diff --git a/contrib/shoregen/AUTHORS b/contrib/shoregen/AUTHORS deleted file mode 100644 index 3cedc2493..000000000 --- a/contrib/shoregen/AUTHORS +++ /dev/null @@ -1 +0,0 @@ -Paul Gear diff --git a/contrib/shoregen/BUGS b/contrib/shoregen/BUGS deleted file mode 100644 index f84a1ad55..000000000 --- a/contrib/shoregen/BUGS +++ /dev/null @@ -1 +0,0 @@ -None known at present. diff --git a/contrib/shoregen/COPYING b/contrib/shoregen/COPYING deleted file mode 100644 index 5b6e7c66c..000000000 --- a/contrib/shoregen/COPYING +++ /dev/null 
@@ -1,340 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. 
- - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. 
The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. 
(Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. 
You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. 
- -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. 
If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. 
- - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) year name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Library General -Public License instead of this License. 
diff --git a/contrib/shoregen/ChangeLog b/contrib/shoregen/ChangeLog deleted file mode 100644 index 500f06250..000000000 --- a/contrib/shoregen/ChangeLog +++ /dev/null @@ -1,14 +0,0 @@ -0.1.1 Paul Gear No idea when - - Initial release. - -0.1.2 Paul Gear No idea when - - Removed filtering of zones that are on the same interface. - This caused problems when a zone was accessible via more than - one interface. - -0.1.3 Paul Gear No idea when - - Optimisation to detect whether system is a router and remove - redundant zones from rules and policies if so. - -3.2.0-beta1 Paul Gear - - First attempt at compatibility with Shorewall 3.2.x. diff --git a/contrib/shoregen/README b/contrib/shoregen/README deleted file mode 100644 index ceac0ef72..000000000 --- a/contrib/shoregen/README +++ /dev/null 
@@ -1,124 +0,0 @@ -Shoreline Firewall configuration generator -(c) Copyright 2004-2006 Paul D. Gear - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - - -SHOREWALL - -The quick plug: - - - Shorewall is the only firewall i trust. - -The IT Manager plug: - - - Shorewall is a policy-driven firewall which lets you think about your - firewall at a higher level than iptables commands. - -The hard sell to you crazy people still maintaining manual firewall scripts: - - - Shorewall is a wrapper around the kernel iptables, so your existing - Linux firewall skills transfer. I converted from a 900-plus-line - ipchains shell script to around 50 lines of shorewall configuration in - less than 4 hours, with no prior experience. - - -ISSUES - - - I'm paranoid - i want more than one firewall between me and the world. - - - Configuring multiple firewalls separately is a recipe for getting your - rules out of sync, and allowing security problems to creep in. - - - IT Manager types (like me) like to know their policy is consistently - implemented. - - -SOLUTION - -Shoregen is a script that generates shorewall configurations for multiple -firewalls from a common set of rules and policies. 
Only the minimal -information necessary for operation is stored on each firewall, so, for -example, your DMZ server doesn't need to know about the rules on your -internal network, but at the same time, it gets consistent rules to your -outer guard. - - -PHILOSOPHY - -Shoregen assumes the X-Files approach to firewall design: trust no one. -That is, paranoia is a virtue. All access should be as limited as possible -for things to work. If you don't already agree with this philosophy, you -may find some of the things shoregen does frustrating, but then again, -you're probably not reading this document. :-) - - -DESIGN - -Shoregen distinguishes between two different types of shorewall -configuration files. Most shorewall configuration files are simply -concatenated together from parts constructed from common and host-specific -parts. These are called simple configs; shoregen doesn't substantially -alter them, and uses little information from them. - -Configs with which shoregen is more concerned are treated separately, and -additional features beyond the scope of shorewall itself are implemented. -Most importantly, two new policy/rule keywords are introduced: WARN and -BAN. These keywords are not included in shoregen's output, but when a -subsequent rule or policy is encountered which matches a rule or policy -marked WARN or BAN, an error message is issued. In the case of BAN, the -offending line is also dropped from the output, and a non-zero return code -issued. - - -PREREQUISITES - -The tools you will need to use shoregen are: - perl The main shoregen script is written in Perl - rsync Used to keep /etc/shorewall directories on your firewalls - in sync with the central repository - ssh Encrypted transport for rsync - make Optional, but saves a few keystrokes. - - -USAGE - -Put shoregen and install_shoregen in a directory on your PATH. - -Make a central directory for your configs. 
I recommend somewhere in a -trusted user's home directory or central system admin repository. This -directory should be on a trusted machine in the most secure part of your -network. Put all of your policies, rules, and zones together in the -correct order in files in the top level of this directory. - -For each of the simple configs you want to generate centrally, create a -directory, with a file called COMMON (if necessary) containing the content -you want to see in that file on all hosts, and a file named for each host -for host-specific content. I recommend that the default shorewall -configuration file be placed in the COMMON file of the corresponding -directory, with directives that are not appropriate commented out. - -When shoregen is run, it places the generated files in the directory -SPOOL/, where is the hostname of the target firewall. The -files in this directory are synchronised and the firewall checked and/or -restarted by a simple wrapper script called install_shoregen. - -See the samples directory for a starting point configuration. It provides -some suggested policies & rules for the network shown in example1.png. The -sample configuration has not been tested in any way. - -I hope you find shoregen useful. I welcome your comments, contributions, -criticisms, and questions. - diff --git a/contrib/shoregen/TODO b/contrib/shoregen/TODO deleted file mode 100644 index ff5a33420..000000000 --- a/contrib/shoregen/TODO +++ /dev/null 
@@ -1,21 +0,0 @@ - -- Make it possible for a host to have the same $FW name as the zone in - which it belongs, and have shoregen automatically create appropriate - rules. - -- At the moment, if a fully-expanded policy file (such as is shown - -- Better rule & policy sanitisation. - -- Hosts and interfaces could be reduced based on what's used in the policy - and rules files. - -- The Makefile could be improved to detect changes in the lower level - config files and call shoregen automatically when they are out-of-date. - At the moment, shoregen is so simple (and thus fast) that the amount of - time that would be saved by a clever Makefile (in comparison to the - rsync, ssh, and shorewall steps) is probably not worth the trouble to - code. - -- Automatic generation of firewall hosts & interfaces files. - diff --git a/contrib/shoregen/install_shoregen b/contrib/shoregen/install_shoregen deleted file mode 100755 index 967516f38..000000000 --- a/contrib/shoregen/install_shoregen +++ /dev/null 
@@ -1,116 +0,0 @@ -#!/bin/sh -# -# $Id: install_shoregen,v 1.5 2004/04/22 11:12:51 paulgear Exp $ -# -# Wrapper script to install shoregen-generated shorewall configuration files. -# - -# -# (c) Copyright 2004 Paul D. Gear -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General -# Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA, or go to -# on the World Wide Web. - -VERBOSE=0 -RESTART=0 -CHECK=1 -TIME=0 - -usage() -{ - echo "Usage: $0 [--verbose] [--restart] host ... 
- Generates and installs shorewall configuration on the given hosts" >&2 - exit 1 -} - -error() -{ - echo "$0: ERROR -" "$@" >&2 -} - -while :; do - case "$1" in - - -v|--verbose) - VERBOSE=1 - shift - ;; - - -r|--restart) - RESTART=1 - shift - ;; - - -c|--nocheck) - CHECK=0 - shift - ;; - - -t|--notime) - TIME=0 - shift - ;; - - --) - shift - break 2 - ;; - - --*) - error "Unrecognised option $1" - usage - ;; - - *) - break 2 - ;; - - esac -done - -set -e -set -u - -if [ "$#" -lt 1 ]; then - usage -fi - -USER=root -RSYNC_ARGS="--recursive --backup --times --cvs-exclude --rsh=ssh" -#--progress -if [ "$VERBOSE" -gt 0 ]; then - RSYNC_ARGS="$RSYNC_ARGS --verbose" -fi -DIR=/etc/shorewall -SW_PATH=/sbin/shorewall - -PATH=$PATH: - -if [ "$TIME" -gt 0 ]; then - TIME="time" -else - TIME="" -fi - -for HOST; do - shoregen $HOST - rsync $RSYNC_ARGS SPOOL/$HOST/ $USER@$HOST:$DIR/ - if [ "$CHECK" -gt 0 ]; then - $TIME ssh -l $USER -t $HOST $SW_PATH check - fi - if [ "$RESTART" -gt 0 ]; then - $TIME ssh -l $USER -t $HOST $SW_PATH restart - fi -done diff --git a/contrib/shoregen/samples/Makefile b/contrib/shoregen/samples/Makefile deleted file mode 100644 index 1d18073d6..000000000 --- a/contrib/shoregen/samples/Makefile +++ /dev/null @@ -1,10 +0,0 @@ -FLAGS=-c -r -HOSTS=ig proxy mail og - -default: $(HOSTS) - -$(HOSTS): - shoregen $@ - -install: $(HOSTS) - install_shoregen -c -r $(HOSTS) diff --git a/contrib/shoregen/samples/example1.dia b/contrib/shoregen/samples/example1.dia deleted file mode 100644 index 92f261084..000000000 Binary files a/contrib/shoregen/samples/example1.dia and /dev/null differ diff --git a/contrib/shoregen/samples/example1.png b/contrib/shoregen/samples/example1.png deleted file mode 100644 index 71739088d..000000000 Binary files a/contrib/shoregen/samples/example1.png and /dev/null differ diff --git a/contrib/shoregen/samples/hosts/ig b/contrib/shoregen/samples/hosts/ig deleted file mode 100644 index a9b9f738c..000000000 
--- a/contrib/shoregen/samples/hosts/ig +++ /dev/null @@ -1,13 +0,0 @@ -# ZONE HOST(S) OPTIONS - -# I used the vi command -# !Gsort -k2 -k1 -# to sort this file, starting at the next line. -mail eth0:$MAIL -og eth0:$OG -proxy eth0:$PROXY -net eth0:0.0.0.0/0 -lan eth1:$LAN -other eth1:0.0.0.0/0 -guest eth2:$GUEST -other eth2:0.0.0.0/0 diff --git a/contrib/shoregen/samples/hosts/mail b/contrib/shoregen/samples/hosts/mail deleted file mode 100644 index 362369f0f..000000000 --- a/contrib/shoregen/samples/hosts/mail +++ /dev/null @@ -1,7 +0,0 @@ -# ZONE HOST(S) OPTIONS -guest eth0:$GUEST -ig eth0:$IG -lan eth0:$LAN -og eth0:$OG -proxy eth0:$PROXY -net eth0:0.0.0.0/0 diff --git a/contrib/shoregen/samples/hosts/og b/contrib/shoregen/samples/hosts/og deleted file mode 100644 index 66a912c84..000000000 --- a/contrib/shoregen/samples/hosts/og +++ /dev/null @@ -1,7 +0,0 @@ -# ZONE HOST(S) OPTIONS -guest eth0:$GUEST -ig eth0:$IG -lan eth0:$LAN -mail eth0:$MAIL -proxy eth0:$PROXY -other eth0:0.0.0.0/0 diff --git a/contrib/shoregen/samples/hosts/proxy b/contrib/shoregen/samples/hosts/proxy deleted file mode 100644 index a0ca224c0..000000000 --- a/contrib/shoregen/samples/hosts/proxy +++ /dev/null @@ -1,7 +0,0 @@ -# ZONE HOST(S) OPTIONS -guest eth0:$GUEST -ig eth0:$IG -lan eth0:$LAN -mail eth0:$MAIL -og eth0:$OG -net eth0:0.0.0.0/0 diff --git a/contrib/shoregen/samples/interfaces/ig b/contrib/shoregen/samples/interfaces/ig deleted file mode 100644 index 523891686..000000000 --- a/contrib/shoregen/samples/interfaces/ig +++ /dev/null @@ -1,5 +0,0 @@ -#ZONE INTERFACE BROADCAST OPTIONS -- eth0 detect - -- eth1 detect dhcp -- eth2 detect dhcp -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/contrib/shoregen/samples/interfaces/mail b/contrib/shoregen/samples/interfaces/mail deleted file mode 100644 index 8c485e0ec..000000000 --- a/contrib/shoregen/samples/interfaces/mail +++ /dev/null 
@@ -1,3 +0,0 @@ -#ZONE INTERFACE BROADCAST OPTIONS -- eth0 detect - -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/contrib/shoregen/samples/interfaces/og b/contrib/shoregen/samples/interfaces/og deleted file mode 100644 index b627368ec..000000000 --- a/contrib/shoregen/samples/interfaces/og +++ /dev/null @@ -1,5 +0,0 @@ -#ZONE INTERFACE BROADCAST OPTIONS -- eth0 detect - -net eth1 detect norfc1918,blacklist,dhcp -net ppp+ detect norfc1918,blacklist -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/contrib/shoregen/samples/interfaces/proxy b/contrib/shoregen/samples/interfaces/proxy deleted file mode 100644 index 8c485e0ec..000000000 --- a/contrib/shoregen/samples/interfaces/proxy +++ /dev/null @@ -1,3 +0,0 @@ -#ZONE INTERFACE BROADCAST OPTIONS -- eth0 detect - -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/contrib/shoregen/samples/params/COMMON b/contrib/shoregen/samples/params/COMMON deleted file mode 100644 index 2f7bed38b..000000000 --- a/contrib/shoregen/samples/params/COMMON +++ /dev/null @@ -1,9 +0,0 @@ -# These are parameterised firstly so they only live in one place, and -# secondly because they can appear on different interfaces, but with a -# constant address. -OG=10.1.1.1 -MAIL=10.1.1.2 -PROXY=10.1.1.3 -IG=10.1.1.4 -LAN=10.1.2.0/24 -GUEST=10.1.3.0/24 diff --git a/contrib/shoregen/samples/policy b/contrib/shoregen/samples/policy deleted file mode 100644 index 7106fd0d4..000000000 --- a/contrib/shoregen/samples/policy +++ /dev/null 
@@ -1,112 +0,0 @@ -#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST EXT - -# -# Meta-policies - no ACCEPT/DNAT rules contravening these may be defined in -# the policy or rules file. These are not part of shorewall and do not -# actually block any traffic. They are about stopping the firewall -# administrator from activating silly rules. Note that these rules should -# always be accompanied by a corresponding REJECT/BAN policy as they don't -# actually set the shorewall policy (see below for these). -# -# These policies are samples only and are not suggested for your -# environment. You must decide on the policies that are right for you. -# - -guest lan BAN -proxy lan BAN -mail lan BAN -og lan BAN -net lan BAN - -proxy guest BAN -mail guest BAN -og guest BAN -net guest BAN - -proxy ig BAN -mail ig BAN -og ig BAN -net ig BAN - -net proxy BAN - -proxy og BAN -mail og BAN -net og BAN - -ig net BAN - - -# -# Now the normal policies. We define each set of zone pairs individually -# so that Shorewall produces more meaningful error messages. 
-# - -lan guest ACCEPT info -lan ig REJECT info -lan proxy REJECT info -lan mail REJECT info -lan og REJECT info -lan net REJECT info -lan other REJECT info -lan all REJECT info - -guest lan REJECT info -guest ig REJECT info -guest proxy REJECT info -guest mail REJECT info -guest og REJECT info -guest net ACCEPT info -guest other REJECT info -guest all REJECT info - -ig lan REJECT info -ig guest REJECT info -ig proxy REJECT info -ig mail REJECT info -ig og REJECT info -ig net REJECT info -ig other REJECT info -ig all REJECT info - -proxy lan REJECT info -proxy guest REJECT info -proxy ig REJECT info -proxy mail REJECT info -proxy og REJECT info -proxy net ACCEPT -proxy other REJECT info -proxy all REJECT info - -mail lan REJECT info -mail guest REJECT info -mail ig REJECT info -mail proxy REJECT info -mail og REJECT info -mail net REJECT info -mail other REJECT info -mail all REJECT info - -og lan REJECT info -og guest REJECT info -og ig REJECT info -og proxy REJECT info -og mail REJECT info -og net REJECT info -og other REJECT info -og all REJECT info - -net lan DROP info -net guest DROP info -net ig DROP info -net proxy DROP info -net mail DROP info -net og DROP info -net other DROP info -net all DROP info - -# Catch-all policies -other all DROP info -all all DROP info - -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/contrib/shoregen/samples/rules b/contrib/shoregen/samples/rules deleted file mode 100644 index 1723a706e..000000000 --- a/contrib/shoregen/samples/rules +++ /dev/null 
@@ -1,187 +0,0 @@ -# -# $Id: rules,v 1.4 2004/04/24 12:26:25 paulgear Exp $ -# -# Master Rules File -# -# This file is organised into 4 main sections: -# 1. Rules that need to transcend the more general WARN/BAN rules. The -# reason for this is typically system administration and -# troubleshooting. This section should be kept as small as possible. -# 2. WARN/BAN rules to put restrictions on which rules contravening -# policies may be created. This section should be as large as -# possible, if you take a traditional (i.e. paranoid) approach to -# firewall design. -# 3. Noise-reducing rules for illegitimate traffic. This is typically -# small, but may grow as time goes on. -# 4. Normal rules which define the holes in your firewall. Again, this -# should include only the rules you need and no more. However, even -# on a simple home network like mine, this section tends to get -# large! -# - -# -# Order by port, protocol, dest zone (in->out order), src zone (in->out -# order). -# - -#ACTION CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS - -# -# Section 1: Rules that need to transcend WARN/BAN rules in section 2. -# -# Nearly all of these rules should be limited to system administration -# terminals. These would be better put in a separate zone. -# - -# ping (more below) -ACCEPT lan og icmp 8 - -# ssh (more below) -ACCEPT lan og tcp 22 -ACCEPT ig og tcp 22 - -# SNMP (more below) - for MRTG stats run from LAN -ACCEPT lan og udp 161 - -# syslog (more below) -ACCEPT ig lan udp 514 - -# Squid - this wouldn't be necessary except that a lot of OS updates are -# rather large... 
-ACCEPT mail proxy tcp 3128 - -# -# Section 2: WARN/BAN rule directives -# - -BAN ig lan -BAN mail proxy -BAN lan og -BAN ig og - -# -# Section 3: Drop noisy junk -# - -# auth - reverse of the SMTP rules below -REJECT mail lan tcp 113 -REJECT mail guest tcp 113 -REJECT mail ig tcp 113 -REJECT mail proxy tcp 113 -REJECT mail og tcp 113 -REJECT net og tcp 113 -REJECT mail net tcp 113 - -# KaZaA file sharing -DROP net og tcp 1214 - -# Gnutella server -REJECT net og tcp 6346,6347 - -# Half-Life -REJECT net og udp 27015,27016 - - -# -# Section 4: Normal traffic -# - -# ping (more above) -ACCEPT lan ig icmp 8 -ACCEPT lan proxy icmp 8 -ACCEPT lan mail icmp 8 -ACCEPT ig proxy icmp 8 -ACCEPT ig mail icmp 8 -ACCEPT og proxy icmp 8 -ACCEPT og mail icmp 8 -ACCEPT og net icmp 8 - -# FTP -ACCEPT proxy net tcp 21 - -# ssh (more above) -ACCEPT lan ig tcp 22 -ACCEPT lan proxy tcp 22 -ACCEPT lan mail tcp 22 -ACCEPT lan net tcp 22 -ACCEPT ig proxy tcp 22 -ACCEPT ig mail tcp 22 -ACCEPT proxy mail tcp 22 -ACCEPT proxy net tcp 22 - -# SMTP -ACCEPT lan mail tcp 25 -ACCEPT guest mail tcp 25 -ACCEPT ig mail tcp 25 -ACCEPT proxy mail tcp 25 -ACCEPT og mail tcp 25 -DNAT net mail:$MAIL tcp 25 -ACCEPT mail net tcp 25 - -# DNS - assumes split DNS, with internal DNS run in LAN, external DNS on -# proxy, and mail independent of the rest (proxy & mail should run their -# own caches). -ACCEPT lan proxy tcp 53 -ACCEPT lan proxy udp 53 -ACCEPT guest proxy tcp 53 -ACCEPT guest proxy udp 53 -ACCEPT ig proxy tcp 53 -ACCEPT ig proxy udp 53 -ACCEPT og proxy tcp 53 -ACCEPT og proxy udp 53 -ACCEPT proxy net tcp 53 -ACCEPT proxy net udp 53 -ACCEPT mail net tcp 53 -ACCEPT mail net udp 53 - -# HTTP -ACCEPT proxy net tcp 80 - -# POP3 - must be proxied through mail -ACCEPT mail net tcp 110 -ACCEPT lan mail tcp 110 - -# NNTP - application layer proxy (e.g. leafnode) on proxy -ACCEPT lan proxy tcp 119 -ACCEPT proxy net tcp 119 - -# NTP - we really need more than 2 servers, but this is only an example. 
:-) -ACCEPT lan proxy udp 123 -ACCEPT lan mail udp 123 -ACCEPT ig proxy udp 123 -ACCEPT ig mail udp 123 -ACCEPT proxy net udp 123 -ACCEPT mail net udp 123 -ACCEPT og proxy udp 123 -ACCEPT og mail udp 123 - -# IMAP -ACCEPT lan mail tcp 143 -ACCEPT guest mail tcp 143 - -# SNMP (more above) - for MRTG stats -ACCEPT lan ig udp 161 -ACCEPT lan proxy udp 161 -ACCEPT lan mail udp 161 - -# HTTPS -ACCEPT proxy net tcp 443 - -# syslog (more above) - DMZ & OG hosts log to mail, IG & LAN hosts log to LAN -ACCEPT og mail udp 514 -ACCEPT proxy mail udp 514 - -# Squid -ACCEPT lan proxy tcp 3128 -ACCEPT guest proxy tcp 3128 -ACCEPT ig proxy tcp 3128 -ACCEPT og proxy tcp 3128 - -# Webmin -ACCEPT lan proxy tcp 10000 -ACCEPT guest proxy tcp 10000 -ACCEPT ig proxy tcp 10000 -ACCEPT og proxy tcp 10000 - - -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/contrib/shoregen/samples/shorewall.conf/COMMON b/contrib/shoregen/samples/shorewall.conf/COMMON deleted file mode 100644 index 42e415842..000000000 --- a/contrib/shoregen/samples/shorewall.conf/COMMON +++ /dev/null 
@@ -1,569 +0,0 @@ -############################################################################## -# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to -# match your setup -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# This file should be placed in /etc/shorewall -# -# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) -############################################################################## -# L O G G I N G -############################################################################## -# -# General note about log levels. Log levels are a method of describing -# to syslog (8) the importance of a message and a number of parameters -# in this file have log levels as their value. -# -# Valid levels are: -# -# 7 debug -# 6 info -# 5 notice -# 4 warning -# 3 err -# 2 crit -# 1 alert -# 0 emerg -# -# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall -# log messages are generated by NetFilter and are logged using facility -# 'kern' and the level that you specifify. If you are unsure of the level -# to choose, 6 (info) is a safe bet. You may specify levels by name or by -# number. -# -# If you have build your kernel with ULOG target support, you may also -# specify a log level of ULOG (must be all caps). Rather than log its -# messages to syslogd, Shorewall will direct netfilter to log the messages -# via the ULOG target which will send them to a process called 'ulogd'. -# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be -# configured to log all Shorewall message to their own log file -################################################################################ -# -# LOG FILE LOCATION -# -# This variable tells the /sbin/shorewall program where to look for Shorewall -# log messages. If not set or set to an empty string (e.g., LOGFILE="") then -# /var/log/messages is assumed. 
-# -# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to -# look for Shorewall messages.It does NOT control the destination for -# these messages. For information about how to do that, see -# -# http://www.shorewall.net/shorewall_logging.html - -LOGFILE=/var/log/messages - -# -# LOG FORMAT -# -# Shell 'printf' Formatting template for the --log-prefix value in log messages -# generated by Shorewall to identify Shorewall log messages. The supplied -# template is expected to accept either two or three arguments; the first is -# the chain name, the second (optional) is the logging rule number within that -# chain and the third is the ACTION specifying the disposition of the packet -# being logged. You must use the %d formatting type for the rule number; if your -# template does not contain %d then the rule number will not be included. -# -# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as: -# -# LOGFORMAT="fp=%s:%d a=%s " -# -# If not specified or specified as empty (LOGFORMAT="") then the value -# "Shorewall:%s:%s:" is assumed. -# -# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up -# to but not including the first '%') to find log messages in the 'show log', -# 'status' and 'hits' commands. This part should not be omitted (the -# LOGFORMAT should not begin with "%") and the leading part should be -# sufficiently unique for /sbin/shorewall to identify Shorewall messages. - -LOGFORMAT="Shorewall:%s:%s:" - -# -# LOG RATE LIMITING -# -# The next two variables can be used to control the amount of log output -# generated. LOGRATE is expressed as a number followed by an optional -# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum -# rate at which a particular message will occur. LOGBURST determines the -# maximum initial burst size that will be logged. If set empty, the default -# value of 5 will be used. 
-# -# Example: -# -# LOGRATE=10/minute -# LOGBURST=5 -# -# If BOTH variables are set empty then logging will not be rate-limited. -# - -LOGRATE=10/minute -LOGBURST=5 - -# -# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS -# -# This variable determines the level at which Mangled/Invalid packets are logged -# under the 'dropunclean' interface option. If you set this variable to an -# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped -# silently. -# -# The value of this variable also determines the level at which Mangled/Invalid -# packets are logged under the 'logunclean' interface option. If the variable -# is empty, these packets will still be logged at the 'info' level. -# -# See the comment at the top of this section for a description of log levels -# - -LOGUNCLEAN=info - -# -# BLACKLIST LOG LEVEL -# -# Set this variable to the syslogd level that you want blacklist packets logged -# (beware of DOS attacks resulting from such logging). If not set, no logging -# of blacklist packets occurs. -# -# See the comment at the top of this section for a description of log levels -# -BLACKLIST_LOGLEVEL= - -# -# LOGGING 'New not SYN' rejects -# -# This variable only has an effect when NEWNOTSYN=No (see below). -# -# When a TCP packet that does not have the SYN flag set and the ACK and RST -# flags clear then unless the packet is part of an established connection, -# it will be rejected by the firewall. If you want these rejects logged, -# then set LOGNEWNOTSYN to the syslog log level at which you want them logged. -# -# See the comment at the top of this section for a description of log levels -# -# Example: LOGNEWNOTSYN=debug - - -LOGNEWNOTSYN=info - -# -# MAC List Log Level -# -# Specifies the logging level for connection requests that fail MAC -# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then -# such connection requests will not be logged. 
-# -# See the comment at the top of this section for a description of log levels -# - -MACLIST_LOG_LEVEL=info - -# -# TCP FLAGS Log Level -# -# Specifies the logging level for packets that fail TCP Flags -# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then -# such packets will not be logged. -# -# See the comment at the top of this section for a description of log levels -# - -TCP_FLAGS_LOG_LEVEL=info - -# -# RFC1918 Log Level -# -# Specifies the logging level for packets that fail RFC 1918 -# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then -# RFC1918_LOG_LEVEL=info is assumed. -# -# See the comment at the top of this section for a description of log levels -# - -RFC1918_LOG_LEVEL=info - -################################################################################ -# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S -################################################################################ -# -# PATH - Change this if you want to change the order in which Shorewall -# searches directories for executable files. -# -#PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin -PATH=/sbin:/bin:/usr/sbin:/usr/bin - -# -# SHELL -# -# The firewall script is normally interpreted by /bin/sh. If you wish to change -# the shell used to interpret that script, specify the shell here. - -SHOREWALL_SHELL=/bin/sh - -# SUBSYSTEM LOCK FILE -# -# Set this to the name of the lock file expected by your init scripts. For -# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't -# use lock files, set this to "". 
-# - -SUBSYSLOCK=/var/lock/subsys/shorewall - -# -# SHOREWALL TEMPORARY STATE DIRECTORY -# -# This is the directory where the firewall maintains state information while -# it is running -# - -STATEDIR=/var/lib/shorewall - -# -# KERNEL MODULE DIRECTORY -# -# If your netfilter kernel modules are in a directory other than -# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that -# directory in this variable. Example: MODULESDIR=/etc/modules. - -MODULESDIR= - -################################################################################ -# F I R E W A L L O P T I O N S -################################################################################ - -# NAME OF THE FIREWALL ZONE -# -# Name of the firewall zone -- if not set or if set to an empty string, "fw" -# is assumed. -# -#FW=fw - -# -# ENABLE IP FORWARDING -# -# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you -# say "Off" or "off", packet forwarding will be disabled. You would only want -# to disable packet forwarding if you are installing Shorewall on a -# standalone system or if you want all traffic through the Shorewall system -# to be handled by proxies. -# -# If you set this variable to "Keep" or "keep", Shorewall will neither -# enable nor disable packet forwarding. -# -#IP_FORWARDING=On - -# -# AUTOMATICALLY ADD NAT IP ADDRESSES -# -# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses -# for each NAT external address that you give in /etc/shorewall/nat. If you say -# "No" or "no", you must add these aliases youself. -# -ADD_IP_ALIASES=Yes - -# -# AUTOMATICALLY ADD SNAT IP ADDRESSES -# -# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses -# for each SNAT external address that you give in /etc/shorewall/masq. If you say -# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless -# you are sure that you need it -- most people don't!!! 
-# -ADD_SNAT_ALIASES=No - -# -# ENABLE TRAFFIC SHAPING -# -# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If -# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic -# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and -# you must enable packet mangling above. -# -TC_ENABLED=No - -# -# Clear Traffic Shapping/Control -# -# If this option is set to 'No' then Shorewall won't clear the current -# traffic control rules during [re]start. This setting is intended -# for use by people that prefer to configure traffic shaping when -# the network interfaces come up rather than when the firewall -# is started. If that is what you want to do, set TC_ENABLED=Yes and -# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That -# way, your traffic shaping rules can still use the 'fwmark' -# classifier based on packet marking defined in /etc/shorewall/tcrules. -# -# If omitted, CLEAR_TC=Yes is assumed. - -CLEAR_TC=Yes - -# -# Mark Packets in the forward chain -# -# When processing the tcrules file, Shorewall normally marks packets in the -# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set -# this to "Yes". If not specified or if set to the empty value (e.g., -# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. -# -# Marking packets in the FORWARD chain has the advantage that inbound -# packets destined for Masqueraded/SNATed local hosts have had their destination -# address rewritten so they can be marked based on their destination. When -# packets are marked in the PREROUTING chain, packets destined for -# Masqueraded/SNATed local hosts still have a destination address corresponding -# to the firewall's external interface. -# -# Note: Older kernels do not support marking packets in the FORWARD chain and -# setting this variable to Yes may cause startup problems. 
- -MARK_IN_FORWARD_CHAIN=No - -# -# MSS CLAMPING -# -# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU" -# option. This option is most commonly required when your internet -# interface is some variant of PPP (PPTP or PPPoE). Your kernel must -# have CONFIG_IP_NF_TARGET_TCPMSS set. -# -# [From the kernel help: -# -# This option adds a `TCPMSS' target, which allows you to alter the -# MSS value of TCP SYN packets, to control the maximum size for that -# connection (usually limiting it to your outgoing interface's MTU -# minus 40). -# -# This is used to overcome criminally braindead ISPs or servers which -# block ICMP Fragmentation Needed packets. The symptoms of this -# problem are that everything works fine from your Linux -# firewall/router, but machines behind it can never exchange large -# packets: -# 1) Web browsers connect, then hang with no data received. -# 2) Small mail works fine, but large emails hang. -# 3) ssh works fine, but scp hangs after initial handshaking. -# ] -# -# If left blank, or set to "No" or "no", the option is not enabled. -# -CLAMPMSS=No - -# -# ROUTE FILTERING -# -# Set this variable to "Yes" or "yes" if you want kernel route filtering on all -# interfaces started while Shorewall is started (anti-spoofing measure). -# -# If this variable is not set or is set to the empty value, "No" is assumed. -# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering -# on individual interfaces using the 'routefilter' option in the -# /etc/shorewall/interfaces file. - -ROUTE_FILTER=yes - -# -# NAT BEFORE RULES -# -# Shorewall has traditionally processed static NAT rules before port forwarding -# rules. If you would like to reverse the order, set this variable to "No". -# -# If this variable is not set or is set to the empty value, "Yes" is assumed. 
- -NAT_BEFORE_RULES=Yes - -# DNAT IP ADDRESS DETECTION -# -# Normally when Shorewall encounters the following rule: -# -# DNAT net loc:192.168.1.3 tcp 80 -# -# it will forward TCP port 80 connections from the net to 192.168.1.3 -# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is -# convenient for two reasons: -# -# a) If the the network interface has a dynamic IP address, the -# firewall configuration will work even when the address -# changes. -# -# b) It saves having to configure the IP address in the rule -# while still allowing the firewall to be started before the -# internet interface is brought up. -# -# This default behavior can also have a negative effect. If the -# internet interface has more than one IP address then the above -# rule will forward connection requests on all of these addresses; -# that may not be what is desired. -# -# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply -# only if the original destination address is the primary IP address of -# one of the interfaces associated with the source zone. Note that this -# requires all interfaces to the source zone to be up when the firewall -# is [re]started. - -DETECT_DNAT_IPADDRS=No - -# -# MUTEX TIMEOUT -# -# The value of this variable determines the number of seconds that programs -# will wait for exclusive access to the Shorewall lock file. After the number -# of seconds corresponding to the value of this variable, programs will assume -# that the last program to hold the lock died without releasing the lock. -# -# If not set or set to the empty value, a value of 60 (60 seconds) is assumed. -# -# An appropriate value for this parameter would be twice the length of time -# that it takes your firewall system to process a "shorewall restart" command. 
- -MUTEX_TIMEOUT=60 - -# -# NEWNOTSYN -# -# TCP connections are established using the familiar three-way "handshake": -# -# CLIENT SERVER -# -# SYN--------------------> -# <------------------SYN,ACK -# ACK--------------------> -# -# The first packet in that exchange (packet with the SYN flag on and the ACK -# and RST flags off) is referred to in Netfilter terminology as a "syn" packet. -# A packet is said to be NEW if it is not part of or related to an already -# established connection. -# -# The NETNOTSYN option determines the handling of non-SYN packets (those with -# SYN off or with ACK or RST on) that are not associated with an already -# established connection. -# -# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not -# part of an already established connection, it will be dropped by the -# firewall. The setting of LOGNEWNOTSYN above determines if these packets are -# logged before they are dropped. -# -# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be -# dropped but will pass through the normal rule/policy processing. -# -# Users with a High-availability setup with two firewall's and one acting -# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may -# also need to select NEWNOTSYN=Yes. -# -# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis -# using the 'newnotsyn' option in /etc/shorewall/interfaces. -# -# I find that NEWNOTSYN=No tends to result in lots of "stuck" -# connections because any network timeout during TCP session tear down -# results in retries being dropped (Netfilter has removed the -# connection from the conntrack table but the end-points haven't -# completed shutting down the connection). I therefore have chosen -# NEWNOTSYN=Yes as the default value. 
- -NEWNOTSYN=Yes - -# -# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT -# -# Normally, when a "shorewall stop" command is issued or an error occurs during -# the execution of another shorewall command, Shorewall puts the firewall into -# a state where only traffic to/from the hosts listed in -# /etc/shorewall/routestopped is accepted. -# -# When performing remote administration on a Shorewall firewall, it is -# therefore recommended that the IP address of the computer being used for -# administration be added to the firewall's /etc/shorewall/routestopped file. -# -# Some administrators have a hard time remembering to do this with the result -# that they get to drive across town in the middle of the night to restart -# a remote firewall (or worse, they have to get someone out of bed to drive -# across town to restart a very remote firewall). -# -# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting, -# when the firewall enters the 'stopped' state: -# -# All traffic that is part of or related to established connections is still -# allowed and all OUTPUT traffic is allowed. This is in addition to traffic -# to and from hosts listed in /etc/shorewall/routestopped. -# -# If this variable is not set or it is set to the null value then -# ADMINISABSENTMINDED=No is assumed. -# -ADMINISABSENTMINDED=Yes - -# -# BLACKLIST Behavior -# -# Shorewall offers two types of blacklisting: -# -# - static blacklisting through the /etc/shorewall/blacklist file together -# with the 'blacklist' interface option. -# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands. -# -# The following variable determines whether the blacklist is checked for each -# packet or for each new connection. -# -# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection -# requests -# -# BLACKLISTNEWONLY=No Consult blacklists for all packets. 
-# -# If the BLACKLISTNEWONLY option is not set or is set to the empty value then -# BLACKLISTNEWONLY=No is assumed. -# -BLACKLISTNEWONLY=Yes - -# MODULE NAME SUFFIX -# -# When loading a module named in /etc/shorewall/modules, Shorewall normally -# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names -# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different -# naming convention then you can specify the suffix (extension) for module -# names in this variable. -# -# To see what suffix is used by your distribution: -# -# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter -# -# All of the file names listed should have the same suffix (extension). Set -# MODULE_SUFFIX to that suffix. -# -# Examples: -# -# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo" -# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o" -# - -MODULE_SUFFIX= - -################################################################################ -# P A C K E T D I S P O S I T I O N -################################################################################ -# -# BLACKLIST DISPOSITION -# -# Set this variable to the action that you want to perform on packets from -# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, -# DROP is assumed. -# -BLACKLIST_DISPOSITION=DROP - -# -# MAC List Disposition -# -# This variable determines the disposition of connection requests arriving -# on interfaces that have the 'maclist' option and that are from a device -# that is not listed for that interface in /etc/shorewall/maclist. Valid -# values are ACCEPT, DROP and REJECT. If not specified or specified as -# empty (MACLIST_DISPOSITION="") then REJECT is assumed - -MACLIST_DISPOSITION=REJECT - -# -# TCP FLAGS Disposition -# -# This variable determins the disposition of packets having an invalid -# combination of TCP flags that are received on interfaces having the -# 'tcpflags' option specified in /etc/shorewall/interfaces. 
If not specified -# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed. - -TCP_FLAGS_DISPOSITION=DROP - -#LAST LINE -- DO NOT REMOVE diff --git a/contrib/shoregen/samples/shorewall.conf/ig b/contrib/shoregen/samples/shorewall.conf/ig deleted file mode 100644 index ffc52bd43..000000000 --- a/contrib/shoregen/samples/shorewall.conf/ig +++ /dev/null @@ -1,2 +0,0 @@ -FW=ig -IP_FORWARDING=On diff --git a/contrib/shoregen/samples/shorewall.conf/mail b/contrib/shoregen/samples/shorewall.conf/mail deleted file mode 100644 index a6051a9af..000000000 --- a/contrib/shoregen/samples/shorewall.conf/mail +++ /dev/null @@ -1,2 +0,0 @@ -FW=enoch -IP_FORWARDING=Off diff --git a/contrib/shoregen/samples/shorewall.conf/og b/contrib/shoregen/samples/shorewall.conf/og deleted file mode 100644 index 220ec2e8a..000000000 --- a/contrib/shoregen/samples/shorewall.conf/og +++ /dev/null @@ -1,2 +0,0 @@ -FW=og -IP_FORWARDING=On diff --git a/contrib/shoregen/samples/shorewall.conf/proxy b/contrib/shoregen/samples/shorewall.conf/proxy deleted file mode 100644 index b324a4fc7..000000000 --- a/contrib/shoregen/samples/shorewall.conf/proxy +++ /dev/null @@ -1,2 +0,0 @@ -FW=dmz -IP_FORWARDING=Off diff --git a/contrib/shoregen/samples/zones b/contrib/shoregen/samples/zones deleted file mode 100644 index d84061bd5..000000000 --- a/contrib/shoregen/samples/zones +++ /dev/null @@ -1,10 +0,0 @@ -#ZONE DISPLAY COMMENTS -lan LAN Local network -guest Guest Untrusted LAN hosts -ig IG Inner Guard -og OG Outer Guard -mail Mail Mail server -proxy Proxy Proxy server -net Net Internet -other Other Basket for things that don't fit elsewhere -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/contrib/shoregen/shoregen b/contrib/shoregen/shoregen deleted file mode 100755 index bcbbbbf0e..000000000 --- a/contrib/shoregen/shoregen +++ /dev/null 
@@ -1,443 +0,0 @@ -#!/usr/bin/perl -w -# -# shoregen: Generate shorewall configuration for a host from central -# configuration files. -# - -# -# (c) Copyright 2004-2006 Paul D. Gear -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General -# Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA, or go to -# on the World Wide Web. -# - -use strict; - -my $VERBOSE = 1; -my $DEBUG = 1; -my $DATE = scalar localtime; -my $HEADER = "#\n# Shorewall %s - constructed by $0 on $DATE\n#\n\n"; -my $ret = 0; # return code to shell - -if ($#ARGV != 0) { - print STDERR "Usage: $0 \n"; - exit 1; -} - -my $base = "."; -my $host = $ARGV[ 0 ]; -my $spool = "$base/SPOOL"; -my $dir = "$spool/$host"; - - -# -# Messaging routines for use by the program itself - any errors that are -# generated externally (e.g. file opening problems) are reported using the -# usual perl 'die' or 'warn' functions. 
-# - -sub info -{ - print "$0: @_\n"; -} - -sub mesg -{ - my $type = shift; - print STDERR "$0: $type - @_\n"; -} - -sub warning -{ - mesg "WARNING", @_; -} - -sub error -{ - mesg "ERROR", @_; - ++$ret; -} - -sub fatal -{ - mesg "FATAL", @_; - ++$ret; - exit $ret; -} - - -# -# These bits make the files that actually get copied to the target host -# - -sub stripfile -{ - open( my $file, $_[ 0 ] ) or die "Can't open $_[ 0 ] for reading: $!"; - my @file; - - for (<$file>) { - s/\s*#.*$//g; # remove all comments - next if m/^\s*$/; # skip blank lines - push @file, $_; - } - - close $file or warn "Can't close $_[ 0 ] after reading: $!"; - - return @file; -} - - -# -# Construct a configuration file given a number of input files -# -sub constructfile -{ - my $confname = shift; - my $dst = shift; - my $foundone = 0; - - info "Constructing $confname" if $VERBOSE > 1; - - open( my $DST, ">$dst" ) or die "Can't create $dst: $!"; - printf $DST $HEADER, $confname; - - for my $file (@_) { - if (-r $file) { - $foundone = 1; - print $DST "##$file\n" if $DEBUG > 1; - print $DST stripfile $file; - } - } - - close $DST or warn "Can't close $dst: $!"; - - if (!$foundone) { - warning "\"$confname\" not present. " . - "Existing file on $host will be preserved." if $VERBOSE > 2; - unlink $dst; - } -} - -# -# main -# - -my $fw; # Firewall zone for this host -my $router; # Is this host a router? -my @globalzones; # All known zones -my %globalzones; -my %hostzones; # zones applicable to this host -my $outfile; # filename holders -my $conf; # config file we're processing at present -my %warnban; # meta-rules/policies - - -# Change to the base configuration directory -die "Configuration directory $base doesn't exist!" if ! -d $base; -chdir $base or die "Can't change directory to $base: $!"; - -# Create spool directories if necessary -if (! -d "$spool") { - mkdir "$spool" or die "Can't create spool directory $spool: $!"; -} -if (! 
-d $dir) { - mkdir $dir or die "Can't create host spool directory $dir: $!"; -} - - -# -# Construct all the simple config files. -# - -# Config files for which the host-specific file is included *first* -my @hostfirstconfigs = qw( - accounting - actions - blacklist - bogons - continue - ecn - hosts - interfaces - maclist - masq - nat - netmap - proxyarp - rfc1918 - routestopped - route_rules - start - started - stop - stopped - tcclasses - tcdevices - tos - tunnels -); - -# Config files for which the host-specific file is included *last* -my @hostlastconfigs = qw( - common - configpath - init - initdone - ipsec - modules - params - providers - shorewall.conf - tcrules -); - - -for my $conf (@hostfirstconfigs) { - constructfile "$conf", "$dir/$conf", "$conf/$host", "$conf/COMMON"; -} - -for my $conf (@hostlastconfigs) { - constructfile "$conf", "$dir/$conf", "$conf/COMMON", "$conf/$host"; -} - -# -# The remaining config files (policy, rules, zones) are processed uniquely. -# - -# Find the firewall name of this host -open( my $infile, "$dir/shorewall.conf" ) or - die "Can't open $dir/shorewall.conf: $!"; - -for (<$infile>) { - if (/^\s*FW=(\S+)/) { - $fw = $1 unless defined $fw; - } - if (/^\s*IP_FORWARDING=(\S+)/) { - $router = $1 unless defined $router; - } -} - -close $infile; - - -# The firewall name must be defined -unless (defined $fw) { - fatal "Can't find firewall name (FW variable) for $host in $dir/shorewall.conf"; -} - -# Router must be defined -unless (defined $router) { - fatal "Can't find IP_FORWARDING setting for $host in $dir/shorewall.conf"; -} -if ($router =~ m/On|Yes/i) { - $router = 1; -} -else { - $router = 0; -} -print "fw=$fw, router=$router\n" if $DEBUG > 3; - -# Find all valid zones -unless (-r "zones") { - fatal "You must provide a global zone file"; -} - - -for (stripfile "zones") { - chomp; - my ($zone, $details) = split /[\s:]+/, $_, 2; - push @globalzones, $zone; - $globalzones{ $zone } = $details; -} - -# -# Work out which zones apply 
to this host from the combination of hosts & -# interfaces. The first field in both files is the zone name, and the -# second (minus any trailing ips) is the interface, which we save as well -# for later reference. -# - -for my $infile ("$dir/hosts", "$dir/interfaces") { - if (-r $infile) { - for (stripfile $infile) { - chomp; - my @F = split; - next if $#F < 0; - next if $F[ 0 ] eq "-"; - my @IF = split /:/, $F[ 0 ]; # strip off parent zone, if present - $hostzones{ $IF[ 0 ] } = 1; - } - } -} - -$conf = "zones"; - -# -# Create the zones file from the intersection of the above - note the order -# from the original zone file must be preserved, hence the need for the -# array as well as the hash. -# - -open( $outfile, ">$dir/$conf" ) or - die "Can't open $dir/$conf for writing: $!"; - -printf $outfile $HEADER, "$conf"; -my %tmpzones = %hostzones; # Take a copy of all the zones, - -for my $zone (@globalzones) { - if (exists $tmpzones{ $zone }) { - print $outfile "$zone $globalzones{ $zone }\n"; - delete $tmpzones{ $zone }; # deleting those found as we go along. - } -} - -close $outfile or warn "Can't close $dir/$conf after writing: $!"; - -for my $zone (sort keys %tmpzones) { # Warn if we've got any zones left now. - #next if $zone eq "-"; - warning "No entry for $zone in global zones file - ignored"; -} -undef %tmpzones; - - -my @tmp = sort keys %hostzones; -info "FW zone for $host: $fw" if $VERBOSE > 0; -info "Other zones for $host: @tmp" if $VERBOSE > 0; - -# -# Add 'all' as a valid source or destination. Added here so it doesn't get -# checked in %tmpzones check above. Also add firewall itself. (The -# numbers are not important as long as they are non-zero.) -# - -$hostzones{"all"} = 1; -$hostzones{$fw} = 1; - -# -# Create the policy file, including only the applicable zones. -# - -$conf = "policy"; -if (! 
-r $conf) { - fatal "You must provide a global \"$conf\" file"; -} - -open( $outfile, ">$dir/$conf" ) or - die "Can't open $dir/$conf for writing: $!"; -printf $outfile $HEADER, "$conf"; - -for (stripfile $conf) { - chomp; - - my ($src, $dst, $pol, $rest) = split /\s+/, $_, 4; - - print "$src, $dst, $pol, $rest\n" if $DEBUG > 3; - - # Both source and destination zones must be valid on this host for this - # policy to apply. - next unless defined $hostzones{$src} and defined $hostzones{$dst}; - - # Source and destination zones must be on different interfaces as well, - # except for the case of all2all. - #next if ($hostzones{$src} eq $hostzones{$dst} && $src ne "all"); - - # Save WARN & BAN details for later rules processing - if ($pol eq "WARN" or $pol eq "BAN") { - if (exists $warnban{$src}{$dst}) { - error "Duplicate WARN/BAN rule: $src,$dst,$pol - possible typo?"; - } - $warnban{$src}{$dst} = $pol; - next; - } - - printf $outfile "%s\n", $_; -} -close $outfile or warn "Can't close $dir/$conf for writing: $!"; - - -# -# Create the rules file, only including the applicable zones and taking -# into account any WARN or BAN policies. -# - -$conf = "rules"; -if (! -r $conf) { - fatal "You must provide a global \"$conf\" file"; -} - -open( $outfile, ">$dir/$conf" ) or - die "Can't open $dir/$conf for writing: $!"; -printf $outfile $HEADER, "$conf"; - -for my $infile ("$conf.COMMON", "$conf.$host", "$conf") { - next unless -r $infile; - for (stripfile $infile) { - chomp; - - my ($act, $src, $dst, $rest) = split /\s+/, $_, 4; - - $act =~ s/:.*//; # strip off logging directives - $src =~ s/:.*//; # strip off host & port specifiers - $dst =~ s/:.*//; # strip off host & port specifiers - - print "$act, $src, $dst, $rest\n" if $DEBUG > 3; - - # Both source and destination zones must be valid on this host - # for this rule to apply. 
- next unless defined $hostzones{$src} and defined $hostzones{$dst}; - - # If host is not a router, either the source or destination zone - # must be the firewall itself. - if (!$router) { - next unless $src eq $fw - or $dst eq $fw - or $src eq "all" - or $dst eq "all"; - } - - # Save additional WARN/BAN rules - if ($act eq "WARN" or $act eq "BAN") { - if (exists $warnban{$src}{$dst}) { - error "Duplicate WARN/BAN rule: $src,$dst,$act - possible typo?"; - } - $warnban{$src}{$dst} = $act; - next; - } - - # Check against WARN/BAN rules - if (exists $warnban{$src}{$dst} && $act =~ /^(ACCEPT|Allow|DNAT)/) { - if ($warnban{$src}{$dst} eq "WARN") { - warning "Rule contravenes WARN policy:\n\t$_"; - } - else { # $warnban{$src}{$dst} eq "BAN" - error "Rule contravenes BAN policy (omitted):\n\t$_"; - next; - } - } - - # Mangle DNAT rules if the destination is the local machine - if ($act =~ /^DNAT/ && $dst eq $fw) { - $_ =~ s/\bDNAT(-)?/ACCEPT/; # change rule type - $_ =~ s/\b$fw:\S+/$dst/; # strip trailing server address/port - } - - printf $outfile "%s\n", $_; - } -} -close $outfile or warn "Can't close $dir/$conf for writing: $!"; - - -# Finished - return whatever we produced above... -exit $ret; diff --git a/contrib/shoregen/spec/description b/contrib/shoregen/spec/description deleted file mode 100644 index e4f33e240..000000000 --- a/contrib/shoregen/spec/description +++ /dev/null @@ -1,3 +0,0 @@ -Shoregen is a script that generates Shoreline Firewall configurations for -multiple firewalls from a common set of rules and policies. Only the -minimal information necessary for operation is stored on each firewall. diff --git a/contrib/shoregen/spec/files b/contrib/shoregen/spec/files deleted file mode 100644 index 10685dd98..000000000 --- a/contrib/shoregen/spec/files +++ /dev/null @@ -1,4 +0,0 @@ -# $Id: files,v 1.2 2004/04/24 13:15:14 paulgear Exp $ -/usr/bin/%{name} -/usr/bin/install_%{name} -%doc /usr/share/doc/%{name}-%{version}/ 
diff --git a/contrib/shoregen/spec/header b/contrib/shoregen/spec/header deleted file mode 100644 index c0c422fd7..000000000 --- a/contrib/shoregen/spec/header +++ /dev/null @@ -1,10 +0,0 @@ -# $Id: header,v 1.1 2004/04/24 12:53:04 paulgear Exp $ -Summary: Shoreline Firewall configuration generator -License: GPL -Group: Applications/System -BuildArch: noarch -URL: http://paulgear.webhop.net/linux/#shoregen -Packager: Paul Gear -Requires: openssh -Requires: perl -Requires: rsync diff --git a/contrib/shoregen/spec/install b/contrib/shoregen/spec/install deleted file mode 100644 index 12c63ae99..000000000 --- a/contrib/shoregen/spec/install +++ /dev/null @@ -1,9 +0,0 @@ -# $Id: install,v 1.6 2004/04/24 13:15:14 paulgear Exp $ - -install -d -m 0700 $RPM_BUILD_ROOT/usr/bin/ -install -m 0555 install_%{name} %{name} $RPM_BUILD_ROOT/usr/bin/ - -install -d -m 0755 $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/ -install -m 0444 AUTHORS BUGS COPYING README TODO $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/ -cp -r samples $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/ -chmod -R go=u-w $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/ diff --git a/contrib/shoregen/spec/type b/contrib/shoregen/spec/type deleted file mode 100644 index 1c561e982..000000000 --- a/contrib/shoregen/spec/type +++ /dev/null @@ -1,2 +0,0 @@ -install -# $Id: type,v 1.2 2004/04/24 13:13:57 paulgear Exp $
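Review bot: the removal of the 443-line contrib/shoregen/shoregen script carries no stated rationale in the visible change; the deleted header dates the code to 2004-2006 under GPLv2-or-later, so the commit message should say why it is being dropped (unmaintained, superseded, or relocated) and where users should look instead, and the tree should be checked for any remaining reference to contrib/shoregen (documentation, packaging lists, Makefiles) so nothing keeps pointing at a path that no longer exists. Worth recording for anyone replacing it: the deleted rules-file loop omits any ACCEPT/Allow/DNAT rule that contravenes a BAN policy, reports it via `error` and exits non-zero, and the DNAT-to-firewall mangling rewrites `DNAT` to `ACCEPT` only when `$dst eq $fw`; a replacement should preserve that fail-closed behaviour rather than silently emitting the offending rule.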
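Review bot: the deletion looks incomplete as shown: spec/files lists `/usr/bin/install_%{name}` and spec/install copies `README TODO` and `samples` into the doc directory, yet no deletion of contrib/shoregen/install_shoregen, README, TODO or samples/ appears in this patch. Confirm those files are removed in the same change (or that the patch is truncated in this view) so the contrib directory is not left half-removed with packaging metadata gone but the installer script and samples still present.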