1) Remove trailing white space.

2) Improve detection of white space in comma-separated lists.
3) Fix a typo in the INSTALL file.


git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@464 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-02-23 14:10:37 +00:00
parent 5f9ff7336a
commit 21cb22303f
27 changed files with 279 additions and 256 deletions


@ -27,7 +27,7 @@ o If you have an earlier version of Shoreline Firewall installed,see the
o Edit the configuration files to fit your environment. o Edit the configuration files to fit your environment.
To do this, I strongly advise you to follow the instructions at: To do this, I strongly advise you to follow the instructions at:
http://www.shorewall.net/shorewall_quickstart_guide.htm http://www.shorewall.net/shorewall_quickstart_guide.htm
o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
@ -35,8 +35,8 @@ o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
o For other distributions, determine where your distribution installs o For other distributions, determine where your distribution installs
init scripts and type "./install.sh <init script directory>" init scripts and type "./install.sh <init script directory>"
o Start the firewall by typing "shorewall start" o Start the firewall by typing "shorewall start"
o If the install script was unable to configure Shoreline Firewall to o If the install script was unable to configure Shoreline Firewall to
start audomatically at boot, see the HTML documentation contains in the start automatically at boot, see the HTML documentation contains in the
"documentation" directory. "documentation" directory.
Upgrade: Upgrade:
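Review bot: the sentence this hunk corrects still reads "see the HTML documentation contains in the "documentation" directory" on the new side; since the hunk exists to fix "audomatically", change "contains" to "contained" in the same pass.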
@ -44,4 +44,4 @@ Upgrade:
o run the install script as described above. o run the install script as described above.
o shorewall restart o shorewall restart


@ -9,7 +9,7 @@
# #
# ADDRESS/SUBNET - Host address, subnetwork or MAC address # ADDRESS/SUBNET - Host address, subnetwork or MAC address
# #
# MAC addresses must be prefixed with "~" and use "-" # MAC addresses must be prefixed with "~" and use "-"
# as a separator. # as a separator.
# #
# Example: ~00-A0-C9-15-39-78 # Example: ~00-A0-C9-15-39-78
@ -27,7 +27,7 @@
# /etc/shorewall/shorewall.conf # /etc/shorewall/shorewall.conf
# #
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching # If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked. # the protocol (and one of the ports if PORTS supplied) are blocked.
# #
# Example: # Example:
# #


@ -1,7 +1,7 @@
############################################################################ ############################################################################
# Shorewall 1.4 -- /etc/shorewall/common.def # Shorewall 1.4 -- /etc/shorewall/common.def
# #
# This file defines the rules that are applied before a policy of # This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file, # DROP or REJECT is applied. In addition to the rules defined in this file,
# the firewall will also define a DROP rule for each subnet broadcast # the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect"). # address defined in /etc/shorewall/interfaces (including "detect").


@ -1,16 +1,16 @@
#!/bin/sh #!/bin/sh
# #
# Script to back out the installation of Shoreline Firewall and to restore the previous version of # Script to back out the installation of Shoreline Firewall and to restore the previous version of
# the program # the program
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
# (c) 2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # (c) 2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://seattlefirewall.dyndns.org # Shorewall documentation is available at http://seattlefirewall.dyndns.org
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
@ -25,7 +25,7 @@
# Usage: # Usage:
# #
# You may only use this script to back out the installation of the version # You may only use this script to back out the installation of the version
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.0-Beta1 VERSION=1.4.0-Beta1
@ -46,7 +46,7 @@ restore_file() # $1 = file to restore
echo "ERROR: Could not restore $1" echo "ERROR: Could not restore $1"
exit 1 exit 1
fi fi
fi fi
} }
if [ ! -f /usr/share/shorewall/version-${VERSION}.bkout ]; then if [ ! -f /usr/share/shorewall/version-${VERSION}.bkout ]; then
@ -77,7 +77,7 @@ restore_file /sbin/shorewall
[ -f /etc/shorewall.conf.$VERSION ] && rm -f /etc/shorewall.conf.$VERSION [ -f /etc/shorewall.conf.$VERSION ] && rm -f /etc/shorewall.conf.$VERSION
restore_file /etc/shorewall/shorewall.conf restore_file /etc/shorewall/shorewall.conf
restore_file /etc/shorewall/functions restore_file /etc/shorewall/functions
restore_file /usr/lib/shorewall/functions restore_file /usr/lib/shorewall/functions
restore_file /var/lib/shorewall/functions restore_file /var/lib/shorewall/functions
@ -92,7 +92,7 @@ restore_file /etc/shorewall/zones
restore_file /etc/shorewall/policy restore_file /etc/shorewall/policy
restore_file /etc/shorewall/interfaces restore_file /etc/shorewall/interfaces
restore_file /etc/shorewall/hosts restore_file /etc/shorewall/hosts
restore_file /etc/shorewall/rules restore_file /etc/shorewall/rules


@ -2,7 +2,7 @@
# #
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.4 3/14/2003 # The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.4 3/14/2003
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
# #
@ -12,7 +12,7 @@
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
@ -29,13 +29,13 @@
# #
# Commands are: # Commands are:
# #
# shorewall start Starts the firewall # shorewall start Starts the firewall
# shorewall restart Restarts the firewall # shorewall restart Restarts the firewall
# shorewall stop Stops the firewall # shorewall stop Stops the firewall
# shorewall status Displays firewall status # shorewall status Displays firewall status
# shorewall reset Resets iptabless packet and # shorewall reset Resets iptabless packet and
# byte counts # byte counts
# shorewall clear Remove all Shorewall chains # shorewall clear Remove all Shorewall chains
# and rules/policies. # and rules/policies.
# shorewall refresh . Rebuild the common chain # shorewall refresh . Rebuild the common chain
# shorewall check Verify the more heavily-used # shorewall check Verify the more heavily-used
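Review bot: two typos in the usage text of this hunk are left untouched: "Resets iptabless packet and byte counts" on the reset line and the stray "." in "shorewall refresh . Rebuild the common chain". Suggest "iptables" and dropping the ".", since the commit is already doing typo cleanup.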
@ -258,7 +258,7 @@ chain_exists() # $1 = chain name
{ {
qt iptables -L $1 -n qt iptables -L $1 -n
} }
# #
# Query NetFilter about the existence of a mangle chain # Query NetFilter about the existence of a mangle chain
# #
@ -266,7 +266,7 @@ mangle_chain_exists() # $1 = chain name
{ {
qt iptables -t mangle -L $1 -n qt iptables -t mangle -L $1 -n
} }
# #
# Ensure that a chain exists (create it if it doesn't) # Ensure that a chain exists (create it if it doesn't)
# #
@ -340,7 +340,7 @@ deletechain() # $1 = name of chain
is_policy_chain() # $1 = name of chain is_policy_chain() # $1 = name of chain
{ {
eval test \"\$${1}_is_policy\" = Yes eval test \"\$${1}_is_policy\" = Yes
} }
# #
# Set a standard chain's policy # Set a standard chain's policy
@ -373,7 +373,7 @@ chain_base() #$1 = interface
{ {
local c=${1%%+*} local c=${1%%+*}
case $c in case $c in
*.*) *.*)
echo ${c%.*}_${c#*.} echo ${c%.*}_${c#*.}
;; ;;
@ -387,7 +387,7 @@ chain_base() #$1 = interface
# Find interfaces to a given zone # Find interfaces to a given zone
# #
# Search the variables representing the contents of the interfaces file and # Search the variables representing the contents of the interfaces file and
# for each record matching the passed ZONE, echo the expanded contents of # for each record matching the passed ZONE, echo the expanded contents of
# the "INTERFACE" column # the "INTERFACE" column
# #
find_interfaces() # $1 = interface zone find_interfaces() # $1 = interface zone
@ -496,7 +496,7 @@ determine_interfaces() {
eval ${zone}_interfaces=\"\$interfaces\" eval ${zone}_interfaces=\"\$interfaces\"
done done
} }
# #
# Determine the defined hosts in each zone and generate report # Determine the defined hosts in each zone and generate report
# #
@ -517,7 +517,7 @@ determine_hosts() {
done done
interfaces= interfaces=
for host in $hosts; do for host in $hosts; do
interface=${host%:*} interface=${host%:*}
if ! list_search $interface $interfaces; then if ! list_search $interface $interfaces; then
@ -537,7 +537,7 @@ determine_hosts() {
display_list "$display Zone:" $hosts display_list "$display Zone:" $hosts
else else
error_message "Warning: Zone $zone is empty" error_message "Warning: Zone $zone is empty"
fi fi
done done
} }
@ -559,7 +559,7 @@ validate_interfaces_file() {
[ "x$z" = "x-" ] && z= [ "x$z" = "x-" ] && z=
if [ -n "$z" ]; then if [ -n "$z" ]; then
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
fi fi
@ -575,11 +575,11 @@ validate_interfaces_file() {
startup_error "Invalid Interface Name: $interface" startup_error "Invalid Interface Name: $interface"
;; ;;
esac esac
all_interfaces="$all_interfaces $interface" all_interfaces="$all_interfaces $interface"
options=`separate_list $options` options=`separate_list $options`
interface=`chain_base $interface` interface=`chain_base $interface`
eval ${interface}_broadcast="$subnet" eval ${interface}_broadcast="$subnet"
eval ${interface}_zone="$z" eval ${interface}_zone="$z"
eval ${interface}_options=\"$options\" eval ${interface}_options=\"$options\"
@ -595,7 +595,7 @@ validate_interfaces_file() {
;; ;;
esac esac
done done
[ -z "$all_interfaces" ] && startup_error "No Interfaces Defined" [ -z "$all_interfaces" ] && startup_error "No Interfaces Defined"
done < $TMP_DIR/interfaces done < $TMP_DIR/interfaces
@ -637,7 +637,7 @@ validate_hosts_file() {
mac_match() # $1 = MAC address formated as described above mac_match() # $1 = MAC address formated as described above
{ {
echo "--match mac --mac-source `echo $1 | sed 's/~//;s/-/:/g'`" echo "--match mac --mac-source `echo $1 | sed 's/~//;s/-/:/g'`"
} }
# #
# validate a record from the rules file # validate a record from the rules file
@ -655,7 +655,7 @@ validate_rule() {
# #
validate_list() { validate_list() {
local temp="`separate_list $1`" local temp="`separate_list $1`"
[ `echo $temp | wc -w` -le 15 ] [ `echo $temp | wc -w` -le 15 ]
} }
@ -858,7 +858,7 @@ validate_rule() {
[ -z "$clientzone" -o -z "$clients" ] && \ [ -z "$clientzone" -o -z "$clients" ] && \
startup_error "Empty source zone or qualifier: rule \"$rule\"" startup_error "Empty source zone or qualifier: rule \"$rule\""
fi fi
if [ "$clientzone" = "${clientzone%\!*}" ]; then if [ "$clientzone" = "${clientzone%\!*}" ]; then
excludezones= excludezones=
else else
@ -1036,7 +1036,7 @@ validate_policy()
[ "x$chain" = "x${FW}2${FW}" ] && \ [ "x$chain" = "x${FW}2${FW}" ] && \
startup_error "fw->fw policy not allowed: $policy" startup_error "fw->fw policy not allowed: $policy"
if is_policy_chain $chain ; then if is_policy_chain $chain ; then
startup_error "Duplicate policy $policy" startup_error "Duplicate policy $policy"
fi fi
@ -1067,7 +1067,7 @@ validate_policy()
else else
for zone in $zones $FW all; do for zone in $zones $FW all; do
eval pc=\$${zone}2${server}_policychain eval pc=\$${zone}2${server}_policychain
if [ -z "$pc" ]; then if [ -z "$pc" ]; then
eval ${zone}2${server}_policychain=$chain eval ${zone}2${server}_policychain=$chain
print_policy $zone $server print_policy $zone $server
@ -1077,16 +1077,16 @@ validate_policy()
elif [ -n "$serverwild" ]; then elif [ -n "$serverwild" ]; then
for zone in $zones $FW all; do for zone in $zones $FW all; do
eval pc=\$${client}2${zone}_policychain eval pc=\$${client}2${zone}_policychain
if [ -z "$pc" ]; then if [ -z "$pc" ]; then
eval ${client}2${zone}_policychain=$chain eval ${client}2${zone}_policychain=$chain
print_policy $client $zone print_policy $client $zone
fi fi
done done
else else
eval ${chain}_policychain=${chain} eval ${chain}_policychain=${chain}
print_policy $client $server print_policy $client $server
fi fi
done < $TMP_DIR/policy done < $TMP_DIR/policy
} }
@ -1116,7 +1116,7 @@ find_broadcasts() {
find_interface_broadcasts() # $1 = Interface name find_interface_broadcasts() # $1 = Interface name
{ {
eval bcast=\$`chain_base ${1}`_broadcast eval bcast=\$`chain_base ${1}`_broadcast
if [ "x$bcast" = "xdetect" ]; then if [ "x$bcast" = "xdetect" ]; then
addr="`ip addr show $interface 2> /dev/null`" addr="`ip addr show $interface 2> /dev/null`"
if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
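Review bot: find_interface_broadcasts documents "$1 = Interface name" and passes ${1} to chain_base, but the detect branch runs `ip addr show $interface`, reading a variable the caller must have set rather than the argument. Use `ip addr show $1` so the function cannot report another interface's broadcast when $interface and $1 differ.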
@ -1127,7 +1127,7 @@ find_interface_broadcasts() # $1 = Interface name
elif [ "x${bcast}" != "x-" ]; then elif [ "x${bcast}" != "x-" ]; then
echo `separate_list $bcast` echo `separate_list $bcast`
fi fi
} }
# #
@ -1136,7 +1136,7 @@ find_interface_broadcasts() # $1 = Interface name
# #
find_interface_address() # $1 = interface find_interface_address() # $1 = interface
{ {
# #
# get the line of output containing the first IP address # get the line of output containing the first IP address
# #
addr=`ip addr show $1 2> /dev/null | grep inet | head -n1` addr=`ip addr show $1 2> /dev/null | grep inet | head -n1`
@ -1177,7 +1177,7 @@ find_hosts_by_option() # $1 = option
eval options=\$`chain_base ${interface}`_options eval options=\$`chain_base ${interface}`_options
list_search $1 $options && \ list_search $1 $options && \
echo ${interface}:0.0.0.0/0 echo ${interface}:0.0.0.0/0
done done
} }
# #
@ -1240,6 +1240,8 @@ stop_firewall() {
stopping="Yes" stopping="Yes"
terminator=
deletechain shorewall deletechain shorewall
run_user_exit stop run_user_exit stop
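Review bot: the new `terminator=` assignment before `deletechain shorewall` introduces a global whose consumer is not in this diff, and nothing here says what an empty value means to it. Add a comment stating the intent (presumably that a failed deletechain during stop must not abort the stop), and since `stopping="Yes"` is set on the line above, check whether the callee could test $stopping instead of a second flag.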
@ -1260,7 +1262,7 @@ stop_firewall() {
hosts= hosts=
strip_file routestopped strip_file routestopped
while read interface host; do while read interface host; do
expandv interface host expandv interface host
@ -1330,7 +1332,7 @@ clear_firewall() {
run_iptables -F run_iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
setpolicy INPUT ACCEPT setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT setpolicy OUTPUT ACCEPT
@ -1357,7 +1359,7 @@ setup_tunnels() # $1 = name of tunnels file
run_iptables -A $outchain -p 51 -d $1 -j ACCEPT run_iptables -A $outchain -p 51 -d $1 -j ACCEPT
run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
if [ $2 = ipsec ]; then if [ $2 = ipsec ]; then
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
else else
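Review bot: `if [ $2 = ipsec ]` in this hunk leaves $2 unquoted, so an empty or missing tunnel type makes `test` fail with a syntax error instead of taking the else branch. Quote it, matching the `[ "x$bcast" = "xdetect" ]` idiom used elsewhere in this file.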
@ -1464,7 +1466,7 @@ setup_tunnels() # $1 = name of tunnels file
else else
error_message "Invalid gateway zone ($z)" \ error_message "Invalid gateway zone ($z)" \
" -- Tunnel \"$tunnel\" Ignored" " -- Tunnel \"$tunnel\" Ignored"
fi fi
done < $TMP_DIR/tunnels done < $TMP_DIR/tunnels
} }
@ -1579,7 +1581,7 @@ setup_mac_lists() {
if ! havechain $chain ; then if ! havechain $chain ; then
fatal_error "No hosts on $interface have the maclist option specified" fatal_error "No hosts on $interface have the maclist option specified"
fi fi
macpart=`mac_match $mac` macpart=`mac_match $mac`
if [ -z "$addresses" ]; then if [ -z "$addresses" ]; then
@ -1643,13 +1645,13 @@ setup_mac_lists() {
for hosts in $maclist_hosts; do for hosts in $maclist_hosts; do
interface=${hosts%:*} interface=${hosts%:*}
hosts=${hosts#*:} hosts=${hosts#*:}
for chain in `first_chains $interface` ; do for chain in `first_chains $interface` ; do
run_iptables -A $chain -s $hosts -m state --state NEW \ run_iptables -A $chain -s $hosts -m state --state NEW \
-j `mac_chain $interface` -j `mac_chain $interface`
done done
done done
} }
# #
# Set up SYN flood protection # Set up SYN flood protection
# #
@ -1670,7 +1672,7 @@ setup_syn_flood_chain ()
# #
# Enable SYN flood protection on a chain # Enable SYN flood protection on a chain
# #
# Insert a jump rule to the protection chain from the first chain. Inserted # Insert a jump rule to the protection chain from the first chain. Inserted
# as the second rule and restrict the jump to SYN packets # as the second rule and restrict the jump to SYN packets
# #
@ -1714,7 +1716,7 @@ setup_nat() {
while read external interface internal allints localnat; do while read external interface internal allints localnat; do
expandv external interface internal allints localnat expandv external interface internal allints localnat
iface=${interface%:*} iface=${interface%:*}
if [ -n "$ADD_IP_ALIASES" ]; then if [ -n "$ADD_IP_ALIASES" ]; then
@ -1725,7 +1727,7 @@ setup_nat() {
then then
addnatrule nat_in -d $external -j DNAT --to-destination $internal addnatrule nat_in -d $external -j DNAT --to-destination $internal
addnatrule nat_out -s $internal -j SNAT --to-source $external addnatrule nat_out -s $internal -j SNAT --to-source $external
if [ "$localnat" = "Yes" -o "$localnat" = "yes" ]; then if [ "$localnat" = "Yes" -o "$localnat" = "yes" ]; then
run_iptables2 -t nat -A OUTPUT -d $external \ run_iptables2 -t nat -A OUTPUT -d $external \
-j DNAT --to-destination $internal -j DNAT --to-destination $internal
@ -1765,7 +1767,7 @@ delete_nat() {
} }
# #
# Process a TC Rule - $marking_chain is assumed to contain the name of the # Process a TC Rule - $marking_chain is assumed to contain the name of the
# default marking chain # default marking chain
# #
process_tc_rule() process_tc_rule()
@ -1789,17 +1791,17 @@ process_tc_rule()
if ! list_search $source $all_interfaces; then if ! list_search $source $all_interfaces; then
fatal_error "Unknown interface $source in rule \"$rule\"" fatal_error "Unknown interface $source in rule \"$rule\""
fi fi
r="-i $source " r="-i $source "
;; ;;
esac esac
fi fi
if [ "$mark" != "${mark%:*}" ]; then if [ "$mark" != "${mark%:*}" ]; then
[ "$chain" = tcout ] && \ [ "$chain" = tcout ] && \
fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\"" fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
case "${mark#*:}" in case "${mark#*:}" in
p|P) p|P)
chain=tcpre chain=tcpre
@ -1814,7 +1816,7 @@ process_tc_rule()
mark="${mark%:*}" mark="${mark%:*}"
fi fi
[ "x$dest" = "x-" ] || r="${r}-d $dest " [ "x$dest" = "x-" ] || r="${r}-d $dest "
[ "$proto" = "all" ] || r="${r}-p $proto " [ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port " [ "x$port" = "x-" ] || r="${r}--dport $port "
@ -1844,7 +1846,7 @@ setup_tc1() {
# #
# Create the TC mangle chains # Create the TC mangle chains
# #
run_iptables -t mangle -N tcpre run_iptables -t mangle -N tcpre
run_iptables -t mangle -N tcfor run_iptables -t mangle -N tcfor
run_iptables -t mangle -N tcout run_iptables -t mangle -N tcout
@ -1861,7 +1863,7 @@ setup_tc1() {
# #
# Link to the TC mangle chains from the main chains # Link to the TC mangle chains from the main chains
# #
run_iptables -t mangle -A FORWARD -j tcfor run_iptables -t mangle -A FORWARD -j tcfor
run_iptables -t mangle -A PREROUTING -j tcpre run_iptables -t mangle -A PREROUTING -j tcpre
run_iptables -t mangle -A OUTPUT -j tcout run_iptables -t mangle -A OUTPUT -j tcout
@ -1912,7 +1914,7 @@ refresh_tc() {
[ -n "$CLEAR_TC" ] && delete_tc [ -n "$CLEAR_TC" ] && delete_tc
[ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
if mangle_chain_exists $chain; then if mangle_chain_exists $chain; then
# #
# Flush the TC mangle chains # Flush the TC mangle chains
@ -1928,7 +1930,7 @@ refresh_tc() {
while read mark sources dests proto ports sports; do while read mark sources dests proto ports sports; do
expandv mark sources dests proto ports sports expandv mark sources dests proto ports sports
rule=`echo "$mark $sources $dests $proto $ports $sports"` rule=`echo "$mark $sources $dests $proto $ports $sports"`
process_tc_rule process_tc_rule
done < $TMP_DIR/tcrules done < $TMP_DIR/tcrules
run_user_exit tcstart run_user_exit tcstart
@ -1957,7 +1959,7 @@ add_nat_rule() {
local chain local chain
# Be sure we should and can NAT # Be sure we should and can NAT
case $logtarget in case $logtarget in
DNAT|REDIRECT) DNAT|REDIRECT)
if [ -z "$NAT_ENABLED" ]; then if [ -z "$NAT_ENABLED" ]; then
@ -2013,7 +2015,7 @@ add_nat_rule() {
$multiport $dports -j $target1 $multiport $dports -j $target1
else else
chain=`dnat_chain $source` chain=`dnat_chain $source`
if [ -n "$excludezones" ]; then if [ -n "$excludezones" ]; then
chain=nonat${nonat_seq} chain=nonat${nonat_seq}
nonat_seq=$(($nonat_seq + 1)) nonat_seq=$(($nonat_seq + 1))
@ -2029,7 +2031,7 @@ add_nat_rule() {
done done
done done
fi fi
for adr in $addr; do for adr in $addr; do
addnatrule $chain $proto $cli $sports \ addnatrule $chain $proto $cli $sports \
-d $adr $multiport $dports -j $target1 -d $adr $multiport $dports -j $target1
@ -2056,7 +2058,7 @@ add_nat_rule() {
for source_host in $source_hosts; do for source_host in $source_hosts; do
[ "x${source_host#*:}" = "x0.0.0.0/0" ] && \ [ "x${source_host#*:}" = "x0.0.0.0/0" ] && \
error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\"" error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\""
addnatrule `snat_chain $dest` \ addnatrule `snat_chain $dest` \
-s ${source_host#*:} $proto $sports $multiport \ -s ${source_host#*:} $proto $sports $multiport \
-d $serv $dports -j SNAT --to-source $snat -d $serv $dports -j SNAT --to-source $snat
@ -2171,7 +2173,7 @@ add_a_rule()
proto="${proto:+-p $proto}" proto="${proto:+-p $proto}"
# Some misc. setup # Some misc. setup
case "$logtarget" in case "$logtarget" in
REJECT) REJECT)
target=reject target=reject
@ -2194,7 +2196,7 @@ add_a_rule()
esac esac
# Complain if the rule is really a policy # Complain if the rule is really a policy
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then
error_message "Warning -- Rule \"$rule\" is a POLICY" error_message "Warning -- Rule \"$rule\" is a POLICY"
error_message " -- and should be moved to the policy file" error_message " -- and should be moved to the policy file"
@ -2267,7 +2269,7 @@ process_rule() # $1 = target
# $4 = protocol # $4 = protocol
# $5 = ports # $5 = ports
# $6 = cports # $6 = cports
# $7 = address # $7 = address
{ {
local target="$1" local target="$1"
local clients="$2" local clients="$2"
@ -2279,7 +2281,7 @@ process_rule() # $1 = target
local rule="`echo $target $clients $servers $protocol $ports $cports $address`" local rule="`echo $target $clients $servers $protocol $ports $cports $address`"
# Function Body -- isolate log level # Function Body -- isolate log level
if [ "$target" = "${target%:*}" ]; then if [ "$target" = "${target%:*}" ]; then
loglevel= loglevel=
else else
@ -2328,7 +2330,7 @@ process_rule() # $1 = target
[ -z "$clientzone" -o -z "$clients" ] && \ [ -z "$clientzone" -o -z "$clients" ] && \
fatal_error "Empty source zone or qualifier: rule \"$rule\"" fatal_error "Empty source zone or qualifier: rule \"$rule\""
fi fi
if [ "$clientzone" = "${clientzone%\!*}" ]; then if [ "$clientzone" = "${clientzone%\!*}" ]; then
excludezones= excludezones=
else else
@ -2457,20 +2459,20 @@ process_rules() # $1 = name of rules file
process_wildcard_rule process_wildcard_rule
continue continue
fi fi
if [ "x$xservers" = xall ]; then if [ "x$xservers" = xall ]; then
xservers="$zones $FW" xservers="$zones $FW"
process_wildcard_rule process_wildcard_rule
continue continue
fi fi
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress
;; ;;
*) *)
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`" rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`"
fatal_error "Invalid Target in rule \"$rule\"" fatal_error "Invalid Target in rule \"$rule\""
;; ;;
esac esac
done < $TMP_DIR/rules done < $TMP_DIR/rules
} }
@ -2866,7 +2868,7 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
local policychain= local policychain=
run_user_exit $1 run_user_exit $1
eval policychain=\$${2}2${3}_policychain eval policychain=\$${2}2${3}_policychain
if [ -n "$policychain" ]; then if [ -n "$policychain" ]; then
@ -2891,7 +2893,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
local chain=${1}2${2} local chain=${1}2${2}
havechain $chain && { echo $chain; return; } havechain $chain && { echo $chain; return; }
eval chain=\$${chain}_policychain eval chain=\$${chain}_policychain
[ -n "$chain" ] && { echo $chain; return; } [ -n "$chain" ] && { echo $chain; return; }
@ -2952,7 +2954,7 @@ setup_masq()
if ! list_search $interface $all_interfaces; then if ! list_search $interface $all_interfaces; then
fatal_error "Unknown interface $interface" fatal_error "Unknown interface $interface"
fi fi
if [ "$subnet" = "${subnet%!*}" ]; then if [ "$subnet" = "${subnet%!*}" ]; then
nomasq= nomasq=
else else
@ -2964,7 +2966,7 @@ setup_masq()
iface= iface=
source="$subnet" source="$subnet"
case $subnet in case $subnet in
*.*.*) *.*.*)
;; ;;
@ -2987,7 +2989,7 @@ setup_masq()
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
list_search $address $aliases_to_add || \ list_search $address $aliases_to_add || \
aliases_to_add="$aliases_to_add $address $fullinterface" aliases_to_add="$aliases_to_add $address $fullinterface"
fi fi
destination=$destnet destination=$destnet
@ -2995,7 +2997,7 @@ setup_masq()
if [ -n "$nomasq" ]; then if [ -n "$nomasq" ]; then
newchain=masq${masq_seq} newchain=masq${masq_seq}
createnatchain $newchain createnatchain $newchain
if [ -n "$subnet" ]; then if [ -n "$subnet" ]; then
for s in $subnet; do for s in $subnet; do
addnatrule $chain -d $destnet $iface -s $s -j $newchain addnatrule $chain -d $destnet $iface -s $s -j $newchain
@ -3013,7 +3015,7 @@ setup_masq()
for addr in `separate_list $nomasq`; do for addr in `separate_list $nomasq`; do
addnatrule $chain -s $addr -j RETURN addnatrule $chain -s $addr -j RETURN
done done
source="$source except $nomasq" source="$source except $nomasq"
else else
destnet="-d $destnet" destnet="-d $destnet"
@ -3097,13 +3099,13 @@ process_blacklist_rec() {
source="-s $addr" source="-s $addr"
;; ;;
esac esac
if [ -n "$protocol" ]; then if [ -n "$protocol" ]; then
proto=" -p $protocol " proto=" -p $protocol "
case $protocol in case $protocol in
tcp|TCP|6|udp|UDP|17) tcp|TCP|6|udp|UDP|17)
if [ -n "$ports" ]; then if [ -n "$ports" ]; then
if [ -n "$MULTIPORT" -a \ if [ -n "$MULTIPORT" -a \
"$ports" != "${ports%,*}" -a \ "$ports" != "${ports%,*}" -a \
"$ports" = "${ports%:*}" -a \ "$ports" = "${ports%:*}" -a \
@ -3144,7 +3146,7 @@ process_blacklist_rec() {
elif [ -n "$protocol" ]; then elif [ -n "$protocol" ]; then
addr="$addr $protocol" addr="$addr $protocol"
fi fi
echo " $addr added to Black List" echo " $addr added to Black List"
done done
} }
@ -3168,7 +3170,7 @@ setup_blacklist() {
for chain in `first_chains $interface`; do for chain in `first_chains $interface`; do
run_iptables -A $chain -j blacklst run_iptables -A $chain -j blacklst
done done
echo " Blacklisting enabled on $interface" echo " Blacklisting enabled on $interface"
done done
@ -3230,7 +3232,7 @@ add_ip_aliases()
local interface local interface
local primary local primary
do_one() do_one()
{ {
# #
# Folks feel uneasy if they don't see all of the same # Folks feel uneasy if they don't see all of the same
@ -3262,7 +3264,7 @@ add_ip_aliases()
} }
set -- $aliases_to_add set -- $aliases_to_add
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
external=$1 external=$1
interface=$2 interface=$2
@ -3273,7 +3275,7 @@ add_ip_aliases()
interface="${interface%:*}" interface="${interface%:*}"
label="label $interface:$label" label="label $interface:$label"
fi fi
primary=`find_interface_address $interface` primary=`find_interface_address $interface`
shift;shift shift;shift
[ "x${primary}" = "x${external}" ] || do_one [ "x${primary}" = "x${external}" ] || do_one
@ -3337,7 +3339,7 @@ initialize_netfilter () {
determine_interfaces determine_interfaces
determine_hosts determine_hosts
run_user_exit init run_user_exit init
# #
@ -3345,12 +3347,14 @@ initialize_netfilter () {
# (restart command). This reduces the length of time that the firewall isn't # (restart command). This reduces the length of time that the firewall isn't
# accepting new connections. # accepting new connections.
# #
strip_file rules strip_file rules
strip_file proxyarp strip_file proxyarp
strip_file maclist strip_file maclist
strip_file nat strip_file nat
terminator=fatal_error
deletechain shorewall deletechain shorewall
[ -n "$NAT_ENABLED" ] && delete_nat [ -n "$NAT_ENABLED" ] && delete_nat
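Review bot: `terminator=fatal_error` is set here and cleared in stop_firewall, so whichever path ran last decides how any other `deletechain` call reacts to failure. Give the variable an explicit default where the other globals are initialised, or have every caller of deletechain set it, rather than relying on the value left by the previous command.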
@ -3368,7 +3372,7 @@ initialize_netfilter () {
setpolicy INPUT DROP setpolicy INPUT DROP
setpolicy OUTPUT DROP setpolicy OUTPUT DROP
setpolicy FORWARD DROP setpolicy FORWARD DROP
deleteallchains deleteallchains
setcontinue FORWARD setcontinue FORWARD
@ -3388,13 +3392,13 @@ initialize_netfilter () {
run_iptables -A FORWARD -p tcp \ run_iptables -A FORWARD -p tcp \
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
if [ -z "$NEWNOTSYN" ]; then if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no createchain newnotsyn no
run_user_exit newnotsyn run_user_exit newnotsyn
if [ -n "$LOGNEWNOTSYN" ]; then if [ -n "$LOGNEWNOTSYN" ]; then
if [ "$LOGNEWNOTSYN" = ULOG ]; then if [ "$LOGNEWNOTSYN" = ULOG ]; then
run_iptables -A newnotsyn -j ULOG run_iptables -A newnotsyn -j ULOG
--ulog-prefix "Shorewall:newnotsyn:DROP:" --ulog-prefix "Shorewall:newnotsyn:DROP:"
else else
run_iptables -A newnotsyn -j LOG \ run_iptables -A newnotsyn -j LOG \
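Review bot: the ULOG branch in this hunk, `run_iptables -A newnotsyn -j ULOG` followed by `--ulog-prefix "Shorewall:newnotsyn:DROP:"` on the next line, has no trailing `\`, unlike the LOG branch three lines below. As written the ULOG rule is appended without a prefix and the shell then tries to run `--ulog-prefix` as a command. Add the continuation unless the rendering dropped it.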
@ -3403,13 +3407,13 @@ initialize_netfilter () {
fi fi
run_iptables -A newnotsyn -j DROP run_iptables -A newnotsyn -j DROP
fi fi
createchain icmpdef no createchain icmpdef no
createchain common no createchain common no
createchain reject no createchain reject no
createchain dynamic no createchain dynamic no
if [ -f /var/lib/shorewall/save ]; then if [ -f /var/lib/shorewall/save ]; then
echo "Restoring dynamic rules..." echo "Restoring dynamic rules..."
@ -3423,7 +3427,7 @@ initialize_netfilter () {
esac esac
done < /var/lib/shorewall/save done < /var/lib/shorewall/save
fi fi
echo "Creating input Chains..." echo "Creating input Chains..."
for interface in $all_interfaces; do for interface in $all_interfaces; do
@ -3438,7 +3442,7 @@ initialize_netfilter () {
# Build the common chain -- called during [re]start and refresh # Build the common chain -- called during [re]start and refresh
# #
build_common_chain() { build_common_chain() {
# #
# Common ICMP rules # Common ICMP rules
# #
@ -3459,7 +3463,7 @@ build_common_chain() {
if [ -n "$NEWNOTSYN" ]; then if [ -n "$NEWNOTSYN" ]; then
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
fi fi
# #
# BROADCASTS # BROADCASTS
# #
@ -3564,9 +3568,9 @@ add_common_rules() {
if [ -n "$norfc1918_interfaces" ]; then if [ -n "$norfc1918_interfaces" ]; then
echo "Enabling RFC1918 Filtering" echo "Enabling RFC1918 Filtering"
strip_file rfc1918 strip_file rfc1918
createchain rfc1918 no createchain rfc1918 no
createchain logdrop no createchain logdrop no
@ -3586,7 +3590,7 @@ add_common_rules() {
run_iptables -t mangle -A logdrop -j `logdisp man1918` run_iptables -t mangle -A logdrop -j `logdisp man1918`
run_iptables -t mangle -A logdrop -j DROP run_iptables -t mangle -A logdrop -j DROP
fi fi
while read subnet target; do while read subnet target; do
case $target in case $target in
logdrop|DROP|RETURN) logdrop|DROP|RETURN)
@ -3605,23 +3609,23 @@ add_common_rules() {
run_iptables2 -t mangle -A man1918 -d $subnet -j $target run_iptables2 -t mangle -A man1918 -d $subnet -j $target
fi fi
done < $TMP_DIR/rfc1918 done < $TMP_DIR/rfc1918
for interface in $norfc1918_interfaces; do for interface in $norfc1918_interfaces; do
for chain in `first_chains $interface`; do for chain in `first_chains $interface`; do
run_iptables -A $chain -m state --state NEW -j rfc1918 run_iptables -A $chain -m state --state NEW -j rfc1918
done done
[ -n "$MANGLE_ENABLED" ] && \ [ -n "$MANGLE_ENABLED" ] && \
run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918 run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918
done done
fi fi
interfaces=`find_interfaces_by_option tcpflags` interfaces=`find_interfaces_by_option tcpflags`
if [ -n "$interfaces" ]; then if [ -n "$interfaces" ]; then
echo "Setting up TCP Flags checking..." echo "Setting up TCP Flags checking..."
createchain tcpflags no createchain tcpflags no
if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then
@ -3661,7 +3665,7 @@ add_common_rules() {
# hosts a web server. # hosts a web server.
# #
run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition
for interface in $interfaces; do for interface in $interfaces; do
for chain in `first_chains $interface`; do for chain in `first_chains $interface`; do
run_iptables -A $chain -p tcp -j tcpflags run_iptables -A $chain -p tcp -j tcpflags
@ -3678,7 +3682,7 @@ add_common_rules() {
# #
run_iptables -A INPUT -i lo -j ACCEPT run_iptables -A INPUT -i lo -j ACCEPT
run_iptables -A OUTPUT -o lo -j ACCEPT run_iptables -A OUTPUT -o lo -j ACCEPT
# #
# Route Filtering # Route Filtering
# #
@ -3789,7 +3793,7 @@ apply_policy_rules() {
# #
# Activate the rules # Activate the rules
# #
activate_rules() activate_rules()
{ {
local PREROUTING_rule=1 local PREROUTING_rule=1
local POSTROUTING_rule=1 local POSTROUTING_rule=1
@ -3801,11 +3805,11 @@ activate_rules()
local sourcechain=$1 destchain=$2 local sourcechain=$1 destchain=$2
shift shift
shift shift
havenatchain $destchain && \ havenatchain $destchain && \
run_iptables -t nat -A $sourcechain $@ -j $destchain run_iptables -t nat -A $sourcechain $@ -j $destchain
} }
# #
# Jump to a RULES chain from one of the builtin nat chains # Jump to a RULES chain from one of the builtin nat chains
# #
@ -3817,7 +3821,7 @@ activate_rules()
local sourcechain=$1 destchain=$2 local sourcechain=$1 destchain=$2
shift shift
shift shift
if havenatchain $destchain; then if havenatchain $destchain; then
if [ -n "$NAT_BEFORE_RULES" ]; then if [ -n "$NAT_BEFORE_RULES" ]; then
run_iptables -t nat -A $sourcechain $@ -j $destchain run_iptables -t nat -A $sourcechain $@ -j $destchain
@ -3853,12 +3857,12 @@ activate_rules()
echo "$FW $zone $chain1" >> ${STATEDIR}/chains echo "$FW $zone $chain1" >> ${STATEDIR}/chains
echo "$zone $FW $chain2" >> ${STATEDIR}/chains echo "$zone $FW $chain2" >> ${STATEDIR}/chains
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
subnet=${host#*:} subnet=${host#*:}
run_iptables -A OUTPUT -o $interface -d $subnet -j $chain1 run_iptables -A OUTPUT -o $interface -d $subnet -j $chain1
# #
# Add jumps from the builtin chains for DNAT and SNAT rules # Add jumps from the builtin chains for DNAT and SNAT rules
@ -3887,7 +3891,7 @@ activate_rules()
interface=${host%:*} interface=${host%:*}
subnet=${host#*:} subnet=${host#*:}
chain1=`forward_chain $interface` chain1=`forward_chain $interface`
if [ -n "$have_canonical" ]; then if [ -n "$have_canonical" ]; then
bounce=yes bounce=yes
else else
@ -4026,27 +4030,27 @@ define_firewall() # $1 = Command (Start or Restart)
# #
check_config() { check_config() {
echo "Verifying Configuration..." echo "Verifying Configuration..."
verify_os_version verify_os_version
load_kernel_modules load_kernel_modules
echo "Determining Zones..." echo "Determining Zones..."
determine_zones determine_zones
[ -z "$zones" ] && startup_error "No Zones Defined" [ -z "$zones" ] && startup_error "No Zones Defined"
display_list "Zones:" $zones display_list "Zones:" $zones
echo "Validating interfaces file..." echo "Validating interfaces file..."
validate_interfaces_file validate_interfaces_file
echo "Validating hosts file..." echo "Validating hosts file..."
validate_hosts_file validate_hosts_file
echo "Determining Hosts in Zones..." echo "Determining Hosts in Zones..."
determine_interfaces determine_interfaces
@ -4055,11 +4059,11 @@ check_config() {
echo "Validating rules file..." echo "Validating rules file..."
validate_rules validate_rules
echo "Validating policy file..." echo "Validating policy file..."
validate_policy validate_policy
rm -rf $TMP_DIR rm -rf $TMP_DIR
echo "Configuration Validated" echo "Configuration Validated"
@ -4098,7 +4102,7 @@ refresh_firewall()
# #
# Refresh Traffic Control # Refresh Traffic Control
# #
[ -n "$TC_ENABLED" ] && refresh_tc [ -n "$TC_ENABLED" ] && refresh_tc
report "Shorewall Refreshed" report "Shorewall Refreshed"
@ -4126,7 +4130,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
output_rule_num() { output_rule_num() {
local num=`iptables -L OUTPUT -n --line-numbers | grep icmp | cut -d' ' -f1 | head -n1` local num=`iptables -L OUTPUT -n --line-numbers | grep icmp | cut -d' ' -f1 | head -n1`
[ -n "$num" ] && echo $(($num+1)) [ -n "$num" ] && echo $(($num+1))
} }
# #
@ -4185,12 +4189,12 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
startup_error "$1 already in zone $zone" startup_error "$1 already in zone $zone"
fi fi
done done
[ -z "$hosts" ] && hosts=$newhost || hosts="$hosts $newhost" [ -z "$hosts" ] && hosts=$newhost || hosts="$hosts $newhost"
fi fi
eval ${z}_hosts=\"$hosts\" eval ${z}_hosts=\"$hosts\"
echo "$z $hosts" >> ${STATEDIR}/zones_$$ echo "$z $hosts" >> ${STATEDIR}/zones_$$
done < ${STATEDIR}/zones done < ${STATEDIR}/zones
@ -4241,7 +4245,7 @@ setup_intrazone() # $1 = zone
rulenum=$(($rulenum + 1)) rulenum=$(($rulenum + 1))
fi fi
do_iptables -I `input_chain $interface` $rulenum -s $host -j $chain do_iptables -I `input_chain $interface` $rulenum -s $host -j $chain
else else
# #
# Insert rules into the passed interface's forward chain # Insert rules into the passed interface's forward chain
@ -4254,7 +4258,7 @@ setup_intrazone() # $1 = zone
base=`chain_base $interface` base=`chain_base $interface`
eval rulenum=\$${base}_rulenum eval rulenum=\$${base}_rulenum
if [ -z "$rulenum" ]; then if [ -z "$rulenum" ]; then
if list_search $interface $blacklist_interfaces; then if list_search $interface $blacklist_interfaces; then
rulenum=3 rulenum=3
@ -4265,16 +4269,16 @@ setup_intrazone() # $1 = zone
if list_search $interface $maclist_interfaces; then if list_search $interface $maclist_interfaces; then
rulenum=$(($rulenum + 1)) rulenum=$(($rulenum + 1))
fi fi
if list_search $interface $tcpflags_interfaces; then if list_search $interface $tcpflags_interfaces; then
rulenum=$(($rulenum + 1)) rulenum=$(($rulenum + 1))
fi fi
fi fi
for h in $dest_hosts; do for h in $dest_hosts; do
iface=${h%:*} iface=${h%:*}
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables -I $source_chain $rulenum -s $host -o $iface -d $hosts -j $chain do_iptables -I $source_chain $rulenum -s $host -o $iface -d $hosts -j $chain
rulenum=$(($rulenum + 1)) rulenum=$(($rulenum + 1))
@ -4297,7 +4301,7 @@ setup_intrazone() # $1 = zone
# We insert them after any blacklist rules # We insert them after any blacklist rules
# #
eval source_hosts=\"\$${z1}_hosts\" eval source_hosts=\"\$${z1}_hosts\"
for h in $source_hosts; do for h in $source_hosts; do
iface=${h%:*} iface=${h%:*}
hosts=${h#*:} hosts=${h#*:}
@ -4305,7 +4309,7 @@ setup_intrazone() # $1 = zone
base=`chain_base $iface` base=`chain_base $iface`
eval rulenum=\$${base}_rulenum eval rulenum=\$${base}_rulenum
if [ -z "$rulenum" ]; then if [ -z "$rulenum" ]; then
if list_search $iface $blacklist_interfaces; then if list_search $iface $blacklist_interfaces; then
rulenum=3 rulenum=3
@ -4326,7 +4330,7 @@ setup_intrazone() # $1 = zone
done < ${STATEDIR}/chains done < ${STATEDIR}/chains
echo "$1 added to zone $2" echo "$1 added to zone $2"
} }
# #
# Delete a host or subnet from a zone # Delete a host or subnet from a zone
@ -4344,7 +4348,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
if [ "$z" = "$zone" ]; then if [ "$z" = "$zone" ]; then
temp=$hosts temp=$hosts
hosts= hosts=
for h in $temp; do for h in $temp; do
if [ "$h" = "$delhost" ]; then if [ "$h" = "$delhost" ]; then
echo Yes echo Yes
@ -4353,7 +4357,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
fi fi
done done
fi fi
echo "$z $hosts" >> ${STATEDIR}/zones_$$ echo "$z $hosts" >> ${STATEDIR}/zones_$$
done < ${STATEDIR}/zones done < ${STATEDIR}/zones
@ -4412,7 +4416,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
while read z1 z2 chain; do while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then if [ "$z2" = "$FW" ]; then
qt iptables -D `input_chain $interface` -s $host -j $chain qt iptables -D `input_chain $interface` -s $host -j $chain
else else
source_chain=`forward_chain $interface` source_chain=`forward_chain $interface`
eval dest_hosts=\"\$${z2}_hosts\" eval dest_hosts=\"\$${z2}_hosts\"
@ -4420,7 +4424,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
for h in $dest_hosts $delhost; do for h in $dest_hosts $delhost; do
iface=${h%:*} iface=${h%:*}
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt iptables -D $source_chain -s $host -o $iface -d $hosts -j $chain qt iptables -D $source_chain -s $host -o $iface -d $hosts -j $chain
fi fi
@ -4431,7 +4435,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
qt iptables -D OUTPUT -o $interface -d $host -j $chain qt iptables -D OUTPUT -o $interface -d $host -j $chain
else else
eval source_hosts=\"\$${z1}_hosts\" eval source_hosts=\"\$${z1}_hosts\"
for h in $source_hosts; do for h in $source_hosts; do
iface=${h%:*} iface=${h%:*}
hosts=${h#*:} hosts=${h#*:}
@ -4445,7 +4449,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
done < ${STATEDIR}/chains done < ${STATEDIR}/chains
echo "$1 removed from zone $2" echo "$1 removed from zone $2"
} }
# #
# Determine the value for a parameter that defaults to Yes # Determine the value for a parameter that defaults to Yes
@ -4505,6 +4509,10 @@ do_initialize() {
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
# #
# Establish termination function
#
terminator=startup_error
#
# Clear all configuration variables # Clear all configuration variables
# #
version= version=
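Review bot: `terminator=startup_error` is assigned just above the "Clear all configuration variables" block that starts with `version=`; it is worth confirming that block does not also clear `terminator`, otherwise `separate_list` would fall back to its non-fatal warning for the whole start phase. The comment "Establish termination function" slightly misdescribes it: `terminator` is a plain shell variable holding the name of the function to call, and noting that `initialize_netfilter` later overrides it with `fatal_error` would make the two assignments easier to relate.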
@ -4560,7 +4568,7 @@ do_initialize() {
else else
config=/etc/shorewall/shorewall.conf config=/etc/shorewall/shorewall.conf
fi fi
if [ -f $config ]; then if [ -f $config ]; then
. $config . $config
else else
@ -4631,7 +4639,7 @@ do_initialize() {
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN` NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
maclist_target=reject maclist_target=reject
if [ -n "$MACLIST_DISPOSITION" ] ; then if [ -n "$MACLIST_DISPOSITION" ] ; then
case $MACLIST_DISPOSITION in case $MACLIST_DISPOSITION in
REJECT) REJECT)
@ -4800,7 +4808,7 @@ case "$command" in
do_initialize do_initialize
check_config check_config
;; ;;
add) add)
[ $# -ne 3 ] && usage [ $# -ne 3 ] && usage
do_initialize do_initialize

View File

@ -4,9 +4,9 @@
# #
# Suppress all output for a command # Suppress all output for a command
# #
qt() qt()
{ {
"$@" >/dev/null 2>&1 "$@" >/dev/null 2>&1
} }
@ -25,15 +25,30 @@ find_file()
# #
# Replace commas with spaces and echo the result # Replace commas with spaces and echo the result
# #
separate_list() { separate_list() {
local list local list
local part local part
local newlist local newlist
#
# There's been whining about us not catching embedded white space in
# comma-separated lists. This is an attempt to snag some of the cases.
#
# The 'terminator' function will be set by the 'firewall' script to
# either 'startup_error' or 'fatal_error' depending on the command and
# command phase
#
case "$@" in
*,|,*|*,,*)
[ -n "$terminator" ] && \
$terminator "Invalid comma-separated list \"$@\""
echo "Warning -- invalid comma-separated list \"$@\"" >&2
;;
esac
list="$@" list="$@"
part="${list%%,*}" part="${list%%,*}"
newlist="$part" newlist="$part"
while [ "x$part" != "x$list" ]; do while [ "x$part" != "x$list" ]; do
list="${list#*,}"; list="${list#*,}";
part="${list%%,*}"; part="${list%%,*}";
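Review bot: the patterns `*,|,*|*,,*` only catch a leading, trailing or doubled comma, which is how a list broken by white space looks after the caller's `read` has already split it into separate columns; a single argument that still contains white space (a quoted "dhcp, norfc1918") is not matched, so the header comment's claim of catching embedded white space holds only for that first case. If no caller legitimately passes a multi-word argument, adding a pattern for white space (e.g. `*" "*`) to the same `case` would close that gap. Two smaller points in the same hunk: `$terminator "Invalid comma-separated list \"$@\""` passes the message as several arguments whenever more than one positional parameter is present, because `"$@"` splits even inside a quoted string, so `"$*"` is the safer choice for the message text; and when `terminator` is unset the function prints its warning and then returns the malformed list as if it were valid, so a `return 1` after the `echo ... >&2` (or a note that the fallback is deliberately non-fatal) would let callers tell the difference. Finally, the comment calls `terminator` a function; it is a variable naming one.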
@ -69,7 +84,7 @@ find_display() # $1 = zone, $2 = name of the zone file
done done
} }
determine_zones() determine_zones()
{ {
local zonefile=`find_file zones` local zonefile=`find_file zones`

View File

@ -18,14 +18,14 @@
# a) The IP address of a host # a) The IP address of a host
# b) A subnetwork in the form # b) A subnetwork in the form
# <subnet-address>/<mask width> # <subnet-address>/<mask width>
# #
# The interface must be defined in the # The interface must be defined in the
# /etc/shorewall/interfaces file. # /etc/shorewall/interfaces file.
# #
# Examples: # Examples:
# #
# eth1:192.168.1.3 # eth1:192.168.1.3
# eth2:192.168.2.0/24 # eth2:192.168.2.0/24
# #
# OPTIONS - A comma-separated list of options. Currently-defined # OPTIONS - A comma-separated list of options. Currently-defined
# options are: # options are:

View File

@ -3,7 +3,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
# #
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.4 3/14/2003 # The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.4 3/14/2003
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
# #
@ -13,7 +13,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
@ -30,7 +30,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
# #
# Commands are: # Commands are:
# #
# shorewall start Starts the firewall # shorewall start Starts the firewall
# shorewall restart Restarts the firewall # shorewall restart Restarts the firewall
# shorewall stop Stops the firewall # shorewall stop Stops the firewall
# shorewall status Displays firewall status # shorewall status Displays firewall status
@ -62,7 +62,7 @@ usage() {
command="$1" command="$1"
case "$command" in case "$command" in
stop|start|restart|status) stop|start|restart|status)
exec /sbin/shorewall $@ exec /sbin/shorewall $@

View File

@ -2,14 +2,14 @@
# #
# Script to install Shoreline Firewall # Script to install Shoreline Firewall
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
# #
# Seawall documentation is available at http://seawall.sourceforge.net # Seawall documentation is available at http://seawall.sourceforge.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
@ -24,7 +24,7 @@
# Usage: # Usage:
# #
# If you are running a distribution that has a directory called /etc/rc.d/init.d or one # If you are running a distribution that has a directory called /etc/rc.d/init.d or one
# called /etc/init.d or you are running Slackware then simply cd to the directory # called /etc/init.d or you are running Slackware then simply cd to the directory
# containing this script and run it. # containing this script and run it.
# #
# ./install.sh # ./install.sh
@ -35,7 +35,7 @@
# ./install.sh /etc/rc.d/scripts # ./install.sh /etc/rc.d/scripts
# #
# The default is that the firewall will be started in run levels 2-5 starting at # The default is that the firewall will be started in run levels 2-5 starting at
# position 15 and stopping at position 90. This is correct RedHat/Mandrake, Debian, # position 15 and stopping at position 90. This is correct RedHat/Mandrake, Debian,
# Caldera and Corel. # Caldera and Corel.
# #
# If you wish to change that, you can pass -r "<levels startpos stoppos>". # If you wish to change that, you can pass -r "<levels startpos stoppos>".
@ -45,7 +45,7 @@
# #
# ./install.sh -r "23 15 90" # ./install.sh -r "23 15 90"
# #
# Example 2: You wish to start your firewall only in run level 3, start at position 5 # Example 2: You wish to start your firewall only in run level 3, start at position 5
# and stop at position 95. # and stop at position 95.
# #
# ./install.sh -r "3 5 95" /etc/rc.d/scripts # ./install.sh -r "3 5 95" /etc/rc.d/scripts
@ -103,7 +103,7 @@ delete_file() # $1 = file to delete
exit 1 exit 1
fi fi
fi fi
} }
modify_rclocal() modify_rclocal()
{ {
@ -116,11 +116,11 @@ modify_rclocal()
fi fi
else else
cant_autostart cant_autostart
fi fi
} }
install_file_with_backup() # $1 = source $2 = target $3 = mode install_file_with_backup() # $1 = source $2 = target $3 = mode
{ {
backup_file $2 backup_file $2
run_install -o $OWNER -g $GROUP -m $3 $1 ${2} run_install -o $OWNER -g $GROUP -m $3 $1 ${2}
} }
@ -182,7 +182,7 @@ while [ $# -gt 0 ] ; do
done done
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
# #
# Determine where to install the firewall script # Determine where to install the firewall script
# #
@ -224,7 +224,7 @@ fi
# Change to the directory containing this script # Change to the directory containing this script
# #
cd "`dirname $0`" cd "`dirname $0`"
echo "Installing Shorewall Version $VERSION" echo "Installing Shorewall Version $VERSION"
# #
@ -263,12 +263,12 @@ if [ -n "$RUNLEVELS" ]; then
fi fi
install_file_with_backup init.temp ${PREFIX}${DEST}/$FIREWALL 0544 install_file_with_backup init.temp ${PREFIX}${DEST}/$FIREWALL 0544
rm -f init.temp awk.tmp rm -f init.temp awk.tmp
else else
install_file_with_backup init.sh ${PREFIX}${DEST}/$FIREWALL 0544 install_file_with_backup init.sh ${PREFIX}${DEST}/$FIREWALL 0544
fi fi
echo echo
echo "Shorewall script installed in ${PREFIX}${DEST}/$FIREWALL" echo "Shorewall script installed in ${PREFIX}${DEST}/$FIREWALL"
@ -306,12 +306,12 @@ if [ -f ${PREFIX}/etc/shorewall/functions ]; then
backup_file ${PREFIX}/etc/shorewall/functions backup_file ${PREFIX}/etc/shorewall/functions
rm -f ${PREFIX}/etc/shorewall/functions rm -f ${PREFIX}/etc/shorewall/functions
fi fi
if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then
backup_file ${PREFIX}/var/lib/shorewall/functions backup_file ${PREFIX}/var/lib/shorewall/functions
rm -f ${PREFIX}/var/lib/shorewall/functions rm -f ${PREFIX}/var/lib/shorewall/functions
fi fi
install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444 install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
echo echo
@ -379,13 +379,13 @@ else
echo echo
echo "NAT file installed as ${PREFIX}/etc/shorewall/nat" echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
fi fi
# #
# Install the Parameters file # Install the Parameters file
# #
if [ -f ${PREFIX}/etc/shorewall/params ]; then if [ -f ${PREFIX}/etc/shorewall/params ]; then
backup_file /etc/shorewall/params backup_file /etc/shorewall/params
else else
run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params
echo echo
echo "Parameter file installed as ${PREFIX}/etc/shorewall/params" echo "Parameter file installed as ${PREFIX}/etc/shorewall/params"
fi fi

View File

@ -14,7 +14,7 @@
# If the interface serves multiple zones that will be # If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should # defined in the /etc/shorewall/hosts file, you should
# place "-" in this column. # place "-" in this column.
# #
# INTERFACE Name of interface. Each interface may be listed only # INTERFACE Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of # once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see # an alias (e.g., eth0:0) here; see
@ -27,14 +27,14 @@
# column is left black.If the interface has multiple # column is left black.If the interface has multiple
# addresses on multiple subnets then list the broadcast # addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list. # addresses as a comma-separated list.
# #
# If you use the special value "detect", the firewall # If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you # will detect the broadcast address for you. If you
# select this option, the interface must be up before # select this option, the interface must be up before
# the firewall is started, you must have iproute # the firewall is started, you must have iproute
# installed and the interface must only be associated # installed and the interface must only be associated
# with a single subnet. # with a single subnet.
# #
# If you don't want to give a value for this column but # If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter # you want to enter a value in the OPTIONS column, enter
# "-" in this column. # "-" in this column.
@ -79,8 +79,8 @@
# TCP_FLAGS_DISPOSITION after having been # TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of # logged according to the setting of
# TCP_FLAGS_LOG_LEVEL. # TCP_FLAGS_LOG_LEVEL.
# proxyarp - # proxyarp -
# Sets # Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp. # /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are # Do NOT use this option if you are
# employing Proxy ARP through entries in # employing Proxy ARP through entries in
@ -88,7 +88,7 @@
# intended soley for use with Proxy ARP # intended soley for use with Proxy ARP
# sub-networking as described at: # sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
# #
# The order in which you list the options is not # The order in which you list the options is not
# significant but the list should have no embedded white # significant but the list should have no embedded white
# space. # space.

View File

@ -6,7 +6,7 @@
# Columns are: # Columns are:
# #
# INTERFACE Network interface to a host # INTERFACE Network interface to a host
# #
# MAC MAC address of the host -- you do not need to use # MAC MAC address of the host -- you do not need to use
# the Shorewall format for MAC addresses here # the Shorewall format for MAC addresses here
# #

View File

@ -13,8 +13,8 @@
# /etc/shorewall/shorewall.conf, you may add ":" and # /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with # a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to # that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR # be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER # THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION. # PLACE IN YOUR SHOREWALL CONFIGURATION.
# #
# This may be qualified by adding the character # This may be qualified by adding the character
@ -25,7 +25,7 @@
# a subnet or as an interface. If you give the name of an # a subnet or as an interface. If you give the name of an
# interface, you must have iproute installed and the interface # interface, you must have iproute installed and the interface
# must be up before you start the firewall. # must be up before you start the firewall.
# #
# In order to exclude a subset of the specified SUBNET, you # In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses # may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude. # and/or subnets that you wish to exclude.
@ -37,17 +37,17 @@
# #
# ADDRESS -- (Optional). If you specify an address here, SNAT will be # ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If # used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in # ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall # /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the # will automatically add this address to the
# INTERFACE named in the first column. # INTERFACE named in the first column.
# #
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if # WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
# the address given in this column is the primary # the address given in this column is the primary
# IP address for the interface in the INTERFACE # IP address for the interface in the INTERFACE
# column. # column.
# #
# This column may not contain a DNS Name. # This column may not contain a DNS Name.
# #
# Example 1: # Example 1:
# #
@ -83,7 +83,7 @@
# #
# You want all outgoing traffic from 192.168.1.0/24 through # You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the # eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to # primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0. # be added to eth0 with name eth0:0.
# #
# eth0:0 192.168.1.0/24 206.124.146.176 # eth0:0 192.168.1.0/24 206.124.146.176

View File

@ -17,7 +17,7 @@
# column and must not be a DNS Name. # column and must not be a DNS Name.
# INTERFACE Interface that we want to EXTERNAL address to appear # INTERFACE Interface that we want to EXTERNAL address to appear
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may # on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
# follow the interface name with ":" and a digit to # follow the interface name with ":" and a digit to
# indicate that you want Shorewall to add the alias # indicate that you want Shorewall to add the alias
# with this name (e.g., "eth0:0"). That allows you to # with this name (e.g., "eth0:0"). That allows you to
# see the alias with ifconfig. THAT IS THE ONLY THING # see the alias with ifconfig. THAT IS THE ONLY THING

View File

@ -4,7 +4,7 @@
# #
# /etc/shorewall/proxyarp # /etc/shorewall/proxyarp
# #
# This file is used to define Proxy ARP. # This file is used to define Proxy ARP.
# #
# Columns must be separated by white space and are: # Columns must be separated by white space and are:
# #

View File

@ -68,4 +68,4 @@ Changes for 1.4 include:

View File

@ -43,7 +43,7 @@
39.0.0.0/8 logdrop # Reserved 39.0.0.0/8 logdrop # Reserved
41.0.0.0/8 logdrop # Reserved 41.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved 42.0.0.0/8 logdrop # Reserved
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved 58.0.0.0/7 logdrop # Reserved
60.0.0.0/8 logdrop # Reserved 60.0.0.0/8 logdrop # Reserved

View File

@ -4,7 +4,7 @@
# #
# /etc/shorewall/routestopped # /etc/shorewall/routestopped
# #
# This file is used to define the hosts that are accessible when the # This file is used to define the hosts that are accessible when the
# firewall is stopped # firewall is stopped
# #
# Columns must be separated by white space and are: # Columns must be separated by white space and are:
@ -12,7 +12,7 @@
# INTERFACE - Interface through which host(s) communicate with # INTERFACE - Interface through which host(s) communicate with
# the firewall # the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet # HOST(S) - (Optional) Comma-separated list of IP/subnet
# If left empty or supplied as "-", # If left empty or supplied as "-",
# 0.0.0.0/0 is assumed. # 0.0.0.0/0 is assumed.
# #
# Example: # Example:

View File

@ -24,7 +24,7 @@
# DNAT -- Forward the request to another # DNAT -- Forward the request to another
# system (and optionally another # system (and optionally another
# port). # port).
# DNAT- -- Advanced users only. # DNAT- -- Advanced users only.
# Like DNAT but only generates the # Like DNAT but only generates the
# DNAT iptables rule and not # DNAT iptables rule and not
# the companion ACCEPT rule. # the companion ACCEPT rule.
@ -122,7 +122,7 @@
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
# #
# A port range is expressed as <low port>:<high port>. # A port range is expressed as <low port>:<high port>.
# #
# This column is ignored if PROTOCOL = all but must be # This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied. # entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain # In that case, it is suggested that this field contain
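Review bot: the unchanged context line `entered if any of the following ields are supplied.` carries a typo, `ields` for `fields`; since this hunk already touches the surrounding comment block for whitespace, fix it here as `entered if any of the following fields are supplied.` so the column description in /etc/shorewall/rules reads correctly.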
@ -153,7 +153,7 @@
# Otherwise, a separate rule will be generated for each # Otherwise, a separate rule will be generated for each
# port. # port.
# #
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or # ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
# REDIRECT) If included and different from the IP # REDIRECT) If included and different from the IP
# address given in the SERVER column, this is an address # address given in the SERVER column, this is an address
# on some interface on the firewall and connections to # on some interface on the firewall and connections to
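Review bot: the context line `ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or` spells "Optional" with a digit zero; correct it to `(Optional --` while this comment block is being edited.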

View File

@ -2,7 +2,7 @@
# #
# Shorewall Packet Filtering Firewall Control Program - V1.4 - 3/14/2003 # Shorewall Packet Filtering Firewall Control Program - V1.4 - 3/14/2003
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
# #
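Review bot: the license link in the header, `http://www.gnu.org/copyleft/gpl.htm`, is missing the final `l` of `gpl.html`; the same link appears in the shorewall.conf, init and uninstall.sh headers touched by this commit, so it is worth correcting in all four while they are being edited.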
@ -12,7 +12,7 @@
# Shorewall documentation is available at http://shorewall.sourceforge.net # Shorewall documentation is available at http://shorewall.sourceforge.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
@ -23,7 +23,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
# If an error occurs while starting or restarting the firewall, the # If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped. # firewall is automatically stopped.
# #
@ -34,13 +34,13 @@
# #
# shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone # shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone
# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone # shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
# shorewall start Starts the firewall # shorewall start Starts the firewall
# shorewall restart Restarts the firewall # shorewall restart Restarts the firewall
# shorewall stop Stops the firewall # shorewall stop Stops the firewall
# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status # shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status
# plus the last 20 "interesting" # plus the last 20 "interesting"
# packets # packets
# shorewall status Displays firewall status # shorewall status Displays firewall status
# shorewall reset Resets iptables packet and # shorewall reset Resets iptables packet and
# byte counts # byte counts
# shorewall clear Open the floodgates by # shorewall clear Open the floodgates by
@ -75,7 +75,7 @@
# listed address(es) # listed address(es)
# shorewall reject <address> ... Temporarily reject all packets from the # shorewall reject <address> ... Temporarily reject all packets from the
# listed address(es) # listed address(es)
# shorewall allow <address> ... Reenable address(es) previously # shorewall allow <address> ... Reenable address(es) previously
# disabled with "drop" or "reject" # disabled with "drop" or "reject"
# shorewall save Save the list of "rejected" and # shorewall save Save the list of "rejected" and
# "dropped" addresses so that it will # "dropped" addresses so that it will
@ -142,7 +142,7 @@ get_config() {
display_chains() display_chains()
{ {
trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9 trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
if [ "$haveawk" = "Yes" ]; then if [ "$haveawk" = "Yes" ]; then
# #
# Send the output to a temporary file since ash craps if we try to store # Send the output to a temporary file since ash craps if we try to store
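Review bot: `display_chains` writes to the predictable path `/tmp/chains-$$` and this script runs as root, so a local user who can pre-create that name in world-writable /tmp can influence what the script reads back or overwrites; create the scratch file with `mktemp` (or under a directory only root can write) and store the name in a variable used by the `trap`. Note also that signal 9 (SIGKILL) cannot be trapped, so listing it in `trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9` is harmless but has no effect.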
@ -170,11 +170,11 @@ display_chains()
echo echo
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2` chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
for chain in $chains; do for chain in $chains; do
showchain $chain showchain $chain
done done
timed_read timed_read
for zone in $zones; do for zone in $zones; do
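Review bot: the context line `chains=\`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2\`` uses a bracket expression where alternation was intended: `[in|fwd]` matches any single character among `i`, `n`, `|`, `f`, `w`, `d`, not the suffixes `_in` or `_fwd`, so chain names ending in other letters will match too. Use `grep '^Chain.*_\(in\|fwd\)'` (or `grep -E '^Chain.*_(in|fwd)'`) to match only the two intended suffixes.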
@ -242,7 +242,7 @@ display_chains()
# Delay $timeout seconds -- if we're running on a recent bash2 then allow # Delay $timeout seconds -- if we're running on a recent bash2 then allow
# <enter> to terminate the delay # <enter> to terminate the delay
# #
timed_read () timed_read ()
{ {
read -t $timeout foo 2> /dev/null read -t $timeout foo 2> /dev/null
@ -252,7 +252,7 @@ timed_read ()
# #
# Display the last $1 packets logged # Display the last $1 packets logged
# #
packet_log() # $1 = number of messages packet_log() # $1 = number of messages
{ {
local options local options
@ -334,7 +334,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
get_config get_config
host=`echo $HOSTNAME | sed 's/\..*$//'` host=`echo $HOSTNAME | sed 's/\..*$//'`
oldrejects=`iptables -L -v -n | grep 'LOG'` oldrejects=`iptables -L -v -n | grep 'LOG'`
if [ $1 -lt 0 ]; then if [ $1 -lt 0 ]; then
let "timeout=- $1" let "timeout=- $1"
pause="Yes" pause="Yes"
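Review bot: `monitor_firewall` negates the timeout with `let "timeout=- $1"`, while the equivalent code in `logwatch` later in this file uses `timeout=$((- $1))`; `let` is a bash builtin, whereas `$(( ))` is POSIX and works in ash, which the `display_chains` comment says this script must tolerate. Use the arithmetic-expansion form in both places, and quote the test as `[ "$1" -lt 0 ]` so an empty argument yields a clear error rather than a malformed `[` expression.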
@ -347,7 +347,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
while true; do while true; do
display_chains display_chains
clear clear
echo "$banner `date`" echo "$banner `date`"
echo echo
@ -361,7 +361,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
if [ "$rejects" != "$oldrejects" ]; then if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects" oldrejects="$rejects"
$RING_BELL $RING_BELL
packet_log 20 packet_log 20
@ -435,7 +435,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
get_config get_config
host=`echo $HOSTNAME | sed 's/\..*$//'` host=`echo $HOSTNAME | sed 's/\..*$//'`
oldrejects=`iptables -L -v -n | grep 'LOG'` oldrejects=`iptables -L -v -n | grep 'LOG'`
if [ $1 -lt 0 ]; then if [ $1 -lt 0 ]; then
timeout=$((- $1)) timeout=$((- $1))
pause="Yes" pause="Yes"
@ -754,7 +754,7 @@ case "$1" in
echo "" echo ""
echo " HITS PORT SERVICE(S)" echo " HITS PORT SERVICE(S)"
echo " ---- ----- ----------" echo " ---- ----- ----------"
grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
while read count port ; do while read count port ; do
# List all services defined for the given port # List all services defined for the given port
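Review bot: `$LOGFILE` is unquoted in `grep 'Shorewall:.*DPT' $LOGFILE`, so a value containing whitespace or glob characters is split or expanded before grep sees it; write `"$LOGFILE"` here, as the rest of the pipeline already quotes its arguments.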
@ -853,4 +853,4 @@ case "$1" in
*) *)
usage 1 usage 1
;; ;;
esac esac

View File

@ -2,7 +2,7 @@
# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to # /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
# match your setup # match your setup
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
# This file should be placed in /etc/shorewall # This file should be placed in /etc/shorewall
# #
@ -19,7 +19,7 @@ SHARED_DIR=/usr/share/shorewall
# L O G G I N G # L O G G I N G
############################################################################## ##############################################################################
# #
# General note about log levels. Log levels are a method of describing # General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters # to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value. # in this file have log levels as their value.
# #
@ -35,16 +35,16 @@ SHARED_DIR=/usr/share/shorewall
# 0 emerg # 0 emerg
# #
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall # For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
# log messages are generated by NetFilter and are logged using facility # log messages are generated by NetFilter and are logged using facility
# 'kern' and the level that you specifify. If you are unsure of the level # 'kern' and the level that you specifify. If you are unsure of the level
# to choose, 6 (info) is a safe bet. You may specify levels by name or by # to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number. # number.
# #
# If you have build your kernel with ULOG target support, you may also # If you have build your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its # specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages # messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'. # via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be # ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
# configured to log all Shorewall message to their own log file # configured to log all Shorewall message to their own log file
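Review bot: three wording errors remain in the logging comment this hunk touches: `the level that you specifify` should read `specify`, `If you have build your kernel` should read `built`, and `log all Shorewall message to their own log file` should read `messages`. Fix them in the same hunk rather than in a later cleanup.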
################################################################################ ################################################################################
# #
@ -118,7 +118,7 @@ BLACKLIST_LOGLEVEL=
# #
# When a TCP packet that does not have the SYN flag set and the ACK and RST # When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection, # flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged, # it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged. # then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
# #
# See the comment at the top of this section for a description of log levels # See the comment at the top of this section for a description of log levels
@ -133,10 +133,10 @@ LOGNEWNOTSYN=
# #
# Specifies the logging level for connection requests that fail MAC # Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged. # such connection requests will not be logged.
# #
# See the comment at the top of this section for a description of log levels # See the comment at the top of this section for a description of log levels
# #
MACLIST_LOG_LEVEL=info MACLIST_LOG_LEVEL=info
@ -145,10 +145,10 @@ MACLIST_LOG_LEVEL=info
# #
# Specifies the logging level for packets that fail TCP Flags # Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then # verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged. # such packets will not be logged.
# #
# See the comment at the top of this section for a description of log levels # See the comment at the top of this section for a description of log levels
# #
TCP_FLAGS_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info
@ -160,7 +160,7 @@ TCP_FLAGS_LOG_LEVEL=info
# RFC1918_LOG_LEVEL=info is assumed. # RFC1918_LOG_LEVEL=info is assumed.
# #
# See the comment at the top of this section for a description of log levels # See the comment at the top of this section for a description of log levels
# #
RFC1918_LOG_LEVEL=info RFC1918_LOG_LEVEL=info
@ -169,7 +169,7 @@ RFC1918_LOG_LEVEL=info
################################################################################ ################################################################################
# #
# PATH - Change this if you want to change the order in which Shorewall # PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files. # searches directories for executable files.
# #
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@ -294,13 +294,13 @@ CLEAR_TC=Yes
# #
# When processing the tcrules file, Shorewall normally marks packets in the # When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set # PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g., # this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
# #
# Marking packets in the FORWARD chain has the advantage that inbound # Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination # packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When # address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for # packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding # Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface. # to the firewall's external interface.
# #
@ -387,27 +387,27 @@ MULTIPORT=No
# DNAT net loc:192.168.1.3 tcp 80 # DNAT net loc:192.168.1.3 tcp 80
# #
# it will forward TCP port 80 connections from the net to 192.168.1.3 # it will forward TCP port 80 connections from the net to 192.168.1.3
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is # REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
# convenient for two reasons: # convenient for two reasons:
# #
# a) If the the network interface has a dynamic IP address, the # a) If the the network interface has a dynamic IP address, the
# firewall configuration will work even when the address # firewall configuration will work even when the address
# changes. # changes.
# #
# b) It saves having to configure the IP address in the rule # b) It saves having to configure the IP address in the rule
# while still allowing the firewall to be started before the # while still allowing the firewall to be started before the
# internet interface is brought up. # internet interface is brought up.
# #
# This default behavior can also have a negative effect. If the # This default behavior can also have a negative effect. If the
# internet interface has more than one IP address then the above # internet interface has more than one IP address then the above
# rule will forward connection requests on all of these addresses; # rule will forward connection requests on all of these addresses;
# that may not be what is desired. # that may not be what is desired.
# #
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply # By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
# only if the original destination address is the primary IP address of # only if the original destination address is the primary IP address of
# one of the interfaces associated with the source zone. Note that this # one of the interfaces associated with the source zone. Note that this
# requires all interfaces to the source zone to be up when the firewall # requires all interfaces to the source zone to be up when the firewall
# is [re]started. # is [re]started.
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No
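Review bot: the line `a) If the the network interface has a dynamic IP address, the` doubles "the"; drop one while this comment block is being reflowed.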
@ -440,7 +440,7 @@ MUTEX_TIMEOUT=60
# Users with a High-availability setup with two firewall's and one acting # Users with a High-availability setup with two firewall's and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes. # also need to select NEWNOTSYN=Yes.
NEWNOTSYN=No NEWNOTSYN=No
################################################################################ ################################################################################
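Review bot: `Users with a High-availability setup with two firewall's` uses a possessive apostrophe for a plural; it should read `two firewalls`, and "High-availability" need not be capitalized mid-sentence.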
@ -469,7 +469,7 @@ MACLIST_DISPOSITION=REJECT
# #
# TCP FLAGS Disposition # TCP FLAGS Disposition
# #
# This variable determins the disposition of packets having an invalid # This variable determins the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the # combination of TCP flags that are received on interfaces having the
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified # 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed. # or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
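Review bot: `This variable determins the disposition of packets` misspells `determines`; correct it in this hunk.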

View File

@ -48,10 +48,10 @@ if [ $1 -eq 1 ]; then
########################################################################" \ ########################################################################" \
> /etc/shorewall/startup_disabled > /etc/shorewall/startup_disabled
if [ -x /sbin/insserv ]; then if [ -x /sbin/insserv ]; then
/sbin/insserv /etc/rc.d/shorewall /sbin/insserv /etc/rc.d/shorewall
elif [ -x /sbin/chkconfig ]; then elif [ -x /sbin/chkconfig ]; then
/sbin/chkconfig --add shorewall; /sbin/chkconfig --add shorewall;
fi fi
fi fi
@ -68,7 +68,7 @@ if [ $1 = 0 ]; then
fi fi
%files %files
/etc/init.d/shorewall /etc/init.d/shorewall
%attr(0700,root,root) %dir /etc/shorewall %attr(0700,root,root) %dir /etc/shorewall
%attr(0700,root,root) %dir /usr/share/shorewall %attr(0700,root,root) %dir /usr/share/shorewall
@ -279,7 +279,7 @@ fi
- Changed the release to 4 - Changed the release to 4
- Added Zones and Functions files - Added Zones and Functions files
* Mon Mar 12 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org> * Mon Mar 12 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change ipchains dependency to an iptables dependency and - Change ipchains dependency to an iptables dependency and
changed the release to 3 changed the release to 3
* Fri Mar 9 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org> * Fri Mar 9 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Add additional files. - Add additional files.

View File

@ -1,6 +1,6 @@
############################################################################ ############################################################################
# Shorewall 1.4 -- /etc/shorewall/start # Shorewall 1.4 -- /etc/shorewall/start
# #
# Add commands below that you want to be executed after shorewall has # Add commands below that you want to be executed after shorewall has
# been started or restarted. # been started or restarted.
# #

View File

@ -26,10 +26,10 @@
# /etc/shorewall/shorewall.conf. # /etc/shorewall/shorewall.conf.
# #
# SOURCE Source of the packet. A comma-separated list of # SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses # interface names, IP addresses, MAC addresses
# and/or subnets. Use $FW if the packet originates on # and/or subnets. Use $FW if the packet originates on
# the firewall in which case the MARK column may NOT # the firewall in which case the MARK column may NOT
# specify either ":P" or ":F" (marking always occurs # specify either ":P" or ":F" (marking always occurs
# in the OUTPUT chain). # in the OUTPUT chain).
# #
# MAC addresses must be prefixed with "~" and use # MAC addresses must be prefixed with "~" and use

View File

@ -6,8 +6,8 @@ RCDLINKS="2,S45 3,S45 6,K45"
# #
# Modified - Steve Cowles 5/9/2000 # Modified - Steve Cowles 5/9/2000
# Incorporated init {start|stop} syntax and iproute2 usage # Incorporated init {start|stop} syntax and iproute2 usage
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
# #

View File

@ -25,7 +25,7 @@
# remote getway has no fixed address (Road Warrior) # remote getway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0. # then specify the gateway as 0.0.0.0/0.
# #
# GATEWAY # GATEWAY
# ZONES -- Optional. If the gateway system specified in the third # ZONES -- Optional. If the gateway system specified in the third
# column is a standalone host then this column should # column is a standalone host then this column should
# contain a comma-separated list of the names of the # contain a comma-separated list of the names of the
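Review bot: the context line `remote getway has no fixed address (Road Warrior)` misspells `gateway`, and since the next column is literally named `GATEWAY` the typo is easy to catch; fix it here.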

View File

@ -2,14 +2,14 @@
# #
# Script to back uninstall Shoreline Firewall # Script to back uninstall Shoreline Firewall
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://shorewall.sourceforge.net # Shorewall documentation is available at http://shorewall.sourceforge.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
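Review bot: the description `Script to back uninstall Shoreline Firewall` is garbled (a stray `back`); it should read `Script to uninstall Shoreline Firewall`. Also apply the `gpl.html` correction to this header's license link.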
@ -35,8 +35,8 @@ usage() # $1 = exit status
exit $1 exit $1
} }
qt() qt()
{ {
"$@" >/dev/null 2>&1 "$@" >/dev/null 2>&1
} }
@ -49,7 +49,7 @@ restore_file() # $1 = file to restore
else else
exit 1 exit 1
fi fi
fi fi
} }
remove_file() # $1 = file to restore remove_file() # $1 = file to restore
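Review bot: the comment on `remove_file() # $1 = file to restore` was copied from `restore_file()` above and is misleading; change it to `# $1 = file to remove` so the two helpers are not confused when reading the uninstall script.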

View File

@ -3,12 +3,12 @@
# #
# This file determines your network zones. Columns are: # This file determines your network zones. Columns are:
# #
# ZONE Short name of the zone # ZONE Short name of the zone
# DISPLAY Display name of the zone # DISPLAY Display name of the zone
# COMMENTS Comments about the zone # COMMENTS Comments about the zone
# #
#ZONE DISPLAY COMMENTS #ZONE DISPLAY COMMENTS
net Net Internet net Net Internet
loc Local Local networks loc Local Local networks
dmz DMZ Demilitarized zone dmz DMZ Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE