name/id in the final column just
like in the rules file (see below). It is thus possible to create
actions that control traffic from a list of users and/or groups.
Now, action files created by copying
/usr/share/shorewall/action.template may now specify a USER and or
GROUP name/id in the final column just like in the rules file (see
below). It is thus possible to create actions that control traffic
from a list of users and/or groups.
The last column in /etc/shorewall/rules is now labeled USER/GROUP
and may contain:
@ -166,5 +163,16 @@ New Features:
(e.g., "ipsec:noah"), then Shorewall will only create rules for
ESP (protocol 50) and will not create rules for AH (protocol 51).
7) A new DISABLE_IPV6 option has been added to shorewall.conf. When
this option is set to "Yes", Shorewall will set the policy for the
IPv6 INPUT, OUTPUT and FORWARD chains to DROP during "shorewall
[re]start" and "shorewall stop". Regardless of the setting of this
variable, "shorewall clear" will silently attempt to set these
policies to ACCEPT.
If this option is not set in your existing shorewall.conf then a
setting of DISABLE_IPV6=No is assumed in which case, Shorewall will
not touch any IPv6 settings except during "shorewall clear".

10
Shorewall2/shorewall.conf
View File

@ -514,6 +514,16 @@ BLACKLISTNEWONLY=Yes
MODULE_SUFFIX=
#
# DISABLE IPV6
#
# Distributions (notably SuSE) are beginning to ship with IPV6
# enabled. If you are not using IPV6, you are at risk of being
# exploited by users who do. Setting DISABLE_IPV6=Yes will cause
# Shorewall to disable IPV6 traffic to/from and through your
# firewall system. This requires that you have ip6tables installed.
DISABLE_IPV6=Yes
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################

62
Shorewall2/shorewall.spec
View File

@ -72,8 +72,6 @@ fi
%attr(0700,root,root) %dir /etc/shorewall
%attr(0700,root,root) %dir /usr/share/shorewall
%attr(0700,root,root) %dir /var/lib/shorewall
%attr(0600,root,root) /usr/share/shorewall/version
%attr(0600,root,root) /etc/shorewall/actions.std
%attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
@ -98,40 +96,44 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowAuth
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowDNS
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowFTP
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowIMAP
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowNNTP
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowNTP
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowPCA
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowPing
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowPOP3
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowRdate
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowSMB
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowSMTP
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowSNMP
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowSSH
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowTelnet
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowTrcrt
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowVNC
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowVNCL*
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.AllowWeb
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.Drop
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.DropDNSrep
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.DropPing
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.DropSMB
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.DropUPnP
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.Reject
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.RejectAuth
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.RejectSMB
%attr(0600,root,root) %config(noreplace) /etc/shorewall/action.template
%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
%attr(0544,root,root) /sbin/shorewall
%attr(0600,root,root) /usr/share/shorewall/version
%attr(0600,root,root) /usr/share/shorewall/actions.std
%attr(0600,root,root) /usr/share/shorewall/action.AllowAuth
%attr(0600,root,root) /usr/share/shorewall/action.AllowDNS
%attr(0600,root,root) /usr/share/shorewall/action.AllowFTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP
%attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowNTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowPCA
%attr(0600,root,root) /usr/share/shorewall/action.AllowPing
%attr(0600,root,root) /usr/share/shorewall/action.AllowPOP3
%attr(0600,root,root) /usr/share/shorewall/action.AllowRdate
%attr(0600,root,root) /usr/share/shorewall/action.AllowSMB
%attr(0600,root,root) /usr/share/shorewall/action.AllowSMTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowSNMP
%attr(0600,root,root) /usr/share/shorewall/action.AllowSSH
%attr(0600,root,root) /usr/share/shorewall/action.AllowTelnet
%attr(0600,root,root) /usr/share/shorewall/action.AllowTrcrt
%attr(0600,root,root) /usr/share/shorewall/action.AllowVNC
%attr(0600,root,root) /usr/share/shorewall/action.AllowVNCL
%attr(0600,root,root) /usr/share/shorewall/action.AllowWeb
%attr(0600,root,root) /usr/share/shorewall/action.Drop
%attr(0600,root,root) /usr/share/shorewall/action.DropDNSrep
%attr(0600,root,root) /usr/share/shorewall/action.DropPing
%attr(0600,root,root) /usr/share/shorewall/action.DropSMB
%attr(0600,root,root) /usr/share/shorewall/action.DropUPnP
%attr(0600,root,root) /usr/share/shorewall/action.Reject
%attr(0600,root,root) /usr/share/shorewall/action.RejectAuth
%attr(0600,root,root) /usr/share/shorewall/action.RejectSMB
%attr(0600,root,root) /usr/share/shorewall/action.template
%attr(0444,root,root) /usr/share/shorewall/functions
%attr(0544,root,root) /usr/share/shorewall/firewall
%attr(0544,root,root) /usr/share/shorewall/help
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog

2
Shorewall2/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=2.0.0-Beta1
VERSION=2.0.0-Beta2
usage() # $1 = exit status
{