1) Remove trailing white space.
2) Improve detection of white space in comma-separated lists. 3) Fix a typo in the INSTALL file. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@464 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
5f9ff7336a
commit
21cb22303f
@ -27,7 +27,7 @@ o If you have an earlier version of Shoreline Firewall installed,see the
|
||||
o Edit the configuration files to fit your environment.
|
||||
|
||||
To do this, I strongly advise you to follow the instructions at:
|
||||
|
||||
|
||||
http://www.shorewall.net/shorewall_quickstart_guide.htm
|
||||
|
||||
o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
|
||||
@ -35,8 +35,8 @@ o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
|
||||
o For other distributions, determine where your distribution installs
|
||||
init scripts and type "./install.sh <init script directory>"
|
||||
o Start the firewall by typing "shorewall start"
|
||||
o If the install script was unable to configure Shoreline Firewall to
|
||||
start audomatically at boot, see the HTML documentation contains in the
|
||||
o If the install script was unable to configure Shoreline Firewall to
|
||||
start automatically at boot, see the HTML documentation contains in the
|
||||
"documentation" directory.
|
||||
|
||||
Upgrade:
|
||||
@ -44,4 +44,4 @@ Upgrade:
|
||||
o run the install script as described above.
|
||||
o shorewall restart
|
||||
|
||||
|
||||
|
||||
|
@ -9,7 +9,7 @@
|
||||
#
|
||||
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
|
||||
#
|
||||
# MAC addresses must be prefixed with "~" and use "-"
|
||||
# MAC addresses must be prefixed with "~" and use "-"
|
||||
# as a separator.
|
||||
#
|
||||
# Example: ~00-A0-C9-15-39-78
|
||||
@ -27,7 +27,7 @@
|
||||
# /etc/shorewall/shorewall.conf
|
||||
#
|
||||
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
|
||||
# the protocol (and one of the ports if PORTS supplied) are blocked.
|
||||
# the protocol (and one of the ports if PORTS supplied) are blocked.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
|
@ -1,7 +1,7 @@
|
||||
############################################################################
|
||||
# Shorewall 1.4 -- /etc/shorewall/common.def
|
||||
#
|
||||
# This file defines the rules that are applied before a policy of
|
||||
# This file defines the rules that are applied before a policy of
|
||||
# DROP or REJECT is applied. In addition to the rules defined in this file,
|
||||
# the firewall will also define a DROP rule for each subnet broadcast
|
||||
# address defined in /etc/shorewall/interfaces (including "detect").
|
||||
|
@ -1,16 +1,16 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Script to back out the installation of Shoreline Firewall and to restore the previous version of
|
||||
# Script to back out the installation of Shoreline Firewall and to restore the previous version of
|
||||
# the program
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://seattlefirewall.dyndns.org
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
@ -25,7 +25,7 @@
|
||||
# Usage:
|
||||
#
|
||||
# You may only use this script to back out the installation of the version
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.4.0-Beta1
|
||||
@ -46,7 +46,7 @@ restore_file() # $1 = file to restore
|
||||
echo "ERROR: Could not restore $1"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
if [ ! -f /usr/share/shorewall/version-${VERSION}.bkout ]; then
|
||||
@ -77,7 +77,7 @@ restore_file /sbin/shorewall
|
||||
[ -f /etc/shorewall.conf.$VERSION ] && rm -f /etc/shorewall.conf.$VERSION
|
||||
|
||||
restore_file /etc/shorewall/shorewall.conf
|
||||
|
||||
|
||||
restore_file /etc/shorewall/functions
|
||||
restore_file /usr/lib/shorewall/functions
|
||||
restore_file /var/lib/shorewall/functions
|
||||
@ -92,7 +92,7 @@ restore_file /etc/shorewall/zones
|
||||
restore_file /etc/shorewall/policy
|
||||
|
||||
restore_file /etc/shorewall/interfaces
|
||||
|
||||
|
||||
restore_file /etc/shorewall/hosts
|
||||
|
||||
restore_file /etc/shorewall/rules
|
||||
|
@ -2,7 +2,7 @@
|
||||
#
|
||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.4 3/14/2003
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
@ -12,7 +12,7 @@
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
@ -29,13 +29,13 @@
|
||||
#
|
||||
# Commands are:
|
||||
#
|
||||
# shorewall start Starts the firewall
|
||||
# shorewall start Starts the firewall
|
||||
# shorewall restart Restarts the firewall
|
||||
# shorewall stop Stops the firewall
|
||||
# shorewall status Displays firewall status
|
||||
# shorewall reset Resets iptabless packet and
|
||||
# byte counts
|
||||
# shorewall clear Remove all Shorewall chains
|
||||
# shorewall clear Remove all Shorewall chains
|
||||
# and rules/policies.
|
||||
# shorewall refresh . Rebuild the common chain
|
||||
# shorewall check Verify the more heavily-used
|
||||
@ -258,7 +258,7 @@ chain_exists() # $1 = chain name
|
||||
{
|
||||
qt iptables -L $1 -n
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Query NetFilter about the existence of a mangle chain
|
||||
#
|
||||
@ -266,7 +266,7 @@ mangle_chain_exists() # $1 = chain name
|
||||
{
|
||||
qt iptables -t mangle -L $1 -n
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Ensure that a chain exists (create it if it doesn't)
|
||||
#
|
||||
@ -340,7 +340,7 @@ deletechain() # $1 = name of chain
|
||||
is_policy_chain() # $1 = name of chain
|
||||
{
|
||||
eval test \"\$${1}_is_policy\" = Yes
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Set a standard chain's policy
|
||||
@ -373,7 +373,7 @@ chain_base() #$1 = interface
|
||||
{
|
||||
local c=${1%%+*}
|
||||
|
||||
case $c in
|
||||
case $c in
|
||||
*.*)
|
||||
echo ${c%.*}_${c#*.}
|
||||
;;
|
||||
@ -387,7 +387,7 @@ chain_base() #$1 = interface
|
||||
# Find interfaces to a given zone
|
||||
#
|
||||
# Search the variables representing the contents of the interfaces file and
|
||||
# for each record matching the passed ZONE, echo the expanded contents of
|
||||
# for each record matching the passed ZONE, echo the expanded contents of
|
||||
# the "INTERFACE" column
|
||||
#
|
||||
find_interfaces() # $1 = interface zone
|
||||
@ -496,7 +496,7 @@ determine_interfaces() {
|
||||
eval ${zone}_interfaces=\"\$interfaces\"
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Determine the defined hosts in each zone and generate report
|
||||
#
|
||||
@ -517,7 +517,7 @@ determine_hosts() {
|
||||
done
|
||||
|
||||
interfaces=
|
||||
|
||||
|
||||
for host in $hosts; do
|
||||
interface=${host%:*}
|
||||
if ! list_search $interface $interfaces; then
|
||||
@ -537,7 +537,7 @@ determine_hosts() {
|
||||
display_list "$display Zone:" $hosts
|
||||
else
|
||||
error_message "Warning: Zone $zone is empty"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
@ -559,7 +559,7 @@ validate_interfaces_file() {
|
||||
|
||||
[ "x$z" = "x-" ] && z=
|
||||
|
||||
if [ -n "$z" ]; then
|
||||
if [ -n "$z" ]; then
|
||||
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
|
||||
fi
|
||||
|
||||
@ -575,11 +575,11 @@ validate_interfaces_file() {
|
||||
startup_error "Invalid Interface Name: $interface"
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
all_interfaces="$all_interfaces $interface"
|
||||
options=`separate_list $options`
|
||||
interface=`chain_base $interface`
|
||||
|
||||
|
||||
eval ${interface}_broadcast="$subnet"
|
||||
eval ${interface}_zone="$z"
|
||||
eval ${interface}_options=\"$options\"
|
||||
@ -595,7 +595,7 @@ validate_interfaces_file() {
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
|
||||
[ -z "$all_interfaces" ] && startup_error "No Interfaces Defined"
|
||||
|
||||
done < $TMP_DIR/interfaces
|
||||
@ -637,7 +637,7 @@ validate_hosts_file() {
|
||||
mac_match() # $1 = MAC address formated as described above
|
||||
{
|
||||
echo "--match mac --mac-source `echo $1 | sed 's/~//;s/-/:/g'`"
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# validate a record from the rules file
|
||||
@ -655,7 +655,7 @@ validate_rule() {
|
||||
#
|
||||
validate_list() {
|
||||
local temp="`separate_list $1`"
|
||||
|
||||
|
||||
[ `echo $temp | wc -w` -le 15 ]
|
||||
}
|
||||
|
||||
@ -858,7 +858,7 @@ validate_rule() {
|
||||
[ -z "$clientzone" -o -z "$clients" ] && \
|
||||
startup_error "Empty source zone or qualifier: rule \"$rule\""
|
||||
fi
|
||||
|
||||
|
||||
if [ "$clientzone" = "${clientzone%\!*}" ]; then
|
||||
excludezones=
|
||||
else
|
||||
@ -1036,7 +1036,7 @@ validate_policy()
|
||||
|
||||
[ "x$chain" = "x${FW}2${FW}" ] && \
|
||||
startup_error "fw->fw policy not allowed: $policy"
|
||||
|
||||
|
||||
if is_policy_chain $chain ; then
|
||||
startup_error "Duplicate policy $policy"
|
||||
fi
|
||||
@ -1067,7 +1067,7 @@ validate_policy()
|
||||
else
|
||||
for zone in $zones $FW all; do
|
||||
eval pc=\$${zone}2${server}_policychain
|
||||
|
||||
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${zone}2${server}_policychain=$chain
|
||||
print_policy $zone $server
|
||||
@ -1077,16 +1077,16 @@ validate_policy()
|
||||
elif [ -n "$serverwild" ]; then
|
||||
for zone in $zones $FW all; do
|
||||
eval pc=\$${client}2${zone}_policychain
|
||||
|
||||
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${client}2${zone}_policychain=$chain
|
||||
eval ${client}2${zone}_policychain=$chain
|
||||
print_policy $client $zone
|
||||
fi
|
||||
done
|
||||
else
|
||||
eval ${chain}_policychain=${chain}
|
||||
print_policy $client $server
|
||||
fi
|
||||
fi
|
||||
|
||||
done < $TMP_DIR/policy
|
||||
}
|
||||
@ -1116,7 +1116,7 @@ find_broadcasts() {
|
||||
find_interface_broadcasts() # $1 = Interface name
|
||||
{
|
||||
eval bcast=\$`chain_base ${1}`_broadcast
|
||||
|
||||
|
||||
if [ "x$bcast" = "xdetect" ]; then
|
||||
addr="`ip addr show $interface 2> /dev/null`"
|
||||
if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
|
||||
@ -1127,7 +1127,7 @@ find_interface_broadcasts() # $1 = Interface name
|
||||
elif [ "x${bcast}" != "x-" ]; then
|
||||
echo `separate_list $bcast`
|
||||
fi
|
||||
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
@ -1136,7 +1136,7 @@ find_interface_broadcasts() # $1 = Interface name
|
||||
#
|
||||
find_interface_address() # $1 = interface
|
||||
{
|
||||
#
|
||||
#
|
||||
# get the line of output containing the first IP address
|
||||
#
|
||||
addr=`ip addr show $1 2> /dev/null | grep inet | head -n1`
|
||||
@ -1177,7 +1177,7 @@ find_hosts_by_option() # $1 = option
|
||||
eval options=\$`chain_base ${interface}`_options
|
||||
list_search $1 $options && \
|
||||
echo ${interface}:0.0.0.0/0
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
@ -1240,6 +1240,8 @@ stop_firewall() {
|
||||
|
||||
stopping="Yes"
|
||||
|
||||
terminator=
|
||||
|
||||
deletechain shorewall
|
||||
|
||||
run_user_exit stop
|
||||
@ -1260,7 +1262,7 @@ stop_firewall() {
|
||||
|
||||
hosts=
|
||||
|
||||
strip_file routestopped
|
||||
strip_file routestopped
|
||||
|
||||
while read interface host; do
|
||||
expandv interface host
|
||||
@ -1330,7 +1332,7 @@ clear_firewall() {
|
||||
run_iptables -F
|
||||
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
|
||||
setpolicy INPUT ACCEPT
|
||||
setpolicy FORWARD ACCEPT
|
||||
setpolicy OUTPUT ACCEPT
|
||||
@ -1357,7 +1359,7 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
run_iptables -A $outchain -p 51 -d $1 -j ACCEPT
|
||||
|
||||
run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
|
||||
|
||||
|
||||
if [ $2 = ipsec ]; then
|
||||
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
|
||||
else
|
||||
@ -1464,7 +1466,7 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
else
|
||||
error_message "Invalid gateway zone ($z)" \
|
||||
" -- Tunnel \"$tunnel\" Ignored"
|
||||
fi
|
||||
fi
|
||||
done < $TMP_DIR/tunnels
|
||||
}
|
||||
|
||||
@ -1579,7 +1581,7 @@ setup_mac_lists() {
|
||||
if ! havechain $chain ; then
|
||||
fatal_error "No hosts on $interface have the maclist option specified"
|
||||
fi
|
||||
|
||||
|
||||
macpart=`mac_match $mac`
|
||||
|
||||
if [ -z "$addresses" ]; then
|
||||
@ -1643,13 +1645,13 @@ setup_mac_lists() {
|
||||
for hosts in $maclist_hosts; do
|
||||
interface=${hosts%:*}
|
||||
hosts=${hosts#*:}
|
||||
for chain in `first_chains $interface` ; do
|
||||
for chain in `first_chains $interface` ; do
|
||||
run_iptables -A $chain -s $hosts -m state --state NEW \
|
||||
-j `mac_chain $interface`
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Set up SYN flood protection
|
||||
#
|
||||
@ -1670,7 +1672,7 @@ setup_syn_flood_chain ()
|
||||
|
||||
#
|
||||
# Enable SYN flood protection on a chain
|
||||
#
|
||||
#
|
||||
# Insert a jump rule to the protection chain from the first chain. Inserted
|
||||
# as the second rule and restrict the jump to SYN packets
|
||||
#
|
||||
@ -1714,7 +1716,7 @@ setup_nat() {
|
||||
|
||||
while read external interface internal allints localnat; do
|
||||
expandv external interface internal allints localnat
|
||||
|
||||
|
||||
iface=${interface%:*}
|
||||
|
||||
if [ -n "$ADD_IP_ALIASES" ]; then
|
||||
@ -1725,7 +1727,7 @@ setup_nat() {
|
||||
then
|
||||
addnatrule nat_in -d $external -j DNAT --to-destination $internal
|
||||
addnatrule nat_out -s $internal -j SNAT --to-source $external
|
||||
|
||||
|
||||
if [ "$localnat" = "Yes" -o "$localnat" = "yes" ]; then
|
||||
run_iptables2 -t nat -A OUTPUT -d $external \
|
||||
-j DNAT --to-destination $internal
|
||||
@ -1765,7 +1767,7 @@ delete_nat() {
|
||||
}
|
||||
|
||||
#
|
||||
# Process a TC Rule - $marking_chain is assumed to contain the name of the
|
||||
# Process a TC Rule - $marking_chain is assumed to contain the name of the
|
||||
# default marking chain
|
||||
#
|
||||
process_tc_rule()
|
||||
@ -1789,17 +1791,17 @@ process_tc_rule()
|
||||
if ! list_search $source $all_interfaces; then
|
||||
fatal_error "Unknown interface $source in rule \"$rule\""
|
||||
fi
|
||||
|
||||
|
||||
r="-i $source "
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if [ "$mark" != "${mark%:*}" ]; then
|
||||
|
||||
|
||||
[ "$chain" = tcout ] && \
|
||||
fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
|
||||
|
||||
|
||||
case "${mark#*:}" in
|
||||
p|P)
|
||||
chain=tcpre
|
||||
@ -1814,7 +1816,7 @@ process_tc_rule()
|
||||
|
||||
mark="${mark%:*}"
|
||||
fi
|
||||
|
||||
|
||||
[ "x$dest" = "x-" ] || r="${r}-d $dest "
|
||||
[ "$proto" = "all" ] || r="${r}-p $proto "
|
||||
[ "x$port" = "x-" ] || r="${r}--dport $port "
|
||||
@ -1844,7 +1846,7 @@ setup_tc1() {
|
||||
#
|
||||
# Create the TC mangle chains
|
||||
#
|
||||
|
||||
|
||||
run_iptables -t mangle -N tcpre
|
||||
run_iptables -t mangle -N tcfor
|
||||
run_iptables -t mangle -N tcout
|
||||
@ -1861,7 +1863,7 @@ setup_tc1() {
|
||||
#
|
||||
# Link to the TC mangle chains from the main chains
|
||||
#
|
||||
|
||||
|
||||
run_iptables -t mangle -A FORWARD -j tcfor
|
||||
run_iptables -t mangle -A PREROUTING -j tcpre
|
||||
run_iptables -t mangle -A OUTPUT -j tcout
|
||||
@ -1912,7 +1914,7 @@ refresh_tc() {
|
||||
[ -n "$CLEAR_TC" ] && delete_tc
|
||||
|
||||
[ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
|
||||
|
||||
|
||||
if mangle_chain_exists $chain; then
|
||||
#
|
||||
# Flush the TC mangle chains
|
||||
@ -1928,7 +1930,7 @@ refresh_tc() {
|
||||
while read mark sources dests proto ports sports; do
|
||||
expandv mark sources dests proto ports sports
|
||||
rule=`echo "$mark $sources $dests $proto $ports $sports"`
|
||||
process_tc_rule
|
||||
process_tc_rule
|
||||
done < $TMP_DIR/tcrules
|
||||
|
||||
run_user_exit tcstart
|
||||
@ -1957,7 +1959,7 @@ add_nat_rule() {
|
||||
local chain
|
||||
|
||||
# Be sure we should and can NAT
|
||||
|
||||
|
||||
case $logtarget in
|
||||
DNAT|REDIRECT)
|
||||
if [ -z "$NAT_ENABLED" ]; then
|
||||
@ -2013,7 +2015,7 @@ add_nat_rule() {
|
||||
$multiport $dports -j $target1
|
||||
else
|
||||
chain=`dnat_chain $source`
|
||||
|
||||
|
||||
if [ -n "$excludezones" ]; then
|
||||
chain=nonat${nonat_seq}
|
||||
nonat_seq=$(($nonat_seq + 1))
|
||||
@ -2029,7 +2031,7 @@ add_nat_rule() {
|
||||
done
|
||||
done
|
||||
fi
|
||||
|
||||
|
||||
for adr in $addr; do
|
||||
addnatrule $chain $proto $cli $sports \
|
||||
-d $adr $multiport $dports -j $target1
|
||||
@ -2056,7 +2058,7 @@ add_nat_rule() {
|
||||
for source_host in $source_hosts; do
|
||||
[ "x${source_host#*:}" = "x0.0.0.0/0" ] && \
|
||||
error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\""
|
||||
|
||||
|
||||
addnatrule `snat_chain $dest` \
|
||||
-s ${source_host#*:} $proto $sports $multiport \
|
||||
-d $serv $dports -j SNAT --to-source $snat
|
||||
@ -2171,7 +2173,7 @@ add_a_rule()
|
||||
proto="${proto:+-p $proto}"
|
||||
|
||||
# Some misc. setup
|
||||
|
||||
|
||||
case "$logtarget" in
|
||||
REJECT)
|
||||
target=reject
|
||||
@ -2194,7 +2196,7 @@ add_a_rule()
|
||||
esac
|
||||
|
||||
# Complain if the rule is really a policy
|
||||
|
||||
|
||||
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then
|
||||
error_message "Warning -- Rule \"$rule\" is a POLICY"
|
||||
error_message " -- and should be moved to the policy file"
|
||||
@ -2267,7 +2269,7 @@ process_rule() # $1 = target
|
||||
# $4 = protocol
|
||||
# $5 = ports
|
||||
# $6 = cports
|
||||
# $7 = address
|
||||
# $7 = address
|
||||
{
|
||||
local target="$1"
|
||||
local clients="$2"
|
||||
@ -2279,7 +2281,7 @@ process_rule() # $1 = target
|
||||
local rule="`echo $target $clients $servers $protocol $ports $cports $address`"
|
||||
|
||||
# Function Body -- isolate log level
|
||||
|
||||
|
||||
if [ "$target" = "${target%:*}" ]; then
|
||||
loglevel=
|
||||
else
|
||||
@ -2328,7 +2330,7 @@ process_rule() # $1 = target
|
||||
[ -z "$clientzone" -o -z "$clients" ] && \
|
||||
fatal_error "Empty source zone or qualifier: rule \"$rule\""
|
||||
fi
|
||||
|
||||
|
||||
if [ "$clientzone" = "${clientzone%\!*}" ]; then
|
||||
excludezones=
|
||||
else
|
||||
@ -2457,20 +2459,20 @@ process_rules() # $1 = name of rules file
|
||||
process_wildcard_rule
|
||||
continue
|
||||
fi
|
||||
|
||||
|
||||
if [ "x$xservers" = xall ]; then
|
||||
xservers="$zones $FW"
|
||||
process_wildcard_rule
|
||||
continue
|
||||
fi
|
||||
|
||||
|
||||
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress
|
||||
;;
|
||||
*)
|
||||
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`"
|
||||
fatal_error "Invalid Target in rule \"$rule\""
|
||||
;;
|
||||
|
||||
|
||||
esac
|
||||
done < $TMP_DIR/rules
|
||||
}
|
||||
@ -2866,7 +2868,7 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
|
||||
local policychain=
|
||||
|
||||
run_user_exit $1
|
||||
|
||||
|
||||
eval policychain=\$${2}2${3}_policychain
|
||||
|
||||
if [ -n "$policychain" ]; then
|
||||
@ -2891,7 +2893,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
|
||||
local chain=${1}2${2}
|
||||
|
||||
havechain $chain && { echo $chain; return; }
|
||||
|
||||
|
||||
eval chain=\$${chain}_policychain
|
||||
|
||||
[ -n "$chain" ] && { echo $chain; return; }
|
||||
@ -2952,7 +2954,7 @@ setup_masq()
|
||||
if ! list_search $interface $all_interfaces; then
|
||||
fatal_error "Unknown interface $interface"
|
||||
fi
|
||||
|
||||
|
||||
if [ "$subnet" = "${subnet%!*}" ]; then
|
||||
nomasq=
|
||||
else
|
||||
@ -2964,7 +2966,7 @@ setup_masq()
|
||||
iface=
|
||||
|
||||
source="$subnet"
|
||||
|
||||
|
||||
case $subnet in
|
||||
*.*.*)
|
||||
;;
|
||||
@ -2987,7 +2989,7 @@ setup_masq()
|
||||
|
||||
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
|
||||
list_search $address $aliases_to_add || \
|
||||
aliases_to_add="$aliases_to_add $address $fullinterface"
|
||||
aliases_to_add="$aliases_to_add $address $fullinterface"
|
||||
fi
|
||||
|
||||
destination=$destnet
|
||||
@ -2995,7 +2997,7 @@ setup_masq()
|
||||
if [ -n "$nomasq" ]; then
|
||||
newchain=masq${masq_seq}
|
||||
createnatchain $newchain
|
||||
|
||||
|
||||
if [ -n "$subnet" ]; then
|
||||
for s in $subnet; do
|
||||
addnatrule $chain -d $destnet $iface -s $s -j $newchain
|
||||
@ -3013,7 +3015,7 @@ setup_masq()
|
||||
for addr in `separate_list $nomasq`; do
|
||||
addnatrule $chain -s $addr -j RETURN
|
||||
done
|
||||
|
||||
|
||||
source="$source except $nomasq"
|
||||
else
|
||||
destnet="-d $destnet"
|
||||
@ -3097,13 +3099,13 @@ process_blacklist_rec() {
|
||||
source="-s $addr"
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
if [ -n "$protocol" ]; then
|
||||
proto=" -p $protocol "
|
||||
|
||||
case $protocol in
|
||||
tcp|TCP|6|udp|UDP|17)
|
||||
if [ -n "$ports" ]; then
|
||||
if [ -n "$ports" ]; then
|
||||
if [ -n "$MULTIPORT" -a \
|
||||
"$ports" != "${ports%,*}" -a \
|
||||
"$ports" = "${ports%:*}" -a \
|
||||
@ -3144,7 +3146,7 @@ process_blacklist_rec() {
|
||||
elif [ -n "$protocol" ]; then
|
||||
addr="$addr $protocol"
|
||||
fi
|
||||
|
||||
|
||||
echo " $addr added to Black List"
|
||||
done
|
||||
}
|
||||
@ -3168,7 +3170,7 @@ setup_blacklist() {
|
||||
for chain in `first_chains $interface`; do
|
||||
run_iptables -A $chain -j blacklst
|
||||
done
|
||||
|
||||
|
||||
echo " Blacklisting enabled on $interface"
|
||||
done
|
||||
|
||||
@ -3230,7 +3232,7 @@ add_ip_aliases()
|
||||
local interface
|
||||
local primary
|
||||
|
||||
do_one()
|
||||
do_one()
|
||||
{
|
||||
#
|
||||
# Folks feel uneasy if they don't see all of the same
|
||||
@ -3262,7 +3264,7 @@ add_ip_aliases()
|
||||
}
|
||||
|
||||
set -- $aliases_to_add
|
||||
|
||||
|
||||
while [ $# -gt 0 ]; do
|
||||
external=$1
|
||||
interface=$2
|
||||
@ -3273,7 +3275,7 @@ add_ip_aliases()
|
||||
interface="${interface%:*}"
|
||||
label="label $interface:$label"
|
||||
fi
|
||||
|
||||
|
||||
primary=`find_interface_address $interface`
|
||||
shift;shift
|
||||
[ "x${primary}" = "x${external}" ] || do_one
|
||||
@ -3337,7 +3339,7 @@ initialize_netfilter () {
|
||||
|
||||
determine_interfaces
|
||||
determine_hosts
|
||||
|
||||
|
||||
run_user_exit init
|
||||
|
||||
#
|
||||
@ -3345,12 +3347,14 @@ initialize_netfilter () {
|
||||
# (restart command). This reduces the length of time that the firewall isn't
|
||||
# accepting new connections.
|
||||
#
|
||||
|
||||
|
||||
strip_file rules
|
||||
strip_file proxyarp
|
||||
strip_file maclist
|
||||
strip_file nat
|
||||
|
||||
terminator=fatal_error
|
||||
|
||||
deletechain shorewall
|
||||
|
||||
[ -n "$NAT_ENABLED" ] && delete_nat
|
||||
@ -3368,7 +3372,7 @@ initialize_netfilter () {
|
||||
setpolicy INPUT DROP
|
||||
setpolicy OUTPUT DROP
|
||||
setpolicy FORWARD DROP
|
||||
|
||||
|
||||
deleteallchains
|
||||
|
||||
setcontinue FORWARD
|
||||
@ -3388,13 +3392,13 @@ initialize_netfilter () {
|
||||
run_iptables -A FORWARD -p tcp \
|
||||
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||
|
||||
|
||||
|
||||
if [ -z "$NEWNOTSYN" ]; then
|
||||
createchain newnotsyn no
|
||||
run_user_exit newnotsyn
|
||||
if [ -n "$LOGNEWNOTSYN" ]; then
|
||||
if [ "$LOGNEWNOTSYN" = ULOG ]; then
|
||||
run_iptables -A newnotsyn -j ULOG
|
||||
run_iptables -A newnotsyn -j ULOG
|
||||
--ulog-prefix "Shorewall:newnotsyn:DROP:"
|
||||
else
|
||||
run_iptables -A newnotsyn -j LOG \
|
||||
@ -3403,13 +3407,13 @@ initialize_netfilter () {
|
||||
fi
|
||||
|
||||
run_iptables -A newnotsyn -j DROP
|
||||
fi
|
||||
fi
|
||||
|
||||
createchain icmpdef no
|
||||
createchain common no
|
||||
createchain reject no
|
||||
createchain dynamic no
|
||||
|
||||
|
||||
if [ -f /var/lib/shorewall/save ]; then
|
||||
echo "Restoring dynamic rules..."
|
||||
|
||||
@ -3423,7 +3427,7 @@ initialize_netfilter () {
|
||||
esac
|
||||
done < /var/lib/shorewall/save
|
||||
fi
|
||||
|
||||
|
||||
echo "Creating input Chains..."
|
||||
|
||||
for interface in $all_interfaces; do
|
||||
@ -3438,7 +3442,7 @@ initialize_netfilter () {
|
||||
# Build the common chain -- called during [re]start and refresh
|
||||
#
|
||||
build_common_chain() {
|
||||
|
||||
|
||||
#
|
||||
# Common ICMP rules
|
||||
#
|
||||
@ -3459,7 +3463,7 @@ build_common_chain() {
|
||||
if [ -n "$NEWNOTSYN" ]; then
|
||||
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
|
||||
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
|
||||
fi
|
||||
fi
|
||||
#
|
||||
# BROADCASTS
|
||||
#
|
||||
@ -3564,9 +3568,9 @@ add_common_rules() {
|
||||
|
||||
if [ -n "$norfc1918_interfaces" ]; then
|
||||
echo "Enabling RFC1918 Filtering"
|
||||
|
||||
|
||||
strip_file rfc1918
|
||||
|
||||
|
||||
createchain rfc1918 no
|
||||
|
||||
createchain logdrop no
|
||||
@ -3586,7 +3590,7 @@ add_common_rules() {
|
||||
run_iptables -t mangle -A logdrop -j `logdisp man1918`
|
||||
run_iptables -t mangle -A logdrop -j DROP
|
||||
fi
|
||||
|
||||
|
||||
while read subnet target; do
|
||||
case $target in
|
||||
logdrop|DROP|RETURN)
|
||||
@ -3605,23 +3609,23 @@ add_common_rules() {
|
||||
run_iptables2 -t mangle -A man1918 -d $subnet -j $target
|
||||
fi
|
||||
done < $TMP_DIR/rfc1918
|
||||
|
||||
|
||||
for interface in $norfc1918_interfaces; do
|
||||
for chain in `first_chains $interface`; do
|
||||
run_iptables -A $chain -m state --state NEW -j rfc1918
|
||||
done
|
||||
|
||||
|
||||
[ -n "$MANGLE_ENABLED" ] && \
|
||||
run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918
|
||||
done
|
||||
|
||||
fi
|
||||
|
||||
|
||||
interfaces=`find_interfaces_by_option tcpflags`
|
||||
|
||||
if [ -n "$interfaces" ]; then
|
||||
echo "Setting up TCP Flags checking..."
|
||||
|
||||
|
||||
createchain tcpflags no
|
||||
|
||||
if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then
|
||||
@ -3661,7 +3665,7 @@ add_common_rules() {
|
||||
# hosts a web server.
|
||||
#
|
||||
run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition
|
||||
|
||||
|
||||
for interface in $interfaces; do
|
||||
for chain in `first_chains $interface`; do
|
||||
run_iptables -A $chain -p tcp -j tcpflags
|
||||
@ -3678,7 +3682,7 @@ add_common_rules() {
|
||||
#
|
||||
run_iptables -A INPUT -i lo -j ACCEPT
|
||||
run_iptables -A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
|
||||
#
|
||||
# Route Filtering
|
||||
#
|
||||
@ -3789,7 +3793,7 @@ apply_policy_rules() {
|
||||
#
|
||||
# Activate the rules
|
||||
#
|
||||
activate_rules()
|
||||
activate_rules()
|
||||
{
|
||||
local PREROUTING_rule=1
|
||||
local POSTROUTING_rule=1
|
||||
@ -3801,11 +3805,11 @@ activate_rules()
|
||||
local sourcechain=$1 destchain=$2
|
||||
shift
|
||||
shift
|
||||
|
||||
|
||||
havenatchain $destchain && \
|
||||
run_iptables -t nat -A $sourcechain $@ -j $destchain
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Jump to a RULES chain from one of the builtin nat chains
|
||||
#
|
||||
@ -3817,7 +3821,7 @@ activate_rules()
|
||||
local sourcechain=$1 destchain=$2
|
||||
shift
|
||||
shift
|
||||
|
||||
|
||||
if havenatchain $destchain; then
|
||||
if [ -n "$NAT_BEFORE_RULES" ]; then
|
||||
run_iptables -t nat -A $sourcechain $@ -j $destchain
|
||||
@ -3853,12 +3857,12 @@ activate_rules()
|
||||
|
||||
echo "$FW $zone $chain1" >> ${STATEDIR}/chains
|
||||
echo "$zone $FW $chain2" >> ${STATEDIR}/chains
|
||||
|
||||
|
||||
for host in $source_hosts; do
|
||||
interface=${host%:*}
|
||||
subnet=${host#*:}
|
||||
|
||||
run_iptables -A OUTPUT -o $interface -d $subnet -j $chain1
|
||||
run_iptables -A OUTPUT -o $interface -d $subnet -j $chain1
|
||||
|
||||
#
|
||||
# Add jumps from the builtin chains for DNAT and SNAT rules
|
||||
@ -3887,7 +3891,7 @@ activate_rules()
|
||||
interface=${host%:*}
|
||||
subnet=${host#*:}
|
||||
chain1=`forward_chain $interface`
|
||||
|
||||
|
||||
if [ -n "$have_canonical" ]; then
|
||||
bounce=yes
|
||||
else
|
||||
@ -4026,27 +4030,27 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
#
|
||||
check_config() {
|
||||
echo "Verifying Configuration..."
|
||||
|
||||
|
||||
verify_os_version
|
||||
|
||||
|
||||
load_kernel_modules
|
||||
|
||||
|
||||
echo "Determining Zones..."
|
||||
|
||||
|
||||
determine_zones
|
||||
|
||||
|
||||
[ -z "$zones" ] && startup_error "No Zones Defined"
|
||||
|
||||
|
||||
display_list "Zones:" $zones
|
||||
|
||||
|
||||
echo "Validating interfaces file..."
|
||||
|
||||
|
||||
validate_interfaces_file
|
||||
|
||||
|
||||
echo "Validating hosts file..."
|
||||
|
||||
|
||||
validate_hosts_file
|
||||
|
||||
|
||||
echo "Determining Hosts in Zones..."
|
||||
|
||||
determine_interfaces
|
||||
@ -4055,11 +4059,11 @@ check_config() {
|
||||
echo "Validating rules file..."
|
||||
|
||||
validate_rules
|
||||
|
||||
|
||||
echo "Validating policy file..."
|
||||
|
||||
validate_policy
|
||||
|
||||
|
||||
validate_policy
|
||||
|
||||
rm -rf $TMP_DIR
|
||||
|
||||
echo "Configuration Validated"
|
||||
@ -4098,7 +4102,7 @@ refresh_firewall()
|
||||
#
|
||||
# Refresh Traffic Control
|
||||
#
|
||||
[ -n "$TC_ENABLED" ] && refresh_tc
|
||||
[ -n "$TC_ENABLED" ] && refresh_tc
|
||||
|
||||
report "Shorewall Refreshed"
|
||||
|
||||
@ -4126,7 +4130,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
|
||||
output_rule_num() {
|
||||
local num=`iptables -L OUTPUT -n --line-numbers | grep icmp | cut -d' ' -f1 | head -n1`
|
||||
|
||||
|
||||
[ -n "$num" ] && echo $(($num+1))
|
||||
}
|
||||
#
|
||||
@ -4185,12 +4189,12 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
startup_error "$1 already in zone $zone"
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
[ -z "$hosts" ] && hosts=$newhost || hosts="$hosts $newhost"
|
||||
fi
|
||||
|
||||
eval ${z}_hosts=\"$hosts\"
|
||||
|
||||
|
||||
echo "$z $hosts" >> ${STATEDIR}/zones_$$
|
||||
done < ${STATEDIR}/zones
|
||||
|
||||
@ -4241,7 +4245,7 @@ setup_intrazone() # $1 = zone
|
||||
rulenum=$(($rulenum + 1))
|
||||
fi
|
||||
|
||||
do_iptables -I `input_chain $interface` $rulenum -s $host -j $chain
|
||||
do_iptables -I `input_chain $interface` $rulenum -s $host -j $chain
|
||||
else
|
||||
#
|
||||
# Insert rules into the passed interface's forward chain
|
||||
@ -4254,7 +4258,7 @@ setup_intrazone() # $1 = zone
|
||||
base=`chain_base $interface`
|
||||
|
||||
eval rulenum=\$${base}_rulenum
|
||||
|
||||
|
||||
if [ -z "$rulenum" ]; then
|
||||
if list_search $interface $blacklist_interfaces; then
|
||||
rulenum=3
|
||||
@ -4265,16 +4269,16 @@ setup_intrazone() # $1 = zone
|
||||
if list_search $interface $maclist_interfaces; then
|
||||
rulenum=$(($rulenum + 1))
|
||||
fi
|
||||
|
||||
|
||||
if list_search $interface $tcpflags_interfaces; then
|
||||
rulenum=$(($rulenum + 1))
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
for h in $dest_hosts; do
|
||||
iface=${h%:*}
|
||||
hosts=${h#*:}
|
||||
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
do_iptables -I $source_chain $rulenum -s $host -o $iface -d $hosts -j $chain
|
||||
rulenum=$(($rulenum + 1))
|
||||
@ -4297,7 +4301,7 @@ setup_intrazone() # $1 = zone
|
||||
# We insert them after any blacklist rules
|
||||
#
|
||||
eval source_hosts=\"\$${z1}_hosts\"
|
||||
|
||||
|
||||
for h in $source_hosts; do
|
||||
iface=${h%:*}
|
||||
hosts=${h#*:}
|
||||
@ -4305,7 +4309,7 @@ setup_intrazone() # $1 = zone
|
||||
base=`chain_base $iface`
|
||||
|
||||
eval rulenum=\$${base}_rulenum
|
||||
|
||||
|
||||
if [ -z "$rulenum" ]; then
|
||||
if list_search $iface $blacklist_interfaces; then
|
||||
rulenum=3
|
||||
@ -4326,7 +4330,7 @@ setup_intrazone() # $1 = zone
|
||||
done < ${STATEDIR}/chains
|
||||
|
||||
echo "$1 added to zone $2"
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Delete a host or subnet from a zone
|
||||
@ -4344,7 +4348,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
if [ "$z" = "$zone" ]; then
|
||||
temp=$hosts
|
||||
hosts=
|
||||
|
||||
|
||||
for h in $temp; do
|
||||
if [ "$h" = "$delhost" ]; then
|
||||
echo Yes
|
||||
@ -4353,7 +4357,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
|
||||
echo "$z $hosts" >> ${STATEDIR}/zones_$$
|
||||
done < ${STATEDIR}/zones
|
||||
|
||||
@ -4412,7 +4416,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
while read z1 z2 chain; do
|
||||
if [ "$z1" = "$zone" ]; then
|
||||
if [ "$z2" = "$FW" ]; then
|
||||
qt iptables -D `input_chain $interface` -s $host -j $chain
|
||||
qt iptables -D `input_chain $interface` -s $host -j $chain
|
||||
else
|
||||
source_chain=`forward_chain $interface`
|
||||
eval dest_hosts=\"\$${z2}_hosts\"
|
||||
@ -4420,7 +4424,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
for h in $dest_hosts $delhost; do
|
||||
iface=${h%:*}
|
||||
hosts=${h#*:}
|
||||
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
qt iptables -D $source_chain -s $host -o $iface -d $hosts -j $chain
|
||||
fi
|
||||
@ -4431,7 +4435,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
qt iptables -D OUTPUT -o $interface -d $host -j $chain
|
||||
else
|
||||
eval source_hosts=\"\$${z1}_hosts\"
|
||||
|
||||
|
||||
for h in $source_hosts; do
|
||||
iface=${h%:*}
|
||||
hosts=${h#*:}
|
||||
@ -4445,7 +4449,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
done < ${STATEDIR}/chains
|
||||
|
||||
echo "$1 removed from zone $2"
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Determine the value for a parameter that defaults to Yes
|
||||
@ -4505,6 +4509,10 @@ do_initialize() {
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
|
||||
#
|
||||
# Establish termination function
|
||||
#
|
||||
terminator=startup_error
|
||||
#
|
||||
# Clear all configuration variables
|
||||
#
|
||||
version=
|
||||
@ -4560,7 +4568,7 @@ do_initialize() {
|
||||
else
|
||||
config=/etc/shorewall/shorewall.conf
|
||||
fi
|
||||
|
||||
|
||||
if [ -f $config ]; then
|
||||
. $config
|
||||
else
|
||||
@ -4631,7 +4639,7 @@ do_initialize() {
|
||||
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
|
||||
|
||||
maclist_target=reject
|
||||
|
||||
|
||||
if [ -n "$MACLIST_DISPOSITION" ] ; then
|
||||
case $MACLIST_DISPOSITION in
|
||||
REJECT)
|
||||
@ -4800,7 +4808,7 @@ case "$command" in
|
||||
do_initialize
|
||||
check_config
|
||||
;;
|
||||
|
||||
|
||||
add)
|
||||
[ $# -ne 3 ] && usage
|
||||
do_initialize
|
||||
|
@ -4,9 +4,9 @@
|
||||
|
||||
#
|
||||
# Suppress all output for a command
|
||||
#
|
||||
qt()
|
||||
{
|
||||
#
|
||||
qt()
|
||||
{
|
||||
"$@" >/dev/null 2>&1
|
||||
}
|
||||
|
||||
@ -25,15 +25,30 @@ find_file()
|
||||
#
|
||||
# Replace commas with spaces and echo the result
|
||||
#
|
||||
separate_list() {
|
||||
separate_list() {
|
||||
local list
|
||||
local part
|
||||
local newlist
|
||||
#
|
||||
# There's been whining about us not catching embedded white space in
|
||||
# comma-separated lists. This is an attempt to snag some of the cases.
|
||||
#
|
||||
# The 'terminator' function will be set by the 'firewall' script to
|
||||
# either 'startup_error' or 'fatal_error' depending on the command and
|
||||
# command phase
|
||||
#
|
||||
case "$@" in
|
||||
*,|,*|*,,*)
|
||||
[ -n "$terminator" ] && \
|
||||
$terminator "Invalid comma-separated list \"$@\""
|
||||
echo "Warning -- invalid comma-separated list \"$@\"" >&2
|
||||
;;
|
||||
esac
|
||||
|
||||
list="$@"
|
||||
part="${list%%,*}"
|
||||
newlist="$part"
|
||||
|
||||
|
||||
while [ "x$part" != "x$list" ]; do
|
||||
list="${list#*,}";
|
||||
part="${list%%,*}";
|
||||
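Review bot: The new `case "$@" in *,|,*|*,,*)` guard in separate_list only notices a comma at the start or end of the joined arguments or a doubled comma, so a column written as `a , b` (white space on both sides of the comma) still slips through: after word splitting the words are `a`, `,` and `b`, and the joined text neither starts nor ends with `,`. Adding a pattern for a comma next to a space, `*,\ *|*\ ,*)`, would catch that form and `a, b` as well, assuming callers pass the column value unquoted as the comment implies. Both `case "$@"` and `list="$@"` also rely on how the shell joins several positional parameters in a non-list context, which POSIX leaves unspecified; `"$*"` states the intent explicitly and behaves the same in bash and ash. The rest of separate_list, including the while loop that splits the list, continues past the end of the hunk.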
@ -69,7 +84,7 @@ find_display() # $1 = zone, $2 = name of the zone file
|
||||
done
|
||||
}
|
||||
|
||||
determine_zones()
|
||||
determine_zones()
|
||||
{
|
||||
local zonefile=`find_file zones`
|
||||
|
||||
|
@ -18,14 +18,14 @@
|
||||
# a) The IP address of a host
|
||||
# b) A subnetwork in the form
|
||||
# <subnet-address>/<mask width>
|
||||
#
|
||||
#
|
||||
# The interface must be defined in the
|
||||
# /etc/shorewall/interfaces file.
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# eth1:192.168.1.3
|
||||
# eth2:192.168.2.0/24
|
||||
# eth2:192.168.2.0/24
|
||||
#
|
||||
# OPTIONS - A comma-separated list of options. Currently-defined
|
||||
# options are:
|
||||
|
@ -3,7 +3,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
|
||||
#
|
||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.4 3/14/2003
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
@ -13,7 +13,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
@ -30,7 +30,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
|
||||
#
|
||||
# Commands are:
|
||||
#
|
||||
# shorewall start Starts the firewall
|
||||
# shorewall start Starts the firewall
|
||||
# shorewall restart Restarts the firewall
|
||||
# shorewall stop Stops the firewall
|
||||
# shorewall status Displays firewall status
|
||||
@ -62,7 +62,7 @@ usage() {
|
||||
command="$1"
|
||||
|
||||
case "$command" in
|
||||
|
||||
|
||||
stop|start|restart|status)
|
||||
|
||||
exec /sbin/shorewall $@
|
||||
|
@ -2,14 +2,14 @@
|
||||
#
|
||||
# Script to install Shoreline Firewall
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Seawall documentation is available at http://seawall.sourceforge.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
@ -24,7 +24,7 @@
|
||||
# Usage:
|
||||
#
|
||||
# If you are running a distribution that has a directory called /etc/rc.d/init.d or one
|
||||
# called /etc/init.d or you are running Slackware then simply cd to the directory
|
||||
# called /etc/init.d or you are running Slackware then simply cd to the directory
|
||||
# containing this script and run it.
|
||||
#
|
||||
# ./install.sh
|
||||
@ -35,7 +35,7 @@
|
||||
# ./install.sh /etc/rc.d/scripts
|
||||
#
|
||||
# The default is that the firewall will be started in run levels 2-5 starting at
|
||||
# position 15 and stopping at position 90. This is correct RedHat/Mandrake, Debian,
|
||||
# position 15 and stopping at position 90. This is correct RedHat/Mandrake, Debian,
|
||||
# Caldera and Corel.
|
||||
#
|
||||
# If you wish to change that, you can pass -r "<levels startpos stoppos>".
|
||||
@ -45,7 +45,7 @@
|
||||
#
|
||||
# ./install.sh -r "23 15 90"
|
||||
#
|
||||
# Example 2: You wish to start your firewall only in run level 3, start at position 5
|
||||
# Example 2: You wish to start your firewall only in run level 3, start at position 5
|
||||
# and stop at position 95.
|
||||
#
|
||||
# ./install.sh -r "3 5 95" /etc/rc.d/scripts
|
||||
@ -103,7 +103,7 @@ delete_file() # $1 = file to delete
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
}
|
||||
|
||||
modify_rclocal()
|
||||
{
|
||||
@ -116,11 +116,11 @@ modify_rclocal()
|
||||
fi
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
install_file_with_backup() # $1 = source $2 = target $3 = mode
|
||||
{
|
||||
{
|
||||
backup_file $2
|
||||
run_install -o $OWNER -g $GROUP -m $3 $1 ${2}
|
||||
}
|
||||
@ -182,7 +182,7 @@ while [ $# -gt 0 ] ; do
|
||||
done
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
|
||||
#
|
||||
# Determine where to install the firewall script
|
||||
#
|
||||
@ -224,7 +224,7 @@ fi
|
||||
# Change to the directory containing this script
|
||||
#
|
||||
cd "`dirname $0`"
|
||||
|
||||
|
||||
echo "Installing Shorewall Version $VERSION"
|
||||
|
||||
#
|
||||
@ -263,12 +263,12 @@ if [ -n "$RUNLEVELS" ]; then
|
||||
fi
|
||||
|
||||
install_file_with_backup init.temp ${PREFIX}${DEST}/$FIREWALL 0544
|
||||
|
||||
|
||||
rm -f init.temp awk.tmp
|
||||
else
|
||||
install_file_with_backup init.sh ${PREFIX}${DEST}/$FIREWALL 0544
|
||||
fi
|
||||
|
||||
|
||||
echo
|
||||
echo "Shorewall script installed in ${PREFIX}${DEST}/$FIREWALL"
|
||||
|
||||
@ -306,12 +306,12 @@ if [ -f ${PREFIX}/etc/shorewall/functions ]; then
|
||||
backup_file ${PREFIX}/etc/shorewall/functions
|
||||
rm -f ${PREFIX}/etc/shorewall/functions
|
||||
fi
|
||||
|
||||
|
||||
if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then
|
||||
backup_file ${PREFIX}/var/lib/shorewall/functions
|
||||
rm -f ${PREFIX}/var/lib/shorewall/functions
|
||||
fi
|
||||
|
||||
|
||||
install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
|
||||
|
||||
echo
|
||||
@ -379,13 +379,13 @@ else
|
||||
echo
|
||||
echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
|
||||
fi
|
||||
#
|
||||
#
|
||||
# Install the Parameters file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/params ]; then
|
||||
backup_file /etc/shorewall/params
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params
|
||||
run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params
|
||||
echo
|
||||
echo "Parameter file installed as ${PREFIX}/etc/shorewall/params"
|
||||
fi
|
||||
|
@ -14,7 +14,7 @@
|
||||
# If the interface serves multiple zones that will be
|
||||
# defined in the /etc/shorewall/hosts file, you should
|
||||
# place "-" in this column.
|
||||
#
|
||||
#
|
||||
# INTERFACE Name of interface. Each interface may be listed only
|
||||
# once in this file. You may NOT specify the name of
|
||||
# an alias (e.g., eth0:0) here; see
|
||||
@ -27,14 +27,14 @@
|
||||
# column is left black.If the interface has multiple
|
||||
# addresses on multiple subnets then list the broadcast
|
||||
# addresses as a comma-separated list.
|
||||
#
|
||||
#
|
||||
# If you use the special value "detect", the firewall
|
||||
# will detect the broadcast address for you. If you
|
||||
# select this option, the interface must be up before
|
||||
# the firewall is started, you must have iproute
|
||||
# installed and the interface must only be associated
|
||||
# with a single subnet.
|
||||
#
|
||||
#
|
||||
# If you don't want to give a value for this column but
|
||||
# you want to enter a value in the OPTIONS column, enter
|
||||
# "-" in this column.
|
||||
@ -79,8 +79,8 @@
|
||||
# TCP_FLAGS_DISPOSITION after having been
|
||||
# logged according to the setting of
|
||||
# TCP_FLAGS_LOG_LEVEL.
|
||||
# proxyarp -
|
||||
# Sets
|
||||
# proxyarp -
|
||||
# Sets
|
||||
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
||||
# Do NOT use this option if you are
|
||||
# employing Proxy ARP through entries in
|
||||
@ -88,7 +88,7 @@
|
||||
# intended soley for use with Proxy ARP
|
||||
# sub-networking as described at:
|
||||
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
||||
#
|
||||
#
|
||||
# The order in which you list the options is not
|
||||
# significant but the list should have no embedded white
|
||||
# space.
|
||||
|
@ -6,7 +6,7 @@
|
||||
# Columns are:
|
||||
#
|
||||
# INTERFACE Network interface to a host
|
||||
#
|
||||
#
|
||||
# MAC MAC address of the host -- you do not need to use
|
||||
# the Shorewall format for MAC addresses here
|
||||
#
|
||||
|
@ -13,8 +13,8 @@
|
||||
# /etc/shorewall/shorewall.conf, you may add ":" and
|
||||
# a digit to indicate that you want the alias added with
|
||||
# that name (e.g., eth0:0). This will allow the alias to
|
||||
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
|
||||
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
|
||||
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
|
||||
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
|
||||
# PLACE IN YOUR SHOREWALL CONFIGURATION.
|
||||
#
|
||||
# This may be qualified by adding the character
|
||||
@ -25,7 +25,7 @@
|
||||
# a subnet or as an interface. If you give the name of an
|
||||
# interface, you must have iproute installed and the interface
|
||||
# must be up before you start the firewall.
|
||||
#
|
||||
#
|
||||
# In order to exclude a subset of the specified SUBNET, you
|
||||
# may append "!" and a comma-separated list of IP addresses
|
||||
# and/or subnets that you wish to exclude.
|
||||
@ -37,17 +37,17 @@
|
||||
#
|
||||
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
|
||||
# used and this will be the source address. If
|
||||
# ADD_SNAT_ALIASES is set to Yes or yes in
|
||||
# ADD_SNAT_ALIASES is set to Yes or yes in
|
||||
# /etc/shorewall/shorewall.conf then Shorewall
|
||||
# will automatically add this address to the
|
||||
# INTERFACE named in the first column.
|
||||
# INTERFACE named in the first column.
|
||||
#
|
||||
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
|
||||
# the address given in this column is the primary
|
||||
# IP address for the interface in the INTERFACE
|
||||
# column.
|
||||
#
|
||||
# This column may not contain a DNS Name.
|
||||
# This column may not contain a DNS Name.
|
||||
#
|
||||
# Example 1:
|
||||
#
|
||||
@ -83,7 +83,7 @@
|
||||
#
|
||||
# You want all outgoing traffic from 192.168.1.0/24 through
|
||||
# eth0 to use source address 206.124.146.176 which is NOT the
|
||||
# primary address of eth0. You want 206.124.146.176 added to
|
||||
# primary address of eth0. You want 206.124.146.176 added to
|
||||
# be added to eth0 with name eth0:0.
|
||||
#
|
||||
# eth0:0 192.168.1.0/24 206.124.146.176
|
||||
|
@ -17,7 +17,7 @@
|
||||
# column and must not be a DNS Name.
|
||||
# INTERFACE Interface that we want to EXTERNAL address to appear
|
||||
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
|
||||
# follow the interface name with ":" and a digit to
|
||||
# follow the interface name with ":" and a digit to
|
||||
# indicate that you want Shorewall to add the alias
|
||||
# with this name (e.g., "eth0:0"). That allows you to
|
||||
# see the alias with ifconfig. THAT IS THE ONLY THING
|
||||
|
@ -4,7 +4,7 @@
|
||||
#
|
||||
# /etc/shorewall/proxyarp
|
||||
#
|
||||
# This file is used to define Proxy ARP.
|
||||
# This file is used to define Proxy ARP.
|
||||
#
|
||||
# Columns must be separated by white space and are:
|
||||
#
|
||||
|
@ -68,4 +68,4 @@ Changes for 1.4 include:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -43,7 +43,7 @@
|
||||
39.0.0.0/8 logdrop # Reserved
|
||||
41.0.0.0/8 logdrop # Reserved
|
||||
42.0.0.0/8 logdrop # Reserved
|
||||
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||
58.0.0.0/7 logdrop # Reserved
|
||||
60.0.0.0/8 logdrop # Reserved
|
||||
|
@ -4,7 +4,7 @@
|
||||
#
|
||||
# /etc/shorewall/routestopped
|
||||
#
|
||||
# This file is used to define the hosts that are accessible when the
|
||||
# This file is used to define the hosts that are accessible when the
|
||||
# firewall is stopped
|
||||
#
|
||||
# Columns must be separated by white space and are:
|
||||
@ -12,7 +12,7 @@
|
||||
# INTERFACE - Interface through which host(s) communicate with
|
||||
# the firewall
|
||||
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
||||
# If left empty or supplied as "-",
|
||||
# If left empty or supplied as "-",
|
||||
# 0.0.0.0/0 is assumed.
|
||||
#
|
||||
# Example:
|
||||
|
@ -24,7 +24,7 @@
|
||||
# DNAT -- Forward the request to another
|
||||
# system (and optionally another
|
||||
# port).
|
||||
# DNAT- -- Advanced users only.
|
||||
# DNAT- -- Advanced users only.
|
||||
# Like DNAT but only generates the
|
||||
# DNAT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
@ -122,7 +122,7 @@
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# A port range is expressed as <low port>:<high port>.
|
||||
#
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
# entered if any of the following ields are supplied.
|
||||
# In that case, it is suggested that this field contain
|
||||
@ -153,7 +153,7 @@
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
|
||||
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
|
||||
# REDIRECT) If included and different from the IP
|
||||
# address given in the SERVER column, this is an address
|
||||
# on some interface on the firewall and connections to
|
||||
|
@ -2,7 +2,7 @@
|
||||
#
|
||||
# Shorewall Packet Filtering Firewall Control Program - V1.4 - 3/14/2003
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
@ -12,7 +12,7 @@
|
||||
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
@ -23,7 +23,7 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
#
|
||||
# If an error occurs while starting or restarting the firewall, the
|
||||
# firewall is automatically stopped.
|
||||
#
|
||||
@ -34,13 +34,13 @@
|
||||
#
|
||||
# shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone
|
||||
# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
|
||||
# shorewall start Starts the firewall
|
||||
# shorewall start Starts the firewall
|
||||
# shorewall restart Restarts the firewall
|
||||
# shorewall stop Stops the firewall
|
||||
# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status
|
||||
# plus the last 20 "interesting"
|
||||
# packets
|
||||
# shorewall status Displays firewall status
|
||||
# shorewall status Displays firewall status
|
||||
# shorewall reset Resets iptables packet and
|
||||
# byte counts
|
||||
# shorewall clear Open the floodgates by
|
||||
@ -75,7 +75,7 @@
|
||||
# listed address(es)
|
||||
# shorewall reject <address> ... Temporarily reject all packets from the
|
||||
# listed address(es)
|
||||
# shorewall allow <address> ... Reenable address(es) previously
|
||||
# shorewall allow <address> ... Reenable address(es) previously
|
||||
# disabled with "drop" or "reject"
|
||||
# shorewall save Save the list of "rejected" and
|
||||
# "dropped" addresses so that it will
|
||||
@ -142,7 +142,7 @@ get_config() {
|
||||
display_chains()
|
||||
{
|
||||
trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
|
||||
|
||||
|
||||
if [ "$haveawk" = "Yes" ]; then
|
||||
#
|
||||
# Send the output to a temporary file since ash craps if we try to store
|
||||
@ -170,11 +170,11 @@ display_chains()
|
||||
echo
|
||||
|
||||
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
|
||||
|
||||
|
||||
for chain in $chains; do
|
||||
showchain $chain
|
||||
done
|
||||
|
||||
|
||||
timed_read
|
||||
|
||||
for zone in $zones; do
|
||||
@ -242,7 +242,7 @@ display_chains()
|
||||
# Delay $timeout seconds -- if we're running on a recent bash2 then allow
|
||||
# <enter> to terminate the delay
|
||||
#
|
||||
timed_read ()
|
||||
timed_read ()
|
||||
{
|
||||
read -t $timeout foo 2> /dev/null
|
||||
|
||||
@ -252,7 +252,7 @@ timed_read ()
|
||||
#
|
||||
# Display the last $1 packets logged
|
||||
#
|
||||
packet_log() # $1 = number of messages
|
||||
packet_log() # $1 = number of messages
|
||||
{
|
||||
local options
|
||||
|
||||
@ -334,7 +334,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
get_config
|
||||
host=`echo $HOSTNAME | sed 's/\..*$//'`
|
||||
oldrejects=`iptables -L -v -n | grep 'LOG'`
|
||||
|
||||
|
||||
if [ $1 -lt 0 ]; then
|
||||
let "timeout=- $1"
|
||||
pause="Yes"
|
||||
@ -347,7 +347,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
while true; do
|
||||
display_chains
|
||||
|
||||
|
||||
clear
|
||||
echo "$banner `date`"
|
||||
echo
|
||||
@ -361,7 +361,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
if [ "$rejects" != "$oldrejects" ]; then
|
||||
oldrejects="$rejects"
|
||||
|
||||
|
||||
$RING_BELL
|
||||
|
||||
packet_log 20
|
||||
@ -435,7 +435,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
get_config
|
||||
host=`echo $HOSTNAME | sed 's/\..*$//'`
|
||||
oldrejects=`iptables -L -v -n | grep 'LOG'`
|
||||
|
||||
|
||||
if [ $1 -lt 0 ]; then
|
||||
timeout=$((- $1))
|
||||
pause="Yes"
|
||||
@ -754,7 +754,7 @@ case "$1" in
|
||||
echo ""
|
||||
|
||||
echo " HITS PORT SERVICE(S)"
|
||||
echo " ---- ----- ----------"
|
||||
echo " ---- ----- ----------"
|
||||
grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
|
||||
while read count port ; do
|
||||
# List all services defined for the given port
|
||||
@ -853,4 +853,4 @@ case "$1" in
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
esac
|
||||
|
@ -2,7 +2,7 @@
|
||||
# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
|
||||
# match your setup
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# This file should be placed in /etc/shorewall
|
||||
#
|
||||
@ -19,7 +19,7 @@ SHARED_DIR=/usr/share/shorewall
|
||||
# L O G G I N G
|
||||
##############################################################################
|
||||
#
|
||||
# General note about log levels. Log levels are a method of describing
|
||||
# General note about log levels. Log levels are a method of describing
|
||||
# to syslog (8) the importance of a message and a number of parameters
|
||||
# in this file have log levels as their value.
|
||||
#
|
||||
@ -35,16 +35,16 @@ SHARED_DIR=/usr/share/shorewall
|
||||
# 0 emerg
|
||||
#
|
||||
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
|
||||
# log messages are generated by NetFilter and are logged using facility
|
||||
# log messages are generated by NetFilter and are logged using facility
|
||||
# 'kern' and the level that you specifify. If you are unsure of the level
|
||||
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
|
||||
# number.
|
||||
#
|
||||
# If you have build your kernel with ULOG target support, you may also
|
||||
# If you have build your kernel with ULOG target support, you may also
|
||||
# specify a log level of ULOG (must be all caps). Rather than log its
|
||||
# messages to syslogd, Shorewall will direct netfilter to log the messages
|
||||
# via the ULOG target which will send them to a process called 'ulogd'.
|
||||
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
|
||||
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
|
||||
# configured to log all Shorewall message to their own log file
|
||||
################################################################################
|
||||
#
|
||||
@ -118,7 +118,7 @@ BLACKLIST_LOGLEVEL=
|
||||
#
|
||||
# When a TCP packet that does not have the SYN flag set and the ACK and RST
|
||||
# flags clear then unless the packet is part of an established connection,
|
||||
# it will be rejected by the firewall. If you want these rejects logged,
|
||||
# it will be rejected by the firewall. If you want these rejects logged,
|
||||
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
@ -133,10 +133,10 @@ LOGNEWNOTSYN=
|
||||
#
|
||||
# Specifies the logging level for connection requests that fail MAC
|
||||
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
|
||||
# such connection requests will not be logged.
|
||||
# such connection requests will not be logged.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
#
|
||||
|
||||
MACLIST_LOG_LEVEL=info
|
||||
|
||||
@ -145,10 +145,10 @@ MACLIST_LOG_LEVEL=info
|
||||
#
|
||||
# Specifies the logging level for packets that fail TCP Flags
|
||||
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
|
||||
# such packets will not be logged.
|
||||
# such packets will not be logged.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
#
|
||||
|
||||
TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
@ -160,7 +160,7 @@ TCP_FLAGS_LOG_LEVEL=info
|
||||
# RFC1918_LOG_LEVEL=info is assumed.
|
||||
#
|
||||
# See the comment at the top of this section for a description of log levels
|
||||
#
|
||||
#
|
||||
|
||||
RFC1918_LOG_LEVEL=info
|
||||
|
||||
@ -169,7 +169,7 @@ RFC1918_LOG_LEVEL=info
|
||||
################################################################################
|
||||
#
|
||||
# PATH - Change this if you want to change the order in which Shorewall
|
||||
# searches directories for executable files.
|
||||
# searches directories for executable files.
|
||||
#
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
@ -294,13 +294,13 @@ CLEAR_TC=Yes
|
||||
#
|
||||
# When processing the tcrules file, Shorewall normally marks packets in the
|
||||
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
|
||||
# this to "Yes". If not specified or if set to the empty value (e.g.,
|
||||
# this to "Yes". If not specified or if set to the empty value (e.g.,
|
||||
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
|
||||
#
|
||||
# Marking packets in the FORWARD chain has the advantage that inbound
|
||||
# packets destined for Masqueraded/SNATed local hosts have had their destination
|
||||
# address rewritten so they can be marked based on their destination. When
|
||||
# packets are marked in the PREROUTING chain, packets destined for
|
||||
# packets are marked in the PREROUTING chain, packets destined for
|
||||
# Masqueraded/SNATed local hosts still have a destination address corresponding
|
||||
# to the firewall's external interface.
|
||||
#
|
||||
@ -387,27 +387,27 @@ MULTIPORT=No
|
||||
# DNAT net loc:192.168.1.3 tcp 80
|
||||
#
|
||||
# it will forward TCP port 80 connections from the net to 192.168.1.3
|
||||
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
|
||||
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
|
||||
# convenient for two reasons:
|
||||
#
|
||||
# a) If the the network interface has a dynamic IP address, the
|
||||
# firewall configuration will work even when the address
|
||||
# changes.
|
||||
#
|
||||
# b) It saves having to configure the IP address in the rule
|
||||
# b) It saves having to configure the IP address in the rule
|
||||
# while still allowing the firewall to be started before the
|
||||
# internet interface is brought up.
|
||||
#
|
||||
# This default behavior can also have a negative effect. If the
|
||||
# internet interface has more than one IP address then the above
|
||||
# rule will forward connection requests on all of these addresses;
|
||||
# internet interface has more than one IP address then the above
|
||||
# rule will forward connection requests on all of these addresses;
|
||||
# that may not be what is desired.
|
||||
#
|
||||
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
|
||||
# only if the original destination address is the primary IP address of
|
||||
# one of the interfaces associated with the source zone. Note that this
|
||||
# requires all interfaces to the source zone to be up when the firewall
|
||||
# is [re]started.
|
||||
# is [re]started.
|
||||
|
||||
DETECT_DNAT_IPADDRS=No
|
||||
|
||||
@ -440,7 +440,7 @@ MUTEX_TIMEOUT=60
|
||||
# Users with a High-availability setup with two firewall's and one acting
|
||||
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
|
||||
# also need to select NEWNOTSYN=Yes.
|
||||
|
||||
|
||||
NEWNOTSYN=No
|
||||
|
||||
################################################################################
|
||||
@ -469,7 +469,7 @@ MACLIST_DISPOSITION=REJECT
|
||||
#
|
||||
# TCP FLAGS Disposition
|
||||
#
|
||||
# This variable determins the disposition of packets having an invalid
|
||||
# This variable determins the disposition of packets having an invalid
|
||||
# combination of TCP flags that are received on interfaces having the
|
||||
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
|
||||
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
|
||||
|
@ -48,10 +48,10 @@ if [ $1 -eq 1 ]; then
|
||||
########################################################################" \
|
||||
> /etc/shorewall/startup_disabled
|
||||
|
||||
if [ -x /sbin/insserv ]; then
|
||||
if [ -x /sbin/insserv ]; then
|
||||
/sbin/insserv /etc/rc.d/shorewall
|
||||
elif [ -x /sbin/chkconfig ]; then
|
||||
/sbin/chkconfig --add shorewall;
|
||||
/sbin/chkconfig --add shorewall;
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -68,7 +68,7 @@ if [ $1 = 0 ]; then
|
||||
|
||||
fi
|
||||
|
||||
%files
|
||||
%files
|
||||
/etc/init.d/shorewall
|
||||
%attr(0700,root,root) %dir /etc/shorewall
|
||||
%attr(0700,root,root) %dir /usr/share/shorewall
|
||||
@ -279,7 +279,7 @@ fi
|
||||
- Changed the release to 4
|
||||
- Added Zones and Functions files
|
||||
* Mon Mar 12 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Change ipchains dependency to an iptables dependency and
|
||||
- Change ipchains dependency to an iptables dependency and
|
||||
changed the release to 3
|
||||
* Fri Mar 9 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Add additional files.
|
||||
|
@ -1,6 +1,6 @@
|
||||
############################################################################
|
||||
# Shorewall 1.4 -- /etc/shorewall/start
|
||||
#
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# been started or restarted.
|
||||
#
|
||||
|
@ -26,10 +26,10 @@
|
||||
# /etc/shorewall/shorewall.conf.
|
||||
#
|
||||
# SOURCE Source of the packet. A comma-separated list of
|
||||
# interface names, IP addresses, MAC addresses
|
||||
# interface names, IP addresses, MAC addresses
|
||||
# and/or subnets. Use $FW if the packet originates on
|
||||
# the firewall in which case the MARK column may NOT
|
||||
# specify either ":P" or ":F" (marking always occurs
|
||||
# specify either ":P" or ":F" (marking always occurs
|
||||
# in the OUTPUT chain).
|
||||
#
|
||||
# MAC addresses must be prefixed with "~" and use
|
||||
|
@ -6,8 +6,8 @@ RCDLINKS="2,S45 3,S45 6,K45"
|
||||
#
|
||||
# Modified - Steve Cowles 5/9/2000
|
||||
# Incorporated init {start|stop} syntax and iproute2 usage
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
|
@ -25,7 +25,7 @@
|
||||
# remote getway has no fixed address (Road Warrior)
|
||||
# then specify the gateway as 0.0.0.0/0.
|
||||
#
|
||||
# GATEWAY
|
||||
# GATEWAY
|
||||
# ZONES -- Optional. If the gateway system specified in the third
|
||||
# column is a standalone host then this column should
|
||||
# contain a comma-separated list of the names of the
|
||||
|
@ -2,14 +2,14 @@
|
||||
#
|
||||
# Script to back uninstall Shoreline Firewall
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
@ -35,8 +35,8 @@ usage() # $1 = exit status
|
||||
exit $1
|
||||
}
|
||||
|
||||
qt()
|
||||
{
|
||||
qt()
|
||||
{
|
||||
"$@" >/dev/null 2>&1
|
||||
}
|
||||
|
||||
@ -49,7 +49,7 @@ restore_file() # $1 = file to restore
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
remove_file() # $1 = file to restore
|
||||
|
@ -3,12 +3,12 @@
|
||||
#
|
||||
# This file determines your network zones. Columns are:
|
||||
#
|
||||
# ZONE Short name of the zone
|
||||
# ZONE Short name of the zone
|
||||
# DISPLAY Display name of the zone
|
||||
# COMMENTS Comments about the zone
|
||||
#
|
||||
#ZONE DISPLAY COMMENTS
|
||||
net Net Internet
|
||||
net Net Internet
|
||||
loc Local Local networks
|
||||
dmz DMZ Demilitarized zone
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
|