From 63f3b609f7f000aa5913fb657b988526947353fd Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 10 Dec 2008 02:07:09 +0000 Subject: [PATCH] More cleanup git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8968 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Samples6/one-interface/interfaces | 2 +- Samples6/three-interfaces/interfaces | 8 +-- Samples6/three-interfaces/rules | 10 +-- .../{shorewall.conf => shorewall6.conf} | 69 ++----------------- Samples6/two-interfaces/interfaces | 4 +- Samples6/two-interfaces/masq | 19 ----- Samples6/two-interfaces/rules | 4 +- .../{shorewall.conf => shorewall6.conf} | 69 ++----------------- Samples6/two-interfaces/zones | 4 +- Shorewall-perl/Shorewall/Compiler.pm | 11 +-- 10 files changed, 37 insertions(+), 163 deletions(-) rename Samples6/three-interfaces/{shorewall.conf => shorewall6.conf} (77%) delete mode 100644 Samples6/two-interfaces/masq rename Samples6/two-interfaces/{shorewall.conf => shorewall6.conf} (77%) diff --git a/Samples6/one-interface/interfaces b/Samples6/one-interface/interfaces index 97ef3de09..e7d3a166a 100644 --- a/Samples6/one-interface/interfaces +++ b/Samples6/one-interface/interfaces @@ -16,5 +16,5 @@ # ############################################################################### #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect tcpflags,nosmurfs +net eth0 detect tcpflags #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Samples6/three-interfaces/interfaces b/Samples6/three-interfaces/interfaces index b1289cb44..367da4159 100644 --- a/Samples6/three-interfaces/interfaces +++ b/Samples6/three-interfaces/interfaces 
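Review bot: `+net eth0 detect tcpflags` drops `nosmurfs` from the only interface entry with nothing to say whether the option is unsupported for IPv6 or merely judged unnecessary; if the Shorewall6 compiler does accept it, the sample silently loses smurf protection. The three-interfaces and two-interfaces `interfaces` hunks make the same removal and additionally drop `routefilter`, `logmartians` and `dhcp`, and for an interface that obtains its address via DHCPv6 the `dhcp` option may need to come back, assuming Shorewall6 honours it. A short comment above the entries would make the intent explicit, e.g. `# IPv4-only interface options (nosmurfs, routefilter, logmartians) are not used in the IPv6 samples` — provided that is in fact the reason.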
@@ -1,6 +1,6 @@ # -# Shorewall version 4.0 - Sample Interfaces File for three-interface configuration. -# Copyright (C) 2006 by the Shorewall Team +# Shorewall6 version 4.0 - Sample Interfaces File for three-interface configuration. +# Copyright (C) 2006,2008 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -16,7 +16,7 @@ # ############################################################################### #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians -loc eth1 detect tcpflags,nosmurfs +net eth0 detect tcpflags +loc eth1 detect tcpflags dmz eth2 detect #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Samples6/three-interfaces/rules b/Samples6/three-interfaces/rules index 59b47523e..88af478a8 100644 --- a/Samples6/three-interfaces/rules +++ b/Samples6/three-interfaces/rules @@ -1,6 +1,6 @@ # -# Shorewall version 4.0 - Sample Rules File for three-interface configuration. -# Copyright (C) 2006,2007 by the Shorewall Team +# Shorewall6 version 4.0 - Sample Rules File for three-interface configuration. +# Copyright (C) 2006,2007,2008 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -47,9 +47,9 @@ Ping/ACCEPT loc dmz Ping/ACCEPT dmz loc Ping/ACCEPT dmz net -ACCEPT $FW net icmp -ACCEPT $FW loc icmp -ACCEPT $FW dmz icmp +ACCEPT $FW net ipv6-icmp +ACCEPT $FW loc ipv6-icmp +ACCEPT $FW dmz ipv6-icmp # Uncomment this if using Proxy ARP and static NAT and you want to allow ping from # the net zone to the dmz and loc diff --git a/Samples6/three-interfaces/shorewall.conf b/Samples6/three-interfaces/shorewall6.conf similarity index 77% rename from Samples6/three-interfaces/shorewall.conf rename to Samples6/three-interfaces/shorewall6.conf index 634ed438c..3d94652e9 100644 
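Review bot: In the three-interfaces `rules` hunk the context comment `# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from` still describes IPv4 mechanisms (ARP, NAT) in what is now an IPv6 sample; the commit rewrote the `$FW` rules just above it to `ipv6-icmp` but left this guidance, which no longer applies as written. Either remove the comment together with the commented-out rules it guards (they lie outside this hunk) or reword it for IPv6. The three `ACCEPT $FW ... ipv6-icmp` lines themselves look consistent with the two-interfaces sample.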
--- a/Samples6/three-interfaces/shorewall.conf +++ b/Samples6/three-interfaces/shorewall6.conf @@ -1,7 +1,6 @@ -s############################################################################### +############################################################################### # -# Shorewall version 4.0 - Sample shorewall.conf for three-interface -# configuration. +# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or @@ -15,7 +14,6 @@ s############################################################################### # # The manpage is also online at # http://shorewall.net/manpages/shorewall.conf.html -# ############################################################################### # S T A R T U P E N A B L E D ############################################################################### @@ -28,13 +26,6 @@ STARTUP_ENABLED=No VERBOSITY=1 -############################################################################### -# C O M P I L E R -# (setting this to 'perl' requires installation of Shorewall-perl) -############################################################################### - -SHOREWALL_COMPILER= - ############################################################################### # L O G G I N G ############################################################################### @@ -57,21 +48,13 @@ LOGALLNEW= BLACKLIST_LOGLEVEL= -MACLIST_LOG_LEVEL=info - TCP_FLAGS_LOG_LEVEL=info -RFC1918_LOG_LEVEL=info - -SMURF_LOG_LEVEL=info - -LOG_MARTIANS=Yes - ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### -IPTABLES= +IP6TABLES= PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin 
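Review bot: The rewritten header line `+# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.` is wrong for this file on three counts: it is the three-interface sample, it is now named shorewall6.conf, and the version goes backwards from 4.0 to 3.4 while the sibling files in this commit say `Shorewall6 version 4.0`. The renamed two-interfaces conf gets the identical header, and both renamed files carry the same blob id 3d94652e9, so they are byte-identical copies and at most one of them can be correctly described. Suggested line here: `# Shorewall6 version 4.0 - Sample shorewall6.conf for three-interface configuration.`, with the two-interfaces copy saying "two-interface". The surviving context line `# http://shorewall.net/manpages/shorewall.conf.html` likewise still points readers at the IPv4 manpage.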
@@ -81,12 +64,10 @@ SUBSYSLOCK=/var/lock/subsys/shorewall MODULESDIR= -CONFIG_PATH=/etc/shorewall:/usr/share/shorewall +CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6 RESTOREFILE= -IPSECFILE=zones - LOCKFILE= ############################################################################### @@ -110,15 +91,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' # F I R E W A L L O P T I O N S ############################################################################### -IP_FORWARDING=On - -ADD_IP_ALIASES=Yes - -ADD_SNAT_ALIASES=No - -RETAIN_ALIASES=No - -TC_ENABLED=Internal +TC_ENABLED=No TC_EXPERT=No @@ -128,46 +101,20 @@ MARK_IN_FORWARD_CHAIN=No CLAMPMSS=No -ROUTE_FILTER=No - -DETECT_DNAT_IPADDRS=No - MUTEX_TIMEOUT=60 ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes -DELAYBLACKLISTLOAD=No - MODULE_SUFFIX= -DISABLE_IPV6=Yes - -BRIDGING=No - -DYNAMIC_ZONES=No - -PKTTYPE=Yes - -RFC1918_STRICT=No - -MACLIST_TABLE=filter - -MACLIST_TTL= - -SAVE_IPSETS=No - -MAPOLDACTIONS=No - FASTACCEPT=No IMPLICIT_CONTINUE=No HIGH_ROUTE_MARKS=No -USE_ACTIONS=Yes - OPTIMIZE=1 EXPORTPARAMS=No @@ -178,22 +125,20 @@ KEEP_RT_TABLES=No DELETE_THEN_ADD=Yes -MULTICAST=No - DONT_LOAD= AUTO_COMMENT=Yes MANGLE_ENABLED=Yes +USE_DEFAULT_RT=Yes + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### BLACKLIST_DISPOSITION=DROP -MACLIST_DISPOSITION=REJECT - TCP_FLAGS_DISPOSITION=DROP #LAST LINE -- DO NOT REMOVE diff --git a/Samples6/two-interfaces/interfaces b/Samples6/two-interfaces/interfaces index 904590118..2e2fea2d3 100644 --- a/Samples6/two-interfaces/interfaces +++ b/Samples6/two-interfaces/interfaces 
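Review bot: `+CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6` removes the administrator-owned `/etc/shorewall` entry that the old value searched first and replaces it with only packaged directories; unless the compiler implicitly searches the Shorewall6 configuration directory under /etc, locally edited files would be shadowed by the stock copies, so consider `CONFIG_PATH=<shorewall6-etc-dir>:/usr/share/shorewall6/configfiles:/usr/share/shorewall6`. The hunk context also shows `SUBSYSLOCK=/var/lock/subsys/shorewall` unchanged, which would make an IPv6 firewall share its subsystem lock with an IPv4 Shorewall on the same host — probably worth a shorewall6-specific value (placeholder: `<shorewall6-subsys-lock>`). The two-interfaces shorewall6.conf hunks carry both of these identically.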
@@ -16,6 +16,6 @@ # ############################################################################### #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians -loc eth1 detect tcpflags,nosmurfs +net eth0 detect tcpflags +loc eth1 detect tcpflags #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Samples6/two-interfaces/masq b/Samples6/two-interfaces/masq deleted file mode 100644 index 95ed88e1b..000000000 --- a/Samples6/two-interfaces/masq +++ /dev/null @@ -1,19 +0,0 @@ -# -# Shorewall version 4.0 - Sample Masq file for two-interface configuration. -# Copyright (C) 2006 by the Shorewall Team -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# See the file README.txt for further details. -#------------------------------------------------------------------------------ -# For information about entries in this file, type "man shorewall-masq" -# -# For additional information, see http://shorewall.net/Documentation.htm#Masq -# -############################################################################### -#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK -eth0 eth1 -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Samples6/two-interfaces/rules b/Samples6/two-interfaces/rules index d922c14f6..c97fd06a2 100644 --- a/Samples6/two-interfaces/rules +++ b/Samples6/two-interfaces/rules @@ -35,8 +35,8 @@ Ping/ACCEPT loc $FW Ping/DROP net $FW -ACCEPT $FW loc icmp -ACCEPT $FW net icmp +ACCEPT $FW loc ipv6-icmp +ACCEPT $FW net ipv6-icmp # #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
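Review bot: In the two-interfaces `rules` hunk, `Ping/DROP net $FW` is kept (context line) and only the three outbound `$FW` accepts are switched to `ipv6-icmp`, so nothing visible here admits the ICMPv6 types an IPv6 host needs inbound from `net` (neighbour discovery, packet-too-big for path-MTU discovery); if Shorewall6 does not allow those implicitly, the sample would break basic IPv6 connectivity. If it does, a comment next to these rules would spare readers the same question, e.g. `# Essential ICMPv6 types are permitted by the compiler; only echo requests are governed here` — to be confirmed against the compiler. The rules file continues outside the hunk.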
diff --git a/Samples6/two-interfaces/shorewall.conf b/Samples6/two-interfaces/shorewall6.conf similarity index 77% rename from Samples6/two-interfaces/shorewall.conf rename to Samples6/two-interfaces/shorewall6.conf index 8f30fb31a..3d94652e9 100644 --- a/Samples6/two-interfaces/shorewall.conf +++ b/Samples6/two-interfaces/shorewall6.conf @@ -1,7 +1,7 @@ ############################################################################### # -# Shorewall version 4.0 - Sample shorewall.conf for two-interface configuration. -# Copyright (C) 2006,2007 by the Shorewall Team +# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration. +# Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -26,13 +26,6 @@ STARTUP_ENABLED=No VERBOSITY=1 -############################################################################### -# C O M P I L E R -# (setting this to 'perl' requires installation of Shorewall-perl) -############################################################################### - -SHOREWALL_COMPILER= - ############################################################################### # L O G G I N G ############################################################################### @@ -55,21 +48,13 @@ LOGALLNEW= BLACKLIST_LOGLEVEL= -MACLIST_LOG_LEVEL=info - TCP_FLAGS_LOG_LEVEL=info -RFC1918_LOG_LEVEL=info - -SMURF_LOG_LEVEL=info - -LOG_MARTIANS=Yes - ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### -IPTABLES= +IP6TABLES= PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin 
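Review bot: The first hunk of the two-interfaces shorewall6.conf replaces `# Copyright (C) 2006,2007 by the Shorewall Team` with `+# Copyright (C) 2006 by the Shorewall Team`, dropping a year that the old file had; this looks like a side effect of copying the three-interfaces file wholesale (same blob id 3d94652e9) rather than an intended change. The other samples in this commit add 2008 to their copyright lines, so `# Copyright (C) 2006,2007,2008 by the Shorewall Team` would be consistent here.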
@@ -79,12 +64,10 @@ SUBSYSLOCK=/var/lock/subsys/shorewall MODULESDIR= -CONFIG_PATH=/etc/shorewall:/usr/share/shorewall +CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6 RESTOREFILE= -IPSECFILE=zones - LOCKFILE= ############################################################################### @@ -108,15 +91,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' # F I R E W A L L O P T I O N S ############################################################################### -IP_FORWARDING=On - -ADD_IP_ALIASES=Yes - -ADD_SNAT_ALIASES=No - -RETAIN_ALIASES=No - -TC_ENABLED=Internal +TC_ENABLED=No TC_EXPERT=No @@ -126,74 +101,44 @@ MARK_IN_FORWARD_CHAIN=No CLAMPMSS=No -ROUTE_FILTER=No - -DETECT_DNAT_IPADDRS=No - MUTEX_TIMEOUT=60 ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes -DELAYBLACKLISTLOAD=No - MODULE_SUFFIX= -DISABLE_IPV6=Yes - -BRIDGING=No - -DYNAMIC_ZONES=No - -PKTTYPE=Yes - -RFC1918_STRICT=No - -MACLIST_TABLE=filter - -MACLIST_TTL= - -SAVE_IPSETS=No - -MAPOLDACTIONS=No - FASTACCEPT=No IMPLICIT_CONTINUE=No HIGH_ROUTE_MARKS=No -USE_ACTIONS=Yes - OPTIMIZE=1 EXPORTPARAMS=No EXPAND_POLICIES=No -EXPAND_POLICIES=Yes - KEEP_RT_TABLES=No DELETE_THEN_ADD=Yes -MULTICAST=No - DONT_LOAD= AUTO_COMMENT=Yes MANGLE_ENABLED=Yes +USE_DEFAULT_RT=Yes + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### BLACKLIST_DISPOSITION=DROP -MACLIST_DISPOSITION=REJECT - TCP_FLAGS_DISPOSITION=DROP #LAST LINE -- DO NOT REMOVE diff --git a/Samples6/two-interfaces/zones b/Samples6/two-interfaces/zones index 89c296037..d065817fd 100644 --- a/Samples6/two-interfaces/zones +++ b/Samples6/two-interfaces/zones @@ -17,7 +17,7 @@ #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall -net ipv4 -loc ipv4 +net ipv6 +loc ipv6 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE 
diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm index 1a57fc709..3018a2326 100644 --- a/Shorewall-perl/Shorewall/Compiler.pm +++ b/Shorewall-perl/Shorewall/Compiler.pm @@ -949,14 +949,17 @@ sub compiler { # # /proc stuff # - setup_arp_filtering; - setup_route_filtering; - setup_martian_logging; + if ( $family == F_IPV4 ) { + setup_arp_filtering; + setup_route_filtering; + setup_martian_logging; + } + setup_source_routing; # # Proxy Arp # - setup_proxy_arp; + setup_proxy_arp if $family == F_IPV4; # # Handle MSS setings in the zones file #
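Review bot: The new `if ( $family == F_IPV4 )` block and the `setup_proxy_arp if $family == F_IPV4;` line give no hint why the IPv6 build skips these steps, and the same test is now made twice within a few lines; a why-comment above the block would help, e.g. `# arp_filter, rp_filter, log_martians and proxy ARP are IPv4-only /proc facilities; there is no IPv6 counterpart to configure here`, and the proxy-ARP call could move inside the same conditional. `+    setup_source_routing;` does not correspond to any removed line, so it is a newly added unconditional call; if `compiler` (which begins before this hunk) already invoked it elsewhere, the setting would now be applied twice — worth checking. As far as this hunk shows, the IPv6 build now sets no route-filter or martian-logging defaults at all, which deserves a changelog note if intentional.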