diff --git a/Shorewall/INSTALL b/Shorewall/INSTALL index 99e98a3a7..9233faf91 100644 --- a/Shorewall/INSTALL +++ b/Shorewall/INSTALL @@ -1,4 +1,4 @@ -Shoreline Firewall (Shorewall) Version 1.2 - 12/21/2001 +Shoreline Firewall (Shorewall) Version 1.3 - 6/14/2002 ----- ---- ----------------------------------------------------------------------------- diff --git a/Shorewall/blacklist b/Shorewall/blacklist index 24b08c9a9..5c7ce6d81 100755 --- a/Shorewall/blacklist +++ b/Shorewall/blacklist @@ -1,5 +1,5 @@ # -# Shorewall 1.2 -- Blacklist File +# Shorewall 1.3 -- Blacklist File # # /etc/shorewall/blacklist # diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 5ea2dd89a..7bb6b1934 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,11 +1,29 @@ -Changes since 1.2.12 +Changes since 1.2.13 + +1. Changed all file versions to 1.3 + +2. Changed the rules file and firewall file to implement the new forwarding + and redirection syntax. + +3. Removed the sample rules from the rules file -- the quickstart samples + should provide those sample rules. + +4. Added a silent Auth reject rule to common.def. + +5. Changed the handling of the nat table to have a separate chain for each + source zone. + +6. Removed the code that tested each rules column for "none" -- this was never + documented and was there to support the brain-dead parameterized samples. + +7. Reworked the chain structure in the filter table so that each interface has + its own input and forward chain. + +8. Added logic to allow a subzone to be excluded from a DNAT or REDIRECT rule. + + + -1. Added whitelist support -2. Added SYN Flood Protection -3. Make aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES look more - like what people expect. -4. Merged shorewall.conf file patch that adds the kernel config help - text for TCPMSS to the description of the Shorewall parameter. diff --git a/Shorewall/common.def b/Shorewall/common.def index f5119665f..e317d6239 100644 
--- a/Shorewall/common.def +++ b/Shorewall/common.def @@ -1,5 +1,5 @@ ############################################################################ -# Shorewall 1.1 -- /etc/shorewall/common.def +# Shorewall 1.3 -- /etc/shorewall/common.def # # This file defines the rules that are applied before a policy of # DROP or REJECT is applied. In addition to the rules defined in this file, @@ -31,4 +31,9 @@ run_iptables -A common -p udp --dport 1900 -j DROP # run_iptables -A common -d 255.255.255.255 -j DROP run_iptables -A common -d 224.0.0.0/4 -j DROP +############################################################################ +# AUTH -- Reject it so that connections don't get delayed. +# +run_iptables -A common -p tcp --dport 113 -j reject + diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh index a0e078f7e..80c9b6d1a 100755 --- a/Shorewall/fallback.sh +++ b/Shorewall/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=1.2.13 +VERSION=1.2.90 usage() # $1 = exit status { diff --git a/Shorewall/firewall b/Shorewall/firewall index 9ffbcc3fb..9cb6aab2a 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -1,7 +1,7 @@ #!/bin/sh RCDLINKS="2,S41 3,S41 6,K41" # -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.2 12/21/2001 +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002 # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # 
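Review bot: The new `run_iptables -A common -p tcp --dport 113 -j reject` answers ident probes on every zone pair that falls through to the common chain, including pairs whose policy is DROP, so a host that used to be silent on port 113 now returns a reject packet there. That is a defensible trade (no SMTP/IRC ident delays) but the comment should say it overrides the policy, e.g. `# AUTH -- Reject it so that connections don't get delayed. NOTE: this answers on port 113 even where the policy is DROP.` Where the `common` chain is jumped to is outside this hunk, so I am inferring its reach from the file header text. The `reject` target is a chain created in initialize_netfilter (`createchain reject no`), so it does exist when this runs.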
@@ -216,6 +216,48 @@ addrule() # $1 = chain name, remainder of arguments specify the rule run_iptables -A $@ } +################################################################################ +# Create a nat chain # +# # +# Create a variable ${1}_nat_exists and set its value to Yes to indicate that # +# the chain now exists. # +################################################################################ +createnatchain() # $1 = chain name +{ + run_iptables -t nat -N $1 + + eval ${1}_nat_exists=Yes +} + +################################################################################ +# Determine if a nat chain exists # +# # +# When we create a chain "chain", we create a variable named chain_nat_exists # +# and set its value to Yes. This function tests for the "_exists" variable # +# corresponding to the passed chain having the value of "Yes". # +################################################################################ +havenatchain() # $1 = name of chain +{ + eval test \"\$${1}_nat_exists\" = Yes +} + +################################################################################ +# Ensure that a chain exists (create it if it doesn't) # +################################################################################ +ensurenatchain() # $1 = chain name +{ + havenatchain $1 || createnatchain $1 +} + +################################################################################ +# Add a rule to a nat chain creating the chain if necessary # +################################################################################ +addnatrule() # $1 = chain name, remainder of arguments specify the rule +{ + ensurenatchain $1 + run_iptables -t nat -A $@ +} + ################################################################################ # Delete a chain if it exists # ################################################################################ 
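Review bot: `createnatchain` and `havenatchain` derive a shell variable name from the chain name (`eval ${1}_nat_exists=Yes`, `eval test \"\$${1}_nat_exists\" = Yes`), so a zone name that is not a valid identifier (a `-` or `.` in it) makes the eval fail or evaluate something unintended; whether validate_zone, which is outside this hunk, restricts names to `[A-Za-z0-9_]` decides if that can happen. The header comment should state the constraint: `# NOTE: $1 must be a valid shell identifier; it is used to build ${1}_nat_exists via eval.` This mirrors the existing `createchain`/`havechain` pair for the filter table, so any tightening belongs in both. `addnatrule` passes `$@` unquoted exactly as `addrule` does, which is consistent but means every rule argument is word-split before reaching iptables.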
@@ -265,6 +307,42 @@ find_interfaces() # $1 = interface zone done < $TMP_DIR/interfaces } +################################################################################ +# Chain name base for an interface # +################################################################################ +chain_base() #$1 = interface +{ + local c=${1%%+*} + + echo ${c:=multi} +} + +################################################################################ +# Forward Chain for an interface # +################################################################################ +forward_chain() # $1 = interface +{ + echo `chain_base $interface`_fwd +} + +################################################################################ +# Input Chain for an interface # +################################################################################ +input_chain() # $1 = interface +{ + echo `chain_base $interface`_in +} + +################################################################################ +# First chains for an interface # +################################################################################ +first_chains() #$1 = interface +{ + local c=`chain_base $1` + + echo ${c}_fwd ${c}_in +} + ################################################################################ # Find hosts in a given zone # # # @@ -287,16 +365,11 @@ find_hosts() # $1 = host zone # variable contains a space-separated list of interfaces to the zone # ################################################################################ determine_interfaces() { - local all_interfaces - for zone in $zones multi; do interfaces=`find_interfaces $zone` interfaces=`echo $interfaces` # Remove extra trash eval ${zone}_interfaces="\$interfaces" - all_interfaces=${all_interfaces:-$interfaces} done - - [ -n "$all_interfaces" ] || startup_error "Error: No interfaces defined" } ################################################################################ 
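Review bot: `forward_chain` and `input_chain` are documented as taking `$1 = interface` but read the global `$interface` instead, so they return the wrong chain for any caller that passes something else; `first_chains` right next to them uses `$1` correctly. The current callers all happen to pass `$interface`, which hides the bug, so change the bodies to `echo `chain_base $1`_fwd` and `echo `chain_base $1`_in` now before a caller with a different variable name appears. `chain_base` also maps `eth+` and `eth` to the same base `eth`; that is presumably intended for wildcard interfaces but deserves a comment, because the duplicate-interface check in validate_interfaces_file compares full names rather than bases.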
@@ -360,6 +433,12 @@ validate_interfaces_file() { r="$z $interface $subnet $options" [ "x$z" = "x-" ] || validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" + for intr in $all_interfaces; do + [ "$intr" = "$interface" ] && startup_error "Duplicate Interface $intr" + done + + all_interfaces="$all_interfaces $interface" + for option in `separate_list $options`; do case $option in dhcp|noping|routestopped|norfc1918|multi|routefilter|dropunclean|logunclean|blacklist|-) @@ -369,6 +448,9 @@ validate_interfaces_file() { ;; esac done + + [ -z "$all_interfaces" ] && startup_error "Error: No Interfaces Defined" + done < $TMP_DIR/interfaces } @@ -537,6 +619,33 @@ validate_rule() { fi logtarget="$target" + # + # DNAT and REDIRECT targets were implemented in version 1.3 to replace + # an older syntax. We simply map the new syntax into the old and proceed; + # that way, people who have files with the old syntax don't need to + # convert right away. + # + case $target in + DNAT) + target=ACCEPT + address=${address:=all} + ;; + REDIRECT) + target=ACCEPT + address=${address:=all} + if [ "x-" = "x$servers" ]; then + servers=$FW + else + servers="fw::$servers" + fi + ;; + ACCEPT|DROP|REJECT) + ;; + *) + startup_error " Error: Invalid target;" \ + " rule: \"$rule\"" + + esac if [ "$clients" = "${clients%:*}" ]; then clientzone="$clients" @@ -545,6 +654,16 @@ validate_rule() { clientzone="${clients%:*}" clients="${clients#*:}" fi + + if [ "$clientzone" = "${clientzone%\!*}" ]; then + excludezones= + else + excludezones="${clientzone#*\!}" + clientzone="${clientzone%\!*}" + + [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ + startup_error " Error: Exclude list only allowed with DNAT or REDIRECT" + fi ############################################################################ # Validate the Source Zone 
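Review bot: The added `[ -z "$all_interfaces" ] && startup_error "Error: No Interfaces Defined"` appears to sit inside the `while read` body, between the option loop's `done` and `done < $TMP_DIR/interfaces`, right after the same iteration appended `$interface` to `all_interfaces`, so it can never fire; an empty interfaces file is therefore no longer caught, since this commit also removed the old check from determine_interfaces. Move the test to the line after `done < $TMP_DIR/interfaces`. Indentation is lost in this rendering, so please confirm the placement against the file. validate_interfaces_file begins before this hunk.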
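Review bot: In the REDIRECT arm, `servers="fw::$servers"` hard-codes the zone name `fw`, while the otherwise identical mapping added to process_rule in this same commit uses `servers="$FW::$servers"`; with a non-default `$FW` the validator checks a different server spec than the one that is later installed. Change it to `servers="$FW::$servers"`. Since the whole `case $target in` block now exists twice (here and in process_rule) and the copies already diverge, factoring it into one helper called from both would prevent the next divergence. The `*)` arm calls startup_error without a trailing `;;`, which is legal for the last arm but inconsistent with the others.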
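Review bot: The names split out of `excludezones` are never checked against the defined zones here, and `add_nat_rule` (later in this commit) looks them up with `eval hosts=\$${z}_hosts`, so a misspelled exclusion silently yields an empty host list and the zone that was meant to be excluded from the DNAT/REDIRECT rule is translated anyway. After `clientzone="${clientzone%\!*}"` add `for z in $excludezones; do validate_zone $z || startup_error " Error: Invalid exclude zone ($z) in rule \"$rule\""; done`, iterating the same way add_nat_rule does. The duplicate of this block in process_rule should get the same loop with fatal_error. I am inferring validate_zone's calling convention from its use in validate_interfaces_file, which is outside this hunk.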
@@ -584,23 +703,17 @@ validate_rule() { ############################################################################ # Iterate through the various lists validating individual rules # - [ "$ports" = "none" -o "$ports" = "None" -o \ - "$cports" = "none" -o "$cports" = "None" -o \ - "$clients" = "none" -o "$clients" = "None" -o \ - "$servers" = "none" -o "$servers" = "None" ] || \ - { - for client in `separate_list ${clients:=-}`; do - for server in `separate_list ${servers:=-}`; do - for port in `separate_list ${ports:=-}`; do - for cport in `separate_list ${cports:=-}`; do - validate_a_rule - done - done + for client in `separate_list ${clients:=-}`; do + for server in `separate_list ${servers:=-}`; do + for port in `separate_list ${ports:=-}`; do + for cport in `separate_list ${cports:=-}`; do + validate_a_rule done - done + done + done + done - echo " Rule \"$rule\" validated." - } + echo " Rule \"$rule\" validated." } ################################################################################ @@ -614,7 +727,7 @@ validate_rules() # $1 = name of rules file expandv clients servers protocol ports cports address case "$target" in - ACCEPT*|DROP*|REJECT*) + ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*) rule="`echo $target $clients $servers $protocol $ports $cports $address`" validate_rule ;; @@ -876,7 +989,7 @@ setup_tunnels() # $1 = name of tunnels file return 1 fi - options="-mstate --state NEW -j ACCEPT" + options="-m state --state NEW -j ACCEPT" inchain=${1}2${FW} outchain=${FW}2${1} addrule $inchain -p 50 -s $2 $options @@ -906,7 +1019,7 @@ setup_tunnels() # $1 = name of tunnels file return 1 fi - options="-mstate --state NEW -j ACCEPT" + options="-m state --state NEW -j ACCEPT" inchain=${1}2${FW} outchain=${FW}2${1} addrule $inchain -p $3 -s $2 $options 
@@ -1239,9 +1352,82 @@ delete_tc() # and has loaded a space-separated list of their values in "rule". # ################################################################################ process_rule() { + ############################################################################ + # Add a NAT rule + # + add_nat_rule() { + local chain + + if [ -z "$NAT_ENABLED" ]; then + fatal_error \ + " Error - Rule \"$rule\" requires NAT which is disabled" + fi + + if [ "$target" != "ACCEPT" ]; then + fatal_error " Error - Only ACCEPT rules may specify " \ + "port mapping; rule \"$rule\"" + fi + + if [ "$addr" != "${addr%:*}" ]; then + snat="${addr#*:}" + addr="${addr%:*}" + else + snat="" + fi + + [ "$addr" = "all" ] && addr= || addr="-d $addr" + + if [ -n "$serv" ]; then + servport="${servport:+:$servport}" + target1="DNAT --to-destination ${serv}${servport}" + else + target1="REDIRECT --to-port $servport" + fi + + if [ "$source" = "$FW" ]; then + run_iptables -t nat -A OUTPUT $proto $sports $addr \ + $dports -j $target1 + else + chain=$source + + if [ -n "$excludezones" ]; then + chain=nonat${nonat_seq} + nonat_seq=$(($nonat_seq + 1)) + createnatchain $chain + addnatrule $source -j $chain + for z in $excludezones; do + eval hosts=\$${z}_hosts + for host in $hosts; do + addnatrule $chain $proto -s ${host#*:} \ + $sports $addr $dports -j RETURN + done + done + fi + + addnatrule $chain $proto $cli $sports \ + $addr $dports -j $target1 + fi + + [ -n "$servport" ] && dports="--dport ${servport#*:}" + + if [ -n "$snat" ]; then + if [ -n "$cli" ]; then + run_iptables -t nat -A POSTROUTING $proto $cli \ + $sports -d $serv $dports -j SNAT --to-source $snat + else + for source_host in $source_hosts; do + run_iptables -t nat -A POSTROUTING \ + -s ${source_host#*:} $proto $sports \ + -d $serv $dports -j SNAT --to-source $snat + done + fi + fi + } + ############################################################################ # Add one rule # + add_a_rule() { 
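Review bot: `add_nat_rule` reads roughly a dozen caller variables (`rule`, `target`, `addr`, `serv`, `servport`, `source`, `cli`, `sports`, `dports`, `proto`, `excludezones`, `source_hosts`) and rewrites `addr`, `dports`, `servport`, `snat` and `nonat_seq`, yet its header says only `# Add a NAT rule`; a comment listing those inputs and outputs, and noting that it must run before `serv` is rewritten as `-d $serv`, would make the nested function readable on its own. The exclusion RETURN rules match on `-s ${host#*:}` only, dropping the interface half of each host entry, so a subzone host is exempted by address on any interface; that is probably acceptable because the zone nat chain is entered only through `-i/-s` jumps, but the comment should say so. Creating `nonat${nonat_seq}` with `createnatchain` rather than `ensurenatchain` is correct since the counter keeps the names unique.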
######################################################################## # Determine the format of the client @@ -1316,8 +1502,15 @@ process_rule() { esac proto="${proto:+-p $proto}" - - [ "$target" = REJECT ] && target=reject + + case "$logtarget" in + REJECT) + target=reject + ;; + REDIRECT) + servport=${servport:=$port} + ;; + esac if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then error_message " Warning -- Rule \"$rule\" is a POLICY" 
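Review bot: `servport=${servport:=$port}` in the REDIRECT arm defaults the redirect port to the rule's destination port, but when no DEST PORT was given `port` is `-` (from `${ports:=-}` in the caller), which produces `REDIRECT --to-port -`; and if DEST PORT is a service name it is handed to iptables as-is, which the rules-file header says must be an integer. Guard it: `REDIRECT) [ "$port" = "-" ] && fatal_error " Error: REDIRECT rule \"$rule\" needs a port"; servport=${servport:=$port} ;;`. add_a_rule starts before this hunk, so I cannot see whether `port` is normalised earlier in its body.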
@@ -1332,67 +1525,13 @@ process_rule() { ############################################################## # Must use Prerouting DNAT # - if [ -z "$NAT_ENABLED" ]; then - fatal_error \ - " Error - Rule \"$rule\" requires NAT which is disabled" - fi - - if [ "$target" != "ACCEPT" ]; then - fatal_error " Error - Only ACCEPT rules may specify " \ - "port mapping; rule \"$rule\"" - fi - - if [ "$addr" != "${addr%:*}" ]; then - snat="${addr#*:}" - addr="${addr%:*}" - else - snat="" - fi - - [ "$addr" = "all" ] && addr= || addr="-d $addr" - - if [ -n "$serv" ]; then - servport="${servport:+:$servport}" - target1="DNAT --to-destination ${serv}${servport}" - else - target1="REDIRECT --to-port $servport" - fi - - if [ "$source" = "$FW" ]; then - run_iptables -t nat -A OUTPUT $proto $sports $addr \ - $dports -j $target1 - elif [ -n "$cli" ]; then - run_iptables -t nat -A PREROUTING $proto $cli $sports \ - $addr $dports -j $target1 - else - for source_host in $source_hosts; do - run_iptables -t nat -A PREROUTING \ - -i ${source_host%:*} \ - -s ${source_host#*:} $proto $sports \ - $addr $dports -j $target1 - done - fi - - [ -n "$servport" ] && dports="--dport ${servport#*:}" - - if [ -n "$snat" ]; then - if [ -n "$cli" ]; then - run_iptables -t nat -A POSTROUTING $proto $cli \ - $sports -d $serv $dports -j SNAT --to-source $snat - else - for source_host in $source_hosts; do - run_iptables -t nat -A POSTROUTING \ - -s ${source_host#*:} $proto $sports \ - -d $serv $dports -j SNAT --to-source $snat - done - fi - fi + add_nat_rule fi serv="${serv:+-d $serv}" - [ -n "$loglevel" ] && run_iptables -A $chain $proto $state $cli \ - $sports $serv $dports -j LOG $LOGPARMS --log-prefix \ + [ -n "$loglevel" ] && run_iptables -A $chain $proto $state \ + $cli $sports $serv $dports -j LOG $LOGPARMS --log-prefix \ "Shorewall:$chain:$logtarget:" --log-level $loglevel run_iptables -A $chain $proto $state $cli $sports \ $serv $dports -j $target 
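Review bot: The `add_nat_rule` call replaces the inline NAT code but drops the `-i ${source_host%:*}` restriction the old PREROUTING rules carried; that restriction now lives in the per-zone `-j $zone` jumps added in activate_rules, so the rules here are only correct if that jump exists for every host of the zone. A one-line comment at the call site, `# NAT rules go into the $source nat chain; PREROUTING jumps to it per interface/subnet in activate_rules`, would record the dependency. The call also relies on `serv` still being the bare address, since the very next line turns it into `-d $serv`.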
@@ -1403,12 +1542,12 @@ process_rule() { [ -n "$addr" ] && fatal_error \ " Error: An ADDRESS ($addr) is only allowed in" \ " a port mapping rule: \"$rule\"" - + [ -n "$loglevel" ] && run_iptables -A $chain $proto \ $dest_interface $state $cli $sports $dports -j LOG \ $LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \ --log-level $loglevel - + run_iptables -A $chain $proto $dest_interface $state \ $cli $sports $dports -j $target fi @@ -1427,6 +1566,28 @@ process_rule() { fi logtarget="$target" + # + # DNAT and REDIRECT targets were implemented in version 1.3 to replace + # an older syntax. We simply map the new syntax into the old and proceed; + # that way, people who have files with the old syntax don't need to + # convert right away. + # + + case $target in + DNAT) + target=ACCEPT + address=${address:=all} + ;; + REDIRECT) + target=ACCEPT + address=${address:=all} + if [ "x-" = "x$servers" ]; then + servers=$FW + else + servers="$FW::$servers" + fi + ;; + esac if [ "$clients" = "${clients%:*}" ]; then clientzone="$clients" @@ -1435,6 +1596,16 @@ process_rule() { clientzone="${clients%:*}" clients="${clients#*:}" fi + + if [ "$clientzone" = "${clientzone%\!*}" ]; then + excludezones= + else + excludezones="${clientzone#*\!}" + clientzone="${clientzone%\!*}" + + [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ + fatal_error " Error: Exclude list only allowed with DNAT or REDIRECT" + fi ############################################################################ # Validate the Source Zone 
@@ -1473,30 +1644,24 @@ process_rule() { dest=$serverzone ############################################################################ - # Create the canonlcal chain if it doesn't exist + # Create the canonical chain if it doesn't exist # chain=${source}2${dest} ensurechain $chain ############################################################################ # Iterate through the various lists creating individual rules # - [ "$ports" = "none" -o "$ports" = "None" -o \ - "$cports" = "none" -o "$cports" = "None" -o \ - "$clients" = "none" -o "$clients" = "None" -o \ - "$servers" = "none" -o "$servers" = "None" ] || \ - { - for client in `separate_list ${clients:=-}`; do - for server in `separate_list ${servers:=-}`; do - for port in `separate_list ${ports:=-}`; do - for cport in `separate_list ${cports:=-}`; do - add_a_rule - done - done + for client in `separate_list ${clients:=-}`; do + for server in `separate_list ${servers:=-}`; do + for port in `separate_list ${ports:=-}`; do + for cport in `separate_list ${cports:=-}`; do + add_a_rule done - done + done + done + done - echo " Rule \"$rule\" added." - } + echo " Rule \"$rule\" added." } ################################################################################ @@ -1509,7 +1674,7 @@ process_rules() # $1 = name of rules file while read target clients servers protocol ports cports address; do case "$target" in - ACCEPT*|DROP*|REJECT*) + ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*) expandv clients servers protocol ports cports address rule="`echo $target $clients $servers $protocol $ports $cports $address`" process_rule @@ -2146,8 +2311,10 @@ setup_blacklist() { createchain blacklst no for interface in $interfaces; do - run_iptables -A INPUT -i $interface -j blacklst - run_iptables -A FORWARD -i $interface -j blacklst + for chain in `first_chains $interface`; do + run_iptables -A $chain -i $interface -j blacklst + done + echo " Blacklisting enabled on $interface" done 
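Review bot: In setup_blacklist, blacklist rules now go into the per-interface `*_in`/`*_fwd` chains from `first_chains`, so they precede the zone rules only because setup_blacklist runs before activate_rules appends to the same chains; nothing in this hunk states that ordering. Add `# must run before activate_rules: zone rules are appended to the same chains` above the loop. `first_chains` is also only safe for interfaces listed in the interfaces file, since initialize_netfilter creates chains for `$all_interfaces` alone; if `$interfaces` here can contain anything else the `-A` fails at run time.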
@@ -2319,6 +2486,17 @@ initialize_netfilter () { createchain icmpdef no createchain common no createchain reject no + + echo "Creating input Chains..." + + for interface in $all_interfaces; do + chain=`forward_chain $interface` + + if ! havechain $chain; then + createchain $chain no + createchain `input_chain $interface` no + fi + done } ################################################################################ @@ -2349,7 +2527,7 @@ add_common_rules() { echo "Mangled/Invalid Packet filtering enabled on:" for interface in $interfaces; do - for chain in INPUT FORWARD; do + for chain in `first_chains $interface`; do run_iptables -A $chain -i $interface --match unclean -j badpkt done echo " $interface" @@ -2372,7 +2550,7 @@ add_common_rules() { echo "Mangled/Invalid Packet Logging enabled on:" for interface in $interfaces; do - for chain in INPUT FORWARD; do + for chain in `first_chains $interface`; do run_iptables -A $chain -i $interface --match unclean -j logpkt done echo " $interface" @@ -2465,8 +2643,10 @@ add_common_rules() { done for interface in $norfc1918_interfaces; do - run_iptables -A INPUT -i $interface -j rfc1918 - run_iptables -A FORWARD -i $interface -j rfc1918 + for chain in `first_chains $interface`; do + run_iptables -A $chain -i $interface -j rfc1918 + done + [ -n "$MANGLE_ENABLED" ] && \ run_iptables -t mangle -A PREROUTING -i $interface -j rfc1918 done @@ -2596,8 +2776,8 @@ activate_rules() { for host in $source_hosts; do interface=${host%:*} subnet=${host#*:} - chain=INPUT - + chain=`input_chain $interface` + if [ "$zone" != "multi" ]; then # # If we have a 'multi2fw' chain and the current interface is @@ -2613,6 +2793,11 @@ activate_rules() { run_iptables -A OUTPUT -o \ $interface -d $subnet -j `rules_chain $FW $zone` + + if havenatchain $zone; then + run_iptables -t nat -A PREROUTING \ + -i $interface -s $subnet -j $zone + fi fi run_iptables -A $chain -i $interface -s $subnet \ 
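Review bot: The message `Creating input Chains...` is misleading since the loop creates both the `_fwd` and `_in` chain for every interface; `echo "Creating interface chains..."` matches what happens. The `havechain` guard tests only the forward chain and creates the input chain on that evidence, which holds as long as the two are always created together, so a comment `# _fwd and _in are always created as a pair` would justify it. This loop depends on `$all_interfaces` having been filled by validate_interfaces_file earlier in the run.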
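Review bot: In activate_rules the PREROUTING jump `-i $interface -s $subnet -j $zone` is added inside the `[ "$zone" != "multi" ]` block, so hosts of the `multi` pseudo-zone never reach a `multi` nat chain even though determine_interfaces builds interface lists for it; if `multi` cannot be a rule SOURCE this is harmless, but a comment saying so would help. The jump restricts by interface and source subnet, which is tighter than the old PREROUTING rules with `$cli` set (no `-i`), so DNAT rules now apply only to packets arriving on that zone's interfaces; that is a behaviour change worth a line in releasenotes.txt. activate_rules begins before this hunk.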
@@ -2627,17 +2812,20 @@ activate_rules() { for host in $source_hosts; do interface=${host%:*} subnet=${host#*:} + chain1=`forward_chain $interface` for host1 in $dest_hosts; do interface1=${host1%:*} subnet1=${host1#*:} [ $interface = $interface1 -a "x$subnet" = "x$subnet1" ] ||\ - run_iptables -A FORWARD -i $interface -s $subnet \ + run_iptables -A $chain1 -i $interface -s $subnet \ -o $interface1 -d $subnet1 -j $chain done + done done + done while read zone interface broadcast options; do @@ -2647,12 +2835,18 @@ activate_rules() { expandv interface options && \ for option in `separate_list $options`; do [ "$option" = "multi" ] && \ - run_iptables -A FORWARD -i $interface \ + run_iptables -A `forward_chain $interface` \ + -i $interface \ -o $interface -j ${zone}2${zone} && \ break 1 done done done < $TMP_DIR/interfaces + + for interface in $all_interfaces; do + run_iptables -A FORWARD -i $interface -j `forward_chain $interface` + run_iptables -A INPUT -i $interface -j `input_chain $interface` + done complete_standard_chain INPUT all $FW complete_standard_chain OUTPUT $FW all @@ -2705,8 +2899,8 @@ define_firewall() # $1 = Command (Start or Restart) echo "Adding rules for DHCP" for interface in `find_interfaces_by_option dhcp`; do - iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT - iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT + run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT + run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT done echo "Setting up ICMP Echo handling..." @@ -2935,6 +3129,7 @@ do_initialize() { stopping= have_mutex= masq_seq=1 + nonat_seq=1 TMP_DIR=/tmp/shorewall-$$ rm -rf $TMP_DIR @@ -3053,7 +3248,7 @@ case "$command" in exit 0; fi define_firewall "Start" && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK - my_mutex_off + my_mutex_off ;; restart) do_initialize diff --git a/Shorewall/functions b/Shorewall/functions index cfd2d00b0..6e3bf64b2 100755 --- a/Shorewall/functions 
+++ b/Shorewall/functions @@ -1,5 +1,5 @@ # -# Shorewall 1.2 -- /etc/shorewall/functions +# Shorewall 1.3 -- /etc/shorewall/functions # # Suppress all output for a command diff --git a/Shorewall/hosts b/Shorewall/hosts index 100b02b72..e23e9f712 100644 --- a/Shorewall/hosts +++ b/Shorewall/hosts @@ -1,5 +1,5 @@ # -# Shorewall 1.2 - /etc/shorewall/hosts +# Shorewall 1.3 - /etc/shorewall/hosts # # WARNING: 90% of Shorewall users don't need to add entries to this # file and 80% of those who try to add such entries get it diff --git a/Shorewall/icmp.def b/Shorewall/icmp.def index 6e639151c..109a4e8ea 100644 --- a/Shorewall/icmp.def +++ b/Shorewall/icmp.def @@ -1,5 +1,5 @@ ############################################################################## -# Shorewall 1.2 /etc/shorewall/icmp.def +# Shorewall 1.3 /etc/shorewall/icmp.def # # This file defines the default rules for accepting ICMP packets. # diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 258143066..69301a135 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -54,7 +54,7 @@ # /etc/rc.d/rc.local file is modified to start the firewall. # -VERSION=1.2.13 +VERSION=1.2.90 usage() # $1 = exit status { diff --git a/Shorewall/interfaces b/Shorewall/interfaces index 127ef6818..638db2d5f 100644 --- a/Shorewall/interfaces +++ b/Shorewall/interfaces @@ -1,5 +1,5 @@ # -# Shorewall 1.2 -- Interfaces File +# Shorewall 1.3 -- Interfaces File # # /etc/shorewall/interfaces # diff --git a/Shorewall/masq b/Shorewall/masq index 43627e04d..b6cb59c64 100755 --- a/Shorewall/masq +++ b/Shorewall/masq @@ -1,5 +1,5 @@ # -# Shorewall 1.2 - Masquerade file +# Shorewall 1.3 - Masquerade file # # /etc/shorewall/masq # diff --git a/Shorewall/modules b/Shorewall/modules index 6a799484b..5bc6278dd 100644 --- a/Shorewall/modules +++ b/Shorewall/modules 
@@ -1,5 +1,5 @@ ############################################################################## -# Shorewall 1.2 /etc/shorewall/modules +# Shorewall 1.3 /etc/shorewall/modules # # This file loads the modules needed by the firewall. diff --git a/Shorewall/nat b/Shorewall/nat index ce1020b8e..db85e4114 100755 --- a/Shorewall/nat +++ b/Shorewall/nat @@ -1,6 +1,6 @@ ############################################################################## # -# Shorewall 1.2 -- Network Address Translation Table +# Shorewall 1.3 -- Network Address Translation Table # # /etc/shorewall/nat # diff --git a/Shorewall/params b/Shorewall/params index 6e9f4e468..fbea82388 100644 --- a/Shorewall/params +++ b/Shorewall/params @@ -1,5 +1,5 @@ # -# Shorewall 1.2 /etc/shorewall/params +# Shorewall 1.3 /etc/shorewall/params # # Assign any variables that you need here. # diff --git a/Shorewall/policy b/Shorewall/policy index 1a2b8c0a1..8545ec919 100644 --- a/Shorewall/policy +++ b/Shorewall/policy @@ -1,20 +1,20 @@ # -# Shorewall 1.2 -- Policy File +# Shorewall 1.3 -- Policy File # # /etc/shorewall/policy # # This file determines what to do with a new connection request if we # don't get a match from the /etc/shorewall/rules file or from the -# /etc/shorewall/common[.def] file. For each client/server pair, the +# /etc/shorewall/common[.def] file. For each source/destination pair, the # file is processed in order until a match is found ("all" will match # any client or server). # # Columns are: # -# CLIENT Location of client. Must be the name of a zone defined +# SOURCE Source zone. Must be the name of a zone defined # in /etc/shorewall/zones, $FW or "all". # -# SERVER Location of server. Must be the name of a zone defined +# DEST Destination zone. Must be the name of a zone defined # in /etc/shorewall/zones, $FW or "all" # # POLICY Policy if no match from the rules file is found. Must 
@@ -40,7 +40,7 @@ # d) All other connection requests are rejected and logged at level # KERNEL.INFO. ############################################################################### -#CLIENT SERVER POLICY LOG LEVEL LIMIT:BURST +#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST loc net ACCEPT net all DROP info all all REJECT info diff --git a/Shorewall/proxyarp b/Shorewall/proxyarp index 746d087f5..f7261543a 100644 --- a/Shorewall/proxyarp +++ b/Shorewall/proxyarp @@ -1,6 +1,6 @@ ############################################################################## # -# Shorewall 1.2 -- Proxy ARP +# Shorewall 1.3 -- Proxy ARP # # /etc/shorewall/proxyarp # diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index a2b4ea757..b56aab60f 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,12 +1,20 @@ -This is a minor release of Shorewall. +This is a major release of Shorewall. In this release: -1. Whitelist support has been added. -2. Optional SYN Flood protection is now available. -3. Aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES - now use the VLSM and broadcast address of the interface's - primary address. -4. Port forwarding rules may now optionally override the - contents of the /etc/shorewall/nat file. +1. The rules syntax for port forwarding and port redirection has been + simplified. + +2. Compatibility has been maintained with version 1.2 configurations so + that users may migrate their configuration at their convenience. + +WARNING: Compatibility has NOT been maintained with the parameterized + sample configurations which were withdrawn on 4/8/2002. Users + still employing one of those samples must upgrade to the + latest samples before running Shorewall 1.3 (Beta or Release). + +3. You may now exclude zone A from a DNAT or REDIRECT rule that applies + to zone B where zone A is a subzone of sone B. + + diff --git a/Shorewall/rules b/Shorewall/rules index c71c56dab..c07cbcca0 100755 --- a/Shorewall/rules +++ b/Shorewall/rules 
@@ -1,7 +1,7 @@ # -# Shorewall version 1.2 - Rules File +# Shorewall version 1.3 - Rules File # -# /etc/shorewall/rules +# /etc/shorewall/rules # # Rules in this file govern connection establishment. Requests and # responses are automatically allowed using connection tracking. @@ -12,32 +12,31 @@ # given. Notice that no white space is permitted between "!" and the # address/subnet. # -# If any of the following columns contain the word "none" then the rule -# is ignored: -# -# PORT(S), CLIENT PORT(S), CLIENT(S) and SERVER. -# # Columns are: # # -# RESULT ACCEPT, DROP or REJECT +# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT # -# ACCEPT -- allow the connection request -# DROP -- ignore the request -# REJECT -- disallow the request and return an -# icmp-unreachable packet. +# ACCEPT -- allow the connection request +# DROP -- ignore the request +# REJECT -- disallow the request and return an +# icmp-unreachable or an RST packet. +# DNAT -- Forward the request to another +# system (and optionally another port). +# REDIRECT -- Redirect the request to a local +# port on the firewall. # # May optionally be followed by ":" and a syslog log # level (e.g, REJECT:info). This causes the packet to be # logged at the specified level. # -# CLIENT(S) Hosts permitted to be clients. May be a zone defined +# SOURCE Hosts permitted to be clients. May be a zone defined # in /etc/shorewall/zones or $FW to indicate the # firewall itself. # # Clients may be further restricted to a list of subnets # and/or hosts by appending ":" and a comma-separated -# list of subnets and/or hosts. Hosts may be specified +# list of subnets and/or hosts. Hosts may be specified # by IP or MAC address; mac addresses must begin with # "~" and must use "-" as a separator. # 
@@ -49,7 +48,7 @@ # loc:192.168.1.1,192.168.1.2 # Hosts 192.168.1.1 and # 192.168.1.2 in the local zone. -# loc:~00-A0-C9-15-39-78 Host in the local zone with +# loc:~00-A0-C9-15-39-78 Host in the local zone with # MAC address 00:A0:C9:15:39:78. # # Alternatively, clients may be specified by interface @@ -57,7 +56,7 @@ # example, loc:eth1 specifies a client that # communicates with the firewall system through eth1. # -# SERVER Location of Server. May be a zone defined in +# DEST Location of Server. May be a zone defined in # /etc/shorewall/zones or $FW to indicate the firewall # itself. # @@ -70,17 +69,21 @@ # ":". If omitted, the firewall will not modifiy the # destination port. # -# Example: loc:192.168.1.3:8080 specifies a local +# Example: loc:192.168.1.3:3128 specifies a local # server at IP address 192.168.1.3 and listening on port -# 8080. The port number MUST be specified as an integer +# 3128. The port number MUST be specified as an integer # and not as a name from /etc/services. # +# if the RESULT is REDIRECT, this column needs only to +# contain the port number on the firewall that the request +# should be redirected to. +# # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # "all" or "related". If "related", the remainder of the # entry must be omitted and connection requests that are # related to existing requests will be accepted. # -# PORT(S) Destination Ports. A comma-separated list of Port +# DEST PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). 
@@ -99,53 +102,48 @@ # specify an ADDRESS in the next column, then place "-" # in this column. # -# ADDRESS (0ptional) If included and different from the IP +# DEST ADDRESS (0ptional) If included and different from the IP # address given in the SERVER column, this is an address # on some interface on the firewall and connections to # that address will be forwarded to the IP and port # specified in the SERVER column. # -# If the special value "all" is used, then requests from -# the client zone given in the CLIENT(s) column with the -# destination port given in PORT(s) will be forwarded to -# the IP address given in SERVER. The value "all" is -# intended to be used when your internet IP address is -# dynamic and you want to do port forwarding or you want -# to do proxy redirection. IT SHOULD NOT BE USED IN ANY -# OTHER SITUATION. +# The address may optionally be followed by +# a colon (":") and a second IP address. This causes +# Shorewall to use the second IP address as the source +# address in forwarded packets. See the Shorewall +# documentation for restrictions concerning this feature. +# If no source IP address is given, the original source +# address is not altered. # -# The address (or "all") may optionally be followed by -# a colon (":") an an IP address. This causes Shorewall -# to use the specified IP address as the source address -# in forwarded packets. See the Shorewall documentation -# for restrictions concerning this feature. If no source -# IP address is given, the original source address is not -# altered. 
+# Example: Accept SMTP requests from the DMZ to the internet +# +# #ACTION SOURCE DEST PROTO DEST SOURCE DEST +# # PORT PORT(S) ADDRESS +# ACCEPT dmz net tcp smtp # # Example: Forward all ssh and http connection requests from the internet # to local system 192.168.1.3 # -# #RESULT CLIENTS SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS -# ACCEPT net loc:192.168.1.3 tcp ssh,http - all +# #ACTION SOURCE DEST PROTO DEST SOURCE DEST +# # PORT PORT(S) ADDRESS +# DNAT net loc:192.168.1.3 tcp ssh,http # # Example: Redirect all locally-originating www connection requests to -# port 8080 on the firewall (Squid running on the firewall -# system)except when the destination address is 192.168.2.2 +# port 3128 on the firewall (Squid running on the firewall +# system) except when the destination address is 192.168.2.2 # -# #RESULT CLIENTS SERVER(S) PROTO PORTS(S) CLIENT PORT(S) ADDRESS -# ACCEPT loc $FW::8080 tcp www - !192.168.2.2 +# #ACTION SOURCE DEST PROTO DEST SOURCE DEST +# # PORT PORT(S) ADDRESS +# REDIRECT loc 3128 tcp www - !192.168.2.2 +# +# Example: All http requests from the internet to address +# 130.252.100.69 are to be forwarded to 192.168.1.3 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE DEST +# # PORT PORT(S) ADDRESS +# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 ############################################################################## -#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS -# -# Allow SSH from the local network -# -ACCEPT loc $FW tcp ssh -# -# Allow SSH and Auth from the internet -# -ACCEPT net $FW tcp ssh,auth -# -# Run an NTP daemon on the firewall that is synced with outside sources -# -ACCEPT $FW net udp ntp +#ACTION SOURCE DEST PROTO DEST SOURCE DEST +# PORT PORT(S) ADDRESS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 946e8072f..5814ec9a7 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall 
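Review bot: The rewritten DEST ADDRESS paragraph no longer says what a DNAT rule matches when the column is left empty, yet the new examples `DNAT net loc:192.168.1.3 tcp ssh,http` and `REDIRECT loc 3128 tcp www - !192.168.2.2` both leave it empty, and the removed text at least warned that the address-less ("all") form should only be used when the external address is dynamic. Presumably an empty column means every destination address arriving from SOURCE on those ports is rewritten, including traffic merely routed through the firewall, which is a broader match than most readers expect from a port-forward. Suggest restoring a sentence in the DEST ADDRESS description such as `# If this column is empty, the DNAT/REDIRECT rule applies to every destination address reaching the firewall from SOURCE; give the firewall's external address here unless that address is dynamic.` (wording to be confirmed against the firewall script, which is outside this hunk). The unchanged lines still refer to "the SERVER column", which this commit renames to DEST.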
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Shorewall Packet Filtering Firewall Control Program - V1.2 - 12/21/2001
+# Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002
 #
 # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
@@ -144,7 +144,20 @@ display_chains()
 timed_read
+ clear
+ echo -e "$banner `date`\\n"
+ echo -e "Input Chains\\n"
+
+ chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
+
+ for chain in $chains; do
+ showchain $chain
+ done
+
+ timed_read
+
 for zone in $zones multi; do
+ if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then
 clear
 echo -e "$banner `date`\\n"
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index aa84062df..dbad42c9b 100755
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@@ -1,5 +1,5 @@
 ##############################################################################
-# /etc/shorewall/shorewall.conf V1.2 - Change the following variables to
+# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
 # match your setup
 #
 # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec
index 607fdad64..f21da0923 100644
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 1.2
-%define release 13
+%define release 90
 %define prefix /usr
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -17,7 +17,6 @@
 BuildArch: noarch
 BuildRoot: /%{_tmppath}/%{name}-%{version}-%{release}-root
 Requires: iptables
 Conflicts: kernel <= 2.2
-Provides: shorewall
 %description
@@ -79,6 +78,9 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
+* Wed May 8 Tom Eastep
+- changed version to 90
+- removed 'provides' tag.
 * Tue Apr 23 2002 Tom Eastep
 - changed version to 13
 - Added whitelist file.
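Review bot: The new `chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`` in display_chains() uses a bracket expression, not an alternation: `[in|fwd]` matches one character from the set i, n, |, f, w, d, so it selects any chain whose name contains an underscore followed by one of those letters (a zone chain ending in `_fw` or `_dnat` would match) rather than only the per-interface `_in` and `_fwd` chains the "Input Chains" heading refers to. Use a real alternation anchored on the whole chain name, e.g. `chains=`grep -E '^Chain [^ ]*_(in|fwd) ' /tmp/chains-$$ | cut -d' ' -f 2``. Separately, `/tmp/chains-$$` is a predictable name under a world-writable directory, read here by a script that runs as root; its creation is outside this hunk, so I cannot tell whether it is made safely (mktemp, or a non-world-writable directory), but a pre-placed file or symlink at that path would feed this loop, so it is worth checking. display_chains() begins and ends outside the hunk.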
diff --git a/Shorewall/tcrules b/Shorewall/tcrules
index 082165d10..b36d01091 100755
--- a/Shorewall/tcrules
+++ b/Shorewall/tcrules
@@ -1,5 +1,5 @@
 #
-# Shorewall version 1.2 - Traffic Control Rules File
+# Shorewall version 1.3 - Traffic Control Rules File
 #
 # /etc/shorewall/tcrules
 #
diff --git a/Shorewall/tos b/Shorewall/tos
index 80b7ad3d8..0254fcdff 100755
--- a/Shorewall/tos
+++ b/Shorewall/tos
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.2 -- /etc/shorewall/tos
+# Shorewall 1.3 -- /etc/shorewall/tos
 #
 # This file defines rules for setting Type Of Service (TOS)
 #
diff --git a/Shorewall/tunnel b/Shorewall/tunnel
index 42d234f09..12b26523d 100755
--- a/Shorewall/tunnel
+++ b/Shorewall/tunnel
@@ -2,7 +2,7 @@
 RCDLINKS="2,S45 3,S45 6,K45"
 ################################################################################
-# Script to create a gre or ipip tunnel -- Shorewall 1.2
+# Script to create a gre or ipip tunnel -- Shorewall 1.3
 #
 # Modified - Steve Cowles 5/9/2000
 # Incorporated init {start|stop} syntax and iproute2 usage
diff --git a/Shorewall/tunnels b/Shorewall/tunnels
index e5ef9bc1b..1e841e814 100644
--- a/Shorewall/tunnels
+++ b/Shorewall/tunnels
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.2 - /etc/shorewall/tunnels
+# Shorewall 1.3 - /etc/shorewall/tunnels
 #
 # This file defines IPSEC, GRE and IPIP tunnels.
 #
diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh
index 46f8367b5..0ebae124a 100755
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.2.13
+VERSION=1.2.90
 usage() # $1 = exit status
 {