Shorewall 1.4.1
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@520 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
c68ecd14e7
commit
2e0701d900
@ -1,10 +1,17 @@
|
||||
#
|
||||
# Shorewall 1.4 - /etc/shorewall/hosts
|
||||
#
|
||||
# WARNING: 90% of Shorewall users don't need to add entries to this
|
||||
# file and 80% of those who try to add such entries get it
|
||||
# wrong. Unless you are ABSOLUTELY SURE that you need entries
|
||||
# in this file, don't touch it!
|
||||
# THERE ARE TWO CASES WHERE YOU NEED THIS FILE:
|
||||
#
|
||||
# 1) YOU HAVE MULTIPLE NETWORKS IN THE SAME ZONE CONNECTED TO
|
||||
# A SINGLE INTERFACE AND YOU WANT THE SHOREWALL BOX TO ROUTE
|
||||
# BETWEEN THESE NETWORKS.
|
||||
#
|
||||
# 2) YOU HAVE MORE THAN ONE ZONE CONNECTED THROUGH A SINGLE
|
||||
# INTERFACE.
|
||||
#
|
||||
# IF YOU DON'T HAVE EITHER OF THESE SITUATIONS THEN DON'T TOUCH
|
||||
# THIS FILE.
|
||||
#
|
||||
# This file is used to define zones in terms of subnets and/or
|
||||
# individual IP addresses. Most simple setups don't need to
|
||||
|
@ -22,7 +22,26 @@
|
||||
# Shorewall will not start!
|
||||
#
|
||||
# POLICY Policy if no match from the rules file is found. Must
|
||||
# be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
|
||||
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
|
||||
#
|
||||
# ACCEPT - Accept the connection
|
||||
# DROP - Ignore the connection request
|
||||
# REJECT - For TCP, send RST. For all other, send
|
||||
# "port unreachable" ICMP.
|
||||
# CONTINUE - Pass the connection request past
|
||||
# any other rules that it might also
|
||||
# match (where the source or destination
|
||||
# zone in those rules is a superset of
|
||||
# the SOURCE or DEST in this policy).
|
||||
# NONE - Assume that there will never be any
|
||||
# packets from this SOURCE
|
||||
# to this DEST. Shorewall will not set up
|
||||
# any infrastructure to handle such
|
||||
# packets and you may not have any rules
|
||||
# with this SOURCE and DEST in the
|
||||
# /etc/shorewall/rules file. If such a
|
||||
# packet _is_ received, the result is
|
||||
# undefined.
|
||||
#
|
||||
# LOG LEVEL If supplied, each connection handled under the default
|
||||
# POLICY is logged at that level. If not supplied, no
|
||||
|
@ -15,7 +15,8 @@
|
||||
# Columns are:
|
||||
#
|
||||
#
|
||||
# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT
|
||||
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE
|
||||
# or LOG.
|
||||
#
|
||||
# ACCEPT -- allow the connection request
|
||||
# DROP -- ignore the request
|
||||
@ -39,6 +40,7 @@
|
||||
# connection request will be passed
|
||||
# to the rules defined for that
|
||||
# (those) zone(s).
|
||||
# LOG -- Simply log the packet and continue.
|
||||
#
|
||||
# May optionally be followed by ":" and a syslog log
|
||||
# level (e.g, REJECT:info). This causes the packet to be
|
||||
|
@ -672,6 +672,7 @@ validate_policy()
|
||||
print_policy() # $1 = source zone, $2 = destination zone
|
||||
{
|
||||
[ $command != check ] || \
|
||||
[ $1 = $2 ] || \
|
||||
[ $1 = all ] || \
|
||||
[ $2 = all ] || \
|
||||
echo " Policy for $1 to $2 is $policy"
|
||||
@ -708,7 +709,7 @@ validate_policy()
|
||||
esac
|
||||
|
||||
case $policy in
|
||||
ACCEPT|REJECT|DROP|CONTINUE)
|
||||
ACCEPT|REJECT|DROP|CONTINUE|NONE)
|
||||
;;
|
||||
*)
|
||||
startup_error "Invalid policy $policy"
|
||||
@ -728,7 +729,7 @@ validate_policy()
|
||||
|
||||
chain=${client}2${server}
|
||||
|
||||
all_policy_chains="$all_policy_chains $chain"
|
||||
[ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
|
||||
|
||||
eval ${chain}_is_policy=Yes
|
||||
eval ${chain}_policy=$policy
|
||||
@ -743,6 +744,7 @@ validate_policy()
|
||||
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${zone}2${zone1}_policychain=$chain
|
||||
eval ${zone}2${zone1}_policy=$policy
|
||||
print_policy $zone $zone1
|
||||
fi
|
||||
done
|
||||
@ -753,6 +755,7 @@ validate_policy()
|
||||
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${zone}2${server}_policychain=$chain
|
||||
eval ${zone}2${server}_policy=$policy
|
||||
print_policy $zone $server
|
||||
fi
|
||||
done
|
||||
@ -763,6 +766,7 @@ validate_policy()
|
||||
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${client}2${zone}_policychain=$chain
|
||||
eval ${client}2${zone}_policy=$policy
|
||||
print_policy $client $zone
|
||||
fi
|
||||
done
|
||||
@ -1438,7 +1442,7 @@ delete_nat() {
|
||||
#
|
||||
setup_ecn() # $1 = file name
|
||||
{
|
||||
local interfaces
|
||||
local interfaces=""
|
||||
local hosts
|
||||
local h
|
||||
|
||||
@ -2151,7 +2155,7 @@ process_rule() # $1 = target
|
||||
else
|
||||
serverport=
|
||||
[ -z "$serverzone" -o -z "$servers" ] && \
|
||||
startup_error "Empty destination zone or qualifier: rule \"$rule\""
|
||||
fatal_error "Empty destination zone or qualifier: rule \"$rule\""
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -2165,6 +2169,11 @@ process_rule() # $1 = target
|
||||
|
||||
chain=${source}2${dest}
|
||||
|
||||
eval policy=\$${chain}_policy
|
||||
|
||||
[ $policy = NONE ] && \
|
||||
fatal_error "Rules may not override a NONE policy: rule \"$rule\""
|
||||
|
||||
[ $command = check ] || ensurechain $chain
|
||||
|
||||
if [ "x$chain" = x${FW}2${FW} ]; then
|
||||
@ -2683,6 +2692,8 @@ rules_chain() # $1 = source zone, $2 = destination zone
|
||||
|
||||
havechain $chain && { echo $chain; return; }
|
||||
|
||||
[ "$1" = "$2" ] && { echo ACCEPT; return; }
|
||||
|
||||
eval chain=\$${chain}_policychain
|
||||
|
||||
[ -n "$chain" ] && { echo $chain; return; }
|
||||
@ -3670,41 +3681,27 @@ activate_rules()
|
||||
done
|
||||
|
||||
for zone1 in $zones; do
|
||||
|
||||
eval policy=\$${zone}2${zone1}_policy
|
||||
|
||||
[ "$policy" = NONE ] && continue
|
||||
|
||||
eval dest_hosts=\$${zone1}_hosts
|
||||
|
||||
chain="`rules_chain $zone $zone1`"
|
||||
|
||||
echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
|
||||
|
||||
if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then
|
||||
have_canonical=Yes
|
||||
else
|
||||
have_canonical=
|
||||
fi
|
||||
|
||||
for host in $source_hosts; do
|
||||
interface=${host%:*}
|
||||
subnet=${host#*:}
|
||||
chain1=`forward_chain $interface`
|
||||
|
||||
if [ -n "$have_canonical" ]; then
|
||||
bounce=yes
|
||||
else
|
||||
case $interface in
|
||||
*+*)
|
||||
bounce=yes
|
||||
;;
|
||||
*)
|
||||
bounce=
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
for host1 in $dest_hosts; do
|
||||
interface1=${host1%:*}
|
||||
subnet1=${host1#*:}
|
||||
|
||||
if [ $interface != $interface1 -o -n "$bounce" ]; then
|
||||
if [ "$host" != "$host1" ]; then
|
||||
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
|
||||
fi
|
||||
done
|
||||
|
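Review bot: The new NONE guard in process_rule, `[ $policy = NONE ] && \`, leaves `$policy` unquoted while the equivalent guard added to activate_rules, `[ "$policy" = NONE ] && continue`, quotes it; if `${chain}_policy` is ever unset for a pair the unquoted form degrades to `[ = NONE ]`, which is a test syntax error on stderr rather than a clean false, so the line should read `[ "$policy" = NONE ] && \`. A second, related point: validate_policy still assigns `${zone}2${zone1}_policychain=$chain` for a NONE pair even though the chain is now omitted from `all_policy_chains`, so rules_chain would return a chain name that is never created if it is reached for such a pair from any caller other than activate_rules (which now skips NONE before calling it); whether another caller exists is not visible here, so this is worth a guard or at least a comment such as `# NONE pairs keep a _policychain name but no chain is ever built for it` next to the `all_policy_chains` line. Both process_rule and activate_rules begin and end outside the hunks shown.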
@ -1 +1 @@
|
||||
1.4.0
|
||||
1.4.1
|
||||
|
@ -16,6 +16,7 @@
|
||||
/etc/shorewall/tos TOS Type of Service policy
|
||||
/etc/shorewall/blacklist Blacklist Blacklisted hosts
|
||||
/etc/shorewall/rfc1918 RFC1918 Defines 'norfc1918' interface option
|
||||
/etc/shorewall/ecn ECN Disable ECN to hosts and networks
|
||||
/etc/shorewall/init Init Commands executed before [re]start
|
||||
/etc/shorewall/start Start Commands executed after [re]start
|
||||
/etc/shorewall/stop Stop Commands executed before stop
|
||||
|
@ -1 +1 @@
|
||||
1.4.0
|
||||
1.4.1
|
||||
|