Final 1.3 Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@41 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-05-30 12:55:47 +00:00
parent 390ee5a4a0
commit 5245e3b75a
13 changed files with 182 additions and 207 deletions


@ -20,6 +20,10 @@ Changes since 1.2.13
its own input and forward chain.
8. Added logic to allow a subzone to be excluded from a DNAT or REDIRECT rule.
9. Removed white list capability
10. Added 'filterping' interface option.


@ -6,8 +6,11 @@
# the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect").
#
# Do not modify this file -- if you wish to change these rules, copy this
# file to /etc/shorewall/common and modify that file.
# Do not modify this file -- if you wish to change these rules, create
# /etc/shorewall/common to replace it. It is suggested that you include
# the command "source /etc/shorewall/common.def" in your
# /etc/shorewall/common file so that you will continue to get the
# advantage of new releases of this file.
#
run_iptables -A common -p icmp -j icmpdef
############################################################################
@ -32,7 +35,7 @@ run_iptables -A common -p udp --dport 1900 -j DROP
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
############################################################################
# AUTH -- Reject it so that connections don't get delayed.
# AUTH -- Silently reject it so that connections don't get delayed.
#
run_iptables -A common -p tcp --dport 113 -j reject
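Review bot: The new comment block recommends `source /etc/shorewall/common.def` from /etc/shorewall/common but does not say where user rules should go relative to that line, and the order matters because every rule in this file is appended with `-A common`. A user rule that is meant to override a default shown here (for example accepting what the `--dport 113 -j reject` line rejects) must appear before the source line, or it is never reached. I would extend the comment with `# Rules you add after the "source" line are appended after the defaults above; place overriding rules before it.`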


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.2.90
VERSION=1.3.0
usage() # $1 = exit status
{


@ -55,6 +55,22 @@ RCDLINKS="2,S41 3,S41 6,K41"
# description: Packet filtering firewall
#
###############################################################################
# Search a list looking for a match -- returns zero if a match found #
# 1 otherwise #
###############################################################################
list_search() # $1 = element to search for , $2-$n = list
{
local e=$1
while [ $# -gt 1 ]; do
shift
[ "x$e" = "x$1" ] && return 0
done
return 1
}
###############################################################################
# Mutual exclusion -- These functions are jackets for the mutual exclusion #
# routines in /etc/shorewall/functions. They invoke the #
@ -74,7 +90,7 @@ my_mutex_off() {
###############################################################################
error_message() # $* = Error Message
{
echo "$@" >&2
echo " $@" >&2
}
###############################################################################
@ -82,7 +98,7 @@ error_message() # $* = Error Message
###############################################################################
fatal_error() # $* = Error Message
{
echo "$@" >&2
echo " $@" >&2
stop_firewall
exit 2
}
@ -93,7 +109,7 @@ fatal_error() # $* = Error Message
###############################################################################
startup_error() # $* = Error Message
{
echo "$@" >&2
echo " $@" >&2
my_mutex_off
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
kill $$
@ -312,7 +328,7 @@ chain_base() #$1 = interface
{
local c=${1%%+*}
echo ${c:=multi}
echo ${c:=common}
}
################################################################################
@ -405,7 +421,7 @@ determine_hosts() {
eval display=\$${zone}_display
display_list "$display Zone:" $hosts
else
error_message " Warning: Zone $zone is empty"
error_message "Warning: Zone $zone is empty"
fi
done
}
@ -415,11 +431,7 @@ determine_hosts() {
################################################################################
validate_zone() # $1 = zone
{
local zone
for zone in $zones $FW; do
[ "$zone" = "$1" ] && return 0
done
return 1
list_search $1 $zones $FW
}
################################################################################
@ -431,18 +443,17 @@ validate_interfaces_file() {
r="$z $interface $subnet $options"
[ "x$z" = "x-" ] || validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
for intr in $all_interfaces; do
[ "$intr" = "$interface" ] && startup_error "Duplicate Interface $intr"
done
list_search $intr $all_interfaces && \
startup_error "Duplicate Interface $intr"
all_interfaces="$all_interfaces $interface"
for option in `separate_list $options`; do
case $option in
dhcp|noping|routestopped|norfc1918|multi|routefilter|dropunclean|logunclean|blacklist|-)
dhcp|noping|filterping|routestopped|norfc1918|multi|routefilter|dropunclean|logunclean|blacklist|-)
;;
*)
error_message " Warning: Invalid option ($option) in record \"$r\""
error_message "Warning: Invalid option ($option) in record \"$r\""
;;
esac
done
@ -466,7 +477,7 @@ validate_hosts_file() {
routestopped|-)
;;
*)
error_message " Warning: Invalid option ($option) in record \"$r\""
error_message "Warning: Invalid option ($option) in record \"$r\""
;;
esac
done
@ -561,14 +572,14 @@ validate_rule() {
[ -n "$port" ] && dports="--icmp-type $port"
state=""
;;
all|ALL)
proto=
;;
related|RELATED)
proto=
state="-m state --state RELATED"
;;
*)
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
startup_error "Port number not allowed with protocol " \
"\"$proto\"; rule: \"$rule\""
;;
esac
@ -579,13 +590,19 @@ validate_rule() {
target=reject
;;
REDIRECT)
[ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\
" specify a server IP; rule: \"$rule\""
servport=${servport:=$port}
;;
DNAT)
[ -n "$serv" ] || startup_error "Error: DNAT rules require a" \
" server address; rule: \"$rule\""
;;
esac
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then
error_message " Warning -- Rule \"$rule\" is a POLICY"
error_message " -- and should be moved to the policy file"
error_message "Warning -- Rule \"$rule\" is a POLICY"
error_message " -- and should be moved to the policy file"
fi
if [ -n "${serv}${servport}" ]; then
@ -598,18 +615,18 @@ validate_rule() {
#
if [ -z "$NAT_ENABLED" ]; then
startup_error \
" Error - Rule \"$rule\" requires NAT which is disabled"
"Error - Rule \"$rule\" requires NAT which is disabled"
fi
if [ "$target" != "ACCEPT" ]; then
startup_error " Error - Only ACCEPT rules may specify " \
startup_error "Error - Only ACCEPT rules may specify " \
"port mapping; rule \"$rule\""
fi
fi
else
[ -n "$addr" ] && startup_error \
" Error: An ADDRESS ($addr) is only allowed in" \
" a port mapping rule: \"$rule\""
"Error: An ADDRESS ($addr) is only allowed in" \
" a DNAT or REDIRECT rule: \"$rule\""
fi
}
############################################################################
@ -649,7 +666,7 @@ validate_rule() {
ACCEPT|DROP|REJECT)
;;
*)
startup_error " Error: Invalid target;" \
startup_error "Error: Invalid target;" \
" rule: \"$rule\""
esac
@ -669,13 +686,13 @@ validate_rule() {
clientzone="${clientzone%\!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
startup_error " Error: Exclude list only allowed with DNAT or REDIRECT"
startup_error "Error: Exclude list only allowed with DNAT or REDIRECT"
fi
############################################################################
# Validate the Source Zone
if ! validate_zone $clientzone; then
startup_error " Error: Undefined Client Zone in rule \"$rule\""
startup_error "Error: Undefined Client Zone in rule \"$rule\""
fi
source=$clientzone
@ -703,7 +720,7 @@ validate_rule() {
# Validate the destination zone
#
if ! validate_zone $serverzone; then
startup_error " Error: Undefined Server Zone in rule \"$rule\""
startup_error "Error: Undefined Server Zone in rule \"$rule\""
fi
dest=$serverzone
@ -760,7 +777,7 @@ validate_policy()
;;
*)
if ! validate_zone $client; then
startup_error " Error: Undefined zone $client"
startup_error "Error: Undefined zone $client"
fi
esac
@ -769,7 +786,7 @@ validate_policy()
;;
*)
if ! validate_zone $server; then
startup_error " Error: Undefined zone $server"
startup_error "Error: Undefined zone $server"
fi
esac
@ -777,7 +794,7 @@ validate_policy()
ACCEPT|REJECT|DROP|CONTINUE)
;;
*)
startup_error " Error: Invalid policy $policy"
startup_error "Error: Invalid policy $policy"
;;
esac
@ -812,9 +829,8 @@ find_interfaces_by_option() # $1 = option
{
while read ignore interface subnet options; do
expandv options
for option in `separate_list $options`; do
[ "$option" = "$1" ] && echo `expand $interface` && break 1
done
list_search $1 `separate_list $options` && \
echo `expand $interface` && break 1
done < $TMP_DIR/interfaces
}
@ -825,17 +841,15 @@ find_hosts_by_option() # $1 = option
{
while read ignore hosts options; do
expandv options
for option in `separate_list $options`; do
[ "$option" = "$1" ] && echo `expand $hosts`
done
list_search $1 `separate_list $options` && \
echo `expand $hosts`
done < $TMP_DIR/hosts
while read ignore interface ignore1 options; do
expandv options
for option in `separate_list $options`; do
[ "$option" = "$1" ] && \
echo `expand $interface`:0.0.0.0/0 && break 1
done
list_search $1 `separate_list $options` && \
echo `expand $interface`:0.0.0.0/0 && \
break 1
done < $TMP_DIR/interfaces
}
@ -849,11 +863,9 @@ have_interfaces_in_zone_with_option() # $1 = zone, $2 = option
local zne=$1
while read z interface broadcast options; do
[ "x`expand $z`" = "x$zne" ] && \
expandv options && \
for option in `separate_list $options`; do
[ "$option" = "$2" ] && return 0
done
[ "x`expand $z`" = "x$zne" ] && expandv options && \
list_search $1 `separate_list $options` && \
return 0
done < $TMP_DIR/interfaces
return 1
}
@ -1219,7 +1231,7 @@ setup_nat() {
}
################################################################################
# Delete existing Static NAT and Port Forwarding #
# Delete existing Static NAT #
################################################################################
delete_nat() {
run_iptables -t nat -F
@ -1358,11 +1370,11 @@ process_rule() {
if [ -z "$NAT_ENABLED" ]; then
fatal_error \
" Error - Rule \"$rule\" requires NAT which is disabled"
"Error - Rule \"$rule\" requires NAT which is disabled"
fi
if [ "$target" != "ACCEPT" ]; then
fatal_error " Error - Only ACCEPT rules may specify " \
fatal_error "Error - Only DNAT and REDIRECT rules may specify " \
"port mapping; rule \"$rule\""
fi
@ -1373,7 +1385,7 @@ process_rule() {
snat=""
fi
[ "$addr" = "all" ] && addr= || addr="-d $addr"
[ "$addr" = "all" ] && addr= || addr=${addr:+-d $addr}
if [ -n "$serv" ]; then
servport="${servport:+:$servport}"
@ -1489,6 +1501,9 @@ process_rule() {
state=""
;;
all|ALL)
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
fatal_error "Port number not allowed with \"all\";" \
" rule: \"$rule\""
proto=
;;
related|RELATED)
@ -1496,6 +1511,9 @@ process_rule() {
state="-m state --state RELATED"
;;
*)
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
fatal_error "Port number not allowed with protocol " \
"\"$proto\"; rule: \"$rule\""
;;
esac
@ -1506,13 +1524,19 @@ process_rule() {
target=reject
;;
REDIRECT)
[ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\
" specify a server IP; rule: \"$rule\""
servport=${servport:=$port}
;;
DNAT)
[ -n "$serv" ] || fatal_error "Error: DNAT rules require a" \
" server address; rule: \"$rule\""
;;
esac
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then
error_message " Warning -- Rule \"$rule\" is a POLICY"
error_message " -- and should be moved to the policy file"
error_message "Warning -- Rule \"$rule\" is a POLICY"
error_message " -- and should be moved to the policy file"
fi
if [ -n "${serv}${servport}" ]; then
@ -1521,7 +1545,7 @@ process_rule() {
#
if [ -n "$addr" -a "$addr" != "$serv" ]; then
##############################################################
# Must use Prerouting DNAT
# Must use Prerouting DNAT or REDIRECT
#
add_nat_rule
fi
@ -1538,8 +1562,8 @@ process_rule() {
# Destination is just a zone or an interface
#
[ -n "$addr" ] && fatal_error \
" Error: An ADDRESS ($addr) is only allowed in" \
" a port mapping rule: \"$rule\""
"Error: An ADDRESS ($addr) is only allowed in" \
" a DNAT or REDIRECT: \"$rule\""
[ -n "$loglevel" ] && run_iptables -A $chain $proto \
$dest_interface $state $cli $sports $dports -j LOG \
@ -1550,6 +1574,7 @@ process_rule() {
$cli $sports $dports -j $target
fi
}
############################################################################
# P r o c e s s _ R u l e S t a r t s H e r e
############################################################################
@ -1602,14 +1627,14 @@ process_rule() {
clientzone="${clientzone%\!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
fatal_error " Error: Exclude list only allowed with DNAT or REDIRECT"
fatal_error "Error: Exclude list only allowed with DNAT or REDIRECT"
fi
############################################################################
# Validate the Source Zone
if ! validate_zone $clientzone; then
fatal_error " Error: Undefined Client Zone in rule \"$rule\""
fatal_error "Error: Undefined Client Zone in rule \"$rule\""
fi
source=$clientzone
@ -1637,7 +1662,7 @@ process_rule() {
# Validate the destination zone
#
if ! validate_zone $serverzone; then
fatal_error " Error: Undefined Server Zone in rule \"$rule\""
fatal_error "Error: Undefined Server Zone in rule \"$rule\""
fi
dest=$serverzone
@ -2267,32 +2292,6 @@ process_blacklist_rec() {
done
}
###############################################################################
# Process a record from the whilelist file #
# #
# $subnet = address/subnet #
###############################################################################
process_whitelist_rec() {
local source
local addr
for addr in `separate_list $subnet`; do
case $addr in
~*)
addr=`echo $addr | sed 's/~//;s/-/:/g'`
source="--match mac --mac-source $addr"
;;
*)
source="-s $addr"
;;
esac
run_iptables -A common $source -j ACCEPT
echo " $addr added to White List"
done
}
###############################################################################
# Setup the Black List #
###############################################################################
@ -2326,25 +2325,6 @@ setup_blacklist() {
fi
}
###############################################################################
# Setup the White List #
###############################################################################
setup_whitelist() {
local f=`find_file whitelist`
if [ -f $f ]; then
echo "Setting up Whitelisting..."
strip_file whitelist $f
while read subnet; do
expandv subnet
process_whitelist_rec
done < $TMP_DIR/whitelist
fi
}
###############################################################################
# Refresh the Black List #
###############################################################################
@ -2369,25 +2349,6 @@ refresh_blacklist() {
fi
}
###############################################################################
# Refresh the White List #
###############################################################################
refresh_whitelist() {
local f=`find_file whitelist`
if [ -f $f ]; then
echo "Refreshing White List..."
strip_file whitelist $f
while read subnet; do
expandv subnet
process_whitelist_rec
done < $TMP_DIR/whitelist
fi
}
###############################################################################
# Verify that kernel has netfilter support #
###############################################################################
@ -2488,12 +2449,8 @@ initialize_netfilter () {
echo "Creating input Chains..."
for interface in $all_interfaces; do
chain=`forward_chain $interface`
if ! havechain $chain; then
createchain $chain no
createchain `input_chain $interface` no
fi
createchain `forward_chain $interface` no
createchain `input_chain $interface` no
done
}
@ -2554,11 +2511,6 @@ add_common_rules() {
echo " $interface"
done
fi
############################################################################
# White List
#
setup_whitelist
############################################################################
# Common ICMP rules
#
@ -2764,6 +2716,8 @@ apply_policy_rules() {
################################################################################
activate_rules() {
multi_interfaces=`find_interfaces_by_option multi`
for zone in $zones; do
eval source_hosts=\$${zone}_hosts
@ -2792,34 +2746,25 @@ activate_rules() {
interface=${host%:*}
subnet=${host#*:}
chain1=`forward_chain $interface`
list_search $interface $multi_interfaces && multi=yes || multi=
for host1 in $dest_hosts; do
interface1=${host1%:*}
subnet1=${host1#*:}
[ $interface = $interface1 -a "x$subnet" = "x$subnet1" ] ||\
if [ $interface != $interface1 -o \
"x$subnet" != "x$subnet1" -o \
-n "$multi" ]; then
run_iptables -A $chain1 -s $subnet \
-o $interface1 -d $subnet1 -j $chain
fi
done
done
done
done
while read zone interface broadcast options; do
expandv zone
if [ "x$zone" != "x-" ]; then
expandv interface options
for option in `separate_list $options`; do
[ "$option" = "multi" ] && \
run_iptables -A `forward_chain $interface` \
-o $interface -j ${zone}2${zone} && \
break 1
done
fi
done < $TMP_DIR/interfaces
for interface in $all_interfaces; do
run_iptables -A FORWARD -i $interface -j `forward_chain $interface`
run_iptables -A INPUT -i $interface -j `input_chain $interface`
@ -2864,9 +2809,6 @@ define_firewall() # $1 = Command (Start or Restart)
[ -f $tunnels ] && \
echo "Processing $tunnels..." && setup_tunnels $tunnels
chains="`run_iptables -L -n | grep ^Chain | cut -d' ' -f2`"
chains=`echo $chains`
rules=`find_file rules`
echo "Processing $rules..."
@ -2882,13 +2824,20 @@ define_firewall() # $1 = Command (Start or Restart)
echo "Setting up ICMP Echo handling..."
filterping_interfaces="`find_interfaces_by_option filterping`"
noping_interfaces="`find_interfaces_by_option noping`"
for interface in $all_interfaces; do
[ -n "`echo $noping_interfaces | grep $interface`" ] && \
target=DROP || target=ACCEPT
run_iptables -A `input_chain $interface` \
-p icmp --icmp-type echo-request -j $target
if ! list_search $interface $filterping_interfaces; then
if list_search $interface $noping_interfaces; then
target=DROP
else
target=ACCEPT
fi
run_iptables -A `input_chain $interface` \
-p icmp --icmp-type echo-request -j $target
fi
done
[ -z "$NAT_BEFORE_RULES" ] && setup_nat
@ -2911,7 +2860,6 @@ define_firewall() # $1 = Command (Start or Restart)
[ -n "$TC_ENABLED" ] && setup_tc
echo "Activating Rules..."
activate_rules
@ -2984,13 +2932,10 @@ refresh_firewall()
determine_interfaces
run_user_exit refresh
run_iptables -F common
############################################################################
# White List
#
refresh_whitelist
echo "Adding Common Rules"
############################################################################
# Common rules in each chain
@ -3208,6 +3153,7 @@ case "$command" in
echo "done."
my_mutex_off
;;
start)
do_initialize
my_mutex_on
@ -3220,6 +3166,7 @@ case "$command" in
define_firewall "Start" && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
my_mutex_off
;;
restart)
do_initialize
my_mutex_on
@ -3233,14 +3180,17 @@ case "$command" in
[ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
my_mutex_off
;;
status)
echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n"
iptables -L -n -v
;;
reset)
iptables -L -n -Z -v
report "Shorewall Counters Reset"
;;
refresh)
do_initialize
my_mutex_on
@ -3252,6 +3202,7 @@ case "$command" in
refresh_firewall;
my_mutex_off
;;
clear)
do_initialize
my_mutex_on
@ -3262,11 +3213,14 @@ case "$command" in
echo "done."
my_mutex_off
;;
check)
do_initialize
check_config
;;
*)
usage
;;
esac
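Review bot: In the `@ -431,18 +443,17 @@ validate_interfaces_file()` hunk the duplicate check now reads `list_search $intr $all_interfaces`, but `$intr` was the loop variable of the loop this hunk deletes and is no longer assigned, so after unquoted expansion the first element of $all_interfaces becomes the needle, the current interface is never compared, and the message prints an empty name; it should be `list_search $interface $all_interfaces && startup_error "Duplicate Interface $interface"`. This matters more now that the `@ -2488,12 +2449,8 @@ initialize_netfilter` hunk removes the havechain guard, so a duplicated interface would presumably reach createchain twice. The same slip appears in the `@ -849,11 +863,9 @@ have_interfaces_in_zone_with_option` hunk, where list_search is passed `$1` (the zone, already saved in zne) instead of `$2` (the option the removed loop compared against), so the function cannot match any option; the call should be `list_search $2` followed by the separate_list substitution. In the `@ -1506,13 +1524,19 @@ process_rule` hunk the new REDIRECT branch calls startup_error while the parallel DNAT branch calls fatal_error; since startup_error exits without calling stop_firewall, the partially built ruleset would be left in place, so this should be `fatal_error` like the rest of process_rule.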


@ -3,11 +3,16 @@
#
# This file defines the default rules for accepting ICMP packets.
#
# Do not modify this file -- if you want to change these rules, copy this
# file to /etc/shorewall/icmpdef and modify that file.
# Do not modify this file -- if you wish to change these rules, create
# /etc/shorewall/icmpdef to replace it. It is suggested that you include
# the command "source /etc/shorewall/icmp.def" in your
# /etc/shorewall/icmpdef file so that you will continue to get the
# advantage of new releases of this file.
#
# In particular, if you want to accept 'ping' everywhere then add
# For example, if you want to accept 'ping' everywhere then create
# /etc/shorewall/icmpdef with the following two lines:
#
# source /etc/shorewall/icmp.def
# run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT
#
run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.2.90
VERSION=1.3.0
usage() # $1 = exit status
{
@ -416,13 +416,11 @@ else
echo -e "\nBlacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
fi
#
# Install the whitelist file
# Backup and remove the whitelist file
#
if [ -f ${PREFIX}/etc/shorewall/whitelist ]; then
backup_file /etc/shorewall/whitelist
else
run_install -o $OWNER -g $GROUP -m 0600 whitelist ${PREFIX}/etc/shorewall/whitelist
echo -e "\nWhitelist file installed as ${PREFIX}/etc/shorewall/whitelist"
rm -f ${PREFIX}/etc/shorewall/whitelist
fi
#
# Backup the version file
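Review bot: The new `rm -f ${PREFIX}/etc/shorewall/whitelist` runs regardless of whether the preceding backup_file call succeeded, so a failed backup still deletes the user's whitelist. Chaining them, `backup_file /etc/shorewall/whitelist && rm -f ${PREFIX}/etc/shorewall/whitelist`, keeps the file when the backup fails, assuming backup_file (defined outside this hunk) returns non-zero on failure. Note also that the backup path omits ${PREFIX} while the rm uses it; unless backup_file prepends PREFIX itself, the two lines refer to different files.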


@ -36,8 +36,18 @@
#
# dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall.
# noping - icmp echo-request (ping) packets should
# noping - icmp echo-request (ping) packets
# addressed to the firewall should
# be ignored on this interface
# filterping - icmp echo-request (ping) packets
# addressed to the firewall should
# be controlled by the rules file and
# applicable policy. If neither 'noping'
# nor 'filterping' are specified then
# the firewall will respond to 'ping'
# requests. 'filterping' takes
# precedence over 'noping' if both are
# given.
# routestopped - When the firewall is stopped, allow
# and route traffic to and from this
# interface.


@ -14,7 +14,18 @@ WARNING: Compatibility has NOT been maintained with the parameterized
latest samples before running Shorewall 1.3 (Beta or Release).
3. You may now exclude zone A from a DNAT or REDIRECT rule that applies
to zone B where zone A is a subzone of sone B.
to zone B where zone A is a subzone of sone B.
4. The whitelist capability has been deimplemented. With recent changes
to the firewall structure and change 3. above, white lists are now
best implemented using zones as shown at:
http://www.shorewall.net/whitelisting_under_shorewall.htm
5. A 'filterping' interface option has been added to allow the
rules and policy files to control the handling of ICMP echo-request
(ping) requests that are addressed to the firewall.


@ -72,18 +72,20 @@
showfirstchain() # $1 = name of chain
{
awk \
'BEGIN {prnt=0;}; \
'BEGIN {prnt=0; rslt=1; }; \
/^$/ { next; };\
/^Chain/ {if ( prnt == 1 ) exit; };\
/^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\
/Chain '$1'/ { prnt=1; }; \
{ if (prnt == 1) print; }' /tmp/chains-$$
{ if (prnt == 1) print; };\
END { exit rslt; }' /tmp/chains-$$
}
showchain() # $1 = name of chain
{
if [ "$firstchain" = "Yes" ]; then
showfirstchain $1
firstchain=
if showfirstchain $1; then
firstchain=
fi
else
awk \
'BEGIN {prnt=0;};\
@ -146,6 +148,7 @@ display_chains()
clear
echo -e "$banner `date`\\n"
firstchain=Yes
echo -e "Input Chains\\n"
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
@ -180,8 +183,8 @@ display_chains()
echo -e "$banner `date`\\n"
firstchain=Yes
echo -e "Policy Chains\\n"
showchain badpkt
showchain common
showchain badpkt
showchain icmpdef
showchain rfc1918
showchain blacklst
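Review bot: In showfirstchain, rslt is cleared only when a later `Chain` header is reached while prnt is already 1, so a requested chain that happens to be the last one in /tmp/chains-$$ is printed in full but the function still exits 1, and showchain then leaves firstchain=Yes for the next call. Recording success where the chain is actually found decouples the status from what follows it: `/Chain '$1'/ { prnt=1; rslt=0; }; \`. The else branch of showchain continues outside the hunk, so I cannot tell from here what a stale firstchain=Yes changes in the output, but the status should reflect "chain found" rather than "another chain followed".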


@ -1,6 +1,6 @@
%define name shorewall
%define version 1.2
%define release 90
%define version 1.3
%define release 0
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -70,7 +70,6 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
%attr(0600,root,root) %config(noreplace) /etc/shorewall/whitelist
%attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /etc/shorewall/functions
/etc/shorewall/firewall
@ -78,7 +77,13 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Wed May 8 Tom Eastep <tom@shorewall.net>
* Wed May 29 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.0
* Mon May 20 2002 Tom Eastep <tom@shorewall.net>
- Removed whitelist file
* Sat May 18 2002 Tom Eastep <tom@shorewall.net>
- changed version to 91
* Wed May 8 2002 Tom Eastep <tom@shorewall.net>
- changed version to 90
- removed 'provides' tag.
* Tue Apr 23 2002 Tom Eastep <tom@shorewall.net>


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.2.90
VERSION=1.3.0
usage() # $1 = exit status
{


@ -1,18 +0,0 @@
#
# Shorewall 1.2 -- Whitelist File
#
# /etc/shorewall/whitelist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
# If a connection request fails to match any of the rules defined in
# /etc/shorewall/rules then the connection source is compared against this
# list; if a match is found, the connection request is accepted.
#
# MAC addresses must be prefixed with "~" and use "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
###############################################################################
#ADDRESS/SUBNET
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,5 +1,5 @@
#
# Shorewall 1.2 /etc/shorewall/zones
# Shorewall 1.3 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#