diff --git a/Shorewall/firewall b/Shorewall/firewall
index b8a235120..3d5e128b4 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -38,8 +38,6 @@
 # shorewall clear Remove all Shorewall chains
 # and rules/policies.
 # shorewall refresh . Rebuild the common chain
-# shorewall check Verify the more heavily-used
-# configuration files.
 #
 # Search a list looking for a match -- returns zero if a match found 
@@ -655,338 +653,6 @@ mac_match() # $1 = MAC address formated as described above echo "--match mac --mac-source `echo $1 | sed 's/~//;s/-/:/g'`" } -# -# validate a record from the rules file -# -# The caller has loaded the column contents from the record into the following -# variables: -# -# target clients servers protocol ports cports address -# -# and has loaded a space-separated list of their values in "rule". -# -validate_rule() { - # - # Ensure that the passed comma-separated list has 15 or fewer elements - # - validate_list() { - local temp="`separate_list $1`" - - [ `echo $temp | wc -w` -le 15 ] - } - - # - # validate one rule - # - validate_a_rule() { - # - # Determine the format of the client - # - cli= - - [ -n "$client" ] && case "$client" in - -) - ;; - *:*) - cli="-i ${client%:*} -s ${client#*:}" - ;; - ~*) - cli=`mac_match $client` - ;; - *.*.*) - # - # IP Address, address or subnet - # - cli="-s $client" - ;; - *) - # - # Assume that this is a device name - # - cli="-i $client" - ;; - esac - - dest_interface= - - [ -n "$server" ] && case "$server" in - -) - serv= - ;; - *.*.*) - serv=$server - ;; - ~*) - startup_error "Rule \"$rule\" - Destination may not be specified by MAC Address" - ;; - *) - dest_interface="-o $server" - serv= - ;; - esac - # - # Setup PROTOCOL, PORT and STATE variables - # - sports="" - dports="" - state="-m state --state NEW" - proto=$protocol - addr=$address - servport=$serverport - - case $proto in - tcp|udp|TCP|UDP|6|17) - [ -n "$port" ] && [ "x${port}" != "x-" ] && \ - dports="--dport $port" - [ -n "$cport" ] && [ "x${cport}" != "x-" ] && \ - sports="--sport $cport" - ;; - icmp|ICMP|0) - [ -n "$port" ] && dports="--icmp-type $port" - state="" - ;; - *) - state= - [ -n "$port" ] && [ "x${port}" != "x-" ] && \ - startup_error "Port number not allowed with protocol " \ - "\"$proto\"; rule: \"$rule\"" - ;; - esac - - proto="${proto:+-p $proto}" - - case "$logtarget" in - REJECT) - target=reject - [ -n "$servport" ] && \ - 
startup_error "Server port may not be specified in a REJECT rule;"\ - "rule: \"$rule\"" - ;; - ACCEPT) - [ -n "$servport" ] && \ - startup_error "Server port may not be specified in an ACCEPT rule;"\ - "rule: \"$rule\"" - ;; - CONTINUE) - target=RETURN - [ -n "$servport" ] && \ - startup_error "Server port may not be specified in a CONTINUE rule;"\ - "rule: \"$rule\"" - ;; - LOG) - [ -n "$servport" ] && \ - startup_error "Server port may not be specified in an LOG rule;"\ - "rule: \"$rule\"" - - [ -n "$loglevel" ] || \ - startup_error "LOG target requires a log level" - ;; - REDIRECT) - [ -n "$serv" ] && startup_error "REDIRECT rules cannot"\ - " specify a server IP; rule: \"$rule\"" - servport=${servport:=$port} - ;; - DNAT) - [ -n "$serv" ] || startup_error "DNAT rules require a" \ - " server address; rule: \"$rule\"" - ;; - esac - - if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then - error_message "Warning -- Rule \"$rule\" is a POLICY" - error_message " -- and should be moved to the policy file" - fi - - if [ -n "${serv}${servport}" ]; then - # - # Destination is a Specific Server or we're redirecting a port - # - if [ -n "$addr" -a "$addr" != "$serv" ]; then - # - # Must use Prerouting DNAT - # - if [ -z "$NAT_ENABLED" ]; then - startup_error \ - "Rule \"$rule\" requires NAT which is disabled" - fi - - if [ "$target" != "ACCEPT" ]; then - startup_error "Only ACCEPT rules may specify " \ - "port mapping; rule \"$rule\"" - fi - fi - else - [ -n "$addr" ] && startup_error \ - "An ADDRESS ($addr) is only allowed in" \ - " a DNAT or REDIRECT rule: \"$rule\"" - fi - } - # - # V a l i d a t e _ R u l e S t a r t s H e r e - # - # Parse the Target and Clients columns - # - if [ "$target" = "${target%:*}" ]; then - loglevel= - else - loglevel="${target#*:}" - target="${target%:*}" - expandv loglevel - fi - - logtarget="$target" - # - # DNAT and REDIRECT targets were implemented in version 1.3 to replace - # an older syntax. 
We simply map the new syntax into the old and proceed. - # - case $target in - DNAT) - target=ACCEPT - address=${address:=detect} - ;; - DNAT-) - target=ACCEPT - address=${address:=detect} - logtarget=DNAT - ;; - REDIRECT) - target=ACCEPT - address=${address:=all} - if [ "x-" = "x$servers" ]; then - servers=$FW - else - servers="fw::$servers" - fi - ;; - ACCEPT|DROP|REJECT|LOG) - ;; - *) - startup_error "Invalid target; rule: \"$rule\"" - - esac - - if [ "$clients" = "${clients%:*}" ]; then - clientzone="$clients" - clients= - else - clientzone="${clients%%:*}" - clients="${clients#*:}" - [ -z "$clientzone" -o -z "$clients" ] && \ - startup_error "Empty source zone or qualifier: rule \"$rule\"" - fi - - if [ "$clientzone" = "${clientzone%\!*}" ]; then - excludezones= - else - excludezones="${clientzone#*\!}" - clientzone="${clientzone%\!*}" - - [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ - startup_error "Exclude list only allowed with DNAT or REDIRECT" - fi - # - # Validate the Source Zone - # - if ! validate_zone $clientzone; then - [ "x$clientzone" = xall ] || startup_error "Undefined Client Zone in rule \"$rule\"" - fi - - source=$clientzone - - [ $source = $FW ] && source_hosts= || eval source_hosts=\"\$${source}_hosts\" - - # - # Parse the servers column - # - if [ "$servers" = "${servers%:*}" ] ; then - serverzone="$servers" - servers= - serverport= - else - serverzone="${servers%%:*}" - servers="${servers#*:}" - if [ "$servers" != "${servers%:*}" ] ; then - serverport="${servers#*:}" - servers="${servers%:*}" - [ -z "$serverzone" -o -z "$serverport" ] && \ - startup_error "Empty destination zone or server port: rule \"$rule\"" - else - serverport= - [ -z "$serverzone" -o -z "$servers" ] && \ - startup_error "Empty destination zone or qualifier: rule \"$rule\"" - fi - fi - # - # Validate the destination zone - # - if ! 
validate_zone $serverzone; then - [ "x$serverzone" = xall ] || startup_error "Undefined Server Zone in rule \"$rule\"" - fi - - dest=$serverzone - - chain=${source}2${dest} - - if [ "x$chain" = x${FW}2${FW} ]; then - case $logtarget in - REDIRECT) - ;; - *) - error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored" - return - ;; - esac - fi - - # - # Check length of port lists if MULTIPORT set - # - if [ -n "$MULTIPORT" ]; then - validate_list $ports || - error_message "Warning: Too many destination ports: Rule \"$rule\"" - validate_list $cports || - error_message "Warning: Too many source ports: Rule \"$rule\"" - fi - - # - # Iterate through the various lists validating individual rules - # - for client in `separate_list ${clients:=-}`; do - for server in `separate_list ${servers:=-}`; do - for port in `separate_list ${ports:=-}`; do - for cport in `separate_list ${cports:=-}`; do - validate_a_rule - done - done - done - done - - echo " Rule \"$rule\" validated." -} - -# -# validate the rules file -# -validate_rules() # $1 = name of rules file -{ - strip_file rules - - while read target clients servers protocol ports cports address; do - expandv clients servers protocol ports cports address - case "$target" in - - ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*|LOG*|CONTINUE*) - rule="`echo $target $clients $servers $protocol $ports $cports $address`" - validate_rule - ;; - *) - rule="`echo $target $clients $servers $protocol $ports $cports $address`" - startup_error "Invalid Target - rule \"$rule\" ignored" - ;; - esac - done < $TMP_DIR/rules -} - # # validate the policy file # @@ -1002,14 +668,6 @@ validate_policy() local loglevel local synparams - print_policy() # $1 = source zone, $2 = destination zone - { - [ $command != check ] || \ - [ $1 = all ] || \ - [ $2 = all ] || \ - echo " Policy for $1 to $2 is $policy" - } - all_policy_chains= strip_file policy 
@@ -1076,7 +734,6 @@ validate_policy()
 if [ -z "$pc" ]; then
 eval ${zone}2${zone1}_policychain=$chain
- print_policy $zone $zone1
 fi
 done
 done
@@ -1086,7 +743,6 @@ validate_policy()
 if [ -z "$pc" ]; then
 eval ${zone}2${server}_policychain=$chain
- print_policy $zone $server
 fi
 done
 fi
@@ -1096,12 +752,10 @@ validate_policy()
 if [ -z "$pc" ]; then
 eval ${client}2${zone}_policychain=$chain
- print_policy $client $zone
 fi
 done
 else
 eval ${chain}_policychain=${chain}
- print_policy $client $server
 fi
 done < $TMP_DIR/policy
@@ -4091,50 +3745,6 @@ define_firewall() # $1 = Command (Start or Restart)
 rm -rf $TMP_DIR
 }
-#
-# Check the configuration
-#
-check_config() {
- echo "Verifying Configuration..."
-
- verify_os_version
-
- load_kernel_modules
-
- echo "Determining Zones..."
-
- determine_zones
-
- [ -z "$zones" ] && startup_error "No Zones Defined"
-
- display_list "Zones:" $zones
-
- echo "Validating interfaces file..."
-
- validate_interfaces_file
-
- echo "Validating hosts file..."
-
- validate_hosts_file
-
- echo "Determining Hosts in Zones..."
-
- determine_interfaces
- determine_hosts
-
- echo "Validating rules file..."
-
- validate_rules
-
- echo "Validating policy file..."
-
- validate_policy
-
- rm -rf $TMP_DIR
-
- echo "Configuration Validated"
-}
-
 #
 # Rebuild the common chain
 #
@@ -4864,12 +4474,6 @@ case "$command" in
 my_mutex_off
 ;;
- check)
- [ $# -ne 1 ] && usage
- do_initialize
- check_config
- ;;
-
 add)
 [ $# -ne 3 ] && usage
 do_initialize
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index b87f77de0..f93b5e59e 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -60,8 +60,6 @@
 # shorewall show tc Display traffic control info
 # shorewall show classifiers Display classifiers
 # shorewall version Display the installed version id
-# shorewall check Verify the more heavily-used
-# configuration files.
 # shorewall try [ ] Try a new configuration and if
 # it doesn't work, revert to the
 # standard one. If a timeout is supplied 
@@ -84,6 +82,7 @@
 #
 # Display a chain if it exists
 #
+
 showfirstchain() # $1 = name of chain
 {
 awk \
@@ -500,7 +499,6 @@ usage() # $1 = exit status
 echo " hits"
 echo " monitor []"
 echo " version"
- echo " check"
 echo " try [ ]"
 echo " logwatch []"
 echo " drop
..."
@@ -641,7 +639,7 @@ case `echo -n "Testing"` in
 esac
 case "$1" in
- start|stop|restart|reset|clear|refresh|check)
+ start|stop|restart|reset|clear|refresh)
 [ $# -ne 1 ] && usage 1
 exec $FIREWALL $debugging $nolock $1
 ;;
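Review bot: With `check` removed from this arm, `shorewall check` now reaches the default arm of `case "$1"`, which lies outside the hunk; that arm should print usage and exit non-zero rather than forward the word to `$FIREWALL`, whose own `check)` arm this same commit removes, so the firewall script would fall to its default arm as well. The context line `exec $FIREWALL $debugging $nolock $1` passes `$1` unquoted; it is harmless here because the pattern fixes `$1` to one of the listed words, but any arm that forwards arbitrary user-supplied words should quote it as `"$1"`. The enclosing `case` statement begins and ends outside the hunk.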