Changes for 1.3.10

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@321 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-11-09 18:24:03 +00:00
parent a6c7cf06ee
commit 5d60471420
11 changed files with 1283 additions and 575 deletions



@ -35,6 +35,12 @@
# route messages to and from this
# member when the firewall is in the
# stopped state
# maclist - Connection requests from these hosts
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
#
#ZONE HOST(S) OPTIONS


@ -16,7 +16,9 @@
# place "-" in this column.
#
# INTERFACE Name of interface. Each interface may be listed only
# once in this file.
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
@ -81,6 +83,12 @@
# . . blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
# maclist - Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.

18
Lrp/etc/shorewall/maclist Normal file

@ -0,0 +1,18 @@
#
# Shorewall 1.3 - MAC list file
#
# /etc/shorewall/maclist
#
# Columns are:
#
# INTERFACE Network interface to a host
#
# MAC MAC address of the host -- you do not need to use
# the Shorewall format for MAC addresses here
#
# IP ADDRESSES Optional -- if specified, both the MAC and IP address
# must match. This column can contain a comma-separated
# list of host and/or subnet addresses.
##############################################################################
#INTERFACE MAC IP ADDRESSES (Optional)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
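Review bot: The column descriptions at the top of this new file do not say what a maclist match actually establishes, and a reader enabling the `maclist` interface option may read it as host authentication; a one-line caveat belongs next to the MAC column. Suggested text after the MAC description: `# Note: the MAC address is chosen by the host itself, so this list limits which devices are expected on the interface; it is not a substitute for authenticating the host.` The IP ADDRESSES description already states that supplying it makes both MAC and IP have to match, which is worth recommending explicitly in the same place.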


@ -8,6 +8,12 @@
#
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
##############################################################################
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# NAME OF THE FIREWALL ZONE
#
@ -155,7 +161,8 @@ ADD_IP_ALIASES=Yes
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases youself.
# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
# you are sure that you need it -- most people don't!!!
#
ADD_SNAT_ALIASES=No
@ -377,4 +384,25 @@ FORWARDPING=Yes
NEWNOTSYN=No
#
# MAC List Disposition
#
# This variable determines the disposition of connection requests arriving
# on interfaces that have the 'maclist' option and that are from a device
# that is not listed for that interface in /etc/shorewall/maclist. Valid
# values are ACCEPT, DROP and REJECT. If not specified or specified as
# empty (MACLIST_DISPOSITION="") then REJECT is assumed
MACLIST_DISPOSITION=REJECT
#
# MAC List Log Level
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
MACLIST_LOG_LEVEL=info
#LAST LINE -- DO NOT REMOVE
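Review bot: The new `PATH=` line at the top of the first hunk lets this configuration file decide which iptables and other binaries the root-run scripts execute, but the comment above it only presents it as a search-order preference; the sbin/shorewall section of this commit refers to setting variables from shorewall.conf, so the file is presumably sourced and its ownership and mode matter. I would extend the comment: `# This file is read by scripts running as root, so PATH here decides which binaries they run; list only root-owned directories and keep this file writable by root only.` The MACLIST_DISPOSITION comment in the last hunk lists the valid values and the empty-value default but not what happens with any other value; one sentence on that would complete it.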


@ -9,7 +9,8 @@
#
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ip" or "gre"
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
# "gre","pptpclient" or "pptpserver"
#
# ZONE -- The zone of the physical interface through which
# tunnel traffic passes. This is normally your internet
@ -19,10 +20,10 @@
# remote getway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0.
#
# GATEWAY ZONE-- Optional. If the gateway system specified in the third
# GATEWAY ZONES -- Optional. If the gateway system specified in the third
# column is a standalone host then this column should
# contain the name of the zone that the host is in. This
# column only applies to IPSEC tunnels.
# contain a comma-separated list of the names of the zones that
# the host might be in. This column only applies to IPSEC tunnels.
#
# Example 1:
#
@ -47,5 +48,28 @@
#
# ipsec net 4.33.99.124 gw
#
# TYPE ZONE GATEWAY GATEWAY ZONE
# Example 4:
#
# Road Warriors that may belong to zones vpn1, vpn2 or
# vpn3. The FreeS/Wan _updown script will add the
# host to the appropriate zone using the "shorewall add"
# command on connect and will remove the host from the
# zone at disconnect time.
#
# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3
#
# Example 5:
#
# You run the Linux PPTP client on your firewall and
# connect to server 192.0.2.221.
#
# pptpclient net 192.0.2.221
#
# Example 6:
#
# You run a PPTP server on your firewall.
#
# pptpserver net
#
# TYPE ZONE GATEWAY GATEWAY ZONE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
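Review bot: The column header re-added at the end of the last hunk still reads `# TYPE ZONE GATEWAY GATEWAY ZONE`, while the second hunk renames the column description to `GATEWAY ZONES` and now describes a comma-separated list of zone names; the header should follow, `# TYPE ZONE GATEWAY GATEWAY ZONES`. Examples 5 and 6 leave the fourth column empty for pptpclient and pptpserver, which agrees with the description saying the column applies only to IPSEC tunnels, so the header is the only line out of step.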


@ -32,6 +32,8 @@
#
# Commands are:
#
# shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone
# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
# shorewall start Starts the firewall
# shorewall restart Restarts the firewall
# shorewall stop Stops the firewall
@ -108,11 +110,10 @@ showchain() # $1 = name of chain
fi
}
#################################################################################
# Set the configuration variables from shorewall.conf #
#################################################################################
#
# Set the configuration variables from shorewall.conf
#
get_config() {
get_statedir
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
@ -133,10 +134,10 @@ get_config() {
[ -n "$FW" ] || FW=fw
}
#################################################################################
# Display IPTABLES rules -- we used to store them in a variable but ash #
# dies when trying to display large sets of rules #
#################################################################################
#
# Display IPTABLES rules -- we used to store them in a variable but ash
# dies when trying to display large sets of rules
#
display_chains()
{
trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
@ -226,10 +227,10 @@ display_chains()
}
#################################################################################
# Delay $timeout seconds -- if we're running on a recent bash2 then allow #
# <enter> to terminate the delay #
#################################################################################
#
# Delay $timeout seconds -- if we're running on a recent bash2 then allow
# <enter> to terminate the delay
#
timed_read ()
{
read -t $timeout foo 2> /dev/null
@ -237,9 +238,9 @@ timed_read ()
test $? -eq 2 && sleep $timeout
}
#################################################################################
# Display the last $1 packets logged #
#################################################################################
#
# Display the last $1 packets logged
#
packet_log() # $1 = number of messages
{
local options
@ -253,9 +254,9 @@ packet_log() # $1 = number of messages
tail $options
}
#################################################################################
# Show traffic control information #
#################################################################################
#
# Show traffic control information
#
show_tc() {
show_one_tc() {
@ -283,9 +284,9 @@ show_tc() {
}
#################################################################################
# Monitor the Firewall #
#################################################################################
#
# Monitor the Firewall
#
monitor_firewall() # $1 = timeout -- if negative, prompt each time that
# an 'interesting' packet count changes
{
@ -359,9 +360,9 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
done
}
#################################################################################
# Watch the Firewall Log #
#################################################################################
#
# Watch the Firewall Log
#
logwatch() # $1 = timeout -- if negative, prompt each time that
# an 'interesting' packet count changes
{
@ -409,13 +410,15 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
done
}
#################################################################################
# Give Usage Information #
#################################################################################
#
# Give Usage Information
#
usage() # $1 = exit status
{
echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>"
echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>"
echo " delete <interface>[:<host>] <zone>"
echo " show [<chain>|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
@ -437,17 +440,17 @@ usage() # $1 = exit status
exit $1
}
#################################################################################
# Display the time that the counters were last reset #
#################################################################################
#
# Display the time that the counters were last reset
#
show_reset() {
[ -f $STATEDIR/restarted ] && \
echo -e "Counters reset `cat $STATEDIR/restarted`\\n"
}
#################################################################################
# Execution begins here #
#################################################################################
#
# Execution begins here
#
debugging=
if [ $# -gt 0 ] && [ "$1" = "debug" ]; then
@ -532,11 +535,17 @@ fi
banner="Shorewall-$version Status at $HOSTNAME -"
get_statedir
case "$1" in
start|stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1
exec $firewall $debugging $nolock $1
;;
add|delete)
[ $# -ne 3 ] && usage 1
exec $firewall $debugging $nolock $1 $2 $3
;;
show)
[ $# -gt 2 ] && usage 1
case "$2" in
@ -550,7 +559,6 @@ case "$1" in
iptables -t nat -L -n -v
;;
tos|mangle)
get_config
echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n"
show_reset
iptables -t mangle -L -n -v
@ -567,7 +575,6 @@ case "$1" in
show_tc
;;
*)
get_config
echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n"
show_reset
iptables -L $2 -n -v
@ -710,6 +717,8 @@ case "$1" in
[ $# -ne 1 ] && usage 1
mutex_on
if qt iptables -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo "Dynamic Rules Saved"
else
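Review bot: In the new `add|delete)` branch the user-supplied interface, host and zone arguments are handed on unquoted, `exec $firewall $debugging $nolock $1 $2 $3`, so a value containing whitespace or a glob character is word-split or expanded before the firewall script sees it; `$debugging` and `$nolock` are intentionally unquoted so that empty values disappear, but the three positional parameters should be `"$1" "$2" "$3"`. The `[ $# -ne 3 ] && usage 1` guard above it only checks the count, not the content. Where the firewall script turns these values into rules is outside this diff.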


@ -80,17 +80,17 @@ determine_zones()
}
###############################################################################
#
# The following functions may be used by apps that wish to ensure that
# the state of Shorewall isn't changing
#------------------------------------------------------------------------------
#
# This function loads the STATEDIR variable (directory where Shorewall is to
# store state files). If your application supports alternate Shorewall
# configurations then the name of the alternate configuration directory should
# be in $SHOREWALL_DIR at the time of the call.
#
# If the shorewall.conf file does not exist, this function does not return
###############################################################################
#
get_statedir()
{
MUTEX_TIMEOUT=
@ -107,7 +107,7 @@ get_statedir()
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
}
###############################################################################
#
# Call this function to assert MUTEX with Shorewall. If you invoke the
# /sbin/shorewall program while holding MUTEX, you should pass "nolock" as
# the first argument. Example "shorewall nolock refresh"
@ -115,7 +115,7 @@ get_statedir()
# This function uses the lockfile utility from procmail if it exists.
# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
# behavior of lockfile.
###############################################################################
#
mutex_on()
{
local try=0
@ -145,18 +145,18 @@ mutex_on()
fi
}
###############################################################################
#
# Call this function to release MUTEX
###############################################################################
#
mutex_off()
{
rm -f $STATEDIR/lock
}
###############################################################################
# Strip comments and blank lines from a file and place the result in the #
# temporary directory #
###############################################################################
#
# Strip comments and blank lines from a file and place the result in the
# temporary directory
#
strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
{
local fname


@ -4,6 +4,7 @@
/etc/shorewall/hosts Hosts Define specific zones
/etc/shorewall/policy Policy Firewall high-level policy
/etc/shorewall/rules Rules Exceptions to policy
/etc/shorewall/maclist Maclist MAC Verification
/etc/shorewall/masq Masq Internal MASQ Server Configuration
/etc/shorewall/proxyarp ProxyArp Proxy ARP Configuration
/etc/shorewall/routestopped Stopped Hosts admitted after 'shorewall stop'


@ -2,5 +2,4 @@ etc/init.d/shorewall
etc/shorewall
sbin/shorewall
usr/lib/shorewall
var/lib/shorewall
var/lib/lrpkg/shorwall.*


@ -1 +1 @@
1.3.9
1.3.10