forked from extern/shorewall_code
1.3 Beta 2 Snapshot
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@27 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
e3b9278c5e
commit
44170128c2
@ -1,4 +1,4 @@
|
||||
Shoreline Firewall (Shorewall) Version 1.2 - 12/21/2001
|
||||
Shoreline Firewall (Shorewall) Version 1.3 - 6/14/2002
|
||||
----- ----
|
||||
|
||||
-----------------------------------------------------------------------------
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.2 -- Blacklist File
|
||||
# Shorewall 1.3 -- Blacklist File
|
||||
#
|
||||
# /etc/shorewall/blacklist
|
||||
#
|
||||
|
@ -1,11 +1,29 @@
|
||||
Changes since 1.2.12
|
||||
Changes since 1.2.13
|
||||
|
||||
1. Changed all file versions to 1.3
|
||||
|
||||
2. Changed the rules file and firewall file to implement the new forwarding
|
||||
and redirection syntax.
|
||||
|
||||
3. Removed the sample rules from the rules file -- the quickstart samples
|
||||
should provide those sample rules.
|
||||
|
||||
4. Added a silent Auth reject rule to common.def.
|
||||
|
||||
5. Changed the handling of the nat table to have a separate chain for each
|
||||
source zone.
|
||||
|
||||
6. Removed the code that tested each rules column for "none" -- this was never
|
||||
documented and was there to support the brain-dead parameterized samples.
|
||||
|
||||
7. Reworked the chain structure in the filter table so that each interface has
|
||||
its own input and forward chain.
|
||||
|
||||
8. Added logic to allow a subzone to be excluded from a DNAT or REDIRECT rule.
|
||||
|
||||
|
||||
|
||||
|
||||
1. Added whitelist support
|
||||
2. Added SYN Flood Protection
|
||||
3. Make aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES look more
|
||||
like what people expect.
|
||||
4. Merged shorewall.conf file patch that adds the kernel config help
|
||||
text for TCPMSS to the description of the Shorewall parameter.
|
||||
|
||||
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 1.1 -- /etc/shorewall/common.def
|
||||
# Shorewall 1.3 -- /etc/shorewall/common.def
|
||||
#
|
||||
# This file defines the rules that are applied before a policy of
|
||||
# DROP or REJECT is applied. In addition to the rules defined in this file,
|
||||
@ -31,4 +31,9 @@ run_iptables -A common -p udp --dport 1900 -j DROP
|
||||
#
|
||||
run_iptables -A common -d 255.255.255.255 -j DROP
|
||||
run_iptables -A common -d 224.0.0.0/4 -j DROP
|
||||
############################################################################
|
||||
# AUTH -- Reject it so that connections don't get delayed.
|
||||
#
|
||||
run_iptables -A common -p tcp --dport 113 -j reject
|
||||
|
||||
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.2.13
|
||||
VERSION=1.2.90
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,7 +1,7 @@
|
||||
#!/bin/sh
|
||||
RCDLINKS="2,S41 3,S41 6,K41"
|
||||
#
|
||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.2 12/21/2001
|
||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
@ -216,6 +216,48 @@ addrule() # $1 = chain name, remainder of arguments specify the rule
|
||||
run_iptables -A $@
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Create a nat chain #
|
||||
# #
|
||||
# Create a variable ${1}_nat_exists and set its value to Yes to indicate that #
|
||||
# the chain now exists. #
|
||||
################################################################################
|
||||
createnatchain() # $1 = chain name
|
||||
{
|
||||
run_iptables -t nat -N $1
|
||||
|
||||
eval ${1}_nat_exists=Yes
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Determine if a nat chain exists #
|
||||
# #
|
||||
# When we create a chain "chain", we create a variable named chain_nat_exists #
|
||||
# and set its value to Yes. This function tests for the "_exists" variable #
|
||||
# corresponding to the passed chain having the value of "Yes". #
|
||||
################################################################################
|
||||
havenatchain() # $1 = name of chain
|
||||
{
|
||||
eval test \"\$${1}_nat_exists\" = Yes
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Ensure that a chain exists (create it if it doesn't) #
|
||||
################################################################################
|
||||
ensurenatchain() # $1 = chain name
|
||||
{
|
||||
havenatchain $1 || createnatchain $1
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Add a rule to a nat chain creating the chain if necessary #
|
||||
################################################################################
|
||||
addnatrule() # $1 = chain name, remainder of arguments specify the rule
|
||||
{
|
||||
ensurenatchain $1
|
||||
run_iptables -t nat -A $@
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Delete a chain if it exists #
|
||||
################################################################################
|
||||
@ -265,6 +307,42 @@ find_interfaces() # $1 = interface zone
|
||||
done < $TMP_DIR/interfaces
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Chain name base for an interface #
|
||||
################################################################################
|
||||
chain_base() #$1 = interface
|
||||
{
|
||||
local c=${1%%+*}
|
||||
|
||||
echo ${c:=multi}
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Forward Chain for an interface #
|
||||
################################################################################
|
||||
forward_chain() # $1 = interface
|
||||
{
|
||||
echo `chain_base $interface`_fwd
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Input Chain for an interface #
|
||||
################################################################################
|
||||
input_chain() # $1 = interface
|
||||
{
|
||||
echo `chain_base $interface`_in
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# First chains for an interface #
|
||||
################################################################################
|
||||
first_chains() #$1 = interface
|
||||
{
|
||||
local c=`chain_base $1`
|
||||
|
||||
echo ${c}_fwd ${c}_in
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Find hosts in a given zone #
|
||||
# #
|
||||
@ -287,16 +365,11 @@ find_hosts() # $1 = host zone
|
||||
# variable contains a space-separated list of interfaces to the zone #
|
||||
################################################################################
|
||||
determine_interfaces() {
|
||||
local all_interfaces
|
||||
|
||||
for zone in $zones multi; do
|
||||
interfaces=`find_interfaces $zone`
|
||||
interfaces=`echo $interfaces` # Remove extra trash
|
||||
eval ${zone}_interfaces="\$interfaces"
|
||||
all_interfaces=${all_interfaces:-$interfaces}
|
||||
done
|
||||
|
||||
[ -n "$all_interfaces" ] || startup_error "Error: No interfaces defined"
|
||||
}
|
||||
|
||||
################################################################################
|
||||
@ -360,6 +433,12 @@ validate_interfaces_file() {
|
||||
r="$z $interface $subnet $options"
|
||||
[ "x$z" = "x-" ] || validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
|
||||
|
||||
for intr in $all_interfaces; do
|
||||
[ "$intr" = "$interface" ] && startup_error "Duplicate Interface $intr"
|
||||
done
|
||||
|
||||
all_interfaces="$all_interfaces $interface"
|
||||
|
||||
for option in `separate_list $options`; do
|
||||
case $option in
|
||||
dhcp|noping|routestopped|norfc1918|multi|routefilter|dropunclean|logunclean|blacklist|-)
|
||||
@ -369,6 +448,9 @@ validate_interfaces_file() {
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
[ -z "$all_interfaces" ] && startup_error "Error: No Interfaces Defined"
|
||||
|
||||
done < $TMP_DIR/interfaces
|
||||
}
|
||||
|
||||
@ -537,6 +619,33 @@ validate_rule() {
|
||||
fi
|
||||
|
||||
logtarget="$target"
|
||||
#
|
||||
# DNAT and REDIRECT targets were implemented in version 1.3 to replace
|
||||
# an older syntax. We simply map the new syntax into the old and proceed;
|
||||
# that way, people who have files with the old syntax don't need to
|
||||
# convert right away.
|
||||
#
|
||||
case $target in
|
||||
DNAT)
|
||||
target=ACCEPT
|
||||
address=${address:=all}
|
||||
;;
|
||||
REDIRECT)
|
||||
target=ACCEPT
|
||||
address=${address:=all}
|
||||
if [ "x-" = "x$servers" ]; then
|
||||
servers=$FW
|
||||
else
|
||||
servers="fw::$servers"
|
||||
fi
|
||||
;;
|
||||
ACCEPT|DROP|REJECT)
|
||||
;;
|
||||
*)
|
||||
startup_error " Error: Invalid target;" \
|
||||
" rule: \"$rule\""
|
||||
|
||||
esac
|
||||
|
||||
if [ "$clients" = "${clients%:*}" ]; then
|
||||
clientzone="$clients"
|
||||
@ -545,6 +654,16 @@ validate_rule() {
|
||||
clientzone="${clients%:*}"
|
||||
clients="${clients#*:}"
|
||||
fi
|
||||
|
||||
if [ "$clientzone" = "${clientzone%\!*}" ]; then
|
||||
excludezones=
|
||||
else
|
||||
excludezones="${clientzone#*\!}"
|
||||
clientzone="${clientzone%\!*}"
|
||||
|
||||
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
|
||||
startup_error " Error: Exclude list only allowed with DNAT or REDIRECT"
|
||||
fi
|
||||
############################################################################
|
||||
# Validate the Source Zone
|
||||
|
||||
@ -584,23 +703,17 @@ validate_rule() {
|
||||
############################################################################
|
||||
# Iterate through the various lists validating individual rules
|
||||
#
|
||||
[ "$ports" = "none" -o "$ports" = "None" -o \
|
||||
"$cports" = "none" -o "$cports" = "None" -o \
|
||||
"$clients" = "none" -o "$clients" = "None" -o \
|
||||
"$servers" = "none" -o "$servers" = "None" ] || \
|
||||
{
|
||||
for client in `separate_list ${clients:=-}`; do
|
||||
for server in `separate_list ${servers:=-}`; do
|
||||
for port in `separate_list ${ports:=-}`; do
|
||||
for cport in `separate_list ${cports:=-}`; do
|
||||
validate_a_rule
|
||||
done
|
||||
done
|
||||
for client in `separate_list ${clients:=-}`; do
|
||||
for server in `separate_list ${servers:=-}`; do
|
||||
for port in `separate_list ${ports:=-}`; do
|
||||
for cport in `separate_list ${cports:=-}`; do
|
||||
validate_a_rule
|
||||
done
|
||||
done
|
||||
done
|
||||
done
|
||||
done
|
||||
|
||||
echo " Rule \"$rule\" validated."
|
||||
}
|
||||
echo " Rule \"$rule\" validated."
|
||||
}
|
||||
|
||||
################################################################################
|
||||
@ -614,7 +727,7 @@ validate_rules() # $1 = name of rules file
|
||||
expandv clients servers protocol ports cports address
|
||||
case "$target" in
|
||||
|
||||
ACCEPT*|DROP*|REJECT*)
|
||||
ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*)
|
||||
rule="`echo $target $clients $servers $protocol $ports $cports $address`"
|
||||
validate_rule
|
||||
;;
|
||||
@ -876,7 +989,7 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
return 1
|
||||
fi
|
||||
|
||||
options="-mstate --state NEW -j ACCEPT"
|
||||
options="-m state --state NEW -j ACCEPT"
|
||||
inchain=${1}2${FW}
|
||||
outchain=${FW}2${1}
|
||||
addrule $inchain -p 50 -s $2 $options
|
||||
@ -906,7 +1019,7 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
return 1
|
||||
fi
|
||||
|
||||
options="-mstate --state NEW -j ACCEPT"
|
||||
options="-m state --state NEW -j ACCEPT"
|
||||
inchain=${1}2${FW}
|
||||
outchain=${FW}2${1}
|
||||
addrule $inchain -p $3 -s $2 $options
|
||||
@ -1239,9 +1352,82 @@ delete_tc()
|
||||
# and has loaded a space-separated list of their values in "rule". #
|
||||
################################################################################
|
||||
process_rule() {
|
||||
############################################################################
|
||||
# Add a NAT rule
|
||||
#
|
||||
add_nat_rule() {
|
||||
local chain
|
||||
|
||||
if [ -z "$NAT_ENABLED" ]; then
|
||||
fatal_error \
|
||||
" Error - Rule \"$rule\" requires NAT which is disabled"
|
||||
fi
|
||||
|
||||
if [ "$target" != "ACCEPT" ]; then
|
||||
fatal_error " Error - Only ACCEPT rules may specify " \
|
||||
"port mapping; rule \"$rule\""
|
||||
fi
|
||||
|
||||
if [ "$addr" != "${addr%:*}" ]; then
|
||||
snat="${addr#*:}"
|
||||
addr="${addr%:*}"
|
||||
else
|
||||
snat=""
|
||||
fi
|
||||
|
||||
[ "$addr" = "all" ] && addr= || addr="-d $addr"
|
||||
|
||||
if [ -n "$serv" ]; then
|
||||
servport="${servport:+:$servport}"
|
||||
target1="DNAT --to-destination ${serv}${servport}"
|
||||
else
|
||||
target1="REDIRECT --to-port $servport"
|
||||
fi
|
||||
|
||||
if [ "$source" = "$FW" ]; then
|
||||
run_iptables -t nat -A OUTPUT $proto $sports $addr \
|
||||
$dports -j $target1
|
||||
else
|
||||
chain=$source
|
||||
|
||||
if [ -n "$excludezones" ]; then
|
||||
chain=nonat${nonat_seq}
|
||||
nonat_seq=$(($nonat_seq + 1))
|
||||
createnatchain $chain
|
||||
addnatrule $source -j $chain
|
||||
for z in $excludezones; do
|
||||
eval hosts=\$${z}_hosts
|
||||
for host in $hosts; do
|
||||
addnatrule $chain $proto -s ${host#*:} \
|
||||
$sports $addr $dports -j RETURN
|
||||
done
|
||||
done
|
||||
fi
|
||||
|
||||
addnatrule $chain $proto $cli $sports \
|
||||
$addr $dports -j $target1
|
||||
fi
|
||||
|
||||
[ -n "$servport" ] && dports="--dport ${servport#*:}"
|
||||
|
||||
if [ -n "$snat" ]; then
|
||||
if [ -n "$cli" ]; then
|
||||
run_iptables -t nat -A POSTROUTING $proto $cli \
|
||||
$sports -d $serv $dports -j SNAT --to-source $snat
|
||||
else
|
||||
for source_host in $source_hosts; do
|
||||
run_iptables -t nat -A POSTROUTING \
|
||||
-s ${source_host#*:} $proto $sports \
|
||||
-d $serv $dports -j SNAT --to-source $snat
|
||||
done
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
############################################################################
|
||||
# Add one rule
|
||||
#
|
||||
|
||||
add_a_rule() {
|
||||
########################################################################
|
||||
# Determine the format of the client
|
||||
@ -1316,8 +1502,15 @@ process_rule() {
|
||||
esac
|
||||
|
||||
proto="${proto:+-p $proto}"
|
||||
|
||||
[ "$target" = REJECT ] && target=reject
|
||||
|
||||
case "$logtarget" in
|
||||
REJECT)
|
||||
target=reject
|
||||
;;
|
||||
REDIRECT)
|
||||
servport=${servport:=$port}
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then
|
||||
error_message " Warning -- Rule \"$rule\" is a POLICY"
|
||||
@ -1332,67 +1525,13 @@ process_rule() {
|
||||
##############################################################
|
||||
# Must use Prerouting DNAT
|
||||
#
|
||||
if [ -z "$NAT_ENABLED" ]; then
|
||||
fatal_error \
|
||||
" Error - Rule \"$rule\" requires NAT which is disabled"
|
||||
fi
|
||||
|
||||
if [ "$target" != "ACCEPT" ]; then
|
||||
fatal_error " Error - Only ACCEPT rules may specify " \
|
||||
"port mapping; rule \"$rule\""
|
||||
fi
|
||||
|
||||
if [ "$addr" != "${addr%:*}" ]; then
|
||||
snat="${addr#*:}"
|
||||
addr="${addr%:*}"
|
||||
else
|
||||
snat=""
|
||||
fi
|
||||
|
||||
[ "$addr" = "all" ] && addr= || addr="-d $addr"
|
||||
|
||||
if [ -n "$serv" ]; then
|
||||
servport="${servport:+:$servport}"
|
||||
target1="DNAT --to-destination ${serv}${servport}"
|
||||
else
|
||||
target1="REDIRECT --to-port $servport"
|
||||
fi
|
||||
|
||||
if [ "$source" = "$FW" ]; then
|
||||
run_iptables -t nat -A OUTPUT $proto $sports $addr \
|
||||
$dports -j $target1
|
||||
elif [ -n "$cli" ]; then
|
||||
run_iptables -t nat -A PREROUTING $proto $cli $sports \
|
||||
$addr $dports -j $target1
|
||||
else
|
||||
for source_host in $source_hosts; do
|
||||
run_iptables -t nat -A PREROUTING \
|
||||
-i ${source_host%:*} \
|
||||
-s ${source_host#*:} $proto $sports \
|
||||
$addr $dports -j $target1
|
||||
done
|
||||
fi
|
||||
|
||||
[ -n "$servport" ] && dports="--dport ${servport#*:}"
|
||||
|
||||
if [ -n "$snat" ]; then
|
||||
if [ -n "$cli" ]; then
|
||||
run_iptables -t nat -A POSTROUTING $proto $cli \
|
||||
$sports -d $serv $dports -j SNAT --to-source $snat
|
||||
else
|
||||
for source_host in $source_hosts; do
|
||||
run_iptables -t nat -A POSTROUTING \
|
||||
-s ${source_host#*:} $proto $sports \
|
||||
-d $serv $dports -j SNAT --to-source $snat
|
||||
done
|
||||
fi
|
||||
fi
|
||||
add_nat_rule
|
||||
fi
|
||||
|
||||
serv="${serv:+-d $serv}"
|
||||
|
||||
[ -n "$loglevel" ] && run_iptables -A $chain $proto $state $cli \
|
||||
$sports $serv $dports -j LOG $LOGPARMS --log-prefix \
|
||||
[ -n "$loglevel" ] && run_iptables -A $chain $proto $state \
|
||||
$cli $sports $serv $dports -j LOG $LOGPARMS --log-prefix \
|
||||
"Shorewall:$chain:$logtarget:" --log-level $loglevel
|
||||
run_iptables -A $chain $proto $state $cli $sports \
|
||||
$serv $dports -j $target
|
||||
@ -1403,12 +1542,12 @@ process_rule() {
|
||||
[ -n "$addr" ] && fatal_error \
|
||||
" Error: An ADDRESS ($addr) is only allowed in" \
|
||||
" a port mapping rule: \"$rule\""
|
||||
|
||||
|
||||
[ -n "$loglevel" ] && run_iptables -A $chain $proto \
|
||||
$dest_interface $state $cli $sports $dports -j LOG \
|
||||
$LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \
|
||||
--log-level $loglevel
|
||||
|
||||
|
||||
run_iptables -A $chain $proto $dest_interface $state \
|
||||
$cli $sports $dports -j $target
|
||||
fi
|
||||
@ -1427,6 +1566,28 @@ process_rule() {
|
||||
fi
|
||||
|
||||
logtarget="$target"
|
||||
#
|
||||
# DNAT and REDIRECT targets were implemented in version 1.3 to replace
|
||||
# an older syntax. We simply map the new syntax into the old and proceed;
|
||||
# that way, people who have files with the old syntax don't need to
|
||||
# convert right away.
|
||||
#
|
||||
|
||||
case $target in
|
||||
DNAT)
|
||||
target=ACCEPT
|
||||
address=${address:=all}
|
||||
;;
|
||||
REDIRECT)
|
||||
target=ACCEPT
|
||||
address=${address:=all}
|
||||
if [ "x-" = "x$servers" ]; then
|
||||
servers=$FW
|
||||
else
|
||||
servers="$FW::$servers"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ "$clients" = "${clients%:*}" ]; then
|
||||
clientzone="$clients"
|
||||
@ -1435,6 +1596,16 @@ process_rule() {
|
||||
clientzone="${clients%:*}"
|
||||
clients="${clients#*:}"
|
||||
fi
|
||||
|
||||
if [ "$clientzone" = "${clientzone%\!*}" ]; then
|
||||
excludezones=
|
||||
else
|
||||
excludezones="${clientzone#*\!}"
|
||||
clientzone="${clientzone%\!*}"
|
||||
|
||||
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
|
||||
fatal_error " Error: Exclude list only allowed with DNAT or REDIRECT"
|
||||
fi
|
||||
|
||||
############################################################################
|
||||
# Validate the Source Zone
|
||||
@ -1473,30 +1644,24 @@ process_rule() {
|
||||
|
||||
dest=$serverzone
|
||||
############################################################################
|
||||
# Create the canonlcal chain if it doesn't exist
|
||||
# Create the canonical chain if it doesn't exist
|
||||
#
|
||||
chain=${source}2${dest}
|
||||
ensurechain $chain
|
||||
############################################################################
|
||||
# Iterate through the various lists creating individual rules
|
||||
#
|
||||
[ "$ports" = "none" -o "$ports" = "None" -o \
|
||||
"$cports" = "none" -o "$cports" = "None" -o \
|
||||
"$clients" = "none" -o "$clients" = "None" -o \
|
||||
"$servers" = "none" -o "$servers" = "None" ] || \
|
||||
{
|
||||
for client in `separate_list ${clients:=-}`; do
|
||||
for server in `separate_list ${servers:=-}`; do
|
||||
for port in `separate_list ${ports:=-}`; do
|
||||
for cport in `separate_list ${cports:=-}`; do
|
||||
add_a_rule
|
||||
done
|
||||
done
|
||||
for client in `separate_list ${clients:=-}`; do
|
||||
for server in `separate_list ${servers:=-}`; do
|
||||
for port in `separate_list ${ports:=-}`; do
|
||||
for cport in `separate_list ${cports:=-}`; do
|
||||
add_a_rule
|
||||
done
|
||||
done
|
||||
done
|
||||
done
|
||||
done
|
||||
|
||||
echo " Rule \"$rule\" added."
|
||||
}
|
||||
echo " Rule \"$rule\" added."
|
||||
}
|
||||
|
||||
################################################################################
|
||||
@ -1509,7 +1674,7 @@ process_rules() # $1 = name of rules file
|
||||
while read target clients servers protocol ports cports address; do
|
||||
case "$target" in
|
||||
|
||||
ACCEPT*|DROP*|REJECT*)
|
||||
ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*)
|
||||
expandv clients servers protocol ports cports address
|
||||
rule="`echo $target $clients $servers $protocol $ports $cports $address`"
|
||||
process_rule
|
||||
@ -2146,8 +2311,10 @@ setup_blacklist() {
|
||||
createchain blacklst no
|
||||
|
||||
for interface in $interfaces; do
|
||||
run_iptables -A INPUT -i $interface -j blacklst
|
||||
run_iptables -A FORWARD -i $interface -j blacklst
|
||||
for chain in `first_chains $interface`; do
|
||||
run_iptables -A $chain -i $interface -j blacklst
|
||||
done
|
||||
|
||||
echo " Blacklisting enabled on $interface"
|
||||
done
|
||||
|
||||
@ -2319,6 +2486,17 @@ initialize_netfilter () {
|
||||
createchain icmpdef no
|
||||
createchain common no
|
||||
createchain reject no
|
||||
|
||||
echo "Creating input Chains..."
|
||||
|
||||
for interface in $all_interfaces; do
|
||||
chain=`forward_chain $interface`
|
||||
|
||||
if ! havechain $chain; then
|
||||
createchain $chain no
|
||||
createchain `input_chain $interface` no
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
################################################################################
|
||||
@ -2349,7 +2527,7 @@ add_common_rules() {
|
||||
echo "Mangled/Invalid Packet filtering enabled on:"
|
||||
|
||||
for interface in $interfaces; do
|
||||
for chain in INPUT FORWARD; do
|
||||
for chain in `first_chains $interface`; do
|
||||
run_iptables -A $chain -i $interface --match unclean -j badpkt
|
||||
done
|
||||
echo " $interface"
|
||||
@ -2372,7 +2550,7 @@ add_common_rules() {
|
||||
echo "Mangled/Invalid Packet Logging enabled on:"
|
||||
|
||||
for interface in $interfaces; do
|
||||
for chain in INPUT FORWARD; do
|
||||
for chain in `first_chains $interface`; do
|
||||
run_iptables -A $chain -i $interface --match unclean -j logpkt
|
||||
done
|
||||
echo " $interface"
|
||||
@ -2465,8 +2643,10 @@ add_common_rules() {
|
||||
done
|
||||
|
||||
for interface in $norfc1918_interfaces; do
|
||||
run_iptables -A INPUT -i $interface -j rfc1918
|
||||
run_iptables -A FORWARD -i $interface -j rfc1918
|
||||
for chain in `first_chains $interface`; do
|
||||
run_iptables -A $chain -i $interface -j rfc1918
|
||||
done
|
||||
|
||||
[ -n "$MANGLE_ENABLED" ] && \
|
||||
run_iptables -t mangle -A PREROUTING -i $interface -j rfc1918
|
||||
done
|
||||
@ -2596,8 +2776,8 @@ activate_rules() {
|
||||
for host in $source_hosts; do
|
||||
interface=${host%:*}
|
||||
subnet=${host#*:}
|
||||
chain=INPUT
|
||||
|
||||
chain=`input_chain $interface`
|
||||
|
||||
if [ "$zone" != "multi" ]; then
|
||||
#
|
||||
# If we have a 'multi2fw' chain and the current interface is
|
||||
@ -2613,6 +2793,11 @@ activate_rules() {
|
||||
|
||||
run_iptables -A OUTPUT -o \
|
||||
$interface -d $subnet -j `rules_chain $FW $zone`
|
||||
|
||||
if havenatchain $zone; then
|
||||
run_iptables -t nat -A PREROUTING \
|
||||
-i $interface -s $subnet -j $zone
|
||||
fi
|
||||
fi
|
||||
|
||||
run_iptables -A $chain -i $interface -s $subnet \
|
||||
@ -2627,17 +2812,20 @@ activate_rules() {
|
||||
for host in $source_hosts; do
|
||||
interface=${host%:*}
|
||||
subnet=${host#*:}
|
||||
chain1=`forward_chain $interface`
|
||||
|
||||
for host1 in $dest_hosts; do
|
||||
interface1=${host1%:*}
|
||||
subnet1=${host1#*:}
|
||||
|
||||
[ $interface = $interface1 -a "x$subnet" = "x$subnet1" ] ||\
|
||||
run_iptables -A FORWARD -i $interface -s $subnet \
|
||||
run_iptables -A $chain1 -i $interface -s $subnet \
|
||||
-o $interface1 -d $subnet1 -j $chain
|
||||
done
|
||||
|
||||
done
|
||||
done
|
||||
|
||||
done
|
||||
|
||||
while read zone interface broadcast options; do
|
||||
@ -2647,12 +2835,18 @@ activate_rules() {
|
||||
expandv interface options && \
|
||||
for option in `separate_list $options`; do
|
||||
[ "$option" = "multi" ] && \
|
||||
run_iptables -A FORWARD -i $interface \
|
||||
run_iptables -A `forward_chain $interface` \
|
||||
-i $interface \
|
||||
-o $interface -j ${zone}2${zone} && \
|
||||
break 1
|
||||
done
|
||||
done
|
||||
done < $TMP_DIR/interfaces
|
||||
|
||||
for interface in $all_interfaces; do
|
||||
run_iptables -A FORWARD -i $interface -j `forward_chain $interface`
|
||||
run_iptables -A INPUT -i $interface -j `input_chain $interface`
|
||||
done
|
||||
|
||||
complete_standard_chain INPUT all $FW
|
||||
complete_standard_chain OUTPUT $FW all
|
||||
@ -2705,8 +2899,8 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
echo "Adding rules for DHCP"
|
||||
|
||||
for interface in `find_interfaces_by_option dhcp`; do
|
||||
iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
|
||||
iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
|
||||
run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT
|
||||
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
|
||||
done
|
||||
|
||||
echo "Setting up ICMP Echo handling..."
|
||||
@ -2935,6 +3129,7 @@ do_initialize() {
|
||||
stopping=
|
||||
have_mutex=
|
||||
masq_seq=1
|
||||
nonat_seq=1
|
||||
|
||||
TMP_DIR=/tmp/shorewall-$$
|
||||
rm -rf $TMP_DIR
|
||||
@ -3053,7 +3248,7 @@ case "$command" in
|
||||
exit 0;
|
||||
fi
|
||||
define_firewall "Start" && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
|
||||
my_mutex_off
|
||||
my_mutex_off
|
||||
;;
|
||||
restart)
|
||||
do_initialize
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.2 -- /etc/shorewall/functions
|
||||
# Shorewall 1.3 -- /etc/shorewall/functions
|
||||
|
||||
#
|
||||
# Suppress all output for a command
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.2 - /etc/shorewall/hosts
|
||||
# Shorewall 1.3 - /etc/shorewall/hosts
|
||||
#
|
||||
# WARNING: 90% of Shorewall users don't need to add entries to this
|
||||
# file and 80% of those who try to add such entries get it
|
||||
|
@ -1,5 +1,5 @@
|
||||
##############################################################################
|
||||
# Shorewall 1.2 /etc/shorewall/icmp.def
|
||||
# Shorewall 1.3 /etc/shorewall/icmp.def
|
||||
#
|
||||
# This file defines the default rules for accepting ICMP packets.
|
||||
#
|
||||
|
@ -54,7 +54,7 @@
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.2.13
|
||||
VERSION=1.2.90
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.2 -- Interfaces File
|
||||
# Shorewall 1.3 -- Interfaces File
|
||||
#
|
||||
# /etc/shorewall/interfaces
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.2 - Masquerade file
|
||||
# Shorewall 1.3 - Masquerade file
|
||||
#
|
||||
# /etc/shorewall/masq
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
##############################################################################
|
||||
# Shorewall 1.2 /etc/shorewall/modules
|
||||
# Shorewall 1.3 /etc/shorewall/modules
|
||||
#
|
||||
# This file loads the modules needed by the firewall.
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 1.2 -- Network Address Translation Table
|
||||
# Shorewall 1.3 -- Network Address Translation Table
|
||||
#
|
||||
# /etc/shorewall/nat
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.2 /etc/shorewall/params
|
||||
# Shorewall 1.3 /etc/shorewall/params
|
||||
#
|
||||
# Assign any variables that you need here.
|
||||
#
|
||||
|
@ -1,20 +1,20 @@
|
||||
#
|
||||
# Shorewall 1.2 -- Policy File
|
||||
# Shorewall 1.3 -- Policy File
|
||||
#
|
||||
# /etc/shorewall/policy
|
||||
#
|
||||
# This file determines what to do with a new connection request if we
|
||||
# don't get a match from the /etc/shorewall/rules file or from the
|
||||
# /etc/shorewall/common[.def] file. For each client/server pair, the
|
||||
# /etc/shorewall/common[.def] file. For each source/destination pair, the
|
||||
# file is processed in order until a match is found ("all" will match
|
||||
# any client or server).
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# CLIENT Location of client. Must be the name of a zone defined
|
||||
# SOURCE Source zone. Must be the name of a zone defined
|
||||
# in /etc/shorewall/zones, $FW or "all".
|
||||
#
|
||||
# SERVER Location of server. Must be the name of a zone defined
|
||||
# DEST Destination zone. Must be the name of a zone defined
|
||||
# in /etc/shorewall/zones, $FW or "all"
|
||||
#
|
||||
# POLICY Policy if no match from the rules file is found. Must
|
||||
@ -40,7 +40,7 @@
|
||||
# d) All other connection requests are rejected and logged at level
|
||||
# KERNEL.INFO.
|
||||
###############################################################################
|
||||
#CLIENT SERVER POLICY LOG LEVEL LIMIT:BURST
|
||||
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info
|
||||
|
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 1.2 -- Proxy ARP
|
||||
# Shorewall 1.3 -- Proxy ARP
|
||||
#
|
||||
# /etc/shorewall/proxyarp
|
||||
#
|
||||
|
@ -1,12 +1,20 @@
|
||||
This is a minor release of Shorewall.
|
||||
This is a major release of Shorewall.
|
||||
|
||||
In this release:
|
||||
|
||||
1. Whitelist support has been added.
|
||||
2. Optional SYN Flood protection is now available.
|
||||
3. Aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES
|
||||
now use the VLSM and broadcast address of the interface's
|
||||
primary address.
|
||||
4. Port forwarding rules may now optionally override the
|
||||
contents of the /etc/shorewall/nat file.
|
||||
1. The rules syntax for port forwarding and port redirection has been
|
||||
simplified.
|
||||
|
||||
2. Compatibility has been maintained with version 1.2 configurations so
|
||||
that users may migrate their configuration at their convenience.
|
||||
|
||||
WARNING: Compatibility has NOT been maintained with the parameterized
|
||||
sample configurations which were withdrawn on 4/8/2002. Users
|
||||
still employing one of those samples must upgrade to the
|
||||
latest samples before running Shorewall 1.3 (Beta or Release).
|
||||
|
||||
3. You may now exclude zone A from a DNAT or REDIRECT rule that applies
|
||||
to zone B where zone A is a subzone of sone B.
|
||||
|
||||
|
||||
|
||||
|
106
Shorewall/rules
106
Shorewall/rules
@ -1,7 +1,7 @@
|
||||
#
|
||||
# Shorewall version 1.2 - Rules File
|
||||
# Shorewall version 1.3 - Rules File
|
||||
#
|
||||
# /etc/shorewall/rules
|
||||
# /etc/shorewall/rules
|
||||
#
|
||||
# Rules in this file govern connection establishment. Requests and
|
||||
# responses are automatically allowed using connection tracking.
|
||||
@ -12,32 +12,31 @@
|
||||
# given. Notice that no white space is permitted between "!" and the
|
||||
# address/subnet.
|
||||
#
|
||||
# If any of the following columns contain the word "none" then the rule
|
||||
# is ignored:
|
||||
#
|
||||
# PORT(S), CLIENT PORT(S), CLIENT(S) and SERVER.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
#
|
||||
# RESULT ACCEPT, DROP or REJECT
|
||||
# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT
|
||||
#
|
||||
# ACCEPT -- allow the connection request
|
||||
# DROP -- ignore the request
|
||||
# REJECT -- disallow the request and return an
|
||||
# icmp-unreachable packet.
|
||||
# ACCEPT -- allow the connection request
|
||||
# DROP -- ignore the request
|
||||
# REJECT -- disallow the request and return an
|
||||
# icmp-unreachable or an RST packet.
|
||||
# DNAT -- Forward the request to another
|
||||
# system (and optionally another port).
|
||||
# REDIRECT -- Redirect the request to a local
|
||||
# port on the firewall.
|
||||
#
|
||||
# May optionally be followed by ":" and a syslog log
|
||||
# level (e.g, REJECT:info). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# CLIENT(S) Hosts permitted to be clients. May be a zone defined
|
||||
# SOURCE Hosts permitted to be clients. May be a zone defined
|
||||
# in /etc/shorewall/zones or $FW to indicate the
|
||||
# firewall itself.
|
||||
#
|
||||
# Clients may be further restricted to a list of subnets
|
||||
# and/or hosts by appending ":" and a comma-separated
|
||||
# list of subnets and/or hosts. Hosts may be specified
|
||||
# list of subnets and/or hosts. Hosts may be specified
|
||||
# by IP or MAC address; mac addresses must begin with
|
||||
# "~" and must use "-" as a separator.
|
||||
#
|
||||
@ -49,7 +48,7 @@
|
||||
# loc:192.168.1.1,192.168.1.2
|
||||
# Hosts 192.168.1.1 and
|
||||
# 192.168.1.2 in the local zone.
|
||||
# loc:~00-A0-C9-15-39-78 Host in the local zone with
|
||||
# loc:~00-A0-C9-15-39-78 Host in the local zone with
|
||||
# MAC address 00:A0:C9:15:39:78.
|
||||
#
|
||||
# Alternatively, clients may be specified by interface
|
||||
@ -57,7 +56,7 @@
|
||||
# example, loc:eth1 specifies a client that
|
||||
# communicates with the firewall system through eth1.
|
||||
#
|
||||
# SERVER Location of Server. May be a zone defined in
|
||||
# DEST Location of Server. May be a zone defined in
|
||||
# /etc/shorewall/zones or $FW to indicate the firewall
|
||||
# itself.
|
||||
#
|
||||
@ -70,17 +69,21 @@
|
||||
# ":". If omitted, the firewall will not modifiy the
|
||||
# destination port.
|
||||
#
|
||||
# Example: loc:192.168.1.3:8080 specifies a local
|
||||
# Example: loc:192.168.1.3:3128 specifies a local
|
||||
# server at IP address 192.168.1.3 and listening on port
|
||||
# 8080. The port number MUST be specified as an integer
|
||||
# 3128. The port number MUST be specified as an integer
|
||||
# and not as a name from /etc/services.
|
||||
#
|
||||
# if the RESULT is REDIRECT, this column needs only to
|
||||
# contain the port number on the firewall that the request
|
||||
# should be redirected to.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
|
||||
# "all" or "related". If "related", the remainder of the
|
||||
# entry must be omitted and connection requests that are
|
||||
# related to existing requests will be accepted.
|
||||
#
|
||||
# PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
@ -99,53 +102,48 @@
|
||||
# specify an ADDRESS in the next column, then place "-"
|
||||
# in this column.
|
||||
#
|
||||
# ADDRESS (0ptional) If included and different from the IP
|
||||
# DEST ADDRESS (0ptional) If included and different from the IP
|
||||
# address given in the SERVER column, this is an address
|
||||
# on some interface on the firewall and connections to
|
||||
# that address will be forwarded to the IP and port
|
||||
# specified in the SERVER column.
|
||||
#
|
||||
# If the special value "all" is used, then requests from
|
||||
# the client zone given in the CLIENT(s) column with the
|
||||
# destination port given in PORT(s) will be forwarded to
|
||||
# the IP address given in SERVER. The value "all" is
|
||||
# intended to be used when your internet IP address is
|
||||
# dynamic and you want to do port forwarding or you want
|
||||
# to do proxy redirection. IT SHOULD NOT BE USED IN ANY
|
||||
# OTHER SITUATION.
|
||||
# The address may optionally be followed by
|
||||
# a colon (":") and a second IP address. This causes
|
||||
# Shorewall to use the second IP address as the source
|
||||
# address in forwarded packets. See the Shorewall
|
||||
# documentation for restrictions concerning this feature.
|
||||
# If no source IP address is given, the original source
|
||||
# address is not altered.
|
||||
#
|
||||
# The address (or "all") may optionally be followed by
|
||||
# a colon (":") an an IP address. This causes Shorewall
|
||||
# to use the specified IP address as the source address
|
||||
# in forwarded packets. See the Shorewall documentation
|
||||
# for restrictions concerning this feature. If no source
|
||||
# IP address is given, the original source address is not
|
||||
# altered.
|
||||
# Example: Accept SMTP requests from the DMZ to the internet
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE DEST
|
||||
# # PORT PORT(S) ADDRESS
|
||||
# ACCEPT dmz net tcp smtp
|
||||
#
|
||||
# Example: Forward all ssh and http connection requests from the internet
|
||||
# to local system 192.168.1.3
|
||||
#
|
||||
# #RESULT CLIENTS SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
|
||||
# ACCEPT net loc:192.168.1.3 tcp ssh,http - all
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE DEST
|
||||
# # PORT PORT(S) ADDRESS
|
||||
# DNAT net loc:192.168.1.3 tcp ssh,http
|
||||
#
|
||||
# Example: Redirect all locally-originating www connection requests to
|
||||
# port 8080 on the firewall (Squid running on the firewall
|
||||
# system)except when the destination address is 192.168.2.2
|
||||
# port 3128 on the firewall (Squid running on the firewall
|
||||
# system) except when the destination address is 192.168.2.2
|
||||
#
|
||||
# #RESULT CLIENTS SERVER(S) PROTO PORTS(S) CLIENT PORT(S) ADDRESS
|
||||
# ACCEPT loc $FW::8080 tcp www - !192.168.2.2
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE DEST
|
||||
# # PORT PORT(S) ADDRESS
|
||||
# REDIRECT loc 3128 tcp www - !192.168.2.2
|
||||
#
|
||||
# Example: All http requests from the internet to address
|
||||
# 130.252.100.69 are to be forwarded to 192.168.1.3
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE DEST
|
||||
# # PORT PORT(S) ADDRESS
|
||||
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
|
||||
##############################################################################
|
||||
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
|
||||
#
|
||||
# Allow SSH from the local network
|
||||
#
|
||||
ACCEPT loc $FW tcp ssh
|
||||
#
|
||||
# Allow SSH and Auth from the internet
|
||||
#
|
||||
ACCEPT net $FW tcp ssh,auth
|
||||
#
|
||||
# Run an NTP daemon on the firewall that is synced with outside sources
|
||||
#
|
||||
ACCEPT $FW net udp ntp
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE DEST
|
||||
# PORT PORT(S) ADDRESS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
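Review bot: The column documentation still uses the pre-1.3 column names in a few places after the rename to ACTION/SOURCE/DEST: `# if the RESULT is REDIRECT, this column needs only to` should say ACTION, and the DEST ADDRESS paragraph twice refers to `the SERVER column` (`# address given in the SERVER column, this is an address` and `# specified in the SERVER column.`) where the column is now DEST. Since the `none`-column handling was also dropped in this release, a one-line note under the column list such as `# NOTE: the old "none" placeholder is no longer recognised; a rule containing "none" is parsed literally.` would spare 1.2 users a confusing failure. Finally, the shipped file now contains no rules at all, so the previous default `ACCEPT net $FW tcp ssh,auth` is gone; a comment pointing to the quickstart samples for that rule would help anyone upgrading in place.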
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall Packet Filtering Firewall Control Program - V1.2 - 12/21/2001
|
||||
# Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
@ -144,7 +144,20 @@ display_chains()
|
||||
|
||||
timed_read
|
||||
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
|
||||
echo -e "Input Chains\\n"
|
||||
|
||||
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
|
||||
|
||||
for chain in $chains; do
|
||||
showchain $chain
|
||||
done
|
||||
|
||||
timed_read
|
||||
|
||||
for zone in $zones multi; do
|
||||
|
||||
if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then
|
||||
clear
|
||||
echo -e "$banner `date`\\n"
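Review bot: The new chain selector `chains=\`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2\`` uses a bracket expression, not alternation, so it matches any chain name containing `_` followed by a single i, n, |, f, w or d and it is not anchored to the end of the name; with the per-interface and per-zone chains this release introduces that can pull in unrelated chains or, conversely, match on a prefix. Alternation needs `grep -E`, e.g. `chains=\`grep -E '^Chain [^ ]+_(in|fwd) ' /tmp/chains-$$ | cut -d' ' -f 2\``, and the heading `Input Chains` then undersells what is shown, since `_fwd` chains are listed too. The temp file `/tmp/chains-$$` is created outside this hunk; if it is written with a plain redirection, the predictable name is open to a symlink race on a multi-user host and `mktemp` would be safer, but that cannot be confirmed from here. `display_chains()` begins before and continues after this hunk.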
|
||||
|
@ -1,5 +1,5 @@
|
||||
##############################################################################
|
||||
# /etc/shorewall/shorewall.conf V1.2 - Change the following variables to
|
||||
# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
|
||||
# match your setup
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall
|
||||
%define version 1.2
|
||||
%define release 13
|
||||
%define release 90
|
||||
%define prefix /usr
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
@ -17,7 +17,6 @@ BuildArch: noarch
|
||||
BuildRoot: /%{_tmppath}/%{name}-%{version}-%{release}-root
|
||||
Requires: iptables
|
||||
Conflicts: kernel <= 2.2
|
||||
Provides: shorewall
|
||||
|
||||
%description
|
||||
|
||||
@ -79,6 +78,9 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Wed May 8 Tom Eastep <tom@shorewall.net>
|
||||
- changed version to 90
|
||||
- removed 'provides' tag.
|
||||
* Tue Apr 23 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed version to 13
|
||||
- Added whitelist file.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 1.2 - Traffic Control Rules File
|
||||
# Shorewall version 1.3 - Traffic Control Rules File
|
||||
#
|
||||
# /etc/shorewall/tcrules
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.2 -- /etc/shorewall/tos
|
||||
# Shorewall 1.3 -- /etc/shorewall/tos
|
||||
#
|
||||
# This file defines rules for setting Type Of Service (TOS)
|
||||
#
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
RCDLINKS="2,S45 3,S45 6,K45"
|
||||
################################################################################
|
||||
# Script to create a gre or ipip tunnel -- Shorewall 1.2
|
||||
# Script to create a gre or ipip tunnel -- Shorewall 1.3
|
||||
#
|
||||
# Modified - Steve Cowles 5/9/2000
|
||||
# Incorporated init {start|stop} syntax and iproute2 usage
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 1.2 - /etc/shorewall/tunnels
|
||||
# Shorewall 1.3 - /etc/shorewall/tunnels
|
||||
#
|
||||
# This file defines IPSEC, GRE and IPIP tunnels.
|
||||
#
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=1.2.13
|
||||
VERSION=1.2.90
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|