1.3 Beta 2 Snapshot

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@27 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-05-18 13:45:23 +00:00
parent e3b9278c5e
commit 44170128c2
27 changed files with 451 additions and 212 deletions


@ -1,4 +1,4 @@
Shoreline Firewall (Shorewall) Version 1.2 - 12/21/2001 Shoreline Firewall (Shorewall) Version 1.3 - 6/14/2002
----- ---- ----- ----
----------------------------------------------------------------------------- -----------------------------------------------------------------------------


@ -1,5 +1,5 @@
# #
# Shorewall 1.2 -- Blacklist File # Shorewall 1.3 -- Blacklist File
# #
# /etc/shorewall/blacklist # /etc/shorewall/blacklist
# #


@ -1,11 +1,29 @@
Changes since 1.2.12 Changes since 1.2.13
1. Changed all file versions to 1.3
2. Changed the rules file and firewall file to implement the new forwarding
and redirection syntax.
3. Removed the sample rules from the rules file -- the quickstart samples
should provide those sample rules.
4. Added a silent Auth reject rule to common.def.
5. Changed the handling of the nat table to have a separate chain for each
source zone.
6. Removed the code that tested each rules column for "none" -- this was never
documented and was there to support the brain-dead parameterized samples.
7. Reworked the chain structure in the filter table so that each interface has
its own input and forward chain.
8. Added logic to allow a subzone to be excluded from a DNAT or REDIRECT rule.
1. Added whitelist support
2. Added SYN Flood Protection
3. Make aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES look more
like what people expect.
4. Merged shorewall.conf file patch that adds the kernel config help
text for TCPMSS to the description of the Shorewall parameter.


@ -1,5 +1,5 @@
############################################################################ ############################################################################
# Shorewall 1.1 -- /etc/shorewall/common.def # Shorewall 1.3 -- /etc/shorewall/common.def
# #
# This file defines the rules that are applied before a policy of # This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file, # DROP or REJECT is applied. In addition to the rules defined in this file,
@ -31,4 +31,9 @@ run_iptables -A common -p udp --dport 1900 -j DROP
# #
run_iptables -A common -d 255.255.255.255 -j DROP run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP run_iptables -A common -d 224.0.0.0/4 -j DROP
############################################################################
# AUTH -- Reject it so that connections don't get delayed.
#
run_iptables -A common -p tcp --dport 113 -j reject
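Review bot: The header above the new rule only says "AUTH -- Reject it so that connections don't get delayed", which tells a reader neither which service tcp/113 is nor that the reject is intentionally unlogged (the changelog calls it a "silent Auth reject rule"). Suggest `# AUTH (ident, tcp port 113) -- reject it silently, without logging, so that remote servers that probe ident do not stall the client's connection while the probe times out.` It may also be worth stating that, like the broadcast and multicast drops above it, this rule lives in the common chain and therefore applies to every zone pair whose policy is DROP or REJECT, before that policy is reached.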


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.2.13 VERSION=1.2.90
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
RCDLINKS="2,S41 3,S41 6,K41" RCDLINKS="2,S41 3,S41 6,K41"
# #
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.2 12/21/2001 # The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
@ -216,6 +216,48 @@ addrule() # $1 = chain name, remainder of arguments specify the rule
run_iptables -A $@ run_iptables -A $@
} }
################################################################################
# Create a nat chain #
# #
# Create a variable ${1}_nat_exists and set its value to Yes to indicate that #
# the chain now exists. #
################################################################################
createnatchain() # $1 = chain name
{
run_iptables -t nat -N $1
eval ${1}_nat_exists=Yes
}
################################################################################
# Determine if a nat chain exists #
# #
# When we create a chain "chain", we create a variable named chain_nat_exists #
# and set its value to Yes. This function tests for the "_exists" variable #
# corresponding to the passed chain having the value of "Yes". #
################################################################################
havenatchain() # $1 = name of chain
{
eval test \"\$${1}_nat_exists\" = Yes
}
################################################################################
# Ensure that a chain exists (create it if it doesn't) #
################################################################################
ensurenatchain() # $1 = chain name
{
havenatchain $1 || createnatchain $1
}
################################################################################
# Add a rule to a nat chain creating the chain if necessary #
################################################################################
addnatrule() # $1 = chain name, remainder of arguments specify the rule
{
ensurenatchain $1
run_iptables -t nat -A $@
}
################################################################################ ################################################################################
# Delete a chain if it exists # # Delete a chain if it exists #
################################################################################ ################################################################################
@ -265,6 +307,42 @@ find_interfaces() # $1 = interface zone
done < $TMP_DIR/interfaces done < $TMP_DIR/interfaces
} }
################################################################################
# Chain name base for an interface #
################################################################################
chain_base() #$1 = interface
{
local c=${1%%+*}
echo ${c:=multi}
}
################################################################################
# Forward Chain for an interface #
################################################################################
forward_chain() # $1 = interface
{
echo `chain_base $interface`_fwd
}
################################################################################
# Input Chain for an interface #
################################################################################
input_chain() # $1 = interface
{
echo `chain_base $interface`_in
}
################################################################################
# First chains for an interface #
################################################################################
first_chains() #$1 = interface
{
local c=`chain_base $1`
echo ${c}_fwd ${c}_in
}
################################################################################ ################################################################################
# Find hosts in a given zone # # Find hosts in a given zone #
# # # #
@ -287,16 +365,11 @@ find_hosts() # $1 = host zone
# variable contains a space-separated list of interfaces to the zone # # variable contains a space-separated list of interfaces to the zone #
################################################################################ ################################################################################
determine_interfaces() { determine_interfaces() {
local all_interfaces
for zone in $zones multi; do for zone in $zones multi; do
interfaces=`find_interfaces $zone` interfaces=`find_interfaces $zone`
interfaces=`echo $interfaces` # Remove extra trash interfaces=`echo $interfaces` # Remove extra trash
eval ${zone}_interfaces="\$interfaces" eval ${zone}_interfaces="\$interfaces"
all_interfaces=${all_interfaces:-$interfaces}
done done
[ -n "$all_interfaces" ] || startup_error "Error: No interfaces defined"
} }
################################################################################ ################################################################################
@ -360,6 +433,12 @@ validate_interfaces_file() {
r="$z $interface $subnet $options" r="$z $interface $subnet $options"
[ "x$z" = "x-" ] || validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" [ "x$z" = "x-" ] || validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
for intr in $all_interfaces; do
[ "$intr" = "$interface" ] && startup_error "Duplicate Interface $intr"
done
all_interfaces="$all_interfaces $interface"
for option in `separate_list $options`; do for option in `separate_list $options`; do
case $option in case $option in
dhcp|noping|routestopped|norfc1918|multi|routefilter|dropunclean|logunclean|blacklist|-) dhcp|noping|routestopped|norfc1918|multi|routefilter|dropunclean|logunclean|blacklist|-)
@ -369,6 +448,9 @@ validate_interfaces_file() {
;; ;;
esac esac
done done
[ -z "$all_interfaces" ] && startup_error "Error: No Interfaces Defined"
done < $TMP_DIR/interfaces done < $TMP_DIR/interfaces
} }
@ -537,6 +619,33 @@ validate_rule() {
fi fi
logtarget="$target" logtarget="$target"
#
# DNAT and REDIRECT targets were implemented in version 1.3 to replace
# an older syntax. We simply map the new syntax into the old and proceed;
# that way, people who have files with the old syntax don't need to
# convert right away.
#
case $target in
DNAT)
target=ACCEPT
address=${address:=all}
;;
REDIRECT)
target=ACCEPT
address=${address:=all}
if [ "x-" = "x$servers" ]; then
servers=$FW
else
servers="fw::$servers"
fi
;;
ACCEPT|DROP|REJECT)
;;
*)
startup_error " Error: Invalid target;" \
" rule: \"$rule\""
esac
if [ "$clients" = "${clients%:*}" ]; then if [ "$clients" = "${clients%:*}" ]; then
clientzone="$clients" clientzone="$clients"
@ -545,6 +654,16 @@ validate_rule() {
clientzone="${clients%:*}" clientzone="${clients%:*}"
clients="${clients#*:}" clients="${clients#*:}"
fi fi
if [ "$clientzone" = "${clientzone%\!*}" ]; then
excludezones=
else
excludezones="${clientzone#*\!}"
clientzone="${clientzone%\!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
startup_error " Error: Exclude list only allowed with DNAT or REDIRECT"
fi
############################################################################ ############################################################################
# Validate the Source Zone # Validate the Source Zone
@ -584,11 +703,6 @@ validate_rule() {
############################################################################ ############################################################################
# Iterate through the various lists validating individual rules # Iterate through the various lists validating individual rules
# #
[ "$ports" = "none" -o "$ports" = "None" -o \
"$cports" = "none" -o "$cports" = "None" -o \
"$clients" = "none" -o "$clients" = "None" -o \
"$servers" = "none" -o "$servers" = "None" ] || \
{
for client in `separate_list ${clients:=-}`; do for client in `separate_list ${clients:=-}`; do
for server in `separate_list ${servers:=-}`; do for server in `separate_list ${servers:=-}`; do
for port in `separate_list ${ports:=-}`; do for port in `separate_list ${ports:=-}`; do
@ -601,7 +715,6 @@ validate_rule() {
echo " Rule \"$rule\" validated." echo " Rule \"$rule\" validated."
} }
}
################################################################################ ################################################################################
# validate the rules file # # validate the rules file #
@ -614,7 +727,7 @@ validate_rules() # $1 = name of rules file
expandv clients servers protocol ports cports address expandv clients servers protocol ports cports address
case "$target" in case "$target" in
ACCEPT*|DROP*|REJECT*) ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*)
rule="`echo $target $clients $servers $protocol $ports $cports $address`" rule="`echo $target $clients $servers $protocol $ports $cports $address`"
validate_rule validate_rule
;; ;;
@ -1239,9 +1352,82 @@ delete_tc()
# and has loaded a space-separated list of their values in "rule". # # and has loaded a space-separated list of their values in "rule". #
################################################################################ ################################################################################
process_rule() { process_rule() {
############################################################################
# Add a NAT rule
#
add_nat_rule() {
local chain
if [ -z "$NAT_ENABLED" ]; then
fatal_error \
" Error - Rule \"$rule\" requires NAT which is disabled"
fi
if [ "$target" != "ACCEPT" ]; then
fatal_error " Error - Only ACCEPT rules may specify " \
"port mapping; rule \"$rule\""
fi
if [ "$addr" != "${addr%:*}" ]; then
snat="${addr#*:}"
addr="${addr%:*}"
else
snat=""
fi
[ "$addr" = "all" ] && addr= || addr="-d $addr"
if [ -n "$serv" ]; then
servport="${servport:+:$servport}"
target1="DNAT --to-destination ${serv}${servport}"
else
target1="REDIRECT --to-port $servport"
fi
if [ "$source" = "$FW" ]; then
run_iptables -t nat -A OUTPUT $proto $sports $addr \
$dports -j $target1
else
chain=$source
if [ -n "$excludezones" ]; then
chain=nonat${nonat_seq}
nonat_seq=$(($nonat_seq + 1))
createnatchain $chain
addnatrule $source -j $chain
for z in $excludezones; do
eval hosts=\$${z}_hosts
for host in $hosts; do
addnatrule $chain $proto -s ${host#*:} \
$sports $addr $dports -j RETURN
done
done
fi
addnatrule $chain $proto $cli $sports \
$addr $dports -j $target1
fi
[ -n "$servport" ] && dports="--dport ${servport#*:}"
if [ -n "$snat" ]; then
if [ -n "$cli" ]; then
run_iptables -t nat -A POSTROUTING $proto $cli \
$sports -d $serv $dports -j SNAT --to-source $snat
else
for source_host in $source_hosts; do
run_iptables -t nat -A POSTROUTING \
-s ${source_host#*:} $proto $sports \
-d $serv $dports -j SNAT --to-source $snat
done
fi
fi
}
############################################################################ ############################################################################
# Add one rule # Add one rule
# #
add_a_rule() { add_a_rule() {
######################################################################## ########################################################################
# Determine the format of the client # Determine the format of the client
@ -1317,7 +1503,14 @@ process_rule() {
proto="${proto:+-p $proto}" proto="${proto:+-p $proto}"
[ "$target" = REJECT ] && target=reject case "$logtarget" in
REJECT)
target=reject
;;
REDIRECT)
servport=${servport:=$port}
;;
esac
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then
error_message " Warning -- Rule \"$rule\" is a POLICY" error_message " Warning -- Rule \"$rule\" is a POLICY"
@ -1332,67 +1525,13 @@ process_rule() {
############################################################## ##############################################################
# Must use Prerouting DNAT # Must use Prerouting DNAT
# #
if [ -z "$NAT_ENABLED" ]; then add_nat_rule
fatal_error \
" Error - Rule \"$rule\" requires NAT which is disabled"
fi
if [ "$target" != "ACCEPT" ]; then
fatal_error " Error - Only ACCEPT rules may specify " \
"port mapping; rule \"$rule\""
fi
if [ "$addr" != "${addr%:*}" ]; then
snat="${addr#*:}"
addr="${addr%:*}"
else
snat=""
fi
[ "$addr" = "all" ] && addr= || addr="-d $addr"
if [ -n "$serv" ]; then
servport="${servport:+:$servport}"
target1="DNAT --to-destination ${serv}${servport}"
else
target1="REDIRECT --to-port $servport"
fi
if [ "$source" = "$FW" ]; then
run_iptables -t nat -A OUTPUT $proto $sports $addr \
$dports -j $target1
elif [ -n "$cli" ]; then
run_iptables -t nat -A PREROUTING $proto $cli $sports \
$addr $dports -j $target1
else
for source_host in $source_hosts; do
run_iptables -t nat -A PREROUTING \
-i ${source_host%:*} \
-s ${source_host#*:} $proto $sports \
$addr $dports -j $target1
done
fi
[ -n "$servport" ] && dports="--dport ${servport#*:}"
if [ -n "$snat" ]; then
if [ -n "$cli" ]; then
run_iptables -t nat -A POSTROUTING $proto $cli \
$sports -d $serv $dports -j SNAT --to-source $snat
else
for source_host in $source_hosts; do
run_iptables -t nat -A POSTROUTING \
-s ${source_host#*:} $proto $sports \
-d $serv $dports -j SNAT --to-source $snat
done
fi
fi
fi fi
serv="${serv:+-d $serv}" serv="${serv:+-d $serv}"
[ -n "$loglevel" ] && run_iptables -A $chain $proto $state $cli \ [ -n "$loglevel" ] && run_iptables -A $chain $proto $state \
$sports $serv $dports -j LOG $LOGPARMS --log-prefix \ $cli $sports $serv $dports -j LOG $LOGPARMS --log-prefix \
"Shorewall:$chain:$logtarget:" --log-level $loglevel "Shorewall:$chain:$logtarget:" --log-level $loglevel
run_iptables -A $chain $proto $state $cli $sports \ run_iptables -A $chain $proto $state $cli $sports \
$serv $dports -j $target $serv $dports -j $target
@ -1427,6 +1566,28 @@ process_rule() {
fi fi
logtarget="$target" logtarget="$target"
#
# DNAT and REDIRECT targets were implemented in version 1.3 to replace
# an older syntax. We simply map the new syntax into the old and proceed;
# that way, people who have files with the old syntax don't need to
# convert right away.
#
case $target in
DNAT)
target=ACCEPT
address=${address:=all}
;;
REDIRECT)
target=ACCEPT
address=${address:=all}
if [ "x-" = "x$servers" ]; then
servers=$FW
else
servers="$FW::$servers"
fi
;;
esac
if [ "$clients" = "${clients%:*}" ]; then if [ "$clients" = "${clients%:*}" ]; then
clientzone="$clients" clientzone="$clients"
@ -1436,6 +1597,16 @@ process_rule() {
clients="${clients#*:}" clients="${clients#*:}"
fi fi
if [ "$clientzone" = "${clientzone%\!*}" ]; then
excludezones=
else
excludezones="${clientzone#*\!}"
clientzone="${clientzone%\!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
fatal_error " Error: Exclude list only allowed with DNAT or REDIRECT"
fi
############################################################################ ############################################################################
# Validate the Source Zone # Validate the Source Zone
@ -1473,18 +1644,13 @@ process_rule() {
dest=$serverzone dest=$serverzone
############################################################################ ############################################################################
# Create the canonlcal chain if it doesn't exist # Create the canonical chain if it doesn't exist
# #
chain=${source}2${dest} chain=${source}2${dest}
ensurechain $chain ensurechain $chain
############################################################################ ############################################################################
# Iterate through the various lists creating individual rules # Iterate through the various lists creating individual rules
# #
[ "$ports" = "none" -o "$ports" = "None" -o \
"$cports" = "none" -o "$cports" = "None" -o \
"$clients" = "none" -o "$clients" = "None" -o \
"$servers" = "none" -o "$servers" = "None" ] || \
{
for client in `separate_list ${clients:=-}`; do for client in `separate_list ${clients:=-}`; do
for server in `separate_list ${servers:=-}`; do for server in `separate_list ${servers:=-}`; do
for port in `separate_list ${ports:=-}`; do for port in `separate_list ${ports:=-}`; do
@ -1497,7 +1663,6 @@ process_rule() {
echo " Rule \"$rule\" added." echo " Rule \"$rule\" added."
} }
}
################################################################################ ################################################################################
# Process the rules file # # Process the rules file #
@ -1509,7 +1674,7 @@ process_rules() # $1 = name of rules file
while read target clients servers protocol ports cports address; do while read target clients servers protocol ports cports address; do
case "$target" in case "$target" in
ACCEPT*|DROP*|REJECT*) ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*)
expandv clients servers protocol ports cports address expandv clients servers protocol ports cports address
rule="`echo $target $clients $servers $protocol $ports $cports $address`" rule="`echo $target $clients $servers $protocol $ports $cports $address`"
process_rule process_rule
@ -2146,8 +2311,10 @@ setup_blacklist() {
createchain blacklst no createchain blacklst no
for interface in $interfaces; do for interface in $interfaces; do
run_iptables -A INPUT -i $interface -j blacklst for chain in `first_chains $interface`; do
run_iptables -A FORWARD -i $interface -j blacklst run_iptables -A $chain -i $interface -j blacklst
done
echo " Blacklisting enabled on $interface" echo " Blacklisting enabled on $interface"
done done
@ -2319,6 +2486,17 @@ initialize_netfilter () {
createchain icmpdef no createchain icmpdef no
createchain common no createchain common no
createchain reject no createchain reject no
echo "Creating input Chains..."
for interface in $all_interfaces; do
chain=`forward_chain $interface`
if ! havechain $chain; then
createchain $chain no
createchain `input_chain $interface` no
fi
done
} }
################################################################################ ################################################################################
@ -2349,7 +2527,7 @@ add_common_rules() {
echo "Mangled/Invalid Packet filtering enabled on:" echo "Mangled/Invalid Packet filtering enabled on:"
for interface in $interfaces; do for interface in $interfaces; do
for chain in INPUT FORWARD; do for chain in `first_chains $interface`; do
run_iptables -A $chain -i $interface --match unclean -j badpkt run_iptables -A $chain -i $interface --match unclean -j badpkt
done done
echo " $interface" echo " $interface"
@ -2372,7 +2550,7 @@ add_common_rules() {
echo "Mangled/Invalid Packet Logging enabled on:" echo "Mangled/Invalid Packet Logging enabled on:"
for interface in $interfaces; do for interface in $interfaces; do
for chain in INPUT FORWARD; do for chain in `first_chains $interface`; do
run_iptables -A $chain -i $interface --match unclean -j logpkt run_iptables -A $chain -i $interface --match unclean -j logpkt
done done
echo " $interface" echo " $interface"
@ -2465,8 +2643,10 @@ add_common_rules() {
done done
for interface in $norfc1918_interfaces; do for interface in $norfc1918_interfaces; do
run_iptables -A INPUT -i $interface -j rfc1918 for chain in `first_chains $interface`; do
run_iptables -A FORWARD -i $interface -j rfc1918 run_iptables -A $chain -i $interface -j rfc1918
done
[ -n "$MANGLE_ENABLED" ] && \ [ -n "$MANGLE_ENABLED" ] && \
run_iptables -t mangle -A PREROUTING -i $interface -j rfc1918 run_iptables -t mangle -A PREROUTING -i $interface -j rfc1918
done done
@ -2596,7 +2776,7 @@ activate_rules() {
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
subnet=${host#*:} subnet=${host#*:}
chain=INPUT chain=`input_chain $interface`
if [ "$zone" != "multi" ]; then if [ "$zone" != "multi" ]; then
# #
@ -2613,6 +2793,11 @@ activate_rules() {
run_iptables -A OUTPUT -o \ run_iptables -A OUTPUT -o \
$interface -d $subnet -j `rules_chain $FW $zone` $interface -d $subnet -j `rules_chain $FW $zone`
if havenatchain $zone; then
run_iptables -t nat -A PREROUTING \
-i $interface -s $subnet -j $zone
fi
fi fi
run_iptables -A $chain -i $interface -s $subnet \ run_iptables -A $chain -i $interface -s $subnet \
@ -2627,17 +2812,20 @@ activate_rules() {
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
subnet=${host#*:} subnet=${host#*:}
chain1=`forward_chain $interface`
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
interface1=${host1%:*} interface1=${host1%:*}
subnet1=${host1#*:} subnet1=${host1#*:}
[ $interface = $interface1 -a "x$subnet" = "x$subnet1" ] ||\ [ $interface = $interface1 -a "x$subnet" = "x$subnet1" ] ||\
run_iptables -A FORWARD -i $interface -s $subnet \ run_iptables -A $chain1 -i $interface -s $subnet \
-o $interface1 -d $subnet1 -j $chain -o $interface1 -d $subnet1 -j $chain
done done
done done
done done
done done
while read zone interface broadcast options; do while read zone interface broadcast options; do
@ -2647,13 +2835,19 @@ activate_rules() {
expandv interface options && \ expandv interface options && \
for option in `separate_list $options`; do for option in `separate_list $options`; do
[ "$option" = "multi" ] && \ [ "$option" = "multi" ] && \
run_iptables -A FORWARD -i $interface \ run_iptables -A `forward_chain $interface` \
-i $interface \
-o $interface -j ${zone}2${zone} && \ -o $interface -j ${zone}2${zone} && \
break 1 break 1
done done
done done
done < $TMP_DIR/interfaces done < $TMP_DIR/interfaces
for interface in $all_interfaces; do
run_iptables -A FORWARD -i $interface -j `forward_chain $interface`
run_iptables -A INPUT -i $interface -j `input_chain $interface`
done
complete_standard_chain INPUT all $FW complete_standard_chain INPUT all $FW
complete_standard_chain OUTPUT $FW all complete_standard_chain OUTPUT $FW all
complete_standard_chain FORWARD all all complete_standard_chain FORWARD all all
@ -2705,8 +2899,8 @@ define_firewall() # $1 = Command (Start or Restart)
echo "Adding rules for DHCP" echo "Adding rules for DHCP"
for interface in `find_interfaces_by_option dhcp`; do for interface in `find_interfaces_by_option dhcp`; do
iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT
iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
done done
echo "Setting up ICMP Echo handling..." echo "Setting up ICMP Echo handling..."
@ -2935,6 +3129,7 @@ do_initialize() {
stopping= stopping=
have_mutex= have_mutex=
masq_seq=1 masq_seq=1
nonat_seq=1
TMP_DIR=/tmp/shorewall-$$ TMP_DIR=/tmp/shorewall-$$
rm -rf $TMP_DIR rm -rf $TMP_DIR
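Review bot: forward_chain() and input_chain() are documented as taking `$1 = interface` but both read the global `$interface` instead (`echo \`chain_base $interface\`_fwd`), so they only work while the caller's loop variable happens to be named interface; first_chains() correctly uses `$1`, and the two should read `echo \`chain_base $1\`_fwd` and `echo \`chain_base $1\`_in`. In validate_interfaces_file the new `[ -z "$all_interfaces" ] && startup_error "Error: No Interfaces Defined"` sits inside the `while read` loop, after the record's interface has already been appended to all_interfaces, so it can never fire and an empty interfaces file now passes silently since the equivalent check was removed from determine_interfaces; moving it after `done < $TMP_DIR/interfaces` makes it effective. The REDIRECT mapping in validate_rule builds `servers="fw::$servers"` with a literal zone name while the same mapping in process_rule uses `servers="$FW::$servers"`, so with FW set to anything other than fw the rule is validated against a different destination zone than the one it is later built for; validate_rule should use `$FW` as well. The new createnatchain/havenatchain helpers pass the chain name through eval, presumably mirroring the existing filter-table helpers; since that name is derived from zone names in the configuration, this relies on validate_zone having rejected names that are not safe shell identifiers, which is worth a comment on createnatchain.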


@ -1,5 +1,5 @@
# #
# Shorewall 1.2 -- /etc/shorewall/functions # Shorewall 1.3 -- /etc/shorewall/functions
# #
# Suppress all output for a command # Suppress all output for a command


@ -1,5 +1,5 @@
# #
# Shorewall 1.2 - /etc/shorewall/hosts # Shorewall 1.3 - /etc/shorewall/hosts
# #
# WARNING: 90% of Shorewall users don't need to add entries to this # WARNING: 90% of Shorewall users don't need to add entries to this
# file and 80% of those who try to add such entries get it # file and 80% of those who try to add such entries get it


@ -1,5 +1,5 @@
############################################################################## ##############################################################################
# Shorewall 1.2 /etc/shorewall/icmp.def # Shorewall 1.3 /etc/shorewall/icmp.def
# #
# This file defines the default rules for accepting ICMP packets. # This file defines the default rules for accepting ICMP packets.
# #


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.2.13 VERSION=1.2.90
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,5 +1,5 @@
# #
# Shorewall 1.2 -- Interfaces File # Shorewall 1.3 -- Interfaces File
# #
# /etc/shorewall/interfaces # /etc/shorewall/interfaces
# #


@ -1,5 +1,5 @@
# #
# Shorewall 1.2 - Masquerade file # Shorewall 1.3 - Masquerade file
# #
# /etc/shorewall/masq # /etc/shorewall/masq
# #


@ -1,5 +1,5 @@
############################################################################## ##############################################################################
# Shorewall 1.2 /etc/shorewall/modules # Shorewall 1.3 /etc/shorewall/modules
# #
# This file loads the modules needed by the firewall. # This file loads the modules needed by the firewall.


@ -1,6 +1,6 @@
############################################################################## ##############################################################################
# #
# Shorewall 1.2 -- Network Address Translation Table # Shorewall 1.3 -- Network Address Translation Table
# #
# /etc/shorewall/nat # /etc/shorewall/nat
# #


@ -1,5 +1,5 @@
# #
# Shorewall 1.2 /etc/shorewall/params # Shorewall 1.3 /etc/shorewall/params
# #
# Assign any variables that you need here. # Assign any variables that you need here.
# #


@ -1,20 +1,20 @@
# #
# Shorewall 1.2 -- Policy File # Shorewall 1.3 -- Policy File
# #
# /etc/shorewall/policy # /etc/shorewall/policy
# #
# This file determines what to do with a new connection request if we # This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the # don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each client/server pair, the # /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match # file is processed in order until a match is found ("all" will match
# any client or server). # any client or server).
# #
# Columns are: # Columns are:
# #
# CLIENT Location of client. Must be the name of a zone defined # SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all". # in /etc/shorewall/zones, $FW or "all".
# #
# SERVER Location of server. Must be the name of a zone defined # DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all" # in /etc/shorewall/zones, $FW or "all"
# #
# POLICY Policy if no match from the rules file is found. Must # POLICY Policy if no match from the rules file is found. Must
@ -40,7 +40,7 @@
# d) All other connection requests are rejected and logged at level # d) All other connection requests are rejected and logged at level
# KERNEL.INFO. # KERNEL.INFO.
############################################################################### ###############################################################################
#CLIENT SERVER POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT loc net ACCEPT
net all DROP info net all DROP info
all all REJECT info all all REJECT info


@ -1,6 +1,6 @@
############################################################################## ##############################################################################
# #
# Shorewall 1.2 -- Proxy ARP # Shorewall 1.3 -- Proxy ARP
# #
# /etc/shorewall/proxyarp # /etc/shorewall/proxyarp
# #


@ -1,12 +1,20 @@
This is a minor release of Shorewall. This is a major release of Shorewall.
In this release: In this release:
1. Whitelist support has been added. 1. The rules syntax for port forwarding and port redirection has been
2. Optional SYN Flood protection is now available. simplified.
3. Aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES
now use the VLSM and broadcast address of the interface's 2. Compatibility has been maintained with version 1.2 configurations so
primary address. that users may migrate their configuration at their convenience.
4. Port forwarding rules may now optionally override the
contents of the /etc/shorewall/nat file. WARNING: Compatibility has NOT been maintained with the parameterized
sample configurations which were withdrawn on 4/8/2002. Users
still employing one of those samples must upgrade to the
latest samples before running Shorewall 1.3 (Beta or Release).
3. You may now exclude zone A from a DNAT or REDIRECT rule that applies
to zone B where zone A is a subzone of sone B.


@ -1,5 +1,5 @@
# #
# Shorewall version 1.2 - Rules File # Shorewall version 1.3 - Rules File
# #
# /etc/shorewall/rules # /etc/shorewall/rules
# #
@ -12,26 +12,25 @@
# given. Notice that no white space is permitted between "!" and the # given. Notice that no white space is permitted between "!" and the
# address/subnet. # address/subnet.
# #
# If any of the following columns contain the word "none" then the rule
# is ignored:
#
# PORT(S), CLIENT PORT(S), CLIENT(S) and SERVER.
#
# Columns are: # Columns are:
# #
# #
# RESULT ACCEPT, DROP or REJECT # ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT
# #
# ACCEPT -- allow the connection request # ACCEPT -- allow the connection request
# DROP -- ignore the request # DROP -- ignore the request
# REJECT -- disallow the request and return an # REJECT -- disallow the request and return an
# icmp-unreachable packet. # icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another port).
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# #
# May optionally be followed by ":" and a syslog log # May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be # level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level. # logged at the specified level.
# #
# CLIENT(S) Hosts permitted to be clients. May be a zone defined # SOURCE Hosts permitted to be clients. May be a zone defined
# in /etc/shorewall/zones or $FW to indicate the # in /etc/shorewall/zones or $FW to indicate the
# firewall itself. # firewall itself.
# #
@ -57,7 +56,7 @@
# example, loc:eth1 specifies a client that # example, loc:eth1 specifies a client that
# communicates with the firewall system through eth1. # communicates with the firewall system through eth1.
# #
# SERVER Location of Server. May be a zone defined in # DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones or $FW to indicate the firewall # /etc/shorewall/zones or $FW to indicate the firewall
# itself. # itself.
# #
@ -70,17 +69,21 @@
# ":". If omitted, the firewall will not modifiy the # ":". If omitted, the firewall will not modifiy the
# destination port. # destination port.
# #
# Example: loc:192.168.1.3:8080 specifies a local # Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port # server at IP address 192.168.1.3 and listening on port
# 8080. The port number MUST be specified as an integer # 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services. # and not as a name from /etc/services.
# #
# if the RESULT is REDIRECT, this column needs only to
# contain the port number on the firewall that the request
# should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# "all" or "related". If "related", the remainder of the # "all" or "related". If "related", the remainder of the
# entry must be omitted and connection requests that are # entry must be omitted and connection requests that are
# related to existing requests will be accepted. # related to existing requests will be accepted.
# #
# PORT(S) Destination Ports. A comma-separated list of Port # DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port # names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is # ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
@ -99,53 +102,48 @@
# specify an ADDRESS in the next column, then place "-" # specify an ADDRESS in the next column, then place "-"
# in this column. # in this column.
# #
# ADDRESS (0ptional) If included and different from the IP # DEST ADDRESS (0ptional) If included and different from the IP
# address given in the SERVER column, this is an address # address given in the SERVER column, this is an address
# on some interface on the firewall and connections to # on some interface on the firewall and connections to
# that address will be forwarded to the IP and port # that address will be forwarded to the IP and port
# specified in the SERVER column. # specified in the SERVER column.
# #
# If the special value "all" is used, then requests from # The address may optionally be followed by
# the client zone given in the CLIENT(s) column with the # a colon (":") and a second IP address. This causes
# destination port given in PORT(s) will be forwarded to # Shorewall to use the second IP address as the source
# the IP address given in SERVER. The value "all" is # address in forwarded packets. See the Shorewall
# intended to be used when your internet IP address is # documentation for restrictions concerning this feature.
# dynamic and you want to do port forwarding or you want # If no source IP address is given, the original source
# to do proxy redirection. IT SHOULD NOT BE USED IN ANY # address is not altered.
# OTHER SITUATION.
# #
# The address (or "all") may optionally be followed by # Example: Accept SMTP requests from the DMZ to the internet
# a colon (":") an an IP address. This causes Shorewall #
# to use the specified IP address as the source address # #ACTION SOURCE DEST PROTO DEST SOURCE DEST
# in forwarded packets. See the Shorewall documentation # # PORT PORT(S) ADDRESS
# for restrictions concerning this feature. If no source # ACCEPT dmz net tcp smtp
# IP address is given, the original source address is not
# altered.
# #
# Example: Forward all ssh and http connection requests from the internet # Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3 # to local system 192.168.1.3
# #
# #RESULT CLIENTS SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS # #ACTION SOURCE DEST PROTO DEST SOURCE DEST
# ACCEPT net loc:192.168.1.3 tcp ssh,http - all # # PORT PORT(S) ADDRESS
# DNAT net loc:192.168.1.3 tcp ssh,http
# #
# Example: Redirect all locally-originating www connection requests to # Example: Redirect all locally-originating www connection requests to
# port 8080 on the firewall (Squid running on the firewall # port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2 # system) except when the destination address is 192.168.2.2
# #
# #RESULT CLIENTS SERVER(S) PROTO PORTS(S) CLIENT PORT(S) ADDRESS # #ACTION SOURCE DEST PROTO DEST SOURCE DEST
# ACCEPT loc $FW::8080 tcp www - !192.168.2.2 # # PORT PORT(S) ADDRESS
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE DEST
# # PORT PORT(S) ADDRESS
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
############################################################################## ##############################################################################
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS #ACTION SOURCE DEST PROTO DEST SOURCE DEST
# # PORT PORT(S) ADDRESS
# Allow SSH from the local network
#
ACCEPT loc $FW tcp ssh
#
# Allow SSH and Auth from the internet
#
ACCEPT net $FW tcp ssh,auth
#
# Run an NTP daemon on the firewall that is synced with outside sources
#
ACCEPT $FW net udp ntp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
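Review bot: The paragraph added at the end of the DEST column description still calls the first column RESULT (`if the RESULT is REDIRECT, this column needs only to contain the port number on the firewall`) although the same commit renames that column to ACTION in the column list and in every example; it should read `if the ACTION is REDIRECT, this column needs only to contain the port number on the firewall`. The DEST ADDRESS paragraph in the following hunk has the mirror-image problem: its two references to "the SERVER column" are unchanged context lines that now point at a column this commit renamed to DEST. Since this header is the reference users read when writing rules, a stale column name here is likely to produce rules that do not express what the author intended.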


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Shorewall Packet Filtering Firewall Control Program - V1.2 - 12/21/2001 # Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
@ -144,7 +144,20 @@ display_chains()
timed_read timed_read
clear
echo -e "$banner `date`\\n"
echo -e "Input Chains\\n"
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
for chain in $chains; do
showchain $chain
done
timed_read
for zone in $zones multi; do for zone in $zones multi; do
if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then
clear clear
echo -e "$banner `date`\\n" echo -e "$banner `date`\\n"
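Review bot: The pattern `'^Chain.*_[in|fwd]'` on the added `chains=` line is a bracket expression, not an alternation: after `_` it matches one character from the set i, n, |, f, w, d, and the preceding `.*` lets that match occur anywhere after `Chain`, so besides `eth0_in` and `eth0_fwd` it also selects any chain whose name contains `_` followed by one of those six characters. If the intent is exactly the per-interface input and forward chains this release introduces (as the changelog suggests), `chains=\`grep -E '^Chain [^ ]+_(in|fwd) ' /tmp/chains-$$ | cut -d' ' -f 2\`` expresses that. display_chains starts and ends outside the hunk.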


@ -1,5 +1,5 @@
############################################################################## ##############################################################################
# /etc/shorewall/shorewall.conf V1.2 - Change the following variables to # /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
# match your setup # match your setup
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]


@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 1.2 %define version 1.2
%define release 13 %define release 90
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -17,7 +17,6 @@ BuildArch: noarch
BuildRoot: /%{_tmppath}/%{name}-%{version}-%{release}-root BuildRoot: /%{_tmppath}/%{name}-%{version}-%{release}-root
Requires: iptables Requires: iptables
Conflicts: kernel <= 2.2 Conflicts: kernel <= 2.2
Provides: shorewall
%description %description
@ -79,6 +78,9 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Wed May 8 Tom Eastep <tom@shorewall.net>
- changed version to 90
- removed 'provides' tag.
* Tue Apr 23 2002 Tom Eastep <tom@shorewall.net> * Tue Apr 23 2002 Tom Eastep <tom@shorewall.net>
- changed version to 13 - changed version to 13
- Added whitelist file. - Added whitelist file.
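Review bot: The new %changelog entry `* Wed May 8 Tom Eastep <tom@shorewall.net>` omits the year, unlike the existing entry directly below it (`* Tue Apr 23 2002 Tom Eastep <tom@shorewall.net>`); rpmbuild expects the `* Day Mon DD YYYY Name <email>` form and will reject or warn about a malformed changelog date. It should read `* Wed May 8 2002 Tom Eastep <tom@shorewall.net>`.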


@ -1,5 +1,5 @@
# #
# Shorewall version 1.2 - Traffic Control Rules File # Shorewall version 1.3 - Traffic Control Rules File
# #
# /etc/shorewall/tcrules # /etc/shorewall/tcrules
# #


@ -1,5 +1,5 @@
# #
# Shorewall 1.2 -- /etc/shorewall/tos # Shorewall 1.3 -- /etc/shorewall/tos
# #
# This file defines rules for setting Type Of Service (TOS) # This file defines rules for setting Type Of Service (TOS)
# #


@ -2,7 +2,7 @@
RCDLINKS="2,S45 3,S45 6,K45" RCDLINKS="2,S45 3,S45 6,K45"
################################################################################ ################################################################################
# Script to create a gre or ipip tunnel -- Shorewall 1.2 # Script to create a gre or ipip tunnel -- Shorewall 1.3
# #
# Modified - Steve Cowles 5/9/2000 # Modified - Steve Cowles 5/9/2000
# Incorporated init {start|stop} syntax and iproute2 usage # Incorporated init {start|stop} syntax and iproute2 usage


@ -1,5 +1,5 @@
# #
# Shorewall 1.2 - /etc/shorewall/tunnels # Shorewall 1.3 - /etc/shorewall/tunnels
# #
# This file defines IPSEC, GRE and IPIP tunnels. # This file defines IPSEC, GRE and IPIP tunnels.
# #


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.2.13 VERSION=1.2.90
usage() # $1 = exit status usage() # $1 = exit status
{ {