Changes for 2.2.0 Beta 7
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1803 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
884e405222
commit
594884732a
@ -609,7 +609,7 @@ usage() # $1 = exit status
|
||||
echo " restart [ <directory> ]"
|
||||
echo " restore [ <file name> ]"
|
||||
echo " save [ <file name> ]"
|
||||
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
|
||||
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos|zones]"
|
||||
echo " start [ <directory> ]"
|
||||
echo " stop"
|
||||
echo " status"
|
||||
@ -913,6 +913,24 @@ case "$1" in
|
||||
echo
|
||||
show_classifiers
|
||||
;;
|
||||
zones)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||
if [ -f $STATEDIR/zones ]; then
|
||||
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
|
||||
echo
|
||||
while read zone hosts; do
|
||||
echo $zone
|
||||
for host in $hosts; do
|
||||
echo " $host"
|
||||
done
|
||||
done < $STATEDIR/zones
|
||||
echo
|
||||
else
|
||||
echo " ERROR: $STATEDIR/zones does not exist" >&2
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
shift
|
||||
|
||||
@ -964,6 +982,10 @@ case "$1" in
|
||||
echo "IP Configuration"
|
||||
echo
|
||||
ip addr ls
|
||||
echo
|
||||
echo "IP Stats"
|
||||
echo
|
||||
ip -stat link ls
|
||||
|
||||
if qt which brctl; then
|
||||
echo
|
||||
@ -1143,7 +1165,9 @@ case "$1" in
|
||||
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
|
||||
if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
|
||||
echo __EOF__ >> /var/lib/shorewall/restore-$$
|
||||
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
|
||||
[ -f /var/lib/shorewall/restore-tail ] && \
|
||||
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
|
||||
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
|
||||
chmod +x $RESTOREPATH
|
||||
echo " Currently-running Configuration Saved to $RESTOREPATH"
|
||||
else
|
||||
|
@ -181,6 +181,17 @@ run_iptables2() {
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Quietly run iptables
|
||||
#
|
||||
qt_iptables() {
|
||||
|
||||
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||
|
||||
qt $IPTABLES $@
|
||||
}
|
||||
|
||||
#
|
||||
# Run ip and if an error occurs, stop the firewall and quit
|
||||
#
|
||||
@ -1756,9 +1767,14 @@ setup_ipsec() {
|
||||
set_mss1() # $1 = chain, $2 = MSS
|
||||
{
|
||||
eval local policy=\$${1}_policy
|
||||
if [ "$policy" != NONE -a "$COMMAND" != add ]; then
|
||||
ensurechain $1
|
||||
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
|
||||
|
||||
if [ "$policy" != NONE ]; then
|
||||
case $COMMAND in
|
||||
start|restart)
|
||||
ensurechain $1
|
||||
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
}
|
||||
#
|
||||
@ -2066,8 +2082,9 @@ setup_mac_lists() {
|
||||
setup_syn_flood_chain ()
|
||||
# $1 = policy chain
|
||||
# $2 = synparams
|
||||
# $3 = loglevel
|
||||
{
|
||||
local chain=$1
|
||||
local chain=@$1
|
||||
local limit=$2
|
||||
local limit_burst=
|
||||
|
||||
@ -2078,9 +2095,11 @@ setup_syn_flood_chain ()
|
||||
;;
|
||||
esac
|
||||
|
||||
run_iptables -N @$chain
|
||||
run_iptables -A @$chain -m limit --limit $limit $limit_burst -j RETURN
|
||||
run_iptables -A @$chain -j DROP
|
||||
run_iptables -N $chain
|
||||
run_iptables -A $chain -m limit --limit $limit $limit_burst -j RETURN
|
||||
[ -n "$3" ] && \
|
||||
log_rule_limit $3 $chain $chain DROP "-m limit --limit 5/min --limit-burst 5" "" ""
|
||||
run_iptables -A $chain -j DROP
|
||||
}
|
||||
|
||||
#
|
||||
@ -5465,21 +5484,20 @@ determine_capabilities() {
|
||||
PHYSDEV_MATCH=
|
||||
IPRANGE_MATCH=
|
||||
|
||||
if qt $IPTABLES -N fooX1234 ; then
|
||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||
qt $IPTABLES -N fooX1234
|
||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||
|
||||
|
||||
if [ -n "$PKTTYPE" ]; then
|
||||
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
||||
fi
|
||||
|
||||
qt $IPTABLES -F fooX1234
|
||||
qt $IPTABLES -X fooX1234
|
||||
if [ -n "$PKTTYPE" ]; then
|
||||
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
||||
fi
|
||||
|
||||
qt $IPTABLES -F fooX1234
|
||||
qt $IPTABLES -X fooX1234
|
||||
}
|
||||
|
||||
report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
|
||||
@ -6106,7 +6124,7 @@ add_common_rules() {
|
||||
|
||||
run_iptables -A $(input_chain $interface) -j $chain
|
||||
run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface)
|
||||
run_iptables -A OUTPUT -j $(dynamic_out $interface)
|
||||
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
|
||||
done
|
||||
fi
|
||||
|
||||
@ -6126,7 +6144,7 @@ apply_policy_rules() {
|
||||
eval loglevel=\$${chain}_loglevel
|
||||
eval synparams=\$${chain}_synparams
|
||||
|
||||
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams
|
||||
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
|
||||
|
||||
if havechain $chain; then
|
||||
[ -n "$synparams" ] && \
|
||||
@ -6280,8 +6298,9 @@ activate_rules()
|
||||
|
||||
[ -n "$complex" ] && frwd_chain=${zone}_frwd
|
||||
|
||||
echo $zone $source_hosts >> ${STATEDIR}/zones
|
||||
|
||||
if [ -n "$DYNAMIC_ZONES" ]; then
|
||||
echo $zone $source_hosts >> ${STATEDIR}/zones
|
||||
echo "$FW $zone $chain1" >> ${STATEDIR}/chains
|
||||
echo "$zone $FW $chain2" >> ${STATEDIR}/chains
|
||||
fi
|
||||
@ -6541,9 +6560,28 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
[ -n "$aliases_to_add" ] && \
|
||||
echo "Adding IP Addresses..." && add_ip_aliases
|
||||
|
||||
for file in chains nat proxyarp zones; do
|
||||
append_file $file
|
||||
done
|
||||
|
||||
save_progress_message "Restoring Netfilter Configuration..."
|
||||
|
||||
save_command 'iptables-restore << __EOF__'
|
||||
|
||||
# 'shorewall save' appends the iptables-save output and '__EOF__'
|
||||
|
||||
mv -f $RESTOREBASE /var/lib/shorewall/restore-base-$$
|
||||
|
||||
> $RESTOREBASE
|
||||
|
||||
save_command "#"
|
||||
save_command "# Restore tail file generated by Shorewall $version - $(date)"
|
||||
save_command "#"
|
||||
save_command "date > $STATEDIR/restarted"
|
||||
|
||||
run_user_exit start
|
||||
|
||||
[ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist
|
||||
[ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist
|
||||
|
||||
createchain shorewall no
|
||||
|
||||
@ -6553,19 +6591,8 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
|
||||
rm -rf $TMP_DIR
|
||||
|
||||
for file in chains nat proxyarp zones; do
|
||||
append_file $file
|
||||
done
|
||||
|
||||
save_command "date > $STATEDIR/restarted"
|
||||
|
||||
save_progress_message "Restoring Netfilter Configuration..."
|
||||
|
||||
save_command 'iptables-restore << __EOF__'
|
||||
|
||||
# 'shorewall save' appends the iptables-save output and '__EOF__'
|
||||
|
||||
mv -f $RESTOREBASE /var/lib/shorewall/restore-base
|
||||
mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
|
||||
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
|
||||
|
||||
}
|
||||
|
||||
@ -6622,6 +6649,9 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
|
||||
do_iptables() # $@ = command
|
||||
{
|
||||
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||
|
||||
if ! $IPTABLES $@ ; then
|
||||
startup_error "Can't add $1 to zone $2"
|
||||
fi
|
||||
@ -6630,7 +6660,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
#
|
||||
# Isolate interface and host parts
|
||||
#
|
||||
interface=${1%:*}
|
||||
interface=${1%%:*}
|
||||
host=${1#*:}
|
||||
|
||||
[ -z "$host" ] && host="0.0.0.0/0"
|
||||
@ -6735,7 +6765,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
while read z1 z2 chain; do
|
||||
if [ "$z1" = "$zone" ]; then
|
||||
if [ "$z2" = "$FW" ]; then
|
||||
do_iptables -A $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
|
||||
do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j $chain
|
||||
else
|
||||
source_chain=$(dynamic_fwd $interface)
|
||||
eval dest_hosts=\"\$${z2}_hosts\"
|
||||
@ -6745,7 +6775,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
do_iptables -A $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
|
||||
do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
|
||||
fi
|
||||
done
|
||||
fi
|
||||
@ -6754,7 +6784,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
#
|
||||
# Add a rule to the dynamic out chain for the interface
|
||||
#
|
||||
do_iptables -A $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
|
||||
do_iptables -A $(dynamic_out $interface) $(match_dest_hosts $host) $policyout -j $chain
|
||||
else
|
||||
eval source_hosts=\"\$${z1}_hosts\"
|
||||
|
||||
@ -6763,7 +6793,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
|
||||
do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $policyout -j $chain
|
||||
fi
|
||||
done
|
||||
fi
|
||||
@ -6809,7 +6839,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
#
|
||||
# Isolate interface and host parts
|
||||
#
|
||||
interface=${1%:*}
|
||||
interface=${1%%:*}
|
||||
host=${1#*:}
|
||||
|
||||
[ -z "$host" ] && host="0.0.0.0/0"
|
||||
@ -6878,14 +6908,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
#
|
||||
# Delete any nat table entries for the host(s)
|
||||
#
|
||||
qt $IPTABLES -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
|
||||
qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j ${zone}_dnat
|
||||
#
|
||||
# Delete rules rules the input chains for the passed interface
|
||||
#
|
||||
while read z1 z2 chain; do
|
||||
if [ "$z1" = "$zone" ]; then
|
||||
if [ "$z2" = "$FW" ]; then
|
||||
qt $IPTABLES -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
|
||||
qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j $chain
|
||||
else
|
||||
source_chain=$(dynamic_fwd $interface)
|
||||
eval dest_hosts=\"\$${z2}_hosts\"
|
||||
@ -6895,13 +6925,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
qt $IPTABLES -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
|
||||
qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
|
||||
fi
|
||||
done
|
||||
fi
|
||||
elif [ "$z2" = "$zone" ]; then
|
||||
if [ "$z1" = "$FW" ]; then
|
||||
qt $IPTABLES -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
|
||||
qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $policyout -j $chain
|
||||
else
|
||||
eval source_hosts=\"\$${z1}_hosts\"
|
||||
|
||||
@ -6910,7 +6940,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
qt $IPTABLES -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
|
||||
qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $policyout -j $chain
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
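Review bot: The filter-table deletions in delete_from_zone (the `qt_iptables -D …` calls in the last three hunks) discard the exit status, so `shorewall delete` finishes silently even when a rule for the host could not be removed and the host keeps its dynamic-zone access; only the nat-table deletion has an obvious reason to stay quiet, since that chain may not exist on every configuration. I would surface the failure on the filter-table calls, e.g. `qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j $chain || echo "   WARNING: rule for $host was not removed from $(dynamic_in $interface)" >&2`, and do the same for the forward and output deletions, so the operator learns that zone membership is stale instead of assuming the host is gone. The physdev/iprange marker removal that qt_iptables now performs before each call is presumably so a later failure is not misattributed to those modules — that intent is not visible from the call sites and deserves a one-line comment in qt_iptables. delete_from_zone's body starts and ends outside these hunks.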
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall 2.1 -- /usr/share/shorewall/functions
|
||||
# Shorewall 2.2 -- /usr/share/shorewall/functions
|
||||
|
||||
# Function to truncate a string -- It uses 'cut -b -<n>'
|
||||
# rather than ${v:first:last} because light-weight shells like ash and
|
||||
@ -73,9 +73,9 @@ qt()
|
||||
#
|
||||
# Perform variable substitution on the passed argument and echo the result
|
||||
#
|
||||
expand() # $1 = contents of variable which may be the name of another variable
|
||||
expand() # $@ = contents of variable which may be the name of another variable
|
||||
{
|
||||
eval echo \"$1\"
|
||||
eval echo \"$@\"
|
||||
}
|
||||
|
||||
#
|
||||
@ -459,7 +459,7 @@ read_file() # $1 = file name, $2 = nest count
|
||||
while read first rest; do
|
||||
if [ "x$first" = "xINCLUDE" ]; then
|
||||
if [ $2 -lt 4 ]; then
|
||||
read_file $(find_file ${rest%#*}) $(($2 + 1))
|
||||
read_file $(find_file $(expand ${rest%#*})) $(($2 + 1))
|
||||
else
|
||||
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
|
||||
fi
|
||||
@ -477,7 +477,7 @@ read_file() # $1 = file name, $2 = nest count
|
||||
# Function for including one file into another
|
||||
#
|
||||
INCLUDE() {
|
||||
. $(find_file $@)
|
||||
. $(find_file $(expand $@))
|
||||
}
|
||||
|
||||
#
|
||||
|
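Review bot: `expand()` now runs `eval echo \"$@\"` on text taken straight from configuration files — the INCLUDE argument in read_file and in the INCLUDE() function — so any `$(…)`, backtick or unbalanced double quote in that argument is executed by the shell before find_file ever sees it, and a file name containing a double quote breaks the eval with a syntax error. That is presumably acceptable only because the configuration files are trusted, root-owned input, and the `${rest%#*}` comment stripping is the sole sanitising step; I would state this in the function's header comment, e.g. `# NOTE: the argument is passed through eval, so it must come from trusted (root-owned) configuration only - shell metacharacters are interpreted.` The widening from `$1` to `$@` also means several words are joined by a single space into one echoed line; worth documenting, since both call sites now rely on it. read_file and INCLUDE() both continue outside the hunks.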
@ -29,11 +29,11 @@
|
||||
case $1 in
|
||||
|
||||
add)
|
||||
echo "add: add <interface>[:<host>] <zone>
|
||||
echo "add: add <interface>[:<bridge-port>][:<host>] <zone>
|
||||
Adds a host or subnet to a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall add interface[:host] zone - Adds the specified interface
|
||||
(and host if included) to the specified zone.
|
||||
(and bridge port/host if included) to the specified zone.
|
||||
|
||||
Example:
|
||||
|
||||
@ -95,11 +95,11 @@ debug)
|
||||
;;
|
||||
|
||||
delete)
|
||||
echo "delete: delete <interface>[:<host>] <zone>
|
||||
echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone>
|
||||
Deletes a host or subnet from a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall delete interface[:host] zone - Deletes the specified
|
||||
interface (and host if included) from the specified zone.
|
||||
shorewall delete interface[:port][:host] zone - Deletes the specified
|
||||
interface (and bridge port/host if included) from the specified zone.
|
||||
|
||||
Example:
|
||||
|
||||
@ -219,7 +219,7 @@ save)
|
||||
;;
|
||||
|
||||
show)
|
||||
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
|
||||
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos|zones]
|
||||
|
||||
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
|
||||
(iptables -L chain -n -v)
|
||||
@ -238,6 +238,8 @@ show)
|
||||
shorewall show tc - displays information about the traffic
|
||||
control/shaping configuration.
|
||||
|
||||
shorewall show zones - displays the contents of all zones.
|
||||
|
||||
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
||||
;;
|
||||
|
||||
|
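Review bot: The `add` help text is now internally inconsistent: its synopsis was updated to `add <interface>[:<bridge-port>][:<host>] <zone>` and its description to "bridge port/host", but the usage line between them still reads `shorewall add interface[:host] zone`, whereas the `delete` entry updated its matching line to `shorewall delete interface[:port][:host] zone`. Change the add line to `shorewall add interface[:port][:host] zone - Adds the specified interface` so the two entries agree. The example that follows is outside the hunk, so I cannot tell whether it also needs the bridge-port form.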
@ -1 +1 @@
|
||||
2.2.0-Beta6
|
||||
2.2.0-Beta7
|
||||
|
@ -1635,7 +1635,7 @@ alias ipt_pkttype off</programlisting>
|
||||
url="http://www.cityofshoreline.com">the city where I live</ulink>) and
|
||||
<quote>Fire<emphasis>wall</emphasis></quote>. The full name of the
|
||||
product is actually <quote>Shoreline Firewall</quote> but
|
||||
<quote>Shorewall</quote> is must more commonly used.</para>
|
||||
<quote>Shorewall</quote> is much more commonly used.</para>
|
||||
</section>
|
||||
|
||||
<section id="faq23">
|
||||
@ -1740,8 +1740,9 @@ alias ipt_pkttype off</programlisting>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Netfilter/iptables doesn't fully support IPSEC in the 2.6
|
||||
Kernels -- there are interim instructions linked from the <ulink
|
||||
url="IPSEC.htm">Shorewall IPSEC page</ulink>.</para>
|
||||
Kernels -- kernel and iptables patches are available and the details
|
||||
may be found at the <ulink url="IPSEC-2.6.htm">Shorewall IPSEC-2.6
|
||||
page</ulink>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|