From 1026b57442580e2fde1b80705263ce6e49a35429 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 9 Nov 2004 21:55:11 +0000
Subject: [PATCH] Changes for Shorewall 2.2.0 Beta 3
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1743 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 LrpN/etc/shorewall/tcrules | 4 +
 LrpN/sbin/shorewall | 7 +-
 LrpN/usr/share/shorewall/firewall | 11 ++-
 LrpN/usr/share/shorewall/rfc1918 | 9 +-
 LrpN/usr/share/shorewall/version | 2 +-
 Shorewall-docs2/Documentation_Index.xml | 8 +-
 Shorewall-docs2/FAQ.xml | 33 ++++++-
 Shorewall-docs2/IPP2P.xml | 104 +++++++++++++++++++++++
 Shorewall-docs2/images/postfix-white.gif | Bin 1488 -> 3616 bytes
 Shorewall2/fallback.sh | 2 +-
 Shorewall2/install.sh | 2 +-
 Shorewall2/releasenotes.txt | 2 +-
 Shorewall2/shorewall.spec | 4 +-
 Shorewall2/uninstall.sh | 2 +-
 14 files changed, 170 insertions(+), 20 deletions(-)
 create mode 100644 Shorewall-docs2/IPP2P.xml
diff --git a/LrpN/etc/shorewall/tcrules b/LrpN/etc/shorewall/tcrules
index 61a115df7..304f1be31 100644
--- a/LrpN/etc/shorewall/tcrules
+++ b/LrpN/etc/shorewall/tcrules
@@ -92,6 +92,10 @@
 # iptables include iprange match support, IP address
 # ranges are also allowed.
 #
+# If the MARK column specificies a classification of
+# the form : then this column may also
+# contain an interface name.
+#
 # PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
 # a number, or "all". "ipp2p" requires ipp2p match
 # support in your kernel and iptables.
diff --git a/LrpN/sbin/shorewall b/LrpN/sbin/shorewall
index 7de91b39b..3683c2e2c 100755
--- a/LrpN/sbin/shorewall
+++ b/LrpN/sbin/shorewall
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Shorewall Packet Filtering Firewall Control Program - V2.1
+# Shorewall Packet Filtering Firewall Control Program - V2.2
 #
 # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
@@ -333,10 +333,9 @@ packet_log() # $1 = number of messages
 [ -n "$realtail" ] && options="-n$1"
- grep "${LOGFORMAT}\|ipt_unclean" $LOGFILE | \
+ grep "${LOGFORMAT}" $LOGFILE | \
 sed s/" kernel:"// | \
 sed s/" $host $LOGFORMAT"/" "/ | \
- sed s/" $host kernel: ipt_unclean: "/" "/ | \
 sed 's/MAC=.* SRC=/SRC=/' | \
 tail $options
 }
@@ -870,7 +869,7 @@ case "$1" in
 [ $# -gt 2 ] && usage 1
 echo "Shorewall-$version Connections at $HOSTNAME - $(date)"
 echo
- cat /pro/net/ip_conntrack
+ cat /proc/net/ip_conntrack
 ;;
 nat)
 [ $# -gt 2 ] && usage 1
diff --git a/LrpN/usr/share/shorewall/firewall b/LrpN/usr/share/shorewall/firewall
index 456584f4f..612ac167d 100755
--- a/LrpN/usr/share/shorewall/firewall
+++ b/LrpN/usr/share/shorewall/firewall
@@ -2344,7 +2344,16 @@ process_tc_rule()
 [ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
- [ "x$dest" = "x-" ] || r="${r}$(dest_ip_range $dest) "
+ if [ "x$dest" != "x-" ]; then
+ case $dest in
+ *.*.*)
+ r="${r}$(dest_ip_range $dest) "
+ ;;
+ *)
+ r="${r}$(match_dest_dev $dest) "
+ ;;
+ esac
+ fi
 if [ "x$proto" = xipp2p ]; then
 [ "x$port" = "x-" ] && port="ipp2p"
diff --git a/LrpN/usr/share/shorewall/rfc1918 b/LrpN/usr/share/shorewall/rfc1918
index 2c6304a92..038525465 100644
--- a/LrpN/usr/share/shorewall/rfc1918
+++ b/LrpN/usr/share/shorewall/rfc1918
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.1 -- RFC1918 File
+# Shorewall 2.2 -- RFC1918 File
 #
 # /etc/shorewall/rfc1918
 #
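Review bot: With the `\|ipt_unclean` alternation removed, the pattern on the new grep line is a plain string, yet it is still handed to grep as a basic regular expression and `$LOGFILE` is left unquoted: a LOGFORMAT containing `.`, `*` or `[` is interpreted as metacharacters, and an empty LOGFORMAT matches every line of the log, so the tail shows arbitrary kernel messages rather than firewall entries. `grep -F -- "$LOGFORMAT" "$LOGFILE" | \` matches it literally, protects a value beginning with `-`, and survives a log path containing spaces. The unchanged `sed s/" $host $LOGFORMAT"/" "/` line presumably has the same exposure, since a `/` in either value breaks the expression; whether shorewall.conf constrains LOGFORMAT enough to rule that out is not visible here. packet_log's opening line sits just above the hunk; its closing brace is inside it.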
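Review bot: The new `case $dest in *.*.*)` in process_tc_rule decides between an address and an interface purely by counting dots, so any DEST with fewer than two dots that is not an interface — a one- or two-label host name, for instance — falls into the `*)` arm and is passed to match_dest_dev, and nothing in the hunk checks that an interface DEST is used only with a classification MARK, which is the contract the tcrules comment in this same patch documents. If match_dest_dev emits `-o`, as its name suggests, a plain MARK rule with an interface in DEST would be rejected only by iptables at load time (in PREROUTING `-o` is not valid), with no hint that the tcrules entry is the cause. I would have the `*)` arm fail the rule with a message naming `$dest` unless the classification condition process_tc_rule establishes earlier (outside this hunk) holds, so the error is reported by Shorewall rather than by iptables. process_tc_rule begins and ends outside the hunk.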
@@ -12,16 +12,17 @@ # # Columns are: # -# SUBNET The subnet (host addresses also allowed as are IP +# SUBNETS A comma-separated list of subnet addresses +# (host addresses also allowed as are IP # address ranges provided that your kernel and iptables -# have iprange match support). +# have iprange match support). # TARGET Where to send packets to/from this subnet # RETURN - let the packet be processed normally # DROP - silently drop the packet # logdrop - log then drop # ############################################################################### -#SUBNET TARGET +#SUBNETS TARGET 172.16.0.0/12 logdrop # RFC 1918 192.168.0.0/16 logdrop # RFC 1918 10.0.0.0/8 logdrop # RFC 1918 diff --git a/LrpN/usr/share/shorewall/version b/LrpN/usr/share/shorewall/version index d977366ad..16b54a05e 100644 --- a/LrpN/usr/share/shorewall/version +++ b/LrpN/usr/share/shorewall/version @@ -1 +1 @@ -2.2.0-Beta2 +2.2.0-Beta3 diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml index 983a9b73b..6a0223d6e 100644 --- a/Shorewall-docs2/Documentation_Index.xml +++ b/Shorewall-docs2/Documentation_Index.xml @@ -15,7 +15,7 @@ - 2004-10-06 + 2004-11-03 2001-2004 @@ -23,7 +23,7 @@ Thomas M. Eastep - 2.0.3 + 2.2.0 Beta 2 Permission is granted to copy, distribute and/or modify this @@ -337,6 +337,10 @@ Installation/Upgrade + + IPP2P + + IPSEC diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml index 1e59803e0..3f92b63c9 100644 --- a/Shorewall-docs2/FAQ.xml +++ b/Shorewall-docs2/FAQ.xml @@ -17,7 +17,7 @@ - 2004-10-30 + 2004-11-05 2001-2004 @@ -539,7 +539,7 @@ to debug/develop the newnat interface.
- (FAQ 4c) How to I use Shorewall with PortSentry? + (FAQ 4c) How do I use Shorewall with PortSentry? Here's @@ -851,7 +851,8 @@ LOGBURST=""
- (FAQ 17) Why are these packets being Dropped/Rejected? + (FAQ 17) Why are these packets being Dropped/Rejected?/How do I + decode Shorewall log messages? Answer: Logging of dropped/rejected packets occurs out of a number of chains (as indicated @@ -1465,6 +1466,12 @@ Creating input Chains... Shorewall. See the SHOREWALL_SHELL variable in shorewall.conf. + Use a fast terminal emulator -- in particular the KDE konsole + scrolls much faster than the Gnome terminal. Also use the '-q' option if + you are restarting remotely or from a slow terminal (or redirect the + output to a file as in shorewall restart > + /dev/null). + Beginning with Shorewall version 2.0.2 Beta 1, Shorewall supports a fast start capability. To use this capability: @@ -1965,6 +1972,26 @@ REJECT fw net:216.239.39.99 allGiven that Revision History + + 1.37 + + 2004-11-05 + + TE + + Added second title to FAQ 17. + + + + 1.36 + + 2004-11-04 + + TE + + Add note about Gnome Terminal. + + 1.35 diff --git a/Shorewall-docs2/IPP2P.xml b/Shorewall-docs2/IPP2P.xml new file mode 100644 index 000000000..5dadb3d3b --- /dev/null +++ b/Shorewall-docs2/IPP2P.xml @@ -0,0 +1,104 @@ + + +
+ + + + Shorewall and ipp2p + + + + Tom + + Eastep + + + + 2004-11-04 + + + 2004 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ Introduction + + Shorewall verions 2.2.0 and later include support for the ipp2p + match facility. This is a departure from my usual policy in that the ipp2p + match facility is included in Patch-O-Matic-NG and is unlikely to ever be + included in the kernel.org source tree. Questions about how to install the + patch or how to build your kernel and/or iptables should not be posted on + the Shorewall mailing lists but should rather be referred to the Netfilter + Mailing List. +
+ +
+ Scope + + In the following files, the "PROTO" or "PROTOCOL" column may contain + "ipp2p": + + + /etc/shorewall/rules + + /etc/shorewall/tcrules + + /etc/shorewall/accounting + + + When the PROTO or PROTOCOL column contains "ipp2p" then the DEST + PORT(S) or PORT(S) column may contain a recognized ipp2p option; for a + list of the options and their meaning, at a root prompt type: + + iptables -m ipp2p --help + + You must not include the leading "--" on the option; Shorewall will + supply those characters for you. If you do not include an option then + "ipp2p" is assumed (Shorewall will generate "-m ipp2p --ipp2p"). +
+ +
+ Example (assumes that you are running Shorewall 2.2.0 Beta 3 or + later): + + Example 2 in the ipp2p documentation recommends the following + iptables rules: + + 01# iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark +02# iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT +03# iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1 +04# iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark + +05# iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 1 -j CLASSIFY --set-class 1:12 +06# iptables -t mangle -A POSTROUTING -o eth1 -m mark --mark 1 -j CLASSIFY --set-class 2:12 + + These are implemented in the /etc/shorewall/tcrules file as + follows: + + #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST +# PORT(S) +RESTORE:P - - tcp +CONTINUE:P - - tcp - - - !0 +1:P - - ipp2p ipp2p +SAVE:P - - tcp - - - 1 +1:12 - eth0 - - - - 1 +2:12 - eth1 - - - - 1 +
+
\ No newline at end of file 
diff --git a/Shorewall-docs2/images/postfix-white.gif b/Shorewall-docs2/images/postfix-white.gif index 90df1fcabbea5b0de41b9c7f1e3420949f9b3932..e1ab7639c596616d36102637b67d645669a10ac0 100644 GIT binary patch literal 3616 zcmbW(`CpQG0>JU_^Kc(80YL*XMMOlS!t%BQP!o>|O^wVH$s^11oWjW|yvpL&C#aa@X8}?%q+8P2JP6cDaxj)t(@Kc7xw)he17``1g`V+ipv9A!I`B1z<@+C z^FU*m){GPg=j>?Bb9QuFvRDgGY=Nv#pm}y4#QRcI32Qz4DJ6*C$5G28VCXj}_m& zH}U+pdgI*hfBkX#Sep zanGj&^SGRm5pLo@OERBBLNnT@7`-ea+LFz>F*|2VM^O3;mvC8@6dW3riN=vAbQX90 z_?^4BslSFrdKLT;4^C{$L8a(`ATc0ZH&lH{HA;7!QFI|>e;0kTe?hLjzZzgs6^li zM0sBco{Qp@+OQ!EhU}~%b)VXpg8r+dFBeMB9u)1nu}au;pmpZdZ*b2aKlGwVJ3c)m zqm^w!n6t2|v4m0b@h^jdaoW{vleIEQ3Nr*Rg1jJ!Nmt+~ROQmSIlz$dSCv$SYQkO4 z!%}m!koQf!epqoJe)Da#b9uW62xcWzhl+thLTm&kMFx%pmp~j-pOBf>d0zt|VA&Hk+dAvV~ zH!Xe%@2WGD@n@FwyQ8}+$2_CAS)L2Na5WJ|%fdOzkS>rwD6p zDMZ6PFeRQHL0DqrdXTle%_dNQM9!uLq zcLFk7J|fpsbH#C7sj8>U*WhiYdKj@7uqeE}(gf=@nTt*(ZAXcQ#cBfu3t3#w#W?bX zt_17J)#vL-NL`R~$mtDYcyQ7a}k6bcy}fj z@^iiK{xug567H~cVOu8jZuRtY(YMRt(7Cl zWI*s6U!mH0e`_xXA4*q4)UH9ae_Azs-52s;&d!&nT`2#9w9}#s{1)||84`y_xJTdP zxU=#yj&7vkcc{QZ5mxnERem@s{?s|XI``3T6)8m1=d(c5VR`a(Ntp(-Eqa^RNF2&M z4csX*@>Uj=vR($?b7TWi291Kqw4NhVTx)RZ!)B-8N%X^pUmp7#DYHWW#ZB``SK>8z zsy&6Tw?POtO3<8e!pt+5mH!r0@lY%U0)@PPBFrJxb8>}K`5C&pa_E)()kVx2ugNPX zXBff_qn!>`x|N#;i2jSW2+P!{x14%9WyM;)Srso@^&MYe+G+XleSOROn6`(wY@bfm_7`idETD_6AhB!h!>N)|D<#~atupaom z$XBLi9i5Y$D?(%WzW$PRtCB15?cp$%7MdbS8~?zUHsO#Nw6j*oCW!#7*?D&trsozW z`XiI@;@+hjFJ#ud@n!KG1d=K>#8IC?*t7z~F$-O`yK&*sI^|py^MO39)z}M%5|*D{ zowR+T9TZMZz&3T9&Yb+3661vD0ci9e=bbIMvMJ=4?2=Wa2|AjnWolR7WV(munF}N3 z(*O#dnr$zm2_b?^1%o~u&v`Jvh4B`cS@D`8ohdxo$lKdt_2x(B_Lklm6ANq#0PYt(gnr5zdnp6F% z+y_qJA60i>CnZ1F)A+JG^6x9*jlUMix7H6C(3H_6TDupA|9Na31#T6zy+m56hH#uT z8GoA|2wX2g&t2Nr+RtVA31~4luCo>v9Q2t#b_*>xnx2-f+Je}c4t}ovlr*VHDC}ktriC6G?DjeJq(OM-6-5;tK;GW>%LwSaPzfuIY`iqH^vvb= zxukD*7E8MDVQO1bC)b76hOgyH+4QJ-M0kcj(ztR{y)i&+<;jsT_oXb>%{=|SAsb(P zF^@ph(^|*HtLZLK!a`P2Wn-6DmBRWy)mm7;$mIMme0_0;&3**R^V+a&Yb8ye+%5IF 
zb+@v}g+}C=$sV5z?v!(5a&e*2D{KIsTyH+)n0mpu1x)VwfJ&P|>_>?pXL-5HPYEcN ziN1DrRWssWn^_w}l)wFBDjAmaH$$goxOy zuj8h0vUI0hOG@{_Me^@hYs357>&45>0gxVIRj;>S>4u|Fb2!q{(Ixuc>~6_}%LP^V z4yuuwruwk$pvA*Q!fm%E({{aaO?{_)h4`p<1Lqn5O0b&(8MCd%BPf&a_cNw+J7}Wbi(I^G=Qg9r5P+*(7Pj`W#;-=kOaMI%26~?J3OpeRBC;? zqYD+7Z{E+7vNt@#_0KWuga@Lo04>ULLJh3+Ip%^y0?M}ZDO>E2zmt>yxiD9$0Ky*T z9#t$ez}`x@JmsdGP?EPlooZ(QT?tNi+Yauoitd#cK5k&uP2ia_pM)X{2e9f&Cq78K zw`FjLtHOT$6MW!Jifa;COU5u=*eWePGSbFR0nAtwON!NKfl_tfLph}Uecz_AbBx4$ zaf%hBchZo9Fbrq}Y-8a@70#2 z;{A)AQ%?vCmE%aL8vRAxs!A}!X=qzCmf0G*PGi-rv7Xl0e9^Fm6RTadoGn^zww9;U zR@1cnY3(wcWi`_G-Dgp%0~fFt-<5_SfWJ6R>nqi+9kvhyp~5^d?t}E1Op7L4d|#sw;lA*va@mq`u8E8Hb8-{2mOrt>pHLuUUsj6` zAycPemXSNJv5FRP-+R_vnRi*Lsv-FzKfs=GdCHvZstiVrSV&dOg+c8VIm2+Q)ABJ9 z(pyXylewl($YQT5pho6+RVT&+YBwn-*{gmWj=SQ-Bl8a*a{8D3LH}{xQgHOduz#Xo zq?%FlX~puZ!xldC)%}9ucb(2-q(V;ruG~HBSU{K}p0Abw&oLdNuziqno?U$Np&53;7*1OsDe$taU z-Bnz5)omT}RJQA4F-$KEt6n;eX909j#>qFhni;2t$1k~K>AK*?ia(uvT%K|_ZmFt1 z?f$*F*512;QVJjQLeee3ypxs_73JoIpRM&ZAHdZy8a#s1uyzXNk%w1VSE5W0HOc@ps?_{#q_AR@yF5k*xvc(>ihBZ{r>*{EC2ui0DJ&K z000R7009UbNU)&6g9sBUT*$DY!-o(fN}NcsqD6`V258(!;DCXR0|Z+|lX500#(ARy^?Y%AQ%T4$mEuz-Iy|?`roe&~?kvxD);= zWhlTn!Hxy)q83QB0DzV5iT7T48$iePfw9ByIbgiP^7E-gT73mkh2LgI8AMZF2B21) zdo*>15Ka2&$I@OA3ItYD*bzukTOE2AAWz{6B-ld5DHT#iBhlpCdqqv<8)hBW*x^HS zNr+H!hryJQZ#4pt)nyb}ca;DIycL^GB_221flIiu$x80RJ1t(Jg3Yu6HYOYDi z5RXnJY1&%l#rGdlH8u6zmGk8!WJIzVWZghNDu-r&lWo@b)sTWXF zG0GBGBYp*?MAoHh6N<44gxmqVnHN-6HVQawdU_5iQ&zM=3MoTF3WQR6de!<@c_K}l z8*rzE)f1i~@n#gUrQJkjLzOkTnNrqa8z4^BX^9bnC3foWn9r4&q_dWGiBMKI8H#0g ze)5#$icLZqFL&>0HZZytA&Ia{*l7f*z=68R6Mvhw#+i05^<-m*s3u2{%8xzEl&?q5Z`cA$(-QUBO{M)k+LiDKfZRKf7++Bm#88A>m>-JQ16jMg?kWJmhZ&b`<{ zb6dOOCBT;WEH}#W75o0Qo@xoJEM;O15KQH!7eAQ=Bu zBvhy)73spV!R0jsY%KcwdF3j+sN#w z#;L3c$xU?u;=q7r6w{n1SX0u-sM@9+M!D%OM=>5>P6M&#sEI4VBMWnIbg|F%r$NuN zAN#bUy)*&`jn?ysQ%onDx^&1rTMXi^hDEmYJ;Y`ti<9UuhLjA-MTveImzCJbwTa$c`g5dlMQwfBfsAG1_NHONO(6y%2&+Vb94vO{LF-{APrBkrOL2)MH?bH& 
zh62Bouu4d(>`W+11L}gfHw8ry*lX}~B%BiI@mSKK1So%-mPvvJ;W+JsP}&eU_%!_}vp qD$}J91t}SsUVXCa6YDUMsyjv9N9Y6AvYPd*XickH*J_Y}002AnbhnlO diff --git a/Shorewall2/fallback.sh b/Shorewall2/fallback.sh index 4544886a2..f8c78c33f 100755 --- a/Shorewall2/fallback.sh +++ b/Shorewall2/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=2.2.0-Beta2 +VERSION=2.2.0-Beta3 usage() # $1 = exit status { diff --git a/Shorewall2/install.sh b/Shorewall2/install.sh index 3dc1c648c..4c7232a6e 100755 --- a/Shorewall2/install.sh +++ b/Shorewall2/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=2.2.0-Beta2 +VERSION=2.2.0-Beta3 usage() # $1 = exit status { diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index e83d05745..7e52fbf86 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -114,7 +114,7 @@ Problems corrected since 2.2.0 Beta 2. 1) Missing '#' in the rfc1918 file. -2) The INSTALL file now include special instructions for Slackware +2) The INSTALL file now includes special instructions for Slackware users. ----------------------------------------------------------------------- diff --git a/Shorewall2/shorewall.spec b/Shorewall2/shorewall.spec index ef4eac411..3d66402b9 100644 --- a/Shorewall2/shorewall.spec +++ b/Shorewall2/shorewall.spec @@ -1,6 +1,6 @@ %define name shorewall %define version 2.2.0 -%define release 0Beta2 +%define release 0Beta3 %define prefix /usr Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -137,6 +137,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Tue Nov 09 2004 Tom Eastep tom@shorewall.net +- Updated to 2.2.0-0Beta3 * Tue Nov 02 2004 Tom Eastep tom@shorewall.net - Updated to 2.2.0-0Beta2 * Fri Oct 22 2004 Tom Eastep tom@shorewall.net 
diff --git a/Shorewall2/uninstall.sh b/Shorewall2/uninstall.sh
index ecfe97576..9eb1c2712 100755
--- a/Shorewall2/uninstall.sh
+++ b/Shorewall2/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Seattle Firewall
-VERSION=2.2.0-Beta2
+VERSION=2.2.0-Beta3
 usage() # $1 = exit status
 {