diff --git a/LrpN/etc/shorewall/tcrules b/LrpN/etc/shorewall/tcrules
index 61a115df7..304f1be31 100644
--- a/LrpN/etc/shorewall/tcrules
+++ b/LrpN/etc/shorewall/tcrules
@@ -92,6 +92,10 @@
 # iptables include iprange match support, IP address
 # ranges are also allowed.
 #
+# If the MARK column specificies a classification of
+# the form : then this column may also
+# contain an interface name.
+#
 # PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
 # a number, or "all". "ipp2p" requires ipp2p match
 # support in your kernel and iptables.
diff --git a/LrpN/sbin/shorewall b/LrpN/sbin/shorewall
index 7de91b39b..3683c2e2c 100755
--- a/LrpN/sbin/shorewall
+++ b/LrpN/sbin/shorewall
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Shorewall Packet Filtering Firewall Control Program - V2.1
+# Shorewall Packet Filtering Firewall Control Program - V2.2
 #
 # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
@@ -333,10 +333,9 @@ packet_log() # $1 = number of messages
 [ -n "$realtail" ] && options="-n$1"
- grep "${LOGFORMAT}\|ipt_unclean" $LOGFILE | \
+ grep "${LOGFORMAT}" $LOGFILE | \
 sed s/" kernel:"// | \
 sed s/" $host $LOGFORMAT"/" "/ | \
- sed s/" $host kernel: ipt_unclean: "/" "/ | \
 sed 's/MAC=.* SRC=/SRC=/' | \
 tail $options
 }
@@ -870,7 +869,7 @@ case "$1" in
 [ $# -gt 2 ] && usage 1
 echo "Shorewall-$version Connections at $HOSTNAME - $(date)"
 echo
- cat /pro/net/ip_conntrack
+ cat /proc/net/ip_conntrack
 ;;
 nat)
 [ $# -gt 2 ] && usage 1
diff --git a/LrpN/usr/share/shorewall/firewall b/LrpN/usr/share/shorewall/firewall
index 456584f4f..612ac167d 100755
--- a/LrpN/usr/share/shorewall/firewall
+++ b/LrpN/usr/share/shorewall/firewall
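Review bot: The rewritten `grep "${LOGFORMAT}" $LOGFILE | \` in packet_log still hands LOGFORMAT to grep as a basic regular expression and leaves `$LOGFILE` unquoted, so a LOGFORMAT containing `.`, `[` or `*` matches lines that are not firewall log entries and a LOGFILE path with whitespace is split into several arguments. If the prefix is meant to match literally, `grep -F -- "$LOGFORMAT" "$LOGFILE" | \` makes that explicit and also keeps a LOGFORMAT beginning with `-` from being parsed as an option; I cannot see from this hunk whether LOGFORMAT has already been reduced to a plain prefix before packet_log runs, so confirm that before switching to -F. Dropping the `\|ipt_unclean` alternation also removes a GNU-only regex extension, which is worth a line in the release notes since entries produced by the old ipt_unclean match will no longer appear in this function's output. packet_log's opening lines are outside the hunk.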
@@ -2344,7 +2344,16 @@ process_tc_rule()
 [ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
- [ "x$dest" = "x-" ] || r="${r}$(dest_ip_range $dest) "
+ if [ "x$dest" != "x-" ]; then
+ case $dest in
+ *.*.*)
+ r="${r}$(dest_ip_range $dest) "
+ ;;
+ *)
+ r="${r}$(match_dest_dev $dest) "
+ ;;
+ esac
+ fi
 if [ "x$proto" = xipp2p ]; then
 [ "x$port" = "x-" ] && port="ipp2p"
diff --git a/LrpN/usr/share/shorewall/rfc1918 b/LrpN/usr/share/shorewall/rfc1918
index 2c6304a92..038525465 100644
--- a/LrpN/usr/share/shorewall/rfc1918
+++ b/LrpN/usr/share/shorewall/rfc1918
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.1 -- RFC1918 File
+# Shorewall 2.2 -- RFC1918 File
 #
 # /etc/shorewall/rfc1918
 #
@@ -12,16 +12,17 @@
 #
 # Columns are:
 #
-# SUBNET The subnet (host addresses also allowed as are IP
+# SUBNETS A comma-separated list of subnet addresses
+# (host addresses also allowed as are IP
 # address ranges provided that your kernel and iptables
-# have iprange match support).
+# have iprange match support).
 # TARGET Where to send packets to/from this subnet
 # RETURN - let the packet be processed normally
 # DROP - silently drop the packet
 # logdrop - log then drop
 #
 ###############################################################################
-#SUBNET TARGET
+#SUBNETS TARGET
 172.16.0.0/12 logdrop # RFC 1918
 192.168.0.0/16 logdrop # RFC 1918
 10.0.0.0/8 logdrop # RFC 1918
diff --git a/LrpN/usr/share/shorewall/version b/LrpN/usr/share/shorewall/version
index d977366ad..16b54a05e 100644
--- a/LrpN/usr/share/shorewall/version
+++ b/LrpN/usr/share/shorewall/version
@@ -1 +1 @@
-2.2.0-Beta2
+2.2.0-Beta3
diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml
index 983a9b73b..6a0223d6e 100644
--- a/Shorewall-docs2/Documentation_Index.xml
+++ b/Shorewall-docs2/Documentation_Index.xml
@@ -15,7 +15,7 @@
- 2004-10-06
+ 2004-11-03
 2001-2004
@@ -23,7 +23,7 @@
 Thomas M. Eastep
- 2.0.3
+ 2.2.0 Beta 2
 Permission is granted to copy, distribute and/or modify this
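Review bot: The new `case $dest in *.*.*)` pattern is the only thing separating an address from an interface name, and nothing in the hunk enforces the restriction this same commit adds to the tcrules comments (an interface name is only permitted when MARK is a major:minor classification). A mistyped address with fewer than three dots, for example `192.168.1/24`, is therefore passed silently to `match_dest_dev` and becomes an interface match instead of a configuration error, and if that helper emits `-o` for a rule that lands in PREROUTING the failure only surfaces when iptables rejects it at start time, which I cannot confirm from here. I would guard the fallback arm with the classify condition, roughly `*) [ -n "$classify" ] || fatal_error "Interface name in DEST requires a classification in MARK: $dest"` using whatever variable the earlier mark parsing sets and the script's usual fatal-error helper, or validate `$dest` against the configured interface list before calling match_dest_dev. process_tc_rule begins and ends outside this hunk.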
@@ -337,6 +337,10 @@ Installation/Upgrade + + IPP2P + + IPSEC diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml index 1e59803e0..3f92b63c9 100644 --- a/Shorewall-docs2/FAQ.xml +++ b/Shorewall-docs2/FAQ.xml @@ -17,7 +17,7 @@ - 2004-10-30 + 2004-11-05 2001-2004 @@ -539,7 +539,7 @@ to debug/develop the newnat interface.
- (FAQ 4c) How to I use Shorewall with PortSentry? + (FAQ 4c) How do I use Shorewall with PortSentry? Here's @@ -851,7 +851,8 @@ LOGBURST=""
- (FAQ 17) Why are these packets being Dropped/Rejected? + (FAQ 17) Why are these packets being Dropped/Rejected?/How do I + decode Shorewall log messages? Answer: Logging of dropped/rejected packets occurs out of a number of chains (as indicated @@ -1465,6 +1466,12 @@ Creating input Chains... Shorewall. See the SHOREWALL_SHELL variable in shorewall.conf. + Use a fast terminal emulator -- in particular the KDE konsole + scrolls much faster than the Gnome terminal. Also use the '-q' option if + you are restarting remotely or from a slow terminal (or redirect the + output to a file as in shorewall restart > + /dev/null). + Beginning with Shorewall version 2.0.2 Beta 1, Shorewall supports a fast start capability. To use this capability: @@ -1965,6 +1972,26 @@ REJECT fw net:216.239.39.99 allGiven that Revision History + + 1.37 + + 2004-11-05 + + TE + + Added second title to FAQ 17. + + + + 1.36 + + 2004-11-04 + + TE + + Add note about Gnome Terminal. + + 1.35 diff --git a/Shorewall-docs2/IPP2P.xml b/Shorewall-docs2/IPP2P.xml new file mode 100644 index 000000000..5dadb3d3b --- /dev/null +++ b/Shorewall-docs2/IPP2P.xml @@ -0,0 +1,104 @@ + + +
+ + + + Shorewall and ipp2p + + + + Tom + + Eastep + + + + 2004-11-04 + + + 2004 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ Introduction + + Shorewall verions 2.2.0 and later include support for the ipp2p + match facility. This is a departure from my usual policy in that the ipp2p + match facility is included in Patch-O-Matic-NG and is unlikely to ever be + included in the kernel.org source tree. Questions about how to install the + patch or how to build your kernel and/or iptables should not be posted on + the Shorewall mailing lists but should rather be referred to the Netfilter + Mailing List. +
+ +
+ Scope + + In the following files, the "PROTO" or "PROTOCOL" column may contain + "ipp2p": + + + /etc/shorewall/rules + + /etc/shorewall/tcrules + + /etc/shorewall/accounting + + + When the PROTO or PROTOCOL column contains "ipp2p" then the DEST + PORT(S) or PORT(S) column may contain a recognized ipp2p option; for a + list of the options and their meaning, at a root prompt type: + + iptables -m ipp2p --help + + You must not include the leading "--" on the option; Shorewall will + supply those characters for you. If you do not include an option then + "ipp2p" is assumed (Shorewall will generate "-m ipp2p --ipp2p"). +
+ +
+ Example (assumes that you are running Shorewall 2.2.0 Beta 3 or + later): + + Example 2 in the ipp2p documentation recommends the following + iptables rules: + + 01# iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark +02# iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT +03# iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1 +04# iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark + +05# iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 1 -j CLASSIFY --set-class 1:12 +06# iptables -t mangle -A POSTROUTING -o eth1 -m mark --mark 1 -j CLASSIFY --set-class 2:12 + + These are implemented in the /etc/shorewall/tcrules file as + follows: + + #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST +# PORT(S) +RESTORE:P - - tcp +CONTINUE:P - - tcp - - - !0 +1:P - - ipp2p ipp2p +SAVE:P - - tcp - - - 1 +1:12 - eth0 - - - - 1 +2:12 - eth1 - - - - 1 +
+
\ No newline at end of file diff --git a/Shorewall-docs2/images/postfix-white.gif b/Shorewall-docs2/images/postfix-white.gif index 90df1fcab..e1ab7639c 100644 Binary files a/Shorewall-docs2/images/postfix-white.gif and b/Shorewall-docs2/images/postfix-white.gif differ diff --git a/Shorewall2/fallback.sh b/Shorewall2/fallback.sh index 4544886a2..f8c78c33f 100755 --- a/Shorewall2/fallback.sh +++ b/Shorewall2/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=2.2.0-Beta2 +VERSION=2.2.0-Beta3 usage() # $1 = exit status { diff --git a/Shorewall2/install.sh b/Shorewall2/install.sh index 3dc1c648c..4c7232a6e 100755 --- a/Shorewall2/install.sh +++ b/Shorewall2/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=2.2.0-Beta2 +VERSION=2.2.0-Beta3 usage() # $1 = exit status { diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index e83d05745..7e52fbf86 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -114,7 +114,7 @@ Problems corrected since 2.2.0 Beta 2. 1) Missing '#' in the rfc1918 file. -2) The INSTALL file now include special instructions for Slackware +2) The INSTALL file now includes special instructions for Slackware users. ----------------------------------------------------------------------- diff --git a/Shorewall2/shorewall.spec b/Shorewall2/shorewall.spec index ef4eac411..3d66402b9 100644 --- a/Shorewall2/shorewall.spec +++ b/Shorewall2/shorewall.spec @@ -1,6 +1,6 @@ %define name shorewall %define version 2.2.0 -%define release 0Beta2 +%define release 0Beta3 %define prefix /usr Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. 
@@ -137,6 +137,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Tue Nov 09 2004 Tom Eastep tom@shorewall.net +- Updated to 2.2.0-0Beta3 * Tue Nov 02 2004 Tom Eastep tom@shorewall.net - Updated to 2.2.0-0Beta2 * Fri Oct 22 2004 Tom Eastep tom@shorewall.net diff --git a/Shorewall2/uninstall.sh b/Shorewall2/uninstall.sh index ecfe97576..9eb1c2712 100755 --- a/Shorewall2/uninstall.sh +++ b/Shorewall2/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=2.2.0-Beta2 +VERSION=2.2.0-Beta3 usage() # $1 = exit status {