Final 1.3 Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@41 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-05-30 12:55:47 +00:00
parent 390ee5a4a0
commit 5245e3b75a
13 changed files with 182 additions and 207 deletions


@ -21,6 +21,10 @@ Changes since 1.2.13
8. Added logic to allow a subzone to be excluded from a DNAT or REDIRECT rule. 8. Added logic to allow a subzone to be excluded from a DNAT or REDIRECT rule.
9. Removed white list capability
10. Added 'filterping' interface option.


@ -6,8 +6,11 @@
# the firewall will also define a DROP rule for each subnet broadcast # the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect"). # address defined in /etc/shorewall/interfaces (including "detect").
# #
# Do not modify this file -- if you wish to change these rules, copy this # Do not modify this file -- if you wish to change these rules, create
# file to /etc/shorewall/common and modify that file. # /etc/shorewall/common to replace it. It is suggested that you include
# the command "source /etc/shorewall/common.def" in your
# /etc/shorewall/common file so that you will continue to get the
# advantage of new releases of this file.
# #
run_iptables -A common -p icmp -j icmpdef run_iptables -A common -p icmp -j icmpdef
############################################################################ ############################################################################
@ -32,7 +35,7 @@ run_iptables -A common -p udp --dport 1900 -j DROP
run_iptables -A common -d 255.255.255.255 -j DROP run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP run_iptables -A common -d 224.0.0.0/4 -j DROP
############################################################################ ############################################################################
# AUTH -- Reject it so that connections don't get delayed. # AUTH -- Silently reject it so that connections don't get delayed.
# #
run_iptables -A common -p tcp --dport 113 -j reject run_iptables -A common -p tcp --dport 113 -j reject


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.2.90 VERSION=1.3.0
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -55,6 +55,22 @@ RCDLINKS="2,S41 3,S41 6,K41"
# description: Packet filtering firewall # description: Packet filtering firewall
# #
###############################################################################
# Search a list looking for a match -- returns zero if a match found #
# 1 otherwise #
###############################################################################
list_search() # $1 = element to search for , $2-$n = list
{
local e=$1
while [ $# -gt 1 ]; do
shift
[ "x$e" = "x$1" ] && return 0
done
return 1
}
############################################################################### ###############################################################################
# Mutual exclusion -- These functions are jackets for the mutual exclusion # # Mutual exclusion -- These functions are jackets for the mutual exclusion #
# routines in /etc/shorewall/functions. They invoke the # # routines in /etc/shorewall/functions. They invoke the #
@ -74,7 +90,7 @@ my_mutex_off() {
############################################################################### ###############################################################################
error_message() # $* = Error Message error_message() # $* = Error Message
{ {
echo "$@" >&2 echo " $@" >&2
} }
############################################################################### ###############################################################################
@ -82,7 +98,7 @@ error_message() # $* = Error Message
############################################################################### ###############################################################################
fatal_error() # $* = Error Message fatal_error() # $* = Error Message
{ {
echo "$@" >&2 echo " $@" >&2
stop_firewall stop_firewall
exit 2 exit 2
} }
@ -93,7 +109,7 @@ fatal_error() # $* = Error Message
############################################################################### ###############################################################################
startup_error() # $* = Error Message startup_error() # $* = Error Message
{ {
echo "$@" >&2 echo " $@" >&2
my_mutex_off my_mutex_off
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
kill $$ kill $$
@ -312,7 +328,7 @@ chain_base() #$1 = interface
{ {
local c=${1%%+*} local c=${1%%+*}
echo ${c:=multi} echo ${c:=common}
} }
################################################################################ ################################################################################
@ -405,7 +421,7 @@ determine_hosts() {
eval display=\$${zone}_display eval display=\$${zone}_display
display_list "$display Zone:" $hosts display_list "$display Zone:" $hosts
else else
error_message " Warning: Zone $zone is empty" error_message "Warning: Zone $zone is empty"
fi fi
done done
} }
@ -415,11 +431,7 @@ determine_hosts() {
################################################################################ ################################################################################
validate_zone() # $1 = zone validate_zone() # $1 = zone
{ {
local zone list_search $1 $zones $FW
for zone in $zones $FW; do
[ "$zone" = "$1" ] && return 0
done
return 1
} }
################################################################################ ################################################################################
@ -431,18 +443,17 @@ validate_interfaces_file() {
r="$z $interface $subnet $options" r="$z $interface $subnet $options"
[ "x$z" = "x-" ] || validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" [ "x$z" = "x-" ] || validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
for intr in $all_interfaces; do list_search $intr $all_interfaces && \
[ "$intr" = "$interface" ] && startup_error "Duplicate Interface $intr" startup_error "Duplicate Interface $intr"
done
all_interfaces="$all_interfaces $interface" all_interfaces="$all_interfaces $interface"
for option in `separate_list $options`; do for option in `separate_list $options`; do
case $option in case $option in
dhcp|noping|routestopped|norfc1918|multi|routefilter|dropunclean|logunclean|blacklist|-) dhcp|noping|filterping|routestopped|norfc1918|multi|routefilter|dropunclean|logunclean|blacklist|-)
;; ;;
*) *)
error_message " Warning: Invalid option ($option) in record \"$r\"" error_message "Warning: Invalid option ($option) in record \"$r\""
;; ;;
esac esac
done done
@ -466,7 +477,7 @@ validate_hosts_file() {
routestopped|-) routestopped|-)
;; ;;
*) *)
error_message " Warning: Invalid option ($option) in record \"$r\"" error_message "Warning: Invalid option ($option) in record \"$r\""
;; ;;
esac esac
done done
@ -561,14 +572,14 @@ validate_rule() {
[ -n "$port" ] && dports="--icmp-type $port" [ -n "$port" ] && dports="--icmp-type $port"
state="" state=""
;; ;;
all|ALL)
proto=
;;
related|RELATED) related|RELATED)
proto= proto=
state="-m state --state RELATED" state="-m state --state RELATED"
;; ;;
*) *)
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
startup_error "Port number not allowed with protocol " \
"\"$proto\"; rule: \"$rule\""
;; ;;
esac esac
@ -579,13 +590,19 @@ validate_rule() {
target=reject target=reject
;; ;;
REDIRECT) REDIRECT)
[ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\
" specify a server IP; rule: \"$rule\""
servport=${servport:=$port} servport=${servport:=$port}
;; ;;
DNAT)
[ -n "$serv" ] || startup_error "Error: DNAT rules require a" \
" server address; rule: \"$rule\""
;;
esac esac
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then
error_message " Warning -- Rule \"$rule\" is a POLICY" error_message "Warning -- Rule \"$rule\" is a POLICY"
error_message " -- and should be moved to the policy file" error_message " -- and should be moved to the policy file"
fi fi
if [ -n "${serv}${servport}" ]; then if [ -n "${serv}${servport}" ]; then
@ -598,18 +615,18 @@ validate_rule() {
# #
if [ -z "$NAT_ENABLED" ]; then if [ -z "$NAT_ENABLED" ]; then
startup_error \ startup_error \
" Error - Rule \"$rule\" requires NAT which is disabled" "Error - Rule \"$rule\" requires NAT which is disabled"
fi fi
if [ "$target" != "ACCEPT" ]; then if [ "$target" != "ACCEPT" ]; then
startup_error " Error - Only ACCEPT rules may specify " \ startup_error "Error - Only ACCEPT rules may specify " \
"port mapping; rule \"$rule\"" "port mapping; rule \"$rule\""
fi fi
fi fi
else else
[ -n "$addr" ] && startup_error \ [ -n "$addr" ] && startup_error \
" Error: An ADDRESS ($addr) is only allowed in" \ "Error: An ADDRESS ($addr) is only allowed in" \
" a port mapping rule: \"$rule\"" " a DNAT or REDIRECT rule: \"$rule\""
fi fi
} }
############################################################################ ############################################################################
@ -649,7 +666,7 @@ validate_rule() {
ACCEPT|DROP|REJECT) ACCEPT|DROP|REJECT)
;; ;;
*) *)
startup_error " Error: Invalid target;" \ startup_error "Error: Invalid target;" \
" rule: \"$rule\"" " rule: \"$rule\""
esac esac
@ -669,13 +686,13 @@ validate_rule() {
clientzone="${clientzone%\!*}" clientzone="${clientzone%\!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
startup_error " Error: Exclude list only allowed with DNAT or REDIRECT" startup_error "Error: Exclude list only allowed with DNAT or REDIRECT"
fi fi
############################################################################ ############################################################################
# Validate the Source Zone # Validate the Source Zone
if ! validate_zone $clientzone; then if ! validate_zone $clientzone; then
startup_error " Error: Undefined Client Zone in rule \"$rule\"" startup_error "Error: Undefined Client Zone in rule \"$rule\""
fi fi
source=$clientzone source=$clientzone
@ -703,7 +720,7 @@ validate_rule() {
# Validate the destination zone # Validate the destination zone
# #
if ! validate_zone $serverzone; then if ! validate_zone $serverzone; then
startup_error " Error: Undefined Server Zone in rule \"$rule\"" startup_error "Error: Undefined Server Zone in rule \"$rule\""
fi fi
dest=$serverzone dest=$serverzone
@ -760,7 +777,7 @@ validate_policy()
;; ;;
*) *)
if ! validate_zone $client; then if ! validate_zone $client; then
startup_error " Error: Undefined zone $client" startup_error "Error: Undefined zone $client"
fi fi
esac esac
@ -769,7 +786,7 @@ validate_policy()
;; ;;
*) *)
if ! validate_zone $server; then if ! validate_zone $server; then
startup_error " Error: Undefined zone $server" startup_error "Error: Undefined zone $server"
fi fi
esac esac
@ -777,7 +794,7 @@ validate_policy()
ACCEPT|REJECT|DROP|CONTINUE) ACCEPT|REJECT|DROP|CONTINUE)
;; ;;
*) *)
startup_error " Error: Invalid policy $policy" startup_error "Error: Invalid policy $policy"
;; ;;
esac esac
@ -812,9 +829,8 @@ find_interfaces_by_option() # $1 = option
{ {
while read ignore interface subnet options; do while read ignore interface subnet options; do
expandv options expandv options
for option in `separate_list $options`; do list_search $1 `separate_list $options` && \
[ "$option" = "$1" ] && echo `expand $interface` && break 1 echo `expand $interface` && break 1
done
done < $TMP_DIR/interfaces done < $TMP_DIR/interfaces
} }
@ -825,17 +841,15 @@ find_hosts_by_option() # $1 = option
{ {
while read ignore hosts options; do while read ignore hosts options; do
expandv options expandv options
for option in `separate_list $options`; do list_search $1 `separate_list $options` && \
[ "$option" = "$1" ] && echo `expand $hosts` echo `expand $hosts`
done
done < $TMP_DIR/hosts done < $TMP_DIR/hosts
while read ignore interface ignore1 options; do while read ignore interface ignore1 options; do
expandv options expandv options
for option in `separate_list $options`; do list_search $1 `separate_list $options` && \
[ "$option" = "$1" ] && \ echo `expand $interface`:0.0.0.0/0 && \
echo `expand $interface`:0.0.0.0/0 && break 1 break 1
done
done < $TMP_DIR/interfaces done < $TMP_DIR/interfaces
} }
@ -849,11 +863,9 @@ have_interfaces_in_zone_with_option() # $1 = zone, $2 = option
local zne=$1 local zne=$1
while read z interface broadcast options; do while read z interface broadcast options; do
[ "x`expand $z`" = "x$zne" ] && \ [ "x`expand $z`" = "x$zne" ] && expandv options && \
expandv options && \ list_search $1 `separate_list $options` && \
for option in `separate_list $options`; do return 0
[ "$option" = "$2" ] && return 0
done
done < $TMP_DIR/interfaces done < $TMP_DIR/interfaces
return 1 return 1
} }
@ -1219,7 +1231,7 @@ setup_nat() {
} }
################################################################################ ################################################################################
# Delete existing Static NAT and Port Forwarding # # Delete existing Static NAT #
################################################################################ ################################################################################
delete_nat() { delete_nat() {
run_iptables -t nat -F run_iptables -t nat -F
@ -1358,11 +1370,11 @@ process_rule() {
if [ -z "$NAT_ENABLED" ]; then if [ -z "$NAT_ENABLED" ]; then
fatal_error \ fatal_error \
" Error - Rule \"$rule\" requires NAT which is disabled" "Error - Rule \"$rule\" requires NAT which is disabled"
fi fi
if [ "$target" != "ACCEPT" ]; then if [ "$target" != "ACCEPT" ]; then
fatal_error " Error - Only ACCEPT rules may specify " \ fatal_error "Error - Only DNAT and REDIRECT rules may specify " \
"port mapping; rule \"$rule\"" "port mapping; rule \"$rule\""
fi fi
@ -1373,7 +1385,7 @@ process_rule() {
snat="" snat=""
fi fi
[ "$addr" = "all" ] && addr= || addr="-d $addr" [ "$addr" = "all" ] && addr= || addr=${addr:+-d $addr}
if [ -n "$serv" ]; then if [ -n "$serv" ]; then
servport="${servport:+:$servport}" servport="${servport:+:$servport}"
@ -1489,6 +1501,9 @@ process_rule() {
state="" state=""
;; ;;
all|ALL) all|ALL)
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
fatal_error "Port number not allowed with \"all\";" \
" rule: \"$rule\""
proto= proto=
;; ;;
related|RELATED) related|RELATED)
@ -1496,6 +1511,9 @@ process_rule() {
state="-m state --state RELATED" state="-m state --state RELATED"
;; ;;
*) *)
[ -n "$port" ] && [ "x${port}" != "x-" ] && \
fatal_error "Port number not allowed with protocol " \
"\"$proto\"; rule: \"$rule\""
;; ;;
esac esac
@ -1506,13 +1524,19 @@ process_rule() {
target=reject target=reject
;; ;;
REDIRECT) REDIRECT)
[ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\
" specify a server IP; rule: \"$rule\""
servport=${servport:=$port} servport=${servport:=$port}
;; ;;
DNAT)
[ -n "$serv" ] || fatal_error "Error: DNAT rules require a" \
" server address; rule: \"$rule\""
;;
esac esac
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then
error_message " Warning -- Rule \"$rule\" is a POLICY" error_message "Warning -- Rule \"$rule\" is a POLICY"
error_message " -- and should be moved to the policy file" error_message " -- and should be moved to the policy file"
fi fi
if [ -n "${serv}${servport}" ]; then if [ -n "${serv}${servport}" ]; then
@ -1521,7 +1545,7 @@ process_rule() {
# #
if [ -n "$addr" -a "$addr" != "$serv" ]; then if [ -n "$addr" -a "$addr" != "$serv" ]; then
############################################################## ##############################################################
# Must use Prerouting DNAT # Must use Prerouting DNAT or REDIRECT
# #
add_nat_rule add_nat_rule
fi fi
@ -1538,8 +1562,8 @@ process_rule() {
# Destination is just a zone or an interface # Destination is just a zone or an interface
# #
[ -n "$addr" ] && fatal_error \ [ -n "$addr" ] && fatal_error \
" Error: An ADDRESS ($addr) is only allowed in" \ "Error: An ADDRESS ($addr) is only allowed in" \
" a port mapping rule: \"$rule\"" " a DNAT or REDIRECT: \"$rule\""
[ -n "$loglevel" ] && run_iptables -A $chain $proto \ [ -n "$loglevel" ] && run_iptables -A $chain $proto \
$dest_interface $state $cli $sports $dports -j LOG \ $dest_interface $state $cli $sports $dports -j LOG \
@ -1550,6 +1574,7 @@ process_rule() {
$cli $sports $dports -j $target $cli $sports $dports -j $target
fi fi
} }
############################################################################ ############################################################################
# P r o c e s s _ R u l e S t a r t s H e r e # P r o c e s s _ R u l e S t a r t s H e r e
############################################################################ ############################################################################
@ -1602,14 +1627,14 @@ process_rule() {
clientzone="${clientzone%\!*}" clientzone="${clientzone%\!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
fatal_error " Error: Exclude list only allowed with DNAT or REDIRECT" fatal_error "Error: Exclude list only allowed with DNAT or REDIRECT"
fi fi
############################################################################ ############################################################################
# Validate the Source Zone # Validate the Source Zone
if ! validate_zone $clientzone; then if ! validate_zone $clientzone; then
fatal_error " Error: Undefined Client Zone in rule \"$rule\"" fatal_error "Error: Undefined Client Zone in rule \"$rule\""
fi fi
source=$clientzone source=$clientzone
@ -1637,7 +1662,7 @@ process_rule() {
# Validate the destination zone # Validate the destination zone
# #
if ! validate_zone $serverzone; then if ! validate_zone $serverzone; then
fatal_error " Error: Undefined Server Zone in rule \"$rule\"" fatal_error "Error: Undefined Server Zone in rule \"$rule\""
fi fi
dest=$serverzone dest=$serverzone
@ -2267,32 +2292,6 @@ process_blacklist_rec() {
done done
} }
###############################################################################
# Process a record from the whilelist file #
# #
# $subnet = address/subnet #
###############################################################################
process_whitelist_rec() {
local source
local addr
for addr in `separate_list $subnet`; do
case $addr in
~*)
addr=`echo $addr | sed 's/~//;s/-/:/g'`
source="--match mac --mac-source $addr"
;;
*)
source="-s $addr"
;;
esac
run_iptables -A common $source -j ACCEPT
echo " $addr added to White List"
done
}
############################################################################### ###############################################################################
# Setup the Black List # # Setup the Black List #
############################################################################### ###############################################################################
@ -2326,25 +2325,6 @@ setup_blacklist() {
fi fi
} }
###############################################################################
# Setup the White List #
###############################################################################
setup_whitelist() {
local f=`find_file whitelist`
if [ -f $f ]; then
echo "Setting up Whitelisting..."
strip_file whitelist $f
while read subnet; do
expandv subnet
process_whitelist_rec
done < $TMP_DIR/whitelist
fi
}
############################################################################### ###############################################################################
# Refresh the Black List # # Refresh the Black List #
############################################################################### ###############################################################################
@ -2369,25 +2349,6 @@ refresh_blacklist() {
fi fi
} }
###############################################################################
# Refresh the White List #
###############################################################################
refresh_whitelist() {
local f=`find_file whitelist`
if [ -f $f ]; then
echo "Refreshing White List..."
strip_file whitelist $f
while read subnet; do
expandv subnet
process_whitelist_rec
done < $TMP_DIR/whitelist
fi
}
############################################################################### ###############################################################################
# Verify that kernel has netfilter support # # Verify that kernel has netfilter support #
############################################################################### ###############################################################################
@ -2488,12 +2449,8 @@ initialize_netfilter () {
echo "Creating input Chains..." echo "Creating input Chains..."
for interface in $all_interfaces; do for interface in $all_interfaces; do
chain=`forward_chain $interface` createchain `forward_chain $interface` no
createchain `input_chain $interface` no
if ! havechain $chain; then
createchain $chain no
createchain `input_chain $interface` no
fi
done done
} }
@ -2554,11 +2511,6 @@ add_common_rules() {
echo " $interface" echo " $interface"
done done
fi fi
############################################################################
# White List
#
setup_whitelist
############################################################################ ############################################################################
# Common ICMP rules # Common ICMP rules
# #
@ -2764,6 +2716,8 @@ apply_policy_rules() {
################################################################################ ################################################################################
activate_rules() { activate_rules() {
multi_interfaces=`find_interfaces_by_option multi`
for zone in $zones; do for zone in $zones; do
eval source_hosts=\$${zone}_hosts eval source_hosts=\$${zone}_hosts
@ -2792,14 +2746,18 @@ activate_rules() {
interface=${host%:*} interface=${host%:*}
subnet=${host#*:} subnet=${host#*:}
chain1=`forward_chain $interface` chain1=`forward_chain $interface`
list_search $interface $multi_interfaces && multi=yes || multi=
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
interface1=${host1%:*} interface1=${host1%:*}
subnet1=${host1#*:} subnet1=${host1#*:}
[ $interface = $interface1 -a "x$subnet" = "x$subnet1" ] ||\ if [ $interface != $interface1 -o \
"x$subnet" != "x$subnet1" -o \
-n "$multi" ]; then
run_iptables -A $chain1 -s $subnet \ run_iptables -A $chain1 -s $subnet \
-o $interface1 -d $subnet1 -j $chain -o $interface1 -d $subnet1 -j $chain
fi
done done
done done
@ -2807,19 +2765,6 @@ activate_rules() {
done done
while read zone interface broadcast options; do
expandv zone
if [ "x$zone" != "x-" ]; then
expandv interface options
for option in `separate_list $options`; do
[ "$option" = "multi" ] && \
run_iptables -A `forward_chain $interface` \
-o $interface -j ${zone}2${zone} && \
break 1
done
fi
done < $TMP_DIR/interfaces
for interface in $all_interfaces; do for interface in $all_interfaces; do
run_iptables -A FORWARD -i $interface -j `forward_chain $interface` run_iptables -A FORWARD -i $interface -j `forward_chain $interface`
run_iptables -A INPUT -i $interface -j `input_chain $interface` run_iptables -A INPUT -i $interface -j `input_chain $interface`
@ -2864,9 +2809,6 @@ define_firewall() # $1 = Command (Start or Restart)
[ -f $tunnels ] && \ [ -f $tunnels ] && \
echo "Processing $tunnels..." && setup_tunnels $tunnels echo "Processing $tunnels..." && setup_tunnels $tunnels
chains="`run_iptables -L -n | grep ^Chain | cut -d' ' -f2`"
chains=`echo $chains`
rules=`find_file rules` rules=`find_file rules`
echo "Processing $rules..." echo "Processing $rules..."
@ -2882,13 +2824,20 @@ define_firewall() # $1 = Command (Start or Restart)
echo "Setting up ICMP Echo handling..." echo "Setting up ICMP Echo handling..."
filterping_interfaces="`find_interfaces_by_option filterping`"
noping_interfaces="`find_interfaces_by_option noping`" noping_interfaces="`find_interfaces_by_option noping`"
for interface in $all_interfaces; do for interface in $all_interfaces; do
[ -n "`echo $noping_interfaces | grep $interface`" ] && \ if ! list_search $interface $filterping_interfaces; then
target=DROP || target=ACCEPT if list_search $interface $noping_interfaces; then
run_iptables -A `input_chain $interface` \ target=DROP
-p icmp --icmp-type echo-request -j $target else
target=ACCEPT
fi
run_iptables -A `input_chain $interface` \
-p icmp --icmp-type echo-request -j $target
fi
done done
[ -z "$NAT_BEFORE_RULES" ] && setup_nat [ -z "$NAT_BEFORE_RULES" ] && setup_nat
@ -2911,7 +2860,6 @@ define_firewall() # $1 = Command (Start or Restart)
[ -n "$TC_ENABLED" ] && setup_tc [ -n "$TC_ENABLED" ] && setup_tc
echo "Activating Rules..." echo "Activating Rules..."
activate_rules activate_rules
@ -2984,12 +2932,9 @@ refresh_firewall()
determine_interfaces determine_interfaces
run_iptables -F common run_user_exit refresh
############################################################################ run_iptables -F common
# White List
#
refresh_whitelist
echo "Adding Common Rules" echo "Adding Common Rules"
############################################################################ ############################################################################
@ -3208,6 +3153,7 @@ case "$command" in
echo "done." echo "done."
my_mutex_off my_mutex_off
;; ;;
start) start)
do_initialize do_initialize
my_mutex_on my_mutex_on
@ -3220,6 +3166,7 @@ case "$command" in
define_firewall "Start" && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK define_firewall "Start" && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
my_mutex_off my_mutex_off
;; ;;
restart) restart)
do_initialize do_initialize
my_mutex_on my_mutex_on
@ -3233,14 +3180,17 @@ case "$command" in
[ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK [ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
my_mutex_off my_mutex_off
;; ;;
status) status)
echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n"
iptables -L -n -v iptables -L -n -v
;; ;;
reset) reset)
iptables -L -n -Z -v iptables -L -n -Z -v
report "Shorewall Counters Reset" report "Shorewall Counters Reset"
;; ;;
refresh) refresh)
do_initialize do_initialize
my_mutex_on my_mutex_on
@ -3252,6 +3202,7 @@ case "$command" in
refresh_firewall; refresh_firewall;
my_mutex_off my_mutex_off
;; ;;
clear) clear)
do_initialize do_initialize
my_mutex_on my_mutex_on
@ -3262,11 +3213,14 @@ case "$command" in
echo "done." echo "done."
my_mutex_off my_mutex_off
;; ;;
check) check)
do_initialize do_initialize
check_config check_config
;; ;;
*) *)
usage usage
;; ;;
esac esac
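Review bot: In have_interfaces_in_zone_with_option (hunk @ -849,11 +863,9) the rewritten check passes `$1` to list_search, but the function header says `$1 = zone, $2 = option` and the removed loop compared against `$2`, so the new code searches for the zone name in the interface's option list and never finds the option. Replace `$1` with `$2` in that list_search call. The same list_search conversion in find_interfaces_by_option (@ -812,9 +829,8) and in the second loop of find_hosts_by_option (@ -825,17 +841,15) changed what `break 1` leaves: it used to exit the inner `for option` loop and now exits the `while read` loop, so only the first interface carrying the option is emitted. Because multi_interfaces, noping_interfaces and filterping_interfaces are built from find_interfaces_by_option, a second interface marked noping would still answer echo-requests; dropping the `&& break 1` in both places (list_search already stops at the first match) restores one line per matching interface.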


@ -3,11 +3,16 @@
# #
# This file defines the default rules for accepting ICMP packets. # This file defines the default rules for accepting ICMP packets.
# #
# Do not modify this file -- if you want to change these rules, copy this # Do not modify this file -- if you wish to change these rules, create
# file to /etc/shorewall/icmpdef and modify that file. # /etc/shorewall/icmpdef to replace it. It is suggested that you include
# the command "source /etc/shorewall/icmp.def" in your
# /etc/shorewall/icmpdef file so that you will continue to get the
# advantage of new releases of this file.
# #
# In particular, if you want to accept 'ping' everywhere then add # For example, if you want to accept 'ping' everywhere then create
# /etc/shorewall/icmpdef with the following two lines:
# #
# source /etc/shorewall/icmp.def
# run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT # run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT
# #
run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.2.90 VERSION=1.3.0
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -416,13 +416,11 @@ else
echo -e "\nBlacklist file installed as ${PREFIX}/etc/shorewall/blacklist" echo -e "\nBlacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
fi fi
# #
# Install the whitelist file # Backup and remove the whitelist file
# #
if [ -f ${PREFIX}/etc/shorewall/whitelist ]; then if [ -f ${PREFIX}/etc/shorewall/whitelist ]; then
backup_file /etc/shorewall/whitelist backup_file /etc/shorewall/whitelist
else rm -f ${PREFIX}/etc/shorewall/whitelist
run_install -o $OWNER -g $GROUP -m 0600 whitelist ${PREFIX}/etc/shorewall/whitelist
echo -e "\nWhitelist file installed as ${PREFIX}/etc/shorewall/whitelist"
fi fi
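Review bot: The new `rm -f ${PREFIX}/etc/shorewall/whitelist` runs regardless of whether the preceding backup_file call succeeded, so a failed backup still ends with the user's whitelist deleted. If backup_file returns non-zero on failure (its body is not in this diff), chaining the two, `backup_file /etc/shorewall/whitelist && rm -f -- "${PREFIX}/etc/shorewall/whitelist"`, keeps the file whenever no backup was made. The surrounding block begins outside the hunk.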
# #
# Backup the version file # Backup the version file


@ -36,8 +36,18 @@
# #
# dhcp - interface is managed by DHCP or used by # dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall. # a DHCP server running on the firewall.
# noping - icmp echo-request (ping) packets should # noping - icmp echo-request (ping) packets
# addressed to the firewall should
# be ignored on this interface # be ignored on this interface
# filterping - icmp echo-request (ping) packets
# addressed to the firewall should
# be controlled by the rules file and
# applicable policy. If neither 'noping'
# nor 'filterping' are specified then
# the firewall will respond to 'ping'
# requests. 'filterping' takes
# precedence over 'noping' if both are
# given.
# routestopped - When the firewall is stopped, allow # routestopped - When the firewall is stopped, allow
# and route traffic to and from this # and route traffic to and from this
# interface. # interface.


@ -16,5 +16,16 @@ WARNING: Compatibility has NOT been maintained with the parameterized
3. You may now exclude zone A from a DNAT or REDIRECT rule that applies 3. You may now exclude zone A from a DNAT or REDIRECT rule that applies
to zone B where zone A is a subzone of sone B. to zone B where zone A is a subzone of sone B.
4. The whitelist capability has been deimplemented. With recent changes
to the firewall structure and change 3. above, white lists are now
best implemented using zones as shown at:
http://www.shorewall.net/whitelisting_under_shorewall.htm
5. A 'filterping' interface option has been added to allow the
rules and policy files to control the handling of ICMP echo-request
(ping) requests that are addressed to the firewall.


@ -72,18 +72,20 @@
showfirstchain() # $1 = name of chain showfirstchain() # $1 = name of chain
{ {
awk \ awk \
'BEGIN {prnt=0;}; \ 'BEGIN {prnt=0; rslt=1; }; \
/^$/ { next; };\ /^$/ { next; };\
/^Chain/ {if ( prnt == 1 ) exit; };\ /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\
/Chain '$1'/ { prnt=1; }; \ /Chain '$1'/ { prnt=1; }; \
{ if (prnt == 1) print; }' /tmp/chains-$$ { if (prnt == 1) print; };\
END { exit rslt; }' /tmp/chains-$$
} }
showchain() # $1 = name of chain showchain() # $1 = name of chain
{ {
if [ "$firstchain" = "Yes" ]; then if [ "$firstchain" = "Yes" ]; then
showfirstchain $1 if showfirstchain $1; then
firstchain= firstchain=
fi
else else
awk \ awk \
'BEGIN {prnt=0;};\ 'BEGIN {prnt=0;};\
@ -146,6 +148,7 @@ display_chains()
clear clear
echo -e "$banner `date`\\n" echo -e "$banner `date`\\n"
firstchain=Yes
echo -e "Input Chains\\n" echo -e "Input Chains\\n"
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2` chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
@ -180,8 +183,8 @@ display_chains()
echo -e "$banner `date`\\n" echo -e "$banner `date`\\n"
firstchain=Yes firstchain=Yes
echo -e "Policy Chains\\n" echo -e "Policy Chains\\n"
showchain badpkt
showchain common showchain common
showchain badpkt
showchain icmpdef showchain icmpdef
showchain rfc1918 showchain rfc1918
showchain blacklst showchain blacklst
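Review bot: In showfirstchain, `rslt` only becomes 0 when a later `Chain` header is reached after printing has started, so when the requested chain is the last one in /tmp/chains-$$ the function prints it but still exits 1, and showchain then leaves `firstchain=Yes`, routing the following chain through showfirstchain as well. If the status is meant to signal "chain was found", set it on the match rule instead: `/Chain '$1'/ { prnt=1; rslt=0; }; \`. showchain's body continues outside the hunk.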


@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 1.2 %define version 1.3
%define release 90 %define release 0
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -70,7 +70,6 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels %attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts %attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist %attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
%attr(0600,root,root) %config(noreplace) /etc/shorewall/whitelist
%attr(0544,root,root) /sbin/shorewall %attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /etc/shorewall/functions %attr(0444,root,root) /etc/shorewall/functions
/etc/shorewall/firewall /etc/shorewall/firewall
@ -78,7 +77,13 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Wed May 8 Tom Eastep <tom@shorewall.net> * Wed May 29 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.0
* Mon May 20 2002 Tom Eastep <tom@shorewall.net>
- Removed whitelist file
* Sat May 18 2002 Tom Eastep <tom@shorewall.net>
- changed version to 91
* Wed May 8 2002 Tom Eastep <tom@shorewall.net>
- changed version to 90 - changed version to 90
- removed 'provides' tag. - removed 'provides' tag.
* Tue Apr 23 2002 Tom Eastep <tom@shorewall.net> * Tue Apr 23 2002 Tom Eastep <tom@shorewall.net>


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.2.90 VERSION=1.3.0
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,18 +0,0 @@
#
# Shorewall 1.2 -- Whitelist File
#
# /etc/shorewall/whitelist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
# If a connection request fails to match any of the rules defined in
# /etc/shorewall/rules then the connection source is compared against this
# list; if a match is found, the connection request is accepted.
#
# MAC addresses must be prefixed with "~" and use "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
###############################################################################
#ADDRESS/SUBNET
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,5 +1,5 @@
# #
# Shorewall 1.2 /etc/shorewall/zones # Shorewall 1.3 /etc/shorewall/zones
# #
# This file determines your network zones. Columns are: # This file determines your network zones. Columns are:
# #